Forensic scientist drops bomb on Apple iOS security (General Chat thread, page 2 of 2, posts 16 to 30 of 30)
  1. #16 posted by localzuk

    Quote Originally Posted by seawolf:
    So, how did that out in the open thing work out for OpenSSL? Heartbleed anyone? Obscurity plus good security frameworks are the ideal.
    Yeah, I'll take your word for that, over the words of pretty much *every* IT security professional on the planet. Security through obscurity is not security at all. Security with good documentation, and good frameworks means you can protect things properly...

    How things actually are is that you're dreaming if you think there is privacy on the internet. There hasn't been for a LONG time.
    May I point you at the Chewbacca defense. No-one has mentioned privacy on the internet; it is completely unrelated. Why not bring up privacy walking down the street too? That's as irrelevant. This is a discussion of a personal device recording things it doesn't need to, and then making them available counter to the whole point of the built-in encryption which is supposed to protect the owner. It is about the fact that the data tracked is accessible outside the protections for no good reason. It's about the lack of encryption when the phone is locked. Basically, I point you back at my first post and the individual points I made.

  2. #17 posted by seawolf

    Quote Originally Posted by localzuk:
    Yeah, I'll take your word for that, over the words of pretty much *every* IT security professional on the planet. Security through obscurity is not security at all. Security with good documentation, and good frameworks means you can protect things properly...
    So, anyway, how did this strategy work out for OpenSSL? Biggest known security flaw in the history of the internet sitting right there out in the open for years. Awesome stuff. Give me more of that!

  3. #18 posted by localzuk

    Quote Originally Posted by seawolf:
    So, anyway how did this strategy work out for OpenSSL? Biggest known security flaw in the history of the internet sitting right there out in the open for years. Awesome stuff. Give me more of that!
    There were quite a few things at play there. It was discovered... because it was open source. If it hadn't been open source, would anyone have found it to fix it? We certainly wouldn't know if people were leveraging the vulnerability. Also, OpenSSL as a project was a mess.

    Your arguments on this topic are very very weak. I could trot out the thousands of vulnerabilities in closed source software as a counter but it would be pointless.

    Let's put it this way. Attackers find and use vulnerabilities, whether they're documented or not. That's well known. If we document those vulnerabilities, we can protect against them. Documentation aids security. It doesn't reduce it.

  4. #19 posted by seawolf

    Quote Originally Posted by localzuk:
    There were quite a few things at play there. It was discovered... because it was open source. If it hadn't been open source, would anyone have found it to fix it?
    Bugs are discovered and fixed all of the time in closed source software. Like Windows for example. You know, that closed source, proprietary system you use all of the time? So, the bug may have been found and fixed much faster. On the other hand, it may have not. You accuse me of championing security through obscurity (I am not) while apparently claiming that open source is always more secure. It is not. It's much more complicated than that. Systems and code that are more used are generally improved more rapidly and have more people working on them - whether open or closed source.

    Your arguments on this topic are very very weak. I could trot out the thousands of vulnerabilities in closed source software as a counter but it would be pointless.
    And there are about as many in open source. Let me improve my argument with a bit of empirical evidence showing that both closed and open source are pretty much equally vulnerable.

    http://www.icsi.berkeley.edu/pubs/ne...curityof09.pdf

    The worst thing though is to have good documentation and an open code base and having no one reviewing and updating that code regularly. That is a recipe for disaster as the documentation is just a gift to hackers (like Heartbleed) and there are quite a few open source projects that suffer from this sort of neglect (no one reviewing or updating code regularly or properly).
    Last edited by seawolf; 23rd July 2014 at 12:55 PM.

  5. #20 posted by localzuk

    Quote Originally Posted by seawolf:
    Bugs are discovered and fixed all of the time in closed source software. Like Windows for example. You know, that closed source, proprietary system you use all of the time? So, the bug may have been found and fixed much faster. On the other hand, it may have not. You accuse me of championing security through obscurity (I am not) while apparently claiming that open source is always more secure. It is not. It's much more complicated than that. Systems and code that are more used are generally improved more rapidly and have more people working on them - whether open or closed source.
    Nope, you've made a bit of an error there. I haven't said open source is always more secure or anything like that. I've merely discounted the concept of security through obscurity as a valid method for protecting software. There are plenty of security holes in both open and closed source software. They get fixed in both open and closed source software and they get exploited in open and closed source software. You're the one making the claim that closed source is somehow better.

    The worst thing though is to have good documentation and an open code base and having no one reviewing and updating that code regularly. That is a recipe for disaster as the documentation is just a gift to hackers (like Heartbleed) and there are quite a few open source projects that suffer from this sort of neglect (no one reviewing or updating code regularly or properly).
    And that is not an argument against open source or against avoiding security through obscurity. It is an argument for better project management and better code auditing. There's plenty of closed source software that suffers from similar neglect. It doesn't mean security through obscurity is a good thing.

  6. #21 posted by seawolf

    Quote Originally Posted by localzuk:
    Nope, you've made a bit of an error there. I haven't said open source is always more secure or anything like that. I've merely discounted the concept of security through obscurity as a valid method for protecting software. There are plenty of security holes in both open and closed source software. They get fixed in both open and closed source software and they get exploited in open and closed source software. You're the one making the claim that closed source is somehow better.
    No, you made the error in assuming that I was preaching for closed source. All I asked was if you preferred Apple to document how to hack the iPhone. As in document all of the back doors and intentional vulnerabilities in iOS so that anyone and their brother could use them. That's what I said. Check it. Then see who jumped to the conclusion here.

    My later comment about obscurity combined with great security frameworks being the ideal means that if you could take the community review of open source and combine it with the obscurity (and money for developers and testers) of closed source you'd have the ideal security. Disagree? It's impossible yes, but it would be the ideal.

    Anyway, I'm done with it. Edugeek is a minefield of bias. Bye.

  7. #22 posted by localzuk

    Quote Originally Posted by seawolf:
    No, you made the error in assuming that I was preaching for closed source.
    So, how did that out in the open thing work out for OpenSSL? Heartbleed anyone? Obscurity plus good security frameworks are the ideal.

    You can't have obscurity and open source, it's simply not possible by its definition. Therefore, the other option is closed source. It's a simple piece of logic based on your own words.

    All I asked was if you preferred Apple to document how to hack the iPhone. As in document all of the back doors and intentional vulnerabilities in iOS so that anyone and their brother could use them. That's what I said. Check it. Then see who jumped to the conclusion here.
    I want Apple to document all the bits of the phone, and what they're doing. Including the bits that track what you're doing and record data onto your device unencrypted. You've consistently ignored the actual points raised in my first post.

    My later comment about obscurity combined with great security frameworks being the ideal means that if you could take the community review of open source and combine it with the obscurity (and money for developers and testers) of closed source you'd have the ideal security. Disagree? It's impossible yes, but it would be the ideal.
    Your later comment is an extension of your comment I quoted above - if you are pro obscurity, using simple logic, you have to be anti-open source. You can't have an obscured open source project.

    Anyway, I'm done with it. Edugeek is a minefield of bias. Bye.
    What is with people who simply can't present good arguments stating this lately? It's happened in 3 or so threads when people fail to state their case properly and then get upset when called on it.

    Your posts are consistent in being pro-Apple. Even in the face of industry standards, evidence and simple facts. It isn't bias to question Apple. It is bias to skip over points raised and start using arguments unrelated to the actual discussion, in order to distract from the original issue.

  8. #23 posted by edutech4schools
    So does this mean China knew something we are just finding out? Seawolf says that both Apple and MS are closed security and it's both these companies that have been banned from Government use in China. Makes me wonder if the reason they gave was different from the real reason.

    Also, with so many people using and editing the Android code base and Google offering the code online would it not be much harder to hide something like this?

  9. #24 posted by SYNACK

    Quote Originally Posted by edutech4schools:
    So does this mean China knew something we are just finding out. Seawolf says that both Apple and MS are closed security and it's both these companies that have been banned from Government use in China. Makes me wonder if the reason they gave was different from the real reason.

    Also, with so many people using and editing the Android code base and Google offering the code online would it not be much harder to hide something like this?

    How hard is it to hide something in several million lines of code, especially if it is the difference of a single character pointer dereference in all of that?

  10. #25
    When you have to have physical access to the device and for it to be unlocked, it's not really a bomb is it?

    Security expert rejects Apple, NSA, iOS backdoor claims « ComputerWorld

    Security researcher/hacker Jonathan Zdziarski (aka. "NerveGas") made the claims at the HOPE/X hacker conference, saying these "undocumented" services could be used by law enforcement. Typically, his story quickly became a cause célèbre among those who seek to damage Apple's robust reputation for security.

    Apple swiftly rejected Zdziarski's accusations, pointing out that end users are in complete control of the claimed hacking process -- the person owning the device must have unlocked it and "agreed to trust another computer before the computer is able" to access the diagnostic data the claimed NerveGas attack focuses on.

    In other words the NerveGas attack is a non-story. It's hot air.
    The Apple backdoor that wasn't « ZDNet

    Last weekend, a hacker who's been campaigning to make a point about Apple security by playing fast and loose with the now widely-accepted definition of "backdoor" struck gold when journalists didn't do their homework and erroneously reported a diagnostic mechanism as a nefarious, malfeasant, secret opening to their private data.

    Speaking at the Hackers On Planet Earth conference in New York, Jonathan Zdziarski said that Apple’s iOS contains intentionally created access that could be used by governments to spy on iPhone and iPad users to access a user's address book, photos, voicemail and any accounts configured on the device.

    As he has been doing since the Snowden documents started making headlines last year, Mr. Zdziarski re-cast Apple's developer diagnostics kit in a new narrative, turning a tool that could probably gain from better user security implementation into a sinister "backdoor."

    The "Apple installed backdoors on millions of devices" story is still making headlines, despite the fact that respected security researchers started debunking researcher Jonathan Zdziarski's claims the minute people started tweeting about his HopeX talk on Sunday.
    Regardless of the problems with Mr. Zdziarski's sermon, the (incorrect) assertion that Apple installed backdoors for law enforcement access was breathlessly reported this week by The Guardian, Forbes, Times of India, The Register, Ars Technica, MacRumors, Cult of Mac, Apple Insider, InformationWeek, Read Write Web, Daily Mail and many more (including ZDNet).

    People were told to essentially freak out over iPhones allowing people who know the passcode and pairing information to use the device.

  11. #26 posted by Alkaline
    Nothing to hide, nothing to fear.

    This is gonna happen forever, even if they say it's not happening.

    If people want complete privacy, throw your laptop and phone into the river, delete as many online accounts as you can, and then go and live in the Scottish Highlands under a new name.

    Hand written letters are permitted.

    Good luck!

  12. #27 posted by Theblacksheep

    Quote Originally Posted by Alkaline:
    Nothing to hide, nothing to fear.
    The cry of the stupid.

    "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged"

  13. #28 posted by Alkaline
    More the cry of common sense.

    I am accepting that monitoring will occur. And that if you are not doing anything wrong under UK law you have nothing to fear.

    The cry of the stupid comes when something happens and those against snooping complain that nothing was done to stop an incident.

  14. #29 posted by localzuk

    Quote Originally Posted by Alkaline:
    More the cry of common sense.

    I am accepting that monitoring will occur. And that if you are not doing anything wrong under UK law you have nothing to fear.

    The cry of the stupid comes when something happens and those against snooping complain that nothing was done to stop an incident.
    It's demonstrably false though. Corruption occurs all the time. Corruption affected my life and I should have had nothing to fear... You're assuming that the system is a just and fair one. It really really isn't.

  15. #30 posted by Alkaline

    Quote Originally Posted by localzuk:
    It's demonstrably false though. Corruption occurs all the time. Corruption affected my life and should have had nothing to fear... You're assuming that the system is a just and fair one. It really really isn't.
    In the case of snooping there are safeguards in place, warrants etc.

    We work towards a just and fair society, but also a society which is secure.

    Any person can yield to corruption. That will always be the case. That is why more than one person is involved. Absolute power corrupts absolutely, so they say. Absolute power is not something that is commonplace in these sort of things these days.
    Last edited by Alkaline; 28th July 2014 at 10:46 PM.
