I’m so unused to seeing a corporation act in the interests of their customers explicitly counter to the wishes of law enforcement and the intelligence community that I’m racking my brain trying to think of ulterior motives that explain why Apple might have this.
Either way, on the surface, I’m quite pleased by this development.
I think it's as simple as: Apple's business is determined much more by end users than by government regulation. Unlike telecoms or increasingly, Google/Facebook. And this is amplified by Apple deciding that, as the others can't follow it, it's a good differentiator to invest in.
This is exactly the position I want in someone who I need to trust. Supposed corporate altruism and any promises of "don't be evil" goes out the window when enough money comes into play. However, if my interests and the monetary interests of the other party is aligned, then it compels the other party to behave in a way that helps my interests.
dont be evil is a pretty low bar to start with, because it does not even give you any direction of what you should be instead, and evil can be interpreted in multiple ways.
My wife is Chinese and we go there quite often. Regulation of consumer goods and services is very light and easily circumvented, and as a result the consumer market is a cesspit of shoddy, dangerous products and deceptive practices. Its so bad one of the most prized gifts you can take there is baby formula powder, because the local versions have frequently been found to be cut with dangerous chemicals. I’ve seen and have family with experience of a deregulated market and it’s not at all pretty. Individual consumers just don’t have the resources to deal equally with big companies that have no reason to care about consumer interests, without the ability to exercise their collective power - which is what a representative government is.
I think what I’m hearing you say is that China’s government regulations are “light”... :)
China has 8 different agencies involved in food regulation.
A government that doesn’t allow its subjects to express freedom of speech to its citizens is not “light” in anything.
The dangerousness of items produced in China is a symbol of the corruptability of the monopolization of power by government, underscored by the fact that business in mainland China starts with payoffs to local government officials.
Meanwhile, in Florida, where people are free to package up food items for sale with no license of any kind and no commercial kitchen (up to a certain volume), I don’t hear about many cases of people receiving brain damage from lead poisoning after eating cookies from their local coffee shop.
People that don’t have a foot on their neck are typically not evil by default, because they don’t have to be in order to just survive. That’s why things just work here in the US.
People accustomed to oppressive control just don’t understand these things.
No, the turn of phrase used to describe “baby milk formula” in powder form. “Baby formula powder” implies a kind of powder that produces a baby. Hence, the off-topic comment.
Simple desire for profit drove adding melamine to milk formula for babies. In that melamine cost less than milk powder. And that it reacted like proteins in the simple test that was commonly used.
Melamine is (C-N)3 in a ring, with NH2 on each of the carbons. And all amino acids have C-NH2 on one end. Thus the name. I gather that the test scored all C-NH2 moieties. So each melamine molecule looks like three amino acids, and contains less other stuff than amino acids on average. Making it a very efficient adulterant.
Political freedom alone won't solve tainted milk in China. People don't have the time or energy to audit every food product they purchase, establishing minimum standards to prevent death or injury from harmful food is one of the least costly ways to deal with the root issue.
Political freedom can lead to elect officials who care about such issues and take actual measures to create and enforce regulations instead of the current ones doing nothing or accepting bribes. A monopoly on politics is not optimal.
Thats what i am saying. There can be no accountability of officials if you cant replace officials with due process with folks coming out of several parties and not just one.
This is a pretty ludicrous statement. We wouldn't need any consumer protection laws, anti-fraud laws, or a really a majority of business law if the default modus operandi was pro-consumer. The reason Apple is different here is because their financial incentive aligns with the consumer. That is not the case with many businesses regardless of government involvement.
That's why we never had to do anything to address rampant fraud, cutting food with dangerous materials, straight up lying about what you're selling, con artists, snake oil salesmen, or irresponsible management of hazardous waste, right?
Not that I support the OPs absolutist statement, but courts could and do handle quite a few of those (I mean fraud is handled almost entirely by the courts). Especially if the effort over the last century was put into strengthening the law and property rights, instead of creating endless agencies, government economic power brokers, and pre-emptive hoops for companies to jump through, which encourage state-backed oligopolies to flourish at the expense of competition and any firm small enough to not afford a team of lawyers. Not to mention measuring efficacy and ROI on each individual agency involved in market intervention is largely absent once the agencies are in place.
Unless you're conflating 'removing government actors' as completely removing the justice system and law enforcement? Which are two things which libertarians are very much in support of being government responsibility...Smaller government != no government.
Laws are regulations, the courts you’re praising didn’t pull the laws they enforced out of their asses. If you remove government agencies specialised in regulating specific domains, then that responsibility will just fall on general law enforcement or just go unenforced.
Of course there are costs to any system of regulation, but most consumer regulation is there to prevent companies doing things some of them absolutely did. Busses in London used to have “no spitting” signs. Now they don’t. Why the change?
In general you regulate because hard earned experience shows you have to, not because you just feel like it. If regulations become unnecessary, ok it’s time to revisit it, but managing this stuff is what we elect people for.
On what grounds? Caveat emptor was the rule for a long, long time. It was only later when regulation and standards started coming into play that it was a thing. The courts can't just declare a legal thing to be bad.
You can only be libertarian if a) you've never bothered to study history or b) it's a cover story for an ulterior motive.
The US was mostly a libertarian's paradise from 1850-1950. It didn't work. Federal agencies and government regulations were created because the courts were unable to adequately respond to ongoing problems. The proximate cause of death for libertarianism was the sequence of massive bank panics and depressions leading up to the final "Great Depression" in 1929, but there were many causes across wide-ranging areas of society.
To give just one example: The FDA was created (and later strengthened) in response to a long succession of disasters where well-established drug companies added known toxic (or lethal!) chemicals to their drugs, then placed them on the market without testing. Thousands of people were killed.
No legal decision can bring back the dead.
Most of these companies already had reputations to protect and judgements against them were expensive. Yet they continued to screw up royally.
We've tried libertarianism. It simply doesn't work. It has never worked. It will never work. It is always less efficient to force millions of consumers to extensively research every aspect of the products they buy, then seek redress in the courts after suffering injury. It will always be a net win to set basic safety standards (for established product categories) and force manufacturers to follow the standards.
If you're a rich oligarch who hates paying taxes then libertarianism is a convenient excuse to shrink government (regulations = expense) and/or foist as much of the tax burden onto others as possible.
Libertarianism is also attractive to people who have grown up in a sheltered society and so see regulations and standards as unnecessary restraints. They don't have any basis for comparison.
It's similar to anti-vaxxers: Vaccines were so successful that whole generations have grown up without watching their kids or friends die and be crippled by disease, so they don't value vaccines any more than they value oxygen in the air.
For that matter it is the same as the current Boomer generation's FYGM attitude: growing up in a post-war boom when the effective wage was ~$18/hr and college cost 1/4 as much of course it was easy to work part time while getting your degree. And with a growing population and society of course there will be plenty of jobs waiting for you. Like oxygen in the air or water in the sea such conditions are completely beneath their notice and thus later generations "must" be lazy moochers and "of course" they should just "work hard like I did".
Sometimes I think humans really are doomed. As a society every time we get a good thing going we completely forget the toil, blood, sweat, and tears required to get there.
> You can only be libertarian if a) you've never bothered to study history or b) it's a cover story for an ulterior motive.
While I somewhat agree and don't consider myself a libertarian, I'm much more of Thomas Sowell supply-side economics fiscal conservative and social liberal, I believe this smug, self-righteous tone, littered with broad absolute dismissives, ("We've tried libertarianism. It simply doesn't work") through-out your post perfectly typifies the problem with US tribal politics, especially the left-leaning sort.
You could easily change the wording and throw in some similar greatly over-simplfied examples, and you could say "We tried socialism and it completely failed", as a dismissal for modern big-government liberalism. Which is ridiculous and unhelpful.
These endless trite left vs right debates on the internet always seem to pigeonhole unique and complex historical moments (with distinct geography, historial circumstance, economic situations, cultural differences, broad incentives, birth rates, technological differences, etc, etc) into some ideal fantasy governments that never really existed or even marginally fit into the molds of ideologies being questioned.
I mean... even scale is a huge difference maker. I believe smaller country's governments function far better (see: Canada, Scandinavia). As do "early-stage" countries in the growth stage after being up-ended. To apply some generic economic political system broadly across every country, big or small, financially stable or not, old population, cultural work, etc) is not a interesting or helpful as people seem to think.
Example: I love hear people explain how "Iceland nationalized banks and look how great it worked", meanwhile Iceland has a total population of a small US city, 0.01% the size of the US.
So it's entirely possible you're right. A more pure form of libertarianism, which may have worked well in the past when the country was 5% the size with immature industry, is likely going to be a disaster if it was imposed today. That doesn't mean it's not a good or superior model more fundamentally as a guiding force when shaping current polcy, or even within the larger system in thousands of isolated situations (such as schooling for example). Nor does it mean it wouldn't be ideal for a different culturally or smaller or geographically distinct group of people or for certain states within a heavily federated system.
A few days ago I was pondering what it would be like if we treated government like a software project. You can never address all the issues at once unless you're doing a rewrite (at which point the old project is effectively dead). You just have to refactor as you go. Practically each section becomes organized in a way that more or less reflects the values and style of the author. Sometimes a codebse is able to maintain an overall style, but try as we might you can't delete the programmer entirely.
So then I had an idea for a "single focus president". This would be someone who is entirealy indifferent to everything except the one focus area they call out in their campaign e.g. healthcare. It's not that progress wouldn't be made in other areas it would just be entirely congressional and judicial. Once the president addresses their focus issue, they step down. There are probably anecdotes of how we've tried similar things and failed, but I know I would be open to considering a campaign on those type of grounds.
This argument can be used to justify any form of government as long as some share of extortions get invested for the benefit of extorted.
But I agree all of this is great if I only have to pay <$5K yearly but not so much otherwise. Not to mention having to emigrate to cancel "the services". That sucks too.
> The US was mostly a libertarian's paradise from [insert date range of the most prosperous human development in the US].
And, the great depression was a direct result of government and bank collusion. The Federal Reserve tightened the money supply exactly after the market crashed. Take the federal government, which sanctioned the federal reserve, out of the picture, and you have a much smaller crash that weeds out all the idiots who fell for the securities fraud perpetrated by the Shenandoah Corporation, which precipitated the crash in the first place.
In fact, get rid of the federal reserve banking system that was created by the federal government in 1913, and you don’t have any of the major crashes in the ensuing 95 years.
Go one step further and remove the federal government’s control over the money supply in general and you have a system of multiple currencies, all controlled by their constituent markets, many backed by silver and/or gold. and you don’t have a nationwide gold seizure by the federal government in 1933, whereupon our distributed sovereign wealth was gifted to internationalist bankers. You have instead a wealthy population of the descendants of the colonialists that conquered this country for us.
They don’t really teach this kind of stuff in stated-funded “school”, now do they?
I concur, and I would add that Apple is fundamentally different than the Facebooks and Googles in that Apple makes money off their hardware. They have a natural incentive to protect user data because it enhances the value of their products.
This is why I am deeply skeptical of Apple's supposed security. As long as the company forfeits data to the Chinese government then there is no real data protection on their devices.
I need that to change, or where I see Apple's products heading is not going to be what I'm hoping. What I'm hoping: Apple devices become the computer. Totally secure. The only one that can access the information on it is myself with no exceptions. This device (watch, phone, glasses whatever) would carry every possible detail about myself and my life on it, making it the perfect form of digital identification. Accepted at hospitals, accepted as a drivers license, accepted at banks, accepted as a log in for websites. It doesn't need to provide identification if I don't want it to. But if I do, then there is a mathematical certainty that I am who I am claiming to be, and no one can claim otherwise.
That's why it's not going to happen with Apple's two faced position on privacy.
As for what I want Apple to be as a company, if their devices become the theoretical vault where I am the only one with the key, it wouldn't matter if they remain on my side or not. They fulfill the role of design and engineering, not data hoarder, and wouldn't be able to change that even if they wanted to. At least that is the image that they have been pushing recently.
From what I've read, enterprises certainly love iOS for security. And for better or worse, LEA provides well-reported test cases. So it's not that Apple wants to protect criminals, it's that criminals are canaries.
Indeed, the whole "going dark" vs privacy debate mostly misses the point.[0]
> The heightened tension produced by the introduction of encryption by default into an environment where terrorism has magnified the need for efficient law enforcement access (surveillance) supported by a newly-expanded CALEA framework is often framed as a contest between privacy and security. It is, however, more accurately framed as a security issue on both sides, one side which integrates traditional privacy concerns with the growing focus upon cybersecurity ... The cybersecurity and, incidentally, pro-privacy position rejects exceptional access as a dangerous fiction that would, among other things, create new attack surfaces, rendering networks more vulnerable to every form of predation, from financial crime and IP theft to cyber espionage, ultimately generating unacceptable risks to our national and economic security.
Even simpler. Apple doesn't have "enterprise" products that it sells to governments. Therefore, they can't be forced to comply through any wallet-based incentive.
Having said all that. . . I'm not sure that the rights of criminals' privacy outweigh the rights of citizens to be protected by law enforcement. I wish there was a clear way for law enforcement to act on behalf of citizens without such risk of corruption/abuse.
One of the basic principles in the US justice system is the presumption of innocence. Therefore, Apple is actually protecting the rights of innocent people, until law enforcement can legally prove otherwise, at which point they usually don't need access to the phone anymore.
This is why it is impossible to sacrifice phone security for "criminals" while keeping the rest of us safe.
Yes, I was thinking about the Dells of the world, too. But it's bigger than that as, say, Dell hasn't sold any valuable consumer targets since the Venue smartphone in 2012. I suppose telecoms have enterprise products, but they're more interested in cooperating with the government where it doesn't cost them much (hey, consumers already hate them), in exchange for regulation/legislation that protects their business (hey, consumers have nowhere else to go now).
Valid point on how we let law enforcement do its job. The other aspect of Apple's success here is timing. We don't trust government or law enforcement as much as we used to, and a new balance has to be found, perhaps by lawmakers who have foresight of both technology and human rights.
I highly doubt it’s that simple. Most users don’t value these extra security measures let alone know about them. This leads me to believe that there’s a different reason why they’re upping their security more than other user oriented companies.
Apple has been clear from the beginning. They do not supplement revenue with personal data sharing or ads. There is not hidden agenda here. Their major competition shares data with other companies and is very forthcoming with the government. Facebook, Google, Microsoft, and Samsung all sell access to their user's data. This is a winning strategy because Apple already charged a premium for it's products. Now more than ever that value added is win for the customer.
Just to be clear Apple does give information to the government, but they stopped short of unlocking devices for the government. I see this as a very big important precedent.
It could also be a product of their engineering teams and upper management. Most of the Apple development staff are in California and are highly technical. If a majority of the top dogs really believe in protecting privacy then it’s easy for them to get it done.
Isn't that the point, though? Touch ID was a major security feature (industry-changing even) that was added to the phone without changing the behavior of users. It's nearly a perfect scenario of adding an incredible amount of functionality for users without requiring them to do anything. Apple has always been about user security regardless of whether or not it was obvious to users.
In no way does that article claim there is a backdoor. It claims CIA and others have heavily invested in finding 0day exploits to gain access to the iphone; this news item is about apple closing some of those.
I'm not engaged in international crime or fighting nation states, I just want cops to have to get a warrant and my lawyer to get a chance to argue with them in order to read my phone.
Don't fool yourself. That's not possible with the current iOS configuration and the link you provided doesn't dispute that. If anything, Apple has closed any potential backdoors that could have been exploited.
A common misconception - parts of iCloud data are encrypted at rest, but a good chunk of it is not. They've indicated they want to get there at various points in the past, but unless I've missed an update it's not there currently.
The files are still encrypted at rest (using convergent encryption) to obscure their contents from the underlying storage service, but Apple holds the keys:
> Each file is broken into chunks and encrypted by iCloud using AES-128 and a key derived from each chunk’s contents that utilizes SHA-256. The keys and the file’s metadata are stored by Apple in the user’s iCloud account. The encrypted chunks of the file are stored, without any user-identifying information, using third-party storage services, such as S3 and Google Cloud Platform.
The Chinese government made Apple hand over control ofiCloud infrastructure in China to a Chinese company. So those encryption keys stored in iCloud are now in the hands of aChinese company subject to Chinese government control.
Not exactly an ideal arrangement, but it was likely that or switch off iCloud in China, or pull out of China completely. Which to be fair Google actually did.
Files encrypted at rest on Apple’s servers represents protection for Apple against external threats, not for the user.
These are security schemes that do not enhance the user’s privacy.
It’s cool that some companies are security conscious enough to do this, but for the user’s privacy remember that ... if it’s not end to end encrypted, it doesn’t matter for privacy, just for security and those two notions are very different ;-)
No kidding! Everyone in my immediate circle has iPhone, I get the occasional friend with the “Android better”... but it’s things like this that make me remember Apple is a company that is very clearly for money which means for the most part they really need to deliver to the customer - where google is a company that tries to do everything they can to imply they aren’t about sales they “give away” this and that, it’s a “free and open” ecosystem etc etc.
I’ll take upfront and honest at the issue of more limited and expensive any day.
Google is very clearly all about the money as well. It's just that they understand there is no money that will come from the "customer". Instead, it will all come from other corporations that are seeking to leverage the relationship Google has established with you. I think it is healthy to remember that companies aren't some do good no matter what it costs them. At the end of the day, all companies are trying to make money the best way possible. Frankly, I am glad that there is both Apple and Google. I think they both do well while making money.
Still, saying you're not the customer but the product is wrong. If you watch TV, you're also not the product. I'd probably classify TV audience as customers of the stations, even if the money is made with advertisement. But viewers are certainly not products.
Google isn't different from a TV station. You as a user are a customer and pay Google by consuming the ads they present you in various products.
> NPR listeners for example are also not the product just because they don't pay NPR (but instead its funded by taxes).
NPR is mostly not funded (even indirectly) by taxes, and has both actual targeted advertising on their own and platform (for digital properties), and “underwriting spots” from sponsors on its broadcasts, that while regulated more than traditional advertising and are, and have been acknowledged by NPR to be, a form of advertising by the sponsors driven by the same factors and concerns that drive traditional advertising.
Now that you mention it, I wonder whether the security thing plays into the reason why I need to remove and add apps I compile myself every n days? This limit is pretty much my only gripe against Apple at this point but if it is for privacy/security, I don't know what a good balance would be...
Sorry if I sound like a broken record [1]. I don't own an iOS device at the moment. I would love to get an iPad but it kind of sucks that I can't compile and run my own apps.
That one is about platform control. It's one thing to build a platform that only executes signed code--that's good for security--but it's another thing to refuse to give users control over who the trust authority is for their system. Apple still maintains that under lock and key effectively refusing to let you run your own software on your iPhone.
It's not that clear cut of a tradeoff. If Apple were to allow limitless sideloading of apps and that became the standard way that people installed apps on iOS devices, it would seriously limit their ability to keep the platform secure against malicious apps.
No no. I'm talking about keys to my phone alone. If I choose to trust my own certificate then that only impacts what software I can run on my phone. An app cannot "sideload itself onto all your contacts". This extends to the OS itself. Let me change the certificate governing the OS software. Only once you allow that do I truly own my phone.
The problem here is social engineering. If someone says "click these buttons in your phone's settings, sideload our app, and you'll be able to do X" (where X is "pirate movies," "mine bitcoin," etc), a surprising number of people would follow the instructions, ignore any big red warnings, and end up with their device pwned. You'd need a way to make the certificate trust settings accessible only to those who know what they're doing.
Gee, I was going for ironic, missed, and hit moronic. Close enough for horseshoes. :)
I've started referring to software developers (like myself) with intentional irony as "mutant lizard people" after hearing one too many times how a particular OS/tool/programming language needs to be designed "for humans" (i.e, n00bs with no prior exposure to it).
Without that time limit, an entire black market of non-app-store software distribution could spring up, and Apple would not be able to protect little Bobby who wants an emulator from bad app actors.
The real limitation isn't "seven days", as that's not that annoying: it is that you can have at most three such apps. But frankly, that still doesn't provide much "protection" from bad apps. All it is doing is prevent all of the apps on your phone from being pirated (capping that at three), which bounds the damage from adding this feature.
This is simply not true. You’ve been lied to, and you don’t own an iOS device to check for yourself. I’m pasting something I shared in another thread here. I have no idea where this lie came from but it seems like someone is trying to keep people away from developing apps on iOS.
I’ve written a couple personal apps that sync with health kit data collected from my Apple Watch and nutrition apps to help me track things in a way that is useful for my fitness goals. In 2016-2017 I used these apps to put on 30 lbs and stay relatively lean but I’ve never wanted to publish them in the app store. I don’t pay for any developer program. Just need to download some (free) developer tools / SDK for XCode, build the source, and put it on my phone. The install is tethered, but afterwards it stays there until I delete it. Restarting the phone doesn’t delete the app either. Only time I needed to re-install was when my 5s crapped out and I had to get a new phone.
You can compile and run your own apps though. You would need an apple developer account and pay the fee to be able to side load your own apps. There is a process that allows you to do it if you're serious about it.
Edit: Disregard my comment. I clicked the link and understand the context of your comment now. Still, if you want to code and deploy your own apps you can do it but there are conditions.
Kind of a funny comment given the sibling comment noting that this is Apple catching up to a long-existing Android securitt feature, file transfer over USB requires first unlocking the device.
No, iOS has done that for years, since like iOS 2 or 3 maybe. This is different- it locks itself down completely, even to channels that have previously been granted access, if it hasn't been unlocked for 7 days
My Android phone (and most recent Android phones I know) completely locks USB data, including from devices that had previously been granted access. You have to unlock, touch a notification and enable some file transfer option instead of "charging only". No 7 days limit, the access is denied immediately once it disconnects.
Apple is awful at providing a reasonable spread of devices though. There's no $50 iphone that does everything I need, I'd have to spend at least ten times that. Then I'd have to pay MORE to be able to develop and run my own programs?! At that point, why even have a microprocessor rather than using a simple fixed function ASIC?
Would I be happier if I could get a phone with the equivalent of BIOS and nothing else and vet and install my own software? You bet. If nothing else, I'd not have to install all those Play ____ apps I never use. But given the choices available, Apple is a bad one.
$50 is a pretty amazing price point for something as flexible as a smartphone. However, you can get a perfectly usable used 5S for close to that range. Spend $15-40 extra and you can outfit it with new glass, screen, and battery, and it will feel like new, and probably perform at least as well as a brand new $50 Android.
You can get a free developer account that lets you develop and run your own programs since a couple of years.
I don’t know what you’re getting on about with ASICS, but I guess you may just need to accept being in a niche market segment.
No one would buy or make your low margin low cost phone, that’s why it doesn’t exist.
Almost like Apple has probably evaluated the business case of an open ecosystem low margin low cost phone, and then immediately went back to printing money.
The $50 price point being deliberately chosen seems to be a reference to Android Go, whose USP is that the max price of the phone, new, no subsidy, is $50. (Though in the US, ZTE actually sells them for $80.)
Of course, they're miserable little devices, but they are technically smartphones that technically run android.
I love the phrase "printing money". It's time proven. But it just occurred to me that it doesn't do Apple justice.
Apple's free cash flow for the trailing 12 months was $44.6 Billion. That's 446 million $100 banknotes. How many printing presses does it take to print that many bills? How many sheets of cotton/linen paper?
> I’m so unused to seeing a corporation act in the interests of their customers explicitly counter to the wishes of law enforcement and the intelligence community that I’m racking my brain trying to think of ulterior motives that explain why Apple might have this.
Apple started to assist chinese government and used their walled garden to ban all their users from using secure communications and VPNs. As soon as actual dollars are on the line Apple just like other corporations chooses dollars. I'd be vary of trusting them too much.
But dollars are always on the line, and that’s why they’re protecting customers outside of China and complying with the authoritarian Chinese gov in China. Most countries don’t have draconian measures like China does to make sure that companies comply with their every demand.
Other "evil" companies like Google instead refused to do business with such regime. Apple actively helps the regime by banning VPN apps and preventing Chinese people from installing them from 3rd party sources.
I am not quite sure the cases are analogous: Google is a website, Apple sells physical objects. When Google "refused to do business" with China, they doubtless knew that users would instead use a VPN and access some other national version of Google. Meanwhile, if Apple doesn't do business in China, it's not like people in China getting genuine smuggled iPhones that work normally. They're either going to use other platforms or use untrustworthy knock-off iPhones, and all of those probably comply with government regulations too.
Still, your point above stands: a company as large as Apple or Google has too many individuals with their own personal interests for "trustworthy" to really be a meaningful term. I trust Apple mobile phones much more than Google mobile phones, but, for instance, I trust Google laptops much more than I trust Apple laptops. I am sure there are good people working on all four products, but for some reason Apple's mobile phone division and Google's laptop division have consistently put out better products.
When Google "refused to do business" with China, they doubtless knew that users would instead use a VPN and access some other national version of Google.
From the same vein that "we're not Google's customers", neither are those Chinese users using a VPN. By leaving China, they're cut off from Chinese businesses who could pay to advertise.
Chromebooks have the same sort of solid design principles that iOS devices do - hardware-based boot attestation and isolated cryptographic coprocessor, an entire OS design that lends itself towards sandboxing, a team that clearly cares about pushing the state-of-the-art in sandboxing forwards, security support for many years, etc. And both products have consistently evidenced solid security design for several years.
Apple laptops and Android phones are much weaker on all of these fronts.
I don't have a good explanation for why this is so. I think there may not be a good one, other than that complex engineering organizations are very random systems with tons of inputs and changing engineering culture is very hard, and people early in both the Chromebook and iOS projects were able to set and maintain the right culture, and people in the Android and Mac projects (despite being skilled people who care about security!) weren't able to pull it off, essentially by random chance.
Then you should read older post by Elcomsoft (1), about Apple consciously degrading several layers of security in iOS11 (compared to iOS10) essentially to a PIN-code. Currently if you know PIN and have iPhone you can extract everything out of it, out of backups and out of iCloud.
I read the blog post, it shows that if you give up your devices passcode then you give up access to essentially everything on that device. It would be nice to have additional layers of security, but do you think this was done as an anti-user move to support law enforcement? I can't quite see that as being the case.
Graybox should have anyone security conscious ensure that they and all people they care about are using custom alphanumeric passwords for their iOS devices.
Even "999999!" would be hard to guess if the domain space is unbounded.
I believe SEP = Secure Enclave Processor - iOS has it throttle passcode input requests. Visibly this results messages like "iPad is Disabled. Try again in 5 minutes".
The point is - it is now a single point of failure and it is probably not very feasible to expect to enter long password every time you unlock the phone. And no, biometrics is not a replacement. Biometrics is a login, not a password. You can't change your compromised biometrics unlike passwords.
But you can disable the biometric logon automatically. Either screwing it up too many times (like touching the wrong finger) or by quick-tapping the power button a number of times - upon which it falls back to the stronger password.
If you're in a position where you know bad guys with guns are coming, you can just power the phone down.
If you know they're coming but don't have much time, or you're unsure, you just thwack the power button a few times.
If you don't know they're coming, you're kind of screwed, but then again you would be anyways.
If the bad guys with guns are coming and they want to decrypt your phone, they can beat it out of you - rubber hose decryption is remarkably effective.
"We're better at privacy" is a fairly obvious way for Apple to differentiate itself, especially when the business model of many of its competitors kind of depend on not being very good at privacy (contextual ads and so on). This fits that brand fairly well.
They are not counter law enforcement. They are pro-user and the fact that their device works for the user and not advertisers, law enforcement, or negative external actors.
Android has literally had this feature for ages. By default plugging your device in puts it in "charging only" mode and you have to tap a notification and explicitly select MTP or PTP mode before it even attempts to talk to the computer.
On Android no data connection is made, when a connection on the data pins is detected one is offered, but as far as I can tell no device is even detected by the OS until after picking a mode, nothing to attack.
Let me know if I'm missing something, but I get no change in Device Manager/dmesg when plugging my phone in, indicating no data connection to me. It would appear the entire data connection is disabled until a mode is picked.
This is the normal behavior in iOS, and has been for years.
What Apple is doing is _additionally_ disabling the USB port on an even lower level. Currently, the port could still exchange data if it were tricked or hacked, but disabling the port on a controller level will prevent accessing the device entirely.
Or at least that's the theory. Since it can obviously be reconnected after entering a passcode, there are conceivably ways to get it to open up. But that will have to be tested.
Correct me if I'm wrong as I don't have any recent experience with them, but don't iOS devices expose an authentication interface even without unlocked interaction from the user?
Apple's own guide doesn't seem to indicate any form of interaction is needed to enable that interface. That interface is what's attacked by devices like GreyKey if I'm not mistaken. Android devices when not manually unlocked and toggled present no such interface.
That's different. iOS has the same "Trust this computer?" prompt before it attempts to pair. But in both cases the phone still has a data connection, which leaves it vulnerable to any kind of security compromise (such as GreyKey), plus if the computer has a "lockdown record" it gets to skip that "Trust this computer?" prompt anyway (a lockdown record is a thing a computer gets after pairing with the phone that lets the computer prove it's already trusted to talk to the device).
But what this article is talking about is after 7 days of not being unlocked, iOS 11.4 won't even enable the data channel on USB, which means computers with lockdown records still can't talk to it, and presumably devices like GreyKey can't compromise the device.
On Android no such pairing system exists (except for USB debugging), you have to explicitly allow it every time you want to mount the device and no device shows up whatsoever, the USB data connection is disabled until after you pick a choice other than charging. You must unlock the phone and explicitly enabled the connection, I'd argue that's still better than the iOS implementation where an authentication interface is still available for 7 days even when locked.
Well, the iPhone has always been a locked down device. Every iteration of it has plugged up holes where access can get around safeguards.
1. It protects the store monopoly by guaranteeing the device will only ever load signed code from Apple. This is a huge financial incentive for Apple to invest engineering time into it.
2. Tim Cook has successfully recast the lockdown as a user privacy issue and is winning in the court of public opinion on the matter. Again, another huge financial incentive as it is something Android cannot deliver on.
3. There are real consequences to enabling the wishes of US law enforcement that I firmly believe the executives at Apple do not want to open that pandora's box. Our government may truly want to solve real crimes, and this may frustrate them, but there are governments who very concretely want that same power to lock up opposition voices and witch hunts.
In most circumstances it's not clear to me that a >48 hour timeout is really a major impediment to law enforcement in a major metro. Of course, if they arrest like 10,000 people on the same day from a major protest or something it could create a capacity problem, but otherwise it seems like more of an irritant - a new time constraint - rather than a truly effective countermeasure to vulns in their LI/USB stack.
I would be much more impressed if they allowed users to wholesale disable all non-charging functionality.
The reason why this is annoying for law enforcement is because it effectively shuts down many forms of brute-force password cracking attacks, which take time to perform.
Because Tim Cook strongly cares about privacy. Furthermore, privacy can be a competitive advantage. It’s an extremely smart move to double down on protecting users given what we’ve seen from the Facebook-types.
Apple's direction on privacy and using their premium brand image to look after their customers first is refreshing.
I just wish there was some way they could also play fair with their tax responsibilities. Rather than having the EU force their hand and showing the Irish deal to be illegal for example.
Granted the governments that enter into such deals (or refuse to fix the loop holes) are also part of the problem.
Considering the pile of cash they sit on if anyone can set a good example it's Apple.
google does this ALL the time. you just don’t read about it in the press. for example, they encrypt the inter-data center links. for which they own the fiber. they do all kinds of stuff like that and are always doing new things. of course they don’t go 100% and encrypt email or docs but still they go to quite far lengths as long as it is within scope of their business model. (same as apple)
other companies do this kind of thing also. again, they just aren’t in the news cycle.
Google covering their _own_ ass and encrypting their internal data at-rest and over-the-wire has nothing to do with their approach to mobile device security. Any company worth their salt will encrypt traffic that transits any untrusted network after Snowden's revelations.
> google does this ALL the time. you just don’t read about it in the press. for example, they encrypt the inter-data center links
This has been well covered in the press as part of the NSA story. To the extent that the belief Apple getting more coverage is true, it’s because most people know tech companies protect themselves but Apple’s moves affect millions of people who otherwise would not have the resources to do so.
Either way, on the surface, I’m quite pleased by this development.