this post was submitted on 19 Nov 2023
101 points (89.8% liked)

Technology

59666 readers
3616 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
all 32 comments
sorted by: hot top controversial new old
[–] danielfgom 20 points 1 year ago (1 children)

What's the big deal? Google already do this to Android AND they also host Hackathons where they invite people to do this and reward those who do.

Plus they have an ongoing bug bounty program so at anytime you can submit a bug/hack and get paid.

Apple don't have a history of doing this at all. This is literally the first time they are doing it because of the bad PR from Pegasus.

It shouldn't be applauded. They should be roasted for not having done this sooner

[–] [email protected] 1 points 1 year ago (1 children)

I haven’t heard about google testing hardware based attacks on their chips, which I suppose could be caused by android running on a wide variety of chips instead of a few home-developed ones. Next to that Apple has had a bug bounty program for ages, that pays well and covers a wide range of attacks. Not hosting open hackathons has perhaps something to do with public brand image, but Apple shouldn’t be discredited regarding rewarding the findings of bugs and exploits.

[–] danielfgom 6 points 1 year ago (1 children)

Not sure about their own chips but definitely hack the daylights out of Android.

Apple has a bounty program but it doesn't work. I've read multiple stories over the years of Devs who submitted show stopping bugs and never got anything back from Apple. And they take MONTHS to release a fix.

The Google Security Team found a massive hole in iOS, reported it to Apple, and after months of waiting with no feedback or fix released, they published it openly. Only THEN did Apple suddenly acknowledge it and released a fix.

Apple are the biggest hypocrites. They claim to be private and not collect data but literally everything you do on your phone they can see and collect. Everything in iCloud is on their servers. All your browsing history they can see in Safari.

The only difference between them and Google is that they claim not to sell the data. But as we know Edward Snowden told us that the CIA/FBI etc have full access to all the servers of the Big Tech companies under the Patriot Act. They can decrypt and see your data anytime.

So in other words not really private. None of them are.

[–] [email protected] 2 points 1 year ago (1 children)

Sadly the same thing has been happening on the android side (a quick google search seems to confirm this). Possible exploits reported but not patched in a timely manner. In general I feel like the Apple bug bounty problem has been swift, although indeed failing from time to time to reward an original reporter. I have not been keeping a close eye on the android side but I imagine the same has been happening. Apple has started to offer e2e encryption on iCloud data blocking even CIA/FBI access. And next to that, seeing I’m based in Europe (and so my data should too) I don’t feel like the patriot act has any impact on me.

[–] danielfgom -1 points 1 year ago (1 children)

I'm assuming that Big Tech holds the encryption keys which they give the government access to in order to decrypt your data. The point of the Act is to allow law enforcement to be able to legibly access data in order to investigate possible terrorists.

It wouldn't be a very useful Act if they don't hold the decryption keys. So they definitely do.

And Snowden is still wanted, which means the info he leaked is accurate.

I too am in the EU but I don't trust any government. I'm sure they also can get the access from the US if they really want to. No one's data is truly safe if you're using Big Tech.

[–] [email protected] 2 points 1 year ago (1 children)

Having someone else with the decryption keys is not how e2e works. E2E is a pretty solid and proven system, and I have yet to find a solid source about “big tech holding the keys”.

[–] danielfgom 2 points 1 year ago (1 children)

Search for Project Prism

Here's one exhibit:

"The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian.

The NSA access is part of a previously undisclosed program called Prism, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says.

The Guardian has verified the authenticity of the document, a 41-slide PowerPoint presentation – classified as top secret with no distribution to foreign allies – which was apparently used to train intelligence operatives on the capabilities of the program. The document claims "collection directly from the servers" of major US service providers."

Source: https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data

That was back in 2013. I'm sure the tool is even more advanced now. This is why Snowden fled - he exposed this.

[–] [email protected] 2 points 1 year ago (2 children)

Yeah as the previous commenter said, e2e encryption just doesn’t allow anyone to access the data but the owner of the keys. E2E is prized because of this. There are two keys: public and private. If you and I are both using iMessage, you send a message to me that is encrypted on your device using your private key, and sent to my device using my public key. Only you and I can ever see those messages unless someone gets access to one of our phones.

Now, iCloud is backed up to apples servers. If you have iMessage backup enabled, it’s possible, and maybe even likely tbh, that Apple has access to recent messages. iMessage is also (potentially, but again in this case, I’d argue likely) susceptible to man-in-the-middle attacks. Because you need my public key for our communication to be decrypted, if you receive some else’s public key instead, they now have your messages and I don’t.

The DEA and FBI have both had documents leaked mentioning they can’t track or trace or unencrypt iMessage. The same is true for WhatsApp or any e2e messaging service.

Again, this is all contingent on not using iCloud backup. If you use iCloud backup, then the encryption keys used can be accessed with the proper authority. I assume (but haven’t looked into it) that Google is the same. If you don’t backup your e2e encrypted content, it cannot be decrypted without the private key only you have access to. Of course iCloud backup is enabled by default, so for the vast majority of Apple users, their messages and information are all available anyway so none of this matters.

In addition, iMessage uses a directory lookup to find the correct public key for your recipient. This information Apple does keep (I am unsure how long). What this means is that law enforcement (with a warrant) can see who and how often you are messaging. That alone is information we really don’t want people having.

So the moral is: if you don’t use backups for e2e encrypted communication, your content cannot be read externally. It’s just the way cryptography works.

This doesn’t mean that companies do not share information with law enforcement. There is a lot of unencrypted information Apple, Google, et al will share with government agencies when a warrant or subpoena is served. In addition to that, your phone provider will share information with them. In addition to that any SMS or MMS messages sent from any device will lack encryption and be easily discoverable.

Tl;dr: e2e encryption is secure, as long as you follow best practices and have an idea of how encryption works.

[–] danielfgom 1 points 1 year ago
[–] danielfgom 1 points 1 year ago (1 children)

Just a thought: how can the public key unencrypt something that was encrypted with a private key? Wouldn't the receiver need the same private key that was used to create the encryption.

Normally I'd encrypt a hard drive, for example, you're asked for a password to decrypt it again. And it also generates a long recovery key. If I try to decrypt with the wrong password, it won't decrypt.

Another thought: surely the sender must be sending the key to the receiver via a server (eg WhatsApp or iCloud)? If so what prevents that server from keeping a copy of the key and the message for future decryption by law enforcement?

Thanks

[–] [email protected] 1 points 1 year ago (1 children)

The public key doesn’t decrypt the information. The public key is used only for encryption. The private key is what is used for the decryption. Since the private key is on-device, there’s no way to get access to the decryption. It’s actually a bit more complicated than I wanted to go into for an already ridiculously long comment, but I’ll explain a bit more here.

With a hard drive, you have one key. This kind of encryption is called symmetric encryption. It uses a single private key, and that key can be used to decrypt at any time.

E2E encryption uses what is called asymmetric encryption. The key used to encrypt the information is actually the recipients public key. This is where some information is exposed to Apple (or anybody else who uses a directory lookup to find a public key). That lookup tells Apple who and how often you are messaging. This they will absolutely give to law enforcement with a warrant. It doesn’t tell a lot, but it does give information about your correspondence.

Once the information is encrypted, the matching private key is the only thing that can decrypt the content. This also places a vulnerability because if somebody sends a different public key, now the message is decryptable by the bad actor.

So because of the two key system, the private key for each individual is inaccessible to anyone except the individual. It’s actually a really cool concept. This is how HTTPS functions as well. TLS (it’s just the cryptographic protocol HTTPS uses) creates a secure connection using asymmetric encryption. The information it sends then uses symmetric encryption.

I’m a developer, and not an information security expert, so some of this may not be completely accurate, but it should be accurate for the most part. If you’re interested at all I would definitely suggest looking into it because I think it’s super neat.

Of course if you have any more questions I’m willing to talk as well.

[–] danielfgom 1 points 1 year ago

Thank you for taking the time to reply. I think I need to get read up on this.

Have a great day.

[–] [email protected] 20 points 1 year ago (1 children)

This is the best summary I could come up with:


Using a vast array of technology including lasers are finely tuned sensors, they are trying to find gaps in their security and patch them up before they even arrive in the world.

The actual chip doing the encryption can show signs of what it is doing: while processors might seem like abstract electronics, they throw out all sorts of heats and signals that could be useful to an attacker.

But they are up against highly compensated hackers: in recent years, there has grown up to be an advanced set of companies offering cyber weapons to the highest bidder, primarily for use against people working to better the world: human rights activists, journalists, diplomats.

But recent years have also seen it locked in an escalating battle: Lockdown Mode might have been a breakthrough of which it is proud, but it was only needed because of an unfortunate campaign to break into people’s phones.

It is not the kind of difficulty that comes even with other security work; those stealing passwords or scamming people out of money don’t have lobbyists and government power.

The kind of highly targeted, advanced attacks that Lockdown Mode and other features guard against however are costly and complicated, meaning they will often be done by governments that could cause difficulties for Apple and other technology companies.


The original article contains 2,167 words, the summary contains 219 words. Saved 90%. I'm a bot and I'm open source!

[–] [email protected] 15 points 1 year ago (3 children)

Downvote me if you must but what if Apple accidentally became the Privacy community's greatest ally? I know it can't happen bc they'll always keep a back door for their data mining

[–] stevedidWHAT 19 points 1 year ago (2 children)

A back door is not what apple uses to collect data, that’s very very different from sending analytics.

Apple already outperforms google by 3x in terms of privacy points collected.

Wanna talk about backdoors? Check out the exploit list for android phones compared to iPhones. Nuff said.

[–] cheese_greater 4 points 1 year ago (1 children)

How does a multimillion dollar company beat a trillion dollar company ath their own security game? Also stop suing Corellium is a good start, don't sue when you get caught lying, do better.

[–] stevedidWHAT 5 points 1 year ago

Idk but there’s plenty of other android os that are more secure than what google puts out. And they make substantially less.

Google hasn’t been the same since the switch regarding “evil” and “ethics”.

Anyone can see that.

[–] [email protected] 14 points 1 year ago

Hell, if they legitimately stopped their data collection, that would be enough to tip me into iOS until a truly good linux phone in my price range happens.

[–] Vub 4 points 1 year ago (1 children)

I’m curious, do you have a source for them having a backdoor and mining data?

[–] [email protected] 0 points 1 year ago (1 children)

Pure speculation based on things I saw in the news over the years

[–] Vub 1 points 1 year ago

Wow OK, well that doesn’t have any value then. It’s best not to spread rumours since eich behaviour it can easily spread to other, more important, issues in society.

[–] sebinspace 14 points 1 year ago (1 children)

Isn’t this just pentesting?

[–] SVcross 6 points 1 year ago

But is also marketing.

[–] Potatos_are_not_friends 0 points 1 year ago* (last edited 1 year ago) (1 children)

Definitely applauding them on going hard and testing their stuff.

I'm thinking of how Sony and Nintendo had piracy issues that completely ruined their hardware sales. Then again, they can kinda get away with it in the short run by continuing to release quality software.

Apple doesn't have that luxury as they've cemented themselves as making good bundled hardware+software. If any part of that gets crippled, they're fucked.

[–] AProfessional 8 points 1 year ago

Are there numbers showing any meaningful harm to Sony or Nintendo?