With the recent Heartbleed Bug affecting up to 75% of all websites, and the fact that the NSA may have known about this bug for 2 years, exposing the rest of us to potential thieves and hackers so that they could exploit this bug, all in the interest of “making us more susceptible to keeping us safe from terrorist attacks*,” the time has come to start NSA-Proofing all aspects of our lives, starting with your iPhones and iPads.

All iOS devices have 256-bit AES encryption built in, which is basically impossible to crack, and Apple also encrypts all data stored on their servers using a minimum of 128-bit AES and up to 256-bit AES. In addition, iOS keychains are doubly encrypted, once with 256-bit AES, and a second time using a combination of a special key provided by special hardware known as an HSM (Hardware Security Module) and the 4-digit security code of the iCloud account. This 4-digit code is not known by the HSM, and if there are more than 10 failed attempts at cracking the code of the HSM, the keys are then destroyed and the user accounts are moved to a new cluster and the users then need to provide the necessary data to access their files on the new server.
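A simplified model of the attempt-limited escrow described above, added here as an illustration; it is not Apple's implementation. The `EscrowRecord` class, the PBKDF2 parameters, the XOR-plus-HMAC key wrap and the sample code `4821` are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 10  # failed-guess limit stated in the text above


class EscrowRecord:
    """Toy attempt-limited escrow record (hypothetical; not Apple's design)."""

    def __init__(self, security_code: str, keychain_key: bytes):
        if len(keychain_key) != 32:
            raise ValueError("keychain_key must be 32 bytes")
        self._salt = secrets.token_bytes(16)
        kek = self._derive(security_code)
        # Toy key wrap: XOR with 32 derived bytes, then authenticate with HMAC.
        # Only salt, wrapped key and tag are stored; the code itself never is.
        self._wrapped = bytes(a ^ b for a, b in zip(keychain_key, kek[:32]))
        self._tag = hmac.new(kek[32:], self._wrapped, hashlib.sha256).digest()
        self.failures = 0

    def _derive(self, code: str) -> bytes:
        # PBKDF2 parameters are assumptions chosen for the example.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 10_000, dklen=64)

    def recover(self, code: str):
        """Return the keychain key, None on a wrong code, or raise once destroyed."""
        if self._wrapped is None:
            raise PermissionError("escrow record destroyed after too many failures")
        kek = self._derive(code)
        tag = hmac.new(kek[32:], self._wrapped, hashlib.sha256).digest()
        if hmac.compare_digest(tag, self._tag):
            self.failures = 0
            return bytes(a ^ b for a, b in zip(self._wrapped, kek[:32]))
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self._wrapped = self._tag = None  # destroy the wrapped key for good
        return None


def guess_success_probability(keyspace: int) -> float:
    """Chance that MAX_ATTEMPTS distinct guesses hit a uniformly chosen code."""
    return min(1.0, MAX_ATTEMPTS / keyspace)


if __name__ == "__main__":
    record = EscrowRecord("4821", secrets.token_bytes(32))  # constructed sample code
    print("4-digit code, 10 guesses:", guess_success_probability(10 ** 4))
    print("wrong code ->", record.recover("0000"), "| failures:", record.failures)
```

With only 10,000 possible 4-digit codes, the guess limit is what holds the chance of a successful guess to 0.1%.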

So, the system is about as secure as any system can get. Not even Apple employees can peek at your data without taking the whole system down, but Apple recognized that if it was ILLEGALLY ordered by the NSA to COMPROMISE the functionality of the entire system, and ILLEGALLY ordered to not tell anyone about this compromise, which the NSA did with a company called RSA not too long ago, their customers could find their data at risk. So, even though this potential scenario would not give the NSA access to already existing accounts, but only new ones, Apple decided that it’s in everyone’s best interest (except the NSA’s of course) to make it so that even if that played out, nobody would end up with anything.

So they created an additional layer that can protect their users even in the future, no matter what unscrupulous acts are carried out by our public service workers that work for us, the NSA employees.

This is all laid out in a recent document provided by Apple. Here we summarize the steps you can take to make sure that the NSA can’t violate your constitutional right not to be subjected to unreasonable and unwarranted searches and seizures – and even if it tries, there is NOTHING that Apple can do to give the NSA access. Nothing.

This added security means that you become fully responsible for keeping your own password safe and secure, because if you lose it, there is nothing anyone in the world will be able to do to recover your data! So keep that in mind if you opt to apply this added security.

Step one:

The first step is to get rid of the default 4-digit iCloud keychain password. This is NOT the 4-digit code that unlocks your phone, but a 4-digit code that you can use to sync your keychain on different devices. This code also allows you to recover a backup of your keychain in the event that you lose all your devices.

You will switch to a much longer code, one that is so secure, even the most powerful computers in the world today won’t be able to break it. But again, make sure you keep this code somewhere, because you will have the only copy of it in existence, and without it, well… you know the deal.

You activate this new secure code on the iOS device, in Settings > iCloud > Account > Keychain, or on your desktop computer in System Preferences > iCloud Account Details.

Step two:

The following instructions are the same for the desktop or mobile device.

Select Change Security Code.

Step three:

Here is where you would normally put your 4-digit code, but instead select Advanced.

Step four:

And then select the middle option: Get a random security code.

Step five:

KEEP A COPY OF THIS PASSWORD SOMEWHERE! Without it, you will NEVER be able to decrypt your keychain again, ever, if you replace or lose your device. This also means that neither Apple nor the NSA can decrypt it, even with brute force attacks. You can keep the passcode in a secure program like 1Password or LastPass, which also encrypt their data files – that way you can access the passcode when you need it down the road, but still keep it secure.

Once you have created this new code (and stored it away in a place that’s private), your original iCloud random key that was protecting your keychain is then encrypted again with this new random key, which is never sent anywhere and is therefore not susceptible to interception, and voilà, you now have an iCloud keychain that nobody can read but yourself.

This is but one step you can take to exercise your constitutional rights; in later posts we’ll address additional steps as well. Of course, the ultimate solution is to fix our government so that we don’t have to protect ourselves from these people that work for us, but that fix will take us a little longer to put in place.

*(all of this, of course, denied by NSA spokespersons who have continuously lied to us from the beginning and will always lie to us until they are stopped)

13 thoughts on “How to NSA-Proof your Apple iCloud account.”

    1. I think underground should start putting together articles like this, all in one place, to become the go-to source to find it all in a manner that is easy for regular people to understand and implement.

  1. Have anything related to Windows 10? It’s just filled with holes that Microsoft seems to have admitted to allowing the NSA to utilize at will. I remember something a long time ago about someone finding NSA backdoor keys in the Windows 95 registry. Kinda scary to think that for 2 years they allowed a potentially devastating bug to run free in the wild. Why didn’t Norton or McAfee pick up on it sooner? OR DID they? And were politely bludgeoned into keeping it under wraps?

      1. Oh boy do they. They record and upload a lot of your actions. Keystrokes, audio, video, handwriting. It’s claimed on their site they use the information to ‘better your experience’. Who really knows who their ‘Trusted Partners’ are and what information about you Microsoft is willing to sell.

        Linux on the other hand, there is no tracking software unless you put it there. All the logging, with the exception of bug reports, is kept on the machine. And you can even choose not to send bug reports. WHY more people don’t use Linux every day is unfathomable. Ok, so there is a slight learning curve and unfortunately you can’t run most of the top game titles, but if privacy is what you crave Linux would be your best bet in my opinion.

  2. Charles, perhaps I am mistaken, but this doesn’t make iCloud nearly as secure as iOS itself is. iOS is quite secure as you say (unless backdoored, and the whole FBI drama was just a ruse), but iCloud is not at all similar in security. From 9to5 Mac: “Right now, although iCloud backups are encrypted, the keys for the encryption are also stored with Apple. This means that law enforcement can ask for this data to be provided from Apple’s servers. In the San Bernardino case, Apple gave FBI iCloud backups for the iPhone until October 19th. Feb 25, 2016.” Therefore, I believe Apple can turn over everything in iCloud to various entities. If I upload my secret journal of crushes and pictures of breakfast to iCloud, say, it seems those will be easily viewed by anyone who can convince Apple to cough up my info if I store them in iCloud.

    1. But in the San Bernardino instance the person was simply doing regular iCloud usage, not the way as described here.. so the keys would have been stored at Apple as you state. This manner, with one key never being at Apple, no matter what Apple did, they could not provide the information asked for by the Feds.

      If you lose your password, your info is lost forever with this process.. meaning no password reset, etc.

  3. Furthermore, nothing is ever “XYZ Proof.” I feel that the current title, “How to NSA-Proof your Apple iCloud Account” is lacking in responsibility to your readers, misleading, and even dangerous (unless you work for the NSA, in which case, it is a great title, par for the course.)