SN 873: DuckDuckGone?

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

That digital ID story left me dumbfounded - that New South Wales would adopt such a poor design, but also that private businesses require it for identification. Steve’s rental car story left me scratching my head too - similar to the false IDs, it would be super simple to save a JPG of a phony banking app screen and show it if asked. I’m with Steve, I don’t use any mobile banking apps. It seems that people want to adopt these technologies without doing any of the actual work required to adopt them.

Regarding the Vodafone TrustPiD story - I think it would be trivial for a mobile carrier to install their own trusted root cert into user devices to gain access to snoop on HTTPS traffic. Wouldn’t a carrier be able to install such a certificate through an app? The “normals” all buy their devices through carriers anymore, and I’m sure most would dad-click right through any sort of system prompt asking them to install a carrier app.

If you still live in a region where carriers brand phones, then, yes, they could organise to have their own root certificate to be installed. But that wouldn’t work with iPhones or carrier free phones. I’m not even sure if carriers still brand phones, here in Germany.

My last carrier branded phone was a 2008 HTC Diamond Pro with O2 branding. The last carrier subsidised phone was a stock Android smartphone from the shelf of a local electronics market; I received 200€ off the price of the phone, but it was a stock Huawei phone, not a customised one for the carrier.

We haven’t had branded phones here for quite some time either, except maybe some featurephones. Unfortunately smartphones, even Apple’s, are subsidized to a sickening degree.

Regardless of market differences between countries, I still would wager that the majority of users would thoughtlessly install their carrier’s app - which I believe would be a vector for such a root cert.

Not familiar with iOS, do you believe it wouldn’t work because Apple controls that certificate store?

Apple don’t let the carriers make changes to the firmware. The update to the certificate store would have to take place post-purchase, therefore the user would have to agree to the change.

Android should be the same, for standard phones, but carrier-branded phones have a custom ROM, so the carrier could add their own certificate into the ROM image, therefore no user consent is necessary.

Policies can try and add their own certificates, but the user is informed about the change and must agree, e.g. corporate self-signed certs for internal services.


When I learned programming and in my first job, the mantra was documentation, documentation, documentation.

We had to document what we wanted to do.

We had to document the code, before we wrote the code, and we had to go back and change the documentation, when we made changes to the code.

When I joined a company, there were about a dozen programmers working on the finance system. We were given change requests on a first come, first served basis, so documentation was the A and O.

We had to update the module header with the date, version number, change request number, programmer’s name and a brief description of the change. Before each block of code that was changed, a comment with the version and author had to be entered, followed by a description of the change and after the changed block, another “end” comment.

E.g.

*
* v 2.3.1 D. Wright
*
* added new field for status of invoice
*

… code here…

*
* end v 2.3.1
*

Mobile Driver Licenses have already been solved with ISO/IEC 18013-5. This is what Apple is using and I expect others are as well.

Opt-out is illegal in Germany, because of GDPR. It has to be opt-in.

Didn’t Steve actually say that it was opt-in through the usual cookie selection dialogs on websites (cookie banners that merely announce that a site uses cookies are only legal if the site uses no 3rd party cookies and does nothing else other than keep a session open and track current navigation)? Therefore you must opt-in to it, and if you opt-out for a specific site, it must honour that.

The problem is, only the privacy conscious ever bother to say reject all or turn off non-necessary cookies; “legitimate interest”, tracking and advertising cookies are considered not necessary.

It sounds like DT/T-Mobile and Vodafone are either hosting ad servers on their networks and/or they are getting a cut of the revenues. Either way, it is very reprehensible in 2022 and I don’t see how this will conform to GDPR.

Edit:

Also, Deutsche Telekom (DSL and Fibre) and Vodafone (DSL and fibre/cable) are two of the biggest ISPs in Germany, as well as mobile operators (T-Mobile (D1) and Vodafone (D2) networks). If they are putting it into the routers and man-in-the-middling from the routers, with a signed local certificate on the router, like most AV products these days, that would probably work for home use.

They also have a range of streaming TV kit and IoT devices etc. that they provide.

(That is one thing I hate about our AV product: when I go to a site, I often call up the certificate to ensure it is from a known authority and it is valid. Especially my bank, for example: I know which CA they use, so if the site suddenly shows a different cert from a different CA, I know there is something fishy going on… apart from if I am using the AV software, in which case it is always the self-signed auto-generated cert from the AV software!)
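The manual check described in the post above (comparing the CA on a site’s certificate with the one you know the site uses, and noticing when an AV product or router-level interceptor has swapped in its own locally trusted root, as discussed earlier in the thread about carriers and policies adding certificates to the device store) can be automated. The following is an added example, not code from the show or from any poster; the hostnames, CA names and expected-issuer table are constructed placeholders. It works on the dictionary shape returned by Python’s `ssl.SSLSocket.getpeercert()`, so the same classifier can be run against a live connection or against stored samples.

```python
import socket
import ssl

# Expected certificate issuer per host: the CA organisation you know signs the
# site's certificate. These values are constructed placeholders, not real data.
EXPECTED_ISSUER_ORG = {
    "bank.example": "Example Trusted CA Inc",
}


def issuer_fields(cert):
    """Flatten the 'issuer' entry of an ssl.getpeercert() dict.

    getpeercert() returns the issuer as a tuple of RDNs, each RDN being a tuple
    of (attribute, value) pairs; this turns that into {attribute: value}.
    """
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def classify_issuer(hostname, cert):
    """Return 'expected', 'unexpected' or 'unknown-host'.

    'unexpected' is the interesting case: the chain validated against the
    local trust store (otherwise getpeercert() would not have returned a
    populated dict), yet the issuer is not the CA this site normally uses.
    That is exactly what a locally installed interception root looks like.
    """
    expected = EXPECTED_ISSUER_ORG.get(hostname)
    if expected is None:
        return "unknown-host"
    org = issuer_fields(cert).get("organizationName", "")
    return "expected" if org == expected else "unexpected"


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live check (needs network): open a TLS connection using the system trust
    store and return the validated peer certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the same shape as getpeercert() output.
GENUINE_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trusted CA Inc"),),
        (("commonName", "Example Trusted TLS CA"),),
    ),
}

# What the same site looks like when an AV product or router re-signs traffic
# with its own auto-generated root that has been added to the local store.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": (
        (("organizationName", "Example AV Web Shield"),),
        (("commonName", "Example AV Web Shield Root"),),
    ),
}


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("intercepted", INTERCEPTED_CERT)):
        print(label, "->", classify_issuer("bank.example", cert))
```

To run it against a real site, call `classify_issuer(host, fetch_peer_cert(host))` after filling `EXPECTED_ISSUER_ORG` with the issuer you observed on a machine you trust. Note that a result of `unexpected` is a prompt to look, not proof of interception: sites do change CAs, which is why the table is keyed by a CA organisation rather than a single certificate fingerprint.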

Leo must have disabled 1Blocker because when I go to iMore on my iPhone I see no ads.