Well, oops.
By #3 you mean BlackBerry right? Because Apple tracks your location, browsing history, and app usage to deliver iAds. Admittedly the tracking only applies when an iAd is being displayed, but to engage in the behavior your are critical of others for, then claim purity because you do it less is a bit dishonest.
I say this as a happy iPhone user. I love their devices and software, but I could do without the spin and outright BS that pervades the entire industry.
What is the company procedure regarding crypto? Not the official PR version, but the real version practiced by the programmers.
Iâll take Open Source over closed any day, even if I donât necessarily understand the code. You may or may not trust any one person who contributes to the source code, but youâve got (hopefully) many, many people, with diverse interests, allegiances, social and political leanings, etc, poring over that code, unlike closed source which is a few programmers developing according to company policy. Policy which itself be secret.
Thereâs the rub, no? To me the whole point of the OpenSSL flaw becoming important is the gap between theoretical security and efficiency because âanyone can audit and fix problemsâ and the reality of ânot many actually do itâ.
Edit: Related. All greek to me, but maybe you programmer types can get the joke.
These days, you canât even trust tin foil hats.
There has been some good analyses of this whitepaper, Steve Gibson did a multi-part review on his podcast Security Now. (note: heâs a bit of a controversial figure in the security community, so take his analyses with a grain of salt.)
The take away is that the on-device security or the latest devices looks like it should be near bullet proof, but it has a fatal flaw, any data that passes thought Appleâs servers is available to Apple to decrypt. The proof of this is that when you restore a backup to a new phone (different hardware keys) you only need to provide your Apple ID password. There are some caveats, local (non-iCloud) backups can be encrypted separately, But iMessages are always transmitted (and restored) by Apple servers, without access to the old hardware keys.
Apple has the power to bypass their own SSL encrypting to grab the data needed to access any data that would have been secured by their at-rest encryption. This is the Lavabit security hole, NSA requires they turn over SSL keys and just snoops the password used to access and decrypt your could backups and they have full access.
The argument is that open code that is seldom reviewed by the right people is more problematic than code that is reviewed by expertsâeven if done as part of a closed process.
Iâm not clear on how this could be fallacious, but understanding everything might not be feasible given my own limitations.
In such cases, perhaps we can fall back on examining the track record of the company itself. Has there really been a legitimate, genuine cause from Apple which indicates the tone taken by the author in the original link is justified? Maybe. I can see that many of the issues and concerns raised arenât technical, but political in nature.
Saying so doesnât diminish the value of open source, of course. But maybe hoping problems are found in someone elseâs code is ultimately a lesser strategy to what it could be.
Itâs wrong to assume that closed code will get any more review than open code. Itâs wrong to assume that critical code will get any review, let alone expert review, that goes for open as well as closed code.
I write code that is PCI-DSS compliant, Iâve taken part in our yearly PCI-DSS audit, done by accredited auditors. I have never seen a PCI-DSS auditor that knew how to write code. The experts are either doing forensic audits (after a breach) or independent security research. They are not typically doing annual audits of large closed source code bases.
The security assurances for most closed software comes from the development groups own internal non-expert (peer) review process. And in any group you have a diversity of skills, resulting in differing review quality. Which is pretty much what you also see in open code bases.
This topic was automatically closed after 5 days. New replies are no longer allowed.