Android Lollipop Can Be Hacked With Very Long Password
Complex passwords are the way to beat some attacks, but for phones running the latest version of Android, that's not necessarily so: puddingebola writes with an excerpt from an article at CNN: Locked phones require a passcode. But there's a way to get around that. Just type in an insanely long password. That overloads the computer, which redirects you to the phone's home screen. It's a time-consuming hack, but it's actually easy to pull off. In a report published Tuesday, computer security researcher John Gordon documented the vulnerability and posted a video of the hack. It only affects smartphones using the latest version of the Android operating system, Lollipop.
Yeah, if you have hardware access to a device you own it. Nothing new to see.
Really? I'd love to bypass the bootloader on MY Verizon-compatible Kitkat GS4. Please post links.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Nothing to do with java. Buffer overflows are quite possible with java, but this problem has everything to do with shitty coding, not the implementation language.
No, but this problem has everything to do with shitty operating system design. The login "screen" should not just be an application that maximizes its screen to cover the UIs of all other applications. That is a naïve implementation, and it opens the supposed security feature up to all kinds of attacks, including shatter attacks and more. Not to mention that an application crash will cause the OS to clean up and close the "blocking" window.
Google should take a cue from Windows and make the login screen a totally separate "desktop" which is completely isolated from the "user" desktop. Switching between the two should be a privileged operation, one that can only be executed by trusted login applications. This way a mere exception will not cause the "login" program to crash, close and reveal the user desktop.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
All those promises only turned out to be true-ish. The chimpanzee quota for most teams actually remained fairly consistent. Turns out a lot of companies were hiring chimpanzees before Java came along. Some of the chimpanzees tried to use Java for system-level programming, and it turned out to not be very good at that. While it was technically true that you didn't have to worry about memory management anymore, if you didn't, you mostly handled your server running out of memory and crashing every few days by rebooting it every couple of days. Logs became a morass of unhandled and permanently ignored exceptions. I often start a new job, look in their logs directory and find gigabytes of exceptions that no one ever looked at.
But you know, it's still better! Because now instead of most programs being giant masses of functions that reimplement system API commands and never take responsibility for any action, they're now giant masses of objects that reimplement system API commands and never take responsibility for any action. Some of them just pass messages around from service to service, none of which anyone truly understands since the system designer was laid off years earlier.
Arguably yeah, implementation language doesn't make a difference. All those teams could have written shitty code and poorly designed systems no matter what language they were using. The implementation language just makes it easier to operate without any discipline and maintain the illusion that they're competent at what they're doing.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Windows' login screen isn't on a separate desktop. It's the only desktop.
The boot process hands control to the kernel loader (ntldr), which starts the kernel (ntoskrnl and kernel32), which starts the service control manager (scm), which starts winlogon.exe, which calls security account manager (sam) to authenticate and then spawns instances of the local security authority (lsass) for each user that logs on. The lsass process, in turn, hosts virtual desktops for the user. Usually there are 2 virtual desktops per user: the regular visible one and the "secure" one that is only used for UAC prompts. Everything within those virtual desktops runs at the mercy of lsass.
So you basically have the right idea, but described it the way Unix-based systems do it. Instead, Windows' nested/hosted startup process requires less plumbing than the method you describe. You don't need to protect the log-in program from "untrusted" execution if it's only allowed to run once (a simple mutex can handle enforcement) and it runs from boot and hosts everything in userspace. It's basically the kernel's userspace process supervisor.
In a past life I led UAT/QA testing teams, and I mostly blame poor fail state handling with a fair amount of positive-result-only testing. A lot of bits are coded such that they really only handle "correct" data, and anything else doesn't get handled properly or at all. On top of that, plenty of test case scenarios either only test that things work properly when used properly, or for things that include fail states that they still only really test "correct" usage. I used to get teased a fair amount for doing things like pasting huge amounts of data in fields (just for bugs like this one), or uploading images to csv-expecting text-based importers, or clicking buttons as fast as I could when it was only expecting a single click, but I found all kinds of weird bugs that way. My favorite, and relevant to this, was when I discovered that entering in a massive block of text on the customer account management site's Add Email Mailbox wizard would crash the entire customer management site systemwide. That one got fixed pretty quickly.
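The two design points raised in this thread, a lock screen that fails open when it crashes and a test suite that only ever feeds "correct" input, can be shown side by side in a small model. The following is an added example written for this page; it is not code from the CNN article, from Google, or from Android. All names in it (FragileLockScreen, HardenedLockScreen, os_dispatch, negative_tests, MAX_PASSCODE_LEN) are invented for illustration, and the 10,000-character widget limit is a constructed stand-in for whatever resource a real UI exhausts.

```python
"""Fail-open versus fail-closed lock-screen handling, plus a negative test.

Added example for this thread; not code from the article, Google, or Android.
Every identifier is invented, and the widget limit below is constructed.
"""

MAX_PASSCODE_LEN = 64       # assumed cap; a real product picks its own
CORRECT_PASSCODE = "1234"   # constructed sample credential


def render_hint(entered: str) -> str:
    """Stand-in for a UI widget that falls over on huge input (constructed limit)."""
    if len(entered) > 10_000:
        raise MemoryError("widget buffer exhausted")
    return "*" * len(entered)


class FragileLockScreen:
    """Naive design: the lock screen is an ordinary app drawn over the home
    screen. Nothing in its input path bounds length or catches errors."""

    def __init__(self) -> None:
        self.locked = True

    def submit(self, entered: str) -> None:
        render_hint(entered)                 # may raise on oversized input
        if entered == CORRECT_PASSCODE:
            self.locked = False


class HardenedLockScreen(FragileLockScreen):
    """Same screen with two defences: bound the input before any expensive
    work, and treat any failure as 'stay locked'."""

    def submit(self, entered: str) -> None:
        if len(entered) > MAX_PASSCODE_LEN:
            return                           # reject cheaply, still locked
        try:
            render_hint(entered)
            if entered == CORRECT_PASSCODE:
                self.locked = False
        except Exception:
            self.locked = True               # fail closed: never unlock on error


def os_dispatch(screen: FragileLockScreen, entered: str) -> bool:
    """Models the OS behaviour described in the thread: a crashing lock-screen
    window is torn down, exposing whatever sits beneath it. Returns True if
    the home screen is now visible."""
    try:
        screen.submit(entered)
    except Exception:
        screen.locked = False                # window gone, home screen shows
    return not screen.locked


def negative_tests(make_screen) -> dict:
    """Feed the screen the kind of input a QA tester pastes on purpose and
    record, per case, whether the home screen became visible without the
    passcode. Inputs are constructed; none is a real credential."""
    cases = {
        "empty": "",
        "wrong": "0000",
        "max_plus_one": "9" * (MAX_PASSCODE_LEN + 1),
        "huge": "9" * 50_000,
    }
    leaks = {}
    for name, entered in cases.items():
        screen = make_screen()
        leaks[name] = os_dispatch(screen, entered)
    return leaks


if __name__ == "__main__":
    for cls in (FragileLockScreen, HardenedLockScreen):
        print(cls.__name__, negative_tests(cls))
```

The point of `negative_tests` is the "huge" case: the fragile screen reports the home screen visible because its crash was handled by something outside it that has no notion of "locked", while the hardened screen rejects the input before the fragile widget ever sees it and, even if something inside did throw, resets to locked rather than letting the caller decide. A test that only ever submits the right passcode would pass both classes.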
The metaproblem here is that Google is less competent than they imagine to develop Android by themselves as they do. The short form of that is one word: hubris.
When all you have is a hammer, every problem starts to look like a thumb.