Hacker News new | ask | show | jobs
by epcoa 1060 days ago
People should read actual documentation and expert or academic writing rather than a bunch of terminally online nerds on Reddit. I’ve seen nothing credible that the E2E for iMessage and FaceTime isn’t as advertised. If you backup to the cloud you’re electing to disclose your data outside the boundaries of encryption.
1 comments
smoldesu 1060 days ago
> People should read actual documentation

Then they should read the leaked government documents from around the world that contradict what Apple says themselves. Failing that, they should at least be able to read the actual code to corroborate its security, but that's not an option either.

link
epcoa 1060 days ago
> Then they should read the leaked government documents from around the world that contradict what Apple says themselves.

On what specifically?

> they should at least be able to read the actual code to corroborate its security, but that's not an option either.

Why does that matter? You're already trusting Apple hardware. Public access to source code doesn't make security systems safer. I'm not sure what a journalist or even 99% of webshits on this forum would do with trying to audit crypto.

link
smoldesu 1060 days ago
> On what specifically?

For starters, PRISM and XKeyscore. Both are damning indictments of the state of surveillance a decade ago, and are so damaging that pretty much every FAANG company denies knowledge of their existence. PRISM was about the outreach the US government has with domestic companies, and XKeyscore showed just how far those connections could be abused.

Simply the fact that these leaked documents exist and Apple denying them is a contradiction. Everything else is speculation, but my brain can imagine a lot happening over those past 9 years.

> Why does that matter?

Accountability purposes.

> You're already trusting Apple hardware.

Ideally I don't do that either. I'm not a fan of closed firmware interfaces and if possible, I'd like to audit the code for those as well.

> Public access to source code doesn't make security systems safer.

The majority of networked servers online today beg to differ. Over time the industry actually found that it's much safer to use an open and transparent OS than it is to trust a black-box with UB that may-or-may-not be fixed.

> I'm not sure what a journalist or even 99% of webshits on this forum would do with trying to audit crypto.

This speaks to a lack of either experience or imagination, I can't tell which.

link
epcoa 1060 days ago
> For starters, PRISM and XKeyscore. Both are damning indictments of the state of surveillance a decade ago, and are so damaging that pretty much every FAANG company denies knowledge of their existence.

Where's this denial by Apple? Or is your argument that because Apple doesn't admit colluding with the NSA they must be doing it. Well that is not falsifiable and what evidence are you speaking to of Apple specifically colluding with the NSA.

> I'd like to audit the code for those as well.

Firmware is not hardware. That would still not address the hardware issue.

> The majority of networked servers online today beg to differ. Over time the industry actually found that it's much safer to use an open and transparent OS than it is to trust a black-box with UB that may-or-may-not be fixed.

Yes, the neckbeards chant since CatB. There are extremely few people not putting their trust in blackboxes. Slapping linux on a box doesn't magically make it transparent - nor does linux have a security record you want to brag about.

link
smoldesu 1060 days ago
> Where's this denial by Apple?

https://www.apple.com/apples-commitment-to-customer-privacy/

> Well that is not falsifiable and what evidence are you speaking to of Apple specifically colluding with the NSA.

Wow. What a conspicuous coincidence that all of the exonerating evidence is behind closed-doors and marked "trust us"!

> That would still not address the hardware issue.

Is there a hardware issue?

link
epcoa 1060 days ago
That's from a decade ago. Verb tense matters. Apple denied knowledge of PRISM before the leak, I don't see where they are denying it since. In any event, you may not believe it, and it's not the craziest thing to be suspicious, but you also unfortunately don't seem to have any counter.

> What a conspicuous coincidence that all of the exonerating evidence.

What exonerating evidence? How does one generally exonerate themselves that they don't know something or were never privy to it.

And I'm no fan of Apple (I'm also not a fan of baseless conspiracy theories), and the flip side of this is what benefit would it be to the NSA to disclose a program to a multinational company of >100k employees if they didn't have to.

You're trying to make it sound like there is a smoking gun that Apple has been lying about their NSA involvement, moreover insinuating in ways that don't seem to serve the best interests of the NSA - and I might even believe you - but so far you have put up nothing but innuendo.

> Is there a hardware issue?

Ok, so you audit your firmware. Why do you trust the hardware you're going to run this audited firmware on? You have thus far proven my point about general public access to source code.

The bottom line is that for the threat model faced by most developed nation citizens, Apple's privacy value proposition is pretty good. If you're up against a large nation-state that is willing to spend some resources you're fucked - and auditing your firmware isn't going to change that.

https://news.ycombinator.com/item?id=13516780

link