Hi Ben,
By all means, disagree, I may be entirely wrong, I just don't think I
am. You write:
Not security theater at all. If you are seriously insinuating that a casual
Google search will allow your run of the mill mugger to bypass your passcode
and or touch ID in a way that allows them to access your data then I'd be very
interested in hearing some specifics.
I could be saying that a casual Google search would allow the run of
the mill mugger to bypass a passcode, it would be true for some versions of
iOS, but I'm not saying that. Obviously, the original poster's issue was not a
security hole at all, but that doesn't mean that there haven't been exactly
such holes in the past and I would be absolutely stunned if there weren't any
in future. I'm not terribly concerned about the run of the mill mugger because
he's already been given multiple headaches to the point where he may well not
want the phone. First, in Canada, the United States, and the UK at least, he's
going to have to get the phone out of the country given that all three
countries block by IMEI. Secondly, even if he does get the phone to somewhere
it can be used, given that a great deal of the phone's value is in the apple
systems, anyone activating it is going to have a hard time if I've reported it
as lost. Now I'm sure that these things can be overcome somehow, but is it
worth it for under $500? That is, let's say that there was a way through which
the IMEI could be changed, and then a way in which Apple could be fooled, or a
server set up, so that the phone could act exactly like a good,
non-blacklisted, iPhone. Would that be worth doing, even on a large scale, to
get phones that would have to go for under $500? I can buy a known-good iPhone
for less than that, why would I buy a sketchy one for the same price or higher?
Honestly, I don't see the point of stealing an iPhone for sale. I may well be
wrong, but I think the mugger who wants to sell the phone would be making a bad
bet without any passcode being involved. He would only know about the passcode
after the theft, so he'd know he was making a bad bet before he grabbed my
phone.
As for the three letter agencies, they wouldn't want the phone, but
rather the information on it. I'm sure they could bypass a passcode with great
ease, even assuming they couldn't get what they wanted from the wire. Also, I'm
of no importance to them, and if I were, I wouldn't use my phone for anything
at all, it would probably be best not to have a phone. So a passcode won't
protect me from them, either.
The only thing a passcode could plausibly be for in actual security,
rather than security theatre, would be to protect against the middle range,
the jealous wife, the angry business partner, the irritated teenager... The
lower end of the range has already been protected against, while the higher end
of the range is too difficult to protect against if you're going to use mobile
phones at all. Here is where I say that a passcode is just security theatre.
Even assuming that one has the said wife/business partner, and even assuming
that the user has updated to the latest version of iOS, and even assuming that
the Google search doesn't turn up anything about that version, there are many
companies which claim to have software that would spy on your iPhone. They
would undoubtedly come up on Google. If you are close enough, physically, to
the person you're spying on so as to have unrestricted physical access to the
phone, you can very probably manage to get it in a state where it's unlocked,
know the person well enough to guess the passcode, fool the person into
compromising the phone, install a sniffer on the network... Basically, if my
problem is that I'm involved with people who are physically close to me and who
I don't trust or don't trust me, I have bigger problems than my phone, I need
to sort things out elsewhere. As I said to Sieghard, even security theatre may
be of use, consider the two-year old who just loves to press numbers or the
cleaner who wants to know what emails you're getting. What I'm saying is that
it shouldn't be relied on as real security and, given the inconvenience of
entering the code, I don't use it. Other people may find it useful to have it,
but I would put some thought, in anyone's position, in relying on it.
You write:
As a side note, I'd wager that my iPhone is more secure than your average
computer due to the amount of control that Apple has at a very low level.
I wouldn't take the other side of that wager. In fact, I would join you
in it if you don't mind. You are almost certainly correct, the iPhone is more
secure than the average computer. That is setting the bar very low, though,
most computers are hopelessly insecure. Many people simply have a Windows
password protecting their machines. To say that the iPhone is more secure than
most computers is like saying that a heart attack is less painful than the
death of a thousand cuts. Great as far as it goes but it doesn't go too far. I
should also say that the iPhone is not at all secure against Apple themselves.
The amount of data they can collect makes me shudder. If I weren't blind, I
would never use such a thing.
You write:
Additionally, with all due respect, whilst we could debate the definition of
secure data, I'd wager that you might not be aware of quite how much data iOS
stores without making it overly clear to you.
You're probably right, there is probably data that is being saved that
I don't know about, though I do try to keep up. I have, not uncharitably, been
described as a privacy nut. My concerns, such as they are, are not of the thief
getting that data, as I said, theft of the phone isn't too much of a problem,
but of it leaking to advertisers and others over the network, I have no doubt
that's happening. As to the two items you mention, passwords and contacts, the
first thing I would do if any phone with saved passwords, for wireless networks
or anything else, went missing is to change those passwords. I would do that
whether I did or didn't have a passcode on the phone, there would be no reason
to take the risk of those passwords getting out even if I had a passcode and
thought the passcode was secure. As to my travels, they're open to anyone who
wants them, any private travels would mean that I should leave my phone at
home. As to contacts, I keep them in my head, not on the phone.
Finally, let me say that it's a pleasure to find someone who has
actually thought about these things, most people don't even think about what is
on their phone, they just apply the quickest security method and leave it
there.
Aman
From: viphone@googlegroups.com [mailto:viphone@googlegroups.com] On Behalf Of
Ben Mustill-Rose
Sent: Sunday, April 26, 2015 6:26 PM
To: viphone@googlegroups.com
Subject: Re: Iphones no longer secure
Hi,
I'm sorry but I have to disagree with a number of your points. You said:
On 4/26/15, Aman Singer <aman.sin...@gmail.com> wrote:
> A smartphone is nothing more or less than a computer. The
> passcode/fingerprint is simply security theatre, it makes things look
> secure and may be secure against someone who doesn't have Google, but
> it is not secure in fact. Once the phone is in the hands of someone
> who wants and is willing to bypass the security, nothing is secure in
> fact, it only depends on how much trouble the attacker is willing to
> go to.
Not security theater at all. If you are seriously insinuating that a casual
Google search will allow your run of the mill mugger to bypass your passcode
and or touch ID in a way that allows them to access your data then I'd be very
interested in hearing some specifics. Lets not forget that the hardware hack
that got a lot of media attention a month or so ago no longer works.
As a side note, I'd wager that my iPhone is more secure than your average
computer due to the amount of control that Apple has at a very low level.
> This is one of the reasons why I have no passcode on my phone, it
> offers very little extra security but does offer an inconvenience when
> I want to unlock the phone. I do not keep any secure data on my phone,
> any data that I object to the public having access to, simply because
> the chance of theft is too high and, as we see, the passcode is not of
> much use.
Whilst I agree that to a certain extent where there's a will there's a way,
unless you've been annoying any 4 letter agencies, I personally feel that
saying that a passcode offers very little extra security is incorrect. Lets not
forget that the workaround that was posted to the list has now been proven to
be ineffective.
Additionally, with all due respect, whilst we could debate the definition of
secure data, I'd wager that you might not be aware of quite how much data iOS
stores without making it overly clear to you.
For example, do you really consider your wireless network password/s, where
you've traveled to and any contact information data that you wouldn't mind
sharing with the public?
Cheers,
Ben.
> Aman
>
> --
> The following information is important for all members of the viphone list.
> All new members to the this list are moderated by default. If you have
> any questions or concerns about the running of this list, or if you
> feel that a member's post is inappropriate, please contact the owners
> or moderators directly rather than posting on the list itself. The
> archives for this list can be searched at
> http://www.mail-archive.com/viphone@googlegroups.com/.
> ---
> You received this message because you are subscribed to the Google
> Groups "VIPhone" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to viphone+unsubscr...@googlegroups.com.
> To post to this group, send email to viphone@googlegroups.com.
> Visit this group at http://groups.google.com/group/viphone.
> For more options, visit https://groups.google.com/d/optout.
>
--
The following information is important for all members of the viphone list. All
new members to the this list are moderated by default. If you have any
questions or concerns about the running of this list, or if you feel that a
member's post is inappropriate, please contact the owners or moderators
directly rather than posting on the list itself. The archives for this list can
be searched at http://www.mail-archive.com/viphone@googlegroups.com/.
---
You received this message because you are subscribed to the Google Groups
"VIPhone" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to viphone+unsubscr...@googlegroups.com.
To post to this group, send email to viphone@googlegroups.com.
Visit this group at http://groups.google.com/group/viphone.
For more options, visit https://groups.google.com/d/optout.
--
The following information is important for all members of the viphone list. All
new members to the this list are moderated by default. If you have any
questions or concerns about the running of this list, or if you feel that a
member's post is inappropriate, please contact the owners or moderators
directly rather than posting on the list itself. The archives for this list can
be searched at http://www.mail-archive.com/viphone@googlegroups.com/.
---
You received this message because you are subscribed to the Google Groups
"VIPhone" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to viphone+unsubscr...@googlegroups.com.
To post to this group, send email to viphone@googlegroups.com.
Visit this group at http://groups.google.com/group/viphone.
For more options, visit https://groups.google.com/d/optout.
