Macs send docs to iCloud without warning

[silicon_toad2000]

http://arstechnica.com/security/2014/11/critics-chafe-as-macs-send-sensitive-docs-to-icloud-without-warning/

Honey... why is your icloud account full of porn?

Once upon a time, in-progress files were stored locally on a Mac, a design that gave users more ability to prevent sensitive files—say, those created on the fly to store passwords, a Social Security Number, or confidential client-attorney work product—from being accessed via law enforcement or national security dragnets. Whereas locally stored files residing on a FileVault-protected Mac require the adversary to have physical access and possession of crypto key, the bar for accessing files stored in iCloud is lower, according to former National Security Administration contractor Edward Snowden.

The iCloud autosave provides a convenience that many users no doubt are happy to have. After all, the cloud copies allow users to pick up right where they left off when switching Macs or turning on an iPhone or iPad to resume work on an unfinished letter, presentation, or other type of document. But critics object to the behavior being turned on by default without a more explicit warning that it funnels potentially sensitive data to Apple servers.

"I think the iCloud thing is really nasty behavior (and it’s apparently in Mavericks too) so I’m surprised that it hasn’t been mentioned in the tech press," Matt Green a professor specializing in cryptography at Johns Hopkins University, told Ars. "I’m sure someone will twig to it soon."

As Paul noted, the autosave feature is turned on unless users take action to disable it. One way is to turn it off within the settings can be accessed in System Preferences > iCloud > Documents & Data. Another way is to save a blank file and then type notes afterward.

[White Stripes]

hmmmmm... this 'cloud' schitt is great for servers that want to hide but terrible for home users.... i think we have found the only use for the cloud..... lets give it up apple...

[GhostShip]

It has always seemed rather a dubious offering given the rather obvious drawbacks in security, one has to wonder just why these big tech companies keep trying to get folks tied into such things, personally I think they want to move folks onto a rental model where your own hardware requirements become near nothing and they offer all of the fancy stuff, this would keep both the big companies and the ISP companies happy and also courts and govt snoops would not be upset by such a major change.

[silicon_toad2000]

People have been putting things "somewhere else" since the first library or the safe deposit box was invented. I think calling it the cloud just clouds the issues (yeah i know).
 I use google calendar, I think it's great to be able to share information easily.

I think the biggest issue here was the "opt out" rather than "opt in".

[GhostShip]

I don't share that thought , perhaps it has something to do with not requiring any warrant to read all of your emails etc when they are held off site, something the law treats as sacrosanct in your home is given open season status when held on a server somewhere.

[White Stripes]

all of this discussion is making me glad i have a mostly linux environment.... (only one windows computer left)

[GhostShip]

What flavour of Linux do you use anyway Stripes ?

[Update] Just read this article outlining some of the dangers of online storage of folks data

http://www.bbc.co.uk/news/business-29910101

[White Stripes]

heres an article thats going to make the first seem even worse...

Apple's China Experience Sours as State Hackers Target iCloud Data

http://globalvoicesonline.org/2014/11/03/apples-china-experience-sours-as-state-hackers-target-icloud-data/

Hackers backed by the central Chinese government have been staging man-in-the-middle (MITM) attacks on Apple's iCloud in an attempt to steal iCloud user data such as iMessages, photos and contacts. According to Greatfire.org, a research group focused on Internet censorship in China, the attacks took place when Apple launched iPhone6 in China on Oct. 17.

In the course of the attacks, hackers interposed their own website, with a fake iCloud.com certificate, between users and Apple's iCloud server to intercept user data. Earlier that day, Google, Github and Yahoo faced similar attacks aimed at stealing their users’ passwords.

.....

google knew better and picked up and left.... apple should be thinking about that too....


@GS: i use debian on this machine and linux mint on the netbook... mint with the 'mate' desktop is probably one of my most favorite of the distros (and ive been through a lot of em)... it takes care of the 'open source only' of debian without being bloated like ubuntu...

[Pri]

As usual this is the press blowing things out of proportion like the bent iPhone thing. When you first setup a new Mac or even upgrade your operating system from an older OS one of the first dialog boxes you will receive is "Do you want to setup iCloud?" and you can click No. And even if you do set it up and sign in to it you can untick the box to automatically save documents. The box is right there in your face.

I recently upgraded from Mavericks to Yosemite on my Mac. The first thing after it booted up in to the new OS was a window opened asking me to sign back in to iCloud, and as I did so it opened the iCloud control panel listing the things that would be stored there with tick boxes to disable anything I didn't want put in there.

[White Stripes]

the same ppl that bend iphones are the same ones that line up around the store to buy the latest iphone... with options in gold no less... ...along with the plenty that buy iphones without a data plan just for the 'status' of owning an iphone... many ppl forget that macs and iphones are actually computers (quite a bit less with iphone due to the walled garden) ..... apple computer is the 'nike' of computers... most buy them for the status... not the use... so users not paying attention to dialogs or things like 'the fappening' are just par for the course... seriously... do you think most icloud users keep up with articles regarding computer security?

prime example; http://www.cnet.com/news/preorder-an-iphone-6-with-a-pink-diamond-for-48-5-million/

thats not a phone... thats a piece of jewelry

[Pri]

iCloud like Dropbox, Mega, SkyDrive, Google Drive etc are useful tools and I don't think people should be denied them because some are ignorant to how they work or the risks they represent.

When you first sign up for iCloud, Apple recommends you turn on 2 Factor Authentication. This makes it so no one can access your account without also having physical access to one or more of your devices. So for example for someone to login to my iCloud they would need both my password and physical access to my iPhone at the same time. But they would also need my thumbprint to access my iPhone.

There will always be ignorant people out there and that shouldn't make us into a nanny state, just because some idiot can't read or ignores a menu doesn't mean we should get rid of things like iCloud. Robert A. Heinlein wrote in the Novella The Man Who Sold the Moon "Censorship is telling a man he can't have a steak just because a baby can't chew it." well I want my steak and iCloud.

[GhostShip]

My concern in all of this is not that folks cant use such online services but simply to understand that they have given up their rights to any security of content if they place that content on a remote platform, in Pri's example he muses about having a password etc but the fact is such passwords dont apply to the apple admin staff who will use a cryptographic backdoor to look at the contents if some judge signs a peice of paper demanding they do so, there is no real security involved here just the illusion of it.

[White Stripes]

The Chinese had no problem accessing iCloud without physical access to a machine... and like ghostship said... apple (or any of the other services) have no problem getting at your files either... ...if they were encrypted with the key being only on the local machine i could somewhat understand the use of these services but then you would need to take your key with you... ...at which point might as well bring the files as well... but i see no problem with a thumb drive on a keychain....

to each their own but apple sneakily storing unsaved files is just plain BS....

[Pri]

You'd have to own a Mac to understand why they store unsaved files. It's not as sneaky as it sounds. In Lion they saved unsaved documents from Text Edit and other apps incase you closed it and forgot to save what you were working on. These would get saved on the desktop. But with Mountain Lion, Mavericks and Yosemite Text Edit can have its files all stored in your iCloud document folder instead. This makes the files accessible on your iPhone and iPad over the air. Again you can just untick the box.

And when you first open Text Edit, at any time, not just the first time you ever use it but every time you open it. It opens a box to iCloud to show you the files you've previously saved there. It is not a big secret that the files are saved there and there is a little button to change from iCloud to your own hard drive. It is staring at you in the face each time you open it.

Again the Press just likes to push Apple around because it gets great views. As for the Chinese angle, that can happen to absolutely anything. We all know governments already save the content of every webpage you request, that ship has sailed a long time ago. There are apps available that allow you to fully encrypt your Dropbox, iCloud, Skydrive etc before it ever gets transmitted. There are options out there for people who are totally anal about their online privacy but lets be honest, if a government which owns all the infrastructure like the Chinese government in China does then there is little you as a citizen can do about it.

[Bluey_412]

You think only mac's store unsaved files?

PC's have been doing it for years, with a feature called Autosave, has rescued many a worker when their PC or application crashed...

[Bluey_412]

In fact go trawl thru your cache's files, it's all there, along with every document you ever printed, if you care to dig a little

[White Stripes]

textedit is a macs equivalent to notepad.... notepad doesnt autosave anything... i dont use wordpad but to read documents notepad cant open so i dont really know what it does but its useless for configuration files since it saves as binary... and nope... i dont have microsoft office either... which is what came up in google for 'autosave' ....

however... if something autosaved it would save to my hdd... not to a cloud account... ...and PCs dont just run windows... there is linux to contend with... have you looked at its internals lately?... vi is the only thing i can think of that saves a 'session file' in case something goes wrong when editing something... but as soon as that something is saved the session file disappears...

[Pri]

You think only mac's store unsaved files?

PC's have been doing it for years, with a feature called Autosave, has rescued many a worker when their PC or application crashed...

The automatic saving feature you're referring to I believe you mean in like Word or Powerpoint or some such? Macs have had these features for over a decade just as Windows has because Microsoft makes Office available for Mac.

What I am referring to with the Autosave in OS X which was added in Lion (Released in 2011) is now a system wide feature available to all software. Textedit on the Mac is like White Stripes said above akin to Notepad on Windows. It is not a full fledged publishing platform like what Word is. In-fact many people on the Mac install Microsoft Office it's one of the most popular apps on the Mac and it has been for a very very long time.

As for where Textedit saves documents, you would first need to set up iCloud for it to store files there. It doesn't just do it as you need an Apple account first to use iCloud. Just like you need an account to use Dropbox. By default Text Edit will save files on your desktop unless you've already told it to save files to iCloud which it asks you when you login to iCloud for the first time on any new Mac or even after upgrading your operating system.