[HN Gopher] Apple previews Lockdown Mode
Author : todsacerdoti
Score : 792 points
Date : 2022-07-06 17:01 UTC
web link (www.apple.com)
| mensetmanusman wrote:
| Will this be available to Chinese residents? Huge if so.
| tialaramex wrote:
| > Most message attachment types other than images are blocked.
|
| Who wants to bet that this reflects minimum requirements dictated for user experience, rather than reflecting what Apple are actually securing today?
|
| The correct model here, the one that would actually defeat these adversaries, is to start with what you can actually secure and expand from there, prioritising customer needs. This delivers security improvements for all customers, but it makes the calculus simple for Lockdown customers: whatever Lockdown allows will be OK.
|
| Suppose today Apple has a working safe BMP reader, and a working safe WAV reader, but they're still using their ratty JPEG and MP3 implementations. As described, this feature says you can receive a JPEG attachment (which takes over your phone and results in your cousin who remains in the country being identified as a contact and imprisoned) but you can't listen to the WAV file an informant sent you because that's "dangerous"...
| S0und wrote:
| I find it absolutely hilarious that they've kept the images in Messages while one of the Pegasus attack vectors was sending a PSD file as a *.gif, which crashed the Messages parser.
|
| Apple is overconfident in its ability.
|
| https://arstechnica.com/information-technology/2021/09/apple...
|
| People who need this already have a dumb phone; using this Lockdown mode is an unnecessary gamble on their part.
| galoisscobi wrote:
| I wonder if this mode would be helpful to protect myself if US border control forces me to unlock my phone so they can make a copy of all of my phone contents.
| [deleted]
| kylehotchkiss wrote:
| I'm excited about this mode for traveling outside the US, where other governments seem to be backsliding against privacy much more quickly.
| nielsbot wrote:
| Can you be forced to unlock your phone at the border? I thought you couldn't. (I don't actually know.)
|
| BTW bringing up the power off UI on iPhone (holding power and up buttons at the same time) disables FaceID/TouchID until a passcode is entered.
| andrewia wrote:
| They can search your phone at the US border.
| https://www.theverge.com/2021/2/10/22276183/us-appeals-court...
| kersplody wrote:
| If you are a US Citizen or Permanent Resident, Border Patrol cannot prevent you from entering the United States. They can, however, detain you for up to 72 hours and confiscate the locked device if they have "reasonable suspicion". The confiscated property will be returned eventually.
|
| https://www.cbp.gov/sites/default/files/documents/inspection...
|
| If you are not a US citizen, refusal to unlock a phone and allow inspection, inclusive of allowing access to social media and corporate apps, will probably result in denied entry. They also have the right to detain you indefinitely until you unlock the phone if they have "reasonable suspicion", but this requires a court order within 72 hours.
|
| Most foreign countries have similar rules in place for residents and non-residents.
| sneak wrote:
| They don't usually return the devices they steal, and most people travel with a total device value lower than the cost of an attorney and lawsuit to force the return.
| sneak wrote:
| You can be forced to unlock it with biometrics, but not a password/code.
|
| They also get to steal it and keep it if they want.
| Nextgrid wrote:
| Pressing it 5 times does the same (and starts an emergency call countdown if you have that enabled). Also, removing the SIM also locks it out.
| matwood wrote:
| You can also say 'hey siri, whose phone is this?'
| numpad0 wrote:
| The sterile area between the gate and the border control is treated as international waters/lands, which sounds fine, and IIUC there is the logic that _laws don't apply_ there so you can be forced to do anything free from constitutional protections. Not sure if that actually works though.
| happyopossum wrote:
| This is completely incorrect. Here's the actual law
|
| https://www.cbp.gov/sites/default/files/documents/inspection...
| kersplody wrote:
| It would be a good idea to enable this before going through any border controls. Doubly so for countries that require apps to be installed before entry/upon entry/after entry.
|
| ArriveCAN (Canada), Mobile Passport Control (USA), WeChat (China), and other mandatory government apps would be perfect vectors to stage highly targeted attacks.
| [deleted]
| kube-system wrote:
| If someone has your unlocked phone, they can look at the screen.
| xtat wrote:
| TBH even a 2m bounty on a lockdown mode bypass seems really low.
| amelius wrote:
| What they think will happen: users activate Lockdown Mode to protect themselves.
|
| What actually happens: criminals activate Lockdown Mode to evade law enforcement.
| Analemma_ wrote:
| Lockdown mode is for preventing 0-days. Law enforcement does not burn 0-days on common criminals; they get a warrant and get into the device that way.
| duxup wrote:
| I was wondering when a "hardened" option would come.
| [deleted]
| matthewdgreen wrote:
| Last year I wrote: "In the world I inhabit, I'm hoping that Ivan Krstic wakes up tomorrow and tells his bosses he wants to put NSO out of business. And I'm hoping that his bosses say 'great: here's a blank check.'
| Maybe they'll succeed and maybe they'll fail, but I'll bet they can at least make NSO's life interesting." [1]
|
| Maybe this is the blank check :)
|
| [1] https://news.ycombinator.com/item?id=27897975
| bombcar wrote:
| Everything else to the side, this is excellent marketing on the level of Tesla's "bioweapons filtering mode".
| O__________O wrote:
| ///// Re: Bounty
|
| From press release, "Bounties are doubled for qualifying findings in Lockdown Mode, up to a maximum of $2,000,000 -- the highest maximum bounty payout in the industry."
|
| Appears Apple is not aware there was a $10 million bounty [1] paid out; unless when they say "by industry" they mean phones, not bug bounties.
|
| If Apple really believed it was secure, then even a $100 million bounty shouldn't be a concern; 2 million, while clearly high, is no longer enough to pull in the best bounty hunters, in my opinion.
|
| ///// Re: Naming
|
| Name conflicts with existing terms both Apple and consumers use. Naming should be unique so it's possible to Google the unique name for this feature and only get valid search results.
|
| ///// Re: iCloud
|
| While iMessage features are limited, it is neither blocked, nor is iCloud -- and both are known to be vulnerable to nation state demands on Apple due to iCloud not being end-to-end encrypted.
|
| ///// Re: iCloud end-to-end encryption
|
| If Apple was serious about the topic, they would have already rolled out end-to-end encryption for iCloud years ago.
|
| ///// Re: Targeting
|
| If Apple is logging whether this feature is on and sending it back to Apple, it will result in targeting from nation states even if this feature is "invincible" - which I have no reason to believe it is; basically, nation states demand a list of users subject to their jurisdiction.
|
| ///// Re: Off vs Locked
|
| "Wired connections with a computer or accessory are blocked when iPhone is locked." -- Why is this not the default with an opt-in?
| Further, at the point you're turning on this feature, when locking the phone it should explicitly tell the user of the risk of locking vs turning the phone off. Lastly, when you turn an iPhone off, it should really be off if set to this mode; if it is, and activity is detected, that's likely a good sign something is going on.
|
| _______
|
| [1] https://medium.com/immunefi/wormhole-uninitialized-proxy-bug...
| barbarousbull wrote:
| c1sc0 wrote:
| And yet this feels like it's too little too late. If I'm likely to be the target of the kind of state-sponsored malware "lockdown mode" supposedly protects me from, I shouldn't have been using Apple products in the first place. Which begs the question: what are current security best practices to protect from state-level hostile actors?
| savoytruffle wrote:
| The current best practice is to have already been using an Apple device, and this will enhance that.
| c1sc0 wrote:
| Really? Not something like Tails or Qubes? Am I too paranoid? I'm genuinely interested in learning about this. What _am_ I supposed to use these days when I'm working on a project that would make me a target for state-level actors?
| duskwuff wrote:
| Tails and Qubes are desktop operating systems. You can't run them on a smartphone.
| sk8terboi wrote:
| brundolf wrote:
| > Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
|
| That's very cool actually. You can keep JS enabled but choose to make it run more slowly in exchange for better sandboxing.
| GuB-42 wrote:
| So Apple is saying that their "Lockdown Mode" protects against "highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware".
|
| That's an interesting wording, because it claims to protect you against... nothing that matters. Notably, it doesn't protect you against:
|
| - The police.
| Don't get me wrong, I am all for letting the police do its job fighting crime, even if it means hacking iPhones, but even if you got the police's attention for a noble cause, Lockdown Mode won't save you; at least, it doesn't claim to.
|
| - Foreign governments, as well as your own government. Notice how it mentions "private companies" specifically, as in, not public. And the cyberattacks themselves have to be performed by private companies; if the tools that these companies develop are used by government entities, it doesn't count.
|
| - Cybercriminals, the kind who are after your money. They are not "private companies", and they are usually not state-sponsored.
|
| - Terrorist organizations, mafias, drug cartels, etc... again, not "private companies", and while they may be backed by states, they typically work for themselves.
|
| The technical aspects have value, and I think giving the user the choice of wearing a tinfoil hat is great, but the claim they are making is deceivingly weak if you read carefully.
| ngetchell wrote:
| The NSO group used links and attachments in iMessage. These protections would mitigate those attacks.
| swayvil wrote:
| Inflation, pollution, censorship, global warming...
|
| Hey no, don't look at that, look over here instead. We're playing ratfuck with the abortion laws.
|
| Magicians call that "misdirection".
| Nextgrid wrote:
| Most of the features of this lockdown mode should be on by default.
| egberts1 wrote:
| ESPECIALLY the disabling of JavaScript, because ... malicious JavaScript.
| phoe-krk wrote:
| This does not seem to disable JS altogether, only JS JIT compilation. IIUC, JS will still be executed, although via an interpreter (which is safer) rather than via compiled machine code (which might be used to exploit memory safety bugs such as type confusion, somewhat frequent on the JS side).
| egberts1 wrote:
| which in my cybersecurity book is considered a "miss".
| Nextgrid wrote:
| FYI, if you mean that it should disable JS completely then you can already do that in Settings -> Safari.
| jimt1234 wrote:
| Totally agree. I'm also concerned about the fine print, what Apple is _not_ announcing - like, "Oh, we also updated our EULA to reflect that metadata from phones with 'lockdown mode' enabled will be forwarded to the FBI", something like that.
| someguydave wrote:
| This lockdown mode looks like what ought to be default security behavior.
| andrewia wrote:
| It slightly degrades some experiences, so I see why it's disabled by default. Disabling JIT JavaScript is going to make web browsing more painful. And incoming friend requests are useful because it simplifies things when two people are adding each other to their phones - one sends a request and the other reciprocates.
| jka wrote:
| > It slightly degrades some experiences, so I see why it's disabled by default.
|
| My sense is that the functionality to provide those experiences resulted in a decrease in user security and privacy when they were introduced -- and that those risks were widely-discussed and well-understood.
|
| It's weird (although not unexpected) to see the reversal of them touted as a selling point.
| JCWasmx86 wrote:
| > Disabling JIT JavaScript
|
| With a bit of luck, this will cause site operators to reduce their usage of unnecessary JS, so maybe this has positive impacts :)
| egberts1 wrote:
| Too bad that Google does not offer this same "Lockdown Mode" as Apple does.
|
| Instead, they (Google Play Store) removed our ability to see what "app privileges" an app would require BEFORE we do the installation step from the Google Play Store. What we got instead was an obfuscated "Data Security" section that is pretty much always "blank".
|
| My flashlight app should not require a GAZILLION app privileges nor hide that fact before I can determine whether I can safely install it, much like the Apple App Store can do by doing the CRUCIAL pre-reveal of any needed app privilege(s) ... for our leisurely perusal and applying any applicable but personalized privacy requirement BEFORE we do the app install.
| okneil wrote:
| Whilst not quite the same, Google does offer the Advanced Protection Program for accounts.
|
| https://landing.google.com/advancedprotection/
| einpoklum wrote:
| > they (Google Play Store) removed our ability to see what "app privileges" an app would require
|
| Don't use Google Play Store, then. There are other APK repositories.
| andrewia wrote:
| Google removed the install-time permissions dialog because they replaced it with runtime permissions. This makes sense - some users want PayPal or WhatsApp to access their contact list, and others won't. It also fixes "permission blindness", where users blindly accept a long list of permissions because they need the app, or just stop caring because it's too much to comprehend all at once.
|
| Obviously, this isn't perfect, especially since Google removed the internet permission and allowed all apps to access it. Allowing advanced users like us to toggle off internet access in the "App info" permission page would be a good compromise, and I hope the Android team does so to match Apple on their security efforts.
| varispeed wrote:
| You should be able to review the list of required permissions before installing the app anyway.
|
| I find it frustrating when I install a simple app and it asks me for every permission possible. Waste of time.
| egberts1 wrote:
| Fixes "permission blindness"? So, the current form of the Google Play (app) Store "Data Security" section of each app being shown as "(blank)" is surely yet another form of "permission blindness".
|
| Google Play Store being proactive in protecting these end-users from their own form of stupidity (or "permission blindness", as you have eloquently pointed out) is just opening themselves to potential liability ramifications instead of deferring to the end-user's responsibility of maintaining their own privacy.
|
| I think that the term "permission blindness" is better referred to as an app having zero privilege.
|
| And "App Privileges" should have referred to runtime permissions and should have been displayed in the first place at the Google Play Store instead of install-time privileges.
| vorpalhex wrote:
| Your apps have no permissions until you allow them. If you install spyware and it wants all your contacts and files it has to ask. You simply select "no" and then remove it.
|
| Apps would force you to consent to eg contact permissions "in case you want to share something to a contact" and then harvest all your contacts. Apps can no longer use that pretense.
| egberts1 wrote:
| You get prompted for such granularity of privacy AFTER it gets installed but not before you could preview such app settings.
| vorpalhex wrote:
| Yes. It has no access after being installed and before prompting. What exactly is the issue?
| cmroanirgo wrote:
| It's taken a decade, but it's pretty much moved back to the permission model that J2ME had, which iOS and Android deliberately removed & sold as better UX. Seems like the original devs of J2ME knew what they were doing - only the Joe Publics weren't ready for permission popups then like they are now. :sigh:
| javajosh wrote:
| Google hiding information about apps in the app store is a big problem - but it's not as big a problem as not having a Little Snitch equivalent built into Android. This alone is a reason for real capital to be spent on startups in the alt-android space.
| Imagine a company that lets you use your current Samsung or Google or Sony or ASUS or whatever flagship phone, but with a truly open-source fork of Android with a Little Snitch built in, and security updates guaranteed for as long as you stay current with your subscription, which is like $5/mo. (Maybe that's too low.) Maybe you could even wipe your device and mail it in to have the software installed if you can't be bothered to do it yourself. Or maybe even a partnership with a phone repair chain. (And if you don't want to pay the fee you can always install updates yourself manually, from source.)
| ignoramous wrote:
| > _Imagine a company that lets you use your current Samsung or Google or Sony or ASUS or whatever flagship phone, but with a truly open-source fork of Android with a Little Snitch built in, and security updates guaranteed_
|
| You describe the direction CalyxOS / DivestOS are going. And of course, there's the Pixel phones on GrapheneOS which arguably is _more_ security-focused.
| newscracker wrote:
| I hope Apple expands this quickly through minor updates to the OS rather than waiting for a next major release. This needs faster iteration than anything else.
|
| Quoting what's in the first release:
|
| _> At launch, Lockdown Mode includes the following protections:
|
| > Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
|
| > Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
|
| > Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
|
| > Wired connections with a computer or accessory are blocked when iPhone is locked.
|
| > Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on._
|
| I'm not a target (I think, and hopefully don't get to be one), but nevertheless I'd feel safer with this turned on (I very rarely use FaceTime, so not accepting it is not a big deal).
|
| I'd also love more protections. Not allowing specific apps to connect to any network (WiFi included), Apple handling issue reports on apps with urgency (right now they seem to be ignored even when policy violations which are against the user's interests are reported), etc.
| perardi wrote:
| I think it's reasonable to think Apple will iterate quickly on this.
|
| Why? The iOS 15.x update history.
|
| https://en.wikipedia.org/wiki/IOS_15
|
| Lots and lots of privacy stuff in the point releases. (And accessibility stuff, they've been on a tear there.) They're still in a monolithic mindset when it comes to the "big" apps, but they're iterating faster on these sorts of things as the release cycle goes along.
| alwillis wrote:
| You might have missed that Apple announced realtime security updates at WWDC [1].
|
| [1]: https://techcrunch.com/2022/06/07/apple-introduces-real-time...
| concinds wrote:
| That includes fast, no-reboot, and invisible-to-the-user security patches, not improvements in features like Lockdown Mode.
| PoignardAzur wrote:
| > _I'm not a target (I think, and hopefully don't get to be one), but nevertheless I'd feel safer with this turned on (I very rarely use FaceTime, so not accepting it is not a big deal)._
|
| Good. We need people with nothing to hide to turn Lockdown Mode on, so that Lockdown Mode isn't a telltale signal that you have something to hide.
| erichurkman wrote:
| Aside from the JIT change, those all sound like pluses to me!
| [deleted]
| xyst wrote:
| Is the Apple bounty program still terrible in terms of payout and length of time to approval?
|
| I can't see many people submitting bounty reports if it's too much of a hassle or not worth the effort.
|
| Since the Apple ecosystem is mostly proprietary, it's hard to gauge as individuals if this just provides a false sense of security or not against "state actors".
| ProAm wrote:
| Apple is not stopping state-sponsored anything. They do not have the expertise nor the willingness to invest enough to stop it. And they also turn everything over they can at a local law enforcement request, because they have to.
| _the_inflator wrote:
| "Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode."
|
| Highly interesting that Apple is doing this. This is a thing. MS and Google are also taking steps to harden Chromium security against JIT compiler issues with JavaScript.
| https://www.zdnet.com/article/securing-microsoft-edge-switch...
| colechristensen wrote:
| I just don't want most of the programming capabilities on the web; plain old hypertext with a bit of style is enough. There are plenty of other ways to run software on a computer than inside a web browser.
| capableweb wrote:
| Most (if not all) browsers allow you to disable JS, so that seems like the perfect preference for you. I know it works on Chrome and Firefox on desktop (I use the NoScript extension myself, that blocks JS by default but allows you to enable it per-site); I can imagine it works the same on smartphones as well.
| olliej wrote:
| I /think/ what they're asking for is a world where turning JS off is actually a real option. Currently the web essentially does not work in such a case, so while it technically exists the option to disable JS isn't actually a real option.
| simion314 wrote:
| I agree halfway with you; we need the web split into 2 parts, webpages and apps.
|
| I've seen some cool simulations, small apps, small games that I can just test online and not have to install them on my machine. Apple would love that we all got scared and only use installed apps from their store, but the web is a decent delivery platform.
|
| If we could have a modern subset of html and css for news websites and blogs, and the rest of js for web apps, then you could have the option to turn off the advanced settings, or we could have different browsers that focus on different things, like a website reader browser that does not care about super fast JITed JS; it would not support webgl, camera or microphone access, it would just focus on text layout and simple forms,
|
| and a web app browser that focuses on extreme optimizing for JS, canvas and webgl operations, camera and microphone access.
| peoplefromibiza wrote:
| I'm having fun with Gemini exactly because it's so dumbed down that you can't do anything more than publish text.
|
| It's still very niche, but it's growing and the protocol is so simple that I'm writing software for it, specifically a multi-platform browser (more like a viewer?)
| capableweb wrote:
| You can already achieve all this. Either turn off JS in your browser, or use extensions such as NoScript.
| npteljes wrote:
| You can technically achieve this, but you get a degraded experience. Most sites don't test for JS being turned off, and it's not rare to only get a blank page when viewing a site in that way.
|
| What OP wishes for is rather an experience that decidedly doesn't use JS, similar to Google's AMP or Gemini. A subset of HTML that makes publishing possible, without moving parts.
| simion314 wrote:
| Actually I browse with JS off by default and whitelist stuff, ironic since I am a web dev (or maybe the fact I know how shit web tech is is why I think documents should be documents; imagine I want to show you my blog but I make an Unreal Engine 5 app because I want some cool effects and I also want to learn this shiny tool and the marketing team wants to do some shitty things too).
| [deleted]
| blintz wrote:
| I am so excited about this news. I understand that some people are pessimistic, and view it as a "giving up" on complete security against nation-states. I think that's the wrong way to analyze the situation.
|
| The dream I have is someone making a phone that is purpose-built to be secure against state actors. Unfortunately, this makes very little economic sense, and probably won't happen (maybe if some rich person started a foundation or something?). The phone would need to have pretty restricted functionality and would not be generally appealing to mass market consumers.
|
| As it stands, securing a mass market modern smartphone, even from just remote attacks, is just intractable. We should not bury our heads in the sand and wishfully think that if they just spend a little more money, close a few more bugs, and make the sandboxing a little better, somehow iOS 16 or Android 13 will finally be completely secure against state actors. The set of features being shipped will grow fast enough that security mitigations will not someday 'catch up'.
|
| This is the next best thing! The more we can give users the _freedom_ to lock down their devices, the more the vision of an actual solution comes into view. This is the first step towards perhaps our only hope of solving this someday - applying formal methods and lots of public scrutiny to a small 'trusted code base', and finally telling NSO group to fuck off.
|
| Even this dream may not pan out, but at least we can have hope.
| germandiago wrote:
| The potential a phone like that would have if you explained to people how states can and _do put_ their nose into their lives is quite big IMHO. It is just that people have no idea of how much they can take from your info through a phone.
| Nextgrid wrote:
| The problem in 90% of cases is the user himself. Advanced attacks such as spyware-for-hire with zero-days and stuff only affect a minority of users. For the vast majority, the vulnerabilities are much simpler: password reuse/carelessness, malware on other devices (laptop, etc) that also has access to their data, willingly sharing too much information, etc.
|
| You don't need a special phone or hardened OS to defend against that, and users vulnerable to this will remain just as vulnerable regardless of how much hardening there is.
| Fargren wrote:
| In general, I'm much more concerned with private actors than state actors. I'm aware of multiple ways in which companies use information to try to extract money from me, and they actively make my life worse in the attempt.
|
| I have a much harder time thinking about how giving states access to my information has been harmful for me. I can think of potential harms, if the state started doing religious or ethnic persecution (not trying to diminish the chance of this, but not a problem today), so I'm aware of potential threats. But other than that... What exactly should I be worried about?
| runnerup wrote:
| Most people couldn't grasp the important ramifications even if you walked them through it from first principles. I'm not sure I can despite being very interested in information entropy my whole life.
|
| A lot of people really don't understand much at all about anything that they don't constantly see and touch their whole lives. A lot of people truly just live in the moment constantly and use their higher order thinking for social navigation and sex.
| awll wrote:
| I feel like the closest you can come to the dream of a phone that is secure against state actors today would be a Google Pixel phone running GrapheneOS.
| dark_star wrote:
| Bunnie Huang is working on Betrusted [1], a communications device that is designed to be secure from state actors. The first step is Precursor (about: [2], purchase: [3]), the hardware and OS that will be the platform for the communications device.
|
| It's designed to be secure even though it communicates via insecure wifi, for instance via tethering or at home. The CPU and most peripherals are in an FPGA with an auditable bitstream to program the device to ensure there are no back doors. Hardware and software are all open source. It has anti-tamper capability.
|
| It looks well-thought-out.
|
| 1. https://betrusted.io/
|
| 2. https://www.bunniestudios.com/blog/?p=5921
|
| 3. https://www.crowdsupply.com/sutajio-kosagi/precursor
| stjohnswarts wrote:
| Unless you design the FPGA in-house and make it in your own fab, how would you know it's secure? Taiwan and Korea owe the US a lot of favors...
| samatman wrote:
| FPGAs just have a much lower essential complexity.
|
| Adding one undocumented latch is enough to undermine an ASIC CPU. To do that to an FPGA, you'd have to know where the layout engine is putting the circuit you intend to pwn, and good luck with that staying still under any revision.
|
| If this did become a problem, a technique analogous to memory randomization could be employed to make any given kernel unique from the hardware's perspective.
| buildbot wrote:
| You can't of course know, but modifying the mask of a modern chip (millions of dollars by itself), slipping those mask(s) (you need many, one per layer of material) into production to target a subset of devices, in a way that lets you inject faults and lets you own the design the FPGA is emulating, is nuclear power level.
| And I would imagine they would not risk it very often if at all due to the fallout it could cause.
|
| A microcontroller on 130nm? Different story probably. Still crazy hard.
| RonMarken wrote:
| Realistically you cannot win against a resourceful adversary every time. But merely painting the situation through the lens of premature surrender is also a disservice.
|
| It will be interesting to see what third-party researchers discover about these new protections. Might remember something about Apple rewriting format parsers for iMessage in a memory-safe language with sandboxing as BlastDoor, and it was discovered there was still plenty of attack surface in the unprotected parsers.
| [deleted]
| PuppyTailWags wrote:
| I would suspect any phone designed to resist a state-level actor, that is made available to me (a regular citizen), would 100% be a honeypot for a state level actor.
| wmf wrote:
| https://www.vice.com/en/article/y3d3dx/doj-charges-anom-infl...
| godelski wrote:
| In fact, several phones which have been advertised as such have been honeypots from state level actors.
| Swenrekcah wrote:
| Which ones? Not challenging you, just curious.
| Entinel wrote:
| https://www.pcmag.com/news/fbi-sold-criminals-fake-encrypted...
| bilekas wrote:
| That's crazy! Straight out of The Wire.
| hyperionplays wrote:
| Australian Federal Police did it as well:
| https://www.theguardian.com/australia-news/2021/sep/11/insid...
| usrn wrote:
| Security as a service is going to be a honeypot 100% of the time.
| godelski wrote:
| This comment feels disingenuous to me, but maybe I'm misinterpreting. Security features are always a service but there are real apps that provide real security. Signal and Matrix provide real encryption for communication. There's even mainstream products that do, like iMessage or Gmail, though these tend to be more selective about what is secure and what isn't (typically through walled gardens).
Apple and Google both use | federated learning, which is at least a step better than | your typical data "anonymization." I agree that there's | not enough push for serious security, especially as a | default, but I also am not pessimistic on the subject | either. | contingencies wrote: | Signal wants your PSTN ID = real world ID, wants contacts | from your phonebook which on Google phones generally | means already cloudified, and is itself distributed | through Google Play. Further, IIRC it's US-based so | subject to acts of intervention from on high. I would be | _strongly_ suspicious of any metadata security claims, | even if it nominally provides message or session-level | encryption. Metadata is bad news. | astrange wrote: | I assume you're an FBI agent trying to encourage people | to install your real cooler encrypted app that's not on | the store and only available via sideloading. | | https://nymag.com/intelligencer/2021/06/fbi-snooped-on- | crimi... | contingencies wrote: | Heh, nice one. Not that it's my area, but in case the | above was not decodable as sarcasm to other readers, | following the evidence-based / defense-in-depth | strategies I'd personally recommend not using phones at | all (far too little control in general) and instead | recommend seeking out auditable (open source) software on | actual machines you have a hope to control for secure | communications. It's a deep rabbit hole with diminishing | returns, though. | cowtools wrote: | sms and email are insecure-by-default protocols. | Gmail/imessage extend them which necessarily will create | vendor lock-in when the extension relies on some | centralized service, the extensions are private, and the | implementations are closed source. | | Matrix fixes this, but only in the sense that they | replace the whole protocol without reverse compatibility. | stjohnswarts wrote: | It's definitely tin-foil-hat level. 
Obviously if you're a | spy you're gonna have to have next level stuff, most of | us aren't Jason Bourne, even if we'd like to think we are. | stjohnswarts wrote: | anyone big like samsung, lg, or apple? I'd love to see | those articles and teardowns. | px43 wrote: | IMO Bunnie has the technical skills and the reputation to | pull it off though. | | I think it has about zero chance of withstanding physical | attacks, which is important to me in a phone, but it's a nice | effort. | stjohnswarts wrote: | Gotta trust somebody at some point? Otherwise you have to | live off the grid in the woods eating squirrels and mushrooms | ajsnigrutin wrote: | Most of the people in charge only care about what state the | "bad"/"good" actors are from, so preferably, "our guys" | should be able to do everything, and "theirs" nothing. | newsclues wrote: | And yet we got TOR because it was required for National | Security. | cowtools wrote: | TOR is no magic bullet | newsclues wrote: | No, but it was a layer of security required by DoD so it | was created and continues to exist. | | The same need for modern communications (phones) exists. | samstave wrote: | >>" _...a "giving up" on complete security against nation- | states..._ | | DEFINE: | | State Actors: [0] | | As one who is acting on " _behalf_ " of a government......... | | What if said _government_ was actually an arm of the corporate | entities as the state ACTING at their behest? | | Crazy, I know. | | [0] https://en.wikipedia.org/wiki/State_actor | ransom1538 wrote: | I want deniability. After watching the videos from Ukraine of | Russians pulling out citizens from cars forcing them to unlock | their phone with guns to their heads -- I want a way to hand | someone a phone, unlock it, and STILL be protected. I want my | private things in a volume with deniability. TrueCrypt was | close. 
| gambiting wrote: | >>The dream I have is someone making a phone that is purpose- | built to be secure against state actors | | I just don't see how anyone could build such a thing. State | level actors have the tools necessary to force you or your | company to build in any backdoor they want, and prevent you | from ever talking about it to anyone. US certainly does, and | could just force apple to add a backdoor to this lockdown mode | and apple could never even hint at its existence under legal | threat. | eurasiantiger wrote: | Or they could just add an implant at the factory. | | Why anyone allows their devices to be manufactured overseas | is beyond me. | outside1234 wrote: | That's because you are unwilling to buy a $1500 phone when | there is the same phone for $800. | rblatz wrote: | Might want to update those prices. Highest priced iPhone | is $1,600. | qzx_pierri wrote: | >Why anyone allows their devices to be manufactured | overseas is beyond me | | $$$$ | Consultant32452 wrote: | We recently discovered one of our biggest geo-political | enemies manufactures all our medicines. So that's crazy. | robin_reala wrote: | Looking forward to when Apple manufactures all iPhones in | Sweden. Or did you mean the US, which remains stubbornly | overseas and scary to the majority of the world's | population? | stjohnswarts wrote: | I don't recall getting a vote. Do you even know of a single | device made in a relatively "benevolent" state actor | country? I would love to know. I would love it if there was | a provably secure device manufactured in some remote | Pacific island that has never projected itself as a | malevolent international threat like 100% of the first | world countries have. | stjohnswarts wrote: | Not just the US, so do the EU, any five eyes country, China, | Korea, Taiwan. 
The US doesn't have a hegemony on backdoors so | let's always remember that and not exclude others or act like | it's an island of corruption in a world of benevolent state | actors. | Miraste wrote: | I don't think Korea or Australia have the power to force | Apple to build backdoors into their products. Maybe they'd | get to use the US one if they asked nicely. | buildbot wrote: | Unless it was some kind of false flag to encourage trust, | the US government asked less than nicely via the FBI and | Apple told them to pound sand. | googlryas wrote: | It might just be better to not rely on a phone, rather than | rely on something achieving perfect security against the most | malicious and capable of actors. | | If I was really concerned about targeted cyber attacks against | me, I think that I would exclusively use computers that I would | buy from random people on Craigslist, take the hard drives out | and only boot with live CDs using RAM disks, and only connect | via random public Wi-Fi locations. | reaperducer wrote: | _If I was really concerned about targeted cyber attacks | against me, I think that I would exclusively use computers | that I would buy from random people on Craigslist, take the | hard drives out and only boot with live CDs using RAM disks, | and only connect via random public Wi-Fi locations._ | | Excellent precautions if you live and work in average middle- | class suburbia and never go anywhere or do anything | dangerous, controversial, or politically unpopular. | | Lockdown Mode is not for you. It's for other people with | different lives. | googlryas wrote: | My point is lockdown mode won't be good enough. Which is | why there is still a big bounty for it. And those wouldn't | be excellent precautions if you weren't doing anything | dangerous, because they would be a huge burden over just | operating normally above board. | | How exactly does this method stop working in cities? 
You | could have provided some content instead of a weirdly | vitriolic dismissal. | IncRnd wrote: | The parent was simply explaining that lockdown is not | intended for a person who buys computers from Craigslist | in order to enforce security. | | Your mitigation is not a mitigation against being singly | targeted. There are so many attack vectors in a computer | outside of the boot disk. The computers sold on | Craigslist should not be considered secure, since there | is no level of trust in the supply chain or the state of | the hardware. | | For ex: If you are being directly targeted, a nation- | state can purchase the computers from your local | Craigslist, rewrite their BIOS, and list them for you to | purchase. Then flood Craigslist with 100 other | compromised machines. | googlryas wrote: | Sure, they can do that. If they know what you're | actually doing. And you just do the same thing stupidly | on repeat in the same area. | | All of that certainly sounds much more involved than | sending a zero-day zero-click iMessage to the well known | phone number of a dissident. | Analemma_ wrote: | This is a fantasy that could only come from someone who doesn't | actually need it. The people who actually need Lockdown | Mode-- dissidents, organizers, journalists, etc.-- also | actually need to communicate with normal people, and that | means having a phone. If you're so unimportant that you can | get away with your proposed computing scheme, you're not | going to be the recipient of targeted cyber-attacks. | googlryas wrote: | Well, I don't need it, but the people who do need it | usually don't have much of a clue about infosec or cyber | security. | | What means of communication are available to you via a | phone but not via an internet connected computer? 
| | There isn't even anything intrinsically wrong with a cell | phone, other than the fact that it encourages you to carry | it everywhere and merge all communications with everyone | onto a single device that is default connected to the | internet. | wmf wrote: | Defense in depth is good. Apple is finally getting over their | faith in their sandbox. | stephc_int13 wrote: | Computer security is notoriously difficult, but at the same time, | none of this is magical, this is meticulous hard work, and with | enough time, skills and money I don't see how you can't plug all | the holes. | | At least the remote attack surface does not seem to be that | huge... | post_break wrote: | When reading through this list at each feature I can't help but | go "why isn't this in regular iOS?" | joshstrange wrote: | Which is exactly why it's optional. Plenty of other people, | myself included, look at that list and would not want them all | or would like to pick and choose which subsets are locked down. | post_break wrote: | Yeah pick and choose makes sense for sure. Apple isn't | exactly the king of choice unfortunately. | olyjohn wrote: | They should give you a list and the toggle should give you | the option "SECURE" or "INSECURE" because that's basically | what this is. | nojito wrote: | Hardened devices only work if it's an all or nothing | proposition. | [deleted] | [deleted] | tristor wrote: | This feature is really fantastic, and it re-affirms my commitment | to using Apple devices due to security in preference over | Android. The only thing I could see that would be a superior | alternative could perhaps be something like Graphene. Already | today I locally set up a profile via Configurator in order to | ensure that my phone can't be hijacked by some local attacks; the | work that is happening in Lockdown is even better and I'll be | enabling this as soon as it becomes available to me. | Terretta wrote: | This is great, but also clever. 
| | By offering users a more locked down option with clear tradeoffs, | (a) users can make a choice between security and convenience, and | (b) given user agency, negative press around hacks of _not_ | locked-down devices loses potency. | | Meanwhile, the choice seems straightforward on most of these... | | _Lockdown Mode includes the following protections:_ | | _- Messages: Most message attachment types other than images are | blocked. Some features, like link previews, are disabled._ | | GREAT! | | _- Web browsing: Certain complex web technologies, like just-in- | time (JIT) JavaScript compilation, are disabled unless the user | excludes a trusted site from Lockdown Mode._ | | GREAT! | | _- Apple services: Incoming invitations and service requests, | including FaceTime calls, are blocked if the user has not | previously sent the initiator a call or request._ | | GREAT! | | _- Wired connections with a computer or accessory are blocked | when iPhone is locked._ | | GREAT! (Used to have to do this yourself with Configurator if you | wanted to be hostile border-crossing proof.) | | _- Configuration profiles cannot be installed, and the device | cannot enroll into mobile device management (MDM), while Lockdown | Mode is turned on._ | | HMM ... there are hardening settings only available through | Configurator or MDM profiles. Will those be defaulted on as well? | Infernal wrote: | >> - Configuration profiles cannot be installed, and the device | cannot enroll into mobile device management (MDM), while | Lockdown Mode is turned on. | | > HMM ... there are hardening settings only available through | Configurator or MDM profiles. Will those be defaulted on as | well? | | Reading between the lines here - on lockdown mode, you can't | install a profile, or enroll in MDM. What it doesn't say, is | that you _can't_ enable lockdown mode with a profile | installed, or if enrolled in MDM. 
| | I take this to mean, with lockdown turned on, I can't install | profiles or enroll in MDM (but presumably could uninstall | profiles or unenroll from MDM). | sodality2 wrote: | Correct. Existing MDM profiles will be unaffected. | xoa wrote: | > _- Configuration profiles cannot be installed, and the device | cannot enroll into mobile device management (MDM), while | Lockdown Mode is turned on._ | | > _HMM ... there are hardening settings only available through | Configurator or MDM profiles. Will those be defaulted on as | well?_ | | Yes, that one leapt out at me as well as kind of an awkward one | with more compromises, painting with a very broad brush. It's | obvious that some of the very powerful config profiles/MDM | capabilities could be used for a lot of mischief, but some of | them are also exactly what I'd want to be running myself if I | was at a lot of risk, and some are both. I.e., continuing to | have one's own offline-based CA with proper Name Constraints | could be handy for a group of people who want to try to better | secure and keep private their own internal network services | from anything short of a government physical assault, but if an | attacker can slip on a profile with an unlimited CA your goose | is cooked. | | Perhaps Apple simply doesn't have the capability for fine | grained control of those capabilities yet, which wouldn't be | surprising given their path up until now. I'll be interested to | see if over time Apple leaves this mostly untouched or invests | in seriously improving it. Like it'd be interesting if you | could boot into a special mode a la DFU, though requiring a | password and with graphics up, and have a bunch of toggles for | various capabilities that would then be enforced in normal | usage. Analogous to the Recovery Mode on Macs. 
| alwillis wrote: | _Perhaps Apple simply doesn't have the capability for fine | grained control of those capabilities yet, which wouldn't be | surprising given their path up until now._ | | I have to believe they're working on exposing some of this | via MDM. Certain organizations may never want the JIT turned | on, for example, or allow attachments in iMessage. | | I expect we'll hear more about more capabilities this summer | and fall. | m0dest wrote: | Do you really trust your average IT department to make an | informed decision about whether WebKit JIT is currently | secure or not? I don't see Apple putting these in MDM | Configuration Profiles. If they do, it will only be for | Supervised Devices (i.e. devices owned by your employer, | must be wiped to enroll). | alwillis wrote: | _Do you really trust your average IT department to make | an informed decision about whether WebKit JIT is | currently secure or not?_ | | In general, no. | | For specific websites or web apps, yes. | sodality2 wrote: | You can simply enable those MDM profiles then enable Lockdown | mode; they will stay on. You just can't enable new ones while | Lockdown mode is enabled. | Animats wrote: | Does lockdown mode prevent updates from Apple? | lisper wrote: | Extreme? This sounds like the way I have my computing environment | configured by default (to the extent that I'm able to do so with | browser extensions and whatnot). | ArrayBoundCheck wrote: | Same. It's too bad general browsing is nearly unusable with JS | turned off. | fbanon wrote: | >Web browsing: Certain complex web technologies, like just-in- | time (JIT) JavaScript compilation, are disabled unless the user | excludes a trusted site from Lockdown Mode. | | This should be ON by default. It would force webdevs to write | efficient websites. | iasay wrote: | They'd just work out how to write web apps entirely in CSS | instead somehow. | m463 wrote: | If I could just firewall my phone like Little Snitch. 
| | But apple doesn't allow this. | ignoramous wrote: | Firewalls like Little Snitch may not be enough against actors | like NSO (that exploit unknown zero-days), tbh. The mechanisms | to enhance protection do need to come from the vendor | (Apple). This _lockdown mode_, for all its present | shortcomings, is moving the needle in the right direction, imo. | colechristensen wrote: | Can I turn these features on one by one by some other method? | (self-managed MDM, or something else?) | jackson1442 wrote: | Self-managed MDM is the way to go for most of them. I think the | main one that can't be achieved thru MDM is the browser | lockdown. MDM has a lot of other security policies available | though. | corytheboyd wrote: | If Apple could somehow make phone and sms not useless due to spam | that'd really save the average person. They must have the | resources to throw at something like this. I'm not claiming to be | an expert, I'm not saying I'm right, but phone spam is fucking | awful. | thothamon wrote: | Phone spam as in text messages? Your email is a whole other | thing | corytheboyd wrote: | Yes indeed email is a whole other thing, that's why I didn't | mention it :) | duskwuff wrote: | > If Apple could somehow make phone and sms not useless due to | spam | | 1) A full solution to this problem is going to depend on mobile | carriers making changes. It isn't something which Apple can | unilaterally fix. | | 2) This is completely irrelevant to the purpose of "Lockdown | Mode". It's intended to protect high-risk users from certain | sophisticated threats -- it isn't a feature which most users | should use. | knodi wrote: | They already do this: report the message as junk, the number | will be flagged as junk, and messages from it will be filtered | to the junk view. | ipsi wrote: | Surely that's the responsibility of the providers, though? 
| Apple can improve the situation a bit, maybe, but you'd really | need to get AT&T & co to crack down on it to have any chance of | solving it for good. | | I know that I've had approximately zero spam on my German | number (that I've had for ~2.5 years) - I'm not sure why, whether | I'm just lucky, or whether it's much more under control here. | My UK number definitely had problems with spam, though. Maybe a | couple of spam calls a week. | corytheboyd wrote: | Nice, glad to hear it's at least reasonable elsewhere. It's | very, very bad in the US, at least for my partner and I. We | started getting unsolicited calls days after starting the | house buying process because the credit reporting companies | sell you off immediately. Very frustrating. | vorpalhex wrote: | There are several redirection services that will pair your | spam caller to a very chatty chatbot. Excellent way to make | spammers pay. | thedougd wrote: | Worst part of switching from Android (Pixel) to iPhone. It was | shocking. | jeroenhd wrote: | This seems to be a problem mostly localized to some countries. | Device manufacturers should not be fighting a rotten network, | the networks should be fixed instead. | corytheboyd wrote: | Yeah but... here we are. In the US at least, I don't see this | ever being addressed at the root. Everything between the user | and the phone service is at least somewhat malleable, what's | the problem with at least trying in one of those places? | newaccount2021 wrote: | janandonly wrote: | If Apple was really serious about this, they would add one more | feature to Lockdown mode: To delete and scrub permanently and | definitively _all your iCloud data_. | | You can close the proverbial "front door" by enabling "Lockdown | mode" but if that same government sends a subpoena to Apple, then | they will just give them a copy of all your iCloud private data. | devnulll wrote: | Nobody who is at risk for this is doing iCloud backups. 
That's | something you can already turn off. | sneak wrote: | Their conversation partners are. iCloud Backup is a backdoor | in iMessage's end to end encryption preserved explicitly at | the behest of the FBI. | sonofhans wrote: | I'd love to see evidence of this. | modeless wrote: | "For Messages in iCloud, if you have iCloud Backup turned | on, your backup includes a copy of the key protecting | your messages" | | https://support.apple.com/en-us/HT202303 | | Yes, that really does mean that Apple can decrypt your | messages. In fact, Apple does it this way at the explicit | request of the FBI, as reported by Reuters. | https://www.reuters.com/article/us-apple-fbi-icloud- | exclusiv... | | And look at all the other potentially sensitive data that | is not end-to-end encrypted in the backups. Photos, | notes, reminders, calendars, the list goes on. | sodality2 wrote: | It's not something that has evidence - what they mean is | that even if you have iCloud backups disabled, everyone | you talk to might not. The point of e2ee is that both | ends must have it encrypted - not just you and the | server, but more abstractly, the communication partners. | warkdarrior wrote: | That is a novel and quite broad interpretation of E2EE. | In typical E2EE only endpoints of a (logical) | communication channel can decrypt messages on that | channel. But E2EE does not say anything about what an | endpoint can do with those messages once they decrypted | them -- they could print them at the public library and | leave them there, they can forward them to the FBI, they | can post them on reddit, etc. | | If you do not trust your communication partner to | safeguard your messages, E2EE will not help you at all. | concinds wrote: | The point is that many people have iCloud Backups enabled | without any awareness whatsoever of the implications, as | iCloud Backups are opt-out and there is zero disclosure | within the OS (only an Apple Support webpage nobody will | visit). 
| | It leads to E2E being systemically weakened, since most | of your iMessage conversations will get immediately | scooped up by Apple and alphabet agencies, dragnet-style. | sodality2 wrote: | I understand that, I didn't mean the concept of e2ee | requires the endpoints to never share it at all. What I | meant was, commonly people will disable iCloud backups | hoping to regain some privacy, but it does nothing | because most of your communication partners use iCloud | backups. Just like people who switch to e.g. Protonmail - | if you only ever talk to GMail users, it doesn't really | give you much extra privacy. | apeace wrote: | GP is partially right: | | https://www.reuters.com/article/us-apple-fbi-icloud- | exclusiv... | | According to Reuters sources, Apple abandoned plans to | offer iCloud backup encryption, out of fear of government | retaliation or even spawning new anti-encryption | legislation. | | On the other hand, GP is responding to: | | > Nobody who is at risk for this is doing iCloud backups. | That's something you can already turn off. | | And indeed, if you turn off iCloud backups, there is no | "backdoor" into iMessage. You can also set up your phone | to do encrypted backups locally to your laptop, if you | want that instead. | stu2b50 wrote: | You can already turn off iCloud features? | threeseed wrote: | If you care about your privacy don't upload your private data | to ANY cloud service. | | Even if iCloud was encrypted they still run on third party | cloud providers who nobody knows what relationship they have | with governments. Many types of encryption are breakable if you | have effectively unlimited resources. | luhn wrote: | Most iCloud data is end-to-end encrypted; Apple doesn't have | direct access to your data. In the end they do own the OS and | could potentially backdoor your device, but if you're worried | about that... well, Lockdown Mode is moot at that point. 
| | Worth noting Apple previously refused an FBI order to do just | that. https://en.wikipedia.org/wiki/FBI- | Apple_encryption_dispute | jackvalentine wrote: | > Most iCloud data is end-to-end encrypted; Apple doesn't | have direct access to your data. | | Depends what you think of as 'most' really; things that don't | have end-to-end include photos, icloud drive files, notes | and backups. | | https://support.apple.com/en-us/HT202303 | mytherin wrote: | Secure notes are end-to-end encrypted [1] | | [1] https://support.apple.com/en- | gb/guide/security/sec1782bcab1/... | modeless wrote: | Apple refused an FBI order to decrypt a phone; however they | allow the FBI to access iCloud data all the time. And | iMessage is not end-to-end encrypted in iCloud _at the | explicit request of the FBI_. | https://www.reuters.com/article/us-apple-fbi-icloud- | exclusiv... | nojito wrote: | Yes but many things on iCloud are E2E encrypted. | | https://support.apple.com/en-us/HT202303 | modeless wrote: | Which makes it all the more ridiculous that sensitive | things like messages, photos, contacts, and notes aren't, | even as an option. Clearly the technical ability is | there. | 2OEH8eoCRo0 wrote: | > Wired connections with a computer or accessory are blocked when | iPhone is locked. | | Android defaults to charging only. | Aaronn wrote: | The same is true on iOS | (https://www.theverge.com/2018/7/10/17550316/apple-iphone- | usb...). Lockdown mode just prevents you from enabling it. | 2OEH8eoCRo0 wrote: | > USB Restricted Mode prevents USB accessories that plug into | the Lightning port from making data connections with an | iPhone, iPad, or iPod Touch if your iOS device has been | locked for over an hour. | | Android asks every time for every device. There is no 1-hour | grace period. | TIPSIO wrote: | If you are "a target" and going to take measures of basically | disabling everything on your iPhone, wouldn't it just make sense | to get a burner dumb phone? 
| | Hasn't this been happening for years (drug dealers, anonymous, | etc..)? | stu2b50 wrote: | Think more about journalists. You need slack to talk to the rest | of the team. You need WhatsApp to communicate with sources and | locals in most of the world that's not the US. Your iPhone is | an important tool for your work in general - a dumb phone that | can only make real phone calls and sms is not particularly | close. | | Phone calls and sms are also completely unprotected as opposed | to chat apps with e2e. | pizlonator wrote: | But then you'll want lockdown mode (or something like it) on | whatever device you use to browse the web. | yreg wrote: | What then? Use SMS? | [deleted] | alwillis wrote: | Let's not let the perfect be the enemy of the good. | | This is a _huge_ step forward for iPhone users. Look, I get it. | From the typical HN perspective, this potentially looks like a | lot of hype. But many of you aren't looking at it from a high | level. | | In the world we are now living in, even what's happening in the | United States right now, being able to protect yourself from | well-funded, determined attackers for the average person couldn't | come at a better time. | | There's a huge gap between Fortune 500 executives, government | officials, etc. and regular people in terms of the resources | available to them to prevent state-sponsored attackers. It | doesn't take much these days to go from a nobody to being on | somebody's radar. | | If you're a woman seeking an abortion in a state where it's | illegal or severely restricted, you could be the target of | malware from your local or state government or law enforcement. | In Texas, you can sue anyone who aids and abets a woman who | attempts to get an abortion for $10,000, which is enough to get | someone to trick someone into installing malware on a phone. | | No, it's not China or Russia coming for you but it doesn't take | much to ruin someone's life. 
| | I don't think this is virtue signaling or marketing hype by | Apple; if anything, this is right in alignment with the stance | they've had on privacy for years. Even for a company the size of | Apple, putting up $10 million to fund organizations that | investigate, expose, and prevent highly targeted cyberattacks | isn't pocket change. | | At the end of the day, this is all good news for user privacy and | security going forward. I also suspect if I lock down my iPhone, | my other compatible devices using the same Apple ID will also | lock down. No IT department required. | Sebb767 wrote: | > There's a huge gap between Fortune 500 executives, government | officials, etc. and regular people in terms of the resources | available to them to prevent state-sponsored attackers. It | doesn't take much these days to go from a nobody to being on | somebody's radar. | | It's also a question of whether you want that. Anyone can take | anti-phishing training, it just takes a lot of time. Want to | download a mod for a game? You better have a separate gaming | machine with _no_ important data on it and, to be sure, in a | separate network. Want to buy a phone? Better drive to a random | store, ordering is too dangerous. | | Sure, it's easy to get on the radar, but avoiding a state- | sponsored hack is also a lot of effort. Fortune 500 executives | need to put that effort in and they do have the money to make | it happen, but for most people, the problem is not the cost. | rmbyrro wrote: | > putting up $10 million isn't pocket change | | 10 Million = 0.0027% of Apple's sales in 2021. | | Equivalent to an Apple developer who made 300K in 2021 donating | 8 dollars. | | If this doesn't classify as pocket change, it's quite close. | tyingq wrote: | Enlightening comparison, though revenue isn't income. | | If you went with net income, it would be 0.0105% of Apple's | 2021 net income. | | Or $31.80 of $300k instead of $8. 
| rmbyrro wrote: | $300k is not the developer net income, in the example | fastball wrote: | Apple has a lot of other stuff to spend money on. Pocket | change adds up. | samatman wrote: | Apple made 25 billion _in profit_ in 2021, so the equivalent | of a 300K income donating $1200. | | To stave off tedium, it's still $800 at a 1/3rd tax rate. | These numbers aren't pocket change any way you slice it. | jorvi wrote: | I agree with the rest of your comment, but this | | > Even for a company the size of Apple, putting up $10 million | to fund organizations that investigate, expose, and prevent | highly targeted cyberattacks isn't pocket change. | | is kind of funny, as it's about 1/20000 of their total _cash_ | reserves. With 20000 in my savings account, it'd be equivalent | to giving 1 dollar to charity. In other words, pocket change :) | PoignardAzur wrote: | It's still ridiculously good by bug bounty standards. | | Zero-day buyers are going to have a hard time topping that. | O__________O wrote: | Bounty is $2 million, grant is $10 million. | | You could easily get more for selling a zero-day like | this than reporting it to Apple. If you combined the risk | this is being turned on is reported back to Apple or | remotely detectable, combined with a zero day, it would be | a goldmine; cover this and other issues in my comments on | the topic: | | https://news.ycombinator.com/item?id=32006436 | jjtheblunt wrote: | where are the cash reserves documented? | zie wrote: | see: https://investor.apple.com/investor- | relations/default.aspx | | Specifically the 2022 Q2 financial statement (it's a PDF). | Under "Cash and Cash equivalents" on the 2nd page, you will | see: 28,098 | | That's in millions of dollars (see top of that page for | source), so they have 28 Billion USD just lying around. | | 10M/28098M = 0.0004 so it's 0.04% of their cash. | kelnos wrote: | I have mixed feelings about this. | | Lockdown Mode basically cripples the phone, feature-wise. 
It's | not quite to the point where I'd (even hyperbolically) say "why | don't you just get an old dumb phone instead", but still... | | The right thing to do would be to redesign the system from the | bottom up to actually be secure in the face of vulnerabilities | in any of these features that get disabled because they can be | dangerous for people. (And maybe Apple is working on this | behind the scenes, which will take them years to complete.) | | But, agreed: let's not let perfect be the enemy of the good. | It's better to have this option than to not have it, even | though it likely creates a super restricted user experience | that probably isn't particularly pleasant to use.
| Syonyk wrote: | > _Lockdown Mode basically cripples the phone, feature-wise. | It's not quite to the point where I'd (even hyperbolically) | say "why don't you just get an old dumb phone instead", but | still..._ | | The problem is that phones (of the "dumb"/"feature" variety) | are running OSes that don't have nearly the security | attention or hardware features related to them that iOS | devices have. | | I carry a KaiOS feature phone as my personal phone (when I | remember it). Apple pissed me off enough with the CSAM stuff | that I wanted to experiment with alternatives, and I've done | so. However, I don't pretend KaiOS is particularly "hard" | against attackers - it's almost certainly not. But neither | does it have much of an attack surface. It doesn't even try | to render emoji, they're just black rectangles. And neither | does it try to, say, render weird old Xerox image formats. | | I would trust an iOS device with "most of the complex attack | surfaces turned off" far more than I'd trust a KaiOS or | stripped Android device. You get all the hardware | protections, regular OS updates, a bug bounty program focused | on this mode, and the smaller attack surface window of | Lockdown.
| | I'm incredibly excited by it, because it turns off all the | stuff _I don't want in a phone anyway._ | | Unfortunately, "crickets on CSAM" is a problem too. If they | say they're not going to ship that ill-conceived feature, I | might move back to iOS. If not, well... I'll probably play | with Lockdown mode for a week or two and then go back to the | Flip.
| samstave wrote: | CYBER-FUCKING-PUNK has entered the chat! | | --- | | >> _There's a huge gap between Fortune 500 executives, | government officials, etc. and regular people in terms of the | resources available to them to prevent state-sponsored | attackers._ | | - Full Stop. | | ----- | | The fact is; UNLESS you are either the .% or the other ...% of | HN users/hackers/dark-web 'rippers'; you are cyberly _FUCKED_ | | And it's super odd that we have ~~Ono-Sendai~~ APPL 'defending' | cyber-rights. | | -- | | How the fuck can one downvote the above and not have a valid | reason they'd like to share. We are on H-FN-N... you think we | don't know the above is true?
| smoldesu wrote: | > If you're a woman seeking an abortion in a state where it's | illegal or severely restricted, you could be the target of | malware from your local or state government or law enforcement. | | Let's not get in above our heads, here: if the US government | wants to know what's on your iPhone, they still have the | faculties to retrieve that information. Setting your iPhone in | a lockdown mode isn't going to let you escape the purview of | government surveillance, and if it did then Apple wouldn't be | announcing it today. We're _all_ targets of government malware, | and the way they ensure we all keep it installed is simple: | they just make Apple and Google write it for them. This | pervasive idea that Apple is somehow escaping the jurisdiction | of PRISM is pretty hysterical, and it makes me excited for the | first Senators to get caught paying for prostitution services | with Apple Pay inside Lockdown Mode.
The only enemy of "good" | in a threat model is the unknown, and Apple makes sure there's | _plenty_ of unknown factors in your iPhone. | | Edit: For all HN loves to rant about the Halloween Documents, | you lot seem awfully unfamiliar with the Snowden leaks...
| andrewmcwatters wrote: | "Silly HN reader, you're just not seeing the big picture." | Could you not? | | You know what people do when they're targeted by state actors? | They don't use computers. And if they have to, they air gap.
| MBCook wrote: | Ok. You're in the Republic of Somethingistan. You're alone. | All you have is your phone to contact people at home to help | you and some money and you need to get out. | | You know the state is after you. | | So you ignore this, turn off your phone instead, and... what? | Now you're even more alone, can't get help from | friends/family. | | This seems like a very reasonable option in some situations.
| dangus wrote: | It seems like there could be a median area between "in the | crosshairs of the KGB" and "I need to avoid off-the-shelf | exploits in a specific situation." | | A great example of this might be visiting a country like | China while on business. Straight up going "off the grid" | isn't really an option in that scenario.
| PoignardAzur wrote: | > _You know what people do when they're targeted by state | actors? They don't use computers. And if they have to, they | air gap._ | | That's like saying "men who don't have easy access to condoms | just stay abstinent instead". This is what we _wish_ would | happen. But empirically, they just shrug and do the insecure | thing. | | (There was an article posted on HN a few years ago that was | from a journalist pointing out this exact thing, from his | personal experience. I can't find it though.)
| wnevets wrote: | Someone better let those NGOs hacked by China know right | away!
| astrange wrote: | It's true, NSO Group doesn't exist and none of their exploits | have ever worked on anyone.
| dkarl wrote: | > In Texas, you can sue anyone who aids and abets a woman who | attempts to get an abortion for $10,000, which is enough to get | someone to trick someone into installing malware on a phone. | | Anecdata for people who think this is unlikely: my wife had an | issue getting unclaimed property back from the state of Texas | and hired someone who advertised the ability to help. She turned | out to be a bulldog with a ton of knowledge of the necessary | bureaucracy. She put hours per week into it on our behalf for | months, through many rounds of filing paperwork and then | hounding bureaucrats on the phone by telling them exactly how | and why we could sue if they ignored it. She did all that for a | cut that was a fraction of the $10k abortion bounty. The $10k | might seem like a symbolic gesture, but it will spawn a cottage | industry of bounty hunters. No doubt most of them will be | ideologically excited wannabes who quickly give it up, but some | will be dogged and effective and will cultivate an expanding | repertoire of skills. It's a terrifying prospect. | | There will be many, many people who never previously | entertained the idea of getting involved in serious criminality | who now need protection from the prying eyes of the state and | their fellow citizens. To look at it from a cold and | opportunistic viewpoint, this could change the public | perception of digital privacy from being just for dangerous | creepy people to something that everybody should value.
| cirgue wrote: | To add to this: the whole point of the civil right of action | is so that anti-abortion groups can target individuals in | order to create precedent-setting cases. This is a mechanism | that is designed to be used by well-funded groups. The threat | model here isn't some rando deciding they want to sue you, | it's a team of determined lawyers that absolutely will take | your case as far as they possibly can.
| greiskul wrote: | I hadn't thought about this, but you are right. Hell, they | don't necessarily even have to be immediately targeted | attacks by bounty hunters. Try to perform attacks en masse to | read personal messages/e-mails of people, use filtering to | try to find messages of people discussing getting abortions, | and then parallel construct an innocent-sounding story to use | in court. With 10k per success, you really don't need that | many hits to start making big money.
| nextos wrote: | Also, I personally know many old people who use a device just | for managing their finances as they are inexperienced with | security and fear their main device might get hacked. | | This functionality makes a lot of sense in such a case.
| fastball wrote: | Yeah except putting malware on someone's phone is actually | illegal, so seems like a pretty bad tradeoff since, ya know, | you'd have to mention how you got the data when you sue | someone in court.
| kelnos wrote: | Police use this sort of tactic (parallel construction) all | the time, though: they collect evidence in ways not | admissible in court, but use knowledge of that evidence to | find new lines of investigation and new evidence that _can_ | be admissible in court. | | Presumably someone could use malware on someone's phone to | know who to target with an abortion-related lawsuit, and | then use legal forms of investigation to find evidence to | prove that they got an abortion.
| BHSPitMonkey wrote: | https://en.wikipedia.org/wiki/Parallel_construction
| Angostura wrote: | Getting information through an illegal trawl is an | amazingly effective way of working out how to get related | information "legally". | | Find out from the phone that they have an appointment at a | particular time and place? It's easy to just be there and | photograph them, "as part of occasional surveillance" or | whatever.
| hk1337 wrote: | I kind of want to turn it on and leave it on.
I'm assuming | since it's a "mode" that I can turn it off when I need to, do | what I know is legit, then turn it back on again.
| rmbyrro wrote: | Might not be as convenient. Probably requires restarting the | phone.
| QuantumSeed wrote: | As soon as you enable lockdown mode in iOS 16 Beta 3 it | reboots the phone.
| kelnos wrote: | I would assume that disabling Lockdown Mode means wiping the | phone to factory condition. Otherwise Lockdown Mode is only | as secure as whatever PIN or password you use to disable it, | which isn't particularly secure at all.
| Syonyk wrote: | Yes, but if an attacker has physical access and unlimited | time, you've probably lost anyway. | | What this seems to be focused on are the "remote zero-click/one-click" vulnerabilities we've seen, in which | either a message is delivered that never shows up but | installs a backdoor hook, or a website can deliver a | malware package to a particular user and install the | backdoor hook without notifications. | | It sounds like it does improve some of the physical | security features, which should help reduce attack surface, | but I wouldn't trust _any_ bit of consumer electronics | against a sustained physical attack by a sufficiently | motivated adversary.
| Veserv wrote: | Let's not let better be the enemy of good either. Better than | terrible is still bad and is nowhere near good. | | It is frankly ridiculous that anybody should believe Apple when | they claim to provide even minimal resistance to well-funded | determined attackers. Protecting against well-funded determined | attackers has been the holy grail of software security since | forever and everybody in software security at least claims to | be working toward that. Despite that, the prevailing state of | "best-in-class" "best-practices" commercial software security | is objectively terrible, including Apple circa 1 year ago.
| | Are we supposed to believe that Apple, despite abject failure | over the last few decades until as recently as the last time | they announced security updates to the iPhone, has finally this | time, for sure, pinky swear it's true, jumped from terrible to | the holy grail, or even good, because they said so? | | No, this is absolute, utter, unequivocal garbage. Their claims | are completely unsupported and they should be excoriated for | spewing unsubstantiated bullshit that muddies the waters of the | actual state of software security and misleads people into | believing they are getting a meaningful degree of protection or | software security. | | If they want to make such claims, they should put their money | where their mouth is and, instead of certifying iOS to EAL1+ | and AVA_VAN.1 as they currently do, they should certify it in | "Lockdown Mode" to EAL6-7 and AVA_VAN.5 which actually does | certify protection against "high attack potential" attackers | such as large organized crime and state-sponsored attackers. At | the very least they could certify it to EAL5 and AVA_VAN.4 | which certifies protection against "moderate attack potential" | attackers. Until they do that, their claims to protect against | state-sponsored attackers are complete unverifiable bullshit.
| donw wrote: | Especially as Apple is often the "well-funded attacker".
| O__________O wrote: | At the point it puts users at more risk than not, I don't see | this as a step forward; not informing users of the risk of | having iCloud enabled is one example. | | For more of my take on the topic, see: | | https://news.ycombinator.com/item?id=32006436
| mcculley wrote: | This is great but too big of a hammer for most use cases. What I | really want is a per-application firewall. | | For example, say I would like to install a photo editing | application. It would need access to my photos. That is fine, so | long as it is not allowed to connect to the Internet (or any | other network).
There is currently no way to ensure this.
| lolsal wrote: | > This is great but too big of a hammer for most use cases. | | This is not in any way intended for most use-cases, it's very | clearly intended for a single, specific, uncommon use-case. The | press release says as much more than once.
| mcculley wrote: | I guess my point is that instead of making a special mode | that is only useful for a minority of users, it would have | been really nice to get a feature that everybody should be | thinking about and using.
| Legion wrote: | Perhaps that's what it eventually evolves into. Probably | easier to get this off the ground by developing it as a | separate mode.
| briffle wrote: | I'd go a step further, and say per-application virtualization. | Every single program running its own (ideally encrypted memory) | namespace, with its own assigned memory, etc.
| muricula wrote: | That's what the iOS sandbox provides. Heck, the tools arm64 | gives you to isolate VMs are awfully similar to the tools | they give you to isolate processes. VM escapes aren't too | different from sandbox escapes. | | Encrypted memory isn't part of arm yet, I was holding out | hope with armv9 "realms" but not so.
| varenc wrote: | Agreed. I wish iOS had a "network access" permission just like | Android does. (Though to avoid permission fatigue for the | average user, perhaps make it something only users that care | can deny.) | | That said, I think this is pretty unrelated to protecting | yourself from nation state actors. Mercenary spyware (like NSO) | doesn't use a legitimate app store app as their initial | infection point. I can think of many reasons for this: | difficulty getting the target to install it, app store approvals, | leaking their 0days, leaving more of a paper trail, and | avoiding scrutiny in general, etc. I'd of course love this | feature for my own data privacy.
| mcculley wrote: | > (Though to avoid permission fatigue for the average user, | perhaps make it something only users that care can deny) | | Yeah, I would not want to have to approve every app. What I | would like is a machine-readable description of the app's | capabilities to include Internet access, just as is required | for access to the microphone or photos. This would encourage | app developers to advertise to users that they don't need | such capability and encourage users to realize that privacy | and Internet access are mutually exclusive. | | There are many small apps I simply will not buy/install | (e.g., apps for editing photos or contacts or calendars) | because they cannot be trusted. Even if you trust the | developer, the developers are often embedding third-party | analytics libraries that cannot be trusted.
| astrange wrote: | This feature exists in Chinese iPhones because it's | required by law there.
| olliej wrote: | Edit: apparently I was wrong here? Though I'd swear it had the | feature?
| Nextgrid wrote: | You can disable an app's cellular data access, but that's it, at | least on Western phones. Ironically, phones for the Chinese | market actually expand that setting and also allow blocking | Wi-Fi access.
| mcculley wrote: | Where do you see this in iOS? The Settings app has many | permissions for applications, but no "Internet" permission.
| azinman2 wrote: | You can turn off cellular data access to an app; not quite | the whole internet as WiFi will still work. But it's half | the problem.
| LeoPanthera wrote: | It does not ask for internet access, it asks for access to | other devices on the LAN. Not the same thing.
| imdsm wrote: | I use Little Snitch for this, but I agree, a big hammer, and | likely more hoops for regular developers to jump through. | Notarisation, signing, forced developer keys...
| post_break wrote: | Little Snitch is great. Apple would never allow it on iOS, | which is ridiculous.
| CharlesW wrote: | It's not the same, but have you used App Privacy Report to | monitor what your iOS apps are doing? | | https://www.wired.com/story/ios-15-app-privacy-report/
| mcculley wrote: | The App Privacy Report is great, but too late. It shows | you what an app did, not what it might do.
| criddell wrote: | Thanks for posting this. I just turned it on and am | looking forward to the report. | | It's under Settings > Privacy > App Privacy Report.
| mcculley wrote: | I use Little Snitch on macOS, but it is not available on iOS, | so far as I know. Normal apps on iOS do not have enough | visibility into the system for that.
| jeroenhd wrote: | Android exposes a soft VPN API that firewall apps can use | to block network traffic for certain apps in certain | scenarios (say, no Google Play updates when on mobile data) | with apps like Netguard [1]. | | Does iOS not expose such functionality? Surely there's some | kind of VPN API? | | [1]: https://github.com/M66B/NetGuard
| mathisonturing wrote: | Android has system-level app options in the settings to | disable WiFi/mobile data. | | I tend to use that, and use Netguard as a fallback | because the latter has an off-by-default config in case I | forget to disable it for new apps. | | Netguard on its own is insufficient because sometimes | you'd need to use an actual VPN (which turns off | Netguard).
| infthi wrote: | I've had those options on multiple OnePlus phones, but | they were not present on multiple Pixels. Since Pixels, | which are usually sold as "AOSP experience with Google flavor", | are lacking this feature, I am not sure if that | feature comes from AOSP or is only present on OnePlus | phones.
| ignoramous wrote: | > _Android exposes a soft VPN API that firewall apps can | use to block network traffic for certain apps in certain | scenarios (say, no Google Play updates when on mobile | data) with apps like Netguard._ | | I worked on AOSP for longer than I care to admit. This is | mostly an illusion.
System apps (like Google Play) can | pretty much do whatever the heck it is that they want to. | NetGuard, sure, "firewalls" it... but it wouldn't even | know if a system app bypassed its tunnel. For installed | apps, NetGuard is golden (as long as NetGuard itself | doesn't leak). | | Disclosure: I co-develop a FOSS NetGuard alternative (and | yes, this alternative has similar limitations).
| mcculley wrote: | iOS has APIs for VPNs and "content blockers". But as far | as I know, such a filter has no access to know which | process/application is trying to make a connection. | Little Snitch on macOS has to install code into kernel | space. (Or at least it used to; I have not reinstalled in | a long time.) | | The Android app you link to seems to have the | functionality I think should exist as a built-in. It | needs to be built-in so that non-geeks can use it. | | Just as users are asked the first time an application | attempts to use the microphone and are able to prevent it | before it starts, they should be able to limit network | access and revoke it at any time. | | (I don't think users should necessarily be forced to | approve Internet access for every app install. Just make | it possible to revoke in the global Settings widget and | encourage users to think about personal data and Internet | access being mutually exclusive.)
| FireBeyond wrote: | Not like that. The idea is antithetical to Apple, who | have said during keynotes that they've tried to avoid | doing so, because what they really want is a world where | the concept of "mobile data" is not limiting.
| radicaldreamer wrote: | None of which is particularly effective since it's trivial to | set up a legal entity that makes one game but signs a bunch | of malware (or steals enterprise keys).
| freedom-fries wrote: | I'm guessing it will run afoul of the EU regulations.
At the bare | minimum there should be a level playing field - individual | applications and third-party application providers should have | the same access as Apple's apps! | | * If Safari and Messages are allowed then all other apps should be | allowed and have complete access to the device even in the | lockdown mode. * If Apple gets access to any traffic from the | device in the lockdown mode, then all other applications should | have full access to advertising metrics and device data as well. | | At that point it's probably not much of a lockdown, but Apple | can't have all the fun, can it?
| clamprecht wrote: | They should offer "US President mode". Didn't Obama have to have | a special version of the Blackberry developed for him, while he | was president?
| sedatk wrote: | Yeah, in which Twitter is also locked down.
| drexlspivey wrote: | Does this offer any protection after you are already pwned? Is | the expectation that you have it permanently on if you are a high-value target or do you turn it on temporarily before clicking on | a link for example?
| dustyharddrive wrote: | Don't know enough about iOS to say for sure about persistence, | but recent Pegasus (NSO Group spyware) versions don't | bother[1], instead repeatedly exploiting bugs starting with | "features" like background Messages attachment parsing. | | Those are the kind of threats Lockdown Mode finally | acknowledges -- targets (well IMO everyone) would need it | permanently enabled. | | Otherwise the temporary protection before clicking a link can | be had today in other ways, like disabling Settings > Safari > | Advanced > JavaScript. | | [1] Lack of persistence likely an attempt at making it harder | to analyze: | https://www.amnesty.org/en/latest/research/2021/07/forensic-...
| Nextgrid wrote: | If you're already pwned to the point where they have kernel-level access and can bypass code signature enforcement, all | bets are off.
Even if lockdown mode interfered with their | activity, at this point nothing prevents them from modifying | the Settings app to not really enable lockdown mode even if you | request it to.
| olliej wrote: | If you have already been pwned, the OS is compromised so it | clearly is not able to retroactively undo that - any checkbox, | option or whatever can just be turned into a no-op that lies.
| olyjohn wrote: | If you're going to run a crippled-ass phone to protect | yourself, because the regular phone is so fucking insecure, why | even bother with a smartphone? They'll just find an exploit in | something that the "security mode" hasn't disabled.
| einpoklum wrote: | Apple cannot even in theory protect you from spyware, because | Apple's OS and apps _are_ spyware - as Apple (routinely? | occasionally?) collects your personal data for the US | government's NSA and passes it to them (Snowden revelations: | https://www.theguardian.com/world/interactive/2013/nov/01/sn...)
| Nextgrid wrote: | This might get downvoted but it's actually true. If you're | logged into iCloud, even with all features disabled, things | like your call history and email recipient history (regardless | of whether you're using iCloud Mail) are uploaded, for example.
| legalcorrection wrote: | I see they're running the reality distortion field at full power. | | This is a load of bullshit and marketing hype. They are letting | you turn off features for security reasons, i.e. what basically | every OS has let you do, and what every half-competent IT | department has been doing, for decades. In fact, iOS was an | outlier in how unconfigurable it was, with the pitiful MDM | options not letting you turn off many of these features that are | constant sources of vulnerabilities and social engineering. | | Nothing that novel here other than the framing and cybersecurity | marketing bullshit about Nation State Actors and "mercenaries."
| haswell wrote: | Of course Apple is going to put a marketing spin on everything | they do - that is a given. Does that somehow invalidate the | work itself? | | Why do you find it necessary to reframe the introduction of | these features as a load of bullshit? | | Are you arguing that these features are bad or not useful? | | Or are you just saying that "it's about time"? And if so, why | not just focus on the part where Apple is doing a thing that | needed to be done? | | The undertones in your comment feel a bit unnecessary.
| legalcorrection wrote: | Because it's being made to sound like something it's not. The | comments are full of people fawning over how innovative and | groundbreaking this is. Just trying to offer a dose of bitter | reality to bring people back down to earth.
| haswell wrote: | To what end? What new insight is gained from such a | reframing? | | I personally don't think the individual features are as | interesting as the overall framing and the fact that Apple | is publicly announcing their intentions. The feature set | will doubtless change over time - such is the nature of any | software endeavor - but starting that journey is the | interesting part. | | Getting stuck on "but it's just xyz dumb feature..." or | "but they should have done x long ago", etc. just obscures | the more interesting fact that they're explicitly embarking | on this path to begin with.
| [deleted]
| TheRealDunkirk wrote: | Sounds like a plan to make iOS the default for highly-placed | government employees. Maybe that's already the case, but I | thought I remembered that Obama had to have 2 phones, and the | "secure" one wasn't an iPhone. Anyone have any more knowledge | about this?
| ceejayoz wrote: | The secure one was a BlackBerry for a while. | https://www.theverge.com/2016/6/11/11910306/obama-upgrades-f...
| easton wrote: | I'm guessing it isn't, if only because this feature completely | disables MDM (which you'd need in government or business to do | things like remote wipes or passcode policies). It looks to be | designed for people that are possible targets to use on their | personal phone, which shouldn't have work data on it. | | (Of course, they could make some new MDM policies to | individually turn these features on. You can already block | external devices with MDM, and you can completely disable | FaceTime/iMessage/iCloud. It wouldn't be much of a jump to add | the more granular protections this has.)
| bad416f1f5a2 wrote: | I think you've misread this announcement: it doesn't appear | that MDM is disabled. It merely looks like you cannot change | MDM settings, including enrolling, while this feature is | active.
| InitialLastName wrote: | At least at the start of the Obama Administration, he was known | to be hooked on his Blackberry [0], and I know RIM did a lot of | work to provide secured devices to government officials. I | don't know what government officials are using since RIM went | under though. | | [0] https://www.nbcnews.com/id/wbna28780205
| saos wrote: | This seems rather extreme. I like it!
| [deleted]
| midislack wrote:
| camdenlock wrote: | This is mostly great news. Then you scroll down a bit and see | this eye-opening 2nd part: | | "Apple is also making a $10 million grant [...] to the Dignity | and Justice Fund established and advised by the Ford Foundation - | a private foundation dedicated to advancing equity worldwide and | designed to pool philanthropic resources to advance social | justice globally." | | So Apple is releasing a great new hardened security mode in iOS, | AND... they're donating money to collectivist activism? What a | bizarre combination. One step forward, two steps back.
| numpad0 wrote: | But how secure are iDevices' peripherals, and RAM? I guess it's a | start of a journey, but I don't see that this does anything yet.
| stephc_int13 wrote: | What does it even mean to be a state-level actor? For me this is | the same kind of bullshit/PR language that is used to sell so-called "military-grade" artefacts. | | This is nonsense. Security breaches can be discovered and used by | anyone with the right knowledge and skills. Geohot was not | sponsored by the CIA or the FSB.
| halJordan wrote: | State-level is a label for groups that have resources and | persistence and perhaps the technical acumen that is available | to states.
| WFHRenaissance wrote: | I think they're focusing on the notion of protecting against | well-funded mercenary firms with the | resources/time/ability/motivation to target specific | individuals with specific exploits. I have a hard time | believing that anyone would enable this Lockdown Mode _prior_ | to being owned though.
| threeseed wrote: | > I have a hard time believing that anyone would enable this | Lockdown Mode _prior_ to being owned though | | I can imagine many use cases where they would, e.g. | | a journalist enabling this before working on an article that | was critical of a foreign government. Or any government | contractor, NGO, embassy worker etc.
| threeseed wrote: | > Security breaches can be discovered and used by anyone with | the right knowledge and skills | | That's often not enough. | | You need a lot of resources and most importantly prosecutorial | immunity.
| the_other wrote: | With this announcement, Apple are saying "we will protect you | from state actors", which is a role usually performed by states. | Apple is saying "we operate at the same level as nation states; | we are a nation-state-level entity operating in the 'digital | world'": It's a flag-raise. | | It's the first such flag-raise I've seen. Security researchers | talk about protections from state actors all the time, and there | are tools which support that...
but this is the first public | announcement, and tool, from a corporation with more spare, | unrestricted capital than many countries. It comes at a time when | multiple nation states are competing for energy and food | security; and Apple are throwing up a flag for a security-security fight (or maybe data-security). This is not just handy | tech, it's full-on cultural zeitgeist stuff. Amazing.
| jiveturkey wrote: | > It's the first such flag-raise I've seen. | | "Flag-raise" seems a bit hyperbolic but at any rate I think the | BSA asserted such reach and power, long ago. Both have to act | within the oversight of actual nation states. | | Beyond that, a secure phone is necessary but not sufficient to | defend oneself against a nation state.
| ivraatiems wrote: | The NSO Group, whom Apple specifically cites as an opponent | that inspired this work, is a private corporation. They sell to | governments, but so does Apple. | | The relationship between state and private industry has never | been binary and has always had features like this. I don't | think this is a "Jennifer Government" type scenario.
| kccqzy wrote: | Google has been dealing with nation state actors targeting its | users (Gmail specifically) for a decade now. They have the Advanced | Protection program. We actually regularly used to hear about | how human rights activists were targeted in spear-phishing | campaigns and then arrested. | | https://landing.google.com/advancedprotection/
| bsedlm wrote: | Agreed, the rise of the corporation as the most powerful | institution (above the nation-state) in this new budding global | civilization is a long time coming. | | On the other hand, this is how democracy dies. What structures | (systems) exist to prevent Apple (and other comparable | corporations) from being an oppressive force against human | persons? Moreover, what incentives do they have?
kube-system wrote:
Corporations definitely have a lot of power today, but nothing more than they've had in the past.

https://en.wikipedia.org/wiki/Company_rule_in_India

jfjrkkskdik wrote:

scottyah wrote:
To be fair, banks have been more powerful than a lot of nation-states for a while, and religious entities before that.

atlasunshrugged wrote:
The religious entities I get the argument, but what banks have been more powerful than nation states?

concinds wrote:
The Knights Templar were a religious organisation, but also a quasi-banking institution in Europe; they took and protected deposits of gold, and issued 'cheques' allowing, for example, travellers to deposit gold in London and spend the money in Southern Europe. They were dissolved because they were beginning to rival the Papacy and nations in power due to their immense wealth.

Also, few know this, but many African slaves who were victims of the slave trade became slaves due to debt-slavery (though this didn't involve formal banks). I've seen estimates of up to 25% of slaves back then having been debt-slaves.

bsedlm wrote:
the ones that only service other banks, hence only people working in higher level banking are likely to have heard about them. e.g. the bank for international settlements

I only found out about this bank because the former president of the mexican central bank -- Mr. Carstens, left the central banking gig to go to that bank.

atlasunshrugged wrote:
From reading their Wikipedia quickly it sounds like BIS has a similar function to, say, the IMF when it comes to financial system stability. I do agree these sorts of organizations exert huge amounts of influence, especially for smaller countries that are dependent on loans and outside financing, but I'm not sure I agree they are more powerful than a nation itself. A nation can (theoretically) decide to opt out from these systems and operate independently, or can play different parties funded by nations (because in the end they all are working for someone's agenda) off of one another as many countries did during the Cold War between the U.S. and Soviet Union. But if a nation reneges on its debt, the BIS, IMF, etc. isn't going to invade your country--one of its creditor nations might, but not them.

saurik wrote:
Based on their history of using their control over the App Store to "protect people" from such harmful content as content about how smartphones are made in sweatshops and tools (such as VPN clients, but also for a long time cryptocurrency wallets) that allow people to bypass restrictions put in place by these nation states that Apple works with, I'd claim these incentives are pretty shit :(.

https://www.youtube.com/watch?v=vsazo-Gs7ms

astrange wrote:
If you try to get into cryptocurrency your phone should automatically deliver electric shocks until you stop.

[deleted]

Omniusaspirer wrote:
Apple is a public corporation and votes on its corporate direction are freely available on the open market for anyone to purchase. Based on my share ownership Apple is much more subject to my whims than my actual elected politicians are on a % basis.

ryandrake wrote:
I can think of a few, at least applicable in the USA:

Apple doesn't have a military or police force with jurisdiction over me. They don't have the legal power to arrest me or throw me into prisons, which they also don't have. I don't have to pay taxes to Apple. I don't have to do business with them or interact with them in any way if I don't want to. I don't need Apple's permission to do anything unrelated to their product lines.

Same is true for any megacorporation. It's a big stretch to say they are even remotely as powerful as nation-states, let alone more powerful.
[deleted]

autoexec wrote:
> I don't have to do business with them or interact with them in any way if I don't want to. I don't need Apple's permission to do anything unrelated to their product lines... Same is true for any megacorporation

Nope. You can avoid buying an iPhone, but you cannot escape Google. I'm often forced to "do business" with Google. I've seen several government websites that require code hosted on Google's servers. I need Google's permission to do all kinds of things unrelated to their service (reCAPTCHA) and Google will track everywhere you go online even if you never use any of their services. Facebook also doesn't give you any option. They'll create a profile for you and start collecting data on you even if you've never created an account. You could argue that you pay these companies taxes in the form of your data rather than money, or that the fees they charge developers drive up consumer prices (acting as a tax on the purchases), and I suspect that should Apple/Google Pay become more commonplace they will start charging a fee (tax) for that as well. Nothing stops them from doing it.

Some corporations even have their own literal armies (Blackwater/Xe/Academi), but others don't bother because they have the ability to command the police and military wherever they are. The RIAA have their own "swat" team. They participate directly in raids breaking down doors and handling evidence.

Companies like Apple and Google are far more invasive than police, watching everything you do, listening to everything you say, recording every person you're in contact with. They censor and ban with impunity. If they really wanted to, they could plant data on your devices that would get you arrested and thrown in prison in any country around the globe.

Corporations might not yet be as powerful as a nation state, but they're a lot closer than you give them credit for, and they likely have more direct influence on your day to day life and what happens to you.

kube-system wrote:
No, they're nowhere close to being a nation state. Those spheres of power are nothing compared to something like the British East India Company, which had a currency, an army, and forcefully controlled almost 2 million sq. km. of Asia.

Captchas are definitely worthy of criticism, but they are not remotely on the same level as forcefully controlling the land under someone's feet.

atlasunshrugged wrote:
Yes, the state's monopoly on force is to me what truly differentiates them into a different category of power than a corporation. Also international recognition for nation states and being able to have treaties and the like, but really it's the monopoly on use of force. That said, I think the rise of charter cities (think of an SEZ on steroids run by a private corporation) will blur the lines further, although most proposals I've seen for charter cities leave policing to the locality they're residing in.

tambourine_man wrote:
Mandatory taxes, interest rates, printing money... nation states have a lot of power.

dane-pgp wrote:
> interest rates, printing money

Many nation states don't have control over interest rates (because their central banks are run independently of the government) or even the ability to print money, if they have adopted another currency.[0]

> Mandatory taxes

States typically tax transactions which happen on their territory (e.g. wages and sales), and in the case of Apple, their devices are their territory, like feudally controlled tracts of land in cyberspace. Taking a cut of all app sales and in-app purchases seems very much like a tax under this analogy.

[0] https://en.wikipedia.org/wiki/Currency_substitution

dotnet00 wrote:
This feels like an argument the government would make against strong encryption, like in the case a few years ago where the government tried to force Apple to unlock an iPhone and Apple refused, claiming it wasn't possible.

Apple are basically saying that they're going to do their best in terms of security measures to thwart even state actors, which is only as much of a nation-state level thing as "military grade encryption" is a thing only applicable to militaries.

axolotlgod wrote:
Definitely very interesting. I know Google has their "Advanced Protection Program"[0] with a Titan security key which is similar. It is interesting considering that Google's protections target the user as the weak link, as your data lives on their hardware; while Apple is obviously targeting both the user and the hardware they have. I'm curious what security researchers will think of this, if it's more theater or if it is actually an innovative attempt at giving advanced privacy to people who need it. Despite their past stumbles (e.g., CSAM), it seems like Apple is genuinely in the privacy fight, even if it is just for their bottom line.

[0]: https://landing.google.com/advancedprotection/faq/

alwillis wrote:
"About Apple threat notifications and protecting against state-sponsored attacks": https://support.apple.com/en-us/HT212960

LegitShady wrote:
Counterpoint - the EU has been passing laws that force Apple to be more fair in their markets, and this "we're protecting you from bad guys" stuff is Apple trying to figure out deniable methods to protest or sue against the EU passing laws to restrict Apple's ability to lock other developers out.

Throw together a basic set of options that should have been available long ago, now Apple is protecting you, don't strip Apple of the ability to protect you, etc.
kmeisthax wrote:
There's a bit of a journey from "protecting you against government hackers and spooks" to full-on sovereign states; and there's a _lot_ of things that a country's government funds that Apple couldn't even begin to take on[0]. Physical security and military operations are a hell of a different field from that of locking down computers.

Furthermore this _isn't_ the first of its kind; Google has been alerting high-risk Gmail users about state-sponsored hacking for about a decade now. Microsoft probably does something similar. Apple is comparatively late to the party on this. On the offensive side you have the zero-day vendors that broker exploits between hackers and the government.

A better explanation is that Apple isn't supplanting the US government. It's supplanting Halliburton. As more and more people and things go online, hacking and doxxing them is becoming more militarily valuable than just arresting someone or firing a missile. After all, physical attacks risk counterattacks and escalation, but Internet attacks are relatively cheap, not really treated as an attack by many sovereign states, and, most importantly, difficult to attribute.

[0] Call me when Apple black-bags Louis Rossman for illegally repairing MacBooks, or threatens literal nuclear war - like, with uranium bombs and radioactive fallout - on the EU for breaking the App Store business model.

FredPret wrote:
Apple doesn't have to literally have an army and a bureaucracy to rival a government. They just need enough flex. And they do!

alwillis wrote:
_Furthermore this isn't the first of its kind; Google has been alerting high-risk Gmail users about state-sponsored hacking for about a decade now. Microsoft probably does something similar._

It's great that Google alerted Gmail users, but then what?

"We believe you may be a target of a state-sponsored attacker; have a nice day."

Beyond just telling you, Apple is providing some tools to do something about it.

joshuamorton wrote:
Google advanced protection mode has been available for a while.

The threat models are different because the companies provide different services (spear phishing defenses from the web services company, hardware defences from the hardware provider), but still.

closewith wrote:
I'm not a big supporter of Google in general, but they don't just notify you. They offer to enrol you in their Advanced Protection Program: https://support.google.com/a/answer/9378686?hl=en

lwswl wrote:
I've always thought that the companies coded the "zero day exploits" in, and then sold them for profit.

PeterisP wrote:
It doesn't make sense from a numbers perspective, there's simply not that much potential for profit there. In general, the sale price of a zero-day or ten in some popular product is tiny compared to, for example, the marketing budget of that product.

That money is significant from the perspective of a particular employee (i.e. if they personally would get the money) or for a specialized consulting company, but it's a drop in the ocean for the large companies actually making the products. So we should expect some backdoors intentionally placed by rogue employees (either for financial motivation or at the behest of some government) but not knowingly placed by the organizations - unless in cooperation with their host government, not for financial reasons.

[deleted]

ivraatiems wrote:
I'm not saying it never happens, and I don't want to assume anything about your background, but I think most people who work in software would agree there's no need. Plenty of problems get in on their own.

skrtskrt wrote:
yep, if that were your goal it would be way more cost effective to get a zero day from just not trying that hard with security practices. Not having any security knowledge on the team. Not patching/upgrading dependencies with security bugs.

ivraatiems wrote:
And then you have plausible deniability! I think we're hitting on a new business model here...

dylan604 wrote:
RSA weaker key set to default perhaps?

wyuenho wrote:
A nation state has more than one way of extracting information from enemies of said state. There's the civilized way we now call hacking, and then there's the traditional way, which may or may not involve technology.

labrador wrote:
Apple is following the lead of Microsoft in this regard. Microsoft has been acting as an international cyber defense agency for a few years. On the effectiveness of Ukraine's cyber defense: "Microsoft in particular has been hard at work" 21:45

Assessing Russia's War in Ukraine

https://youtu.be/CzbsPOaCrLw?t=1305

marcodiego wrote:
Since the software is still proprietary, considering these statements as guarantees is just an exercise of faith.

atmosx wrote:
Nothing new. When states requested access to covid DB Apple and Google refused access based on what happened in the Netherlands in WW2.

I must say that on one hand it's anti-democratic, on the other hand western democracies have a rather poor track record on safeguarding this kind of info.

legalcorrection wrote:
I think you're letting the reality distortion field get to your head. They're creating a safe mode for iPhones because a lot of features are complex/intricate enough that they are perennial sources of vulnerabilities (and/or UX flaws that lead users to make unsafe decisions).

That is, they're turning features off for security. Something every IT department has been doing for decades. Windows supports this. Mac OS supports this. In fact, iOS was kind of notable in being so unconfigurable. The settings available in their MDM implementation were pitiful and didn't let admins disable many of these features.

cma wrote:
> It's the first such flag-raise I've seen.

After the Snowden leaks that showed even in-country citizen-to-citizen communication was being scooped up by the NSA without a warrant through fiber taps (if I remember that right) when Google replicated the data to out-of-country data centers, Google announced encryption of those links:

Google encrypts data amid backlash against NSA spying

https://www.washingtonpost.com/business/technology/google-en...

modeless wrote:
> It's the first such flag-raise I've seen

You haven't been paying attention. Many tech companies have been protecting accounts from state attackers for many years, and explicitly calling out state sponsored attacks. Google introduced state-sponsored attack warnings in 2012 [1] and the Advanced Protection program explicitly protects from state sponsored attacks [2].

[1] https://security.googleblog.com/2012/06/security-warnings-fo...

[2] https://blog.google/threat-analysis-group/protecting-users-g...

newaccount2021 wrote:

starwind wrote:
> Apple are saying "we will protect you from state actors", which is a role usually performed by states

Not to sound flippant, but defense attorneys do this, too. I don't think it's as big a zeitgeist as you think

KennyBlanken wrote:
Apparently that protection does not include protection from the US government.

iMessage offers excellent privacy of message content, but no 'pen register' protection.

Phone device security is very strong, but it's made largely moot if you turn on iCloud backups (which is the default behavior if you provide an Apple ID. I'm not sure there's even a way to stop the initial backup from happening?)

Apple reportedly doesn't offer e2ee on iCloud, or even encrypted device backups, out of compromise with the federal government...specifically the FBI, CIA, and NSA.

Why might people care about this? Criminalizing abortion and miscarriages...and what looks like at the very least a re-recognizing, and possibly criminalization, of LGBTQ relationships.

eastbound wrote:
True, Apple could stop nagging about backing up into iCloud.

Apple should offer other sorts of backups, and offline iCloud systems.

threeseed wrote:
They do offer other sorts of backups.

You can backup to a Mac or PC. And it's offline and encrypted.

kube-system wrote:
When Apple says "state actor threats" they're not talking about future-state theoretical breaches of domestic privacy by your own government. Apple is always going to follow the law. They're talking about the types of situations where data from people's phones is used to commit international criminal activity, espionage, assassinations, etc.

mnd999 wrote:
Do you also believe the earth is flat?

unethical_ban wrote:
No, they aren't, any more than an OS claiming "military grade encrypted boot drive" means they have a military.

the_gipsy wrote:
It's marketing and you ate the hook, line, and sinker.

Swizec wrote:
> Apple is saying "we operate at the same level as nation states; we are a nation-state level entity operating in the "digital world"

Apple's _profits_ are bigger than my country's (Slovenia) whole GDP. You bet your butt they're a state level actor in the digital world. They have more resources than many countries.

If Apple was a country, their $365bn in revenue would make them the 43rd richest country in the world right after Hong Kong.

https://en.wikipedia.org/wiki/List_of_countries_by_GDP_(nomi...

nradov wrote:
This also points out how the increasing costs of technology and economies of scale mean that small countries like Slovenia are no longer viable on their own. The only way they will be able to survive the next few decades and avoid turning into failed states is to surrender most of their sovereignty to larger regional alliances.
amelius wrote:
And if you computed the per-capita GDP?

Swizec wrote:
Hard to compute because contractors don't count towards Apple's official headcount. Comes out to $2.5mil/employee using Wikipedia numbers.

GDP per capita for Slovenia is $25,179 in comparison. 100x less.

For Hong Kong, which makes a bit more GDP than Apple does revenue, the per capita number is $46,323. 50x less than Apple.

whateveracct wrote:
Also silly to compare because a proper nation-state does more than develop products and services for profit. Social contract and all that.

Swizec wrote:
My understanding is that the "social contract" inside many of these large companies is quite cushy. Especially in the USA where being employed comes with services traditionally provided by the state like health care, child care, free or subsidized food, retirement benefits, etc.

whateveracct wrote:
It's not especially comparable to what an actual government has to deal with though. It's superficially similar I guess.

moogly wrote:
> It's the first such flag-raise I've seen

Zuckerberg, 5 years ago: https://www.youtube.com/watch?v=mFPAe8Tc2NE

foobiekr wrote:
Perhaps "first credible" is the correct description.

moogly wrote:
I'm not so sure about that; I'm not that impressed by that list of features.

lolbutwutf wrote:
Apple blocking a few features means it's now operating as a nation state.

Tell me it's a Hacker News comment without telling me it's a Hacker News comment.

whatgoodisaroad wrote:
At the same time, if that state actor happens to be China, Apple will just give the government access to your iCloud data. Not all state actors are equally within Apple's striking range.

KerrAvon wrote:
What makes you think so?
kop316 wrote:
https://support.apple.com/en-us/HT208351

shard wrote:
"Apple is moving some of the personal data of Chinese customers to a data center in Guiyang that is owned and operated by the Chinese government. State employees physically manage the facility and servers and have direct access to the data stored there; Apple has already abandoned encryption in China due to state limitations that render it ineffective."

https://www.cpomagazine.com/data-privacy/icloud-data-turned-...

KennyBlanken wrote:
Apple has abandoned encryption for everyone in iCloud. You cannot encrypt anything except a limited subset of your device's data (Apple Health data, mostly.)

kmeisthax wrote:
In Apple's defense E2E encryption also makes it a lot easier to get locked out of your photos and device backups.

IMHO it should still be an option but only as part of Lockdown Mode, with the explicit caveat that turning it on risks losing data.

holmesworcester wrote:
That may be true, but Reuters reported that Apple had a plan for it (which means they felt it was workable) and dropped it due to pressure from FBI/DOJ.

https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...

Also, there are many users who would benefit from e2ee iCloud backups who are _not_ targets of NSO Group-type attacks, so I don't think it makes sense to make it only available in "Lockdown Mode".

mercutio2 wrote:
I was all prepared to answer this with "so Reuters reporting something makes it true?", only to discover that, in fact, Reuters reported no such thing.

Reuters makes two claims:

1) The FBI talked to Apple (duh)

2) An unannounced plan to implement fully E2EE backups was no longer discussed with the FBI at their next meeting

Both of those things might be true! Reuters isn't known for just making stuff like this up, like, say Bloomberg, but the article specifically says:

"When Apple spoke privately to the FBI about its work on phone security the following year, the end-to-end encryption plan had been dropped, according to the six sources. Reuters could not determine why exactly Apple dropped the plan."

So we've got an unannounced product, which the FBI didn't like, which Apple stopped talking to the FBI about (according to some leakers at the FBI).

This does not add up to "Apple dropped plans due to pressure from [the] FBI/DOJ". It adds up to "secretive company discusses plans with secretive agency, and some stuff about that conversation leaked".

stjohnswarts wrote:
I would suggest that if you're doing anything illegal in the country you're staying in, turn off iCloud sync at the least, and the best policy is don't use an iPhone but use an Android with an open source operating system like GrapheneOS.

matwood wrote:
> In Apple's defense E2E encryption also makes it a lot easier to get locked out of your photos and device backups.

This is likely the real reason E2E hasn't been done yet. I would wager Apple deals with orders of magnitude more people who are locked out of their phones than the number impacted by the lack of E2E backups. Trusted recovery contact added in the last iOS version is a step in a direction of providing some way to implement E2E, and still give people a way to recover.

germandiago wrote:
I really dislike that there is so much social control :( In theory it is to protect you. In practice it can be and is misused in so many ways that it should not even be allowed without a judge's authorization.

nradov wrote:
You're kind of missing the point. The Chinese government has unlimited social control. Even if there was some sort of written law in China requiring judicial oversight, that wouldn't limit social control because the judiciary is just a rubber stamp.

atlasunshrugged wrote:
Because they are complying with Chinese laws regarding data localization in the country and have been known to work with China (recently the YMTC chip deal, previously in a major unreported deal that was unearthed a little while ago) in order to get market access.

https://www.reuters.com/article/us-china-apple-icloud-insigh...

https://www.forbes.com/sites/roslynlayton/2022/06/08/silicon...

https://www.theinformation.com/articles/facing-hostile-chine...

GeekyBear wrote:
How is this different than Microsoft Azure?

Microsoft handed over control of Azure in China to a Chinese company years ago.

Matl wrote:
It is worth mentioning that things like National Security Letters exist in the US. It is also the US who made Apple back off of encrypting iCloud backups E2E.

I wish we were more willing to cite our own government(s) as the bad actors here, rather than pretending that we have to reach for China/Russia/North Korea to find the kind of behavior Apple is attempting to protect its users against here.

closewith wrote:
Not to mention the CLOUD (Clarifying Lawful Overseas Use of Data) Act, which was enacted following a case in 2014 where Microsoft refused to hand over emails stored in the EU (an Irish data centre, in that case) on foot of a domestic US warrant.

The CLOUD Act expressly brings data stored by US-based companies anywhere in the world under the purview of US warrants and subpoenas.

https://en.wikipedia.org/wiki/CLOUD_Act

gzer0 wrote:
How well does this play out with things like GDPR? I can only find one sentence about it but this seems like a direct conflict.

Who wins? The USA, the EU, no one, everyone?
t0mas88 wrote:
It's not entirely clear yet who wins, but the current issues with Google Analytics in the EU seem to be partially related. Some countries have come to the conclusion that GA can't be legal if Google US has access to the data.

xet7 wrote:
USA cloud services are not GDPR compliant:

https://nextcloud.com/blog/the-new-transatlantic-data-privac...

closewith wrote:
It's part of the reason that Privacy Shield collapsed and why the US isn't considered to offer adequate protection to EU residents. It's currently being both litigated (as more and more EU country data protection agencies make individual rulings that specific instances of transfers of personal data to US companies are unlawful) and the subject of intense political negotiation between the EU and US.

Most companies affected are currently awaiting the results of these processes, because following the current precedent to its logical conclusion, it appears unlawful to transfer any personal data of an EU resident to a US-based company (even if that data remains physically in the EU or another adequate country). That would obviously have catastrophic consequences for the current status quo, so it's hard to believe that a compromise won't be found to avoid it.

However, it's also hard to see a compromise unless the United States exempts EU data subjects from the CLOUD Act, which seems unlikely. Hard to know where it'll go.

legalcorrection wrote:
This has always been the law. Common law courts have been issuing court orders that require you to take actions in foreign countries, even in violation of foreign law, for as long as it's been a legal question. The CLOUD Act actually introduced some additional safeguards and allows judges to consider the seriousness of the foreign law violation with the importance of the court getting access to the foreign-stored data.

You unfortunately need something like this because otherwise people will just hide documents, money, stolen property, etc. in foreign countries out of reach of US courts, even if they are US persons and corporations.

kube-system wrote:
Yes, this is Apple protecting you against _extralegal_ state actor threats. There's not really much Apple can do to protect you against the laws of your own country.

jonny_eh wrote:
> Apple will just give the government access to your iCloud data

"You" only means you if you're a Chinese citizen.

savoytruffle wrote:
resident

acomar wrote:
and if the state actor happens to be the US? which of these tech companies do you expect to look after you then?

milesskorpen wrote:
If you opt-in to iCloud, you're opting in to a lot of state-level security risk in any country (and this is true of any commercial cloud).

Maxburn wrote:
We have seen reports that Apple can remotely enable iCloud backups and then trigger a backup.

Nextgrid wrote:
Do you have more info about this?

nojito wrote:
Source? iCloud backups can only be triggered via your passcode which is secured against the secure enclave.

threeseed wrote:
This doesn't sound plausible in the slightest.

The only persistent connection Apple has that I can think of to implement such a concept is for push notifications. Which would be a massive security hole if a HTTP response to that daemon was capable of bypassing the lock screen, secure enclave etc.

And the logical question is if they had such a system why would they bother triggering an iCloud Backup when they could ask the device to specifically hand over certain information e.g. Messages. Which at least could be done quietly over Cellular.

KennyBlanken wrote:
Nothing stops Apple from offering e2ee backups, and in fact they do this for certain data backed up to iCloud (health data for example.)

But your iMessage data...well there, your ass is hanging out in the breeze. In fact, I'm not sure it's possible to log into an iPhone with your Apple ID and not have an iCloud backup immediately fire off, which means your private encryption keys hit iCloud and stay there until it is purged according to their data retention policies. And we have no idea what those policies actually are; those keys may end up stored forever.

GeekyBear wrote:
> Nothing stops Apple from offering e2ee backups

The US Government pressured them to drop a plan for fully encrypted cloud backups.

> Apple dropped plan for encrypting backups after the FBI complained

https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...

If you want a fully encrypted backup of your device, you have to make it to your local Mac or Windows computer.

astrange wrote:
> Nothing stops Apple from offering e2ee backups, and in fact they do this for certain data backed up to iCloud (health data for example.)

Almost all users can't handle this; to support people, you need to be able to recover their account when they've lost every single password and proof of identity they possibly can. It's not a backup if you can't restore it.

mehrdada wrote:
> In fact, I'm not sure it's possible to log into an iPhone with your Apple ID and not have an iCloud backup immediately fire off

You are correct there's a bit of dark pattern going on here, but it is possible (to the extent the code does what it says of course). To be extra sure I have a custom lockdown MDM profile to disallow iCloud backups, as well as a number of other nefarious things like analytics, and whenever I get a new device, I first DFU restore it to the latest iOS image to ensure software (post bootrom) isn't tampered with, then activate and install the MDM profile via a Mac and only then I interact with the device and go through setup.
| thewebcount wrote: | > I'm not sure it's possible to log into an iPhone with | your Apple ID and not have an iCloud backup immediately | fire off | | Yes, it absolutely is possible. I have never turned on | iCloud backup so I have no cloud backups of any of my | phones or other devices. | ivraatiems wrote: | I mean, since your phone was made there by a Chinese company, | what's to stop the government from just forcing a backdoor in | at the factory? | time_to_smile wrote: | I don't know if you've been paying attention to Apple's | strategy over the last year, but it's basically been "granting | user privacy also happens to grant us an advertising/data | monopoly" | | I don't think the aim here is to block at state actors but to | basically continue to close all security holes that can be | exploited by any other company and continually proving to users | that Apple cares about privacy. | | The thing is I really like Apple even more now since they have | realized that my privacy interests can be tightly aligned with | their own economic interests. I never trust companies to be | good or look out for my interest even when I pay them to, but | when my privacy ultimately means they gain a very strong | competitive edge then I'm much more trusting. | | Apple has realized they can become to privacy what Google has | been to ubiquitous search, and doing so can reap even larger | and more secure rewards. | | They started with a walled garden and are now extending it to a | fortress surrounding the garden. | happyopossum wrote: | > advertising/data monopoly | | Not to be glib, but 'citation please?' | | Other than running ads _inside the App Store_, do you have | any knowledge or evidence of Apple collecting personal | information for advertising or any other use? | germandiago wrote: | This is good news IMHO because it encourages companies to | compete for the best offer in that space as they go. | | In some way it reminds me (with all the differences!) 
of how | things like cryptocurrencies could remove the state from a | monopoly. | | Good news for me this announcement! | spamfilter247 wrote: | Microsoft has a "Democracy Forward" team (previously called | "Defending Democracy") that aims to protect government | officials and systems from adversarial state actors. It's been | ongoing for a few years now. | | https://www.microsoft.com/en-us/corporate-responsibility/dem... | Nuzzerino wrote: | > Apple is saying "we operate at the same level as nation | states; we are a nation-state level entity operating in the | "digital world": It's a flag-raise | | Maybe. But these security "features" feel like things that | should have been there from the beginning. Windows 11 has | already had a much wider and deeper array of security options. | Sure, it's not mobile, but many of those security options would | be unlikely to be needed against unsophisticated attacks. | | Flag-raise or marketing gimmick? You be the judge I guess. | stefan_ wrote: | I think you need to put away the pipe, this is Apple saying "we | can't make JIT work safely so here's an option to turn it off". | threeseed wrote: | > Apple saying "we can't make JIT work safely so here's an | option to turn it off" | | To be fair, has anyone made it work safely? | alwillis wrote: | This is more like "there are always going to be zero-day | exploits out there and until we can fix them, this is the | next best thing." | ziddoap wrote: | > _Apple is saying "we operate at the same level as nation | states; we are a nation-state level entity operating in the | "digital world"_ | | Making mountains out of molehills. | | I'm pretty sure they are saying that they will "offer | specialized additional protection to users who may be at risk | of highly targeted cyberattacks from private companies | developing state-sponsored mercenary spyware". 
| | There is a looooong list of things which nation states can do | which Apple cannot, some examples of that are in other comments | in this thread. | | > _but this is the first public announcement, and tool, from a | corporation with more spare, unrestricted capital than many | countries._ | | Google & Microsoft have both had fairly long-standing tools and | procedures (which were publicly announced) to both alert users | and aid users against nation state attacks. | sodality2 wrote: | Google's Advanced Protection program is the same: | https://landing.google.com/advancedprotection/ | alwillis wrote: | Apple also started alerting people being targeted by state | actors last year [1]. | | [1]: "About Apple threat notifications and protecting against | state-sponsored attacks" https://support.apple.com/en- | us/HT212960 | lizardactivist wrote: | It's good I guess, but I will not convince myself that a button | saying "Lockdown mode" will casually side-step the entire legal | and surveillance machinery built up in the U.S. | toomim wrote: | > Messages: ... Some features, like link previews, are disabled. | | I've been wanting to disable link previews for YEARS!! Not for | security, but to keep those corporate advertisements (aka | previews) out of the conversations I have with my friends and | family. | | It feels super disingenuous when I type out an articulate, | heartfelt, personal message to my loved one, character by | character, anticipate their reaction reading it, and then hit | send -- only to find the URLs expanded 400 pixels into corporate | advertisements designed by the bonehead SEO jerks who care about | clickbaiting over content. | donkarma wrote: | could always just not use a smart phone | concinds wrote: | Could a security expert enlighten me: is Windows more secure | today than macOS, if we purely take OS-level and hardware-level | security measures and ignore subjective factors? (like | marketshare, attractiveness of targets, etc.) 
| | Windows has all sorts of buzzwordy-sounding security features: | Microsoft Defender Application Guard (Hyper-V for untrusted | websites & Office files), kernel virtualization-based security | (VBS), Code Integrity Guard, Arbitrary Code Guard, Control Flow | Guard, and Hardware-enforced Stack Protection. | | It's extremely hard to compare the two on a deep technical level | (beyond "modern OSes are safe, install updates, you'll be fine") | without having deep security experience. Any professional | insights? | [deleted] | throw20220706 wrote: | Reminds me of a classic https://xkcd.com/538/. | | For the vast majority of users the most realistic threat is | simply being ordered to unlock their phone under the threat of | force (from a criminal, a cop, a CBP agent, etc). This is way, | way more likely than being attacked through an unknown JIT | compiler vulnerability. | | What would be _really_ helpful is Apple implementing a way to | have multiple iPhone profiles with plausible deniability (a la | VeraCrypt) or some sort of compartmentalization (a la 1Password | travel mode). | | Of course that would mean people can start sharing their phones | instead of buying one per person from Apple, so I'm not holding | my breath. | rootsudo wrote: | That's the thing, if you think your device is compromised, don't | use it. This is dangerous as it's a bandage and most likely | allows surveillance that's "pre-approved" or is carrier based, | probably even baseband modem based. | pluc wrote: | Apple's been making it real difficult to pick Android lately. | Only thing Android still has going for it is the ability to flash | custom ROMs, e.g. CalyxOS or Graphene. | lern_too_spel wrote: | Better security, more features, more privacy, and more user | control in general are significant reasons to choose Android. 
| pluc wrote: | Compare the actions of Google versus the actions of Apple and | it's real difficult to think Google has your privacy in mind | lern_too_spel wrote: | Compare the actual features of Android vs. the actual | features (instead of the marketing) of iOS, and it's clear | that Apple doesn't care about user privacy. With Android, | you get to choose which if any Google services to use. On | iOS, you can't run any apps without telling Apple which | ones, you can't get your location without also sending your | location to Apple, and you can't practically run your own | apps without fully deanonymizing yourself with banking | details. | viktorcode wrote: | Android has a wide plethora of devices, Apple can't make | hardware catering to everyone's needs. | pluc wrote: | That is not an Android advantage. Tightly controlled hardware | makes it so much easier to control software. You ever built | an app for Android? It sucks | ysleepy wrote: | On Android I can use a firewall to block network access per | app. On iOS that is not possible. | | My password manager app might be bought out and exfiltrate all | my credentials, or any of the linked libraries it uses. | idle_zealot wrote: | > My password manager app might be bought out and exfiltrate | all my credentials | | This is less likely if you use Apple Keychain for your | passwords. _lock-in intensifies_ | sneak wrote: | Apple Keychain requires iCloud. Most of iCloud is not end | to end encrypted. | oblio wrote: | Maybe they changed this lately, but can you copy files through | USB to an iPhone? | lordofgibbons wrote: | I explored installing a custom ROM on my android phone, but | ended up questioning the utility of them. There appears to be | many banking apps, random apps (McDonalds??) and others that | will not work if the device is running a custom ROM. | | That makes my phone useless to me. 
| | Our only hope is a proper Linux phone with an Android emulation | layer | SirYandi wrote: | You can get around that by spoofing SafetyNet stuff using | Magisk. But yeah, it is a few more hoops to jump through and | you need to be rooted which is itself not great for security. | yrgulation wrote: | What if there is a little device that acts like network firewall | and router appliances but somehow the phone proxies all | connectivity via it. Something to carry around that shows ingress | and egress connections, calls and anything in between. You can | either set an allowed or blocked list; it detects cell connection | MITM attacks and spikes in traffic (to detect leaks). Mobile | phones are like desktop computers and will always have security | issues. It only makes sense to firewall them. | bistable wrote: | Why not on the same device? Have a separate small simple SoC | completely segregated from everything else, except shared | battery, with 2 NICs and a physical switch to swap between | using the firewall interface and the regular phone. Although | this may make more sense for a regular computer plus router, | with a cell phone there's multiple radios, not just a single | simple IP connection... | yrgulation wrote: | Issue is that we would have to get device makers to buy into | it, and also trust them that they show us everything. Also we | wouldn't be able to retrofit existing devices. Most people | don't like tinkering with things. A universal device small | enough to fit in your pocket, with a nice little display or a | usb connector to download data to a laptop and configure | rules, is more desirable imo. | jiveturkey wrote: | Like your own personal stingray | yrgulation wrote: | Had to look it up. I guess the question is how to make sure | it can't be abused by capturing data from random nearby | phones. In that case we'd end up worse off. | Nextgrid wrote: | TLS and certificate pinning makes this a problem. 
Technically | certificates don't have to be pinned, but if they weren't then | people would use this to defeat "growth & engagement" and block | analytics, ads, etc (or worse, reverse-engineer the API to make | a third-party client) and we obviously can't have that. | [deleted] | Veserv wrote: | I do not know why anybody would believe any claim by Apple with | respect to security without overwhelming empirical evidence | supporting their claims. The default assumption in commercial | software security, supported by literal decades of abject failure | by every player, is that commercial software security is | atrocious. To claim anything more than trivial security is an | extraordinary claim and thus demands extraordinary evidence | before being accepted. | | Apple has demonstrated no such evidence. In fact, the opposite is | the case. Despite decades of assurances that their systems | provide meaningful security, every single year we see their | security torn apart by individuals and small teams with budgets | that do not even constitute rounding errors to a Fortune 500 | company. There is exactly no reason to believe they have | meaningfully superior technical expertise with respect to | security relative to the default standard of the industry. | | However, this should be no surprise to anyone as the security | certifications that Apple advertises for iOS [1][2] are only | "applicable where some confidence in correct operation is | required, but the threats to security are not viewed as serious." | [3][4]. I mean, look at [4], the process used to certify their | security is that their evaluators typed search terms into the | internet and verified that every vulnerability that turned up was | patched, _that's it_. There is no requirement to even do an | independent analysis that it protects against attackers with a | _basic_ attack potential, that is done at the next higher level | of security that they could have chosen to certify against, but | did not. 
| | To be fair, Apple has historically demonstrated the ability to | certify against AVA_VAN.3 which demonstrates resistance to | attackers with an _enhanced-basic_ attack potential, but they have | failed every time they have ever attempted to certify against | AVA_VAN.4 which demonstrates resistance to attackers with a | _moderate_ attack potential. It should be no wonder that they can | not protect against _moderate_ attack potential threats such as | individuals or small teams, let alone _high_ attack potential | threats such as large organized crime and nations. | | If Apple wants their security claims to be taken seriously, they | should start by demonstrating their ability to protect against | _moderate_ attack potential threats via the internationally | recognized security certification process they already use and | advertise. Until then, the only thing we should trust is what | they certify they can do (protect against script kiddies), not | what they have failed to ever achieve in an auditable manner | (protect against moderately skilled attackers). | | [1] https://support.apple.com/guide/sccc/security- | certifications... | | [2] https://www.niap-ccevs.org/Product/Compliant.cfm?PID=11146 | | [3] https://www.niap- | ccevs.org/MMO/Product/st_vid11146-aar.pdf#p... | | [4] | https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3... | walrus01 wrote: | Putting rich media like images, GIFs, video etc embedded inline | in chat applications presents a huge attack surface. | | I'm even suspicious that Signal does it. | | If you really want to design a secure messaging system it needs | to handle text ONLY. | notriddle wrote: | Text rendering is more complex than decoding a PNG. | lwswl wrote: | Honestly, this is bad news, because it means Apple is no longer | capable of offering both security and all features, but now needs | to split them into groups, presumably because they need to keep up | with (the clearly less secure) Android... 
| lekevicius wrote: | I see this as securing against "unknown unknowns". No software | can ever be "100% bug free". If you can identify areas that are | more likely to contain yet-undiscovered vulnerabilities and | turn them off in advance, the device becomes more secure. | olliej wrote: | No, this is a completely reasonable response. | | Security by reducing attack surface is a standard, and sensible | response. | | What you are asking for is that Apple (or any company) be able | to produce absolutely 100% bug free code, no matter the | complexity or requirements. This feature is an acknowledgement | that what you're asking for is an unreasonable demand for any | company. | | So Apple has looked at the attack surface present by default, | and then provided an option that trades off removing | presumably low-use features in exchange for removing large | attack surface. That is a trade off: for example any modern | phone would be vastly more secure if all it could do is make | phone calls, and everything - the browser, apps, etc - were | disabled. But that end of the spectrum results in an | impractically restricted device, in reality there's a middle | ground, but for high profile targets the trade off is closer to | "just a phone" than it is for normal users. | | An example is the RW^X region required to support JITting JS - | the OS simply supporting such a memory region at all was a huge | addition of attack surface to the platform - prior to that | every single executable page was protected by code signing, | afterwards there was a region that by definition the OS could | not verify, and it has been used by every attack since then. | But disabling that simply disables the JIT, the JS interpreter | runs, so the impact is only that some web content runs slower, | but the functionality itself is still there. 
| | Similar for messages: receiving JPEGs is super common, | receiving OpenEXR or whatever probably isn't, so removing | everything other than JPEG by default again removes attack | surface without realistically impacting the usability of | messages. | npteljes wrote: | Security and convenience _can_ coexist, but you can't | transition into a more secure world without breaking | convenient, insecure stuff that already exists and users expect | it to just work. Later they can ramp this up. | capableweb wrote: | Security has never been a "Secure or not" proposition, it's | always a balance between convenience and safety against | threats, threats that change depending on who you are, and who | is targeting you. | | Some features are (understandably) almost impossible to make | very safe. Take PDF viewing for example, the entire thing is so | huge, that there are bound to be holes in any implementation, just | like what the NSO proved some time ago with the iMessage | exploit. | | I take this effort as something similar to the "Hardened Linux" | effort. Just that it exists doesn't mean that Linux is | "unsecure", it just means that if you really need to, there are | more steps you can take to make it even more secure. Just like | what Apple is doing here. | vorpalhex wrote: | If I could upvote you twice, I would. | | Security is _always_ a tradeoff and there is no single | answer. A feature for one person is another person's hell. | | An acquaintance just lost all their data because they had | enabled "format on too many missed passcodes" and their kid | was playing with their phone.. caused quite a few tears. On | the other hand, that feature is invaluable to international | travelers. | lekevicius wrote: | What a strange implementation of "format on too many missed | passcodes". Apple (on iOS and watchOS) implements this, but | after some amount of failures, the phone gets into | progressively longer lockdowns. 
So maybe after 3 failed | attempts you have to wait 2 minutes, after 4th 5 minutes, | and before the final (formatting) attempt you have to wait | something like 12 hours. This prevents "kid playing with | the phone" problem. | alwillis wrote: | _Honestly, this is bad news, because it means Apple is no | longer capable of offering both security and all features..._ | | Absolutely not true. | | There's a difference between being secure and having all of the | features and being secure against a state-level attacker. The | vast majority of users are quite secure while enjoying all of | the features of their iPhones. | | For those who are being targeted, potentially in a life or | death situation, being able to send attachments in iMessage is | trivial by comparison. Only a tiny percentage of iPhone users | should ever have to enable this; it won't impact the user | experience of over 95% of iPhone users _at all_. | WmyEE0UsWAwC2i wrote: | But should Apple be liable when they, or any other organization | making such claims, inevitably fail to protect their users? | | I think they should. | KerrAvon wrote: | How do you propose to do that without disincentivizing the | addition of such features? Even NASA has software failures. | verdagon wrote: | Very cool! I wonder if this, combined with some sandboxing for | apps' unsafe code, could make a more secure OS than any previous | mainstream ones. | jasonhansel wrote: | Downside: if attackers can tell that you've enabled Lockdown | Mode, then they know that you're likely a high-value target. | [deleted] ___________________________________________________________________ (page generated 2022-07-06 23:00 UTC)
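The progressive lockout discussed in the vorpalhex / lekevicius exchange above (escalating delays between failed passcode attempts, with erasure only after the last allowed attempt) as an added Python illustration; this is not Apple's implementation, and the delay schedule and attempt limit are assumed values, not iOS's.

```python
"""Passcode gate with progressive lockout before erase. Added example with an
assumed schedule; iOS's real delays and limits are not reproduced here."""
import hmac
import time

# Assumed schedule: consecutive failures -> seconds to wait before the next
# attempt is accepted. Attempts 1-3 are immediate; the limit and the delays
# are illustrative, not Apple's.
DEFAULT_SCHEDULE = {4: 60, 5: 300, 6: 900, 7: 3600, 8: 3600, 9: 43200}
WIPE_AFTER = 10   # assumed: the 10th consecutive failure erases the device


class PasscodeGate:
    def __init__(self, passcode, schedule=DEFAULT_SCHEDULE, clock=time.monotonic):
        self._passcode = passcode.encode()
        self._schedule = schedule
        self._clock = clock            # injectable so simulations need no sleep
        self.failures = 0
        self.locked_until = 0.0
        self.wiped = False

    def seconds_remaining(self):
        return max(0.0, self.locked_until - self._clock())

    def attempt(self, guess):
        """Return 'ok', 'wrong', 'locked' or 'wiped'. Attempts made while
        locked are rejected without being counted, which is what keeps a
        child mashing the keypad from reaching the erase threshold."""
        if self.wiped:
            return "wiped"
        if self.seconds_remaining() > 0:
            return "locked"
        if hmac.compare_digest(guess.encode(), self._passcode):
            self.failures = 0          # success resets the counter
            return "ok"
        self.failures += 1
        if self.failures >= WIPE_AFTER:
            self.wiped = True          # erase; counter stays at the limit
            return "wiped"
        self.locked_until = self._clock() + self._schedule.get(self.failures, 0)
        return "wrong"


class FakeClock:
    """Constructed clock for simulation and tests."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_mashing(presses, seconds_between, schedule=DEFAULT_SCHEDULE):
    """Model a child entering `presses` wrong codes `seconds_between` apart.
    Returns (counted_failures, wiped)."""
    clock = FakeClock()
    gate = PasscodeGate("482913", schedule=schedule, clock=clock)   # constructed
    for _ in range(presses):
        gate.attempt("000000")
        clock.advance(seconds_between)
    return gate.failures, gate.wiped


if __name__ == "__main__":
    # 200 presses, 2 s apart: with the schedule only 6 count and nothing is
    # wiped; with no delays ("format on too many misses" alone) the 10th
    # press erases the device.
    print("progressive:", simulate_mashing(200, 2))
    print("no delays:  ", simulate_mashing(200, 2, schedule={}))
```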