Android Malware May Have Infected 5 Million Users
bonch writes "A massive Android malware campaign may be responsible for duping as many as 5 million users into downloading the Android.Counterclan infection from the Google Android Market. The trojan collects the user's personal information, modifies the home page, and displays unwanted advertisements. It is packaged in 13 different applications, some of which have been on the store for at least a month. Several of the malicious apps are still available on the Android Market as of 3 P.M. ET. Symantec has posted the full list of infected applications."
I've always thought it was odd that those games that literally copied Counter-Strike were allowed on the Google Market.
I know, you're about to say "copying gameplay, while unethical, is completely legal". Problem is, they didn't copy the gameplay - they're boring rail shooters. The copied stuff is the art - the textures, models, even some of the maps. And that's blatant copyright infringement. It's obvious even from the previews, if you've played the game enough. And since, at one point, people playing cs_italy were responsible for more bandwidth usage than actual people in Italy, I'm pretty sure I'm not the first to notice it.
I figured Valve, being pretty savvy about this sort of thing, figured that suing them would give them too much publicity - Streisand Effect and all that, not worth the huge amount of publicity that anything Valve does. Now, I'm thinking that iApps7 was just ignoring the cease-and-desists, because when you're already distributing malware and committing actual, commercial copyright theft, you're probably not too afraid of lawyers.
Although I seriously doubt Symantec's 5 million number is right, the fact that malware keeps showing up on the market is disturbing. Actually, we're beyond disturbing, it's getting downright annoying. Google needs to do better than removing bad applications after the fact, and while this doesn't need to be a Jobsian walled garden, at a minimum Google needs to start reviewing all applications (and updates!) before posting them to make sure they're clean.
Phones are appliances, and trying to handle malware the same way we handle it on computers (which is to say, after the fact) is not going to work.
For years, the Windows platform was mocked relentlessly as a cesspool for malware. It's interesting to see what happens when there is a lack of quality control from the platform vendor, which turned Windows into a complete mess of contradictory interfaces (even within Microsoft's own software), convoluted configuration settings, and a third-party market devoted to cleaning up viruses and spyware. Android seriously risks going down that path, if it's not there already. There has to be more control on the part of Google.
Pushing back on that is a small contingent of techies who want to turn the smartphone into a PC. They like to cite the freedom to install anything they want, but the truth is that mainstream users wouldn't do so even if they knew how. Google needs to cater to the needs of the majority and not latch onto populist concepts that sound good to tech crowds (e.g., "openness") but mean nothing to everyone else who just uses these things as tools rather than hobbies--especially when Google seems to have trouble following fundamental tenets of open source like source code access.
Those 37 million iPhone sales over December reversed the 2011 Android surge. The in-fighting among Android vendors risks more forks like Kindle Fire, customized interfaces, and abandoned phones that no longer receive updates mere months after their release. Google, turn the ship around before it's too late! The carriers won't help you.
"Sufferin' succotash."
From TFA:
'Symantec estimated the impact by combining the download totals -- which the Android Market shows as ranges -- of the 13 apps, arriving at a figure between 1 million on the low end and 5 million on the high. "Yes, this is the largest malware [outbreak] on the Android Market," said Haley.'
Even the most optimistic estimate is very bad.
Apart from being somewhat annoyed about the greater difficulty of managing my smartphone when compared to my Linux boxes, I've been having a hard time selecting apps for it.
Android market is not exactly friendly (is there a way to get larger fonts?) and I'd like to have a search by permissions. Recently, I wanted a mere notepad app -- no frills, no cloud, no nothing, just the note, but there's an "excellent" notepad app which requires you to join an online service. WTF!!!
After finding 2 suitable apps, I would still need a bigger keys soft keyboard... again looking at permissions to avoid leaking unnecessary things.
No wonder guys end up getting viruses... we need better ways to control our exposure. Then again Google's business depends on offering us what we want and thus they need to know that. But am I giving my data only to Google? I wonder where my accounts and their details end up going...
foxconn factory workers very satisfied: 100%, with no dissent! amazing.
when interviewed, every last worker expressed their deepest appreciation for their bosses, and how much they love working together for harmonious success of the company, which they love and admire deeply.
This is what I came here to say. If you think that those apps are legitimate or at least only a positive, you are either very desperate, underage, or a moron of the highest order. In the case of the first, I'm sorry you don't have the brains to find actual free porn/cheesecake pics, in the case of the second you're not clever enough to ascend to the next level of porn, and in the case of the third your phone is too smart for you, please take it back.
On a slightly different topic, since I might as well go all out in insulting average non-computer-savvy people for the crime of not spending their life like pasty-faced Anonymous Cowards in front of the cool glow of a monitor in their basement, I remember an early app in the Android market that was literally a tithe calculator. I'm GUESSING this was someone's first app or otherwise a test app by someone learning to program, because I actually downloaded it a second time after an update and the interface became slightly more refined (with a background picture instead of a flat colour and so on), and I'm not particularly here to mock the author of the app so much as any target audience members that might exist.
The app had a prompt for you to enter how much your annual income was, and then a 'go' button that returned (income/10) as the amount you needed to tithe. In the event that you belong to a church that receives tithes to support it, I'm very afraid if you need a smartphone and a custom app in order to divide a number by ten. The app did exactly what it said on the can, but by FSM I hope nobody was browsing through the Android Market and went "Oh! That's exactly what I need!"
Well, combine this with Google's recent news of privacy policy changes and Android's shine really is fading fast. I hate Apple, not for the products, I love Macs. It's the overused domination attitude I just can't deal with. So, that said, what's left? Win phone? Omg no. Maybe RIM and Nokia still have a niche after all... Just something to consider.
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
This still doesn't say anything about security of the OS. Users downloaded an app and granted it the rights to see things it shouldn't. That's not a hack, it is yet another case of PEBKAC.
Of course, everyone has known for the past decade at least that we're at the point where the primary attack vector for malware is social engineering. It's only really on Slashdot and other Linux-centric sites where you still see only a half admission of that fact. It's social engineering when it affects Linux, whereas it's inherently shitty security when it affects Windows.
At least we can finally stop pretending that Linux is powered by MagicalPixieDust(TM) and is immune to infection.
The amazing part is that iApps7 games are still on the market (as of this writing, 10PM PST).
It's obvious from the comments that they are total crap though. Anyone literate enough to read the comments wouldn't touch this stuff.
foxconn factory workers very satisfied: 100%, with no dissent! amazing.
Who makes your Android phone?
Some company that cares even LESS for their workers. At least Apple is trying to help and improve things, but China has a very servile culture embedded that has been pushed on them for many generations. They have a factory culture that has been as it is for a long time now and change is not instant.
So every dig you take at Apple and Foxconn labels you a dirty hypocrite if you use any electronics whatsoever, because even more people suffered for your device to be made...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Ah right. It's the user's fault. The classic excuse for bad IT systems.
It may have infected five million users!
Then again, it may have not.
"In other news, security research firm says they've found alarming evidence of their own relevance.
Details at 11"
That's 5:00 you non-binary-reading troglodytes. I suspect next I'll hear a story about how useful rats are at guarding cheese.
HTC makes all of their premium Android phones in Taiwan. The workplace standards are of course much higher there compared to Mainland China. Samsung, on the other hand, uses a number of factories, including ones in South Korea and China, to make their flagship Galaxy SII phones.
If you upload an app to the market place that needs access to the users bookmarks I think that a more in depth review process is in order.
At the very least the user should see an alert that says something like "This app seems to want a lot on your phone and hasn't been verified by Google...only use it if you really want to"....
'Symantec estimated the impact by combining the download totals -- which the Android Market shows as ranges -- of the 13 apps, arriving at a figure between 1 million on the low end and 5 million on the high.
Of course Symantec totally ignored that the download totals do not translate into the number of infected users. How many devices have multiple apps? That estimate could easily be 10x too high.
Did the author run scripts to pump up the numbers to gain visibility? Many app authors do this
Your link - 51degrees.mobi - uses analytics built into a web app framework to count clients. Generally speaking iPhone users don't use web apps because they have such a wide variety of quality native apps. That will be why the results don't tally with market share figures or those studies counting generic web usage.
When drivel like this gets modded up, I know why Taco left. Joke-dot? Slash-gadget? Take your pick.
The soylentnews experiment has been a dismal failure.
And of course NONE of the anti-virus or malware scanners caught even One instance of this in the wild.
SYMANTEC advertising their own uselessness.
Sig Battery depleted. Reverting to safe mode.
I just checked my Galaxy Nexus. It says "Made in China", so I'm guessing it's probably a safe assumption it's made at Foxconn.
And while HTC's premium flagship phones are made in Taiwan, I'd guess most of the rest of them are made in Foxconn (for every flagship, there's probably dozens more of the lowend phones sold).
yeah I wish Google would speak to this.
It could be that NO ONE has downloaded these apps...
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
In particular in Taoyuan. HTC makes their products in Taiwan, which is not a large surprise since they are also headquartered there.
I'm not sure how, but you've hit the crux of it. With Windows, we expect this "blame the user" scenario because we've been trained to expect it. We were hoping for better with Android. But there are just so darned many apps now to vet.
Maybe a second level of "hey, these permissions are really loose and align with known malware. Are you really sure you want to enable this app to upload all your files and your contacts list to any random website and dial 1-900 numbers to run up your phone bill?" consent might be required.
Or maybe just triggers for additional inspection of apps based on required permissions. But that costs money, and somebody has to pay for that. Maybe a permissions cost matrix for uploading your app, to pay for the code inspection. That would encourage developers to require the minimum necessary permissions.
Help stamp out iliturcy.
...because I actually downloaded it a second time after an update...
...I'm very afraid if you need a smartphone and a custom app in order to divide a number by ten....
Ok, granted you are correct, but you also downloaded it... TWICE! I haven't downloaded any of the apps mentioned, and they look like crap apps I would never pay for, but I can't claim I've never tried out some free simple thing cause I was curious, as I'm guessing was the case with you. Now, if that tithe calculator required access to your phone book, net access, phone status, location data, etc, then it's stupid to install it... but then it gets into the realm of the user being able to interpret the security warnings.
I think there's definitely something about the (perceived) walled garden aspect of app stores that raises the false sense of security. Besides, it's just some goofy little app... what harm could it do? right?
People need to know about this stuff. It's not because Android or the app store security model is being bashed, but because everyone will soon need to be just as careful picking/installing apps on their phones as they should do on a PC, and perhaps more-so.
BTW: Symantec is just now disclosing that their servers were hacked in 2006 (as far as they know - maybe earlier). They don't know how long the hackers have PWNed their network, how much control they had, or for how long - but they're quite sure the hackers have stolen some of their source code. They recommend that you not use / disable / uninstall some (most) of their software. Most especially including PC Anywhere, since apparently it has a vulnerability or "back door" that allows the hackers to remotely administer your PC from Anywhere - and has for the last SIX YEARS.
I think I'm going to take Symantec's edicts with a grain of salt from now on, even if this is from a different group.
Look at this list of infected apps.
iApps7 Inc Counter Elite Force Arcade & Action
iApps7 Inc Counter Strike Ground Force Arcade & Action
iApps7 Inc CounterStrike Hit Enemy Arcade & Action
iApps7 Inc Heart Live Wallpaper Entertainment
iApps7 Inc Hit Counter Terrorist Arcade & Action
iApps7 Inc Stripper Touch girl Entertainment
Ogre Games Balloon Game Sports Games
Ogre Games Deal & Be Millionaire Sports Games
Ogre Games Wild Man Arcade & Action
redmicapps Pretty women lingerie puzzle Photography
redmicapps Sexy Girls Photo Game Lifestyle
redmicapps Sexy Girls Puzzle Brain & Puzzle
redmicapps Sexy Women Puzzle Brain & Puzzle
These are all Facebook type games that idiots play.
Slashdot is intentionally not providing you full tech news coverage because it caters to a specific demographic of emotionally-invested users who are more likely to generate repeat page views.
Slashdot is a business whose sole income is advertising revenue. People visit because people visit. The Slashdot business model (Soulskill is an employee) is to promote controversy - The Rupert Murdoch Model®. It ceased to be anything /. related a long time ago.
I just really wish for a more fine-grained permissions system.
I mean:
full Internet access
Allows an application to create network sockets.
Wouldn't it be fucking nice if it only could have unchecked internet access to an explicit list of URLs and "full internet access" meant "initiated by user action"?
Same for file system and for "Read phone state and identity" - 95% of apps in the market want the same permission.
It just gets devalued, like UAC's very helpful and informative "Allow this program to make changes to your computer?" prompt (More details? Sure: "Origin: Hard drive on this computer"). With all kinds of "changes" and their frequency it's not hard to see why UAC is often turned off. With all kinds of "full internet access" it's not hard to see why the permission page is just there to click "Accept".
Yeah but did you see the names of the affected apps? You would have to be a real moron to be duped by those.
Especially when an app such as "sexy women puzzle" asks for godlike permissions to run on the phone. Of course if Google were doing their jobs they'd be catching this crap a lot sooner.
All Advertisements on the internet or otherwise are "unwanted advertisements"
"What Are They Gonna Do When Were All Using Freenet"
Their low end needs to be divided by 13, as it is possible (though unlikely) that all users that have downloaded these apps have downloaded all 13. And then there are the users who wipe their phones (perhaps because they saw malware symptoms) and redownload. So probably the reality is anywhere between 50,000 and 5,000,000 infections.
I don't think Android's permission model is very good (it should allow some actions like making calls / SMS / root to be user vetoable) but the fact it has permissions is still better than nothing. When a free "sexy women puzzle" is asking permission to make calls or send / receive SMS messages then if you have a lick of sense you won't install it.
I somehow can't imagine malware authors would sign their apps with a valid CA-issued certificate that would prove their identity in court.
But Samsung counts their Bada phones as smartphones as well as their Android offerings...
I've had this argument on /. a thousand times. There's a reason why NetBSD isn't popular. They have a certain philosophy that security isn't something you compromise on to deliver usability or popularity. They don't implement a feature - any feature - unless it can be secured. They don't listen on ports by default. They don't auto-execute anything on mounting, and so on - because these features, while popular, compromise security. It's a religion with them. They've had some lapses but AFAIK no current NetBSD distribution has ever been proven to have a remote exploit.
And that's why NetBSD is the go-to starting point for folks who don't want to share their files with the wide Internet.
... that Symantec says its Risk Level is 1: Very Low
That they believe number of "infections" is 1000+
And that to get rid of it all you have to do is UNINSTALL IT.
If you don't it may
Copy bookmarks on the device
Copy opt out details
Copy push notifications
Copy shortcuts
Identify the last executed command
Modify the browser's home page
Steal build information (for example: brand, device, manufacturer, model, OS, etc.)
And a variant might also transmit
Android ID
IMEI
IMSI
MAC address
SIM serial number
Eeek.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Seriously, this is an opportunity for a company to come up with a new market to compete against Google. Basically, set it up similar to Apples: submit the app, have it tested, etc. and charge a small amount of money. For me, I will stay with google. BUT, for my parents and in-laws, they would go with the secured market.
I prefer the "u" in honour as it seems to be missing these days.
The trade press is getting less and less neutral lately. That has to cost a lot of money.
I think when they say downloads, they mean "purchases". If you download again on the same google account, I don't think that increments the counter.
wet water
And there's a (probably small) number of users like me, who will occasionally install something against my better judgement that I need for a one time use... and I neuter the permissions with things like DroidWall, LBE Privacy Guard, Permissions Denied, and others... and I think CM7 included its own permissions control.
Hell, even "normal" apps need some control. Many, many apps want access to your phone ID (IMEI, etc.). Block, block, block. That's a hardware ID unique to your handset. Only good reason to grab it is user tracking.
I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
There are apps (that if you trust them) for root users (e.g. LBE Privacy Guard) or custom roms (e.g. CM7) that enable the user to "veto" certain permissions.
and displays unwanted advertisements
Call me ignorant, but when are advertisements ever wanted
I understand that advertisements are a "necessary evil" in order to pay for development costs, etc, but I can't ever think of a situation when I've ever wanted to see advertising.
Apart from perhaps the Superbowl.
In the case of the tithe calculator app, it required no permissions whatsoever, and this was early on in the Market's lifespan, before too many malware incidents had happened (though there had been at least one). My phone is now rooted with DroidWall installed, so nothing gets 3G or wifi access unless I let it through the firewall, and if it's obviously fishy, Deal & Be Billionaire! anyone, I'm not even going to let it touch my system anyways.
Yes, had the tithe calculator asked for any sort of permissions except maybe turning the vibration on for some zany reason, I would've just kept on my way.
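The per-app firewall that the two DroidWall posts above describe works because every Android app runs under its own Linux uid, and netfilter's `owner` match can key rules on that uid. The following is an added example (not DroidWall's own code, and not from the page) that builds a default-deny egress policy from that mechanism. It reads the package-to-uid mapping in the format of /data/system/packages.list (the sample here is constructed; only the first two fields, package name and uid, are used), and the interface names wlan0 and rmnet0 are assumptions that vary by handset. The commands it returns need root to apply, which is why this approach requires a rooted phone.

```python
"""Default-deny, per-app egress rules using iptables owner matching.

Added example; not DroidWall's code. Demonstrates the mechanism only:
rules are returned as strings, not executed.
"""

# Constructed sample in the layout of /data/system/packages.list:
# <package> <uid> <debug flag> <data dir> ...  (only the first two fields matter here)
PACKAGES_LIST = """\
com.android.browser 10003 0 /data/data/com.android.browser
com.example.notepad 10041 0 /data/data/com.example.notepad
com.example.sexypuzzle 10058 0 /data/data/com.example.sexypuzzle
"""


def package_uids(packages_list_text):
    """Map package name -> uid; lines without a numeric uid are skipped."""
    uids = {}
    for line in packages_list_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1].isdigit():
            uids[fields[0]] = int(fields[1])
    return uids


def egress_rules(uids, allow_wifi, allow_mobile, wifi_if="wlan0", mobile_if="rmnet0"):
    """Return iptables commands implementing: allowlisted packages may send on
    the given interface, everything else on that interface is rejected.
    Interface names are assumptions; check `netcfg` / `ip link` on the device.
    """
    rules = [
        "iptables -N droidwall",
        "iptables -F droidwall",
        # drop any stale jump before adding ours so the chain is not hit twice
        "iptables -D OUTPUT -j droidwall",
        "iptables -A OUTPUT -j droidwall",
        # loopback is used by apps for local sockets; never block it
        "iptables -A droidwall -o lo -j RETURN",
    ]
    for iface, allowed in ((wifi_if, allow_wifi), (mobile_if, allow_mobile)):
        for pkg in allowed:
            if pkg not in uids:
                raise KeyError(f"unknown package {pkg}")
            rules.append(
                f"iptables -A droidwall -o {iface} -m owner --uid-owner {uids[pkg]} -j RETURN"
            )
        # default deny for this interface: anything not returned above is rejected
        rules.append(f"iptables -A droidwall -o {iface} -j REJECT")
    return rules


if __name__ == "__main__":
    uids = package_uids(PACKAGES_LIST)
    # the browser may use both radios, the notepad only wifi, the puzzle nothing
    for rule in egress_rules(uids, allow_wifi=["com.android.browser", "com.example.notepad"],
                             allow_mobile=["com.android.browser"]):
        print(rule)
```

Note that the REJECT rules are per interface and not per uid, so system uids (e.g. 1000) are also cut off unless you allowlist them; that is the default-deny behaviour the post wants, but it is the first thing to check when something like MMS stops working.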
They recommend that you not use / disable / uninstall some (most) of their software.
I think any IT professional worth their salt has been recommending removal of their software for years.
If I understand well, what you are saying that apps should be a highly regulated market. From TFA: " Although the infected apps request an uncommonly large number of privileges -- something that the user must approve -- Haley argued that few people bother reading them before giving their okay." If I am allergic to nuts, and I don't bother to read the big red label that some cookies contain nuts, if I get in a coma, hey, that's Nabisco's fault, not mine! They should KNOW I can be bothered to read some boring warnings. I want my cookies, and I want NOW!
Grey's Law: Any sufficiently advanced incompetence is indistinguishable from malice.
Ah right. It's the user's fault. The classic excuse for bad IT systems.
No matter how secure a system you create, users will find a way to fuck it all up. This is not a new concept.
The alternative approach, a "walled garden", has its caveats as well. In the end it comes down to what's more important to you, being able to download and install whatever the fuck you want, or having someone playing referee before you even get the choice to protect you from yourself?
However you decide is your decision, but in my years of providing tech support, I've discovered that yeah, most people should probably be on the walled garden, but convincing them of that fact is akin to telling any full grown adult they need to be supervised like children. Most people are not so willing to hear shit like that, so we end up with a bunch of idiots downloading obvious malware that any experienced user could identify.
I wouldn't give a kid who just got his learner's permit the keys to a Bugatti Veyron. Similarly, I wouldn't advise someone that doesn't know how to make safe computing decisions to buy an android phone. But if you know what you're doing, there's just no comparison to what you can do with your handset compared to the iPhone or Windows Mobile. It would be quite hard for me to trade that in for a layer of security I do not need.
Details at 11"
That's 5:00 you non-binary-reading troglodytes. I suspect next I'll hear a story about how useful rats are at guarding cheese.
11 in Binary is 5?
Damn, I knew I was getting old, because it used to be only 3...
It's hard to take anything Symantec says seriously as regards security. They have every incentive to make things seem far worse than they really are. Does Symantec offer an antivirus for Android?
Don't kid yourself. HTC is the same as the rest. http://htcpedia.com/news/activists-demand-htc-relieve-overworked-employees.html
This is a different problem than the usual Windows problem. The usual Windows problem is a matter of "viewing the wrong document". It's usually the sort of activity that would have previously been considered absurd as a virus attack vector.
Microsoft loves to blur the boundary between programs and data and install things without a user's consent or knowledge.
The Android problem is different. It's harder because you are trying to protect the end user from their own actions, actions that need to be permitted in order for the platform to be useful. You need to do this when the user might simply ignore or disable any extra facility you might create.
A Pirate and a Puritan look the same on a balance sheet.
No. We should stop pretending that OS and application design choices don't matter. They can't stop everything but they can avoid the sort of nonsense that happens in Windows. When it comes to "social engineering" in Windows, the bar is simply much lower. No degree of self-delusion on your part will change that.
You can be smug when Android or iPhone or Linux or MacOS has the same sort of "browse this webpage get infected" problem that Windows has.
Slashdot also generates money through paid subscriptions.
I've always thought that apt (apt-get, aptitude, Debian) has the right solution to this.
You get your software from a repository, and only software that is approved by the maintainers of the repository gets in.
Then, _you_ get to choose which repositories you trust.
That way, you don't have to judge the quality of all software yourself. You can leave that to the people who maintain the repositories. They will build up reputation over time, and you can go with the ones that have a good enough reputation by your standards.
A walled-garden app store like Apple's basically implements the first part of this. This is fine for a lot of people.
To also cater to those who want more freedom, without opening the flood gates, all you have to do is allow them to shop at other app stores, as well.
That's what I thought we had with android. There is the main android market, which I assumed had software that had been vetted in some way, and there are other markets, which could have lots of scary stuff. I do know from reading that the various malware scanners are almost worthless. So the iPhone model of the walled garden isn't used, and since virus scanners are useless, the PC model isn't used, what is an end user supposed to do?
So is there somewhere online that I can search to learn at least which apps are known malware?
-- QED
No degree of self-delusion on your part will change that.
You can be smug when Android or iPhone or Linux or MacOS has the same sort of "browse this webpage get infected" problem that Windows has.
http://en.wikipedia.org/wiki/Pwn2Own
Keep sticking your head in the sand and calling others self-delusional if you want.
In day 2 the iPhone 4 and Blackberry Torch 9800 were both exploited. Security researchers Charlie Miller and Dion Blazakis were able to gain access to the iPhone's address book through a vulnerability in Mobile Safari by visiting their exploit ridden webpage. The iPhone was running iOS 4.2.1, however the flaw exists in version 4.3 of the iOS.
it's almost all porn. there are better places to get porn than the android market :) I agree anyone who downloaded one of these apps must be a moron
Only 'flamers' flame!
I answered. Don't get mad if your attempt at being smarmy backfired. Not everything is made in China.
Also there's the fact that Taiwan has a much higher standard of living and pays much greater wages.
People have had it drummed into them for the last 10 years not to trust unsolicited emails, attachments, to run av software and to take other simple precautions to protect their computer and their personal data.
And they've had to do it because email is a bad IT system. It's trivial to spoof, which means it's hard to systematically block those with bad intentions.
You've just echoed the point of users being blamed for bad IT systems.
A total non-issue ..
once you download an app from an unknown source, then it's game over !!!
And WinMo *is* a smartphone platform...
That being said, when you combine all of the offerings from all of the different manufacturers on all of the carriers around the world, I have a hard time believing that Apple managed to surpass all of the sales of Android with only 37 million sales.
Why do you need to spoof anything?
People gladly email passwords to adminlstrator@gmail.com and run the attachment to "Subj: Look at those dancing bunnies ^_^ From: Jenny <os107vwvrb@yahoo.com>" without any spoofing going on.
There's no way to stop this with any messaging system as long as registration is open and doesn't require a proof of identity.
"Ah right. It's the user's fault. The classic excuse for bad IT systems."
No matter how secure a system you create, users will find a way to fuck it all up. This is not a new concept.
Of course it's not a new concept. You're just restating the CLASSIC excuse for bad IT systems I just mentioned.
However you decide is your decision, but in my years of providing tech support, I've discovered that yeah, most people should probably be on the walled garden, but convincing them of that fact is akin to telling any full grown adult they need to be supervised like children.
Apple are having no difficulty selling the idea to people. Not just on iOS, but on the Mac, where the option to download from where ever is still there, people are loving the Mac App Store. People like the reassurance that apps have been vetted, and they like the idea of a one stop shop.
And no it's not just for those who don't know much about technology. I've been computing since 1977, and I spent a decade in mobile development. And I far prefer the single vetted store concept of iOS.
I wouldn't give a kid who just got his learner's permit the keys to a Bugatti Veyron.
OK, car analogies. An automatic isn't just for those who don't know how to use a stick shift. A seat belt isn't just for those who can't recognise hazards.
Why do you need to spoof anything?
One could write a book on it. Spammers and worms spoof all sorts of headers in email. So ask yourself what they know that you don't.
There's no way to stop this with any messaging system as long as registration is open and doesn't require a proof of identity.
You're lacking in imagination. For example: You want access to the internet, you go to an ISP and you subscribe and get an account. Suppose the messaging system was tied to that account, with no spoofing possible. When you get discovered as a spammer or sending malware, that account is frozen. That would stop spammers in their tracks, as they'd have to sign up and pay for another ISP account. And users with worm infections would need to get their computers cleaned up before they get their account unfrozen.
And that's just one of the many possibilities of a vastly more secure messaging system than email.
I'm not sure how, but you've hit the crux of it. With Windows, we expect this "blame the user" scenario because we've been trained to expect it.
That's how. I'm a Mac developer. In that community, if users are doing things wrong, then the instinct isn't to blame the users, but to ask how the software can be better.
Wouldn't it be fucking nice if it only could have unchecked internet access to an explicit list of URLs and "full internet access" meant "initiated by user action"?
Can your mom differentiate between a good URL and a bad URL? If not then it's a pointless idea as a security feature for a phone.
Delegating vetting of apps' behaviour to end users is a fundamentally bad idea. It's a task that requires skills and experience, and you can't assume them in a consumer product. This is stuff that should be done by professionals in the supply chain.
I'm not sure how, but you've hit the crux of it. With Windows, we expect this "blame the user" scenario because we've been trained to expect it. We were hoping for better with Android. But there are just so darned many apps now to vet.
Maybe a second level of "hey, these permissions are really loose and align with known malware. Are you really sure you want to enable this app to upload all your files and your contacts list to any random website and dial 1-900 numbers to run up your phone bill?" consent might be required.
Or maybe just triggers for additional inspection of apps based on required permissions. But that costs money, and somebody has to pay for that. Maybe a permissions cost matrix for uploading your app, to pay for the code inspection. That would encourage developers to require the minimum necessary permissions.
I'd like to see just plain simple color coding added. The permission prompt would be red if the app was asking for permissions that include things like sending sms messages. Green would be for something that only asked for minimal or no permissions.
I like the idea of tiered costs based on permissions, but it's probably not going to be much of an obstacle for the guys that really want the permissions to do shit like hijacking your browser to point to click-through sites.
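The permission warning, colour coding and tiered upload fee floated in the comments above can be sketched as a single triage routine over an app's manifest. The following is an added example, not code from the thread, from Google or from Symantec; the permission weights, thresholds, fee schedule, "risky combination" rules and both sample manifests are assumptions constructed for illustration, and the second manifest is a made-up suspicious one, not the manifest of any real application.

```python
import xml.etree.ElementTree as ET

# AndroidManifest.xml attributes live in this namespace, so ElementTree keys
# them as "{namespace}name" rather than "android:name".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Weights are an assumption for this example, not a published scale: higher
# means greater potential for cost to the user or data leakage.
PERMISSION_WEIGHTS = {
    "android.permission.SEND_SMS": 5,
    "android.permission.CALL_PHONE": 4,
    "android.permission.READ_CONTACTS": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.READ_EXTERNAL_STORAGE": 2,
    "android.permission.WRITE_SETTINGS": 2,
    "android.permission.INTERNET": 1,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
}

# Combinations that together enable the behaviours the thread worries about
# (upload contacts or files, send paid messages). Also an assumption.
RISKY_COMBOS = [
    ({"android.permission.READ_CONTACTS", "android.permission.INTERNET"}, "contacts can be uploaded"),
    ({"android.permission.READ_EXTERNAL_STORAGE", "android.permission.INTERNET"}, "files can be uploaded"),
    ({"android.permission.SEND_SMS"}, "can send premium-rate SMS"),
    ({"android.permission.CALL_PHONE"}, "can dial numbers without a dialer prompt"),
]

# Constructed sample manifests (not from any real app).
GAME_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Puzzle"/>
</manifest>"""

SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.shooter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application android:label="Shooter"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def score(perms: set):
    """Sum the weights (unknown permissions cost 1) and list matched risky combos."""
    total = sum(PERMISSION_WEIGHTS.get(p, 1) for p in perms)
    reasons = [why for needed, why in RISKY_COMBOS if needed <= perms]
    return total, reasons


def rate(perms: set):
    """Colour-code the permission prompt: red for paid-message/dialing
    permissions or a high total, yellow for moderate, green for minimal."""
    total, reasons = score(perms)
    money_perms = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
    if perms & money_perms or total >= 8:
        colour = "red"
    elif total >= 3:
        colour = "yellow"
    else:
        colour = "green"
    return colour, total, reasons


def upload_fee(perms: set, base: int = 25, per_point: int = 10) -> int:
    """Tiered submission fee: a flat base plus a charge per risk point, so
    asking for fewer permissions is cheaper. Amounts are illustrative."""
    total, _ = score(perms)
    return base + per_point * total


if __name__ == "__main__":
    for name, manifest in (("puzzle", GAME_MANIFEST), ("shooter", SUSPICIOUS_MANIFEST)):
        perms = requested_permissions(manifest)
        colour, total, reasons = rate(perms)
        print(f"{name}: {colour} (score {total}, fee {upload_fee(perms)})")
        for r in reasons:
            print(f"  - {r}")
```

Run as a script it prints one line per manifest with the colour, score and fee; the weights are the part a store would actually have to get right, since anything a developer can game cheaply (as one reply notes) will be gamed by the people who want the permissions most.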
It's hard to take anything Symantec says seriously as regards security. They have every incentive to make things seem far worse than they really are. Does Symantec offer an antivirus for Android?
Yes they have a number of products for Android, so yes they aren't exactly non-biased.
http://us.norton.com/mobile-security/
One could write a book on it. Spammers and worms spoof all sorts of headers in email. So ask yourself what they know that you don't.
You seem to have misunderstood me. I'll rephrase: "Why do you need to spoof anything to make morons do what you need?"
What difference do headers make, when a) sender uses throw-away account on legitimate mail service (or worm uses victim's mailbox and address book), b) user doesn't understand "Don't tell your password to anyone", c) user wants his motherfucking dancing bunnies and doesn't even look at sender's name?
You're lacking in imagination. For example: You want access to the internet, you go to an ISP and you subscribe and get an account.
> as long as registration is open and doesn't require a proof of identity.
You basically propose yet another variation on the Internet passport theme.
Apple are having no difficulty selling the idea to people. Not just on iOS, but on the Mac, where the option to download from wherever is still there, people are loving the Mac App Store. People like the reassurance that apps have been vetted, and they like the idea of a one stop shop.
Uh, good for those people, I guess? It's still a layer of security that everyone does not need, hence why people opt out of it by choosing Android. Hell, there are millions of people that opt out by jailbreaking their iDevices, which comes with its own set of risks. Clearly, some people prefer having a choice one way or the other, if they're willing to go to such lengths to have one...
And no it's not just for those who don't know much about technology. I've been computing since 1977, and I spent a decade in mobile development. And I far prefer the single vetted store concept of iOS.
I never said it's just for people that don't know much about technology. I said people that don't know much about technology should opt for the walled garden. I know techy people that went with the iPhone because they didn't feel like fiddling with their phone and wanted one that "just works".
I can tell that you're sensitive about people criticizing the walled garden, but it's not like it's perfect. Like I said, it comes with a loss of personal control that some people are unwilling to accept, that's an undeniable fact, unless at some point recently Apple started letting people install and run whatever the hell they want on their phone. Personally, I prefer having the ability to run whatever apps I wish on my phone regardless of whether or not it's considered "safe".
I just wish I knew what so terrified some of these more "locked down" companies about giving people the choice one way or the other with their own device. That's the biggest thing that would irritate me, the fact that after paying hundreds of dollars for a piece of hardware it still has the nerve to tell me I can't do something arbitrary with it. I can take a hammer to it if I want, but I can't run an unapproved app, even if I assume all the risks of doing so? Come on.
I run several unofficial apps on my Android phone and have never had a problem. It's not like all blocked apps are blocked for being "malware", after all, and I'm willing to take the risk.
Can your mom differentiate between a good URL and a bad URL?
She can. Why shouldn't she? It's not like there are no bad URLs outside apps. It should be as much common sense as knowledge of mail frauds and con tricks.
Delegating vetting of apps' behaviour to end users is a fundamentally bad idea. It's a task that requires skills and experience, and you can't assume them in a consumer product. This is stuff that should be done by professionals in the supply chain.
Maybe, though I, like many others, prefer choice. But why does that invalidate a need for a better permission system? AFAIK, iOS basically permits applications to do whatever they want with the internet, relying on vetting to weed out abuse - and it's not guaranteed to work. There have already been a handful of examples, like Dolphin browser quietly sending every URL you visit to their server "to check compatibility with Webzine".
You seem to be opposed to it only on "iOS approach good, Android approach bad" basis. I don't see anything wrong with requiring basic knowledge from smartphone users. Is "Don't install games that want to send paid messages on your phone" so much harder than "Don't put metallic tableware in the microwave"?
OK, car analogies. An automatic isn't just for those who don't know how to use a stick shift. A seat belt isn't just for those who can't recognise hazards.
Yeah, your post was good right up to here. Even if you are adept at spotting hazards, would you trust others to? The malware door swings many ways.
When all else fails, you've won.
I'll rephrase: "Why do you need to spoof anything to make morons do what you need?"
And whilst you have the arrogance to call people whose specialism isn't IT "morons", you're never going to be able to see that the problem is your own inability to see past current solutions.
What difference do headers make, when a) sender uses throw-away account on legitimate mail service (or worm uses victim's mailbox and address book), b) user doesn't understand "Don't tell your password to anyone", c) user wants his motherfucking dancing bunnies and doesn't even look at sender's name?
What I proposed doesn't have throw-away accounts. And because abusers can't spoof, their account is quickly blocked after their early abuses, and few people ever get the password troll or dancing bunnies offer.
> as long as registration is open and doesn't require a proof of identity.
You basically propose yet another variation on the Internet passport theme.
You're the one that put the arbitrary requirement of open registration and lack of proof of identity in there. Whilst there is a need for anonymous services for whistleblowers and so forth, it doesn't have to be the same system the rest of us use for day to day messaging.
Slashdot also generates money through paid subscriptions.
Oh right - how could I overlook that? It makes a huge difference.
Do they sell t-shirts too?
And whilst you have the arrogance to call people whose specialism isn't IT "morons", you're never going to be able to see that the problem is your own inability to see past current solutions.
Why the fuck do you need to be an IT specialist to refrain from clicking dancing_bunnies.exe or sending passwords?
Do you need to be a security pro to refrain from giving the keys to your house to random strangers? Do you need to be an auto mechanic to refrain from crossing the street on a red light? Do you need to be an electrician to refrain from shoving a hairpin in the outlet?
It's a new technology entering everyday life and people have to learn the rules, just like they did with electricity a century ago.
You're the one that put the arbitrary requirement of open registration and lack of proof of identity in there
And you're the one that put the arbitrary requirement of "one man - one account". Making everyone go naked because someone might have a weapon under clothes is not a rational solution and replacing all forks with spoons because someone might stick it in his eye is not a rational solution. Trading liberty for security, yada, yada, yada.
Trading liberty for security, yada, yada, yada.
Ah, you're a libertarian. You'll probably grow out of it.
Oh my, ran out of arguments so fast? :( Well, good day to you too.
P.S.: "Ah, you're a libertarian." - nope. Try some better ad hominems next time.
What I proposed doesn't have throw-away accounts. And because abusers can't spoof, their account is quickly blocked after their early abuses, and few people ever get the password troll or dancing bunnies offer.
Except spammers and phishers will still spoof because there are corrupt ISPs and corrupt people who work for ISPs who'd generate accounts, and lots of people who'd willingly be paid to sign up for accounts to be used by spammers, and lots of people who'd unwittingly be signed up by spammers via botnets, trojans, etc.
So your measures wouldn't work but they'd certainly have a massive chilling effect on free expression on the internet. Lots of people appreciate being able to separate their real life from their online life yet all that would be toast. I have multiple email accounts myself not because I engage in phishing / spamming but because I want to be able to voice my opinion without any incursions on my real life.
Except spammers and phishers will still spoof because there are corrupt ISPs and corrupt people who work for ISPs who'd generate accounts, and lots of people who'd willingly be paid to sign up for accounts to be used by spammers, and lots of people who'd unwittingly be signed up by spammers via botnets, trojans, etc.
When messages are not possible to spoof they are traceable, and all these things are then policeable.
So your measures wouldn't work but they'd certainly have a massive chilling effect on free expression on the internet. Lots of people appreciate being able to separate their real life from their online life yet all that would be toast.
Not at all. Just because email could be replaced with something better that is traceable doesn't mean forums and blogs disappear. Nor does it mean that other anonymous message systems can't exist for the minority that need that.
It just means that the majority of wanted email traffic, which is legitimate messages and attachments, from people and companies known to each other, isn't littered with spam, malware and phishing attempts.
There is no down side to this. It's just difficult to make it happen because of the network effect. (Until the vast majority of ISPs and users use it, it doesn't have value as the primary messaging system.)
Erm, Foxconn is not the only company in China.
Much like Asus, Samsung runs their own production complex in China.
And while HTC's premium flagship phones are made in Taiwan, I'd guess most of the rest of them are made in Foxconn
Bolded the key word. Once again, there's no evidence of this but nice try to spread FUD.
Calling someone a "hater" only means you can not rationally rebut their argument.
I encourage you to challenge him on his BS. When actually challenged, he shuts up (because he never seems to actually be able to back up his statements with logic or facts). And that is a relief for us all. :o)
When messages are not possible to spoof they are traceable, and all these things are then policeable.
As I said, there would be plenty of holes in such a system, so it wouldn't be perfect. Emails will be forged, stolen, and hacked. Phishers use bots to mass mail their outgoing spam. It would be but a tiny extra step to use it for their incoming responses too - pick a handful of users from their massive botnet to act as daily receivers and that's that. One might also look at "traceable" systems like moneygrams, or electronic bank wires to see they are no remedy against fraud at all.
Your imagined email system is impossible to implement.
Not at all. Just because email could be replaced with something better that is traceable doesn't mean forums and blogs disappear. Nor does it mean that other anonymous message systems can't exist for the minority that need that.
Er yes it would. Obviously.
Forums and blogs are hacked all the time. So all I need do is hack a forum or pay someone to and I have a complete, unique, personally identifiable email for each member. Perhaps I could print it out for all to see or just engage in a spot of extortion or blackmail as easily. Also, because forums / blogs would be guaranteed to be associated with a personally identifiable email, it would be so much more attractive to subpoena a blog / forum, which is a financial and administrative burden most operators could do without.
Might not matter much if this was a couple of people talking shit on a World of Warcraft forum. It might matter a huge deal if it's a forum dealing with rape, incest, criminal / drug rehabilitation, malpractice, corporate oversight, sexuality, whistle blowing, politics, religion or anything else people might talk about in anonymity but not in a personally identifiable way.
There is no down side to this. It's just difficult to make it happen because of the network effect. (Until the vast majority of ISPs and users use it, it doesn't have value as the primary messaging system.)
Except there are massive downsides. If certified emails were straightforward and desirable to implement then all the big names would have done it. The fact is it is neither.
IIRC, all GSM Galaxy Nexuses are made in Korea in 2011.
That seems to be an isolated incident of an engineer, not a factory worker, so no, it is not the same.
What was it you didn't understand about "engineers and factory workers" in paragraphs 2 and 4?
And that was just a random pick of the many articles that Google returned.
If you think the working conditions are any better at HTC than Foxconn, you're deluding yourself.
NetBSD isn't popular because it uses the same security philosophy as the very popular Apple app store?
I think there just might be one or two other tiny factors involved there that you're skipping over.. one being that the popularity of the iPhone has nothing to do with security.
which is totally what she said