Apple's security strategy: make it invisible - Garbage
http://www.macworld.com/article/2041724/apples-security-strategy-make-it-invisible.html

======
doe88
Given the number of times every day I'm asked to fill in my iTunes account's
password on iOS, I wouldn't call it _invisible_.

~~~
k-mcgrady
AFAIK they actually made this worse due to the in-app purchase complaints
(from parents who recklessly allowed their children access to their credit
card). It used to appear for the first purchase and then not for the next 5
minutes (something like that anyway) but now it appears every time you try to
purchase anything.

~~~
panacea
Complaints? They lost a lawsuit and had to pay out because of in-app
purchases.

Incidentally, in-app purchases have practically spoiled their nascent status
as _the_ handheld gaming platform. In-app purchases make sense for certain
things, but they've ruined the app store for gaming.

~~~
k-mcgrady
I will never understand how they lost that lawsuit. If a parent gives a child
access to their credit card they deserve what happens.

I totally agree with your second point, IAP has spoiled gaming on iOS and
that's the fault of the game devs for taking advantage of it. However if it
didn't work they wouldn't do it and obviously plenty of people spend money via
IAP. It's also their only choice. People are willing to spend more small
amounts of money over time than paying a fair price up front for the game.

------
esolyt
I have to say that I dislike the fanboyish tone of the article.

"The theft of iDevices is rampant throughout the world. While we might blame
Apple for producing such desirable products, the company clearly doesn’t want
people to have to hide their devices in fake Blackberry cases to use them in
public without fear."

Thieves aren't stealing iProducts because they are desirable, they are
stealing them because they are expensive. What the hell is a fake Blackberry
case and why do I need it to be able to use my iPhone safely? What's the point
of insulting Blackberry in an article about security? It's hard for me to take
this article or author seriously.

~~~
myko
On a site like macworld.com that tone is to be expected.

------
windexh8er
"Then I realized that Apple was tackling a real-world security issue by trying
to make that issue simply go away for the average user." -- While there are a
few features that are generally good for users (activation lock seemingly the
best one), iCloud keychain is a ridiculously bad idea. Since there is
no concept of segregation of the ownership of the data and everything is very
easily tied back to the owner the implications of using this aren't worth it
IMHO. Do you _really_ want Apple in control of your hardware, software and now
access to your online identity (by access I don't mean that they can directly
read your account information, but I'm not saying that is out of the question
based on what we know about how our government operates within partners such
as Apple)?

Apple's (and Google's) limitless boundaries should be taking a majority by
concern. Third party security tools are not a bad thing. Users should be
interested in understanding and learning at a level that is parallel with the
risks they are taking online. This is the part that is breaking down and Apple
is "solving" this for those users by further locking them out of third party
software through feature bloat. I'm surprised at the complacency with which Rich
avoids this topic; it truly feels like a paid-for point of view post.

I own Apple hardware but I find myself using it less and less in my support of
transparent 3rd party tools that help, not hinder, me to control _my data_.
I'm glad the open laptop post sits above this one. To me that's an
indicator the masses here are on the same page.

~~~
_djo_
Those of us with the technical understanding to be concerned about security
should already be using third-party tools like 1Password, LastPass, etc. I
doubt there'll be a massive outflux of those who use those tools to iCloud
keychain.

What iCloud keychain does bring is much better security for the other 99%,
encouraging them not to re-use the same password across all their sites and to
choose good passwords by default. When I see how difficult it has been to get
other members of my family to adopt 3rd party password management systems I
can only see that as a good thing.

~~~
windexh8er
I would concede that you're right, however Apple doesn't provide a construct
for the 99% to "do it right". Yes, there will always be those that blindly
trust, however when you start talking about a master umbrella for an
individual's complete, and utter, online presence including physical ties to
money, property and other assets it shouldn't be taken lightly. If Apple had
provided a "just works" method of showcasing how they cannot _ever_, without
a doubt, decrypt the data while it sits on their servers, or offer up a way
for the end user to easily leverage another service (for separation of duties)
they wouldn't receive the flak they do from those who inherently know the
risks.

I have had no problems getting family members to adopt 3rd party password
tools. An hour showing them along with explaining the rationale and the light
bulb switches on. A simple document showcasing how to generate new passwords
and add new sites or services goes a long way for the few times they do that
particular task.

The root problem is that the 99% seems to be ignorant, not because they want
to be, but because someone hasn't talked them through it. I find that pointing
family to pages or videos is far less effective than me, personally,
explaining things. Not sure why - but it's far more effective (maybe because
they know I've actually taken time to show them vs just point them).

I still view iCloud as a bad idea and wouldn't recommend it to anyone I know.

------
kimlelly
Then again, there's the elephant in the room:

Apple is one of the companies that work directly with the NSA.

Should we accept "security solutions" from such a company?

~~~
raganesh
Just curious. Which company would be apt to provide "security solutions",
then?

~~~
kimlelly
None. That's the point.

The only thing we can do to improve our situation is to migrate towards open-
source operating systems (and software and encryption solutions).

~~~
pi18n
This is literally true and goes beyond security. I hope everyone who
complained about Google Reader takes note of this; once you have the freedom
to modify and rebuild you are trivially able to continue using your software
long after the creators have shut it down.

~~~
kimlelly
I'd even go further:

Closed-source operating systems/software solutions are dying a slow (too slow)
death.

~~~
pjmlp
Let's see who is going to pay those developers when they cannot sell their
skills any longer.

Not all types of software are amenable to consulting/trainings as means of
getting money out of it.

~~~
kimlelly
Keep this in mind:

Open-source also means: The entire planet's population is the pool (of
developers). And this in turn means:

As soon as there is a real need for something, and somebody in this world is
willing to work on it (for whatever motivation), this piece of software
instantly becomes available to the _entire_ planet, without barrier (no price
to pay, no payment method hurdles).

This is an _extremely_ powerful property which eventually will dominate the
nature of solutions we use.

~~~
pjmlp
This is all very nice to state as a goal, but it does not help if you need money
as a software developer.

I do a lot of open source in my free time, but that is because I get paid by
one of those commercial bad-guy companies to work on closed software, which
allows me to contribute back for free.

How far do you think most open source projects would be without sponsoring
from commercial companies that allow some developers to work on open source
projects?

This is one of the reasons why most successful open source software is
developer tooling, or nowadays hidden behind SaaS walls.

It is all nice and dandy to talk about open source ideals, but when you need
to earn at least 1 000€ per month, those ideals start to fade away. Speaking
from experience.

~~~
kimlelly
I'm not saying closed-source is "bad guys" or anything like that. I'm just
saying what I'm observing: open-source is picking up steam and maturing across
the board. It's not slowing down at all. It's true that it will kill some
developer jobs. But that can't be an argument for not supporting open-source
(tech is always about getting more efficient, resource-wise, and therefore a
job killer by definition).

~~~
embolism
Software in general is 'picking up steam and maturing across the board'. We
now have almost 2 billion consumers carrying a unix box in their pockets, not
running open source.

If anything, the relevance of open source is dwindling by comparison.

------
codyb
I would guess a lot of their security stems from their closed app store.
Apparently the process is a total hassle, takes weeks, and each and every revision
is akin to releasing a brand new app. Perhaps they have application security
testers breaking that code and ensuring it cannot be broken into? Beyond
their pruning of content they deem... not worthy of the Apple brand?

I do not have an iPhone (or even a smart phone) so I am not exactly sure how
downloads work. Can you download files to an iPhone from Safari or any other
browser? If you can't then that certainly helps rule out a lot of malicious
software possibilities.

~~~
threeseed
You're definitely wrong there. The process is not a hassle, it rarely takes
weeks and yes every update has to go through the same approval process again
(as you would expect). And yes you can download some files to your phone but
they only exist within the app's sandbox.

The reason iOS security is so strong is because (a) there is no side loading,
(b) system updates are regular, simple and apply to almost every phone and (c)
apps are heavily sandboxed. It's not magic. Apple simply chose security over
openness and flexibility. Android vice versa.

~~~
codyb
Apparently at one point it took longer and now it is shorter. That's good.

That was kind of my point that I was trying to make though. I definitely could
have said it better but what I was going for was "It is a closed system."

Android development seemed relatively sandboxed to me though from the
distributed systems course I did work for in. But I can see what you mean when
you say heavily as things on Safari don't open up the Wikipedia app like on
Android (if you choose to have it that way.)

iPhones are literally only iPhones too, which I imagine helps. The system
updates are tailored to a specific piece of hardware. Impossible to accomplish
on an Android update.