Quantcast

Jump to content

» «
Photo

Cash vs Electronic money

46 replies to this topic
sivispacem
  • sivispacem

    Jo Näkyvi Pohjan Portit

  • Moderator
  • Joined: 14 Feb 2011
  • European-Union
  • Contribution Award [D&D, General Chat]
    Most Knowledgeable [Vehicles] 2013
    Best Debater 2016, 2015, 2014, 2013, 2012, 2011

#31

Posted 07 October 2016 - 02:05 PM

I'm pretty sure you can make any transactions completely untraceable back to you

You can't. Not without losing the ability to actually access the money, anyway. Your example falls flat because you're only looking at a small window of the actual transaction flow, not the whole thing.

RogerWho
  • RogerWho

    "Life is... weird."

  • Members
  • Joined: 02 Sep 2014
  • European-Union

#32

Posted 07 October 2016 - 02:36 PM

Yea, I'm talking just about the transactions themselves, implying that you deal only with bitcoins and not trying to convert them from/to other kinds of currency. Also implying that you don't buy physical stuff with bitcoins and have it delivered to our house using DHL thus leaving a nice paper trail.

 

Depending on what you'd actually want to do, you'd need to take adequate anonymization steps with the rest of the workflow as well but it's certainly doable if you have the will.


sivispacem
  • sivispacem

    Jo Näkyvi Pohjan Portit

  • Moderator
  • Joined: 14 Feb 2011
  • European-Union
  • Contribution Award [D&D, General Chat]
    Most Knowledgeable [Vehicles] 2013
    Best Debater 2016, 2015, 2014, 2013, 2012, 2011

#33

Posted 07 October 2016 - 02:43 PM

Cryptocurrency is eminently traceable, and complete anonymisation against the resources and capabilities of nation states is effectively impossible.

RogerWho
  • RogerWho

    "Life is... weird."

  • Members
  • Joined: 02 Sep 2014
  • European-Union

#34

Posted 07 October 2016 - 05:56 PM Edited by RogerWho, 07 October 2016 - 05:57 PM.

Well that's quite a different debate how omnipotent the "nation states" actually are or aren't. We don't really know what *exactly* the agencies are capable of when it comes to technology. You can't really crack good encryption without a security hole or a quantum computer for example, regardless of how much money you throw at the problem. Which is why, as far as we know, the agencies rely on backdoors directly to email providers and other ways of surveillance so they don't need to deal with that sh*t all the time.

 

Remember how FBI had to sue Apple to get them make a backdoor to the iPhone? Eventually they dropped it after they (apparently) figured out an alternative way but it's obvious they didn't have a solution ready. So you can't really say that "they" can read anything and everything regardless of the safety steps.

 

Crypto-currency is similar in the technological hurdles. You can use a private key from wherever, use a randomly-generated address for each transaction and several more steps. Is the technology safe enough that it's truly untraceable? It appears that it should be safe enough, or at least as safe as you care to make it for yourself. At the end we can only guess, I sure hope no agency will be interested enough in me that I find out for myself.

 

Either way we can surely agree that it's way more easier to just go to the bank and ask them for the list of your credit card transactions.


sivispacem
  • sivispacem

    Jo Näkyvi Pohjan Portit

  • Moderator
  • Joined: 14 Feb 2011
  • European-Union
  • Contribution Award [D&D, General Chat]
    Most Knowledgeable [Vehicles] 2013
    Best Debater 2016, 2015, 2014, 2013, 2012, 2011

#35

Posted 07 October 2016 - 07:10 PM

You can't really crack good encryption without a security hole or a quantum computer for example, regardless of how much money you throw at the problem.

You don't need to. Trying to crack encryption algorithms is a waste of time and resources; you either attack the implementation of cryptography (via a side-channel) or you use techniques to bypass the cryptography entirely and obtain the data underneath either before transit or after decryption. Or you subvert the cryptographic seed generation techniques to weaken the crypto in the first place.

Which is why, as far as we know, the agencies rely on backdoors directly to email providers

That's something a bit different, though. That's not an example of user crypto, the encryption is all handled server side so the "channel" there is with the vendor.
 

Remember how FBI had to sue Apple to get them make a backdoor to the iPhone?

This isn't entirely true. The techniques for extracting private keys in the manner which was eventually used has been done in mobile forensics for a while now. The main justification behind the desire to pressure Apple into backdooring the OS was the legal precedent it would set, which would move the requirement for most of the exploitation work (which is costly, complex snd requires extremely rare expertise) onto the vendors.

Is the technology safe enough that it's truly untraceable? It appears that it should be safe enough, or at least as safe as you care to make it for yourself.

Depends on the adversary. If you're talking criminal type actors who are all about maximising financial return for the minimum iutlsy and who don't care about the actual victim (IE go for low hanging fruit) then sure. If you are the criminal, being pursued and specifically targeted by law enforcement or security services, then I don't think anything is "safe enough" to prevent compromise.

RogerWho
  • RogerWho

    "Life is... weird."

  • Members
  • Joined: 02 Sep 2014
  • European-Union

#36

Posted 07 October 2016 - 08:05 PM

you either attack the implementation of cryptography (via a side-channel) or you use techniques to bypass the cryptography entirely and obtain the data underneath either before transit or after decryption
That's the point I was trying to make: rather then dealing with such technological hurdles directly, it's way more effective to go around them. So instead of trying to decrypt an encrypted HDD, it's easier to plant some malware on the user's PC in advance or use other methods of surveillance. But that requires targeting of specific individuals so unless you're already under watch, the tech you may be using can be completely bullet-proof.
 
The point of failure is most likely elsewhere than the actual technology. Same thing with cryptocurrencies, actual criminals who would use bitcoins for money transfers (e.g. drug dealers) would be probably under different sort of surveillance and those bitcoin transfers might therefore be traced based on that, not as a starting point.
 
Of course the point would be moot if we'd be all under 24/7 full surveillance 1984-style, but that's not really happening yet.
 
The techniques for extracting private keys in the manner which was eventually used has been done in mobile forensics for a while now.

Yes, but it's getting more and more difficult. Phone manufacturers (or at least Apple, most Android makers don't give a sh*t) are constantly upping the ante. You can't even dismantle and put together the later iPhones without them refusing to work, since the individual parts use encryption on hardware level and can't even communicate with each other unless they get their private keys exchanged using Apple equipment. Due to the tech advancements, it's not only costly but most likely becoming impossible to crack this tech without completely reverse-engineering it. Which is why it would be easier (again) for the agencies to just force the manufacturers to make backdoors for them. I do wonder what happens next time when the FBI needs to unlock an iPhone 11 or so.


sivispacem
  • sivispacem

    Jo Näkyvi Pohjan Portit

  • Moderator
  • Joined: 14 Feb 2011
  • European-Union
  • Contribution Award [D&D, General Chat]
    Most Knowledgeable [Vehicles] 2013
    Best Debater 2016, 2015, 2014, 2013, 2012, 2011

#37

Posted 07 October 2016 - 08:18 PM

Same thing with cryptocurrencies, actual criminals who would use bitcoins for money transfers (e.g. drug dealers) would be probably under different sort of surveillance and those bitcoin transfers might therefore be traced based on that, not as a starting point.

In the case of bitcoin, this simply isn't true. Bitcoin transactions are absolutely traceable, and without too much difficulty given the entire blockchain and ledger are public. The reason bitcoin is employed by criminals isn't because it's untraceable, or even that difficult to trace. It's because it can't be frozen or seized, and can be easily monetised without attracting attention. These factors also make it very vulnerable to theft or manipulation, as Mt. Gox demonstrated.

Yes, but it's getting more and more difficult.

Not from a hardware perspective it isn't. And it won't until mobile vendors start deploying proper Secure hardware Cryptomodules like Trusted Platform Module. The improvements in Apple (and Android) security over the last few generations have been primarily in the OS and firmware; they're still vulnerable to hardware based attacks as many security vendors have demonstrated.

RogerWho
  • RogerWho

    "Life is... weird."

  • Members
  • Joined: 02 Sep 2014
  • European-Union

#38

Posted 07 October 2016 - 09:01 PM Edited by RogerWho, 07 October 2016 - 09:02 PM.

Bitcoin transactions are absolutely traceable, and without too much difficulty given the entire blockchain and ledger are public.

But how do you trace the transaction to a particular person? That's the point. If I buy bitcoins in cash from someone in the dark alley, using a wallet on a burner phone, with internet connectivity on an anonymous prepaid card, then use those bitcoins to buy internet porn and watch said porn on the same phone which is never turned on in my home town, how could anyone ever trace it to my person without other forms of surveillance?

 

Not from a hardware perspective it isn't. And it won't until mobile vendors start deploying proper Secure hardware Cryptomodules like Trusted Platform Module. The improvements in Apple (and Android) security over the last few generations have been primarily in the OS and firmware; they're still vulnerable to hardware based attacks as many security vendors have demonstrated.

Apple has their equivalent of TPM, hardware-based, which is enabled on their later devices (at least those with a fingerprint reader). Which is why you can't disassemble and put together an iPhone without it stopping to work since the pieces need to be authorized using Apple equipment. There was a mild controversy about it last year as 3rd party service centers were complaining about not being able to repair iPhones.

 

Most Android makers don't give a sh*t (AFAIR HTC in particular is a complete joke when it comes to security) but Apple seems to take this pretty seriously. It appears next time FBI will have their work cut out for them, in fact the method they used for unlocking the 5C would already not work on the later ones. Note: I'm not actually an Apple lover, it's just this particular thing they appear to do well.


sivispacem
  • sivispacem

    Jo Näkyvi Pohjan Portit

  • Moderator
  • Joined: 14 Feb 2011
  • European-Union
  • Contribution Award [D&D, General Chat]
    Most Knowledgeable [Vehicles] 2013
    Best Debater 2016, 2015, 2014, 2013, 2012, 2011

#39

Posted 07 October 2016 - 09:29 PM

how could anyone ever trace it to my person without other forms of surveillance?

That sort of misses the point. You can't really trace financial transactions either without employing multiple forms of surveillance. The same logic could be employed with a prepaid credit card bought in cash and used the same environment. Bitcoin doesn't really afford either more anonimity or transactional security than other methods leveraging conventional cash.

Apple has their equivalent of TPM, hardware-based, which is enabled on their later devices (at least those with a fingerprint reader). Which is why you can't disassemble and put together an iPhone without it stopping to work since the pieces need to be authorized using Apple equipment.

This isn't entirely accurate. It's possible to subvert the lock screen on any iPhone up to the 6 Plus by desoldering and cloning the NAND chip. With later nodeks, your average pleb can't simply swap components such as the mainboard thanks to the Security Enclave/SecurCore. This prevents off-chip attempts at bruteforcing the passcode off-device, but the Enclave itself can be subverted in a similar manner to the flash memory attacks on earlier devices. It's extremely risky in terms of the possibility for outright destruction of the Enclave chip, but entirely possible. The chip itself can also be cloned given the resources to do so.

RogerWho
  • RogerWho

    "Life is... weird."

  • Members
  • Joined: 02 Sep 2014
  • European-Union

#40

Posted 07 October 2016 - 10:45 PM

Bitcoin doesn't really afford either more anonimity or transactional security than other methods leveraging conventional cash.

I'm not arguing it provides more anonymity, I'm saying that if the anonymity of the transaction or the user is compromised, the point of failure is elsewhere and not with the design of the cryptocurrency itself. In other words bitcoins are not inherently traceable to the user, unless the user doesn't care about being identified.

 

The point you made about bitcoins being safe from being seized or frozen is also valid. Yea, technically I can also use an anonymous credit card or bank account for the same purposes as bitcoins, but since it's under a central authority, there's a risk it can be blocked. Heck, a card just needs to expire for it become worthless.

 

It's possible to subvert the lock screen on any iPhone up to the 6 Plus by desoldering and cloning the NAND chip.

That's not what I heard. Well technically you can clone the NAND chip of course but the data shouldn't be usable if the device was locked. You have a source for those experiments? That said, even if it's true that the current generation is still vulnerable like that, it may not be the same with the next one, and you can always employ further security measures. Cracking a locked phone is useless if the user stores their info in an app with another layer of password protection.


sivispacem
  • sivispacem

    Jo Näkyvi Pohjan Portit

  • Moderator
  • Joined: 14 Feb 2011
  • European-Union
  • Contribution Award [D&D, General Chat]
    Most Knowledgeable [Vehicles] 2013
    Best Debater 2016, 2015, 2014, 2013, 2012, 2011

#41

Posted 08 October 2016 - 09:18 AM

That's not what I heard. Well technically you can clone the NAND chip of course but the data shouldn't be usable if the device was locked. You have a source for those experiments?

http://arstechnica.c...asscode-attack/

Basically NAND mirroring has been demonstrated with trivial hardware costs on the 5C and theoretically remains possible on later generations too, but hasn't yet been demonstrated due to the transition to the m-PCIE NAND interface on the 6S onwards.

RogerWho
  • RogerWho

    "Life is... weird."

  • Members
  • Joined: 02 Sep 2014
  • European-Union

#42

Posted 08 October 2016 - 12:43 PM Edited by RogerWho, 08 October 2016 - 01:04 PM.

OK, so looking at the paper, what they actually demonstrated in this case is brute-forcing a 4-digit passcode (after cloning the contents of the NAND). True, this would probably easily work with anything you have physical access to, but the point of failure here is the user for having a weak password and storing the data in the most approachable way (e.g. in the default apps). There are enough security measures available to make such an attack worthless.

 

Edit: I just looked at my iPod Touch at what options regarding passcode it actually has and there are options for: 4 digits, 6 digits, custom digits (30+ seems to work) and custom alphanumerical. The question is, whether this passcode can be overriden entirely using NAND mirroring, but this demonstration hasn't proven that.


sivispacem
  • sivispacem

    Jo Näkyvi Pohjan Portit

  • Moderator
  • Joined: 14 Feb 2011
  • European-Union
  • Contribution Award [D&D, General Chat]
    Most Knowledgeable [Vehicles] 2013
    Best Debater 2016, 2015, 2014, 2013, 2012, 2011

#43

Posted 08 October 2016 - 04:26 PM

The question is, whether this passcode can be overriden entirely using NAND mirroring, but this demonstration hasn't proven that.


Actually, that wasn't the question, or the approach taken by the FBI in actually decrypting the phone. That was simply a lock screen retry limitation bypass, which is effectively what NAND mirroring also accomplishes.

RogerWho
  • RogerWho

    "Life is... weird."

  • Members
  • Joined: 02 Sep 2014
  • European-Union

#44

Posted 08 October 2016 - 04:58 PM Edited by RogerWho, 08 October 2016 - 05:00 PM.

The effectiveness however is dependent on quality of the password since the paper describes brute-forcing it. They mention that a 4-digit passcode can be brute-forced within a day. But use just a reasonably long hexadecimal password and they won't get anywhere with this approach, unless the actual contents of the memory aren't properly encrypted and thus could be read directly by an external device - which is what I was interested in the first place. For now, the user is the known weak link, not the tech.

 

Either way, we've come far from cash vs. electronic money.


sivispacem
  • sivispacem

    Jo Näkyvi Pohjan Portit

  • Moderator
  • Joined: 14 Feb 2011
  • European-Union
  • Contribution Award [D&D, General Chat]
    Most Knowledgeable [Vehicles] 2013
    Best Debater 2016, 2015, 2014, 2013, 2012, 2011

#45

Posted 08 October 2016 - 05:52 PM

I assume you don't acrually mean hexadecimal, given that a 16 character keyset gives vastly less possible permutations than the 95-character printable ASCII keyset.

RogerWho
  • RogerWho

    "Life is... weird."

  • Members
  • Joined: 02 Sep 2014
  • European-Union

#46

Posted 08 October 2016 - 06:39 PM

No, that's my fever talking. I meant alphanumerical of course :lol:


=Signal=
  • =Signal=

    Bitches!

  • Members
  • Joined: 14 Nov 2010
  • None

#47

Posted 12 December 2016 - 05:48 AM

Now a days they f*cking clone credit cards lmao!





1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users