Samsung Phones Are Spontaneously Texting Users' Photos To Random Contacts Without Their Permission (theverge.com)
Some Samsung smartphones are randomly sending pictures from the device to a user's contacts without explicit permission, according to users and media outlets. From a report: Users are complaining about the issue on Reddit and the company's official forums. One user says his phone sent all his photos to his girlfriend. The messages are being sent through Samsung's default texting app Samsung Messages, and the photos are being sent as SMS messages. According to reports, the Messages app does not even show users that files have been sent; many just find out after they get a response from the recipient of the random photos sent to them. Samsung told the news outlet it was aware of the issue and was looking into it.
*Looks down at LG V30* "Good boy"
How's that agile development coming along?
The Samsung phones remain the most explosive devices in the market. Not surprisingly so, coming as they are from Samsung, a company on fire, if there has ever been one.
A followup question is: How many wang pics were sent out because of this?
> How's that agile development coming along?
I assume from this comment you've never gotten an OTA update from your carrier for a Samsung or any other brand. They're months and months between; hardly agile.
I tried taking a photo from a highrise looking out - my iPhone went into burst mode for no good reason, taking 100 or so low resolution photos within a few seconds - I cleaned the glass and rebooted the phone but it still did the same thing at that location -- an hour later at home, the photo app worked normally - I'm wondering if someone at that hotel was able to hack into my phone via Bluetooth?
Some years ago, a co-worker of mine showed me his Samsung phone. It was a beauty, and he let me play with it for a bit. The hardware was wonderful. The proprietary Samsung crap-ware that was on it was what made me decide that I would never get a Samsung phone. It's just like the branded crap-ware on Windows machines. I have a Nexus 6P and I think it's wonderful. It's Android the way it was intended. Yes, I know Google spies on me.
An SMS message can carry at most 140 bytes. You don't have pictures worth worrying about which are that small.
Correct me if I'm wrong, but I assume this software is written in Java, like many Android apps are. Would using a modern programming language like Rust instead of an older language like Java have prevented a bug like this from happening (assuming it actually is a bug that is being reported by these users) in the first place?
It's not the release schedule that's Agile, it's the development process...
deleting the extra space after periods so i can stay relevant, yeah.
First, it's clearly not an SMS message. However, I'm trying to think through what mechanism could spontaneously pick a target and send these, and the simplest explanation is malicious code. It's probably a disgruntled employee, but I wouldn't rule out competitors. There's a lot of money behind winning market share in the smartphone world.
Seriously, it's not a bug, it's a feature to let users who are socially awkward get a funny story with people they don't talk to much.
And if it sends a naked picture of you, well you should've deleted it or never taken it in the first place, you reap what you sow. And by that I mean this is what you get for buying a Samsung phone.
Samsung is just trying to show that it cares by connecting you with your friends.
Agile, so Agile, 2 week sprints 14 days of 12 hours work, that brings out the greatest most stable programs. That Scrum guy better run!
Life is in a state of dynamic equilibrium, it both blows and sucks
I blame Bixby, about the worst digital "assistant" I've ever seen. I bet that Bixby is "interpreting" actions or words to do something stupid...
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
Don't take pictures of your cock and you won't have to worry about them being sent to your mom.
Problem solved.
I imagine this is probably a troll, but just in case:
The language chosen would have very, very little effect on this. This is a problem with the overall design of the app.
Rust, like Python, Java, Perl, PHP, VBScript, JavaScript, and most other languages, doesn't lend itself to one very specific type of bug called a buffer overflow. That specific issue is mostly just seen in C. Rust is like most languages in that buffer overflow isn't the bug you have to worry about in Rust (or in Perl, PHP, Python, Java, etc.)
What's different about Rust is a very clever marketing thing they did. They took the fact that most languages, including Rust, don't have buffer overflows and hyped it to Trumpian proportions. In marketing material that would make PT Barnum blush, they exclaimed "Rust is secure because it doesn't have buffer overflows! Write all your software in Rust and you'll never have another bug!" Understand this is analogous to saying "spiders are venomous, don't use spiders. Tigers have no venom! If you use tigers, you never have to worry about venom at all. Buy some tigers from us today so you can be safe!"
The problem then is that newbies who don't understand much about programming *think* they're safe because they're using tigers. No need to be careful with tigers because they aren't venomous. Er, I mean no need to be careful when you're using Rust because it doesn't have buffer overflows. That makes it slightly more dangerous, since a lot of people aren't being as careful as they should, thinking Rust is somehow magic.
I maintain a database of every CVE (security bug) ever reported. Well under 1% of them are buffer overflows, so it's a tiny percentage of problems that Rust protects against.
Who gets arrested when it sends out nude selfies from someone under 18? The coders? The CEO of Samsung?
Lawyers love this kind of stuff, lol
So many incredibly dumb things being said in that reddit post (which is what should have been linked, but the fucking verge article):
https://www.reddit.com/r/GalaxyS9/comments/8u36jz/my_s9_sent_my_entire_photo_gallery_to_my/
I'm actually amazed at the number of people that have no fucking idea how anything works.
Last summer, I went home to England for a visit with a brand new Google Pixel. Great handset, but the software was just dodgy. The only redeeming feature of the phone was the camera, which took some stunning photos, especially at Stonehenge, and at home around the Hampshire coast. I returned to America and the dodgy software kept acting odd, even after a full reset. I traded it in for an iPhone 8 and have been happy since. I did notice that quite a few Britons are now moving to the iPhone in lieu of Android, which still has a worldwide share of something like 80-85%. In China, the iPhone is considered less than top-of-the-line Xiaomi handsets. The problem with Android is that unless you buy a Pixel, you're getting a balkanised device that may or may not see updates. I'm not one to root my devices, so I use stock ROMs. Methinks I will be staying with the iPhone unless and until Google make a truly compelling device. The iPhone 8 just works. It's predictable, gets updates for years on end, and is generally far more reliable. YMMV.
Samsung = android = bloatware
nothing to see here - move along
A few days ago, I received a blackmail threat from some guy in Estonia threatening to distribute pictures from my smartphone unless around $470 was sent to a Bitcoin address.
iket Dtils: JWF-837-46497
Email: XXXXXXXX
Camera ready,Notification: 27/06/2018 02:57:49
Status: Waiting for Reply 98xuCaPy9A5f04wEnImPkL3WrF6By69Hu5_Priority: Normal
Good day,
If u were more scrutiny while playing with yourself, I wouldn't worry you. I don't think that playing with yourself is extremely awful, but when all colleagues, relatives and friends get video of it- it is certainly for you.
I placed malisious soft on a porn web-site which was visited by you. When the victim tap on a play button, device begins recording the screen and all cameras on ur device starts working.
Moreover, my program makes a remote desktop supplied with key logger function from ur system , so I could get all contacts from your e-mail, messengers and other social networks. I'm writing on this e-mail because It's your working address, so u must check it.
I suppose that 470 usd is pretty enough for this little misstep. I made a split screen video(records from screen (interesting category ) and camera ooooooh... its funny AF)
So its your choice, if u want me to delete ur disgrace use my bitcoin wallt ddress: 1PWpbtT6aaUKCNAVC8z6vJhWaFrJhcMXto
You have one day after opening my message, I put the special tracking pixel in it, so when you will open it I will know.If ya want me to share proofs with ya, reply on this message and I will send my creation to five contacts that I've got from ur contacts.
P.S. U can try to complain to cops, but I don't think that they can help, the inquisition will last for one year- I'm from Estonia - so I dgf LOL
It's not a flaw...it's a feature!
A few guesses as to who is really benefiting from this "bug."
... isn't this how Android is SUPPOSED to work? LOL
Obvious shill is astroturfing
Probably just a regex error: When searching for a particular contact to send information to, the backdoor app is matching other contacts:
Alfonsa
lorennsa
gonnsalo
consandra
lynnsay
linsay
I've been a long time Android user (I just don't care for iOS). My Moto G4 recently crapped out on me and I bought a Samsung phone. I've never been unhappier with an Android phone. Probably because it's barely Android. Samsung changed all sorts of things. Even with Nova launcher I was only able to turn off so many Samsung apps and replace them. Some built-in Samsung apps couldn't even be disabled. Either way they waste space, work differently than my other Android phones, and seem to be less intuitive.
I also think all the TouchJizz customizations is why Samsung is always lagging behind on Android updates.
Ironically the best smartphone experience I had was Windows Phone (and I'm no lover of Microsoft Windows on the desktop). I'd be happy if they would bring Windows Phone back -- it was spiffy and had a nice UI (and give me Gapps on the damn thing!)
Samsung doesn't seem to impress me on the software front (the HW seems ok).
Considering Samsung's ongoing anti-Apple marketing campaign, this just made me laugh.
Just another day in Paradise
Siegfried & Roy might have thought that, until 2003.
Just wonder how much money the cost can add up to
just another hate-the-biggest-manufacturer post. You'll find the same complaints if you dig around the forums of other manufacturers of Android sets.
The app is designed to send messages, to contacts, with pictures attached. Obviously that code didn't appear by accident, it was included because that's the purpose of the app. The question is "why is the app doing its thing without being told by the user?" It's as if it's especially prone to "pocket dialing" (or accidental voice dialing?) for some reason.
> This smells like some debugging function left in accidentally
Specifically, a test script. Unit testing could easily have behavior similar to what was described.
> What API would exist that hides SMS messages
The problem is in the messaging app. Where do you see your text messages other than in your messaging app? There is no hiding happening (no active hiding), rather the "display sent message" function is not being run. Normally the messaging app would do two things - display the message the user types and send the message. The app is not displaying messages that the user isn't typing, so that's normal behavior.
Programmers would write separate unit tests to test those two different parts of the program - the local UI would have tests, and sending messages over the network would have separate unit tests. Running the unit test for the internal process for sending an attachment would be expected to have this behavior - and would not be expected to run anything in the UI. So it would send messages, not display them.
It's ALSO possible that this is nefarious code. That's possible. Pocket dialing while the screen is supposed to be locked is also possible.
But other than that, it works extremely well!
Now I have an excuse for sending that pic to the hot chick in accounting. 'twasn't me, it was the phone! Drop that harassment suit already, dammit!
Besides, that's not a bathing suit. It's a tan line.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
She has already seen it. Not only that, it was inside her! Even Trump's cock was inside his mom. I know this is shocking news.
It's amazed me that it's called "Agile" when it's the MOST rigid and inflexible process from the developer point of view. The schedule is not allowed to slip by even a single day, ever.
Imagine getting your hair cut. Everything is going well, great haircut, then at the last minute, when she's doing the edges and finishing touches free hand with those electric clippers, you yell "QUICK!!! HURRY UP!!!!1!!!!"
That's like the last day of a sprint. Rush through those last critical details so you can make the sprint demo. Because if you don't, you might as well have not come to work for the last two weeks.
The sprint is supposed to let shit slide to the next sprint. That's the whole point of regular mini-releases.
That doesn't help with hard endpoint feature demands by customers, but that's longer-term whole project planning.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
The only Agile features used in most Agile projects are two week deliverables and a status meeting every morning.
at the dawn of the consumer digital age: a world which combines unprecedented convenience with unprecedented complexity and unpredictability.
For every prior generation, convenience, simplicity and predictability were effectively synonymous.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
> It's not the release schedule that's Agile, it's the development process...
Deployment to production is the last step of an Agile sprint. Otherwise you're doing Agile halfassed.
> Right so we should neuter everything we use to build the major bits of infrastructure in the world because newbies?
What we should do is not pretend it's any safer than Python, JavaScript, Perl, etc. Most languages don't have the problems that Rust fanbois gloat about. As I said, 99% of all security issues are unrelated to anything Rust does any better, so to pretend that Rust will solve your security problems, or even a significant percentage of security problems, is dishonest.
is this ascii art or something? how do you text a photo?
As a Samsung owner I am super excited about this feature. This will save me the time and money required to get blackout drunk and do this myself.
Samsung has become a toxic cesspool in the technical division - Korean counterparts try to steal good projects from engineers abroad and try to sell them as their own. They track with a hawk's eye who is doing what. As soon as they see there's anything special going on, they swoop in and try to snatch it.
Another set of issues is dominance - the Learning department and the security department dominate over engineers. Engineers' belongings are checked when they are leaving, and not when they enter the building. If anything is found, engineers are humiliated and blamed as if they were "stealing" something. The Learning department imposes yearly coding tests, and people are given dedicated time for weeks to compete through that.
All these issues together drove away the cream of the engineers, resulting in the politicking ones staying in, and the quality of software going downhill.
Of course, slipping to another sprint is actually not deploying, so the last step is sometimes just a sprint away...
Though around here we see sprints complete, release to production, but of course the 'release' is actually part of the intended release. Parsing the meaning of 'release' is a sport on my team. I'm too optimistic, and usually lose the bet.
deleting the extra space after periods so i can stay relevant, yeah.
You're arguing three silly points. The first is more or less "someone on a forum said something I don't like therefore Rust is crap". Secondly, you're ignoring that the main aim of Rust is the same space as C and C++. And thirdly, you're arguing that all CVEs are equal.
The thing is, most infrastructure is built in C and C++. If there's a CVE in Chrome, it affects 58% of internet users. If there's a CVE in OpenSSL, it affects an *awful* lot of services. Remember heartbleed?
> What we should do is not pretend it's any safer than Python, JavaScript, Perl, etc.
Firstly it's irrelevant because no one would write a major web browser in any of those. Remember what Rust is for, and remember how many people a CVE in a web browser affects?
> As I said, 99% of all security issues are unrelated to anything Rust does any better
Yes you keep saying it but it doesn't make your point any more accurate. None of those supposed other languages you keep harping on about compete with C++. It doesn't matter how safe a Haskell based browser would be if it takes 10 minutes to render a web page.
> so to pretend that Rust will solve your security problems
Stop denying that a lot of infrastructure is in C and C++ and that those languages are not safe.
> or even a significant percentage of security problems, is dishonest.
Eh I mean how important was heartbleed anyway? I mean that hardly affected anyone, unlike that CVE against that obscure wordpress plugin that affected positively 10s of sites...
SJW n. One who posts facts.
You keep talking about web browsers, pointing out that most of them have some C++ code. Is the point you're trying to make "if you're writing a new web browser, consider Rust for the C-ish parts?"
If that's what you're saying, fine, I won't disagree with that.
If someone is building a new web browser, of course they'll use XUL or similar where appropriate, and it makes sense to consider Rust for other parts. (I didn't say use Rust, but considering it as one option is fine.)
> The first is more or less "someone on a forum said something I don't like therefore Rust is crap".
Not quite. Most of the comments and questions about Rust, here on Slashdot and many other places, either state or assume that using Rust will magically make your software much safer than other languages. That's false. To tell people they are safe (and therefore need not be very careful) when they aren't is not only a lie, it is intentionally putting people in danger.
You mentioned Heartbleed. Heartbleed was an input validation error - as in the input wasn't validated at all. If you use unvalidated network input for cryptography you have a major bug. That's in no way language specific. Heartbleed written in Rust is still Heartbleed.
In Rust the function would be called std::ptr::copy_nonoverlapping instead of memcpy - it does the same thing, dump random memory back to the attacker. (Slice clone was not available at the time).
> And thirdly, you're arguing that all CVEs are equal.
I didn't say that. I said I study vulnerabilities for a living, full time, and for the last several darn few of them have anything to do with anything Rust would help with. Have a look at the OWASP Top 10 - the most significant types of vulnerabilities that happen nowadays. See how many of the ten are addressed by Rust. Spoiler alert - the number is zero. Rust helps with none of the classes of vulnerabilities that cause the most problems.
Had Rust come out, with a stable, fully usable version, in 1985 it might have been useful in the age of buffer overflows. As it is, Rust promises that in 2020 it will solve a few of the things that were a problem in 1990.
> Is the point you're trying to make "if you're writing a new web browser, consider Rust for the C-ish parts?"
That's literally what Rust was created for.
> If someone is building a new web browser, of course they'll use XUL
You what? Firefox abandoned XUL.
> and it makes sense to consider Rust for other parts.
That is precisely what Mozilla is doing right now. They're slowly replacing C++ bits with Rust bits.
> Not quite. Most of the comments and questions about Rust, here on Slashdot and many other places, either state or assume that using Rust will magically make your software much safer than other languages.
I think you're wildly exaggerating there.
> You mentioned Heartbleed. Heartbleed was an input validation error - as in the input wasn't validated at all.
It was a buffer overflow error triggered by lack of input validation. But if it had been in a memory safe language it would have been a simple DoS attack, not the single biggest security issue of the year.
> That's in no way language specific.
Yes it is. How the fuck would heartbleed have allowed you to extract someone else's keys in Python, Java, Haskell, Rust..., well anything other than C or C++? It says here in the CVE that it's a buffer over-read (TIL there was a different term for read vs write in this context):
https://cve.mitre.org/cgi-bin/...
That would not happen in anything that's not C or C++, because other languages, you know, check bounds and do other things.
Which brings us on to the other topic. Why do people write major bits of infrastructure like SSL libraries and web browsers in unsafe languages like C and C++?
> In Rust the function would be called std::ptr::copy_nonoverlapping instead of memcpy - it does the same thing, dump random memory back to the attacker.
Well done! You picked an unsafe function. You can get the same effect in, say, Python or Java by using a C module and scribbling all over memory too. Kind of the point is to stick to safe code. And it's auditable.
The fact you can manage unsafe things in just about any language no matter how hard you try does not mean that C is very unsafe by default and that C++ has quite a number of cases where it's easy to foul up. It's much harder.
Make no mistake: if you manage to do something memory unsafe in Rust you have either subverted it (by explicitly doing unsafe things) or have found a genuine bug.
> I didn't say that.
I didn't say you said that, I said you are arguing that. And you are because you kept repeating the point about the number of CVEs only while not taking into account their performance.
> I said I study vulnerabilities for a living, full time, and for the last several darn few of them have anything to do with anything Rust would help with.
You seem to think that anything other than C or C++ would not have prevented heartbleed either. I don't know how you can study these things full time and not know that. Other languages crash or throw exceptions when overstepping the end of an array. C and C++ don't.
> Have a look at the OWASP Top 10 - the most significant types of vulnerabilities that happen nowadays.
That's great and still doesn't invalidate anything I said. Sure you're more likely to make your web application insecure with an injection bug. But if you get a CVE in Chrome, half of everyone on the entire internet is vulnerable in one go.
You seem to be intentionally ignoring the distinction between infrastructure and applications. Rust is and always has been aimed at the same space as C++ (and C[*]). The claim that Rust magically makes your code safe against things unrelated to C++ specifically seems to have been invented by you.
It's possibly you've simply misunderstood people: when people talk about rust being "safe" it's almost always in the context of memory safety and in c
SJW n. One who posts facts.
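An added example, written for this thread and not taken from any poster, of the Heartbleed point argued above: a heartbeat handler shaped like the RFC 6520 message (1-byte type, 2-byte big-endian payload length, payload), in Rust, once with the length check and once without it. The function names and the constructed requests are mine; the 16 bytes of padding RFC 6520 also requires are left out.

```rust
// A TLS heartbeat request: type (1 = request), u16 claimed payload
// length, then the payload; the peer echoes the payload back.
// Heartbleed was the C server trusting the claimed length and
// memcpy-ing that many bytes out of a buffer that held fewer, so the
// reply carried whatever sat next to the request in memory.

/// Validated handler: refuses a request whose claimed length exceeds
/// the bytes actually present. Returns the echoed message, or None.
pub fn heartbeat_response(req: &[u8]) -> Option<Vec<u8>> {
    if req.len() < 3 || req[0] != 1 {
        return None; // too short, or not a heartbeat_request
    }
    let claimed = u16::from_be_bytes([req[1], req[2]]) as usize;
    let payload = &req[3..];
    if claimed > payload.len() {
        return None; // the check the vulnerable OpenSSL code lacked
    }
    let mut resp = Vec::with_capacity(3 + claimed);
    resp.push(2); // heartbeat_response
    resp.extend_from_slice(&(claimed as u16).to_be_bytes());
    resp.extend_from_slice(&payload[..claimed]);
    Some(resp)
}

/// Unvalidated handler, the thread's "Heartbleed written in Rust".
/// Slicing with a length the buffer does not cover panics instead of
/// reading past the end, so the caller gets an Err (a crash, i.e. DoS)
/// rather than a reply full of someone else's memory.
pub fn heartbeat_response_unchecked(req: &[u8]) -> Result<Vec<u8>, String> {
    std::panic::catch_unwind(|| {
        let claimed = u16::from_be_bytes([req[1], req[2]]) as usize;
        let mut resp = vec![2u8];
        resp.extend_from_slice(&(claimed as u16).to_be_bytes());
        resp.extend_from_slice(&req[3..3 + claimed]); // bounds-checked by Rust
        resp
    })
    .map_err(|_| "panic: claimed length exceeds payload".to_string())
}

fn main() {
    // Constructed requests: a well-formed one, and one claiming 0xFFFF
    // bytes while carrying only four (the Heartbleed request shape).
    let ok = [1u8, 0, 4, b'p', b'i', b'n', b'g'];
    let bad = [1u8, 0xFF, 0xFF, b'p', b'i', b'n', b'g'];
    println!("validated, ok:  {:?}", heartbeat_response(&ok));
    println!("validated, bad: {:?}", heartbeat_response(&bad));
    println!("unchecked, bad: {:?}", heartbeat_response_unchecked(&bad));
}
```

The unchecked version still writes a panic message to stderr; the point is that the process aborts the request instead of answering it with out-of-bounds bytes.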