Good on you for exercising, but this is really sad. We don’t live on Mars. I hope your city / district can find a way to create pleasant outdoor spaces.
It's not the case in C#. It is discouraged, but mainly because there just used to be so much sloppily written async code that managed to bring down threadpool to its knees despite hillclimbing and blocked threads detection doing a lot of heavy lifting, so the community has grown scar tissue against this. It's rarely an issue if ever in the last 5 years or so.
What’s the deal with templates? I make new projects infrequently. Templates save me little time. I spend far more time struggling to fix broken code, fitting existing code to new requirements, etc
The Martian is a good example of transparent writing, where the prose gets the job done and doesn't call attention to itself in either a negative or overly positive way.
The Martian might not win any literary awards but writing like this is a much overlooked skill in authors.
Part of the appeal of an iGizmo is not sending so much data to Google. I really doubt this is happening, and if it is, Apple will be hosting the models.
It shows encrypted streams that neither you nor I can decipher. By default, either will spend its day scraping your surroundings (wifi and bluetooth) and report it back home, unless you opt out (which both allow). Both are equally evil in my book.
Can’t you root both of those to set up a proxy to decrypt and see for yourself? If it’s encrypted, how can you tell that’s what it's doing to say with such certainty there?
On Android the certificate pinning makes it very hard even with root. On iPhone where the owner of the phone (Apple) actively fights against your ability to gain root, I can't imagine it's easier, but if it is I'd appreciate being corrected.
mitmproxy lets you one tap install a config profile that does it. You know like you sometimes need to do in Korea or Kazakhstan... It's routine.
But I don't get you. You complained that droid makes it hard and apple makes it impossible. But it would be better for average user security if they could not do it (aka "did not own the device" in anti-apple propaganda), right?
The parent is right, though. Both Google and Apple send encrypted telemetry that you cannot MITM or decrypt a-la HTTPS or TLS. The average iPhone and average Android phone lights up like a Christmas tree in Wireshark - some of it can be reverse-engineered with TLS or DNS abuse, some of it is RSA encrypted against the hardware root-of-trust.
Apple's mea-culpa is that unlike Android they do not ship an Open Source OS ROM for developers to modify. Google's telemetry can be entirely neutralized by removing Google Play services and using Android without Google software. iPhones don't have that escape hatch, leading to a pretty literal limitation of how you "own" your phone and the software on it. On top of that, iOS has a permissions architecture Apple designed to give the user second-class control over the network. You cannot MITM Apple services - they will go around whatever user-land profile you think you've set. On top of that, there are modem emissions that you're never going to catch with an MDM profile hack and certificate pinning. You have fully drunk the kool-aid if you think an empty aircrack-ng screen means "you won" against the multitrillion dollar company and coalition of government regulatory bodies.
> But I don't get you. You complained that droid makes it hard and apple makes it impossible.
I didn't complain about anything, I just stated the facts, with a possible exception regarding the snark about how Apple "owns" the device, although I do think that's a defensible position since they have higher access to it than its "owner". I do think it's shitty though that they don't provide a way (even with some hoops) for the "owner" of the device to get the highest level of access to it, but that wasn't in the comment.
> But it would be better for average user security if they could not do it (aka "did not own the device" in anti-apple propaganda), right?
Why would that be better? I highly doubt it would make any difference at all to the average user. I doubt it even impacts the majority of power users.
The people who are impacted by these restrictions are the technical users who want to capture and inspect their own device's traffic, usually on their own network. Conveniently, these are also the researchers who might publish blog posts and articles about what kind of data and surveillance the device is sending home about the user, without their knowledge.
It would be better because if not then someone can turn it off. Automatically or by misinforming the user or by requiring it etc. Like now on iOS you apparently just need to install a profile, maybe it's too easy.
Well an MDM profile isn't going to decrypt iCloud data or Apple telemetry. It's basically the same dangerous power your ISP and DNS provider wield, but nobody is about to suggest banning those for user safety too.
That's the point, indeed. Your ISP and DNS can technically intercept your traffic, but it's pointless since TLS exists. Similarly, you can Wireshark an iPhone using MDM profiles but Apple doesn't respect your profile in the first place. Third-parties have no obligation to show you their traffic either, and many don't.
They don't need to. I'm not sure if you're aware, but it's actually possible to encrypt traffic using things other than TLS. A regular app on non-jailbroken iOS can completely circumvent TLS decryption. First-party Apple Apps will bypass your profile and custom CA.
Ah. You are saying they would encrypt on top. Sounds inefficient but I guess reasonable if you think about people like Kazakh government or Korean institutions requiring everyone to add a CA just to live a life. So without extra encryption they could snoop on that too. We can't have nice things...
(It's still possible to compare how much a blank device phones home but perhaps we wouldn't know all the details of what it talks about)
> So without extra encryption they could snoop on that too.
This is basically the crux of your argument. I mostly agree with you - neither Apple nor Google do enough to protect user traffic in the big-picture. You can Wireshark a lot of data off both OSes, the throughput is even scarier when you track radio emissions.
That being said, a lot of people have taken notes from Apple's "protect user privacy" shtick. Many logging libraries contain the app-equivalent of screen-recording baked in to the app framework, enabling a pipeline where PII gets ingested as a part of the logging process. Startups that incorporate these processes then brag about their self-imposed security compliance as a result of their own ass-backwards philosophy. And these aren't even the bad guys!
Companies like TikTok and Facebook collect lord knows how much information, and use the same "security" tautology as their scrappy startup peers. They consciously stretch the limits of their API capabilities, and then turn around and make puppy-eyes whenever regulators act concerned. Meanwhile, the actual users of these smartphones aren't empowered to regulate their own device's security. They can't turn off their phone because the modem is still on. They can't firewall Facebook analytics when the app is closed. They can't even stop their notifications from being snooped on without disabling the feature altogether. Where's Apple or Google when that's under scrutiny?
It's a bit tangential, but this is why I think Apple made an enormous mistake attempting to commodify privacy. Privacy is idealistic - there will always be perennial exploits on the iPhone to prove them wrong. Because Apple commits to imperfect, conditional privacy, scummier-and-scummier companies can follow their imperfect lead and make the same claims. And because none of them are as big as Apple, they rarely take flak when their systems fail. Apple's attempts to market security are like watching a leading F1 driver start turning into a tailspin, and taking the rest of the racers with them in a fiery crash.
I'm not sure marketing privacy is the same as commodifying it, if anything commodifying something makes it less marketable...
Most marketing hinges on non-commodities, take Coca-Cola for example, it's sugar water with a bit of caffeine, if they marketed that they'd be nothing, all of their marketing is about other stuff, intangibles
Kind of like Netflix's proverbial "chill"
Comparatively I'd say privacy is among better things to market
I can't even tell whether it's sarcasm… All those services are closed-source, exchanging over binary protocols, of which there is no public description/documentation, and no stability guarantee.
You overdramatize, they mostly just push json around. mitmproxy is your friend. And since you only need to see for yourself once who cares about stability.
I share your attitude towards inspecting your devices’ traffic being an inalienable right, but AFAICT this hasn’t been the case for a while now.
I believe on Android MITMing even most third party applications (that make zero-to-no effort to prevent this) requires a rooted phone or an emulator running an older Android (8) without Google Play Services and doing a little bit of RE (for instance using some Frida user scripts to patch the apk to circumvent the certificate pinning). I reckon MITMing the actual traffic Google itself can collect would require a lot more RE and network wizardry than I’m even aware of (feel free to link some reading though). Here’s a recent walkthrough I saw in the wild: https://youtu.be/c4wS9n7yilA?si=xAfwCyWIzdrvOiHc
For Apple devices afaict since rooting was…ahem rooted out, no viable amateur-DIY methods for monitoring your device's traffic exist.
I know everything is open source if you’re good enough at assembly but at some point it’s gone from something a tinkerer can do to something you need significant talent and in-depth knowledge to do.
I’d love to read any write-ups or guides to the contrary though.