
What they're doing with their time doesn't count

Posted Mar 21, 2014 3:10 UTC (Fri) by Max.Hyre (subscriber, #1054)
In reply to: Not going to buy any Samsung device again. by rvfh
Parent article: FSF: Replicant developers find and close Samsung Galaxy back-door

I once read a book about spying—factual analysis rather than John le Carré. One of the points that stuck with me was that spying on other countries is based on capability, not intention. If your best-friend country has nukes, you keep pretty much the same undercover eye on them as you do on your known adversary. Anything less would be irresponsible. (And the shock expressed about Angela Merkel and Victoria Nuland is purely show for the groundlings. They all know they're all doing it.)

The point is that in any sort of security analysis, what the other party can do is what you have to defend against, not what they're doing now, or what they say or you hope they're doing. The fact that the capability is a leftover from debugging, or intended solely to update radio-related files, is irrelevant.



What they're doing with their time doesn't count

Posted Mar 21, 2014 3:48 UTC (Fri) by raven667 (subscriber, #5198)

You have to be careful about going too far down that road, worrying about capability instead of intention. The fact is that in human society everyone has the capability to pick up a knife and murder their neighbor, but most don't have the intention to do so, so we don't all wake up dead tomorrow morning. I think this is one reason that all the spying is so ineffective, because they are so concerned about their fantasies about what could happen that they don't see what actually is happening.

In computer security you will go crazy if you try to defend against all possible vectors of attack. You have to prioritize on factors as flimsy as what attack is popular at any time, and build threat models to see what parts of the security are actually important to your personal operations, because not all vulnerabilities are equal.

Knowing what is likely is a better analysis than just what is possible.

What they're doing with their time doesn't count

Posted Mar 21, 2014 4:55 UTC (Fri) by dlang (guest, #313)

In that case, let me pose a question for you.

Which is worse: a phone carrier that doesn't upgrade their users and leaves them running old, vulnerable software, or a phone carrier that does upgrade their users, but because they can upgrade the core software on the device, could use that upgrade process to do something evil in the future?

If you just look at capabilities, the ability to upgrade the device to arbitrary software in the future is FAR worse than any number of current vulnerabilities.

But if you start to include the probability of that being used to attack users, things turn around and the existing vulnerabilities are a far bigger problem.

