Ho hum,
Providing an option that lets just anyone nearby see your phone and send files to it.
What could possibly go wrong?
Perverts have latched onto Apple's AirDrop as a means of pushing unsavoury content at unsuspecting commuters. Lorraine Crighton-Smith, 34, received two unsolicited pictures of an unknown man's penis on her iPhone via AirDrop as she was travelling to work on a train in south London. Crighton-Smith, who told the BBC she felt " …
How else are companies supposed to push adverts to unsuspecting iPhone owners?
Given there have already been issues (on Android for example) with the bastard fucking stupid idea of loading and processing media without user interaction, how long before someone works out a way to use this to start popping phones? Think about the recent issues with Android automatically processing media in MMS messages, it's far from impossible that something similar could be achieved with this.
What's wrong with showing a filetype icon and saying "Picture received, open?" rather than silently processing the thing to show a preview? Granted a good number of the population would click 'Yes' either way, but at least it'd make it a little harder for you to silently get pwned without noticing that something slightly strange had happened.
At a previous employer's we were the first department to have Outlook whilst everyone else had Novell. One fine day an email arrived with a pest piece of malware that just sent a message + malware to every email contact and if the recipients opened the email it would do their contacts too. So having been told that the computers needed to be sanitized one by one and not to use them, my team took the opportunity to go to the pub for the day.
Everything is good once the IT (support) crowd had finished doing their stuff and work could have resumed at 4pm except by that point we couldn't see a point in doing that. Fast forward a few months and the Intern email account is used for the first time since the outbreak, during intern season (the summer holidays) by our latest victim, sorry intern. Whereupon the emails start flooding in again as they clicked on the email and their account wasn't sanitised as someone forgot to check those accounts not logged in.
What could possibly go wrong indeed.
Quite a lot.
Having Airdrop wide open like that is equivalent to running an unsecured WiFi network. You're held responsible for the traffic that passes through it. So if someone is using your WiFi for downloading kiddie porn it's your problem to prove it wasn't you when the police come knocking. Difficult.
So if some horrible person sent kiddie porn to an open Airdrop iPhone, that phone now has illegal content on it. The owner would then either have to
1) destroy the phone immediately,
2) hand it over to the police immediately with the image intact (the right thing to do, hopefully the cops know what Airdrop is...)
3) or take a risk that their phone at some point later in time is not forensically examined and the deleted image discovered lurking in the file system somewhere.
If 3) did happen it would be a bit late to claim the image wasn't yours and had arrived unwanted through Airdrop. You'd then have that charge added to whatever else was on the rap sheet to have caused your phone to be in the hands of the cops in the first place.
OK, so that might be a low risk, but it would have a high impact on your life.
By default AirDrop is restricted to "contacts only" but this is changed to "everyone" as soon as a user accepts a message from a previously unknown contact. Munro told El Reg that Apple is not really at fault in how it set up AirDrop...
Um.. yes it is. Apple is at fault. Really. Completely. It's Apple wot dun it.
..and it's Apple wot's about to undun it as soon as Apple can get its shit together.
You're thinking of Google, not Apple. When has Apple tried to monetize pushing ads at people? Look at Apple Pay, and the way it is designed so neither Apple nor the retailer even get your name when you pay for something.
Anyway, the article says nothing about pushing ads, and I've never heard of anyone using Airdrop in this way - though I imagine a few unscrupulous retailers will read this article and have an "aha" moment.
I love how trolls try to push the faults of Apple's competition onto them. You can argue Apple's products are overpriced and are missing some features compared to the competition. You cannot however legitimately argue that Apple is selling out their users in any way even remotely close to how Google is.
Apple are one of if not the most successful company in the world at extracting value from their customer base. That is in essence what companies are there to do and no one would deny that Apple are spectacularly successful. So why shouldn't they, "We see you're standing in the Perfume Aisle, we've got a special offer on your favourite perfume today, buy 1 get 1 half price" etc... See easy to sell as a service.
This is a designed in feature that someone's naivety didn't see as a perving tool.
I am heartened to learn that flashers have adapted this technology and have embraced the concept of content delivery.
Well done that flasher!
I get annoyed when the term disaster or massacre involves the death of a few people. It seems to trivialise the whole thing and leave us no term to use when a genuine disaster comes about. Ohhh and the term hero has been much abused as well. Hmmmm, must go as I am dropping into rant mode.
I dunno. If I had someone sitting next to me and a dick pic appeared on my phone screen, I'd be more than a bit miffed that the person sitting next to me now thinks I'm surfing porn on my phone in a public place.
Violated? It may not be exactly the right word but it certainly captures the strength of feeling.
People react differently to the same thing. Apparently you all feel fine with some random bloke who's close enough to bluetooth a picture of his cock to your phone. Me, I'd be a little freaked out by that. I can imagine some people might feel violated by it.
You don't get to decide how other people feel and when you say they're wrong all you're really saying is "I don't do empathy".
Yes they do, but we also need to have a broad common standard that we agree on.
Violated is just stupid in this context. Angry, offended, frightened, upset, shocked would all be reasonable depending on personal sensibilities and the situation (lots of people around / only one other seedy looking bloke in carriage).
Violated is just tabloid-style hyperbole.
Well no, actually you've made some assumptions there that are incorrect.
It's a dick pic. Not an actual dick. It's an arrangement of pixels that represents a body part. No one is being violated, no real rules are being violated, and that's not my lack of empathy, it's my annoyance at the abuse of the English language.
If said dick was in close physical proximity, or touched you, then you can feel violated and that be a correct use of the word, since they violated your personal space and probably a few laws at that point.
34 year old.
More likely "I was terrified that the person next to me thought I was looking at porn on the train"
And of *course* there's the mention of "Think of the Children". While I'll agree that the sender needs a good swat upside the head, if our society spent less time making the human form "forbidden fruit" there would be a heck of a lot less of an issue with crap like this, as it would be less likely to cause someone distress, and it would certainly be less of a thrill to the twat doing the deed.
<queue the downvotes>
What does the victim's age have to do with this? Why do you find it so hard to accept that the incident genuinely distressed her?
In cases like this it's easy for us - men in particular - to laugh it off and say that it was only a dick pic, but that doesn't mean that the woman concerned wasn't genuinely upset by this. Maybe she was a rape victim; maybe she had been sexually abused as a child. There are lots of reasons why this could have been distressing for her. Nothing to do with moralism or bubblewrap.
Or she could be an arachnophobe and thought it was a hairy spider.
We don't base laws (save it and send it to the police) based on the wild conjectures of what-ifs, laws are for all of us and have to be carefully tailored in order to protect genuinely vulnerable people and not so broad as to criminalise general twattery.
@Alistair
At first glance you can think that, but really I can see it being quite terrifying for some, the woman was being flashed at in public, with no knowledge of who in the immediate area was doing it, but that person was close by, perhaps some pervert stalking her.
There may also be the strong probability that it is a bunch of teens having a laugh, but not something you would bet on to be safe.
As for "think of the children", while I do feel it is used a bit too much, in this case she may have a point, how would you feel if your son/daughter came back and reported the same thing happening to them in a public place? It's not that they have gone on the internet searching out a cheap thrill, it's forced on them from someone close by.
Don't know if there'd be enough time for the handshake and transferring a file, even if you optimised the hell out of the image. Plus trains are metal boxes; which isn't going to help. Probably worth trying though - Goatse-ing Apple users from London to Edinburgh is a project well worth a bit of effort.
"how would you feel if your son/daughter came back and reported the same thing happening to them in a public place?"
Why care if it is a public place? Maybe they should be outraged at the stupidity of Apple (or anyone else with similar tech) for not making it more secure?
Also we have the underlying point of giving kids a tool to access practically any information in the world, how about they give them a dumb phone and problem solved.
It doesn't matter how crap Apple's implementation of this feature is, it's up to the user to take responsibility for securing the device.
The only people at risk are those who don't secure the device.
It really is that simple, she can be as mortified as she likes that she got a random cock picture but she needs to take some responsibility for leaving the device wide open.
"It really is that simple, she can be as mortified as she likes that she got a random cock picture but she needs to TAKE responsibility for leaving the device wide open"
I left my front door unlocked and was surprised to find someone in my house, well woop de fucking doo
> I left my front door unlocked and was surprised to find someone in my house, well woop de fucking doo
That actually happened to me about three or four years ago. I came downstairs one Saturday morning to find a complete stranger had slept on my couch. He seemed a decent sort so I made him a cuppa while he waited on his missus / pal (can't quite remember which) coming to pick him up, although I tend to lock the door at nights nowadays.
Why should people need to be constantly checking their settings to be sure they are secure. It sounds like accepting one picture from an unknown contact leaves it permanently open. I'm sure whoever coded that thought it would be easier for people to not have to constantly click accept, and wasn't thinking about people using it for something like this. I'm sure it will be fixed in an upcoming iOS update, then people won't have to "take responsibility" for securing their phone against this sort of thing.
People here are getting quite hysterical. You're not going to receive strangers' AirDrop files on an iPhone unless you
- Swipe up from the bottom of the screen
- Look at the AirDrop icon, which will be saying 'Contacts Only' next to it
- Click it
- Choose the 'Everyone' option
If you choose 'Everyone' you can expect to receive AirDrop invitations from anyone who is minded to send you a file. Until such a time as you change your mind. Not exactly rocket science.
Toggling WiFi, Bluetooth, Airplane mode and Do Not Disturb are all set using the same swipe-up gesture. The current settings are super-obvious to see.
This is a lot of fluff about nothing.
RTFA:
> By default AirDrop is restricted to "contacts only" but this is changed to "everyone" as soon as a user accepts a message from a previously unknown contact. From that point on users run the risk of being sent all sorts of undesirable content by strangers.
> By default AirDrop is restricted to "contacts only" but this is changed to "everyone" as soon as a user accepts a message from a previously unknown contact. From that point on users run the risk of being sent all sorts of undesirable content by strangers.
Excuse me, but I have not been able to manage this at all so I am now wondering about the veracity of that statement.
1 - if the Airdrop setting is "contacts only", the device will simply not show up on devices not authorised for access, so it's impossible to use AirDrop in this context. If you're not in the recipient's contact list, your device will not even list the target device in the AirDrop selection box so you can't select it (it does not provide a manual entry like iMessage does).
2 - just on the off chance that "message" meant a genuine message I just sent an iMessage from a newly created iTunes account to an iPhone which was set to "contacts only" AirDrop and examined the settings afterwards. The incoming iMessage gets immediately classified as coming from an unknown source, and the "AirDrop" setting remains unchanged. This iPhone has not yet been upgraded, but I'm going to do that in the next 30 minutes or so (I always take a backup first).
This is why I like to test these things for myself.
"it's up to the user to take responsibility for securing the device."
I'm not aware of a phone OS that lets you control the security of the device. They are all basically walled gardens for letting the vendor shovel content at you or sell your privacy to advertisers.
In this case, Apple are off the hook as soon as they provide a documented and supported way for customers to root the device. Until then, Apple are the responsible party and have clearly failed in this case.
> I'm not aware of a phone OS that lets you control the security of the device. They are all basically walled gardens for letting the vendor shovel content at you or sell your privacy to advertisers.
Well, I don't know about Android, but iOS does actually have quite a few measures you can activate to tie it down, including retrospectively limiting access to phone facilities and data of already installed apps. Apple should NOT provide advice on how to root the device because that will actually kill off the screening they do of apps - very few apps with malicious content have made it through the app store screening process.
Apple does a reasonable job, but people want easy data sharing facilities, that's also why they install such crap as WhatsApp. You cannot stop people from being stupid, and frankly, advising them to root the device to make it safer is IMHO about the worst advice you can give to an end user.
AFAIK, AirDrop needs manual interaction (ahem) to change state from "Contacts only" to "Everyone". The only improvement Apple could make would be to add a timeout option on the "Everyone" setting.
it is so damn difficult to make airdrop 'safe'
you don't even have to 'log in'
Just slide up the bottom menu
select airdrop
Turn OFF (or set to contacts only; or if you are a sensitive type on the tube set it to everyone)
LIFE IS NOT BUBBLE WRAPPED
It is YOUR responsibility to understand something so mind numbingly simple to use. You DELIBERATELY open it to everyone then you are responsible for DELIBERATELY leaving it that way. It is not rocket science; it's even easier than 10 + 10 = 100
You don't buy an Apple device and then do personal responsibility. People pay through the nose so that other people take care of the complicated stuff.
I know that sounds glib but that's why a lot of people buy Apple - they believe it's so tied down they can't hurt themselves.
> You don't buy an Apple device and then do personal responsibility.
Yeah, sure. I didn't pick iOS because I didn't want to become one of the 950 million people exposed to whatever Google dreams up. You know, that company whose main income is derived from grabbing any bit of personal data it can of people. The company that I do not want to give my address book to, or my email.
I chose iOS because the people behind it have better motives to keep it relatively safe. If that changes I'll ditch it, but so far it's been rather good.
> I didn't pick iOS because I didn't want to become one of the 950 million people exposed to whatever Google dreams up.
Indeed. Because an iOS device would never, ever have a remotely-exploitable code-execution vulnerability...
http://www.theregister.co.uk/2015/08/13/apple_patches/
...oops.
Also, while typically not the case with stock ROMs, but in the western world anyway, it *is* possible to have an Android device without Google Apps. Case in point: virtually all Android phones and tablets sold in that tiny country called China... I am curious whether one can pull the same off with iOS and if so, how painful (or not) such an iDevice should be.
As for the user tracking, let me tell you a little story. A device I use and love requires me to sign in before I can download anything from its app store, even if the software in question does not have to be purchased. Fortunately there is a possibility to download and install stuff page the store - except unless I disable a certain setting which is on by default, information about programs I run get sent to the mothership anyway (for verification purposes but I only have their word for that they do not use it for anything else). Oh, and some software is available ONLY through the app store. There are more such gems and while all of them (I think) can be avoided with some care, I suspect a large number of ordinary users of other devices like mine either can't be bothered or are oblivious of what goes on in there. Is it an Android phone? A Windows 10 PC? Some sort of a corporate system? Nope, it's a MacBook running OS X.
Yeah, it pretty much IS.
If you set Contacts Only and it reverts to Whole World upon you accepting something from a non contact AND allowing the device to receive AND DISPLAY without the basic "do you want to let this happen" prompt, then Apple has made such a cock-up (pun intended) of it that it just isn't funny.
Bluetooth pairing can be a pain, continual prompts can be a pain, but looking at fail such as this, it reminds me why such "hassles" are desirable. To allow me to transfer data between devices but keep your shit off my phone. Which part of that is too hard for Apple to understand?
> If you set Contacts Only and it reverts to Whole World upon you accepting something from a non contact AND allowing the device to receive AND DISPLAY without the basic "do you want to let this happen" prompt, then Apple has made such a cock-up (pun intended) of it that it just isn't funny.
Except that that isn't what is happening. Apologies for ruining a good rant, but I have been trying to make this happen for an hour now from two different accounts, and there is NO situation yet where I have found an iPhone and an iPad change the setting without due warning. There is NO way that the iPhone will change from "Contacts only" to "Everyone" without you doing this yourself, and wilfully. It just doesn't happen.
It is also not possible to send something to someone who has "Contacts only" set without being actually in that contacts list because the restricted device in question will not even show up in the selection of targets, so as far as I can tell this is a lot of hullabaloo about an event that is impossible to create - unless the iPhone in question was ALREADY set to "Everyone", and that could only be done wilfully by the user, and NOT by accident. It's simply impossible to make this happen any other way as far as I can tell.
So, the reality is that we're talking about a user complaining that everyone is walking into her house because she left the front door wide open. Well sorry, duh. You just don't do that without consequences, you cannot blame Apple for people being stupid.
can recall bluejacking
which was going to end the world a few years ago.
This. And if you made a contact with a picture and shared it, many phones showed you the picture with the name (which might be blank) and asked you if you wanted to accept it.
As I turn off WiFi and Bluetooth when leaving the house nothing like this has happened to me so I'll have to make do with Tindr which apparently is an app for making new friends.
Go back about 6 years and I was using my Sony Ericsson C501, with "Super Bluetooth Hack", on the bus to send and view data.
It really is surprising how many people accepted a connection from an unknown bluetooth device, back when bluetooth was always discoverable when turned on.
Since it had to be sent by someone within Bluetooth range, she could have jumped up waving the phone around and called out, "Who just Airdropped me this dick pic?" The man with a startled expression who dropped his iPhone would most likely have been the miscreant.
..the person who sent the pic, intended to send it to a friend as a prank and hit the wrong device? And send a second one because the friend in cause didn't make any reaction?
It happened to me around 1993, when xmessage were still left open to us play some jokes at the other students. By mistake, I did send a hardcore image to the wrong terminal, and sent it again because my colleague didn't do anything. The problem was that the receiver was a female student...
I'm not excusing the guy, just that nowadays people, because they give too much importance to certain things, they are giving it too much importance, when they should be ignored...
"By default AirDrop is restricted to "contacts only" but this is changed to "everyone" as soon as a user accepts a message from a previously unknown contact. From that point on users run the risk of being sent all sorts of undesirable content by strangers."
Sadly the specifics of the article are BS.
If AirDrop is set to 'Contacts Only' you won't see drops from people who aren't contacts. To see the willies of oddball strangers you have to manually select 'Everyone' first.
There is no mechanism that automatically switches between the two modes, and even if there were, how would you "accept a message from an unknown contact" as described if the setting forbids contact with unknown contacts?
If you read the BBC rather than the Reg clickbait version thereof:
"I had Airdrop switched on [to allow drops from anyone] because I had been using it previously to send photos to another iPhone user"
Kind of loses its impact at that point, dunnit.
Maybe my lateral thinking is off here but,
Why would you be sending pictures by bluetooth to someone not in your contact list to enable this setting in the first place? Especially given the inbuilt human nature to add everyone to your contacts (I don't subscribe to that but I've seen it enough to know it exists)
Something isn't quite right here, what could she be sending?
You take a pic & whatever reason someone in your office wants it, but you don't want any further dealings with them / give them your details, so you airdrop it, simples! But seriously the story is guff, you CAN turn off airdrop as previously said by swiping up & changing from everyone back to contacts / off, you HAVE to accept picture when sent from a random person / contact, slow news day?
A cock pic from an unknown man is taken by pretty much every woman receiving it as a message saying, "I want to rape you."
There is no such thing as "it's just a cock pic" if the man and the woman are not in a relationship. It is always a threat. It doesn't have to mean that an attack is about to come, it just says, "I can rape you."
The men who do not get this are seen by pretty much every woman as one of the men who will send cock pics to women he doesn't know.
Because it's never "just about".
To know so little about how women operate in the world and what is a threat to them is worrying. You might think that the poor dears are fraidy-cats and not willing to have a laff, but men don't grow up in a culture of constant threat. Count how many girls and women have been raped and killed this year alone, compared to boys.
> To know so little about how women operate in the world and what is a threat to them is worrying. You might think that the poor dears are fraidy-cats and not willing to have a laff, but men don't grow up in a culture of constant threat. Count how many girls and women have been raped and killed this year alone, compared to boys.
You seem to be under the impression that the rape of men isn't an issue (in terms of numbers). I'm assuming you meant men rather than boys specifically?
Taking the first hit in google (for the UK), 69,000 women and 9,000 men were raped a few years ago, _BUT_ there's a fairly pervasive theory (advanced by a woman, if that matters to you) that only 1 in 10 male-on-male rapes are reported due to the social stigma.
Female on male rape, historically, hasn't been treated with anywhere near the same severity as male-on-female, so a reasonable number of victims either don't report, or get nowhere when they do report.
If you want to try and correct 'sexist' views, feel free, but making generalisations about rape rates simply makes you look an idiot - rape is an incredibly abusive act, whoever the victim, and comparing numbers does nothing but further dehumanize the victims.
> There is no such thing as "it's just a cock pic" if the man and the woman are not in a relationship. It is always a threat. It doesn't have to mean that an attack is about to come, it just says, "I can rape you."
I think you're unfairly generalising here too. I know and have known women who would probably laugh this off just as some have been doing in the comments. I've also known blokes who would have been incredibly put out by receiving an unsolicited picture like this (whether cock or tits). People differ, simple as.
Not, mind you, that I'm saying it's ever appropriate to send something like that to someone you don't know.
> The men who do not get this are seen by pretty much every woman as one of the men who will send cock pics to women he doesn't know.
For the record, I disagree with most of the generalisations you've cast, but I'm definitely not one of the ones who'd think it was OK to send pics like that.
And what will Plod do? Compare it to their database of dicks? They are database crazy.
Then Mad May, that crazy woman in the Home Office, will require that all male children, and immigrants - of course, submit their dicks for printing to be held ad infinitum until the EU privacy court gets to rule it illegal.
Best thing for recipients to do is just have a laugh, mutter aloud 'How Small' and delete the thing.