Summary

  • There is a constant tension between governments’ desire for easier access to data in criminal investigations, companies’ need to protect users’ privacy, and individuals’ desire for complete privacy regarding their data.
  • The UK government has issued a secret order to Apple, demanding that it provide a method for officials to access iCloud backups protected by Apple’s Advanced Data Protection (ADP) system.
  • The order appears to apply to all ADP-protected data, regardless of the country of origin, implying that the UK government is attempting to compel a US company to add an encryption backdoor to allow access to US customer data.
  • Matthew Green, a cryptographer, suggests enacting laws that would make it illegal for US companies to add backdoors to their systems at the request of foreign nations, because backdoors could be exploited by less friendly forces.
  • This concern is supported by the finding of a pair of researchers who discovered a GitHub Action that contained an unexpired token in a Docker image, allowing anyone to publish libraries to the company’s npm repository.
  • On the topic of security, Microsoft has discovered vulnerabilities in its Windows 11 libarchive library, including incomplete protection against archive types and unsupported archive types.

By Jonathan Bennett
