Even if it's fully open, with 0 binary blobs. How many qualified specialists, with serious math background, do you think are out there looking through complex encryption functions checking through flaws in math? Ever heard of Obfuscated C Code Contests? Openness of the code does not guarantee absence of backdoors even if the code does get a lot of eyeballs looking at it.
Firstly; if the Obfuscated C Code scares you then I guess you should look up the underhanded C contest. Notice especially the bits where malware is disguised as small programming bugs. When you say "Openness of the code does not guarantee.." you are 100% right. However, don't forget, "the perfect is the enemy of the good". We don't always need a guarantee; sometimes improvement is enough:
1) Given that there have been plenty of discoveries of problems (e.g. just today a flaw in Android's RNG was reported) there must be quite a few people who are checking.
2) All it takes is one person. You don't need to do anything to benefit if I check it for you.
3) There is a vast increase in the risk for the attacker if it's open source;
   - their change is likely visible in the version control and can be traced back to them
   - it's easy for someone to change their backdoor into a trap
   - if they do use the attack to break in it's much easier to track it back to the original programming mistake
4) Security problems tend to happen in generally insecure code. If code is open source you can avoid this:
   - by looking to see how the code is written and choosing the software using the best techniques and languages
   - by choosing code written by people you feel you can trust and avoiding others
Several of the things I mentioned are things that most people won't do most of the time. Having them as options means that they will be available when you actually really need them.
It's harder to hide a backdoor when the code of the OS is open source and the apps are in html5.
This helps a bit, but not as much as you would think. When they say "unlocked" what they mean is that this phone comes unlocked for use on multiple operators but probably (unless this changes close to market time) not unlocked for using your own OS. That makes the whole phone OS close to a binary blob that you can't replace and which they will be able to change without you having true control. If you use CyanogenMod you might argue that the reduced number of binary blobs would allow some kind of auditing. However without true openness like Replicant it's almost impossible to be sure.
Maybe worth calling up our ZTE friends and persuading them to provide an easy way to unlock the bootloader on the EBay phones.
You can go further and (as some phones do) prompt the user with "wifi base stations available; do you want to try to connect" when you see unknown APs. This can still be implemented without sending out any signal.
how would the phone differentiate from the "dlink" AP at the owner's regular coffee shop and the eavesdropping "dlink" AP?
The AP broadcasts its MAC as the BSSID. You could ask before signalling to an AP which has an unknown BSSID. Also, since the phones know where they are, you could ask whenever you see the same name in a different location.
No protocols have to be changed, and none of your posts are informative (at least not on this article). It's so simple and obvious that you don't have to broadcast to listen.
I think you are talking at cross purposes. You are asking for a protocol which allows you to connect automatically to open wifi and stay anonymous. As you say, that's impossible with a fixed MAC address. The posters you are discussing with want to have their phones connect automatically to chosen WiFi access points without giving away the MAC address but to otherwise require manual intervention. What they ask for is possible simply through listening, though only as long as you never connect to a hidden access point.
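The listen-only policy discussed in the comments above, as an added example that is not part of the original thread: a decision function that looks only at received beacons (no probe requests are sent) and returns whether to connect, ask the user, or ignore. The `Beacon` and `KnownAP` types, the 200 m threshold and every address and coordinate are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

# Constructed threshold (an assumption): how far the phone may be from the place
# where a known AP was approved before the sighting counts as "a different location".
MAX_DRIFT_M = 200.0


@dataclass(frozen=True)
class Beacon:
    """One passively received beacon frame plus the phone's own position."""
    ssid: str    # "" means the AP does not broadcast its SSID (hidden network)
    bssid: str   # AP MAC address as broadcast in the beacon
    lat: float
    lon: float


@dataclass(frozen=True)
class KnownAP:
    """An access point the user has explicitly approved before."""
    ssid: str
    bssid: str
    lat: float
    lon: float


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (haversine formula)."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def decide(beacon, known_aps):
    """Return 'connect', 'ask' or 'ignore' without transmitting anything."""
    # Hidden networks can only be found by sending probe requests, which
    # reveals the phone's MAC address, so a listen-only client skips them.
    if not beacon.ssid:
        return "ignore"

    same_name = [ap for ap in known_aps if ap.ssid == beacon.ssid]
    if not same_name:
        return "ask"  # unknown network: prompt the user, send nothing

    for ap in same_name:
        if ap.bssid.lower() != beacon.bssid.lower():
            continue
        # A BSSID is not authenticated, so the location check is applied
        # even when the BSSID matches a stored entry.
        if distance_m(ap.lat, ap.lon, beacon.lat, beacon.lon) <= MAX_DRIFT_M:
            return "connect"

    # Known name, but an unknown BSSID or an unexpected location.
    return "ask"


def classify(beacons, known_aps):
    """Apply decide() to a list of beacons."""
    return [decide(b, known_aps) for b in beacons]


# Constructed sample data: one approved AP and five overheard beacons.
KNOWN = [KnownAP("dlink", "02:00:00:00:00:01", 52.0000, 4.0000)]
SAMPLE_BEACONS = [
    Beacon("dlink", "02:00:00:00:00:01", 52.0001, 4.0001),   # usual AP, usual place
    Beacon("dlink", "02:00:00:00:00:99", 52.0001, 4.0001),   # same name, new BSSID
    Beacon("dlink", "02:00:00:00:00:01", 52.0500, 4.0000),   # same BSSID, about 5.5 km away
    Beacon("", "02:00:00:00:00:42", 52.0001, 4.0001),        # hidden SSID
    Beacon("hotel-guest", "02:00:00:00:00:07", 52.0001, 4.0001),  # never seen before
]

if __name__ == "__main__":
    for beacon, verdict in zip(SAMPLE_BEACONS, classify(SAMPLE_BEACONS, KNOWN)):
        print(f"{beacon.ssid or '<hidden>':12} {beacon.bssid}  ->  {verdict}")
```
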
Amazingly though, in order to find out if the network can actually route to the internet, which is what the station is trying to find out... you have to associate to the AP. As well, many people disable SSID broadcasting, necessitating probes to determine if that network is actually present.
It's so simple and obvious!
The interesting thing here is that cellphone networks have a bunch of interesting work done on the privacy here. They use random temporary identities and tunnelling of data back to the home network which should allow hiding of your identity from local passive attackers. The implementations are not perfect (an active attacker can use flaws in the GSM protocol for man in the middle attacks; the crypto is/was a bit poor; 3G phones are subject to fall back attacks etc.) but someone who is just listening to a GSM/3GPP phone should not see enough information to do tracking and someone who forces out enough information to do tracking should be clearly breaking the law (both computer hacking and radio frequency laws).
If the MAC address was a large random number which changed regularly and the standard was to start a VPN tunnel (back to the TOR network?) then untrackable connectivity would be possible. Of course it's not an accident that this is not the way things work.
There are many ways to set price. There's a range between cost (nobody will build it for less) and the maximum value someone can get out of it (no point in buying something for more). You don't show in any way it's outside this. The real question is the value that you can get out of it. That's what should decide how much you can pay for it. You need to compare it with other similar devices, not a bunch of non wireless enabled development boards.
In my view the device is new, but the fundamentals of the value are something we have seen before. I guess there are three devices to look at; OpenMoko, the Nokia N900 and the Nokia N9. There are a bunch of things which would work on those devices which are impractical on other devices. Here are some ideas off the top of my head; maybe other people can add theirs:
Normally your WiFi and other power consuming parts are off; when the phone detects that it arrives in the base station near your home (requires low level device modem access; was implemented on N900) then it turns on the WiFi, forwards your mobile calls to your VOIP account and turns off the mobile network.
You can trigger shell scripts when you enter locations - backup and copy media at home;
All your security audit tools - nmap / nessus / etc. can be installed
Compare these ideas with the closed competition. Windows phones, where you can't even really jail-break, are the worst it is true. iOS phones are also pretty limited (software from the app store only unless you get a developer key) but even Android phones which are supposed to be "open" end up as garbage here. Instead of having the full GNU/Linux you are limited to just small bits re-implemented by Google.
If you want to develop new personal device or wireless network ideas, this is going to be worth thousands of dollars to you. Even if you just want a device which does what you tell it to then it's likely to be worth hundreds more.
If you aren't a developer; you don't have any ideas about how to do something with wireless devices and you don't need a portable computing device, then you may well be right, it's not worth it to you. For a person who just uses it as a phone/PC, the competition would be something like a Samsung S4 - on sale for something like $600. In that case your questions about the level of testing would really matter. For most of the people who read this site, though, it's a chance to get a device which will be able to do things no other current device can do and that can really be worth much more than Canonical are asking for it.
You are saying that the ITC judges accepted bribes? I assume that when you say this you actually have some evidence; right? I mean, where bribing a politician is a protected right in the USA (AKA "lobbying" etc.) and there are even web sites dedicated to documenting how much who bribed who, bribing a judge is an actual crime and if you could show just some hint that Samsung had done so I'm sure there are plenty of people who would be interested. You wouldn't just be randomly spouting off would you?
You may want to look at my signature and posting history (not to mention the recommendation that everyone starts using Tor from the original submission). I guess maybe you could say that the editors deleted the part at the end because they didn't get the comment, but I assume they did it because they thought it was obvious.
Generally though I agree people who just accept this are beyond scary to the extent of being a serious threat. There is a definite space for some limited secret monitoring and much police work couldn't be done without it. Mass gathering of data just has so much opportunity for abuse that it's unreal.
Then again, maybe I'm recommending Tor as an INFO-OP muaaahhaaahahahaha. Or even better as a counter INFO-OP (you'll stop using it if you see it in an obvious INFO-OP like this one) ha.
If your work browser is configured to accept certificates from the proxy server, SSL might not give you privacy.
Right. Unfortunately the Slashdot Editors seem to have started editing (I can see why the trolls keep complaining that this place is going downhill) and deleted my sarky suggestion to use Tor from my submission. If you want to do anything from work you wouldn't want to know then make sure you use someone else's IP address to do it from. Alternatively buy an Android tablet and a data subscription.
The US is still one of the most free countries in the world by a pretty long shot; the drop-off is pretty steep once you get too far east of western Europe.
Your statement is a bit of a dodge and I guess you mean a fairly large group of countries when you say "one of" however it's still pretty misleading. It all depends what and how you try to measure, but the USA is no longer nearly at the top of most lists and it really isn't that free in practice.
Look at the world press index and you will see the USA comes in 32nd this year, up from 47th (mostly because other countries did more bad things recently). Look even at the "Index of Freedom In the World" which seems pretty biased towards the kind of economic freedom the US is so famed for and you will see that the US isn't in the top five. Try sorting by "personal freedom" separately from "economic freedom" and you will see that it isn't even in the top 20.
The situation is not terrible and the fact that Americans still believe they are free and believe in freedom is actually a cause for hope, however if people don't start acting now to keep that freedom there is going to be a big problem. Most of all the fact that people just don't seem worried by giving up their freedom to big companies and their data to the government is really dangerous.
I know, if I would not have believed that when I was a kid. Either things are changing, or my brainwashing is slowly wearing down.
Things are definitely changing in many ways. Certainly the USA is getting a bit scary in the level of monitoring. However I don't think that's the thing that changed here. Remember though what was done to Charlie Chaplin and company. Snowden is hardly the first US dissident.
What's new about this is the total level of apparent visible incompetence involved. The fundamental rule of being Russia and China is "never do anything you don't want to do if the USA states openly that you have to do it". Their entire world power comes from the feeling of other countries that if you have one or both of them on your side then you may be able to stand up to the USA and do what you want in your own country. The moment American politicians started threatening Russia and China about asylum there was nothing they could do to avoid helping him. Even weirder because think of the dissidents which the US embassy helps in China and used to help in the USSR.
Given everybody knows this, then the main thing was to get to him in Hong Kong and promise safe passage to a friendly neutral country like Iceland where there would be a chance to limit leakage of damaging material that didn't show illegal activity. They could probably wait a few years, give him an offer of a plea bargain (20 years?) and have the Icelandic winter drive him home. Why the hell drive him to Russia, the country most likely to know what to do with whatever secret information he has?
Also, let me know what airports in Europe you can operate a for-profit taxi service out of without paying the requisite fees and having the proper licenses.
I'm going to interpret "out of" to mean "picking up passengers from" not "having an office in" and "requisite fees and having the proper licenses" to mean "without paying the special airport fee" but that you may have to be a registered taxi. If you meant something different please ask again more clearly.
In which case I will answer that I don't know of one where you can't. In some such as London, where you pay £50 just to get into a taxi you would be insane to do anything other than have a "mini-cab" (these are registered, but with much lighter requirements than a proper taxi) arranged to come and meet you. You just have to do the arrangement by phone. What cannot be done is for those taxis to wait in a taxi rank.
This is a good example of a regulation which is done for the good of the customer. In many airports there used to be serious cowboy taxis who would wait for tourists and overcharge them massively by driving around a long long route or simply by having outrageous hidden charges or by various other kinds of fraud. By regulating and ensuring that the taxis that stand outside the airport are known, that doesn't happen much any more. The locals then take the cheaper local taxis which come and pick them up at pre-arranged places so this doesn't cause much overcharging.
Heathrow's £50 service fee is a perfect example of a failure of democracy. The airport authority has a monopoly on air transport and even so is allowed to get away with doing whatever they want. This is one example of why I said "most of Europe" rather than "in Europe".
I would REALLY want to know. Because, you know, "In most of Europe yes; the regulations are there in order to improve people's lives and especially safety."
This is still largely true. Nothing is perfect and you shouldn't expect it to be. If you have a problem with a regulation then try to get it changed. If the majority of people agree with you that it's a bad rule and you still can't, then start thinking about how to change your political system. If they think it's a good rule but are wrong then start thinking about how to educate them. If you can't do either then you have a problem.
There are plenty, so really if you don't know about them then it's for you to Google. Here's a random list for the Lumia 900 alone to get you started
Purple screen - Grays appear with a purple hue...
Vibrate feature rattles / Lumia 900s often sounding like an electric razor
Inline remote on headset issue
Just some from the first Nokia quality information out of Google. There's another they list Camera button won't wake the phone - but I don't see why they don't put that down to software quality? Apart from these you will want to look at Lumia 800
battery problems (probably software-hardware integration; should certainly have been picked up in the production facility).
Recalls (e.g. T-mobile)
It's worth just having a look through discussions like this one where you can just feel the astroturfers being drowned in a sea of sadness.
The real full picture is known only to Nokia of course and is well hidden for good reasons.
Now to be honest, these kinds of problems and complaints are pretty standard levels for second rank manufacturers. You need the high volume of Samsung or Apple to be able to get the manufacturing fully tuned. The main reason this is an issue is that Nokia used to be the best of the best.
Are you aware that Nokia's been producing most of their phones outside Finland long before Lumia was a thing?
Sure; however most of their top end phones were in their own plants and the ones needing the most supervision would always be done in Finland first. If you don't think that direct contact between the factory and the development engineers is critical to optimization then you haven't understood why Apple has to take such a control-freak attitude to their suppliers. Nobody except Apple and Samsung can afford that nowadays. In the old days, Nokia could use their own factories to build and optimize quality. Then, as a phone design became old hat, they could outsource the production whilst knowing everything they needed to to ensure that their suppliers kept up the quality they needed.
In most of Europe yes; the regulations are there in order to improve people's lives and especially safety. It is true that, in some places, people are able to change the regulations for their own profit or in ways that interfere with business. That is a symptom of failing democracy not that regulations are always bad. Your first priority must be to change your politicians. After that; once you have politicians who are trying to limit the regulations to the ones that actually matter, then is the time to start reducing the regulation which is getting in your way for no benefit.
Very often, the alternative to regulations which make it clear what needs to be done and what is just an optional extra is lawsuits, which are even more costly.
Now you've gone and destroyed the last shreds of credibility by linking to the blog of an exposed liar.
What I have seen is multiple attempts to portray him as a liar which turned out to be PR people propaganda. "Elop never said that.... oh shit Helsingin Sanomat had a recording; uhhh.. we didn't mean 'liar' just that he misunderstood". "no no, the operators love Skype. Oh that statement in the SEC filing, well yes, when we say 'love' we really mean 'love to hate'" and so on. I've seen things like "well look, the way he calculated the N9 numbers is wrong" coming from people who actually had the numbers and so would have just said something if the numbers he gave were too big. People are poring over every word Tommi writes looking for something they can twist against him. After that, anyone who wants to claim Tommi is a liar needs to not only point to an untrue statement but to show hard evidence that he made it deliberately and that he knew 100% that it was untrue at the time he said it. There are even special slander sites (see the links provided by the astroturfing trolls in some zero scored other responses to my comments) set up especially to attack Tommi. If there wasn't much truth in what Tommi said, then the PR people would just ignore him.
I'm pretty sure we have discussed before and you are a legitimate and open Nokia employee. I'm pretty happy to agree to disagree with you since I'm 100% sure you are subject to a weird world of propaganda and no longer know truth from lies. This comment, however, is unacceptable and a clear part of a widespread smear campaign. That your comments are so similar to the astroturfers' is especially disturbing. My comment is either true or false. Who I choose to link to does not affect my credibility unless you show me that I should know he's a liar (I do not) and that this particular statement is a lie (it is not; the links from Tommi's article are clear). If that were true you could simply show it and convince the others. Instead you choose to attack the messenger's messenger. As seen now, this can only be an attempt to silence a voice which is giving an uncomfortable message. Either point out the specific lies or stop this slander.
If your involvement with Microsoft is doing this to your ethics then please think about the old values of the company you loved and leave. Once upon a time the people who worked for Nokia were mostly good people. There are plenty of other companies out there where that is still true. There is no need to sell your soul for a pathetically small bit of Redmond's Danegeld.
What's wrong with the apps? OK, Instagram has decided to play nasty. Is anything of value lost?
Microsoft themselves have admitted to Windows phone being 18 months behind, especially in apps. This was even covered earlier on Slashdot. Go and look at reviews of Windows which cover the apps market; developers are simply not fixing or updating the Windows versions because there aren't enough customers to justify it. This leaves old buggy software where iOS and Android have the latest and best.
Most of the major phone "manufacturers" have no manufacturing capability anyway. They just buy from "noname" contract manufacturing plants (like Foxconn to name one). There are exceptions; companies like Samsung which are large enough, and companies like Apple which can afford to get involved in financing of production; but the rest mostly gave up their factories in the last few years and the change seems to have been one of the reasons for all problems that showed up in the Nokia Lumia phones after they closed their factories in Finland.
This means that a bunch of companies will just put together the device you order. This has been done by, for example, many of the phone companies to get custom devices for their networks (which is where HTC actually came from before they started to be a known brand).
There is no reason to think that, especially if they are willing to put some finance up themselves, Canonical wouldn't be able to do this too.
there is a way to use paypal without actually having a paypal account.
You can use your credit card, but at least in some locations they start blocking this after a few times. Anyone know how to do this reliably every time?
The agency is not obligated to wait for clear evidence in making their purchase decisions.
The opposite. It's a fundamental principle that authors and designers of the trusted computing base are trusted and so have to be trustworthy. The typical standard is that for high security applications that means that all of the people involved have to have full security clearance; that means they have to be nationals of the country where they are working or NATO allies at the very least. In their high security applications the spy agencies should probably only use computers where every component and every part of the design follows those criteria.
I haven't seen them make any accusations outside of that they are no longer purchasing computer equipment from Chinese manufacturers due to security concerns. From what I can tell, the media is the one deducing that Lenovo being a Chinese brand computer manufacturer is barred from being purchased.
This is exactly it. Everything is a mixture of innuendo and misunderstanding. What it all comes down to is "you can't trust your computer to be made properly" which we all should have known originally and "the person who designed your computer has a good chance to insert a backdoor" which we should also know and "the UKUSA security groupings don't really trust China" which is hardly a major revelation.
The problem is that everywhere you read this someone is stating that "malicious circuits" have been found in Chinese equipment and implying that it is widespread. That's an extraordinary statement and requires extraordinary evidence. If it can be shown then it a) would prove that the Chinese companies were working against their customers' interests and b) would mean that all the companies buying from them would be legally required to remove all equipment made by those companies otherwise they couldn't meet basic legal data security requirements.
Mixing the two ideas together makes this whole discussion stupid.
It wouldn't have existed, since Nokia would be bankrupt without the financial help of Microsoft.
A lie does not become truth if you just repeat it all the time. We keep hearing this all the time "Nokia was losing money" "Nokia's customers were abandoning it" "Nokia would have gone bankrupt".
The truth:
Up until Stephen Elop's burning platforms memo Nokia had always been profitable for many years;
Up until Stephen Elop's burning platforms memo Nokia had continuing increasing sales.
Up until Stephen Elop's burning platforms memo Nokia had consistently increasing profits (though not every quarter)
Nokia had a huge and growing cash mountain of several billions of Euros.
If they did nothing they could afford to quietly and silently develop an Android phone far better than the ones Samsung puts out. It was announcing the decision to move to Windows phone and the cost of that change which killed Nokia. Not their past successful products.
Now Nokia, which has contracts that leave it trapped with Windows, is desperate to get some of the 808's shine back. They know that users who already used a Windows phone won't do it again so they have to look for new audiences. Aiming to sucker in camera users who they hope won't check app availability let alone how up to date the apps in the app store are is one of their better chances.
So, they found hardware vulnerabilities but they aren't stating what they are. Probably because they know that people would start exploiting them immediately. There's a reason this stuff stays quiet. Also note that the ban started in 2006. This is pretty old... it's only getting reported now.
So, let me restate that as I heard it;
You believe that the security services know of widespread vulnerabilities in Chinese made equipment, which they believe were deliberately placed by the Chinese government, one of the countries they consider a serious potential enemy and against which they regularly carry out war games. You further believe that, for our own good and security, they chose to leave those vulnerabilities in the public internet which is now an integral part of their country's infrastructure where the Chinese could later exploit them at a critical moment. You believe that leaving people's computers vulnerable to mass Chinese attack is better than warning people; allowing them to take countermeasures and having some inevitable exploits by individual hackers.
That column is insufficiently clear; it repeatedly conflates completely different things; for example;
.... said the NSA was “incredibly concerned about state-sponsored malicious circuitry and the counterfeit circuitry found on a widespread basis in US defence systems”.
Sure; counterfeit circuitry is common. It's a serious safety issue. However it's not a relevant security issue. That it is bundled together with state-sponsored malicious circuitry, for which no evidence has ever been given that it's common, looks exactly like deception. Even the one paragraph which seems clear:
The ban was introduced in the mid-2000s after intensive laboratory testing of its equipment allegedly documented “back-door” hardware and “firmware” vulnerabilities in Lenovo chips.
Actually seems to confuse "vulnerabilities" and "back-doors" if you read it carefully. Overall, whilst this is the closest to a clear statement that these vulnerabilities exist, the article is dubious. The evidence it tells us about is secret. I guess it's likely true but it's hardly clear evidence.
The spy agencies do not have to make their evidence public. The news is only reporting that the spy agencies have banned Lenovo equipment from being used on THEIR network. This doesn't affect anyone outside of that network from being able to buy Lenovo.
The spy agencies are part of the national defences and are responsible for the security of their country. If they have clear evidence that malicious circuits are being widely deployed against their own people then they absolutely do have a duty to make this public. If the evidence is unclear then they have an absolute duty of secrecy and investigation until they can prove that clearly. At that point they should be banning all products of the manufacturers responsible and ensuring that they are removed from all public networks at the purchaser's or manufacturer's expense.
I see nothing wrong with insisting that all hardware and software used within the closed and secured network are written, assembled or manufactured from a member country with all vetting reasonably possible prior to use.
There is absolutely nothing wrong with this. However it is a different statement completely from the one made. This would be something like "Lenovo is unable to meet the stringent requirements of our security which require that all management, engineering and logistics and production staff are from countries covered within the UKUSA Agreement. At this time we know of no reason to ban Lenovo products in non classified networks, however we encourage continuing vigilance of the functioning of products from all vendors".
Instead we get a whole load of innuendo and no actual evidence.
Thanks for being the intelligence on Slashdot:-) It's interesting though. My guess is that this was done without any malicious intent and that it was done in a chip which was specifically intended for secure use. I'm guessing that:
a designed in backdoor would probably normally look like this or at least have "plausible deniability"
actually, most "backdoors" in hardware, as in software, are security faults and bugs discovered post manufacture
Now what the second thing means may sound like it takes "blame" away from the Chinese, however it's actually lots more worrying. Whoever has access to the device schematics + good engineers able to run and manipulate simulations will be the person most likely to be able to find backdoors in the hardware.
We know already that DARPA and co are looking for faults in chips; their own project requests show this. Probably you don't want to buy any device where any of the chips are the same as chips designed or manufactured in any country which you can't fully trust. Now, please name one.
Even if it's fully open, with 0 binary blobs. How many qualified specialists, with serious math background, do you think are out there looking through complex encryption functions checking through flaws in math? Ever heard of Obfuscated C Code Contests? Openness of the code does not guarantee absence of backdoors even if the code does get a lot of eyeballs looking at it.
Firstly; if the Obfuscated C Code scares you then I guess you should look up the underhanded C contest. Notice especially the bits where malware is disguised as small programming bugs. When you say "Openness of the code does not guarantee.." you are 100% right. However, don't forget, "the perfect is the enemy of the good". We don't always need a guarantee; sometimes improvement is enough:
1) Given that there have been plenty of discoveries of problems (e.g. just today a flaw in Android's RNG was reported) there must be quite a few people who are checking.
2) All it takes is one person. You don't need to do anything to benefit if I check it for you.
3) There is a vast increase in the risk for the attacker if it's open source;
4) Security problems tend to happen in generally insecure code. If code is open source you can avoid this:
Several of the things I mentioned are things that most people won't do most of the time. Having them as options means that they will be available when you actually really need them.
defenders can spot the hole and
Is harder to hide a backdoor when the code of the OS is open source and the apps are in html5.
This helps a bit, but not as much as you would think. When they say "unlocked" what they mean is that this phone comes unlocked for use on multiple operators but probably (unless this changes close to market time) not not unlocked for using your own OS. That makes the whole phone OS close to a binary blob that you can't replace and which they will be able to change without you having true control. If you use cyanogenmod you might argue that the reduced number of binary blobs would allow some kind of auditing. However without true openness like replicant it's almost impossible to be sure.
Maybe worth calling up our ZTE friends and persuading them to provide an easy way to unlock the bootloader on the EBay phones.
You can go further and (as some phones do) prompt the user with "wifi base stations available; do you want to try to connect" when you see unknown APs. This can still be implemented without sending out any signal.
How would the phone differentiate between the "dlink" AP at the owner's regular coffee shop and the eavesdropping "dlink" AP?
The AP broadcasts its MAC as the BSSID. You could ask before signalling to an AP which has an unknown BSSID. Also, since the phones know where they are, you could ask whenever you see the same name in a different location.
No protocols have to be changed, and none of your posts are informative (at least not on this article). It's so simple and obvious that you don't have to broadcast to listen.
I think you are talking at cross purposes. You are asking for a protocol which allows you to connect automatically to open wifi and stay anonymous. As you say, that's impossible with a fixed MAC address. The posters you are discussing with want to have their phones connect automatically to chosen WiFi access points without giving away the MAC address but to otherwise require manual intervention. What they ask for is possible simply through listening, though only as long as you never connect to a hidden access point.
Amazingly though, in order to find out if the network can actually route to the internet, which is what the station is trying to find out... you have to associate to the AP. As well, many people disable SSID broadcasting, necessitating probes to determine if that network is actually present.
It's so simple and obvious!
The interesting thing here is that cellphone networks have a bunch of interesting work done on the privacy here. They use random temporary identities and tunnelling of data back to the home network which should allow hiding of your identity from local passive attackers. The implementations are not perfect (an active attacker can use flaws in the GSM protocol for man in the middle attacks; the crypto is/was a bit poor; 3G phones are subject to fall back attacks etc.) but someone who is just listening to a GSM/3GPP phone should not see enough information to do tracking and someone who forces out enough information to do tracking should be clearly breaking the law (both computer hacking and radio frequency laws).
If the MAC address was a large random number which changed regularly and the standard was to start a VPN tunnel (back to the TOR network?) then untrackable connectivity would be possible. Of course it's not an accident that this is not the way things work.
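The listen-only policy discussed in the replies above (ask before signalling to an unknown BSSID, ask when a known name shows up somewhere new, never probe for hidden networks), as an added Python example that is not part of any of the original comments. The data model, the `decide` function, the 150 m drift threshold and all sample values are assumptions made for illustration.

```python
"""Listen-only Wi-Fi join policy: decide from received beacons alone."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000


@dataclass(frozen=True)
class Beacon:
    """One passively received beacon plus the phone's own position."""
    ssid: str    # empty string means the AP hides its SSID
    bssid: str   # MAC address the AP broadcasts
    lat: float
    lon: float


@dataclass(frozen=True)
class TrustedAP:
    """An AP the owner approved, and where it was approved."""
    ssid: str
    bssid: str
    lat: float
    lon: float


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (haversine formula)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def decide(beacon, trusted, max_drift_m=150.0):
    """Return (action, reason); only "join" lets the radio transmit.

    "ask" prompts the user first, "stay_silent" never transmits.
    """
    if not beacon.ssid:
        # Confirming a hidden network needs a probe request, which
        # would broadcast the phone's MAC address.
        return "stay_silent", "hidden SSID would require an active probe"

    same_name = [t for t in trusted if t.ssid == beacon.ssid]
    if not same_name:
        return "ask", "network has never been approved"

    same_ap = [t for t in same_name if t.bssid.lower() == beacon.bssid.lower()]
    if not same_ap:
        return "ask", "known name but unknown BSSID"

    for t in same_ap:
        if distance_m(beacon.lat, beacon.lon, t.lat, t.lon) <= max_drift_m:
            return "join", "known name and BSSID at the approved location"
    return "ask", "known name and BSSID seen at a new location"


# Constructed sample data: one approved coffee-shop AP.
TRUSTED = [TrustedAP("dlink", "02:00:00:00:00:01", 51.5000, -0.1200)]

if __name__ == "__main__":
    observed = [
        Beacon("dlink", "02:00:00:00:00:01", 51.5001, -0.1201),  # usual shop
        Beacon("dlink", "02:00:00:00:00:99", 51.5001, -0.1201),  # other BSSID
        Beacon("dlink", "02:00:00:00:00:01", 51.6000, -0.1200),  # far away
        Beacon("", "02:00:00:00:00:07", 51.5001, -0.1201),       # hidden SSID
    ]
    for b in observed:
        print(b.ssid or "<hidden>", b.bssid, *decide(b, TRUSTED))
```

A BSSID is broadcast unauthenticated and can be copied, so this policy limits what the phone transmits and when it prompts; it does not authenticate the access point.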
Nokia N950s go for well over a grand
$695 is still way too high.
There are many ways to set price. There's a range between cost (nobody will build it for less) and the maximum value someone can get out of it (no point in buying something for more). You don't show in any way it's outside this. The real question is the value that you can get out of it. That's what should decide how much you can pay for it. You need to compare it with other similar devices, not a bunch of non wireless enabled development boards.
In my view the device is new, but the fundamentals of the value are something we have seen before. I guess there are three devices to look at; OpenMoko, the Nokia N900 and the Nokia N9. There are a bunch of things which would work on those devices which are impractical on other devices. Here are some ideas off the top of my head; maybe other people can add theirs:
Compare these ideas with the closed competition. Windows phones, where you can't even really jail-break, are the worst it is true. iOS phones are also pretty limited (software from the app store only unless you get a developer key) but even Android phones which are supposed to be "open" end up as garbage here. Instead of having the full GNU/Linux you are limited to just small bits re-implemented by Google.
If you want to develop new personal device or wireless network ideas, this is going to be worth thousands of dollars to you. Even if you just want a device which does what you tell it to then it's likely to be worth hundreds more.
If you aren't a developer; you don't have any ideas about how to do something with wireless devices and you don't need a portable computing device, then you may well be right, it's not worth it to you. For a person who just uses it as a phone/PC, the competition would be something like a Samsung S4 - on sale for something like $600. In that case your questions about the level of testing would really matter. For most of the people who read this site, though, it's a chance to get a device which will be able to do things no other current device can do and that can really be worth much more than Canonical are asking for it.
You are saying that the ITC judges accepted bribes? I assume that when you say this you actually have some evidence; right? I mean, where bribing a politician is a protected right in the USA (AKA "lobbying" etc.) and there are even web sites dedicated to documenting how much who bribed who, bribing a judge is an actual crime and if you could show just some hint that Samsung had done so I'm sure there are plenty of people who would be interested. You wouldn't just be randomly spouting off would you?
You may want to look at my signature and posting history (not to mention the recommendation that everyone starts using Tor from the original submission). I guess maybe you could say that the editors deleted the part at the end because they didn't get the comment, but I assume they did it because they thought it was obvious.
Generally though I agree people who just accept this are beyond scary to the extent of being a serious threat. There is a definite space for some limited secret monitoring and much police work couldn't be done without it. Mass gathering of data just has so much opportunity for abuse that it's unreal.
Then again, maybe I'm recommending Tor as an INFO-OP muaaahhaaahahahaha. Or even better as a counter INFO-OP (you'll stop using it if you see it in an obvious INFO-OP like this one) ha.
If your work browser is configured to accept certificates from the proxy server, SSL might not give you privacy.
Right. Unfortunately the Slashdot Editors seem to have started editing (I can see why the trolls keep complaining that this place is going downhill) and deleted my sarky suggestion to use Tor from my submission. If you want to do anything from work you wouldn't want to know then make sure you use someone else's IP address to do it from. Alternatively buy an Android tablet and a data subscription.
The US is still one of the most free countries in the world by a pretty long shot; the drop-off is pretty steep once you get too far east of western Europe.
Your statement is a bit of a dodge and I guess you mean a fairly large group of countries when you say "one of" however it's still pretty misleading. It all depends what and how you try to measure, but the USA is no longer nearly at the top of most lists and it really isn't that free in practice. Look at the world press index and you will see the USA comes in 32nd this year, up from 47th (mostly because other countries did more bad things recently). Look even at the "Index of Freedom In the World" which seems pretty biased towards the kind of economic freedom the US is so famed for and you will see that the US isn't in the top five. Try sorting by "personal freedom" separately from "economic freedom" and you will see that it isn't even in the top 20.
The situation is not terrible and the fact that Americans still believe they are free and believe in freedom is actually a cause for hope, however if people don't start acting now to keep that freedom there is going to be a big problem. Most of all the fact that people just don't seem worried by giving up their freedom to big companies and their data to the government is really dangerous.
I know, if I would not have believed that when I was a kid. Either things are changing, or my brainwashing is slowly wearing down.
Things are definitely changing in many ways. Certainly the USA is getting a bit scary in the level of monitoring. However I don't think that's the thing that changed here. Remember though what was done to Charlie Chaplin and company. Snowden is hardly the first US dissident.
What's new about this is the total level of apparent visible incompetence involved. The fundamental rule of being Russia and China is "never do anything you don't want to do if the USA states openly that you have to do it". Their entire world power comes from the feeling of other countries that if you have one or both of them on your side then you may be able to stand up to the USA and do what you want in your own country. The moment American politicians started threatening Russia and China about asylum there was nothing they could do to avoid helping him. Even weirder because think of the dissidents which the US embassy helps in China and used to help in the USSR.
Given everybody knows this, then the main thing was to get to him in Hong Kong and promise safe passage to a friendly neutral country like Iceland where there would be a chance to limit leakage of damaging material that didn't show illegal activity. They could probably wait a few years, give him an offer of a plea bargain (20 years?) and have the Icelandic winter drive him home. Why the hell drive him to Russia, the country most likely to know what to do with whatever secret information he has?
Also, let me know what airports in Europe you can operate a for-profit taxi service out of without paying the requisite fees and having the proper licenses.
I'm going to interpret "out of" to mean "picking up passengers from" not "having an office in" and "requisite fees and having the proper licenses" to mean "without paying the special airport fee" but that you may have to be a registered taxi. If you meant something different please ask again more clearly.
In which case I will answer that I don't know of one where you can't. In some such as London, where you pay £50 just to get into a taxi you would be insane to do anything other than have a "mini-cab" (these are registered, but with much lighter requirements than a proper taxi) arranged to come and meet you. You just have to do the arrangement by phone. What cannot be done is for those taxis to wait in a taxi rank.
This is a good example of a regulation which is done for the good of the customer. In many airports there used to be serious cowboy taxis who would wait for tourists and overcharge them massively by driving around a long long route or simply by having outrageous hidden charges or by various other kinds of fraud. By regulating and ensuring that the taxis that stand outside the airport are known, that doesn't happen much any more. The locals then take the cheaper local taxis which come and pick them up at pre-arranged places so this doesn't cause much overcharging.
Heathrow's £50 service fee is a perfect example of a failure of democracy. The airport authority has a monopoly on air transport and even so is allowed to get away with doing whatever they want. This is one example of why I said "most of Europe" rather than "in Europe".
I would REALLY want to know. Because, you know, "In most of Europe yes; the regulations are there in order to improve people's lives and especially safety."
This is still largely true. Nothing is perfect and you shouldn't expect it to be. If you have a problem with a regulation then try to get it changed. If the majority of people agree with you that it's a bad rule and you still can't, then start thinking about how to change your political system. If they think it's a good rule but are wrong then start thinking about how to educate them. If you can't do either then you have a problem.
What problems?
There are plenty, so really if you don't know about them then it's for you to Google. Here's a random list for the Lumia 900 alone to get you started
Just some from the first Nokia quality information out of Google. There's another they list, "Camera button won't wake the phone", but I don't see why they don't put that down to software quality? Apart from these you will want to look at Lumia 800
It's worth just having a look through discussions like this one where you can just feel the astroturfers being drowned in a sea of sadness.
The real full picture is known only to Nokia of course and is well hidden for good reasons.
Now to be honest, these kinds of problems and complaints are pretty standard levels for second rank manufacturers. You need the high volume of Samsung or Apple to be able to get the manufacturing fully tuned. The main reason this is an issue is that Nokia used to be the best of the best.
Are you aware that Nokia's been producing most of their phones outside Finland long before Lumia was a thing?
Sure; however most of their top end phones were in their own plants and the ones needing the most supervision would always be done in Finland first. If you don't think that direct contact between the factory and the development engineers is critical to optimization then you haven't understood why Apple has to take such a control-freak attitude to their suppliers. Nobody except Apple and Samsung can afford that nowadays. In the old days, Nokia could use their own factories to build and optimize quality. Then, as a phone design became old hat, they could outsource the production whilst knowing everything they needed to to ensure that their suppliers kept up the quality they needed.
Regulations = safety... right?
In most of Europe yes; the regulations are there in order to improve people's lives and especially safety. It is true that, in some places, people are able to change the regulations for their own profit or in ways that interfere with business. That is a symptom of failing democracy not that regulations are always bad. Your first priority must be to change your politicians. After that; once you have politicians who are trying to limit the regulations to the ones that actually matter, then is the time to start reducing the regulation which is getting in your way for no benefit.
Very often, the alternative to regulations which make it clear what needs to be done and what is just an optional extra is lawsuits, which are even more costly.
Now Nokia, which has contracts that leave it trapped with Windows, is desperate to get some of the 808's shine back. They know that users who already used a Windows phone won't do it again
Now you've gone and destroyed the last shreds of credibility by linking to the blog of an exposed liar.
What I have seen is multiple attempts to portray him as a liar which turned out to be PR people propaganda. "Elop never said that.... oh shit Helsingin Sanomat had a recording; uhhh.. we didn't mean 'liar' just that he misunderstood". "no no, the operators love Skype. Oh that statement in the SEC filing, well yes, when we say 'love' we really mean 'love to hate'" and so on. I've seen things like "well look, the way he calculated the N9 numbers is wrong" coming from people who actually had the numbers and so would have just said something if the numbers he gave were too big. People are poring over every word Tommi writes looking for something they can twist against him. After that, anyone who wants to claim Tommi is a liar needs to not only point to an untrue statement but to show hard evidence that he made it deliberately and that he knew 100% that it was untrue at the time he said it. There are even special slander sites (see the links provided by the astroturfing trolls in some zero scored other responses to my comments) set up especially to attack Tommi. If there wasn't much truth in what Tommi said, then the PR people would just ignore him.
I'm pretty sure we have discussed before and you are a legitimate and open Nokia employee. I'm pretty happy to agree to disagree with you since I'm 100% sure you are subject to a weird world of propaganda and no longer know truth from lies. This comment, however, is unacceptable and a clear part of a widespread smear campaign. That your comments are so similar to the astroturfers' is especially disturbing. My comment is either true or false. Who I choose to link to does not affect my credibility unless you show me that I should know he's a liar (I do not) and that this particular statement is a lie (it is not; the links from Tommi's article are clear). If that were true you could simply show it and convince the others. Instead you choose to attack the messenger's messenger. As seen now, this can only be an attempt to silence a voice which is giving an uncomfortable message. Either point out the specific lies or stop this slander.
If your involvement with Microsoft is doing this to your ethics then please think about the old values of the company you loved and leave. Once upon a time the people who worked for Nokia were mostly good people. There are plenty of other companies out there where that is still true. There is no need to sell your soul for a pathetically small bit of Redmond's Danegeld.
What's wrong with the apps? OK, Instagram has decided to play nasty. Is anything of value lost?
Microsoft themselves have admitted to Windows phone being 18 months behind, especially in apps. This was even covered earlier on Slashdot. Go and look at reviews of Windows which cover the apps market; developers are simply not fixing or updating the Windows versions because there aren't enough customers to justify it. This leaves old buggy software where iOS and Android have the latest and best.
Who is even going to build them?
Most of the major phone "manufacturers" have no manufacturing capability anyway. They just buy from "noname" contract manufacturing plants (like Foxconn to name one). There are exceptions; companies like Samsung which are large enough, and companies like Apple which can afford to get involved in financing of production; but the rest mostly gave up their factories in the last few years and the change seems to have been one of the reasons for all problems that showed up in the Nokia Lumia phones after they closed their factories in Finland.
This means that a bunch of companies will just put together the device you order. This has been done by, for example, many of the phone companies to get custom devices for their networks (which is where HTC actually came from before they started to be a known brand).
There is no reason to think that, especially if they are willing to put some finance up themselves, Canonical wouldn't be able to do this too.
there is a way to use paypal without actually having a paypal account.
You can use your credit card, but at least in some locations they start blocking this after a few times. Anyone know how to do this reliably every time?
The agency is not obligated to wait for clear evidence in making their purchase decisions.
The opposite. It's a fundamental principle that authors and designers of the trusted computing base are trusted and so have to be trustworthy. The typical standard is that for high security applications that means that all of the people involved have to have full security clearance; that means they have to be nationals of the country where they are working or of a NATO ally at the very least. In their high security applications the spy agencies should probably only use computers where every component and every part of the design follows those criteria.
I haven't seen them make any accusations outside of that they are no longer purchasing computer equipment from Chinese manufacturers due to security concerns. From what I can tell, the media is the one deducing that Lenovo being a Chinese brand computer manufacturer is barred from being purchased.
This is exactly it. Everything is a mixture of innuendo and misunderstanding. What it all comes down to is "you can't trust your computer to be made properly" which we all should have known originally and "the person who designed your computer has a good chance to insert a backdoor" which we should also know and "the UKUSA security groupings don't really trust China" which is hardly a major revelation.
The problem is that everywhere you read this someone is stating that "malicious circuits" have been found in Chinese equipment and implying that it is widespread. That's an extra-ordinary statement and requires extraordinary evidence. If it can be shown then it a) would prove that the Chinese companies were working against their customer's interests and b) would mean that all the companies buying from them would be legally required to remove all equipment made by those companies otherwise they couldn't meet basic legal data security requirements.
Mixing the two ideas together makes this whole discussion stupid.
It wouldn't have existed, since Nokia would be bankrupt without the financial help of Microsoft.
A lie does not become truth if you just repeat it all the time. We keep hearing this all the time "Nokia was losing money" "Nokia's customers were abandoning it" "Nokia would have gone bankrupt". The truth:
If they did nothing they could afford to quietly and silently develop an Android phone far better than the ones Samsung puts out. It was announcing the decision to move to Windows phone and the cost of that change which killed Nokia. Not their past successful products.
Samsung has been showing serious cameras that have phone functions, standard phones which have been outclassing Nokia in general reviews and real optical zoom cameras with most smartphone features. Nokia traditionally led in phone cameras and when the original Pureview 808 came out it looked pretty neat.
Now Nokia, which has contracts that leave it trapped with Windows, is desperate to get some of the 808's shine back. They know that users who already used a Windows phone won't do it again so they have to look for new audiences. Aiming to sucker in camera users who they hope won't check app availability let alone how up to date the apps in the app store are is one of their better chances.
So, they found hardware vulnerabilities but they aren't stating what they are. Probably because they know that people would start exploiting them immediately. There's a reason this stuff stays quiet. Also note that the ban started in 2006. This is pretty old...it's only getting reported now.
So, let me restate that as I heard it;
You believe that the security services know of widespread vulnerabilities in Chinese made equipment, which they believe were deliberately placed by the Chinese government, one of the countries they consider a serious potential enemy and against which they regularly carry out war games. You further believe that, for our own good and security, they chose to leave those vulnerabilities in the public internet which is now an integral part of their country's infrastructure where the Chinese could later exploit them at a critical moment. You believe that leaving people's computers vulnerable to mass Chinese attack is better than warning people; allowing them to take countermeasures and having some inevitable exploits by individual hackers.
That's right?
The most cited column is the one written in the Australian Financial Review: Spy agencies ban Lenovo PCs on security concerns
That column is insufficiently clear; it repeatedly conflates completely different things; for example;
Sure; counterfeit circuitry is common. It's a serious safety issue. However it's not a relevant security issue. That it is bundled together with state-sponsored malicious circuitry, for which no evidence has ever been given that it's common, looks exactly like deception. Even the one paragraph which seems clear:
Actually seems to confuse "vulnerabilities" and "back-doors" if you read it carefully. Overall, whilst this is the closest to a clear statement that these vulnerabilities exist, the article is dubious. The evidence it tells us about is secret. I guess it's likely true but it's hardly clear evidence.
The spy agencies do not have to make their evidence public. The news is only reporting that the spy agencies have banned Lenovo equipment from being used on THEIR network. This doesn't affect anyone outside of that network from being able to buy Lenovo.
The spy agencies are part of the national defences and are responsible for the security of their country. If they have clear evidence that malicious circuits are being widely deployed against their own people then they absolutely do have a duty to make this public. If the evidence is unclear then they have an absolute duty of secrecy and investigation until they can prove that clearly. At that point they should be banning all products of the manufacturers responsible and ensuring that they are removed from all public networks at the purchaser's or manufacturer's expense.
I see nothing wrong with insisting that all hardware and software used within the closed and secured network are written, assembled or manufactured from a member country with all vetting reasonably possible prior to use.
There is absolutely nothing wrong with this. However it is a different statement completely from the one made. This would be something like "Lenovo is unable to meet the stringent requirements of our security which require that all management, engineering and logistics and production staff are from countries covered within the UKUSA Agreement. At this time we know of no reason to ban Lenovo products in non classified networks, however we encourage continuing vigilance of the functioning of products from all vendors".
Instead we get a whole load of innuendo and no actual evidence.
Is the US involvement in the MSWind backdoor confirmed? I thought it had been "plausibly denied". (I may doubt their denial, but that's not proof.)
It has been confirmed that Microsoft gives access to zero days to the NSA, so yes.
So I'll withdraw this example.
Thanks for being the intelligence on Slashdot :-) It's interesting though. My guess is that this was done without any malicious intent and that it was done in a chip which was specifically intended for secure use. I'm guessing that:
Now what the second thing means may sound like it takes "blame" away from the Chinese, however it's actually lots more worrying. Whoever has access to the device schematics + good engineers able to run and manipulate simulations will be the person most likely to be able to find backdoors in the hardware.
We know already that DARPA and co are looking for faults in chips; their own project requests show this. Probably you don't want to buy any device where any of the chips are the same as chips designed or manufactured in any country which you can't fully trust. Now, please name one.