Watered Down Phishing Protection In IPhone OS 3.1?

CmdrTaco posted more than 5 years ago | from the i-feel-better-already dept.

Cellphones 98

CrazyCanucklehead writes "Security Researcher Michael Sutton discusses his findings when looking at the advertised anti-phishing features in the recently released iPhone OS 3.1. It turns out that the protection is far less than what is provided in OS X and the feature may not provide any protection at all."

98 comments

Far Less than OS X (4, Insightful)

neonprimetime (528653) | more than 5 years ago | (#29379331)

> It turns out that the protection is far less than what is provided in OS X and the feature may not provide any protection at all.

the iphone in general contains far less than what is provided in OS X so this doesn't come as a surprise to me.

now, whether or not iphone 3.1 phishing protection is a big oversite on apple's part is another discussion and a worthy one at that

Re:Far Less than OS X (1, Informative)

Anonymous Coward | more than 5 years ago | (#29379369)

It's spelled oversight [merriam-webster.com] .

Re:Far Less than OS X (1)

contrapunctus (907549) | more than 5 years ago | (#29381155)

but it's about web sites, you see over sites: oversite.

Re:Far Less than OS X (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#29379517)

For all intents and purposes, the iPhone is 100% secure like all Apple products. This protection, even rudimentary, is just icing on the cake.

Re:Far Less than OS X (0, Troll)

Anonymous Coward | more than 5 years ago | (#29380127)

It's spelled intensive purposes.

Re:Far Less than OS X (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29380287)

No it isn't; the expression is "for all intents and purposes". "For all intensive purposes" just sounds like nonsense.

Re:Far Less than OS X (0, Offtopic)

david_thornley (598059) | more than 5 years ago | (#29380507)

Nonsense? An intensive purpose is one that's clearly focused. Doing something with the aim of getting to a particular movie theater is an intensive purpose. Doing something with the aim of promoting world peace is not. Now, it seems to me that one intensive purpose is unlikely to have much to do with another one, and so there really wouldn't be many things to generalize over them, but other people seem to disagree.

Re:Far Less than OS X (0)

Anonymous Coward | more than 5 years ago | (#29387485)

No man a doodley "intensive purpose" is marketing a doodley speak for people in black turtleneck seaters! a dodoley

Re:Far Less than OS X (4, Insightful)

Hurricane78 (562437) | more than 5 years ago | (#29379539)

> the iphone in general contains far less than what is provided in a real smartphone so this doesn't come as a surprise to me.

There, fixed that for ya!

*ducks*

Re:Far Less than OS X (1, Informative)

Anonymous Coward | more than 5 years ago | (#29379685)

Yah, cause after all my BlackBerry Curve had anti-phishing... wait no it didn't... and that windows mobile phone work gave me had... wait no it didn't... granted both had such awful browsers I don't think many people even used them. Either way it's really popular to rag on Apple for things not being entirely perfect. Fact is I'm more excited about the loads of other things that came with 3.0 and less worried about perhaps a less than great anti-phishing black list. Besides I think you've gotta be pretty stupid to get caught by a phishing attack.

Re:Far Less than OS X (2, Insightful)

Monkeedude1212 (1560403) | more than 5 years ago | (#29380177)

The difference between Windows Mobile not having phishing filters and the IPhone not having phishing filters is that Windows Mobile never at any point gave you an illusion of protection.

If you haven't been trained on basic internet usage - it's VERY easy to fall for phishing attempts. We've been browsing the net for years now, and all it takes is someone who says "You can pay your bills online" for someone to try and google how to do it on their own and then fall into a trap.

I'd say Cross Server Scripting has gotten the best of at least half my friends. Fortunately most of them didn't have any valuable information.

Re:Far Less than OS X (0, Troll)

MMC Monster (602931) | more than 5 years ago | (#29380467)

Also, no one in their right mind uses Windows Mobile to browse the internet. :-)

Seriously, though, given the percentage of iPhone users that actually use Mobile Safari (much higher than any other single mobile device), they really should get phishing protection like a desktop. Wasn't there a /. article a while back about people using iPhones as their only computer?

Re:Far Less than OS X (0)

Anonymous Coward | more than 5 years ago | (#29381909)

I use opera on my winmo phone you insensitive clod. I even have tabs :)

Re:Far Less than OS X (1)

Hurricane78 (562437) | more than 5 years ago | (#29380297)

What's a BlackBerry? What's a Windows Mobile phone?

No, I know what they are. But why bring out the obscure ones?

Oh, I know, because on my Symbian phone, I can "install and tweak whatever I want"(TM), including anti-phishing stuff. :)
(Hmm, I think that's even possible on those two systems above.)

Re:Far Less than OS X (0)

Anonymous Coward | more than 5 years ago | (#29380483)

The Curve does have one advantage over the iPhone and most other competitors: it enables accidentally dialing your local emergency # six times in a month while the phone's locked. Can't do that on an iphone unless the SIM's been pulled. Score: Curve 1, iphone 0.

Re:Far Less than OS X (1)

Minion of Eris (1574569) | more than 5 years ago | (#29381187)

try standby mode instead of lock (it's the little button up on top of the 'phone).

Re:Far Less than OS X (1)

indiechild (541156) | more than 5 years ago | (#29385543)

Elaborate?

Re:Far Less than OS X (0)

Anonymous Coward | more than 5 years ago | (#29385593)

Which is why it's so popular! Only nerds need to SSH into something from a smartphone.

Re:Far Less than OS X (1)

InsertWittyNameHere (1438813) | more than 5 years ago | (#29379645)

To be fair, do any phones offer anti-phishing on the device?

Re:Far Less than OS X (1)

Jurily (900488) | more than 5 years ago | (#29379841)

> To be fair, do any phones offer anti-phishing on the device?

Do users of any other phone need it?

Re:Far Less than OS X (0, Troll)

Tom (822) | more than 5 years ago | (#29379919)

> To be fair, do any phones offer anti-phishing on the device?
>
> Do users of any other phone need it?

Only the part that constantly brags about how their smartphone of choice has this one important feature that the iPhone doesn't, and therefore it is superior in every way.

Re:Far Less than OS X (0)

Anonymous Coward | more than 5 years ago | (#29379931)

Blackberry?

Re:Far Less than OS X (0)

Anonymous Coward | more than 5 years ago | (#29379997)

Ummm, if they have web browsers then they need it just as much as iPhone users do.

Re:Far Less than OS X (2, Funny)

MobileTatsu-NJG (946591) | more than 5 years ago | (#29380581)

> To be fair, do any phones offer anti-phishing on the device?
>
> Do users of any other phone need it?

Oh, come on. Web browsing on other phones isn't that bad.

Re:Far Less than OS X (0, Troll)

david_thornley (598059) | more than 5 years ago | (#29380617)

Most phones either don't provide a web browser, or provide one so painful that nobody's going to use it long enough to get phished. With that protection, who needs specific anti-phishing measures?

Re:Far Less than OS X (1)

Minion of Eris (1574569) | more than 5 years ago | (#29380067)

If your BlackBerry Smart phone is connected to a BlackBerry Enterprise Server, and you use the BlackBerry Browser (as opposed to Internet Browser or whichever browser your carrier supplies in their software package), then all of your requests pass through the server, instead of "directly" to the 'net over your carrier - as a result, you share whatever filters/protections IT has put in place on the server. If you are BES connected, then you get whatever spam/phishing protection is enabled in your email client at work.

Re:Far Less than OS X (1)

AnalPerfume (1356177) | more than 5 years ago | (#29380125)

You're missing the point, it's shiny, and Steve has given it the stamp of cool and he's the only person on the planet officially allowed to do that, so he should know cool when he sees it. That should be enough for you. Or are you a commie? /sarcasm.

Slight catch in that last sentence (2, Insightful)

The Ancients (626689) | more than 5 years ago | (#29379449)

FTA:

> If you work for Apple, please comment on why you went with watered down phishing protection on the iPhone.

If anyone from Apple does comment, we'll not know for sure as they'll not be able to identify themselves sufficiently. As such, everything we do see will just be guesses. Some may make sense and quite probably be right, but who knows...

I've got built-in phishing protection. (5, Insightful)

jtownatpunk.net (245670) | more than 5 years ago | (#29379577)

It works really well. If I don't know how I got to a site, I don't enter my banking information. Simple. It's amazing how well that works. If I get an email from "my bank" asking me to click on a link to verify something, I don't click on the link. If I think that it has the slightest chance of being legit, I'll open a web browser and type my bank's URL in by hand and log into my account. If the original email was legit, I'll be prompted to do whatever it is they need. If I get an email asking me to reply with my username and password, I know it's a scam. How could anyone NOT know that's a scam? It's not frickin' rocket science.

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

Re:I've got built-in phishing protection. (1)

pak9rabid (1011935) | more than 5 years ago | (#29379661)

Seconded (only because I don't have mod points at the moment)

Re:I've got built-in phishing protection. (4, Funny)

bFusion (1433853) | more than 5 years ago | (#29379683)

If you invent anti-stupid technology, I'm sure you'd be a near instant millionaire.

Re:I've got built-in phishing protection. (5, Funny)

sakdoctor (1087155) | more than 5 years ago | (#29379941)

My Nigerian company, in a Joint venture with a Russian company, actually sells an anti-stupid product.
It really works, and it's available to buy TODAY!

http://shop1337.youscam.ru/darwin/get_smart_stupid [youscam.ru]

Re:I've got built-in phishing protection. (2, Funny)

greyline (1052440) | more than 5 years ago | (#29380169)

I think so many people tried to visit your site, it went down. Can I just post my information here for your product?

Re:I've got built-in phishing protection. (1)

sbeckstead (555647) | more than 5 years ago | (#29380703)

Please do, we'll contact you when the product ships!

Re:I've got built-in phishing protection. (1)

amoeba1911 (978485) | more than 5 years ago | (#29381615)

Sign me up too please! Here's my name, address, birthday, social security number, bank account and routing number, credit card number.



Thanks!

Re:I've got built-in phishing protection. (1)

davidshewitt (1552163) | more than 5 years ago | (#29385473)

In Soviet Russia, our anti-stupid product sells YOU!

Re:I've got built-in phishing protection. (2, Insightful)

amoeba1911 (978485) | more than 5 years ago | (#29381681)

The day you invent anti-stupid technology, the stupid will get stupider.

Re:I've got built-in phishing protection. (0)

Anonymous Coward | more than 5 years ago | (#29384407)

> If you invent anti-stupid technology, I'm sure you'd be a near instant millionaire.

No, I will be. You see, I have a patent on anti-stupid. I call it "smart" (TM)

Re:I've got built-in phishing protection. (3, Informative)

stokessd (89903) | more than 5 years ago | (#29379773)

> It's not frickin' rocket science.
>
> Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

The problem is that the API for "people" is really old, and many of the functions appear to be deprecated (see driving a non-synchromesh manual transmission, hunting, fabricating arrow points, etc). It's much easier to foam rubber coat the world, than to try to make "people" smarter (See modern playgrounds for freshly instantiated "people").

Sheldon

Re:I've got built-in phishing protection. (1)

Nadaka (224565) | more than 5 years ago | (#29379967)

Hey... I still drive a manual (though admittedly it is synchromesh), I still hunt, I still fabricate arrow heads. These are largely relegated to hobbies, but some people really do still do these things.

Re:I've got built-in phishing protection. (1)

Gulthek (12570) | more than 5 years ago | (#29380683)

Speaking as a parent of a toddler: modern playgrounds are AWESOME. At a nearby park there is a frikin' 3 story spiral tunnel slide! A ladder that leads to a rock wall about 5' up that kids can climb along then drop down (yes, drop) onto a big flat slide. An obstacle course of monkey bars that go UP from about 6' to 8' then end at a raised platform on a sprawling playset.

All in all, playgrounds seem far more dangerous (and awesome) than the tiny slides and see-saws I played on as a kid. I'm actually pretty jealous.

Re:I've got built-in phishing protection. (1)

jargon82 (996613) | more than 5 years ago | (#29380737)

Having kids is really just an excuse to keep playing with their toys, at least for men.

Re:I've got built-in phishing protection. (1)

KingPin27 (1290730) | more than 5 years ago | (#29381301)

> Having kids is really just an excuse to keep playing with their toys, at least for men.

Unless all you have are girls then all you do is spend most of your time with them undressing and re-dressing various assortments of barbies..... Ugh!

Re:I've got built-in phishing protection. (1)

Gulthek (12570) | more than 5 years ago | (#29380747)

Oh also, manual transmission FTW. My wife has actually never owned a car that was anything else.

Re:I've got built-in phishing protection. (0)

Anonymous Coward | more than 5 years ago | (#29380769)

Hey, my transmission is not synchromesh, you insensitive clod!

Re:I've got built-in phishing protection. (1)

geekboy642 (799087) | more than 5 years ago | (#29381937)

I wish I could afford an automatic transmission. Sure, there's something to be said for a proper gearshift, but after a decade of stop-and-go driving in the city, I'm ready to not use a clutch anymore.

Re:I've got built-in phishing protection. (1)

mcgrew (92797) | more than 5 years ago | (#29379819)

> Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

You can make people less ignorant, but there is no way to make them less stupid.

Re:I've got built-in phishing protection. (2, Insightful)

MobileTatsu-NJG (946591) | more than 5 years ago | (#29380611)

> Instead of putting all this effort into anti-phishing technology, we should make people less stupid.
>
> You can make people less ignorant, but there is no way to make them less stupid.

You know, it's funny, chicks look at our fashion sense the same way we look at their understanding of the internet.

Re:I've got built-in phishing protection. (1)

mcgrew (92797) | more than 5 years ago | (#29381267)

I don't know, there are a few women I know that know more about the internet than some slashdotters, and other women who have less fashion sense than me (and I wear pretty much the same kind of clothes I wore decades ago).

To me, fashion=stupid.

Re:I've got built-in phishing protection. (1)

MobileTatsu-NJG (946591) | more than 5 years ago | (#29381495)

> To me, fashion=stupid.

Right. So would it be fair for me to say you're not beating the hotties off with a stick?

No offense intended, I didn't mean that as an attack. Frankly, I'm not one to talk. My point is that we, as geeks/nerds think other people are stupid, yet other people think we are stupid.

I have a feeling that example isn't going to go over too well so I'll use another. There are peeps out there that would think *I* am stupid because I don't know how to change the oil in my car. I could retort that I think those people are stupid for not knowing how to write a useful Mel script. If I look extra not-cool right now, you're getting my point.

Re:I've got built-in phishing protection. (1)

mcgrew (92797) | more than 5 years ago | (#29382031)

Actually, the "out of fashion" thing works for me. Women want the "bad boys" because they have a need to change them, and you don't have to be a true "bad boy" for the effect to work. The first thing a woman does after she gets her hands on me is try and get me to get rid of the sweater.

And I don't think I've ever seduced a woman. I suck at it, but some do come on to me. Unfortunately, some gay men do, too. [slashdot.org]

As to changing the car's oil, that's not stupidity, it's ignorance. You could learn to change the oil in your car, a truly stupid person couldn't. When I say "fashion=stupid", fashion is a waste. I'm not going to throw out a perfectly good pair of jeans just because fashion says jeans should be a darker color blue, and I'm not going to throw away my comfortable jeans because tight fitting ball busters are in style.

Re:I've got built-in phishing protection. (1)

MobileTatsu-NJG (946591) | more than 5 years ago | (#29382465)

> As to changing the car's oil, that's not stupidity, it's ignorance. You could learn to change the oil in your car, a truly stupid person couldn't.

This is ultimately the point I was trying to make. We agree, man.

Have a good day.

Re:I've got built-in phishing protection. (1)

sbeckstead (555647) | more than 5 years ago | (#29380711)

Seconded!

Re:I've got built-in phishing protection. (0)

Anonymous Coward | more than 5 years ago | (#29385017)

Maybe you can't make *this individual* less stupid, but you can make future generations less stupid. By not babyproofing everything (future generations won't stick forks into electrical sockets?)

This is a joke, mostly...

Re:I've got built-in phishing protection. (0)

starglider29a (719559) | more than 5 years ago | (#29379847)

This problem is self limiting... People who are stupid enough to fall for a phishing scam will have their finances and credit pwned so badly that they won't be able to GET an iPhone.

Though maybe people would be less susceptible if they didn't think that their browser/OS/phone was idiot-proof. Maybe the best phishing protection is to declare that there isn't any phishing protection. Motorcyclists drive more carefully than people in air-bagged cars.

Re:I've got built-in phishing protection. (1)

goldmaneye (1374027) | more than 5 years ago | (#29380565)

I disagree that no protection is the best protection. Plenty of people make simple typing errors all the time when they go looking for a website. Bank0fAmerica (it's a zero; could you tell?) looks an awful lot like BankOfAmerica. As phishing attacks get more and more sophisticated, eliminating any kind of protection makes less and less sense; even smart people can get taken in by an expertly-executed phishing attack that uses a URL that very closely mimics the correct URL and a website that looks nearly identical to the actual website.

Regarding your analogy with motorcycles, statistics compiled by the National Highway Traffic Safety Administration suggest that motorcyclists might actually drive less safely than people in air-bagged cars. In a fatal collision, when compared to passenger vehicles involved in such collisions, motorcyclists were found to be:

(1) More likely to have been speeding.
(2) More likely to have had their license suspended.
(3) More likely to have been driving with a suspended license.
(4) More likely to have been legally intoxicated.
(5) More likely to have a previous DUI on their record.

Please note: The report does not suggest that these behaviors are prevalent among motorcyclists, and it is not in any way my intention to suggest that they are. Most motorcyclists that I have seen on the road drive in a very safe manner. I am just summarizing the statistics from the NHTSA report.

Source: http://www.nhtsa.dot.gov/portal/nhtsa_static_file_downloader.jsp?file=/staticfiles/DOT/NHTSA/Traffic%20Injury%20Control/Articles/Associated%20Files/810990.pdf [dot.gov]

Re:I've got built-in phishing protection. (2, Insightful)

johndiii (229824) | more than 5 years ago | (#29380767)

I agree with your point about no protection not being the best protection, but I don't think that the statistics that you cite demonstrate the point that you are trying to make. The notion that motorcycle crashes in general have a greater incidence of fatality means that behavior that causes crashes will correlate better with motorcycle fatalities than with passenger vehicle fatalities.

A more meaningful number would be something like the number of crashes per vehicle mile. Or perhaps the number of injury-producing crashes per vehicle mile. Even then, a conclusion might be slippery, because motorcycles do not tend to get into minor accidents like parking lot fender-benders, but even a minor motorcycle accident is more likely to produce an injury than a passenger car accident.

Re:I've got built-in phishing protection. (1)

starglider29a (719559) | more than 5 years ago | (#29382583)

> In a fatal collision...

Ah, but what about the collisions that never happened? That's the point. A rider without the protection of a cage will drive gingerly and NOT GET into a fatal collision. Whereas, a driver who knows that their airbag will deploy will drive less carefully than a car without airbags.

But, says Steven Peterson, professor of economics at Virginia Commonwealth University, "An airbag allows me to drive more aggressively but not face any more risk [reason.com] ." In fact, drivers of airbag-equipped cars get into and cause more accidents, negating the safety benefits for drivers and increasing the risk to others.

And here's a stat you won't find... Bikers with NO helmet, NO leather will drive VERY carefully. NOT relying on airbag or even traffic laws to protect them.

The person surfing the web should be babysitting their OWN stuff because anti-phishing measures make better phishers, and idiot proofing makes better idiots.

And when I get an email from Bank0fAmerica telling me my account needs X, click here to login... I delete it without reading it. Zero or not. Keep telling them that they are safe and they eventually won't be.

Re:I've got built-in phishing protection. (3, Insightful)

Tom (822) | more than 5 years ago | (#29379883)

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

Rational analysis tells me that's the wrong approach. Inventing a 100% reliable anti-phishing technology is considerably easier than making people less stupid.

Re:I've got built-in phishing protection. (2, Funny)

Anonymous Coward | more than 5 years ago | (#29379925)

You think making people less stupid is easier??

Please excuse me while I clean up the drink I just snarfed all over my laptop!

Re:I've got built-in phishing protection. (1)

Tweenk (1274968) | more than 5 years ago | (#29379949)

we should make people less stupid.

Unfortunately that is a physical impossibility, so your plan fails.
Moreover the wide access to technology depends on it being accessible to stupid people - otherwise they wouldn't buy them and the technology companies would fold. There is just no solution to this problem: idiots will always get their computers hacked, fall for scams, get their credit cards stolen etc. no matter how secure we make them. The only way to cope with this is to minimize the effects they can have on other people.

Re:I've got built-in phishing protection. (4, Funny)

cadeon (977561) | more than 5 years ago | (#29380201)

we should make people less stupid.

Your post advocates a

( ) technical ( ) legislative ( ) market-based (X) demographic

approach to fighting phishing. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Phishers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(X) It is defenseless against brute force attacks
(X) It will stop phishing for two weeks and then we'll be stuck with it
(X) Users don't want to be educated
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from phishers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for information
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of phishing
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
(X) Accessibility
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your information?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:I've got built-in phishing protection. (1)

intheshelter (906917) | more than 5 years ago | (#29388315)

I've got no mod points right now, but I have to say your reply was kind of dumb. I think you might fall under the stupid demographic for actually dissecting his tongue in cheek idea.

Re:I've got built-in phishing protection. (1, Insightful)

Anonymous Coward | more than 5 years ago | (#29380221)

You Can't Fix Stupid - Ron White

Re:I've got built-in phishing protection. (1)

jellomizer (103300) | more than 5 years ago | (#29380223)

Until you make a typo and misspell your bank's website domain name. (or are you stupid enough to have a nice bookmark wide open for anyone to click on to see who you bank with) then you go to a site that looks just like your bank. Heck it may even have a valid security certificate, and you just got phished.

So you know how you got onto your site. However, you made a simple mistake... Too bad you didn't have phishing protection to tell you that you went somewhere wrong.

It is not that people are stupid. But they let their guard down at some point; when they do, most of the time they are lucky, but you can get that one point where you let your guard down and you make the mistake, then bingo, you are in trouble.

The really stupid people in the world think everyone else is stupid. The smart people in the world realize that they are not that smart and know to take advantage of help and tools to help offset their shortcomings.

Re:I've got built-in phishing protection. (1)

0110011001110101 (881374) | more than 5 years ago | (#29381025)

hahah silly man. I have 9 different banks bookmarked in my browser to fool people who break into my house, log into my computer and scan my favorites to see where I bank. They are like "beyotch why steal your tv when i can find out where you bank boooyyyy!". But then they see my 9 bookmarks, and they are like.. oh f#*$ this guy is smart, but still they start clicking. At some point they will click on my wachovia link (most robbers bank with wachovia) and decide they need to check their account balance.. bad news for them because that's my own fishing site and they are unknowingly giving me their password... hah! suckaz! The funny part is, not one of those nine bookmarks are my bank, actually my bank's website is spelled out with random letter positions from each of those 9 bookmarks. I look each one up and then build a string from that, then copy and paste that into my browser. You are thinking, what if you can't remember all the letter positions in each bookmark smarty pants?? well, i have that taken care of, see next to my keyboard is my Wells Fargo checkbook.. and inside of that the hidden combination of letter sequences is written out. So... good luck robber b*tches! I'm all covered yo!

Re:I've got built-in phishing protection. (1)

mehrotra.akash (1539473) | more than 5 years ago | (#29380427)

I don't think that the iPhone is targeted to people who actually know how to protect themselves, many of them would be using blackberries/nokia E/WinMo series or other business focused handsets as their primary phone and the iPhone as a secondary media device.

"Instead of putting all this effort into anti-phishing technology, we should make people less stupid."
then only those who want a media player would want iPhones

Note: all my comments are based on the original unjailbroken iPhone, have not encountered a newer version

Re:I've got built-in phishing protection. (1)

Dishevel (1105119) | more than 5 years ago | (#29382355)

How could anyone NOT know that's a scam? It's not frickin' rocket science.

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

As a rule in advanced societies people get more stupid and less able.

I RTFA (2, Insightful)

mcgrew (92797) | more than 5 years ago | (#29379667)

That's troubling. Phishing protection that doesn't work is more dangerous than no protection at all. At least if you know you have no protection you'll be more careful.

Re:I RTFA (1)

Webcommando (755831) | more than 5 years ago | (#29379987)

That's troubling. Phishing protection that doesn't work is more dangerous than no protection at all. At least if you know you have no protection you'll be more careful.

I know where people are coming from on this but it is a first pass at a new capability. Should they have used the same mechanism as Safari on OSX (i.e. Google database)? Maybe, but perhaps there is a reason why that wasn't appropriate.* Perhaps there was a specific challenge they hadn't resolved for 3.1.

I think it is encouraging that they made an attempt and expect to see some improvements as the engineering team gets real world feedback on the feature. Regardless, I don't think I normally go to sites on my iPhone that I don't already know from normal browsing and have a shortcut already.

* As an aside, if I was Apple, I'd start finding alternative ways of providing key content (maps, videos, etc.) to my phone that didn't rely on Google. Never sole source to a supplier that starts competing directly with you.

Re:I RTFA (1)

Bill, Shooter of Bul (629286) | more than 5 years ago | (#29380463)

Phishing sites come into existence so fast, that I really wonder how much use any phishing filter is. But any protection is better than none, though I'd recommend not trumpeting it too loudly for the exact same reason you gave.

Re:I RTFA (1)

jtownatpunk.net (245670) | more than 5 years ago | (#29382015)

If people were smart enough to "be more careful", they wouldn't need phishing protection in the first place. :)

mnerd (0)

Anonymous Coward | more than 5 years ago | (#29379737)

You do realize that just about any security feature of any platform could be broken or circumvented and "may not provide any protection at all"

Doesn't matter anyway (1)

ironicsky (569792) | more than 5 years ago | (#29379849)

It doesn't matter how many bells and whistles, security and user protection systems you put on a device. A dumb user is still a dumb user. Look at your typical computer user. Even though they are using the latest A/V software, their ISP scans for email viruses and spam, they are using Firefox which has anti-phishing protection, a firewall program or a router with SPI, and malware protection software they still manage to blow their computer out of the water on a regular basis requiring tech support to fix it, or fall victim to a phishing scheme. This is 10 years of doing consumer tech support talking. Most users have the "Press Yes" mentality. The dialog could clearly state, press Yes to install this nice virus on your computer, and without reading it, they would hit yes.

The best solution out there is to actually train users of online devices to know how to spot problems or suspicious sites, programs, etc. Until the users are trained how to recognize problems they won't learn how to deal with them.

You bought an iPhone... (1)

f0rk (1328921) | more than 5 years ago | (#29379877)

... you're already fished.

Latency (1)

topham (32406) | more than 5 years ago | (#29379979)

Latency is the likely reason to not go with the Google lookup method.

Besides, don't know about you, but I'd prefer that not all my browser habits be logged to the government.

Re:Latency (1)

AnalPerfume (1356177) | more than 5 years ago | (#29380097)

I wasn't aware Google = Government, with a few exceptions like China. Any closed source application can be tracking you and you'd never know. Chances are Apple are doing the same in all sorts of ways, for the same reasons Google do....targeted advertising. They want to know more about you so they can put an advert up which is more likely to appeal to your wallet opening tendencies.

At least with Google you don't need to use Google apps to access the services, you can use open or closed source third party apps like Firefox which has an addon to limit what information Google get from you when you do use their services. More than that, you can choose not to use Google at all. With the iPhone Apple ensure that some of their apps are the ONLY option. They won't allow any competing web browser so you're stuck with theirs, regardless of whether they've stuffed it with spyware or not. Same goes with iTunes, do you believe they don't track what media you have? Are you really that naive?

Re:Latency (1)

mehrotra.akash (1539473) | more than 5 years ago | (#29380485)

actually, google would make a great government and in reality might just get big enough to start buying small countries at first and then slowly expand and become the world government

just imagine, if i wanted to go from point A to B anywhere in the world, i could easily look it up on google as, google being the world government would have all the information necessary, and no passports/restrictions/different currency conversions,etc would be required

even better, they might just be able to plan your life, just imagine that you want to spend X days in A y in B and z in C, google could automatically plan a trip, apply for your leave at office and the amount of money would be deducted from your bank account, all with just 1 click

Re:Latency (1)

dhaines (323241) | more than 5 years ago | (#29381359)

You are not stuck with Apple's browser on the iPhone. A casual search turned up 15 web browser apps before I stopped counting.

I'd provide links, but someone might be tracking.

But...but... (0, Troll)

dreamchaser (49529) | more than 5 years ago | (#29380027)

But it's Apple! I thought everything from Apple was considered magically delicious here. Now I'm confused :(

Let me Blow your mind. (1)

k_187 (61692) | more than 5 years ago | (#29380165)

Anything from Apple is considered magically delicious and explicitly loathed here.

Re:But...but... (1)

Monkeedude1212 (1560403) | more than 5 years ago | (#29380237)

No, you're thinking of ONE product from GENERAL MILLS.

Snap judgements (1, Flamebait)

93 Escort Wagon (326346) | more than 5 years ago | (#29380063)

Given that the iPhone OS 3.1 was just released yesterday, I've got to wonder just how thoroughly this blogger investigated anything.

Note that doesn't mean I think the features in question are good or bad - but really, I'm not going to put much stock into anything anyone wrote up after at most a few minutes of use.

Sigh... I'll be so happy when blogs die their already-overdue natural death.

Re:Snap judgements (3, Informative)

Monkeedude1212 (1560403) | more than 5 years ago | (#29380209)

He went to the popular testing site Phishtank and tried the phone out against a bunch of different phishing attempts. He says not one was blocked.

Re:Snap judgements (1)

amicusNYCL (1538833) | more than 5 years ago | (#29380591)

Note that doesn't mean I think the features in question are good or bad - but really, I'm not going to put much stock into anything anyone wrote up after at most a few minutes of use.

His central point was that he couldn't find a single site that was flagged as a phishing site. He even bolded that for you. If you can disprove that, go ahead and post a comment to his blog, he doesn't have any comments yet of people offering sites that do actually get flagged.

Re:Snap judgements (1)

johndiii (229824) | more than 5 years ago | (#29380621)

He's not just a "security researcher" - he's an official blogger for Zscaler, a "cloud security" vendor. Essentially, they seem to provide security-checking proxies. My take is that he would have a vested interest in portraying the iPhone (or any platform not protected by Zscaler) as insecure.

The PhishTank list has 2279 entries. I'd be interested to know how many he tried, and which ones.

He didn't do his research. (4, Interesting)

nneonneo (911150) | more than 5 years ago | (#29380679)

I followed the same steps as outlined in TFA: download the verified online [phishtank.com] phishing list, pick a few URLs and load each into MobileSafari.

The very first one on the list, citibanking.ru, was blocked by both Firefox and MobileSafari. Since it was at the top, I thought that perhaps it was too recent (reported Sept 10, 2009), so I went down the list a bit, and got colorear.org/ray/, also blocked on Firefox and MobileSafari (reported Aug 26, 2009). guildoftibia.w.interia.pl was also blocked on both (reported July 28, 2009). I also found a few that were blocked on neither, but none that were blocked only on one and not the other, suggesting that MobileSafari uses Google's list (further reinforced by the fact that the "about" link takes you to a help page on Google [google.com]).

So, I call sloppy research on the part of this security researcher (who writes "In fact, I have yet to identify a single phishing page blocked on the iPhone", emphasis his), since I was quite easily able to find several pages which were blocked.

Re:He didn't do his research. (1)

nneonneo (911150) | more than 5 years ago | (#29380739)

For those of you who are curious and have never seen the phishing warning, here it is [imageshack.us] (two images were combined to show the full height of the message).

Re:He didn't do his research. (1)

teshuvah (831969) | more than 5 years ago | (#29381351)

I have a 32GB iPhone 3GS phone, and I just put http://citibanking.ru/ [citibanking.ru] into MobileSafari and the webpage loaded. I did not get the phishing warning or anything. Something is very inconsistent here if it works for some and not for others.

Re:He didn't do his research. (1)

nneonneo (911150) | more than 5 years ago | (#29381415)

Is it running iPhone OS 3.1, and is the Fraud Warning option enabled under Settings->Safari?

Re:He didn't do his research. (1)

teshuvah (831969) | more than 5 years ago | (#29381447)

Yes, forgot to mention I am running iPhone OS 3.1. And yes, fraud warning is turned on in settings. What model of iPhone do you have? How are you connecting - wireless or 3G/edge?

Re:He didn't do his research. (1)

nneonneo (911150) | more than 5 years ago | (#29381713)

iPod touch, first generation, firmware 3.1.1 (released yesterday), WiFi.

Re:He didn't do his research. (1)

teshuvah (831969) | more than 5 years ago | (#29381815)

3.1.1? I only have 3.1 and it says I am up to date. Maybe this is a bug in 3.1 for the iPhone but it works for the iPod touch 3.1.1?

Re:He didn't do his research. (1)

nneonneo (911150) | more than 5 years ago | (#29381891)

It's basically the same version, but the iPhone edition is labeled 3.1, while the iPod edition is 3.1.1. I don't think there's a major difference in the actual software.

Still, it's quite curious that it works for me but not for you. This would explain Michael's more recent observations [zscaler.com].

Who cares? (0, Troll)

Stone Wolf99 (868461) | more than 5 years ago | (#29381551)

iPhone security is already a joke. There's no anti-virus, firewall, or malware protection of any sort. Get a keylogger on one and any competent hack could bankrupt by buying up iTunes, the first time the owner buys anything on the app stores or iTunes. That doesn't even count what could happen if someone were to actually make a purchase at an actual website with the thing. Apple is more worried about protecting the phone from people who want to put their own applications and themes on it, than they are with making it secure. Go figure.

Phishing vs. blacklists vs. whitelists (1)

Animats (122034) | more than 5 years ago | (#29382643)

The trouble with phishing blacklists is that if you take a hard enough line to make them work, there's collateral damage. Blacklisting by URL is useless; most attackers with a clue use a different URL in each email. Even blacklisting by full domain is no longer enough; many attackers use a bogus subdomain for each phishing e-mail.

If you take a hard line and blacklist at the second-level domain, blacklists are more effective. We measure the collateral damage of doing that. We (as SiteTruth) maintain an updated list of major domains being exploited by phishing scams. [sitetruth.com] This is a list of domains that are both in PhishTank with a hostile URL, and OpenDirectory, as "major". Today, there are only 37 domains on the list, which is about as low as it's ever been. The high was around 175, back in 2008. This matters because the big-name sites are likely to be whitelisted, and phishers look for exploits that will let them use a big-name domain to evade filters.

We nag sites into fixing security holes which allowed some phishing site to exploit them. Microsoft, Yahoo, and eBay have cleaned up their act. Only a few major sites are still on the list. Google is on the list because someone figured out a way to use a Google Docs spreadsheet to host a phishing site [google.com]. Piczo.com, a free hosting service now hosting 103 phishing URLs, just doesn't seem to care. The other sites with more than one entry tend to be dying hosting services: Geocities, FortuneCity, RoadRunner.

The problem of big-name sites being exploited by phishers is coming under control. It's probably safe to blacklist by second-level domain now. (If only Google gets their act together and deals with that spreadsheet exploit.)
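
The three blacklist granularities compared in the comment above (full URL, full host name, second-level domain), as an added example that is not part of the original post and is not SiteTruth's code. Every URL is constructed on the reserved `.example` TLD, and the two-entry suffix set is an assumed stand-in for the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# deployment would load the full list instead of this two-entry set).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def host_of(url):
    """Lower-cased host name of a URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def registrable_domain(host):
    """Second-level (registrable) domain: one label plus the public suffix."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def blocklist_key(url, granularity):
    """Reduce a URL to the key a blacklist of this granularity stores."""
    host = host_of(url)
    if granularity == "url":
        parts = urlsplit(url)
        query = "?" + parts.query if parts.query else ""
        return host + (parts.path or "/") + query
    if granularity == "host":
        return host
    if granularity == "domain":
        return registrable_domain(host)
    raise ValueError(f"unknown granularity: {granularity}")

def evaluate(reported, lures, legit):
    """Per granularity: (phishing lures caught, legitimate URLs blocked)."""
    results = {}
    for granularity in ("url", "host", "domain"):
        blocked = {blocklist_key(u, granularity) for u in reported}
        caught = sum(blocklist_key(u, granularity) in blocked for u in lures)
        collateral = sum(blocklist_key(u, granularity) in blocked for u in legit)
        results[granularity] = (caught, collateral)
    return results

# Constructed sample data: what has been reported to the blacklist so far.
REPORTED = [
    "http://login-a1.badhost.example/verify?id=111",
    "http://x9.freehost.example/bank/login",      # page on a shared free host
]
# Constructed lures arriving afterwards in new phishing e-mails.
LURES = [
    "http://login-a1.badhost.example/verify?id=222",  # same host, new URL
    "http://login-b7.badhost.example/verify?id=333",  # new throwaway subdomain
    "http://x9.freehost.example/bank/login",          # exact repeat
]
# Constructed legitimate traffic, used to count collateral damage.
LEGIT = [
    "http://alice.freehost.example/blog",   # innocent user of the same free host
    "http://www.goodbank.example/login",
]

if __name__ == "__main__":
    for granularity, (caught, collateral) in evaluate(REPORTED, LURES, LEGIT).items():
        print(f"{granularity:6}  caught {caught}/{len(LURES)}  "
              f"legitimate blocked {collateral}/{len(LEGIT)}")
```

On this data only second-level matching catches all three lures, and it is also the only setting that blocks a legitimate page, the unrelated blog on the shared free host.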
