On 03/20/2014 07:33 PM, Jussi Laako wrote:
On 20.3.2014 11:28, Carsten Haitzler (The Rasterman) wrote:
but that still is not the same level of security for OPENING the car
door and
starting the car. ivi does not require the same level of security as the
potential damage of someone who is SITTING in your care and using the
ivi system
(hey are trusted enough to sit in your car), vs someone outside of
your car, at
3am when you are asleep trying to break in to steal the car. vastly
different
level of consequences due to a security breach, thus likely need vastly
different amounts of attention security-wise.
It needs more security, because the consequences of someone stealing
your information can be much more severe than someone stealing your
car. Insurance covers stolen car, but usually not stolen information.
If you access your company email from the car IVI system for example
(or mobile device for that matter)...
i seriously doubt any ivi system i ever have will have more than music,
movies and maps in my car, so i can guarantee you, the vastly more
valuable thing to lose is the car.
You already get set of requirements if you want to certify your device
for MS Exchange access (policy enforcement etc).
Each user still needs to be authenticated properly, especially if they
have their Google Wallet or Facebook credit card accessible behind the
authentication system.
At least here for example taxis are just ordinary cars, usually
something like Skoda Superb or Mercedes E-class. Same goes for driving
school cars, those tend to be ordinary stuff like Skoda Octavia.
not if data has been backed up. as most peolpe just hand their data
to google
etc. all their emails are there. all their facebook messages are
there. their
I wonder how many corporations would allow their emails stored there.
enough. i have worked at companies that use google docs for their actual
work. real life.
http://www.google.com/enterprise/apps/business/customers.html
google trumpet on 1000's uploading their data to their services, handing
comapny communications, documents and more to a 3rd party (google). my
point is... your view is biased. there is another side to things. :)
And "most ordinary non-privacy aware private persons" is not enough to
steer platform requirements. What if the device is used by government
officials or company CEO?
contacts are synced to gmail. they already gave their private info
away for
free and they just get it back. :) ok - i lose my call log and sms's
- not used
that much anymore. :)
I don't think platform should be designed based on requirements of
least-security aware users.
no - but at the same time it should not become unusable or undesireable
because of security for the minority of users.
quick survey of me and 2 other engineers next to me. 0% use encrypted
filesystems. i can tel you no one in my family uses them either. sol
add a few
more there. i actually personally know no one who uses this feature
on their
phones (that has in any way indicated they do - they may or may not
use it, but
they haven't said so), so my really quick survey of ENGINEERS around
me says...
this is not commonly used. you're likely not in the majority. :)
Or they don't know, because it is just silently enforced by the
Exchange account policy?
no. my phone is my phone. company can't say squat diddly about it. i
paid for it. it's mine. my property and my rules. that is the same case
for every single enigneer around me. NONE of them had a phone given to
them by their company. they are personal phones paid for and owned by
them, on their own phone plans.
Again, majority in which category and geography?
i was making a point. your point is that no one at ALL uses unecrypted
phones. your point of view is just your own world. stand aback and look
at the bigger picture. what you do and what everyone does.. are 2 vastly
different things. that's the point i'm trying to make. your view is
colored by just what you see immediately around you and you arer
applying it to everyone.
"Almost 40 percent in our survey didn’t take even minimal security
measures,
such as using a screen lock, backing up data, or installing an app to
locate a
missing phone or remotely erase data from it."
Some will only learn the hard way when their device is lost or stolen.
and many will just never care. my phone has no personal information on
it that isn't already shared and public. my phone cant do banking or
share trading without and ADDED password auth (in fact cant to banking
at all). the only email account it has access to is my throw-away email
account i use to appease accounts i don't care about. i don't have any
company data or email on the phone.
since my phone is in a case that also holds my credit cards, if i lost
my phone i'd be in far more trouble of people misusing my credit cards
than anything else. forget the phone and data there. it's the credit
card that matters.
network access as higher importance than privacy. MOSt people are not
you. you
of course are different, but most people seem to disagree. :)
I don't care so much about what "most" think. I care about those who
expect privacy and security. I would expect Tizen to be better in this
area than any of the competition on the market, including BlackBerry.
well the problem here is... "you don't care". when you don't care what
most customers want, think etc. then we have a problem. there is almost
always a tradeoff of privacy and security vs convenience. most people
choose convenience. if you like it or not, that's how they behave
(statistics say so). if you make a platform so secure that it is
INCONVENIENT for people to use, you won't have any users. having the
most secure platform in the world with no users is a pretty pointless task.
if security is invisible and/or convenient, then it doesn't matter. if
it has no side-effects, then it doesn't matter, but invariably it does not.
there is a middleground. a tradeoff. users, developers and everything
else. they need and want access with the most power and most
convenience. they ALSO wouldn't mind security and privacy. some people
care more, some less about it, but MOST care less. that's the point i'm
making. let people make their choices.
if i have to get an iris scan, then a finger print, a blood test, type
in 17 different passwords (in the right order), get a voice match and
THEN can finally unlock my phone, or ivi unit to use it... i'll just not
buy that device. it's far too painful. it may be insanely secure, but
i'll just say no. and most peolpe in the world would do the same. i am
not saying you are advocating to do that. what i am saying is that for
every security measure that causes inconvenience, or removes a
capability or feature, it adds some more thing on the list of "reasons
to avoid", and my point above is that most people see convenience
trumping security.
the problem i see with tizen and security now is that it's aiming for
the most painful and least attractive position *BY DEFAULT* ... with *NO
OPTION* to say "i prefer convenience". take my example of developers
needing/wanting root access. developers needing to "set user" to the
current running user to strace/gdb attach to a misbehaving process to
debug it. security says "no way you can never do that at all no matter
how much you would like to or need to - so go away". well guess what. if
i am to go away - i shall neither be a consumer of tizen based products
nor develop for them. and you shall have 1000's of other developers (and
users) do the same. i'm trying to speak for the developers i know who
would find what we are doing with tizen insanely annoying to the point
of just not bothering. they are not on this list to speak, i am, so i'm
doing it.
i'm trying to point out that there has to be balance. it's not a one
sided affair all in the name of total security.
i would argue.. they shouldn't be able to steal your car to begin
with! :) if
you've protected the ivi system and google wallet which maybe can
cause them to
lose $1000 before the account is blocked, OR you cause them to lose
their
$80,000 dollar car... because security was focused on for ivi but
left lax for
the door/ignition access... i'd say priorities are wrong. :)
Insurance would pay for the car, but not for what ever immaterial loss
has happened as side effect. You would get new car and forget about
the incident. But you would continue to wonder what people will do
with all your private files/messages/emails/photos/videos/etc.
insurance may pay for the care, or may not - depending on my insurance.
if i do have comprehensive insurance you can bet you that my rates then
go up STEEPLY after that. so over the next 5 or 10 years.. it costs me
$1000's and $1000's more.
--
The above message is intended solely for the named addressee and may
contain trade secret, industrial technology or privileged and
confidential information otherwise protected under applicable law
including the Unfair Competition Prevention and Trade Secret Protection
Act. Any unauthorized dissemination, distribution, copying or use of the
information contained in this communication is strictly prohibited. If
you have received this communication in error, please notify the sender
by email and delete this communication immediately.
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
