Comment by jcalvinowens
1 day ago
> Apple's solution is iCloud Keychain which is E2E encrypted, so would not be revealed with a court order.
Nope. For this threat model, E2E is a complete joke when both E's are controlled by the third party. Apple could be compelled by the government to insert code in the client to upload your decrypted data to another endpoint they control, and you'd never know.
That was tested in the San Bernardino shooter case. Apple stood up and the FBI backed down.
It's incredibly naive to believe apple will continue to be able to do that.
Yeah and Microsoft could insert code to upload the bitlocker keys. What's your point? Even linux could do that if they were compelled to.
> Even linux could do that if they were compelled to.
An open source project absolutely cannot do that without your consent if you build your client from the source. That's my point.
This is a wildly unrealistic viewpoint. This would assume that you somehow know the language of the client you’re building and have total knowledge over the entire codebase and can easily spot any sort of security issues or backdoors, assuming you’re using software that you yourself didn’t make (and even then).
This also completely disregards the history of vulnerability incidents like XZ Utils, the infected NPM packages of the month, and even for example CVEs that have been found to exist in Linux (a project with thousands of people working on it) for over a decade.
1 reply →
Wait I'm sorry do you build linux from source and review all code changes?
4 replies →