I know of one case of a Polish prosecutor who does not obey (does not want to bend the law) Zbigniew Ziobro, who is both the minister of justice and the prosecutor general. She received a notification from Apple just today.
I think you need to add a translation of the tweet. Because it sounds as if he didn't obey Apple's warning. Yet I think he approves of Apple's notification. It is the government who he wasn't obeying? So the government installed the spyware?
Translates to:
"I just received an alert @AppleSupport about a possible cyberattack on my phone from state services. With the indication that I may be targeted for what I am doing or who I am.
I will take the warning seriously because it was preceded by other incidents @ZiobroPL is this a coincidence?"
It is like a Polish Watergate: the prosecutor has been criticizing minister Ziobro and already lost her job (not only her, this problem is now on the EU table and European trials say the Polish gov is breaking the law doing this) and now she learned minister Ziobro was spying on her (and probably is still doing this).
The transport is secure, but if an attacker has already found their way into the device, they can intercept notifications/iMessages and remove it automatically anyway, so yes it's a bit of concern. But at that point, anything will be concerning, not only iMessage.
I received an imminent advanced security threat notification back in January 2019. Urging me to get one of those 2fa dongles (which I did). And just as well, because the next month my account was locked due to an attempted unauthorized access.
The Google warning page can be viewed by anyone, but they do specifically tell targeted individuals through other channels (a big red warning message at the top of Gmail, for example): https://myaccount.google.com/stateattackwarning
Apple is like the last company in that space to do this. Google has had these warnings since 2012. Facebook, Microsoft and Twitter since 2015.
(I agree that it's great that Apple is finally doing this. But it seems entirely par for the course for them to be a decade late and still get the credit.)
I have never seen any warnings from Google or Facebook if I automate against my own accounts, and dumping the data. Only on sign-in attempts. That kind of warning is very limited, and Apple also have them.
It seems like Apple now have introduced ‘honey pots’ and other techniques to discover if there already is someone with access to your account/device, and that is a big deal and good news.
And something I have never seen from any of the other big companies.
I might care if Apple had a history of protecting US citizens from their own government, or shielding Chinese users from their own tyrannical surveillance systems.
I'm surprised to see protection against state sponsored attacks implemented by a company as big as Apple. Is any other 'mainstream' company offering a similar feature?
Warrant canary [0] comes to mind, but that is usually a message to all users, as opposed to notifying an individual user.
Yeah, I loved having my work gmail account peppered with a giant red banner warning "THIS ACCOUNT IS THE TARGET OF STATE SPONSORED HACKERS". That was fun. We didn't really know how to respond or attempt to mitigate such a warning so, left it ignored.
Would a smaller company stand a chance against very much any state?
If men in suits took the CEO of a big company for "a talk" in the forest there would be a lot of fuss in the media, whereas a small company would probably be scared to bits and never say a word.
Keep in mind this will only work for non-court-gag-ordered instances. If the US subpoenas Apple about an individual they won't be allowed to notify them.
I have no idea how this applies to other countries.
I think this is more like: "We noticed unusual API usage and we don't have a gag order so whatever it is, it's not likely to be good"
The methods of detecting such attacks are not at all similar to a government requesting data which contains the non-disclosure clause.
Apple doesn’t need to know the source of the attack to issue the warning, and if the attacker is competent Apple likely wouldn’t know the source, such that a gag would not apply.
To be fair, a subpoena isn't a cyberattack. But yes, this will be mostly of value to people being targeted by governments that are not the USA or best buddies with the USA.
It's rare that programmes like PRISM surface publicly. I don't see how Apple would gather top secret intel on national surveillance programmes on their own, so there is a good chance they aren't even aware.
I wonder if this could be used to expose those that are in sensitive positions. I.e. offer attacks at people you think are in important positions and watch how they react to the news. For example if you work somewhere sensitive and you have accounts not tied to the Apple account. The State Sponsored group is probably good enough to see your traffic patterns and to see if they change after you have been notified. Not that I think Apple shouldn't do this but I can see someone being crafty and trying to take advantage of this. There are always trade-offs in security!
I see a lot of people in the comments conflating legal requests and attacks. Regardless of your opinion on either of those issues, they are different things.
By "legal request" I mean requests made through channels of the law. These things aren't "attacks" because they're functionally not attacks. 'Cooperation' is antithetical to 'attack'.
For example, when China demanded that iCloud for Chinese users was handed over to GCBD[0], and Apple complied, it was not, in any way, something that would be accurately described as an "attack". Apple cooperated with the demands that the legal environment presented.
If Apple learns of NSA surveillance of a specific individual... maybe? Beyond that what are you suggesting they do, send an alert to everyone in the US that the NSA might be spying on them?
This is a good service since states felt it was necessary to use surveillance powers against the domestic population.
To me that warrants retaliation in my opinion, it would be a case for self-defense. For example isolating the trojan in a honey-pot OS and delivering it to foreign actors' cybersecurity research labs. Just make it unfeasible to support such software and it will stop. My country (Germany) sadly is prone to ignore civil liberties. There were home searches because someone called some minister a penis on Twitter and there were other severe transgressions. Since the law doesn't protect against them anymore, the state has proved that it is not capable of responsible conduct with software that relies on zero-day exploits which endanger every computer system.
Glad that companies with real security expertise put up the slack here, although they shouldn't have to do that.
Source: https://mobile.twitter.com/e_wrzosek/status/1463551631648251...
Other companies should take note. More of this, please!
(whoever works on this at Google, thank you)
[0]: https://en.wikipedia.org/wiki/Warrant_canary
You mean apart from basically every other mainstream tech company? [1] [2] [3]
[1] https://www.washingtonpost.com/business/economy/google-to-al...
[2] https://www.wired.com/2015/10/facebook-now-warns-users-of-st...
[3] https://threatpost.com/twitter-warns-some-users-of-nation-st...
I don't see how Google could have been aware that this was happening, although they certainly could have known it was theoretically possible.
[0] https://www.apple.com/legal/internet-services/icloud/en/gcbd...