Apple will notify users about state-sponsored cybersecurity threats (support.apple.com)
What a joke
Edit : silly me, US doesn’t need that, they can simply ask for the data..
Source: https://mobile.twitter.com/e_wrzosek/status/1463551631648251...
Other companies should take note. More of this, please!
I received an imminent advanced security threat notification back in January 2019, urging me to get one of those 2FA dongles (which I did). And just as well, because the next month my account was locked due to an attempted unauthorized access.
(whoever works on this at Google, thank you)
(I agree that it's great that Apple is finally doing this. But it seems entirely par for the course for them to be a decade late and still get the credit.)
It seems like Apple now have introduced ‘honey pots’ and other techniques to discover if there already is someone with access to your account/device, and that is a big deal and good news. And something I have never seen from any of the other big companies.
Warrant canary [0] comes to mind, but that is usually a message to all users, as opposed to notifying an individual user.
You mean apart from basically every other mainstream tech company? [1] [2] [3]
[1] https://www.washingtonpost.com/business/economy/google-to-al...
[2] https://www.wired.com/2015/10/facebook-now-warns-users-of-st...
[3] https://threatpost.com/twitter-warns-some-users-of-nation-st...
Would a smaller company stand a chance against very much any state? If men in suits took a CEO of a big company for "a talk" in the forest there would be a lot of fuss in the media, whereas a small company would probably be scared to bits and never say a word.
Keep in mind this will only work for non-court-gag-ordered instances. If the US subpoenas Apple about an individual they won't be allowed to notify them.
I have no idea how this applies to other countries.
I think this is more like: "We noticed unusual API usage and we don't have a gag order so whatever it is, it's not likely to be good"
Apple doesn’t need to know the source of the attack to issue the warning, and if the attacker is competent Apple likely wouldn’t know the source, such that a gag would not apply.
I don't see how Google could have been aware that this was happening, although they certainly could have known it was theoretically possible.
For example, when China demanded that iCloud for Chinese users was handed over to GCBD[0], and Apple complied, it was not, in any way, something that would be accurately described as an "attack". Apple cooperated with the demands that the legal environment presented.
[0] https://www.apple.com/legal/internet-services/icloud/en/gcbd...
To me, that warrants retaliation; in my opinion, it would be a case for self-defense. For example, isolating the trojan in a honey-pot OS and delivering it to foreign actors' cybersecurity research labs. Just make it unfeasible to support such software and it will stop. My country (Germany) sadly is prone to ignore civil liberties. There were home searches because someone called some minister a penis on Twitter, and there were other severe transgressions. Since the law doesn't protect against them anymore, the state has proved that it is not capable of responsible conduct with software that relies on zero-day exploits which endanger every computer system.
Glad that companies with real security expertise put up the slack here, although they shouldn't have to do that.
Like it or not, if they go against three-letter agencies in the US, high-ranked Apple employees will spend years in jail based on the rulings of secret courts where all of your rights are irrelevant. The moment the CIA says the word "terrorism", all your rights are gone regardless of how wrong the investigators might be. They can literally declare you guilty without you even knowing you were accused of anything, because according to them, national security is more important than the constitution.
They are on the same level as the CCP.
This is a warning that someone is trying to gain unauthorized access to your account. If the US government wants access it probably has better methods than brute force, such as ordering Apple to hand over your stuff.
I see no reason to think Apple will want to stay silent about an attacker trying to hack a user's account just because they might stay silent about warrants with gag orders.
When we're talking CIA, you can't get your way out of it with a better lawyer or by paying a fine. It's a decade of jail waiting for you if you don't bend over and give them exactly what they want. You have no constitutional rights when it comes to national security. They are legally allowed to kill US citizens without having to get court approval if they think they are a threat to the nation.
In which case, NSO f!@#ed up and left iCloud Messages Backup enabled, which stores unencrypted copies of the end-to-end encrypted messages and makes it trivial for Apple to alert any person that these accounts messaged. That's one possibility.
They admit themselves that these attacks are not easy to detect.
It is not possible to disable all telemetry entirely.
I am really interested in understanding more about a "state-sponsored attack" as someone who works in Ops and has experience in CyberSec. All these years working in the industry and I had no idea you could identify an "attack" that easily.
> Unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent.
> State-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time. Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete. It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected.
Identifying the source of these attacks is often done by analyzing the tools and techniques, in comparison to other known tools and methods, and/or by information gathered in meat space.
If the complaint is that attribution is sometimes sketchy, so? Sometimes it isn't.
Before Apple sends a notification, do they cross reference any existing warrants they received and make sure they don’t notify the customer that the US tried to hack their account, or iPhone, or requested their info?
Or are we to assume that Apple only means non-USA based attacks?
Or is the US gov going ape shit right now that all their targets they been infiltrating are going to get notified of that fact?
Or are we to assume anything FISA related means Apple happily and willingly had over the data and really isn’t a hack attempt?
Contains the canary: “To date, Apple has not received any orders for bulk data.”
From a more philosophical point of view - expecting a large corporation to go mano a mano on your behalf, against a major state security organization...that's right up there with expecting Santa Claus to punish all the evil spies for being naughty.
This is again another attempt at owning the device or your customer. Like that CSAM backdoor wasn’t enough, now they have AI monitoring accounts, connections, etc. out of each device.
They have majority support right now because of social spending and their supporters don't care about rule of law, corruption, any of that. There were already dozens of similar-scale scandals since 2015. Nobody cares. It's frustrating, really.
Obviously, that only really works once.
https://blog.google/threat-analysis-group/updates-about-gove...
You seem to be talking about the first, whereas the support page is about the second.
It utterly sucks having the sole oversight court having IC's back at our expense.
First, I haven't seen any indictments of any BLM rioters. Note when I say rioters I'm not including protesters but those who set fires and harmed people.
Second, while I'm against contact tracing apps in general for the reason that they can be abused, I don't think they would be needed by LE given their ability to set up stingrays, drones, and monitor social media.
Most of the BLM rioters and Antifa terrorists are known. Raz Simone is still free although he set up CHAZ, passed out rifles, and extorted public officials with political demands while claiming public land, allowing 6 people to be killed under his "security".
- https://www.zdnet.com/article/singapore-police-had-used-covi...
- https://slate.com/technology/2020/06/contact-tracing-law-enf...
Given the past decade (Snowden & Assange) I don't find it strange that contact tracing is being used for "other purposes". The data is readily available, so why bother with drones?
My MacBook's security keys are not trivial to acquire because they aren’t in iCloud.
In some of the Five Eyes nations, you don’t have a choice about cooperating or not.
But what do 5 eyes have to do with Chinese users?
Apple's cooperation with PRISM[0] is well documented[1], but if you want to find the particularly damning details you'll need to do your own research. The dust has settled since the Snowden revelations, and many mentions of the program have been sterilized.
> Also how they are different from any other tech company?
It's not. But the claim that Apple puts extra effort into protecting you from your government is comical, especially if you live in a first-world country. It's also a false dichotomy, since there are definitely more secure devices you could be using. They're just not being manufactured by the largest, most valuable companies in the world.
> My MacBook's security keys are not trivial to acquire because they aren’t in iCloud.
That is indeed what the US would like you to think. It's no coincidence that MacBooks force you to use NIST-designed crypto for all of their services though, and if you've got a healthy degree of skepticism towards the same institute that backdoored Dual_EC_DRBG, it's safe to assume the rest of these ciphers are also vulnerable to differential cryptanalysis. Or just take what the NSA says at face value; that certainly won't cause any problems in the future. /s
> But what do 5 eyes have to do with Chinese users?
Also nothing, they have their own bespoke surveillance program since China cannot cooperate with the US like Britain or Canada can. In lieu of being able to break their encryption, China demanded that all of Apple's domestic data get stored on domestic servers. While Google, Microsoft, Yahoo and every other big tech company shied away from that kind of compliance with a known abuser of human rights, Apple happily complied with the request.
[0] https://www.theguardian.com/world/2013/jun/06/us-tech-giants...
[1] https://web.archive.org/web/20130609061546/https://www.culto...
Otherwise, given their involvement in the PRISM program [1] I don't see how we can take that canary seriously.
[1] https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
After all, they haven’t denied it!
> even if Apple themselves have decided to be pro-active and decided to give out bulk data without receiving any orders before
We have zero evidence of anything like this happening.
Neither of your links documents any kind of cooperation, let alone documenting it well.
Your links do not document cooperation with PRISM, other than that the NSA believed they got information from them, which is very different. For all we know, it could have been the NSA abusing an API endpoint. Also, it said that it got lots of stuff like email, address, and so on when all of these services were combined, which made it PRISM.
For all we know, it could have been checking the emails from Apple (because of FaceTime), getting address from Facebook, using address to look up other info on LinkedIn, and so forth. If anything, PRISM shows NSA abuse of services more than intentional compliance.
> definitely more secure devices you could be using.
I hate that I have to say this, but Linux phones are not more secure. They do have a company they don't phone-home to, but if a Linux phone was found on the side of the road, I have no doubt that the NSA would find a way in (unlike the iPhone, which as lately as the Rittenhouse trial, the latest model has not been cracked and the government ultimately struck a deal with the defense for a PIN code).
Linux phones are only secure by obscurity in that less research has been done on them and they are less common - but if government agencies were (or are) putting some research cash into them, I would not be surprised if they burst open from a million attacks that iPhones and Androids have found and fixed over the last decade.
> It's no coincidence that MacBooks force you to use NIST-designed crypto
Stop being conspiratorial. Almost everyone, including many companies outside the US, uses Curve25519 or P-256, and a big reason why is that the algorithm is very fast to calculate while being reasonably secure, which is a plus for fast encryption. Also, nobody has seriously alleged that Curve25519 is backdoored, unlike Dual_EC_DRBG, which was suspect almost immediately. Also, NIST did not invent Dual_EC_DRBG. The NSA did and submitted it to NIST as a standard, which NIST reluctantly accepted.
> Shied away from that kind of compliance with a known abuser of human rights
Yes, but Microsoft, Google, etc. still make their phones in the same factories, and the reason they didn't hand over the server keys was because they don't really offer any services in China. Google doesn't work in China, and Microsoft's involvement is minor, and China doesn't care because Windows doesn't encrypt data unless you have the Pro version and it's switched on. Also, your bias is showing in your use of Apple "happily" complying. How do you know that?
I can go on.
And if I'm not mistaken, it's illegal for a US business entity to directly say that they are co-operating with the NSA or other such US institutions, so Apple actually sending messages to their users warning them about such co-operation might also be illegal (I also feel that the canary tests have failed their intended mission; nobody has time to decipher those messages in the minutest of details).
PRISM wasn't really a cooperative program, it was a hijacking of the internet backbone, wasn't it? Your citation doesn't confirm any kind of cooperation.
I didn't really make any claim about Apple doing extra; I was challenging the idea that they somehow do worse. They seem to play as fair as you can in the given political environments across the various nations they work in.
Not knowing what kind of keys or encryption I use on my device, I'm not sure you can make any reasonable comment on what I think, or what the US wants me to think. MacBooks don't force any particular type of crypto, you can kind of do whatever you like. Are you referring to something in particular?
Domestic data sovereignty is not unique to China. A number of countries ask for that. I agree it's not ideal, and mandated backdoors (which countries like Australia have) add to the problem here. Google don't service the Chinese market directly; Microsoft have in-country storage, as do Yahoo, so not sure what your point is there. "Every other big tech company"? Tencent/Alibaba are obviously also in China. I'm not sure what the alternative to compliance with countries' laws is. Do you think it's better if companies do not obey local laws?
A lot of countries are "known abusers of human rights"... if you made a prerequisite of not working with those countries, you'd be out of business pretty quick. Agree that's not ideal... but it is the reality.
Not the OP, but afaik directly saying you're co-operating with the NSA as a US business entity might be illegal, so Apple not saying it doesn't mean they didn't, quite the contrary (especially taking into consideration Snowden's revelations).
According to this screenshot, it appears they do: https://twitter.com/norbertmao/status/1463364241688305664
[*] If you enable "Messages" sync in iCloud, encrypted message history is synced across your iCloud devices in an E2E manner.
Syncing messages across your devices is very much different than backing up your iPhone to iCloud.
The above should be pretty well known by now, but unfortunately isn’t the case.
If someone wants to dispute my comment, please cite supporting evidence.
Also imagine another bug that allows someone to spoof the 'from', or hell, even send a message that looks similar: basic phishing.
Like: "This is Apple. Click this link to secure your account, you are being hacked" (literally). Seems like a bad precedent. But I guess there isn't a great way to securely communicate. Maybe just say: google the official Apple 1-800 number and enter this secret number pad code.
The problem is authenticity and authority, not encryption. How can the user know this message really came from Apple and not a spammer?
And even if there were a spam problem, the risk is mostly on the upside anyway. It would only be an issue if iMessage got a reputation for flooding people with admonishments to take security seriously, purportedly from Apple.
[1] https://support.apple.com/en-us/HT206906
[2] https://9to5mac.com/2021/07/19/zero-click-imessage-exploit/
Your anecdotal lived experience is not representative of the entire population.
I personally have encountered at least a dozen spam iMessages (not SMS) in the past year, and several friends of mine have described the same experience. I googled iMessage spam and this was on the second page, just from last year: https://thisrupt.co/lifestyle/imessage-spam-not-thai-chana/ Feel free to research yourself to discover that it is in fact a widespread issue for many people, if not as widespread as it once was since the "Unknown sender" tab was introduced.
Regardless, SMS spam remains an issue, and on iOS, many users may not know the difference, as they're in the same app.
> And even if there were a spam problem, the risk is mostly on the upside anyway. It would only be an issue if iMessage got a reputation for flooding people with admonishments to take security seriously, purportedly from Apple.
You're missing the point. iMessage spam (though it does exist as I've shown above) is not the problem. The problem is iMessage doesn't have a good way to "verify" that messages that purport to be from Apple or anyone else truly are from a known and trusted sender. This deficiency is what enables iMessage spam, and creates the same potential for abuse with this new feature.
There was even an article on HN a couple days ago about a money transfer service phishing scam whose initial message looks very similar to this message from Apple.
I think a LOT of people will fall for phishing with cold messages that look like this.
Read the document of the original top post (the document from Apple).
The answer to your question is right there in the document.
“For Messages in iCloud, if you have iCloud Backup turned on, your backup includes a copy of the key protecting your messages. This ensures you can recover your messages if you lose access to your Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn't stored by Apple.”[1]
And they did post the solution in the document. It’s an out of band verification. Pretty tried and true solution.
Of course. That goes without saying. But neither you nor this person you cherry picked from a Google search is representative either. (And it's noteworthy that you had to drill down into Google search results in order to find a useful citation. That alone is evidence of iMessage spam not being a broadly pervasive issue.)
> You're missing the point. iMessage spam (though it does exist as I've shown above)
Huh? I never said it didn't exist.
> is not the problem.
Huh? I never said it was the problem.
> The problem is iMessage doesn't have a good way to "verify" that messages that purport to be from Apple or anyone else truly are from a known and trusted sender.
I completely agree. I never disputed that.