FeralCJ7 t1_j254w23 wrote

> The bill also won’t require OEMs to provide “passwords, security codes or materials” to bypass security features, which is sometimes necessary to do to save a locked, but otherwise functionally fine device.

That part I understand at least. If anyone can access locked devices there's not much point for locking it.

But the part about selling component parts is bullshit

12

Levelman123 t1_j25c7hl wrote

No, do not even give them that. The FTC has done plenty of research on this. There is absolutely no difference in data safety when an "approved Technician" is fixing your device and a third party technician is fixing your device.

In fact common sense says the third party if established will actually be much more cautious and handle your data a hell of a lot more safely than some dude working at the genius bar that had a 15-minute breakdown on how to see water damage and tell you "nothing we can do" as the third party establishment has to uphold their reputation while the genius bar guy can just go get another job.

36

Ashmizen t1_j25mj4h wrote

Well if my iPhone is stolen, I want to ensure the thief cannot just take it to a repair shop and unlock it and get a nice free iPhone.

Today they get sent to shenzhen and sold for a tiny fraction of the value for just the parts, making stealing iPhones far less profitable.

If stealing iPhones can net you an unlocked phone by using some master security pass/reset, iPhones would be targeted by thieves like car cat converters, as we are talking about $500 value of phones vs $50 value of parts.

9

Levelman123 t1_j25vazh wrote

Hmm. Not bad. This could be solved by ensuring the same customer locks remain in place throughout the transaction. Or at least at the beginning and end of the transaction. Like repair shops can't unlock phones for the reason of "forgot password" as that is not a repair issue.

I guess the better question to ask would be does Apple tech already have this? If so what is the difference to a guy with 15 minutes of training but branded an "Apple genius" unlocking my phone compared to a guy with 20 years experience in his own repair shop doing it?

4

Ashmizen t1_j26jwfa wrote

I would assume currently iPhones do not have any unlock mechanism - however, laws can force Apple to change their design, like the recent EU ruling that is forcing Apple to add support for multiple app stores on future iPhones.

2

IThinkIKnowThings t1_j26gh56 wrote

Culpability. It's much harder for Apple, who's ultimately responsible for their poorly-trained employees' actions, to get away with stuff like that. They're way too big with way too much government oversight. The public outrage alone would be palpable, with demands for Apple to pay. Meanwhile if Joe Blow jailbreaks some stolen iPhones no one outside of law enforcement and those affected would know.

0

Scizmz t1_j26sq3p wrote

> with way too much government oversight.

You're funny.

4

FeralCJ7 t1_j25df8x wrote

If they sell the codes whatever to licensed technicians, will there be some sort of federal licensing required to ensure they don't sell it to Joe Blow on the street though?

1

Levelman123 t1_j25ee60 wrote

Why can't Joe Blow on the street fix his own device? I don't know how licensing works with phone repair as I can't think of anything dangerous enough to warrant such licensing. If my phone is broken, I feel I should be allowed to take whatever steps I need to make it operable. There is nothing I can do from my phone that would give me access to any backdoor systems in their systems; if there is, that is a them issue, and they should deal with it on their end.

9

FeralCJ7 t1_j25glb2 wrote

I guess I'm looking at it from the perspective of right now the tools needed to break encryption and unlock devices aren't commonly possessed. So the incentive to steal my phone, which could happen, really isn't that high right now cuz I can lock it, wipe it etc.

But once you start selling the ability for people to crack devices it'll basically make locking your device worthless.

5

Levelman123 t1_j25k4yi wrote

Those tools exist en masse currently. Data centers get breached constantly, any incentive to steal your phone already exists. And that incentive doesn't go away just because the person behind the desk is from Apple or a tech shop.

In fact Apple service jobs have a high turnover rate, so the incentive to steal phones is actually higher than if you just gave it to "tom's repair" down the street. That's what I'm getting at. There is no difference in security, so when they block any repair bill using security as an issue, just know they are lying through their god damn teeth.

2

FeralCJ7 t1_j25peih wrote

I don't think I'm making myself clear.

I'm not talking theft from a shop. I'm talking theft from person. From car. Right now pawn shops (at least where I live) only take phones you can prove are unlocked. If anyone can just buy the stuff to unlock it thefts could go up.

5

Levelman123 t1_j25s4y2 wrote

You don't need to buy anything to unlock a phone right now. Those tools already exist is what I was getting at. Plus a pawn shop ain't the best example. All I need to do to get around anything a pawn shop looks into is factory reset the phone and remove the SIM.

−1

azvnza t1_j26a3pg wrote

A big example is more for iPhones, you can’t remove the iCloud account without the password. There is no way to do it, and it is still linked to the account post factory reset.

3

DaRadioman t1_j26qcii wrote

That's not how iPhones work. You can't factory reset away ownership on them, they stay tied to the iCloud account.

Hence this whole damned conversation...

2

Levelman123 t1_j27iqmy wrote

Okay. Then just make it so they have to sign in to their account first? I'm not sure where this convo ended up

1

IThinkIKnowThings t1_j26gzdp wrote

"I don't know about you, but I don't want my tax money going towards yet more god damn government oversight." - Some Republican who at some point will cut funding to said licensing agency.

1

Mygaffer t1_j26d8nz wrote

Nope, that's not at all what that's about. It's literally a software lock only put in to prevent replacing broken parts. NOTHING to do with device security.

8

FeralCJ7 t1_j26dl58 wrote

Ahhh gotcha, okay. Thanks for clarifying

1

Guffawker t1_j268gkr wrote

Theft will always happen. It's not going to change. Theft still happens right now even when people know the device is basically non-functional. The difference is it would just get tossed in a dumpster since it's a brick. That's absurdly wasteful. Now, you're down a phone and have a brick in a landfill. You don't fix that issue by making tech obsolete if it's stolen, you fix that issue by tighter regulations on repair/second hand shops. Every device has an SN, that SN can be registered. It can be tracked to the owner. Realistically there are ways that could fix this both in ensuring the device is being sold by the proper owner, and having the software check/alert the owner when the device is reactivated or reset.

This doesn't even get into the fact that you can accidentally lock your own phone, forget your password, buy something second hand, etc. and be left with a brick. This kind of thing doesn't help anyone. Your phone will still get stolen because the thief doesn't gaf if it's locked or not. If it's locked they bin it, if not they sell it.

These aren't anti-theft measures... these are measures to limit the second hand use of these devices, and keep prices high by artificially regulating the amount of devices that can end up on the second hand market. That's the problem.

The whole "locks only keep honest people out" applies to comp sec as well. Let's not keep contributing to e-waste by pretending things like these do anything for our "security". Once your device is stolen, it's stolen. This just determines if it ends up in a trash can or usable once it is.

1

blastermaster555 t1_j26c6ai wrote

So if someone steals your phone, unlocks it, then downloads data that lets them steal your identity, that's alright?

Stolen phones get bricked is good if everyone does it - then phone thefts go down because word on the street is, it's not worth it.

4

FeralCJ7 t1_j26duhz wrote

I was a cop for 14 years and just got out. I absolutely remember iPhones getting stolen constantly when they were fairly new; gradually the thefts have tapered off due to being able to be tracked so easily by the owners and locked remotely.

I agree with you that allowing software to unlock these devices would just increase thefts.

4

Guffawker t1_j26f7j6 wrote

No one is saying that... you're making a gross assumption on how things like that work. We are talking about manufacturer password/admin use to "reset" the phone, not "unlock" it. No one is saying the data should be widely accessible, but that's a SEPARATE thing. You can make the device function again without allowing access to the user data.

That's the whole point. We shouldn't sell devices that become bricks just because of theft (and in a lot of cases we don't, users just don't have that access). Having a way to reset the phone into working order is NOT the same as allowing unauthorized access into the phone. I'm advocating the former. Not the latter. Stolen phones getting bricked does nothing, because people will still steal your phone, because it's always a user opt in feature, and users won't always use it. People will steal your phone in the hopes it's unlocked, because it's a small, incredibly easy device to lift, check, and bin if not the case. Even then, people will still steal them in hopes that they will be able to do something with it.

No amount of anti-theft measures are going to prevent someone from stealing a phone. You can lift 100 of 'em off people and if 1 person doesn't have a password, those 100 you stole don't matter. These measures just mean they get thrown in landfills instead of used. Shit, it might even REDUCE theft in the end, because if you can steal 1 and be able to make a buck off of it, you don't have to risk stealing 100. Phone theft works on the same "operation" as email scams. Doesn't matter how secure 99% of them are, you are looking for the 1% that isn't.

Again, no one should have access to your data. Full stop. Don't invent bs to my argument because you don't understand it. But you should be able to reset a phone into working order. That's the whole point. Your data is still safe, the theft already happened, the bricked device didn't prevent it, so instead of artificially keeping your stock off the second hand market and ending up in landfills, let's make them actually usable.

−1

blastermaster555 t1_j26jaou wrote

Every theft is a chance to get caught.

I understand the separation, but the way the post was worded, it sounded like advocating for being able to unlock locked devices, which means getting access to user data.

Before the device locking (device tied to account, requires unlock), phone theft was more profitable, because tossing the sim card and resetting it was trivial. Now that we have stolen phone databases (carriers refuse phone on the network when stolen), device sign in requirements (phone serial attached to account and required to unlock), and on device encryption, now we have a different problem.

From what I understand via RtR, the problem is not this, but being able to connect replacement parts that are serialized for security reasons. It is a security risk to have a bugged part paired such as a touchscreen or print reader that can easily have an extra chip used to steal customer info. The problem that it clashes with RtR is with manufacturers not providing a way to put official parts on yourself (such as re-pairing these serialized parts with the device).

3

Guffawker t1_j26swiw wrote

Yes, but getting caught is not a deterrent to theft. If it was....people wouldn't steal. The people that steal do it because the risk of getting caught is worth the return. That doesn't change just because a device is locked. Phones are easy to steal. So it will always happen. Even with increases in security phone theft is on a rise. People don't give a shit if the device is locked or not, again, because they can pick it up, stick it in their pocket, and walk away. No amount of increased security changes how easy they are to steal. It's the same thing as spam emails. It works because you only need 1% of the 99% you go after to be unsecure for it to be worth your while.

Again, kill switches are the problem. I know how trivial it was. I've worked tech repair/IT my whole life. I've dealt with this issue. All that happens is the dude that came in with a phone asking for it to be fixed just walks outside and throws it in the trash. The theft still happens, but the device ends up in a landfill which is a problem. It may reduce it slightly, but it's not going to prevent it, all it does is prevent that device from ever being used again. If you want to stop the theft, make better measures of tracking the device, not allowing manufacturers to turn their device into a useless $1000 piece of landfill. These companies don't do this because it "protects" your device. That's just an added bonus. They do it so their devices don't end up costing $200 at a pawn shop. They could build other methods of theft reporting/alerting into the software if they wanted, but it's more beneficial for them if the device becomes a brick, because it kills the second hand market and the og owner now has to purchase a new one. Again, as you've said too, carriers have already implemented blacklists and such for stolen devices, so bricking the device does even less in that regard.

Again, data should always be secure.

This isn't in any way pointing to this as the problem of RtR.....this was a response to someone discussing the particular aspect of this bill that referenced the article mentioning the lack of requiring manufacturers to provide access to "save locked devices" as an oversight of this bill.

As far as RtR is concerned that's hardly the issue at all. It's not about using unofficial parts. That has little to do with RtR at all. RtR is honestly a LOT of fights wrapped into one, but the big issue is about manufacturing companies having a monopoly on the ability to service and repair devices they manufacture, often to the detriment of the user. RtR is about separating the "electronics repair" industry from the "electronics manufacturing" industry, because they are two separate entities. It doesn't mean "users can shove whatever they want into their tech" (although, largely, they should be able to. It's your equipment, you bought it, you should be able to do what you want with it), it means "John Deere must provide other companies (and even the tech savvy DIY farmer) with the parts for repairs and make repairs accessible via normal means". You're still using their manufactured stuff, it's just you have more options than your current option of "Pay John Deere $7500 to service my tractor, or throw it away and buy a new one". A lot of tech companies have a monopoly on their services and outright refuse to sell parts to any other company. That means they can charge you whatever they want because your only solution to fixing the device is "buy a new one". Even if the fix is simple. Your argument is the kind of shit companies spew to make it seem like RtR is a bad thing, but it doesn't mean or prevent anything, and largely has little to do with RtR itself. RtR is about forcing manufacturers to provide access to the tools/software/components for users and third party individuals to actually have options to repair, especially, because as is, it's completely legal to repair and modify things you purchase. It's not a security thing. It's about manufacturing companies not wanting to provide repair materials to external companies and individuals because if they are the only ones that can service their devices, they can make a shit ton more money.

It's not a security risk at all to allow people to repair their own equipment or use a third party. It's not even a security risk to allow third party manufacturers to make parts that work in your equipment. We already have regulations on that shit, and consumers can/do spend time researching options like that when replacing parts. As a side note, things aren't serialized like that for "security", it's so the manufacturer can detect if you're using their parts and void/refuse service if you aren't. If people want to steal your data, they aren't going to "install an unauthorized touchscreen". They are gonna use cheap external hardware that can easily be removed/installed/disposed of, that they have full access to instead of having to find a way to implement it in the company's software as well, that would have to continually broadcast data to them in some way.

Manufacturing companies having a monopoly on servicing their products doesn't prevent a security risk. You, as a consumer, can still shop around for reputable repair service techs, that use genuine parts provided by the manufacturer, or do it yourself with parts purchased from them.

The whole intent of RtR is to point out and clarify that manufacturing and service are two different industries, and just because you provide the former, does not give you exclusive rights to the latter. In fact, just the opposite. It should be incredibly difficult for a company providing a product to be allowed to be the sole service point of that product, as it's in direct violation of already established copyright laws and allows the company to extort the consumer for repair cost.

2