@rqsd You can get a Pixel 6a at this point for extremely low cost, and these people often refuse not only because of money, but because they want to just not get another phone.

Whether it's cost prohibitive or not, it's impossible to keep those devices secure and updated. That's just how it is. People are misled by many cultists that the OS is the only thing you need to update, which is completely false.

@inference
It is false, but it's not unreasonable. What are the chances of encountering a threat targeted at specific hardware in the wild? If someone has physical access to your device, you're fscked anyway. And that's security, their privacy is more often threatened by newer software, by stuff marketed as useful features that come built right into their ROM.
I don't disagree with you, but claiming older devices are a privacy nightmare is a bit of a stretch too 🤷
@rqsd@borg.social

@m0xee @rqsd It's completely untrue that physical access is fatal, because verified boot exists, and Pixels take it further with a HSM.

Verified boot and a locked bootloader make it so that any tampering with the device will be detected and the user will be warned.
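Added illustration of the chain-of-trust idea in the post above (example code written for this thread, not from any poster or from Android's own AVB implementation): each boot stage embeds the digest of the stage after it, and only the very first digest lives in immutable storage. Real verified boot uses signatures with a key fused into the SoC rather than plain hashes, and the stage names and "firmware images" here are constructed stand-ins; the point is that a modified stage, even one re-wrapped in a consistent-looking chain, is caught at the first link that the immutable root does not vouch for.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes                  # the code this stage would execute
    next_digest: Optional[bytes]  # SHA-256 of the following stage, embedded in this one


def stage_digest(stage: Stage) -> bytes:
    """Digest covers the stage's code AND the digest it embeds, so altering either
    changes what the previous stage (or the ROM) expects to see."""
    h = hashlib.sha256()
    h.update(stage.image)
    h.update(stage.next_digest or b"")
    return h.digest()


def build_chain(images):
    """Build stages from the last one backwards so each embeds its successor's digest.
    Returns (root_digest, stages); root_digest stands in for what the immutable
    boot ROM / fused key material would hold on a real device."""
    stages = []
    nxt = None
    for name, image in reversed(images):
        stage = Stage(name, image, nxt)
        stages.insert(0, stage)
        nxt = stage_digest(stage)
    return nxt, stages


def verify_boot(root_digest, stages):
    """Walk the chain the way a boot ROM would: every stage is checked against the
    digest the previously verified stage embedded. Returns (True, None) on success
    or (False, name_of_first_stage_that_failed)."""
    expected = root_digest
    for stage in stages:
        if stage_digest(stage) != expected:
            return False, stage.name
        expected = stage.next_digest
    if expected is not None:
        return False, "truncated chain"  # a stage the chain promised is missing
    return True, None


def tamper(stages, name, new_image):
    """Naive tamper: swap one stage's image, leave every digest as it was."""
    return [Stage(s.name, new_image, s.next_digest) if s.name == name else s
            for s in stages]


# Constructed stand-ins for firmware images (not real Android artifacts).
SAMPLE_IMAGES = [
    ("bootloader", b"bootloader v1"),
    ("kernel", b"kernel v1"),
    ("system", b"system v1"),
]


def demo():
    root, stages = build_chain(SAMPLE_IMAGES)
    results = {"clean": verify_boot(root, stages)}

    # Kernel altered in place: the bootloader's embedded digest no longer matches.
    results["tampered_kernel"] = verify_boot(
        root, tamper(stages, "kernel", b"kernel v1 + implant"))

    # Attacker rebuilds a fully consistent chain around a modified system image,
    # but cannot touch the root digest, so the very first link fails.
    _, rebuilt = build_chain(
        [(n, b"system v1 + implant" if n == "system" else img)
         for n, img in SAMPLE_IMAGES])
    results["rebuilt_chain"] = verify_boot(root, rebuilt)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The "rebuilt_chain" case is why a locked bootloader matters: unlocking lets a new root be installed, and the chain then vouches for whatever the unlocker put there.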

@inference
Not completely! Secure boot and chain-of-trust stuff has been there for decades, but we still have jailbroken iPhones and all that. Yeah, I know, verified boot is different, okay-okay 😅
And we're only talking well-known exploits here, you can't prove there aren't any 0-day ones. There is no such thing as 100% secure and with physical access the amount of attack vectors is *always* higher. You just choose what security level is acceptable to you.
@rqsd@borg.social

@m0xee @rqsd You can't know there are no zero-days, of course not, but using an EoL device means they can't be fixed at firmware level when they *are* discovered. You're basically allowing everyone to pwn you for the entire time you use that device from that point, and the OS can only do so much.

An example in any phone, regardless of OEM or OS, is the SoC TEE; an exploit in that means even apps could see other apps' and even system encryption keys. Only SoC firmware patches can prevent that.
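A practical way to see the gap the post above describes, as an added example (not code from any poster): on Android the OS patch level and the vendor/firmware patch level are separate properties, and on a device past vendor support the first keeps advancing while the second freezes. The `getprop` output below is constructed, not from a real device; the property names `ro.build.version.security_patch` and `ro.vendor.build.security_patch` are real Android properties, and the 90-day threshold is an assumed policy.

```python
from datetime import date

# Constructed sample of `adb shell getprop` output (not captured from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2023-05-05]
[ro.vendor.build.security_patch]: [2022-08-05]
[ro.product.model]: [example-device]
"""


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict; lines in any other shape are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue
        key, value = line[1:-1].split("]: [", 1)
        props[key] = value
    return props


def assess_patch_levels(props, today, max_age_days=90):
    """Report how stale the OS and vendor patch levels are, and whether the vendor
    level is lagging the OS level by more than max_age_days (an assumed policy).
    That lag is the EoL signature: OS updates still flow, firmware fixes do not."""
    findings = {}
    levels = {}
    for label, key in (("os", "ro.build.version.security_patch"),
                       ("vendor", "ro.vendor.build.security_patch")):
        raw = props.get(key)
        if raw is None:
            findings[label] = {"status": "unknown"}
            continue
        level = date.fromisoformat(raw)
        levels[label] = level
        age = (today - level).days
        findings[label] = {
            "level": raw,
            "age_days": age,
            "status": "stale" if age > max_age_days else "current",
        }
    if "os" in levels and "vendor" in levels:
        lag = (levels["os"] - levels["vendor"]).days
        findings["firmware_lag_days"] = lag
        findings["firmware_lagging"] = lag > max_age_days
    return findings


def demo(today=date(2023, 6, 1)):
    # `today` is fixed so the result is reproducible; pass date.today() for a live check.
    return assess_patch_levels(parse_getprop(SAMPLE_GETPROP), today)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A vendor level frozen months behind the OS level is exactly the situation where a TEE or other SoC firmware bug stays open no matter how current the OS build is.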

@inference
> You're basically allowing everyone to pwn you for the entire time
Well, yeah! But if it is not a remote exploit, maybe it's an acceptable threat level for me? I don't want to get a new phone, but I consider physical access fatal so I don't have anything sensitive on my phone. You, being into infosec, have everything patched and up to date and may have more on your phone than me. Neither of us is crazy, let's not get dogmatic — that was my original point actually 😅
@rqsd@borg.social


@inference
> Neither of us is crazy
Well, except for those who neither take security measures, nor are conscious about what to expect from their devices, who are like: "Oh, I have all my photos synced to eyeCloud, using 'password' as password and now all my nude pics are online!" 😱
@rqsd@borg.social
