Apple again rumored to goose iCloud security amid iPhone encryption flap

2

Comments

  • Reply 21 of 43
    MacProMacPro Posts: 19,718member
    Swear said:

    Ah, Apple the company that all major terrorist organizations around the world recommend for it's member's use.....
    And therein lies the rub.

    How would Apple protect 500 million iPhone users' privacy... while simultaneously providing law enforcement access to 50,000 terrorists' iPhones?

    Imagine what sort of information you could find on people's phones these days:  their home address, pictures of their children, their children's school, schedules, emails, access to door locks, garage door openers, health data, etc.  Do you really want that stuff to be easily accessible to any common criminal?

    I certainly don't.  It should be as secure as it can possibly be.

    But by keeping that information secure... it also prevents law enforcement from getting into criminals' phones too.  

    There's no way to selectively make some phones secure while making other phones easy to open.

    So what do you think Apple should do?
    IMHO it's all or nothing.  

    In answer to your question ... A sense of false security is worse than none so one could argue zero encryption would make everyone more careful.  Then there is the problem you outline, dangerous people could easily know everything about a target's family etc.  Also that would inevitably lead to those in power having their systems heavily encrypted for national security reasons anyway.  So then we are back to it's better to have billions secure even if thousands of bad people can communicate secretly.  At least they are unable to access anyone else.  So I come down in favor of Tim by process of elimination. The problem is most people are easily fooled by phishing scams.    Witness the so called hacking of iCloud the press so eagerly reported on.  The perpetrator admitted this week in court it was a simple phishing scam (as we all suspected here on AI)  and there was no hacking involved.  There is zero protection against an idiot handing their user name and password out and the world in made up almost entirely of idiots.
    edited March 2016 pscooter63dasanman69ration albanchocornchip
  • Reply 22 of 43
    lkrupplkrupp Posts: 10,557member
    So what does this mean for users being able to set up a device from iCloud backup? Will that still be possible or are you sol if you forget your password?
    The Apple discussion forums are full of poor souls who forgot their passcode, forgot their security questions, bought a used device and forgot to ask the previous owner to unlock it, and probably forget their own names from time to time. Call them stupid, call them ignorant, laugh at their predicament if you want to, but they are customers. They will be sol and they will be angry that Apple can’t help them. What good is a backup if you can’t access it? This is a real problem and I wonder what solution is available fro these types.
    ration altenly
  • Reply 23 of 43
    MacProMacPro Posts: 19,718member
    lkrupp said:
    So what does this mean for users being able to set up a device from iCloud backup? Will that still be possible or are you sol if you forget your password?
    The Apple discussion forums are full of poor souls who forgot their passcode, forgot their security questions, bought a used device and forgot to ask the previous owner to unlock it, and probably forget their own names from time to time. Call them stupid, call them ignorant, laugh at their predicament if you want to, but they are customers. They will be sol and they will be angry that Apple can’t help them. What good is a backup if you can’t access it? This is a real problem and I wonder what solution is available fro these types.
    I wonder if biometrics are not the solution.  That said, these 'poor souls' wouldn't do it a second time I'd hope. :)
  • Reply 24 of 43
    lkrupplkrupp Posts: 10,557member
    bdkennedy said:
    We can cheer Apple on, but if the government wins and decides to fine Apple per iPhone for not being able to circumvent encryption, this could cause Apple to price the iPhone out of most people's reach.

    The biggest setback would be other countries not trusting Apple anymore.

    The government cannot and should not win this.
    But they could trust Google’s Android or Blackberry? Is that what you’re saying? It’s only Apple that gets the shaft if the government “wins?”
  • Reply 25 of 43
    CMA102DLCMA102DL Posts: 121member
    Swear said:
    Ah, Apple the company that all major terrorist organizations around the world recommend for it's member's use.....
    And yet, those ISIS terrorists used PlayStation 4 and clear communication to plan and conduct the Paris attacks. And these terrorists were in watch list and their photos were in the ISIS magazine. Where CT intelligence asleep or were they looking for information in the wrong place? I swear, these intelligence agencies are so worried about encrypted communication that terrorists find alternate channels and avoid detection. I am not saying that you are wrong, but even with iPhones, the NSA can go to the Telecom companies with a court order and request business records. With all that metadata and a bright analyst, CTs should be able to connect dots. But say that the FBI succeeds at forcing Apple to weaken encryption and then continues weakening other encryption, then nobody will use encryption. NOBODY. Terrorists will communicate via couriers and face to face or find other less than obvious communication methods. The general public will stop using the internet for sensitive data transfer. A double whammy. With weakened encryption, the world infrastructures such as power, water and defense will be more exposed to cyber attacks. Hackers and governments will be able to easily mount attacks to shut down power, open dams, maybe redirect drones....imagination is the limit.

    edited March 2016 jony0
  • Reply 26 of 43
    mjtomlinmjtomlin Posts: 2,673member
    To be clear, the data stored on Apple's servers is encrypted. Should Apple's servers ever be "compromised" your data is still safe. The biggest difference between data on the iPhone and that stored in the cloud is that Apple knows the encryption key to your iCloud account. They have to in case you forget your password and it needs to be reset. This is also how they're able to hand over that data to law enforcement officials.
    ration al
  • Reply 27 of 43
    rogifan_newrogifan_new Posts: 4,297member
    mjtomlin said:
    To be clear, the data stored on Apple's servers is encrypted. Should Apple's servers ever be "compromised" your data is still safe. The biggest difference between data on the iPhone and that stored in the cloud is that Apple knows the encryption key to your iCloud account. They have to in case you forget your password and it needs to be reset. This is also how they're able to hand over that data to law enforcement officials.
    But if you use 2FA and don't have your recovery key I think you're sol, correct?
  • Reply 28 of 43
    So what does this mean for users being able to set up a device from iCloud backup? Will that still be possible or are you sol if you forget your password?
    You are SOL if you forget your password, just like if you forget the passcode of your iPhone.
  • Reply 29 of 43
    eideardeideard Posts: 428member
    Sock it to 'em, Sock it to 'em, Sock it to 'em!
  • Reply 30 of 43
    mjtomlinmjtomlin Posts: 2,673member
    mjtomlin said:
    To be clear, the data stored on Apple's servers is encrypted. Should Apple's servers ever be "compromised" your data is still safe. The biggest difference between data on the iPhone and that stored in the cloud is that Apple knows the encryption key to your iCloud account. They have to in case you forget your password and it needs to be reset. This is also how they're able to hand over that data to law enforcement officials.
    But if you use 2FA and don't have your recovery key I think you're sol, correct?

    Yes, you're SOL. When you use 2FA you're basically telling Apple, "Under no circumstances are you allowed to ever reset this account without me giving you the recovery key."
  • Reply 31 of 43
    SpamSandwichSpamSandwich Posts: 33,407member
    macseeker said:
    They'll have to move iCloud servers outside the US if they want real security with strong encryption. 
    Yes, I see your point BUT which country will protect ones digital data. Will that country eventually require Apple to surrender the user data. Very tricky here.
    Any country which would not have a problem with strong encryption.

    https://en.m.wikipedia.org/wiki/Strong_cryptography
  • Reply 32 of 43
    nolamacguynolamacguy Posts: 4,758member
    Swear said:
    Ah, Apple the company that all major terrorist organizations around the world recommend for it's member's use.....
    get back to work.
    ai46
  • Reply 33 of 43
    stevehsteveh Posts: 480member
    Swear said:
    Ah, Apple the company that all major terrorist organizations around the world recommend for it's member's use.....
    get back to work.
    Work? Isn't "work" something he'll have to do after he moves out of mom's basement?

    Not going to happen.
    jony0ai46
  • Reply 34 of 43
    rogifan_newrogifan_new Posts: 4,297member
    So what does this mean for users being able to set up a device from iCloud backup? Will that still be possible or are you sol if you forget your password?
    You are SOL if you forget your password, just like if you forget the passcode of your iPhone.
    I'm not sol if I forget my passcode because I can restore from iCloud backup.
  • Reply 35 of 43
    crowleycrowley Posts: 10,453member
    AppleInsider said:

    Apple again rumored to goose iCloud security amid iPhone encryption flap

    Wtf? :smiley: 

    where did that title come from?
    cornchip
  • Reply 36 of 43
    jony0jony0 Posts: 378member
    Swear said:
    Ah, Apple the company that all major terrorist organizations around the world recommend for it's member's use.....
    Ah, the pervasive clueless drive-by single commenter. In the unlikely event he she it or others of their ilk would actually read this far :

    There are many other encryption products for Android. Al-Fajr, one of Al-Qaeda’s media arms, released a new Android encryption application early June 2014 on their website. […] GIMF, another media arm of Al-Qaeda, also launched a new version of their Android software since our last post. Interestingly, between these two new product releases this continues the bet on mobile and Android as the preferred platform for these groups. The large availability and affordability of Android phones, especially in underdeveloped countries, is probably the reason for this.
    https://www.recordedfuture.com/al-qaeda-encryption-technology-part-2/

    To be fair, there are some first commenters that actually bring welcomed smart arguments, but they have been the exception in this debate.
    ration al
  • Reply 37 of 43
    jony0jony0 Posts: 378member
    steveh said:
    get back to work.
    Work? Isn't "work" something he'll have to do after he moves out of mom's basement?

    Not going to happen.
    Definitely not, these social service lifetime subscribers don't work, nestled with their mommy supplied Android and wi-fi.
  • Reply 38 of 43
    So what does this mean for users being able to set up a device from iCloud backup? Will that still be possible or are you sol if you forget your password?
    When you set up 2 factor authentication now, Apple is very explicit in telling you that without your encryption key or password you will not be able to access your data and they cannot help you. 
  • Reply 39 of 43
    TomETomE Posts: 172member
    They'll have to move iCloud servers outside the US if they want real security with strong encryption. 

    Why? Let's say Apple gives you the option of using a pass phrase that isn't stored anywhere on Apple servers or even on your iPhone (well, it IS stored on your iPhone, but only a hash is stored, not the original pass phrase).

    Whenever your iPhone connects to iCloud to backup data, it firsts get encrypted locally on your iPhone (using your pass phrase) and then gets sent for backup. The iCloud servers would be storing already encrypted data. If someone got hold of this information it would be useless as they don't have the pass phrase to decrypt it (they'd have to brute force decrypt it, which could take some time depending on the pass phrase you chose).

    Apple could even take this further. The "username" the data gets stored under isn't your actual Apple ID, but a token that's an encrypted representation of your Apple ID hashed with your iCloud pass phrase. So even Apple employees themselves wouldn't be able to link a set of iCloud data to a specific user or device (like they can do now, presumably because there's an identifier linked to your Apple ID and device).

    Hell, let's forget pass phrases altogether. We know that Apple takes your fingerprint and stores a mathematical representation (a hash) of it in the secure enclave, in a format that makes it impossible to reverse back to the original print. What makes it so impressive is you can use a PORTION of your finger at different angles or orientations on the fingerprint sensor and Touch ID still somehow manages to "match" this with the stored hash of your fingerprint. So why not make a fingerprint as the pass phrase that encrypts your iCloud data? Now you can't forget it, and because of the complexity of your fingerprint you'd have the equivalent of a very long pass phrase (impossible to decrypt).


    I don't think security rides so much on WHERE the servers are, but on HOW the data is stored. They could be treated as "dumb" servers who simply store information sent to them, without actually knowing anything about the data itself or who it belongs to.
    Well, re the Fingerprint Scanner on my 6SPlus does not always work.  Either the fingerprint changes or the scanner cannot recognize it.

  • Reply 40 of 43
    macseekermacseeker Posts: 544member
    foggyhill said:
    macseeker said:
    Yes, I see your point BUT which country will protect ones digital data. Will that country eventually require Apple to surrender the user data. Very tricky here.
    Why not just essentially torrent the crap out of it, meaning bitslice it accross 10+ countries.... Only the client knows where the files really are. Each file could even have it's own set of countries... Make it a jurisdictional nightmare to recover, not just an encryption nightmare.

    Since you have to have access to the phone to know where the files are, that really ups the ante on recovery :-).
    Obviously, if you lose your phone your really really screwed, unless you can back the recovery directory in a locally encrypted cache with a long passcode  (not the same as your phone hopefully)..
    No one knows where the files are but you :-)..


    I like your first paragraph. Is it my understanding that Apple a couple or few years ago was investigating using torrents for software distribution and/or iCloud backups. Wondered if Apple dropped the ball.
Sign In or Register to comment.