Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Why would you think it was end-to-end encrypted? Did you never use icloud.com where you can simply access all your icloud data with a usernam+password?


You cannot see your device backups on iCloud.com, so that doesn't prove (or disprove) anything.


Well, you just have to “trust” the server to not serve a website that will phone home your password. Apple pinky swears they won’t do that, and all your browser extensions running all the time do, too.

As Mark Zuckerberg once opined: “They ‘trust’ me. Those dumbfucks.”

https://www.businessinsider.com/embarrassing-and-damaging-zu...

And it’s not just mere words, here is he actually set up a honeypot site to get people’s passwords and break into their emails to satisfy his burning curiosity when he first launched Facebook:

https://www.businessinsider.com/how-mark-zuckerberg-hacked-i...

Instead, he decided to access the email accounts of Crimson editors and review their emails. How did he do this? Here's how Mark described his hack to a friend:

Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. If the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members' Harvard email accounts. He successfully accessed two of them.

In other words, Mark appears to have used private login data from TheFacebook to hack into the separate email accounts of some TheFacebook users.

In a world where we are sending our Alexa data to “the cloud” and the companies are admitting people are listening to it, in a world where Facebook secretly records everything it can, why would you assume your password isn’t being sent?

To the downvoters... you may say that this was only when Mark Z was a young man and now Facebook the company is far more responsible. But then we have this from just a few months ago:

https://www.independent.co.uk/life-style/gadgets-and-tech/ne...

I can understand trusting a browser or a software release that can be tested by many people, and was signed with a checksum. But a website and all your extensions on every website?? Those can ship new code at any time.

(Am I wrong? Any counter-arguments?)


None of what you said has anything to do with E2E encryption.


Yes it does. The password and other secret data can be sent in ways that are not end-to-end encrypted.


If the password is sent to the server and the data can be decrypted with the password then it's not end-to-end encrypted.


I think the truth of the dumbfucks argument is too painful for some people especially seeing how things are the same given recent developments. As an engineer I would be deeply ashamed if I were still working for Facebook.


In that case, isn't the web server storing the E2E key to decrypt for serving it up via the icloud web front-end?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: