Archive for March 9, 2021

Tuesday, March 9, 2021

Transferring iCloud Photos

Data Transfer Project (via Hacker News):

The Data Transfer Project was launched in 2018 to create an open-source, service-to-service data portability platform so that all individuals across the web could easily move their data between online service providers whenever they want.

The contributors to the Data Transfer Project believe portability and interoperability are central to innovation. Making it easier for individuals to choose among services facilitates competition, empowers individuals to try new services and enables them to choose the offering that best suits their needs.

Apple (via Juli Clover):

You can request to transfer a copy of photos and videos you store in iCloud Photos to Google Photos. Transferring photos and videos from iCloud Photos doesn’t remove or alter the content you store with Apple, but sends a copy of your content to the other service.

The transfer process takes between three and seven days. We use this time to verify that the request was made by you, and to make the transfer.

Some data and formats available in iCloud Photos—such as Smart Albums, Live Photos, or some RAW files—may not be available when you transfer your content to another service.

Mark Munz:

I can now transfer my iCloud photos to another service.

When will I be able to copy my iCloud data to another iCloud account so I can merge it into a single account? ⏱

Nick Heer:

Curious that you can transfer to Google Photos images from two of its biggest competitors, Facebook and now Apple’s iCloud Photos, but not from Google to either of those.

Did Schnorr Destroy RSA?

Steve Weis (via Hacker News):

A recent paper, “Fast Factoring Integers by SVP Algorithms” by Claus P. Schnorr, claims significant improvements in factoring that “destroys the RSA cryptosystem”. If true, it would be practical to demonstrate on well known RSA factoring challenges.

No such demonstration has been made. Without this, assessing the correctness of the paper will have to wait for reviewers to wade through the details and give their feedback.

Bruce Schneier (Hacker News):

At best, it’s an improvement in factoring — and I’m not sure it’s even that.

See also: Stack Exchange.

Vulnerabilities in Microsoft Exchange Server

Brian Krebs (via Hacker News):

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

Nick Heer:

Thumbing through that spreadsheet is informative. You will see exploits targeting software and firmware from Apple, Google, Mozilla, and Adobe — especially Adobe. But the number of vulnerabilities in Microsoft’s products that are being used in the wild stands head and shoulders above all other vendors. That is alarming but it is also unsurprising: organizations large and small use Microsoft’s productivity and server products; perhaps more importantly, these products are used by governments at all levels with no great alternatives.


The State of Deepfakes

James Vincent:

When a series of spookily convincing Tom Cruise deepfakes went viral on TikTok, some suggested it was a chilling sign of things to come — harbinger of an era where AI will let anyone make fake videos of anyone else. The video’s creator, though, Belgium VFX specialist Chris Ume, says this is far from the case. Speaking to The Verge about his viral clips, Ume stresses the amount of time and effort that went into making each deepfake, as well as the importance of working with a top-flight Tom Cruise impersonator, Miles Fisher.


Apple Platform Security Guide (February 2021)

Apple (PDF, via mikeymikey):

This documentation provides details about how security technology and features are implemented within Apple platforms. It also helps organizations combine Apple platform security technology and features with their own policies and procedures to meet their specific security needs.

Rich Mogull:

The future of cybersecurity is vertical integration. By vertical integration, I mean the combination of hardware, software, and cloud-based services to build a comprehensive ecosystem. Vertical integration for increased security isn’t merely a trend at Apple, it’s one we see in wide swaths of the industry, including such key players as Amazon Web Services. When security really matters, it’s hard to compete if you don’t have complete control of the stack: hardware, software, and services.

Nick Heer:

All of this makes me wonder whatever happened to Project McQueen, Apple’s effort to eliminate its reliance on third-party data centres for iCloud. Surely this project did not die when some of the engineers responsible for it left the company, but Apple still depends on others for hosting.

Rosyna Keller:

Apple modified the C compiler toolchain used to build the iBoot bootloader to improve its security. The modified toolchain implements code to prevent memory- and type-safety issues that are typically encountered in C programs.

Apple:

In macOS 11, equivalent at-rest protection for system content is provided by the SSV, and therefore the system volume no longer needs to be encrypted. Any modifications made to the file system while it’s at rest will be detected by the file system when they’re read. If the user has enabled FileVault, the user’s content on the data volume is still encrypted with a user-provided secret.

If the user chooses to disable the SSV, the system at rest becomes vulnerable to tampering, and this tampering could enable an attacker to extract encrypted user data when the system next starts up. Therefore the system won’t permit the user to disable the SSV if FileVault is enabled. Protection while at rest must be enabled or disabled for both volumes in a consistent manner.

In macOS 10.15 or earlier, FileVault protects operating system software while at rest by encrypting user and system content with a key protected by a user-provided secret. This protects against an attacker with physical access to the device from accessing or effectively modifying the file system containing system software.

The idea here is that with neither FileVault nor the signing protecting the system volume, someone with physical access to the Mac could tamper with the system, e.g. to exfiltrate your password when you log in.
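To make the "detected when they're read" property concrete, here is a simplified model of verify-on-read against a single trusted root hash (the "seal"). It is an added example, not Apple's code and not part of the quoted material; the SHA-256 Merkle tree layout, the function names and the sample blocks are assumptions chosen for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_levels(blocks):
    """Hash tree over the blocks: levels[0] = leaf hashes, levels[-1] = [seal]."""
    levels = [[h(b"\x00" + b) for b in blocks]]      # 0x00 prefix marks a leaf
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:                             # pad odd levels in place
            cur.append(cur[-1])
        levels.append([h(b"\x01" + cur[i] + cur[i + 1])   # 0x01 marks a parent
                       for i in range(0, len(cur), 2)])
    return levels

def proof_for(levels, index):
    """Sibling hashes needed to recompute the seal from one leaf."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def verified_read(volume, index, path, seal):
    """Return the block only if it still hashes up to the trusted seal."""
    node, pos = h(b"\x00" + volume[index]), index
    for sibling in path:
        pair = sibling + node if pos & 1 else node + sibling
        node, pos = h(b"\x01" + pair), pos // 2
    if node != seal:
        raise IOError(f"block {index}: hash does not match seal")
    return volume[index]

def demo():
    # Constructed sample "system volume"; sealed once at install time.
    blocks = [b"kernel", b"loginwindow", b"sshd", b"libsystem"]
    levels = build_levels(blocks)
    seal = levels[-1][0]                    # assumed to be held outside the volume
    proofs = [proof_for(levels, i) for i in range(len(blocks))]
    volume = list(blocks)
    volume[1] = b"loginwindow (modified)"   # change made while the system is off
    untouched = verified_read(volume, 0, proofs[0], seal)
    try:
        verified_read(volume, 1, proofs[1], seal)
        detected = False
    except IOError:
        detected = True
    return untouched, detected

if __name__ == "__main__":
    print(demo())
```

Nothing is flagged at the moment of modification; the mismatch surfaces only when the changed block is read, which is why the seal gives at-rest integrity without encrypting the system volume.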

Ricky Mondello:

Ever wonder how iCloud Keychain’s Password Monitoring feature works?

tl;dr: Apple servers. 1.5 billion passwords. On-device matching against the most common. Cryptographic private set intersection after that.
