Remember just because the phone is rooted doesn't mean it also isn't running the manufacturer's (if any) malware.

Sure. But we're talking about evaluating trust, not whether or not the phone's running malware. If I'm running a stock firmware, in my mind it's already compromised; slapping an XDA hack on top of it doesn't strike me as increasing risk substantially.

That being said, I don't find getting root at all useful unless it's a means to the end of unlocking the phone and replacing the stock firmware. I trust XDA hacks to perform that function, at least, and at that point trusting the manufacturer becomes moot.

I'm a little surprised that the comments so far haven't really tackled the crux of your question, which was NOT "how do I find root exploits", but "are they trustworthy".

Well, the way I see it, I'll trust a random XDA developer pushing closed-source hacks way more than I trust my carrier and/or handset manufacturer.

It'll grant you that it's a low bar.

So 90 days is an appropriate time to wait but not 106 days?

I wouldn't be surprised if there was a "give an inch, take a mile" kind of situation, where they tried allowing some flexibility and got into a cycle where the vendor kept requesting more time each time around.

i imagine if you did this in the usa you'd get sued for using spectrums you don't own.

I imagine if you did this in the USA, you'd get sued for not waiting for the nearest local incumbent to provide the service.

If you stop option ROMs from loading, you can say goodbye to using external ...

Would it really be so terrible if the owner of the hardware could decide whether or not their device supported that kind of thing, or even which specific things it supported?

No, not with encrypted-locked bootloaders becoming common.

Yeah, you're pretty much outlining exactly why I tend to research unlockability prior to buying my devices. I'm not going to pretend that even a small fraction of buyers do this.

  I don't really have much of a solution for people who blindly buy whatever junk the carriers decree that they're allowed to buy. Google's worked on migrating to the Play services approach to get around this, but short of hacking into, unlocking and updating everyones devices I'm not sure what more they can do.

Know, you are talking about an exploit that could be affecting 60% of Android phones...

No, I'm not.

I was responding to a comment about the general state of Android and iOS security updates, not anything specific to this security vulnerability.

In general, if you have an iOS device and Apple decides not to fix a security problem on your phone, it's most likely not going to be fixed.

In general, if you have an Android device and both Google and your vendor decide not to fix a security problem on your phone, you might have a chance to get it fixed by other means. It's not a sure thing, it's not without risk, and you might not be entirely happy with the end result, but it works often enough that it's not a crapshoot.

Now, if you want to get into specifics, I don't know how many of the 60% of vulnerable devices might be able to take advantage of non-Google support, but it's far better than nothing.

... nascent artificial intelligences now have a comprehensive list of people they need to kill as soon as possible.

This is a hit job from a shitty windows enthusiast website (neowin.net).

Do not click any links!

Relax. This is slashdot. Almost nobody reads the source article unless they need to grab a quote in order to prove a point.

I do argue that Google's role in this malfeasance is that they haven't contractually obligated handset manufacturers to make updates available for 2+ years after model introduction.

Given the pile of shit Google's been catching over their Play store contracts, can you really blame them for avoiding anything that leaves a paper trail of arm twisting?

In this regards, I think both Android and iOS are sorely lacking.

With Android at least there may be other providers for updates. It still sucks, but I'll take "sucks but possible" over "sucks and go fuck yourself" any day.

I hold Google accountable, as well as the handset manufacturers.

I believe Google's fix is called "Android 4.4" or "Android 5.x".

That the handset manufacturers can't seem to figure out how to get updates for older devices to newer versions of Android is the core of the problem. I mean, Cyanogenmod generally seems to be able to do it, largely using volunteer labour, so it can't be rocket science (for my handset, vendor support stopped around 4.1... there's a nightly 5.0 now available).

You could argue that Google should set an explicit support cutoff date for patches for older versions, but when the handset makers policy on end of life ranges from "until the average contract runs down" to "until the retail store's return period has passed", I'm not sure there's much point.

If a Canadian infringes American copyright material by redistributing it within the United States, why would the Canadian not be subject to US law?

They probably could be. But the copyright owner is going to have to go through a Canadian court to get a court order to get the subscriber information from the ISP.

I expect an American corporation could start a suit in Canada, get the identification of the Canadian citizen, then dismiss it and open a new copyright lawsuit in the US. But even if they win a large default judgement, they'd then have to go back to the Canadian courts to collect on that judgement.

That last step would probably be a huge mistake.

Then so can Apple.

More usefully, it sounds like the owner of the machine itself can patch it such that any Option ROMs need to be signed with their own private key rather than Apple's.

1. North Korea managed to develop an acceptable army of hackers on their own in 5 years. (No internet in 2009, supposedly)

Trivial.

Set up a really good firewall.

On one interface, install a porn server.

On the other interface, set up a LAN party of teenage boys.

Wait. It won't take the whole 5 years.