Technology: Apple is fixing encrypted email on macOS because it’s not as encrypted as we thought - - PressFrom - US
  •   
  •   
  •   

Technology Apple is fixing encrypted email on macOS because it’s not as encrypted as we thought

20:30  08 november  2019
20:30  08 november  2019 Source:   theverge.com

Apple confirms iOS 13 Reminders will be fixed with macOS Catalina rollout

  Apple confirms iOS 13 Reminders will be fixed with macOS Catalina rollout iOS 13 came out a couple of weeks ago, but one thing you may have noticed is that Reminders no longer sync with Macs. Apple has confirmed that Reminders will not sync until the release of the newest version of macOS. The new version of Reminders for iPhone impressed us with its improvements in iOS 13.1. However, to sync Reminders between an iPhone and a Mac requires macOS 10.15, a.k.a. Catalina, which isn't due to release until the coming weeks. "Upgraded reminders aren't compatible with earlier versions of iOS and macOS," Apple says on its support site.

Apple stakes a lot of its reputation on how it protects the privacy of its users, as it wants to be the only tech company you trust. But if you send encrypted emails from Apple Mail, there’s currently a way to read some of the text of those emails as if they were unencrypted — and allegedly, Apple’s known about this vulnerability for months without offering a fix.

  Apple is fixing encrypted email on macOS because it’s not as encrypted as we thought © Illustration by Alex Castro / The Verge

Before we go any further, you should know this likely only affects a small number of people. You need to be using macOS, Apple Mail, be sending encrypted emails from Apple Mail, not be using FileVault to encrypt your entire system already, and know exactly where in Apple’s system files to be looking for this information. If you were a hacker, you’d need access to those system files, too.

GoPro's Hero8 Black Is Boring—and That's What Makes It Great

  GoPro's Hero8 Black Is Boring—and That's What Makes It Great No single upgrade in GoPro’s new flagship camera will surprise you. There is no “new killer feature” that sets it apart from either the competition or last year’s Hero7 Black. It doesn’t even have a built-in selfie screen (although you can buy one as a new add-on “mod.”) And yet, somehow, the Hero8 Black is the GoPro I’ve been waiting to see for years without realizing it.

Apple tells The Verge it’s aware of the issue and says it will address it in a future software update. The company also says that only portions of emails are stored. But the fact that Apple is still somehow leaving parts of encrypted emails out in the open, when they’re explicitly supposed to be encrypted, obviously isn’t good.

Only portions of emails are stored

The vulnerability was shared by Bob Gendler, an Apple-focused IT specialist, in a Medium blog published on Wednesday. Gendler says that while trying to figure out how macOS and Siri suggest information to users, he found macOS database files that store information from Mail and other apps which are then used by Siri to better suggest information to users. That isn’t too shocking in and of itself — it makes sense that Apple needs to reference and learn from some of your information to provide you better Siri suggestions.

macOS Catalina is available to download today

  macOS Catalina is available to download today It's happening a little later in the season than usual, but Apple's latest version of macOS is available to download today. Catalina arrives on the heels of iOS 13, which saw several back-to-back updates after an initially rough launch. For what it's worth, I've been using successive versions of the Catalina beta as my daily driver for months now and can assure you that the latest build is stable enough to safely install. Engadget will publish aEngadget will publish a full review of the software soon. The reason we're waiting: A couple of key features won't be available to try out until the finished OS ships today.

But Gendler discovered that one of those files, snippets.db, was storing the unencrypted text of emails that were supposed to be encrypted. Here’s an image he shared that’s helpful to explain what’s going on:

a screenshot of a cell phone© Image: Bob Gendler

The circle on the left is around an encrypted email, which Gendler’s computer is not able to read, because Gendler says he removed the private key which would typically allow him to do so. But in the circle on the right, you can make out the text of that encrypted email in snippets.db.

Gendler says he tested the four most recent macOS releases — Catalina, Mojave, High Sierra, and Sierra — and could read encrypted email text from snippets.db on all of them. I was able to confirm the existence of snippets.db, and found that it stored portions of some of my emails from Apple Mail. I couldn’t find a way to get snippets.db to store encrypted emails I sent to myself, though.

Apple just released macOS Catalina to the public

  Apple just released macOS Catalina to the public Back in the day, a new macOS release (or OS X if you want to be particular) was a huge event for Mac users. But as the world shifted from desktop to mobile computing en masse, Apple arguably started to neglect the Mac. While iOS would routinely receive a boatload of new features, macOS updates started becoming less and less compelling. In recent years, though, Apple has picked up the pace a bit. And while new macOS releases still aren’t as exciting as iOS releases, they’ve become more compelling than you might remember. With that said, Apple today released macOS Catalina, a desktop update with a number of new features that you’ll definitely want to download as soon as possible.

There’s a way to stop emails from being collected

Gendler first reported the issue to Apple on July 29th, and he says he didn’t get a response with a solution from the company until November 5th — 99 days later — despite repeated follow-ups. And even though Apple has updated each of the four versions of macOS where Gendler spotted the vulnerability in the months since he reported it, none of those updates contained a fix for the issue.

If you want to stop emails from being collected in snippets.db right now, Apple tells us you can do so by going to System Preferences > Siri > Siri Suggestions & Privacy > Mail and toggling off “Learn from this App.” Apple also provided this solution to Gendler — but he says this solution will only stop new emails from being added to snippets.db. If you want to make sure older emails that may be stored in snippets.db can no longer be scanned, you may need to delete that file, too.

If you want to avoid these unencrypted snippets potentially being read by other apps, you can avoid giving apps full disk access in macOS Catalina, according to Apple — and you probably have very few apps with full disk access. Apple also says that turning on FileVault will encrypt everything on your Mac, if you want to be extra safe.

Again, this vulnerability probably won’t affect that many people. But if you do rely on Apple Mail and believed your Apple Mail emails were 100 percent encrypted, it seems that they’re not. As Gendler says, “It brings up the question of what else is tracked and potentially improperly stored without you realizing it.”

A company that sold encrypted phones was run by crime lords .
That’s definitely a conflict of interestOkay, that’s obviously not an idiom, but it’s a true story chronicled by Vice’s Joseph Cox. In the story, Cox tells how MPC — a now-seemingly defunct company that apparently sold phones, tablets, and computers running custom firmware with significant encryption protections — was ultimately controlled by two at-large criminal kingpins known as The Brothers.

—   Share news in the SOC. Networks

Topical videos:

usr: 1
This is interesting!