
What's really disappointing is that there seems to be an all-or-nothing security model here. If I pair my phone with a computer, then suddenly it has complete access to spy on me, install monitoring tools that can continue to run, etc. Why can't there be a way where I can transfer music/photos to/from my phone without providing this full device access?

You'd be pretty annoyed if the front door to your house, when you opened it, also opened up your document safe, emptied your wallet onto the floor and invited visitors to leave bugging devices to spy on you later.

Also, the defence of "just don't agree to pair your phone with an unknown USB device" can actually be tricky. On a flight, I plugged my phone into the USB port on the seatback to charge it. The phone repeatedly kept asking if I wanted to pair it with something (who knows what it was? the entertainment system, maybe?). If I had accidentally hit the wrong button only once (on a prompt that randomly appeared), my phone could have been owned, and there's no easy way to un-pair.




This is what is worrying me the most.

Why can something even repeatedly ask for permission? (My iPhone was asking me every 5 seconds the other day due to a faulty cable.) Even if there's a reason for that, why isn't there a "don't ask again" button?

Why doesn't such a thing need a pin code or iCloud password entry?

Why aren't services like file_relay or pcap a setting deep inside the Advanced section of Settings.app that requires password entry on enabling and features a warning message?

These things are advanced features. Few use them, why not make it a little more difficult?

Why can't I opt out of Apple's access to my files? Sure, I can say "No" when they ask at the store, but I could say no as well in the Settings app.

It's easier to enable packet capture than complete the Provisioning Profile process when releasing an app update to App Store.

These are the things Apple should be answering instead of the vague support note entry they published today.


I think my iPhone was repeatedly asking about it for similar reasons to yours, as the connector is worn and it can take several plug attempts to make it even charge. However, a malicious USB socket could cause repeated prompts by just briefly dropping the power from time to time to trigger it. (n.b. I'm sure my experience wasn't a sinister attack on my phone, just stating that this is possible to do)

The "Don't ask again" is a little tricky - is there enough information present for the phone to tell if it is plugged into the same or different computer?

A better UI would be for the phone to always default to not pairing. No popup choice would be shown at all. After all, how often do you need to pair to a new computer?


"Why doesn't such a thing need a pin code or iCloud password entry?"

It does - any passcode/fingerprint locked device needs to be unlocked before granting trust.

I would like a 'don't ask again' option though...


There are USB condoms built exactly for the scenario you describe.

http://int3.cc/products/usbcondoms


It partially matches what he's talking about, but it's still a trinary choice.

1> Don't tether

2> Get only power

3> Give away the keys to the castle


FYI it's "ternary".


Thanks!


2> Get only power

Not really. The USB charging protocol requires data pins for chargers to communicate with the device about how much current it can draw. Suppose the data pins are left open, a compliant device can only draw <100mA, which is not even enough power to keep the device from draining battery. Even if the data pins are shorted, I don't think it works with most Apple devices, which use a different non-standard protocol.


That's an amazing name.


I think the name may have been coined in this HN thread: https://news.ycombinator.com/item?id=6146279 around August 2nd, 2013.

Google shows some uses beforehand [1], but Wayback Machine does not corroborate. I think Google is using the self-reported page date and pages dynamically update with "latest news" content.

[1] http://int3.cc/collections/all


This problem is solved pretty easily:

1> Buy a shit Nokia, use the 2 pin charger. TBH if it goes flat it won't charge off USB anyway. Then use a microSD for transferring music/photos.

2> Buy an Android handset with USB OTG. Transfer files on and off via a USB stick that you control. Charge it with a USB cable with the data pins shorted (you can buy these off Amazon).

Both of these ignore the main attack vector that I'd be concerned about which is over-the-air (via GSM/packet data) and a fuck load more scary than plugging your USB thing into a dirty USB hole and getting some USB STD.


There are also solutions for iPhones: send via AirDrop, email, iMessage, iCloud share, Dropbox, copy.com, etc. AirDrop works even without an Internet connection and will work that way with Macs too.

It's not like it's 2003 again and the only way to share a picture or an album is with a cable.


How do you propose adding music to your iDevice like that?

Not all things are equal on iOS which is my point above.


iTunes syncs via wifi these days, backup is done on iCloud.

There are not that many reasons to plug a cable other than charging nowadays.



