Related
“Nexus S has been rooted, let the madness commence!” proclaims Engadget. “This is only possible because Android's security is crap and it's exploited easily to gain root priviledges [sic]” adds a commenter.
You’ll have to excuse me if I strongly disagree.
The Nexus S, like the Nexus One before it, is designed to allow enthusiasts to install custom operating systems. Allowing your own boot image on a pure Nexus S is as simple as running fastboot oem unlock. It should be no surprise that modifying the operating system can give you root access to your phone. Hopefully that’s just the beginning of the changes you might make.
Legitimately gaining root access to your device is a far cry from most rooting exploits. Traditional rooting attacks are typically performed by exploiting an unpatched security hole on the device. Rooting is not a feature of a device; rather, it is the active exploitation of a known security hole.
Android has a strong security strategy, backed by a solid implementation. By default, all Android applications are sandboxed from each other, helping to ensure that a malicious or buggy application cannot interfere with another. All applications are required to declare the permissions they use, ensuring the user is in control of the information they share. And yes, we aggressively fix known security holes, including those that can be used for rooting. Our peers in the security community have recognized our contribution to mobile security, and for that, we are extremely grateful.
Unfortunately, until carriers and manufacturers provide an easy method to legitimately unlock devices, there will be a natural tension between the rooting and security communities. We can only hope that carriers and manufacturers will recognize this, and not force users to choose between device openness and security. It’s possible to design unlocking techniques that protect the integrity of the mobile network, the rights of content providers, and the rights of application developers, while at the same time giving users choice. Users should demand no less.
Click to expand...
Click to collapse
http://android-developers.blogspot....id+Developers+Blog)&utm_content=Google+Reader
All because of a comment.
http://forum.xda-developers.com/showthread.php?t=1453695
Why are you creating 2 topics about it?
Had you tested it? How it compare to theoretically best Zoner Antywirus? Tell us some more, than posting links - this is kind of flooding.
For me, this program won't beat Zoner.. for now.
Anyway, I'll test it
Rayman96 said:
Why are you creating 2 topics about it?
Had you tested it? How it compare to theoretically best Zoner Antywirus? Tell us some more, than posting links - this is kind of flooding.
For me, this program won't beat Zoner.. for now.
Anyway, I'll test it
Click to expand...
Click to collapse
sorry if i did hurt you. well i was a beta tester for the app. it did performed well for me, besides comodo is a reputed company after all and they are standing for free softwares.
I posted the links cause it contains all the details of the software, details about the company etc, i thought its better than i explain those details.
about double posting, the one i posted is in the general section is for all to see. The second is for my fellow lgp500 users, where i really belogs. i hope i am clear enough. no harm ment
Best free antivirus is your brain - never install app without good amount of comments about app.
AdvDretch said:
Best free antivirus is your brain - never install app without good amount of comments about app.
Click to expand...
Click to collapse
Who in this world has time to read all that? Have you ever tried to read Google’s conditions and policies while creating a Google account? Certainly the answer would be ‘NO’. Do you know that Google had 60 different policies that helped them to collect data from your personal Gmail and other Google apps? Now do you know that they had merged all these in to one policy?
Google will know more about you than your wife does. Everything across your screens will be integrated and tracked. Google noted that it collects information you provide, data from your usage, device information and location. Unique applications are also noted. Sure you can use Google’s dashboard and ad manager to cut things out, but this policy feels Big Brother-ish. Google is watching you as long as you are logged in. It’s also unclear whether this privacy policy move will be considered bundling in some way by regulators. This unified experience hook appears to be at least partially aimed at juicing Google+. Google responded with clarification: Google noted that it already has all that data, but it’s now integrating that information across products. It’s a change in how Google will use the data not what it collects. In other words, Google already knows more about you than your wife.( not my comment go read this.... http://m.zdnet.com/blog/btl/googles-new-privacy-policy-the-good-bad-scary/67893)
Now my question is whether Google is good or bad? Do you need Droidwall to defend your privacy? Or do you still believe in your Brain(better do not believe in brain but use it to think rationally)?
Conclusion: we need a new definition to “virus”...My contribution is Anything that steals your private data is a virus.( no flames needed, no harm meant...just my thought about the relevancy of protective apps like Droidwall, comodo, avg, etc. ...etc)
,do we realy need anti virus?,
algie17 said:
,do we realy need anti virus?,
Click to expand...
Click to collapse
You dont need one
Sent from my LG-P500 using XDA Premium App
josinpoul's mean run anti virus before creating Google account
And if too don't have anti virus then don't use Google. Josin your explanation is wrong. Brain and antivirus both useful.
No need for 2 topics about one thing but thanks for sharing!!!
http://ca.reuters.com/article/technologyNews/idCATRE81N1T120120224
By Jim Finkle
BOSTON (Reuters) - Cybersecurity experts have uncovered a flaw in a component of the operating system of Google Inc's widely used Android smartphone that they say hackers can exploit to gain control of the devices.
Researchers at startup cybersecurity firm CrowdStrike said they have figured out how to use that bug to launch attacks and take control of some Android devices.
CrowdStrike, which will demonstrate its findings next week at a major computer security conference in San Francisco, said an attacker sends an email or text message that appears to be from a trusted source, like the user's phone carrier. The message urges the recipient to click on a link, which if done infects the device.
At that point, the hacker gains complete control of the phone, enabling him or her to eavesdrop on phone calls and monitor the location of the device, said Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike.
Google spokesman Jay Nancarrow declined comment on Crowdstrike's claim.
Alperovitch said the firm conducted the research to highlight how mobile devices are increasingly vulnerable to a type of attack widely carried out against PCs. In such instances, hackers find previously unknown vulnerabilities in software, then exploit those flaws with malicious software that is delivered via tainted links or attached documents.
He said smartphone users need to prepare for this type of attack, which typically cannot be identified or thwarted by mobile device security software.
"With modifications and perhaps use of different exploits, this attack will work on every smartphone device and represents the biggest security threat on those devices," said Alperovitch, who was vice president of threat research at McAfee Inc before he co-founded CrowdStrike. Researchers at CrowdStrike were not the first to identify such a threat, though such warnings are less common than reports of malicious applications that make their way to online websites, such as Apple's App Store or the Android Market.
In July 2009, researchers Charlie Miller and Collin Mulliner figured out a way to attack Apple's iPhone by sending malicious code embedded in text messages that was invisible to the phone's user. Apple repaired the bug in the software a few weeks after the pair warned it of the problem.
The method devised by CrowdStrike currently works on devices running Android 2.2, also known as Froyo. That version is installed on about 28 percent of all Android devices, according to a Google survey conducted over two weeks ending February 1.
Alperovitch said he expects to have a second version of the software finished by next week that can attack phones running Android 2.3. That version, widely known as Gingerbread, is installed on another 59 percent of all Android devices, according to Google.
CrowdStrike's method of attack makes use of a previously unpublicized security flaw in a piece of software known as webkit, which is built into the Android operating system's Web browser.
Webkit is also incorporated into other software programs, including Google's Chrome browser and the Apple iOS operating system for the iPhone and iPad.
CrowdStrike said it had not attempted to create software to attack iOS devices or the Chrome browser.
Ok, now a group of hackers control 500000000 devices... an antivirus will slow the phone down more than a hacker trying to run a phone from another continent over your 2G network... just think about it... how can your screen be monitored over 3G in real-time? It can't be done on my 5Mbps PC...
And if you turn data off, then 1GB of data will be sent to google when you turn it on??? Think logic...(where the f**k do you store that??? I think the effect will be noticed right away, and the attacker has no time to take control, unless you are stupid enough to see a 1GB file and not suspect anything...) PCs have real-time protection, but that is because there are terrible threats out there, and they are optimized, they don't slow down... on your phone, you will regret having a phone for 2 years running like **** and then dropping in water, while you could have best performance in those 2 years...
We are not windows, but we are android, and it is the most unsafe mobile OS, if you want a safe one, get from apple... just 2x price at ½ quality...
Sent from my LG-P500
well i use avast antivirus
but not for scanning viruses
but rather for anti-theft feature and firewall(blocking apps)
and isnt android a java based OS ??
im sure there are not many virus's
that can cause heavy damage
Vulnerability Allows Attackers to Modify Android Apps Without Breaking Their Signatures
This might be the reason why the new MF2 and ME6 are not downgradable and why the 4.2.2 update was delayed.
Source->http://www.cio.com/article/735878/V...ndroid_Apps_Without_Breaking_Their_Signatures
IDG News Service — A vulnerability that has existed in Android for the past four years can allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the OS.
Researchers from San Francisco mobile security startup firm Bluebox Security found the flaw and plan to present it in greater detail at the Black Hat USA security conference in Las Vegas later this month.
The vulnerability stems from discrepancies in how Android apps are cryptographically verified, allowing an attacker to modify application packages (APKs) without breaking their cryptographic signatures.
When an application is installed and a sandbox is created for it, Android records the application's digital signature, said Bluebox Chief Technology Officer Jeff Forristal. All subsequent updates for that application need to match its signature in order to verify that they came from the same author, he said.
This is important for the Android security model because it ensures that sensitive data stored by one application in its sandbox can only be accessed by new versions of that application that are signed with the original author's key.
The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed APKs without breaking their signatures.
The vulnerability has existed since at least Android 1.6, code named Donut, which means that it potentially affects any Android device released during the last four years, the Bluebox researchers said Wednesday in a blog post.
"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," they said.
The vulnerability can also be exploited to gain full system access if the attacker modifies and distributes an app originally developed by the device manufacturer that's signed with the platform key -- the key that manufacturers use to sign the device firmware.
"You can update system components if the update has the same signature as the platform," Forristal said. The malicious code would then gain access to everything -- all applications, data, accounts, passwords and networks. It would basically control the whole device, he said.
Attackers can use a variety of methods to distribute such Trojan apps, including sending them via email, uploading them to a third-party app store, hosting them on any website, copying them to the targeted devices via USB and more.
Some of these methods, especially the one involving third-party app stores, are already being used to distribute Android malware.
Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem, Forristal said. The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem, he said.
However, if an attacker tricks a user to manually install a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store. That's the case for all applications or new versions of applications, malicious or non-malicious, that are not installed through Google Play, Forristal said.
Google was notified of the vulnerability in February and the company shared the information with their partners, including the members of the Open Handset Alliance, at the beginning of March, Forristal said. It is now up to those partners to decide what their update release plans will be, he said.
Forristal confirmed that one third party device, the Samsung Galaxy S4, already has the fix, which indicates that some device manufacturers have already started releasing patches. Google has not released patches for its Nexus devices yet, but the company is working on them, he said.
Google declined to comment on the matter and the Open Handset Alliance did not respond to a request for comment.
The availability of firmware updates for this issue will differ across device models, manufacturers and mobile carriers.
Whether a combination of device manufacturers and carriers, which play an important role in the distribution of updates, coincide to believe that there is justification for a firmware update is extremely variable and depends on their business needs, Forristal said. "Ideally it would be great if everyone, everywhere, would release an update for a security problem, but the practical reality is that it doesn't quite work that way, he said."
The slow distribution of patches in the Android ecosystem has long been criticized by both security researchers and Android users. Mobile security firm Duo Security estimated last September, based on statistics gathered through its X-Ray Android vulnerability assessment app, that more than half of Android devices are vulnerable to at least one of the known Android security flaws.
Judging by Android's patch distribution history so far, the vulnerability found by the Bluebox researchers will probably linger on many devices for a long time, especially since it likely affects a lot of models that have reached end-of-life and are no longer supported.
Click to expand...
Click to collapse
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Key phrase here is "for apps not installed through the google store". Hence not an issue for a large fraction of users. Total case of FUD. Someone must be wanting to sell some av software.
Sent from my GT-N7100 using Tapatalk 4 Beta
Kremata said:
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Click to expand...
Click to collapse
Well, X-Ray scanner either does not detect this latest security flaw or N7100 (as of DM6) is allready patched.
Kremata said:
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Click to expand...
Click to collapse
This is the first link I found for XDA on this.
I think it's not that interesting because it's old, old news and exactly why it's being touted as a "new" discovery is beyond me, it's far from new.
We here at XDA have been using this method for years to modify stock Android and OEM system apps with great success. Here's an example by me from 2011: http://forum.xda-developers.com/showthread.php?t=994544 there's a literally hundreds of examples all over XDA.
The real question here is how Bluebox security got everybody to act as a PR machine for them. If they turn up at Black Hat with this "amazing discovery" they're going to get laughed off the stage.
djmcnz said:
This is the first link I found for XDA on this.
I think it's not that interesting because it's old, old news and exactly why it's being touted as a "new" discovery is beyond me, it's far from new.
We here at XDA have been using this method for years to modify stock Android and OEM system apps with great success. Here's an example by me from 2011: http://forum.xda-developers.com/showthread.php?t=994544 there's a literry hundreds of examples all over XDA.
The real question here is how Bluebox security got everybody to act as a PR machine for them. If they turn up at Black Hat with this "amazing discovery" they're going to get laughed off the stage.
Click to expand...
Click to collapse
Ahh! Thats the answer I was waiting for (and from a Recognized Developer). I knew XDA Devs were using this method. My new question is.. If they fix it will it be harder to create Mods? Will it slow down development?
Shouldn't this be posted in the generals forum?
Kremata said:
If they fix it will it be harder to create Mods? Will it slow down development?
Click to expand...
Click to collapse
I suspect so. If they fix it properly it would become impossible to change any aspect of the app without signing it again. If you wanted to maintain compatibility with the original then you'd need the developer's keys.
At the moment really only the manifest and some metadata within the apk is signed, if they extended that to the entire contents of the apk many mods (think themes for stock Google apps etc) are screwed unless users are happy to relinquish Play Store links and updates (i.e. backward compatibility).
Google may not go this far and may only choose to authenticate the code (smali) rather than all of the apk contents (graphics, strings etc), this approach would leave room for some mods to survive. Remains to be seen.
I have the 2012 Note 10.1 for personal use and have come to the unfortunate resolution that Android just isn't going to cut it from a business perspective. I am not putting the full blame on either the manufacturers or Android itself but without timely updates to a specific platform, I can not justify the use of these in a production environment. There is no way company can justify replacing their hardware yearly, or regularly, in order to get the latest features and security fixes that are provided in updates. Ignoring the additional features for the time being, from a security stand point there has to be a way to patch the devices in a timely manner. The additional features being provided drives the developers to migrate to the newer operating systems and leaving the old systems behind. A lot of times this creates a huge disadvantage in the fact you can run a particular application on one Android device but is unsupported on another.
Now to be fair. I am focusing on Android in this post but have tested Microsoft and iPad devices as well. All have certain advantages and disadvantages but the clear loser so far has been Android. If Android is going to survive in the business world, the manufacturers are going to have to step up and maintain their products actively for at least the full two years of their life expectancy.Android itself will have to hold the manufacturers accountable for keeping their devices maintained. From a personal use perspective, I think it is a great platform and love my Note 10.1. Would I like to see it get updated, I would love to see 4.4.2 on the device to allow me to run application I need that are no longer compatible with 4.1.2. However, I require vulnerability patches in a timely manner and that just isn't happening.
My last job had hired a full time developer to build a custom ROM and patch or update when needed for all the tablets being used on the floor. This approach worked for them because there was only one model in use across all departments.
You should blame Samsung for the late major update for GT-N80XX.
Android actively pushing regular update (minor & major).
Actually Samsung also pushing regular update, but it's only 1 major update (ICS to JB) & some minor/security updates.
If a business used the nexus tablets, they wouldn't have this problem.
theatomizer90 said:
If a business used the nexus tablets, they wouldn't have this problem.
Click to expand...
Click to collapse
Not necessarily true. Most current android version is 4.4.4 while my N7 LTE still sits at 4.4.3 with no update even spoken of. So if a business has data enabled tablets, they're still behind current version.
What OP posted doesn't really apply to large businesses. Between KNOX and other third party equivalents sensitive data is sandboxed and doesn't rely on the core B2C version of the OS to protect it. As much as Google may see Android's potential in the business environment no one I know in IT at a bunch of Fortune 1K companies is looking at mobile OS's (either Android or iOS) to replace desktop/laptops as "standard" issue. Tablet and smartphone apps have niche opportunities (commercial pilot manuals and logs, flight attendant passenger service tools, gate agent/hotel staff roaming terminals, sales people inventory access, remote staff automated forms, etc.) but migrating the entire enterprise to mobile architecture just doesn't make sense. So Android can't lose anything it never had and, outside Google's wishes, isn't seriously considered for. The lack of Chromebook adoption by the enterprise demonstrates their disinterest.
BarryH_GEG said:
What OP posted doesn't really apply to large businesses. Between KNOX and other third party equivalents sensitive data is sandboxed and doesn't rely on the core B2C version of the OS to protect it. As much as Google may see Android's potential in the business environment no one I know in IT at a bunch of Fortune 1K companies is looking at mobile OS's (either Android or iOS) to replace desktop/laptops as "standard" issue. Tablet and smartphone apps have niche opportunities (commercial pilot manuals and logs, flight attendant passenger service tools, gate agent/hotel staff roaming terminals, sales people inventory access, remote staff automated forms, etc.) but migrating the entire enterprise to mobile architecture just doesn't make sense. So Android can't lose anything it never had and, outside Google's wishes, isn't seriously considered for. The lack of Chromebook adoption by the enterprise demonstrates their disinterest.
Click to expand...
Click to collapse
Not sure if I totally agree with the application only being a niche market. I work for a call center and find that the tablets are becoming an indispensable tool. We have people walking the floor with these devices and using them to keep track of various statistics as well as using them to report potential issues. The ability to pull up data about current client information to respond in an almost instant manner has shaped things drastically. Having a sandbox is really great for protecting certain information, such as email, etc.. but can not protect the device data in flux, such as web browser content. If the system is compromised and access to the file system is obtained then all the data previously obtained becomes available to the attacker. Some measure can be made such as requiring Citrix as your primary form of connectivity but you are only pushing the security back to another device. The focus of this article was to point out the shortcomings of the this tablet as it pertains to the lack of updates.
Don't get me wrong, I truly love Android and will continue to use it as a personal device. However, there is no way I can risk releasing these devices into a production environment without the proper support. And yes, I blame the manufacturer for release and forget, and I blame Android for not enforcing the manufactures to keep these update. It is crucial to both parties to work together and produce something that is not just desirable but maintained for a reasonable amount of time. If Android could come up with a way to provide updates to devices directly and bypass the manufacturer they would have an unbeatable platform.
Zeab said:
Not sure if I totally agree with the application only being a niche market. I work for a call center and find that the tablets are becoming an indispensable tool. We have people walking the floor with these devices and using them to keep track of various statistics as well as using them to report potential issues. The ability to pull up data about current client information to respond in an almost instant manner has shaped things drastically. Having a sandbox is really great for protecting certain information, such as email, etc.. but can not protect the device data in flux, such as web browser content. If the system is compromised and access to the file system is obtained then all the data previously obtained becomes available to the attacker. Some measure can be made such as requiring Citrix as your primary form of connectivity but you are only pushing the security back to another device. The focus of this article was to point out the shortcomings of the this tablet as it pertains to the lack of updates.
Don't get me wrong, I truly love Android and will continue to use it as a personal device. However, there is no way I can risk releasing these devices into a production environment without the proper support. And yes, I blame the manufacturer for release and forget, and I blame Android for not enforcing the manufactures to keep these update. It is crucial to both parties to work together and produce something that is not just desirable but maintained for a reasonable amount of time. If Android could come up with a way to provide updates to devices directly and bypass the manufacturer they would have an unbeatable platform.
Click to expand...
Click to collapse
Anytime a serious security breach that can be used from without to effect changes on a device have come to light I have seen updates come out on all my tablets and phones, which is blessedly rare. Android does not operate in the way you are thinking. There is no need to constantly shove out security updates like windows. The system is pretty well secure unless you unsecure it yourself, new versions of the OS usually just add functions, however there is a current (when is there not?) RUMOR of a adobe bug on all versions of android lower than 4.0. Personally I still prefere windows for business simply because of ease of function and with baytrail cpu's and even more promising hardware coming this year I find no reason not to use windows for hard business needs if your business can benefit from tablet use. There are a plethora of cheap windows tablets coming and the current hp omni 10 is powerful enough to suit any light tablet buisness needs for just 299.00 if your business needs more power pay the premium for a surface pro with a full on i3,5,7 cpu fully capable of doing the work of a high end laptop. All that said, I feel Android is if anything more secure than a windows machine. Nothing comes in unless you invite it. Updates not needed until such time as Android can add base functionality in the realm of windows 7, and it is close imho.
Check the trends
Have to agree with Zeab. The university I work for is now supporting apple mobile devices but not android. And despite my having pressured for some support, what support is was for android devices is disappearing. Why ?
Android from one device to the next is different enough to make support difficult if not impossible. Providing advice on connections to secure servers and use of common software falls foul of the same issue.
Android device manufacturers have attempted to sequester their market by creating difference, but all they'll achieve is failure. Add to that the early obsolescence they have engineered and android is dying, even as its market share grows!
We now as a family have windows, apple and android devices. If I include TVs and media devices the list lengthens. The only option that provides continuity of operating system and software, and longer term support with updates is Apple. Given the way Microsoft has gone off the rails with windows 8.1 (I really do believe that OSs should make my computing experience easier, not harder), I think we will be going Apple in the future.
http://www.cnet.com/news/california-wants-to-ban-encrypted-smartphones/
This will make future Nexus purchases easier for me as I will not need to run "forced unencrypt" boot.img anymore. LOL
mikeprius said:
http://www.cnet.com/news/california-wants-to-ban-encrypted-smartphones/
This will make future Nexus purchases easier for me as I will not need to run "forced unencrypt" boot.img anymore. LOL
Click to expand...
Click to collapse
its happening all over the country.. New York state announced the same 2 weeks ago, if it'll actually happen is anyone's guess. but also it doesnt matter, as google is only selling nexii via their site now.
simms22 said:
its happening all over the country.. New York state announced the same 2 weeks ago, if it'll actually happen is anyone's guess. but also it doesnt matter, as google is only selling nexii via their site now.
Click to expand...
Click to collapse
Regardless of *how* they are selling it, the problem is that they wouldn't be allowed to sell it in those states where it is banned, which means that they won't be able to SHIP it there, or possibly if there is just a billing address in one of those states.
Nice thing about Nexus, though, is that they can make it trivial to add back the encryption. Just make a system property that switches crypto on. echo "ro.crypto 1" >> /data/local.prop
---------- Post added at 09:25 PM ---------- Previous post was at 09:24 PM ----------
mikeprius said:
http://www.cnet.com/news/california-wants-to-ban-encrypted-smartphones/
This will make future Nexus purchases easier for me as I will not need to run "forced unencrypt" boot.img anymore. LOL
Click to expand...
Click to collapse
That was only necessary on Nexus 6 due to lack of CPU support for crypto functions. It only has the proprietary qcom parts available.
Lmao. Not like they have anything more important to deal with. Pretty sure this is wishful thinking
Sent from my Nexus 6 using XDA Premium HD app
rpolito73 said:
Lmao. Not like they have anything more important to deal with. Pretty sure this is wishful thinking
Click to expand...
Click to collapse
When this whole new "don't encrypt" thing started last year, I was under the impression that it was brought up just to make a point about why it is a bad idea, so that it could be put to rest.
But unfortunately, some idiots ran with it, and now its out of control.
If I have to, I will roll my own crypto, and I will do it just because I can.
However, encrypted computer... Just fine. I.E. SSH into your home PC and run your criminal enterprise from it.
Always afraid of people regulating things they don't understand.
Anyways, this wouldn't do away with encryption, or really prohibit any sales. Google would have enough heads up... They would simply be forced to add a "back door" to encryption so that the government could un-encrypt your device with a court order...
I get the spirit of this.... But really, like with so much else, private sector can usually out perform the government and any back door they add will likely be open to being exploited by the smart bad guys too. Data the government can't decrypted has existed for a LONG TIME.... but now that apple makes the news IT MUST BE STOPPED
scryan said:
However, encrypted computer... Just fine. I.E. SSH into your home PC and run your criminal enterprise from it.
Always afraid of people regulating things they don't understand.
Anyways, this wouldn't do away with encryption, or really prohibit any sales. Google would have enough heads up... They would simply be forced to add a "back door" to encryption so that the government could un-encrypt your device with a court order...
I get the spirit of this.... But really, like with so much else, private sector can usually out perform the government and any back door they add will likely be open to being exploited by the smart bad guys too. Data the government can't decrypted has existed for a LONG TIME.... but now that apple makes the news IT MUST BE STOPPED
Click to expand...
Click to collapse
just seems crazy that they were just making such a big deal about the ability to have it encrypted, and now they want to ban it. I understand why they would want that, but you would think the NSA or some other entity would pretty much be able to do whatever they needed to get in.
This would be difficult to regulate. There are certain states that have gun magazine bullet limits in certain states but it seems like a trivial issue and would be hard to enforce
mikeprius said:
This would be difficult to regulate. There are certain states that have gun magazine bullet limits in certain states but it seems like a trivial issue and would be hard to enforce
Click to expand...
Click to collapse
If it passes, they will simply have to add a backdoor or some universal key into the encryption used. They likely wont make versions for each state, so I would guess that if this passes, android and IOs would simply feature some built in mechanism to allow un-encryption by google/apple... will likely end up being in all versions of android.
Just a guess, but I bet they would be more inclined to build one version to meet all regulations rather than fragment.
Then someone will hack into that backdoor... and we will see wide spread panic over the fact that we are unsafe! (meanwhile career criminals will adapt and use off device storage with encryption that isn't vulnerable)
scryan said:
If it passes, they will simply have to add a backdoor or some universal key into the encryption used. They likely wont make versions for each state, so I would guess that if this passes, android and IOs would simply feature some built in mechanism to allow un-encryption by google/apple... will likely end up being in all versions of android.
Just a guess, but I bet they would be more inclined to build one version to meet all regulations rather than fragment.
Then someone will hack into that backdoor... and we will see wide spread panic over the fact that we are unsafe! (meanwhile career criminals will adapt and use off device storage with encryption that isn't vulnerable)
Click to expand...
Click to collapse
According to the DOJ encryption causes children to die LOL
http://gizmodo.com/the-doj-ups-the-ante-says-iphone-encryption-will-kill-1660827774
" (4) "Sold in California," or any variation thereof, means that the
smartphone is sold at retail from a location within the state, or
the smartphone is sold and shipped to an end-use consumer at an
address within the state. "Sold in California" does not include a
smartphone that is resold in the state on the secondhand market or
that is consigned and held as collateral on a loan."
I think the operative phrase "sold and shipped to an end user in California" would simply be interpreted as retailer needing an out of state dispatch center, so all the big guys are safe. Actually I think everyone is basically safe except your local Verizon store....
" (d) (1) The sale or lease of a smartphone manufactured on or after
January 1, 2017, that is not capable of being decrypted and unlocked
by its manufacturer or its operating system provider shall not
result in liability to the seller or lessor if the inability of the
manufacturer and operating system provider to decrypt and unlock the
smartphone is the result of actions taken by a person or entity other
than the manufacturer, the operating system provider, the seller, or
the lessor and those actions were unauthorized by the manufacturer,
the operating system provider, the seller, or the lessor."
So you can sell one of these phones if it's a refurb that broke the warranty, or if everyone is ok with it?
" (2) Paragraph (1) does not apply if at the time of sale or lease,
the seller or lessor had been notified that the manufacturer and
operating system provider were unable to decrypt and unlock the
smartphone due to those unauthorized actions."
So don't sell a phone that you can't unlock.... but only if there's actual notice from both the manufacturer and (not or) the OS provider.
Bull****, toothless (civil penalty, no private right of action), poorly and vaguely written and places potential legal obligations that are not enforceable since the manufacturer and OS maker might not be domiciled in CA... or even the US. Hell, it even specifically states that you can just sell a second hand one and a second hand device has not been defined as "used"
I quote Section 22761 to the Business and Profession Code because this is supposed to be an amendment of it.
Corporate security demands encryption and me I personally like my privacy.
Given a choice to be able to use my device for work encrypted or go with encryption disabled and use it as a personal device only.
I go with encryption.
California has a long history of disregarding the First and Second amendments... why not trample on the fourth while they are at it.
jimtje said:
" (4) "Sold in California," or any variation thereof, means that the
smartphone is sold at retail from a location within the state, or
the smartphone is sold and shipped to an end-use consumer at an
address within the state. "Sold in California" does not include a
smartphone that is resold in the state on the secondhand market or
that is consigned and held as collateral on a loan."
I think the operative phrase "sold and shipped to an end user in California" would simply be interpreted as retailer needing an out of state dispatch center, so all the big guys are safe. Actually I think everyone is basically safe except your local Verizon store....
Click to expand...
Click to collapse
The part I made bold contradicts your interpretation. Basically says that a new smartphone will not be able to be shipped to an end user in the state *at all*.
Now there is an obvious loophole in this, which is to distribute via a reseller, who opens the box, sets up a new randomly generated gmail address, and installs a few programs. Now deemed "resale" and "secondhand", it is legal to send it in.
" (d) (1) The sale or lease of a smartphone manufactured on or after
January 1, 2017, that is not capable of being decrypted and unlocked
by its manufacturer or its operating system provider shall not
result in liability to the seller or lessor if the inability of the
manufacturer and operating system provider to decrypt and unlock the
smartphone is the result of actions taken by a person or entity other
than the manufacturer, the operating system provider, the seller, or
the lessor and those actions were unauthorized by the manufacturer,
the operating system provider, the seller, or the lessor."
So you can sell one of these phones if it's a refurb that broke the warranty, or if everyone is ok with it?
Click to expand...
Click to collapse
This sounds like a roundabout way of saying that the manufacturer must actively "not authorize" any alteration that would result in unbreakable encryption. Note: NOT that they must actively work to BLOCK the modification, just that they must state something to the effect of "Alphabet Inc., does not authorize any modification that will circumvent california law blah blah blah." -- see, there is a big difference between "unauthorized" and "forbidden". There is also a difference between legally and technically. Also, there is absolutely nothing in there about the warranty, therefore no part of the "modification" necessarily voids the warranty.
At least that would give them a strong position when up against the "unauthorized" clause. Though technically, it may be adequate to just say nothing at all. I.e., for someone to "be authorized", takes an intentional act of providing authorization. Such would be the case if, for example, they were to provide *instructions* on what the end user could do to disable the crypto's back door.
However, another interpretation could be that Nexus devices, by definition, authorize the user to "do what they want" with it, including disabling the backdoor.
" (2) Paragraph (1) does not apply if at the time of sale or lease,
the seller or lessor had been notified that the manufacturer and
operating system provider were unable to decrypt and unlock the
smartphone due to those unauthorized actions."
So don't sell a phone that you can't unlock.... but only if there's actual notice from both the manufacturer and (not or) the OS provider.
Click to expand...
Click to collapse
Hmmm... that is very weirdly worded.
On the surface, it appears to be meaningless in the face of the (4) section, since there wouldn't BE such unauthorized modifications made to a device if it is new (hence qualifying for the resale/used exemption of (4)), but what it does suggest, is possibly somehow related to the notion of sending them out to be modified.
Bull****, toothless (civil penalty, no private right of action), poorly and vaguely written and places potential legal obligations that are not enforceable since the manufacturer and OS maker might not be domiciled in CA... or even the US. Hell, it even specifically states that you can just sell a second hand one and a second hand device has not been defined as "used"
I quote Section 22761 to the Business and Profession Code because this is supposed to be an amendment of it.
Click to expand...
Click to collapse
This kind of horrible nonsense is starting to make the Nexus 6's software crypto more and more appealing. With hardware crypto, the problem is that technically, the closed source radio could obtain access to the encrypted data directly. In other words, there could be an over-the-air backdoor that doesn't even interact with Android, and actually, there could be one there *right now*. At least with software crypto, the kernel is in charge. That leaves the backdoor restricted to what is accessible under Linux by the radio blobs, and the good news is that we can firewall those blobs right up the wahzoo as needed.
---------- Post added at 07:58 PM ---------- Previous post was at 07:58 PM ----------
mikeprius said:
According to the DOJ encryption causes children to die LOL
http://gizmodo.com/the-doj-ups-the-ante-says-iphone-encryption-will-kill-1660827774
Click to expand...
Click to collapse
And according to me, the DOJ causes children to die.
doitright said:
The part I made bold contradicts your interpretation. Basically says that a new smartphone will not be able to be shipped to an end user in the state *at all*.
Click to expand...
Click to collapse
Ah, question of statutory interpretation, a sure sign of a poorly written amendment, the fact that we see it differently shows that this legislation is already on the rocks.
Now there is an obvious loophole in this, which is to distribute via a reseller, who opens the box, sets up a new randomly generated gmail address, and installs a few programs. Now deemed "resale" and "secondhand", it is legal to send it in.
This sounds like a roundabout way of saying that the manufacturer must actively "not authorize" any alteration that would result in unbreakable encryption. Note: NOT that they must actively work to BLOCK the modification, just that they must state something to the effect of "Alphabet Inc., does not authorize any modification that will circumvent california law blah blah blah." -- see, there is a big difference between "unauthorized" and "forbidden". There is also a difference between legally and technically. Also, there is absolutely nothing in there about the warranty, therefore no part of the "modification" necessarily voids the warranty.
Click to expand...
Click to collapse
Hence, without teeth. There's no outright ban of encryption, only sale of unauthorized first-hand retail models of phones featuring encryption, so it's either supposed to be construed very narrowly or just turned out that way.
At least that would give them a strong position when up against the "unauthorized" clause. Though technically, it may be adequate to just say nothing at all. I.e., for someone to "be authorized", takes an intentional act of providing authorization. Such would be the case if, for example, they were to provide *instructions* on what the end user could do to disable the crypto's back door.
However, another interpretation could be that Nexus devices, by definition, authorize the user to "do what they want" with it, including disabling the backdoor.
Hmmm... that is very weirdly worded.
On the surface, it appears to be meaningless in the face of the (4) section, since there wouldn't BE such unauthorized modifications made to a device if it is new (hence qualifying for the resale/used exemption of (4)), but what it does suggest, is possibly somehow related to the notion of sending them out to be modified.
Click to expand...
Click to collapse
I think the limitation on what the state's power to regulate interstate commerce made that necessary but it effectively defeats itself. Clearly the law would have little effect and easily circumvented via the exceptions that are specifically given. With no private course of action individuals don't even have standing to bring a claim on their on regarding the viiolation anyway so it really is just words that have very little effect if actually enacted.
This kind of horrible nonsense is starting to make the Nexus 6's software crypto more and more appealing. With hardware crypto, the problem is that technically, the closed source radio could obtain access to the encrypted data directly. In other words, there could be an over-the-air backdoor that doesn't even interact with Android, and actually, there could be one there *right now*. At least with software crypto, the kernel is in charge. That leaves the backdoor restricted to what is accessible under Linux by the radio blobs, and the good news is that we can firewall those blobs right up the wahzoo as needed.
I think the fact that there's so much uncertainty in the plain text of the proposed amendment show that it' a defective work. They obviously don't even
---------- Post added at 07:58 PM ---------- Previous post was at 07:58 PM ----------
And according to me, the DOJ causes children to die.[/QUOTE]
Well, at least in a court of law an expert needs to establish foundation before testifying. You don't need to demonstrate any knowledge to write an amendment like this.
Oh and the big federal agencies all have blood on their hands anyway. DOJ loses prioners. DHS deports American citizens. FDA can find drugs and then send it right onto you. Ain't nothing new, but does make administrative law fun and sad if you practice it.
scryan said:
If it passes, they will simply have to add a backdoor or some universal key into the encryption used.
Just a guess, but I bet they would be more inclined to build one version to meet all regulations rather than fragment.
Click to expand...
Click to collapse
They won't do it. Both Apple and Google have stated that their encryption can't be designed with a "back door" in place, and if they DO build a back door, they'll be forced to accept other countries' requests for the keys, not just US state/federal requests. The burden this would put on Apple/Google, and the fact that it makes the encryption almost pointless, would mean they'll never do it.
Also, when the FBI did a review of device encryption, the three possible methods that they came up with were all too costly and illogical that they ended up saying that there just isn't a viable encryption solution that the government can get behind.
---------- Post added at 07:57 AM ---------- Previous post was at 07:53 AM ----------
Everyone's seriously overthinking this...
If Cali/NY pass a regulation like this, all Google or Apple will do is revert back to Kit Kat-style encryption. With KK, it was still FDE, but it was off by default, so that users had the *option* under security to enable full device encryption.
This way, devices sold to consumers would be un-encrypted at the point of sale and the end-user would be the one actually enabling/using encryption. The question would be whether the user is violating any state regs by enabling encryption, but it sounds like that's not what the states are trying to confront.
Does this ban mean that new Nexus devices will have the ability to be non-encrypted w/o root? The only thing I don't like about encryption is the decrease of performance.
mkygod said:
Does this ban mean that new Nexus devices will have the ability to be non-encrypted w/o root? The only thing I don't like about encryption is the decrease of performance.
Click to expand...
Click to collapse
The performance hit is a lot lower (practically non-existent) on CPUs that support it properly.
So Apple issued an open letter regarding the San Bernardino case regarding the FBI's request:
https://www.apple.com/customer-letter/
mikeprius said:
So Apple issued an open letter regarding the San Bernardino case regarding the FBI's request:
Click to expand...
Click to collapse
That FBI vs. the Fruit company battle is hilarious. Both sides are such complete morons that they are just going to bang at the courts until everybody pays a whole lot more money and ends up getting nowhere.
The first thing to be aware of, is that the phone in question has a SDMFLBCB2 or similar Sandisk eMMC chip.
The thing won't self-destruct unless you actually run the self-destruct code, so pull the chip (bake in oven at 450 F for 20 minutes, then grab chip with tweezers and pull), and install chip in reader.
READ THE BLOODY CHIP, then either (a) run crypto code in emulator and try to brute force password as desired, or (b) write it to millions of replacement chips and reinstall in phone to try passcodes until you run out of guesses.
Note that FBI just wants to be able to try passwords without the phone self-destructing. They aren't actually asking for a backdoor, just to disable the self-destruct routine.
Now next step is to bring it to the APPLE side of stupid. Apple is acting as if they would be CAPABLE of creating an actual backdoor into an already-existing phone, with nothing but a software change. Not just disabling the self-destruct routines, but actually breaking through the supposed "encryption". Is it possible that they aren't *actually* encrypted at all? Or are we talking about something insane, like the crypto key is stored somewhere on the device in PLAIN? While Android has this capability (of using a default crypto-pass in order to obtain the key needed to decrypt and mount /data automatically on boot), it also has the ability to stop mid-boot to demand the passcode when it needs to mount /data. I wonder just how secure that apple crypto really is....
In any case, assuming that they are being truthful about the inability to assist the FBI without compromising *everything*, it tells me that data on an apple device is NOT secure.
The FBI is acting like end-users, when they should be dealing with computer engineers, who can trace the software execution on the device and reverse-engineer the destructo-routines in order to patch their way around them. They should *NOT* be needing or asking for apple's help with this.