Related
Is it possible to implement some sort of block for this kind of system dump?
Slashdot link
Could it be as simple as leaving USB debugging off and using a pin/pattern lock? Or would it require something as complex as whole-disk (card) encryption like TrueCrypt?
It really depends..
First.. those kinds of articles do have a way of getting blown out of proportion.
I've heard a lot about what people "can" do only to find out that when you really start digging into it... they made false/misleading claims.
Although if the article is to be believed.. a password wouldn't do any good as you can read "defeats password protection."
Something along the lines of truecrypt would be a prerequisite..
Also.. there are some major legal problems.. like sensitive data on phones ranging from a frisky girlfriend/boyfriend to confidential patient information in a doctor/lawyers email..
Pull battery
If I have helped press thanks.
Without a warrant, what they are doing is against the law. To obtain a warrant they would have to specify what was being looked for and need to be reasonably confident the phone have evidence leading to prosecution of believed criminal offense.
Remember, Lawful and Legal are two entirely different things. So they may be searching phones unlawfully while legally within bounds.
Law = Immutable rule, you know them with out being told (ex, Do not steal, Do not kill)
Statute = Legislation given the force of law (ex. seat belt , any "rule" you must be told of)
Code = Legislation given the force of law by Corp. (ex. local code- dry counties, no smoking in city bars, must wear black shoes to work at walmart < lol )
Encryption will stop this. I don't see it being a problem though due to the fact nothing found will be usable in ANY court of law without having obtained a warrant. Know and use your rights, as they will continue to be taken away until "YOU" draw the line in the sand and say No More.
Also: This is not new tech, they been doing this for some time, had the capability at least. Agree with Snow_Fox.... it is blown out of proportion, but for other reason. Its not that they cant, its that at this time, it is not a rampant thing. From there do what you will ......
Agreed with everything said with regards to legality. However, our government seems to do a lot of things illegally. It seems that all a law enforcement person has to say is "terrorism" and they get a hall pass for anything.
Sent from my SAMSUNG-SGH-I897 using XDA App
I am just glad to see such responses to this.. We need to spread the word.
Maybe its time to create a website dedicated to educating people of the (what should be shocking and horrifying) loss of rights we seem to be having.
halfsoul said:
Agreed with everything said with regards to legality. However, our government seems to do a lot of things illegally. It seems that all a law enforcement person has to say is "terrorism" and they get a hall pass for anything.
Sent from my SAMSUNG-SGH-I897 using XDA App
Click to expand...
Click to collapse
Oh yes, I agree, they will/do. The thing is we need to be brave enough to stand up and so NO and "enforce our rights", or they will surely continue to walk all over the scared general population.
Also, it is clearly illegal. To search your home pc, a warrant must be obtained. To get you home phone records, a warrant must be obtained. To listen to your phone calls, a warrant must be obtained. To look at your photo album in your hall closet, a warrant must be obtained. To search the locked trunk/glove compartment of your vehicle, a warrant must be obtained.
Smartphones are comparable to all of the above combined into one.A warrant less search is definitely illegal and unlawful and a violation of rights. Hold some feets to the fire, learn to say NO, consequences will never be the same
Snow_fox said:
I am just glad to see such responses to this.. We need to spread the word.
Maybe its time to create a website dedicated to educating people of the (what should be shocking and horrifying) loss of rights we seem to be having.
Click to expand...
Click to collapse
There is a website called eff.org
but unfortunately most Americas are too distracted and really don't care!
I f#$%n care while most of the people i know, have no idea what is happeneing!
My view is humans get used to small changes but not big changes. What people don't realize is the changes to our rights is small and slow but one day WE WILL WAKE UP to a world of complete control and the idea of freedom won't even be comprehendable to future generations!
Maybe Big Brother is inevitable but thanks to terrorism, it has only accelerated the progression to Complete Control!
Sent from my ADR6400L
bulletproof1013 said:
Pull battery
If I have helped press thanks.
Click to expand...
Click to collapse
Or turn it off?
Human smugglers get around police being able to look at their phones by keeping the battery out of the phone
Sent from my SAMSUNG-SGH-I897 using XDA App
I don't think pulling the battery or turning it off is reasonable. If someone has hardware to do a dump, surely they can provide power and turn it on.
I'm looking for something more along the lines of disabling the usb port or encrypting the sd cards.
Sent from my SAMSUNG-SGH-I897 using XDA App
halfsoul said:
I don't think pulling the battery or turning it off is reasonable. If someone has hardware to do a dump, surely they can provide power and turn it on.
I'm looking for something more along the lines of disabling the usb port or encrypting the sd cards.
Sent from my SAMSUNG-SGH-I897 using XDA App
Click to expand...
Click to collapse
Power without a battery? Tell me how and we'll make trillions!
Added: If you're that worried about what someone can discern from your phone, you got bigger issues.
it is soo vague i think this is a conceptual project and not something being deployed, if it were in use there would be more details, does it communicate over cellular? wifi? bluetooth? usb? are gsm phones safe?, are cdma phones safe?
can it be done without the driver knowing about it? or is it a search you can refuse? can you protect against it by encrypting the sd card, the sdcard + /system + /data +/cache?
what security exploits does it use?
Sounds to me like a technology that is available and there is no evidence yet that it is being abused. Odd though that the article has obvious errors, stating that Michigan has no cell phone laws, as texting and driving will get you pulled over. This opens the door to more abuse by police than worrying about them illegaly searching my phone. All they have to do is see you looking at your phone and they can claim that you appeared to be texting, thus justifying the traffic stop. I in no way condone texting/driving but it seems that we have given the police free reign to pull anyone over virtually at will given the plethora of "primary" offenses.
cappysw10 said:
Power without a battery? Tell me how and we'll make trillions!
Added: If you're that worried about what someone can discern from your phone, you got bigger issues.
Click to expand...
Click to collapse
Please tell me you're joking. The micro usb cable provides power + data simultaneously, try it for yourself if you don't believe me. And freedom & privacy should be everyone's biggest issue -- at least, all Americans.
Dani897 said:
it is soo vague i think this is a conceptual project and not something being deployed, if it were in use there would be more details, does it communicate over cellular? wifi? bluetooth? usb? are gsm phones safe?, are cdma phones safe?
can it be done without the driver knowing about it? or is it a search you can refuse? can you protect against it by encrypting the sd card, the sdcard + /system + /data +/cache?
what security exploits does it use?
Click to expand...
Click to collapse
If you followed the links to read the articles you would see that it is already deployed and in use, hence the ACLU FOIA request.
According to Cellebrite's website here, the Captivate is by cable (screencap attached).
Not much info about the exploits' particulars, but here are some choice snippets from Cellebrite's site:
Superior handset support - Over 3,000 handset models supported, with monthly software updates for newly released devices prior to carrier launch. The system includes more than 85 data cables for connecting 95% of all handset models worldwide. Cellebrite has exclusive carrier agreements and works directly with cellular phone manufacturers to receive pre-production handsets prior to retail launch.
Complete extraction of mobile phone data - Contacts, SMS Messages, pictures, videos, call logs (dialed, received, missed), ESN/IMEI, audio files, and deleted SMS/Call History from the SIM/USIM.
Memory Dump - Complete dump of phone file system for select handsets, providing the ability to extract otherwise inaccessible files, and user passwords.
Click to expand...
Click to collapse
And here you can see it in action.
halfsoul said:
Please tell me you're joking. The micro usb cable provides power + data simultaneously, try it for yourself if you don't believe me. And freedom & privacy should be everyone's biggest issue -- at least, all Americans.
Click to expand...
Click to collapse
ACTUALLY you may want to try it yourself. the phone DOES NOT RUN OR MOUNT without battery. take out battery, plug it in, and dont post anything on xda until it mounts to your PC... I'll wait here for you...
If you Plug it in first and remove the battery it will run for 22 seconds then shut off (with official Samsung AC charger) and 4 seconds with aftermarket "USB" charging
bulletproof1013 said:
Pull battery
If I have helped press thanks.
Click to expand...
Click to collapse
Yeah, that's going to do a lot of good.
Surely if they are asking for the phone they will also either ask you to stop taking out the battery or if you have already done so, ask for the battery also?
In either case it is no different than simply refusing to give the phone. Either you get away with it because they are taking advantage of people being intimidated into giving them permission or they arrest you for refusing to give them the phone or the battery.
Even worse, taking the battery out just makes you look like a smartass if they see you doing it.
TRusselo said:
ACTUALLY you may want to try it yourself. the phone DOES NOT RUN OR MOUNT without battery. take out battery, plug it in, and dont post anything on xda until it mounts to your PC... I'll wait here for you...
If you Plug it in first and remove the battery it will run for 22 seconds then shut off (with official Samsung AC charger) and 4 seconds with aftermarket "USB" charging
Click to expand...
Click to collapse
You're right, I stand corrected.
jimk9 said:
Yeah, that's going to do a lot of good.
Surely if they are asking for the phone they will also either ask you to stop taking out the battery or if you have already done so, ask for the battery also?
In either case it is no different than simply refusing to give the phone. Either you get away with it because they are taking advantage of people being intimidated into giving them permission or they arrest you for refusing to give them the phone or the battery.
Even worse, taking the battery out just makes you look like a smartass if they see you doing it.
Click to expand...
Click to collapse
Exactly. Especially for those of us with cases.
In addition, this has broader application than just keeping your info private from authorities. What about if your phone is lost or stolen? You wouldn't have an opportunity to pull the battery.
but im sure if they have a dump computer, it wouldnt be a far reach at all to have a variable voltage power supply with 2 tiny clip on leads....
but there is any EASY fix for this,
but not capable on our captivate, needs some programming...
in the newer phones they have NFC chip readers, (Near Field Communication)
get a micro chip NFC implanted into your body, and have the new generation phones encrypt its whole OS to your Chip ID on first boot, and needs your chip near by to do anything at all or unlock it by storing your chip in flash memory temporarily until locked again.
easy fix.
As long as there are devices that that store information there will be devices that can swipe it. As for if it is right or not, that is not my place to say. A simple lock will require that the cops get a search warrent for it, so just keep it locked.
I personally hate people who text and drive but there will always be people that do it no matter who they hurt while they do it.
There will be no true way to stop this if what they are saying is true. As they would need to be working with the OS makers for it to work. So while these devices may have just come into light, they have been around for awhile. We will keep an eye on it, but to be honest all that one could really do is not keep anything on the phone that you have to worry about the cops seeing.
There is an ota update of 142.00mb, Im trying to download it and I keep getting error. it reboots into recovery and says 25% then it boots into main phone, then it says install update was unsuccessful. Any ideas? I did have my phone rooted it before, the method I used was threw the app store.
the_professor. said:
There is an ota update of 142.00mb, Im trying to download it and I keep getting error. it reboots into recovery and says 25% then it boots into main phone, then it says install update was unsuccessful. Any ideas? I did have my phone rooted it before, the method I used was threw the app store.
Click to expand...
Click to collapse
Go here...http://forum.xda-developers.com/att-galaxy-s5/general/g900and3tong3keeprootota-zip-t2862299
Read trouble shooting
I dont want to root it again, i wanted to unroot it, i seem to be having alot of problems since I rooted .
the_professor. said:
I dont want to root it again, i wanted to unroot it, i seem to be having alot of problems since I rooted .
Click to expand...
Click to collapse
You don't have to root, that's why I said read the trouble shooting in the op.
what is op? sorry
the_professor. said:
what is op? sorry
Click to expand...
Click to collapse
Opening post or sometimes Original poster.
I've been getting a notification about an update that I repeatedly decline. About 15 min ago it was forced to my phone but failed. What I mean by forced is I had no option to decline/remind me later. Now my biggest issue with that is how do they know or why do they think I'm not using my phone to handle important business? That is what aggravated me the most. Assuming I want the update, and attempting to force it on my phone. I'm pissed for real for the first time with AT&T.
Assassyn said:
I've been getting a notification about an update that I repeatedly decline. About 15 min ago it was forced to my phone but failed. What I mean by forced is I had no option to decline/remind me later. Now my biggest issue with that is how do they know or why do they think I'm not using my phone to handle important business? That is what aggravated me the most. Assuming I want the update, and attempting to force it on my phone. I'm pissed for real for the first time with AT&T.
Click to expand...
Click to collapse
Short answer - they don't care. Their interest in maintaining residual control over your property is more important to them than whatever you want to do with your property.
Assassyn said:
I've been getting a notification about an update that I repeatedly decline. About 15 min ago it was forced to my phone but failed. What I mean by forced is I had no option to decline/remind me later. Now my biggest issue with that is how do they know or why do they think I'm not using my phone to handle important business? That is what aggravated me the most. Assuming I want the update, and attempting to force it on my phone. I'm pissed for real for the first time with AT&T.
Click to expand...
Click to collapse
Not to defend any carrier but my guess is they felt it was an important enough update and had to be pushed to the phone after the repeated attempts were declined. I agree that this is not a proper practice and perhaps a call to executive services filing a complaint might help in the long run. But as the other 99% of owners that are not rooted or modified will probably just accept the update, they have little concern for the rooted community. One would hope that it was detecting a period of low activity?
Kamchak said:
Short answer - they don't care. Their interest in maintaining residual control over your property is more important to them than whatever you want to do with your property.
Click to expand...
Click to collapse
Ah..the old "my property" argument....well what rights you have to things you purchase are subjective. In most communities a homeowner cannot park a vehicle on his own grass, nor keep unregistered vehicles in his driveway unless covered, has to maintain the property...and thousands of other laws and ordinances telling them exactly what they can and cannot do to their owned "property." Cell phones are a communication device thus governed by communication laws allowing the carriers to tell you what you can and cannot do to your "property" for security and communication regulated reasons. The only way around those regulations forcing updates to you (to a certain degree) is to buy an unlocked device from independent sales outlets. Using a certain carrier will then add their restrictions to you in the TOS that you sign.
KennyG123 said:
Ah..the old "my property" argument....well what rights you have to things you purchase are subjective. In most communities a homeowner cannot park a vehicle on his own grass, nor keep unregistered vehicles in his driveway unless covered, has to maintain the property...and thousands of other laws and ordinances telling them exactly what they can and cannot do to their owned "property." Cell phones are a communication device thus governed by communication laws allowing the carriers to tell you what you can and cannot do to your "property" for security and communication regulated reasons. The only way around those regulations forcing updates to you (to a certain degree) is to buy an unlocked device from independent sales outlets. Using a certain carrier will then add their restrictions to you in the TOS that you sign.
Click to expand...
Click to collapse
Although I understand what you are saying, and (being a homeowner) understand the realities of your post, I am uncertain as to the purpose in making the answer. Although my answer may be an old argument, that doesn't make it an erroneous argument. Their consideration for our interests begins and ends with our wallets. They couldn't care less about what we want to do with our communication equipment, whether bought from a certain carrier or an independent sales outlet. I'd venture to guess that their TOS isn't any different, regardless from where you obtain the property.
As far as there not being a way around their control, isn't that why this site exists? I thought what xda-developers was here for was to help people get the most out of their devices by providing a collaborative environment where people could share their experiences of creative use and exploration of said property without restriction by other entities?
Kamchak said:
Although I understand what you are saying, and (being a homeowner) understand the realities of your post, I am uncertain as to the purpose in making the answer. Although my answer may be an old argument, that doesn't make it an erroneous argument. Their consideration for our interests begins and ends with our wallets. They couldn't care less about what we want to do with our communication equipment, whether bought from a certain carrier or an independent sales outlet. I'd venture to guess that their TOS isn't any different, regardless from where you obtain the property.
As far as there not being a way around their control, isn't that why this site exists? I thought what xda-developers was here for was to help people get the most out of their devices by providing a collaborative environment where people could share their experiences of creative use and exploration of said property without restriction by other entities?
Click to expand...
Click to collapse
What you say is true...I was just trying to clarify the entitlement I see way too often regarding what people feel are their rights to do what they want with their "property." As a communication device it is not fully anyone's property until deactivated.
This site does exist to help members do more with their devices than intended by the carrier..however that comes with ramifications like voiding the warranty or violating TOS. There are many posts made by people thrown off of their carrier for tethering huge amounts of data. As for a way around their control...there are many methods available on this site to avoid updates. At the first sign of an unwanted updated the OP should have sought those methods out. I know...it was a surprise that it got forced on the device (though failing) without consent. I am sure there is some clause in the TOS allowing that. So I apologize if it seemed my post was directed at you..it was just to clarify this "property" idea that I see spouted way too often around this site. :good:
KennyG123 said:
Not to defend any carrier but my guess is they felt it was an important enough update and had to be pushed to the phone after the repeated attempts were declined. I agree that this is not a proper practice and perhaps a call to executive services filing a complaint might help in the long run. But as the other 99% of owners that are not rooted or modified will probably just accept the update, they have little concern for the rooted community. One would hope that it was detecting a period of low activity?
Ah..the old "my property" argument....well what rights you have to things you purchase are subjective. In most communities a homeowner cannot park a vehicle on his own grass, nor keep unregistered vehicles in his driveway unless covered, has to maintain the property...and thousands of other laws and ordinances telling them exactly what they can and cannot do to their owned "property." Cell phones are a communication device thus governed by communication laws allowing the carriers to tell you what you can and cannot do to your "property" for security and communication regulated reasons. The only way around those regulations forcing updates to you (to a certain degree) is to buy an unlocked device from independent sales outlets. Using a certain carrier will then add their restrictions to you in the TOS that you sign.
Click to expand...
Click to collapse
I was able to get them to go away after freezing the updater apk file with Titanium BackUp. Haven't been bothered since. I think if it's that serious to where they need to force an update, they should at least tell us what the major concern is. Very likely that they won't but it's ok, I "fixed" it enough for my liking.
Assassyn said:
I was able to get them to go away after freezing the updater apk file with Titanium BackUp. Haven't been bothered since. I think if it's that serious to where they need to force an update, they should at least tell us what the major concern is. Very likely that they won't but it's ok, I "fixed" it enough for my liking.
Click to expand...
Click to collapse
Yes! Thankfully there is no shortage of information on this site on how to prevent OTA's and the annoying nags.
KennyG123 said:
Yes! Thankfully there is no shortage of information on this site on how to prevent OTA's and the annoying nags.
Click to expand...
Click to collapse
I take my annoying nag out to dinner a couple times a month. Oops don't tell her I said that or I'll be building another doghouse. ????
"You stay classy San Diego"
Sent from my G900A powered by XKRom GoldLimiTed.
https://www.washingtonpost.com/news...o-buy-almost-anything/?utm_term=.088c0c1a80ff
It seems like this directly applies to the ability to root and tinker with our electronics?
Edit: if some mod would fix my grammar in the post title...that would be great.
skinote said:
https://www.washingtonpost.com/news...o-buy-almost-anything/?utm_term=.088c0c1a80ff
It seems like this directly applies to the ability to root and tinker with our electronics?
Click to expand...
Click to collapse
It's been a little while, but figured I'd reply about it, because I had the same reaction to hearing about that decision. Some qualifiers; the case was regarding patent law. As such this decision is not an apples to apples comparison to rooting/modding/taking control of our phones and other similar electronics; and we cannot point to this case and tell Google/Apple, Samsung/LG/HTC/et al, and AT&T/Verizon/Sprint/et al to give us full access to our phone if we want it. That said, I do still think that if someone was to take a case to the Supreme Court specifically on this topic; the decision would be pretty much the same.
The SCotUS has been fairly consistent over the decades with regards to the person who purchases a physical device as being allowed to do whatever they want with it after they get it. But they might also decide to allow the phone companies some requirements so that they can secure their services. This likely is the main reason why none of the companies will try to resolve rooting/modding/bootloader unlocking in the courts; they know that they will lose based on previous decisions.
With how Android has been steadily moving to be more and more like iOS in trying to make it harder and harder to root the phone and taking away more and more control that the end user has; I think that it might be a good time for a new mobile phone OS that innately gave the user the option to root, install custom recoveries, and otherwise truly make ones phone their own.
This might be a silly question, I've not used Samsung in a long time, last one was the S2 haha.....but is it ever going to be possible to root and/or install TWRP on this device without breaking OTA updates? I love rooting my devices and using custom ROMs, I still have need for root access, but to be honest this phone I would be happy keeping as close to stock as possible, I could live without TWRP, but will we ever get root without losing the ability to OTA update? If not then I'll just go custom when the urge becomes too strong haha.
Oh and I have the exynos version.
beta546 said:
This might be a silly question, I've not used Samsung in a long time, last one was the S2 haha.....but is it ever going to be possible to root and/or install TWRP on this device without breaking OTA updates? I love rooting my devices and using custom ROMs, I still have need for root access, but to be honest this phone I would be happy keeping as close to stock as possible, I could live without TWRP, but will we ever get root without losing the ability to OTA update? If not then I'll just go custom when the urge becomes too strong haha.
Oh and I have the exynos version.
Click to expand...
Click to collapse
+1
I too see a growing need for root elevation without destroying core security patch options. Either from stock, or with an aptitude like package management used by ROM creators, so you can even patch android files sooner than Samsung normally would. Because as it stands, the way we root now makes android a security disaster.
In essence this is a design failure by google and android. How could they expect users to be happy with non-configurable systems? That's why we don't have Apple devices, so we can config and alter whenever we would want to. Sigh.. Closed source for android is such a PITA. And so slow with patches..
?
jult said:
+1
I too see a growing need for root elevation without destroying core security patch options. Either from stock, or with an aptitude like package management used by ROM creators, so you can even patch android files sooner than Samsung normally would. Because as it stands, the way we root now makes android a security disaster.
In essence this is a design failure by google and android. How could they expect users to be happy with non-configurable systems? That's why we don't have Apple devices, so we can config and alter whenever we would want to. Sigh.. Closed source for android is such a PITA. And so slow with patches..
Click to expand...
Click to collapse
I agree, people like Samsung who just want to lock down their devices for whatever reason is just getting a bit extreme now. I don't think it's Google to blame though as android is easily rooted in general, it's manufacturers like Samsung that make you jump through hoops to do it. And yes it's exactly why we don't have iPhones haha. I believe every android device should come with a setting in developer options that just activates root with a disclaimer.....take my warranty, I don't care in the slightest, but don't cripple my device that I payed £720 for that is now my property, just because I want to use some of the most useful features and app designed to work with root. After reading through these forums I see Samsung seem more like apple than ever. I mean God the guide to install a custom ROM is crazy haha, perfectly doable, but compared to my le max 2 which was just, plug your phone in, push this through ADB, then flash this zip and you're done, so simple.
beta546 said:
I agree, people like Samsung who just want to lock down their devices for whatever reason is just getting a bit extreme now. I don't think it's Google to blame though as android is easily rooted in general, it's manufacturers like Samsung that make you jump through hoops to do it. And yes it's exactly why we don't have iPhones haha. I believe every android device should come with a setting in developer options that just activates root with a disclaimer.....take my warranty, I don't care in the slightest, but don't cripple my device that I payed £720 for that is now my property, just because I want to use some of the most useful features and app designed to work with root. After reading through these forums I see Samsung seem more like apple than ever. I mean God the guide to install a custom ROM is crazy haha, perfectly doable, but compared to my le max 2 which was just, plug your phone in, push this through ADB, then flash this zip and you're done, so simple.
Click to expand...
Click to collapse
The most important part of your post is often missed by a lot of people.
"lock down their devices for whatever reason..."
No one thinks about the reason it seems. As much as it sucks for folks on XDA, the folks that come to XDA don't think about all of the people that DO NOT come to XDA, or why a device manufacturer that makes their devices primarily for the Corporate world, wouldn't want to let their devices be unlocked by the small amount of XDA folks that buy them.
And before anyone says "the exynos is unlockable!" Remember the Exynos version is international, not USA. There's are so much more benefits to Samsung keeping the USA devices locked than there are downsides. I work for a small corporate company of about 300 employees and I am not allowed to have a device with the bootloader unlocked, period. Why? I don't even know, and I am in the tech field. Each company has their rules and such. Imagine how much contracts Samsung could have with corporations out there for their devices. We used to have one, and look at how small we are. We don't have one anymore because it's cheaper to just have employees front the device cost instead of the company paying for devices! Lame I know. I fought against it but lost.
As far as the original question goes, no, you will not be able to keep OTA and root at the same time. Not for the way OTA are setup, and rooting works.
Jammol said:
As far as the original question goes, no, you will not be able to keep OTA and root at the same time. Not for the way OTA are setup, and rooting works.
Click to expand...
Click to collapse
Now. You mean. It can (and should) change. The way the android permission model is designed, is totally corporate-based, not user-friendly at all. And if Samsung would stay on top of security-patches and push updates (like you have with Win10 now, which are still totally under the user's control without having to 'root' anything), that would be fine, but time and again these smartphone manufacturers have proven to stop giving a hoot after they've released a new model, if they even cared at all about security patching in time, because they apparently really don't. Not enough anyway. If they would, we'd already be running Android 9 on our Notes by now.
Jammol said:
The most important part of your post is often missed by a lot of people.
"lock down their devices for whatever reason..."
No one thinks about the reason it seems. As much as it sucks for folks on XDA, the folks that come to XDA don't think about all of the people that DO NOT come to XDA, or why a device manufacturer that makes their devices primarily for the Corporate world, wouldn't want to let their devices be unlocked by the small amount of XDA folks that buy them.
And before anyone says "the exynos is unlockable!" Remember the Exynos version is international, not USA. There's are so much more benefits to Samsung keeping the USA devices locked than there are downsides. I work for a small corporate company of about 300 employees and I am not allowed to have a device with the bootloader unlocked, period. Why? I don't even know, and I am in the tech field. Each company has their rules and such. Imagine how much contracts Samsung could have with corporations out there for their devices. We used to have one, and look at how small we are. We don't have one anymore because it's cheaper to just have employees front the device cost instead of the company paying for devices! Lame I know. I fought against it but lost.
As far as the original question goes, no, you will not be able to keep OTA and root at the same time. Not for the way OTA are setup, and rooting works.
Click to expand...
Click to collapse
That makes a lot of sense really, obviously there are going to be businesses and companies and such that wpild rely on their workers devices being as secure as possible, for multiple reasons. But again that's not really up to Samsung to decide really, now I agree that although there are a huge number of people that want to modify their devices in various ways, but on the grand scale it's a relatively low percentage of the market. Which is why I think it should always be an option, that way they cater to everyone. If a company has a requirement that all their employees devices stay locked down, they simply don't allow it, and if an employee does it regardless then the consequences would be their own. I guess Samsung could bake in the setting, but with an option at first boot as to leave the ability to unlock intact, or to choose to permanently remove any option of ever being able to do it. That way when a company bought the phones they could lock them all down before handing them out. But in the scenario where people must purchase their own device, they then would have to decide whether to follow company policy, or unlock the phone and risk potentially losing their job at worst because of it....that's just what I think really, but I'm in no way some business or manufacturing giant haha, there will be multiple arguments for and against this entire scenario.
And also thanks for the answer ? It was as I suspected, but always worth an ask.
Voiding the Warranty for unrelated modifications is illegal and there is a better way
It seems we are all getting used to the arrogance and impertinence ...
... with which manufacturers and telephone service operators want to dictate what we do with our property. Let us not forget that «this will void your warranty», though common practice, is not in accordance with current legislation.
Modifications to devices should be protected under the Magnuson-Moss Warranty Act, unless the modification caused the damage you're asking the manufacturer to repair. Manufacturers threatening to void warranties for rooting, even when they have no legal right to do so, is nothing but bullying, banking on the fact that most people are not feeling confident about legal battles with corporations for which time and money are of no consequence. It is about time that reviews took the aspect of rooting/customization friendliness into consideration, so that manufacturers like OnePlus and HTC receive the credit they deserve for being more lenient toward rooting and still receiving updates. If technology journalists pointed this aspect out in their reviews, companies might come to their senses. Being able to use some apps that can do what they do only with Root access is more important than yet another MegaPixel on the camera -- if the other manufacturers do not drop the ball yet again, by dumbing down their phone instead of building the best device they possibly can, this year's phone purchase will be from a brand that is user friendly and provides OTA updates even on customised devices.
As for the «security» fairytale, that's often the last aspect that manufacturers care about, skipping security patches even after exploits have been detected. By the way: if some guy with a mobile phone could really bring down or disturb an operator's network, the operator doesn't deserve better. Most people do not root because they are devious masterminds from a Bond movie who try to mess up their kernels or bring down the global communication networks, but because they want to customize the looks of devices to their liking, fix some flaws or get some software to work. Very few people would keep rooting if manufacturers only guarded their kernels against overclocking beyond what the phone can endure and operators blocked what could disrupt the network -- if they did that and only that, hardly anyone would complain or root.
Security is obviously not what it's really all about. On my SAMSUNG GALAXY NOTE 9, Amazon Shopping, Fakecrook, LinkedIn and a whole bunch of other garbage came pre-installed as system apps that can be disabled but not uninstalled. Like everything imposed on us by Google, these companies have no interest in enhancing their customers' security and privacy, but exactly the opposite, grab as much sensitive information about us as they possibly can and sell it to whoever is interested and willing to pay for it.
On a Windows PC, I can do most things I want to do if I really have to, via editing the Windows Registry if need be and turning off User Access Control (UAC) when the unnecessary extra-click got on my nerves. Millions of people are and have been doing the same without upsetting the space-time-continuum, and corporations can restrict whatever they want to restrict if there is an administrator to do it. In most cases, however, there is not, because after all, it's a Personal Computer (PC), managed by the user at home. If we pay for something -- and quite handsomely so -- we own it, consequently it should be us who, after a warning that can be turned off with a checkmark, have the final say. So far, the corporate world seems to thrive quite nicely with the kind of approach to security that MS Windows is taking, despite surely being the first and loudest ones to complain if there were any real and relevant problems that seriously threaten their dayly operations.
Mobile phone manufacturers and operators use «security» as an excuse to restrict what the owners of those expensive little toys can do, just like governments proclaim «terrorism» as the excuse for spying on and controlling their own populations by grabbing ever more power with authorizing laws that undermine constitutional civil liberties. In our societies, it is to keep track on any possible threats to the Status Quo that might be caused by a shift of public opinion if the media -- these days large corporations themselves -- did not distract us with polemics, sports and celebrity BS, but reported on and kept in focus issues such as ecology, human overpopulation, inequality, tax evasion, poverty, injustice, corruption, lobbyism and so on. In the mobile phone world, they do it to milk us for banalities like boot animations, wallpapers, type fonts, themes, icons and whatever we would like to do to make our phones look nicer. Under Windows, buy a shareware CD with 10,000 fonts, copy the 20 or 30 you like into the respective system folder -- done. On Android, they want to milk us for every bit they can and that's the real motivation for all the bull****, harassment, hoops and loops they make us jump through.
If companies were really interested in user privacy rights and security, the first thing that would be forbidden were advertisements, because a lot of sh.t can come in through those backdoors. Second, why does Apple not allow antivirii and firewalls if security is such a concern? Why are owners of devices with a custom recovery or root being punished by exclusion from OTA updates, given that these updates are supposed to improve stability and security? That's just bollocks and distraction to ram as much advertising down our throat, rip us off for every boot animation, wallpaper, theme, icon or type font that we have tons of lying around on our hard drive, and to obtain as much data from us as possible, in order to know and track what we buy, think, believe, suffer from, like, dislike or do in any place at any at any time.
Apart from a couple of absolute geeks and nerds, nobody would root their phones if adaptation and customization of our phones was easily possible, i.e. if everything except things that could irrevocably damage hardware or networks could be easily modified as we please. The introduction of a/b partition slots for Seamless Updates paved the way for preventing irreparable accidents and could easily be expanded and improved, together with a better design of the user interface and user experience to make the process more comprehensible for average users. Yet, most companies did not even implement a/b partitions, although this approach makes accidents and mistakes when playing around with the device «non-lethal» and saves the Customer Service costs that companies so often cite as the second excuse and pretext for the arrogance with which they keep and exert control over other people's property. With each new generation of phones and every new version of operating systems, the restrictions are getting worse, the options for access and harmless modification less, and that unacceptable trend needs to stop.
If companies want to disencourage people from rooting their phones, they need to stop bombarding us with intrusive ads, stop spying and imposing bloatware and replace it with useful tool bundles (Titanium Backup, decent file managers, cleaners, system tools and the like). It is okay to guard and firewall the indispensable and risky parts (hardware overclocking, network integrity), but only block those irreparable areas while opening up the rest for users to customise to their hearts content, making it as comfortable, easy and intuitive as possible to copy, paste, move and configure everything else between phone and PC. If something goes wrong while doing so, make sure that a system restore point and booting into the alternative partition means that there's no harm, no foul and therefore no problem and no service cost.
Instead of wasting our time hunting for patched partiton files, info on how to get out of bootloops, etc., users could then enjoy and be happier with our phone instead of fixing its shortcomings or, dare I say it, do something fun and entertaining outside while the snow is fresh or the sun is shining.
.
Qui Peccavit said:
It seems we are all getting used to the arrogance and impertinence ...
... with which manufacturers and telephone service operators want to dictate what we do with our property. Let us not forget that «this will void your warranty», though common practice, is not in accordance with current legislation.
Modifications to devices should be protected under the Magnuson-Moss Warranty Act, unless the modification caused the damage you're asking the manufacturer to repair. Manufacturers threatening to void warranties for rooting, even when they have no legal right to do so, is nothing but bullying, banking on the fact that most people are not feeling confident about legal battles with corporations for which time and money are of no consequence. It is about time that reviews took the aspect of rooting/customization friendliness into consideration, so that manufacturers like OnePlus and HTC receive the credit they deserve for being more lenient toward rooting and still receiving updates. If technology journalists pointed this aspect out in their reviews, companies might come to their senses. Being able to use some apps that can do what they do only with Root access is more important than yet another MegaPixel on the camera -- if the other manufacturers do not drop the ball yet again, by dumbing down their phone instead of building the best device they possibly can, this year's phone purchase will be from a brand that is user friendly and provides OTA updates even on customised devices.
As for the «security» fairytale, that's often the last aspect that manufacturers care about, skipping security patches even after exploits have been detected. By the way: if some guy with a mobile phone could really bring down or disturb an operator's network, the operator doesn't deserve better. Most people do not root because they are devious masterminds from a Bond movie who try to mess up their kernels or bring down the global communication networks, but because they want to customize the looks of devices to their liking, fix some flaws or get some software to work. Very few people would keep rooting if manufacturers only guarded their kernels against overclocking beyond what the phone can endure and operators blocked what could disrupt the network -- if they did that and only that, hardly anyone would complain or root.
Security is obviously not what it's really all about. On my SAMSUNG GALAXY NOTE 9, Amazon Shopping, Fakecrook, LinkedIn and a whole bunch of other garbage came pre-installed as system apps that can be disabled but not uninstalled. Like everything imposed on us by Google, these companies have no interest in enhancing their customers' security and privacy, but exactly the opposite, grab as much sensitive information about us as they possibly can and sell it to whoever is interested and willing to pay for it.
On a Windows PC, I can do most things I want to do if I really have to, via editing the Windows Registry if need be and turning off User Access Control (UAC) when the unnecessary extra-click got on my nerves. Millions of people are and have been doing the same without upsetting the space-time-continuum, and corporations can restrict whatever they want to restrict if there is an administrator to do it. In most cases, however, there is not, because after all, it's a Personal Computer (PC), managed by the user at home. If we pay for something -- and quite handsomely so -- we own it, consequently it should be us who, after a warning that can be turned off with a checkmark, have the final say. So far, the corporate world seems to thrive quite nicely with the kind of approach to security that MS Windows is taking, despite surely being the first and loudest ones to complain if there were any real and relevant problems that seriously threaten their dayly operations.
Mobile phone manufacturers and operators use «security» as an excuse to restrict what the owners of those expensive little toys can do, just like governments proclaim «terrorism» as the excuse for spying on and controlling their own populations by grabbing ever more power with authorizing laws that undermine constitutional civil liberties. In our societies, it is to keep track on any possible threats to the Status Quo that might be caused by a shift of public opinion if the media -- these days large corporations themselves -- did not distract us with polemics, sports and celebrity BS, but reported on and kept in focus issues such as ecology, human overpopulation, inequality, tax evasion, poverty, injustice, corruption, lobbyism and so on. In the mobile phone world, they do it to milk us for banalities like boot animations, wallpapers, type fonts, themes, icons and whatever we would like to do to make our phones look nicer. Under Windows, buy a shareware CD with 10,000 fonts, copy the 20 or 30 you like into the respective system folder -- done. On Android, they want to milk us for every bit they can and that's the real motivation for all the bull****, harassment, hoops and loops they make us jump through.
If companies were really interested in user privacy rights and security, the first thing that would be forbidden were advertisements, because a lot of sh.t can come in through those backdoors. Second, why does Apple not allow antivirii and firewalls if security is such a concern? Why are owners of devices with a custom recovery or root being punished by exclusion from OTA updates, given that these updates are supposed to improve stability and security? That's just bollocks and distraction to ram as much advertising down our throat, rip us off for every boot animation, wallpaper, theme, icon or type font that we have tons of lying around on our hard drive, and to obtain as much data from us as possible, in order to know and track what we buy, think, believe, suffer from, like, dislike or do in any place at any at any time.
Apart from a couple of absolute geeks and nerds, nobody would root their phones if adaptation and customization of our phones was easily possible, i.e. if everything except things that could irrevocably damage hardware or networks could be easily modified as we please. The introduction of a/b partition slots for Seamless Updates paved the way for preventing irreparable accidents and could easily be expanded and improved, together with a better design of the user interface and user experience to make the process more comprehensible for average users. Yet, most companies did not even implement a/b partitions, although this approach makes accidents and mistakes when playing around with the device «non-lethal» and saves the Customer Service costs that companies so often cite as the second excuse and pretext for the arrogance with which they keep and exert control over other people's property. With each new generation of phones and every new version of operating systems, the restrictions are getting worse, the options for access and harmless modification less, and that unacceptable trend needs to stop.
If companies want to disencourage people from rooting their phones, they need to stop bombarding us with intrusive ads, stop spying and imposing bloatware and replace it with useful tool bundles (Titanium Backup, decent file managers, cleaners, system tools and the like). It is okay to guard and firewall the indispensable and risky parts (hardware overclocking, network integrity), but only block those irreparable areas while opening up the rest for users to customise to their hearts content, making it as comfortable, easy and intuitive as possible to copy, paste, move and configure everything else between phone and PC. If something goes wrong while doing so, make sure that a system restore point and booting into the alternative partition means that there's no harm, no foul and therefore no problem and no service cost.
Instead of wasting our time hunting for patched partiton files, info on how to get out of bootloops, etc., users could then enjoy and be happier with our phone instead of fixing its shortcomings or, dare I say it, do something fun and entertaining outside while the snow is fresh or the sun is shining.
.
Click to expand...
Click to collapse
Best post I've read in the recent years. Well done!
PS: Love the Angola flag.
Information available on Reddit seem to show that several of Motorola's phones have not had any security patch levels applied since after January. It also seems like as long as the known security issues are just documented as theoretically possible that Lenovo/Motorola seem happy to keep reiterating the same lie that they make security a "top priority" while not actually addressing these problems. It is also frustrating that Motorola seems unwilling to release a version of the Motorola One that is intended to be used in the USA.
It would be nice to have a proof of concept repository similar to Rapid7's metasploit but for the Motorola G-series. Please keep in mind, I am *NOT* talking about violating responsible disclosure. This would not include any unpatched vulnerabilities. Instead, this would be known issues were AOSP has provided fixes to Motorola for over a month and Motorola has selected to still notify it's customers that their device is "up to date" without having addressed the known issues.
I believe only by showing customers what is possible with this exploits can enough pressure be put on Lenovo/Motorola to make "top priority" mean actual action instead of empty posturing.
However, based on my careful reading of the XDA ToS, it seems anything that facilitate the creation of malicious content is not allowed. This seems vaguely worded enough to exclude all proof of concept exploit discussion. But several of the issues left unaddressed by Motorola seem to be fairly easy to exploit. So, is XDA really improving the situation or avoiding transparency in favor of shielding Motorola's poor behavior?
It would be really nice if someone could provide some clarification behind the wording of this ToS and XDA's position on vendors that make security a "top priority" leaving months of patches outside of the scope available to customers if the device is to remain under warranty.
This is what I already said.
Motorola is just a retarded company.
I don't know in which universe this is acceptable.
Someone needs to sh*t in a bag and address it at Motorola, so they see what they sell.
The G6 was my last Motof**k phone.
F**k Motorola. F**k Lenovo and f**k all the retards which work in this companies.
I hope the company dies and never sells a f**kphone again.
I completely understand your level of frustration ThisIsRussia but please don't get the thread locked.
If I were to mail something to Motorola to make a statement, it would probably be a finger-print reader attached to swiss cheese. They keep using user facing features to give the illusion of security while leaving the rest of the product full of security holes.
Yeah, sorry I was a little upset because they are always responding with phrases like "soon it will be updated" etc.
Since February. Its May now.
I just don't use Motorola phones anymore and if someone asked me for opinion I didn't recommend Motorola/Lenovo.
They are a bunch of liars. period.
I picked up the g6 on Fi just to have a cheap phone. I thought it was just the Fi version not getting security updates.. luckily I don't keep financials, etc on. Only good as a glorified phone and music streaming device, but for $99?
Not many budget phones get monthly patches on time. None that are under$150 anyways.
$99 or $150 isn't what I was charged for the Moto G6. It was released for a price of $200.
The Federal Trade Commission has fined D-Link, TP-Link and ASUS for marketing *BUDGET* wireless routers that sold for much less than $200 or $150 or $99 for misrepresenting their products as providing security while "failing to take reasonable steps to secure."
According to David Kleidermacher, Google's head of security for Android, ""Android security made a significant leap forward in 2017 and many of our protections now lead the industry" and also "as Android security has matured, it has become more difficult and expensive for attackers to find high severity exploits."
Google owned Motorola, they should have been able to established policies and procedures for Motorola to make good on David Kleidermacher's statements. Or they should have made establishing those part of terms of the sale to Lenovo.
Lenovo and Motorola also market themselves as providing security even for budget devices with statements as:
* "Prevent unauthorized access with secure biometrics"
* "keeping your devices and systems secure and your digital privacy intact is a top priority"
At no point do they put any exclusionary statement such as "but only if it is not a budget device."
Also, while Motorola One is also a budget device, it does get more frequent updates. However, the Moto One is clearly not intended for purchase in the USA market and is missing support for several LTE bands.
And the Moto G6 is supposed to be a Treble/GSI device were any effort Motorola put into providing updates to flagship GSI devices should also apply to being able to also update the G6 for almost no additional effort.
So, I reject the claim no one should expect Feb 2019 security updates by May 2019 because it is simply a budget device.
Then let's also look at the claim that if financials or similar are not stored directly on the phone then it is not really a big issue.
To respond to that I am going to focus on just one Feb 2019 patch. There have been plenty of other security issues in Jan 2019 to now but for purposes of this discussion, I will just focus on one. The CVE-2019-1988 seems to still apply to still apply to any Motorola phone that is "up-to-date" but has a Jan 2019 security level. This vulnerability as a high impact score of 10 out of 10 and an easy exploitability score of 8.6 out of 10. The attack complexity is low and "could lead to remote code execution in system_server with no additional execution privileges needed."
What would need to result from this for it to be considered a violation of Lenovo and Motorola's marketing of making security a top priority?
What if an email or MMS ("text message") or instant message could do any of the following:
* Open and stream the microphone while the phone is locked
* Take and transmit pictures from either the front or rear camera while the phone is locked
* Send and receive text messages while the phone is locked
* Transmit phone location while the phone is locked
* Access and transmit email and files/documents on Google Drive and Google Docs while the phone is locked
Would any of this be disturbing? Is Lenovo/Motorola really delivering on "[preventing] unauthorized access with secure biometrics" if this is possible while the phone is locked?
I get this is all theoretical and I sound like I have been wearing a tin foil hat (maybe I am ). Anyone want to find out? Anyone want to give me the phone number to a Moto G6? Anyone want to give me the email address that they use with their Moto G6? How confident are people that not having financials stored directly on the phone means CVE-2019-1988 is not a major issue?
So far, people's reactions have been similar to this forum that there is still things people can do to maintain their privacy while using a device in this state. No one wants to believe that a major company would leave them so exposed. Lenovo/Motorola seems to be banking on no one understand the full scope of the problem. But what if a Proof of Concept of a Remote Access Trojan launched not via installing an application but simply from viewing a PNG really happened, would anyone be interested that? Would being able to actually demonstrate a PoC RAT have any positive value in holding Motorola accountable to their marketing claims or simply feed "hackers" with an exploit? If it is already known to be easily exploitable, shouldn't it be safe to assume any criminal that wanted it already has created their own implementation?
What exactly is XDA's stand on a real PoC RAT full disclosure? Is XDA taking on the stance that a RAT disclosure is always only harmful? Or is it that Motorola's actions are harmful?
@chilinux
Relax, you don't need to attack me. I can see you're feeling very hostile.
I didn't say you or anyone should accept it. I said it's common on low end devices. Even low to midrange devices.
I don't care what you paid for it. I have the g6 play and paid $99 for it. And it has been updated to pie with March security patch.
Moto is not great at supplying updates the way they were when they were under Google. Not many companies in China that are shopping phones to other countries are good at it.
It sucks, I was agreeing with you.
So rant at someone else. Geez
madbat99 said:
@chilinux
Relax, you don't need to attack me. I can see you're feeling very hostile.
Click to expand...
Click to collapse
I am very sorry you feel personally attacked. I do admit that I have taken a hostile stance but I wasn't trying to attack you.
My point is that I have already heard from users that the issue is not really that bad. It really seems like a demonstration is the only way to change the Lenovo/Motorola business model of leveraging customer misconception. At the same time, the XDA ToS seems to be at odds with using this forum as the method of giving such a demonstration. To me, this means XDA is passively contributing to Motorola's clearly invalid marketing of using product security to protect against unauthorized access.
Allowing remote unauthorized access is very much part of how the Moto G6 functions.
chilinux said:
I am very sorry you feel personally attacked. I do admit that I have taken a hostile stance but I wasn't trying to attack you.
My point is that I have already heard from users that the issue is not really that bad. It really seems like a demonstration is the only way to change the Lenovo/Motorola business model of leveraging customer misconception. At the same time, the XDA ToS seems to be at odds with using this forum as the method of giving such a demonstration. To me, this means XDA is passively contributing to Motorola's clearly invalid marketing of using product security to protect against unauthorized access.
Allowing remote unauthorized access is very much part of how the Moto G6 functions.
Click to expand...
Click to collapse
XDA needs to cover their butts. They walk a fine line on many things.
To provide members the most information, useful guides, and general Android knowledge; they do have to remain, for lack of a better term, "neutral".
They allow us access to guides, knowledge, and even files, that allow us to take back some semblance of "ownership" of our devices. And that is despite many OEM, and country, restrictions, regulations, and "ownership", be it proprietary or what have you, that threaten their voice.
We, in turn, try to adhere to their rules to maintain an even keel, so to speak. So as not to make it harder, or impossible, to do the good work they are doing.
That said, this may not be the platform to achieve the ends you seek. Even if others share your view, in part, or otherwise.
Make sense?
madbat99 said:
XDA needs to cover their butts. They walk a fine line on many things.
To provide members the most information, useful guides, and general Android knowledge; they do have to remain, for lack of a better term, "neutral".
They allow us access to guides, knowledge, and even files, that allow us to take back some semblance of "ownership" of our devices. And that is despite many OEM, and country, restrictions, regulations, and "ownership", be it proprietary or what have you, that threaten their voice.
We, in turn, try to adhere to their rules to maintain an even keel, so to speak. So as not to make it harder, or impossible, to do the good work they are doing.
That said, this may not be the platform to achieve the ends you seek. Even if others share your view, in part, or otherwise.
Make sense?
Click to expand...
Click to collapse
I understand what it is you are trying to saying that XDA sees it to their advantage to not rock the boat too much. That doesn't mean it makes sense to me.
Here is how I view how the world works when people don't speak out:
https://www.cnn.com/2019/01/12/middleeast/khashoggi-phone-malware-intl/index.html
If Motorola wants to specify that security and safety simply is not part of this product, then I can understand them making that part of their *stated* business model. But Lenovo/Motorola has decided they can market a product as preventing authorized access without doing the work required to actually provide that feature. There should be moral and ethical issues raised when knowingly letting a company mislead their customers to that extent.
There should be room someplace on the XDA forum to create a penetration/vulnerability to put customers of Motorola in a better position for informed consent. The idea that the average person can take the April and May 2019 security bulletins and understand what that really means just doesn't work out. They know what the word "critical" means but usually don't know what RCE is and largely take it as being someone else's problem. The level of conflict of interest on the part of Motorola is not made clear.
Instead, the average person still focuses on if when they are going to see the latest Avengers movie. "CVE-2019-2027" means nothing but if you show them April/May gives criminals all of the infinity gems such that at a click of their fingers half of customers of Motorola have their privacy turn to dust, then that is something they can at least understand. Then they can more meaningfully decide if it is reasonable/safe to use that device without leaving airplane mode permanently on.
chilinux said:
I understand what it is you are trying to saying that XDA sees it to their advantage to not rock the boat too much. That doesn't mean it makes sense to me.
Here is how I view how the world works when people don't speak out:
https://www.cnn.com/2019/01/12/middleeast/khashoggi-phone-malware-intl/index.html
If Motorola wants to specify that security and safety simply is not part of this product, then I can understand them making that part of their *stated* business model. But Lenovo/Motorola has decided they can market a product as preventing authorized access without doing the work required to actually provide that feature. There should be moral and ethical issues raised when knowingly letting a company mislead their customers to that extent.
There should be room someplace on the XDA forum to create a penetration/vulnerability to put customers of Motorola in a better position for informed consent. The idea that the average person can take the April and May 2019 security bulletins and understand what that really means just doesn't work out. They know what the word "critical" means but usually don't know what RCE is and largely take it as being someone else's problem. The level of conflict of interest on the part of Motorola is not made clear.
Instead, the average person still focuses on if when they are going to see the latest Avengers movie. "CVE-2019-2027" means nothing but if you show them April/May gives criminals all of the infinity gems such that at a click of their fingers half of customers of Motorola have their privacy turn to dust, then that is something they can at least understand. Then they can more meaningfully decide if it is reasonable/safe to use that device without leaving airplane mode permanently on.
Click to expand...
Click to collapse
Nope. Nobody is "honest" in marketing. They would sell nothing. Is it right....? No. Is it going to continue? Of course.
There are places to speak out. This isn't IT. Period.
You want a Google device that updates with every patch, you're gonna have to get a Pixel. Flat out. No company truly cares about you're security. They start companies to make money. The end. Right or wrong. Sorry bro. It is what it is.
Unless a company specifically spelled it out in the laws of the country their marketing in they don't have to do it. They can skirt rules and regulations anyway they possibly can. And they have lawyers to make sure they get around that crap. Marketing gimmicks do not equal legal regulation obedience.
if you have a medium to carry out the plan you intend to, find it and do it. just make sure no consumers are harmed in the process. because then the line has been crossed where you're not helping anyone but hurting people.
companies are going to sell their products at the greatest profitt imaginable and that's just the way things are going to be until some company proves that profits lie somewhere else. There isn't much you or I can do about it.
Again, this is not the medium for you to carry out such a vision. the most we hope to do here is to give users the keys to find a way to pick the lock for themselves. Not a way to circumvent the rules, punish the guilty, or vindicate innocence. There are places for that.
I'm going to bed now because I get up for work early. Good luck dude. hope you feel better in the morning.
how many people in the budget phone range are still using phones that haven't even been updated past kit Kat. Just a bit of a reality check. Up-to-the-minute security patches don't mean much to those who are struggling just to have a device to communicate with.
Infinity gems be damned, level-headed decisions with your device make all the difference in the world
madbat99 said:
just make sure no consumers are harmed in the process. because then the line has been crossed where you're not helping anyone but hurting people.
Click to expand...
Click to collapse
I can not no consumers would ever be harmed by anything I ever released. TeamViewer has been weaponized to performing scams. UPX was weaponized to help hide malware from detection. Cerberus antitheft app for Android has the potential to be weaponized. Magisk can be weaponized for malware to avoid detection on Android. To claim any of those projects is "not helping anyone" is really a stretch.
The security audit PoC suite would be similar to previously publicly released project. It would have a method of install via exploit similar to JailbreakMe and it would provide demonstration on what privileged level access provides similar to Back Orifice 2000. Both of those previous project had the potential to weaponize but also helped customers make a better informed decisions about the products they use.
madbat99 said:
how many people in the budget phone range are still using phones that haven't even been updated past kit Kat. Just a bit of a reality check. Up-to-the-minute security patches don't mean much to those who are struggling just to have a device to communicate with.
Click to expand...
Click to collapse
Just a bit of a reality check, I know a medical doctor that discusses information that should be legally protected under HIPAA in the same room as a Moto G6. When a vendor misrepresents the degree to which unauthorized access to a device's microphone is prevented, then more than just people struggling to communicate are impacted. That level of misplaced trust also means the privacy impact extends beyond just owners of the phone.
It is also a level of mistaken trust that was contributed to by people like Ronald Comstock with the XDA Developers sponsorship team which recommended this phone. It might be possible to make an excuse that at the time the recommendation was made it wasn't known how far behind security updates for the product would go. However, the XDA sponsorship team never posted a retraction and the XDA ToS makes it hard to effectively counter the vendor's misrepresentations of the XDA recommended product.
chilinux said:
I can not no consumers would ever be harmed by anything I ever released. TeamViewer has been weaponized to performing scams. UPX was weaponized to help hide malware from detection. Cerberus antitheft app for Android has the potential to be weaponized. Magisk can be weaponized for malware to avoid detection on Android. To claim any of those projects is "not helping anyone" is really a stretch.
Just a bit of a reality check, I know a medical doctor that discusses information that should be legally protected under HIPAA in the same room as a Moto G6. When a vendor misrepresents the degree to which unauthorized access to a device's microphone is prevented, then more than just people struggling to communicate are impacted. That level of misplaced trust also means the privacy impact extends beyond just owners of the phone.
.
Click to expand...
Click to collapse
It can be said that security and privacy are separate issues.
But your insights are well stated.
I remember when a "researcher" seemingly died right before demonstrating how security flaws in insulin pumps could kill a man. (We know who did it Jack) so security is a real concern. And big money will always try to silence what is too expensive to fix. So I get your point. Just goes a little beyond XDA is all I meant. No hard feelings intended, so I hope you didn't take it that way.
madbat99 said:
And big money will always try to silence what is too expensive to fix. So I get your point. Just goes a little beyond XDA is all I meant. No hard feelings intended, so I hope you didn't take it that way.
Click to expand...
Click to collapse
I have hard feeling about this issue but not about what you have said.
I also have a much less issue with "big money" not spending money were it does not need to. But they need to be transparent about that.
What I have hard feelings about is this:
https://androidenterprisepartners.withgoogle.com/device/#!/5659118702428160
And statements from Google related to that page such as:
"Organizations can then select devices from the curated list with confidence that they meet a common set of criteria, required for inclusion in the Android Enterprise
Recommended program ... Mandatory delivery of Android security updates within 90 days of release from Google (30 days recommended), for a minimum of three years"
As appears in this document:
https://static.googleusercontent.co...droid_Enterprise_Security_Whitepaper_2018.pdf
Ninety days from the February 5, 2019 security update bulletin was May 6, 2019. Choosing from that list does not result in mandatory delivery of security updates within 90 days. Google and David Kleidermacher are drowning consumers with willfully misleading information to put trust into devices that aren't held to the criteria they claim they are.
am i the only one who doesn't give a crap about security patches? i just want my phone to work, which my G6 does, just fine.
Dadud said:
am i the only one who doesn't give a crap about security patches? i just want my phone to work, which my G6 does, just fine.
Click to expand...
Click to collapse
You are far from the only one who doesn't care about security patches. I would agree with you that you should not have to care. Addressing problems that are over 90 days old are stated to be the responsibility of Google and Motorola to have taken care of.
In terms of it working just fine, my point is while it appears to normally be fine there is known ways that unapproved behavior can be applied to the product without the owners being aware of them. To me that is not working as advertised and is also not really working fine.