Tag: China

Apple still appears to provide far more data to U.S. law enforcement. Over that same period, from 2013 through June 2020, Apple said it turned over the contents of iCloud accounts to U.S. authorities in 10,781 separate cases.

Source: Censorship, Surveillance and Profits: A Hard Bargain for Apple in China – DNyuz

That’s an average of over 1,500 cases a year.

The documents also show that Apple is using different encryption technology in China than elsewhere in the world, contradicting what Mr. Cook suggested in a 2018 interview.

The digital keys that can decrypt iCloud data are usually stored on specialized devices, called hardware security modules, that are made by Thales, a French technology company. But China would not approve the use of the Thales devices, according to two employees. So Apple created new devices to store the keys in China.

Makes sense.

Apple has tried to isolate the Chinese servers from the rest of its iCloud network, according to the documents. The Chinese network would be “established, managed, and monitored separately from all other networks, with no means of traversing to other networks out of country.” Two Apple engineers said the measure was to prevent security breaches in China from spreading to the rest of Apple’s data centers.

Apple said that it sequestered the Chinese data centers because they are, in effect, owned by the Chinese government, and Apple keeps all third parties disconnected from its internal network.

They darn well better. I’m quite certain that China’s Ministry of State Security desires personal data on Americans on a level that rivals even that of the NSA.

China has been stealing intellectual property from all across the globe for decades, and now they don’t even have to fool with it any more. Anyone wanting to do business in China has to hand over all the keys to the kingdom, literally and figuratively. No muss; no fuss! You want allowed into their vast, growing, and under-fleeced market? You give China anything it wants, in the form of information and control. That’s the deal; take it or leave it.

And, as it turns out, basically every company on the planet is taking that deal, for the sake of their sales, their share price, and the personal wealth of their officers and board members. What a bargain!

In return, we peasants get labor-subsidized iPhones. They’re already $1,000 computers. Who knows how much they would cost if they weren’t being assembled by people making $5/day. What a deal!

So everyone is getting something from this situation, and there’s no one left to complain. Ergo, it will not change for the foreseeable future.

While the operation had a certain degree of complexity, Equifax itself made their job much easier than it should have. It should have patched that initial Apache Struts vulnerability, for starters. And an FTC complaint from last summer also found that the company stored administrative credentials in an unsecured file in plaintext. It kept 145 million Social Security numbers and other consumer data in plaintext as well, rather than encrypting them. It failed to segment the databases, which would have limited the fallout. It lacked appropriate file integrity monitoring and used long-expired security certificates. The list goes on. Equifax didn’t just let the alleged Chinese hackers into the vault; it left the skeleton key for every safe deposit box in plain sight.

Source: How 4 Chinese Hackers Allegedly Took Down Equifax | WIRED

This whole incident deeply offends me. I don’t like that our capitalistic society has given these credit-reporting companies so much control over our lives. I don’t like that they seem to be completely unaccountable for being so integral to so much of our economy. I don’t like that they hold all the information you would need to ruin someone’s life by impersonating them online. I don’t like that they are not being prosecuted for being so flippant with personally-identifying data.

I don’t like the fact that a sovereign foreign power committed industrial espionage on a critical part of our economy. I don’t like that they already did basically the same thing to a government personnel database the year before. I don’t like that China’s government exists to begin with, given their treatment of their own people, Hong Kong, and the Uighers. I also don’t like that China has been committing wholesale intellectual property theft for many decades. I don’t like the fact that we all know it, and nothing seems to be getting done to stop it.

The initial vulnerability the attackers leveraged was a problem in Apache Struts, which implies that Equifax’s web application uses Java. Using Java for a web application in 2017 is like driving a Model T in 1950. Sure, it was a reliable means of transportation, and revolutionary when it was introduced, but it’s 20 years out of date. It requires an inordinate amount of maintenance, spare parts are more difficult to find. Mechanics can be lazy, because they know they have the owner of the car over a barrel, and they can charge a premium for service, and take their time. There are many better options available, which start quicker, go faster, have safety features built in, and are far more comfortable.

Not all applications require encrypted this, and sharded that, and intrusion detection systems, and real-time monitoring, and everything else, but if any application needed these sorts of treatments, it would have been this one. Also, if any application needed its owners to stay on top of CVE disclosure reports, and fix affected layers of their stack, as appropriate, it would have been this one.

In sort, there’s literally no good news here. Nothing will happen to China, its government, or the actual individuals named in the indictment. The punishment to Equifax is a slap on the wrist. Everyone jumped on the settlement, and now no one will get anything. Everything about this is wrong, and nothing good will come of it.