Apple Worries Spy Technology Has Been Secretly Added To Computer Servers It Buys (businessinsider.com)
An anonymous reader writes: According to Business Insider, "[Apple] worries that some of the equipment and cloud services it buys has been compromised by vendors who have agreed to put "back door" technology for government spying, according to a report from The Information's Amir Efrati and Steve Nellis." With many of its cloud-based services like iTunes, the App Store, and iCloud requiring enormous data centers to operate, Apple hasn't been able to build all the data centers it needs, and has instead been using services from its rivals, namely Amazon Web Services and Microsoft. Google recently landed Apple as a customer for the Google Cloud Platform. "Meanwhile, [Apple] has embarked on yet another attempt to build more of its own data centers to handle all of that, called Project McQueen, reports Jordan Novet at VentureBeat, and the project is having a rough go of it, reports The Information." Apple suspects that backdoors have been added to many of the servers it has been ordering from others. "At one point, the company even had people taking photographs of the motherboards in the computer servers it was using, then mark down exactly what each chip was, to make sure everything was fully understood."
I know it's a crazy idea, but maybe if Apple built their own servers, they wouldn't have to worry about that. Maybe they could even sell a few of them to other companies.
Nah. Crazy idea. Forget I mentioned it.
Assume your cloud service provider isn't secure.
Fuck backdoors, you can't vet their security or admin staff, you can't adequately audit their processes, you can't believe the marketing bullshit they produce.
So assume they're not secure.
How you deal with it isn't paranoia. Don't be bloody stupid.
Encrypt your data at rest. Control the keys yourself.
Encrypt your data in transit. Control the keys yourself.
Encrypt your keys. Fuck it, go whole hog if you're that worried about it.
But Apple aren't in any different position to anybody else, and photographing motherboards? Fuck me, get a life.
Try, for example, Ericsson or another reputable manufacturer that doesn't conduct spying for the U.S. government like Cisco etc. does.
It's quite sad that in the United States of America, of all places, this is now a legitimate and very real concern. What in the hell happened to this country?
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Some years back, Virgin Airlines accused British Airways of "dirty tricks", which included unauthorised access to the Virgin (rented) space on the BA bookings computer
http://law.justia.com/cases/fe...
VIRGIN ATLANTIC AIRWAYS LIMITED, Plaintiff,
v.
BRITISH AIRWAYS PLC, Defendant.
No. 93 Civ. 7270 (MGC).
United States District Court, S.D. New York.
December 30, 1994.
"She's furniture with a pulse"
You guys remember when we'd read about some random individual doing paranoid crap like this, and our first response would be to make fun of the wacko?
Those were the good old days...
#DeleteChrome
The iPhones they used to take the photos with had also been tampered with and edited the images
...encrypt data with a distinct key per individual piece of content using a centralized key management system.
You know, 15 years ago, give or take, this would have been considered the most absurd tin-foil hat bullshit imaginable.
Suddenly, we find ourselves in a world where this makes total sense ... which scares the shit out of me.
It's like the nasty dystopian future, but without cool skater chicks and designer digital drugs.
Lost at C:>. Found at C.
when you outsource everything
-I'm just sayin'
So a few years ago I called a NOC asking them to confirm a trace I had done resulting in what was a US Navy IP address trying to brute force my server. They promptly hung up and I got a call from an unknown number to my phone and when I answered they said, "Yes, it's confirmed" believing they didn't think I had answered yet. They were very nice and followed up with me several times ... the next month our friend Ed was in the news. Apple has every right to be watching their back, and in all honesty we all do.
Here's a crazier idea. All data uploaded to cloud servers is encrypted so that it is unreadable by servers. Backdoors should be irrelevant.
Just sayin
So Apple fears that the servers it relies on for its business are not fully under Apple's control, as one's computers ought to be fully under the control of those who own the computer. The same would be true even if the servers weren't virtual. As I understand it, this is part of the reason why Google is keen to build their own hardware and takes some interest in free software to run that hardware. As Edward Snowden pointed out in his recent LibrePlanet talk, this is the same reason privacy-minded people can't use Apple's equipment either. Snowden mentioned this in terms of Microsoft ("I did not use Windows machines when I was in my operational phase because I couldn't trust them. Not because I knew there was a particular backdoor or anything like that but because I couldn't be sure." circa 5m54s or 8m33s in the prerelease video) but the same insecurity stemming from a lack of freedom issue applies to all proprietors, not just Microsoft.
In other words there's quite an irony here: the proprietor is coming to terms with the same lack of freedom it imposes on its customers. Apple's iThings include phones that aren't under the owner's exclusive control allowing someone other than the owner to update software on the device. Some other devices (perhaps Apple's as well) don't allow the computer owner to fully control the cryptographic keys used to sign software installed on the device, so these keys are used to keep the owner locked out of full control (or the proprietor from being fully locked out). The updates can and do come in Apple and non-Apple systems without the owner's consent in the name of "convenience" and "safety" (one must ask whose safety is being assured in this scheme) or (as some proprietor sycophants are sure to point out) keeping non-technical users from messing something up. The technical details of precisely where the non-free software lies (on the main computer, on a modem controller, on some other bit of hardware one uses with the system) are no excuses for not providing documented hardware, a means to install a fully free software system, and thus a means to fully own one's own computer.
Digital Citizen
it's never enough to keep up. Lily Tomlin
Once a gov has splitters, weak crypto and friendly staff members at a generational design level in place in the past what can now be fixed?
Hunt down the gov hardware at the optical level that's still part of ongoing investigations and has to be left in place and will be upgraded for many years?
That's under some security letter or a secret court has the color of law paperwork.. who even has the authority to mention that within the wider brand?
Clean room the next crypto with a brand new, more advanced team?
Re fab the hardware from new with new staff?
Sideways or promote any team members who worked with any gov team away from new crypto or other sensitive development areas?
Find new consultants and contractors with a lack of working for govs/mil and have them restart generational projects again?
Domestic spying is now "Benign Information Gathering"
In other words there's quite an irony here: the proprietor is coming to terms with the same lack of freedom it imposes on its customers.
1. Apple is fighting tooth and nail for their customers' privacy.
2. what is this "lack of freedom" of which you speak? my freedom is impinged when I cannot vote or when my drinking water is poisoned. my freedom is NOT impinged by my questionable choice of consumer products. if you object to them and what they do, don't buy their stuff. if you don't object, buy their stuff. nobody is losing any freedoms here
Do you know why hardware snooping is a bad idea? You can trace the parts through your supply chain and have indefatigable truth. Unless they are your biggest customer at the same time. Sort of like knocking on the front door but entering from the back. :(
While encryption in transit is good, unfortunately encryption on the server is typically more theatre/ marketing than it is useful security. There are only two things you can do with properly encrypted data - decrypt it or send it to someone who can decrypt it. If the server can decrypt it, and the concern is that the server may be compromised, there's little point in encrypting it.
As a random example, let's consider the data of which users have purchased which songs on iTunes. Apple uses that to know which songs you're allowed to stream. If it's encrypted, their server-side software can't do the lookup, so that can't be encrypted (or the server has to have the key, which amounts to the same thing).
Essentially the only data that can be usefully encrypted is files sent from a customer's device which Apple doesn't want to read or understand, they just want to send back the exact same binary blob that they received. That CAN be encrypted before it's sent to Apple. But any data that Apple needs to query, change, record, or de-duplicate can't really be usefully encrypted, in general.
It's an annoying problem, and a hard problem. There was a theory about encrypting data in such a way that you could do some very limited statistical processing on it without being able to actually read the data, but it's pretty limited so approximately nobody uses it. The one major use for data "encrypted" on the server is passwords, where you store a hash and can compare whether the password the person entered is the same as the stored hash. Though that's an important use case, it's only one use case. There aren't too many use cases for storing data you can't retrieve.
It's already done on Cisco equipment so why not servers?
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
When I worked at the Google help desk in 2008, the powers that be were talking about moving away from the Lenovo laptops because they suspected that the Chinese government was putting a backdoor into the BIOS. When I did contract work for a Google data center in 2011, the only laptops I saw were MacBook Pros from Apple.
If only Apple had the money to buy their own infrastructure...
Apple is a very rich company with $200bn+ in the bank. They got that way by taking every opportunity to grow their business. Nothing wrong with that. But sometimes that entails doing things that might not be in their best long-term interests.
Consider this: they chose to buy cloud services from other vendors because their business was growing beyond their ability to provision these services in-house. They could have chosen to do it themselves, preserving the integrity of their infrastructure, but that would run the risk of not being able to scale it out as fast as their customers demanded it, and limited their growth.
So they made the choice to outsource, maximizing their growth but taking the risks that come with that approach.
They could have taken the other path and kept their integrity. They are one of the few companies rich enough to do that. But it's not in their DNA, and their stockholders would take a dim view.
So now they have to take pictures of motherboards in the hope that they catch the bad guys doing something. Pathetic really.
What of the freedom to speak your mind without worrying of extraneous consequences from third parties listening in? That freedom is impugned upon.
Just because you have an extremely narrow definition of freedom that's strictly limited to the physical world doesn't mean others share your myopic worldview.
Before Apple nominates itself as a privacy/user rights champion, maybe they could stop trying to install iCloud on my machine against my will.
No means no.
but you have to have been in this racket at least 10 years to remember Apple Servers.
if this is supposed to be a new economy, how come they still want my old fashioned money?
http://m.slashdot.org/story/10...
"Common sense will be the death of us all"
I mean sure, encryption and building your own servers is one avenue...
But when some of your lead developers are given the choice to either add backdoors/give company secrets or "discover" that one of their kids "was a terrorist all along" - possibly with a few incidents so the FBI can maximize its budget gains, your security is guaranteed to remain crap.
Civilians don't matter to these guys anyways.
And you will be crapping out Cupertino doughnuts in no time.
There's nothing to see in the linked articles. Absolutely no interviews or attempt to verify. Idiotic.
all over the internet... all popular sounding and shit... matters zero. "oh it's so secure FBI can't crack it"
stfu.
distrowatch.com
...those cunts are goin' down at some point in the future.
Apple should ask the FBI to check them......oh, wait
Table-ized A.I.
I actually saw, by a freak chance, industrial-grade eavesdropping equipment. That was fourteen years ago. It was so incredibly tiny.
I cannot see why it is not being pre-installed in all electric equipment which we buy: cameras, coffee makers, etc. by several services of several powers independently, and also by private entities. No chance whatsoever to find it.
I think it is time to accept that every word which we say or write is seen and recorded by several governments and private organizations. There is no chance to resist this technology.
I guess the data which is collected this way is used not only to fight crime, but also to plan policies by analyzing our reactions to events, speeches, etc. It is not a question of whether it is being done on a mass scale, but what we as individuals can do about it to mitigate the effects on civilization.
Perhaps we should carry on important conversations outdoors in the woods wearing only freshly washed t-shirts and shorts, or speak nonsense indoors for several minutes to jam the analysis software, etc.
That's clearly a PR move (and a pretty effective one, it seems); it does not need to make any sense to the tech savvy.
Processing Encrypted data is possible, it is called Fully Homomorphic Encryption.
It was not until 2009 however that Craig Gentry proved that such a scheme exists at all in his PhD thesis. In terms of Cryptography it is still brand new.
It is worth a read, not just for crypto experts, as it is well written and quite interesting.
FHE is based on lattices instead of factorization, elliptic curves or discrete logarithms.
The "fully" is because before that we had ways to process certain kinds of encrypted data, now it is possible to process any sort of data.
Teeny, tiny drawback as of now: It slows down computation speed compared to computing on unencrypted data by about 2.3 billion times.
Unless Apple starts manufacturing its own people, it is just easier for NSA to manufacture enough evidence of experiences and train its operatives with the right skills to get them hired by Apple where they will have direct access to all their secrets.
P.S. Posting as AC since password retrieval captcha is not working.
Well, except for the whole thousands of nuclear warheads aimed at the US and USSR on 30 minutes launch notice and let's hope no one makes a mistake thing.
Best Slashdot Co
Are they using Windows 10?
Welcome to the club. Here is your tin-foil hat and badge to wear when you attend the meetings.
This is the reality that greed and power bring about. No matter what we use, we all have to consider the very real possibility that the hardware or software is already compromised. Either by malice or incompetence. That feeling sucks, doesn't it? Makes you rethink about what sorts of information you're willing to entrust to the devices in question or if you're going to trust the devices at all.
The masses, in general, are typically blind to the nefarious possibilities of the devices they utilize on a daily basis. Those that do understand how powerful information can be try to guard it as best they can.
This is the thought process I have to go through every time I consider buying something. If I do end up buying it, I now have to become a detective to both spot and deal with any behaviors the device is exhibiting that I consider questionable.
To be fair, it's not just your products. It's everyone's product.
The computer I use.
The software it runs.
The routers and switches that connect them.
The car I drive.
The phone.
My ISP.
The list is nearly endless.
Everything that is network connected at any point in its life is a risk and thus, subject to the question of "How much do I trust it?"
The sad answer is usually, "Very little."
I do what I can to limit what the devices can do, but I always wonder if I've done enough.
If you're using an Intel Product with ICH 9 or later, there's a back door built in called IME. That's in every ICH chipset. If you're using an Intel Network Interface, the same backdoor is most likely baked into the silicon and absolutely not documented.
Just check the Intel ARK in regards to vPro in their chips. It's damn near impossible to get a chip now without the feature that's a security nightmare by itself as it provides remote access directly to the CPU. The question is, why did they and who insisted on destroying system security and stability (Follow the money/conspiracies) and you have an idea.
Captcha = Sterile
Pretty indicative that open hardware is becoming the only safe solution against any unwanted intrusions. The problem is, I'm no engineer and can't vet that the silicon isn't modified from the disclosed design anyhow so who do I trust?
Apple is correct - but what are you going to do?
Roll your own? Never fear, someone may mess with a secure part or influence the design.
Oh this costs money. Then there are bugs anyway. Then assume the pipes going in or out are compromised.
Blink, and you are pawned.
The solution is parallel servers on different hardware, and comparing to spot something.
As for what to look for - look for daughterboards and anything that does DMA, such as graphics cards.
Welcome to our world, Mr Big Corporation, where we used to worry about you monitoring our communications....but now it's your turn to do the worrying.
Yeah, this whole "spy on people" thing ain't so fuckin' cool now, is it?
Just cruising through this digital world at 33 1/3 rpm...
When it comes to working with servers and cloud storage, there are two different issues.
The first is just storing gobs and gobs of data. That should be considered solved.
Backblaze had to solve that. They got a really good, scalable, cheap system -- and they tell you how they did it, with enough information to replicate what they did. See their blogs: https://www.backblaze.com/blog... for how to make cheap storage _hardware_, and https://www.backblaze.com/blog... for how to design the storage "file system" to spread load around.
But data storage is only step one. You have to have the CPU power to search all that data. You have to have ways to read lots of data, and make it available for people to search through.
That's Google's specialty. They haven't shared everything that they've learned. Other than saying that when you get to their size, all old problems become new ones again, and old solutions need to be challenged/rethought.
How do you manage to replicate data across multiple data centers, such that you know how many copies of a file are still accessible, given that at that size, drive failures are a matter of rate rather than merely probability? How do you manage synchronized data writes when, even if the low-level data at a given site is a RAID that has low-level self correction, the high-level is 7 copies in 7 different data centers, and if you ever think you are down to 3 or fewer live copies you replicate new ones -- and still permit people to update and synchronize changes?
And that's before you even begin to look at processing all that data.
For Apple to be looking at this, they are basically saying, "we are becoming a significant fraction of Google's data/processing size, and starting to run into the same problems that Google had to solve".