Hacker News
by controv3 4649 days ago
> I think they're missing the point. The passcode on an iPhone defends against other people in your environment - family members, coworkers, roommates - getting your information opportunistically. It doesn't defend against hackers, the government, or even slightly savvy thieves.

The Google Chrome Security team begs to differ [1]. According to them, giving someone the illusion of security is bad.

[1] https://news.ycombinator.com/item?id=6165708

3 comments

Giving someone the illusion of security is bad because it displaces their understanding of security.

An understanding of security will reveal that security is not a binary state of affairs. It's perfectly reasonable to trust known-imperfect mechanisms like the iPhone fingerprint reader to keep honest people honest and discourage ordinary muggers and thieves. I don't need military-grade access control for my personal iPhone, I don't want the inconvenience that would necessarily accompany it, and I damned sure don't want to pay for it.

And the Google Chrome guy is correct in all respects: it's not reasonable to expect an application to provide security that's redundant with security provided by user accounts on the OS it runs on. It would be better to teach users to create separate accounts on their system, if they want to hide their local passwords from other members of their family.

You are completely detached from normal practical realities; as such, your beliefs on security can be safely disregarded.
Teaching users to create separate accounts might be better, but so would any number of impractical suggestions.

It is perfectly reasonable to expect an application to provide more security than the user account provides because in the real world, we know that people don't always lock their computers. Not all applications are risky, but one that centralizes a user's credentials is clearly so.

Pretending otherwise is simply not acknowledging the real world.

Which is ironic coming from a company known to be sharing information directly with the NSA.

Name one security technology that is 100% foolproof. They don't exist. So the point isn't to rely on one thing, but to rely on many things that, used in concert, increase the risk, complexity and cost associated with subverting the entire system--not its individual components.

I don't think I've seen anyone parry an appeal to authority with an ad hominem lately. Good one.
In this case it's valid.

In the same way that you'd afford extra scrutiny to a government agent making claims about what encryption methods to use, you should afford the same scrutiny to companies making security claims who are documented collaborators with the TLAs.

An ad hominem isn't always a fallacy, especially when the credibility of the speaker is legitimately in question. Saying they're automatically wrong would be fallacious (not to mention silly), but questioning credibility based on actual, documented behavior is not.

Umm... I think the point was to subvert the appeal to authority by pointing out that Google has been compromised.

The main argument is in the second paragraph.

Anyhow, thanks for noticing :)

Citing the Google Chrome Security team regarding security is the exact opposite of the appeal to authority fallacy. It's an appropriate expert for the context.
No. It's appeal to authority.
It is an appeal to authority, but a non-fallacious one, as the authority being quoted has the relevant position.
Which is an incredibly absurd position, in any context.

Security is not binary.

If it were, it would always be 0.