Hi, I'm trying to determine this for many of my business clients who are considering switching away from Apple products to Open Source due to the recent NSA disclosures.
Does Apple's DMG format have a backdoor to allow Apple access to the data within them to comply with government?
I'm not suggesting that I believe the AES encryption itself has an inherent issue, I want to know if anyone has been able to independently verify that Apple's implementation with DMG is lacking a backdoor that can bypass AES.
We already know there's a backdoor for iPhones that Apple will access for law enforcement.
Is an Apple DMG also subverted with a backdoor as well?
P.S. This is a sincere security question for clients that have proprietary information and want to know what their risks are with Apple DMGs. Please don't bring politics into this.
If you are jailbreaking your phone, you obviously aren't concerned with security anymore.
You missed my point completely.
It is not a flaw in the implementation. It is inherent in the design of any public key encryption method. It was done purposefully because that is the way public key encryption is done.
Being able to bypass features that help thwart brute force attacks is a feature?
The criteria that smart people use to make technological decisions are cost, reliability, support, and install base. Whether or not it is open source is irrelevant.
People of average intelligence can also take into account security issues and the disadvantages of proprietary code in certain circumstances. It's not as black and white as you portray. For those that have more experience in real-world business consulting they understand there's more nuance in the needs of various businesses.
Open source and the size of the project's code itself is an important factor you're leaving out. Also, the speed in which bugs are fixed is a factor as well if one isn't going to ignore long-term issues for clients in certain circumstances. To say that's irrelevant doesn't make sense in the real business world, in my opinion.
Correct, but it is completely false regardless of what it applies to.
It's not completely false. There's nuance. It depends on the ratio of lines of code to those that inspect the code along with many other factors.
Your "NSA disclosures" are carefully orchestrated leaks by proven liars and criminals. ... Your NSA paranoia is much worse. You are making assumptions based on outright, deliberate lies.
You're welcome to your opinion, but the NSA and other government officials have confirmed the leaks are accurate. I've requested that we keep politics out of this and will stop here.
As far a me making assumptions go, I don't assume there's a backdoor in Apple's DMG format. If anything, I've stated repeatedly that I think it's unlikely. I'm merely researching the possibility. That's a big difference.
As I've said, I've been approached by many clients who are now concerned about it and I'm practicing due diligence in light of the NSA disclosures. You may also think some of these Fortune 500 companies are "paranoid", but I think they'd beg to differ with you. They want me to look into it, so I'm doing it. Calling me paranoid and acting like a bully isn't going to dissuade me and isn't productive, sorry.
This Apple thread is only one of about 30 where I've initiated the discussion. Unfortunately, out of all the other forums this is the only one where I've been met with hostility and derision, by the way.
That's because this is the only one where people actually know about security in DMG files.
Actually, I've found that this forum (while helpful in some ways) has been by far the most lacking in expressing the knowledge of the security of DMGs compared to many of the other sources I'm following and interrelating with.
Even if it is true that people (you mean yourself?) in this forum are more knowledgeable, I'm not sure how that would dictate as an excuse for being rude, hostile or derisive. It's really unnecessary and only makes people look bad.
If my lack of knowledge upsets someone of your expertise, I apologize. Nonetheless, I'm trying to be polite with you and I'd appreciate if that common courtesy was returned.
But, I'm not one to be deterred by bullies.
Good. You will need that trait with open source.
I haven't found that I've needed that trait in dealing with open source for over 15 years, but in this thread it's been another case.
You don't have any clients. You aren't trying to learn anything about DMG files. You are only here to spread open source, anti-government political propaganda.
I have clients from over 15 years of business consulting, etc. I understand you are very upset about the NSA disclosures, but your hopped-up emotions are not germane to this discussion. Please focus on the technology.
As I've said, some of my clients have approached me specifically about the DMG format and whether it's secure in light of recent NSA disclosures. I came here asking about the format and the possibility of a backdoor in light of their questions. Ad hominem attacks aren't productive and I politely ask that you refrain from them in the future.
What is not being polite?
Well, calling me paranoid and a propagandist are several examples I can think of. Also, now calling me a liar who doesn't have any clients can be considered extremely impolite by most people's standards. If this is how you want to continue to talk with me, that's fine. I'll just be the better person and continue to ask that you stick with technology instead of deriding me personally. Thank you for your cooperation.
No, they don't. I have read many studies on open source. High security and high quality are not inherent traits of open source projects. Harassment and sexual discrimination, however, are.
You're now equating Open Source to being an enabler of "harassment and sexual discrimination"? Ok.... I'm not going to respond to that because it seems that would lend itself to some other kind of philosophical discussion that has very little to do with this thread.
If you are only finding studies that show that Open Source is more buggy than proprietary code in all cases, then I think you're being pretty selective in your info diet.
As I've said, it depends on the ratio. Smaller projects tend to be superior to proprietary projects:
Also, bugs tend to be fixed more rapidly in Open Source projects than in commercial software:
Like I've said, there's studies (often industry-sponsored) that show that proprietary code is better. But, there's also studies that show that Open Source is. It's much more nuanced than you keep implying:
For even more nuance, here's an analysis of 450 million lines of code initiated between Coverity and the U.S. Department of Homeland Security. It says that code quality for open source software basically mirrors proprietary software (overall), but there's nuance, of course:
Once again, it confirms it that it may depend on the size of the project, etc. on which solution or hybrid thereof is better.
Studies have also shown proprietary code's "security through obscurity" doesn’t provide any additional security:
They also conclude that some things are more secure in Open Source (i.e. Apache versus Microsoft IIS) while proprietary can be more secure in other projects (S/COMP or GEMSOS** versus Gnu/Linux).
It's nuanced. This comprehensive work paper shows that it can be good to have a combination of proprietary and Open Source for many organizations as long as you study the potential conflicts of interests, etc.
Now, this might send you for a loop, but the NSA (National Security Administration) also details why Open Source has advantages over proprietary code in many circumstances including when dealing with hardening/customization. (This is the crux of why many of my clients use Open Source, by the way):
Personally, I think it's a good idea to expand research horizons a bit when things like nuance go out the window.
I do appreciate you responding to my questions and you've been helpful in some regards. Thank you. I also think it's very commendable that Apple embraces Open Source as much as they do, especially when compared to Microsoft.