by mindslight 3138 days ago
Oh no, not a month's allocation of mobile data down the drain!

An impersonal passive botnet would likely do less damage than status quo "apps" that are built to siphon as much personal data as possible.

Never mind these few Mifi devices that I have - default configs that listen on wan telnet with static passwords! Well known domestic manufacturer, not worth attempting to report - the manufacturer obviously did not care, has long moved on, and there's countless other models with the same problem.

The panacea of every node being secure with an identifiable owner fell apart long ago. You can either cling to that belief in a fundamentalist manner (and prop up the totalitarians who wish to track communication ever more). Or you can work on understanding how non-technical people actually attempt to moderate their own exposure to these insecure-by-design surveillance devices.


You should install security updates. Period.

You don't help anyone by feeling better because instead of having the vendor maybe sniff on you, a hacker can do it instead.

I also haven't found any apps yet that intentionally waste my monthly datacap.

Sure, and I didn't advocate doing otherwise. My point is the larger context - there is no "secure" on mobile.

Likewise, my point about losing a datacap was that it was preferable to having more personal info backhauled into commercial surveillance databases. It's not an either-or and I'm not desiring either one - just calling attention to the larger context of user-security versus the myopia of marketing/corporate security.

There is secure on mobile. Secure is not a binary property, it's a spectrum of options and possibilities which heavily depend on your environment and your threat model.

You either get security updates at the possible downside of sending more data to some database of a known vendor or you get the very possible risk of being part of a slide on DEFCON Fail Panel by some unknown blackhat.

I choose a known adversary over an unknown any day.

At its core, digital security is a binary property equivalent to mathematical proof. Since universal security is nigh impossible (two people can keep a secret if both are dead), we then predicate it on various trust relationships / threat models - what one is secure against.

The modern non-technical but security-conscious person concedes that their devices are pwnt by (i.e. they are forced to trust) AppGoogAzon anyway, and simply shies away from trusting technology. The phenomenon is what it is - I'm not advocating for it, but advocating for understanding it.

Furthermore, are you saying that you actually know all the players in the commercial surveillance industry?!

I'd appeal to your same argument of known versus unknown, but point out that at least the motives of the rando blackhat are known. Whereas the surveillance industry will be innovating new ways of monetizing their malicious databases for the next century!

That's a rather narrow mindset. As previously explained, security is not binary, even in the circumstances you mentioned.

I don't know all the players in the surveillance industry, but I'm not so paranoid as to believe they are worse than the black hats.

You probably also have little probability of knowing the actual intentions or motives, which actually helps little in threat mitigations.

It's not a "narrow mindset", but a formal basis that fosters analysis.

It's true that drive by black hats could be looking to snarf up all the personal information they can, and selling it into the corporate surveillance databases. I just think it's less likely than they're looking for a quick hit to defraud some banks.

It's not a matter of "paranoia" (there we go again with the handwavey maligning subjectivity!), but of looking at the outcomes. It's paradoxical - the things we think of as "bad" really are not that worrisome, because the shared goal is to correct them. Meanwhile the things we think are "just the way it is" form an insidious creeping trend.

I have very little fear of say my bank account being drained, because if that actually were to happen, then we're in general agreement that it will be made right - from bank policy on up to common law. Whereas if my de-facto mandatory insurance rates mysteriously double, there is both little immediate recourse and many people will even argue in support based on the just world fallacy!

As another comment mentions; security is not binary.

Binary security is a sign you failed at security. You can be not secure at all, somewhat secure, etc., against a set of threat models, or anywhere in between those steps.

Whether or not you have properly prepared against a threat model and you are confident in defending against it is a binary property (or rather, two binary properties) but the underlying security is not.