I generally think arstechnica.com does a decent job of being a non-garbage news site. I pay a couple bucks a month for the ad-free RSS feed. This story feels terrible to me. I don’t doubt a law suit has been filed, but I would expect some investigation by the reporter of the extra-ordinary claims of privilege escape the application is claimed to be capable of.
Surprisingly, I thought the article was a reasonable summary of the actual paper. I think some people might think this was a poke at privacy on Apple, but it really focused on how hard it is to create accessible settings despite the enormous number of options.
I have found that navigating the menus in Apple iOS is quite a bit easier than on my Android devices. Mac seems more difficult as the settings tend to be inside the individual apps and don’t surface as well through the search.
The paper hammered home the point that Siri configurations were particularly hard, but they also mention that Siri data is end-to-end encrypted. I thought all those points were fair.
I do believe settings need to be improved, but I have little faith they will ever be useful for 99% of users who will simply never change anything from the default. At this point I believe any meaningful improvements for the majority of users will come from useful defaults that include E2E encryption on basically all user data. I feel Apple is coming close with iCloud Advanced Data Protection that was introduced last year, but that needs to become a default. Maybe it cannot though—too many users will lose all their data and then the trade off of security to convenience will not be worthwhile.
I don’t think a big business should have an advantage over a small business that cannot afford that technology while using public airwaves. A better solution imo would be to prioritize all very low-bandwidth traffic.
109 devices per capita? I just walked through the house looking at what my partner and I have that plugs in. We don’t have 109 together. And it isn’t like I we don’t have stuff. Mesh wifi routers, camping gear. Heck we even have a refrigerator. What do people collect?
I agree that decrypt/encrypt is bad—it is simply not E2EE. The solution would have to be a better method of public key distribution for ‘federated’ systems.
While I don’t know anything specific about facebook messenger, E2EE doesn’t necessarily preclude what you suggest. A messaging service could store the entire chat history encrypted without decryption keys. When you get a new client you could restore the entire history in encrypted form onto your device. You would then use a recovery key you would possess to decrypt the message history on your end. At no time would the messaging service have the keys to decrypt. I’m not saying that is what facebook does.
Why do you need to control both ends for E2EE? Both ends need a public and private key to encrypt and decrypt messages. You need a method of key exchange. I would prefer to have an offline method (phone call, in-person) of validating a key (like iMessage and Signal have). But I don’t see a reason to need to control both ends.
If you enable advanced data protection apple cannot recover your account. You need your recovery keys or a designated recovery contact.
The apple doc implies (to me) that a SIM swap only works after you authenticate on an apple device (e.g. using your password) even without advanced data protection. I have never tested that.
You can use the long process (many days) to recover an account assuming you haven’t enabled advanced data protection. I’m okay with that as it is perfect for my grandparents (I had an older relative who got their account back through this method).
I get that you could SIM swap to recover other accounts (not Apple) if they have SMS as a recovery method. That sucks and it really sucks for people who don’t get that an email or SMS recovery can be a giant hole in security.
The document you linked says it requires a combination of your apple account password plus an SMS text sent to a pre-registered phone number? Seems like a pretty good setup for most people. Also has the alternative of recovery contacts and recovery keys.
It looks like turning on advanced protection would eliminate the SMS method but I am not 100% sure. Then you would need recovery keys or recovery contact.
https://support.apple.com/en-us/102651
My biggest worry in these cases is not that I get locked out, but rather that Apple mangles my keychain. I have a USB CSV of my passwords in my bank safety deposit box. With passkey I am not sure of how I would get a similar backup.
I will vouch for it. I use it on my iPad constantly and have few complaints. I don’t think it syncs well between iPad and Mac or Phone when using iCloud sync, but I think they have other methods and I don’t really need sync since I do my media consumption on the iPad.
arstechnica has a premium RSS for $3 a month that has no ads. I love it.
I generally agree with your take on what is happening. But drug overdoses are way up in all states because of Fentanyl and Covid related breakdown of social programs. Since overdoses increased in other states too, I find it unlikely that we need to recriminalize to reduce them. Additionally, we have DECADES of criminalization that wasted billions without fixing the problem. How will this criminalization do what was not done in all that time in all those states. If it won’t fix it, why do we want to dump money into the police and courts?
I support a lot of actions to reduce the nuisance. I hate cleaning up needles and seeing public spaces turned into inhospitable areas. I just don’t think criminalization of possession is going to fix that. It didn’t for the last 40 years. It won’t now.
As those articles you linked point out, it is illegal to sell drugs and the police arrest people who do. What exactly are you recriminalizing? Is this a case where the POLICE do not want to actively solve the drug selling problem because they want to return to the days when the state money was being funneled to them and not treatment programs? We lived with possession being criminalized and nothing working since the 80s. I think we can try decriminalizing possession for long enough to get the treatment programs running.
Drug use is way up in states that are not Oregon. Fentanyl and Covid have changed the game. The timing is unfortunate sadly to try something new.
I so wish someone would make a cleaned up version that uses something like Podman and better conventions. Honestly, it needs to be a wiki like document that is slowly updated, improved and even varied. Because when I look at these comments I lose faith in implementing the original post.
Oof. I would buy more efficient hardware with those rates too!
Get a power measuring device if you don’t have one and consider the real cost of buying something new if you already have something. For instance, I have an older gaming laptop I am considering repurposing for my home automation stuff. While idling it draws about 10w which is amazing to me and a number I never would have guessed. For me that works out to (24 hours * 10w * 365 days* 1000w/Kw ) 87kwh per year. I pay about 10 cents per kwh so say $10 a year. Buying something to save a little power will never work out.
My current home server is an intel NUC from 2013! It can’t do some of the things I would like to add on, but it is a great media server and downloader. Powerful hardware isn’t really a necessity.
Damn, giving me flashbacks of slowly moving through ACLs then hitting domain groups, domain local groups, global groups, then eventually universal groups as AD moved forward in complex situations.
Got to admit it worked well though.
Can I use Proxmox on generic hardware that will run Linux? I was unfamiliar with it but I am intrigued once I went to the website.
I agree with that “and”
I would feel that it would be a reasonable if it was my local paper running the story. Arstechnica IS a primarily technical news site—I believe they should have a higher bar—otherwise they are just parroting a report and not providing useful (to me) news.