Category Archives: Science

End to end Encryption, Apple and iCloud to WSJ Future of Everything

How can you help prevent or lessen the risk for companies and, more importantly, for people?  End to end encryption using on-device keys. Many or all cloud providers encrypt, but they all hold the keys. Think about Apple’s iCloud backups for iPhone, iPad, Mac etc.  While encrypted, Apple holds the keys.  At any point an employee at any of the cloud providers – AWS, Google, Microsoft, maybe more (*1) – or a hacker could replicate the backups.  Or the NSA, CIA, FBI, MSS (China), EU, Russia etc. could capture them in transit.  So any person who has ever backed up to iCloud could have an image backup captured by someone else. With more than 1.8 billion active devices (*2) that is a hugely valuable trove of data including passwords, images, videos, documents, emails, thoughts etc. for state security agencies, hackers, criminals etc.  All that is required then is access to Apple’s keys.  How secure are Apple’s keys?  The answer to that is: how many zero-days does Apple patch? (*3)  No company, Apple included, is perfect.  It could be a software bug, a burglar, a rogue employee willing to take a $10 million payoff, someone (NSA, MSS etc.) who has broken into Apple’s internal systems, a social engineering hack or any number of other ways.

How much would the NSA or CIA pay to have a copy of every email, text message, credit card, password to everything, photo and video for 1.8 billion devices?  What about a rogue country?  What about criminals?  It puts a huge target on Apple and on every cloud provider to have the master key just one hack away.  Then everything ever backed up to iCloud is potentially available.

The same holds for Google, Microsoft, Amazon, and every other company.  This is not an attack on Apple; they probably have the best security out there, but it can be improved.  Apple planned to add it (*4) back in 2017 or 2018, but caved to FBI pressure.  Any company or person that uses iPhones or iPads with iCloud backup etc. is vulnerable to an Apple iCloud hack.  Any company that uses Google, Microsoft or AWS is at least as vulnerable, if not more so, to similar methods.

On-device keys mean that if your device is compromised, your information is compromised, but that is only one person, not 1.8 billion devices all at once.  Ditto for Android etc.  Thus, if you are a high value target using an iPhone, you could be at risk just like now, but there isn’t one master key that will open every door, just one door at a time, making the value of an attack 1.8 billion times smaller.
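To make the blast-radius argument concrete, here is an added example (my own illustration in Go, not code from the post or from any cloud provider). It stores the same three constructed backups under both models: one provider-held master key that can open every backup, versus a key derived on each device that the server never sees. The device names, backup contents and the SHA-256 stand-in for a real hardware-anchored key derivation are all assumptions made for the example; the encryption is standard-library AES-256-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Backup is all the cloud stores for one device: a nonce plus AES-GCM ciphertext.
type Backup struct {
	DeviceID   string
	Nonce      []byte
	Ciphertext []byte
}

// randomBytes draws n bytes from the OS CSPRNG (keys, device secrets, nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM wraps a 32-byte key in AES-256-GCM; only a wrong key size can fail.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// deriveDeviceKey turns a secret that never leaves the device into a 256-bit
// key. Hypothetical stand-in for a real KDF anchored in secure hardware.
func deriveDeviceKey(deviceSecret []byte, deviceID string) []byte {
	h := sha256.New()
	h.Write([]byte("backup-key-v1/" + deviceID + "/"))
	h.Write(deviceSecret)
	return h.Sum(nil)
}

// sealBackup encrypts one device's backup, binding the ciphertext to the
// device ID through GCM's associated data.
func sealBackup(key []byte, deviceID string, plaintext []byte) Backup {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	ct := gcm.Seal(nil, nonce, plaintext, []byte(deviceID))
	return Backup{DeviceID: deviceID, Nonce: nonce, Ciphertext: ct}
}

// openBackup decrypts a backup; the GCM tag check fails under the wrong key.
func openBackup(key []byte, b Backup) ([]byte, error) {
	return mustGCM(key).Open(nil, b.Nonce, b.Ciphertext, []byte(b.DeviceID))
}

// readableWith counts the stored backups an attacker holding the given keys
// can decrypt: the blast radius of that key compromise.
func readableWith(backups []Backup, keys [][]byte) (n int) {
	for _, b := range backups {
		for _, k := range keys {
			if _, err := openBackup(k, b); err == nil {
				n++
				break
			}
		}
	}
	return n
}

// blastRadius stores three constructed backups under each model and returns
// how many are readable after (a) the provider's master key leaks and
// (b) one device's key leaks.
func blastRadius() (providerLeak, deviceLeak int) {
	master := randomBytes(32) // model 1: one provider-held key opens everything
	var providerStore, deviceStore []Backup
	var deviceKeys [][]byte
	for _, id := range []string{"phone-A", "tablet-B", "laptop-C"} {
		content := []byte("photos, passwords and mail of " + id) // constructed
		providerStore = append(providerStore, sealBackup(master, id, content))
		k := deriveDeviceKey(randomBytes(32), id) // model 2: per-device key
		deviceKeys = append(deviceKeys, k)
		deviceStore = append(deviceStore, sealBackup(k, id, content))
	}
	providerLeak = readableWith(providerStore, [][]byte{master})
	deviceLeak = readableWith(deviceStore, [][]byte{deviceKeys[0]})
	return providerLeak, deviceLeak
}

func main() {
	p, d := blastRadius()
	fmt.Printf("readable after a leak: provider key %d/3, one device key %d/3\n", p, d)
}
```

Running it prints that the leaked master key opens 3 of 3 backups while a single leaked device key opens 1 of 3; with three real keys the ratio is 3:1, with the post’s 1.8 billion devices it is the 1.8-billion-to-one the paragraph describes. The server-side store is identical in both models (nonce plus ciphertext), which is the point: the difference is purely where the key lives.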

It isn’t a question of IF this will happen, it is just a question of WHEN it will happen.  Who knows, perhaps the NSA or CIA or FBI already has the keys and access to the backups via other methods.  When was the last time there was a big stink between the FBI and Apple?  It has been a while, which is worrying.

The key point is that eventually Apple, Google, Microsoft and/or AWS encryption keys will be lost; no one knows when.  Zero trust is critical to prevent huge damage.  Think of the cost of 1.8 billion devices being compromised: credit card companies having to replace cards, everyone having to change every password, private photos and videos being accessible, private thoughts and correspondence exposed.  The costs are staggering, in the trillions.  And that would be just Apple.  Think about the liability to Apple, a huge class action suit.  Think about the liability to their cloud providers etc.

* Notes: 

1. Providers Apple uses for iCloud, see https://en.wikipedia.org/wiki/ICloud

2. Number of Apple devices: https://www.theverge.com/2022/1/28/22906071/apple-1-8-billion-active-devices-stats

3. 8 between 1/1/2022 and 9/12/2022  https://www.bleepingcomputer.com/news/security/apple-fixes-eighth-zero-day-used-to-hack-iphones-and-macs-this-year/ And more with iOS 16:  https://nakedsecurity.sophos.com/2022/09/12/apple-patches-a-zero-day-hole-even-in-the-brand-new-ios-16/

4. https://www.reuters.com/article/us-apple-fbi-icloud-exclusive/exclusive-apple-dropped-plan-for-encrypting-backups-after-fbi-complained-sources-idUSKBN1ZK1CT

5. More on security:

https://www.boxcryptor.com/en/blog/post/iphone-backup-icloud-encryption/

Fauci lies again about herd immunity

From the New York Times, December 24, 2020: “Dr. Fauci acknowledged that he had slowly but deliberately been moving the goal posts. He is doing so, he said, partly based on new science, and partly on his gut feeling that the country is finally ready to hear what he really thinks.”

So Fauci again lied about the herd immunity goal posts, based on his “feeling” about what people were “ready to hear.” How about the truth, Dr.? How about not attempting to manipulate people to accomplish some deeper goal?

Apologists for Fauci on the mask issues admit he lied about masks for months in order to prevent a run on masks. It is completely rational to question his veracity. Lies for a good reason are still lies. Lying to the public for all of 2020 should immediately be cause for him to resign in disgrace.

His ensuing lack of credibility and credulity among people paying attention to the actual science is due to his continual lies over the course of 2020. If you truly care about science, you need to look at the actual factual data without the lying Fauci filter intervening. Anyone who really cares about facts, science, and reality must realize that Fauci has been playing politics with coronavirus since January 2020.

One wonders what he was telling the President at the same time? Certainly not the truth given his public statements. Where are the full transcripts of the coronavirus meetings?

Remember that when Fauci claims to be “pro science” he may really be lying which we may find out half a year or longer later. Selectively presenting facts results in people viewing him as a calculating person who is out to manipulate instead of being honest. Who wants their information coming from a person like that? No one who honestly cares about the truth or science.

Scientists should present facts, and truth, not massaging the information to manipulate people. That is anti-science, anti-reality, and anti-reason. It has one huge effect, to politicize whatever it is and undermine the trust in science. That is something anyone who believes in the scientific method should avoid at all costs. It is the trademark of hacks.

Fauci’s behavior is more typical of a cult than science. He should be ashamed.

Schwab.com Password security – passwords limited to 8 characters

[Still true as of July 2013] Schwab.com limits passwords to between 6 and 8 letters or numbers.  It does not allow longer passwords nor does it allow special characters, such as “!” or “$” or “%”. Limiting the selection of characters and the length greatly increases the chances that someone could hack into accounts at schwab.com.

Perhaps management isn’t aware of the vulnerabilities this causes.  As a Schwab client since around 1994, I have been concerned about this for years, and with all the issues for large banks and financial institutions over the past few months, Schwab unfortunately still has not addressed it.

Feb 2013 update:  Schwab has not addressed this except to recommend two factor authentication, if requested. However, if you do not have your token generator, it becomes much more inconvenient to access Schwab. An 8 character password with only alphanumeric characters is practically negligent on Schwab’s part for any year after 1995.  For Schwab’s two factor authentication, the SchwabSafe Page has more information or call Schwab at 800-435-4000.

From Schwab.com:
http://www.schwab.com/public/schwab/nn/legal_compliance/schwabsafe/your_questions_answered
“What format should my Schwab.com password take?
Your Schwab.com password should be a random combination of six to eight numbers and letters, with at least one number included between the first and last character. It should not be a significant sequence like your Social Security Number or birth date.”

invent a method of embalming drowned persons, in such a manner that they might be recalled to life at any period, however distant; for having a very ardent desire to see and observe the state of America a hundred years – Benjamin Franklin

“I wish it were possible …to invent a method of embalming drowned persons, in such a manner that they might be recalled to life at any period, however distant; for having a very ardent desire to see and observe the state of America a hundred years hence, I should prefer to an ordinary death, being immersed with a few friends in a cask of Madeira, until that time, then to be recalled to life by the solar warmth of my dear country! But…in all probability, we live in a century too little advanced, and too near the infancy of science, to see such an art brought in our time to its perfection”. 1773, Benjamin Franklin to Jacques Dubourg.

“Risk adjusted returns” on stocks are nonsense

The concept of “risk adjusted returns” is nonsense since “risk” is not defined as one might ordinarily think.  What investors should care about is maximizing total long term returns.  Volatility adjusted returns aren’t relevant to most long term investors.  Obviously this is different for short term investments that you might need in the next few (2-10) years.  The goal should be to invest in low cost stock indexes (e.g. mutual funds [edit: or now ETFs] from low cost providers such as Vanguard or Schwab) and let your money compound over decades.  For someone in their 20s, 30s, 40s (or arguably even in their 50s) the optimal long term percentage for their investment portfolio is a 100% stock mix. At those ages you have decades of compounded investment returns.   For people with larger portfolios in their 60s and up who can withstand volatility and not have it impact their lifestyle, a high (90+) percentage is also reasonable: if you are only withdrawing income from your portfolio, that will be much less volatile than prices.  Not completely non-volatile of course, just less.

When your time horizon is decades, you shouldn’t care about short term volatility.  For example, t-bills might be less volatile than stocks, but over any reasonable time period the total return of stocks has been much higher.

Obviously you should talk to a financial advisor about your specific scenario, but for people in the younger age range, time and compounding at the highest rate possible is critical.