Apple Can Still Read Your End-to-End Encrypted iMessages

What level of paranoia do you operate at? Unless you are doing some really naughty things, iOS is probably more than you will ever need, security-wise, even if you have iCloud backup turned on. FDE TPM encryption by default, with a slew of options to increase security. I like Apple, even if they don't get everything right every time, they do seem to believe that security has a strong value and is worth sacrificing a little convenience for.

If you're going against a state level actor, then the OS you choose is only a tiny part of the equation. At that point you are looking at physical device security, airgapping, opsec - essentially intelligence tradecraft. And if you've no training in that, you're like a little leaguer going up against the Yankees. Most of the time the best shot at private communications in the most paranoid scenarios means you are better off removing all electronic devices from your body and leaving them at home, then meeting face to face with a trusted someone in a randomly chosen busy public place.

I sometimes for fun try to think of how I would go about being as technically secure and anonymous as possible when communicating online if I was worried about a state level actor. I would probably buy an ancient laptop from a thrift store in a city far from where I live months in advance while wearing a disguise and gloves. (Rarely will NVRs store more than a month's worth of video data). The laptop would always be handled with gloves. I'd remove the hard drive. I'd download TAILS from a public wifi hotspot using a separate computer and burn it to disc. Months later, I would wear a disguise, drive to a different distant city, park my car, and pay cash to take a taxi to a location near a known free wifi spot. Using a cantenna hidden in a backpack, I'd find a park bench nearby and hop on the wifi with the laptop and TAILS and start a clock for 30 minutes. Any communications would use intentionally generic language, no punctuation or capitalization, and I'd try to use grammatical speech patterns I never use. When I was done or the 30 minutes was up, I'd pull the battery on the laptop and walk a few blocks and hail a cab and have them drop me off a few blocks from my car. I'd walk to my car and drive towards home, take off the disguise while driving, and stop along the way at a random dumpster to smash and dispose of the laptop and then another random dumpster to dispose of the disguise. At no point would I have a cell phone or any other electronic communications device on me or in my car. (Note - many newer cars come equipped with cellular modems already installed and running - obviously this kind of car could not be used).

These are the kinds of ridiculous precautions I think would be at minimum necessary if you were a lone actor trying to do or communicate something online that would be of great interest to a powerful state actor. Snowden had some pretty crazy opsec, and with him it only bought him a few days' time. We live in a panopticon anymore. Having a secure OS would only matter if the guards weren't already looking at you.

/r/crypto - thehackernews.com