
Introducing Netflix Stethoscope - dustinmoris
http://techblog.netflix.com/2017/02/introducing-netflix-stethoscope.html
======
darklajid
So, 'jailed' is a reason to mark it as 'requires attention'? Well played, well
played..

Honestly, I won't run a non-rooted device (although I admit that the current
way to root a device is questionable in parts). But here's a real, honest
question: Why would services stop working because of root access?

Why can't Android Pay work on a rooted device. Samsung's crappy equivalent (I
use neither, but I think those are often considered examples for 'stops
working if rooted' issues)?

I also own my credit card. Just like my mobile. What is the danger that these
services try to protect against, why is root a problem in these cases?

~~~
kiallmacinnes
As another reply to your post says, paraphrased, allowing applications to
escalate privileges is absolutely less secure than not allowing applications
to escalate privileges.

This really has nothing to do with services not working because root is
enabled, instead it has everything to do with companies (Netflix in this case,
or Google for Android Pay in your example) preventing widespread theft of
employee/customer data.

Even the most cautious users can accidentally click "allow" by mistake. Here's
an example of how that might happen:

Build an app that some user wants - maybe a game. Make the user click a
"Start" button to play. Time how long between presenting the button and
receiving the click, after a few rounds of this, wait a fraction of a second
less than the average time and trigger the sudo call which in turn usually
triggers an allow/deny popup.

Did it register with you in time, or did you click allow? Did you even notice
it if the game starts anyway? Probably not! Netflix just gave an attacker an
entry point, and Google just lost the confidence of their banking partners,
who are likely looking for any excuse to avoid working with Google (and Apple
etc) anyway.

A good IT department has to protect the company from risks like this, and
nothing the company requires you to do will require root (There are obviously
exceptions, but the number of employees worldwide who fit this bill, outside
of phone OS development, is likely less than a 5 or 6 figure number).

If you need root for personal tasks, and the company isn't happy with root,
then they are entirely within their right to deny that device access to
company systems.

~~~
darklajid
Listen, I'm with you. Root is special and granting root to ~stuff~ should be
something you don't do on a whim.

That said: I question that services should stop working if I have the ability
to grant root. Reasons:

1) Maybe I know what I'm doing (honestly .. I consider myself capable and
still have cringe while writing this)

2) Your software isn't immediately compromised in its core functionality if
_I_ own my _own_ device.

For Netflix, this feels like another failed attempt to close the analog hole.
Android Pay and whatever else might try to be your wallet (I'm a huge fan, as
you might notice in this thread) should be able to withstand that. Otherwise
it's just a crappy payment system.

I can pay stuff from my PC (various operating systems) and I do have root (or
the equivalent permissions). I also own - as I stated in my original post - a
CC that allows me to spend money freely. I don't know how hard it would be to
copy it physically, but you'd be able to strip the core details (name, number,
CSC) in a couple seconds/with two pictures.

Why is the CC secure, but a rooted phone isn't. Ignore Netflix, they're brain-
dead and content related DRM isn't what I'm going for. I'm asking why random
legitimate services refuse to work on a phone, because .. the owner actually
seems to own the device?

~~~
kiallmacinnes
> 1) Maybe I know what I'm doing (honestly .. I consider myself capable and
> still have cringe while writing this)

My example kinda covers this, phones really are getting faster... It's no
longer a case of "I know what I'm doing" when it now comes down to human
recognition and reaction time. In other words, you clicked allow before your
brain had time to stop you. How do you prevent this?

> 2) Your software isn't immediately compromised in its core functionality if
> _I_ own my _own_ device.

100% agreed. For the Google Pay example, fair enough. It's your credit cards,
and it's harder to come up with a counter point.. For the OP / Netflix example,
it's not your data, and likely not your device - or - by connecting to company
services, you've basically agreed it's not yours (This could be a whole
sidetrack on its own! :))

> Android Pay and whatever else might try to be your wallet (I'm a huge fan,
> as you might notice in this thread) should be able to withstand that.
> Otherwise it's just a crappy payment system.

Credit card companies are generally responsible for theft of money where you
remained in possession of your card at all times. Sure, they really hate
admitting it, and gathering the proof is hard, many times impossible. But that
doesn't change the responsible party when the proof is found.. Given this,
it's easier for them to accept less secure alternatives (e.g. the US's
reliance on signatures).

The rise of NFC credit cards has changed this somewhat, if a credit card hands
out all the details needed to make a purchase to anyone who bumps into you on
the street, possession is now not the only factor, and banks have built
safeguards around this (e.g. max transaction size, max NFC transactions before
being required to enter your PIN).

Google with Android Pay must prevent that same bump on the street from
stealing their customers money. The cell phone payment version of this comes
in the form of other apps on the device, hackers breaking into the phone
remotely, etc. With a rooted device, or a device using unknown firmware[1],
all bets are off.

> I can pay stuff from my PC (various operating systems) and I do have root
> (or the equivalent permissions).

And this is a security hole, granted it's one I wouldn't want to see shut down,
but it's still a security hole. I don't have any good answers here, but I do
look forward to seeing a solution that works while letting me keep root access
on my Linux box!

> Why is the CC secure, but a rooted phone isn't.

I think I've mostly covered this, but you're looking at two totally
different landscapes. They just can't be compared in the same way.

> Ignore Netflix, they're brain-dead and content related DRM isn't what I'm
> going for.

While I'm no DRM fan, this entire article is about Netflix's corporate
employee device security, it's nothing to do with DRM or content..

[1]: Unknown firmware in this case means firmware Google doesn't trust -
unrooted AOSP built from an unknown manufacturer can't be trusted any more than
rooted firmware from Google itself.

~~~
Dylan16807
I don't see how protection from hostile NFC and protection from rogue
applications are related. You want both, ideally, but the increased difficulty
of solving problem 1 on a phone vs. desktop does not make it harder to solve
problem 2 on a phone vs. desktop. So I think you're wrong to say that it's
"two totally different landscapes".

~~~
kiallmacinnes
Ah, I was suggesting that comparing "I have a CC in my wallet and can do
stupid things with it" to "I have a CC on my phone now others (hackers, bad
apps) can do evil things with it" are two totally different things.

I was drawing parallels between hostile NFC readers and hostile apps/hackers
:)

~~~
Dylan16807
But the more important comparison in those posts is not CC in wallet. It's
that CC on desktop computer has no restrictions.

"hackers/hostile apps can do evil things on desktop" is nearly identical to
"hackers/hostile apps can do evil things on phone"

So while in a vacuum you could argue that you need to protect against hostile
apps the same way you protect against hostile NFC, it's a weak comparison.
While the treatment of hostile apps on your heavier home computing device is a
super strong comparison.

~~~
kiallmacinnes
I'm not sure I agree it's a weak comparison, mostly because I think we've made
a whole bunch of bad decisions in how we handle things on a PC.. The PC was
born in a different era to the smartphone, and it's treated as such.

Example: CVV numbers, these are needed for "Card not present" transactions and
must not be saved (e.g. no browser will save them). Using your phone for an
NFC payment on the other hand does not need this number.

Yes, this is a tiny detail. But this detail entirely changes the share of
responsibility between the consumer/merchant/payment processor/bank.. This is
usually reflected in the different fees that are charged for different types
of transactions, card swipe vs card not present vs Chip+PIN vs NFC.

Assuming that just because a CC number + errata stored on a PC can be stolen
and abused, that the banks etc should just let me do that on e.g. Android Pay
is just wrong..

Nobody is stopping you from creating a text file on your phone with the card
and CVV numbers, but don't expect to be able to use that text file as a NFC
payment method!

Edit: in case I wasn't clear (I know I wasn't, because I kinda forgot to say
it ;)), once your phone is untrusted - as in untrusted by the bank etc -
everything stored on it may as well be that plain text file as far as they are
concerned.

------
memco
If anyone from Netflix reads this can you fix pinch to zoom on iOS on your
blog please? I kept trying to read the article, but the text is small and
every time I tried to make it bigger the swipe to navigate articles gesture
was triggered. Not very accessibility friendly.

~~~
shshhdhs
Same here. Only way I could read this on mobile was using iOS Safari's text
formatter thing that shows up in the URL bar.

------
madethemcry
This is related to employees only right? I would have thought a large company
like Netflix is using something like G Suite and therefore can just use Google
Apps Device Policy to simply enforce the best security settings (6 digit code,
software updates and so on) on Android devices. And I bet there is something
comparable for iOS devices isn't it?

[https://play.google.com/store/apps/details?id=com.google.and...](https://play.google.com/store/apps/details?id=com.google.android.apps.enterprise.dmagent&hl=en)

~~~
JoBrad
While this is related to employees, it seems to be focused on other devices
which are not under any group/device policy.

> By providing personalized, actionable information–and not relying on
> automatic enforcement–Stethoscope respects people's time, attention, and
> autonomy, while improving our company’s security outcomes.

------
kiallmacinnes
I have to admit, the screenshot they picked seems like a really bad example :)

Most Android devices can't just be updated to the latest version, which is
counter to the proposed goal of being user actionable.. Won't this particular
check just result in alert fatigue? Once any single alert comes in that the
user has no control over, they HAVE to ignore it, and once they ignore one,
it's easier to choose to ignore more..

------
rsmets
There was a startup that addressed this issue of personal devices potentially
leaking personal or business sensitive information. The idea was the device is
protected all the time, not just while on the office network.

They were Mojave Networks but looks like their website is no more. Acquired by
Sophos... I guess they're called Cloud Web Gateway now. See links.

[https://www.crunchbase.com/organization/mojave-networks](https://www.crunchbase.com/organization/mojave-networks)
[https://www.sophos.com/en-us/press-office/press-releases/201...](https://www.sophos.com/en-us/press-office/press-releases/2014/10/sophos-acquisition-of-mojave-networks.aspx)
[https://www.sophos.com/en-us/products/cloud-web-gateway.aspx](https://www.sophos.com/en-us/products/cloud-web-gateway.aspx)

~~~
davidu
Mojave was a great idea. I've tried and failed to recruit the founder and
engineering leader for Mojave at least three times. :-)

------
crudbug
How do you detect whether a device is Jailbroken/rooted ?

[Edit] : Found this -
[https://github.com/scottyab/rootbeer](https://github.com/scottyab/rootbeer)

I think this will be useful for applications that want to know if the
execution environment is safe or not - Banking / Payments etc.

~~~
problems
You can try lots of things, detecting su binaries, UI applications,
checksumming the entire filesystem, etc. But ultimately if the user doesn't
want you to know, you won't know.

Rooting or jail breaking your device is taking control of your device into
your own hands, if you use something like Magisk, you can fully bypass root
detection, even via the nastiest methods on Android.

Detecting it as a security problem is moronic. In fact, I'd argue it's
actually a security improvement due to things like XPrivacy.

~~~
Godel_unicode
> Detecting it as a security problem is moronic

That's an interesting stance, you don't care about rootkits? What about
malware, which has been found in the wild, which abuses root privileges to
steal account information? That malware is extremely difficult to detect
directly.

~~~
problems
On Android, the standard root system most people apply to their device prompts
you when you launch an application if you want to allow it root access. This
makes it trivial to block malicious applications - that new game you
downloaded probably doesn't need root for any good reason. Just hit deny. The
sandbox is still fully in place, just now you can poke holes in it for certain
applications of your choosing.

What you're thinking of are things which use exploits to gain root - this may
be done by some users, but most often Android devices are rooted via
bootloader unlocking these days, which does _not_ use an exploit.

Exploits however are used by malware - and not having your device rooted won't
prevent them. They gain root via exploitation, whether you want them to or
not.

Not to mention that the kind of root detection done is by looking for things
that only the legitimate sort of root leaves behind, like a su binary which
prompts the user if they want to permit root or not.

Often times, rooting your device legitimately may allow you to flash a custom
ROM and get updates that your original vendor hasn't released for your device,
allowing you to actually _prevent_ exploitation by malware, even after your
vendor has long abandoned the device.

~~~
Godel_unicode
My experience has been that Android malware authors tend to be kind of sloppy,
and frequently leave a modified su binary hanging around. YMMV.

~~~
problems
In the same place that you'd install it as a user?

That'd be some very stupid malware - anyone who was actually rooted would
notice immediately when their root tool told them their support binary needs
to be updated.
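
The artifact checks this subthread describes (a leftover su binary, a root-manager app) plus the untrusted-firmware point from kiallmacinnes's footnote, as an added example that is not part of the thread and is not Stethoscope's or RootBeer's code. The `DeviceSnapshot` record, its `rooted` ground-truth flag and the sample fleet are constructed for illustration; the su paths and package names are commonly seen values, not an exhaustive list.

```python
from dataclasses import dataclass

# Locations where a user-installed su binary is commonly found.
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su")

# Package names of widely used root-management apps.
ROOT_MANAGER_PACKAGES = frozenset({
    "eu.chainfire.supersu",
    "com.koushikdutta.superuser",
    "com.noshufou.android.su",
    "com.topjohnwu.magisk",
})


@dataclass(frozen=True)
class DeviceSnapshot:
    """Hypothetical inventory record, as a device-management agent might report it."""
    name: str
    rooted: bool                      # constructed ground truth; a real checker never sees this
    files: frozenset = frozenset()    # paths the agent observed on the device
    packages: frozenset = frozenset() # installed package names
    build_tags: str = "release-keys"  # value of ro.build.tags


def root_indicators(snap):
    """Return human-readable findings; an empty list means no known artifact was seen."""
    findings = [f"su binary present: {p}" for p in SU_PATHS if p in snap.files]
    findings += [f"root manager installed: {pkg}"
                 for pkg in sorted(ROOT_MANAGER_PACKAGES & snap.packages)]
    if "test-keys" in snap.build_tags.split(","):
        findings.append("build signed with test-keys (firmware not vendor-signed)")
    return findings


def evaluate(fleet):
    """Compare findings with ground truth; return (flagged, missed) device names."""
    flagged, missed = [], []
    for snap in fleet:
        if root_indicators(snap):
            flagged.append(snap.name)
        elif snap.rooted:
            # Rooted, but nothing the checker looks for is visible to it.
            missed.append(snap.name)
    return flagged, missed


# Constructed sample fleet.
FLEET = [
    DeviceSnapshot("stock-phone", rooted=False),
    DeviceSnapshot("rooted-visible", rooted=True,
                   files=frozenset({"/system/xbin/su"}),
                   packages=frozenset({"eu.chainfire.supersu"})),
    DeviceSnapshot("custom-rom", rooted=False, build_tags="test-keys"),
    DeviceSnapshot("rooted-hidden", rooted=True),  # artifacts not visible to the agent
]

if __name__ == "__main__":
    flagged, missed = evaluate(FLEET)
    for snap in FLEET:
        print(snap.name, root_indicators(snap) or "no indicators")
    print("flagged:", flagged)
    print("missed :", missed)
```

An empty result only means no known artifact was observed, so a dashboard built on checks like these should report "no indicators found" rather than "not rooted".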

------
dguido
Really glad they're thinking about osquery support in the future. Of the data
sources they support, osquery would be the most functional free and open-
source one which might help get Stethoscope more widely deployed.

------
TheAceOfHearts
My current policy is to keep work and personal devices completely separate.
Call if you need me urgently, otherwise it can wait until the next work day.

I used to have my work email and Slack on my phone. Eventually we started to
implement stricter security, which I found disagreeable, so I purged
everything work-related.

------
verandaguy
The page is down for me as of 13:20 EST.

Cached version:

    http://webcache.googleusercontent.com/search?q=cache:xcxywckCegkJ:techblog.netflix.com/2017/02/introducing-netflix-stethoscope.html+&cd=1&hl=en&ct=clnk&gl=us

~~~
fred256
Are you trying https instead of http? It's only hosted on http (because they
use Google Blogger with a custom domain name)

~~~
kissickas
I had the same problem, and it does indeed seem to be caused by the extension HTTPS
Everywhere that I imagine a lot of HNers use.

~~~
ars
I'm not using the extension, it is the remote server that is redirecting to
https, not the local browser.

------
bbarn
Is there a place one can actually use this tool? My daughter uses my account,
and I'd actually like to see the results of her setup.

~~~
Zaheer
I believe this is tailored towards employees rather than end-users

------
vosper
> Stethoscope is powered by a Python backend and a React front end. The web
> application doesn’t have its own data store, but directly queries various
> data sources for device information, then merges that data for display.

I thought the "various data sources" scenario was exactly what Falcor was for
- interesting that they used React.

~~~
bauerd
React is a UI library and Falcor is a library for data fetching. They solve
different problems

~~~
vosper
Yes, you're totally right, I should have remembered that.

------
finid
_We also want people to be comfortable making these changes themselves, on
their own time, without having to go to the help desk._

The part of that that I don't agree with, is "on their own time". What if the
change that needs to be made is an urgent security fix?

~~~
the_duke
It means that you don't have to bother with IT if you want to install an App,
for example.

Many company provided phones are locked down completely, you can't install or
upgrade anything yourself.

------
Fiahil
That logo reminded me of those rubber toys for babies :
[http://www.sophielagirafe.fr/en/](http://www.sophielagirafe.fr/en/)

This is so close, it has to be intentional !

~~~
nkg
Sophie never had that creepy smile!

------
secfirstmd
Very interesting tool. Tried to build something like this awhile ago but it
became a bit messy. Glad to see Netflix have done it. I can see myself using
this for a number of groups we work with.

------
mtw
Isn't Netflix motivated to see if you changed your network (such as using a
VPN)? I don't see why this wouldn't call home and report you

------
pirocks
Is anybody else using firefox having crashes caused by this webpage?

------
amalag
How would this protect against phishing?

~~~
jedberg
It's not super clear from the writeup, but a big part of it is providing
security notifications to users. So when a backend system detects what looks
like a suspicious account access, it can notify the user and ask them to
confirm their action. If they say, "I didn't do this" then their account can
be immediately locked down until the issue is resolved by talking to a person.

------
BucketSort
"Give us data."

------
JimRoepcke
Wow that site hijacks the edge swipe to go to another blog post instead of
letting the browser go back. Gross.

~~~
traek
That's because it is, for some reason, hosted on Blogger (which even Google
themselves have abandoned for their corporate blog).

~~~
scrollaway
I'll be glad to see Blogger die. Such terrible UX.

Still today, its editing interface is awful and reminiscent of the early 2000s
WYSIWYG editors.

Still today, some Blogger blogs I visit (including one of my own old ones)
simply DO NOT LOAD, they are stuck at an infinite loading Javascript spinner.

Even still today, it insists on serving me _all its content_ in the language
of the country I'm currently visiting, even though I have my language set to
en-us in my Google account _and_ on my browser _and_ I consistently change its
language settings back to English.

~~~
nacs
Their new entirely-JS based layout only happened after Google bought them.

Before that, Blogger's sites were completely degradable and perfectly
functional without Javascript enabled. Then Google decided to remake all the
templates to be fully JS driven and added a ton of page weight to the site.

------
zump
Lol looks like some bootstrap CRUD crap. People are getting 375k for this?

------
zobzu
not installing corporate spyware on my personal phone thx bai

------
phjesusthatguy3
>7 admirer married

>7 admires sidearm

"That's an awful purty wife you got there; shame if something happened to you"

~~~
ghubbard
This was probably supposed to be a comment on the Anagram article:
[https://news.ycombinator.com/item?id=13696196](https://news.ycombinator.com/item?id=13696196)

------
ams6110
I deleted Netflix from my phone when the latest update demanded access to my
media files and photos, microphone, and call information.

~~~
endorphone
It doesn't demand it, and in fact those are just basic defaults when using the
new permission model/build APIs, though they default to off. In my 7.1.1
permissions Netflix lists those three, and none of them are granted nor have
they ever been requested by the app.

~~~
ams6110
They were presented when I tried to install the latest update, and there was
no option other than "Accept".

They don't need that stuff so I deleted the app.

~~~
camiller
You are not on Android 7 yet. Prior to "Nougat" the fine grain permissions
control was not available so permissions were an all or nothing thing at
install time. Starting with version 7 you only enable a specific permission
the first time the application needs it. And you can change them later if you
wish on the permissions section of the application in app manager.

[https://goo.gl/photos/2rvYmX6WNgGVfEsJ7](https://goo.gl/photos/2rvYmX6WNgGVfEsJ7)

~~~
Stratoscope
You're off by one version: it was Android 6 (Marshmallow) that introduced the
fine grained permissions.

~~~
camiller
I stand corrected.

------
Y_Y
"As we say in the Netflix Culture Deck, responsible people thrive on freedom,
and are worthy of freedom."

But you arbitrarily can't watch stuff in Incognito Mode?

~~~
flying_kangaroo
Can't have people watching two streams on the same computer. Common sense or
something.

------
ebarock
Interesting. Trying to find some sort of correlation between this and the core
business of Netflix. Not sure they relate with each other. What does that
mean? Netflix devs are "tired" hehe. :)

------
always_good
Aside, I've been looking into writing some basic browser extensions for
Netflix, like allowing a hotkey to toggle between English <-> Spanish
subtitles so I could quickly lookup words I don't know. Or increase playback
to 1.25x speed since I primarily use Netflix for language learning.

But I've been having a hard time figuring it out. Inspect the playback bar to
see what I'm talking about. Anyone have any luck extending the playback UI or
hooking into it?

~~~
BrandonMarc
How do you use Netflix for language learning? I'm curious.

~~~
lorenzhs
It helps a lot with understanding spoken language in a variety of settings,
pronunciation, idioms, and all the other little things that make language
appear natural. Watching movies and TV shows in a foreign language that you
already know somewhat but aren't comfortable with yet is tremendously helpful,
and it's also fun. Great way to help become fluent.

~~~
stordoff
Even if you barely know the language, I've found it beneficial to listen to
foreign language audio with subtitles (YMMV). It means that when I actually try
to learn parts of the language, I already have somewhat of a feel for it, so
what I'm learning solidifies into something usable more quickly, and I don't
spend as much time stumbling with pronunciations/verb conjugations etc.

~~~
always_good
My problem with foreign audio + English subtitles (if that's what you meant)
is that my brain just reads the subtitles and tunes out the audio for the most
part.

I think anything is better than nothing, though. I personally watch
movies/shows now always with foreign subtitles.

~~~
lorenzhs
I hate subtitles that aren't in the same language as the audio, that's just
incredibly confusing. Having both in the foreign language requires a higher
level of proficiency, sure, but I find it a lot more rewarding.

------
huangc10
Although the focus is mainly on the Stethoscope security feature and what it
has to offer, does anyone else find the giraffe with the stethoscope a bit
odd, creepy and out of place?

I think they were going for a "friendly" approach but it just doesn't do it
for me. Now, you may argue that the logo isn't important but some users will
utilize a tool purely based on aesthetics...why a creepy giraffe? Am I missing
something in American pop culture..? (I'm Canadian...)

~~~
hbhakhra
[https://en.m.wikipedia.org/wiki/Uncanny_valley](https://en.m.wikipedia.org/wiki/Uncanny_valley)

This explains some of what you are describing

~~~
huangc10
Thanks for the link! I've actually never thought about this concept and it
actually does describe a bit the way I feel about the giraffe.

The designer did a great job drawing it...but something just doesn't feel
right...

~~~
danudey
The giraffe feels like it's asking you to lie down on the table and relax, in
the same way that Hannibal Lecter might.

------
andrepd
Wow. "Jailed" is a compliment, now. You shouldn't own your devices, it's a
security risk. Please keep your phones nice and safe and locked-down in our
hands.

Totally backwards. As Mr Trump would put it, SAD!

~~~
bholzer
This is focused toward companies to ensure employee security. It's no secret
that jailbroken phones are less secure, and if an employer is giving phones to
employees for work use, it's perfectly reasonable for them to enforce a rule
that phones are not jailbroken or out of date.

~~~
problems
> It's no secret that jailbroken phones are less secure

There is no evidence that jailbroken or rooted users have resulted in any
significant compromises.

At least in the Android world, you must still approve any application which
wants root access and rooting your phone allows you to gain access to some
pretty impressive security tools you otherwise wouldn't have available to you.
Generally speaking, users who are rooted or jailbroken are sophisticated
enough to handle this on their own - and often use it to improve their
security, not damage it.

