Apple Advances User Security With Three New Data Protections

WankerWeasel writes: Apple today introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data. With iMessage Contact Key Verification, users can verify they are communicating only with whom they intend. With Security Keys for Apple ID, users have the choice to require a physical security key to sign in to their Apple ID account. And with Advanced Data Protection for iCloud, which uses end-to-end encryption to provide Apple's highest level of cloud data security, users have the choice to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more.

One Time Pad

[fermion]

One reason I started using PayPal back in the day us they had an electronic one time pad. A device that would generate a number. The bank I used for international stuff also had a one time pad.

This hardware key will open Apple products to a lot of secure environments. My sister has a dongle for her computer.

But I would like to see a compromise that is less inconvenient. Like maybe the Apple Watch knows you are wearing it, and only you, and that is the only way to log in.

Re:

[registrations_suck]

My sister has a dongle for her computer.

I have a dongle for your sister!!!

Sorry, just couldn't resist (:

Re:

[EvilSS]

Careful, dongle jokes can get you in trouble these days: https://arstechnica.com/tech-p... [arstechnica.com]

Ultimate data security in the cloud

[Rosco P. Coltrane]

Don't put your data in the cloud.

Don't believe cloud providers' claims on security.
Assume the cloud providers themselves are a threat.

Re:Ultimate data security in the cloud

[rtkluttz]

Exactly. If you don't control the encryption algorithm independently from the app and encrypt BEFORE the app touches the data, assume the app maker or cloud provider has access to it and can get to your data if they want to. The whole kerfuffle years back when the FBI was trying to get into the iPhone in California from the suspected terrorist, was a master class in misdirecting the public to what they wanted people to focus on. Them: Apple won't give you up. But in reality, the statement should be Apple won't give you up unless they eventually make us with court orders. And beyond that, the REAL question should have been, why is it even POSSIBLE for Apple to give you up? They shouldn't control the encryption and cloud usage should not be forced but yet they somehow redirected everyone and the media from asking those questions.

Re:

[uncqual]

All good advice.

However it is worth noting that US courts have, in general, concluded that you can be required to give up your "key" - physical or digital - in response to a search warrant just as you can be required to provide the combination to a safe if the search warrant's scope includes the associated location or data. Although if you refuse to do so in the case of physical locks, the search team will probably just drill out or force the lock rather than bother to go to court and have the court toss yo

Re:

[Rosco P. Coltrane]

I have nothing to hide to a court. I'd provide the key willingly. I just don't want cloud providers to rip through my data and exploit it.

Why do you assume people who use encryption are doing something illegal?

Re:

[uncqual]

I'm not making the assumption you think I was making.

However, encryption is sometimes used to conceal criminal activity and the parent mentioned the FBI and the iPhone encryption case.

Of course in that case those that were most likely to have the encryption key were dead as a result of their criminal activities so the FBI had to figure out other ways (including the attempt to make Apple help them) to decrypt the data.

Re:

[fropenn]

Why isn't this a violation of the constitutional right to be free from cruel and unusual punishment? You have not been convicted of a crime, so why is it constitutional for the government to take away your right to liberty? I also wonder how this isn't a violation of your right to remain silent. You can't punish me simply because I didn't confess to a crime.

It seems to me the founders, while certainly never considering this possible future state that includes iPhones and encrypted Cloud storage of digital

Re:

[uncqual]

Your interpretation of the US Constitution seems to vary from that of the courts. You may think yours is more correct than theirs but they sort of make the rules so that puts you at a disadvantage.

People don't actually have a "right to remain silent" in all cases. The now infamous "Miranda warning" and its "right to remain silent" clause is a fairly recent invention of the Supreme Court and only applies to those who are in custody and is often misunderstood (thank you Hollywood). Even then it's not absolute

Re:

[uncqual]

Addendum:

As well, a court may well refrain from ordering you to provide the encryption key or the encrypted data if the fact that you could do so would incriminate you (but not because the data itself would -- that's just an object like a knife with blood on it found under your mattress).

For example, the fact that you demonstrate that you know the password to an encrypted file will tend to incriminate you as the prosecution could use that to tend to disprove your defense (perhaps "suggested" by your lawye

Re:

[radarskiy]

"why is it even POSSIBLE for Apple to give you up"

Because the most common scenario is people who accidentally lost their credentials trying to recover their own account.

Google should do the same

[RaymondIT]

Google should do the same

Bring My Own Key

[registrations_suck]

Great. When will I be able to bring my own encryption key, instead of relying on Apple to provide one?

Re:

[nightflameauto]

When you are able to provide Apple with complete, unfettered access to your encryption key, you'll be allowed to use your own encryption key.

Re:Bring My Own Key

[rtkluttz]

Even that is not sufficient. You must encrypt using your own key with an app (preferably an entire operating system) out of apple's control before passing to any app that apple does control. Otherwise they can still get to it.

PGP

[VeryFluffyBunny]

So Apple's finally enabled PGP? Great, we need more companies & people to start using it.

Still, it's a step forward

[iustinp]

I see a lot of the comments just downplaying this, but while not perfect, it is a step forward (well, 3 separate steps forward). If you don't trust Apple in the first place, don't use their devices (since the device is the root of trust). But if you _mostly_ trust Apple, then the abilityto encrypt iCloud backups and notes and Photos is a very good thing against bugs in parts of the system and leaks.

Re: Still, it's a step forward

[SleepingEye]

Except this still seems like theater. If you lose your password... you should not be able to recover ANY data whatsoever. See: tresorit app. It explicitly warns that if you lose your password, you lose your data. In typical encryption, you need an encryption certificate and the password for that certificate. If there's a "forgot password", that means they have the means to decrypt and re encrypt your content

Apple Advances Marketing

[dgrey387]

protection of personal data is very important, and I can say that the niche for the implementation of this is not sufficiently filled - after all, there is a user request and resources who can help him with this are not enough. If you want to develop an application or launch your own web resource, or you already have it, then you need to use SEO tools and services such as https://ninjareports.com/websi... [ninjareports.com] to analyze the SEO traffic of your competitors and draw up a SEO plan to promote this resource