Interesting article about Android



sophos.com: <http://wp.me/p120rT-aPs>
    -----
    Information security professional Thomas Cannon disclosed a new
    vulnerability in Google's Android operating system this week on
    his blog.

    Baking security into the recipe from the start is clearly an
    advantage for the Android platform.

    Now for the #fail. Android, like Windows Phone, is largely
    designed to be an open platform. Windows Phone does require
    licensing, but supports many handset makers similar to the Android
    strategy. What do I mean by this? Many carriers and manufacturers
    of handsets are encouraged and able to use the operating system
    and adapt it to just about any form factor they can imagine. HTC,
    Samsung, Motorola, Acer and others each can make interesting,
    innovative devices and customize the operating system to meet
    their needs.

    This sounds like a good thing, right? It is awesome if you are a
    consumer and want the maximum amount of choice and flexibility.
    The problem comes in when you have to patch or maintain the
    software that drives these devices when they only have the most
    basic components in common. This is the security nightmare that
    Android is beginning to face. Every device on every carrier has a
    slightly unique configuration that requires that phone's
    manufacturer and carrier to update its software independent of
    what Google may have provided.

    Many applications are embedded into the operating system itself
    like the browser, contact manager and calendar. This means you
    must upgrade the OS to patch any flaws discovered in these
    programs. Currently this is the fatal flaw in Android's security
    model.

    Google has developed a fix for this flaw and has stated they will
    fix it in a maintenance release for the upcoming Gingerbread (2.3)
    release. That's great, but means even the most modern of devices
    will be exposed to attack for a month or more and older Android
    phones may be vulnerable in perpetuity. Apple and RIM do not face
    these types of issues because they have a limited selection of
    hardware shipping and provide OS updates only for devices they
    manufacture.
    -----

Interesting: both the idea that the choice Android offers is "awesome" but
comes with a significant price... in this case security.

Some in COLA seem to not be able to accept this.


-- 
[INSERT .SIG HERE]


0
Reply Snit 11/28/2010 2:27:02 AM

Snit <usenet@gallopinginsanity.com> writes:

> sophos.com: <http://wp.me/p120rT-aPs>
>     -----
>     Information security professional Thomas Cannon disclosed a new
>     vulnerability in Google's Android operating system this week on
>     his blog.
>
>     Baking security into the recipe from the start is clearly an
>     advantage for the Android platform.
>
>     Now for the #fail. Android, like Windows Phone, is largely
>     designed to be an open platform. Windows Phone does require
>     licensing, but supports many handset makers similar to the Android
>     strategy. What do I mean by this? Many carriers and manufacturers
>     of handsets are encouraged and able to use the operating system
>     and adapt it to just about any form factor they can imagine. HTC,
>     Samsung, Motorola, Acer and others each can make interesting,
>     innovative devices and customize the operating system to meet
>     their needs.
>
>     This sounds like a good thing, right? It is awesome if you are a
>     consumer and want the maximum amount of choice and flexibility.
>     The problem comes in when you have to patch or maintain the
>     software that drives these devices when they only have the most
>     basic components in common. This is the security nightmare that
>     Android is beginning to face. Every device on every carrier has a
>     slightly unique configuration that requires that phone's
>     manufacturer and carrier to update its software independent of
>     what Google may have provided.
>
>     Many applications are embedded into the operating system itself
>     like the browser, contact manager and calendar. This means you
>     must upgrade the OS to patch any flaws discovered in these
>     programs. Currently this is the fatal flaw in Android's security
>     model.
>
>     Google has developed a fix for this flaw and has stated they will
>     fix it in a maintenance release for the upcoming Gingerbread (2.3)
>     release. That's great, but means even the most modern of devices
>     will be exposed to attack for a month or more and older Android
>     phones may be vulnerable in perpetuity. Apple and RIM do not face
>     these types of issues because they have a limited selection of
>     hardware shipping and provide OS updates only for devices they
>     manufacture.
>     -----
>
> Interesting: both the idea that the choice Android offers is "awesome" but
> comes with a significant price... in this case security.
>
> Some in COLA seem to not be able to accept this.

How can they not? It's as clear as day. None of the apps in the market
are vetted. It's almost trivial to write an app which steals people's data
or racks up huge phone bills.

0
Reply Hadron 11/28/2010 2:31:25 AM


Hadron stated in post icsetu$chj$1@news.eternal-september.org on 11/27/10
7:31 PM:

> Snit <usenet@gallopinginsanity.com> writes:
> 
>> sophos.com: <http://wp.me/p120rT-aPs>
>>     -----
>>     Information security professional Thomas Cannon disclosed a new
>>     vulnerability in Google's Android operating system this week on
>>     his blog.
>> 
>>     Baking security into the recipe from the start is clearly an
>>     advantage for the Android platform.
>> 
>>     Now for the #fail. Android, like Windows Phone, is largely
>>     designed to be an open platform. Windows Phone does require
>>     licensing, but supports many handset makers similar to the Android
>>     strategy. What do I mean by this? Many carriers and manufacturers
>>     of handsets are encouraged and able to use the operating system
>>     and adapt it to just about any form factor they can imagine. HTC,
>>     Samsung, Motorola, Acer and others each can make interesting,
>>     innovative devices and customize the operating system to meet
>>     their needs.
>> 
>>     This sounds like a good thing, right? It is awesome if you are a
>>     consumer and want the maximum amount of choice and flexibility.
>>     The problem comes in when you have to patch or maintain the
>>     software that drives these devices when they only have the most
>>     basic components in common. This is the security nightmare that
>>     Android is beginning to face. Every device on every carrier has a
>>     slightly unique configuration that requires that phone's
>>     manufacturer and carrier to update its software independent of
>>     what Google may have provided.
>> 
>>     Many applications are embedded into the operating system itself
>>     like the browser, contact manager and calendar. This means you
>>     must upgrade the OS to patch any flaws discovered in these
>>     programs. Currently this is the fatal flaw in Android's security
>>     model.
>> 
>>     Google has developed a fix for this flaw and has stated they will
>>     fix it in a maintenance release for the upcoming Gingerbread (2.3)
>>     release. That's great, but means even the most modern of devices
>>     will be exposed to attack for a month or more and older Android
>>     phones may be vulnerable in perpetuity. Apple and RIM do not face
>>     these types of issues because they have a limited selection of
>>     hardware shipping and provide OS updates only for devices they
>>     manufacture.
>>     -----
>> 
>> Interesting: both the idea that the choice Android offers is "awesome" but
>> comes with a significant price... in this case security.
>> 
>> Some in COLA seem to not be able to accept this.
> 
> How can they not? It's as clear as day. None of the apps in the market
> are vetted. It's almost trivial to write an app which steals people's data
> or racks up huge phone bills.
> 
Not only are apps not vetted, the OS itself is modified by different
manufacturers... each with different goals.  This will burn some users.


-- 
[INSERT .SIG HERE]


0
Reply Snit 11/28/2010 2:56:45 AM

Snit <usenet@gallopinginsanity.com> writes:

> Hadron stated in post icsetu$chj$1@news.eternal-september.org on 11/27/10
> 7:31 PM:
>
>> Snit <usenet@gallopinginsanity.com> writes:
>> 
>>> sophos.com: <http://wp.me/p120rT-aPs>
>>>     -----
>>>     Information security professional Thomas Cannon disclosed a new
>>>     vulnerability in Google's Android operating system this week on
>>>     his blog.
>>> 
>>>     Baking security into the recipe from the start is clearly an
>>>     advantage for the Android platform.
>>> 
>>>     Now for the #fail. Android, like Windows Phone, is largely
>>>     designed to be an open platform. Windows Phone does require
>>>     licensing, but supports many handset makers similar to the Android
>>>     strategy. What do I mean by this? Many carriers and manufacturers
>>>     of handsets are encouraged and able to use the operating system
>>>     and adapt it to just about any form factor they can imagine. HTC,
>>>     Samsung, Motorola, Acer and others each can make interesting,
>>>     innovative devices and customize the operating system to meet
>>>     their needs.
>>> 
>>>     This sounds like a good thing, right? It is awesome if you are a
>>>     consumer and want the maximum amount of choice and flexibility.
>>>     The problem comes in when you have to patch or maintain the
>>>     software that drives these devices when they only have the most
>>>     basic components in common. This is the security nightmare that
>>>     Android is beginning to face. Every device on every carrier has a
>>>     slightly unique configuration that requires that phone's
>>>     manufacturer and carrier to update its software independent of
>>>     what Google may have provided.
>>> 
>>>     Many applications are embedded into the operating system itself
>>>     like the browser, contact manager and calendar. This means you
>>>     must upgrade the OS to patch any flaws discovered in these
>>>     programs. Currently this is the fatal flaw in Android's security
>>>     model.
>>> 
>>>     Google has developed a fix for this flaw and has stated they will
>>>     fix it in a maintenance release for the upcoming Gingerbread (2.3)
>>>     release. That's great, but means even the most modern of devices
>>>     will be exposed to attack for a month or more and older Android
>>>     phones may be vulnerable in perpetuity. Apple and RIM do not face
>>>     these types of issues because they have a limited selection of
>>>     hardware shipping and provide OS updates only for devices they
>>>     manufacture.
>>>     -----
>>> 
>>> Interesting: both the idea that the choice Android offers is "awesome" but
>>> comes with a significant price... in this case security.
>>> 
>>> Some in COLA seem to not be able to accept this.
>> 
>> How can they not? It's as clear as day. None of the apps in the market
>> are vetted. It's almost trivial to write an app which steals people's data
>> or racks up huge phone bills.
>> 
> Not only are apps not vetted, the OS itself is modified by different
> manufacturers... each with different goals.  This will burn some users.

This is my biggest bugbear. This is why so many people, myself
included, are dropping Android. We are simply NOT getting the promised
OS updates since the 3rd party mfrs are too busy playing catch-up in the
HW stakes to invest time and money in porting their proprietary
extensions to the newer Android versions which are appearing quicker
than Roy's spam, TomB's "new position" or Chris Ahlstrom's suck up
posts.

I wonder why none of the "Free" advocates here offer to port the SW for
them?

0
Reply Hadron 11/28/2010 10:59:34 AM

On 2010-11-28, the following emerged from the brain of Hadron:
> TomB's "new position"

Uh? Are you developing an obsession?

-- 
Actually, I think he's the most over-rated human being since Judas Iscariot won
the AD31 Best Disciple Competition.
	~ Blackadder
0
Reply TomB 11/28/2010 12:08:00 PM

TomB pulled this Usenet face plant:

> On 2010-11-28, the following emerged from the brain of Hadron:
>> TomB's "new position"
>
> Uh? Are you developing an obsession?

Developing?  "Hadron"'s primary obsession has been insulting, nay-saying,
and shitting all over the posts of anyone with anything positive to say
about something related to Linux.

After years of drivel, sometimes at an insane volume level,
"Hadron" has merely toned his dismissive rhetoric down slightly.

-- 
<Roy> Linux sucks and I have decided it will never work properly so have
installed XP.
<Liarnut> Phnaar, phnarr, you go tell 'em Roy. That sure is some real
goddarn good 'adferrcating youse is doing boy! You a shows them finicky
tootin Windoes shillickens whose a running this chicken coup!<GRIN>
<Terry Porter> : Goddamme Roy mate, you show know how to bamboozle these
Sheilas! Good one! Fair Dinkum! Oy Mate! Down Liarnut, down Oy say!
   -- "Hadron", gibbering and capering in <gi5n7p$lk1$1@reader.motzarella.org>
0
Reply Chris 11/28/2010 1:36:26 PM

"Snit" <usenet@gallopinginsanity.com> wrote in message 
news:C9170C06.84492%usenet@gallopinginsanity.com...
> sophos.com: <http://wp.me/p120rT-aPs>
>    -----
>    Information security professional Thomas Cannon disclosed a new
>    vulnerability in Google's Android operating system this week on
>    his blog.
>
>    Google has developed a fix for this flaw and has stated they will
>    fix it in a maintenance release for the upcoming Gingerbread (2.3)
>    release. That's great, but means even the most modern of devices
>    will be exposed to attack for a month or more and older Android
>    phones may be vulnerable in perpetuity.

Wait a month (or forever) for a fix.... why doesn't the "community" fix it 
right away?

Oh wait - there is no community. This is an OS that's entirely controlled by 
a single corporation. It'll get fixed if and when they decide to fix it.





0
Reply Ezekiel 11/28/2010 1:40:05 PM

"Ezekiel" <zeke@nosuchmail.com> writes:

> "Snit" <usenet@gallopinginsanity.com> wrote in message 
> news:C9170C06.84492%usenet@gallopinginsanity.com...
>> sophos.com: <http://wp.me/p120rT-aPs>
>>    -----
>>    Information security professional Thomas Cannon disclosed a new
>>    vulnerability in Google's Android operating system this week on
>>    his blog.
>>
>>    Google has developed a fix for this flaw and has stated they will
>>    fix it in a maintenance release for the upcoming Gingerbread (2.3)
>>    release. That's great, but means even the most modern of devices
>>    will be exposed to attack for a month or more and older Android
>>    phones may be vulnerable in perpetuity.
>
> Wait a month (or forever) for a fix.... why doesn't the "community" fix it 
> right away?
>
> Oh wait - there is no community. This is an OS that's entirely controlled by 
> a single corporation. It'll get fixed if and when they decide to fix it.

Of course the publication of these issues now means most of those on
pre-2.2 are fucked. New handset time.

One or two of the "advocates" need to put their hands up and accept that
Google have made a complete and utter mess of Android deployment and
development.

0
Reply Hadron 11/28/2010 1:48:26 PM

Hadron stated in post ictmja$puj$2@news.eternal-september.org on 11/28/10
6:48 AM:

> "Ezekiel" <zeke@nosuchmail.com> writes:
> 
>> "Snit" <usenet@gallopinginsanity.com> wrote in message
>> news:C9170C06.84492%usenet@gallopinginsanity.com...
>>> sophos.com: <http://wp.me/p120rT-aPs>
>>>    -----
>>>    Information security professional Thomas Cannon disclosed a new
>>>    vulnerability in Google's Android operating system this week on
>>>    his blog.
>>> 
>>>    Google has developed a fix for this flaw and has stated they will
>>>    fix it in a maintenance release for the upcoming Gingerbread (2.3)
>>>    release. That's great, but means even the most modern of devices
>>>    will be exposed to attack for a month or more and older Android
>>>    phones may be vulnerable in perpetuity.
>> 
>> Wait a month (or forever) for a fix.... why doesn't the "community" fix it
>> right away?
>> 
>> Oh wait - there is no community. This is an OS that's entirely controlled by
>> a single corporation. It'll get fixed if and when they decide to fix it.
> 
> Of course the publication of these issues now means most of those on
> pre-2.2 are fucked. New handset time.
> 
> One or two of the "advocates" need to put their hands up and accept that
> Google have made a complete and utter mess of Android deployment and
> development.
> 
With all of its problems - it is the biggest competitor to iOS on the
iPhone, at least for now.  And for that I am grateful to see it.


-- 
[INSERT .SIG HERE]


0
Reply Snit 11/28/2010 4:17:38 PM

TomB wrote:

> Hadron quacked:
>>
>> TomB's "new position"
>
> Uh? Are you developing an obsession?

You're near the top of Quack's shit-list, dude, for spanking him so
many times.

-- 
"This type of polish and detail simply does not occur in most non
company funded OSS because no one has the time or the desire to do it.
Most are too busy making money from Windows SW."  -  "True Linux
advocate" Hadron Quark
0
Reply chrisv 11/29/2010 3:30:21 PM
