Good analysis on the Android security ecosystem

I recently blogged about Google and Samsung starting to offer regular security patches for their Android devices.

Over on ars technica, Ron Amadeo has an interesting article describing why the current Android ecosystem is not conducive to the quick and widespread distribution of security fixes and why this needs to change, urgently.

At this point in time it seems that in order to be halfway secure, one has to basically root the phone and run well-tested and well supported distribution like CyanogenMod. While I – and presumably most, if not all, readers of this blog – certainly have the technical know how and abilities to root a phone, that’s a poor approach to security because most people either will not or cannot root their phones.

Why I’m suspicious of car insurance dongles

Some security researchers from UCSD showed a proof of concept exploit via one of the dongles that appears to be also used by car insurance companies to monitor your driving “to give you discounts for good driving”. I’m not really a fully paid up subscriber of the tin foil hat brigade but stuff like this makes me glad that I’m still opting for the old-fashioned way of paying for car insurance. Of course the fact that over half our fleet is too old to be OBD-II compliant may have some bearing on that as well…

Not knowing much about CAN bus, my assumption is that in order to get access to certain pieces of data, the dongle will have to put commands on the bus and read the responses. That part is blindingly obvious. Good security practices however would suggest that such a dongle would have a built-in mechanism that restricts the commands it can issue to the set of commands it actually needs to issue to fulfill its function rather than just allowing commands through unfiltered, especially if said dongle is connected to the outside world. I mean, with the ability to issue arbitrary commands to a pile of steel weighing a couple of tons and potentially moving at 70-80 miles per hour, what could possibly go wrong?

On the other hand, instead of having to invent one of those EMP devices as “showcased” in Fast & Furious to stop a street racer, all law enforcement has to do is to send the car an appropriate (or rather, inappropriate) text message.

If anybody needs me, I’m over on Hemmings.com looking for a Ford model A. Try texting that one to stop.

Dear Apple, are you really forcing me to choose between buying new hardware and a Windows license?

We have an early 2008 MacBook “Blackbook” that is still working perfectly well and does everything we ask from it. It’s one of the reasons I love Apple hardware – it’s well engineered and works without a major fuss. Obviously we’re not playing games on it but it’s perfect for us to use for tasks that need a bit more power or typing than you’d want to do on a tablet. It’s also perfect for doing tasks that I want to use a separate computer for, like online banking.

Unfortunately it just stopped being perfect for those tasks because the last operating system that supports it is OS X 10.7 (aka “Lion”). It doesn’t meet the requirements for Mountain Lion and subsequent versions of OS X. I don’t need the latest and shiniest OS X on this machine but with the release of OS X 10.10, the security updates for Lion appear to have stopped. I write “appear to” because I couldn’t find an official announcement from Apple, just some references from the commentariat that Apple seems to be following the same procedures it has followed in the past when releasing a new version of OS X. There’s also no officially published end of life schedule, so it’s hard to guess those things.

Either way, this leaves me with a headache. I really like the 2008-2011 Apple hardware due to its robustness, but now I have to go look for an alternative OS. Nobody knows what undiscovered security issues lurk in Lion and I can’t get any security updates from the manufacturer anymore. So in effect if I care about security, I have an expensive doorstop with an Apple logo on it unless I install either Windows or Linux on it. Linux is out because my wife isn’t technical and I can’t really inflict even something like Linux Mint on her. That leaves me with Windows unless I want to spend at least $500 on new Apple hardware. Realistically I’d end up spending at least $700, because I don’t see the entry-level Mac Mini as good value for money, much like the entry-level really slow iMac isn’t either. Oh, and that one will probably end up being obsoleted by the same issue in another 4-5 years.

As a developer I’m obviously used to regularly replacing computers but in the last five years there wasn’t that much of an incentive to do so; my main hack-at-home machine is still a 2009 Mac Pro that’s been tweaked to pretend it’s an early 2010 one. It’s fast enough, it’s quiet and Just Works. It can also be easily extended with PCI cards, graphics cards and hold up to four HDDs. Yes, it has all the visual appeal of an overgrown toaster but it’s a professional workstation and clearly designed as one. I however take issue with obsoleting perfectly working and viable hardware.

So I guess this is a reason to give Microsoft more money for another Windows license and use it as an excuse to stick an SSD or a hybrid disk into the MacBook. Unfortunately this doesn’t help sway me in my decision that when the time comes to buy a new workstation for me. The next box I’ll buy or build will very likely be a dual-boot Windows/Linux box again instead of buying another Apple pro-level workstation.