But for that to work, they would have had to have a meaningful way to abstract HW from SW.
Arguably, they do.
There's a fundamental problem with things like closed source drivers and folks down the chain forking Android to add their secret sauce, but at its heart Android is basically a big JVM on top of a Linux kernel.
Branching the sources isn't the only way to do it. It's just how things seem to work. That the assorted manufacturers and carriers are particularly shitty FLOSS software development collaborators, and that the smartphone hardware ecosystem is basically a collection of one-offs... that's a hard thing to fix.
Honestly, given the state of the industry when Android kicked off, I'm surprised things have gone as smoothly as they have.
But it's a situation that they could reasonably have foreseen.
They might've believed having an "open" handset operating system would break the various carrier/manufacturer strangleholds on the market similar to how MS-DOS and the PC affected the computing market years ago.
In fact, I think while that might not have been the plan from the outset, I'm willing to bet that's the direction the strategy went as Android gained market share.
Whether or not they should have planned for failure (or the partial success they have largely due to the Nexus series) is an interesting. Apple demonstrated that it's entirely possible to have an ecosystem of up-to-date phones, so it's not exactly unreasonable to expect that Android could have pushed things that way.
However, if this security failing leads to a major loss of money or privacy for Android users, I suspect Google could be on the recieving end of a multi-gazillion dollar class action. And so could the handset manufacturers.
Lawsuits are always a possibility.
Mind you, Google has an out ("it's fixed in 4.4.x, which we make available free-of-charge. Why didn't you install it?") while the handset manufacturers don't, really.
Why does Google get a pass just because they have a fast versioning scheme?
Largely because everyone with a clue knows that 99.999% of devices still running Android 4.3.x which haven't been upgraded to 4.4.x have approximately 0.00000 probability of being updated to 4.3.(x+1) even if Google were to make a patch available.
Whether they "support" 4.3 for two days, two years or two decades at this point is largely irrelevant. If you have no means to get a patch to the people affected by the problem and you're going to get criticized irrespective of whether or not you try, then why waste the resources?
And it's pretty darn obvious from what Google's been doing in the last few years that this is not a situation that Google is happy with, nor is it a situation they could reasonably do much more about.
I am not sure that this group of people has any business telling me what I need or don't need.
No, it's a useful gauge of how good it would be for the consumer. If the telcos and/or cable industry oppose something then it's a solid bet that it's in the best interests of the average consumer.
In all honesty, I don't know where it is exactly, but I'm confident that it's where it would've been anyway had Microsoft done absolutely nothing. I'll blame any usage drop solidly on the rise of PHP, Python and maybe Ruby.
It's ancient history, but when Microsoft put some money into perl-on-Windows development, there were a lot of ruffled feathers and panicky headlines.
It didn't amount to anything even close to "taking over perl", even during the nastier stretch of Microsoft's "embrace and extend" era, but asking people to remember things that happened so long ago is obviously too much.
Remember just because the phone is rooted doesn't mean it also isn't running the manufacturer's (if any) malware.
Sure. But we're talking about evaluating trust, not whether or not the phone's running malware. If I'm running a stock firmware, in my mind it's already compromised; slapping an XDA hack on top of it doesn't strike me as increasing risk substantially.
That being said, I don't find getting root at all useful unless it's a means to the end of unlocking the phone and replacing the stock firmware. I trust XDA hacks to perform that function, at least, and at that point trusting the manufacturer becomes moot.
I'm a little surprised that the comments so far haven't really tackled the crux of your question, which was NOT "how do I find root exploits", but "are they trustworthy".
Well, the way I see it, I'll trust a random XDA developer pushing closed-source hacks way more than I trust my carrier and/or handset manufacturer.
So 90 days is an appropriate time to wait but not 106 days?
I wouldn't be surprised if there was a "give an inch, take a mile" kind of situation, where they tried allowing some flexibility and got into a cycle where the vendor kept requesting more time each time around.
If you stop option ROMs from loading, you can say goodbye to using external...
Would it really be so terrible if the owner of the hardware could decide whether or not their device supported that kind of thing, or even which specific things it supported?
No, not with encrypted-locked bootloaders becoming common.
Yeah, you're pretty much outlining exactly why I tend to research unlockability prior to buying my devices. I'm not going to pretend that even a small fraction of buyers do this.
I don't really have much of a solution for people who blindly buy whatever junk the carriers decree that they're allowed to buy. Google's worked on migrating to the Play services approach to get around this, but short of hacking into, unlocking and updating everyones devices I'm not sure what more they can do.
Know, you are talking about an exploit that could be affecting 60% of Android phones...
No, I'm not.
I was responding to a comment about the general state of Android and iOS security updates, not anything specific to this security vulnerability.
In general, if you have an iOS device and Apple decides not to fix a security problem on your phone, it's most likely not going to be fixed.
In general, if you have an Android device and both Google and your vendor decide not to fix a security problem on your phone, you might have a chance to get it fixed by other means. It's not a sure thing, it's not without risk, and you might not be entirely happy with the end result, but it works often enough that it's not a crapshoot.
Now, if you want to get into specifics, I don't know how many of the 60% of vulnerable devices might be able to take advantage of non-Google support, but it's far better than nothing.
I do argue that Google's role in this malfeasance is that they haven't contractually obligated handset manufacturers to make updates available for 2+ years after model introduction.
Given the pile of shit Google's been catching over their Play store contracts, can you really blame them for avoiding anything that leaves a paper trail of arm twisting?
In this regards, I think both Android and iOS are sorely lacking.
With Android at least there may be other providers for updates. It still sucks, but I'll take "sucks but possible" over "sucks and go fuck yourself" any day.
I hold Google accountable, as well as the handset manufacturers.
I believe Google's fix is called "Android 4.4" or "Android 5.x".
That the handset manufacturers can't seem to figure out how to get updates for older devices to newer versions of Android is the core of the problem. I mean, Cyanogenmod generally seems to be able to do it, largely using volunteer labour, so it can't be rocket science (for my handset, vendor support stopped around 4.1... there's a nightly 5.0 now available).
You could argue that Google should set an explicit support cutoff date for patches for older versions, but when the handset makers policy on end of life ranges from "until the average contract runs down" to "until the retail store's return period has passed", I'm not sure there's much point.
If a Canadian infringes American copyright material by redistributing it within the United States, why would the Canadian not be subject to US law?
They probably could be. But the copyright owner is going to have to go through a Canadian court to get a court order to get the subscriber information from the ISP.
I expect an American corporation could start a suit in Canada, get the identification of the Canadian citizen, then dismiss it and open a new copyright lawsuit in the US. But even if they win a large default judgement, they'd then have to go back to the Canadian courts to collect on that judgement.
More usefully, it sounds like the owner of the machine itself can patch it such that any Option ROMs need to be signed with their own private key rather than Apple's.
Slashdot Mirror
try {
throw BlahException("blah");
} catch(Exception& blah) {
}
^^ Idiot.
Arguably, they do.
There's a fundamental problem with things like closed source drivers and folks down the chain forking Android to add their secret sauce, but at its heart Android is basically a big JVM on top of a Linux kernel.
Branching the sources isn't the only way to do it. It's just how things seem to work. That the assorted manufacturers and carriers are particularly shitty FLOSS software development collaborators, and that the smartphone hardware ecosystem is basically a collection of one-offs... that's a hard thing to fix.
Honestly, given the state of the industry when Android kicked off, I'm surprised things have gone as smoothly as they have.
They might've believed having an "open" handset operating system would break the various carrier/manufacturer strangleholds on the market similar to how MS-DOS and the PC affected the computing market years ago.
In fact, I think while that might not have been the plan from the outset, I'm willing to bet that's the direction the strategy went as Android gained market share.
Whether or not they should have planned for failure (or the partial success they have largely due to the Nexus series) is an interesting. Apple demonstrated that it's entirely possible to have an ecosystem of up-to-date phones, so it's not exactly unreasonable to expect that Android could have pushed things that way.
Lawsuits are always a possibility.
Mind you, Google has an out ("it's fixed in 4.4.x, which we make available free-of-charge. Why didn't you install it?") while the handset manufacturers don't, really.
Largely because everyone with a clue knows that 99.999% of devices still running Android 4.3.x which haven't been upgraded to 4.4.x have approximately 0.00000 probability of being updated to 4.3.(x+1) even if Google were to make a patch available.
Whether they "support" 4.3 for two days, two years or two decades at this point is largely irrelevant. If you have no means to get a patch to the people affected by the problem and you're going to get criticized irrespective of whether or not you try, then why waste the resources?
And it's pretty darn obvious from what Google's been doing in the last few years that this is not a situation that Google is happy with, nor is it a situation they could reasonably do much more about.
No, it's a useful gauge of how good it would be for the consumer. If the telcos and/or cable industry oppose something then it's a solid bet that it's in the best interests of the average consumer.
In all honesty, I don't know where it is exactly, but I'm confident that it's where it would've been anyway had Microsoft done absolutely nothing. I'll blame any usage drop solidly on the rise of PHP, Python and maybe Ruby.
It's ancient history, but when Microsoft put some money into perl-on-Windows development, there were a lot of ruffled feathers and panicky headlines.
It didn't amount to anything even close to "taking over perl", even during the nastier stretch of Microsoft's "embrace and extend" era, but asking people to remember things that happened so long ago is obviously too much.
To avoid looking like an idiot and asshole, it might be worth looking up Flu-Related Complications.
Sure. But we're talking about evaluating trust, not whether or not the phone's running malware. If I'm running a stock firmware, in my mind it's already compromised; slapping an XDA hack on top of it doesn't strike me as increasing risk substantially.
That being said, I don't find getting root at all useful unless it's a means to the end of unlocking the phone and replacing the stock firmware. I trust XDA hacks to perform that function, at least, and at that point trusting the manufacturer becomes moot.
Well, the way I see it, I'll trust a random XDA developer pushing closed-source hacks way more than I trust my carrier and/or handset manufacturer.
It'll grant you that it's a low bar.
I wouldn't be surprised if there was a "give an inch, take a mile" kind of situation, where they tried allowing some flexibility and got into a cycle where the vendor kept requesting more time each time around.
I imagine if you did this in the USA, you'd get sued for not waiting for the nearest local incumbent to provide the service.
Would it really be so terrible if the owner of the hardware could decide whether or not their device supported that kind of thing, or even which specific things it supported?
Yeah, you're pretty much outlining exactly why I tend to research unlockability prior to buying my devices. I'm not going to pretend that even a small fraction of buyers do this.
I don't really have much of a solution for people who blindly buy whatever junk the carriers decree that they're allowed to buy. Google's worked on migrating to the Play services approach to get around this, but short of hacking into, unlocking and updating everyones devices I'm not sure what more they can do.
No, I'm not.
I was responding to a comment about the general state of Android and iOS security updates, not anything specific to this security vulnerability.
In general, if you have an iOS device and Apple decides not to fix a security problem on your phone, it's most likely not going to be fixed.
In general, if you have an Android device and both Google and your vendor decide not to fix a security problem on your phone, you might have a chance to get it fixed by other means. It's not a sure thing, it's not without risk, and you might not be entirely happy with the end result, but it works often enough that it's not a crapshoot.
Now, if you want to get into specifics, I don't know how many of the 60% of vulnerable devices might be able to take advantage of non-Google support, but it's far better than nothing.
... nascent artificial intelligences now have a comprehensive list of people they need to kill as soon as possible.
Relax. This is slashdot. Almost nobody reads the source article unless they need to grab a quote in order to prove a point.
Given the pile of shit Google's been catching over their Play store contracts, can you really blame them for avoiding anything that leaves a paper trail of arm twisting?
With Android at least there may be other providers for updates. It still sucks, but I'll take "sucks but possible" over "sucks and go fuck yourself" any day.
I believe Google's fix is called "Android 4.4" or "Android 5.x".
That the handset manufacturers can't seem to figure out how to get updates for older devices to newer versions of Android is the core of the problem. I mean, Cyanogenmod generally seems to be able to do it, largely using volunteer labour, so it can't be rocket science (for my handset, vendor support stopped around 4.1... there's a nightly 5.0 now available).
You could argue that Google should set an explicit support cutoff date for patches for older versions, but when the handset makers policy on end of life ranges from "until the average contract runs down" to "until the retail store's return period has passed", I'm not sure there's much point.
They probably could be. But the copyright owner is going to have to go through a Canadian court to get a court order to get the subscriber information from the ISP.
I expect an American corporation could start a suit in Canada, get the identification of the Canadian citizen, then dismiss it and open a new copyright lawsuit in the US. But even if they win a large default judgement, they'd then have to go back to the Canadian courts to collect on that judgement.
That last step would probably be a huge mistake.
More usefully, it sounds like the owner of the machine itself can patch it such that any Option ROMs need to be signed with their own private key rather than Apple's.
Trivial.
Set up a really good firewall.
On one interface, install a porn server.
On the other interface, set up a LAN party of teenage boys.
Wait. It won't take the whole 5 years.