"This includes the user and the hacker physically being on the same unprotected network while downloading a language update."
Such as both the user and the attacker being 'on the Internet'?
Samsung has promised to deploy updates to resolve a serious mobile keyboard snooping bug, with security policy fixes expected in the coming days, the company said on Thursday – while simultaneously downplaying the issue. As previously reported, researchers at security firm NowSecure warned that a problem involving the keyboard …
"Such as both the user and the attacker being 'on the Internet'?"
No, the attacker must have control of either a gateway, transparent proxy, DNS server, etc. between the target and the update server. This is why this is more of a threat on dodgy WiFi networks where setting this up would be easy for a technically literate person.
While we're both 'on the Internet', you are using all of the above from your ISP and I'm using them from mine, so there is no way we can interfere with each other.
That said there is nothing stopping someone at our ISPs interfering with either of us.
"Such as both the user and the attacker being 'on the Internet'?"
Actually the AC is perfectly correct and Samsung have given out bad/misleading advice. What Samsung should have said is that there must be another compromised device on the same network/subnet - quite significantly different to saying the attacker has to be on the same subnet or network. Attacks by any miscreant hacker worth his salt are almost always conducted using proxy devices, and there are plenty of bad/old routers that can be exploited and/or compromised, run remotely and left waiting for a Samsung phone to join. To describe such a common scenario as the attacker having to be on the same network is at best misleading spin (most likely), at worst revealing of a worrying ignorance on Samsung's part. A release relating to a security compromise is no place for spin or propaganda.
Your devices getting updates depends on your carrier re-jigging them and pushing them. Blame your carrier. This is why Kies works - because that's the Samsung update mechanism. Samsung have no direct control on if/when/how your carrier pushes published updates to your phone.
Security policy updates are pushed all the time, however. It's an option in the menus for Samsung Android devices. It happens in the background and - I believe - is basically SELinux profiles.
That the device does not update from non-Windows? That's an issue but that's true of basically EVERYTHING. Try and reinstall/update/unlock an iPhone from anything other than a Mac, for instance.
The fact that Samsung has little control over their own updates highlights a glaring weakness with Android - one never knows whether they will get the updates pushed by Samsung. Consider the number of people who are eligible for Android upgrades but never get them. This fractured system Google has created is annoying at best & dangerous at worst. Google seriously needs to rethink the way Android & its updates are controlled. The present system clearly isn't working.
"The fact that Samsung has little control over their own updates highlights a glaring weakness with Android - one never knows whether they will get the updates pushed by Samsung"
Except this isn't an android issue, same way it isn't a Swiftkey issue - it's a Samsung issue. Samsung made sloppy decisions when integrating third party software, Samsung are the ones who network and region lock device updates, and Samsung are the ones who decide to drop supporting year old phones.
Samsung have complete control over their updates... in reality they've spent a good amount of resources to add the capability to their update system to pick and choose which ones your phone will install - based on decisions like if it's signed by the operator that owns the phone, what region your phone is from, etc... rather than Samsung not having enough control, to get the utopia you're suggesting in android land we'd need less control - no 3rd party keyboards, updates to google keyboard pushed out by the only allowable app store on android (play store). Not just keyboard... we'd need it for everything - one unified platform that manufacturers are not allowed to skin / modify in any way other than that sanctioned by google. But then we have things like that, they're called iPhone, and to a lesser degree, WinPhones.
Samsung just tell me to use Kies to update it myself. Right. Where is the OpenBSD version of Kies?
Certainly, there doesn't seem to be any reason why Samsung couldn't make updates available as APKs[1] for download using Plain Old HTTP, so tech-savvy users who don't have a Windows system handy could upgrade from Linux, BSD, etc. I'm not expecting them to port Kies to *ix platforms, but then I wouldn't expect most *ix users to want that anyway.
Unfortunately the economic incentives are all against providing decent support for smartphones. Root-and-flash seems to be the best option for people with the requisite knowledge and time.
[1] Or whatever format is appropriate for the update in question.
Plenty of professionals make equally serious and dumb security mistakes in software every day.
Directory traversal attacks, as an example, are common enough to merit specific mention in Howard et al.'s The 19 Deadly Sins of Software Security (under Sin 14, "Improper File Access"; note the book has since been upgraded to 24 sins). That means they're very common indeed.
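Two points in this thread are worth seeing as code: the earlier reply that an on-path attacker (gateway, transparent proxy, DNS) can tamper with a language update fetched over an untrusted network, and the directory-traversal sin mentioned just above. The following is an added example, not code from Samsung, SwiftKey, NowSecure or the commenters: a hypothetical language-pack installer that treats the transport as hostile by checking the downloaded archive against a pinned SHA-256 digest (standing in for a proper signature check), and then refuses any zip entry whose resolved path would land outside the destination directory. All names (`install`, `safe_member_path`, `run_demo`, the `dict/en_GB.txt` entry) and the in-memory sample archives are constructed for the example.

```python
import hashlib
import hmac
import io
import os
import tempfile
import zipfile


def build_archive(entries):
    """Constructed sample: build a tiny 'language pack' zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


GOOD_ARCHIVE = build_archive({"dict/en_GB.txt": b"colour\nfavour\n"})
# Digest the installer ships with (hypothetical); stands in for verifying a
# vendor signature, so the download can travel over plain HTTP and still be checked.
PINNED_SHA256 = hashlib.sha256(GOOD_ARCHIVE).hexdigest()


def integrity_ok(payload, pinned_hex):
    """True if the downloaded bytes match the pinned digest (constant-time compare)."""
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), pinned_hex)


def safe_member_path(dest_dir, member_name):
    """Resolve a zip member name under dest_dir; return None if it would escape.

    Catches '../' sequences and absolute names, which os.path.join would otherwise
    honour, by comparing the fully resolved target against the resolved destination.
    """
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return None
    return target


def install(payload, pinned_hex, dest_dir):
    """Verify the payload, then extract it entry by entry with a traversal check.

    Returns the list of installed files (relative to dest_dir); raises ValueError
    on a digest mismatch or on any entry that would write outside dest_dir.
    """
    if not integrity_ok(payload, pinned_hex):
        raise ValueError("update payload does not match pinned digest")
    dest_real = os.path.realpath(dest_dir)
    installed = []
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = safe_member_path(dest_real, info.filename)
            if target is None:
                raise ValueError("refusing traversal entry: %s" % info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            installed.append(os.path.relpath(target, dest_real))
    return installed


def run_demo():
    """Exercise the installer on a genuine, a tampered and a traversal archive."""
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        results["good"] = install(GOOD_ARCHIVE, PINNED_SHA256, dest)
        # Modified in transit: same entry name, different content -> digest mismatch.
        tampered = build_archive({"dict/en_GB.txt": b"injected\n"})
        try:
            install(tampered, PINNED_SHA256, dest)
            results["tampered"] = "accepted"
        except ValueError:
            results["tampered"] = "rejected"
        # Even a payload whose digest we accept must not write outside dest.
        traversal = build_archive({"../escaped.txt": b"x"})
        try:
            install(traversal, hashlib.sha256(traversal).hexdigest(), dest)
            results["traversal"] = "accepted"
        except ValueError:
            results["traversal"] = "rejected"
        results["escaped_exists"] = os.path.exists(os.path.join(dest, "..", "escaped.txt"))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The two checks are independent on purpose: the digest check is what makes the on-path position the earlier reply describes useless to an attacker, and the path check is what keeps a badly built (or maliciously built) archive from writing where it likes even when the digest check is bypassed or misconfigured. Using `realpath` on both sides is what makes the comparison hold for symlinked destination directories as well as for `../` and absolute entry names.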
Code this bad should not be sold
True. Unfortunately that leaves us with very little software that should be.