On Thu, 20 Mar 2014 10:44:20 +0200 Jussi Laako <[email protected]> said:
> On 20.3.2014 2:33, Carsten Haitzler (The Rasterman) wrote: > > yes - but ivi wont be authenticating access to the car (ie the door), so > > security is less of an issue compared to a fob that can open the car door > > and turn it on. > > Well, it would still authenticate with the key fob to recognize the > user. You don't get same result with two different key fobs. but that still is not the same level of security for OPENING the car door and starting the car. ivi does not require the same level of security as the potential damage of someone who is SITTING in your care and using the ivi system (hey are trusted enough to sit in your car), vs someone outside of your car, at 3am when you are asleep trying to break in to steal the car. vastly different level of consequences due to a security breach, thus likely need vastly different amounts of attention security-wise. > I was planning to construct ecryptfs home directory encryption key using > the key fob or NFC. I can also support multiple authentication methods > for the same storage, such as keyfob, NFC tag or passphrase. > > Usually my goal has been that even if you desolder the flash chip from > the hardware and NSA puts it on their hacking bench they cannot get the > data out. > > > factory reset from bootloader then re-setup account login+pw for play/market > > and u can get all your apps back... :) in fact android handsets, last i > > played, > > That's equivalent of buying a new device, it's not a recovery, it's a it's not the equivalent. you don't spend another $500 or $1000. very far from it. :) > complete device wipe. Btw, do you know how to make a factory reset from > bootloader? Manual doesn't say anything. yes. a quick googling will show you how for many models of phone etc. no i'ts not in the manual they give you in the box, but it's documented. > Yeah, I can reinstall applications, but all my data is gone. I don't > worry about applications, I have something like five of them. not if data has been backed up. as most peolpe just hand their data to google etc. all their emails are there. all their facebook messages are there. their contacts are synced to gmail. they already gave their private info away for free and they just get it back. :) ok - i lose my call log and sms's - not used that much anymore. :) > > - it could just reset screenlock mode on the host. as long as it can get fs > > access to the internal storage. if it's encrypted and you forget your > > encryption key... then you're in trouble. factory reset method then for > > you. :) > > If there's a way to get past the device lock code, it's a really bad > security bug. > > Who wouldn't have their device encrypted these days? quick survey of me and 2 other engineers next to me. 0% use encrypted filesystems. i can tel you no one in my family uses them either. sol add a few more there. i actually personally know no one who uses this feature on their phones (that has in any way indicated they do - they may or may not use it, but they haven't said so), so my really quick survey of ENGINEERS around me says... this is not commonly used. you're likely not in the majority. :) http://consumerreports.org/privacy0613 "Almost 40 percent in our survey didn’t take even minimal security measures, such as using a screen lock, backing up data, or installing an app to locate a missing phone or remotely erase data from it." extrapolate that. if they don't even bother locking their scree.. do u think most people encrypt their filesystems? just remember. you're not in the majority. not by a long shot. :) > > yeah. the nsa agrees with you. :) but most people disagree. everyone who > > uses facebook or any google services are giving their data away for free > > all day in return for a service, and if they paid for the service, it'd be > > fairly cheap to > > Using Facebook or Google still doesn't mean giving up all your data. > Facebook app for Android is asking for too much permissions and that's > why I don't have it installed. I use it through browser instead. but 100's of millions of peolpe do have it installed. they give up that privacy for their "drug" (access to friends/social network). they rate their social network access as higher importance than privacy. MOSt people are not you. you of course are different, but most people seem to disagree. :) > On iOS I can control what kind of access it has. > > My point is that if someone steals your car, he shouldn't have a way to > get his hands on your Google Wallet or personal data through some stupid > backdoor in the system. i would argue.. they shouldn't be able to steal your car to begin with! :) if you've protected the ivi system and google wallet which maybe can cause them to lose $1000 before the account is blocked, OR you cause them to lose their $80,000 dollar car... because security was focused on for ivi but left lax for the door/ignition access... i'd say priorities are wrong. :) -- Carsten Haitzler (The Rasterman) <[email protected]> _______________________________________________ Dev mailing list [email protected] https://lists.tizen.org/listinfo/dev
