Misguided attacks against the Linux leader

I've just seen this article from the +Washington Post circulating, and it is worth questioning the real motivations behind it.

Let's start with the author: he writes an article attacking +Linus Torvalds as a person and uses fear regarding Linux security as a method to gain legitimacy.

But he doesn't understand the difference between an OS and a kernel, or at least has no issue with confusing readers.

"Yet even among Linux’s many fans there is growing unease about vulnerabilities in the operating system’s most basic, foundational elements — housed in something called “the kernel”"

And here's the type of thing the security experts say:

"If you don’t treat security like a religious fanatic, you are going to be hurt like you can’t imagine."

Because we all know dogma and fanaticism are the best answers to any problem... right?
Best of all, this is from a security expert associated with the NSA.

No wonder Linus ends up saying fuck to this kind of crap.
Also, maybe he's not as vulnerable as some would like to initiatives that aim to take control of the Linux project for the wrong reasons, using fear as justification.
I'm no conspiracy theorist, but curious elements are right there in the article already.

#supercurioBlog #security #critic

Meet the man who holds the future of the Internet in his hands — and thinks most security experts are “completely crazy”
Linus Torvalds created Linux, the operating system that dominates the online world. But a rift exists between Torvalds and security experts.

Source post on Google+

How most audio equipment reviews seem to happen

I wouldn't say reviewing headphones with a scientific approach and objective methods is an easy thing to do: it is not.
It doesn't mean it's impossible, by any means.

Today's article from +Engadget illustrates how, it seems to me, most audiophile equipment (or audio equipment in general) is evaluated.
Heck, for ultra expensive audiophile stuff, broken is good enough!

At the point where function itself is optional, you can guess the importance given to the actual product performance…

Quoting:
"But the more I think about it, the more it doesn't matter."

#supercurioBlog #audio #critic

I didn’t listen to a pair of $55,000 headphones

Source post on Google+

Android 6.0 Marshmallow on Nexus S

Thank you once again +Dmitry Grinberg 🙂

This one, starting from the 4.1.2 AOSP source and binaries, required more work, including on:

* RIL, for Radio Interface Layer: the software allowing the modem and CPU to communicate, managing phone calls, text messages and data transfer

* HAL, for Hardware Abstraction Layer: what allows the Android OS to communicate with low-level drivers

* Kernel: support for the features required by Android M

* ART runtime tuning to adjust for the compilation of large apps

* Partitioning: using the larger partition as Ext4 /data instead of FAT32 /sdcard, as introduced on Honeycomb tablets and used in all current devices.

* BGRA8888 support added in Android, as it's what the GPU has instead of RGBA8888

I'm gonna try that shortly after copying a backup of the 4.1.2 stock rooted (with Voodoo Sound of course) running on mine at the moment!

#supercurioBlog #Nexus

Originally shared by +Dmitry Grinberg

Forgot to post this last night

Android M on Nexus S – Dmitry Grinberg
How to build Android Marshmallow on Nexus S. The story… Nexus S (crespo) got its last update in Oct 2012. It was Android 4.1.2 Jelly Bean. Android M (marshmallow) just came out recently. I decided to port M to crespo for fun, and as a demo that old hardware can in fact run new versions of …

Source post on Google+

Android One evolution

While +Ron Amadeo's article is mostly negative, here is a different interpretation of the same elements:

Google integrated its partners' feedback as well as the market response with pragmatic and realistic changes benefiting everyone.

Launch

It made sense, when launching the Android One program, for Google to keep tight control on specs, software development and distribution.

– Less hardware variety, reducing development costs and delays, improving user experience consistency and reducing the number of bugs in the beginning.

– Google-controlled updates were the best way to enforce their priority of delivering updates, and through this channel gain immediate feedback on how to reshape the Android platform as needed to best suit the new markets targeted.

Maturity

– Broader choice of components and suppliers allows driving costs down by enabling more competition.

– Distributed software update processing and bug handling, instead of centralized, allows scaling.
As we could observe on Android Wear, Google-only management led to severe bugs staying unfixed for months.

– OEMs becoming more involved encourages them to advertise and sell more Android One devices, now having a chance to develop a relationship with their customers and build their brand long term.
This relationship is crucial in markets like India.
OEMs can now capitalize on brand loyalty obtained through affordable Android One devices, with good hopes of selling higher-margin devices to the same customers next.

– Google keeps the contractual guarantees negotiated with OEM partners in terms of software update distribution, which was, or still is, the main problem to solve.
Same results at a lower cost.

From this perspective, it doesn't sound too bad!

#supercurioBlog

Google’s “Android One” gets watered down again, now a shell of its former self
Cheap smartphone plan compromises on hardware and software, so what’s the point?

Source post on Google+

Sony Smartwatch 3 battery bug fixed?

Since the Android Wear update upgrading Google Play Services to version 8.2.98, my unit hasn't experienced the battery-draining bug I mentioned so often before.

https://plus.google.com/+supercurioFrancoisSimond/posts/SBZU9H2w8rB

I am hopeful that this issue, which was making the watch essentially a defective product, is now fixed, possibly thanks to the involvement of +Wayne Piekarski, who gave my many bug reports to the right people.
Last month he mentioned that the bug was fixed internally, although without more details or an ETA.

The bug occurrence was random, however, so by definition it's hard to tell for sure, hence my question:

Is it fixed for you too?

The screenshot shows battery statistics with light usage (sitting on my desk aside from a few hours a day when I go for a walk): the watch battery performance is now pretty solid.

#supercurioBlog #battery

Source post on Google+

Android source becomes faster to build

Building Android from its gigabytes of source code takes a little bit of time.
And yes, this is a euphemism, as we are talking about roughly 2 hours on a reasonably powerful quad-core desktop CPU.

Of course, when working with this gigantic project, you quickly learn how to build only what's necessary and its dependencies.

Still, it's very good news that AOSP is switching from an optimized use of the venerable "make" tool to a duo of better-optimized replacements named Kati and Ninja.
https://github.com/google/kati/blob/master/README.md
https://martine.github.io/ninja/

It's only the beginning, since there's an effort to rework the design of the build files, and the Chromium WebView now comes pre-built (which alone almost halves the full build time).

#supercurioBlog #development

Re: ANN: AOSP builds with ninja
Published on 28/10/15 13:47 (4 messages)

Source post on Google+

Let's encrypt beta invite

Fantastic! The same day I mentioned them in a post about the prospect of HTTP sniffing log retention in the UK, Let's Encrypt sent me an invite for the closed beta I signed up for a few weeks ago.

I'm very proud to be able to experiment early with the tools that'll help convert massive chunks of the Internet to encrypted connections for everyone.

And... perfect timing, really.

#supercurioBlog #encryption

Let’s Encrypt
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the Internet Security Research Group (ISRG). ISRG is a California public benefit corporation, and is recognized by the IRS as a tax-exempt organization under Section 501(c)(3) of the Internal Revenue Code.

Source post on Google+

Dear UK, what are you doing?!

It might be time to throw out your current leaders.

In case anyone was ever doubting that adult content filters were just a first step for control-freak authorities with no limit on how ready they are to violate any citizen's privacy… here's your proof.

On the positive side, if there is any, it will only encourage every site owner to switch to HTTPS, either with their own certificates via http://letsencrypt.org or via +CloudFlare's free solution, sufficient to avoid HTTP request logging by ISPs in a few clicks.

I've activated that for my sites until http://letsencrypt.org ships. Unless you prefer to obtain full-fledged certificates, I would strongly encourage you to do the same given the current direction of things.

#supercurioBlog #security #encryption

Originally shared by +TNW

UK bill forcing ISPs to store users’ browsing history to be published today http://tnw.me/gzmimWk

UK bill forcing ISPs to store users’ browsing history on its way
New surveillance laws in the works will require broadband providers to store details of every site citizens visited in the past 12 months, reports the BBC.

Source post on Google+

Google Project Zero targeting Samsung

Project Zero made the news a few months ago by publishing unfixed vulnerabilities, with their exploits, in Microsoft operating systems before the Redmond company managed to ship patches.
A lot was written back then about the fact that Google was attacking its competitor, also accusing the team of being irresponsible for operating on a fixed 90-day time frame.

Well, this time they went after the worldwide leading Android manufacturer and its Galaxy S6 Edge, with the same rules and similar results, which should address any bias concerns.

The report itself is fascinating and illustrates how additional software, like apps or native support for more media formats (Samsung has always been good at that), increases the attack surface with more code, which might also not be as solid as AOSP's.
Then there are hardware drivers (like for the GPU), and you can't really skip shipping those.

How many vulnerabilities can be found in the phone you are using right now (any phone) with a few weeks of work from a dedicated team?
It's safe to assume quite a few. With sufficient resources, it seems there will be a way in, which is not reassuring given the amount of data our gadgets have access to, especially through Google account credentials.
Location history is the perfect example of over-the-top tracking, yet it is required for Google Fit and was probably enabled by many after tapping a Google Maps launch dialog without realizing the consequences.
This is why I highly recommend two-factor authentication… Yet it doesn't change anything if a root vulnerability allows escaping the sandbox and stealing credentials from the active device, or accessing the data directly from there.

It is also difficult to know where to learn about manufacturers' security practices.
Do they have a security team like Project Zero continuously evaluating their products internally, with fuzzing and more?
There is no guarantee of results and certainly no such thing as perfect security, but it's something that would be good to know.

#supercurioBlog #security

Hack The Galaxy: Hunting Bugs in the Samsung Galaxy S6 Edge
Posted by Natalie Silvanovich, Planner of Bug Bashes Recently, Project Zero researched a popular Android phone, the Samsung Galaxy S6 Edge. We discovered and reported 11 high-impact security issues as a result. This post …

Source post on Google+