About Lockdown Mode (support.apple.com)
https://www.apple.com/child-safety/pdf/CSAM_Detection_Techni...
There is growing political consensus that given the lawless conduct of our adversaries, and the semi-lawful conduct of American intelligence, a smaller overall security cross section is to our advantage.
> 4. Tap Turn On Lockdown Mode.
Tap twice? ;)
Countdown to some 0day no-click exploit that adds an app or service or site to the exclusion list and then proceeds with a further attack?
What type of exploit would be able to add something to the exclusion list but not already perform arbitrary code execution and just attack the system directly? This seems incredibly unlikely -- and roundabout, because you'd still have to get the browser to load the page.
> Tap Aa > Disable Lockdown Mode to view News Org secure content
Similarly to how malicious Word docs get users to enable macros.
Also, it appears you cannot use configuration profiles in lockdown mode, meaning you may not be able to use DNS over TLS or HTTPS.
—-
It says you can’t install new configuration profiles while lockdown mode is enabled, not that you can’t run lockdown mode with a profile enabled.
It is nice to make the effort, and it might do some good, and allow a lot of people to feel l33t.
It is bad if people at proper risk think they are safe once it is enabled. (and those, to me, appear to be the people this is marketed for)
I have seen some people in such positions and sometimes they don't even use a smartphone at all. I don't think they would be tricked into feeling 'safe' with something like this. I wonder if it will actually prevent the attack vectors used by something like Pegasus.
I think it will make a lot of people feel badass though :) Like most people that bought Phil Zimmermann's Blackphone.
> Lockdown Mode is available in iOS 16 and coming soon in iPadOS 16 and macOS Ventura.
> Web browsing - Certain complex web technologies are blocked, which might cause some websites to load more slowly or not operate correctly. In addition, web fonts might not be displayed, and images might be replaced with a missing image icon.
The first sentence I believe is referring to disabling JIT (just-in-time compilation of JavaScript), which is dangerous as it allocates W+X pages which are often used by the final stage of an exploit. Apple did an amazing job already of hardening iOS by severely restricting which applications can use JIT (and this is their justification for why non-Safari browser engines are not allowed on iOS) and even enabling per-thread memory page permissions. Many more details are in this fantastic post from Google's Project Zero: https://googleprojectzero.blogspot.com/2020/09/jitsploitatio...
Overall it's very interesting to see Apple invest so significantly in something that will benefit relatively few users -- not that I'm complaining!
My theory on this is that Apple is one of the few companies where everything they build seems to be well integrated into their ecosystem. This is part of their appeal.
Another part of Apple's appeal is that they've positioned themselves to appear as the company that cares the most about consumer privacy and security. Lockdown mode seems to be one of those features that's great for marketing and PR in certain circles, while being extremely useful in situations where it's needed.
I imagine someone writing an article claiming how lockdown mode saved them, and that's practically free viral marketing in the security circles.
Also, it gives them additional room to play with security research and engineering at large. They already have an incentive to improve security on device (drive by attacks, jail breaking), and this just enables them to play with things that are safer but break too much. They’re basically training their other tech teams to be more secure, and find where security and UX clash, identify and build the fix, even if off by default.
Are you sure? There's no need to ever have a page that is W and X at the same time, and I would not expect any current professional JIT to make one.
W^X is more difficult to exploit for sure, but as other commenters point out, unfortunately still possible.
https://armv8-ref.codingbelief.com/en/chapter_d4/d44_1_memor...
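The W^X discipline debated in the comments above (a JIT code page is writable or executable, never both at once), as an added example that is not part of the thread and not Apple's or any browser's code. It assumes Linux with `/proc/self/maps` rather than iOS; the function names and the `SAMPLE` bytes are constructed for illustration, and the bytes are never executed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes MAP_ANONYMOUS on glibc */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed placeholder for "emitted machine code"; it is only copied. */
static const unsigned char SAMPLE[] = { 0x90, 0x90, 0x90, 0x90 };

/* Permissions observed at the two stages of publishing a JIT page. */
struct wx_trace {
    char while_writing[5];     /* expected "rw-p" */
    char while_executable[5];  /* expected "r-xp" */
};

/* Copy the permission column of the mapping that contains addr, as the
 * kernel reports it in /proc/self/maps. Returns 0 when found. */
int region_perms(const void *addr, char out[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    char perms[5] = { 0 };
    unsigned long lo, hi, a = (unsigned long)addr;
    int found = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 &&
            a >= lo && a < hi) {
            snprintf(out, 5, "%s", perms);
            found = 0;
            break;
        }
    }
    fclose(f);
    return found;
}

/* The audit rule: a mapping that is both writable and executable. */
int is_w_and_x(const char *perms)
{
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Publish code the W^X way: map RW, copy, then flip to RX with mprotect.
 * Records what the kernel reports at each stage and returns 0 only if
 * neither stage was W and X at the same time. */
int jit_publish_wx(const unsigned char *code, size_t len, struct wx_trace *t)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t size;
    void *buf;
    int rc = -1;

    if (page <= 0 || len == 0)
        return -1;
    size = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;

    buf = mmap(NULL, size, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -1;

    memcpy(buf, code, len);                       /* write phase: RW only */
    if (region_perms(buf, t->while_writing) != 0)
        goto out;

    if (mprotect(buf, size, PROT_READ | PROT_EXEC) != 0)  /* drop W, add X */
        goto out;
    if (region_perms(buf, t->while_executable) != 0)
        goto out;

    rc = (is_w_and_x(t->while_writing) ||
          is_w_and_x(t->while_executable)) ? -1 : 0;
out:
    munmap(buf, size);
    return rc;
}

int main(void)
{
    struct wx_trace t;

    if (jit_publish_wx(SAMPLE, sizeof SAMPLE, &t) != 0) {
        fprintf(stderr, "W^X publish failed or page was W+X\n");
        return 1;
    }
    printf("write phase: %s, execute phase: %s\n",
           t.while_writing, t.while_executable);
    return 0;
}
```

The same `is_w_and_x` check can be run over every line of a process's maps file to audit for mappings that are writable and executable at once.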
Apple has been doing this for decades with heavy investment into assistive technology, far better than other platforms.
Getting world leaders, celebrities and CEOs to use their devices might make this part of their marketing budget.
> Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware.
Outside of that it’s kind of left-field and out of character for them to give users a way to make things work worse.
I think it's probably inaccurate to conflate these two things: the JIT was not even allowed in third party browsers when using Safari for a long time, and they still didn't allow other browser engines. If this was the only reason, surely other browser engines without JIT would be fine?
This is why the iOS App Store allows Swift Playgrounds (app with a memory-safe interpreter), and allows iSH Shell (virtualized POSIX environment, where you can write and run e.g. bash scripts), but doesn't allow iSH Shell to ship with gcc.
One area of greatest concern for me is client hints and the various JS APIs that leak way too much, from OS to memory and more. You would think that an extension as popular as uBlock Origin would exist that would make this information as generic as possible to mimic the most common browser profile. Without it, it is still incredibly easy to identify a user with JS enabled and unfortunately disabling JS also makes you unique.
This doesn't even address the Canvas API issue that needs to be virtualized to protect privacy. The web standard as a whole hasn't really put a lot of thought into privacy.
Maybe Apple wants to encourage more (non-classified) government use of iPhones? Maybe they have a big juicy contract they could take if they just get their OS into the right shape for it?
Government purchase-orders used to be the main thing that kept RIM/Blackberry afloat: they were a Canadian manufacturer, and so were (or could be validated + closely scrutinized to be) trustworthy as a supplier for American government communications systems. This is 90% of why the Blackberry ecosystem was... the way that it was.
Apple is now in (nearly) the same position. And their ecosystem has also been strange for the last 6-or-so years, in that particular "there's no clear reason for this, unless the government asked you to do it for supply-chain-integrity purposes" way (e.g. a self-serve repair program that requires you to pre-register a device for repair before ordering parts, and then report the part IDs to initiate online pairing.)
The niche they don’t play in is some police, inspector, and other outdoor jobs. The iPhone environmental operating range is too narrow.
I would say that this is at the very least a strong marketing point. "We are secure by default, and the most secure phone out-of-the-box on the planet if needed".
The hardware itself must be trusted to an extent, too. Is there an android-compatible device/ROM combination that can advertise the same level of security as this lockdown mode, without spending two days configuring it?
In no way is this 'revolutionary' by Apple.
[1] https://landing.google.com/advancedprotection/
[2] https://support.google.com/accounts/answer/9764949?hl=en
TBH, if you have a target on your back, spending two days configuring your phone is a pretty small inconvenience.
On the other hand, if you're applying this without looking deeper into what it covers, what it doesn't, and the limits, you'll probably be in trouble sooner than later.
A phone fully designed, developed, and assembled in the States with capacity to further lock down is a huge + for three letter agencies.
Lockdown mode is quite similar in that thinking.
https://www.macobserver.com/tmo/article/tim-cook-soundly-rej...
Perhaps requested by Biden's Director of InfoSec?
Well they did that not because they care about users but because they want all software to pass through the App Store (and thus the review and policies of Apple). If you would allow code from other sources to run efficiently (for example downloaded at runtime, put in a W+X memory page and executed), that code doesn't pass through the review process of Apple, thus one can publish an app that does something and then modify its code to make it do another thing (even load an entirely different thing).
In the end I don't think this is a good thing for users.
I really hope the EU will succeed in forcing Apple to allow third party app stores. That would be a game changer. People that are happy to stay in the walled garden can simply not use any other app stores but for someone like me it will open up iOS as an actual option I can choose. Right now there's too many things I can't do on iOS.
Though honestly, I'd be even happier with a real third option instead.
This is the best news. Otherwise, you can bet your IT department would be throwing that switch on for everyone.
I think you will find you are partially mistaken here.
Apple have provided the ability to disable cellular access from day one. It's right there for you as an option and has always been there (look under Settings->Mobile Data, you can toggle on/off for each specific app).
Additionally, Apple have always provided the ability to disable background data refresh for apps. In other words, this takes you 3/4 of the way to providing the ability to restrict WiFi access.
I know it's cool to Apple bash, but at least get your facts right before you jump on the bandwagon.
That's not what he's talking about. I can't block a specific app I don't trust without blocking the internet for the entire phone.
On Android, you can download firewalls that allow you to turn on or off internet access for each app individually.
Disabling network access entirely is a great safety switch for apps that claim to be offline-only, or to ensure apps literally can't send your data away. I knew I'd trust a lot more apps this way.
I look forward to when this comes to iPad. An iPad with a Bluetooth keyboard is an excellent option over a traditional laptop for a high-risk target, and this’ll make it even better.
What if I want to block USB devices, but I want to be able to use shared photo albums?
I'd also like to see some method for quickly wiping the phone or severely disabling it. A friend mentioned that a new scheme for thieves is to ask you for your unlocked phone at gunpoint and then use a cash app to transfer money to one of their accounts. Some way to very quickly (and covertly) wipe your phone would help defend against that attack. (Related: https://www.startribune.com/warrant-grifters-targeting-cash-...)
A more practical defence is keeping a low balance on any account that can be easily accessed from the phone. Not seeing any real use for this functionality when faced with an adversary physically.
But when locked it throws away the keys to the storage in memory so they need to be retrieved from the Secure Enclave again through device password.
So without an absolutely amazing exploit all your data on device is totally inaccessible.
Well I would like to have these two enabled in regular situation.
> web fonts might not be displayed
Great, I almost always prefer system default fonts.
> Incoming FaceTime calls are blocked
Perfect, I don't use it, it is always some scammer.
> Incoming invitations for Apple Services
Perfect, I don't care.
> Shared albums are removed from the Photos app
I don't use this stuff, I don't care.
> To connect your device to a USB accessory or another computer, the device needs to be unlocked.
This seems like it should have always been the default.
> Configuration profiles can’t be installed
Perfect, nobody should be trying to manage my phone.
> Perfect, I don't use it, it is always some scammer.
You get spam/scam FaceTime calls? (Not attacking, just generally curious... I've never in my life ever gotten or know anybody who has been spammed via FaceTime).
In fairness, there is a setting to turn FaceTime off entirely, that didn't have to wait for this feature.
Isn’t it on by default too?
What baffles me is that damn near all of this stuff could also be a separate preference item, mostly because I don't want 90% of what they mention enabled anyway.
The list of restrictions doesn't seem too inhibiting - for those who have used it, what are the points that stand out? Is this something designed for habitual use or under specific situations?
1. You cannot tap on any links in iMessage. You have to hold your thumb down on the link, copy it to clipboard, switch to Safari, paste
2. If someone posts a gif in an iMessage thread, it doesn't show up
3. All inbound requests for FaceTime calls seem to be automatically blocked, even when they are coming from people who are favorites in my contacts. I haven't looked into why yet. Maybe it's because I don't have their phone number saved with a `+1` prefix in my contacts?
Other than that it's hardly noticeable, and I think it's fantastic that we now have this option.
> Incoming FaceTime calls are blocked unless you have previously called that person or contact.
So you may have to call them first, even if they are a favorited contact.
This sounds like a positive for me. I disable animations in chat whenever it’s an option.
So far, the only annoyance is that sites relying on custom fonts for icons can end up with indecipherable UI elements (e.g. a button with a "refresh" icon is now just a button with an empty square)
I'm not sure though, it might have been a bug, it might have been a user error, but I wonder if inter-device copy and paste is limited, too. I haven't read anything about it, though.
Otherwise I've noticed nothing, except a popup when starting apps for the first time after activating lockdown mode, that lockdown mode is active for the app.
To me, lockdown mode is a no-brainer. But I don't use very JS-intensive web sites, and never use Apple messages.
Private relay and locked down mode are two of the recent good features in iPhone.
I am wondering how much is it effective against NSO-style spyware? Like, are they going to still come up with exploits and zero days hacking locked down iPhones, maybe adding 25% to their fees?
Is there a similar mode in desk and server Linux?
Thanks to years of invasive online targeting, bulk data breaches and mobile phone network structural insecurity, it has never been cheaper to screen for higher-than-average-value targets with digital assets that can be exfiltrated.
Since targeting costs have fallen, it is profitable to target employees below the C-suite, e.g. those in strategic or development roles who routinely need to access sensitive information and digital assets. This applies to enterprise, mobile and WFH environments, e.g. leveraging mobile phone foothold to reach other devices like a home router.
Some apps like Gmail will warn you that Lockdown mode is activated and that it will impact your experience but I have not encountered any drawbacks beyond iMessage links not opening the browser. This is easily worked around by copying them.
I hope this also blocks incoming calendar invites. Apple has as a feature the automatic addition of calendar invites... spammers soon noticed this and send out calendar invites with their favorite links that can clutter it up.
Executives, politicians, government figures, engineers and scientists with access to intellectual property, lawyers, … will all benefit from this mode.
Think of nations stealing trade secrets and technological know-how from each other. Or how much money you could make hacking iPhone of an employee or CEO of a company that might provide inside information.
https://www.vice.com/en/article/epzpb4/websites-can-identify...
Apple is under more legal pressure than ever for its apparent 'anti-competitive' practices. They have on many occasions pushed the line of user privacy and security to defend their business. Features like this benefit a small group of people, but help Apple enormously in defending itself from litigation.
Edit: Downvote? Why are companies given the benefit of the doubt as if they were human and caring when they are clearly not! Large listed tech companies like Apple will ALWAYS act in their own interest first. User privacy is the advantage Apple has over its competitors who rely on free services and advertising. It is in their OWN INTEREST to pursue this path which in turn impacts others ability to compete. Must we continue to be so grossly naive?
If competitors that depend on tracking and advertising die, nothing of value is lost.
'Privacy and security' allows them to justify taking a cut of 30% from developers for simply allowing their apps to be installed on an Apple device, which is then passed onto you.
'Privacy and security' is why you need to update your perfectly capable phone after X amount of years because Apple stopped releasing updates for it.
'Privacy and security' is why they removed ad tracking on devices used by competitors, forcing developers into Apple's payment streams where.. you guessed it, they take a cut. They then created their own App Store advertising model in the process. No alternative payment methods are available on Apple devices because 'privacy and security'.
Question: If I turn off cell, like with airplane mode, is it truly, completely off, with no cell tower pings and such?
Many hacks these days exploit WhatsApp incoming message processing, etc.
Every app with push notification support increases your attack surface.
Or perhaps disable their processing altogether and just have notifications be a dumb pipe.
The article says that in LM, you can't enrol the device in MDM -- I suppose that if you want LM functionalities, it makes some sense that you wouldn't want parts of your device to be remotely controllable by an enterprise (or your MDM profile overriding some of the Lockdown options..?)
But... I don't understand what you mean by it being a bad thing that IT admins would want Lockdown Mode for everyone. Thanks
If there's a lazy security option that can be enabled, a lot of companies are just going to inappropriately turn it on because it doesn't bother them that your phone can't do anything fun. That doesn't cost them money. Even if you're a web designer for a small shoe store where obviously nuclear power plant level of security doesn't really make sense.
I remember android phones like 10 years ago or so had some corporate policy option so any time the screen is locked, you need to enter a 20 character password that has uppers, lowers, capitals, symbols, and numbers.
Any patterns / words it decided were too easy to guess were rejected for a password. This wasn't a "Lock after an hour of inactivity." It was "Lock immediately, and set screen timeout to 30 seconds."
My understanding is that you can't change the MDM settings/enrollment while in Lockdown, but you can enroll in it, and then enable Lockdown, and be fine.
If you want me to use lockdown mode, give me a separate phone.
It would make much more sense to look at their actual, independently validated security certifications that they advertise:
https://support.apple.com/guide/sccc/security-certifications...
https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/CE...
https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/CE...
Where they have only managed to achieve the absolute lowest levels of security.
Like, look at that last one, their security validation functionally consists of typing “public unpatched ios vulnerabilities” into Google and certifying that nothing comes up. It is utterly preposterous to claim they have any security expertise against highly skilled attackers at all when that is the limit of their advertised certifications. If they actually want to demonstrate security leadership, they should certify against the highest level, AVA_VAN.5, which actually verifies protection against HIGH attack potential threats instead of the lowest level, AVA_VAN.1, which only verifies protection against BASIC attack potential threats.
Security qua security (ie, not counting security loss due to privacy loss) it's pretty tight between Android and iOS:
Maybe Zerodium will offer a new tier for a zero-click attack on an iPhone on Lockdown mode in the future.
Privacy I am not even so sure - you can turn a ton of Google stuff off fairly easily and on top of that while Apple may not directly sell your aggregated data to third parties they sure as hell are using it themselves
[1] https://support.google.com/accounts/answer/11577602?hl=en
https://microsoftedge.github.io/edgevr/posts/Super-Duper-Sec...
Anyone else being ... just Google. It's not like we have many options for mainstream mobile phones.
It's easy to be ahead of the competition when the competition's business model is selling your data. One can dream of a day when Apple gets real competition.
Apple’s privacy reputation is mostly marketing and boils down to “if anyone’s going to spy on you it’s going to be us!”
I just don't see how you could equate Apple to every other company and accuse them of spying on their users when it is clearly not the case. You have options when it comes to phones and computers and only one Fortune 500 company seems seriously committed to keeping their users' personal info private.
[1] https://www.apple.com/privacy/docs/Differential_Privacy_Over...
It makes for a very clear demarcation as to why the product doesn't work as it normally should, and an abundance of differentiation would remove all of the guessing as to "why is feature X not doing what I expect" for the user of the device.
Regarding USB devices, Apple has offered a setting for years in "Face ID & Passcode", under "Allow Access When Locked" called "USB Accessories". If you turn that off, then your iPhone won't allow USB accessories to connect if the phone has been locked for more than an hour. Not quite the same as the Lockdown setting, but better than nothing?
Since around iOS 11 this USB lockout and “require pin, not FaceID/TouchID” used to be 5 clicks of the power button, and triggered it immediately. Also brings up an emergency button no matter what you were doing.
After this screen, pin is required.
Prior to this Lockdown mode, for best results you also may want to use Apple Configurator or JAMF Free or similar to block other ways of “recovering” access.
Before iOS 11’s USB lockout, this “pair locking” was the best way of helping block forensics tools:
Think of how Apple maintains their image, and who they claim this is for. They don't want a journalist killed because they thought they had Lockdown Mode on, but they had link previews in SMS and got hit by a zero-day tracker.
The value of grouping this into a mode is ensuring end operators don't miss important details.
I believe the JIT runs in its own process too.
https://developer.apple.com/documentation/apple-silicon/port...
People that think like this are a danger to humanity.
That's just a business requirement on the App Store rather than a technical requirement. Nothing prevents you from installing iSH shell and then installing gcc yourself afterwards. In fact I have done so.
To summarize, Apple made a speed bump, not a wall.
Maybe there are situations where switching permissions is too expensive in an unavoidable way but that borders on chip design problem...
Absolutely no one vendor can match Apple in security, ever.
I'll get an Android phone if I want choices in situations where I don't need them.
Raging wildfires causing smog all over the west coast beg to differ. Having built-in HEPA filtration is fantastic.
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7158270/ "In principle, homes could be outfitted with High-Efficiency Particle (HEPA) filters, although this would require substantial modifications to most home heating, ventilation, and air conditioning (HVAC) systems and would require positive overpressure systems to prevent infiltration through cracks. However, hermetically sealed office buildings frequently have HEPA filters and positive overpressure HVAC systems, making it easier to ‘harden’ such buildings if they are likely targets of attack or if they perform critical functions in the midst of an emergency."
It wouldn’t surprise me if the anti-googled, that is instead of enforcing adoption of a web technology because they own the browser market, stopping all the misused technologies they don’t want to have to explicitly protect for.
This isn't a 100% mitigation, but it does make it harder to exploit.
JavaScript JIT has been the source of so many RCE vulnerabilities.
“Slide this and cover practically everything built in” is a lot more reliable. You can still have problems (as always) with anything extra you install, like any system would.
- you spent the time to know what they do, and how they work
- you set yourself at the right level of security
So you still need to be sure that Apple got every single option completely right for your use case in the configuration you chose.
That’s probably a one time task, and once you understand what it does and where it protects you, you can just move the slider. But it can’t be a “no-brainer” just slide the thing.
I’d compare this to buying insurance: some will have 3 plans and you just choose one level, some have 250 options and you take hours or days going through each of them.
But whichever you choose you’ll still spend a significant amount of time going through all the papers to even understand what the terms are and what you’re actually paying for. You wouldn’t be paying years of insurance to realize at the worst time that the “just sign this” plan was partly incompatible with your health situation.
What these people needed from the tech community is a foolproof, fail-safe way to turn the security level to the max.
What Apple just did is going in this direction. I hope Google can do the same.
CEOs and celebrities and politicians are not only at risk because of their influence and insider knowledge, but they also have a huge target painted on them at all times. They simply can't keep a low profile due to their occupation. They also have money, much more than journalists and activists, so they attract "regular" criminals too.
Human rights activists and journalists probably won't be their main user base but it will be the most prominent for public relations reasons, because who doesn't like human rights and investigative journalism? VIPs are less marketable and let's not talk about criminals. To keep things clear, I think it is a good feature, even if it can help criminals. After all, human rights activists are often technically criminals where they act.
[0] https://www.euronews.com/green/2022/02/18/30-environmental-r...
Everyone they're investigating. Here's a list of 51 journalists killed just this year https://cpj.org/data/killed/2022/?status=Killed&motiveConfir...
It’s literally spelled out as one of the target audiences in Apple’s press release announcing the feature.
https://deibert.citizenlab.ca/2017/02/mexico-nso-group-and-t...
Results of enabling it and using my phone as I normally would:
- Some websites don't display images. I've no idea what they encode to, but they won't display. Fine, don't care.
- Animated GIFs don't play in Messages when coming in via SMS (perhaps iMessage too, haven't tried). Annoying when people communicate in animated GIFs, but... people just expect my tech to be weirdly broken, so this doesn't actually impact things significantly.
And that's it. I couldn't tell you the performance delta in casual internet use, though I don't use my phone very heavily either.
This space is murky at the top end.
The Zerodium payout offering is a rough proxy, but for 99.99% of consumers the security wins for an iPhone are mostly about how they don't have to think about the manufacturer (telling your tech-illiterate friend to buy an iPhone is easier than saying "Android but only Google or XYZ manufacturer") and how the privacy differential helps out a bit.
Also, plenty of people can't enable crazy hyper secure mode without bleeding information that they've enabled it. So this isn't as helpful as it may seem.
Very few people are being targeted by nation-states. But more importantly, these are not a random set of people. These are head of states and companies, free speech activists and journalists, and people with access to top secret information. I suspect that a large set of them are aware that they are potential targets.
It's just not a helpful warning.
Which is funny because google is the advertising company.
Apple probably had a bigger budget for that sort of thing from the beginning, thus creating a proper culture. Google, probably not so much.
For context this is relatively new and is different from the older way of doing things (device enrollment).
1. https://support.apple.com/guide/deployment/user-enrollment-a...
People being targeted by the NSO Group are generally very smart very educated people, but they're journalists, not digital security specialists. They may even know how to beat a tail, but they have no idea about MAC addresses. As someone who has been on both sides of the divide just "flipping a switch" is a massive upgrade to the ability for reporters and activists to keep themselves and their contacts safe.
If so, it sounds like a very complicated way of marking contacts as "super favorites"?
Epic in fact tried to convince Android users to side load. It was not only a horrible failure, it introduced a security vulnerability.
https://www.itpro.co.uk/security/31787/vulnerability-spotted...
Epic also lost its case against Apple. The judge explicitly said that Apple wasn’t a monopoly.
The whole point of Epic side loading apps was to avoid the gatekeeping of the primary stores and their ‘review’ process. Was it a terrible failure because Epic is incapable of creating functioning software? Or was it a failure because it's near impossible to circumvent the limited developer 'sandbox' with APIs that all run through Google services? Are apps listed on Google Play free of security vulnerabilities? Who’s to say this information wasn’t disseminated throughout the public and media by Google or Apple themselves attempting to sway opinions against the so called evils of installing your own software.
As far as Epic vs Apple, whether the judge ruled Apple a monopoly or not isn’t of great concern. What’s more important is that she ruled Apple must provide other payment options to developers. It's in the user's interest that alternative payment methods are made available as it (in theory) will decrease the cost of app purchases. Apple's not in any hurry to implement it though.
Please point to a single third party who is competent to evaluate if they can actually protect against the “most sophisticated digital threats” that has actually supported Apple’s claims.
Valid third parties include, but are not limited to, any national security agency or premier hacking organization with hundreds of members (i.e. actual “most sophisticated digital threats”) declaring it can protect against them, any individual or organization who has designed and implemented such a system in the past agreeing Apple has created such a system, or any certification body who has reliably certified such systems with low rates of false positives such as the Common Criteria.
Invalid support includes, but is not limited to, certification bodies that give Windows their highest security rating, marketing articles, individual hackers of no particular renown, and claims of it being “better” or “harder” without even being able to quantify where in a multiple order of magnitude range it lies.
That said, it's still a new feature. I'm sorry I don't have the NSA spokesperson here to say that they are going to pack it up and go home now because iPhones are unhackable, since that's the only thing you are willing to accept. To be entirely honest I am not even willing to hide my disdain for the certification you've repeatedly brought up at this point beyond it being a set of good practices. Like, the Titan M2 chip was assessed at AVA_VAN.5, and it got exploited last month because it was written in a bunch of C and deployed without layout randomization or attempts at CFI. I trust the words of hackers (of particular renown, mind you!) and their analysis of how strong the mitigations actually are over some certification person just looking at the system and trying to take a guess as to how it'd hold out.
I did not previously know that the Titan M2 chip was assessed at AVA_VAN.5, but I do not see how the chip itself being certified against physical attacks is relevant to the security properties of the Security IC Embedded Software which is explicitly out of scope and is uncertified at any level. To support my claim that it is a certification of the hardware, not the software:
Here we see the certificate: https://www.tuv-nederland.nl/assets/files/cerfiticaten/2021/...
This conforms to the Security IC Platform Protection Profile with Augmentation.
Here we see the actual security target: https://www.tuv-nederland.nl/assets/files/cerfiticaten/2021/...
This is consistent with the Security IC Platform Protection Profile with no material changes.
Here we see the Security IC Platform Protection Profile definition: https://www.commoncriteriaportal.org/files/ppfiles/pp0084b_p...
On Page 7, Section 1.2.2, Statement 9, we see that Security IC Embedded Software is all software running on the chip (i.e. non-firmware). Security IC Embedded Software, which is what we would consider to be the Titan codebase that was attacked, is explicitly called out as not part of the Target of Evaluation (TOE).
On Page 22, Section 3.2, Statement 70, we see that the threats specified are physical, electrical, and hardware attacks. On Page 25, Section 3.2, Standard Threats, Statement 82-87, we further confirm that the enumerated threats are physical and related to the hardware itself, not the software.
On Page 30, Section 3.4, Assumptions, Statement 99, we see an assumption required for correct operation of the composite TOE (hardware + software) is that the Security IC Embedded Software correctly protects user data. As this is an assumption, this is not an evaluated claim and assumed to be true for the purposes of evaluation and is thus out of scope.
So, to reiterate, I do not see how a software attack on uncertified code in the Titan M2 chip proves the certification evaluates software incorrectly given that the software was out of scope of the certification in the first place and thus no claims of its quality are asserted as part of the certification that the Titan M2 chip received. That is like complaining that waterproofing standards for phones are garbage because they do not tell you how fire resistant a phone is. If anything, it supports my statement since the uncertified code was defeated.
If you don't trust anyone but yourself, you'll have to do the audit yourself. How do you suggest to do that? An auditor with a good track record seems like the most trustworthy practically feasible alternative to me.
I'm not making an analogy. I'm saying right now, there's a similar long-odds off chance arecurrence is near someone having a stroke. And elaborating on stroke symptoms would be about as useful as the advice you gave earlier.
It’s kind of like your employer wanting a key to your car when it’s in the company lot, or to check your coat pockets when you leave work, or requiring a vial of your blood.
Some would say that I am privileged to say “nope!” to all of the above, but tacitly requiring employees to bring their own devices and then controlling them with MDM is such an inappropriate use of power that we should be protected from it, by right.
This allows the company to wipe data that actually belongs to them, but a policy doesn’t have to let them see your activity, mails, photos, or even what other apps you have.
If your employer is running policies for accessing your private stuff, send the right people some docs on how to protect company data w/o invading your privacy.
In my career I've always tried to enforce only the seamless security that users don't even notice, the ones that "work in the background". Most SecOps people have the opposite notion of this, thinking that systems aren't really secure unless they're in-your-face to the point of being obnoxious and interfering with regular business activities.
It's not secure if it's not theatre.
A random example is the "usage terms" that large orgs make everyone click through when they log in. These do nothing. Some text has never in the history of the world stopped a hacker hacking into a system. Illegal access is illegal whether you tell users about it or not. Crimes are crimes even if you don't have the legal code printed out and visible wherever that crime may be committed. The only users who will actually see the text are staff with contracts, staff that have their details registered with HR, staff that can be conveniently arrested by the police if they break the law. You know who doesn't see that disclaimer? Hackers.
Why does this matter anyway, you ask? Why not just "click accept" and move on with your life? Well... because when you log onto a shit-slow corporate terminal services desktop, that's a process that takes 2-5 minutes on a good day. Roughly half-way through, the process will stop and wait for 30 seconds for that acceptance click. No click, and the whole thing is aborted. It's a test to see if you have the patience to sit there, wasting minutes of your precious life on Earth watching a screen change colours while the system loads, click, and only then have a brief moment of freedom to do other things while the loading continues.
I put up with this every day, because some dingbat in legal thought that crimes will occur if they don't force 15,000 employees to click 'Accept' on text none of them have ever read. Every day.
It's a thousand cuts like that that add up to corporate misery, to the point where big vendors are being irresponsible to the public by adding anti-human features like this.
Haha, so true!
I refuse to use my personal devices for work, as a matter of principle. Need me to be on call? Flip phones are pretty darn cheap.
If you have special requirements for the devices I use, it's your responsibility to provide separate devices from my personal ones.
There are settings though for passcode enforcement and whatnot.
Given you are the most successful computer company on the planet, and the entire planet is connected by your products within two degrees of separation in a network; then the only thing you gain is a loss as any auditor is in a position of being unmatched in every category at best and at worst is an active agent who will dissipate information increasing vulnerability and attack surface.
Bug bounties work well to solve this, and that’s how it’s done.
Statistically unlikely to be seen is the case for almost every comment I make, because that’s how I enjoy participating here at HN. The rest of the commenters have “statistically likely” covered! No need for me to pile on.
So I look for the odd weird corners and note them and earn a mix of “Whoah”, “No you’re wrong”, and “Sure but so what”. I’m cool with that :)
And the warning you gave wasn't exactly going to be helpful to anyone else.
> Have curious conversation
There is no guideline directing me to make my comments relevant to the majority of HN readers. This is probably the most narrowly-focused HN comment I’ve ever made in a decade, though!
It’s neither offtopic nor generic, as it’s focused on the exact post topic at hand, and it says something odd but useful that no one else is saying. That’s the essence of what every HN comment should be.
We already established that the opsec scenario was so unlikely as to not matter for that particular poster. And for everyone else "you, specific person, under an extremely unlikely guess, should not be posting on HN" is not a useful post.