iCloud data is stored on Google servers

I always thought my iCloud data was stored in an Apple-owned data center. I’m not sure why I thought that. I guess I just assumed. Turns out it’s not. It’s being stored on Google and Amazon S3 servers.

I’m not sure how I feel about that. I started avoiding Google services several years ago. I left Gmail for Fastmail. I moved my calendars and contacts from Google to Apple Calendar and Contacts. Now I find out that Apple is storing my data on Google servers.

I guess we have to trust that Apple is properly securing our data on Google and Amazon’s servers. They say they are.

iCloud stores a user’s contacts, calendars, photos, documents, and more and keeps the information up to date across all of their devices, automatically. iCloud can also be used by third-party apps to store and sync documents as well as key values for app data as defined by the developer. Users set up iCloud by signing in with an Apple ID and choosing which services they would like to use. iCloud features, including My Photo Stream, iCloud Drive, and iCloud Backup, can be disabled by IT administrators via MDM configuration profiles. The service is agnostic about what is being stored and handles all file content the same way, as a collection of bytes.

Each file is broken into chunks and encrypted by iCloud using AES-128 and a key derived from each chunk’s contents that utilizes SHA-256. The keys and the file’s metadata are stored by Apple in the user’s iCloud account. The encrypted chunks of the file are stored, without any user-identifying information, using third-party storage services, such as S3 and Google Cloud Platform.

CNBC first reported on this.
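
As an added illustration (not Apple's code and not part of the original post), this sketch models the scheme quoted above: each chunk is encrypted with AES-128 under a key derived from its own SHA-256 hash, the third-party store receives only ciphertext, and the keys stay in the account record. The chunk size, key truncation, CTR mode with a fixed IV, and the names `storeFile` and `readFile` are assumptions; the guide specifies only AES-128 and SHA-256.

```javascript
const crypto = require("crypto");

const CHUNK_SIZE = 16;            // assumption: tiny, so the sample splits into several chunks
const ZERO_IV = Buffer.alloc(16); // assumption: fixed IV; each key only ever encrypts one plaintext

const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest();

// Assumption: the AES-128 key is the first 16 bytes of SHA-256(chunk).
const chunkKey = (chunk) => sha256(chunk).subarray(0, 16);

function aesCtr(key, data) {      // CTR is symmetric: the same call encrypts and decrypts
  const c = crypto.createCipheriv("aes-128-ctr", key, ZERO_IV);
  return Buffer.concat([c.update(data), c.final()]);
}

// Splits, encrypts and uploads. Returns the record kept in the user's account;
// the provider map only ever receives ciphertext, indexed by the ciphertext's hash.
function storeFile(name, data, provider) {
  const chunks = [];
  for (let off = 0; off < data.length; off += CHUNK_SIZE) {
    const plain = data.subarray(off, off + CHUNK_SIZE);
    const key = chunkKey(plain);
    const sealed = aesCtr(key, plain);
    const id = sha256(sealed).toString("hex");
    provider.set(id, sealed);     // identical chunks collapse to one stored blob
    chunks.push({ id, key });
  }
  return { name, chunks };
}

// Fetches and decrypts; re-deriving the key from the plaintext detects tampering.
function readFile(record, provider) {
  return Buffer.concat(record.chunks.map(({ id, key }) => {
    const plain = aesCtr(key, provider.get(id));
    if (!chunkKey(plain).equals(key)) throw new Error("chunk " + id.slice(0, 8) + " failed check");
    return plain;
  }));
}

// Constructed sample: three 16-byte chunks, the first and third identical.
const sample = Buffer.from("AAAAAAAAAAAAAAAA" + "contact: J. Doe " + "AAAAAAAAAAAAAAAA");
const provider = new Map();
const record = storeFile("notes.txt", sample, provider);
console.log(provider.size, "blobs stored for", record.chunks.length, "chunks");
console.log("round trip ok:", readFile(record, provider).equals(sample));
```

Because the key depends only on the chunk's contents, identical chunks produce identical ciphertext, which lets the storage side deduplicate but also means confidentiality rests entirely on the account record that holds the keys.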

Don’t use Facebook’s data tracking Onavo VPN: It’s spying on you!

Facebook is always looking for new ways to violate user privacy. They’ve instituted a new one.

In the Facebook iOS mobile app, they recently added a new button under the Settings menu called “Protect”. When you click on “Protect” it takes you to an app in the App Store called “Onavo Protect – VPN Security”. Don’t install it.

This may seem like a good option for a free security app, but it’s not.

This is indeed a VPN. But, it routes all your web browsing and app usage data to a Facebook server. Think I’m kidding? I’m not. They even tell you they are.

From the Onavo description in the App Store:

To provide this layer of protection, Onavo uses a VPN to establish a secure connection to direct all of your network communications through Onavo’s servers. As part of this process, Onavo collects your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data. Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences.

This is nothing more than Facebook spyware. If you’re looking for a VPN, I can recommend TunnelBear. It’s what I use. It’s not free, though. But remember, if it’s free, you’re the product.

Web Finds for January 12, 2018

Web Finds are from my web surfing travels. You’ll find some unique and informative news, apps and websites that you may have never known existed. Enjoy!

Apple planning new, “robust” parental controls to help protect children, teens
In a report by The Wall Street Journal, Apple states it has plans to create new software features that will make its current parental controls on iPhone and other devices “even more robust.”
Via Ars Technica

Apple Shares Updated iOS Security Guide With Info on Face ID, Apple Pay Cash and More
Apple this afternoon published an updated version of its iOS Security white paper for iOS 11 [PDF], with information that covers features introduced in iOS 11.1 and iOS 11.2, like Face ID and Apple Pay Cash.
Via MacRumors

How-To Disable macOS High Sierra Upgrade Notifications
Is it just me or are those daily upgrade notifications for upgrading to macOS High Sierra annoying the bleep out of you? Every time I turn on my MacBook (2017), it immediately starts up with that exasperating High Sierra notice to upgrade to High Sierra so I can “enjoy the latest technologies and refinements.” And it’s even popping up on my iMac (2015 with Fusion Drive), which Apple itself recommends NOT updating to High Sierra. And I really DON’T want to upgrade to macOS High Sierra right now on any of my Macs!
Via AppleToolBox

How-To Fix an iPad Keyboard That’s Split in Half or Two
One of the most frequent questions we get from our iPad friends and readers is about problems with their iPad keyboards. Specifically, what should you do when your iPad keyboard is split down the middle with half of it on the left side and the other part on the right side of your iPad’s screen? Just how do you get it back together like it should be? For many iFolks, this is a very annoying problem that they just can’t figure out how to fix!
Via AppleToolBox

The iPad Gestures You Should Master
Your Dock will follow you wherever you go, in any iPad app. Just swipe up about an inch from the bottom of the screen to bring up your Dock and its list of applications, along with the three most recent apps used. You can add up to 13 apps to your Dock so you have the most important ones at your fingertips, apps you can drag and drop to use for multitasking.
Via lifehacker

Previous Web Finds are here.

Worst passwords of 2017 still include “123456” and “password”

SplashData has published its annual list of the worst passwords of the year. The data was pulled from over five million passwords that were leaked by hackers in 2017.

Despite many well-publicized data leaks in 2017, it looks like many people are continuing to use weak passwords like “123456” and “password” that are easily guessed by hackers.

If you’re still using weak passwords, please, please do yourself a favor and stop. Get a password manager. I use 1Password. With 1Password I’m able to have a unique strong password for every website that requires a password, and the best part is I don’t have to remember them because 1Password does it for me.

1Password has an app for Mac and iOS. LastPass is another option.

Web Finds for December 11, 2017

Web Finds are from my web surfing travels. You’ll find some unique, informative, and some of the coolest websites and apps that you may have never known existed. Enjoy!

How to Use Do Not Disturb While Driving on iPhone
Do Not Disturb While Driving is an iPhone-specific safety feature. When Do Not Disturb While Driving is activated on iPhone, no calls, messages, notifications, or alerts will come through to the iPhone. I have my iPhone set to automatically go to Do Not Disturb as soon as my car starts moving.

How to Lock Your Mac Screen and Protect It from Prying Eyes
Whether you’re at home or at work, you might not want other people snooping on your Mac when you step away. Leaving your Mac unlocked and unattended allows others nearby to read your emails, text messages, browser history, and all your files. You don’t need to shut down your Mac, you don’t even need to log out. You can just lock it.

How to restore deleted files from iCloud Drive
I use Dropbox more often than iCloud Drive. One of Dropbox’s features is the ability to recover deleted files. I didn’t know I could also recover deleted files in iCloud Drive.

Phishers Are Upping Their Game. So Should You. — Krebs on Security
This read is worth your time. Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.

Previous Web Finds are here.

Equifax breach caused by failure to patch two-month-old bug

Negligence! If they had patched their server(s) the day the patch was released, this would never have happened.

This is inexcusable! Heads should roll. Maybe it’s time some people go to jail for this kind of sh^t.

Dan Goodin, writing for Ars Technica 9/13/2017, 8:12 PM

We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.

Up to now, Equifax has said only that criminals exploited an unspecified application vulnerability on its US site to gain access to certain files. Now, we know that the flaw was in Apache Struts and had been fixed months before the breach occurred.

The Equifax Breach: What You Should Know

I’m sure you’re pissed about the Equifax breach just like I am. And I’m sure you’re as concerned about how this affects you as I am.

Brian Krebs of KrebsonSecurity, an expert in the area of data breaches, has written an excellent article about what we need to know to protect ourselves in light of the “Equifax Breach”.

Please – Please take the time to read his article.

Brian Krebs, writing for KrebsonSecurity

Here’s what you need to know and what you should do in response to this unprecedented breach.

Some of the Q&As below were originally published in a 2015 story, How I Learned to Stop Worrying and Embrace the Security Freeze. It has been updated to include new information specific to the Equifax intrusion.

https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/

iOS 11 has a way to quickly disable Touch ID and require a passcode

As reported last week by The Verge, iOS 11 has a way to quickly and discreetly disable Touch ID.

According to The Verge:

Apple is adding an easy way to quickly disable Touch ID in iOS 11. A new setting, designed to automate emergency services calls, lets iPhone users tap the power button quickly five times to call 911. This doesn’t automatically dial the emergency services by default, but it brings up the option to and also temporarily disables Touch ID until you enter a passcode. Twitter users discovered the new option in the iOS 11 public beta, and The Verge has verified it works as intended.

This is a handy feature because it allows Touch ID to be disabled in circumstances where someone might be able to force a phone to be unlocked with a fingerprint. With Touch ID disabled in this way, there is no way to physically unlock an iPhone with Touch ID without the device’s passcode.

As a side note, last week Mashable reported that, according to a Virginia judge, a cop can force you to unlock your phone with Touch ID but not with a passcode.

As pointed out by John Gruber:

Until iOS 11 ships, it’s worth remembering that you’ve always been able to require your iPhone’s passcode to unlock it by powering it off. A freshly powered-on iPhone always requires the passcode to unlock.