Posts by doublelayer

Re: "Inadvertently misrouted." Wow, that's what I call a spectacular display of contempt.

I'm not buying the "inadvertence" either, but they do manage to inadvertently misdirect other packages (not them specifically, just the general class of package delivery companies) often enough that they've probably had this statement sitting on a shelf for a while.

Re: Yes this is their Hongmeng OS

I would actually be more likely to assume a startup would do this properly, for the simple reason that most startups have fewer types of devices and use cases that need to work properly. I do not have any confidence in Huawei's ability to replace android with something else on devices in the field without requiring extra assistance from users. They will need to deal with users who have very little internal memory free, users who have made unusual system modifications, users who have replaced parts of the hardware (cracked screens, etc.), devices running on 2, 3, and 4G cell networks all over the world, and running in some cases firmware developed specially for specific mobile providers to lock them to that provider and to interact with providers' systems. These from the same people who forgot to turn off telnet for their routers (it wasn't an intentional backdoor, probably not at least, but it was a pretty bad mistake). No confidence at all. However, I also would not have confidence in any manufacturer who tried this, not Samsung, not Google, not Apple, not anybody. It's too large a change to go perfectly, at least in my experience, and I don't see any reason to believe that Huawei has a special method of escaping that.

Re: Yes this is their Hongmeng OS

They might have done that. Microsoft might have tested the 1809 build of Windows on lots of models, preventing the driver blue screens. Router manufacturers might have security tested their basic firmware, having fewer vulnerabilities. Samsung might have put some of their Galaxy Folds into the field before sending them to reviewers, catching the easily damaged mechanisms. Samsung might also have put their Galaxy Note 7s into more vigorous testing, catching the exploding batteries.

Just because a company is big, that doesn't mean they will be perfect. Huawei doesn't have a reputation as some technogenious which always knows what is going on and produces flawless products. If they did, your defense of them based on nothing might have some logic. In reality, they're a normal tech company that has its history of making mistakes and being generally fine. Saying that they might have some trouble trying to update a billion devices in the field to something that might be an entire replacement of the operating system is a very sensible worry, born out by the experience of trouble that happened every other time such a massive change was attempted.

Re: Marketing

No on all counts.

"So I can buy the one phone that I'm sure the US/UK government don't have backdoors to?"

You can't be sure of that. Nobody really knows to what extent if at all there is a backdoor running on current phones. Huawei might harbor one just as well as any other manufacturer. If the backdoor you've supposed into existence was part of Android, perhaps inside Google's blobs, it would apply to all Android phones including those from Huawei. If you're concerned enough that the U.S. and U.K. have backdoored phones, you should at least give thought to other countries, like, just to pick a name at random, the People's Republic of China having one too.

"With an open source OS and alternatives to the Google spyware?"

You've supposed the open source into existence too? Can I suppose things about these devices and that will just happen? They'll have a magic chip inside them that emits a new type of radio frequency that cures cancer. You have no basis for that. While Google's spyware will be gone, plenty of Huawei and partner's spyware will have replaced it. If you want open, get open, such as Lineage OS with FDroid apps on it. Do not expect a company to ride in as a savior; it isn't going to happen.

"And it has the same premium hardware as Apple/Samsung but costs half as much"

It has different premium hardware, and it costs the same. Their flagships are also ludicrously overpriced. They have cheaper models, and just like those from every mid-range and low-range manufacturer, they are just fine and will work for lots of people, but do not have the latest and greatest components. If you want latest and greatest at a lower pricepoint, choose a company like Xiaomi or the Oppo brand who do not have a ridiculously-expensive lineup and are better at charging a price commensurate with performance.

I've seen several of these comments recently. Just because you don't like the action of the U.S. government, that doesn't make the company harmed by that action into the best thing on Earth. I am inclined to agree that the restrictions placed on them don't make sense from the stated security benefit and are a purely political stunt for the purposes of a continued trade war. I think that, as such, they should be reversed. That doesn't make Huawei a wonderful company that is out to make my life great and is being repressed by someone who wants to keep the underdog down. The goal of this is money, not a backdoor. It's shortsighted to assign good and evil tags out without considering the large area in the middle where these things reside.

Re: Who?

In this case, the stake in the sense of how much power can be wielded is exactly the same, and better described as imaginary than real. Since there is a majority shareholder, whatever they say goes. The activist with 10% and the activist with 10 shares have exactly the same amount of power and will receive the same amount of respect. Yes, they could try to do a stunt like dropping all 10% at once, but A) they don't actually own that large a chunk, B) they wouldn't want to take that kind of loss to send a message, and C) someone else would buy it and Facebook would not care at all about the former investor.

Re: This will be fun to watch...

"He isn't charged with treason, he is charged with espionage."

This part of the discussion has escaped specifically the topic of the article and now is considering treason and related legal frameworks from a theoretical perspective. Nobody is arguing that he has committed treason; they just want to know whether a non-citizen can be charged with treason given its definition. In fact, some are arguing that it would be impossible for people in his situation to commit treason.

An app can probably be more trusted, but the more concerning one is a script on a website. A user can be tracked inside an app by many more reliable mechanisms, so the only benefit to apps. in using this is to try to track a user after they've deleted an app and reinstalled it. Concerning, yes, but not a very frequent thing to do. Meanwhile, sites that can fingerprint via scripts are much more worrying. If it takes a second to do that, lots of sites will do it successfully. If we can extend this to a minute, fewer sites will bother and plenty won't get a chance to finish before the user closes it. Still, I think the best way is to deny sites access to those measurements. If a thing needs those, they can write an app.

Re: The US refusing to sell components to China?

It's only a ban against Huawei, not China as a whole. And in practice, both countries could hurt each other quite strongly by refusing to export chips. Most of the chips concerned are designed in the U.S. and manufactured in China. If the U.S. won't export them, the Chinese can't use them. If the Chinese won't allow them to be manufactured, the U.S. can't use them. Of course, the U.S. could shift manufacturing to other places, mostly Taiwan and South Korea, and the Chinese could either design their own replacements or start manufacturing the chips from designs they had previously, but both would take longer and come with major downsides. So if either country tries that, expect some pain.

Re: apps such as Whatsapp and skype

You're troubled about the privacy implications of social media and your primary suggestion is QQ? The one that transmits a bunch of cleartext messages straight into the servers run by the Chinese government? They of social credit score fame? Viber doesn't have those implications but isn't exactly known for their privacy, either. Try things like Signal or Telegram.

Please no on the GSMA-run app store. The last thing we need is extra control over our phones by the mobile providers. They've already made it so it's hard to get a device without being locked into a provider. I don't want them deciding or even knowing what applications I can run.

I appreciate the enthusiasm. I really hope it is proven correct. Unfortunately, I don't think we will see a viable third alternative. Huawei will probably have something. Whether that is AOSP-based or something less compatible, I doubt it will be released as open source for everyone else, and I doubt that it will really provide useful things over standard AOSP let alone something less supported but more powerful like Lineage OS. Meanwhile, while other companies may indeed worry about android access being cut off, they will probably worry even more about a third OS eating into their market share because they would have to expend resources on building and maintaining it, let alone advertising it. If it dies like every other attempt at a mobile OS (Windows phone, Ubuntu Touch, Firefox OS, ...) they will be out that development cost, the hardware that didn't sell cost, the loss of android market share cost that Apple can try to pick up, and the made Google angry cost. Companies have a lot of financial people who do not like that type of mathematics.

Google services are blocked in China, including the play store. No Chinese phone accesses this store directly, though there exist side channels to access some of it. For this reason, lack of Google play availability will not dramatically impact the ability to sell the devices inside China. Outside China is a very different story. It is also worth considering that even those phones in China need chips from the various companies who have agreed not to sell them to the company, which may cause problems for them in the short term until they find alternate suppliers for the functionality or arrange for a third party to purchase the chips and send them on.

Re: As an iPhone user

I beg to differ. Let's consider the processor in an older iPhone and the one in the Pixel 3a:

Iphone 7: four cores (two 2.3GHZ high performance plus two more lower-power ones)

Pixel 3A: 8 cores, two 2.0GHZ cores and six 1.7 GHZ cores

The iPhone's cores have a pretty good single-threaded performance, better than many snapdragon cores, but not dramatically so depending on what the cores are called on to do. Now, let's look at some phones that cost less than 200 currency units, as defined by GSM Arena. I'm not sure exactly what currency unit they're using, but it's either euros, pounds, or U.S. dollars, as they use all three on various pages. Also take note that GSM Arena uses old prices, usually a price that was seen shortly after launch, so this includes only devices whose release price was under 200 units. Many other candidates are available whose price has been reduced to that level, but don't show up in the quick search I did.

Xiaomi Redmi Note 7 specs: eight cores: two at 2.2GHZ and six at 1.8GHZ, 4/6GB memory, clearly outstripping the pixel

Realme X specs: eight cores: two at 2.2GHZ and six at 1.7GHZ, 8GB memory, clearly outstripping the pixel

Samsung Galaxy A20 specs: eight cores: two at 1.6GHZ and six at 1.35GHZ, 3GB memory: not as good as the pixel, but not all that much worse

Nokia 4.2 specs: eight cores: two at 2.0GHZ and six at 1.45 GHZ, 3GB memory: A little worse than the pixel

Oppo A3S specs: eight cores: eight at 1.8GHZ: probably about on par with the pixel

These aren't all of the models, as I only considered one for each manufacturer. As you can see, several outstrip the pixel, and if I had included multiple candidates from each manufacturer, it would be even more of them. Even those that do not exceed the pixel in power have respectable processor performance, having eight cores and not having weirdly underpowered cores either. If you're doing something very processor-intensive on a phone, these might not be enough, but this is not the budget android device of old. It is perfectly capable of the standard smartphone use case.

I don't think anyone thinks Apple's prices are in any way justifiable, but that doesn't suddenly make this phone well-priced. Yes, it's better than Apple, Samsung, and Huawei in the flagship realm. But you can get a phone for much less that has similar specifications. This article has described it as similar to a flagship, but it's really not. It has a slower processor, less memory, and less internal storage than all other flagships and many other low or mid-cost phones. That doesn't make it insufficient; I've long contended that it is hard to tell whether an android phone has 4, 6, or 8 GB of memory, but it is important to avoid categorizing it as one of the most advanced, because that misleads potential customers into thinking that the price tag is a bargain, when it is in fact a bit overpriced.

Re: As an iPhone user

I would not get a pixel, instead going with a cheaper android device. There are a few good reasons to do that:

1. A lot of them have comparable specs and can't really be told apart.

2. Many of these, especially Xiaomi devices, are supported by lineage OS, so you can use that if you prefer it or want to extend the life of the device.

3. Looking in the low-cost field gives you more options so you can find a phone that has features you are more likely to want (for example, you can have a headphone jack, SD card slot, waterproofing, or a removable battery in various models, though all at once is harder to find).

4. If it turns out you really hate android, which happens from time to time, you have spent less money on your device and don't feel as bad when you sell it again.

I have to say that point 1 is the most important. While this article is extremely laudatory of the pixel, calling it low-cost, it really isn't when you compare it with the numerous good phones in the 100-200 price range. It's low-cost only when it is compared with flagships, which are all so high-cost as to be utterly ridiculous. The only thing I've consistently heard about being better in the pixel is the camera, but you will certainly get a serviceable camera in a cheaper phone, so it depends on your requirement for mobile photography.

Re: Google to host videos ...

Oh can it? I've never heard that before. Nobody's ever told me that. I have this phone over here that I can do that on. Just give me a few minutes... You want to explain why this phone, on which I don't have any google account configured, is still making DNS requests to google domains and shows play services as using a bunch of CPU and network on some occasions? It's also informed me that its performing a play protect scan of my phone. I have no malware, at least so sayeth Google when they checked my list of installed software against Google's servers. Which is some data. If this is happening, I'm guessing other data is coming out, too. Yes, I can go into settings and disable play protect. I can't disable google play services, though.

Re: Why not give users the choice?

You can do exactly that. Not many people have decided to prevent you from using hyperthreading. Google has, but their OS is so lightweight (just a big browser) that it is unlikely to have a need for it and BSD has always been a configure all you like OS. Other things leave it on. However, we can't give you an accurate number of ongoing exploits because first, this is new and people haven't really had a chance to try to use it yet and second, nobody tells us when they're starting to exploit this and it doesn't have a simple definable signature we can search for. You'll have to make your decision on whether to hyperthread or not to hyperthread based on the technical descriptions alone.

Re: What about Signal

Signal is not vulnerable to this, but could conceivably have a similar bug. It is open source, so that bug is more likely to be detected if introduced. What's app was not forked from signal (in fact it existed years earlier), nor was signal in any way forked. They're just two apps that look kind of similar. All the infrastructure, people involved, and app code is entirely different.

Re: Removing the infection

You are correct in both cases. I'm not sure if android allows it, but you can't modify binaries in place on IOS, so killing the app will close any connections. Updating will help too. Not using what's app is similarly effective.

Re: How do I know?

You can't really detect that. However, if you kill the app, which will happen automatically if you install the update, it will kill any compromised sessions and prevent new ones from starting. You would not know whether you have been attacked or, if you were, what if any data was extracted. There is no log of this from the application itself, as any logs could be written by the malware.

Re: OS level security?

It doesn't seem that it is escaping the sandbox at all. Unfortunately, from within WhatsApp's sandbox, the malware can access contacts, call history, microphone, and camera* because of videocalls. That's enough to compromise the user of the device quite a bit, even if it doesn't let you read email, browser history, or other types of data on the phone.

*If the videocall or voice call function has never been used on an IOS device, this exploit shouldn't allow those to be taken because the permission has not been granted. This distinction does not apply to android, and if a voice or video call was ever used, it wouldn't apply to IOS either.

Re: The question is

I don't think they were saying that this hack was created by NSO/anyone external, but that the expertise needed to find and exploit it in the wild, as has been happening, is likely that of NSO/someone external. I thought the exact same thing when I read that line, but the paragraph after that makes it look like the above suggestion. Given that this program is not open source and has an encryption layer on all its network traffic, I would say that it is at least somewhat hard to find and probably signifies some level of sophistication on the part of the attacker abusing it.

Re: Possible contributing factor to the 6% drop?

I think there is a lot to argue about that, and I think the margin should be lower or zero, but it is worth keeping in mind that you can have a payment system in an app that bypasses Apple's in-app purchasing system (E.G. please sign into your account, from which you will pay your bill with your credit card information). It is more difficult than letting a user press a button and authenticate with Apple, but it can be done and is in many applications. This option is very much not available when purchasing apps, although you can go the route of having a free application that makes you sign into an account and pay from there, which developers don't choose to do very often.

Re: Optional

But the case is not at all about operating systems. They're not saying that there should be some alternative to IOS that runs on iPhones. At most, they're saying that IOS should allow sideloading, and they may simply be saying that there should be more control of app pricing and a lower commission. If a case did happen with the decision saying that apple needs to provide an alternative OS loading facility, it would be problematic for every manufacturer of android devices that has ever produced a bootloader that isn't unlocked. Even those that were hacked to provide the functionality didn't actually intend to provide consumer choice. So that probably wouldn't succeed, but is definitely not what's at issue in this case.