Data Protection is implemented by constructing and managing a hierarchy of keys, building on the hardware encryption technologies built into Apple devices. It's controlled on a per-file basis by assigning each file to a class; accessibility is determined by whether the class keys have been unlocked.
The four protection classes, from strongest to weakest:
NSFileProtectionComplete — Files are only accessible when the device is unlocked.
NSFileProtectionCompleteUnlessOpen — A file can only be opened when the device is unlocked, but is not closed when the device is locked — it's encrypted when the last open handle is closed. Suitable for data being uploaded in the background.
NSFileProtectionCompleteUntilFirstUserAuthentication — The resource cannot be accessed until after the device has booted. After the user unlocks the device for the first time, the app can access the resource and continue to do so even if the user subsequently locks the device. This is commonly called AFU (After First Unlock). This is the default class for all third-party app data not otherwise assigned to a Data Protection class.
NSFileProtectionNone — The resource has no special protections. It can be read or written at any time. The encryption only uses a key derived from the device's UID.
The BFU/AFU Distinction — The Heart of the Signal Issue
Apple's iOS devices operate in two key security states that directly impact data accessibility: Before First Unlock (BFU) and After First Unlock (AFU).
When an iPhone is in the BFU state, it has been powered on or rebooted but not yet unlocked with a passcode. In this state, the Secure Enclave does not release the decryption keys needed to access most user data.
Once you've unlocked once (AFU), files protected with NSFileProtectionCompleteUntilFirstUserAuthentication become accessible, the Keychain is available, and background processes and apps can access encrypted content as needed.
The Signal notification content issue connects here because notification data (including previews) stored in the default CompleteUntilFirstUserAuthentication class remains decryptable by any process — including OS-level forensic tools — as long as the phone has been unlocked at least once since the last reboot.
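An added example, not part of the comment above or of any app's real code: a Swift audit that lists files an app has written under a weaker class than the one it requires, plus the two ways to assign the stronger class. The function names (`strength`, `filesWeakerThan`, `raiseProtection`, `writeProtected`) are hypothetical, and it only covers files the app itself owns.

```swift
import Foundation

// Rank the four classes as ordered above: higher = stronger.
// A missing attribute (e.g. on the simulator) ranks as weakest.
func strength(_ cls: FileProtectionType?) -> Int {
    guard let cls = cls else { return 0 }
    if cls == .complete { return 3 }
    if cls == .completeUnlessOpen { return 2 }
    if cls == .completeUntilFirstUserAuthentication { return 1 }  // AFU default
    return 0  // .none or a class this example does not know
}

// Walk `root` and report every regular file whose class is weaker than `required`.
func filesWeakerThan(_ required: FileProtectionType,
                     under root: URL) -> [(path: String, cls: String)] {
    var findings: [(path: String, cls: String)] = []
    let fm = FileManager.default
    guard let walker = fm.enumerator(at: root,
                                     includingPropertiesForKeys: [.isRegularFileKey])
    else { return findings }
    for case let url as URL in walker {
        let isFile = (try? url.resourceValues(forKeys: [.isRegularFileKey]))?
            .isRegularFile ?? false
        guard isFile else { continue }
        let attrs = try? fm.attributesOfItem(atPath: url.path)
        let cls = attrs?[.protectionKey] as? FileProtectionType
        if strength(cls) < strength(required) {
            findings.append((path: url.path, cls: cls?.rawValue ?? "unset"))
        }
    }
    return findings
}

// Re-class an existing file, e.g. one created earlier under the AFU default.
func raiseProtection(of path: String, to cls: FileProtectionType) throws {
    try FileManager.default.setAttributes([.protectionKey: cls], ofItemAtPath: path)
}

// Create a new file directly in the Complete class instead of the default.
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}
```

Files in the Complete class cannot be read while the device is locked, so code that touches them from the background has to handle the resulting read and write errors.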
I spent a little time ~2012 trying to think how to create a system like this that would work with iPhones at Burning Man. Never really got anywhere with the idea, but I’m excited to try this!
I have three maxims that basically power all my decisions as an engineer:
1. The three C’s: Clarity always, Consistency with determination, Concision when prudent.
2. Keep the pain in the right place.
3. Fight entropy!
So in the context of the main example in this article, I would say you can try to improve clarity by e.g. wrapping the existing auth code in something that looks nicer in the context of your new endpoint but try very hard to stay consistent for all the great reasons the article gives.
Absolutely.
Broadly, I wonder what leads to schools not adopting emerging fields as part of the formal curriculum. Interesting to note even in 2021, only 51% of US K-12 high schools were found to have a CS course. Does not seem like a capital problem to me. Is this just inertia or a legibility problem?
As with any monopoly, the incentives for public school administrators are all out of whack. Adding a CS curriculum takes real time and effort (lost summer vacation time, effort required to convince the board/PTA, picking a curriculum, hiring teachers for an unfamiliar topic). It brings with it real risks and headaches (budget issues, vulnerability/ignorance in a new domain, possible failure/embarrassment, board/PTA conflict, dissatisfied students/parents). Meanwhile the benefits are not tangible and the cost of not implementing a new CS curriculum is zero.
For public school administrators (as with all process owners) it's far easier to simply repeat what they did last year.
Oof yeah. The legibility-gained per effort put in for most admins working in a system that inherently incentivises tangibility and observable "utility" (whatever that may be in this case) reduces any hope of seeing much change.
Maybe this is another good problem that Systems Sciences might hold a great explanation too :-O.
I was expecting someone mentioning this very good book. In a time where politics is dominated by populism, this should be part of the school curriculum. Reality is complex. There are often no easy or simple solutions to get a certain number up or down. Even the author of this book writes that being an expert in systems science does not give her the superpower of never being surprised by outcomes. But being able to think in systems is still a very valuable ability. A lot of humbleness and appreciation for complexity can be gained from reading this book.
> It won't make any diff 'cause most people don't want to think.
On what basis do you say this? What exactly do you mean?
I don't mind that the above claim is cynical. But I think it is (a) wildly overconfident and (b) poorly reasoned. Check your biases. Also check your pain points -- would I be crazy to guess that you've become jaded about students' ability to learn, think, and/or care about education?
Next, consider a specific scenario so we're not talking past each other. Let's say 5% of high schools decide to teach Thinking in Systems. Say they get a grant so that someone experienced (in the book and subject matter) comes in and teaches for a few weeks as a special topic (at no cost to the school).
Now, think statistically and empirically. What kinds of effects will there be on students? If you are intellectually honest, you'll have to ask questions, maybe even gather some data. If you put some effort into thinking, you probably won't conclude there will be zero effect.
Commenter actually read the article before commenting, like a n00b. It brings up social media and income:
"Various studies around the world have proposed different explanations, such as economic status. Lower income is associated with greater declines. One study looked at use of computer games among young people [as a possible explanation]. Some folks have tracked declines in alcohol use, and we know that [alcohol use] can be associated with disinhibition. We have seen, somewhat, [an] increase in sex toy use—from what we looked at, not a massive increase. If there is a change, it’s probably just going to contribute to one of the blips. I don’t expect it to be the explanation."
That quote doesn't mention social media? It mentions computer games as a possible explanation, and then explicitly says none of the things listed is a complete explanation. The article speculates that social media may be related, but what I'm asking is what the commenter thinks is the specific connection between social media and a decrease in sexual activity.
The OP comment essentially said that Social Media was causing massive catastrophic social change. I'm not seeing that backed up in the article, even if I think I may agree.