
Apple hires one of the developers behind Signal - scottyates11
http://techcrunch.com/2016/02/25/apple-hires-developer-behind-signal-edward-snowdens-favorite-secure-chat-app/#labnol
======
MichaelBurge
This article seems more than a little silly. They blew up a single tweet into
an article about Apple's corporate strategy in relation to the FBI.

What next? Are they going to dig through Apple employees' trash, looking for
variations in the number of credit card offers?

"Apple Employees Load up on Credit"

"Investigators have uncovered a 10% uptick in the number of accepted credit
card offers from key Apple employees. Speculation about Apple's poor recent
performance seems validated by their own employees obtaining as much cheap
credit as they can get before the inevitable catastrophe approaches. Leading
VCs interviewed had this to say: 'We always recommend to our partners that
they obtain credit during times of prosperity, so that they don't need to
unnecessarily dilute their shares by raising money in a downturn. If you're
profitable but don't need the money, it's a great time to at least seek a line
of credit from your bank.'

Apple representatives declined to comment on this article, possibly wishing to
delay the bad news until the next shareholder meeting.

Next up: Microsoft reallocates its purchases of employee free soda to 20% Coke
/ 80% Pepsi. But what are the impacts on its cloud computing business?"

~~~
stygiansonic
I know you joke about looking at credit card info, but it reminded me of this
story[1] where fraud researchers at a credit card company (ab)used their
access to credit card transactions of their customers in order to mine the
data and perform fundamental research about various companies' retail
performance.

They then used this information to trade on the companies just before earning
release, and made a lot of money. They were eventually caught by the SEC
because their trading was deemed suspicious, i.e. their options bets always
seemed to work out.

1\. [http://www.bloombergview.com/articles/2015-01-23/capital-one...](http://www.bloombergview.com/articles/2015-01-23/capital-one-fraud-researchers-may-also-have-done-some-fraud)

~~~
pmarreck
So basically, they did their homework and got penalized for it?

~~~
ikeboy
>Here, Bonan Huang and Nan Huang allegedly got the information from their
employer, Capital One, which was supposed to have exclusive use of the -- hey,
wait a minute, does that mean that Capital One was allowed to trade on this
data for its own profit? Wouldn't that be amazing? Surely the answer is no: I
assume that Capital One signed agreements with retailers (or rather, with Visa
and MasterCard, which signed agreements with retailers) in which it promised
not to disclose transaction data, or use it for nefarious purposes. Really
anyone who used this data would be misappropriating it from, ultimately,
Chipotle. Which gets to keep its sales data to itself. Except once a quarter
when it releases that data and the stock jumps.

~~~
pmarreck
If I set up cameras with visual recognition software in front of a
statistically significant number of Chipotle branches to count the number of
customers and base pre-earnings security purchase decisions on that, have I
committed fraud? What they did seems equivalent to that, in a way.

I mean, that's basically a company idea right there, if someone hasn't already
done that

~~~
michaelbuckbee
For a long time satellite imaging of things like WalMart parking lots (used as
a proxy for sales) has been a thing analysts and traders look at.

~~~
uxp
It's still a different scenario. Cops, up until a few years ago, used to think
they could stick GPS devices on people's cars without a warrant because they
were legally allowed to tail and observe people driving in vehicles without a
warrant. The GPS device, like a lot of technology, allowed them to "observe
and tail" hundreds of vehicles all at once.

The SCOTUS stepped in and said that the practice was illegal without a warrant
because, despite a vehicle moving around a city in plain and public view,
being allowed to monitor hundreds or even thousands of vehicles from a central
location with only a handful of officers was outside of the scope that allowed
them to hop into a vehicle and follow someone else, which would require
hundreds of officers and hundreds of vehicles observing with their own eyes.

It's the same idea. Getting access to data that is not public (in reference to
the credit card transaction data, not satellite imagery), in order to profit
from a publicly traded stock, does not create a level playing field. Semi-
realtime satellite imagery, on the other hand, may not be completely public,
but it's publicly available data (with a fee, possibly, from the operators of
the satellites, which is a device or technology that wasn't built to
specifically observe Walmart parking lot capacity). I would argue that it's
still a grey area, as you can only interpolate sales based on a tangential
dataset like parking lot capacity. But getting access to actual transaction
history from the stores is a direct correlation to their sales and revenue
model, which drives their eventual stock price.

I don't see how anyone could argue that they were "just doing their homework".
They were subverting a system for financial gain. They weren't taking data
that anyone could obtain and doing a novel approach to interpret tangential
sales figures.

------
AdmiralAsshat
Oh, they hired _a_ developer behind Signal. No offense to Mr. Jacobs, I'm sure
he is an excellent developer. But I saw the headline and assumed they had
grabbed Moxie.

~~~
jpstory
Everyone who has ever known, or known of Moxie, thought the same :D I think
we'd all love to see him be CCO (Chief Cryptography Officer) or something
similar for Apple. Not to diminish his work at Whisper Systems, but talent
like his should be reaching the 100s of millions of customers that Apple has
reach to. Moxie, I know you hop on Hacker News every so often - if you read
this - would you go work for Apple? Or are they too closed source for your
tastes?

~~~
justin66
_I think we'd all love to see him be CCO (Chief Cryptography Officer) or
something similar for Apple._

I assumed that were referring to Moxie and my initial thought was that it
would represent a sad loss of autonomy for him.

~~~
ProAm
I don't see Moxie ever joining a company like Apple.

------
izacus
Hmm, so Apple just hired away the dev of pretty much the only secure, open and
cross-platform iMessage alternative?

~~~
uxp
Frederic Jacobs has been planning on moving away from Open Whisper Systems for
a while. They didn't hire him away, he took another job.

------
HappyTypist
I think this move shows that Apple is serious about security. They previously
assessed the risk of a government ordered backdoor low and the potential for
bugs in the Secure Enclave higher, and hence made the trade-off to allow
signed updates.

------
duskwuff
The CoreOS ([https://coreos.com/](https://coreos.com/)) security team, or just
the core OS security team? If the former, I'm curious what Apple's involvement
with that project is.

~~~
dotch
Presumably the Core OS layer
([https://developer.apple.com/library/ios/documentation/Miscel...](https://developer.apple.com/library/ios/documentation/Miscellaneous/Conceptual/iPhoneOSTechOverview/CoreOSLayer/CoreOSLayer.html)).

------
jayarcanum
Does anybody see through these PR plays? They've unlocked many phones in the
past for the government, they're protecting their technology and using the
moral issue to look good at a time when they're still majorly losing their
way. To me this looks like governmental appeasement. Shutting down Snowden and
others' methods of private communications is a fantastic gift to the
government who doesn't want more of that type of scrutiny and people talking
about the NSA badly, there's already enough thinking they're a major problem.
What a perfect guise to get it done under another company's name that also
happens to be having a great PR week on the back of data they gave up or are
going to give up anyway, they always knew that. I wish more people would think
for themselves or at least consider why the script might not be reality. They
hired him! What happened is a formerly non corporate secure, private form of
communication is now... who knows what. Maybe the government just figured out
how to deal with the next Lavabit and not deal with more backlash. Nobody
trusts them right now, everybody seems to love this Apple letter PR play.

~~~
the_ancient
>They've unlocked many phones in the past for the government

I do not really see why this is always brought up. Of course they unlocked
phones in the past, they had a master password, they could not legally refuse
to do it. There was no legal way for them to resist such actions by the
government

Do you understand the difference between the security model today, and
previous versions of the iPhone?

Further I do believe there is a Fundamental Difference between Apple run by
Steve Jobs, and Apple run by Tim Cook in how they view government. This is why
you're seeing Apple shift its technology to resist government agents as well as
more "traditional" threats

//For the Record, I hate Apple's business model, and their Walled Garden
Ecosystem. I will never own an iPhone because of that, however this ongoing
theme of "well they unlocked it in the past" is just technological ignorance
that needs to be put down.

~~~
givinguflac
What do you mean by hating their business model? Genuinely curious. I don't
like Google collecting and selling my personal data so I don't use their
products. What is your reasoning for "hating" Apple's model? Seems pretty
identical to other companies except they don't collect and sell user data.

~~~
the_ancient
>What do you mean by hating their business model? Genuinely curious.

They do not support open protocols, they do not support interoperability, they
want too much control over the device I supposedly bought from them..

I have to use their App Store, their Operating System, their Backup (iCloud),
their Desktop App (iTunes) etc etc etc

There is no F-Droid, for iOS for example.

I hate walled gardens.

>Seems pretty identical to other companies except they don't collect

They may not sell it, but they are certainly collecting data about you...

------
abalone
Conjecture: Isn't Apple's private signing key already a "master key to turn
100 million locks"?

I.e. the key they use to sign software updates. With that key, someone could
create malware and sign it... Apple creating the malware just saves them a
step. Ergo the "target on that piece" is already pretty high value, yet Apple
is able to keep it secret / prepared for contingencies (like rotating the
key..)

Thoughts?

~~~
runholm
Well, this is true for any form of authentication. If you have information you
need to update, you need to have a form of authentication, and authentication
data can get lost. You just need to have good routines limiting the access to
this data.

This is a problem for signing software, but also things like updating their
webpage and content on the App Store. All these systems need to have
authentication data exist, and if lost to people with malicious intent it
could be lost.

~~~
abalone
So what does this say about Apple's claim that a "master key" is too dangerous
to create? Don't they already have that.. something that hackers could use to
unlock iPhones? Doesn't that danger already exist? (Again this is meant as
thought-provoking conjecture.)

------
aluhut
I don't care about Apple but I hope this won't end badly for Signal.

------
thecryof
This news is another +1 for Apple in my view.

------
Aissen
Congrats on the new gig. I wonder if this is a sign of bad financial health of
Open Whisper Systems?

~~~
uxp
Frederic Jacobs announced he was looking elsewhere some time ago. I don't have
any insight into Open Whisper System's internals, but considering they've
still been committing code and they're still posting new job openings, I doubt
this has anything to do with Open Whisper Systems and more to do with Jacobs
wanting a change of scenery.

------
studentrob
Good for Apple. Maybe he can help critique Apple's security methodology. It
will be interesting to hear what he works on and how he finds Apple's security
systems.

------
ianamartin
I can understand how people want to put puzzle pieces together, but this is
completely idiotic.

Whatever remaining security holes there are with secure enclave, they have
nothing to do with a software chat app.

This is entirely coincidental and has nothing to do with anything.

TechCrunch should be ashamed of itself (again) for being such a douchebag.

Edit: I'm not saying Apple hiring the guy is stupid. I'm responding to the
hattery from the article itself.

As a hire, it makes sense. But trying to decide that it means "Apple is now
serious about security" is just a bunch of horseshit on both ends.

~~~
studentrob
It's not idiotic, it's interesting news given the climate. They didn't say
what his role or project will be. What's wrong with reporting on Apple hiring
a developer of one of the most popular secure messaging tools?

~~~
ianamartin
Are you blind to the difference between reporting an event and interpreting
the event badly?

~~~
studentrob
Please quote the article where you feel it interpreted events poorly. And be
civil.

~~~
teamhappy
How about the first paragraph?

    
    
> Apple hires plenty of interns all year round, but one particular addition
> revealed this week caught the eye given the company’s current position
> opposing a controversial order to enable the FBI to access the iPhone used
> by one of the San Bernardino shooters.
    

// Of course it's worth writing about, but it certainly would have been higher
quality reporting if they didn't immediately link it to the FBI story.

~~~
studentrob
That is hardly a misinterpretation of events. They're just saying,

_"hey, there's this software developer who's done some work in the field of
security on an app which is famous, and he's going to work at Apple during a
time when some issues with Apple's security are in the news. And we noticed
and we want to share that with you"_

It's interesting. Tech Crunch can write about whatever they want. If you don't
like the article, downvote it and move on. Perhaps Ian is just jealous nobody
is writing an article about _him_, because he is clearly smarter than this
developer.

~~~
yarou
TechCrunch can certainly write whatever they want, but it becomes problematic
when they think a single tweet is newsworthy.

When news outlets start writing puff pieces about memes[0], you know that
we've all collectively hit rock bottom.

[0] [http://qz.com/622001/damn-daniel-the-new-viral-meme-is-gener...](http://qz.com/622001/damn-daniel-the-new-viral-meme-is-generating-crazy-bids-for-these-shoes-on-ebay/)

------
a_lifters_life
Why is this about Edward Snowden?

------
Vivtek
I'm starting to think Apple has found its first viable post-Jobs narrative.

~~~
gear54rus
This is all a waste and show off as far as I'm concerned until they go open on
everything.

With this move, they will also waste very valuable developer's (crypto
experience ain't cheap) skills.

~~~
etiam
I'm inclined to agree in that they can't really be trusted if they can't be
thoroughly audited and all the lockdown is an obstruction to that.

On the other hand I think they could really be doing good things behind the
veils, and that could benefit very large numbers of people who don't have the
knowledge or inclination to defend their own communications, (and anyone who
has the knowledge and inclination but also the misfortune of needing to
communicate with those who don't).

I don't know anything about Jacobs beyond what we've just seen here, but I
would guess someone who has worked on that level with Open Whisper Systems
wouldn't be prone to accepting poor security design, nor to accepting
unethical practices in handling user information. I'd be much happier with an
open Apple Inc. too, but as long as it keeps standing for a closed and locked
environment, Jacobs seems like just the kind of person I would want working
there.

~~~
stephenr
I'm a big fan of using open source software to build a business on -
particularly BSD/MIT/Apache (aka "permissive") licenses - but the idea that
"Open Source === Audited" is laughable.

How many _huge_ bugs have been discovered in very widely used open source
libraries/applications and identified as having affected the software for many
_years_?

Would you be satisfied if Apple provided the option for NDA-sealed access to
the source, allowing people/researchers to view (but not redistribute) their
stack?

Edit: fixed brain shart (extra word)

~~~
threeseed
Heartbleed is a classic example.

OpenSSL was vulnerable since end of 2011. Fixed mid 2014.

And it's one of the most popular and commonly used open source technologies.

------
Sir_Cmpwn
>Apple Hires Developer Behind Signal, Edward Snowden’s Favorite Secure Chat
App

A "secure" chat app that depends on Google Play Services (spyware) and is only
available through the Play Store (rather than F-Droid, an open source software
repository for Android) and maintained by an author who refuses to integrate
fixes to either of these problems upstream.

For those wondering if Google Play Services really is spyware: one of the
purposes is to backdoor your phone for Google so they can _silently_ update
any of their apps on your phone. It has access to _every_ Android permission
and can (and does) grant any permission to any app silently. It also monitors
your location and reports it to Google, along with brief voice snippets for
"OK Google", as well as a list of all apps installed on your phone, and more.
It's definitely an awful thing to have on your phone if you're privacy
conscious.

~~~
r0muald
You're welcome to inform yourself on the subject before posting crude FUD:
[https://github.com/WhisperSystems/Signal-iOS/blob/master/BUI...](https://github.com/WhisperSystems/Signal-iOS/blob/master/BUILDING.md)

~~~
Sir_Cmpwn
I encourage you to do the same:

[https://github.com/WhisperSystems/Signal-Android/issues/127](https://github.com/WhisperSystems/Signal-Android/issues/127)

Security should be available to all, not just those with the environment and
know-how to compile apps from source. Doubly so on iOS where you have to pay x
dollars for a developer license.

