Can you explain this point please. I've not heard it used in this context before.
> "Quick and reliable disclosure of and turn around on vulnerabilities"
Sadly there's only a very loose correlation between the popularity of a product and the corporation's ability or willingness to disclose vulnerabilities or release patches in good time, or even to patch them at all (in the worst cases).
An apt example of this is how poor many OEMs are at pushing Android updates to popular tablets and smartphones. However I do appreciate you specified iOS and Apple are generally better at supporting older devices than many Android OEMs. But I'm replying to the "herd" point more generally.
> Can you explain this point please. I've not heard it
> used in this context before.
What I was poorly trying to explain was my feeling that there's sufficiently little data flowing through Tor, and probably sufficiently interesting data in there, that my guess is it's seen a lot of scrutiny for all sorts of attacks, and there's a real possibility nodes are storing traffic for future decryption when vulnerabilities are shown. I try and lock almost all of my data down to HTTPS over a VPN (F-Secure's Freedome), which my gut feeling is probably a lot less exciting.
In the same vein, a device that's meant purely for TOPSECKRITDATA?! and has a small install base feels like a much bigger target as I'm signalling I have something I am explicitly trying to hide.
>> "Quick and reliable disclosure of and turn around on
>> vulnerabilities"
> I do appreciate you specified iOS
Yeah, I probably didn't express this very well. But I do trust Apple to take it seriously, and I don't think I could take seriously the idea of running an Android device these days from a security and privacy perspective, which is sad.
Thank you for the explanation. Your signaling argument sounds an awful lot like security through obscurity[1], which I do read a lot and sympathise with to an extent, but unfortunately it can also be easily debunked.
Pragmatically, security needs to match the circumstances in order to get a fair balance between usability and security. For most people, hiding inside the noise is "good enough". However the issue arises if any one person gets the limelight thrust upon them for whatever reason. And we've seen examples of this with the phone hacking scandals in the UK and how some journalists also search social media accounts of previously unknown individuals who might hit the headlines. In situations like this, you can no longer hide your signal amongst the noise of the internet as you're not being specifically targeted.
So I guess the point I'm trying to make is the signaling argument only works because the odds are in your favour. But like with any game of chance, there's always the slim chance that you might be unlucky.
At least with stronger levels of security, your comms might be more visible in some circumstances, but at least very little can be ascertained from those comms. Generally speaking of course. However going back to your VPN vs Tor argument specifically, I do agree with you that the security benefits of Tor are largely overstated, so it's not something I use personally myself either.
> Pragmatically, security needs to match the circumstances
> in order to get a fair balance between usability and
> security. For most people, hiding inside the noise is
> "good enough".
I'd say it is different. This "herd security" business only matters if your adversary is the NSA. In which case you will need a complex security strategy that goes way beyond just picking OS.
If on the other hand you just want devices that behave reasonably, then you should select your devices based on their behaviour.