1. 34
  1.  

  2. 4

    I do love that optional chaining operator though! I promise I transpiled it.

    1. 2

      Consumer organisations should really be warning people about such things. Especially premium stuff like Apple’s (whose hardware is good enough that it can be used for many many years) should really be able to get lifetime updates. The real problem here is that these machines are so locked down that you can’t update them to something more modern, which you usually can with general-purpose computers like laptops and desktops (at least, in a supported way - there are almost always ways to hack around it).

      1. 9

        There’s regulation going through the EU at the moment that will require labelling of the guaranteed security update lifetime for IoT devices. I hope tablets and so on will fit into this scheme. A cheap Android handset looks a lot less cheap if you have to replace it after a year if you don’t want to be running malware.

        I disagree with the conclusion of the post. The versions of Safari and Chrome listed both have known security vulnerabilities that have been exploited in the wild. Modifying your site to support known-insecure clients is irresponsible. So is a manufacturer dropping security updates from a device and not explicitly notifying the customer. I’d love to see regulation that made these appliance-like devices display a prominent message to users after they stop getting security updates saying something like ‘This device no longer gets security updates, connecting it to the Internet is likely to expose you to malware that can compromise any personal data stored on or accessible from the device’ with large financial penalties for manufacturers that didn’t display them.

        The big problem with upgrades for security, from a usability perspective, is that normally people upgrade to make more things work. Security is about making fewer things work. A device that does only everything a user wants is strictly less featureful than a device that does everything that a user wants and everything an attacker wants. Telling people that they need to upgrade so that an attacker has fewer features is difficult.

        1. 2

          Totally agree about the bad conclusion; the main issue is with the device not getting updates, not with the websites breaking backwards compatibility with ancient and insecure browsers (although there’s something to be said for not unnecessarily breaking things).

          And making people understand security is a fool’s errand. Just the idea of running malware and others controlling your computer is so alien to most people that they don’t care. And besides, it’s difficult to explain why it’s a problem for them, personally. Often the malware doesn’t interfere with your work (I’ve seen plenty of malware-infected Windows machines where the only complaint was that it was a bit slow and could I please have a look at it).

          1. 1

            I’ve found it easier with phones / tablets than with big computers for a couple of reasons:

            • People seem to use mobile banking on mobile devices more than Internet banking on the web. Explaining that malware could transfer all of the money out of their account can be scary.
            • Mobile devices have cameras and microphones and people take them into their bedrooms. Explaining that malware can turn on the camera and microphone and send the recording to an attacker can be scary.
            • Mobile devices with SIMs can send premium-rate text messages, which cost money.

            If I were evil, I’d register a load of premium-rate SMS numbers and write some Android malware that looked at the SIM state and identified people on popular pre-pay plans. When it found one, it would send one (lowish cost) premium SMS to that number. If it costs the user 20 cents or so, the cost of querying it with their provider is more than the cost of ignoring it for most people, and most people on pre-paid plans don’t look at itemised bills anyway. If a few people query it, the telcos will most likely just issue a refund until enough people complain that it triggers a fraud-detection threshold. If 99% of people don’t query it then the 1% that do will probably be assumed to be drunk people who forgot that they sent the message. You could probably make a few million doing this. If you make 20 cents per message and infect 10% of US mobile phones, then you’ll get something like $6m. If the premium-rate numbers are registered via different private shell corporations registered in tax havens then tracking you down would be quite difficult even if someone did discover the malware.

            I’m quite surprised that I’ve never read about anyone discovering a scheme like this in the wild. I bet far more than 10% of US mobile phones have remotely exploitable root vulnerabilities.

            1. 1

              > I’m quite surprised that I’ve never read about anyone discovering a scheme like this in the wild.

              The voice-call version of this scheme is attempted regularly and every telco or VoIP provider past a certain size has to stay vigilant for it.
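Added example, not from the thread: a defender-side counterpart to the premium-SMS scheme sketched above and to the vigilance the telco reply mentions. It aggregates constructed SMS charging records per short code and flags codes whose traffic is many distinct prepaid subscribers each sending exactly one low-value message, so detection rests on the traffic pattern rather than on customer complaints; the record layout, short codes and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of premium-rate SMS charging records; not real CDR data.
# Each record: (sender MSISDN, destination short code, sender plan, charge in cents).
RECORDS = [(f"+1555000{i}", "89101", "prepaid", 20) for i in range(8)]  # one message each
RECORDS += [  # a short code with ordinary-looking traffic: repeat senders, mixed plans
    ("+15551000", "54321", "postpaid", 50), ("+15551000", "54321", "postpaid", 50),
    ("+15551001", "54321", "prepaid", 50), ("+15551002", "54321", "postpaid", 50),
    ("+15551002", "54321", "postpaid", 50), ("+15551003", "54321", "prepaid", 50),
    ("+15551004", "54321", "postpaid", 50),
]


def profile_destinations(records):
    """Aggregate per short code: message count, per-sender counts, prepaid messages, revenue."""
    profile = defaultdict(lambda: {"msgs": 0, "senders": defaultdict(int), "prepaid": 0, "cents": 0})
    for sender, dest, plan, cents in records:
        p = profile[dest]
        p["msgs"] += 1
        p["senders"][sender] += 1
        p["prepaid"] += plan == "prepaid"
        p["cents"] += cents
    return profile


def flag_one_shot_premium_destinations(records, min_senders=5, one_shot_ratio=0.9, prepaid_ratio=0.8):
    """Return (short code, distinct senders, one-shot ratio, cents billed) for codes where
    many distinct, mostly prepaid subscribers each sent exactly one message.
    Thresholds are illustrative assumptions, not values from any real fraud system."""
    flagged = []
    for dest, p in profile_destinations(records).items():
        senders = p["senders"]
        if len(senders) < min_senders:
            continue
        one_shot = sum(1 for n in senders.values() if n == 1) / len(senders)
        prepaid = p["prepaid"] / p["msgs"]
        if one_shot >= one_shot_ratio and prepaid >= prepaid_ratio:
            flagged.append((dest, len(senders), round(one_shot, 2), p["cents"]))
    return flagged


if __name__ == "__main__":
    for dest, n, ratio, cents in flag_one_shot_premium_destinations(RECORDS):
        print(f"short code {dest}: {n} senders, one-shot ratio {ratio}, {cents} cents billed")
```

Raising min_senders above the number of distinct subscribers seen suppresses the alert, which is the knob a real deployment tunes against the operator's normal short-code traffic.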

              1. 1

                The points you raise are good but still somewhat vague. And I’m not sure how viable it is for bank accounts to be taken over in this way. I’ve never heard of malware that was able to do that (but then, I haven’t looked into malware that deeply).

                Regarding why nobody tried your get rich quick scheme: maybe it’s too easy to trace the premium number and bank account to an owner?

                1. 1

                  > The points you raise are good but still somewhat vague. And I’m not sure how viable it is for bank accounts to be taken over in this way. I’ve never heard of malware that was able to do that (but then, I haven’t looked into malware that deeply).

                  There have been quite a few and banks have tried really hard to shift liability onto the customer when they’re discovered.

                  > Regarding why nobody tried your get rich quick scheme: maybe it’s too easy to trace the premium number and bank account to an owner?

                  Open a bank account registered to the shell corporation, when money goes in, transfer it through a few different jurisdictions before it gets to you (or do more conventional money-laundering things like buying art, gold or Bitcoin with it and selling the asset as you). I think US banks can reverse transactions for six months after they happen, but if you aren’t detected for a year then you’d still keep the first six months.

                  Note also that none of the intermediaries have an incentive to catch you. The company selling you the premium-rate connection takes a cut, as does the mobile provider sending the SMS messages. Unless they’re spending more handling complaints than they are making from the SMS fees, they make more money if they keep quiet than if they try to shut you down (which, itself, is expensive to do and involves sharing data with law enforcement). Even the banks will be charging corporate account fees. This may explain why I’ve not read about any such scams - everyone who could report them is happy making money from them.

                  1. 1

                    > Open a bank account registered to the shell corporation

                    A thing I think I’ve heard of fraudsters doing is opening a bank account registered with a real corporation that doesn’t belong to them, giving contact information that looks plausible but won’t actually result in any real employee of the patsy corporation being directly contacted.

                  2. 1

                    Bank account stealing malware has been a thing for a while, pretty much since the first terrifyingly-insecure day an ethically-negligent software engineer attached a cgi-bin script to an RS-232 null modem plugged into a creaking, coal-fired mainframe. https://search.theregister.com/?q=bank+trojan has results going back for over a decade (and I suspect the only reason the stories stop when they do is because that was when the site was founded). For example, https://www.theregister.com/2005/02/09/banking_trojan/

                    One thing to be aware of is that it isn’t strictly necessary for the malware authors to go to all the trouble of completely automating the process of emptying out a victim’s accounts. Historically it’s been really common for people to deliver malware payloads that just do things like take screenshots and operate as a keylogger, then pass off the details of successful infections to a human to do cash extraction.

          2. 1

            We have an older iPad mini that works completely fine. The Disney+ app doesn’t work on it any more. I find this very inconvenient.

            1. 1

              Felt. I have a 2012 Samsung Chromebook that I’ve used in emergencies when I had laptop issues; it’s now stuck on an un-updatable version. I’ve not put in the time to slap Arch or whatever Arm+Mali-compatible distro I can find on it to keep it running, but it’s pretty much a paperweight now. The irony is that it’s now stuck on the last version of Chrome that uBlock worked correctly on with Manifest v3,

              1. 1

                I can relate. I can no longer browse the C2 wiki because I’m using an ancient web browser that’s 20 minutes out of date and Ward Cunningham just doesn’t care (in other words, upgrade or GTFO).