Tag Archives: apple

End to end Encryption, Apple and iCloud to WSJ Future of Everything

How can you help prevent or lessen the risk for companies and, more importantly, for people? End to end encryption using on device keys. Many or all cloud providers encrypt, but they all hold the keys. Think about Apple’s iCloud backups for iPhone, iPad, Mac etc. While encrypted, Apple holds the keys. At any point an employee at any of the cloud providers – AWS, Google, Microsoft, maybe more (*1) – or a hacker could replicate the backups. Or the NSA, CIA, FBI, MSS (China), EU, Russia etc. could capture them in transit. So any person who has ever backed up to iCloud could have an image backup captured by someone else. With more than 1.8 billion active devices (*2) that is a hugely valuable trove of data including passwords, images, videos, documents, emails, thoughts etc. for state security agencies, hackers, criminals etc. All that is required then is access to Apple’s keys. How secure are Apple’s keys? The answer to that is: how many zero-days does Apple patch? (*3) No company, Apple included, is perfect. It could be a software bug, a burglar, a rogue employee willing to take a $10 million payoff, someone (NSA, MSS etc.) who has broken into Apple’s internal systems, a social engineering hack or any number of other ways.

How much would the NSA or CIA pay to have a copy of every email, text message, credit card, passwords to everything, photo and video for 1.8 billion devices?  What about a rogue country?  What about criminals?  It makes a huge target on Apple and on every cloud provider to have the master key just one hack away.  Then everything ever backed up on icloud is potentially available.

The same holds for Google, Microsoft, Amazon, and every other company. This is not an attack on Apple; they probably have the best security out there, but it can be improved. Apple planned to add it (*4) back in 2017 or 2018, but caved to FBI pressure. Any company or person that uses iPhones or iPads and iCloud backup etc. is vulnerable to an Apple iCloud hack. Any company that uses Google, Microsoft or AWS is at least as vulnerable, if not more so, to similar methods.

On device keys means that if your device is compromised, your information is compromised, but that is only 1 person, not 1.8 billion devices all at once. Ditto for Android etc. Thus, if you are a high value target using an iPhone, you could be at risk just like now, but there isn’t one master key that will open every door, just one door at a time, making the value of an attack 1.8 billion times smaller.
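To make the blast-radius argument concrete, here is an added example (not code from the post, and not Apple’s design): it uses AES-256-GCM as a stand-in for whatever a provider actually uses, backs up n constructed devices once under a single provider-held master key and once under per-device keys, then counts how many backups an attacker holding the leaked key material can read.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"

// aead wraps a 32-byte key in AES-256-GCM; the key size is fixed, so no error path.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// randBytes draws from the OS CSPRNG (crypto/rand.Read does not fail in practice).
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// seal returns nonce||ciphertext, the only thing the provider needs to store.
func seal(key, pt []byte) []byte {
	nonce := randBytes(12) // standard GCM nonce size
	return aead(key).Seal(nonce, nonce, pt, nil)
}

// CountRecoverable models the post's attacker: a copy of every stored backup
// plus whatever keys were obtained. GCM's auth tag rejects every wrong key.
func CountRecoverable(leakedKeys, backups [][]byte) (n int) {
	for _, blob := range backups {
		for _, k := range leakedKeys {
			if _, err := aead(k).Open(nil, blob[:12], blob[12:], nil); err == nil {
				n++
				break
			}
		}
	}
	return
}

// Simulate backs up n devices both ways; returns backups readable after (a) the
// provider's master key leaks and (b) one device's own key leaks.
func Simulate(n int) (masterKeyLeak, oneDeviceLeak int) {
	master := randBytes(32)                      // provider-held key shared by every backup
	pt := []byte("passwords, photos, messages") // constructed backup contents
	var escrowed, deviceKeyed, deviceKeys [][]byte
	for i := 0; i < n; i++ {
		dk := randBytes(32) // generated on the device, never uploaded
		deviceKeys = append(deviceKeys, dk)
		escrowed, deviceKeyed = append(escrowed, seal(master, pt)), append(deviceKeyed, seal(dk, pt))
	}
	return CountRecoverable([][]byte{master}, escrowed), CountRecoverable(deviceKeys[:1], deviceKeyed)
}
```

With n devices the master-key leak yields n readable backups, while the single compromised device yields exactly one.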

It isn’t a question of IF this will happen, it is just a question of WHEN it will happen. Who knows, perhaps the NSA or CIA or FBI already has the keys and access to the backups via other methods. When was the last time there was a big stink between the FBI and Apple? It has been a while, which is worrying.

The key is that eventually Apple, Google, Microsoft, and/or AWS encryption keys will be lost, just no one knows when.  Zero trust is critical to prevent huge damage.  Think of the cost of 1.8 billion devices being compromised to credit card companies to replace cards, everyone having to change every password, private photos and videos being accessible, private thoughts and correspondence.  They are staggering, in the trillions.  And that would be just Apple.  Think about the liability to Apple, a huge class action suit.  Think about the liability to their cloud providers etc.  

* Notes: 

1. Providers Apple uses for iCloud, see https://en.wikipedia.org/wiki/ICloud

2. Number of Apple devices: https://www.theverge.com/2022/1/28/22906071/apple-1-8-billion-active-devices-stats

3. 8 between 1/1/2022 and 9/12/2022  https://www.bleepingcomputer.com/news/security/apple-fixes-eighth-zero-day-used-to-hack-iphones-and-macs-this-year/ And more with iOS 16:  https://nakedsecurity.sophos.com/2022/09/12/apple-patches-a-zero-day-hole-even-in-the-brand-new-ios-16/

4. https://www.reuters.com/article/us-apple-fbi-icloud-exclusive/exclusive-apple-dropped-plan-for-encrypting-backups-after-fbi-complained-sources-idUSKBN1ZK1CT

5. More on security:


Facebook Takes Out Full-Page Newspaper Ads to Attack Apple’s iOS Privacy Changes, wants to track your money too with diem/libra

Facebook has today attacked Apple in a series of full-page newspaper ads, falsely claiming that iOS 14’s privacy changes regarding data gathering and targeted advertising are bad for small businesses. (https://www.bloomberg.com/news/articles/2020-12-16/facebook-attacks-apple-s-ios-changes-in-full-page-newspaper-ads)

In reality, it is pure self interest. Facebook, Google, Twitter etc. want to be able to track and monitor you everywhere on the web and don’t like Apple interfering, and they also want to be able to track and monitor EVERY time you use their Diem coin.

Their Diem (used to be Libra) coin is the largest anti-privacy, anti-freedom, anti-liberty trojan horse ever. The “Diem Association”/“Libra Association” is essentially an unregulated central bank that will monitor EVERY transaction in the ledger, freeze, control, inflate the value away or seize your coins at any point. And it will be ONLY the association who can monitor it. Plus you can bet the governments around the world will want in on the ledger to monitor it.

Goodbye privacy for everything if people take up Diem and if Apple doesn’t stand up to them for the privacy of everyone else.

At least with the Fed and other central banks there is some control via a vote so that people know the issues with it. (assuming that Facebook, Google and Twitter allow you to criticize the Diem and don’t label it as “fake news” or “disputed”).

It is centralized, censorable, blocked at a border, tied to fiat, can be frozen at the whim of whatever government can pressure FB. It might just be FB not liking what you are posting or disagreeing with you. As the last few years have shown, these huge companies (FB, Twitter, Google etc.) are beholden to the governments and political parties. Do something they don’t like, “well your coins are frozen and you can’t move them or cash out.” Recourse? None, since they aren’t regulated banks. Think they are following you now with cookies etc.? Soon they’ll be able to also track what you spend your coins on. Bitcoin will (one hopes shortly) be helping to increase privacy on chain via taproot and extensions.

It might as well be the Petro or one of the other nonsense coins.  Anyone who decides to use this is just asking to be controlled, watched and monitored. 

Apple standing up to Facebook in this case is important.  If they’d stand up to the authoritarians everywhere around the world that would be a good step also.