Friday, 1 December 2017

My Christmas present

The iPhone X is not my Christmas present, honest. It is OK, but to be honest not that "special", and the hassle getting it set up was a nightmare.

First off I had to iCloud backup, which meant sorting extra storage. Then it restored, good, but every single damn app knows the login but not the password. So setting up banking on Lloyds, and Barclays, and Monzo. Then setting up Twitter and Facebook, FFS, why is this not simple?!?!

My authenticator app has lost the details so I have yet to sort that, and Barclays deny me "pin sentry" for "up to 10 days" for no fucking good reason.

The FaceID works seamlessly but to be honest so did fingerprints.

Then Signal app no longer loads - not available on app store, WTF? That is a pain as we use that internally for out of band support and ops. Arrrrrg!

OK, so iPhone X, and I pronounce it "ex" as I selected "English" not "Roman", not the Christmas present.

The Christmas present, if it happens, is the new Mac Pro. It looks awesome. I do video editing from time to time, and it looks perfect for that. I want! Looks very not cheap...  Seriously, Apple, saying "available December" is not good in bloody "December"!

I am here, contemplating spending a shitload with you on my new toy, where is it?!?

/me goes back to a corner to cry.

P.S. In case it is not obvious, this is a little tongue in cheek and my being the average Apple consumer for a change. Though I do rather fancy the new Mac Pro :-)

10 comments:

  1. Signal was a store issue: https://twitter.com/whispersystems/status/936686074465869825?s=17

  2. I read your article... then immediately started to question your sanity:

    "First off I had to iCloud backup, which meant sorting extra storage."

    Nope, you can hook your device up to a Mac or Windows machine running iTunes in order to back up your device - iCloud is an *optional* service - so 'had' was probably the wrong word to use there.

    "Then it restored, good, but every single damn app knows the login but not the password."

    This is where I started to question your sanity - are you really comfortable with storing auth credentials on a third party hosted service ?

    As the M.D. of an ISP that requires users to keep their usernames and passwords secure; especially if you give those customers access to an authenticated SMTP relay, I am amazed that you would be happy with customers *sharing* their access credentials with a third party who has no business knowing them.

    "So setting up banking on Lloyds, and Barclays, and Monzo. Then setting up Twitter and Facebook, FFS, why is this not simple?!?!"

    ... because the banking folks have the exact same restrictions... are you honestly telling me that you would be happy for Apple to store your online banking credentials in the cloud where some miscreant could steal them... and ultimately, your money ?

    Who would you hold responsible for such a theft ?

    Yourself, for storing the data there, or Apple, for *allowing* you to store the data there ?

    "My authenticator app has lost the details so I have yet to sort that,"

    It was at this point that I actually started laughing.

    Expecting Apple to store both usernames and passwords for your accounts in iCloud isn't enough... you also expect them to store second factor TOTP seed data there as well... that kind of security is instantly nullified as soon as the seed is stored somewhere else other than your own device.

    (for the record, I store my TOTP seed data on my personal device and in the form of printed QR codes stored in a physical safe)

    "and Barclays deny me "pin sentry" for "up to 10 days" for no fucking good reason."

    A minor *temporary* inconvenience in the interests of security I am sure; most people don't change their phone every other day and a portable PIN sentry device comes free with every business account plus you can get additional ones from any branch if you ask nicely.

    "Then Signal app no longer loads - not available on app store, WTF? That is a pain as we use that internally for out of band support and ops. Arrrrrg!"

    If you had backed up your phone via iTunes, I *believe* that the app is stored in iTunes as part of your local backup but if you backup your device to iCloud, a reference to the Apple Store location where the app can be downloaded is stored instead - makes sense for Apple as you don't need to store multiple copies of the app in iCloud.

    "I am here, contemplating spending a shitload with you on my new toy, where is it?!?

    /me goes back to a corner to cry."

    The complaints about the iPhone X, the Apple TV rantings and then the "Me likey Mac Pro for Xmas!" really makes me suspect you are suffering from some kind of Stockholm syndrome when it relates to the Apple ecosystem - that isn't a criticism - merely an observation of your writings over the past year.

    Replies
    1. Some good points. What I want is to just be able to transfer what I have from one device to another, that was all. Sounds like using iTunes may have been the answer to that.

  3. I am not too fussed about having to enter a password to reauthenticate, say, a bank or Twitter, but the real pain in my experience is, as you say, having to re-setup every single authenticator code from scratch, and I too have got to the point of screenshotting the QR codes as part of the setup process for future. From a security perspective a TOTP is not fantastically secure as you can clone it (in fact one nameless government service has such an unworkable rights assignment model for third party agents that the only way it can be practically used is to use a shared business login with all the customers authorised against it; that is exactly what we ended up doing to enable 2FA - the other option was, for our “pilot case”, to set up 30 logins for each of the users and then assign each one access to each customer, involving at least 3-4 clicks per user per client, of which for the pilot site there were probably 750, with no “copy user”, no “assign by group” or “assign all” functions! They just have to change the password when someone leaves... far from an ideal system but a fine example of “insecurity through impracticality”), not like something tied to the actual device hardware fingerprint like, say, Google or Microsoft push notifications are, where you can revoke an individual device, so the ability to not be able to (securely, with say at least a 16 character complex key) backup your tokens database and restore it for a planned device move is a flaw in my view... 2FA is a bit of a pain at the best of times but is pretty effective as a next step, but I bet there are people out there who replace devices and get “burnt” once and then instead of setting it back up just turn it off, after all it is probably on the same page - I know from experience what a (quite rightful) headache it is to get back into an account to reset the 2FA as, obviously, not being able to provide the 2FA you could simply be a hacker, so you tend to get a very high level of validation checks!
    It’s just not a good user experience... nor for that matter is scanning 50 QR codes! It needs to be as seamless and as low impact as possible for people to use it.

  4. It might be sub-optimal, depending on your threat model, but 1Password lets you store your OTP codes and syncs them between devices (macOS and iOS) via local sync, so not via a cloud service.

  5. A shout out here for Codebook by Zetetic who also maintain SQLCipher. It supports TOTP and is a locally managed database which can be synced from a desktop or via Dropbox or Google Drive. It uses an atomic multimaster sync approach. It also has an open category, entry and field structure so you can make it reflect exactly what you need. I've used it for years and have all my TOTPs in there, so any of my devices can be called on to provide the secure info.

    https://www.zetetic.net/software/

  6. If you backup/restore in iTunes after having set a backup password (so that the backup is encrypted) most app's login details etc will be transferred across.

    There's still a few exceptions, mainly banking apps, that don't allow this. Even then you still have to explicitly unpair (prior to the iTunes backup) and re-pair your Apple Watch, setup Apple Pay pretty much from scratch, etc.

    It's a ridiculously annoying process. You would think Apple would have sorted out an easier process, e.g. linking the two devices directly with a cable to do the transfer.

    Replies
    1. Especially as there is this process at the start where the phones talk to each other and you point the camera at the new phone with some swirly image to speed up the set up. That appears to transfer basic Apple ID data directly - why not have, in that, a direct transfer of “sensitive” data?

  7. I've switched to Authy for MFA codes, as unlike Authenticator it allows you to back up, and have multiple devices. I actually had one code in Authenticator which did get transferred to my new X, my GitHub one, which was by far the oldest; not sure why. I use 1Password for some passwords, but I'm not too keen on putting my MFA eggs in that basket too!

    Signal didn't transfer any of my conversations, but it did work, so I think that must have just been a coincidence.

    The Barclays app was much less hassle than last time I changed handset, and doesn't require un-registering on the old phone any more. Maybe not so smooth because you're a business customer?

    I did use an encrypted iTunes backup. I can't say that was plain sailing, which was partly because I had apparently used a different password for this backup once. You can't just delete the backup and change password! You need to reset the phone settings!
    Then apparently my backup was corrupt, but that was just a shitty iTunes error message, as my old phone had a slightly newer version of iOS than the new phone. Hardly a surprising scenario that they couldn't anticipate and provide a better message for, frankly.

  8. I also just got a new iPhone and the “quick start” tool worked amazingly - no passwords to re-enter - it was brilliant:
    https://support.apple.com/en-gb/HT201269#quick
