by adrianmsmith 1238 days ago
> Any program running in the userspace can read the private key file; have the private keys always been not so private all this time?

That's right, and the reason for that seeming surprising is that the threat model has quietly changed.

Previously: You owned your computer and your data on it, and you ran programs you trusted e.g. you'd buy Microsoft Word and you'd assume that that program acted in your interests, after all the seller wants you to buy the program. Desktop operating systems originated from the time when this was the current threat model.

Now: Programs don't necessarily act in your interest, and you can't trust them. The mobile phone operating systems were built with this threat model in mind, so mobile "apps" run in a sandbox.

As an example of a modern program that doesn't act in your interest, Zoom "accidentally" left a web server on Macs, even after it was uninstalled. https://techcrunch.com/2019/07/10/apple-silent-update-zoom-a...
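The post's first point (a private key file is readable by any program running as the user) can be made concrete with a small permission audit. This is an added example, not code from the post or from any project it mentions; it assumes a POSIX system, builds a constructed fake `~/.ssh` directory in a temp dir (no real keys are read), and classifies who the mode bits allow to read each key. The point it shows is that "owner only" (mode 0600) is the best discretionary permissions can do, and that the process running the script, like any other process of the same user, can still open such a key.

```python
import os
import stat
import tempfile

# Constructed fixture modes (assumption: POSIX permission bits are meaningful here).
WORLD_READABLE = 0o644
GROUP_READABLE = 0o640
OWNER_ONLY = 0o600

# Files in ~/.ssh that are not private keys and are skipped by the audit.
NOT_PRIVATE = ("known_hosts", "config", "authorized_keys")


def classify_key_file(path):
    """Return who, by mode bits alone, may read this file: 'world', 'group' or 'owner'.

    'owner' is the strongest answer the mode bits can give: every process that
    runs as the owning user (editor, browser, a package's install hook) still
    reads it. Only a sandbox or a MAC policy narrows access below the user boundary.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        return "world"
    if mode & stat.S_IRGRP:
        return "group"
    return "owner"


def readable_by_this_process(path):
    """Same-user check: can the process running this code open the key at all?"""
    try:
        with open(path, "rb") as f:
            f.read(1)
        return True
    except OSError:
        return False


def audit_ssh_dir(ssh_dir):
    """Audit private keys in ssh_dir.

    Returns {filename: (who_mode_bits_allow, readable_by_this_process)} for
    every regular file that is not a public key (.pub) or a known non-key file.
    """
    findings = {}
    for name in sorted(os.listdir(ssh_dir)):
        if name.endswith(".pub") or name in NOT_PRIVATE:
            continue
        path = os.path.join(ssh_dir, name)
        if os.path.isfile(path):
            findings[name] = (classify_key_file(path), readable_by_this_process(path))
    return findings


def build_fixture():
    """Create a constructed ~/.ssh-like directory with three fake keys at
    different modes (placeholder contents, not real key material). Returns its path."""
    home = tempfile.mkdtemp(prefix="fakehome-")
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    for name, mode in (("id_ed25519", OWNER_ONLY),
                       ("id_rsa", GROUP_READABLE),
                       ("id_legacy", WORLD_READABLE)):
        path = os.path.join(ssh_dir, name)
        with open(path, "w") as f:
            f.write("-----BEGIN FAKE PRIVATE KEY-----\nnot-a-real-key\n-----END FAKE PRIVATE KEY-----\n")
        os.chmod(path, mode)  # set explicitly so the umask does not interfere
    with open(os.path.join(ssh_dir, "id_ed25519.pub"), "w") as f:
        f.write("ssh-ed25519 AAAA fake-public-key\n")
    return ssh_dir


if __name__ == "__main__":
    fixture = build_fixture()
    for key, (who, can_read) in audit_ssh_dir(fixture).items():
        print(f"{key}: mode bits allow {who}; this process can read it: {can_read}")
```

Pointing `audit_ssh_dir` at a real `~/.ssh` flags keys that are group- or world-readable (a genuine misconfiguration worth fixing), but every key it reports as `owner` still comes back `readable_by_this_process == True`, which is exactly the gap the post describes.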


Correction: Mobile phone operating systems are designed to give a single player in the market unlimited access to your privacy while locking out competitors. The operating system is not your friend.

Bravo on the rest, you nailed it.

Correction: The operating system is a friend that vets your friends. Sometimes I don't want to have to do a full background check on "everyone" I want to "friend" so I let the OS do it for me.
More like an abusive parent that unilaterally decides who you're allowed to do what with - sometimes because they think they know better than you and sometimes just because it's more convenient to them.
I legitimately experienced the abusive scenario you’re describing as a child. I’ve never once felt even an analogous experience from my OS vendor (which is Apple on all of the devices I own).
Obviously the analogy is deeply flawed, I was trying to fit it to the style of previous comments. It's possible you never had a use-case that required such a feature, since you're fully in the Apple ecosystem. They intentionally limit their OS to give their own solutions an edge: clipboard sharing, notification mirroring, call forwarding, etc. only work iOS-macOS - if you have a Windows or Linux PC, Apple won't let you have those features, even if you're willing to develop them from scratch. Access to the WiFi, NFC and Bluetooth hardware is heavily limited - you won't find "WiFi Analyzer" on iOS. There are also many entirely legal categories of apps (web browsers, things that run code, porn, gambling...) that Apple refuses to allow on iOS, even when the user is fully informed of their "risks" and wants to use them. They won't let anyone but themselves fix your device because they think nobody could do it right, despite the fact that their own service technicians are almost always much worse than the third party, who then have to scavenge parts from damaged devices because Apple forced their suppliers into exclusivity contracts.
Indeed. One data point is here: https://issuetracker.google.com/issues/79906367
What an incredibly uncharitable take.
Care to elaborate? Because nothing the parents said is untrue. Even if you yourself don't feel that way, there are numerous reports of predatory and unethical behavior on the part of any corporation that is able to control your device, whether this is Sony[0], Samsung[1], Microsoft, Google or Apple[2][3].

They even stopped apologizing and consider their actions a standard practice. You know, Microsoft actually used to ask me if I allow them to send a report when Word crashed. What happened? What changed that they no longer ask me but do whatever they want? Why, with each update, do they insist on "syncing my ms account" so that I have to disable it each time?

The take is not uncharitable, it's realistic.

[0] https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...

[1] https://old.reddit.com/r/assholedesign/comments/pqi486/samsu...

[2] https://gizmodo.com/apple-iphone-analytics-tracking-even-whe...

[3] https://www.forbes.com/sites/jeanbaptiste/2019/07/30/confirm...

Being charitable to huge corporations (paperclip maximizers) is extremely naive.
No, experienced. Too many examples of this being true have been presented over the years. You do not own the software on your devices. You never have.
> As an example of a modern program that doesn't act in your interest, Zoom "accidentally" left a web server on Macs, even after it was uninstalled. https://techcrunch.com/2019/07/10/apple-silent-update-zoom-a...

Isn't this ridiculous? "the update does not require any user interaction and is deployed automatically." OK, how do I know if it's installed, or how to get it installed if it doesn't work? I guess there is just no help for me if I don't remember exactly how many auto-update mechanisms I've turned off.

</offtopic>

Malware has been around for a while. I think the bigger difference is that we’ve started to design computer software with inside threats in mind.
It’s worth noting that desktop Linux has mostly missed this development.
Not a security expert, so I could be wrong.

I imagine stuff like AppArmor, Snap (or Craft? I forget) sandboxes, or Docker and LXCs help with this. Or do they not?

That is exactly what snap is aiming for.

Apps run in a sandbox and have no access to user files except through "portals", which are secure file pickers essentially.

Yes, AppArmor and snap try to. Still worlds away from what Windows and OS X are doing, not to even mention mobile platforms.
> Still worlds away from what Windows

Not really, it's an on-purpose contrived thing to attempt to deploy sandboxed apps on Windows.

Developing a sandboxed app in Windows means deploying a correctly sandboxed Appx in Microsoft Store, and getting those (Appx deployed on Microsoft Store) correctly working is hell for any non-trivial application.

On Linux, you can attempt (it's not guaranteed to work) to sandbox anything you want. Whether the sandbox is even able to conveniently defend what really matters to you (say, your private key files) is another matter.
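One way to make a Linux sandbox defend "what really matters" (the comment's example of private key files) is a MAC profile that denies a specific binary access to key material regardless of the file modes. The profile below is an added example, not from the commenter or from the AppArmor project; it assumes a hypothetical program installed at `/usr/local/bin/untrusted-app` and that the standard `tunables/global` and `abstractions/base` files shipped with AppArmor are present.

```apparmor
# Illustrative AppArmor profile (added example). Confines the hypothetical
# binary /usr/local/bin/untrusted-app so it can work on the user's documents
# but cannot read SSH or GPG key material, whatever the files' mode bits say.
#include <tunables/global>

/usr/local/bin/untrusted-app {
  #include <abstractions/base>

  # Explicit deny rules take precedence over allow rules in the same profile.
  # "audit deny" also records each refused access in the kernel audit log,
  # so an attempt to read a key becomes a detectable event.
  audit deny @{HOME}/.ssh/**   rwkl,
  audit deny @{HOME}/.gnupg/** rwkl,

  # What the application legitimately needs.
  /usr/local/bin/untrusted-app mr,
  @{HOME}/Documents/**         rw,
}
```

Saved as `/etc/apparmor.d/usr.local.bin.untrusted-app`, the profile is loaded with `apparmor_parser -r` on that file and switched to enforcing with `aa-enforce`; refused reads then appear as `apparmor="DENIED"` entries in the audit log, which is the detection side of the same control.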

Linux with snap or flatpak is far closer to mobile than whatever isolation Windows and MacOS have. The difference is in how widely and well implemented it is (it's neither).
Linux was ahead of the game for quite a while. Back in the day, most desktop OSes assumed a single user.
Desktop Linux still exists in a single user world today, excluding some exotic and super fragile setups you might see in .edu networks.
I think he's referring to the time when desktop Linux was competing against the likes of Windows 98. At that time, it was common for household PCs to be multi-user because one computer was shared by several people in the house. But with Windows 98, there was no protection between users; anybody using the computer could read anybody else's files. Even if you didn't have an account on the computer, you could just press [cancel] at the login screen and have access to the computer. User accounts on Windows 98 were only for the convenience of having different desktop settings, there was no concept of files being owned by specific users.

Linux was a lot different at that time, in that it actually had a concept of users owning files. If you wanted to access another user's files without their permission you had to jump through more hoops like booting into single user mode.

single user == root only. While Linux has a single user mode, it is rarely used. Certainly not everywhere "excluding some exotic and super fragile setups you might see in .edu networks".
What do you have in mind? I'm using terminal only and don't track desktop development. Whenever I have to run something I don't trust, I use another account or, if it demands elevated privileges, a virtual machine. I guess with desktop it's not much different?
Also related to how the threat model has changed: https://xkcd.com/1200/