so after posting an excerpt of my letter to Dan Morrill, the author of the absolutely idiotic statement regarding what they're doing, i received several PMs asking me to post the whole thing. It's so long it won't fit in a single post, so read it all. if you don't want to read a wall of text, stop here and go to a new thread.
Mr. Morrill,
First, I would like to bid you a good day, as I'm sure this letter is going to affect it. Yes, that is a bold statement to make at the onset, but writings such as these have a way of eating their way into your psyche and leaving a lasting impression that could very well sour your appetite at lunch time.
Perhaps I should introduce myself. My name is XXXXXXXXXXXXX, and I am an amateur developer on the Android platform. I am also a user of many of the custom Android builds that have come out since the release of the source development kit, including the build made by Steve "Cyanogen" Kondik. Ah, yes, now you see what this letter is going to be about.
So let's start with the basics. Google is a multi-billion dollar corporation that released a supposedly open-source platform onto the mobile device market. Now, I say mobile device as opposed to mobile phone, simply because there are products being released, such as the Zii EGG, which do not support telecommunications, yet are still running on the Android platform. Now, in any reasonable programmer's mind, the reason for making a platform open source, regardless of what the Public Relations people spin it as, is to alleviate some of the burden on the actual in-house development teams. The source code created by thousands of bright minds is doubtless going to yield a much stronger end result than that of a small development squad. It's simple mathematics. Well, that point alongside the fact that the original Linux developers made no secret of their intentions by open-sourcing their operating system, which paved the way for Android many, many years later.
In addition to that, all of the applications included in the "stock", or unmodified and officially released Android, builds are free. Any user with internet access can use any of these functions through the internet, with the blessings of your employer, free of charge. Yet, somehow, this has caused a sort of hiccup between your supposed idea of free development and that of the general public. Now, before you warp your mind into "this guy doesn't know what he's talking about" mode, think about the principles that your company was founded upon. You wanted to beat out the corporate giants and look out for the little guy. Oh yes, I've done my homework on Google over the years. The benevolent company trying to provide free services for the masses that the "evil-empire" corporations would deny free access to. Ironically enough, this letter is being written to you on Google Docs, another of your free services. Quite troublesome, it would seem.
And now, lest I digress further, I'll shift to the meat of the topic. In your statement regarding the cease and desist letter to Mr. Kondik, you claim that the sales of your free software to be used on mobile platforms being provided to the end user by custom developers for free would hurt the bottom line. Perhaps you should re-examine your own words. Free software being given to the masses by developers whom you claim to encourage is hurting your profit share because you cannot sell the use of it to large corporations. Pardon me if I fail to understand the rationale behind such a contradictory and obviously ridiculous statement. But just so that you can understand my position on the matter, let's look at a related position. Google produces an internet browser, Chrome. Mozilla, a competing franchise, produces Firefox, their own browser. Developers for Firefox have created applications which borrow on Google's proprietary code to access the functionality of the various features and programs. Are these developers charged for being able to include such features? No. Are these developers caused to halt their activities through threats of legal action for providing end users access to the capabilities that Google readily offers for free? No. So where is the disparity between allowing a competitor to do such things and tying the hands of developers of YOUR open source platform from doing the same?
Before I go further, let me give you a little background on myself to illuminate things. I used to work for XXXXXXXXXXXXXX. I worked in one of their call centers with well over a thousand people, almost a quarter of whom purchased the G1. More than 50% of those users had custom builds running on their phones. How would I know this? I personally installed it on over 300 and gave instructions to many more who wanted to do it themselves. This was one call center. But your apparent attitude on the situation makes it apparent that providing these people with custom software that includes the Google-based programs that were ORIGINALLY ON THE DEVICE AT PURCHASE, is illegal. I'm sorry sir, but that notion is preposterous. All of the Android-based mobile platforms on the market today include the software that caused you to send Mr. Kondik a cease and desist letter. This means that every single end user who purchased one of the devices paid that bottom line you spoke of. Any other rationale is impossible. Non-supporting devices will not run Android, and as such, the only way to use the device is to have purchased one. This brings us to the logical conclusion that those applications, such as GMail and Google Talk are PAID FOR. The situation is equitable to this situation: Joe purchases a computer from a major distributor, say Dell. Dell gives Joe a complimentary piece of free software (available on the Dell website) which updates his drivers on the Dell website, included with his purchase. Joe decides he doesn't particularly like the operating system on the computer, and installs an operating system more to his liking, that also happens to include the Dell software. But lo-and-behold, that free software shouldn't be free to Joe, even though he paid Dell's bottom line through his original computer purchase.
Your flaw is that you are obviously trying to "spin" the situation. Unfortunately, it's a thin disguise and everyone can see through it, clear as crystal. These people that I speak of? Developers. The developers whom you claim to encourage. This brings me to my next point. Developers are essentially software hackers. They take the code from a program, rip it apart, improve on it, and then put it back out on the market for other developers to toy with. Perhaps, in your travels as a computer programmer, you have come across a copy of the much fabled "hacker's manifesto". Free access to data. That is what it was about at its core philosophy. You claimed to provide developers with that free access through Android, and then punish the people whom you claim to support.
Have you ever seen "The Devil's Advocate", Mr. Morrill? Al Pacino has an excellent line in which he is describing the way God imbued man with instinct, saying "Think about it. He gives man instincts. He gives you this extraordinary gift, and then what does He do, I swear for His own amusement, his own private, cosmic gag reel, He sets the rules in opposition. It's the goof of all time. Look but don't touch. Touch, but don't taste. Taste, don't swallow." Is this not what you've done here? You've given us, the developers, what you claim to be an open-source platform, written for mobile platforms that contain previously installed versions of the software, and also containing applications that each and every possible user would have purchased through buying the device on which they run. Then you tell us that it is illegal for us to modify any portion of that software which you see fit at any given point in time. Perhaps you should have just kept it closed-source, so that anything innovative wouldn't stir controversy, as it would have truly been illegal. You give us a gift and then set the rules in opposition as it suits you.
Now, if I haven't struck a nerve yet, perhaps I will in my own belief on the subject. You FEAR us. The android development team put out an initial platform. The developers, using the source code given to us, have turned out platforms on several different versions that utilize more functionality with greater performance, more flexibility and a wider range of features than ANYTHING that the official releases have even come close to. Mr. Kondik's releases are a prime example of this. He has created a version of the platform which utilizes every aspect of the platform infinitely better than the official releases. He has also included functionality from FUTURE releases, constantly and consistently improving on such, in a timeframe that should have your development team in absolute hysterics. That, sir, is what I believe this is about. Fear and shame. Never did you imagine that the Android development community would be able to surpass the Godly heights of the original development team, but we have and continually do so. It's his popularity that earned him the letter. He posed the biggest threat to your team by sharing a creative vision with anyone willing to install it that your team couldn't possibly compete with. But what about all of the other major developers? As of right now, I can count over a hundred different custom builds that include much of the same functionality and applications that Mr. Kondik's software includes. Are you going to attempt to stop them too?
(continued in post #2)
I assume you have been on the internet before. I assume you know that it spans the globe and has absolutely no limits or boundaries. It is freedom at its peak. Anyone, anywhere can express anything they want. The beautiful thing is that it enables people to communicate, and thereby collaborate in real-time. An internet community with thirty thousand people doesn't have to find a meeting room with enough chairs. This is the problem you're facing. You have attempted to cut the head off of a snake that you created. Unfortunately, on the internet, when you cut off the head of a snake, the body doesn't die. A thousand more heads spawn in its place, angrier, defiant and more intent on their purpose. Perhaps that should be a wake up call.
Mr. Morrill, I hope that in reading this letter, you have come to realize the gravity of your position. You have not only hurt yourselves, but angered an entire community, consisting of tens, if not hundreds, of thousands of people. These are the people who write the applications that are sold on the Android Market. These are the people who have the time to spare to ensure that you still have a job by creating works of digital art, using the code that you claim to be "open source". Are you so obtuse as to believe that these people are going to slip silently into the night when their creativity is stifled by the whims of a multibillion dollar corporation? I think not, sir.
You simply cannot give freedom to the masses and then attempt to bind their hands, as you are attempting to do in this case. This has ended in cataclysmic failure for every culture and every authority that has attempted to do so in history. We live in a global society of ingenuity. People WILL find a way. The creative power of the developers of the android community will inevitably break you. History has shown ample evidence that a creative mind cannot be beaten down. No army of lawyers, no amount of cease and desist letters will stop the tide of creativity.
It's like a bear. The choice you had was to embrace this creativity and nurture it or to poke at it with a stick. Mr. Morrill, are you aware of the consequences of poking a bear with a stick? Some thought on that will bring you to an obvious, and quite unpleasant, conclusion.
Had you simply left well enough alone, the damage might have been minimal, but at this point you could be looking at a 2009 reenactment of the Boston Tea Party, with the Android platform playing the part of the British tea. The damage to your "bottom line" was so infinitesimally small as to equate to a mouse burping on a rush hour subway car in New York City. As stated previously, it is simply my belief that your development team was offended by the fact that amateur developers would put them to shame. Does Android come with a complimentary set of swim trunks? Perhaps you might invest. I hear Boston Harbor gets cold in the winter.
In closing, perhaps you should let the immortal words of Japanese Admiral Isoroku Yamamoto echo through your mind as you contemplate the statements made in this letter:
"I fear that all we have done is to awaken a sleeping giant and fill him with a terrible resolve".
Mr. Morrill, the giant is awake now, and his resolve is beyond your wildest dreams. I truly hope you are prepared to reap the consequences of what you have put in motion.
Sincerely,
XXXXXXXXXXXXXXXXXX
amazing. you're right they do fear us and they have woken a sleeping giant. what i don't get is the fact that these roms are making this phone better. as you said you gave over 300 people instructions how to do this at the call center. if anything these devs are helping google make sales, and google doesn't even have to make a better product. they make the same thing that has been out since Oct.22.2008 and the devs make it better. you sir are a god among men.
Wow, great letter, really looking forward to hearing the response to this - If you'd post it that is ;-)
You misspelt "purchased" in the eighth paragraph btw
yeah, this was the pre-spell-checked rough draft. the copy that i sent him was clean as a whistle.
Interesting letter. Not to mock you or anything, but it reminds me a lot of Keith Olbermann.
I am a RSA for TMO, and one of the major selling points was that Android was (is?) Open Source. That was a big deal to many customers.
I don't think the folks over at Google realize how tech savvy even the dumbest tech user is.
Had probably a 60 year old man come in the other day and he had put Hero on his G1 by himself.
(No offense to any oldsters.)
The world is changing, and Google just jumped in front of that subway train you mentioned.
this was truly a great letter. i would love to see the response (if you even get one) to this. i feel inspired to go do something now...
Android users, this is your call to arms.
Before you go and write long-winded threatening letters to someone, maybe you should look into what you are writing about first. The person you are writing the letter to is an employee of a company that tells him what to do. I doubt after all of the help he has given developers and "hackers" in the Android irc channel, that he was just planning on striking everything down. My guess, and that of many others who know of him (haven't chatted a lot, but he is social with us) would be that he was told to write that post. I don't want cyanogen roms to go away either, but I think you are going at it the wrong way. Hate the company, not the developers.
And after re-reading the post, you mention installing this on devices that already have it. The exact same argument I used but you must also realize that an HTC hero does not get these Google Apps. It is an HTC branded phone and instead gets HTC branded apps. The "With Google" phones are the only ones that come with these apps pre-installed. Even then, apparently (I just found this out today) that your license to these apps does not allow you to copy them OFF of the device they came on. So that cut down another idea we had: copy the apps from the rom to SD, flash image, copy apps back.
Once again, I do not disagree with you or your anger, I just disagree with who you are directing it at.
irrelevant. "i was just doing what i was told" is never an excuse. it doesn't work in the justice system, and it doesn't work here. i could elaborate more, but i really don't want to invoke Godwin's Law this early in the conversation. he opened his mouth. he made himself the target. everyone is a nice and helpful person until they show their true colors.
perhaps it's just me, but i'm one of those people that actually hold to my ideals. if i'm fighting for something and my boss tells me to do otherwise, i'm going to tell him to pack sand. if I get fired, i can always find a new job, but I can do so with my integrity intact. he had a choice. everyone always has a choice.
also, to your second post, the HTC branded phones aren't the subject of controversy. the apps are "free". i quote free because it isn't true in this case. how is distributing the official Gmail app for free any different than accessing the same capabilities through another means? if I were to delete the official GMail app off of my phone entirely and instead access my gmail account through a browser, wouldn't that have the same effect on Google's "bottom line"? I'm still using the same service and not paying for it. Similarly, with the hero, if you have access to GMail through any email application or browser, are you not violating the same concept? You're still using the core of google's intellectual property for free. Their only real solution is to make the Google apps paid applications that everyone has access to if they want to shell out the cash, or simply drop the whole thing.
Are they going to stop people from creating custom GMail apps too? Cause if so, they've got a big fish to fry, cause they'd have to go after everyone who wrote a gmail plugin for firefox as well. any way you look at it, they're not going to stop the development community from going on, its simply too big.
If Dell gives you a "free" copy of vista on your laptop, and then you buy a compaq with linux installed on it. Does that mean you have the right to install your "free" vista on the compaq also? It was free! How about you write a new windows shell and you bundle your free windows vista with it. And you also throw in your free copy of Office that came with it.
I understand their point and I realize these examples are not EXACT enough to matter, but the point does. They give you the apps for A SPECIFIC device and they give them to you with rules. Rules that we do not like.
I feel that they instead of C&D'ing him, should have had a little sit down with him. Said "hey, we realize you are doing a lot of good for us by promoting our product and giving those who want more what they ask for when we cannot, but we have some rules for you. A, you must make every attempt you can to make sure the roms you distribute go on authorized "With Google" devices. B, not release stuff you do not have permission to release." This would allow google to control what he releases enough to fit within the rules (keeps carriers from saying "hey, he can release your apps without paying, why can't we?"). They would also benefit from the many thousands of users who flock to these custom roms but realize they are unusable in their bare forms.
And so you do not have to, I will be the first to pull the term nazi out of my hat in this one
I agree completely. As i said in the letter, they could have nurtured creativity (i.e. having a sit down with him and saying "hey look, we know that this is going to non-google devices and we can't have that, so make an attempt to not let it happen") or poke it with a stick. They chose the stick, and now they get to reap the backlash.
I also understand your initial examples, and while they do hold true for the circumstance, windows isn't lauded as being an open-source platform. In addition, i haven't heard of microsoft going after people who create custom shells that utilize windows information, so long as they put a disclaimer on it saying that you're only allowed to use them if you're running an authorized copy of the OS. The same should have been done here, as you suggested.
Also, microsoft has specific anti-piracy safeguards in place to keep you from installing that software on your compaq that didn't come with it. Can you get around it? sure. Piracy happens, but it's also illegal. But google has no such safeguards on the apps. Is it because they lacked the foresight to see this coming? Absolutely. If they didn't want the apps installed on non-branded/non-approved devices, then perhaps they should have made it impossible to do so. Sure, people would eventually find a way around it, but then they'd have a legitimate piracy gripe. As it is now, they don't. You don't hand a kid a cookie, let him eat half and then snatch it away because he shared the chocolate chips. You keep him away from the cookies from the get-go.
It really is a sad state of affairs. If something is going to be free, such as GMail, then Google shouldn't care how the users access it. How big of a chunk of their profits do you think it's really going to hurt if people with the hero get a free copy of the gmail app? I bet their legal team made more for handling this "issue" than it would cost them in ten years. If the apps in question were paid apps, then I would completely understand. People shouldn't get something free that they should have to pay for, which is one of the reasons that XDA has such a strict "warez" policy. But that's not the case.
The simplest solution would have been to realize that "oops, we did tell them it was open source, maybe we should clarify a bit and see if we can come to a reasonable understanding". But alas...
Also, to your point that the apps came with a specific device, what about those that purchased a device with those apps? We have a right to be using them as we see fit. When I bought my phone, I never signed anything that said that I couldn't theme the application if I wanted to. Google never made me sign a contract. And they couldn't, it would be ridiculous. What about people that purchased them on ebay or craigslist without a contract? They still bought the device and are the owner, and they certainly didn't have to agree not to modify any content. Is google going to go after every developer and every themer now too? Are they going to go after every end user who modified their content? It's just as illegal as making a rom that allows it to happen in the eyes of the law. Apple is attempting to do the same sort of crap with people jailbreaking the iphone. They're saying that even though you bought it, apple technically still owns it, so anything you do to it is illegal. There's a huge legal debate going on over it right now and apple looks like they're probably going to lose.
The safeguard they have in place is lack of root access. If you have root access you have exploited a bug and are acting out of the designed use of the phone. You would not be able to backup or otherwise access these app files. Also, you would not be able to flash the new rom without root, which you gained by exploiting a bug.
Absolutely. But at the same time, the whole "exploiting a bug" argument is similarly null. If the bug never existed, two things would be true:
1. There would be no custom roms for end users, which Mr. Morrill says he supports and looks forward to seeing more of. This would be true since the idea of creating custom software would be idiotic as nobody would be able to install it. The only people utilizing the open-source framework would be major development houses, such as what creative is doing with the plazma stem-cell android that they're putting on the EGG. Application development has nothing to do with open source. The iPhone is not open source, but you can still develop apps for it.
2. The claim that they have about the free distribution of their intellectual property would hold merit, as it would be legitimate software piracy, instead of an unintended side effect of faulty design.
The first point is what makes this a farce. We, as developers, found a way to get custom software onto our devices, something which we were never intended to do. One of two things should have happened at that point: they should have let us continue to do it, which they did (closing the loophole could have been done, they could have found a way to prevent downgrading, seeing as there are no other OS options for the device) or they could have stopped it there and said that exploiting the bug is illegal. It's been a year since the device came out. This has been going on for a YEAR. You mean to tell me that this is an issue NOW and wasn't a year ago when it first started? It's only an issue because they're not the only game in town anymore. Ridiculous. Someone got their feathers ruffled and wanted to take out the little guy.
Ok, I am not going to keep replying to your endless wandering rebuttals. I feel you are wrong in who you are aiming your hate mail at and that is the end of the story.
That's fine, and I do apologize for being excessively adamant about it. But I still feel I'm right. You only paint a target on yourself if you're prepared for people to shoot at you. That's all I can say about it.
Darkrift said:
If Dell gives you a "free" copy of vista on your laptop, and then you buy a compaq with linux installed on it. Does that mean you have the right to install your "free" vista on the compaq also? It was free! How about you write a new windows shell and you bundle your free windows vista with it. And you also throw in your free copy of Office that came with it.
I understand their point and I realize these examples are not EXACT enough to matter, but the point does. They give you the apps for A SPECIFIC device and they give them to you with rules. Rules that we do not like.
I feel that they instead of C&D'ing him, should have had a little sit down with him. Said "hey, we realize you are doing a lot of good for us by promoting our product and giving those who want more what they ask for when we cannot, but we have some rules for you. A, you must make every attempt you can to make sure the roms you distribute go on authorized "With Google" devices. B, not release stuff you do not have permission to release." This would allow google to control what he releases enough to fit within the rules (keeps carriers from saying "hey, he can release your apps without paying, why can't we?"). They would also benefit from the many thousands of users who flock to these custom roms but realize they are unusable in their bare forms.
And so you do not have to, I will be the first to pull the term nazi out of my hat in this one
About your dell giving you a "free" copy of vista. As long as that CD key is only used on one computer, you can use that CD key on ANY computer. Read their TOS. You are wrong about a lot, but right about some. Changing the integrity of the windows shell is illegal, because that is microsoft property and NOT open source, but anytime you purchase an OS, or computer, you OWN that cd key of the software, all apps that come included as well. Could you try another example?
nice letter.
not so sure about the whole HTC (not "with google") phone thing- my magic is a HTC magic (32A) and it came with every single google app preinstalled on it.... not sure about hero though...
MontAlbert said:
nice letter.
not so sure about the whole HTC (not "with google") phone thing- my magic is a HTC magic (32A) and it came with every single google app preinstalled on it.... not sure about hero though...
Hero did too.
Regards,
Dave
Hello! I'm doing my bachelor thesis on Android security issues and I'd love to hear what you guys think about it, mainly on how you work with security issues when you develop your apps!
I threw together a quick 10 question multiple answer google docs form, should take 2-3 min max to fill out and it would really help me and hopefully lead to something that will benefit the android dev community when it's finished!
It's totally anonymous and requires no registration and i don't need any contact info to you :fingers-crossed:
LINK: https://docs.google.com/forms/d/1fvs166K4C9lcv7bHeNnOLfeaHK3LQNmc1qGffWWYjO4/viewform
(While i'm aware that this is technically a question I felt it goes under discussion rather than being a simple Q&A post, so that's why i posted here instead of the Q&A forum, hope you agree!)
Hi!
I read your questions but I don't think it's as easy as that.
The time spent on security varies very much with the kind of app. For example, you don't need to spend much time on security if there's no network interaction and no sensitive data which needs to be stored.
So I would have entered that I spend no time on security. That, however, doesn't mean that I wouldn't spend time on security if an app would require that.
Do you get my point?
QuestionAsker said:
Hello! I'm doing my bachelor thesis on Android security issues and I'd love to hear what you guys think about it, mainly on how you work with security issues when you develop your apps!
I threw together a quick 10 question multiple answer google docs form, should take 2-3 min max to fill out and it would really help me and hopefully lead to something that will benefit the android dev community when it's finished!
It's totally anonymous and requires no registration and i don't need any contact info to you :fingers-crossed:
LINK: https://docs.google.com/forms/d/1fvs166K4C9lcv7bHeNnOLfeaHK3LQNmc1qGffWWYjO4/viewform
(While i'm aware that this is technically a question I felt it goes under discussion rather than being a simple Q&A post, so that's why i posted here instead of the Q&A forum, hope you agree!)
I completed it but I think there are maybe 2 quite different questions here...
1) Security from a user's perspective (i.e. their personal data)
2) Security from a developer's perspective (i.e. their IP / product)
I guess they overlap a bit but as a developer you need to consider both separately.
PicomatStudios said:
I completed it but I think there are maybe 2 quite different questions here...
1) Security from a user's perspective (i.e. their personal data)
2) Security from a developer's perspective (i.e. their IP / product)
I guess they overlap a bit but as a developer you need to consider both separately.
Thanks for the input, i was hoping to discuss the relationship between the user and the developer by examining how the developer handles the user's data and to what extent the user can take control over the data s/he has inputted if for some reason s/he would like to make sure that the data never will end up somewhere it shouldn't. Because this data can be obtained in different ways, the survey has questions that could be perceived to relate to different questions perhaps? I should probably have written about the end goal more in detail
Anyways, thanks for participating!
QuestionAsker said:
Thanks for the input, i was hoping to discuss the relationship between the user and the developer by examining how the developer handles the user's data and to what extent the user can take control over the data s/he has inputted if for some reason s/he would like to make sure that the data never will end up somewhere it shouldn't. Because this data can be obtained in different ways, the survey has questions that could be perceived to relate to different questions perhaps? I should probably have written about the end goal more in detail
Anyways, thanks for participating!
OK, I see.
I work on a Keyboard app.
There's an interesting phenomenon you might be interested in regarding 3rd party keyboards... almost all of them require internet permission.
When we started out we figured that nobody would download a keyboard with internet permission, as that's all you need for a keylogger.. we were wrong about that though ! In the end, the usability issues with having to download multiple language pack apps troubled more people than the potential security issues in downloading an internet-aware keyboard.
There's another one, which is that our app (and others) is quite heavily pirated and distributed on blogs etc (we know that, because we can measure how many apps are downloaded vs the number of language installations there have been). That's despite the fact that an unofficial copy could very easily be a keylogger - it still doesn't put people off !
PicomatStudios said:
OK, I see.
I work on a Keyboard app.
There's an interesting phenomenon you might be interested in regarding 3rd party keyboards... almost all of them require internet permission.
When we started out we figured that nobody would download a keyboard with internet permission, as that's all you need for a keylogger.. we were wrong about that though ! In the end, the usability issues with having to download multiple language pack apps troubled more people than the potential security issues in downloading an internet-aware keyboard.
There's another one, which is that our app (and others) is quite heavily pirated and distributed on blogs etc (we know that, because we can measure how many apps are downloaded vs the number of language installations there have been). That's despite the fact that an unofficial copy could very easily be a keylogger - it still doesn't put people off !
Hehe that's indeed pretty interesting. I know lots of people who don't even bother reading the permissions of apps, even knowing that Play is full of malicious content.
Back in March, Replicant developers revealed a backdoor in the Samsung Galaxy application processor that lets the modem perform I/O operations on the device's storage.
(There was one security researcher who claimed on Ars Technica there was no evidence that the backdoor was used; Replicant's developers have responded to that here and here.)
Anyway, any progress on Galaxy S5 ROMs that use Replicant's replacement library, which won't collaborate with the backdoor, whether it's been used or not?
CC @Leigh Kennedy, @a2441918, @elelinux, @optx, @firebird11, @albinoman887, @kornfed, @ks3rv3rg, @BeansTown106, @tp2215, @edgarf28, @keysoh2, @AxAtAx
Nobody...
Anyone?
Up
Up
@Leigh Kennedy, @a2441918, @elelinux, @optx, @firebird11, @albinoman887, @kornfed, @ks3rv3rg, @BeansTown106, @tp2215, @edgarf28, @keysoh2, @AxAtAx, Denis "GNUtoo" Carikli and Paul Kocialkowski where you at?
Security holes like this affect the community as a whole. I have no doubt this is an intentional flaw brought to us all by the Auroragold mission. What's it going to take for this type of lunacy to stop, a figurehead's child's phone getting hacked by a malicious actor, or terrorist? Because it's only a matter of time before that exact threat is a damning reality, & Samsung will be left holding the bag. This flaw has been an open wound for me ever since I first read Paul Kocialkowski's report in February. The issue has been buried for way too long; on behalf of devs, users, people who don't want to know, and the ones that just won't ever get it, I demand a full community based effort to KILL THIS BUG. This is why we're all here, right? On XDA, we help one another learn, as well as help ourselves to use our personal devices better, and soon, safer. But if we are not making a strong enough effort to get what we require as basic device security, why use one at all?
".....because once NSA introduces a weakness, a vulnerability, it’s not only the NSA that can exploit it". -Karsten Nohl
Agent Soap said:
@Leigh Kennedy, @a2441918, @elelinux, @optx, @firebird11, @albinoman887, @kornfed, @ks3rv3rg, @BeansTown106, @tp2215, @edgarf28, @keysoh2, @AxAtAx, Denis "GNUtoo" Carikli and Paul Kocialkowski where you at?
I demand a full community based effort to KILL THIS BUG. This is why were all here right?
If that's the reason you are here, do something about it, instead of 'demanding' someone else doing it for you.
kornfed said:
If that's the reason you are here, do something about it, instead of 'demanding' someone else doing it for you.
Thank you for your input. I mentor felons and teach them to use linux, windows, and android, essentially building a small army of informed individuals, teaching others to teach others. Sooo congrats for calling me out! And thanks for editing my statement to make me look silly.
Agent Soap said:
Thank you for your input. I mentor felons and teach them to use linux, windows, and android. Sooo congrads for calling me out!
Good, take the lead, we are all very excited about your efforts.
kornfed said:
Good, take the lead, we are all very excited about your efforts.
What's your deal with me, man? If you love these flaws, please please please continue to berate/belittle/troll me. I didn't deliberately make your phone work against you, hate on someone who deserves your hate. If you are such a narcissist that you can't see that your higher skill set will aid with RESOLVING the problem, please gtfo the away. Use your anger on someone else. Because in the real world I'm the scariest thing on the street, here, you are. Now that **** measuring competition has completed, what can we do as a community to resolve this important security issue?
:laugh:
Good question and nice of you to bring this up. I think people don't give these matters enough attention.
I mean you can play pretend with your "encrypted" & "selinux secure" device as much as you want but there's no sense to it if the hardware is hardwired to spy on you.
This is an active backdoor
Six months later...
Is this backdoor still not fixed by current ROMs?
With even a modest set of modifications, the monthly OTA update is incredibly annoying. Especially for people who actually have important things they need to do rather than manually apply updates to their phone.
And we all know that the monthly OTA updates are just a show being put on to address complaints that have no bearing in reality. Specifically, all those nasty security holes that really don't lead to anything besides mild annoyance, IF somebody bothered to try to exploit them. Like for example the most [in]famous bug in StageFright that could allow a hacker to... do absolutely nothing of consequence (since it is protected by user access rights -- the "media" user, and also selinux which would nail it quite quickly). There is also the bug that could break out of the lockscreen if somebody bothered to punch in an absurdly long random password.... but only affects people who actually use a password lock (as opposed to pin, pattern, face, or none).
So here is a very easy little program that stops the SystemUpdateService from doing its thing;
http://github.com/lbdroid/StopOTA
You will have to compile it yourself.
Don't share binaries, I don't like that. If you can't figure out how to compile, you are unworthy, if I catch you, I will stop giving things away for free.
If you want to learn how to compile simple Android applications, feel free to ask! I'd be happy to help.
If you would like to contribute, submit a pull request!
Don't forget to read the project README file, it explains about it properly.
This should work with any device that uses gms SystemUpdateService for its OTAs. I've personally tested on Nexus 5, 6, and 9.
doitright said:
With even a modest set of modifications, the monthly OTA update is incredibly annoying. Especially for people who actually have important things they need to do rather than manually apply updates to their phone.
And we all know that the monthly ota updates are just a show being put on to address complaints that have no bearing in reality. Specifically, all those nasty security holes that really don't lead to anything besides mild annoyance, IF somebody bothered to try to exploit them. Like for example the most [in]famous bug in StageFright that could allow a hacker to... do absolutely nothing of consequence (since it is protected by user access rights -- the "media" user, and also selinux which would nail it quite quickly. There is also the bug that could break out of the lockscreen if somebody bothered to punch in an absurdly long random password.... but only affects people who actually use a password lock (as opposed to pin, pattern, face, or none).
So here is a very easy little program that stops the SystemUpdateService from doing its thing;
http://github.com/lbdroid/StopOTA
You will have to compile it yourself.
Don't share binaries, I don't like that. If you can't figure out how to compile, you are unworthy, if I catch you, I will stop giving things away for free.
If you want to learn how to compile simple Android applications, feel free to ask! I'd be happy to help.
If you would like to contribute, submit a pull request!
Don't forget to read the project README file, it explains about it properly.
This should work with any device that uses gms SystemUpdateService for its OTAs. I've personally tested on Nexus 5, 6, and 9.
or.. you can long press on the ota notification, then press do not notify, without needing the knowledge to compile anything. and yes, anyone can do it, for free, and without the knowledge to compile anything. and, i will keep helping users out. btw, who the heck publishes something on xda, then says they won't publish anything else if they don't compile it themselves? that's the first time i've ever seen anyone post such a ludicrous statement. i'm sorry, but you are the one that's unworthy. i mean all respect to you, i appreciate whatever help you give here on xda, but that statement does nothing for you.
just lol!!
i mean, really, the reasons to buy a nexus device are short and simple,
1. frequent updates to keep you protected and running smooth
2. development and modding
thanks for providing the community with this tool, but seriously, provide them with a working tool or don't post it.
why limit its use to the vast minority of those who can build it, then threaten us with no more of your work if anyone shares it? not cool
so why not post it built for those who might actually use it?
imo, if updates bother you because they're too frequent, you should buy pretty much any non nexus device, and be at the mercy of your carrier for updates.
i can build this, and pretty much anything else i want on my phone, but i would never use it. i guess that's my point here....
doitright said:
With even a modest set of modifications, the monthly OTA update is incredibly annoying. Especially for people who actually have important things they need to do rather than manually apply updates to their phone.
And we all know that the monthly ota updates are just a show being put on to address complaints that have no bearing in reality. Specifically, all those nasty security holes that really don't lead to anything besides mild annoyance, IF somebody bothered to try to exploit them. Like for example the most [in]famous bug in StageFright that could allow a hacker to... do absolutely nothing of consequence (since it is protected by user access rights -- the "media" user, and also selinux which would nail it quite quickly. There is also the bug that could break out of the lockscreen if somebody bothered to punch in an absurdly long random password.... but only affects people who actually use a password lock (as opposed to pin, pattern, face, or none).
So here is a very easy little program that stops the SystemUpdateService from doing its thing;
http://github.com/lbdroid/StopOTA
You will have to compile it yourself.
Don't share binaries, I don't like that. If you can't figure out how to compile, you are unworthy, if I catch you, I will stop giving things away for free.
If you want to learn how to compile simple Android applications, feel free to ask! I'd be happy to help.
If you would like to contribute, submit a pull request!
Don't forget to read the project README file, it explains about it properly.
This should work with any device that uses gms SystemUpdateService for its OTAs. I've personally tested on Nexus 5, 6, and 9.
What an asinine statement. Why make something that you don't want shared? Not everyone knows how to, or wants to install and waste all that HDD space with the adk for just one program. If you don't want it shared, don't publish it.
Sent from my Nexus 6 using XDA Free mobile app
on top of that, i do not own a computer nor laptop, as i know many other people don't. not like i want to build it, but just saying..
Anyone with a Nexus can stop OTA notifications in about 5 minutes by flashing the update with fastboot.
Not for nothing... This post was unnecessary.
Sent from my Nexus 6
simms22 said:
or.. you can long press on the ota notification, then press do notnotify , without needing the knowledge to compile anything. and yes, anyone can do itit, for free, and without the knowledge to compile anything. and, i will keep helping users out. btw, who the heck publishes something on xda, then says they wont publish anything else if they dont compile it themselves? thats a first time ive ever seen anyone post such a ludicrous statement. im sorry, but you are the one thats unworthy. i mean all respect to you, i appreciate whatever help you give here on xda, but that statement does nothing for you.
Hate to break it to you, but killing the notification doesn't kill the process that causes it. It also kills several other notifications that aren't related to the update.
Borderpatrol1987 said:
What an asinine statement. Why make something that you don't want shared? Not everyone knows how to, or wants to install and waste all that HDD space with the adk for just one program. If you don't want it shared, don't publish it.
I didn't say don't share. I said don't share COMPILED.
Those are my terms, not up for argument or negotiation. If you don't like it, you can go away.
Hello everyone. I've always been very keen on adding content guard to my rom. Recently I found out that there was 38% of pirated apps on an android system. I have to admit that I don't own any app which gets me premium apps right now, but I like the flexibility to explore if an app is good or not before buying. At the same time it becomes a flaw because android does not provide any sort of protection.
So the debate starts here, should this be included on the rom? Yes or no, but more importantly why?
Remember that when you install an app which was not bought, you are taking from a dev his "food supply".
Thank you,
Jorge
I liked the idea when it was first implemented by Dave in Exodus: safeguard developer interest and protect the user from any infected app.
Hi, AFAIK there are some options to return a bought app in the play store within some limited time. Also there are a lot of free test versions of apps.. just saying because I was always on the side of freedom of choice.. And finally, if it really gives us more protection it is a necessary thing, but I am aware that some xposed or root apps can be blocked ... it's a really hard decision, Jorge, let's wait for others' opinions...
Yep removing thieves is always the best option! Do it I'd say --- and be prepared for idiots hatin' lol
Transmitted via BACON
gerciolisz said:
Hi AFAIK there are some options to return bought app in a play store within some limitted time. Also there are a lot of free test versions of apps.. just saying because i was always on side of freedom of choice.. And finally if it really give us more protection it is necessary thing but i am aware if some xposed or root apps can be blocked ... its a really hard decission Jorge lets wait for others opinions...
Hello. Basically what this does is protect the developers' interests by not permitting apps which give the ability to have access to premium apps for free. The list is:
https://github.com/ContentGuard/Ant...roid-6.0.1/src/utils/AntiPiracyConstants.java
Only apps whose MAIN purpose is pirating are blocked.
So most likely you won't be affected
If you have any other questions, I'll try to answer these the best way possible
Alex
I would say that it is a good idea, but the number of people that don't like the idea would lead to a negative effect on the ROM and its users just like it happened to Exodus when it first got implemented.
Therefore I would be against the idea of implementing ContentGuard into the ROM.
Sent from my OnePlus One using XDA Labs
BTW I think if they don't want content guard they can just compile the ROM without it.. simple solution
Just stepping in here as a moderator on XDA. Our point of view is: We do support apps like this. XDA has a rule against discussing or requesting warez. If we find any posts that are asking for help, or asking for links to download warez apps, EG an app that is on playstore but needs to be bought, or an app that has in app purchases, if a user is trying to bypass these, we remove it. So from an XDA standpoint developers are free to add ContentGuard into their rom. We have no issues with that at all.
Well, I don't know what is possible with these blocked apps, i.e. if they can be used for legit things or if they are used solely for pirating other apps etc.
If the sole purpose of those apps is stealing, I would include this into the ROM. And if people would complain I would just tell them that stealing is not a supported feature on this ROM.
I mean, you can't go around stealing in RL, there are alarms, walls, safes etc. This is just an anti-theft system for digital goods.
Stone_88 said:
Well I don't know what is possible with these blocked apps, i.e. if they can be used for legit things or if they are used solely for pirating other apps ecc.
If the sole purpose of those apps, is stealing, I would include this into the ROM. And If people would complain I would just tell them that stealing is not a supported feature on this ROM.
I mean, you can't go around stealing in RL, there are alarms, walls, tresors ecc. this is just an anti-theft-system for digital goods.
The criteria for adding an app is whether the main purpose of the app is piracy
Alex
I'm happy either way, I don't use pirated apps and love my devs, so if it helps them add it.. If people want to use these apps then they aren't supporting their devs anyways so freeloaders and thieves can get lost..
jgcaap said:
Hello everyone. I've been always very keen into adding content guard to my rom. Recently I found out that there was 38% of pirated apps on an android system. I have to admit that I don't own any app which gets me premium apps right now, but I like the flexibility to explore if an app is good or not before buying. At the same time it becomes a flaw because android does not provide any sort of protection.
So the debate starts here, should this be included on the rom? Yes or no, but more importantly why?
Remember that when you install an app which was not bought, you are taking from a dev his "food supply".
Thank you,
Jorge
This is completely useless because there exists a xposed module which easily disables the content guard again. Have fun blocking xposed
hellcat50 said:
This is completely useless because there exists a xposed module which easily disables the content guard again. Have fun blocking xposed
Well, related to that, ContentGuard also has a solution where the xposed module doesn't work.
Would like to know your opinion. Do you favor piracy? Why do you think it is useless to fight for a more honest environment? Thanks
hellcat50 said:
This is completely useless because there exists a xposed module which easily disables the content guard again. Have fun blocking xposed
The module doesn't work
TheCrazyLex said:
The module doesn't work
It's working for sure...
I think it's quite stupid to implement anything, which has no effect. If you want pirated apps there are ways also with this module.
Sent from my A0001 using XDA-Developers mobile app
lampshade90 said:
It's working for sure...
I think it's quite stupid to implement anything, which has no effect. If you want pirated apps there are ways also with this module.
Sent from my A0001 using XDA-Developers mobile app
The real question I would like to see your opinion on would be this.
Google hasn't done much to protect developers' work.
As you know many developers donate their time for free to develop apps. And consider some apps should be used for a small fee.
Same as you going to a store and having the option to steal or to buy a book.
Sometimes we think "ah, those companies are gigantic", but they also pay a lot of people to work. Shouldn't that matter?
As a human being, I've donated to xda, donated blood to hospital, donated my free time to help poor people in Portugal, donated my time to help Timor (around 1996-7 when I was a kid). But when I'm providing a service, where the deal is I'll do this and in exchange I'll receive something. Don't you believe it is fair?
The big problem with the anti piracy measures, which in my opinion should be implemented by Google, do not work effectively for users. In exchange many of us get used to that reality. Right? But should we? Or should we try to do something?
I came up with this thread because I've thought about Content Guard as a measure which is not efficient to change and become a safe working environment for people who dedicate their lives to android. But I think we can see this as a symbol of wanting things to change from some people who are frustrated for not being successful in their work.
So I ask you, as all users here. We live and fight our lives to be happy. Should we embrace and try better solutions to find a balance where more people become happy (developers), and in exchange they'll be putting in more time, doing harder work to deliver a better app.
What do you think?
As you know I'm Democratic, and I love to discuss ideas. So please, feel free to share yours. I'll be happy to understand your perspective as it is important to find a common ground together.
Thanks
jgcaap said:
Well related to that, contenguard has also a solution where xposed module doesn't work.
Would like to know your opinion. Do you favor piracy? Why do you think is useless to fight for a more honest enviroment? Thanks
Although I do not pirate apps, I would rather not have contentguard. Google could easily have had anti piracy measures on stock roms considering that a high percentage of apps are pirated, but they didn't, because it compromises the openness of android (I know there are a lot of additional factors to this as well.) Developers of roms shouldn't have to take it upon themselves to force users to not install certain applications because even if contentguard is present, people who pirate can easily switch over to other roms, which means that contentguard only hurts the privacy of people who actually pay for apps.
I understand what the rom developers are trying to do with contentguard, but it is not effective on a large enough scale to be a viable stop to piracy, unless it is implemented by Google themselves (a couple thousand people running a custom rom which happens to have contentguard vs about a billion android devices).
TLDR: No
jgcaap said:
The real question i would like to see your opinion, would be this.
Google haven't done much to protect developers work.
As you know many developers donate their time for free to develop apps. And consider some apps should be used for a small fee.
Same as you going to a store and having the option to steal or to buy a book.
Sometimes we think " ah those companies are gigantic" , but they also pay to alot of people to work. Shouldn't that matter ?
As a human beeing, i've donated to xda, donated blood to hospital, donated my free time to help poor people in Portugal, donated my time to help timor (around 1996-7 when i was a kid). But when i'm providing a service, where the deal is i'll do this and in exchange i'll receive something. Don't you believe it is fair?
The big problem with the anti piracy measures, which in my opinion should be implemented by google , do not work effectivly for users. In exchange many of us get used to that reality. Right? But should we? Or should we try do something?
I came up with this thread because, I've thought about Content Guard as a measure which is not efficient to change and become a safe working enviroment for people which dedicate their lives to android. But I think we can see this as a simbol of wanting things to change from some people which are frustrated for not beeing sucessfull in their work.
So I ask you, as all users here. We live and fight our lifes to be happy. Should we embrace and try better solutions to find a balance where more people becomes happy (developers), and in exchange they'll be putting more time, doing a harder work to deliver a better app.
What do you think?
As you know i'm Democratic, and I love to discuss ideas. So please, feel free to share yours. I'll be happy to understand your perpective as it is important to find a common ground together.
Thanks
To me it seems that you haven't understood the meaning of capitalism.
Some people will live, some people will die. Some people will be rich, some poor, same for companies.
That's the world.
I think it's up to the developer. There are ways to make piracy harder. The harder you make it, the more people will buy it. If you're not capable of programming an app which is hard to crack, you should definitely change your job to something you're good at.
Your social engagement might be good for you, for me it would be wasting my small amount of time. From your text you could get an intention that it's god given what you will make out of your life. It's definitely not.
I don't care if you implement this. You will make it harder to use pirated apps but it's still possible and it's work for you. So I have no opinion on this topic, I just wanted to state that it will be work for you, fewer people will use your rom and if you want pirated apps it's still possible.
But honestly no one will buy an app due to your implementation. Maybe it will gain you experience but nothing more....
Sent from my A0001 using XDA-Developers mobile app
lampshade90 said:
For me it seems, that you haven't understand the meaning of capitalism.
Some people will live some people will die. Some people will be rich, some poor, same for companies.
That's the world.
I think it's up to the developer. There are ways to make piracy harder. The harder you will make it, the more people will buy it. If you're not capable of programming an app, which is hard to Crack you should definitely change your job to something you're good at.
Your social engagement might be good for you, for me it would wasting my small amount of time. From your text you could get an intention that it's god given what you will make out of your life. It's definitely not.
I don't care if you implement this. You will make it harder to use pirated apps but it's still possible and it's work for you. So I have no opinion to this topic I just wanted state out, that it will be work for you, less people will use your rom and if you want pirated apps it's still possible.
But honestly noone will buy an app due to your implementation. Maybe it will gain you experience but nothing more....
Sent from my A0001 using XDA-Developers mobile app
Well, it is also true that we live in capitalism. But the way you express it is like it doesn't have flaws. Do you really believe that?
I haven't decided on adding it yet. I like to listen to people, to speak and discuss. For you it might be a loss of your time... But for me it is information gathered among different people, which I believe is important, or I would be rather selfish doing things without asking questions. No? =p
Hehe.
Thank you for your honest answer.
f41lbl0g said:
Although I do not pirate apps, I would rather not have contentguard. Google could've easily have anti piracy measures on stock roms considering that a high percentage of apps are pirated, but they didn't, because it compromises the openness of android (I know there are a lot of additional factors to this as well.) Developers of roms shouldn't have to take it upon themselves to force users to not install certain applications because even if contentguard is present, people who pirate can easily switch over to other roms, which means that contentguard only hurts the privacy people who actually pay for apps.
I understand what the rom developers are trying to do with contentguard, but it is not effective on a large enough scale to be a viable stop to piracy, unless it is implemented google themselves (a couple thousand of people running a custom rom which happen to have contentguard vs about a billion android devices).
TLDR: No
Thanks