Authentication, Chrome, Passwords – Security is Hard

From Chrome’s insane password security strategy:

There are two sides to this. The developer’s side, and the user’s side. Both roles have vastly different opinions as to how the computer works. Any time I try to draw attention to this, I get the usual responses from technical people:
[..]
The computer is already insecure as soon as you have physical access

Yes. It is. And I totally agree that no non-technical person understands this, or should have to understand it.

We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behaviour. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that’s really what they get.

Justin Schuh

But I believe that technical people are fine with this not because they understand that physical machine access == “now it’s my computer” (they do, of course, that’s not the point), but because they have a much lower-level, visceral connection with their computer. It’s part of them. So of course it’s an extension of them from an authentication point of view. It’s their proxy to the universe. No-one touches my keyboard but me.

Of course, as a technical person, I know why it’s the way it is. Chrome has to type your passwords in for you. So it has to store them. The only long-term solution to this is to stop using passwords in favour of something better.

iOS data security and @parislemon

Android and iOS are operating systems that run on computers. Granted, these computers are smaller than the ones you grew up with, but they’re still computers. And guess what? In many ways, they work like computers have in the past — including the ability to access your other files. It’s a feature, not a bug.

MG Siegler – Prompts

I agree – phones are computers now. But we’re still right to be annoyed over this, in the same way we were right to be annoyed over PathGate. Apps on my phone have the ability to go behind my back and take my (and other people’s) personal data. Of course they can. It’s a computer. They can do all sorts of things, and there are perfectly good and safe reasons to do all of them. This power can be used for evil! And it’s not possible to tell in advance if a given application is going to do something evil.

But we’re still right to be annoyed, because preventing this sort of thing was pretty much the entire premise of the app store review process. (That, and stopping iPhones bringing down the entire West Coast phone network, of course.) Apple promised to protect us from evil applications, and used this as justification for all sorts of stupid rejections that in no way made my iPhone experience safer.

I’m prepared to accept the trade-off of a review process that sometimes stops good things if it’ll also stop bad things. But it’s not stopping the bad things. And it’s not possible to stop the bad things. It probably stops a lot of them. But that’s not the trade-off I was promised.

Apple and Address Book permissions

I’m late on this. But from All Things D last week:

[..] soon, apps that use address book data will require explicit user permission to do so.

This doesn’t fix the Thing That Actually Happened, it’s just a sop to people who want to see more gratuitous security. Merely gating access to the Address Book doesn’t distinguish properly between Path’s “We’re going to send your entire address book to our servers and store it forever” friend finder, and Marco’s “I just want to make sure a particular contact isn’t already in your address book, and wouldn’t dream of sending anything to my server” Read Later contact install process. Even post-fix, the Path blog post doesn’t make it clear whether they’re still going to store my address book (assuming I send it to them again) for all time or not, or how much contact information they’re sending.

This fix might even make things worse. The new version of Path shows a dialog box explaining roughly what they’re going to do with your data before requesting address book access. Once Apple have a gate in the way, are they going to put up two redundant dialog boxes? Or will they drop the helpful one and leave up a single “Path wants access to your address book but I won’t tell you why” confirmation?

It’s not access to the data that needs guarding. It’s what the apps do with the data. Of course, a technical solution to this problem is probably impossible. I’m just bitching.

Twittervision on the iPhone

I tried Twittervision on the iPhone. And it’s quite pretty, in a hypnotic way. So I gave it my twitter username/password, to try it as a twittering interface. And it’s lousy. But ok, I have a twittering interface. I delete the app.

Today, I see a tweet from @davetroy. Who? I don’t know him. Turns out that he wrote Twittervision. And now I’m following him. Which means that (a) his app must have followed him on my behalf, because I didn’t do it, and (b) he can now see all my private tweets (because my twitterstream isn’t public).

Well, fuck you, Mr Dave Troy.