The SFPD learned from television news outlets that Carmody was a source of the police incident report about Adachi's death. At that point, the investigating officer, Sgt. Joseph Obidi, knew he was a stringer. Obidi said he did an Internet search on Carmody's name and came across his LinkedIn profile. The initial search warrant for Carmody's phone information noted that in that profile Carmody described himself as a "Freelance Videographer/ Communications Manager" at "USO Bay Area" (the company where Carmody was the founder, owner, and sole employee). One would assume that the investigating officer would have looked for records concerning Carmody within SFPD's own databases. That officer would have found that Carmody had a press pass issued by the SFPD. A lot of SFPD officers would have known Carmody by name considering he had been working as a stringer for 30 years while based in SF. Let's give Sgt. Obidi, who has worked for the SFPD for 11 years, the benefit of the doubt and assume he didn't know of Carmody. A responsible officer would have mentioned the fact that Carmody was a stringer, that he possessed an SFPD press pass, and let the judge decide if Carmody qualified as a journalist. However, neither fact was mentioned. Instead, the statement of probable cause notes that:
"Further Internet research revealed that Bryan Carmody is not currently employed by any of the news organizations that obtained the death investigation report."
It seems that the statement of probable cause was written in a way to give the judge the impression that Carmody may have been a journalist at one time but was not one currently. There is no actual lie within that statement but it does seem to be intentionally misleading.
The statement of probable cause states that the police were investigating theft/fraud and obstruction of justice. Later on, it explicitly states the unknown SFPD police officer was suspected of those crimes. It was never explicitly stated that Carmody was guilty of any crime. The statement did say that the search of Carmody's phone records would:
"...assist me in determining the identity of the person(s) who stole the police report and may have interfered with the open death investigation by providing it to Bryan Carmody."
On the day of the raid, an SFPD statement was more ambiguous about who committed the crimes being investigated.
“...actions are one step in the process of investigating a potential case of obstruction of justice along with the illegal distribution of a confidential police report.”
David Stevenson, SFPD spokesman May 10, 2019.
On May 21st, SFPD Chief William Scott said this:
“We do believe that Mr. Carmody committed a crime and that’s what we’ve been investigating, Scott said The reason for the raid and seizure “is that we believe that he was complicit in committing crimes,” he said.
A police press release included this:
"Under investigation are theft of the incident report and “unlawful dissemination” of confidential information obtained through the California Law Enforcement Telecommunication System..."
It seems that the SFPD is now trying to say, after the fact, that they were investigating Carmody, himself, for crimes to justify the search warrant being applied to a journalist.
However, Carmody cannot be guilty of unlawful dissemination for receiving the police report from an officer and then selling it as part of a news package to news outlets.
Could Carmody be prosecuted for possession and sale of stolen information? Only if a copy of the incident report, or more accurately, a photocopy of a printed station copy of the report, can be considered stolen property.
Can you answer this? The statement of probable cause identifies Carmody as the intermediary in supplying the police report from an unknown SFPD police officer to television news outlets. It does not mention that Carmody, himself, was suspected of any crimes. If Carmody was not at all a journalist would this be a valid search warrant to either access his phone metadata, voicemail, email, and texts or to search his home? The search warrant and affidavit give the impression, as written, that a judge should see no problem with this.
In the Golden State Killer case the closest match in the GEDmatch database was a 3rd cousin. There were 10 20 matches. The matches were likely not based on percentage of DNA markers that matched. Rather, they were based on a single, rare, genetic marker. The suspect pool was determined from 25 family trees that were source from a great, great, great grandparent of DeAngelo, the killer. That pool was greatly narrowed given the known characteristics of the killer, a blond white male, 60-80 years old who had lived in that region of California. How small does that pool have to be before probable cause is established? There are thousands of living relatives with that marker. They could not have used other markers to narrow the pool because the closest identified relative in a database was a 3rd cousin. I suspect the investigators did not attempt to get a warrant to obtain DeAngelo's DNA because they did not have probable cause. Otherwise, they could have obtained a warrant and still used subterfuge to obtain the DNA to avoid tipping him off. They had previously obtained DNA from another individual that was identified via relations to someone in GEDmatch. It has not been said publicly whether that sample was obtained by permission, warrant, or just subterfuge. A warrant was obtained last year for a 73 year man in Oregon City who was not capable of giving permission. I doubt that warrant was proper as it was based on a close relative in the Ysearch database having that rare genetic marker. Given that only 189,000 individuals were represented in the database, there was no guarantee that any relative was the killer.
Maybe obtaining DNA without permission or a warrant is justified in this case but where is the line drawn when a familial search can only narrow the suspect pool down to several, dozens, or hundreds? Matches to close relatives will still narrow the suspects to a handful. Consider that advances in DNA testing technology will make such tests yet even cheaper and faster in the future. What level of crime will justify such familial searches? Under current California law, familial searches can only be done to find suspects "of major violent crimes in which the public faces safety risks and in which all other investigative avenues have proven fruitless". Other states are less restrictive. I wonder how long sites such as Ysearch.org and GEDmatch will continue to exist when users realize that it is not only law enforcement that can upload someone's DNA file and find relatives. What is to prevent anyone from using 23 and Me or AncestryDNA to get DNA results of a target individual. All you need is saliva./div>
This system could be very secure from hacking. It doesn't require a newly invented solution. The general problem of one-way authentication has been solved already. However, it is unclear if the Federal Signal Corporation (the supplier for Dallas) has provided such security in its controllers for the siren systems. It is also unclear if either Dallas, or the contractor hired to maintain and repair the system have configured the controllers to have their highest security. It seems all this is likely to remain unclear because city authorities buy into "security through obscurity". Another issue is that officials want multiple, maybe non-technical folk, to be able to activate the sirens. Security may be compromised in the interest of simplicity.
Here is what we know. The hacker used a radio signal from within signal reach of a base controller. The hacker knew the codes to trigger every siren in the system which is achieved through radio relays. Each siren can be triggered individually or as part of a group. In this case the code for "all sirens" was used. The hacker continually sent signals to activate the sirens, thus overiding the officials who sent signals to turn the sirens off. The officials eventually changed something in authentication so the hacker could no longer activate the sirens. I am guessing how authentication works here. It may be possible that it was turned off entirely in Dallas. The simplest, and maybe only method, is to use a programmed fixed sequence of digits that represents an authentication code. I do know that Federal Signal controllers have that capability at least. However, the hacker in this case can use a replay attack. Herein, the hacker listens and records the signals used during a periodic system test. He, or she, simply plays back the same signal. The solution is to change the authentication code for every activation. Such a rolling-code system is used in many areas such as for unlocking cars and opening garage doors. Unfortunately, the companies that design such systems try to maintain secrecy and the cryptography doesn't get well vetted. I think all these systems had to be corrected once the system was already in the field. There are algorithms for rolling-code systems that don't suffer from known vulnerabilities. The user may have to configure that level of security to make sure they are protected./div>
As I see it, the biggest vulnerability right now is that a hacker can start a trade war, or a real war, with a single tweet, That is, unless Trump beats them to it./div>
Here is Trump's take on Wikileaks (circa 2010). This is from banter before an actual interview with Brian Kilmead on the "Kilmead and Friends" radio show. Kilmead is part of Fox and Friends on the Fox TV network. Kilmead mentions another guest will talk about Wikileaks. Trump says (about Wikileaks) "I think it is disgraceful. I think there should be, like, death penalty or something." https://www.youtube.com/watch?v=fDEDQFj9sFk/div>
I was a teenager when "A Clockwork Orange" came out. Great film indeed! Do you recognize Darth Vader in that film (actor David Prowse)? The soundtrack was a great part of that movie. I had an early interest in electronic music started listening to "Switched on Bach" and the "Well Tempered Synthesizer" back in 1970. Wendy Carlos is one of the great electronic music pioneers. I do object to you bringing up the fact that she is transgender in a rather disdainful way. Firstly, it is entirely irrelevant to the discussion of whether her lawsuit has a valid legally valid claim of copyright infringement. Issues concerning transgenderism have been much in the news in the last couple of years. Wendy Carlos transitioned in 1968 but didn't come out publicly till 1979. She has never made a big issue of it and does not consider herself any sort of activist. So, she hasn't participated in the recent publicizing of transgender issues. This makes mentioning it all the more irrelevant in a discussion of fair use under copyright law.
Surely people here must recognize that a recorded performance of a public domain composition has a valid copyright in itself. Otherwise, why would any company try to sell recordings of classical music. Just the fact that the composition is in the public domain doesn't invalidate all copyright claims. Let's characterize all the 4 factors in this case even though Tim's focus in this article is that one of the 4 fair use factors is usually ignored.
1). the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes.
A parody short film freely available on Youtube. Profit doesn't seem to be the motive here but the parody addresses a very newsworthy occurrence. As Tim noted, the music background is not the subject of the parody. The musical piece is played in its entirety without any transformation.
2). the nature of the copyrighted work.
This is an original arrangement of a portion of a composition which is in the public domain. I don't know if the following is relevant to infringement considerations but in 1971 it took a lot of time to set up and record even an electronic piece that is only 1 minute 17 seconds long.
3). the amount and substantiality of the portion used in relation to the copyrighted work as a whole.
This recording of, an abridged, William Tell Overture is used in its entirety and is not changed at all from the original.
4). the effect of the use upon the potential market for or value of the copyrighted work.
I agree with Tim's point that this parody will not have any negative effect of the market or value of this Carlos' recording.
Overall, it seems the infringement claim is marginal but Serendip may win the lawsuit. I would advise Wendy Carlos to drop the lawsuit. Any of you can do this by writing to Wendy via this one-way mailbox: http://www.wendycarlos.com/write.html/div>
When you are offering information about records for only 4 patients in which some minor details are already known, it is pretty much impossible to anonymize (de-indentify is the term used in HIPAA) those records. Pretty much any detail, including appointment times is considered Protected Health Information (PHI) in the context of releasing it publicly to a media outlet. The only defense would be if those details were already public from the patients themselves./div>
The attack on Biddle's mental health is not just an ad hominem attack. It is the basis for the 4th cause of action in the lawsuit. Here, it is assumed that Biddle's "abuse" of benzodiazepines and SSRIs are responsible for his "caustic and reckless" writing of articles. According to the lawsuit, Denton and Cook should have known that and continuing to employ him was negligent on their part.
Unless you're a scientologist, I don't see how using SSRIs can be termed abuse, much less responsible for the writing of caustic articles. I wonder if Biddle was using antidepressants and, if so, how Ayyadurai's lawyers knew of it (that's part of his medical history and covered by HIPAA)./div>
“Shiva is the name of the lord of creation and destruction in the Hindu religion,” she says. “And Shiva” — her brother — “is truly the creator. He will fight for destruction if it means fighting for justice. And he will die in that fight for justice, at any cost.”
The "fight for destruction" sounds ominous. I am not sure what she means by that. I kind of feel sorry for Shiva Ayyadurai as loss of this suit will destroy him. I can't understand his obsession with being recognized as the inventor of email. He could still use his mind to create innovative things./div>
"The lifeblood of the criminal justice system has always been witness testimony. Now however, with witness intimidation, the cell phone data mine from these phones of victims, witnesses, and criminals, the cellphone now, and its data, have become our lifeblood."
So, Mike, it is unfair of you to say that the police fail to do their jobs when, as DA Moore explain, witness intimidation has become so rampant that cellphone data must now take its place./div>
I am thinking more and more that the exploit was a lie and the FBI appears to be fine tuning that lie to use it for maximum advantage. When public opinion and, just as importantly, their legal case didn't seem to be going their way, suddenly they have an exploit and don't need Apple's help. The lie appears so perfect! I'm imagining a conversation a wily teenager is having with his skeptical dad.
I thought you said there was no way to do this without Apple's help?
Uhm, that's still true. This secret hacker company figured it out and only told us at the last minute. I can't tell you who they are and I won't tell you any details about the exploit because, you know, National Security.
Didn't you say it would only work on that one specific phone?
Yeah, sorry about the ambiguity. I meant that one type of phone.
Will you ever tell Apple any details about this exploit?
Since the exploit only applies to this one version, it affects only a small percentage of their phones and that percentage will be getting less and less over time. Anyway, Apple has already fixed it and the exploit is still useful to us because, you know, National Security. so I don't think I really should tell Apple the details.
Will you help other law enforcement agencies with their cases using this exploit?
Of course, I'll always help my law enforcement brethren when I can. That is, when the phone, hardware and software just matches this one, and the case involves, you know, National Security in some way. Cause I really don't want to have the details revealed in court.
I wonder if the FBI has hired some smart teenagers to be part of a Tailored Lie Operations Group. One thing that is a bit comforting is that their doesn't appear to be a known exploit to crack the data encryption itself. So, if the exploit is a way to bypass the limits on guessing the passcode, then the data can still be protected with a good choice of passcode. If you choose a random 7 character (alphanumeric using only lower case letter plus 10 digits) it will take 99 years on average to brute force the passcode./div>
Thanks for pointing that out I hadn't read that. However, is that really how the display works? It shows you how many digits, or characters, the password is before you enter it? If so, that is a security weakness in itself. At any rate, once the 10 guess limit is bypassed, it doesn't really matter whether the passcode was four digits or six. Both are doable in a reasonable amount of time. If Farook's passcode was four alphanumeric characters, then let's calculate how long that would take to crack. ((36 ^ 4) * .08s) / 3600) = 37 hours max or 18.5 hours on average. Just one more character, 5 total, would take a month to crack on average. Still doable, but a pain./div>
If we take the FBI's report as true and they were able to access the data on this iPhone, then the most likely method would have been finding the passcode through brute force.
The minimum passcode length is four digits but the default is six digits and probably is the length Farook used on this iPhone. Each attempt requires 80 milliseconds to execute on the iPhone. Yes, it is intentionally slow. If he used just a six digit passcode there are 1 million possibilities which would take (1,000,000 x .08s) or 22 hours to crunch through all possibilities without taking into account extra time needed if the method wasn't just a program supplying attempts directly to the iPhone without interruption. The average time to crack the passcode, given this scenario, is 11 hours. However, if a six character alphanumeric passcode was used, it would take more than two years on average to crack the passcode. So, the level of security seems to now lie with the user's choice of passcode./div>
This article ought to have mentioned that any code used to update an Apple iPhone has to be digitally signed. Only Apple has the key necessary to sign such code. The FBI has not asked for that key and they will not be required to release it. This is the whole reason the FBI wants to compel Apple to write code that defeats their own security. The FBI may be capable of writing such code but they can't update an iPhone with their version. The FBI also asked Apple to make the update work on only the one iPhone in question. The way to do this is have the update check for one or more of the unique Ids used only on that particular phone (e.g UUID, serial #, cell IMEI, Bluetooth and WI-FI MAC addresses). The presence of a digital signature also means that the FBI, or anyone besides Apple, cannot alter the code even if they had a copy of the, un-compiled, source code. So, what's all the worry about then? I don't know the particulars of where, and how, these unique are stored on the iPhone. What may be possible though is to spoof these Ids to make another iPhone appear to be the one used by the San Bernardino terrorists. Another possible weakness is that every time a small change is made in the digitally signed code, it becomes easier to crack the key. A multitude of law enforcement agencies getting a new version for each case may allow the signing key to be discovered. I don't know if that is realistic in this instance, but it is something that should be looked at./div>
(untitled comment)
The SFPD learned from television news outlets that Carmody was a source of the police incident report about Adachi's death. At that point, the investigating officer, Sgt. Joseph Obidi, knew he was a stringer. Obidi said he did an Internet search on Carmody's name and came across his LinkedIn profile. The initial search warrant for Carmody's phone information noted that in that profile Carmody described himself as a "Freelance Videographer/ Communications Manager" at "USO Bay Area" (the company where Carmody was the founder, owner, and sole employee). One would assume that the investigating officer would have looked for records concerning Carmody within SFPD's own databases. That officer would have found that Carmody had a press pass issued by the SFPD. A lot of SFPD officers would have known Carmody by name considering he had been working as a stringer for 30 years while based in SF. Let's give Sgt. Obidi, who has worked for the SFPD for 11 years, the benefit of the doubt and assume he didn't know of Carmody. A responsible officer would have mentioned the fact that Carmody was a stringer, that he possessed an SFPD press pass, and let the judge decide if Carmody qualified as a journalist. However, neither fact was mentioned. Instead, the statement of probable cause notes that:
"Further Internet research revealed that Bryan Carmody is not currently employed by any of the news organizations that obtained the death investigation report."
It seems that the statement of probable cause was written in a way to give the judge the impression that Carmody may have been a journalist at one time but was not one currently. There is no actual lie within that statement but it does seem to be intentionally misleading.
The statement of probable cause states that the police were investigating theft/fraud and obstruction of justice. Later on, it explicitly states the unknown SFPD police officer was suspected of those crimes. It was never explicitly stated that Carmody was guilty of any crime. The statement did say that the search of Carmody's phone records would:
"...assist me in determining the identity of the person(s) who stole the police report and may have interfered with the open death investigation by providing it to Bryan Carmody."
On the day of the raid, an SFPD statement was more ambiguous about who committed the crimes being investigated.
“...actions are one step in the process of investigating a potential case of obstruction of justice along with the illegal distribution of a confidential police report.”
David Stevenson, SFPD spokesman May 10, 2019.
On May 21st, SFPD Chief William Scott said this:
“We do believe that Mr. Carmody committed a crime and that’s what we’ve been investigating, Scott said The reason for the raid and seizure “is that we believe that he was complicit in committing crimes,” he said.
A police press release included this:
"Under investigation are theft of the incident report and “unlawful dissemination” of confidential information obtained through the California Law Enforcement Telecommunication System..."
It seems that the SFPD is now trying to say, after the fact, that they were investigating Carmody, himself, for crimes to justify the search warrant being applied to a journalist.
However, Carmody cannot be guilty of unlawful dissemination for receiving the police report from an officer and then selling it as part of a news package to news outlets.
/div>Could Carmody be prosecuted for possession and sale of stolen information? Only if a copy of the incident report, or more accurately, a photocopy of a printed station copy of the report, can be considered stolen property.
Re:
Can you answer this? The statement of probable cause identifies Carmody as the intermediary in supplying the police report from an unknown SFPD police officer to television news outlets. It does not mention that Carmody, himself, was suspected of any crimes. If Carmody was not at all a journalist would this be a valid search warrant to either access his phone metadata, voicemail, email, and texts or to search his home? The search warrant and affidavit give the impression, as written, that a judge should see no problem with this.
/div>(untitled comment)
There is an interview and a news conference in which Chief Scott said that Carmody was described in the warrants (in the affidavit portion only, it appears) as a freelance videographer and a communications manager. This is a description he said came from Carmody's LinkedIn profile.
/div>https://abcnews.go.com/US/san-francisco-police-chief-calls-probe-force-reporter/story?id=63268168
Re: Re:
I suspect the investigators did not attempt to get a warrant to obtain DeAngelo's DNA because they did not have probable cause. Otherwise, they could have obtained a warrant and still used subterfuge to obtain the DNA to avoid tipping him off. They had previously obtained DNA from another individual that was identified via relations to someone in GEDmatch. It has not been said publicly whether that sample was obtained by permission, warrant, or just subterfuge. A warrant was obtained last year for a 73 year man in Oregon City who was not capable of giving permission. I doubt that warrant was proper as it was based on a close relative in the Ysearch database having that rare genetic marker. Given that only 189,000 individuals were represented in the database, there was no guarantee that any relative was the killer.
Maybe obtaining DNA without permission or a warrant is justified in this case but where is the line drawn when a familial search can only narrow the suspect pool down to several, dozens, or hundreds? Matches to close relatives will still narrow the suspects to a handful. Consider that advances in DNA testing technology will make such tests yet even cheaper and faster in the future. What level of crime will justify such familial searches? Under current California law, familial searches can only be done to find suspects "of major violent crimes in which the public faces safety risks and in which all other investigative avenues have proven fruitless". Other states are less restrictive. I wonder how long sites such as Ysearch.org and GEDmatch will continue to exist when users realize that it is not only law enforcement that can upload someone's DNA file and find relatives. What is to prevent anyone from using 23 and Me or AncestryDNA to get DNA results of a target individual. All you need is saliva./div>
(untitled comment)
Security may be compromised in the interest of simplicity.
Here is what we know. The hacker used a radio signal from within signal reach of a base controller. The hacker knew the codes to trigger every siren in the system which is achieved through radio relays. Each siren can be triggered individually or as part of a group. In this case the code for "all sirens" was used. The hacker continually sent signals to activate the sirens, thus overiding the officials who sent signals to turn the sirens off. The officials eventually changed something in authentication so the hacker could no longer activate the sirens.
I am guessing how authentication works here. It may be possible that it was turned off entirely in Dallas. The simplest, and maybe only method, is to use a programmed fixed sequence of digits that represents an authentication code. I do know that Federal Signal controllers have that capability at least. However, the hacker in this case can use a replay attack. Herein, the hacker listens and records the signals used during a periodic system test. He, or she, simply plays back the same signal.
The solution is to change the authentication code for every activation. Such a rolling-code system is used in many areas such as for unlocking cars and opening garage doors. Unfortunately, the companies that design such systems try to maintain secrecy and the cryptography doesn't get well vetted. I think all these systems had to be corrected once the system was already in the field. There are algorithms for rolling-code systems that don't suffer from known vulnerabilities. The user may have to configure that level of security to make sure they are protected./div>
the biggest vulnerability
Trump on Wikileaks
https://www.youtube.com/watch?v=fDEDQFj9sFk/div>
Re: Re:
Surely people here must recognize that a recorded performance of a public domain composition has a valid copyright in itself. Otherwise, why would any company try to sell recordings of classical music. Just the fact that the composition is in the public domain doesn't invalidate all copyright claims. Let's characterize all the 4 factors in this case even though Tim's focus in this article is that one of the 4 fair use factors is usually ignored.
1). the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes.
A parody short film freely available on Youtube. Profit doesn't seem to be the motive here but the parody addresses a very newsworthy occurrence. As Tim noted, the music background is not the subject of the parody. The musical piece is played in its entirety without any transformation.
2). the nature of the copyrighted work.
This is an original arrangement of a portion of a composition which is in the public domain. I don't know if the following is relevant to infringement considerations but in 1971 it took a lot of time to set up and record even an electronic piece that is only 1 minute 17 seconds long.
3). the amount and substantiality of the portion used in relation to the copyrighted work as a whole.
This recording of, an abridged, William Tell Overture is used in its entirety and is not changed at all from the original.
4). the effect of the use upon the potential market for or value of the copyrighted work.
I agree with Tim's point that this parody will not have any negative effect of the market or value of this Carlos' recording.
Overall, it seems the infringement claim is marginal but Serendip may win the lawsuit. I would advise Wendy Carlos to drop the lawsuit. Any of you can do this by writing to Wendy via this one-way mailbox:
http://www.wendycarlos.com/write.html/div>
Re:
Re:
Unless you're a scientologist, I don't see how using SSRIs can be termed abuse, much less responsible for the writing of caustic articles. I wonder if Biddle was using antidepressants and, if so, how Ayyadurai's lawyers knew of it (that's part of his medical history and covered by HIPAA)./div>
Re:
This is from a 2012 article where the author talks with Ayyadurai's sister.
http://www.bostonmagazine.com/2012/05/shiva-ayyaduri-email-us-postal-service/
The "fight for destruction" sounds ominous. I am not sure what she means by that. I kind of feel sorry for Shiva Ayyadurai as loss of this suit will destroy him. I can't understand his obsession with being recognized as the inventor of email. He could still use his mind to create innovative things./div>
Re: So...
from the dog and pony show, uuh, press conference
"The lifeblood of the criminal justice system has always been witness testimony. Now however, with witness intimidation, the cell phone data mine from these phones of victims, witnesses, and criminals, the cellphone now, and its data, have become our lifeblood."
So, Mike, it is unfair of you to say that the police fail to do their jobs when, as DA Moore explain, witness intimidation has become so rampant that cellphone data must now take its place./div>
Re:
I thought you said there was no way to do this without Apple's help?
Uhm, that's still true. This secret hacker company figured it out and only told us at the last minute. I can't tell you who they are and I won't tell you any details about the exploit because, you know, National Security.
Didn't you say it would only work on that one specific phone?
Yeah, sorry about the ambiguity. I meant that one type of phone.
Will you ever tell Apple any details about this exploit?
Since the exploit only applies to this one version, it affects only a small percentage of their phones and that percentage will be getting less and less over time. Anyway, Apple has already fixed it and the exploit is still useful to us because, you know, National Security. so I don't think I really should tell Apple the details.
Will you help other law enforcement agencies with their cases using this exploit?
Of course, I'll always help my law enforcement brethren when I can. That is, when the phone, hardware and software just matches this one, and the case involves, you know, National Security in some way. Cause I really don't want to have the details revealed in court.
I wonder if the FBI has hired some smart teenagers to be part of a Tailored Lie Operations Group. One thing that is a bit comforting is that their doesn't appear to be a known exploit to crack the data encryption itself. So, if the exploit is a way to bypass the limits on guessing the passcode, then the data can still be protected with a good choice of passcode. If you choose a random 7 character (alphanumeric using only lower case letter plus 10 digits) it will take 99 years on average to brute force the passcode./div>
Re: Re: Apple security
Re: Re: Apple security
Re: Re: Apple security
Apple security
"iOS supports four-digit and arbitrary-length alphanumeric passcode".
from Apple's iOS security white paper:
https://www.apple.com/la/iphone/business/docs/iOS_Security_May12.pdf
The minimum passcode length is four digits but the default is six digits and probably is the length Farook used on this iPhone. Each attempt requires 80 milliseconds to execute on the iPhone. Yes, it is intentionally slow. If he used just a six digit passcode there are 1 million possibilities which would take (1,000,000 x .08s) or 22 hours to crunch through all possibilities without taking into account extra time needed if the method wasn't just a program supplying attempts directly to the iPhone without interruption. The average time to crack the passcode, given this scenario, is 11 hours. However, if a six character alphanumeric passcode was used, it would take more than two years on average to crack the passcode. So, the level of security seems to now lie with the user's choice of passcode./div>
clarification
So, what's all the worry about then? I don't know the particulars of where, and how, these unique are stored on the iPhone. What may be possible though is to spoof these Ids to make another iPhone appear to be the one used by the San Bernardino terrorists. Another possible weakness is that every time a small change is made in the digitally signed code, it becomes easier to crack the key. A multitude of law enforcement agencies getting a new version for each case may allow the signing key to be discovered. I don't know if that is realistic in this instance, but it is something that should be looked at./div>
(untitled comment)
More comments from aldestrawk >>
aldestrawk’s Submitted Stories.
Submit a story now.
Tools & Services
TwitterFacebook
RSS
Podcast
Research & Reports
Company
About UsAdvertising Policies
Privacy
Contact
Help & FeedbackMedia Kit
Sponsor/Advertise
Submit a Story
More
Copia InstituteInsider Shop
Support Techdirt