Tag Archive for ‘Security’

Apple Announces End-to-End Encryption Option for iCloud Photos, Notes, Backups, and More ➝

I’m a little late to the party on this, but this is excellent news.

➝ Source: macrumors.com

Option C

John Gruber, in reference to The New York Times’ piece on Apple, China, and user privacy:

It’s a big report, but the above is fundamentally true and gets to the heart of the conflict: physical access to the hardware in the facility is game over. But what’s missing from the whole piece is any serious discussion of what else Apple could do. Apple has no option other than to comply with Chinese law, or else stop selling products in the country.

Option A: Apple does what it did — store all Chinese users’ iCloud data on servers in China, under the ultimate control of the Chinese government.

Option B: Apple refuses to do so, and the Chinese government shuts down iCloud in China and probably bans the sale of Apple devices.

Is there an Option C? I don’t think there is.

There’s a very clear and obvious Option C — build Apple products that are less reliant on iCloud.

If access to the physical servers is the biggest privacy issue, then give users the tools to effectively opt-out of it entirely and take control of their own data.

Why can’t the iPhone back up to a shared Time Machine drive on the local network? Macs have been able to do this for years. It’s not as if iPhones have some sort of hardware limitation — the iPhone of today is significantly more capable than the Macs of 2008, when Time Capsule was first introduced.

Backing up your device to iCloud is actually the biggest point of failure of iMessage’s security. Despite the fact that iMessage is encrypted end-to-end when sending messages, Apple can access and view your messages within iCloud backups. If Apple offered a more convenient way to back up your iPhone locally, it would give users the option of better security if they prefer it.

Reintroducing Time Capsule would be the best way to do this, as it would be an easy, single-purchase solution for users that want to own their data.

But it could go beyond just device backups — Apple could pitch the Time Capsule as “iCloud at Home” and mimic many of the services that iCloud offers on a box that you physically control.

iCloud Photos, iCloud Drive, Notes, and any other service that syncs or stores data in iCloud could be stored locally on a Time Capsule. Apple’s servers would just be there to tell the device I’m using how to connect to the Time Capsule on my home network. In other words, Apple facilitates the connection and then my devices talk directly with the Time Capsule using end-to-end encryption.

This would seemingly eliminate offsite backups, leaving you vulnerable to data loss if there was a fire, flood, or something else that physically damages your Time Capsule. But this could be solved too. Apple could develop a system where you could pair a Time Capsule in your home with a Time Capsule in a friend or family member’s home, giving them the ability to back up data to each other. Synology already offers this, actually.

But of course, there’s always the possibility that China pulls the rug out from these endeavors — enacting policies or practices that hamper these types of services or outlaw the sale of Time Capsules outright. But at least Apple would be making more of an effort. And a rising tide raises all ships — I imagine a lot of iPhone users would jump at the opportunity to buy an “iCloud at Home” Time Capsule to take greater ownership of their data.

And then there’s the issue of censorship in the App Store. This one is simple and I’ve advocated for it a number of times, even outside of the discussion of China — open up the platform to apps from outside the App Store. Make it more difficult to police iOS software by decentralizing.

This would almost certainly introduce the possibility of spyware on the platform, but given China’s relationship with large tech companies, one could argue that this is already happening. The difference is, if there was an app that the Chinese government didn’t want their citizens to have access to, instead of it simply being banned from the App Store, they would be able to install it, albeit through underground channels. But even that would be tremendously empowering.

553 Million Facebook Users Compromised ➝

David Sparks:

Hackers managed to grab names, account details, and telephone numbers from 553 million Facebook users, and now they’ve published all that data on the web.

How do we convince 2.7 billion people to stop using Facebook? It’s clear that the security and privacy angles don’t work. So what will?

➝ Source: macsparky.com

WordPress 5.6, “Simone” ➝

An exciting release, which includes a great new feature:

Thanks to the API’s new Application Passwords authorization feature, third-party apps can connect to your site seamlessly and securely. This new REST API feature lets you see what apps are connecting to your site and control what they do.

This gives you the ability to authenticate an app or service with WordPress using a password created specifically for that connection. And you can revoke that password as you see fit — keeping your site secure without having to change your password and re-authenticate in any app or service connected to your site.

But what’s more exciting is that this opens the door to natively supporting two-factor authentication in the future. If that’s something you’d like to add with a plugin now, I use Two-Factor.

And for more information about Application Passwords, there’s an excellent integration guide available.

➝ Source: wordpress.org

Laboratory, a Firefox Add-on for Generating Content Security Policies ➝

I got on a kick of implementing security-related headers on Initial Charge this week. Most of these were fairly easy to add, simply copying and pasting some code from various tutorials into my .htaccess file and then testing. But Content Security Policy was a major pain. It essentially tells the browser what content is allowed to run on webpages and where it can load that content from.

This add-on made the process much easier. Once installed, I opened the add-on’s menu, enabled recording of my site, then browsed to every type of page I could think of — on the front-end and the backend. The add-on kept a running tab on all the different types of content loaded and where it was loaded from. Then I grabbed the markup provided from within the add-on’s menu and added it to the site’s .htaccess file.

I’m using some declarations that are considered unsafe, notably the ability to run inline JavaScript and CSS. But now that I have the header implemented, I can go through the process of adjusting that content to run from safer sources and then change my security headers accordingly.

➝ Source: addons.mozilla.org
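
An added example, not part of the original post or the Laboratory add-on: a small Python check that parses a Content-Security-Policy value and reports where inline JavaScript or CSS is still allowed, including the fallback to default-src. Both policy strings and all function names are constructed for illustration.

```python
# Added example: flag CSP settings that still allow inline script or style.
# Both sample policies are constructed for illustration.
RECORDED = ("default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example; "
            "style-src 'self' 'unsafe-inline'; img-src 'self' data:")
TIGHTENED = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; style-src 'self'"
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header_value):
    """Split a policy string into {directive: [sources]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_sources(policy, directive):
    """Sources governing `directive`; script-src and style-src fall back to default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")  # None: nothing restricts this content type

def audit_csp(header_value):
    """Return (directive, issue) pairs for script-src and style-src."""
    policy = parse_csp(header_value)
    findings = []
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append((directive, "unrestricted"))
            continue
        lowered = [s.lower() for s in sources]
        # Browsers that support nonces/hashes ignore 'unsafe-inline' when one is present.
        guarded = any(s.startswith(HASH_OR_NONCE) for s in lowered)
        if "'unsafe-inline'" in lowered and not guarded:
            findings.append((directive, "'unsafe-inline'"))
        if "'unsafe-eval'" in lowered:
            findings.append((directive, "'unsafe-eval'"))
        if "*" in lowered:
            findings.append((directive, "wildcard source"))
    return findings

if __name__ == "__main__":
    for name, value in (("recorded", RECORDED), ("tightened", TIGHTENED)):
        print(name, audit_csp(value))
```

The TIGHTENED sample keeps 'unsafe-inline' next to a nonce, a pattern that lets older browsers keep working while current ones enforce the nonce.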

Hackers Convinced Twitter Employee to Help Them Hijack Accounts ➝

I’m a bit behind on the Twitter hack story, but Michael Tsai does a great job collecting some of the more interesting takes from around the web.

I’m sure this isn’t a unique thought, but having a single, centralized system for publishing and communication is inherently insecure. It would be wise for high-profile individuals to buy a domain, install some publishing software, and start sharing their thoughts on something they completely control.

If one site gets compromised, it will only affect that single individual. And because they’ll own their own platform, they won’t be beholden to Twitter with regard to what security measures can be put in place.

➝ Source: mjtsai.com

Catalina’s Dialog Bureaucracy ➝

An excellent piece by Nick Heer discussing the terrible state of permissions prompts and security-related dialogs in macOS.

➝ Source: pxlnv.com

Samsung Accidentally Makes the Case for Not Owning a Smart TV ➝

Jon Porter, writing for The Verge:

Samsung has reminded owners of its smart TVs that they should be regularly scanning for malware using its built-in virus scanning software. “Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks,” a (now deleted) tweet from the company’s US support account read alongside a video attachment that demonstrated the laborious process.

It’s amazing to me that this was ever tweeted at all. Imagine if Microsoft was marketing their operating system by sharing tips on how to use malware or virus scanners on Windows. It’s not a good look.