Android had more vulnerabilities in the last month than OpenBSD has had in the last decade. If you can't see a difference here, you need to have your brain adjusted. There is some sloppy programming going on in Android that doesn't need to be.
Because carriers make their own, modified distribution of Android. Which of course, git is set up to handle, but sometimes the carriers make a mess of things.
It's not entirely the carrier's fault, because sometimes Google makes some pretty big changes in the core OS. So, for example, imagine if the carrier had to change the screenshot utility to work with their hardware (surprisingly common). Then in a later version of Android, google changed the internal screenshot system. In order to update to the latest Android, the carrier would need to figure out how to get screenshots working again.
That's just one example, there are similar small changes throughout the Android system. So to make sure everything works with an updated version can be a lot of work for a carrier.
This topic has been brought up before. DJB showed with qmail that a substantial program can be written with no serious vulnerabilities.
OpenBSD shows we can do better on security by an order of magnitude (and if you listen to the techniques they use, it's not super-hard).
There's no excuse for the garbage, vulnerable software we are subjected to.
By the way, there's a huge difference between those who call themselves programmers today and those people I hired back from 1991 to 2005. (I needed no new programmers after 2005 but sold in 2007 and finalized the sale almost exactly eight years ago, today. I don't know what the difference is and I'm going to use a favorite quote of mine - it's nearly verbatim and might be verbatim. (Consider, I was paying 120k to start for qualified people, slightly less for training - I even sent some to school.)
I've wondered about this too.....are students really coming out worse? Or is it just my imagination? I don't know, but it worries me.
There have been times I've wanted to disagree with you 'cause you almost certainly reached the wrong conclusion BUT I'll be damned if I can find the flaw in your logic - and I was on the MIT debate team.
Well if you disagree, you should say so anyway; you're a reasonable person so there must be a reason for you to disagree. Maybe we can come up with a reason together: two heads are better than one, etc. The argument doesn't have to be perfect for us to come to a more nuanced understanding of a topic.
Some people would say that security depends on being perfect.
Whether perfection is possible or not: that is a philosophical question.
More practically, we can easily do better in security than we are doing now by an order of magnitude.
If there's a security fix for iOS, I can download and install it right away..... Fix your damn security model!
Some people would say that security doesn't depend on fast updates: security depends on not having security vulnerabilities in your software to begin with.
Is Joe the Plumber the threat here? because that's about all this regulation will stop.
Yes, actually, the police want to be able to decrypt phones from 'average' dumb criminals. They also want terrorist phones, but that is not the only issue.
Even if they close that loophole (which it looks like the current proposals do) an even simpler way is to just not carry them in stores in those states.
That's not going to happen. I admit it would be effective, though.
The headline is a little misleading......they didn't drop their "community elected members," they dropped the associate elected members, which were those that paid $99 to be a member of the foundation. There don't seem to be many of those.
The Linux Foundation is the group that pays Linus' paycheck (used to be called OSDL). It's funded by IBM, Samsung, Intel, Oracle, Qualcomm, and others. They support other kernel related projects (like Xen Hypervisor and LSB).
Karen Sandler is best known around here for leading Gnome when Gnome started their women/underrepresented outreach program. She is now at the Software Freedom Conservancy (which supports Inkscape, Wine, BusyBox, Samba and others), and she brought her outreach program with her (it's now a part of the SFC).
It is unclear whether the move by the Linux Foundation has anything to do with Karen. The article doesn't clarify, and since there were only six affiliate members who lost representation, hardly anyone is affected by this change.
How did you know which article to click on?
That's really great, how did you find out about this stuff?
Seriously though, I'm not the one that said "security depends on not having security vulnerabilities in your software to begin with."
Yeah, it's true. A fully patched Android system is still vulnerable. Any attacker who wants to put in the effort can find a vulnerability.
True, the patching system can be improved.
The binary is 10 MB on disk. Kind of smallish, actually.
Android had more vulnerabilities in the last month than OpenBSD has had in the last decade. If you can't see a difference here, you need to have your brain adjusted. There is some sloppy programming going on in Android that doesn't need to be.
Because carriers make their own, modified distribution of Android. Which of course, git is set up to handle, but sometimes the carriers make a mess of things.
It's not entirely the carrier's fault, because sometimes Google makes some pretty big changes in the core OS. So, for example, imagine if the carrier had to change the screenshot utility to work with their hardware (surprisingly common). Then in a later version of Android, google changed the internal screenshot system. In order to update to the latest Android, the carrier would need to figure out how to get screenshots working again.
That's just one example, there are similar small changes throughout the Android system. So to make sure everything works with an updated version can be a lot of work for a carrier.
The Android security model is actually very good....but Google has committed to a monthly patch cycle for Nexus devices,
If you have to release security patches every month, then your security model is definitely NOT good. You have serious problems with your code.
Wouldn't you, if you thought you could make more than a billion dollars off it? Really?
This topic has been brought up before. DJB showed with qmail that a substantial program can be written with no serious vulnerabilities.
OpenBSD shows we can do better on security by an order of magnitude (and if you listen to the techniques they use, it's not super-hard).
There's no excuse for the garbage, vulnerable software we are subjected to.
By the way, there's a huge difference between those who call themselves programmers today and those people I hired back from 1991 to 2005. (I needed no new programmers after 2005 but sold in 2007 and finalized the sale almost exactly eight years ago, today. I don't know what the difference is and I'm going to use a favorite quote of mine - it's nearly verbatim and might be verbatim. (Consider, I was paying 120k to start for qualified people, slightly less for training - I even sent some to school.)
I've wondered about this too.....are students really coming out worse? Or is it just my imagination? I don't know, but it worries me.
There have been times I've wanted to disagree with you 'cause you almost certainly reached the wrong conclusion BUT I'll be damned if I can find the flaw in your logic - and I was on the MIT debate team.
Well if you disagree, you should say so anyway; you're a reasonable person so there must be a reason for you to disagree. Maybe we can come up with a reason together: two heads are better than one, etc. The argument doesn't have to be perfect for us to come to a more nuanced understanding of a topic.
lol looks like I need to read more carefully
Indeed, by 10,000 years ago, humans were probably already writing about their wars.
You're right.
I have to say we are in total agreement.
Some people would say that security depends on being perfect.
Whether perfection is possible or not: that is a philosophical question.
More practically, we can easily do better in security than we are doing now by an order of magnitude.
In case anyone cares, the bug was improper deallocation. Sloppy programming.
If there's a security fix for iOS, I can download and install it right away. .... Fix your damn security model!
Some people would say that security doesn't depend on fast updates: security depends on not having security vulnerabilities in your software to begin with.
Hopefully this course includes a section on security. Doesn't look like it will, as a professional course, it looks more aimed at business people.
In fact,if they made the course entirely about security, the world would be better off.
That's basically what Forth applications do......
Is Joe the Plumber the threat here? because that's about all this regulation will stop.
Yes, actually, the police want to be able to decrypt phones from 'average' dumb criminals. They also want terrorist phones, but that is not the only issue.
Even if they close that loophole (which it looks like the current proposals do) an even simpler way is to just not carry them in stores in those states.
That's not going to happen. I admit it would be effective, though.
"This shows that two of the conditions associated with warfare among settled societies—control of territory and resources"
Certainly plenty of wars have been fought over that, but wars have been fought over religion, or ideology, too. Wars have been fought over slavery.
The Greek historian Thucydides pointed out that the causes of war are three: greed, fear, and ideology.
The headline is a little misleading......they didn't drop their "community elected members," they dropped the associate elected members, which were those that paid $99 to be a member of the foundation. There don't seem to be many of those.
There's no way in hell I could function in that close proximity to ANYBODY for 9 years.
Somehow, based on your post history, I believe that lol
Wait, so the Linux foundation is now entirely corporate dominated? How the hell is that even possible?
It always was. The Linux Foundation used to be called OSDL. They give Linus a paycheck. You can see the member list here.
By design they don't make any decisions about the Linux kernel: they just got together to fund it.
The Linux Foundation is the group that pays Linus' paycheck (used to be called OSDL). It's funded by IBM, Samsung, Intel, Oracle, Qualcomm, and others. They support other kernel related projects (like Xen Hypervisor and LSB).
Karen Sandler is best known around here for leading Gnome when Gnome started their women/underrepresented outreach program. She is now at the Software Freedom Conservancy (which supports Inkscape, Wine, BusyBox, Samba and others), and she brought her outreach program with her (it's now a part of the SFC).
It is unclear whether the move by the Linux Foundation has anything to do with Karen. The article doesn't clarify, and since there were only six affiliate members who lost representation, hardly anyone is affected by this change.