Slashdot Mirror


FTC Orders Apple, Google, Microsoft, BlackBerry, Samsung To Divulge Mobile Security Practices (networkworld.com)

coondoggie quotes a report from Networkworld: The Federal Trade Commission today said it issued a 10-page letter to eight leading players in the mobile communications arena requiring them to tell the agency how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices. Apple, BlackBerry, Google, HTC America, LG Electronics, Microsoft, Motorola Mobility, and Samsung must provide the following: The factors that they consider in deciding whether to patch a vulnerability on a particular mobile device, detailed data on the specific mobile devices they have offered for sale to consumers since August 2013, the vulnerabilities that have affected those devices, and whether and when the company patched such vulnerabilities.

74 comments

  1. Chasing the wrong people by Anonymous Coward · · Score: 5, Insightful

    The CARRIERS decide who gets the updates and when.

    1. Re:Chasing the wrong people by epiphani · · Score: 2

      Upvote required.

      Manufacturers can make updates available quite quickly, however carriers restrict what updates are made available to customers on their network.

      --
      .
    2. Re:Chasing the wrong people by Anonymous+Brave+Guy · · Score: 3, Insightful

      You're assuming this isn't an evidence-gathering exercise prior to going after the carriers for exactly that reason?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    3. Re:Chasing the wrong people by Anonymous Coward · · Score: 0

      That's refined, weapons grade bullshit. Check the recent Android releases from Samsung, at least for the European devices: the branded carrier-specific versions were always first, the unbranded for the same country with weeks, sometimes *months* behind...

    4. Re:Chasing the wrong people by Anonymous Coward · · Score: 2

      Not in the case of Apple.

    5. Re:Chasing the wrong people by the_skywise · · Score: 2

      You're assuming they're not trolling to figure out which vulnerabilities are still out there for exploiting?

    6. Re:Chasing the wrong people by gweilo8888 · · Score: 2

      Yes and no. Even if you are using an unlocked phone, security updates can take utterly ridiculous lengths of time to arrive.

      Speaking personally, my unlocked Sony Xperia Z2 running US-market firmware finally received its last patch against the Stagefright exploit on April 12th, 2016, as part of my Marshmallow update released publicly that same day. The exact same patch was provided on the exact same phone running Lollipop in other regions as early as 27th November 2015, and there were no carriers involved in the process at all. I got my patch direct from Sony.

      That is an utterly shameful 138 DAYS to get the patch direct from the manufacturer, and that is 138 days from when the patch was completely done being tested and applied, and ready to release to the public. It was even longer from when the fix was made available to the manufacturers by Google.

      I do not believe for one second that any additional testing was required to apply the same patch to a different firmware region; somebody at Sony simply forgot to ever release it for many markets. (The US was by no means alone in this; numerous other large markets didn't get a full Stagefright patch until Marshmallow was released, and it was basically a lottery whether you were in a lucky market or not.)

      But really, the problem here lies neither at the feet of the carriers nor the manufacturers. The problem here is quite clearly with Google, who have allowed both the carriers and manufacturers to play idiotic games in the name of product differentiation.

      It is high time that Google took Android back in-house, and required manufacturers to add their glossy, bloatware overlays as user-removable apps which sit on top of the OS. OS-level updates should then be sourced not from the manufacturer or the carrier, but from Google themselves. That would instantly solve the problem, while allowing manufacturers to provide the differentiation they foolishly believe us to want. (And for those of us who'd rather have a stock experience, we could get rid of all the manufacturer crapware and have a swiftly-operating phone with regular security updates.)

      But sadly, there's not a chance of this happening. The lunacy will continue to prevail, because the customers are seen as utterly unimportant in all of this. Whatever the manufacturers and carriers say goes, and the rest is just ignored.

    7. Re:Chasing the wrong people by Anonymous Coward · · Score: 0

      The CARRIERS decide who gets the updates and when.

      I'd rather not assume that the device manufacturers are doing all that they can do to protect consumers and have them answer some tough questions regardless... and that then opens the dialog to blame the carriers subsequent implementation (or lack there of) of the security updates.

      All this red fscking tape!? What's it for?!

    8. Re:Chasing the wrong people by berj · · Score: 3, Informative

      I've never had to wait for my carrier (Rogers Canada, in this case) to supply me an iOS update. I just download it on the day Apple releases it.

    9. Re:Chasing the wrong people by Anonymous+Brave+Guy · · Score: 1

      I'm certainly not assuming that, though it doesn't seem the most likely explanation to me.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    10. Re:Chasing the wrong people by scotts13 · · Score: 4, Informative

      If you think Apple are any different then you're basing an opinion on wishful thinking and hope.

      And your carrier cares for neither. Doesn't matter who your carrier is, if they don't want to supply an update to you, you won't see one. Apple, Samsung, HTC, whoever. It's all the same. Money talks.

      That turns out not to be the case. With my Apple phone, Apple offers updates and I accept (or decline) them. The carrier has nothing to do with it.

    11. Re:Chasing the wrong people by TrancePhreak · · Score: 1

      I agree with your assessment in how things should be made more simplified in that the updates should come from Google. There's a problem, however, in that to my knowledge the drivers are tightly coupled with the kernel. They do this for both performance and because that is the way the Linux kernel is. You run into the same issues on desktop Linux systems where installing NVidia drivers requires a patch and shim to load a binary blob.

      --

      -]Phreak Out[-
    12. Re: Chasing the wrong people by Anonymous Coward · · Score: 0

      They sent letters to four carriers as well, but you'd know that if you didn't read /.

    13. Re:Chasing the wrong people by viperidaenz · · Score: 2

      Not when you buy retail versions of phones.

      My EU retail version Moto X 2nd Gen is still on the "Android security patch level" 1 November 2015. That's 6 months old. It's still vulnerable to some of the drive-by remote code execution exploits where simply visiting a website with an embedded video can run arbitrary code.
      There are 34 critical exploits in the security patches since 1 Nov.

      Teaches me for buying a phone from a Google owned company. They then go sell it to Lenovo who then fires half their developers and stops updating old devices.

    14. Re:Chasing the wrong people by meadow · · Score: 1

      The CARRIERS decide who gets the updates and when.

      But when HP, Dell, or Lenovo sell a computer with Windows, they are not responsible for the updates to Windows. Microsoft is.

    15. Re:Chasing the wrong people by bickerdyke · · Score: 1

      What if you never connect your phone to a mobile network and use it WiFi only*? At least my manufacturer provides updates by regular Internet that I can access by Wifi. No provider ever knows if my phone is on his network.

      * not the most common use case, but people might need a small tablet or don't need mobile internet but want to sync calendar & contacts every 24 hours when they are at home

      --
      bickerdyke
    16. Re:Chasing the wrong people by bickerdyke · · Score: 1

      It is high time that Google took Android back in-house, and required manufacturers to add their glossy, bloatware overlays as user-removable apps which sit on top of the OS. OS-level updates should then be sourced not from the manufacturer or the carrier, but from Google themselves. That would instantly solve the problem, while allowing manufacturers to provide the differentiation they foolishly believe us to want. (And for those of us who'd rather have a stock experience, we could get rid of all the manufacturer crapware and have a swiftly-operating phone with regular security updates.)

      Yes, but will never come as

      a) what Google delivers as "Android" won't be running on any device as there are specific additions and changes necessary to get it to run on a specific hardware, that need to be provided and integrated by the hardware manufacturer

      b) Google is already in hot water for abusing a de-facto monopoly and hindering competition between cellphone manufacturers by already making too many software decisions for Android phone manufacturers. (or the slashdot article)

      --
      bickerdyke
    17. Re:Chasing the wrong people by bickerdyke · · Score: 1

      Which is correct as they don't have to build their own windows (based on what they get from Microsoft) to get it to run on the machines they manufacture. Windows will be running out of the box on any machine that follows "PC" specifications.

      There aren't any specifications like this for phones. Phone manufacturers need to build a specific OS for each phone based on what Google delivers as Android. That's exactly what you need the guys from Cyanogen et al. for: What Google gives out as Android will not be running on any phone without modifications.

      And as the old saying goes: If you mod it, you maintain it.

      --
      bickerdyke
    18. Re:Chasing the wrong people by meadow · · Score: 1

      Phone manufacturers can create their own customized launcher and proprietary apps, but besides compiling a custom kernel what else do they do?

      Is what they "build" that significant that there cannot be regular updates from Android? Is there any real justification for their extra control?

      Why can't it be like the model for Linux distros: The distro creates its own packages and updates. A sysadmin at a company may create their own custom package repository specific to their hardware with for example packages for their custom kernels which override the distro's kernel packages. As long as the device is set on whatever release channel from the distro, then the only updates that come are the official ones for that particular release from the distro, which have already been thoroughly tested.

      The way it is now and has been is crap. Phone manufacturers only want to sell devices and comply with any security requirements (few if any) placed upon them to the minimal extent possible. The distro (Android) doesn't have the same responsibility as a full-fledged Linux distro in terms of providing and thoroughly testing releases on a regular schedule. And consumers lose out.

      The Android paradigm, from a Linux viewpoint, was messed up to begin with and needs to change.

    19. Re:Chasing the wrong people by bickerdyke · · Score: 1

      "compiling a custom kernel" ...yes... but after writing and including custom modules and drivers for the hardware used.

      The regular Linux distros support a handful of processors, that's why "building a custom kernel" is little more than checking boxes to include or exclude modules, but you don't have custom hardware that you need to write modules for first.

      --
      bickerdyke
    20. Re:Chasing the wrong people by meadow · · Score: 1

      The list of processors supported by Linux - meaning the Linux kernel - is huge. The CPU in my Samsung phone is an ARM, as are the vast majority of phones. Samsung does not make the Linux kernel support for the various ARM architectures. It, like virtually every other company, purchases the components to build its devices on the market, devices which are generally supported independently by Linux.

      Yes there are mobile manufacturers who do also make their own chips, which puts them in the category of a device manufacturer. Whether they happen to contribute code to Linux to support their devices or not is another issue.

      Nothing you've said IMHO puts phone manufacturers in some special class different from computer manufacturers, except as outlined above. Whether the same company may or may not also create other hardware such as processing chips, which may or may not be used in their or other manufacturers' devices, is a totally separate issue.

    21. Re:Chasing the wrong people by tlhIngan · · Score: 1

      The CARRIERS decide who gets the updates and when.

      True, but the manufacturers also are the ones to make it available.

      I mean, Samsung makes a crap ton of phones - in 2014, they released on average 3 Android phones a week! (and a tablet a week, for completeness - it was something like 54 new tablets and 160-ish new phones). In 2015 they scaled it back somewhat. But the vast majority of phones will never get an update from Samsung - ever.

      I mean, Samsung's pretty bad by themselves in software updates. You might get a few if it's a flagship phone which then get hung up by the carrier, but for the majority of phone models Samsung made, they get zilch beyond what was shipped.

      For carriers to block an update, they need to have the update to begin with. If the manufacturer doesn't make them, then the carrier can't really do anything about that.

      And you can bet the carriers will be next in line for questioning.

    22. Re:Chasing the wrong people by Holi · · Score: 1

      Great so I would have an updated OS that couldn't actually do anything because it lacks the manufacturers drivers.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    23. Re:Chasing the wrong people by Anonymous Coward · · Score: 0

      If the reasoning behind updates not coming directly from Google is due to a technical requirement (base OS design), then fine, I can accept that.

      If the stated reason behind updates not coming directly from Google is due to a technical requirement (base OS) but the real reason is money or politics, then I cite Microsoft and GWX which proves that hell or high water, software updates can be forced regardless of the wishes of the hardware manufacturer or carrier.

      In my experience, anytime someone from a business division of a company (finance, marketing, sales) makes a statement about the realities and limitations of engineering, they either don't understand what they are talking about (think that WiFi and 4G are the same thing), are lying (because it is more profitable to do so) or are lying (to cover their own or their division's ass by throwing the tech and by extension the engineers under the bus as a scapegoat).

      The most common is a two-for-one where they are lying about not understanding what they are talking about to maintain control without accountability. These are the folks that absolutely HATE facts and hard evidence - they hate being presented with it and LOATHE creating it, particularly when it comes to documented instructions and approvals.

    24. Re:Chasing the wrong people by gweilo8888 · · Score: 1

      You do realize it's possible to update an OS without updating drivers, right? And that if there's a flaw in the drivers, the manufacturer can still patch them? This is an utterly specious argument.

    25. Re:Chasing the wrong people by gweilo8888 · · Score: 1

      a) those addons and changes can still be made by the manufacturer -- just separately from how the OS itself is delivered. You know, exactly what happens on numerous other platforms already, and has for decades. b) Google would be in no hotter water if it took on the updating. They're only in hot water in places where it matters -- such as giving themselves an advantage with their preinstalled browser, preinstalled search boxes, etc. The manufacturers would almost certainly prefer it too, actually, in the long run. It would save them money and work on updating, after all. They just don't want to be the ones to go first into that bold new future.

  2. A list of unpatched vulnerabilities? by mugurel · · Score: 2

    That would also be great for their fellow three letter agencies!

    1. Re:A list of unpatched vulnerabilities? by cyriustek · · Score: 1

      Although your point is well taken, there are other things to consider.

      Mobile devices often go unpatched due to the relationship between the carriers and the manufacturer. For example, you may buy a nice shiny Samsung, only to find out that it is not patched for the StageFright bug since the carrier has not vetted these patches yet. This is exacerbated when you bring your own phone over to the network, as they may not even know anything about what patch would work on your device.

      The exceptions to this include Apple and the Google Nexus phones. These phones seem to get patches, even without the carrier's involvement. However, if you have a generic Android phone, good luck.

      Now to the bugs that are not patched by the manufacturer...it makes sense to hold manufacturers feet to the fire as these devices contain a lot of valuable information for the user. (and the attacker for that matter.)

    2. Re:A list of unpatched vulnerabilities? by tom229 · · Score: 1

      Precisely. We're all starting to see the house of cards around centralized security models fall down now. Of course, this was apparent to anyone experienced in the industry, but the thickest amongst us. I've had innumerable arguments with Apple fanboys and shills about how centralized security isn't better, it just creates one massive point of failure. We'll see more and more of this in the coming years. Apple devices will be the easiest to compromise due to their centralized control structure.

      --
      If it ain't broke, don't fix it.
  3. Government taking care of me... by mi · · Score: 1, Insightful

    FTC Orders Apple, Google, Microsoft, BlackBerry, Samsung To Divulge Mobile Security Practices

    This is so nice of the government — protecting me from these nasty capitalists.

    I wonder, if those among them, who cooperate with the police (and/or donate to the correct politicians), will be granted exceptions...

    --
    In Soviet Washington the swamp drains you.
    1. Re:Government taking care of me... by Anonymous Coward · · Score: 0

      That's my question. What in the Constitution grants the FTC the power to demand this information? Even if we assume they can get it, what the hell can they do with it? What do security patches have to do with trade?

      This seems like yet another government power-grab, where the government is trying to grab powers they don't have in the name of "security."

    2. Re: Government taking care of me... by Anonymous Coward · · Score: 0

      You are such a fucking dumbass

  4. Buy a better device? by Aaden42 · · Score: 1

    Don’t buy phones that are locked to the carrier’s update schedule. Spend a little more and get something you can patch on your own terms.

    Perhaps you’ve heard of iOS and/or Nexus devices?

    1. Re: Buy a better device? by Anonymous Coward · · Score: 0

      At least on T-Mobile, only carrier ROMs have Wi-Fi calling.

    2. Re: Buy a better device? by amRadioHed · · Score: 1

      My understanding is that as of the Nexus 6, Wi-Fi calling is supported in standard Android.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    3. Re:Buy a better device? by meadow · · Score: 1

      Don’t buy phones that are locked to the carrier’s update schedule. Spend a little more and get something you can patch on your own terms.

      Or only buy devices that have active development going on on xda-developers.com including multiple and frequently-updated ROMs, or are actively supported by one of the large alternative ROM creators such as Cyanogen, Resurrection, Pac, Slim, etc.

      Personally I like the slightly older Samsung devices with some of the cool backport ROMs.

    4. Re: Buy a better device? by dumfrac · · Score: 1

      At least on T-Mobile, only carrier ROMs have Wi-Fi calling.

      I have T-Mobile and my Nexus 5X has wifi calling.

    5. Re: Buy a better device? by davester666 · · Score: 1

      It may be supported on the device, but not enabled/used by the carrier.

      --
      Sleep your way to a whiter smile...date a dentist!
    6. Re: Buy a better device? by WarJolt · · Score: 1

      A little bit of Googling could have prevented you from publicly revealing you are a moron.

      https://support.t-mobile.com/d...

  5. This should be interesting by Anonymous Coward · · Score: 5, Funny

    Apple: We release updates directly to phones because we control the software and hardware stack

    Google: We publish updates to the core OS, Android vendors implement updates. We release updates to Google apps on the Play Store. Vendors' devices get access to the Play Store if they sign a contract with us.

    Samsung: We released 56 different phone models in 2014 and it's a pain in the dick updating even the flagships because of all the.. Uhm.. Value added software we load on them.

    HTC: Uh. We publish updates on flagship models if it's convenient. Hey.. Uh.. Anyone want to buy a phone company?

    Motorola: Who owns us now? Do we still make phones?

    Blackberry: We're relevant! Our phones are secure.. Uhm.. Nevermind that we gave away our root keys when we said we didn't. Please buy a phone from us.

    LG: What?

    1. Re:This should be interesting by Anonymous+Brave+Guy · · Score: 2

      Now we're all wondering whether you forgot that Microsoft was the final company on the list or their omission was an oblique reference to their relevance in the mobile market and/or how they handle demands from authorities.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:This should be interesting by guruevi · · Score: 2

      Microsoft: Here's a copy of the vulnerabilities you wanted us to implement for you. Do you have a loading dock?

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:This should be interesting by Anonymous Coward · · Score: 1

      Microsoft: With Windows Phone 10 with Bing and Cortana the phones self-update. All the time. You can't stop it even if you want to. Don't like it? Too bad. You'll get 11 too whether you like it or not.

    4. Re: This should be interesting by heezer7 · · Score: 1

      To be fair Motorola keeps my latest gen moto x updated with the monthly patches. Not sure about the older phones.

    5. Re:This should be interesting by thegarbz · · Score: 1

      Why would anyone request Microsoft to put vulnerabilities into their phone and wait for the upgrade cycle to complete rather than going after both users directly?

    6. Re:This should be interesting by tom229 · · Score: 1

      Interesting how Apple is the only one that can comply with an invasive and controlling question, because, well, they're the most invasive, centralized, and controlling among them. Your post implies this is a good thing. Any security researcher, administrator, developer, or technician worth their salary would disagree.

      --
      If it ain't broke, don't fix it.
  6. and they'll all say... by Anonymous Coward · · Score: 0

    (except, perhaps apple, who maintains a stranglehold on iOS)

    we provide the updates to the CARRIER, and it is primarily THEIR responsibility to distribute updates to THEIR customers. it is not our fault if they fuck up the software so bad that they can no longer simply pass-through updates as provided by us.

  7. Under what authority? by BitterOak · · Score: 1

    While I'm all in favor of more transparency in security vulnerability and patching processes, I wonder where the FTC gets the authority to order phone manufacturers to disclose this information. Is there some congressional statute they're acting under, or did they just make this up? Do they have unlimited power to require any company that manufactures and sells any product whatsoever to disclose anything they (the FTC) wants, or is there some narrower law they are working under?

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    1. Re:Under what authority? by tepples · · Score: 1

      The commerce clause, as explained in a reply to AC's comment.

    2. Re:Under what authority? by DigiShaman · · Score: 1

      You know damn well what the reasoning behind this is; it's so the government can have a standing in regulatory compliance in that if a cell phone provider wishes to use the network, it must let the government manage security policy - specifically with regards to encryption. This is nothing more than lining up the opportunity to legally cripple Apple and Google's ability to lock down their devices to where not even the government can break into them. Don't comply, then you won't be allowed to use the new shiny on the cellular network. Think about it!!!

      --
      Life is not for the lazy.
    3. Re:Under what authority? by BitterOak · · Score: 1

      The commerce clause, as explained in a reply to AC's comment.

      The commerce clause is part of the Constitution. The Constitution doesn't grant the FTC any authority whatsoever. It grants Congress the right to regulate interstate commerce. Congress must then, in turn, grant authority to the FTC. It does so by means of statutes in the United States Code. The FTC doesn't have unlimited power to regulate any and all interstate commerce. So I'm wondering, under which statute do they claim to have the authority to order private companies to disclose security vulnerabilities and patch schedules?

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  8. FTC authority? by mveloso · · Score: 1

    Does the FTC have the authority to compel the production of this information?

    1. Re:FTC authority? by Anonymous Coward · · Score: 0

      Yay more blatant in your face we do it anyway memo style federal over reach.

      FTC go home.

      We all know FBI/CIA/NSA/ShadowAgencies are just going to roll the constitution up and use it like a condom as they f*ck the security and privacy of every day Americans even more.

  9. Sad to see the Republicans... by Anonymous Coward · · Score: 0

    try to obstruct security again.

  10. And while the one hand asks for better security.. by Timmy+D+Programmer · · Score: 1

    The other tries to outlaw encryption.

    --
    (If at first you don't succeed, do it different next time!)
  11. Re:And while the one hand asks for better security by ffkom · · Score: 1

    In Germany, we only need one agency for this kind of hypocrisy: The "BSI" has _both_ the duty to promote the security of IT _and_ the duty to help with placing trojans on whatever computer the government wants to spy on. Go figure how much trust people have in advice from BSI...

  12. Why Microsoft? by Anonymous Coward · · Score: 0

    After all, they are insignificant in the mobile world.

  13. Re:And while the one hand asks for better security by sconeu · · Score: 1

    Pre-9/11, the NSA had a similar bent... They had a group working on securing stuff, and a group working on cracking stuff.

    See Cliff Stoll's "The Cuckoo's Egg". He talks about his visit to NSA.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  14. Wrong TLA group, guys. by Torodung · · Score: 1

    The FTC, according to the letter, is doing this on the basis of a "resolution." No law. No regulation. Just they _resolved_ it in order to complete a study. They're basically making a willful power grab. I wonder if the manufacturers will bite or fight? I think they should tell them where to stick it.

    The FCC or NSA has more authority to do this than the FTC. The NSA through a FISA court order seems the most likely way to grant any legal authority in the matter. This is otherwise a blatant power grab. What the hell is wrong with the executive branch these days? In the lame duck years, it seems to be going out of its way to assert new, untold powers by only their say-so. This requires a regulation that does not exist, and can only be made by the legislature.

    Finally, just what the hell does this have to do with trade policy/regulation? This is clearly NSA mission territory in my book. I would actually be comforted if the NSA took an interest in this and started helping us secure our technology instead of hanging on to a pool of vulnerabilities that any nation could exploit.

    1. Re:Wrong TLA group, guys. by viperidaenz · · Score: 2

      Maybe the FTC want to make sure those companies aren't being dodgy.
      Like saying they're selling secure, supported devices when they're not.
      Not deliberately cutting support for old devices so they can sell more new ones.
      Not selling devices they never intend to provide security fixes for.

    2. Re:Wrong TLA group, guys. by gaiageek · · Score: 1

      The FTC is doing this in partnership with the FCC, who I agree, has more power to do something about this. See my comment below.

  15. Give us the keys! by emil · · Score: 1

    Carriers and/or OEMs who abandon phones within 5 years of introduction should be compelled to release any signing keys that they used to lock bootloaders.

    If Verizon wants to create a walled garden with locked bootloaders, then they have a responsibility to maintain it. Any devices that do not receive quarterly security patches should be forced open, allowing Cyanogenmod (et al) to become an option for security fixes. Novice users can then use third party security support, and power users can wipe Verizon's beloved NFL bloatware with prejudice.

    I wish I had an LG with a leaked key, rather than my Samsung that lives in a straightjacket. I would never buy Samsung again. My Samsung will be retired far before the end of the useful life of the hardware.

    If we're going to ban Samsung at the borders, let's not do it over rounded corners. Let's do it to control the hardware that we own.

  16. Blackouts love you... by Tjp($)pjT · · Score: 1

    Since they now will publish vulnerabilities they know, and which have been fixed, and how they determine what is important to fix!!!

    --
    - Tjp

    I am in wallow with my inner money grubbing capitalistic pig. ... Oink!

  17. Moto X 1st gen Verizon by emil · · Score: 1

    I have one - it got 5.1 Lollipop late last year, and it just got a security update.

  18. FBI and other criminals by Anonymous Coward · · Score: 0

    The factors that they consider in deciding whether to patch a vulnerability on a particular mobile device, detailed data on the specific mobile devices they have offered for sale to consumers since August 2013, the vulnerabilities that have affected those devices, and whether and when the company patched such vulnerabilities.

    We also want detailed information on how your update process can be subverted by the FBI.

  19. My carrier is Xfinity by tepples · · Score: 1

    carriers restrict what updates are made available to customers on their network.

    So what blocks updates for Wi-Fi tablets? My carrier is Xfinity or Chick-Fi or Wendynet.

  20. Commerce among the states by tepples · · Score: 1

    What in the Constitution grants the FTC the power to demand this information?

    The fact that phones are manufactured in East Asia and sold across state lines for use on networks that communicate across state lines. There's your "commerce with foreign nations, and among the several states" that the Constitution grants the Congress "power [...] to regulate". And the Congress has chosen to exercise this power by creating the FTC and FCC.

  21. Not just the FTC, but a partnership with the FCC by gaiageek · · Score: 1

    The FCC launched an inquiry in partnership with the FTC. I submitted a story to slashdot on the FCC inquiry, yet somehow this is what we get.

    Regardless, this is a big story, as the way security patches have been handled -- or more precisely ignored by the carriers and manufacturers -- has become a huge problem. We're talking millions of vulnerable internet-connected mobile devices out there which, the way things are now, will never get patches for severe exploits like Stagefright.

  22. It's not only the carriers either by pablo_max · · Score: 1

    Well, not exactly the carriers. Or the manufacturers either.

    Most people who use cell phones in the US are totally unaware of the certification process in place for those phones.

    The main game in town is PTCRB. This makes up most of the GSM/UMTS and LTE carriers in the US and Canada. Verizon has their own program, which by and large follows GCF, the European counterpart to PTCRB, but based on open standards. Though, VzW mixes in proprietary standards.

    The certification for PTCRB has a LOT of testing involved. For a modern phone supporting 2G/3G/LTE, we are talking in excess of 15k separate tests which are run for conformance testing. This doesn't even include field testing. Now, the manufacturers cannot run these tests on their own, unless they are a PTCRB lab, which is very uncommon. Normally, they need to use a test house, which will determine the testing scope, run the tests, create the reports and then upload the test reports to PTCRB who will then approve the product.
    Now.. that certified product is linked to an SVN number. That is the last 2 digits after the IMEI number. That lets the network know which version of HW/SW your phone is.
    Every single time a new SW version comes out, they need to certify it again. Normally, this is done via an ECO (engineering change order) and the testing scope is pretty small. It still can take weeks though, depending on how busy the labs are. That's only PTCRB!
    If they also have VzW it's way more of a pain.

    The GCF model is a lot better IMO. It is self certification. The tests need to be run in the lab though, but there is no need to go through all the paperwork stuff for a software update. Just some due diligence to ensure you didn't break anything and you will not harm the network.
    Though, if they want to change the feature set or add a band... that's a whole new ball of wax.
    Actually, if they enabled a band, they would technically need to get a new FCC ID as well. Then the model name would also need to change and it would be considered a variant product as far as PTCRB is concerned.
    Similar story for Bluetooth SW/HW as well. Except that goes through the BT SIG.
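    An added example, not from the thread above and not any vendor's or PTCRB's code, showing the identifier structure pablo_max refers to: a 16-digit IMEISV is the 8-digit TAC plus the 6-digit serial plus a 2-digit SVN, and the 15-digit IMEI for the same device swaps the SVN for a Luhn check digit. The code splits an IMEISV, rebuilds and validates the IMEI, and then flags inventory devices whose reported SVN is not one recorded as certified for that TAC. The certification table, the inventory and the device labels are constructed for illustration; only the IMEI/IMEISV layout and the Luhn algorithm are standard.

```python
"""Parse IMEISV values and flag devices running an SVN that is not on a
certified list for their TAC. Added example; the certification table and
sample inventory below are constructed, not real data."""


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string that does not yet carry one.
    Doubling starts with the rightmost payload digit, as the IMEI scheme does."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def _digits(s: str) -> str:
    """Strip separators so '49-015420-323751-01' and '4901542032375101' compare equal."""
    return "".join(ch for ch in s if ch.isdigit())


def is_valid_imei(imei: str) -> bool:
    """True if the 15-digit IMEI carries a correct Luhn check digit."""
    s = _digits(imei)
    return len(s) == 15 and luhn_check_digit(s[:14]) == int(s[14])


def parse_imeisv(imeisv: str) -> dict:
    """Split a 16-digit IMEISV into TAC (8), serial (6) and SVN (2), and derive
    the matching 15-digit IMEI (TAC + serial + Luhn check digit)."""
    s = _digits(imeisv)
    if len(s) != 16:
        raise ValueError("IMEISV must be 16 digits, got %d" % len(s))
    tac, serial, svn = s[:8], s[8:14], s[14:]
    imei = tac + serial + str(luhn_check_digit(tac + serial))
    return {"tac": tac, "serial": serial, "svn": svn, "imei": imei}


# Constructed table: which SVNs the operator has a certification record for, per TAC.
CERTIFIED_SVNS = {
    "49015420": {"01", "02"},
}


def find_uncertified(inventory, certified=CERTIFIED_SVNS):
    """Return (label, tac, svn) for every device whose SVN is not certified for
    its TAC, including devices whose TAC has no certification record at all."""
    flagged = []
    for label, imeisv in inventory:
        p = parse_imeisv(imeisv)
        allowed = certified.get(p["tac"])
        if allowed is None or p["svn"] not in allowed:
            flagged.append((label, p["tac"], p["svn"]))
    return flagged


# Constructed inventory: (device label, IMEISV as reported by the device).
SAMPLE_INVENTORY = [
    ("alice-handset", "49-015420-323751-01"),  # SVN 01, certified for this TAC
    ("bob-handset", "4901542032375203"),       # SVN 03, not on the certified list
    ("carol-tablet", "3588990012345602"),      # TAC with no certification record
]


if __name__ == "__main__":
    for label, imeisv in SAMPLE_INVENTORY:
        p = parse_imeisv(imeisv)
        print(label, p, "imei valid:", is_valid_imei(p["imei"]))
    print("uncertified:", find_uncertified(SAMPLE_INVENTORY))
```

The derived IMEI for the first constructed device is 490154203237518, the commonly cited textbook IMEI, which is why its check digit can be verified by hand. In a real fleet check the table would be populated from the operator's own certification records; the code deliberately treats an unknown TAC as uncertified rather than silently passing it.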

  23. Kiss off FTC by Anonymous Coward · · Score: 0

    The FTC need to mind their own business. Their job is to focus on TRADE, not security.

  24. Re:Not just the FTC, but a partnership with the FC by Anonymous Coward · · Score: 0

    To hell with the FCC also.

    They self proclaimed authority over the Internet, and so we don't recognize them ANYPLACE.