* Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

Rooting your Android phone? Google’s rumbled you again

Charles 9

Re: I use Paytag to make contactless payments with my rooted Android...

But it only supports ONE BANK. Android Pay and Apple Pay support many banks, including multiple banks on the same account.

Charles 9

No, they leave WHOLE WALLETS, leading to complete identity theft.

Anyway, some of us have to wear clothes with no pockets.

Charles 9

Because at least you get compensated for it with discounts and the like. Otherwise, they'll find other ways to data mine you and you get nothing for your trouble except junk mail.

Charles 9

Re: Google has no incentive to make it easy for you to remove that stuff

NO phone. I've made up my mind that, unless my current phone (a modified S4) breaks, I'm not getting another phone until I can get it vanilla WITH SD slot AND removable battery (if it does break, I'll get the closest match that I can modify secondhand and keep waiting).

I'm reminded of an ad for an electronics store since gone to that brand name scrap heap. This was right during the big HDTV push, and the guy claimed to be so confused about "SDTVs and HDTVs" that he's ready to instead get "N-O TV."

Charles 9

Re: Google has no incentive to make it easy for you to remove that stuff

So they're not worried about it backfiring, as in more cruft means more likely they WON'T get the phone?

Personally, I'd be more interested in a plain vanilla Android phone, but Nexus phones don't offer SD slots or removable batteries, which are both make-or-break requirements for me.

Charles 9

PCI would be interested in Apple Pay and Android Pay as both use EMV over NFC, which provides much the same level of security as the Chip: both use nonces, so even if the data gets stolen, it's of no use to credit card thieves, plus both require explicit user consent to unlock the feature (thus why you can't use them without actual lockscreens), preventing even an NFC skimmer posing as a merchant from going unnoticed.

Charles 9

Re: Maybe I just don't get it

"Google doesn't use a secure element for Android Pay - they use host card emulation. That's a software based solution so they can't allow rooted devices to use it because it would defeat the security - it also means compromising the security of Android compromises its security. Google made that choice because requiring a secure element would lock out the lower end Android phones that choose not to include it for cost reasons."

And by doing so, they improved uptake of Google Wallet which helped keep NFC on the map until EMV-on-NFC came along (Apple Pay and Android Pay both use this now. Google Wallet virtual cards are being retired IIRC). The main reason for this move in Android Pay is at the behest of the banks who basically made it a prerequisite. Given this security requirement, Google may be more inclined to set up a hardware-based trusted path for future Android phones and in particular for Android N going forward. It's more affordable to do it now especially since Apple are helping bring economies of scale to the Secure Element market.

Charles 9

You do know there are a bunch of multimedia- and MMS-based exploits open in most Android versions. If you have an unmodded KitKat, you're one of those in trouble.

Charles 9

All iPhones that can use Apple Pay have Secure Elements. Google tried that in the past but were ahead of their time: SEs then were expensive and finicky. Perhaps all Android Pay phones using Android N or whatever in future will have to incorporate a Secure Element, too. This will mitigate the need for root checks if push comes to shove. Another possibility (at least with ARM) is to use TrustZones or other hardware-based encrypted-execution zones again where not even root can intrude.

Charles 9

Re: Google Play

I can only see this being enforced on systems with Marshmallow, which enforces the dm-verity system integrity program all the way from bootup.

Charles 9

I think they're working on it with Marshmallow and improved overlay support, but with carriers still able to have final say, some give and take is involved (such as TouchWiz and T-Mobile WiFi Calling). Perhaps they'll have a better solution by the time of Android N. They may also decide to bring back the Secure Element or something similar to establish some Trusted Path.

Charles 9

Re: Rooting...isn't what it was.

Well, as soon as they'll let me perform a complete (nandroid) backup from stock, just in case there's a severe corruption (have had this happen after a few Sleeps of Death), and perhaps a user-configurable firewall, and the ability to update Android without carrier intervention, then I'll have no more need for root.

Charles 9

Re: No problem here

That's entirely up to them since they can always check the Agent tag. Then again, it becomes a case of pick your poison: open yourself to hacking or starve yourself of practically your entire clientele.

State Department finds 22 classified emails in Hillary’s server, denies wrongdoing

Charles 9

Re: Um... da fuq

"Liar. They WERE classified at the time they were sent. $Hrillary explicitly instructed her minions to remove the classified headers and send it via unsecured channels."

And how do we KNOW this?

Charles 9

Re: Thursday's lunch menu

I would think it DOES matter since if they were classified AFTER they were received, then ex post facto kicks in and no one can be at fault for handling stuff that was only classified after the fact. Unless the material was classified in some way BEFORE it was put on a non-classified machine, there's no standing.

Charles 9

Re: Thursday's lunch menu

But here's the big question. Were the e-mails in question classified BEFORE or AFTER they ended up on the server?

Internet idiots make hoax bomb threats to UK, Aus, French schools

Charles 9

Re: $10 bet

Unless, of course, they're found to live in a country hostile to the West...

Charles 9

Re: $10 bet

$50 says someone else uses them as a smokescreen to cover up an ACTUAL attack?

Europe wants end to anonymous Bitcoin transactions

Charles 9

Re: $US

What's saying greenbacks AREN'T being used to fund terrorism? Money's money to most international miscreants: whatever buys the goods. I'm just saying, in terms of the article, that in order to make Bitcoin useful, you have to change it back into real-world goods or currency, which means having to go through some agent. Trying to get it back to currency has limited options, and most of those can be watched, so the better option would be some kind of barter.

Charles 9

Re: $US

Because the US are one step ahead. They passed regulations last year that forces Bitcoin exchanges in the US to keep accounts and records (Coinbase is legit, for example). Those that try to avoid the regs get pursued by the authorities. And they know to be useful you have to get the BTC back to actual currency, so they look for conversion points.

Why the Sun is setting on the Boeing 747

Charles 9

Re: >the aircraft that made Boeing into the global leader it is today

DC planes IIRC were made by McDonnell Douglas.

Charles 9

Re: *errrrr* No.

The El Al crash, right. I was just about to reference it. Two failures on the same side does make things trickier, raises the risk of loss of control.

And IIRC a tail engine failure did lead once to a crash because it managed to knock out ALL FOUR of the hydraulic systems, including the one on the opposite side, making it a Failsafe Failure.

T-Mobile USA’s BingeOn is a smash hit. So what now?

Charles 9

Re: "Throttling" is the "nice" word for it

What about more towers and backhaul to reduce congestion?

Charles 9

Re: "Throttling" is the "nice" word for it

"Total utopian bollocks. In what world is it fair that my realtime-dependent streaming service should get the same priority as Johnny Nobend uploading pictures of his dinner to Facebook?"

Yes, because the Internet is NOT designed that way (it's designed for robustness, NOT latency). If you need low-latency networking that badly, plunk down for your own specialized infrastructure the way we used to do it. That's why dedicated carriers like UPS have their own vehicle fleets, including airplanes, so they're not beholden to third-party couriers.

Charles 9

Ever thought Google and YouTube refuse to participate because there are strings attached?

Charles 9

Re: "Throttling" is the "nice" word for it

It's simple. No picking winners. You handle all data equally, regardless of what anyone else says. If you run out of space, you split the difference evenly across all contenders. That's the only way to be fair, and if your data model doesn't like it, tough shakes and get in the queue. It's the ONLY way to be honestly fair.

Charles 9

Re: unfair hybrid charging

People don't want their data to be the same...until it's the other guy's data that's the winner. Since you can't pick winners without complaints, the only way to be fair is to pick no winner at all. That way, at worst, everyone complains but at least they're on the same boat.

Charles 9

Re: "Throttling" is the "nice" word for it

Just curious. As someone noted, without some kind of vetting (which then breaks neutrality), you could have people cheating. How do you stay neutral AND simultaneously guard against cheating?

Smart toys spring dumb vulns. Again. This time: Cuddly bears, watches

Charles 9

Re: Scary State Secrets

Put it this way. The kind of secrets that would either render them a "bad country" that others will immediately embargo or (worse) directly threaten their very existence.

Charles 9

It's almost to the point that perhaps legislatures have to get into the act and put a cork in all this IoT stuff. This kinda feels like the days of the foot x-ray machine: people throwing stuff against the wall to see if it stuck, not realizing some of it is going THROUGH the wall. Perhaps once someone finds a way to use an IoT item used every day to jump air gaps and potentially reveal scary state secrets (like espionage info or nuclear data), then they'll be forced to act in the name of sovereign security.

Sure, encrypt your email – while your shiny IoT toothbrush spies on you

Charles 9

Re: The problem is that cloud services are allowed for such things

So what if you're in the supermarket trying to recall if you have milk in the fridge or not? It'd be too much effort to go home just to check (if you go home, you might as well not come back), and your memory really isn't that swift. An app like that could save some serious time and money, particularly if you're in an edge case like you just got off the late shift and you're trying to get a quick gallon before the store closes.

PS. Since milk is perishable, it may not be wise to just get it anyway since you may not get through it before it sours.

Charles 9

Re: IoT - "you'll get what you deserve"

Going without a TV can be considered much like going without electricity: you could, but man is it gonna suck, especially as other forms of information gathering become no-man's-lands (like the Internet) or fall by the wayside (like the newspaper).

Charles 9

Re: IoT - "you'll get what you deserve"

"It's also easy to forget that many shops have stopped selling TVs that aren't smart! Sure, don't connect it, but what if your neighbor's kid does when you're out one day, and you don't discover it for six months!"

Or worse, it comes with Whispernet, OTA, or Powerline communication capabilities that you can't kill without killing the TV AND voiding the warranty (and you can't even Faraday-cage a Powerline network)? I bet pretty soon chatback will become a standard, essential feature of all electric appliances in the future such that trying to kill the feature kills the device cold.

And as for moving to the forest, there's the matter of the satellites...

Charles 9

Re: Orwell

You haven't been keeping up with the Presidential campaigns, have you? Or all the arguing at the Flat Earth Society? It's happening, and the worst part is that people are completely blind to that revelation. They're spoon-fed lies, told it's the truth, and believe it with such absolute conviction that they will argue with everyone else about it until Doomsday.

Samsung trolls Google, adds adblockers to phones

Charles 9

Then the adwalls start popping up everywhere and people are left with a choice: bend over or bow out...of the Internet.

Charles 9

Re: Two fingers to google then?

Given their current financials, it might as well be. Look, until it puts them in the red, Google/Alphabet won't budge. Fiduciary duty mandates it.

Charles 9

Re: Not the most urgent job

And even that's starting to get dicey. More and more root detectors are popping up, starting a sort of retaliation: Go Stock or Go Home being the battle cry.

Charles 9

Web page size was important because people were still connecting to the Internet on 14.4kbps modems (I know I did, upgrading to a 28.8k in the late 90's was considered a big step up until I built a machine that could tap the campus Ethernet network). With overhead, that meant you pretty much had to cram everything into documents of a few KB or less to avoid the user (or browser) giving up. Nowadays, dial-up Internet is considered Stone Age (since even the boonies can use satellite).

Charles 9

Re: What are you going to do about it, Alphabet?

"I'm not convinced of that. Unless they control the entire stack of my device, what stops me from routing anything I identify as an ad to /dev/null ?"

With Marshmallow, they pretty much get you from the ground floor. Even without dm-verity, they can make the ads part and parcel with the stuff you want, so you end up with a Take It Or Leave It scenario. In other words, you block the ads, you block the content as well, leaving you empty. Leaving It basically means abandoning Android. Thing is, Apple and Microsoft, basically, the rest of the market for anyone who cares, do the same thing except maybe in other ways. If all roads lead to Tartarus and you can't go back the way you came, what do you do?

Charles 9

Re: If nothing else ...

Thing is, none of these do much for ads in APPS, which you need an OS-level firewall to block.

Charles 9

Re: Industry examples

"I don't root my phone for my own reasons, and I don't think I should need to, in order to have control of the network details the way I do on a laptop.... eg. set fixed DNS for all connections (open DNS) and allow user access to a hosts file of some kind (perhaps a non root hosts file, so it could be separated from the core system stuff google doesn't want you to mess with)."

And you know why that won't happen? Two things. First, malware can mess with a user-mode hosts file and redirect you to more malware, particularly privilege escalation that'll let them pwn the phone. Second, and more importantly, this'll let you block Google. Thus why all this dm-verity stuff that's becoming enforced with Marshmallow. It's not Google's way or the highway, and if you take the highway, you're completely on your own.

Charles 9

Re: Adverts are not the essence of the problem ...

Trouble is, the ONLY way to get phone-goers' attention these days is to be loud and proud. Odds are if ads were as unobtrusive as you wanted, people wouldn't even notice them (which is why banner ads are not really in vogue these days).

Charles 9

Re: If nothing else ...

But what about when you're on the go? And BTW, NRF doesn't work on LTE because NRF is IPv4-only (LTE supports IPv6).

Intel's SGX security extensions: Secure until you look at the detail

Charles 9

Re: Anybody out there want to do a helicopter-level comparison

That sounds more or less accurate. Whereas TrustZone is a binary "protected/unprotected" demarcation, SGX can have multiple protected enclaves, each exclusive of the others except where inter-process communication is necessary.

Charles 9

The thing is that the malware could both create a protected world for itself AND hook onto those necessary inter-process parts of the legitimate processes (protected or not) and still be able to wreak havoc while simultaneously staying protected in its own little bunker. After all, no program is an island these days. Programs eventually need to get in touch with other programs (like a web browser contacting the TCP/IP stack), and these links can still be tapped.

Charles 9

That said, the situation does appear to be an intractable problem of "Whom do you trust?" If a program can secure its own enclave, absolutely nothing will prevent malware from doing the same thing, thus bunkering itself beyond hope of extrication. If you trust any other party (be it Intel or whatever), Trent gets a big fat target on his back.

Why a detachable cabin probably won’t save your life in a plane crash

Charles 9

I don't think it was the loo. Rather it was one of the flight attendants in the backwards-facing attendant's seat all the way in the back of the plane (which broke up in mid-flight) and landed upside-down, meaning she didn't get the full brunt of the impact. The top crumpled, taking most of the impact while she (strapped in) didn't fall the rest of the way.

Charles 9

Re: I'll tell you one thing...

I think the problem is that CFIT sensors can be fooled, throw false alarms, or be overridden. As long as there is meat in the cockpit, there's always the risk of a CFIT. Also, many CFITs occur during the already-dangerous landing phase, where planes are supposed to be close to the ground, rendering a CFIT sensor useless.

Charles 9

Re: Looks as though it requires a high-wing aircraft configuration.

"I've actually wondered whether it would be feasible to have a plane where you can basically slide the entire passenger deck out of the actual plane into a gate area so you can have passengers leaving and boarding over the entire length of the plane instead of through a limited number of doors, then having to get past other people who have seats closer to the door you came in through."

Airlines are looking into the concept. However, the logistics behind such a change would be so radical compared to today that any consideration into the detachable passenger cabin is considered long-term at best. Plus there's the matter of maintaining the craft's structural integrity with such an idea.

Most of the world still dependent on cash

Charles 9

But how do they charge their phones in an area with no electricity?

PS. Reminds me of the short where Paddington tried to sell a vacuum cleaner to a man on gas.