Hailing frequencies open! WikiLeaks pings Microsoft after promise to share CIA tools

Last week, WikiLeaks chief Julian Assange said he would hand over the CIA hacking tools that fell into his lap to various technology companies before making the exploits public. We're told he has at least reached out to one tech corp. The so-called Vault 7 archive, dumped online by WikiLeaks on March 7, listed techniques used …

  1. Your alien overlord - fear me

    Patching is like walking into a war zone - there may be a flak jacket available to you but if you don't put it on then that's your fault and it'll hurt when you get hit !!!

    1. Oengus

      if you don't put it on then that's your fault and it'll hurt when you get hit

      and if you have ever been hit with the flak jacket on you will know it hurts as well. You will heal faster but it still hurts...

    2. big_D Silver badge

      The problem is, a flak jacket won't protect you from a head-shot.

      Patching is necessary and protects you from the majority of issues, but it can't help against zero-days.

      At least with a flak-jacket and patches, you stand a chance of coming out alive.

  2. Sanctimonious Prick

    Victims?

    "Not everyone patches regularly enough, and there will be plenty of low-hanging fruit for malware users to harvest."

    Is that not enough reason to hold off a bit longer? (How much longer? I don't know.)

    When the crims do attack the 'low-hanging fruit,' victims will be screaming blue bloody murder... I suspect.

    ---> mine's the one with all the patch marks :)

    1. Anonymous Coward

      Re: Victims?

      It is true that not everyone patches often enough but for some there are no patches nor is there any possibility of any patches arriving.

      I'm talking about the millions of Android devices that are stuck with the same crappy/obsolete version of the software that the handset maker slung at it in order to get it out the door as fast as possible.

      How many posts do we see here (and all over the internet) about device makers failing to supply even basic security patches, let alone version updates?

      To me this is an issue that Google seems to have washed its hands of.

      Like the MS 'Windows Update' process (including the pushing of updates in W10), it is clearly not fit for purpose.

      Google, like MS could sort it but they don't seem to be bovvered now do they?

      If you cared about Android device security and OS upgradability, apart from Google what makers are on the ball here? Not many I'll bet.

      1. DropBear

        Re: Victims?

        "If you cared about Android device security and OS upgradability, apart from Google what makers are on the ball here? Not many I'll bet."

        Why, how many do you need...? There's Nokia right there - it may not be the exact same friendly Finnish corp you got used to, but at least they did promise to ship their phones with untouched Android; I would assume that potentially means unparalleled ease of timely patch delivery...

        1. DropBear

          Re: Victims?

          "I would assume that potentially means unparalleled ease of timely patch delivery..."

          I don't normally reply to myself, but this is ludicrously perfect timing, so there - apparently #ICanSeeTheFuture:

          "Nokia has revealed that it will be pushing out monthly security updates to all its smartphones."

      2. Tom Paine

        Re: Victims?

        Google, like MS could sort it but they don't seem to be bovvered now do they?

        Close. It's not that they're not bovvered, it's that they made a conscious decision that growing market share was more important than security updates. The gamble seems to have paid off for them, with Android now at, what, 80% of the global market? They're now about ready to start tightening up the licensing scheme to ensure OEMs push updates, or make a direct update channel from the phones to Milk Tray Central, or whatever.

        Or maybe they'll be too busy having moneyfights?

    2. big_D Silver badge

      Re: Victims?

      The problem is, the holes are already out there, and if the CIA knows about them, there is a chance that other organisations and criminals also know about them. Keeping quiet, once a patch has been released doesn't help anybody.

      1. Anonymous Coward

        Re: Victims?

        No. It is a certainty that both state and private actors, including organized crime, have them. These secrets circulated among the computer security equivalent of mercenary troops for a while before being shared with WikiLeaks. That was the kind of breach for profit that many warned about when criticizing the global intel industry's reckless weaponization of software bugs. Now they're out there: viruses with no vaccine, and more importantly no one in the $1 T a year US government who thinks it's their job to come up with defensive measures beyond the same tired old MAD based offensive strategy that's eventually going to put nuclear weapons in the hands of the "Toyota with a 20 mm cannon" crowd.

      2. Tom Paine

        Re: Victims?

        The problem is, the holes are already out there, and if the CIA knows about them, there is a chance that other organisations and criminals also know about them.

        About 5% according to that recent RAND report, although opinion in the community seems to be divided about the quality and reliability of that work.

        Keeping quiet, once a patch has been released doesn't help anybody.

        Not sure what you mean here, of course if a patch is out no-one "keeps quiet", because what would be the point when the vendor's released a patch? Anyone who's going to apply it will hear about it pretty quickly. Did you mean it doesn't help anyone to keep 0day secret? If so, you're obviously mistaken, as it helps the relevant agency. (And if not, just ignore me and accept a virtual pint.)

        1. big_D Silver badge

          @Tom Re: Victims?

          No, it was pointed at the first comment in the thread. There it was stated that many people don't patch straight away, so information about the bug shouldn't be published straight away.

          If the patch is out there and it is a big hole, then it should be published straight away, to try and get people to apply the patch. If there is a patch, many think "oh no, not another patch, f' off." If they know that it fixes a hole that can be actively exploited, they might actually think about applying it.

  3. EnviableOne

    MS17-Whenever

    Don't tell me ... MS will delay patch Tuesday again ....MS17-Whenever

  4. Anonymous Coward

    Ah, the endless, desperate search for relevance

    Please, please, why won't anyone talk to me? I haz bugs! Microsoft, please, talk to me so it appears I am relevant. Google? Apple? Anyone?

    Please, I crave attention, pleaseee. Please, please, please. Even the orange guy is not acknowledging my greatness, even after I helped him and the Russians, sniff.

    Pathetic.

  5. Anonymous Coward

    Put the vulns online

    The vulns are known and have circulated.

    They should have posted online one a week, and if the US gov doesn't want them to be zero-days, it is quite easy for them to prevent it.
