by mindfulhack 2086 days ago
This is infuriating. I spent over $5000 on a 16-inch MBP in only January this year.

If I'm a lawyer, CEO, or a human rights journalist (or just anyone) who professionally needs a reasonably secure device as the normal expectation, how can it be reasonable to be required to have your laptop with you at all times in order to maintain its security?

Is there precedent in consumer law that if security integrity of hardware is a normal feature of that product category and a computer model is fundamentally unfixable in this aspect, then you have the right to demand a refund or a replacement with a model not containing the same defect? (I know that this depends on your country. My country has strong consumer law.)

It's interesting to think about where the line is there. If someone really wants to compromise your device, then they could open it up and plant a bug anyway. But this feels over the line and grounds for being a manufacturer hardware fault, because attacking it would not require physically modifying the device but merely using the device in the manner that it already came from the manufacturer.

6 comments

Man - Apple has the worst customers.

Your FileVault password has not been compromised by any T2 issue.

The secure enclave is rate limited.

If you are such a valuable target, then the key logger needed to get your credentials can be installed with or without T2 issues. Once "they" have that, they can decrypt your drive.

The number of folks who are targeted at this level with physical direct access is relatively small. Even for state actors, REMOTE compromise is MUCH more appealing.

Hmm, perhaps you should buy one of the competing cheaper laptops that have no built-in encryption then?

Except that lots of laptops have hardware-based root of trust, encryption, and security management using industry standards.

It's Apple that does something exotic, breaking industry standards, and then calls what should be standard by some new name for marketing reasons. Same with how lots of people think a "retina" display is some wonderful Apple invention and not just a standard Samsung panel.

Having used many non-Apple laptops, "industry standard" means complete and unmitigated garbage to me. "Industry standard" laptops are awful to use and only get better once you approach Apple's price range - at which point why give up your Mac?

No, really, does anyone actually enjoy using cheap laptops? The only use case I think they would excel at is as a thin client for VMware/Cisco virtualization solutions, or as a barebones terminal for Linux distros (at which point anything with a keyboard works for you).

Anyways, if laptops do security the same way laptops do touchpads, I would not be excited to depend on that. At all.

You mean something like the Intel TPM chip which was hacked last year?

Fury is going a bit far. I've always been taught it is fundamental if a device with secure data is not in a secure location you have already lost. Why the VA gets in such trouble for losing their laptops no matter how well encrypted.

It would be completely irresponsible not to physically secure your hardware if you were in a position of trust.

I feel for you, but your expectations are out of whack with reality. Any Windows laptop, properly maintained, is a reasonably secure device.

You can "restore" "reasonable" security to your Mac, even in the almost unthinkable light of a possible actually available exploit that can reasonably be expected to affect you personally, by using a strong FileVault password. Maybe you want to add a tripwire (file integrity) check at boot time, or a manual check when you mount any drive.

No, the precedent you ask for does not exist. In fact, the opposite is true.

Actually, in my country the consumer culture is extremely different to America. Consumers are not left high and dry if a manufacturer screws them over or was incompetent (such as design defects). Remedies are on sliding scales commensurate with the situation.

This is probably partially why I'm getting downvoted. Cultural differences. Americans are not aware of what's possible when things are actually fair for the consumer. They're used to 'tough luck' culture.

Upon further reading, I'm concluding this might not be a massive problem with other precautions in place, but the valid discussion point still remains. If a manufacturer designs a product which turns out to have a problem caused to the consumer which breaches reasonable expectations of its usability, and either needs repairing / recalling / replacing / refunding, many countries offer recourse to the consumer. Under this principle, I wonder about unpatchable hardware security defects which cause a major problem...it needs to be explored more.

Apple never sold you an unhackable laptop. It isn't cultural differences, it's simply that you weren't lied to and your hardware didn't stop being "fit for purpose".

From their ad copy -

"Every MacBook Pro is equipped with the Apple T2 Security Chip — our second‑generation custom Mac silicon designed to make everything you do even more secure. It includes a Secure Enclave coprocessor that powers Touch ID and provides the foundation for secure boot and encrypted storage capabilities. It also consolidates many discrete controllers, including the system management controller, audio controller, and SSD controller, into one."

Firstly, let's make it clear that we are now talking about broad concepts and not necessarily how it applies to the example of this situation at hand.

Under many jurisdictions' consumer laws, advertised features or promises by the manufacturer are not everything that they are legally held to. There is also statutory warranty, and other parts of consumer law, which can include rules on basic expectations of how that category of consumer item is expected to perform (I'm not talking CPU speeds, but major issues like a keyboard fundamentally not working at a reasonable success rate), how long it's reasonably expected to work without failing (for that category of item), and so on.

Very broad principles, but with some clear examples provided by consumer bodies to consumers, and it's reviewed on a case by case basis. You can bring it to the proverbial small claims court (or consumer complaint body), and they can review the claim.

I suppose I just won't bring up this matter to HN before. It's too alien to the US consumer situation and mustn't apply to most readers here.

Consider an off-device key storage.

Any decent smartcard has physical security no worse than T2, but it will probably cost 100 times less, and it will at least allow you to choose a long enough password instead of a 4-digit PIN.

>Is there precedent in consumer law that if basic hardware security is a normal feature of that product category and a computer model has fundamentally unfixable hardware in this aspect, then you have the right to demand a refund or a replacement with a model not containing the same defect?

IANAL. You are.