Silicon Shecky

Infosec Practitioner


Security Slimebags or How to be forced to pay for security

October 5, 2015 By Michael Kavka

Android is the most popular mobile OS in the world. It also has some of the most frightening security holes, currently Stagefright. The carriers know this and use it, legally, to seemingly extort their customers.

Apple has one thing that Android doesn’t have, and that is a decent patch cycle. You can see people still using the iPhone 4s today. They don’t have to get a new device just to be secure, but not everyone likes the iPhone. Android, on the other hand, is awash in situations. From the heavy fragmentation of the OS, to the majority of phones not getting critical security updates thanks to the carriers, it really is the wild west. The best bet is to get an unlocked phone that will get updates directly from Google, but the cost of an unlocked phone is high, and the everyday person might not realize that is an option.

Carriers such as Verizon, AT&T, T-Mobile, and Sprint know this and use it against the everyday person. Heck, last year when Android 5 came out, the list of phones to get it included mine. I still have not seen that update, even though Android 6 was just announced. So in my wisdom, with Stagefright out there, now in two versions, original and even better, I went through my phone settings to see when the last update was pushed out to me. The answer was June, before Stagefright, even though there have been patches made by Google and approved by the phone makers to patch Stagefright version 1, and soon version 2. Now why would a carrier not push out such critical patches? The only answer I can come up with is profit.

Think about it, they don’t send out the patches, you need a new phone to be secure! With the changes all the companies have been making this year to move away from plans and phone subsidies, it is the perfect plan. Extort the customers to make them secure! It is a perfect plan, especially considering no one has done the one thing that could end this. Sue the carriers once hacked. Lawsuits, especially class action ones, are going to be the only way to get non-rooted, locked phones timely updates. The carriers have to be held responsible. The problem is those of us that know the carriers are doing this root our phones, or get the Nexus line of phones. The lack of communication with the layman who uses an Android phone continues to allow this pattern to continue.

The only other option is for everyone to move to iPhones, but without the competition how bad will the iPhone get? Think about it, most of the “great new features” on an iPhone are features that were already available on an Android phone. Apple just refines the feature a bit and whammo, now people are saying how Apple invented x, y, and z. Without Android what would spur iOS’s development?

One last thought though on all of this, and that is mobile payment, buying things online. Maybe someone else out there knows, but doesn’t being able to use your phone to make payments, and the way it does so, subject the phones or carriers to some part of the PCI standard? If so, how many of us or them are truly compliant?

Filed Under: Android, Apple, Google, Mobile Computing, Rants, Security Tagged With: Android, AT&T, iOS, Security, Sprint, Stagefright, T-Mobile, Verizon

Android Security: Google or Carriers issue?

January 16, 2015 By Michael Kavka

In the world of Android a couple of disturbing articles have come out recently. Google is no longer patching 4.3 (Jellybean) and earlier versions. Also the amount of malware for Android increased by 75% last year. This begs the question: who is to receive blame on the vendor side?

We all know people do not patch apps. Maybe they don’t like “new” terms that come with the update (most terms are the same as the prior versions). A lot do not get the best information. Patching is important, and we all know that. In the world of PCs we all know about Patch Tuesday (Microsoft, Adobe), and know how long it can take Apple to patch flaws in OSX and iOS (which they completely control and is out of the carriers’ hands). So what about Android, the world’s most popular phone OS?

The announcement this week that Google is no longer patching WebView for versions 4.3 and earlier started me thinking more about this. Yes, Google is “abandoning” 930 Million users. Yes, they come out with new versions of Android so fast that the OS is fractured all over the place. The question is though, is Google doing the right thing? I personally think so. The reasoning why places a bunch of blame on the carriers.

Outside of iOS (iPhone), the carriers control when consumers get updates to their Android (and Windows) phones. In the world of Android, Google announces a patch, update, new version, then it gets sent to the device manufacturers. They have to test against their hardware and customization that they have done to Android for their devices (the look and feel of the OS you see). Then it gets sent to the carriers (Verizon, AT&T, Sprint, etc.) where even more testing has to be done against the carriers’ modifications to the OS (special built in apps, their radios, any network lock downs or features such as tracking cookies). Basically once Google releases the new version/patch/update, getting it onto most people’s phones is out of their hands, the exception being the Nexus devices which Google controls. The longer an update takes to get out there, the more chance there is for a breach. The easier it also may be for malware to get on the phones, and could be a reason the amount of malware for Android increased by 75% last year.

So the question arises, why does it take so long to hit our phones? The obvious and simple answer to me is money. Why bother pushing patches and updates, let alone new versions of the OS, to phones, especially ones that are only a year or two old, when you can try to force people to get new hardware, and either extend or get new contracts to get the latest? Security as a Service you can almost think of it as, but not quite. Seriously, the carriers have a cash cow on their hands with Android and doing things this way. The latest version of iOS is out and works on phones that are years old. Apple has it available for those older phones through their updater, although some features may not work on the older phones, it is still available. I am by no means an Apple fan, but the control they have over their updates is what Google needs to have over Android. The carriers don’t care, and won’t unless they lose some major lawsuit because someone’s phone got hacked due to a security update not having been available for that model. When I tweeted to my carrier (Verizon) about this, they sent me a link to their “news” page which has no information on updates. I also tweeted them back as they asked about what I was looking for (latest Windows Phone update, Android Lollipop) for specific devices. Never heard back from them.

The bottom line on this, from my perspective, is that both Google and the carriers are to blame. Google is to blame, not for not patching, but for not controlling the push out of patches and updates to the OS, and the carriers for not pushing out updates and patches in a timely fashion. Until this gets resolved, Android is going to stay heavily fragmented, and security for everyday people’s phones is going to be shaky at best.

Filed Under: General Tagged With: Android, AT&T, Google, Security, Sprint, T-Mobile, Verizon

Why Cloud Computing Hasn’t Completely Taken Off

July 13, 2010 By Michael Kavka

So Microsoft is declaring this year, yet again, the year of cloud computing. I’m going to a meeting with a different partner on cloud computing. You hear that cloud computing is the wave of the future and can save SMBs money. While all that might be true based on a cost per on site server and maintenance versus cost of having a hosted solution, there are reasons why cloud computing hasn’t quite taken off the way everyone figures it will.

The biggest issue with hosted solutions, otherwise known as cloud computing, can be summarized in one word, bandwidth. From experience with my clients, they get a T1 line, a business class cable line, or some other line that at best offers them maybe 3MB upstream and 6MB downstream. Most use T1’s which is only 1.5MB up and down stream. Heck I have clients that constantly complain about their speed, and yet are not willing to pay more than the $500-$1000 that they are already paying for Internet access. Some have remote locations where a user or two sits, and then complains about load times (even when they are just going into a terminal server) because of lack of bandwidth.

Now, you take an average SMB office and the people in it. For a 5-person office, you have e-mail, documents, maybe some web sites they need to connect to. Now add on the family type atmosphere that allows music streaming, YouTube, and all sorts of other fun stuff that can eat up bandwidth. All of a sudden that T1 is filled. Now if you try to move that server up to the cloud, you hit more traffic that needs to go up and down that 1.5MB pipe. Talk about lag city.

Unfortunately, we are a culture where “T1 is fast” has been ingrained in our brains. My home Internet has 1.5MB upstream but is 18MB downstream. Yeah, that’s 12 times as fast. People who have Verizon’s FIOS can get 50-100MB up and down. A T1 line now, compared to what one can get for their house for way less, is like a 36K modem compared to a T1 10 years ago. The pricing for a T1 is way out of whack with the times, and faster speeds for business become cost prohibitive. The slow upgrade of the ISPs to a full cost effective fiber solution is the biggest barrier to point of entry for cloud computing.

The day will come when bandwidth will be affordable enough that cloud computing will take off. That day though, is not here yet.

Filed Under: Computers, Internet/Music, Rants Tagged With: AT&T, Azure, Cloud Computing, ISPs, Microsoft, Verizon
