Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

ACLU Asks FTC To Force Carriers To 'Patch Or Replace' Android Devices

Soulskill posted about a year ago | from the going-a-bit-far dept.

Android 318

chicksdaddy writes "The American Civil Liberties Union filed a complaint with the U.S. Federal Trade Commission on Wednesday calling on the federal government to take action to stem an epidemic of unpatched and insecure Android mobile devices – declaring the sea of unpatched and vulnerable phones and tablets 'defective and unreasonably dangerous.' The civil liberties group's complaint for injunctive relief with the FTC (PDF), notes that 'major wireless carriers have sold millions of Android smartphones to consumers' but that 'the vast majority of these devices rarely receive software security updates.' The ACLU says carriers leave their customers vulnerable to malware and spear phishing attacks that can be used to record or transmit information on the device to' third parties. 'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers' smartphones by the wireless carriers and their handset manufacturer partners,' the ACLU said. Android devices now account for close to 70 percent of new mobile devices sold. The porous security of many of those devices has become a topic of concern. The latest data from Google highlights the challenge facing the company, with just over 25% of Android users running versions 4.1 or 4.2 – the latest versions of the OS, dubbed 'Jelly Bean,' more than six months after its release. In contrast, 40% of Android users are still running the 'Gingerbread' release – versions 2.3.3 through 2.3.7, a two year-old version of the operating system that has known security vulnerabilities."

cancel ×

318 comments

WARNING ABOUT SLASHDOT ABUSE... apk (-1)

Anonymous Coward | about a year ago | (#43474825)

A corrupt slashdot luser has pentrated the moderation system to downmod all my posts while impersonating me.

Nearly 230++ times that I know of @ this point for all of March/April 2013 so far, & others here have told you to stop - take the hint, lunatic (leave slashdot)...

Sorry folks - but whoever the nutjob is that's attempting to impersonate me, & upset the rest of you as well, has SERIOUS mental issues, no questions asked! I must've gotten the better of him + seriously "gotten his goat" in doing so in a technical debate & his "geek angst" @ losing to me has him doing the:

---

A.) $10,000 challenges, ala (where the imposter actually TRACKED + LISTED the # of times he's done this no less, & where I get the 180 or so times I noted above) -> http://it.slashdot.org/comments.pl?sid=3585795&cid=43285307 [slashdot.org]

&/or

B.) Reposting OLD + possibly altered models - (this I haven't checked on as to altering the veracity of the info. being changed) of posts of mine from the past here

---

(Albeit massively repeatedly thru all threads on /. this March/April 2013 nearly in its entirety thusfar).

* Personally, I'm surprised the moderation staff here hasn't just "blocked out" his network range yet honestly!

(They know it's NOT the same as my own as well, especially after THIS post of mine, which they CAN see the IP range I am coming out of to compare with the ac spamming troll doing the above...).

APK

P.S.=> Again/Stressing it: NO guys - it is NOT me doing it, as I wouldn't waste that much time on such trivial b.s. like a kid might...

Plus, I only post where hosts file usage is on topic or appropriate for a solution & certainly NOT IN EVERY POST ON SLASHDOT (like the nutcase trying to "impersonate me" is doing for nearly all of March/April now, & 230++ times that I know of @ least)... apk

P.S.=> here is CORRECT host file information just to piss off the insane lunatic troll:

--

21++ ADVANTAGES OF CUSTOM HOSTS FILES (how/what/when/where/why):

Over AdBlock & DNS Servers ALONE 4 Security, Speed, Reliability, & Anonymity (to an extent vs. DNSBL's + DNS request logs).

1.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program). A truly "multi-platform" UNIVERSAL solution for added speed, security, reliability, & even anonymity to an extent (vs. DNS request logs + DNSBL's you feel are unjust hosts get you past/around).

2.) Adblock blocks ads? Well, not anymore & certainly not as well by default, apparently, lol - see below:

Adblock Plus To Offer 'Acceptable Ads' Option

http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option [slashdot.org] )

AND, in only browsers & their subprogram families (ala email like Thunderbird for FireFox/Mozilla products (use same gecko & xulrunner engines)), but not all, or, all independent email clients, like Outlook, Outlook Express, OR Window "LIVE" mail (for example(s)) - there's many more like EUDORA & others I've used over time that AdBlock just DOES NOT COVER... period.

Disclaimer: Opera now also has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc..

3.) Adblock doesn't protect email programs external to FF (non-mozilla/gecko engine based) family based wares, So AdBlock doesn't protect email programs like Outlook, Outlook Express, Windows "LIVE" mail & others like them (EUDORA etc./et al), Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 5-7 next below).

5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, OR make you reach them faster since you resolve host-domain names LOCALLY w/ hosts out of cached memory, hosts do ALL of those things (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html [networkworld.com] for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions (in-addr.arpa) via NSLOOKUP, PINGS (ping -a in Windows), &/or WHOIS though, regularly, so you have the correct IP & it's current)).

* NOW - Some folks MAY think that putting an IP address alone into your browser's address bar will be enough, so why bother with HOSTS, right? WRONG - Putting IP address in your browser won't always work IS WHY. Some IP adresses host several domains & need the site name to give you the right page you're after is why. So for some sites only the HOSTS file option will work!

6.) Hosts files don't eat up CPU cycles (or ELECTRICITY) like AdBlock does while it parses a webpages' content, nor as much as a DNS server does while it runs. HOSTS file are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY than any ring 3/rpl3/usermode app can since hosts files run in MORE EFFICIENT & FASTER Ring 0/RPL 0/Kernelmode operations acting merely as a filter for the IP stack (via the "Plug-N-Play" designed IP stack in Windows) vs. SLOWER & LESS EFFICIENT Ring 3/RPL 3/Usermode operations (which webbrowsers run in + their addons like AdBlock slow down even MORESO due to their parsing operations).

7.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than remote DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server, typically 30-100's of ms, vs. 7-10ms HardDisk speed of access/seek + SSD seek in ns, & back to you - hosts resolutions of IP address for host-domain names is FAR faster...). Hosts are only a filter for an already fast & efficient IP stack, no more layered b.s. (remote OR local). Hosts eat less CPU, RAM, I/O in other forms, + electricity than a locally running DNS server easily, and less than a local DNS program on a single PC. Fact. Hosts are easier to setup & maintain too.

8.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:

GOOD INFORMATION ON MALWARE BEHAVIOR LISTING BOTNET C&C SERVERS + MORE (AS WELL AS REMOVAL LISTS FOR HOSTS):

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]
  http://someonewhocares.org/hosts/ [someonewhocares.org]
  http://hostsfile.org/hosts.html [hostsfile.org]
  http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
  http://hosts-file.net/?s=Download [hosts-file.net]
  https://zeustracker.abuse.ch/monitor.php?filter=online [abuse.ch]
  https://spyeyetracker.abuse.ch/monitor.php [abuse.ch]
  http://ddanchev.blogspot.com/ [blogspot.com]
  http://www.malware.com.br/lists.shtml [malware.com.br]
  http://www.stopbadware.org/ [stopbadware.org]
Spybot "Search & Destroy" IMMUNIZE feature (fortifies HOSTS files with KNOWN bad servers blocked)

And yes: Even SLASHDOT &/or The Register help!

(Via articles on security (when the source articles they use are "detailed" that is, & list the servers/sites involved in attempting to bushwhack others online that is... not ALL do!)).

2 examples thereof in the past I have used, & noted it there, are/were:

http://it.slashdot.org/comments.pl?sid=1898692&cid=34473398 [slashdot.org]
  http://it.slashdot.org/comments.pl?sid=1896216&cid=34458500 [slashdot.org]

9.) AdBlock & DNS servers are programs, and subject to bugs programs can get. Hosts files are merely a filter and not a program, thus not subject to bugs of the nature just discussed.

10.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs. things like the Chinese are doing to DNS -> http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

11.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)

12.) With Adblock you had better be able to code javascript to play with its code (to customize it better than the GUI front does @ least). With hosts you don't even need source to control it (edit, update, delete, insert of new entries via a text editor).

13.) Hosts files are easily secured via using MAC/ACL (even moreso "automagically" for Vista, 7/Server 2008 + beyond by UAC by default) &/or Read-Only attributes applied.

14.) Custom HOSTS files also speed you up, unlike anonymous proxy servers systems variations (like TOR, or other "highly anonymous" proxy server list servers typically do, in the severe speed hit they often have a cost in) either via "hardcoding" your fav. sites into your hosts file (avoids DNS servers, totally) OR blocking out adbanners - see this below for evidence of that:

---

US Military Blocks Websites To Free Up Bandwidth:

http://yro.slashdot.org/story/11/03/16/0416238/US-Military-Blocks-Websites-To-Free-Up-Bandwidth [slashdot.org]

(Yes, even the US Military used this type of technique... because IT WORKS! Most of what they blocked? Ad banners ala doubleclick etc.)

---

Adbanners slow you down & consume your bandwidth YOU pay for:

ADBANNERS SLOW DOWN THE WEB: -> http://tech.slashdot.org/article.pl?sid=09/11/30/166218 [slashdot.org]

---

And people do NOT LIKE ads on the web:

PEOPLE DISLIKE ADBANNERS: http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

As well as this:

Users Know Advertisers Watch Them, and Hate It:

http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

Even WORSE still, is this:

Advertising Network Caught History Stealing:

http://yro.slashdot.org/story/11/07/22/156225/Advertising-Network-Caught-History-Stealing [slashdot.org]

---

15.) HOSTS files usage lets you avoid being charged on some ISP/BSP's (OR phone providers) "pay as you use" policy http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] , because you are using less bandwidth (& go faster doing so no less) by NOT hauling in adbanner content and processing it (which can lead to infestation by malware/malicious script, in & of itself -> http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com] ).

16.) If/when ISP/BSP's decide to go to -> FCC Approving Pay-As-You-Go Internet Plans: http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] your internet bill will go DOWN if you use a HOSTS file for blocking adbanners as well as maliciously scripted hacker/cracker malware maker sites too (after all - it's your money & time online downloading adbanner content & processing it)

Plus, your adbanner content? Well, it may also be hijacked with malicious code too mind you:

---

Yahoo, Microsoft's Bing display toxic ads:

http://www.theregister.co.uk/2011/09/16/bing_yahoo_malware_ads/ [theregister.co.uk]

---

Malware torrent delivered over Google, Yahoo! ad services:

http://www.theregister.co.uk/2009/09/24/malware_ads_google_yahoo/ [theregister.co.uk]

---

Google's DoubleClick spreads malicious ads (again):

http://www.theregister.co.uk/2009/02/24/doubleclick_distributes_malware/ [theregister.co.uk]

---

Rogue ads infiltrate Expedia and Rhapsody:

http://www.theregister.co.uk/2008/01/30/excite_and_rhapsody_rogue_ads/ [theregister.co.uk]

---

Google sponsored links caught punting malware:

http://www.theregister.co.uk/2008/12/16/google_sponsored_links/ [theregister.co.uk]

---

DoubleClick caught supplying malware-tainted ads:

http://www.theregister.co.uk/2007/11/13/doubleclick_distributes_malware/ [theregister.co.uk]

---

Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users:

http://www.theregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/ [theregister.co.uk]

---

Real Media attacks real people via RealPlayer:

http://www.theregister.co.uk/2007/10/23/real_media_serves_malware/ [theregister.co.uk]

---

Ad networks owned by Google, Microsoft serve malware:

http://www.theregister.co.uk/2010/12/13/doubleclick_msn_malware_attacks/ [theregister.co.uk]

---

Attacks Targeting Classified Ad Sites Surge:

http://it.slashdot.org/story/11/02/02/1433210/Attacks-Targeting-Classified-Ad-Sites-Surge [slashdot.org]

---

Hackers Respond To Help Wanted Ads With Malware:

http://it.slashdot.org/story/11/01/20/0228258/Hackers-Respond-To-Help-Wanted-Ads-With-Malware [slashdot.org]

---

Hackers Use Banner Ads on Major Sites to Hijack Your PC:

http://www.wired.com/techbiz/media/news/2007/11/doubleclick [wired.com]

---

Ruskie gang hijacks Microsoft network to push penis pills:

http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/ [theregister.co.uk]

---

Major ISPs Injecting Ads, Vulnerabilities Into Web:

http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

Two Major Ad Networks Found Serving Malware:

http://tech.slashdot.org/story/10/12/13/0128249/Two-Major-Ad-Networks-Found-Serving-Malware [slashdot.org]

---

THE NEXT AD YOU CLICK MAY BE A VIRUS:

http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus [slashdot.org]

---

NY TIMES INFECTED WITH MALWARE ADBANNER:

http://news.slashdot.org/article.pl?sid=09/09/13/2346229 [slashdot.org]

---

MICROSOFT HIT BY MALWARES IN ADBANNERS:

http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com]

---

ISP's INJECTING ADS AND ERRORS INTO THE WEB: -> http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

ADOBE FLASH ADS INJECTING MALWARE INTO THE NET: http://it.slashdot.org/article.pl?sid=08/08/20/0029220&from=rss [slashdot.org]

---

London Stock Exchange Web Site Serving Malware:

http://www.securityweek.com/london-stock-exchange-web-site-serving-malware [securityweek.com]

---

Spotify splattered with malware-tainted ads:

http://www.theregister.co.uk/2011/03/25/spotify_malvertisement_attack/ [theregister.co.uk]

---

As my list "multiple evidences thereof" as to adbanners & viruses + the fact they slow you down & cost you more (from reputable & reliable sources no less)).

17.) Per point #16, a way to save some money: ANDROID phones can also use the HOSTS FILE TO KEEP DOWN BILLABLE TIME ONLINE, vs. adbanners or malware such as this:

---

Infected Androids Run Up Big Texting Bills:

http://it.slashdot.org/story/11/03/01/0041203/Infected-Androids-Run-Up-Big-Texting-Bills [slashdot.org]

---

AND, for protection vs. other "botnets" migrating from the PC world, to "smartphones" such as ZITMO (a ZEUS botnet variant):

http://www.google.com/search?hl=en&source=hp&q=ZITMO&btnG=Google+Search [google.com]

---

It's easily done too, via the ADB dev. tool, & mounting ANDROID OS' system mountpoint for system/etc as READ + WRITE/ADMIN-ROOT PERMISSIONS, then copying your new custom HOSTS over the old one using ADB PULL/ADB PUSH to do so (otherwise ANDROID complains of "this file cannot be overwritten on production models of this Operating System", or something very along those lines - this way gets you around that annoyance along with you possibly having to clear some space there yourself if you packed it with things!).

18.) Bad news: ADBLOCK CAN BE DETECTED FOR: See here on that note -> http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

HOSTS files are NOT THAT EASILY "webbug" BLOCKABLE by websites, as was tried on users by ARSTECHNICA (and it worked on AdBlock in that manner), to that websites' users' dismay:

PERTINENT QUOTE/EXCERPT FROM ARSTECHNICA THEMSELVES:

----

An experiment gone wrong - By Ken Fisher | Last updated March 6, 2010 11:11 AM

http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

"Starting late Friday afternoon we conducted a 12 hour experiment to see if it would be possible to simply make content disappear for visitors who were using a very popular ad blocking tool. Technologically, it was a success in that it worked. Ad blockers, and only ad blockers, couldn't see our content."

and

"Our experiment is over, and we're glad we did it because it led to us learning that we needed to communicate our point of view every once in a while. Sure, some people told us we deserved to die in a fire. But that's the Internet!"

Thus, as you can see? Well - THAT all "went over like a lead balloon" with their users in other words, because Arstechnica was forced to change it back to the old way where ADBLOCK still could work to do its job (REDDIT however, has not, for example). However/Again - this is proof that HOSTS files can still do the job, blocking potentially malscripted ads (or ads in general because they slow you down) vs. adblockers like ADBLOCK!

----

19.) Even WIKILEAKS "favors" blacklists (because they work, and HOSTS can be a blacklist vs. known BAD sites/servers/domain-host names):

---

PERTINENT QUOTE/EXCERPT (from -> http://www.theregister.co.uk/2010/12/16/wikileaks_mirror_malware_warning_row/ [theregister.co.uk] )

"we are in favour of 'Blacklists', be it for mail servers or websites, they have to be compiled with care... Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser)...

---

20.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privlege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own (such as has been seen with the RBN (Russian Business Network) lately though it was considered "dead", other malwares are using its domains/hostnames now, & this? This stops that cold, too - Bonus!)...

21.) Custom HOSTS files gain users back more "screen real estate" by blocking out banner ads... it's great on PC's for speed along with MORE of what I want to see/read (not ads), & efficiency too, but EVEN BETTER ON SMARTPHONES - by far. It matters MOST there imo @ least, in regards to extra screen real-estate.

Still - It's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock ( http://adblockplus.org/en/ [adblockplus.org] ), IE 9's new TPL's ( http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/ [microsoft.com] ), &/or NoScript ( http://noscript.net/ [noscript.net] especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security"....

It's just that HOSTS files offer you a LOT MORE gains than Adblock ( http://adblockplus.org/en/ [adblockplus.org] ) does alone (as hosts do things adblock just plain cannot & on more programs, for more speed, security, and "stealth" to a degree even), and it corrects problems in DNS (as shown above via hardcodes of your favorite sites into your HOSTS file, and more (such as avoiding DNS request logs)).

ALSO - Some more notes on DNS servers & their problems, very recent + ongoing ones:

---

DNS flaw reanimates slain evil sites as ghost domains:

http://www.theregister.co.uk/2012/02/16/ghost_domains_dns_vuln/ [theregister.co.uk]

---

BIND vs. what the Chinese are doing to DNS lately? See here:

http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

---

SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:

http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/ [theregister.co.uk]

(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propogate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)

---

DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):

http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/ [scmagazineus.com]

(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)

---

Moxie Marlinspike's found others (0 hack) as well...

Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...

(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even NORTON DNS (more on each specifically below), & because I cannot "cache the entire internet" in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to "fix immediately", per the Kaminsky flaw, in fact... just as a sort of reference to how WELL they are maintained really!)

---

DNS Hijacks Now Being Used to Serve Black Hole Exploit Kit:

https://threatpost.com/en_us/blogs/dns-hijacks-now-being-used-serve-black-hole-exploit-kit-121211 [threatpost.com]

---

DNS experts admit some of the underlying foundations of the DNS protocol are inherently weak:

http://it.slashdot.org/story/11/12/08/1353203/opendns-releases-dns-encryption-tool [slashdot.org]

---

Potential 0-Day Vulnerability For BIND 9:

http://it.slashdot.org/story/11/11/17/1429259/potential-0-day-vulnerability-for-bind-9 [slashdot.org]

---

Five DNS Threats You Should Protect Against:

http://www.securityweek.com/five-dns-threats-you-should-protect-against [securityweek.com]

---

DNS provider decked by DDoS dastards:

http://www.theregister.co.uk/2010/11/16/ddos_on_dns_firm/ [theregister.co.uk]

---

Ten Percent of DNS Servers Still Vulnerable: (so much for "conscientious patching", eh? Many DNS providers weren't patching when they had to!)

http://it.slashdot.org/it/05/08/04/1525235.shtml?tid=172&tid=95&tid=218 [slashdot.org]

---

DNS ROOT SERVERS ATTACKED:

http://it.slashdot.org/it/07/02/06/2238225.shtml [slashdot.org]

---

TimeWarner DNS Hijacking:

http://tech.slashdot.org/article.pl?sid=07/07/23/2140208 [slashdot.org]

---

DNS Re-Binding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

---

DNS Server Survey Reveals Mixed Security Picture:

http://it.slashdot.org/it/07/11/21/0315239.shtml [slashdot.org]

---

Halvar figured out super-secret DNS vulnerability:

http://www.zdnet.com/blog/security/has-halvar-figured-out-super-secret-dns-vulnerability/1520 [zdnet.com]

---

BIND Still Susceptible To DNS Cache Poisoning:

http://tech.slashdot.org/tech/08/08/09/123222.shtml [slashdot.org]

---

DNS Poisoning Hits One of China's Biggest ISPs:

http://it.slashdot.org/it/08/08/21/2343250.shtml [slashdot.org]

---

DDoS Attacks Via DNS Recursion:

http://it.slashdot.org/it/06/03/16/1658209.shtml [slashdot.org]

---

High Severity BIND DNS Vulnerability Advisory Issued:

http://tech.slashdot.org/story/11/02/23/156212/High-Severity-BIND-Vulnerability-Advisory-Issued [slashdot.org]

---

Photobucketâ(TM)s DNS records hijacked:

http://blogs.zdnet.com/security/?p=1285 [zdnet.com]

---

Protecting Browsers from DNS Rebinding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

---

DNS Problem Linked To DDoS Attacks Gets Worse:

http://tech.slashdot.org/story/09/11/15/1238210/DNS-Problem-Linked-To-DDoS-Attacks-Gets-Worse [slashdot.org]

---

HOWEVER - Some DNS servers are "really good stuff" vs. phishing, known bad sites/servers/hosts-domains that serve up malware-in-general & malicious scripting, botnet C&C servers, & more, such as:

Norton DNS -> http://nortondns.com/ [nortondns.com]
  ScrubIT DNS -> http://www.scrubit.com/ [scrubit.com]
  OpenDNS -> http://www.opendns.com/ [opendns.com]

(Norton DNS in particular, is exclusively for blocking out malware, for those of you that are security-conscious. ScrubIT filters pr0n material too, but does the same, & OpenDNS does phishing protection. Each page lists how & why they work, & why they do so. Norton DNS can even show you its exceptions lists, plus user reviews & removal procedures requests, AND growth stats (every 1/2 hour or so) here -> http://safeweb.norton.com/buzz [norton.com] so, that ought to "take care of the naysayers" on removal requests, &/or methods used plus updates frequency etc./et al...)

HOWEVER - There's ONLY 1 WEAKNESS TO ANY network defense, including HOSTS files (vs. host-domain name based threats) & firewalls (hardware router type OR software type, vs. IP address based threats): Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... & there is NOTHING I can do about that! (Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")

HOWEVER AGAIN - That's where NORTON DNS, OpenDNS, &/or ScrubIT DNS help!

(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)

ScrubIT DNS, &/or OpenDNS are others alongside Norton DNS (adding on phishing protection too) as well!

( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...

---

20++ SLASHDOT USERS EXPERIENCING SUCCESS USING HOSTS FILES QUOTED VERBATIM:

---

"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

"I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363) Homepage Journal

"I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out. some sites load up faster." - by gl4ss (559668) on Thursday November 17, @11:20AM (#38086752) Homepage Journal

"Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] " - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

"^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)

"They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)

"I'm currently only using my hosts file to block pheedo ads from showing up in my RSS feeds and causing them to take forever to load. Regardless of its original intent, it's still a valid tool, when used judiciously." - by Bill Dog (726542) on Monday April 25, @02:16AM (#35927050) Homepage Journal

"you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage

"APK's monolithic hosts file is looking pretty good at the moment." - by Culture20 (968837) on Thursday November 17, @10:08AM (#38085666)

"I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)

"I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)

"I do use Hosts, for a couple fake domains I use." - by icebraining (1313345) on Saturday December 11, @09:34AM (#34523012) Homepage

"It's a good write up on something everybody should use, why you were modded down is beyond me. Using a HOSTS file, ADblock is of no concern and they can do what they want." - by Trax3001BBS (2368736) on Monday December 12, @10:07PM (#38351398) Homepage Journal

"I want my surfing speed back so I block EVERY fucking ad. i.e. http://someonewhocares.org/hosts/ [someonewhocares.org] and http://winhelp2002.mvps.org/hosts.htm [mvps.org] FTW" - by UnknownSoldier (67820) on Tuesday December 13, @12:04PM (#38356782)

"Let me introduce you to the file: /etc/hosts" - by fahrbot-bot (874524) on Monday December 19, @05:03PM (#38427432)

"I use a hosts file" - by EdIII (1114411) on Tuesday December 13, @01:17PM (#38357816)

"I'm tempted to go for a hacked hosts file that simply resolves most advert sites to 127.0.0.1" - by bLanark (123342) on Tuesday December 13, @01:13PM (#38357760)

"this is not a troll, which hosts file source you recommend nowadays? it's a really handy method for speeding up web and it works." - by gl4ss (559668) on Thursday March 22, @08:07PM (#39446525) Homepage Journal

"A hosts file certainly does not require "a lot of work" to maintain, and it quite effectively kills a LOT of advertising and tracking schemes. . In fact, I never would have considered trying to use it for ddefending against viruses or malware." - by RocketRabbit (830691) on Thursday December 30 2010, @05:48PM (#34715060)

---

Then, there is also the words of respected security expert, Mr. Oliver Day, from SECURITYFOCUS.COM to "top that all off" as well:

A RETURN TO THE KILLFILE:

http://www.securityfocus.com/columnists/491 [securityfocus.com]

Some "PERTINENT QUOTES/EXCERPTS" to back up my points with (for starters):

---

"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet -- particularly browsing the Web -- is actually faster now."

Speed, and security, is the gain... others like Mr. Day note it as well!

---

"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

Per my points exactly, no less... & guess who was posting about HOSTS files a 14++ yrs. or more back & Mr. Day was reading & now using? Yours truly (& this is one of the later ones, from 2001 http://www.furtherleft.net/computer.htm [furtherleft.net] (but the example HOSTS file with my initials in it is FAR older, circa 1998 or so) or thereabouts, and referred to later by a pal of mine who moderates NTCompatible.com (where I posted on HOSTS for YEARS (1997 onwards)) -> http://www.ntcompatible.com/thread28597-1.html [ntcompatible.com] !

---

"Shared host files could be beneficial for other groups as well. Human rights groups have sought after block resistant technologies for quite some time. The GoDaddy debacle with NMap creator Fyodor (corrected) showed a particularly vicious blocking mechanism using DNS registrars. Once a registrar pulls a website from its records, the world ceases to have an effective way to find it. Shared host files could provide a DNS-proof method of reaching sites, not to mention removing an additional vector of detection if anyone were trying to monitor the use of subversive sites. One of the known weaknesses of the Tor system, for example, is direct DNS requests by applications not configured to route such requests through Tor's network."

There you go: AND, it also works vs. the "KAMINSKY DNS FLAW" & DNS poisoning/redirect attacks, for redirectable weaknesses in DNS servers (non DNSSEC type, & set into recursive mode especially) and also in the TOR system as well (that lends itself to anonymous proxy usage weaknesses I noted above also) and, you'll get to sites you want to, even IF a DNS registrar drops said websites from its tables as shown here Beating Censorship By Routing Around DNS -> http://yro.slashdot.org/story/10/12/09/1840246/Beating-Censorship-By-Routing-Around-DNS [slashdot.org] & even DNSBL also (DNS Block Lists) -> http://en.wikipedia.org/wiki/DNSBL [wikipedia.org] as well - DOUBLE-BONUS!

---

* POSTS ABOUT HOSTS FILES I DID on "/." THAT HAVE DONE WELL BY OTHERS & WERE RATED HIGHLY, 26++ THUSFAR (from +3 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

BANNER ADS & BANDWIDTH:2011 -> http://hardware.slashdot.org/comments.pl?sid=2139088&cid=36077722 [slashdot.org]
  HOSTS MOD UP:2010 -> http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608 [slashdot.org]
  HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1490078&cid=30555632 [slashdot.org]
  HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1869638&cid=34237268 [slashdot.org]
  HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1461288&threshold=-1&commentsort=0&mode=thread&cid=30272074 [slashdot.org]
  HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1255487&cid=28197285 [slashdot.org]
  HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983 [slashdot.org]
  HOSTS MOD UP:2010 -> http://apple.slashdot.org/comments.pl?sid=1725068&cid=32960808 [slashdot.org]
  HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33147274 [slashdot.org]
  APK 20++ POINTS ON HOSTS MOD UP:2010 -> http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182 [slashdot.org]
  HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1862260&cid=34186256 [slashdot.org]
  HOSTS MOD UP:2010 (w/ facebook known bad sites blocked) -> http://tech.slashdot.org/comments.pl?sid=1924892&cid=34670128 [slashdot.org]
  HOSTS FILE MOD UP FOR ANDROID MALWARE:2010 -> http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952 [slashdot.org]
  HOSTS MOD UP ZEUSTRACKER:2011 -> http://it.slashdot.org/comments.pl?sid=2059420&cid=35654066 [slashdot.org]
  HOSTS MOD UP vs AT&T BANDWIDTH CAP:2011 -> http://tech.slashdot.org/comments.pl?sid=2116504&cid=35985584 [slashdot.org]
  HOSTS MOD UP CAN DO SAME AS THE "CloudFlare" Server-Side service:2011 -> http://it.slashdot.org/comments.pl?sid=2220314&cid=36372850 [slashdot.org]
  HOSTS and BGP +5 RATED (BEING HONEST):2010 http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450 [slashdot.org]
  HOSTS & PROTECT IP ACT:2011 http://yro.slashdot.org/comments.pl?sid=2368832&cid=37021700 [slashdot.org]
  HOSTS MOD UP:2011 -> http://yro.slashdot.org/comments.pl?sid=2457766&cid=37592458 [slashdot.org]
  HOSTS MOD UP & OPERA HAUTE SECURE:2011 -> http://yro.slashdot.org/comments.pl?sid=2457274&cid=37589596 [slashdot.org]
  0.0.0.0 in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1197039&cid=27556999 [slashdot.org]
  0.0.0.0 IN HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1143349&cid=27012231 [slashdot.org]
  0.0.0.0 in HOSTS:2009 -> http://it.slashdot.org/comments.pl?sid=1198841&cid=27580299 [slashdot.org]
  0.0.0.0 in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1139705&cid=26977225 [slashdot.org]
  HOSTS MOD UP:2009 -> http://hardware.slashdot.org/comments.pl?sid=1319261&cid=28872833 [slashdot.org] (still says INSIGHTFUL)
  HOSTS MOD UP vs. botnet: 2012 -> http://it.slashdot.org/comments.pl?sid=2603836&cid=38586216 [slashdot.org]

---

Windows 7, VISTA, & Server 2008 have a couple of "issues" I don't like in them, & you may not either, depending on your point of view (mine's based solely on efficiency & security), & if my take on these issues aren't "good enough"? I suggest reading what ROOTKIT.COM says, link URL is in my "p.s." @ the bottom of this post:

1.) HOSTS files being unable to use "0" for a blocking IP address - this started in 12/09/2008 after an "MS Patch Tuesday" in fact for VISTA (when it had NO problem using it before that, as Windows 2000/XP/Server 2003 still can)... & yes, this continues in its descendants, Windows Server 2008 &/or Windows 7 as well.

So, why is this a "problem" you might ask?

Ok - since you can technically use either:

a.) 127.0.0.1 (the "loopback adapter address")
b.) 0.0.0.0 (next smallest & next most efficient)
c.) The smallest & fastest plain-jane 0

PER EACH HOSTS FILE ENTRY/RECORD...

You can use ANY of those, in order to block out known bad sites &/or adbanners in a HOSTS file this way??

Microsoft has "promoted bloat" in doing so... no questions asked.

Simply because

1.) 127.0.0.1 = 9 bytes in size on disk & is the largest/slowest
2.) 0.0.0.0 = 7 bytes & is the next largest/slowest in size on disk
3.) 0 = 1 byte

(& HOSTS files extend across EVERY webbrowser, email program, or in general every webbound program you use & thus HOSTS are "global" in coverage this way AND function on any OS that uses the BSD derived IP stack (which most all do mind you, even MS is based off of it, as BSD's IS truly, "the best in the business"), & when coupled with say, IE restricted zones, FireFox addons like NoScript &/or AdBlock, or Opera filter.ini/urlfilter.ini, for layered security in this capacity for webbrowsers & SOME email programs (here, I mean ones "built into" browsers themselves like Opera has for example))

MS has literally promoted bloat in this file, making it load slower from disk, into memory! This compounds itself, the more entries your HOSTS file contains... & for instance? Mine currently contains nearly 654,000 entries of known bad adbanners, bad websites, &/or bad nameservers (used for controlling botnets, misdirecting net requests, etc. et al).

Now, IF I were to use 127.0.0.1? My "huge" HOSTS file would be approximately 27mb in size... using 0.0.0.0 (next smallest) it would be 19mb in size - HOWEVER? Using 0 as my blocking IP, it is only 14mb in size. See my point?

(For loads either in the local DNS cache, or system diskcache if you run w/out the local DNS client service running, this gets slower the larger each HOSTS file entry is (which you have to stall the DNS client service in Windows for larger ones, especially if you use a "giant HOSTS file" (purely relative term, but once it goes over (iirc) 4mb in size, you have to cut the local DNS cache client service)))

NO questions asked - the physics of it backed me up in theory alone, but when I was questioned on it for PROOF thereof?

I wrote a small test program to load such a list into a "pascal record" (which is analagous to a C/C++ structure), which is EXACTLY what the DNS client/DNS API does as well, using a C/C++ structure (basically an array of sorts really, & a structure/record is a precursor part to a full-blown CLASS or OBJECT, minus the functions built in, this is for treating numerous variables as a SINGLE VARIABLE (for efficiency, which FORTRAN as a single example, lacks as a feature, @ least Fortran 77 did, but other languages do not))!

I even wrote another that just loaded my HOSTS file's entirety into a listbox, same results... slowest using 127.0.0.1, next slowest using 0.0.0.0, & fastest using 0.

And, sure: Some MORE "goes on" during DNS API loads (iirc, removal of duplicated entries (which I made sure my personal copy does not have these via a program I wrote to purge it of duplicated entries + to sort each entry alphabetically for easier mgt. via say, notepad.exe) & a conversion from decimal values to hex ones), but, nevertheless? My point here "holds true", of slower value loads, record-by-record, from a HOSTS file, when the entries become larger.

So, to "prove my point" to my naysayers?

I timed it using the Win32 API calls "GetTickCount" & then again, using the API calls of "QueryPerformanceCounter" as well, seeing the SAME results (a slowdown when reading in this file from disk, especially when using the larger 127.0.0.1 or 0.0.0.0 line item entries in a HOSTS file, vs. the smaller/faster/more efficient 0).

In my test, I saw a decline in speed/efficiency in my test doing so by using larger blocking addresses (127.0.0.1 &/or 0.0.0.0, vs. the smallest/fastest in 0)... proving me correct on this note!

On this HOSTS issue, and the WFP design issue in my next post below?

I also then questioned MS' own staff, even their VP of development (S. Sinofsky) on this here -> http://blogs.msdn.com/e7/archive/2009/02/09/recognizing-improvements-in-windows-7-handwriting.aspx?CommentPosted=true#commentmessage [msdn.com] & other places in their blogs, to get them to tell me WHY this seemingly intentional inefficiency was implemented... & I have YET to get a solid LOGICAL answer on this as to why it was done - THUS, @ this point?

I am convinced they (MS) do NOT have a good reason for doing this... because of their lack of response there on this note. Unless it has something to do with IPv6 (most folks use IPv4 still), I cannot understand WHY this design mistake imo, has occurred, in HOSTS files...

AND

2.) The "Windows Filtering Platform", which is now how the firewall works in VISTA, Server 2008, & Windows 7...

Sure it works in this new single point method & it is simple to manage & "sync" all points of it, making it easier for network techs/admins to manage than the older 3 part method, but that very thing works against it as well, because it is only a single part system now!

Thus, however?

This "single layer design" in WFP, now represents a SINGLE POINT OF FAILURE/ATTACK for malware makers to 'take down'!

(Which is 1 of the 1st things a malware attempts to do, is to take down any software firewalls present, or even the "Windows Security Center" itself which should warn you of the firewall "going down", & it's fairly easy to do either by messaging the services they use, or messing up their registry init. settings)

VS. the older (up to) 3 part method used in Windows 2000/XP/Server 2003, for protecting a system via IP Filtering, the Windows native Firewall, &/or IPSEC. Each of which uses diff. drivers, & layers of the IP stack to function from, as well as registry initialization settings.

Think of the older 3 part design much the same as the reason why folks use door handle locks, deadbolt locks, & chain locks on their doors... multipart layered security.

(Each of which the latter older method used, had 3 separate drivers & registry settings to do their jobs, representing a "phalanx like"/"zone defense like" system of backup of one another (like you see in sports OR ancient wars, and trust me, it WORKS, because on either side of yourself, you have "backup", even if YOU "go down" vs. the opponent)).

I.E.-> Take 1 of the "older method's" 3 part defenses down? 2 others STILL stand in the way, & they are not that simple to take them ALL down...

(Well, @ least NOT as easily as "taking out" a single part defensive system like WFP (the new "Windows Filtering Platform", which powers the VISTA, Windows Server 2008, & yes, Windows 7 firewall defense system)).

On this "single-part/single-point of attack" WFP (vs. Windows 2000/XP/Server 2003's IP stack defense design in 3-part/zone defense/phalanx type arrangement) as well as the HOSTS issue in my post above?

I also then questioned MS' own staff, even their VP of development (S. Sinofsky) on this here -> http://blogs.msdn.com/e7/archive/2009/02/09/recognizing-improvements-in-windows-7-handwriting.aspx?CommentPosted=true#commentmessage [msdn.com] & other places in their blogs, to get them to tell me WHY this seemingly intentional inefficiency was implemented... & I have YET to get a solid LOGICAL answer on this as to why it was done - THUS, @ this point?

I'll stick to my thoughts on it, until I am shown otherwise & proven wrong.

----

Following up on what I wrote up above, so those here reading have actual technical references from Microsoft themselves ("The horses' mouth"), in regards to the Firewall/PortFilter/IPSec designs (not HOSTS files, that I am SURE I am correct about, no questions asked) from my "Point #2" above?

Thus, I'll now note how:

----

1.) TCP/IP packet processing paths differences between in how Windows 2000/XP/Server 2003 did it (IPSEC.SYS (IP Security Policies), IPNAT.SYS (Windows Firewall), IPFLTDRV.SYS (Port Filtering), & TCPIP.SYS (base IP driver))...

2.) AND, how VISTA/Server 2008/Windows 7 do it now currently, using a SINGLE layer (WFP)...

----

First off, here is HOW it worked in Windows 2000/XP/Server 2003 - using 3 discrete & different drivers AND LEVELS/LAYERS of the packet processing path they worked in:

http://technet.microsoft.com/en-us/library/bb878072.aspx [microsoft.com]

The Cable Guy - June 2005: TCP/IP Packet Processing Paths

====

The following components process IP packets:

IP forwarding Determines the next-hop interface and address for packets being sent or forwarded.

TCP/IP filtering Allows you to specify by IP protocol, TCP port, or UDP port, the types of traffic that are acceptable for incoming local host traffic (packets destined for the host). You can configure TCP/IP filtering on the Options tab from the advanced properties of the Internet Protocol (TCP/IP) component in the Network Connections folder.

* "Here endeth the lesson..." and, if you REALLY want to secure your system? Please refer to this:

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

APK [mailto]

P.S.=> SOME MINOR "CAVEATS/CATCH-22's" - things to be aware of for "layered security" + HOSTS file performance - easily overcome, or not a problem at all:

A.) HOSTS files don't function under PROXY SERVERS (except for Proximitron, which has a filter that allows it) - Which is *the "WHY"* of why I state in my "P.S." section below to use both AdBlock type browser addon methods (or even built-in block lists browsers have such as Opera's URLFILTER.INI file, & FireFox has such as list as does IE also in the form of TPL (tracking protection lists -> http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/ [microsoft.com] , good stuff )) in combination with HOSTS, for the best in "layered security" (alongside .pac files + custom cascading style sheets that can filter off various tags such as scripts or ads etc.) - but proxies, especially "HIGHLY ANONYMOUS" types, generally slow you down to a CRAWL online (& personally, I cannot see using proxies "for the good" typically - as they allow "truly anonymous posting" & have bugs (such as TOR has been shown to have & be "bypassable/traceable" via its "onion routing" methods)).

B.) HOSTS files do NOT protect you vs. javascript (this only holds true IF you don't already have a bad site blocked out in your HOSTS file though, & the list of sites where you can obtain such lists to add to your HOSTS are above (& updated daily in many of them)).

C.) HOSTS files (relatively "largish ones") require you to turn off Windows' native "DNS local client cache service" (which has a problem in that it's designed with a non-redimensionable/resizeable list, array, or queue (DNS data loads into a C/C++ structure actually/afaik, which IS a form of array)) - mvps.org covers that in detail and how to easily do this in Windows (this is NOT a problem in Linux, & it's 1 thing I will give Linux over Windows, hands-down). Relatively "smallish" HOSTS files don't have this problem (mvps.org offers 2 types for this).

D.) HOSTS files, once read/loaded, once? GET CACHED! Right into the kernelmode diskcaching subsystem (fast & efficient RAM speed), for speed of access/re-access (@ system startup in older MS OS' like 2000, or, upon a users' 1st request that's "Webbound" via say, a webbrowser) gets read into either the DNS local caching client service (noted above), OR, if that's turned off? Into your local diskcac

Lithium (2, Funny)

Anonymous Coward | about a year ago | (#43474893)

Dude, you really need to get your Lithium prescription refilled!

Re:WARNING ABOUT SLASHDOT ABUSE... apk (0)

Anonymous Coward | about a year ago | (#43475209)

Ok... this is flat out wrong. DNS resolution is not performed in kernel/ring 0, it's performed in libc (unix) or a DLL on Windows. Think of how many BIND or Microsoft DNS bugs there have been. Do you want that in the kernel?

Second issue - the BSD DNS resolver does not cache the hosts file. Every time you do a DNS lookup, it opens the file, scans it line-by-line, and then closes it. In Windows, if you're running the DNS client, it will load and parse the hosts file (and reload when it changes). If the DNS client is not running, it loads and parses the hosts file every time you resolve an address.

Not Owning Your Hardware... (5, Informative)

Anonymous Coward | about a year ago | (#43474837)

I think this shows one of the greatest flaws in the not owning your hardware debate. What happens when you the company that owns it simply gives up on support??? You're left holding the bag but can't change it's content.

Re:Not Owning Your Hardware... (1, Insightful)

Anonymous Coward | about a year ago | (#43474923)

It all depends on the contract or EULA that you agreed to when purchasing the phone.

On the flip side of this issue is the US Government declaring it a crime to root your own phone (you know, the one you bought and paid for even if it was via ridiculous "subsidized" monthly fees from your US carrier). You're not allowed to upgrade it or you're a criminal, so you're at the mercy of criminals and carriers (who are their own type of criminals).

Re:Not Owning Your Hardware... (1)

Anonymous Coward | about a year ago | (#43475279)

Technically speaking, you don't need to root your Android device as long as it has a bootloader you can use.

Remember, Root is like admin access, and locked bootloader is UEFI.

If you install an OS that provides root -- like Windows -- (instead of hacking the existing software), that is not illegal.

Re:Not Owning Your Hardware... (1)

FuzzNugget (2840687) | about a year ago | (#43475393)

Wait, what? Are you sure "unlocking" doesn't actually refer to the cellular communication and not the operating system? They're completely different things.

Criminalizing either one is asinine, but at least locking the communication system to one carrier during the contract period makes an ever-so-slight amount of sense.

But We Are Open - We are Google - We are Good (-1, Troll)

BoRegardless (721219) | about a year ago | (#43474845)

Yeah, I know our stock is down near $12 right now, but that's nothing...

Re:But We Are Open - We are Google - We are Good (1)

h4rr4r (612664) | about a year ago | (#43474881)

The google branded devices are going to be the up to date ones. The other brands and especially the carrier specific devices are what is out of date.

Re:But We Are Open - We are Google - We are Good (1)

the eric conspiracy (20178) | about a year ago | (#43475207)

This is one of the reasons I recommend Google phones to my friends who like Android.

Re:But We Are Open - We are Google - We are Good (2)

dreamer.redeemer (1600257) | about a year ago | (#43475321)

Oh really? Because I have a Nexus One here which would disagree (if it were able to go long enough without crashing to do so). Running 2.3.6 and it will forevermore report itself as "up to date," because google decided the phone was too old to receive updates after less than 2 years.

Re:But We Are Open - We are Google - We are Good (1)

h4rr4r (612664) | about a year ago | (#43475433)

The Nexus one is ancient.

The Nexus line gets updates quickly, not for a longer period of time.

You could easily find community Roms for it if you wanted.

Re:But We Are Open - We are Google - We are Good (2, Insightful)

Anonymous Coward | about a year ago | (#43475639)

In other words, just like the GP said, Google said go fuck yourself after 1.5 years.

Yeah, that's SO much better than the carriers.

Re:But We Are Open - We are Google - We are Good (1)

RatherBeAnonymous (1812866) | about a year ago | (#43475487)

I have a Nexus One as well.

I don't really mind not getting an update to ICS or Jelly Bean. I DO mind not getting bug fixes.

Re:But We Are Open - We are Google - We are Good (1)

ArhcAngel (247594) | about a year ago | (#43475633)

Just because Google isn't actively providing updates it doesn't mean you can't still install them. [xda-developers.com] If your phone has a locked bootloader that isn't the case.

Re:But We Are Open - We are Google - We are Good (1)

pepty (1976012) | about a year ago | (#43475351)

The carriers want you to agree to a new phone/contract, not keep using your current phone. Preventing your current phone from running apps that require Android 4.x by preventing you from upgrading to 4.x is a great (great as in "heads I win, tails you lose", "you" as in "you've never heard of Slashdot") way of motivating you to get a new phone and a new contract.

Re:But We Are Open - We are Google - We are Good (0)

Anonymous Coward | about a year ago | (#43475641)

Carriers are interested in 2 things. Keeping you with them, and making money off you. Carriers sell new phones at a loss, they don't want you to buy a new phone if you are already on a high margin plan and aren't thinking about leaving.

  When people buy a new phone, for example an iPhone, the carrier sells the phone at a substancial loss and will generally not make a profit off you as a customer for at least 12 months. If people are already on a smartphone plan with data the carrier would much rather have you sit there and simply pay your bill after you have paid back the subsidy then upgrade to a new device. Verizon pushing back their upgrades to 24mo from 20 a few weeks ago is proof of this.

Re:But We Are Open - We are Google - We are Good (1)

thetoadwarrior (1268702) | about a year ago | (#43475609)

Google branded devices are also not that popular. Android is more of a Samsung thing.

Re:But We Are Open - We are Google - We are Good (5, Informative)

ddtmm (549094) | about a year ago | (#43474909)

I think you missed the point. Google has published the patches but the carriers have not distributed them.

Re:But We Are Open - We are Google - We are Good (1)

LordLimecat (1103839) | about a year ago | (#43474925)

What part of "carrier" made you think that a post about Google was relevant here?

Re:But We Are Open - We are Google - We are Good (0, Troll)

BoRegardless (721219) | about a year ago | (#43475359)

Very good question and it deserves to be answered.

If you are going to be good and do good, you should plan things in such a manner so that result occurs. Setting up a whole multi-hundred million or billion set of hand held computers that does not have inherent auto-upgrades (at least for security) as a part of the agreement to license your OS and use it safely is rather absurd in this day and age. We have gone through 20 years of malware on desktop PCs before Android hit the mainstream and Google could have been done right.

When you design a complex system and then go to implement it and tell everyone it is great and the future and the way it should be done, it must encompass maintenance issues to EOL conditions.

Google by putting out an entirely open system and promoting it without any constraints sounds nice but obviously puts users at risk and this was understandable when the project was started by Andy Rubin, so don't say Google was not warned.

Open is nice until users are harmed.

Re:But We Are Open - We are Google - We are Good (5, Informative)

Dancindan84 (1056246) | about a year ago | (#43474949)

'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers'

Highlighted the important part from TFS. Google's released patches. Carriers are refusing to give them to their customers. There's nothing Google can do about that. Hence why the ACLU is lobbying the FTC to force the carriers into action.

It took two years to get here (0)

Anonymous Coward | about a year ago | (#43474851)

Remember the riots that took place because people running Gingerbread were arbitrarily deemed to be using devices too slow to handle the demands of Ice Cream Sandwich?

Google has no control over handset makers, who have chosen to not only make their own versions of Android (greatly complicating the process of making patches) but also have to deal with carriers. These carriers will not foot the bill for OTA updates and they demand features on these phones be crippled in order to sell their own versions.

Re:It took two years to get here (1)

firex726 (1188453) | about a year ago | (#43475289)

So why not let users update the SW themselves over the internet?
Have it make a notice for users to update next time they are on a wifi network, or connected to a computer.

Carriers don't want to not because it'll cost them money, but because it wont sell any more decides so what do they care?

Re:It took two years to get here (2)

h4rr4r (612664) | about a year ago | (#43475317)

Because someone still has to port the update to the phone. This is because many devices are not running stock android. If the kernel changes or the issue is with a driver then you are looking at a whole ball of wax.

The issue here is that ARM has nothing like PCI, and has traditionally not had to worry about this sort of thing. This means bootloaders and everything else can and are different across devices.

Carriers don't want to pay for updates because they want you to buy another device.

Re:It took two years to get here (1)

Krojack (575051) | about a year ago | (#43475537)

So why not let users update the SW themselves over the internet?
Have it make a notice for users to update next time they are on a wifi network, or connected to a computer.

Carriers don't want to not because it'll cost them money, but because it wont sell any more decides so what do they care?

If anything, maybe force the carriers & phone manufacturer to release all the source code for the device they stop updating. Let the community take over if they wish. This is the only reason ROMS for rooted users have bugs. The devs have to guess how various things like the radios work.

Re:It took two years to get here (1)

firex726 (1188453) | about a year ago | (#43475579)

Nice idea, but impractical due to all the proprietary HW in the phone; they can't release since they do not have permission. You'd need dozens of companies to grant permission for that.

Re:It took two years to get here (1)

Krojack (575051) | about a year ago | (#43475617)

Remember the riots that took place because people running Gingerbread were arbitrarily deemed to be using devices too slow to handle the demands of Ice Cream Sandwich?

I love when they use the "your device is too slow" excuse while hundreds if not thousands of rooted people are running versions of Android 1/2 major versions ahead without any problem. I remember putting 4.1 on my HTC Thunderbolt and having it runs leaps and bounds faster than the bloated 2.3.4 that it was on.

I sometimes wonder if they tweak the Android system to run slower just so people will go out and buy a new phone.

android lol (1, Informative)

Anonymous Coward | about a year ago | (#43474861)

your average user exposes themselves to more risk than if they use WinXP. At least the patches are available if they choose to install them.

Android: a shameful security risk

Re:android lol (4, Funny)

greentshirt (1308037) | about a year ago | (#43475605)

Very true. My old communications device was the most secure and I've yet to find something that rivals it. It was impossible to spoof, clone, or manipulate and all my data was secure. Sure it was hard to make long-distance calls, because finding large spools of string is difficult, but the fidelity of those tin cans was soooo pure. Plus, they never got any malware, not even once.

Jailbreak. (1)

Anonymous Coward | about a year ago | (#43474865)

Install Cyanogenmod. Maybe not for the vast majority of users.

Re:Jailbreak. (0)

Anonymous Coward | about a year ago | (#43474929)

Will never work for the vast vast majority of android users.

Please consider taking your posting career to the xda forums.

Thanks.

Re:Jailbreak. (3, Informative)

MightyYar (622222) | about a year ago | (#43475173)

I run (unofficial) Cyanogenmod and mostly like it, but I wouldn't wish it on anyone. Every release has a little something important broken. Don't get me wrong, I'm very grateful to the people doing this stuff for free, but when your battery life suddenly gets cut in half and you have to choose between a working camera in the newest release or short battery life, it gets to be a PITA. Plus, it's a time sink...

Re:Jailbreak. (1)

synapse7 (1075571) | about a year ago | (#43475477)

When I was running CM10 on an s3 I found it to be very stable. I would not recommend unofficial or nightly releases in situations where you are depending on a reliable device.

Re:Jailbreak. (1)

greentshirt (1308037) | about a year ago | (#43475569)

There are a stable M builds that work well for general users. Nightlies of anything will be unstable, because they are automatically built and untested.

sounds like the market has spoken (1)

Anonymous Coward | about a year ago | (#43474869)

why did Google discontinue bug fixes on 2.3.x? Please explain the contorted logic to link phone firmware levels to Civil Liberties.

Re:sounds like the market has spoken (1)

h4rr4r (612664) | about a year ago | (#43474905)

Why would they continue to make bug fixes for an OS version they no longer use?

Re:sounds like the market has spoken (0)

Anonymous Coward | about a year ago | (#43475189)

Why are you still running windows xp?

Re:sounds like the market has spoken (1)

h4rr4r (612664) | about a year ago | (#43475237)

What makes you think I am?
I have 0 windows machines that I own.

Re:sounds like the market has spoken (2, Informative)

Anonymous Coward | about a year ago | (#43474957)

why did Google discontinue bug fixes on 2.3.x

For the exact same reason Microsoft doesn't make new patches for Windows 95, Windows 3.1 or DOS 6.22.

You already knew that answer, however, so go troll elsewhere.

Re:sounds like the market has spoken (1)

thetoadwarrior (1268702) | about a year ago | (#43475631)

I'd say consumers do have the right to buy into something that isn't broken and if they're put into a contract then really they should get a secure device for the length of the contract.

No law is needed (1)

Rinisari (521266) | about a year ago | (#43474889)

Customer education is needed. Many of theses devices have upgrades available. Those that don't may not be able to run the newer versions satisfactorily. If a law like this is passed, I see carriers and makers having to shoehorn updates that don't fit and run terribly onto consumer devices that are years out of date.

Carriers and handset makers need to educate customers in order for the customer to protect themselves. The customers themselves need to take responsibility for their device and its security. Carriers' and makers' security history should affect their reputation.

Re:No law is needed (3, Informative)

falcon5768 (629591) | about a year ago | (#43474921)

"Many of theses devices have upgrades available." Actually part of the problem is many of them do, but the carriers are specifically blocking them from being released.

Re:No law is needed (0)

Anonymous Coward | about a year ago | (#43475137)

The carriers contract with the phone manufacturers for a certain period of patch support or quantity of MR's. Once that time period has expired or they have met their requirements there is no longer a financial benefit to the manufacturers to release the updates. Carriers want to get their phones updated, the only thing carriers do is hold back patches for testing. The carriers can't patch the devices, they aren't allowed to by the manufacturers, they don't have the closed source bits (not all of android is open), and they couldn't' even if they wanted to due to the locked boot loaders loaded on by the manufacturers.

The problem is much like what is happening in the PC market right now. There are less and less compelling reasons to upgrade. Many customers who have smartphones will proudly declare "I just use it as a phone" and have no reason to upgrade to newer models. If the FTC were to do what the ACLU wants here, it would add so much cost to android phones that it would cause a dramatic change in the industry. Google is actively trying to downplay how bad the actual situation is. The quoted numbers are based off google's new tracking system. The old tracking system would count phones phoning home to google, the new system only counts phones when people click on google play. Google's new numbers reflect the people actively using the "google play ecosystem" not what phone are actually out there and in use.

Re:No law is needed (1)

ericloewe (2129490) | about a year ago | (#43475277)

You're missing a very important aspect: The fact that carriers have mostly no motivation to keep "their" devices updated, and thus no motivation to validate patches, effectively leaving them to be forgotten.

Re:No law is needed (0)

Anonymous Coward | about a year ago | (#43475347)

Carriers want to keep their devices updated. Service and repair for old phones is a huge money sink. Phone issues are a number one reason of churn.

Re:No law is needed (1)

h4rr4r (612664) | about a year ago | (#43475391)

Carriers want to sell new phones and signup new contracts not pay to update devices.

Service and repair is mostly for hardware issues, for software they normally tell a use to screw off.

Phone issues are why I am changing carrier. Since VZW screwed with the GN they will not likely get another Nexus. My next device will be a Nexus.

Re:No law is needed (0)

Anonymous Coward | about a year ago | (#43475485)

Thanks for making my point for me.

Phone issues are the number one reason for churn. Carriers do not want churn. Carriers want you to be happy with your phone and keep using it beyond your upgrade date. The subsidies get paid off by your upgrade date, once your subsidy is paid off the amount we make off your plan monthly goes up by about 15-20 dollars depending on the phone.

Re:No law is needed (1)

h4rr4r (612664) | about a year ago | (#43475337)

Why would it add a lot of cost?
The Nexus line gets updated fine and costs less than many phones.

Re:No law is needed (0)

Anonymous Coward | about a year ago | (#43475431)

The initial contract between the manufacturer and the carrier determines how long and for how many patches the manufacturer will support the devices. Increasing that time adds a substantial financial burden to the manufacturers and therefore to the bottom line cost of the devices.

The carriers have to pay the manufacturers to keep supporting their devices after they are no longer making money off sales. Most phones are on the shelves for a year or less. The manufacturer doesn't get sales money once the phones are EoL. The future support is via contract. People in this thread keep forgetting that the carriers cannot patch their phones. The manufacturers are the people who patch. The carrier gets the money from the subscribers, not the manufacturers.

Re:No law is needed (1)

rickb928 (945187) | about a year ago | (#43475625)

Ignoring a previous post complaining about the Nexus One no longer getting updates.

No phone, manufacturer, or model is immune to this, nor is any innocent. My G-1 still works fine, but it is clearly an obsolete version of Android, even with CM7 running on it.

And by running, I mean limping. How CM7 got ported to the G1 is scary clever, no complaints, but it's sloooow and unstable, even the stable release. Just not enough RAM to work well.

Re:No law is needed (1)

h4rr4r (612664) | about a year ago | (#43474969)

Actually all they have to provide is security patches, not an upgrade to the next version of the OS.

So far unless the device is a nexus updates will likely be few and far between. Samsung has being doing better recently, but still very poorly. The GS2 just a week or so ago finally got 4.2.

Re:No law is needed (5, Interesting)

najay (733875) | about a year ago | (#43475031)

I own a Motorola Atrix 4G. It is an excellent smartphone platform. It has been abandoned
by Motorola even though the phone can easily run ICS and Jellybean. We Atrix 4G users
may never see an official update, on a phone they originally PROMISED to update.

Sad thing is Motorola Mobility is now owned by Google. Go Figure.

Re:No law is needed (1)

jopsen (885607) | about a year ago | (#43475217)

Customer education is needed.

I doubt that will scale... The world is complex, you can't ask customers, or even highly skilled technical experts like you and me to understand everything. For example I'll gladly admit that I don't have a clue how bank transfers etc. works, and what security I have that my money doesn't just disappear. And even if I wanted to understand the protocols and security measures the documentation isn't publicly available...

I see carriers and makers having to shoehorn updates that don't fit and run terribly onto consumer devices that are years out of date.

Nobody is talking about major upgrades, just security patches... These usually don't change the functionality or performance parameters.

Buy Android Nexus (0)

Anonymous Coward | about a year ago | (#43475001)

The Nexus branded Android phones get updates and do not have crapware.

I had a TMobile Galaxy S4G Android.
It does not get updates.
It came with crap ware. Tricked my wife into signing up for a bullshit ringtone service with monthly fee.
Tmobile says phone cannot be updated. Thats bullshit. Rooted it and Flashed Cyanogen.
Maybe its too much effort to port all the crapware.

Re:Buy Android Nexus (1)

Svartalf (2997) | about a year ago | (#43475315)

It's too much effort to port all the crapware. Seriously.

The problem with the Nexus lineup is that unless you're on AT&T or T-Mobile, you're SOL. AT&T's mediocre where I mostly use my phone these days. They were that way in prior years in different areas. T-Moble? They'll tell you they've got rocking coverage and blazing "4G" speeds. Maybe. If you're in the downtown area of the major metripolitan markets they're in. If you're in the edges, on the road, etc. you will get decidedly mixed results leaning towards craptastic.

Re:Buy Android Nexus (2)

LiENUS (207736) | about a year ago | (#43475387)

Nexus branded phones aren't much better. The galaxy S2 got an update to ICS (4.0) then an update to Jellybean (4.1) before updates were discontinued. That's two major updates for the S2. The Nexus S got an update to ICS (4.0) then an update to Jellybean (4.1) and google announced no 4.2 would be coming for the nexus S... That's just two major updates the the Nexus S, no better than the S2. The Nexus one was the same, update to Froyo (2.2) and gingerbread (2.3), then announced no more updates. The sad thing is the nexus series of phones really dont get more updates than anyone else, they just get to release the software update for their own devices first.

Re:Buy Android Nexus (1)

h4rr4r (612664) | about a year ago | (#43475421)

The GS2 got Jelly bean last week. The updates for it have not yet been discontinued.

The Nexus S is still well supported in the community and has gotten bug fix versions of 4.1.

Android: unsafe at any version (-1)

Anonymous Coward | about a year ago | (#43475003)

How's that "open" thing working out for ya?

Re:Android: unsafe at any version (1)

greentshirt (1308037) | about a year ago | (#43475623)

Did you hear the new iPhone 5 is out! It's.... taller?

Bloatware (4, Insightful)

yesterdaystomorrow (1766850) | about a year ago | (#43475007)

Much of the trouble is that the carriers load the phones with worthless bloatware, and block the user's ability to remove it. There's then not enough free space to install updates.

Re:Bloatware (2, Interesting)

Anonymous Coward | about a year ago | (#43475077)

Apple's approach to phones is objectively superior in every way. They do not allow the worthless carrier's to touch their hardware or OS, other than to verify that it will work on their network.

Google allowing the carriers to be involved at all in hardware and especially the OS itself was a huge mistake, one they may never recover from.

Re:Bloatware (2)

h4rr4r (612664) | about a year ago | (#43475131)

May never recover from? They sell more units.

Apple's approach to carriers is the right one, but this end result is because most phones are subsidized. The carriers get the OEM to load crapware and disable features for their advantage. If smartphones were commonly bought right from the OEM they would have no incentives to do these things.

Re:Bloatware (0)

Anonymous Coward | about a year ago | (#43475333)

Except if you read the forums (and I hear personally from users)... I've heard at least 2-3 people (without me asking) tell me that their two year old i4 is feeling sluggish and they don't know why. Oops, updated beyond it's capacity?

Re:Bloatware (0)

Anonymous Coward | about a year ago | (#43475423)

oh, and do recall that APL does a lot of tricks to simulate speed (using screenshots for animation, i.e. during a screen rotation). I've no idea why basic usage would slow down that much.

Re:Bloatware (1)

poetmatt (793785) | about a year ago | (#43475367)

"objectively superior"

yes, from your perspective maybe. the rest of us like to install things if we want to. If you think carriers don't add bloat to apple I'd like to a: sell you this bridge I own and b: remind you of the apple facetime issue where you'd get a message saying you couldnt' do that.

Apple one upped google: instead of google letting the carriers do whatever they want, apple instead made the carriers doing what they want into something embedded into the phone!

Re:Bloatware (1)

Anonymous Coward | about a year ago | (#43475205)

You know, this is considered a "feature" that was used to sell android to a lot of carriers.

Say what you will about apple, but they don't let carriers load a bunch of system crippling crap on to iphones. (This pisses off carriers, who think they deserve to cripple devices and nickle and dime their customers to death)

Google does maintain some control, though. In order to be called "Google Andriod", carry google branding, and be officially able to use the suite of google services you do have to follow some google rules. You can't, for example, hack off google maps and other google services, then sell premium versions of your own to your customers in their place (The maps thing was an actual, specific incident with one carrier).

I tend to agree (1)

peppepz (1311345) | about a year ago | (#43475027)

Current smartphones are computers and Google / manufacturers / carriers should enable them to be patched or upgraded as one would expect of a computer. There is no strictly technical reason if things don't work this way already - only disinterest, laziness or desire to control. If regulation can push the three to behave, to me it'd be welcome.

However, I wouldn't know exactly what the practical terms of such regulation could be. They certainly can't force manufacturers to support obsolete hardware forever. Perhaps they could prescribe a minimum timespan of guaranteed security fixes.

Re:I tend to agree (1)

h4rr4r (612664) | about a year ago | (#43475113)

There are lots of reasons why it does not work that way.

ARM has no pci like system, so you need to know what devices are there before you boot. You need drivers that the vendor may not even have, and the OEM will want money for every new version. All this means that every device needs a specific system image and patches can't be applied by everyone the same way like it is in the x86 PC world.

Re:I tend to agree (0)

Anonymous Coward | about a year ago | (#43475479)

Bullshit. The devices don't change. No discovery is needed for anything except blutooth attached devices. That's done by the OS. It's all FUCKING SOLDERED ON. There is no need, at all, ever, for discovery on the bootloader.

The lack of updates is due to maliciousness on the part of the carreirs.

Not surprised ... (2)

gstoddart (321705) | about a year ago | (#43475035)

A couple of months ago my carrier was offering me a new phone.

In the set of phones they were offering me, there were some Samsung models running Android 2.x, and an HTC model running 4.x. The Samsung had better specs, but since it was running such an old version of the OS I decided I'd rather have the HTC.

Of course the big problem is that carriers all put on their own shit to make as much money from you as possible. Selling ringtones, wallpapers, their own app stores, all sorts of crap. They don't want to have to re-certify their apps for new versions, so they're not interested in getting these updates rolled out to customers. In fact, I've heard that many of them actively prevent it.

It took me several days of disabling/uninstalling the crap my carrier had installed to make the phone mostly usable, because they literally try to inject their branding/cash grabs into as much as they can do. I'm not sure I've gotten it all, but there was an awful lot of extra crap that needed to be culled.

Carriers aren't interested in your security, they're interested in maximizing their own revenue. If that leaves you with an old and insecure phone, well, the contract shields them from any liability doesn't it?

Re:Not surprised ... (4, Insightful)

h4rr4r (612664) | about a year ago | (#43475147)

Why did you buy a carrier phone?
Why not get a device that might actually get updates?

You voted for this system with your purchase, you are part of why it exists.

Re:Not surprised ... (0)

Anonymous Coward | about a year ago | (#43475245)

A bit over a year ago, my wife got a new phone, and she wanted me to remove the bloatware. In order to do this, I needed to root the phone, which wasn't that hard, and then the bloatware apps were gone. At least for a while.

Then later on there were some android updates to get up to 4.x, and I needed to un-root the phone before any of those would apply..

But this year, her company has a new BYOD policy and they require people to install a new tool which rejects the phone as having been "compromised". Their techs say the only way to "fix" it is to do a factory reset, but to me that sounds like a guess more than anything else - kind of like someone telling you to reboot because they can't think of anything better to do. I suppose I could do a backup/restore around the operation, but it would still be quite a waste of my time. So we said nuts to that nonsense. She is eligible for a new phone in a few months.

At my own company, we also have a new BYOD policy, and they insist that we install a different piece of crap software that demands that the phone not be rooted. In my case it isn't but we are all just refusing to install the thing. No email out of hours means we get a better work/life balance.

Re:Not surprised ... (1)

h4rr4r (612664) | about a year ago | (#43475371)

With 4.x she will be able to disable bloatware without root. You go into apps, select the app and hit disable. You might have to hit uninstall updates first.

You should be able to also just unroot the device and her work tool should be happy. There are simple tools available in the market to do this.

About time! (4, Insightful)

onyxruby (118189) | about a year ago | (#43475099)

About bloody time that someone does this. It is absolutely indefensible that the carriers have refused to release patches for known security holes for extended periods of time if they release them at all. This blatantly leaves their customers vulnerable and their customers have no way of circumventing this short of rooting their phones.

I read the article before it appeared on Slashdot and many of these phone will literally never receive any patches from the carrier. These phones are effectively being sold as known defective devices and I hope someone initiates a class action lawsuit on the matter as I can't think of any other way to fix this issue. Patch Management really should not be an afterthought and it affects every device, every operating system and unfortunately there are still legions of idiots out there equate Patch Management with Microsoft Windows patch Tuesday.

That it would require a lawsuit in order to patch your phone and secure it against a known vulnerability say much about about the state of American cell phone industry. This country desperately needs to adopt the standards used by the rest of the world and it's a point of shame that we have the industry we do. Most Americans don't know how bad things are here because they never go abroad, and once they do it's like walking into a candy store for the first time with "you can do that?", again and again.

Re:About time! (0)

Anonymous Coward | about a year ago | (#43475223)

i've spent the last few days converting old test phones into rooted/rommed web-browsing music players, just for fun. the number of old devices stuck on 1.6 or 2.1 is depressingly high...and it really comes down to (hardware) vendor support. i've found many hacks/mods for phones long out of service, but very few official updates for phones even a few months old.

i fail to see how this is the responsibility of a carrier - most of the issues arise from locked bootloaders and difficulties in rooting...fundamentally the domain of the handset vendor.

Re:About time! (0)

Anonymous Coward | about a year ago | (#43475275)

The carrier can't patch a phone, they only do compliance testing. The manufacturer is the one who can write the patch. The problem is the manufacturer makes money at the point of sale, they have no financial benefit to releasing patches once a phone is off the store shelves.

Re:About time! (1)

onyxruby (118189) | about a year ago | (#43475583)

RTFA! Many of the phones have been patched by the manufacturer and they in turn have handed over the patch to the carrier. The carriers sit on the patches because they don't want to be bothered taking the time and money to test them. The carriers make the patches because the phones are sold worldwide for many models and they are expected to support them in other markets. If you can't find your patch for your phone in the US you can often the patch for the international version if you look.

And in other news ... (-1, Troll)

daveime (1253762) | about a year ago | (#43475115)

Millions of users still run unpatched Windows XP systems. Is the ACLU on a freebie from Apple ?

Re:And in other news ... (1)

the eric conspiracy (20178) | about a year ago | (#43475163)

The difference is MS makes patches available.

Now for the people still running Windows 2000, not so much.

Re:And in other news ... (4, Insightful)

Lunix Nutcase (1092239) | about a year ago | (#43475243)

No, the difference is that no one is blocking anyone from getting the XP updates that Microsoft releases. This isn't about Google no longer supplying updates to old Android versions, it's about carriers blocking users from getting updates.

Re:And in other news ... (0)

Lunix Nutcase (1092239) | about a year ago | (#43475193)

Hey look a Fandroid idiot. Are millions of users still running unpatched Windows XP because the company who sold them the hardware is blocking the updates from Microsoft? Unless the answer is "yes" your question is retarded beyond reason.

Re:And in other news ... (0)

Anonymous Coward | about a year ago | (#43475373)

Thanks for the valuable insight, iDrone.

Re:And in other news ... (0)

Anonymous Coward | about a year ago | (#43475383)

so do you feel like a big boy now that you've called someone an idiot and a retard? you could have posted the same information in a civil manner and been taken a lot more seriously. as it is you come off as an unpleasant individual with a chip on your shoulder, it makes taking your comment seriously and only invites someone else to come along and call you names, which creates an endless cycle of bad behavior. do yourself and everyone else a favor and strive to be better, the internet is filled with enough thoughtless hate. don't you think it's time we all started to act civil?

Re:And in other news ... (0)

daveime (1253762) | about a year ago | (#43475389)

Who exactly is "blocking" them ? If you can't get patches from your carrier OTA, use the damn WiFi and download them from Android direct ? Who doesn't have WiFi these days ? This is like arguing Microsoft is "blocking" Windows patches because you didn't pay your electricity bill.

Re:And in other news ... (0)

Anonymous Coward | about a year ago | (#43475495)

The versions of Android per handset isn't standard so the user isn't able to simply download an update. If that were the case, there would be nothing blocking the owner.

The ACLU has officially jumped the shark (0)

Anonymous Coward | about a year ago | (#43475145)

A civil rights organization is now complaining about security patching policies on smartphones?

"Ay-y-y-y-y-y" -->
<shark>

Verizon is Horrible About This (2)

VeryBest52 (2897689) | about a year ago | (#43475175)

Verizon took months to roll out the last Galaxy Nexus android update to end users. This is despite the fact that other users got their update within a couple days of it going live. Verizon is horrible when it comes to updates.

Differences in the U.S? (2, Interesting)

Anonymous Coward | about a year ago | (#43475181)

Here in Norway, the carriers are not involved in the phone software. They merely provide a SIM card. Software updates are received from Google and sometimes the handset manufacturer. And to save on phone bills, the updates are usually done over wifi. You don't even need the carrier for that - only an ISP. The 'computer' part of the smartphone don't need the carrier (or their SIM card) to operate.

The carriers are only for phoning someone up and talk to them, sms and conference calls. Oh, and they provide 2/3/4G internet, but wifi is always cheaper when available.

The carrier don't provide software at all, except for setting up the SIM card. The "smart" side of the phone is entirely between the user and Google.

Re:Differences in the U.S? (0)

Anonymous Coward | about a year ago | (#43475637)

you mean between user and manufacturer.

Get your device straight from Google (1)

Turmoyl (958221) | about a year ago | (#43475203)

The problems of both carrier bloatware and abandonment are why I will never again buy a phone from a carrier. If you get your device straight from Google you get timely updates for a much longer period.

Re:Get your device straight from Google (0)

Anonymous Coward | about a year ago | (#43475263)

The problem lies in that Verizon doesn't allow that as an option...and Verizon's got better overall coverage than the other three major players. Seriously.

Re:Get your device straight from Google (0)

Anonymous Coward | about a year ago | (#43475457)

My phone is from 'google'. It is a motorola phone. It got 3 updates 2 years ago. One of the updates was to un-mess up the previous update. Other than that the phone runs fine. It is a phone.

Motorola abandoned my phone when shiney v2 of it came out. Basically I want new software I need to buy a new phone or 'root' it. Which apparently is now illegal again on new phones.

Imagine a phone bomb (0)

Anonymous Coward | about a year ago | (#43475211)

Caused by an unpatched phone vulnerability. Terrorism for nerds, gaping holes that matters.

Yes but (1)

maroberts (15852) | about a year ago | (#43475233)

most of these older phones do not have the memory to run the latest Android version. I can't upgrade my old HTC Desire any more, not because I'm prevented by the supplier, but because the new versions of Android won't comfortably fit.

My experience with Android phones (0)

Anonymous Coward | about a year ago | (#43475251)

I distinctly remember being stuck on Gingerbread while Google was describing the great advancements of ICS for over a year. Then I finally got ICS a week before Google released jellybean. Decided to avoid any android phone after that stupidity

If they force the phone manufactures then (0)

Anonymous Coward | about a year ago | (#43475269)

Microsoft should be forced to continue to make updates for my Windows 95 machine as well. /s

And the ACLU cares about this why? (3, Interesting)

XxtraLarGe (551297) | about a year ago | (#43475427)

I agree that security on peoples' private phones is important, but I have no idea why the ACLU is getting involved. It's one thing to fight against government intrusion into privacy, and quite another to fight to have the government compel private companies to force updates on users' phones.

Of course... (1)

BitingChaos (2786797) | about a year ago | (#43475471)

A history of terrible software support? Blame the users. The comments here are funny.

Clearly (1)

visucks (1074761) | about a year ago | (#43475481)

Clearly... you're better off with an iPhone
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...