[Cryptography] The FBI can (almost certainly) crack the San Bernardino iPhone without Apple's help

Ron Garret ron at flownet.com
Wed Mar 2 21:17:01 EST 2016


On Mar 2, 2016, at 5:23 PM, Jerry Leichter <leichter at lrw.com> wrote:

> 
>>> I want the security.  But I don't want the system I'd get if
>>> that security were a commodity that software or service
>>> providers could use to create captive markets in their walled
>>> gardens.
>> 
>> In practice, though, it appears that the average user seems to be
>> better served by the security of the walled garden than by a system
>> which anyone with physical access can sabotage. (I include myself, by
>> the way, as an average user for these purposes.)
> Frankly, as far as I can tell, pretty much *everyone* is more secure in the walled garden.
> 
> The days when any one person understood everything about what was happening on any useful computer system are long passed.  Hell, even the days when any one person was familiar with all the security-relevant research have long passed.  I could honestly say 25 years ago that I knew at least a bit of something about cryptography, access control, secure implementation techniques - pretty much everything being done in the field.  Today it's completely impossible.  You have sophisticated mathematical techniques, chip analysis techniques, bizarro attacks like ROP and JSFUCK - the range of stuff out there is astounding.
> 
> So the idea that you can somehow build a secure environment for yourself, confidently picking and choosing exactly what to trust and what can safely be combined with what is about as realistic as the idea that you could go out into the wilderness alone and in a couple of years build a car.
> 
> Attacks these days are team efforts.  So are defenses.  And if you think you can build a team of like-minded individuals to form your own team with any real degree of assurance that not one of them isn't quite what he seems ... well, forget it.  There's a reason organized militaries have been beating disorganized but larger and fiercer groups since Roman times.
> 
> It's hard to let go of the dream, but it's necessary.

I disagree.  I think it is still possible to build a secure system that can be fully understood and vetted by its users.  I am in fact working on such a system.  The initial prototype is here:

https://github.com/Spark-Innovations/SC4

I’m currently working on an iOS app and an HSM.  I’m actively recruiting people to help me in this effort.  If you’re interested please contact me off-list.

rg


