Is the DEA Lying About iMessage Security?
First time accepted submitter snobody writes "Recently, an article was posted on Slashdot about the claim that law enforcement made about being frustrated by their inability to decrypt messages using Apple's iMessage. However, this article on Techdirt suggests that the DEA may be spewing out disinformation. As the Techdirt article says, if you switch to a new iDevice, you still are able to access your old iMessages, suggesting that Apple has the key somewhere in the cloud. Thus, if law enforcement goes directly to Apple, they should be able to get the key."
Re:Who cares (Score:4, Interesting)
Everyone should. Not because they're breaking a law, but because laws are changing. And rapidly so. What is very legal today may be illegal tomorrow. And then try to prove that you stopped the behaviour just because it became illegal. What is that you say? They have to prove that you still did it after it became illegal? You think you'd be the first to be in jail because there is "strong evidence" (read: someone hinted at it) that you did again what you did before?
Re:Key in cloud != Key accessible by Apple (Score:5, Interesting)
Re:PGP (Score:5, Interesting)
If they were the only ones who said so, I'd be inclined to distrust it too. However, RSA has been around for 36 years now with no serious challenges, so either there is a world-wide conspiracy that controls every single mathematician (or several that between them control all the mathematicians), or it's unbroken.
It's also possible that there are a few mathematicians decades ahead of current research that all work for various governments, but considering how much of mathematical work is derivative now, it seems far too unlikely that some unaffiliated researcher wouldn't have stumbled across the discovery independently.
(Well, or the NSA has a working quantum computer that can do work on a useful scale, which goes back to "decades ahead of current research".)
Re:It's American company so the answer is obvious (Score:1, Interesting)
OpenSSH buys you very little. The key management has always been poor, especially the host key management, which is replaced and updated without signatures and is subject to more man-in-the-middle attacks due to the idiots who leave unsecured hostkeys and personal keys lying around on poorly secured filesystems.
OpenSSH ignores the user environment. Theo de Raadt's attitude is that if you don't trust the host you're on or the one you're connecting to, you're screwed anyway, so why bother implementing even the most basic steps (such as a more useful chroot cage for upload/download areas, proper management tools for updating locally recorded hostkeys, or *turning off* the default support for passphrase free personal or host keys)? There is *no excuse* for the default behavior passphrase keys for critical SSH servers; they should require a hands-on "start this server and unlock the keys" operation as Kerberos and Apache have done for years. Otherwise, it's like putting a really, really big lock on a door with the hinges on the outside.
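An added example, not part of the comment above and not OpenSSH code: one way to audit for the passphrase-free private keys that comment describes, by reading the cipher name from an `openssh-key-v1` file or the `Proc-Type` header of a legacy PEM key. The function names and the sample keys are hypothetical; the samples are constructed headers with no key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def parse_pem(text):
    """Split the first PEM block into (BEGIN line, header lines, decoded body)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM private key")
    body = lines[1:-1]
    headers = [l for l in body if ":" in l]           # e.g. Proc-Type, DEK-Info
    b64 = "".join(l for l in body if l and ":" not in l)
    return lines[0], headers, base64.b64decode(b64)

def key_is_encrypted(text):
    """True if the private key in `text` is protected by a passphrase."""
    begin, headers, blob = parse_pem(text)
    if begin == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Layout: magic, then length-prefixed ciphername ("none" = no passphrase).
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            raise ValueError("bad openssh-key-v1 header")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]
        if len(cipher) != n:
            raise ValueError("truncated cipher name")
        return cipher != b"none"
    if begin == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return True
    # Legacy PEM (RSA/DSA/EC): encryption is flagged in the Proc-Type header.
    return any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)

def unprotected_keys(keys):
    """Given {name: key text}, return sorted names of keys with no passphrase."""
    return sorted(name for name, text in keys.items() if not key_is_encrypted(text))

def constructed_key(cipher):
    """Constructed sample: openssh-key-v1 header fields only, no key material."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"")
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    sample = {"id_plain": constructed_key(b"none"),
              "id_locked": constructed_key(b"aes256-ctr")}
    print(unprotected_keys(sample))
```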