[cryptography] You can be too secure

Ron Garret ron at flownet.com
Thu May 5 14:45:55 EDT 2016


On May 5, 2016, at 11:13 AM, Kevin <kevinsisco61784 at gmail.com> wrote:

> One can never be to secure!

Actually, I learned the hard way last week that this is not true.

Four years ago I bought a 2010 MacBook air from a private party (i.e. I’ve owned it for four years, and it was two years old when I bought it).  I did a clean install of OS X, and used the machine with no problems for the next four years.

Last week, someone apparently put an iCloud lock on the machine.  It turns out that wiping the hard drive does not remove the machine’s iCloud binding.  If the machine has been associated with an iCloud account at any time in its history, only the owner of the associated account (or Apple) can remove that binding.  And Apple will only do it if you can produce a proof-of-purchase, which for them is a receipt from an authorized reseller.  The iCloud lock is implemented in EFI firmware, so not even replacing the internal drive will remove it.

It gets worse: Apple refuses to contact the owner of the iCloud account that placed the lock.  The lock message provides no information (it simply says, “Machine locked pending investigation.”)  So even if the machine I bought was stolen (I have a lot of evidence that it wasn’t, but no proof) I can’t return it to its rightful owner because I have no idea who it is.  Apple knows, but they won’t tell me (which is understandable) nor will they contact that person on my behalf (which is not).  They also don’t provide any way of checking whether a Mac has an existing iCloud binding.  (They provide this service for mobile devices, but not for Macs.)  The only way to tell is to take the machine into an Apple store and have them check it.

IMHO that’s too secure.

rg



More information about the cryptography mailing list