top | item 27422449

Apple pays out millions to student after repair techs shared her personal images

474 points | hownottowrite | 4 years ago | 9to5mac.com

325 comments

[+] kossTKR|4 years ago|reply
I've experienced that repair shops ask "and your password and username is?", many times when handing over my laptop - and I'm always like "what, no I'm not giving you my password" resulting in them looking surprised.

Who on earth gives their passwords? Also, all laptops should be encrypted by default. I find it absurd to give away the keys to your bank, search history, personal notes, images, whatever - it's beyond private and personal besides being economically dangerous and very bad job security wise for most jobs.

Not blaming regular people though, but it's weird that people are so lax about giving the keys to absolutely everything.

[+] TonyTrapp|4 years ago|reply
I once sent in a ThinkPad for repair and Lenovo explicitly mentioned that I should remove any drives from the device before shipping it. I really think this should be the standard for fixing hardware issues.

Edit: This was during the times when even a layman could do it because drives were in a slot secured by a single screw. These days it might be more complex.

[+] Sebb767|4 years ago|reply
I feel this is a bit like popping your hood at the car shop, but taking your key with you. I can absolutely see why repair shops would want to verify that a) it's not a software problem and b) everything still works fine afterwards, both of which are hard w/o the password.

Sure, you can send in a wiped device or a device without hard drive - and if you can do so yourself, this is probably fine. But for the "average" user it's quite likely a better experience, assuming you can trust the repair shop - but then again, they have full access to your hardware plus the knowledge and time to permanently bug your device. If you really don't trust them, you probably should not give them your device at all.

I can see the issue here and I'd probably err on the side of privacy given the choice, but the other side has a point.

[+] stephenr|4 years ago|reply
I've always either told them to wipe the drive, or set up a deliberate 'apple support' account before taking it in.

I sympathise with the young woman who was the victim here, but apart from "send your device unlocked" Apple do also recommend wiping the device before sending it.

When PINs started to become more common here, I had supermarket and convenience store workers asking me to tell them the PIN to my card, when paying for stuff. It didn't help that they'd ask me in Thai, I'd not understand, my wife would translate, and I'd immediately respond - in English - to the staff "Are you fucking crazy?".

Thankfully that idea didn't last long. I guess enough other people had similar reactions in their native tongue that they realised that's a really stupid way to do business.

[+] gregoriol|4 years ago|reply
I had this experience at an Apple authorised repair center (i.e. not an Apple Store but a shop that is a partner of Apple): they almost forced me to give the password of my Mac, even after I argued that we set up security/FileVault explicitly to protect data and it would be stupid to give the password to anyone after that... They argued that when they change the component (battery problem), they have to test that everything works fine. I found that really shady!

At the Apple Store, they also asked for the password, but when I said no way, the support person was just "ok, no problem".

[+] TheOtherHobbes|4 years ago|reply
This is blaming users for something they shouldn't have to do. The onus should be on manufacturers to keep private data private by default. And also to sell systems that make it easy for repair shops to back up and restore private data without breaking the privacy.

You can't start with "It just works" and then add "As long as you spend hours backing up and restoring your data before you can send it in for repairs, just - you know - in case."

Maybe the millions that were paid out will make Apple think about a more user-oriented solution.

[+] caymanjim|4 years ago|reply
There's a US-nationwide chain called "ubreakifix". I brought my Pixel phone there to have a broken screen replaced, and they wanted my passcode. I told them they were insane, and they acted as if I was the first person who ever declined. I can't believe they even ask, especially when there's no need for it whatsoever for a screen replacement.
[+] vinni2|4 years ago|reply
Ya I once went to get my iPhone screen replaced, the technician wanted me to turn off my passcode just to diagnose the problem. I of course said I am not doing that. Instead I backed up my iPhone and reset it. This is ridiculous; how can they even dare to ask people to turn off their passcode and hand over their phones with so much personal information? This was not even an Apple Genius Bar. This was an Apple premium reseller. I am sure many non-tech-savvy people just hand over their iPhones this way.
[+] asimpletune|4 years ago|reply
Regular people are slowly catching up and understanding the consequences of technical stuff. For example, I think for years I struggled to provide concrete examples when trying to explain why people should care about privacy. Now, unfortunately, it's obvious that we should care about privacy because without, we're essentially provided a blueprint to our brains and how we can be psychologically exploited, e.g. fake news, conspiracy theories, etc...

I think these are concepts that before would have seemed like sci-fi, but after 2020, I think most regular people seem to have an intuitive appreciation for how damaging this can be. It's a shame that it's taken such a tragic schism to allow, but here we are and it's better late than never.

Another example would be people probably have a better intuitive understanding for motivations behind decentralized architecture, after seeing people being removed from certain platforms. Note: I'm not saying I'm for or against this in any way, but I am saying that the technological architecture is sort of the lay of the land, in a way that I think people understand better than they used to.

And no, I would never in a million years give my password to a repair technician in the past either. Hopefully others now are starting to get a sense for why.

[+] cmckn|4 years ago|reply
I worked at a tech support desk at my university, and we asked for passwords. We were supporting software, so there's really no way around that. I always felt a bit uneasy that a dozen college kids had full access to the data on every machine in the shop. We should have at least recommended that folks change their password when they picked the machine up, or set a temporary password while it was in the shop.
[+] kevincox|4 years ago|reply
I had the same issue. I sent my phone to ubreakifix (Google's official repair partner) for a repair with warranty. After completing the repair they asked for my password and said that if I didn't provide it it would void the warranty on my phone.

I refused and they eventually relented while still providing the warranty but it ended up delaying the repair by 5 days (for a 2h repair).

[+] vinay_ys|4 years ago|reply
This is really bad. Apple can and should fix this through policy and training. They talk so much about privacy and so many people have bought into the Apple ecosystem because of that. Many years ago, I had to take an iPhone for repair, my first and only time. It was a week old brand new phone whose proximity sensor wasn't working. The service person said he would need to take it to the back room and debug it. I insisted he diagnose it in front of me and I refused to hand over my phone for him to take it to the back room. Later, I had to wipe the device and send it in for replacement. But I was not happy that they asked me to unlock the phone and hand it to them to take it to the back office.
[+] greyhair|4 years ago|reply
The problem being, if the device is so dead, that you cannot factory reset, or otherwise, wipe it, what do you do?

My daughter's MacBook Pro, with lovely soldered down solid state memory died, and had to go in for repair. There was simply no way to wipe it, and no physical drive to pull.

Same thing with most phones. Soldered storage, glued shut case. If it dies under warranty, what do you do? You have to trust the repair chain, or just chuck it in the garbage.

[+] TheSpiceIsLife|4 years ago|reply
They asked for my password when I took a MacBook to get repaired; it wouldn't power on.

I told them in no uncertain terms they cannot have my password, full disk encryption was enabled, and then pointed out if they can get the machine to the password prompt I'll be satisfied it's repaired.

I'm convinced these people are either intentionally being nefarious, or they were dropped on their fucking heads at birth.

[+] ipython|4 years ago|reply
The answer is “everyone”. I’m particularly aware of this as I just spent the past two days setting up my non technical parents-in-law with 1Password. Not to go out on a tangent here, but on the whole, authentication is broken for “normal” people. By the time someone takes a computer in to a repair facility, giving the person on the other end their password is about the least of their concerns.
[+] chasd00|4 years ago|reply
I agree, if it's a hardware issue there's no reason to require a login. If the repair is finished and the tech can get to the login/pin screen then the job is done.

If it's a software issue then maybe they do legitimately need a password but I would never hand one over without very careful consideration. And, strange hands on the keyboard of my laptop or phone would be watched very very closely at all times.

A good app would be one that disables the network stack, bluetooth, and cell modem with a separate secure pin.

[+] raverbashing|4 years ago|reply
Also remember that's one of the excuses that Apple uses for being against right to repair.

I'm just glad they have an excellent example here of how it's fundamentally BS

[+] throw14082020|4 years ago|reply
Even at the app store, they asked me to remove the password on my device. I still don't understand why there isn't a better way to do diagnostics.
[+] psychlops|4 years ago|reply
At the time, she would have been 16. I imagine she just wanted her phone fixed and the thought didn't occur to her.
[+] jmcz|4 years ago|reply
If you don’t hire degenerates, then your employees won’t do degenerate things ¯\_(ツ)_/¯
[+] viro|4 years ago|reply
software issues..
[+] 0xbadcafebee|4 years ago|reply
It's a heuristics quirk. It starts with "unknown unknowns" - the things you aren't even aware that you should be concerned about. Then add in a relationship where someone is trying to fix something for you. If you've never been trained to refuse information from someone who's seemingly trying to help you, it would never occur to you.

When you go to the doctor and they prescribe you pills, most people don't question it and just take them. And that leads to a lot of people taking antibiotics that they don't need. Or when you move and need to sign up for internet, phone service, power, water, electricity, gas, etc.... almost all of them will ask for your social security number. Even I don't know when it's mandatory and when it's optional, so usually I ask them first, but sometimes I don't.

The last time I witnessed this was some malware that infected an ex-roommate's laptop. The malware pretended to be an anti-virus and said she had a virus on her computer that it would fix. But first she needed to pay for the software - by putting in her credit card info & social security number. She complied because the files on her laptop were very sensitive and she didn't want to lose them, and she had no idea that there was no reason to ask for a social to pay for this software.

We could probably do more as a community to educate people on keeping sensitive information secure. Part of it involves media outreach, as most people seem to get their news from the TV or Facebook.

[+] beckman466|4 years ago|reply
Talented business consultant Nathan Fielder covered this topic not long ago. I believe he was the first one to spot this gap in the market for an asexual computer repair service.

He actually shares his findings with us here: https://www.youtube.com/watch?v=jf9I04Oa-hU

"Nothing is more powerful than an idea whose time has come."

[+] yosito|4 years ago|reply
I know there is historical precedent for royals trusting eunuchs with things they can't trust to horny men, but these days I'd be very skeptical of any repair service saying "Don't worry, you can trust us because we're asexual". This is like a priest saying, don't worry you can trust me not to be tempted by anything "sinful" because I'm a priest. Information security is not just about sex. I'd rather trust a computer repair service that passes third party security audits and is verifiably secure. The sexuality of employees is none of my business.
[+] trutannus|4 years ago|reply
> Talented business consultant Nathan Fielder

This is a gross understatement. Before being a consultant, Nathan also had a phenomenal career on CBC's On Your Side segment, it was CBC Marketplace before Marketplace. Why Nathan hasn't been awarded the Order of Canada for his hard work on behalf of the every day Canadian is beyond me.

[+] LudwigNagasena|4 years ago|reply
What a ridiculous thing to even propose. Looks like a way back to medieval ages.
[+] boleary-gl|4 years ago|reply
I wonder how many times this has happened and they didn't find out about it. Posting it to her own Facebook made it pretty obvious.

My father was an accountant for many years and he always said if you found evidence of fraud you shouldn't be congratulatory because what you found is maybe 10% of what is actually there if you found it by chance.

[+] Someone1234|4 years ago|reply
This is one area where there are technological solutions to people problems. Namely, that currently an iOS device needs to be fully unlocked to be serviced but realistically there should be something between "service access" and "full unrestricted access to a customer's PII and app state."

Keep in mind that in iOS root is rarely available, so even when servicing devices they're manipulating the OS via a restricted service interface that can only perform certain actions (e.g. wipe, re-flash, test different components, etc).

I cannot access the original article, but I am hoping criminal charges were also utilized as this is unlawful in many states (and frankly should be national).

[+] wil421|4 years ago|reply
A decade ago I can remember forums suggesting you take your hard drive out of your Mac when you send it in for repair. Part of the reason was privacy and the other part was user upgraded RAM or HD being removed by the repair techs and you getting billed for it.

I believe there was another case where the FBI was getting Best Buy’s Geek Squad repair centers to report CP.

[+] iamricks|4 years ago|reply
Reminder that when you take in a phone to get repaired you should back up the phone and erase all of its data. I feel like this type of stuff is common in smaller repair shops.
[+] beagle3|4 years ago|reply
When I had to repair my phone, they asked me to write down the code; I refused, and said I'll wait there and unlock it when they need. Modern iPhones (and I would guess that's also true of Androids) apparently can be accessed by law enforcement - but AFAIK that involves disabling the lock-up counters and some form of brute-forcing, which takes time.

99% of the people just give the phone password to the tech. If I was a foreign intelligence service, I'd set up attractive repair shops around army bases and government offices (quick turn around, competent service, reasonable prices) and just mirror every phone that comes through. Most of it will be useless, but I'm sure that one can occasionally find some gold (in the form of documents or compromising material).

[+] arthur_sav|4 years ago|reply
I went to an Apple certified repair shop to fix my macbook. They asked me for my login password...

Sure let me just give access to all my banking apps, photos, browser sessions etc...

I ended up creating a guest account for them but I was surprised they didn't have a policy not to access private user data or ask for passwords.

[+] zamalek|4 years ago|reply
Didn't Apple testify that allowing third-party repairs would risk user security/privacy? If Apple can't be trusted either, and has to be sued before making things right, isn't the testimony superfluous?

This is another example of why nudes and so forth should never make it onto a digital device. If that's your kink, then Polaroid cameras and camcorders exist.

[+] Natfan|4 years ago|reply
Just to clarify, the article states that the victim is 21, and that the offence occurred in 2016.

Does this mean that she was a minor at the time, and if so was the sharing of these images a similar crime to distributing child pornography?

[+] dathinab|4 years ago|reply
It's kinda funny that Apple denounced 3rd party repairs with "because they could misuse your data" while (proper) 3rd party repair shops normally don't ask for your password and in turn can't access the phone's data after it had been shut down once.

I'm more irritated that an Apple repair shop asked for login information than that a repair person with login information abused them (which sadly isn't surprising).

[+] KMnO4|4 years ago|reply
I couldn’t find the exact number of “millions” that Apple paid. Is it part of a class action lawsuit or did the entirety go to the one plaintiff?

It amazes me that workplace conditions causing loss of life can be settled for much, much less (as low as $75k paid to the family).

[+] IG_Semmelweiss|4 years ago|reply
I am not going to make a judgement on the morality, but this is not surprising.

Awards for loss of life are actually codified in case law as being vastly smaller awards than the award for loss of limbs, senses, etc.

It is somewhat logical since the primary injured (the dead) can't be made whole. Contrast this to someone injured but not dead - they will have to live with the injury for the rest of their life. Case in point - this girl.

This is why disability policies are more expensive for higher income individuals. Presumably, the injured and his/her family depends on that income to live, and the income loss must be made whole.

[+] t0mas88|4 years ago|reply
I guess Apple realized that the PR damage here was going to be significant as well. If they settle they can put an NDA in there, if they take it all the way to court and lose at a lower amount they have saved maybe a million compared to the settlement but now the other party isn't under NDA and can cause huge reputational damage by appearing on a few talk shows.
[+] teekert|4 years ago|reply
I once brought my MBP 15" Early 2011 into an Apple store (or maybe an authorized reseller? For that GPU snafu), they wanted the admin password with it... ugh I felt dirty giving them that.

Just boot from stick to test the hardware, leave my hdd/ssd alone!

[+] cvwright|4 years ago|reply
Title doesn't tell the half of it. "Personal images" are photos of your kids playing in the backyard, or dinner with your extended family.

What they stole here was much more intimate than that.

[+] mymythisisthis|4 years ago|reply
Shouldn't the technician be charged with sexual abuse, and face jail time?
[+] yawaworht1978|4 years ago|reply
I wonder how often this happens in unlicenced repair junkyard shops. Sometimes they ask for the main login pwd for no good reason.
[+] topspin|4 years ago|reply
Privacy violations are one of the floats in the Parade Of Horribles that Apple et al. offer when attempting to defend their repair monopoly. Guess that argument is out the window.
[+] diehunde|4 years ago|reply
Why would they do that? I mean what was the point of posting the pictures to her own account?
[+] marcodiego|4 years ago|reply
I remove any media from my computers when I send to a repair shop. If any media fails, it should be destroyed. If you ever sell storage media, dd if=/dev/zero it; also consider that it may not be enough with some wear leveling SSDs.

A few years ago, someone bought a used hard disk and got some private information of Brazil's then first lady Marcela Temer[0] and tried to blackmail her. He was later caught and imprisoned, but not everybody has the same luck.

[0] http://g1.globo.com/tecnologia/noticia/2016/10/hd-comprado-h...

[+] ChrisArchitect|4 years ago|reply
Fair she got a settlement but immediate reaction to this report was it sounds like automatic facebook uploading? Like it's pretty crazy the techs went to trouble of uploading, but if her account was logged in/app logged in (as most are) then even a small adjustment to settings as far as what folders to upload etc might have triggered?

Not saying it wasn't malicious, likely was, but man, seems like could also be an accident of resetting settings etc

[+] tgsovlerkhgsel|4 years ago|reply
I wonder what (if anything) the repair techs thought when doing it. If a disgruntled employee wanted to maximize damage to the company (without regard to personal consequences), this surely looks like one of the ways to do it. I think it's still more likely that they just did it because they found it funny, but this is a kind of insider risk for companies that is really hard to defend against.
[+] exabrial|4 years ago|reply
Besides being fired, is the individual facing charges?