Apple Spying on You with Apple Silicon

[FakeTimCook]

Interesting article:

Jeffrey Paul: Your Computer Isn't Yours

Will always defend Apple against all other PC vendors. They better do something about this though. It does not look good.

 

[Saturn007]

Thanks for the heads-up. Certainly hope that MacRumors and leading tech writers take a close look at this. Geoffrey Fowler of the Washington Post wrote a series of revealing articles on tracking cookies, app trackers, browsing tracking. Hope he takes this up, too.

Apple better be careful, too, as it has built a reputation around privacy and this undermines that. (As does Siri's privacy policy, if anyone's bothered to read that!)

It's a scary Brave New World — with Big Brother and the Panopticon in full surveillance mode!

 

[bobmans]

Checked the article real quick and it's full of lies, you should not take everything you read at face value.
Had a good laugh reading this, can't believe the author calls himself a "hacker and security researcher".

1. All Macs do this. It's not Apple Silicon exclusive.
2. This article makes it sound so dramatical.
3. Basically if you open an Application from the App store, Apple checks if it's signed correctly to see if it's not tampered with.
4. They're not logging Applications, they're sending digital certificates and basically responding with "OK"/"NOT OK".
5. The results gets cached so a request is only made every 3 to 7 days per application, not "everytime you open an app" like this article claims.
5. OCSP is an industry standard.


That's it, next story please.

 

[imdog]

I'll reserve judgement until more info comes out, but I trust Apple far more than the likes of Google, Microsoft & Amazon.

 

[grjj]

So much wrong with the article I barely know where to begin.
Let me say this though:
a) it's called analytics and you can opt out of it.
b) if you don't it's anonymous with Apple, with other developers your milage may vary.
c) Apple doesn't even WANT to know about you, your personal life or your habits. The software and devices are designed to collect as little personal information as needed and keep it as private as possible.

I'd have to look back a few years to find the interview/presentation but the data sent back is anonymized and randomized so that Apple can't tell you from a fart in the wind. There's even false data injected into the reporting systems incoming data stream that they use statistics to remove and show only the anonymized data.
The end result is that if Apple sees anything it's more like "someone opened Pages" rather than "Tom at 123 Main streed started editing "blink.txt" in Pages on his 2018 MacBook Pro"

 

[the8thark]

This is just Apple making sure you actually bought the apps from the app store and haven't hacked them post purchase.
It's a good thing in my opinion.

When Tim pushes democrat agenda then we will all know about it. This is not one of those times.

 

[zakarhino]

So much wrong with the article I barely know where to begin.
Let me say this though:
a) it's called analytics and you can opt out of it.
b) if you don't it's anonymous with Apple, with other developers your milage may vary.
c) Apple doesn't even WANT to know about you, your personal life or your habits. The software and devices are designed to collect as little personal information as needed and keep it as private as possible.

a) No it's not, please read the article before responding to it. It's a """security""" feature that cannot be turned off, it also bypasses any custom firewall or VPN software you use on the Mac.

b) You don't have any evidence for this unfortunately. The likelihood that it's anonymous is basically 0%.

c) Do you have any evidence for this? I can think of a multitude of features they could build to make their software and devices way more secure and private (especially iCloud). If Apple really wanted to, they could create groundbreaking software that is lightyears ahead of the competition in terms of privacy. They choose not to. They choose to build the bare minimum to capture mindshare as "the company that respects privacy" but I've seen very little from them that indicates they care deeply about this.

 

[Kung gu]

a) No it's not, please read the article before responding to it. It's a """security""" feature that cannot be turned off, it also bypasses any custom firewall or VPN software you use on the Mac.

b) You don't have any evidence for this unfortunately. The likelihood that it's anonymous is basically 0%.

c) Do you have any evidence for this? I can think of a multitude of features they could build to make their software and devices way more secure and private (especially iCloud).

do u use the internet, cause that would take even more of ur information, like say a browser. Like u guys are worrried about this when ur browser does the same thing, track u, collect ur data and even knows where u live??

 

[zakarhino]

do u use the internet, cause that would take even more of ur information, like say a browser. Like u guys are worrried about this when ur browser does the same thing, track u, collect ur data and even knows where u live??

Browsers (at least Firefox as of the moment I'm writing this) are open and extensible. I can choose to allow the browser and websites I visit to track me and collect every little interaction with a website... or I can choose to install uBlock Origin and stop a vast number of collection scripts. I can choose to disable JavaScript. I can choose to not use services that violate my privacy (Google Mail, etc.).

"Choose" being the key word. If consumers don't have a choice, we've got a problem.

 

[grjj]

a) No it's not, please read the article before responding to it. It's a """security""" feature that cannot be turned off, it also bypasses any custom firewall or VPN software you use on the Mac.

b) You don't have any evidence for this unfortunately. The likelihood that it's anonymous is basically 0%.

c) Do you have any evidence for this? I can think of a multitude of features they could build to make their software and devices way more secure and private (especially iCloud). If Apple really wanted to, they could create groundbreaking software that is lightyears ahead of the competition in terms of privacy. They choose not to. They choose to build the bare minimum to capture mindshare as "the company that respects privacy" but I've seen very little from them that indicates they care deeply about this.

a)So you're claiming that Apple has developed a new Internet communication protocol outside IP TCP/UDP and doesn't use ports, IP addresses, frames or any normal communication system? Because that's what it would take for a firewall to not be able to block communications. And that they have a completely seperate network stack on their OSes that allows this secret communication to bypass any attempt to filter it. You don't know what you're talking about.

b) It's called differential privacy. https://www.wired.com/2016/06/apples-differential-privacy-collecting-data/
Also: Apple IDs are completely anonymous. You can use any throw-away email address and any fake name to create one. Apple has absolutely no way to know who you are when you create an Apple ID.

c) https://www.apple.com/legal/privacy/en-ww/
Data in iCloud is end-to-end encrypted, in flight and in storage. The keys are only held by you and any other parties you let access the data. The only shared key encryption is your iOS iCloud backups, which if you enable iCloud syncing contains no personal data.

If you belive Apple is lying about all these public statements then I suggest you hire an attorney and file a suit. Apple is a public company and materially misleading people in such a manner would be all manner of wrong on many levels. When they say your data is yours, they don't want to see it and you are in control of your security... I believe them.

 

[997440]

It’s important to note that there is iCloud data in addition to iOS backups that isn’t zero knowledge, end-to-end encrypted. Apple’s explanation is here:
https://support.apple.com/en-us/HT202303

 

[zakarhino]

a)So you're claiming that Apple has developed a new Internet communication protocol outside IP TCP/UDP and doesn't use ports, IP addresses, frames or any normal communication system? Because that's what it would take for a firewall to not be able to block communications. And that they have a completely seperate network stack on their OSes that allows this secret communication to bypass any attempt to filter it. You don't know what you're talking about.

b) It's called differential privacy. https://www.wired.com/2016/06/apples-differential-privacy-collecting-data/
Also: Apple IDs are completely anonymous. You can use any throw-away email address and any fake name to create one. Apple has absolutely no way to know who you are when you create an Apple ID.

c) https://www.apple.com/legal/privacy/en-ww/
Data in iCloud is end-to-end encrypted, in flight and in storage. The keys are only held by you and any other parties you let access the data. The only shared key encryption is your iOS iCloud backups, which if you enable iCloud syncing contains no personal data.

If you belive Apple is lying about all these public statements then I suggest you hire an attorney and file a suit. Apple is a public company and materially misleading people in such a manner would be all manner of wrong on many levels. When they say your data is yours, they don't want to see it and you are in control of your security... I believe them.

They key phrase in your response is the last three words: "I believe them." I don't. I don't believe in things I can't verify (for the most part), that's why zero trust/zero knowledge principles are a thing that people work on and Apple would work on them too if they had a strong view on privacy. I believe there are workarounds for most of their "encrypted" data so that it can be accessed by the government or Apple otherwise there wouldn't have been a controversy over them handing over "encryption keys" to the Chinese government nor would there have been anything for Apple to contribute towards the Prism program. Apple themselves say they scan files uploaded to iCloud, how can they do that if everything is encrypted? Hash the encrypted files? Wouldn't the hashes be different on every encrypted file even if the decrypted file is the same across different users? I'm not a security expert but that doesn't really make sense to me.

With all that being said, unfortunately I'm not naive enough to believe the US government would allow one of the biggest phone and messaging platforms in the world to exist as a black hole in the eyes of the intelligence community. So like I said, outside of some vague iCloud support docs and a surface level privacy policy I don't have much to go on to verify any of their claims. Just trust. Trust isn't enough for me.

 

[Kung gu]

What phone do u use, cause iphone does the same thing as the mac?
and don't even get started on android.. @zakarhino

 

[AltecX]

If you're not assuming EVERY company is lying about how it treats/protects your privacy you're interneting wrong.

 

[AltecX]

What phone do u use, cause iphone does the same thing as the mac?
and don't even get started on android.. @zakarhino

At least with Android you can pull the source code, audit it, fully rip out tracking, and add in other code to make it more locked down. THen flash that ROM to your device, then ONLY install the apps you 100% trust because they also passed other code audits. You dont even have that option with iDevices.

 

[Kung gu]

At least with Android you can pull the source code, audit it, fully rip out tracking, and add in other code to make it more locked down. THen flash that ROM to your device, then ONLY install the apps you 100% trust because they also passed other code audits. You dont even have that option with iDevices.

and who does that? maybe 0.1% of the population

 

[Takuro]

Unless the article just got modified, OP's thread title is highly misleading. This is the only claim made specifically with regard to Apple Silicon, and it's true:

Those shiny new Apple Silicon macs that Apple just announced, three times faster and 50% more battery life? They won’t run any OS before Big Sur.

 

[grjj]

They key phrase in your response is the last three words: "I believe them." I don't. I don't believe in things I can't verify (for the most part), that's why zero trust/zero knowledge principles are a thing that people work on and Apple would work on them too if they had a strong view on privacy. I believe there are workarounds for most of their "encrypted" data so that it can be accessed by the government or Apple otherwise there wouldn't have been a controversy over them handing over "encryption keys" to the Chinese government nor would there have been anything for Apple to contribute towards the Prism program. Apple themselves say they scan files uploaded to iCloud, how can they do that if everything is encrypted? Hash the encrypted files? Wouldn't the hashes be different on every encrypted file even if the decrypted file is the same across different users? I'm not a security expert but that doesn't really make sense to me.

With all that being said, unfortunately I'm not naive enough to believe the US government would allow one of the biggest phone and messaging platforms in the world to exist as a black hole in the eyes of the intelligence community. So like I said, outside of some vague iCloud support docs and a surface level privacy policy I don't have much to go on to verify any of their claims. Just trust. Trust isn't enough for me.

No, the "key" to my response is the overwhelming amount of factual evidence.
Where's all the security researchers proving Apple's iMessages are not encrypted and claiming their real money rewards from Apple? They aren't getting paid because the platform is as secure as Apple says it is.

 

[Kostask]

They key phrase in your response is the last three words: "I believe them." I don't. I don't believe in things I can't verify (for the most part), that's why zero trust/zero knowledge principles are a thing that people work on and Apple would work on them too if they had a strong view on privacy. I believe there are workarounds for most of their "encrypted" data so that it can be accessed by the government or Apple otherwise there wouldn't have been a controversy over them handing over "encryption keys" to the Chinese government nor would there have been anything for Apple to contribute towards the Prism program. Apple themselves say they scan files uploaded to iCloud, how can they do that if everything is encrypted? Hash the encrypted files? Wouldn't the hashes be different on every encrypted file even if the decrypted file is the same across different users? I'm not a security expert but that doesn't really make sense to me.

With all that being said, unfortunately I'm not naive enough to believe the US government would allow one of the biggest phone and messaging platforms in the world to exist as a black hole in the eyes of the intelligence community. So like I said, outside of some vague iCloud support docs and a surface level privacy policy I don't have much to go on to verify any of their claims. Just trust. Trust isn't enough for me.

Quite honestly, if you don't trust anybody, then why are you on the Internet? The only way you will be truly 100% secure in your scenario is if you designed your own CPU, put it on a PCB you designed (built with all ICs designed and built by you), running an OS that you programmed yourself, and running apps that you wrote on your own. Oh, yeah, and the libraries and protocol stacks that are used in the apps and OS you will need to write on your own. Barring that, you shouldn't be on the internet, if trust is not enough for you.

There is a reason that the US government, the FBI, and Law Enforcement in general have been trying to lean on Apple for years to open up things like iPhones. They have gone to court, and lost the cases on multiple occasions. US government doesn't like it, but Apple is not in the habit of doing what the government likes. It will comply with court orders, as long as their lawyers have had a chance to examine them for legality, but short of that, the US government gets nothing, nor does the FBI.

Whether you choose to trust that or not, that is the truth of it.

 

[Kostask]

At least with Android you can pull the source code, audit it, fully rip out tracking, and add in other code to make it more locked down. THen flash that ROM to your device, then ONLY install the apps you 100% trust because they also passed other code audits. You dont even have that option with iDevices.

Then let us ask the following question:

If what you wrote is all it takes, then please elaborate on why Google isn't doing this for the Play Store. I mean, Google, being the originator of Android, must know what tracking code looks like, right, seeing as they are the all knowing, all seeing gurus of Android? But guess what, the Play Store is riddled with apps that do have malware, key loggers, credential stealers and all sorts of apps that do anything from displaying false notifications to bricking Android phones. How do I know? Ever get the Threatpost newsletter? Two to three times a week, there are reports of "Google removes X number of apps for stealing private information", "Google deletes Y apps for installing banking trojans", and so on and so on. Don't want to get daily newsletters, they have a website site called inforsecindustry.com, and after you get through reading that web site, also take a trip through "The Hacker News". Let me know how many security issues you see on Mac and iDevices, and how many you see for Android and Windows.

If all of this were so easy, then i'm sure Google would have been able to keep the Play Store clean. It defintely isn't clean. Even though we don't have that option on iDevices, and they are closed off, do you actually believe the Play Store is more secure than the App Store? I certainly don't, and I don't think ANY person who has the smallest amount of computer security does, either. And I don't see any more than .00001% of Android users doing what you described above. That is insane on the face of it.

 

[FakeTimCook]

Looks like they don’t actually spy on us. I believe them. And that they already took steps to disconnect user IPs from verification processes. 👍
This was a good bug.

Apple responds to Gatekeeper issue with upcoming fixes | TechCrunch

Apple has updated a documentation page detailing the company’s next steps to prevent last week’s Gatekeeper bug from happening again, as Rene Ritchie

techcrunch.com