[HN Gopher] Apple introduces end-to-end encryption for backups
___________________________________________________________________
Apple introduces end-to-end encryption for backups
Author : frizlab
Score : 742 points
Date : 2022-12-07 18:06 UTC (4 hours ago)
(HTM) web link (support.apple.com)
(TXT) w3m dump (support.apple.com)
| manchmalscott wrote:
| iMessage backup encryption is HUGE, this was the main asterisk in
| the "iMessage is totally end to end encrypted" messaging.
| ulimn wrote:
| But if the other person in the chat doesn't have this
| encryption, they will backup your messages unencrypted on their
| icloud, right?
| richard___ wrote:
| But Apple must be able to still access all your encrypted data
| using your stored icloud password somehow right? Otherwise how
| are they able to show all your files in a web browser, from an
| arbitrary computer, after you've logged in
| Operyl wrote:
| You'll lose access to that by default, with the ability to
| temporarily opt in according to what they've said.
| richard___ wrote:
| What does temporarily opt in mean? Like every time you want to
| use icloud on a browser, you use your devices to upload the
| key temporarily, then after you don't want to use icloud,
| apple deletes your key?
| jdiez17 wrote:
| > Every time a service key is uploaded, it is encrypted
| using an ephemeral key bound to the web session that the
| user authorized, and a notification is displayed on the
| user's device, showing the iCloud service whose data is
| temporarily being made available to Apple servers.
| Operyl wrote:
| Would appear so according to their news room post.
| judge2020 wrote:
| It hasn't been released yet, but I can see two scenarios -
|
| A. Apple could create a tunnel from your browser to your
| devices, they could have key exchange via the web after you
| scan a QR code shown on your web browser with your iPhone,
| with some sort of "verify these words are the same" scheme.
|
| B. Apple does the typical OTP/2fa scheme where you enter a
| x-digit code from your device, and in doing so your Device
| furnishes a key to Apple to be temporarily used to access
| your files from the web.
|
| But in both of these scenarios, Apple compromising you via
| malicious javascript is ever-present, so you're right in
| that you'd be trusting Apple even more to not store your
| temporary key for too long or at the request of a NSL.
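A generic sketch of what "a service key encrypted using an ephemeral key bound to the web session" can look like, added here as an example. It is not Apple's protocol; the page gives no detail of the real one. Assumptions: the web session holds an ephemeral X25519 key pair, the device wraps the service key to that public key with AES-256-GCM after the user approves the prompt, a random session ID stands in for the "web session that the user authorized" and is bound into both the key derivation and the AEAD associated data, and HMAC-SHA256 stands in for a proper HKDF. Every type and function name is the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WebSession is the browser-facing side: an ephemeral X25519 key pair that
// lives only as long as one authorized web session. (Hypothetical design.)
type WebSession struct {
	ID   []byte           // random session identifier, shown in the device prompt
	priv *ecdh.PrivateKey // set to nil when the session ends
}

func NewWebSession() (*WebSession, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &WebSession{ID: id, priv: priv}, nil
}

func (s *WebSession) PublicKey() []byte { return s.priv.PublicKey().Bytes() }

// End discards the ephemeral private key; afterwards nothing can unwrap the
// blob, even if the server kept a copy of it.
func (s *WebSession) End() { s.priv = nil }

// sessionAEAD does X25519 with the peer's public key and derives an AES-256-GCM
// key bound to the session ID and service name (HMAC-SHA256 as a stand-in for HKDF).
func sessionAEAD(priv *ecdh.PrivateKey, peerPub, sessionID []byte, service string) (cipher.AEAD, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("service-key-wrap|" + service + "|"))
	mac.Write(sessionID)
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapServiceKey runs on the user's device after the user approves the prompt.
// Output layout: device ephemeral public key (32) | nonce (12) | AES-GCM ciphertext.
func WrapServiceKey(serviceKey, sessionPub, sessionID []byte, service string) ([]byte, error) {
	devPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	gcm, err := sessionAEAD(devPriv, sessionPub, sessionID, service)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append(devPriv.PublicKey().Bytes(), nonce...)
	return gcm.Seal(blob, nonce, serviceKey, sessionID), nil
}

// UnwrapServiceKey runs on the server. Only the session whose ephemeral key was
// used succeeds; another session, another service name, or the same session
// after End all fail.
func (s *WebSession) UnwrapServiceKey(blob []byte, service string) ([]byte, error) {
	if s.priv == nil {
		return nil, errors.New("session ended: ephemeral key discarded")
	}
	if len(blob) < 32+12+16 {
		return nil, errors.New("wrapped blob too short")
	}
	gcm, err := sessionAEAD(s.priv, blob[:32], s.ID, service)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[32:44], blob[44:], s.ID)
}

func main() {
	session, _ := NewWebSession()
	serviceKey := bytes.Repeat([]byte{0x42}, 32) // constructed stand-in for a real service key
	blob, _ := WrapServiceKey(serviceKey, session.PublicKey(), session.ID, "Photos")
	got, err := session.UnwrapServiceKey(blob, "Photos")
	fmt.Println("same session:", bytes.Equal(got, serviceKey), err)
	session.End()
	_, err = session.UnwrapServiceKey(blob, "Photos")
	fmt.Println("after End:", err)
}
```

The property worth checking is that the server's access is tied to the ephemeral private key: a second session cannot open the blob, the blob cannot be replayed under a different service name, and after End() even the original session cannot. It does not remove the concern raised above: while the session is live the server holds the plaintext service key, so the user is still trusting the operator to discard it and to serve honest JavaScript.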
| jdiez17 wrote:
| To be honest, end to end encrypted cloud backups and the upcoming
| forced-by-EU opening of the platform to third party developers
| without going through the App Store are the two killer features I
| was hoping to see on iOS.
| Etheryte wrote:
| For everyone else who was hoping to enable E2EE for backups right
| away:
|
| > Advanced Data Protection for iCloud is available in the US
| today for members of the Apple Beta Software Program, and will be
| available to US users by the end of the year. The feature will
| start rolling out to the rest of the world in early 2023.
| fitblipper wrote:
| "Some metadata and usage information stored in iCloud remains
| under standard data protection, even when Advanced Data
| Protection is enabled. For example, dates and times when a file
| or object was modified are used to sort your information, and
| checksums of file and photo data are used to help Apple de-
| duplicate and optimize your iCloud and device storage..."
|
| Photo checksums can't be e2e encrypted huh? They reported today
| they abandoned their plans to do CSAM scanning on people's
| devices[1] and connecting the dots it seems like they wont need
| to since they can just do it in the cloud.
|
| [1] https://www.wired.com/story/apple-photo-scanning-csam-
| commun...
| reilly3000 wrote:
| I always thought that program was technically limited from the
| start. It seems like it would be very easy to rotate a small
| value of the file, even a single pixel, and return a different
| checksum.
| vbezhenar wrote:
| https://en.wikipedia.org/wiki/Perceptual_hashing
| mikehearn wrote:
| The original implementation also involved sending a "safety
| voucher" with each photo uploaded to iCloud, which contained a
| thumbnail of the photo as well as some other metadata.
|
| The vouchers were encrypted, and could only be decrypted if
| there were, I believe, 30 independent matches against their
| CSAM hash table in the cloud. At that point the vouchers could
| be decrypted and reviewed by a human as a check against false-
| positives.
|
| It sounds like with a raw byte hash they might be able to match
| a photo against a list of CSAM hashes, but they wouldn't be
| able to do the human review of the photo's contents because of
| E2E.
| beeboop wrote:
| Someone mentioned here but I didn't confirm that Apple is
| stopping the CSAM scanning. It makes sense because there's
| nothing they could reasonably do even if they found matching
| hashes. It seems unlikely they'd report these findings to the
| police if there's no manual ability to review the contents
| first.
| noduerme wrote:
| I always thought the client-side hashing plan was something of
| a giveaway to authoritarian governments which would have
| demanded Apple check their own list of verboten files against
| what the users had uploaded to iCloud. E.g. tank man photos.
|
| So I read this as Apple quietly saying "we're not bending to
| China on privacy". Which is the first step toward probably
| being banned from providing Apple services in China.
| rekoil wrote:
| People sharing images that an authoritarian government
| considers banned might still be exposed by such a scheme,
| given they are likely to be exactly the same data. There are,
| after all, no new photos of tank man being photographed, any
| that are shared would be identical to someone elses, unless
| every recipient opened them up and modified them, and even
| then I'm not sure that actually modifies the data if done on
| an iOS device, as modifications done to images can be undone
| suggesting to me they are only a layer on top of the
| unchanged image, which would still return the same hash.
|
| Unfortunately, I think the privacy problems surrounding
| iCloud Photos remain to an extent.
| Spivak wrote:
| "People rioted when we scanned for CSAM in a privacy-preserving
| manner but don't give a shit when we do the same thing when
| it's not privacy preserving so I guess just do that."
| brundolf wrote:
| I'm assuming these are normal checksums (bitwise hashes),
| whereas before they were doing a hand-wavy AI-based thing that
| they called "checksums" but weren't really. The latter captured
| rough visual qualities of the images in question, which is why
| it had a false-positives problem. A _real_ checksum shouldn 't
| have that problem; in theory you'd only be able to detect an
| exact match of a file you already have and are looking for. So
| it is meaningfully different.
|
| Edit: confirmed that these are regular, real checksums
| https://support.apple.com/en-us/HT202303
|
| > The raw byte checksums of the file content and the file name
| judge2020 wrote:
| > The raw byte checksums of the file content and the file
| name
|
| I wonder if this is literal; otherwise they wouldn't achieve
| any de-dupe if you just rename the file.
| brundolf wrote:
| I assumed the two checksums are stored separately, though
| even if they aren't it would seem useful for eg. syncing
| between devices ("does file X already exist so we don't
| need to download it?")
| laweijfmvo wrote:
| > For example, dates and times when a file or object was
| modified are used to sort your information
|
| Who are they sorting it for that this can't happen after
| decryption?
| twhb wrote:
| The abandoned plan was perceptual hashing, which should return
| the same hash for very similar photos, while the new one is a
| checksum, which should return the same hash only for identical
| photos. I don't think that invalidates the point, but it does
| seem relevant. It certainly makes it much less useful for CSAM
| scanning or enforcing local dictator whims, since it's now
| trivial to defeat if you actually try to.
| drbawb wrote:
| >The abandoned plan was perceptual hashing, which should
| return the same hash for very similar photos . . .
|
| Is there any proof they actually abandoned this? NeuralHash
| seems alive and well in iOS 16[1]. Supposedly the rest of the
| machinery around comparing these hashes to a blind database,
| encrypting those matches, and sending them to Apple et al. to
| be reviewed has all been axed. However that's not exactly
| trivial to verify since Photos is closed source.
|
| [1]: https://support.apple.com/guide/iphone/find-and-delete-
| dupli...
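To make the distinction drawn above concrete (a raw byte checksum versus a perceptual hash such as NeuralHash) along with reilly3000's point about changing a single pixel, here is an added Go example that is not part of the thread or of Apple's code. It uses SHA-256 as the byte checksum and a minimal average hash (aHash) as a stand-in for NeuralHash, whose actual construction this page does not describe; the 64x64 images are constructed, and the function names are the example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Image is a tiny grayscale bitmap (rows of 8-bit pixels); all images here are constructed.
type Image [][]uint8

// ByteChecksum models the "raw byte checksum": SHA-256 over the exact pixel bytes.
func ByteChecksum(img Image) string {
	h := sha256.New()
	for _, row := range img {
		h.Write(row)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// AverageHash is a minimal perceptual hash (aHash), a stand-in for NeuralHash, whose
// internals this page does not describe: downscale to an 8x8 grid by block averaging,
// then set one bit per cell that is brighter than the grid mean. Needs at least 8x8 input.
func AverageHash(img Image) uint64 {
	const n = 8
	h, w := len(img), len(img[0])
	var cells [n * n]float64
	var mean float64
	for cy := 0; cy < n; cy++ {
		for cx := 0; cx < n; cx++ {
			y0, y1 := cy*h/n, (cy+1)*h/n
			x0, x1 := cx*w/n, (cx+1)*w/n
			var sum float64
			for y := y0; y < y1; y++ {
				for x := x0; x < x1; x++ {
					sum += float64(img[y][x])
				}
			}
			cells[cy*n+cx] = sum / float64((y1-y0)*(x1-x0))
			mean += cells[cy*n+cx]
		}
	}
	mean /= n * n
	var out uint64
	for i, c := range cells {
		if c > mean {
			out |= 1 << uint(i)
		}
	}
	return out
}

// HammingDistance counts the bits in which two perceptual hashes differ.
func HammingDistance(a, b uint64) int { return bits.OnesCount64(a ^ b) }

// SampleImage is 64x64: value 30 on the left half, 220 on the right.
func SampleImage() Image {
	img := make(Image, 64)
	for y := range img {
		img[y] = make([]uint8, 64)
		for x := range img[y] {
			img[y][x] = 30 + 190*uint8(x/32)
		}
	}
	return img
}

// Transform returns a copy of img with f applied to every pixel.
func Transform(img Image, f func(x, y int, v uint8) uint8) Image {
	out := make(Image, len(img))
	for y, row := range img {
		out[y] = make([]uint8, len(row))
		for x, v := range row {
			out[y][x] = f(x, y, v)
		}
	}
	return out
}

// Three edits: the thread's "change a single pixel" trick, a global brightness
// shift, and a genuinely different (inverted) picture.
func FlipOnePixel(img Image) Image {
	return Transform(img, func(x, y int, v uint8) uint8 {
		if x == 3 && y == 3 {
			return v + 1
		}
		return v
	})
}
func Brighten(img Image) Image { return Transform(img, func(_, _ int, v uint8) uint8 { return v + 20 }) }
func Invert(img Image) Image   { return Transform(img, func(_, _ int, v uint8) uint8 { return 255 - v }) }

func main() {
	orig := SampleImage()
	for name, img := range map[string]Image{"one pixel": FlipOnePixel(orig), "brightened": Brighten(orig), "inverted": Invert(orig)} {
		fmt.Printf("%-11s checksum match=%-5v aHash distance=%d\n", name,
			ByteChecksum(img) == ByteChecksum(orig), HammingDistance(AverageHash(img), AverageHash(orig)))
	}
}
```

The one-pixel and brightness edits change the SHA-256 digest but leave the aHash untouched (distance 0), while the inverted image differs from the original in all 64 hash bits. That is the trade-off in one place: a byte checksum only ever finds bit-identical copies, so any re-encode or edit defeats it, whereas a perceptual hash survives small edits and therefore can match near-duplicates, which is what made NeuralHash useful for CSAM matching and also for matching an unedited copy of a banned photo.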
| Vt71fcAqt7 wrote:
| This all just seems like pandering while they continue to accept
| billions from Google in exchange for their user's privacy. If
| they really wanted to protect users' data that would be a simple
| starting point.
| jaywalk wrote:
| Safari has pretty good privacy protections, but you could also
| just... not use Google. I've never even had iOS reset my
| default search engine.
| Vt71fcAqt7 wrote:
| Does it protect you from Google's tracking? No. And it isn't
| about me, I don't have Apple or Safari. It's about the fact
| the privacy shouldn't be "opt in." Claiming that safari has
| good privacy protections while it by default does the
| opposite becuase you can opt in to a less inavsive version
| which many don't even know about is, in my opinion,
| disingenuous.
|
| If Apple would just go ahead and say "we've extracted tens of
| billions of dollars from you indirectly by letting google do
| the dirty work, but here's some encryption that doesn't make
| up for what we've done and continue doing" that would be more
| accurate.
| tsunamifury wrote:
| I'm sorry, but I don't believe the spirit of Apple's security
| story at all. They have demonstrated REPEATEDLY that they
| introduce new security services as a marketing story, which they
| immediately undermine at the drop of the hat with a request from
| the government.
|
| Apple literally sent iMessage conversations of US congresspeople
| (secure messaging being a key marketing point) directly to the
| Trump Administration with no argument.
|
| For comparison, Google won contesting this request and did not
| comply.
|
| Edit: I understand many here are huge fans of Apple or work for
| Apple, but please think hard about what Apple's actions say about
| their real intents.
| jackson1442 wrote:
| Do you have a source for the iMessage story? Surprised I
| haven't heard about it before.
| Erikun wrote:
| I would guess its this story
| https://www.nytimes.com/2021/06/10/us/politics/justice-
| depar...
|
| But that doesn't match OP's description very well. It was a
| grand jury subpoena and only for metadata.
|
| "As the Justice Department investigated who was behind leaks
| of classified information early in the Trump administration,
| it took a highly unusual step: Prosecutors subpoenaed Apple
| for data from the accounts of at least two Democrats on the
| House Intelligence Committee, aides and family members. One
| was a minor."
|
| "Apple turned over only metadata and account information, not
| photos, emails or other content, according to the person
| familiar with the inquiry."
| tsunamifury wrote:
| So they turned over the conversations but not emails. How
| does that not match? Metadata is widely used as a political
| euphemism for this.
| Erikun wrote:
| I'm not sure what you mean by conversations, if you mean
| the content of messages then no that is not metadata, if
| you mean who talked to whom, then yes that is metadata.
| AshamedCaptain wrote:
| They can still simply push a software update that sends the
| victim's keys to the mothership and/or simply decrypts
| everything. Can even be pushed silently. The victim cannot do
| anything, not even detect when this has happened.
|
| Why would governments push back, when this hole which has already
| been used will _always_ be available?
| fsociety wrote:
| Yes true. What's your threat model though? If my government
| wants to own me they can do that without going to Apple.
|
| For myself I'm quite happy with this as it is a huge
| improvement over what we had. My only irk is that they called
| themselves a champion of security and privacy before this..
| gjsman-1000 wrote:
| So could your Android phone - even if it runs GrapheneOS. How
| do _you know_ that GrapheneOS isn't a CIA project like
| ArcaneOS that won't push a sneaky software update to your
| device? You don't and you never know, so it's not really fair
| to target Apple for this. You will always be vulnerable to such
| an attack no matter what you choose.
|
| The only true secure option is to build the source yourself,
| sign it with your own keys, and run it. Assuming you can read
| all the code and make sure it's safe, and read all the code on
| your compiler to make sure that is safe. And you'll still need
| to trust the Google-signed bootloader code, which totally
| hasn't had suspicious custom builds released previously
| (ArcaneOS?)
| infotogivenm wrote:
| What? They have demonstrably gone toe-to-toe with the FBI to
| NOT ever have to create "special software updates for the
| government".
|
| https://en.m.wikipedia.org/wiki/FBI-Apple_encryption_dispute
|
| Can you show me another company that has done this?
| Infinitesimus wrote:
| The tricky thing with Apple is that they sell phones in
| China, given that that govt demands visibility into what its
| citizens do, it is reasonable to assume that anything Apple
| launches to secure your data from prying eyes will have an
| asterisk to accommodate a big part of their market.
| kube-system wrote:
| That's because Chinese and US law are fundamentally
| different. The US has laws that enable Apple to contest
| those requests. It is just not possible to run a large
| business in violation of any (competent) government. It
| doesn't matter who it is.
|
| FWIW, Apple does not treat US and Chinese users the same.
| If you have a Chinese mainland iPhone, you use a completely
| different iCloud that isn't even run by Apple.
| macshome wrote:
| It's not that tricky as iCloud in China isn't run by
| Apple at all. [0]
|
| The laws are different there and the only way that Apple
| could meet the requirements of the Chinese government
| without also weakening their product for the rest of the
| world was to cede control of iCloud there.
|
| [0] https://support.apple.com/en-us/HT208351
| newaccount74 wrote:
| I'm going to assume that iCloud E2EE won't be available in
| China.
| TimTheTinker wrote:
| It looks to me like Apple and China have a complicated and
| somewhat adversarial relationship.
|
| Apple likely conceded early on that China-based iPhones use
| China-based iCloud, and the Chinese government likely
| conceded that Apple phones will use the same OS everywhere,
| with region-based feature blocking being as far as they'll
| go in customizing the OS. Both have a lot to lose from the
| other party terminating the relationship.
| mwint wrote:
| The difference is in asking Apple for something they already
| have access to, vs. asking them to create something entirely
| new (a signed software update). That's what the FBI case a few
| years back was about.
| szundi wrote:
| I am thinking since then that maybe it was a staged
| performance
| mrexroad wrote:
| Based on what?
| bee_rider wrote:
| The alternative is to admit that, while all
| megacorporations are fundamentally bad, Apple does
| occasionally do good things. This is clearly infeasible.
| threeseed wrote:
| > when this hole which has already been used
|
| You have evidence that Apple has been pushing silent updates to
| individual users ?
| biggoodwolf wrote:
| wellthisisgreat wrote:
| Yeah, no that's not how accusations work.
|
| Well that's how some would _want_ them to work, but around
| here to be heard you must back with evidence.
| etchalon wrote:
| https://en.wikipedia.org/wiki/Russell%27s_teapot
| cantaloupe wrote:
| That's along the lines of asking "Do you have evidence that
| UFOs have NEVER landed on earth?" in response to someone
| asking if you have evidence that UFOs have landed...
| biggoodwolf wrote:
| I guess the same point could be made about religion. Call
| me an agnostic then when it comes to device security
| DonaldPShimoda wrote:
| You're asking for proof of a negative that cannot be
| fulfilled without having access to all copies of all
| versions of the source code deployed for every Apple device
| in the world for their entire history. This seems an
| unreasonable burden.
|
| Either we accept some amount of vulnerability at the
| minimum and deal in likelihoods rather than certainties, or
| we simply do not use modern communication devices
| whatsoever. Given we're here on HN, we all have clearly
| chosen the former, so the question becomes: "is it _likely_
| that Apple have violated individual users' privacy in this
| manner?", to which I think the answer is "no" because (a)
| it's never been necessary before given the availability of
| alternate methods, (b) we have absolutely no evidence to
| suggest otherwise, and (c) we do have evidence of a history
| of Apple being at least somewhat reluctant to cooperate
| with the federal government of the US when it comes to
| individuals' privacy, to the extent that they are able
| (e.g., the San Bernardino case). So although it is true
| that we cannot be _certain_ of our privacy, it seems very
| _likely_ that Apple's efforts to improve user privacy are
| not disingenuous.
| 8ytecoder wrote:
| Even then the OP will ask us to prove that you do have
| all the versions of code and that there was no self
| destruct mechanism that wiped itself clean. You can't
| prove a negative. That's the point of those assertions.
| It's not without reason that most conspiracies use this
| tactic.
| zinekeller wrote:
| Uh, because Apple specifically pushed back on this?
| (https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_d...) Sure,
| it's never a guarantee but they have some decency.
| eptcyka wrote:
| adventured wrote:
| It's not an assumption. Apple has _earned_ a decent
| reputation for being pro privacy through their actions over
| decades.
| jstummbillig wrote:
| Can somebody explain the room for debate and expression
| of sentiment here? If Apple was legally required to do x
| in regards to privacy, I have to assume they would and
| everyone could know they would (because it does not seem
| very big US company to outright defy national law). If
| they were not, on what ground, could the gov pressure
| Apple?
| adventured wrote:
| The theory would be that it would be extralegal pressure.
| Out of the Snowden era, for this generation, came the
| belief that the government would use extralegal coercion
| to get what they want when it comes to domestic
| espionage. This showed up in eg how the government
| battled Yahoo over PRISM [0], and the story of Joseph
| Nacchio of QWest [1] supposedly being targeted by the
| Feds for refusing to go along with the program/s.
|
| For prior generations, Hoover, Nixon, MLK (how they
| targeted him), the Church hearings, and many other things
| provided evidence as to the extralegal behavior of the
| government at times.
|
| [0] https://www.wired.com/2014/09/feds-yahoo-fine-prism/
|
| [1] https://www.businessinsider.com/the-story-of-joseph-
| nacchio-...
| sofixa wrote:
| Like when they started recording what programs you launch
| on your Mac, sent to them in cleartext? Or when they
| force you to have an account with them to install apps
| from the official sources (and of course the unofficial
| ones are absolutely atrocious).
|
| Apple are better on the privacy front than their
| competitors, but not by that much.
| HardlyCurious wrote:
| Given what we learned from the Snowden leaks, I would be
| willing to believe that any PR in Apple's favor is awarded
| by the govt for exchange of their cooperation relating to
| providing the govt data / access they request.
|
| I don't trust any corporation to actually side against
| the govt.
| lern_too_spel wrote:
| They pushed back on that after falsely telling their
| customers that they were _technically incapable_ of helping
| the FBI with such requests. After this incident, they no
| longer make that claim.
| https://appleinsider.com/articles/14/09/18/apple-says-
| incapa...
| shuckles wrote:
| They never told customers it was technically infeasible.
| From the contemporaneous Q&A from the 2016 letter opposing
| coerced access:
|
| " Is it technically possible to do what the government has
| ordered? Yes, it is certainly possible to create an
| entirely new operating system to undermine our security
| features as the government wants. But it's something we
| believe is too dangerous to do. The only way to guarantee
| that such a powerful tool isn't abused and doesn't fall
| into the wrong hands is to never create it."
|
| - https://www.apple.com/customer-letter/answers/
| lern_too_spel wrote:
| Read the link I gave in the GP post:
|
| Apple: "So it's not technically feasible for us to
| respond to government warrants for the extraction of this
| data from devices in their possession running iOS 8."
|
| Also, "create an entirely new operating system" is an
| intentionally misleading exaggeration on Apple's part,
| meant to fool customers but not governments. It makes it
| sound like the amount of work they would have to do is
| larger than changing one constant about how many retries
| are allowed and another constant controlling rate limiting,
| build and sign and flash it to the phone, and delete it
| after.
| shuckles wrote:
| Seems like a semantic quibble about the meaning of
| "technically feasible." If you understand it as making
| claims about the system as it exists, it is true. If you
| understand it as making a claim about what Apple could
| theoretically do in all circumstances, then you have an
| absurd definition because everything is technically
| feasible.
|
| I think the FAQ and letter both make clear that Apple
| could comply with the FBI request and their objection was
| over whether they should be forced to.
| lern_too_spel wrote:
| > If you understand it as making a claim about what Apple
| could theoretically do in all circumstances, then you
| have an absurd definition because everything is
| technically feasible.
|
| If iOS 8 required a user key for updating the system,
| this would be technically infeasible. It's not
| technically infeasible as iOS 8 was implemented, _so
| Apple stopped claiming it is_, but only after the FBI
| embarrassed them about that claim.
|
| > their objection was over whether they should be forced
| to.
|
| Apple's objection had nothing about being forced to do
| it. They were forced to provide data from devices before
| iOS 8 and even provided a document about how to ask them
| to do it. Apple instead made specious claims about how
| hard it was and how it would affect other customers'
| privacy.
| arch-ninja wrote:
| Hasn't the solution to this problem always been easy? Just
| encrypt before you type it into imessages; this applies to
| _all_ untrusted communication channels. Don't tell me
| base64-encoding/decoding is what's stopping you from having
| perfect security?
| TillE wrote:
| Exactly, if you're dealing with truly sensitive information
| where any leak is unacceptable, make your own encrypted blob.
| Don't trust any communication software to do it for you.
|
| The concern typically isn't backdoors, it's bugs. I've had
| plenty of terrible experiences with Enigmail.
| joosters wrote:
| _easy_ and _just_ are doing a lot of work in your
| assertion here!
| kube-system wrote:
| That doesn't solve the problem of needing a trusted
| communication channel. You'd still need one to exchange keys.
| MaxBarraclough wrote:
| You missed out the punchline: all of this follows from that the
| software is proprietary/closed-source/non-Free.
|
| You can't see how it works, you can't change how it works, and
| you have to trust that it does as advertised. You must do all
| this in the knowledge that over the years plenty of proprietary
| software vendors have outright lied to their customers about
| exactly this kind of thing, e.g. [0][1].
|
| I'm not aware of Apple ever doing so though, for what that's
| worth.
|
| [0] https://news.ycombinator.com/item?id=25044254
|
| [1] https://news.ycombinator.com/item?id=33820538
| dxf wrote:
| >Why would governments push back, when this hole which has
| already been used will _always_ be available?
|
| I'm not aware of a time when Apple pushed a software update
| (silently or otherwise) to defeat security for a user (or
| users). Can you provide a reference?
| bboygravity wrote:
| The entire precondition for being able to do that is that
| you're not aware of it. Ever.
| eduction wrote:
| With Apple's current lack of encryption on iCloud backups,
| we are very aware of government access because those files
| end up as evidence in court cases after being obtained by
| police and prosecutors.
|
| If government were to compromise end to end encryption in
| the manner described above, it would either be visible when
| used to prosecute people, or invisible because it would
| never be used to prosecute people (but presumably for
| intelligence purposes). Even if it were used for
| intelligence purposes through the method above, which I
| don't think is at all established, it would still be a
| significant improvement over having data in a form that is
| actively used to prosecute people.
| alldayeveryday wrote:
| > Even if it were used for intelligence purposes through
| the method above, which I don't think is at all
| established,
|
| The snowden revelations were precisely about information
| gathering for intelligence purposes. The vast majority of
| intel gathering is not for prosecutionary purposes.
| Melatonic wrote:
| The thing that people always miss is that the damn SIM card
| is running its own little processor already. If the
| government really wants to read your shit they can probably
| just do some behind the scenes work with your mobile ISP
| and find a way to access your phones screen output or
| microphone data or something.
| lilyball wrote:
| iPhone 14 doesn't even have a SIM card anymore, it's
| strictly eSIM (and previous models could optionally use
| eSIM).
| madars wrote:
| If I really wanted a physical SIM and imported a European
| SKU which does have it (only North American variant is
| eSIM-only), would I expect seamless support in the US?
| E.g. would AppleCare just work?
| astrange wrote:
| eSIM isn't any different here, it still runs the same
| applets. What makes it secure is the IOMMU preventing it
| from accessing main memory.
| gumby wrote:
| The baseband module has a processor too, and you don't
| have access to it per FCC regulation.
| lghh wrote:
| So there's no level of security that will ever be enough
| for anyone. The number of people who know the source for
| the current version of every piece of software, firmware,
| and hardware they use almost certainly approaches 0.
|
| I don't know what people expect. These moves are _good
| things_ and everyone is whatabouting situations that there
| is 0 evidence has ever happened or would ever happen. It's
| unfalsifiable, impractical, and honestly just annoying.
| tshaddox wrote:
| "You can't prove that they don't already do X, because X is
| by definition a secret action" is a pretty useless
| epistemology though. Every electronic device you've ever
| used _could_ secretly have a cellular modem that can
| secretly download over-the-air firmware updates that alter
| its behavior to be maximally evil. You by definition can't
| prove that your coffee machine doesn't secretly have the
| ability to change its behavior to start connecting to the
| internet and DDOSing charities or something.
| jodrellblank wrote:
| The parent comment said "_hole which has already been
| used_", that's a claim that Apple has actually done it,
| not only a speculation that they could. They are being
| asked to back up that claim.
| amelius wrote:
| It doesn't matter. You are missing the entire point about
| E2EE.
| szundi wrote:
| US can always pass a bill or have one that enables them to
| covertly force apple to comply otherwise Tim goes to jail.
| Easy
| acdha wrote:
| You make this sound easy but look at how that worked for
| NSLs. They got a ton of pushback for that and there's no
| way to keep that a secret for very long - especially since
| things either end up in court or involve foreign
| governments who won't share the desire to keep things
| secret.
| bee_rider wrote:
| What do you mean, "can pass a bill?"
|
| On some level the US could also pass a law that says every
| iPhone user will be summarily executed. That's how
| sovereignty works. Is it a realistic concern? Probably not.
| acchow wrote:
| In the US, this is not easy.
| tinus_hn wrote:
| Last time they tried that Apple caused a lot of hoopla and
| made the case go away. Not easy.
| supertrope wrote:
| Are you referring to the Pensacola encryption bypass
| demand or PRISM?
| parineum wrote:
| That's not the point. The point is that Apple hasn't closed
| the government out of Apple user's phones. The point of E2EE
| is to remove the power of the middleman to read the data but
| that middleman also has complete control over the device and
| the software running on it with remote root access.
|
| Apple's ecosystem is, by default, design and necessity,
| insecure to Apple. Keys stored on an Apple device are
| insecure.
|
| One can easily make a similar argument for Android/Google,
| however, a security conscious user could still take control
| over their device and install a more secure OS.
| smoldesu wrote:
| When they migrated Chinese iCloud data to domestic servers.
| ghostpepper wrote:
| You're saying there was a silent update pushed to Chinese
| iphones? Can you provide more details or a source on that?
| smoldesu wrote:
| It certainly wasn't silent, but that wasn't a condition
| for the parent's question. It was a well-documented (and
| much derided) decision though:
| https://mashable.com/article/china-government-apple-
| icloud-d...
| sbuk wrote:
| Seeing as context is conspicuously missing, all cloud
| services offered by foreign business in China are required
| to be hosted and controlled by state owned providers. For
| instance, China has a separate Microsoft 365/Azure region
| hosted and controlled by 21Vianet. Apple still controls
| the encryption keys and there is no evidence that they
| have handed them over to the CCP, but it is largely
| assumed. Federighi has said that Apple will offer E2EE in
| China.
| astrange wrote:
| You want them to break Chinese laws? Don't think they
| have popular support for that.
| shuckles wrote:
| Why is data residency law cool and progressive when the EU
| does it and Big Tech complies, but Bad and Dystopian when
| China does the same? Tim Cook has said on the record that
| iCloud is the same regardless of data center.
| sofixa wrote:
| Because the reasons for data sovereignty as legislated by
| the EU and countries within it, and China, are
| _drastically_ different. Which one is the authoritarian
| regime which jails dissidents and which one has
| regulations giving consumers rights over their data? I'm
| fairly certain the motives for data sovereignty are
| wildly different.
| shuckles wrote:
| I'm not sure if you're aware, but there are anti-
| encryption legislative proposals in the EU which are as
| ill-informed and scary as anything I've heard of in
| Mainland China. It's very unclear to me if motives matter
| in this case.
| smoldesu wrote:
| China has a reputation for hunting down religious
| minorities and political dissidents, Europe is known for
| a more moderate take on those matters. I think there's
| cause for concern when China demands domestic ownership
| of iCloud info.
| scarface74 wrote:
| You mean like the French banning burkinis worn by
| religious minorities?
|
| https://www.cnn.com/2022/06/21/europe/grenoble-france-
| burkin...
| lern_too_spel wrote:
| Would it surprise you to learn that France also bans
| female genital mutilation, another religious practice
| enforced on people who typically have no say in the
| matter? These bans apply to people of any religion and of
| no religion.
|
| Let's not pretend this is the same thing as kidnapping
| you and taking you to a reeducation camp because of your
| religion, leaving your kids alone and confused.
| scarface74 wrote:
| So you put banning the clothes you can wear because you
| want to be modest with female genital mutilation?
| lern_too_spel wrote:
| To be clear, France prevented a law that would have
| allowed burkinis to circumvent existing public pool rules
| that require a swim cap and forbid baggy clothes and
| certain sun protection suits. People forced to wear
| certain clothes by others in their religion do not get
| special exceptions.
| https://www.nbcnews.com/news/amp/rcna34833
| shuckles wrote:
| The technical proposals are equally odious, and Europe
| is, what, 30 years removed from all sorts of
| authoritarian hijinks?
|
| In any case, selective support for technical proposals
| based on broader political vibes is not a particularly
| inspiring stance.
| smoldesu wrote:
| You seem to have missed my point entirely then. I'm in
| full support of Apple holding themselves accountable for
| the data they hold, but they don't. As a result, we rely
| on "broader political vibes" to read between the lines.
| shuckles wrote:
| I'm not sure what you mean by "holding themselves
| accountable for the data they hold", but you began by
| implying data residency was compromising security at the
| behest of a government, but it does not itself do
| anything of that sort. Your technical claim is outright
| false.
| vineyardmike wrote:
| > Europe is known for a more moderate take on those
| matters.
|
| Very recently in history. China is bad now, European
| nations have been bad in the past... but who knows what
| the future holds.
|
| Once data is released (keys, databases, plaintext
| messages, it doesn't matter) it can't be made private
| later.
| scarface74 wrote:
| You mean the same one that wants to lessen encryption so
| they can spy on you?
|
| https://www.secureworld.io/industry-news/new-eu-push-for-
| enc...
| aborsy wrote:
| At least, data won't be harvested for commercial use (as Google
| does). Apple clearly is leading in security.
| cglong wrote:
| Except that Android has had E2E encrypted backups since 2018
| https://security.googleblog.com/2018/10/google-and-
| android-h...
| aborsy wrote:
| You are right. I guess I was thinking that none of the FANG
| provides a "desktop" client app with e2e.
|
| But Android already collects a lot of data from the device
| before encrypting.
| Melatonic wrote:
| Most of which you can opt out of
| lern_too_spel wrote:
| Indeed, you can opt out of more of it on Android than you
| can on iOS. Try to get your location on iOS without
| telling Apple. You can't. Try installing an app without
| telling Apple. Same.
|
| Even MacOS is infected with this privacy invading
| nonsense that I can't opt out of. It has an Apple News
| app that I can't uninstall, and whenever anybody sends an
| Apple News link, even in a private tab, it opens the
| Apple News app, a handler that I can't disable, sending
| the article I want to read together with my Apple ID to
| Apple.
| v0idzer0 wrote:
| Android is a steamy pile of privacy violations, but yes
| they do have this one feature
| lern_too_spel wrote:
| Android, by virtue of giving more control to the user,
| has far fewer privacy violations than iOS.
| bloppe wrote:
| Apple loves harvesting your data for commercial use
|
| https://www.extremetech.com/mobile/340887-apple-sued-for-
| all....
| lloeki wrote:
| > Apple loves harvesting your _store interaction_ data
| _within store apps_ for commercial use
|
| FTFY.
|
| Please stop spinning that as if Apple were siphoning every
| single one of one's moves everywhere, irrespective of any
| telemetry setting one has set.
|
| Both the linked piece and the reporter's Twitter thread
| seem to have taken great care to bury behind clickbait
| headlines and scary words the fact that this applies only
| to App Store, Books, Apple TV, and iTunes Store apps, which
| are all "store" apps (presumably that's where commercial
| stuff typically happens) that used to outright be webviews
| (not entirely sure they are 100% native as of today). I
| don't think anyone would be appalled if a React-based web
| app would send vast amounts of requests based on user
| interaction.
|
| So yeah, they should probably not collect as much data as
| that and probably should have a toggle to nerf such data
| collection within the store apps (which is not the same as
| OS/actual app/service telemetry), but the way things keep
| getting spun is beyond ridiculous and does not help in
| improving anything.
| v0idzer0 wrote:
| You'd detect a software update?
| fnordpiglet wrote:
| They couldn't without bypassing all their controls and
| assurance measures, which are required by not just governments
| but corporations who don't trust apple or the government, as
| well as regulators across the world who also don't trust either
| apple or the us government. If you've ever worked in a highly
| regulated highly sensitive enterprise tech environment you
| would know this is hogwash.
| [deleted]
| spa3thyb wrote:
| I still disagree with the shift from PR to 3P, but in that
| spirit, this might be a better URL:
|
| https://9to5mac.com/2022/12/07/apple-advanced-data-protectio...
| Arubis wrote:
| And, just like that, I can finally turn on iCloud backups on all
| my devices.
| vengefulduck wrote:
| Looking into the details it seems like they're using Convergent
| Encryption [1][2] in order to enable deduplication in iCloud
| drive and photos. Which would imply it is possible for an
| attacker to determine if your account is storing a file for which
| they know the plaintext. It's still a lot better than the status
| quo but that's a pretty big asterisk in my mind.
|
| [1] https://support.apple.com/en-
| ca/guide/security/sec973254c5f/...
|
| [2] https://smarx.com/posts/2020/09/convergent-encryption-and-
| wh...
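The deduplication trade-off described in the comment above, as an added example that is not part of the thread and not Apple's code: a toy convergent-encryption scheme (key = SHA-256 of the content, with HMAC-SHA256 in counter mode standing in for a real cipher such as AES) next to a per-user randomized scheme. Identical plaintexts give identical ciphertexts under the first, which is what lets a provider deduplicate across accounts and also what lets anyone holding a ciphertext and a guessed plaintext confirm a match without any key from the account owner; under the second the match test fails, and so does cross-user dedup. All function names and sample files are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF stream: HMAC-SHA256(key, nonce || counter) in counter mode.
    Constructed stand-in for a real cipher (e.g. AES-CTR); enough for a demo."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


# --- Convergent encryption: the key is derived from the content itself ---

def convergent_key(plaintext: bytes) -> bytes:
    """K = H(P). Anyone who knows P can derive K."""
    return hashlib.sha256(plaintext).digest()


def encrypt_convergent(plaintext: bytes) -> Tuple[bytes, bytes]:
    """Returns (key, ciphertext). Deterministic: same P -> same C, so a
    server can deduplicate identical files across accounts by comparing C."""
    key = convergent_key(plaintext)
    nonce = bytes(16)  # fixed nonce on purpose: determinism is the point of the scheme
    return key, _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_convergent(key: bytes, ciphertext: bytes) -> bytes:
    return _xor(ciphertext, _keystream(key, bytes(16), len(ciphertext)))


def dedup_tag(ciphertext: bytes) -> str:
    """What a dedup index would store: a hash of the ciphertext."""
    return hashlib.sha256(ciphertext).hexdigest()


def ciphertext_matches_plaintext(ciphertext: bytes, candidate: bytes) -> bool:
    """The caveat from the comment: because K depends only on P, a ciphertext
    plus a candidate plaintext is enough to confirm or deny a match."""
    _, expected = encrypt_convergent(candidate)
    return hmac.compare_digest(expected, ciphertext)


# --- Per-user, randomized encryption: the usual E2EE alternative ---

def encrypt_per_user(user_key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce each time: the same file encrypts differently on
    every upload and every account, so dedup is impossible, but so is the
    match test above."""
    nonce = os.urandom(16)
    return nonce + _xor(plaintext, _keystream(user_key, nonce, len(plaintext)))


def decrypt_per_user(user_key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    return _xor(ciphertext, _keystream(user_key, nonce, len(ciphertext)))


if __name__ == "__main__":
    # Constructed sample: two accounts upload the same widely available file.
    shared_file = b"a public PDF that millions of people have a copy of"
    _, alice_ct = encrypt_convergent(shared_file)
    _, bob_ct = encrypt_convergent(shared_file)
    print("dedup possible:", dedup_tag(alice_ct) == dedup_tag(bob_ct))
    print("match confirmed from ciphertext alone:",
          ciphertext_matches_plaintext(alice_ct, shared_file))
    alice_key = os.urandom(32)
    print("per-user ciphertexts differ:",
          encrypt_per_user(alice_key, shared_file) != encrypt_per_user(alice_key, shared_file))
```

The two halves show the trade-off in one place: the deterministic scheme is what makes storage-side deduplication work, and the same determinism is what makes a known-plaintext confirmation possible; switching to a per-user key with a random nonce removes the confirmation but also removes dedup, so a provider has to pick one or the other for each data class.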
| upofadown wrote:
| >Conversations between users who have enabled iMessage Contact
| Key Verification receive automatic alerts if an exceptionally
| advanced adversary, such as a state-sponsored attacker, were ever
| to succeed breaching cloud servers and inserting their own device
| to eavesdrop on these encrypted communications.
|
| Generally the biggest threat that end to end encryption (E2EE)
| addresses is the people that actually run the servers "inserting
| their own device to eavesdrop". So Apple in this instance. We
| would normally have to assume that Apple would do this on a
| request from state level entities as part of the threat model.
|
| Apple has to provide some sort of E2EE identity verification if
| they want to claim that they are providing E2EE messaging. I note
| that they have been making such a claim for some time now. After
| this, all that will remain is the issue of control of the
| software. We will still have to trust Apple to not subvert the
| clients in some way. So nothing has substantially changed yet.
|
| From the little we know about the usability of this new feature I
| note that the warning about new/changed devices is in small grey
| text. So very easy to overlook. Hopefully Apple will provide
| enough context to allow the user to do something meaningful in
| response to such a warning.
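The kind of identity check the comment above says an E2EE messenger must provide, as an added example that is neither Apple's code nor a description of how iMessage Contact Key Verification is actually implemented: a client pins the set of device public keys it has seen for each contact, and when the server's key directory later reports a different set (a device added or removed) it raises an alert naming the changed fingerprints instead of silently encrypting to the new key. A short comparison code computed over both sides' key sets lets two users confirm out of band that they see the same devices. Contact names, keys and directory responses are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def fingerprint(public_key: bytes) -> str:
    """Short, human-comparable digest of a device public key."""
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass
class KeyChangeAlert:
    contact: str
    added: List[str]    # fingerprints now advertised that were never pinned
    removed: List[str]  # pinned fingerprints that disappeared

    def describe(self) -> str:
        return (f"{self.contact}: device keys changed; "
                f"added={self.added or '-'} removed={self.removed or '-'}")


@dataclass
class ContactKeyPins:
    """Trust-on-first-use store of the device keys seen per contact.
    Every later directory lookup is compared against the pinned set."""
    pins: Dict[str, Set[str]] = field(default_factory=dict)

    def check_directory(self, contact: str,
                        directory_keys: List[bytes]) -> Optional[KeyChangeAlert]:
        seen = {fingerprint(k) for k in directory_keys}
        if contact not in self.pins:
            self.pins[contact] = seen  # first lookup: nothing to compare against yet
            return None
        pinned = self.pins[contact]
        added, removed = sorted(seen - pinned), sorted(pinned - seen)
        if added or removed:
            # Pins are deliberately NOT updated here: the user has to verify the
            # change first, otherwise an injected device is accepted silently.
            return KeyChangeAlert(contact, added, removed)
        return None

    def accept_after_verification(self, contact: str, directory_keys: List[bytes]) -> None:
        """Called once the user has confirmed the new key set out of band."""
        self.pins[contact] = {fingerprint(k) for k in directory_keys}


def verification_code(keys_a: List[bytes], keys_b: List[bytes]) -> str:
    """Order-independent code over both parties' device key sets. Each user
    computes it locally; matching codes mean neither side sees an extra device."""
    sides = sorted([b"".join(sorted(keys_a)), b"".join(sorted(keys_b))])
    digest = hashlib.sha256(sides[0] + b"\x00" + sides[1]).digest()
    number = int.from_bytes(digest[:16], "big")
    # six groups of five digits, in the style of messenger safety numbers
    return " ".join(f"{(number >> (17 * i)) % 100000:05d}" for i in range(6))


if __name__ == "__main__":
    store = ContactKeyPins()
    bob_phone = b"bob-phone-pubkey-constructed"
    bob_mac = b"bob-mac-pubkey-constructed"
    store.check_directory("bob", [bob_phone, bob_mac])  # first use: pinned silently
    # Later the directory advertises a device Alice has never seen for Bob.
    alert = store.check_directory("bob", [bob_phone, bob_mac, b"unknown-device-key"])
    print(alert.describe() if alert else "no change")
    print("compare out of band:", verification_code([b"alice-phone-key"], [bob_phone, bob_mac]))
```

The important design choice is in `check_directory`: a changed key set produces an alert but never replaces the pins on its own, so the client keeps encrypting only to the devices the user already trusted until `accept_after_verification` is called. Whether the alert is shown prominently or in small grey text is then a UI decision, which is the point the comment raises.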
| WhackyIdeas wrote:
| This reminds me of a hacker exploiting a victim's system,
| patching the vulnerability and installing a keylogger.
|
| Yeah it's nice you are taking the security seriously so others
| can't get in easily, but you (Apple) are still siphoning off my
| data for profit after I spent an arm and a leg on your
| equipment...
|
| It just feels like protecting your investment more than my data
| security.
| aborsy wrote:
| This is major news. Companies such as Apple and Dropbox are
| implementing end to end encryption, at least as an option.
|
| Was client side scanning implemented finally? Perhaps E2E paves
| the way to client side scanning?
|
| For the hardware key, Apple is a bit late though. All other cloud
| companies have that 2FA.
| theshrike79 wrote:
| Client side scanning was scrapped because 80% of the internet
| couldn't understand how the implementation worked.
|
| Maybe they'll try it again after this.
| sneak wrote:
| > _Client side scanning was scrapped_
|
| Apple never said that it was scrapped. They did, however say
| that they intend to do it.
| theshrike79 wrote:
| https://www.wired.com/story/apple-photo-scanning-csam-
| commun...
|
| "Apple Kills Its Plan to Scan Your Photos for CSAM. Here's
| What's Next"
|
| That's dead enough for me.
| amarshall wrote:
| The press release is a bit sparse, there is a bit more detail on
| "Advanced Data Protection for iCloud" in the support article
| https://support.apple.com/en-us/HT202303#advanced
| dang wrote:
| Ok, I think we'll change the URL to that from
| https://www.apple.com/newsroom/2022/12/apple-advances-
| user-s.... Thanks!
|
| Is there a similar URL for the security key stuff? If so, we
| can factor that out of this thread, which is almost all about
| E2EE backups.
| keepquestioning wrote:
| Can someone get ChatGPT to summarize this PR release?
| alexfromapex wrote:
| Apple has introduced three new security features to better
| protect users' data in the cloud. The new services will provide
| the company's highest-ever levels of data security for the
| iCloud. The services, called iMessage Contact Key Verification,
| Security Keys for Apple ID and Advanced Data Protection for
| iCloud, will be available for users to choose from. Apple is
| committed to providing users with the best data security in the
| world, said Craig Federighi, the company's senior VP of
| software engineering.
| yarg wrote:
| End to end?
|
| Isn't that only required if the guy on the other side needs to
| decrypt?
| dsign wrote:
| iCloud was convenient and I was even paying for it, but when the
| "we will scan your photos and snitch on you" debacle happened I
| started backing up my photos at home and removed all my
| spreadsheets from iCloud (who knows what crappy software can
| interpret as CSAM).
|
| This will go a long way into restoring my trust on Apple. Yet, I
| can't help but notice that the "we will scan your photos and
| snitch on you" workflow they published then is still compatible
| with enhanced iCloud security. Hell, they can always send a
| command to the photo's app in your phone to upload all your
| photos straight to FBI's servers. So in this case technology is
| like 50% of the trust, the other 50% is sheer commitment to
| customers and that was tainted by that episode.
| infotogivenm wrote:
| Sorry mate but you have no idea how anything works. Literally
| every photo hosting service on the internet will scan your
| photos against an abuse list and work with LE - otherwise they
| get to become the "cp-friendly" hoster.
|
| When apple released client-side scanning (which only ever
| applies to photos uploaded to iCloud Photos) the only thing
| that changed was now the scanning takes place on your device
| where you have transparency and ability to see what hashes are
| checked. The folks paying attention knew what this was - Apple
| redesigning a workflow to make LE cool with e2e encrypted
| photos. You read some false outrage articles and are now
| somehow _still_ upset at a company doing work that is currently
| in your best interest. Baffling.
| therealmarv wrote:
| I'm baffled how people can be so okay with letting their
| whole device being scanned always. I don't want it to be
| scanned no matter what the intention is, it's not the phone
| or Apple's business. Device ownership and to decide for my
| own what the device is doing with MY data is my liberty. If
| you want your device to scan your data always is maybe cool
| with you. But not cool with me.
|
| I've read all the technical documentation too. However who
| says that the mechanism is implemented like intended forever?
| Maybe Apple or (local) law will change and voila: Your device
| scan report is reported to Apple and authorities because it
| is anyway already in place on your device.
| squeegee_scream wrote:
| > In a second victory for privacy advocates, Apple said it was
| dropping a plan to scan user photos for child sex abuse images.
| The company had paused that plan shortly after its announcement
| last year, as security experts argued that it would intrude on
| user's device privacy and be subject to abuse.
|
| https://www.washingtonpost.com/technology/2022/12/07/icloud-...
| pifm_guy wrote:
| WhatsApp recently added e2e backups (as an option) too.
|
| I always thought the reason they didn't encrypt backups was as a
| way to remove pressure from security services to weaken the
| encryption. Better to let the security services go after
| Google/apple as the backup provider. And have an option to turn
| off backups for the security paranoid users.
|
| I wonder why they changed stance...
| amadeuspagel wrote:
| Android has had encrypted backups for years.
| dodgerdan wrote:
| This is pretty big news. I wonder will there be an immediate push
| back by law enforcement and governments?
| gjsman-1000 wrote:
| Remember the CSAM scanning debacle almost a year ago? I and
| others speculated that the reason Apple was trying to make the
| CSAM-scanning and Safety Vouchers client-side was so that they
| would be able to allow E2E encryption while having a plausible
| reason to shut down law enforcement's biggest argument against
| E2E.
| nerdjon wrote:
| I could have sworn apple even straight up said that was their
| goal?
|
| Maybe I am just misremembering since like you I figured that
| was the reason they were doing it, no other reason to do
| something like that if it was all going to sit there
| unencrypted.
| gjsman-1000 wrote:
| No, they didn't say anything like that at the time, so I
| was even downvoted on HN and argued with for making the
| suggestion. Because Apple was definitely just being evil
| and had no bigger picture.
| supertrope wrote:
| It wouldn't stop at CSAM. Alongside it in urgency of appeal
| to fear is counter-terrorism*. Next would be drug dealing,
| threats of violence. Then copyright infringement. And finally
| Amber Alerts and silver alerts. A backdoor or warrant-less
| search for one category is a backdoor for all. The point is
| for government power to trump privacy.
|
| *The definition of terrorism depends on your jurisdiction.
| AlexandrB wrote:
| While the on-device CSAM scanning was a huge overreach I'm
| not sure how you could leverage that system for things like
| Amber/silver alerts or threats of violence. It's not
| _really_ a backdoor, more of a snitch system.
| gigel82 wrote:
| That's a very optimistic point of view. On the other hand, I
| and others speculated that the reason Apple wants to
| introduce code on your device that scans local content on
| your device against a government mandated database of "wrong
| content" was to appease law enforcement's desire for more
| control.
| schrodinger wrote:
| I don't understand how your other hand argument is more
| pessimistic. Isn't your phone scanning locally for
| checksums better than requiring the data to be unencrypted
| and scannable server-side? Surely they couldn't just do
| _nothing_.
|
| edit: I take this back--"nothing" should be the right
| answer.
| gigel82 wrote:
| _nothing_ is exactly what I expect them to do when it
| comes to my local files.
|
| We all like to vilify Microsoft (rightfully so for all
| the telemetry crap they pull) but imagine if Windows
| started scanning all your local disks for files matching
| certain checksums then notifying authorities when matches
| occur (thumbnails / other metadata uploaded with the
| reports) like Apple was planning. Sure, it'll be CSAM
| first. Then, domestic terrorism; then RIAA / MPAA would
| jump in on the action... and finally, opaque checksum
| databases from local governments ("wrong think", Winnie
| the Pooh memes, pictures from protests, etc.) ; if we
| don't stop it in its infancy we're quickly tumbling down
| the slippery slope.
| schrodinger wrote:
| Thanks, you've changed my mind and I totally agree.
| (Sincerely in case it smelled of sarcasm).
| theshrike79 wrote:
| The CSAM scanning was only enabled if you had iCloud
| uploads enabled.
|
| They would've only scanned the files that would end up in
| the cloud anyway.
|
| But people went "omg my files", stuck their fingers in
| their ears and refused to read the damn spec.
| gigel82 wrote:
| The "damn spec" clearly stated that they would be
| introducing functionality on your device that is capable
| of scanning content on your device and matching that
| against a database of opaque hashes downloaded from a 3rd
| party. That's functionality I don't want on my device.
|
| FWIW, I don't use iCloud and never have used it; I don't
| care if they scan content once uploaded (it's their
| servers and I'm confident they'll continue scanning
| content there no matter how "E2EE" it is - see China and
| key sharing). As long as they keep their scanning on
| their devices and off of my device it's all good.
| mark_l_watson wrote:
| I really enjoy the automatically generated iPhoto "experiences"
| that include background music and photo/video effects that appear
| sometimes, more often after I took vacation pictures. Hopefully
| those can be generated on my device and I won't have to give
| those up to get encryption at rest.
| yreg wrote:
| Those have always been generated on device (and uploaded if you
| use iCloud).
| pradn wrote:
| They word their announcement carefully.
|
| > For users who opt in, Advanced Data Protection keeps most
| iCloud data protected even in the case of a data breach in the
| cloud.
|
| Here, "cloud" is treated generically - as if Apple doesn't have
| to do with it. I suppose they don't want to spell it out. A more
| honest, but still easy-to-understand statement would be:
|
| > For users who opt in, Advanced Data Protection keeps most
| iCloud data protected even if someone hacks Apple's iCloud
| servers.
| boringg wrote:
| I don't think that's them being dishonest. I'm pretty sure the
| way I read the first sentence and your re-write is the same
| thing. I guess the only difference is maybe the layman might
| not gather that. That said the layman probably isn't going to
| care about end to end encryption either.
|
| Nice to hold the corporates accountable but I don't find this
| to be slimy or anything - maybe just me though.
| kitsunesoba wrote:
| Excellent, I'll be adding hardware keys right away. Their
| existing iCloud-connected-device 2FA is better than SMS but it's
| always bugged me that I wasn't able to use a hardware key.
|
| Now if we could just get banks on board... they're probably the
| single biggest glaring hole in non-SMS 2FA. To my knowledge
| there's only 2-3 US banks that even support TOTP, let alone
| hardware keys, which is insane given how important they are.
| AlexandrB wrote:
| AFAIK no Canadian banks even support TOTP - it's all SMS (or in
| one case a bank "app" that does TOTP, but frequently logs you
| out so you have to use SMS anyways). Maybe they'll catch up in
| a decade or so.
| Melatonic wrote:
| Yeah, super annoying - this is the one thing stopping me from
| getting a Yubikey. What's the point if I cannot use it on the
| stuff I really want to use it for?
| steelframe wrote:
| Just as they did for CSAM scanning, they will push any code that
| mines your data for the purposes of targeted advertising down
| into the phone itself.
| yreg wrote:
| CSAM scanning on device never happened. The plan was abandoned.
| neop1x wrote:
| Proof? Their keynote or their press release?
| yreg wrote:
| Burden of proof lies with the one who claims something
| happened. Not with the one who says it doesn't exist.
| KindAndFriendly wrote:
| >> ...For users who opt in, Security Keys strengthens Apple's
| two-factor authentication by requiring a hardware security key...
|
| I hope they will support existing Yubi-Keys etc and not force
| users to get the dedicated Apple hardware key.
| yakkityyak wrote:
| > force users to get the dedicated Apple hardware key
|
| I don't think there is one?
| ethanzh wrote:
| I think your iPhone is the dedicated Apple hardware in this
| case
| zaroth wrote:
| You don't have to guess, the announcement actually tells you
| 3rd party keys can be used and NFC keys can be tapped on
| the iPhone.
| frizlab wrote:
| The iPhone and recent Macs are ones. But it would not make
| sense to use your iPhone to protect your iCloud I think.
| yakkityyak wrote:
| It was a rhetorical question :P
|
| The section of the announcement is emphatically about 3rd
| party security keys support, so the worry about lack of
| support of YubiKey over some push for some imaginary Apple
| Dedicated Key didn't make much sense to me.
|
| Also, security key (at least to me) implies a small,
| keychain sized device. I wouldn't think of calling my Mac
| Studio a security key. There is no device marketed as such,
| even though yes, the SEP can and has fulfilled these
| purposes.
| fmajid wrote:
| That's what I am most looking forward to. I hope they also
| allow you to disable the phone-based recovery scheme that is
| just a boulevard for SIM-swapping hackers to breach through.
| frizlab wrote:
| Given they already support standard WebAuthn (passkey or
| other), I think it's a pretty safe guess to say they'll support
| Yubikeys. I can't find any written confirmation yet though.
| diebeforei485 wrote:
| Written confirmation in WSJ (paywall) here:
| https://www.wsj.com/articles/apple-plans-new-encryption-
| syst...
|
| > [Apple] will now allow users to log in to their Apple
| accounts with hardware-based security keys made by other
| companies such as Yubico.
| lxgr wrote:
| Curious to see how they will use it. I don't see an
| immediate way for FIDO/WebAuthN to help in an end-to-end
| encryption scenario.
| jackson1442 wrote:
| I don't think this is directly related to the E2EE
| announcement, rather it is an option to replace the
| current MFA method of receiving codes on your Apple
| devices.
| lxgr wrote:
| That makes sense, thank you. It's also mentioned under
| the corresponding heading on the press release.
| technothrasher wrote:
| The linked page says yes.
|
| "users will have the choice to make use of third-party hardware
| security keys"
| [deleted]
| dang wrote:
| (This comment was posted when the linked URL was
| https://www.apple.com/newsroom/2022/12/apple-advances-
| user-s..., which contains the physical security key
| announcement as well as the E2EE stuff. If there's a better URL
| for the security key announcement, we can factor this topic
| into its own thread, since it's a minority topic in this one
| and mostly getting overlooked.)
| cguess wrote:
| The screenshot pretty clearly shows a yubikey outline.
| twobitshifter wrote:
| is apple making a hardware key?
| NoImmatureAdHom wrote:
| This is trash and Apple is trash.
|
| 1) They explicitly state that they're going to keep an eye on the
| hashes of your files, allowing them to nuke anything they don't
| like from orbit system-wide. They still know what you have in
| cases where someone else has it and they know the plaintext.
| They're definitely going to scan what you keep in their cloud. It
| will start with kiddie porn, but then it'll be that plus
| terrorist documents (and who decides what that is???), and then
| illegal music and movies, and then...
|
| 2) It's all implemented with closed-source mysteryware. Who the
| fuck knows what it's doing? You've got to trust their pinky-
| swear, and you shouldn't. It probably works as it is described
| until it receives the special wink from Apple's servers, and then
| it sends along your private keys (possibly using an exploit they
| put there on purpose). If it's not verifiable (open-source and
| reproducible builds), it's a pinky swear.
|
| 3) This is your reminder that your iMessage isn't actually E2EE,
| they have a lot of the keys on their own servers.
|
| These are all things they _could_ fix, but don't. And they won't
| fix them because they don't actually give a damn about your
| privacy and security. We should all demand open-source,
| reproducibly-built encryption software.
| knaik94 wrote:
| I wonder if they will push for client side scanning for CSAM
| material again, since photos are covered under end to end
| encryption based on this announcement. As a consumer, it feels
| like two different teams with two different ideas of what kind of
| consumer privacy should be protected are trying to guide Apple in
| opposite directions.
|
| Apple, the client side scan pushing and ad platform expanding
| company is now the same company that is releasing strengthened
| cloud data protection. Deduplication becomes impossible at any
| sort of scale and for safety Apple even turns off web access to
| iCloud when E2E cloud protection is turned on for the first time.
|
| Apple has stated it will cache thumbnails using standard
| protections when sharing files, using "anyone with a link" will
| expose the unencrypted data to Apple servers. I wonder if CSAM
| scanning can take place for those files only.
| Shank wrote:
| According to The Washington Post [0], "In a second victory for
| privacy advocates, Apple said it was dropping a plan to scan
| user photos for child sex abuse images. The company had paused
| that plan shortly after its announcement last year, as security
| experts argued that it would intrude on user's device privacy
| and be subject to abuse."
|
| [0]:
| https://www.washingtonpost.com/technology/2022/12/07/icloud-...
| knaik94 wrote:
| Thank you for the link, I had not come across that news. It
| seems like Apple is still scanning photos when NSFW photos
| are sent to phones belonging to minors.
|
| "When receiving this type of content, the photo will be
| blurred and the child will be warned, presented with helpful
| resources, and reassured it is okay if they do not want to
| view this photo. Similar protections are available if a child
| attempts to send photos that contain nudity. In both cases,
| children are given the option to message someone they trust
| for help if they choose.
|
| Messages analyzes image attachments and determines if a photo
| contains nudity, while maintaining the end-to-end encryption
| of the messages. The feature is designed so that no
| indication of the detection of nudity ever leaves the device.
| Apple does not get access to the messages, and no
| notifications are sent to the parent or anyone else."
|
| https://www.apple.com/child-safety/
| jimbob45 wrote:
| It was client-side scanning only for stuff that was going to
| their servers, right?
| yreg wrote:
| Yes, and it was likely directly related to subsequently
| offering E2EE backups. Not "two different teams with two
| different visions".
| explodingwaffle wrote:
| Encrypted iCloud! Never thought I'd see the day- figured
| intelligence agencies wouldn't be a big fan- I guess it's only
| optional though. Still won't be using iCloud on my iPhone, but I
| could at least consider it.
| worldsavior wrote:
| What's the government think about it? I remember they had
| problems with them before trying to enable end to end encryption.
| Despegar wrote:
| This was the point of their plan to introduce CSAM detection on-
| device. Unfortunately the reaction to that was histrionic and
| couldn't see the writing on the wall.
|
| Governments will eventually pass legislation targeting E2E and
| CSAM was the one issue where Apple's method would have defanged
| support for that kind of law. But one good thing about making
| those plans public is that any proposed legislation will likely
| land on Apple's method as being a good compromise. Better for
| Apple to wait until they're forced by governments to do it.
| commoner wrote:
| It's a good thing that the "histrionic" privacy advocates
| successfully pressured Apple to back down from introducing a
| vulnerability in the product before releasing this feature.
| Despegar wrote:
| It was definitely a win in a narrow and politically naive
| sense.
| dmix wrote:
| I'd rather fight that battle when it comes rather than
| compromise early on and trust they won't be back next week with
| a new policy move.
| brookst wrote:
| Yep. Their CSAM implementation guaranteed that E2EE for photos
| was coming. I thought the death of that CSAM approach meant
| they just wouldn't ship E2EE photos. I guess you're right, they
| know governments will mandate it and they at least have an
| approach that's compatible with E2EE.
| ir77 wrote:
| this announcement is huge in multiple ways:
|
| 1) they just ate every other 3rd party "secure" backup service's
| lunch just like they did to the Hi-Res music industry.
|
| 2) details of what they backup securely, besides photos (which is
| top priority for me): iCloud Drive: Includes Pages, Keynote, and
| Numbers documents, PDFs, Safari downloads, or any other files
| manually or automatically saved to iCloud Drive.
|
| 3) _BUT_, perhaps the _BIGGEST_ news here is that Apple is
| making a backup statement to what they've been saying for years
| and what they've recently gotten negative attention on: They
| don't want your data. They're not Google/FB/Amazon. They're
| giving you 2TB+ of space and you can encrypt it to the point that
| you'll lose your data and they don't care -- they don't want to
| mine your data, they don't want to know what you store on there,
| they don't care to scan your pictures with AI 20 different ways,
| they don't want to monetize it, etc, etc., just pay them money
| for their service and transactionally they give you the only thing
| that you want in return -- reliable, secure, private service.
|
| seriously, anyone at this point advocating for any other
| phone/os/service out there besides apple is really going out of
| their way to swim up river.
| tehlike wrote:
| Apple wants your data as much as other companies, except they
| don't want this _specific_ data.
|
| Otherwise apple likes to track your moves in the areas they do
| advertising on as much as everyone else.
| plzmark wrote:
| Maybe. But has this been audited? Are there backdoors, perhaps
| in the hardware?
|
| I thought just a couple of months ago they wanted to scan
| everyone's phones for illegal content.
| amadeuspagel wrote:
| > They're not Google
|
| No, google has had encrypted android backups for years.
| ir77 wrote:
| so did apple, you could encrypt through iTunes for a decade,
| and if you're that paranoid about encrypted backups i would
| trust an off-line encrypted backup more than i would an
| encrypted backup in google's cloud.
| theonlybutlet wrote:
| The fundamental iCloud product itself however is subpar and
| until that is dealt with, it won't be that huge.
|
| A few examples: Still can't keep photos on iCloud and delete
| thumbs on the phone. A real issue: my old iPhone had
| insufficient space and I had to move to OneDrive. Support for
| other operating systems is lacklustre. One of the core benefits
| of cloud is accessing your files anywhere when you need them,
| not possible unless you're lucky enough to find yourself on a
| Mac at that moment.
| dzikimarian wrote:
| * They have tons of your data anyway, lots of which is more
| valuable for advertising than backup of your photos.
|
| * They are more and more into advertising business
| https://news.ycombinator.com/item?id=32520894
|
| * Their executives admit that they want you and your family
| locked into their ecosystem (leaked emails).
|
| Sorry, but advocating for them seems like a very bad idea. Google
| was a cool, pro-customer company once too. Until they were in a
| position to not be anymore. Open standards, without any vendor
| lock-in, are the only reasonable way.
| logic_probe wrote:
| richrichardsson wrote:
| > They're giving you 2TB+ of space
|
| I think you and I have vastly different ideas about what
| "giving" means.
|
| I get 5GB of iCloud storage, unless I pay them £6.99/month for
| 2TB. No idea what the rate is over 2TB.
|
| Have I missed a trick to getting this 2TB+?
|
| (I have 7 Apple devices in my possession and have owned a
| further 2 that I've passed on to my kids; given the premium I
| paid for those I almost expect that I should get 5GB PER
| DEVICE, but of course that's fairly unreasonable in reality)
| jshier wrote:
| You can't even get over 2TB unless you subscribe to Apple One
| and even then you only get another 2TB. Pretty useless as a
| large scale backup service if the maximum you can ever pay
| them for is 4TB.
| mvanbaak wrote:
| Per user. I know you would probably like to backup your
| linux isos to icloud but besides that the 4tb per
| account/user is pretty much all one would need. This is for
| personal use, not business ;)
| [deleted]
| another_story wrote:
| Been seeing a lot more of these snarky sort of comments
| on HN as of late, and it's not encouraging. Can we keep it
| civil without making light jabs at others' preferences or
| tech needs?
| ir77 wrote:
| sorry, yes, i meant it that you can now purchase 2TB of
| stand alone E2E storage from apple for $9/mo, or get it as
| part of iCloud+. "giving" was a poor word and should have
| been "available".
| account-5 wrote:
| > seriously, anyone at this point advocating for any other
| phone/os/service out there besides apple is really going out of
| their way to swim up river.
|
| Count me in amongst the salmon then.
| phpisthebest wrote:
| >>seriously, anyone at this point advocating for any other
| phone/os/service out there besides apple is really going out of
| their way to swim up river.
|
| Well for your use case maybe, but I do not find the value of
| trading privacy for freedom to be a good one, specifically
| since I can secure my data other ways including not storing it
| at all on my phone.
|
| My phone is a tool, and I prefer to own and control that tool
| completely.
| brewdad wrote:
| What phone do you own and control completely? I was under the
| impression that every phone capable of being a phone contains
| BLOBs that you have no control over.
| gigel82 wrote:
| It's good to be passionate, but blind devotion is dangerous,
| especially since we already know by now Apple is positioning
| itself to become a major player in the advertising space and -
| with a dwindling economy and an increased pressure for sustained
| growth from shareholders - that's going to continuously
| encroach on our privacy guarantees for monetization purposes.
|
| I'm advocating for an open and interoperable ecosystem of
| operating systems, services and applications, which is the only
| way to ensure sustainable customer freedom. Unfortunately that
| ecosystem doesn't exist yet so we're stuck with the duopoly of
| evil-doers (and while Google openly admits it is their business
| model to monetize you and your data, Apple has been caught with
| their hands in the cookie jar a bunch of times already and
| they're just developing a sweet tooth, so...).
|
| Full disclosure: I've been using only iPhones for 12 years and
| am still using one today.
| dontbenebby wrote:
| >Apple is positioning itself to become a major player in the
| advertising space and - with a dwindling economy and an
| increased pressure for sustained growth from shareholders -
| that's going to continuously encroach on our privacy
| guarantees for monetization purposes.
|
| Or they could sell us a rugged iPhone with a removable
| battery and SD card slot to extend storage but keep the
| proprietary OS to keep the music/movie ppl happy plus keep
| out malware not sent via FISA warrant, but if they did that
| Tim Cook might jump off the top of the donut apparently, so
| they keep going the way you describe.
| GeekyBear wrote:
| > Apple is positioning itself to become a major player in the
| advertising space
|
| Advertising does not require that you spy on each individual
| person.
|
| Google, for instance, used to show you ads based only on your
| search keywords.
| judge2020 wrote:
| > Google, for instance, used to show you ads based only on
| your search keywords.
|
| This is still true. You basically never see personalized
| ads on search, since getting a contextual ad for cruises
| when searching for programming answers probably isn't going
| to end up with many clicks. Instead, it's only really
| 'Google Ads' (AdSense on other websites) and YouTube where
| personalized ads result in higher CPMs.
|
| (Although Google does indeed use your search history for ad
| targeting.)
| katbyte wrote:
| outside of appstore ads and ios ads for their services, where
| is apple doing advertising?
| falcolas wrote:
| Throughout their News app for one.
| HL33tibCe7 wrote:
| Apple News is an unusual miss by Apple imo. It's just not
| "Apple", like everything else they do is.
| thewebcount wrote:
| Yeah, this has been so depressing to see. I disliked that
| there were ads when I signed up, but it was part of a
| bundle with other things (arcade, music, tv, fitness,
| etc.), so I gave it a try. But they've been increasing in
| frequency and they've been added to places they didn't
| exist before (like when you swipe to see the next
| article). It's still nowhere near as bad as reading a web
| page without an ad blocker, but it's definitely past my
| threshold of pain, and so I'm just using it less. I want
| the other things in the bundle, so they'll count me as a
| subscriber, but I'm using it less each day.
|
| What's particularly odd is that some articles have no ads
| at all. Some have the same ad repeated literally 3-5
| times in a short 1,000 word article. And the ads are all
| trash. They seem like those awful chum-boxes you see on
| web sites. Who in their right mind thought this would be
| appealing to the typical Apple user? I mean, regardless,
| I have never intentionally clicked on any ad on the web
| in 30 years, and I'm not going to start now.
|
| It's sad because it's exposed me to regional newspapers
| from around the world. I live in California and see
| articles from newspapers in Idaho, Utah, Connecticut,
| upstate New York, Dallas, Miami, Chicago, etc. and even
| from other (mostly English-speaking) countries like
| Canada, England, Ireland, Israel, and Australia. They
| even include some (English-language) stuff from China. I
| don't normally see news sources that diverse on the web
| because it takes more effort. But the ads just make it
| not worth it to continue using.
| brewdad wrote:
| News+ silently dropped one of my preferred news sources
| last week. No updated articles for a week now and it's no
| longer listed on the news sources page on the web site.
| Oh well, I'm still in a free 6 month trial but no longer
| intend to become a paid subscriber next year.
| ziml77 wrote:
| Even with the amount of leverage they have to control
| third parties, media companies are too big for them to
| control. I'd be willing to bet they had little choice but
| to let the various publications run ads as they please.
| Those companies don't need to be available on Apple News+
| to survive. But Apple News+ has no chance without them.
| rekoil wrote:
| Lol, the News app is available in like two countries.
| sn0wf1re wrote:
| And "news" in Stocks
| nomel wrote:
| Are these ads? If I see a large derivative, I can usually
| glance down at the relevant news to see why. More often
| than not, it says "No Recent Stories", which shouldn't be
| the case for an ad.
|
| The news articles in the main view are just top business
| stories from Apple News. I don't see anything ad-like at
| all, actually.
| nullwarp wrote:
| In the Settings app they advertise iCloud if you aren't
| using it.
| kaba0 wrote:
| If you consider that an ad, then we are not talking about
| the same topic. Like sure, pedantically it is an ad, but
| it is not the kind people mind or that hurts their privacy at
| all, nor does it have shady incentives (it is not a
| third-party service).
| riversflow wrote:
| > ios ads for their services.
|
| I hate ads, but for most people paying some bucks a month
| to make sure their 2nd brain of
| photos/notes/passwords/texts/etc is totally (and now
| privately) backed up is a worthwhile insurance policy.
|
| I think the argument that advertising iCloud plan
| upgrades in settings, where you'll be pointed to if you
| run out of backup storage, is very benign as far as ads
| go. Although I do think that they should have a method to
| dismiss it (I don't see this so I'm projecting that they
| don't).
| HeckFeck wrote:
| It is much, much less obnoxious than the constant nagging
| to use Edge and OneDrive we see in Windows.
|
| Windows even sent a notification questioning my choice to
| disable location tracking.
| howinteresting wrote:
| Yes, Apple is slightly less bad than Windows. On the
| other hand, Linux doesn't have any ads (other than the
| silly ones Ubuntu is trying to push on the command line
| these days).
| theshrike79 wrote:
| So by this definition Firefox is advertising Pocket?
| cies wrote:
| Clearly. That was the main problem voiced when they
| started doing this, wasn't it?
| kergonath wrote:
| > we already know by now Apple is positioning itself to
| become a major player in the advertising space
|
| We don't know that. We know that they put ads in the App
| Store, that's it. I wish they did not, because it made the
| store even more of an unusable mess, but it really is not
| even in the same league as Google's and Facebook's systematic
| surveillance.
|
| > increased pressure for sustained growth from shareholders
|
| This sounds truthy, but is there any evidence of this? Apple
| is famously the company that tells rent seekers after more
| ROI above all to fuck off (both Jobs and Cook).
|
| > I'm advocating for an open and interoperable ecosystem of
| operating systems, services and applications, which is the
| only way to ensure sustainable customer freedom.
|
| Now that's a real point, which deserves more than being
| buried after a paragraph of half-truths (and I almost
| entirely agree, FWIW).
|
| > It's good to be passionate, but blind devotion is
| dangerous,
|
| After starting a post like this, it is disappointing that you
| fell into the trap you warned the OP about. Being contrarian
| and using misinformed tropes is not a good way of having a
| rational discussion. It is not being cool or clever at all.
| sircastor wrote:
| > Apple is famously the company that tells rent seekers
| after more ROI above all to f off (both Jobs and Cook).
|
| One of my favorite CEO moments comes from Tim Cook on an
| earnings call: "If you want me to do things only for ROI
| reasons, you should get out of this stock." And then more
| recently: "If you're a short-term trader, do not invest in
| the Apple stock."
|
| I understand both, but it's so odd to hear a CEO tell
| people "no, we don't want your money" and I will grant that
| Apple is luckily not in the position of needing it.
| manigandham wrote:
| Everyone in adtech knows it. Apple (and Amazon) are both
| rapidly growing their advertising businesses.
|
| And a 30% take rate on everything from your app, including
| later subscriptions and services, is extremely rent-seeking.
| johnmaguire wrote:
| > We don't know that. We know that they put ads in the App
| Store, that's it. I wish they did not, because it made the
| store even more of an unusable mess, but it really is not
| even in the same league as Google's and Facebook's systematic
| surveillance.
|
| They also put ads in Maps, Stocks, and News, and they
| "started asking people last year if they wanted to enable
| personalized ads on these apps."[0]
|
| > This sounds truthy, but is there any evidence of this?
| Apple is famously the company that tells rent seekers after
| more ROI above all to fuck off (both Jobs and Cook).
|
| "Inside the ads group, Teresi has talked up expanding the
| business significantly. It's generating about $4 billion in
| revenue annually, and he wants to increase that to the
| double digits. That means Apple needs to crank up its
| efforts."[0]
|
| Plus they advertise iCloud in the Settings app with a red
| badge, which is just annoying.
|
| [0] https://www.forbes.com/sites/kateoflahertyuk/2022/08/15
| /appl...
| plusminusplus wrote:
| >> Apple is positioning itself to become a major player in
| the advertising space
|
| > We don't know that
|
| "Apple's VP of advertising platforms Todd Teresi has been
| asked to bolster annual revenue into 'double digits' from
| about $4 billion today" (Aug 2022)
|
| https://www.forbes.com/sites/kateoflahertyuk/2022/08/15/app
| l...
| madeofpalk wrote:
| > Apple is famously the company that tells rent seekers
| after more ROI above all to fuck off (both Jobs and Cook).
|
| The App Store, and their demand of 30% of all revenue that
| passes through an iPhone is the most infamous example of
| digital platforms rent seeking.
| adamwk wrote:
| Android has the same cut for their in-app purchases
| random314 wrote:
| > We don't know that
|
| The only way for a 2T business to grow is by expanding the
| Services business significantly, in some market that is
| already known to be close to half a trillion dollars in
| revenue.
|
| You really think Apple is trying to make small change with
| ads in Apple Maps?!
| dwighttk wrote:
| >we already know by now Apple is positioning itself to become
| a major player in the advertising space
|
| Do we though?
| adra wrote:
| Subjective and rhetorical, but yes lots of people think
| there's too much money on the table to just eschew ads in
| their products. Let's be honest, Apple has a captive
| market, and their largest real issue is that they make too
| much money and can't find anything to spend it on.
| dwighttk wrote:
| I'll give you "lots of people think..." but not "we
| already know..."
|
| And "ads in their products" but not "a major player in
| the advertising space"
| jeffbee wrote:
| Speaking of blind devotion to memes, is there any objective
| data, anywhere, of any kind, that indicates a "dwindling
| economy"?
| widowlark wrote:
| Apple offers hi res audio, but most can't and won't take
| advantage of it. Why? Because most users of Apple Music use
| AirPods, and Apple claims lossless wireless audio is not
| possible (despite the existence of LDAC). Therefore, you are
| streaming hi res audio to your phone only to downscale it when
| listening via your headset. Only people who really benefit are
| carriers, who can rate limit your data.
|
| https://support.apple.com/en-
| us/HT212183#:~:text=Can%20I%20l....
| ir77 wrote:
| "most can't and won't take advantage" of it is a broad
| statement. i would think there are a lot more DAC/Lightning
| adapters and analog headphones in the world than there are
| AirPods, anyone that wants to listen to CD (16/44) quality
| can probably do so for free or a few $ already. my home "hi-
| fi" now consists of an old iPhone 8+ hooked up to a DAC piped
| into my receiver utilizing the 24/96 setting from iTunes, no
| longer a need for Tidal or Qobuz.
| kaba0 wrote:
| With high enough "resolution" does it really matter? (Not
| trying to start a fight, genuinely curious as I'm not too
| well versed in audio)
|
| We don't cry over bitmaps vs vector graphics in most
| contexts, especially since the hardware is trivially limited.
| It's probably a bit more nuanced with speakers, but I imagine
| that they also have very real limits on distinguishable
| outputs for a given input, even if it is not as trivial to
| see as in the case of a w*h pixel grid of depth n.
| WhackyIdeas wrote:
| Yeah but it's still basically the great philosophical question
| of the douche or the turd sandwich.
|
| With everything that has happened with Apple since Jobs's death,
| my trust has been eroded so much that yeah, I still use Apple
| but they are the turd sandwich at the end of the day. I trust
| Google a percent or two less.
|
| I like what they are doing with this E2E encryption. It
| protects against hackers better. It doesn't protect against
| Apple though... they will still continue to sell the analytics
| on you. Which is fine if you don't care.
| OOPMan wrote:
| Yeah man, they're really swimming up river. They being the
| majority of people across the world who can't afford Apple's
| prices.
|
| It must be nice to be so full of shit you can be so blithely
| oblivious.
|
| Next you will no doubt tell me that if you're too poor to
| afford Apple's prices you deserve to have your data monetized
| and mined?
| eastbound wrote:
| > the don't care to scan your pictures with AI 20 different
| ways
|
| They actually systematically scan photos and report people to
| the police if AI determines it looks wrong.
|
| With Apple, you're at risk of losing your business just like
| with any other company who wants your data. Apple didn't solve
| the "An offline account is better than a Cloud account"
| problem.
| yreg wrote:
| >They actually systematically scan photos and report people
| to the police if AI determines it looks wrong.
|
| Obviously the commenter is talking about the new E2EE plan.
| No way to scan it then, unless they do it on device, which
| they also walked away from.
| timmytokyo wrote:
| > They actually systematically scan photos and report people
| to the police if AI determines it looks wrong.
|
| Apple was developing this technology, but they dropped their
| plans.
|
| [0] https://www.theverge.com/2022/12/7/23498588/apple-csam-
| iclou...
| skrowl wrote:
| He's very excited to get something android has had for a decade
| now
| scientism wrote:
| They mine your data as long as it can be converted into a
| marketable product for them. The most recent example was this:
| https://9to5mac.com/2022/11/21/ios-privacy-concerns-deepen/
|
| Maybe images/photos isn't something they want to expand at this
| moment in time but let's not get ahead of ourselves.
| behnamoh wrote:
| They might mine your data BEFORE it leaves your device.
| Thanks to the new A chips, Apple can definitely do that.
| kaba0 wrote:
| I mean, if you can't trust the very OS that handles your
| encrypted data, then you are lost either way, so that
| argument doesn't make sense. It is security LARPing similar
| to hardware kill switches.
| mejutoco wrote:
| This. Technically the iPhone can process images locally.
| The Photos app shows what is in the picture (faces, pets, food)
| and can do OCR on text in screenshots and photos. This is a
| very real possibility: outsourcing the processing to your
| device.
| nonameiguess wrote:
| The camera itself does software processing and you can't
| encrypt the light. It detects faces even before you click
| the shutter for capture. There is no way to keep the
| device itself from ever knowing what it was looking at.
| Something _that_ sensitive is something you don't
| photograph.
| mejutoco wrote:
| we agree I believe. I am saying that technically the
| device gets that information on-device, and could send
| it. Idk if that is the case, but it is possible.
|
| Edit: The OCR and face recognition on the iPhone is
| definitely more advanced than usual, thanks to the custom
| hardware on device.
| [deleted]
| thrashh wrote:
| Very few people I know who choose Spotify vs Apple Music or
| iCloud vs Google Photos know anything about hi-res music or E2E
| encryption
|
| Outside tech people I know at least
| yreg wrote:
| Hi-res music isn't important, but E2EE is.
|
| It's fine that very few people care; Apple is very good at
| attracting customers without it anyway, so it's not the
| classical situation where we, tech people, should feel sorry
| that non-tech people "just don't get it" and don't use Apple
| services.
|
| And lastly, if indeed no customers care, then that speaks for
| even bigger respect toward the individuals working at Apple
| who pushed for this and made it happen. (But I think Apple
| believes this will be a good business decision, not
| altruism.)
| alfalfasprout wrote:
| > they just ate every other 3rd party "secure" backup services
| lunch just like they did to the Hi-Res music industry.
|
| Cross platform support is always a problem though. And frankly
| I don't buy the "like they did to the hi-res music industry"--
| Spotify is still king here.
| dancemethis wrote:
| ...You believe them? After PRISM and all the things revealed in
| the last decade and a half?
|
| They DO want people's data, and they DO hoard it. If they
| didn't, they would share the source code with the community.
| kaba0 wrote:
| That's a non sequitur. Also, there is no reliable way to
| check whether a given source code is the actually deployed
| version, neither on servers, nor local devices.
| namdnay wrote:
| > They're giving you 2TB+ of space
|
| No they don't. They sell it to you.
| sneed-oil wrote:
| > seriously, anyone at this point advocating for any other
| phone/os/service out there besides apple is really going out of
| their way to swim up river.
|
| Their software is not open source. Before this announcement you
| had to trust Apple not to look into the files you store in the
| cloud, now you have to trust that they're actually going to
| encrypt your files and not save the decryption key. Ultimately
| you still have to trust Apple. A combination of any open source
| OS, any cloud provider and Cryptomator or Veracrypt wouldn't
| require as much trust in one company.
| beeboop wrote:
| I think this is less of an issue than you might think - if
| they're going to decrypt for law enforcement then it will
| become painfully obvious there's a backdoor literally the
| first time evidence is brought to a court that _shouldn't_
| have been available without a decryption.
| cromka wrote:
| Not to mention employee whistleblowing.
| StillBored wrote:
| But that could be a very long time if they just apply some
| form of parallel construction to most cases. They aren't
| going to burn such information on the first low level
| criminal/CP target they find. Instead they will wait 5
| years and then sweep up a bunch of people involved in some
| criminal "ring".
|
| And the problem with all these services that provide some
| kind of E2EE encryption and still have a way to push
| application updates (or run something in your browser), is
| that they just slip a version on your machine that sends
| the password to the feds/whoever when you type it in.
| kaba0 wrote:
| Arguably, the chance of fckup might increase, as now you get
| the problem of integration which will quickly increase the
| surface area to n*m.
| ir77 wrote:
| my comment was not against someone 100% paranoid using
| GrapheneOS and doing their own backups somewhere and trying to
| figure out how to get a good google maps alternative in open
| source.
|
| my comment was that against mainstream companies apple leads
| the way, and it's overall great for a consumer.
|
| do you personally inspect every piece of open source software?
| do you run your own email servers, music servers, photo
| backups, etc.? If not, you somehow trust those companies --
| why?
| rollcat wrote:
| Acceptable security afforded today - through usability - is
| better than superior security, that could've theoretically
| been gained, but wasn't, because it was too difficult to set
| things up.
|
| In particular, reviewing open source code has been repeatedly
| proven to be a way harder task than the proponents of
| this strategy are painting it to be. If you want an auditable
| codebase, you pretty much have to throw Linux,
| Chromium/Firefox, Gnome/KDE all out the window - there's just
| way too much code.
|
| Auditable code is naturally always preferable to non-
| auditable, but you need to choose your trade-offs - or at
| least stop pretending you can read a hundred million lines in
| your life time.
|
| On top of that - do you know a single non-tech person who
| knows how to set up a VPS, or knows what Veracrypt is? OTOH I
| can just show my wife: click here to enable backups.
|
| Let me reframe the problem: What is your threat model? How
| much effort are you willing to commit to mitigate the
| dangers?
| counttheforks wrote:
| > 1) they just ate every other 3rd party "secure" backup
| services lunch just like they did to the Hi-Res music industry.
|
| This is an excellent point as to why you shouldn't even bother
| trying to develop software for apple machines. If it's anywhere
| near successful apple will just destroy you, after having taken
| a 30% cut from your revenue for years.
| juve1996 wrote:
| Apple will destroy you regardless, they're a megacorp. If the
| software is good but only on windows they'll just make their
| own.
| kaba0 wrote:
| While I am the very first one to fight for allowing side
| loading on apple devices, didn't the Netherlands' dating services
| decide in the end to go with Apple's payment processing even
| with that cut?
| pixl97 wrote:
| Embrace, extend, extinguish. Hmm, who is Apple trying to
| become?
| kergonath wrote:
| Sherlocking is a very old issue. It has nothing to do with
| what Apple is trying to become _now_.
| behnamoh wrote:
| I get this sentiment, but where do we draw the line?
| Shouldn't OS makers (Apple, Microsoft) add additional apps
| just because third party developers have done it already?
| enjo wrote:
| That's exactly the antitrust issue Microsoft ran into
| isn't it?
| bink wrote:
| Microsoft had something around 95% of the desktop market
| share in the 90s. Apple is not anywhere close that. I
| would agree it's similar in behavior but not intent.
| Microsoft was terrified of the Internet and applications
| that could "run anywhere" so they tried to control how
| people accessed the Internet. Apple is arguably adding
| these features because it's what their users want.
| spogbiper wrote:
| > Microsoft was terrified of the Internet and
| applications that could "run anywhere" so they tried to
| control how people accessed the Internet
|
| I see reflections of this throughout the history of the
| iPhone. Apple has always controlled how people access
| both the internet and even what applications they can
| install. Every "browser" on iOS is just Safari with a
| skin for example, because Apple will not allow any other
| browser engine.
| smoldesu wrote:
| > Apple is arguably adding these features because it's
| what their users want.
|
| Apple would certainly argue that, yes. Foremost though,
| they're adding it because it's what _Apple_ wants, and
| conveniently converges with the desire of the user.
| pixl97 wrote:
| I would state it as this:
|
| "If you buy a phone or general purpose computing device,
| you have the legal right to choose your app store and the
| applications installed on it separate from manufacturer
| demands".
|
| The particular problem with Apple is that they not only
| duplicate your app, they can underprice it by 30% because they
| don't pay their own store tax, and they can kick you
| out of the only app store for whatever reason they choose
| to make up that day.
| vel0city wrote:
| I remember back in the early days of the iPhone, new
| feature releases would coincide with lots of apps being
| removed from the app store with the reason "this app
| duplicates core functionality of iOS."
| abbusfoflouotne wrote:
| I like this view, though many people aren't just
| purchasing the phone from Apple, they are purchasing the
| OS and integration into the Apple ecosystem. Definitely
| think the user should have the option to pick the app
| store though
| arghnoname wrote:
| Apple doesn't seem to be in the business of selling
| software very much. Instead it's mostly used to increase
| the value of the hardware. The stuff I've seen them
| incorporate that at one time were apps weren't 30%
| cheaper when bought from Apple, they were free (i.e.,
| they came with the device).
|
| If they think some third party feature should be part of
| the core experience, they're going to incorporate it.
| This is true when building on anyone's platform (e.g.,
| Microsoft, Facebook). Non-core experiences, like domain
| specific software, are less likely to suffer this fate.
| It's similar to when MS decided to ship a browser. God
| help you when the platform you're on decides they want to
| subsume your features.
| makeitdouble wrote:
| > Apple doesn't seem to be in the business of selling
| software
|
| As sheer hardware revenue growth slowed, they moved their
| focus to services [0]. That's also what we're seeing on
| their push into more ads for instance, and this new
| feature goes the same direction: to benefit these
| encrypted backups you'll need to sign up for storage. For
| most people wanting to cover more than one device,
| they'll probably end up with the 2TB plan which is at 10
| bucks a month, the bare minimum 50GB being at $1 a month.
|
| [0] https://www.insiderintelligence.com/content/how-
| services-bec...
| smoldesu wrote:
| > Apple doesn't seem to be in the business of selling
| software very much.
|
| This is veritably false, they made $80 billion selling
| software this year. You might not see the App Store as
| software revenue, but Apple certainly does.
| behnamoh wrote:
| Spotify is pretty successful and yet, Apple went in direct
| competition with them, using APIs that only Apple gets to use
| in their Music app (like integration with Siri).
| j16sdiz wrote:
| You can change the default music app for Siri since iOS 14
|
| https://www.macrumors.com/how-to/set-preferred-music-
| streami...
| hnav wrote:
| In the car today I asked Siri to play me a particular
| song (I have had Spotify defaulted for a while), it
| helpfully signed me up for a 7 day preview of Apple Music
| Voice and started playing it there! Where's the FTC? Is
| Apple too big to fail?
| kaba0 wrote:
| "Play X song on Spotify" also works.
| vanilla_nut wrote:
| And yet I still can't change the default music app that
| opens on macOS when I hit the media keys!
| [deleted]
| DrBenCarson wrote:
| You can easily map your own macros....
| smoldesu wrote:
| Or use Linux, the highly advanced MPRIS protocol is
| capable of tracking _multiple media applications_ and
| presenting their playback controls. It 's like space-age
| tech!
| threeseed wrote:
| iTunes Store predates Spotify by 3 years and the idea of a
| subscription model was hardly unique to them.
|
| Also Spotify has access to all of the APIs it needs. It
| just refuses to use them.
| marcodena wrote:
| https://www.timetoplayfair.com/
| ir77 wrote:
| ok, i may buy your argument from the perspective of a brand new
| cloud storage provider that's trying to come online and break
| into the market, but you're telling me that Dropbox,
| OneDrive, Box, etc., are all indie developers living in
| their parents' basements? These companies made a conscious
| choice not to offer encryption and now got the rug pulled out
| from under them. Steve Jobs famously said that this "storage"
| is just a feature, not a product, and now they've proved it.
|
| additionally, as far as i can see, those apps are all free to
| download and you can buy their plans outside of the apple
| ecosystem and thus they get a free ride in the App Store
| without giving away any cut to apple.
| fleddr wrote:
| Similar model that Amazon uses.
|
| You pretty much have to be on their store to sell something,
| which means you give them access to your sales and customers.
| Which is a concept that is absolutely wild in any normal
| healthy competitive landscape.
|
| Then they'll monitor and if you manage to actually be
| successful, 3 months later there's an Amazon Basics version
| of your product.
|
| It's so incredible to me how these practices get no push-
| back. There used to be a time where in the case of Windows,
| people were wondering if it's fair that they ship it with a
| calculator program. Now you can just use your massive
| platform and extend in every possible direction, seize
| secondary markets, nobody seems to care.
| yunwal wrote:
| > anyone at this point advocating for any other
| phone/os/service out there besides apple is really going out of
| their way to swim up river
|
| Ok, come on. What apple's done here is great, and I personally
| use an iPhone, but you couldn't think of a good reason to use
| anything else? An open-source OS?
| smoldesu wrote:
| Any phone that doesn't trust the user to install software
| shouldn't be called "consumer centric".
| kaba0 wrote:
| The GNU/linux distros (in contrast to android) available for
| mobile phones are so far from usable, it is not funny.
| Android is a viable choice, but only if it doesn't come with
| all the shit from the vendor/Google, which gives you
| effectively.. a pixel phone with GrapheneOS? Not too much of
| a choice, especially if you would like to filter based on
| hardware as well (where apple is just laughably ahead,
| iphones are ~2 generations ahead in raw performance)
| thih9 wrote:
| > They don't want your data. They're not Google/FB/Amazon.
| (...)
|
| Note that they still want some data, especially given the
| recent increase in advertising activity.
| gtvwill wrote:
| >>>seriously, anyone at this point advocating for any other
| phone/os/service out there besides apple is really going out of
| their way to swim up river.
|
| Lol I would never advocate for any company I engage with to use
| Apple products. Why? Because they suck. iPhoto and iCloud are
| pieces of trash. Most basic thing like, delete local but keep
| cloud copy seems to be missing. Can't keep an iPhone synced and
| do this with iCloud. Lulz worthy sitcho.
|
| Also can't even copy files off device easily. Can't put custom
| apps on devices easily. The company actively kicks back against
| things like, freedom of information, following standards,
| reducing e-waste.
|
| You know some of us make decisions around the companies we
| support on greater levels than just feature a or b is present
| in device. Apple are a predatory company that in no way promote
| a software or hardware ecosystem that is ethical imho and they
| don't promote one I want to participate in.
|
| I wouldn't touch their shit with a barge pole and on top of this,
| due to being IT, every time I'm forced to I'm mostly confused by
| wtf folks think is so great. I legit find the kids' toy UX
| difficult to work with, borderline impossible.
|
| I also like blowing clients away with simple tasks
| like....copying photos to a USB...browsing files on my phone on
| a PC. You know the basic stuff like they used to do when they
| were younger but Apple cucked it along the way for zero reason
| lol.
| jdiez17 wrote:
| > Also can't even copy files off device easily.
|
| See https://news.ycombinator.com/item?id=33898890.
|
| > Can't put custom apps on devices easily.
|
| You will, from May, thanks to the EU Digital Markets act.
|
| > [...] simple tasks like....copying photos to a
| usb...browsing files on my phone on a pc.
|
| You can do this with ifuse:
| https://github.com/libimobiledevice/ifuse
| rOOb85 wrote:
| > You will, from May, thanks to the EU Digital Markets act.
|
| Is this fact? Last I read about this the law was passed,
| but it's still unclear if apple will actually allow this.
|
| I absolutely would love if I could use the latest version
| of iOS and install apps that are not in the app store. I'm
| currently using trollstore to do this but that means using
| older versions of iOS that are vulnerable to exploits.
| jdiez17 wrote:
| So far Apple doesn't seem to be interested in breaking
| the law.
| gtvwill wrote:
| May isn't today.
|
| Downloading some random GitHub app to access a phone's
| storage sure as shit won't be happening on any managed
| corporate devices I deploy. Or unmanaged devices tbh.
| That's the kinda shit I leave for quarantined VMs.
|
| Data is still not easily accessible once it's on an iPhone.
| jdiez17 wrote:
| Okay... then use iTunes on Windows or Mac? (Not sure how
| those work, never used them, but I assume they provide
| the same functionality as imobiledevice)
| gtvwill wrote:
| Nah I thought that was the case too. Turns out it is not.
| Had a client's employee ask me for help w/ her iPhone about
| 2 weeks back. 32GB phone, no storage space left on device
| so it legit just stopped working, wouldn't receive texts
| or anything cus it was full. So client's like, help me get
| photos off phone onto a USB or set photos to store in
| iCloud only and I'll delete the phone copies (well this is
| what I thought was an option because I can do it w/ just
| about every other backup software I use). Turns out big
| fat nup to either option. Only way she could delete
| phone photos but keep cloud ones was to disable sync
| entirely (lol wtf is the point of linked cloud if sync is
| so shithouse?). Plug phone into iTunes, all you get re.
| access to device is no ability to view pics as files to
| extract, you can't even control apps on the device (good
| luck finding out what Apple referred to as other Apple
| software that used up >30% of the phone's internal space, it
| just gets all lumped in under one grey color of storage
| being used).
|
| Got forced to use an iPhone 11 or some shit a few years
| back as a company issued device. Man it was alright at
| making phone calls, complete POS for doing any actual
| work on. Basically found it to be an overpriced
| paperweight that could take ok photos but was impossible
| to retrieve photos from. No I don't want an iCloud account
| or any of that bs, I just want to plug in to a PC and pull
| files like I've been doing for 25+ years on every other
| platform I've ever used.
| jdiez17 wrote:
| https://support.microsoft.com/en-us/windows/import-
| photos-an... ?
|
| Also, https://support.apple.com/en-us/HT201301 ?
| jjtheblunt wrote:
| > anyone at this point advocating for any other
| phone/os/service out there besides apple is really going out of
| their way to swim up river.
|
| in financial circles, an immediate thought would also be "is
| such a person short AAPL?".
| bobsmith432 wrote:
| iamjake648 wrote:
| Except for the 88 million who do?
| selectodude wrote:
| That's "quite literally" not true as I use Apple Music. So
| there you go.
| macshome wrote:
| If around 80 million subscribers is nobody, then you are
| correct.
| Iv wrote:
| Give me open source dev tools for the iPhone and I'll jump.
|
| While it is a closed garden, I'll begrudgingly accept it can be
| marginally better in some fields than other options, but Apple
| tries very hard to be a proprietary island in a world that has
| switched to free software.
| HL33tibCe7 wrote:
| That really isn't true when it comes to phones, though.
| youniverse wrote:
| What about something like proton mail? They also have encrypted
| drive I believe but I'm not sure.
| hilyen wrote:
| If they're still hashing files, it's not end to end.
|
| An anecdote, an activist had a document in their Google Drive. It
| was not something people high up wanted being distributed. It was
| deleted not just from their account, but platform wide. Guess how
| they did that? Its hash.
| brundolf wrote:
| Activists could always salt their own files by adding some junk
| content to the end (or cropping images by one pixel, cropping
| video clips by a fraction of a second, etc)
| sneak wrote:
| It also allows them to track the contact/social graph of all
| users based on clusters of who has the same unique file hashes.
|
| Then again, they already have everyone's address books and
| iMessage traffic, so I guess they already have that data for
| most of the industrialized world. I wonder who else will
| preserve copies?
| smoldesu wrote:
| 100% - this was my largest concern when they announced
| perceptual hashing, and it seems to be the big takeaway here.
| Of course, this is a concern with most online hosting
| services, but at Apple's scale it's pretty scary to consider
| the possibilities.
| BudaDude wrote:
| You are correct, but how could Apple solve this issue without
| hashing? Syncing files alone without E2E is tricky. I can't
| imagine a way to sync files between devices without having some
| sort of hash or id.
| n3t wrote:
| You encrypt a file first, then you calculate the hash of the
| encrypted file.
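The thread above turns on one question: what can the server learn from the identifier it stores for a file? This is an added example, not code from the HN thread or from Apple, that compares the three options discussed: hilyen's plaintext hash (matchable across every account holding the file), n3t's encrypt-then-hash, and a keyed hash that answers BudaDude's sync question by letting one user's devices recognise an already-uploaded file without giving the server a cross-user match. The function names (plaintext_id, ciphertext_id, sync_id, linkability_report) are my own; the cipher is a stand-in built from HMAC-SHA256 so the file runs with only the standard library, and the sample document is constructed.

```python
"""
Added example, not code from the HN thread or from Apple: what a server can
learn from the file identifier it stores, for three ways of building it.

  plaintext_id   SHA-256 of the file. Equal for every user holding the same
                 file, so the server can match uploads across accounts.
  ciphertext_id  encrypt first, hash the ciphertext. With a per-user key and
                 a fresh nonce it differs on every upload, even by one user.
  sync_id        HMAC(user_key, file). Deterministic for one user, so their
                 own devices can tell "already uploaded", but the server
                 cannot match it across users because it lacks the key.

The cipher is a counter-mode keystream derived from HMAC-SHA256 (a PRF, so
the construction is sound) standing in for a real AEAD such as AES-GCM; it
carries no integrity tag, which a real backup format must add.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16


def plaintext_id(data: bytes) -> str:
    """Identifier the server sees when clients hash files before upload."""
    return hashlib.sha256(data).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: concatenated HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes, nonce: bytes = None) -> bytes:
    """Return nonce || (data XOR keystream); fresh random nonce per upload."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def ciphertext_id(user_key: bytes, data: bytes) -> str:
    """Encrypt-then-hash: the server sees only this and the ciphertext."""
    return hashlib.sha256(encrypt(user_key, data)).hexdigest()


def sync_id(user_key: bytes, data: bytes) -> str:
    """Keyed hash for dedup/sync between one user's own devices."""
    return hmac.new(user_key, data, hashlib.sha256).hexdigest()


def linkability_report(doc: bytes, alice_key: bytes, bob_key: bytes) -> dict:
    """Which identifiers let the server tell Alice and Bob hold the same doc?"""
    return {
        "plaintext_id_links_users": plaintext_id(doc) == plaintext_id(doc),
        "ciphertext_id_links_users": ciphertext_id(alice_key, doc)
                                     == ciphertext_id(bob_key, doc),
        "ciphertext_id_links_reuploads": ciphertext_id(alice_key, doc)
                                         == ciphertext_id(alice_key, doc),
        "sync_id_links_users": sync_id(alice_key, doc) == sync_id(bob_key, doc),
        "sync_id_stable_for_one_user": sync_id(alice_key, doc)
                                       == sync_id(alice_key, doc),
        # brundolf's trick: a one-byte change defeats a cryptographic hash
        "tweaked_copy_matches_plaintext_id": plaintext_id(doc + b"\n")
                                              == plaintext_id(doc),
    }


if __name__ == "__main__":
    # Constructed sample input; the keys would live on the users' devices.
    leaked_memo = b"internal memo: do not distribute\n" * 40
    alice, bob = os.urandom(32), os.urandom(32)
    for name, linked in linkability_report(leaked_memo, alice, bob).items():
        print(f"{name:36s} {linked}")
    assert decrypt(alice, encrypt(alice, leaked_memo)) == leaked_memo
```

Two caveats a practitioner would add. The sync_id route still leaks equality of files within one account and the ciphertext length of every file, so it is not metadata-free, only unlinkable across users. And the one-byte tweak only defeats a cryptographic hash: a system that matches images with a perceptual hash is built to survive a crop or re-encode, so for that class of scanning the only option that removes the server's ability to match is the one where the server never sees anything derived from the plaintext.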
| AtNightWeCode wrote:
| Great! This is not the common attack vector for data in iCloud
| though.
| Sirened wrote:
| What is the common vector? Who is the common adversary even? I
| suspect governments compromise more accounts with warrants than
| hackers ever do with stolen creds
| dopu wrote:
| It is becoming increasingly difficult to not just recommend an
| iPhone to the average person with privacy/security concerns.
| Sure, you can tell them to go the GrapheneOS route, but I don't
| think you can trust the average user not to just go and install
| Google Maps/Google Photos/etc as soon as the alternative FOSS
| option inconveniences them. I've certainly struggled with this.
| Then they're arguably worse off than if they'd just stuck with
| the Apple equivalents.
| RjQoLCOSwiIKfpm wrote:
| Their software is NOT open source (well, some parts are, but
| AFAIK it's a minority).
|
| Thus the privacy claims are just advertisement, there is no way
| to verify them.
|
| Apple devices might as well be fully backdoored.
| madeofpalk wrote:
| Apart from some very niche options, so is everything else.
|
| This is about trust. If you don't trust the manufacturer of
| your hardware (or developers of software), that puts you down
| a very specific path of what you can happily purchase.
| therealmarv wrote:
| The marketing is strong with Apple.
| hackmiester wrote:
| Also the products, though.
| DrBenCarson wrote:
| If by marketing you mean product development and putting
| their money where their mouth is, yeah, it's pretty strong.
|
| There isn't another mainstream product that offers that.
| therealmarv wrote:
| People seem to forget fast (this is only 2 weeks ago)
| https://gizmodo.com/apple-iphone-privacy-dsid-analytics-
| pers...
| HL33tibCe7 wrote:
| I'm a FOSS person and run Linux as a daily driver. But I
| recommend every single person who asks to just buy an iPhone or
| a Mac (if they can afford it). The user experience alone is so
| superior to the other options. Security and privacy too, these
| days.
| pixl97 wrote:
| Apple produces a very nice set of golden handcuffs. Polished
| shiny look, comfortable fur lining. Customers are really going
| to scream bloody murder when Apple latches them down tight.
|
| The problem here is we are wholly dependent on Apple's goodwill.
| It is not required in any way (hence Google's behavior). At any
| moment Apple can revoke said goodwill and exploit us to their
| heart's content and we will have no fallback whatsoever
| because we decided to let the market codify our freedoms rather
| than preventing companies from being ruthless.
| Terretta wrote:
| Let's assume they do _eventually_ flip their brand on its
| head and turn on the users.
|
| While waiting for them to latch you down tight, you could
| have already been enjoying the most consumer-centric and
| privacy-conscious _mainstream_ mobile OS since 2007.
| three_seagrass wrote:
| >Let's assume they do eventually flip their brand on its
| head and turn on the users.
|
| Chinese customers don't need to wait. Apple flipped
| sometime in 2017 and gave up all user emails, photos,
| messages, etc. to the CCP to stay in the market.
|
| People complain about TikTok spying for China, but Apple is
| one of the biggest CCP spies around. That runs counter to
| the brand headspace they keep investing in though.
| Omniusaspirer wrote:
| I'll never understand people who expect Apple to try and
| fight the CCP and inevitably get themselves barred from
| the Chinese market. It's not principled, it's just dumb
| and will completely screw over all of their current
| customers in the country who will now have useless
| devices. Apple is not a nation-state and has no judiciary
| or military power, and if they're to have any hope of
| making positive change in the country they need to play
| ball to some extent and become a large player who can
| actually exert some influence.
| three_seagrass wrote:
| >I'll never understand people who expect Apple to try and
| fight the CCP and inevitably get themselves barred from
| the Chinese market.
|
| People have this expectation because other companies have
| done this.
|
| For example, Google employees revolted when dragonfly was
| leaked, and got the CCP search-spying project killed.
| It's weird to think that Google cared more about user
| privacy than profits than Apple does, but that's how
| weird the branding works here.
| pixl97 wrote:
| "I am in a benevolent dictatorship, nothing ever could go
| wrong"
|
| Just because Apple is playing nice at the moment, there is
| no reason not to force them, and all the other players to
| have a legal requirement of playing nice. I mean, the hog
| that is fattened for slaughter thinks its life is great,
| right up until its not.
| judge2020 wrote:
| Except Apple does not have a police force that will
| detain you if you try to leave after they institute less-
| desirable products, and I'm sure they'd lose a lot of
| money and value if they literally disabled data exports.
| Spivak wrote:
| "I'm not worried if the benevolent dictator turns on me
| because on that day I'll just stop using an iPhone."
| stouset wrote:
| I've been using an increasing number of Apple products
| since 2006 or so, after having used Linux for a decade
| and Windows from 3.1 through 2000.
|
| If it's a benevolent dictatorship, it's undeniably been a
| good one to me over nearly half my life. If they ever do
| turn, I can always just leave. But what is and/or was my
| alternative? The less-benevolent dictatorships of Google
| or Microsoft? Spending inordinate amounts of time and
| effort making a hodgepodge of various Linux devices work
| together (often unsuccessfully)? I'll pass.
| phpisthebest wrote:
| >>most consumer-centric
|
| The fact you believe this is true today is most telling. I
| do not find them to be "consumer-centric"; they have very
| draconian policies, and if your use of the device fits in
| their narrow band of use cases then it is fine; if it does
| not, you are SOL.
| judge2020 wrote:
| Given they accommodate over 50% of United States
| residents[0], I'm not sure the band is as narrow as you
| say it is. Of course, for those it doesn't accommodate,
| there is a different product that hopefully better fits
| their use cases.
|
| 0: https://9to5mac.com/2022/09/02/iphone-us-market-share/
| snowwrestler wrote:
| If I don't like what Apple does with iMessage, I can move to
| WhatsApp. If I don't like what Apple does with photos, I can
| move to Google Photos. If I don't like what Apple does with
| iCloud, I can move to Dropbox. If I don't like what Apple
| does with iOS, I can move to Android.
|
| What am I missing? How am I handcuffed to Apple?
| smoldesu wrote:
| And if you don't like Safari? Gotta sell the whole phone,
| sorry bud.
| madeofpalk wrote:
| Why would someone not like Safari?
|
| There is a Chrome app on iOS. I don't think many people
| pick their browser based on rendering engine, but rather
| on actual browser UI and features (like sync).
| smoldesu wrote:
| Guess it's a shame I'm one of those people then, all
| infatuated with silly things like 'options' and 'choice'.
| WorldMaker wrote:
| I use Firefox just fine on iOS. Sure, it's just user
| chrome and Firefox Sync, but those are the things I care
| a lot more about than the rendering engine.
|
| I'd love to support Gecko on mobile too, as I've moved
| the vast majority of my desktop usage to it, but Webkit
| is still fighting the Blink/Chromium hegemony, too, and
| that's still fighting the good fight.
| smoldesu wrote:
| > and that's still fighting the good fight
|
| Not if they treat user freedom as their enemy.
| snowwrestler wrote:
| Yes, exactly, I can switch phones. Doesn't seem like
| handcuffs to me.
| [deleted]
| pixl97 wrote:
| You seem to miss that you're switching the golden
| handcuffs for rusty uncomfortable handcuffs with the
| spikes facing inward.
|
| "It's a free market because I have the choice between two
| brutal masters!"
| vbezhenar wrote:
| What will you do when Apple deletes WhatsApp from the
| App Store?
| snowwrestler wrote:
| > If I don't like what Apple does with iOS, I can move to
| Android.
| DrBenCarson wrote:
| How is the possibility that Apple may flip down the line
| relevant? By that logic, no one should ever use any product
| ever.
|
| I've enjoyed 15 years of a wonderful and privacy-first device
| ecosystem. They're evidently making it even better. And you
| want me to be upset?
| llanowarelves wrote:
| It's because the "lanes" that non-tech juggernauts break
| out of are typically pretty restricted, much in advance
| (aside from "Emergency Use Authorization" etc). Maybe it
| was "paranoia" (thinking of conditional incentives ahead of
| time), or people had to suffer enough before these to come
| into existence.
|
| What's the equivalent of the FDA but for consumer privacy?
| [deleted]
| advael wrote:
| Maybe this is just a matter of the buzzword not precisely
| conveying the technical implementation, but I don't want "end-to-
| end" encrypted backups, I want backups that are stored encrypted
| on the server and that only I can decrypt.
| reilly3000 wrote:
| Yep that is the plan. There is a good table in the article that
| shows the implementation for each service and rationale for it.
| Most of the iCloud services are now able to enable an optional
| feature where the user's devices are the only ones that have
| keys.
| joshstrange wrote:
| The number of people in the comments complaining or finding new
| places to move the goalposts to is astounding.
|
| > what good is that encryption, if Apple obviously can do almost
| anything with your device?
|
| > They can still simply push a software update that sends the
| victim's keys to the mothership and/or simply decrypts everything
|
| > This all just seems like pandering while they continue to
| accept billions from Google in exchange for their user's privacy.
|
| > Couldn't they simply use an encryption algorithm that has two
| private keys and they control one?
|
| Apple could say they are going to cease operations tomorrow,
| close down the company, and people would comment "Yeah but they
| could always create a new company". I guess for those people
| nothing is ever enough.
|
| This is a huge step forward (specifically iCloud E2EE) that I'm
| super excited about and people are busy coming up with threat
| models that 99% of us have zero use for and pretending as if this
| doesn't matter. It's disappointing.
| josephcsible wrote:
| The issue is that it's not just that Apple "could" add client-
| side scanning or something tomorrow. It's that they've already
| tried to do so once.
| Blue111 wrote:
| > The number of people in the comments complaining or finding
| new places to move the goalposts to is astounding.
|
| But why does Apple want to be the only administrator on your
| device?
|
| Note: "Apple Kills Its Plan To Scan Your Photos for CSAM"
| karaterobot wrote:
| Shouldn't people demand more and more privacy protections? It's
| not like these changes solve the problem. Since Apple is
| managing so much data, they must keep it secure and give users
| the ability to maintain privacy and confidentiality, even with
| respect to Apple itself. I think the goal post has stayed
| pretty constant, Apple just keeps moving in a zig-zag pattern
| that occasionally involves backward steps.
| brookst wrote:
| > Shouldn't people demand more and more privacy protections?
|
| Yes!
|
| > It's not like these changes solve the problem.
|
| Perhaps because it is impossible to 100% solve the problem?
|
| A lot of people, me included, are just tired of the endless
| litany of "50% secure is not secure! 75% secure is not
| secure! 90% secure is not secure! 99% secure is not secure!
| 99.9% secure is not secure! 99.999% secure is not secure!"
|
| There is no 100%. Hearing the same level of outrage over a
| 0.001% gap that we heard over a 50% gap is just fatiguing.
|
| Especially in this audience, everyone knows there is no such
| thing as verifiable perfect security. Asymptotic progress
| towards that is interesting; decrying the latest improvement
| as no better than no security at all just feels... IDK, lazy.
| bdominy wrote:
| In my experience having released an E2EE contact info sharing
| app, most people don't think about privacy protection and
| they won't tolerate much inconvenience to add them. So the
| more a large company supports efforts to mainstream E2EE, the
| better it is for everyone.
| AshamedCaptain wrote:
| > new places to move the goalposts
|
| "moving the goalposts"?
|
| Since when has closed source unverifiable crypto been a good
| idea? Since when has it been a good idea to trust a provider
| that fully controls the encryption algorithm to also be the
| only possible store for your supposedly encrypted data?
|
| This is no better than Facebook claiming that Whatsapp is now
| "E2EE" encrypted. It's a useless PR tactic. If you mistrust
| Facebook, why would you suddenly trust their unverifiable claim
| that the data is now E2EE? You could have an argument if at
| least 3rd party clients were allowed, so that you could detect
| when they silently change the protocol. But not even that.
|
| There's absolutely no _technical_ thing they could do to gain
| any trust. The goalpost has never been there.
| brookst wrote:
| > why would you suddenly trust their unverifiable claim that
| the data is now E2EE
|
| > It's a useless PR tactic.
|
| Maybe because a single whistleblower would bring down the
| mother of all class action lawsuits?
|
| Hardcore anti-corporate types like to imagine that these
| companies are evil geniuses, where all 100,000 employees are
| operating in perfect alignment, with no mistakes or
| disagreements, and all secrets are kept perfectly.
|
| It just doesn't work like that. Threat model it for a second:
| how many more phones is Apple going to sell with this? Maybe
| a 1% increase, to wildly overestimate it? And what would be
| the financial harm from a single engineer popping on HN and
| saying "it's all BS, phones send the keys to the cloud, I
| worked on the system to store them."?
|
| > There's absolutely no _technical_ thing they could do to
| gain any trust.
|
| Well, that's true. But there's also no non-technical thing
| they could do. It is literally impossible to prove perfect
| technical compliance on an ongoing basis using any
| combination of technical and non-technical means.
|
| That goes for open source too. Evil compilers, etc, can turn
| perfectly solid source into malicious binaries. The
| compiler's source can even be perfectly secure.
|
| At some point you have to think about probabilities and
| motivations, and move away from this "anything not 100%
| perfect, which BTW is not possible, is 100% useless" world
| view.
| AshamedCaptain wrote:
| > Maybe because a single whistleblower would bring down the
| mother of all class action lawsuits?
|
| Sure, like that is going to happen. I mean, "Facebook can
| read your supposedly-encrypted Whatsapp messages" will
| raise how many eyebrows exactly?
|
| > But there's also no non-technical thing they could do
|
| No, that's untrue. For starters, release the source. Allow
| me to run my own backup software on their servers. Allow me
| to transparently run my own encryption before I upload
| stuff to their servers. And a very long etc.
|
| > anything not 100% perfect, which BTW is not possible, is
| 100% useless
|
| This is 100% useless not because it is not 100% perfect (it
| very well could be), but because it is 100% useless by
| conception. What threat model does this protect against
| exactly? The scenario where Apple servers get compromised?
| I'm quite sure this risk does not even enter the mind of
| the target audience here, and if it did, the hacker could
| very well push the silent update anyway. The scenario where
| Apple itself has access to the data? This does absolutely
| nothing to prevent it. The scenario where someone can
| social engineer an Apple employee to give your iCloud key
| to someone else? It was already not possible.
| sianemo wrote:
| Do you honestly believe that a malicious actor who can
| access data storage can also necessarily access a silent
| mechanism to affect the security internals of a given
| iPhone? And also the theoretical hacker wouldn't be able
| to just push said theoretical silent update to your
| device to just exfil the data anyway?
|
| Really having a hard time understanding the detailed
| security implications of your scenario beyond this vague
| notion you're presenting that a theoretical hacker can
| use theoretical tools to silently pwn any Apple device
| connected to the internet at any time.
| AshamedCaptain wrote:
| > that a malicious actor who can access data storage can
| also necessarily access a silent mechanism to affect the
| security internals of a given iPhone?
|
| A malicious actor who can access _already encrypted_ data
| storage where you cannot even associate files with a
| given account ID _without_ having already put a backdoor
| in the corresponding code may be able to actually put
| such backdoor in the software that is distributed to
| iPhones? Yes, I believe that.
| brookst wrote:
| > What threat model does this protect against exactly?
|
| Two big threats: 1) insider attacks like the Saudi
| Twitter infiltration[0], and 2) Overreach by legitimate
| government process like subpoena[1].
|
| > release the source
|
| Useless. How do you know it's the exact source running
| on-device?
|
| > Allow me to run my own backup software on their servers
|
| Useless. How do you know your own backup software isn't
| compromised via a secret deal with Apple?
|
| > Allow me to transparently run my own encryption before
| I upload stuff to their servers.
|
| Useless. How do you know the OS isn't grabbing the raw
| files? How do you know your own encryption isn't
| compromised? How do you know that Xcode isn't inserting
| backdoors in the encryption you compiled from source?
|
| > And a very long etc.
|
| All useless. Tell me your perfect solution and I promise
| I can show it's useless (by your standards).
|
| [0] https://en.wikipedia.org/wiki/Saudi_infiltration_of_T
| witter
|
| [1] https://ijunkie.com/your-icloud-data-phenomenal-law-
| enforcem...
| AshamedCaptain wrote:
| > Two big threats: 1) insider attacks like the Saudi
| Twitter infiltration[0], and 2) Overreach by legitimate
| government process like subpoena[1].
|
| This does not prevent any of these threats, it does not
| even necessarily make them more difficult whatsoever.
| "Insiders" will still have access to the source code
| doing the encryption and communications, and it is just
| not possible to protect against government overreach that
| can literally force you to do anything and keep quiet
| about it, even in otherwise relatively sane countries.
| Search for NSA letter.
|
| I actually don't expect any corporation to be above the
| government, fwiw, but this is off-topic.
|
| > Useless. How do you know it's the exact source running
| on-device?
|
| Because you built it yourself?
|
| > Useless. How do you know your own backup software isn't
| compromised via a secret deal with Apple?
|
| Because it's YOUR OWN backup software?
|
| > Useless. How do you know the OS isn't grabbing the raw
| files? How do you know your own encryption isn't
| compromised? How do you know that Xcode isn't inserting
| backdoors in the encryption you compiled from source?
|
| Because I have the source of the OS and I built it
| myself? Because I have literally used the same compiler I
| use for other platforms and not Facebook's? Because I can
| then actually monitor the actual communications between
| the device and the mothership? etc. etc.
|
| The point of this entire thing was to show that _there
| are_ non-technical policies they can adopt to actually
| increase the trust level (or at least have a discussion
| about it -- as you are), but there is very little technical
| stuff they can do to increase it, and that's because it
| would miss the entire point. It's not about "trusting
| trust perfection" or whatever you think you are trying to
| argue here. You are trying to protect stuff from Alice by
| trusting Alice without even being capable of verifying
| it. It just can't academically work. You need to either
| be able to verify it or at the very minimum separate both
| roles.
| brookst wrote:
| > This does not prevent any of these threats, it does not
| even necessarily make them more difficult whatsoever.
| "Insiders" will still have access to the source code
| doing the encryption, and it is just not possible to
| protect against government overreach that can literally
| force you to do anything and keep quiet about it, even in
| otherwise relatively sane countries. Search for NSA letter.
|
| There you go again :)
|
| You literally just said something that used to take a
| subpoena from any law enforcement now takes an NSA
| letter. And that an insider attack that used to mean
| retrieving a backup file now means inserting back doors
| in source code that go undetected.
|
| And somehow those aren't even _more difficult_?
|
| > Because I have literally used the same compiler I use
| for other platforms
|
| https://www.awelm.com/posts/evil-compiler/
|
| It is literally provable that Apple will never be able to
| satisfy you. For any mitigation they introduce, you can
| (rightfully) create a hole in that mitigation.
|
| What you're missing is that the same flaws and attacks
| appear in all of your "it would be better if" solutions.
| Once you're invoking NSA letters and malicious source
| code, all bets are off... _including_ for open source.
|
| > It just can't academically work.
|
| Yes, we agree on that. But it also doesn't work if you're
| protecting stuff from Alice by trusting Bob, who might be
| secretly an agent of Alice.
| AshamedCaptain wrote:
| > You literally just said something that used to take a
| subpoena from any law enforcement now takes an NSA letter
|
| I didn't say that. You said "overreaching government".
|
| > It is literally provable that Apple will never be able
| to satisfy you
|
| Nothing _technical_, that is, which has exactly been my
| point.
|
| > Once you're invoking NSA letters and malicious source
| code, all bets are off... including for open source.
|
| That's not true at all. There's an entire world of
| difference where "oh the software is just hidden from my
| eyes, communicating constantly and opaquely with the
| mothership, changeable at any moment by the same
| mothership, and all of it running in the same hardware
| also made by the same mothership" versus "I have these
| separate components that are only communicating through
| these channels in these clearly specified ways". The
| first only allows useless technobabble fake solutions,
| the second system actually allows discussion about trust
| and is usually the very minimum expectation of any
| cryptosystem.
|
| > But it also doesn't work if you're protecting stuff
| from Alice by trusting Bob, who might be secretly an
| agent of Alice.
|
| I don't see that as necessarily true either. But anyway,
| I can now choose between multiple providers for
| encryption, which _finally_ goes towards measurably
| increasing trust. Remember, despite the accusations, I
| have never claimed it had to be 100% trusting trust
| perfect, I am just claiming this one proposal is 100%
| useless. If you didn't trust Apple backups before and you
| would now, I'd question your judgement.
| judge2020 wrote:
| > Sure, like that is going to happen.
|
| Something like hacking into a journalist's phone would
| require a lot of cooperation between infrastructure,
| software, and security to actually perform a targeted
| attack.
|
| Despite Apple's harsh warnings about leaking secrets,
| people at Apple have already been spilling the beans
| about Apple's upcoming Ad platform for over a year, and
| that's just for something as morally grey as ads that
| they're going to spin as "privacy preserving" anyways.
| For something that actually goes against <everything>
| Apple has ever stood for, like targeting a journalist's
| phone to read their communications or extract data and
| secret keys from their advanced protection-protected
| iCloud Backups, at least one of the hundred involved
| would find a comfy bunker to live in with a phone line
| leading straight to News Corp or NYT.
| bdominy wrote:
| In an ideal world, E2EE would be in high demand and used
| anytime sensitive info is exchanged between parties, but the
| reality is that most people don't know about it or the
| protections it provides. If FB and Apple can educate people
| about E2EE, even as a PR tactic, it helps grow that
| awareness.
| jdiez17 wrote:
| Closed source applications like WhatsApp can be and in fact
| are reverse engineered by researchers who want to verify the
| end-to-end encryption claim. For example, see this BlackHat
| talk: https://i.blackhat.com/USA-19/Wednesday/us-19-Zaikin-
| Reverse...
| judge2020 wrote:
| The goalposts have been moved because the leading argument
| for the past few years has been "it's not actually encrypted
| because you or the person you're talking to could be using
| iCloud Backup". Now all you have to do is make sure you and
| the people you talk to have this simple option enabled in
| settings (with the only risk being that you lose all your
| data if you need Apple Support to give you access to your
| iCloud again after losing all backup codes and encryption
| keys).
|
| As for your actual argument, there are always tradeoffs when
| we implement "good" but not "perfect" encryption solutions.
| Here, your trust is indeed in Apple to not perform an evil
| maid attack, but for many of us, we trust that Apple doing
| this to a regular person (or journalist, or government
| official) would be absolutely devastating to their entire
| brand. Even if most people wouldn't care if Apple cooperated
| with the CIA to perform a coup in $x country via sending out
| targeted malware to the leader's phone, they still stand to
| lose hundreds of billions of, if not a trillion, dollars over
| the following decade in lost iOS product sales, due to them
| purposefully hacking their own product to steal user data.
| smoldesu wrote:
| > It's disappointing.
|
| What's disappointing is that Apple has zero accountability for
| any of these services. Nobody would be so critical of iCloud if
| it wasn't your _only_ sync option on iPhone, but they force
| everything to go through them. Apple says 'trust us ;)' and
| gives the user no way to confirm that they're not decrypting
| your data as soon as it hits their servers.
|
| The argument is the same as it's ever been. Apple took away too
| much of the user's control; if the iPhone were a more open
| platform, nobody would be squabbling over our only sync option.
|
| Edit: Background Sync has apparently been available as an API
| since iOS 13, but that doesn't change Apple's lack of
| accountability wrt security practices.
| ericmay wrote:
| > The argument is the same as it's ever been. Apple took away
| too much of the user's control; if the iPhone were a more
| open platform, nobody would be squabbling over our only sync
| option.
|
| It's just moving the goalposts. If Apple gave you more
| control then people would demand that the source code for the
| chips be open source, or that you could stand over the
| shoulder of the person assembling your iPhone and make sure
| they don't plug in a USB drive and install some malware. It's
| a never-ending battle. You're just going to have to start
| trusting Apple and other companies, or build your own device
| from raw materials you mine yourself.
| gigantaure wrote:
| > Apple took away too much of the user's control;
|
| Apple couldn't take away what it never gave in the first
| place. Anyone using an IOS device should have a basic
| understanding that Apple highly integrates their devices,
| OSes and services.
| jjtheblunt wrote:
| What? I sync to Google for instance and iCloud, and use Azure
| as well.
| threeseed wrote:
| iPhone launched with local syncing _3 years_ before iCloud.
| scarface74 wrote:
| How is this the only sync option? My pictures go to iCloud,
| OneDrive, Google Photos and Amazon's photo storage.
|
| My Contacts and calendar can sync with any provider that
| supports whatever open standards are behind it.
|
| When I save and load files using the iOS file dialog, it
| shows every storage provider I have installed - Dropbox,
| OneDrive, iCloud Drive and I assume Box if I had it.
| fnordpiglet wrote:
| This isn't actually true. Yes they don't give you personally
| the ability to conduct assurance on their controls. That
| couldn't scale. But they do allow large corporations looking
| to standardize on apple tech, governments, and other like
| entities the opportunity to verify the controls, their
| effectiveness, and continued compliance. Further they
| generally have to attest to their controls under a variety of
| regulatory regimes with third party auditors verifying.
|
| Your startup may be able to weaken or circumvent your
| controls and no one would know. But that is not true of Apple.
| canes123456 wrote:
| Apple offers local backups. Every cloud backup depends on
| "trust us", even if open source, externally audited, etc.
| They can offer a third party online sync option but that
| seems like functionality would open up more security holes
| than it fixes. You would just have bad actors convincing
| users to sync to their servers.
|
| If you don't trust Apple, you should also not trust other
| cloud back up services. Just turn off iCloud
| diarrhea wrote:
| I'm syncing almost all data via Nextcloud. That includes
| actual files as well as contacts and calendars. The files are
| obviously on my iPhone, but not in iCloud. In fact, iOS makes
| CalDAV and CardDAV as easy as they could be. It's natively
| supported, whereas Android requires an extra, _paid for_ app
| (worth the money though).
|
| Other synchronisation like Joplin and Zotero happens via
| WebDAV. My iCloud is basically empty yet I have every file I
| could ever need on both iOS as well as iPadOS. Some apps I
| don't care for sync via iCloud, that's all so far. I'm not
| bought into the whole ecosystem (i.e. apps) too much though.
| If all you use are apps that only support iCloud, that's a
| problem indeed.
| rrix2 wrote:
| fwiw davx5 is libre licensed and available in fdroid:
| https://f-droid.org/en/packages/at.bitfire.davdroid/
|
| there is also a free fork of davx5 on Play as OpenSync:
| https://play.google.com/store/apps/details?id=com.deependhul...
|
| agree that it should be bundled in to the system though....
| zuhsetaqi wrote:
| > Apple took away too much of the user's control;
|
| Apple didn't take away anything. It wasn't there in the first
| place and never promised.
| teekert wrote:
| The only sync option? My Pictures go to NextCloud, my
| contacts and calendar are on NextCloud, and in contrast to
| Android (I recently switched) I don't even need an app (like
| davx5, great app though, as said here) to sync them, it all
| just works from the standard contacts and calendar app. Oh
| and the mail app doesn't push me anywhere, it just works with
| my local provider via IMAP.
|
| My vpn is a Wireguard server (and some Tailscale, recently
| tested mullvad, works great as well), my position is updated
| to my family via Home Assistant, Bitwarden pops up
| automatically anywhere I need to enter a password. Podverse
| is great for podcasts.
|
| Sure, it's a walled garden and I have my annoyances but much
| less so than I was led to believe before I got my first
| iPhone last year. I find it easy to swap out default
| components where I don't like them (like iCloud and Apple
| podcasts) and use them when they are superior (like the
| calendar and mail app, I was always trying 3rd party apps on
| Android).
| smoldesu wrote:
| Does your NextCloud sync in the background like iCloud
| does? I don't believe third-party apps have access to
| background usage, unless something has changed since I last
| used iOS.
| baxtr wrote:
| That was a 5s google search.
|
| You're welcome.
|
| https://help.nextcloud.com/t/ios-background-sync/145197
| sirn wrote:
| Photos are synced in the background via location change
| events (and thus requiring Location permission). It can
| be a bit unreliable from time to time, but generally
| works. Contacts and calendars are synced in the
| background via iOS' CalDav/CardDav integration.
|
| Nextcloud app also exposes itself as a file provider in
| Files.app, so it's possible to use it in place of iCloud
| Drive for apps that use the appropriate API.
| (Unfortunately most apps use CloudKit, which sync over
| iCloud.)
| smoldesu wrote:
| Ah, I see this now. Me and my boyfriend tried switching
| to Nextcloud a few years ago, but this wasn't implemented
| on iOS yet so we had to look elsewhere. Nice to see this
| opened up, it's about time. Hopefully they'll reverse
| their sideloading opinions as well.
| [deleted]
| julkali wrote:
| FWIW, you can sync files with Nextcloud on IOS and it works
| fine. Also automatically syncs photos which makes it a viable
| alternative for cloud storage on iPhone. What it doesn't sync
| are things like settings, though.
| teekert wrote:
| Did your photos also recently get synced to JPEG (by NC),
| whereas at first the heic's were uploaded? Heic works
| poorly in browsers on other platforms so JPEG is ok, would
| prefer heic to work everywhere though...
| dmitriid wrote:
| > Nobody would be so critical of iCloud if it wasn't your
| only sync option on iPhone
|
| I sync my photos with Google Photos because they are a
| magnitude faster and more predictable than Apple's own
| Photos.
|
| My passwords are in 1Password.
|
| Can't really say I sync much else.
| rootusrootus wrote:
| I don't use iCloud for anything. Dropbox gets my pictures,
| Google has my contacts, 1Password handles my passwords, etc.
| jdthedisciple wrote:
| It's only for backups, that means my live files on the iCloud are
| still plainly available to Apple, correct?
| froggertoaster wrote:
| It very clearly states it's more than backups. I would advise
| you click the link and start reading.
| M4v3R wrote:
| It's not only for backup, the article literally lists all
| categories of data that is end-to-end encrypted: iCloud Backup,
| iCloud Drive, Photos, Notes, Reminders, Safari Bookmarks, Voice
| Memos, Wallet passes, Health data, Home data and more.
| Gigachad wrote:
| So tempting to replace Google Drive/Photos with icloud. Only
| thing holding me back now is GDrive can easily be mounted on
| Linux.
| richard___ wrote:
| Wait what is the point of using icloud if you use this e2ee
| thing? If you lose your phone, all your data is useless because
| the key is on your phone. So using icloud with e2ee is basically
| using a phone with no icloud backup at all.
| counttheforks wrote:
| Great, now let me run my own web browser instead of a safari
| webview.
| unshavedyak wrote:
| Is there a way to use this for non-Apple devices? I am "in"
| Apple's ecosystem, but i work on Linux and play on Windows.. it
| would be nice to have Dropbox/storage on an E2E Backup solution i
| already pay for (1TB+ family plan for iPhone mainly)
| Gigachad wrote:
| Not sure about E2E but for standard icloud you basically only
| get the clunky web ui. No way last I checked to mount icloud
| like you can other providers.
| tuxone wrote:
| > You must also update all your Apple devices to a software
| version that supports this feature.
|
| Didn't want to upgrade my perfectly functioning MBP 15 2015 for
| Shared Photo Library alone. They found out another way to force
| the upgrade.
| Veserv wrote:
| Okay, so when is Apple going to certify against any
| standards[1][2] higher than "Applies when you require confidence
| in a product's correct operation, but do not view threats as
| serious."[3] with a security standard, AVA_VAN.1, whose objective
| is: "A vulnerability survey of information available in the
| public domain is performed by the evaluator to ascertain
| potential vulnerabilities that may be easily found by an
| attacker. ... Penetration testing is performed by the evaluator
| assuming an attack potential of Basic." [4][5].
|
| On page 25 of [1], we can see the security auditing done as part
| of their only official security certification for the iOS was:
| "The evaluators searched for publicly known vulnerabilities
| applicable to iOS using the following sources... The search was
| performed on multiple occasions between... using the following
| search terms... The evaluator's CVE search found no
| vulnerabilities apart from the ones listed in the developer's
| security content disclosure statements, all of which have been
| fixed in subsequent releases on iOS. The validators reviewed the
| work of the evaluation team, and found that sufficient evidence
| and justification was provided by the evaluation team to confirm
| that the evaluation was conducted in accordance with the
| requirements of ..." tl;dr The evaluation process is that they do
| a web search of key words, check that all the publicly disclosed
| vulnerabilities have been patched, then call it a day.
|
| To put that into perspective, they are certifying against
| AVA_VAN.1. It is only at AVA_VAN.2 that the evaluator is required
| to do any independent vulnerability analysis as seen in [5] Page
| 155 AVA_VAN.2.3E (bold is changes from the previous level). At
| AVA_VAN.3 you need to evaluate against "Enhanced-Basic" attack
| potential. It is only at AVA_VAN.4 that you need to evaluate
| against attackers with a "Moderate" attack potential. At
| AVA_VAN.5 (the highest level) you need to evaluate against
| attackers with a "High" attack potential. Apple's only security
| certification, which in their own words "provide a measure of
| confidence--that is, security assurance--that the security needs
| of a system are being satisfied" and are "used by many
| organizations as a basis for performing security evaluations of
| IT product" is wholly three levels below "Moderate" and is
| effectively self-graded.
|
| Until they actually certify against a standard requiring moderate
| security, it is only prudent to take them at their word and
| assume that their products are only fit for systems that "do not
| view threats as serious". If they want their security to be taken
| more seriously they should prove it against internationally
| recognized standards assessed by independent third parties rather
| than issuing unsupported marketing fluff.
|
| [1] https://support.apple.com/guide/certifications/ios-
| security-...
|
| [2]
| https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/CE...
|
| [3] https://www.cisa.gov/uscert/bsi/articles/best-
| practices/requ... EAL1: Functionally Tested
|
| [4]
| https://commoncriteriaportal.org/files/ppfiles/pp_md_v3.1.pd...
| Page 136 Section 5.2.6 AVA_VAN.1
|
| [5]
| https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR...
| Page 154 Section 14.3.3
| InTheArena wrote:
| Great stuff. The question I have is what is Apple's position on
| scanning for contact on phones themselves? In the past they
| hinted that they would not enable e2e encryption unless that was
| in place.
| pettersolberg wrote:
| Except in China and alike
| atestu wrote:
| According to WSJ it will include China:
|
| > The new encryption system, which will be tested by early
| users starting Wednesday, will roll out as an option in the
| U.S. by year's end, and then worldwide including China in 2023,
| Mr. Federighi said.
|
| https://www.wsj.com/articles/apple-plans-new-encryption-syst...
| busymom0 wrote:
| sgjohnson wrote:
| They seem to be abandoning China, they are planning to move
| some 40% of the total iPhone production to India within the
| next couple of years, so China might not have all that much
| leverage.
| adam_arthur wrote:
| More about consumer base than manufacturing for them.
| Doesn't matter where they move production.
|
| Same reason they edit movies to appease chinese audiences
| brookst wrote:
| https://www.cnn.com/2022/07/08/media/hollywood-china-
| censors...
| three_seagrass wrote:
| >They seem to be abandoning China
|
| _Manufacturing_ , sure. _Consumers_? no.
|
| Apple traded its privacy priority for profits back in
| 2017 when it gave backdoor access to all the iCloud
| backups -
| https://www.nytimes.com/2021/05/17/technology/apple-
| china-ce...
| sgjohnson wrote:
| The times have changed in the past 5 years, going all out
| on China is simply untenable. Leaving China on the other
| hand is positive PR.
|
| Just because Apple couldn't officially sell any iPhones
| in China doesn't mean that the Chinese public would
| suddenly stop coveting them. I don't think they'd blame
| Apple if it came to that.
| criddell wrote:
| They have to respect the laws of the countries they operate
| in but they don't necessarily have to do so silently.
|
| If you go to set up encrypted backups and find out the
| feature isn't available or get a message saying something
| like "Feature cannot be activated in China, Turkey, and
| Russia", that's better than the feature not being available
| anywhere.
| insane_dreamer wrote:
| 100% certain Chinese gov will require back-door access
| AlexandrB wrote:
| It's interesting that this announcement was being predicted after
| Apple unveiled their on-device CSAM scanning feature. Perhaps
| this was indeed the plan all along, but they lost control of the
| narrative.
|
| Whatever did happen to the on-device CSAM scanning? Is it still
| coming to iOS?
| yreg wrote:
| When they announced the on-device CSAM, I was absolutely sure
| that they want to do this.
|
| Lawfully nothing is stopping them, but since pretty much all US
| cloud services scan files it's clear there are some forces
| making them to do so. I thought that Apple was able to
| negotiate a compromise where they scan locally and then they
| are "allowed" to do E2EE.
|
| Interesting that they're proceeding with the encryption
| regardless.
| loaph wrote:
| According to https://arstechnica.com/gadgets/2022/12/apple-
| adds-end-to-en... the CSAM scanning plans have been abandoned.
| AlexandrB wrote:
| Another interesting tidbit from that article:
|
| > First, iCloud users may now take advantage of hardware
| security keys like YubiKeys. Both NFC keys and plug-in keys
| are supported.
|
| This is great news! I wonder if this is able to replace
| Apple's bespoke 2FA system or it's strictly in addition to
| that.
|
| Edit:
|
| From Apple's announcement:
|
| > Now with Security Keys, users will have the choice to make
| use of third-party hardware security keys to enhance this
| protection. This feature is designed for users who, often due
| to their public profile, face concerted threats to their
| online accounts, such as celebrities, journalists, and
| members of government. For users who opt in, Security Keys
| strengthens Apple's two-factor authentication by requiring a
| hardware security key as one of the two factors.
|
| If I read that right, it sounds like it's _in addition_ to
| Apple's 2FA? I'd love to replace Apple's weird 2FA
| mechanisms, but this is still nice.
| drak0n1c wrote:
| Here's more info directly from Apple on their hardware key
| plans: https://www.apple.com/newsroom/2022/12/apple-
| advances-user-s...
| sneak wrote:
| Nothing Apple has ever said has indicated that they reversed
| position on their announced plan to roll out clientside
| scanning. Read the Apple statements carefully.
|
| On macOS photoanalysisd phones home even when not using
| iCloud at all, fwiw. Who knows what it is doing?
| jaywalk wrote:
| This is correct. Apple said they've abandoned CSAM scanning
| for _iCloud_ Photos, but they haven't said anything about
| on-device scanning as far as I've seen.
| yamtaddle wrote:
| That always made the most sense as the reason for attempting
| that. I agree with some concerns about it surely being abused
| (especially in some jurisdictions) but on the other hand _they
| can ship whatever software they want to the devices anyway_ so
| the idea that this was some sly way to sneak in spying that
| they couldn't otherwise get away with made no sense. Doing it
| out of a desire to enable more encryption without instantly
| becoming the overwhelmingly-preferred platform for child porn
| enthusiasts was a far more likely explanation.
|
| Curious what they're going to do to mitigate that reputational
| risk now. Possibly they'll just eat it and say, "look, this is
| what you fuckers wanted, we tried to solve the problem but you
| said no."
|
| Not thrilled to see what the next showdown between them and
| e.g. the FBI is gonna look like. I expect it's not gonna look
| good in the court of public opinion and that might have
| unfortunate legislative consequences.
|
| [EDIT] Actually, wouldn't be surprised if they wait until the
| first high-profile case involving their inability to deliver
| data on someone who _probably is_ a disgusting scumbag, and use
| that as cover to go ahead with the local-CSAM-scanning-for-
| iCloud-uploads, once it's 100% clear what'll happen if they
| don't and the no-scanning crowd isn't the loudest set of voices
| anymore.
| [deleted]
| accrual wrote:
| The physical security key is interesting as it shows a lightning
| port in the image. Maybe a sign that a portless iPhone isn't
| necessarily in the immediate future? I also wonder if there's
| another copy of the image showing a USB-C port, since it's
| assumed the iPhone 15 will be USB-C to comply with the EU's
| standard port requirements.
| fmajid wrote:
| The Yubikey 5C NFC is a U2F key that works over NFC, no
| Lightning port required (although they also make a USB-C +
| Lightning key)
| smith7018 wrote:
| Yeah, Apple is a ways away from the rumored portless iPhone. I
| think a prime example of their stalled efforts is the iPhone's
| Magsafe charging speed. It's remained at 15w since 2020 whereas
| Lightning can charge at roughly 30W. Apple's not going to
| remove the Lightning port, force people to buy new charging
| pucks, and then tell them their device won't charge as fast.
| Conversely, switching to USB-C means they can use USB PD to
| boost charging to around 45W.
| dang wrote:
| This comment was posted when the linked URL was
| https://www.apple.com/newsroom/2022/12/apple-advances-
| user-s..., which contains the physical security key
| announcement as well as the E2EE stuff.
|
| If there's a better URL for the security key announcement, we
| can factor this topic into its own thread, since it's a
| minority topic in this one and mostly getting overlooked.
| zhrvoj wrote:
| If there is a need for new security measures...new security
| recommendations - Chrome is bugging me, every day, not very
| different from Apple. What a world is that? So then, someone is
| working against my security every day! Looks like a war my
| friends...
| dang wrote:
| We changed the URL from
| https://www.apple.com/newsroom/2022/12/apple-advances-user-s...
| to the link that several users pointed out has the meatier
| details.
|
| A small number of comments here are not about E2EE backups but
| rather the security key announcement. If there's a more detailed
| URL for that part of the story, we can factor it into its own
| thread.
| sidcool wrote:
| Thanks Dang.
| lizardactivist wrote:
| "E2EE" is probably more like it. I have no doubts there will be a
| data, picture, movie or some-such leak eventually that proves
| that the encryption keys were in the hands of Apple all along.
| insane_dreamer wrote:
| Fun anecdote. Many years ago, I had all my photos and other
| personal documents encrypted in a PGP Disk on a RW-DVD, and did
| not store the password in any digital form, because that was the
| most secure thing to do. Some time later I forgot the password,
| could not find where I had written it down, and to this day have
| never recovered them. (Don't have a DVD reader anymore either,
| though I could still get one of those.) Lesson: don't forget your
| encryption key.
| pjot wrote:
| My freshman year of high school we had a project where we
| created a "Time Machine" for us to open when we graduated.
| Everything was stored on a floppy disk. Finding a working 3.5" A:
| drive has been quite difficult...
| m463 wrote:
| Even better security would be to allow users into their own
| devices. This would mean that critical data just wouldn't leave
| the device via the network.
|
| (letting users into their own devices means the ability to access
| the entire device, examine what their device is doing, and
| firewall it if wanted)
| frizlab wrote:
| 1. iMessage without internet would be tricky. 2. You don't have
| to backup in iCloud. Just plug your phone on a Mac or Windows
| computer with iTunes installed and back it up locally.
| lxgr wrote:
| It's ridiculous that I can only backup my (iOS) device to
| either a computer via USB (what is this, 2005?) or to the
| cloud.
|
| Just let me use my local Time Machine backup server!
|
| Sadly, I am convinced I'll never see that feature - it would
| basically remove the need for any iCloud subscription for me
| and thereby undermine Apple's "service" efforts too much.
| 0xCMP wrote:
| I think other commenters are missing your point: an iPhone
| should be able to back up to a "server" the same way a
| macbook does. I have a 24 TB NAS with Time Machine on it so
| the phone should be able to backup to it (over wifi, usb,
| whatever) the same way it does to a Mac. And this should be
| possible out of the box by-design (not by using Linux based
| tools to backup the iPhone in ways Macs do not let you do).
| jaywalk wrote:
| Don't they still offer local backup over Wi-Fi?
| danaris wrote:
| They do. Parent just wants to back up _directly_ to a
| Time Machine backup, rather than backing up to computer,
| then backing that up to TM.
|
| A reasonable desire, but clearly niche enough that it's
| unlikely to come to pass. (Particularly since, given what
| little I've seen of how Time Machine works, it would
| likely require some quite significant dev work on Apple's
| end to enable.)
| [deleted]
| tgv wrote:
| A Mac can also backup your phone wirelessly. TM doesn't
| make much sense without the Finder's interface.
| lxgr wrote:
| > A Mac can also backup your phone wirelessly.
|
| Yes, to its local storage only, which makes it completely
| useless to me. (I have more data on my phone than on my
| computer, and I can't be the only one.)
|
| > TM doesn't make much sense without the Finder's
| interface.
|
| Why? I can even already connect to the same SMB mount
| that holds my Mac's backup via my iPhone's "Files" app.
| Just let me backup to that!
| tgv wrote:
| The TM back-up will include your phone's backup too. I
| agree it could be better.
|
| Don't exclude the back-up folder from TM, though.
| lxgr wrote:
| Yes, but I don't want that data on my Mac in the first
| place. It takes up almost all disk space there,
| completely needlessly.
|
| (Actually it doesn't - I symlinked the backup directory
| to an external drive, and fortunately ~iTunes~ Finder
| follows that. But this is something completely
| unrealistic to ask of an average user, in my opinion.)
| pathartl wrote:
| That's still not access to the data. That's limited access to
| data that Apple allows. I remember when Tinder stored their
| messages in a local unencrypted SQLite database. I wanted to
| save the conversations between my GF and myself, but I had to
| get an Android phone and extract the db manually as I
| couldn't do that with my iPhone at the time.
| latexr wrote:
| One can argue the iOS approach was more secure, since
| someone getting hold of your iPhone wouldn't be able to
| snoop on your Tinder messages.
|
| On the other hand I appreciate the hackability, and it is
| your data. If you're in the EU, maybe you could have made a
| GDPR request to get the messages in a database.
|
| Ultimately I don't disagree with this iOS choice because
| we're the odd ones; I understand the decision to put the
| privacy of "regular users" above a niche developer method
| which could be exploited more than used in a legitimate
| way.
|
| It feels to me the correct solution in this case is that
| Tinder's database should be encrypted on both iOS and
| Android and they would provide a way to export chats.
| jdiez17 wrote:
| You can access the data in an encrypted backup, which you
| can request from an iPhone from Linux using the open source
| libimobiledevice:
| https://github.com/libimobiledevice/libimobiledevice
|
| Here's an overview of how to remove the various layers of
| encryption (starting from the backup password):
| https://stackoverflow.com/questions/1498342/how-to-
| decrypt-a...
|
| And how to do it if you want to access the WhatsApp chat
| database: https://yasoob.me/posts/extracting-whatsapp-
| messages-from-io...
|
| Also some Go tools to inspect iOS encrypted backups
| https://github.com/dunhamsteve/ios
| lapcat wrote:
| > Some metadata and usage information stored in iCloud remains
| under standard data protection, even when Advanced Data
| Protection is enabled. For example, dates and times when a file
| or object was modified are used to sort your information, and
| checksums of file and photo data are used to help Apple de-
| duplicate and optimize your iCloud and device storage -- all
| without having access to the files and photos themselves.
|
| > * iCloud Drive The raw byte checksums of the file content and
| the file name
|
| > * Photos The raw byte checksum of the photo or video
|
| https://support.apple.com/en-us/HT202303
| rollulus wrote:
| That means that you're not safe to store known files your local
| dictator doesn't like, isn't it? Wouldn't a sort of per-user
| salt allow the same functionality and give more confidentiality?
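Added example (not code from the thread or from Apple) of the trade-off behind the per-user-salt question, in Go. RawChecksum is a content-only identifier of the kind the quoted Apple text describes: it is the same for every account that holds the same bytes, which is what makes cross-user de-duplication work and also what lets a server compare an upload against a list of known hashes. KeyedChecksum is the salted variant, an HMAC-SHA256 under a key only that user's devices hold. The file bytes, the user keys and the "known file" list are constructed for the example; Store is a stand-in for the server, not any real iCloud component.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample: one file that two different users both upload.
var sampleFile = []byte("constructed sample: leaflet the local censor dislikes, page 1")

// RawChecksum is a content-only identifier. It is identical for every user who
// holds the same bytes, which enables cross-user de-duplication and also lets
// the server test an upload against a list of known hashes.
func RawChecksum(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// KeyedChecksum is the per-user salted variant: HMAC-SHA256 under a key that
// only this user's devices hold. Two users uploading identical bytes produce
// unrelated identifiers, so the server can neither de-duplicate across
// accounts nor compare against a known-hash list.
func KeyedChecksum(userKey, content []byte) string {
	mac := hmac.New(sha256.New, userKey)
	mac.Write(content)
	return hex.EncodeToString(mac.Sum(nil))
}

// Store stands in for the server side: one blob per identifier.
type Store struct {
	blobs map[string]int // identifier -> number of uploads that mapped to it
}

func NewStore() *Store { return &Store{blobs: map[string]int{}} }

// Upload records an identifier and returns true if a blob with that identifier
// was already present, i.e. the upload could be de-duplicated.
func (s *Store) Upload(id string) bool {
	s.blobs[id]++
	return s.blobs[id] > 1
}

// MatchesKnownList is the server-side "known file" check that a per-user key
// defeats, since the list can only hold content-derived values.
func MatchesKnownList(id string, known []string) bool {
	for _, k := range known {
		if hmac.Equal([]byte(k), []byte(id)) {
			return true
		}
	}
	return false
}

func main() {
	aliceKey := []byte("alice-device-key (constructed)")
	bobKey := []byte("bob-device-key (constructed)")
	known := []string{RawChecksum(sampleFile)} // constructed known-file list

	raw := NewStore()
	fmt.Println("raw: alice dedup?", raw.Upload(RawChecksum(sampleFile)))
	fmt.Println("raw: bob dedup?  ", raw.Upload(RawChecksum(sampleFile)))
	fmt.Println("raw: flagged?    ", MatchesKnownList(RawChecksum(sampleFile), known))

	keyed := NewStore()
	fmt.Println("keyed: alice dedup?", keyed.Upload(KeyedChecksum(aliceKey, sampleFile)))
	fmt.Println("keyed: bob dedup?  ", keyed.Upload(KeyedChecksum(bobKey, sampleFile)))
	fmt.Println("keyed: flagged?    ", MatchesKnownList(KeyedChecksum(aliceKey, sampleFile), known))
	// Same user, second device holding the same key: still de-duplicated.
	fmt.Println("keyed: alice again?", keyed.Upload(KeyedChecksum(aliceKey, sampleFile)))
}
```

With the keyed identifier the server can still de-duplicate within one account, provided every device on that account derives the same key (in practice from account key material the server never sees), but it loses de-duplication across accounts, which is the functionality the raw checksum buys at the cost of revealing which users hold a given known file.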
| AdamJacobMuller wrote:
| It wouldn't allow them to deduplicate across users, which
| they are likely doing.
|
| When you send your group iMessage of 30 people the same
| photo, apple is not storing 30 copies of it, but, one.
| madeofpalk wrote:
| Is that actually true?
|
| My understanding of how E2E encrypted iMessage works is
| that in group chats it does indeed send 30 copies of your
| messages, individually encrypted for each recipient in the
| group.
|
| https://support.apple.com/en-
| gb/guide/security/sec70e68c949/...
|
| > _For group conversations, this process is repeated for
| each recipient and their devices._
| judge2020 wrote:
| Perhaps they're doing multi-recipient encryption, ie. the
| data is wrapped with one key, and that private key is
| then encrypted with the public key of each recipient, so
| everyone ends up using the same private key to decrypt
| the file data itself. This means the actual file data
| isn't sent 20+ times (although the data is indeed stored
| in everyone's Messages backups separately; if Apple is
| doing de-dupe based on file data+filename, they're
| probably benefiting from deduping group message images).
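Added example (not code from the thread or from Apple) of the multi-recipient scheme judge2020 describes: the content is encrypted once under a fresh random key, and only that key is wrapped separately for each recipient, so the large ciphertext exists once while each recipient gets a small wrapped key. Here the content key is a 32-byte AES-GCM key and the wrapping is RSA-OAEP; the Envelope layout, its field names, the OAEP label and the three-member group are assumptions for the example and not iMessage's actual format or key types.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is one message to the whole group: the content encrypted once under
// a random content key, plus that key wrapped for each recipient. The layout
// and field names are assumptions for this example.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM of the content, stored once
	WrappedKeys map[string][]byte // recipient id -> RSA-OAEP(content key)
}

var oaepLabel = []byte("group-content-key") // binds the wrapped key to this use

// Seal encrypts the content once and wraps the content key per recipient.
func Seal(content []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	contentKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, content, nil),
		WrappedKeys: make(map[string][]byte, len(recipients))}
	for id, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, oaepLabel)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[id] = wrapped
	}
	return env, nil
}

// Open is what one recipient's device does: unwrap its own copy of the content
// key with its private key, then decrypt the shared ciphertext.
func Open(env *Envelope, id string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[id]
	if !ok {
		return nil, errors.New("no wrapped key for " + id)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, oaepLabel)
	if err != nil {
		return nil, err // wrong private key: OAEP decryption fails
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewGroup generates a fresh RSA key pair per member (constructed test group)
// and returns the private keys and the matching public keys.
func NewGroup(ids []string) (map[string]*rsa.PrivateKey, map[string]*rsa.PublicKey, error) {
	priv := make(map[string]*rsa.PrivateKey, len(ids))
	pub := make(map[string]*rsa.PublicKey, len(ids))
	for _, id := range ids {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, nil, err
		}
		priv[id], pub[id] = k, &k.PublicKey
	}
	return priv, pub, nil
}

func main() {
	priv, pub, err := NewGroup([]string{"alice", "bob", "carol"})
	if err != nil {
		panic(err)
	}
	photo := []byte("constructed sample photo bytes shared with the group")
	env, err := Seal(photo, pub)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext stored once: %d bytes; %d wrapped keys of %d bytes each\n",
		len(env.Ciphertext), len(env.WrappedKeys), len(env.WrappedKeys["alice"]))
	for id, k := range priv {
		pt, err := Open(env, id, k)
		fmt.Printf("%s recovers %q (err=%v)\n", id, pt, err)
	}
	_, err = Open(env, "alice", priv["bob"]) // bob's key cannot unwrap alice's copy
	fmt.Println("wrong key against alice's wrapped key:", err)
}
```

The shared ciphertext is byte-identical for every recipient, so a relay that only sees ciphertext and wrapped keys can store the large part once; anyone whose key is absent from WrappedKeys, or who holds the wrong private key, cannot recover the content key. The recipient list itself is visible in the envelope, which is the kind of metadata an end-to-end scheme does not hide.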
| fraXis wrote:
| Why does Apple enable a big new feature like end to end
| encryption in the RC build only?
|
| We are only going to be able to test this feature one week before
| it's released?
|
| I would hope a large feature like this would have had a lot more
| public user testing/refinement behind it than just one RC build
| release!
| Gigachad wrote:
| Because this isn't Linux. Apple has already tested it and you
| can be pretty certain it's going to work on day one.
| robmccoll wrote:
| (Not an iMessage user) Does iMessage actually have a way to
| display the raw public key(s) locally associated with a contact
| and your public key(s)? Wondering if you can verify keys out of
| band or if you have to trust Apple to be the authority.
| Sirened wrote:
| It's not surfaced in the UI but, as far as I recall, the
| information does actually reach the device already. Here's a
| paper [1] which dives into the cryptography used in iMessage
| (at least whatever was used at time of publication).
|
| [1] https://www.cs.umd.edu/~imiers/pdf/imessage.pdf
| lostmsu wrote:
| Isn't Android backup end-to-end encrypted since 2018 or
| something? Why are so many people commenting like something
| revolutionary is happening?
| DrBenCarson wrote:
| This is more than just the backup, this is all user data--
| files, photos, etc.
|
| Google Drive and Photos are not E2EE
| three_seagrass wrote:
| Except for metadata and file hashing - iCloud is still using
| those on files and photos.
| brookst wrote:
| Sometimes news is about market developments, not technical
| innovation.
|
| Android backups are E2EE but I don't think Google photos is.
| Photos aren't included in the phone backup, I think. Would
| welcome correction if that's wrong.
| 404mm wrote:
| Anyone else noticed that they mentioned MacOS for iCloud backups?
|
| As of now, there is no backing up your Mac to iCloud. There is
| iCloud Drive and all the individual services but TimeMachine is
| local storage only (shared drive or the legacy TimeCapsule).
|
| Does this mean we're finally getting TM backups to cloud?
| jxdxbx wrote:
| Somehow I don't think Apple will like backing up my 16 TB media
| drive the same way that Backblaze does.
| newZWhoDis wrote:
| Wow, Apple enabling E2EE for backup is huge, since before they
| would bypass iMessage security by including your iMessage keys in
| the unencrypted cloud backup (so governments could request that
| copy then watch your messages in real time).
|
| I'm sure they'll get pushback for closing this loophole
| anxiously wrote:
| Couldn't they simply use an encryption algorithm that has two
| private keys and they control one?
| [deleted]
| CGamesPlay wrote:
| Yes, but this would be apparent in the code, since the sender
| would have to encrypt against both public keys.
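The construction judge2020 describes above (the file body encrypted once under a content key, that key then wrapped for each recipient's public key) and CGamesPlay's point here (any extra recipient key has to appear in what the sender encrypts, so it is visible in the format) can both be seen in one small envelope-encryption example. This is an added example, not Apple's or iMessage's code; it assumes X25519 for key agreement, AES-256-GCM for both the body and the key wrapping, SHA-256 of the shared secret standing in for a real KDF, a static sender key (so no forward secrecy), and recipients identified by the hex of their public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// Envelope carries the file body encrypted exactly once plus one wrapped copy
// of the content key per recipient. The number of slots is part of the format,
// so an extra, undisclosed recipient would be visible to anyone inspecting it.
type Envelope struct {
	SenderPub   []byte
	Body        []byte            // nonce||ciphertext of the file, produced once
	WrappedKeys map[string][]byte // hex(recipient pub) -> nonce||wrapped content key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-256-GCM and returns nonce||ciphertext.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aeadOpen reverses aeadSeal; authentication failure surfaces as an error.
func aeadOpen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(blob) < n { return nil, fmt.Errorf("ciphertext too short") }
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// pairKey derives the key-wrapping key for one sender/recipient pair from their
// X25519 shared secret (simplification: SHA-256 instead of a proper KDF).
func pairKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil { return nil, err }
	k := sha256.Sum256(shared)
	return k[:], nil
}

// Seal encrypts plaintext once under a fresh content key, then wraps that key
// separately for every recipient in the list.
func Seal(sender *ecdh.PrivateKey, recipients []*ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	contentKey := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil { return nil, err }
	body, err := aeadSeal(contentKey, plaintext)
	if err != nil { return nil, err }
	env := &Envelope{SenderPub: sender.PublicKey().Bytes(), Body: body, WrappedKeys: map[string][]byte{}}
	for _, r := range recipients {
		wk, err := pairKey(sender, r)
		if err != nil { return nil, err }
		wrapped, err := aeadSeal(wk, contentKey)
		if err != nil { return nil, err }
		env.WrappedKeys[hex.EncodeToString(r.Bytes())] = wrapped
	}
	return env, nil
}

// Open finds the caller's slot, unwraps the content key and decrypts the body.
func Open(recipient *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[hex.EncodeToString(recipient.PublicKey().Bytes())]
	if !ok { return nil, fmt.Errorf("no wrapped key for this recipient") }
	senderPub, err := ecdh.X25519().NewPublicKey(env.SenderPub)
	if err != nil { return nil, err }
	wk, err := pairKey(recipient, senderPub)
	if err != nil { return nil, err }
	contentKey, err := aeadOpen(wk, wrapped)
	if err != nil { return nil, err }
	return aeadOpen(contentKey, env.Body)
}

// Demo seals one constructed message for three members and reports how many of
// them opened it, how many key slots the envelope carries, and whether an
// outsider holding no slot was rejected.
func Demo() (opened, slots int, outsiderRejected bool, err error) {
	curve := ecdh.X25519()
	keys := make([]*ecdh.PrivateKey, 5) // 0: sender, 1-3: members, 4: outsider
	var members []*ecdh.PublicKey
	for i := range keys {
		if keys[i], err = curve.GenerateKey(rand.Reader); err != nil { return }
		if i >= 1 && i <= 3 { members = append(members, keys[i].PublicKey()) }
	}
	msg := []byte("constructed group message: encrypted once, wrapped three times")
	env, err := Seal(keys[0], members, msg)
	if err != nil { return }
	for _, k := range keys[1:4] {
		if pt, e := Open(k, env); e == nil && string(pt) == string(msg) { opened++ }
	}
	_, e := Open(keys[4], env)
	return opened, len(env.WrappedKeys), e != nil, nil
}

func main() { fmt.Println(Demo()) }
```

`len(env.WrappedKeys)` is the auditable count: the body is one ciphertext regardless of group size, and every party able to decrypt it must own one of those slots, which is why a covert extra key could not be added without it showing up in what the client emits.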
| fnordpiglet wrote:
| Yeah I'm thinking about how many millions of HN comments are
| now invalid. I'm sure there's some other gripe in its place.
| That's what we engineers do.
| 542458 wrote:
| I'm not quite sure what you're getting at. It's not a sin to
| comment on a security issue while the issue still exists.
| Furthermore, correcting a security issue doesn't render
| somebody immune to all complaints on future security issues.
| [deleted]
| godelski wrote:
| Do we know if they still continued with the data scanning? I'm
| all for E2EE backups, but not if it comes at the cost of
| scanning my data.
| stalfosknight wrote:
| Apple is abandoning its CSAM scanning plan:
| https://www.wired.com/story/apple-photo-scanning-csam-
| commun...
| theshrike79 wrote:
| They planned to scan only the files that would end up in the
| cloud anyway.
|
| iCloud off -> no local CSAM scan.
|
| Local CSAM scan with multiple failsafes (+ actual person
| checking) + E2EE iCloud -> zero need to allow law enforcement
| access to iCloud servers. This would also mean that Apple
| could've encrypted them in such a way that even they can't
| access them.
| qwertyuiop_ wrote:
| What about turning off Airdrop in China when the people need it
| most ?
| Andrew_nenakhov wrote:
| One must understand that E2EE is used when you don't trust your
| service provider to handle your data. In other words, the
| adversary in your threat model is the service provider - and in
| this case, Apple. And what good is that encryption, if Apple
| obviously can do almost anything with your device?
|
| They can remotely wipe apps. They can force-install apps and
| force updates. It is not too far-fetched to think that they can
| just remotely copy anything stored on your device to their
| servers. So, with an adversary that capable, I'm not sure
| encrypted backups provide a meaningful improvement to security
| and privacy.
| voxic11 wrote:
| I think it mostly matters in the context of US case law,
| specifically the third party doctrine.
|
| > The third-party doctrine is a United States legal doctrine
| that holds that people who voluntarily give information to
| third parties--such as banks, phone companies, internet service
| providers (ISPs), and e-mail servers--have "no reasonable
| expectation of privacy" in that information. A lack of privacy
| protection allows the United States government to obtain
| information from third parties without a legal warrant and
| without otherwise complying with the Fourth Amendment
| prohibition against search and seizure without probable cause
| and a judicial search warrant.
|
| https://en.wikipedia.org/wiki/Third-party_doctrine
| dgdfhdfhj wrote:
| supertrope wrote:
| In theory it adds a speed bump. Apple as the cloud service
| provider can respond to the legal order by saying they don't
| have the key. And then the police can ask for a booby trapped
| update for just your phone which may or may not happen. Or they
| can lobby the legislature for an encryption backdoor for all
| devices which will force them to show their hand in terms of
| "lawful intercept" capability.
|
| If you want maximum security use an air gapped computer. But
| that won't let you send messages on the go.
| jazzyjackson wrote:
| > If you want maximum security use an air gapped computer.
| But that won't let you send messages on the go.
|
| You can, with some inconvenience, use optical diodes to
| transmit data from a trusted input device to an untrusted
| network device for transport over tor, and then push the
| received messages over a second diode to a display device
| that decrypts the messages, so that even if you receive an
| exploit/malware, there is no physical connection that allows
| unencrypted data to be exfiltrated.
|
| https://github.com/maqp/tfc
| gtvwill wrote:
| They don't have to lobby anyone for this. Apple has
| operations in aus. We have laws here gov can force you to put
| a backdoor in software or hardware and you are not allowed to
| tell even your employer you have been requested to do so.
|
| Tbh in theory apple aren't allowed to tell you they have done
| it or otherwise. So their phones have probably been
| backdoored for a few years now at request of aus gov.
| theshrike79 wrote:
| Who pays for the work required to add the backdoor? Does
| the company have to do it for free?
| Andrew_nenakhov wrote:
| If you want maximum security then just obviously don't use
| Apple services, or any other provider that has a capability
| to fetch your data under any circumstances.
| smoldesu wrote:
| > then just obviously don't use Apple services
|
| How is this possible on iPhone/iPads, where using Apple
| services like the App Store is required to install
| software?
| judge2020 wrote:
| Maybe buy a product that better suits you. If you buy a
| barbie doll, don't expect to be able to transform it into
| an 18 wheeler big rig.
| jdiez17 wrote:
| Starting in May next year, the Digital Markets Act [1]
| requires Apple to "allow the installation of third-party
| software applications [...] by means other than the
| relevant core platform services of that gatekeeper."
|
| [1] https://eur-lex.europa.eu/legal-
| content/EN/TXT/?uri=uriserv%...
| smoldesu wrote:
| Very excited for this, but also disappointed that it took
| the entire European Union to bring Apple to heel.
| rched wrote:
| I'm still on the fence about whether this will end up
| being a net good or not but people don't seem to consider
| the potential knock on effects of this. Apple puts some
| nice pro-consumer, along with some less nice anti-
| developer, requirements on Apps in the AppStore. Easy
| subscription management, privacy disclosure, parental
| controls etc. If the developers of an app decide to only
| make it available outside the AppStore you as a consumer
| may be forced to choose between using that app and
| getting those benefits.
| pixl97 wrote:
| > If the developers of an app decide to only make it
| available outside the AppStore you as a consumer may be
| forced to choose between using that app and getting those
| benefits.
|
| And Apple already chooses the reverse for you by not
| allowing apps you may want and by charging at 30% tax for
| doing so. There is a vast disparity between the
| behaviors!
| supertrope wrote:
| Don't buy an iPhone.
| smoldesu wrote:
| Or just wait long enough for the EU's digital markets act
| to take effect. But my point stands.
| scarface74 wrote:
| I can't wait for the mandated pop ups "did you know you
| could install a third party App Store" every time you go
| to the Apple App Store.
| jdiez17 wrote:
| What makes you think there will be such "mandated
| popups"?
| scarface74 wrote:
| Have you heard of the GDPR and seen how it's made the web
| browsing experience worse?
| jdiez17 wrote:
| Yes, I have heard of the GDPR and in my opinion it has
| improved/consolidated my digital privacy rights and not
| affected the "web browsing experience" in any negative
| way. I believe you are referring to the ePrivacy
| Directive (aka cookie law). As you may know, it's only
| mandatory to inform the user when the website is
| collecting information from the user beyond what is
| necessary for technical purposes - and in that case I do
| want the option to refuse that.
| Andrew_nenakhov wrote:
| Obviously, it is not possible on Apple devices. Probably
| something like Pinephone [0] might help.
|
| [0]: https://en.wikipedia.org/wiki/PinePhone
| smoldesu wrote:
| How does the PinePhone help me download apps on my
| iPhone?
| Andrew_nenakhov wrote:
| It won't help to download apps on an iPhone, which, I
| must say, _isn't even yours_: you don't get to decide
| which apps you can install on your phone. Apple gets to
| decide. Factually speaking you're merely renting the
| iPhone from Apple, which, being the device owner, decides
| the terms under which you can use it.
| schrodinger wrote:
| In practice this distinction is meaningless. In fact I
| trust Apple more than my own government. To take your
| argument to an absurd logical conclusion, I don't own
| ANYTHING because my government can take it.
| Andrew_nenakhov wrote:
| It is known that Apple would do quite a lot of what
| governments will ask of it. It removes app from national
| AppStores on a simple request from countries like China
| or Russia. (Well, _now_ Apple _might_ ignore Russian
| takedown requests, but prior to the war with Ukraine they
| were very receptive to their demands)
| pixl97 wrote:
| In rule of law countries there is a legal framework for
| the government taking things which involves processes
| that are generally voted on.
|
| We cannot say the same for Apple.
| schrodinger wrote:
| Laws voted on by elected officials like Ted Cruz, MTG,
| Boebert. I trust Tim Cook over any of those.
| gjsman-1000 wrote:
| _Nothing is secure._ Once we remember that, we'll stop
| nitpicking improvements.
|
| Use your own server? Great, it's secure software-wise, but if
| someone broke into your house, it's all of the sudden the
| worst liability ever. The next thing you know, your entire
| identity, your photos, everything is stolen. You have
| excellent technical security, perhaps the weakest physical
| security.
|
| So new plan, you use a self-hosted NextCloud instance on a
| VPS somewhere. That's actually not much smarter than using
| iCloud - VPSs handle data warrants all the time. They also
| move your data around as they upgrade hardware, relocate
| servers, and so forth.
|
| So new plan, you use iCloud E2E encryption. You have to trust
| that Apple does as they say, and trust that their algorithms
| are correctly functioning. Maybe you don't want to do that,
| so new plan:
|
| You use a phone running GrapheneOS, with data stored on a
| VPS, with your own E2E setup. Great - except you need to
| trust your software, and all the dependencies it relies on.
| Are you sure GrapheneOS isn't a CIA plant like ArcaneOS was?
| Are you sure your VPN isn't a plant, like Crypto AG? And even
| if the VPN is legitimate, how do you know the NSA doesn't
| have wiretaps on data going in and out, allowing for greatly
| reducing the pool of suspects? Are you sure that even if the
| GrapheneOS developers are legitimate, the CIA hasn't stolen
| the signing key long ago? Apple's signing key might be buried
| in an HSM in Apple Park requiring a raid, but with the
| GrapheneOS developer being publicly known, perhaps a stealth
| hotel visit would do the trick.
|
| So new plan, you build GrapheneOS yourself, from source code.
| Except, can you really read it all? Are you sure it is safe?
| After all, Linux was nearly backdoored with _only two
| inconspicuous lines_ hidden deep in the kernel (the 2003
| incident). So... if you read it all, and verify that it is
| perfect, can you trust your compiler? Your compiler could
| have a backdoor (remember the "login" demo?), so you've got
| to check that too.
|
| At this point, you realize that maybe your code, and
| compiler, is clean - but it's all written in C, so maybe
| there are memory overflows that haven't been detected yet, so
| the CIA could get in that way (kind of like with Pegasus). In
| which case, you might as well carefully rewrite everything in
| Rust and Go, just to be sure. But at that point, you realize
| that your GrapheneOS phone relies on Google's proprietary
| bootloader, which is always signed by Google and not
| changeable. Can you trust it?
|
| You can't, and then you realize that the chip could have
| countless backdoors that no software can fix (say, with Intel
| ME, or even just a secret register bit), so new plan. You
| immediately design and build your own CPU, your own GPU, and
| your own silicon for your own device. Now it's your own chip,
| with your own software. Surely that's safe.
|
| But then you realize there's no way to verify, even after
| delidding the chip, to verify that the fabrication plant
| didn't tweak your design. In which case, you might need your
| own fabrication plant... but then you realize that there's
| the risk of insider attacks... and how do you even know those
| chip-making machines are fully safe? How do you know the CIA
| didn't come knocking and make a few minor changes to your
| design, and then gag the factory with a National Security
| Letter from giving you any whiffs about it?
|
| But even if you managed to get that far, great, you've got a
| secure device - how do you know that you can securely talk to
| literally anyone else? Fake HTTPS Certificates from Shady
| Vendors are a thing (TrustCor?). You've got the most secure
| device that is terrified to talk to anybody or anything. You
| might as well start your own Certificate Authority now and
| have everyone trust you. Except... aren't those people... in
| the same boat now... as yourself... And also, how do you know
| the NSA hasn't broken RSA and the entire encryption ecosystem
| with that supercomputer and mathematicians of theirs? How do
| you know that we aren't using a whole new DUAL_EC_RBG and
| that Curve25519 isn't rigged?
|
| The rabbit hole will _never end_. This doesn't mean that we
| should just give up - but it does mean we shouldn't be so
| ready to nitpick the flaws in every step forward, as there
| will be no perfect solution.
|
| Oh, did I mention your cell service provider always knows
| where you are, and your identity, at all times, regardless of
| how secure your device is?
|
| Edit @INeedMoreRAM:
|
| For NextCloud, from a _technical_ perspective it's
| fantastic, but your data is basically always going to be
| vulnerable to _either_ a technical breach of Linode, an
| insider threat within Linode, or a warrant served (either a
| real warrant, or a fraudulent warrant, which can happen).
|
| You could E2E encrypt it with NextCloud
| (https://nextcloud.com/endtoend/) which would solve the
| Linode side of the problem, but there are limitations you
| need to look into. Also, if a warrant was served (most likely
| going to be authentic if police physically show up, at least
| more likely than one they served your data over), you could
| always have your home raided, recovery keys found, and data
| accessed that way. Of course, you could destroy the keys and
| only rely on your memory - but, what a thing to do to your
| family if you die unexpectedly. Ultimately, there's no
| perfect silver bullet.
|
| Personally... It's old school, I use encrypted Blu-rays. They
| take forever to burn, but they come in sizes up to 100GB (and
| 128GB in rare Japanese versions), they are physically stored
| in my home offline, and I replace them every 5 years. This is
| coupled with a NAS. It's not warrant-proof but I'm not doing
| anything illegal - but it is fake-warrant-resistant and
| threats-within-tech resistant, and I live in an area where I
| feel relatively safe (even though this is, certainly, not
| break-in-proof). Could also use encrypted tape.
| schrodinger wrote:
| You forget one of the simplest loopholes: "gun to the head
| for the password".
| INeedMoreRam wrote:
| I've been running my own Nextcloud instance on a Linode
| with 2FA and your response made me question how secure it
| is.
|
| Even though I get an A+ on the Nextcloud Security Scan
| (https://scan.nextcloud.com/), have 2FA, and custom IP
| blocking set up in my .htaccess file, it's disheartening to
| know that I'm not as secure as I thought I was.
|
| I removed all my photos/files from iCloud for privacy
| reasons, and now I feel helpless contemplating how Linode
| may just hand my data over if served a warrant.
|
| Any other Nextcloud hardening tips besides Fail2ban and
| reverse proxying you'd recommend? May I ask what your
| workflow looks like for preserving files throughout time?
| vineyardmike wrote:
| > And what good is that encryption, if Apple obviously can do
| almost anything with your device?
|
| Because apple isn't in control of apple for data at rest, and
| that's the specific risk.
|
| You have to trust control of the device sure, but you cannot
| trust cloud data - almost at all - between subpoenas from over
| eager LEOs and break ins from criminal and state hackers
| smoldesu wrote:
| > Because apple isn't in control of apple for data at rest
|
| That's not really true if Apple also holds copies of your
| iCloud decryption keys. If they want to access your data,
| they already have all the necessary components.
| rodgerd wrote:
| > That's not really true if Apple also holds copies of your
| iCloud decryption keys.
|
| That is _literally the thing that this announcement
| changes_.
|
| I see that Hacker News has plummeted below Reddit in the
| "bothering to check the link" stakes.
| vineyardmike wrote:
| Yea, that's the point.
|
| Let me re-phrase, by giving Apple control over the keys,
| you give control over the data to whoever controls apple -
| which is non-zero (Eg. LEO), and whoever may gain control
| (security vuln).
| smoldesu wrote:
| I don't want Apple to give over the keys. I just want my
| key to be the only in existence.
| vineyardmike wrote:
| Yea... that's what they're changing. That is the point.
| They're not going to be in control over the keys - which
| is a good thing to you, it seems.
| tshaddox wrote:
| > In other words, the adversary in your threat model is the
| service provider - and in this case, Apple. And what good is
| that encryption, if Apple obviously can do almost anything with
| your device?
|
| The adversary in this threat model isn't the service provider.
| The adversary is someone attacking the service provider, like a
| hacker or a government with a warrant, and getting access to
| Apple's storage of your data.
|
| Now of course it's not impossible for such an adversary to
| _also_ defeat other systems at Apple and get your data another
| way, for example by controlling Apple's ability to send over-
| the-air updates to Apple devices. But I think that is a
| sufficiently distinct threat that it's not worth dismissing
| solutions to the first threat. That would be like dismissing
| the importance of a web server storing passwords salted and
| hashed, since attackers could just use a totally different
| attack to bypass the web server's database access control.
| Another way to illustrate this might be to point out that
| attackers can physically coerce you to hand over data
| regardless of _any_ security measures any service provider
| could possibly make, but that doesn't mean we should dismiss
| all such security measures.
| Terretta wrote:
| We used to call this "NSL-proof". If your provider is
| architected to be NSL-proof, then the warrant has to get
| served to you.
|
| This is now possible to achieve in AWS, for example.
| rsync wrote:
| I disagree - the service provider should be considered an
| adversary and their service - and your tooling - should make
| it possible to obfuscate every single bit of data _and
| metadata_ that you store there.
|
| If only such a service existed.
|
| _If only_ ...
| xoa wrote:
| rsync.net is great and I've always appreciated the exposed
| ZFS capability, even if at this point 3x the cost per GB
| for a small scale users vs B2 is a lot more painful. Having
| encryption, including for transfers, also be part of the
| filesystem (which is open source) is great. Pity but for a
| small turn of history ZFS didn't become the native FS for
| Apple. And I think backups in particular is one of the
| focused completely unambiguous areas where Apple really has
| behaved in textbook anticompetitive fashion, and they
| should be required to allow people to point their iOS
| devices at any 3rd party service (including their own!)
| they wish that implements the right API (which Apple should
| have to document and follow themselves).
|
| Still with all that said:
|
| > _I disagree - the service provider should be considered
| an adversary and their service - and your tooling - should
| make it possible to obfuscate every single bit of data and
| metadata that you store there._
|
| If you're using Apple devices at this point then I think
| they do unavoidably form some part of your core trust
| foundation. With current hardware Apple is everywhere in
| the stack right down to the CPU level, heck arguably below
| that since they have a special license with ARM and can
| implement their own custom extensions. If you really think
| they're an adversary to the point of doing custom backdoors
| explicitly going after you, then the hardware just can't be
| trusted.
|
| It's not unreasonable though to look at both Apple's
| incentives and the state of American law at least and see
| distinctions between Apple being compelled (or hacked) to
| provide something they have passive access to on their side
| anyway vs being compelled to engage in non-consensual
| active work and feature development (or having that slipped
| in and make it into general deployment) on things that
| necessarily must go out to end user devices. The former is
| both bog standard warrant/subpoena territory and not
| inherently detectable outside of Apple and the government,
| since it doesn't directly involve the user as a party at
| all. The latter is very arguably illegal and provokes far
| more public response, and involves deploying in ways that
| make it far harder to keep concealed (and open up other
| avenues of challenge).
| nonameiguess wrote:
| I don't get it. If you don't trust Apple, then you don't
| take photos with an iPhone. There is no possible service
| they could offer that assures you every bit of data and
| metadata is obfuscated end to end in any sense of before
| Apple software has a chance to see it. At bare minimum, the
| camera app has to put together a file before there is
| anything to encrypt. A malicious Apple could just keep a
| second copy of that file, and even if you used a different
| backup service, they'd still have it.
| cbm-vic-20 wrote:
| I've used such a service for at least a decade. End-to-end
| encrypted. All open source. ;)
| rsync wrote:
| ... username checks out - our target demographic :)
| leeoniya wrote:
| > a government with a warrant
|
| remember Lavabit [0]? will Apple choose to shut down rather
| than to comply [1]? if the government comes with a warrant,
| it will be with a gag order, and they will be compelled to
| silently update your phone to extract whatever the govt needs
| over the course of a few months.
|
| [0] https://en.wikipedia.org/wiki/Lavabit
|
| [1]
| https://en.wikipedia.org/wiki/Pen_register#Pen_Register_Act
| sedatk wrote:
| Apple isn't a monolithic entity. For example, a rogue engineer
| might be able to access your iCloud data, but it's orders of
| magnitude more complicated to push a specifically manufactured
| app to your device.
|
| There's a similar variance of complexities for hacking and law
| enforcement overreach scenarios.
|
| E2EE isn't a solution for all attack vectors, but it's a
| significant mitigation in itself.
| [deleted]
| judge2020 wrote:
| > They can remotely wipe apps.
|
| Technically no. I still have Fortnite on my iPhone, it just
| can't be opened. Apple can't wipe apps from your phone, but if
| they're App Store installed (as opposed to Ent MDM/Sideloaded),
| they can render them inoperable by revoking the certificate
| attached to the bundle.
| schrodinger wrote:
| There are multiple meanings of trust in this scenario: belief
| in honesty, and confidence of ability. Eg I can trust you to
| tell me the truth but not trust you to protect me from a
| missile.
|
| I trust Apple's honesty. I don't trust many attack vectors.
| Someone could gain access to their data center. E2EE protects
| that. A gov could legally compel them to provide data. I trust
| when they say they've engineered it in such a way that they
| can't currently do it, and that they would publicly cause a
| scene and legal battle if attempted, as they have before.
| Accidental data leaks also happen. In all these scenarios I
| trust Apple's intentions but know that nothing is perfect. E2EE
| adds a lot for me.
| sneak wrote:
| This is opt-in, because of sneak's law ("users can not and will not
| securely manage{generate, backup, authenticate} key
| material")[1]. Apple knows that enabling this by default would be
| a disaster. This means most people will not ever even know the
| feature exists, and few will turn it on.
|
| This means that iMessage as a platform is still backdoored,
| because most people you iMessage with will be escrowing their
| endpoint iMessage keys to Apple in their effectively unencrypted
| iCloud Backups.
|
| Apple (and the FBI/DHS/CIA/NSA soup bois without a warrant) will
| still be able to read everyone's iMessages in real-time.
|
| Everyone wins. Spies keep spying, Apple gets to trot out the e2ee
| marketing flag.
|
| Meanwhile, there is nothing to indicate that they don't intend to
| continue the rollout of their clientside photo scanning software
| that they previously announced.
|
| [1]: https://youtu.be/9k4GP3Evh9c
| cglong wrote:
| Now I get what dang was saying about press release verbiage...
| https://news.ycombinator.com/item?id=33886505
| dmitryminkovsky wrote:
| Came to the comments to say this. Would appreciate a non-Apple
| source on this.
| latexr wrote:
| Daring Fireball highlights some bits and provides commentary:
| https://daringfireball.net/linked/2022/12/07/advanced-
| data-p...
| baggy_trough wrote:
| I don't really understand the objection. The press release is
| very well written.
| haswell wrote:
| But in some cases, that's the point. A well written press
| release will often gloss over potentially relevant/important
| details that a neutral source will not.
| baggy_trough wrote:
| That's what the HN comment thread is for!
| haswell wrote:
| The difference is that the HN comment thread will rarely
| have insights that a reporter can often provide after
| following up with their inside contacts.
|
| Edit: on reflection, I don't agree with this and wrote
| this too hastily. I'd still prefer 3rd party by default
| and believe it's often a better basis for a discussion.
| baggy_trough wrote:
| That is very much opposed to my experience.
| crazygringo wrote:
| My experience is the complete opposite.
|
| Reporters rarely add much unless they've got several days
| to do an analysis piece, which there are very few of. And
| is never the case for breaking news.
|
| HN threads regularly supply oodles of context and
| counterpoints you don't find in any articles anywhere.
| Which is one of the big reasons we come here, right?
| haswell wrote:
| I probably wrote that too hastily, and will give you that
| many threads are indeed deeply insightful by themselves.
|
| I still believe that a 3rd party source that at least has
| a chance of being more objective than a company issued
| press release is the ideal basis on which to form a
| discussion.
| dang wrote:
| In this case we've changed the URL from
| https://www.apple.com/newsroom/2022/12/apple-advances-user-s...
| to the URL that several users pointed out has more details (and
| isn't a press release).
| lxgr wrote:
| This is a great step, but I really hope Apple also change their
| position on no longer allowing users to provide a high-entropy
| passphrase to unlock all of this end-to-end encrypted data.
|
| As it is, my iPhone unlock PIN is everything that's needed to
| decrypt the data server-side [1], and I'm not changing to an
| alphanumeric password on my phone only because of that.
|
| [1] https://support.apple.com/en-us/HT204915 ("You might also be
| asked to enter the passcode of one of your devices to access any
| end-to-end encrypted content stored in iCloud.")
| Analemma_ wrote:
| This comment is baffling. You say you want Apple to allow the
| option of a high-entropy passphrase, which they _do_ , but you
| refuse to use it?
| lxgr wrote:
| I want to use a low-entropy PIN on my phone, because I enter
| it dozens of times per day, shoulder-surfing is a concern as
| big as hacking in many scenarios, and because I trust Apple's
| hardware to be capable of efficiently limiting local PIN
| attempts and wiping high-entropy keys if required.
|
| At the same time, I log in to new iOS devices with my Apple
| ID about once per year. I would love to be able to use a
| high-entropy key in that scenario. (As a point of reference,
| WhatsApp allows exactly that for encrypted backups!)
|
| If that's still baffling to you, I'm glad I could introduce
| you to a very different viewpoint :)
| blokey wrote:
| Use FaceID or TouchID, that's kind of their purpose!
| lxgr wrote:
| There's still too many situations in which I do end up
| having to enter my passcode.
|
| Mask unlock isn't perfect, wet hands can throw off Touch
| ID, and once per day I believe they will just reset and
| ask for the passcode anyway. It's also required for
| software updates and reboots.
|
| I'm not asking for this to become the default, or even an
| option given in any setup wizard. Just allow me to set up
| my own end-to-end encryption recovery passphrase and let
| me remove all of my device passcodes, i.e. allow me to
| opt out of HSM-mediated key escrow.
| quenix wrote:
| Is your Apple ID password not a sort of "secondary
| passphrase" as you're wondering? You enter the Apple ID
| password to download the encrypted data and the low-
| entropy passcode to decrypt it.
|
| Just make your apple ID password high-entropy.
| lxgr wrote:
| Not really. The Apple ID password is a regular server-
| verified password and does not contribute to end-to-end
| encryption in the cryptographic sense. In other words, it
| gates access to the end-to-end encrypted data, but not
| the keys used to encrypt them.
|
| If you trust Apple to never get hacked or hand over your
| data to any third party, that's perfectly fine, but that
| is not the scenario that end-to-end encryption is
| designed to address.
| yunwal wrote:
| You _can_ use a high entropy passcode for iCloud. You just
| can't stay signed in when you're not using it. I don't
| understand the issue here
| lxgr wrote:
| How can I select a high-entropy iCloud passcode without
| also making my phone unlock code high-entropy?
| yunwal wrote:
| To change your iCloud passcode:
| https://support.apple.com/en-us/HT201355
|
| To change your phone passcode:
| https://support.apple.com/guide/iphone/set-a-passcode-
| iph14a...
| lxgr wrote:
| > To change your iCloud passcode:
| https://support.apple.com/en-us/HT201355
|
| That's only the Apple ID/iCloud/account password, which
| plays only a minor role in end-to-end encryption.
|
| The phone passcode _is_ the (secret which gates, on
| Apple's HSMs,) your iCloud encryption key!
|
| https://support.apple.com/guide/security/escrow-security-
| for...
|
| Got "1234" as a passcode on a long-forgotten family iPad
| or test iPhone? Better go change it to something secure,
| as that's what stands between an advanced attacker (that
| can compromise your 2FA), or somebody able to
| compromise/apply sufficient pressure to Apple, getting
| into your iCloud end-to-end encrypted data.
| shbooms wrote:
| > Got "1234" as a passcode on a long-forgotten family
| iPad or test iPhone? Better go change it to something
| secure...
|
| according to the article, I don't think this will be
| possible because you won't even be able to turn on
| Advanced Data Protection in this scenario.
|
| "You must also update all your Apple devices to a
| software version that supports this feature."
|
| Just to get the feature enabled you're going to have to
| go and "touch" all of the devices you're signed into and
| either update their OS (and also update their passcode if
| you're smart) or sign out of them.
| sebk wrote:
| The iCloud recovery key is a 28-character string, not
| your iPhone PIN: https://support.apple.com/en-us/HT208072.
| There is no situation that I can think of where a device
| PIN is of any use off-device.
| lxgr wrote:
| Recovery keys were part of iCloud Keychain end-to-end
| encryption when used without "two-factor authentication",
| which is now a deprecated setup and can't be used with
| new iCloud accounts anymore:
|
| https://support.apple.com/guide/security/secure-icloud-
| keych... (describes how both approaches work)
|
| https://support.apple.com/en-us/HT204915 (documents that
| two-factor authentication is now effectively mandatory,
| which makes using recovery keys impossible)
|
| The device PIN is now exclusively used (off-device!) for
| iCloud end-to-end encryption key recovery:
| https://support.apple.com/guide/security/escrow-security-
| for...
| Dylan16807 wrote:
| They want to use it to _get_ signed in but not to _stay_
| signed in. It makes sense to me.
| Alex3917 wrote:
| This. It seems like for the average person, if you go from not
| using cloud backups to using cloud backups with their pin, then
| this is a huge step backwards for security.
| [deleted]
| lxgr wrote:
| On the other hand, for the average person already using
| unencrypted iCloud backups, it is a considerable step
| forwards, and arguably managing their own high-entropy
| recovery key could be a significant burden.
|
| I just really wish they'd made PIN-based HSM escrow the
| default, but optional (with the "off" switch behind several
| scary-sounding warnings).
| stouset wrote:
| You can set a more complicated password to unlock your iPhone.
| I know this because I do it.
| lxgr wrote:
| Sure, but I won't, and neither will many other people,
| realistically.
|
| There is no technical need at all for the same password to
| gate both local device unlock and remote end-to-end
| encryption key escrow.
|
| It's a pure security vs. availability (and realistically
| genius bar support load) tradeoff, and I even think they
| nailed it for the vast majority of users! I just wish they'd
| let advanced users participate in that tradeoff more
| actively.
| nikitoci wrote:
| You are not limited by 6-digit passcodes only, you can also
|
| "...Or tap Passcode Options to switch to a four-digit numeric
| code, a custom numeric code or a custom alphanumeric code."
| which is on their support web site[1]
|
| [1]: https://support.apple.com/en-gb/HT204060
| lxgr wrote:
| Yes, but then I need to enter a custom alphanumeric password
| every time I unlock my phone or tablet.
|
| I want to be asked for it if and only if I grant a new device
| access to my end-to-end encrypted iCloud data.
|
| I don't think this is an absurd demand. WhatsApp supports
| this security model, for example. Even Apple used to, before
| they forced every iCloud keychain user to switch to their
| HSM-based model!
| ace2358 wrote:
| I'm assuming you don't use Touch ID or Face ID?
|
| I've been using an alphanumeric passcode for about 7 years
| now. I've gotten used to it. It's not too long to be
| annoying but better than a numerical pin.
|
| Even if you used 4 numbers for an alphanumeric password,
| it's still much more secure than a 6 digit pin.
| lxgr wrote:
| > Even if you used 4 numbers for an alphanumeric
| password, it's still much more secure than a 6 digit pin.
|
| Unfortunately, that's not the case:
|
| If you trust the secure enclave (for the device unlock
| scenario) or Apple's HSMs (for the key escrow scenario),
| a 6-digit PIN is just as secure as a 4-character
| alphanumeric password. In both cases, you get 10 invalid
| attempts before your data is wiped, and the odds are
| negligibly small in either case (10/10^6 vs. 10/62^4).
|
| If you don't, i.e. you are concerned your adversary can
| somehow perform a brute-force attack, you need way more
| than four alphanumeric characters.
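The attempt-cap argument in the comment above, worked through for the passcode policies this subthread discusses, as an added example that is not code from Apple or from any commenter. The cap of 10 tries is the figure from the comment; the offline guess rate of 10^9 guesses per second is an assumed placeholder, not a measured number.

```python
"""Attempt-limited vs. offline guessing for the passcode policies in the thread.

Added illustration (not Apple's code, not a commenter's code). Two attacker
positions are modelled: one who must submit each guess to an attempt-limiting
component (secure enclave, escrow HSM) and is cut off after a fixed number of
wrong tries, and one who holds the protected material offline and can guess at
hardware speed. The 10-try cap is from the comment above; the offline guess
rate is an assumed figure for illustration only.
"""
import math

# Alphabet sizes for the policies named in the thread.
DIGITS = 10
ALPHANUMERIC = 26 + 26 + 10          # a-z, A-Z, 0-9

# (label, alphabet size, length) for each policy discussed above.
POLICIES = [
    ("4-digit PIN", DIGITS, 4),
    ("6-digit PIN", DIGITS, 6),
    ("4-char alphanumeric", ALPHANUMERIC, 4),
    ("8-char alphanumeric", ALPHANUMERIC, 8),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of the given length (uniform choice assumed)."""
    return alphabet_size ** length


def capped_guess_probability(space: int, attempts: int) -> float:
    """Chance of success when an enforcer allows only `attempts` tries.

    Each try is a distinct guess, so the probability is attempts / keyspace,
    independent of how fast the attacker can compute.
    """
    return min(1.0, attempts / space)


def offline_expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected brute-force time with no attempt limit: half the keyspace on average."""
    return (space / 2) / guesses_per_second


def compare(policies=POLICIES, attempts: int = 10,
            guesses_per_second: float = 1e9) -> list:
    """Evaluate every policy under both attacker positions."""
    rows = []
    for label, alphabet, length in policies:
        space = keyspace(alphabet, length)
        rows.append({
            "policy": label,
            "keyspace_bits": math.log2(space),
            "capped_success": capped_guess_probability(space, attempts),
            "offline_seconds": offline_expected_seconds(space, guesses_per_second),
        })
    return rows


if __name__ == "__main__":
    # With the cap, a 6-digit PIN and a 4-char alphanumeric secret are both
    # negligible; without it, only the longer alphanumeric secret holds up.
    for row in compare():
        print(f"{row['policy']:<22} {row['keyspace_bits']:5.1f} bits  "
              f"capped p={row['capped_success']:.2e}  "
              f"offline ~{row['offline_seconds']:.3g} s")
```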
| SllX wrote:
| Do you not use FaceID or TouchID or unlock with the Watch?
|
| I switched my pin to alphanumeric because I'm _not_ putting
| it in every time I pick up my phone. I can live with the
| inconvenience of putting the passcode in every couple of
| days or so.
| sneak wrote:
| I put in my 12 character numeric passphrase multiple
| times a day because FaceID sucks with masks and covid is
| still a thing.
|
| I wish TouchID were an option on latest pro iphones.
| zaroth wrote:
| I just want to second this. I use a long alphanumeric
| password to unlock my iPhone plus FaceID.
|
| I enter the password at most a few times a week after
| reboots and if someone plays with the phone and gets
| FaceID to fail too many times. It's not annoying at all
| to unlock with the keyboard rarely.
| brookst wrote:
| I see what you're asking for, but I don't think Apple would
| ever do it. A passphrase that is only used once every few
| years is a recipe for endless support calls.
| dmix wrote:
| Android offered it for a long time for decrypting on
| boot. I'm sure Apple could communicate it well enough.
| lxgr wrote:
| Then hide it behind an option deep in the settings, and
| label it "only for advanced users, and if you lose it,
| all your data will forever be gone".
|
| Apple even had this exact setting in the past! And they
| still have a similar thing for Mac disk encryption (the
| default is iCloud escrow, but a local-only recovery
| passphrase is also an option).
| lilyball wrote:
| I admit I still use a 6-digit passcode, but if you're actually
| serious about protecting your data you should be using an
| alphanumeric password anyway. Even ignoring the server-side
| stuff, that single password unlocks most of the data on your
| phone.
| lxgr wrote:
| It's much easier to securely limit invalid PIN attempts on a
| device locally than in the cloud, though. This is the bread
| and butter of embedded security cores like the secure enclave
| or Google's Titan M.
|
| Users shouldn't be forced to use high-entropy local passwords
| just because a service provider insists on reusing them for a
| completely different purpose.
| dgdfhdfhj wrote:
| amatecha wrote:
| A more thorough (or less PR-ish) explanation of the Advanced Data
| Protection and how it works can be found here:
| https://support.apple.com/en-ca/guide/security/sec973254c5f/...
| dang wrote:
| Ok, we've changed the URL to that from
| https://www.apple.com/newsroom/2022/12/apple-advances-
| user-s.... Thanks!
|
| (more at https://news.ycombinator.com/item?id=33899699)
| layer8 wrote:
| Unfortunately, it seems that this requires all connected devices
| to be on the latest OS versions (iOS 16.2, macOS 13.1, etc.),
| which means you can't use it as long as you have older devices
| connected to your Apple ID.
|
| It also doesn't work for Shared Albums, and for other "Shared"
| features it requires all participants to have ADP enabled.
| yreg wrote:
| >as long as you have older devices connected to your Apple ID
|
| Is it possible to have an old device connected to Apple ID,
| Find My enabled and iCloud backups/sync disabled for ADP to
| work on your newer devices?
|
| Having no backups/sync on the old devices is fine, presumably
| people who care about encryption have that turned off at the
| current state of matters anyway.
| ezfe wrote:
| It's not particularly surprising that all your devices need to
| be updated, how else would it work? The whole point of E2E is
| that the ends are your devices.
| layer8 wrote:
| Right, but it may be unexpected that a single device can
| prevent using a new feature on your other devices. This is
| just a heads up. And conceivably Apple could provide updates
| for older OS versions, as they sometimes do for security
| fixes.
| acdha wrote:
| This has been the case for other iCloud features and
| they've historically done a good job communicating this to
| the user at the time they upgrade the service and when they
| attempt to access it from an old device. I would expect
| that to follow the same process here either refusing to
| enable it until your devices are updated or having the old
| device kicked out until it's updated.
| layer8 wrote:
| Yes, they are refusing to enable it if you have older
| devices signed in to your Apple ID.
| novok wrote:
| Now will they offer icloud tiers over 2tb next, like google does?
| Will icloud be actually usable for 3rd party apps outside of ios
| without constant reauth?
| CharlesW wrote:
| FWIW, there's a "product packaging hack"[1] that gives you 4TB if
| you pay for both Apple One Premium and iCloud+ at total cost of
| $40/mo. It's not a great value, but it's possible. I'd bet on
| them adding a 4TB plan in 2023.
|
| [1] https://mashable.com/article/apple-icloud-plus-
| plans#:~:text....
| novok wrote:
| All I want is a roadmap to ever increasing tiers of storage,
| like google, so I know if I need to, I don't need to do a big
| migration once my life history gets too big. Good to know
| about the hack.
| BiteCode_dev wrote:
| I hope this is true, but since their entire stack is proprietary,
| we have no way to know if there is not a backdoor to get the key
| from you.
|
| Since Apple was part of the PRISM program, I'm going to assume
| there is at least one for the three-letter agencies, which means
| it's available for Apple, who designed it, as well.
|
| But it does mean that they can easily mass-scan the data, and
| have to target people personally, which is already a huge
| improvement, and covers most people's threat model.
| modeless wrote:
| I have often criticized Apple for marketing iMessage as end-to-
| end encrypted while the vast majority of encryption keys still
| reside on their servers and are routinely used to decrypt
| messages for law enforcement on demand. This is a long overdue
| step forward.
|
| However, for most people their messages will still not be end-to-
| end encrypted because their contacts will mostly not have this
| optional feature enabled. To be truly effective, this feature
| would have to ensure that Apple does not strip the end-to-end
| encryption from your messages when they are sent to other people
| using iMessage. In my opinion it is still fraudulent to market
| iMessage as an end-to-end encrypted system until this is fixed.
| xoa wrote:
| > _However, for most people their messages will still not be
| end-to-end encrypted because their contacts will mostly not
| have this optional feature enabled. To be truly effective, this
| feature would have to ensure that Apple does not strip the end-
| to-end encryption from your messages when they are sent to
| other people using iMessage. In my opinion it is still
| fraudulent to market iMessage as an end-to-end encrypted system
| until this is fixed._
|
| I think your opinion is mistaken in conflating separate problem
| spaces/threat models. E2EE deals exclusively with the transit
| and reading of data between trusted ends, that's the point. It
| deals with the threat posed by middle observers. What happens
| to the data _after_ it reaches and gets stored on one end or
| the other is out of scope. Certainly important, but still has
| nothing to do with whether something is E2EE. Communications
| between people necessarily means no one person is fully in
| charge. The person on the other side could perfectly well have
| their PIN be "1234", that wouldn't suddenly mean
| Signal/iMessage/SSH/whatever are no longer E2EE.
|
| This is definitely an unambiguously significant improvement,
| and it will help more people stay secure more easily while
| still making use of wireless services (vs backing up with a
| cable to a system like I have always done and still do with iOS
| devices). However, while technology is helpful it's not a total
| substitute for opsec either. And I think it's a mistake to mush
| together different domains. iMessage going full E2EE was a good
| all by itself and its own specific thing, even if Apple was
| wrong to not deploy the same thing everywhere and also wrong
| (and still wrong!) not to allow 3rd party options for backups.
| There was nothing fraudulent about saying it was E2EE.
| fossuser wrote:
| It seemed clear they were making moves in this direction back
| when their announcement about on device hash checking for CSAM
| prior to iCloud photos backup was made. That announcement only
| made sense in a world where they wanted to enable end to end
| encryption for photos. It's cool to see them do this, and see
| them also extend it to Messages too (surprising imo).
|
| --
|
| > The apple policy was likely about coming up with a way to
| enable encrypted photos on iCloud while still having some privacy
| preserving form of CSAM detection. Since it was only enabled when
| iCloud photos was enabled it was better for privacy on net than
| the status quo (unencrypted iCloud photos that are accessible to
| apple and scanned anyway).
|
| https://news.ycombinator.com/item?id=30297272
| YokoSix wrote:
| "Dates and times when a file or object was modified are used to
| sort a user's information, and checksums of file and photo data
| are used to help Apple de-duplicate and optimize the user's
| iCloud and device storage--all without having access to the files
| and photos themselves."
|
| https://support.apple.com/guide/security/advanced-data-prote...
|
| So Apple only encrypts the files but not the metadata? If that's
| true the encryption is basically worthless because Apple is still
| able to "see" what files you upload and scan them for CSAM,
| copyright infringement or videos of 1989 Tiananmen Square.
| tiffanyh wrote:
| > Starting with iOS 16.2, iPadOS 16.2 and macOS 13.1, _you can
| choose to enable_ Advanced Data Protection to protect the vast
| majority of your iCloud data, even in the case of a data breach
| in the cloud.
|
| Interesting, so this is an opt-in (not default secure).
| [deleted]
| Gigachad wrote:
| Probably concerns about people losing data. Probably the vast
| majority of people would rather someone gains access to their
| photos than having their files lost
| theshrike79 wrote:
| For now, they'll make it opt-out when a large enough user base
| is at those OS versions.
| madeofpalk wrote:
| Source?
| tiffanyh wrote:
| I don't understand. This is an opt-in, not opt-out.
| theshrike79 wrote:
| It's currently opt-in, because a significant percentage of
| the user base is not running an OS version that can support
| the E2EE features.
|
| When that percentage is high enough (a few years), I don't
| see why Apple wouldn't make it opt-out. (Default it to
| encrypted, you need to specifically disable it if you don't
| want it).
| martin_drapeau wrote:
| Apple is extending the data privacy/security you have on your
| phone for images, videos, files (content) to the cloud. Blurring
| the lines between physical device and the cloud.
|
| This makes perfect business sense - people will want to buy extra
| storage. Lock-in is deeper.
| asymmetric wrote:
| Does this apply to all jurisdictions? I somehow have a hard time
| imagining China would allow them to do this for their citizen's
| data.
| yyyk wrote:
| I didn't expect Apple to actually do this. Kudos.
|
| During the client-side scanning debacle I noted they'd have to
| implement server-side scanning anyway, so they might as well
| abandon client-side scanning. The wording still allows for
| server-side scanning ("raw byte checksum" is vague enough to be
| an image hash or merely a CRC-32; I strongly suspect it's the
| former) - and I'm perfectly fine with Apple choosing this. Their
| server their rules. It's also the better technical choice IMHO.
| yamtaddle wrote:
| > ("raw byte checksum" is vague enough to be an image hash or
| merely a CRC-32; I strongly suspect it's the former)
|
| 1) The image fingerprinting they were talking about before is
| _really_ different from a "raw byte checksum", since it could
| recognize photos that had been resized or cropped.
|
| 2) AFAIK the plan was always to generate the fingerprint on the
| device, but to check it server-side, possibly as a pre-flight
| check before sending the actual file. The thing that upset
| people was the device generating a too-good fingerprint [EDIT:
| To be fair, people were also concerned Apple would expand the
| fingerprint-generating-and-uploading to photos that _weren't_
| bound for iCloud--the concern would have been pretty silly
| otherwise, since of course unencrypted photos sent to iCloud
| are CSAM-scanned, same as everywhere else). Pretty sure they
| were gonna keep the naughty-list server-side all along. So, if
| this _is_ the same thing (I doubt it, see #1) then checking the
| fingerprints( /hashes) server-side isn't a change in plans.
| yyyk wrote:
| 1) I'm aware of the difference. However, I think the Apple
| phrase is sufficiently ambiguous to legally cover an image
| hash as well. An image hash is technically a checksum and is
| made of raw bytes that cannot be converted back to the image.
| If Apple is indeed using an image hash, I don't have a
| problem with this - it's their servers.
|
| 2) The fingerprint check was supposed to be done _client-
| side_ based on a server supplied list so that Apple would not
| get the image and image hash unless there was a match (I'm
| simplifying this, there was a rather complex procedure
| involved with thresholds and manual review).
|
| My main concern was that normalizing and making possible
| client-side scanning would lead to other things being
| scanned. e.g. China adding images of Winnie the Pooh to scan
| list, and then sending every Chinese suspect to dissident-
| ville in the sky. The Apple plan here was insufficient: it
| wanted to rely on multi-country lists, this had both legal
| and practical problems - e.g. China has sufficient sway with
| friendly countries to add its choice of images to the list.
| yamtaddle wrote:
| Ah, thanks for the clarification, seems I was off on some
| of that.
|
| > My main concern was that normalizing and making possible
| client-side scanning would lead to other things being
| scanned. e.g. China adding images of Winnie the Pooh to
| scan list, and then sending every Chinese suspect to
| dissident-ville in the sky.
|
| Right, but that hardly mattered as long as it applied only
| to iCloud-uploaded files, since those were and are already
| being scanned so all those scenarios were already in play
| (well, not _now_, I suppose, if you enable encryption...
| maybe. But at the time they announced the scanning,
| certainly)
| nerdjon wrote:
| I have been waiting a long time for backups and photos to support
| this, and I am glad we are finally getting it.
|
| I don't feel like updating to a beta to get this feature
| (especially for the risks associated with it). But I am curious
| how the migration will work. Will this basically re-encrypt
| everything locally and then upload it or will what is already
| there stay unencrypted.
|
| Also does anyone know, how do features like this work for someone
| with a single apple device? I don't worry about losing access to
| anything because if my phone dies I have... several other devices
| with keys. But what about someone who doesn't?
| gjsman-1000 wrote:
| It shows in the screenshot the following:
|
| "Because Apple will not have the keys required to recover your
| data, you will be guided to set up an alternate recovery method
| in case you ever lose access to your account."
|
| I would assume a physical sheet of paper containing recovery
| codes is a suitable alternative recovery method.
| xattt wrote:
| This is the Bitlocker recovery way.
| nerdjon wrote:
| I should have looked closer at the screenshot, didn't really
| think it would tell me anything beneficial for an e2e system.
|
| Thanks for pointing that out!
|
| Honestly might not be a bad idea to have a backup somewhere
| else just in case. Like in the event of a fire or something
| have a backup sitting in a safe.
|
| It does bring up an interesting conversation, what levels do
| we go to make sure we can recover accounts in situations like
| this? Store a USB or a paper in a safety deposit box on the
| other side of the country? I tend to store all of my backups
| for my other accounts on my iCloud Drive so... losing access
| to that would be catastrophic.
| rodgerd wrote:
| Essentially at that point you're on your own - you can't
| have Apple able to do recovery and be unable to access your
| data for other purposes.
| ask_b123 wrote:
| The migration process is explained here:
| https://support.apple.com/en-ca/guide/security/sec973254c5f
| [deleted]
| volleygman180 wrote:
| I honestly never thought this day would come - THANK YOU APPLE!!
___________________________________________________________________
(page generated 2022-12-07 23:00 UTC)