Remember when that new Apple PR lady didn't get the memo and actually spoke to El Reg?
That was funny.
Apple is facing tough privacy questions as it gears up for the release of its new Apple Watch, with one US state attorney demanding a meeting with Tim Cook. Connecticut Attorney General George Jepsen has asked the fruity führer for a face-to-face chat so he can ask whether Apple will store the data from the justWatch on its …
If Apple's PR dept blew a fuse over "snow lepperd", I don't think "fruity führer" will do their arteries any good.
But El Reg now has considerably more clout than back then; it's recognised as one of the leading tech publications in the English*-speaking world. So perhaps Apple will be willing to let a few disparaging comments slip through...
*English and related languages such as Strine or Murkin.
El Reg and clout! You forgot the Joke icon
also "after hackers broke into Apple's iCloud"
Wrong; Fail. No-one broke in. They got some users' passwords and logged in. A far cry from being a Hacker. My six year old niece logged into my iPad after watching me key in the PIN. Would call her a hacker, and she didn't 'break in'.
Top notch journalism!! I swear, more and more I come to this site for the laughs rather than for actual news.
My six year old niece logged into my iPad after watching me key in the PIN.
The difference being in the detail, of course. Did your niece brute-force the password, over the internet, in order to gain remote access to the data from your iPad? No, didn't think so.
The actual problem with all the cloudy stuff (and not just Apple's implementation) is twofold:
Firstly, the authentication is weak - it is password based, and doesn't seem to authenticate the device itself (otherwise, this was actual hacking, not just password guessing), so anyone can have a crack at getting in. In security parlance, the attack surface is very large - i.e. the entire internet.
Secondly, your data is held by a third party, who you have to implicitly trust. You have no say in how they secure your data, and no control over how they use it, other than the terms and conditions they give you. Which nobody reads anyway, because they are likely to be 200 pages of legal jargon.
@Loyal Commenter
Firstly, there is no evidence that the passwords were brute forced on iCloud, and not taken from some other hacked site and used, in the hope that the same one was in use. No evidence that it wasn't either, so neither of us can claim that point.
Secondly, it took my niece 3 attempts to get it right, as she had a fair idea what she saw me type, so in effect, yeah, she brute forced it (with a good starting point).
As for "over the internet", oh no's!!!! You can hack over the internet now??!! What WILL we do? ;-)
Don't worry, I'm just poking fun.
But I agree with you that the problem is, and always has been the single password. 2FA helps, but that has problems too, as if the phone is stolen, then it can be selected to receive the code. Short of it all is, that if someone really wants your data, they will get it. Same as when car immobilisers got good enough, the thief simply broke into the house and stole the keys or car jacked you.
Oh, and on the 200 word jargon, why do you think companies produce these? Answer: idiot users who want a quick buck and sue over the slightest thing. Ends up costing the normal people money. Case in point is that pretty soon you will have to have insurance on your ride-on mower in the EU. All because one guy fell off a ladder and happened to fall on the mower. Idiot sued and now you will need insurance to operate one on your own land. It won't be long before we all need T&Cs for people who just drop by for tea.
I wish we were back in 1980 again. Common sense was a lot more common
Why, what with watch wizardry, wonder what we will not ever know? Just imagine if Sherlock Holmes could deduce the existence and recent history of Watson's elder brother just by looking closely at his pocket watch, a modern-day analyst should be able to deduce your secret girl friend's existence and her personal tastes by analysing the molecular-level traces of her perfume and hair spray on your watch, and matching those with a data base. They won't even need to bother looking at the actual data stored in the computing bit! Shame and exposure await you all, ye who buy those things.
Why muck about with watches or perfume when all you need is, for example, a small piece of fairy cake:
Since every piece of matter in the universe is in some way affected by every other piece of matter in the universe, it is, in theory, possible to extrapolate the whole of creation - every galaxy, every sun, every planet, their orbits, their composition, and their economic and social history, from, say - one small piece of fairy cake.
(Douglas Adams - but you knew that)
@D.A.M.
Why is that wrong? The point to a representative democracy is that the elected officials should represent the views of the people.
When did listening to the people you represent and aligning your platform with their views become 'pandering'?
Certainly when you vote in alignment with the proddings of big corporate donors, this is not great but if you are acting on behalf of the people, that's got to be a step in the right direction, no?
Yes, of course, not everyone in the electorate is a 'progressive' and many, many won't be, but that's the point of elections (at least when they're run fairly) - to find out which representative the majority of the people support.
With the disclaimer that I realise the naivete of this statement, getting elected is an endorsement by the public that your platform and/or policies best represent their collective views. In a sense it doesn't matter if the candidate really believes in those views or is just 'pandering'. So long as he or she actually acts in accordance with those promised ideals then there is good representation.
In practice this is all more complicated and far less ideal but if adopting progressive ideals gets you elected as the Attorney General of Connecticut then the majority (54%) of the people of Connecticut want a progressive Attorney General.
Many smart watches have come before without a whisper, which, although it doesn't make the questions worthless, shows this for what it is; an attempt to jump on the passing security bandwagon (with Apple as a bonus for extra headlines) to get Mr Jepsen's name in the press. Well played sir, it worked, although few will believe that you are the caring security conscious saint that you are trying to pass yourself off as...
Also most of his amazing questions for Apple were answered 6 months ago... I guess googling just doesn't generate the necessary press coverage...
https://developer.apple.com/app-store/review/guidelines/
Let's for one second assume the man is genuinely concerned.
Then I'm not sure simply Googling it, and reading a canned PR statement on a developer pointed website on a page named "guidelines" put out by Apple of all people is necessarily taking your job seriously.
Still hopefully he'll pay attention to your post and promise to be much more trusting of our corporate overlords in future.
Absolutely secure. No one in that state has one and no one will for quite a few months.
Sheesh. I assume the Attorney General has his office looking into the airbag situation for flying cars, though, I presume it's a much lower priority, because, you know, they really, really don't exist yet.
By the way, does Connecticut state law require the Attorney General to certify the security of devices and what are the criteria? Samsung and the Android world would keep him so busy that he would not have time for anything else, especially if the process involves meeting the CEO. Our devoted Attorney General, too, may be nostalgic for the pre-tech days when he could pursue white-collar crimes with zeal.
Oh, wait, Connecticut.
More convenient for users, with two secure elements (watch and phone) to choose from, so you aren't screwed if you lose one.
With all the regulations around HIPAA and privacy concerns, they should require two factor by default for health related data (not stupid stuff like pulse, but true health related data that may end up in HealthKit)
I suppose you could even do three factor (secure element, biometric i.e. fingerprint, AND password) but at some point users will reject it due to inconvenience, even if you make the grandstanding politicians happy.
. . . but answers are better.
For this exercise to be worthwhile, Mr. Cook must be pressed for accurate answers. That means that the specific topics and concerns must be explained ahead of time and the expectation made clear that Mr Cook should make sure he knows the answers or brings suitable technical assistance to explain it.
Otherwise you just have a CEO saying that he isn't sure and will have to investigate and is not across all the technical details.
Further, the questioning must be sufficiently persistent and the Attorney General must make sure that Mr. Cook actually gives direct answers to direct questions, rather than the non-specific waffle so common to such 'interviews' (just like politicians). Which of course means that the Attorney General's office must formulate suitably direct and specific questions.
"Where is data stored?" is direct but not specific enough for any answer to be useful.