On 09/27/2013 05:58 PM, Jonas Sicking wrote:
> On Thu, Sep 26, 2013 at 8:01 PM, Jim Blandy <jbla...@mozilla.com> wrote:
>> More succinctly: when a developer's phone is stolen, is their reaction going
>> to be "Oh dear, someone might hook up a debugger!"?
>>
>> I'm saying that's going to be pretty far down on their list of concerns. And
>> if developers don't care about that, non-developer users won't either.
> Really? As someone who has had my phone stolen, my first reaction was
> "oh crap, now they can get at all the data on my phone, I wish I had
> had a passcode enabled, now I gotta change all my passwords!".
>
> I indeed didn't specifically think about debuggers, but I don't think
> that's really relevant here. The question is if the data can be stolen
> or not. And how much damage can be done between the time when the
> device is stolen and the user is able to do something about it.
It's exactly what's relevant here: if users who understand the significance of debugging consider the possibility of someone connecting to their stolen phone with a debugger to be a second-tier concern, given all the other ways of getting personal data off the phone, then there's little advantage to restricting debugging.

The known disadvantage is that restricting debugging makes the phone less cooperative with developers. The idea that the phone should be responsive to you, and that the web is something anyone can create, are central to our mission.

----

More broadly: when the phone is in the hands of its legitimate owner, we want it to be super-responsive and inviting. The more we can lower the thresholds to making cool stuff happen, including sharing data with off-phone, non-Mozilla services, the better. We want frictionless access.

But once an unlocked phone is stolen, all effort in that direction works against us. The easier it was for the owner to do stuff, the easier it is for the thief.

It does *not* follow that we should therefore hinder these interactions, just in case the phone gets stolen; that's crazy.

Debugging is just another kind of access that users might want. It's not a special case.

_______________________________________________
dev-b2g mailing list
dev-b2g@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-b2g
