ranson

About

Username: ranson
Visits: 26
Roles: member
Points: 285
Badges: 1
Posts: 54
  • Twitter's text-based two-factor authentication becomes a paid-only feature

    This is an interesting choice with somewhat dubious reasoning: pay us $8 for the continuing privilege of using the least secure MFA mechanism.

    Most likely, the SMS messages were too costly for Elon's liking, while Authenticator apps are both more secure and effectively free for Twitter to support. So from a financial perspective, it makes a lot of sense. From a security posture, forcing users off of SMS and over to an Authenticator app is a good long-term decision.

    However, the outright disabling of nonconforming users' existing SMS MFA on March 20 is a terrible idea, as it will expose what is likely millions and millions of accounts to being compromised, should their passwords have been previously harvested. This will particularly impact users who rarely access Twitter anymore, if at all. A better approach here would be to retain the SMS MFA on those users indefinitely, but require them to explicitly disable MFA or switch to an Authenticator app the next time they access Twitter after 3/20. You should never just turn someone's MFA off without their explicit approval.
  • White House calls Apple and Google 'harmful' in bid to cut app store fees

    ranson said: I fail to understand how this compromises YOUR security. It's very simple. If YOU don't want to use a third party store or sideloading to have access to an app, then YOU don't have to. See, no security problem for you. But others, who want to put software on their phone that Apple has declined to list in their App Store, should have that opportunity, given it is their device that they own. None of that compromises YOUR security in any way.

    That would only be true if there was a legal requirement for developers to make their app available in the App Store as well as in third party stores.

    C'mon man, that's nonsense. First, such a "legal requirement" would be wholly unconstitutional. Nobody can require someone to sell their product in places they do not wish. Imagine if a law was passed requiring Sony to sell PlayStations in both Target and Walmart.

    Secondly, again, if the only reason you can trust an app is because it's in Apple's store, then you are holding on to a false sense of security. If you see an app in Apple's store, and think to yourself that the only reason you're buying is because it's in Apple's Store and you couldn't trust it otherwise, then you're doing it wrong.
  • White House calls Apple and Google 'harmful' in bid to cut app store fees

    Hedware said:
    Somehow everybody gets asked except for consumers. As an owner of Apple products, I do not want my privacy and security compromised because some lazy developers want to have open skies. They should attempt to build some decent apps.

    I fail to understand how this compromises YOUR security. It's very simple. If YOU don't want to use a third party store or sideloading to have access to an app, then YOU don't have to. See, no security problem for YOU. But others, who want to put software on their phone that Apple has declined to list in their App Store, should have that opportunity, given it is their device that they own. None of that compromises YOUR security in any way.

    I hear the argument that "well, there are apps that will move to their own stores instead of Apple's, and then we can't trust the app maker to not do nefarious things." Fine, then don't install the app. If you can't trust their product because it's not in Apple's Store, then frankly, you can't trust the app at all and should not use it. Note that numerous scam apps are in the Apple Store already (see this AI article from just this morning), and popular apps like TikTok and Facebook actively track you in spite of the tracking transparency options. So again, if you think you wouldn't be able to trust them outside of the Apple store, those apps being in the Apple store is really no different. It's a completely false sense of security.

    So nobody's security is unwillingly compromised here. We are adults, and we can make informed decisions about what apps to install, even when it runs counter to Apple's opinion. This harms no one except those who choose to go down that road and make bad choices.
  • iMessage may be coming to Android with Sunbird

    KTR said:
    This is like building a Mac clone. Apple legal shut them down. But we see

    I doubt Apple could shut this down. Since the APK can be sideloaded onto Android, it could continue to be distributed outside of the Play store. If their app is perfectly mimicking the API client of iMessage on an older iOS version like 13 or 14, it would be very difficult for Apple to distinguish between the unauthorized client and a genuine iDevice and extremely difficult to block, since they no longer update those OSes.

    genovelle said:
    Considering the keys to Apple's iMessage encryption live on the device in the Secure Enclave, I'm curious how this would work. Unless it intercepts text messages that have too much data and makes them more accessible and iMessage-like.

    Most (if not all modern) Android devices include a secure enclave as well. When the user signs in to iMessage for the first time on the device by authenticating with their iCloud credentials, that is when the client generates the encryption keys, stores the private key in the secure enclave, and registers the public key with the iMessage server. So long as they have fully reverse-engineered the API protocol from sign-in to sending/receiving messages, then it is pretty straightforward and largely identical to the iPhone workflow for the same operations.
  • Musk taps over 50 Tesla employees to make Twitter changes

    That could become a controversial move since Tesla is a publicly traded company and Twitter is his private company. So borrowing employees from a public company can get weird.

    Not controversial at all. They will likely be paid as independent contractors by Twitter and receive a 1099 next year for tax purposes. One's original employer (Tesla in this case) cannot bar or punish the employee for simply working a second job unless it violates a non-compete or causes issues relating to performance at the original job.