NEW: @Apple's #LockdownMode is a radical reduction of the threat surface of an iPhone.

Cannot overstate how big a change this is for Apple.

So important that people at higher digital risk have the option to harden their phones.

Some thoughts 1/
apple.com/newsroom/2022/…
2/ When you notify users that they've been targeted with sophisticated threats, they inevitably ask:

'How can I make my phone safer?'

We haven't had many great, honest answers that really make an impact.

Hardening a consumer handset is really out of reach.
3/ There's a common mental barrier among big platforms & OS developers around mainstreaming high-security features.

A lot of inevitable considerations, like:

- Worse user experience (esp. vs. the competition!)
- Breaking features
- More customer support resources required, etc.
4/ Big companies can be *slow* to roll out higher security features.

Yet after they toe-dip as opt-in, they often realize some of these features are *also* possible for their whole user base.

Source: paper I wrote about this problem
computer.org/csdl/magazine/…
5/ In #LockdownMode, we see high-impact changes that stomp on specific attack categories that mercenary spyware companies et al. exploit.

Does this cover all possible desirable things? No. Not yet (one can hope!)

But this is a broad set of welcome protections.
6/ With #LockdownMode @Apple just raised the bar around what's possible.

I'm excited to see how it works out for high risk users.

There will be a learning curve & unexpected lessons.

I'm also hoping we see similar efforts from other companies.

Also, the 2x bounty = smart.
7/ 'Where did #LockdownMode come from?'

@apple gets a ton of credit! This can't have been easy.

They also get credit for listening to researchers & nonprofits... who have called for versions of this for years.

Good to see a big company take the chance.
8/ When features like #LockdownMode work... bad things don't happen!

Challenge: Users feel frictions up front.

Analogy: vaccination & side effects.

Messaging challenge: making sure high risk users know what to expect...while believing it's still worth it.
(edited for clarity)
9/ Composing tweets is hard.

I decided to delete and repost above tweet because some people parsed it as saying vaccines = bad.

For the record, vaccines = very good, get yours!

Thread by John Scott-Railton (@jsrailton)