Wes Winham
Software entrepreneur in Indianapolis who likes nerding, ultimate, beerpong and economics

Wes's posts

Post has shared content
Sometimes you've gotta find your own questline.

Post has shared content
I never expected to be a good read, but this one resonated with me in a serious way. Enough for me to consider ways to bridge this gap within my own children.

Post has attachment
Some good news coming out of China, as it appears their anti-corruption campaign is legitimate. Traditionally, these sorts of things are used to clean house and consolidate power in systems of centralized power. This research shows that's not the case in China.

Good news for a lot of people.

Post has shared content
Interesting piece on how the US Electorate, not the politicians, may be responsible for our current woes, as the active voters are more polarized, more likely to vote along straight party lines instead of based on candidate issues, and how this may be trapping the politicians to be beholden to a passionate, but potentially uncritical Electorate.

The data appears interesting, and I know that here in Louisiana, I've seen community organizers passing out flyers indicating how they want people to vote, and it's always been along strict party lines when I've seen it. It's unfortunate, we live in an age where we should have an easier time than ever before making an educated and informed decision on the voting booth, but either we can't or won't. Again, as a Louisiana voter, I find it very difficult to find ballot information online. I sincerely miss Washington's voter guides they publish every year.

Post has shared content
Lmao. "Go: What if we tried designing C a second time?" #programming #humor

Post has attachment
If you had to predict whether this is a result of:
A) hospitals taking action to improve quality and patient outcomes in response to regulatory incentives
B) hospitals taking action to superficially change the measured metric in response to regulatory incentives

What would your probability breakdown look like? Mine in the comments.

Post has attachment
PsyCrypto: Who will be the first EDM artist to take advantage of this at a concert?

Post has shared content
Some Questions and Answers About the Apple Order

Let me start out with a pretty simple preface: I work for Google. But I am not speaking for Google. If you'd like to read someone speaking for Google, read someone whose job that is. (It isn't mine.)

Because this is the field I work in, I have been interested in what's going on with Apple. So, with that in mind, some questions and answers about what's going on.

Q: So, what's Apple being asked to do?

A: They're not being asked to decrypt the phone. They're being asked to make it so that attempts to decrypt the phone the easy way don't wipe the storage and render the device unusable. There's a difference, and the newer the Apple device, the more important that difference becomes.

Q: I am an engineer. What's Apple being asked to do?

A: Okay, so, this is going to be a little TL;DR for some of you, and I am not an engineer. I merely play one on TV. As I understand it, here's what's going on:

This is an older Apple device. On newer devices, the security flow seems to be relatively similar, except that much of this occurs within the secure enclave, which is a neat little piece of hardware which handles most of the cryptography directly.

So, Apple devices from this generation have hardware-assisted encryption. In order to generate a valid key to decrypt the storage, you need three components: the device key, the password or PIN, and the intermediate key that's in effaceable storage. How these three components relate is unclear to a lot of security professionals.

From a forensic perspective, this means that you need physical access to the device in order to attempt passwords. You can't just write everything to an image and attempt to brute-force the crypto on a second device. You actually need to be running everything on the device you're trying to crack open.

If you've ever looked at an iPhone PIN, you'll see that it's only a couple digits. If you're going to brute-force something, working your way through twelve bits is going to be a lot easier than working your way through the (much larger) device key. Which is why an iPhone will wipe the storage if you fail ten times.

If you could update the firmware, you could get around this restriction. Unfortunately, the government can't update the firmware without Apple's key. (Maybe.) Which is why they're asking.

Q: So, does the government have to go to court to get information out of Apple?

A: Probably not. This is an older device, and there are established forensic techniques for getting information out of older iPhones. Especially if it's ever been synced with a desktop. In addition, there are established legal techniques for getting information which has been uploaded to iCloud.

There have been some public papers on extracting hardware keys -- even ones where the difference is only in the n- and p-type silicon -- from hardware-locked devices. It is likely that these techniques are available to the government as well. (Though I'd presume they don't want to disclose them.)

Q: So why are they asking?

A: To get a favorable precedent, because they can't get Congress to pass a favorable law.

Q: There's got to be some legal basis for this.

A: Yeah. It's a weird one: the All Writs Act of 1789.

Q: Is that weird? How does the government usually get information from third parties in criminal cases?

A: By subpoena.

Q: So, why are they using the All Writs Act?

A: If this were a subpoena, the applicable rule would be F.R.Crim.P. 17(c)(3).

But they can't do that. The government can subpoena evidence from third parties. But they can't subpoena investigative tools from third parties. They especially can't subpoena investigative tools which haven't already been written from third parties.

Q: So, the All Writs Act lets them do this?

A: Uh. Good question. Here's what the All Writs Act says:

(a) The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.

(b) An alternative writ or rule nisi may be issued by a justice or judge of a court which has jurisdiction.

So, really, it doesn't say much.

Q: That seems like a weird little law. What was it even meant to do?

A: The All Writs Act is an odd little beast. In early American law, courts were given a very limited, enumerated set of legal verbs. If a particular sort of relief didn't fall within the scope of a particular writ, then the person ordered to comply could frustrate the court's order. And the court could do nothing to stop it. What the All Writs Act does, in practice, is allow courts to order particular results. Its primary use is in civil injunctions. There's a much smaller body of law addressing its use in criminal cases.

Q: So, it means that a court can do anything it wants?

A: No.

Given an empowering law which mandates a particular result, the All Writs Act lets federal courts order that result. It also stops there from being legal orders for which there is no legal remedy. For those of you that are engineers, not lawyers, it's basically there to stop there from being court orders which are legal no-ops.

Underneath the surface, the question is, "Is there an empowering law which permits, in general, federal prosecutors to order third parties to actively participate in an investigation to which they do not have any particular connection?" And while there are some laws which might do this in other cases (CALEA, for instance), there is no general authority to order third parties to participate in criminal investigations.

This is not a super-strong legal argument.

Q: So, they'll probably lose?

A: I'm not making predictions. But if you'll look at the link attached below, this isn't the first time the government has made this argument. It has not universally gone well.

It's also relatively early days. Right now, the case is in front of a federal magistrate. The next level of appeal is to the federal district court, and then to the 9th Circuit. It's possible that this could go away at the district level, in which case this would be a tempest in a teapot. If Apple chooses to skip to the 9th Circuit Court of Appeals (and I believe that it can?), a lot would depend on the composition of the panel.

Q: What are the consequences for Apple if this goes wrong?

A: Pretty bad.

If Apple can be compelled to use its key to alter the properties of effaceable storage or the secure enclave in order to empower brute-forcing, their technical remediation methods become more limited. Both forcing longer user passwords (to remove the entropy bottleneck) and disabling their ability to make changes to the secure enclave (to disempower themselves) have consumer-facing impact. The first makes accessing the phone relatively annoying. The second makes updating the device extremely annoying, and makes security holes in the secure enclave permanent.

It's not as bad as banning strong device-level encryption, but it's pretty close.