[mindslight]

Most phones already come with two persistent implants - the user-antagonistic OS, and the baseband processor!

I'm all for trusting computing devices to act as one's agents, but attempting to do so with anything resembling a modern mobile phone is barking up the wrong tree.

Even though just having one means taking the location-tracking hit from negligently designed cellular protocols, further exposure can be mitigated by using these little snitches for as little personal activity as possible.

[alsetmusic]

At some point, reckless behavior affects people beyond the individual. I am irritated that people allow their systems, networks, devices etc to become compromised, thus becoming the assets of malicious actors. Most of the people in this category have are not particularly savvy, which doesn’t give them an out so much as it explains the predicament. However, you are demonstrating that you choose to be in this category, despite understanding the problem. You are letting your personal convictions get in the way of good judgement. You now shoulder responsibility for knowingly making the world a little less safe for the population at large.

[mindslight]

It's very fucking weird that by pointing out the larger non-corporate context of digital security, it's being inferred that I deliberately do not secure my devices. I guess by not toeing the AppGoogAzon "Security (TM)" marketing lines, I just end up in that "other - outsider" category, and must be wrong.

I already explained a mechanic of causality whereby assorted end nodes being owned up actually increases our security, as it helps keep at bay the simplistic/totalitarian philosophy of tracking/controlling communication. But don't let that get in the way of the malunderstanding that is ultimately driving this nebulous desire for promised "security".

[tscs37]

Your phone will probably turn up in a botnet soon enough, but atleast you had the moral high ground.

[Doctor_Fegg]

Do you have an actual number for "probably" - assuming normal browsing habits (i.e. not to the sort of porn site with a higher likelihood of installing malware), and an outdated version of iOS or Android?

How is that number changed by not using public wifi?

[pixl97]

>i.e. not to the sort of porn site with a higher likelihood of installing malware

Porn sites are not where most malware comes from. Ad networks are. I've had more attempts at virus and malware installs from 'legitimate' sites that have had poor control of their banner ads.

https://www.extremetech.com/internet/220696-forbes-forces-re...

>How is that number changed by not using public wifi?

You are, quite falsely, assuming that non-public wifi, say your friends house, is any more protected.

http://www.zdnet.com/article/flaws-in-att-routers-put-custom...

[Doctor_Fegg]

I'm not assuming anything: I asked a question, rather than stating a fact.

"Not significantly" would be a valid answer to the second question. However, you seem to be answering "are home routers entirely secure?", which wasn't my question: my question was about real-world risk levels (i.e. "_are_ public wifi points significantly more likely to deliver threatening payloads", not "_could_ they be").

I'd still be interested in an answer to the main question.

[mindslight]

Oh no, not a month's allocation of mobile data down the drain!

An impersonal passive botnet would likely do less damage than status quo "apps" that are built to siphon as much personal data as possible.

Never mind these few Mifi devices that I have - default configs that listen on wan telnet with static passwords! Well known domestic manufacturer, not worth attempting to report - the manufacturer obviously did not care, has long moved on, and there's countless other models with the same problem.

The panacea of every node being secure with an identifiable owner fell apart long ago. You can either cling to that belief in a fundamentalist manner (and prop up the totalitarians who wish to track communication ever more). Or you can work on understanding how non-technical people actually attempt to moderate their own exposure to these insecure-by-design surveillance devices.

[tscs37]

You should install security updates. Period.

You don't help anyone by feeling better because instead of having the vendor maybe sniff on you, a hacker can do it instead.

I also haven't found any apps yet that intentionally waste my monthly datacap.

[mindslight]

Sure, and I didn't advocate doing otherwise. My point is the larger context - there is no "secure" on mobile.

Likewise, my point about losing a datacap was that it was preferable to having more personal info backhauled into commercial surveillance databases. It's not an either-or and I'm not desiring either one - just calling attention to the larger context of user-security versus the myopia of marketing/corporate security.

[tscs37]

There is secure on mobile. Secure is not a binary property, it's a spectrum of options and possibilities which heavily depend on your environment and your threat model.

You either get security updates at the possible downside of sending more data to some database of a known vendor or you get the very possible risk of being part of a slide on DEFCON Fail Panel by some unknown blackhat.

I choose a known advesary over an unknown any day.

[mindslight]

At its core, digital security is a binary property equivalent to mathematical proof. Since universal security is neigh impossible (two people can keep a secret if both are dead), we then predicate it on various trust relationships / threat models - what one is secure against.

The modern non-technical but security-conscious person concedes that their devices are pwnt by (ie they are forced to trust) AppGoogAzon anyway, and simply shies away from trusting technology. The phenomenon is what it is - I'm not advocating for it, but advocating for understanding it.

Furthermore, are you saying that you actually know all the players in the commercial surveillance industry?!

I'd appeal to your same argument of known versus unknown, but point out that at least the motives of the rando blackhat are known. Whereas the surveillance industry will be innovating new ways of monetizing their malicious databases for the next century!

[zaarn]

As another comment mentions; security is not binary.

Binary Security is a sign you failed at security. You can be not secure at all, somewhat secure, etc, against a set of threat models or anywhere in between those steps.

Whether or not you have properly prepared against a threat model and you are confident in defending against it is a binary property (or rather, two binary properties) but the underlying security is not.

[PhasmaFelis]

> Most phones already come with two persistent implants - the user-antagonistic OS, and the baseband processor!

I don't trust Apple or Google to have my best interests at heart at all, but I am quite confident that neither of them will literally try to extort me with ransomware or kiddie porn. It's weird that you're equating the two.

[staticassertion]

Most people are willing to accept the risk that the NSA is listening in on them. Most people are not willing to accept the risk of an arbitrary person being able to steal their identity.

[junkscience2017]

That already happened as a result of Equifax. Your SSN is no longer secret...so rejoice, you are free to choose whatever phone you like!

[zaarn]

Sadly, the world is not America and most people on this planet are unaffected by the latest problems of America.

[pxndx]

s/Sadly/Fortunately/

[zaarn]

Naturally. For some reason my brain treats those two phrases as equivalent.

[ben_w]

Like 95% of the world, I don’t have an SSN.

Even if every American owns one of those outdated Android phones, 2/3rds of the phones would still have to be owned by people who don’t have SSNs.

[mindslight]

If one's "identity" is so bland that it can be trivially "stolen", then perhaps it's not much of an identity after all.

[nindalf]

For people living in America an identity is a name, date of birth, mother's maiden name and SSN. If you lose these, you could be the victim of fraud.

But you already knew that didn't you? You deliberately misinterpreted what he meant by identity theft.

[mindslight]

Mexico and Brazil use SSNs?

I am a USian. The nonsensical concept of "identity theft" has been promulgated by the surveillance industry to avoid responsibility for their own negligence. A person cannot become a "victim of fraud" in the way you describe. The banks are the only parties that stand to be defrauded, and they could avoid this by stopping to pretend that a few bits of semi-public information is enough to identify a person. So far it has been more profitable to keep the gravy train of easy credit rolling, which is fine. But that doesn't mean we should bear the burden for them!

When someone earnest talks about their "identity being stolen", I prefer to think of them as complaining that one of their friends bought the same pair of red Nikes or whatever.

[Analemma_]

This all might be true, but as a reason to not install patches, it still makes no sense. If you don’t trust the baseband or the OS, why did you buy the phone to begin with? You trust iOS n, but not iOS n+1?

[mindslight]

One is forced to buy a phone, as an expectation/requirement of modern society. This does not imply they wish to spend even more money in support of the broken ecosystem every year/six months/etc.

[jamespo]

You're not forced, particularly not to get a smartphone.

You're trading off convenience.