LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

NSA releases security-enhanced Android (The H)

NSA releases security-enhanced Android (The H)

Posted Jan 18, 2012 9:53 UTC (Wed) by hpro (subscriber, #74751)
In reply to: NSA releases security-enhanced Android (The H) by djf_jeff
Parent article: NSA releases security-enhanced Android (The H)

They probably will. But given the choice of having my phone firmware "abused" by the carrier, and _abused_ by malicious software, I would pick the former every time.

I'd much rather have a phone which has all the security bells and whistles but that provides me with a mechanism for loading my own firmware (i.e., unlocked bootloader). That is (one of the reasons) why I have a Nexus S.

(Log in to post comments)

NSA releases security-enhanced Android (The H)

Posted Jan 18, 2012 20:48 UTC (Wed) by JanC_ (guest, #34940) [Link]

Who says the malware isn't installed by the carrier? They already install malware right now, if I can believe certain news reports, so why would they stop doing that if they get the tools to more effectively hide this malware?

Security Against Who?

Posted Jan 18, 2012 22:19 UTC (Wed) by ldo (subscriber, #40946) [Link]

hpro:

But given the choice of having my phone firmware "abused" by the carrier, and _abused_ by malicious software, I would pick the former every time.

That’s a stupid, specious dichotomy. As is well-known, you cannot “secure” a system against the person who legitimately owns that system and has physical access to it. SELinux doesn’t try to do that, and SEAndroid wouldn’t try to do that. The NSA, of all people, are well aware of such a limitation—after all, it is the reason that Digital Restrictions Management doesn’t work. In short, these security frameworks, like all security frameworks, are useless for vendors trying to lock you out of devices that you buy from them.

But of course, like a lot of people, the stupid vendors would have trouble grasping such a fine point. So I wouldn’t be surprised to see one or two of them try to use it for this very purpose.

Actually DRM works perfectly fine...

Posted Jan 18, 2012 22:30 UTC (Wed) by khim (subscriber, #9252) [Link]

The NSA, of all people, are well aware of such a limitation—after all, it is the reason that Digital Restrictions Management doesn’t work.

Apparently NSA knows the reality better then you and they obviously knows that DRM does work. The governing principle in security is famous ages-old you can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time. DRM can not full fool all the people all the time - here you are absolutely correct, but it can fool all the people some of the time and this some of the time is growing: just 10 years ago DRM typically DRM was broken in weeks, often days, but today it takes years for well-designed DRM systems (XBox360, PS3, etc).

If you'll consider the fact that lifespan of typical phone model is 2-3 years... this means that for Android DRM may work just fine.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds