
NSA releases security-enhanced Android (The H)


Posted Jan 17, 2012 21:47 UTC (Tue) by djf_jeff (subscriber, #62173)
In reply to: NSA releases security-enhanced Android (The H) by leromarinvit
Parent article: NSA releases security-enhanced Android (The H)

I completely agree with you. This is the kind of technology that will certainly be used for the wrong purpose by the carrier. They take every opportunity they have to lock the end-user.



NSA releases security-enhanced Android (The H)

Posted Jan 18, 2012 9:53 UTC (Wed) by hpro (subscriber, #74751) [Link]

They probably will. But given the choice of having my phone firmware "abused" by the carrier, and _abused_ by malicious software, I would pick the former every time.

I'd much rather have a phone which has all the security bells and whistles but that provides me with a mechanism for loading my own firmware (i.e., unlocked bootloader). That is (one of the reasons) why I have a Nexus S.

NSA releases security-enhanced Android (The H)

Posted Jan 18, 2012 20:48 UTC (Wed) by JanC_ (guest, #34940) [Link]

Who says the malware isn't installed by the carrier? They already install malware right now, if I can believe certain news reports, so why would they stop doing that if they get the tools to more effectively hide this malware?

Security Against Who?

Posted Jan 18, 2012 22:19 UTC (Wed) by ldo (subscriber, #40946) [Link]

hpro:

> But given the choice of having my phone firmware "abused" by the carrier, and _abused_ by malicious software, I would pick the former every time.

That’s a stupid, specious dichotomy. As is well-known, you cannot “secure” a system against the person who legitimately owns that system and has physical access to it. SELinux doesn’t try to do that, and SEAndroid wouldn’t try to do that. The NSA, of all people, are well aware of such a limitation—after all, it is the reason that Digital Restrictions Management doesn’t work. In short, these security frameworks, like all security frameworks, are useless for vendors trying to lock you out of devices that you buy from them.

But of course, like a lot of people, the stupid vendors would have trouble grasping such a fine point. So I wouldn’t be surprised to see one or two of them try to use it for this very purpose.

Actually DRM works perfectly fine...

Posted Jan 18, 2012 22:30 UTC (Wed) by khim (subscriber, #9252) [Link]

> The NSA, of all people, are well aware of such a limitation—after all, it is the reason that Digital Restrictions Management doesn’t work.

Apparently NSA knows the reality better than you and they obviously know that DRM does work. The governing principle in security is the famous, ages-old "you can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time". DRM cannot fool all the people all the time - here you are absolutely correct - but it can fool all the people some of the time, and this "some of the time" is growing: just 10 years ago DRM was typically broken in weeks, often days, but today it takes years for well-designed DRM systems (XBox360, PS3, etc).

If you consider the fact that the lifespan of a typical phone model is 2-3 years... this means that for Android DRM may work just fine.

NSA releases security-enhanced Android (The H)

Posted Jan 18, 2012 11:17 UTC (Wed) by job (guest, #670) [Link]

Given the options between 1) harden Android security, and 2) get people to stop buying locked-down crap, I know I'll choose 2 every time. In the Android ecosystem this is actually not so much of a problem since the unlocked hardware is competitive in both performance and price, so unlocked hardware is a realistic option for most. If all the cool gadget sites which seem to drive so much of smartphone sales nowadays could get the message out, we'd be a lot better off.

NSA releases security-enhanced Android (The H)

Posted Jan 19, 2012 1:53 UTC (Thu) by rqosa (subscriber, #24136) [Link]

> Given the options between 1) harden Android security, and 2) get people to stop buying locked-down crap

Huh? Options 1 and 2 aren't mutually exclusive at all.

Maybe you meant to say "1) weaken Android security" (for the purpose of making locked-down Android phones easier to hack, which is what the parent and grandparent posts seemed to be advocating)? That way it makes more sense that 1 and 2 are mutually exclusive — if locked-down Android devices were truly unhackable, then there would likely be more end-user demand for the unlocked devices that are already for sale (Nexus, etc.).

NSA releases security-enhanced Android (The H)

Posted Jan 19, 2012 10:08 UTC (Thu) by job (guest, #670) [Link]

I'm sorry, that should have been "weaken". I try to pause and proofread before I post but this time I failed and inadvertently said the opposite of what I intended.

NSA releases security-enhanced Android (The H)

Posted Jan 19, 2012 15:01 UTC (Thu) by rich0 (guest, #55509) [Link]

How is the unlocked hardware competitive in performance and price?

I got a T-Mobile G2 for $0 with 4G service and a decent hardware keyboard. I couldn't get an unlocked android phone at any price with a hardware keyboard, and neglecting that feature a Nexus S would have cost me $200 with only 3G data. Before that the Nexus One was unsubsidized but would have cost the same per-month (you could have gotten a discounted rate at the time if you didn't have a family plan).

At some points in time the unlocked models are somewhat competitive, but more often than not they aren't. The fact that they only come out about once a year doesn't help - if your upgrade cycle is off by six months it will be hard for the free stuff to ever be feature-competitive.

Unlocked phones are clearly the best solution to the lockdown problem, but right now there just aren't enough of them, and vendors don't want to promote them. I doubt that would ever change without some kind of legislation.

NSA releases security-enhanced Android (The H)

Posted Jan 22, 2012 13:31 UTC (Sun) by job (guest, #670) [Link]

Competitive because they cover most price ranges and the price difference between them and locked models is negligible. For example the unlocked and somewhat more open Nexus flagship model is currently 500 EUR while the comparable Samsung model is 450 EUR. That's not a big difference.

I obviously don't count subsidized phones since they are just part of a payment plan, whether you see separate payments or it's just part of your monthly fee (in which case you lose badly if you don't catch the expiration date). You probably didn't really get your phone for $0. That's just parroting market speak where fees are called something else.

I would think the varying states of unlocked-ness is a bigger problem. Some have just unlocked bootloaders, which many manufacturers offer across the entire price spectrum (some HTC models, newer Sony-Ericssons etc.), and some go further. It takes a lot of customer empowerment to know which phone to get. That's where the community can help out.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds