|
Ron Amadeo over at Ars posted a piece on Android and security: http://arstechnica.com/gadgets/2015/08/waiting-for-androids-inevitable-security-armageddon/ Tl;Dr: Android is hosed from a security perspective because of the sacrifices Google made to gain market share, and its not likely to get any better until something catastrophic happens.
|
#
?
Aug 7, 2015 05:20
|
|
|
|
| # ? May 27, 2024 07:39 |
|
|
IuniusBrutus posted:Ron Amadeo over at Ars posted a piece on Android and security: All of this has been apparent for years. I like Amadeo quite a bit so this is no slight against him, but let's face it anyone using Android thinking they're on a secure platform is either completely ignorant or profoundly stupid. If you care at all about security you're going to use iOS and that's been true the whole time.
|
|
#
?
Aug 7, 2015 05:40
|
|
|
The solution exists and it's Motorola that has lit the fuse. Single SKU, every carrier, sold direct from manufacturer. You don't poo poo out 12,000 variants of the same device to satisfy every edge case of marketshare and you remove the corrosive carrier influence and suddenly this becomes a lot more tenable. At the same time though, I don't know if I can buy into the doom and gloom. People buy insecure crappy products all the time. You think that $20 router you bought at walmart has every vulnerability patched? What about your cut rate smart TV? As the (ugh) "internet of things" pervades everything, cell phones are going to seem like an EASY thing to protect. At least with these platforms you CAN install supplemental apps to mitigate issues and you can have protection from the network on some vectors. Good luck doing that with your car's infotainment system. Hell, while we can point as iOS as the model here, the sad reality is, people aren't forced to upgrade or apply patches. The iPhone 4s is 9% of the iOS market and only 70% of users are on 8.x iPhone 5, 9% of market, only 80% of people on latest iPhone 5s, 17% of market, only 85% on latest. iPhone 5c, 9% of market, 81% on latest None of these have breakdowns on patch level so it's possible that even fewer are fully patched. The situation isn't as dire as Android obviously, but it still points to a trend. Microsoft took a lot of flack for basically forcing updates on Windows 10 for general consumers, but it's increasingly obvious that a forced approach needs to be the ultimate evolution if security is going to be ensured. There just needs to be a greater conversation about security and awareness in general. In the end, it's on us. The consumers have to demand better and they can't be complacent and ignore security, refusing to update even things that CAN be updated.
|
|
#
?
Aug 7, 2015 06:05
|
|
|
I have a hard time giving a poo poo about an author that uses the word "pwnable" unironically.
|
|
#
?
Aug 7, 2015 06:08
|
|
|
Skeematic posted:I asked a couple pages back about the g3 buy it was missed, how do you like it? I'm looking for something that's not expensive current gen to replace my note 2, and its currently 500 Canadian dollars. Worth it? I've enjoyed the phone a lot but I always either root stock so I can fine tune things, or just run full Cm so ymmv. The screen is excellent but is definitely a battery hog. Tiny bezels and good design make it a very compact device considering it's packing a 5.5" screen. Build materials are cheap but I use a thin case on mine. The camera is exceptional, even in CM12. I like having an SD card and being able to replace the battery if needed. Battery life is relatively poor on stock but has been quite good on CM. I think at this point in its life cycle the G3 may not be worth 500 Canadian moon dollars, I assume that's like $400us. At that price point you might take a look at the zenfone 2, OPO, or moto style - or wait for the new nexuses.
|
|
#
?
Aug 7, 2015 06:24
|
|
|
Syrinxx posted:The screen is excellent but is definitely a battery hog. It's really not though (excellent I mean, it definitely IS a battery hog) - it has poor brightness and contrast and brightness drops off very quickly if you look at it at an angle. It's also highly reflective even compared to other phones and with the stock software has some horrible sharpening going on that you cannot adjust.
|
|
#
?
Aug 7, 2015 06:33
|
|
|
WhyteRyce posted:Doesn't running CM result in poorer camera photo quality? That was a particular Sony phone (Z3 I think?) that put DRM on an image optimization algorithm it licensed, which CM neither legally nor ideologically could work around (although you'd best bet there's XDA patches to restore it). Could be others do that, but it's not the norm. Also it wouldn't be relevant at all on a Camera2-compliant device.
|
|
#
?
Aug 7, 2015 06:57
|
|
|
Maker Of Shoes posted:I have a hard time giving a poo poo about an author that uses the word "pwnable" unironically. So because you don't like the author over one word the information is less valid? No, obviously not. bull3964 posted:The solution exists and it's Motorola that has lit the fuse. IoT is a crap trend with the way OEMs care about security, there is no debating that. The issue is that the general public does not want to (and should not have to) be concerned as we are over issues like this. Auto update mechanisms would be nice but we already have seen issues with updates bricking devices, and OEMs don't want to have to deal with that. The obvious fix is that OEMs and developers as a whole need to become a lot less lazy about code. I don't see that happening though when the whole "lazy" approach is generally pushed by the "it costs us a lot of money to write good stuff!!!" mentality. mAlfunkti0n fucked around with this message at 13:33 on Aug 7, 2015 |
|
#
?
Aug 7, 2015 13:26
|
|
|
LastInLine posted:All of this has been apparent for years. I like Amadeo quite a bit so this is no slight against him, but let's face it anyone using Android thinking they're on a secure platform is either completely ignorant or profoundly stupid. If you care at all about security you're going to use iOS and that's been true the whole time. Totally fair - I don't mind that it isn't the most secure platform around. Most people don't, whether it comes to phones, computers, networking equipment, etc. What is troubling is that when a truly problematic exploit or flaw is discovered, it can't be patched expediently (or at all). And once of those exploits cease being theoretical and starts being used, consumers are going to care that they aren't getting some minimum level of service with regards to security updates.
|
|
#
?
Aug 7, 2015 17:08
|
|
|
mAlfunkti0n posted:So because you don't like the author over one word the information is less valid? Between that and this kind of thing happening since the dawn of the internet? Yeah. In 12 months this wont be a thing and we'll all be freaking out about Fairy Fart, the 2016 exploit that will end security! 
|
|
#
?
Aug 7, 2015 17:30
|
|
|
Maker Of Shoes posted:Between that and this kind of thing happening since the dawn of the internet? Yeah. In 12 months this wont be a thing and we'll all be freaking out about Fairy Fart, the 2016 exploit that will end security! Did you bother reading the article? I don't know how you could and take away that it is simply about a single security flaw. The majority of devices out WILL NOT get patched from this, as the author mentions there's roughly 2.6% of devices in use that will get the fix. Not to mention any future flaws found, hundreds of millions of devices with a critical security flaw that's trivial to exploit. But hey lets cover our eyes and pretend the issues don't exist because you know, there have always been issues! Why bother fixing anything? Edit : The more I sit and think about it the more it dawns on my you have no clue as to the scope of the issue. The other exploits we have seen this year such as heartbleed and shellshock can all be remedied pretty quickly because there is generally a single entity responsible for resolving the issue, then it gets pushed out and in a normal update procedure (for the OS, similar to what the article discussed) it gets patched. There IS NO way to do that with Android, tons of hands in the pot and most of them unwilling to fix anything older than a little over a year. The issue here is completely different than other security exploits because again, there IS NO patching mechanism in place except for a few handsets. mAlfunkti0n fucked around with this message at 17:44 on Aug 7, 2015 |
|
#
?
Aug 7, 2015 17:38
|
|
|
mAlfunkti0n posted:Did you bother reading the article? I don't know how you could and take away that it is simply about a single security flaw. The majority of devices out WILL NOT get patched from this, as the author mentions there's roughly 2.6% of devices in use that will get the fix. Not to mention any future flaws found, hundreds of millions of devices with a critical security flaw that's trivial to exploit. Bullshit. The exploit can be filtered at the app level and at the app store level and (for the MMS variation) at the carrier level. It isn't an epic securitypocalypse no matter how many clickbait opinion pieces get written. It would be nice if Android manufacturers would announce regular security updates independent of other updates. Hey look! Google, Samsung, and LG announced regular security updates independent of other updates!
|
|
#
?
Aug 7, 2015 17:51
|
|
|
Panic!!!!!!!!!!!!!!!  jk don't actually panic
|
|
#
?
Aug 7, 2015 17:55
|
|
|
Rastor posted:Bullshit. The exploit can be filtered at the app level and at the app store level and (for the MMS variation) at the carrier level. It isn't an epic securitypocalypse no matter how many clickbait opinion pieces get written. You're right, no need to worry at all! It isn't like this was reported to Google back in May and those mitigation efforts aren't already in place. Oh wait, but they arent' and its just now starting to be patched on some devices. But hey it's just click bait everyone move along. The fact is crap like this wouldn't get anywhere near the attention it deserves if it weren't for "click bait" pieces bringing the attention to the issue. We all know how companies love to fix vulnerabilities on their own! mAlfunkti0n fucked around with this message at 18:01 on Aug 7, 2015 |
|
#
?
Aug 7, 2015 17:59
|
|
|
mAlfunkti0n posted:Did you bother reading the article? I don't know how you could and take away that it is simply about a single security flaw. The majority of devices out WILL NOT get patched from this, as the author mentions there's roughly 2.6% of devices in use that will get the fix. Not to mention any future flaws found, hundreds of millions of devices with a critical security flaw that's trivial to exploit. I read it and it doesn't get a rise out of me. Sorry, bro. This isn't any different than going to Aunt Sally's house and seeing her XP/Vista desktop waiting on 237 updates or a flash install that hasn't been updated since 2012. Forced updates are coming one way ore another and by default people are ushered into modernish mobile hardware every 2-3 years just as the author indirectly points out. The world keeps spinning despite every new jim bob internets conference causing more sensationalist ERMERGERD YOUR BITS AND BYTES article.
|
|
#
?
Aug 7, 2015 17:59
|
|
|
Maker Of Shoes posted:I read it and it doesn't get a rise out of me. Sorry, bro. This isn't any different than going to Aunt Sally's house and seeing her XP/Vista desktop waiting on 237 updates or a flash install that hasn't been updated since 2012. Forced updates are coming one way ore another and by default people are ushered into modernish mobile hardware every 2-3 years just as the author indirectly points out. Guess you guys don't have anything to be concerned with then. Gotta love this thread.
|
|
#
?
Aug 7, 2015 18:02
|
|
|
mAlfunkti0n posted:Guess you guys don't have anything to be concerned with then. Gotta love this thread. What is your concern? What exactly is going to happen?
|
|
#
?
Aug 7, 2015 18:15
|
|
|
Rastor posted:It would be nice if Android manufacturers would announce regular security updates independent of other updates. Hey look! Google, Samsung, and LG announced regular security updates independent of other updates! mAlfunkti0n posted:Guess you guys don't have anything to be concerned with then. Gotta love this thread.
|
|
#
?
Aug 7, 2015 18:16
|
|
|
Star War Sex Parrot posted:
I guess something other than apathy, since apathy does nothing but feed mediocrity and the status quo. We hear lots of vulnerabilities talked about, and generally the reason why they don't affect people on a large scale is because they are taken seriously by at least some. It seems it will only bother the vast majority when they are caused some inconvenience in one form or another. It sucks my view seems to have been taken as the sky is falling rhetoric, I have just spent most of this year patching critical vulnerabilities in systems for a very large corporation. Without people taking security seriously you'd have a million threads here about people crying that their personal information was stolen, etc. I don't believe everything I read, but I do a lot of research and this one is a rather major flaw. Rastor posted:What is your concern? What exactly is going to happen? Ask the folks that will be glad to exploit it. Look at the countless millions of dollars wasted by stuff like the last few rounds of ransomware or the folks at the division of personnel who had their biometric data stolen. It's obvious biometric data will be used as some form of security in the future, and the fact that you know you can't get a new set of fingerprints should open peoples eyes a bit. If all this thread is here for is to discuss what phone model you're going to get then so be it. Since it's obvious it isn't a concern I won't discuss it any longer. mAlfunkti0n fucked around with this message at 18:32 on Aug 7, 2015 |
|
#
?
Aug 7, 2015 18:24
|
|
|
Maker Of Shoes posted:I read it and it doesn't get a rise out of me. Sorry, bro. This isn't any different than going to Aunt Sally's house and seeing her XP/Vista desktop waiting on 237 updates or a flash install that hasn't been updated since 2012. Forced updates are coming one way ore another and by default people are ushered into modernish mobile hardware every 2-3 years just as the author indirectly points out.
|
|
#
?
Aug 7, 2015 18:24
|
|
|
This latest vulnerability annoys me because I'm trying to get a trial of KNOX approved here at work, and my managers are going to read about these latest Android security issues and push back 
|
|
#
?
Aug 7, 2015 18:27
|
|
|
Star War Sex Parrot posted:No doubt. Consumer education is always going to be one of the biggest hurdles to proper security, and the media doesn't really do the world any favors in that respect. I can understand why Microsoft did what they did with Windows 10 updates, and it'll make for an interesting guinea pig on forced updates. iOS and Android could sort of nudge people along by dropping app compatibility, but my understanding is that Microsoft is taking the next logical step. I'm curious if most consumers even notice at all, which should be seen as a win for the policy. Most wont I'm sure but I would love love love to see some the analytics behind that after 10 has been out for awhile to see what kind of fuckery the average user does or doesn't do. Like you said, consumer education is never going to improve. Hell, it's what keeps me employed. Edit: Remember when AP's first started to become a thing and there was a solid year or two that Wifi security was off by default on the vast majority of consumer gear? Customers weren't educated to turn that stuff on and even when they were it was largely ignored. WiFi security became a thing because it was forced on them. Same way this dumb poo poo will be solved. Those were the days. 
Maker Of Shoes fucked around with this message at 18:35 on Aug 7, 2015 |
|
#
?
Aug 7, 2015 18:29
|
|
|
CLAM DOWN posted:This latest vulnerability annoys me because I'm trying to get a trial of KNOX approved here at work, and my managers are going to read about these latest Android security issues and push back
|
|
#
?
Aug 7, 2015 18:29
|
|
|
Star War Sex Parrot posted:I mean it's DEFCON week so I pity anyone who has to work in the IT sector and has to explain mass-media security stories to their bosses. Oh my god, after CanSecWest's pwn2own last year I had to spend like 2 hours with my boss calming him down.
|
|
#
?
Aug 7, 2015 18:34
|
|
|
Star War Sex Parrot posted:I mean it's DEFCON week so I pity anyone who has to work in the IT sector and has to explain mass-media security stories to their bosses. On that note about Knox, does it have any measures in place to mitigate the problem? Maker Of Shoes posted:Edit: Remember when AP's first started to become a thing and there was a solid year or two that Wifi security was off by default on the vast majority of consumer gear? Customers weren't educated to turn that stuff on and even when they were it was largely ignored. WiFi security became a thing because it was forced on them. Same way this dumb poo poo will be solved. Those were the days. I remember when War Driving was the geeky thing to do in those days. I remember watching the number of open AP's start to fall and secured start to rise. mAlfunkti0n fucked around with this message at 18:38 on Aug 7, 2015 |
|
#
?
Aug 7, 2015 18:35
|
|
|
mAlfunkti0n posted:Guess you guys don't have anything to be concerned with then. Gotta love this thread. mAlfunkti0n posted:If all this thread is here for is to discuss what phone model you're going to get then so be it. Since it's obvious it isn't a concern I won't discuss it any longer. People engaged with you, what are you even complaining about? Just because they didn't agree 100% with your take on it doesn't mean you have to take your ball and go home, haha. As far as expecting more than apathy, you should probably keep in mind that if you're some IT guy dealing with security, of course you're going to care a lot more about it than someone who just has their Android phone with photos of their dog on it and whatever 
|
|
#
?
Aug 7, 2015 18:39
|
|
|
My nexus 5 has been patched for the stagefright vulnerability and isn't affected by the certifi-gate vulnerability. Case closed.
|
|
#
?
Aug 7, 2015 18:41
|
|
|
r0ck0 posted:My nexus 5 has been patched for the stagefright vulnerability and isn't affected by the certifi-gate vulnerability. Case closed. Grats.
|
|
#
?
Aug 7, 2015 18:42
|
|
|
Not to suggest that there isn't a problem here, because there is, but that 2.6% number is definitely too low. All that is is the number of devices on 5.1 from the Android dashboard. I think it is safe to say that those phones will be updated. In addition, LG announced they're releasing a fix for their flagships back to the G2. The G2 is on 5.0.x. Sony is updating back to the z2. Samsung has announced back to the s5, but I wouldn't be surprised if they go back farther, at least to the s4, since the s4 has a lollipop build. I think a more realistic number would be around 15% of phones will be updated. That's still bad, and it is still a problem, but 15% >>> 2%, and I don't think the author does himself any favors by being hyperbolic. The point of the story would still be the same if he had used 15%. As an aside, and speaking of being hyperbolic: "Drake called [the bug] the worst in Android's history". There isn't a  big enough to capture my reaction to that. It's bad that the bug can be triggered without any user action required, but until someone shows a way to get through google's memory randomization, it's just a bug, not an attack vector. The worst reasonable thing to consider is that it will overwrite some important memory and crash. Now if his blackhat talk is him showing how to weaponize this bug, I'll have to eat my words, but I doubt he'll be able to do that.
|
|
#
?
Aug 7, 2015 18:42
|
|
|
Grumpwagon posted:As an aside, and speaking of being hyperbolic: "Drake called [the bug] the worst in Android's history". There isn't a There is so much loving hyperbole when it comes to the tech media reporting security issues. It drives me loving insane. There are so few security writers I actually will trust these days, blogs like Krebs on Security and Naked Security, etc. You said it exactly right, the point of the story would be the same without the exaggerations added. People, tech industry and normal reader, goons and redditors, all buy into the hysteria generated for adclicks and freak the gently caress out over non-issues regularly.
|
|
#
?
Aug 7, 2015 18:47
|
|
|
CLAM DOWN posted:There are so few security writers I actually will trust these days
|
|
#
?
Aug 7, 2015 18:55
|
|
|
Verizon just killed the 2 year contract and subsidized phones. Anyone who gets a new phone on Verizon that doesn't buy either a 2015 Moto X or a Nexus 6 at this point is a certified moron since you get no advantage to buying a branded phone anymore.
|
|
#
?
Aug 7, 2015 18:55
|
|
|
bull3964 posted:Verizon just killed the 2 year contract and subsidized phones. Even if you BYOD it still costs $50 to use 1GB of data on Verizon. edit: It's the same price on T-mobile and AT&T postpaid 
nimper fucked around with this message at 19:17 on Aug 7, 2015 |
|
#
?
Aug 7, 2015 19:06
|
|
|
nimper posted:Even if you BYOD it still costs $50 to use 1GB of data on Verizon. That's neither here nor there. The post wasn't about the economics of using Verizon. In many cases you don't have a choice due to coverage and what not. The point was you are completely and totally dumb for buying a branded phone on Verizon now since there is no economic advantage to doing so anymore. Buy an unbranded all carrier phone that gets updates direct from the manufacturer.
|
|
#
?
Aug 7, 2015 19:18
|
|
|
bull3964 posted:Buy an unbranded all carrier phone that gets updates direct from the manufacturer. Yeah. I'll take it one step further: Buy an unbranded all carrier phone that gets updates direct from the manufacturer and don't pay for postpaid service since you can get basically the same thing from prepaid for less.
|
|
#
?
Aug 7, 2015 19:20
|
|
|
bull3964 posted:Verizon just killed the 2 year contract and subsidized phones. First thing from my friend's mouth when I told him this was "But you can still do the monthly payments of phones, which I'm doing now. Monthly payments of phones is different than subsidized"  Also "But how long is it going to take for the Moto X to be certified to work on Verizon? As in activate a new SIM in it and the carrier understanding what the device is"
|
|
#
?
Aug 7, 2015 19:23
|
|
|
nimper posted:Buy an unbranded all carrier phone that gets updates direct from the manufacturer and don't pay for postpaid service since you can get basically the same thing from prepaid for less. A bit of a loaded statement. Point me where I can get 50mbps data access everywhere I get Verizon for less and I'll take you up on it. It doesn't exist as far as I know.
|
|
#
?
Aug 7, 2015 19:34
|
|
|
nimper posted:Even if you BYOD it still costs $50 to use 1GB of data on Verizon. edit: damnit, should have hit F5.
|
|
#
?
Aug 7, 2015 19:36
|
|
|
RVProfootballer posted:People engaged with you, what are you even complaining about? Just because they didn't agree 100% with your take on it doesn't mean you have to take your ball and go home, haha. As far as expecting more than apathy, you should probably keep in mind that if you're some IT guy dealing with security, of course you're going to care a lot more about it than someone who just has their Android phone with photos of their dog on it and whatever As an IT guy dealing with security, I side more with the other posters than him. e: Interestingly enough, I have better T-Mo speeds here in Chicago and the burbs now (since the 15x15 flip) than I do with Verizon, and I get a good T-Mo signal in the police bunker at work where Verizon's at a single loving bar that flickers in and out.
|
|
#
?
Aug 7, 2015 19:36
|
|
|
|
| # ? May 27, 2024 07:39 |
|
|
I really want to add an "are you an IT guy?" poll to this thread.
|
|
#
?
Aug 7, 2015 19:40
|
|