JustSomeGuy1

  • Apple's secure Lockdown Mode may reduce web browsing anonymity

    maltz said:
    xyzzy-xxx said:
    Apple should prevent websites from being able to detect if Lockdown Mode has been activated.
    That's like saying that a burglar shouldn't be able to tell if your front door is locked.  Any effective security measure will inherently give away the fact that you're using it.
    Not necessarily. There are steps Apple could take in the future to mitigate this problem. For example, one of the ways this article implies that Secure mode is being deduced is by the restricted list of available fonts. Apple could make Safari lie about available fonts in secure mode - for example, it could pull the list of available fonts from a few million web visitors who aren't using secure mode, and use that data to generate a list of available fonts to lie to a website (or its JavaScript) if asked. The list would be different day to day, with each font appearing as often statistically as determined by the observed visitors to apple.com.
    Sure, Apple (iOS) can lie all it wants. But then when the website provides data using those fonts, what should iOS do? If it's lying about supporting a font, then that font is delivered by the web server, does it fail to show the text to the end user? If it's not failing to show the text, then it's telling the truth about supporting the font. I don't think you have thought this through.
    Seriously? There are difficult issues here, but that's not one of them. Along with generating the master list of popular fonts, you create a map from those fonts to built-in phone fonts, choosing the ones with the most similar metrics. Keep track of different character sets, and possibly download a few necessary fonts when enabling secure mode.
    watto_cobra
  • Apple's secure Lockdown Mode may reduce web browsing anonymity

    maltz said:
    xyzzy-xxx said:
    Apple should prevent websites from being able to detect if Lockdown Mode has been activated.
    That's like saying that a burglar shouldn't be able to tell if your front door is locked.  Any effective security measure will inherently give away the fact that you're using it.
    Not necessarily.

    There are steps Apple could take in the future to mitigate this problem. For example, one of the ways this article implies that Secure mode is being deduced is by the restricted list of available fonts. Apple could make Safari lie about available fonts in secure mode - for example, it could pull the list of available fonts from a few million web visitors who aren't using secure mode, and use that data to generate a list of available fonts to lie to a website (or its JavaScript) if asked. The list would be different day to day, with each font appearing as often statistically as determined by the observed visitors to apple.com.

    The basic idea of hiding information from adversaries is old and well-studied, and has shown up in many different times and ways throughout human history. For example, famously, it was a key problem facing Bletchley Park in World War II (how do we take advantage of knowing the Germans' codes, without revealing that we know them?). Apple's problem here is in some ways not very different - how do we hide information, without revealing that we're hiding it?

    For fun, not the same but a related idea, look up Steganography.
    watto_cobra
  • Russia tried to hijack some of Apple's internet traffic for 12 hours

    dewme said:
    Less ignorance, more facts.
    DAalseth said:
    Apple needs to sever all ties with Russia. Cut them off cold to updates, services, iCloud, AppleMusic, everything. Flip the switch without warning. You live in Russia your device is bricked and you are SOL. I know that Apple keeps talking about trying to protect their customers. It's too late for that. Until the general populace starts feeling the pain from Putin's war they won't put an end to it. Remember, that's what brought down the Tzar. The people get fed up with paying in blood and treasure for the Tzar's adventure in WWI. It's time for another revolution and Apple needs to step up and do their part.
    This would have zero impact on the situation described in the article. Had they already done so, nothing would have changed. Rostelecom could still have announced Apple's route(s) - which is an entire /8!!! - and everything would have played out exactly the same way.
    ... is this a good reminder of the potential vulnerability of (especially large, high value) cloud services with so many potential attack vectors ...?

    ... is it the opposite of the concept of the internet in terms of communication reliability of multiple web connections ...?
    No, to both questions. This has nothing to do with attacks on cloud services. It's fundamental to all traffic on the internet. And the problem is exactly the multiple possible connections, in that the lack of a central authority for the net means there's no single source of truth for who is allowed to announce which routes. There has been an answer to that problem for over two decades, but it's not used everywhere, much to everyone's detriment. See http://irr.net, or google "radb". If the entire world used and enforced registration of routes in a route database like the RADB, this attack could not have any effect outside of Rostelecom's own customers.
    Very serious and calculated move by Russia. 
    Also finding vulnerabilities in the routing infrastructure. 

    Russia's war isn’t going to stop with Ukraine. That’s a strategic move to gain a massive nuclear power plant while advancing its dominance agenda. They've already threatened their own surrounding countries as well as the USA. And China is right behind with its unprecedented disrespect and threatening of the USA as it seeks to devour one of the most prolific product economies in Taiwan prior to its 2049 buildup goal.

    Though Apple was vigilant, there is no doubt that some data was stolen. You have to wonder what kind of blackmail is planned for any incriminating info discovered, especially where Apple-using politicians, media, and big tech folks are concerned.
    This is extra ignorant. Just stop.
    1) This isn't a "vulnerability in the routing infrastructure". It is, unfortunately, a designed-in feature. It will continue to be the case until use of route databases is universally enforced.
    2) I have a LOT of doubt that any user data was stolen. In fact it's virtually certain that no data was stolen, as all of it was likely encrypted, though they certainly would be able to capture some metadata - for example, who was connecting to Apple services, and when. The scenario you envision is not the problem. It is conceivable that the metadata alone could matter in a specific case involving a high-value target, however. That's a reasonably plausible explanation for the whole event, in fact, though we'll likely never know.
    3) Off topic, but the notion that Russia invaded Ukraine just to get control of one aging nuclear plant is ludicrous.
    Thank you for providing a voice of reason on the topic.

    Considering everything they did left a very clear trail back to the source and was essentially done in the open makes it hard to get too excited about this. It’s essentially the same as someone giving the post office a change of address form to route your mail to their mailbox, all the while telling you and the rest of the world that they are doing so. Whether it’s amateur hour, cyber heckling, or just being done to create a distraction we’ll never know for sure. So while I’m not overly concerned about this specific incident, we don’t know what their next move might be insofar as they operate in an environment of state sponsored terrorism.
    You're welcome.

    I hate to say it, but the next step is obvious: Break the internet. All they'd have to do is start announcing lots of routes they don't own, from critical players like Amazon and Google.

    The endgame in that case is also obvious: They would be entirely disconnected from the internet. That's a bad result for everyone, but probably exactly what Putin will be looking for, long-term, so why not take advantage of that to do some really spectacular if short-term damage on the way out? It's like tossing a Molotov cocktail over your shoulder as you leave a restaurant.
    dewmewatto_cobraDAalseth
  • Russia tried to hijack some of Apple's internet traffic for 12 hours

    Re:  http://irr.net their cert being expired doesn’t inspire confidence…
    Hah, yes, I noticed. However, this is run by Merit. They are *central* to the function of the entire internet. They just screwed up because the radb doesn't get that much attention. Sooner or later they'll notice and fix it.
    DAalseth said:
    3) Off topic, but the notion that Russia invaded Ukraine just to get control of one aging nuclear plant is ludicrous.
    I would agree with that. Russia has wanted warm water ports for centuries. They grabbed Crimea, but that’s just a start. They have their eyes on Odessa, and then further south. 
    Your history was taught by a sports teacher. USSR had Crimea before 1992. Then USSR was dismantled and Ukraine declared indolence. 
    I disagree with you, but you get bonus points for the first insult and double bonus points for the second insult/wordplay (independence/indolence). Best short-form I've seen on the internet in a while.
    tmaywatto_cobra
  • Russia tried to hijack some of Apple's internet traffic for 12 hours

    Less ignorance, more facts.
    DAalseth said:
    Apple needs to sever all ties with Russia. Cut them off cold to updates, services, iCloud, AppleMusic, everything. Flip the switch without warning. You live in Russia your device is bricked and you are SOL. I know that Apple keeps talking about trying to protect their customers. It's too late for that. Until the general populace starts feeling the pain from Putin's war they won't put an end to it. Remember, that's what brought down the Tzar. The people get fed up with paying in blood and treasure for the Tzar's adventure in WWI. It's time for another revolution and Apple needs to step up and do their part.
    This would have zero impact on the situation described in the article. Had they already done so, nothing would have changed. Rostelecom could still have announced Apple's route(s) - which is an entire /8!!! - and everything would have played out exactly the same way.
    ... is this a good reminder of the potential vulnerability of (especially large, high value) cloud services with so many potential attack vectors ...?

    ... is it the opposite of the concept of the internet in terms of communication reliability of multiple web connections ...?
    No, to both questions. This has nothing to do with attacks on cloud services. It's fundamental to all traffic on the internet. And the problem is exactly the multiple possible connections, in that the lack of a central authority for the net means there's no single source of truth for who is allowed to announce which routes. There has been an answer to that problem for over two decades, but it's not used everywhere, much to everyone's detriment. See http://irr.net, or google "radb". If the entire world used and enforced registration of routes in a route database like the RADB, this attack could not have any effect outside of Rostelecom's own customers.
    Very serious and calculated move by Russia. 
    Also finding vulnerabilities in the routing infrastructure. 

    Russia's war isn’t going to stop with Ukraine. That’s a strategic move to gain a massive nuclear power plant while advancing its dominance agenda. They've already threatened their own surrounding countries as well as the USA. And China is right behind with its unprecedented disrespect and threatening of the USA as it seeks to devour one of the most prolific product economies in Taiwan prior to its 2049 buildup goal.

    Though Apple was vigilant, there is no doubt that some data was stolen. You have to wonder what kind of blackmail is planned for any incriminating info discovered, especially where Apple-using politicians, media, and big tech folks are concerned.
    This is extra ignorant. Just stop.
    1) This isn't a "vulnerability in the routing infrastructure". It is, unfortunately, a designed-in feature. It will continue to be the case until use of route databases is universally enforced.
    2) I have a LOT of doubt that any user data was stolen. In fact it's virtually certain that no data was stolen, as all of it was likely encrypted, though they certainly would be able to capture some metadata - for example, who was connecting to Apple services, and when. The scenario you envision is not the problem. It is conceivable that the metadata alone could matter in a specific case involving a high-value target, however. That's a reasonably plausible explanation for the whole event, in fact, though we'll likely never know.
    3) Off topic, but the notion that Russia invaded Ukraine just to get control of one aging nuclear plant is ludicrous.
    jony0ransonbaconstangAlex1Ny2anfastasleepMac4macwatto_cobra
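
The route-registration idea raised in the routing posts above (only accept an announcement whose origin is registered in a route database such as the RADB), as an added example that is not part of the original posts or any operator's real tooling. The route objects, prefixes and AS numbers are constructed documentation values, and the function names and the `max_more_specific` policy knob are assumptions made for illustration.

```python
import ipaddress

# Constructed RPSL route objects in the style an IRR such as the RADB stores.
# Prefixes and AS numbers are documentation values, not real registrations.
IRR_DUMP = """\
route:   198.51.100.0/24
origin:  AS64496
source:  EXAMPLE

route:   203.0.113.0/24
origin:  AS64497
source:  EXAMPLE
"""

def parse_route_objects(text):
    """Return [(network, origin_asn)] from blank-line separated RPSL objects."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            net = ipaddress.ip_network(attrs["route"], strict=True)
            objects.append((net, attrs["origin"].upper()))
    return objects

def check_announcement(prefix, origin, registered, max_more_specific=0):
    """Classify one announcement the way an IRR-built prefix filter would."""
    net = ipaddress.ip_network(prefix)
    # Registered objects that cover the announced prefix within the allowed
    # number of extra prefix bits (0 = exact match only, an assumed policy).
    covering = [(r, o) for r, o in registered
                if r.version == net.version and net.subnet_of(r)
                and net.prefixlen - r.prefixlen <= max_more_specific]
    if not covering:
        return "reject: no route object"
    if any(o == origin.upper() for _, o in covering):
        return "accept"
    return "reject: origin mismatch"

def filter_feed(announcements, registered):
    """Map each (prefix, origin) announcement to its filter verdict."""
    return {(p, o): check_announcement(p, o, registered) for p, o in announcements}
```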