CrazyCanucklehead writes "Security Researcher Michael Sutton discusses his findings when looking at the advertised anti-phishing features in the recently released iPhone OS 3.1. It turns out that the protection is far less than what is provided in OS X and the feature may not provide any protection at all."
You're missing the point, it's shiny, and Steve has given it the stamp of cool and he's the only person on the planet officially allowed to do that, so he should know cool when he sees it. That should be enough for you. Or are you a commie?/sarcasm.
Phishing sites come into existence so fast, that I really wonder how much use any phishing filter is. But any protection is better than none, though I'd recommend not trumpeting it too loudly for the exact same reason you gave.
It doesn't matter how many bells and whistles, security and user protection systems you put on a device. A dumb user is still a dumb user. Look at your typical computer user. Even though they are using the latest A/V software, their ISP scans for email viruses and spam, they are using Firefox which has anti-phishing protection, a firewall program or a router with SPI, and malware protection software they still manage to blow their computer out of the water on a regular basis requiring tech support to fix it
I wasn't aware Google = Government, with a few exceptions like China. Any closed source application can be tracking you and you'd never know. Chances are Apple are doing the same in all sorts of ways, for the same reasons Google do....targeted advertising. They want to know more about you so they can put an advert up which is more likely to appeal to your wallet opening tendencies. At least with Google you don't need to use Google apps to access the services, you can use open or closed source third party app
I followed the same steps as outlined in TFA: download the verified online [phishtank.com] phishing list, pick a few URLs and load each into MobileSafari.
For those of you who are curious and have never seen the phishing warning, here it is [imageshack.us] (two images were combined to show the full height of the message).
Far Less than OS X (Score:5, Insightful)
the iphone in general contains far less than what is provided in OS X so this doesn't come as a surprise to me.
now, whether or not iphone 3.1 phishing protection is a big oversite on apple's part is another discussion and a worthy one at that
Re:Far Less than OS X (Score:5, Insightful)
the iphone in general contains far less than what is provided in a real smartphone so this doesn't come as a surprise to me.
There, fixed that for ya!
*ducks*
Re: (Score:3, Insightful)
The difference between Windows Mobile not having phishing filters and the iPhone not having phishing filters is that Windows Mobile never at any point gave you an illusion of protection.
If you haven't been trained on basic internet usage - it's VERY easy to fall for phishing attempts. We've been browsing the net for years now, and all it takes is someone who says "You can pay your bills online" for someone to try and google how to do it on their own and then fall into a trap.
I'd say Cross Server Scripting ha
Re: (Score:2)
What's a BlackBerry? What's a Windows Mobile phone?
No, I know what they are. But why bring out the obscure ones?
Oh, I know, because on my Symbian phone, I can "install and tweak whatever I want"(TM), including anti-phishing stuff. :)
(Hmm, I think that's even possible on those two systems above.)
Re: (Score:2)
Re: (Score:2)
To be fair, do any phones offer anti-phishing on the device?
Do users of any other phone need it?
Re: (Score:3, Funny)
To be fair, do any phones offer anti-phishing on the device?
Do users of any other phone need it?
Oh, come on. Web browsing on other phones isn't that bad.
Re: (Score:2)
Re: (Score:2)
Slight catch in that last sentence (Score:3, Insightful)
FTA:
If you work for Apple, please comment on why you went with watered down phishing protection on the iPhone.
If anyone from Apple does comment, we'll not know for sure as they'll not be able to identify themselves sufficiently. As such, everything we do see will just be guesses. Some may make sense and quite probably be right, but who knows...
I've got built-in phishing protection. (Score:5, Insightful)
It works really well. If I don't know how I got to a site, I don't enter my banking information. Simple. It's amazing how well that works. If I get an email from "my bank" asking me to click on a link to verify something, I don't click on the link. If I think that it has the slightest chance of being legit, I'll open a web browser and type my bank's URL in by hand and log into my account. If the original email was legit, I'll be prompted to do whatever it is they need. If I get an email asking me to reply with my username and password, I know it's a scam. How could anyone NOT know that's a scam? It's not frickin' rocket science.
Instead of putting all this effort into anti-phishing technology, we should make people less stupid.
Re: (Score:2)
Re:I've got built-in phishing protection. (Score:4, Funny)
If you invent anti-stupid technology, I'm sure you'd be a near instant millionaire.
Re:I've got built-in phishing protection. (Score:5, Funny)
My Nigerian company, in a Joint venture with a Russian company, actually sells an anti-stupid product.
It really works, and it's available to buy TODAY!
http://shop1337.youscam.ru/darwin/get_smart_stupid [youscam.ru]
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
Thanks!
Re: (Score:3, Insightful)
Re:I've got built-in phishing protection. (Score:4, Informative)
It's not frickin' rocket science.
Instead of putting all this effort into anti-phishing technology, we should make people less stupid.
The problem is that the API for "people" is really old, and many of the functions appear to be deprecated (see driving a non-synchromesh manual transmission, hunting, fabricating arrow points, etc). It's much easier to foam rubber coat the world, than to try to make "people" smarter (See modern playgrounds for freshly instantiated "people").
Sheldon
Re: (Score:2)
Hey... I still drive a manual (though admittedly it is synchromesh), I still hunt, I still fabricate arrow heads. These are largely relegated to hobbies, but some people really do still do these things.
Re: (Score:2)
Speaking as a parent of a toddler: modern playgrounds are AWESOME. At a nearby park there is a frikin' 3 story spiral tunnel slide! A ladder that leads to a rock wall about 5' up that kids can climb along then drop down (yes, drop) onto a big flat slide. An obstacle course of monkey bars that go UP from about 6' to 8' then end at a raised platform on a sprawling playset.
All in all, playgrounds seem far more dangerous (and awesome) than the tiny slides and see-saws I played on as a kid. I'm actually pretty j
Re: (Score:2)
Re: (Score:2)
Oh also, manual transmission FTW. My wife has actually never owned a car that was anything else.
Re: (Score:2)
Instead of putting all this effort into anti-phishing technology, we should make people less stupid.
You can make people less ignorant, but there is no way to make them less stupid.
Re: (Score:3, Insightful)
Instead of putting all this effort into anti-phishing technology, we should make people less stupid.
You can make people less ignorant, but there is no way to make them less stupid.
You know, it's funny, chicks look at our fashion sense the same way we look at their understanding of the internet.
Re: (Score:2)
I don't know, there are a few women I know that know more about the internet than some slashdotters, and other women who have less fashion sense than me (and I wear pretty much the same kind of clothes I wore decades ago).
To me, fashion=stupid.
Re: (Score:2)
To me, fashion=stupid.
Right. So would it be fair for me to say you're not beating the hotties off with a stick?
No offense intended, I didn't mean that as an attack. Frankly, I'm not one to talk. My point is that we, as geeks/nerds think other people are stupid, yet other people think we are stupid.
I have a feeling that example isn't going to go over too well so I'll use another. There are peeps out there that would think *I* am stupid because I don't know how to change the oil in my car. I could retort that I think those peop
Re: (Score:2)
Re:I've got built-in phishing protection. (Score:4, Insightful)
Instead of putting all this effort into anti-phishing technology, we should make people less stupid.
Rational analysis tells me that's the wrong approach. Inventing a 100% reliable anti-phishing technology is considerably easier than making people less stupid.
Re: (Score:2, Funny)
You think making people less stupid is easier??
Please excuse me while I clean up the drink I just snarfed all over my laptop!
Re: (Score:2)
we should make people less stupid.
Unfortunately that is a physical impossibility, so your plan fails.
Moreover the wide access to technology depends on it being accessible to stupid people - otherwise they wouldn't buy them and the technology companies would fold. There is just no solution to this problem: idiots will always get their computers hacked, fall for scams, get their credit cards stolen etc. no matter how secure we make them. The only way to cope with this is to minimize the effects they can have on other people.
Re:I've got built-in phishing protection. (Score:4, Funny)
we should make people less stupid.
Your post advocates a
( ) technical ( ) legislative ( ) market-based (X) demographic
approach to fighting phishing. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Phishers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(X) It is defenseless against brute force attacks
(X) It will stop phishing for two weeks and then we'll be stuck with it
(X) Users don't want to be educated
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from phishers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for information
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of phishing
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
(X) Accessibility
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your information?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Re: (Score:2)
Until you make a typo and misspell your bank's website domain name (or are you stupid enough to have a nice bookmark wide open for anyone to click on to see who you bank with), then you go to a site that looks just like your bank. Heck, it may even have a valid security certificate, and you just got phished.
So you know how you got onto your site. However, you made a simple mistake... Too bad you didn't have phishing protection to tell you that you went somewhere wrong.
It is not that people are stupid. But they let
Re: (Score:3, Insightful)
I agree with your point about no protection not being the best protection, but I don't think that the statistics that you cite demonstrate the point that you are trying to make. The notion that motorcycle crashes in general have a greater incidence of fatality means that behavior that causes crashes will correlate better with motorcycle fatalities than with passenger vehicle fatalities.
A more meaningful number would be something like the number of crashes per vehicle mile. Or perhaps the number of injury-
I RTFA (Score:3, Insightful)
That's troubling. Phishing protection that doesn't work is more dangerous than no protection at all. At least if you know you have no protection you'll be more careful.
Re: (Score:2)
That's troubling. Phishing protection that doesn't work is more dangerous than no protection at all. At least if you know you have no protection you'll be more careful.
I know where people are coming from on this but it is a first pass at a new capability. Should they have used the same mechanism as Safari on OSX (i.e. Google database)? Maybe, but perhaps there is a reason why that wasn't appropriate.* Perhaps there was a specific challenge they hadn't resolved for 3.1
I think it is encouraging that they made an attempt and expect to see some improvements as the engineering team gets real world feedback on the feature. Regardless, I don't think I normally go to sites on my
Re: (Score:2)
Doesn't matter anyway (Score:2)
Latency (Score:2)
Latency is the likely reason to not go with the Google lookup method.
Besides, don't know about you, but I'd prefer that not all my browser habits be logged to the government.
Re: (Score:2)
At least with Google you don't need to use Google apps to access the services, you can use open or closed source third party app
Re: (Score:2)
I'd provide links, but someone might be tracking.
Snap judgements (Score:2, Flamebait)
Given that the iPhone OS 3.1 was just released yesterday, I've got to wonder just how thoroughly this blogger investigated anything.
Note that doesn't mean I think the features in question are good or bad - but really, I'm not going to put much stock into anything anyone wrote up after at most a few minutes of use.
Sigh... I'll be so happy when blogs die their already-overdue natural death.
Re:Snap judgements (Score:4, Informative)
He went to the popular testing site Phishtank and tried the phone out against a bunch of different phishing attempts. He says not one was blocked.
Re: (Score:2)
Note that doesn't mean I think the features in question are good or bad - but really, I'm not going to put much stock into anything anyone wrote up after at most a few minutes of use.
His central point was that he couldn't find a single site that was flagged as a phishing site. He even bolded that for you. If you can disprove that, go ahead and post a comment to his blog, he doesn't have any comments yet of people offering sites that do actually get flagged.
Re: (Score:2)
He's not just a "security researcher" - he's an official blogger for Zscaler, a "cloud security" vendor. Essentially, they seem to provide security-checking proxies. My take is that he would have a vested interest in portraying the iPhone (or any platform not protected by Zscaler) as insecure.
The PhishTank list has 2279 entries. I'd be interested to know how many he tried, and which ones.
He didn't do his research. (Score:5, Interesting)
The very first one on the list, citibanking.ru, was blocked by both Firefox and MobileSafari. Since it was at the top, I thought that perhaps it was too recent (reported Sept 10, 2009), so I went down the list a bit, and got colorear.org/ray/, also blocked on Firefox and MobileSafari (reported Aug 26, 2009). guildoftibia.w.interia.pl was also blocked on both (reported July 28, 2009). I also found a few that were blocked on neither, but none that were blocked only on one and not the other, suggesting that MobileSafari uses Google's list (further reinforced by the fact that the "about" link takes you to a help page on Google [google.com]).
So, I call sloppy research on the part of this security researcher (who writes "In fact, I have yet to identify a single phishing page blocked on the iPhone", emphasis his), since I was quite easily able to find several pages which were blocked.
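Editor's note: the two threads above ("Latency" and this one) argue about how a Google-list based phishing filter behaves and how to test one against PhishTank. The following is an added example, not code from the article, from Apple, or from any commenter. It reproduces the commenters' test procedure (load a PhishTank-layout CSV, keep verified and online entries, check URLs against it) on top of a local Safe Browsing-style lookup: the client stores only 4-byte SHA-256 prefixes of canonicalised URL patterns, so a check is a local hash lookup with no per-page round trip, and only a prefix hit would trigger a full-hash query. Assumptions: the canonicalisation is a simplified subset of Google's published rules, the full-hash set that a real client fetches from the server is simulated locally, and the CSV rows are constructed with reserved test domains rather than real phishing URLs.

```python
"""Safe Browsing-style local URL blocklist check (added example, not from
the article or its commenters). Canonicalisation is a simplified subset
of Google's published rules; the server-side full-hash step is simulated
with a local set; the CSV below is constructed in PhishTank's column
layout using reserved test domains, not real phishing URLs."""
import csv
import hashlib
import io
from urllib.parse import unquote, urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 kept on the client

# Constructed sample. Row 1003 is verified but no longer online.
SAMPLE_PHISHTANK_CSV = """\
phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
1001,http://login.bank-example.test/secure/index.php?id=7,http://www.phishtank.com/phish_detail.php?phish_id=1001,2009-09-10T11:02:00+00:00,yes,2009-09-10T12:00:00+00:00,yes,Other
1002,http://EXAMPLE.ORG/ray/,http://www.phishtank.com/phish_detail.php?phish_id=1002,2009-08-26T09:00:00+00:00,yes,2009-08-26T09:30:00+00:00,yes,Other
1003,http://old.phish.example.net/,http://www.phishtank.com/phish_detail.php?phish_id=1003,2009-07-01T00:00:00+00:00,yes,2009-07-01T01:00:00+00:00,no,Other
"""


def _unescape_fully(s: str) -> str:
    """Percent-decode until the string stops changing."""
    prev = None
    while s != prev:
        prev, s = s, unquote(s)
    return s


def canonicalize(url: str) -> tuple[str, str]:
    """Return (host, path+query): fragment dropped, host lowercased and
    stripped of leading/trailing/doubled dots, '.' and '..' segments
    resolved, empty segments collapsed, trailing slash preserved."""
    url = url.strip().split("#", 1)[0]
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = _unescape_fully(parts.hostname or "").lower().strip(".")
    while ".." in host:
        host = host.replace("..", ".")
    path = _unescape_fully(parts.path or "/")
    trailing = path.endswith("/")
    segs: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    path = "/" + "/".join(segs) + ("/" if trailing and segs else "")
    if parts.query:
        path += "?" + parts.query
    return host, path


def lookup_expressions(url: str) -> list[str]:
    """Host-suffix x path-prefix combinations the client hashes: exact host
    plus up to four parent domains (never the bare TLD), each paired with
    path+query, path alone, and up to four directory prefixes from '/'."""
    host, path = canonicalize(url)
    labels = host.split(".")
    hosts = [host] + [".".join(labels[-n:])
                      for n in range(min(5, len(labels) - 1), 1, -1)]
    path_only, _, query = path.partition("?")
    paths = [path] + ([path_only] if query else [])
    segs = [s for s in path_only.split("/") if s]
    dirs = segs if path_only.endswith("/") else segs[:-1]
    for i in range(min(4, len(dirs) + 1)):
        prefix = "/" + "/".join(dirs[:i]) + ("/" if i else "")
        if prefix not in paths:
            paths.append(prefix)
    return [h + p for h in hosts for p in paths]


class LocalBlocklist:
    """Client-side prefix set plus the full hashes a real client would only
    fetch from the server after a prefix hit (simulated locally here)."""

    def __init__(self) -> None:
        self.prefixes: set[bytes] = set()
        self.full_hashes: set[bytes] = set()

    def add_pattern(self, url: str) -> None:
        host, path = canonicalize(url)
        digest = hashlib.sha256((host + path).encode()).digest()
        self.prefixes.add(digest[:PREFIX_LEN])
        self.full_hashes.add(digest)


def load_phishtank_csv(text: str, verified_online_only: bool = True) -> LocalBlocklist:
    """Build a blocklist from PhishTank-layout CSV; by default keep only
    rows marked verified and online, as the commenters' test did."""
    bl = LocalBlocklist()
    for row in csv.DictReader(io.StringIO(text)):
        if verified_online_only and (row["verified"], row["online"]) != ("yes", "yes"):
            continue
        bl.add_pattern(row["url"])
    return bl


def check_url(url: str, bl: LocalBlocklist) -> tuple[bool, int]:
    """Return (blocked, prefix_hits). Each prefix hit would cost one server
    lookup in the real protocol; blocked is True only on a full-hash match."""
    blocked, hits = False, 0
    for expr in lookup_expressions(url):
        digest = hashlib.sha256(expr.encode()).digest()
        if digest[:PREFIX_LEN] in bl.prefixes:
            hits += 1
            blocked = blocked or digest in bl.full_hashes
    return blocked, hits


if __name__ == "__main__":
    bl = load_phishtank_csv(SAMPLE_PHISHTANK_CSV)
    for u in ("http://Login.Bank-Example.test./secure/./index.php?id=7#x",
              "http://example.org/ray/login.html",
              "http://login.bank-examp1e.test/secure/index.php?id=7",  # unlisted typo-squat
              "http://old.phish.example.net/"):
        print(u, check_url(u, bl))
```

Two things the run shows that the thread argues about in the abstract: the check is purely local, so latency is not a reason to skip it, and coverage is only as good as the list. The typo-squat domain in the last loop is not blocked because nobody has reported it, which is exactly the gap the "you just got phished" reply above describes.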
Re: (Score:2)
Re: (Score:2)
Let me Blow your mind. (Score:2)
Re: (Score:2)
No, you're thinking of ONE product from GENERAL MILLS.