What are the dangers of an out of date phone?
NaibofTabr @ NaibofTabr @infosec.pub Posts 17Comments 3,362Joined 2 yr. ago
NaibofTabr @ NaibofTabr @infosec.pub
Posts
17
Comments
3,362
Joined
2 yr. ago
Targeting Lemmy specifically? probably not, but that's not really the issue. It's not that being a .zip address makes the server vulnerable, it's that the existence of the .zip TLD makes everyone vulnerable:
Surveys by security researchers immediately following public release of domain registration found numerous examples of links and domains registered under .zip being used in phishing attempts, and the ICSS recommended disabling access to .zip domains until "the dust settles and risks can be assessed".
https://en.wikipedia.org/wiki/.zip_(top-level_domain)#Security_concerns
The problem is that .zip conflicts with the very commonly used zip archive format which has caused user confusion - a user might click on what appears to be a URL to www.fakewebsite.zip and instead end up downloading a malicious .zip file. This creates an unnecessary and entirely avoidable security risk.
Google opened registration for the .zip and .mov top-level domains to the general public on May 3, 2023. Its release was immediately met with condemnation from cyber security experts as a result of its similarity with the file format of the same name. Malwarebytes warned against the use of already recognizable filenames and their confusion with top-level domains, as "plenty of users already have a clear idea that .zip means something completely different". Experts cautioned against their use, and noted that the use of .zip filetypes in cybercrime had had "an explosion" in recent years. Cisco warned against the potential for leaks for personal identifying information. Researchers also registered similar concern about Google's .mov domain.
Surveys by security researchers immediately following public release of domain registration found numerous examples of links and domains registered under .zip being used in phishing attempts, and the ICSS recommended disabling access to .zip domains until "the dust settles and risks can be assessed".
https://en.wikipedia.org/wiki/.zip_(top-level_domain)#Security_concerns
Choosing to use this TLD basically just screams ignorance, and should be causing users to question the competence of the person who made that choice.
where you steal a prototype ship
I still can't take anyone running a .zip TLD seriously. It was bad idea to create it and it's a bad idea to use it.
The danger is essentially that anything being done on the phone is not secure.
If all she does with the phone is look at cat pictures and talk to friends and family, there's probably not much critical information there to worry about.
But does she use the phone for banking? tax records? health care? Does she use the phone for multifactor authentication to log in to her bank account &etc?
Anything involving financial or personal information could be used for identity theft and fraud. Even if she doesn't have much money personally, her identity has value on the black market for opening fraudulent credit cards and other accounts. If her phone is no longer getting security updates then her email may be exposed, and basically if you can get into someone's email then you can get into all of their other accounts (through "I forgot my password" links). Also keep in mind that the phone is a tracking device, so if it's not secure then anyone with the time and interest could use it to track her location.
It's worth noting that switching the phone to another OS like Lineage may not solve this problem. Android uses a core security feature of ARM processors called TrustZone to handle cryptographic functions like security keys. This depends on processor microcode that only gets updated by the manufacturer. If the device is no longer supported, then it will probably stop receiving updates. A third-party developer like Lineage won't have the capability to update this code.
The potential threat from this is not usually immediate. Just because a device might be vulnerable doesn't mean that it's worth anyone's time to actually hack it. But frequently what happens is that someone finds a vulnerability that can be exploited and then builds some software that can do the necessary steps automatically, after which any device with that vulnerability is not secure at all.
Deciding how critical all of this is for your mother depends a lot on context. Does she have financial assets that might make her a target? Is she politically active? Is she a member of a sociopolitical group that might be a target? Does she have a social media account with a lot followers? Does she have any close friends or relatives that someone might want to target through her? Does she know anyone who works in security for a large corporation, government or bank? Her own vulnerability might make someone else vulnerable by proximity.
There's no way to eliminate risk completely. The only way to answer the question "how dangerous is this?" is to assess the severity of possible losses and the likelihood of potential threats (threat modeling) and then make judgment calls based on priority.
They can't stop the signal, Jim... they can never stop... the signal...
Yeah their whole shtick has been mimicking American corporatism et al since before the 80s. Aint working out for them.
There absolutely was an effort in Japanese businesses to imitate American businesses in the 1980s, but it was also very much a two-way street and it's important to keep this in mind. Some of the toxic work culture elements that exist in the US corporate world today were imported. Also keep in mind that learning about other businesses was more difficult at the time because the Internet wasn't a thing yet. Computers were barely getting local proprietary networks in very few, leading-edge businesses. If you wanted to learn about business operarions in another country you'd have to buy physical media (newspapers, industry journals, commentary books) or visit in person. It was slow and expensive.
Ultimately a lot of what you're referring to tracks back to Theory Z which was also called "Japanese Management".
In fact there has been a lot of cultural crosstalk between Japan and the US, going back a long time. For instance, baseball
Baseball was introduced to Japan in 1859 and is Japan's most popular participatory and spectator sport. [...]
The Japanese government appointed American oyatoi in order to start a state-inspired modernization process. This involved the education ministry, who made baseball accessible to children by integrating the sport into the physical education curriculum. Japanese students, who returned from studying in the United States captivated by the sport, took government positions. Clubs and private teams such as the Shinbashi Athletic Club, along with high school and college teams, commenced the baseball infrastructure.
When the digital electronics revolution came in the 1970s, Japan was both a competitor and a partner for the US. In the 1980s Japan's economy rivaled the US. Frankly, a lot of it did in fact "work out" for them, though it's difficult to separate the economic success from the electronics industry boom (how much of the rapid development of electronics was dependent on the corporate culture that had developed during the previous decade? how much of the business success was a result of the demand for the electronics products? how much of the demand was created internally by the businesses themselves? how would you even go about drawing lines between them?). The exploding popularity of video games (a side effect of the electronics revolution) resulted in a massive cultural export from Japan to the rest of the world, including the US.
And really the rabit hole goes way deeper. I highly recommend this video: Kawaii: Anime, Propaganda, and Soft Power Politics. by Moon Channel
So what you said is true, technically, but it is really a half-truth which projects the idea that the relationship was somehow one-sided, when in reality it was very much not.
And don't you worry, the AI, the advertising partners and anyone who pays for data access can still see all of it anyway.
Well my point was more that there's a bit of a rose-tint in this person's description of the "early internet"... unless they mean really early, like ARPANET early.
Plenty of rage-bait attention seeking in the mid-2000s.
I mean... how old is 4chan? .../b/?
republicans who are saying china is bad because of communism.
Yes, well, those are some very confused people who wouldn't know communism from a hole in the ground.
They're a lot like the people on .ml and hexbear, even some of the people on .world.
Yes, comrade, we have the best trains. They are most efficient for getting workers to the labor camps. We must work hard to build the glorious future for dear leader our people!
Potato, tomato...
Concentration camp is where you go when you really need to focus on learning to be a better wage slave party member patriot nationalist lunatic citizen.
A meaningful answer would require specificity about "older" (5, 10, 20+ years?) and would have to be broken down into manufacturer / major software / use case / target market groups. Also... would you include breach reports for software in the statistics? For instance, if an Adobe app was breached and leaked user account data, but it only affected devices running an older version of Android, is that an Adobe breach or an Android breach, or both?
Basically, once a device stops receiving security updates from the manufacturer it should be considered untrustworthy. The only caveat to this would be if you knew the hardware (CPU/APU/GPU, storage, RAM, and especially NICs and TPMs), knew the firmware for all of it, knew the software running on top of it, knew that it had been audited, knew that there weren't any major unpatched vulnerabilities for any of it, and probably limited its use to known/trusted networks. That's a lot of work and some of it is probably impossible due to proprietary hardware & firmware.
But you'd also have to weigh all of that against your threat model like I described above. The question is always "How much effort would someone put in to hack me?" There is never zero risk, even with a brand new, fully up to date device. Security is always a game of "I don't have to outrun the bear, I just have to outrun you."
There's some truth in this, but also recognize that every CPU model has its own specific microcode, every discrete device will have its own firmware and driver, and every mainboard will have its own specific firmware that makes all of those devices work together. Every version of every phone model ever produced has some amount of device code that is specific to that version and model. Keeping on top of updating every one of them would be a monumental task. Testing every update for every device before deploying the update would probably be functionally impossible.
All of that is a big part of why Apple controls the hardware of their devices so tightly. It allows them to standardize things and limit the amount of code they have to write, and in general Apple supports their devices with security updates much longer than other mobile device manufacturers. Their support range seems to be about 7 years.
Don't get me wrong, I'm not personally an Apple user. I prefer the broader freedom of choice in hardware and software in the Android market, but I understand that there's a tradeoff due to the lack of standardization. Apple's approach has benefits - there is a degree of safety in the walled garden that is not possible outside of it.
What really needs to happen is that buyers need to demand end-of-life information and support commitments from the manufacturers. For instance, the Fairphone 5 has guaranteed security updates until 2031, eight years after the launch date. That way you can make an informed decision before you buy.