Lost and Found

Losing your laptop or phone is one of the most devastating things that can happen. Not only is there a loss of whatever data wasn’t backed up, a loss of business continuity as you find and re-build a replacement, but there’s also the potential of loss of critical data. This is actually one area the phone is substantially better – you can carry it with you everywhere. Like I discussed before, you’re far more likely to bring your phone with you to the bathroom than act like a nut-job and bring your laptop. It’s just a fact. Even if you’re extremely good about keeping your laptop bag with you at all times, it’s just far more likely that you’ll be separated from it than from a smart phone.

But I’d be remiss in saying that a smart phone is a perfect solution. It too can and does get separated from your hands. You go through an airport, it’s out of your hands. You want to show someone a video? There it is, in someone’s hands, unlocked. I have even been told I can’t bring my cell phones into a meeting – so there it sits in some basket outside of my direct line of sight. Let’s ignore the threat of malware for this post, because that’s a different threat vector in a number of ways.

So what do you do when your cell phone is stolen to prevent bad things from happening beyond the immediate loss of the hardware? There are some pre-emptive steps you can take and some things you’ll have to do after the fact:

Let’s start with the pre-emptive steps:

  • Keeping your phone locked with a password is the first line of defense. If you can limit it to a number of failures before being wiped, that further increases your safety. If your phone is locked, the data within should be safe barring any other vulnerabilities in the phone. I really recommend a relatively short timeout (e.g. less than 5 minutes) before the screen locks, but not so short (e.g. less than two minutes) that you have to type your password/passphrase often in public, as that creates more opportunities for shoulder surfing the password/passphrase.
  • Disable Wifi on the phone when out in public. You don’t want the phone connecting to a random Wifi network and being man-in-the-middled so that content it sends over the wire is visible. Apple has made a lot of progress here by requiring that apps communicate over HTTPS, but that’s still not 100% rolled out, given that there are many apps that have circumvented this rule.
  • Disable any notifications so they aren’t readable on the locked screen, so that information isn’t leaked to whoever has the phone ahead of time. This often requires a lot of configuration of each app’s notifications.
  • Use a long passcode/passphrase instead of the short 4 digit pins or equivalent, so that brute force is significantly more difficult. I know it’s annoying, especially when you’re in a hurry, but it does provide a significant barrier to someone breaking into the phone once it’s outside of your control.

After the fact:

  • Use any/all services you have to locate the phone. Maybe your friend picked it up for you at the bar. You can attempt to call it as well. At this point it’s probably gone and you can move on to the following. One trick is to allow one of your close friends to always have access to your phone’s location. That’s a lot of trust though, and understandably comes with its own risks.
  • Remote wipe the device if you can.
  • Immediately change all passwords to all of the services you use, and ideally lock that phone out from any APIs it is authorized to use once the phone is deemed lost.
  • Disable VPN accounts, and any SSH keys you use. As an aside I don’t recommend SSH keys as the only line of defense for exactly this reason – if the machine is compromised they have instant access to the remote server. I prefer SSH keys be used to jump to bastion hosts or VPN tunnels, but then passwords be used from that point on, so that even if an attacker does get access to the bastion host, they can’t pivot into the other machines because they lack the password. Passwords are easy to brute force though, so that’s why you use them only after a key is required. It’s a bit like second factor auth in a way.
  • Assume email has been compromised and shut down the accounts immediately. This is one of the most critical steps, because email typically has a lot of passwords and PII in it. And worse yet, most of the services you use require an email for password reset. Once they have access to email they have access to everything. This means every password that exists in your email needs to be changed, and anywhere else you use that password should also be changed.
  • Assume that all apps that have access to your credit cards have been compromised – think things like Uber, and Amazon. Unfortunately this means you need to cancel your credit card immediately.
  • Assume all chat clients that you have logged into have been compromised. iMessage, SMS, Facebook, Instagram, Snapchat, Signal, Twitter, Yahoo!, MSN, IRC, Slack, Hipchat, WeChat, Skype, etc… etc… Only chat clients with ephemeral OTR are reasonably safe because they auto-delete content over time, but even still, the adversary can read recent messages and contact your contacts as you, so you’ll need to disable the account/change passwords, etc. if that’s possible.
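
For the "disable any SSH keys you use" step above, here is one way to pull the lost phone's key out of a server's authorized_keys file by its SHA256 fingerprint (the value `ssh-keygen -lf` prints and sshd logs on "Accepted publickey" lines). This is an added example, not code from the original post; the function names and the sample entries are made up for illustration.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_blob(entry):
    """Key blob of an authorized_keys entry, or None if it has none."""
    # An entry may start with options (from="...",command="..."), so find
    # the key-type token and take the next field. Assumes no option value
    # contains a bare key-type token of its own.
    fields = entry.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            return fields[i + 1]
    return None


def revoke(authorized_keys, lost_fingerprint):
    """Split authorized_keys text into (kept_text, removed_lines)."""
    kept, removed = [], []
    for line in authorized_keys.splitlines():
        entry = line.strip()
        blob = key_blob(entry) if entry and not entry.startswith("#") else None
        try:
            hit = blob is not None and fingerprint(blob) == lost_fingerprint
        except ValueError:  # malformed base64: leave the line alone
            hit = False
        (removed if hit else kept).append(line)
    return "\n".join(kept) + "\n", removed

# Constructed sample: the blobs are made-up bytes, not real keys.
PHONE = base64.b64encode(b"constructed-phone-key").decode()
LAPTOP = base64.b64encode(b"constructed-laptop-key").decode()
SAMPLE = (
    "# personal keys\n"
    f"ssh-ed25519 {LAPTOP} me@laptop\n"
    f'from="203.0.113.7",no-agent-forwarding ssh-ed25519 {PHONE} me@phone\n'
)

if __name__ == "__main__":
    print(revoke(SAMPLE, fingerprint(PHONE))[1])
```

Matching on the fingerprint rather than the trailing comment matters because the comment (`me@phone`) is free text and may be missing or wrong on some servers.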

The nice part though, is that while all that stuff sounds bad, if you follow the very first step, you may have no issues at all to worry about other than replacing the device. So in many ways the primary defense really is the best one – a good password and keeping it locked when it’s out of your sight.

Period Shortcut on iPhone

I’ve never been a big fan of cloud based applications or cloud based programming as a general rule, because I lose control over what I’m working on, it’s more difficult to use those services when I’m traveling with spotty connectivity, etc. But for the sake of moving down the path of a phone desktop replacement, it’s important to get at least vaguely comfortable with the idea that if you need to do some programming work, you’re probably not going to want to be doing that on your phone.

I’ll talk about doing dev-work on the phone itself in a bit, but for now, let’s talk about cloud solutions. Over the last week I’ve slowly gotten myself used to connecting through iSSH to remote Amazon Elastic Cloud Computing (EC2) servers to test various features, develop simple applications and general ease of use. I’ll dissect iSSH at a later date as well, but I ran into other interesting issues almost immediately.

Firstly, as I said in a previous post, I use Vi (or Vim) as an online editor fairly regularly, because it makes my life easier. However, there’s a usability feature of the iPhone that gets in the way. If you hit double space on the iPhone it creates a period. If you are in Vi, a period will do one of two things. It will either write a physical period if you are in editing mode, or it will run the previous command. Yes, whatever thing you just did, it will do it again. So if you were just editing something and you added a word, that word will get added again. Extremely frustrating.

If you’ve seen the Silicon Valley episode on spaces versus tabs, you’re probably chuckling to yourself right now, but the reason I use spaces is because terminals are often fixed-width and line wrapping is reduced when you use spaces. Anyway, without getting into a religious war, on the iPhone it can be overridden by going to Settings – Keyboard – “.” Shortcut and disabling that shortcut checkbox.

Disable “.” Shortcut

Ideally something like this would be optional and easy to enable or disable on an app by app basis when a user identifies a problem with their shortcuts. But for now, this workaround does work well, if you are okay disabling this otherwise helpful shortcut for the rest of the applications that need it.