WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com)
A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack. From a report: The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network. That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream. In other words: hackers can eavesdrop on your network traffic. The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk. "If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website. News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned.
Public announcement from Mathy Vanhoef is https://www.krackattacks.com/ and his research paper can be found https://papers.mathyvanhoef.co....
As long as you use the HTTPS protocol, the eavesdropping will be limited to which web site you visit, but not the content of the website. Nice workaround.
Don't use wifi, or wired, or bluetooth, or zigbee, or zwave. Instead live in a cabin in the middle of the woods away from technology, just don't pull a Kaczynski, please.
At least for in the home !
I'm surprised that this still needs saying on an allegedly technical forum.
As of a few hours ago, some vendors are already offering beta updates. EOL-ed devices are fucked as usual. Hopefully there's a way at the AP level to detect and block clients that haven't been patched for this vulnerability, or if it's even possible... As I know, backwards compatibility inherently exists between patched and unpatched so as to not break the WPA2 standard.
Since no one else uses it, WEP might protect you since people have given up looking for it.
Sounds like it's the new WEP.
This would be a good time to point out how many vulnerable (and probably forever unpatched) devices would result from the push for IoT.
Can anyone shed any light on how serious this actually is? How easy is it to exploit this?
I don't want some theoretical answer, either. I want to know in very practical terms.
Is this as bad as the "Shellshock" bash bug and the "Heartbleed" OpenSSL bug were, where systems were being compromised within hours of these bugs becoming widely known?
WPA2 enterprise doesn't use a pre-shared key. So which is it? Does the weakness lie with pre-shared key passwords? Or something else which also affects WPA2 enterprise?
Ah, here we go. The answer is "it's complicated." I'm reading through it right now, but as a PSA:
In the future can we link to original source articles or responses by authoritative organizations, instead of trade rags?
Replay packet 3 in the 4 way handshake, and the client will encrypt two different payloads with the same key and nonce. A big mistake with most encryption methods.
Worse, linux wpa_supplicant nulls out the key memory but still processes the replayed packet, causing the client to use a known (zero) key.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
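The replay described in the comment above, modeled as an added example (not part of the thread, and not code from wpa_supplicant or the KRACK paper). It assumes a toy HMAC-SHA256 keystream in place of CCMP counter mode; `Client`, `simulate`, `reused_nonces` and the sample key and frames are constructed for illustration, and the "patched" mode shows the defensive behaviour of refusing to reinstall a key that is already in use.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any capture.
PTK = hashlib.sha256(b"constructed session key").digest()
FRAME_A = b"GET /inbox HTTP/1.1\r\n"
FRAME_B = b"POST /login HTTP/1.1\n"


def keystream(key, nonce, length):
    """Toy per-frame keystream; a stand-in for CCMP counter mode, not real AES."""
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Hypothetical supplicant model with three ways of handling message 3."""

    def __init__(self, mode):
        if mode not in ("vulnerable", "zeroing", "patched"):
            raise ValueError(mode)
        self.mode = mode
        self.ptk_buffer = None      # key material derived during the handshake
        self.installed = None       # key the driver actually encrypts with
        self.tx_nonce = 0           # per-frame packet number
        self.key_installed = False

    def derive(self, ptk):
        self.ptk_buffer = ptk
        self.key_installed = False

    def on_message3(self):
        # Patched behaviour: a retransmitted message 3 must not reinstall the
        # key, so the packet number keeps counting upwards.
        if self.mode == "patched" and self.key_installed:
            return False
        self.installed = self.ptk_buffer
        self.tx_nonce = 0           # the reset that causes nonce reuse
        self.key_installed = True
        if self.mode == "zeroing":
            # Key memory is cleared after install, so a replay installs zeros.
            self.ptk_buffer = bytes(len(self.ptk_buffer))
        return True

    def send(self, plaintext):
        self.tx_nonce += 1
        ks = keystream(self.installed, self.tx_nonce, len(plaintext))
        return self.tx_nonce, xor(plaintext, ks)


def simulate(mode):
    """Handshake, one frame, a retransmitted message 3, then a second frame."""
    client = Client(mode)
    client.derive(PTK)
    client.on_message3()
    first = client.send(FRAME_A)
    client.on_message3()            # the replayed message 3
    second = client.send(FRAME_B)
    return first, second, client.installed


def reused_nonces(frames):
    """Packet numbers seen more than once from one sender under one session."""
    seen, reused = set(), []
    for nonce, _ in frames:
        if nonce in seen:
            reused.append(nonce)
        seen.add(nonce)
    return reused


if __name__ == "__main__":
    for mode in ("vulnerable", "zeroing", "patched"):
        first, second, key = simulate(mode)
        print(mode, "reused:", reused_nonces([first, second]),
              "zero key:", key == bytes(len(PTK)))
```

In the vulnerable mode the two ciphertexts XOR to the XOR of the two plaintexts, which is why a repeated key and nonce pair is fatal for a stream-style cipher; in the patched mode the packet number advances from 1 to 2 and no pair repeats.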
this just goes to show who is paying attention :
https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
F60.0
I'm really fucking concerned about how Google will fix this for Android, the most popular OS in the world.
Recent stats are showing that only 0.2% of users are using Android 8.0, the latest version. Only about 18% are using Android 7.x releases. A whopping 32% are using Android 6.x! About 28% are using Android 5.x! About 21% are using Android 4.x!
So like 80% of Android users are still using Android 6.x and earlier!
If this problem can be avoided with a software fix, I think that Google should do everything they possibly can to get this fix to as many Android devices as possible.
I'm sure some fools here will come along and just tell affected users to "buy a new phone" or some infeasible bullshit like that. Realistically, that's not happening. Users will continue to use their older devices. It will reflect badly on Android if it's susceptible to this wifi security issue, even on older devices.
While they obviously can't provide updates to all of the Android devices out there, I really hope that Google will do what they can to get the fix to at least all Nexus and Pixel devices from the Nexus 4 onward.
The most sensible solution would be to fix it in Android 8.x, and then port Android 8.x to the Nexus 4 and all devices after it. Then this release would be made available to those who wish to upgrade. Not only would this fix this wifi problem, but it would also help fix at least some of the serious version fragmentation that Android is currently experiencing.
I wonder about an almost off-hand remark in section 6.2.
"6.2 Example Attack Scenarios
Among other things, our key reinstallation attacks allow an adversary to decrypt a TCP packet, learn the sequence number, and hijack the TCP stream to inject arbitrary data [37]"
This implies that a "read only" (decrypt only) attack allows attacker to hijack the TCP stream. Can someone with better understanding of the issue explain this point? How can TCP connection be hijacked/modified if attacker has no ability to insert or modify packets at the wifi level (which is why that type of attack is "read only")?
Amazing paper, though.
Google can't do anything about that.
It's the fucking telcos who are withholding updates from the end users. Even if you have the patched version on your hard drive, you can't install it, because your wireless provider won't let you. Verizon is the most egregious offender; as long as they continue to refuse to sell devices with unlocked bootloaders, the only way to install an update is when the telco feels like pushing it to the users.
It's a good idea to revisit the arguments made when it was revealed that HP had been sharing its security software with Putin's cyber inspectors.
One of the common themes was : "it should be secure enough to withstand that", or "NSA should have checked it better so FSB couldn't hack it".
Well here we have a protocol that's been published for years and years and in widespread use, and only now someone's spotted the problem.
It is not a good thing to have closed source software that's only inspected by malicious foreign attacking governments cyber security agents. There will *always* be overlooked security holes in these products and anything you do to make it easier for the attacker to spot those holes is weakening the security.
HP should not be showing major security software used to secure the USA from a rogue country that has/is attacking its infrastructure.
1JEiV9CiJmhfYhE7MzeSdmH82xRYrbYrtc
Fnord fnord fnord!
Trying to find out if TLS certificates or Kerberos authentication are affected by this. If you're not using passwords, are you still vulnerable?
Would it not be possible to prevent by setting up a RADIUS server?
Man In The Middle attacks are not newsworthy and should not be making the front page of Slashdot, these are the equivalent of anti-Trump garbage that floods #fakenews sources.
So a flaw that affects every single Wifi network isn't newsworthy? Repeat: Every single Wifi network. Facts don't matter then to you. From what I can tell not all vendors have supplied patches yet so most people are vulnerable as they are unpatched.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Seriously, the whole design process of WIFI "security" is almost as badly broken as that of mobile phone security. Anybody sane tunnels over these connections, using a VPN or SSH, or the like for anything critical.
And for all those confused: No, this is not HTTP security, i.e. SSL or TLS on TCP-Level (ISO/OSI Layer 4), this is link-level security for the WIFI connection, i.e. below IP layer but above hardware (ISO/OSI layer 2).
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
A video showing the exploit is available at http://www.securitytaco.com/20...
I'm not sure older devices have the hardware capable of supporting Android 8.0.0, aka, Oreo. Even phones a couple of generations old would likely become unacceptably slow with the newer OS. A huge majority of Android devices are not Nexus or Pixel devices and generally not updated by the carriers. Even older Nexus devices are not guaranteed security updates by Google.
The best thing might be for Google to provide appropriate security patch software for WPA2 for all versions of Android to carriers but it's likely they would never reach customer phones.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
This makes WPA2 "insecure" but (approximately) 100.00% of your applications that were written in the mid-1990s or later, already assume that the network is thoroughly compromised and utterly, completely untrustworthy. i.e. for web browsing, the attacker next needs to break https. For email, the attacker has to break TLS. And so on.
This is going to potentially affect people who use wifi combined with protocols like telnet over that wifi.
In other words, if you play a MUD on your laptop at home, someone hiding in the bushes out front might be able to steal your character. (But if you were playing in public places, then you were already facing the same risk, even before WPA2 was compromised.)
Luckily my LMDE distro got a new wpa_supplicant this morning, I think this is to fix this, if yes, this is great!
"Science will win because it works." - Stephen Hawking
The router isn't the problem it's the Wi-Fi devices connected to the router. Examine the article carefully.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
Why limit yourself to 100mb connections?
There's a pretty good write-up at AnandTech: https://www.anandtech.com/show...
Basically, they say the vulnerability is worse for some configurations more than others. If you use Android, or WPA-TKIP, or 802.11ad the attacker can do more damage. Normally it's only eavesdropping of one side of the communication.
They could also sell the latest Pixel phones at-cost, or even at a reasonable loss, to help make upgrading easier for users. There are lots of people who won't pay $700 for a new phone, but they would be willing to pay $300.
That's amazing! I have the same combination on my luggage!
Don't absolve google. I paid $500 for a Nexus 10 tablet a few years back. Straight-up google, through and through. No telco involved. Stopped getting updates a long while back and is slowly decaying to uselessness and, obviously, will not get patched.
This is a silly solution. A bug in WPA2 should not require its corporate user to eat billions of dollars. Just force the telcos to issue the patches and then tell them they're done with this silly customizing-the-OS bullshit that no customers ever wanted.
The telcos have absolutely nothing to do with updates for Android phones, with the exceptions of those that they themselves have branded. It's the manufacturers who are responsible. Your comments were sort-of true for the previous generation of feature phones, but Android devices aren't something telcos have control over.
The problem here is that manufacturers have few incentives, apparently, to keep Android devices up to date.
You are not alone. This is not normal. None of this is normal.
And don't forget the non Google Android tablets that never get OS updates by the likes of Samsung, and the bastardised Android used in consumer devices like the NV shield and Amazon's Fire range. And let's be honest, Apple are going to use this to encourage buying new hardware for the iThing stuff, too.
So, at the end of the day, if the browser shows the "secure" icon we're still secure correct? Or in other words, if the user pays attention to the browser windows and never enters information if the site says "not secure", they are secure.
Why browsers still support password forms over insecure channels is beyond me.
Why pay the troll to use his/her bridge when you can just step over the creek?
Pffft. Cat 5 is so 2001. You can't even get it anymore. You can barely get Cat 5e which is gigabit. Many places will happily sell you Cat 6 though.
Well, there's spam egg sausage and spam, that's not got much spam in it.
I use 4g on my tablet and phone and use a VPN. Who needs wpa2 anymore? Also just use ethernet and pc when doing bank transactions
lol-k, when exactly do you think that Google turned into a charity?
For now, WRT the phone, turn off your WiFi, use data, and keep the "media" uproar to a minimum unless you have an unlimited data plan. That means no video, no music, no heavy pages, etc. unless you're willing to eat your data allowance pretty quick (that assumes you've been using wifi to keep from stuffing your phone provider's pockets.)
In any event, watch your data consumption. Overages are a cash cow. And you are the cow.
WRT your home system, use ethernet, and turn off wifi until / unless you know you've got the right level of patch / amelioration.
The problem is not the Internet. The problem is wifi. So get off wifi.
I've fallen off your lawn, and I can't get up.
Google is still providing support for Android 7, and 6, and 5, and 4. IIRC support for 4 ends next year. Carriers and/or handset manufacturers are the ones withholding updates.
That may be true, but it looks like a change to the WAP can prevent the attack too --- It would be good for someone like Apple to patch their router firmware as well as the clients. That way your macbook can be fairly safe regardless of where you connect it, and your unpatched IoT things strewn about the house can also be secure -- so long as they only connect to your patched router/WAP.
Ian Ameline
As an American I can tell you that this is the work of the CIA/NSA deep state crisis actors who want to try to make it seem like you need to patch your router to be more secure when they really want to make it LESS secure. So yes when you care about security DO NOT, I repeat, DO NOT, listen to this fake news about WPA2. Any patches you apply have been written by deep state crisis actors who want to use your personal information for their secret agenda.
This was my main disappointment with Android. I had hoped that it would be google, not the carrier or handset manufacturer providing updates. The manufacturer would provide drivers for the hardware, but Google would take care of the rest, similar to how MS rather than a PC manufacturer handles Windows updates. Instead it’s a fragmented mess.
A fix was just released for Linux (e.g. Ubuntu and derivatives).
The phones and tablets will be the hard part here.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
I just read that Microsoft has fixed the problem in the latest updates (October, 2017 ?) for all supported Windows versions. Apple has done nothing according to the latest report. Some Google phones will be updated in the November security update. Other Android phones will depend on carriers to do the job, which is not likely unless pushed by Google, or someone else, to do so.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
Joke's on them, I still use wep!
If a telco has installed a particular brand of Android on the phone, and pretty much all of them do this so they can bundle particular apps, then they have to release an updated version after Android itself updates. It gets worse if the device manufacturer (Samsung does this) has its own flavor, requiring the device manufacturer to update before the carrier does.
If Google releases an update, the only phones that get it immediately are those who aren't reliant on branded OS versions - i.e. the Pixel and Nexus. Some time later, current-gen phones will also get the update. Old-gen phones won't ever get the updates (unless they're Pixels) because no telco's going to make the effort to update an OS image for a device they're not currently selling.
This is where it goes wrong, android updates should be automatic for all phones that have android unless it's a driver issue, which this isn't.
I don't depend on ASRock or Intel to update my OS, Why should I depend on Samsung? Windows updates itself fine, as does Linux. But not Android, and it's clearly a system that doesn't work and will leave literally 100s of millions of devices open to being trojaned.
Things won't change until Mega-Corp A sues Mega-corp B or Little-Corp C for allowing their devices to be used to attack their networks. And get awarded large damages. With situations like this one, they can't say they weren't warned.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
Looks like an intentional decrypting "feature" was discovered by this Belgian researcher. How come only newer OS are affected? macOS Sierra, OS X 10.9.5 and almost all new Linux distro and BSD were affected/vulnerable while older OS like Win7, Vista, XP have correct implementation of WPA2 which doesn't re-transmit the message 3 on its 4-way handshake.
First IPv6, now WPA2! New implementations were intentionally designed as vulnerable just so you can be snooped by Big Brother.
I know anecdote isn't data, but I just had a samsung tablet updated to 7.1 last week.
It's not a Man in the Middle attack: it's a mitm surveillance. It lets you read (but not modify) some of the traffic going by.
"First they came for the slanderers and i said nothing."
The idea behind our attacks is rather trivial in hindsight, and can be summarized as follows. When a client joins a network, it executes the 4-way handshake to negotiate a fresh session key. It will install this key after receiving message 3 of the handshake. Once the key is installed, it will be used to encrypt normal data frames using a data-confidentiality protocol.
to the article summary:
The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network. That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream. In other words: hackers can eavesdrop on your network traffic. The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk. "If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website. News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned.
Notice in the summary it says absolutely NOTHING about "When a client joins a network, it executes the 4-way handshake to negotiate a fresh session key." Translation: you have to join a BAD NETWORK in order for this exploit to work. Don't join questionable WIFI networks or have your devices automatically join open networks and you won't have a single problem. This is not the scenario where the FBI Surveillance Van can snoop your WIFI connection by doing a drive by.
We'll make great pets
Google stops providing security updates for their devices 3 years after they are first available.
I know that my Nexus 5 phone will not get patched by them.
And hide out in the cellar.
By now the fighting will be close at hand.
There's a gun and ammunition
Just inside the door.
Use it in emergency.
Cat5 can do 1gbs, just not as far as cat6. Though last I looked into it cat6 was still an unofficial standard that guaranteed nothing.
How would you go about encrypting communication between a browser on your desktop, laptop, tablet, or smartphone, and a web-based management interface on your router, printer, or network attached storage (NAS) device? These servers tend to lack a fully qualified domain name (FQDN), making them ineligible for a certificate from a major certificate authority (CA).
tl;dr: There is no TLS CA for DNS-SD.
Bullshit. Almost every carrier-sold device has a locked bootloader, and some are even SIM-locked.
A locked bootloader prevents you from:
1) Rooting the device.
2) Installing Lineage|Cyanogen|Any-other-OS.
Whereas a non-carrier branded device can usually be unlocked and the OEM has infrastructure in place to enable it - see Xiaomi, Motorola (Lenovo), etc.
It's the fucking telcos who are withholding updates from the end users.
How is this true of Wi-Fi-only tablets or unlocked phones? For example, what power does Comcast have to withhold updates from my Wi-Fi-only Samsung Galaxy Tab A? That'd be like Comcast withholding updates from a Windows PC.
I had hoped that it would be google, not the carrier or handset manufacturer providing updates. The manufacturer would provide drivers for the hardware, but Google would take care of the rest, similar to how MS rather than a PC manufacturer handles Windows updates.
Android 8 "Oreo" introduces Treble, which begins to refactor Android toward what you expected: a stable driver ABI.
What, you are still using SMB1?
People are still buying new NES-clone consoles to enjoy SMB1.
Expecting updates on a mobile device made ten years ago? What the hell you smokin? Sure, nowadays that's not quite so unreasonable as the pace of hardware improvement slows, but I don't expect manufacturers to get in line any sooner than they're forced to. Hell, I'd even settle for allowing unlocking of EOL'd devices and pushing 'em to something like Lineage when available.
When you live in a sick society, just about everything you do is wrong.
So a flaw that affects every single Wifi network isn't newsworthy?
No, that wasn't the troll's direct point. The point was to work anti-frump and fscknews into a sentence for search engines to pick up. Note the use of the hashtag there - this is partisan fodder, not commentary on the current story.
Making an inflammatory comment is just bait to get people to respond to it so that the comment appears to have an air of legitimacy to a content-scanning bot.
This is not a WPA2 security flaw, it's a bug in a specific implementation. It's a Linux/Android flaw if anything, but maybe it's not popular to say it when Windows/IOS did something better than Linux/Android?
A customer service rep on TP-Link's chat support this morning was completely unaware of the problem. After checking with the engineers, they said they will be working on it. Hmmm, the vulnerability has been known for about six months, and is only now being reported on news sites after presumably waiting to give vendors time to develop fixes. And TP-Link has done, well, nothing? There's no word on the TP-Link.com website about the issue at all. The rep said that I would be contacted when the fix becomes available, but that is not a credible claim since the company has no information about customers. I'm disappointed, guys.
Great! Now to get manufacturers to provide, if not push, updates on those devices. Best of luck!
When you live in a sick society, just about everything you do is wrong.
I have one of the TimeWarner (now Spectrum) wifi modems. The thing will barely reach across my apartment, so I'm safe.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
Been hibernating a while? 6 and 6A have been ratified, 6e isn't a standard though.
When you live in a sick society, just about everything you do is wrong.
If the network is using TKIP there's a chance of content injection. AES-CCMP is safe from that, for now. More here.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
It's not like their flagships are any cheaper than Apple's, after all.
If the network is using TKIP there's a chance of content injection
No one does that.
"First they came for the slanderers and i said nothing."
Sadly, any strides made in wireless security to challenge the idea that wireless isn't secure have been undone with the publication of so many attack vectors
I'm actually a little surprised at how Google is handling all of this. There's no way in hell they didn't get advance notice. Most of the vendors either had patches ready to go today or snuck them into updates over the past couple of weeks.
And yet Google say Nov. 6? They're acting like they just found out about this today like most folks. That, or their code is so bad, it's that hard to fix
While the attack would result in decrypting any clear text being sent over wifi, the saving grace is that an increasing amount of traffic is sent via HTTPS or SSL, which would provide an additional barrier to an attacker seeing login credentials for remote websites, etc.
If you watch the video posted by Mathy Vanhoef, you'll see at 1:16 he's also using sslstrip.
FWIW, my device was first released in late 2011. It's the only one I've ever owned and likely ever will. It originally came with Android 2.x. Over the years I have upgraded to 4.x, 5.x, 6.x, and as of today 7.2.1. It actually runs faster now and I fully plan on upgrading to 8.x soon.
I also specifically bought this device because it was manufactured for sale outside of the US, so it is not carrier-locked.
Additionally, I give myself the ability (through various means over the years - it has become easier) to fully control permissions, which allows the situation to be acceptable for me. I wouldn't settle for anything less and I'll never understand why other technically-inclined people do.
Every single public hotspot, coffee shop, hotel, whatever, have always been affected by the same issue, even if they're encrypted (if using a shared/known key/password).
I predict that millions are now turning off their WiFi on their mobile devices and may keep it off for some time. Mobile data usage will surge over the next few weeks. The providers couldn't have asked for a better Christmas present.
I'm really fucking concerned about how Google will fix this for Android, the most popular OS in the world.
Recent stats are showing that only 0.2% of users are using Android 8.0, the latest version. Only about 18% are using Android 7.x releases. A whopping 32% are using Android 6.x! About 28% are using Android 5.x! About 21% are using Android 4.x!
And? What's your point? I got an OTA security update for a 5 year old Android 4.4 device in February this year, one which I voluntarily chose not to upgrade to 5 (though that also got a security update at the same time). Just because it isn't the latest OS version doesn't mean that it isn't getting security updates.
And likewise just because it's a security issue doesn't mean that the fix requires an OTA update. A great many are done by patching up drivers and core components through the Play Store.
Read up on how security in Android is handled before you get too concerned. Stress is not healthy.
but Android devices aren't something telcos have control over.
I take it you're not American? Yeah in most of the world the telcos in general don't get in the way much. However in America, the latest and greatest Android phones are telco specials, telco controlled, with telco specific firmware.
For example if you're the owner of a Galaxy S7 in the USA you will have one of these models depending who you buy it from:
SM-G930U
SM-G930V
SM-G930VL
SM-G930AZ
SM-G930A
SM-G930T1
SM-G930R6
SM-G930R7
SM-G930P
SM-G930T
SM-G930R4
If you're in Europe / The rest of the world with the exception of South Korea you will have:
SM-G930F
Or the dual sim model: SM-G930FD
Each of these have custom firmwares, and the US carriers are notoriously bad at providing firmware updates.
Mind you all of this is irrelevant since the OP was quoting Android core OS versions and not security updates. Even KitKat phones still receive security updates through some vendors, and yes even American Telcos will sometimes roll these out to customers, albeit a bit later than the international firmware.
Apple have already fixed the problems in the latest betas.
Maybe in the USA, but in most of the world we regularly still receive updates to older phones.
My Galaxy Tab 3 got an update earlier this year for Kitkat even though I voluntarily haven't installed Lollipop. My over 3 year old phone now 3 Android versions behind received its latest security update 3 weeks ago.
Kitkat introduced a security patching framework independent of the core OS. Since then, people quoting Android version install base when discussing security has been completely irrelevant.
WPA Privacy Attack!
Wi-Fi Protected Access
Wasn't Programmed Appropriately
Wads of Potential Attacks
Wireless Public Access
Without Prior Allowance
Well, Pretty Apocalyptic
WoPA!
When Patches Arriving?
Wardrivers, Present Arms!
Weaponized Privacy Assault
Wardriving's Productive Again
Wide-open Point of Access
Wrecks Privacy Automatically
Welcome, Protocol Attackers
Where Patches, Admin?
Worthless Privacy Attempt
Wrong Protocol, Admin
Won't Protect Anything
Weak Privacy Attempt
Waste of Precious Attention
Wins Prying Award
Wired Past, Again
by Cyphase ( 907627 )
Bullshit, or you would have said what device. The phone is likely 512MB ram, 1GB max. That shit was obsolete years ago.
Has anyone automated this for vulnerability testing with Kali yet?
Android is by far not the most popular OS in the world. I believe that's taken by Windows. Unless you want to limit the "Most popular OS" to just phones, in which case, it should be called "The most popular mobile OS in the world"
I was stung by this earlier. My Android went from 6 to 7 without me even wanting it, and t-mobile couldn't revert, saying it was coming from samsung and not them. Called Samsung, they said it was coming from Google and not them. Called Google, they said tough shit, your phone is upgraded and there is nothing I can do about it.
I hate android 7. It's such a shitty OS. 6 was perfect!
The Nexus 10 is from 2013.
You're a fucking liar.
What fucking rock have you been living under?
Verizon locks the bootloaders on all their smartphones. Google releases a patch, 90 days later HTC releases an update that incorporates that patch, and then it is up to Verizon to decide whether or not to roll it out or not.
Verizon often refuses to do so because it might mess with their ability to push bloatware (VZ Navigator, VZ Messages, VZ Cloud, etc).
This is a snag for many operating systems. Their "support" model is to always get the latest version, even if it's not the version you like. Ie, would Microsoft backport a fix to Windows 7 when they prefer to force people to upgrade to Ugly Edition? Will Android or phone makers backport to older models that the user wants to keep or force them to get the latest $800 phone if they want the fix? I can seriously see some companies thinking about this as a profit opportunity rather than priority bug.
Remember, WPA came about as an interim solution because the wifi makers wanted to get the products out and for sale quickly rather than wait for WPA2 or 802.11i, and yet it's still in wide use today as an option even in some new products.
Entirely incorrect! A patched AP does not prevent an unpatched client from being exploited. The attack is entirely against the client!
Ugh. Idiot moderators modding up because it "sounds" informative, without knowing themselves. This site sucks.
The situation is bad, but not as bad as you make out. It's really not important at all what version of Android you are running as long as the vendor issues security patches. Historically many vendors have released security updates for even old unsupported devices when an issue potentially this destructive arises.
What I get for skimming through too quickly. Oops. Still, ~4 yrs is longer than most manufacturers support anything lately. Which sucks, is sad, condolences, etc.
When you live in a sick society, just about everything you do is wrong.
It's not like Android users have a choice. I'd love to have a current version on my Nexus 5, but Google basically abandoned us at a truck stop a couple of versions back for no good reason. Same goes with the manufacturers of my tablet and the couple of TV boxes I've bought over the years.
Not that Apple is a lot better in their own way: you basically get updates forced on you for a few years, gradually bogging your device down because the newer versions expect the latest hardware, then suddenly *pop*, tough luck, Chuck, no more updates.
If I remember correctly from my reading earlier today, the component causing the extreme version of the vulnerability was only introduced in Android 6.0, so earlier versions are actually safer than later ones, since Google couldn't be arsed creating a patch in the months they've had since being alerted.
Been hibernating a while? 6 and 6A have been ratified, 6e isn't a standard though.
Well, last I looked into it was 10 years ago when I bought a lot of cat6 cables, but had to use reviews as it didn't mean much at the time. Either that or I confused it with 6e ;)
My personal experience with updating Android versions in older phones is that they get better and faster. Surprisingly so, I may add. Major updates include VM optimizations that make apps run more efficiently.
Your post does nothing, it's not funny, it's not informative. Try to imagine you're reading your posts and how you might feel about it as the reader.
At least it's not gross, offensive, repetitive, monetized, or off topic so you're making ok progress chris.
That must have been a long time ago:
"The standard for Category 6A is ANSI/TIA-568-C.1, defined by the TIA for enhanced performance standards for twisted pair cable systems. It was defined in 2009.[citation needed] Category 6A is defined at frequencies up to 500 MHz—twice that of Cat 6."
Yeah, but that's the problem. Google pushed out Android "oooh, do what you want with it, customize, free!". But when security issues arise, it's all "Ooops, not our fault, talk to the manufacturer". They share some of the blame.
I may not like Apple, but at least they're consistent in updating, fairly long in fact.