Posts

Being an Apple User Means You’re Not the Product

/in /by

There’s an Internet saying: “If you’re not the customer, you’re the product.” The point is that, if you’re getting a service for free, the company providing it sees you not as a customer, but as a product to sell, generally to advertisers.

This is how Google, Facebook, and Twitter operate. They provide services for free, collect data about you, and make money by showing you ads. In theory, the more that advertisers know about you, the better they can target ads to you, and the more likely you’ll be to buy. Personalized advertising can seem creepy (or clueless, when it fails), but it isn’t inherently evil, and we’re not suggesting that you stop using ad-supported services.

This ad-driven approach stands in stark contrast to how Apple does business. Apple makes most of its money by selling hardware—iPhones, Macs, and iPads, primarily. Another big chunk of Apple’s revenue comes from App Store and iTunes Store sales, iCloud subscriptions, and Apple Pay fees. Knowing more about you, what Web pages you visit, what you buy, and who you’re friends with doesn’t help Apple’s business, and on its Privacy page, Apple says bluntly, “We believe privacy is a fundamental human right.”

Of course, once your data is out there, it can be lost or stolen—in June 2018, a security researcher discovered that the online data broker Exactis was exposing a database containing 340 million records of data on hundreds of millions of American adults. Ouch!

Let’s look at a few of the ways that Apple protects your privacy.

Siri and Dictation

The longer you use Siri and Dictation, the better they work, thanks to your devices transmitting data back to Apple for analysis. However, Apple creates a random identifier for your data rather than associating the information with your Apple ID, and if you reset Siri by turning it off and back on, you’ll get a new random identifier. Whenever possible, Apple keeps Siri functionality on your device, so if you search for a photo by location or get suggestions after a search, those results come from local data only.

Touch ID and Face ID

When you register your fingerprints with Touch ID or train Face ID to recognize your face, it’s reasonable to worry about that information being stored where attackers—or some government agency—could access it and use it for nefarious purposes. Apple was concerned about that too, so these systems don’t store images of your fingerprints or face, but instead mathematical signatures based on them. Those signatures are kept only locally, in the Secure Enclave security coprocessor that’s part of the CPU of the iPhone and iPad—and on Touch ID-equipped laptops—in such a way that the images can’t be reverse engineered from the signatures.

And, of course, a major goal of Touch ID and Face ID is to prevent someone from violating your privacy by accessing your device directly.

Health and Fitness

People with medical conditions can be concerned about health information impacting health insurance bills or a potential employer’s hiring decision. To assuage that worry, Apple lets you choose what information ends up in Health app, and once it’s there, encrypts it whenever your iPhone is locked. Plus, any Health data that’s backed up to iCloud is encrypted both in transit and when it’s stored on Apple’s servers.

App Store Guidelines

A linchpin in Apple’s approach to privacy is its control over the App Store. Since developers must submit apps to Apple for approval, Apple can enforce stringent guidelines that specify how apps can ask for access to your data (location, photos, contacts, etc.). This isn’t a blanket protection—for instance, if you allow a social media app Facebook to access your contacts and location, the company behind that app will get lots of data on your whereabouts and can even cross-reference that with the locations of everyone in your contact list who also uses the service.

In the end, only you can decide how much information you want to share with the likes of Google, Facebook, and Twitter, and only you can determine if or when their use of your details feels like an invasion of privacy. But by using Apple products and services, you can be certain that the company that could know more about you than any other is actively trying to protect your privacy.

Social Media: Many of the big Internet companies make their money by assembling a dossier of information about you and then selling advertisers targeted access to you. Luckily, that’s not true of Apple—here are a few of the ways Apple protects your privacy.

The post Being an Apple User Means You’re Not the Product appeared first on TidBITS Content Network.

Have Your Online Passwords Been Stolen? Here’s How to Find Out.

/in /by

Data breaches have become commonplace, with online thieves constantly breaking into corporate and government servers and making off with millions—or even hundreds of millions!—of email addresses, often along with other personal information like names, physical address, and passwords.

It would be nice to think that all companies properly encrypt their password databases, but the sad reality is that many have poor data security practices. As a result, passwords gathered in a breach are often easily cracked, enabling the bad guys to log in to your accounts. That may not seem like a big deal—who cares if someone reads the local newspaper under your name? But since many people reuse passwords across multiple sites, once one password associated with an email address is known, attackers use automated software to test that combination against many other sites.

This is why we keep beating the drum for password managers like 1Password and LastPass. They make it easy to create and enter a different random password for every Web site, which protects you in two ways.

  • Because password managers can create passwords of any length, you don’t have to rely on short passwords that you can remember and type easily. The longer the password, the harder it is to crack. A password of 16–20 characters is generally considered safe; never use anything shorter than 13 characters.
  • Even if one of your passwords was compromised, having a different password for every site ensures that the attackers can’t break into any of your other accounts.

But password security hasn’t always been a big deal on the Internet, and many people reused passwords regularly in the past. Wouldn’t it be nice to know if any of your information was included in a data breach, so you’d know which passwords to change?

A free service called Have I Been Pwned does just this (“pwned” is hacker-speak for “owned” or “dominated by”—it rhymes with “owned”). Run by Troy Hunt, Have I Been Pwned gathers the email addresses associated with data breaches and lets you search to see if your address was stolen in any of the archived data breaches. Even better, you can subscribe to have the service notify you if your address shows up in any future breaches.

Needless to say, you’ll want to change your password on any site that has suffered a data breach, and if you reused that password on any other sites, give them new, unique passwords as well. That may seem like a daunting task, and we won’t pretend that it isn’t a fair amount of work, but both 1Password and LastPass offer features to help.

In 1Password, look in the sidebar for Watchtower, which provides several lists, including accounts where the password may have been compromised in a known breach, passwords that are known to have been compromised, passwords that you reused across sites, and weak passwords.

LastPass provide essentially the same information through its Security Challenge and rates your overall security in comparison with other LastPass users. It suggests a series of steps for improving your passwords; the only problem is that you need to restart the Security Challenge if you don’t have time to fix all the passwords at once.

Regardless of which password manager you use, take some time to check for and update compromised, vulnerable, and weak passwords. Start with more important sites, and, as time permits, move on to accounts that don’t contain confidential information.

Social Media: Have any of your online passwords been stolen in a breach? The answer is probably “yes,” and today’s article helps you discover and correct your most problematic passwords.

Install Minor Operating System Updates to Maintain Herd Immunity

/in , , /by

It seems like Apple releases updates to iOS, macOS, watchOS, and tvOS nearly every week these days. It has been only a few months since iOS 11 and macOS 10.13 High Sierra launched, and we’ve already seen ten updates to iOS and seven updates to macOS. Some of these have been to fix bugs, which is great, but quite a few have been prompted by the need for Apple to address security vulnerabilities.

Have you installed all these updates, or have you been procrastinating, tapping that Later link on the iPhone and rejecting your Mac’s notifications? We’re not criticizing—all too often those prompts come at inconvenient times, although iOS has gotten better about installing during the night, as long as you plug in your iPhone or iPad.

We know, security is dull. Or rather, security is dull as long as it’s present. Things get exciting—and not in a good way—when serious vulnerabilities come to light. That’s what happened in November 2017, when it was reported that anyone could gain admin access to any Mac running High Sierra by typing root for the username and leaving the password field blank. That one was so bad that Apple pushed Security Update 2017-001 to every affected Mac and rolled the fix into macOS 10.13.2.

Part of the problem with security vulnerabilities is that they can be astonishingly complex. You may have heard about the Meltdown and Spectre hardware vulnerabilities discovered in January 2018. They affect nearly all modern computers, regardless of operating system, because they take advantage of a design flaw in the microprocessors. Unfortunately, the bad guys—organized crime, government intelligence agencies, and the like—have the resources to understand and exploit these flaws.

But here’s the thing. Security is an arms race, with attackers trying to take advantage of vulnerabilities and operating system companies like Apple, Microsoft, and Google proactively working to block them with updates. If enough people install those updates quickly enough, the attackers will move on to the next vulnerability.

The moral of the story? Always install those minor updates. It’s not so much because you will definitely be targeted if you fail to stay up to date, but because if the Apple community as a whole ceases to be vigilant about upgrading, the dark forces on the Internet will start to see macOS and iOS as low-hanging fruit. As long as most people update relatively quickly, it’s not worthwhile for attackers to put a lot of resources into messing with Macs, iPhones, and iPads.

That said, before you install those updates, make sure to update your backups. It’s unusual for anything significant to go wrong during this sort of system upgrade, but having a fresh backup ensures that if anything does go amiss, you can easily get back to where you were before.