Re: [cryptography] You can be too secure

2016-05-05 Thread Kevin 

I see what you mean :)


On 5/5/2016 2:45 PM, Ron Garret wrote:

On May 5, 2016, at 11:13 AM, Kevin  wrote:


One can never be to secure!

Actually, I learned the hard way last week that this is not true.

Four years ago I bought a 2010 MacBook air from a private party (i.e. I’ve 
owned it for four years, and it was two years old when I bought it).  I did a 
clean install of OS X, and used the machine with no problems for the next four 
years.

Last week, someone apparently put an iCloud lock on the machine.  It turns out 
that wiping the hard drive does not remove the machine’s iCloud binding.  If 
the machine has been associated with an iCloud account at any time in its 
history, only the owner of the associated account (or Apple) can remove that 
binding.  And Apple will only do it if you can produce a proof-of-purchase, 
which for them is a receipt from an authorized reseller.  The iCloud lock is 
implemented in EFI firmware, so not even replacing the internal drive will 
remove it.

It gets worse: Apple refuses to contact the owner of the iCloud account that 
placed the lock.  The lock message provides no information (it simply says, 
“Machine locked pending investigation.”)  So even if the machine I bought was 
stolen (I have a lot of evidence that it wasn’t, but no proof) I can’t return 
it to its rightful owner because I have no idea who it is.  Apple knows, but 
they won’t tell me (which is understandable) nor will they contact that person 
on my behalf (which is not).  They also don’t provide any way of checking 
whether a Mac has an existing iCloud binding.  (They provide this service for 
mobile devices, but not for Macs.)  The only way to tell is to take the machine 
into an Apple store and have them check it.

IMHO that’s too secure.

rg




---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] You can be too secure

2016-05-05 Thread Jeffrey Walton 
On Thu, May 5, 2016 at 2:45 PM, Ron Garret  wrote:
>
> On May 5, 2016, at 11:13 AM, Kevin  wrote:
>
>> One can never be to secure!
>
> Actually, I learned the hard way last week that this is not true.
>
> Four years ago I bought a 2010 MacBook air from a private party (i.e. I’ve 
> owned it for four years, and it was two years old when I bought it).  I did a 
> clean install of OS X, and used the machine with no problems for the next 
> four years.
>
> Last week, someone apparently put an iCloud lock on the machine.  It turns 
> out that wiping the hard drive does not remove the machine’s iCloud binding.  
> If the machine has been associated with an iCloud account at any time in its 
> history, only the owner of the associated account (or Apple) can remove that 
> binding.  And Apple will only do it if you can produce a proof-of-purchase, 
> which for them is a receipt from an authorized reseller.  The iCloud lock is 
> implemented in EFI firmware, so not even replacing the internal drive will 
> remove it.
>
> It gets worse: Apple refuses to contact the owner of the iCloud account that 
> placed the lock.  The lock message provides no information (it simply says, 
> “Machine locked pending investigation.”)  So even if the machine I bought was 
> stolen (I have a lot of evidence that it wasn’t, but no proof) I can’t return 
> it to its rightful owner because I have no idea who it is.  Apple knows, but 
> they won’t tell me (which is understandable) nor will they contact that 
> person on my behalf (which is not).  They also don’t provide any way of 
> checking whether a Mac has an existing iCloud binding.  (They provide this 
> service for mobile devices, but not for Macs.)  The only way to tell is to 
> take the machine into an Apple store and have them check it.
>

Drag them into court... Let them spend $25,000 attempting to defend
their position. It will cost you about $50.00 to file it.

Money is the only thing corporations care about. Hit back where it hurts.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography