iOS, the Future of MacOS, Freedom, Security and Privacy

gist.github.com

117 points by agreen 8 years ago · 65 comments

LeoPanthera 8 years ago

When the iPhone was new, Apple wasn't fighting surveillance society. They were mainly fighting carriers forcing you to buy shitty locked-down phones preloaded with as many monetization tools as they can fit in them.

So a lot of the basic security of iPhone OS, as it was originally called, was supposed to stop your carrier from fucking it up.

That legacy continues today, even though Apple is pivoting to a "privacy is the product" model. I suspect a lot of these criticisms are a byproduct of that legacy, and not necessarily a sign of trouble in the future.

I still trust Apple - but Apple will have to continue to work hard to maintain that trust.

drodgers 8 years ago

> Especially since iOS10, and the “differential privacy” (dprivacyd) concept, which Apple pushed, and which this author feels essentially boils down to “let’s collect even more data without giving a real reason and spin it as a privacy improvement because we remove certain metadata, after all none of our users understand or care anyway”

This is too misleading and dismissive. Differential privacy collection requires that the device will send back data which doesn't contain enough information to tell anything significant about the individual, but does allow for population-level statistics to be computed from many samples (e.g. the old private-survey trick of flip a coin and answer truthfully if it's heads or randomly if it's tails). If they're collecting more data with this system, then it's supposed to mean that they don't know more about you.

Almost all tech companies collect extensive usage data; Apple seems to have made a genuine and rare attempt to improve the privacy of their users (admittedly without damaging their ability to make informed product decisions). Given the popularity of AI tech and the huge amounts of data it requires, systems like this are probably the only plausible way to improve user privacy without getting left behind in the AI and product-development race.
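The coin-flip survey trick drodgers refers to is randomized response, the textbook local differential privacy mechanism. The following is an added example (not code from the gist, the thread, or Apple's implementation; Apple's actual mechanisms differ in detail) that shows both halves of the argument in one place: the collector can recover the population rate from the noisy reports, while any single report only shifts its belief about that one person by a bounded amount. The population and its true rate are constructed with a fixed seed.

```python
import math
import random


def randomized_response(true_answer: bool, rng: random.Random) -> bool:
    """One respondent's report. First coin heads: answer truthfully.
    Tails: ignore the question and answer with a second coin flip."""
    if rng.random() < 0.5:
        return true_answer
    return rng.random() < 0.5


def estimate_prevalence(reports) -> float:
    """Population estimate from the noisy reports.
    P(report yes) = 0.5 * p + 0.5 * 0.5, so p = 2 * (P(report yes) - 0.25)."""
    observed_yes = sum(1 for r in reports if r) / len(reports)
    return 2.0 * (observed_yes - 0.25)


def privacy_loss_epsilon() -> float:
    """Worst-case likelihood ratio of a report between the two possible true answers.
    P(yes | true yes) = 0.75 and P(yes | true no) = 0.25, a ratio of 3, so this
    mechanism is ln(3)-differentially private for each respondent."""
    return math.log(0.75 / 0.25)


def posterior_true_yes(prior_yes: float) -> float:
    """What a collector can infer about one person who reported 'yes' (Bayes' rule)."""
    p_report_given_true = 0.75 * prior_yes
    p_report_given_false = 0.25 * (1.0 - prior_yes)
    return p_report_given_true / (p_report_given_true + p_report_given_false)


def simulate(population: int, true_rate: float, seed: int = 7):
    """Constructed population: each person's true answer is drawn with probability true_rate.
    Returns (actual rate in the sample, rate estimated from the randomized reports)."""
    rng = random.Random(seed)
    truths = [rng.random() < true_rate for _ in range(population)]
    reports = [randomized_response(t, rng) for t in truths]
    actual = sum(truths) / population
    return actual, estimate_prevalence(reports)


if __name__ == "__main__":
    actual, estimated = simulate(200_000, 0.12)
    print(f"actual {actual:.4f}, estimated from noisy reports {estimated:.4f}")
    print(f"epsilon = {privacy_loss_epsilon():.3f}; "
          f"a 'yes' report moves a 50% prior to {posterior_true_yes(0.5):.2f}")
```

The estimator's error shrinks with the square root of the sample size, which is why this only works for population statistics: the same 'yes' report that is nearly useless about one person (a 50% prior becomes 75%) aggregates into a precise rate over a few hundred thousand devices.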

GlenTheMachine 8 years ago

“On iOS, there is no full-disk or full-volume encryption, only varying levels of file-based encryption...”

I don't understand this claim. iOS had full disk encryption starting with iOS 3.0, in 2010. Or at least Apple (and other security experts) says it does:

https://darthnull.org/security/2014/10/06/ios-encryption/

Am I missing something here?

  • lilyball 8 years ago

    You're not missing something. The author doesn't seem to understand how iOS's disk encryption works. It's not "full disk encryption" in that the full disk is not encrypted with one key. However, every single file on the disk is encrypted, with separate keys, and the various levels of security (e.g. "accessible always", "accessible when unlocked", etc) are managed by storing these keys in different key bags whose own keys are evicted from memory at the appropriate times.

    Which is to say, it's not classic FDE, but if you were to take the storage out of an iPhone and inspect it, you'd find that everything in the filesystem is in fact encrypted.

    • drodgers 8 years ago

      Yep. And this layered encryption is great because it allows — for example — your phone to boot up before you enter a passphrase.

      Making this technology more convenient is just as important for making people secure as the algorithms themselves, because otherwise, almost no one will use them (PGP-encrypted email being the classic example).

  • tinus_hn 8 years ago

    The full disk is not very useful though because the disk is automatically unlocked at boot.

    Anything you can see after starting the phone without entering your passcode is effectively not encrypted.
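A toy model of the arrangement lilyball describes (a random key per file, wrapped under a class key, class keys held in a keybag and evicted at different moments) and of tinus_hn's point that whatever is readable before the passcode is entered is effectively unprotected. This is an added example, not code from the gist or from Apple: the cipher is an HMAC-SHA256 counter-mode stand-in for the hardware AES real devices use, the passcode derivation omits the Secure Enclave UID key entanglement, and the file record layout and class behaviour are a deliberate simplification of Apple's Data Protection classes (the class names are Apple's; their semantics here are the documented ones, reduced to three classes).

```python
import hashlib
import hmac
import os

# Protection classes, named as in Apple's documentation. Each has its own class key in the keybag.
NONE = "NSFileProtectionNone"                                                # usable from boot, no passcode
AFTER_FIRST_UNLOCK = "NSFileProtectionCompleteUntilFirstUserAuthentication"  # released by first unlock, kept on lock
COMPLETE = "NSFileProtectionComplete"                                        # evicted every time the device locks
PASSCODE_CLASSES = (AFTER_FIRST_UNLOCK, COMPLETE)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode). Stand-in for the AES modes real devices use."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _derive(passcode: str) -> bytes:
    # Real devices also entangle the passcode with the per-device UID key inside the Secure Enclave; omitted here.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), b"toy-salt", 10_000)


class Keybag:
    """Holds class keys. Passcode-protected class keys are stored wrapped and only unwrapped into memory on unlock."""

    def __init__(self, passcode: str):
        master = _derive(passcode)
        self._check = hmac.new(master, b"keybag-check", hashlib.sha256).digest()
        self._wrapped = {cls: xor_crypt(master, cls.encode(), os.urandom(32)) for cls in PASSCODE_CLASSES}
        self._none_key = os.urandom(32)
        self.reboot()

    def reboot(self):
        self.available = {NONE: self._none_key}   # only the NONE class key is usable before the first unlock

    def unlock(self, passcode: str):
        master = _derive(passcode)
        if not hmac.compare_digest(self._check, hmac.new(master, b"keybag-check", hashlib.sha256).digest()):
            raise PermissionError("wrong passcode")
        for cls, wrapped in self._wrapped.items():
            self.available[cls] = xor_crypt(master, cls.encode(), wrapped)

    def lock(self):
        self.available.pop(COMPLETE, None)   # AFTER_FIRST_UNLOCK and NONE keys stay resident


def write_file(keybag: Keybag, cls: str, plaintext: bytes) -> dict:
    """Every file gets its own random key; that key is wrapped under the file's class key."""
    class_key = keybag.available[cls]   # KeyError: cannot create a file of a class whose key is not in memory
    file_key, nonce = os.urandom(32), os.urandom(16)
    return {"class": cls, "nonce": nonce,
            "wrapped_key": xor_crypt(class_key, b"wrap" + nonce, file_key),
            "ciphertext": xor_crypt(file_key, nonce, plaintext)}


def read_file(keybag: Keybag, record: dict) -> bytes:
    class_key = keybag.available.get(record["class"])
    if class_key is None:
        raise PermissionError(f"class key for {record['class']} is not in memory")
    file_key = xor_crypt(class_key, b"wrap" + record["nonce"], record["wrapped_key"])
    return xor_crypt(file_key, record["nonce"], record["ciphertext"])


def readable(keybag: Keybag, record: dict) -> bool:
    try:
        read_file(keybag, record)
        return True
    except PermissionError:
        return False


def demo(passcode: str = "1234") -> dict:
    """Walk a device through boot, first unlock and lock; report which classes are readable at each stage."""
    kb = Keybag(passcode)
    kb.unlock(passcode)
    files = {cls: write_file(kb, cls, b"secret " + cls.encode()) for cls in (NONE, AFTER_FIRST_UNLOCK, COMPLETE)}
    results = {"storage_is_ciphertext": all(b"secret" not in f["ciphertext"] for f in files.values())}
    kb.reboot()
    results["before_first_unlock"] = {cls: readable(kb, f) for cls, f in files.items()}
    kb.unlock(passcode)
    results["unlocked"] = {cls: readable(kb, f) for cls, f in files.items()}
    kb.lock()
    results["locked"] = {cls: readable(kb, f) for cls, f in files.items()}
    return results


if __name__ == "__main__":
    for stage, state in demo().items():
        print(stage, state)
```

Two things to read off the output: the bytes on storage are ciphertext for every class, which is lilyball's point, and the NONE-class file decrypts straight after reboot with no passcode, which is tinus_hn's. The practical consequence for an attacker with a powered-on, once-unlocked but locked device is that everything in AFTER_FIRST_UNLOCK is still reachable if they can run code, so the class an app chooses matters as much as the encryption itself.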

userbinator 8 years ago

This post by a security researcher who prefers to remain anonymous

If iOS is to really be considered a secure OS, and if vanilla macOS is to become more secure, independent end-user control must be considered. Increased low-level design security at the cost of control, and the ability to prevent leaking data, cannot be considered a real improvement in security.

Whoever you are, thank you greatly for not being another one of those authoritarian cargo-cult "users are stupid so we should remove all control from them" people which the greater security community seems to be full of.

stuartd 8 years ago

How old is this?

the state and details of disk encryption on both OSes is slightly unclear, but hopefully will become clearer when iOS 10.3 is released.

10.3 was released 9 months ago. And I find it hard to take seriously any article where every other sentence is bolded.

  • saagarjha 8 years ago

    > macOS devices to date lack any form of verified boot process

    Before iMac Pro, I’d guess.

  • stuartd 8 years ago

    Answering my own question - the original gist was posted in March 2017.

    • seltzered_ 8 years ago

      Haven't RTFA, but judging by the link being Andrew Desantis's fork I'd guess there's interest by the submitter in gauging interest in his Deos project, which leverages the Darwin kernel.

      I feel like one may have to understand his preferences towards bitcoin, libertarianism, etc. though to truly get the Deos vision to discern whether it's actually a better solution or a sleight of hand. I don't follow desantis or the bitcoin community closely enough to know.

    • dang 8 years ago

      OK thanks, we'll add that.

  • merlish 8 years ago

    The article has additions up to 2018 as additional sections.

karimdag 8 years ago

I am no connoisseur, just a guy who cares about privacy (in general and his in particular) who also happens to own an iPhone and wants to buy a Mac.

This seems pretty troubling, as I as well as many I suppose, trust Apple and think that they're one of the good guys. I know it's cliché but I think this is the part where "[..] live long enough to see yourself become the villain." applies.

The more important question, imho, then is: what can we do about it ? If nothing, what should be done ?

  • unstatusthequo 8 years ago

    What do you do? Windows world is worse. So is Android generally.

    Use Linux? How do you trust that? QubesOS? Pen and paper?

    If you walk outside, you’re on camera. Living off grid with no phone or computer seals the deal, but not very practical.

    I’m all about security and privacy, but everything is on balance with practicality. If a three digit govt agency wants to find you, they have so many other ways than Apple.

    • nixpulvis 8 years ago

      Why not trust Linux? No activation, full control over all the processes. Seems like a good solution for people who "care".

      • andromeduck 8 years ago

        It's good in theory but in practice you'd need to spend a lot of time and money doing deep audits yourself, both hardware and software. That just really isn't a worthwhile investment for the vast, vast, majority of people.

        At the end of the day it all still boils down to trust based on reputation, incentives and oversight. Openness is important but no panacea.

        • nixpulvis 8 years ago

          Well at least the surface area of the audit is a LOT smaller than on macOS, Windows, etc.

          • andromeduck 8 years ago

            I really doubt that's the case if you use more than a few small apps which is the case for the vast majority of users.

            • nixpulvis 8 years ago

              Must I link a running process list of my Linux laptop vs my macOS laptop?

              • mmphosis 8 years ago

                  ps aux | wc

                Linux: 177
                Mac OS X: 44

                macOS?
              • davewritescode 8 years ago

                How do you know the process list is accurate for certain?

                The point is, there’s potentially back doors in everything, including the C compiler that built your Linux kernel.

                • nixpulvis 8 years ago

                  We've all read reflections on trusting trust... still my point stands, it's hard to argue that Linux is not lighter than the mainstream OSes.

                  • userbinator 8 years ago

                    Something like a default Ubuntu install (which might be somewhat "mainstream") actually has a surprising amount of stuff running in the background. Of course it's all open-source or otherwise completely documented, so it's still easier to figure out what's what than with Windows or macOS.

                  • andromeduck 8 years ago

                    It can be lighter but what does that mean in practical terms if the cost of maintenance is monumental? I think with even just the barest bones practical computer with wifi + with email + browser + compiler and their dependencies is well beyond the scope of what one person is able to audit. You'd need a team of at least 20-30 individuals before that starts making sense.

                    • michaelmrose 8 years ago

                      If only it was possible for massive armies of people to inspect source code for possible defects or backdoors?

                      Further what if it happened we were unsatisfied with this we could all collectively hire more people to audit the software stacks we rely on in order of priority instead of expecting each person to hire dozens to vet the software they are presently running.

                      Further if only even if we can't ever arrive at 100% surety we can get closer and closer to satisfaction.

                      • andromeduck 8 years ago

                        > If only it was possible for massive armies of people to inspect source code for possible defects or backdoors?

                        You mean like what Google, Apple, Microsoft, etc. already do?

        • michaelmrose 8 years ago

          It's silly to advise against reasonable actions like switching to an OS that respects your privacy based on unreasonable standards that aren't met presently anyway.

          Don't bother leaving that disease-ridden hag covered in boils, you can't possibly invest the resources to sequence the full genome of this clean-looking young lady over here, it all comes down to trust amirite.

      • Rjevski 8 years ago

        User experience and usability.

        • boudin 8 years ago

          That has nothing to do with trust and is highly subjective.

        • nixpulvis 8 years ago

          Sure, but that has nothing to do with the notion of trust we're talking about here.

          • irq 8 years ago

            Perhaps, but if poor UX prevents a user from using an ostensibly more secure platform, then security of said platform doesn’t enter into the consideration at all.

            • nixpulvis 8 years ago

              Yes, we're all well aware. That's NOT what I'm talking about though. I'm responding to "Use Linux? How do you trust that?".

              Please think about things before aimlessly countering someone's question.

      • gsnedders 8 years ago

        How many distros are shipping with ASLR now? Last I knew there were still major distros that weren't.

        Heck, do the common DEs sandbox their search indexing processes yet, given there's been various vulnerabilities there previously?

        Yes, okay, you have control, but when nobody implements relatively basic defence-in-depth mitigations that have been available on Windows (especially) and macOS for over a decade it's just sad and undermines the argument that its security is better.
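For the main executable, "shipping with ASLR" means the distro links its binaries as position-independent executables (ET_DYN), since a fixed-address ET_EXEC image is loaded at the same address on every run no matter what the kernel's randomisation setting is. The following is an added example, not code from the gist or from any distro's tooling, that classifies a binary from its ELF header the way `readelf -h | grep Type` would, and interprets the kernel-side switch; the sample headers are constructed inline.

```python
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3


def elf_load_kind(header: bytes) -> str:
    """Classify an ELF image from its first 20 bytes.

    ET_DYN executables are position independent (PIE) and get their text and data
    randomized by ASLR; ET_EXEC images are linked to a fixed address and only get the
    stack, heap and libraries randomized. Shared libraries are ET_DYN too, so a scan of
    arbitrary files should confirm the file is an executable (e.g. has a PT_INTERP
    segment) before reporting a library as 'pie'.
    """
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    endian = "<" if header[5] == 1 else ">"        # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type,) = struct.unpack_from(endian + "H", header, 16)   # e_type sits at offset 16 in both ELF32 and ELF64
    return {ET_EXEC: "no-pie", ET_DYN: "pie"}.get(e_type, "other")


def kernel_aslr_level(randomize_va_space: str) -> str:
    """Interpret the contents of /proc/sys/kernel/randomize_va_space."""
    return {"0": "off", "1": "stack/mmap/vdso only", "2": "full (also brk)"}[randomize_va_space.strip()]


def scan(paths) -> dict:
    """Read just the ELF header of each file and classify it; unreadable or non-ELF files are reported, not fatal."""
    report = {}
    for p in map(Path, paths):
        try:
            with p.open("rb") as f:
                report[str(p)] = elf_load_kind(f.read(20))
        except (OSError, ValueError) as e:
            report[str(p)] = f"skipped: {e}"
    return report


# Constructed sample headers: x86-64 little-endian PIE, MIPS big-endian non-PIE, and a PE stub that is not ELF at all.
SAMPLE_X86_64_PIE = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + bytes(7) + struct.pack("<HH", ET_DYN, 62)
SAMPLE_MIPS_EXEC = ELF_MAGIC + bytes([1, 2, 1, 0, 0]) + bytes(7) + struct.pack(">HH", ET_EXEC, 8)
SAMPLE_NOT_ELF = b"MZ" + bytes(18)

if __name__ == "__main__":
    print(elf_load_kind(SAMPLE_X86_64_PIE), elf_load_kind(SAMPLE_MIPS_EXEC))
    print(scan(["/bin/sh", "/usr/bin/env"]))
    try:
        print("kernel ASLR:", kernel_aslr_level(Path("/proc/sys/kernel/randomize_va_space").read_text()))
    except OSError:
        print("not a Linux host")
```

Run `scan` over `/usr/bin` on a system and the count of `no-pie` results is a direct measure of the gap gsnedders is pointing at; both checks together are needed, because a PIE binary on a kernel with `randomize_va_space` at 0 is no better off than an ET_EXEC one.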

      • r00fus 8 years ago

        It's not that you shouldn't trust it, it's that you could from security perspective easily shoot yourself in the foot.

        Does anyone know of a distro that focuses on usability and privacy? Subgraph is still in alpha...

        • nixpulvis 8 years ago

          Either trust yourself, or trust someone else. (of course it's generally impossible to avoid some amount of trust in others.)

    • karimdag 8 years ago

      > I’m all about security and privacy, but everything is on balance with practicality. If a three digit govt agency wants to find you, they have so many other ways than Apple.

      Can't argue with that.

    • michaelmrose 8 years ago

      This is a false dilemma. If you walk outside and must necessarily put up with shopkeepers' rights to record their premises, we don't in turn invite people to publicly accessible webcams in our bedrooms/bathrooms.

      I'd say you use as much privacy respecting hardware/software as is feasible given your present use case and circumstances and progressively look to improve this situation funneling your money towards people and projects that respect you and your privacy in order to encourage people to build the things you need.

      If you already have expensive hardware that doesn't work with open source software I don't think it terribly reasonable to suppose you throw it in the trash for example.

      Just buy something better next go round.

    • userbinator 8 years ago

      Windows before Vista/XP is quite good in terms of privacy in the "phones home" sense --- no activation and a fresh default install will remain absolutely quiet on the network. Activation started with XP (but easily cracked), and then Microsoft began increasing the noise and phoning-home crap shortly after that.

      I find it ironic that one of the features removed starting with Win7 was the network activity indicator in the system tray. Of course, recent Apple hardware and software has no indicators either. The opaqueness is unsettling.

tedunangst 8 years ago

> Apple Activation servers are accessed via Akamai, which means sensitive data may be cached by Akamai and its peering partners, which includes many global ISPs and IXPs

Wouldn't this be devastating to about 10000 other businesses as well?

saagarjha 8 years ago

Wow, this was a long article, so let me try to unpack it:

> iOS devices (even non-cellular devices) on first boot and, occasionally for unclear reasons after OS upgrades, will require “Activation” and an internet connection to contact an array of Apple servers.

The linked patent says that this is for carrier locking. It's possible that the code is used even on non-cellular devices because they just found it more convenient to not remove it? There might be more to this; maybe it allows for something like Activation Lock to work or allow Apple to track stolen inventory.

> Apple links the credit card used at purchase, the purchaser's name and email, and of course, the serial number and all components required to generate a UUID

Of course they do; these are all components of an Apple ID, so it would be impossible for them to keep them apart.

> This means, for example, that if you were to use a certain app for a social network under a pseudonym on an iOS device (not that I would recommend installing any social networking site’s apps on your device) and that service sends information via APNS, Apple (and possibly the social networking service) can most likely link the pseudonym account to your real identity.

I'm not very familiar with APNS, but doesn't it work something like "social media server sends Apple message, and Apple forwards it to the right device"? How would device-specific information get to third parties?

> if you enter contacts into the address book, contacts’ details are hashed and automatically sent to Apple, supposedly to check for presence in Apple’s iMessage database to determine whether to show iMessage as an option on that contact’s page

I agree that this is a stupid decision. This is a reasonably large loss of privacy for a very small benefit.

> Just try to remove your Mac’s WiFi card and reboot - all Mac App Store apps will likely fail to open

Wait, what? I've been able to open Mac App Store apps without a network connection. You can try to validate with the App Store over the network, but that's an option, not a requirement: https://developer.apple.com/library/content/releasenotes/Gen...

> Apple really wanted the DRM aspect

I'm not even sure what the purpose behind Apple's "DRM" is. It's trivially bypassed on jailbroken devices, and I think on macOS as well.

> On macOS you can separately download an update/upgrade DMG, which will be signed by Apple, and then simply install it without a network connection.

On macOS you can also downgrade your OS to whatever you like. iOS requires a firmware to be signed before it will install, which obviously means that it will have to reach out to Apple somehow.

> if a user feels like removing/modifying certain Apple system binaries they are uncomfortable with

What if a user removes AMFI or the Sandbox?

> The fact that there is no way of monitoring or intercepting file system events, network connections and other system calls on said device and that you are giving apps many, many more privileges than you realise

It takes work, but this is possible. What you need to do is sign every app you download with your own entitlements that allow for debugging.

Despite the author's hesitations, I'm still pretty convinced that macOS/iOS are probably some of the most secure operating systems you can buy today; the amount of time Apple has put into this clearly shows. Plus, it's obvious to see that Apple's incentives don't really align along data collection, even when taking a cynical viewpoint. Not collecting user information allows them to resist government requests for data and increases public goodwill; unlike other companies they have a clear source of revenue that's not tied to data collection, and it's highly unlikely that they'd burn that money to go after data collection for AI or whatever given that's not an area they have a whole lot of experience in.

That being said, there are many good points brought up in the article, namely the centralized control that Apple has over devices. We've already seen occasions where this has caused Apple to acquiesce to third-party requests: for example, the removal of network extension apps from China's App Store. Apple is playing a delicate balancing game of trying to maintain some control over the hardware they vend while trying to keep it secure, and this is a difficult thing to do, especially when they need to cater to the needs of users for whom features are important and privacy is invisible.
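On the contact-hashing point saagarjha quotes: a hash only hides its input when the input space is too large to enumerate, and phone numbers are not. The following is an added example, not code from the gist, the thread or Apple. It assumes the simplest possible scheme (an E.164 number hashed with unsalted SHA-256), since the article does not say what is actually hashed or how; the recovery step works against any deterministic scheme whose inputs the recipient can enumerate, so a salt or key that the recipient itself holds changes nothing. The uploaded hashes are constructed inline.

```python
import hashlib
import time


def hash_contact(number: str) -> str:
    """Assumed representation: an E.164 number hashed with unsalted SHA-256.
    Any deterministic hash the recipient can recompute is equivalent for this attack."""
    return hashlib.sha256(number.encode()).hexdigest()


def rainbow_table(prefix: str, digits: int) -> dict:
    """Precompute every number under a known prefix once; 10**digits hashes."""
    table = {}
    for i in range(10 ** digits):
        number = prefix + str(i).zfill(digits)
        table[hash_contact(number)] = number
    return table


def recover(hashes, prefix: str, digits: int) -> dict:
    """Map each uploaded hash back to a number, or None if it lies outside the enumerated range."""
    table = rainbow_table(prefix, digits)
    return {h: table.get(h) for h in hashes}


def full_space_cost_seconds(digits: int = 10, sample: int = 200_000) -> float:
    """Extrapolate single-core Python SHA-256 throughput to a whole national numbering space
    (10 digits, as in the North American plan). Dedicated hardware is orders of magnitude faster."""
    t0 = time.perf_counter()
    for i in range(sample):
        hash_contact("+1" + str(i).zfill(digits))
    rate = sample / (time.perf_counter() - t0)
    return (10 ** digits) / rate


# Constructed upload: what a device would send if it hashed three address-book entries.
CONSTRUCTED_UPLOAD = [hash_contact(n) for n in ("+14155550123", "+14155559876", "+442079460000")]

if __name__ == "__main__":
    for h, number in recover(CONSTRUCTED_UPLOAD, "+1415555", 4).items():
        print(h[:16], "->", number)
    print(f"whole 10-digit space on one Python core: ~{full_space_cost_seconds() / 3600:.1f} hours")
```

The structural fix for "does this contact use the service" is a private set intersection protocol, in which neither side learns the other's full list; hashing on its own is a transport convenience, not an anonymisation step, and the example above is the check to run before accepting any claim that "we only see hashes".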

trisimix 8 years ago

Having to choose between sanely developing and customizing your phone, and privacy on your phone, shouldn't be the case.

dcow 8 years ago

Does anyone have a pastebin copy or something? I don't log into gh on my phone and gists are behind a reg-wall now...

feelin_googley 8 years ago

It's encouraging to be reminded that still not everyone who uses Apple hardware runs MacOS exclusively.

https://sivers.org/openbsd

http://www.sacrideo.us/openbsd-on-macbook/

However I have not heard any reports of anyone running an alternative OS on iPhone or iPad hardware.

With every passing year I continue to think it would be interesting to observe how users would choose if Apple hardware and Apple software were sold separately.

Would all users choose Apple software?

  • dang 8 years ago

    Duplicate comments are not ok here.

    For a long time now—and an astonishing number of posts—you've been using HN basically to post agitprop. The trouble isn't your opinions—whatever they are, I'm sure plenty of other users agree with them, all of whom manage to use HN just fine. The trouble is that you've crossed into being a single-purpose account, which is not cool. HN threads are for conversations, not agendas. One can't have a conversation with a megaphone.

    Since we already asked you once to stop and you don't seem interested in changing, I'm going to ban this account. If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future.

    • feelin_googley 8 years ago

      It's not a duplicate. @mercer suggested the last paragraph should be removed, so that's what I did. Alas, the edit period had expired.

      Edit: Notice that you've toned down your original reply, which had statements like "No one cares about your opinions about Google, Apple or Facebook." It seems I have agitated you. I apologise.

      • dang 8 years ago

        I didn't say "no one cares". Originally I wrote "We really don't care about your opinions of Apple or Facebook or Google". That is true, in the sense that if you flipped the high bit on all your opinions to turn them into the opposite opinions, we'd have the same moderation response.

        But I've learned it's better not to word things that way. I can't easily stop myself from typing the first version of a comment more strongly than I know is helpful, so my solution is to sand off the sharp edges by editing, which I do a lot of.

        • feelin_googley 8 years ago

          I don't have any issue with editing comments. I use the edit feature constantly myself.

          I'm just making clear I am not trying to cause agitation. That's not the intent.

          I try to be sparing with opinions. I dislike having to type prefix or postfix statements with "IMO" again and again, but I want to make explicit what is only an opinion versus what are facts or observations because ("IMO") opinions are almost always worthless. I prefer facts and questions.

          Most of the volume of posts I made the past few weeks were not opinions but were excerpts and pointers to articles: facts and some journalists opinions.

          The truth is I waste too much time "interacting" with this addictive forum. It's a distraction.

          If you ban me from ever posting anything ever again on HN, in all honesty, you will probably be doing me a favour.

          • mercer 8 years ago

            I don't mean this in a mean way, but you do seem to care a little too intensely (about both fb/apple/etc. and the effects of that on your karma and whatnot). Wouldn't a good alternative be to just tone it down a bit, if possible? Because honestly I don't think you're wrong probably most of the time, so your contributions could be valuable.

            I often struggle with my own conduct in social settings, and I've been called 'too intense' more than once, among other things. I don't know your particular story, or if there is a 'story', but I'd really hate the idea that you'd leave entirely instead of finding a way to be you and still fall within the acceptable range of HN commenters. And not get too addicted, of course :). I've been so unsuccessful at the latter that I decided to 'use it for good' and build my own little plugins so at least I'm learning something while being here.

feelin_googley 8 years ago

It's encouraging to be reminded that still not everyone who uses Apple hardware runs MacOS exclusively.

https://sivers.org/openbsd

http://www.sacrideo.us/openbsd-on-macbook/

However I have not heard any reports of anyone running an alternative OS on iPhone or iPad hardware.

With every passing year I continue to think it would be interesting to observe how users would choose if Apple hardware and Apple software were sold separately.

Would all users choose Apple software?

Expecting to take a little karma subtraction from the thought police for daring to entertain such a nonpermissible idea. Par for the course here and well worth it.

  • Fnoord 8 years ago

    > Expecting to take a little karma subtraction [...]

    Please don't comment about the voting on comments. It never does any good, and it makes boring reading.

    https://news.ycombinator.com/newsguidelines.html

  • mercer 8 years ago

    I'm almost certain that your comment wouldn't be greyed out if you hadn't added that last paragraph.

    • feelin_googley 8 years ago

      Comments from me that are skeptical of Apple are always downvoted. Complaining is acceptable but doubting is not. I have tested this over the years and it is remarkably consistent. It's both amusing and sad. The clicks can sometimes take a while to come, sometimes days, but they always come. Whether I add something silly acknowledging this phenomenon makes no difference. They come either way. It's just a small price to pay for being irreverent I guess. I have plenty of karma to spare. Well worth it.
