On 09/23/2013 04:54 PM, Jonas Sicking wrote:
> On Mon, Sep 23, 2013 at 4:28 PM, Jim Blandy <[email protected]> wrote:
>> I don't even think we should *require* users to wipe sensitive data to
>> enable debugging. We should *offer* to do so, but forcing it seems like
>> building in the assumption that users who are choosing to develop can't
>> consider the consequences of that choice. Is that the way we want to treat
>> people?
> I'm not sure what you mean here. If we assume that most users won't
> ever turn on debugging, and we assume that the attacker might turn on
> debugging, then what is the purpose of asking about wiping the phone
> at the time of turning on debugging?

There are two separate situations under discussion where wipes might be valuable:

a) Folks have suggested requiring a wipe when turning on debugging. A thief interested in personal data would simply leave debugging off, and use the apps as the owner would. For this deterrent to work, the wipe must be an inescapable consequence of turning on debugging.

b) If I were going to try some wild experiment on my phone, then I might well want to depersonalize it first. For this use case, a voluntary wipe is fine, and needn't be tied to debugging at all.

> The only thing in that direction I could see doing would be to ask at
> the initial phone boot if the user wants to enable security features
> like "wipe on debug turn-on". But I doubt that we'll be ok with adding
> UI during the first-time-run specifically about developer features.

Yeah, I don't think adding first-time-run UI for this makes sense. We need to stay out of people's way.

_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
