Slashdot Mirror


User: emil

emil's activity in the archive.

Stories: 0 · Comments: 1,370

Comments · 1,370

  1. It's not OMAP anymore, but... on Malware Found In the Firmware of 26 Low-Cost Android Models (bleepingcomputer.com) · Score: 1

    ...I thought that I could trust BN. They would have been better served with a Sitara.

  2. It most CERTAINLY IS Mediatek! on Malware Found In the Firmware of 26 Low-Cost Android Models (bleepingcomputer.com) · Score: 5, Informative

    They were caught red-handed.

    When Google had previously updated its systems to check for ADUPS, MediaTek (they make the chipset in millions of low-end phones) simply modified their system software to evade Google’s checks. Nice one MediaTek!

    DO NOT BUY EQUIPMENT WITH MEDIATEK CPUS!

  3. Re:Mediatek, WHAT IS YOUR PROBLEM?! on Malware Found In the Firmware of 26 Low-Cost Android Models (bleepingcomputer.com) · Score: 1

    Uh, no.

    Processor MediaTek MT8163 ARM Cortex-A53 Quad-Core

  4. Mediatek, WHAT IS YOUR PROBLEM?! on Malware Found In the Firmware of 26 Low-Cost Android Models (bleepingcomputer.com) · Score: 3, Insightful

    Why is Mediatek installing malware to extract and send the owner's data to China?

    I just bought the latest BN Nooks as Christmas gifts. Now I have to tell EVERYONE who receives these gifts to use burner accounts, no credit cards, no sensitive gmail.

    None of these companies can be trusted.

  5. Now someone do it to Google. on How Microsoft Lost In Court Over Windows 10 Upgrades (digitaltrends.com) · Score: 0

    Down with evil empires!

  6. CPU without management engine on Open-Source Hardware Makers Unite To Start Certifying Products (infoworld.com) · Score: 1

    The article mentions a Beaglebone Black as "open source" - does this lack the management engine that is commonly included with ARM processors?

    The only open/modern CPU that I know of that lacks a management engine is the SPARC T2.

  7. Samsung's reputation... on Samsung Really, Really Wants Developers To Build Tizen Apps (theinquirer.net) · Score: 1

    ...is not so good. Such an app store is more likely to abuse developers than Apple or Google (who themselves are no angels).

    ...Some Samsung executives saw a path for boosting profits by boldly and illegally fixing prices with competitors in some of their top businesses... competitors secretly got together in what they called “Glass Meetings” at hotels and resorts around the world... Samsung was fined $32 million in the U.S., $21.5 million in South Korea, and $197 million by the European Commission.

    ..but by 2006 the L.C.D. jig was up. Rumors began circulating among the conspirators that one of the victims of their crime—a company they referred to by the code name NYer—suspected that the suppliers were rigging prices. And Samsung executives presumably feared that NYer could spark a criminal investigation by the U.S. government; after all, NYer—in reality Apple Inc.—was pretty powerful. Samsung ran to the Justice Department under an anti-trust leniency program and ratted out its co-conspirators. But that didn’t lessen the pain much—the company was still forced to pay hundreds of millions of dollars to settle claims against it by state attorneys general and direct purchasers of L.C.D.’s.

    ...The decision to fess up to the L.C.D. scheme may not have been driven just by Apple’s suspicions. Samsung was already in law enforcement’s sights: sometime earlier a co-conspirator in another criminal price-fixing conspiracy had given up Samsung. That scheme, beginning in 1999, involved Samsung’s huge business for dynamic random-access memory, or DRAM, which is used in computer memories. In 2005, after it was caught, Samsung agreed to pay $300 million in fines to the U.S. government. Six of its executives pleaded guilty and agreed to serve sentences of 7 to 14 months in American prisons.

    Kim Yong-chul, who made his name as a star prosecutor in South Korea before joining Samsung, blew the whistle on what he said was massive corruption at the company. He accused senior executives of engaging in bribery, money-laundering, evidence tampering, stealing as much as $9 billion, and other crimes.

    In January 2008, government investigators raided the home and office of Lee Kun-hee, the chairman of Samsung, who was subsequently convicted of dodging some $37 million in taxes. He was given a three-year suspended sentence and ordered to pay $89 million in fines. A year and a half later, South Korean president Lee Myung-bak pardoned Lee.

    ...a Korean lawmaker claimed that Samsung had once offered her a golf bag stuffed with cash, and a former presidential aide said the company had given him a cash gift of $5,400, which he returned.

  8. In addition on Google Hits Back at EU Claim Over Android Abuses (bbc.com) · Score: 1

    • Google should be shipping the master kernel for all platforms, without carrier ability to block. Like RedHat, they should allow 3rd-party drivers by backporting patches into a kernel under long-term-support. All components of the master kernel should be in AOSP. This should have started with JellyBean.
    • Android Webview is now updated from Play. This should also include Stagefright, OpenSSL/libcrypto/libssl, and libc.a. Everything in /system/lib that is NOT updated by the store should have an independent security audit to assure that it's appropriate to burn into rom.
    • The default cipher settings for all applications should now default to the proposed-TLS 1.3 symmetric cipher set, and allow only AEAD aes/gcm and chacha/poly, with everything else denied (allow the user to open TLS1.1 ciphers with extensive warnings).
    • Mediaserver/libstagefright must be reconfigured to chroot(/var/empty) and setuid(nobody) with open file descriptors on the media. Android's Zygote launches these components as root - this should never have happened.
    • Android *just* enabled -D_FORTIFY_SOURCE in the last 6 months. Seriously? All available code audits and runtime code/stack protection tools should be applied yesterday.

    ...

    Android is critical communications infrastructure, and it should act like it.

  9. RedHat released backported Dirty Cow patches for the 2.6.18 kernel in EL5 last Friday.

    Why isn't Google using a RedHat kernel in Android, and applying the backported updates to /boot and /system, around OEM drivers?

    Why is the kernel "untouchable" by Google on non-Nexus devices? It didn't have to be this way. RedHat certainly makes kernel updates work with 3rd-party drivers. Oracle ksplice can even apply them without a reboot.

  10. Samsung: lying is business. Business is good. on Samsung Takes Out Full-page Ads on WSJ, NYTimes, and WaPo To Apologize For Note 7 Defects (theguardian.com) · Score: 1

    http://www.cultofmac.com/254695/for-samsung-stealing-cheating-and-lying-are-business-as-usual/

    "Samsung was recently fined $340,000 by Taiwan’s Fair Trade Commission (FTC) for astro-turfing — hiring people to post fake comments supporting Samsung in online forums... The fine came in the wake of reports that Samsung was caught cheating on benchmark tests, then lying about it. In the most recent case, the Samsung Galaxy Note 2 looked for the presence of any benchmarking program and when it detected one, kicked into a special, high-power CPU mode in order to enable the phone to lie to [said] benchmarking programs. After this was proved beyond any doubt, Samsung lied about it and said they didn’t do it despite incontrovertible evidence to the contrary. The company was also fined recently by Taiwan’s FTC for lying in ads about smartphone features. This recurring pattern of stealing, cheating and lying by Samsung is creepy because they must know they’ll get caught and publicly called out. Yet they continue to do it."

  11. Lawsuits and Bribes for the Galaxy Grenade on Samsung Takes Out Full-page Ads on WSJ, NYTimes, and WaPo To Apologize For Note 7 Defects (theguardian.com) · Score: 1

    Does "bending over backwards" include lawsuits and bribes?

    A YouTube video of a GTA gamer using the phone as a bomb has been pulled due to a copyright complaint by Samsung — which given that Samsung doesn’t own the game or the modification makes rather little sense... According to some reports, Samsung tried to bribe one man to keep quiet after his phone began spewing smoke and melting in front of him. So perhaps it’s no surprise the company is trying to keep a lid on the fallout from the recall once these videos began circulating.

    • Unlock all/my bootloader.
    • Include sd-card slots on all models.
    • Restore/clear the Knox bit when factory firmware is loaded.

    I'm going to have to save photos from a European trip on a smashed Galaxy Active in the near future. I would not be doing this if there was an sd-card. I am sorely upset that I will need a guitar pick and a new digitizer, and I am saying unkind things about the Galaxy Grenade line peddled by Samsung. These phones should not be sold.

  12. Sure that will work. on Samsung To Launch AI Digital Assistant Service For Galaxy S8 (reuters.com) · Score: 1

    Technical reviews of Samsung phones are now of (yet another) walled-garden that is horribly tended due to the vendor neglect of Android.

    If Samsung relents, and allows their remarkably poor-quality code to be wiped, then technical reviews immediately improve. With market opinion eventually come sales.

    This also involves Samsung growing a backbone against Verizon. That will never happen, so the stock price will continue to tank. More explosions might accelerate the effect.

    • Users certainly care about batteries at the end of the service life, and would rather not purchase a new phone because of the failure of a $10 component. The more expensive the phone, the more frustration when this point is reached.
    • Users also certainly care about photos or other media on a damaged phone, the extraction of which is greatly complicated by the lack of an SD-Card.

  13. Dear Samsung: on Samsung To Launch AI Digital Assistant Service For Galaxy S8 (reuters.com) · Score: 2, Insightful

    If you want to (re)attain market leadership in phone sales, then you must:

    • Unlock all of your bootloaders,
    • Implement removable batteries in all future designs,
    • Likewise include SD-Card slots,
    • Configure Knox alarms to be cleared when your stock firmware is reloaded with Odin.

    If you do not do these things, then your days of market leadership are over, and they will not return.

    Warmest regards from your user community.

  14. Google, what are you smoking? on Google Security Engineer Claims Android Is Now As Secure As the iPhone (vice.com) · Score: 1

    Let's pick on Android's media player. Previous commentary from Jean-Baptiste Kempf, VideoLAN President and Lead VLC Developer:

    Don't start me on Stagefright and Mediaserver, I could rant for 2 or 3 hours non-stop! Seriously, the code over there is crap, and has insane concepts, like aborting the whole mediaserver (and all related media decoding of all other applications running at the same time), when it parses a file with attributes it does not know, instead of skipping the file. We discovered some issues in Stagefright (busy loops, device reboots, mediaserver crashes) quite early, but we never thought about submitting them. As for your second question, a media player cannot be secure, you MUST keep it with the minimum privileges possible. But VLC is a good program to include in an Android device, since it reads a lot of formats.

    The Android Zygote process links in Stagefright, and runs as root. Stagefright should be running in a chroot() as an unprivileged user.

    THIS DESIGN CAN NEVER BE SECURE.

  15. XPrivacy deny sensors permission on Serious Hacks Possible Through Inaudible Ultrasound (newscientist.com) · Score: 2

    For the moments that your phone is on, YOU decide if your apps can use the microphone.

    This should be standard in the Android OS. Tells you something about Google that it's not.

  16. The PSTN/POTS trust design is likely older than both of us combined.

    Fortunately, autodialers also must trust "Special Information Tones" (SIT) that announce a disconnected number. I put this SIT tone on my voicemail.

    Because I ported my longtime landline number, "Rachel from card services" was leaving me messages several times per day. With my SIT tone trick, she is now long gone. I really don't miss her.

  17. Still, if I prevent human intervention for 48 hours, then I render a large portion of the country uninhabitable for hundreds (or thousands) of years.

    This is not a reasonable risk. These devices should be retired. (And thanks for your corrections.)

  18. Don't use Ghostery on KitKat or lower. on Benchmark Battle October 2016: Chrome Vs. Firefox Vs. Edge (venturebeat.com) · Score: 1

    It uses /system/lib/libwebcore.so, which has a massive amount of bugs.

    Firefox has a Ghostery extension. Use this instead, because Gecko will stay updated. Webkit should be avoided on the Android platform, because you have no idea what you are getting.

  19. Dear Microsoft: on Benchmark Battle October 2016: Chrome Vs. Firefox Vs. Edge (venturebeat.com) · Score: 1

    Open the source and we will talk. Until such time, keep your black box to yourself.

  20. We need nuclear power that can be shut down at a moment's notice, with no further intervention necessary by the operators.

    Gen 1 designs require 30 days of cooling post-shutdown before daughter nuclei decay stops producing massive heat.

    I am looking for a salt plug that melts and scrams the core in a boron bath.

    The TESCO employees were desperate for batteries for the cooling system, because they knew what was about to happen. I have the same reactor design 50 miles away. It's colossally dumb, and we need these things offline pronto.

  21. s_client: this is what you need to do. on Nuclear Plants Leak Critical Alerts In Unencrypted Pager Messages (arstechnica.com) · Score: 1

    Here is how to encrypt your pager/SMS outgoing messages using RFC822 over TLS.

    # grep smtps /etc/services
    smtps 465/tcp # SMTP over SSL (TLS)

    # openssl s_client -connect mail.yoursmtpserver.com:465

    helo 1.2.3.4
    mail from: someuser@someplace.com
    rcpt to: 1234567890@vtext.com
    data
    here is my pager/SMS message
    .
    quit

    Nobody on the wire will be reading that.

  22. Firefox has uBlock Origin on 'Most Serious' Linux Privilege-Escalation Bug Ever Is Under Active Exploit (arstechnica.com) · Score: 2

    If you just want to block ads to your browser, then Firefox has the best tool. uBlock Origin can be configured for adblock, malware, and many sundry lists. Opera also advertises adblock as well as VPN, but Opera is now Chinese-owned and will be able to keybridge you, so caveat emptor.

    You only need to touch /etc/hosts if you want to adblock Chrome and/or something OTHER than a browser. In that case, I am using AdAway from F-Droid, and that needs root every time it applies updates to /etc/hosts, so you will likely need persistent root.

  23. Verizon, Sprint, and U.S. Cellular still maintain sizable CDMA infrastructure. They cannot use Intel's GSM-only modem.