I think the fact that even Apple can't unlock your phone if you forget your passcode proves that they use very naive encryption method.

Suppose my data is "Hey This is Some Data" and Passcode is 1234, I could just Jumble this data using that passcode and It will be difficult to decrypt without Passcode. And If data is huge, it will be fairly impossible to do so. But that doesn't make it a good encryption method.

Such encryption, though safe is not practical, Imagine if there was no "Forget Password" Option on any account, I usually forgot my password very often when I was a child.

Apple has been doing such things for years, Using Bad things as a selling point. Apple users are dumb anyways because they don't want to control their phone.

Reset Password is a weak point which might be exploited but in such cases, usability is more important than security. Any service which doesn't allow resetting Password is a shitty service and I would never use such a service, They are too naive.

Are you an idiot?

Using back-doored encryption is not better. It’s the exact opposite of better. I don’t care if it’s for convenience, it. is. not. secure.

Any flaw in security can and will be exploited. If not by malicious actors, by companies looking to exploit your data, and by the government.

Security should be your first concern; only after that should you work on making a product usable and friendly. Anything else is incredibly naïve.

@Root So all your data on Google Should have been hacked by now because they don't use such naive encryption. This is not a security flaw apple just never Bothered to think about a better encryption. So much user's data was completely lost from this world because they forgot their password. Why would anyone use such a mechanism?

If the data is huge it makes it easier to decrypt. Much more chances of finding patterns.

@theabbie All of the data google has, even the encrypted “secure” data, they share freely with the US government. Five eyes, prism, and all that. Same goes for Facebook, Amazon, Microsoft, Intel, etc.

I do not have any data on google. At least I do my damndest to not feed them any more. Same for the rest.

@Root Yeah, Fuck Google, All the websites on internet dumb as they allow you to reset password. Stop hating Google because of half knowledge, This doesn't make you cool.

@theabbie You really need to stop. Almost everything you have said is wrong. Even if you don’t know it, you’re embarrassing yourself.

@iiii Consider this jumbling function I Made

function jumble(text,n) {
var result="";
go(text,n);
function go(text,n) {
if (text.length!=1) {
var p = text.split("")[((n-1)%(text.length))];
result+=p;
go(text.slice(((n-1)%(text.length))+1,text.length)+text.slice(0,((n-1)%(text.length))),n);
}
else {result+=text;}
}
return result;
}

The output of

jumble("This is some data And It is Not even very long, Try this", n)

is " tt r ss snnhsANersa y o eTiIvidey vTdoe mlntt iao,gih "

Please find n

and this data is very small compared to real world data, and n is just an integer. You have very wrong sense of encryption.

@Root Why do you criticize things with half knowledge about that? We are not living in a perfect world, people do forget password. If your key gets lost, you don't abandon your house. It's a useless encryption, admit that.

@theabbie have you even read my message? 🤦‍♂️

@iiii Yeah, I read it, in my function, decryption becomes tougher if data size increses. Your statement was wrong.

@theabbie no it does not. It's not even good or strong encryption.

@theabbie What is the point of encryption? To secure the data. Having another key that the user does not control is the antithesis of secure because the user no longer controls access to their data.

When are encryption algorithms deprecated? When people find flaws that allow them to make better guesses at keys, or because there are a high number of collisions, and therefore multiple keys the user does not intend.

Having multiple keys the user controls is fine. It lowers the strength of the encryption, but it keeps everything squarely in the user’s hands — and only the user’s hands.

As soon as someone else has access, or an easier time gaining access, it is no longer secure.

@Linuxxx, care to have an aneurism? Come read this!

@iiii Then prove it. here n is just a one digit integer, Suppose passcode is ABCD, I could do this

var x = data;
x = jumble(x,A);
x = jumble(x,B);;
x = jumble(x,C);
x = jumble(x,D);

How will you find original data without Passcode, I have an unjumble function too, It can be decrypted but not without passcode.

To use Brute force you have 10000 combinations, That's not feasible.

@theabbie you need to read up on encryption methos. Like, a lot.
I do agree that over-authentication makes just about anything useless, but security has impact on usability too. Which is why proper level of security is hard to reach.

But as for Apple, all your data is backed up, so what difference does it make if you lose your lock? You just factory reset and start again.

@Root The goal of encryption is that no one other than user and the service should be able to access it. And,. multiple keys won't help, The goal here is to get data even if everything is lost. There are better ways to protect data from hackers, For example, Using another encryption over user data. What If you have a brain surgery and lose your password. Your data is gone forever, Just because of a naive encryption.

@NoMad That means the Backed up data is unencrypted somewhere, or, if even encrypted, is not with the user's passcode, as per @Root it should be completely controlled by user. Isn't that a backdoor. Why can't it be exploited. Please understand that Either it can be completely secure or usable. not both. Se need something in between them.

@theabbie the passcode to your device and your cloud account are different... You know that, right?

@theabbie considering you've said it's only a single digit number, i have only 10 combinations to try. And I can safely rule out 0 because your function would not change the input text if the key is zero. so it's 9 variants.

@theabbie Password manager. 🙄

Security through obscurity is not security at all. 🙄

Secure security is not naïve security. Intentionally weakened security is. 🙄

For multiple keys: A single-use password reset code, written down on physical paper, a la TutaNota. This is a backdoored encryption algo used for good rather than evil.

Your one controversial headache 🤦‍♂️

Serious question, how new are you to the tech field?

So you are saying that if people are used to lose their house/car keys, it is better to make lockers that other people can open without it?

Or yet saying the key guy next to your house have a copy of everyone keys, so he could open your door if you lose them?

Just because you can't remember where did you left them, everyone needs to be have their security compromised?

I don't want to live on this planet anymore.

@NoMad The point is forgetting password, If everyone Remembered password, there wouldn't be any problem, even if it is in device, it can be forgotten

@iiii oooh, a new one!

@iiii I can do it with 4 digits too, one after the other, Then there are 9^4 combinations

@theabbie not if you use it often enough 😛

Also, password managers are there for a reason.

Another points:

Did you know big CEOs etc prefer to have iPhones just because of the extra security Android can't provide?

Or yet, do you think one of the biggest companies in the world is naive just because you don't agree with them?

@Root Password managers mean transferring the burden to them. Even they use such encryption. We can assume that we won't lose Password for that manager but That would be too much trust on them. I am talking about a situation where you lose everything, the only thing that remains is your identity. That's worst case scenario but that's possible.

Stop trolling dude.

@C0D4 Not much experienced but atleast more knowledged about my arguments. Apple has been fooling prople. It's not useful.

@theabbie what is this naive security you are talking about? I got a little lost here...

@theabbie a password reset is not the same as sending you your password.

It's a change of password, meaning the service still has no reason to know what it is and store the damn thing in a 1 way hash.

Encryption is 2 way, hashing is 1 way.
There's a difference.

Except for telcos in Australia that literally SMS you your password in plain text just by adding your username🤦‍♂️🤦‍♂️🤔🤦‍♂️🤦‍♂️
Fuckers

@brunofontes If you lose your house key but you can prove that you own the house, you should be able to get new keys. In this case, your identity is irrelevant, Your Passcode is everything, That's not practical. It's not compromising security, It's just plain carelessness.

@theabbie you know, if you as a person were enough, then you wouldn't need an ID card since a photo of you, or you in person, would be enough 😛

@theabbie so wait, you are using the same kind of argumentation here than in another infamous thread? A theoretical yet unlikely worst case scenario is your argument for something completely irrelevant? Reminds me of some language being not bad because there is a theoretical superdev who never errs...

@100110111 edge lord won't stop

@iiii well, at least I have a virtually unlimited supply of popcorn...

@theabbie in order to prove your identity and get access to your stuff, someone needs ti have it. Probably hundreds of people would have access to your house keys.

Is that what you call security?

@brunofontes CEO's remember their Password, If they forget, they are ready to take responsibility for the loss. Common people, old people, children are not best at remembering passcodes. Android is for smart people who understand their phone, That's harsh, but that's a fact.

@theabbie see, you're extending irrelevant examples. You could keep multiple copies of the physical key elsewhere, but if your lock is easy to pick, that doesn't make the number of keys any relevant.

@100110111 Encrypting data using Password is called naive encryption, atleast for me. Because losing key means losing everything. In real world, that's useless. It hasn't caused problems yet because Apple people don't care about data, they reset and move on.

Like, if you buy a safe for very important stuff you want to the safe factory/workers could open if you loose your code?

So they will have your address and a way to open it without your code?

I am not sure if you understand security, now.

@theabbie any smart enough at least a little bit tech savvy person would use a password manager so as to only have to remember one or two passwords and maybe a few pin codes..

I'm going to ring in some people,
This is going to be fun 😅

@linuxxx
@linux
@AlecX04
@F1973
@Jespersh
@CrankyOldDev
@Awlex
@Bubbles
@bhouston
@caramelCase
@AlgoRythm
@Kimmax
@Jilano

@C0D4 You can't reset password if data was encrypted with some other key, you need old password, but, you don't have it. That means it's gone forever.

nNOOOOOOOOOOOOO

@NoMad If you can prove that you own the email ID associated with the account that's enough to prove you own that account and should be able to reset it.

@theabbie hahahaha So you want Apple to sell 2 iPhones, one for important people and another one for dummies?

"Buy your next iPhone for Dummies! You can set any password, any time, and we can just ignore it and unlock your phone if you say your ID number"

@theabbie proof of access is not proof of ownership. 👀

@100110111 It's not worst case, you never forgot your password? Or, your parents, or anyone you know. It happens a lot. People forget. They should not have all the burden.

@brunofontes Proving Identity means owning papers to house. Or, your photo that is with the house registry, or your neighbours statement that you own it. If it is proven, you should be allowe6to access it.

@theabbie the name of this is lack of security. There is plenty of services that implements it. They can even store and send your password in plain text for you.

This is also the reason there are so many email and WhatsApp accounts hacked.

@theabbie let me try a different argument:

1. Forgetting your password doesn't mean your data is useless. It means you don't have access to the data.
2. The encryption key and the password are different things.
3. Some people rather have their dick pics unreachable if they forget their passcodes rather than accessible by everyone.

@NoMad Lock should not be easy to pick but not impossible to pick too, atleast by the owner. We want something in between usability and security.

@brunofontes Not the factory workers, but I, if able to prove that I am the boss, should be able to open it without Passcode

@theabbie dude, this is hilarious. So someone will have your house keys with a photo and, if you show up with the invoice, they can see you face, the paper and give you a new pair of keys?

And all those workers that had access to your keys? And if the place that owns the keys were compromised?

@theabbie but that's literally what security means. It means giving access to the right people. Not to just store your data in oblivion. Lol.

@100110111 I already told password managers are fine, but it's not an excuse to Apple's Carelessness

@theabbie You are mixing topics. A lot.

First: You cannot do a "password reset" on encryption (in contrast to an online service). What you could to, is to save the key somewhere else. And this kind of defeats the purpose... The only way would be to display the key once and let they user write it down.

Second: It's not like all of your data is lost, there is still a (not E2E encrypted) iCloud backup (at least if enabled)...
And *surprise*, this has been used by the FBI (of course sometimes even legitimately).

Third: Apple *could* unlock your phone, by writing an update to the security chip. They explicitly reject this, to prevent opening the Pandora's box.

Fourth: Actually no disk encryption scheme allows decryption by the vendor. Neither LUKS, BitLocker (you could give Microsoft the key, but why would you?) or the pre-T2 encryption on iMacs (I'm contrast to the ones with an iPhone security chip).

@theabbie and how do you think they will have a copy of the keys to provide you if no one has access to it?

@brunofontes You can prove that you own the IPhone, there are numerous ways to do so. And If you can prove it, atleast prople at Apple should be able to unlock it for you.

@theabbie @NoMad so the lock needs to be magical. No one, but the owner, can open it without the keys. Hahahahahah

@C0D4 That means OTP is a joke. I can verify that I can access my SMS but I don't own that number.

@theabbie so if they cab open for you, they can open for eveyone else if it were interesting to them.

@theabbie so basically you just want security to be less secure?

@brunofontes It's mostly user's Carelessness that causes such breach. But that's irrelevant. Many great services use better encryption and weren't hacked.

@C0D4 Thanks for the laugh! This thread made my day 😂

@theabbie Have you ever considered people would want this, by a chance?

Also many people will just setup and fingerprint or facial recognition on their phones, not even needing to enter anything.

@NoMad Forgetting passcode and never Remembering it means data is lost. Everyone doesn't think like your 3rd point.

Also, the answer to your jumble crap is 8. You added an extra space in the expected output. 😕

@brunofontes Why do you need photo. Just show your face and the house registry would have your photo. That's enough to verify ownership.

@NoMad Yeah security means that, But Good security means that it should be accessible by right people even if they don't have passcode, they just have their identity.

@theabbie yes, they have encryption, a good one, that's why toy can't break it without the password.

@theabbie HAHAHAHAHAHAHAHAHAH
Thanks for the laughing, but I really need to sleep.

@sbiewald First: There are good ways to implement reset feature.

Second: Backup defeats the purpose if it's not encrypted the same way and it's not

@F1973 after today's fun and games... do I dare?

@brunofontes They don't have copy because they don't Encrypt like that. They don't give your password they create a new one.

@brunofontes Owner with some guy from that lock company

@theabbie identity is not one dimensional. Which is why we have multiple factor authentication.

But, as for the iPhone, again, you have multiple ways of accessing the same data. No, Apple should not be able to open your phone. Otherwise they could do it for just any reason. Yes, you do get backups. Which is why you can access the data even if you lose access to your phone.

@brunofontes Yeah they can open, they wouldn't, you need trust, World is not a trustless environment

@100110111 Less secure (in disguise) and more usable

@F1973 Is it just me or does that social media list never end? 🤭

No wonder he needs to reset his password so often.

@F1973 One of us is half knowledged, either me or you guys. It will be proved eventually who is

Guys, stop ganging up and making fun. 😛
He clearly doesn't still get the main point of security, so let's not turn a technical issue into a bullying rally. 😒

@sbiewald FaceID is ideal for encrypting and verifying identity at the same time. It's good for security on device

I’m just gonna assume this is a cheap trolling attempt to calm my nerves.

@NoMad I'm trying to play nice... but the evidence is compelling.

@theabbie Backup and device encryptions do have different purposes and threat models, so its fine to not have the same security properties.

This is the usual "usability vs. security" axis, where Apple chose security for their devices (heck, it's one of their core marketing aspects) and usability for their backups.

@Root Yeah, 8 is correct, you had to use brute force, Now If I first encrypt it with 8 then the output with 5 then with 2 and then with 3 and so on, It becomes more difficult with every digit. And the Space was there.

@Python it's not. It's a student's question of "why can't I reset my password". He's mixing a lot of topics, but that's the gist of the main question.

@C0D4 Dang it! You beat me to the punchline 🤣 I was just about to say the same thing

@F1973 It will be proved eventually

@brunofontes By your analogy, If you lose keys you should get a new house. So we should ban creating keys then. That would be very secure.

@F1973 I get ad revenue if you visit that. Go on.

@theabbie I'll give you one thing, you know how to raise a discussion!

@NoMad You need to trust a service for using it. If they really want to steal your data they have numerous methods.

@C0D4 I keep track of all my accounts, I care about my security and Everyone should

How this feels right now

@F1973 Obviously this guy doesn’t care about security nor privacy if he posts his email address, every social media account, and bloody phone number online.

Also: lol @ those projects. He’s embarrassing himself far more on there than in this thread — and willingly. 😬

“Guess my gender”
Anything pink or purple is female.
Everything else is male.
K...

“Guess the letter”
I draw M. then S. then T. It guesses “P, J, D” every single time. In fact, the only letters I can get it to guess correctly (and even then only sometimes) are P, J, and D. 😂

@NoMad Main point of security is your identity is the ultimate authority. Password is a more convenient waynto prove your Identity but it should not be the only way.

@Python No, it's not

@sbiewald Backup is a backdoor then, what makes it safe? If every data is hackable then why not Backup?

@NoMad I don't use such services at first. If you are not capable of good Encryption I am not using it.

The Dunig-Kruger is strong with this one. 😂

@Root That project is not ready yet, You used a Beta version

@F1973 That is a question about your Gender

Oh. According to his blog he's 18. That explains everything. That's the second worst age to argue with right after 2. 😂😂

@NoMad Google is not remotely like that. If it ever gets hacked, I may change my opinion.

@theabbie I never claimed it is safe.

@AmbientTea 18 but experienced is better than 25+ but half knowledged

@theabbie I copy pasted your shit. It was wrong. And yes, I tried values of `n` ranging from 1 to 8 million. Only when adding in Levenshtein distance did I realize you made a mistake when you retyped, rather than copy/pasted, your expected output.

GG on failing again.
And on wasting my time. 🙄

@sbiewald If a backdoor has to exist ultimately then why fool people by giving a sense of security while being equally vulnerable

@theabbie Why are you showing off unfinished, buggy code? Seriously! You are the literal worst.

@F1973 I can prove that I am correct, If usability is not that important why build UI, just tell your users the API endpoints and let them send requests. usability if not more important should be equally important.

@Root Maybe, anyways, you required brute force, If it was a long Passcode there would be many possibilities. Isn't it safe but useless?

@Root It's ML, it is not called Buggy, You have to train it first, I haven't yet

@F1973 I'm not saying all teenagers are full of shit. 🙄

@theabbie listen, I'm not gonna argue further, because I have to get out of bed and start my day. As well, you seem to think everyone is wrong and you're right. So maybe, you are right. If you're the genius you think you are, go ahead and make the safest encryption method and enlighten us all. But chances are, you're on the wrong track and just being hard headed.
But do read up on encryption and security. Specially on the maths behind it.

Also, yeah some of these guys above are being dicks. But that's what happens when you make a claim in front of pros that you can't back up.

@F1973 That would be a loophole in GitHub not my website

@NoMad My only claim is, Apple should not be called good just because of such encryption, They might be unhackable but at the cost of usability. They haven't done anything great and shouldn't be credited for that. Other services which are not (YET) hacked inspite of vulnerability are the real heroes. Admit that.

@F1973 I bet I can guess his key space. 🤫

/^[A-Z][a-z0-9]{7,13}$/

Dictionary word(s), probably followed by a number. Maybe with some 1337 }{4X3R substitutions. It’s probably simple.

After all, he’s terrified of forgetting his password, but he so badly wants to show off his skillz.

At least now he might change it. 🙄
Would never admit it, though.

Bloody hell I feel mean tonight.

OMFG that's a level of apple hating that shouldn't be possible. 😂 Even the cancer that killed Steve Jobs would go 'dude stop'. 🤣

@Root I don't use Apple Crap, And it's not as simple as that Regex

@theabbie Apple's device encryption is good.
You're wrong.
They're shit for many other reasons, but not for device security.

@AmbientTea Hate is not with Apple but their bragging, It's just another crap encryption which sounds secure but is useless

@theabbie The keyword is threat model.
An encrypted device protects against *anyone* having (physical) access to it (per definition this means Apple no access as well). Not more, not less.

Backup's purpose is to recover from device loss. Of course the secondary requirement is security to prevent (in this case remote) access. More "classic" solutions like 2FA can now be used (this is not possible for device encryption; 2FA also disables the simple password reset by the way).

If people choose to not want the iCloud backup (e.g. because they do not want Apple or law enforcement with court orders to have access to their data), they can even disable it.

@NoMad Security is not a big deal if there was no concept of forgetting password. Millions of accounts will be lost every month if there is no feature to reset it. It's just that services take some responsibility and don't put all the burden on users. Apple is bad at taking responsibility.

@sbiewald That means backdoor must exist for usability, Ideal security is a hypothesis.

@theabbie Just FYI you didn't outsmart anyone let alone @F1973.

It's just your pseudo-intellect telling you you did.

Go play somewhere else.

@C0D4 I'm either too old or too tired for that, haha (maybe both)

@F1973 His website isn't too awful as in, I've seen a lot worse. But I don't think I even knew that many social/donations thingies existed.

@-red Well, praising and defending Apple while knowing that it's crap doesn't make anyone cool

@Jilano There are a lot of things on that website, Keep wandering

@F1973 🤔I won't dox him, but I will say there is a page with enough information to knock on his front door and greet his parents by name.

There's also an admin page with a lack of authentication.

@theabbie you may want to remove that csv file from a public accessible file, God knows why you would have that on the Internet - tell Zorin i say hi.

And with that, I'm out!

@theabbie I think you miss the point, shall I call zorin's phone?

@F1973 That is not an actual admin page, Don't get excited, Thanks for stalking me so badly

@theabbie I wasn't stalking, hell I didn't even scroll past the first 30 lines of source code to get to where I am.

do you have... never mind I've be got your email, I'll send you a link to what I'm taking about before it becomes public.

@C0D4 Why would you do that? There are many phone numbers on internet, you don't call everything

@C0D4 If you found it, it was public already and most probably intentional

@F1973 Yeah, I do shitposting too

@F1973 Who's being a Creep now?

@theabbie Shocking, you know? /s

While not having "perfect" security, I find having 99.999% perfect one quite acceptable. And giving up a small part of usability is perfectly fine (and many people do accept it).

Look, you can attack Apple for many things (I'm sure many of them here will agree to that part), but their physical device security including the tradeoffs is one of the best regarding both security and usability.

Great guys, keep going

@sbiewald It might be very secure but it's not a big deal, That's unnecessary hype while they have accomplished nothing. It's unhackable, but not very usable, It's my opinion

Don't want to Brag, just showing

And here, dear watchers, we have a brilliant example of total ignorance and Dunning-Kruger effect dialed to 11/10.

Thanks for coming to my TED talk.

@iiii It's still better than knowing everything but understanding nothing

@theabbie yeah, right. Claim further that you understand everything while knowing nothing (as it seems). You're just an arrogant "know it all" child who learned some pretty easy but fancy stuff and now bragging and bitching in front of professionals who are just mature and lazy enough to not crush you entirely.

At this point it's not even funny. It's miserable.

@iiii I might not be professional but you guys even if professional are not acting like one. You guys are just sticking to your argument without realising it could be wrong. You are senior, you must be knowing better that usability is necessary, Users are stupid, how do you expect them to take all responsibility of their data. And if Apple is doing that, you must realise that it's easy for them. They are freeing their hands from hard work. It's too much Hype, They are good at manipulating and not accomplishing anything.

.

@iiii That's not frustration, that's lack of arguments

That is frustration. I'm yet to meet a human more arrogant and ignorant than you.

This discussion again transformed into EGO competition

@theabbie because users are grown ass adults, even if they sometimes act irresponsibly.
Your argument has been used way too often in history in suppressing women, people of color and mind you, even your own culture.
We're way past 20th century for you to make such arguments without even thinking of consequences. "How do you expect them to take responsibility"??? The same way you trust their driving license and voting capabilites, the same way you trust strangers who work at the restaurant to not poison you with dish washer and stupidity and the same way... You know what? Why am I even arguing it's not like you listen to anyone but yourself.
In a parallel universe, you'd be right tho.

@F1973 Arigato Baldy Roboto

@C0D4 Why make it hard for companies to get your info when you can just give everything to them

@NoMad If that's what you call security, Then Apple has actually accomplished nothing, I agree that such encryption is fine but in that case Apple is praised for things even a 15 year old could implement. This discussion started to prove that Apple is hyped. And I guess that's proven. Fck Usability It's unhackable, Everyone can do such encryption and Internet will be filled with Encrypted Garbage which cannot be claimed by anyone.

I negotiate and I agree to say that it's ideal Encryption but still Apple should not be given any credit for that, It's hyped and it's true.

@Jilano Using such Encryption means expecting that one day you might lose all your data and no one will be able to help you.

@theabbie "Apple did good, but shouldn't be given credit for the one good thing it did, right after usability for end user, which is their whole 2 selling points"
Lemme sum it up 😛

@NoMad I guess everyone was already convinced with that, This discussion yielded nothing

I'm not sure whether to laugh or cry...

@saucyatom You came too late, Show has been ended

@F1973 This is literally the only platform to Rant, I am at the most correct place to do this

Oh boi, you're gonna feel so embarrassed by this thread by the time you finish your uni cryptography course. 😏

I've got roll screenshots btw. 😌

@AmbientTea The Discussion is not even about cryptography, It's about how simple it is and Why Apple is hyped

What the hell.

The whole point of encryption is to make data inaccessible if you don't have the password.

Yes, people do forget passwords. If that's more of a problem in your threat model than unauthorized 3rd parties accessing your data, then encryption is not the right answer for the problem you're trying to solve.

> The goal of encryption is that no one other than user and the service should be able to access it.

No. The goal of encryption is that no one other than user should be able to access it. If the service can access it, so can anyone who hacks it or has legitimate access and abuses it (rogue employees). If anyone but you can access that data, it's not yours anymore.

Somebody -- All my comments, I have a little Idea of who it is, However, don't do it, Be a good sport, I have no hate for anyone

@gronostaj Okay, That might be correct, Also, Such an Encryption is simple to implement, So, Apple has done nothing great, It's hyped, that's all I wanted to prove

@theabbie

https://support.apple.com/en-au/...

No encryption is simple to implement, that's why nobody sane cooks their own cryptography in house unless they specialize in it. Anything you can implement out of your overconfident ass can be easily cracked.

@theabbie I don't like the situation you got stuck in either. Admittedly, everyone could've said "he's stupid" and moved on without arguing with you. But they care about security enough to know your kind of thinking has many negative consequences.
But then again, you made a claim about a field you know nothing about.

Encryption is the love child of theoretical cryptography and system security, btw 😛

@AmbientTea To show how simple it is, consider this function I made

function jumble(text,n) {
var result="";
go(text,n);
function go(text,n) {
if (text.length!=1) {
var p = text.split("")[((n-1)%(text.length))];
result+=p;
go(text.slice(((n-1)%(text.length))+1,text.length)+text.slice(0,((n-1)%(text.length))),n);
}
else {result+=text;}
}
return result;
}

Now I do this,

var x = data;
x = jumble(x,A);
x = jumble(x,B);;
x = jumble(x,C);
x = jumble(x,D);

Here, ABCD is a 4 digit passcode, eg. if it's 1234 then, A is 1, B is 2, C is 3, D is 4

I took some data and some passcode, and the result after this process is

"otTud ahhIanaa ir eeYoseref c aua scpdHieDIo,otyf e slvr Avk Ssr nod iImsa ehh,nyat iteEr ,aP"

Can you find the original data, If you do brute force, I must say, phone doesn't allow you to enter all combinations. It was that simple and you think Encryption is a Big deal.

@NoMad No one here is a pro in Encryption, They are arguing because it is against there EGO, They are just assuming that they know everything (so am I) But they are still in illusion that Apple is a Saviour

@theabbie @linuxxx is actually and specifically a cyber security expert. I still doubt you'd listen to him anyways.

@theabbie Root also has practical experience with these stuff.

@NoMad Many people called him, he didn't come still, I would surely listen to him if he just doesn't say security > usability, He is an expert.

@linuxxx Please Save us

@F1973 thanks. I like to try to avoid banning people for expressing unpopular or misguided opinions, and I’m not really sure that explicitly violates our rules so in fairness I’m not really sure what to do.

@theabbie please try to contribute to the community in a positive way if you’re actually interested in being a part of it (and aren’t trolling 😀)

@NoMad @Root said There shouldn't be any Backdoor, Later, It was found that Backdoor is necessary for usability, ie. Either Security or Usability, Not both. And she started her first comment with "Are you an Idiot?" That's not very polite for anyone with knowledge.

@dfox Sir, You can read this convo, I always start politely, Then some people go off-topic and question my skills. They just don't want to be disagreed with. What's your Opinion on all this Hype with Apple?

@theabbie You don’t need a backdoored encryption algo to allow the user to change their password. The password and decryption key do not have to be the same, as @NoMad demonstrated.

Seriously, please educate yourself on security and encryption before asserting misguided and dangerously incorrect information. If anyone followed your advice, it would put their users’ data at risk, yet you assert it so confidently, and refuse to listen to any arguments to the contrary. This is what makes me so angry.

@theabbie very cool function. Now, for the sake of completeness, can you provide a function to decrypt the data using the passcode?

@Root Multiple passwords don't make it any better, If a decryption key exists and is stored at server, that's still vulnerable. It's not about being educated, it's about common sense.

@F1973 no problem, thanks for giving me the heads up, and I’ll definitely keep an eye on this rant!

@theabbie

> No one here is a pro in Encryption, They are arguing because it is against there EGO, They are just assuming that they know everything (so am I) But they are still in illusion that Apple is a Saviour

Please avoid those assumptions, especially deyning someone's (especially not everyone's) competency.

And just because someone does not support your argumentation (or moves the discussion away from the subject), does not mean a certain motive.

@AmbientTea
Here it is

function unjumble(text,n) {
var result=[];
var nums=[];
var finalresult=[];
for (i=0;i<text.length;i++) {nums[i]=i}
go(nums,n);
function go(nums,n) {
if (nums.length!=1) {
var p = nums[((n-1)%(nums.length))];
result.push(p);
go(nums.slice(((n-1)%(nums.length))+1,nums.length).concat(nums.slice(0,((n-1)%(nums.length)))),n);
}
else {result.push(nums[0])}
}
for (x in result) {finalresult[result[x]]=text[x]}
return finalresult.join("");
}

Now decrypt it in the order D, C, B, A But still, if you don't have Passcode it's still Brute Force

@sbiewald The only reason anyone gave till now is that security is more important, If it's valid to compare Encryption to locking a house then By that analogy, losing key would be a nightmare, But it's not actually a big deal. If you carefully design an algorithm then maybe you could trade off with security and make it more usable. Ultimate Security is an illusion anyways. @linuxxx might have some opinion, let's wait for him.

@theabbie Yes. If I fail, I'm the only one responsible. That's how it should be.

@Jilano Then Why Should Apple Brag about being Secure? All it does is give you an unbreakable lock and a key and now it's your responsibility.

I’m favoriting this, un-fucking-believeable. My Maryland cybersec certificate goes down the drain

@theabbie братишка ебать ты долбоеб земля тебе пухом

Holy fucking shit this is not suicide this is self disintegration

@theabbie “brother you’re such a doofus Rest In Peace”

@theabbie

> [...] But still, if you don't have Passcode it's still Brute Force

No. Your algorithm is a simple permutation, nothing more, nothing less.

Thus, the ciphertext 'leaks' data from the plaintext: Every character in the output was in the input. With enough context, the message might be reconstructed without even touching your function.

@theabbie

> Then Why Should Apple Brag about being Secure? All it does is give you an unbreakable lock and a key and now it's your responsibility.

That's actually the point...

@Z-GOD It's not about forgetting password, It's about unnecessary Hype. I have started to respect other servives more now because they are not losers, They take responsibility of their user's data. Encryption might not be easy but Apple is no special. You have an illusion of security, Apple Manipulated you and now you are giving people fake assurance that their data js safe, Yeah, it is safe but it won't take much to transform it into an encrypted garbage.

@theabbie good luck with that confessions, and good luck with monica, naveen, sahil and pratik

@sbiewald How can you be so wrong? Prove it by solving it but not with Brute force

@theabbie Ideally, services would operate similar to TutaNota, where the service has almost zero knowledge of the users or their data. They can read just enough to route emails to their intended recipients, and little else. All decryption and encryption happens entirely on the client, meaning nothing is ever transmitted in clear text. For passwords, you have one, and a reset key. If you lose both, your data is irretrievable. So don’t.

This obviously poses problems for having multiple users able to access the data. In such a case, you would need a central store of decryption keys; there is no way around it. However, you can still apply the same principle by adding one layer: you can easily encrypt the decryption key with the user’s password hash, or other encryption key depending on your implementation, and store it securely on the server. Only the user could decrypt their copy, transmitted to the client only in encrypted form, which in turn allows them to decrypt the shared data on the client.

That way the server has zero knowledge of the data, nothing is transmitted in the clear, multiple users can access said data, and they can change their passwords using the reset token. All without ever allowing third party access.

True, if all users lose both their passwords and reset tokens, the data is irretrievable. But this also makes it impervious to DB leaks and social engineering, like what happened with Twitter verified accounts. The data and its access are secure, and safe so long as the users don’t share said passwords with anyone else.

The takeaway is that, while you can’t have perfect security and impose no limitations on the user, security is much more important. And strong security doesn’t necessarily mean the data is easy to lose.

@uyouthe What has it got to do with this, Stalking me, Proving that I don't have experience doesn't make me wrong

@theabbie also I’m texting Elisha rn about how creepy you are

@theabbie praising and defending JS while everyone knows its not good doesn't make anyone cool either

@theabbie out of your ignorance you exposed the addresses of 68 people, their names and addresses. FUCKING DELETE YOUR WEBSITE NOW BEFORE YOU GOT JAILED FOR THIS

@theabbie I HAVE YOUR CSV AND YOU AND YOUR GF VIDEOS AND EVERYONE ELSE DOES FUCKING DELETE THE WEBSITE THATS ILLEGAL

@Root That decryption key thing is good, That proves that user has to take responsibility of atleast key. What many websites today do is that they allow social login, This transferring their burden on social media accounts, Or, OTP login or Magic Link login are way of transferring burden. This is simlar to password managers, Since users can't remember keys, put it in vault and forget it, Write that vault password somewhere, make a tattoo, do whatever but don't lose it. This is about transferring burden. At last, If someone really cares about their data, remember keys

So, If password managers are doing the same thing, Why the Hype with Apple?

@uyouthe Don't

@theabbie stop liking my comments nigga you can go to jail for this shit, fucking unpublish your website before it’s too late

@theabbie

> How can you be so wrong? Prove it by solving it but not with Brute force

That's not how developing ciphers works. Really!

I do have work to do, so unfortunately I do not have time _proofing_ you wrong. Leaking data from the plain text (besides length, obviously), is a no-go for any cipher.

When I "Your algorithm is a simple permutation, nothing more, nothing less." you answered that "I could not be more wrong". Do you mind at least elaborating that part?

@uyouthe I removed that page, fine?

@100110111 It's everyone's personal hate towards JS, That is not a measure of how good JS is

@uyouthe oh you should see the one on JS too... kept me from going for a cig for a full 12h or more

@uyouthe That video is not of my girlfriend, It is part of a webpage and is done on command

@theabbie Your "jumble" function is not encryption - encryption is reversible. I can think of some cryptographic use cases for it, but still, it's not encryption.

Anyway, even with my limited crypto knowledge, I bet it's broken. People spend years creating crypto algos and still make mistakes - it's incredibly easy to miss something fundamental. For example MySQL's OLD_PASSWORD func. looks fine for someone without cryptoanalysis knowledge, but actually an efficient algorithm for reversing it can be derived: https://security.stackexchange.com/...

And even if the algorithm is perfect, the implementation can be flawed. For example this password check code looks fine at the first glance:

function checkPassword(providedPwd, correctPwd) {

return providedPwd === correctPwd;

}

But it's actually vulnerable to timing attacks: you can find out how many initial chars are correct by observing how fast the function returns (there's an invisible loop for string comparison).

@sbiewald It means that it's not that simple, If you think it's that, you should elaborate. It is basic jumbling but on doing it with 4 numbers, it's not simple jumbling anymore. You yourself haven't understood that function.

@theabbie no dude, that thread was everyone saying what is wrong about JS and why it's not really that good a language, specifically not about hating it. You just really, really, really wanted everyone to hate JS.

@theabbie Just because I repeat a permutation function multiple times or only about parts of the input, does not make the output less of one.

All letters of the input are still in the output, just in a different order. This is - per definition - a permutation.

@100110111 Everyone was wrong because weakly typed language though not providing any advantage doesn't harm anything. That Potential Bug argument is absolute Rubbish because those people never properly used JS in fear of Bugs. You don't hate JS because of it's flaws, you hate because something better exists and it's a peer pressure.

@theabbie Apple appears to care about privacy; google does not. Google’s entire business model is data mining to target ads. The more data they have about you, the more money they can make.

Everything they do is designed to gather data. Everything. Recaptcha, font and js CDNs, analytics, Gmail — especially Gmail — etc. Every http request to google’s servers tracks you and your activity across about 75% of websites, as I remember the statistic. They store everything, and correlate it as they learn more. And of course they are always getting better at correlating the data, so they continually learn more from everything they’ve stored.

The worst part, though, is that they share it.

Everything that goes online is permanent, and says a hell of a lot more about you than you will ever realize. Timing on posts, timing on traffic, search terms, use of specific wording, writing style, tone, new words, new interests, and above all else: trends of the above. These can show, with surprising and terrifying accuracy, where you live, who you know, what you like, what you are likely to buy/do/vote for (and when, down to the hour), your mood, if you are depressed, have a mental illness, are likely to have children within five years, love/hate your job, if you are cheating, what medications you are on, etc. etc. etc. All of this by analyzing patterns in the data, not even by understanding what it is you wrote because natural language processing isn’t even there yet.

This is why data privacy is so important. We have a moral obligation to do everything we can to protect and educate users, not exploit them like Google, Facebook, Amazon, Alibaba, Tencent, TikTok, etc.

@sbiewald For a data with n characters there are n! permutations, and it grows insanely with n, So, If by some method it is jumbled properly, It would have n! possibilities. And My method jumbles it properly. It's not a simple permutation. You haven't understood the function yet. And yes, it's reversible. It can be called Encryption and all characters being in it doesn't make it any less of an Encryption, It won't make any sense.

@Root It would be better if you give proper sources of information especially the sharing part. And It's perfectly fine to use data to improve it's performance, And regarding that it shares it, Which doesn't seem true (unless you give source) You have a misconception about how it happens. Targeted ads send you to correct advertisers, Google doesn't tell them that this person likes chocolate or is married or anything. I have no hate for Apple, I don't use it anyways, But saying that it is most secure is a hype. It might have the best Encryption but it is nothing special.

@theabbie I have to ask, how thick is your head? How is it even possible that it has yet to cross your mind that a community full of professionals in a subject may actually A) know what they are talking about, B) understand the subject through and through and C) be correct?

@theabbie Any rearranging is simple permutation. It doesn’t matter how well you shuffle the letters, it’s still just permutation, which leaks data about the input. This is always bad.

I still know how many “e”s are in the input string, for example. If I can make a guess as to the nature of the data, I can learn quite a bit about it. The number of spaces very likely correlates to the number of words. Based on letter counts I can make a good guess as to which words it likely contains, and this gets more accurate as the data size increases. And more so if I know anything at all about the user who produced the data.

Also, depending on the data, I might not even need to crack the permutation cypher to get what I need from it.

@100110111 How difficult it is to admit that Apple is Hyped? What's so special with it's Encryption? It can't be hacked because of mathematical limitations not because of Anything special Apple did. It is just like one of those password managers or decentralized websites where you can't reset password. Admit it, I don't want you to say Encryption is Crap, It's just that Apple is no special.

@Root Regarding Nature of Data, I could have done those permutations on Base64 encoded data, Then any nature won't have leaked. I am not saying my function is super impressive, it's a demonstration of what I mean

@theabbie That is not my point. For natural language, there are not n! permutations of letters.

Some examples:

Your ciphertext contains a capital "T". Usually this starts a sentence. A "," usually separates one. Spaces separate words. Now start reconstructing. Sure this becomes increasingly difficult for very long text, but still leaks many things.

Together with a bit of context (like education of the sender, message subject, potential text type, ...) the likely vocabulary of the message can be reconstructed.

If it is a message to soldiers regarding tacticts, the vocabulary likely contains words usually found in the military. This makes attacking even easier.

More often than thought, this "metadata" is available, at least when targeting a specific person.

A proper encryption leaks exactly nothing (besides length, obviously) about the plain text. A properly encrypted message is virtually indistinguishable from random data (independant of input).

Someone very intelligent and famous once said EGO=1/knowledge. No point to argue as knowledge comes to those who seek for it and learn from others.

Trying to prove a point that no one else buys into, should at least give you a small hint that you might be “slightly” wrong on this topic.

@theabbie wait, since when was this thread about Apple being hyped? As someone who's now worked on a Mac for a few years and wouldn't consider going back, and personally not being an expert on security (since security seems to have something to do with Apple hype in your opinion), I can not say a bad thing about Apple in this context.

@sbiewald Okay, what about Base64 encoding before, Now, It won't leak any nature and Brute Force is necessary, Don't just say it's permutation so It's possible. It's Not.

Can someone please tell me what we're talking about at this point of the thread? Apple? Security vs. usability? Security best practices? Theory of encryption? None if it? All of it?

... I can't hear it over popcorn munching

@100110111 Especially since we are all saying basically the same things. 🙄

I tried shock, I tried showing that there things he doesn’t know yet, I tried calm reasoning, I tried familiar wording. Nothing seems to work. He keeps insisting we don’t know anything, keeps mixing up concepts, and keeps not making any bloody sense.

I’m done.
It’s also 3:30am here and I’m exhausted. 🤦🏻‍♀️

@100110111 It was always about Apple being hyped. See the main problem statement at the top. People love apple because it makes things easier, I agree, But Spoonfeeding users is a bad thing. Apple is like that comfort Zone Bubble that you don't want to leave but it will eat you inside.

@Root I had agreed to your point earlier, There is no problem in such Encryption, What makes you think that Apple is not Hyped? What special it has done that other services like password managers Haven't done?

@theabbie It still leaks... Also the algorithm is damn inefficient now.

Because *surprise, surprise* natural language does not contain binary data, thus all "correct" arrangements of base64 data must decode to letters.

@sbiewald And to find correct combination you need brute force, And with so many characters it's not a good idea. Well, you just played yourself.

@F1973 haan na ...confidence dekho...

@theabbie No, not at all.

Just because there is no simple "algorithmic" solution to your cipher, this does not mean it is not broken (in cryptographic terms, look it up what it means in this context, please).

@sbiewald Okay, forget my example, there are many basic encryption algorithms which are unbreakable, Such encryption is never a big deal

The fact that they can't decrypt it is actually a very good sign. It means that the encryption method used is not viable to crack (not that they will bother with that), nor that they have a master key of their own (despite 3 letter agencies like the NSA absolutely loving the idea), AND that they don't store a copy of your data either. These are all very good things and privacy is rightfully so something that Apple is renowned for.

Don't get me wrong, they're shit for a lot of reasons but privacy and security aren't among them.

Companies like my lovely ISP that will send my password via postal mail upon request however... Yeah. They know the password, took years to encrypt their database (basically useless, they should've hashed it) and actively use it to impersonate customers for tech support.

I recommend that you learn about symmetric and asymmetric cryptography, hash functions and the importance of each, and their intended applications.

@Condor don’t bother. https://devrant.com/rants/2949952/...

He’s hopeless at that point

@Condor The point wasn't why such Encryption is bad, It was that Apple is Hyped, And yes it is. It is doing just Encryption, Is not some futuristic Technology, They are given to much credit for doing such basic stuff. That's wrong and that's the point of this discussion.

@Condor HEY, I FORGOT YOU EXISTED! HOW ARE YOU THESE DAYS? IT'S SO GOOD TO SEE YOU AGAIN!

@uyouthe But I wasn't wrong about that, Middle man can change data, HTTPS is a good system, So? I never told it's bad.

@NoMad If you guys are dating I must say, good choice

@theabbie I would but unfortunately I already promised someone else. 😛 Not every two people with the same opinion are dating, so you might as well just grow the fuck up.

@NoMad I must not have told you guys my age, If I acted like a 50 year old, You people would have agreed with my opinions

@NoMad haha, thanks! Just joined again I guess. Same as usual here, but really started working on the annoyances of technology. Sometimes just said fuck it and wrote my own stuff. Ended up being easier than dealing with the existing "solutions".. career shift from sysadmin mayhaps? XD

How have you been?

@Condor Don't waste the chat space here, I heard there is a limit, Save this for valuable discussion

@Condor not too bad. I also deleted a while back but frustration with tech brought me back again. How's the pandemic treating you? WFH is fun?

@theabbie then why are you talking?

You guys are being trolled. seriously.

@NoMad huge productivity boost actually, the COVID-19 pandemic! Especially in the first months, VPN access from anywhere and the servers themselves being at the comfort of my home (just reverse proxied from VPS's) really helped a lot. But the stores were plundered! Especially the toilet paper.. the goddamn toilet paper!!!! AAAAAAAAAA

@C0D4 @Jilano that's how you derail a useless convo.
Amateurs. 🤠

@F1973 I use telegram...what is it? This thread was already soooo damn long when I got here I didn’t read more than a few...

@scout we're reaching 300 comments. I wonder, what's the record for the most comments on a rant.
Does anybody know?

@NoMad I don't know but the OP's JS rant is still winning so far

@scout there's the codrTalk network there on t.me/codrTalk (invite link in that channel iirc), if you'd like we could talk there? I'm @ghnou on Telegram.

But also tempted to find out what the limit on comments is, if any :D

@100110111 I see. The one where he did research on a language via looking at memes... Perfection! 👌🏻

@Condor toilet paper was gone in days here, good thing i keep a large supply.. never know when the end of the world is going to come knocking at the doors.

@NoMad, what ever do you mean, i'm just hear sharing around the popcorn. i had to mute this thread... its almost as good / bad as a ++ bomb.

@NoMad just over 1200, then things start breaking.

It's the most fun I've had reading devRant in a while.

@100110111 Don't jinx this. We don't need that one to restart haha

@MySlugLikesSalt oh don't worry, OP will surely come up with a new one soon enough

@F1973 @Condor I'm late as well, I'm very curious. I use Telegram as well if anyone is interested in sharing... :P

We should do a game of drinking bingo and take a shot whenever @Nanos says "Reminds me of.." or "This reminded me of..." or "I'm reminded of...".

@Nanos don't mean any offense, just making light of your catchphrase.

@Root apple milks customers using other means though.

@iiii it's called capitalism. I don't know if you've noticed it around. It's this new thing everyone is doing.

@100110111 new??? It's soooooo "industrial revolution" and 1900s. 😜

@NoMad I don't know the actual number but back when AlexDeLarge was still LetMeCode, his face reveal rant got well over 400 I'm pretty sure... And made @dfox add a scroll to bottom button... Lol

@NoMad so this one you mention, okay I get it..

@sarafe not me, @C0D4 mentioned.

@100110111 yeah. I hate it 🤣

@AlgoRythm I miss him so bad 😢😢 I even tried stalking him but his website seems to be gone.
You know, like when you grow fond of someone but also can't be arsed really befriending them... But his placeholder account @AlexDeLarge is still here.

@NoMad I'm going to run out of vodka if we are playing @Nanos shots.
Great guy though!

@NoMad oh, okay sorry it's look similiar..

@theabbie Getting rid of those files with a simple delete isn't enough. Anyone can still see them. Check this out.

https://docs.github.com/en/github/...

@MySlugLikesSalt if you go into his .io repository... He's just doxxing people... Lol

@theabbie honestly man I know you are still figuring things out but you need to just take some advice and remove your site.

You messed up and it can have some pretty fucked up consequences. Your whole git log needs to be combed through so you can remove the databases of private info.

Honestly, it may be worth just deleting your .git folder at this point and starting anew.

Your views on technology are interesting. I think a good exercise is to implement a proper encryption Algo. Not one they teach on the first week of school, a real Algo used in the real world. They are complex, they are hard, and you will probably fail to complete it. But you will succeed in learning, which is the bigger picture.

Your information is always your responsibility. If it becomes someone else's responsibility... It also becomes their data. You must protect what is yours, always. It may seem counter intuitive, but @root @nomad @c0d4 ... Everyone here is right; losing your data IS good UX when compared to having your data accessible by those who don't own it (Even if it's the vendor, like Apple)

Maybe you do not believe this, but as soon as there is an opportunity for evil with profit, bad people will take it. An exercise to learn this: install an SSH server on a virtual Linux machine, and open that to the internet with port 22 open (default). Watch as thousands of requests come in per hour trying to hack you...

And just as general advice, if you find something generally regarded as extremely complex (encryption) to be "simple", you probably don't fully understand it (the alternative being you understand bit better than everyone else in the world. Use your own common sense to figure out which is true)

So basically what you're saying is that you're dumb?

@AlgoRythm Yeah I know, at this point I'm legit just trying to help not sarcastic in any way.

@AlgoRythm the last sentence. You think... OP... and common sense... in the same sentence?

Pinging @dfox just in case it's worth removing/censoring any comments linking to OP's site, in order to limit discoverability (leading to the JSON file with lots of personal details...)

@100110111 One would hope that even if their grasp of common sense is fractional, if you keep trying, eventually you will find that small fraction which is present...

@MySlugLikesSalt I doubt that the links here are what exposes him. The GitHub crawlers have already detected email patterns and downloaded his whole repository. The links being on devRant are just icing on the cake.

@dfox if you do take action, please don't remove the whole rant. There's lots of learning that OP needs to do, and this rant has some good info for him.

@MySlugLikesSalt OP did share them originally themselves, so I'd say the responsibility is on them, but who am I to say

@100110111 Right I'm not worried about OP, more worried about the people having their physical addresses exposed.

@100110111 I can see why OP wants their vendors to take responsibility for their data...

...because they have no business doing it themselves!

@AlgoRythm one could always hope, but it may take a few years of trying looking at how things stand...

@100110111 Unlike OP's jiggle encryption, that would take a true brute-force haha

@MySlugLikesSalt @AlgoRythm you're right. For the good of others, vendors taking ownership of and responsibility for OP's data (and others like them) would be a welcome service...

321 comments.
I'll add that your post is dumb as hell.
Bye.

@MySlugLikesSalt Please Help Me With That, Is there a method on Mobile without CLI?

@theabbie Not that I know of. Get to a computer with git and run the commands there. Be sure to delete the "details.json" file as well as the HTML file with all Elisha's info. Get rid of her photo from the "files" folder as well.