I have now read the article and it is apps misusing the APIs. They search for apps that either don't use the TLS APIs but have SSL addresses encoded, or which use a non-default trust manager. When you establish an SSL connection via the normal Java APIs the default trust manager does check the validity of the certificates (i.e. that they are signed by a trusted CA) and that the URL requested matches the hostname in the certificate's subject DN. There can be valid reasons for overriding this, including using your own specific certificate rather than any signed by a CA, or for development to allow self-signed certificates - though this should be put in production.
They found that a lot of apps had overridden the trust manager in a dangerous way, allowing self-signed certificates in production or allowing any certificate even if it didn't match the host.
Though this is a problem it is not an "android issue". You can write apps that use self-signed certificates, bypass host checking etc. on Windows and any platform that allows you to customise certificate trust checking.
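To make the two overrides the comment above describes concrete, here is an added Java example (not from the article, the researchers or any commenter). It shows the default `HttpsURLConnection` path that keeps chain and hostname checks, the "accept anything" `X509TrustManager` and `HostnameVerifier` shape that reviewers should look for, and the legitimate alternative for a self-operated certificate: a custom trust store that holds only your own CA while hostname verification stays on. The PEM file name, the alias `my-ca` and the URLs are assumptions for the example.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerExample {

    // Safe default: no SSLSocketFactory or HostnameVerifier is installed, so the
    // platform trust manager validates the chain against the system CAs and the
    // default verifier checks the hostname against the certificate.
    static HttpsURLConnection openWithDefaults(URL url) throws Exception {
        return (HttpsURLConnection) url.openConnection();
    }

    // The dangerous override the researchers flagged: a trust manager whose
    // check methods never throw, so any chain (self-signed, expired, wrong CA)
    // is accepted. Kept here only so code reviewers recognise the pattern.
    static final TrustManager[] ACCEPT_ANY_CHAIN = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // Its companion: a verifier that says every hostname matches every certificate.
    static final HostnameVerifier ACCEPT_ANY_HOST = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // Review check: this is what the unsafe apps effectively do. Both lines are
    // the grep-able indicators (setSSLSocketFactory with a permissive context,
    // setHostnameVerifier returning true).
    static HttpsURLConnection openInsecurely(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, ACCEPT_ANY_CHAIN, new SecureRandom());
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        c.setHostnameVerifier(ACCEPT_ANY_HOST);
        return c;
    }

    // The legitimate way to use "your own specific certificate": build a trust
    // store containing only that CA and let the standard PKIX trust manager do
    // the chain checks. Hostname verification is untouched and still applies.
    static SSLSocketFactory trustOnlyOwnCa(InputStream pemCertificate) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ownCa = cf.generateCertificate(pemCertificate);

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                 // empty in-memory store
        trustStore.setCertificateEntry("my-ca", ownCa); // alias is an assumption

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        URL api = new URL("https://api.example.internal/");   // assumed hostname
        HttpsURLConnection c = (HttpsURLConnection) api.openConnection();
        // assumed classpath resource holding the organisation's own CA in PEM form
        try (InputStream pem =
                 TrustManagerExample.class.getResourceAsStream("/my-ca.pem")) {
            c.setSSLSocketFactory(trustOnlyOwnCa(pem));
        }
        // No setHostnameVerifier call: the default still compares the hostname.
        System.out.println(c.getResponseCode());
    }
}
```

The review heuristic that follows from this: an `X509TrustManager` whose `checkServerTrusted` body is empty, or a `HostnameVerifier` that unconditionally returns `true`, is the signature of the overrides the study counted, whereas a `TrustManagerFactory` initialised from a restricted `KeyStore` is the override that keeps the checks.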
Researchers from a pair of German universities conducted a detailed analysis of thousands of Android apps and found that better than 15 percent of those apps had weak or bad SSL implementations.
I would have thought that an SSL implementation, complete with certificate chain validation, would be provided by the OS, and that apps would use that. Only apps that had special requirements should have to implement SSL. Does anyone know if Android does provide a TLS interface, and if so are the apps ignoring the platform service?
..when they only play WoW and download American content? And really, in Sweden, it is all they do after school or work. The only people who have a healthy outdoors lifestyle are the young Arab immigrants, who can't stay over in others' rooms even for homework because the parents will think they are having sex...
According to the Swedish stereotype the Swedish parents would probably rather they were having sex than be playing WoW.
If it is a Muzzie terrorist like Abu Hamsa it takes years. If it is a banker working in London who should be tried in the UK whooshh .... he's gone.
..Take a look at my tool ....
OK that's quite enough, I stopped reading there
1) Build machine to turn air into petrol. 2) Use machine's output to power itself and make more petrol. 3) Profit!
Hey you could get a positive feedback and turn all the atmospheric CO2 into fuel. That would mean it would burn cleaner too ;-)
Nothing that an oil-producing plant can't do. The key will be efficiency - how will this compare with some of the "algae to fuel" systems?
What is a robocall? We just don't have them where I live (Western Europe). Also, since we don't have robocalls, and have never had them, how difficult can it be?
You don't? I'm in the UK and we do.
Kick their doors down and shoot their dog...
Kick their doors down and shoot their dog...
NO, not the dog
Don't worry - I am sure that this is not some sort of pet-shooting monster. He must have been using cockney rhyme slang, and what better way to punish someone who abuses the phone system.
Tor Mail:
http://www.tormail.org/
which leads to the Tor Hidden Service:
http://jhiwjjlqpyawmpjx.onion/
AOL, can you provide a hidden service to match? Aww, I didn't think so.
They had a completely hidden one but for some reason nobody signed up
The "auto image" display will mean that spammers can determine active email addresses. This goes away from the previous trend where images are only displayed if you explicitly download, so that spammers would have no idea if james.bog121@gmail.com is a real email address or not.
Huh? "extreme simplicity" is "cool" now? "extreme simplicity" is just a euphemism for "extremely, utterly dumbed down, to the point where a mold, and ONLY a mold can use it".
Remember we are talking about a judge here
I am not an Apple fan, but since the judge himself said that Samsung's devices were not as "cool" because they lacked Apple's "extreme simplicity" I think Apple can come up with an apology that will not hurt. I imagine they will apologise for "overestimating the Samsung device but now rightly see that it lacks the superior design aspects of the iPad".
Why in hell should a British newspaper be censored -in Britain?!?- 'cause it reports on China? Doesn't make sense.
Censored in China? Yes. Censored in UK? No.
They are putting it on torrents so that people in China can read it! ...... Oh wait ... are you being paid 50c to divert the conversation to UK censorship?
Can't seem to access the PDF link to read more into it. Interesting that the (sometimes) hours of effort involved in derailing a message thread or debate only pays 50 cents - one might argue that you'd be looking at 50-100 threads at once, but surely that's still not enough to justify the hours of work that must go into it each day?
Just look at the people here who do the same thing for free though!
Who on earth came up with that headline?
I don't know but they should go home (by TWOCing their own car), burgle their own house, then sexually molest themselves.
If they found the legal loophole that allowed literally ass-raping customers to make extra money, they'd use it the same day.
Well bugger that for a laugh
as long as he has the landowners permission he can dig
With the obvious exception of land which covers scheduled monuments or Archaeological Priority Areas, where permission from English Heritage is needed (and rarely granted to individuals with metal detectors).
People bitch about Office, but despite the alternatives no one switches.
I switched to vi you insensitive clod <esc>:wq ... oh fuck
Hijack this one then Muzzie
Why just have one wire in your bra? Introducing the Faraday collection!
Will it match my tinfoil hat?
I'm sure the developer was thinking, "Who would even think of trying to hack a pacemaker? Who would even want to?"
Unfortunately, it only takes one sociopath.
Or a Muslim driving through town with a live broadcast
Holy fucking Christ. What else is out there waiting to be compromised and exploited?
Your sanity?
Your dildo?
A lot of the time, the reason people aren't making money off of their open-source content is because they're too ingrained in the GPL mindset as opposed to the BSD mindset.
The GPL license works better for commercial dual licencing. Release something under BSD and people can use it for commercial purposes for free. Under GPL if they want to incorporate it into a commercial system they can't - that's where you offer a commercial "paid for" license.
You pays your money and takes your choice. That's all