On 12/06/2016 01:33 PM, Rick Moen wrote:
> As they point out, this results from the Signal people and the F-Droid
> people fighting over acceptance criteria. You'll note that the author
> says in the notes 'Wow, the Signal vs F-Droid issue is a stupid hot
> mess. Can't we all just get along and share the software? Don't make me
> sing the RMS song, people... I'll do it...' ;->

Heh, well the f-droid approach is *IMO* completely untenable. Basically they are saying to any software developers: send us your binary, we will do anything we damn well want with it, change it if we want, publish it under our key, and you have no power at all over the result. Just "trust us". The weird part is I can find no reason, justification, etc.

I'm totally with signal, their entire design is to prevent the local mafia, blackhats, government, whatever from spying on you. The entire idea behind e2e is to minimize trust of 3rd parties. Google play uses the developer's key, thus you don't have to trust google. F-droid inserts themselves between the developer and the user. Might as well cc: every communication you make to the f-droid folks.

I'd hope that f-droid would be more secure than google play, not laughably bad.

> Still 'n' all, yeah, Copperhead OS and drills like the one on the Tor
> blog post(s) are as good as we have, at the moment. What boggled me
> was what a near-total showstopper the baseband CPU/firmware problem
> continues to be. The article's April iteration
> (https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy)
> goes through some elaborate steps to deal with this and related
> problems. (At present, they recommend decoupling the phone or tablet
> from baseband problems by using a separate MiFi device.)

Indeed. Unfortunately consumer devices are driven by decreasing costs, decreasing thickness, increasing battery life, etc. Used to be that often GSM support would be off chip, with no access to system memory. The OS could treat it like a modem. Sadly with everything integrated that barrier no longer exists. It's not likely to come back.

Sure tethering still helps, but you still have to trust the local firmware, which is rarely open source and increasingly is network aware (like say Intel's). Seems like as people start internet enabling more devices that the tether thing might take off. After all why pay for internet for your watch, tablet, laptop, phone, and car when you could just buy a WAN enabled widget smaller than a phone and get live data wherever you are.

> Personally, the only Android-type device I have is a Nook Tablet running
> Cyanogenmod, which at least sidesteps the baseband problem. Copperhead
> OS would have been much better but, as the Tor blog notes, so far,
> Copperhead doesn't support any wifi-only devices, only certain
> smartphones.

Nexus 9 has a wifi only version I thought and has copperhead support.

So there are clearly threats that copperhead doesn't protect against, but there are certainly many threats that are. Increasingly it seems like consumers are more aware, and that OSX, Windows, Android, Linux Kernel, and iOS are upping their security. Those that lead like Signal, Copperhead, GR Security are working hard on improvements that are definitely trickling down. What's even more promising is Google and Apple seem to be pushing things quite hard.

Here's a good PDF on the linux kernel security, seems like this one had a pretty decent impact, and I'm glad to say that the updates in the last year are pretty promising: http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf

> I have my doubts about progress. The OEMs still are failing to support
> meaningful service lives for their hardware, and everyone's trying to
> use tricks to control customers.

Nexus/Pixel and google in general do seem to be placing a relatively high priority on security. Not adding features for features' sake. Most of the evil, sloppy code, and "lock in" I see is from the custom skins from Sony, Samsung, HTC, and friends. Code that's not open source, complex, written with minimal regard for security. What's worse is the skins slow down the important things like security updates. Estimates I've seen place around 85-90% of the security problems with the android customizations/skins.
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech