Slashdot Mirror


'Fee-Deduction' Malware On Android Spotted In the Wild

wiredmikey writes "New malware has been discovered embedded in more than 20 Android applications circulating via various forums on the Internet which auto-dials phone numbers to incur high user fees. Dubbed BaseBridge, the malware can be embedded in legitimate applications, and during the application's installation, the malware prompts the user to upgrade. If the user chooses to upgrade, the malware is installed on the Android device under the name 'com.android.battery'. Then, another prompt would pop up to ask the user to restart the app to run it, and the malware is formally activated upon restart. Once activated, the malware can activate three malicious services — AdSmsService, BridgeProvider and PhoneService, to communicate with a control server, from which it will download a configuration file to read related information and dial calls or send out SMS messages, incurring fees for users."

169 comments

  1. not possible! by Anonymous Coward · · Score: 0

    Malware only affects stupid lusers on Wiblows and OSuX, not linux!!!!

  2. Well by JAlexoi · · Score: 1

    That is the treat of sideloading. And I wouldn't give it up for anything.

    1. Re:Well by cHiphead · · Score: 4, Insightful

      In my day, we called that "installing" a program. Sideloading? Really? What has the world come to? DRM-ified nonsense.

      --

      This is my sig. There are many like it, but this one is mine.
    2. Re:Well by JAlexoi · · Score: 1

      Sideloading = installing apps from secondary channels.

    3. Re:Well by Anonymous Coward · · Score: 0

      In my day we called it copying files!

  3. so this is an act of war then? by Anonymous Coward · · Score: 0

    I am confused about who determines what is a 'cyber attack'. To me this sounds like one.

  4. I like my walled garden by neosar82 · · Score: 1

    Say what you will about Apple's "walled garden", but I'm kinda happy I'm inside it. That's not to say that iOS is not exploitable because it most certainly is, but it's much less likely something I purchase off the app store will contain malware like this.

    1. Re:I like my walled garden by Anonymous Coward · · Score: 0

      You did read the part about having to download these apps from forums and sideloading them, right? Stick to the Market and you'll be fine.

    2. Re:I like my walled garden by JAlexoi · · Score: 1

      Apparently reading skills are not required in the walled garden...

    3. Re:I like my walled garden by h4rr4r · · Score: 1

      I see the truth angers the fanbois.

      Have fun modding me down, been here long enough my karma won't even notice it.

  5. Glad I stuck with Windows Phone 7 by Anonymous Coward · · Score: 0

    Wow. I'm sure glad I stuck with Microsoft Windows CE Mobile Phone 7 Series SP1 Smartphone Edition Build 2943 codenamed {some vacation spot}, with Microsoft's great familiar track record for security and all...

    1. Re:Glad I stuck with Windows Phone 7 by Dan+East · · Score: 3

      I know you're being facetious, but ironically in this case you're probably indirectly right. Windows Phone 7 has such a small market share that it's not worth bothering with from a malware author's perspective, while iOS and Linux (Android) are huge targets. Funny how the table's turned.

      --
      Better known as 318230.
    2. Re:Glad I stuck with Windows Phone 7 by localman57 · · Score: 1

      It may or may not be worthwhile. If you know someone(s) who has something you want, and uses Windows Phone 7, you might write such a piece of malware. Remember, Siemens' Industrial Control Systems for Centrifuges have an even smaller number of manufactured units than Windows Phones. But I've heard there's been quite the nifty malware written for them. The criteria for writing malware is the value of what you achieve, not just the number of devices you can attack.

  6. Um.. so which apps by bigredradio · · Score: 4, Insightful

    It would be nice to see a list of the Apps. If there are "over 20" the list is probably not too large to post.

    1. Re:Um.. so which apps by blair1q · · Score: 1

      Or a link in TFA to the original release from "NetQin Mobile".

      Seriously, since I don't have the malware on my phone, this information-free story is the real malware, here.

  7. Douchery by Flipstylee · · Score: 1

    Plain and simple.

  8. What's the purpose of this? by yuna49 · · Score: 2

    Is it just to annoy people? What benefit do the authors receive from getting the phone to make random calls or send SMS?

    Proof of concept, perhaps?

    1. Re:What's the purpose of this? by thebra · · Score: 1

      Is it just to annoy people? What benefit do the authors receive from getting the phone to make random calls or send SMS?

      Proof of concept, perhaps?

      Because they can.

    2. Re:What's the purpose of this? by stoanhart · · Score: 2

      The authors set up their own pay-by-the-minute number (like with phone sex services). They set the rate to the maximum possible amount, which is something ridiculous like $99 per minute.

    3. Re:What's the purpose of this? by twidarkling · · Score: 2

      Probably they get the proceeds from these calls/SMS'. Couple shell companies to an anonymous account, and you're making money well.

      --
      Canada: The US's more awesome sibling.
    4. Re:What's the purpose of this? by RottenJ · · Score: 1

      I suppose it could be used to manipulate American Idol vote-ins?

      --
      "It's fun to obey the machine" - Ralph Wiggum
    5. Re:What's the purpose of this? by TheRaven64 · · Score: 4, Insightful

      Not always. The best ones set up quite a low rate and don't make the malware call it more than once or twice. If someone gets a 50 charge on their telephone bill, then they are unlikely to query it. If they do, then the phone company will probably just give them a refund and eat the cost - they probably charge more than 50 for the call to their support line anyway. 50 doesn't sound like much, but if you get a couple of million infections then that's a huge amount of money. Ideally, they'll register a few hundred premium rate numbers and have the malware dial a random one.

      --
      I am TheRaven on Soylent News
    6. Re:What's the purpose of this? by OS24Ever · · Score: 1

      To make money.

      They own the number being dialed, and above what the phone company charges the extra money all goes to them.

      --

      As a rock-in-roll Physicist once said, No matter where you go, there you are.

    7. Re:What's the purpose of this? by Threni · · Score: 1

      As always, this sort of thing would be thwarted if you paid for "premium" numbers 3 months after the call, not at the end of the current month. This would give the consumer/community ample time to discover what's going on and report it before any money was taken. With no financial incentive to perform this crime it would happen far less often.

      Of course, this means the phone networks would get less of a cut.

    8. Re:What's the purpose of this? by irishPete · · Score: 1

      Random calls to numbers that bill $10 per minute to your phone

      --
      disk? hmmm... I know I saw it somewhere...
    9. Re:What's the purpose of this? by __aazsst3756 · · Score: 1

      They make money. Any more questions?

    10. Re:What's the purpose of this? by interkin3tic · · Score: 1

      Telephone companies allow people to set up their own pay-by-the-minute number and willingly give their customers' money to that? Is there a legitimate use for setting up one's own number like that which I'm not thinking of? I'm assuming the phone company gets a cut of the money regardless of whether it's abusive and illegal, and so things like this aren't blocked on their side of things.

    11. Re:What's the purpose of this? by gstoddart · · Score: 1

      Telephone companies allow people to set up their own pay-by-the-minute number and willingly give their customers' money to that? Is there a legitimate use for setting up one's own number like that which I'm not thinking of?

      There's loads of places where you see such numbers ... phone sex is "legitimate" in that it is legal, and people can choose to do it. There's also probably lots of more 'mainstream' applications that I'm not thinking of. Generally, it's called "pay per call".

      I can't even begin to count the number of "text this number for X" ads I see ... most of which say it costs you money to text to that number (or to receive the texts you've just subscribed to until you text "STOP").

      In the end, if it generates revenue for the phone company, and unless it's been proven to be fraudulent or illegal ... the phone company has no incentive to police this stuff.

      But, if you think there aren't plenty of businesses doing this already, you're grossly mistaken. This kind of mechanism has existed for probably decades and has probably both legit and shady companies. Fraudulently getting people to do it is probably not new either ... I think there's an entire class of phone scam which gets you to connect to their number and pay through the nose.

      --
      Lost at C:>. Found at C.
    12. Re:What's the purpose of this? by w_dragon · · Score: 1

      Here in NA any number that starts with 1-900 is a pay-by-minute type. While the adult industry is the most well-known for them they can also be used by anyone where you're going to be charged by the minute for talking to them anyway (lawyers spring to mind).

    13. Re:What's the purpose of this? by Anonymous Coward · · Score: 0

      http://snopes.com/fraud/telephone/809.asp

      Yep, been done before.

      ~Cwix

    14. Re:What's the purpose of this? by localman57 · · Score: 1

      What benefit do the authors receive from getting the phone to make random calls or send SMS?

      What benefit do the authors receive from getting your computer to send random e-mails? It seems like this could be the beginning of botnet-style SMS spam. So far the networks have kept it pretty clean by putting heavy filtering on the internet/SMS gateways. It doesn't make sense to spam SMS if you're paying 5 cents a message to do it. But if you can compromise devices inside that gateway, and use their 5 cents, it's a whole different story.

    15. Re:What's the purpose of this? by Anonymous Coward · · Score: 0

      Fee for service. If you call a US embassy to get a visa it will not be a toll free number.

    16. Re:What's the purpose of this? by guyminuslife · · Score: 1

      That sounds like a ridiculously easy way to get caught. If you wanted to catch the virus author, all you'd need to do was find out who owned the phone number.

      --
      I don't believe in time. It's a grand conspiracy designed to sell watches.
    17. Re:What's the purpose of this? by Anonymous Coward · · Score: 0

      1-900 sex numbers? Or really any pay per minute service. Think of the money they could make....

  9. Rather selfish by SuperKendall · · Score: 1, Interesting

    That is the treat of sideloading. And I wouldn't give it up for anything.

    So you would doom millions to be raked over the coals by exploits like this, all so you can sideload. Awesome.

    Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?

    It's worked well for iOS from a security standpoint.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Rather selfish by nbetcher · · Score: 5, Informative

      Android is secured by default by disallowing the use of Unknown Sources. If you attempt to enable Unknown Sources for applications it will warn you about risking security. In addition you must know what you're doing to install the Unknown Source APK by either: using 'adb install', or downloading the APK to your SD card and use a file manager application to install it. So yes, Android is just as secure as iOS by default.

    2. Re:Rather selfish by Anonymous Coward · · Score: 0

      Or, we could treat the real problem, personal idiocy, and educate people.

      "but people don't want or shouldn't need to learn!!!" You'll respond with.

      And if that is true, then they deserve whatever malice comes their way.

    3. Re:Rather selfish by WhirlwindMonk · · Score: 5, Insightful

      If only there were a setting to allow sideloading. One that's disabled by default to protect unsavvy users, but is easily enabled by people who know what they're doing/willing to accept the risks. Oh, hey, look! There it is! "Unknown Sources: Allow installation of non-market applications."

      Good to know that the iphone has a similar setting, that was a good move on Apple's part. Oh, wait, it doesn't? You have to exploit security holes to enable sideloading? Huh. How about that.

    4. Re:Rather selfish by h4rr4r · · Score: 1

      Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?

      It's worked well for iOS from a security standpoint.

      Where is this "Open mode, I am not a moron" button for the iOS devices?

      As far as I can tell no one gets open access, everyone is assumed to be a moron.

    5. Re:Rather selfish by ArcherB · · Score: 1

      That is the treat of sideloading. And I wouldn't give it up for anything.

      So you would doom millions to be raked over the coals by exploits like this, all so you can sideload. Awesome.

      Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?

      It's worked well for iOS from a security standpoint.

      I believe the point is to have the option. Sure, if you choose to sideload, you risk malware or other bad things, but freedom comes with risk. As long as you have the choice and you are willing and able to take responsibility for your device, there is no reason to be forced to live in a walled garden. However, if you are happy with what the official channel has to offer, good for you. You should stay in the garden. But just because the protected environment is good for most, that doesn't mean we should all be forced to live there.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    6. Re:Rather selfish by SuperKendall · · Score: 0

      Where is this "Open mode, I am not a moron" button for the iOS devices?

      It's called jailbreaking, and if you are really not a moron you don't need a button to easily install it.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    7. Re:Rather selfish by AJH16 · · Score: 2

      Some of us don't believe we should have to fight our device manufacturer to be able to use it. It is for primarily this reason I will never buy or recommend an iPhone or iPad.

      --
      AJ Henderson
    8. Re:Rather selfish by JAlexoi · · Score: 1

      Doom? Aren't you exaggerating the issue?
      In the context of the article: It's basically like saying installation of unsigned Windows applications that don't use the Trusted Platform Module should be banned because there are infected versions on warez sites, forums and torrents. But since this is Slashdot, you probably didn't even RTFA.

    9. Re:Rather selfish by h4rr4r · · Score: 1

      Oh, you mean software exploits.

      See, that is exactly not what was being talked about at all. Security exploits are not put in by Apple just so you can own your own devices, they are mistakes. They are a defect, not a part of the model Apple chooses to use.

    10. Re:Rather selfish by JAlexoi · · Score: 1

      So... How is jailbreaking performed? Oh... That's right, by using security holes.

    11. Re:Rather selfish by JAlexoi · · Score: 0

      And how is jailbreaking performed? Oh... Right... By exploiting security bugs.

    12. Re:Rather selfish by interkin3tic · · Score: 1

      So you would doom millions to be raked over the coals by their own mistakes, all so you can have freedom. Awesome.

      There, I generalized that for you.

      Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?

      You would doom millions who insist they can handle security to be raked over the coals? Awesome.

      Serious point here: mistakes and malware will happen no matter what. People who are competent enough to operate outside a walled garden will still make mistakes or not be informed enough, and will fall victim to malware, and walled gardens will be penetrated by malware too.

    13. Re:Rather selfish by element-o.p. · · Score: 1

      At risk of sounding like flamebait or trolling (I'm not -- I'm honestly curious), how is Android different than an iPhone or iPad? I've got two Android devices, an HTC Hero and a Dell Streak 7, and I'm *pretty* happy with them...but not completely satisfied. I run ConnectBot on both devices so that I can SSH to various hosts at work, and I installed PocketCloud so that I can use RDP as well. Unfortunately, I'm severely limited when I can access hosts at work because the only OpenVPN compatible VPN clients I could find on the Android Market required that you first root (i.e., jailbreak) the device. So, as long as I'm in the office and connected to our internal wireless network I'm good, but forget trying to work from the coffee shop because I can't VPN from my Android devices unless I first root them...which, as far as I can tell, is not at all different from "fight[ing] our device manufacturer."

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    14. Re:Rather selfish by Spykk · · Score: 1

      I suppose that you are ready to give up your right to install software on your own PC for the good of the public, then?

    15. Re:Rather selfish by rickb928 · · Score: 1

      So the Apple store has never had any rogue apps find their way in?

      And the Android store, likewise, has never, and will never, approve an app that is a risk?

      Security by corporate moderation. I'm not at all comforted by that.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    16. Re:Rather selfish by Anonymous Coward · · Score: 0

      way to have no idea what you are talking about but post anyway. well played.

      douchebag.

    17. Re:Rather selfish by Skuld-Chan · · Score: 1

      In my experience the only people who sideload apps are power users - most people will just get their stuff from "Android Market".

    18. Re:Rather selfish by asdf7890 · · Score: 1

      Where is this "Open mode, I am not a moron" button for the iOS devices?

      It's called jailbreaking.

      ... which may void your warranty (on the hardware, not just the OS) apparently: http://www.bbc.co.uk/news/technology-10836692

      I doubt they would have an easy way to enforce this given that if you've performed a factory reset on the device they probably can't tell it has been jailbroken (but then again if you are sending it out for repair/replacement under warranty you might not be in a position to perform such a reset).

      That said, I still wouldn't compare a built-in feature with warnings about possible consequences, that will always be available, that does not affect the device's warranty to a "feature" that is only available by exploiting bugs in the OS, may be disabled completely if future OS revision fill in all the relevant holes, and may (according to statements made by the manufacturer) invalidate your warranty.

    19. Re:Rather selfish by mosb1000 · · Score: 1

      Or they will just use something else.

    20. Re:Rather selfish by Anonymous Coward · · Score: 0

      Remember that starting with HoneyComb Android is a proprietary piece of shit. Andy Rubin is both an asshole and a hypocrite.

    21. Re:Rather selfish by Kitkoan · · Score: 1

      This problem requires you to allow installing 3rd party programs, something you have to choose to allow. If you choose to remove a security feature and try things that is your choice. It's the same as the first smartphone virus being on the iOS. Like this though, it required the user to disable a security feature to be able to affect you. It's not a security fault of the system, it's a security fault of the user.

      --
      Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
    22. Re:Rather selfish by tlhIngan · · Score: 1

      Android is secured by default by disallowing the use of Unknown Sources. If you attempt to enable Unknown Sources for applications it will warn you about risking security. In addition you must know what you're doing to install the Unknown Source APK by either: using 'adb install', or downloading the APK to your SD card and use a file manager application to install it. So yes, Android is just as secure as iOS by default.

      If you want those free Amazon apps, you have Unknown Sources allowed, so there's that protection gone. (It's why Amazon doesn't work on AT&T right now, and probably why AT&T is going to have the option - some Amazon-AT&T deal).

      And people will trust Amazon so they'll obediently set that checkbox.

      As for installing an infected APK - all you need to do is visit the link on Android - someone sends you a link via e-mail, a QR code, or a website offering APKs for download (say, SlideME Marketplace - you can download free apps via their web site). Hell, all you need is to post in any forum "Get paid Android apps for FREE!" and they'll willingly install it.

      Hell, considering you can convince people to copy and paste blobs of javascript in their web browsers to do some facebook thing, I'd guess you can get them to use adb install as well.

      Just like the iOS SSH issue - you can get people to not only install OpenSSH on their iOS device, but also SFTP and an SSH client on their PC.

      It's remarkable how far users will go to do these things.

      Coming next in Ice Cream - an option to finely control where APKs can come from to prevent people who use Amazon from exposing their phone to unintended app installs as well.

    23. Re:Rather selfish by brooklynwry · · Score: 1

      Yeah, by matter of policy Apple bans it. Occasionally (and by no means always) Apple breaks a jailbroken phone with an update. But the way you phrase it, you'd imply that Apple is smackin' down with lawsuits, cease-n'-desist, and disabling the phones permanently. Now I've known a lot of people to jailbreak their phones, and not one of them has ever EVER ended up with a bricked phone permanently. So, fight, well, yes, but, um, how? Oh "fight" by doing precisely nothing? Cause that's what Apple does in practice to users who jailbreak their phones: absolutely nothing.

    24. Re:Rather selfish by Anonymous Coward · · Score: 0

      every time apple issues an update it breaks my jailbroken phone by deleting all my non-jailbroken apps, while simultaneously attempting to make it impossible to put them back

    25. Re:Rather selfish by Anonymous Coward · · Score: 1

      I've never fallen victim to malware or virus. And I pirate a lot of shit (yaaar). I don't run AV software either (all except MSE is snakeoil). I read the comments closely and can discern if there are any viruses. If the download isn't listed on nzbmatrix or piratebay, then there are no reliable comments, and I don't download. Period.

      When really in doubt, I start a VM and test things. Again, no malware or viruses.

      I've also observed someone get malware. You have to be very desperate for what you are trying to get at... Desperate enough that the obvious signs evade you. When they click a link and it takes them to some other download page, then the page is full of shady ads, and when the site itself is shady as fuck... They click something thinking they finally have their download only for it to popup a file download box with a file of a completely different name with no relation to what they're downloading. They then click "Run" and ignore about 3 subsequent warnings. They are so impatient and desperate for whatever they are downloading that they don't read the shit. The more you throw at them, the quicker they will click.

      Another is fucking codec downloads or videos that supposedly contain their own player. Yea fucking right. Doesn't take a comp. sci. major here. Drop the damn thing into VLC. If it doesn't play, then delete it. Not worth watching. Plenty of other porn out there, they can let that one video go.

      Another vector is this cutesy dumb bullshit people trade on facebook. Again, they get warned about 10 fucking times by their browser and then Windows. The fucking UAC prompts on Win7 are really telling. If your fucking video with its embedded player asks to elevate to admin rights... Just click the damn cancel button.

      Windows isn't at fault in these cases. It's the fucking user. The only option would be to refuse to let them execute the file and then they'd bitch about that.

    26. Re:Rather selfish by Anonymous Coward · · Score: 0

      That's like saying that I shouldn't have alcohol because millions manage to use it to mess up/end their lives.

      You can't protect everyone from everything. People need to learn that the internet is a big, freaking scary place.

    27. Re:Rather selfish by Cyberllama · · Score: 1

      Yeah, it's the same thing that happens now on jailbroken iPhones with hackulo.us. They host a repo for iPhone warez, and you take a pretty huge risk by installing any of it--though if you're just some kid, what do you care?

    28. Re:Rather selfish by AJH16 · · Score: 1

      The law reads that Apple can't do anything to people for jailbreaking their phones and they don't want to open themselves up to lawsuits, but their entire business model depends on iTunes sales. It is like licensing fees for video games. Their business model is to charge both the content creators and the consumers for access to the same hardware which they want to control. They make it as difficult as possible to do and it is a philosophy I hate. I also generally buy video games for PC whenever possible for the same reason.

      --
      AJ Henderson
    29. Re:Rather selfish by AJH16 · · Score: 2

      Yes, some features on Android do require rooting, but it is possible to run non-elevated applications that are not distributed through Google's market. Rooting is also left more up to the carrier and device manufacturer. Carriers like to have devices locked, but some devices are rooted by default. Android as a whole doesn't put a lot of effort in to protecting or trying to break root and can actually always be rooted (as far as I know) through ODIN or similar flashing. The culture of carriers makes this something that you don't see clearly unless you get in to the nitty gritty details, but in general, it is far easier, with fewer barriers or attempts to break rooting on Android vs jail breaking on an iPhone. Also, the level of customization you can do to an Android device after rooting is completely different from the level of changes you can make to an iPhone. Jailbreaking may let you run other apps and have more device permissions for those apps, but as far as I know you can't then put other versions of the OS or other builds on (particularly seeing as iOS itself isn't open for there to be other builds of it.)

      My perception of Apple has always been "you will do things our way whether you like it or not, because really, why would you want to do things any other way, cause we're Apple, savvy." Whereas Android's philosophy just feels like it is much more about trying to make a device for consumers and giving them control over their device to whatever level is appropriate for them.

      --
      AJ Henderson
    30. Re:Rather selfish by AJH16 · · Score: 1

      It is also worth pointing out that most rooting methods on Android seem to stay in until they are exploited by malware and then are rapidly removed. A perfect example is the rageagainstthecage vulnerability with elevation of a debugging connection that was only fixed after the Market malware issue.

      --
      AJ Henderson
    31. Re:Rather selfish by pandrijeczko · · Score: 1

      So be it. Why should I endure a "dumbed-down" computing experience just because far too many other people are too clueless and too lazy to learn about how a computing device works?

      Yes, I use Android and Linux. Yes, both are great for what I want to do with computing devices. No, I couldn't give a toss how many people use either of them or about some fictitious "Linux Vs. Everyone Else" war.

      --
      Gentoo Linux - another day, another USE flag.
    32. Re:Rather selfish by datapharmer · · Score: 1

      There are phones available that come with root already accessible. Geeksphone is one example, future HTC phones will have this when they ship too.

      --
      Get a web developer
    33. Re:Rather selfish by sexconker · · Score: 1

      If you want those free Amazon apps, you have Unknown Sources allowed, so there's that protection gone. (It's why Amazon doesn't work on AT&T right now, and probably why AT&T is going to have the option - some Amazon-AT&T deal).

      I have the Amazon store shit.
      I am on AT&T.
      What are you talking about?

    34. Re:Rather selfish by Anonymous Coward · · Score: 0

      Same thing with android if you get your phone from AT&T. AT&T disables that option to enable sideloading so rooting is your only option.

    35. Re:Rather selfish by AmberBlackCat · · Score: 1

      Android is secured by default by disallowing the use of Unknown Sources. If you attempt to enable Unknown Sources for applications it will warn you about risking security. In addition you must know what you're doing to install the Unknown Source APK by either: using 'adb install', or downloading the APK to your SD card and use a file manager application to install it. So yes, Android is just as secure as iOS by default.

      By your logic, Windows is also as secure as iOS by default.

    36. Re:Rather selfish by shutdown+-p+now · · Score: 1

      Let me guess - you didn't buy your phone from AT&T, did you?

    37. Re:Rather selfish by dudpixel · · Score: 1

      Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?

      wait, you mean like the "unknown sources" button being unticked by default?

      --
      This seemed like a reasonable sig at the time.
    38. Re:Rather selfish by Anonymous Coward · · Score: 0

      Yeah, except that's not the iOS security model. The iOS security model is that people who cannot manage systems have pre-secured systems, and the ones who can handle security buy an Android device. Being able to jailbreak your phone is just a happy mistake because we're still boneheaded enough to write critical security code in languages that don't have bounds checking (e.g. C/C++)

    39. Re:Rather selfish by Night64 · · Score: 1

      I rather have the possibility to install malware on my device, because I want to take the risks, than have someone forcing me to install only what's someone think it is good for me. And that is the default option in Android. Want to use unknown sources? Check here, read the disclaimer, assume your responsibility. My device, my rules, my risks.

      --
      Grey's Law: Any sufficiently advanced incompetence is indistinguishable from malice.
    40. Re:Rather selfish by Anonymous Coward · · Score: 0

      People who cannot manage systems SHOULD NOT TOUCH THEM!

      Don't be an enabler for lazy asses. (efficient = doing as little as possible, and as much as needed; lazy = doing even less, even if it harms you)

      I know you never really thought about this yourself, and that's why you have this wrong belief. So it's not your fault. But please, man, you're hurting us all.

      Because right now, you're like someone arguing that people with no driving license who are known to drive their car into a tree (malware) or even someone else (malware affecting others), must still be allowed to drive.
      Even if it means putting 3 feet of idiot-padding around them, and giving them only one large button as an interface (which they will still complain as being too hard... while you wonder how they manage to get up and dress in the morning).
      Just so they can stay idiots and drive like drunken monkeys, crashing into you every now and then like a bumper car.
      Even if that means the only car design that has enough users to still be manufactured, will be that one-button idiot thing, forcing you to drive the same, and crash 20 times, just to get to your job.

      This is the madness we in the software industry put up with.
      Because we don't have the balls or spine, to call a failure a failure, and make him take a test, before letting him touch the most complex and powerful machine on the planet that a normal customer is allowed to use.
      It's not a failure to fail the first time. It's a failure to fail, and instead of learning from it, demand to be able to stay ignorant.

      I really, deeply wish, a computer would have a chainsaw attached to it, so if they fail so hard, they at least can't reproduce any more.
      But malware that is impossible not to avoid for non-idiots, but destroys one's life if one is an idiot, would suffice. (Analog to cars.)
      And really, it should hurt us enablers too, every time it happens.

    41. Re:Rather selfish by sexconker · · Score: 1

      Let me guess - you didn't buy your phone from AT&T, did you?

      I'm not retarded, so I don't buy phones from carriers.

  10. Apple's Steve Jobs must be smiling... by bogaboga · · Score: 2

    ...though not publicly, about the chaos in Android's ecosystem. Seems that everything he predicted is coming to pass.

    Folks, we need sanity on Android. Currently, it's nowhere to be seen. Who can deny that?

    1. Re:Apple's Steve Jobs must be smiling... by nschubach · · Score: 1

      According to Google, it's "working as intended"

      We've been reporting all kinds of attacks and Google assumes you'll contact the developer or write a blog post to warn others of suspicious activity and that's as far as they'll let you take it. The report in my sig is just one of many.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    2. Re:Apple's Steve Jobs must be smiling... by robmv · · Score: 1

      Right, we need to check mental sanity of people that activate the option to install software from outside the market after the phone showed a big warning and they install anything from any place

    3. Re:Apple's Steve Jobs must be smiling... by JAlexoi · · Score: 1

      Are all pirated iOS apps free of malware also? Or are you too lazy to even read the summary?

    4. Re:Apple's Steve Jobs must be smiling... by Abreu · · Score: 1

      There's sanity in Android... There's also insanity, which is installing dubious apps from sketchy sources...

      Choice is yours.

      --
      No sig for the moment.
    5. Re:Apple's Steve Jobs must be smiling... by Anonymous Coward · · Score: 0

      Folks, we need sanity on Android. Currently, it's nowhere to be seen. Who can deny that?

      It appears Sanity is available in the Android Market:
      https://market.android.com/details?id=cri.sanity&feature=search_result

    6. Re:Apple's Steve Jobs must be smiling... by fortyonejb · · Score: 1

      Where are my mod points when I need them. The article also for some strange reason doesn't mention that if you don't allow installation from unknown sources that this malware won't be able to install. Interesting how they leave that out.

    7. Re:Apple's Steve Jobs must be smiling... by Jonner · · Score: 1

      ...though not publicly, about the chaos in Android's ecosystem. Seems that everything he predicted is coming to pass.

      Folks, we need sanity on Android. Currently, it's nowhere to be seen. Who can deny that?

      Yeah, freedom == chaos. Oh, Steve, preserve us from the chaos of having to exercise judgment!

    8. Re:Apple's Steve Jobs must be smiling... by idontgno · · Score: 1

      Yeah, I can picture the ants floating around in freefall:

      Freedom! Horrible, horrible freedom!

      I think this is the part where we welcome our insectoid walled-garden overlords.

      (Reference, for the Simpsons-challenged among you.)

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    9. Re:Apple's Steve Jobs must be smiling... by idontgno · · Score: 1

      Actually, that was a terrible reference. This is a more specific and appropriate one. Or maybe another attempt to make you click one of my links. MWAHAHAHA!

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    10. Re:Apple's Steve Jobs must be smiling... by Anonymous Coward · · Score: 0

      Virii, on my internet?

    11. Re:Apple's Steve Jobs must be smiling... by Anonymous Coward · · Score: 0

      Apple users have a hard time dealing with choice. The only choice they ever need to make is the choice to not have to choose anymore, which they make by buying Apple products. Their confusion is understandable, though unforgivable. It's akin to people claiming to need religion to cope with life. A far-fetched metaphor, perhaps, but it holds: it is self-deception in its purest form.

      Appropriately, the captcha for this post was "follower".

  11. Re:Linux = "Immune to malware" (another /. LIE?) by thebra · · Score: 1

    I kept hearing that Linux was immune to malware all these years here, and yet I am seeing a Linux variant in ANDROID showing holes and malware attacks left and right the past few years now.

    (Has slashdot's Penguin crowd been lying to us all for all these years now? Seems so.)

    Go back to your bridge.

  12. I am shocked and appalled by 0xdeadbeef · · Score: 3

    Trojans in software downloaded from sketchy websites? GTFO!

    1. Re:I am shocked and appalled by jedidiah · · Score: 1

      Chase away the Free Software and this is what you get. The gratis software becomes much less reputable even if it is inside someone's walled garden.

      The entire "ecosystem" becomes remarkably more crass and predatory.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    2. Re:I am shocked and appalled by Jonner · · Score: 1

      Chase away the Free Software and this is what you get. The gratis software becomes much less reputable even if it is inside someone's walled garden.

      The entire "ecosystem" becomes remarkably more crass and predatory.

      What are you talking about? It's Apple and Microsoft that chase away Free software, not Google.

  13. That doesn't answer his question by Anonymous Coward · · Score: 0

    See subject

  14. Re:Linux = "Immune to malware" (another /. LIE?) by spire3661 · · Score: 5, Informative

    A user with root explicitly installing a program IS NOT A HOLE.

    --
    Good-bye
  15. Re:Linux = "Immune to malware" (another /. LIE?) by mlts · · Score: 2

    The iPhone has similar issues. JB the iPhone, grab pirated apps from unknown/untrusted repos, shovel them via Installous, and there have been some really nasty things reported.

    The average user is not going to be sideloading apps, and if told to by a website, he or she should be VERY wary, and be checking search engines about the app mentioned.

  16. Linux doesn't appear to be immune to malware by Anonymous Coward · · Score: 0

    He was asking about Linux being said to be immune from malware for years here on slashdot. That's being shown as a lie by ANDROID itself, a Linux variant, turning up malware left and right for the past few years. No more hiding behind the thin mask of "security-by-obscurity" anymore, is there, Penguins? The truth's out, and your Operating System's based on lies of saying Linux is immune to malware. Same crap from the MacOS X camp around here also. MacDefender's showing us all that MacOS X too can be taken down by malware, despite all the lies and utter bullshit that slashdot nix trolls spouted here for years. Too bad the truth's out, eh boys?

    1. Re:Linux doesn't appear to be immune to malware by Goose+In+Orbit · · Score: 2, Insightful

      Feeding time...

      I take it you use a perfect OS then? Do tell us what it is...

    2. Re:Linux doesn't appear to be immune to malware by element-o.p. · · Score: 2

      At risk of feeding the troll, here goes:

      No one who's had any clue about network and OS security has ever said "Linux is immune to malware." In fact, what us Penguins have said is that it's impossible to stop a truly dedicated admin-level user from shooting himself in the foot if he's determined to do so. However, Linux's security model does a really good job of limiting the scope of the damage done by a user installing malware. Unless you are root (or equivalent) on a Linux box, *your* account will be all that's compromised. You won't hose the entire box because you stupidly installed malware. You won't even turn up a service on a port < 1024 because only root can do that.

      The Android malware that's cropped up lately does NOT disprove any of the assertions above, because they are all essentially affecting a single user account. Granted, on Android, there IS only a single user account (which is one of my gripes about the OS, since on my tablet for example, I'd like to be able to set up different user accounts for me, my wife and my daughter, so we could all use the device without screwing up each other's settings, apps, etc.). Such a poor implementation of user accounts, IMHO, goes a long ways towards negating some of the advantages of Linux. <shrug>

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    3. Re:Linux doesn't appear to be immune to malware by Anonymous Coward · · Score: 0

      At the risk of baiting trolls (not you, but I guarantee some trollish responses)...

      Considering 99% of the Windows malware out there (and I'm not claiming 100%, that would be foolish) also requires an administrative-level user determined to shoot themselves in the foot to do any systemwide damage, and /. users throughout perpetuity have claimed that Windows is insecure as a result, does that not make Linux/Android insecure by extension too?

      I mean, why the double standard?

  17. URL of APK by tepples · · Score: 2

    In addition you must know what you're doing to install the Unknown Source APK by either: using 'adb install', or downloading the APK to your SD card and use a file manager application

    That or enter the URL from which the APK can be downloaded, such as through following a link in an e-mail, following a link in the web browser, or scanning a QR code. After that, the device downloads the package over Wi-Fi or cellular, and then the user can choose to install or cancel on the privilege screen. That's how, for example, Amazon Appstore for Android gets installed.

    1. Re:URL of APK by JAlexoi · · Score: 1

      Yet even then you have to enable Unknown Sources.

    2. Re:URL of APK by h4rr4r · · Score: 2

      Before that you have to enable unknown sources. You can even enable it only when you are going to install something like that amazon app store and then turn it off again.

      Still better than the amazon app store for iOS model, which is of course that there is not one and never will be.

    3. Re:URL of APK by tepples · · Score: 1

      You can even enable it only when you are going to install something like that amazon app store and then turn it off again.

      But doesn't the user have to turn "Unknown sources" back on whenever installing or updating an application in Amazon Appstore?

    4. Re:URL of APK by h4rr4r · · Score: 1

      Indeed.

      What is needed is a way to enable installation of applications signed by $X. Then you just install their pubkey and let those applications be installed without being "Unknown".

    5. Re:URL of APK by sqlrob · · Score: 1

      So one of the malicious apps installs the key and you're back to square one.

    6. Re:URL of APK by h4rr4r · · Score: 1

      No no.
      The key needs to be installed in a separate way from apps. Something done only when you want to add new markets to shop from. Sure morons will still do it for pirated apps, but nothing will stop that.

    7. Re:URL of APK by Anonymous Coward · · Score: 0

      Which Amazon encourages people to do with a handy video. They don't even discuss in either the video or elsewhere on Amazon's site the implications of turning this on.

    8. Re:URL of APK by sqlrob · · Score: 1

      It needs to be separate from apps, and more importantly, not possible to do from apps.

      Possibly a physical switch on the phone to enable it, or something along those lines. With massive warnings making it near impossible to do anything while it's possible to install a key.

  18. Stupid users by Moondevil · · Score: 1

    No operating system can protect stupid users from installing dubious applications.

    Regardless how many security walls you put in place, if the user says yes to everything there is no way he will get protected.

    The stupid thing is that this then lands in the stupid non-technical press as "platform X has malware" articles.

    1. Re:Stupid users by gbjbaanb · · Score: 2

      well, what's a dubious application?

      a 'Make $$$ Fast' app.. probably
      but how about something like 'Bubble Boinger'... would you be confident that *didn't* contain malware.. 'cos if you can't be sure, that's pretty much half the apps in the Market off limits to you.

      Sure, if you put lots of security walls in place, the user can still be tricked into saying yes. ("restart app to apply update" says one, you say 'yes', oops. Not all malware asks 'install malware' in their popups).

      So you still need to fall back on security measures like AV scanners and system monitors. I think it would also be useful to decline certain parts of app requests - Bubble Boinger doesn't need to make calls or send texts, but sometimes they ask for such. If you could prevent those parts from being available to an app, it might make things more secure.

    2. Re:Stupid users by Dog-Cow · · Score: 1

      Um, the "platform X" does have malware. Why would reporting such a fact imply stupidity?

  19. We know it's you, APK by Anonymous Coward · · Score: 0

    Nice try, but you still couldn't resist randomly bolding shit. Honestly, these days I think 10 year old girls do a better job with their makeup than you do with your markup. Replying to other people and screaming at them to answer "his" (your) question is just the confirmation exercise.

    Nobody ever claimed that Linux was immune to people installing shit on it. Hell, nobody ever claimed it was immune to :(){:|:&};: You are the only one who seems to believe that when people say nobody makes viruses for Linux that all of a sudden that means they're claiming that no malware at all can possibly exist.

  20. Re:Something You Can Relate To - Lardass by Anonymous Coward · · Score: 0

    cool story bro....

  21. No details = Scare-Mongering for profit! by Anonymous Coward · · Score: 0

    No app list, no advisories, no way to gain *any* information...unless you download their product and run it to find out....you're not infected.

    How quaint.

    I'm shocked these guys don't have a rogue anti-malware scam going. They are only one step away now, so...look for it "Real Soon Now"!

  22. Don't experiment if it's mission critical by devleopard · · Score: 1

    I love apps on my phone, but along the way, I have to wonder, just how smart is this? My phone is for me, as for many, my primary communications device. I get loading an IM app or an invoicing app or even some Angry Birds. There comes an implicit trust there, I suppose.

    I'm cool with tinkering.. that's how our modern marvels came to be. However, tinkering comes with implicit risk. The problem is people tinker and expect the mission critical stuff (like your phone making calls every time you want, and only when you want) to still remain iron-clad.

    It's like jacking with beta software. Yeah, do it on your local machine. However, if you do it on your production server, and you lose data or have run-away costs, that's just too bad.

    --
    The best thing about a boolean is even if you are wrong, you are only off by a bit.
  23. Re:Linux = "Immune to malware" (another /. LIE?) by StikyPad · · Score: 1

    there have been some really nasty things reported.

    References? While there's certainly the potential for such abuses, I haven't heard of anything in the wild to date.

  24. So Linux + MacOS X (nix in general) isn't immune by Anonymous Coward · · Score: 0

    To malware like has been implied here over time, and how Apple said they were basically on T.V. Commercials no less? Well, well, will wonders never cease! I kept hearing how Linux is immune to malwares over time here and now that time has passed, it appears that was a line of the purest bullshit.

  25. At least Android has "Unknown sources" by tepples · · Score: 2

    At least Android has "Unknown sources" and "adb install" in the first place. Amazon appears to have convinced AT&T to push a firmware update that restores the checkbox, and "adb install" sideloading support is a requirement for Market access. In addition, devices without the Android Market application, such as all Archos products, ship with "Unknown sources" turned on so that the bundled AppsLib can work.

  26. Penguins finally admit Linux gets malware, lol! by Anonymous Coward · · Score: 0

    Same with MacOS X and Apple, eh?? LMAO! Despite all the slashdot "FUD" and Apple T.V. Commercials saying that nix variant Operating Systems can't be infested appears to have been the hugest line of bullshit ever perpetrated upon unsuspecting users. Linux's security model seems to be FAILING on ANDROID phones (so much for hiding behind literally NO MARKET SHARE on PC's, and "security-by-obscurity" eh, Penguin FUD spreading trolls... lmao!)

  27. The NIX "std. security model" = Downmods? by Anonymous Coward · · Score: 0

    LMAO - The "best security model" NIX users have on /. is to downmod anything that shows NIX for what it really is - based on lies!

    (Downward moderations, simply to hide the truth of things via mod downs from most users since slashdot sets the mark for most browsers to be above 0 or more)

    ?

    Please: Make us laugh some more at your falsehoods over the past nearly 2 decades being shown for what they are: LIES!

    Yes, yes, we know - hide posts that ask honest questions based on facts (like a NIX variant in ANDROID being malware ridden as well as MacOS X being hit by numerous variants of MacDefender lately and other malware in the past)?

    LMAO! Keep perpetrating your lies Penguins, and keep going downwards into oblivion!

  28. So you have to be a moron... by Anonymous Coward · · Score: 0

    So first you have to ignore the "HEY, YOU'RE INSTALLING OFF THE MARKET. ANYTHING THAT DAMAGES THE PHONE OR THE DATA ON YOUR PHONE IS OF YOUR OWN RISK" and click yes to the Unknown Sources dialog. Then you have to click the Install button on the screen that says "SERVICES THAT COST YOU MONEY: MAKING CALLS, SENDING SMS".

    You wouldn't let a random stranger into your house, why would you let a random application into your device -- especially since this stranger's announced that they'll be making phone calls and sending text messages?

  29. Re:Linux = "Immune to malware" (another /. LIE?) by mlts · · Score: 1

    If one visits sites like MacRumors, and looks under the iPhone hacks section, you will find a good amount of people posting about installing apps with Installous from dodgy repos. They have all kinds of problems, from having to DFU restore, to corruption of other app's data, and so on.

    The evidence is anecdotal (someone whining about a spotty JB iPhone that has been heavily modified could be a lot of issues), but slapping on pirated apps from repos that have not been vetted is just asking for an additional payload to come with the .apk file.

  30. Re:So Linux + MacOS X (nix in general) isn't immun by pandrijeczko · · Score: 1

    Friend, I work as a Linux/UNIX security consultant and if I thought you had enough knowledge about Linux/UNIX to understand an explanation I could give you about how a UNIX-like OS differs from, say, Windows in terms of threat attack vectors, then I would do so. But because I doubt your IQ barely reaches 3-digits in length, such an explanation would be wasted on you.

    Suffice it to say, I do not recall anyone on here ever saying that Linux is immune to malware because, the fact is, any program you run on any OS anywhere that you cannot guarantee is malware-free could be malware - so clearly anyone making such a statement would be a bigger fool than yourself.

    But you can satisfy yourself in the knowledge that, by virtue of the well-paid job that I do, that there are security considerations you must take into account when deploying any Linux or UNIX server - beyond that, you need not worry yourself as clearly your lack of knowledge shows you don't use Linux in any shape or form. Therefore how secure or insecure it is would be irrelevant within your small and blinkered view of reality.

    --
    Gentoo Linux - another day, another USE flag.
  31. Digital Signatures by DaMattster · · Score: 3, Informative

    I am not sure 100% that this is the answer but I think it is high time that we use digital signatures to verify the authenticity of the code. In the open source community this is done all of the time with utilities like GNUPG. Just simply use the author's public key to verify the authenticity of the code. If there is a discrepancy, then there should be a provision to discard the downloaded app. That should, at least, put a severe curb on wrapping malware in legitimate applications.

    1. Re:Digital Signatures by Anonymous Coward · · Score: 0

      This is a great example of how Slashdot "doesn't get it". Do you really think Mom wants to (or can even comprehend) comparing public keys/signatures? But go ahead and continue the great Apple / Google war. That's doing us all a lot of good, of course.

    2. Re:Digital Signatures by teh_commodore · · Score: 1

      So build it in and make it automatic. Web browsers check signatures all the time.

      --
      --"insert clever quote here"
    3. Re:Digital Signatures by Anonymous Coward · · Score: 0

      The author's key? So if the malware author signed his code, it is safe to run?

    4. Re:Digital Signatures by Rich0 · · Score: 1

      Uh, I believe all apks are digitally signed - certainly the ones from the market are. All a signature tells you is that whoever owns the key created the software. The signature in itself doesn't tell you who owns the key, and whether they stuck nasty stuff in their software. A certificate backed by a CA can help tell you who owns the key, but not whether they stuck nasty stuff in their software. If the CA does their job well enough it can make it easier to trace down who stole your money after the fact.

    5. Re:Digital Signatures by Rich0 · · Score: 1

      Yup, and sites running SSL with valid certificates can host malware just fine. You just know who actually infected you with the malware (if the CA did their job well).

    6. Re:Digital Signatures by Anonymous Coward · · Score: 0

      They do use digital signatures. Whose signature is it, though?

    7. Re:Digital Signatures by Anonymous Coward · · Score: 0

      Not sure how this helps since this appears to be for apps that are side loaded. The user would have to care enough to verify the signature.
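
Added example, not part of any comment above and not Android's own code: a sketch of the install-time policy discussed in this thread and in the "URL of APK" thread (install only apps signed by a pinned key, keep the key store out of reach of apps, and still check what a validly signed app asks for). Certificates, package names, the category table and the `caller` argument are constructed stand-ins; signature verification itself is assumed to have been done by the platform.

```python
import hashlib
from dataclasses import dataclass

# Real Android permission names for actions that cost the user money.
COST_PERMISSIONS = frozenset({
    "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS",
})
# Hypothetical table: cost permissions a given app category plausibly needs.
EXPECTED = {
    "dialer": {"android.permission.CALL_PHONE"},
    "messaging": {"android.permission.SEND_SMS"},
}
# Namespace borrowed by the malware in the summary ('com.android.battery').
RESERVED_PREFIX = "com.android."


def fingerprint(cert: bytes) -> str:
    """SHA-256 of the signing certificate bytes, used as the pin."""
    return hashlib.sha256(cert).hexdigest()


@dataclass(frozen=True)
class Apk:
    package: str
    signer_cert: bytes        # certificate the package signature verified against
    permissions: frozenset
    category: str


class TrustStore:
    """Pinned signer keys. Only the settings flow may add one, never an app."""

    def __init__(self):
        self._pins = {}       # fingerprint -> human-readable label

    def add(self, cert: bytes, label: str, *, caller: str) -> None:
        # 'caller' is a toy stand-in for OS-enforced separation.
        if caller != "settings":
            raise PermissionError("signer keys can only be added from settings")
        self._pins[fingerprint(cert)] = label

    def label_for(self, cert: bytes):
        return self._pins.get(fingerprint(cert))


def evaluate(apk: Apk, store: TrustStore, installed: dict):
    """Return (decision, reasons). 'installed' maps package -> signer fingerprint."""
    fp = fingerprint(apk.signer_cert)
    label = store.label_for(apk.signer_cert)
    if label is None:
        return "block", ["signer is not pinned (the 'Unknown sources' case)"]
    if apk.package in installed and installed[apk.package] != fp:
        # Android itself refuses updates signed by a different key.
        return "block", ["update signed by a different key than the installed app"]
    if apk.package.startswith(RESERVED_PREFIX) and label != "platform":
        return "block", [f"{apk.package} claims a platform name but is signed by {label}"]
    # A pinned signer says who built the app, not what it does: check the ask.
    extra = (apk.permissions & COST_PERMISSIONS) - EXPECTED.get(apk.category, set())
    if extra:
        return "warn", [f"{p} is unexpected for a {apk.category}" for p in sorted(extra)]
    return "allow", []


# Constructed sample data (placeholder bytes, not real certificates).
PLATFORM_CERT = b"constructed-platform-cert"
STORE_CERT = b"constructed-example-store-cert"
UNKNOWN_CERT = b"constructed-forum-repackager-cert"
SMS = "android.permission.SEND_SMS"
CALL = "android.permission.CALL_PHONE"


def build_store() -> TrustStore:
    store = TrustStore()
    store.add(PLATFORM_CERT, "platform", caller="settings")
    store.add(STORE_CERT, "ExampleStore", caller="settings")
    return store


def demo():
    store = build_store()
    installed = {"org.example.notes": fingerprint(STORE_CERT)}
    samples = [
        Apk("org.example.notes", STORE_CERT, frozenset(), "productivity"),
        Apk("org.example.bubbleboinger", STORE_CERT, frozenset({SMS}), "game"),
        Apk("com.android.battery", UNKNOWN_CERT, frozenset({SMS, CALL}), "tool"),
        Apk("com.android.battery", STORE_CERT, frozenset({SMS, CALL}), "tool"),
    ]
    return [evaluate(a, store, installed)[0] for a in samples]


if __name__ == "__main__":
    print(demo())
```
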

  32. Wrong by SuperKendall · · Score: 1

    which may void your warranty (on the hardware, not just the OS)

    You simply restore to factory OS before taking it in for hardware support.

    Because if you jailbreak you have a clue. Remember?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Wrong by scot4875 · · Score: 1

      My only question to you: How much compensation do you receive from Apple in return for hijacking entire threads in EVERY Apple-related story and most Android-related ones as well?

      --Jeremy

      --
      Jesus was a liberal
    2. Re:Wrong by asdf7890 · · Score: 1

      which may void your warranty (on the hardware, not just the OS)

      You simply restore to factory OS before taking it in for hardware support.

      Because if you jailbreak you have a clue. Remember?

      Could you please explain, for I am obviously clueless on this matter, how one would go about restoring the factory default OS on hardware that isn't currently working and hence needs to be sent in for warranty repair/replacement?

      OK so if they just replace the device they'll not notice. But you can't guarantee that will be the case.

  33. Re:Linux = "Immune to malware" (another /. LIE?) by pandrijeczko · · Score: 1

    Linux is just the kernel, the small but complex piece of software that sits between the user's operating system and the system hardware. Its function is to ready the hardware for use by the operating system, so is responsible for loading drivers and setting up parameters specific to the CPU it is running on.

    Anything else beyond that is the operating system that gets loaded once the kernel is in place. For convenience, the whole thing is referred to as "Linux" but, in reality, it is just a myriad of programs doing various tasks on that piece of hardware.

    Bearing in mind that the OS tools running on top of the kernel are Open Source, there are no "rules" as to how you design that system to run once the kernel has loaded. Therefore, if you want to design an OS schema whereby everything runs at the highest root permissions, there is nothing stopping you doing that.

    Having explained the above to you, I have permitted you to divest yourself of your clear ignorance when it comes to how Linux and free operating systems work.

    With the above in mind, Android does indeed use a Linux kernel to initialise the hardware in a smartphone, touchpad, netbook, etc. etc. However, beyond that there are numerous reasons why an Android system would boot into the OS very differently to, say, a Ubuntu or Fedora Linux desktop - one of the major differences would be because storage space and memory are far more limited on a smartphone or tablet than on an average desktop PC.

    Consequently, your comparison between Android and Linux is invalid - if anything, a piece of malware running on an Android system probably wouldn't run on a Ubuntu system if it was transferred across, or indeed vice versa.

    Any computer system needs to be hardened against security threats but your comments clearly show that you possess little knowledge of the subject - therefore you would be better employed spending your free time becoming better-informed on the subject first, and then coming on here to make what could be some very valid points about Linux security.

    This would be a constructive alternative to just spewing out random comments and appearing like a complete and utter plonker.

    --
    Gentoo Linux - another day, another USE flag.
  34. Not idiocy by SuperKendall · · Score: 1

    Or, we could treat the real problem, personal idiocy, and educate people.

    Bullshit. It's not idiocy, it's lack of understanding. And the truth is that you cannot educate people on something they have no interest in. Nor should there be a need for education, I don't have to be a structural engineer to drive over a bridge, because I know the people who made it are competent. The same should be true of OS's we use, the makers should have secured that for us as much as possible to the point where normal users do not need any understanding or education to keep the device safe for use.

    Your response is every bit as absurd as "you're holding it wrong".

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Not idiocy by nschubach · · Score: 1

      The same should be true of OS's we use, the makers should have secured that for us as much as possible to the point where normal users do not need any understanding or education to keep the device safe for use.

      I would like to add a caveat... If I have an engineer build me a bridge, I expect it to be safe for me to drive over but if I want to poke giant holes in it to let rain through or place a roof over it I should be aware that I may be messing with its structure and accept responsibility for the bridge failing because of my mods.

      That's pretty much the way Android works now. My only issue with it is that I have little control over what type of vehicles my gardener drives over it if he shows up in a pickup and asks me for permission to drive over my bridge and assumes that my answer will be the same when he decides to drive a 14-ton load over it later.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  35. "The best you got" = mod down & adhominem atta by Anonymous Coward · · Score: 0

    LMAO - ok "big man" (big f'ing deal, security consultant... do YOU really *THINK* that 'impresses me', boy?): Let's use some statistics then - time to make YOU, look VERY stupid (and you assume you're talking to someone that knows NOTHING about securing OS' either (dumb)):

    "I work as a Linux/UNIX security consultant" - by pandrijeczko (588093) on Tuesday May 31, @03:20PM (#36300482)

    This is supposed to "impress me", right boy? Take a peek @ my p.s. below, & don't assume you're talking to some NOOB, boy... ok??

    ---

    "and if I thought you had enough knowledge about Linux/UNIX to understand an explanation I could give you about how a UNIX-like OS differs from, say, Windows in terms of threat attack vectors, then I would do so." - by pandrijeczko (588093) on Tuesday May 31, @03:20PM (#36300482)

    Oh, really? Ok then - take a peek here:

    http://mobile.slashdot.org/comments.pl?sid=2200490&cid=36300084

    Seems the LINUX KERNEL 2.6x ALONE has 3.5++ times as many unpatched security holes as does nearly THE ENTIRE GAMUT/ARRAY of what Microsoft gives users to do business & development with...

    Can you say the same of say, MySQL, Apache, & all the other analogs to what that link/url has in it above? I doubt it. You toss those things onto Linux?? Inclusive of what just comes in the distro package ALONE, that 3.5x times the # of unpatched bugs in Linux would go "up, Up, UP & AWAY"...

    LOL! So much for your "b.s." boy (you're probably MANY years my junior & 1/100th as accomplished in this field as I am over time (the list below is VERY small & only partial too mind you - I could put out FAR more!)

    ---

    "But you can satisfy yourself in the knowledge that, by virtue of the well-paid job that I do, that there are security considerations you must take into account when deploying any Linux or UNIX server - beyond that, you need not worry yourself as clearly your lack of knowledge shows you don't use Linux in any shape or form." - by pandrijeczko (588093) on Tuesday May 31, @03:20PM (#36300482)

    LMAO - you poor little deluded fool: Do you *THINK* you're the "only person that setup Linux for business"? Do you?? Guess again, fool. I've done it 100's of times, & the principles are generically, rather the SAME in general, for layered security setups in Linux, MacOS X, or Windows really!

    "Therefore how secure or insecure it is would be irrelevant within your small and blinkered view of reality." - by pandrijeczko (588093) on Tuesday May 31, @03:20PM (#36300482)

    Ahem: ALL thru your 'reply' here boy, all you do is toss names & other snide innuendo... is that "the best you've got" BOY?

    (Apparently so!)

    ---

    "But because I doubt your IQ barely reaches 3-digits in length, such an explanation would be wasted on you." - by pandrijeczko (588093) on Tuesday May 31, @03:20PM (#36300482)

    What a fool... I mean, for example, are YOU the "only person" that's tightened a MySQL DB, or Apache (LAMP system in general)? Are YOU the "only person" that's used SELinux (which isn't set up NEARLY as tightly secured by default as it can be)??

    Please... give us a break - I've done that, in addition to 100's of Windows setups over time too. You're arrogant, and you assume too much (and it does appear that the best you have, is ad hominem attacks)

    ---

    "Suffice it to say, I do not recall anyone on here ever saying that Linux is immune to malware because, the fact is, any program you run on any OS anywhere that you cannot guarantee is malware-free could be malware - so clearly anyone making such a statement would be a bigger fool than yourself." - by pandrijeczko (588093) on Tuesday May 31, @03:20PM (#36300482)

    OH ma

  36. Re:"The best you got" = mod down & adhominem a by pandrijeczko · · Score: 1

    Excellent.

    You are improving. You have mastered "Cut & Paste" keys, well done! :-)

    Now go read a few security manuals, get a few years experience in OSes and security, then you can set your sights on one day being able to speak to me at the same intellectual level. Hell, I may even reach down and help pull you up those last few steps of your very tiring climb.

    --
    Gentoo Linux - another day, another USE flag.
  37. Linux kernel ALONE vs. Near ALL MS tools by Anonymous Coward · · Score: 0

    Linux kernel 2.6x, vs. NOT just the OS either in Windows 7, but rather nearly the ENTIRE GAMUT of what comes from Microsoft has LESS KNOWN SECURITY ISSUES UNPATCHED than does the LINUX KERNEL!

    (That's FACT! See below... & "eat your arrogant words" boy, now flavored with "the bitter taste of YOUR defeat", lol!)

    Linux 2.6x kernel too ONLY mind you, NOT THE REST OF WHAT COMES IN THE DISTRO like Window managers, GUI shells, apps etc. which HUGELY COMPOUNDS it even more, and worse still, for Linux:

    To wit/e.g.:

    ---

    Vulnerability Report: Microsoft SQL Server 2008: (05/31/2011)

    http://secunia.com/advisories/product/21744/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (05/31/2011)

    http://secunia.com/advisories/product/17543/

    Unpatched 0% (0 of 6 Secunia advisories)

    Vulnerability Report: Microsoft Exchange Server 2010: (05/31/2011)

    http://secunia.com/advisories/product/28234/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft SharePoint Server 2010: (05/31/2011)

    http://secunia.com/advisories/product/29809/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (05/31/2011)

    http://secunia.com/advisories/product/34343/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Office 2010: (05/31/2011)

    http://secunia.com/advisories/product/30529/?task=advisories

    Unpatched 0% (0 of 6 Secunia advisories)

    Vulnerability Report: Microsoft Virtual PC 2007: (05/31/2011)

    http://secunia.com/advisories/product/14315/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Internet Explorer 9.x: (05/31/2011)

    http://secunia.com/advisories/product/34591/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft Visual Studio 2010: (05/31/2011)

    http://secunia.com/advisories/product/30853/?task=advisories

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft DirectX 10.x: (05/31/2011)

    http://secunia.com/advisories/product/16896/

    Unpatched 0% (0 of 3 Secunia advisories)

    Vulnerability Report: Microsoft .NET Framework 4.x: (05/31/2011)

    http://secunia.com/advisories/product/29592/

    Unpatched 0% (0 of 3 Secunia advisories)

    Vulnerability Report: Microsoft Silverlight 4.x: (05/31/2011)

    http://secunia.com/advisories/product/28947/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x: (05/31/2011)

    http://secunia.com/advisories/product/6473/

    Unpatched 0% (0 of 4 Secunia advisories)

    Vulnerability Report: Microsoft Windows 7: (05/31/2011)

    http://secunia.com/advisories/product/27467/?task=advisories

    Unpatched 8% (5 of 65 Secunia advisories)

    1. Re:Linux kernel ALONE vs. Near ALL MS tools by pandrijeczko · · Score: 1

      Friend,

      Your mastery of CTRL-C and CTRL-V is impressive indeed but cutting and pasting links to security advisories is wasted on me as I already subscribe to updates from Secunia, Bugtraq, Cert, Red Hat, Oracle and probably a few others you haven't heard about - do you not remember me saying that I am in a well-paid security job?

      You seem to be doing your best to rile me on the somewhat mistaken assumption that I treat operating systems like a religion and that therefore anything said against Linux in particular would have me foaming at the mouth and crying to the heavens demanding that a plague of demons be brought down upon your head.

      Unfortunately, the reality is that whilst Linux is my favourite OS platform to use, it has got there because I've used it and UNIX for so long so know it well and find it perfect for most of the computing and entertainment tasks that I need a computer to do. However, it does not preclude me from using other OSes, I actually like using Windows XP for certain tasks and for gaming, neither do I give two hoots whether or not Linux wins some fictitious war over Microsoft.

      The fact is, I like using it, have a well-paid job as a result of its very existence and would therefore consider myself a "happy chappie" all-in-all, content with occasionally casting out a verbal challenge on here occasionally in order to see what thrashing dervish of a fish is willing to take a bite.

      So please, it's a quiet evening, indulge me more...

      --
      Gentoo Linux - another day, another USE flag.
  38. Plus ca change, plus ca meme chose by Platinum+Dragon · · Score: 1

    This is ultimately no different from the days of downloading trojan-laden warez from a BBS or pr0n site and getting infected with an autodialer that calls some random long-distance number through the modem.

    If you're not willing to be careful about what you're installing, or where you're downloading it from, don't be surprised when your phone racks up random charges without your direct input.

    --

    Someday, you're going to die. Get over it.
  39. LMAO - Please, you're making me LAUGH boy! by Anonymous Coward · · Score: 0

    In terms of overall experience at ALL levels (Operating System security, programming & analysis, degrees & more? Boy, you're a NOOB compared to me... show me 1/10th of what I've done to YOUR credit, & before I did them especially then... ok? You can't and YOU KNOW IT!).

    I've been at these things since 1982 little boy, and at ALL LEVELS noted above... how about you?

    "Now go read a few security manuals, get a few years experience in OSes and security, then you can set your sights on one day being able to speak to me at the same intellectual level. Hell, I may even reach down and help pull you up those last few steps of your very tiring climb." - by pandrijeczko (588093) on Tuesday May 31, @03:52PM (#36300818)

    You're a "BIG TALKER" & that's about it! I've done the "security consultant" bit for both camps (NIX & Windows) & know EXACTLY what I'm talking about!

    In fact, so much so, that the guide I've written up for Windows security is the:

    You MAY wish to refer to the link below that shows a security guide I did for Windows (from 1997-current) as it is:

    http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text

    AND, more currently, the MOST viewed & highly rated one there is for years now since 2008 online:

    http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE

    Which has well over 300,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:

    ---

    1.) An Essential Guide
    2.) 5-5 star rated
    3.) A "sticky-pinned" thread
    4.) Most viewed in the category it's in (usually security)
    5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ (see January 2008))

    ---

    Across 15-20 or so sites I posted it on back in 2008...

    IMPORTANT:

    So - Have YOU done better, troll? We want something we can SEE, not just your "alleged status" as a "security consultant", ok??

    No, obviously.

    (So much for your attempts @ "discrediting me" with "std. troll disinformation protocol", because it falls apart in the light of FACTS... easily! Just "too, Too, TOO EASILY" in fact!)...

    However, since we're on the subject of security, Linux vs. Windows? Ok... how about I "up the ante" & show nearly ALL of what MS makes for business & development, vs. the Linux kernel ALONE then?

    Here we go:

    Linux kernel 2.6x, vs. NOT just the OS either in Windows 7, but rather nearly the ENTIRE GAMUT of what comes from Microsoft has LESS KNOWN SECURITY ISSUES UNPATCHED than does the LINUX KERNEL!

    (That's FACT! See below... & "eat your arrogant words" boy, now flavored with "the bitter taste of YOUR defeat", lol!)

    Linux 2.6x kernel too ONLY mind you, NOT THE REST OF WHAT COMES IN THE DISTRO like Window managers, GUI shells, apps etc. which HUGELY COMPOUNDS it even more, and worse still, for Linux:

    To wit/e.g.:

    ---

    Vulnerability Report: Microsoft SQL Server 2008: (05/31/2011)

    http://secunia.com/advisories/product/21744/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (05/31/2011)

    http://secunia.com/advisories/product/17543/

    Unpatched 0% (0 of 6 Secunia advisories)

    Vulnerability Report: Microsoft Exchange Server 2010:

    1. Re:LMAO - Please, you're making me LAUGH boy! by pandrijeczko · · Score: 1

      Oh, you're back. And SO quickly!

      Sorry, were we discussing Windows at any point in this conversation? I thought we were talking purely about Linux & Android from the perspective of you clearly having little understanding of UNIX topology and what might or might not constitute a threat attack vector on those.

      At this stage, my advice to you is to restrict the topic of conversation rather than trying to broaden it, you will find the assimilation and learning process much easier.

      And PLEASE stop with the endless Secunia links. I am relaxing after a nice home-cooked meal this evening and you're making this whole thing feel a bit too much like work.

      You have a real opportunity to learn something really useful from an OS & security professional with three decades of experience in the field - so make the most of it.

      --
      Gentoo Linux - another day, another USE flag.
  40. Can't back up all your bluster, eh? LMAO! by Anonymous Coward · · Score: 0

    Despite all your "big talk" & trying to put me down, you haven't been even a FRACTION of as well noted in the art & sciences of computing as I have... and, you're "trying to tell me how it works"? Please - what year were you BORN in?? I must ask, because I've been at most ALL forms of computer operating systems (inclusive of midrange & mainframe OS stuff on IBM "big iron" thru the System 34/36/38-OS/400-zOS series), & since 1982.

    I'd wager thus, just on a guess? I've been at these things LONGER THAN YOU HAVE BEEN ALIVE, & done fairly well @ it too in the eyes of others as well as being professionally paid for it & on MANY levels inclusive of security, programming/analysis + system architecture & design, as well as mgt. too!

    Give me a break - get over yourself, BOY... you act as if you're the "only knowledgeable person around" & you? You're FAR from that... hell:

    You can't even SHOW US A DAMNED THING YOU'VE EVER DONE THAT WAS NOTED AS GOOD BY OTHERS IN PUBLICATION (trade mags, books, newspapers etc.), COMMERCIAL SOFTWARE, OR TRADE SHOWS et al as I have!

    APK

    P.S.=> Lastly: I find it FUNNY how the statistics of the Linux kernel alone having more unpatched security vulnerabilities than does nearly ALL of what Microsoft offers to do business & development with "shut you up", & fast... lol, you arrogant little boy! apk

    1. Re:Can't back up all your bluster, eh? LMAO! by pandrijeczko · · Score: 1

      With all respect, I have nothing to prove to you as I have no idea who you are and actually care little of your opinion as to my skills.

      I've got three decades experience in telecoms, OSes and security, I've written a few technical whitepapers in my time, developed training courses on TCP/IP, Linux, Shell Scripting and Security but beyond that I am not prepared to go into more detail - it's an illustration for you as to the depths of my skills, but I've no interest in boasting to you more specifically as to what I've done - suffice it to say, I had just started my telecoms career in 1982.

      And, if I'm honest, you do sound a bit too much like a petulant child to have the maturity and experience that you claim to, so I'll take that with a pinch of salt.

      That's enough about me anyway. If you want to continue discussing the core topic then please continue, otherwise I've no interest in getting into a pissing contest with you or anyone else.

      --
      Gentoo Linux - another day, another USE flag.
    2. Re:Can't back up all your bluster, eh? LMAO! by teh_commodore · · Score: 1

      Despite all your "big talk" & trying to put me down, you haven't been even a FRACTION of as well noted in the art & sciences of computing as I have...

      On some level, this is true. Anonymous Coward has done a LOT of stuff over the years.

      --
      --"insert clever quote here"
  41. Still can't "back up your b.s." w/ facts, eh boy? by Anonymous Coward · · Score: 0

    Despite all your "big talk" & trying to put me down, you haven't been even a FRACTION of as well noted in the art & sciences of computing as I have... and, you're "trying to tell me how it works"?

    Please - what year were you BORN in??

    I must ask, because I've been at most ALL forms of computer operating systems (inclusive of midrange & mainframe OS stuff on IBM "big iron" thru the System 34/36/38-OS/400-zOS series), & since 1982.

    I'd wager thus, just on a guess?

    I've been at these things LONGER THAN YOU HAVE BEEN ALIVE, & done fairly well @ it too in the eyes of others as well as being professionally paid for it & on MANY levels inclusive of security, programming/analysis + system architecture & design, as well as mgt. too!

    Give me a break - get over yourself, BOY... you act as if you're the "only knowledgeable person around" & you? You're FAR from that... hell:

    You can't even SHOW US A DAMNED THING YOU'VE EVER DONE THAT WAS NOTED AS GOOD BY OTHERS IN PUBLICATION (trade mags, books, newspapers etc.), COMMERCIAL SOFTWARE, OR TRADE SHOWS et al as I have... despite all your "alleged greatness" & trying to "put me down"!

    (Come back when you've actually DONE something that others noted as decent, ok?)

    APK

    P.S.=> Lastly: I find it FUNNY how the statistics of the Linux kernel alone having more unpatched security vulnerabilities than does nearly ALL of what Microsoft offers to do business & development with "shut you up", & fast... lol, you arrogant little boy! apk

  42. The sanity of people using Amazon? by SuperKendall · · Score: 2

    Right, we need to check mental sanity of people that activate the option to install software from outside the market

    As they are explicitly told to do by Amazon?

    It's a design feature of the platform that any mainstream alternate application stores must have you disable this block, and then any random link can install something for you. Do you really not expect a significant number of users will be getting things from Amazon given the marketing clout they have?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:The sanity of people using Amazon? by robmv · · Score: 1

      No, the sanity of people installing from non-respectable sources. The warning is very informative; if someone still tries to save a few bucks installing applications from unknown sources, that is their problem.

    2. Re:The sanity of people using Amazon? by AmiMoJo · · Score: 1

      Okay, you enabled installing software from any source so that you could install the Amazon app-store. So what? You still have to go trawling round dodgy forums looking for this shit, it doesn't just magically appear on your phone or bypass the permission warnings. Or are you one of the people who complains that their machine is infected after they downloaded a crack for Photoshop and clicked "yes" to all the warning messages?

      Users are dumb and can be tricked into installing malware. Is anyone surprised? Should Google tie people's hands to save them from themselves?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:The sanity of people using Amazon? by PipsqueakOnAP133 · · Score: 1

      You're right that for BaseBridge to infect your Android phone, you would have to actually dig through some shady parts of the internet.
      But weren't the DroidDream infections originating from apps on Google's Android Market?

  43. Prove it, & Mr. Eugene Kaspersky quoted by Anonymous Coward · · Score: 0

    Funny how you're not trying to "put me down" anymore with your ad hominem attacks, eh? Why's that, big talker?? Perhaps because I have been @ this as long as you ALLEGEDLY have, and that I can show things I've done at ALL LEVELS CONCERNED that you cannot show???

    NOW, per my subject-line above:

    Here's one for you, from a RESPECTED source in the realm of security, in regards to Linux & Windows security being "neck & neck", ok?

    This article submission, based on words from Eugene Kaspersky tends to disagree with you, as do I!

    (See my p.s. below later, where I ask you a VERY pertinent question based on YOUR STATEMENTS quoted there)

    It's where Mr. Kaspersky even states Windows is as secure as Linux or more so:

    http://slashdot.org/submission/1568086/Windows-not-less-secure-than-LinuxOS-X

    (That was put up as a story for submission here, in the "recent section", but it never was put onto the main page... totally "blown off" & we ALL know why! The /. "Pro-*NIX slant" around here & the trolls that help promote it, knowing most folks are "sheeple" that 'follow the crowd' because they don't know enough about a tech topic to know better!)...

    ---

    "With all respect, I have nothing to prove to you as I have no idea who you are and actually care little of your opinion as to my skills." - by pandrijeczko (588093) on Tuesday May 31, @04:42PM (#36301390)

    PROVE IT! Show us something then...

    Anyone can "talk a good game" boy!

    (Better still? Meet my challenge & show that you've done more & of better note + even EARLIER than I have in the art & science of computing that did well (inclusive of commercially used software on my end that is HIGHLY esteemed no less)).

    Somehow I don't think you will ever be able to, and that suddenly your "ad hominem attack" on myself has "run out of steam" (hot air on YOUR end is more like it, lol!).

    (Anyone can "talk a big game" boy... trick is, to be able to show & prove it! You can't, & I can... simple!)

    ---

    "I've got three decades experience in telecoms, OSes and security, I've written a few technical whitepapers in my time, developed training courses on TCP/IP, Linux, Shell Scripting and Security but beyond that I am not prepared to go into more detail - it's an illustration for you as to the depths of my skills, but I've no interest in boasting to you more specifically as to what I've done - suffice it to say, I had just started my telecoms career in 1982." - by pandrijeczko (588093) on Tuesday May 31, @04:42PM (#36301390)

    Been there, done it, & apparently YOU & I have been at this the same amount of time (assuming you are telling the truth that is)...

    Yet, by way of comparison? I HAVE DONE WELL & can prove/show it... you cannot!

    (Big difference there)

    ---

    "And, if I'm honest, you do sound a bit too much like a petulant child to have the maturity and experience that you claim to, so I'll take that with a pinch of salt." - by pandrijeczko (588093) on Tuesday May 31, @04:42PM (#36301390)

    LMAO, omg... talk about "the pot calling the kettle black"!

    Ahem: Need I refer other readers to your FIRST replies to me, ad hominem attacks & all?

    Take a peek here folks, after reading pandrijeczko's b.s. above:

    http://mobile.slashdot.org/comments.pl?sid=2200490&cid=36300482

    &

    http://mobile.slashdot.org/comments.pl?sid=2200490&cid=36300672

    (Two "prime examples" of this fool trying to "condescend to me", & yet he's never accomplished anything compared to myself in the art & scie

    1. Re:Prove it, & Mr. Eugene Kaspersky quoted by pandrijeczko · · Score: 1

      If we walked past each other in the street, we would not know it.

      I have no interest in the opinions of anyone I do not know and have nothing to prove to such a person. I have stated all I have to say, you are entirely within your rights to accept them or disbelieve them, to me it is of no consequence.

      For the same reasons, trying to goad me into revealing more will achieve nothing, I am far too old and wise to fall for that trick.

      You are also getting repetitive. By all means continue this with another repeated posting if you feel the need for the last word on me, I will not respond any more.

      --
      Gentoo Linux - another day, another USE flag.
    2. Re:Prove it, & Mr. Eugene Kaspersky quoted by sexconker · · Score: 1

      It's one thing to feed a troll, but to feed a troll and get thoroughly called out and owned?
      That's shameful.

  44. Another scheme... by TheSync · · Score: 1

    We could require people to develop on a specific platform to make the software easier to analyze, then have digitally signed software sold on a single walled-garden, only allow authorized software to run on the phone, with the phone provider able to take down and turn off any malware app as needed.

    Oh yeah, that is called an iPhone!

  45. Funny how your ad hominem attacks ceased by Anonymous Coward · · Score: 0

    Why's THAT? Hmmm?? Perhaps because we've both been at this approximately the SAME LENGTH OF TIME, & I have degrees in CSC & MIS, as well as a string of noted good accomplishments in the art & science of computing, and you do not???

    "For the same reasons, trying to goad me into revealing more will achieve nothing, I am far too old and wise to fall for that trick." - by pandrijeczko (588093) on Tuesday May 31, @05:10PM (#36301756)

    I'm far too old & wise to NOT realize that means this (translated from NIX troll-speak):

    You don't have anything to show, no proofs, of your "alleged security guru status", period! Not only that, but nothing tangible that did well in the field of computing on ANY level, period!

    ---

    "You are also getting repetitive" - by pandrijeczko (588093) on Tuesday May 31, @05:10PM (#36301756)

    Repetitively POUNDING YOU INTO THE GROUND for your earlier attempts @ "condescending to me", ad hominem attacking me, & more...

    As well as my repetitively challenging YOU to show you've done MORE than I have, to better acclaim in respected publications & more like commercial software + trade shows etc. (which YOU blatantly RUN from!).

    APK

    P.S.=> Funniest part of all though, & it was on topic? Was this:

    Lastly/AGAIN: I find it FUNNY how the statistics of the Linux kernel alone having more unpatched security vulnerabilities than does nearly ALL of what Microsoft offers to do business & development with "shut you up", & fast, here:

    http://mobile.slashdot.org/comments.pl?sid=2200490&cid=36300850

    Guess who gets the "last laugh" here? Not you... lol, you arrogant little boy!... apk

  46. pandrijeczko did get called out, pwned & ran by Anonymous Coward · · Score: 0

    Badly here http://mobile.slashdot.org/comments.pl?sid=2200490&cid=36301882 and probably why he "changed his trolling and condescending tone" and ran.

  47. tomhudson = "CouNt StaLKuLa" by ac replies? LOL! by Anonymous Coward · · Score: 0

    Don't you EVER learn tomhudson? We all KNOW that you stalk & troll me by AC replies, and who said that??

    Why, YOU DID, here, quoted verbatim (and instigating others to do so as well? Please... lol, you FOOL, no one!):

    "Wait until he starts on another kick, then reply to him as an AC. It's the new meme". - by tomhudson (43916) on Sunday May 09 2010, @08:29PM (#32150544) Homepage Journal

    QUOTED, LITERALLY VERBATIM, FROM -> http://slashdot.org/comments.pl?sid=1646272&cid=32150544

    (So, if the "best you've got" is AC trolling & stalking replies to me tomhudson? Well... lmao @ U!)

    APK

    P.S.=> Now, on this "tidbit" from you? Who the F do you think you're fooling tomhudson??

    "Nobody ever claimed that Linux was immune" - by Anonymous Coward on Tuesday May 31, @01:26PM (#36299196)

    I've been around here long enough (since 2004, maybe a bit earlier) to KNOW "how it is" around here, a very "Pro-*NIX slant" to things, & Penguins are NIGH CONSTANTLY implying that "Windows is a malware ridden horror, Linuxes are not"!

    Well, to THAT, specifically (& on topic about ANDROID Linux)?

    Heh... see these additional "problems" ANDROID Linux has shown over time then recently:

    ---

    A RECENT HISTORY LIST OF ANDROID LINUX EXPLOITS BY MALWARE ETC. et al:

    http://www.net-security.org/malware_news.php?id=1718

    http://www.theregister.co.uk/2010/11/10/android_malware_attacks/

    http://www.zdnet.co.uk/blogs/jacks-blog-10017212/android-and-facebook-attract-more-malware-attacks-10022271/

    http://mobile.slashdot.org/story/10/12/30/1856242/Android-Trojan-Found-Spreading-From-Chinese-App-Stores

    http://www.ft.com/cms/s/2/bf3d6002-452e-11e0-80e7-00144feab49a.html#axzz1FdlXHJmB

    http://www.theregister.co.uk/2011/01/29/android_data_disclosure_bug/

    http://it.slashdot.org/story/11/03/01/0041203/Infected-Androids-Run-Up-Big-Texting-Bills

    http://it.slashdot.org/story/11/01/29/1946202/New-Android-Exploit-Discovered-To-Steal-Data

    http://mobile.slashdot.org/story/10/11/27/213219/Security-Expert-Warns-of-Android-Browser-Flaw

    http://yro.slashdot.org/yro/08/11/21/1321200.shtml

    http://linux.slashdot.org/story/10/11/02/2238205/Serious-Security-Bugs-Found-In-Android-Kernel

    http://mobile.slashdot.org/story/10/11/05/2011243/Major-Security-Holes-Found-In-Mobile-Bank-Apps

    http://news.slashdot.org/story/10/10/18/1910224/A-Tidal-Wave-of-Java-Flaw-Exploitation

    http://news.slashdot.org/story/

  48. Crap by Kidfork · · Score: 1

    Of course it's Android so everyone here is defending it. However if the same case was with iOS or RIM you all would be downing them to the max.

  49. Re:Linux = "Immune to malware" (another /. LIE?) by Hamstaus · · Score: 1

    A user with root explicitly installing a program IS NOT A HOLE.

    Yes, but a user with root explicitly installing malware is most definitely an A HOLE.

    --
    I moderate "-1, Fool"
  50. In fact, today is more secure by DrYak · · Score: 1

    In fact, today is a more secure era.

    Back in the BBS and early internet days, downloading shit off random sites was the only way to install software. You had to choose wisely the place you got your software from. If you /.er wanted to get the latest compiler suite, you had to fetch it from somewhere. If grandma wanted a weather app or a smiley pack, she got it from the interwebs too, and caught a nice trojan while doing it.

    Now, systems like Android, WebOS, etc. provide you a nice walled garden of vetted apps. So most users can be sure they won't get malware. Advanced users, who are more knowledgeable and probably better at telling which sources are trusted, can enable other repositories ("sideloading", "dev mode", etc.)
    Thus if you /.er want to install some crazy experimental piece of software, you're still allowed to fetch it from somewhere. If grandma wants a nice "kitten" theme for her homescreen, she simply gets it from the official repository and is spared from trojans.
    Well, except for iPhone users. They are stuck in walled garden mode. Unless they go against Apple's effort, and have to use hacks and exploits on the phone that they actually own. Weird...

    BTW: It's "Plus ça change, plus c'est la même chose"

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  51. LAMP "security": Bwaaahhh a joke! by Anonymous Coward · · Score: 0

    http://www.theregister.co.uk/2011/06/10/domains_lamped/

    ---

    PERTINENT QUOTE:

    "Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.

    Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"

    ---

    That's JUST FOR YOU, trolls... & of course, this as well, for comparison's sake, Apples-To-Apples:

    ---

    Vulnerability Report: Microsoft SQL Server 2008: (06/11/2011)

    http://secunia.com/advisories/product/21744/

    Unpatched 0% (0 of 0 Secunia advisories)

    ---

    Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (06/11/2011)

    http://secunia.com/advisories/product/17543/

    Unpatched 0% (0 of 6 Secunia advisories)

    ---

    Vulnerability Report: Microsoft Exchange Server 2010: (06/11/2011)

    http://secunia.com/advisories/product/28234/

    Unpatched 0% (0 of 0 Secunia advisories)

    ---

    Vulnerability Report: Microsoft Internet Explorer 9.x: (06/11/2011)

    http://secunia.com/advisories/product/34591/

    Unpatched 0% (0 of 0 Secunia advisories)

    ---

    Vulnerability Report: Microsoft Visual Studio 2010: (06/11/2011)

    http://secunia.com/advisories/product/30853/?task=advisories

    Unpatched 0% (0 of 1 Secunia advisories)

    ---

    And?

    Well, We already KNOW that Windows 7 has less bugs unpatched than Linux 2.6x also (the mainstream kernel, & KERNEL ONLY, not the entirety of a Linux distro mind you, vs. a COMPLETE OS in Win7)

    APK

    P.S.=> Now, that's a comparison for you "Pro-*NIX trolls" around here on /.:

    LAMP stacks (Linux, Apache, MySQL, PHP) being BLOWN AWAY regularly, vs. ZERO BUGS in MS' dev. stack for websites!

    Again... "read 'em, & weep" (current/new news)... apk