top | item 42547411

faramarz | 1 year ago

That’s an interesting comment.

I have a sidebar question for you: what phone do you use, if you are comfortable sharing?

I'm wondering if you are biased towards the walled garden of Apple with its perceived security, or Android, or some other.

saagarjha | 1 year ago

I use an iPhone, but that's really more because of personal preference than any particular security posture. I'm not a particularly attractive target for commercial spyware: I'm a guy who likes to post things on the internet, rather than someone with genuine value. I don't interact with and am not in the business of handling exploits. There's not really any reason why you'd want to pick through the details of my private life or silence me. It would be pretty dumb to target me with an exploit, especially considering that I would be more likely than most to find it and burn it. If you have that kind of money to waste, I can think of a lot better ways to spend it than getting my chat messages.

From your question I am guessing that this is a disappointing answer, since you probably wanted me to point to a specific phone and an explanation of why I think it is better. But any honest security professional is incapable of giving you a simple answer. I have a beat-up iPhone 13 mini because I like small phones and Apple is unlikely to make a new one soon. I have Lockdown Mode off because it would make my life more annoying than it needs to be. My threat model does not include sophisticated attackers that would be thwarted by security mitigations present in a new device or paranoid software. Should it be in yours? Well, I can try to help you answer that question. But for these attacks the problem is that 99.99% of people will never be targeted by them. But it's not very easy to tell if you're part of the 0.01% (these are made up numbers, btw). There are a lot of things you can do that can make you more or less attractive. For example, if you're a journalist, or a political activist, you might be more concerned. But what if your cousin you're close to is actually a VP at Google? More difficult to say. If you connect all the dots you can build all sorts of models where you should turn this on, regardless of who you are. But the fact is that security is not free, and it almost always comes with some sort of tradeoff against usability or cost. You could be mowed down on the street by an assassin tomorrow, but that is generally a bad reason to never leave your house or walk everywhere in a kevlar vest.

My general advice for people, taking into account practicality and ease of implementation, is to go with a fairly modern phone of their pick that gets regular security updates, so they're not the subject of much lower-cost attacks that reuse patched vulnerabilities. I know a lot of the people who work on security at Apple and they're smart people who really care about making things that are good. Whether the walled garden accounts for that, or even if I think they always make the right choices…well, I have Opinions on that but that's for another day. They certainly make mistakes, but they also do good work. If you look at Android you'll see similar, with it pulling ahead in some areas and being behind in others. I've done a lot of research on Apple's security story and worked on Android's but I can only really rank them on specific facets rather than as a whole. Really I would say, pick up an iPhone or Pixel, be careful about things that are far more likely to hurt you (like, say, phishing), and otherwise just keep a pulse on this area if it interests you. Otherwise I think you have more than enough in your life to worry about.

newuser2022 | 1 year ago

Considering security updates, do you think iOS has an advantage in speed? Apple usually rolls out security updates to all supported iPhones (often for five or six years) nearly instantly, including critical zero-day fixes, which can be deployed overnight. In comparison, while Pixel devices get immediate updates (but they're only available in a handful of countries), Android devices from other manufacturers depend on their update schedules, which can be slow and inconsistent and often end after about three or four years. Even with top players like Samsung, there are week-long delays, especially for non-flagship or older models. In your view, does the pace and longevity of Apple's security updates tip the balance in their favor, or am I just being biased?

jimmySixDOF | 1 year ago

The suggestion is: whatever you do use, it should involve a presumption of compromise as the default posture.

saagarjha | 1 year ago

I don't think this is a useful model to have, because it's too simple and not actionable. Who is compromising you? What is their cost to doing so? What level of compromise can they achieve? If you just go "you are always hacked" what is your suggestion? That I never touch a computer ever again?