Chinese Hack of US ISPs Show Why Apple Is Right About Backdoors (9to5mac.com) 119
Alypius shares a report from 9to5Mac: It was revealed this weekend that Chinese hackers managed to access systems run by three of the largest internet service providers (ISPs) in the US. What's notable about the attack is that it compromised security backdoors deliberately created to allow for wiretaps by US law enforcement. [...] Apple famously refused the FBI's request to create a backdoor into iPhones to help access devices used by shooters in San Bernardino and Pensacola. The FBI was subsequently successful in accessing all the iPhones concerned without the assistance it sought.
Our arguments against such backdoors predate both cases, when Apple spoke out on the issue in the wake of terrorist attacks in Paris more than a decade ago: "Apple is absolutely right to say that the moment you build in a backdoor for use by governments, it will only be a matter of time before hackers figure it out. You cannot have an encryption system which is only a little bit insecure any more than you can be a little bit pregnant. Encryption systems are either secure or they're not -- and if they're not then it's a question of when, rather than if, others are able to exploit the vulnerability."
This latest case perfectly illustrates the point. The law required ISPs to create backdoors that could be used for wiretaps by US law enforcement, and hackers have now found and accessed them. Exactly the same would be true if Apple created backdoors into iPhones.
Our arguments against such backdoors predate both cases, when Apple spoke out on the issue in the wake of terrorist attacks in Paris more than a decade ago: "Apple is absolutely right to say that the moment you build in a backdoor for use by governments, it will only be a matter of time before hackers figure it out. You cannot have an encryption system which is only a little bit insecure any more than you can be a little bit pregnant. Encryption systems are either secure or they're not -- and if they're not then it's a question of when, rather than if, others are able to exploit the vulnerability."
This latest case perfectly illustrates the point. The law required ISPs to create backdoors that could be used for wiretaps by US law enforcement, and hackers have now found and accessed them. Exactly the same would be true if Apple created backdoors into iPhones.
Apple right about something?!?!?! (Score:3, Funny)
Chinese Hack of US ISPs Show Why Apple Is Right About Backdoors
Apple right about something?!?!?! ... I'VE FOUND A HERETIC!!! BUURRRN HIM!!!!
Re: (Score:1)
Re: (Score:2)
Posting to undo accidental downmod of parent.
(I meant to mod it +1 Funny ... )
Re: (Score:2)
Apple made claims of an unlock tool leading to orwellian society. [slashdot.org] Never mind that with the current system they have in-place for signing firmwares for installation [theapplewiki.com], the use of the device's unique ids [theapplewiki.com], and a nonce [theapplewiki.com], Apple has so much control over an iOS device that they can individually target a unique device and limit the firmware it is allowed to install to a specific installation attempt. Not only would this have made the San Bernardino case irrelevant, as at this point creating a
Re: (Score:2)
Don't have to look far.
Apple made claims of an unlock tool leading to orwellian society. [slashdot.org] Never mind that with the current system they have in-place for signing firmwares for installation [theapplewiki.com], the use of the device's unique ids [theapplewiki.com], and a nonce [theapplewiki.com], Apple has so much control over an iOS device that they can individually target a unique device and limit the firmware it is allowed to install to a specific installation attempt. Not only would this have made the San Bernardino case irrelevant, as at this point creating a firmware that only worked on the phone while it was subject to the court ordered search warrant and ensuring it's removal after the search was completed is now possible, but it's the exact type of backdoor that no-one should want in their devices. A factory-made individually-targeted backdoor controlled by others that can be sprung at a moment's notice. I.e. The exact thing that people in the IT industry were hand-wringing over.
This is just Apple patting itself on the back for it's previous efforts while ignoring the current reality which is far different.
How, pray tell, was the FBI, or Apple, planning to Initiate an iOS "Update" Sequence, when that Requires the User to both Unlock the Phone, but then actually Manually Enter The Passphrase On that Phone?!?
Think, Motherfucker, Think!!!
Re: Apple right about something?!?!?! (Score:3)
Re: (Score:2)
And you can't see any commonality having a backdoor that was breached and used and what Apple was talking about.
Curious.
Are the crowds in the room with us now?
Re: Apple right about something?!?!?! (Score:5, Interesting)
I reckon GP is correct. Apple was talking about backdoors in encryption, not applications or services. Why do I say that? Because they already offer such backdoors. The government has even used said backdoors:
https://appleinsider.com/artic... [appleinsider.com]
In fact, apple even wanted to add one the government didn't even ask for:
https://www.theverge.com/2021/... [theverge.com]
This isn't even a matter of apple being right or wrong, just some apple fanboy editorializing it in there because he can't tell the difference between cryptographic backdoors and application backdoors.
Re: (Score:3)
I reckon GP is correct. Apple was talking about backdoors in encryption, not applications or services. Why do I say that? Because they already offer such backdoors. The government has even used said backdoors:
https://appleinsider.com/artic... [appleinsider.com]
In fact, apple even wanted to add one the government didn't even ask for:
https://www.theverge.com/2021/... [theverge.com]
This isn't even a matter of apple being right or wrong, just some apple fanboy editorializing it in there because he can't tell the difference between cryptographic backdoors and application backdoors.
Bullshit.
The first was to provide iCloud Backup info in response to a lawful subpoena. No "Back Door" involved.
The second stuff, the CSAM scanning, was killed-off while still in Development, partially due to Public Backlash; but mostly because Apple concluded there was no way to prevent rampant false-positives. Oh, and even when the CSAM Scanning was in Development, the Design called-for On-Device "scoring" of On-Device Images against a CSAM Database.
Again, where is the "Back Door"?
Re: (Score:2)
The first was to provide iCloud Backup info in response to a lawful subpoena. No "Back Door" involved
A backdoor is any means of access to something that is less commonly used than at least one other method. So yes, this is a backdoor means of accessing a user's icloud data, unless you're trying to argue that most people can and do access their icloud data this way.
The second stuff, the CSAM scanning, was killed-off while still in Development
No shit.
partially due to Public Backlash; but mostly because Apple concluded there was no way to prevent rampant false-positives
Wrong, it was mostly due to public backlash.
Oh, and even when the CSAM Scanning was in Development, the Design called-for On-Device "scoring" of On-Device Images against a CSAM Database.
Again, where is the "Back Door"?
And what happens when said CSAM material is found? Apple just tells the user to do a better job of hiding it? Or, more likely, does it provide somebody else with access to said material?
Dumbass.
Ok, let's take these one at a time, shall we?
1. Apple handing over iCloud Backup Data in Response to a Lawful Subpoena: Well, sorry; there isn't a company in America that could Refuse that. But what Apple did in 2022 was to add Opt-In "Advanced Data Security for iCloud". This does E2E Encryption for nearly all Classes of Data, across all your Apple Devices and Computers, with the Key stored On-Device, in the "Secure Enclave"; with Apple retaining No Key. That way, Even if Apple complies with a Subpoena now,
Re: (Score:2)
1. Apple handing over iCloud Backup Data in Response to a Lawful Subpoena: Well, sorry; there isn't a company in America that could Refuse that.
Just like the ISP in this scenario, isn't it?
So, that's ONE down. . .
No, you and your fanclub are literally comparing cryptography backdoors to service backdoors. The exact same reasoning applies here. Otherwise, why the hell even mention apple in this at all?
2. Apple Scanning-for/Reporting possible CSAM: Project was killed before Development was even finished; just like a zillion other Projects that might have seemed like a good idea at an early stage.
Their reasoning for cancelling it doesn't change the fact that they were willing to build a backdoor into their own product.
IOW, Nothing to see here, Move Along.
There never was anything to see here to begin with. Why the hell did you idiots bring up apple to begin with? You just HAVE to take every opportunity av
Re: (Score:2)
1. Apple handing over iCloud Backup Data in Response to a Lawful Subpoena: Well, sorry; there isn't a company in America that could Refuse that.
Just like the ISP in this scenario, isn't it?
So, that's ONE down. . .
No, you and your fanclub are literally comparing cryptography backdoors to service backdoors. The exact same reasoning applies here. Otherwise, why the hell even mention apple in this at all?
2. Apple Scanning-for/Reporting possible CSAM: Project was killed before Development was even finished; just like a zillion other Projects that might have seemed like a good idea at an early stage.
Their reasoning for cancelling it doesn't change the fact that they were willing to build a backdoor into their own product.
IOW, Nothing to see here, Move Along.
There never was anything to see here to begin with. Why the hell did you idiots bring up apple to begin with? You just HAVE to take every opportunity available to you to lick Tim Cook's balls don't you? No matter how unrelated to the topic, you just HAVE to connect it to his nuts.
I didn't pick the subject of TFA, you moron.
We're done here.
Re: (Score:2)
No, you attempted to be a contrarian because you felt Apple was under attack even though I clearly stated that Apple isn't even relevant to the topic, so you came to Apple's defense for who knows what the fuck reason, and it blew up in your face harder than Tim Cook's load.
Re: (Score:2)
No, you attempted to be a contrarian because you felt Apple was under attack even though I clearly stated that Apple isn't even relevant to the topic, so you came to Apple's defense for who knows what the fuck reason, and it blew up in your face harder than Tim Cook's load.
Look at the Title of the Slashdot Article.
How in the FUCK could "Apple" be NOT "relevant to the topic"?!?
Drain bramage, much?!?
Re: (Score:2)
Look at the Title of the Slashdot Article.
How in the FUCK could "Apple" be NOT "relevant to the topic"?!?
Drain bramage, much?!?
As I already said idiot, somebody made a totally nonsense connection between an ISP having a backdoor with Apple. And as I already said, why they did this is anybody's guess, and my hunch is somebody wanted to use the opportunity to talk about how much they love Apple. It's a total non-sequitor, but this is something I've come to expect from adherents of your religion.
And what happened to "we're done here"? Talk about brain damage.
Re: Apple right about something?!?!?! (Score:5, Informative)
Apple right about something?!?!?! ...
Only them and pretty much everyone else.
Re: (Score:3)
Re: (Score:2)
Not to mention, everytime you execute a program on an Apple PC/Laptop, it phomes home.
Plus "Apple right ???". No, everyone who knows a tiny bit about cyper security has been saying this for decades before apple even existed. So all Apple is doing is echoing decades old comments.
1. Only if you want it to.
2. Does that make them wrong?
Re: (Score:3)
Apple right about something?!?!?! ... I'VE FOUND A HERETIC!!! BUURRRN HIM!!!!
Full disclosure: I do not like Apple, Sony, Microsoft, almost all game companies, telecom.
That said, Apple's stance on back doors is correct. Thus proving the adage that even greedy assholes can be correct when their imperatives are threatened. Apple doesn't want their user base to be hacked and owned.
That's Apple's job.
Re: (Score:2)
Apple right about something?!?!?! ... I'VE FOUND A HERETIC!!! BUURRRN HIM!!!!
Full disclosure: I do not like Apple, Sony, Microsoft, almost all game companies, telecom.
That said, Apple's stance on back doors is correct. Thus proving the adage that even greedy assholes can be correct when their imperatives are threatened. Apple doesn't want their user base to be hacked and owned.
That's Apple's job.
Precisely!
Re: (Score:2)
Apple still pulled off a masterclass in marketing and redirection. Somehow they prevented anyone from asking the correct question. That correct question is "WHY is it even possible for a company to compromise the users encryption?". That is because they control it and they SHOULD NOT. Encryption plugins should allow the use of any encryption that the user chooses. Not encryption enforced by the creator that has the ability for them to give up the keys to the kingdom. Which encryption, and total control of k
Re: (Score:2)
Apple still pulled off a masterclass in marketing and redirection. Somehow they prevented anyone from asking the correct question. That correct question is "WHY is it even possible for a company to compromise the users encryption?". That is because they control it and they SHOULD NOT. Encryption plugins should allow the use of any encryption that the user chooses. Not encryption enforced by the creator that has the ability for them to give up the keys to the kingdom. Which encryption, and total control of keys involved should be left to the users. Period. If you aren't controlling your own encryption and encrypting BEFORE it is delivered to any app, consider it compromised.
Um, I thought you were wrong; so I checked. You are.
https://support.apple.com/en-u... [apple.com]
Re: (Score:2)
Apple still pulled off a masterclass in marketing and redirection. Somehow they prevented anyone from asking the correct question. That correct question is "WHY is it even possible for a company to compromise the users encryption?". That is because they control it and they SHOULD NOT. Encryption plugins should allow the use of any encryption that the user chooses. Not encryption enforced by the creator that has the ability for them to give up the keys to the kingdom. Which encryption, and total control of keys involved should be left to the users. Period. If you aren't controlling your own encryption and encrypting BEFORE it is delivered to any app, consider it compromised.
Um, I thought you were wrong; so I checked. You are.
https://support.apple.com/en-u... [apple.com]
Sorry to Reply to myself; but this needed to be added to shut you up:
https://support.apple.com/en-u... [apple.com]
Note that, other than "iCloud Mail" and Contacts and Calendars information, whose Open Protocols and Data Formats "do not allow" for Advanced Data Protection (see, also, Notes 1&2 in the above tech support article); the rest of all iCloud Data is end-to-end Encrypted, with the Keys stored On-Device.
Also note that, even with Standard Protection, many Classes of Data are still protected by On-Device Keys.
That's rich... (Score:3, Insightful)
They're part of PRISM.
Re: (Score:2)
hah yeah American company subject to American laws. Me thinks they doth protest too much and pose a little too hard :)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Yuo, since 2007? According to the slides from Snowden
ONE slide, with an Undated, Scribbled-On "Notation".
Sorry; not convinced it wasn't added.
Re: (Score:2)
They're part of PRISM.
Prove it.
nerd harder (Score:5, Insightful)
apple can be right all it wants but that won’t change the fact that politicians are know-nothings that don’t give a rat’s ass about weakening security when there is an opportunity for grandstanding and appearing to “do something.”
Re:nerd harder (Score:5, Insightful)
apple can be right all it wants but that won’t change the fact that politicians are know-nothings that don’t give a rat’s ass about weakening security when there is an opportunity for grandstanding and appearing to “do something.”
Remember: it's for the children !!
Seriously, there is no reason at all to provide the government with backdoor access to anything. If the government suspects someone of a crime, they can get a warrant, and compromise one of the endpoints, install hidden surveillance, or whatever. Backdoors led to spying in this case, but how many times has weakened security led to hacking and compromised data? Europe is fighting this battle right now with "chat control".
Re:nerd harder (Score:4, Insightful)
If a load of privacy being lost means some kids don't suffer or even people avoid being killed then thats fine by me.
Then you are dumb. Given enough privacy lost and government authoritarianism your kids lives will be a V for Vendetta nightmare and they'll be wondering why you stood by quivering, begging to give your rights to Big Brother for a little temporary protection.
No doubt I'll be modded down for having an opinion that goes against the tech nerd groupthink.
I could have, but prefer to reply and tell you what a short sighed chickenshit you are. I'll get modded down for trolling your frightened conformist groupthink.
Re: (Score:2)
Governments have always been able to access private info. Only recently has it become harder or impossible for them so I don't see what the big deal is. Encryption hasn't prevented authoritarian governments coming to power so your logic is flawed.
As for the insults, grow up man-child.
Re: Good guys don't outlaw/backdoor encryption (Score:2)
The good guys being for max profit corporations rather than elected governments, right?
Re: (Score:3)
"Remember: it's for the children !!"
Wait until you have kids then you may change your priorities. If a load of privacy being lost means some kids don't suffer or even people avoid being killed then thats fine by me.
No doubt I'll be modded down for having an opinion that goes against the tech nerd groupthink.
Draw me a line then. The majority of kids who have been abused are abused by a family member or a friend. Therefore we should require government cameras in every home to ensure some kids don't suffer or even die. Would you support this? If not why not, where do you draw the line?
Re: (Score:2)
Hidden cameras installed as part of a police investigation authorised by a judge? No problem at all with that.
No no, these cameras need to be installed as standard in every home just in case the police need them. Wouldn't want to tip the criminals off by installing them with a warrant, after all it's for the children. We'll just turn them on when we suspect you. If you've consented to warrantless backdoors in your phone without a police investigation, you should be okay with that right?
Re: (Score:2)
Re: (Score:2)
"I am fully capable of protecting them myself "
Keep telling yourself that, maybe even you'll believe it one day.
You'd change your tune if some paedo had encrypted pictures of them but it couldn't be proven unless the police broke the encryption.
Re: (Score:2)
Re: nerd harder (Score:2)
Not much of a father are you. I pity your kids.
Re: (Score:2)
Re: (Score:2)
If you want to see a coward look in the mirror. Its the guy hiding his fear of action behind personal "rights". You're pathetic.
Re: (Score:2)
Re:nerd harder (Score:5, Insightful)
It's not just the politicians, the journalists are no better. They are happy to use software like Telegram to protect their sources and avoid stories leaking. But when those same tools are used by 'bad people' it's a national scandal and the government needs to do something about it. They don't seem to understand that private communications work both ways.
As a previous poster noted, the government already has tools which can compromise the endpoints of secure communications, and legal opportunities to install them every time 'bad people' pass through a US airport. There's really no reason to install additional backdoors which can be abused by foreign governments/hackets.
Re: (Score:2)
politicians are just good at doing politics, when they draft laws they don't really need to know squat about the subject, they're just do what they're told to do.
now, the people who told them about this weren't stupid nor ignorant, they knew full well that these backdoors were a security threat for all, they just considered it as an acceptable drawback and risk if it allowed them to do the dirty little deeds they wanted.
btw the assumption that apple products don't have backdoors is pretty candid to put it v
Not completely buying into Apple's claims (Score:4, Interesting)
I am not buying Apple's story that they don't have any backdoors on their devices. Why I don't buy that is because there is evidence to indicate that they have secret API which they allow some select companies to use which has only one conceivable purpose - for spying and surveillance. I am referring to this incident when Uber app on Iphone was caught recording screens even when the app wasn't even running on the iphone. Somehow this story just disappeared with next to no followups from the IT security people.
https://thenextweb.com/news/re... [thenextweb.com]
Uber came up with a totally B.S explanation for why they were recording screens: "This API isn’t connected to anything in our current codebase, meaning it’s non-functional & there’s no existing feature using it. It was only ever used to render maps for an early version of our Apple Watch app, but has been dormant for quite some time. We are working with Apple to remove it completely ASAP."
What does recording screens have to do with displaying maps? and why didn't Apple contest this explanation? and how is it that Apple gave this secret entitlement to Uber?
This incident does show that, at the very least, there was some secret collusion between Apple and Uber to spy on users. And why would this happen unless there was some use case pushed by the surveillance state?
Re: (Score:2)
Re: (Score:3)
Wasn't exactly secret, it had a name and was in the manifest. Not like they needed to do some obfuscated port knocking to access it.
Re: (Score:2)
You really should read that article you linked to...
> It allows developers to read and write to part of the iPhone’s memory that contains pixel and display data.
write pixel data. For a completely custom renderer it even makes sense.
Not saying you're wrong to doubt the explanation, just that your doubting doesn't match what is in the article.
Re: (Score:2)
And read pixel data, to capture what is currently on the screen, not to render anything.
What about that?
Re: (Score:2)
Re: (Score:2)
Yes, that is the problematic part.
My point was:
> What does recording screens have to do with displaying maps?
The fact that the permissions API (wrongly) puts read and write in the same bucket.
Re: (Score:2)
If the watch didn't yet have a map widget, but did have a display image API, one could hack together a watch map interface by rendering the map on the phone, recording the screen, and transmitting the image to the watch. It's not a conspiracy, just shitty beta software that no one bothered to clean up. Or maybe Uber was doing some underhanded telemetry gathering. Wouldn't put it past them.
And Apple doesn't have "secret" APIs, they are just undocumented internal use only, reserved for iOS and first party app
Re:Not completely buying into Apple's claims (Score:5, Interesting)
And Apple doesn't have "secret" APIs, they are just undocumented internal use only, reserved for iOS and first party apps. Every OS has these.
Like in every OS except for the most popular kernel on the planet, you mean? And all of the other FOSS options? Or do you mean like what Microsoft was forced to open up to vendors, famously enabling Clownstroke to bring the Windows world to its knees for days?
Undocumented APIs are there specifically for antitrust, like when it was discovered that Microsoft Office was using one set of functions, and everyone else was using the documented functions which were literally the same functions with delay loops added. And Microsoft's excuse was that those delays were necessary if you didn't know what you were doing, but nobody else knew what they were doing because Microsoft refused to tell them.
If you believe any different from anyone, including Apple, then you are ignoring how everything works. Operating systems do not need such things at all, not even a tiny bit. Every single interface can and should be completely documented. Anything else is hostility or failure.
Re: (Score:2)
Like in every OS except for the most popular kernel on the planet, you mean?
The kernel is not the OS. Literally every OS has undocumented APIs, including that one running the most popular kernel on the planet.
Or do you mean like what Microsoft was forced to open up to vendors, famously enabling Clownstroke to bring the Windows world to its knees for days?
Microsoft didn't open up all APIs either. Microsoft was forced to open up specific APIs used by some very specific apps they were using in competition with others, all the while they actually did provide other documented APIs to achieve the same thing. ClownStroke was just that, a shitty company who didn't know what they were doing, using APIs in inappropriate ways interfacing
Re: (Score:2)
Literally every OS has undocumented APIs, including that one running the most popular kernel on the planet.
No FOSS OS has undocumented APIs.
Undocumented APIs are there for many reasons, including internal development reasons.
Guess what? Putting internal application development above external application development is done specifically for antitrust reasons.
Re: (Score:2)
Literally every OS has undocumented APIs, including that one running the most popular kernel on the planet.
No FOSS OS has undocumented APIs.
So long as there are no Binary BLOBs in the Build. . .
Re:Not completely buying into Apple's claims (Score:4, Interesting)
Let say I've got two shared libraries that ship with an OS. They each have their own public API, but lets say lib A.foo() needs to call some "internal" function in lib B called __os_internal__bar(). B.__os_internal__bar() is an internal implementation detail that is not part of the public, documented API of the OS and is subject to change without notice. However, since it is called by another lib it is an exposed symbol and can technically be called by anyone. Not saying it is good design, just that it happens.
Now let's say the clock app that ships with the OS, written by a junior dev who is under a time crunch or doesn't know any better, calls B.__os_internal__bar() directly, instead of going through A.foo(). Now we kinda sorta have to preserve it as an "unofficial", "internal" API, but we certainly don't want to encourage it, and we aren't going to sanction 3rd party apps calling it.
I'm not saying it's never been done for nefarious reasons, but I am saying it is not proof positive of an Apple/Uber/government co-conspiracy as pkphilip immediately jumped to. The most probable explanation is shitty software taking shortcuts and big companies giving each other privileged treatment. I'm not defending it as good, just saying often times it happens by accident or incompetence rather than by design.
Re: (Score:2)
The most probable explanation is shitty software taking shortcuts and big companies giving each other privileged treatment.
The latter of those IS ANTITRUST.
Re: (Score:2)
The most probable explanation is shitty software taking shortcuts and big companies giving each other privileged treatment.
The latter of those IS ANTITRUST.
Perhaps. Certainly unethical, but antitrust has a specific legal definition that I am not really qualified to apply to this situation.
But this thread was not about anti-trust. Specifically I was responding to the allegation in the top post:
I'm just saying that this is the least likely explanation,
Re: (Score:2)
Let say I've got two shared libraries that ship with an OS. They each have their own public API, but lets say lib A.foo() needs to call some "internal" function in lib B called __os_internal__bar(). B.__os_internal__bar() is an internal implementation detail that is not part of the public, documented API of the OS and is subject to change without notice. However, since it is called by another lib it is an exposed symbol and can technically be called by anyone. Not saying it is good design, just that it happens.
Now let's say the clock app that ships with the OS, written by a junior dev who is under a time crunch or doesn't know any better, calls B.__os_internal__bar() directly, instead of going through A.foo(). Now we kinda sorta have to preserve it as an "unofficial", "internal" API, but we certainly don't want to encourage it, and we aren't going to sanction 3rd party apps calling it.
I'm not saying it's never been done for nefarious reasons, but I am saying it is not proof positive of an Apple/Uber/government co-conspiracy as pkphilip immediately jumped to. The most probable explanation is shitty software taking shortcuts and big companies giving each other privileged treatment. I'm not defending it as good, just saying often times it happens by accident or incompetence rather than by design.
Finally!!!
Someone who really has been there; done that!
A tip o' the hat to you, sir.
Re: (Score:2)
I am not buying Apple's story that they don't have any backdoors on their devices. Why I don't buy that is because there is evidence to indicate that they have secret API which they allow some select companies to use which has only one conceivable purpose - for spying and surveillance. I am referring to this incident when Uber app on Iphone was caught recording screens even when the app wasn't even running on the iphone. Somehow this story just disappeared with next to no followups from the IT security people.
https://thenextweb.com/news/re... [thenextweb.com]
Uber came up with a totally B.S explanation for why they were recording screens: "This API isn’t connected to anything in our current codebase, meaning it’s non-functional & there’s no existing feature using it. It was only ever used to render maps for an early version of our Apple Watch app, but has been dormant for quite some time. We are working with Apple to remove it completely ASAP."
What does recording screens have to do with displaying maps? and why didn't Apple contest this explanation? and how is it that Apple gave this secret entitlement to Uber?
This incident does show that, at the very least, there was some secret collusion between Apple and Uber to spy on users. And why would this happen unless there was some use case pushed by the surveillance state?
Uber has, since its inception, been just one very-small step above a completely criminal organization. They didn't need any help from Apple. And besides; Qui Bono? Certainly not Apple!!!
Apple likely didn't want to make a big(ger) deal about a serious (and exploited!) vulnerability; and so didn't exactly go on the talk-show circuit to publicize it, especially not before they had a chance to:
1. Design and Test a Fix.
2. Scan all existing App Store Apps for signs of similar Exploitation.
. . .or perhaps that's j
Re: (Score:2)
This is important. Also, people need to be reminded of the Patriot Act and the orders it can enforce, under gag order. Look at all the so-called "secure VPN" companies that eventually are discovered to have been compromised by the US Gov't under this mode.
Apple is designing its own chips. I absolutely believe surveillance capabilities are engineered into the design; add to that, now, AI. Further, Apple has iCloud that they can parse through -- they hold master encryption keys -- at their will.
There are all sorts of ways to lie to the public, even with "white lies".
Also, take note over time that when something does interfere with surveillance, there's a war cry about "child porn" to get the public angry so they'll accept more controls. This tactic is classic. Of course their are pervs out there, but they make it sound like the pervs are running the world if we don't take away your rights OMG OMG LOL Like we're going to keep falling for it -- some do.
There's no real privacy. And that's a rabbit hole to fall into.
If you Enable "Advanced Data Protection", pretty-much all Data that can be exfiltrated is end-to-end Encrypted, with Keys Stored On-Device, in the Secure Enclave. Apple Has No Keys!
See:
https://support.apple.com/en-u... [apple.com]
Note that even "Standard Data Protection" stores the Keys On-Device for many Classes of Data. And Advanced Data Protection Hardens that significantly further.
Grounds for brining the gouvertement to a Court? (Score:2)
Would lawyers be able to use these backdoors imposed by the government, to bring the case to a court and demand compensation for the victims, and sanctions for those responsible for this deliberate weakening of security?
Re: (Score:2)
How about taking China to task, give all corporations a 2-year notice to move their manufacturing to another country, because that is when imports from China can be blocked. How long would it take for the Chinese economy to tank if the USA stopped all imports from China? The Trump approach was just to slap a tariff on things, without giving companies a chance to relocate their manufacturing. Telling the Chinese, "you've done this crap too many times, and it's time for you to actually get punished for
Re: (Score:3)
Fixed that for you.
It is, quite frankly, impossible to decouple the US economy from China on a foreseeable timescale, and vice-versa. Certainly not in the 2-year scale you suggest, nor on the 4-year timescale of an American president.
Sure, you might be able to get some companies to move their manufacturing somewhere else. But even the truly motivated ones would find that difficult - creating a new man
Re: (Score:2)
China already has many limitations on imports, not the useless tariffs, but hard limits, so, it's the sort of thing that should be at least moved towards with the crap the Chinese government keeps doing. I agree that it wouldn't be as simple as I suggested, but on the flip side, pushing companies to move their manufacturing out of China should be done.
Racist (Score:1)
Chinese hacker stereotype. I'm not Chinese and could be a hacker, too. I'm offended.
Alternate Reality? (Score:5, Informative)
What false reality is this where Apple didn't build a backdoor into their custom-silicon GPU?
https://arstechnica.com/securi... [arstechnica.com]
The whitepaper details step-by-step how the full access portal is activated and you can reproduce it on your own device if it hasn't been updated since they were caught.
The perniciousness of this is the knock is far into 64-bit address space so an exhaustive search would take decades. Only reverse-engineering an active exploit can find the addresses (or reversing the silicon).
We even know NSA deploys this against US-Citizen journalists who are at home.
The kayfabe gaslighting on this meme is astronomical. Is pretending somehow easier to live with mentally?
Re:Alternate Reality? (Score:5, Insightful)
I suspect most CPUs have some kind of backdoor, intentional or not. They need to be tested during the manufacturing process, which usually involves secret op-codes and interfaces that let someone with the right knowledge probe the chip's inner workings.
There's also the risk that microcode signing keys are leaked. They are obviously high value targets and likely irrevocable.
Re: (Score:3)
Re: (Score:2)
Angels and Demons (Score:5, Interesting)
Chinese Hack of US ISPs Show Why Bruce Schneier is (Score:5, Insightful)
“Either everyone gets to spy or nobody gets to spy,” he said. “And once you accept that, then you decide, do you want everybody or nobody?”
Re: (Score:2)
Re: (Score:2)
I am not defending the bad things the US government did.
That said, what makes you think the Chinese do not have police stations in the US?
Make your own research.
Backdoors lead to global thermonuclear war (Score:4, Funny)
Next thing you know your playing WOPR in a classic game of tic-tac-toe to save the world from annihilation.
Cpn O (Score:2)
Right Conclusion, Wrong Argument (Score:3)
I agree with the conclusion, but the argument is wrong. Remember what apple refused to do was create software that would allow it to workaround the limit on password guessing so the FBI could brute force the device password. The fact they refused implies that they *could* create that kind of software. Presumably, nation states like China could -- at least with access to the appropriate apple secret keys -- create the same kind of workaround. A system where apple used a secret key on an airgapped sealed cryptographic module to create per device law enforcement decryption keys would be no less secure.
The real danger is the second you create that legal precedent apple isn't going to be able to pick and choose which law enforcement requests it complies with -- be it from some random judge who issues the order ex-parte (say for a device image taken without your knowledge) without you having the chance to contest it or a request from judges in China. The danger here is mostly legal not technical.
Indeed, the greater hacking risk is probably someone hacking into a local police department and changing the account ID requested in a warrant and then getting access to your icloud backups that way than hacking a well-designed system that allowed apple to issue secondary per device decryption keys to law enforcement.
NIST used to require a back door in smart phones (Score:5, Interesting)
I was naive back then. The shit really hit the fan though when I was doing the FIPS testing on the original open SSL. It passed all the test cases but the random number generator wasn't the algorithm the authors claimed it was...
told you... (Score:3)
If I had a dollar for every time I got to say "told you so", I could... well, at least go on a pretty nice holiday.
The problem isn't this. It's not that it happened or that it was clear it would. The real problem is that those responsible knew that and still went ahead. And that they'll do the same thing again next time.
Because as much as the right currently rages on the left for being woke and facts being shoved aside for the benefit of feelings - the right has done the same thing with surveillance for decades. 90% of TSA has zero actual security effect and is purely there so people feel secure.
It's a problem you get every time politicans get to make decisions.
Re: (Score:2)
I think you got the core point there: The problem with our political system is that politicians aren't in the "most folks" category anymore. Being a politician is now a full-time job and an entire career. Many of the people in power haven't had an ordinary job in decades, if ever.
How dare they (Score:2)
why are balanced headlines so difficult? (Score:2)
Everyone didn't want backdoors, they were forced into them.
This headline makes it seem like Apple was some sole bastion of privacy and security, solely fighting the government against backdoors. They weren't the only ones against backdoors.
Lawful Intercept (Score:2)
A router isn't a back door (Score:2)
Re:Bullshit (Score:5, Insightful)
The threat models are entirely different. Your describing a threat where Apple as a corporation distributes signed software that violated customer expectations and their previous promises, and that people can protect against by not installing the software update. If a third party manages to subvert the build process, Apple and users can just install the software version that fixes it.
That's an entirely different threat than having wiretap or search backdoors that silently give access to real-time communications (in the case of wiretap) or data stored on arbitrary devices (in the case of backdoors). Vulnerabilities in those mechanisms become hugely valuable to any threat actor, not only the company that created the backdoor.
Re: (Score:2)
Which was not what the Feds were demanding, they wanted Apple to be able to get all the data off locked phones.
Re: (Score:3)
The phones don't know whether it's Apple or Guido the Yakuza Skinhead Human Trafficker trying to get data. They only respond to whatever technical trigger is built in.
Re: (Score:2)
They would know the same way they know an update is legit, Apple would sign the request with a private key from a HSM.
Re: (Score:2)
Yes, and when -- not if -- that process gets compromised, it opens an unfixable gaping security hole in every device everywhere. That would make it an extremely appealing target for every serious threat actor in the world, including government offensive cyber agencies. It is fundamentally different from the "bad software release" risk.
Re: (Score:2)
That's too pessimistic a view of the iOS update mechanism IMO.
Re: (Score:2)
It's so easy, we need to do this for porn: Just pass a law that all porn is encrypted by a key unique to each adult. That will save little Mary from grown-up truths, for sure.
Re: (Score:2)
Lets say Apple owned the private keys and would do decryption themselves only when ordered by court, then your porn would be exactly as safe against hackers as iOS updates.
The desirability of the scheme and the justification of hysterical fantasies about hackers are two seperate things.
A private key in an Apple HSM can already steal all your iPhone data in any realistic scenario (refusing updates will just saddle you with a mountain of former zero day vulnerabilities eventually, it's not realistic).
Re: Bullshit (Score:2)
How do people as dumb as you exist?
Re: (Score:2)
Just because these ancient wiretap APIs are poorly secured don't mean other mechanisms have to be. Especially if it has to be accessed by Apple themselves on request (which is what the FBI was demanding, not their own backdoor).
Apple has root on your phone and can steal all your shit on every update. Apple having a key to steal your shit when the phone is locked adds very little extra risk. It's a little extra attack surface code wise, but the security guarantuees are the same and the trusted party is the same.
Apple does not have root on your phone. And it certainly can't access it, or "force an update", without a Meatspace, Constitutionally-Protected, Manually-Entered, Inaccessible to Apple Passphrase (no Biometrics) permission.
Re: (Score:2)
Which you dutifully enter each time you use it, dutifully accepting updates too because no one desires being vulnerable to a pile of exploits and eventually incompatibility.
Would it make you feel better if I said that every normal user including you gives them remote root access regularly?
Re: (Score:2)
Which you dutifully enter each time you use it, dutifully accepting updates too because no one desires being vulnerable to a pile of exploits and eventually incompatibility.
Would it make you feel better if I said that every normal user including you gives them remote root access regularly?
By your measure, that same vulnerability exists on every single OS with a Login.
Re: (Score:2)
My point is that the login and update are not a vulnerability to hackers. All update mechanisms are inherent backdoors, so you already have to trust the security of your system provider against hackers.
Apple having a way to get into your device while locked does not create any significant extra hacking vulnerability, since it's protected the same as updates which any realistic user allows all the time. It only increases your vulnerability against law enforcement if they capture your device and get a court o
Re: (Score:2)
My point is that the login and update are not a vulnerability to hackers. All update mechanisms are inherent backdoors, so you already have to trust the security of your system provider against hackers.
Apple having a way to get into your device while locked does not create any significant extra hacking vulnerability, since it's protected the same as updates which any realistic user allows all the time. It only increases your vulnerability against law enforcement if they capture your device and get a court order for Apple to unlock it.
The hysterics about it being some gaping hole for hackers was always completely ridiculous.
I absolutely agree!
However, Court Order be Damned; Apple simply Cannot "Unlock" any of their Devices, and especially not without it being Wiped first. And if a User enables Advanced Data Protection, Apple can hand over all the Noise Data they want, and maybe it can be decrypted before the heat death of the Universe; maybe not. . .