[Cryptography] new wiretap resistance in iOS 8?

ianG iang at iang.org
Mon Sep 22 02:06:26 EDT 2014


On 21/09/2014 16:14 pm, Peter Fairbrother wrote:
> On 20/09/14 21:18, John Denker wrote:
> 
>>   There will never be perfect security.  The measure
>>   of good security is that it imposes a cost on the
>>   attacker, out of proportion to the cost borne by
>>   the user.
> 
> Aaarrrghh, not that old bollocks again.
> 
> "Out of proportion"? - bear in mind Robert Morris's second rule: "Never
> underestimate the attention, risk, money and time that an opponent will
> put into reading traffic."


That's not a rule, it's a plea for unconstrained spending.  The attacker
does not likely spend more than he gains unless he is stupid.  While
stupid attackers do exist, they tend to go out of business in a while.

> Plus remember, we don't ever really know the full resources of an
> attacker, or how effective they are.


Well, again, no.  We actually do have a good picture about attackers.
We have about 20 years of experience now in internet attacks.  We know
what phishing takes, we know how APTs work, sort of, we know what
penetration is, and how likely silly attacks like SQL injection are.  We
now also have lots of Snowden stuff.  And we know that the attacker
works through a smorgasbord of attacks, before getting serious.


> The costs might be well out of proportion - but the attacker might still
> be willing to pay his.


Only if he can get what is worth something to him.  A state level
attacker is not interested in the contents of my laptop because there
are no state level secrets on it;  in contrast a phisher might spend up
to $10 on the chance that he can steal $1000 from my bank account.


> Security is only good if, in practice, it resists an attacker's attempts
> to break it.
> 
> Now what might be good enough in one case might not be good enough in
> another; if for example an attacker can employ extended resources in the
> second case.


Certainly, if there are multiple attackers (and there are) then we need
to do a pretty sophisticated risk analysis.  If our attackers range from
state level attacks to economic attacks, then we've got a range of
attacks, and sometimes these aren't easy to compromise on.

But for the most part, I welcome any defence against hard attacks such
as the state level thing, because (1) most people are concerned with
boring theft attacks and (2) anything that defends against the state is
likely good or better at defending against economic attacks.

Here's a thought balloon.  If the NSA were to actually take steps to stop
economic attacks, and do so well, but the cost of that is to let them
poke around all our hard drives ... would that be a fair deal?


> If an attacker can only employ effective extended resources in limited
> numbers, well you could say "it sucks to be the loser, but most of us
> are safe" -
> 
> - but I will not say that. I will say instead that most of us are at risk.


Most of us are *always* at risk.  Highways, hospitals, all systems use
risk analysis and they accept that some people will lose.  They all use
modelling that turns every successful attack into a damages model, and
they basically decide to mount defences that cost less than the damages
they stop.  It's all economic.  Most of us win this way, and that's the
only way to rationalise the complicated threat environment.


> Nor do I subscribe to the idea that security has to have any significant
> cost to the user - modern encryption is essentially free and
> unbreakable, why can't we do the same with the rest of our systems?
> Especially software systems - the cost of distributing software is lost
> in the noise.


In that I agree.  There is no excuse for cost in encryption, nor in
authentication.


> The reason why the security behind those systems isn't essentially free
> and unbreakable lies mostly in those who design them - they are not
> security minded. They make things which are not secure but which are
> popular and easy to use, and thus those things get used - we have to
> make those popular things secure.


Well, they are economic minded, but in the minds of their employers not
their customers.  Most security systems have to be "sold" and therein
lie a few complexities.


> The converse is that secure products have to have the same popularity
> and ease of use.
> 
> If a luser has to RTFM, it don't fukken work.


Yup, full agreement.



> (hint re password reminder service - why does it have to be Apple who
> remembers, or doesn't remember, the password? Distributed key shares are
> old news)


Ah, but do distributed key shares really work?  Any studies?  Or is it
all just Shamir key sharing irrefutable mathematics bla bla?



iang

