Comment by Hackbraten
3 days ago
> Secondly, it's a lot more convenient to use a device that's always with you than a dedicated standalone single-use computer.
The price the owner pays for this is that they're locked out of their own expensive general-purpose computing device while still having to bear all the inconveniences (babysit OS updates, configure stuff, keep it charged, have the battery fail, buy a new device every five years, etc.)
In the meantime, the standalone chip-and-TAN device costs 30 bucks, is powered by three AAA batteries that hold their charge for five years, lives for 20 years, and never needs a single software update.
I'd choose the small single-purpose device over the enshittified, locked-down smartphone every single time.
This reminds me of crypto wallets. I also dispute mike_hearn's:
> Smartphone HW attestation is better in every way
They're still prone to side-channel attacks like SPECTRE. Crypto wallets are practically immune because they're air-gapped.
[edit] I just realised that's Mike Hearn of early BTC fame. I suppose he would know what a crypto wallet is.
Spectre doesn't work across process boundaries, so I don't think they are. You can't Spectre your way into a banking app on an iPhone. Or if you can I'd like to see it in action.
I don’t think "Spectre doesn’t work across process boundaries" is correct as stated; cross-process and cross-security-domain Spectre attacks have been demonstrated. But I agree that "a malicious app can trivially Spectre its way into an arbitrary banking app on a patched iPhone" is a much stronger claim, and I’m not aware of a public demonstration of that exact attack. My point is only that process isolation alone is not, in principle, a complete answer to Spectre-class attacks.
You could also open your front door with your smart phone. It would look high tech until your battery is empty.
Sometimes I see people captured by the train station unable to check out. They usually find someone with a charger but technically the formula is to fine them for not having a ticket. Then one might still need to buy a ticket to continue the journey. (bring cash)
Phones are usually empty when things [already] aren't going as planned.
Back in my iPhone days, I once got bitten by a bug where the app developer failed to raise that flag "dear OS, I'm in the middle of presenting a ticket for optical scanning, and it would be really amazing if you could just, you know, not disturb the screen with random shit for a couple seconds."
Unfortunately for me though, the turnstile that I was about to pass to exit the train station had both an optical scanner and some NFC thing lumped into the same physical module, and every time I tried to scan my ticket, the phone would raise its NFC screen and hide the 2D matrix code.
So yes, you can have a fully charged phone and a perfectly valid ticket with the latest software and still get stuck in a train station.