Hacker News new | past | comments | ask | show | jobs | submit login

The way Apple could "read" the messages is by sending a keybag down to the person sending the messages with another public key, one that Apple holds the private key for.

For example if you have 3 devices (iPhone, iPad, MBP) and someone goes to send you a message, they have to re-encrypt the message three times because Apple would have sent them three public keys.

Now if Apple were evil because of a government order, they could send down four public keys, the three ones for the devices you own, and the one public key that Apple has the private key for. At that point once they receive the message they can read it.

Any system that distributes public keys like this can be compromised the same way.

---

The only real way to stop something like this is to make sure that the person you are talking to holds the keys, OTR does this for example by allowing both parties to verify the fingerprint...




Lawful intercept isn't evil.


When there are secret courts and laws, it is evil. It is indistinguishable from the surveillance state.


Hardly. I think people's concern is with the use of warrants that apply to a massive range of people to justify (legally) data collection en masse without being backed by intelligence and probabal cause. Declaring that all warrants for communications material are evil because a certain subset are evil does not work to improve our situation at all; it is a tabloid worthy knee jerk reaction, and while such populism is common here, it is not constructive.


Let's say you are the German foreign ministry's IT guy. Are you really going to say "Hey, it's OK to use services and equipment from the companies on the PRISM participants list because we can trust the denials that they work with the NSA and we can trust LI not to be a gateway for spying <cough>Athens Affair</cough>."

This is not a matter of populism or even of principle. US technology can't be trusted any more. How are you going to restore that trust without making the technology verifiable and without providing simple, reliable ways for end users to routinely put their communications and data out of reach of surveillance?

Where is the "populism" in this? This is about many 10s of billions of dollars in revenue lost and even more in lost shareholder value and opportunity.


that depends on if the law is moral or immoral. Anything can be turned into law.


Who decides if they're moral?


You do, or at least I hope you do.


Would you suggest that Apple be the arbiter of morality?


Are the NSA's intercepts lawful?


The NSA's intercepts are a lot different from this. The problem with PRISM and the FISA courts that the NSA is intercepting all the data they think they'll ever need, then they need a warrant to query it. It inverts the intention of what warrants are for, which is to require just cause before any surveillance happens.

With iMessage, if the FBI gives apple a warrant to include their snooping pubkey as an additional encryption endpoint for all messages for a user, by definition it only gives access to messages made from then on, which is in keeping with how I would expect a search warrant to work.


My comment to which you replied was tongue-in-cheek, responding to the fellow who was defending lawful intercept. The point is that the NSA's intercepts, though controversial, have not halted nor have they been declared unlawful. (Not talking here about 215 programs.)

You're correct about iMessage, which is an important point to make. But you're not correct about PRISM; see my article from last summer: http://news.cnet.com/8301-13578_3-57588337-38/


This is a stale thread but I thought I should reply:

I made no claim that about direct access to servers, but I guess since the rumors of direct server access and "PRISM" are synonymous in popular news articles, it was misleading to use the term. My point still stands if you replace "PRISM" with "NSA's dragnet surveillance", which is surely happening.


And it would also only be for a specific user, rather than the dragnet surveillance (biggest fishing trip in history) that the NSA, et al, are conducting.


And I have bridge in Brooklyn I'd like to sell you.


Security is not a subset of morality.


Says spooky23.


My iPhone gives me a loud, blaring notification whenever my keybag gets changed, so it wouldn't necessarily be easy to modify my keybag without me knowing, unless they already have code in place with that specifically in mind.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: