Apple will notify users about state-sponsored cybersecurity threats (support.apple.com)
525 points by evercast 2 days ago | hide | past | favorite | 148 comments

I know of one case of a Polish prosecutor who does not obey (does not want to bend the law for) Zbigniew Ziobro, who is both the minister of justice and the prosecutor general. She received a notification from Apple just today.

Source: https://mobile.twitter.com/e_wrzosek/status/1463551631648251...

I think you need to add a translation of the tweet. Because it sounds as if he didn't obey Apple's warning. Yet I think he approves of Apple's notification. It is the government who he wasn't obeying? So the government installed the spyware?

Translates to: "I just received an alert @AppleSupport about a possible cyberattack on my phone from state services. With the indication that I may be targeted for what I am doing or who I am. I will take the warning seriously because it was preceded by other incidents @ZiobroPL is this a coincidence?"

It is like a Polish Watergate: the prosecutor has been criticizing minister Ziobro and already lost her job (not only her; this problem is now on the EU table and European trials say the Polish gov is breaking the law doing this) and now she learned minister Ziobro was spying on her (and probably is still doing this).

The problem is that Ziobro was already doing this (illegally wiretapping the opposition) together with Kamiński and Kaczyński when they were in power in the 00s. They lost power, almost went to jail but avoided it thanks to the political calculation of the next party (that used them as a "look, at least we aren't like them" threat), then they got elected again anyway in 2015.

They have majority support right now because of social spending and their supporters don't care about rule of law, corruption, any of that. There were already dozens of similar-scale scandals since 2015. Nobody cares. It's frustrating, really.

Wow. Just need to have something against state level power … just can’t fight them on an individual basis on one’s own alone.

Is it concerning to any security people with more knowledge than me that this is sent via iMessage?!

It's also sent by e-mail and on the Apple ID website (appleid.apple.com) - even if you have iMessage disabled you should still be notified.

The transport is secure, but if an attacker has already found their way into the device, they can intercept notifications/iMessages and remove them automatically anyway, so yes, it's a bit of a concern. But at that point, anything will be concerning, not only iMessage.

Send all the notifications at once without warning, and the real recipient will probably see it before the attacker programs his malware to hide this specific notification.

Obviously, that only really works once.

iMessage is extremely secure and utilizes end-to-end encryption, why is this concerning to you?

iMessage has no concept of a "verified user account" (iMessage for Business is separate), so there's zero indication this message is genuinely from Apple, except an email address that can possibly be faked. It's strange Apple hasn't built-in visible confirmation that this specific Threat Notifications sender is legitimate.

> iMessage has no concept of a "verified user account" (iMessage for Business is separate), so there's zero indication this message is genuinely from Apple

According to this screenshot, it appears they do: https://twitter.com/norbertmao/status/1463364241688305664

Looking at that screenshot, now I'm interested in how you can sign iMessages with certificates. Even being able to have a certificate and look at the fingerprint is much better than the current state of affairs where you just have to trust Apple didn't swap out the keys.

Aren't iMessages backed up to iCloud, which does not have end-to-end encryption?

Not anymore[*].

[*] If you enable "Messages" sync in iCloud, encrypted message history is synced across your iCloud devices in an E2E manner.

An important caveat. If the messages are backed up to iCloud then they are not encrypted. Apple may encrypt iCloud backups, but they hold the key and can turn the data over to law enforcement.

Syncing messages across your devices is very much different than backing up your iPhone to iCloud.

The above should be pretty well known by now, but unfortunately isn’t the case.

If someone wants to dispute my comment, please cite supporting evidence.

You are correct. I was confused because since “Messages for iCloud” was introduced, the backup itself won’t include plaintext message data if that feature is enabled (unlike before). However, this is where I stand corrected: it seems they store a copy of the Messages for iCloud encryption key in your iCloud Backup, if you have enabled iCloud Backup, which effectively defeats that encryption. The solution seems to be to keep message sync on and backups off.

“For Messages in iCloud, if you have iCloud Backup turned on, your backup includes a copy of the key protecting your messages. This ensures you can recover your messages if you lose access to your Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn't stored by Apple.”[1]

[1]: https://support.apple.com/en-us/HT202303

iMessage does not have a mechanism to verify that the devices associated with the destination account are actually theirs. It is feasible to assume an attacker/Apple/NSA could register an additional device key associated with your iMessage ID and snoop all future messages sent to that user from that moment on, even if they are not able to decrypt past messages. (This is true even if you assume the iMessage client binary does what Apple says it does and is not tampered with/backdoored.)
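Two comments above raise the same design point: one asks what it would buy a user to see a device certificate fingerprint, and this one notes that a key directory can silently add a device to an account. The toy model below, written for this thread and not taken from Apple or the commenters, shows both sides of that: a sender that trusts the directory encrypts every new message to whatever devices it lists (the added device reads new messages but nothing sent before it existed), while a sender that pins the fingerprints it saw on first contact raises an alert when the device set changes. Everything here is constructed: the directory, the device names, and a symmetric per-device key standing in for a real public key (with an HMAC-based toy stream cipher), so the protocol is a simplification of iMessage, not its actual wire format.

```python
"""Toy multi-device messenger with a server-side key directory (constructed example).

Simplification: each device holds a symmetric key that stands in for its
public key, and the sender encrypts one copy of every message per device
listed for the recipient account. Real messengers use public-key crypto;
the trust problem shown here is the same either way.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_for_device(device_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(device_key, nonce, len(plaintext))))
    return nonce + ct


def decrypt_on_device(device_key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(device_key, nonce, len(ct))))


@dataclass
class Device:
    name: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def fingerprint(self) -> str:
        # What a user could compare out of band if the client exposed it.
        return hashlib.sha256(self.key).hexdigest()[:16]


class KeyDirectory:
    """Server-side registry of which device keys belong to which account."""

    def __init__(self):
        self._devices = {}  # account -> list[Device]

    def register(self, account: str, device: Device) -> None:
        self._devices.setdefault(account, []).append(device)

    def lookup(self, account: str) -> list:
        return list(self._devices.get(account, []))


class NaiveSender:
    """Encrypts to whatever the directory returns; no device verification."""

    def __init__(self, directory: KeyDirectory):
        self.directory = directory

    def send(self, account: str, plaintext: bytes) -> dict:
        return {d.name: encrypt_for_device(d.key, plaintext) for d in self.directory.lookup(account)}


class PinnedDeviceAlert(Exception):
    pass


class PinningSender(NaiveSender):
    """Trust-on-first-use: remembers the recipient's fingerprints and alerts on change."""

    def __init__(self, directory: KeyDirectory):
        super().__init__(directory)
        self.pins = {}  # account -> set of fingerprints seen on first contact

    def send(self, account: str, plaintext: bytes) -> dict:
        devices = self.directory.lookup(account)
        seen = {d.fingerprint() for d in devices}
        if account not in self.pins:
            self.pins[account] = seen
        elif seen != self.pins[account]:
            raise PinnedDeviceAlert(f"device set for {account} changed: {sorted(seen - self.pins[account])}")
        return {d.name: encrypt_for_device(d.key, plaintext) for d in devices}


def demo() -> dict:
    directory = KeyDirectory()
    directory.register("bob", Device("bob-phone"))
    naive, pinned = NaiveSender(directory), PinningSender(directory)
    first = naive.send("bob", b"first message")
    pinned.send("bob", b"first message")

    # A party controlling the directory adds a device Bob never enrolled.
    rogue = Device("rogue-laptop")
    directory.register("bob", rogue)

    second = naive.send("bob", b"second message")
    try:
        pinned.send("bob", b"second message")
        alerted = False
    except PinnedDeviceAlert:
        alerted = True
    return {
        "rogue_reads_new": decrypt_on_device(rogue.key, second["rogue-laptop"]) == b"second message",
        "rogue_has_old": "rogue-laptop" in first,  # earlier messages were never encrypted to it
        "pinned_alerted": alerted,
    }
```

The pinning sender is the client-side half of what the fingerprint question is after: once a client shows device fingerprints and remembers them, a directory change becomes visible to the user instead of silent, which is the mitigation rather than a fix for the directory itself.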

Can we reasonably say any piece of software is extremely secure against state sponsored attacks?

Because the KSA hack was supposedly an iMessage zero door? And others allegedly don't even need to be clicked/opened.

Also imagine another bug that allows someone to spoof the 'from' or hell even send a message that looks similar, basic phishing.

Like: "This is Apple. Click this link to secure your account, you are being hacked" (literally). Seems like a bad precedent. But I guess there isn't a great way to securely communicate. Maybe just say "Google the official Apple 1-800 number and enter this secret number pad code."

And it has spam problems: https://www.wired.com/2014/08/apples-imessage-is-being-taken...

The problem is authenticity and authority, not encryption. How can the user know this message really came from Apple and not a spammer?

That article is seven years old and in no way reflects current reality. In fact it has never reflected my own experience or that of anyone I know, where iMessage spam has been near enough to non-existent.

And even if there were a spam problem, the risk is mostly on the upside anyway. It would only be an issue if iMessage got a reputation for flooding people with admonishments to take security seriously, purportedly from Apple.

Meanwhile Apple has added iMessage apps[1] that you can add to your iMessage, and there recently were a few iMessage exploits, including a zero-click one[2].

[1] https://support.apple.com/en-us/HT206906

[2] https://9to5mac.com/2021/07/19/zero-click-imessage-exploit/

I think you have replied to the wrong person, otherwise I fail to see how either of these citations are in any way relevant.

Yeah I did, sorry.

> That article is seven years old and in no way reflects current reality. In fact it has never reflected my own experience or that of anyone I know, where iMessage spam has been near enough to non-existent.

Your anecdotal lived experience is not representative of the entire population.

I personally have encountered at least a dozen spam iMessages (not SMS) in the past year, and several friends of mine have described the same experience. I googled iMessage spam and this was on the second page, just from last year: https://thisrupt.co/lifestyle/imessage-spam-not-thai-chana/ Feel free to research yourself to discover that it is in fact a widespread issue for many people, if not as widespread as it once was since the "Unknown sender" tab was introduced.

Regardless, SMS spam remains an issue, and on iOS, many users may not know the difference, as they're in the same app.

> And even if there were a spam problem, the risk is mostly on the upside anyway. It would only be an issue if iMessage got a reputation for flooding people with admonishments to take security seriously, purportedly from Apple.

You're missing the point. iMessage spam (though it does exist as I've shown above) is not the problem. The problem is iMessage doesn't have a good way to "verify" that messages that purport to be from Apple or anyone else truly are from a known and trusted sender. This deficiency is what enables iMessage spam, and creates the same potential for abuse with this new feature.

> Your anecdotal lived experience is not representative of the entire population.

Of course. That goes without saying. But neither you nor this person you cherry picked from a Google search is representative either. (And it's noteworthy that you had to drill down into Google search results in order to find a useful citation. That alone is evidence of iMessage spam not being a broadly pervasive issue.)

> You're missing the point. iMessage spam (though it does exist as I've shown above)

Huh? I never said it didn't exist.

> is not the problem.

Huh? I never said it was the problem.

> The problem is iMessage doesn't have a good way to "verify" that messages that purport to be from Apple or anyone else truly are from a known and trusted sender.

I completely agree. I never disputed that.

Yes, thank you. This was the concern I was trying (and seemingly failed) to express.

There was even an article on HN a couple days ago about a money transfer service phishing scam whose initial message looks very similar to this message from Apple.

I think a LOT of people will fall for phishing with cold messages that look like this

>How can the user know

Read the document of the original top post (the document from Apple).

The answer to your question is right there in the document.

That does nothing to verify authenticity within iMessage itself, creating the opportunity for abuse and impersonation I outlined in my other comment in this thread. A simple solution to this problem would be a "verified" indicator for users to know that the iMessage did in fact originate from Apple, without them having to first know that such a support document exists.

Some of these scam messages, being tailored to individuals and not necessarily sent in bulk, do in fact come from technically valid Apple IDs that have been created for the purpose by the scammer. So they would show your little verified indicator just fine, so it doesn’t help.

And they did post the solution in the document. It’s an out of band verification. Pretty tried and true solution.

The user goes to the Apple ID website to confirm. Then they know if the message was genuine.

OK, but what does that mean? They use that Israeli spying tool against her?

I see a lot of pessimism in the comments. But I think this is a great step in the right direction.

Other companies should take note. More of this, please!

Google has been doing this for some time at least.

I received an imminent advanced security threat notification back in January 2019, urging me to get one of those 2FA dongles (which I did). And just as well, because the next month my account was locked due to an attempted unauthorized access.

(whoever works on this at Google, thank you)

The Google warning page can be viewed by anyone, but they do specifically tell targeted individuals through other channels (a big red warning message at the top of Gmail, for example): https://myaccount.google.com/stateattackwarning

Apple is like the last company in that space to do this. Google has had these warnings since 2012. Facebook, Microsoft and Twitter since 2015.

(I agree that it's great that Apple is finally doing this. But it seems entirely par for the course for them to be a decade late and still get the credit.)

I have never seen any warnings from Google or Facebook if I automate against my own accounts and dump the data. Only on sign-in attempts. That kind of warning is very limited, and Apple also has it.

It seems like Apple now have introduced ‘honey pots’ and other techniques to discover if there already is someone with access to your account/device, and that is a big deal and good news. And something I have never seen from any of the other big companies.

The warning is for government-sponsored attacks, not any kind of automation.


Google's been doing this since at least 2012 http://arstechnica.com/information-technology/2012/06/google...

I might care if Apple had a history of protecting US citizens from their own government, or shielding Chinese users from their own tyrannical surveillance systems.

??? Are you referring to the storing of encryption keys for iCloud in country?

No, I'm referring to Apple's continued cooperation with surveillance agencies across the United States and all associated governments through the FIVE EYES program. The fact that your MacBook's security keys are trivial for the government to acquire is beside the point, but potentially germane if you, well, trusted your laptop in the first place.

Can you provide citation for this? Also how they are different from any other tech company?

My MacBook's security keys are not trivial to acquire because they aren't in iCloud.

In some of the Five Eyes nations, you don't have a choice about cooperating or not.

But what do 5 eyes have to do with Chinese users?

> Can you provide citation for this?

Apple's cooperation with PRISM[0] is well documented[1], but if you want to find the particularly damning details you'll need to do your own research. The dust has settled since the Snowden revelations, and many mentions of the program have been sterilized.

> Also how they are different from any other tech company?

It's not. But the claim that Apple puts extra effort into protecting you from your government is comical, especially if you live in a first-world country. It's also a false dichotomy, since there are definitely more secure devices you could be using. They're just not being manufactured by the largest, most valuable companies in the world.

> My MacBooks security keys are not trivial to acquire because they aren’t in icloud.

That is indeed what the US would like you to think. It's no coincidence that MacBooks force you to use NIST-designed crypto for all of their services though, and if you've got a healthy degree of skepticism towards the same institute that backdoored Dual_EC_DRBG, it's safe to assume the rest of these ciphers are also vulnerable to differential cryptanalysis. Or just take what the NSA says at face value, that certainly won't cause any problems in the future. /s

> But what do 5 eyes have to do with Chinese users?

Also nothing, they have their own bespoke surveillance program since China cannot cooperate with the US like Britain or Canada can. In lieu of being able to break their encryption, China demanded that all of Apple's domestic data get stored on domestic servers. While Google, Microsoft, Yahoo and every other big tech company shied away from that kind of compliance with a known abuser of human rights, Apple happily complied with the request.

[0] https://www.theguardian.com/world/2013/jun/06/us-tech-giants...

[1] https://web.archive.org/web/20130609061546/https://www.culto...

> Apple's cooperation with PRISM[0] is well documented[1]

Neither of your links documents any kind of cooperation, let alone documenting it well.

I'd like to discuss with you in good faith. But your points seem to be made in bad faith.

PRISM wasn't really a cooperative program, it was a hijacking of the internet backbone, wasn't it? Your citation doesn't confirm any kind of cooperation.

I didn't really make any claim about Apple doing extra, I was challenging the idea that they somehow do worse. They seem to play as fair as you can in the given political environments across the various nations they work in.

Not knowing what kind of keys or encryption I use on my device, I'm not sure you can make any reasonable comment on what I think, or what the US wants me to think. MacBooks don't force any particular type of crypto, you can kind of do whatever you like. Are you referring to something in particular?

Domestic data sovereignty is not unique to China. A number of countries ask for that. I agree it's not ideal, and mandated backdoors (which countries like Australia have) add to the problem here. Google doesn't service the Chinese market directly, Microsoft has in-country storage, as does Yahoo, so I'm not sure what your point is there. "Every other big tech company"? Tencent/Alibaba are obviously also in China. I'm not sure what the alternative to compliance with countries' laws is. Do you think it's better if companies do not obey local laws?

A lot of countries are "Known abusers of human rights"... if you made a prerequisite of not working with those countries, you'd be out of business pretty quick. Agree that's not ideal... but it is the reality.

> PRISM wasn't really a cooperative program,

Not the OP, but afaik directly saying you're co-operating with the NSA as a US business entity might be illegal, so Apple not saying it doesn't mean they didn't, quite the contrary (especially taking into consideration Snowden's revelations).

I shouldn't be arguing with the trolls - but in case anyone was curious about these (nonsense) allegations:

Your links do not document cooperation with PRISM other than that the NSA believed they got information from them, which is very different. For all we know, it could have been the NSA abusing an API endpoint. Also, it said that it got lots of stuff like email, address, and so on when all of these services were combined which made it PRISM.

For all we know, it could have been checking the emails from Apple (because of FaceTime), getting address from Facebook, using address to look up other info on LinkedIn, and so forth. If anything, PRISM shows NSA abuse of services more than intentional compliance.

> definitely more secure devices you could be using.

I hate that I have to say this, but Linux phones are not more secure. They do have a company they don't phone home to, but if a Linux phone was found on the side of the road, I have no doubt that the NSA would find a way in (unlike the iPhone, which, as recently as the Rittenhouse trial, the latest model has not been cracked and the government ultimately struck a deal with the defense for a PIN code).

Linux phones are only secure by obscurity in that less research has been done on them and they are less common - but if government agencies were (or are) putting some research cash into them, I would not be surprised if they burst open from a million attacks that iPhones and Androids have found and fixed over the last decade.

> It's no coincidence that MacBooks force you to use NIST-designed crypto

Stop being conspiratorial. Almost everyone, including many companies outside the US, uses Curve25519 or P-256, and a big reason why is that the algorithm is very fast to calculate while being reasonably secure, which is a plus for fast encryption. Also, nobody has seriously alleged that Curve25519 is backdoored, unlike Dual_EC_DRBG, which was suspect almost immediately. Also, NIST did not invent Dual_EC_DRBG. The NSA did and submitted it to NIST as a standard, which NIST reluctantly accepted.

> Shied away from that kind of compliance with a known abuser of human rights

Yes - but Microsoft, Google, etc still make their phones in the same factories, and the reason they didn't hand over the server keys was because they don't really offer any services in China. Google doesn't work in China, and Microsoft's involvement is minor and China doesn't care because Windows doesn't encrypt data unless you have the Pro version and it's switched on. Also, your bias is showing in your use of Apple "happily" complying. How do you know that?

I can go on.

We have known what PRISM is for almost a decade now (since we saw Snowden's slides for it), and it is neither what you nor smoldesu claim it to be. The FBI issues a court order to tap a particular account, and the company complies by forwarding that account's email and messages. Then PRISM ingests that data into NSA databases.

> Then PRISM ingests that data into NSA databases.

And if I'm not mistaken it's illegal for a US business entity to directly say that they are co-operating with the NSA or other such US institutions, so Apple actually sending messages to their users warning them about such co-operation might also be illegal (I also feel that the canary tests have failed their intended mission; nobody has time to decipher those messages in the minutest of details).

I'm surprised to see protection against state sponsored attacks implemented by a company as big as Apple. Is any other 'mainstream' company offering a similar feature?

Warrant canary [0] comes to mind, but that is usually a message to all users, as opposed to notifying an individual user.

[0]: https://en.wikipedia.org/wiki/Warrant_canary

> Is any other 'mainstream' company offering a similar feature?

You mean apart from basically every other mainstream tech company? [1] [2] [3]

[1] https://www.washingtonpost.com/business/economy/google-to-al...

[2] https://www.wired.com/2015/10/facebook-now-warns-users-of-st...

[3] https://threatpost.com/twitter-warns-some-users-of-nation-st...

Yeah, I loved having my work Gmail account peppered with a giant red banner warning "THIS ACCOUNT IS THE TARGET OF STATE SPONSORED HACKERS". That was fun. We didn't really know how to respond or attempt to mitigate such a warning, so we left it ignored.

Respond by using 2fa if you weren't already, not signing into the account from untrusted devices, checking OAuth grants for apps you don't recognize, not using same pw elsewhere

Yeah, we were doing that, so the response was to just shrug. Without a lot more context it's hard to know what your reaction should be to something like that.

I can only guess, but I suppose the context in which they would trigger something like this would be that some of their accounts get hijacked to send things to a bunch of email addresses, which later turn out to be links to zero-day exploits attributable to state-sponsored attackers, so they warn the recipients of those emails. But it's got to be a relatively scattershot warning: Google doesn't really know how vigilant you are. A friend of mine working for an NGO got the Gmail warning back in 2012 and upgraded a few overdue things.

A lack of context is kind of the problem here. What we need are specific method details, including origination addresses. There may be times when only most of that info is helpful, but withholding is always the opposite of helpful.

Except for future users targeted by those same attackers, for whom it is immensely helpful that they aren't being tipped off

Google's approach (and possibly Apple's) is commendable, but very poor UX-wise. Google specifically seems to include "phishing attempts" in their government-attack detection, and the direct reason seems to be that phishing was used in compromising the DNC in 2016. But there's a huge difference between a hacker-for-hire group that may have tenuous government links sending a mediocre phishing email (as in https://blog.google/threat-analysis-group/updates-about-gove...), and advanced zero-click zero-day use on all personal devices by a direct government body. Lumping them together makes zero sense.

> by a company as big as Apple

Would a smaller company stand a chance against pretty much any state? If men in suits took the CEO of a big company for "a talk" in the forest, there would be a lot of fuss in the media, whereas a small company would probably be scared to bits and never say a word.

A talk in the forest is for poor countries like Belarus. Rich countries just call their local SEC and IRS.

So something like PRISM that targets everybody won't trigger a warning?

I doubt it.

Keep in mind this will only work for non-court-gag-ordered instances. If the US subpoenas Apple about an individual they won't be allowed to notify them.

I have no idea how this applies to other countries.

I think this is more like: "We noticed unusual API usage and we don't have a gag order so whatever it is, it's not likely to be good"

The methods of detecting such attacks are not at all similar to a government requesting data which contains the non disclosure clause.

Apple doesn’t need to know the source of the attack to issue the warning, and if the attacker is competent Apple likely wouldn’t know the source, such that a gag would not apply.

To be fair, a subpoena isn't a cyberattack. But yes, this will mostly be of value to people being targeted by governments that are not the USA or best buddies with the USA.

tl;dr: Apple will notify us as long as the attacking state isn't the US - which it very often is.

It's rare that programmes like PRISM surface publicly. I don't see how Apple would gather top secret intel on national surveillance programmes on their own, so there is a good chance they aren't even aware.

In the case of Google, the NSA was reading their unencrypted replication traffic as it moved between data centers.

I don't see how Google could have been aware that this was happening, although they certainly could have known it was theoretically possible.

Will it notify users about cybersecurity threats from the US authorities or will it obey the gag order?

US state attackers get to ruin lives with impunity.

This is a good service since states felt it was necessary to use surveillance powers against the domestic population.

To me that warrants retaliation; in my opinion, it would be a case of self-defense. For example, isolating the trojan in a honey-pot OS and delivering it to foreign actors' cybersecurity research labs. Just make it unfeasible to support such software and it will stop. My country (Germany) sadly is prone to ignoring civil liberties. There were home searches because someone called some minister a penis on Twitter, and there were other severe transgressions. Since the law doesn't protect against them anymore, the state has proved that it is not capable of responsible conduct with software that relies on zero-day exploits which endanger every computer system.

Glad that companies with real security expertise pick up the slack here, although they shouldn't have to do that.

I wonder if this could be used to expose those that are in sensitive positions. I.e. offer attacks at people you think are in important positions and watch how they react to the news. For example, if you work somewhere sensitive and you have accounts not tied to the Apple account, the state-sponsored group is probably good enough to see your traffic patterns and to see if they change after you have been notified. Not that I think Apple shouldn't do this, but I can see someone being crafty and trying to take advantage of this. There are always trade-offs in security!

I see a lot of people in the comments conflating legal requests and attacks. Regardless of your opinion on either of those issues, they are different things.

NSA surveillance is illegal. Will we be notified?

By "legal request" I mean requests made through channels of the law. These things aren't "attacks" because they're functionally not attacks. 'Cooperation' is antithetical to 'attack'.

For example, when China demanded that iCloud for Chinese users was handed over to GCBD[0], and Apple complied, it was not, in any way, something that would be accurately described as an "attack". Apple cooperated with the demands that the legal environment presented.

[0] https://www.apple.com/legal/internet-services/icloud/en/gcbd...

If Apple learns of NSA surveillance of a specific individual... maybe? Beyond that what are you suggesting they do, send an alert to everyone in the US that the NSA might be spying on them?

Which surveillance? By what ruling? The phone metadata collection was ruled illegal, but that does not affect Apple.

Under rulings that never happen due to the FISA court declaring a lack of standing due to the court keeping the evidence secret that proves standing.

It utterly sucks having the sole oversight court having IC's back at our expense.

Both of those are about the phone metadata program I mentioned. That doesn't affect Apple.

they'll only do it if the US government allows them to.

Like it or not, if they go against three-letter agencies in the US, high-ranking Apple employees will spend years in jail based on the rulings of secret courts where all of your rights are irrelevant. The moment the CIA says the word "terrorism", all your rights are gone regardless of how wrong the investigators might be. They can literally declare you guilty without you even knowing you were accused of anything because, according to them, national security is more important than the constitution.

They are on the same level as the CCP.

> they'll only do it if the US government allows them to.

This is a warning that someone is trying to gain unauthorized access to your account. If the US government wants access it probably has better methods than brute force, such as ordering Apple to hand over your stuff.

There's a difference between a warrant with a gag order and noticing that someone is trying to hack into a user's account.

I see no reason to think Apple will want to stay silent about an attacker trying to hack a user's account just because they might stay silent about warrants with gag orders.

You think I'm talking about BS gag orders or NDA agreements....

When we're talking CIA, you can't get your way out of it with a better lawyer or by paying a fine. It's a decade of jail waiting for you if you don't bend over and give them exactly what they want. You have no constitutional rights when it comes to national security. They are legally allowed to kill US citizens without having to get court approval if they think they are a threat to the nation.

Are you talking about the CIA demanding something from Apple and ordering Apple to stay silent? Or are you talking about Apple detecting an attempt to hack a user's account? Those are 2 different things.

You seem to be talking about the first, whereas the support page is about the second.

> they are on the same level as the ccp



Has anyone put forward some theories as to how they are pulling this off? Are they tapping into iMessage Metadata, scanning crash logs, or something along those lines? While I totally understand the need for them to keep how they are doing this private, I do find it slightly concerning. Unless they are just flagging suspicious iCloud login attempts. If it’s relating to crash logs, it would be nice to know as I’m sure a bunch of privacy focused users have that disabled.

I assume they have iMessage metadata on what accounts the NSO accounts talked to. The contents are E2E encrypted, but unless they have explicitly promised not to keep logs, they probably have the metadata logged.

Apple claims in their lawsuit that they have over 100 false iCloud accounts that were created, and is confident in their identities to the degree they are going to use them for standing to prove that NSO signed a legal agreement in the lawsuit.

In which case, NSO f!@#ed up and left iCloud Messages Backup enabled, which stores unencrypted copies of the End-to-End messages and makes it trivial for Apple to alert any person that these accounts messaged to. That's one possibility.

Because the NSO group definitely used iMessage to communicate with one another...

Not with one another. With targets.

This is more likely targeting phishing messages coming from NSO Group to victims, rather than communication between NSO members.

Not even phishing, NSO had a zero-click iMessage exploit (so they could just send a message to their victims and then hack their iPhones remotely).

It’s likely much more manual than that.

They admit themselves that these attacks are not easy to detect.

> If it’s relating to crash logs, it would be nice to know as I’m sure a bunch of privacy focused users have that disabled.

It is not possible to disable all telemetry entirely.
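The sub-thread above speculates that Apple matches message metadata (who messaged whom) against accounts it has attributed to NSO Group, and then notifies the recipients, while Apple's own page warns that such threat-intelligence signals are imperfect and can produce false alarms. The following is an added illustration of that indicator-matching technique, written for this discussion; it is not Apple's code, and nothing is known about Apple's real pipeline. The log format, the account handles and the "known bad sender" list are all constructed for the example.

```python
"""Indicator matching over constructed message-metadata logs.

Added example for the discussion above, not Apple's code. Given a
threat-intel list of sender accounts attributed to an operator, find
every recipient those accounts messaged so each can be notified.
Every handle and log line here is constructed; none refers to a real
account or a real incident.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hypothetical operator-attributed sender accounts (constructed, not real).
KNOWN_BAD_SENDERS: Set[str] = {
    "sender-a@example.invalid",
    "+15550100999",
}

# Constructed metadata records: ISO timestamp, sender, recipient, payload size.
# Contents are assumed E2E encrypted; only the envelope is available here.
SAMPLE_LOG = """\
2021-11-01T09:12:44Z sender-a@example.invalid alice@example.invalid 2048
2021-11-01T09:12:45Z sender-a@example.invalid alice@example.invalid 2048
2021-11-01T11:03:10Z bob@example.invalid alice@example.invalid 120
2021-11-02T13:40:02Z +15550100999 carol@example.invalid 4096
malformed line without enough fields
2021-11-03T08:00:00Z sender-a@example.invalid dave@example.invalid 0
"""


@dataclass
class Hit:
    """One recipient that at least one indicator account messaged."""
    recipient: str
    first_seen: datetime
    message_count: int = 0
    senders: Set[str] = field(default_factory=set)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Parse one metadata record; return None for malformed input
    instead of raising, so one bad line cannot stall the whole scan."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, sender, recipient, size = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        int(size)  # validated but not otherwise used by this example
    except ValueError:
        return None
    return when, sender, recipient


def find_targets(log_lines: Iterable[str], indicators: Set[str]) -> Dict[str, Hit]:
    """Match the sender field of each record against the indicator set
    and aggregate per recipient (first contact, count, which senders)."""
    hits: Dict[str, Hit] = {}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        when, sender, recipient = rec
        if sender not in indicators:
            continue
        hit = hits.get(recipient)
        if hit is None:
            hit = hits[recipient] = Hit(recipient=recipient, first_seen=when)
        hit.first_seen = min(hit.first_seen, when)
        hit.message_count += 1
        hit.senders.add(sender)
    return hits


def notify_list(hits: Dict[str, Hit], min_messages: int = 1) -> List[str]:
    """Recipients to notify. The threshold is the tunable that trades
    missed targets against false alarms; the indicator list itself is
    the other source of error (a wrongly attributed sender flags
    everyone it ever messaged)."""
    return sorted(r for r, h in hits.items() if h.message_count >= min_messages)


if __name__ == "__main__":
    found = find_targets(SAMPLE_LOG.splitlines(), KNOWN_BAD_SENDERS)
    for name in notify_list(found):
        h = found[name]
        print(f"{name}: {h.message_count} message(s) from {sorted(h.senders)}, "
              f"first seen {h.first_seen.isoformat()}Z")
```

The point the example makes concrete is that the match is only as good as the indicator set: the code never sees message contents, so it cannot tell a zero-click exploit delivery from an innocuous message sent by the same account, which is exactly why a notification built this way can be a false alarm and why a sender that was never attributed is never detected.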

Now if only Apple wouldn't search for CSAM on device, allowed repair shops to get the parts they need from the manufacturer, and provided schematics for repair shops. If they did those things, I might actually buy an iPhone.

Does it tell you about US sponsored cybersecurity threats?

"If Apple discovers activity consistent with a state-sponsored attack"

I am really interested in understanding more about a "state-sponsored attack" as someone who works in Ops and has experience in CyberSec. All these years working in the industry and I had no idea you could identify an "attack" that easily.

It’s not easy.

> Unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent.

> State-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time. Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete. It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected.

Identifying the source of these attacks is often done by analyzing the tools and techniques, in comparison to other known tools and methods, and/or by information gathered in meat space.

I was being sarcastic. Not only is it not easy, it is impossible! There is no such thing as distinguishing a cyber attack of any kind as state-sponsored versus independently sponsored. This move by Apple is bizarre to say the least.

See also: Apple sues NSO Group to curb the abuse of state-sponsored spyware (apple.com) https://news.ycombinator.com/item?id=29320986

Where do you see the word 'easily' in Apple's statement?

If the complaint is that attribution is sometimes sketchy, so? Sometimes it isn't.

I believe it has to do with phishing attempts by known tools (NSO’s Pegasus). If anyone has the resources to fend them off, fingerprint them, etc it is Apple, Microsoft and Google.

For a company with the resources of Apple? I'd imagine their Threat Hunting/Identification and classification systems are top notch. There are a number of known taxonomies for different attacks around and I'm quite sure Apple has some automation around identifying those attacks. It even addresses that many will be false positives. Example taxonomy: https://us-cert.cisa.gov/CISA-National-Cyber-Incident-Scorin...

Yet you still can't download VPN apps in China and Saudi Arabia.

How can Apple differentiate between state sponsored FISA hacks vs. other hacks or USA hacks?

Before Apple sends a notification, do they cross reference any existing warrants they received and make sure they don’t notify the customer that the US tried to hack their account, or iPhone, or requested their info?

Or are we to assume that Apple only means non-USA based attacks?

Or is the US gov going ape shit right now that all their targets they been infiltrating are going to get notified of that fact?

Or are we to assume anything FISA related means Apple happily and willingly handed over the data and it really isn’t a hack attempt?

Why do I get the feeling that if the state is China, then it won't get reported as such. I assume their supply chain is more important.

China has their own iCloud servers and keys, from what I understand they're happy enough with that.

Also if the state is the USA...


Contains the canary: “To date, Apple has not received any orders for bulk data.”

That appears to only be connected to requests under those specific acts.

Otherwise, given their involvement in the PRISM program [1] I don't see how we can take that canary seriously.

[1] https://en.wikipedia.org/wiki/PRISM_(surveillance_program)

The specific acts include FISA requests.

Could also be weaselly wording here. They can still truthfully make that statement even if Apple themselves have decided to be pro-active and decided to give out bulk data without receiving any orders before. As the Snowden leaks showed, we should be really careful about how we read the words from large companies about data.

True. They also could be part of the conspiracy to make people sick with 5G so that Bill Gates can inject microchips into people through the vaccines.

After all, they haven’t denied it!

Difference between the conspiracy about making people sick with 5G vs companies helping NSA and other US government entities to spy on people, is that we have evidence of the latter happening, while nothing about the former.

We have evidence of EM radiation causing health problems, just not 5G.

> even if Apple themselves have decided to be pro-active and decided to give out bulk data without receiving any orders before

We have zero evidence of anything like this happening.

The state-sponsored cybersecurity threats I most want to know about are the ones from my country - because that is the state most likely to harm me and my family.

Even if the state in question is the USA? I think Apple should be clear if there are any states whose attacks they might ignore, for the sake of privacy, of course.

It's only possible because Apple is too big to fail. Probably they won't notify about the US snooping, but smaller countries often have smaller budgets than this company, so they can't really do anything about Apple pulling strings. It's a shame that smaller companies cannot do that without risking being closed down.

Does this include USA sponsored attacks?

This is again another attempt at owning the device or your customer; like that CSAM backdoor wasn’t enough, now they have AI monitoring accounts, connections, etc. out of each device.

An interesting spin. So Apple might somehow treat just regular threats differently in the past or the future? How does Apple know who paid NSO group to hack their phone?

What if it is illegal to do so?

From a pragmatic user's point of view, that would look just like "Apple didn't happen to notice that I was a target of state-sponsored activity". Recent headlines do not suggest that Apple's cyberdefenses are all that great against state-sponsored stuff.

From a more philosophical point of view - expecting a large corporation to go mano a mano on your behalf, against a major state security organization...that's right up there with expecting Santa Claus to punish all the evil spies for being naughty.

And yet, in the contact tracing case both Apple and Google refused to give data and control to EU governments. I believe the contact tracing app was used against protesters in rallies about BLM though, by the FBI IIRC.

Source? Pretty bold claim to just toss out with an IIRC.

First, I haven't seen any indictments of any BLM rioters. Note when I say rioters I'm not including protesters but those who set fires and harmed people.

Second, while I'm against contact tracing apps in general for the reason they can be abused, I don't think they would be needed by LE given their ability to set up Stingrays, drones, and monitor social media.

Most of the BLM rioters and Antifa terrorists are known. Raz Simone is still free although he set up CHAZ, passed out rifles, and extorted public officials with political demands while claiming public land, allowing 6 people to be killed under his "security".

Here are some links:

- https://www.zdnet.com/article/singapore-police-had-used-covi...

- https://slate.com/technology/2020/06/contact-tracing-law-enf...

Given the past decade (Snowden & Assange) I don't find it strange that contact tracing is being used for "other purposes". The data is readily available so, why bother with drones?

How would it be illegal?

What if the state is the US demanding data using NSLs or dragnet warrants?

Except in China. I pray that the people of the free world unite from within all countries and say enough is enough to their oppressors. It is wild to think that we still have ill actors in high ranks that are from bloodlines upon bloodlines of “ownership” of nations. There really still is a ruling class that has existed forever; sounds like a conspiracy until you look at who is buddies with who.

It's one of the largest enterprises against state-funded specialists and intelligence agencies, this will be an interesting arms race.

Will it send notifications also when it is a USA sponsored attack?

What a joke

What if you opted in to the terms of the Chinese App Store and then switched to the USA?

You are asked to accept new ones when changing store location

So Apple is saying they can’t solve their security problems?

That sounds like it, but then again the security problem could be a user issue.

Wonder if that works for the USA targeting terrorists and how well that’ll play in court if a terrorist attack was helped in that way.

Edit : silly me, US doesn’t need that, they can simply ask for the data..

Do cybersecurity threats include secret orders by governments to comply with any requests?

Completely and absolutely based. I have ambivalent feelings about Apple.

Unless it's the Chinese government. In that case, Apple handed over control of their database to Guizhou-Cloud Big Data.

Does this include US-sponsored threats?

"trust me bro"

Will it let them know that their own phone has decided that they are a potential pedophile and their photos will be sent unencrypted to some tech centre God knows where, where someone will decide whether to report them to authorities or not? Or is that ok to keep secret?
