On Monday, users learned that Apple's FaceTime video chat service has a bug that lets other people receive audio and video from your iPhone or Mac computer. This can happen without your permission and without the usual indication that other people can hear and see you. Anyone with FaceTime could listen in on any other FaceTime user simply by calling them and performing a simple operation, even if the victim does not accept the call.
This bug is quite a mess. Disturbingly, though, if proposals from the major international spy agencies go forward, a flaw of this kind will be present in almost every communications product in use today. That sounds incredible, so here is how we know.
The FaceTime flaw is a failure of the user interface: the parts of the software that let the user know about and control what the device is doing. FaceTime's user interface fails in at least two related but distinct ways. First, it sends the victim's audio and video to the attacker without permission, since transmission begins without the victim having allowed it. Second, it does so without the victim's knowledge, because the normal indication of a call is missing.
The engineering community has understood for many years that user interface failures are a common cause of security flaws, and that these failures are often worse than others. There are organizations, books and conferences dedicated to building trustworthy and secure user interfaces, and Apple itself has guidelines that stress the importance of the user interface.
But officials at the British Government Communications Headquarters (GCHQ), the close partner of the United States National Security Agency, have recently proposed that government agents be allowed to join secure messaging services as hidden participants. This proposal is known as the "Ghost Proposal".
Written by GCHQ's Ian Levy and Crispin Robinson, it recommends institutionalizing an untrustworthy user interface whenever the government wants to spy on a conversation:
It is easy for a service provider to add a law enforcement participant to a group chat or call. The service provider usually controls the identity system, and therefore decides who is who and who is involved in a chat or a call. In such a solution, we are usually deleting a notification on the device of a target … and probably of those they communicate with.
In summary, Apple, or any other company that lets people hold private conversations, would be forced to let the government join those conversations silently and invisibly. Even the most secure applications, like Signal (which we recommend) and WhatsApp, which use end-to-end encryption, would no longer be safe if they were required to carry out this proposal.
The Ghost proposal institutionalizes a user interface failure that is worse than Monday's FaceTime flaw. With FaceTime, the vulnerable user at least receives an alert about an incoming call, so they know something is happening, even though the user interface is in the wrong state and violates user expectations. With the Ghost proposal, the user has no way of knowing that something is happening that violates their expectations.
The GCHQ authors say that Ghost gives law enforcement eavesdropping capabilities and that "you don't even have to touch the encryption." That is true, but only in the loosest sense.
When people want encryption in their communication tools, it is not because they love mathematics. People care about what encryption is for. Encryption and other cryptographic protocols are necessary to protect people through properties such as confidentiality, integrity and authenticity. The Ghost proposal says, in effect: "Let us violate authenticity and you can keep encryption." But if you do not know who you are talking to, what security guarantees do you have left?
Cryptography is necessary to ensure these properties, but it is not sufficient on its own. The entire system, from the cryptographic mathematics to the software implementation, from the network protocol to the user interface, has to work together to provide secure communication in an increasingly hostile environment.
And do not forget: if companies like Apple are made to let governments take part in private conversations, this tool will not be used solely by democratic governments; it will also be turned on journalists, entrepreneurs, and others.
We must be clear: software has bugs, and Apple's software, good as it is, is no exception. Although Apple took too long to recognize the bug, the company is now treating it with the gravity it deserves.
Because the vulnerability depends on Group FaceTime, Apple has taken those servers completely offline until the FaceTime app is fixed. But any installed FaceTime app is still vulnerable if Apple turns the Group FaceTime servers back on, so until a fix is released, people should probably disable FaceTime. (This is why it is important to install new software updates as soon as they are available.)
This serious flaw should serve as a warning to anyone, including GCHQ and the NSA, who advocates deliberate insecurity in software to facilitate government surveillance. It is very difficult to engineer software correctly, and it is even more difficult to design it with intentional flaws, however limited. If a mechanism exists that deliberately makes the user interface untrustworthy, it will be an attractive target for malicious hackers and other hostile actors. Who will prevent its abuse?
Intentional weaknesses, fake identities in messaging, or any other flaw in the security of communications software should be treated the way this latest vulnerability is being treated: as a serious emergency, with a software update that removes the bug as soon as possible. And governments should definitely not consider adding such weaknesses.