Notices by Matthew Green (matthew_d_green@ioc.exchange), page 2

Of course, knowing that the phone is running a specific piece of software doesn’t help you if you don’t trust the software. So Apple plans to put each binary image into a “transparency log” and publish the software.

But here’s a sticky point: not with the full source code. 11/

When your phone wants to outsource a task, it will contact Apple and obtain a list of servers/nodes and their keys. It will then encrypt its request to all servers, and one will process it. They use a load balancer to make sure no single server processes all your requests. They’re even using fancy anonymous credentials and a third part relay to hide your IP. 13/

Security researchers will get *some code* and a VM they can use to run the software. They’ll then have to reverse-engineer the binaries to see if they’re doing unexpected things. It’s a little suboptimal. 12/

But now the tough questions. Is it a good idea? And is it as secure as what Apple does today? And most importantly: can users opt out of this thing? 14/

Ok there are probably half a dozen more technical details in the blog post. It’s a very thoughtful design. Indeed, if you gave an excellent team a huge pile of money and told them to build the best “private” cloud in the world, it would probably look like this. 14/

Back to the substance.

I admit that as I learned about this feature, it made me kind of sad. The thought that was going through my head was: this is going to be too much of a temptation. Once you can “safely” outsource tasks to the cloud, why bother doing them locally. Outsource everything! 16/

Quick intermission: I also posted this thread on Twitter, and then this happened right about this part. It was… uncomfortable.

As best I can tell, Apple does not have explicit plans to announce when your data is going off-device for to Private Compute. You won’t opt into this, you won’t necessarily even be told it’s happening. It will just happen. Magically.

I don’t love that part. 17/

This thing Facebook did — running an MITM on Snapchat and other competitors’ TLS connections via their Onavo VPN — is so deeply messed up and evil that it completely changes my perspective on what that company is willing to do to its users.

So Apple has gone and updated the iMessage protocol to incorporate both forward security (very good!) and post-quantum cryptography. https://security.apple.com/blog/imessage-pq3/

@feld No I’m doing it by hand. And aesthetically I dislike long posts so I just do it this way.

The Flipper Zero bans are amazing to me. And expected. Security on open IP networks only got to the (mediocre) state it’s at as a result of constant, unrelenting attacks. RF protocols are like a delicate species that’s never been exposed to predators.

I’m sad there are no malware-infested toothbrushes.

Does anyone have a very complete list of infosec accounts on Mastodon? The current top Google results aren’t great and I’d like to see if we can SEO some better ones.

This graph of solar PV installations up to the present vs. past predictions is… incredible.

Did we think AirDrop was anonymous? https://www.macrumors.com/2024/01/09/airdrop-cracked-chinese-authorities/

With that said, the details of this one look kind of exciting. Unfortunately the technical details are in Chinese and aren’t translating well for me.

This is a really big deal. Although the full rollout will take a little while, this isn’t opt-in encryption. It’ll be full end-to-end encryption for billions of users, complete with encrypted backup and disappearing messages built in.

I got a chance to play with the new Messenger a little while ago, and it’s remarkable for… basically not being remarkable. It looks exactly like the existing Messenger, but everything is protected using Signal protocol. Supports web and mobile, and just kind of works invisibly.

Meta is launching end-to-end encryption for direct messages on Facebook Messenger and Instagram this week. https://www.wsj.com/tech/meta-to-start-fully-encrypting-messages-on-facebook-and-instagram-a936c4f9