alt.hn

1/11/2025 at 12:14:34 PM

Track your devices via Apple FindMy network in Go/TinyGo

 https://github.com/hybridgroup/go-haystack

by deadprogram

1/11/2025 at 2:47:40 PM

Incredibly cool. I am constantly amazed by these efforts and the find my network is a really impressive thing. What’s stopped me from using anything like this ever is the fact that I’m confident that at some point Apple will either embrace this sort of piggybacking on the network and open it up more officially, or it will ban any Apple ID that has ever been associated with such things. Right now they know about this and are not commenting either way.

Hope in the future either Apple supports this more officially, or there is a way to use it with no direct link to my Apple ID or account. Until then, I am a spectator in these things.

by a12k

1/11/2025 at 4:02:08 PM

The process of requesting locations for a certain tag is not tied to any Apple Account. In the instructions in the README, when logging into macless haystack, you can just use a burner account.

by malmeloo

1/12/2025 at 8:20:05 AM

Where does it say about burner account?

“You will be asked for your Apple-ID, password and your 2FA”

You mean get another apple device and setup another account?

by ustad

1/12/2025 at 11:21:20 AM

It doesn't mention a burner account anywhere, but as the author of FindMy.py, I happen to know how this stuff works :-). But yes, create a new account (either through an Apple device or the website or w/e), attach it to an Apple device or hackintosh at least once, then log out again.

by malmeloo

1/12/2025 at 1:33:33 PM

Doesn't Apple force SMS 2FA on accounts? I remember trying to use Apple Music some years back and it needed me to give a phone number.

by tossit444

1/12/2025 at 4:27:32 PM

Yes, but phone numbers can be used across multiple Apple accounts.

by ValentineC

1/12/2025 at 4:53:31 PM

What if they shitlist all accounts using the same phone number?

by DanAtC

1/12/2025 at 11:39:44 PM

Use a prepaid sim ;-)

by malmeloo

1/11/2025 at 11:02:57 PM

How is privacy protected? I wouldn't want everyone tracking my airtags.

by mmooss

1/12/2025 at 7:28:20 AM

It is a cryptography heavy, privacy-oriented protocol somewhat specific to the behavior apple wants, which is tied to social behavior. E.g. it is meant to track lost items, not stolen items and not people.

My understanding of how it is all supposed to work:

You get a key-generating-key at provisioning time. The tag itself has three modes depending on whether it is in contact with one of your devices, and further whether it has been out of contact more than a certain period of time.

When not in contact, it will advertise itself with a rotating public key based partially on a rotating Mac address. An Apple device which sees it will encrypt location data based on that key and send it to apple to store under that public key as a mailbox. A device which continues to see it while moving will start to alert the person holding that device that there may be an AirTag tracking them.

The tag itself has NFC functionality which provides information for helping find the owner, and on Apple's side this is meant to be tied to a real identity to aid LE if there's an abuse scenario.

After a certain amount of time not seeing another device, an AirTag will start to make sounds to alert people where it is when an Apple device comes into range.

When you want to find your item, you anonymously query it under its rotating key information, and use your knowledge of the private key generation to get location information. Since there's nothing Apple uses to correlate these entries, there may be multiple records over time although Apple's UI only shows the newest entry found.

So yes, there's anonymity in being near devices but limited so that someone can know they are being tracked. There's anonymity in querying location. However, there's not meant to be anonymity with physical access.

by dwaite

1/12/2025 at 3:00:31 AM

The data passes through any devices in the vicinity -- but they can't read the data unless they've got the private key to that tag.

by jki275

1/11/2025 at 11:33:25 PM

>I wouldn't want everyone tracking my airtags.

That’s kind of how the whole system works.

by menzoic

1/11/2025 at 11:49:37 PM

I thought it was designed to prevent unwanted people from tracking you. If I bought an airtag, you could track it? Without authentication or authorization?

by mmooss

1/12/2025 at 12:14:59 AM

Only if you have the private key belonging to the AirTag at the time of location capture. Anyone can download encrypted location reports for any AirTag found in the wild, but only the owner can decrypt them with the private key.

by malmeloo

1/12/2025 at 5:10:50 AM

So how does one get the private key for an airtag without associating it to their account?

by hattmall

1/12/2025 at 11:18:03 AM

By dumping it from a Mac. But that's not what this project does, it uses diy AirTags without rotating keys so you don't need to do all that.

by malmeloo

1/12/2025 at 1:15:04 AM

What about the Apple account of the tag itself?

by yardstick

1/12/2025 at 11:27:26 AM

These custom tags are not tied to any account; Apple can't tell whether a tag found in the wild is "legit" or not, so registering it is not necessary. You can use your main account if you want, but if you request too many location reports too often, they will ban your account.

by malmeloo

1/11/2025 at 4:01:32 PM

I think there is some positive effect potential for Apple to let this slide. The broader this network is, the more adoption it receives. P2P as a super-structure has always been a bigger than vendor problem; adoption by any means is likely an allowable tradeoff, especially since Apple doesn't have to do the work here.

Eventually they will capitalize more on the mesh density, rather than crushing the adoption now.

by jcutrell

1/11/2025 at 4:10:02 PM

Except that custom tags like these do not require an Apple device in order to use them, so the size of the network is not increased. They only increase the load on the network. FindMy is not a P2P/mesh network; all these tags do is broadcast keys which are picked up by iDevices, which then upload those reports to Apple.

by malmeloo

1/11/2025 at 8:23:35 PM

Are the keys not tied to known apple products? Or do you make them up when you first register a device?

Trying to understand why apple doesn’t (or can’t?) already reject broadcast data from keys that are not apple products.

by koolba

1/11/2025 at 9:34:03 PM

Two master secrets are randomly generated when pairing the AirTag for the first time, which are then saved to the iCloud keychain. Those secrets are then used to generate a new keypair every 15 minutes (at most), and the public key is broadcasted by the tag. Not only does Apple not know what the master secrets are in the first place (because they're stored in the keychain), but that's also an insane number of keys to compare against, with no real possibility to precompute them. And that's a big win in terms of privacy.

by malmeloo

1/11/2025 at 9:10:15 PM

I would guess because they don’t care. The marginal cost is zero and I think they would only bother if someone ddoses or it becomes an issue.

Until then, more devices are probably positive for reducing potential pitchforking.

by prepend

1/11/2025 at 10:19:54 PM

Story time. My wife and I were vacationing in Portugal last summer. She left her purse in a uber car on the way to the airport. The driver found the purse and dumped it after taking 20$ and some costume jewellery. We tracked it to an abandoned parking lot later that day using an AirTag and we ended up finding it using the Location app. We have AirTags in every bag now and we change the batteries on a schedule.

by _-_-__-_-_-

1/11/2025 at 11:04:24 PM

All my bags also now have airtags. I was at Sydney airport lost baggage area a few years ago waiting for a bag I'd found was there after hours of speaking to the airline and airport. Another gentlemen there told them that his item was there. They'd been evacuated from a plane in New Zealand a month before and left his iPad in the seat pocket, and had tracked it back using Find My to Sydney. He travels internationally multiple times per month and said airtags were the best thing he owned.

I've since added them into all my cars, bags and a few honeypots embedded into high value items that might be stolen.

by averageRoyalty

1/12/2025 at 12:29:06 AM

How do you know it was the driver and not someone they picked up after you?

by marci

1/11/2025 at 7:47:58 PM

Trying to parse this and can't tell. Can you use this with Apple's AirTags or do you have to create your own tracking devices?

by CPLX

1/11/2025 at 8:21:20 PM

I was wondering the same thing.

by iJohnDoe

1/11/2025 at 4:23:36 PM

I hope in the future we can determine the position of beacons to within a cubic metre or less.

My wife has ADD and she loses items often. Tiles aren't very loud and are flaky, we don't have an iPhone to use Airtags. I'm too exhausted to try to master the math needed to locate Bluetooth beacons, but I wish I could. I'd love for there to be a "just add 4 small Bluetooth boards" kind of software project, but it doesn't seem to scratch that itch for most open source devs.

by bloopernova

1/12/2025 at 5:36:16 AM

AirTags and an iPhone 11 or newer should exactly solve this for you. Lets you locate AirTags to within a foot.

Rather than using Bluetooth connection strength, it uses Ultra Wideband for precision location. This works on time-flight using the speed of light delay like GPS. When you open the Find My app it very quickly knows the exact distance to the AirTag, and then as you walk around it uses your observed change in position to determine the exact direction the AirTag is from you.

It's really cool tech! You need to use the "Find" feature in the Find My app and not the "Play Sound" feature. And it requires an iPhone 11+ with an H1 Ultra Wideband chip in it. Cost is probably on-par with setting up various bluetooth boards around the house, and way more accurate. Though not as much hackery fun.

https://en.wikipedia.org/wiki/Ultra-wideband#Real-time_locat...

by varenc

1/11/2025 at 4:57:48 PM

My partner and I are also Android only and honestly, I'm thinking about simply picking up a smashed up iPhone 11 or 12 mini and exclusively relegating it for precision finding needs with AirTags.

I don't think there will be equivalent alternatives, at least not ones with ultra wideband precision location functionality, availability, acceptable price, and robustness.

On the other hand there does seem to be some UWB support in some Android that might work with Tile's UWB: https://www.zdnet.com/article/how-to-enable-uwb-on-android-a...

by crazysim

1/11/2025 at 7:28:22 PM

> I don't think there will be equivalent alternatives, at least not ones with ultra wideband precision location functionality, availability, acceptable price, and robustness.

Why are you so confidently spreading misinformation? Samsung SmartTag+ exists for years now with this precision and capability for Samsung Android phones.

by izacus

1/11/2025 at 8:02:08 PM

Sometimes people are just incorrect and no ill intent.

by pests

1/11/2025 at 8:21:04 PM

I just don't get why I see so many of people on this very site (surprisingly usually Apple or Tesla fans) that so confidently spread misinformation about things they don't have knowledge of and didn't even attempt to check.

Where does this wish to spread baseless misinformation come from?

by izacus

1/11/2025 at 9:34:24 PM

How come the first thing you assume is ill intent?

How come you are so certain what the person was trying to say without asking a clarification question first?

by baxtr

1/11/2025 at 10:15:33 PM

[flagged]

by izacus

1/11/2025 at 10:25:00 PM

Again you make unsubstantiated assumption about someone else’s intentions/feelings.

I am not angry at all. I was just wondering why you reacted like that. Nevermind

by baxtr

1/11/2025 at 11:00:27 PM

It’s been normal that people are wrong, yes. “Calling out” vs correcting is unnecessarily hostile.

by jazzyjackson

1/11/2025 at 8:28:41 PM

Sometimes people are just wrong. There doesn’t have to be an ill intent behind it. Educate and move on. What else can you do?

by pests

1/11/2025 at 10:16:18 PM

Which is exactly what I did. And it made people here angry.

by izacus

1/11/2025 at 10:30:24 PM

You made an assumption of intent.

You could have just pointed out the Samsung product.

by mulmen

1/13/2025 at 9:34:45 AM

> You made an assumption of intent.

Where?

"confidently" doesn't assume intent. "misinformation" doesn't assume intent.

by Dylan16807

1/14/2025 at 2:47:09 AM

> Where does this wish to spread baseless misinformation come from?

https://news.ycombinator.com/item?id=42668637

by mulmen

1/14/2025 at 4:02:44 AM

That's not the comment that got downvoted though. It came later. Wasn't "you made an assumption of intent" supposed to be an explanation of why the initial comment got downvoted?

But it's also a more complicated point than you're giving credit for. That comment directly addresses lack of knowledge and accuses people of negligence, not lying. I do not parse it as an accusation of intent, and given the followup here I don't think izacus sees it as an accusation of intent either: https://news.ycombinator.com/item?id=42669379

But even if it is an accusation of intent the only accusation is deciding to be reckless. Which seems pretty justified to me.

(And there is a flagged comment that I have a big thing to say if you make me, but I'd rather we just ignore that comment as a separate thing.)

by Dylan16807

1/12/2025 at 3:09:05 AM

I wouldn’t call Samsung smart tags equivalent. They’re locked to Samsung phones, require other Samsung phones (that have accepted the terms of service for broadcasting location) to be nearby, and also seem to have limitations around finding if you’re in an area with no network connectivity.

It’s got ultra wide band finding which is nice, but you really need every single android device to have a truly comparable network.

by Kirby64

1/12/2025 at 11:27:17 AM

They're also unreliable in my experience. My mother has a galaxy phone and new galaxy tab, so I got her the Tag 2. I set this up for her and around 2 weeks later she said she couldn't find her keys. The "ring" option disappeared from the app. In order to get it back she has to find the keys, and re-pair the tag. Yep, find them by yourself to fix the ring function. Also I found the directional finding to be dreadful. And overall the device has a less than desirable delay. My tile pro is much better in every regard. I thought that the Samsung would have a better coverage but it turns out that the software must be installed for it to work! So it's restricted to Samsung devices that have that software installed.

by raffraffraff

1/11/2025 at 4:50:07 PM

I also have ADHD, am also constantly losing things, and I've had success with the Pebblebee tags. I have a tag on my keys and a card in my wallet. The noise is loud enough that I can hear it on a different floor in an old home with thick brick walls.

by lolinder

1/12/2025 at 3:50:54 AM

I'm guessing the 'math needed' is for using stationary beacons to triangulate your location. Even Apple just sends the location of the receiving phone which is why there are stories of the cops showing up at some innocent person's house because the neighbor kid found some headphones on the bus.

Anyhoo, back in the day I was messing around with beacons and can tell you it's fairly easy to get them working. I wrote a small program to get my laptop to act like a beacon and used some random "bluetooth tracker" on my phone which would give the approximate distance to said beacon. Then it's just a matter of walking around watching the distance measurement.

by UncleEntity

1/11/2025 at 4:52:18 PM

That’s AirTags with modernish iPhone now.

by stackskipton

1/11/2025 at 6:26:02 PM

AirTags are generally loud enough to solve that problem. I wish they put the same speaker in the ATV remote.

by willseth

1/12/2025 at 5:43:40 AM

The new ATV remotes support semi-precise location finding. Not as precise as AirTag and UWB, but the Find My app will tell you as your get closer to your ATV remote. I'm assuming it just makes use of Bluetooth connection strength. Sadly only the most recent remotes seem to support this.

by varenc

1/11/2025 at 6:18:43 PM

I’m also a misplacer-of-items. I hot glued an AirTag to the inside of my glasses cases but was frustrated at the poor signal. Turns out most cases are made of thin metal. Switched to a case with a cardboard core and it works great now.

by shermantanktop

1/11/2025 at 4:54:24 PM

If you know that the item is inside your apartment, you only need the UWB part, which is quite orthogonal to this project.

by tgsovlerkhgsel

1/11/2025 at 11:17:56 PM

I'm looking at setting up a trial system for 39c3 to allow hunting down tools given out from the logistics department (pallet jacks, ladders, if cheap enough pallets that get left unattended). Timeline for that is 10-11 months from now for when hardware has to exist and work.

I'd think of 2 or 3 AA batteries stuck to a small UWB PCB and stuck with tape of suitable type to the tool.

Are 10$ each doable? I don't see why not, but can't find any board akin to a Bluepill or ESP32-VROOM or PiPico containing the HF part.

The idea would be with base stations that can see each other well enough to synchronize and perform role-reversed pseudoranging to the tracker.

by namibj

1/12/2025 at 11:08:57 AM

While definitely not as cool, this might be achievable with the same indoor positioning method the c3nav app uses, which would probably be accurate enough to track larger items at least to a few meters. After that, you can hopefully spot them easily, or maybe even use Bluetooth hot-or-cold to track them down further.

An ESP32 with a battery controller (wemos clone) + a little pillow cell would be around 6€ each (less if you buy in bulk).

by franga2000

1/11/2025 at 6:36:07 PM

Ooooh it looks like you can now use it without a Mac? That would be amazing. Because Apple trackers cost only a few euro (aftermarket ones of course)

by wkat4242

1/11/2025 at 8:47:08 PM

Any recommendations?

by tomr75

1/12/2025 at 3:33:38 AM

I just buy them in the shop. We have this shop called "Action" that sells a brand called "Fresh 'n' Rebel". They sell a pack of 3 tags for 16€. They work well. I have a bunch of them and also put some in some of my more expensive electronics so I can track them when they get stolen (with the speaker disabled of course)

by wkat4242

1/12/2025 at 6:10:02 AM

They work well but don't have the UWB part and need to have battery replaced every few months.

by wielebny

1/12/2025 at 8:12:23 PM

Yeah true they don't last as long. I only have an iPad anyway so i don't care about the UWB but that's true, didn't think of that.

by wkat4242

1/11/2025 at 3:54:35 PM

Is it just me or this whole find my network capability is a security nightmare? I mean I understand its usefulness but can the [insert authority here] just request apple to tell them where this person is even without cellular coverage? Ive decided to move away from the apple ecosystem either way because of this but it just seems to me to be a surveillance nightmare.

by nobunaga

1/11/2025 at 4:58:04 PM

The system is designed specifically to make this impossible.

Your tag doesn't know its position, it simply broadcasts its own, rotating public key. Since the key changes randomly (in a way that you as the legitimate owner can predict), a third party can't easily follow the tag.

Other devices see that key, and share their position, encrypted with your tag's public key.

That makes it relatively hard to get the data, essentially impossible without forcing Apple to re-design the system and push malicious updates, which is generally considered as something that goes beyond what normal subpoenas can do.

by tgsovlerkhgsel

1/11/2025 at 6:18:25 PM

Apple could be subpoenaed to look at the account holder's registered tags still, no?

by nixpulvis

1/11/2025 at 6:27:08 PM

If the US government is subpoenaing Apple on your behalf, you probably have bigger problems.

by crims0n

1/12/2025 at 12:06:23 PM

The US government has told Google to query its location database for any device in the vicinity of certain crimes before. There's no way they're not trying to get Apple to do the same.

If Apple designed they'd crypto system as well as they claim that's not viable at this moment in time, but the government can certainly try.

by jeroenhd

1/12/2025 at 3:12:41 AM

This gives them a list of tags, but not their location. The keys to decrypt your location are (AFAIK) held on your iPhone.

by tgsovlerkhgsel

1/12/2025 at 3:18:51 AM

Anybody can write a subpoena, but Apple is on record as having absolutely no problem telling anyone who does so to go fuck themselves and then backing it up with litigation.

by jki275

1/11/2025 at 6:51:03 PM

No, because Apple doesn't have the private key of the account holder, and so can't see which rotating codes are associated with that account holder since it's all encrypted.

by HALtheWise

1/11/2025 at 6:37:51 PM

No they can't. Apple doesn't know who has which tag. It's built with privacy in mind. I know Apple listen touts privacy while having ulterior motives but I looked at the technical design specs and this is pretty great

I doubt Samsung and Google have gone to such lengths with their trackers.

by wkat4242

1/11/2025 at 6:49:15 PM

Apple always seems to design services the way a privacy-obsessed nerd would, (if you forced said privacy nerd to design a P2P tracking network).

It's like, "oh, you want all your photos to be searchable, like 'dogs' or 'Eiffel tower'? Fine, we'll create an on-device embedding of each photo, use homomorphic encryption so you can share it with us and we can match it to its contents without even knowing what they are, then we'll send that back to your device for storage. Oh, and we'll use a relay so we don't even see your IP address while doing this, not that it matters since we can't decrypt the content anyway." It's pretty wild, like they could have easily skipped all this and only a fraction of a fraction of a fraction of users would even know or care.

In fact, I was pretty annoyed that the news story from the above example was "Apple is looking at all your photos and violating your privacy", since they spent so much effort doing it the right way, in a way that respects your privacy, it makes it less likely they will bother going through the effort again

https://www.theregister.com/2025/01/03/apple_enhanced_visual...

by andy_xor_andrew

1/13/2025 at 3:01:04 PM

I think when you're at apple's scale, the cost of doing all of that difficult engineering pales in comparison to the cost of responding to subpoenas and bad press/lost sales from compromising user privacy. (google did something similar when they stopped storing per-user location data)

Separately; it doesn't matter how good your technology is or how much you believe in it, you need to win the PR battle of convincing people of how it works. An example is VPN companies who claim not to keep logs testifying in court under oath that they can't produce requested logs, or Mullvad being unable to comply with a search warrant for storage drives because their servers didn't contain any.

by extraduder_ire

1/11/2025 at 8:06:51 PM

You misunderstood the point of the news story. Apple automatically opted in everybody's iPhones to sending data to Apple, unlike every other company that requires explicit opt in.

by lern_too_spel

1/11/2025 at 11:11:50 PM

> unlike every other company that requires explicit opt in.

Not defending Apple here, but that's silly. User hostility and auto gobbling up data without consent is perfectly normal for most companies out there.

by averageRoyalty

1/12/2025 at 1:05:56 AM

No other company automatically sends data about pictures users take on their phones off the phone. Not a single one. All required explicit opt-in except for Apple. Hence, the news story.

by lern_too_spel

1/12/2025 at 3:10:00 AM

I guess it's a matter of informing the public that homomorphic encryption means no information is visible to Apple, so Apple never receives any information about your pictures at all.

I guess you could make the argument "well what if one day they stop using homomorphic encryption", but that argument doesn't make much sense since 1) why would they and 2) you could already ask the same question today "what if they just started sending info anyway"

by andy_xor_andrew

1/12/2025 at 3:35:14 AM

Still. Asking the user is important. Even when there isn't anything you can see.

by wkat4242

1/11/2025 at 7:29:12 PM

> I doubt Samsung and Google have gone to such lengths with their trackers.

You are wrong and it's trivially verifiable. You can watch this years 38c3 video comparing them or read the nicely public specification.

by izacus

1/12/2025 at 3:28:01 AM

I was mainly thinking of Samsung's SmartTag, not Google's recent venture. I have looked for info on the SmartTags in the past and couldn't find it. I have some Samsung ones myself.

I didn't look at the Google ones because I don't use a Google account. So I couldn't use them anyway.

But good to hear that they did design it well, I'll check that video.

by wkat4242

1/13/2025 at 3:04:34 PM

Do you have the title of that video? I'm having trouble finding it.

by extraduder_ire

1/11/2025 at 8:04:45 PM

Google's trackers are more private than Apple's to the point of stupidity. https://www.androidpolice.com/google-find-my-device-privacy-...

The PMs don't understand that they should be catering to the people purchasing the devices.

by lern_too_spel

1/12/2025 at 3:31:43 AM

Yeah I gather now. That's pretty cool for a company like Google. I still think they're evil though. But in this case it appears they did a good job.

by wkat4242

1/12/2025 at 6:36:18 PM

All companies are evil. Google tends to provide more control to the user than Apple, so from a consumer's perspective, it is less evil than Apple.

by lern_too_spel

1/11/2025 at 8:24:20 PM

I was without until you made that swipe about Samsung and Google. Don't be a fanboy. No company is your friend.

by bitpush

1/12/2025 at 3:30:59 AM

I'm absolutely not an Apple fanboy actually. I use Samsung phones. And FOSS on my computers. I moved away from iOS and Mac years ago because I found them too locked in.

I don't trust Samsung and Google as far as I can throw them but apparently in this case they did an ok job. And unfortunately there's no meaningful alternative to the duopoly of iOS and Android. So I was left with two bad choices.

But I don't trust any big tech no. It's just really hard to do without them, sadly.

by wkat4242

1/11/2025 at 3:56:08 PM

https://support.apple.com/guide/security/find-my-security-se...

by rgovostes

1/11/2025 at 3:58:21 PM

Interesting thanks. I understand that its designed to be anonymous, but I guess it requires faith in Apple not complying to any forceful request from a security authority in the US to not modify it in secret.

by nobunaga

1/11/2025 at 5:21:38 PM

Which mobile phone maker do you have more faith in? Which telco?

Apple have done work, and published tools for researchers, to make it so they can't "modify it in secret". The tools for security research community help verify that and "keep them honest". For instance, this is partly what the prompts about new devices or log in on other devices are about, there's a key exchange happening, and you get told. You can also exchange keys with Messages contacts to verify you're talking to them. You can turn on iCloud Advanced Security and Apple don't get even your backup keys. Also see the new Lockdown Mode.

Granted, Apple can change their minds and become anti-privacy or pro data-brokers and ad-tech, but some of these proofs would break so folks would know.

Anyway, if the government wants to know where you are, they can just ask the Chinese who've been watching Americans' cell phone identifiers move around.

In seriousness, the telcos already sell* this position data to data-brokers and law enforcement have portals to just watch you scurry around, even without a warrant.

* Sometimes telcos share your location data in ways that aren't "selling" so they can say they don't sell it. But the data goes and telcos derive value in exchange.

by Terretta

1/12/2025 at 12:21:35 PM

Just because someone doesn't trust Apple to build a worldwide live location tracking system doesn't mean they don't want someone else to build a worldwide location tracking system. There's an inherent risk to worldwide location tracking systems and while I think the genie is out of the bottle now, I would prefer there not to be a worldwide location tracking network at all.

Airtags have become a commodity at this point and despite attempts to prevent this, criminals are already using them to follow potential victims to their homes. I know GPS trackers and a bunch of different find-my style networks existed long before Apple brought the airtag to market, but those didn't turn up in purses and cars quite as often as Airtags now do.

Apple tries their best to make this thing secure and safe, but there's only so much safety they can add before the devices become useless.

by jeroenhd

1/11/2025 at 4:09:18 PM

Of course that can be said for nearly anything you own. iPhone, android, tablet, anything that is Bluetooth (for instance, your car), etc.

by CubsFan1060

1/11/2025 at 4:35:18 PM

Cryptographers who design these systems do consider the threat of a malicious future iteration of the company and thus try to reduce the trust in a centralized authority.

Apple did fight in court to not have to crack the San Bernardino shooter’s phone, which probably didn’t garner much sympathy with the general public, specifically against government power to compel them to make changes to subvert security.

They also publish a Transparency Report about government requests they’ve received and how many they’ve responded to.

by rgovostes

1/11/2025 at 10:00:21 PM

It didn't garner sympathy with the public because they had previously lied to the public that they were technically incapable of complying with those data requests. After the government explained how Apple could comply, Apple shamefully removed the erroneous claim from its website without informing its customers who had believed that claim.

All the big tech companies that have user data publish government data request transparency reports.

by lern_too_spel

1/12/2025 at 3:24:28 AM

That statement simply isn't true.

The government attempted to force them to write a new operating system for them that would allow them to get the data on the phone. This was never about the San Bernardino phone, everyone knew there was nothing of any use on it and everyone involved was dead. It was about getting precedent on record that they could force a company to backdoor their OS on a court order. They eventually dropped their request when it became obvious Apple wasn't going to roll over for them.

Your post reeks of some personal vendetta against Apple, and has no factual basis.

by jki275

1/12/2025 at 6:27:23 PM

If the statement isn't true, then why did Apple stop making that claim? It's because my statement is true. Apple was capable of getting the data.

It is possible for Apple to build a device that Apple wouldn't have been able to access the data on, as they claimed. That isn't what they provided to their customers.

You're using bad faith arguments to defend a multi-trillion dollar company that pushes a restrictive model of computing on its customers for its own benefit for what purpose?

by lern_too_spel

1/15/2025 at 2:15:57 AM

Apple can't access the data on the devices. They've spent absolute fucktons of money building their infrastructure that way, and they give up hundreds of millions of dollars that Meta and Google gladly suck up by not monetizing their customers' data.

Apple provides me with the devices I want that do the things I want them to do. "restrictive model of computing" is a concept that doesn't really mean anything. I can do anything I want on my Mac. My iPhone is way more locked down, and it doesn't bother me a bit. My guess is that like most Apple haters, you don't use Apple devices and have taken up a cause against them based on things that don't have any effect on you.

by jki275

1/12/2025 at 4:58:00 AM

> The government attempted to force them to write a new operating system

Which they are absolutely capable of, but refused to that time. People in this thread keep talking about provable trust when the software is fully under Apple’s control, which is just puzzling. It’s still a “trust me bro”. Whether you trust them due to past track record is something else. In fact, that you even need to bring up their refusal as evidence means you don’t believe they’re technically incapable of complying.

by oefrha

1/12/2025 at 6:20:56 PM

You're not understanding the issue here.

The government wanted Apple to backdoor iOS at their command.

Apple told the government to go fuck themselves.

None of that addresses whether it was technically possible or not. You've made up a theory in your head about how it was possible based on what some dumbfuck government lawyer made up to file with a court, but that doesn't make any of it true.

And again, none of this had anything to do with that phone. The government wanted to establish precedent that they could order Apple to create a backdoored iOS for them, so that they could use that to spy on people. They gave up when it became obvious Apple wasn't going to roll over for them and rewrite iOS so they could use it the way they wanted to.

Your beliefs about some theory about Apple claiming something about "provable trust" or whatever are really probably unfounded and don't even make any sense.

by jki275

1/13/2025 at 2:37:29 AM

> Your beliefs about some theory about Apple claiming something about "provable trust" or whatever are really probably unfounded and don't even make any sense.

It's not something I made up, it's literally claimed by people in response to my comment: https://news.ycombinator.com/item?id=42667329 https://news.ycombinator.com/item?id=42668767 Is this "provable trust" bullshit? Yes, we agree. Is the concept of provable trust bullshit? No, trusted computing is technically achievable, but it's not in Apple's case.

by oefrha

1/11/2025 at 4:47:14 PM

> Cryptographers who design these systems do consider the threat of a malicious future iteration of the company and thus try to reduce the trust in a centralized authority.

It’s no use. All the opaqueness to Apple relies on

> This private key pair and the secret are never sent to Apple and are synced only among the user’s other devices in an end-to-end encrypted manner using iCloud Keychain.

Which is trivial to compromise from Apple. They do their best to minimize trackability from third parties though.

by oefrha

1/11/2025 at 5:23:28 PM

> Which is trivial to compromise from Apple.

Explain this? Since both Apple and security researchers have worked on provable trust.

by Terretta

1/12/2025 at 4:50:09 AM

Provable how? iOS software is closed source and unverifiable. New code can be added to send any data anywhere at any point. Explain to me how you prove closed source software won’t send data under its control ever.

And we don’t even need to go as far as key exchanges, and forget about Find My. Maybe those are better protected and it’s harder for them to pull a sneaky without someone noticing. The location data of your phone isn’t in Secure Enclave and the OS can do whatever the hell it likes with it, good luck verifying a huge closed source OS which phones home all the time isn’t sending your location home. At the end of the day you’re trusting them (or just don’t care because you probably aren’t pissing off TLA, which is certainly true in my case), provable security is extremely limited.

by oefrha

1/11/2025 at 8:42:24 PM

iCloud Keychain escrow data is encrypted by HSM clusters that have administrator keys destroyed; if Apple tried to compromise a keychain by installing malicious HSMs users would first get notified that their data had been lost due to failed/destroyed HSMs.

by snuxoll

1/12/2025 at 4:50:58 AM

See my response to sibling. Explain to me how you prove iOS software can’t be malicious.

by oefrha

1/12/2025 at 3:19:55 PM

Explain to me how you can prove…

1. You aren’t a troll posing as a human

2. That if you are a human, that you won’t die in the next hour.

3. That if you don’t die today, that the Earth won’t be impacted by an asteroid this year.

by jsjohnst

1/13/2025 at 2:34:01 AM

Trusted computing is a technical concept. People use Bitcoin because it’s provably secure against clearly outlined threats, not because they trust some vendor. Apple and a certain group of fans want to present iOS as a trusted computing platform for certain use cases, but it’s not.

Anyway, I see you’re just trolling here, so there’s no point talking to you.

by oefrha

1/11/2025 at 4:20:47 PM

Given apples outright refusal to help the FBI previously I have more faith than other companies that they’ll do the right thing. But nothing’s perfect.

by givinguflac

1/11/2025 at 4:17:15 PM

I think it's worth mentioning that FindMy consists of two distinct "networks"; there's the one where other Apple devices find your stuff, and another where your devices upload their locations straight to Apple. The FindMy app combines these two networks to show the most recent location. As far as I can tell this project only uses the former network, which would require an explicit backdoor due to the way it is designed. But if you're trying to defend against government agencies, that latter network is probably more of your concern.

by malmeloo

1/11/2025 at 5:06:13 PM

Is it just me or this whole find my network capability is a security nightmare?

Settings → your_name → Find My → device → toggle off

If you don't trust that this will really disable the feature, then you are going to have to think hard about every electronic device you own.

Do you trust the firmware in your Android phone? What about the non-open-source modem chip? What about the SIM card, which runs Java? Are there microphones you haven't noticed built in to your TV remote? (Many have them.) Your toaster likely has a chip in it more powerful than a networked DOS-era computer. (Mine does.) How do you know it's not joining a nearby wifi network and sending out information?

Ever since the China/iCloud thing, I don't fully trust Apple. But among big tech companies, it's certainly the one that I trust the most.

by reaperducer