Slashdot Mirror
Kindle Fire and Nook Upgrades Kill Root Access
jfruhlinger writes "The Kindle Fire and Barnes and Noble Nook tablets are similar enough and close enough together in price that they ought to be fighting market share and one-upping each other in terms of features they offer users. But the latest OS upgrades to both gadgets claims to be an 'upgrade' while actually taking functionality away: both remove the ability to root the device."
A more balanced way of looking at it is that the updates fix known local privilege escalation vulnerabilities. This might be more of an issue for people wanting to hack on the Nook Tablet: its bootloader is confirmed locked, but reports lean toward the Kindle Fire having an unlocked bootloader letting anyone flash their own software without needing to gain root first.
Sort of like being able to open the hood on your car is a security risk.
Neither device [...] has access to the real android market.
Maybe you should [...] go buy a real Android tablet...
Which affordable, certified "real Android tablet" in the 7 to 8 inch range do you recommend instead of a Kindle Fire or Nook Tablet? Or are Kindle Fire and Nook Tablet like game consoles, sold at razor-thin margins or even at a loss to get people onto the manufacturer's store, and that's why they're so much cheaper than Google-certified devices?
Yeah, seriously. When you have a security flaw that allows root privilege escalation you don't just decide not to fix that because the homebrewer's were using it as a convenient way to get access to the machine. If this was on an (open) desktop platform, such a flaw wouldn't really be tolerated for long.
It's like when people are upset that an exploit in a game was fixed that people were using to win / get free stuf / etc, yet they don't get upset when a bug is fixed that was actually preventing them from completing a game.
Then let's roll with the analogy: why don't more Android devices have a legitimate hood release of sorts?
1) That people don't try to return the product when they screw it up doing something that the product wasn't intended to do (and it costs me money)
2) That I eliminate a potential attack vector for malware which would lead to decreased sales and increased returns (which costs me money)
3) That people are locked into using my products (which makes me money)
This is all about the money people. This isn't about trying to screw over the 0.1% of people who buy the tablet - It's about maximizing the profits. And let's be realistic here - they will be recracked in short order.
I call it 'The Aristocrats'
I have a real faux Android tablet called an HPTouchPad. It's sweet!
If this was on an (open) desktop platform, such a flaw wouldn't really be tolerated for long.
Which is why the user should simply be given root access to begin with. Instead of having to use privilege escalation attacks, users should just be able to hit a button or flip a switch to enable root access for themselves. Quick, easy, and perhaps voiding the warranty (but I think anyone who wants root access is willing to have no warranty).
Why is this so hard?
Palm trees and 8
Welcome to the real world, the property you own isn't yours.
You're not buying a product any more you're buying a service. You can't lend others your books (look in the copyright notice at the front if you doubt me) You can't
It is not your music, it is licensed from those who own it.
Oh you're a band and think you own your music? Nope, it belongs to your record label.
Oh you're not signed to a record label? Since 7 notes is enough to copyright a riff then that gives you just over 5000 original works of music so there is no original works anymore. You cannot produce your own works of art anymore.
Okay maybe you have an idea for a cool new machine, nope that's almost certainly covered by someone else's vague patent. Your ideas aren't yours.
Okay what about your house, I bet it's mortgaged so the bank owns it.
Oh, you own your house outright, fine but who enforces it? When someone tries to take it from you it's a government giving you a licence to live there as long as you pay property taxes.
Actually you know what I started writing this as a parody post and now I'm not sure anymore, exactly what do we own anyway? What has anyone ever owned? Did those 200 years ago have more property rights than we currently have?
Moving forwards should we have more property rights? Should I be allowed to sell you a device that is designed to break, or at least rely on updates to keep doing the same job? Machinery has always worn out, selling with a contract that requires a service contract has always been legal (AFAIK) so why are we annoyed about this now?
"The weirdest thing about a mind, is that every answer that you find, is the basis of a brand new cliche" -
I have several FlyTouch pads from China. The new ones are dual touch with 1ghz processors in a 7" format and are running around 80$ including shipping. They are google Android and they will send you the android image. Re-flashing is as easy as putting the image on an sd card and booting the unit with the sd card in it.
Not the greatest in the world but they are very good for around the house network access, book reading, hacking, etc.
Bingo. One can just look at the Nexus line of devices and the "fastboot oem unlock" command and the warning given as the right way to go about doing this. This is enough of a hurdle to keep Joe Sixpack from doing it so he can see the dancing bunnies, but allows people who are willing to trash their device (and not bother calling hardware support) to do what they feel free to.
Actually, a privilege escalation exploit IS a security risk.
The unlocked bootloader means that on the Fire, this is at most a small speedbump in the process of modifying a device. However this prevents malware from gaining privilege escalation. (Most of the easiest Android rooting techniques like psneuter and rageagainstthecage relied on exploits that could and WERE also used by malware such as Droid Dream.)
retrorocket.o not found, launch anyway?
In-case anyone hasn't read the Richard Stallman story: http://www.gnu.org/philosophy/right-to-read.html
From the authors notes:
One of the ideas in the story was not proposed in reality until 2002. This is the idea that the FBI and Microsoft will keep the root passwords for your personal computers, and not let you have them.
The proponents of this scheme have given it names such as “trusted computing” and “Palladium”. We call it “treacherous computing” ...
The 1997 prediction, proposed in 2002, is reality in 2011. The big surprise is that the implementation isn't a technical DRM/TC scheme, but a fundamental change in corporations retaining ownership and control of items after they've been sold. Who could have predicted that?
tomorrow who's gonna fuss
That's the point.
That isn't what was removed. What was removed was a security flaw that let a non-root app running on the device get root priveledges.
And yet if the car companies removed your hood release and required a special key or tool only available at the dealerships, you'd be screaming bloody murder and so would the mechanic's unions with good reason - in fact, several times there were class action lawsuits against GM, Ford, and Toyota due to their refusal to sell the appropriate adapters and codebooks necessary to troubleshoot or reset "check engine lights" and computer warnings to the 3rd-party mechanic shops.
Imagine if the car companies wanted to take away your RIGHT to have your car fitted out with a turbocharger, or an aftermarket performance chip, or a better flywheel, or any number of other changes.
Now why is it that people don't scream bloody murder when they have a computing device in their hand, personal property they purchase, and they're told "but you don't have admin rights to change anything so there"???
No, the answer is that copyright doesn't grant all the privileges the publishers are claiming, at least in the USA. In particular, the Doctrine of First Sale pretty much says that you can legally do whatever you want with your copy once they've sold it to you (aside from using it to make more copies). That includes not only obvious things like transportation, but also lending—both free/personal loans and commercial rental.
Rental companies and retailers often do have special agreements with the publishers, but that's because the publishers are offering them a better deal, not because they need the agreement simply to resell or rent out the physical books/DVDs/etc.
Digital media falls into a rather gray area, which is how the publishers like it. They take advantage of the ephemeral nature of digital goods to undermine the First Sale doctrine, while simultaneously claiming that the content has been fixed in a tangible medium in order to gain copyright privileges over it. It should be one or the other, but they leverage the confusion to get their way on both counts.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
This does not impact the Nook Color in any significant way.
Both the Nook Color and Nook Tablet will try to boot off microSD first if they can. That's not part of the OS. However, the Nook Tablet requires a signed kernel to boot, and the Nook Color does not. So, this change results in a significant loss of hackability for the Nook Tablet, since you had to "jailbreak" it in some sense to do anything. It does not result in a significant loss of hackability for the older Nook Color, since you can still just write an unsigned kernel to a microSD card and you're off and running.
Disclaimer: this is my understanding from scouring the xda-dev forums for details and from hacking my own Nook Color. I've confirmed that 1.4.1 on the Nook Color does close the sideloading "hole", and that a 1.4.1 Nook Color will still boot stuff like CM7.1 from microSD card. The rest of it, I have not personally verified myself, but am summarizing my understanding from reading experts talking about it all.
Boats have cabins, cars have interiors.
It's a ship not a boat.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
I drain my crankcase every weekend and replace the oil to try out different brands. Doesn't everyone?
It doesn't mean much now, it's built for the future.