Friday, April 3, 2020

iPad Pro 2020 Includes Microphone Hardware Disconnect

Tim Hardwick:

Apple has added an anti-eavesdropping feature to the 2020 iPad Pro that ensures the microphone hardware is disabled when a case is attached to the iPad and closed.

John Gruber:

This is what it looks like when a company is focused on security as an utmost priority.

Previously:


“This is what it looks like when a company is focused on security as an utmost priority.”

Really? Then how does he explain that the webcam security flaw in Safari was only rewarded with $75,000?

@someone I don’t know, $75K for the camera exploit doesn’t seem out of line to me given Apple’s example payouts. It seems like a good bounty to me. What are you comparing it to? Isn’t adding a bug bounty program a sign that they care?

I can't really speak to relative corporate priorities, but I wish Apple would take a page from Lenovo and put a webcam cover on their laptops, too.

@Gruber is a funny guy. The iPad came out 10 years ago!!!! It took them ten years to figure out how to disconnect a mic? Neat.

On a serious note. Yes, everyone should have kill switches on mics and cameras. Or kill switches for mic and covers for cameras. That would be swell.

Interesting that this requires an optional case to work.

Remember when the original iSight webcam had a physical iris you could close against "peeping Toms"?

> What are you comparing it to?

It could be compared to multiple things;

- the number of devices which were suffering from this issue x $0.99.
- the money that some other companies/individuals would have been willing to pay to acquire such a hack.
- the cost of the "What happens on your iPhone stays on your iPhone" gigantic banner in Las Vegas.
- the average annual compensation of a member of the WebKit, Safari, Security and QA teams at Apple who unfortunately didn't think about this issue before the person who reported it.
- the price of the top configuration of Apple's new Mac Pro + Display + Webcam, a computer which was quite probably suffering from the issue.

You can pick the one you find the most realistic and then you double this amount since Apple "is focused on security as an utmost priority".

> Isn’t adding a bug bounty program a sign that they care?

I've been reading more often about bounties not being granted than anything else (or people wondering whether Apple finally introduced this program just to prevent the hacks from being disclosed after the standard delay).

Sören Nils Kuklau

I think Gruber's assertion there is a bit much, but they didn't have to add that feature (I haven't heard anyone asking for it, even though MacBooks have had it for a while), and chose to, as a small, nobody-will-ever-even-notice way to improve security. I think that's his point.

Countering that with "yeah, but Apple's engineering staff is clearly overpaid if they didn't discover every single security issue" seems silly.

You can look at the iOS security guide and will find lots of ways in which the iPhone's security design is very thoughtful in a way it didn't have to be. (It's also locked down in ways it didn't have to be, yes.) And there's a case to be made that, were it not for Apple pushing the envelope in that area, most other hardware vendors wouldn't.

So, no, I don't know about "utmost priority". But I do think it is a big priority, and yes, that giant banner in Las Vegas comes from a culture that prides itself on getting privacy right more often than not. I think that's a perfectly fair assessment.

> Countering that with "yeah, but Apple's engineering staff is clearly overpaid if they didn't discover every single security issue" seems silly.

Never mentioned them being overpaid. Just implied that $75,000 is under the average annual compensation x 2.

> But I do think it is a big priority, and yes, that giant banner in Las Vegas comes from a culture that prides itself on getting privacy right more often than not. I think that's a perfectly fair assessment.

Since they (the marketing teams) had the "brilliant" idea of this giant banner, there have been at least 3 serious security issues that countered the banner claim: e.g. Group FaceTime issue.

It's laudable that the technical teams aim to provide better security/safety but it's laughable that they (the marketing teams) make bold statements about a device being perfectly secured.

In retrospect, the Las Vegas banner looks like the equivalent of "640K ought to be enough for anyone" for security. The difference being Gates is reported to never have said that or stated that through a giant banner in Las Vegas.

Isn't the reward scale for bug bounty programs typically related to the black market rate for exploits? So that there's economic incentive to disclose to the software vendor, in addition to ethical & legal incentives? Not sure why any of these other comparisons would be relevant.

Sören Nils Kuklau

Never mentioned them being overpaid. Just implied that $75,000 is under the average annual compensation x 2.

You implied that they were incompetent, and that there was a connection between this incompetence and their pay.

Since they (the marketing teams) had the “brilliant” idea of this giant banner, there have been at least 3 serious security issues that countered the banner claim: e.g. Group FaceTime issue.

I don’t see how that invalidates anything.

but it’s laughable that they (the marketing teams) make bold statements about a device being perfectly secured.

In retrospect, the Las Vegas banner looks like the equivalent of “640K ought to be enough for anyone” for security.

Apocryphal or not, “640K ought to be enough for anyone” gets pulled as an example for lack of foresight.

That doesn’t apply here. You could make the case that it did if Apple had closed their security teams, not launched a bounty program (years late, arguably), and not put in efforts such as the microphone hardware disconnect.

They’re not making a privacy marketing push and then resting on their laurels. They’re making the push while also steadily improving security and privacy, including both in ways that are largely unprompted (such as the microphone hardware disconnect), and ways that are very much prompted (such as the FaceTime bug).

@Sören Yeah, I mean they are not perfect, but they are clearly trying to do the right thing with security/privacy and are making good progress. If anything, especially on the Mac, I think they are working too hard on security, at the expense of usability/bugs/features.

> You implied that they were incompetent, and that there was a connection between this incompetence and their pay.

Just take some time to type "unfortunately" in Dictionary.app and check what the first synonym is. You might be surprised.

Regarding the banner, if you don't think it has backfired and will continue backfiring, I don't have any problem with that.

Last time I read a reference to this banner, it was in January 2020 and related to Apple reportedly dropping end-to-end encryption for iCloud (drive?). It was something like "What happens on your iPhone stays on your iPhone… unless it's backed up on iCloud". Maybe it was a tweet related to this article: https://9to5mac.com/2020/01/21/icloud-backups/

@someone This may be a case where the general public perception is out of line with those of us who follow details like the backup encryption story. I think people generally believe that the banner is true (or at least true in a relative sense), so maybe it didn't backfire?

Sören Nils Kuklau

Yeah, I mean they are not perfect, but they are clearly trying to do the right thing with security/privacy and are making good progress. If anything, especially on the Mac, I think they are working too hard on security, at the expense of usability/bugs/features.

Yup.

Maybe Windows has the better trade-off here, with a “seriously, I know what I’m doing” developer mode. But I can see how that is fraught with problems.

Just take some time to type “unfortunately” in Dictionary.app and check what the first synonym is. You might be surprised.

I really don’t know where this is going.

Regarding the banner, if you don’t think it has backfired and will continue backfiring, I don’t have any problem with that.

I don’t think it has backfired, but I’m not a market researcher. I would wager if you did a focus group and asked people, “how do you feel about Apple and privacy?”, most would answer “yeah, I think it’s one of their pros”, with some perhaps adding, “but I can’t really afford Apple products”. But I could be wrong!

I can think of quite a few things to criticize about Apple, but if I wanted to think about something I think Apple has largely gotten right in recent years, and that partially validates my choice to be on Apple platforms, it would be their privacy push. This goes beyond marketing, too; I think Tim Cook sincerely has strong personal feelings about the importance of privacy.

That does not mean they always get that right. It also doesn’t mean they shouldn’t be criticized for when they get it wrong. But if they want to flaunt “hey, we made a product that has privacy as one of its key focus areas”? Yeah, more power to them, IMHO.

Last time I read a reference to this banner, it was in January 2020 and related to Apple reportedly dropping end-to-end encryption for iCloud (drive?). It was something like “What happens on your iPhone stays on your iPhone… unless it’s backed up on iCloud”. Maybe it was a tweet related to this article:

So, there’s two aspects I want to address here.

The first is iCloud backups itself. I think Apple can’t really win on that one. Anecdotal evidence suggests that there is a lot of support volume of people coming to an Apple Store with “help, I’ve lost access to my backups”. If they were to encrypt iCloud backups such that they don’t have a master key, that would lead to some very unhappy people. People don’t want to lose photos of their kids, and all the many other things they store on their phones.

But I do think there’s something Apple could do, and should’ve done quite a while ago, and a cynic might say the reason they haven’t yet is revenues: they could let me back up my iOS device locally instead. Macs can do it (and conversely, perhaps for historical technical reasons, Macs cannot be backed up to iCloud), but with an iOS device, I need to first connect to a PC, then back up through that. Just let me back up to my NAS. I know it’s nerdy and I know 95% will never do that. But those remaining 5% can be shown how by their friendly nerdy neighborhood son.

I remain hopeful they eventually will.

@Sören They could also enable third-party cloud backup! Let other providers handle the multitude of backup features that Apple itself never will.

3rd party cloud backup would also open up a privacy & security can of worms. Unless the system let you set a private key before sending the data to your provider of choice. (Although if I could set a private key I'd likely just continue to use iCloud backup.)
