“Could you disable your Mac's password?” asked at an Apple store (2018) (spencerdailey.com)
25 points by spenvo on June 7, 2021 | 25 comments



I had the same experience at the Apple Store a few years ago, where they asked me for my password. They insisted they needed it to run "hardware checks." I think I ended up just wiping it before giving it to them.

I wasn't happy about it, so I complained to corporate. I got a voicemail a few days later from a very apologetic store manager, saying that they would review the policy (who knows if they did). Furthermore, they found issues with my logic board, and replaced it (out of warranty) for free. So that was nice. Still wouldn't ever turn in a computer for service without wiping it however.


I too was asked to provide my user (admin) password when getting my MacBook's screen replaced at an Apple Store. I had the same concerns as OP, but I asked if I could set up a new, separate user account with standard permissions (just for them) so that they could verify their work that way.

That was a fine compromise for them, but it did make me wonder how many other, less-savvy customers were providing their main admin passwords in this manner...


My first Apple Store repair experience over a decade ago, _they_ asked me to create a separate admin user account for their usage, never crossed their mind to ask me for my password.

Times change or attitude varies by location or person?


> asked to provide my user (admin) password when getting my MacBook's screen replaced at an Apple Store

Happened to me too, in Germany (in ~2018) at an official Apple Store! Very annoying experience…


Same. Also: strongly advise wiping the box before letting it out of your sight for an extended period.


If you ever need to swap out an SSD at the Apple Store, they won't give you back the old drive and promise you that they'll dispose of it.

I feel like this is a huge security risk if you're doing any kind of IP development.


FileVault is enabled by default. Have you been disabling it?


Why?

Hard drives are encrypted by default on macOS


Last time I turned in my MacBook Pro for repair (battery replacement), I pulled the SSD out ahead of time. They were pretty upset with me for this, but were able to complete the repair just fine.

With the more recent models, the SSD is soldered on and this would have been impossible.


I wonder why they don't have USB sticks ready to boot from...


Lenovo does this too. I just wiped my computer and made installing/testing the OS their responsibility.


Considering the recent payout from Apple over leaked images from a college woman that was asked to hand over the password for the phone she had serviced, it's a pretty atrocious ask for a strictly hardware issue.


This also used to happen with iOS only a few years ago but they improved iOS since to allow all the calibration tools to run without your passcode.

Be good to know if they’ve since fixed Macs in the same way.


Apple can read all of your iMessages and texts out of your non-e2e iCloud Backups, and they can see all of your Photos in your iCloud Photos. iCloud syncs all of your contacts to them, too. iCloud Backup is on by default so it’s safe to say that Apple can read everyone’s iMessages (even despite their claims of e2e encryption, which are now bogus due to the backup backdoor).

Every time you open the App Store, it sends your permanent, unchangeable device serial number to Apple along with your Apple ID, which is tied to your name and address and phone number and payment cards. (You can’t get an Apple ID without a phone number.) Many apps are App Store only, and on iOS it’s all apps.

Having location services on means your exact location is being sent in realtime over the network to Apple constantly (it’s not just passive GPS reception). Launching apps sends identifiers over the network to Apple in realtime (unencrypted, even, so even your ISP can see), so they know what apps you use, and where and when you use them. This all happens even with analytics disabled.

Even if you have iCloud off, using Siri sends your contacts and other data to Apple.

Books and Music track what you listen to, how often, and on which devices, under your Apple ID.

Even if you don’t use Apple for email, iCloud syncs your Mail app recent addresses autocomplete to Apple, who can then see who you correspond with.

All Macs and iPhones and iPads maintain a persistent 24/7 connection to Apple push servers with a client certificate linked to the hardware serial number of the device. If you aren’t using external VPN hardware at all times, this continuously leaks your city-level location and ISP to Apple on a per-serial basis (which is linked to your Apple ID and name due to App Store use above). They know when you leave home and switch to 4G. They know when you arrive at work. They know when you travel to another city, and which hotel you stay in. They get all of this data even with location services off due to the invisible phone-home built in to the OS, and this happens even if you don’t use iCloud or any App Store apps.

Apple’s “commitment to privacy” or whatever presupposes that you don’t need or want privacy from Apple themselves. It is thus entirely natural for Apple staff to continue in this vein, as most Apple customers have surrendered their most private and sensitive data to iCloud and other Apple services already.

(In 2019, they turned over more than 30,000 customer accounts of data to the US federal government under FISA orders (per Apple’s own transparency report on their website), which are not warrants and do not require probable cause. Even if you trust Apple staff completely, there are reasons not to trust the federal investigators to whom they are compelled to leak your data without suspicion of a crime.)


> Apple can read all of your iMessages and texts out of your non-e2e iCloud Backups

You are conflating iMessage in iCloud with iCloud Backup. If you have iMessage enabled in iCloud, your message history is no longer under your sole control.

If you have iMessage in iCloud disabled, and iCloud Backup disabled, nobody has your messages except you and the recipient. (If they have it enabled then your messages with them will be stored that way.)

I personally use iMazing for automated local backups to my own equipment, and have iCloud Backup disabled.


> You are conflating iMessage in iCloud with iCloud Backup.

I'm not. MIC on, being the default, puts the MIC secret key used for sync into the iCloud Backup. This means after the first nightly backup, Apple can read your iMessages in realtime as they are synced via MIC.

> If you have iMessage in iCloud disabled, and iCloud Backup disabled, nobody has your messages except you and the recipient.

Yes, and these settings default to on, and resultantly virtually every iMessage recipient has both of these settings turned on, which means that Apple receives your iMessages from the other end of the conversation, even if you have them off.

Again, we are back to the original claim: Apple can read all of your iMessages in real-time.

I also have iCloud disabled and do local backups. I also have FaceTime and iMessage disabled for this reason. I also have an external VPN router that is used for all Apple device traffic that blocks push service connections and other telemetry collectors (xp.apple.com, pancake.apple.com, etc.).


You are spouting bullshit which is directly contradicted by their technical security architecture documentation; I suggest you stop with the FUD.


https://support.apple.com/en-us/HT202303

> Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn't stored by Apple.


This directly contradicts what you previously said, which is the point I was trying to make; thank you for also having made it for me:

> When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn't stored by Apple.


Nobody you're iMessaging with has iCloud Backup turned off. Apple is still getting ~100% of the iMessages you send and receive.


You are misunderstanding (or deliberately misrepresenting) the architecture; please read the last half of page 109 and the first half of page 110 of their guide [0].

[0]: https://manuals.info.apple.com/MANUALS/1000/MA1902/en_GB/app...


Do you have pcaps to demonstrate Apple leaking your identifiers in clear text? That’s very surprising to me.


The requested pcaps are linked from here:

https://sneak.berlin/20210202/macos-11.2-network-privacy/


Thank you!




