New security hole in Apple's iOS 6.1 lets anyone bypass an iPhone's lockscreen


  • Reply 41 of 83
    This can't be something you happen upon by accident. This vulnerability must be surreptitiously shown by an Apple iOS engineer to his or her friend, who then posts a video detailing the vulnerability.

    How are these vulnerabilities usually discovered?

  • Reply 42 of 83
    malax Posts: 1,598 member

    Quote:

    Originally Posted by ClemyNX View Post

    Again? After the similar bug in 2010, they could test the unlocking screen a little bit more!

    Those lazy people must have skipped the standard test case:

    1. Lock device
    2. Slide to unlock
    3. Tap emergency call
    4. Hold sleep button until the power down prompt shows.
    5. Type in 911 or your emergency number
    6. Click call
    7. Cancel it ASAP
    8. Lock your device with the sleep button
    9. Turn it on using the home button.
    10. Slide to unlock
    11. Hold the sleep button
    12. Wait 3 seconds
    13. Tap emergency call.

  • Reply 43 of 83
    I couldn't get this to work, and honestly unless some dimwit actually published this, who the hell would work this out by accident?
  • Reply 44 of 83

    Quote:

    Originally Posted by seanie248 View Post

    "Ironically, a nearly identical vulnerability reared its ugly head back in October of 2010 "

    Coincidentally, maybe, but ironically???

    Can't see the irony here....

    Love it when guys find these little bug things out... I always have to think... what made him do those actions in exactly that order to discover the bug? Do these people sit all day just trying random combinations of actions or is there a "method"?

    "Irony" is all too often used when people should say "coincidence". I guess people want to feel crafty and make their article interesting, even though they are using the wrong word. In fact, it seems that "coincidentally" is going out of style; people are opting for "ironically."

  • Reply 45 of 83
    malax Posts: 1,598 member

    Quote:

    Originally Posted by Gazoobee View Post

    Or, you could just look over someone's shoulder. About the same level of accuracy/security.

    Seriously though, if anyone is using the passcode lock and thinking it really does much at all for "security," they are dreaming.

    It's just there to make nervous people feel more comfortable.

    Yes and no. My kids learned my PIN and my wife's by watching us (not even over the shoulder), so that part is dead on. On the other hand, I like the security of knowing that if I lose my phone it will get wiped automatically if some stranger types in 11 guesses.

  • Reply 46 of 83
    gazoobee Posts: 3,754 member

    Quote:

    Originally Posted by Rogifan View Post

    As expected, this is the top story on the Verge's website.

    Those guys are media whores. They're more concerned with being "TV Stars" than actually reporting news.

    Also, it's a complete sausage fest over there, all their "reporters" have the exact same point of view, and most of the commenters are twelve year old boys (mentally or otherwise).

    So ... Engadget 2.0 really.

  • Reply 47 of 83
    gazoobee Posts: 3,754 member

    Quote:

    Originally Posted by malax View Post

    Yes and no. My kids learned my PIN and my wife's by watching us (not even over the shoulder), so that part is dead on. On the other hand, I like the security of knowing that if I lose my phone it will get wiped automatically if some stranger types in 11 guesses.

    True. 11 guesses gives an attacker fairly good odds of guessing it though.

    Where I work we have numbered locks on the doors and when I get bored I try to guess the codes. Most of the time it's under a dozen guesses or so and you're in. You could use the longer alphanumeric password to be safer.

    I was mostly kicking back against how poorly the whole thing is being portrayed by the tech press. Everyone is saying this is a "bypass" of the lock screen for example when it's really only a partial bypass. Access to the phone itself is not given.

    Also, it requires physical access to the phone, which if an attacker has, they could simply take your phone and take it back to their home in which case it's easy to break in. Any attack that requires physical control of the device is not really a security flaw in the same way as a "real" security flaw that could allow someone to access your stuff without your knowledge or consent. By giving them physical access, you are essentially complicit.

    Finally, as others have pointed out, Android has numerous ways to *completely* bypass the lock screen (not partial), and no one gives a flying f*ck about that.

    IMO it's just shameless the way this has been put forward by the tech press as some kind of giant serious security flaw when it isn't even close to that.
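To make concrete the point argued in Replies 45 and 47 (that a wipe-after-N-failures policy is what bounds an attacker who holds the device, and that a 4-digit PIN leaves little margin inside that budget), here is an added Python model. It is not code from this thread or from Apple: the erase threshold and the escalating delays are assumed values chosen for illustration, not iOS's actual parameters, and the guess list is generated in plain numeric order rather than from any real PIN-frequency data.

```python
"""Model of a lock-screen guessing budget: a guard that counts consecutive
failures, enforces escalating delays and wipes after a threshold, plus the
probability that an attacker gets in within that budget.

Added example. LockoutPolicy's defaults are assumptions for illustration,
not the real iOS policy.
"""
from dataclasses import dataclass
from itertools import product
import string


@dataclass
class LockoutPolicy:
    # Assumed: the thread talks about a wipe after roughly ten wrong guesses.
    erase_after: int = 10
    # Assumed escalating delays (seconds) before attempt k, indexed by
    # failures so far; the last entry repeats for any further attempts.
    delays: tuple = (0, 0, 0, 0, 0, 60, 300, 900, 3600, 3600)

    def delay_before(self, failures_so_far: int) -> int:
        """Seconds the device makes the user wait before the next attempt."""
        if failures_so_far < len(self.delays):
            return self.delays[failures_so_far]
        return self.delays[-1]


class PasscodeGuard:
    """Minimal passcode check with failure counting and erase-on-threshold."""

    def __init__(self, secret: str, policy: LockoutPolicy):
        self._secret = secret
        self.policy = policy
        self.failures = 0          # consecutive wrong guesses
        self.wiped = False         # once set, nothing unlocks the device
        self.seconds_waited = 0    # cumulative enforced delay

    def attempt(self, guess: str) -> str:
        if self.wiped:
            return "wiped"         # even the right code no longer helps
        self.seconds_waited += self.policy.delay_before(self.failures)
        if guess == self._secret:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.policy.erase_after:
            self.wiped = True
            return "wiped"
        return "denied"


def brute_force(guard: PasscodeGuard, guesses) -> tuple:
    """Try guesses in order until the device unlocks or wipes.

    Returns (outcome, number_of_guesses_used).
    """
    used = 0
    for guess in guesses:
        used += 1
        result = guard.attempt(guess)
        if result in ("unlocked", "wiped"):
            return result, used
    return "exhausted", used


def numeric_pins(length: int):
    """All numeric PINs of the given length, in plain counting order."""
    return ("".join(digits) for digits in product(string.digits, repeat=length))


def success_probability(keyspace_size: int, attempts: int) -> float:
    """Chance a uniformly random secret lies among the first `attempts`
    distinct guesses. Real PINs are not uniform, so for an attacker with a
    good guess ordering this is a floor, not the true odds."""
    return min(attempts, keyspace_size) / keyspace_size


if __name__ == "__main__":
    policy = LockoutPolicy()
    print(brute_force(PasscodeGuard("0007", policy), numeric_pins(4)))  # ('unlocked', 8)
    print(brute_force(PasscodeGuard("0042", policy), numeric_pins(4)))  # ('wiped', 10)
    print(success_probability(10 ** 4, policy.erase_after))             # 0.001
    alnum = len(string.ascii_letters + string.digits)
    print(success_probability(alnum ** 8, policy.erase_after))          # ~4.6e-14
```

The two `brute_force` runs show both sides of the budget: a secret early in the guess order falls inside the window, while one just past it triggers the wipe on the tenth failure, after which `attempt` keeps answering "wiped" even for the correct code. The `success_probability` lines put numbers on the "longer alphanumeric password" suggestion: ten guesses cover 0.1% of a uniform 4-digit space but a vanishing fraction of an 8-character alphanumeric one.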

  • Reply 48 of 83
    rogifan Posts: 10,669 member

    Quote:

    Originally Posted by Gazoobee View Post

    Those guys are media whores. They're more concerned with being "TV Stars" than actually reporting news.

    Also, it's a complete sausage fest over there, all their "reporters" have the exact same point of view, and most of the commenters are twelve year old boys (mentally or otherwise).

    So ... Engadget 2.0 really.

    The article has over 200 comments, most of them a troll fest. I had high hopes for the Verge because I can't stand Engadget. But man this click bait mentality sucks. It's not Business Insider levels but the site could be so much more. What's amusing is most of the commenters think all their "reporters" are Apple fanboys.

  • Reply 49 of 83
    rogifan Posts: 10,669 member

    Quote:

    Originally Posted by Gazoobee View Post

    True. 11 guesses gives an attacker fairly good odds of guessing it though.

    Where I work we have numbered locks on the doors and when I get bored I try to guess the codes. Most of the time it's under a dozen guesses or so and you're in. You could use the longer alphanumeric password to be safer.

    I was mostly kicking back against how poorly the whole thing is being portrayed by the tech press. Everyone is saying this is a "bypass" of the lock screen for example when it's really only a partial bypass. Access to the phone itself is not given.

    Also, it requires physical access to the phone, which if an attacker has, they could simply take your phone and take it back to their home in which case it's easy to break in. Any attack that requires physical control of the device is not really a security flaw in the same way as a "real" security flaw that could allow someone to access your stuff without your knowledge or consent. By giving them physical access, you are essentially complicit.

    Finally, as others have pointed out, Android has numerous ways to *completely* bypass the lock screen (not partial), and no one gives a flying f*ck about that.

    IMO it's just shameless the way this has been put forward by the tech press as some kind of giant serious security flaw when it isn't even close to that.

    Lots of things make me scratch my head these days. Just this morning it was announced that one of Blackberry's original founders/CEOs no longer owns any shares in the company and the stock is up almost 6% on the day.

  • Reply 50 of 83

    Quote:

    Originally Posted by lkrupp View Post

    What fascinates me about stuff like this is how it is discovered. Some ODC type with too much time on their hands sitting around randomly pushing buttons? You tell me how somebody figures this out.

    Think you meant OCD, a typo that any OCD person would have caught. Oh, must have a bit of OCD myself!

  • Reply 51 of 83
    geekdad Posts: 1,131 member

    Quote:

    Originally Posted by Gazoobee View Post

    True. 11 guesses gives an attacker fairly good odds of guessing it though.

    Where I work we have numbered locks on the doors and when I get bored I try to guess the codes. Most of the time it's under a dozen guesses or so and you're in. You could use the longer alphanumeric password to be safer.

    I was mostly kicking back against how poorly the whole thing is being portrayed by the tech press. Everyone is saying this is a "bypass" of the lock screen for example when it's really only a partial bypass. Access to the phone itself is not given.

    Also, it requires physical access to the phone, which if an attacker has, they could simply take your phone and take it back to their home in which case it's easy to break in. Any attack that requires physical control of the device is not really a security flaw in the same way as a "real" security flaw that could allow someone to access your stuff without your knowledge or consent. By giving them physical access, you are essentially complicit.

    Finally, as others have pointed out, Android has numerous ways to *completely* bypass the lock screen (not partial), and no one gives a flying f*ck about that.

    IMO it's just shameless the way this has been put forward by the tech press as some kind of giant serious security flaw when it isn't even close to that.

    We have penetration testers hired by our company to compromise our security. There are different ways to compromise security. Some are physical access, some are remote (from outside the firewalls), but most of the time it is through some kind of social engineering that security is compromised. Someone is fooled or convinced to not follow the established protocols and processes and security is compromised. Also... all software has vulnerabilities. Any clicks or touches on a screen can be replicated with a script. After all, that's what the OS software does behind the scenes anyway. To run these things you don't always have to have physical access to the device to run a script.

  • Reply 53 of 83

    Why would anyone care about this? Google isn't arbitrarily defined by the media as being "cool", so it's just business as usual for a company known (and never derided) for stealing your information and selling you to the highest bidder.

  • Reply 54 of 83
    auxio Posts: 2,728 member

    Ok, this discussion is definitely bordering on "fanboyism" (yes, I said it).

    While the average person could care less about someone getting at their pictures and contacts (since they're probably all available on Facebook anyways), there could *shock* actually be people like law enforcement officers who do care about criminals getting ahold of their contacts (so that they can find out about an investigation, threaten people, or worse).

    Obviously, those people should take more precautions than just a 4-digit password on a lock screen to keep people out of their private information. However, the fact that this method of keeping information safe has flaws will then make people question other (supposedly more secure) methods as well.

  • Reply 55 of 83
    "spazz out", seriously?
  • Reply 56 of 83

    Originally Posted by abinitio View Post

    "spazz out", seriously?

    You know, wig out, lose your cool, drop the skinny in a blender, etc.

  • Reply 57 of 83
    rogifan Posts: 10,669 member

    Quote:

    Originally Posted by Tallest Skil View Post

    Why would anyone care about this? Google isn't arbitrarily defined by the media as being "cool", so it's just business as usual for a company known (and never derided) for stealing your information and selling you to the highest bidder.

    Yeah I guess mass hypocrisy shouldn't surprise me any more.

  • Reply 58 of 83
    jragosta Posts: 10,473 member
    rogifan wrote: »

    Obviously, it's because there's a massive double standard. Apple is held to different standards than everyone else.
  • Reply 59 of 83
    Wow!

    galbi wrote: »

    Prove that he did not notify Apple.

    Then let's talk.

    Also, this isn't the first time Apple has had this issue raised. According to your logic, now that Apple has had months since the last release, shouldn't it have been fixed by now?

    This latest video clearly shows that they certainly haven't listened or at least bothered to check it.

    So you think he notified Apple and allowed them sufficient time to fix the hole before posting his video online?

    Let's examine the evidence, shall we?

    We have a phone that is set to February 13, 2013 at 4:41pm. This doesn't tell us his time zone, nor does either the date or time have to be accurate. Do you really think he made this video months ago but set his phone to February 13th first just to make it look like the video and upload date happened on the same day? It's possible but not probable.

    I suppose he also could have informed Apple months ago but then only made a video yesterday, but does that seem very likely to you? Do you really think that he followed the proper reporting channels before making a video with detailed info on how to do it, including a text version, without mentioning how he submitted the bug to Apple and how they ignored him all this time? Really?

    I can come to no other probable conclusion than that he created a video as soon as he figured out how to recreate the events, without ever going to Apple.
  • Reply 60 of 83
    rogifan wrote: »

    Despite Android's numbers not enough people care about Android for it to be a big deal. It's not that people are more rational it's about the mindshare making it newsworthy, like some actor who is a household name one year just to be forgotten the next. Apple has seemingly done the impossible by continuing generating more and increasingly dominant mindshare and holding it for so very long. I guess if you look at the single issue it's better for Google than Apple in this case and Apple needs to be more diligent because anything out of place will be dissected to the fullest degree but in the big picture everyone wants to be Apple.