Profile picture
, 7 tweets, 2 min read
My Authors
Read all threads
I was going to write something about iCloud backup and encryption but I realize that I’ve written it all. So here are a bunch of old posts: blog.cryptographyengineering.com/2012/04/05/icl…
And here’s one on iCloud Keychain from 2016, which ends with the following question. blog.cryptographyengineering.com/2016/08/13/is-…
And a slightly more recent one about Apple moving its encryption keys to China. blog.cryptographyengineering.com/2018/01/16/icl…
iCloud Keychain is an interesting product, only because it shows how much trouble Apple went to in order to ensure that people could back up their passwords to iCloud without getting them all stolen.
What I mean: it contrasts with an anti-encryption narrative (that plaintext is good enough for most people, e2e is gratuitous for most users), in that the need to seriously protect passwords is intuitively obvious.
With messaging you could picture the Apple execs saying “how can we push out more warrantproof encryption to mess with the FBI” or whatever, if you’re inclined. With KeyChain you picture them saying “crap, how screwed would we be if all our customers’ passwords got stolen.”
TL;DR iCloud Keychain is the *most* powerful security system Apple has on its server side, and it’s also the one that’s *least* likely to be driven by privacy ideals or the desire for hip marketing. Apple seems legitimately scared of getting its keystore hacked.
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Matthew Green

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @matthew_d_green see all

Profile picture
Matthew Green
@matthew_d_green
I suspected this was true ever since Apple released iCloud Keychain and did nothing interesting with it. Government pressure works. reuters.com/article/us-app…
This is the short-term strategy of these “Apple v. FBI” cases and the pressure campaign on Facebook to delay e2e encryption: the government knows that once encryption is deployed, the advantage moves to the tech companies. So the plan is to delay deployments.
Engineers and project managers: this is why you don’t have time to delay and “get everything right” if you’re planning an e2e deployment. The chances that the political environment remains favorable go down as the time horizon increases.
Read 6 tweets
Profile picture
Matthew Green
@matthew_d_green
Do something nice for your family this holiday season: go through their phone settings and turn on all the privacy features.
It’s sort of amazing to me how hard this has gotten, even on iOS, which advertises itself as the “privacy” OS. My wife asked me how Facebook knew she walked by a particular store yesterday, so I dove into the Settings. What a mess.
First, there’s this “Privacy” tab in iOS settings, but under it you’ve got this ridiculous and ever-growing list of crap. Every app appears multiple times, and you have to know where to look.
Read 7 tweets
Profile picture
Matthew Green
@matthew_d_green
I have two comments on this new Signal proposal for backing up secrets:

1. If your solution to a hard problem is “use Intel SGX”, please say so right at the beginning!
2. Despite that criticism, holy cow does this look like sophisticated work. signal.org/blog/secure-va…
So the basic problem here is an important one: Signal wants to back up your secrets in the cloud, so you can get them back if you lose your device. At the same time, being Signal, they don’t want your secrets accessible to hackers. 2/
Password-based encryption solves the problem, but then you need really strong passwords to prevent offline dictionary attacks. Putting a key on your device helps, but the whole point is to secure against lost devices. 3/
Read 14 tweets

Related threads

Profile picture
mRr3b00t
@UK_Daniel_Card
I’m going to write something or record a video on the importance of enumeration and why speed isn’t always your friend. Your task is to answer some questions about the target to help identify key elements. #pentesting #hacking #pwnDefendWithKali
So in the mean time i'm just going to make this a small thread... so we start with out awesome kali laptop on the network segement 192.168.100.0/24. We run ifconfig and understand our gateway and subnet, DHCP options etc.
after running "ip a" we are now going to launch wireshark. The number of people who seem to not pcap whilst testing is way bigger than you think. SANS recomend it.. there's a reason for that ;)
Read 38 tweets
Profile picture
Colm MacCárthaigh
@colmmacc
Tuesday Tweet Thread is a "Today in Infosec" one. It's 10 years since @marshray published one of my favorite TLS/SSL issues, and the best named. The Pizza Attack! Read about it in EKR's blog post from the time: educatedguesswork.org/2009/11/unders… ...
@marshray In a case of "History doesn't repeat itself, but it does rhyme", the attack is similar in several ways to the latest HTTP "DESYNC" attacks. The Pizza attack hinged on inconsistencies between layers, and clever use of HTTP headers to hide requests.
@marshray Basically: TLS/SSL *used* to allow clients or servers to renegotiate a connection at any time, and that was like starting over. The Pizza attack had the attacker create a legit connection to a server, and then place a not quite finished lingering HTTP request on the connection.
Read 12 tweets
Profile picture
ᴅᴀᴠɪᴅ ᴘᴇʀᴇʟʟ ✌
@david_perell
Take a moment to appreciate the power of writing online.

When you share intelligent ideas, you accelerate human progress and attract incredible people and opportunities.

Almost anybody can write. And everything you need is available online, for free.

Writing is a superpower.
“The coolest people I meet are the ones who find me through something I’ve written.”

- @sivers
Here's what your teachers never told you: Good writing is hard work, but almost anybody can write well.

Use this system to improve your writing:

1. Write often
2. Read great books
3. Publish your best writing

Free to learn. Big-time benefits.

perell.com/blog/the-ultim…
Read 11 tweets
Profile picture
Alec Muffett
@AlecMuffett
justsecurity.org/62114/give-gho…
1/ Applying this idea to WhatsApp, it would mean that—upon receiving a court order—the company would be required to convert a 1-on-1 conversation into a group chat, with the government as the third member of the chat. But that’s not all.
2/ In WhatsApp’s UX, users can verify the security of a conversation by comparing “security codes” within the app. So for the ghost to work, there would have to be a way of forcing both users’ clients to lie to them by showing a falsified security code, ...
Read 39 tweets
Profile picture
Eric Wall
@ercwl
Going to think loudly while I read David Chaum's @elixxir_io technical brief. Chaum is pretty much the forefather anonymous communication and is about as respected as you can be in this space. Now he's built a privacy PoS coin. I'll look silly criticizing this but, here I go.
Starting with a cheap shot: the fact that they got the < > signs mixed up when describing their tps made me giggle.
Next thing I'm coming up with is that they seem to think that one of the scaling bottlenecks of conventional blockchains like Bitcoin is the amount of time it takes to *produce* a block. That's kind of... not the problem at all. The bottleneck is on users validating the blocks.
Read 25 tweets
Profile picture
(((🌊Nasty Cajsa🌊)))
@Cajsa
1/ #RepublicanSexualPredators @RealDonaldTrump is accused of sexual assault by multiple women. He is accused of raping a 13-year-old girl and bragged of walking in on underage girls at pageant. en.wikipedia.org/wiki/Donald_Tr…
2/ #RepublicanSexualPredators Judge Roy Moore is accused of sexual assault and dating underage women. en.wikipedia.org/wiki/Roy_Moore…
3/ #RepublicanSexualPredators Jim Jordan is seeking to step in to Speaker Ryan’s shoes even though he is accused of ignoring sexual assault of young men while a coach, dismissing it as locker room talk vox.com/2018/7/6/17536…
Read 284 tweets

Trending hashtags

#WallaceandGrommit #SinCity #potus #superkey #TimmyOToole #Kang #blog #NewAwarenessAwards #Untouchable #MyWifeandMyDeadWife #decrypted #HomersPhobia #GilbertandSullivan #homersimpson #HeISAnEnglishman #rootDance #serviceproviders #PokemonGo #HotStuff #RepublicanSexualPredators #Ogdenville #TroyMcClure #CororationsAct2001 #BatmansAScientist #SimpsonsFamilyPortrait
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!