
    Apple’s Lockdown Mode

    news.movim.eu / Schneier · Tuesday, 26 July - 12:57 · 1 minute

I haven’t written about Apple’s Lockdown Mode yet, mostly because I haven’t delved into the details. This is how Apple describes it:

Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware. Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.

At launch, Lockdown Mode includes the following protections:

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

What Apple has done here is really interesting. It’s common to trade security off for usability, and the results of that are all over Apple’s operating systems—and everywhere else on the Internet. What they’re doing with Lockdown Mode is the reverse: they’re trading usability for security. The result is a user experience with fewer features, but a much smaller attack surface. And they aren’t just removing random features; they’re removing features that are common attack vectors.

There aren’t a lot of people who need Lockdown Mode, but it’s an excellent option for those who do.

News article.


    On Risk-Based Authentication

    news.movim.eu / Schneier · Monday, 5 October, 2020 - 16:47

Interesting usability study: “More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication”:

Abstract: Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.

We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation. Our contribution provides a first deeper understanding of the users’ perception of RBA and helps to improve RBA implementations for a broader user acceptance.

Paper’s website. I’ve blogged about risk-based authentication before.
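One way to implement the login-time decision the abstract describes (compare the features observed at login with the user’s history and step up to an additional factor when they differ significantly), as an added Python example that is not from the paper or the blog post; the feature set, weights, threshold and login records are constructed assumptions, not values from the study:

```python
from collections import Counter
from dataclasses import dataclass, field

# Assumed login features and their weights in the risk score (constructed).
FEATURES = ("ip_prefix", "user_agent", "country")
WEIGHTS = {"ip_prefix": 0.4, "user_agent": 0.2, "country": 0.4}


@dataclass
class LoginHistory:
    """Per-user record of feature values seen at previous successful logins."""
    seen: dict = field(default_factory=lambda: {f: Counter() for f in FEATURES})
    total: int = 0

    def record(self, login: dict) -> None:
        # Only call this after a login has fully succeeded (including any
        # step-up factor), so an attacker cannot "train" the history.
        for f in FEATURES:
            self.seen[f][login[f]] += 1
        self.total += 1


def risk_score(history: LoginHistory, login: dict) -> float:
    """Weighted share of features whose current value is unfamiliar.

    0.0 means every feature matches what this user always does; 1.0 means
    nothing about this login has been seen before for this user.
    """
    if history.total == 0:
        return 1.0  # unknown user history: treat as maximum risk
    score = 0.0
    for f in FEATURES:
        familiarity = history.seen[f][login[f]] / history.total
        score += WEIGHTS[f] * (1.0 - familiarity)
    return score


def decide(history: LoginHistory, login: dict, threshold: float = 0.5) -> str:
    """Return 'allow' (password suffices) or 'verify' (require extra factor)."""
    return "verify" if risk_score(history, login) >= threshold else "allow"


def demo() -> tuple:
    """Constructed scenario: five usual logins, then three candidate logins."""
    history = LoginHistory()
    usual = {"ip_prefix": "203.0.113", "user_agent": "Firefox/102", "country": "DE"}
    for _ in range(5):
        history.record(usual)
    new_device_abroad = {"ip_prefix": "198.51.100", "user_agent": "Chrome/103", "country": "US"}
    new_ip_only = dict(usual, ip_prefix="192.0.2")  # same browser and country
    return decide(history, usual), decide(history, new_device_abroad), decide(history, new_ip_only)
```

A single changed feature below the threshold (here a new IP prefix on a known browser in the usual country) is allowed without step-up, which is the usability gain the study measures; a login where everything is unfamiliar is escalated.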


    Requirements Elicitation for Usable Systems

    debacle · pubsub.movim.eu / berlin-xmpp-meetup · Saturday, 7 March, 2020 - 14:47

This time, we will enjoy a remote talk about requirements engineering and usability. This talk is not only related to XMPP, but we will surely have a vibrant discussion on how to apply the lessons learned to XMPP.

Furthermore, we will talk about the Berlin XMPP Sprint, planned for the end of March.

When? Wednesday, 2020-03-11 18:00 CET (always 2ⁿᵈ Wednesday of every month)

Where? xHain hack+makespace, Grünberger Str. 16, 10243 Berlin (as always)

See you then!

Or join our non-physical room (xmpp:berlin-meetup@conference.conversations.im?join)!

#xmpp #community #xhain #freesoftware #berlin #meetup #sprint #usability #requirementsengineering