
A short rant about Error 53 and why it exists

So I went on a bit of a tear at some people I know when they were complaining about Apple’s implementation of Error 53, which (to the best of my understanding) bricks iPhones which have been detected as having a third-party repair performed on the Touch ID sensor. Here are the highlights, slightly edited for language.

EDIT: A number of people have asked why Apple didn’t disable just Apple Pay and leave the rest of the phone functional. Technically speaking, I can’t do more than guess at the details, but it’s my presumption that this is the only way they could prevent jailbreaks and other “the user will do any stupid thing rather than actually listen to security warnings” (the effect of user arrogance on security is a whole separate issue from user ignorance that I’m not going to get into) from getting around the error, which would have rendered it useless. If there was any workaround for the error, the protection would effectively not exist, and then all Apple’s done is made themselves the target of more “annoying popups” complaints. It’d actually be worse PR for them than Error 53 is now! Once again, I am 100% in agreement that the user experience is abysmal and could have been dealt with far better, even within these technical constraints. But it’s still my guess (and again, I do not speak from any position of actual knowledge whatsoever) that disabling just Apple Pay wasn’t a viable option.

And let’s not forget, the data that’s being guarded here is in the Secure Enclave. That means your fingerprints, which are biometrics you can’t (practically) change, and your financial data, which one typically suffers from exposure of even in the best case.


Here’s what gets Apple to do things like this: USERS ARE STUPID! Given the choice, users will do the wrong thing almost every time, especially with respect to security. It’s the same reason Windows Update is now mandatory in most Windows 10 setups despite the screaming about it!

Now granted, I do agree that error 53 should not cause an absolute brick, as it seems to. But I absolutely 100% believe a measure like it is absolutely reasonable.

Here’s the problem – Let’s say Apple doesn’t do this, and someone does break the system and steal a bunch of money. Who are users most likely to blame? Apple, of course, for making a weak system. Any one person might individually think to blame the malicious third-party, but I will tell you now it has been proven through harsh experience that the overwhelming majority of users will blame the manufacturer for not making the device more secure!

Apple can suffer the blame for being secure more than it can suffer the fallout from not being secure. Same is true of MS and Google.

I know just enough about how iPhones work to wonder if maybe bricking is literally all Apple can really do. For all I know, if Apple lets the device boot ANY level of the OS, even with passcode security enabled, a compromised sensor could very well then have enough to work with to trick data out of the secure enclave/element (whichever it is!).

At this point it was suggested that Apple could add a slider on the Error 53 screen which warned the user that Apple was not responsible for the consequences if the user chose to continue. To which I said:

No.

Because every single user will instantly slide the slider. And you’re back to “well Apple didn’t actually do anything”.

In fact, the malicious third-party will just say “you’ll get this warning after the repair, don’t worry about it.” And legit third parties would have to say the same! So you’re back to the problem of the trust model.

You must predicate everything you do in the name of security on the presumption that users are hopelessly lacking in knowledge.

They WILL be socially engineered into giving up credentials.

They WILL be socially engineered into turning off security features that give them even a moment’s annoyance even just once.

They WILL often do these things without any need to be prodded into it.

They WILL follow arcane, complicated, meaningless-to-them instructions to disable some critical safety features just to get a happy kitty running around on the lock screen instead of a static wallpaper. Don’t think so? What do you think jailbreaking is?

The only way to fix this is to deal with the FUNDAMENTAL failures of the entire model of tech. Tech is not designed for people who don’t understand it. It never has been, it still is not. That includes the iPhone and all things like it.

Look at a different field, like finance – credit card debt is companies designing an entire industry around the predication that users are stupid.

Look at, say, being an electrician. I personally don’t know more than the basics of electronics; I couldn’t tell a three-phase power line from a one-phase with an illustrated freaking diagram. BUT I DON’T HAVE TO, because the person who wired up my apartment didn’t leave all the wires hanging around outside the walls, and there’s insulation on my power cables!

Computers, right up to and including the iPhone and similar, are effectively designed with all the live wires hanging out.


So that’s basically my opinion. All of my opinions are very much specifically my own, they don’t represent those of anyone I have ever before, do now, or ever will work for. If they did, I’d probably be a lot more critical, because I’d have to worry more about looking biased. I’d be pointing out more forcefully how Apple has a lot of problems about listening to what users want, same for Microsoft.

But when you get down to it, none of it is a problem with any one company or piece of technology. Apple is just the latest scapegoat in a debate that has more to do with the fact that society as a whole has a broken trust model than anything about who owns what. Could Error 53 have been handled better? You better believe it could have. But it’s a relatively reasonable solution in an overly complicated world where you effectively can’t trust anyone to know what they’re doing.

Rant: Security Questions Are Stupid

We’ve all heard this bit before, especially the avid readers of Bruce Schneier’s security blog, but after seeing the security questions available on a new account I created today, I just had to do my own rant.

Security questions are considered by some to be a form of “two-factor authentication”. They’re no such thing. If used to further secure login, they’re just an extra password which is almost guaranteed to be much more guessable than your usual password. If used to recover a lost password, they function to replace your password with something almost certainly less secure.

Some suggest giving nonsense answers to security questions for this reason. Of course, then you’re back where you started: You’ll never remember your answers. And that assumes you could’ve remembered your answers if you had answered them honestly, which is often just as impossible. And now we’re back to writing it down on paper, which negates the entire point.

Yet these stupid things are required on a majority of secure sites now. Can security auditors please stop trying to please their clients and tell them the truth about how security questions just make things worse?

The questions which prompted this rant:

  • “What was your favorite color in elementary school?” – Now, let’s assume I remember that time of my life in the first place. At which point in elementary school? Let’s say I just pick one, and let’s even more fantastically say I somehow stick to remembering which one. Most children will have said one of the colors of the rainbow. Say it with me now… “Dictionary attack”!
  • “What is the nickname of your youngest sibling?” – Suppose I don’t have any siblings. Suppose I am the youngest sibling. Suppose my youngest sibling doesn’t have a nickname. And even aside from all this, names suffer from relatively low entropy, though admittedly not as low as colors.
  • “What was your first job?” – Have I ever had a job? Am I young enough that I remember exactly which thing I did first? Do I count doing chores as a child? Do I count shoveling snow for my neighbors? Do I count internships? How do you define a “job”?
  • “What breed of dog was your first pet?” – I’ve never had a dog as a pet in my life. And that’s even after the assumption that I have a pet at all. If I did, was the first one a dog, and did I only get one dog at that time? By the way, the entropy of dog breeds is even lower than that of colors when you include all colors.
  • “What is the nickname of your oldest sibling?” – See youngest sibling.
  • “What is the name of your first pet?” – Again, suppose I have no pets. Suppose my “first” pet was one of a group. Suppose I picked an arbitrary one out of a group. Also, low entropy again.
  • “Who was your childhood hero?” – What constitutes a hero? Suppose there wasn’t someone I looked up to in childhood? Suppose there was more than one? Suppose I just don’t remember? And the entropy of a hero’s name is likely to be rather lower, on average, than that of a regular name.
  • “What was the model of your first car?” – Where do I even begin here? Did I ever own a car? Am I even old enough to drive? Do I remember its model? Do car models have any kind of entropy at all?
  • “What was the name of your earliest childhood friend?” – I had lots of friends as a child. Didn’t everyone? Suppose, more morosely, that I had none. Am I going to know which one was the earliest? And yet again, the low entropy of names.

Now, I grant, most of these are pretty silly nits. They don’t have to be accurate answers, just ones to which I can remember the answers consistently. Unfortunately, the more likely I am to remember the answers, the less likely they are to be remotely secure passwords.

Password strength doesn’t count when the answers are only one word long and chosen from a limited pool, people.
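To put numbers on the "limited pool" point, here is an added example (not part of the original post) of how a site operator or auditor could measure a security question from the answers users actually give. The sample answers are constructed, and the guess budget of 3 is an assumed number of attempts allowed before lockout.

```python
import math
from collections import Counter

# Constructed sample: answers 20 hypothetical users gave to
# "What was your favorite color in elementary school?"
SAMPLE_ANSWERS = (
    ["blue"] * 7 + ["red"] * 4 + ["green"] * 3 + ["purple"] * 2
    + ["pink"] * 2 + ["yellow", "orange"]
)


def normalize(answer):
    """Fold case and whitespace, as most sites do before comparing answers."""
    return " ".join(answer.lower().split())


def answer_stats(answers, guess_budget=3):
    """Measure how much secrecy a question's answers really provide."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    # Probabilities sorted most-common first.
    probs = sorted((c / total for c in counts.values()), reverse=True)
    return {
        "distinct": len(probs),
        # Bits if every distinct answer were equally likely (best case).
        "uniform_bits": math.log2(len(probs)),
        # Average-case bits given the real, skewed distribution.
        "shannon_bits": -sum(p * math.log2(p) for p in probs),
        # Worst-case bits: determined by the single most common answer.
        "min_entropy_bits": -math.log2(probs[0]),
        # Share of accounts whose answer is among the most common
        # `guess_budget` answers, i.e. exposed before any lockout triggers.
        "covered_within_budget": sum(probs[:guess_budget]),
    }


def random_password_bits(length, alphabet_size):
    """Bits in a uniformly random password, for comparison."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for name, value in answer_stats(SAMPLE_ANSWERS).items():
        print(f"{name:>22}: {value:.2f}")
    print(f"{'random 8-char [A-Za-z0-9]':>22}: {random_password_bits(8, 62):.2f}")
```

On this constructed sample the question is worth about 1.5 bits in the worst case and 70% of accounts share one of the three most common answers, against roughly 47.6 bits for a random eight-character alphanumeric password.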