[HN Gopher] Apple introduces end-to-end encryption for backups
___________________________________________________________________
Apple introduces end-to-end encryption for backups
Author : frizlab
Score : 742 points
Date : 2022-12-07 18:06 UTC (4 hours ago)
(HTM) web link (support.apple.com)
(TXT) w3m dump (support.apple.com)
| manchmalscott wrote:
| iMessage backup encryption is HUGE, this was the main asterisk in
| the "iMessage is totally end to end encrypted" messaging.
| ulimn wrote:
| But if the other person in the chat doesn't have this
| encryption, they will backup your messages unencrypted on their
| icloud, right?
| richard___ wrote:
| But Apple must be able to still access all your encrypted data
| using your stored icloud password somehow right? Otherwise how
| are they able to show all your files in a web browser, from an
| arbitrary computer, after you've logged in
| Operyl wrote:
| You'll lose access to that by default, with the ability to
| temporarily opt in according to what they've said.
| richard___ wrote:
| What does temporarily opt in mean? Like every time you want to
| use icloud on a browser, you use your devices to upload the
| key temporarily, then after you don't want to use icloud,
| apple deletes your key?
| jdiez17 wrote:
| > Every time a service key is uploaded, it is encrypted
| using an ephemeral key bound to the web session that the
| user authorized, and a notification is displayed on the
| user's device, showing the iCloud service whose data is
| temporarily being made available to Apple servers.
| Operyl wrote:
| Would appear so according to their news room post.
| judge2020 wrote:
| It hasn't been released yet, but I can see two scenarios -
|
| A. Apple could create a tunnel from your browser to your
| devices, they could have key exchange via the web after you
| scan a QR code shown on your web browser with your iPhone,
| with some sort of "verify these words are the same" scheme.
|
| B.
Apple does the typical OTP/2fa scheme where you enter a
| x-digit code from your device, and in doing so your Device
| furnishes a key to Apple to be temporarily used to access
| your files from the web.
|
| But in both of these scenarios, Apple compromising you via
| malicious javascript is ever-present, so you're right in
| that you'd be trusting Apple even more to not store your
| temporary key for too long or at the request of a NSL.
| jdiez17 wrote:
| To be honest, end to end encrypted cloud backups and the upcoming
| forced-by-EU opening of the platform to third party developers
| without going through the App Store are the two killer features I
| was hoping to see on iOS.
| Etheryte wrote:
| For everyone else who was hoping to enable E2EE for backups right
| away:
|
| > Advanced Data Protection for iCloud is available in the US
| today for members of the Apple Beta Software Program, and will be
| available to US users by the end of the year. The feature will
| start rolling out to the rest of the world in early 2023.
| fitblipper wrote:
| "Some metadata and usage information stored in iCloud remains
| under standard data protection, even when Advanced Data
| Protection is enabled. For example, dates and times when a file
| or object was modified are used to sort your information, and
| checksums of file and photo data are used to help Apple
| de-duplicate and optimize your iCloud and device storage..."
|
| Photo checksums can't be e2e encrypted huh? They reported today
| they abandoned their plans to do CSAM scanning on people's
| devices[1] and connecting the dots it seems like they won't need
| to since they can just do it in the cloud.
|
| [1] https://www.wired.com/story/apple-photo-scanning-csam-commun...
| reilly3000 wrote:
| I always thought that program was technically limited from the
| start. It seems like it would be very easy to rotate a small
| value of the file, even a single pixel, and return a different
| checksum.
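Added illustration, not part of the thread and not Apple's code: the difference between a raw-byte checksum used for de-duplication and a perceptual hash, the distinction this sub-thread turns on. The average hash below is a simple stand-in (Apple's NeuralHash is a different algorithm), and the image data, file names and function names are constructed for the example.

```python
import hashlib

SIZE = 32   # constructed test image is SIZE x SIZE, 8-bit grayscale
GRID = 8    # average hash uses a GRID x GRID grid, giving a 64-bit hash


def make_gradient(reverse=False):
    """Constructed sample image: horizontal gradient, as rows of pixel values."""
    row = [8 * (SIZE - 1 - x if reverse else x) for x in range(SIZE)]
    return [list(row) for _ in range(SIZE)]


def raw_bytes(img):
    """Serialise pixels row by row; stands in for the file's bytes."""
    return bytes(p for row in img for p in row)


def checksum(img):
    """Exact-match identifier: any changed byte gives an unrelated digest."""
    return hashlib.sha256(raw_bytes(img)).hexdigest()


def average_hash(img):
    """64-bit aHash: bit is 1 where a cell's mean brightness exceeds the image mean."""
    cell = SIZE // GRID
    total = sum(sum(row) for row in img)
    bits = 0
    for gy in range(GRID):
        for gx in range(GRID):
            cell_sum = sum(
                img[y][x]
                for y in range(gy * cell, (gy + 1) * cell)
                for x in range(gx * cell, (gx + 1) * cell)
            )
            # Integer comparison of cell mean vs. global mean (no float rounding).
            bit = cell_sum * SIZE * SIZE > total * cell * cell
            bits = (bits << 1) | int(bit)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


class DedupStore:
    """Content-addressed store keyed by the raw-byte checksum (hypothetical)."""

    def __init__(self):
        self.blobs = {}   # digest -> bytes
        self.names = {}   # file name -> digest

    def put(self, name, img):
        digest = checksum(img)
        self.blobs.setdefault(digest, raw_bytes(img))  # stored once per digest
        self.names[name] = digest
        return digest


def demo():
    original = make_gradient()
    edited = make_gradient()
    edited[0][0] += 1                      # one pixel, one brightness step
    different = make_gradient(reverse=True)

    store = DedupStore()
    store.put("IMG_0001.raw", original)
    store.put("copy of IMG_0001.raw", original)   # same bytes, new name
    store.put("IMG_0001 edited.raw", edited)      # near-identical picture

    h_orig = average_hash(original)
    return {
        "blobs_stored": len(store.blobs),
        "checksum_equal": checksum(original) == checksum(edited),
        "ahash_original": h_orig,
        "ahash_distance_edited": hamming(h_orig, average_hash(edited)),
        "ahash_distance_different": hamming(h_orig, average_hash(different)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The renamed copy de-duplicates to one blob while the edited image is stored separately; the perceptual hash treats the edited image as the same picture, which is the property that makes it a similarity match rather than an identity match.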
| vbezhenar wrote:
| https://en.wikipedia.org/wiki/Perceptual_hashing
| mikehearn wrote:
| The original implementation also involved sending a "safety
| voucher" with each photo uploaded to iCloud, which contained a
| thumbnail of the photo as well as some other metadata.
|
| The vouchers were encrypted, and could only be decrypted if
| there were, I believe, 30 independent matches against their
| CSAM hash table in the cloud. At that point the vouchers could
| be decrypted and reviewed by a human as a check against
| false-positives.
|
| It sounds like with a raw byte hash they might be able to match
| a photo against a list of CSAM hashes, but they wouldn't be
| able to do the human review of the photo's contents because of
| E2E.
| beeboop wrote:
| Someone mentioned here but I didn't confirm that Apple is
| stopping the CSAM scanning. It makes sense because there's
| nothing they could reasonably do even if they found matching
| hashes. It seems unlikely they'd report these findings to the
| police if there's no manual ability to review the contents
| first.
| noduerme wrote:
| I always thought the client-side hashing plan was something of
| a giveaway to authoritarian governments which would have
| demanded Apple check their own list of verboten files against
| what the users had uploaded to iCloud. E.g. tank man photos.
|
| So I read this as Apple quietly saying "we're not bending to
| China on privacy". Which is the first step toward probably
| being banned from providing Apple services in China.
| rekoil wrote:
| People sharing images that an authoritarian government
| considers banned might still be exposed by such a scheme,
| given they are likely to be exactly the same data.
There are,
| after all, no new photos of tank man being photographed, any
| that are shared would be identical to someone else's, unless
| every recipient opened them up and modified them, and even
| then I'm not sure that actually modifies the data if done on
| an iOS device, as modifications done to images can be undone
| suggesting to me they are only a layer on top of the
| unchanged image, which would still return the same hash.
|
| Unfortunately, I think the privacy problems surrounding
| iCloud Photos remain to an extent.
| Spivak wrote:
| "People rioted when we scanned for CSAM in a privacy-preserving
| manner but don't give a shit when we do the same thing when
| it's not privacy preserving so I guess just do that."
| brundolf wrote:
| I'm assuming these are normal checksums (bitwise hashes),
| whereas before they were doing a hand-wavy AI-based thing that
| they called "checksums" but weren't really. The latter captured
| rough visual qualities of the images in question, which is why
| it had a false-positives problem. A _real_ checksum shouldn't
| have that problem; in theory you'd only be able to detect an
| exact match of a file you already have and are looking for. So
| it is meaningfully different.
|
| Edit: confirmed that these are regular, real checksums
| https://support.apple.com/en-us/HT202303
|
| > The raw byte checksums of the file content and the file name
| judge2020 wrote:
| > The raw byte checksums of the file content and the file
| name
|
| I wonder if this is literal; otherwise they wouldn't achieve
| any de-dupe if you just rename the file.
| brundolf wrote:
| I assumed the two checksums are stored separately, though
| even if they aren't it would seem useful for eg.
syncing
| between devices ("does file X already exist so we don't
| need to download it?")
| laweijfmvo wrote:
| > For example, dates and times when a file or object was
| modified are used to sort your information
|
| Who are they sorting it for that this can't happen after
| decryption?
| twhb wrote:
| The abandoned plan was perceptual hashing, which should return
| the same hash for very similar photos, while the new one is a
| checksum, which should return the same hash only for identical
| photos. I don't think that invalidates the point, but it does
| seem relevant. It certainly makes it much less useful for CSAM
| scanning or enforcing local dictator whims, since it's now
| trivial to defeat if you actually try to.
| drbawb wrote:
| >The abandoned plan was perceptual hashing, which should
| return the same hash for very similar photos . . .
|
| Is there any proof they actually abandoned this? NeuralHash
| seems alive and well in iOS 16[1]. Supposedly the rest of the
| machinery around comparing these hashes to a blind database,
| encrypting those matches, and sending them to Apple et al. to
| be reviewed has all been axed. However that's not exactly
| trivial to verify since Photos is closed source.
|
| [1]: https://support.apple.com/guide/iphone/find-and-delete-dupli...
| Vt71fcAqt7 wrote:
| This all just seems like pandering while they continue to accept
| billions from Google in exchange for their user's privacy. If
| they really wanted to protect users' data that would be a simple
| starting point.
| jaywalk wrote:
| Safari has pretty good privacy protections, but you could also
| just... not use Google. I've never even had iOS reset my
| default search engine.
| Vt71fcAqt7 wrote:
| Does it protect you from Google's tracking? No. And it isn't
| about me, I don't have Apple or Safari. It's about the fact
| the privacy shouldn't be "opt in."
Claiming that safari has
| good privacy protections while it by default does the
| opposite because you can opt in to a less invasive version
| which many don't even know about is, in my opinion,
| disingenuous.
|
| If Apple would just go ahead and say "we've extracted tens of
| billions of dollars from you indirectly by letting google do
| the dirty work, but here's some encryption that doesn't make
| up for what we've done and continue doing" that would be more
| accurate.
| tsunamifury wrote:
| I'm sorry, but I don't believe the spirit of Apple's security
| story at all. They have demonstrated REPEATEDLY that they
| introduce new security services as a marketing story, which they
| immediately undermine at the drop of the hat with a request from
| the government.
|
| Apple literally sent iMessage conversations of US congresspeople
| (secure messaging being a key marketing point) directly to the
| Trump Administration with no argument.
|
| For comparison, Google won contesting this request and did not
| comply.
|
| Edit: I understand many here are huge fans of Apple or work for
| Apple, but please think hard about what Apple's actions say about
| their real intents.
| jackson1442 wrote:
| Do you have a source for the iMessage story? Surprised I
| haven't heard about it before.
| Erikun wrote:
| I would guess it's this story
| https://www.nytimes.com/2021/06/10/us/politics/justice-depar...
|
| But that doesn't match OP's description very well. It was a
| grand jury subpoena and only for metadata.
|
| "As the Justice Department investigated who was behind leaks
| of classified information early in the Trump administration,
| it took a highly unusual step: Prosecutors subpoenaed Apple
| for data from the accounts of at least two Democrats on the
| House Intelligence Committee, aides and family members. One
| was a minor."
|
| "Apple turned over only metadata and account information, not
| photos, emails or other content, according to the person
| familiar with the inquiry."
| tsunamifury wrote:
| So they turned over the conversations but not emails. How
| does that not match? Meta data is widely used politically as a
| euphemism for this.
| Erikun wrote:
| I'm not sure what you mean by conversations, if you mean
| the content of messages then no that is not metadata, if
| you mean who talked to whom, then yes that is metadata.
| AshamedCaptain wrote:
| They can still simply push a software update that sends the
| victim's keys to the mothership and/or simply decrypts
| everything. Can even be pushed silently. The victim cannot do
| anything, not even detect when this has happened.
|
| Why would governments push back, when this hole which has already
| been used will _always_ be available?
| fsociety wrote:
| Yes true. What's your threat model though? If my government
| wants to own me they can do that without going to Apple.
|
| For myself I'm quite happy with this as it is a huge
| improvement over what we had. My only irk is that they called
| themselves a champion of security and privacy before this..
| gjsman-1000 wrote:
| So could your Android phone - even if it runs GrapheneOS. How
| do _you know_ that GrapheneOS isn't a CIA project like
| ArcaneOS that won't push a sneaky software update to your
| device? You don't and you never know, so it's not really fair
| to target Apple for this. You will always be vulnerable to such
| an attack no matter what you choose.
|
| The only true secure option is to build the source yourself,
| sign it with your own keys, and run it. Assuming you can read
| all the code and make sure it's safe, and read all the code on
| your compiler to make sure that is safe. And you'll still need
| to trust the Google-signed bootloader code, which totally
| hasn't had suspicious custom builds released previously
| (ArcaneOS?)
| infotogivenm wrote:
| What?
They have demonstrably gone toe-to-toe with the FBI to
| NOT ever have to create "special software updates for the
| government".
|
| https://en.m.wikipedia.org/wiki/FBI-Apple_encryption_dispute
|
| Can you show me another company that has done this?
| Infinitesimus wrote:
| The tricky thing with Apple is that they sell phones in
| China, given that that govt demands visibility into what its
| citizens do, it is reasonable to assume that anything Apple
| launches to secure your data from prying eyes will have an
| asterisk to accommodate a big part of their market.
| kube-system wrote:
| That's because Chinese and US law are fundamentally
| different. The US has laws that enable Apple to contest
| those requests. It is not just possible to run a large
| business in violation of any (competent) government. It
| doesn't matter who it is.
|
| FWIW, Apple does not treat US and Chinese users the same.
| If you have a Chinese mainland iPhone, you use a completely
| different iCloud that isn't even run by Apple.
| macshome wrote:
| It's not that tricky as iCloud in China isn't run by
| Apple at all. [0]
|
| The laws are different there and the only way that Apple
| could meet the requirements of the Chinese government
| without also weakening their product for the rest of the
| world was to cede control of iCloud there.
|
| [0] https://support.apple.com/en-us/HT208351
| newaccount74 wrote:
| I'm going to assume that iCloud E2EE won't be available in
| China.
| TimTheTinker wrote:
| It looks to me like Apple and China have a complicated and
| somewhat adversarial relationship.
|
| Apple likely conceded early on that China-based iPhones use
| China-based iCloud, and the Chinese government likely
| conceded that Apple phones will use the same OS everywhere,
| with region-based feature blocking being as far as they'll
| go in customizing the OS. Both have a lot to lose from the
| other party terminating the relationship.
| mwint wrote:
| The difference is in asking Apple for something they already
| have access to, vs. asking them to create something entirely
| new (a signed software update). That's what the FBI case a few
| years back was about.
| szundi wrote:
| I am thinking since then that maybe it was a staged
| performance
| mrexroad wrote:
| Based on what?
| bee_rider wrote:
| The alternative is to admit that, while all
| megacorporations are fundamentally bad, Apple does
| occasionally do good things. This is clearly infeasible.
| threeseed wrote:
| > when this hole which has already been used
|
| You have evidence that Apple has been pushing silent updates to
| individual users?
| biggoodwolf wrote:
| wellthisisgreat wrote:
| Yeah, no that's not how accusations work.
|
| Well that's how some would _want_ them to work, but around
| here to be heard you must back with evidence.
| etchalon wrote:
| https://en.wikipedia.org/wiki/Russell%27s_teapot
| cantaloupe wrote:
| That's along the lines of asking "Do you have evidence that
| UFOs have NEVER landed on earth?" in response to someone
| asking if you have evidence that UFOs have landed...
| biggoodwolf wrote:
| I guess the same point could be made about religion. Call
| me an agnostic then when it comes to device security
| DonaldPShimoda wrote:
| You're asking for proof of a negative that cannot be
| fulfilled without having access to all copies of all
| versions of the source code deployed for every Apple device
| in the world for their entire history. This seems an
| unreasonable burden.
|
| Either we accept some amount of vulnerability at the
| minimum and deal in likelihoods rather than certainties, or
| we simply do not use modern communication devices
| whatsoever.
Given we're here on HN, we all have clearly
| chosen the former, so the question becomes: "is it _likely_
| that Apple have violated individual users' privacy in this
| manner?", to which I think the answer is "no" because (a)
| it's never been necessary before given the availability of
| alternate methods, (b) we have absolutely no evidence to
| suggest otherwise, and (c) we do have evidence of a history
| of Apple being at least somewhat reluctant to cooperate
| with the federal government of the US when it comes to
| individuals' privacy, to the extent that they are able
| (e.g., the San Bernardino case). So although it is true
| that we cannot be _certain_ of our privacy, it seems very
| _likely_ that Apple's efforts to improve user privacy are
| not disingenuous.
| 8ytecoder wrote:
| Even then the OP will ask us to prove that you do have
| all the versions of code and that there was no self
| destruct mechanism that wiped itself clean. You can't
| prove a negative. That's the point of those assertions.
| It's not without reason that most conspiracies use this
| tactic.
| zinekeller wrote:
| Uh, because Apple specifically pushed back on this?
| (https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_d...) Sure,
| it's never a guarantee but they have some decency.
| eptcyka wrote:
| adventured wrote:
| It's not an assumption. Apple has _earned_ a decent
| reputation for being pro privacy through their actions over
| decades.
| jstummbillig wrote:
| Can somebody explain the room for debate and expression
| of sentiment here? If Apple was legally required to do x
| in regards to privacy, I have to assume they would and
| everyone could know they would (because it does not seem
| very big US company to outright defy national law). If
| they were not, on what ground, could the gov pressure
| Apple?
| adventured wrote:
| The theory would be that it would be extralegal pressure.
| Out of the Snowden era, for this generation, came the
| belief that the government would use extralegal coercion
| to get what they want when it comes to domestic
| espionage. This showed up in eg how the government
| battled Yahoo over PRISM [0], and the story of Joseph
| Nacchio of QWest [1] supposedly being targeted by the
| Feds for refusing to go along with the program/s.
|
| For prior generations, Hoover, Nixon, MLK (how they
| targeted him), the Church hearings, and many other things
| provided evidence as to the extralegal behavior of the
| government at times.
|
| [0] https://www.wired.com/2014/09/feds-yahoo-fine-prism/
|
| [1] https://www.businessinsider.com/the-story-of-joseph-nacchio-...
| sofixa wrote:
| Like when they started recording what programs you launch
| on your Mac, sent to them in cleartext? Or when they
| force you to have an account with them to install apps
| from the official sources (and of course the unofficial
| ones are absolutely atrocious).
|
| Apple are better on the privacy front than their
| competitors, but not by that much.
| HardlyCurious wrote:
| Given what we learned from the Snowden leaks, I would be
| willing to believe that any PR in Apple's favor is awarded
| by the govt for exchange of their cooperation relating to
| providing the govt data / access they request.
|
| I don't trust any corporation to actually side against
| the govt.
| lern_too_spel wrote:
| They pushed back on that after falsely telling their
| customers that they were _technically incapable_ of helping
| the FBI with such requests. After this incident, they no
| longer make that claim.
| https://appleinsider.com/articles/14/09/18/apple-says-incapa...
| shuckles wrote:
| They never told customers it was technically infeasible.
| From the contemporaneous Q&A from the 2016 letter opposing
| coerced access:
|
| " Is it technically possible to do what the government has
| ordered?
Yes, it is certainly possible to create an
| entirely new operating system to undermine our security
| features as the government wants. But it's something we
| believe is too dangerous to do. The only way to guarantee
| that such a powerful tool isn't abused and doesn't fall
| into the wrong hands is to never create it."
|
| - https://www.apple.com/customer-letter/answers/
| lern_too_spel wrote:
| Read the link I gave in the GP post:
|
| Apple: "So it's not technically feasible for us to
| respond to government warrants for the extraction of this
| data from devices in their possession running iOS 8."
|
| Also, "create an entirely new operating system" is an
| intentionally misleading exaggeration on Apple's part,
| meant to fool customers but not governments. It makes it
| sound like the amount of work they would have to do is
| larger than changing one constant about how many retries
| are allowed and another constant controlling rate limiting,
| build and sign and flash it to the phone, and delete it
| after.
| shuckles wrote:
| Seems like a semantic quibble about the meaning of
| "technically feasible." If you understand it as making
| claims about the system as it exists, it is true. If you
| understand it as making a claim about what Apple could
| theoretically do in all circumstances, then you have an
| absurd definition because everything is technically
| feasible.
|
| I think the FAQ and letter both make clear that Apple
| could comply with the FBI request and their objection was
| over whether they should be forced to.
| lern_too_spel wrote:
| > If you understand it as making a claim about what Apple
| could theoretically do in all circumstances, then you
| have an absurd definition because everything is
| technically feasible.
|
| If iOS 8 required a user key for updating the system,
| this would be technically infeasible.
It's not
| technically infeasible as iOS 8 was implemented, _so
| Apple stopped claiming it is_, but only after the FBI
| embarrassed them about that claim.
|
| > their objection was over whether they should be forced
| to.
|
| Apple's objection had nothing about being forced to do
| it. They were forced to provide data from devices before
| iOS 8 and even provided a document about how to ask them
| to do it. Apple instead made specious claims about how
| hard it was and how it would affect other customers'
| privacy.
| arch-ninja wrote:
| Hasn't the solution to this problem always been easy? Just
| encrypt before you type it into imessages; this applies to
| _all_ untrusted communication channels. Don't tell me
| base64-encoding/decoding is what's stopping you from having
| perfect security?
| TillE wrote:
| Exactly, if you're dealing with truly sensitive information
| where any leak is unacceptable, make your own encrypted blob.
| Don't trust any communication software to do it for you.
|
| The concern typically isn't backdoors, it's bugs. I've had
| plenty of terrible experiences with Enigmail.
| joosters wrote:
| '_easy_' and '_just_' are doing a lot of work in your
| assertion here!
| kube-system wrote:
| That doesn't solve the problem of needing a trusted
| communication channel. You'd still need one to exchange keys.
| MaxBarraclough wrote:
| You missed out the punchline: all of this follows from that the
| software is proprietary/closed-source/non-Free.
|
| You can't see how it works, you can't change how it works, and
| you have to trust that it does as advertised. You must do all
| this in the knowledge that over the years plenty of proprietary
| software vendors have outright lied to their customers about
| exactly this kind of thing, e.g. [0][1].
|
| I'm not aware of Apple ever doing so though, for what that's
| worth.
|
| [0] https://news.ycombinator.com/item?id=25044254
|
| [1] https://news.ycombinator.com/item?id=33820538
| dxf wrote:
| >Why would governments push back, when this hole which has
| already been used will _always_ be available?
|
| I'm not aware of a time when Apple pushed a software update
| (silently or otherwise) to defeat security for a user (or
| users). Can you provide a reference?
| bboygravity wrote:
| The entire precondition for being able to do that is that
| you're not aware of it. Ever.
| eduction wrote:
| With Apple's current lack of encryption on iCloud backups,
| we are very aware of government access because those files
| end up as evidence in court cases after being obtained by
| police and prosecutors.
|
| If government were to compromise end to end encryption in
| the manner described above, it would either be visible when
| used to prosecute people, or invisible because it would
| never be used to prosecute people (but presumably for
| intelligence purposes). Even if it were used for
| intelligence purposes through the method above, which I
| don't think is at all established, it would still be a
| significant improvement over having data in a form that is
| actively used to prosecute people.
| alldayeveryday wrote:
| > Even if it were used for intelligence purposes through
| the method above, which I don't think is at all
| established,
|
| The Snowden revelations were precisely about information
| gathering for intelligence purposes. The vast majority of
| intel gathering is not for prosecutionary purposes.
| Melatonic wrote:
| The thing that people always miss is that the damn SIM card
| is running its own little processor already. If the
| government really wants to read your shit they can probably
| just do some behind the scenes work with your mobile ISP
| and find a way to access your phones screen output or
| microphone data or something.
| lilyball wrote:
| iPhone 14 doesn't even have a SIM card anymore, it's
| strictly eSIM (and previous models could optionally use
| eSIM).
| madars wrote:
| If I really wanted a physical SIM and imported a European
| SKU which does have it (only North American variant is
| eSIM-only), would I expect seamless support in the US?
| E.g. would AppleCare just work?
| astrange wrote:
| eSIM isn't any different here, it still runs the same
| applets. What makes it secure is the IOMMU preventing it
| from accessing main memory.
| gumby wrote:
| The baseband module has a processor too, and you don't
| have access to it per FCC regulation.
| lghh wrote:
| So there's no level of security that will ever be enough
| for anyone. The number of people who know the source for
| the current version of every piece of software, firmware,
| and hardware they use almost certainly approaches 0.
|
| I don't know what people expect. These moves are _good
| things_ and everyone is whatabouting situations that there
| is 0 evidence has ever happened or would ever happen. It's
| unfalsifiable, impractical, and honestly just annoying.
| tshaddox wrote:
| "You can't prove that they don't already do X, because X is
| by definition a secret action" is a pretty useless
| epistemology though. Every electronic device you've ever
| used _could_ secretly have a cellular modem that can
| secretly download over-the-air firmware updates that alter
| its behavior to be maximally evil. You by definition can't
| prove that your coffee machine doesn't secretly have the
| ability to change its behavior to start connecting to the
| internet and DDOSing charities or something.
| jodrellblank wrote:
| The parent comment said "_hole which has already been
| used_", that's a claim that Apple has actually done it,
| not only a speculation that they could. They are being
| asked to back up that claim.
| amelius wrote:
| It doesn't matter. You are missing the entire point about
| E2EE.
| szundi wrote:
| US can always pass a bill or have one that enables them to
| covertly force apple to comply otherwise Tim goes to jail.
| Easy
| acdha wrote:
| You make this sound easy but look at how that worked for
| NSLs. They got a ton of pushback for that and there's no
| way to keep that a secret for very long - especially since
| things either end up in court or involve foreign
| governments who won't share the desire to keep things
| secret.
| bee_rider wrote:
| What do you mean, "can pass a bill?"
|
| On some level the US could also pass a law that says every
| iPhone user will be summarily executed. That's how
| sovereignty works. Is it a realistic concern? Probably not.
| acchow wrote:
| In the US, this is not easy.
| tinus_hn wrote:
| Last time they tried that Apple caused a lot of hoopla and
| made the case go away. Not easy.
| supertrope wrote:
| Are you referring to the Pensacola encryption bypass
| demand or PRISM?
| parineum wrote:
| That's not the point. The point is that Apple hasn't closed
| the government out of Apple user's phones. The point of E2EE
| is to remove the power of the middleman to read the data but
| that middleman also has complete control over the device and
| the software running on it with remote root access.
|
| Apple's ecosystem is, by default, design and necessity,
| insecure to Apple. Keys stored on an Apple device are
| insecure.
|
| One can easily make a similar argument for Android/Google,
| however, a security conscious user could still take control
| over their device and install a more secure OS.
| smoldesu wrote:
| When they migrated Chinese iCloud data to domestic servers.
| ghostpepper wrote:
| You're saying there was a silent update pushed to Chinese
| iphones? Can you provide more details or a source on that?
| smoldesu wrote:
| It certainly wasn't silent, but that wasn't a condition
| for the parent's question.
It was a well-documented (and
| much derided) decision though:
| https://mashable.com/article/china-government-apple-icloud-d...
| sbuk wrote:
| Seeing as context is conspicuously missing, all cloud
| services offered by foreign business in China are required
| to be hosted and controlled by state owned providers. For
| instance, China has a separate Microsoft 365/Azure region
| hosted and controlled by 21Vianet. Apple still controls
| the encryption keys and there is no evidence that they
| have handed them over to the CCP, but it is largely
| assumed. Federighi has said that Apple will offer E2EE in
| China.
| astrange wrote:
| You want them to break Chinese laws? Don't think they
| have popular support for that.
| shuckles wrote:
| Why is data residency law cool and progressive when the EU
| does it and Big Tech complies, but Bad and Dystopian when
| China does the same? Tim Cook has said on the record that
| iCloud is the same regardless of data center.
| sofixa wrote:
| Because the reasons for data sovereignty as legislated by
| the EU and countries within it, and China, are
| _drastically_ different. Which one is the authoritarian
| regime which jails dissidents and which one has
| regulations giving consumers rights over their data? I'm
| fairly certain the motives for data sovereignty are
| wildly different.
| shuckles wrote:
| I'm not sure if you're aware, but there are
| anti-encryption legislative proposals in the EU which are as
| ill-informed and scary as anything I've heard of in
| Mainland China. It's very unclear to me if motives matter
| in this case.
| smoldesu wrote:
| China has a reputation for hunting down religious
| minorities and political dissidents, Europe is known for
| a more moderate take on those matters. I think there's
| cause for concern when China demands domestic ownership
| of iCloud info.
| scarface74 wrote:
| You mean like the French banning burkinis worn by
| religious minorities?
| | https://www.cnn.com/2022/06/21/europe/grenoble-france- | burkin... | lern_too_spel wrote: | Would it surprise you to learn that France also bans | female genital mutilation, another religious practice | enforced on people who typically have no say in the | matter? These bans apply to people of any religion and of | no religion. | | Let's not pretend this is the same thing as kidnapping | you and taking you to a reeducation camp because of your | religion, leaving your kids alone and confused. | scarface74 wrote: | So you put banning the clothes you can wear because you | want to be modest with female genital mutilation? | lern_too_spel wrote: | To be clear, France prevented a law that would have | allowed burkinis to circumvent existing public pool rules | that require a swim cap and forbid baggy clothes and | certain sun protection suits. People forced to wear | certain clothes by others in their religion do not get | special exceptions. | https://www.nbcnews.com/news/amp/rcna34833 | shuckles wrote: | The technical proposals are equally odious, and Europe | is, what, 30 years removed from all sorts of | authoritarian hijinks? | | In any case, selective support for technical proposals | based on broader political vibes is not a particularly | inspiring stance. | smoldesu wrote: | You seem to have missed my point entirely then. I'm in | full support of Apple holding themselves accountable for | the data they hold, but they don't. As a result, we rely | on "broader political vibes" to read between the lines. | shuckles wrote: | I'm not sure what you mean by "holding themselves | accountable for the data they hold", but you began by | implying data residency was compromising security at the | behest of a government, but it does not itself do | anything of that sort. Your technical claim is outright | false. | vineyardmike wrote: | > Europe is known for a more moderate take on those | matters. | | Very recently in history. 
China is bad now, European | nations have been bad in the past... but who knows what | the future holds. | | Once data is released (keys, databases, plaintext | messages, it doesn't matter) it can't be made private | later. | scarface74 wrote: | You mean the same one that wants to lessen encryption so | they can spy on you? | | https://www.secureworld.io/industry-news/new-eu-push-for- | enc... | aborsy wrote: | At least, data won't be harvested for commercial use (as Google | does). Apple clearly is leading in security. | cglong wrote: | Except that Android has had E2E encrypted backups since 2018 | https://security.googleblog.com/2018/10/google-and- | android-h... | aborsy wrote: | You are right. I guess I was thinking that none of the FANG | provides a "desktop" client app with e2e. | | But Android already collects a lot of data from the device | before encrypting. | Melatonic wrote: | Most of which you can opt out of | lern_too_spel wrote: | Indeed, you can opt out of more of it on Android than you | can on iOS. Try to get your location on iOS without | telling Apple. You can't. Try installing an app without | telling Apple. Same. | | Even MacOS is infected with this privacy invading | nonsense that I can't opt out of. It has an Apple News | app that I can't uninstall, and whenever anybody sends an | Apple News link, even in a private tab, it opens the | Apple News app, a handler that I can't disable, sending | the article I want to read together with my Apple ID to | Apple. | v0idzer0 wrote: | Android is a steamy pile of privacy violations, but yes | they do have this one feature | lern_too_spel wrote: | Android, by virtue of giving more control to the user, | has far fewer privacy violations than iOS. | bloppe wrote: | Apple loves harvesting your data for commercial use | | https://www.extremetech.com/mobile/340887-apple-sued-for- | all.... | lloeki wrote: | > Apple loves harvesting your _store interaction_ data | _within store apps_ for commercial use | | FTFY.
| | Please stop spinning that as if Apple were siphoning every | single one of one's moves everywhere, irrespective of any | telemetry setting one has set. | | Both the linked piece and the reporter's Twitter thread | seem to have taken great care to bury behind clickbait | headlines and scary words the fact that this applies only | to App Store, Books, Apple TV, and iTunes Store apps, which | are all "store" apps (presumably that's where commercial | stuff typically happens) that used to outright be webviews | (not entirely sure they are 100% native as of today). I | don't think anyone would be appalled if a React-based web | app would send vast amounts of requests based on user | interaction. | | So yeah, they should probably not collect as much data as | that and probably should have a toggle to nerf such data | collection within the store apps (which is not the same as | OS/actual app/service telemetry), but the way things keep | getting spun is beyond ridiculous and does not help in | improving anything. | v0idzer0 wrote: | You'd detect a software update? | fnordpiglet wrote: | They couldn't without bypassing all their controls and | assurance measures, which are required by not just governments | but corporations who don't trust apple or the government, as | well as regulators across the world who also don't trust either | apple or the us government. If you've ever worked in a highly | regulated highly sensitive enterprise tech environment you | would know this is hogwash. | [deleted] | spa3thyb wrote: | I still disagree with the shift from PR to 3P, but in that | spirit, this might be a better URL: | | https://9to5mac.com/2022/12/07/apple-advanced-data-protectio... | Arubis wrote: | And, just like that, I can finally turn on iCloud backups on all | my devices. | vengefulduck wrote: | Looking into the details it seems like they're using Convergent | Encryption [1][2] in order to enable deduplication in iCloud | drive and photos.
Which would imply it is possible for an | attacker to determine if your account is storing a file for which | they know the plaintext. It's still a lot better than the status | quo but that's a pretty big asterisk in my mind. | | [1]https://support.apple.com/en- | ca/guide/security/sec973254c5f/... | | [2] https://smarx.com/posts/2020/09/convergent-encryption-and- | wh... | upofadown wrote: | >Conversations between users who have enabled iMessage Contact | Key Verification receive automatic alerts if an exceptionally | advanced adversary, such as a state-sponsored attacker, were ever | to succeed breaching cloud servers and inserting their own device | to eavesdrop on these encrypted communications. | | Generally the biggest threat that end to end encryption (E2EE) | addresses is the people that actually run the servers "inserting | their own device to eavesdrop". So Apple in this instance. We | would normally have to assume that Apple would do this on a | request from state level entities as part of the threat model. | | Apple has to provide some sort of E2EE identity verification if | they want to claim that they are providing E2EE messaging. I note | that they have been making such a claim for some time now. After | this, all that will remain is the issue of control of the | software. We will still have to trust Apple to not subvert the | clients in some way. So nothing has substantially changed yet. | | From the little we know about the usability of this new feature I | note that the warning about new/changed devices is in small grey | text. So very easy to overlook. hopefully Apple will provide | enough context to allow the user to do something meaningful in | response to such a warning. | WhackyIdeas wrote: | This reminds me of a hacker exploiting a victim's system, | patching the vulnerability and installing a keylogger. 
| | Yeah it's nice you are taking the security seriously so others | can't get in easily, but you (Apple) are still siphoning off my | data for profit after I spent an arm and a leg on your | equipment... | | It just feels like protecting your investment more than my data | security. | aborsy wrote: | This is major news. Companies such as Apple and Dropbox are | implementing end to end encryption, at least as an option. | | Was client side scanning implemented finally? Perhaps E2E paves | the way to client side scanning? | | For the hardware key, Apple is a bit late though. All other cloud | companies have that 2FA. | theshrike79 wrote: | Client side scanning was scrapped because 80% of the internet | couldn't understand how the implementation worked. | | Maybe they'll try it again after this. | sneak wrote: | > _Client side scanning was scrapped_ | | Apple never said that it was scrapped. They did, however, say | that they intend to do it. | theshrike79 wrote: | https://www.wired.com/story/apple-photo-scanning-csam- | commun... | | "Apple Kills Its Plan to Scan Your Photos for CSAM. Here's | What's Next" | | That's dead enough for me. | amarshall wrote: | The press release is a bit sparse, there is a bit more detail on | "Advanced Data Protection for iCloud" in the support article | https://support.apple.com/en-us/HT202303#advanced | dang wrote: | Ok, I think we'll change the URL to that from | https://www.apple.com/newsroom/2022/12/apple-advances- | user-s.... Thanks! | | Is there a similar URL for the security key stuff? If so, we | can factor that out of this thread, which is almost all about | E2EE backups. | keepquestioning wrote: | Can someone get ChatGPT to summarize this PR release? | alexfromapex wrote: | Apple has introduced three new security features to better | protect users' data in the cloud. The new services will provide | the company's highest-ever levels of data security for the | iCloud.
The services, called iMessage Contact Key Verification, | Security Keys for Apple ID and Advanced Data Protection for | iCloud, will be available for users to choose from. Apple is | committed to providing users with the best data security in the | world, said Craig Federighi, the company's senior VP of | software engineering. | yarg wrote: | End to end? | | Isn't that only required if the guy on the other side needs to | decrypt? | dsign wrote: | iCloud was convenient and I was even paying for it, but when the | "we will scan your photos and snitch on you" debacle happened I started | backing up my photos at home and removed all my spreadsheets from | iCloud (who knows what crappy software can interpret as CSAM). | | This will go a long way into restoring my trust in Apple. Yet, I | can't help but notice that the "we will scan your photos and | snitch on you" workflow they published then is still compatible | with enhanced iCloud security. Hell, they can always send a | command to the photos app in your phone to upload all your | photos straight to FBI's servers. So in this case technology is | like 50% of the trust, the other 50% is sheer commitment to | customers and that was tainted by that episode. | infotogivenm wrote: | Sorry mate but you have no idea how anything works. Literally | every photo hosting service on the internet will scan your | photos against an abuse list and work with LE - otherwise they | get to become the "cp-friendly" hoster. | | When apple released client-side scanning (which only ever | applies to photos uploaded to iCloud Photos) the only thing | that changed was now the scanning takes place on your device | where you have transparency and ability to see what hashes are | checked. The folks paying attention knew what this was - Apple | redesigning a workflow to make LE cool with e2e encrypted | photos. You read some false outrage articles and are now | somehow _still_ upset at a company doing work that is currently | in your best interest.
Baffling. | therealmarv wrote: | I'm baffled how people can be so okay with letting their | whole device being scanned always. I don't want it to be | scanned no matter what the intention is, it's not the phone | or Apple's business. Device ownership and to decide for my | own what the device is doing with MY data is my liberty. If | you want your device to scan your data always is maybe cool | with you. But not cool with me. | | I've read all the technical documentation too. However who | says that the mechanism is implemented like intended forever? | Maybe Apple or (local) law will change and voila: Your device | scan report is reported to Apple and authorities because it | is anyway already in place on your device. | squeegee_scream wrote: | > In a second victory for privacy advocates, Apple said it was | dropping a plan to scan user photos for child sex abuse images. | The company had paused that plan shortly after its announcement | last year, as security experts argued that it would intrude on | user's device privacy and be subject to abuse. | | https://www.washingtonpost.com/technology/2022/12/07/icloud-... | pifm_guy wrote: | WhatsApp recently added e2e backups (as an option) too. | | I always thought the reason they didn't encrypt backups was as a | way to remove pressure from security services to weaken the | encryption. Better to let the security services go after | Google/apple as the backup provider. And have an option to turn | off backups for the security paranoid users. | | I wonder why they changed stance... | amadeuspagel wrote: | Android has had encrypted backups for years. | dodgerdan wrote: | This is pretty big news. I wonder will there be an immediate push | back by law enforcement and governments? | gjsman-1000 wrote: | Remember the CSAM scanning debacle almost a year ago? 
I and | others speculated that the reason Apple was trying to make the | CSAM-scanning and Safety Vouchers client-side was so that they | would be able to allow E2E encryption while having a plausible | reason to shut down law enforcement's biggest argument against | E2E. | nerdjon wrote: | I could have sworn apple even straight up said that was their | goal? | | Maybe I am just misremembering since like you I figured that | was the reason they were doing it, no other reason to do | something like that if it was all going to sit there | unencrypted. | gjsman-1000 wrote: | No, they didn't say anything like that at the time, so I | was even downvoted on HN and argued with for making the | suggestion. Because Apple was definitely just being evil | and had no bigger picture. | supertrope wrote: | It wouldn't stop at CSAM. Alongside it in urgency of appeal | to fear is counter-terrorism*. Next would be drug dealing, | threats of violence. Then copyright infringement. And finally | Amber Alerts and silver alerts. A backdoor or warrant-less | search for one category is a backdoor for all. The point is | for government power to trump privacy. | | *The definition of terrorism depends on your jurisdiction. | AlexandrB wrote: | While the on-device CSAM scanning was a huge overreach I'm | not sure how you could leverage that system for things like | Amber/silver alerts or threats of violence. It's not | _really_ a backdoor, more of a snitch system. | gigel82 wrote: | That's a very optimistic point of view. On the other hand, I | and others speculated that the reason Apple wants to | introduce code on your device that scans local content on | your device against a government mandated database of "wrong | content" was to appease law enforcement's desire for more | control. | schrodinger wrote: | I don't understand how your other hand argument is more | pessimistic.
Isn't your phone scanning locally for | checksums better than requiring the data to be unencrypted | and scannable server-side? Surely they couldn't just do | _nothing_. | | edit: I take this back--"nothing" should be the right | answer. | gigel82 wrote: | _nothing_ is exactly what I expect them to do when it | comes to my local files. | | We all like to vilify Microsoft (rightfully so for all | the telemetry crap they pull) but imagine if Windows | started scanning all your local disks for files matching | certain checksums then notifying authorities when matches | occur (thumbnails / other metadata uploaded with the | reports) like Apple was planning. Sure, it'll be CSAM | first. Then, domestic terrorism; then RIAA / MPAA would | jump in on the action... and finally, opaque checksum | databases from local governments ("wrong think", Winnie | the Pooh memes, pictures from protests, etc.); if we | don't stop it in its infancy we're quickly tumbling down | the slippery slope. | schrodinger wrote: | Thanks, you've changed my mind and I totally agree. | (Sincerely in case it smelled of sarcasm). | theshrike79 wrote: | The CSAM scanning was only enabled if you had iCloud | uploads enabled. | | They would've only scanned the files that would end up in | the cloud anyway. | | But people went "omg my files", stuck their fingers in | their ears and refused to read the damn spec. | gigel82 wrote: | The "damn spec" clearly stated that they would be | introducing functionality on your device that is capable | of scanning content on your device and matching that | against a database of opaque hashes downloaded from a 3rd | party. That's functionality I don't want on my device. | | FWIW, I don't use iCloud and never have used it; I don't | care if they scan content once uploaded (it's their | servers and I'm confident they'll continue scanning | content there no matter how "E2EE" it is - see China and | key sharing).
As long as they keep their scanning on | their devices and off of my device it's all good. | mark_l_watson wrote: | I really enjoy the automatically generated iPhoto "experiences" | that include background music and photo/video effects that appear | sometimes, more often after I took vacation pictures. Hopefully | those can be generated on my device and I won't have to give | those up to get encryption at rest. | yreg wrote: | Those have always been generated on device (and uploaded if you | use iCloud). | pradn wrote: | They word their announcement carefully. | | > For users who opt in, Advanced Data Protection keeps most | iCloud data protected even in the case of a data breach in the | cloud. | | Here, "cloud" is treated generically - as if Apple doesn't have | to do with it. I suppose they don't want to spell it out. A more | honest, but still easy-to-understand statement would be: | | > For users who opt in, Advanced Data Protection keeps most | iCloud data protected even if someone hacks Apple's iCloud | servers. | boringg wrote: | I don't think that's them being dishonest. I'm pretty sure the | way I read the first sentence and your re-write is the same | thing. I guess the only difference is maybe the layman might | not gather that. That said the layman probably isn't going to | care about end to end encryption either. | | Nice to hold the corporates accountable but I don't find this | to be slimy or anything - maybe just me though. | kitsunesoba wrote: | Excellent, I'll be adding hardware keys right away. Their | existing iCloud-connected-device 2FA is better than SMS but it's | always bugged me that I wasn't able to use a hardware key. | | Now if we could just get banks on board... they're probably the | single biggest glaring hole in non-SMS 2FA. To my knowledge | there's only 2-3 US banks that even support TOTP, let alone | hardware keys, which is insane given how important they are.
| AlexandrB wrote: | AFAIK no Canadian banks even support TOTP - it's all SMS (or in | one case a bank "app" that does TOTP, but frequently logs you | out so you have to use SMS anyways). Maybe they'll catch up in | a decade or so. | Melatonic wrote: | Yea super annoying - this is the one thing stopping me from | getting a Yubikey. What's the point if I cannot use it on the | stuff I really want to use it for? | steelframe wrote: | Just as they did for CSAM scanning, they will push any code that | mines your data for the purposes of targeted advertising down | into the phone itself. | yreg wrote: | CSAM scanning on device never happened. The plan was abandoned. | neop1x wrote: | Proof? Their keynote or their press release? | yreg wrote: | Burden of proof lies with the one who claims something | happened. Not with the one who says it doesn't exist. | KindAndFriendly wrote: | >> ...For users who opt in, Security Keys strengthens Apple's | two-factor authentication by requiring a hardware security key... | | I hope they will support existing Yubi-Keys etc and not force | users to get the dedicated Apple hardware key. | yakkityyak wrote: | > force users to get the dedicated Apple hardware key | | I don't think there is one? | ethanzh wrote: | I think your iPhone is the dedicated Apple hardware in this | case | zaroth wrote: | You don't have to guess; the announcement actually tells you | 3rd party keys can be used and NFC keys can be tapped on | the iPhone. | frizlab wrote: | The iPhone and recent Macs are ones. But it would not make | sense to use your iPhone to protect your iCloud I think. | yakkityyak wrote: | It was a rhetorical question :P | | The section of the announcement is emphatically about 3rd | party security keys support, so the worry about lack of | support of YubiKey over some push for some imaginary Apple | Dedicated Key didn't make much sense to me. | | Also, security key (at least to me) implies a small, | keychain sized device.
I wouldn't think of calling my Mac | Studio a security key. There is no device marketed as such, | even though yes, the SEP can and has fulfilled these | purposes. | fmajid wrote: | That's what I am most looking forward to. I hope they also | allow you to disable the phone-based recovery scheme that is | just a boulevard for SIM-swapping hackers to breach through. | frizlab wrote: | Given they already support standard WebAuthn (passkey or | other), I think it's a pretty safe guess to say they'll support | Yubikeys. I can't find any written confirmation yet though. | diebeforei485 wrote: | Written confirmation in WSJ (paywall) here: | https://www.wsj.com/articles/apple-plans-new-encryption- | syst... | | > [Apple] will now allow users to log in to their Apple | accounts with hardware-based security keys made by other | companies such as Yubico. | lxgr wrote: | Curious to see how they will use it. I don't see an | immediate way for FIDO/WebAuthN to help in an end-to-end | encryption scenario. | jackson1442 wrote: | I don't think this is directly related to the E2EE | announcement, rather it is an option to replace the | current MFA method of receiving codes on your Apple | devices. | lxgr wrote: | That makes sense, thank you. It's also mentioned under | the corresponding heading on the press release. | technothrasher wrote: | The linked page says yes. | | "users will have the choice to make use of third-party hardware | security keys" | [deleted] | dang wrote: | (This comment was posted when the linked URL was | https://www.apple.com/newsroom/2022/12/apple-advances- | user-s..., which contains the physical security key | announcement as well as the E2EE stuff. If there's a better URL | for the security key announcement, we can factor this topic | into its own thread, since it's a minority topic in this one | and mostly getting overlooked.) | cguess wrote: | The screenshot pretty clearly shows a yubikey outline. | twobitshifter wrote: | is apple making a hardware key? 
| NoImmatureAdHom wrote: | This is trash and Apple is trash. | | 1) They explicitly state that they're going to keep an eye on the | hashes of your files, allowing them to nuke anything they don't | like from orbit system-wide. They still know what you have in | cases where someone else has it and they know the plaintext. | They're definitely going to scan what you keep in their cloud. It | will start with kiddie porn, but then it'll be that plus | terrorist documents (and who decides what that is???), and then | illegal music and movies, and then... | | 2) It's all implemented with closed-source mysteryware. Who the | fuck knows what it's doing? You've got to trust their pinky- | swear, and you shouldn't. It probably works as it is described | until it receives the special wink from Apple's servers, and then | it sends along your private keys (possibly using an exploit they | put there on purpose). If it's not verifiable (open-source and | reproducible builds), it's a pinky swear. | | 3) This is your reminder that your iMessage isn't actually E2EE, | they have a lot of the keys on their own servers. | | These are all things they _could_ fix, but don't. And they won't | fix them because they don't actually give a damn about your | privacy and security. We should all demand open-source, | reproducibly-built encryption software. | knaik94 wrote: | I wonder if they will push for client side scanning for CSAM | material again, since photos are covered under end to end | encryption based on this announcement. As a consumer, it feels | like two different teams with two different ideas of what kind of | consumer privacy should be protected are trying to guide Apple in | opposite directions. | | Apple, the client side scan pushing and ad platform expanding | company is now the same company that is releasing strengthened | cloud data protection.
Deduplication becomes impossible at any | sort of scale and for safety Apple even turns off web access to | iCloud when E2E cloud protection is turned on for the first time. | | Apple has stated it will cache thumbnails using standard | protections when sharing files, using "anyone with a link" will | expose the unencrypted data to Apple servers. I wonder if CSAM | scanning can take place for those files only. | Shank wrote: | According to The Washington Post [0], "In a second victory for | privacy advocates, Apple said it was dropping a plan to scan | user photos for child sex abuse images. The company had paused | that plan shortly after its announcement last year, as security | experts argued that it would intrude on user's device privacy | and be subject to abuse." | | [0]: | https://www.washingtonpost.com/technology/2022/12/07/icloud-... | knaik94 wrote: | Thank you for the link, I had not come across that news. It | seems like Apple is still scanning photos when NSFW photos | are sent to phones belonging to minors. | | "When receiving this type of content, the photo will be | blurred and the child will be warned, presented with helpful | resources, and reassured it is okay if they do not want to | view this photo. Similar protections are available if a child | attempts to send photos that contain nudity. In both cases, | children are given the option to message someone they trust | for help if they choose. | | Messages analyzes image attachments and determines if a photo | contains nudity, while maintaining the end-to-end encryption | of the messages. The feature is designed so that no | indication of the detection of nudity ever leaves the device. | Apple does not get access to the messages, and no | notifications are sent to the parent or anyone else." | | https://www.apple.com/child-safety/ | jimbob45 wrote: | It was client-side scanning only for stuff that was going to | their servers, right? 
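The confirmation-of-file property that vengefulduck and NoImmatureAdHom raise earlier in the thread, as an added example that is not part of any comment and is not Apple's implementation: plain convergent encryption (key = hash of the plaintext) beside a keyed variant that mixes in a per-account secret. The SHAKE-256 keystream, the `DedupStore` class, and all names and sample data are assumptions constructed for this sketch.

```python
import hashlib
import hmac
from typing import Dict, NamedTuple, Optional, Set


class Blob(NamedTuple):
    locator: str        # what the storage server indexes on: hash of the ciphertext
    ciphertext: bytes


def derive_key(plaintext: bytes, account_secret: Optional[bytes] = None) -> bytes:
    """Content-derived key. Plain convergent encryption uses H(plaintext);
    the keyed variant (an assumption here) mixes in a secret the server never sees."""
    if account_secret is None:
        return hashlib.sha256(plaintext).digest()
    return hmac.new(account_secret, plaintext, hashlib.sha256).digest()


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    # Stand-in deterministic stream cipher for the demo only (no authentication).
    stream = hashlib.shake_256(b"convergent-demo" + key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(plaintext: bytes, account_secret: Optional[bytes] = None) -> Blob:
    """Deterministic: the same plaintext (and secret) always gives the same blob."""
    ciphertext = _xor_keystream(derive_key(plaintext, account_secret), plaintext)
    return Blob(hashlib.sha256(ciphertext).hexdigest(), ciphertext)


def decrypt(blob: Blob, key: bytes) -> bytes:
    if hashlib.sha256(blob.ciphertext).hexdigest() != blob.locator:
        raise ValueError("ciphertext does not match its locator")
    return _xor_keystream(key, blob.ciphertext)


class DedupStore:
    """Server side: sees locators, ciphertext and which accounts reference them."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}
        self.owners: Dict[str, Set[str]] = {}

    def put(self, account: str, blob: Blob) -> bool:
        """Store a blob; return True if that ciphertext was already held (deduplicated)."""
        already = blob.locator in self.blobs
        self.blobs.setdefault(blob.locator, blob.ciphertext)
        self.owners.setdefault(blob.locator, set()).add(account)
        return already

    def accounts_holding(self, known_plaintext: bytes) -> Set[str]:
        """What anyone with read access to the index can learn from a plaintext
        they already have: re-encrypt it with no secret and look up the locator."""
        locator = encrypt(known_plaintext).locator
        return set(self.owners.get(locator, set()))


def demo() -> dict:
    document = b"constructed sample document, identical on both accounts"

    plain = DedupStore()                       # key = H(plaintext)
    plain.put("alice", encrypt(document))
    plain_dedup = plain.put("bob", encrypt(document))

    keyed = DedupStore()                       # key = HMAC(account secret, plaintext)
    keyed.put("alice", encrypt(document, b"alice-secret"))
    cross = keyed.put("bob", encrypt(document, b"bob-secret"))
    same = keyed.put("alice", encrypt(document, b"alice-secret"))

    return {
        "plain_dedup": plain_dedup,
        "plain_holders": plain.accounts_holding(document),
        "near_miss_holders": plain.accounts_holding(document + b"!"),
        "keyed_cross_account_dedup": cross,
        "keyed_same_account_dedup": same,
        "keyed_holders": keyed.accounts_holding(document),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the keyed variant deduplication only works within one account, which is the storage cost of closing the cross-account lookup.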
| yreg wrote: | Yes, and it was likely directly related to subsequently | offering E2EE backups. Not "two different teams with two | different visions". | explodingwaffle wrote: | Encrypted iCloud! Never thought I'd see the day- figured | intelligence agencies wouldn't be a big fan- I guess it's only | optional though. Still won't be using iCloud on my iPhone, but I | could at least consider it. | worldsavior wrote: | What does the government think about it? I remember they had | problems with them before trying to enable end to end encryption. | Despegar wrote: | This was the point of their plan to introduce CSAM detection on- | device. Unfortunately the reaction to that was histrionic and | couldn't see the writing on the wall. | | Governments will eventually pass legislation targeting E2E and | CSAM was the one issue where Apple's method would have defanged | support for that kind of law. But one good thing about making | those plans public is that any proposed legislation will likely | land on Apple's method as being a good compromise. Better for | Apple to wait until they're forced by governments to do it. | commoner wrote: | It's a good thing that the "histrionic" privacy advocates | successfully pressured Apple to back down from introducing a | vulnerability in the product before releasing this feature. | Despegar wrote: | It was definitely a win in a narrow and politically naive | sense. | dmix wrote: | I'd rather fight that battle when it comes rather than | compromise early on and trust they won't be back next week with | a new policy move. | brookst wrote: | Yep. Their CSAM implementation guaranteed that E2EE for photos | was coming. I thought the death of that CSAM approach meant | they just wouldn't ship E2EE photos. I guess you're right, they | know governments will mandate it and they at least have an | approach that's compatible with E2EE.
| ir77 wrote: | this announcement is huge in multiple ways: | | 1) they just ate every other 3rd party "secure" backup service's | lunch just like they did to the Hi-Res music industry. | | 2) details of what they backup securely, besides photos (which is | top priority for me): iCloud Drive: Includes Pages, Keynote, and | Numbers documents, PDFs, Safari downloads, or any other files | manually or automatically saved to iCloud Drive. | | 3) _BUT_, perhaps the _BIGGEST_ news here is that Apple is | making a backup statement to what they've been saying for years | and what they've recently gotten negative attention on: They | don't want your data. They're not Google/FB/Amazon. They're | giving you 2TB+ of space and you can encrypt it to the point that | you'll lose your data and they don't care -- they don't want to | mine your data, they don't want to know what you store on there, | they don't care to scan your pictures with AI 20 different ways, | they don't want to monetize it, etc, etc., just pay them money | for their service and transactionally they give you the only thing | that you want in return -- reliable, secure, private service. | | seriously, anyone at this point advocating for any other | phone/os/service out there besides apple is really going out of | their way to swim up river. | tehlike wrote: | Apple wants your data as much as other companies, except they | don't want this _specific_ data. | | Otherwise apple likes to track your moves in the areas they do | advertising on as much as everyone else. | plzmark wrote: | Maybe. But has this been audited? Are there backdoors, perhaps | in the hardware? | | I thought just a couple of months ago they wanted to scan | everyone's phones for illegal content. | amadeuspagel wrote: | > They're not Google | | No, google has had encrypted android backups for years.
| ir77 wrote: | so did apple, you could encrypt through iTunes for a decade, | and if you're that paranoid about encrypted backups i would | trust an off-line encrypted backup more than i would an | encrypted backup in google's cloud. | theonlybutlet wrote: | The fundamental iCloud product itself however is subpar and | until that is dealt with, it won't be that huge. | | Few examples: Still can't keep photos on iCloud and delete | thumbs on the phone. A real issue: my old iPhone had | insufficient space and I had to move to OneDrive. Support for | other operating systems is lacklustre. One of the core benefits | of cloud is accessing your files anywhere when you need them, | not possible unless you're lucky enough to find yourself on a | Mac at that moment. | dzikimarian wrote: | * They have tons of your data anyway, lots of which is more | valuable for advertising than backup of your photos. | | * They are more and more into advertising business | https://news.ycombinator.com/item?id=32520894 | | * Their executives admit that they want you and your family | locked into their ecosystem (leaked emails). | | Sorry, but advocating for them seems like a very bad idea. Google | was a cool, pro-customer company once too. Until they had | position to not be anymore. Open standards, without any vendor | lock are the only reasonable way. | logic_probe wrote: | richrichardsson wrote: | > They're giving you 2TB+ of space | | I think you and I have vastly different ideas about what | "giving" means. | | I get 5GB of iCloud storage, unless I pay them £6.99/month for | 2TB. No idea what the rate is over 2TB. | | Have I missed a trick to getting this 2TB+?
| | (I have 7 Apple devices in my possession and have owned a | further 2 that I've passed on to my kids; given the premium I | paid for those I almost expect that I should get 5GB PER | DEVICE, but of course that's fairly unreasonable in reality) | jshier wrote: | You can't even get over 2TB unless you subscribe to Apple One | and even then you only get another 2TB. Pretty useless as a | large scale backup service if the maximum you can ever pay | them for is 4TB. | mvanbaak wrote: | Per user. I know you would probably like to backup your | linux isos to icloud but besides that the 4tb per | account/user is pretty much all one would need. This is for | personal use, not business ;) | [deleted] | another_story wrote: | Been seeing a lot more of these snarky sort of comments | on HN as of late, and it's not encouraging. Can we keep it | civil without making light jabs at others' preferences or | tech needs? | ir77 wrote: | sorry, yes, i meant it that you can now purchase 2TB of | stand alone E2E storage from apple for 9$/mo, or get it as | part of iCloud+. "giving" was a poor word and should have | been "available". | account-5 wrote: | > seriously, anyone at this point advocating for any other | phone/os/service out there besides apple is really going out of | their way to swim up river. | | Count me in amongst the salmon then. | phpisthebest wrote: | >>seriously, anyone at this point advocating for any other | phone/os/service out there besides apple is really going out of | their way to swim up river. | | Well for your use case maybe, but I do not find the value of | trading privacy for freedom to be a good one, specifically | since I can secure my data other ways including not storing it | at all on my phone. | | My phone is a tool, and I prefer to own and control completely | that tool | brewdad wrote: | What phone do you own and control completely?
I was under the | impression that every phone capable of being a phone contains | BLOBs that you have no control over. | gigel82 wrote: | It's good to be passionate, but blind devotion is dangerous, | especially since we already know by now Apple is positioning | itself to become a major player in the advertising space and - | with a dwindling economy and an increased pressure to sustained | growth from shareholders - that's going to continuously | encroach on our privacy guarantees for monetization purposes. | | I'm advocating for an open and interoperable ecosystem of | operating systems, services and applications, which is the only | way to ensure sustainable customer freedom. Unfortunately that | ecosystem doesn't exist yet so we're stuck with the duopoly of | evil-doers (and while Google openly admits it is their business | model to monetize you and your data, Apple has been caught with | their hands in the cookie jar a bunch of times already and | they're just developing a sweet tooth, so...). | | Full disclosure: I've been using only iPhones for 12 years and | am still using one today. | dontbenebby wrote: | >Apple is positioning itself to become a major player in the | advertising space and - with a dwindling economy and an | increased pressure to sustained growth from shareholders - | that's going to continuously encroach on our privacy | guarantees for monetization purposes. | | Or they could sell us a rugged iPhone with a removable | battery and SD card slot to extend storage but keep the | proprietary OS to keep the music/movie ppl happy plus keep | out malware not sent via FISA warrant, but if they did that | Tim Cook might jump off the top of the donut apparently, so | they keep going the way you describe. | GeekyBear wrote: | > Apple is positioning itself to become a major player in the | advertising space | | Advertising does not require that you spy on each individual | person. 
| | Google, for instance, used to show you ads based only on your | search keywords. | judge2020 wrote: | > Google, for instance, used to show you ads based only on | your search keywords. | | This is still true. You basically never see personalized | ads on search, since getting a contextual ad for cruises | when searching for programming answers probably isn't going | to end up with many clicks. Instead, it's only really | 'Google Ads' (AdSense on other websites) and YouTube where | personalized ads result in higher CPMs. | | (Although Google does indeed use your search history for ad | targeting.) | katbyte wrote: | outside of appstore ads and ios ads for their services, where | is apple doing advertising? | falcolas wrote: | Throughout their News app for one. | HL33tibCe7 wrote: | Apple News is an unusual miss by Apple imo. It's just not | "Apple", like everything else they do is. | thewebcount wrote: | Yeah, this has been so depressing to see. I disliked that | there were ads when I signed up, but it was part of a | bundle with other things (arcade, music, tv, fitness, | etc.), so I gave it a try. But they've been increasing in | frequency and they've been added to places they didn't | exist before (like when you swipe to see the next | article). It's still nowhere near as bad as reading a web | page without an ad blocker, but it's definitely past my | threshold of pain, and so I'm just using it less. I want | the other things in the bundle, so they'll count me as a | subscriber, but I'm using it less each day. | | What's particularly odd is that some articles have no ads | at all. Some have the same ad repeated literally 3-5 | times in a short 1,000 word article. And the ads are all | trash. They seem like those awful chum-boxes you see on | web sites. Who in their right mind thought this would be | appealing to the typical Apple user? I mean, regardless, | I have never intentionally clicked on any ad on the web | in 30 years, and I'm not going to start now. 
| | It's sad because it's exposed me to regional newspapers | from around the world. I live in California and see | articles from newspapers in Idaho, Utah, Connecticut, | upstate New York, Dallas, Miami, Chicago, etc. and even | from other (mostly English-speaking) countries like | Canada, England, Ireland, Israel, and Australia. They | even include some (English-language) stuff from China. I | don't normally see news sources that diverse on the web | because it takes more effort. But the ads just make it | not worth it to continue using. | brewdad wrote: | News+ silently dropped one of my preferred news sources | last week. No updated articles for a week now and it's no | longer listed on the news sources page on the web site. | Oh well, I'm still in a free 6 month trial but no longer | intend to become a paid subscriber next year. | ziml77 wrote: | Even with the amount of leverage they have to control | third parties, media companies are too big for them to | control. I'd be willing to bet they had little choice but | to let the various publications run ads as they please. | Those companies don't need to be available on Apple News+ | to survive. But Apple News+ has no chance without them. | rekoil wrote: | Lol, the News app is available in like two countries. | sn0wf1re wrote: | And "news" in Stocks | nomel wrote: | Are these ads? If I see a large derivative, I can usually | glance down at the relevant news to see why. More often | than not, it says "No Recent Stories", which shouldn't be | the case for an ad. | | The news articles in the main view are just top business | stories from Apple News. I don't see anything ad like at | all, actually. | nullwarp wrote: | In the settings app they advertise iCloud if you aren't | using it | kaba0 wrote: | If you consider that an ad, then we are not talking about | the same topic.
Like sure, pedantically it is an ad, but | is not the kind people mind or hurts their privacy at | all, nor does it have shady incentives (it is not a | third-party service). | riversflow wrote: | > ios ads for their services. | | I hate ads, but for most people paying some bucks a month | to make sure their 2nd brain of | photos/notes/passwords/texts/etc is totally (and now | privately) backed up is a worthwhile insurance policy. | | I think the argument that advertising iCloud plan | upgrades in settings, where you'll be pointed to if you | run out of backup storage, is very benign as far as ads | go. Although I do think that they should have a method to | dismiss it(I don't see this so I'm projecting that they | don't). | HeckFeck wrote: | It is much, much less obnoxious than the constant nagging | to use Edge and OneDrive we see in Windows. | | Windows even sent a notification questioning my choice to | disable location tracking. | howinteresting wrote: | Yes, Apple is slightly less bad than Windows. On the | other hand, Linux doesn't have any ads (other than the | silly ones Ubuntu is trying to push on the command line | these days). | theshrike79 wrote: | So by this definition Firefox is advertising Pocket? | cies wrote: | Clearly. That was the main problem voiced when they | started doing this, wasn't it? | kergonath wrote: | > we already know by now Apple is positioning itself to | become a major player in the advertising space | | We don't know that. We know that they put ads in the App | Store, that's it. I wish they did not, because it made the | store even more of an unusable mess, but it really is not | even in the same league as Google and Facebooks, systematic | surveillance. | | > increased pressure to sustained growth from shareholders | | This sounds truthy, but is there any evidence of this? Apple | is famously the company that tells rent seekers after more | ROI above all to fuck off (both Jobs and Cook). 
| | > I'm advocating for an open and interoperable ecosystem of | operating systems, services and applications, which is the | only way to ensure sustainable customer freedom. | | Now that's a real point, which deserves more than being | buried after a paragraph of half-truths (and I almost | entirely agree, FWIW). | | > It's good to be passionate, but blind devotion is | dangerous, | | After starting a post like this, it is disappointing that you | fell in the trap you warned the OP about. Being contrarian | and using mis-informed tropes is not a good way of having a | rational discussion. It is not being cool or clever at all. | sircastor wrote: | > Apple is famously the company that tells rent seekers | after more ROI above all to f off (both Jobs and Cook). | | One of my favorite CEO moments comes from Tim Cook on an | earnings call: "If you want me to do things only for ROI | reasons, you should get out of this stock," And then more | recently "If you're a short-term trader, do not invest in | the Apple stock," | | I understand both, but it's so odd to hear a CEO tell | people "no, we don't want your money" and I will grant that | Apple is luckily not in the position of needing it. | manigandham wrote: | Everyone in adtech knows it. Apple (and Amazon) are both | rapidly growing their advertising businesses. | | And 30% take rate of everything from your app including | later subscriptions and services is extremely rent-seeking. | johnmaguire wrote: | > We don't know that. We know that they put ads in the App | Store, that's it. I wish they did not, because it made the | store even more of an unusable mess, but it really is not | even in the same league as Google and Facebooks, systematic | surveillance. | | They also put ads in Maps, Stocks, and News, and they | "started asking people last year if they wanted to enable | personalized ads on these apps."[0] | | > This sounds truthy, but is there any evidence of this? 
| Apple is famously the company that tells rent seekers after | more ROI above all to fuck off (both Jobs and Cook). | | "Inside the ads group, Teresi has talked up expanding the | business significantly. It's generating about $4 billion in | revenue annually, and he wants to increase that to the | double digits. That means Apple needs to crank up its | efforts. "[0] | | Plus the advertise iCloud in the Settings app with a red | badge, which is just annoying. | | [0] https://www.forbes.com/sites/kateoflahertyuk/2022/08/15 | /appl... | plusminusplus wrote: | >> Apple is positioning itself to become a major player in | the advertising space | | > We don't know that | | "Apple's VP of advertising platforms Todd Teresi has been | asked to bolster annual revenue into 'double digits' from | about $4 billion today" (Aug 2022) | | https://www.forbes.com/sites/kateoflahertyuk/2022/08/15/app | l... | madeofpalk wrote: | > Apple is famously the company that tells rent seekers | after more ROI above all to fuck off (both Jobs and Cook). | | The App Store, and their demand of 30% of all revenue that | passes through an iPhone is the most infamous example of | digital platforms rent seeking. | adamwk wrote: | Android has the same cut for their in-app purchases | random314 wrote: | > We don't know that | | The only way for a 2T business to grow is by expanding the | Services business significantly, in some market that is | already known to be close to half a trillion dollars in | revenue. | | You really think Apple is trying to make small change with | ads in Apple Maps?! | dwighttk wrote: | >we already know by now Apple is positioning itself to become | a major player in the advertising space | | Do we though? | adra wrote: | Subjective and rhetorical, but yes lots of people think | there's too much money on the table to just eschew ads in | their products. 
Let's be honest, Apple has a captive | market, and their largest real issue is that they make too | much money and can't find anything to spend it on. | dwighttk wrote: | I'll give you "lots of people think..." but not "we | already know..." | | And "ads in their products" but not "a major player in | the advertising space" | jeffbee wrote: | Speaking of blind devotion to memes, is there any objective | data, anywhere, of any kind, that indicates a "dwindling | economy"? | widowlark wrote: | Apple offers hi res audio, but most cant and wont take | advantage of it. Why? because most users of apple music use | AirPods, and apple claims lossless wireless audio is not | possible (despite the existence of LDAC). Therefore, you are | streaming hi res audio to your phone only to downscale it when | listening via your headset. Only people who really benefit are | carriers, who can rate limit your data. | | https://support.apple.com/en- | us/HT212183#:~:text=Can%20I%20l.... | ir77 wrote: | "most can't and won't take advantage" of it is a broad | statement. i would think there are a lot more DAC/lighting | adapters and analog headphones in the world than there are of | AirPods, anyone that wants to listen to CD (16/44) quality | can probably do so for free or a few $ already. my home "hi- | fi" now consists of an old iPhone 8+ hooked up to a DAC piped | into my receiver utilizing 24/96 setting from iTunes, no | longer need for Tidal or Qobuz. | kaba0 wrote: | With high enough "resolution" does it really matter? (Don't | trying to start a fight, genuinely curious as I'm not too | well versed in audio) | | We don't cry over bitmaps vs vector graphics in most | contexts, especially that the hardware is trivially limited. | It's probably a bit more nuanced with speakers, but I imagine | that they also have very real limits on distinguishable | outputs for a given input, even if it is not as trivial to | see as in the case of a w*h pixel grid of depth n. 
| WhackyIdeas wrote: | Yeah but it's still basically the great philosophical question | of the douche or the turd sandwich. | | With everything that has happened with Apple since Job's death, | my trust has been eroded so much that yeah I still use Apple | but they are the turd sandwich at the end of the day. I trust | Google a percent or two less. | | I like that they are doing with this E2E encryption. It | protects against hackers better. It doesn't protect against | Apple though... they will still continue to sell the analytics | on you. Which is fine if you don't care. | OOPMan wrote: | Yeah man, they're really swimming up river. They being the | majority of people across the world who can't afford Apple's | prices. | | It must be nice to be so full of shit you can be so blithely | oblivious. | | Next you will no doubt tell me that if you're too poor to | afford Apple's prices you deserve to have your data monetized | and mined? | eastbound wrote: | > the don't care to scan your pictures with AI 20 different | ways | | They actually systematically scan photos and declare people to | the police if IA determines it looks wrong. | | With Apple, you're at risk of losing your business just like | with any other company who wants your data. Apple didn't solve | the "An offline account is better than a Cloud account" | problem. | yreg wrote: | >They actually systematically scan photos and declare people | to the police if IA determines it looks wrong. | | Obviously the commenter is talking about the new E2EE plan. | No way to scan it then, under they do it on device, which | they also walked away from. | timmytokyo wrote: | > They actually systematically scan photos and declare people | to the police if IA determines it looks wrong. | | Apple was developing this technology, but they dropped their | plans. | | [0] https://www.theverge.com/2022/12/7/23498588/apple-csam- | iclou... 
| skrowl wrote: | He's very excited to get something android has had for a decade | now | scientism wrote: | They mine your data as long as it can be converted into a | marketable product for them. The most recent example was this: | https://9to5mac.com/2022/11/21/ios-privacy-concerns-deepen/ | | Maybe images/photos isn't something they want to expand at this | moment in time but let's not get ahead of ourselves. | behnamoh wrote: | They might mine your data BEFORE it leaves your device. | Thanks to the new A chips, Apple can definitely do that. | kaba0 wrote: | I mean, if you can't trust the very OS that handles your | encrypted data, then you are lost either way, so that | argument doesn't make sense. It is similar security LARPing | then hardware kill switches. | mejutoco wrote: | This. Technically the iphone can process images locally. | Photos app shows what is in the picture (faces, pets, food) | and can do ocr on text in screenshots and photos. This is a | very real possibility to outsource the processing to your | device. | nonameiguess wrote: | The camera itself does software processing and you can't | encrypt the light. It detects faces even before you click | the shutter for capture. There is no way to keep the | device itself from ever knowing what it was looking at. | Something _that_ sensitive is something you don't | photograph. | mejutoco wrote: | we agree I believe. I am saying that technically the | device gets that information on-device, and could send | it. Idk if that is the case, but it is possible. | | Edit: The ocr and face recognition on the iphone is | definitely more advanced than usual, thanks to the custom | hardware on device. | [deleted] | thrashh wrote: | Very few people I know who choose Spotify vs Apple Music or | iCloud vs Google Photos know anything about hi-res music or E2E | encryption | | Outside tech people I know at least | yreg wrote: | Hi-res music isn't important, but E2EE is.
| | It's fine that very few people care Apple is very good at | attracting customers without it anyway, so it's not the | classical situation where we, tech people should feel sorry | that non-tech people "just don't get it" and don't use Apple | services. | | And lastly, if indeed no customers care, then that speaks for | even bigger respect toward the individuals working at Apple | who pushed for this and made it happen. (But I think Apple | believes this will be a good business decision, not | altruism.) | alfalfasprout wrote: | > they just ate every other 3rd party "secure" backup services | lunch just like they did to the Hi-Res music industry. | | Cross platform support is always a problem though. And frankly | I don't buy the "like they did to the hi-res music industry"-- | Spotify is still king here. | dancemethis wrote: | ...You believe them? After PRISM and all the things revealed in | the last decade and half? | | They DO want people's data, and they DO hoard it. If they | didn't, they would share the source code with the community. | kaba0 wrote: | That's a non sequitur. Also, there is no reliable way to | check whether a given source code is the actually deployed | version, neither on servers, nor local devices. | namdnay wrote: | > They're giving you 2TB+ of space | | No they don't. They sell it to you | sneed-oil wrote: | > seriously, anyone at this point advocating for any other | phone/os/service out there besides apple is really going out of | their way to swim up river. | | Their software is not open source. Before this announcement you | had to trust Apple not to look into the files you store in the | cloud, now you have to trust that they're actually going to | encrypt your files and not save the decryption key. Ultimately | you still have to trust Apple. A combination of any open source | OS, any cloud provider and Cryptomator or Veracrypt wouldn't | require as much trust in one company. 
| beeboop wrote: | I think this is less of an issue than you might think - if | they're going to decrypt for law enforcement then it will | become painfully obvious there's a backdoor literally the | first time evidence is brought to a court that _shouldn't_ | have been available without a decryption. | cromka wrote: | Not to mention employee whistleblowing. | StillBored wrote: | But that could be a very long time if they just apply some | form of parallel construction to most cases. They aren't | going to burn such information on the first low level | criminal/CP target they find. Instead they will wait 5 | years and then sweep up a bunch of people involved in some | criminal "ring". | | And the problem with all these services that provide some | kind of E2EE encryption and still have a way to push | application updates (or run something in your browser), is | that they just slip a version on your machine that sends | the password to the feds/whoever when you type it in. | kaba0 wrote: | Arguably, the chance of fckup might increase, as now you get | the problem of integration which will quickly increase the | surface area to n*m. | ir77 wrote: | my comment was not against someone 100% paranoid using | GrapheneOS and doing their own backups somewhere and trying to | figure out how to get a good google maps alternative in open | source. | | my comment was that against main stream companies apple leads | the way, and it's overall great for a consumer. | | do you personally expect every piece of open source software? | do you run your own email servers, music servers, photo | backups, etc.? If not, you somehow trust those companies -- | why? | rollcat wrote: | Acceptable security afforded today - through usability - is | better than superior security, that could've theoretically | been gained, but wasn't, because it was too difficult to set | things up.
| | In particular, reviewing open source code has been repeatedly | proven to be way harder of a task, than the proponents of | this strategy are painting it to be. If you want an auditable | codebase, you pretty much have to throw Linux, | Chromium/Firefox, Gnome/KDE all out the window - there's just | way too much code. | | Auditable code is naturally always preferable to non- | auditable, but you need to choose your trade-offs - or at | least stop pretending you can read a hundred million lines in | your life time. | | On top of that - do you know a single non-tech person who | knows how to set up a VPS, or knows what Veracrypt is? OTOH I | can just show my wife: click here to enable backups. | | Let me reframe the problem: What is your threat model? How | much effort are you willing to commit to mitigate the | dangers? | counttheforks wrote: | > 1) they just ate every other 3rd party "secure" backup | services lunch just like they did to the Hi-Res music industry. | | This is an excellent point as to why you shouldn't even bother | trying to develop software for apple machines. If it's anywhere | near successful apple will just destroy you, after having taken | a 30% cut from your revenue for years. | juve1996 wrote: | Apple will destroy you regardless, they're a megacorp. If the | software is good but only on windows they'll just make their | own. | kaba0 wrote: | While I am the very first one to fight for allowing side | loading on apple devices, didn't Netherland's dating services | decided in the end to go with Apple's payment processing even | with that cut? | pixl97 wrote: | Embrace, extend, extinguish. Hmm, who is Apple trying to | become? | kergonath wrote: | Sherlocking is a very old issue. It has nothing to do with | what Apple is trying to become _now_. | behnamoh wrote: | I get this sentiment, but where do we draw the line? | Shouldn't OS makers (Apple, Microsoft) add additional apps | just because third party developers have done it already? 
| enjo wrote: | That's exactly the antitrust issue Microsoft ran into | isn't it? | bink wrote: | Microsoft had something around 95% of the desktop market | share in the 90s. Apple is not anywhere close that. I | would agree it's similar in behavior but not intent. | Microsoft was terrified of the Internet and applications | that could "run anywhere" so they tried to control how | people accessed the Internet. Apple is arguably adding | these features because it's what their users want. | spogbiper wrote: | > Microsoft was terrified of the Internet and | applications that could "run anywhere" so they tried to | control how people accessed the Internet | | I see reflections of this throughout the history of the | iPhone. Apple has always controlled how people access | both the internet and even what applications they can | install. Every "browser" on iOS is just Safari with a | skin for example, because Apple will not allow any other | browser engine. | smoldesu wrote: | > Apple is arguably adding these features because it's | what their user's want. | | Apple would certainly argue that, yes. Foremost though, | they're adding it because it's what _Apple_ wants, and | conveniently converges with the desire of the user. | pixl97 wrote: | I would state it as this | | "If you buy a phone or general purpose computing device, | you have the legal right to choose your app store and | applications installed on it separate from manufacture | demands". | | The particular problem with Apple is not only duplicate | your app, they can underprice it by 30% because they | don't self pay their own store tax, and they can kick you | out of the only app store for whatever reason they choose | to make up that day. | vel0city wrote: | I remember back in the early days of the iPhone, new | feature releases would coincide with lots of apps being | removed from the app store with the reason "this app | duplicates core functionality of iOS."
| abbusfoflouotne wrote: | I like this view, though many people aren't just | purchasing the phone from Apple, they are purchasing the | OS and integration into the Apple ecosystem. Definitely | think the user should have the option to pick the app | store though | arghnoname wrote: | Apple doesn't seem to be in the business of selling | software very much. Instead it's mostly used to increase | the value of the hardware. The stuff I've seen them | incorporate that at one time were apps weren't 30% | cheaper when bought from Apple, they were free (i.e., | they came with the device). | | If they think some third party feature should be part of | the core experience, they're going to incorporate it. | This is true when building on anyone's platform (e.g., | Microsoft, Facebook). Non-core experiences, like domain | specific software, are less likely to suffer this fate. | It's similar to when MS decided to ship a browser. God | help you when the platform you're on decides they want to | subsume your features. | makeitdouble wrote: | > Apple doesn't seem to be in the business of selling | software | | As sheer hardware revenue growth slowed, they moved their | focus to services [0]. That's also what we're seeing on | their push into more ads for instance, and this new | feature goes the same direction: to benefit these | encrypted backups you'll need to sign up for storage. For | most people wanting to cover more than one device, | they'll probably end up with the 2Tb plan which is at 10 | bucks a month, the bare minimum 50GB being at 1$ a month. | | [0] https://www.insiderintelligence.com/content/how- | services-bec... | smoldesu wrote: | > Apple doesn't seem to be in the business of selling | software very much. | | This is veritably false, they made $80 billion selling | software this year. You might not see the App Store as | software revenue, but Apple certainly does. 
| behnamoh wrote: | Spotify is pretty successful and yet, Apple went in direct | competition with them, using APIs that only Apple gets to use | in their Music app (like integration with Siri). | j16sdiz wrote: | You can change the default music app for siri since ios 14 | | https://www.macrumors.com/how-to/set-preferred-music- | streami... | hnav wrote: | In the car today I asked Siri to play me a particular | song (I have had Spotify defaulted for a while), it | helpfully signed me up for a 7 day preview of Apple Music | Voice and started playing it there! Where's the FTC? Is | Apple too big to fail? | kaba0 wrote: | "Play X song on Spotify" also works. | vanilla_nut wrote: | And yet I still can't change the default music app that | opens on macOS when I hit the media keys! | [deleted] | DrBenCarson wrote: | You can easily map your own macros.... | smoldesu wrote: | Or use Linux, the highly advanced MPRIS protocol is | capable of tracking _multiple media applications_ and | presenting their playback controls. It 's like space-age | tech! | threeseed wrote: | iTunes Store predates Spotify by 3 years and the idea of a | subscription model was hardly unique to them. | | Also Spotify has access to all of the APIs it needs. It | just refuses to use them. | marcodena wrote: | https://www.timetoplayfair.com/ | ir77 wrote: | ok, i may buy your argument from a perspective of a brand new | cloud storage provider that's try to come up online and break | into the market, but you're telling me that Dropbox, | OneDrive, Box., etc., are all indie developers living in | their parent's basements? These companies made a conscious | choice not to offer encryption and now got the rug pulled out | from under them. steve jobs famously said that this "Storage" | is just a feature, not a product, and now they've proved it. 
| | additionally, as far as i can see, those apps all free to | download and you can buy their plans outside of the apple | ecosystem and thus they get a free ride in the App Store | without giving away any cut to apple. | fleddr wrote: | Similar model that Amazon uses. | | You pretty much have to be on their store to sell something, | which means you give them access to your sales and customers. | Which is a concept that is absolutely wild in any normal | healthy competitive landscape. | | Then they'll monitor and if you manage to actually be | successful, 3 months later there's an Amazon Basics version | of your product. | | It's so incredible to me how these practices get no push- | back. There used to be a time where in the case of Windows, | people were wondering if its fair that they ship it with a | calculator program. Now you can just use your massive | platform and extend in every possible direction, seize | secondary markets, nobody seems to care. | yunwal wrote: | > anyone at this point advocating for any other | phone/os/service out there besides apple is really going out of | their way to swim up river | | Ok, come on. What apple's done here is great, and I personally | use an iPhone, but you couldn't think of a good reason to use | anything else? An open-source OS? | smoldesu wrote: | Any phone that doesn't trust the user to install software | shouldn't be called "consumer centric". | kaba0 wrote: | The GNU/linux distros (in contrast to android) available for | mobile phones are so far from usable, it is not funny. | Android is a viable choice, but only if it doesn't come with | all the shit from the vendo/Google, which gives you | effectively.. a pixel phone with GrapheneOS? Not too much of | a choice, especially if you would like to filter based on | hardware as well (where apple is just laughably ahead, | iphones are ~2 generations ahead in raw performance) | thih9 wrote: | > They don't want your data. They're not Google/FB/Amazon. | (...) 
| | Note that they still want some data, especially given the | recent increase in advertising activity. | gtvwill wrote: | >>>seriously, anyone at this point advocating for any other | phone/os/service out there besides apple is really going out of | their way to swim up river. | | Lol I would never advocate for any company I engage with to use | Apple products. Why? Because they suck. iPhoto and iCloud are | pieces of trash. Most basic thing like, delete local but keep | cloud copy seems to be missing. Can't keep an iPhone synced and | do this with iCloud. Lulz worthy sitcho. | | Also can't even copy files off device easily. Can't put custom | apps on devices easily. The company actively kicks back against | things like, freedom of information, following standards, | reducing e-waste. | | You know some of us make decisions around the companies we | support on greater levels than just feature a or b is present | in device. Apple are a predatory company that in no way promote | a software or hardware ecosystem that is ethical imho and they | don't promote one I want to participate in. | | I wouldn't touch their shit with a barge pole and on top of this | due to being IT every time I'm forced to I'm mostly confused by | wtf folks think is so great. I legit find the kids' toy UX | difficult to work with, borderline impossible. | | I also like blowing clients away with simple tasks | like....copying photos to a usb...browsing files on my phone on | a pc. You know the basic stuff like they used to do when they | were younger but Apple cucked it along the way for zero reason | lol. | jdiez17 wrote: | > Also can't even copy files off device easily. | | See https://news.ycombinator.com/item?id=33898890. | | > Can't put custom apps on devices easily. | | You will, from May, thanks to the EU Digital Markets Act. | | > [...] simple tasks like....copying photos to a | usb...browsing files on my phone on a pc.
| | You can do this with ifuse: | https://github.com/libimobiledevice/ifuse | rOOb85 wrote: | > You will, from May, thanks to the EU Digital Markets Act. | | Is this fact? Last I read about this the law was passed, | but it's still unclear if Apple will actually allow this. | | I absolutely would love if I could use the latest version | of iOS and install apps that are not in the App Store. I'm | currently using TrollStore to do this but that means using | older versions of iOS that are vulnerable to exploits. | jdiez17 wrote: | So far Apple doesn't seem to be interested in breaking | the law. | gtvwill wrote: | May isn't today. | | Downloading some random GitHub app to access a phone's | storage sure as shit won't be happening on any managed | corporate devices I deploy. Or unmanaged devices tbh. | That's the kinda shit I leave for quarantined VMs. | | Data is still not easily accessible once it's on an iPhone. | jdiez17 wrote: | Okay... then use iTunes on Windows or Mac? (Not sure how | those work, never used them, but I assume they provide | the same functionality as imobiledevice) | gtvwill wrote: | Nah I thought that was the case too. Turns out it is not. | Had a client's employee ask me for help w/ her iPhone about | 2 weeks back. 32GB phone, no storage space left on device | so it legit just stopped working, wouldn't receive texts | or anything cus it was full. So client's like, help me get | photos off phone onto a USB or set photos to store in | iCloud only and I'll delete the phone copies (well this is | what I thought was an option because I can do it w/ just | about every other backup software I use). Turns out big | fat nup to either option. Only way she could delete | phone photos but keep cloud ones was to disable sync | entirely (lol wtf is the point of linked cloud if sync is | so shithouse?). Plug phone into iTunes, all you get re.
| access to device is no ability to view pics as files to | extract, you can't even control apps on the device (good | luck finding out what Apple referred to as other Apple | software that used up >30% of phone's internal space it | just gets all lumped in under one grey color of storage | being used). | | Got forced to use an iPhone 11 or someshit a few years | back as a company issued device. Man it was alright at | making phone calls, complete POS for doing any actual | work on. Basically found it to be an overpriced | paperweight that could take ok photos but was impossible | to retrieve photos from. No I don't want an iCloud account | or any of that bs I just want to plug in to pc and pull | files like I've been doing for 25+ years on every other | platform I've ever used. | jdiez17 wrote: | https://support.microsoft.com/en-us/windows/import-photos-an... ? | | Also, https://support.apple.com/en-us/HT201301 ? | jjtheblunt wrote: | > anyone at this point advocating for any other | phone/os/service out there besides apple is really going out of | their way to swim up river. | | in financial circles, an immediate thought would also be "is | such a person short AAPL?". | bobsmith432 wrote: | iamjake648 wrote: | Except for the 88 million who do? | selectodude wrote: | That's "quite literally" not true as I use Apple Music. So | there you go. | macshome wrote: | If around 80 million subscribers is nobody, then you are | correct. | Iv wrote: | Give me open source dev tools for the iPhone and I'll jump. | | While it is a closed garden, I'll begrudgingly accept it can be | marginally better in some fields than other options, but Apple | tries very hard to be a proprietary island in a world that has | switched to free software. | HL33tibCe7 wrote: | That really isn't true when it comes to phones, though. | youniverse wrote: | What about something like Proton Mail? They also have encrypted | drive I believe but I'm not sure.
| hilyen wrote: | If they're still hashing files, it's not end to end. | | An anecdote, an activist had a document in their Google Drive. It | was not something people high up wanted being distributed. It was | deleted not just from their account, but platform wide. Guess how | they did that? Its hash. | brundolf wrote: | Activists could always salt their own files by adding some junk | content to the end (or cropping images by one pixel, cropping | video clips by a fraction of a second, etc.) | sneak wrote: | It also allows them to track the contact/social graph of all | users based on clusters of who has the same unique file hashes. | | Then again, they already have everyone's address books and | iMessage traffic, so I guess they already have that data for | most of the industrialized world. I wonder who else will | preserve copies? | smoldesu wrote: | 100% - this was my largest concern when they announced | perceptual hashing, and it seems to be the big takeaway here. | Of course, this is a concern with most online hosting | services, but at Apple's scale it's pretty scary to consider | the possibilities. | BudaDude wrote: | You are correct, but how could Apple solve this issue without | hashing? Syncing files alone without E2E is tricky. I can't | imagine a way to sync files between devices without having some | sort of hash or id. | n3t wrote: | You encrypt a file first, then you calculate hash of the | encrypted file. | AtNightWeCode wrote: | Great! This is not the common attack vector for data in iCloud | though. | Sirened wrote: | What is the common vector? Who is the common adversary even? I | suspect governments compromise more accounts with warrants than | hackers ever do with stolen creds | dopu wrote: | It is becoming increasingly difficult to not just recommend an | iPhone to the average person with privacy/security concerns.
| Sure, you can tell them to go the GrapheneOS route, but I don't | think you can trust the average user not to just go and install | Google Maps/Google Photos/etc as soon as the alternative FOSS | option inconveniences them. I've certainly struggled with this. | Then they're arguably worse off than if they'd just stuck with | the Apple equivalents. | RjQoLCOSwiIKfpm wrote: | Their software is NOT open source (well, some parts are, but | AFAIK it's a minority). | | Thus the privacy claims are just advertisement, there is no way | to verify them. | | Apple devices might as well be fully backdoored. | madeofpalk wrote: | Apart from some very niche options, so is everything else. | | This is about trust. If you don't trust the manufacturer of | your hardware (or developers of software), that puts you down | a very specific path of what you can happily purchase. | therealmarv wrote: | The marketing is strong with Apple. | hackmiester wrote: | Also the products, though. | DrBenCarson wrote: | If by marketing you mean product development and putting | their money where their mouth is, yeah, it's pretty strong. | | There isn't another mainstream product that offers that. | therealmarv wrote: | People seem to forget fast (this is only 2 weeks ago) | https://gizmodo.com/apple-iphone-privacy-dsid-analytics-pers... | HL33tibCe7 wrote: | I'm a FOSS person and run Linux as a daily driver. But I | recommend every single person who asks to just buy an iPhone or | a Mac (if they can afford it). The user experience alone is so | superior to the other options. Security and privacy too, these | days. | pixl97 wrote: | Apple produces a very nice set of golden handcuffs. Polished | shiny look, comfortable fur lining. Customers are really | going to scream bloody murder when Apple latches them down | tight. | | The problem here is we are wholly dependent on Apple's goodwill. | It is not required in any way (hence Google's behavior).
At any | moment Apple can revoke said goodwill and exploit us to our | heart's content and we will have no fallback whatsoever | because we decided to let the market codify our freedoms rather | than preventing companies from being ruthless. | Terretta wrote: | Let's assume they do _eventually_ flip their brand on its | head and turn on the users. | | While waiting for them to latch you down tight, you could | have already been enjoying the most consumer-centric and | privacy-conscious _mainstream_ mobile OS since 2007. | three_seagrass wrote: | >Let's assume they do eventually flip their brand on its | head and turn on the users. | | Chinese customers don't need to wait. Apple flipped | sometime in 2017 and gave up all user emails, photos, | messages, etc. to the CCP to stay in the market. | | People complain about TikTok spying for China, but Apple is | one of the biggest CCP spies around. That runs counter to | the brand headspace they keep investing in though. | Omniusaspirer wrote: | I'll never understand people who expect Apple to try and | fight the CCP and inevitably get themselves barred from | the Chinese market. It's not principled, it's just dumb | and will completely screw over all of their current | customers in the country who will now have useless | devices. Apple is not a nation-state and has no judiciary | or military power, and if they're to have any hope of | making positive change in the country they need to play | ball to some extent and become a large player who can | actually exert some influence. | three_seagrass wrote: | >I'll never understand people who expect Apple to try and | fight the CCP and inevitably get themselves barred from | the Chinese market. | | People have this expectation because other companies have | done this. | | For example, Google employees revolted when dragonfly was | leaked, and got the CCP search-spying project killed.
| It's weird to think that Google cared more about user | privacy than profits than Apple does, but that's how | weird the branding works here. | pixl97 wrote: | "I am in a benevolent dictatorship, nothing ever could go | wrong" | | Just because Apple is playing nice at the moment, there is | no reason not to force them, and all the other players to | have a legal requirement of playing nice. I mean, the hog | that is fattened for slaughter thinks its life is great, | right up until it's not. | judge2020 wrote: | Except Apple does not have a police force that will | detain you if you try to leave after they institute | less-desirable products, and I'm sure they'd lose a lot of | money and value if they literally disabled data exports. | Spivak wrote: | "I'm not worried if the benevolent dictator turns on me | because on that day I'll just stop using an iPhone." | stouset wrote: | I've been using an increasing number of Apple products | since 2006 or so, after having used Linux for a decade | and Windows from 3.1 through 2000. | | If it's a benevolent dictatorship, it's undeniably been a | good one to me over nearly half my life. If they ever do | turn, I can always just leave. But what is and/or was my | alternative? The less-benevolent dictatorships of Google | or Microsoft? Spending inordinate amounts of time and | effort making a hodgepodge of various Linux devices work | together (often unsuccessfully)? I'll pass. | phpisthebest wrote: | >>most consumer-centric | | the fact you believe this is true today is most telling, I | do not find them to be "consumer-centric" they have very | draconian policies and if your use of the device fits in | their narrow band of use cases then it is fine, if it does | not you are SOL | judge2020 wrote: | Given they accommodate over 50% of United States | residents[0], I'm not sure the band is as narrow as you | say it is.
Of course, for those it doesn't accommodate, | there is a different product that hopefully better fits | their use cases. | | 0: https://9to5mac.com/2022/09/02/iphone-us-market-share/ | snowwrestler wrote: | If I don't like what Apple does with iMessage, I can move to | WhatsApp. If I don't like what Apple does with photos, I can | move to Google Photos. If I don't like what Apple does with | iCloud, I can move to Dropbox. If I don't like what Apple | does with iOS, I can move to Android. | | What am I missing? How am I handcuffed to Apple? | smoldesu wrote: | And if you don't like Safari? Gotta sell the whole phone, | sorry bud. | madeofpalk wrote: | Why would someone not like Safari? | | There is a Chrome app on iOS. I don't think many people | pick their browser based on rendering engine, but rather | on actual browser UI and features (like sync). | smoldesu wrote: | Guess it's a shame I'm one of those people then, all | infatuated with silly things like 'options' and 'choice'. | WorldMaker wrote: | I use Firefox just fine on iOS. Sure, it's just user | chrome and Firefox Sync, but those are the things I care | a lot more about than the rendering engine. | | I'd love to support Gecko on mobile too, as I've moved | the vast majority of my desktop usage to it, but Webkit | is still fighting the Blink/Chromium hegemony, too, and | that's still fighting the good fight. | smoldesu wrote: | > and that's still fighting the good fight | | Not if they treat user freedom as their enemy. | snowwrestler wrote: | Yes, exactly, I can switch phones. Doesn't seem like | handcuffs to me. | [deleted] | pixl97 wrote: | You seem to miss that you're switching the golden | handcuffs for rusty uncomfortable handcuffs with the | spikes facing inward. | | "It's a free market because I have the choice between two | brutal masters!" | vbezhenar wrote: | What will you do when Apple would delete Whatsapp from | AppStore? 
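Added example, not part of any comment in this thread: the hashing exchange above (hilyen, brundolf, sneak, BudaDude, n3t) modelled in Python. The provider index, account names, sample document and per-account keyed id are constructed assumptions and do not describe how iCloud works; the HMAC-based cipher is a stdlib-only stand-in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def subkey(master: bytes, label: bytes) -> bytes:
    """Derive an independent key per purpose from the account's master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in cipher, use a vetted AEAD in real code.
    stream = bytearray()
    counter = 0
    while len(stream) < length:
        stream += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(stream[:length])


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce; returns nonce || body || tag."""
    nonce = os.urandom(16)
    stream = _keystream(subkey(master, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(subkey(master, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(subkey(master, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(subkey(master, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def keyed_id(master: bytes, plaintext: bytes) -> str:
    """Content id the user's own devices can recompute; the key never reaches the server."""
    return hmac.new(subkey(master, b"content-id"), plaintext, hashlib.sha256).hexdigest()


class ProviderIndex:
    """Constructed model of a provider that indexes stored objects by checksum."""

    def __init__(self):
        self.holders = {}  # checksum -> set of account names

    def record(self, account: str, checksum: str) -> None:
        self.holders.setdefault(checksum, set()).add(account)

    def accounts_with(self, checksum: str) -> set:
        return set(self.holders.get(checksum, ()))

    def shared_checksums(self) -> int:
        return sum(1 for accounts in self.holders.values() if len(accounts) > 1)


def compare_schemes() -> dict:
    document = b"constructed sample: minutes of a planning meeting\n"
    accounts = {"alice": os.urandom(32), "bob": os.urandom(32)}
    plain, cipher, keyed = ProviderIndex(), ProviderIndex(), ProviderIndex()
    for name, master in accounts.items():
        plain.record(name, sha256_hex(document))                    # checksum of plaintext
        cipher.record(name, sha256_hex(encrypt(master, document)))  # n3t: hash the ciphertext
        keyed.record(name, keyed_id(master, document))              # per-account keyed id
    known = sha256_hex(document)  # whoever holds a copy of the file can compute this
    alice = accounts["alice"]
    return {
        # hilyen / sneak: a plaintext checksum names every account holding the file.
        "plaintext_hash_holders": plain.accounts_with(known),
        "ciphertext_hash_holders": cipher.accounts_with(known),
        "ciphertext_shared": cipher.shared_checksums(),
        "keyed_shared": keyed.shared_checksums(),
        # brundolf: trailing junk defeats exact matching on a plaintext checksum.
        "padded_copy_matches": sha256_hex(document + os.urandom(8)) == known,
        # BudaDude: a ciphertext hash changes on every re-encryption, so it identifies
        # one blob, not one file; the keyed id stays stable across the user's devices.
        "reencrypt_hash_stable": sha256_hex(encrypt(alice, document))
        == sha256_hex(encrypt(alice, document)),
        "keyed_id_stable": keyed_id(alice, document) == keyed_id(alice, document),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

The trade-off the output shows: hashing ciphertext or using a per-account keyed id removes cross-account linkage, and with it any provider-wide de-duplication.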
| snowwrestler wrote: | > If I don't like what Apple does with iOS, I can move to | Android. | DrBenCarson wrote: | How is the possibility that Apple may flip down the line | relevant? By that logic, no one should ever use any product | ever. | | I've enjoyed 15 years of a wonderful and privacy-first device | ecosystem. They're evidently making it even better. And you | want me to be upset? | llanowarelves wrote: | It's because the "lanes" that non-tech juggernauts break | out of are typically pretty restricted, much in advance | (aside from "Emergency Use Authorization" etc). Maybe it | was "paranoia" (thinking of conditional incentives ahead of | time), or people had to suffer enough before these to come | into existence. | | What's the equivalent of the FDA but for consumer privacy? | [deleted] | advael wrote: | Maybe this is just a matter of the buzzword doesn't precisely | convey the technical implementation, but I don't want "end-to- | end" encrypted backups, I want backups that are stored encrypted | on the server and that only I can decrypt | reilly3000 wrote: | Yep that is the plan. There is a good table in the article that | shows the implementation for each service and rationale for it. | Most of the iCloud services are now able to enable an optional | feature where the user's devices are the only ones that have | keys. | joshstrange wrote: | The number of people in the comments complaining or finding new | places to move the goalposts to is astounding. | | > what good is that encryption, if Apple obviously can do almost | anything with your device? | | > They can still simply push a software update that sends the | victim's keys to the mothership and/or simply decrypts everything | | > This all just seems like pandering while they continue to | accept billions from Google in exchange for their user's privacy. | | > Couldn't they simply use an encryption algorithm that has two | private keys and they control one? 
| | Apple could say they are going to cease operations tomorrow, | close down the company, and people would comment "Yeah but they | could always create a new company". I guess for those people | nothing is ever enough. | | This is a huge step forward (specifically iCloud E2EE) that I'm | super excited about and people are busy coming up with threat | models that 99% of us have zero use for and pretending as if this | doesn't matter. It's disappointing. | josephcsible wrote: | The issue is that it's not just that Apple "could" add client- | side scanning or something tomorrow. It's that they've already | tried to do so once. | Blue111 wrote: | > The number of people in the comments complaining or finding | new places to move the goalposts to is astounding. | | But why does Apple want to be the only administrator on your | device? | | Note: "Apple Kills Its Plan To Scan Your Photos for CSAM" | karaterobot wrote: | Shouldn't people demand more and more privacy protections? It's | not like these changes solve the problem. Since Apple is | managing so much data, they must keep it secure and give users | the ability to maintain privacy and confidentiality, even with | respect to Apple itself. I think the goal post has stayed | pretty constant, Apple just keeps moving in a zig-zag pattern | that occasionally involves backward steps. | brookst wrote: | > Shouldn't people demand more and more privacy protections? | | Yes! | | > It's not like these changes solve the problem. | | Perhaps because it is impossible to 100% solve the problem? | | A lot of people, me included, are just tired of the endless | litany of "50% secure is not secure! 75% secure is not | secure! 90% secure is not secure! 99% secure is not secure! | 99.9% secure is not secure! 99.999% secure is not secure!" | | There is no 100%. Hearing the same level of outrage over a | 0.001% gap that we heard over a 50% gap is just fatiguing. 
| | Especially in this audience, everyone knows there is no such | thing as verifiable perfect security. Asymptotic progress | towards that is interesting; decrying the latest improvement | as no better than no security at all just feels... IDK, lazy. | bdominy wrote: | In my experience having released an E2EE contact info sharing | app, most people don't think about privacy protection and | they won't tolerate much inconvenience to add them. So the | more a large company supports efforts to mainstream E2EE, the | better it is for everyone. | AshamedCaptain wrote: | > new places to move the goalposts | | "moving the goalposts"? | | Since when has closed source unverifiable crypto been a good | idea? Since when has it been a good idea to trust a provider | that fully controls the encryption algorithm to also be the | only possible store for your supposedly encrypted data? | | This is no better than Facebook claiming that Whatsapp is now | "E2EE" encrypted. It's a useless PR tactic. If you mistrust | Facebook, why would you suddenly trust their unverifiable claim | that the data is now E2EE? You could have an argument if at | least 3rd party clients were allowed, so that you could detect | when they silently change the protocol. But not even that. | | There's absolutely no _technical_ thing they could do to gain | any trust. The goalpost has never been there. | brookst wrote: | > why would you suddenly trust their unverifiable claim that | the data is now E2EE | | > It's a useless PR tactic. | | Maybe because a single whistleblower would bring down the | mother of all class action lawsuits? | | Hardcore anti-corporate types like to imagine that these | companies are evil geniuses, where all 100,000 employees are | operating in perfect alignment, with no mistakes or | disagreements, and all secrets are kept perfectly. | | It just doesn't work like that. Threat model it for a second: | how many more phones is Apple going to sell with this? 
Maybe | a 1% increase, to wildly overestimate it? And what would be | the financial harm from a single engineer popping on HN and | saying "it's all BS, phones send the keys to the cloud, I | worked on the system to store them."? | | > There's absolutely no _technical_ thing they could do to | gain any trust. | | Well, that's true. But there's also no non-technical thing | they could do. It is literally impossible to prove perfect | technical compliance on an ongoing basis using any | combination of technical and non-technical means. | | That goes for open source too. Evil compilers, etc, can turn | perfectly solid source into malicious binaries. The | compiler's source can even be perfectly secure. | | At some point you have to think about probabilities and | motivations, and move away from this "anything not 100% | perfect, which BTW is not possible, is 100% useless" world | view. | AshamedCaptain wrote: | > Maybe because a single whistleblower would bring down the | mother of all class action lawsuits? | | Sure, like that is going to happen. I mean, "Facebook can | read your supposedly-encrypted Whatsapp messages" will | raise how many eyebrows exactly? | | > But there's also no non-technical thing they could do | | No, that's untrue. For starters, release the source. Allow | me to run my own backup software on their servers. Allow me | to transparently run my own encryption before I upload | stuff to their servers. And a very long etc. | | > anything not 100% perfect, which BTW is not possible, is | 100% useless | | This is 100% useless not because it is not 100% perfect (it | very well could be), but because it is 100% useless by | conception. What threat model does this protect against | exactly? The scenario where Apple servers get compromised? | I'm quite sure this risk does not even enter the mind of | the target audience here, and if it did, the hacker could | very well push the silent update anyway. 
The scenario where | Apple itself has access to the data? This does absolutely | nothing to prevent it. The scenario where someone can | social engineer an Apple employee to give your iCloud key | to someone else? It was already not possible. | sianemo wrote: | Do you honestly believe that a malicious actor who can | access data storage can also necessarily access a silent | mechanism to affect the security internals of a given | iPhone? And also the theoretical hacker wouldn't be able | to just push said theoretical silent update to your | device to just exfil the data anyway? | | Really having a hard time understanding the detailed | security implications of your scenario beyond this vague | notion you're presenting that a theoretical hacker can | use theoretical tools to silently pwn any Apple device | collected to the internet at any time. | AshamedCaptain wrote: | > that a malicious actor who can access data storage can | also necessarily access a silent mechanism to affect the | security internals of a given iPhone? | | A malicious actor who can access _already encrypted_ data | storage where you cannot even associate files with a | given account ID _without_ having already put a backdoor | in the corresponding code may be able to actually put | such backdoor in the software that is distributed to | iPhones? Yes, I believe that. | brookst wrote: | > What threat model does this protect against exactly? | | Two big threats: 1) insider attacks like the Saudi | Twitter infiltration[0], and 2) Overreach by legitimate | government process like subpoena[1]. | | > release the source | | Useless. How do you know it's the exact source running | on-device? | | > Allow me to run my own backup software on their servers | | Useless. How do you know your own backup software isn't | compromised via a secret deal with Apple? | | > Allow me to transparently run my own encryption before | I upload stuff to their servers. | | Useless. 
How do you know the OS isn't grabbing the raw | files? How do you know your own encryption isn't | compromised? How do you know that Xcode isn't inserting | backdoors in the encryption you compiled from source? | | > And a very long etc. | | All useless. Tell me your perfect solution and I promise | I can show it's useless (by your standards). | | [0] https://en.wikipedia.org/wiki/Saudi_infiltration_of_Twitter | | [1] https://ijunkie.com/your-icloud-data-phenomenal-law-enforcem... | AshamedCaptain wrote: | > Two big threats: 1) insider attacks like the Saudi | Twitter infiltration[0], and 2) Overreach by legitimate | government process like subpoena[1]. | | This does not prevent any of these threats, it does not | even necessarily make them more difficult whatsoever. | "Insiders" will still have access to the source code | doing the encryption and communications, and it is just | not possible to protect against government overreach that | can literally force you to do anything and keep quiet | about it, even in otherwise relatively sane countries. | Search for NSA letter. | | I actually don't expect any corporation to be above the | government, fwiw, but this is off-topic. | | > Useless. How do you know it's the exact source running | on-device? | | Because you built it yourself? | | > Useless. How do you know your own backup software isn't | compromised via a secret deal with Apple? | | Because it's YOUR OWN backup software? | | > Useless. How do you know the OS isn't grabbing the raw | files? How do you know your own encryption isn't | compromised? How do you know that Xcode isn't inserting | backdoors in the encryption you compiled from source? | | Because I have the source of the OS and I built it | myself? Because I have literally used the same compiler I | use for other platforms and not Facebook's? Because I can | then actually monitor the actual communications between | the device and the mothership? etc. etc.
| | The point of this entire thing was to show that _there | are_ non-technical policies they can do to actually | increase the trust level (or at least have a discussion | about it -- as you are), but there is very little technical | stuff they can do to increase it, and that's because it | would miss the entire point. It's not about "trusting | trust perfection" or whatever you think you are trying to | argue here. You are trying to protect stuff from Alice by | trusting Alice without even being capable of verifying | it. It just can't academically work. You need to either | be able to verify it or at the very minimum separate both | roles. | brookst wrote: | > This does not prevent any of these threats, it does not | even necessarily make them more difficult whatsoever. | "Insiders" will still have access to the source code | doing the encryption, and it is just not possible to | protect against government overreach that can literally | force you to do anything and keep quiet about it, even in | otherwise relative sane countries. Search for NSA letter. | | There you go again :) | | You literally just said something that used to take a | subpoena from any law enforcement now takes an NSA | letter. And that an insider attack that used to mean | retrieving a backup file now means inserting back doors | in source code that go undetected. | | And somehow those aren't even _more difficult_? | | > Because I have literally used the same compiler I use | for other platforms | | https://www.awelm.com/posts/evil-compiler/ | | It is literally provable that Apple will never be able to | satisfy you. For any mitigation they introduce, you can | (rightfully) create a hole in that mitigation. | | What you're missing is that the same flaws and attacks | appear in all of your "it would be better if" solutions. | Once you're invoking NSA letters and malicious source | code, all bets are off... _including_ for open source. | | > It just can't academically work.
| | Yes, we agree on that. But it also doesn't work if you're | protecting stuff from Alice by trusting Bob, who might be | secretly an agent of Alice. | AshamedCaptain wrote: | > You literally just said something that used to take a | subpoena from any law enforcement now takes an NSA letter | | I didn't say that. You said "overreaching government". | | > It is literally provable that Apple will never be able | to satisfy you | | Nothing _technical_, that is, which has exactly been my | point. | | > Once you're invoking NSA letters and malicious source | code, all bets are off... including for open source. | | That's not true at all. There's an entire world of | difference where "oh the software is just hidden from my | eyes, communicating constantly and opaquely with the | mothership, changeable at any moment by the same | mothership, and all of it running in the same hardware | also made by the same mothership" versus "I have these | separate components that are only communicating through | these channels in these clearly specified ways". The | first only allows useless technobabble fake solutions, | the second system actually allows discussion about trust | and is usually the very minimum expectation of any | cryptosystem. | | > But it also doesn't work if you're protecting stuff | from Alice by trusting Bob, who might be secretly an | agent of Alice. | | I don't see that as necessarily true either. But anyway, | I can now choose between multiple providers for | encryption, which _finally_ goes towards measurably | increasing trust. Remember, despite the accusations, I | have never claimed it had to be 100% trusting trust | perfect, I am just claiming this one proposal is 100% | useless. If you didn't trust Apple backups before and you | would now, I'd question your judgement. | judge2020 wrote: | > Sure, like that is going to happen. 
| | Something like hacking into a journalist's phone would | require a lot of cooperation between infrastructure, | software, and security to actually perform a targeted | attack. | | Despite Apple's harsh warnings about leaking secrets, | people at Apple have already been spilling the beans | about Apple's upcoming Ad platform for over a year, and | that's just for something as morally grey as ads that | they're going to spin as "privacy preserving" anyways. | For something that actually goes against <everything> | Apple has ever stood for, like targeting a journalist's | phone to read their communications or extract data and | secret keys from their advanced protection-protected | iCloud Backups, at least one of the hundred involved | would find a comfy bunker to live in with a phone line | leading straight to News Corp or NYT. | bdominy wrote: | In an ideal world, E2EE would be in high demand and used | anytime sensitive info is exchanged between parties, but the | reality is that most people don't know about it or the | protections it provides. If FB and Apple can educate people | about E2EE, even as a PR tactic, it helps grow that | awareness. | jdiez17 wrote: | Closed source applications like WhatsApp can be and in fact | are reverse engineered by researchers who want to verify the | end-to-end encryption claim. For example, see this BlackHat | talk: https://i.blackhat.com/USA-19/Wednesday/us-19-Zaikin- | Reverse... | judge2020 wrote: | The goalposts have been moved because the leading argument | for the past few years has been "it's not actually encrypted | because you or the person you're talking to could be using | iCloud Backup". Now all you have to do is make sure you and | the people you talk to have this simple option enabled in | settings (with the only risk being that you lose all your | data if you need Apple Support to give you access to your | iCloud again after losing all backup codes and encryption | keys). 
| | As for your actual argument, there are always tradeoffs when | we implement "good" but not "perfect" encryption solutions. | Here, your trust is indeed in Apple to not perform an evil | maid attack, but for many of us, we trust that Apple doing | this to a regular person (or journalist, or government | official) would be absolutely devastating to their entire | brand. Even if most people wouldn't care if Apple cooperated | with the CIA to perform a coup in $x country via sending out | targeted malware to the leader's phone, they still stand to | lose hundreds of billions of, if not a trillion, dollars over | the following decade in lost iOS product sales, due to them | purposefully hacking their own product to steal user data. | smoldesu wrote: | > It's disappointing. | | What's disappointing is that Apple has zero accountability for | any of these services. Nobody would be so critical of iCloud if | it wasn't your _only_ sync option on iPhone, but they force | everything to go through them. Apple says 'trust us ;)' and | gives the user no way to confirm that they're not decrypting | your data as soon as it hits their servers. | | The argument is the same as it's ever been. Apple took away too | much of the user's control; if the iPhone were a more open | platform, nobody would be squabbling over our only sync option. | | Edit: Background Sync has apparently been available as an API | since iOS 13, but that doesn't change Apple's lack of | accountability wrt security practices. | ericmay wrote: | > The argument is the same as it's ever been. Apple took away | too much of the user's control; if the iPhone were a more | open platform, nobody would be squabbling over our only sync | option. | | It's just moving the goalposts. 
If Apple gave you more | control then people would demand that the source code for the | chips be open source, or that you could stand over the | shoulder of the person assembling your iPhone and make sure | they don't plug in a USB drive and install some malware. It's | a never-ending battle. You're just going to have to start | trusting Apple and other companies, or build your own device | from raw materials you mine yourself. | gigantaure wrote: | > Apple took away too much of the user's control; | | Apple couldn't take away what it never gave in the first | place. Anyone using an iOS device should have a basic | understanding that Apple highly integrates their devices, | OSes and services. | jjtheblunt wrote: | What? I sync to Google for instance and iCloud, and use Azure | as well. | threeseed wrote: | iPhone launched with local syncing _3 years_ before iCloud. | scarface74 wrote: | How is this the only sync option? My pictures go to iCloud, | OneDrive, Google Photos and Amazon's photo storage. | | My Contacts and calendar can sync with any provider that | supports whatever porn standards are behind it. | | When I save and load files using the iOS file dialog, it | shows every storage provider I have installed - Dropbox, | OneDrive, iCloud Drive and I assume Box if I had it. | fnordpiglet wrote: | This isn't actually true. Yes they don't give you personally | the ability to conduct assurance on their controls. That | couldn't scale. But they do allow large corporations looking | to standardize on Apple tech, governments, and other like | entities the opportunity to verify the controls, their | effectiveness, and continued compliance. Further they | generally have to attest to their controls under a variety of | regulatory regimes with third party auditors verifying. | | Your startup may be able to weaken or circumvent your | controls and no one would know. But that is not true of Apple. | canes123456 wrote: | Apple offers local backups.
Every cloud backup depends on | "trust us", even if open source, externally audited, etc. | They can offer a third party online sync option but that | seems like functionality would open up more security holes | than it fixes. You would just have bad actors convincing | users to sync to their servers. | | If you don't trust Apple, you should also not trust other | cloud back up services. Just turn off iCloud | diarrhea wrote: | I'm syncing almost all data via Nextcloud. That includes | actual files as well as contacts and calendars. The files are | obviously on my iPhone, but not in iCloud. In fact, iOS makes | CalDAV and CardDAV as easy as they could be. It's natively | supported, whereas Android requires an extra, _paid for_ app | (worth the money though). | | Other synchronisation like Joplin and Zotero happens via | WebDAV. My iCloud is basically empty yet I have every file I | could ever need on both iOS as well as iPadOS. Some apps I | don't care for sync via iCloud, that's all so far. I'm not | bought into the whole ecosystem (i.e. apps) too much though. | If all you use are apps that only support iCloud, that's a | problem indeed. | rrix2 wrote: | fwiw davx5 is libre licensed and available in fdroid: | https://f-droid.org/en/packages/at.bitfire.davdroid/ | | there is also a free fork of davx5 on Play as OpenSync: | https://play.google.com/store/apps/details?id=com.deependhul... | | agree that it should be bundled in to the system though.... | zuhsetaqi wrote: | > Apple took away too much of the user's control; | | Apple didn't take away anything. It wasn't there in the first | place and never promised. | teekert wrote: | The only sync option? My Pictures go to NextCloud, my | contacts and calendar are on NextCloud, and in contrast to | Android (I recently switched) I don't even need an app (like | davx5, great app though, as said here) to sync them, it all | just works from the standard contacts and calendar app.
Oh | and the mail app doesn't push me anywhere, it just works with | my local provider via IMAP. | | My vpn is a Wireguard server (and some Tailscale, recently | tested mullvad, works great as well), my position is updated | to my family via Home Assistant, Bitwarden pops up | automatically anywhere I need to enter a password. Podverse | is great for podcasts. | | Sure, it's a walled garden and I have my annoyances but much | less so than I was led to believe before I got my first | iPhone last year. I find it easy to swap out default | components where I don't like them (like iCloud and Apple | podcasts) and use them when they are superior (like the | calendar and mail app, I was always trying 3rd party apps on | Android). | smoldesu wrote: | Does your NextCloud sync in the background like iCloud | does? I don't believe third-party apps have access to | background usage, unless something has changed since I last | used iOS. | baxtr wrote: | That was a 5s google search. | | You're welcome. | | https://help.nextcloud.com/t/ios-background-sync/145197 | sirn wrote: | Photos are synced in the background via location change | events (and thus requiring Location permission). It can | be a bit unreliable from time to time, but generally | works. Contacts and calendars are synced in the | background via iOS' CalDav/CardDav integration. | | Nextcloud app also exposed itself as file provider in | Files.app, so it's possible to use it in place of iCloud | Drive for apps that use the appropriate API. | (Unfortunately most apps use CloudKit, which sync over | iCloud.) | smoldesu wrote: | Ah, I see this now. Me and my boyfriend tried switching | to Nextcloud a few years ago, but this wasn't implemented | on iOS yet so we had to look elsewhere. Nice to see this | opened up, it's about time. Hopefully they'll reverse | their sideloading opinions as well. | [deleted] | julkali wrote: | FWIW, you can sync files with Nextcloud on IOS and it works | fine.
Also automatically syncs photos which makes it a viable | alternative for cloud storage on iPhone. What it doesn't sync | are things like settings, though. | teekert wrote: | Did your photos also recently get synced to JPEG (by NC), | whereas at first the heic's were uploaded? Heic works | poorly in browser on other platforms so JPEG is ok, would | prefer heic to work everywhere though... | dmitriid wrote: | > Nobody would be so critical of iCloud if it wasn't your | only sync option on iPhone | | I sync my photos with Google Photos because they are a | magnitude faster and more predictable than Apple's own | Photos. | | My passwords are in 1Password. | | Can't really say I sync much else. | rootusrootus wrote: | I don't use iCloud for anything. Dropbox gets my pictures, | Google has my contacts, 1Password handles my passwords, etc. | jdthedisciple wrote: | It's only for backups, that means my live files on the iCloud are | still plainly available to Apple, correct? | froggertoaster wrote: | It very clearly states it's more than backups. I would advise | you click the link and start reading. | M4v3R wrote: | It's not only for backup, the article literally lists all | categories of data that is end-to-end encrypted: iCloud Backup, | iCloud Drive, Photos, Notes, Reminders, Safari Bookmarks, Voice | Memos, Wallet passes, Health data, Home data and more. | Gigachad wrote: | So tempting to replace Google Drive/Photos with icloud. Only | thing holding me back now is GDrive can easily be mounted on | Linux. | richard___ wrote: | Wait what is the point of using icloud if you use this e2ee | thing? If you lose your phone, all your data is useless because | the key is on your phone. So using icloud with e2ee is basically | using a phone with no icloud backup at all. | counttheforks wrote: | Great, now let me run my own web browser instead of a safari | webview. | unshavedyak wrote: | Is there a way to use this for non-Apple devices?
I am "in" | Apple's ecosystem, but i work on Linux and play on Windows.. it | would be nice to have Dropbox/storage on an E2E Backup solution i | already pay for (1TB+ family plan for iPhone mainly) | Gigachad wrote: | Not sure about E2E but for standard icloud you basically only | get the clunky web ui. No way last I checked to mount icloud | like you can other providers. | tuxone wrote: | > You must also update all your Apple devices to a software | version that supports this feature. | | Didn't want to upgrade my perfectly functioning MBP 15 2015 for | Shared Photo Library alone. They found out another way to force | the upgrade. | Veserv wrote: | Okay, so when is Apple going to certify against any | standards[1][2] higher than "Applies when you require confidence | in a product's correct operation, but do not view threats as | serious."[3] with a security standard, AVA_VAN.1, whose objective | is: "A vulnerability survey of information available in the | public domain is performed by the evaluator to ascertain | potential vulnerabilities that may be easily found by an | attacker. ... Penetration testing is performed by the evaluator | assuming an attack potential of Basic." [4][5]. | | On page 25 of [1], we can see the security auditing done as part | of their only official security certification for the iOS was: | "The evaluators searched for publicly known vulnerabilities | applicable to iOS using the following sources... The search was | performed on multiple occasions between... using the following | search terms... The evaluator's CVE search found no | vulnerabilities apart from the ones listed in the developer's | security content disclosure statements, all of which have been | fixed in subsequent releases on iOS. The validators reviewed the | work of the evaluation team, and found that sufficient evidence | and justification was provided by the evaluation team to confirm | that the evaluation was conducted in accordance with the | requirements of ..."
tl;dr The evaluation process is that they do | a web search of key words, check that all the publicly disclosed | vulnerabilities have been patched, then call it a day. | | To put that into perspective, they are certifying against | AVA_VAN.1. It is only at AVA_VAN.2 that the evaluator is required | to do any independent vulnerability analysis as seen in [5] Page | 155 AVA_VAN.2.3E (bold is changes from the previous level). At | AVA_VAN.3 you need to evaluate against "Enhanced-Basic" attack | potential. It is only at AVA_VAN.4 that you need to evaluate | against attackers with a "Moderate" attack potential. At | AVA_VAN.5 (the highest level) you need to evaluate against | attackers with a "High" attack potential. Apple's only security | certification, which in their own words "provide a measure of | confidence--that is, security assurance--that the security needs | of a system are being satisfied" and are "used by many | organizations as a basis for performing security evaluations of | IT product" is wholly three levels below "Moderate" and is | effectively self-graded. | | Until they actually certify against a standard requiring moderate | security, it is only prudent to take them at their word and | assume that their products are only fit for systems that "do not | view threats as serious". If they want their security to be taken | more seriously they should prove it against internationally | recognized standards assessed by independent third parties rather | than issuing unsupported marketing fluff. | | [1] https://support.apple.com/guide/certifications/ios- | security-... | | [2] | https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/CE... | | [3] https://www.cisa.gov/uscert/bsi/articles/best- | practices/requ... EAL1: Functionally Tested | | [4] | https://commoncriteriaportal.org/files/ppfiles/pp_md_v3.1.pd... | Page 136 Section 5.2.6 AVA_VAN.1 | | [5] | https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR...
| Page 154 Section 14.3.3 | InTheArena wrote: | Great stuff. The question I have is what is Apple's position on | scanning for contact on phones themselves? In the past they | hinted that they would not enable e2e encryption unless that was | in place. | pettersolberg wrote: | Except in China and alike | atestu wrote: | According to WSJ it will include China: | | > The new encryption system, which will be tested by early | users starting Wednesday, will roll out as an option in the | U.S. by year's end, and then worldwide including China in 2023, | Mr. Federighi said. | | https://www.wsj.com/articles/apple-plans-new-encryption-syst... | busymom0 wrote: | sgjohnson wrote: | They seem to be abandoning China, they are planning to move | some 40% of the total iPhone production to India within the | next couple of years, so China might not have all that much | leverage. | adam_arthur wrote: | More about consumer base than manufacturing for them. | Doesn't matter where they move production. | | Same reason they edit movies to appease Chinese audiences | brookst wrote: | https://www.cnn.com/2022/07/08/media/hollywood-china- | censors... | three_seagrass wrote: | >They seem to be abandoning China | | _Manufacturing_, sure. _Consumers_? no. | | Apple traded its privacy priority for profits back in | 2017 when it gave backdoor access to all the iCloud | backups - | https://www.nytimes.com/2021/05/17/technology/apple- | china-ce... | sgjohnson wrote: | The times have changed in the past 5 years, going all out | on China is simply untenable. Leaving China on the other | hand is positive PR. | | Just because Apple couldn't officially sell any iPhones | in China doesn't mean that the Chinese public would | suddenly stop coveting them. I don't think they'd blame | Apple if it came to that. | criddell wrote: | They have to respect the laws of the countries they operate | in but they don't necessarily have to do so silently.
| | If you go to set up encrypted backups and find out the | feature isn't available or get a message saying something | like "Feature cannot be activated in China, Turkey, and | Russia", that's better than the feature not being available | anywhere. | insane_dreamer wrote: | 100% certain Chinese gov will require back-door access | AlexandrB wrote: | It's interesting that this announcement was being predicted after | Apple unveiled their on-device CSAM scanning feature. Perhaps | this was indeed the plan all along, but they lost control of the | narrative. | | Whatever did happen to the on-device CSAM scanning? Is it still | coming to iOS? | yreg wrote: | When they announced the on-device CSAM, I was absolutely sure | that they want to do this. | | Lawfully nothing is stopping them, but since pretty much all US | cloud services scan files it's clear there are some forces | making them do so. I thought that Apple was able to | negotiate a compromise where they scan locally and then they | are "allowed" to do E2EE. | | Interesting that they are proceeding with the encryption | regardless. | loaph wrote: | According to https://arstechnica.com/gadgets/2022/12/apple- | adds-end-to-en... the CSAM scanning plans have been abandoned. | AlexandrB wrote: | Another interesting tidbit from that article: | | > First, iCloud users may now take advantage of hardware | security keys like YubiKeys. Both NFC keys and plug-in keys | are supported. | | This is great news! I wonder if this is able to replace | Apple's bespoke 2FA system or it's strictly in addition to | that. | | Edit: | | From Apple's announcement: | | > Now with Security Keys, users will have the choice to make | use of third-party hardware security keys to enhance this | protection. This feature is designed for users who, often due | to their public profile, face concerted threats to their | online accounts, such as celebrities, journalists, and | members of government.
For users who opt in, Security Keys | strengthens Apple's two-factor authentication by requiring a | hardware security key as one of the two factors. | | If I read that right, it sounds like it's _in addition_ to | Apple's 2FA? I'd love to replace Apple's weird 2FA | mechanisms, but this is still nice. | drak0n1c wrote: | Here's more info directly from Apple on their hardware key | plans: https://www.apple.com/newsroom/2022/12/apple- | advances-user-s... | sneak wrote: | Nothing Apple has ever said has indicated that they reversed | position on their announced plan to roll out clientside | scanning. Read the Apple statements carefully. | | On macOS photoanalysisd phones home even when not using | iCloud at all, fwiw. Who knows what it is doing? | jaywalk wrote: | This is correct. Apple said they've abandoned CSAM scanning | for _iCloud_ Photos, but they haven't said anything about | on-device scanning as far as I've seen. | yamtaddle wrote: | That always made the most sense as the reason for attempting | that. I agree with some concerns about it surely being abused | (especially in some jurisdictions) but on the other hand _they | can ship whatever software they want to the devices anyway_ so | the idea that this was some sly way to sneak in spying that | they couldn't otherwise get away with made no sense. Doing it | out of a desire to enable more encryption without instantly | becoming the overwhelmingly-preferred platform for child porn | enthusiasts was a far more likely explanation. | | Curious what they're going to do to mitigate that reputational | risk now. Possibly they'll just eat it and say, "look, this is | what you fuckers wanted, we tried to solve the problem but you | said no." | | Not thrilled to see what the next showdown between them and | e.g. the FBI is gonna look like. I expect it's not gonna look | good in the court of public opinion and that might have | unfortunate legislative consequences.
| | [EDIT] Actually, wouldn't be surprised if they wait until the | first high-profile case involving their inability to deliver | data on someone who _probably is_ a disgusting scumbag, and use | that as cover to go ahead with the local-CSAM-scanning-for- | iCloud-uploads, once it's 100% clear what'll happen if they | don't and the no-scanning crowd isn't the loudest set of voices | anymore. | [deleted] | accrual wrote: | The physical security key is interesting as it shows a lightning | port in the image. Maybe a sign that a portless iPhone isn't | necessarily in the immediate future? I also wonder if there's | another copy of the image showing a USB-C port, since it's | assumed the iPhone 15 will be USB-C to comply with the EU's | standard port requirements. | fmajid wrote: | The Yubikey 5C NFC is a U2F key that works over NFC, no | Lightning port required (although they also make a USB-C + | Lightning key) | smith7018 wrote: | Yeah, Apple is a ways away from the rumored portless iPhone. I | think a prime example of their stalled efforts is the iPhone's | Magsafe charging speed. It's remained at 15w since 2020 whereas | Lightning can charge at roughly 30W. Apple's not going to | remove the Lightning port, force people to buy new charging | pucks, and then tell them their device won't charge as fast. | Conversely, switching to USB-C means they can use USB PD to | boost charging to around 45W. | dang wrote: | This comment was posted when the linked URL was | https://www.apple.com/newsroom/2022/12/apple-advances- | user-s..., which contains the physical security key | announcement as well as the E2EE stuff. | | If there's a better URL for the security key announcement, we | can factor this topic into its own thread, since it's a | minority topic in this one and mostly getting overlooked. | zhrvoj wrote: | If there is a need for new security measures...new security | recommendations - Chrome is bugging me, every day, not very | different from Apple.
What a world is that? So then, someone is | working against my security every day! Looks like a war my | friends... | dang wrote: | We changed the URL from | https://www.apple.com/newsroom/2022/12/apple-advances-user-s... | to the link that several users pointed out has the meatier | details. | | A small number of comments here are not about E2EE backups but | rather the security key announcement. If there's a more detailed | URL for that part of the story, we can factor it into its own | thread. | sidcool wrote: | Thanks Dang. | lizardactivist wrote: | "E2EE" is probably more like it. I have no doubts there will be a | data, picture, movie or some-such leak eventually that proves | that the encryption keys were in the hands of Apple all along. | insane_dreamer wrote: | Fun anecdote. Many years ago, I had all my photos and other | personal documents encrypted in a PGP Disk on a RW-DVD, and did | not store the password in any digital form, because that was the | most secure thing to do. Some time later I forgot the password, | could not find where I had written it down, and to this day have | never recovered them. (Don't have a DVD reader anymore either, | though I could still get one of those.) Lesson: don't forget your | encryption key. | pjot wrote: | My freshman year of high school we had a project where we | created a "Time Machine" for us to open when we graduated. | Everything was stored on a floppy disk. Finding a working 3.5A: | drive has been quite difficult... | m463 wrote: | Even better security would be to allow users into their own | devices. This would mean that critical data just wouldn't leave | the device via the network. | | (letting users into their own devices means the ability to access | the entire device, examine what their device is doing, and | firewall it if wanted) | frizlab wrote: | 1. iMessage without internet would be tricky. 2. You don't have | to backup in iCloud.
Just plug your phone on a Mac or Windows | computer with iTunes installed and backup it locally. | lxgr wrote: | It's ridiculous that I can only backup my (iOS) device to | either a computer via USB (what is this, 2005?) or to the | cloud. | | Just let me use my local Time Machine backup server! | | Sadly, I am convinced I'll never see that feature - it would | basically remove the need for any iCloud subscription for me | and thereby undermine Apple's "service" efforts too much. | 0xCMP wrote: | I think other commenters are missing your point: an iPhone | should be able to back up to a "server" the same way a | macbook does. I have a 24 TB NAS with Time Machine on it so | the phone should be able to backup to it (over wifi, usb, | whatever) the same way it does to a Mac. And this should be | possible out of the box by-design (not by using Linux based | tools to backup the iPhone in ways Macs do not let you do). | jaywalk wrote: | Don't they still offer local backup over Wi-Fi? | danaris wrote: | They do. Parent just wants to back up _directly_ to a | Time Machine backup, rather than backing up to computer, | then backing that up to TM. | | A reasonable desire, but clearly niche enough that it's | unlikely to come to pass. (Particularly since, given what | little I've seen of how Time Machine works, it would | likely require some quite significant dev work on Apple's | end to enable.) | [deleted] | tgv wrote: | A Mac can also backup your phone wirelessly. TM doesn't | make much sense without the Finder's interface. | lxgr wrote: | > A Mac can also backup your phone wirelessly. | | Yes, to its local storage only, which makes it completely | useless to me. (I have more data on my phone than on my | computer, and I can't be the only one.) | | > TM doesn't make much sense without the Finder's | interface. | | Why? I can even already connect to the same SMB mount | that holds my Mac's backup via my iPhone's "Files" app. | Just let me backup to that! 
| tgv wrote: | The TM back-up will include your phone's backup too. I | agree it could be better. | | Don't exclude the back-up folder from TM, though. | lxgr wrote: | Yes, but I don't want that data on my Mac in the first | place. It takes up almost all disk space there, | completely needlessly. | | (Actually it doesn't - I symlinked the backup directory | to an external drive, and fortunately ~iTunes~ Finder | follows that. But this is something completely | unrealistic to ask of an average user, in my opinion.) | pathartl wrote: | That's still not access to the data. That's limited access to | data that Apple allows. I remember when Tinder stored their | messages in a local unencrypted SQLite database. I wanted to | save the conversations between my GF and myself, but I had to | get an Android phone and extract the db manually as I | couldn't do that with my iPhone at the time. | latexr wrote: | One can argue the iOS approach was more secure, since | someone getting hold of your iPhone wouldn't be able to | snoop on your Tinder messages. | | On the other hand I appreciate the hackability, and it is | your data. If you're in the EU, maybe you could have made a | GDPR request to get the messages in a database. | | Ultimately I don't disagree with this iOS choice because | we're the odd ones; I understand the decision to put the | privacy of "regular users" above a niche developer method | which could be exploited more than used in a legitimate | way. | | It feels to me the correct solution in this case is that | Tinder's database should be encrypted on both iOS and | Android and they would provide a way to export chats.
| jdiez17 wrote: | You can access the data in an encrypted backup, which you | can request from an iPhone from Linux using the open source | libimobiledevice: | https://github.com/libimobiledevice/libimobiledevice | | Here's an overview of how to remove the various layers of | encryption (starting from the backup password): | https://stackoverflow.com/questions/1498342/how-to- | decrypt-a... | | And how to do it if you want to access the WhatsApp chat | database: https://yasoob.me/posts/extracting-whatsapp- | messages-from-io... | | Also some Go tools to inspect iOS encrypted backups | https://github.com/dunhamsteve/ios | lapcat wrote: | > Some metadata and usage information stored in iCloud remains | under standard data protection, even when Advanced Data | Protection is enabled. For example, dates and times when a file | or object was modified are used to sort your information, and | checksums of file and photo data are used to help Apple de- | duplicate and optimize your iCloud and device storage -- all | without having access to the files and photos themselves. | | > * iCloud Drive The raw byte checksums of the file content and | the file name | | > * Photos The raw byte checksum of the photo or video | | https://support.apple.com/en-us/HT202303 | rollulus wrote: | That means that you're not safe to store known files your local | dictator doesn't like, isn't it? Wouldn't a sort of per-user | salt allow the same functionality and give more confidentiality? | AdamJacobMuller wrote: | It wouldn't allow them to deduplicate across users, which | they are likely doing. | | When you send your group iMessage of 30 people the same | photo, apple is not storing 30 copies of it, but, one. | madeofpalk wrote: | Is that actually true? | | My understanding of how E2E encrypted iMessage works is | that in group chats it does indeed send 30 copies of your | messages, individually encrypted for each recipient in the | group.
| | https://support.apple.com/en- | gb/guide/security/sec70e68c949/... | | > _For group conversations, this process is repeated for | each recipient and their devices._ | judge2020 wrote: | Perhaps they're doing multi-recipient encryption, ie. the | data is wrapped with one key, and that private key is | then encrypted with the public key of each recipient, so | everyone ends up using the same private key to decrypt | the file data itself. This means the actual file data | isn't sent 20+ times (although the data is indeed stored | in everyone's Messages backups separately; if Apple is | doing de-dupe based on file data+filename, they're | probably benefiting from deduping group message images). | fraXis wrote: | Why does Apple enable a big new feature like end to end | encryption in the RC build only? | | We are only going to be able to test this feature one week before | it's released? | | I would hope a large feature like this would have had a lot more | public user testing/refinement behind it than just one RC build | release! | Gigachad wrote: | Because this isn't Linux. Apple has already tested it and you | can be pretty certain it's going to work on day one. | robmccoll wrote: | (Not an iMessage user) Does iMessage actually have a way to | display the raw public key(s) locally associated with a contact | and your public key(s)? Wondering if you can verify keys out of | band or if you have to trust Apple to be the authority. | Sirened wrote: | It's not surfaced in the UI but, as far as I recall, the | information does actually reach the device already. Here's a | paper [1] which dives into the cryptography used in iMessage | (at least whatever was used at time of publication). | | [1] https://www.cs.umd.edu/~imiers/pdf/imessage.pdf | lostmsu wrote: | Isn't Android backup end-to-end encrypted since 2018 or | something? Why are so many people commenting like something | revolutionary is happening? 
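The trade-off raised earlier in the thread by rollulus and AdamJacobMuller (raw byte checksums versus a per-user salt), as an added example that is not part of the thread and not Apple's code. SHA-256, HMAC, the toy server, the user names and the file contents are all assumptions constructed for illustration; the quoted support page only says "raw byte checksums".

```python
import hashlib
import hmac
import secrets

# Constructed sample contents; in practice these would be file or photo bytes.
PAMPHLET = b"constructed sample: a widely circulated document"
HOLIDAY = b"constructed sample: a private holiday photo"


def raw_checksum(data: bytes) -> str:
    """Unkeyed checksum: identical bytes give the same value for every user."""
    return hashlib.sha256(data).hexdigest()


def per_user_checksum(user_key: bytes, data: bytes) -> str:
    """Keyed checksum (HMAC): the value depends on a secret only the user holds."""
    return hmac.new(user_key, data, hashlib.sha256).hexdigest()


class ToyServer:
    """Sees (user, checksum) pairs only, never file contents or user keys."""

    def __init__(self) -> None:
        self.index: dict[str, set[str]] = {}

    def upload(self, user: str, checksum: str) -> None:
        self.index.setdefault(checksum, set()).add(user)

    def unique_blobs(self) -> int:
        """Distinct objects the server must keep after de-duplication."""
        return len(self.index)

    def accounts_matching(self, known_file: bytes) -> list[str]:
        """Hash a file the operator already has a copy of and look it up.

        The server has no user keys, so an unkeyed hash is all it can compute.
        """
        return sorted(self.index.get(raw_checksum(known_file), set()))


def simulate(scheme: str) -> tuple[int, list[str]]:
    """Replay the same four uploads under one checksum scheme.

    Returns (objects stored, accounts matched to the known file).
    """
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    uploads = [
        ("alice", PAMPHLET),
        ("alice", PAMPHLET),  # same file twice in one account
        ("bob", PAMPHLET),    # same file in a second account
        ("bob", HOLIDAY),
    ]
    server = ToyServer()
    for user, data in uploads:
        if scheme == "raw":
            checksum = raw_checksum(data)
        elif scheme == "per-user":
            checksum = per_user_checksum(keys[user], data)
        else:
            raise ValueError(f"unknown scheme: {scheme}")
        server.upload(user, checksum)
    return server.unique_blobs(), server.accounts_matching(PAMPHLET)


if __name__ == "__main__":
    for scheme in ("raw", "per-user"):
        blobs, matches = simulate(scheme)
        print(f"{scheme:9} stored objects={blobs} accounts matched={matches}")
```

With raw checksums the server stores two objects and can tie both accounts to the known file; with per-user keys it stores three (de-duplication still works inside one account, not across accounts) and the lookup finds nothing.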
| DrBenCarson wrote: | This is more than just the backup, this is all user data-- | files, photos, etc. | | Google Drive and Photos are not E2EE | three_seagrass wrote: | Except for metadata and file hashing - iCloud is still using | those on files and photos. | brookst wrote: | Sometimes news is about market developments, not technical | innovation. | | Android backups are E2EE but I don't think Google photos is. | Photos aren't included in the phone backup, I think. Would | welcome correction if that's wrong. | 404mm wrote: | Anyone else noticed that they mentioned MacOS for iCloud backups? | | As of now, there is no backing up your Mac to iCloud. There is | iCloud Drive and all the individual services but TimeMachine is | local storage only (shared drive or the legacy TimeCapsule). | | Does this mean we're finally getting TM backups to cloud? | jxdxbx wrote: | Somehow I don't think Apple will like backing up my 16 TB media | drive the same way that Backblaze does. | newZWhoDis wrote: | Wow, Apple enabling E2EE for backup is huge, since before they | would bypass iMessage security by including your iMessage keys in | the unencrypted cloud backup (so governments could request that | copy then watch your messages in real time). | | I'm sure they'll get pushback for closing this loophole | anxiously wrote: | Couldn't they simply use an encryption algorithm that has two | private keys and they control one? | [deleted] | CGamesPlay wrote: | Yes, but this would be apparent in the code, since the sender | would have to encrypt against both public keys. | fnordpiglet wrote: | Yeah I'm thinking about how many millions of HN comments are | now invalid. I'm sure there's some other gripe in its place. | That's what we engineers do. | 542458 wrote: | I'm not quite sure what you're getting at. It's not a sin to | comment on a security issue while the issue still exists. 
| Furthermore, correcting a security issue doesn't render | somebody immune to all complaints on future security issues. | [deleted] | godelski wrote: | Do we know if they still continued with the data scanning? I'm | all for E2EE backups, but not if it comes at the cost of | scanning my data. | stalfosknight wrote: | Apple is abandoning its CSAM scanning plan: | https://www.wired.com/story/apple-photo-scanning-csam- | commun... | theshrike79 wrote: | They planned to scan only the files that would end up in the | cloud anyway. | | iCloud off -> no local CSAM scan. | | Local CSAM scan with multiple failsafes (+ actual person | checking) + E2EE iCloud -> zero need to allow law enforcement | access to iCloud servers. This would also mean that Apple | could've encrypted them in such a way that even they can't | access them. | qwertyuiop_ wrote: | What about turning off Airdrop in China when the people need it | most? | Andrew_nenakhov wrote: | One must understand that E2EE is used when you don't trust your | service provider to handle your data. In other words, the | adversary in your threat model is the service provider - and in | this case, Apple. And what good is that encryption, if Apple | obviously can do almost anything with your device? | | They can remotely wipe apps. They can force-install apps and | force updates. It is not too far-fetched to think that they can | just remotely copy anything stored on your device to their | servers. So, with an adversary that capable, I'm not sure | encrypted backups provide a meaningful improvement to security | and privacy. | voxic11 wrote: | I think it mostly matters in the context of US case law, | specifically the third party doctrine. 
| | > The third-party doctrine is a United States legal doctrine | that holds that people who voluntarily give information to | third parties--such as banks, phone companies, internet service | providers (ISPs), and e-mail servers--have "no reasonable | expectation of privacy" in that information. A lack of privacy | protection allows the United States government to obtain | information from third parties without a legal warrant and | without otherwise complying with the Fourth Amendment | prohibition against search and seizure without probable cause | and a judicial search warrant. | | https://en.wikipedia.org/wiki/Third-party_doctrine | dgdfhdfhj wrote: | supertrope wrote: | In theory it adds a speed bump. Apple as the cloud service | provider can respond to the legal order by saying they don't | have the key. And then the police can ask for a booby trapped | update for just your phone which may or may not happen. Or they | can lobby the legislature for an encryption backdoor for all | devices which will force them to show their hand in terms of | "lawful intercept" capability. | | If you want maximum security use an air gapped computer. But | that won't let you send messages on the go. | jazzyjackson wrote: | > If you want maximum security use an air gapped computer. | But that won't let you send messages on the go. | | You can, with some inconvenience, use optical diodes to | transmit data from a trusted input device to an untrusted | network device for transport over tor, and then push the | received messages over a second diode to a display device | that decrypts the messages, so that even if you receive an | exploit/malware, there is no physical connection that allows | unencrypted data to be exfiltrated. | | https://github.com/maqp/tfc | gtvwill wrote: | They don't have to lobby anyone for this. Apple has | operations in aus. 
We have laws here gov can force you to put | a backdoor in software or hardware and you are not allowed to | tell even your employer you have been requested to do so. | | Tbh in theory apple aren't allowed to tell you they have done | it or otherwise. So their phones have probably been | backdoored for a few years now at request of aus gov. | theshrike79 wrote: | Who pays for the work required to add the backdoor? Does | the company have to do it for free? | Andrew_nenakhov wrote: | If you want maximum security then just obviously don't use | Apple services, or any other provider that has a capability | to fetch your data under any circumstances. | smoldesu wrote: | > then just obviously don't use Apple services | | How is this possible on iPhone/iPads, where using Apple | services like the App Store is required to install | software? | judge2020 wrote: | Maybe buy a product that better suits you. If you buy a | barbie doll, don't expect to be able to transform it into | an 18 wheeler big rig. | jdiez17 wrote: | Starting in May next year, the Digital Markets Act [1] | requires Apple to "allow the installation of third-party | software applications [...] by means other than the | relevant core platform services of that gatekeeper." | | [1] https://eur-lex.europa.eu/legal- | content/EN/TXT/?uri=uriserv%... | smoldesu wrote: | Very excited for this, but also disappointed that it took | the entire European Union to bring Apple to heel. | rched wrote: | I'm still on the fence about whether this will end up | being a net good or not but people don't seem to consider | the potential knock on effects of this. Apple puts some | nice pro-consumer, along with some less nice anti- | developer, requirements on Apps in the AppStore. Easy | subscription management, privacy disclosure, parental | controls etc. 
If the developers of an app decide to only | make it available outside the AppStore you as a consumer | may be forced to choose between using that app and | getting those benefits. | pixl97 wrote: | > If the developers of an app decide to only make it | available outside the AppStore you as a consumer may be | forced to choose between using that app and getting those | benefits. | | And Apple already chooses the reverse for you by not | allowing apps you may want and by charging a 30% tax for | doing so. There is a vast disparity between the | behaviors! | supertrope wrote: | Don't buy an iPhone. | smoldesu wrote: | Or just wait long enough for the EU's digital markets act | to take effect. But my point stands. | scarface74 wrote: | I can't wait for the mandated pop ups "did you know you | could install a third party App Store" every time you go | to the Apple App Store. | jdiez17 wrote: | What makes you think there will be such "mandated | popups"? | scarface74 wrote: | Have you heard of the GDPR and seen how it's made the web | browsing experience worse? | jdiez17 wrote: | Yes, I have heard of the GDPR and in my opinion it has | improved/consolidated my digital privacy rights and not | affected the "web browsing experience" in any negative | way. I believe you are referring to the ePrivacy | Directive (aka cookie law). As you may know, it's only | mandatory to inform the user when the website is | collecting information from the user beyond what is | necessary for technical purposes - and in that case I do | want the option to refuse that. | Andrew_nenakhov wrote: | Obviously, it is not possible on Apple devices. Probably | something like Pinephone [0] might help. | | [0]: https://en.wikipedia.org/wiki/PinePhone | smoldesu wrote: | How does the PinePhone help me download apps on my | iPhone? 
| Andrew_nenakhov wrote: | It won't help to download apps on an iPhone, which, I | must say, _isn't even yours_: you don't get to decide | which apps you can install on your phone. Apple gets to | decide. Factually speaking you're merely renting the | iPhone from Apple, which, being the device owner, decides | the terms under which you can use it. | schrodinger wrote: | In practice this distinction is meaningless. In fact I | trust Apple more than my own government. To take your | argument to an absurd logical conclusion, I don't own | ANYTHING because my government can take it. | Andrew_nenakhov wrote: | It is known that Apple would do quite a lot of what | governments will ask of it. It removes apps from national | AppStores on a simple request from countries like China | or Russia. (Well, _now_ Apple _might_ ignore Russian | takedown requests, but prior to the war with Ukraine they | were very receptive to their demands) | pixl97 wrote: | In rule of law countries there is a legal framework for | the government taking things which involves processes | that are generally voted on. | | We cannot say the same for Apple. | schrodinger wrote: | Laws voted on by elected officials like Ted Cruz, MTG, | Boebert. I trust Tim Cook over any of those. | gjsman-1000 wrote: | _Nothing is secure._ Once we remember that, we'll stop | nitpicking improvements. | | Use your own server? Great, it's secure software-wise, but if | someone broke into your house, it's all of the sudden the | worst liability ever. The next thing you know, your entire | identity, your photos, everything is stolen. You have | excellent technical security, perhaps the weakest physical | security. | | So new plan, you use a self-hosted NextCloud instance on a | VPS somewhere. That's actually not much smarter than using | iCloud - VPSs handle data warrants all the time. They also | move your data around as they upgrade hardware, relocate | servers, and so forth. | | So new plan, you use iCloud E2E encryption. 
You have to trust | that Apple does as they say, and trust that their algorithms | are correctly functioning. Maybe you don't want to do that, | so new plan: | | You use a phone running GrapheneOS, with data stored on a | VPS, with your own E2E setup. Great - except you need to | trust your software, and all the dependencies it relies on. | Are you sure GrapheneOS isn't a CIA plant like ArcaneOS was? | Are you sure your VPN isn't a plant, like Crypto AG? And even | if the VPN is legitimate, how do you know the NSA doesn't | have wiretaps on data going in and out, allowing for greatly | reducing the pool of suspects? Are you sure that even if the | GrapheneOS developers are legitimate, the CIA hasn't stolen | the signing key long ago? Apple's signing key might be buried | in an HSM in Apple Park requiring a raid, but with the | GrapheneOS developer being publicly known, perhaps a stealth | hotel visit would do the trick. | | So new plan, you build GrapheneOS yourself, from source code. | Except, can you really read it all? Are you sure it is safe? | After all, Linux was nearly backdoored with _only two | inconspicuous lines_ hidden deep in the kernel (the 2003 | incident). So... if you read it all, and verify that it is | perfect, can you trust your compiler? Your compiler could | have a backdoor (remember the "login" demo?), so you've got | to check that too. | | At this point, you realize that maybe your code, and | compiler, is clean - but it's all written in C, so maybe | there are memory overflows that haven't been detected yet, so | the CIA could get in that way (kind of like with Pegasus). In | which case, you might as well carefully rewrite everything in | Rust and Go, just to be sure. But at that point, you realize | that your GrapheneOS phone relies on Google's proprietary | bootloader, which is always signed by Google and not | changeable. Can you trust it? 
| | You can't, and then you realize that the chip could have | countless backdoors that no software can fix (say, with Intel | ME, or even just a secret register bit), so new plan. You | immediately design and build your own CPU, your own GPU, and | your own silicon for your own device. Now it's your own chip, | with your own software. Surely that's safe. | | But then you realize there's no way to verify, even after | delidding the chip, to verify that the fabrication plant | didn't tweak your design. In which case, you might need your | own fabrication plant... but then you realize that there's | the risk of insider attacks... and how do you even know those | chip-making machines are fully safe? How do you know the CIA | didn't come knocking and make a few minor changes to your | design, and then gag the factory with a National Security | Letter from giving you any whiffs about it? | | But even if you managed to get that far, great, you've got a | secure device - how do you know that you can securely talk to | literally anyone else? Fake HTTPS Certificates from Shady | Vendors are a thing (TrustCor?). You've got the most secure | device that is terrified to talk to anybody or anything. You | might as well start your own Certificate Authority now and | have everyone trust you. Except... aren't those people... in | the same boat now... as yourself... And also, how do you know | the NSA hasn't broken RSA and the entire encryption ecosystem | with that supercomputer and mathematicians of theirs? How do | you know that we aren't using a whole new DUAL_EC_DRBG and | that Curve25519 isn't rigged? | | The rabbit hole will _never end_. This doesn't mean that we | should just give up - but it does mean we shouldn't be so | ready to nitpick the flaws in every step forward, as there | will be no perfect solution. | | Oh, did I mention your cell service provider always knows | where you are, and your identity, at all times, regardless of | how secure your device is? 
| | Edit @INeedMoreRAM: | | For NextCloud, from a _technical_ perspective it's | fantastic, but your data is basically always going to be | vulnerable to _either_ a technical breach of Linode, an | insider threat within Linode, or a warrant served (either a | real warrant, or a fraudulent warrant, which can happen). | | You could E2E encrypt it with NextCloud | (https://nextcloud.com/endtoend/) which would solve the | Linode side of the problem, but there are limitations you | need to look into. Also, if a warrant was served (most likely | going to be authentic if police physically show up, at least | more likely than one they served your data over), you could | always have your home raided, recovery keys found, and data | accessed that way. Of course, you could destroy the keys and | only rely on your memory - but, what a thing to do to your | family if you die unexpectedly. Ultimately, there's no | perfect silver bullet. | | Personally... It's old school, I use encrypted Blu-rays. They | take forever to burn, but they come in sizes up to 100GB (and | 128GB in rare Japanese versions), they are physically stored | in my home offline, and I replace them every 5 years. This is | coupled with a NAS. It's not warrant-proof but I'm not doing | anything illegal - but it is fake-warrant-resistant and | threats-within-tech resistant, and I live in an area where I | feel relatively safe (even though this is, certainly, not | break-in-proof). Could also use encrypted tape. | schrodinger wrote: | You forget one of the simplest loopholes: "gun to the head | for the password". | INeedMoreRam wrote: | I've been running my own Nextcloud instance on a Linode | with 2FA and your response made me question how secure it | is. | | Even though I get an A+ on the Nextcloud Security Scan | (https://scan.nextcloud.com/), have 2FA, and custom IP | blocking set up in my .htaccess file, it's disheartening to | know that I'm not as secure as I thought I was. 
| | I removed all my photos/files from iCloud for privacy | reasons, and now I feel helpless contemplating how Linode | may just hand my data over if served a warrant. | | Any other Nextcloud hardening tips besides Fail2ban and | reverse proxying you'd recommend? May I ask what your | workflow looks like for preserving files throughout time? | vineyardmike wrote: | > And what good is that encryption, if Apple obviously can do | almost anything with your device? | | Because apple isn't in control of apple for data at rest, and | that's the specific risk. | | You have to trust control of the device sure, but you cannot | trust cloud data - almost at all - between subpoenas from over | eager LEOs and break ins from criminal and state hackers | smoldesu wrote: | > Because apple isn't in control of apple for data at rest | | That's not really true if Apple also holds copies of your | iCloud decryption keys. If they want to access your data, | they already have all the necessary components. | rodgerd wrote: | > That's not really true if Apple also holds copies of your | iCloud decryption keys. | | That is _literally the thing that this announcement | changes_. | | I see that Hacker News has plummeted below Reddit in the | "bothering to check the link" stakes. | vineyardmike wrote: | Yea, thats the point. | | Let me re-phrase, by giving Apple control over the keys, | you give control over the data to whoever controls apple - | which is non-zero (Eg. LEO), and whoever may gain control | (security vuln). | smoldesu wrote: | I don't want Apple to give over the keys. I just want my | key to be the only in existence. | vineyardmike wrote: | Yea... that's what they're changing. That is the point. | They're not going to be in control over the keys - which | is a good thing to you, it seems. | tshaddox wrote: | > In other words, the adversary in your threat model is the | service provider - and in this case, Apple. 
And what good is | that encryption, if Apple obviously can do almost anything with | your device? | | The adversary in this threat model isn't the service provider. | The adversary is someone attacking the service provider, like a | hacker or a government with a warrant, and getting access to | Apple's storage of your data. | | Now of course it's not impossible for such an adversary to | _also_ defeat other systems at Apple and get your data another | way, for example by controlling Apple's ability to send over- | the-air updates to Apple devices. But I think that is a | sufficiently distinct threat that it's not worth dismissing | solutions to the first threat. That would be like dismissing | the importance of a web server storing passwords salted and | hashed, since attackers could just use a totally different | attack to bypass the web server's database access control. | Another way to illustrate this might be to point out that | attackers can physically coerce you to hand over data | regardless of _any_ security measures any service provider | could possibly make, but that doesn't mean we should dismiss | all such security measures. | Terretta wrote: | We used to call this "NSL-proof". If your provider is | architected to be NSL-proof, then the warrant has to get | served to you. | | This is now possible to achieve in AWS, for example. | rsync wrote: | I disagree - the service provider should be considered an | adversary and their service - and your tooling - should make | it possible to obfuscate every single bit of data _and | metadata_ that you store there. | | If only such a service existed. | | _If only_ ... | xoa wrote: | rsync.net is great and I've always appreciated the exposed | ZFS capability, even if at this point 3x the cost per gb | for a small scale users vs B2 is a lot more painful. Having | encryption, including for transfers, also be part of the | filesystem (which is open source) is great. 
Pity but for a | small turn of history ZFS didn't become the native FS for | Apple. And I think backups in particular is one of the | focused completely unambiguous areas where Apple really has | behaved in textbook anticompetitive fashion, and they | should be required to allow people to point their iOS | devices at any 3rd party service (including their own!) | they wish that implements the right API (which Apple should | have to document and follow themselves). | | Still with all that said: | | > _I disagree - the service provider should be considered | an adversary and their service - and your tooling - should | make it possible to obfuscate every single bit of data and | metadata that you store there._ | | If you're using Apple devices at this point then I think | they do unavoidably form some part of your core trust | foundation. With current hardware Apple is everywhere in | the stack right down to the CPU level, heck arguably below | that since they have a special license with ARM and can | implement their own custom extensions. If you really think | they're an adversary to the point of doing custom backdoors | explicitly going after you, then the hardware just can't be | trusted. | | It's not unreasonable though to look at both Apple's | incentives and the state of American law at least and see | distinctions between Apple being compelled (or hacked) to | provide something they have passive access to on their side | anyway vs being compelled to engage in non-consensual | active work and feature development (or having that slipped | in and make it into general deployment) on things that | necessarily must go out to end user devices. The former is | both bog standard warrant/subpoena territory and not | inherently detectable outside of Apple and the government, | since it doesn't directly involve the user as a party at | all. 
The latter is very arguably illegal and provokes far | more public response, and involves deploying in ways that | make it far harder to keep concealed (and open up other | avenues of challenge). | nonameiguess wrote: | I don't get it. If you don't trust Apple, then you don't | take photos with an iPhone. There is no possible service | they could offer that assures you every bit of data and | metadata is obfuscated end to end in any sense of before | Apple software has a chance to see it. At bare minimum, the | camera app has to put together a file before there is | anything to encrypt. A malicious Apple could just keep a | second copy of that file, and even if you used a different | backup service, they'd still have it. | cbm-vic-20 wrote: | I've used such a service for at least a decade. End-to-end | encrypted. All open source. ;) | rsync wrote: | ... username checks out - our target demographic :) | leeoniya wrote: | > a government with a warrant | | remember Lavabit [0]? will Apple choose to shut down rather | than to comply [1]? if the government comes with a warrant, | it will be with a gag order, and they will be compelled to | silently update your phone to extract whatever the govt needs | over the course of a few months. | | [0] https://en.wikipedia.org/wiki/Lavabit | | [1] | https://en.wikipedia.org/wiki/Pen_register#Pen_Register_Act | sedatk wrote: | Apple isn't a monolithic entity. For example, a rogue engineer | might be able to access your iCloud data, but it's orders of | magnitude more complicated to push a specifically manufactured | app to your device. | | There's a similar variance of complexities for hacking and law | enforcement overreach scenarios. | | E2EE isn't a solution for all attack vectors, but it's a | significant mitigation in itself. | [deleted] | judge2020 wrote: | > They can remotely wipe apps. | | Technically no. I still have Fortnite on my iPhone, it just | can't be opened. 
Apple can't wipe apps from your phone, but if | they're App Store installed (as opposed to Ent MDM/Sideloaded), | they can render them inoperable by revoking the certificate | attached to the bundle. | schrodinger wrote: | There are multiple meanings of trust in this scenario: belief | in honesty, and confidence of ability. Eg I can trust you to | tell me the truth but not trust you to protect me from a | missile. | | I trust Apple's honesty. I don't trust many attack vectors. | Someone could gain access to their data center. E2EE protects | that. A gov could legally compel them to provide data. I trust | when they say they've engineered it in such a way that they | can't currently do it, and that they would publicly cause a | scene and legal battle if attempted - as they have before. | Accidental data leaks also happen. In all these scenarios I | trust Apple's intentions but know that nothing is perfect. E2EE | adds a lot for me. | sneak wrote: | This is opt-in, because of sneak's law ("users can not and will not | securely manage{generate, backup, authenticate} key | material")[1]. Apple knows that enabling this by default would be | a disaster. This means most people will not ever even know the | feature exists, and few will turn it on. | | This means that iMessage as a platform is still backdoored, | because most people you iMessage with will be escrowing their | endpoint iMessage keys to Apple in their effectively unencrypted | iCloud Backups. | | Apple (and the FBI/DHS/CIA/NSA soup bois without a warrant) will | still be able to read everyone's iMessages in real-time. | | Everyone wins. Spies keep spying, Apple gets to trot out the e2ee | marketing flag. | | Meanwhile, there is nothing to indicate that they don't intend to | continue the rollout of their clientside photo scanning software | that they previously announced. | | [1]: https://youtu.be/9k4GP3Evh9c | cglong wrote: | Now I get what dang was saying about press release verbiage... 
| https://news.ycombinator.com/item?id=33886505 | dmitryminkovsky wrote: | Came to the comments to say this. Would appreciate a non-Apple | source on this. | latexr wrote: | Daring Fireball highlights some bits and provides commentary: | https://daringfireball.net/linked/2022/12/07/advanced- | data-p... | baggy_trough wrote: | I don't really understand the objection. The press release is | very well written. | haswell wrote: | But in some cases, that's the point. A well written press | release will often gloss over potentially relevant/important | details that a neutral source will not. | baggy_trough wrote: | That's what the HN comment thread is for! | haswell wrote: | The difference is that the HN comment thread will rarely | have insights that a reporter can often provide after | following up with their inside contacts. | | Edit: on reflection, I don't agree with this and wrote | this too hastily. I'd still prefer 3rd party by default | and believe it's often a better basis for a discussion. | baggy_trough wrote: | That is very much opposed to my experience. | crazygringo wrote: | My experience is the complete opposite. | | Reporters rarely add much unless they've got several days | to do an analysis piece, which there are very few of. And | is never the case for breaking news. | | HN threads regularly supply oodles of context and | counterpoints you don't find in any articles anywhere. | Which is one of the big reasons we come here, right? | haswell wrote: | I probably wrote that too hastily, and will give you that | many threads are indeed deeply insightful by themselves. | | I still believe that a 3rd party source that at least has | a chance of being more objective than a company issued | press release is the ideal basis on which to form a | discussion. | dang wrote: | In this case we've changed the URL from | https://www.apple.com/newsroom/2022/12/apple-advances-user-s... 
| to the URL that several users pointed out has more details (and | isn't a press release). | lxgr wrote: | This is a great step, but I really hope Apple also change their | position on no longer allowing users to provide a high-entropy | passphrase to unlock all of this end-to-end encrypted data. | | As it is, my iPhone unlock PIN is everything that's needed to | decrypt the data server-side [1], and I'm not changing to an | alphanumeric password on my phone only because of that. | | [1] https://support.apple.com/en-us/HT204915 ("You might also be | asked to enter the passcode of one of your devices to access any | end-to-end encrypted content stored in iCloud.") | Analemma_ wrote: | This comment is baffling. You say you want Apple to allow the | option of a high-entropy passphrase, which they _do_, but you | refuse to use it? | lxgr wrote: | I want to use a low-entropy PIN on my phone, because I enter | it dozens of times per day, shoulder-surfing is a concern as | big as hacking in many scenarios, and because I trust Apple's | hardware to be capable of efficiently limiting local PIN | attempts and wiping high-entropy keys if required. | | At the same time, I log in to new iOS devices with my Apple | ID about once per year. I would love to be able to use a | high-entropy key in that scenario. (As a point of reference, | WhatsApp allows exactly that for encrypted backups!) | | If that's still baffling to you, I'm glad I could introduce | you to a very different viewpoint :) | blokey wrote: | Use FaceID or TouchID, that's kind of their purpose! | lxgr wrote: | There's still too many situations in which I do end up | having to enter my passcode. | | Mask unlock isn't perfect, wet hands can throw off Touch | ID, and once per day I believe they will just reset and | ask for the passcode anyway. It's also required for | software updates and reboots. | | I'm not asking for this to become the default, or even an | option given in any setup wizard. 
Just allow me to set up | my own end-to-end encryption recovery passphrase and let | me remove all of my device passcodes, i.e. allow me to | opt out of HSM-mediated key escrow. | quenix wrote: | Is your Apple ID password not a sort of "secondary | passphrase" as you're wondering? You enter the Apple ID | password to download the encrypted data and the low- | entropy passcode to decrypt it. | | Just make your apple ID password high-entropy. | lxgr wrote: | Not really. The Apple ID password is a regular server- | verified password and does not contribute to end-to-end | encryption in the cryptographic sense. In other words, it | gates access to the end-to-end encrypted data, but not | the keys used to encrypt them. | | If you trust Apple to never get hacked or hand over your | data to any third party, that's perfectly fine, but that | is not the scenario that end-to-end encryption is | designed to address. | yunwal wrote: | You _can_ use a high entropy passcode for iCloud. You just | can't stay signed in when you're not using it. I don't | understand the issue here | lxgr wrote: | How can I select a high-entropy iCloud passcode without | also making my phone unlock code high-entropy? | yunwal wrote: | To change your iCloud passcode: | https://support.apple.com/en-us/HT201355 | | To change your phone passcode: | https://support.apple.com/guide/iphone/set-a-passcode- | iph14a... | lxgr wrote: | > To change your iCloud passcode: | https://support.apple.com/en-us/HT201355 | | That's only the Apple ID/iCloud/account password, which | plays only a minor role in end-to-end encryption. | | The phone passcode _is_ the (secret which gates, on Apple's | HSMs,) your iCloud encryption key! | | https://support.apple.com/guide/security/escrow-security- | for... | | Got "1234" as a passcode on a long-forgotten family iPad | or test iPhone? 
Better go change it to something secure, | as that's what stands between an advanced attacker (that | can compromise your 2FA), or somebody able to | compromise/apply sufficient pressure to Apple, getting | into your iCloud end-to-end encrypted data. | shbooms wrote: | > Got "1234" as a passcode on a long-forgotten family | iPad or test iPhone? Better go change it to something | secure... | | according to the article, I don't think this will be | possible because you won't even be able to turn on | Advanced Data Protection in this scenario. | | "You must also update all your Apple devices to a | software version that supports this feature." | | Just to get the feature enabled you're going to have to | go and "touch" all of the devices you're signed into and | either update their OS (and also update their passcode if | you're smart) or sign out of them. | sebk wrote: | The iCloud recovery key is a 28-character string, not | your iPhone PIN: https://support.apple.com/en- | us/HT208072. There is no situation that I can think of | where a device PIN is of any use off-device. | lxgr wrote: | Recovery keys were part of iCloud Keychain end-to-end | encryption when used without "two-factor authentication", | which is now a deprecated setup and can't be used with | new iCloud accounts anymore: | | https://support.apple.com/guide/security/secure-icloud- | keych... (describes how both approaches work) | | https://support.apple.com/en-us/HT204915 (documents that | two-factor authentication is now effectively mandatory, | which makes using recovery keys impossible) | | The device PIN is now exclusively used (off-device!) for | iCloud end-to-end encryption key recovery: | https://support.apple.com/guide/security/escrow-security- | for... | Dylan16807 wrote: | They want to use it to _get_ signed in but not to _stay_ | signed in. It makes sense to me. | Alex3917 wrote: | This. 
| It seems like for the average person, if you go from not using cloud backups to using cloud backups with their pin, then this is a huge step backwards for security.
| [deleted]
| lxgr wrote:
| On the other hand, for the average person already using unencrypted iCloud backups, it is a considerable step forwards, and arguably managing their own high-entropy recovery key could be a significant burden.
|
| I just really wish they'd made PIN-based HSM escrow the default, but optional (with the "off" switch behind several scary-sounding warnings).
| stouset wrote:
| You can set a more complicated password to unlock your iPhone. I know this because I do it.
| lxgr wrote:
| Sure, but I won't, and neither will many other people, realistically.
|
| There is no technical need at all for the same password to gate both local device unlock and remote end-to-end encryption key escrow.
|
| It's a pure security vs. availability (and realistically genius bar support load) tradeoff, and I even think they nailed it for the vast majority of users! I just wish they'd let advanced users participate in that tradeoff more actively.
| nikitoci wrote:
| You are not limited by 6-digit passcodes only, you can also
|
| "...Or tap Passcode Options to switch to a four-digit numeric code, a custom numeric code or a custom alphanumeric code." which is on their support web site[1]
|
| [1]: https://support.apple.com/en-gb/HT204060
| lxgr wrote:
| Yes, but then I need to enter a custom alphanumeric password every time I unlock my phone or tablet.
|
| I want to be asked for it if and only if I grant a new device access to my end-to-end encrypted iCloud data.
|
| I don't think this is an absurd demand. WhatsApp supports this security model, for example. Even Apple used to, before they forced every iCloud keychain user to switch to their HSM-based model!
| ace2358 wrote:
| I'm assuming you don't use Touch ID or Face ID?
|
| I've been using an alphanumeric passcode for about 7 years now. I've gotten used to it. It's not too long to be annoying but better than a numerical pin.
|
| Even if you used 4 numbers for an alphanumeric password, it's still much more secure than a 6 digit pin.
| lxgr wrote:
| > Even if you used 4 numbers for an alphanumeric password, it's still much more secure than a 6 digit pin.
|
| Unfortunately, that's not the case:
|
| If you trust the secure enclave (for the device unlock scenario) or Apple's HSMs (for the key escrow scenario), a 6-digit PIN is just as secure as a 4-character alphanumeric password. In both cases, you get 10 invalid attempts before your data is wiped, and the odds are negligibly small in either case (10/10*6 vs. 10/62*4).
|
| If you don't, i.e. you are concerned your adversary can somehow perform a brute-force attack, you need way more than four alphanumeric characters.
| SllX wrote:
| Do you not use FaceID or TouchID or unlock with the Watch?
|
| I switched my pin to alphanumeric because I'm _not_ putting it in every time I pickup my phone. I can live with the inconvenience of putting the passcode in every couple of days or so.
| sneak wrote:
| I put in my 12 character numeric passphrase multiple times a day because FaceID sucks with masks and covid is still a thing.
|
| I wish TouchID were an option on latest pro iphones.
| zaroth wrote:
| I just want to second this. I use a long alphanumeric password to unlock my iPhone plus FaceID.
|
| I enter the password at most a few times a week after reboots and if someone plays with the phone and gets FaceID to fail too many times. It's not annoying at all to unlock with the keyboard rarely.
| brookst wrote:
| I see what you're asking for, but I don't think Apple would ever do it. A passphrase that is only used once every few years is a recipe for endless support calls.
| dmix wrote:
| Android offered it for a long time for decrypting on boot.
| I'm sure Apple could communicate it well enough.
| lxgr wrote:
| Then hide it behind an option deep in the settings, and label it "only for advanced users, and if you lose it, all your data will forever be gone".
|
| Apple even had this exact setting in the past! And they still have a similar thing for Mac disk encryption (the default is iCloud escrow, but a local-only recovery passphrase is also an option).
| lilyball wrote:
| I admit I still use a 6-digit passcode, but if you're actually serious about protecting your data you should be using an alphanumeric password anyway. Even ignoring the server-side stuff, that single password unlocks most of the data on your phone.
| lxgr wrote:
| It's much easier to securely limit invalid PIN attempts on a device locally than in the cloud, though. This is the bread and butter of embedded security cores like the secure enclave or Google's Titan M.
|
| Users shouldn't be forced to use high-entropy local passwords just because a service provider insists on reusing them for a completely different purpose.
| dgdfhdfhj wrote:
| amatecha wrote:
| A more thorough (or less PR-ish) explanation of the Advanced Data Protection and how it works can be found here: https://support.apple.com/en-ca/guide/security/sec973254c5f/...
| dang wrote:
| Ok, we've changed the URL to that from https://www.apple.com/newsroom/2022/12/apple-advances-user-s.... Thanks!
|
| (more at https://news.ycombinator.com/item?id=33899699)
| layer8 wrote:
| Unfortunately, it seems that this requires all connected devices to be on the latest OS versions (iOS 16.2, macOS 13.1, etc.), which means you can't use it as long as you have older devices connected to your Apple ID.
|
| It also doesn't work for Shared Albums, and for other "Shared" features it requires all participants to have ADP enabled.
| yreg wrote:
| >as long as you have older devices connected to your Apple ID
|
| Is it possible to have an old device connected to Apple ID, Find My enabled and iCloud backups/sync disabled for ADP to work on your newer devices?
|
| Having no backups/sync on the old devices is fine, presumably people who care about encryption have that turned off at the current state of matters anyway.
| ezfe wrote:
| It's not particularly surprising that all your devices need to be updated, how else would it work? The whole point of E2E is that the ends are your devices.
| layer8 wrote:
| Right, but it may be unexpected that a single device can prevent using a new feature on your other devices. This is just a heads up. And conceivably Apple could provide updates for older OS versions, as they sometimes do for security fixes.
| acdha wrote:
| This has been the case for other iCloud features and they've historically done a good job communicating this to the user at the time they upgrade the service and when they attempt to access it from an old device. I would expect that to follow the same process here either refusing to enable it until your devices are updated or having the old device kicked out until it's updated.
| layer8 wrote:
| Yes, they are refusing to enable it if you have older devices signed in to your Apple ID.
| novok wrote:
| Now will they offer icloud tiers over 2tb next, like google does? Will icloud be actually usable for 3rd party apps outside of ios without constant reauth?
| CharlesW wrote:
| FWIW, there's a "product packaging hack"[1] that gives you 4TB if you pay for both Apple One Premium and iCloud+ at a total cost of $40/mo. It's not a great value, but it's possible. I'd bet on them adding a 4TB plan in 2023.
|
| [1] https://mashable.com/article/apple-icloud-plus-plans#:~:text....
| novok wrote:
| All I want is a roadmap to ever increasing tiers of storage, like google, so I know if I need to, I don't need to do a big migration once my life history gets too big. Good to know about the hack.
| BiteCode_dev wrote:
| I hope this is true, but since their entire stack is proprietary, we have no way to know if there is not a backdoor to get the key from you.
|
| Since Apple was part of the PRISM program, I'm going to assume there is at least one for the 3 letters agency, which means it's available for Apple, who designed it, as well.
|
| But it does mean that they can mass scan easily the data, and have to target people personally, which is already a huge improvement, and covers most people's threat model.
| modeless wrote:
| I have often criticized Apple for marketing iMessage as end-to-end encrypted while the vast majority of encryption keys still reside on their servers and are routinely used to decrypt messages for law enforcement on demand. This is a long overdue step forward.
|
| However, for most people their messages will still not be end-to-end encrypted because their contacts will mostly not have this optional feature enabled. To be truly effective, this feature would have to ensure that Apple does not strip the end-to-end encryption from your messages when they are sent to other people using iMessage. In my opinion it is still fraudulent to market iMessage as an end-to-end encrypted system until this is fixed.
| xoa wrote:
| > _However, for most people their messages will still not be end-to-end encrypted because their contacts will mostly not have this optional feature enabled. To be truly effective, this feature would have to ensure that Apple does not strip the end-to-end encryption from your messages when they are sent to other people using iMessage.
| In my opinion it is still fraudulent to market iMessage as an end-to-end encrypted system until this is fixed._
|
| I think your opinion is mistaken in conflating separate problem spaces/threat models. E2EE deals exclusively with the transit and reading of data between trusted ends, that's the point. It deals with the threat posed by middle observers. What happens to the data _after_ it reaches and gets stored on one end or the other is out of scope. Certainly important, but still has nothing to do with whether something is E2EE. Communications between people necessarily means no one person is fully in charge. The person on the other side could perfectly well have their PIN be "1234", that wouldn't suddenly mean Signal/iMessage/SSH/whatever are no longer E2EE.
|
| This is definitely an unambiguously significant improvement, and it will help more people stay secure more easily while still making use of wireless services (vs backing up with a cable to a system like I have always done and still do with iOS devices). However, while technology is helpful it's not a total substitute for opsec either. And I think it's a mistake to mush together different domains. iMessage going full E2EE was a good all by itself and its own specific thing, even if Apple was wrong to not deploy the same thing everywhere and also wrong (and still wrong!) not to allow 3rd party options for backups. There was nothing fraudulent about saying it was E2EE.
| fossuser wrote:
| It seemed clear they were making moves in this direction back when their announcement about on device hash checking for CSAM prior to iCloud photos backup was made. That announcement only made sense in a world where they wanted to enable end to end encryption for photos. It's cool to see them do this, and see them also extend it to Messages too (surprising imo).
|
| --
|
| > The apple policy was likely about coming up with a way to enable encrypted photos on iCloud while still having some privacy preserving form of CSAM detection. Since it was only enabled when iCloud photos was enabled it was better for privacy on net than the status quo (unencrypted iCloud photos that are accessible to apple and scanned anyway).
|
| https://news.ycombinator.com/item?id=30297272
| YokoSix wrote:
| "Dates and times when a file or object was modified are used to sort a user's information, and checksums of file and photo data are used to help Apple de-duplicate and optimize the user's iCloud and device storage--all without having access to the files and photos themselves."
|
| https://support.apple.com/guide/security/advanced-data-prote...
|
| So Apple only encrypts the files but not the metadata? If that's true the encryption is basically worthless because Apple is still able to "see" what files you upload and scan them for CSAM, copyright infringement or videos of 1989 Tiananmen Square.
| tiffanyh wrote:
| > Starting with iOS 16.2, iPadOS 16.2 and macOS 13.1, _you can choose to enable_ Advanced Data Protection to protect the vast majority of your iCloud data, even in the case of a data breach in the cloud.
|
| Interesting, so this is an opt-in (not default secure).
| [deleted]
| Gigachad wrote:
| Probably concerns about people losing data. Probably the vast majority of people would rather someone gains access to their photos than having their files lost
| theshrike79 wrote:
| For now, they'll make it opt-out when a large enough user base is at those OS versions.
| madeofpalk wrote:
| Source?
| tiffanyh wrote:
| I don't understand. This is an opt-in, not opt-out.
| theshrike79 wrote:
| It's currently opt-in, because a significant percentage of the user base is not running an OS version that can support the E2EE features.
|
| When that percentage is high enough (a few years), I don't see why Apple wouldn't make it opt-out. (Default it to encrypted, you need to specifically disable it if you don't want it).
| martin_drapeau wrote:
| Apple is extending the data privacy/security you have on your phone for images, videos, files (content) to the cloud. Blurring the lines between physical device and the cloud.
|
| This makes perfect business sense - people will want to buy extra storage. Lock-in is deeper.
| asymmetric wrote:
| Does this apply to all jurisdictions? I somehow have a hard time imagining China would allow them to do this for their citizens' data.
| yyyk wrote:
| I didn't expect Apple to actually do this. Kudos.
|
| During the client-side scanning debacle I noted they'd have to implement server-side scanning anyway, so they might as well abandon client-side scanning. The wording still allows for server-side scanning ("raw byte checksum" is vague enough to be an image hash or merely a CRC-32; I strongly suspect it's the former) - and I'm perfectly fine with Apple choosing this. Their server their rules. It's also the better technical choice IMHO.
| yamtaddle wrote:
| > ("raw byte checksum" is vague enough to be an image hash or merely a CRC-32; I strongly suspect it's the former)
|
| 1) The image fingerprinting they were talking about before is _really_ different from a "raw byte checksum", since it could recognize photos that had been resized or cropped.
|
| 2) AFAIK the plan was always to generate the fingerprint on the device, but to check it server-side, possibly as a pre-flight check before sending the actual file.
| The thing that upset people was the device generating a too-good fingerprint [EDIT: To be fair, people were also concerned Apple would expand the fingerprint-generating-and-uploading to photos that _weren't_ bound for iCloud--the concern would have been pretty silly otherwise, since of course unencrypted photos sent to iCloud are CSAM-scanned, same as everywhere else]. Pretty sure they were gonna keep the naughty-list server-side all along. So, if this _is_ the same thing (I doubt it, see #1) then checking the fingerprints(/hashes) server-side isn't a change in plans.
| yyyk wrote:
| 1) I'm aware of the difference. However, I think the Apple phrase is sufficiently ambiguous to legally cover an image hash as well. An image hash is technically a checksum and is made of raw bytes that cannot be converted back to the image. If Apple is indeed using an image hash, I don't have a problem with this - it's their servers.
|
| 2) The fingerprint check was supposed to be done _client-side_ based on a server supplied list so that Apple would not get the image and image hash unless there was a match (I'm simplifying this, there was a rather complex procedure involved with thresholds and manual review).
|
| My main concern was that normalizing and making possible client-side scanning would lead to other things being scanned. e.g. China adding images of Winnie the Pooh to scan list, and then sending every Chinese suspect to dissident-ville in the sky. The Apple plan here was insufficient: it wanted to rely on multi-country lists, this had both legal and practical problems - e.g. China has sufficient sway with friendly countries to add its choice of images to the list.
| yamtaddle wrote:
| Ah, thanks for the clarification, seems I was off on some of that.
|
| > My main concern was that normalizing and making possible client-side scanning would lead to other things being scanned. e.g.
| China adding images of Winnie the Pooh to scan list, and then sending every Chinese suspect to dissident-ville in the sky.
|
| Right, but that hardly mattered as long as it applied only to iCloud-uploaded files, since those were and are already being scanned so all those scenarios were already in play (well, not _now_, I suppose, if you enable encryption... maybe. But at the time they announced the scanning, certainly)
| nerdjon wrote:
| I have been waiting a long time for backups and photos to support this, and I am glad we are finally getting it.
|
| I don't feel like updating to a beta to get this feature (especially for the risks associated with it). But I am curious how the migration will work. Will this basically re-encrypt everything locally and then upload it or will what is already there stay unencrypted.
|
| Also does anyone know, how do features like this work for someone with a single apple device? I don't worry about losing access to anything because if my phone dies I have... several other devices with keys. But what about someone who doesn't?
| gjsman-1000 wrote:
| It shows in the screenshot the following:
|
| "Because Apple will not have the keys required to recover your data, you will be guided to set up an alternate recovery method in case you ever lose access to your account."
|
| I would assume a physical sheet of paper containing recovery codes is a suitable alternative recovery method.
| xattt wrote:
| This is the Bitlocker recovery way.
| nerdjon wrote:
| I should have looked closer at the screenshot, didn't really think it would tell me anything beneficial for an e2e system.
|
| Thanks for pointing that out!
|
| Honestly might not be a bad idea to have a backup somewhere else just in case. Like in the event of a fire or something have a backup sitting in a safe.
|
| It does bring up an interesting conversation, what levels do we go to make sure we can recover accounts in situations like this?
| Store a USB or a paper in a safety deposit box on the other side of the country? I tend to store all of my backups for my other accounts on my iCloud Drive so... losing access to that would be catastrophic.
| rodgerd wrote:
| Essentially at that point you're on your own - you can't have Apple able to do recovery and be unable to access your data for other purposes.
| ask_b123 wrote:
| The migration process is explained here: https://support.apple.com/en-ca/guide/security/sec973254c5f
| [deleted]
| volleygman180 wrote:
| I honestly never thought this day would come - THANK YOU APPLE!!
___________________________________________________________________
(page generated 2022-12-07 23:00 UTC)
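
lxgr's comparison in the thread of a 6-digit PIN and a 4-character alphanumeric password under a 10-attempt limit, worked through as an added example (not part of the thread and not Apple's implementation). `ToyEscrow`, its PBKDF2 parameters, the sample passcode and the 10,000 guesses-per-second offline rate are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10  # attempt limit quoted in the thread


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passcodes of a given alphabet and length."""
    return alphabet_size ** length


def p_guess_within_limit(space: int, attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly random passcode."""
    return min(attempts, space) / space


def offline_years(space: int, guesses_per_second: float) -> float:
    """Average search time when nothing limits guessing (rate is an assumption)."""
    return (space / 2) / guesses_per_second / (365 * 24 * 3600)


class ToyEscrow:
    """Attempt-limited escrow record: a toy model, not Apple's HSM design."""

    def __init__(self, passcode: str, wrapped_key: bytes):
        self._salt = os.urandom(16)
        self._verifier = self._derive(passcode)
        self._wrapped_key = wrapped_key
        self.failures = 0

    def _derive(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 10_000)

    def recover(self, passcode: str):
        if self._wrapped_key is None:
            raise PermissionError("escrow record destroyed")
        if hmac.compare_digest(self._derive(passcode), self._verifier):
            self.failures = 0
            return self._wrapped_key
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self._wrapped_key = None  # wipe after the last allowed failure
        return None


def sequential_attack(escrow: ToyEscrow, max_tries: int = 1000):
    """Guess 000000, 000001, ... and return (recovered, guesses evaluated)."""
    for tries, n in enumerate(range(max_tries), start=1):
        try:
            if escrow.recover(f"{n:06d}") is not None:
                return True, tries
        except PermissionError:
            return False, tries - 1
    return False, max_tries


if __name__ == "__main__":
    for label, space in [("6-digit PIN", keyspace(10, 6)),
                         ("4-char alphanumeric", keyspace(62, 4)),
                         ("12-char alphanumeric", keyspace(62, 12))]:
        print(f"{label:22} limited: {p_guess_within_limit(space):.2e}   "
              f"offline: {offline_years(space, 1e4):.2e} years")
    # Constructed passcode; the record is wiped long before it is reached.
    print(sequential_attack(ToyEscrow("483920", os.urandom(32))))
```

With the limit enforced, both short passcodes leave an attacker a negligible chance; once guessing is unlimited, only the long passcode holds up, which is the distinction the thread draws between trusting the HSM and not trusting it.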