Slashdot Mirror


Google Fixes Zero-Day Kernel Flaw, Says Effect on Android Not Really That Bad (csoonline.com)

itwbennett writes: Google has developed a patch for Android in response to a flaw in the Linux kernel and has shared it with device manufacturers. That doesn't mean the patch will hit users' phones right away, though. It might take weeks. But that's ok, says Google, because most Android devices are unlikely to run vulnerable kernel versions, and those that do are protected by SELinux.

132 comments

  1. Ridiculous by Anonymous Coward · · Score: 2, Insightful

    If there's a security fix for iOS, I can download and install it right away. There's no reason that shouldn't be the case for Android. This is ridiculous. And what if the manufacturers have disabled SELinux or set it to be permissive? It's a matter of time before a worm like Blaster hits Android and does some serious damage. Fix your damn security model!

    1. Re:Ridiculous by phantomfive · · Score: 3, Insightful

      If there's a security fix for iOS, I can download and install it right away. .... Fix your damn security model!

      Some people would say that security doesn't depend on fast updates: security depends on not having security vulnerabilities in your software to begin with.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Ridiculous by Harlequin80 · · Score: 2

      Out of interest can you point to any in the wild infections for Android?

    3. Re:Ridiculous by SirSlud · · Score: 2, Insightful

      You're right. Some people would say that security depends on being perfect. Those people however are living in a dream world where trying to prevent mistakes and fixing mistakes are somehow physically mutually exclusive.

      --
      "Old man yells at systemd"
    4. Re:Ridiculous by phantomfive · · Score: 1

      You're right.

      I have to say we are in total agreement.

      Some people would say that security depends on being perfect.

      Whether perfection is possible or not: that is a philosophical question.
      More practically, we can easily do better in security than we are doing now by an order of magnitude.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Ridiculous by Anonymous Coward · · Score: 2, Insightful

Nobody can deny the Android update situation is a complete mess. But Apple aren't exactly security darlings here. Sure, you get the updates immediately... when Apple gets around to it. You still have to live with years-old known vulnerabilities, and major issues being held back for more product-cycle friendly release timescales.

    6. Re:Ridiculous by Anonymous Coward · · Score: 0, Troll

      Look, dipshit, the problem is that most Android users aren't using a Google branded device. They're manufactured by someone else who configures, builds, and installs Android on the device. It's great for the few Android users who use Google devices, but those are typically lagging behind in hardware and are a small minority of Android devices.

    7. Re:Ridiculous by Anonymous Coward · · Score: 1

      Google updates Android, folds in fixes submitted through AOSP and pushes them out to Google devices. That is where their responsibility ends. Google cannot make any hardware manufacturer push those updates out.

      The hardware maker is the one who is supposed to take Google's updates, negotiate terms with the carriers and push them out to their devices. The end user is also free to manually install updates themselves and many do, which is why so many unofficial firmwares are available through places like xda devs.

    8. Re:Ridiculous by shawn2772 · · Score: 5, Informative

      what if the manufacturers have disabled SELinux or set it to be permissive?

      Then those manufacturers' devices cannot pass the Android Compliance Test Suite, and they have no right to call their devices Android and cannot use Google's apps. SELinux, in enforcing mode and with the Google-defined configuration (mostly; OEMs can make tweaks in some areas, but not the ones relevant to this vulnerability) has been a formal Android compliance requirement since Lollipop.

      It's a matter of time before a worm like Blaster hits Android and does some serious damage.

      I doubt it. Android is vastly more secure than Windows was (or even is... and Windows is much better than it was when Blaster hit). The lack of updates delivered by OEMs has caused the Android security team to focus on defense in depth, and the system is working pretty well (see last year's report -- or wait a bit for the new report which should be out in a few weeks). In particular, less than 0.1% of Android devices that use the Play store have any potentially harmful apps (PHA) installed, and that PHA definition is much broader than just traditional malware. Of the PHA apps, only about 5% try to exploit vulnerabilities; the rest focus on social-engineering the users.

      So, 0.005% of Android devices have some exploit-using malware on them. And AFAIK there are no Android worms. So, I really, really doubt Android is ripe for a Blaster.

      Fix your damn security model!

      The Android security model is actually very good... with one glaring exception, which is the update problem. But Google has committed to a monthly patch cycle for Nexus devices, and several other OEMs have hopped on that patch train. Thanks to that, carriers are being forced to get updated software through QA faster, and the focus on monthly updates is pushing OEMs to simplify their offerings to make updating them more practical (you probably won't see a visible reduction in number of offerings; but in the future I expect each model will have a handful of SKUs, at most, rather than hundreds as is often the case today).

      The update problem isn't going to get fixed overnight, but I think it is getting fixed, at least from top manufacturers. The next step is for consumers to insist on well-defined and sufficiently-lengthy support and update policies as a condition of purchase, to force all of the rest to get with the program.

      In the short term, if you want the most secure and up-to-date Android device, buy Nexus, but I expect soon others will be challenging Google for that spot.

      (Full disclosure: I'm a Google engineer, on the Android security team.)
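The two mitigations claimed in the summary and defended above are that SELinux is enforcing and that the kernel or patch level on the device is not the vulnerable one. Both are things a user can check on their own handset rather than take on trust. The script below is an added example, not code from the thread or from Google: it reads `getenforce`, `uname -r` and the `ro.build.version.security_patch` property over `adb shell` when a device is attached, and otherwise falls back to constructed sample values so it still runs. The cutoff date is an assumption; set it to the security bulletin that carries the fix you care about. The thread does not say which kernel versions are affected, so the kernel release is only reported, not judged.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread or from Google): triage a handset's
# exposure the way the comment above frames it. Is SELinux actually enforcing, and
# is the security patch level at or past the bulletin with the fix?

# Returns 0 only for "Enforcing"; Permissive, Disabled or an empty reply all fail.
selinux_enforcing() {
    case "$1" in
        Enforcing) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when a YYYY-MM-DD patch level is at or after the cutoff.
# Both dates are reduced to YYYYMMDD integers; a missing or malformed
# property counts as "not patched", which is the safe assumption.
patch_level_at_least() {
    p=$(printf '%s' "$1" | sed 's/-//g')
    c=$(printf '%s' "$2" | sed 's/-//g')
    case "$p" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) [ "$p" -ge "$c" ] ;;
        *) return 1 ;;
    esac
}

# Arguments: getenforce output, patch level, cutoff date.
# Prints "ok" or a space-separated list of findings.
assess() {
    enforce="$1"; patch="$2"; cutoff="$3"
    problems=""
    selinux_enforcing "$enforce" || \
        problems="$problems${problems:+ }selinux-not-enforcing"
    patch_level_at_least "$patch" "$cutoff" || \
        problems="$problems${problems:+ }patch-level-before-$cutoff"
    if [ -z "$problems" ]; then
        echo "ok"
    else
        echo "$problems"
    fi
}

CUTOFF="2016-01-01"   # assumed: replace with the bulletin date that ships the fix

if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    # Live values from the attached device; strip the CRLF adb shell emits.
    ENFORCE=$(adb shell getenforce | tr -d '\r\n')
    KERNEL=$(adb shell uname -r | tr -d '\r\n')
    PATCH=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
else
    # Constructed sample values, not taken from any real device.
    ENFORCE="Permissive"
    KERNEL="3.10.49-sample"
    PATCH="2015-10-01"
fi

echo "kernel=$KERNEL selinux=$ENFORCE patch=$PATCH -> $(assess "$ENFORCE" "$PATCH" "$CUTOFF")"
```

A device that prints `Permissive` here is exactly the case the first commenter worried about and the Google engineer says should not pass compliance; a device that prints `Enforcing` but carries a months-old patch level is the normal state of an OEM handset waiting on the update pipeline the rest of the thread argues about.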

    9. Re:Ridiculous by Anonymous Coward · · Score: 0

      You *do* realize that people who have to wait months before being able to download an update are in that predicament because of their own choices, right? I bought a Google Nexus phone, I can download the updates as soon as they're published and sideload the new image on my phone, or I can wait another week and have it pushed out OTA.

      Oh wait, you don't care what reality is, you're probably more interested in bashing Android in any way possible :)

    10. Re: Ridiculous by io333 · · Score: 2

Google could require that manufacturers subscribe to some sort of security update model as a requirement before using Android software. By not doing this, Google is opening itself up to tremendous liability should something bad ever happen. You may not think so, but some jury someday may think differently. I know of what I speak, though I would prefer not to give full disclosure.

    11. Re:Ridiculous by cfalcon · · Score: 2

      Well, given that we're discussing a case where Android has a vulnerability, then the speed of the update is pretty relevant.

    12. Re:Ridiculous by jrumney · · Score: 1

      If there's a security fix for iOS you don't even hear about it until Apple is ready to ship on all devices they are still supporting.

    13. Re:Ridiculous by Anonymous Coward · · Score: 0

      Your post is informative and I thank you for posting it. I agree that Android security isn't as bad as it's made out to be. That said, there are still some design issues that led to vulnerabilities like Stagefright. I have no doubt that work is being done to ensure that similar vulnerabilities don't exist in the future. Also, I do prefer the iOS permissions model, in which users are specifically asked to enable permissions for particular apps as needed. The Android model is OK, but could be improved.

      The bigger issue is, as you say, the OEMs and carriers not sending out Google's updates in a timely manner. As you noted, formal testing is required before a device can be called an Android device and before the Google Mobile Services suite can be distributed at all. I don't understand why a requirement to deliver updates in a timely manner for a lengthy period of time isn't part of obtaining a license for GMS distribution. It seems like Google has more leverage here than ordinary users do because most consumers aren't aware of the problem. With respect to a Blaster-like worm, I agree that such a thing is unlikely. It would be a big mess, but it might also help solve the problem. Blaster was the first time I can recall that security and updates were brought to the attention of a very large segment of ordinary Windows users. If market forces are going to resolve the issues of OEMs delivering updates to carriers, that would unfortunately be the most effective way to make it happen.

      One other thing I have an issue with is some of the crapware that's loaded onto devices by carriers. I have a Galaxy Note 4 with Verizon as my carrier. I have no problem that Samsung has preloaded some of their apps onto my phone to provide basic functionality. Likewise, my carrier has good reason to load a few apps that provide basic functionality specific to them. However, I have a big problem with some of the other software that resides on my phone, including apps and software that I don't want and especially a program called DT Ignite. In short, DT Ignite pushes apps out to my phone that aren't installed through any appstore, that sometimes aren't up to date, and without my permission. Furthermore, short of doing something that would void my phone's warranty, I can't remove DT Ignite, though I can remove the apps it installs without my permission. I suspect app downloading by DT Ignite probably also counts against a user's data usage. I do take objection with your malware statistics if something like DT Ignite isn't counted, and it surely isn't because there are a lot of Android devices on Verizon. I'd think Google could take care of this as part of the GMS licensing, but they don't seem inclined to do so.

      I have no doubt that Android security, as Google designs the system, is pretty good. But OEMs and especially carriers do a lot to undermine security. As I see it, my phone shipped with malware (DT Ignite) that I can't remove without voiding the warranty.

    14. Re:Ridiculous by Anonymous Coward · · Score: 0

      As opposed to Android, where they might tell you about it if they feel like it but never ship.

    15. Re:Ridiculous by thejynxed · · Score: 1

No they won't, because too many of them insist on having everything their way once you guys sign off on their use of Android. This leads to everything from locked bootloaders, out of date kernels, no OS patches at all, etc. This isn't getting better, it has been steadily getting worse, with the number of devices updated by OEMs and carriers to Lollipop and Marshmallow being lower than any previous versions of Android. Many places are still selling flagship models with Lollipop that don't even have Marshmallow in the upgrade pipeline. It's just ridiculous.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    16. Re:Ridiculous by Anonymous Coward · · Score: 0

      In a sense you live in a dream world... a world full of false dichotomies and without code auditing or choosing the right tools for a job.

    17. Re:Ridiculous by ChunderDownunder · · Score: 1

      In the short term, if you want the most secure and up-to-date Android device, buy Nexus, but I expect soon others will be challenging Google for that spot.

      Except when Google discontinues your device support. :(

      Please encourage your superiors to release official Marshmallow images and updates for the Google Nexus 4.

    18. Re: Ridiculous by cyber-vandal · · Score: 1

      You are a pathetic fanboi with no grasp on reality at all.

      It's not the fault of the users that Google has failed to set up an ecosystem where they're protected from security flaws.

      It's not the fault of the users that carriers and OEMs don't give a shit about their customers.

      It's not the fault of the users that they can't buy Nexus devices in their country.

      If Microsoft tried this bullshit they'd be torn a new one on here but because it's Linux under the hood it must be defended to the death.

    19. Re: Ridiculous by cyber-vandal · · Score: 1

How are consumers going to demand that when all the OEMs are varying levels of useless? Google has the power to pressure them to be better but doesn't seem to want to use it.

    20. Re:Ridiculous by thegarbz · · Score: 1

      Thanks to that, carriers are being forced to get updated software through QA faster

      Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?

    21. Re:Ridiculous by Flavianoep · · Score: 1

      Should they wait for one and then act?

      --
      Linux is for people who don't mind RTFM.
    22. Re:Ridiculous by arglebargle_xiv · · Score: 1

      However, I have a big problem with some of the other software that resides on my phone, including apps and software that I don't want and especially a program called DT Ignite.

      There's an app for that. Also, the carriers claim the bloatware downloads are zero-rated, although that's been a bit hard to verify.

    23. Re:Ridiculous by Anonymous Coward · · Score: 0

      Is there a list somewhere of manufacturers that do offer timely updates, or which run the google version of android directly so updates are available as soon as google publishes them?

    24. Re:Ridiculous by jeremyp · · Score: 1

      There is a reason why it shouldn't be the case for Android. The reason is that Google doesn't make the phones. This patch will have to be tested on each manufacturer's devices before it is made available. Google isn't going to do that, the manufacturers are. Well, you'd hope the manufacturers are.

      This is the fundamental difference between the Android and iOS ecosystems, Android is fragmented, iOS is monolithic.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    25. Re:Ridiculous by Errol+backfiring · · Score: 1

      The next step is for consumers to insist on well-defined and sufficiently-lengthy support and update policies as a condition of purchase

      That would be nice if a user had anything to say about the stuff he would buy. You can demand every reasonable thing in the world, but "then don't buy it" is the only answer you will ever get.

      Not buying a phone might give you a good feeling for living up to your principles, but it will not result in a phone with reasonable support.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    26. Re:Ridiculous by Letophoro · · Score: 1

      Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?

      You would think so. Unfortunately, the way it is unless you have a Nexus phone is that first the manufacturer has to vet the patch, then the carrier has to vet it. In part because both pile useless software onto the handset that might rely on whatever is being patched. Even more unfortunately, neither of them have any vested interest in actually applying the patch because they would rather sell a new handset and get you into another contract instead.

      While I am not an Apple fan, I think their model of removing other actors from the security equation is beneficial. The Google -> Nexus model is essentially the same thing and is partially why I have a Nexus phone.

    27. Re:Ridiculous by kbg · · Score: 1

      Yes here is the list of manufacturers that offer timely updates:
        * None

    28. Re:Ridiculous by MachineShedFred · · Score: 1

      Yeah, because in the history of software development, there are exactly zero products that have shipped, and are 100% free of bugs and flaws. So don't worry about how fast you can patch it.

      --
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    29. Re:Ridiculous by MachineShedFred · · Score: 2

      That's a fantastic excuse for a horrible model.

      If Google actually wanted to get serious about this, they would contractually obligate their OEMs to send security-related updates in a timely fashion. Yet they don't, and *their* platform continues to have this god damn mess.

      Throwing up your hands and saying "that is the OEM's problem" is a fantastic way to be selling devices that are actively exploitable, and ruin the reputation of your brand. Even Microsoft recognizes that.

      --
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    30. Re:Ridiculous by Anonymous Coward · · Score: 0

      Some people would say that security doesn't depend on fast updates: security depends on not having security vulnerabilities in your software to begin with.

      Judging by the number of critical patches released for Android since November, I'd say that Google needs to improve on both QA and distribution of patches.

    31. Re:Ridiculous by Anonymous Coward · · Score: 0

      Out of interest can you point to any in the wild infections for Android?

      I assume you mean since the Android/Samsapo.A in May 2014.

    32. Re:Ridiculous by Anonymous Coward · · Score: 0

I always disable that NSA Spyware every time I build a kernel pfft!

    33. Re:Ridiculous by Merk42 · · Score: 1

      Please write something more complicated than "Hello World" that has no vulnerabilities. Also it must be invulnerable to unknown future attack vectors.

    34. Re:Ridiculous by Merk42 · · Score: 1

      If there's a security fix for iOS you don't even hear about it until Apple is ready to ship on all devices they are still supporting.

      no, but if there is a security vulnerability you do hear about it..

    35. Re:Ridiculous by Anonymous Coward · · Score: 0

      There's an interesting ongoing case in the Netherlands in that regard: A Dutch consumer organisation is suing Samsung for neither providing updates nor making it clear for how long a new phone will be kept updated. (I'm personally imagining best-before dates on the packaging, like on food).

      http://www.consumentenbond.nl/actueel/nieuws/nieuwsoverzicht-2016/kort-geding-tegen-samsung-wegens-gebrekkig-update-beleid-smartphones/?icmp=home_nieuwsbericht_2_Kort+geding+tegen+Samsung+wegens+gebrekkig+update%26shy%3Bbeleid+smartphones_20160118
      With a short English press release: http://www.consumentenbond.nl/nieuws/attachment/20160118_Consumentenbond_takes_Samsung_to_court.pdf

      I'm not sure what legal arguments they're planning to use, but I've seen speculation: By EU rules, if you sell consumer goods you implicitly provide a warranty against defects for a while (two years, for phones). Software vulnerabilities are arguably defects, so why can't consumers demand them fixed within their warranty period?

    36. Re:Ridiculous by Anonymous Coward · · Score: 0

      Re: "The next step is for consumers to insist on well-defined and sufficiently-lengthy support and update policies as a condition of purchase..."

      Yes, because that has worked so well up until now.

      We have to face facts. Consumers at the point of purchase value things like features, price, app support, cell coverage and carrier support (as in, do they support it at all, yes or no). Update policies just aren't enough of a factor. And even if they were, across-the-board poor update practices mean that there are no meaningful choices to be made on that front anyway.

      Google has to step up on this issue. Or it languishes. Frankly I expect the latter. Google seems to be in the thrall of the carriers and the carriers aren't incentivized to care about post-sale updates. Google created this mess and keeps promoting update policies known not to work.

      Perhaps Apple is simply the better choice.

    37. Re:Ridiculous by BronsCon · · Score: 1

Or, as a user, educate yourself and buy a Nexus device which, much as the iPhone gets its updates directly from Apple, gets its updates directly from Google. I've noticed that Google is generally quicker to update my Nexus 6 than Apple is to update my iPad Air when a flaw is publicly disclosed; I would assume the same when the flaw is not publicly disclosed, but there is no frame of reference for this.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    38. Re:Ridiculous by BronsCon · · Score: 1

      You mean this?

      These types of worms also rely on social engineering to convince the user to click on the link and run the malware.

      So, not a worm, but a trojan, which iOS also has.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    39. Re:Ridiculous by shawn2772 · · Score: 1

      Also, I do prefer the iOS permissions model, in which users are specifically asked to enable permissions for particular apps as needed.

      Android moved to that model in Android Marshmallow.

    40. Re:Ridiculous by shawn2772 · · Score: 1

      In the short term, if you want the most secure and up-to-date Android device, buy Nexus, but I expect soon others will be challenging Google for that spot.

      Except when Google discontinues your device support. :(

      Please encourage your superiors to release official Marshmallow images and updates for the Google Nexus 4.

      Two years of updates and three years of security patches is better than anyone else is offering. Apple sometimes does a bit better than that, but they don't make any promises.

    41. Re: Ridiculous by shawn2772 · · Score: 1

How are consumers going to demand that when all the OEMs are varying levels of useless? Google has the power to pressure them to be better but doesn't seem to want to use it.

      Google has a lot less power than you think. We have to tread carefully to keep the ecosystem unified and moving forward together. If Google is too heavy-handed, some of the bigger OEMs are totally capable of taking AOSP and going their own way.

    42. Re:Ridiculous by BronsCon · · Score: 1

      those are typically lagging behind in hardware

      I wouldn't say the Nexus 6 is lagging behind in hardware, even comparing to the generation of devices released after it. Actually, for the first time I've owned a phone for over a year and still see nothing compelling on the market. Just saying.

      Sure, a fingerprint reader would be nice, but that's something I'd use for a grand total of a couple seconds per day, versus the display I'd be giving up, which gets used much, much more. The Nexus 6P is comparable, but trading wireless charging for a fingerprint reader and USB-C seems silly when the performance gains of the device are relatively small and the current model still handles everything I throw at it without a hiccup and likely will until the mid-range catches up with it in several years. That sure sounds like a device that's lagging behind, no?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    43. Re:Ridiculous by shawn2772 · · Score: 1

      Thanks to that, carriers are being forced to get updated software through QA faster

      Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?

      Hell if I know. It makes no sense to me, either.

    44. Re:Ridiculous by shawn2772 · · Score: 1

      Unfortunately, the way it is unless you have a Nexus phone is that first the manufacturer has to vet the patch, then the carrier has to vet it.

      Same on Nexus, actually, though Google has managed to streamline the process a bit. The manufacturer vetting step is mostly cut out. Mostly.

      While I am not an Apple fan, I think their model of removing other actors from the security equation is beneficial.

      It's worth noting that Apple also has to go through the carrier vetting step.

      The biggest difference between Apple/Nexus and other OEMs, IMO, is variety. Samsung, for example, has thousands of different system images to update, and each one has to be validated by the carriers. Nexus and Apple keep it down to a handful. The OEMs have done this to themselves, obviously, and they're working on fixing it now that it's becoming clear that users do care about updates.

    45. Re:Ridiculous by shawn2772 · · Score: 2

      Yes here is the list of manufacturers that offer timely updates: * None

      Not true. Nexus devices get monthly updates. So do some Samsung devices. I know there are some other manufacturers. It seems like the list the AC is asking for is something Google could potentially provide.

    46. Re:Ridiculous by shawn2772 · · Score: 1

      There's an interesting ongoing case in the Netherlands in that regard: A Dutch consumer organisation is suing Samsung for neither providing updates nor making it clear for how long a new phone will be kept updated. (I'm personally imagining best-before dates on the packaging, like on food).

      Cool. We do need companies to tell you before you buy what you're going to get, and then back it up. Glad to see that's happening.

      However, Samsung actually has committed to a regular update cycle on their new flagship devices, after Google did it for Nexus. So they're getting it. I don't know if it's a result of this suit or what, but whatever it takes to make this happen, I'm for it.

    47. Re:Ridiculous by BronsCon · · Score: 1

      That's a fantastic excuse for a horrible model.

And if you were at all familiar with the restrictions mobile operators place on device manufacturers, you'd understand that it's a factual one, as well. Even Microsoft recognizes that.

      We work closely with our carrier partners, and encourage them to test our software as swiftly as possible. But it’s still their network, and the reality is that some carriers require more time than others. By the way, this carrier testing is a common industry practice that all of our competitors must also undergo. No exceptions.

      That said, this only applies to devices which the carrier has customized in some way. As far as Nexus devices go, that only includes the T-Mobile Nexus 6 and, even then, the customization was done by Google and T-Mobile allows them to push updates directly and without approval. Every other Android device sold, by literally any carrier, is customized with carrier apps and features and requires the carrier's approval for updates.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    48. Re:Ridiculous by Anonymous Coward · · Score: 0

      Never say never. The stagefright bug could have absolutely made an android worm spread like a wild fire. We both know Mr Ludwig was way overselling the security provided by ASLR. http://googleprojectzero.blogspot.com/2015/09/stagefrightened.html

A ~4% success rate on an exploit that requires the user only to have their phone turned on would still be devastating in just a few short hours if your worm messages every number in an infected phone's contact list.

    49. Re:Ridiculous by BronsCon · · Score: 1

      although that's been a bit hard to verify

      and probably in violation of net-neutrality regulations.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    50. Re:Ridiculous by BronsCon · · Score: 1

      with the number of devices updated by OEMs and carriers to Lollipop and Marshmallow being lower than any previous versions of Android

specifically because, starting with Lollipop, carrier apps are installed on first boot (based on the inserted SIM, so no carrier apps if no SIM is installed) and can be removed by the user once installed. They're no longer part of the firmware, thus no longer require carrier customization, which removes the carrier's ability to require their approval before updates are pushed by the OEMs. While this makes it easier for OEMs to push updates, they can only do so where standalone versions of the carrier apps are available; e.g. they can't update a KitKat device to Lollipop without carrier approval, but once the device is running Lollipop or newer, they can push their own updates. Carriers don't want to give up this control where they can avoid it, so they don't approve those updates for devices shipping with KitKat or older.

      This problem will solve itself as those devices fall out of use.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    51. Re:Ridiculous by BronsCon · · Score: 1

      They support their phones for at least as long as Apple. In fact, they've made a legally binding commitment to supporting devices for at least a certain period of time: major version updates for at least 2 years from date of first sale; security updates for at least 3 years from date of first sale or 18 months from date of removal from the Google Play Store, whichever is longer.

      Meanwhile, Apple and Microsoft have done no such thing. I'm not sure of Microsoft's track record regarding device support, but I know Apple's done fairly well; there's nothing indicating they'll continue to do so, however, and no requirement that they do. With Google, you know how long to expect device support and anything beyond that is icing.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    52. Re:Ridiculous by BronsCon · · Score: 1

      Wrong.
      * Google (Nexus devices)

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    53. Re: Ridiculous by BronsCon · · Score: 1

      It is the fault of the users that they bought into it, though. Grasp that reality and take responsibility for your own decisions, maybe then you'll realize that it's important to learn exactly what it is you're buying before you buy it. The information was clearly available, as many of us made use of it when deciding to buy Nexus devices over all else. Those of us who live in a country where Nexus devices aren't available can still learn which devices ship with unlocked bootloaders and load vanilla Android ourselves. If lacking the technical knowhow to load a 3rd-party firmware, the iPhone is still an option. Failing the availability of the iPhone, Android isn't going to be an option either, rendering further extrapolation unnecessary.

There is no situation in which a user's only option is an Android device with OEM firmware that will never see an update. Literally none. It's a user choice, pure and simple; it may be made in ignorance, by users who don't know any better, but that ignorance is a user choice, as well.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    54. Re: Ridiculous by Anonymous Coward · · Score: 0

      So only Apple has that power then. Google could make the same moves as Apple and force OEMs to update. If Apple can do it then so can Google. No fucking excuses.

      It feels like we are moving backwards with IoT. It's like we forgot everything we learned. Or maybe it's just a bunch of wide-eyed college grads who just see oooooooo shiny. I don't know but I do know we are fucked if we keep going this route.

    55. Re: Ridiculous by Anonymous Coward · · Score: 0

      So be it. Let them fork and see where that gets them. Open market = more competition = fork code = see what happens.

    56. Re:Ridiculous by tlhIngan · · Score: 1

      Thanks to that, carriers are being forced to get updated software through QA faster

      Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?

      No, because some carriers get anal and demand things work in certain ways.

      It's a lot better now, but in the past, things like the color of the send button must be a certain shade of green, for example. Then there are the test commands that carriers want, and how many bars correspond to certain signals (remember when AT&T demanded that Apple show "4G" on the iPhone 4S when doing HSPA?).

      Then there are other things like phones must not show things like call timers or data counts or must adjust them somehow so it more reflects how the carrier counts, etc.

    57. Re: Ridiculous by Anonymous Coward · · Score: 0

      LOL one device out of how many?

      Truly fucking sad. Android is written/maintained/used by children it feels like. Enjoy your little sandbox.

    58. Re: Ridiculous by Anonymous Coward · · Score: 0

      You are right that it is the user's choice, but most users don't know enough to make an informed decision. The companies aren't informing them. That is why it is the manufacturer's fault. They take advantage of people not knowing. Hoping they will just buy a new phone in a year or two. Who needs updates when you are forced to upgrade a perfectly good device. When you buy a new phone they don't tell you "oh you will never get updates because that cost us too much money and you aren't important enough for us to update your phone." No you buy a phone thinking it will be updated like a computer because guess what? It's a fucking computer. Shocking. We are moving backwards with mobile, it's fucking sad.

      Not everyone has the tech savvy that is required. It is a dire situation right now, that's only going to get worse if this security model isn't fixed. Mark my words. A botnet full of hacked Android phones will cause havoc on the web.

    59. Re:Ridiculous by Anonymous Coward · · Score: 0

      These support timers should start when the model is discontinued globally and removed from the supply chain. The last person to purchase a "new" phone should have the full support commitment. This expiring software is such a sham, structured around forced, fad-chasing consumerism.

      I have been using a Razr i for over three years and the only thing wrong with it is the lack of software updates. I'm stuck on a KitKat release that took way too long and is definitely the last one that will ever come out of Motorola. It's a fantastic phone for my requirements, and frustratingly there isn't even a Nexus phone that comes close to it so I have no option to replace it with something under support or even with continuing CyanogenMod support.

      In a few more years, I want my 6 year old phone to be able to run the latest Android software just like my 6 year old laptop can run the latest Linux desktop distributions. Smartphones need an industry standard akin to the PC architecture that allows for modular platform and driver support, instead of monolithic integration and individual builds for each device variant.

    60. Re:Ridiculous by phantomfive · · Score: 1

      This topic has been brought up before. DJB showed with qmail that a substantial program can be written with no serious vulnerabilities.
      OpenBSD shows we can do better on security by an order of magnitude (and if you listen to the techniques they use, it's not super-hard).

      There's no excuse for the garbage, vulnerable software we are subjected to.

      --
      "First they came for the slanderers and i said nothing."
    61. Re:Ridiculous by phantomfive · · Score: 1

      The Android security model is actually very good....but Google has committed to a monthly patch cycle for Nexus devices,

      If you have to release security patches every month, then your security model is definitely NOT good. You have serious problems with your code.

      --
      "First they came for the slanderers and i said nothing."
    62. Re:Ridiculous by phantomfive · · Score: 1

      Because carriers make their own, modified distribution of Android. Which of course, git is set up to handle, but sometimes the carriers make a mess of things.

      It's not entirely the carrier's fault, because sometimes Google makes some pretty big changes in the core OS. So, for example, imagine if the carrier had to change the screenshot utility to work with their hardware (surprisingly common). Then in a later version of Android, Google changed the internal screenshot system. In order to update to the latest Android, the carrier would need to figure out how to get screenshots working again.

      That's just one example, there are similar small changes throughout the Android system. So to make sure everything works with an updated version can be a lot of work for a carrier.

      --
      "First they came for the slanderers and i said nothing."
    63. Re:Ridiculous by Merk42 · · Score: 1

      Both OpenBSD and qmail have had vulnerabilities, so I guess they're garbage too.

    64. Re:Ridiculous by phantomfive · · Score: 1

      Android had more vulnerabilities in the last month than OpenBSD has had in the last decade. If you can't see a difference here, you need to have your brain adjusted. There is some sloppy programming going on in Android that doesn't need to be.

      --
      "First they came for the slanderers and i said nothing."
    65. Re:Ridiculous by phantomfive · · Score: 1

      True, the patching system can be improved.

      --
      "First they came for the slanderers and i said nothing."
    66. Re:Ridiculous by Merk42 · · Score: 1

      Security through obscurity!
      Seriously though, I'm not the one that said "security depends on not having security vulnerabilities in your software to begin with."

    67. Re:Ridiculous by phantomfive · · Score: 1

      Seriously though, I'm not the one that said "security depends on not having security vulnerabilities in your software to begin with."

      Yeah, it's true. A fully patched Android system is still vulnerable. Any attacker who wants to put in the effort can find a vulnerability.

      --
      "First they came for the slanderers and i said nothing."
    68. Re:Ridiculous by shawn2772 · · Score: 1

      The Android security model is actually very good....but Google has committed to a monthly patch cycle for Nexus devices,

      If you have to release security patches every month, then your security model is definitely NOT good. You have serious problems with your code.

      Utter nonsense.

      There is no way that any system as large and complex as a modern personal computing operating system is going to be completely bug-free. If you believe otherwise, you're either clueless or living in a fantasy world.

    69. Re:Ridiculous by phantomfive · · Score: 1

      Utter nonsense.

      You're wrong. Even if you were correct in your assumption that large systems can't be secure, then you would still be wrong in saying that such security is good. Bad security is bad security, even if you think it's the best possible. Software with many vulnerabilities is not secure.

      If you believe otherwise, you're either clueless or living in a fantasy world.

      I like the fact based, well-reasoned argument you have there. It's so convincing.

      --
      "First they came for the slanderers and i said nothing."
    70. Re:Ridiculous by shawn2772 · · Score: 1

      You've clearly never tried to build large-scale secure software systems. There's no point in discussing this with you.

    71. Re:Ridiculous by shawn2772 · · Score: 1

      Oh, something for you to consider: http://www.openbsd.org/errata5...

      OpenBSD is much smaller and simpler than any mainstream OS, and has had a laser focus on security for years. Security is their number one goal, above usability, features or anything else... and yet they need more-than-monthly updates to fix security defects. That should give you an indication of just how hard a problem this is.

    72. Re:Ridiculous by phantomfive · · Score: 1

      That's the most insightful comment you've made so far, and it actually has data in it. So good job.

      --
      "First they came for the slanderers and i said nothing."
    73. Re: Ridiculous by cyber-vandal · · Score: 1

      Samsung, HTC and various carriers have already done that to a degree and that's part of why updates aren't provided in a timely manner. The Android ecosystem is a mess leaving consumers vulnerable and Google is the only org that can pull it together again. I don't envy you having to do that but the current status quo is not good enough.

    74. Re: Ridiculous by cyber-vandal · · Score: 1

      Are you taking the piss? It's the fault of the user that they don't load some random firmware that doesn't support all the functions of their phone via Odin, which isn't exactly user friendly. In a world like that how soon would it be before malware-infested firmwares were everywhere. You fanboys are mental.

      "Just buy a Nexus" is not the answer, the answer is for the OEMs, the carriers and Google to give a shit about their customers.

      I'm not attacking the OS. I had a Nexus 6 (which wasn't cheap) and it was great. Google needs to sort out the fragmented ecosystem for the benefit of customers and developers. As it is only the OEMs and the carriers are benefiting from the status quo.

    75. Re:Ridiculous by thegarbz · · Score: 1

      It's a lot better now, but in the past, things like the color of the send button must be a certain shade of green, for example.

      That's not relevant. A lot of those features, especially the candy, is controlled by individual apps. There's no reason a whole kernel upgrade should have any visible impact on the user or any of the applications at all. My point was why isn't the system modular enough that these customisations aren't a problem. It's not like I have to rebuild my Linux server every time a new package or security fix is released.

    76. Re:Ridiculous by thegarbz · · Score: 1

      I'm talking about minor updates and fixes here not API changing modifications. One should be able to apply a kernel patch without wondering if the entire system is going to melt into a puddle as a result.

    77. Re: Ridiculous by BronsCon · · Score: 1

      Odin works (for some definitions of "works") for Samsung, there are better tools for HTC, LG, and Motorola. Beyond that, dedicated community members tend to build full-function firmwares for popular devices and yes, it is the user's fault if they can't be assed to learn this stuff before purchasing a device, if security is a concern to them and other options are available.

      Yes, the carriers and OEMs share in the blame, and Google gets their fair share as well for not requiring that the OEMs conform to some standardized update schedule (as a minimum, of course the OEMs could go above and beyond that schedule) in order to ship Google Apps with their devices (AOSP should remain unrestricted as it currently is), but let's not kid ourselves by saying the users bear no responsibility for their purchase decisions. Android isn't the only option; and, even if it were, OEM firmware and phones locked to such are not the only options in the Android world. This is true everywhere. And for users who may be concerned about security and, for whatever reason, are incapable of learning which phones can run alternate firmwares and/or how to load them, there is sure to be a friend or family member who can help.

      But no, you'd have them keep giving their money for locked devices that will never see updates, when other options are available. Clearly, you disagree that their dollars would be much better spent on devices that are capable of community support when the OEM backs down from updates, then applying a bit of knowledge (or asking a capable friend or family member to do so) to extend the useful secure life of the device, rather than rewarding the OEMs and carriers for their shit-show by buying new devices to get the newest software.

      You don't have to tell me the Nexus 6 is great, I absolutely love mine. I've had it since it was released and not only is this the longest I've kept the same phone since I got my first phone in 2000, this is the longest I've gone without looking at what's on the market for any purpose other than to help a friend select the phone that is the best fit for them. That is to say that, in 16 years of cellphone ownership (and all flagship devices, mind you; I even had the first MP3 player phone to hit the market, released by Samsung, and the first phone with an OLED display, released by BenQ Siemens), the Nexus 6 is the first device I've owned that has met and exceeded my long-term expectations for a tool of its nature. It's actually all but replaced my iPad Air for all functions not requiring the pressure sensitive pen (Adonit Jot Touch) that just so happens to be iPad-only.

      Beyond that, yes, I agree that the fragmented ecosystem needs to get sorted out and you are correct that only the OEMs and carriers are winning the current game. But, again, let's not pretend that users can't vote with their dollars and stop giving money to the OEMs for devices they're not allowed to take actual ownership of. It just takes a little bit of common sense and forethought, both of which seem to be lacking in today's society; globally.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    78. Re:Ridiculous by kbg · · Score: 1

      Tell that to Google Nexus 4 owners.

    79. Re: Ridiculous by BronsCon · · Score: 1

      You mean the Nexus 4 that has the most recent updates available? I think you meant Galaxy Nexus, and that phone was supported for over 4 years, except on Verizon, who blocked the last update.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    80. Re:Ridiculous by phantomfive · · Score: 1

      One should be able to apply a kernel patch without wondering if the entire system is going to melt into a puddle as a result.

      That's true, especially since the kernel team is really good about maintaining backwards compatibility.

      --
      "First they came for the slanderers and i said nothing."
    81. Re: Ridiculous by kbg · · Score: 1

      This page only lists that the Nexus 4 has 5.1.1 not 6.0, so no it doesn't have the latest updates.

    82. Re:Ridiculous by Anonymous Coward · · Score: 0

      It's not Google's problem. If you want to cry, go cry to your device maker, not Google.

      If your car's computer starts acting up, you don't go and bitch to QNX/Blackberry, you complain to the manufacturer.

    83. Re: Ridiculous by BronsCon · · Score: 1

      Derp, posting before fully awake... forgot 6.0 was out. That said, Google guarantees major version updates for 2 years from first sale and security updates for the longer of 3 years from first sale or 18 months from discontinuation. Lollipop was released more than 2 years after the Nexus 4 went on sale (November 13, 2012) and more than 18 months have passed since the Nexus 4 was discontinued (and no longer available from the Google Store) on November 1, 2013. They've lived up to what they promised; in fact, considering that Lollipop 5.1.1 was released on January 4 of this year, they've provided over 3 years of major version updates, going well above and beyond that promise. If the promised support duration wasn't enough for you, why did you buy the phone?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    84. Re: Ridiculous by kbg · · Score: 1

      That is one of the problems with Android: your phone can only be used for 2 years until it is completely outdated and can't be updated any more. Now that wouldn't be a problem if Google wasn't constantly changing Android and coming up with newer and newer versions, making it impossible to install new/updated apps from the app store. The problem is that Google doesn't care about backward compatibility and is constantly deprecating and messing up things for no reason. I understand if the newer phone has some new hardware that your phone doesn't have, but this is software we are talking about; there is absolutely no reason why it shouldn't be able to install a new version on an older phone. Google is just lazy.

    85. Re: Ridiculous by BronsCon · · Score: 1

      You do realize that nothing you just said is true, right? Your example phone, the Nexus 4, was still getting updates after more than 3 years. In fact, 6.0.1 was released in the first week of December 2016, while 5.1.1 was released in the first week of January 2016. Ignore version numbers for a moment and realize that means that the Nexus 4 has been updated more recently than the Nexus 5, Nexus 6, Nexus 5X, and Nexus 6P, all of which came out long after the Nexus 4. And anything that works on 5.x works on 6.x and vice versa. Meanwhile, you go on to attack Google for "deprecating and messing things up for no reason" while Siri was an app that ran on the 3GS and newer iPhones until Apple integrated it into iOS and only allowed it to work on the 4S and newer. Likewise with split-screen multitasking in iOS 9, which the iPad Air is more than capable of supporting in hardware (hell, Android devices with much more restricted resources have been doing it for years) but, yet, it only works on the Air 2; I know this because I have both devices. And no, the sidebar "multitasking" is not the same; both models do that, I'm talking about the side-by-side, 2 apps actually fully running at the same time split-screen multitasking. My first Android phone, over 4 years ago now, could do that, hell, it even had a dock that it plugged into that let it operate as an Ubuntu laptop *alongside* its Android phone functionality. If the Motorola Atrix could do it, why can't the iPad Air? It's not that Apple isn't interested in the functionality, because the Air 2 does it; it's all in software and both devices run the same software, so what gives?

      I think you're the one who's lazy. Or maybe just blind. I'm not sure. Do you just not see that you can unlock your Nexus 4's bootloader (Google gives you instructions, they allow it, they even encourage it once support has ended) and install Marshmallow on the damn thing, or are you too lazy to do it?

      To clarify, what I'm referring to is the following:

      there is absolutely no reason why it shouldn't be able to install a new version on older phone

      And you're oh so right. There is no reason you shouldn't be able to. With about 2 minutes worth of research, you'll find that you can, actually.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    86. Re:Ridiculous by kmoser · · Score: 1

      Some people would say that security doesn't depend on fast updates: security depends on not having security vulnerabilities in your software to begin with.

      Security doesn't depend on not having security vulnerabilities in your software to begin with; security depends on preventing people from discovering and exploiting your existing security vulnerabilities.

    87. Re:Ridiculous by phantomfive · · Score: 1

      security depends on preventing people from discovering and exploiting your existing security vulnerabilities.

      That's a band-aid that definitely works sometimes.

      --
      "First they came for the slanderers and i said nothing."
    88. Re: Ridiculous by Anonymous Coward · · Score: 0

      No, Apple isn't in the same situation because nobody but Apple makes devices that run iOS.

      Google produces an operating system that they use on their devices and as a bonus makes that OS available to anyone else who wants to use it. Would you bitch to Debian for a problem in Ubuntu? Would you bitch to the FreeBSD project for a problem in iOS? Bitching to Google about a device maker wilfully not pushing out existing patches is equally as stupid.

    89. Re: Ridiculous by kbg · · Score: 1

      You talk about Apple but Apple is not an excuse because they are bad themselves, yes Apple also sucks.

      Do you really think a normal user will be able to unlock or install Marshmallow on his phone with these unnecessary complex instructions? I have rooted and installed a few Android mods myself and I can tell you that it is very easy to make a small mistake or that the third party instructions are not clear enough so you end up with a bricked phone. I am not talking about myself, you or other technical people. My sister, mom or my grandma will not be able to install this crap.

      If the company can't support a highly expensive device for more than 2 years then the install process should be as simple as downloading a Google app that will update the phone. This is something that Google could easily do if they would just get off their asses and stop being evil.

    90. Re: Ridiculous by BronsCon · · Score: 1

      You talk about Apple but Apple is not an excuse because they are bad themselves, yes Apple also sucks.

      I talk about Apple not to excuse Google, but because everyone always brings up Apple as an example of "doing it right". If that is incorrect (as I've shown) then, perhaps, people should stop doing it. If you weren't slyly hinting at Apple, and I know you weren't pointing to Microsoft or Blackberry, just who is the shining beacon of "doing it right"? And if nobody, who is doing it best? I'd venture that Google isn't doing too horribly if your requirement is the ability to buy a device from any number of suppliers and avoid Apple's vendor lock-in. Mind you, I willingly submit to that as an iPad owner, but that's essentially become a glorified digitizer tablet since I got my Nexus 6.

      I am not talking about myself, you or other technical people. My sister, mom or my grandma will not be able to install this crap.

      So, you're saying you wouldn't help your sister, mom, or grandma with this? I know I would, as would most technical people who wish to encourage their friends and family to be more secure.

      If the company can't support a highly expensive device for more than 2 years then the install process should be as simple as downloading a Google app that will update the phone.

      And then every app and piece of malware would have full write access to /system/ along with the update app. You don't think that would make things less secure? It would, by a lot. I'll remind you that I'm talking about unlocking your bootloader and flashing a new ROM to /system/, not rooting and installing things to /bin/ and /usr/bin/. In many cases, rooting an Android device is actually much more complicated than flashing a new ROM, though you can flash a pre-rooted ROM if you're flashing one anyway.

      This is something that Google could easily do if they would just get off their asses and stop being evil.

      You mean it's something Google could easily do if they would just stop write-locking /system/ during the boot process to prevent malware from completely pwning Android devices. You must not realize that this is a security measure, and a very strong one at that; it's literally as simple as it could possibly be without opening the door to all kinds of nasty malware we currently don't have to deal with. The only thing that might make it easier is a GUI, but that would also make it easier for people to install malicious ROMs without really thinking about it; having to type it out makes you think about what you're about to do before you press enter.

      Well, maybe not you, but most people.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    91. Re: Ridiculous by Anonymous Coward · · Score: 0

      Right away? Isn't there a few bugs that had to be made public because Apple ignored until they had their faces rubbed in shit?

    92. Re: Ridiculous by Anonymous Coward · · Score: 0

      So all of a sudden Google doesn't get to dictate terms in the licensing of their own work?

      Wrong. They could fix this tomorrow if they wanted to. But they are too afraid of incentivizing Samsung to go whole-hog on their own Tizen OS, which would all but sink Android. So we, the users, end up with a fucking shit security model.

      Thanks, Google.

    93. Re: Ridiculous by kbg · · Score: 1

      So, you're saying you wouldn't help your sister, mom, or grandma with this? I know I would, as would most technical people who wish to encourage their friends and family to be more secure.

      I will help them as much as I can but I refuse to be technical support for Google just because they are incompetent and don't care.

      You mean it's something Google could easily do if they would just stop write-locking /system/ during the boot process to prevent malware from completely pwning Android devices. You must not realize that this is a security measure, and a very strong one at that; it's literally as simple as it could possibly be without opening the door to all kinds of nasty malware we currently don't have to deal with. The only thing that might make it easier is a GUI, but that would also make it easier for people to install malicious ROMs without really thinking about it; having to type it out makes you think about what you're about to do before you press enter.

      No, Google controls the system. They already have a lot of system apps that can do whatever they want. This is just a simple implementation of crypto-signing the app. If the app is signed by a specific key by Google then they can give the app access to stuff like this. You talk about it like this is something impossible to do? If you control the system like Google does you can have it any way you like.

    94. Re: Ridiculous by BronsCon · · Score: 1

      Keys can be forged or stolen, we've seen it happen. I'll keep my hardware write lock, thanks, and you can have your insecure softlocked toy.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  2. The bug by phantomfive · · Score: 1

    In case anyone cares, the bug was improper deallocation. Sloppy programming.

    --
    "First they came for the slanderers and i said nothing."
  3. if OEM disabled security. Tautology by raymorris · · Score: 3, Funny

    > what if the manufacturers have disabled SELinux

    Yes, if an OEM disabled the security model, that would be a security problem. Tautology much? That hasn't happened on any relevant device.

    Oh I know, if the manufacturer installed a botnet malware and gave access to spammers, that would be a problem too! Oh my, a manufacturer could mess up the device the manufacturer!

    1. Re:if OEM disabled security. Tautology by ArmoredDragon · · Score: 1

      That hasn't happened on any relevant device.

      I really doubt it ever would because of the whole SEAndroid architecture built on top of it. An OEM would seriously have to go out of their way to not have it working.

    2. Re:if OEM disabled security. Tautology by Anonymous Coward · · Score: 0

      I guess you didn't hear about the Lenovo debacle. Or Dell. Or..

    3. Re:if OEM disabled security. Tautology by BronsCon · · Score: 1

      Right? And here's the thing: Apple fans (I'm a user, but not a fan, it's a tool and it does a job, it's not deserving of fandom) will insist that issues that affect rooted or non-Nexus Android devices are worse than issues that affect jailbroken iOS devices, but they're really one and the same. The reality is that rooting an Android device is a departure from the vanilla Android binaries and configuration provided by Google, as is a manufacturer replacing Android binaries and configurations with their own or adding their own binaries for additional features or interface layers, just as jailbreaking an iOS device is a departure from the stock binaries and configurations of iOS. To a logical person, that would indicate that the only possibly non-compromised iOS devices are the non-jailbroken ones and the only possibly non-compromised Android devices are those running vanilla Android (e.g. Nexus devices) which have not been rooted.

      Mind you, this is largely because rooting and jailbreaking are, in and of themselves, compromises of the device. From the perspective of the user, they're not actually compromised until some bit of malware makes its way onto the device, which generally only happens in either class of device when the device's OS has been modified; again, that means rooted, jailbroken, or tampered with by the manufacturer. Allowing for that, both classes of device are equally secure, which is to say their radios have direct and unfiltered network connections and direct memory access, you can extrapolate whatever you want from that.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  4. That doesn't mean ..... by frovingslosh · · Score: 2, Insightful

    That doesn't mean the patch will hit users' phones ever, though.

    There, I fixed it for you.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  5. Probably being trolled by Anonymous Coward · · Score: 0

    manufacturers often don't push out updates in a timely manner.

    That's true, but the situation is much worse than just that.

    Hardware manufacturers' O/S teams almost never understand in depth the O/S that they're providing on their hardware. Their task is generally just to get it running with each new company product, nothing else. This is especially true when providing Linux distros or Linux-based systems like Android --- the hardware manufacturers rely on upstream expertise for almost everything.

    It couldn't be any other way. Nobody sane can expect all those bazillion companies who offer Android devices to be software and security specialists. That's why they're using Android and open source, so that they don't have to run a big team nor be software specialists.

    This makes total balderdash of the parent's point. In fact it's so ludicrous to suggest that the smartphone manufacturers deal with Android security problems themselves that I suspect the parent doesn't believe it either. In other words, you're probably being trolled by a Google fanboi who refuses to admit this reality and rejects that only Google has the power to fix it, or by someone so clueless that he simply doesn't understand the issue at all.

    1. Re:Probably being trolled by Anonymous Coward · · Score: 0

      What excuse are you going to use to defend the fact that hardware manufacturers don't have to make security updates, they just need to push out the updates that Google makes, but they won't even do that because they are being cheap?

      You clearly do not understand how the update chain works.

  6. Verizon by Anonymous Coward · · Score: 0

    So we should see that patch on Verizon phones in... 6 months? Or not at all for phones older than 2 years.

  7. CAPTAIN CHUNK! by Anonymous Coward · · Score: 0

    IT'S A STIIiiiiiiiiiiiiiiiiiiiiiiFFFFFF!

  8. The problem with a root kit is that it's a root ki by raymorris · · Score: 2

    Lenovo's root kit wasn't bad because of some obscure bug in Windows. Lenovo's root kit was bad because it was a root kit.

Once you assume that the manufacturer is going to purposely ruin the security of the device, unrelated bugs don't have much effect on that.

    In other words, if the manufacturer puts a tautology on your device, your device will have a tautology on it.

  9. Be evil until you get caught by Anonymous Coward · · Score: 0

Thank you Google for your honest attitude on your customers' security. Hopefully you do not lie this time, as you did when OpenSSL was found to be vulnerable. Anyone can verify whether your claims on affected Android versions were true, but it seems that not many did.

  10. Weeks? by cyber-vandal · · Score: 5, Insightful

    How about months or never. The upgrade situation on Android is a joke unless you buy from Google.

    1. Re:Weeks? by nnull · · Score: 1

      Samsung and Verizon devices will probably never get an upgrade. Took forever to get an update for my Note 12.

    2. Re:Weeks? by thegarbz · · Score: 2

      How about months or never. The upgrade situation on Android is a joke unless you buy from Google.

Yes but so are most attack vectors. When a problem gets discovered in Windows, IE, Flash, Acrobat etc it's sometimes a matter of hours / days before exploits are in the wild, sometimes the exploits are out before the problem is discovered.

In the Android world I've yet to actually hear of a widespread exploit self propagating between devices and turning them all into mass zombies. Typically we only hear about devices that were compromised via some dodgy app with questionable permissions, which is a far easier attack vector than any of the others which are theorised.

My phone isn't up to date, yet on the whole I feel safe.

    3. Re:Weeks? by drinkypoo · · Score: 1

      How about months or never. The upgrade situation on Android is a joke unless you buy from Google.

      Not only is Motorola pretty good about updates, but I can get an AOSP build for pretty much any of their phones. I don't know if there are any other manufacturers as reputable, but I've been happy enough with Moto that my next phone will probably also come from them.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re: Weeks? by cyber-vandal · · Score: 1

      The problem with Android is that even when the flaw is fixed by Google it doesn't make it onto the majority of the phones out there. That's not good enough. Microsoft would never escape criticism for ignoring flaws but for some reason Android OEMs seem to get a free pass.

    5. Re: Weeks? by BronsCon · · Score: 1

      It's good enough for the Nexus device in my pocket. I don't own the majority of Android devices out there and neither would an educated consumer. Those OEMs aren't getting a free pass, I voted with my dollars and made them irrelevant, so it's not worth my time to jump on them.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    6. Re:Weeks? by Anonymous Coward · · Score: 0

They've changed since Lenovo acquired them. The Moto X 2014 edition will not get the update to Marshmallow on US carriers (and the Pure edition doesn't support CDMA, so that won't work on Verizon) after less than 1 year on the market. Motorola promised an update to support VoLTE shortly after launch in 2014. That still hasn't happened. Without VoLTE, the phone doesn't support simultaneous voice and data.

      The Moto X 2013 edition didn't get Lollipop until late June 2015 after months of delays.

    7. Re: Weeks? by thegarbz · · Score: 1

      The free pass is given due to the attack vector. I would give Microsoft a free pass too when their bugs have very little impact or are incredibly unlikely to be exploited.

      Just like I gave Linux a free pass when the malware was discovered last week and we all couldn't help but joke at the fact that parts of it didn't work, and when they did work it didn't do so very widely.

  11. My typical day using Linux upon a vulnerability... by Anonymous Coward · · Score: 0

    1) Big celebrity comes up and says "Folks, I can't tell you right now, but do disable roaming in [software piece], a fix is upcoming."
    2) In a matter of hours (some 4 to 6, perhaps), a sign appears on my desktop -- like this (!) -- stating there's an update.
    3) I authorize the update with my non-root password and it gets installed (probably just disabling that roaming thing, I venture).
    4) Sometime later (1 day?) a new update comes up with the real fix... another 5-minute update.

    End result, vulnerability blocked, system safe again for critical operations like remote work access and on-line banking.

    Can I do that in Android? Simply and directly: No.

    I have a few brand-name devices, but I also have a "generic" one. None of them will get updates.

    Is this a Linux vulnerability? Sure. Is Android Linux? As this vulnerability shows, yes -- if you're going to dispute that, know that there are things like metonymy and synecdoche (Wikipedia: Figures of Speech), and that we use Linux to designate both A.Linux and B.Linux. So, strange as it might seem, GNU/Linux is Linux, Android is Linux but Android is not GNU/Linux. I hope people can stop discussing how many Angels can dance on the head of a pin...

    But back on-topic: I cannot update Android instantly. Then, a key feature of Linux is lost and it is reduced to the (bad) performance of conventional proprietary systems, where fixes come with new versions/devices (a.k.a. Windows).

I'm willing to solve that, and there's a simple way which is to give manufacturers more money (by purchasing more recent Android devices, which perhaps will be updated). While I can do that (up to a certain limit), other people will not be able to do it... and we'll have some sort of "epidemic" infection, much like in the situations about which we used to mock Windows users...

    Right now I have a W7 machine I cannot update, because M$ has made the process too lengthy and unstable. It is as if they wish that I go out and buy a Windows 10 PC. I bet I'm being paranoid, surely that's not the case...

    But if I have to buy new Windows _and_ Android devices, the ante* becomes a little too high for me.

    Not OK.

    (*) That's a figure of speech (metaphor, I believe).

  12. Downmods = "best ya got" NOOB? Yes by Anonymous Coward · · Score: 0

    "Android is vastly more secure than Windows was" - by Shawn Willden (2914343) on Friday January 22, 2016 @12:06AM (#51348617)

    Vastly, eh? Listen KID (& to me you are, your job title means squat boy): See subject & the results of this search on Google:

    http://www.bing.com/search?q=%...

    Now, let me cite MY credentials like you did (in some "appeal to authority" illogic logic): I'm the guy who wrote that & I've been @ the art & science of computing coming up from techie->network admin->programmer/analyst->software-engineer for 24++ yrs. professionally since 1994 & programming + setting up these machines from 1982 onward (from mainframes, to midranges, to client-server designs) & in that timeframe, I'd wager YOU WERE STILL IN DIAPERS when I was making all the trade rags in it & working in the Fortune 100/500!

    As far as securing systems? Same deal: Those guides of mine, yes for Windows, use the HIGHLY ESTEEMED CIS Tool - & guess what again? They TOOK FIXES & SUGGESTIONS FROM ME on how to do it on several accounts that make the system far more secure AND ones to avoid they suggested that *might* cause issues also.

    Lastly & most importantly: That quote of yours I cited is why I am writing this - Windows can be as secure as ANY OS OUT THERE once it's properly security-hardened (none of them are "out-of-the-box").

    To have the SHEER NERVE to say what you did is mind-boggling... why?

HELL - LOOK @ ALL THE VULNERABILITIES & PROBLEMS ANDROID HAS HAD SINCE ITS VERY PUBLIC RELEASE & INCEPTION!

    (Tons of bugs - so "tell us another one", ok? For Pete's sake - the interface/front-end is created in a JAVA variant that has code Oracle's SUED YOU FOR proving it is... & we all KNOW the security issues inherent in it that pop up constantly for years now... & don't try to say "but it's the kernel" well, ANDROID is made up of FAR MORE than a mere kernel only (but this news proves it too has issues as well))

    ADDENDUM FACT:

    Ah, so "the best you got" pr puppet with sockpuppets and "allies" advertisers was a DOWNMOD that's unjustifiable last time I posted this? Proof's in the pudding -> http://tech.slashdot.org/comme...

    (YOU ARE FAILING, boy... lol, & you KNOW it!)

    See you here too -> http://apple.slashdot.org/comm...

    (Going to "downmod & run" on THAT post of mine too, Google pr spinboy puppet? Yes I wager!)

    APK

P.S.=> Android's had SO MANY BUGS & SECURITY ISSUES since its release it's not even funny, & you said that? Please... lol!

    ... apk

    1. Re:Downmods = "best ya got" NOOB? Yes by Anonymous Coward · · Score: 0

      Wow, that reads like the ramblings of a crazy person.

    2. Re:Downmods = "best ya got" NOOB? Yes by Anonymous Coward · · Score: 0

      RFI from all that time at the character cell terminals and other computer monitors toasted his brain.

      With me, it was the EMP from sitting too close to the mainframes since 1982...

    3. Re:Downmods = "best ya got" NOOB? Yes by Anonymous Coward · · Score: 0

You're the crazy one if you think we don't know it's you Shawn Willden Google Engineer posting ac now after apk spanked you.

  13. Re:Hey Mr. "Google Engineer", I'll take that bet by shawn2772 · · Score: 1

HELL - LOOK @ ALL THE VULNERABILITIES & PROBLEMS ANDROID HAS HAD SINCE ITS VERY PUBLIC RELEASE & INCEPTION!

    Yep. And look at the utter lack of Blaster-style mass infection.

  14. Uh, no. by Anonymous Coward · · Score: 0

    You were owned, lock stock and barrel, by pinkie pie's discovery of towelroot.

    Since Jelly Bean and KitKat are more than 50% of your user community, you effectively have no security for most of your users.

    Add to that coding errors in media libraries that you unwisely set read-only with no update capability (libstagefright.so, mediaserver), and there is only one question that can be asked of Android:

    What were you thinking?

  15. LMAO - Android daily exploits for decade++ by Anonymous Coward · · Score: 0

    See subject: Only a matter of time 4 your "blaster" & the sheer mass of ANDROID infestation is many orders of magnitude more, daily for years!

    * I've heard tell & KNOW since I was there for the entire thing while you were in diapers still I wager, that the INFESTATION RATE ON ANDROID IS FAR MORE THAN ON WINDOWS EVER WAS FAR EARLIER too... & more of it by far.

    (After all - Windows wasn't infected DAILY like I see on "ANDROID", lol...)

    By the way - sockpuppet downmods of my posts != proving me wrong, noob...

    APK

    P.S.=> I don't think a YOUNG inexperienced rookie NOOB like you understands something - you're only THAT to me, nothing more - green, & inexperienced (& it shows here, & in another post of yours I blew you away with today also http://apple.slashdot.org/comm... )... apk