[cryptography] Here's What Law Enforcement Can Recover From A Seized iPhone

Jon Callas jon at callas.org
Fri Mar 29 02:56:01 EDT 2013


On Mar 28, 2013, at 10:27 PM, Jeffrey Goldberg <jeffrey at goldmark.org> wrote:

> There are a couple interesting lessons from LocationGate. 


> The second lesson has to do with the status of iOS protection classes that can leave things unencrypted even when the phone is locked. There are things that we want our phones to do before they are unlocked with a passcode. 


> The trick is how to communicate this the people...


Very well put in all of those.

> What's the line? Never attribute to malice what can be explained by incompetence.

That is the line. And also that stupidity is the second most common element in the universe, after hydrogen. (And variants on that.)

> At the same time we are in the business of designing systems that will protect people and their data under the assumption that the world is full of hostile agents. As I like to put it, I lock my car not because I think everyone is a crook, but because I know that car thieves do exist.

And in many cases a cheap lock will work because it deters and deflects, not because it actually prevents. This doesn't apply so much with information security, but I think it does in places.

For example, I think that the most important thing about a password is that it not be a dictionary word. If it is one, length doesn't matter. If it isn't, length only matters a little, because most attackers just want someone's password, not yours. If they do want yours, either spearphishing or malware like Zeus is a better bang for the buck. They won't actually bother cracking it, they'll go around it.


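The password point above (a dictionary word is bounded by wordlist size no matter how long it is, while a non-dictionary string is bounded by charset^length) can be turned into a policy check. The following is an added example, not code from this thread or from either poster; the wordlist, the assumed dictionary size of one million entries, the mangling budget of 1000 rules per word and the leet table are all constructed assumptions chosen to make the estimate concrete.

```python
import string

# Constructed toy wordlist standing in for a real cracking dictionary. Only its
# size matters for the estimate below, so the assumed size is kept separate.
TOY_DICTIONARY = {"password", "dragon", "sunshine", "letmein", "monkey", "football"}
ASSUMED_DICTIONARY_SIZE = 1_000_000   # assumption: order of magnitude of a real wordlist
MANGLING_BUDGET = 1_000               # assumption: case/leet/suffix rules tried per word

# Leet substitutions a dictionary attack tries for free; '1' -> 'i' is a simplification.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Undo the cheap mangling an attacker applies: case, trailing digits/symbols, leet."""
    base = candidate.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET)


def is_dictionary_based(candidate: str, dictionary=TOY_DICTIONARY) -> bool:
    """True when the candidate is a wordlist entry under a cheap mangling rule."""
    return normalize(candidate) in dictionary


def charset_size(candidate: str) -> int:
    """Size of the smallest standard character-class mix that covers the candidate."""
    size = 0
    if any(c.islower() for c in candidate):
        size += 26
    if any(c.isupper() for c in candidate):
        size += 26
    if any(c.isdigit() for c in candidate):
        size += 10
    if any(c in string.punctuation for c in candidate):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def estimated_guesses(candidate: str, dictionary=TOY_DICTIONARY) -> int:
    """Rough number of guesses an offline attacker needs.

    A dictionary-based password is bounded by wordlist size times the mangling
    budget, independent of its length; anything else is bounded by the
    exhaustive search space charset ** length.
    """
    if is_dictionary_based(candidate, dictionary):
        return ASSUMED_DICTIONARY_SIZE * MANGLING_BUDGET
    return charset_size(candidate) ** len(candidate)


def report(candidates):
    """Map each candidate to (dictionary_based, estimated_guesses) for policy review."""
    return {c: (is_dictionary_based(c), estimated_guesses(c)) for c in candidates}


if __name__ == "__main__":
    samples = ["dragon", "Football!!", "Sunsh1ne2013", "xq7Gv!mR"]
    for pw, (dict_based, guesses) in report(samples).items():
        print(f"{pw:14} dictionary={dict_based!s:5} guesses~{guesses:.1e}")
```

Run against the constructed samples, "Football!!" and "Sunsh1ne2013" land on the same guess bound as the bare word "dragon" despite their extra length and symbols, which is the "length doesn't matter if it is a dictionary word" point; the eight-character non-dictionary string sits at 94^8, where each added character multiplies the bound rather than adding to it.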

