Samsung Left Millions Vulnerable To Hackers Because It Forgot To Renew a Domain (vice.com)
An anonymous reader writes: Samsung cellphones used to have a stock app called S Suggest. The company apparently discontinued the app recently, and then forgot to renew a domain that was used to control it. This snafu left millions of smartphone users vulnerable to hackers who could've registered the domain and installed malicious apps on the phones.
This is just more proof that tech as we know it today is way too fragile for critical functions. Cell phones getting screwed up is bad but think forward a few years, automated cars, drones, computerized ATC. Oh the humanity if one of those systems fails this way.
What would have happened with something like this if a company goes under?
We almost need a charity foundation of some sort to maintain domains like this in that situation.
Left vulnerable by NEVER updating the operating systems on phones other than Flagship. I remember Stagefright, they promised a security release. Still waiting on my 4.4.1.
That's what you get when you have software that cannot be uninstalled, but has root permissions. Once the company in charge no longer gives a fuck, you are screwed if you keep using it. But hey, I thought all of those digital signatures that we cannot legally override, and told we HAD to use, were supposed to keep us safe? Guess I was wrong..... *eyeroll*
They keep their shit wired tight
You can bitch about the walled garden, but it works
It doesn't matter who controls or hijacks your domain because DNS is not an authoritative source of information. You go through numerous unsigned caches before you get queries through.
If you write software without your head up your ass you'd use a certificate on the app to check every interaction with the server before you trust it.
“Common sense is not so common.” — Voltaire
I hope our goatse guy gets his domain renewed soon. I'd hate to see him fall victim to the same problem!
You'd think they could have instead used "ssuggest.samsung.com" or similar, rather than registering an entirely separate domain for what is essentially a minor feature on a phone.
The nice thing about DNS is that it was designed PRECISELY TO BE USED THIS WAY, being able to establish a hierarchy so that an entity can organize all their hostnames/services in one hierarchy.
Plus all of those Samsung crap apps.
That's why I use stock Android on my Nexus, and my next phone will be a Pixel. It's a shame because the Samsung hardware is really nice (except the Galaxy S7 of course).
I'm guessing the root cause goes deeper, and a key employee who handled these 'minor details' left, or was terminated.
The organization also lacked the depth and institutional knowledge.
It's only "hackers" we have to be afraid about. That's just a few CYBER ne'er-do-wells, right?
The point? No, it isn't that "hackers" used to mean something different, that's just ironic gravy. Withering irony, going right over most people's heads. But we'll let that slide for now.
The point is very much that the term now means exactly nothing and is used to hide ignorance and incompetence. For verily, "hackers" are the great unknown and thus it's Not Our Fault!!1! because IT WAS HACKERS! WE REALLY COULDN'T HELP IT! BECAUSE HACKERRRRRS! -- No you little shits, it's you that did done fsck up. Even if it looks like the great cyber bogeyman from cyberspace did. He didn't, you did. "Hackers" didn't do, you failed.
This is why the tech as we know it today is not fit for purpose, but crumbly and flakey and generally brittle. Don't breathe too loudly or it'll come crashing down, and let some thief in to empty your coffers, or just fail entirely on its own for no reason.
Very related to this is the late and great E.W. Dijkstra's lament that we talk about "bugs" like they have a mind of their own, when the proper term would be "defects", as that would immediately make clear what's what. It would be a call to arms to make our tech less defective. Sounds quite different from making it "less buggy", doesn't it? Same with blaming "hackers" for anything and everything.
"But!" you say, "every news outlet and every computer security company in the world blames 'hackers', why shouldn't we?" Why, of course, that would be because they're either ignorant or assuming you are, or both. Want to keep on playing the game of "we can't do it, cap'n" sheer incompetence? Go right on. Blame "hackers", I dare you.
No, you don't need "more power" to fix it, you need a clue. And now you have one: Now you know you are being stupid when you do that, just like all those other little shits who predictably haven't managed to punch a hole in the problem for the last thirty or forty years already. Deliberately, because being part of the problem is good money, just like that demotivator. You like failing that hard? You like easy money and "heroically" failing at changing the world for the better? Forge right ahead. There's a whole industry waiting for you to "help" them sell more imperial textile, of the "blame it on the hackers" brand.
It's almost certainly an internal corporate division problem. I'll bet internal processes and/or corporate divisions meant that it was easier for one department to create an entirely new website with their own servers etc. than it was to get Samsung's corporate website, or more accurately the DNS for such, altered by the other project team.
Did they though? Did it all get sorted out properly in the end? Because Donald Trump could have nuked Canada, but he didn't. What other things might have happened that didn't and are worth reporting on today? I didn't murder anyone today, but I saw a lot of people who left themselves vulnerable to being murdered. I also didn't abduct any children, but I did find some children that I probably could have abducted.
The people doing the registering lack the basic clue that the DNS was anything beyond "that thing that makes www.ssuggest.com work", as in, "www dot myname dot extension". No you little shits, it's not an "extension", you have it exactly backwards. The entire thing is a distributed database that allows you to register a domain and you have full dominion inside that domain. That idea means nothing to most people, even many developers don't get this at all. And, of course, registrars encourage the folly so they'll sell more "web names" under various "extensions".
In a way the failure to understand this discerns the boys from the men... but at the same time, it marks a failure of the men to teach the boys. How would you explain "SOA record" to the average marketeer, or even the average "app dev"? Because let's be frank, it's not the brightest minds that do this sort of thing. Recall the Sony rootkit girl? She's not an outlier, she's an example of the species that writes big corporate software, "code grinders", typically fresh graduates with nary a clue because they don't teach that in college any longer.
And, of course, their "apps" get deployed with the tried-and-true, best current industry practice, "throw it over the fence" method, with no thought for long-term viability and where to fit the abortion into the whole administrative framework. Which stands to reason because most of the time there is no such thing at all.
Worse, in this case the gimmick had run its projected run and so it got killed. That there were still quite a few devices depending on it still being available... "eh, they're consumers, they're supposed to buy new things, not cling to old crap!"
at fucking you over. ;)
Anons need not reply. Questions end with a question mark.
That is an utterly unhelpful and nasty website. Apart from the stupid tabletised layout that is painful to use on the desktop*, try for example the "about" tab. Popping in to see what it's all about, all I got was an acute sense of wasting my time.
I thought I'd drop the guys a note on IRC but all that happened was getting shunted to some channel where no talking was allowed. In my mind, this thing is now firmly marked as too self-centered hipsterific to possibly be useful and thereby written off.
* I'm not using the phone because even booting that, nevermind using its shitty slow browser, is too painful to contemplate. That's with cyanogenmod installed. The first thing I'd want to know after "just what is it and what does it do?" is "is this thing any faster than stock or cyanogen?" but the signs all point to "nope".
So the phones will install any received update without checking digital signatures, as long as it appears to be coming from the correct domain? Then it was already a major problem while they did control the domain name.
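The two comments above (the one saying an app should check a certificate on every server interaction before trusting it, and this one asking whether the phones verified signatures at all) describe the same defence: an update client that trusts a package only because it carries a valid signature under a key the device already holds, not because of which domain served it. The Go program below is an added illustration of that check and is not Samsung's code or anything from the article; the Ed25519 key seeds, the "S Suggest update" payload and the manifest layout are all constructed for the example. A real vendor would generate the signing key once and keep it offline, and the public half would ship baked into the app or firmware.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// UpdateManifest is the constructed shape of what a phone might download from
// the update host: the update bytes plus a detached signature over them.
type UpdateManifest struct {
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned whenever the payload does not verify under the
// pinned key, whether the signature is missing, malformed, foreign or stale.
var ErrBadSignature = errors.New("update signature does not verify under pinned key")

// KeyPairFromSeed derives a deterministic Ed25519 key pair. The seed is
// constructed test data; NewKeyFromSeed requires exactly 32 bytes.
func KeyPairFromSeed(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignManifest models the vendor's release step: sign the payload before
// publishing it to whatever host the clients will fetch it from.
func SignManifest(priv ed25519.PrivateKey, payload []byte) UpdateManifest {
	return UpdateManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the client-side check. The phone accepts the update only if
// the signature verifies under the key it shipped with; the identity of the
// server, the DNS answer, and the domain's registration status never enter
// into the decision.
func VerifyUpdate(pinned ed25519.PublicKey, m UpdateManifest) error {
	if len(m.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pinned, m.Payload, m.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Tamper returns a copy of the manifest with one payload byte flipped and the
// original signature kept, modelling a host that serves a modified package.
func Tamper(m UpdateManifest) UpdateManifest {
	out := UpdateManifest{
		Payload:   append([]byte(nil), m.Payload...),
		Signature: append([]byte(nil), m.Signature...),
	}
	if len(out.Payload) > 0 {
		out.Payload[0] ^= 0xFF
	}
	return out
}

func main() {
	vendorPub, vendorPriv := KeyPairFromSeed([]byte("constructed-seed-for-vendor-key!"))
	_, otherPriv := KeyPairFromSeed([]byte("constructed-seed-for-attacker-00"))
	payload := []byte("S Suggest update v2 (constructed payload)")

	cases := map[string]UpdateManifest{
		"genuine vendor release":       SignManifest(vendorPriv, payload),
		"same payload, foreign signer": SignManifest(otherPriv, payload),
		"tampered payload":             Tamper(SignManifest(vendorPriv, payload)),
		"unsigned payload":             {Payload: payload},
	}
	for name, m := range cases {
		if err := VerifyUpdate(vendorPub, m); err != nil {
			fmt.Printf("%-30s rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-30s accepted\n", name)
		}
	}
}
```

Only the genuine release is accepted; a package signed by anyone else, altered in transit, or shipped without a signature is rejected even though, in the scenario the article describes, it would have arrived from the "correct" hostname. Pinning the key rather than the domain is what makes an expired registration a nuisance instead of a compromise.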
I would bet the root cause of that would be "didn't even try". It could be that they did try and found the internal road wanting, but as an admin even in a small company I've too often been blind-sided by people not even asking, sometimes not even using my services at all but expecting, say, corporate email to suddenly work on domains I didn't even know existed, n'mind registered, n'mind have any administrative access to.
Yes, this effectively added "be telepathic" to my job requirements, and of course the way they do that is by expecting telepathy to work. Obviously. This is how "lusers" well and truly earn their name, and why bitterness is never wanting among admins.
Enough time wasted. It is even disputed that this was true.
What users need is software freedom (the freedom to run, edit, and share the complete corresponding source code to the software) so they can alter the software as they wish, point the device to whatever site they want for updates, and genuinely own their computers. There's no good reason to keep a domain going and address this in a monopoly-sustaining surface level way. Keeping a domain going is not really the issue nor is that a thorough solution to the underlying problem.
Digital Citizen
Bought two Samsung TVs with all these networked smart features... Over six months, I see on the screen announcements of discontinued features.... I unplugged my TVs from the wifi connection and only watched TV on them.
Yeah, but they saved $9.99 by not renewing the domain so it was a huge win for Samsung.
Just cruising through this digital world at 33 1/3 rpm...
It self destroys by design, hackers don't have enough time to compromise the phone.
What users need is software freedom (the freedom to run, edit, and share the complete corresponding source code to the software) so they can alter the software as they wish, point the device to whatever site they want for updates, and genuinely own their computers.
You already can. Just buy the appropriate hardware for whatever software you have rights to and want to install on it. Enjoy.
The cesspool just got a check and balance.