Now this concerns me. Just who is Apple Sleeping with? :apple:
See above. Your File Vault is secure, but I do recommend that your iCloud password be incredibly strong, you use a password locker (I prefer 1Password), make all your answers to recovery questions random, use 2FA where possible, and a VPN when on any public or questionable internet connection.

None of these steps will ensure protection, but not being the "weakest of the herd" means you're statistically unlikely to be attacked, save for being directly targeted, in which case you definitely want to make it as difficult as possible to be hacked.
 
According to security.stackexchange.com, this is a huge mistake:
http://security.stackexchange.com/q...ha256-to-generate-an-aes-encryption-key#16357

PBKDF2 is an intentionally slow algorithm, meant to make brute force guessing of passwords difficult.
SHA256 is a very fast algorithm, meant to produce hashes for dictionaries and sets and whatnot - basically, it helps make all your programs run quickly.

Normally quicker is better, so SHA256 is preferable in almost all situations, except when it comes to storing your password.

Either someone made an honest mistake and thought, hey, let's make this run faster because faster is better and they didn't consider the implications of hacking being faster, or they intentionally wanted to cripple security.
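The PBKDF2-versus-SHA256 contrast in this post, as an added example (it is not code from the post, from the linked StackExchange answer, or from Apple's backup implementation): a reference PBKDF2-HMAC-SHA256 written out in full so the chained iterations are visible, cross-checked against Python's hashlib, beside the "one hash and done" scheme the post describes. The salt, password, candidate list and iteration count are constructed sample values.

```python
import hashlib
import hmac
import struct
import time


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2-HMAC-SHA256 (RFC 8018 section 5.2) written out in full so the
    chained iterations are visible. Each 32-byte output block costs
    `iterations` sequential HMAC calls; U_k depends on U_(k-1), so a single
    password guess cannot be parallelised across cores."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    hlen = hashlib.sha256().digest_size   # 32 bytes
    blocks = -(-dklen // hlen)             # ceiling(dklen / hlen)
    derived = b""
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)); INT(i) is a 4-byte big-endian block index
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha256).digest()
        t = bytearray(u)
        # U_2 .. U_c: each is the PRF of the previous U; T_i = U_1 xor ... xor U_c
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            for j in range(hlen):
                t[j] ^= u[j]
        derived += bytes(t)
    return derived[:dklen]


def stdlib_pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """The standard-library implementation, used to cross-check the reference above."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def single_sha256_key(password: bytes, salt: bytes) -> bytes:
    """The 'just hash it once' scheme the post describes: one SHA-256 over
    salt || password. Deterministic and salted, but costs one hash per guess."""
    return hashlib.sha256(salt + password).digest()


def hash_calls_per_guess(scheme: str, iterations: int = 10_000, dklen: int = 32) -> int:
    """Approximate number of SHA-256 computations paid per candidate password.
    Each HMAC evaluation is two SHA-256 computations (inner and outer hash)."""
    if scheme == "sha256":
        return 1
    if scheme == "pbkdf2":
        blocks = -(-dklen // 32)
        return blocks * iterations * 2
    raise ValueError(f"unknown scheme {scheme!r}")


def guesses_per_second(scheme: str, salt: bytes, candidates: list, iterations: int = 10_000) -> float:
    """Throughput of offline guessing on this machine for the given scheme.
    The ratio between the two schemes is the defender-relevant number: a slow
    KDF multiplies the cost of every wrong guess by the iteration count."""
    start = time.perf_counter()
    for pw in candidates:
        if scheme == "pbkdf2":
            stdlib_pbkdf2(pw, salt, iterations, 32)
        else:
            single_sha256_key(pw, salt)
    return len(candidates) / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = b"constructed-16-byte-salt"     # constructed sample value
    password = b"correct horse battery"    # constructed sample value
    assert pbkdf2_hmac_sha256(password, salt, 1000, 48) == stdlib_pbkdf2(password, salt, 1000, 48)
    candidates = [b"guess%d" % n for n in range(200)]   # constructed candidate list
    fast = guesses_per_second("sha256", salt, candidates)
    slow = guesses_per_second("pbkdf2", salt, candidates, iterations=10_000)
    print(f"SHA-256 only : {fast:,.0f} guesses/s  ({hash_calls_per_guess('sha256')} hash call per guess)")
    print(f"PBKDF2 10k   : {slow:,.0f} guesses/s  ({hash_calls_per_guess('pbkdf2'):,} hash calls per guess)")
    print(f"slowdown factor for an attacker: {fast / slow:,.0f}x")
```

The iteration count is the whole point: both schemes produce a fixed-size key from a salt and a password, but PBKDF2 charges every guess (the legitimate user's and an attacker's alike) the full chain of HMAC calls, while the single-hash scheme charges one. Run the script and the printed slowdown factor is roughly the iteration count times two, which is what the "intentionally slow" description in the post means in practice.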
 
Apple has already said, they hand iCloud login credentials out to any government and/or the FBI even without a warrant.
Doesn't matter if you don't back up to iCloud and don't store the recovery key from File Vault 2 with iCloud. No chance.
 
Apple has already said, they hand iCloud login credentials out to any government and/or the FBI even without a warrant.

1) No, they don't simply hand out usernames and passwords to "any government" without a warrant (or reason).

2) If you're concerned about privacy and understand that any internet-facing login is a potential weak point, you choose not to store your Mac's recovery key on your iCloud account.
 
Doesn't matter if you don't back up to iCloud and don't store the recovery key from File Vault 2 with iCloud. No chance.

Absolutely correct, that's what I do. But most people store it in iCloud.
Either someone made an honest mistake and thought, hey, let's make this run faster because faster is better and they didn't consider the implications of hacking being faster, or they intentionally wanted to cripple security.

How stupid do you think Apple's programmers are?

Do you think one single person changes that for no reason, without anybody overlooking it?

That was not an "honest mistake".
 
According to security.stackexchange.com, this is a huge mistake:
http://security.stackexchange.com/q...ha256-to-generate-an-aes-encryption-key#16357

PBKDF2 is an intentionally slow algorithm, meant to make brute force guessing of passwords difficult.
SHA256 is a very fast algorithm, meant to produce hashes for dictionaries and sets and whatnot - basically, it helps make all your programs run quickly.

Normally quicker is better, so SHA256 is preferable in almost all situations, except when it comes to storing your password.

Either someone made an honest mistake and thought, hey, let's make this run faster because faster is better and they didn't consider the implications of hacking being faster, or they intentionally wanted to cripple security.

I don't think one person could just alter a part of the codebase that easily. I'm sure Apple uses some form of source control and a change that big would show up. Which leads me to believe at the very least a whole team or department agreed to this change even if the CTO/project lead did not.
 
Absolutely correct, that's what I do. But most people store it in iCloud.

How stupid do you think Apple's programmers are?

Do you think one single person changes that for no reason, without anybody overlooking it?

That was not an "honest mistake".
Right. It was a conspiracy. They thought they could get away with it and no one would ever know.

How stupid do you think Apple programmers are?

:rolleyes:
 
"As Apple points out, this security oversight is limited to backups created on a Mac or PC and does not affect the security of iCloud backups."

With only 5GB of iCloud storage, I'd wager this is more impactful as most people back up to iTunes.

Yup.

But the point that they're making is that unlike something like the Yahoo breach, someone needs to actually have access to your personal computer to exploit this.
 
... Apple confirmed it is aware of the issue and is working on a fix. As Apple points out, this security oversight is limited to backups created on a Mac or PC and does not affect the security of iCloud backups. ...

It is interesting they say that because someone from the Royal family just had their iCloud hacked.
 
There was no reason to suddenly change the encryption mechanism, except to make it easier to crack.

It probably wasn't done intentionally. It's easy to include a different encryption library or do a file replace and forget some part of the code used something some way.

My bet is they probably added the simpler encryption for another part of iTunes entirely and it conflicted with the backup encryption somehow, perhaps changing a function that performs the encryption calls, etc.

I don't think this was done maliciously, I mean sure it could be but I don't think so.
 
Nice turn-around. But what they did is a fact and not a conspiracy.
The only fact is that the encryption changed. It's clearly a mistake, which they are fixing. No spokesperson has come forward to say we don't really need strong encryption. If it wasn't an "honest" mistake then what kind of mistake was it?
 
Right. It was a conspiracy. They thought they could get away with it and no one would ever know.

How stupid do you think Apple programmers are?

:rolleyes:

I understand many conspiracy theories are actually absurd or extreme but you can't always brush off the evidence by stating it's just paranoia. It's impossible that this change to the GM iOS 10 codebase was made in secret by one programmer. This was a choice and there isn't any apparent benefit to making this change.

Don't get me wrong, it's very surprising. It's one thing not to strengthen the security; to weaken it is very odd coming from such a large company.
 
Absolutely correct, that's what I do. But most people store it in iCloud.

How stupid do you think Apple's programmers are?

Do you think one single person changes that for no reason, without anybody overlooking it?

That was not an "honest mistake".

Stupid enough to let the certificate expire on supportprofile.apple.com (yes, I know that isn't the programmers, but you wouldn't expect them to be that stupid either).
 