Slashdot Mirror


User: emil

emil's activity in the archive.

Stories: 0

Comments · 1,370

  1. /system/lib/libstagefright* on 'Stagefright' Flaw: Compromise Android With Just a Text · · Score: 5, Informative

    The problem appears to lie in one of the files /system/lib/libstagefright*

    NPR is saying that Google Hangouts makes the problem worse:

    The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery... this setup invites the malware right in. If you're using the phone's default messaging app, he explains, it's "a tiny bit less dangerous." You would have to view the text message before it processes the attachment. But, to be clear, "it does not require in either case for the targeted user to have to play back the media at all," Drake says.

    It would appear prudent to uninstall Google Hangouts. If you can disable MMS with your carrier, do so, otherwise do not look at text messages from originators that you do not know - delete the conversations.

    Carriers are unlikely to patch (look at SamsungIME.apk if you think OEMs or carriers will lift a finger to help us).

    Root your phone, and await a new set of /system/lib/libstagefright* files - Cyanogenmod will likely provide KitKat copies if they ever shirk their laziness long enough to deliver the final promised KitKat milestone.

  2. Android's stock browser MUST be removed on Hacking Team's RCS Android May Be the Most Sophisticated Android Malware Ever Exposed · · Score: 3, Interesting

    The stock browser is a primary avenue of exploit for this malware. Stock lives in /system where it is installed read-only.

    This was a colossally foolish thing to do. Browser libraries, executables, and sundry components MUST retain the ability to receive patches.

    LD_LIBRARY_PATH should point to /data/lib, then resolve to /system/lib only if an override library is not installed, allowing update capability for stock webkit.

  3. My Linux systems jack into Dorados running OS2200. We've carted out quite a bit of mainframe over the years. We also carted out VAX 7000s, because we run VMS 7.3 on emulators now. These environments are quite old.

  4. Add SIT tones to your voicemail on Time Warner Cable Owes $229,500 To Woman It Would Not Stop Calling · · Score: 5, Interesting

    I moved my long-time landline to my cell several years ago, and I could not get robocallers to leave me alone, even after several years on the do not call registry and regular complaints. It was particularly annoying when parts of their ads ended up as voicemail messages.

    I finally added the tones for a disconnected/no longer in service number to the beginning of my voicemail message, and the calls are drastically reduced, and I haven't had such an intrusive voicemail yet this year.

  5. tech support is awful on TracFone Finally Agrees To Allow Phone Unlocking · · Score: 1

    I realize that their IT systems must integrate into several major MNOs, but they will flat-out refuse to do for others what I have done for myself online. The constant obstructions are extremely annoying.

  6. ...my last byop phone is a Note 2 sch-i605 on TracFone Finally Agrees To Allow Phone Unlocking · · Score: 1

    ...I had hoped to run Cyanogenmod, but Verizon has installed a fascist bootloader. The phone remains capable of running the DN3 and Alliance touchwiz alternative roms. I am on Alliance.

  7. No, America Movil/Telmex is the parent, not Net10. on TracFone Finally Agrees To Allow Phone Unlocking · · Score: 1

    ...and I believe that America Movil is owned by Telmex, the Mexican telephone monopoly.

  8. byowireless unlimited texting is $15, not $5 on TracFone Finally Agrees To Allow Phone Unlocking · · Score: 1

    In considering "unlimited" services, I do realize that byowireless has a $15 unlimited texting plan. However, byowireless is limited to 3g Verizon devices, and the $19 textnow/sprint plan seems a far better deal if you can tolerate the coverage.

    It seems that most everyone tries to get the Moto G 3g prepaid Verizon phone onto the 3g mvnos, and this can be rather tricky. The textnow option is a lot less headache.

  9. textnow on TracFone Finally Agrees To Allow Phone Unlocking · · Score: 1

    Actually, this is the least expensive service that I've seen with unlimited features: http://www.textnow.com/

  10. tracfone byop on TracFone Finally Agrees To Allow Phone Unlocking · · Score: 3, Informative

    Yes, you can bring phones in from other carriers. This capability was greatly expanded with the Page Plus acquisition. I suggest a Verizon 4g device (this is the least expensive path to Verizon service). Verizon devices get triple the value on all purchased pins. http://tracfonewireless.com/by...

  11. Android Updates & Security on Interview: Ask Linus Torvalds a Question · · Score: 1

    Why didn't Google package a reasonable update agent within Android, and is this having a deleterious effect upon other Linux markets?

    Would it have been possible for Google to deploy an updatable kernel with proprietary vendor modules? If so, why did they not do this?

    I am still able to use towelroot to take control of several brands of Android phones (as can any app I load - silently). Should pressure and pain be brought to bear, or should we let Google continue to bring Windows 95-era security to Linux?

    Or, should Cyanogen-Microsoft fork AOSP?

  12. Nope. on Samsung Cellphone Keyboard Software Vulnerable To Attack · · Score: 1

    The keyboard application launches at boot and regularly downloads .ZIP files of json objects. This download happens as the system user, and is vulnerable to directory traversal. Disabling updates for this .APK will not halt this activity, and it is unlikely that all vendors will bother to patch this.

  13. Workaround on Samsung Cellphone Keyboard Software Vulnerable To Attack · · Score: 1

    I am on the Alliance rom that bundles SuperSU, so I can fix this (unlike most unfortunate Samsung users).

    I used the "NoBloat" application from the Google Play store to disable the Samsung keyboard (after clearing the cache with the app manager).

    After doing so, I see the file /system/app/SamsungIME.apk_ (note the underscore). I may try to copy the AOSP keyboard over from CM11 so there is a working keyboard in /system.

    I would like to congratulate Google and Samsung for their stunning incompetence in Android security. Your only hope of closing exploits on this platform is to root. I would be hard pressed to name a modern, GUI-centric Linux distribution that lacked a system update agent capable of patching all system components.

    Except Android.

  14. Icehouse Earth on Why Our Brains Can't Process the Gravest Threats To Humanity · · Score: 0, Troll

    It is well-known that the Earth is in an unusually cold period with historically low atmospheric carbon dioxide levels.

    A transit from an icehouse to a greenhouse phase would likely involve profound (and potentially destructive) changes for human civilization, but the planet has undergone this cycle many times before, and we are profoundly foolish to think that our impact has been significant - it has not.

  15. I am not so sure. on Edward Snowden: the World Says No To Surveillance · · Score: 1

    The initial Verizon warrants were on an air-gapped server. Even with root everywhere on the network, these documents should have been inaccessible.

    This situation makes more sense if we posit that the NSA had already been deeply penetrated by Russian intelligence, who learned of Snowden's sentiments and elected to assist him for reasons and costs of their own.

    Snowden initially claimed that he was trying to reach Cuba. There are somewhat more direct routes than Hong Kong.

    We likely do not know 1/100th of the backstory of the release of these documents.

  16. If this is so, then Nokia can now assert copyright over fork().

    Nokia now owns Bell Labs through a long chain of acquisitions. Bell Labs publicly asserted copyright over fork() in the Lions Commentary.

    Nokia should now assert infringement over Solaris and the UEK. A sizable portion of Exadata revenues are fairly owed should this decision stand.

  17. Tequila drinkers rejoice! on Bats' White-Nose Syndrome May Be Cured · · Score: 1

    A great disaster has been averted!

  18. $4.68 is the minimum DAILY wage in Mexico on Los Angeles Raises Minimum Wage To $15 an Hour · · Score: 1

    I am all for fair compensation, but I am truly frightened when U.S. workers make more in one hour than Mexican workers make in a day.

    If jobs are to remain, our workforce must be far more productive than our global competition. We should be demanding more worker education, which would likely impact wages far more than legislative mandate. Simply making the workforce more expensive with no realistic improvements will only enlarge the class of the permanent unemployed.

  19. Fail the school. on University Overrules Professor Who Failed Entire Management Class · · Score: 2

    My professors conducted research in areas that were only slightly related (on a good day) to the material that they were assigned to teach. These people carefully preserved overhead transparencies from previous teachers that were cracked and faded. They obviously had little enthusiasm for their teaching duties, and my fellow students mirrored the excitement.

    Some became prima donnas that flew into a rage in the wrong circumstances. Some actively preened their students for (low-paid) graduate research (not entirely suppressing a greedy desire to exploit). And some simply took apathy to levels that I had never seen before.

    I went through a real circus with a professor going for tenure (who did have basic problems with competence) that had to endure not only the stifled laughter of fellow faculty in our class, but video tape recorders documenting his poor teaching style.

    School, at all levels, needs to put people who want to teach in front of people who want to learn, which is diametrically opposed to the structure of a research university. If you don't have both of these types of people in the right place at the right time, the results will be substandard, as indeed they have been for the past century.

    Fail the school.

  20. Those who do not understand the BSD vs System V... on Broken Beer Bottle Battle In Debate Over Merits of Android Over iPhone · · Score: 1

    ...controversy are condemned to repeat it.

  21. COBOL has slumped to 12% as of 2011 on Microsoft Starts Working On an LLVM-Based Compiler For .NET · · Score: 1

    Still nothing to sneeze at.

    "Java and C# .Net are now the languages of choice in the projects that the ISBSG receives. COBOL has slumped to 12% (it used to be 38%) and Visual Basic has dropped back to 5% after peaking at 15%."

  22. So cancel GNUCobol then. on Microsoft Starts Working On an LLVM-Based Compiler For .NET · · Score: 1

    Did you have directory delete permissions?

    http://savannah.gnu.org/projects/gnucobol

  23. I think that the people at OpenCOBOL... on Microsoft Starts Working On an LLVM-Based Compiler For .NET · · Score: 1

    ...would beg to differ, with this fact from the COBOL wiki:

    In 1997, Gartner Group estimated that there were a total of 200 billion lines of COBOL in existence which ran 80% of all business programs.

    I would bet you that COBOL environments have had 1/10th, and perhaps 1/100th of the security problems as systems based on C.

  24. Best-practice ciphers on Heartbleed One Year Later: Has Anything Changed? · · Score: 1

    In addition to sending the CSR, and not the key, scan your SSL server with the SSL Labs Scanner and you will see many flaws.

    To fix these flaws, apply these cipher best practices to lock out bad ciphers (RC4, export-grade ciphers), and deny the entire SSLv3 protocol which now has critical design flaws.

    The key to the best-practice ciphers are these Apache directives (this configuration is also effective on the older 0.9.8 OpenSSL):

    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    SSLCompression Off
    SSLHonorCipherOrder On

    To summarize:

    - Apply vendor patches for your OpenSSL with some degree of haste.
    - Check the best practice cipher page at least once per quarter.
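
Added example, not part of emil's comment and not Apache's own tooling: a small Python check that reads an Apache configuration and reports where it departs from the four directives quoted in comment 24. The sample configurations, the function names and the treatment of an unset `SSLProtocol` as `all` are assumptions made for the illustration.

```python
# Constructed samples; HARDENED_CONF repeats the directives quoted in comment 24.
WEAK_CONF = """\
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:RC4+RSA:EXPORT
SSLCompression On
"""
HARDENED_CONF = """\
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCompression Off
SSLHonorCipherOrder On
"""
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}  # simplified meaning of "all"
WEAK_PARTS = {"RC4", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "LOW", "MD5", "NULL", "ANULL", "ENULL"}

def directives(conf):
    """Return {lowercased directive name: argument list}; a later line overrides an earlier one."""
    found = {}
    for line in conf.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1:]
    return found

def audit(conf):
    """List the ways conf falls short of the four directives in the comment."""
    d, findings, enabled = directives(conf), [], set()
    for tok in d.get("sslprotocol", ["all"]):  # assumption: unset is treated as "all"
        name = tok.lstrip("+-").lower()
        names = ALL_PROTOCOLS if name == "all" else {name}
        if tok.startswith("-"):
            enabled = enabled - names
        elif tok.startswith("+"):
            enabled = enabled | names
        else:
            enabled = set(names)  # a bare name replaces what came before
    findings += [f"SSLProtocol enables {p}" for p in ("sslv2", "sslv3") if p in enabled]
    suite = (d.get("sslciphersuite") or [""])[-1]
    for tok in filter(None, suite.split(":")):
        # "!", "-" and "+" tokens exclude or reorder; only bare tokens add ciphers.
        if tok[0] not in "!-+" and WEAK_PARTS & {p.upper() for p in tok.split("+")}:
            findings.append(f"SSLCipherSuite enables {tok}")
    if (d.get("sslcompression") or [""])[0].lower() != "off":
        findings.append("SSLCompression is not Off")
    if (d.get("sslhonorcipherorder") or [""])[0].lower() != "on":
        findings.append("SSLHonorCipherOrder is not On")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

The check only sees what the cipher string names explicitly; an alias such as MEDIUM can still pull in RC4 on older OpenSSL builds, so a scan of the live server remains the final check.
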
  25. Other messiahs. on Apple's Tim Cook Calls Out "Religious Freedom" Laws As Discriminatory · · Score: 1

    There were several miracle workers in Judea at the time of Yeshua, some who could even raise the dead by contemporary accounts. The main difference is that Yeshua performed his miracles without monetary charge. If this aspect is similar, and rebellion was a common sentiment (i.e. Sepphoris), then we can assume that Yeshua was familiar with the issues, even if he did not share the opinions of all of them.

    After the crucifixion, Paul changed Yeshua radically, abandoning Mosaic law and calling himself the "first apostle." James the Just, the head of the whole church, recalled Paul to Jerusalem twice, and censured him for what would amount to heresy. James then dispatched emissaries to all of Paul's congregations to correct the "flawed" teaching, which was largely successful. There is even a story in the memoirs of Clement (Peter's successor) that Paul threw James down a flight of stairs in a rage on his second return.

    Paul's teachings would have been discarded, if James had not been murdered, and Jerusalem destroyed. As it was, Paul's writings were the only existing documents after Jerusalem's fall, and all the later gospels included strong influence from his letters.

    The rebellious attitude of Yeshua towards the Romans would not serve a new Roman religion, so it was removed, for practical reasons.