ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    RemixOS -- Android for the PC

    Scheduled Pinned Locked Moved IT Discussion
    android desktopandroid
    131 Posts 12 Posters 45.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stacksofplatesS
      stacksofplates @Dashrender
      last edited by

      @Dashrender said:

      @johnhooks said:

      @Kelly said:

      @johnhooks said:

      @Kelly said:

      @johnhooks said:

      @Kelly said:

      @scottalanmiller said:

      Not really, Google doesn't own the Android code and cannot really enforce anything. Anything they put in, someone else can remove. Google oversees the ecosystem but has no means of enforcing control.

      True, but they can do more to influence and guide Android than any other single organization. Given the number of security flaws that occur in the Nexus lines they are not doing well enough to put any pressure on the OEMs. If they started marketing Nexus as the most secure Android (and made it so) platform, then there could be pushback from the marketplace.

      What security flaws in the nexus line? They're the most secure of all of them. They get the updates immediately and constantly. It's the others who need to rely on carriers that are less secure.

      Most secure does not equal secure 🙂 That is my point. Google does fix a lot of vulnerabilities, but they don't always fix them as promptly as they seem to expect others to.

      I get monthly security updates on my Nexus, that's pretty prompt. What current vulnerabilities for the Nexus line are you referring to?

      The most recent one is Stagefright: https://en.wikipedia.org/wiki/Stagefright_(bug).

      That's been patched on the Nexus. I guess my point is, you know which vulnerabilities are on android because people can view the source. What vulnerabilities are on IOS or WP? Who knows?

      I'm not sure what you mean? There was a vulnerability in OpenSSL for something like 15 years and it was completely open source.

      The only difference is that ONCE it's discovered, you can check to see if it's been patched.

      But can you really say that about modern phone OSs? Is the complete source for what is installed on the Nexus available for public review? Maybe it is, I have no clue.

      Right, same with stagefright. It was discovered by someone who didn't work for Google and reported it to them. My point is, you can't say that it's the least secure phone because you have no idea what vulnerabilities are in the other phone OS's. Stagefright wasn't found by someone being hacked and reporting it, it was found by someone auditing code. So how many people were hacked and had no idea?

      If there is a vulnerability in IOS for example, who's going to find it and report it? There could be tons of people vulnerable right now and have no idea, and not be able to do anything about it, and you may never find out about it if Apple decides not to tell anyone and just fix it in a larger patch.

      KellyK 1 Reply Last reply Reply Quote 0
      • KellyK
        Kelly @stacksofplates
        last edited by

        @johnhooks said:

        @Kelly said:

        @johnhooks said:

        @Kelly said:

        @johnhooks said:

        @Kelly said:

        @scottalanmiller said:

        Not really, Google doesn't own the Android code and cannot really enforce anything. Anything they put in, someone else can remove. Google oversees the ecosystem but has no means of enforcing control.

        True, but they can do more to influence and guide Android than any other single organization. Given the number of security flaws that occur in the Nexus lines they are not doing well enough to put any pressure on the OEMs. If they started marketing Nexus as the most secure Android (and made it so) platform, then there could be pushback from the marketplace.

        What security flaws in the nexus line? They're the most secure of all of them. They get the updates immediately and constantly. It's the others who need to rely on carriers that are less secure.

        Most secure does not equal secure 🙂 That is my point. Google does fix a lot of vulnerabilities, but they don't always fix them as promptly as they seem to expect others to.

        I get monthly security updates on my Nexus, that's pretty prompt. What current vulnerabilities for the Nexus line are you referring to?

        The most recent one is Stagefright: https://en.wikipedia.org/wiki/Stagefright_(bug).

        That's been patched on the Nexus. I guess my point is, you know which vulnerabilities are on android because people can view the source. What vulnerabilities are on IOS or WP? Who knows?

        I'm happy you're happy with your Android experience. I'm not making these comments for the sake of tearing Android/Google down and promoting another platform. I want to see Android become better. Yes, Google does a decent job for the most part with patching vulnerabilities in a reasonable timeframe. This isn't about "compared to Apple, Microsoft, Cisco, Citrix, etc." This is in a timely fashion to reduce the attack surface on their devices. I don't ever want to hold a technology vendor to a relative security standard. That sets the bar way too low.

        dafyreD stacksofplatesS 2 Replies Last reply Reply Quote 0
        • dafyreD
          dafyre @Kelly
          last edited by

          @Kelly said:

          @johnhooks said:

          @Kelly said:

          @johnhooks said:

          @Kelly said:

          @johnhooks said:

          @Kelly said:

          @scottalanmiller said:

          Not really, Google doesn't own the Android code and cannot really enforce anything. Anything they put in, someone else can remove. Google oversees the ecosystem but has no means of enforcing control.

          True, but they can do more to influence and guide Android than any other single organization. Given the number of security flaws that occur in the Nexus lines they are not doing well enough to put any pressure on the OEMs. If they started marketing Nexus as the most secure Android (and made it so) platform, then there could be pushback from the marketplace.

          What security flaws in the nexus line? They're the most secure of all of them. They get the updates immediately and constantly. It's the others who need to rely on carriers that are less secure.

          Most secure does not equal secure 🙂 That is my point. Google does fix a lot of vulnerabilities, but they don't always fix them as promptly as they seem to expect others to.

          I get monthly security updates on my Nexus, that's pretty prompt. What current vulnerabilities for the Nexus line are you referring to?

          The most recent one is Stagefright: https://en.wikipedia.org/wiki/Stagefright_(bug).

          That's been patched on the Nexus. I guess my point is, you know which vulnerabilities are on android because people can view the source. What vulnerabilities are on IOS or WP? Who knows?

          I'm happy you're happy with your Android experience. I'm not making these comments for the sake of tearing Android/Google down and promoting another platform. I want to see Android become better. Yes, Google does a decent job for the most part with patching vulnerabilities in a reasonable timeframe. This isn't about "compared to Apple, Microsoft, Cisco, Citrix, etc." This is in a timely fashion to reduce the attack surface on their devices. I don't ever want to hold a technology vendor to a relative security standard. That sets the bar way too low.

          "In a timely fashion" -- Google is usually pretty quick to release patches. The problem comes in when the various carriers want to build on their front-end stuff and add their own UI components and all the extra bloatware.

          1 Reply Last reply Reply Quote 0
          • KellyK
            Kelly @stacksofplates
            last edited by

            @johnhooks said:

            @Dashrender said:

            @johnhooks said:

            @Kelly said:

            @johnhooks said:

            @Kelly said:

            @johnhooks said:

            @Kelly said:

            @scottalanmiller said:

            Not really, Google doesn't own the Android code and cannot really enforce anything. Anything they put in, someone else can remove. Google oversees the ecosystem but has no means of enforcing control.

            True, but they can do more to influence and guide Android than any other single organization. Given the number of security flaws that occur in the Nexus lines they are not doing well enough to put any pressure on the OEMs. If they started marketing Nexus as the most secure Android (and made it so) platform, then there could be pushback from the marketplace.

            What security flaws in the nexus line? They're the most secure of all of them. They get the updates immediately and constantly. It's the others who need to rely on carriers that are less secure.

            Most secure does not equal secure 🙂 That is my point. Google does fix a lot of vulnerabilities, but they don't always fix them as promptly as they seem to expect others to.

            I get monthly security updates on my Nexus, that's pretty prompt. What current vulnerabilities for the Nexus line are you referring to?

            The most recent one is Stagefright: https://en.wikipedia.org/wiki/Stagefright_(bug).

            That's been patched on the Nexus. I guess my point is, you know which vulnerabilities are on android because people can view the source. What vulnerabilities are on IOS or WP? Who knows?

            I'm not sure what you mean? There was a vulnerability in OpenSSL for something like 15 years and it was completely open source.

            The only difference is that ONCE it's discovered, you can check to see if it's been patched.

            But can you really say that about modern phone OSs? Is the complete source for what is installed on the Nexus available for public review? Maybe it is, I have no clue.

            Right, same with stagefright. It was discovered by someone who didn't work for Google and reported it to them. My point is, you can't say that it's the least secure phone because you have no idea what vulnerabilities are in the other phone OS's. Stagefright wasn't found by someone being hacked and reporting it, it was found by someone auditing code. So how many people were hacked and had no idea?

            If there is a vulnerability in IOS for example, who's going to find it and report it? There could be tons of people vulnerable right now and have no idea, and not be able to do anything about it, and you may never find out about it if Apple decides not to tell anyone and just fix it in a larger patch.

            They believe Stagefright 2 was exploited, but have no real idea how many times. As for vulnerabilities in other platforms, they undergo many of the same tests. You can't audit code externally, but you can attempt to discover flaws as a security research just as the hackers are. Apple has had a ton of CVE's over the last few years: http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49. Again, this is not about relative security. I never stated that it was the least secure phone. I want Android to be secure. Not just more secure than iOS.

            I get that you're happy with your phone and Nexus @johnhooks. That is fine with me. I have my platform preference, and I'm happy to explain what it is and why, but I don't think it is germane to this discussion.

            DashrenderD 1 Reply Last reply Reply Quote 0
            • stacksofplatesS
              stacksofplates @Kelly
              last edited by

              @Kelly said:

              @johnhooks said:

              @Kelly said:

              @johnhooks said:

              @Kelly said:

              @johnhooks said:

              @Kelly said:

              @scottalanmiller said:

              Not really, Google doesn't own the Android code and cannot really enforce anything. Anything they put in, someone else can remove. Google oversees the ecosystem but has no means of enforcing control.

              True, but they can do more to influence and guide Android than any other single organization. Given the number of security flaws that occur in the Nexus lines they are not doing well enough to put any pressure on the OEMs. If they started marketing Nexus as the most secure Android (and made it so) platform, then there could be pushback from the marketplace.

              What security flaws in the nexus line? They're the most secure of all of them. They get the updates immediately and constantly. It's the others who need to rely on carriers that are less secure.

              Most secure does not equal secure 🙂 That is my point. Google does fix a lot of vulnerabilities, but they don't always fix them as promptly as they seem to expect others to.

              I get monthly security updates on my Nexus, that's pretty prompt. What current vulnerabilities for the Nexus line are you referring to?

              The most recent one is Stagefright: https://en.wikipedia.org/wiki/Stagefright_(bug).

              That's been patched on the Nexus. I guess my point is, you know which vulnerabilities are on android because people can view the source. What vulnerabilities are on IOS or WP? Who knows?

              I'm happy you're happy with your Android experience. I'm not making these comments for the sake of tearing Android/Google down and promoting another platform. I want to see Android become better. Yes, Google does a decent job for the most part with patching vulnerabilities in a reasonable timeframe. This isn't about "compared to Apple, Microsoft, Cisco, Citrix, etc." This is in a timely fashion to reduce the attack surface on their devices. I don't ever want to hold a technology vendor to a relative security standard. That sets the bar way too low.

              I didn't mean for it to sound like you were tearing them down. It was just this line I was disagreeing with:

              If they started marketing Nexus as the most secure Android (and made it so) platform, then there could be pushback from the marketplace.

              I was saying it already is, and could possibly be more secure than the other platforms, we have no real way of knowing. I think there is a big push back already though. Look at the other companies like Blu, who are giving you stock android on a great phone for $350.

              KellyK 1 Reply Last reply Reply Quote 0
              • KellyK
                Kelly @stacksofplates
                last edited by

                @johnhooks said:

                @Kelly said:

                @johnhooks said:

                @Kelly said:

                @johnhooks said:

                @Kelly said:

                @johnhooks said:

                @Kelly said:

                @scottalanmiller said:

                Not really, Google doesn't own the Android code and cannot really enforce anything. Anything they put in, someone else can remove. Google oversees the ecosystem but has no means of enforcing control.

                True, but they can do more to influence and guide Android than any other single organization. Given the number of security flaws that occur in the Nexus lines they are not doing well enough to put any pressure on the OEMs. If they started marketing Nexus as the most secure Android (and made it so) platform, then there could be pushback from the marketplace.

                What security flaws in the nexus line? They're the most secure of all of them. They get the updates immediately and constantly. It's the others who need to rely on carriers that are less secure.

                Most secure does not equal secure 🙂 That is my point. Google does fix a lot of vulnerabilities, but they don't always fix them as promptly as they seem to expect others to.

                I get monthly security updates on my Nexus, that's pretty prompt. What current vulnerabilities for the Nexus line are you referring to?

                The most recent one is Stagefright: https://en.wikipedia.org/wiki/Stagefright_(bug).

                That's been patched on the Nexus. I guess my point is, you know which vulnerabilities are on android because people can view the source. What vulnerabilities are on IOS or WP? Who knows?

                I'm happy you're happy with your Android experience. I'm not making these comments for the sake of tearing Android/Google down and promoting another platform. I want to see Android become better. Yes, Google does a decent job for the most part with patching vulnerabilities in a reasonable timeframe. This isn't about "compared to Apple, Microsoft, Cisco, Citrix, etc." This is in a timely fashion to reduce the attack surface on their devices. I don't ever want to hold a technology vendor to a relative security standard. That sets the bar way too low.

                I didn't mean for it to sound like you were tearing them down. It was just this line I was disagreeing with:

                If they started marketing Nexus as the most secure Android (and made it so) platform, then there could be pushback from the marketplace.

                I was saying it already is, and could possibly be more secure than the other platforms, we have no real way of knowing. I think there is a big push back already though. Look at the other companies like Blu, who are giving you stock android on a great phone for $350.

                Fair enough. I'll concede that point to you. Nexus is the most secure version of Android at this point.

                1 Reply Last reply Reply Quote 0
                • DashrenderD
                  Dashrender @Kelly
                  last edited by

                  @Kelly said:

                  I get that you're happy with your phone and Nexus @johnhooks. That is fine with me. I have my platform preference, and I'm happy to explain what it is and why, but I don't think it is germane to this discussion.

                  Actually I think it is germane. What makes any platform potentially more secure than the Nexus (again assuming that all code it comes with from the factory is 100% open source)?

                  KellyK 1 Reply Last reply Reply Quote 0
                  • DashrenderD
                    Dashrender
                    last edited by

                    I feel like we've had this discussion before. What makes open source fundamentally more secure than closed source? The fact that more eyes can be on it? But like my example of Open SSL, it was out there, for 15 years, and no one looked at it, at least, no one reported it.

                    For that case I'd argue that closed source is more secure because at least you have to hack on it to find the problems, with open source, you can go digging for problems in the code directly, and then exploit them.

                    It's probably a tit for tat type thing.

                    scottalanmillerS stacksofplatesS 4 Replies Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @Dashrender
                      last edited by

                      @Dashrender said:

                      I feel like we've had this discussion before. What makes open source fundamentally more secure than closed source? The fact that more eyes can be on it? But like my example of Open SSL, it was out there, for 15 years, and no one looked at it, at least, no one reported it.

                      What you are missing is that that example in no way whatsoever disputes the point that open source is more secure. Open source is simply a more secure method. There is no means of disputing it with examples. It covers every possible means of making closed source secure and adds more. No number of examples are relevant.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said:

                        For that case I'd argue that closed source is more secure because at least you have to hack on it to find the problems, with open source, you can go digging for problems in the code directly, and then exploit them.

                        That's not the correct logical assumption. People have access to the code of closed source, just not the right people.

                        1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @Dashrender
                          last edited by

                          @Dashrender said:

                          It's probably a tit for tat type thing.

                          Not really. Open source is critical for good security. Closed source is fundamentally abhorrent to security.

                          1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller
                            last edited by

                            Any argument that closed source has a benefit, is simply a rewording of a belief in security through obscurity. If you want to argue that obscurity is the premier security methodology, do so openly discussing it as obscurity. Trying to hide it in a discussion of closed source is misleading and confusing.

                            Unless you disagree with the idea that obscurity is the enemy of security and that security through obscurity is a myth, then I don't see how closed source could be seen as in any way logically security minded.

                            1 Reply Last reply Reply Quote 0
                            • stacksofplatesS
                              stacksofplates @Dashrender
                              last edited by

                              @Dashrender said:

                              I feel like we've had this discussion before. What makes open source fundamentally more secure than closed source? The fact that more eyes can be on it? But like my example of Open SSL, it was out there, for 15 years, and no one looked at it, at least, no one reported it.

                              For that case I'd argue that closed source is more secure because at least you have to hack on it to find the problems, with open source, you can go digging for problems in the code directly, and then exploit them.

                              It's probably a tit for tat type thing.

                              What if the shoe was on the other foot. What if it heartbleed was closed source developed by Microsoft? Would it have been fixed, and how long would it have taken to be fixed?

                              With heartbleed it was discovered and patched in the same day, and you could update immediately. Would Microsoft send out an update immediately or would you have to wait until patch tuesday?

                              scottalanmillerS 1 Reply Last reply Reply Quote 1
                              • DashrenderD
                                Dashrender
                                last edited by

                                I agree that security through obscurity is a myth.

                                And that Open Source proves everything closed does plus more.

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @stacksofplates
                                  last edited by

                                  @johnhooks said:

                                  What if the shoe was on the other foot. What if it heartbleed was closed source developed by Microsoft? Would it have been fixed, and how long would it have taken to be fixed?

                                  With heartbleed it was discovered and patched in the same day, and you could update immediately. Would Microsoft send out an update immediately or would you have to wait until patch tuesday?

                                  More importantly... how often HAS THIS HAPPENED and we weren't told? How many times were these same vulnerabilities or ones like them fixed or even ignored internally with closed source?

                                  The idea that open source being open with vulnerabilities and reporting them being bad is way off base. It highlights just how security open source is, not how bad it is. It shows how much risk we are under from closed source not needing to tell us things like this.

                                  stacksofplatesS 1 Reply Last reply Reply Quote 2
                                  • stacksofplatesS
                                    stacksofplates @scottalanmiller
                                    last edited by

                                    @scottalanmiller said:

                                    @johnhooks said:

                                    What if the shoe was on the other foot. What if it heartbleed was closed source developed by Microsoft? Would it have been fixed, and how long would it have taken to be fixed?

                                    With heartbleed it was discovered and patched in the same day, and you could update immediately. Would Microsoft send out an update immediately or would you have to wait until patch tuesday?

                                    More importantly... how often HAS THIS HAPPENED and we weren't told? How many times were these same vulnerabilities or ones like them fixed or even ignored internally with closed source?

                                    The idea that open source being open with vulnerabilities and reporting them being bad is way off base. It highlights just how security open source is, not how bad it is. It shows how much risk we are under from closed source not needing to tell us things like this.

                                    And how many times have they been fixed within another patch. You have to trust that the patch is what they tell you it is. Why couldn't they say KB800348 fixes an error in MS Paint when it's actually "oh we accidentally hardcoded leaving port 3389 open?"

                                    DashrenderD 1 Reply Last reply Reply Quote 1
                                    • stacksofplatesS
                                      stacksofplates
                                      last edited by

                                      Here's another good example:

                                      http://arstechnica.com/security/2016/01/et-tu-fortinet-hard-coded-password-raises-new-backdoor-eavesdropping-fears/

                                      1 Reply Last reply Reply Quote 0
                                      • DashrenderD
                                        Dashrender @stacksofplates
                                        last edited by

                                        @johnhooks said:

                                        @scottalanmiller said:

                                        @johnhooks said:

                                        What if the shoe was on the other foot. What if it heartbleed was closed source developed by Microsoft? Would it have been fixed, and how long would it have taken to be fixed?

                                        With heartbleed it was discovered and patched in the same day, and you could update immediately. Would Microsoft send out an update immediately or would you have to wait until patch tuesday?

                                        More importantly... how often HAS THIS HAPPENED and we weren't told? How many times were these same vulnerabilities or ones like them fixed or even ignored internally with closed source?

                                        The idea that open source being open with vulnerabilities and reporting them being bad is way off base. It highlights just how security open source is, not how bad it is. It shows how much risk we are under from closed source not needing to tell us things like this.

                                        And how many times have they been fixed within another patch. You have to trust that the patch is what they tell you it is. Why couldn't they say KB800348 fixes an error in MS Paint when it's actually "oh we accidentally hardcoded leaving port 3389 open?"

                                        Does that really matter?

                                        The days of picking and choosing what updates to install seem over. you should install them all. At least if they are security updates, boy I hope they aren't lying about that!

                                        scottalanmillerS stacksofplatesS 2 Replies Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @Dashrender
                                          last edited by

                                          @Dashrender said:

                                          @johnhooks said:

                                          @scottalanmiller said:

                                          @johnhooks said:

                                          What if the shoe was on the other foot. What if it heartbleed was closed source developed by Microsoft? Would it have been fixed, and how long would it have taken to be fixed?

                                          With heartbleed it was discovered and patched in the same day, and you could update immediately. Would Microsoft send out an update immediately or would you have to wait until patch tuesday?

                                          More importantly... how often HAS THIS HAPPENED and we weren't told? How many times were these same vulnerabilities or ones like them fixed or even ignored internally with closed source?

                                          The idea that open source being open with vulnerabilities and reporting them being bad is way off base. It highlights just how security open source is, not how bad it is. It shows how much risk we are under from closed source not needing to tell us things like this.

                                          And how many times have they been fixed within another patch. You have to trust that the patch is what they tell you it is. Why couldn't they say KB800348 fixes an error in MS Paint when it's actually "oh we accidentally hardcoded leaving port 3389 open?"

                                          Does that really matter?

                                          The days of picking and choosing what updates to install seem over. you should install them all. At least if they are security updates, boy I hope they aren't lying about that!

                                          It matters when you start pointing out open source reports. Because the closed source ones don't get reported. So pointing out an open source one forces us to discuss all the ways that this can be buried in the closed source world.

                                          1 Reply Last reply Reply Quote 0
                                          • hobbit666H
                                            hobbit666
                                            last edited by

                                            Downloaded, unzipped, created USB didn't boot lol.
                                            Will have a play later

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 7
                                            • 7 / 7
                                            • First post
                                              Last post