The fact that we have to call it "their firmware and secure enclaves" is a bit telling, though. The majority of consumer-facing devices today have a layer of inscrutability that we leave up to the manufacturer to implement properly. For instance, Microsoft has Bitlocker, but I couldn't confidently say that isn't backdoored either.
Apple has whitepapers, but they're about as verifiable as LK-99 in practice. Their security model entirely revolves around the Apple-issued root of trust, and if you can't trust them then you have to hit the bricks. If you don't own both ends, the end-to-end encryption shtick is a theatrical farce.
If Bitlocker had a backdoor it would have leaked by now. I don't believe that they could keep an "alphabet boys only" backdoor secret for that long.
What would that backdoor even look like? Some sort of master key that can decrypt every Bitlocker encrypted drive? Imagine if something like THAT got leaked.
Who would have access to that key? Microsoft themselves? NSA? FBI? What about the UK, Australia or other US allies? Do their alphabet boys also get access to this?
Do small town cops also get access?
And I'm pretty sure lots of security researchers have tried to find vulnerabilities of Bitlocker. If there was something fishy going on - they would have noticed.
It can potentially be a theatrical farce, but you've only created hypothetical scenarios in your mind for why that might be the case. Even if you did "own both ends", you still have to rely on other parties to contribute the pieces that you don't watch over, unless you're going to be E2EE from scratch (again, because you can hypothetically just say "well what if the encryption scheme itself is backdoored").
Both of those conceits apply to Apple's scheme as well, though. Transparency enforces accountability, Apple themselves wouldn't be using things like OpenSSL and bash if they weren't open enough to scrutinize and modify.
sure, all clouds are other people’s computers; laypeople just want things to work and don’t really care about whose root of trust they use.
living in a world where you run everything yourself sounds good in practice but then you can’t communicate with anyone else.
i’d like for the firmware to be open source and for the cloud to be federated, but it’s a pipe dream and i’m busy so i just gotta trust apple in the end
e2ee for iCloud is opt in (ie disabled by default) so approximately 0% of iCloud users use it.
Until it's on by default for new iCloud accounts and previous non-e2ee iCloud accounts get automatically upgraded to use it, the fact that it is offered is basically irrelevant.
Additionally if you are using it to protect your iMessages, it's ineffective, as your iMessages are stored on Apple servers twice: once for each end of the conversation. Unless both you and the other end of your conversation have both explicitly opted in to e2ee for iCloud, a single party enabling the setting does nothing for the security of iMessage, given that approximately nobody uses the feature today.
This has nothing to do with "paranoid", or with me personally. I don't use iMessage at all.
I also didn't live in Nazi Germany under the SS and Gestapo but I can still recognize and identify that police surveillance over the private communications of all (or even a significant fraction of all) members of society silently and discreetly creates a world which sucks for everyone in it, as things like new political parties or new labor unions (or any other threat to the status quo) will be detected and defeated before they ever gain popular attention or critical mass.
Did we already forget OWS and the tea party? How about MLK?
Please stop using defined psychological disease terms to describe people who seek basic human rights to privacy from corporations and the state. It's disrespectful to both people who suffer from paranoid delusions as well as sane people who desire human rights.