
Comment Re:Google competence (Score 1) 128

I don't use iOS, and I'm not familiar with Apple's record on security. However, Google suffered 115 CVEs in 2015 on Stagefright and the Mediaserver. Nexus is a tiny fragment of the Android ecosystem, and most users have 3rd party devices that will never see these completely patched. These flaws are carved in stone in the /system mountpoint, and can never be corrected.

Apple may not have ideal security, but at least they CAN issue patches on the core OS that will reach the majority of their users. Google cannot, and this was a staggeringly bad decision. We have not yet seen the full consequences of it.

Comment Google competence (Score 5, Insightful) 128

Despite a blinding array of talent that works for the organization, this is the architecture for multimedia that they produced:

Don't start me on Stagefright and Mediaserver, I could rant for 2 or 3 hours non-stop! Seriously, the code over there is crap, and has insane concepts, like aborting the whole mediaserver (and all related media decoding of all other applications running at the same time), when it parses a file with attributes it does not know, instead of skipping the file. We discovered some issues in Stagefright (busy loops, device reboots, mediaserver crashes) quite early, but we never thought about submitting them.

Google has in no way acknowledged the exceptionally poor design of Android, and there is no evidence that the organization has improved and learned from their management mistakes. How then can they be trusted to produce a new operating system? And why would anyone trust them to produce a secure system that is closed source?

I don't care if Verizon gives it away. Absolutely not.

Comment SSH (Score 1) 103

On the scale of sandbox quality, Chrome should dump their model and adopt the SSH techniques - the rendering engine should be chroot() to /var/empty. That improves the software and kills the patent violation in one stroke.

http://undeadly.org/cgi?action...

"First of all, on the positive side, privileges separation, chrooting and the message passing design have proven fairly efficient at protecting us from a complete disaster. [The] Worst attacks resulted in [the] unprivileged process being compromised, the privileged process remained untouched, so did the queue process which runs as a separate user too, preventing data loss... This is good news, we're not perfect and bugs will creep in, but we know that these lines of defense work, and they do reduce considerably how we will suffer from a bug, turning a bug into a nuisance rather than a full catastrophe. No root were harmed during this audit as far as we know."

Comment Bake your SSD in an oven (Score 2) 232

Strange that the discrete 800 degree heating units haven't been integrated AFAIK. However, 250 degrees in an oven for a day fixes most of them.


Heat has long been known to help heal degraded materials in old flash memory. But because the heat healing process meant baking the memory chip in an oven at 250C for hours, few saw it as a practical solution... Briefly heating those locations to about 800C returned damaged memory locations to full working order.

Comment Mediatek and ADUPS (Score 2) 91

All of that will not help you in the slightest if the chipset vendor baked in spyware. Mediatek is the master of the cheap chipset, and they have compromised the OS in both Russia and the US with dozens and dozens of OEM devices.

[BLU] phones were regularly sending bunches of personal information to servers in China: text messages, call logs, contact lists and so forth. After more investigation, it came to light that this was happening via a low-level piece of software called ADUPS.

When Google had previously updated its systems to check for ADUPS, MediaTek (they make the chipset in millions of low-end phones) simply modified their system software to evade Google's checks. Nice one MediaTek!

Comment Say hello to CVE-2014-6041 (Score 1) 71

And in not disclosing that it is using both, it opens many, many security holes on older platforms. Furthermore, we don't know how much work is being done by the local Webcore, and what sort of hostile traffic that Presto might send to it.

Avoid this browser in those cases. It is not safe.

We should all be looking at Tor at this point.

Comment 3rd party code (Score 4, Interesting) 71

One common reason is 3rd party code, which they may have licensed and do not control or own.

Alternately, the code may still be seen internally as useful, which it is with Opera Mini. It is still used to generate revenue, and may contain what Opera considers to be trade secrets that give them an advantage over a competitor (i.e. Amazon Silk).

Comment Opera Mini is Webcore, not Presto (Score 3, Insightful) 71

If you set the "data savings" option down from extreme to high in the settings menu, the scanner at ssllabs.com will report Webkit, not Presto. The Webkit version will be whatever is included on your device (Webcore). If you are running KitKat or Jellybean, you will see lots and lots of security problems with your Webcore, since they date from the end of the XP era, and haven't been updated since.

I believe that Presto would be installed at Opera's corporate systems, and it would feed a compressed stream to the Webkit used by Opera Mini.

Opera Mini could not be so small and include both a complete rendering engine and links to Webcore. They essentially cheated.

Comment Microsoft spyware purge (Score 5, Informative) 503

If you disable the "recommended updates" you don't appear to get any of the "old" telemetry - but it may all be back in the rollups and we would never know.

The old telemetry updates could be removed with the following:

wusa /uninstall /kb:Patch# /quiet /norestart

The patches to remove are: 3065988, 3083325, 3083324, 2976978, 3075853, 3065987, 3050265, 3050267, 3075851, 2902907, 3068708, 3022345, 2952664, 2990214, 3035583, 971033, 3021917, 3044374, 3046480, 3075249, 3080149.
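
An added example, not part of the original comment: the wusa command above applied to the listed KB numbers, removing only the ones that are actually installed and reporting the result of each. The variable names are illustrative, and the script assumes an elevated Windows PowerShell session.

```powershell
#Requires -RunAsAdministrator

# KB numbers exactly as listed in the comment above.
$kbs = 3065988, 3083325, 3083324, 2976978, 3075853, 3065987, 3050265,
       3050267, 3075851, 2902907, 3068708, 3022345, 2952664, 2990214,
       3035583, 971033, 3021917, 3044374, 3046480, 3075249, 3080149

# Query the installed updates once. Get-HotFix reports IDs as "KB<number>".
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$results = foreach ($kb in $kbs) {
    $id = "KB$kb"

    if ($installed -notcontains $id) {
        # Nothing to remove; record it so the report covers every listed KB.
        [pscustomobject]@{ Update = $id; Action = 'skipped'; ExitCode = $null }
        continue
    }

    # Same switches as the comment: silent uninstall, no automatic reboot.
    $proc = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList '/uninstall', "/kb:$kb", '/quiet', '/norestart' `
        -Wait -PassThru

    # 0 means success; 3010 is the standard Windows code for
    # "success, restart required". Anything else is reported as a failure.
    $action = switch ($proc.ExitCode) {
        0       { 'removed' }
        3010    { 'removed, reboot pending' }
        default { 'failed' }
    }

    [pscustomobject]@{ Update = $id; Action = $action; ExitCode = $proc.ExitCode }
}

# One row per KB, so the outcome can be saved or compared after later updates.
$results | Format-Table -AutoSize
```

Re-running the script after a later round of updates shows whether any of the listed KBs have been reinstalled.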

Comment And Candy Crush Soda comes free! (Score 5, Informative) 503

Microsoft believes that our PCs belong to them. They need to lose more market share.

The Windows app store is not something that we all want. It should be an optional add-on for all versions of Windows.

Some of us also like Aero. Windows 8 removed Aero simply because mobile devices could not run it well in Windows RT. We are asked to give up Aero solely because of Microsoft's mobile platform that failed in the market and was essentially discontinued.

Microsoft, we refuse.

Comment Re:Apple should outsource to HP and Lenovo (Score 1) 228

I do remember the Power Mac clones, which wrapped up immediately after Jobs came back (long before OSX).

PowerPC systems were a major share of Apple's revenue back then. These days, OSX/x86 is greatly eclipsed by iOS/ARM. Until such time that Apple wants to (re)focus on x86, they can farm it out.

All x86 is farmed out anyway - this just moves the outsourcing higher up the management chain.

Comment Apple should outsource to HP and Lenovo (Score 3, Insightful) 228

Seriously, it would make just about everybody happy. The designs must use aluminium cases, and they must be approved by Apple before manufacture. The Apple logo will be on the cover, and the manufacturer's logo will be over the keyboard.

PCs are no longer Apple's core competence, and they should make moves to divest the function.

Problem solved.

Comment And they will be covered in spyware. (Score 4, Interesting) 183

The market leader for cheap phones is Mediatek, part owners of ADUPS, the wonderful partnership that recently siphoned off texts, location, and call logs from BLU phones.

This is the same Mediatek that was caught doing the same thing with dozens of brands in the Russian market.

The only way to use such a phone safely is an immediate wipe, followed by a 3rd-party OS install to the eMMC.

The market will shortly realize this.
