
BeautifulWoman_1984

Hey guys,

I know this is a weird question to be asking on MacRumors, but it's a serious question for me.

When choosing what device to use, whether it be my tablet device, my phone device or my desktop device, my first priority is always user security/user privacy.

I use Apple products because I trust Apple more than I trust other technology companies. However, this thread has really got me worried and has me questioning my use of Apple products: https://forums.macrumors.com/thread...os-big-sur-report-data-back-to-apple.2277914/

Thank you so much!
 
I could write an insanely long post about that discussion, and I might do so on my blog at some point, but I’ll keep it a bit more condensed here.

In short, Apple does prioritize user privacy more than most, if not all, mainstream tech companies. This does not mean Apple has no telemetry at all whatsoever, though they do generally allow users to opt in and out. But if you look at where the money comes from, it’s pretty clear to see that Apple has an incentive to keep user data privacy a priority, while many of their competitors have the opposite incentive. Apple uses privacy as a market differentiator to sell their physical products.
Google doesn’t sell you any product; you are the product they sell. Same goes for Facebook and to some extent Microsoft.
Other hardware vendors like Samsung, Huawei, etc. may or may not directly profit off of selling your data in addition to selling hardware, but they rely on software from Google and Microsoft to run their operating systems (unless you install Linux or a BSD, of course).

The thread you link talks about something that is simultaneously true and misinterpreted by many. This is not some big new scandalous discovery. We knew this was happening, we know how to block it, and it’s in fact a form of security feature, not a privacy-snooping one, where Apple validates a hash of executables against expected hashes from the notarisation process. And Apple has also publicly commented on the matter, saying they will provide an easy user-facing toggle to opt out of it, even though it is a security feature and I would advise against it.

With all of the above said:
You make a lot of posts about security and privacy. It’s good to care and be aware. But as soon as you input data into anything that executes code or transmits information that you do not have full control over, you do theoretically “run the risk” of giving up that information. I mean, you technically do even if you control everything as well, if you don’t ensure it’s not snooped on.
Apple is your best bet for “out-of-the-box” privacy. OpenBSD will provide you a good desktop OS that’s very security and privacy focused as well. But the cryptographer in me has to say that if something is so crucial that it could cause someone’s death or something... Consider everything compromised and encrypt it yourself.
 
I see no reason to be worried with the linked article. @casperes1996 did a fine job of summarizing the subject matter in a nice concise post.

Using the right hardware and OS is very important for a variety of reasons. I think Apple does an excellent job of integrating the two in a productive and entertaining manner.

The other part of the equation involves any third party apps you may be using, along with password management techniques, and what kind of internet footprint you are leaving behind each day you use the internet.

Never ever solely rely on your iPhone, iPad, or Mac to keep you safe or expect Apple to keep you safe. As much as I like Apple, I don't want them handling my business.

Make sure you are balanced on both sides of internet security, and your use of Apple will not be fraught with so much concern when reading MacRumors articles.
 
Perhaps the first time I’ve ever managed to be concise :p

But Apple_Robert makes an excellent point. To a great extent, what you do matters more than what you do it on.
 
Thank you for your replies!

I guess my question comes down to:
How can we know which software/hardware is safe and keeps user information private?
 
Under what threat model? Without bounds this question is impossible to properly answer, but regardless will practically always have the answer "none". There is no lock ever invented by anyone ever, physical or digital, that cannot be broken. Even something like OTP that is theoretically perfect encryption will not keep your information safe if the key is lost.
All safety properties need to be defined under a threat model; otherwise there's nothing more to it than "no. It's not safe".

Is it safe to take a walk? Under a regular threat model you'd probably say yes in most cases. But if you include in your threat model the eventuality of a meteor landing on you, no. It isn't. It's unlikely to happen, but you're not safe from it.

How can we know what software is considered safe under regularly considered threat models?
Read the source code if it is available, have security audits of it, monitor its network traffic, attack it and challenge other people to attack it and see if anyone succeeds.
From a consumer perspective: keep an open eye on news within the field and just follow good computing habits. Trust software the same way you'd trust businesses or people - if it stands in front of a dark alley and begs you to follow it so it can give you a load of cash, it's shady. If it's a business with a big green sign that says "FREE SERVICES", it may be a legit business but suspicious enough to warrant investigation. But you will trust Tesco not to sell you food that will poison you, because it's in their best interest not to do so. It might happen on rare occasions regardless, but they don't intend for it to happen.

As for hardware, it's a very similar answer, really, but I'd argue that if you're worrying about the security of the hardware, your threat model is beyond that of any consumer and you need to hire an IT Sec department to advise on what Trusted Computing Baseboard Management Chips (TCB BMC) to have in your server infrastructure.

The T2 found in a lot of Macs is such a chip, but it has been exploited and has known vulnerabilities. None that are severe, none that can be remotely exploited, none that have ever been used maliciously in the wild, but known exploits.

The M1 and A14 are to my knowledge not known to be vulnerable to any hardware-based attacks at this moment.

Almost no Windows laptop or to my knowledge Android phone will have chips like this. I'm sure they exist but they are rare. Mostly this kind of thing is just for servers or at the least is implemented in a smaller scale.

But this does not mean these devices are less secure under pretty much any threat model any consumer or professional would have to consider.

Keep your software up to date (mostly), practice good online habits like using secure passwords, don't blindly click yes on every popup.

And if it really is about Life or Death and the launch of nuclear war - don't use computers. Not offline either; you never know who'll break into your home and modify the boot loader.

The "best effort" approach, though, is to live normally but be conscious. If a corporation's wealth comes from analytics, they don't have your privacy as an interest. Use macOS, OpenBSD, FreeBSD, Linux and keep your packages/OS updated, and be aware of TLS/SSL connections and clear-text, i.e. the padlock in your web browser here signifies an encrypted and authenticated channel of communication. You can be sure you're talking to MacRumors and you can be sure that nobody's reading the traffic that is sent back and forth. Your DNS request is most likely clear-text, so it can be snooped which websites you're visiting if someone is snooping on your network, but not what data is sent between your client and the server. Email, on the other hand, unless you're using S/MIME, is fully clear-text and not encrypted at all.

There is no general formula, everything needs to be inspected independently

And with that, I should get back to preparing, because funnily enough my exam in security is tomorrow
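
An added example, not part of the original post, illustrating the point above about clear-text DNS: it builds a classic DNS query as sent over UDP port 53 and then recovers the hostname from the raw bytes alone, which is all a passive observer on the network needs. The function names and the sample hostname are constructed for illustration.

```python
import struct

def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Encode an A-record question the way a stub resolver sends it over UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label length: {label!r}")
        qname += bytes([len(raw)]) + raw  # length-prefixed, unencrypted label
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observed_hostname(packet: bytes) -> str:
    """Recover the queried name from raw bytes, as a passive on-path observer could."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    (qdcount,) = struct.unpack("!H", packet[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[pos]
        pos += 1
        if length == 0:  # root label terminates the name
            break
        if length > 63:
            raise ValueError("compression pointer or bad label in question")
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)

if __name__ == "__main__":
    # Constructed sample: the hostname of the forum this thread is on.
    pkt = build_dns_query("forums.macrumors.com")
    print(pkt.hex())
    print("observer sees:", observed_hostname(pkt))
```

Only the name being looked up appears in this packet; the page path and content travel separately over the TLS connection the post describes.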
 
Trust far outweighs privacy I reckon.



That's forever changing. There can't be anything rock solid indefinitely, because 2 months later it will be out of date. At least (not real privacy anyway), you're still trusting hardware..

I have never port forwarded in my life, not even on "unknown" ports, since I always believe it's insecure... Even though technically it's less likely, better be safe than sorry. And if that means services are restricted because no open port, then so be it.
 
Sorry, what are you talking about? If you want to expose a service to the internet, like for example a web server, you will need to set up your routing table to forward requests to the web server or a load balancer that then does that for you.
If you're not exposing anything to the internet you would have no reason to set up port forwarding, so of course you haven't.

If you, however, think that a device with a directly routable address is more or less secure if its ports undergo some indirection, that just doesn't really make sense.

Having an open port is also not inherently dangerous if nothing's listening on that port and traffic is just dropped anyway. If something is listening, though, that something might have a possibility for buffer overflow on the input or something that could theoretically result in arbitrary code execution, but that's a bit of a stretch here. And it would in most circumstances be unprivileged code execution.

Anyway, the point I'm making is that there's nothing inherently unsafe about port forwarding.
 
Thank you for all of your replies!

I'm trying to decide what device to buy next so this is a really important problem for me.
 