[HN Gopher] Samsung embeds IronSource spyware app on phones acro...
___________________________________________________________________
Samsung embeds IronSource spyware app on phones across WANA
Author : the-anarchist
Score : 666 points
Date : 2025-06-21 03:06 UTC (19 hours ago)
(HTM) web link (smex.org)
(TXT) w3m dump (smex.org)
| sneak wrote:
| Buying a device that only runs OEM Android is ridiculous for this
| exact reason.
|
| We need to decouple phone hardware from phone software, as we did
| with computers.
| bilkow wrote:
| We do, but I don't see it happening anytime soon. Many banking
| / government apps and even some games use the Play Integrity
| API, which AFAIK is starting to require remote attestation for
| newer devices.
|
| As it's usually not viable to opt-out of those, the solution
| seems to be having a separate device.
| AlotOfReading wrote:
| Because the link is down:
|
| https://web.archive.org/web/20250506145643/https://smex.org/...
|
| The article leaves out quite a lot about what AppCloud is, but
| it's essentially how Samsung monetizes their non-flagship device
| users and can do things like insert installation advertisements
| into the notification tray, and silently install apps.
|
| Personally, if I found this on my device it'd be the final straw
| to grit my teeth and finally get a personal apple device.
| andrewflnr wrote:
| Or just don't get Samsung? I guess I don't know for sure that
| my phone brand doesn't do anything similar, but it at least
| hasn't hit the news yet.
| boramalper wrote:
| > AppCloud--pre-installed on Samsung's A and M series
| smartphones.
|
| Samsung's A and M series smartphones are their cheapest
| models so their buyers probably cannot afford better phones.
| I don't know of any other brands selling in the region with
| similarly priced models that have better privacy practices
| than Samsung either--they're all the same at that price point
| I'm afraid.
| hedora wrote:
| Looking around, you can get an A series or unlocked iPhone
| 13 new from a prepaid mvno for $0.
|
| A refurbished iPhone 13 is $300 on amazon, which is close
| to the cheapest M ($250). I can't find new 13's for sale
| except via budget carriers.
|
| (Sent from my 12 mini which is better than all that
| followed it: $200-ish for excellent condition,
| refurbished.)
| bigyabai wrote:
| You're better off getting a preowned Pixel to flash with
| a secure ROM in this scenario. Getting an iPhone won't
| help you if later down the line Apple decides to push
| an OTA update that forces the same functionality. A Pixel
| won't protect you from _every_ vulnerability, but it goes
| much further towards stopping these sorts of attacks than
| the iPhone does.
|
| Now hey, I won't suggest that Apple would stoop as low as
| Samsung has here. But discerning customers might not want
| Tim Apple's phone if he's been cozying up to a crusty
| politician that can remember to stay for dinner but can't
| recall his name.
| boramalper wrote:
| > A refurbished iPhone 13 is $300 on amazon
|
| Is this Amazon US? Because even in Ireland, iPhone 16
| costs 41% higher than in the US (979 EUR = 1,128 USD in
| Ireland vs 799 USD in the US).
| beagle3 wrote:
| Half of the difference is likely VAT, which is included
| in European listings but the similar US sales tax is more
| often NOT included in listings.
|
| (Some US states have no sales tax, but most do)
| anonymars wrote:
| In my case I wanted a damn SD card slot. And more than 2
| years of security updates.
| imp0cat wrote:
| And now you see why Samsung is able to provide all that
| at an attractive price. The real costs are hidden.
| more-nitor wrote:
| hmm have you actually read the article? did you find
| anything of "substance" other than hand-wavy "this
| company is from israel, so must be mosad" or "has
| notorious for its questionable practices" (without even
| giving actual examples or incidents)?
|
| I mean, if I was the mosad guy planting a deal with
| samsung, I wouldn't even name the app "AppCloud"
|
| heck, why would you even make it appear to the user?
|
| this is a classic competitor-bashing article -- no
| substance, only hand-wavy "this guys bad!"
|
| I'm guessing this can be traced to others like
| xiaomi/huawei/etc who definitely want to get samsung's
| slice of the market there
| anonymars wrote:
| The more expensive phones don't have SD card slots!
|
| But yeah, presumably in the cheaper markets the Candy
| Crush whales are subsidizing the phones. Like with
| Windows these days. Anyway time to go back to playing
| Fortnite and Marvel Rivals
| pomian wrote:
| Motorola. Plus it still has an audio port.
| anonymars wrote:
| I miss the flashlight chop, but at the time I moved away
| updates were short and migration was "you're on your own"
| lmm wrote:
| Sony still sells flagship phones with an SD slot. I wish
| my Xperia was cheaper but other than that I'm very happy
| with it.
| mellow-lake-day wrote:
| Not in the US.
| chaosbolt wrote:
| No there are lots of Chinese phones with minimal bloatware,
| like the nothing phone cmf 1, sure they only come with 2
| years of updates but what you gonna do at that price...
|
| If you're in the middle east, I'm sure you'd rather be
| spied on by China.
|
| Do you imagine that shit? You're a nuclear scientist,
| working on a program for generating electricity, your
| country is open to being audited and complies with the
| restrictions and has no weapon's program, one day you come
| home and then a fucking rocket comes right inside your
| apartment and kills you and your whole family.
|
| Ain't that a bitch? I get Khamas was hiding there too...
| And since they have all that precise rockets that can take
| a single apartment down, why did they reduce Gaza to
| rubble?
|
| The ramifications of this make me sick: evil not only wins
| but also writes history... And yeah the midwits here will
| unironically look you in the eye and explain how killing
| children is ok because of this of that... You being able to
| explain horrors doesn't make you smart or pragmatic, it
| makes you have no self respect and makes your personal
| boundaries weak, and the same mind that finds arguments to
| cope with the horror his tax money funds will find
| arguments to cope with a lot more until it's his turn on
| the grinder and by then it'll be too late.
| j-bos wrote:
| Motorola has well priced excellent phones with minimal
| bloat.
| rs186 wrote:
| From first hand experience, I can confirm that AppCloud is
| installed on certain carrier versions of S series phone as
| well.
| aucisson_masque wrote:
| All Android phone but pixel ones have bloatware preinstalled.
| Some are worst, like Xiaomi.
|
| If you don't want bloatware (spyware), it's either pixel or
| iPhone.
| burnt-resistor wrote:
| The trick is to define "bloatware". Is that known knowns
| (stuff that's visible), known unknowns (stuff that's added
| that's not visible), and/or unknown unknowns (stuff added
| we are pretty sure is there but can't prove)? Apple adds
| all kinds of carrier-specific crap on every phone, but it's
| not readily discoverable. Android mfgrs must also because
| of carrier contracts and country-specific regulatory
| approval requirements. There's likely little means of
| escaping this without a BYOD non-Android, non-overseas,
| non-Apple phone that may or may not exist. Surely there is
| an obvious, viable alternative somewhere I'm missing that I
| hope exists.
| scarface_74 wrote:
| What carrier specific crap does Apple add?
| sabellito wrote:
| That's incorrect. Zenphone is a bliss.
| Danjoe4 wrote:
| OnePlus has a phenomenal software experience
| torginus wrote:
| Just buy a 5 year old iPhone - it's likely to be still better
| than the cheapo phone, and will get longer support as well,
| while being sold at rock bottom prices.
|
| I just replaced my iPhone XS, not out of necessity, but I
| wanted to see what the new ones were like. The 16 is barely
| better and I was surprised to find just how little the old one
| was worth second hand, considering it still runs circles around
| most midrange Android handsets.
| rs186 wrote:
| I can assure you that they do the same thing with flagship
| phones, especially carrier versions of the phones -- speaking
| from first hand experience. I have seen notifications from apps
| I have never heard of multiple times.
|
| That's what I have been thinking recently -- given that Samsung
| is quietly doing these shady things with my phone, and other
| annoyances like Samsung forcing Galaxy AI on me (try selecting
| some texts in a browser or webview) which cannot be uninstalled
| and the terrible Samsung Pay interface, I am questioning my
| device choice every day.
| chrisjj wrote:
| > Samsung forcing Galaxy AI on me (try selecting some texts
| in a browser or webview)
|
| I did. No Galaxy AI.
| rs186 wrote:
| Open an email from any email client and give it a try.
| hkt wrote:
| No need to ditch Android. Fairphone exists:
| https://fairphone.com
|
| Their stock android is fine. If you want more privacy,
| installing e/OS/ is trivial. It blows my mind that anyone is
| concluding Samsung stuff is worth buying under any
| circumstances.
| rs186 wrote:
| What about people who are not in Europe?
|
| And for US carriers, you are basically locked out of Wi-Fi
| calling if you are not using one of the whitelisted devices.
| subscribed wrote:
| GrapheneOS if you can live without Google Wallet and
| hardened Google Pixel (the only secure Android device
| family to date).
| subscribed wrote:
| Fairphone has astonishingly bad upgrades and patches policy.
| Very late, very delayed, not all of them.
|
| Sure, better than, say, Sony (and as an ex-Sony user I kind
| of know what I'm talking about), but far from calling it
| good.
| ggm wrote:
| Would sufficient people change purchase decisions in ways which
| they could recognise this as a root cause?
| nguyenkien wrote:
| There's not much of a choice if you don't have money.
| Zak wrote:
| Used premium phones often cost as little as new entry-level
| phones. There may be some markets where things get weird
| because of carrier subsidies though.
| akersten wrote:
| In my experience, Samsung is a label that means "stay far, far
| away." From the Galaxy Note fiasco to my microwave to my
| dishwasher to ... Probably at least three other products before I
| learned my lesson.
|
| I even refuse to buy QD-OLED monitors out of indignation that
| Samsung makes the panels. Maybe I'm alone but maybe one day we'll
| boycott lousy companies out of business.
| Gigachad wrote:
| Samsung phones have been filled with preinstalled spyware since
| the beginning. Outside of fairly unusable Linux phones, Apple
| seems to be the only one taking privacy seriously.
| compootr wrote:
| manufacturers aside, grapheneos and lineage work well because
| of Google's work on their phones
| sitzkrieg wrote:
| apple privacy is marketing but ok
| int_19h wrote:
| If it's mostly marketing, why was Facebook so up in arms
| about forced opt-in for tracking in iOS?
| Grimeton wrote:
| Because Apple blocks everybody else from spying on you
| but Apple themselves are still perfectly spying on you.
| And not just that, by disallowing all other apps to get
| their hands on your data you even tell Apple which data
| it can sell for a higher price because it's only
| available via Apple and noons else...
|
| Let that sink in.
| joshstrange wrote:
| Let what sink in? Your completely unprovable/unproven
| conspiracy theory?
|
| You are suggesting that Apple is actively tracking you in
| other apps (apps that aren't allowed to track you
| themselves). I find that completely preposterous and a
| huge risk for Apple to take given their marketing.
|
| > Because Apple blocks everybody else from spying on you
| but Apple themselves are still perfectly spying on you.
|
| Extraordinary claims require extraordinary evidence.
| Specifically Apple spying on users and collecting info
| tied to their identities in 3rd party apps.
| Grimeton wrote:
| I never said they monitor you in 3rd party apps. Don't
| put words into my mouth.
|
| https://www.apple.com/privacy/labels/
| oefrha wrote:
| You mean extraordinary evidence like selling Apple Ads
| and associated attribution data that third parties aren't
| allowed to collect? Their ads revenue is now $10B+ and
| growing. You must know nothing about the mobile
| measurement industry if you think this very mundane claim
| is some extraordinary conspiracy theory; it's not even
| controversial there.
|
| https://ads.apple.com/app-store/help/attribution/0093-adattr...
| newdee wrote:
| All marketing? None of it is real? Citation?
| blacksmith_tb wrote:
| I have a Samsung clothes washer and a drier, they've been solid
| (but they aren't net-enabled... luckily).
| makeitdouble wrote:
| > Galaxy Note fiasco
|
| Has any smartphone maker succeeded in getting more than a few
| percent of market share, released more than 2 phones while
| being immune to that level of fiasco ?
| brianbest101 wrote:
| It's really hard to beat the "it's a felony to knowingly
| carry our phones on to an airplane" level of fiasco
| makeitdouble wrote:
| Why does this become a competition where we're looking for
| a winner ?
| Zak wrote:
| Yes. I have never been asked "do you have any weapons,
| explosives or [phone model]?" before boarding an airplane
| about any other phone, ever.
|
| There have been other phones that had very occasional battery
| fires, but nothing on remotely the same level.
| makeitdouble wrote:
| On the other side Apple dealt with the BatteryGate of 2017
| and Google paid back all remaining users of the Pixel 4a.
|
| Each of these is also unique and unseen ever before for a
| phone.
| anonymars wrote:
| In favor of what? The Android ecosystem is pretty lousy. Which
| manufacturers allow you to easily migrate to a new phone
| (Samsung has Smart Switch) and have, let's say, 4+ years of
| security updates?
|
| Genuine question.
|
| In my case I also wanted an SD card slot so it was slim slim
| pickings indeed. (And still there are some misfits who insist
| that there is no such thing as progress!)
| ryukoposting wrote:
| LG back in the day. I miss my V20. What a weird, but
| wonderful phone.
| moooo99 wrote:
| I was an LG G3 user a long time ago. With the exception of
| the overheating issue, it was a lovely phone. LG really did
| have some unique devices
| gblargg wrote:
| I'm still using a V20 as my main phone. The recent app
| icons at the extra top section of the screen really make
| juggling active apps fast. I don't think any phone has had
| this feature since.
| ryukoposting wrote:
| I loved the second screen. Does Spotify still work with
| it? That was a cool thing.
| tock wrote:
| I love the phones Nothing makes. And they are offering five
| years of Android updates and seven years of security upgrades
| on their upcoming Nothing phone 3.
| mellow-lake-day wrote:
| All the nothing phones are too big. Give me something the
| size of the s25.
| msgodel wrote:
| Get a UMPC with a modem card, put Linux on it, use jmp.chat
| to do all your carrier value add over IP.
| Thorrez wrote:
| >Which manufacturers allow you to easily migrate to a new
| phone (Samsung has Smart Switch) and have, let's say, 4+
| years of security updates?
|
| Pixel phones get 7 years of OS and security updates. Do you
| consider Pixel phones to allow you to easily migrate to a new
| phone?
|
| Disclosure: I work at Google, but not on Android or Pixel.
| fud101 wrote:
| Pixel phones have been awful hardware since the 5. So there
| is that. The tensor chip is a dud and can't be fixed. I'm
| done with Samsung for good after my current phone which I
| bought a few months ago. I'll probably replace it with an
| Oppo or something again, never going back to Samsung.
| throw123xz wrote:
| Going from a phone with a Snapdragon SoC to a Pixel with
| the Tensor SoC was a big downgrade for me. It gets hotter
| quicker when doing more demanding tasks, battery drains
| faster if network conditions are not perfect, etc.
|
| We've been having some warm weather (~30°C) around here and
| the other day my Pixel 8 Pro started warning me about the
| phone being too hot when I tried to record a video.
|
| I like Google's Android skin and their long support
| periods, but Tensor holds these newer Pixels back.
| amlib wrote:
| Pixel phones are available in very few regions, Samsung is
| available virtually anywhere.
| npteljes wrote:
| Pixel of course. And yeah the Androids suck mostly. Pixels
| suck too in some ways, for example, they are quite bulky, and
| heat up a bunch. But overall, by far the best Android
| experience in my opinion. No SD slot though.
| acidburnNSA wrote:
| No SD slot is a showstopper for many.
| danparsonson wrote:
| Great SSDs though, generally speaking
| grishka wrote:
| The "unremovable" part is inaccurate. While you can't completely
| remove it because it resides on the system partition, you most
| probably can still disable it with an adb command:
| adb shell pm uninstall --user 0 com.package.name
|
| This command is very powerful as it works for any app, even those
| that have "disable" greyed out in the settings. I disabled the
| Galaxy Store on my S9 this way for example.
| awaisraad wrote:
| Do you know if the same apps remain installed in "Secure
| Folder" as well?
| AzzyHN wrote:
| Yes, but for most people (I'd guess 99% or more), they would
| never know to use the above, and I'm sure those who did find a
| guide might have issues using adb on their likely Windows or
| MacOS machine.
| hysan wrote:
| > "unremovable"
|
| > you can't completely remove it
|
| Maybe my English isn't very good but that sounds like the
| definition of unremovable.
| charcircuit wrote:
| It's in a read only filesystem. You can't modify read only
| data, but you can choose to ignore it.
| ashirviskas wrote:
| Only because it is mounted as one. It is like saying that
| you can't have your house in pink because it is green.
| charcircuit wrote:
| If you modify a file on the partition the device will
| fail to boot. Your metaphor is not equivalent because it
| ignores security.
| sedatk wrote:
| There's an enormous difference between "it can't be stopped"
| and "its storage area can't be reclaimed" though.
| grishka wrote:
| To be pedantic, yes, but not in a way that matters. The
| system partition is read-only. Mounting it read-write would
| require root and any modifications would break system
| updates. The apk will still be physically present in the file
| system, _however_ , none of its code will run and it will be
| _removed_ from your launcher and installed app list in
| settings, which IMO still counts as a removal.
|
| Also, English is not my native language. I feel like I did
| get my point across anyway.
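The distinction argued over in the comments above (a package that is uninstalled for user 0 versus one that is actually gone from the read-only partition) is visible directly in `pm` output: `pm list packages -u` still lists what `pm uninstall --user 0` hid. The script below is an added example written for this page, not code from the thread or from Samsung; it diffs the two listings on constructed sample output (the `com.example.*` package names and APK paths are made up), reports where each hidden APK still lives, and builds the per-user uninstall command plus its `pm install-existing` reverse after validating the package name.

```python
"""Tell 'uninstalled for user 0' apart from 'gone from the device'.

`pm uninstall --user 0 <pkg>` only removes a package for one user; the APK
stays on the read-only partition and `pm list packages -u` still lists it.
This script diffs the two listings and builds the matching adb commands.
"""
import re
from typing import Dict, List

# Constructed sample output (not captured from a real device) of
#   adb shell pm list packages -f --user 0       -> INSTALLED_SAMPLE
#   adb shell pm list packages -f -u --user 0    -> WITH_UNINSTALLED_SAMPLE
# Package names and APK paths are made up for the example.
INSTALLED_SAMPLE = """\
package:/system/priv-app/Launcher/Launcher.apk=com.example.launcher
package:/data/app/~~r4nd0m==/com.example.mail-1/base.apk=com.example.mail
"""
WITH_UNINSTALLED_SAMPLE = INSTALLED_SAMPLE + """\
package:/system/app/VendorAppCloud/VendorAppCloud.apk=com.example.vendor.appcloud
package:/product/app/VendorStore/VendorStore.apk=com.example.vendor.store
"""

# Partitions mounted read-only on a stock device: an APK living here cannot
# be deleted without root, only hidden from the user.
READ_ONLY_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/",
                      "/odm/", "/apex/")

# Java-style package name: dot-separated identifiers, nothing else.
PKG_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    packages: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("package:"):
            raise ValueError(f"unexpected pm output line: {line!r}")
        # APK paths under /data/app may themselves contain '=', so split on
        # the last '=' rather than the first.
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if not sep or not PKG_RE.match(pkg):
            raise ValueError(f"unexpected pm output line: {line!r}")
        packages[pkg] = path
    return packages


def shadow_packages(installed: str, with_uninstalled: str) -> Dict[str, str]:
    """Packages still on disk but uninstalled for the user: those present
    only in the `-u` listing."""
    visible = parse_pm_list(installed)
    everything = parse_pm_list(with_uninstalled)
    return {pkg: path for pkg, path in everything.items() if pkg not in visible}


def on_read_only_partition(path: str) -> bool:
    """True if the APK sits on a partition a non-rooted user cannot modify."""
    return path.startswith(READ_ONLY_PREFIXES)


def is_valid_package_name(pkg: str) -> bool:
    return PKG_RE.match(pkg) is not None


def user_uninstall_command(pkg: str, user: int = 0, keep_data: bool = False) -> List[str]:
    """argv for the per-user uninstall from the thread; the name is checked
    first so nothing unexpected is handed to `adb shell`."""
    if not is_valid_package_name(pkg):
        raise ValueError(f"not a package name: {pkg!r}")
    argv = ["adb", "shell", "pm", "uninstall"]
    if keep_data:
        argv.append("-k")  # keep the app's data directory
    argv += ["--user", str(user), pkg]
    return argv


def reinstall_command(pkg: str, user: int = 0) -> List[str]:
    """argv that undoes the above: `pm install-existing` re-enables a
    package that is still on disk for the given user."""
    if not is_valid_package_name(pkg):
        raise ValueError(f"not a package name: {pkg!r}")
    return ["adb", "shell", "pm", "install-existing", "--user", str(user), pkg]


if __name__ == "__main__":
    for pkg, path in shadow_packages(INSTALLED_SAMPLE, WITH_UNINSTALLED_SAMPLE).items():
        where = "read-only partition" if on_read_only_partition(path) else "writable storage"
        print(f"{pkg}: hidden for user 0 but still at {path} ({where})")
        print("  undo with:", " ".join(reinstall_command(pkg)))
```

On a real device you would feed the script the output of the two `pm list packages` invocations named in the comments; the `install-existing` reverse is worth keeping at hand because a system update can re-enable the package anyway, and the same command lets you check that an "uninstall" was only ever a per-user hide.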
| hmcq6 wrote:
| It's not being pedantic. Disabling the application does not
| give me the storage space back.
|
| If people are paying for upgrades to storage space it's
| completely reasonable for them to be annoyed by bloatware
| grishka wrote:
| The system partition is usually the same size regardless
| of which storage option of the same phone model you get.
| bracketfocus wrote:
| But if the system partition could be smaller, other
| partitions could be larger.
| grishka wrote:
| The system partition is made some fixed size, the same
| way disk partitioning works on PCs, and never resized,
| because resizing file systems is still a non-trivial
| task. It often has some free space too to accommodate
| future system updates.
|
| On my 128 GB Pixel 9 Pro, /data is 109 GB. The rest is
| /system (although `df -h` doesn't show it explicitly, no
| idea what's up with that) and various other system-
| related partitions.
| bracketfocus wrote:
| Yes, but if the phone shipped with less bloatware on the
| system partition, then maybe that partition would be made
| smaller initially.
|
| Meaning the user would have access to more of the phone's
| advertised storage.
| Henchman21 wrote:
| You have succeeded in splitting hairs down to the atomic
| level. Fissionable HN comments!!
| Dylan16807 wrote:
| Even with the outrageous prices for phone storage
| upgrade, an entire gigabyte of inactive bloat would be a
| $1 impact. It's not a big deal.
| scalableUnicon wrote:
| I had a Samsung phone and did the same with mine. Wrote a small
| tutorial here (https://harigovind.org/notes/removing-samsung-android-bloatw...).
| But even then, these apps will pop right back after system
| updates and those were becoming more frequent. I got rid of it
| shortly after, nowadays I use Moto where bloatwares are
| comparatively minimal.
| gblargg wrote:
| I've had a few Moto phones and have also been pleased with
| the fairly stock OS and durability.
| mvdtnz wrote:
| So you're saying it can't be removed?
| ehnto wrote:
| Don't even need that, you can disable it within the OS app
| settings.
| encom wrote:
| I had a OnePlus whatever as a work phone in my last job. Every
| time I used adb to purge the OnePlus crap, it would somehow
| find its way back. Eventually I settled on disabling
| autoupdates from the play store, so it was stuck at whatever
| outdated, and hopefully broken, version the phone shipped with.
| npteljes wrote:
| Words don't just have a literal, technical meaning. If the
| phone itself doesn't allow a straightforward, user friendly
| happy-path for removal, it might as well be "unremovable" in a
| sense that it is indeed unremovable for most users. "adb shell
| etc" implies that one has a PC with this tool correctly
| installed, and many people don't even have a PC in the first
| place. Then comes the case of installing adb, setting it up
| correctly, and having a cable to connect the two, enabling
| debug mode, and doing the thing. This is much more like a
| service thing, than a do it yourself at home thing. Not much
| unlike "chip tuning" for cars.
| grishka wrote:
| This doesn't strictly require a PC. There's this trick with
| using the wireless debugging feature to connect the phone to
| itself. You can do it with a terminal app like Termux but
| Shizuku is a nice GUI that streamlines this process and
| exposes an API for other apps to use. After a quick web
| search I found https://github.com/samolego/Canta which is,
| again, a GUI app that uses Shizuku to uninstall apps via adb.
|
| I agree that it's not _easy_ , but anyone sufficiently
| annoyed by these non-otherwise-removable apps who is able to
| follow instructions should be able to get it done without
| needing a computer or special knowledge or messing with the
| command line.
| Zak wrote:
| The article claims the app can only be removed with root
| access, which requires more difficult and technical steps to
| attain than running an adb command. If uninstalling the app
| with adb works and doesn't result in the app being promptly
| reinstalled, then the article has a significant factual
| error.
| Concept5116 wrote:
| Except uninstalling the app does not equal removing it,
| as you claim. Removing it from list of apps to load is not
| removal. Not to mention it resets back to installed and you
| have to rerun the command.
| acdha wrote:
| Samsung has an entire PR team who get paid to misrepresent
| things -- you should at least get paid for what you're doing.
| You've already admitted that it can't be removed and if it
| takes some shell work you're not even sure about to disable it,
| that almost certainly means it's coming back on every update.
| kotaKat wrote:
| This does not work on all phones. Some OEMs (like Motorola)
| leverage the 'nodisable' feature to prevent this and other APKs
| from being disabled.
|
| On my 2025 Motorola RAZR 5G, in /product/etc/nondisable are a
| series of XML files listing carrier and activation apps for
| Dish Wireless, Tracfone/Verizon Value, T-Mobile, the Amazon App
| Manager, and two apps provided for finance providers PayJoy
| (who lock and disable phones for financial product recovery)
| and one for Claro internally (that operates similar to Payjoy).
| johnisgood wrote:
| How would one go about using adb? Motorola, stock Android. Do I
| need to root my phone for this to work or what are the
| requirements, or how do I perform it?
| contingencies wrote:
| 1. Install android SDK / android studio on your computer.
|
| 2. Plug phone in to computer using USBC cable.
|
| 3. Answer prompt on phone granting permission to computer.
|
| 4. Run adb commands.
| johnisgood wrote:
| Thanks, my issue so far was with the 2nd step, as if my
| Linux did not recognize my device. I might have a go on
| Windows if Linux will not work again.
| Izkata wrote:
| It only works for me with one of my two USB ports, and my
| Kobo ereader has the same issue. Not sure why, best guess
| is one might be USB 2.0 and the other 3.0
| johnisgood wrote:
| That could very well be the issue. We will see. I think I
| only have 2.0 working right now. I hope it works with 2.0
| too. :/
| catlikesshrimp wrote:
| Knoppix has an old android adb and drivers. Still
| recognizes Samsung A and chinese androids and is
| functional.
|
| Other distros surely offer the same support
| johnisgood wrote:
| Not sure what the issue was, I did not debug it. I will
| try again and see if it works or not, and will debug it
| further if it does not work. Arch Linux or Void Linux
| definitely should offer the same or more (or better)
| support.
| danieldk wrote:
| You also have to enable developer options (tap the Android
| build number N times) and then enable USB debugging. You
| can disable USB debugging and the developer options
| afterwards (keeping USB debugging on is insecure).
|
| The universal android debloater makes uninstalling packages
| easier, it has descriptions and categorizes packages by how
| safe they are to uninstall.
| subscribed wrote:
| It's not trivial for most and will most likely get reenabled
| after the firmware upgrade.
| catlikesshrimp wrote:
| that doesn't work for every package.
|
| * Some packages aren't authorized to be disabled this way, i.e.
| you can't disable them this way.
| * Some packages can technically be disabled this way, but they
| cause unrelated issues like the phone wasting processing
| resources, even overheating the device; or bootloops.
| * Less relevant, but the package is disabled, but removed. The
| system can still reenable it, reinstall it, or upgrade it.
|
| Edit: I can't find a way to format this. It shows as a text
| block.
| gmerc wrote:
| If anyone needed another reason to stay the fuck away from Unity
| boramalper wrote:
| I suspect a strong link between mass surveillance (by
| corporations for advertising or by states for intelligence
| purposes) and the very recent targeting of the senior Iranian
| nuclear scientist and military officers at their homes in Iran.
|
| Wherever you are from or whatever side of the conflict you are
| on, I think we can all agree that it's never been easier to infer
| so much about a person from "semi-public" sources such as
| companies selling customer data and built-in apps that spy on
| their users and call home. It allows intelligence agencies to
| outsource intelligence gathering to the market, which is probably
| cheaper and a lot more convenient than traditional methods.
|
| "Privacy is a human right" landed on deaf ears but hopefully
| politicians will soon realise that it's a matter of national
| security too.
| aussieguy1234 wrote:
| Weather apps are one of the worst offenders here. Almost all
| share your location info with data brokers if you give them
| location access.
|
| Check the weather today, get bombed tomorrow.
| bongodongobob wrote:
| Politicians are just the sales and marketing department for
| multinational corporations and defense contractors. They will
| never care.
| FilosofumRex wrote:
| Almost all of Iran's cell network system was originally
| installed by S. Korean firms. They've changed some to Chinese
| brands, but apparently the compromised S. Korean brands are
| still around.
| Digital28 wrote:
| Changing from SK to CN is a trade from intentional
| vulnerability to unintentional vulnerability. I've yet to see
| a secure piece of software come out of China in my 30+ years
| of coding.
| Dah00n wrote:
| Yet in telco it is much easier and faster to get a bug
| fixed in Chinese equipment. IMO it is more likely you don't
| work with critical infrastructure than the problem being
| Chinese equipment.
| ReptileMan wrote:
| Supermicro IPMI comes to mind. If it was compromised we
| would have known by now.
| iamtedd wrote:
| Not only is Supermicro headquartered in USA, but it's
| operations are in Taiwan, which they would very much like
| you to acknowledge is not the same as mainland China.
| riffic wrote:
| *its
| cluckindan wrote:
| Memory sure is short around here.
|
| https://www.bloomberg.com/features/2021-supermicro/
| FirmwareBurner wrote:
| _> I've yet to see a secure piece of software come out of
| China in my 30+ years of coding._
|
| SW coming out of Korea's domestic industry giants isn't any
| better. Because they used to treat SW like a cost center or
| another item on the BoM.
|
| IIRC, the only way to do online banking in Korea years ago,
| was you needed Internet explorer and some active-X plugin
| that supported encryption.
|
| Some Korean giants do have good SW, but a lot of it is
| developed internationally by offices outside of Korea.
| jeroenhd wrote:
| When a security analysis was done of Chinese parts of the
| Dutch mobile network, that was pretty much the conclusion:
| Chinese vendors deliver software and components full of
| vulnerabilities, but none of them seem to be intentional.
|
| Since then there has been a movement to reduce Chinese
| vendors in general out of security concerns, as well as to
| improve the security posture of the mobile networks by
| doing things like "encrypting connections" and "switching
| away from telnet".
|
| On the other hand, the Chinese managed to break into the US
| wiretapping system, so it's not like other networks aren't
| vulnerable either.
| vardump wrote:
| > Chinese vendors deliver software and components full of
| vulnerabilities, but none of them seem to be intentional.
|
| Plausible deniability.
| GTP wrote:
| If we're talking about cheap products, then it's more
| likely due to cost savings rather than malice. But yeah,
| no one can give you definitive proof of this.
| monster_truck wrote:
| Brother you cannot be serious with this racist take
| bbarnett wrote:
| Saying that a culture is poor at security dev, such as
| Chinese business culture, is not even remotely racist.
|
| There are many ethnicities in China, people of all
| genetic backgrounds. It is the culture that is the
| problem, not the race.
|
| For example, there are many ethnically Chinese people who
| grew up in the West, working in businesses, in countries
| where there is a culture of security.
|
| Now, you could label it 'culturalist', and maybe it is,
| but there are definitely inferior and superior cultures.
| Especially, there are parts of cultures which are quite
| comparable this way.
| gruez wrote:
| >>Brother you cannot be serious with this racist take
|
| >There are many ethnicities in China, people of all
| genetic backgrounds. It is the culture that is the
| problem, not the race.
|
| This just seems like nitpicking to me. Colloquially most
| people would classify discrimination based on country of
| origin, or "culture" (whatever that means) as racism,
| even if it doesn't meet the technical definition. For
| instance Trump's travel bans have been called by many as
| "racist", even though it covers a bunch of countries, and
| even though the countries are majority muslim, it also
| excludes major muslim countries like Pakistan and
| Indonesia.
| exe34 wrote:
| Just because most people are wrong doesn't mean we should
| encourage the dilution of words.
| gruez wrote:
| I might be sympathetic to this argument if the severity
| actually differed, eg. people calling mean tweets
| "violence" or something, but that's not what's happening
| there. I don't see any meaningful difference between
| "I'm discriminating against you because you're Chinese"
| (culture/nationality) and "I'm discriminating you're Han
| Chinese" (ethnicity). I doubt the average racist actually
| knows the distinction between the two anyways, and I
| doubt people are going to be like "oh you're
| discriminating based on culture instead of ethnicity? I
| guess that's fine then!".
| exe34 wrote:
| > I don't see any meaningful difference between "I'm
| discriminating against you because you're Chinese"
| (culture/nationality) and "I'm discriminating you're Han
| Chinese" (ethnicity).
|
| It's interesting you would write this as if nobody's
| pointed out actual cultural differences yet.
| Dylan16807 wrote:
| > This just seems like nitpicking to me. Colloquially
| most people would classify discrimination based on
| country of origin, or "culture" (whatever that means) as
| racism, even if it doesn't meet the technical definition.
|
| Nobody is going to believe you're talking about real
| things if you let people call your argument "racism" so
| it's not nitpicking if you can explain why it's not. Also
| the word "discrimination" is itself a loaded term.
|
| And yes areas having cultures is real. Sometimes it's
| tied to country, sometimes it's not.
|
| > Trump's travel bans have been called by many as
| "racist", even though it covers a bunch of countries,
|
| I'm confused? Covering a whole bunch of countries sharing
| a demographic is much more likely to be a racist move
| than picking one or two.
|
| > and even though the countries are majority muslim, it
| also excludes major muslim countries like Pakistan and
| Indonesia.
|
| That's a good argument against saying "muslim ban" but
| I'm pretty sure a focus on the middle east makes it
| _more_ about race.
| AJ007 wrote:
| There's also another point that security is really
| fucking expensive. Apple and Google spend billions a year
| on security, yet their phones are broken into once they
| are a couple of years old. Big American software
| companies have large margins and large budgets. Those
| Chinese companies are running on fumes (and credit.)
|
| Security and encryption is taken as a given by Western
| regulators given how many times they pass laws to break
| encryption. If you look at targeted 0-days, the
| conclusion would be more along the lines of the very best
| hardware+software is barely secure.
| greenchair wrote:
| is it racist to wonder why I rarely see a chinese
| restaurant with inspection score above 80? culture
| differences are a real thing (if you don't have your head
| buried in the sand that is).
| dragonelite wrote:
| Better to swallow the poison that doesn't kill you(for now)
| than to swallow the one that is intended to kill you.
| throw123xz wrote:
| It's a mistake to assume that a very capable country can't
| get into a network that uses Chinese equipment/software.
| Dah00n wrote:
| It's also a mistake to assume that a very capable country
| can't get into a network that uses US equipment/software...
| especially Cisco equipment with all the "forgotten"
| hardcoded logins. Iran is better off with Chinese equipment
| than American or Korean.
| kragen wrote:
| Nobody knows enough to say whether Iran is better off
| with Chinese equipment, because most of the intentional
| backdoors on every side of this struggle remain
| undiscovered by the other sides.
| dse1982 wrote:
| Well, China is more on the side of Iran than the US or US
| allies. So there is that.
| kragen wrote:
| Yes, but that doesn't imply they want Iran's
| telecommunications network to be a black box to the PLA.
| mensetmanusman wrote:
| Not if you know math...
| mike_d wrote:
| > I suspect a strong link between mass surveillance [...] and
| the very recent targeting of the senior Iranian nuclear
| scientist and military officers at their homes in Iran.
|
| We all like to imagine this super cool clandestine hacking
| operation using peoples mobile phones to secretly track people
| who visit nuclear facilities back to their homes.
|
| The much more logical explanation is someone approached a low
| level employee at the MEAF who turned over a USB stick with the
| governments org charts and payroll records in exchange for
| their kids getting a full ride to a prestigious foreign
| university.
| boramalper wrote:
| Israel, like any other state, must be using a variety of
| methods including good old "human intelligence" so it's not
| either-or.
|
| In addition, saying that
|
| > someone approached a low level employee at the MEAF who
| turned over a USB stick with the governments org charts and
| payroll records in exchange for their kids getting a full
| ride to a prestigious foreign university
|
| is an oversimplification on multiple levels:
|
| 1. Low-level employees typically don't have access to
| sensitive information.
|
| 2. With human intelligence, there is always a risk that the
| person you (e.g. Israel) are in touch with (e.g. an Iranian
| officer) who pretends to be a "double agent" (e.g. leaking
| info to Israel), is in fact a "triple agent" (e.g. actually
| working for Iran to mislead Israel).
|
| 3. You can send your kids to foreign universities but not
| your siblings, your parents, your wife's family, and so on...
| Some of your beloved ones are almost certain to suffer the
| consequences of your actions. High treason is no joke.
| SirHumphrey wrote:
| > 1. Low-level employees typically don't have access to
| sensitive information.
|
| You would think, but when I was interning (well, it was a
| paid internship) for a company, I was fixing an excel
| spreadsheet with payroll information for an entire
| department of a few hundred people. Not the best piece of
| "opsec", but when you are in a hurry (pay was due in a
| couple of days) and most people are on vacations "hey the
| junior kid can probably fix it, he seems fine" is a way too
| common approach. And it is fine - sometimes for a long
| time. Until it isn't.
| aswanson wrote:
| Yeah I recall being a new hire at a defense contractor,
| getting a login, and accidentally opening an excel sheet
| with a ton of management user names and logins. People
| are sloppy.
| michaelt wrote:
| _> The much more logical explanation is someone approached a
| low level employee at the MEAF who turned over a USB stick
| with the governments org charts and payroll records in
| exchange for their kids getting a full ride to a prestigious
| foreign university._
|
| If there are spies in foreign countries going around offering
| life-changing sums of money for USB sticks, which people are
| accepting
|
| is it not also plausible that folks at
| google/samsung/apple/aws/cloudflare/microsoft are getting
| offered life-changing sums of money for leaving their work-
| from-home laptop unattended for 5 minutes?
| heavyset_go wrote:
| Yes, this happens. Industrial espionage is popular.
|
| From what I've seen with bribes, it doesn't even take life-
| changing amounts of money.
| bawolff wrote:
| I imagine in a country like Iran where there is a sizable
| minority that hates the regime, someone might have done
| it for free.
| AnthonyMouse wrote:
| This is the thing that has always concerned me about
| Cloudflare. The structure of their operation is "we do a
| MITM on most of the encryption on the internet". Even if
| that doesn't make you immediately suspicious that it was
| set up as a spying operation on purpose (compare
| "encryption added/removed here" Snowden slide), it makes
| them a _massive_ state espionage target. Do they really
| have the ability to resist that level of persistent
| targeting from every country in the world?
| htowi3j4324234 wrote:
| If a state actor is after you, cookie and GAIA-id tracking
| should be the least of your concerns.
| chaosbolt wrote:
| I suspect Israel has backdoor access to most CPUs.
|
| Here is how Pegasus seems: - China has 1.5 billion people, lots
| of resources, would profit a lot economically if they found a
| way to hack iOS, etc. But yet couldn't hack it. - Israel with
| its 7 million people, not only hacks iOS multiple times, but
| does it to spy on its allies.
|
| Now I've seen the threads analysing Pegasus' complexity, I
| don't know if it's been reproduced, and if it has then I guess
| it logically proves me wrong (the tinfoil hatter in me still
| thinks its right though).
|
| Here is why:
|
| Israel has a lot of silicon fabs or R&D centers, now it makes
| ZERO sense for the US to have fabs or R&D centers in Israel,
| since that country is (allegedly) always at the risk of being
| bombed for no reason at all (yeah right).
|
| Intel has had fabs in Israel since the 80s, why not in Japan or
| France or the UK (France and the UK are close allies to the US
| and have no earthquakes or risk of being bombed), why not even
| Canada?
|
| And I compared the dates of when intel started putting the
| Intel Management Engine in all of their CPU and the date of
| which they built their biggest fab in Israel, then I went down
| the rabbit hole of when AMD started using PSP (similar tech to
| Intel ME), and it coinciding with it buying a large pentesting
| startup in Israel, then starting to build its R&D centers
| there, Apple and Qualcomm have similar stories.
|
| Obviously this is all tinfoil, and while the dates coincide
| it's obviously not enough.
|
| But to each their own, and I choose to treat my tech as if it
| was all backdoored already, because for me the evidence
| (while not enough to be sure) is enough for how much I value my
| privacy.
| saagarjha wrote:
| > China has 1.5 billion people, lots of resources, would
| profit a lot economically if they found a way to hack iOS,
| etc. But yet couldn't hack it.
|
| What makes you think China can't hack iOS?
| Hizonner wrote:
| > Here is how Pegasus seems: - China has 1.5 billion people,
| lots of resources, would profit a lot economically if they
| found a way to hack iOS, etc. But yet couldn't hack it.
|
| That you know of. Maybe they just don't indiscriminately sell
| the results to anybody who shows they have money. Or maybe
| they have different strategies for spying.
|
| > - Israel with its 7 million people, not only hacks iOS
| multiple times,
|
| NSO and friends find zero-days or buy them on the open market
| (not just from Israel). Citizen Lab has identified specific
| vulnerabilities used to install Pegasus. The exploits don't
| require or use CPU back doors.
|
| ... and you think Israel's smaller population somehow
| translates into better infiltrators than China has, but not
| better hackers than China has? Israel also makes better halva
| than China, by the way.
|
| That kind of "logic" is what turns you into a loony raving on
| a street corner somewhere.
|
| > but does it to spy on its allies.
|
| Everybody spies on their allies, at least opportunistically.
| But Pegasus is a commercial product, sold to basically every
| government and mostly used to spy on normal people, not other
| governments. The people writing it have ties to Israeli
| spies, and I'm sure it's been used by Israeli spies, but it's
| general-purpose.
|
| > Israel has a lot of silicon fabs
|
| As far as I can tell, Israel has _one_ facility capable of
| making remotely serious CPUs. It's owned by Intel. There are
| no phones using Intel processors.
|
| The processors in iPhones are "Designed by Apple in
| Cupertino" and fabbed by TSMC in Taiwan. The processors in
| basically all other phones are ARM, and most of them also
| come from TSMC. Pegasus does not run on Intel processors,
| ever.
|
| > And I compared the dates of when intel started putting the
| Intel Management Engine in all of their CPU and the date of
| which they built their biggest fab in Israel
|
| So the fab somehow reached out into the rest of Intel and
| retroactively caused it to develop a heavily advertised
| feature?
| 1oooqooq wrote:
| pegasus Occam's razor:
|
| - the smaller country hacked ios, have to sell it to recoup
| r&d costs, got caught many times.
|
| - the larger country hacked ios, don't need to sell it
| around, haven't been caught.
| PartiallyTyped wrote:
| Europol now argues that privacy is not a right and that we need
| to "think of the children". EU is now pushing some abhorrent
| policies and legislation to demand backdoors.
|
| We, the people, need to demand and force our politicians to
| work for us.
| kragen wrote:
| The truth is far outside the Overton window.
|
| Yes, privacy is a question of civil defense in the drone age.
| But the existing crop of states will never acknowledge that;
| their structure and institutions presume precisely the kind of
| mass databases of PII that create this vulnerability, as well
| as institutional transparency for public accountability. This
| makes them structurally vulnerable to insurgencies that
| expropriate those databases for targeting. The existing states
| will continue to clutch at their fantasies of adequately
| secured taxpayer databases until their territorial control
| (itself an anachronism in the drone age; boots on the ground
| can no longer provide security against things like Operation
| Spiderweb) has been reduced to a few fortified clandestine
| facilities.
|
| Things are going to be very unpredictable and, I suspect,
| extremely violent.
| drewbug wrote:
| I used to feel this way until I learned about counter-UAS
| tech.
| kragen wrote:
| That's wishful thinking. Flying drones aren't the only
| threat, or the main threat, and there isn't such a thing as
| "counter-UAS tech", only counter-yesterday's-UAS tech.
| Radio jamming was "counter-UAS tech" until the mass
| production of fiber-optic-controlled FPV drones started
| five months ago, for example. You can still find vendors
| marketing it as such.
|
| 30 milligrams of high explosive is enough to open your
| daughter's skull, or, more relevantly, your commanding
| officer's daughter's skull, and there are a thousand ways
| to deliver it to her if she can be tracked: in pager
| batteries, crawling, swimming, floating, waiting for
| ambush, hitchhiking on migratory birds, hitchhiking on car
| undercarriages, in her Amazon Prime deliveries, falling
| from a hydrogen balloon in the mesosphere, and so on. And
| if 30mg is too much, 2mg of ricin on a mechanical
| ovipositor will do just as well.
|
| All of this is technically possible today without any new
| discoveries. At this point it's a straightforward systems
| development exercise. And you can be sure that there are
| bad people working for multiple different countries' spy
| agencies who know this; they don't need me to tell them.
| bostik wrote:
| > _30 milligrams of high explosive is enough to open your
| daughter's skull, or, more relevantly, your commanding
| officer's daughter's skull, and there are a thousand ways
| to deliver it_
|
| While we are talking about flying drones, we are not far
| off from Slaughterbots becoming reality.[0] Why bother
| with surgical assassinations if you can blanket entire
| regions with swarms of autonomous seek-and-destroy
| explosives?
|
| After all, as last two years have so amply demonstrated:
| people are fine with genocide.
|
| 0: https://www.youtube.com/watch?v=O-2tpwW0kmU
| gruez wrote:
| >After all, as last two years have so amply demonstrated:
| people are fine with genocide.
|
| Last two years? Try last few decades at the very least.
| People only care about the war in Gaza more because it's
| controversial. For non-controversial cases people just
| agree it's bad but shrug their shoulders.
|
| https://en.wikipedia.org/wiki/Bosnian_genocide
|
| https://en.wikipedia.org/wiki/Rwandan_genocide
|
| https://en.wikipedia.org/wiki/Darfur_genocide
| jonah wrote:
| What's ridiculous is that it's even seen as controversial
| by some.
| tomalbrc wrote:
| It is wild how some people will live in their bubble and
| not see the controversies
| kragen wrote:
| Slaughterbots is just the beginning; it's definitely too
| late to prevent that scenario now.
|
| Why bother? For the same reason to bother with surgical
| assassinations if you can blanket entire regions with
| nuclear fireballs. Radioactive wastelands are
| unprofitable! This is a general problem with genocide: it
| only gets you land, and since the Green Revolution land
| is abundant. Protection rackets, on the other hand, are
| highly profitable, but only with some exclusivity; if
| extortionists multiply, the unique Nash equilibrium is
| multiple gangs that collectively demand many times the
| victims' total revenues, resulting in ecological
| collapse.
|
| More generally, the threat of violence is only effective
| as a form of coercion when you can credibly _withdraw_
| the violence as a reward for compliance. Violence
| provides no incentive to comply to someone who believes
| they are just as likely to be a victim whether they
| comply or not.
|
| But swarms of autonomous seek-and-destroy explosives are
| plausibly the most effective way to provide that
| surgical-assassination threat, perhaps combined with
| poisons, solid penetrators, and/or incendiaries. The
| Minority Report spiders (not yet technically feasible) or
| a quadcopter can be enormously more selective than a
| GBU-57, a Hellfire missile, or even a hand grenade, and
| can choose to avert their attack at the last millisecond
| upon the presentation of properly signed do-not-
| assassinate orders, even if long-distance communication
| is jammed.
| godelski wrote:
| What's important to remember is that we get to
| Slaughterbots with "best intentions." Trying to feel
| safer. Trying to kill our enemies. Trying to protect our
| friends, families, children. Little by little is how it
| happens. The road to hell is paved, after all.
| autoexec wrote:
| It's sad that it was only months after that video was
| released that autonomous drones were being used to kill
| people in war. That video was meant as a warning but it
| was totally ignored.
| fpoling wrote:
| This has been going on in Russia on massive scale. For bribes
| officials sell anything including highly sensitive
| databases. Those were used to uncover various Kremlin-run
| assassins targeting the opposition. Then Ukrainian special
| services used those to target high-ranking Russian military
| officers. Russia tried to crack down on that but it just
| increased the database price tag.
| kragen wrote:
| Do you have sources for that? No problem if they're not in
| English.
| ponector wrote:
| Here is an example of such investigation into russian
| general: https://youtu.be/alUPgLLIxeM?si=0x1QtJrJf2yfPCZi
|
| Or investigation into some russian topics:
| https://theins.ru/en/inv
| mattigames wrote:
| If Putin didn't want bribery to go rampant he would set the
| example, and force other top leaders to do the same, but
| instead he flaunts his properties, yachts, women that he
| enjoys; but it's probably a price too high for him to pay.
| I bet Xi Jinping enjoys similar privileges but in a much more
| private manner.
| lm28469 wrote:
| If you're a valuable enough target, like these Iranians
| generals/scientists they just need to find you once and then
| they can continuously track your movements via satellite. They
| don't need much precision, just which building to level
| mousethatroared wrote:
| "Just which building to level"
|
| What's "just" a war crime amongst friends?
| Henchman21 wrote:
| When there is no one willing to prosecute it, is it still a
| crime?
| consp wrote:
| Yes, though one without consequences. Until the next guy
| comes along and actually enforces it.
| bawolff wrote:
| Nothing stopping Iran from joining the ICC. Except that
| the investigations would go both ways.
| bawolff wrote:
| Some of the footage coming out of Iran of the aftermath of
| these assassinations have shown specific rooms in buildings
| targeted, leaving the rest of the building intact. For a
| high value military target like chief of the armed forces,
| it seems unlikely that would be a warcrime as the civilian
| casualties would be low compared to the military advantage
| of the target.
|
| [The nuclear scientists on the other hand are much more
| questionable because it's pretty unclear if they are legal
| targets at all]
| beeflet wrote:
| this is a totally illogical way of understanding warfare in
| terms of absolutes. Not every target is worth leveling a
| building over. It isn't that black and white
| crawsome wrote:
| Someone needs to go into congress and demonstrate to them,
| live, how easy it is to lift their phone numbers and call them
| all at once.
| larrled wrote:
| "hopefully politicians will soon"
|
| The gop is controlled by donors who are mostly free market
| liberals. Elon won't let anyone "censor" (regulate) x. The
| democrats don't care about national security historically, and
| it's not currently an issue their cosmopolitan TikTok loving
| base cares anything, at all, about. "Security" is something
| that most democrats I talk to now associate with deportation or
| military spending, both of which they ferociously hate. Across
| parties, policy and discourse are reactive. Security requires a
| proactive orientation that it seems the public sector may
| structurally lack.
| the-anarchist wrote:
| As this post is trending quicker and more than I would have
| expected it to, I would like to add to this story:
|
| It appears to be a similar case across the MENA region. While the
| SMEX post primarily focuses on WANA, it is possible to find other
| reports (e.g. [1]) from the MENA region that describe similar
| practices by Samsung. There, however, the stories talk about
| "Aura", rather than "AppCloud".
|
| [1] https://www.moroccoworldnews.com/2025/06/212144/samsung-
| embe...
| eddythompson80 wrote:
| What is the difference between WANA and MENA. Sounds like the
| same territory
| the-anarchist wrote:
| Yes, but, no. It's one of these things where multiple terms
| mean the same thing but then again come from different
| times/areas and, upon closer inspection, mean different
| things. But they're the same. But not really. [1]
|
| A.k.a. I tried to be politically correct and cite the term
| used by the respective reporting. The main point I was trying
| to bring across was that apparently there are two apps
| involved, not only a single one.
|
| [1]
| https://en.wikipedia.org/wiki/Middle_East_and_North_Africa
| eddythompson80 wrote:
| Ah, I see. Trying to find a way to include Pakistan,
| Afghanistan, Somalia, i.e. non-Arab or Persian Muslim states
| in the vicinity.
| averysmallbird wrote:
| Same same. SMEX is based in Lebanon -- (S)WANA is an obnoxious
| term that's going around for MENA.
| Mistletoe wrote:
| We don't know what any of these acronyms mean!
| hmcq6 wrote:
| MENA - Middle East & North Africa
|
| WANA - West Asia & North Africa
|
| SMEX - "a non-profit that advocates for and advances human
| rights in digital spaces across West Asia and North
| Africa." (from their website)
| more-nitor wrote:
| "non-profit" doesn't mean "these guys are morally right
| and only convey truths"
|
| it just means that they don't pay taxes
| bapak wrote:
| "Arab countries"
| ehnto wrote:
| Was installed on my device bought in Australia as well.
| nacos wrote:
| I used to manage an enterprise fleet of mobile devices.
|
| This AppCloud crap has also been pushed to devices in the
| Europe Open Market.
|
| I also know that this shouldn't have been installed on
| enterprise devices (either Android Enterprise managed by MDM or
| E-FOTA managed - don't remember exactly). We had an awkward
| conversation with some Samsung representatives.
| userbinator wrote:
| _making it nearly impossible for regular users to uninstall it
| without root access, which voids warranties and poses security
| risks_
|
| Stop parroting the corporate propaganda that put us into this
| stupid situation in the first place. Having root access on
| devices you own should be a fundamental right, as otherwise it's
| not ownership.
| perching_aix wrote:
| Didn't we backslide hard enough at this point that it is now
| architecturally ensured that there is a security downside to
| rooting? Prevents verified boot for example, since the
| attestation is tied to said corporations, and not you.
| fc417fc802 wrote:
| AFAIK that's true for many vendors but for example Pixels
| (and IIRC also OnePlus at least a few years ago) you can
| relock the bootloader with other keys.
|
| The crazy thing is that on all the devices I've had AVB is
| implemented _on top of_ secureboot. Being able to set your
| own secureboot keys is bog standard on corporate laptops. The
| entire situation makes absolutely no sense.
|
| Also for the record I think it's a silly attack vector for
| the average person to worry about. A normal person does not
| have secret agents attempting to flash malicious images to
| his phone while he's in the shower.
| perching_aix wrote:
| > AFAIK that's true for many vendors but for example [on]
| Pixels you can relock the bootloader with other keys
|
| Oh that's pretty cool, wasn't aware.
|
| > The crazy thing is that on all the devices I've had AVB
| is implemented on top of secureboot. Being able to set your
| own secureboot keys is bog standard on corporate laptops.
| The entire situation makes absolutely no sense.
|
| Hold on, could you elaborate a bit on this? I thought it
| was an either/or type deal cause they do the same thing.
| fc417fc802 wrote:
| Many devices if you load up fastboot mode (is that the
| right name?) it will give you chipset and other
| information and it will have secureboot info there. It's
| permanently locked to chain into the AVB image. AVB is a
| much more complicated beast that specifies the existence
| of multiple partitions including (IIRC) one for storing
| authorized keys, one for the recovery, and a bunch of
| other stuff.
|
| It's possible this has changed or was never widespread in
| the first place. I have a very limited (and historic)
| sample size.
| acdha wrote:
| > A normal person does not have secret agents attempting to
| flash malicious images to his phone while he's in the
| shower.
|
| No, but millions of women have controlling partners or
| friends who betray their trust and, for example, many
| people going through U.S. Customs are being asked to
| surrender control of their devices so they can be used
| without their knowledge. There's a well-funded malware
| industry with a lot of customers now.
| franga2000 wrote:
| Not having verified boot is not a security downside for most
| people. Unless your threat model includes the evil maid
| attack, which it doesn't for the vaaaaaast majority of
| people, verified boot is just another DRM anti-feature.
| ignoramous wrote:
| _Verified Boot_ isn't merely to thwart Evil Maids, but by
| and large provide what's known as "Trusted Computing Base".
| And yes, given the proliferation of smartphones and the
| nature of sensitive applications built on top, _most_
| people, even if they don't realise it, _need_ it.
| userbinator wrote:
| _but by and large provide what's known as "Trusted
| Computing Base"._
|
| In other words, DRM.
|
| https://en.wikipedia.org/wiki/Trusted_Computing#Criticism
|
| (I knew from the beginning that this was known as the
| Palladium project, and until recently, a search for
| "Palladium TCG" would find plenty of information about
| that history, yet now references to that group and its
| origins in DRM have seemingly disappeared from Google.
| Make of that what you will...)
| cam_l wrote:
| Are you saying that someone is using Yu-Gi-Oh! trading
| cards to cover up incriminating historical details of
| Microsoft's long term plan to purge general purpose
| computing from the world?
|
| https://www.tcgplayer.com/product/593140/yugioh-quarter-
| cent...
|
| Bizarre, I did find it on bing though..
|
| https://www.cl.cam.ac.uk/archive/rja14/tcpa-faq-1.0.html
| perching_aix wrote:
| This should not be a surprise. Mechanistically enforced
| trust (like in trusted computing), and even better,
| mechanistically assured trust (like in verifiable
| computing), will be relied upon by anyone seeking trust.
| This means both consumers and producers, and anyone else
| in-between.
|
| If I want my device to be secure, I want this trust. If I
| want to sell a copy of my virtual asset to only be used
| in ways I approve of, I want this trust. You can't have
| only one of these at the same time, either your device
| can provide this trust or it cannot. That's not the
| battle in my view. The battle is to implement this
| appropriately, such that e.g. if we're representing
| access control, identity, and ownership, then that
| representation should match reality. So if I'm said to
| own a device, the device can and will attest so, and
| behave accordingly. It's just that instead of that, I'm
| always somehow just being loaned these things, only have
| some specified amount of control over these things, and
| am just a temporary user somehow. That's the issue. And
| that these systems are not reimplementable, and as such
| entitlements do not carry around.
| torginus wrote:
| I don't follow the reasoning behind this - even in a verified
| boot scenario you can just choose to not load the offending
| kernel module without compromising security.
| charcircuit wrote:
| Root access is an outdated security concept from the previous
| century. Trying to mandate such a concept is parroting UNIX
| propaganda. Users can be given control of devices without them
| having a "root" account.
| mrusme wrote:
| How?
| burnt-resistor wrote:
| By having a "maintenance mode" that can be entered and
| left.
| peterbraden wrote:
| Maintenance mode == root
| burnt-resistor wrote:
| You're projecting your meaning of it, not mine. Not if it
| can't be undone in a way other than reinstalling
| everything. A mode that allows changing things with a
| temporary reduction of security system-wide and restoring
| them later, but putting all of the upgrade and support
| liability on the user without sacrificing functionality.
| Think VMware ESXi. If tech support wants to not support
| it, that's fine, but payments and such should still work.
| charcircuit wrote:
| By following the principle of least privilege. Like with
| apps the user should only have privileges for what they are
| allowed to control and nothing more. So if the user should
| have privilege to disable apps, then the settings app could
| expose a way for the user to do so.
|
| Yes, this kind of approach, coming up with a security
| design instead of going with the easy route of everything
| being allowed, is harder to do and takes more time, but it
| leads to better security.
| tsegers wrote:
| I believe that the top-level comment you replied to is
| making the point that there should not be any authority
| that either allows or disallows what a user can do with
| the device they own. Purchasing a device should make one
| that authority, free to decide how much security to trade
| for how much privilege.
| charcircuit wrote:
| But really it's all about framing. For example on desktop
| computers it's not possible for people to create new
| instructions for their CPU to handle. At some layer there
| will be an API that the user needs to use to interact with
| the device. As time goes on I think it's natural for the
| layer through which users are expected to interact with
| their device to become higher level. I believe the top
| level comment is framing this issue such that current
| phones don't have an API that matched how it worked for
| UNIX computers and that is a bad thing. The commenter is
| too focused on how things worked in the past and doesn't
| want to allow for things to change.
| arendtio wrote:
| Okay, and how am I going to give the user the right to
| wipe all software from the device and use a completely
| custom software?
|
| I mean, we all agree that such permissions are not
| required during everyday operations, but there should be
| a way for the consumer to have control over the software
| being used. And I mean all aspects of the software:
| firmware should be updatable, the OS should be
| replaceable, and the security concepts within the OS
| should be customizable by the user as well. I have no
| problem with hiding such functionality and requiring
| users to read the documentation to find out how it can be
| done, but it should still be possible.
| charcircuit wrote:
| Sure, but such a product requirement can be made to be
| legally required without legally requiring root access.
| WarOnPrivacy wrote:
| > Users can be given control of devices without them having a
| "root" account.
|
| _Can be given control_ [by handset manufacturers] is an
| unfulfilled potential. And it will always be unfulfilled -
| because otherwise, users could protect themselves from
| manufacturers'/providers' foistware.
|
| Given their reality, users root.
| realusername wrote:
| Well maybe in theory but in practice they don't. How do I
| restrict or inspect what the Play Store is doing on my device
| at the moment without root?
| Zak wrote:
| I agree. I would love to have an "advanced permissions
| manager" that lets me specify that AccA can write to the /sys
| devices for the charge controller and AdAway can write to
| /etc/hosts, but not the reverse.
|
| That doesn't give _me_ any less power than root, but does
| give those apps less power and limits the potential impact if
| one gets compromised. I think when most people say the device
| owner should be able to get root, they mean that the owner,
| rather than the manufacturer or OS vendor should have the
| final say in all cases, not that it has to literally work
| just like root on Unix.
| jrflowers wrote:
| This is a good point. While there is nothing factually
| incorrect in the statement "rooting your phone can void your
| warranty and pose a security risk", if you imagine factual
| statements are the same thing as value judgments it becomes
| very problematic.
|
| Similarly it is pretty messed up when people say stuff like
| "fire can burn you if you aren't careful" because so many
| people rely on fire for food and warmth.
| fc417fc802 wrote:
| Having your vehicle serviced by someone other than the dealer
| could void your warranty and poses a safety risk.
|
| Cooking animal products at home poses a health risk. You
| should be sure to only ever consume animal products prepared
| by a duly licensed establishment.
|
| The chauffeur's union would like to take this opportunity to
| remind you that amateurs operating their own motor vehicles
| risk serious injury and even death.
|
| The FSD alliance would like to point out that hiring a
| licensed chauffeur also poses a non-negligible risk. Should
| you choose to make use of a personal vehicle it is strongly
| recommended that you select one certified by the FSD
| alliance. Failure to do so could potentially impact your
| health insurance premium.
| jrflowers wrote:
| You make an interesting point here. While "rooting your
| phone can void your warranty and pose a security risk" may
| be a factually true statement, we must also consider some
| entirely unrelated and possibly untrue statements that
| could be theoretically uttered in another reality.
|
| We can get so bogged down with "things that are real" and
| "exist in this universe" that we completely fail to focus
| on the vital stuff like "Bigfoot is circumcised" and "Who
| did it?" and "Why?"
| fc417fc802 wrote:
| On the contrary. My statements bear equivalent accuracy
| to yours in our current reality. My statements are also
| very obviously FUD. So is yours.
|
| Or do you dispute that you could be hospitalized for
| salmonella if you botch cooking poultry at home? Or
| perhaps you feel that there is no straightforward way to
| inadvertently endanger your life by servicing your
| vehicle incorrectly?
| jrflowers wrote:
| Interesting. While there is no such thing as a chauffeurs
| union or an FSD alliance, if we say that they exist maybe
| they do. Similarly, if you say something is "FUD" then
| maybe it becomes that.
|
| I genuinely do not understand the last two sentences. Are
| you pro- or anti- "telling people that salmonella exists"?
| Is saying "salmonella exists and can be a problem" FUD
| or what? Do you think salmonella isn't real?
| fc417fc802 wrote:
| Yes, the final two were tongue in cheek but follow the
| same pattern and thus serve to illustrate the point being
| made. You don't seem to be engaging in good faith.
|
| > Is saying "salmonella exists and can be a problem" FUD
| or what?
|
| Obviously that depends on context. If a bunch of
| restaurants form a PAC and start lobbying with that
| message to restrict the sale of animal products at the
| grocery store then it is. If the FDA mentions it on a
| page about basic food handling safety then it probably
| isn't (depending on the surrounding text ofc).
|
| Rooting your device is a security risk the same way that
| servicing your own car is a safety risk. When I hear
| "security risk" or "safety risk" I'm expecting something
| that's inherently dangerous like wingsuit jumping or cave
| diving. I'm not expecting something that should only ever
| fail if I don't exercise due diligence. This difference
| in perceived meaning is being exploited by those
| spreading the message similar to when Coca-Cola got sued
| for a label that implied pomegranate juice when the
| bottle contained only 0.3 percent.
|
| When device vendors lock end users out of their own
| devices and then aggressively spread such a message to
| justify doing so it qualifies as FUD or propaganda. A
| vested interest has disenfranchised people as part of a
| long term strategy to enrich themselves and is attempting
| to manipulate the public narrative regarding their
| actions.
| theluketaylor wrote:
| > Having your vehicle serviced by someone other than the
| dealer could void your warranty and poses a safety risk
|
| Good tongue in cheek post, but in the US Magnuson-Moss
| prohibits warranty claim denials merely on the basis of
| non-OEM parts and service. It also puts the burden on the
| manufacturer to demonstrate the defect or failure was the
| direct result of the non-OEM part. Other jurisdictions have
| similar laws on the books.
|
| Right to repair already exists in certain aspects and needs
| to be expanded (and enforced. Tons of those 'will void
| warranty' stickers are lies and you have legal rights to
| poke around)
| franga2000 wrote:
| In fact there is a lot factually incorrect.
|
| For starters, in most places, warranty is a legal requirement
| and the manufacturer isn't allowed to void it for whatever
| reason they want. If my phone's battery starts getting really
| hot in normal use, or I start getting dead pixels on my
| screen or whatever else, the fact I have a custom OS on my
| phone isn't relevant to the warranty claim any more than
| having it in a case or putting some stickers on it. Yes,
| it'll make claiming it more difficult, but that doesn't mean
| it's void, just that you'll have to fight through a few more
| tiers of support agents to get it fixed.
|
| More importantly, rooting is only a security risk in the
| sense that it increases the attack surface for exploits. The
| same can be said for any other system-level software. Like if
| you buy an Nvidia graphics card in your computer and that
| loads its kernel driver, malware now has one more place to
| exploit. Are Nvidia graphics cards a security risk?
|
| We've come an incredibly long way from just dropping /xbin/su
| and calling it a day. Modern (as in the last 10 years) root
| solutions have caller checks based on a user-defined
| whitelist and really modern implementations use kernel-level
| checks to make sure the app wanting root access is allowed to
| get it. The only way this can be dangerous is if one of those
| apps or the root solution itself has a code execution
| exploit. But again, the same can be said for the plethora of
| system-level bloatware vendors install these days.
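The two ideas raised in this thread, Zak's "advanced permissions manager" that lets one app write the charge-controller node and another write /etc/hosts but never the reverse, and franga2000's point that modern root managers check the caller against a user-defined whitelist, can be sketched as a small default-deny policy broker. This is an added example, not code from either commenter or from any real root manager; the package names, UIDs and the `/sys/class/power_supply/*/charging_enabled` node are constructed placeholders.

```python
# Toy scoped-root policy broker (added example, not from the thread or any
# real root manager). Package names, UIDs and the charge-controller sysfs
# path below are constructed placeholders.
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """What the broker sees on a request: the kernel-reported UID plus the
    package name the app claims. The UID is what a caller check keys on,
    because a package name can simply be asserted by the requester."""
    uid: int
    package: str


@dataclass(frozen=True)
class Grant:
    """One allowlist entry: an app pinned to its UID and the paths it may write."""
    package: str
    uid: int
    writable: tuple


def _segment_match(pattern: str, path: str) -> bool:
    """Compare '/'-separated segments; '*' stands for exactly one segment, so
    a pattern like /sys/class/power_supply/*/charging_enabled cannot match a
    path with extra directory levels the way a naive glob '*' would."""
    pat, seg = pattern.split("/"), path.split("/")
    return len(pat) == len(seg) and all(p == "*" or p == s for p, s in zip(pat, seg))


class RootPolicy:
    def __init__(self, grants):
        self._by_package = {g.package: g for g in grants}

    def check_write(self, caller: Caller, path: str):
        """Return (allowed, reason). Deny by default; allow only when the
        package is allowlisted, its UID matches, and the canonical path is
        inside that app's granted scope."""
        grant = self._by_package.get(caller.package)
        if grant is None:
            return False, "package not on the user's allowlist"
        if grant.uid != caller.uid:
            return False, "caller uid does not match the allowlisted package"
        if not path.startswith("/"):
            return False, "path must be absolute"
        # Collapse '..' so /etc/../etc/hosts is judged as /etc/hosts and a
        # traversal out of /sys cannot smuggle a write to /etc/hosts.
        canonical = posixpath.normpath(path)
        for pattern in grant.writable:
            if _segment_match(pattern, canonical):
                return True, f"{canonical} matches {pattern}"
        return False, f"{canonical} is outside {caller.package}'s granted scope"


# Constructed allowlist: the battery app may only touch the charge-controller
# node, the hosts-file app may only touch /etc/hosts, never the reverse.
POLICY = RootPolicy([
    Grant("acca.example", 10101, ("/sys/class/power_supply/*/charging_enabled",)),
    Grant("adaway.example", 10102, ("/etc/hosts",)),
])

ACCA = Caller(10101, "acca.example")
ADAWAY = Caller(10102, "adaway.example")
IMPOSTOR = Caller(10999, "adaway.example")   # right package name, wrong uid


def run_checks():
    """Evaluate the scenarios from the discussion; returns {label: allowed}."""
    cases = {
        "acca_charge_node": (ACCA, "/sys/class/power_supply/battery/charging_enabled"),
        "acca_hosts": (ACCA, "/etc/hosts"),
        "adaway_hosts": (ADAWAY, "/etc/hosts"),
        "adaway_charge_node": (ADAWAY, "/sys/class/power_supply/battery/charging_enabled"),
        "impostor_hosts": (IMPOSTOR, "/etc/hosts"),
        "acca_traversal": (ACCA, "/sys/class/power_supply/../../../etc/hosts"),
        "adaway_dotdot": (ADAWAY, "/etc/../etc/hosts"),
        "acca_relative": (ACCA, "sys/class/power_supply/battery/charging_enabled"),
    }
    return {label: POLICY.check_write(c, p)[0] for label, (c, p) in cases.items()}


if __name__ == "__main__":
    for label, allowed in run_checks().items():
        print(f"{label:20} {'ALLOW' if allowed else 'DENY'}")
```

The point of the design is that a compromise of the hosts-file app gains write access to exactly one file, not to the whole device, and that the check keys on the UID the kernel reports rather than on a name the caller supplies. A real implementation would also have to bind the grant to the app's signing key so the UID cannot be reused by a reinstalled package, which this sketch does not model.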
| jrflowers wrote:
| >For starters, in most places, warranty is a legal
| requirement and the manufacturer isn't allowed to void it
| for whatever reason they want.
|
| This only makes the statement untrue if you use "can" and
| "will" interchangeably.
|
| >More importantly, rooting is only a security risk in the
| sense that it increases the attack surface for exploits.
|
| This is a good point. What even is "attack surface" anyway?
| Does anybody actually consider it when "evaluating security
| posture"? If I simply choose not to care about attack
| surface because I don't want to, then doesn't it simply
| become a factual nonissue? There are no answers to these
| questions
| throwaway290 wrote:
| Stop parroting orthodox agenda without thinking of what it
| means. If everyone had root access it would be heaven for
| ransomware/spyware/malware operators.
|
| Having root access is not in the interest OR benefit of most
| regular users. Rooting your phone is a footgun for 99% of
| people who install random apps and will get hacked and have
| their life savings transferred or ransomed.
|
| For them the article does the right thing. For everyone else,
| like you or me, we will not care what this article says anyway.
|
| That's why what Samsung does is doubly bad. Not rooting your
| phone is good hygiene if your phone respects you. But if it
| comes with malware then that's a stab in the back.
| callc wrote:
| > Having root access is not in the interest OR benefit of
| most regular users.
|
| What about desktop OSes for the last 40/50 years?
|
| Sure they aren't the foam-padded locked down phone OSes, but
| isn't this fear a case of leaving said padded room?
| throwaway290 wrote:
| Computer usage and consequently threat landscape went
| through a crazy change from 40/50 years ago. Desktops are a
| minority of devices. If you take personal devices even more
| so. Most people in the world with a computer have just a
| pocket one. Especially in WANA countries discussed.
|
| If you talk to regular non IT savvy people many of them
| don't bother and correctly assume that at some point it
| will "get a virus" or something. And it is fine for them
| because almost no one uses desktop for critical stuff like
| payment or finance. But majority do use phones for that.
| They jumped from cash straight to phones and now it's a
| lucrative attack vector.
|
| Edit to reply because throttled by downvotes: yea I'm in
| your boat, we live in a bubble. It's hard to believe. But
| now I'm using a payment system that literally has "get app"
| on its site and no other way to manage money or even sign
| up. And apps like that can be the only way for many people
| to get some sort of plastic card to pay cashless.
|
| And I see how it happened. Many people have no personal
| desktop computers. Many payment vendors don't trust desktop
| computers because an ordinary person's windows machine is a
| malware breeder.
|
| So many people in the world depend on mobile security
| (especially underprivileged people). Anyone who wants them
| all to get fucked for their own libertarian ideal of "hardware
| ownership" is basically a psychopath to me. Especially
| considering that he is literally free to root his device
| and not make it a problem for others.
| mumbisChungo wrote:
| >almost no one uses desktop for critical stuff like
| payment or finance.
|
| I'm not saying this is wrong (in fact I assume it is
| accurate), but relative to my life experience this is
| crazy to me.
| tokioyoyo wrote:
| Worked on some financial stuff before, and dashboards
| showed the opposite of your experience, if I'll be
| honest. An average user is very different from us.
| devilbunny wrote:
| Financially savvy people are much more likely to have a
| desktop, I would think.
|
| My mother-in-law does not have a laptop or desktop. She
| barely uses her iPad. If it's not on the phone, it might
| as well not exist. My father-in-law has a PC at work and
| a Mac laptop, but he uses them only for work - his casual
| internet use is entirely on the phone. My wife uses
| multiple iPads and her phone, but only uses a desktop at
| work or when working at home.
|
| Most people I know don't actually own personal computers
| other than their phone or tablet.
| jjav wrote:
| > almost no one uses desktop for critical stuff like
| payment or finance
|
| What? This makes no sense. For something where security
| matters, using the desktop is the only rational choice. I
| never, ever, allow any sensitive information through the
| phone since it is not a trusted device.
| throwaway290 wrote:
| You are just another example why most people ranting on
| HN about the topic of rooting phones are out of touch. No
| offense.
| devilbunny wrote:
| And yet it is the truth.
| ulrikrasmussen wrote:
| We need regulation which defines that any hardware device
| capable of running software developed by a third party
| different from the hardware manufacturer qualifies as a general
| purpose computing device, and that any such device is
| disallowed to put cryptographic or other restrictions on what
| software the user wants to execute. This pertains to all
| programmable components on the device, including low-level
| hardware controllers.
|
| These restrictions extend outside the particular device. It
| must also be illegal as a commercial entity to enforce security
| schemes which involve remote attestation of the software stack
| on the client device such that service providers can refuse to
| service clients based on failing attestation. Service providers
| have other means of protecting themselves, taking away users
| control of their own devices is a heavy handed and
| unnecessarily draconian approach which ultimately only benefits
| the ad company that happens to make the software stack since
| they also benefit from restricting what software users can run.
| Hypothetically, they might be interested in making it
| impossible to modify video players to skip ads.
| akoboldfrying wrote:
| > any such device is disallowed to put cryptographic or other
| restrictions on what software the user wants to execute
|
| Won't this also forbid virus scanners that quarantine files?
|
| > This pertains to all programmable components on the device,
| including low-level hardware controllers.
|
| I don't think it's reasonable to expect any manufacturer to
| uphold a warranty if making unlimited changes to the system
| is permitted.
| fc417fc802 wrote:
| It wouldn't forbid shipping the device with a virus
| scanner. It would only forbid refusing the user control
| over what software does and does not run.
|
| There might be a couple messy edge cases if applied at the
| software level but I think it would work well.
|
| Applied at the hardware level it would be very clear cut.
| It would simply outlaw technical measures taken to prevent
| the user from installing an arbitrary OS on the device.
|
| Regarding warranties, what's so difficult about flashing a
| stock image to a device being serviced? At least in the US
| wasn't this already settled long ago by Magnuson-Moss?
| https://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty...
| afeuerstein wrote:
| > Won't this also forbid virus scanners that quarantine
| files?
|
| Yes. If I really _want_ to execute malware on my device, I
| should be allowed to do so by disabling the antivirus or
| disregarding a warning.
|
| > I don't think it's reasonable to expect any manufacturer
| to uphold a warranty if making unlimited changes to the
| system is permitted
|
| It is very reasonable and already the rule of law in "sane"
| jurisdictions, that manufacturer and mandated warranties
| are not touched by unrelated, reversible modifications to
| both hard- and software.
| encom wrote:
| >virus scanners
|
| You can (and should, imho) remove anti-virus software.
| miki123211 wrote:
| I agree, but I think three extra conditions would need to be
| added here.
|
| 1. Devices should be allowed to display a different logo at
| boot time depending on whether the software is manufacturer-
| approved or not. That way, if somebody sells you a used
| device with a flashed firmware that steals all your financial
| data, you have a way to know.
|
| 2. Going from approved to unapproved firmware should result
| in a full device wipe, Chromebook style. Possibly with a
| three-day cooldown. Those aren't too much of an obstacle for
| a true tinkerer who knows what they're doing, but they make
| it harder to social engineer people into installing a
| firmware of the attackers' choosing.
|
| 3. Users should have the ability to opt themselves into
| cryptographic protection, either on the original or modified
| firmware, for anti-theft reasons. Otherwise, devices become
| extremely attractive to steal.
| gmueckl wrote:
| 4. Apps with special security needs are allowed to detect
| whether a device is unlocked and can either disable
| themselves or go into a mode that shifts ALL related
| liability onto the user. It's not the bank's fault if the
| user disabled protections and some spyware logs the online
| banking password or something like that.
| mmh0000 wrote:
| It is the bank's fault if they allow non-reversible, weird
| or large transactions without a secondary authorization
| capability.
|
| The bank's bad processes are not an end device fault.
| Zak wrote:
| I'm pretty sure I'm against this. I could be convinced
| otherwise by documentation of significant fraud involving
| compromised devices (especially Android phones) that
| would have been stopped by a device attestation scheme.
|
| I should note Google has such an attestation scheme, and
| there are reliable defeats for it in most situations
| given root access. Apps have been able to insist on
| hardware-backed attestation which has not been defeated
| for some time, but that isn't available for old devices.
| Almost none do so.
|
| If this had a meaningful impact on fraud, more apps would
| insist on the hardware-backed option, but that's quite
| rare. Even Google doesn't; I used Google Pay contactless
| with LineageOS and root this week. I'm currently
| convinced it's primarily a corporate power grab; non-
| Google-approved Android won't be a consumer success if it
| doesn't run your banking app, and the copyright lobby
| loves anything that helps DRM.
| ulrikrasmussen wrote:
| Also, online banking has been a thing for so long on PCs
| which never had that kind of remote attestation. I also
| do not believe the security argument, but I believe that
| the banks believe it.
| Zak wrote:
| I suspect the banks want to do checkbox-based compliance
| with regulators and insurers without any deep
| understanding of the underlying issues.
| gmueckl wrote:
| Online banking doesn't need remote attestation. Some
| additional locked down hardware with its own minimal
| display is enough. My banks force me to use devices like
| those made by Kobil or ReinerSCT.
| xg15 wrote:
| Yeah, nope. All apps have "special security needs"
| according to their manufacturers. Every app that relies
| on spying for revenue will use that to disable itself.
| (Or worse, actively malfunction - e.g. that banking app
| could switch into a special mode where it does
| transactions on its own that are not in the interest of
| the user. If the user has accepted all liability, there
| isn't much they could do against that)
|
| I'm alright with limiting liability for an
| unlocked/customized phone (for things that happen from
| that phone) - but that's a legal/contractual thing. For
| that to work, it's enough for a judge to understand that
| the phone was customized at that time - it doesn't
| require the _app_ to know.
| ulrikrasmussen wrote:
| My bank app refuses to work on LineageOS, but I can use
| the web interface just fine which has the exact same UI
| and functionality as the app. In both the native app and
| the web app I have to authorize any transactions using my
| national ID, which for me is a hardware token (the app
| for my national ID also refuses to run). Why is it
| somehow insecure to initiate this flow from a native app
| on LineageOS while it is not insecure to do the exact
| same via a browser on LineageOS? If the app can be
| compromised, so can the browser - the bank cannot trust
| all its browser based clients anyway.
|
| The web app has been running with this security model for
| decades on PCs, and it has been fine. The whole narrative
| about remote attestation being necessary to protect users
| is an evil lie in my opinion, but it is an effective lie
| which has convinced even knowledgeable IT professionals
| that taking away device ownership from users is somehow
| justified.
| gmueckl wrote:
| A hardware device that doesn't confirm transaction
| details on its own locked down display enables man in the
| middle attacks. I have to use such devices with my bank
| card when banking online.
| Dylan16807 wrote:
| Screw that. I want nearly the opposite. I don't really
| own my device if apps will look at my ownership flag and
| refuse to run.
|
| We can talk about the consequences of spyware but
| definitely not a total liability shift. Also preventing
| root doesn't prevent spyware.
| xg15 wrote:
| > _Devices should be allowed to display a different logo at
| boot time depending on whether the software is
| manufacturer-approved or not._
|
| Not sure how to phrase this legally, but please also add a
| provision against manufacturers making the "custom
| firmware" logo hideously ugly on purpose to discourage
| rooting - like e.g. Microsoft did for Surface tablets.
|
| > _3. Users should have the ability to opt themselves into
| cryptographic protection, either on the original or
| modified firmware, for anti-theft reasons._
|
| Full agreement here. I very much would like to keep the
| bootloader locked - just to my own keys, not the OEMs.
| harvey9 wrote:
| Someone with the motivation to install custom firmware
| would consider the bootsplash aesthetic a deal breaker?
| xg15 wrote:
| If you want to promote alternative bootloaders or OSes
| for wider, nontechnical audiences (like LineageOS etc),
| then absolutely.
|
| I think it's a difference in mindset whether you view
| custom firmware as a grudging exception for techies (with
| the understanding that "normal" people should have a
| device under full control of their respective vendor), or
| whether you want an open OS ecosystem for everyone.
| AshamedCaptain wrote:
| Yes -- bootsplash showing "DANGER! YOUR SECURITY AT RISK!
| HACKERS CAN NOW STEAL YOUR GIRLFRIEND AND SHUFFLE YOUR
| PAIRS OF SOCKS!" in big bold red letters only because you
| enabled root to remove manufacturer malware (which if
| anything likely _increases_ your security) is a deal
| breaker, because it will frighten most users from doing
| it.
| xg15 wrote:
| > _Devices should be allowed to display a different logo at
| boot time depending on whether the software is
| manufacturer-approved or not._
|
| Another thought on that point: Why of all things is
| _manufacturer_ approval so important? We know manufacturers
| often don't work for - or even work against - the
| interests of their end users. Manufacturer approval is not
| an indicator for security - as evidenced by the OP article.
|
| If anything, we need independent third parties that can vet
| manufacturer _and_ third party software and can attach
| their own cryptographic signatures as approval.
| Sophira wrote:
| While I agree in theory, this is never going to happen.
| There's too much DRM in use for it to work out.
| jimjimwii wrote:
| Repeal and outlaw drm. It was a mistake that violates
| everyone's constitutional rights.
| mmh0000 wrote:
| "constitutional rights"
|
| Words written on toilet paper. Only thing that exists
| today are "billionaire rights".
| reactordev wrote:
| Exactly. DRM isn't going anywhere so long as copyrights
| exist.
| xg15 wrote:
| Not even that. Companies are already lobbying massively
| for selective enforcement of copyright as to not harm the
| AI boom (immediate jail terms for individuals torrenting
| a movie, "it's a complex issue" for AI companies scraping
| the entire internet)
|
| But even the DRM that is already there often only uses
| copyright laws as suggestions. E.g. YouTube's takedown
| guidelines are defined through their TOS, not through the
| DMCA.
| mensetmanusman wrote:
| _Are there billionaires in the room with us right now?_
| al_borland wrote:
| DRM is a barrier to legally protected purchasing digital
| media for me. I will buy an album from iTunes (no DRM), but
| I will not buy digital movies the same way.
| AshamedCaptain wrote:
| What there are is many people utterly convinced that this
| brings some security to end-users. See the other messages
| in this thread. DRM is only a fraction of the problem.
| Incipient wrote:
| I'm pretty sure the recent switch 2 "license to use the
| hardware" has entirely killed any notion that you actually own
| the hardware and are free to do anything with it.
|
| Especially in Africa, where privacy and consumer rights are
| probably less relevant than the US/EU.
| hilbert42 wrote:
| _" "license to use the hardware"...."_
|
| Well, then it's high time the _laws of ownership_ in just
| about every country in the world were updated.
|
| As it stands, if I buy something then I own it.
| makeitdouble wrote:
| > if I buy something then I own it.
|
| That's the point: you can't buy it, only license.
| hilbert42 wrote:
| I've never had to license hardware I've bought, only
| software. There's no way I do so.
| makeitdouble wrote:
| I'm not saying it's a good thing. But we shouldn't hide
| from the fact that door has been opened and I see no
| practical reason we won't see more of it.
|
| The minute Apple sees a clear path to get away with it,
| iPhone will essentially become licensed devices.
|
| Then other phone makers will jump through the opening, at
| some point it becomes the standard, and we'll laugh at
| the "voting with your wallet" joke again.
|
| > software
|
| We're already full in licensing books, as truly the most
| pragmatic choice. Amazon opened the door, and many other
| ebook stores have jumped on the bandwagon.
| hilbert42 wrote:
| This can end in several ways, users and third-party
| repairers will reverse-engineer phones, encryption
| notwithstanding--simply remove the 'offending' chips and
| replace them with open tech.
|
| To say it's unlawful is moot. Apple may have jurisdiction
| in the US but not across the globe, there are plenty of
| places I can think of to send an iPhone to have it fixed
| the way I want (and I'd do so the moment that market is
| established). There's no way Apple can police what people
| do with their hardware once it's in their hands, it's
| fanciful to think otherwise.
|
| Open hardware is on the move, eventually considerably
| cheaper open products will become popular just on price
| alone. Competition will then be fierce, Apple will have
| to change its policies if changes to laws don't beat them
| to it. Remember also the US isn't the whole world, so
| those changes are likely to be enacted first outside the
| US. If Apple wants to sell there then it'll have to
| comply with those laws just as it did with USB-C in
| Europe.
|
| Also keep in mind Apple, Google, Microsoft etc. have
| become the richest and fastest growing corporations in
| human history--they even beat out the previous contenders
| the Dutch and British East India Companies of the 17th
| and 18th Centuries.
|
| These corporations became so rich so quickly because of a
| confluence of circumstances--the new tech paradigm of the
| personal computer, the wow factor that took the world by
| storm and a complete lack of regulations worldwide.
| Without regulations to keep these corporations in check
| they simply ran amuck.
|
| That's now over. Yes, it will be some while before
| they're brought to heel but they'll never get such a
| straight run again.
|
| Apple is on top now but let's see where it'll be in 20
| years.
| menzoic wrote:
| How is the security risk propaganda?
| ahoka wrote:
| It's the hardware vendor's "think of the children".
| msgodel wrote:
| If your security model means me having access to my own
| hardware is a security risk you're malicious and your
| security model is bad.
| flotzam wrote:
| It's not (only) propaganda. Rooting disables or bypasses
| verified boot, allowing exploits to persist across a reboot.
| franga2000 wrote:
| Malware can persist across reboots regardless of verified
| boot. What it can't do is persist through a factory reset.
|
| But if you really want a thorough reset, simply re-lock the
| bootloader and flash stock firmware from there. Nothing can
| persist through that without an exploit in the verification
| chain and if you have that kind of exploit, you don't need
| the bootloader to be unlocked in the first place.
|
| Also, there are devices out there that let you enroll your
| own keys, like the Google Pixel series.
| flotzam wrote:
| > Malware [c]an persist across reboots regardless of
| verified boot.
|
| Some can, some can't. Even when it can persist,
| escalating to root after every reboot may be unreliable
| or noisy (e.g. 70% chance of success, 30% crash) compared
| to straight persistence _as root_ without verified boot.
|
| > Also, there are devices out there that let you enroll
| your own keys, like the Google Pixel series.
|
| This still applies to those devices. It's the main reason
| GrapheneOS (which exclusively runs on Pixels, with the
| bootloader relocked to a GrapheneOS key) is opposed to
| building in root access: Verified boot would be
| "enabled", but effectively bypassed.
| https://xcancel.com/GrapheneOS/status/1730435135714050560
| ozim wrote:
| My grandma should not have root on her phone and a lot of
| younger people as well.
|
| Making it easy to root phone makes it easy for scammers to ask
| people to unlock it.
|
| It should not void warranty if you unlock the phone. But
| security concerns are real. Mobile banking apps refuse to run
| on rooted phones.
| poisonborz wrote:
| The same people can be scammed to give passwords, click
| links, perform any human action, so what's the difference
| besides giving up yet another freedom?
| npteljes wrote:
| The current legal reality might be corporate propaganda, but
| not exclusively corporate propaganda, it's the current legal
| reality as well. "root access voids warranties" is a fact in
| many jurisdictions, regardless of how it came to be. Hence,
| it's not as much parroting propaganda, as in furthering a
| cause, but just stating it how it is.
| smokel wrote:
| Even though you seem to have a lot of support on Hacker News, I
| don't think making root access a fundamental right is
| preferable.
|
| Historically, computers have not granted you access to
| everything. Most home computers used to have ROM cartridges,
| which could not be modified, at least not by an average user.
| Also, when using unrestricted operating systems, such as MS-
| DOS, a simple virus could wipe all your hard work.
|
| In our current time, devices are connected to other machines,
| and the problem of security and privacy has increased
| dramatically. Unfortunately, we still don't have operating
| systems that are secure enough to be used by untrained persons.
| It makes perfect sense to lock down these devices.
|
| I basically see only two ways out:
|
| 1. Allow developers exclusive access to development systems,
| similar to how console development works.
|
| 2. Implement a secure operating system.
|
| It will take an extreme amount of effort to do the latter, and
| it might even be impossible to gradually absorb the mess of
| interfaces that people and companies expect to work.
|
| So that probably leaves us with the first option. Personally, I
| would love devices to be locked down more, so that the crazy
| threats from hackers will be less severe. But I would also love
| to keep developing software. Having to jump through some hoops
| is probably unavoidable. The situation could be compared to
| requiring a driver's license in order to safely drive on the
| shared infrastructure.
|
| As much as I agree with your sentiment to have freedom, it
| still seems somewhat overly optimistic to expect this to work
| in our complex society.
| poisonborz wrote:
| Why? What is the reason root would be dangerous, if it's not
| the default? People can be scammed to activate it, but those
| same people can be scammed to click links and give passwords
| and personal data. Any action requiring root would need a
| warning and raise suspicion, or put behind an activation
| mechanism that's complex enough.
|
| Anything else and you lose freedom, and the whole ethos that
| enabled the advanced IT landscape of today.
| smokel wrote:
| Having root access implies that you can do all sorts of
| things: change files, install new software, new kernel
| modules, etc. Locking this down makes the attack surface
| for malicious parties much smaller. Many exploits start in
| user-space and then obtain root access to install rootkits.
|
| Of course you lose freedom, but that is exactly what is
| needed, because some people just cannot help themselves
| from exploiting that freedom.
|
| Unless someone figures out a way where we can safely share
| computing power and connections to real-life services (e.g.
| banking, having an identity, communication in general), I
| think there is no real alternative.
|
| Perhaps having separate internets for various purposes
| would be an option. One where we can socialize anonymously,
| but not trust each other, and one where it's pretty boring,
| but where you can safely buy goods using your paycheck.
| beeflet wrote:
| https://imgs.xkcd.com/comics/authorization.png
|
| >Unless someone figures out a way where we can safely
| share computing power and connections to real-life
| services (e.g. banking, having an identity, communication
| in general), I think there is no real alternative.
|
| I think the opposite is true. We don't have adequate
| sandboxing of userspace on most desktop OSes. If your
| malware has access to the victim's home directory and can
| phone home, they've been pwned for all intents and
| purposes. Root access would matter if userspace programs
| were well sandboxed.
|
| On OSes where this is true like android, you have
| terrible interoperability of userspace programs and it's
| impossible to get "real work" done. Not to mention that
| without root access, you are just relying on the
| corporation to manage your system for you, which isn't
| tenable for a democracy.
|
| You don't need all of this trusted computing stuff to
| have secure, private payments. Chaumian ecash and
| cryptocurrencies have known this for a while. Just use a
| digital signature scheme instead of relying on open-
| source information.
| smokel wrote:
| I don't think these problems are opposing; both are real.
|
| I totally agree that user space is not as much of a
| useful concept on a single-user device. Originally, it
| helped to shield users of the same system from each
| other. Most of this was based on file system
| authorization. This hasn't been extended to internet
| access in a very useful way.
|
| However, even on single-user devices, having root access
| makes it easier to hide malicious processes. Granted that
| in modern operating systems it is already totally unclear
| what most processes are doing, so one can simply hide in
| plain sight.
|
| I'm still not convinced we can get by without a lot of
| trusted computing stuff to have secure payments.
| ingohelpinger wrote:
| we need a satslink now!
| OutOfHere wrote:
| Samsung currently has an unremovable spyware app on North
| American phones that pastes (records) everything copied to the
| clipboard by any app. It is the Samsung Keyboard app. It cannot
| be removed. It doesn't matter if you're using any other keyboard
| app. Samsung Keyboard pastes (records) everything that gets
| copied to the clipboard by any app. The Samsung Keyboard app
| cannot even be disabled from Android.
|
| As an aside, I recall getting a lot more ads when I used Samsung
| Keyboard.
| noisy_boy wrote:
| Sometimes I will see a small random "copied" floating
| notification (not in the notification tray) and I always
| wondered where it came from. Maybe they have put in some code
| to suppress it but due to some bug, it leaks out. No proof but
| I can only hypothesize.
| bapak wrote:
| Every day it feels like regulators need to increase enforcement
| by an order of magnitude. For every fine they dish out, 10 more
| abuses go unnoticed.
| logicchains wrote:
| The regulators work for the same governments and intelligence
| agencies that are making companies add such clandestine
| spyware.
| stevenhuang wrote:
| https://www.reddit.com/r/samsunggalaxy/comments/mtakqq/how_t...
|
| Yeah, all Samsung software is a liability.
|
| Don't even get me started on the Samsung smart TVs. Just
| horrible all-around.
| spinlock_ wrote:
| That's why my Samsung TV has no internet access and I'm using
| Apple TV instead.
| Dah00n wrote:
| From the fire into....
| spinlock_ wrote:
| Into what? Though I have no illusions about any tech
| company, I trust Apple more than Samsung right now. It's
| all relative, not absolute.
| amlib wrote:
| It's a slippery slope. Apple is as bad as Google was
| about 10 years ago and things seem to be degrading
| faster and faster. Give it another 5 years and they will
| be as bad as Google/Samsung is today.
| joshstrange wrote:
| Do you wanna expand on that or just make vague statements
| with no facts?
| rs186 wrote:
| Thanks for mentioning this! I saw it but never put much
| thought into it. Now it seems a huge security risk/active
| security exploit.
|
| Strangely enough, I cannot reproduce this now.
|
| I'll see when it happens again, and if I can uninstall keyboard
| via adb. It's just a pre-installed app, after all.
| OutOfHere wrote:
| What do you mean you cannot reproduce it? Enable the setting
| in your Android to notify you whenever any app pasted from
| the keyboard.
|
| Unless you have already used adb to disable or remove the
| app, the issue is guaranteed.
| Atlas667 wrote:
| THEY WILL TARGET YOU too if you ever find yourself against
| western and/or Israeli interests.
|
| Capitalist technologies are the surveillance state incarnate.
| They must study people in order to manufacture consent.
|
| Remember democracy is majority rule, when have you ever had true
| control over your political destiny? You KNOW the answer is
| never.
|
| Democracy =/= trust.
|
| Democracy = control.
| v5v3 wrote:
| Many 'democracies' are not democracies, as you can only really
| vote for one of 2 parties. The system is fully designed to
| suppress smaller parties and independents.
|
| Only countries with regular coalition governments can be
| classed as actual democracies.
| maigret wrote:
| For Europe that hosts many democracies the exact opposite is
| happening. Previous systems with two main parties are
| becoming 5-6 party systems, making decisions and agreement,
| and just plain majorities, harder.
| Atlas667 wrote:
| The will of the masses is NEVER enacted. This is what
| bourgeois capitalism is.
|
| Oh you like phones? Well our phone companies require us to
| directly or indirectly create proxy wars in this region in
| order to acquire the raw materials necessary.
|
| This is the democracy of western nations: policy hidden
| behind capitalist interests that the people engage with
| through consumption.
|
| It's democracy for the rich not for the millions of us.
|
| That's why they NEED to manufacture consent, in order to get
| you on board with murder and fabricated poverty in order to
| have goods and services.
| beeflet wrote:
| >Oh you like phones? Well our phone companies require us to
| directly or indirectly create proxy wars in this region in
| order to acquire the raw materials necessary.
|
| I think that is the will of the masses.
|
| I've got this fairphone in my pocket that has a replaceable
| cobalt-free battery and a replaceable OS for a reasonable
| price. But people by-and-large don't want fairphones, they
| want iphones.
|
| The third worlders fighting over cobalt don't want peace,
| they want wealth for themselves.
|
| People don't want niche third parties and alternative
| stuff, they want to be part of a larger cultural group.
|
| Capitalism is based on individual voluntarism, and the
| problems you describe are not caused by manufactured
| sentiment but a lack thereof. The problems are caused by
| the distributed actions of a silent majority, as opposed to
| some greater rational plan.
| Atlas667 wrote:
| > The third worlders fighting over cobalt don't want
| peace, they want wealth for themselves.
|
| They are enabled into fighting by big, huge interests.
| They ship them weapons and rationales.
|
| Who are the customers in the end? Western nations. They
| create the abject poverty, they use poor governments to
| exploit and enslave their own people. There is no
| "poverty" in the world only exploitation. All poverty is
| fabricated and sustained.
|
| Why is it that Mali is one of the poorest nations on
| earth but is also one of the top 10 exporters of gold?
| How does that work?
|
| Capitalism is not voluntarism. That is the myth of
| philosophical liberalism.
|
| To say that someone who owns as much wealth as a few
| million people is equal to those same millions of persons
| who directly own nothing except credit(debt)? It's a
| myth.
|
| Voluntarism would only be true if we were on equal
| economic standing. Therefore voluntarism implies that no
| one can be coerced or leveraged, it's a moot and infantile
| viewpoint of social dynamics.
|
| The "silent majority" has no real way to speak. You
| choose candidates based on talking points who can then
| REALLY do anything they please. That is called "trusting
| campaigns", not democracy.
|
| In reality what happens in elections is that we are
| choosing a group of people to enact policies based on the
| market-demands of a society that cannot control its
| market/production. There is a huge disconnect. It's not a
| real influence WE have. It's an influence that is given.
|
| I.e. the majority of people don't want to use plastic
| materials for anything related to their consumption. But
| plastic is cheap and easy to produce. I'm sure that if
| given a choice people would rather their society work a
| bit more, spend a bit more of human-energy if it means we
| don't have nuts full of microplastics.
|
| It is how we produce that determines what choices we
| have, and how we produce is determined by market dynamics
| which are reduced to sustainability of production and
| profits. It is profits that determines production, not
| consumers' will.
|
| So tell me: if we don't directly control the options we
| have, but you say _we are making_ a choice, what is that?
|
| There is another word for that. Coercion, manipulation.
|
| I don't want child soldiers killing for control over
| resources or kids mining for 12 hours a day, I want a
| good, cheap phone. It is not the same.
|
| Is there really no other way? I would sure as hell try to
| have it any other way.
|
| Whoever conflates these is doing so because they profit
| off of it, not because it's the only way.
|
| In capitalism the heads of production and their profits
| determine the directions of our societies.
| weatherlite wrote:
| > THEY WILL TARGET YOU too if you ever find yourself against
| western and/or Israeli interests.
|
| I guess you shouldn't find yourself against Western and/or
| Israeli interests then. It's time you learned to love Big
| Brother.
| thenthenthen wrote:
| _AppCloud, developed by the controversial Israeli-founded company
| ironSource (now owned by the American company Unity)_
|
| Yes the Unity 3D engine company wow.
| willtemperley wrote:
| So Unity can now be considered malware by association.
| more-nitor wrote:
| lol the article simply doesn't have 0.000001 ounce of
| substance
|
| "this company is from Israel (so must be Mossad)" or "has
| notorious for its questionable practices" (without even
| giving actual examples or incidents)?
|
| I mean, if you're the Mossad guy making a deal with Samsung,
| why would you even make it appear to the user?
|
| this is a classic competitor-bashing article -- no substance,
| only hand-wavy "this guys bad!"
|
| "non-profit" doesn't make "smex" the morally-right side of
| the game. it just means they don't pay taxes and receive
| donations...
|
| maybe it's time to trace where that donation money comes
| from? smells like competitors (xiaomi, huawei) who want to
| take a cut from samsung?
| miohtama wrote:
| Discussed in 2022 here
|
| https://www.pcgamer.com/unity-is-merging-with-a-company-
| who-...
| Nition wrote:
| The weirdest part of that merger was Unity paid $4.4 billion for
| IronSource.
| JohnHaugeland wrote:
| ironsource was the owner and runner of the largest sleazy
| game ad network, which was unity specific
|
| unity was dying for lack of revenue
| Nition wrote:
| The fact that they were struggling for revenue just made
| the massive spend seem even weirder to me, but I suppose it
| could make sense if they truly expected to somehow get >4.4
| billion back from ad revenue eventually. They also bought
| Weta FX for $1.6 billion around the same time and did
| basically nothing with it.[1]
|
| [1] https://www.fxguide.com/quicktakes/unity-software-with-
| a-com...
| b0a04gl wrote:
| we're past the point of blaming carriers or oems individually.
| the entire supply chain is complicit. you want clean firmware?
| you either flash it yourself or buy from the handful of vendors
| that haven't sold out yet. that's where we are
| TiredOfLife wrote:
| "Otherwise please use the original title, unless it is misleading
| or linkbait; don't editorialize."
| theyinwhy wrote:
| Should we expect to have trojans in every unity game now?
| ArtTimeInvestor wrote:
| I sometimes think that "track record" is the main value of Google
| and Apple. They have been around for decades, and except in their
| own interest to collect data for themselves, I am not aware of
| any blatant privacy violations of these companies. And one can
| hope that in their own interest, they keep it that way. That's
| not great, but it's better than the other companies.
|
| I don't see how any company can compete with this unless they
| somehow figure out how to make a vastly superior product.
| bapak wrote:
| What's your definition of "collect data for themselves?"
| Because both do, albeit in substantially different amounts.
| ArtTimeInvestor wrote:
| Can you elaborate on those "substantially different amounts"?
| dgb23 wrote:
| What about PRISM?
|
| https://en.m.wikipedia.org/wiki/PRISM
| ArtTimeInvestor wrote:
| Do Apple and Google have a choice to legally opt out of it?
| danparsonson wrote:
| What difference does that make to the outcome? If anything,
| being automatically subject to that without any option is
| worse.
| Zak wrote:
| Yes, by incorporating end-to-end encryption in their
| services.
| Abishek_Muthian wrote:
| Even in India the entry level Samsung phones are subsidised by
| bloatware. Unfortunately there aren't many options for an entry
| level phone with regular updates.
|
| So the question is who would we like to be exploited by?
| ehnto wrote:
| Samsung phone in Australia, it was present on my device also. So
| not just West Asia and Africa.
|
| I was able to disable it but not remove it, unclear if it will
| re-enable itself. It had sent about 35 MB of data since March 1st,
| and was enabled as a background service.
| ahmedfromtunis wrote:
| Did you try to see if using blockada (or similar apps) to block the
| app's access to the internet would work or cause any side
| effects (like other core apps not loading, ...)?
| 0rzech wrote:
| Same thing in Europe and North America. AppCloud is present on
| Samsung devices. Sometimes from the get go, sometimes after
| system update, sometimes after security update (the irony of
| that!). Carrier-locked or not, it doesn't matter. Sometimes it's
| visible only after switching the "Show system applications"
| toggle on application list in device settings. There are many
| people reporting that their Galaxy S series phones have it too.
| This AppCloud stuff is absolutely outrageous!
| mightyrabbit99 wrote:
| The only phone brands that I am aware of which sell phones that
| are able to be rooted are Samsung and Xiaomi. I'm also in need of
| a phone that has an SD card slot so I don't see myself switching
| to any other brand.
| TZubiri wrote:
| "AppCloud is developed by ironSource, an Israel-founded company
| (now acquired by American company Unity)"
|
| I did not expect the thing I made games with as a teen to be
| involved in a global war.
| anshumankmr wrote:
| I observed this when I purchased a Samsung phone in 2022. My
| phone cost 35K INR. Even I found it alarming, apart from having
| bs apps pre-loaded. Switched to an iPhone a year or so later.
| Never looked back.
| bdavbdav wrote:
| Is this where we discover we've got another Pegasus preloaded.
| hd4 wrote:
| it's now a case of choosing between who you least care about
| spying on you - think I'll choose a Chinese phone next time, at
| least they're not currently engaged in genociding children
| danparsonson wrote:
| They're currently engaged in doing all kinds of awful things
| that we know about, and no doubt lots of even worse things that
| we don't. Try looking up Xinjiang, Tibet, or the Falun Gong for
| a taste.
|
| There are no innocent world superpowers.
| Dah00n wrote:
| No, but China has a better track record than the US.
| danparsonson wrote:
| I disagree; I think all we can really say about China in
| this regard is that they have more control over the press.
| anticodon wrote:
| Was the situation in Tibet really good before China came?
|
| I've recently learned that the movie "7 Years in Tibet" is full
| of lies, starting with the fact that the main character was a
| hardcore Nazi follower in real life.
|
| There are a lot of things that we don't know because media
| are not interested in enlightening people. They are
| interested in pushing the current agenda.
|
| E.g. Tibet was a poor feudal state with slavery, but you
| won't easily find this information, because all you can find
| now if you search for it is: "China is bad, bad, and Tibet is
| very good, enlightened people, very warm and kind". It is not
| like that.
| danparsonson wrote:
| > Was situation in Tibet really good before China came?
|
| Well I imagine there was a lot less persecution by the
| Chinese government at that time.
|
| > media are not interested in enlightening people
|
| You're right, the media in China are mostly or exclusively
| mouthpieces for the state.
| msgodel wrote:
| I've given up on smartphones. They're _all_ unacceptably bad and
| for the most part take value out of your life rather than adding
| it.
|
| I own a $50 Android tablet just for the required certificates to
| run DUO for work and other than that just use a UMPC with a modem
| card and VOIP for everything.
| djrj477dhsnv wrote:
| There is a lot of bad, but GPS maps (Google Maps for business
| reviews and public transport info and OSMAnd for hiking tracks)
| is extremely valuable to someone who travels a lot.
|
| And as much as I hate sending all the data to Google, their
| Translate app is indispensable for communicating in non-English
| speaking countries.
| v5v3 wrote:
| Samsung is a South Korean company.
|
| South Korea needs the USA to protect it.
|
| Consider everything from South Korea to be under the blessings of
| the NSA.
| nottorp wrote:
| > AppCloud, developed by the controversial Israeli-founded
| company ironSource (now owned by the American company Unity)
|
| Unity the ones doing a game engine?
| detaro wrote:
| yes: https://investors.unity.com/news/news-details/2022/Unity-
| Ann...
| nottorp wrote:
| So in addition to the licensing controversy, it's a good idea
| to assume any Unity game contains spyware now?
| Iolaum wrote:
| A user may not be able to uninstall it, but can they disable it?
| angst wrote:
| 1. Open Settings on your phone.
|
| 2. Scroll down and tap Apps.
|
| 3. Look for AppCloud in the list of apps. If it's not visible,
| tap the three-dot menu in the top-right corner and choose Show
| system apps to find it.
|
| 4. Once you've found AppCloud, tap it, and then tap Disable to
| stop it from running.
|
| https://hackerdose.com/tips/remove-appcloud-from-samsung/#:~...
| rs186 wrote:
| User can uninstall via adb (computer required).
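The Settings steps above and the adb route mentioned here, as a command-line script. This is an added example, not code from any commenter or from Samsung: the assumption that the package id contains "appcloud" is unverified (confirm the real id on your own device with `adb shell pm list packages`), and the `pm list packages` lines used in the dry run are constructed.

```shell
#!/bin/sh
# Added example: find the AppCloud package on a USB-debugging-enabled Samsung
# phone and disable/uninstall it for the primary user (user 0) with adb.
# This never touches the system image, so a factory reset brings it back.
# ASSUMPTION: the package id contains "appcloud" (case-insensitive).
# Override with APPCLOUD_PATTERN=... if your device names it differently.

APPCLOUD_PATTERN="${APPCLOUD_PATTERN:-appcloud}"

# find_packages PATTERN: read `pm list packages` output ("package:<id>" lines,
# possibly CRLF-terminated as adb emits them) on stdin, print matching ids.
find_packages() {
    tr -d '\r' | sed -n 's/^package://p' | grep -i -- "$1" || true
}

# plan_disable PKG: print the pm commands to run for one package.
# `uninstall --user 0` removes it for the user; some builds refuse that for
# certain system apps, in which case `disable-user` still stops it running.
plan_disable() {
    printf 'pm uninstall --user 0 %s\n' "$1"
    printf 'pm disable-user --user 0 %s\n' "$1"
}

# dry_run_sample: show what would be run, using constructed input only
# (no device needed). Returns the number of matched packages.
dry_run_sample() {
    sample='package:com.android.chrome
package:com.example.appcloud
package:com.sec.android.app.launcher'   # constructed, not real device output
    matched=0
    for pkg in $(printf '%s\n' "$sample" | find_packages "$APPCLOUD_PATTERN"); do
        matched=$((matched + 1))
        plan_disable "$pkg" | sed 's/^/adb shell /'
    done
    return $matched
}

# disable_appcloud: query the connected device and act on every match.
# Fails (exit 1) when nothing matches so a wrong pattern is noticed.
disable_appcloud() {
    pkgs=$(adb shell pm list packages | find_packages "$APPCLOUD_PATTERN")
    if [ -z "$pkgs" ]; then
        echo "no package matching '$APPCLOUD_PATTERN' found; check pm list packages" >&2
        return 1
    fi
    for pkg in $pkgs; do
        plan_disable "$pkg" | while read -r cmd; do
            echo "+ adb shell $cmd"
            adb shell "$cmd"
        done
    done
}

# Executed directly: act on the device. Sourced: only define the functions.
if [ "${0##*/}" = "disable_appcloud.sh" ]; then
    disable_appcloud
fi
```

Verify afterwards with `adb shell pm list packages --user 0 | grep -i appcloud` (should print nothing) and keep an eye on whether a later system update re-enables it, as other commenters report.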
| xchip wrote:
| > AppCloud, developed by the controversial Israeli-founded
| company ironSource (now owned by the American company Unity), is
| embedded into devices
|
| We have new spyware coming from Israel, let's update the list:
|
| - Pegasus
|
| - Candiru
|
| - QuaDream
|
| - Cellebrite
|
| - Paragon Solutions
|
| - Nemesis
|
| - AppCloud
| yahoozoo wrote:
| That feel when you're going to make an Israeli spy joke then read
| the article headline and it's ACTUALLY about an Israeli spy
| operation.
| mellosouls wrote:
| Editorialized title. Even the original calls it bloatware not
| spyware.
| reccy wrote:
| This article has basically no technical details and scant
| evidence for the claims made by the authors. It's rage bait that
| is intended for emotional reaction rather than a curious and
| intelligent analysis.
| hamdouni wrote:
| I think this is an open letter addressed to Samsung, not an
| article trying to convince readers... Perhaps, the takeaway can
| be the call for transparency as a minimum ?
| viktorcode wrote:
| Fact of life: cheap Android phones are funded by ads. Same holds
| true for TV sets.
| noisy_boy wrote:
| The only thing that is stopping me from switching to an iPhone is
| file level access and Syncthing - is that a solved issue? Anyone
| care to share?
| armsaw wrote:
| Yes, for ~7 years now the Files app has existed. Sandboxing is
| still a thing.
|
| Mobius Sync and Synctrain are the options for Syncthing. Both
| work, neither are official (nor is the currently-maintained
| Syncthing fork for Android).
| mousethatroared wrote:
| Not in this field but, if you're willing to sacrifice performance
| for security (by avoiding closed, western, hardware) how hard
| would it be to for a group of top hardware and software engineers
| to make a secure smartphone?
|
| I'd gather you could go very far with the following list:
|
| - Proven-correct microkernel
|
| - Encrypted messaging by default
|
| - Encrypted memory
|
| - Encrypted messaging between processes.
|
| - hardware switches for modems, peripherals and battery
| elternal_love wrote:
| I believe a proven-correct microkernel for a production system
| at smartphone scale is a sufficiently complex engineering task.
| Henchman21 wrote:
| Technical feasibility one way or the other is meaningless in
| the face of the power of Capital. IMO, Capital won't allow the
| creation of devices it cannot control. So truly secure devices
| are a pipe dream -- again my opinion.
| Grandeculio wrote:
| I found the app on my Samsung phone but I also found something
| interesting.
|
| Go to Settings->Apps and find the app in the list. Click
| "Configure in AppCloud" and then click "Personal Data". A form
| shows up where you can request access to the data or request a
| deletion of the data.
|
| I just requested access to my data, received an email
| confirmation where I had to click a link. I am curious to see
| what they will send me (if they will send me anything).
| chrisjj wrote:
| > Click "Configure in AppCloud"
|
| Not found on this Samsung phone.
| like_any_other wrote:
| It's time to start treating such actions, including/especially
| when done by corporations, as criminal hacking or an act of war,
| because as many commenters noted, that is what it amounts to.
| It's frustrating seeing the consequence be an open letter, where
| if an individual did this, there would be international warrants
| issued against them.
| aszantu wrote:
| Couldn't get rid of some assistant that I would have had to register
| with Samsung on my last phone. When it broke I switched over
| to a used Nokia. Little bit less convenient but I wish they
| wouldn't keep pushing that annoying spyware stuff on us... I'm
| perfectly fine to just use my phone for browsing and staying in
| touch with ppl... Why the f. do I need Google Assistant which I
| also can't cancel...I swear, next phone will be one of those
| bricks for the elderly...
| AbuAssar wrote:
| IronSource spyware is made by an Israeli company
| 31337Logic wrote:
| Soooo... What do y'all recommend if I want to run a rooted
| Android phone? Seems like our options are becoming more and more
| limited each year. :-(
| Henchman21 wrote:
| The manufacturers will continue to take user choice away until
| users start tossing their devices in the trash. Sooner is
| better IMO.
| djrj477dhsnv wrote:
| Pixel with self-built userdebug version of GrapheneOS. (It's
| quite easy, just modify one step of their published build
| instructions.)
| autoexec wrote:
| Samsung embeds spyware on every device they sell in the US too,
| we just don't have any privacy laws to stop them.
| midtake wrote:
| Supply chain compromise is maybe one of the most cyberpunk
| aspects of modern security. It's not mathematical but it depends
| on allegiances, power, and money. Is it too late to introduce
| cryptographic verification into the supply chain in a way that
| the customer can be secure, or is it too late and a cyberpunk
| dystopia is the only future? Can mathematics change the meta?
___________________________________________________________________
(page generated 2025-06-21 23:00 UTC)