Silicon Shecky

Infosec Practitioner


Security Slimebags or How to be forced to pay for security

October 5, 2015 By Michael Kavka

Android is the most popular mobile OS in the world. It also has some of the most frightening security holes, currently Stagefright. The carriers know this and use it, legally, to seemingly extort their customers.

Apple has one thing that Android doesn’t have, and that is a decent patch cycle. You can see people still using the iPhone 4s today. They don’t have to get a new device just to be secure, but not everyone likes the iPhone. Android, on the other hand, is awash in situations. From the heavy fragmentation of the OS, to the majority of phones not getting critical security updates thanks to the carriers, it really is the wild west. The best bet is to get an unlocked phone that will get updates directly from Google, but the cost of an unlocked phone is high, and the everyday person might not realize that is an option.

Carriers such as Verizon, AT&T, T-Mobile, and Sprint know this and use it against the everyday person. Heck, last year when Android 5 came out, the list of phones to get it included mine. I still have not seen that update, even though Android 6 was just announced. So in my wisdom, with Stagefright out there, now in two versions, original and even better, I went through my phone settings to see when the last update was pushed out to me. The answer was June, before Stagefright, even though there have been patches made by Google and approved by the phone makers to patch Stagefright version 1, and soon version 2. Now why would a carrier not push out such critical patches? The only answer I can come up with is profit.

Think about it, they don’t send out the patches, you need a new phone to be secure! With the changes all the companies have been making this year to move away from plans and phone subsidies, it is the perfect plan. Extort the customers to make them secure! It is a perfect plan, especially considering no one has done the one thing that could end this. Sue the carriers once hacked. Lawsuits, especially class action ones, are going to be the only way to get non-rooted, locked phones timely updates. The carriers have to be held responsible. The problem is that those of us who know the carriers are doing this root our phones or get the Nexus line of phones. The lack of communication with the layman who uses an Android phone continues to allow this pattern to continue.

The only other option is for everyone to move to iPhones, but without the competition how bad will the iPhone get? Think about it, most of the “great new features” on an iPhone are features that were already available on an Android phone. Apple just refines the feature a bit and whammo, now people are saying how Apple invented x, y, and z. Without Android what would spur iOS’s development?

One last thought though on all of this, and that is mobile payment, buying things online. Maybe someone else out there knows, but doesn’t being able to use your phone to make payments, and the way it does, subject the phones or carriers to some part of the PCI standard? If so, how many of us or them are truly compliant?

Filed Under: Android, Apple, Google, Mobile Computing, Rants, Security Tagged With: Android, AT&T, iOS, Security, Sprint, Stagefright, T-Mobile, Verizon

Google.. what are you doing?

January 24, 2012 By Michael Kavka

Google’s Bradley Horowitz recently announced that Google+ will be accepting Nicknames and Pseudonyms. Considering other changes, is Google+ drowning?

People from day one have been asking for anonymity on Google+ and now Google has a few ways to hide your real name from the world. At least that is how it seems. With the announcement a couple of friends tried setting up nicknames. And while they could add them into their profile, they couldn’t change the name that people saw. Hopefully that portion just hasn’t rolled out yet.

The Pseudonym Policy on the other hand will require some verification. The methods could be rather arbitrary, as they say they will require either real world or online verification of some sort. The arbitrary nature of the verification process is where I see problems coming in. The other question is what should be a nickname and what a Pseudonym?

Finally, Google is forcing people to sign up for Google+ when they get any of Google’s services. While we all know that this is a sure fire way to artificially increase the numbers for Google+, there is another problem with this. The naming policy, unless you get an approved pseudonym, requires real information such as your full name. This limits the usefulness of Gmail as an anonymous e-mail account. Not only that, but it could drive people to picking up Yahoo or Hotmail accounts again. Forcing people to sign up for a service they don’t want and will not use is a bad business decision on any company’s part. It really makes you wonder if Google+ is drowning in its own hype.

Right now I am taking a wait and see approach. I have a Google+ account already, and I do have a Google+ page set up for SiliconShecky, for which I will eventually find a tool that will post my articles to Google+ automatically, like I post to Twitter. Also check out this article from Ars Technica for more information.

Filed Under: Google, Internet/Music, Social Networking Tagged With: Ars Technica, Google, Nicknames, Pseudonyms, Social Media, Social Networking

What good is social media when your friends leave it?

August 19, 2011 By Michael Kavka

Google Plus, the honeymoon is over. Is social media any good when you have no one to talk to?

So there we go. Google is really bringing the hammer down on people who use Pseudonyms. Not only for Plus, but also for Buzz, and other Googley apps. What good is it though? People get pissed and leave those services. That means less ad money for Google. It gives people a bad taste in their mouth, so they stop purchasing things that Google supports. It can be a nightmare, especially in this day and age of Twitter and Facebook also.

A friend of mine who just left Google Plus wrote the following as their last post:

Dear +Bradley Horowitz

I really thought you guys had figured it out, but it’s pretty clear from the Google Name Policy that Google has once again failed at recognizing the basic tenet of social networking, namely that relationships made and maintained online are just as real as those made in real life, if not more so because of the greater pool of finding like-minded individuals. Clearly those at the top have never been part of a forum community, an MMO, or been to a spontaneous community event whether it be out in the desert at Burning Man, inside the track at the Indy 500, or just waiting in a line for a concert. Those who have understand that a chosen name is just as real as one printed, stamped and filed by someone’s parents.

Everyone else has already mentioned the safety and legal concerns of denying the protection of a pseudonym to a wide array of people who would be in significant danger should they use their legal names on a public, datamining, service, so I won’t belabor the point.

For Google, I only ask you to watch the numbers as people begin to walk away and try to understand the significance of having a network where no one is, because none of their friends can participate safely.

For everyone else, please repost on your own accounts, you can give me a mention, if you like, but don’t just share it, you never know when I won’t be considered ‘real’ enough for Google.

They are right. We are living in a world where people are becoming known more for their pseudonyms than their real names. A world where privacy means something.

Google overall has been deviating and basically given up on not being Evil. Android was originally marketed as open source, but now is only semi-open. Chrome browser is out there, but more heavily controlled now. Web apps have become more and more secretive.

Page and Brin are what they are. Paranoid, secretive, wanting in the end to do good, but now are doing more bad than good. 2 brilliant minds who really don’t understand the real world, nor care about our concerns. Just like their mentor, and now enemy, Steve Jobs, they want to force things down our throats. They want to get all the information they can from everyone, and use that information to force us to the cloud for everything. They shouldn’t have to force us. They should do what they started doing, which was give us the tools we need to make the leap, and open them up so we have reason to. Maybe, someday they will get back to their original vision. I don’t count on it though.

Meanwhile, Google Plus is becoming a ghost town for me. A good number of my friends left due to the naming policy. Even people like Wil Wheaton and Felicia Day don’t seem to be posting as much. I’ll stick around there until they kick me out for using a nickname most people know me by. It really is a shame, because without the name policy, Google Plus could have laid the smack down on Facebook. People liked the setup, the circles, the security on it. It’s too bad that Google doesn’t listen to us about names.

Filed Under: Google, Internet/Music, Mobile Computing, Rants, Social Networking Tagged With: Brin, Don't Be Evil, Google, Google Plus, Social Networking
