[HN Gopher] Apple previews Lockdown Mode
       ___________________________________________________________________
        
       Apple previews Lockdown Mode
        
       Author : todsacerdoti
       Score  : 792 points
       Date   : 2022-07-06 17:01 UTC (5 hours ago)
        
 (HTM) web link (www.apple.com)
 (TXT) w3m dump (www.apple.com)
        
       | mensetmanusman wrote:
       | Will this be available to Chinese residents? Huge if so.
        
       | tialaramex wrote:
       | > Most message attachment types other than images are blocked.
       | 
       | Who wants to bet that this reflects minimum requirements dictated
       | for user experience, rather than reflecting what Apple are
        | actually securing today?
       | 
       | The correct model here, the one that would actually defeat these
       | adversaries, is to start with what you can actually secure and
       | expand from there, prioritising customer needs. This delivers
       | security improvements for all customers, but it makes the
       | calculus simple for Lockdown customers, whatever Lockdown allows
       | will be OK.
       | 
       | Suppose today Apple has a working safe BMP reader, and a working
       | safe WAV reader, but they're still using their ratty JPEG and MP3
       | implementations. As described, this feature says you can receive
       | a JPEG attachment (which takes over your phone and results in
       | your cousin who remains in the country being identified as a
       | contact and imprisoned) but you can't listen to the WAV file an
       | informant sent you because that's "dangerous"...
        
         | S0und wrote:
          | I find it absolutely hilarious that they've kept the images in
          | Messages while one of Pegasus's attack vectors was sending a PSD
          | file as a *.gif, which crashed the Messages parser.
         | 
          | Apple is overconfident in its ability.
         | 
         | https://arstechnica.com/information-technology/2021/09/apple...
         | 
          | People who need this already have a dumb phone; using this
          | Lockdown mode is an unnecessary gamble on their part.
        
       | galoisscobi wrote:
       | I wonder if this mode would be helpful to protect myself if US
       | border control forces me to unlock my phone so they can make a
       | copy of all of my phone contents.
        
         | [deleted]
        
         | kylehotchkiss wrote:
         | I'm excited about this mode for traveling outside the US, where
         | other governments seem to be backsliding against privacy much
         | more quickly
        
         | nielsbot wrote:
         | Can you be forced to unlock your phone at the border? I thought
         | you couldn't. (I don't actually know.)
         | 
         | BTW bringing up the power off UI on iPhone (holding power and
         | up buttons at the same time) disables FaceID/TouchID until a
         | passcode is entered.
        
           | andrewia wrote:
           | They can search your phone at the US border.
            | https://www.theverge.com/2021/2/10/22276183/us-appeals-court...
        
           | kersplody wrote:
           | If you are a US Citizen or Permanent Resident, Border Patrol
           | cannot prevent you from entering the United States. They can,
           | however, detain you for up to 72 hours and confiscate the
           | locked device if they have "reasonable suspicion". The
           | confiscated property will be returned eventually.
           | 
            | https://www.cbp.gov/sites/default/files/documents/inspection...
           | 
           | If you are not a US citizen, refusal to unlock a phone and
           | allow inspection, inclusive of allowing access to social
           | media and corporate apps, will probably result in denied
            | entry. They also have the right to detain you indefinitely
            | until you unlock the phone if they have "reasonable
            | suspicion", but this requires a court order within 72
            | hours.
           | 
            | Most foreign countries have similar rules in place for
           | residents and non-residents.
        
             | sneak wrote:
             | They don't usually return the devices they steal, and most
             | people travel with a total device value lower than the cost
             | of an attorney and lawsuit to force the return.
        
           | sneak wrote:
           | You can be forced to unlock it with biometrics, but not a
           | password/code.
           | 
           | They also get to steal it and keep it if they want.
        
           | Nextgrid wrote:
           | Pressing it 5 times does the same (and starts an emergency
            | call countdown if you have that enabled). Removing the SIM
            | also locks it out.
        
             | matwood wrote:
             | You can also say 'hey siri, whose phone is this?'
        
           | numpad0 wrote:
           | The sterile area between the gate and the border control is
           | treated as international waters/lands, which sounds fine, and
            | IIUC there is the logic that _laws don't apply_ there so you
           | can be forced-forced anything free from constitutional
           | protections. Not sure if that actually works though.
        
             | happyopossum wrote:
             | This is completely incorrect. Here's the actual law
             | 
              | https://www.cbp.gov/sites/default/files/documents/inspection...
        
         | kersplody wrote:
          | It would be a good idea to enable this before going through any
         | border controls. Doubly so for countries that require apps to
         | be installed before entry/upon entry/after entry.
         | 
         | ArriveCAN (Canada), Mobile Passport Control (USA), WeChat
         | (China), and other mandatory government apps would be perfect
         | vectors to stage highly targeted attacks.
        
         | [deleted]
        
         | kube-system wrote:
         | If someone has your unlocked phone, they can look at the
         | screen.
        
       | xtat wrote:
       | TBH even 2m bounty on lockdown mode bypass seems really low
        
       | amelius wrote:
       | What they think will happen: users activate Lockdown Mode to
       | protect themselves.
       | 
       | What actually happens: criminals activate Lockdown Mode to evade
       | law enforcement.
        
         | Analemma_ wrote:
         | Lockdown mode is for preventing 0-days. Law enforcement does
         | not burn 0-days on common criminals, they get a warrant and get
         | into the device that way.
        
       | duxup wrote:
       | I was wondering when a "hardened" option would come.
        
       | [deleted]
        
       | matthewdgreen wrote:
       | Last year I wrote: "In the world I inhabit, I'm hoping that Ivan
       | Krstic wakes up tomorrow and tells his bosses he wants to put NSO
       | out of business. And I'm hoping that his bosses say 'great:
       | here's a blank check.' Maybe they'll succeed and maybe they'll
       | fail, but I'll bet they can at least make NSO's life
       | interesting." [1]
       | 
       | Maybe this is the blank check :)
       | 
       | [1] https://news.ycombinator.com/item?id=27897975
        
       | bombcar wrote:
       | Everything else to the side, this is excellent marketing on the
       | level of Tesla's "bioweapons filtering mode".
        
       | O__________O wrote:
       | ///// Re: Bounty
       | 
       | From press release, "Bounties are doubled for qualifying findings
       | in Lockdown Mode, up to a maximum of $2,000,000 -- the highest
       | maximum bounty payout in the industry."
       | 
       | Appears Apple is not aware there was a $10 million bounty [1]
       | paid out; unless when they say "by industry" they mean phones,
       | not bug bounties.
       | 
       | If Apple really believed it was secure, then even a $100 million
       | bounty shouldn't be a concern; 2 million, while clearly high, is
       | no longer enough to pull in the best bounty hunters, in my
       | opinion.
       | 
       | ///// Re: Naming
       | 
       | Name conflicts with existing terms both Apple and consumers use.
       | Naming should be unique so it's possible to Google the unique
       | name for this feature and only get valid search results.
       | 
       | ///// Re: iCloud
       | 
       | While iMessage features are limited, it is neither blocked, nor
        | is iCloud -- and both are known to be vulnerable to nation
       | state demands on Apple due to iCloud not being end-to-end
       | encrypted.
       | 
        | ///// Re: iCloud end-to-end encryption
       | 
       | If Apple was serious about the topic, they would have already
        | rolled out end-to-end encryption for iCloud years ago.
       | 
       | ///// Re: Targeting
       | 
       | If Apple is logging if this feature is on and sending it back to
       | Apple, it will result in targeting from nation states even if
        | this feature is "invincible" - which I have no reason to think
        | it is; basically, nation states demand a list of users subject
        | to its jurisdiction.
       | 
       | ///// Re: Off vs Locked
       | 
       | "Wired connections with a computer or accessory are blocked when
       | iPhone is locked." -- Why is this not the default with an opt-in?
        | Further, at the point you're turning on this feature, when
       | locking the phone it should explicitly tell the user of the risk
       | of locking vs turning the phone off. Lastly, when you turn an
       | iPhone off, it should really be off if set to this mode; if it
       | is, and activity is detected, likely good sign something is going
       | on.
       | 
       | _______
       | 
        | [1] https://medium.com/immunefi/wormhole-uninitialized-proxy-bug...
        
         | barbarousbull wrote:
        
       | c1sc0 wrote:
       | And yet this feels like it's too little too late. If I'm likely
       | to be the target of the kind of state-sponsored malware "lockdown
       | mode" supposedly protects me from I shouldn't have been using
       | Apple products in the first place. Which begs the question: what
       | are current security best practices to protect from state-level
       | hostile actors?
        
         | savoytruffle wrote:
         | The current best practice is to have already been using an
         | Apple device, and this will enhance that.
        
           | c1sc0 wrote:
           | Really? Not something like Tails or Qubes? Am I too paranoid?
           | I'm genuinely interested in learning about this. What _am_ I
           | supposed to use these days when I'm working on a project that
           | would make me a target for state-level actors?
        
             | duskwuff wrote:
             | Tails and Qubes are desktop operating systems. You can't
             | run them on a smartphone.
        
       | sk8terboi wrote:
        
       | brundolf wrote:
       | > Web browsing: Certain complex web technologies, like just-in-
       | time (JIT) JavaScript compilation, are disabled unless the user
       | excludes a trusted site from Lockdown Mode.
       | 
       | That's very cool actually. You can keep JS enabled but choose to
       | make it run more slowly in exchange for better sandboxing
        
       | GuB-42 wrote:
       | So Apple is saying that their "Lockdown Mode" protects against
       | "highly targeted cyberattacks from private companies developing
       | state-sponsored mercenary spyware".
       | 
       | That's an interesting wording, because it claims to protect you
       | against... nothing that matters. Notably, it doesn't protect you
       | against:
       | 
       | - The police. Don't get me wrong, I am all for letting the police
       | do its job fighting crime, even if it means hacking iPhones, but
       | even if you got the police attention for a noble cause, Lockdown
       | Mode won't save you, at least, it doesn't claim to.
       | 
       | - Foreign governments, as well as your own government. Notice how
       | it mentions "private companies" specifically, as in, not public.
       | And the cyberattacks themselves have to be performed by private
       | companies, if the tools that these companies develop are used by
       | government entities, it doesn't count.
       | 
       | - Cybercriminals, the kind who are after your money. They are not
       | "private companies", and they are usually not state-sponsored.
       | 
       | - Terrorist organizations, mafias, drug cartels, etc... again,
       | not "private companies", and while they may be backed by states,
       | they typically work for themselves.
       | 
       | The technical aspects have value, and I think giving the user the
       | choice of wearing a tinfoil hat is great, but the claim they are
       | making is deceivingly weak if you read carefully.
        
         | ngetchell wrote:
         | The NSO group used links and attachments in iMessage. These
         | protections would mitigate those attacks.
        
       | swayvil wrote:
       | Inflation, pollution, censorship, global warming...
       | 
       | Hey no, don't look at that, look over here instead. We're playing
       | ratfuck with the abortion laws.
       | 
       | Magicians call that "misdirection".
        
       | Nextgrid wrote:
       | Most of the features of this lockdown mode should be on by
       | default.
        
         | egberts1 wrote:
         | ESPECIALLY the disabling of JavaScript, because ... malicious
          | JavaScript.
        
           | phoe-krk wrote:
           | This does not seem to disable JS altogether, only JS JIT
           | compilation. IIUC, JS will still be executed, although via an
           | interpreter (which is safer) rather than via compiled machine
           | code (which might be used to exploit memory safety bugs such
           | as type confusion, somewhat frequent on the JS side).
        
             | egberts1 wrote:
             | which in my cybersecurity book is considered a "miss".
        
               | Nextgrid wrote:
               | FYI, if you mean that it should disable JS completely
               | then you can already do that in Settings -> Safari.
        
         | jimt1234 wrote:
         | Totally agree. I'm also concerned about the fine print, what
          | Apple is _not_ announcing - like, "Oh, we also updated our
         | EULA to reflect that metadata from phones with 'lockdown mode'
         | enabled will be forwarded to the FBI", something like that.
        
       | someguydave wrote:
       | This lockdown mode looks like what ought to be default security
       | behavior.
        
         | andrewia wrote:
         | It slightly degrades some experiences, so I see why it's
         | disabled by default. Disabling JIT JavaScript is going to make
         | web browsing more painful. And incoming friend requests are
         | useful because it simplifies things when two people are adding
         | each other to their phones - one sends a request and the other
         | reciprocates.
        
           | jka wrote:
           | > It slightly degrades some experiences, so I see why it's
           | disabled by default.
           | 
           | My sense is that the functionality to provide those
           | experiences resulted in a decrease in user security and
           | privacy when they were introduced -- and that those risks
           | were widely-discussed and well-understood.
           | 
           | It's weird (although not unexpected) to see the reversal of
           | them touted as a selling point.
        
           | JCWasmx86 wrote:
           | > Disabling JIT JavaScript
           | 
           | With a bit of luck, this will cause site operators to reduce
           | their usage of unnecessary JS, so maybe this has positive
           | impacts :)
        
       | egberts1 wrote:
       | Too bad that Google does not offer this same "Lockdown Mode" as
       | Apple does.
       | 
       | Instead, they (Google Play Store) removed our ability to see what
        | "app privileges" that an app would require BEFORE we do the
       | installation step from the Google Play Store. What we got instead
       | was an obfuscated "Data Security" section that is pretty much
       | always "blank".
       | 
        | My flashlight app should not require GAZILLION app privileges nor
        | hide that fact before I can determine whether I can safely
        | install it, much like Apple App Store can do by doing the CRUCIAL
        | pre-reveal of any needed app privilege(s) ... for our leisurely
        | perusal and applying any applicable but personalized privacy
        | requirement BEFORE we do the app install.
        
         | okneil wrote:
         | Whilst not quite the same, Google does offer the Advanced
         | Protection Program for accounts.
         | 
         | https://landing.google.com/advancedprotection/
        
         | einpoklum wrote:
         | > they (Google Play Store) removed our ability to see what "app
          | privileges" that an app would require
         | 
         | Don't use Google Play Store, then. There are other APK
         | repositories.
        
         | andrewia wrote:
         | Google removed the install-time permissions dialog because they
         | replaced it with runtime permissions. This makes sense - some
          | users want PayPal or WhatsApp to access their contact list,
         | and others won't. It also fixes "permission blindness", where
         | users blindly accept a long list of permissions because they
         | need the app, or just stop caring because it's too much to
         | comprehend all at once.
         | 
         | Obviously, this isn't perfect, especially since Google removed
         | the internet permission and allowed all apps to access it.
         | Allowing advanced users like us to toggle off internet access
         | in the "App info" permission page would be a good compromise,
          | and I hope the Android team does so to match Apple on their
         | security efforts.
        
           | varispeed wrote:
           | You should be able to review the list of required permissions
           | before installing the app anyway.
           | 
           | I find it frustrating when I install a simple app and it asks
           | me for every permission possible. Waste of time.
        
           | egberts1 wrote:
           | Fixes "permission blindness"? So, the current form of Google
           | Play (app) Store "Data Security" section of each app being
           | shown as "(blank)" is surely yet another form of "permission
           | blindness".
           | 
           | Google Play Store being proactive in protecting these end-
           | users from their own form of stupidity (or "permission
           | blindness", as you have eloquently pointed out) is just
           | opening themselves to potential liability ramifications
           | instead of deferring to end-user's responsibility of
           | maintaining their own privacy.
           | 
            | I think that the term "permission blindness" is better
           | referred to as an app having zero privilege.
           | 
           | And "App Privileges" should have referred to runtime
           | permissions and should have been displayed in the first place
           | at the Google Play Store instead of install-time privileges.
        
             | vorpalhex wrote:
             | Your apps have no permissions until you allow them. If you
             | install spyware and it wants all your contacts and files it
             | has to ask. You simply select "no" and then remove it.
             | 
             | Apps would force you to consent to eg contact permissions
             | "in case you want to share something to a contact" and then
             | harvest all your contacts. Apps can no longer use that
             | pretense.
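The runtime-permission model discussed in the two comments above (an app holds no permission until the user grants it at the moment of use, and a denial simply switches the feature off), as an added example that is not part of the thread and not Google's own code. It assumes the AndroidX appcompat, activity and core libraries, a `<uses-permission android:name="android.permission.READ_CONTACTS"/>` entry in the app manifest, and hypothetical class and method names (`ShareToContactActivity`, `onShareToContactTapped`).

```java
// Added example (not from the thread): an Android runtime-permission flow in Java.
// Assumes AndroidX (appcompat, activity, core) and that the manifest declares
// <uses-permission android:name="android.permission.READ_CONTACTS"/>.
// Class and method names are hypothetical.
import android.Manifest;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.provider.ContactsContract;
import android.util.Log;

import androidx.activity.result.ActivityResultLauncher;
import androidx.activity.result.contract.ActivityResultContracts;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.content.ContextCompat;

public class ShareToContactActivity extends AppCompatActivity {
    private static final String TAG = "ShareToContact";
    private static final String PERM = Manifest.permission.READ_CONTACTS;

    // Registered once per activity; the lambda receives the user's decision
    // after the system dialog closes. Registration must happen before the
    // activity is started, which a field initializer guarantees.
    private final ActivityResultLauncher<String> contactsRequest =
            registerForActivityResult(new ActivityResultContracts.RequestPermission(),
                    granted -> {
                        if (granted) {
                            shareToContact();
                        } else {
                            // The user said no: degrade gracefully. The OS still
                            // refuses any contacts query, so the feature is off.
                            Log.i(TAG, "READ_CONTACTS denied; share-to-contact unavailable");
                        }
                    });

    // Wire this to the "share to a contact" button. The request is made at the
    // moment the feature is used, not at install or app start, so the prompt
    // carries context instead of contributing to "permission blindness".
    public void onShareToContactTapped() {
        if (hasContactsPermission()) {
            shareToContact();
        } else if (shouldShowRequestPermissionRationale(PERM)) {
            // Denied once already: state the narrow purpose before asking again.
            Log.i(TAG, "Contacts access is used only to pick a recipient");
            contactsRequest.launch(PERM);
        } else {
            contactsRequest.launch(PERM);
        }
    }

    private boolean hasContactsPermission() {
        return ContextCompat.checkSelfPermission(this, PERM)
                == PackageManager.PERMISSION_GRANTED;
    }

    // Reachable only after a grant. Without one, the query below throws
    // SecurityException: there is no install-time "consent" to fall back on.
    private void shareToContact() {
        try (Cursor c = getContentResolver().query(
                ContactsContract.Contacts.CONTENT_URI,
                new String[] {ContactsContract.Contacts.DISPLAY_NAME_PRIMARY},
                null, null, null)) {
            int n = (c == null) ? 0 : c.getCount();
            Log.i(TAG, "recipient picker would list " + n + " contacts");
        }
    }
}
```

The check-then-request shape is the point: the contacts query is never issued on the denied path, and on Android 6 and later the system would reject it anyway, which is what the comments mean by an app having no access until the user allows it. The Play Store listing tells you nothing about this at install time; the grant happens only in the dialog the OS draws.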
        
               | egberts1 wrote:
               | you get prompted for such granularity of privacy AFTER it
               | gets installed but not before you could preview such app
               | settings.
        
               | vorpalhex wrote:
               | Yes. It has no access after being installed and before
               | prompting. What exactly is the issue?
        
           | cmroanirgo wrote:
           | It's taken a decade, but it's pretty much moved back to the
           | permission model that j2me had, which iOS and Android
           | deliberately removed & sold as better UX. Seems like the
           | original devs of j2me knew what they were doing - only the
           | joe public's weren't ready for permission popups then like
           | they are now. :sigh:
        
         | javajosh wrote:
         | Google hiding information about apps in the app store is a big
          | problem - but it's not as big a problem as not having a Little
         | Snitch equivalent built into Android. This alone is a reason
         | for real capital to be spent on startups in the alt-android
         | space. Imagine a company that lets you use your current Samsung
         | or Google or Sony or ASUS or whatever flagship phone, but with
         | a truly open-source fork of Android with a Little Snitch built
         | in, and security updates guaranteed for as long as you stay
         | current with your subscription, which is like $5/mo. (Maybe
         | that's too low). Maybe you could even wipe your device and mail
         | it in to have the software installed if you can't be bothered
         | to do it yourself. Or maybe even a partnership with a phone
         | repair chain. (And if you don't want to pay the fee you can
         | always install updates yourself manually, from source.)
        
           | ignoramous wrote:
           | > _Imagine a company that lets you use your current Samsung
           | or Google or Sony or ASUS or whatever flagship phone, but
           | with a truly open-source fork of Android with a Little Snitch
           | built in, and security updates guaranteed_
           | 
           | You describe the direction CalyxOS / DivestOS are going. And
           | of course, there's the Pixel phones on GrapheneOS which
           | arguably is _more_ security-focused.
        
       | newscracker wrote:
       | I hope Apple expands this quickly through minor updates to the OS
       | rather than waiting for a next major release. This needs faster
       | iteration than anything else.
       | 
       | Quoting what's in the first release:
       | 
       |  _> At launch, Lockdown Mode includes the following protections:
       | 
       | > Messages: Most message attachment types other than images are
       | blocked. Some features, like link previews, are disabled.
       | 
       | > Web browsing: Certain complex web technologies, like just-in-
       | time (JIT) JavaScript compilation, are disabled unless the user
       | excludes a trusted site from Lockdown Mode.
       | 
       | > Apple services: Incoming invitations and service requests,
       | including FaceTime calls, are blocked if the user has not
       | previously sent the initiator a call or request.
       | 
       | > Wired connections with a computer or accessory are blocked when
       | iPhone is locked.
       | 
       | > Configuration profiles cannot be installed, and the device
       | cannot enroll into mobile device management (MDM), while Lockdown
       | Mode is turned on._
       | 
       | I'm not a target (I think, and hopefully don't get to be one),
       | but nevertheless I'd feel safer with this turned on (I very
       | rarely use FaceTime, so not accepting it is not a big deal).
       | 
       | I'd also love more protections. Not allowing specific apps to
       | connect to any network (WiFi included), Apple handling issue
       | reports on apps with urgency (right now they seem to be ignored
       | even when policy violations which are against the user's
       | interests are reported), etc.
        
         | perardi wrote:
         | I think it's reasonable to think Apple will iterate quickly on
         | this.
         | 
         | Why? The iOS 15.x update history.
         | 
         | https://en.wikipedia.org/wiki/IOS_15
         | 
         | Lots and lots of privacy stuff in the point releases. (And
         | accessibility stuff, they've been on a tear there.) They're
         | still in a monolithic mindset when it comes to the "big" apps,
         | but they're iterating faster on these sorts of things as the
         | release cycle goes along.
        
           | alwillis wrote:
           | You might have missed that Apple announced realtime security
           | updates at WWDC [1].
           | 
            | [1]: https://techcrunch.com/2022/06/07/apple-introduces-real-time...
        
             | concinds wrote:
             | That includes fast, no-reboot, and invisible-to-the-user
             | security patches, not improvements in features like
             | Lockdown Mode.
        
         | PoignardAzur wrote:
         | > _I'm not a target (I think, and hopefully don't get to be
         | one), but nevertheless I'd feel safer with this turned on (I
         | very rarely use FaceTime, so not accepting it is not a big
         | deal)._
         | 
         | Good. We need people with nothing to hide to turn Lockdown Mode
         | on, so that Lockdown Mode isn't a telltale signal that you have
         | something to hide.
        
         | erichurkman wrote:
         | Aside from the JIT change, those all sound like pluses to me!
        
       | [deleted]
        
       | xyst wrote:
       | Is the apple bounty program still terrible in terms of payout and
       | length of time to approval?
       | 
       | I can't see many people submitting bounty reports if it's too
        | much of a hassle or not worth the effort.
       | 
       | Since the apple ecosystem is mostly proprietary, it's hard to
       | gauge as individuals if this just provides a false sense of
       | security or not against "state actors".
        
       | ProAm wrote:
       | Apple is not stopping state-sponsored anything. They do not have
        | the expertise nor the willingness to invest enough to stop it.
        | And they also turn everything over they can at a local
        | law-enforcement request, because they have to.
        
       | _the_inflator wrote:
       | "Web browsing: Certain complex web technologies, like just-in-
       | time (JIT) JavaScript compilation, are disabled unless the user
       | excludes a trusted site from Lockdown Mode."
       | 
        | Highly interesting that Apple is doing this. This is a thing. MS
       | and Google are also taking steps to harden Chromium security
       | against JIT compiler issues with JavaScript.
       | https://www.zdnet.com/article/securing-microsoft-edge-switch...
        
         | colechristensen wrote:
         | I just don't want most of the programming capabilities on the
         | web, plain old hypertext with a bit of style is enough. There
         | are plenty of other ways to run software on a computer than
         | inside a web browser.
        
           | capableweb wrote:
           | Most (if not all) browsers allow you to disable JS, so that
           | seems like the perfect preference for you. I know it works on
           | Chrome and Firefox on desktop (I use the NoScript extension
           | myself, that blocks JS by default but allows you to enable it
           | per-site), I can imagine it works the same on smartphones as
           | well.
        
             | olliej wrote:
             | I /think/ what they're asking for is a world where turning
             | JS off is actually a real option. Currently the web
             | essentially does not work in such a case, so while it
             | technically exists the option to disable JS isn't actually
              | a real option.
        
           | simion314 wrote:
           | I agree half way with you, we need the web split into 2
           | parts, webpages and apps.
           | 
            | I've seen some cool simulations, small apps, small games that I
            | can just test online and not have to install them on my
            | machine. Apple would love that we all got scared and only use
            | installed apps from their store, but the web is a decent
            | delivery platform.
            | 
            | If we could have a modern subset of HTML and CSS for news
            | websites and blogs, and the rest of JS for web apps, then you
            | could have the option to turn off the advanced settings, or we
            | could have different browsers that could focus on different
            | things, like a website reader browser that does not care
            | about super fast JITed JS; it would not support WebGL, camera
            | or microphone access, it would just focus on text layout and
            | simple forms,
            | 
            | and a web app browser that focuses on extreme optimizing for
            | JS, canvas and WebGL operations, camera and microphone
            | access.
        
             | peoplefromibiza wrote:
             | I'm having fun with Gemini exactly because it's so dumbed
             | down that you can't do anything more than publish text
             | 
             | It's still very niche, but it's growing and the protocol is
             | so simple that I'm writing software for it, specifically a
             | multi platform browser (more like a viewer?)
        
             | capableweb wrote:
              | You can already achieve all this. Either turn off JS in your
             | browser, or use extensions such as NoScript.
        
               | npteljes wrote:
               | You can technically achieve this, but you get a degraded
               | experience. Most sites don't test for JS being turned
               | off, and it's not rare to only get a blank page when
               | viewing a site in that way.
               | 
               | What OP wishes for is rather an experience that decidedly
               | doesn't use JS, similar to Google's AMP or Gemini. A
               | subset of HTML that makes publishing possible, without
               | moving parts.
        
               | simion314 wrote:
               | Actually I browse with JS off by default and whitelist
               | stuff, ironic since I am a web dev (or maybe the fact I
               | know how shit web tech is is why I think documents should
                | be documents, imagine I want to show you my blog but I
               | make an Unreal Engine 5 app because I want some cool
               | effects and I also want to learn this shiny tool and the
               | marketing team wants to do some shitty things too)
        
         | [deleted]
        
       | blintz wrote:
       | I am so excited about this news. I understand that some people
       | are pessimistic, and view it as a "giving up" on complete
       | security against nation-states. I think that's the wrong way to
       | analyze the situation.
       | 
       | The dream I have is someone making a phone that is purpose-built
       | to be secure against state actors. Unfortunately, this makes very
       | little economic sense, and probably won't happen (maybe if some
       | rich person started a foundation or something?). The phone would
       | need to have pretty restricted functionality and would not be
       | generally appealing to mass market consumers.
       | 
       | As it stands, securing a mass market modern smartphone, even from
       | just remote attacks, is just intractable. We should not bury our
       | heads in the sand and wishfully think that if they just spend a
       | little more money, close a few more bugs, and make the sandboxing
       | a little better, somehow iOS 16 or Android 13 will finally be
       | completely secure against state actors. The set of features being
       | shipped will grow fast enough that security mitigations will not
       | someday 'catch up'.
       | 
       | This is the next best thing! The more we can give users the
       | _freedom_ to lock down their devices, the more the vision of an
       | actual solution comes into view. This is the first step towards
       | perhaps our only hope of solving this someday - applying formal
       | methods and lots of public scrutiny to a small  'trusted code
       | base', and finally telling NSO group to fuck off.
       | 
       | Even this dream may not pan out, but at least we can have hope.
        
         | germandiago wrote:
         | The potential a phone like that would have if you explained to
         | people how states can and _do put_ their nose into their lives
         | is quite big IMHO. It is just that people have no idea of how
         | much they can take from your info through a phone.
        
           | Nextgrid wrote:
           | The problem in 90% of cases is the user himself. Advanced
           | attacks such as spyware-for-hire with zero-days and stuff
           | only affect a minority of users. For the vast majority, the
           | vulnerabilities are much simpler: password
           | reuse/carelessness, malware on other devices (laptop, etc.)
           | that also has access to their data, willingly sharing too
           | much information, etc.
           | 
           | You don't need a special phone or hardened OS to defend
           | against that, and users vulnerable to this will remain just
           | as vulnerable regardless of how much hardening there is.
        
           | Fargren wrote:
           | In general, I'm much more concerned with private actors than
           | state actors. I'm aware of multiple ways in which companies
           | use information to try to extract money from me, and they
           | actively make my life worse in the attempt.
           | 
           | I have a much harder time thinking about how giving states
           | access to my information has been harmful for me. I can think
           | of potential harms, if the state started doing religious or
           | ethnic persecution (not trying to diminish the chance of this,
           | but not a problem today), so I'm aware of potential threats.
           | But other than that... What exactly should I be worried
           | about?
        
           | runnerup wrote:
           | Most people couldn't grasp the important ramifications even
           | if you walked them through it from first principles. I'm not
           | sure I can despite being very interested in information
           | entropy my whole life.
           | 
           | A lot of people really don't understand much at all about
           | anything that they don't constantly see and touch their whole
           | lives. A lot of people truly just live in the moment
           | constantly and use their higher order thinking for social
           | navigation and sex.
        
         | awll wrote:
         | I feel like the closest you can come to the dream of a phone
         | that is secure against state actors today would be a Google
         | Pixel phone running GrapheneOS.
        
         | dark_star wrote:
         | Bunnie Huang is working on Betrusted [1], a communications
         | device that is designed to be secure from state actors. The
         | first step is Precursor (about: [2], purchase: [3]), the
         | hardware and OS that will be the platform for the
         | communications device.
         | 
         | It's designed to be secure even though it communicates via
         | insecure wifi, for instance via tethering or at home. The CPU
         | and most peripherals are in an FPGA with an auditable bitstream
         | to program the device to ensure there are no back doors.
         | Hardware and software are all open source. It has anti-tamper
         | capability.
         | 
         | It looks well-thought-out.
         | 
         | 1. https://betrusted.io/
         | 
         | 2. https://www.bunniestudios.com/blog/?p=5921
         | 
         | 3. https://www.crowdsupply.com/sutajio-kosagi/precursor
        
           | stjohnswarts wrote:
           | Unless you design the FPGA in-house and make it in your own
           | fab, how would you know it's secure? Taiwan and Korea owe the
           | US a lot of favors...
        
             | samatman wrote:
             | FPGAs just have a much lower essential complexity.
             | 
             | Adding one undocumented latch is enough to undermine an
             | ASIC CPU. To do that to an FPGA, you'd have to know where
             | the layout engine is putting the circuit you intend to pwn,
             | and good luck with that staying still under any revision.
             | 
             | If this did become a problem, a technique analogous to
             | memory randomization could be employed to make any given
             | kernel unique from the hardware's perspective.
        
             | buildbot wrote:
             | You can't of course know, but modifying the mask of a
             | modern chip (millions of dollars by itself), slipping those
             | mask(s) (you need many, one per layer of material) into
             | production to target a subset of devices, in a way that
             | lets you inject faults and lets you own the design the FPGA
             | is emulating, is nuclear power level. And I would imagine
             | they would not risk it very often, if at all, due to the
             | fallout it could cause.
             | 
             | A microcontroller on 130nm? Different story, probably. Still
             | crazy hard.
        
         | RonMarken wrote:
         | Realistically you cannot win against a resourceful adversary
         | every time. But merely painting the situation through the lens
         | of premature surrender is also a disservice.
         | 
         | It will be interesting to see what third-party researchers
         | discover about these new protections. I might remember something
         | about Apple rewriting format parsers for iMessage in a memory-
         | safe language with sandboxing as BlastDoor, and it was
         | discovered there was still plenty of attack surface in the
         | unprotected parsers.
        
         | [deleted]
        
         | PuppyTailWags wrote:
         | I would suspect any phone designed to resist a state-level
         | actor, that is made available to me (a regular citizen) would
         | 100% be a honeypot for a state level actor.
        
           | wmf wrote:
           | https://www.vice.com/en/article/y3d3dx/doj-charges-anom-
           | infl...
        
           | godelski wrote:
           | In fact, several phones which have been advertised as such
           | have been honeypots from state level actors.
        
             | Swenrekcah wrote:
             | Which ones? Not challenging you, just curious.
        
               | Entinel wrote:
               | https://www.pcmag.com/news/fbi-sold-criminals-fake-
               | encrypted...
        
               | bilekas wrote:
               | That's crazy! Straight out of the Wire.
        
               | hyperionplays wrote:
               | Australian Federal Police did it as well:
               | https://www.theguardian.com/australia-
               | news/2021/sep/11/insid...
        
             | usrn wrote:
             | Security as a service is going to be a honeypot 100% of the
             | time.
        
               | godelski wrote:
               | This comment feels disingenuous to me, but maybe I'm
               | misinterpreting. Security features are always a service,
               | but there are real apps that provide real security.
               | Signal and Matrix provide real encryption for
               | communication. There are even mainstream products that do,
               | like iMessage or Gmail, though these tend to be more
               | selective about what is secure and what isn't (typically
               | through walled gardens). Apple and Google both use
               | federated learning, which is at least a step better than
               | your typical data "anonymization." I agree that there's
               | not enough push for serious security, especially as a
               | default, but I also am not pessimistic on the subject
               | either.
        
               | contingencies wrote:
               | Signal wants your PSTN ID = real world ID, wants contacts
               | from your phonebook which on Google phones generally
               | means already cloudified, and is itself distributed
               | through Google Play. Further, IIRC it's US-based so
               | subject to acts of intervention from on high. I would be
               | _strongly_ suspicious of any metadata security claims,
               | even if it nominally provides message or session-level
               | encryption. Metadata is bad news.
        
               | astrange wrote:
               | I assume you're an FBI agent trying to encourage people
               | to install your real cooler encrypted app that's not on
               | the store and only available via sideloading.
               | 
               | https://nymag.com/intelligencer/2021/06/fbi-snooped-on-
               | crimi...
        
               | contingencies wrote:
               | Heh, nice one. Not that it's my area, but in case the
               | above was not decodable as sarcasm to other readers,
               | following the evidence-based / defense-in-depth
               | strategies I'd personally recommend not using phones at
               | all (far too little control in general) and instead
               | recommend seeking out auditable (open source) software on
               | actual machines you have a hope to control for secure
               | communications. It's a deep rabbit hole with diminishing
               | returns, though.
        
               | cowtools wrote:
               | SMS and email are insecure-by-default protocols.
               | Gmail/iMessage extend them, which necessarily will create
               | vendor lock-in when the extension relies on some
               | centralized service, the extensions are private, and the
               | implementations are closed source.
               | 
               | Matrix fixes this, but only in the sense that they
               | replace the whole protocol without reverse compatibility.
        
               | stjohnswarts wrote:
               | It's definitely tin-foil-hat level. Obviously if you're a
               | spy you're gonna have to have next-level stuff; most of
               | us aren't Jason Bourne, even if we'd like to think we are.
        
             | stjohnswarts wrote:
             | Anyone big like Samsung, LG, or Apple? I'd love to see
             | those articles and teardowns.
        
           | px43 wrote:
           | IMO Bunnie has the technical skills and the reputation to
           | pull it off though.
           | 
           | I think it has about zero chance of withstanding physical
           | attacks, which is important to me in a phone, but it's a nice
           | effort.
        
           | stjohnswarts wrote:
           | Gotta trust somebody at some point? Otherwise you have to
           | live off the grid in the woods eating squirrels and mushrooms.
        
           | ajsnigrutin wrote:
           | Most of the people in charge only care about what state the
           | "bad"/"good" actors are from, so preferably "our guys"
           | should be able to do everything, and "theirs" nothing.
        
           | newsclues wrote:
           | And yet we got TOR because it was required for National
           | Security.
        
             | cowtools wrote:
             | TOR is no magic bullet.
        
               | newsclues wrote:
               | No, but it was a layer of security required by DoD so it
               | was created and continues to exist.
               | 
               | The same need for modern communications (phones) exists.
        
         | samstave wrote:
         | >>" _...a "giving up" on complete security against nation-
         | states..._
         | 
         | DEFINE:
         | 
         | State Actors: [0]
         | 
         | As one who is acting on " _behalf_ " of a government.........
         | 
         | What if said _government_ was actually an arm of the corporate
         | entities as the state ACTING at their behest?
         | 
         | Crazy, I know.
         | 
         | [0] https://en.wikipedia.org/wiki/State_actor
        
         | ransom1538 wrote:
         | I want deniability. After watching the videos from Ukraine of
         | Russians pulling out citizens from cars, forcing them to unlock
         | their phone with guns to their heads -- I want a way to hand
         | someone a phone, unlock it, and STILL be protected. I want my
         | private things in a volume with deniability. TrueCrypt was
         | close.
        
         | gambiting wrote:
         | >>The dream I have is someone making a phone that is purpose-
         | built to be secure against state actors
         | 
         | I just don't see how anyone could build such a thing. State-
         | level actors have the tools necessary to force you or your
         | company to build in any backdoor they want, and prevent you
         | from ever talking about it to anyone. The US certainly does, and
         | could just force Apple to add a backdoor to this lockdown mode,
         | and Apple could never even hint at its existence under legal
         | threat.
        
           | eurasiantiger wrote:
           | Or they could just add an implant at the factory.
           | 
           | Why anyone allows their devices to be manufactured overseas
           | is beyond me.
        
             | outside1234 wrote:
             | That's because you are unwilling to buy a $1500 phone when
             | there is the same phone for $800.
        
               | rblatz wrote:
               | Might want to update those prices. Highest priced iPhone
               | is $1,600.
        
             | qzx_pierri wrote:
             | >Why anyone allows their devices to be manufactured
             | overseas is beyond me
             | 
             | $$$$
        
             | Consultant32452 wrote:
             | We recently discovered one of our biggest geo-political
             | enemies manufactures all our medicines. So that's crazy.
        
             | robin_reala wrote:
             | Looking forwards to when Apple manufactures all iPhones in
             | Sweden. Or did you mean the US, which remains stubbornly
             | overseas and scary to the majority of the world's
             | population?
        
             | stjohnswarts wrote:
             | I don't recall getting a vote. Do you even know of a single
             | device made in a relatively "benevolent" state actor
             | country? I would love to know. I would love it if there was
             | a provably secure device manufactured in some remote
             | Pacific island that has never projected itself as a
             | malevolent international threat like 100% of the first
             | world countries have.
        
           | stjohnswarts wrote:
           | Not just the US; so do the EU, any Five Eyes country, China,
           | Korea, Taiwan. The US doesn't have a hegemony on backdoors, so
           | let's always remember that and not exclude others or act like
           | it's an island of corruption in a world of benevolent state
           | actors.
        
             | Miraste wrote:
             | I don't think Korea or Australia have the power to force
             | Apple to build backdoors into their products. Maybe they'd
             | get to use the US one if they asked nicely.
        
               | buildbot wrote:
               | Unless it was some kind of false flag to encourage trust,
               | the US government asked less than nicely via the FBI and
               | Apple told them to pound sand.
        
         | googlryas wrote:
         | It might just be better to not rely on a phone, rather than
         | rely on something achieving perfect security against the most
         | malicious and capable of actors.
         | 
         | If I was really concerned about targeted cyber attacks against
         | me, I think that I would exclusively use computers that I would
         | buy from random people on Craigslist, take the hard drives out
         | and only boot with live CDs using ram disks, and only connect
         | via random public Wi-Fi locations.
        
           | reaperducer wrote:
           | _If I was really concerned about targeted cyber attacks
           | against me, I think that I would exclusively use computers
           | that I would buy from random people on Craigslist, take the
           | hard drives out and only boot with live CDs using ram disks,
           | and only connect via random public Wi-Fi locations._
           | 
           | Excellent precautions if you live and work in average middle-
           | class suburbia and never go anywhere or do anything
           | dangerous, controversial, or politically unpopular.
           | 
           | Lockdown Mode is not for you. It's for other people with
           | different lives.
        
             | googlryas wrote:
             | My point is lockdown mode won't be good enough. Which is
             | why there is still a big bounty for it. And those wouldn't
             | be excellent precautions if you weren't doing anything
             | dangerous, because they would be a huge burden over just
             | operating normally above board.
             | 
             | How exactly does this method stop working in cities? You
             | could have provided some content instead of a weirdly
             | vitriolic dismissal.
        
               | IncRnd wrote:
               | The parent was simply explaining that lockdown is not
               | intended for a person who buys computers from Craigslist
               | in order to enforce security.
               | 
               | Your mitigation is not a mitigation against being singly
               | targeted. There are so many attack vectors in a computer
               | outside of the boot disk. The computers sold on
               | Craigslist should not be considered secure, since there
               | is no level of trust in the supply chain or the state of
               | the hardware.
               | 
               | For example: if you are being directly targeted, a nation-
               | state can purchase the computers from your local
               | Craigslist, rewrite their BIOS, and list them for you to
               | purchase. Then flood Craigslist with 100 other
               | compromised machines.
        
               | googlryas wrote:
               | Sure, they can do that. If they know what you're
               | actually doing. And you just do the same thing stupidly
               | on repeat in the same area.
               | 
               | All of that certainly sounds much more involved than
               | sending a zero-day zero-click iMessage to the well known
               | phone number of a dissident.
        
           | Analemma_ wrote:
           | This is a fantasy that could only come from someone who doesn't
           | actually need it. The people who actually need Lockdown
           | Mode -- dissidents, organizers, journalists, etc. -- also
           | actually need to communicate with normal people, and that
           | means having a phone. If you're so unimportant that you can
           | get away with your proposed computing scheme, you're not
           | going to be the recipient of targeted cyber-attacks.
        
             | googlryas wrote:
             | Well, I don't need it, but the people who do need it
             | usually don't have much of a clue about infosec or cyber
             | security.
             | 
             | What means of communication are available to you via a
             | phone but not via an internet connected computer?
             | 
             | There isn't even anything intrinsically wrong with a cell
             | phone, other than the fact that it encourages you to carry
             | it everywhere and merge all communications with everyone
             | onto a single device that is default connected to the
             | internet.
        
       | wmf wrote:
       | Defense in depth is good. Apple is finally getting over their
       | faith in their sandbox.
        
       | stephc_int13 wrote:
       | Computer security is notoriously difficult, but at the same time,
       | none of this is magical, this is meticulous hard work, and with
       | enough time, skills and money I don't see how you can't plug all
       | the holes.
       | 
       | At least the remote attack surface does not seem to be that
       | huge...
        
       | post_break wrote:
       | When reading through this list at each feature I can't help but
       | go "why isn't this in regular iOS?"
        
         | joshstrange wrote:
         | Which is exactly why it's optional. Plenty of other people,
         | myself included, look at that list and would not want them all
         | or would like to pick and choose which subsets are locked down.
        
           | post_break wrote:
           | Yeah pick and choose makes sense for sure. Apple isn't
           | exactly the king of choice unfortunately.
        
           | olyjohn wrote:
           | They should give you a list and the toggle should give you
           | the option "SECURE" or "INSECURE" because that's basically
           | what this is.
        
             | nojito wrote:
             | Hardened devices only work if it's an all or nothing
             | proposition.
        
       | [deleted]
        
       | [deleted]
        
       | tristor wrote:
       | This feature is really fantastic, and it re-affirms my commitment
       | to using Apple devices due to security in preference over
       | Android. The only thing I could see that would be a superior
       | alternative could perhaps be something like Graphene. Already
       | today I locally set up a profile via Configurator in order to
       | ensure that my phone can't be hijacked by some local attacks. The
       | work that is happening with Lockdown is even better, and I'll be
       | enabling this as soon as it becomes available to me.
        
       | Terretta wrote:
       | This is great, but also clever.
       | 
       | By offering users a more locked-down option with clear tradeoffs:
       | (a) users can make a choice between security and convenience, and
       | (b) given user agency, negative press around hacks of _not_
       | locked-down devices loses potency.
       | 
       | Meanwhile, the choice seems straightforward on most of these...
       | 
       |  _Lockdown Mode includes the following protections:_
       | 
       |  _- Messages: Most message attachment types other than images are
       | blocked. Some features, like link previews, are disabled._
       | 
       | GREAT!
       | 
       |  _- Web browsing: Certain complex web technologies, like just-in-
       | time (JIT) JavaScript compilation, are disabled unless the user
       | excludes a trusted site from Lockdown Mode._
       | 
       | GREAT!
       | 
       |  _- Apple services: Incoming invitations and service requests,
       | including FaceTime calls, are blocked if the user has not
       | previously sent the initiator a call or request._
       | 
       | GREAT!
       | 
       |  _- Wired connections with a computer or accessory are blocked
       | when iPhone is locked._
       | 
       | GREAT! (Used to have to do this yourself with Configurator if you
       | wanted to be hostile border-crossing proof.)
       | 
       |  _- Configuration profiles cannot be installed, and the device
       | cannot enroll into mobile device management (MDM), while Lockdown
       | Mode is turned on._
       | 
       | HMM ... there are hardening settings only available through
       | Configurator or MDM profiles. Will those be defaulted on as well?
        
         | Infernal wrote:
         | >> - Configuration profiles cannot be installed, and the device
         | cannot enroll into mobile device management (MDM), while
         | Lockdown Mode is turned on.
         | 
         | > HMM ... there are hardening settings only available through
         | Configurator or MDM profiles. Will those be defaulted on as
         | well?
         | 
         | Reading between the lines here - on lockdown mode, you can't
         | install a profile, or enroll in MDM. What it doesn't say, is
         | that you _can't_ enable lockdown mode with a profile
         | installed, or if enrolled in MDM.
         | 
         | I take this to mean, with lockdown turned on, I can't install
         | profiles or enroll in MDM (but presumably could uninstall
         | profiles or unenroll from MDM).
        
           | sodality2 wrote:
           | Correct. Existing MDM profiles will be unaffected.
        
         | xoa wrote:
         | > _- Configuration profiles cannot be installed, and the device
         | cannot enroll into mobile device management (MDM), while
         | Lockdown Mode is turned on._
         | 
         | > _HMM ... there are hardening settings only available through
         | Configurator or MDM profiles. Will those be defaulted on as
         | well?_
         | 
         | Yes, that one leapt out at me as well as kind of an awkward one
         | with more compromises, painting with a very broad brush. It's
         | obvious that some of the very powerful config profile/MDM
         | capabilities could be used for a lot of mischief, but some of
         | them are also exactly what I'd want to be running myself if I
         | was at a lot of risk, and some are both. I.e., continuing to
         | have one's own offline-based CA with proper Name Constraints
         | could be handy for a group of people who want to try to better
         | secure and keep private their own internal network services
         | from anything short of a government physical assault, but if an
         | attacker can slip on a profile with an unlimited CA your goose
         | is cooked.
         | 
         | Perhaps Apple simply doesn't have the capability for fine-
         | grained control of those capabilities yet, which wouldn't be
         | surprising given their path up until now. I'll be interested to
         | see if over time Apple leaves this mostly untouched or invests
         | in seriously improving it. Like, it'd be interesting if you
         | could boot into a special mode à la DFU, though requiring a
         | password and with graphics up, and have a bunch of toggles for
         | various capabilities that would then be enforced in normal
         | usage. Analogous to the Recovery Mode on Macs.
        
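xoa's point about running one's own name-constrained CA versus an unlimited one, as an added example that is not from the thread, from Apple or from any project: it builds an offline root with the OpenSSL CLI whose critical nameConstraints extension permits only DNS names under internal.example (a constructed name), then checks that OpenSSL's verifier accepts a leaf for wiki.internal.example and rejects one for login.bank.example. Only OpenSSL's validator is exercised here; nothing is demonstrated about how iOS trust evaluation treats the extension.

```shell
#!/bin/sh
# Added example (not from the thread or from Apple): an offline root CA that
# carries a critical X.509 Name Constraints extension, so it can only vouch for
# names under one private suffix. All names used are constructed for the demo.
set -eu

# Verify one leaf ($2) against the CA file ($1). Print OK or REJECTED rather
# than exiting, so both outcomes can be compared by the caller.
verify_leaf() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo REJECTED
  fi
}

# Issue a leaf certificate for DNS name $2, signed by ca.key/ca.crt in the
# current directory, written to $1.crt. The SAN is what the constraint is
# checked against.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Build the constrained root in a scratch directory, issue one in-scope and one
# out-of-scope leaf, and return "inside=<result> outside=<result>".
name_constraints_demo() (
  dir=$(mktemp -d)
  cd "$dir"
  cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo Offline Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# The whole point: this CA may only certify names under internal.example.
nameConstraints = critical, permitted;DNS:internal.example
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 30 -config ca.cnf 2>/dev/null
  issue_leaf inside wiki.internal.example
  issue_leaf outside login.bank.example
  printf 'inside=%s outside=%s\n' \
    "$(verify_leaf ca.crt inside.crt)" "$(verify_leaf ca.crt outside.crt)"
  cd / && rm -rf "$dir"
)

name_constraints_demo
```

Drop the nameConstraints line from ca_ext and both leaves verify, which is the "unlimited CA" case in the comment above: a profile that installs such a root lets its holder vouch for any name the device later connects to, whereas the constrained root is only ever trusted for the private suffix.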
           | alwillis wrote:
           | _Perhaps Apple simply doesn't have the capability for fine-
           | grained control of those capabilities yet, which wouldn't be
           | surprising given their path up until now._
           | 
           | I have to believe they're working on exposing some of this
           | via MDM. Certain organizations may never want the JIT turned
           | on, for example, or allow attachments in iMessage.
           | 
           | I expect we'll hear more about more capabilities this summer
           | and fall.
        
             | m0dest wrote:
             | Do you really trust your average IT department to make an
             | informed decision about whether WebKit JIT is currently
             | secure or not? I don't see Apple putting these in MDM
             | Configuration Profiles. If they do, it will only be for
             | Supervised Devices (i.e. devices owned by your employer,
             | must be wiped to enroll).
        
               | alwillis wrote:
               | _Do you really trust your average IT department to make
               | an informed decision about whether WebKit JIT is
               | currently secure or not?_
               | 
               | In general, no.
               | 
               | For specific website or web apps, yes.
        
           | sodality2 wrote:
           | You can simply enable those MDM profiles then enable Lockdown
           | mode; they will stay on. You just can't enable new ones while
           | Lockdown mode is enabled.
        
       | Animats wrote:
       | Does lockdown mode prevent updates from Apple?
        
       | lisper wrote:
       | Extreme? This sounds like the way I have my computing environment
       | configured by default (to the extent that I'm able to do so with
       | browser extensions and whatnot).
        
         | ArrayBoundCheck wrote:
         | Same. It's too bad general browsing is nearly unusable with JS
         | turned off.
        
       | fbanon wrote:
       | >Web browsing: Certain complex web technologies, like just-in-
       | time (JIT) JavaScript compilation, are disabled unless the user
       | excludes a trusted site from Lockdown Mode.
       | 
       | This should be ON by default. It would force webdevs to write
       | efficient websites.
        
         | iasay wrote:
         | They'd just work out how to write web apps entirely in CSS
         | instead somehow.
        
       | m463 wrote:
       | If I could just firewall my phone like Little Snitch.
       | 
       | But apple doesn't allow this.
        
         | ignoramous wrote:
         | Firewalls like Little Snitch may not be enough against actors
         | like NSO (that exploit unknown zero-days), tbh. The mechanisms
         | to enhance protection do need to come from the vendor
         | (Apple). This _lockdown mode_, for all its present
         | shortcomings, is moving the needle in the right direction, imo.
        
       | colechristensen wrote:
       | Can I turn these features on one by one by some other method?
       | (self-managed MDM, or something else?)
        
         | jackson1442 wrote:
         | Self-managed MDM is the way to go for most of them. I think the
         | main one that can't be achieved through MDM is the browser
         | lockdown. MDM has a lot of other security policies available
         | though.
        
       | corytheboyd wrote:
       | If Apple could somehow make phone and SMS not useless due to spam,
       | that'd really save the average person. They must have the
       | resources to throw at something like this. I'm not claiming to be
       | an expert, I'm not saying I'm right, but phone spam is fucking
       | awful.
        
         | thothamon wrote:
         | Phone spam as in text messages? Your email is a whole other
         | thing
        
           | corytheboyd wrote:
           | Yes indeed email is a whole other thing, that's why I didn't
           | mention it :)
        
         | duskwuff wrote:
         | > If Apple could somehow make phone and sms not useless due to
         | spam
         | 
         | 1) A full solution to this problem is going to depend on mobile
         | carriers making changes. It isn't something which Apple can
         | unilaterally fix.
         | 
         | 2) This is completely irrelevant to the purpose of "Lockdown
         | Mode". It's intended to protect high-risk users from certain
         | sophisticated threats -- it isn't a feature which most users
         | should use.
        
         | knodi wrote:
          | They do already do this: report the message as junk, and the
          | number will be flagged as junk and messages from it will be
          | filtered to the junk view.
        
         | ipsi wrote:
         | Surely that's the responsibility of the providers, though?
         | Apple can improve the situation a bit, maybe, but you'd really
         | need to get AT&T & co to crack down on it to have any chance of
         | solving it for good.
         | 
          | I know that I've had approximately zero spam on my German
          | number (that I've had for ~2.5 years) - I'm not sure why,
          | whether I'm just lucky, or whether it's much more under control
          | here. My UK number definitely had problems with spam, though.
          | Maybe a couple of spam calls a week.
        
           | corytheboyd wrote:
            | Nice, glad to hear it's at least reasonable elsewhere. It's
            | very, very bad in the US, at least for my partner and me. We
           | started getting unsolicited calls days after starting the
           | house buying process because the credit reporting companies
           | sell you off immediately. Very frustrating.
        
             | vorpalhex wrote:
             | There are several redirection services that will pair your
             | spam caller to a very chatty chatbot. Excellent way to make
             | spammers pay.
        
         | thedougd wrote:
         | Worst part of switching from Android (Pixel) to iPhone. It was
         | shocking.
        
         | jeroenhd wrote:
         | This seems to be a problem mostly localized to some countries.
         | Device manufacturers should not be fighting a rotten network,
         | the networks should be fixed instead.
        
           | corytheboyd wrote:
           | Yeah but... here we are. In the US at least, I don't see this
           | ever being addressed at the root. Everything between the user
           | and the phone service is at least somewhat malleable, what's
           | the problem with at least trying in one of those places?
        
       | newaccount2021 wrote:
        
       | janandonly wrote:
       | If Apple was really serious about this, they would add one more
       | feature to Lockdown mode: To delete and scrub permanently and
       | definitively _all your iCloud data_.
       | 
        | You can close the proverbial "front door" by enabling "Lockdown
       | mode" but if that same government sends a subpoena to Apple, then
       | they will just give them a copy of all your iCloud private data.
        
         | devnulll wrote:
         | Nobody who is at risk for this is doing iCloud backups. That's
         | something you can already turn off.
        
           | sneak wrote:
           | Their conversation partners are. iCloud Backup is a backdoor
           | in iMessage's end to end encryption preserved explicitly at
           | the behest of the FBI.
        
             | sonofhans wrote:
             | I'd love to see evidence of this.
        
               | modeless wrote:
               | "For Messages in iCloud, if you have iCloud Backup turned
               | on, your backup includes a copy of the key protecting
               | your messages"
               | 
               | https://support.apple.com/en-us/HT202303
               | 
               | Yes, that really does mean that Apple can decrypt your
               | messages. In fact, Apple does it this way at the explicit
               | request of the FBI, as reported by Reuters.
               | https://www.reuters.com/article/us-apple-fbi-icloud-
               | exclusiv...
               | 
               | And look at all the other potentially sensitive data that
               | is not end-to-end encrypted in the backups. Photos,
               | notes, reminders, calendars, the list goes on.
        
               | sodality2 wrote:
               | It's not something that has evidence - what they mean is
               | that even if you have iCloud backups disabled, everyone
               | you talk to might not. The point of e2ee is that both
               | ends must have it encrypted - not just you and the
               | server, but more abstractly, the communication partners.
        
               | warkdarrior wrote:
               | That is a novel and quite broad interpretation of E2EE.
               | In typical E2EE only endpoints of a (logical)
               | communication channel can decrypt messages on that
               | channel. But E2EE does not say anything about what an
               | endpoint can do with those messages once they decrypted
               | them -- they could print them at the public library and
               | leave them there, they can forward them to the FBI, they
               | can post them on reddit, etc.
               | 
               | If you do not trust your communication partner to
               | safeguard your messages, E2EE will not help you at all.
        
               | concinds wrote:
               | The point is that many people have iCloud Backups enabled
               | without any awareness whatsoever of the implications, as
               | iCloud Backups are opt-out and there is zero disclosure
               | within the OS (only an Apple Support webpage nobody will
               | visit).
               | 
               | It leads to E2E being systemically weakened, since most
               | of your iMessage conversations will get immediately
                | scooped up by Apple and alphabet agencies, dragnet-style.
        
               | sodality2 wrote:
               | I understand that, I didn't mean the concept of e2ee
               | requires the endpoints to never share it at all. What I
               | meant was, commonly people will disable iCloud backups
               | hoping to regain some privacy, but it does nothing
               | because most of your communication partners use iCloud
                | backups. Just like people who switch to e.g. Protonmail -
               | if you only ever talk to GMail users, it doesn't really
               | give you much extra privacy.
        
               | apeace wrote:
               | GP is partially right:
               | 
               | https://www.reuters.com/article/us-apple-fbi-icloud-
               | exclusiv...
               | 
               | According to Reuters sources, Apple abandoned plans to
               | offer iCloud backup encryption, out of fear of government
               | retaliation or even spawning new anti-encryption
               | legislation.
               | 
               | On the other hand, GP is responding to:
               | 
               | > Nobody who is at risk for this is doing iCloud backups.
               | That's something you can already turn off.
               | 
               | And indeed, if you turn off iCloud backups, there is no
               | "backdoor" into iMessage. You can also set up your phone
               | to do encrypted backups locally to your laptop, if you
               | want that instead.
        
         | stu2b50 wrote:
         | You can already turn off iCloud features?
        
         | threeseed wrote:
         | If you care about your privacy don't upload your private data
         | to ANY cloud service.
         | 
         | Even if iCloud was encrypted they still run on third party
         | cloud providers who nobody knows what relationship they have
         | with governments. Many types of encryption are breakable if you
         | have effectively unlimited resources.
        
         | luhn wrote:
         | Most iCloud data is end-to-end encrypted; Apple doesn't have
         | direct access to your data. In the end they do own the OS and
         | could potentially backdoor your device, but if you're worried
         | about that... well, Lockdown Mode is moot at that point.
         | 
         | Worth noting Apple previously refused an FBI order to do just
          | that. https://en.wikipedia.org/wiki/FBI-Apple_encryption_dispute
        
           | jackvalentine wrote:
           | > Most iCloud data is end-to-end encrypted; Apple doesn't
           | have direct access to your data.
           | 
            | Depends what you think of as 'most' really; things that don't
            | have end-to-end include photos, iCloud Drive files, notes
            | and backups.
           | 
           | https://support.apple.com/en-us/HT202303
        
             | mytherin wrote:
              | Secure notes are end-to-end encrypted [1]
             | 
             | [1] https://support.apple.com/en-
             | gb/guide/security/sec1782bcab1/...
        
           | modeless wrote:
           | Apple refused an FBI order to decrypt a phone; however they
           | allow the FBI to access iCloud data all the time. And
           | iMessage is not end-to-end encrypted in iCloud _at the
           | explicit request of the FBI_.
           | https://www.reuters.com/article/us-apple-fbi-icloud-
           | exclusiv...
        
             | nojito wrote:
             | Yes but many things on iCloud are E2E encrypted.
             | 
             | https://support.apple.com/en-us/HT202303
        
               | modeless wrote:
               | Which makes it all the more ridiculous that sensitive
               | things like messages, photos, contacts, and notes aren't,
               | even as an option. Clearly the technical ability is
               | there.
        
       | 2OEH8eoCRo0 wrote:
       | > Wired connections with a computer or accessory are blocked when
       | iPhone is locked.
       | 
       | Android defaults to charging only.
        
         | Aaronn wrote:
         | The same is true on iOS
         | (https://www.theverge.com/2018/7/10/17550316/apple-iphone-
         | usb...). Lockdown mode just prevents you from enabling it.
        
           | 2OEH8eoCRo0 wrote:
           | > USB Restricted Mode prevents USB accessories that plug into
           | the Lightning port from making data connections with an
           | iPhone, iPad, or iPod Touch if your iOS device has been
           | locked for over an hour.
           | 
           | Android asks every time for every device. There is no 1-hour
           | grace period.
        
       | TIPSIO wrote:
       | If you are "a target" and going to take measures of basically
       | disabling everything on your iPhone, wouldn't it just make sense
       | to get a burner dumb phone?
       | 
       | Hasn't this been happening for years (drug dealers, anonymous,
       | etc..)?
        
         | stu2b50 wrote:
          | Think more about journalists. You need Slack to talk to the rest
          | of the team. You need WhatsApp to communicate with sources and
          | locals in most of the world that's not the US. Your iPhone is
          | an important tool for your work in general - a dumb phone that
          | can only make real phone calls and SMS is not particularly
          | close.
          | 
          | Phone calls and SMS are also completely unprotected as opposed
          | to chat apps with e2e.
        
         | pizlonator wrote:
         | But then you'll want lockdown mode (or something like it) on
         | whatever device you use to browse the web.
        
         | yreg wrote:
         | What then? Use SMS?
        
       | [deleted]
        
       | alwillis wrote:
       | Let's not let the perfect be the enemy of the good.
       | 
       | This is a _huge_ step forward for iPhone users. Look, I get it.
       | From the typical HN perspective, this potentially looks like a
        | lot of hype. But many of you aren't looking at it from a high
        | level.
       | 
        | In the world we are now living in, even given what's happening in
        | the United States right now, being able to protect yourself from
        | well-funded, determined attackers for the average person couldn't
        | come at a better time.
       | 
       | There's a huge gap between Fortune 500 executives, government
       | officials, etc. and regular people in terms of the resources
       | available to them to prevent state-sponsored attackers. It
       | doesn't take much these days to go from a nobody to being on
       | somebody's radar.
       | 
       | If you're a woman seeking an abortion in a state where it's
       | illegal or severely restricted, you could be the target of
       | malware from your local or state government or law enforcement.
       | In Texas, you can sue anyone who aids and abets a woman who
       | attempts to get an abortion for $10,000, which is enough to get
       | someone to trick someone into installing malware on a phone.
       | 
       | No, it's not China or Russia coming for you but it doesn't take
       | much to ruin someone's life.
       | 
       | I don't think this is virtue signaling or marketing hype by
       | Apple; if anything, this is right in alignment with the stance
       | they've had on privacy for years. Even for a company the size of
       | Apple, putting up $10 million to fund organizations that
       | investigate, expose, and prevent highly targeted cyberattacks
       | isn't pocket change.
       | 
       | At the end of the day, this is all good news for user privacy and
       | security going forward. I also suspect if I lockdown my iPhone,
       | my other compatible devices using the same Apple ID will also
       | lockdown. No IT department required.
        
         | Sebb767 wrote:
         | > There's a huge gap between Fortune 500 executives, government
         | officials, etc. and regular people in terms of the resources
         | available to them to prevent state-sponsored attackers. It
         | doesn't take much these days to go from a nobody to being on
         | somebody's radar.
         | 
         | It's also a question of whether you want that. Anyone can take
         | anti-phishing training, it just takes a lot of time. Want to
         | download a mod for a game? You better have a separate gaming
         | machine with _no_ important data on it and, to be sure, in a
         | separate network. Want to buy a phone? Better drive to a random
          | store, ordering is too dangerous.
         | 
         | Sure, it's easy to get on the radar, but avoiding a state-
         | sponsored hack is also a lot of effort. Fortune 500 executives
         | need to put that effort in and they do have the money to make
         | it happen, but for most people, the problem is not the cost.
        
         | rmbyrro wrote:
         | > putting up $10 million isn't pocket change
         | 
         | 10 Million = 0.0027% of Apple's sales in 2021.
         | 
         | Equivalent to an Apple developer who made 300K in 2021 donating
         | 8 dollars.
         | 
         | If this doesn't classify as pocket change, it's quite close.
        
           | tyingq wrote:
           | Enlightening comparison, though revenue isn't income.
           | 
           | If you went with net income, it would be 0.0105% of Apple's
           | 2021 net income.
           | 
           | Or $31.80 of $300k instead of $8.
        
             | rmbyrro wrote:
              | $300k is not the developer's net income in the example.
        
           | fastball wrote:
           | Apple has a lot of other stuff to spend money on. Pocket
           | change adds up.
        
           | samatman wrote:
            | Apple made 25 billion _in profit_ in 2021, so the equivalent
            | of a 300K income donating $1200.
           | 
           | To stave off tedium, it's still $800 at a 1/3rd tax rate.
           | These numbers aren't pocket change any way you slice it.
        
         | jorvi wrote:
         | I agree with the rest of your comment, but this
         | 
         | > Even for a company the size of Apple, putting up $10 million
         | to fund organizations that investigate, expose, and prevent
         | highly targeted cyberattacks isn't pocket change.
         | 
         | is kind of funny, as it's about 1/20000 of their total _cash_
         | reserves. With 20000 in my savings account, it'd be equivalent
         | to giving 1 dollar to charity. In other words, pocket change :)
        
           | PoignardAzur wrote:
           | It's still ridiculously good by bug bounty standards.
           | 
           | Zero-day buyers are going to have a hard time topping that.
        
             | O__________O wrote:
             | Bounty is $2 million, grant is $10 million.
             | 
              | You could easily get more for selling a zero-day like this
              | than reporting it to Apple. If you combined the risk that
              | this being turned on is reported back to Apple or is
              | remotely detectable with a zero-day, it would be a
              | goldmine; I cover this and other issues in my comments on
              | the topic:
             | 
             | https://news.ycombinator.com/item?id=32006436
        
           | jjtheblunt wrote:
           | where are the cash reserves documented?
        
             | zie wrote:
              | see: https://investor.apple.com/investor-relations/default.aspx
             | 
              | Specifically the 2022 Q2 financial statement (it's a PDF).
              | Under "Cash and Cash equivalents" on the 2nd page, you will
              | see: 28,098
              | 
              | That's in millions of dollars (see top of that page for
              | source), so they have 28 billion USD just lying around.
             | 
             | 10M/28098M = 0.0004 so it's 0.04% of their cash.
        
         | kelnos wrote:
         | I have mixed feelings about this.
         | 
         | Lockdown Mode basically cripples the phone, feature-wise. It's
         | not quite to the point where I'd (even hyperbolically) say "why
         | don't you just get an old dumb phone instead", but still...
         | 
         | The right thing to do would be to redesign the system from the
         | bottom up to actually be secure in the face of vulnerabilities
         | in any of these features that get disabled because they can be
         | dangerous for people. (And maybe Apple is working on this
         | behind the scenes, which will take them years to complete.)
         | 
         | But, agreed: let's not let perfect be the enemy of the good.
         | It's better to have this option than to not have it, even
         | though it likely creates a super restricted user experience
         | that probably isn't particularly pleasant to use.
        
           | Syonyk wrote:
            | > _Lockdown Mode basically cripples the phone, feature-wise.
            | It's not quite to the point where I'd (even hyperbolically)
            | say "why don't you just get an old dumb phone instead", but
            | still..._
           | 
           | The problem is that phones (of the "dumb"/"feature" variety)
           | are running OSes that don't have nearly the security
           | attention or hardware features related to them as iOS
           | devices.
           | 
           | I carry a KaiOS feature phone as my personal phone (when I
           | remember it). Apple pissed me off enough with the CSAM stuff
           | that I wanted to experiment with alternatives, and I've done
            | so. However, I don't pretend KaiOS is particularly "hard"
           | against attackers - it's almost certainly not. But neither
           | does it have much of an attack surface. It doesn't even try
           | to render emoji, they're just black rectangles. And neither
           | does it try to, say, render weird old Xerox image formats.
           | 
           | I would trust an iOS device with "most of the complex attack
           | surfaces turned off" far more than I'd trust a KaiOS or
           | stripped Android device. You get all the hardware
           | protections, regular OS updates, a bug bounty program focused
           | on this mode, and the smaller attack surface window of
           | Lockdown.
           | 
            | I'm incredibly excited by it, because it turns off all the
            | stuff _I don't want in a phone anyway._
           | 
           | Unfortunately, "crickets on CSAM" is a problem too. If they
            | say they're not going to ship that ill-conceived feature, I
           | might move back to iOS. If not, well... I'll probably play
           | with Lockdown mode for a week or two and then go back to the
           | Flip.
        
         | samstave wrote:
         | CYBER-FUCKING-PUNK has entered the chat!
         | 
         | ---
         | 
          | >> _There's a huge gap between Fortune 500 executives,
         | government officials, etc. and regular people in terms of the
         | resources available to them to prevent state-sponsored
         | attackers._
         | 
         | - Full Stop.
         | 
         | -----
         | 
         | The fact is ; UNLESS you are either the .% or the other ...% of
         | HN users/hackers/dark-web 'rippers' ; you are cyberly _FUCKED_
         | 
          | And it's super odd that we have ~~Ono-Sendai~~ APPL 'defending'
          | cyber-rights.
         | 
         | --
         | 
          | How the fuck can one downvote the above and not have a valid
          | reason they'd like to share. We are on H-FN-N... you think we
          | don't know the above is true?
        
         | smoldesu wrote:
         | > If you're a woman seeking an abortion in a state where it's
         | illegal or severely restricted, you could be the target of
         | malware from your local or state government or law enforcement.
         | 
         | Let's not get in above our heads, here: if the US government
         | wants to know what's on your iPhone, they still have the
         | faculties to retrieve that information. Setting your iPhone in
         | a lockdown mode isn't going to let you escape the purview of
         | government surveillance, and if it did then Apple wouldn't be
         | announcing it today. We're _all_ targets of government malware,
         | and the way they ensure we all keep it installed is simple:
         | they just make Apple and Google write it for them. This
         | pervasive idea that Apple is somehow escaping the jurisdiction
         | of PRISM is pretty hysterical, and it makes me excited for the
         | first Senators to get caught paying for prostitution services
          | with Apple Pay inside Lockdown Mode. The only enemy of "good"
         | in a threat model is the unknown, and Apple makes sure there's
         | _plenty_ of unknown factors in your iPhone.
         | 
         | Edit: For all HN loves to rant about the Halloween Documents,
         | you lot seem awfully unfamiliar with the Snowden leaks...
        
         | andrewmcwatters wrote:
         | "Silly HN reader, you're just not seeing the big picture."
         | Could you not?
         | 
         | You know what people do when they're targeted by state actors?
         | They don't use computers. And if they have to, they air gap.
        
           | MBCook wrote:
           | Ok. You're in the Republic of Somethingistan. You're alone.
           | All you have is your phone to contact people at home to help
           | you and some money and you need to get out.
           | 
           | You know the state is after you.
           | 
           | So you ignore this, turn off your phone instead, and... what?
           | Now you're even more alone, can't get help from
           | friends/family.
           | 
           | This seems like a very reasonable option in some situations.
        
           | dangus wrote:
           | It seems like there could be a median area between "in the
           | crosshairs of the KGB" and "I need to avoid off-the-shelf
           | exploits in a specific situation."
           | 
           | A great example of this might be visiting a country like
           | China while on business. Straight up going "off the grid"
           | isn't really an option in that scenario.
        
           | PoignardAzur wrote:
            | > _You know what people do when they're targeted by state
           | actors? They don't use computers. And if they have to, they
           | air gap._
           | 
           | That's like saying "men who don't have easy access to condoms
           | just stay abstinent instead". This is what we _wish_ would
           | happen. But empirically, they just shrug and do the insecure
           | thing.
           | 
           | (There was an article posted on HN a few years ago that was
           | from a journalist pointing out this exact thing, from his
           | personal experience. I can't find it though.)
        
           | wnevets wrote:
           | Someone better let those NGOs hacked by china know right
           | away!
        
           | astrange wrote:
           | It's true, NSO Group doesn't exist and none of their exploits
           | have ever worked on anyone.
        
         | dkarl wrote:
         | > In Texas, you can sue anyone who aids and abets a woman who
         | attempts to get an abortion for $10,000, which is enough to get
         | someone to trick someone into installing malware on a phone.
         | 
         | Anecdata for people who think this is unlikely: my wife had an
         | issue getting unclaimed property back from the state of Texas
          | and hired someone who advertised the ability to help. She turned
         | out to be a bulldog with a ton of knowledge of the necessary
         | bureaucracy. She put hours per week into it on our behalf for
         | months, through many rounds of filing paperwork and then
         | hounding bureaucrats on the phone by telling them exactly how
         | and why we could sue if they ignored it. She did all that for a
         | cut that was a fraction of the $10k abortion bounty. The $10k
         | might seem like a symbolic gesture, but it will spawn a cottage
         | industry of bounty hunters. No doubt most of them will be
         | ideologically excited wannabes who quickly give it up, but some
         | will be dogged and effective and will cultivate an expanding
         | repertoire of skills. It's a terrifying prospect.
         | 
         | There will be many, many people who never previously
         | entertained the idea of getting involved in serious criminality
         | who now need protection from the prying eyes of the state and
         | their fellow citizens. To look at it from a cold and
         | opportunistic viewpoint, this could change the public
         | perception of digital privacy from being just for dangerous
         | creepy people to something that everybody should value.
        
           | cirgue wrote:
           | To add to this: the whole point of the civil right to action
           | is so that anti-abortion groups can target individuals in
           | order to create precedent-setting cases. This is a mechanism
           | that is designed to be used by well-funded groups. The threat
           | model here isn't some rando deciding they want to sue you,
           | it's a team of determined lawyers that absolutely will take
           | your case as far as they possibly can.
        
           | greiskul wrote:
            | I hadn't thought about this, but you are right. Hell, they
            | don't necessarily even have to be immediately targeted
            | attacks by bounty hunters. Try to perform attacks en masse to
            | read personal messages/e-mails of people, use filtering to
            | try to find messages of people discussing getting abortions,
            | and then parallel construct an innocent sounding story to use
            | in court. With 10k per success, you really don't need that
            | many hits to start making big money.
        
           | nextos wrote:
           | Also, I personally know many old people who use a device just
           | for managing their finances as they are inexperienced with
           | security and fear their main device might get hacked.
           | 
           | This functionality makes a lot of sense in such a case.
        
           | fastball wrote:
           | Yeah except putting malware on someone's phone is actually
           | illegal, so seems like a pretty bad tradeoff since, ya know,
           | you'd have to mention how you got the data when you sue
           | someone in court.
        
             | kelnos wrote:
             | Police use this sort of tactic (parallel construction) all
             | the time, though: they collect evidence in ways not
             | admissible in court, but use knowledge of that evidence to
             | find new lines of investigation and new evidence that _can_
             | be admissible in court.
             | 
             | Presumably someone could use malware on someone's phone to
             | know who to target with an abortion-related lawsuit, and
             | then use legal forms of investigation to find evidence to
             | prove that they got an abortion.
        
             | BHSPitMonkey wrote:
             | https://en.wikipedia.org/wiki/Parallel_construction
        
             | Angostura wrote:
             | Getting information through an illegal trawl, is an
             | amazingly effective way of working out how to get related
             | information "legally".
             | 
             | Find out from the phone, that they have an appointment at a
             | particular time and place? It's easy to just be there and
              | photograph them, "as part of occasional surveillance" or
             | whatever.
        
         | hk1337 wrote:
         | I kind of want to turn it on and leave it on. I'm assuming
         | since it's a "mode" that I can turn it off when I need to, do
         | what I know is legit, then turn back on again.
        
           | rmbyrro wrote:
           | Might not be as convenient. Probably requires restarting the
           | phone.
        
             | QuantumSeed wrote:
             | As soon as you enable lockdown mode in iOS 16 Beta 3 it
             | reboots the phone
        
           | kelnos wrote:
           | I would assume that disabling Lockdown Mode means wiping the
           | phone to factory condition. Otherwise Lockdown Mode is only
           | as secure as whatever PIN or password you use to disable it,
           | which isn't particularly secure at all.
        
             | Syonyk wrote:
             | Yes, but if an attacker has physical access and unlimited
             | time, you've probably lost anyway.
             | 
             | What this seems to be focused on are the "remote zero-
             | click/one-click" vulnerabilities we've seen, in which
             | either a message is delivered that never shows up but
             | installs a backdoor hook, or a website can deliver a
             | malware package to a particular user and install the
             | backdoor hook without notifications.
             | 
             | It sounds like it does improve some of the physical
             | security features, which should help reduce attack surface,
             | but I wouldn't trust _any_ bit of consumer electronics
             | against a sustained physical attack by a sufficiently
             | motivated adversary.
        
         | Veserv wrote:
         | Let's not let better be the enemy of good either. Better than
         | terrible is still bad and is nowhere near good.
         | 
         | It is frankly ridiculous that anybody should believe Apple when
         | they claim to provide even minimal resistance to well-funded
         | determined attackers. Protecting against well-funded determined
         | attackers has been the holy grail of software security since
         | forever and everybody in software security at least claims to
         | be working toward that. Despite that, the prevailing state of
         | "best-in-class" "best-practices" commercial software security
         | is objectively terrible including Apple circa 1 year ago.
         | 
         | Are we supposed to believe that Apple, despite abject failure
         | over the last few decades until as recently as the last time
         | they announced security updates to the iPhone, has finally this
          | time, for sure, pinky swear it's true, jumped from terrible to
         | the holy grail, or even good, because they said so?
         | 
         | No, this is absolute, utter, unequivocal garbage. Their claims
         | are completely unsupported and they should be excoriated for
         | spewing unsubstantiated bullshit that muddies the waters of the
         | actual state of software security and misleads people into
         | believing they are getting a meaningful degree of protection or
         | software security.
         | 
         | If they want to make such claims, they should put their money
          | where their mouth is and, instead of certifying iOS to EAL1+
         | and AVA_VAN.1 as they currently do, they should certify it in
         | "Lockdown Mode" to EAL6-7 and AVA_VAN.5 which actually does
         | certify protection against "high attack potential" attackers
         | such as large organized crime and state-sponsored attackers. At
         | the very least they could certify it to EAL5 and AVA_VAN.4
         | which certifies protection against "moderate attack potential"
         | attackers. Until they do that, their claims to protect against
         | state-sponsored attackers are complete unverifiable bullshit.
        
           | donw wrote:
           | Especially as Apple is often the "well-funded attacker".
        
         | O__________O wrote:
          | At the point it puts users at more risk than not, I don't see
         | this as a step forward; not informing users of the risk of
         | having iCloud enabled is one example.
         | 
         | For more of my take on the topic, see:
         | 
         | https://news.ycombinator.com/item?id=32006436
        
       | mcculley wrote:
       | This is great but too big of a hammer for most use cases. What I
       | really want is a per-application firewall.
       | 
       | For example, say I would like to install a photo editing
       | application. It would need access to my photos. That is fine, so
       | long as it is not allowed to connect to the Internet (or any
       | other network). There is currently no way to ensure this.
        
         | lolsal wrote:
         | > This is great but too big of a hammer for most use cases.
         | 
         | This is not in any way intended for most use-cases, it's very
         | clearly intended for a single, specific, uncommon use-case. The
         | press release says as much more than once.
        
           | mcculley wrote:
           | I guess my point is that instead of making a special mode
           | that is only useful for a minority of users, it would have
           | been really nice to get a feature that everybody should be
           | thinking about and using.
        
             | Legion wrote:
             | Perhaps that's what it eventually evolves into. Probably
             | easier to get this off the ground by developing it as a
             | separate mode.
        
         | briffle wrote:
         | I'd go a step further, and say per-application virtualization.
         | Every single program running its own (ideally encrypted memory)
         | namespace, with its own assigned memory, etc.
        
           | muricula wrote:
           | That's what the ios sandbox provides. Heck, the tools arm64
           | gives you to isolate VMs are awfully similar to the tools
           | they give you to isolate processes. VM escapes aren't too
           | different than sandbox escapes.
           | 
           | Encrypted memory isn't part of arm yet, I was holding out
           | hope with armv9 "realms" but not so.
        
         | varenc wrote:
          | Agreed. I wish iOS had a "network access" permission just like
         | Android does. (Though to avoid permission fatigue for the
         | average user, perhaps make it something only users that care
         | can deny)
         | 
         | That said, I think this is pretty unrelated to protecting
         | yourself from nation state actors. Mercenary spyware (like NSO)
         | doesn't use a legitimate app store app as their initial
         | infection point. I can think of many reasons for this:
         | difficulty getting target to install it, app store approvals,
         | leaking their 0days, leaving more of a paper trail, and
         | avoiding scrutiny in general, etc. I'd of course love this
         | feature for my own data privacy of course.
        
           | mcculley wrote:
           | > (Though to avoid permission fatigue for the average user,
           | perhaps make it something only users that care can deny)
           | 
           | Yeah, I would not want to have to approve every app. What I
           | would like is a machine readable description of the app's
           | capabilities to include Internet access, just as is required
           | for access to the microphone or photos. This would encourage
           | app developers to advertise to users that they don't need
           | such capability and encourage users to realize that privacy
           | and Internet access are mutually exclusive.
           | 
           | There are many small apps I simply will not buy/install
           | (e.g., apps for editing photos or contacts or calendars)
           | because they cannot be trusted. Even if you trust the
           | developer, the developers are often embedding third party
           | analytics libraries that cannot be trusted.
        
             | astrange wrote:
             | This feature exists in Chinese iPhones because it's
             | required by law there.
        
         | olliej wrote:
         | Edit: apparently I was wrong here? Though I'd swear it had the
         | feature?
        
           | Nextgrid wrote:
            | You can disable an app's cellular data access, but that's it, at
           | least on Western phones. Ironically, phones for the Chinese
           | market actually expand that setting and also allow to block
           | Wi-Fi access.
        
           | mcculley wrote:
           | Where do you see this in iOS? The Settings app has many
           | permissions for applications, but no "Internet" permission.
        
             | azinman2 wrote:
             | You can turn off cellular data access to an app; not quite
              | whole internet as WiFi will still work. But it's half
             | the problem.
        
           | LeoPanthera wrote:
           | It does not ask for internet access, it asks for access to
           | other devices on the LAN. Not the same thing.
        
         | imdsm wrote:
         | I use little snitch for this, but I agree, a big hammer, and
         | likely more hoops for regular developers to jump through.
         | Notarisation, signing, forced developer keys...
        
           | post_break wrote:
           | Little Snitch is great. Apple would never allow it on iOS
           | which is ridiculous.
        
             | CharlesW wrote:
             | It's not the same, but have you used App Privacy Report to
             | monitor what your iOS apps are doing?
             | 
             | https://www.wired.com/story/ios-15-app-privacy-report/
        
               | mcculley wrote:
               | The App Privacy Report is great, but too late. It shows
               | you what an app did, not what it might do.
        
               | criddell wrote:
               | Thanks for posting this. I just turned it on and am
               | looking forward to the report.
               | 
               | It's under Settings > Privacy > App Privacy Report.
        
           | mcculley wrote:
           | I use Little Snitch on macOS, but it is not available on iOS,
           | so far as I know. Normal apps on iOS do not have enough
           | visibility into the system for that.
        
             | jeroenhd wrote:
             | Android exposes a soft VPN API that firewall apps can use
             | to block network traffic for certain apps in certain
             | scenarios (say, no Google Play updates when on mobile data)
             | with apps like Netguard [1].
             | 
             | Does iOS not expose such functionality? Surely there's some
             | kind of VPN API?
             | 
             | [1]: https://github.com/M66B/NetGuard
        
               | mathisonturing wrote:
               | Android has app system level options in the settings to
               | disable WiFi/mobile data.
               | 
               | I tend to use that, and use Netguard as a fallback
                | because the latter has an off by default config in case I
               | forget to disable it for new apps.
               | 
               | Netguard on its own is insufficient because sometimes
               | you'd need to use an actual VPN (which turns off
               | Netguard)
        
               | infthi wrote:
                | I've had those options on multiple OnePlus phones, but
                | they were not present on multiple Pixels. Since Pixels
                | are usually sold as the "AOSP experience with Google flavor"
                | and are lacking this feature, I am not sure if that
                | feature comes from AOSP or is only present on OnePlus
                | phones.
        
               | ignoramous wrote:
               | > _Android exposes a soft VPN API that firewall apps can
               | use to block network traffic for certain apps in certain
               | scenarios (say, no Google Play updates when on mobile
               | data) with apps like Netguard._
               | 
               | I worked on AOSP for longer than I care to admit. This is
               | mostly an illusion. System apps (like Google Play) can
               | pretty much do whatever the heck it is that they want to.
               | NetGuard, sure, "firewalls" it... but it wouldn't even
               | know if a system app bypassed its tunnel. For installed
               | apps, NetGuard is golden (as long as NetGuard itself
               | doesn't leak).
               | 
               | disclosure: I co-develop a FOSS NetGuard alternative (and
               | yes, this alternative has similar limitations).
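A sketch of the mechanism jeroenhd describes, with the limit ignoramous points out, as an added example that is not NetGuard's, AOSP's or any commenter's code: an Android VpnService that routes only the selected apps into a tun device and drops every packet it reads, so those apps' connections simply time out. It assumes the manifest declares the service with the BIND_VPN_SERVICE permission and that the user has already consented via VpnService.prepare(); the package names are constructed placeholders.

```java
// Added example (not NetGuard's or AOSP's code): a per-app "blackhole" firewall
// built on the public VpnService API. Only the listed packages are routed into
// the tun; everything else keeps its normal network path untouched.
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import android.util.Log;

import java.io.FileInputStream;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

public class BlackholeVpnService extends VpnService {
    private static final String TAG = "BlackholeVpn";
    // Constructed placeholder package names for the apps the user chose to block.
    private static final List<String> BLOCKED_PACKAGES = Arrays.asList(
            "com.example.photoeditor", "com.example.calendar");

    private ParcelFileDescriptor tun;
    private Thread drainThread;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        Builder builder = new Builder()
                .setSession("Per-app blackhole")
                .addAddress("10.0.0.2", 32)      // dummy local IPv4 address for the tun
                .addAddress("fd00::2", 128)      // dummy local IPv6 address
                .addRoute("0.0.0.0", 0)          // capture all IPv4 traffic of routed apps
                .addRoute("::", 0)               // and all IPv6 traffic
                .setBlocking(true);
        for (String pkg : BLOCKED_PACKAGES) {
            try {
                // Allow-list mode: only these apps are sent through the tun.
                builder.addAllowedApplication(pkg);
            } catch (PackageManager.NameNotFoundException e) {
                Log.w(TAG, "not installed, skipping: " + pkg);
            }
        }
        // Caveat from the thread: privileged system apps are not reliably
        // constrained by this, and starting a real VPN replaces this tun.
        tun = builder.establish();
        if (tun == null) {
            Log.e(TAG, "VPN consent missing or another VPN is active");
            stopSelf();
            return START_NOT_STICKY;
        }
        drainThread = new Thread(this::drain, "blackhole-drain");
        drainThread.start();
        return START_STICKY;
    }

    // Read packets from the tun and discard them: nothing is written back and
    // nothing is forwarded to the real network, which is the whole "firewall".
    private void drain() {
        byte[] buf = new byte[32767];
        try (FileInputStream in = new FileInputStream(tun.getFileDescriptor())) {
            while (!Thread.currentThread().isInterrupted()) {
                if (in.read(buf) < 0) break;
                // Packet deliberately dropped.
            }
        } catch (IOException e) {
            Log.d(TAG, "tun closed, drain thread exiting");
        }
    }

    @Override
    public void onDestroy() {
        if (drainThread != null) drainThread.interrupt();
        try {
            if (tun != null) tun.close();  // unblocks the pending read in drain()
        } catch (IOException ignored) {
        }
        super.onDestroy();
    }
}
```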
        
               | mcculley wrote:
               | iOS has APIs for VPNs and "content blockers". But as far
               | as I know, such a filter has no access to know which
               | process/application is trying to make a connection.
               | Little Snitch on macOS has to install code into kernel
               | space. (Or at least it used to; I have not reinstalled in
               | a long time.)
               | 
               | The Android app you link to seems to have the
               | functionality I think should exist as a built-in. It
               | needs to be built-in so that non-geeks can use it.
               | 
               | Just as users are asked the first time an application
               | attempts to use the microphone and are able to prevent it
               | before it starts, they should be able to limit network
               | access and revoke it at any time.
               | 
                | (I don't think users should necessarily be forced to
               | approve Internet access for every app install. Just make
               | it possible to revoke in the global Settings widget and
               | encourage users to think about personal data and Internet
               | access being mutually exclusive.)
        
               | FireBeyond wrote:
               | Not like that. The idea is antithetical to Apple, who
               | have said during keynotes that they've tried to avoid
               | doing so, because what they really want is a world where
               | the concept of "mobile data" is not limiting.
        
           | radicaldreamer wrote:
            | None of which is particularly effective since it's trivial to
            | set up a legal entity that makes one game but signs a bunch
            | of malware (or steals enterprise keys).
        
       | freedom-fries wrote:
        | I'm guessing it will run afoul of the EU regulations. At the bare
        | minimum there should be a way for a level playing field: individual
        | applications and third party application providers should have the
        | same access as Apple's apps!
        | 
        | * If Safari and Messages are allowed then all other apps should be
        | allowed and have complete access to the device even in the
        | lockdown mode.
        | 
        | * If Apple gets access to any traffic from the device in the
        | lockdown mode, then all other applications should have full
        | access to advertising metrics and device data as well.
       | 
       | At that point it's probably not much of a lockdown, but Apple
       | can't have all the fun can it?
        
       | clamprecht wrote:
       | They should offer "US President mode". Didn't Obama have to have
       | a special version of the Blackberry developed for him, while he
       | was president?
        
         | sedatk wrote:
         | Yeah, in which Twitter is also locked down.
        
       | drexlspivey wrote:
       | Does this offer any protection after you are already pwned? Is
       | the expectation that you have it permanently on if you are a high
       | value target or do you turn it on temporarily before clicking on
       | a link for example?
        
         | dustyharddrive wrote:
         | Don't know enough about iOS to say for sure about persistence,
         | but recent Pegasus (NSO Group spyware) versions don't
         | bother[1], instead repeatedly exploiting bugs starting with
         | "features" like background Messages attachment parsing.
         | 
         | Those are the kind of threats Lockdown Mode finally
         | acknowledges -- targets (well IMO everyone) would need it
         | permanently enabled.
         | 
         | Otherwise the temporary protection before clicking a link can
         | be had today in other ways, like disabling Settings > Safari >
         | Advanced > JavaScript.
         | 
         | [1] Lack of persistence likely an attempt at making it harder
         | to analyze:
         | https://www.amnesty.org/en/latest/research/2021/07/forensic-...
        
         | Nextgrid wrote:
         | If you're already pwned to the point where they have kernel-
         | level access and can bypass code signature enforcement, all
         | bets are off. Even if lockdown mode interfered with their
         | activity, at this point nothing prevents them from modifying
         | the Settings app to not really enable lockdown mode even if you
         | request it to.
        
         | olliej wrote:
         | If you have already been pwned, the OS is compromised so it
         | clearly is not able to retroactively undo that - any checkbox,
         | option or whatever can just be turned into a no op that lies.
        
         | olyjohn wrote:
         | If you're going to run a crippled-ass phone to protect
         | yourself, because the regular phone is so fucking insecure, why
         | even bother with a smartphone? They'll just find an exploit in
         | something that the "security mode" hasn't disabled.
        
       | einpoklum wrote:
       | Apple cannot even in theory protect you from spyware, because
       | Apple's OS and apps _are_ spyware - as Apple (routinely?
       | occasionally?) collects your personal data for the US
       | government's NSA and passes it to them (Snowden revelations:
       | https://www.theguardian.com/world/interactive/2013/nov/01/sn...)
        
         | Nextgrid wrote:
         | This might get downvoted but it's actually true. If you're
         | logged into iCloud, even with all features disabled, things
         | like your call history and email recipient history (regardless
         | of whether you're using iCloud Mail) are uploaded for example.
        
       | legalcorrection wrote:
       | I see they're running the reality distortion field at full power.
       | 
       | This is a load of bullshit and marketing hype. They are letting
       | you turn off features for security reasons, i.e. what basically
       | every OS has let you do, and what every half-competent IT
       | department has been doing, for decades. In fact, iOS was an
       | outlier in how unconfigurable it was, and with the pitiful MDM
       | options not letting you turn off many of these features that are
       | constant sources of vulnerabilities and social engineering.
       | 
       | Nothing that novel here other than the framing and cybersecurity
       | marketing bullshit about Nation State Actors and "mercenaries."
        
         | haswell wrote:
         | Of course Apple is going to put a marketing spin on everything
         | they do - that is a given. Does that somehow invalidate the
         | work itself?
         | 
         | Why do you find it necessary to reframe the introduction of
         | these features as a load of bullshit?
         | 
         | Are you arguing that these features are bad or not useful?
         | 
         | Or are you just saying that "it's about time"? And if so, why
         | not just focus on the part where Apple is doing a thing that
         | needed to be done?
         | 
         | The undertones in your comment feel a bit unnecessary.
        
           | legalcorrection wrote:
           | Because it's being made to sound like something it's not. The
           | comments are full of people fawning over how innovative and
           | groundbreaking this is. Just trying to offer a dose of bitter
           | reality to bring people back down to earth.
        
             | haswell wrote:
             | To what end? What new insight is gained from such a
             | reframing?
             | 
             | I personally don't think the individual features are as
             | interesting as the overall framing and the fact that Apple
             | is publicly announcing their intentions. The feature set
             | will doubtless change over time - such is the nature of any
             | software endeavor - but starting that journey is the
             | interesting part.
             | 
             | Getting stuck on "but it's just xyz dumb feature..." or
              | "but they should have done x long ago", etc. just obscures
             | the more interesting fact that they're explicitly embarking
             | on this path to begin with.
        
             | [deleted]
        
       | TheRealDunkirk wrote:
       | Sounds like a plan to make iOS the default for highly-placed
       | government employees. Maybe that's already the case, but I
       | thought I remembered that Obama had to have 2 phones, and the
       | "secure" one wasn't an iPhone. Anyone have any more knowledge
       | about this?
        
         | ceejayoz wrote:
         | The secure one was a BlackBerry for a while.
         | https://www.theverge.com/2016/6/11/11910306/obama-upgrades-f...
        
         | easton wrote:
         | I'm guessing it isn't, if only because this feature completely
         | disables MDM (which you'd need in government or business to do
         | things like remote wipes or passcode policies). It looks to be
         | designed for people that are possible targets to use on their
         | personal phone, which shouldn't have work data on it.
         | 
         | (Of course, they could make some new MDM policies to
         | individually turn these features on. You can already block
         | external devices with MDM, and you can completely disable
         | FaceTime/iMessage/iCloud. It wouldn't be much of a jump to add
         | the more granular protections this has.)
        
           | bad416f1f5a2 wrote:
           | I think you've misread this announcement: it doesn't appear
           | that MDM is disabled. It merely looks like you cannot change
           | MDM settings, including enrolling, while this feature is
           | active.
        
         | InitialLastName wrote:
         | At least at the start of the Obama Administration, he was known
         | to be hooked on his Blackberry [0], and I know RIM did a lot of
         | work to provide secured devices to government officials. I
         | don't know what government officials are using since RIM went
         | under though.
         | 
         | [0] https://www.nbcnews.com/id/wbna28780205
        
       | saos wrote:
       | This seems rather extreme. I like it!
        
       | [deleted]
        
       | midislack wrote:
        
       | camdenlock wrote:
       | This is mostly great news. Then you scroll down a bit and see
       | this eye-opening 2nd part:
       | 
       | "Apple is also making a $10 million grant [...] to the Dignity
       | and Justice Fund established and advised by the Ford Foundation -
       | a private foundation dedicated to advancing equity worldwide and
       | designed to pool philanthropic resources to advance social
       | justice globally."
       | 
       | So Apple is releasing a great new hardened security mode in iOS,
       | AND... they're donating money to collectivist activism? What a
       | bizarre combination. One step forward, two steps back.
        
       | numpad0 wrote:
        | But how secure are iDevices' peripherals, and RAM? I guess it's a
       | start of a journey, but I don't see this does anything yet.
        
       | stephc_int13 wrote:
       | What does it even mean to be a state-level actor? For me this is
        | the same kind of bullshit/PR language that is used to sell so-
       | called "military-grade" artefacts.
       | 
       | This is nonsense. Security breaches can be discovered and used by
       | anyone with the right knowledge and skills. Geohot was not
       | sponsored by the CIA or the FSB.
        
         | halJordan wrote:
         | State-level is a label for groups that have resources and
         | persistence and perhaps the technical acumen that is available
         | to states.
        
         | WFHRenaissance wrote:
         | I think they're focusing on the notion of protecting against
         | well-funded mercenary firms with the
         | resources/time/ability/motivation to target specific
         | individuals with specific exploits. I have a hard time
         | believing that anyone would enable this Lockdown Mode _prior_
         | to being owned though.
        
           | threeseed wrote:
           | > I have a hard time believing that anyone would enable this
           | Lockdown Mode _prior_ to being owned though
           | 
            | I can imagine many use cases where they would, e.g. a
            | journalist enabling this before working on an article that
            | was critical of a foreign government. Or any government
            | contractor, NGO, embassy worker etc.
        
         | threeseed wrote:
         | > Security breaches can be discovered and used by anyone with
         | the right knowledge and skills
         | 
         | That's often not enough.
         | 
         | You need a lot of resources and most importantly prosecutorial
         | immunity.
        
       | the_other wrote:
       | With this announcement, Apple are saying "we will protect you
       | from state actors", which is a role usually performed by states.
        | Apple is saying "we operate at the same level as nation states;
        | we are a nation-state level entity operating in the 'digital
        | world'". It's a flag-raise.
       | 
       | It's the first such flag-raise I've seen. Security researchers
       | talk about protections from state actors all the time, and there
       | are tools which support that... but this is the first public
       | announcement, and tool, from a corporation with more spare,
       | unrestricted capital than many countries. It comes at a time when
       | multiple nation states are competing for energy and food
       | security; and Apple are throwing up a flag for a security-
       | security fight (or maybe data-security). This is not just handy
       | tech, it's full-on cultural zeitgeist stuff. Amazing.
        
         | jiveturkey wrote:
         | > It's the first such flag-raise I've seen.
         | 
         | "Flag-raise" seems a bit hyperbolic but at any rate I think the
         | BSA asserted such reach and power, long ago. Both have to act
         | within the oversight of actual nation states.
         | 
         | Beyond that, a secure phone is necessary but not sufficient to
         | defend oneself against a nation state.
        
         | ivraatiems wrote:
         | The NSO Group, whom Apple specifically cites as an opponent
         | that inspired this work, is a private corporation. They sell to
         | governments, but so does Apple.
         | 
         | The relationship between state and private industry has never
         | been binary and has always had features like this. I don't
         | think this is a "Jennifer Government" type scenario.
        
         | kccqzy wrote:
         | Google has been dealing with nation state actors targeting its
         | users (Gmail specifically) for a decade now. They have Advanced
         | Protection program. We actually regularly used to hear about
         | how human rights activists were targeted in spear phishing
         | campaigns and then arrested.
         | 
         | https://landing.google.com/advancedprotection/
        
         | bsedlm wrote:
          | Agreed, the rise of the corporation as the most powerful
          | institution (above the nation-state) in this new budding global
          | civilization is a long time coming.
          | 
          | On the other hand, this is how democracy dies. What structures
          | (systems) exist to prevent Apple (and other comparable
          | corporations) from being an oppressive force against human
          | persons? Moreover, what incentives do they have?
        
           | kube-system wrote:
           | Corporations definitely have a lot of power today, but
           | nothing more than they've had in the past.
           | 
           | https://en.wikipedia.org/wiki/Company_rule_in_India
        
           | jfjrkkskdik wrote:
        
           | scottyah wrote:
           | To be fair, banks have been more powerful than a lot of
           | nation-states for awhile, and religious entities before that.
        
             | atlasunshrugged wrote:
             | The religious entities I get the argument but what banks
             | have been more powerful than nation states?
        
               | concinds wrote:
               | The Knights Templar were a religious organisation, but
               | also a quasi-banking institution in Europe; they took and
               | protected deposits of gold, and issued 'cheques'
               | allowing, for example, travellers to deposit gold in
               | London and spend the money in Southern Europe. They were
               | dissolved because they were beginning to rival the Papacy
               | and nations in power due to their immense wealth.
               | 
               | Also, few know this, but many African slaves who were
               | victims of the slave trade became slaves due to debt-
               | slavery (though this didn't involve formal banks). I've
               | seen estimates of up to 25% of slaves back then having
               | been debt-slaves.
        
               | bsedlm wrote:
                | The ones that only service other banks, hence only people
                | working in higher-level banking are likely to have heard
                | about them, e.g. the Bank for International Settlements.
                | 
                | I only found out about this bank because the former
                | president of the Mexican central bank, Mr. Carstens,
                | left the central banking gig to go to that bank.
        
               | atlasunshrugged wrote:
                | From reading their Wikipedia page quickly, it sounds like BIS has
               | a similar function to say the IMF when it comes to
               | financial system stability. I do agree these sorts of
               | organizations exert huge amounts of influence, especially
               | for smaller countries that are dependent on loans and
               | outside financing, but I'm not sure I agree they are more
               | powerful than a nation itself. A nation can
               | (theoretically) decide to opt out from these systems and
               | operate independently, or can play different parties
               | funded by nations (because in the end they all are
               | working for someone's agenda) off of one another as many
               | countries did during the cold war between the U.S. and
               | Soviet Union. But if a nation reneges on its debt, the
                | BIS, IMF, etc. isn't going to invade your country--one of
                | its creditor nations might, but not them.
        
           | saurik wrote:
           | Based on their history of using their control over the App
           | Store to "protect people" from such harmful content as
           | content about how smartphones are made in sweatshops and
           | tools (such as VPN clients, but also for a long time
           | cryptocurrency wallets) that allow people to bypass
           | restrictions put in place by these nation states that Apple
           | works with, I'd claim these incentives are pretty shit :(.
           | 
           | https://www.youtube.com/watch?v=vsazo-Gs7ms
        
             | astrange wrote:
             | If you try to get into cryptocurrency your phone should
             | automatically deliver electric shocks until you stop.
        
             | [deleted]
        
           | Omniusaspirer wrote:
           | Apple is a public corporation and votes on its corporate
           | direction are freely available on the open market for anyone
           | to purchase. Based on my share ownership Apple is much more
           | subject to my whims than my actual elected politicians are on
           | a % basis.
        
           | ryandrake wrote:
           | I can think of a few, at least applicable in the USA:
           | 
           | Apple doesn't have a military or police force with
           | jurisdiction over me. They don't have the legal power to
           | arrest me or throw me into prisons, which they also don't
           | have. I don't have to pay taxes to Apple. I don't have to do
           | business with them or interact with them in any way if I
           | don't want to. I don't need Apple's permission to do anything
           | unrelated to their product lines.
           | 
           | Same is true for any megacorporation. It's a big stretch to
           | say they are even remotely as powerful as nation-states, let
           | alone more powerful.
        
             | [deleted]
        
             | autoexec wrote:
             | > I don't have to do business with them or interact with
             | them in any way if I don't want to. I don't need Apple's
             | permission to do anything unrelated to their product
             | lines... Same is true for any megacorporation
             | 
             | Nope. You can avoid buying an iphone, but you cannot escape
             | Google. I'm often forced to "do business" with google. I've
             | seen several government websites that require code hosted
             | on Google's servers. I need Google's permission to do all
             | kinds of things unrelated to their service (reCAPTCHA) and
             | google will track everywhere you go online even if you
             | never use any of their services. Facebook also doesn't give
             | you any option. They'll create a profile for you and start
             | collecting data on you even if you've never created an
             | account. You could argue that you pay these companies taxes
             | in the form of your data rather than money, or that the
             | fees they charge developers drive up consumer prices
             | (acting as a tax on the purchases), and I suspect that
             | should Apple/Google pay become more commonplace they will
             | start charging a fee (tax) for that as well. Nothing stops
             | them from doing it.
             | 
             | Some corporations even have their own literal armies
             | (Blackwater/Xe/Academi), but others don't bother because
             | they have the ability to command the police and military
             | wherever they are. The RIAA have their own "swat" team.
             | They participate directly in raids breaking down doors and
             | handling evidence.
             | 
             | Companies like Apple and Google are far more invasive than
             | police watching everything you do, listening to everything
             | you say, recording every person you're in contact with.
             | They censor and ban with impunity. If they really wanted
             | to, they could plant data on your devices that would get
             | you arrested and thrown in prison in any country around the
             | globe.
             | 
             | corporations might not yet be as powerful as a nation
             | state, but they're a lot closer than you give them credit
             | for, and they likely have more direct influence on your day
             | to day life and what happens to you.
        
               | kube-system wrote:
               | No, they're nowhere close to being a nation state. Those
               | spheres of power are nothing compared to something like
               | the British East India Company, which had a currency, an
               | army, and forcefully controlled almost 2 million sq. km.
               | of Asia.
               | 
               | Captchas are definitely worthy of criticism, but they are
               | not remotely on the same level as forcefully controlling
               | the land under someone's feet.
        
             | atlasunshrugged wrote:
             | Yes, the state's monopoly on force is to me what truly
             | differentiates them into a different category of power than
             | a corporation. Also international recognition for nation
             | states and being able to have treaties and the like, but
             | really it's the monopoly on use of force. That said, I think
             | the rise of charter cities (think of an SEZ on steroids run
             | by a private corporation) will blur the lines further,
             | although most proposals I've seen for charter cities leave
             | policing to the locality they're residing in.
        
               | tambourine_man wrote:
               | Mandatory taxes, interest rates, printing money... nation
               | states have a lot of power.
        
               | dane-pgp wrote:
               | > interest rates, printing money
               | 
               | Many nation states don't have control over interest rates
               | (because their central banks are run independently of the
               | government) or even the ability to print money, if they
               | have adopted another currency.[0]
               | 
               | > Mandatory taxes
               | 
               | States typically tax transactions which happen on their
               | territory (e.g. wages and sales), and in the case of
               | Apple, their devices are their territory, like feudally
               | controlled tracts of land in cyberspace. Taking a cut of
               | all app sales and in-app purchases seems very much like a
               | tax under this analogy.
               | 
               | [0] https://en.wikipedia.org/wiki/Currency_substitution
        
         | dotnet00 wrote:
         | This feels like an argument the government would make against
         | strong encryption like in the case a few years ago where the
         | government tried to force Apple to unlock an iPhone and Apple
         | refused claiming it wasn't possible.
         | 
         | Apple are basically saying that they're going to do their best
         | in terms of security measures to thwart even state actors,
         | which is only as much of a nation-state level thing as
         | "military grade encryption" is a thing only applicable to
         | militaries.
        
         | axolotlgod wrote:
         | Definitely very interesting. I know Google has their "Advanced
         | Protection Program"[0] with a Titan security key which is
         | similar. It is interesting considering that Google's
         | protections target the user as the weak link, as your data
         | lives on their hardware; while Apple is obviously targeting
         | both the user and the hardware they have. I'm curious what
         | security researchers will think of this, if it's more theater
         | or if it is actually an innovative attempt at giving advanced
         | privacy to people who need it. Despite their past stumbles
         | (e.g., CSAM), it seems like Apple is genuinely in the privacy
         | fight, even if it is just for their bottom line.
         | 
         | [0]: https://landing.google.com/advancedprotection/faq/
        
           | alwillis wrote:
           | "About Apple threat notifications and protecting against
           | state-sponsored attacks": https://support.apple.com/en-
           | us/HT212960
        
         | LegitShady wrote:
         | Counterpoint - the EU has been passing laws that force apple to
         | be more fair in their markets, and this "we're protecting you
         | from bad guys" stuff is apple trying to figure out deniable
         | methods to protest or sue against the EU passing laws to
         | restrict apple's ability to lock other developers out.
         | 
         | Throw together a basic set of options that should have been
         | available long ago, now apple is protecting you, don't strip
         | apple of the ability to protect you, etc.
        
         | kmeisthax wrote:
         | There's a bit of a journey from "protecting you against
         | government hackers and spooks" to full-on sovereign states; and
         | there's a _lot_ of things that a country's government funds
         | that Apple couldn't even begin to take on[0]. Physical security
         | and military operations are a hell of a different field from
         | that of locking down computers.
         | 
         | Furthermore this _isn't_ the first of its kind; Google has
         | been alerting high-risk Gmail users about state-sponsored
         | hacking for about a decade now. Microsoft probably does
         | something similar. Apple is comparatively late to the party on
         | this. On the offensive side you have the zero-day vendors that
         | broker exploits between hackers and the government.
         | 
         | A better explanation is that Apple isn't supplanting the US
         | government. It's supplanting Halliburton. As more and more
         | people and things go online, hacking and doxxing them is
         | becoming more militarily valuable than just arresting someone
         | or firing a missile. After all, physical attacks risk
         | counterattacks and escalation, but Internet attacks are
         | relatively cheap, not really treated as an attack by many
         | sovereign states, and, most importantly, difficult to
         | attribute.
         | 
         | [0] Call me when Apple black-bags Louis Rossman for illegally
         | repairing MacBooks, or threatens literal nuclear war - like,
         | with uranium bombs and radioactive fallout - on the EU for
         | breaking the App Store business model.
        
           | FredPret wrote:
           | Apple doesn't have to literally have an army and a bureaucracy
           | to rival a government. They just need enough flex. And they
           | do!
        
           | alwillis wrote:
           | _Furthermore this isn't the first of its kind; Google has
           | been alerting high-risk Gmail users about state-sponsored
           | hacking for about a decade now. Microsoft probably does
           | something similar._
           | 
           | It's great that Google alerted Gmail users, but then what?
           | 
           | "We believe you may be a target of a state-sponsored
           | attacker; have a nice day."
           | 
           | Beyond just telling you, Apple is providing some tools to do
           | something about it.
        
             | joshuamorton wrote:
             | Google advanced protection mode has been available for a
             | while.
             | 
             | The threat models are different because the companies
             | provide different services (spear phishing defenses from
             | the web services company, hardware defences from the
             | hardware provider), but still.
        
             | closewith wrote:
             | I'm not a big supporter of Google in general, but they don't
             | just notify you. They offer to enrol you in their Advanced
             | Protection Program:
             | https://support.google.com/a/answer/9378686?hl=en
        
           | lwswl wrote:
           | I've always thought that the companies coded the "zero day
           | exploits" in, and then sold them for profit.
        
             | PeterisP wrote:
             | It doesn't make sense from a numbers perspective, there's
             | simply not that much potential for profit there. In
             | general, the sale price of a zero-day or ten in some
             | popular product is tiny compared to, for example, the
             | marketing budget of that product.
             | 
             | That money is significant from the perspective of a
             | particular employee (i.e. if they personally would get the
             | money) or for a specialized consulting company, but it's a
             | drop in the ocean for the large companies actually making
             | the products. So we should expect some backdoors
             | intentionally placed by rogue employees (either for
             | financial motivation or at the behest of some government)
             | but not knowingly placed by the organizations - unless in
             | cooperation with their host government, not for financial
             | reasons.
        
               | [deleted]
        
             | ivraatiems wrote:
             | I'm not saying it never happens, and I don't want to assume
             | anything about your background, but I think most people who
             | work in software would agree there's no need. Plenty of
             | problems get in on their own.
        
               | skrtskrt wrote:
               | yep if that were your goal it would be way more cost
               | effective to get a zero day from just not trying that
               | hard with security practices. Not having any security
               | knowledge on the team. Not patching/upgrading
               | dependencies with security bugs.
        
               | ivraatiems wrote:
               | And then you have plausible deniability! I think we're
               | hitting on a new business model here...
        
               | dylan604 wrote:
               | RSA weaker key set to default perhaps?
        
         | wyuenho wrote:
         | A nation state has more than one way of extracting information
         | from enemies of said state. There's the civilized way we now
         | call hacking, and then there's the traditional way, which may
         | or may not involve technology.
        
         | labrador wrote:
         | Apple is following the lead of Microsoft in this regard.
         | Microsoft has been acting as an international cyber defense
         | agency for a few years. On the effectiveness of Ukraine's cyber
         | defense: "Microsoft in particular has been hard at work" 21:45
         | 
         | Assessing Russia's War in Ukraine
         | 
         | https://youtu.be/CzbsPOaCrLw?t=1305
        
         | marcodiego wrote:
         | Since the software is still proprietary, considering these
         | statements as guarantees is just an exercise of faith.
        
         | atmosx wrote:
         | Nothing new. When states requested access to covid DB apple and
         | Google refused access based on what happened in the Netherlands
         | in WW2.
         | 
         | I must say that on one hand it's anti-democratic, on the other hand
         | western democracies have a rather poor track record on
         | safeguarding this kind of info.
        
         | legalcorrection wrote:
         | I think you're letting the reality distortion field get to your
         | head. They're creating a safe mode for iPhones because a lot of
         | features are complex/intricate enough that they are perennial
         | sources of vulnerabilities (and/or UX flaws that lead users to
         | make unsafe decisions).
         | 
         | That is, they're turning features off for security. Something
         | every IT department has been doing for decades. Windows
         | supports this. Mac OS supports this. In fact, iOS was kind of
         | notable in being so unconfigurable. The settings available in
         | their MDM implementation were pitiful and didn't let admins
         | disable many of these features.
        
         | cma wrote:
         | > It's the first such flag-raise I've seen.
         | 
         | After the Snowden leaks that showed even in-country citizen-to-
         | citizen communication was being scooped up by the NSA without a
         | warrant through fiber taps (if I remember that right) when
         | Google replicated the data to out-of-country data centers,
         | Google announced encryption of those links:
         | Google encrypts data amid backlash against NSA spying
         | 
         | https://www.washingtonpost.com/business/technology/google-en...
        
         | modeless wrote:
         | > It's the first such flag-raise I've seen
         | 
         | You haven't been paying attention. Many tech companies have
         | been protecting accounts from state attackers for many years,
         | and explicitly calling out state sponsored attacks. Google
         | introduced state-sponsored attack warnings in 2012 [1] and the
         | Advanced Protection program explicitly protects from state
         | sponsored attacks [2].
         | 
         | [1] https://security.googleblog.com/2012/06/security-warnings-
         | fo...
         | 
         | [2] https://blog.google/threat-analysis-group/protecting-
         | users-g...
        
         | newaccount2021 wrote:
        
         | starwind wrote:
         | > Apple are saying "we will protect you from state actors",
         | which is a role usually performed by states
         | 
         | Not to sound flippant, but defense attorneys do this, too. I
         | don't think it's as big a zeitgeist as you think
        
         | KennyBlanken wrote:
         | Apparently that protection does not include protection from the
         | US government.
         | 
         | iMessage offers excellent privacy of message content, but no
         | 'pen register' protection.
         | 
         | Phone device security is very strong, but it's made largely
         | moot if you turn on iCloud backups (which is the default
         | behavior if you provide an Apple ID. I'm not sure there's even
         | a way to stop the initial backup from happening?)
         | 
         | Apple reportedly doesn't offer e2ee on iCloud, or even
         | encrypted device backups, out of compromise with the federal
         | government...specifically the FBI, CIA, and NSA.
         | 
         | Why might people care about this? Criminalizing abortion and
         | miscarriages...and what looks like at the very least a re-
         | recognizing, and possibly criminalization, of LGBTQ
         | relationships.
        
           | eastbound wrote:
           | True, Apple could stop nagging about backing up into iCloud.
           | 
           | Apple should offer other sorts of backups, and offline iCloud
           | systems.
        
             | threeseed wrote:
             | They do offer other sorts of backups.
             | 
             | You can back up to a Mac or PC. And it's offline and
             | encrypted.
        
           | kube-system wrote:
           | When Apple says "state actor threats" they're not talking
           | about future-state theoretical breaches of domestic privacy
           | by your own government. Apple is always going to follow the
           | law. They're talking about the types of situations where data
           | from people's phones is used to commit international criminal
           | activity, espionage, assassinations, etc.
        
         | mnd999 wrote:
         | Do you also believe the earth is flat?
        
         | unethical_ban wrote:
         | No, they aren't, any more than an OS claiming "military grade
         | encrypted boot drive" means they have a military.
        
         | the_gipsy wrote:
         | It's marketing and you ate the hook, line, and sinker.
        
         | Swizec wrote:
         | > Apple is saying "we operate at the same level as nation
         | states; we are a nation-state level entity operating in the
         | "digital world"
         | 
         | Apple's _profits_ are bigger than my country's (Slovenia)
         | whole GDP. You bet your butt they're a state level actor in the
         | digital world. They have more resources than many countries.
         | 
         | If Apple was a country, their $365bn in revenue would make them
         | the 43rd richest country in the world right after Hong Kong.
         | 
         | https://en.wikipedia.org/wiki/List_of_countries_by_GDP_(nomi...
        
           | nradov wrote:
           | This also points out how the increasing costs of technology
           | and economies of scale mean that small countries like
           | Slovenia are no longer viable on their own. The only way they
           | will be able to survive the next few decades and avoid
           | turning into failed states is to surrender most of their
           | sovereignty to larger regional alliances.
        
           | amelius wrote:
           | And if you computed the per-capita GDP?
        
             | Swizec wrote:
             | Hard to compute because contractors don't count towards
             | Apple's official headcount. Comes out to $2.5mil/employee
             | using wikipedia numbers.
             | 
             | GDP per capita for Slovenia is $25,179 in comparison. 100x
             | less.
             | 
             | For Hong Kong, which makes a bit more GDP than Apple does
             | revenue, the per capita number is $46,323. 50x less than
             | Apple.
        
               | whateveracct wrote:
               | Also silly to compare because a proper nation-state does
               | more than develop products and services for profit.
               | Social contract and all that.
        
               | Swizec wrote:
               | My understanding is that the "social contract" inside
               | many of these large companies is quite cushy. Especially
               | in USA where being employed comes with services
               | traditionally provided by the state like health care,
               | child care, free or subsidized food, retirement benefits,
               | etc.
        
               | whateveracct wrote:
               | It's not especially comparable to what an actual
               | government has to deal with though. It's superficially
               | similar I guess.
        
         | moogly wrote:
         | > It's the first such flag-raise I've seen
         | 
         | Zuckerberg, 5 years ago:
         | https://www.youtube.com/watch?v=mFPAe8Tc2NE
        
           | foobiekr wrote:
           | Perhaps "first credible" is the correct description.
        
             | moogly wrote:
             | I'm not so sure about that; I'm not that impressed by that
             | list of features.
        
         | lolbutwutf wrote:
         | Apple blocking a few features means it's now operating as a
         | nation state.
         | 
         | Tell me it's a Hacker News comment without telling me it's a
         | Hacker News comment.
        
         | whatgoodisaroad wrote:
         | At the same time, if that state actor happens to be China,
         | Apple will just give the government access to your iCloud data.
         | Not all state actors are equally within Apple's striking range.
        
           | KerrAvon wrote:
           | What makes you think so?
        
             | kop316 wrote:
             | https://support.apple.com/en-us/HT208351
        
             | shard wrote:
             | "Apple is moving some of the personal data of Chinese
             | customers to a data center in Guiyang that is owned and
             | operated by the Chinese government. State employees
             | physically manage the facility and servers and have direct
             | access to the data stored there; Apple has already
             | abandoned encryption in China due to state limitations that
             | render it ineffective."
             | 
             | https://www.cpomagazine.com/data-privacy/icloud-data-
             | turned-...
        
               | KennyBlanken wrote:
               | Apple has abandoned encryption for everyone in iCloud.
               | You cannot encrypt anything except a limited subset of
               | your device's data (Apple Health data, mostly.)
        
               | kmeisthax wrote:
               | In Apple's defense E2E encryption also makes it a lot
               | easier to get locked out of your photos and device
               | backups.
               | 
               | IMHO it should still be an option but only as part of
               | Lockdown Mode, with the explicit caveat that turning it
               | on risks losing data.
        
               | holmesworcester wrote:
               | That may be true, but Reuters reported that Apple had a
               | plan for it (which means they felt it was workable) and
               | dropped it due to pressure from FBI/DOJ.
               | 
               | https://www.reuters.com/article/us-apple-fbi-icloud-
               | exclusiv...
               | 
               | Also, there are many users who would benefit from e2ee
               | iCloud backups who are _not_ targets of NSO Group-type
               | attacks, so I don't think it makes sense to make it only
               | available in "Lockdown Mode".
        
               | mercutio2 wrote:
               | I was all prepared to answer this with "so Reuters
               | reporting something makes it true?", only to discover
               | that, in fact, Reuters reported no such thing.
               | 
               | Reuters makes two claims:
               | 
               | 1) The FBI talked to Apple (duh)
               | 
               | 2) An unannounced plan to implement fully E2EE backups was
               | no longer discussed with the FBI at their next meeting
               | 
               | Both of those things might be true! Reuters isn't known
               | for just making stuff like this up, like, say Bloomberg,
               | but the article specifically says:
               | 
               | "When Apple spoke privately to the FBI about its work on
               | phone security the following year, the end-to-end
               | encryption plan had been dropped, according to the six
               | sources. Reuters could not determine why exactly Apple
               | dropped the plan."
               | 
               | So we've got an unannounced product, which the FBI didn't
               | like, which Apple stopped talking to the FBI about
               | (according to some leakers at the FBI).
               | 
               | This does not add up to "Apple dropped plans due to
               | pressure from [the] FBI/DOJ". It adds up to "secretive
               | company discusses plans with secretive agency, and some
               | stuff about that conversation leaked".
        
               | stjohnswarts wrote:
               | I would suggest that if you're doing anything illegal in
               | the country you're staying in, turn off icloud sync at
               | the least, and best policy is don't use an iphone but use
               | an android with an open source operating system like
               | graphene OS
        
               | matwood wrote:
               | > In Apple's defense E2E encryption also makes it a lot
               | easier to get locked out of your photos and device
               | backups.
               | 
               | This is likely the real reason E2E hasn't been done yet.
               | I would wager Apple deals with orders of magnitude more
               | people who are locked out of their phones than the number
               | impacted by the lack of E2E backups. Trusted recovery
               | contact added in the last iOS version is a step in a
               | direction of providing some way to implement E2E, and
               | still give people a way to recover.
        
               | germandiago wrote:
               | I really dislike that there is so much social control :(
               | In theory it is to protect you. In practice it can and is
               | misused in so many ways that it should not be even
               | allowed without a judge authorization.
        
               | nradov wrote:
               | You're kind of missing the point. The Chinese government
               | has unlimited social control. Even if there was some sort
               | of written law in China requiring judicial oversight,
               | that wouldn't limit social control because the judiciary
               | is just a rubber stamp.
        
             | atlasunshrugged wrote:
             | Because they are complying with Chinese laws regarding data
             | localization in the country and have been known to work
             | with China (recently YMTC chip deal, previously in a major
             | unreported deal that was unearthed a little while ago) in
             | order to get market access.
             | 
             | https://www.reuters.com/article/us-china-apple-icloud-
             | insigh...
             | 
             | https://www.forbes.com/sites/roslynlayton/2022/06/08/silico
             | n...
             | 
             | https://www.theinformation.com/articles/facing-hostile-
             | chine...
        
               | GeekyBear wrote:
               | How is this different than Microsoft Azure?
               | 
               | Microsoft handed over control of Azure in China to a
               | Chinese company years ago.
        
           | Matl wrote:
           | It is worth mentioning that things like National Security
           | Letters exist in the US. It is also the US who made Apple
           | back off of encrypting iCloud backups E2E.
           | 
           | I wish we were more willing to cite our own government(s) as
           | the bad actors here, rather than pretending that we have to
           | reach for China/Russia/North Korea to find the kind of
           | behavior Apple is attempting to protect its users against
           | here.
        
             | closewith wrote:
             | Not to mention the CLOUD (Clarifying Lawful Overseas Use of
             | Data) Act, which was enacted following a case in 2014 where
             | Microsoft refused to hand over emails stored in the EU (an
             | Irish data centre, in that case) on foot of a domestic US
             | warrant.
             | 
             | The CLOUD Act expressly brings data stored by US-based
             | companies anywhere in the world under the purview of US
             | warrants and subpoenas.
             | 
             | https://en.wikipedia.org/wiki/CLOUD_Act
        
               | gzer0 wrote:
               | How well does this play out with things like GDPR? I can
               | only find one sentence about it but this seems like a
               | direct conflict.
               | 
               | Who wins? The USA, the EU, no one, everyone?
        
               | t0mas88 wrote:
               | It's not entirely clear yet who wins, but the current
               | issues with Google Analytics in the EU seem to be
               | partially related. Some countries have come to the
               | conclusion that GA can't be legal if Google US has access
               | to the data.
        
               | xet7 wrote:
               | USA cloud services are not GDPR compliant:
               | 
               | https://nextcloud.com/blog/the-new-transatlantic-data-
               | privac...
        
               | closewith wrote:
               | It's part of the reason that Privacy Shield collapsed and
               | why the US isn't considered to offer adequate protection
               | to EU residents. It's currently being both litigated (as
               | more and more EU country data protection agencies make
               | individual rulings that specific instances of transfers
               | of personal data to US companies are unlawful) and the
               | subject of intense political negotiation between the EU
               | and US.
               | 
               | Most companies affected are currently awaiting the
               | results of these processes, because following the current
                | precedent to its logical conclusion, it appears unlawful
               | to transfer any personal data of an EU resident to a US-
               | based company (even if that data remains physically in
               | the EU or another adequate country). That would obviously
               | have catastrophic consequences for the current status
               | quo, so it's hard to believe that a compromise won't be
               | found to avoid it.
               | 
               | However, it's also hard to see a compromise unless the
               | United States exempts EU data subjects from the CLOUD
                | Act, which seems unlikely. Hard to know where it'll go.
        
               | legalcorrection wrote:
               | This has always been the law. Common law courts have been
               | issuing court orders that require you to take actions in
               | foreign countries, even in violation of foreign law, for
               | as long as it's been a legal question. The CLOUD Act
               | actually introduced some additional safeguards and allows
               | judges to consider the seriousness of the foreign law
               | violation with the importance of the court getting access
               | to the foreign-stored data.
               | 
               | You unfortunately need something like this because
               | otherwise people will just hide documents, money, stolen
               | property, etc. in foreign countries out of reach of US
               | courts, even if they are US persons and corporations.
        
           | kube-system wrote:
           | Yes, this is Apple protecting you against _extralegal_ state
            | actor threats. There's not really much Apple can do to
           | protect you against the laws of your own country.
        
           | jonny_eh wrote:
           | > Apple will just give the government access to your iCloud
           | data
           | 
           | "You" only means you if you're a Chinese citizen.
        
             | savoytruffle wrote:
             | resident
        
           | acomar wrote:
           | and if the state actor happens to be the US? which of these
           | tech companies do you expect to look after you then?
        
           | milesskorpen wrote:
           | If you opt-in to iCloud, you're opting in to a lot of state-
           | level security risk in any country (and this is true of any
           | commercial cloud).
        
             | Maxburn wrote:
              | We have seen reports that Apple can remotely enable iCloud
              | backups and then trigger a backup.
        
               | Nextgrid wrote:
               | Do you have more info about this?
        
               | nojito wrote:
               | Source? iCloud backups can only be triggered via your
               | passcode which is secured against the secure enclave.
        
               | threeseed wrote:
               | This doesn't sound plausible in the slightest.
               | 
               | The only persistent connection Apple has that I can think
               | of to implement such a concept is for push notifications.
               | Which would be a massive security hole if a HTTP response
               | to that daemon was capable of bypassing the lock screen,
               | secure enclave etc.
               | 
               | And the logical question is if they had such a system why
               | would they bother triggering an iCloud Backup when they
               | could ask the device to specifically hand over certain
               | information e.g. Messages. Which at least could be done
               | quietly over Cellular.
        
             | KennyBlanken wrote:
             | Nothing stops Apple from offering e2ee backups, and in fact
             | they do this for certain data backed up to iCloud (health
             | data for example.)
             | 
             | But your iMessage data...well there, your ass is hanging
             | out in the breeze. In fact, I'm not sure it's possible to
             | log into an iPhone with your Apple ID and not have an
             | iCloud backup immediately fire off, which means your
             | private encryption keys hit iCloud and stay there until it
             | is purged according to their data retention policies. And
             | we have no idea what those policies actually are; those
                | keys may end up stored forever.
        
               | GeekyBear wrote:
               | > Nothing stops Apple from offering e2ee backups
               | 
               | The US Government pressured them to drop a plan for fully
               | encrypted cloud backups.
               | 
               | >Apple dropped plan for encrypting backups after the FBI
               | complained
               | 
               | https://www.reuters.com/article/us-apple-fbi-icloud-
               | exclusiv...
               | 
               | If you want a fully encrypted backup of your device, you
               | have to make it to your local Mac or Windows computer.
        
               | astrange wrote:
               | > Nothing stops Apple from offering e2ee backups, and in
               | fact they do this for certain data backed up to iCloud
               | (health data for example.)
               | 
               | Almost all users can't handle this; to support people,
               | you need to be able to recover their account when they've
               | lost every single password and proof of identity they
               | possibly can. It's not a backup if you can't restore it.
        
               | mehrdada wrote:
               | > In fact, I'm not sure it's possible to log into an
               | iPhone with your Apple ID and not have an iCloud backup
               | immediately fire off
               | 
               | You are correct there's a bit of dark pattern going on
               | here, but it is possible (to the extent the code does
               | what it says of course). To be extra sure I have a custom
               | lockdown MDM profile to disallow iCloud backups, as well
               | as a number of other nefarious things like analytics, and
               | whenever I get a new device, I first DFU restore it to
               | the latest iOS image to ensure software (post bootrom)
               | isn't tampered with, then activate and install the MDM
               | profile via a Mac and only then I interact with the
               | device and go through setup.
        
               | thewebcount wrote:
               | > I'm not sure it's possible to log into an iPhone with
               | your Apple ID and not have an iCloud backup immediately
               | fire off
               | 
               | Yes, it absolutely is possible. I have never turned on
               | iCloud backup so I have no cloud backups of any of my
               | phones or other devices.
        
           | ivraatiems wrote:
           | I mean, since your phone was made there by a Chinese company,
           | what's to stop the government from just forcing a backdoor in
           | at the factory?
        
         | time_to_smile wrote:
         | I don't know if you've been paying attention to Apple's
         | strategy over the last year, but it's basically been "granting
         | user privacy also happens to grant us an advertising/data
         | monopoly"
         | 
         | I don't think the aim here is to block at state actors but to
         | basically continue to close all security holes that can be
         | exploited by any other company and continually proving to users
         | that Apple cares about privacy.
         | 
          | The thing is I really like Apple even more now since they have
          | realized that my privacy interests can be tightly aligned with
          | their own economic interests. I never trust companies to be
          | good or look out for my interest even when I pay them to, but
          | when my privacy ultimately means they gain a very strong
          | competitive edge then I'm much more trusting.
         | 
         | Apple has realized they can become to privacy what Google has
         | been to ubiquitous search, and doing so can reap even larger
         | and more secure rewards.
         | 
          | They started with a walled garden and are now extending it to a
          | fortress surrounding the garden.
        
           | happyopossum wrote:
           | > advertising/data monopoly
           | 
           | not to be glib, but 'citation please?'
           | 
            | Other than running ads _inside the App Store_, do you have
           | any knowledge or evidence of Apple collecting personal
           | information for advertising or any other use?
        
         | germandiago wrote:
          | This is good news IMHO because it encourages companies to
          | compete for the best offer in that space as they go.
         | 
         | In some way it reminds me (with all the differences!) of how
         | things like cryptocurrencies could remove the state from a
         | monopoly.
         | 
         | Good news for me this announcement!
        
         | spamfilter247 wrote:
         | Microsoft has a "Democracy Forward" team (previously called
         | "Defending Democracy") that aims to protect government
         | officials and systems from adversarial state actors. It's been
         | ongoing for a few years now.
         | 
         | https://www.microsoft.com/en-us/corporate-responsibility/dem...
        
         | Nuzzerino wrote:
         | > Apple is saying "we operate at the same level as nation
         | states; we are a nation-state level entity operating in the
         | "digital world": It's a flag-raise
         | 
         | Maybe. But these security "features" feel like things that
         | should have been there from the beginning. Windows 11 has
         | already had a much wider and deeper array of security options.
         | Sure, it's not mobile, but many of those security options would
         | be unlikely to be needed against unsophisticated attacks.
         | 
         | Flag-raise or marketing gimmick? You be the judge I guess.
        
         | stefan_ wrote:
         | I think you need to put away the pipe, this is Apple saying "we
         | can't make JIT work safely so here's an option to turn it off".
        
           | threeseed wrote:
           | > Apple saying "we can't make JIT work safely so here's an
           | option to turn it off"
           | 
            | To be fair, has anyone made it work safely?
        
           | alwillis wrote:
           | This is more like "there are always going to be zero-day
           | exploits out there and until we can fix them, this is the
           | next best thing."
        
         | ziddoap wrote:
         | > _Apple is saying "we operate at the same level as nation
         | states; we are a nation-state level entity operating in the
         | "digital world"_
         | 
         | Making mountains out of molehills.
         | 
         | I'm pretty sure they are saying that they will "offer
         | specialized additional protection to users who may be at risk
         | of highly targeted cyberattacks from private companies
         | developing state-sponsored mercenary spyware".
         | 
         | There is a looooong list of things which nation states can do
         | which Apple cannot, some examples of that are in other comments
         | in this thread.
         | 
         | > _but this is the first public announcement, and tool, from a
         | corporation with more spare, unrestricted capital than many
         | countries._
         | 
         | Google & Microsoft have both had fairly long-standing tools and
         | procedures (which were publicly announced) to both alert users
         | and aid users against nation state attacks.
        
           | sodality2 wrote:
           | Google's Advanced Protection program is the same:
           | https://landing.google.com/advancedprotection/
        
           | alwillis wrote:
           | Apple also started alerting people being targeted by state
           | actors last year [1].
           | 
           | [1]: "About Apple threat notifications and protecting against
           | state-sponsored attacks" https://support.apple.com/en-
           | us/HT212960
        
       | lizardactivist wrote:
       | It's good I guess, but I will not convince myself that a button
       | saying "Lockdown mode" will casually side-step the entire legal
       | and surveillance machinery built up in the U.S.
        
       | toomim wrote:
       | > Messages: ... Some features, like link previews, are disabled.
       | 
       | I've been wanting to disable link previews for YEARS!! Not for
       | security, but to keep those corporate advertisements (aka
       | previews) out of the conversations I have with my friends and
       | family.
       | 
       | It feels super disingenuous when I type out an articulate,
       | heartfelt, personal message to my loved one, character by
       | character, anticipate their reaction reading it, and then hit
       | send -- only to find the URLs expanded 400 pixels into corporate
       | advertisements designed by the bonehead SEO jerks who care about
       | clickbaiting over content.
        
       | donkarma wrote:
       | could always just not use a smart phone
        
       | concinds wrote:
       | Could a security expert enlighten me: is Windows more secure
       | today than macOS, if we purely take OS-level and hardware-level
       | security measures and ignore subjective factors? (like
       | marketshare, attractiveness of targets, etc.)
       | 
       | Windows has all sorts of buzzwordy-sounding security features:
       | Microsoft Defender Application Guard (Hyper-V for untrusted
       | websites & Office files), kernel virtualization-based security
       | (VBS), Code Integrity Guard, Arbitrary Code Guard, Control Flow
       | Guard, and Hardware-enforced Stack Protection.
       | 
       | It's extremely hard to compare the two on a deep technical level
       | (beyond "modern OS's are safe, install updates, you'll be fine")
       | without having deep security experience. Any professional
       | insights?
        
       | [deleted]
        
       | throw20220706 wrote:
       | Reminds me of a classic https://xkcd.com/538/.
       | 
       | For the vast majority of users the most realistic threat is
       | simply being ordered to unlock their phone under the threat of
       | force (from a criminal, a cop, a CBP agent, etc). This is way,
       | way more likely than being attacked through an unknown JIT
       | compiler vulnerability.
       | 
       | What would be _really_ helpful is Apple implementing a way to
       | have multiple iPhone profiles with plausible deniability (a la
       | VeraCrypt) or some sort of compartmentalization (a la 1Password
       | travel mode).
       | 
       | Of course that would mean people can start sharing their phones
       | instead of buying one per person from Apple, so I'm not holding
       | my breath.
        
       | rootsudo wrote:
       | That's the thing, if you think your device is compromised, don't
       | use it. This is dangerous as it's a bandage and most likely
       | allows surveillance that's "pre-approved" or is carrier based,
       | probably even baseband modem based.
        
       | pluc wrote:
       | Apple's been making it real difficult to pick Android lately.
       | Only thing Android still has going for it is the ability to flash
       | custom ROMs, eg CalyxOS or Graphene.
        
         | lern_too_spel wrote:
         | Better security, more features, more privacy, and more user
         | control in general are significant reasons to choose Android.
        
           | pluc wrote:
           | Compare the actions of Google versus the actions of Apple and
           | it's real difficult to think Google has your privacy in mind
        
             | lern_too_spel wrote:
             | Compare the actual features of Android vs. the actual
             | features (instead of the marketing) of iOS, and it's clear
             | that Apple doesn't care about user privacy. With Android,
             | you get to choose which if any Google services to use. On
             | iOS, you can't run any apps without telling Apple which
             | ones, you can't get your location without also sending your
             | location to Apple, and you can't practically run your own
             | apps without fully deanonymizing yourself with banking
             | details.
        
         | viktorcode wrote:
         | Android has a wide plethora of devices, Apple can't make
         | hardware catering to everyone's needs.
        
           | pluc wrote:
           | That is not an Android advantage. Tightly controlled hardware
           | makes it so much easier to control software. You ever built
           | an app for Android? It sucks
        
         | ysleepy wrote:
         | On Android I can use a firewall to block network access per
         | app. on iOS that is not possible.
         | 
         | My password manager app might be bought out and exfiltrate all
         | my credentials, or any of the linked libraries it uses.
        
           | idle_zealot wrote:
           | > My password manager app might be bought out and exfiltrate
           | all my credentials
           | 
           | This is less likely if you use Apple Keychain for your
           | passwords. _lock-in intensifies_
        
             | sneak wrote:
             | Apple Keychain requires iCloud. Most of iCloud is not end
             | to end encrypted.
        
         | oblio wrote:
         | Maybe they changed this lately, but can you copy files through
         | USB to an iPhone?
        
         | lordofgibbons wrote:
         | I explored installing a custom ROM on my android phone, but
         | ended up questioning the utility of them. There appears to be
         | many banking apps, random apps (McDonalds??) and others that
         | will not work if the device is running a custom ROM.
         | 
         | That makes my phone useless to me.
         | 
         | Our only hope is a proper Linux phone with an Android emulation
         | layer
        
           | SirYandi wrote:
            | You can get around that by spoofing SafetyNet stuff using
           | Magisk. But yeah, it is a few more hoops to jump through and
           | you need to be rooted which is itself not great for security.
        
       | yrgulation wrote:
       | What if there is a little device that acts like network firewall
       | and router appliances but somehow the phone proxies all
       | connectivity via it. Something to carry around that shows ingress
       | and egress connections, calls and anything in between. You can
       | either set an allowed or blocked list, detects cell connection
       | mitm attacks and spikes in traffic (to detect leaks). Mobile
       | phones are like desktop computers and will always have security
       | issues. It only makes sense to firewall them.
        
         | bistable wrote:
         | Why not on the same device? Have a separate small simple SoC
         | completely segregated from everything else, except shared
         | battery, with 2 NICs and a physical switch to swap between
         | using the firewall interface and the regular phone. Although
         | this may make more sense for a regular computer plus router,
         | with a cell phone there's multiple radios, not just a single
         | simple IP connection...
        
           | yrgulation wrote:
           | Issue is that we would have to get device makers to buy into
           | it, and also trust them that they show us everything. Also we
           | wouldn't be able to retrofit existing devices. Most people
            | don't like tinkering with things. A universal device small
           | enough to fit in your pocket, with a nice little display or a
           | usb connector to download data to a laptop and configure
           | rules, is more desirable imo.
        
         | jiveturkey wrote:
         | Like your own personal stingray
        
           | yrgulation wrote:
           | Had to look it up. I guess the question is how to make sure
            | it can't be abused by capturing data from random nearby
           | phones. In that case we'd end up worse off.
        
         | Nextgrid wrote:
         | TLS and certificate pinning makes this a problem. Technically
         | certificates don't have to be pinned, but if they weren't then
         | people would use this to defeat "growth & engagement" and block
         | analytics, ads, etc (or worse, reverse-engineer the API to make
         | a third-party client) and we obviously can't have that.
        
           | [deleted]
        
       | Veserv wrote:
       | I do not know why anybody would believe any claim by Apple with
       | respect to security without overwhelming empirical evidence
       | supporting their claims. The default assumption in commercial
       | software security, supported by literal decades of abject failure
       | by every player, is that commercial software security is
        | atrocious. To claim anything more than trivial security is an
        | extraordinary claim and thus demands extraordinary evidence
       | before being accepted.
       | 
       | Apple has demonstrated no such evidence. In fact, the opposite is
       | the case. Despite decades of assurances that their systems
       | provide meaningful security, every single year we see their
       | security torn apart by individuals and small teams with budgets
       | that do not even constitute rounding errors to a Fortune 500
       | company. There is exactly no reason to believe they have
       | meaningfully superior technical expertise with respect to
       | security relative to the default standard of the industry.
       | 
       | However, this should be no surprise to anyone as the security
       | certifications that Apple advertises for iOS [1][2] are only
       | "applicable where some confidence in correct operation is
       | required, but the threats to security are not viewed as serious."
       | [3][4]. I mean, look at [4], the process used to certify their
       | security is that their evaluators typed search terms into the
       | internet and verified that every vulnerability that turned up was
        | patched, _that's it_. There is no requirement to even do an
        | independent analysis that it protects against attackers with a
       | _basic_ attack potential, that is done at the next higher level
       | of security that they could have chosen to certify against, but
       | did not.
       | 
       | To be fair, Apple has historically demonstrated the ability to
       | certify against AVA_VAN.3 which demonstrates resistance to
        | attackers with an _enhanced-basic_ attack potential, but they have
       | failed every time they have ever attempted to certify against
       | AVA_VAN.4 which demonstrates resistance to attackers with a
       | _moderate_ attack potential. It should be no wonder that they can
       | not protect against _moderate_ attack potential threats such as
       | individuals or small teams, let alone _high_ attack potential
       | threats such as large organized crime and nations.
       | 
       | If Apple wants their security claims to be taken seriously, they
       | should start by demonstrating their ability to protect against
       | _moderate_ attack potential threats via the internationally
       | recognized security certification process they already use and
       | advertise. Until then, the only thing we should trust is what
       | they certify they can do (protect against script kiddies), not
        | what they have failed to ever achieve in an auditable manner
       | (protect against moderately skilled attackers).
       | 
       | [1] https://support.apple.com/guide/sccc/security-
       | certifications...
       | 
       | [2] https://www.niap-ccevs.org/Product/Compliant.cfm?PID=11146
       | 
       | [3] https://www.niap-
       | ccevs.org/MMO/Product/st_vid11146-aar.pdf#p...
       | 
       | [4]
       | https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3...
        
       | walrus01 wrote:
       | putting rich media like images, GIFs, video etc embedded inline
       | in chat applications presents a huge attack surface.
       | 
       | i'm even suspicious that signal does it.
       | 
       | if you really want to design a secure messaging system it needs
       | to handle text ONLY.
        
         | notriddle wrote:
         | Text rendering is more complex than decoding a PNG.
        
       | lwswl wrote:
       | Honestly, this is bad news, because it means Apple is no longer
       | capable of offering both security and all features, but now needs
          | to split them into groups, presumably because they need to keep up
       | with (the clearly less secure) Android...
        
         | lekevicius wrote:
         | I see this as securing against "unknown unknowns". No software
         | can ever be "100% bug free". If you can identify areas that are
         | more likely to contain yet-undiscovered vulnerabilities and
         | turn them off in advance, the device becomes more secure.
        
         | olliej wrote:
         | No, this is a completely reasonable response.
         | 
         | Security by reducing attack surface is a standard, and sensible
         | response.
         | 
         | What you are asking for is that Apple (or any company) be able
         | to produce absolutely 100% bug free code, no matter the
         | complexity or requirements. This feature is an acknowledgement
         | that what you're asking for is an unreasonable demand for any
         | company.
         | 
          | So Apple has looked at the attack surface present by default,
          | and then provided an option that trades off removing
         | presumably low use features in exchange for removing large
         | attack surface. That is a trade off: for example any modern
         | phone would be vastly more secure if all it could do is make
         | phone calls, and everything - the browser, apps, etc - were
         | disabled. But that end of the spectrum results in an
         | impractically restricted device, in reality there's a middle
         | ground, but for high profile targets the trade off is closer to
         | "just a phone" than it is for normal users.
         | 
         | An example is the RW^X region required to support JITting JS -
         | the OS simply supporting such memory region at all was a huge
         | addition of attack surface to the platform - prior to that
         | every single executable page was protected by code signing,
         | afterwards there was a region that by definition the OS could
         | not verify, and it has been used by every attack since then.
         | But disabling that simply disables the JIT, the JS interpreter
         | runs, so the impact is only that some web content runs slower,
         | but the functionality itself is still there.
         | 
         | Similar for messages: receiving JPEGs is super common,
         | receiving OpenEXR or whatever probably isn't, so removing
         | everything other than JPEG by default again removes attack
         | surface without realistically impacting the usability of
         | messages.
        
         | npteljes wrote:
         | Security and convenience _can_ coexist, but you can't
         | transition into a more secure world without breaking
         | convenient, insecure stuff that already exists and users expect
         | it to just work. Later they can ramp this up.
        
         | capableweb wrote:
          | Security has never been a "Secure or not" proposition, it's
         | always a balance between convenience and safety against
         | threats, threats that change depending on who you are, and who
         | is targeting you.
         | 
         | Some features are (understandably) almost impossible to make
         | very safe. Take PDF viewing for example, the entire thing is so
          | huge, that there are bound to be holes in any implementation, just
         | like what the NSO proved some time ago with the iMessage
         | exploit.
         | 
         | I take this effort as something similar to the "Hardened Linux"
         | effort. Just that it exists doesn't mean that Linux is
          | "insecure", it just means that if you really need to, there are
          | more steps you can take to make it even more secure. Just like
         | what Apple is doing here.
        
           | vorpalhex wrote:
           | If I could upvote you twice, I would.
           | 
           | Security is _always_ a tradeoff and there is no single
            | answer. A feature for one person is another person's hell.
           | 
            | An acquaintance just lost all their data because they had
           | enabled "format on too many missed passcodes" and their kid
           | was playing with their phone.. caused quite a few tears. On
           | the other hand, that feature is invaluable to international
           | travelers.
        
             | lekevicius wrote:
             | What a strange implementation of "format on too many missed
             | passcodes". Apple (on iOS and watchOS) implements this, but
              | after some amount of failures, the phone gets into
             | progressively longer lockdowns. So maybe after 3 failed
             | attempts you have to wait 2 minutes, after 4th 5 minutes,
             | and before the final (formatting) attempt you have to wait
              | something like 12 hours. This prevents the "kid playing with
              | the phone" problem.
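The escalating-lockout policy described in the comment above, modelled as an added example (not Apple's code, and the wait schedule and attempt counts below are constructed for illustration, not Apple's actual numbers). It shows the security-relevant property: attempts made during a lockout are refused without counting as failures, so a burst of random taps stalls at the first lockout instead of marching toward a wipe, while a patient guesser still reaches the wipe only after the full sum of the waits. The clock is injected so the behaviour can be driven deterministically; in a real implementation you would pass `time.monotonic`.

```python
"""Escalating passcode lockout with a final wipe (constructed example)."""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict

# Assumed schedule (not Apple's): failure number -> mandatory wait, in seconds,
# before the next attempt is accepted. Failures 1-4 impose no wait.
DEFAULT_SCHEDULE: Dict[int, int] = {
    5: 60,            # after the 5th failure: 1 minute
    6: 5 * 60,        # after the 6th: 5 minutes
    7: 15 * 60,
    8: 60 * 60,
    9: 3 * 60 * 60,
}
WIPE_AFTER = 10       # the 10th consecutive failure erases the device


class FakeClock:
    """Deterministic time source for demos and tests."""
    def __init__(self, start: float = 0.0) -> None:
        self._t = start

    def time(self) -> float:
        return self._t

    def advance(self, seconds: float) -> None:
        self._t += seconds


@dataclass
class PasscodeGate:
    correct: str                       # constructed passcode, never a real one
    now: Callable[[], float]           # e.g. time.monotonic in production
    schedule: Dict[int, int] = field(default_factory=lambda: dict(DEFAULT_SCHEDULE))
    wipe_after: int = WIPE_AFTER
    failures: int = 0
    locked_until: float = 0.0
    wiped: bool = False

    def seconds_until_unlock(self) -> float:
        return max(0.0, self.locked_until - self.now())

    def try_passcode(self, candidate: str) -> str:
        """Return 'ok', 'wrong', 'locked' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if self.now() < self.locked_until:
            # Refused outright: a guess during a lockout does not advance
            # the failure counter, so hammering the keypad gains nothing.
            return "locked"
        if hmac.compare_digest(candidate.encode(), self.correct.encode()):
            self.failures = 0
            self.locked_until = 0.0
            return "ok"
        self.failures += 1
        if self.failures >= self.wipe_after:
            self.wiped = True
            return "wiped"
        wait = self.schedule.get(self.failures, 0)
        if wait:
            self.locked_until = self.now() + wait
        return "wrong"


def simulate_burst(n_attempts: int, spacing_s: float = 1.0):
    """Rapid wrong guesses one second apart (the 'kid with the phone' case).
    Returns (failures actually counted, device wiped?)."""
    clock = FakeClock()
    gate = PasscodeGate(correct="4821", now=clock.time)
    for _ in range(n_attempts):
        gate.try_passcode("0000")
        clock.advance(spacing_s)
    return gate.failures, gate.wiped


def time_to_wipe() -> float:
    """A guesser who waits out every lockout: seconds elapsed until the wipe."""
    clock = FakeClock()
    gate = PasscodeGate(correct="4821", now=clock.time)
    while not gate.wiped:
        if gate.try_passcode("0000") == "locked":
            clock.advance(gate.seconds_until_unlock())
    return clock.time()


if __name__ == "__main__":
    print("50 rapid wrong taps ->", simulate_burst(50))   # (5, False)
    print("patient guesser wipes after", time_to_wipe(), "seconds")  # 15660.0
```

With the assumed schedule, fifty wrong taps in fifty seconds register only five failures and never wipe, whereas a guesser who waits out each lockout needs the sum of the waits (60 + 300 + 900 + 3600 + 10800 = 15660 seconds, about 4.35 hours) to reach the wiping attempt. Lengthening the later waits, as the comment describes Apple doing, is what makes the final attempt hard to reach by accident.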
        
         | alwillis wrote:
         | _Honestly, this is bad news, because it means Apple is no
         | longer capable of offering both security and all features..._
         | 
         | Absolutely not true.
         | 
         | There's a difference between being secure and having all of the
         | features and being secure against a state-level attacker. The
         | vast majority of users are quite secure while enjoying all of
         | the features of their iPhones.
         | 
         | For those who are being targeted, potentially in a life or
         | death situation, being able to send attachments in iMessage is
         | trivial by comparison. Only a tiny percentage of iPhone users
         | should ever have to enable this; it won't impact the user
         | experience of over 95% of iPhone users _at all_.
        
       | WmyEE0UsWAwC2i wrote:
        | But should Apple be liable when they, or any other organization
       | making such claims, inevitably fail to protect their users?
       | 
        | I think they should.
        
         | KerrAvon wrote:
         | How do you propose to do that without disincentivizing the
         | addition of such features? Even NASA has software failures.
        
       | verdagon wrote:
       | Very cool! I wonder if this, combined with some sandboxing for
       | apps' unsafe code, could make a more secure OS than any previous
       | mainstream ones.
        
       | jasonhansel wrote:
       | Downside: if attackers can tell that you've enabled Lockdown
       | Mode, then they know that you're likely a high-value target.
        
         | [deleted]
        
       ___________________________________________________________________
       (page generated 2022-07-06 23:00 UTC)