This is one of the areas where people assume too much regarding iCloud.

Apple can't decrypt the information off iCloud, that much is true (if they're to be believed). However, that encrypted information is still tied to you, it's your blob of encrypted information, and this can be passed to the Government. Now can the Government decrypt it? Who knows, maybe not today but as computers get more powerful it's only a matter of time.

The point is, even though it's encrypted, Apple still knows which information is yours and will happily pass it on if subpoenaed; it's just that Apple can't read it so that's what they use in their marketing.

That is not true.

Apple can and has decrypted iCloud backups multiple times. Apple's own documentation states it. See the above message about why China told Apple it must move its iCloud servers to China - the reason was so that the keys are under China's control when the servers are there so anyone who has iCloud backup turned on with a home country of China can have their data accessed.

Ditto in the US under legal process since Apple has the keys.

This does not mean that they can decrypt your phone, but if you have iCloud backup on, they can access what is stored in the backup. For that matter, anyone at Apple could do so if they desired and had access to the keys.

Off-device encryption is a huge issue and will eventually become a problem. No matter how good Apple is at some point, someone at Apple will make a mistake or be compromised.



See e.g. -- there are many discussions with more details, but this has a reasonably good high level overview:
https://www.reuters.com/article/us-...hina-raising-human-rights-fears-idUSKCN1G8060
"
That’s because of a change to how the company handles the cryptographic keys needed to unlock an iCloud account. Until now, such keys have always been stored in the United States, meaning that any government or law enforcement authority seeking access to a Chinese iCloud account needed to go through the U.S. legal system.

Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.
...
“While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful,” it said. Apple said it decided it was better to offer iCloud under the new system because discontinuing it would lead to a bad user experience and actually lead to less data privacy and security for its Chinese customers.
...
And even though Chinese iPhones will retain the security features that can make it all but impossible for anyone, even Apple, to get access to the phone itself, that will not apply to the iCloud accounts. Any information in the iCloud account could be accessible to Chinese authorities who can present Apple with a legal order.

Apple said it will only respond to valid legal requests in China, but China’s domestic legal process is very different than that in the U.S., lacking anything quite like an American “warrant” reviewed by an independent court, Chinese legal experts said. Court approval isn’t required under Chinese law and police can issue and execute warrants.

“Even very early in a criminal investigation, police have broad powers to collect evidence,” said Jeremy Daum, an attorney and research fellow at Yale Law School’s Paul Tsai China Center in Beijing. “(They are) authorized by internal police procedures rather than independent court review, and the public has an obligation to cooperate.”
"
 
Exactly. And there are no issues or conflicts based on your facts. Apple does not want to be a gatekeeper, however it does want to show that YOUR data is being handled as best as possible by Apple. It can’t control, nor should it, what Facebook does with your information, and it has a right to take a cut of sales from the App Store.

So what you are saying is: What happens on your iPhone does not stay on your iPhone?
 
Whatever, the iCloud backups were compromised and data stolen.... And who's to say it's never gonna get hacked or compromised in some way in the future. You can't.

So let’s see.... you make a factually incorrect statement. You get corrected by multiple members who clearly have more knowledge on the subject. And instead of acknowledging it, you double down and somehow try to spin it.

You have a future in politics my friend.
 
Think about this: if someone, say the NSA, FSB (Russia), or anyone else somewhere can copy the current state of iCloud today (or at any point) via a hack, there will be issues later. There have been a lot of options from Heartbleed, Spectre, Meltdown to name some big ones where public servers could have been compromised with little chance of detection. Why mention those in particular? Recall that iCloud has been based on AWS and Azure per Apple's security white papers so if either of them have an issue, the encrypted backups could be duplicated. And it doesn't have to be a security issue. It could be an employee who gives someone access (for money, under duress, for the thrill, by clicking on a phishing link etc) to duplicate the encrypted data.

It may have already happened. Microsoft (Azure) and Amazon (AWS) have had issues, so while iCloud itself might not have been hacked, there is a reasonable chance that the backend may have been. Heartbleed for example was in the wild for several years (2012-2014) and Spectre and Meltdown impacted a huge percentage of CPUs prior to OS patches, and there were plenty of people who knew about the potential problems prior to the patches. Could it have leaked? Some in the security community believe that Heartbleed was done intentionally, allowing a big three-letter agency access. Whether or not AWS or Azure were compromised, no one knows, but it is a distinct possibility.

But, what good does someone having copies of the encrypted backups do you ask? Eventually if Apple's iCloud backup encryption keys are leaked, everything duplicated could then be decrypted.

The centralized nature of encryption keys for iCloud is a potential huge problem. I have little doubt that Apple knows and understands the issues, the question is whether they will take steps to remedy it by using on device keys to encrypt each device's backup so that a bulk decryption would be much less likely - e.g. it would require something akin to proving that P == NP.
 
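The post above contrasts a service-held (escrowed) backup key with keys held on each device. The Python model below is added here as an illustration; it is not code from any post in the thread and not Apple's implementation. It encrypts a few constructed sample backups both ways and then simulates an attacker copying everything the service side holds. The cipher is a toy HMAC-SHA256 keystream (a real design would use an AEAD such as AES-GCM), and the derivation label and key sizes are arbitrary choices for the demo.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
BACKUP_KEY_LABEL = b"backup-key-v1"  # arbitrary derivation label for the demo


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter). Illustration only;
    a real design would use an AEAD such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def device_backup_key(device_secret: bytes) -> bytes:
    """Derive the per-device backup key from a secret that never leaves the device."""
    return hmac.new(device_secret, BACKUP_KEY_LABEL, hashlib.sha256).digest()


def service_escrow_model(backups: dict) -> dict:
    """Model A: one service-held escrow key encrypts every user's backup.
    Returns everything that lives on the service side (blobs and the key)."""
    escrow_key = secrets.token_bytes(32)
    blobs = {user: encrypt(escrow_key, data) for user, data in backups.items()}
    return {"blobs": blobs, "escrow_key": escrow_key}


def device_key_model(backups: dict):
    """Model B: each device encrypts with its own derived key; the service
    stores ciphertext only. Returns (service side, device secrets)."""
    device_secrets = {user: secrets.token_bytes(32) for user in backups}
    blobs = {user: encrypt(device_backup_key(device_secrets[user]), data)
             for user, data in backups.items()}
    return {"blobs": blobs}, device_secrets


def recoverable_after_service_leak(service_side: dict, backups: dict) -> int:
    """Assume an attacker copied everything on the service side. Count the
    backups that can be opened using only that material."""
    key = service_side.get("escrow_key")
    if key is None:
        return 0  # ciphertext alone, no key material: nothing opens
    return sum(1 for user, blob in service_side["blobs"].items()
               if decrypt(key, blob) == backups[user])


# Constructed sample backups for the demo.
SAMPLE_BACKUPS = {
    "alice": b"photos, messages, notes",
    "bob": b"contacts and health data",
    "carol": b"keychain items",
}


def demo():
    escrowed = service_escrow_model(SAMPLE_BACKUPS)
    device_side, device_secrets = device_key_model(SAMPLE_BACKUPS)
    # A legitimate restore in model B still works, because the device has the secret.
    restored = decrypt(device_backup_key(device_secrets["alice"]), device_side["blobs"]["alice"])
    return (recoverable_after_service_leak(escrowed, SAMPLE_BACKUPS),
            recoverable_after_service_leak(device_side, SAMPLE_BACKUPS),
            restored)


if __name__ == "__main__":
    escrow_count, device_count, restored = demo()
    print(f"escrow model: {escrow_count} of {len(SAMPLE_BACKUPS)} backups readable after a service-side leak")
    print(f"device-key model: {device_count} of {len(SAMPLE_BACKUPS)} backups readable after a service-side leak")
    print("restore for alice:", restored.decode())
```

The point the model makes is about blast radius: in model A a single leaked key opens every duplicated blob, whereas in model B the copied ciphertext is inert without each device's secret. The cost of model B is recovery, since a user who loses every device also loses the only key.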
True... once their nude pics are out there... they're out there forever. That's unfortunate.

But as others have said... iCloud wasn't hacked.

It was a "very targeted attack on user names, passwords and security questions"

In other words... the bad guys opened the same door that the celebrities use... using their stolen credentials.

That's not the same as "hacking" Apple's servers.

Think of it this way: if I was to somehow acquire your MacRumors password... by an email phishing scam or simply guessing... and I login as you and post a bunch of crap under your name... did I "hack" MacRumors?

No... I "hacked" your user account.

There is a difference.
I thought it was using brute force attack? Meaning they had a python script that used brute force to keep going until they got the right password?
The account should have been locked out after a few bad password attempts but the hackers used a known find my phone exploit to bypass that and eventually get the passwords.
So yes...iCloud was hacked....yes they had the passwords...but they got the passwords by using a known exploit that was not patched.
Apple has better security now than they did then with 2 factor and better safeguards in place.
But they did not at that time.

Then an app or service is only as good as the security it enforces. If it allows you to use 123456789 or password as your password then it is not designed very well. Apps need to enforce good security or they will get hacked or compromised.
Then the definition of hacked is below and it sounds like what happened to iCloud. You can blame the end user all you want...but security starts with good software development and enforcement.

Hack
"to gain illegal access to (a computer network, system, etc.)"

https://www.merriam-webster.com/dictionary/hack
 
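The post above describes a brute-force script succeeding because a secondary endpoint did not enforce the lockout the main login did, and a later reply notes that a second factor would have stopped it cold. The Python below is an added illustration, not code from the thread and not Apple's: a toy account store with a per-user failure counter, a secondary endpoint that can be configured either to share that counter or to bypass it, and a brute-force loop run against each. The wordlist, the threshold of five, the endpoint names and the PBKDF2 parameters are arbitrary choices for the demo.

```python
import hashlib
import hmac
import secrets

LOCKOUT_THRESHOLD = 5          # arbitrary for the demo
PBKDF2_ITERATIONS = 20_000     # kept low so the demo runs quickly

# Constructed wordlist; the target password is deliberately in it.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "admin",
            "welcome", "monkey", "dragon", "sunshine", "football", "princess"]


def is_acceptable_password(pw: str) -> bool:
    """Reject common and short passwords at signup, the enforcement the post calls for."""
    return len(pw) >= 12 and pw.lower() not in WORDLIST


class AuthService:
    """Toy account store: salted PBKDF2 hashes plus a per-user failure counter."""

    def __init__(self, accounts: dict, lockout_on_all_endpoints: bool,
                 require_second_factor: bool = False):
        self._users = {}
        for user, pw in accounts.items():
            salt = secrets.token_bytes(16)
            self._users[user] = (salt, self._hash(salt, pw))
        self._failures = {user: 0 for user in accounts}
        self.lockout_on_all_endpoints = lockout_on_all_endpoints
        self.require_second_factor = require_second_factor

    @staticmethod
    def _hash(salt: bytes, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)

    def _password_matches(self, user: str, pw: str) -> bool:
        salt, digest = self._users[user]
        return hmac.compare_digest(digest, self._hash(salt, pw))

    def login(self, user: str, pw: str, second_factor_ok: bool = False) -> str:
        """Primary endpoint: counts failures and locks the account at the threshold."""
        if user not in self._users:
            return "invalid"
        if self._failures[user] >= LOCKOUT_THRESHOLD:
            return "locked"
        if not self._password_matches(user, pw):
            self._failures[user] += 1
            return "invalid"
        self._failures[user] = 0
        if self.require_second_factor and not second_factor_ok:
            return "second_factor_required"
        return "ok"

    def locate_device(self, user: str, pw: str) -> str:
        """Secondary endpoint that also checks the password. When
        lockout_on_all_endpoints is False it models a path that never
        consults the failure counter, so the lockout does not apply here."""
        if self.lockout_on_all_endpoints:
            return self.login(user, pw)
        if user not in self._users:
            return "invalid"
        return "ok" if self._password_matches(user, pw) else "invalid"


def brute_force(service: AuthService, user: str, wordlist: list, endpoint: str):
    """Try each guess against the named endpoint. Returns (password or None, attempts made)."""
    call = getattr(service, endpoint)
    for attempts, guess in enumerate(wordlist, start=1):
        result = call(user, guess)
        if result == "locked":
            return None, attempts
        if result == "ok":
            return guess, attempts
    return None, len(wordlist)


def demo():
    creds = {"target": "sunshine"}  # constructed; a real store would reject this at signup
    weak = AuthService(creds, lockout_on_all_endpoints=False)
    hardened = AuthService(creds, lockout_on_all_endpoints=True)
    with_2fa = AuthService(creds, lockout_on_all_endpoints=True, require_second_factor=True)
    r_main = brute_force(weak, "target", WORDLIST, "login")            # lockout stops it
    r_bypass = brute_force(weak, "target", WORDLIST, "locate_device")  # counter not shared: found
    r_fixed = brute_force(hardened, "target", WORDLIST, "locate_device")
    r_2fa = with_2fa.login("target", "sunshine")                        # right password, still blocked
    return r_main, r_bypass, r_fixed, r_2fa


if __name__ == "__main__":
    for label, result in zip(("main login", "bypass endpoint", "fixed endpoint", "with 2FA"), demo()):
        print(f"{label}: {result}")
```

The lesson the model isolates is that a lockout counter is only as good as its coverage: every path that verifies a password has to consult the same counter, and a second factor turns a correct guess into a non-event.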

Speculation (however vague) about evil is easier than efforts for good.
Anyone who speculates about the methods and practice of evil without actually being able to lead something responsibly for the better harms his mind.
If you want to do something good, welcome to the club. Apple is still quite a clean area in this respect.
If this value is nothing to you, or you want to relativize that value, feel free and inexpensive within Android.
 
So Apple is advertising to ISIS and terrorist?

I wish they were this bold when it came to the Chinese Government..
 
I thought it was phishing also. But to me it doesn’t matter enough to go back into the history book. 2fa would have stopped that cold.
 
True...today the same unpatched exploit would not work because of 2fa.
I am not going back in the history books as much as clarifying some of the inaccuracies that have been posted here.
Then if you don't look back at history....you will repeat the past.
True.

I'm guessing this billboard makes more sense today than it did 4 years ago. :p
Agreed.....
 
Troll kidding?
Don't drag the Marine Corps into dirt with such stupid remarks!
 
The broadest, most meaningless definition possible.

Using this definition, if someone kidnaps a loved one to make you give them your password, then Apple would be at fault for that "hacking" too.
if you don't like the definition....you could always ask Merriam Webster to change it....

Kidnapping someone and, under the threat of death, getting their passwords....is not hacking.

You have to add a little context. Go back and read my post again. They got the passwords by a brute force python script using a known unpatched exploit in Find My Phone. That is hacking......
 

Discussing and pointing out problems and issues that are factual is (a) not harmful to the mind and (b) part of the engineering and security process. I happen to have been involved in the area for quite a long time now, although not at Apple, and agree that Apple is much better than the rest. They are not perfect though and there are areas for improvement. Imagine what it would do to help free expression around the world, particularly in places like China, if Apple implemented on-device encryption.

If Apple isn't aware of the potential flaws, their engineering staff is sorely lacking. I don't believe it is, but I do believe that management either may not value it or may be under pressure not to provide on device end-to-end iCloud encryption.

Anyway, no one except you said anything about not valuing it. Are you projecting?

We have several iPads, several iPhones, several Macs (we still even have the 128K Mac in the closet, and it still boots) and several Apple TVs, but none of them have iCloud backup on for the reasons I've mentioned. Not that there is anything to hide, but I don't want things spread about the internet if iCloud is eventually hacked.
 
It's kind of nice seeing Apple act like a commoner, showing up at what they didn't consider worthy before. But when your flagship product tanks and your stock drops 35%, you gotta start going to the bus stop again with the rest of the kids.

Tim, polish up that resume. Some non-profit out there needs you.
 
This is a great discussion, folks.

Many people have been quick to mention "The Fappening" from 4 years ago. It was literally the first comment in this thread. It was pretty nasty, sure. But luckily nothing else on that scale has happened since then.

I'd like to play devil's advocate for a moment, though.

If Apple is claiming that they care about your privacy... and thus the other guys (Google, Android) don't care about your privacy... then why haven't we seen fappening-level Android breaches?

I mean... if Android is less secure... it seems like we should have daily leaks of Android-using celebrity photos.

Or... why has no one attempted to phish for a celebrity's Google Photos password or something?

Just a thought...
 
Even though I understand that privacy is being referenced, I’m going to be snarky and argue that very little happens on the phone without assistance from the Internet.

During a recent trip to a rural location, I was dumbfounded that Siri couldn’t look up a contact without a cellular/Internet connection. The contact’s data was on my phone!
 
CES is where the electronics world comes together to show off its new wares each year, while Apple traditionally snubs the extravaganza.
Now that Apple no longer really stands out as a unique electronics supplier, it's easy to forget about them while being wowed by everyone else's new tech.
 
Is it just me or does advertising on the side of buildings come across as, well, somewhat cheap?

For apple, that is.

I'd expect to see an ad for Chick Fil A or something

What do you think @boltjames
Apple's been putting up giant murals on busy streets in Toronto since the iPod days. There's very strict zoning laws regarding billboards here and those are prime advertising spots.
 
Privacy, one of the few things Apple is doing these days that I agree with. Let's hope they keep it up, but sadly I do not trust them to do so since they have abandoned most of the other things they used to do that I consider important.
 
Yes but it hasn't yet, so your statement is still false. We can "what if" this to death. Data was stolen because of the end user, not because of Apple, but you made an inaccurate statement.
 
This is actually very smart, especially since Apple is not known to participate in CES. Because of this, it’ll get attention. It already has.

Apple really stands apart as the one company that has no interest in your data and goes to great lengths to make your data yours and to ensure that not even they can see it, even if they wanted to or were compelled to by law.

It was a good long term bet because Android can’t ever come close to matching it. The only reason Android exists and why Google gives it away for free to manufacturers is because Google’s entire business depends on monetizing your data.


You've accused people of being deliberately misleading in this thread yet the bold part of your post is misleading also.

Apple can and will provide iCloud data to law enforcement. Lets be very clear on that.
 