CVE-2021-1048 Critical Zero-Day exploit. Patches available from Google

Should have said ‘any experience’ that’s not to say they won’t given how slack most of my acquaintances are regarding not just passwords but providing real detail like DoB, mother’s maiden name, favourite colour, pet, holiday etc.

I always make up stuff for each access hence I have an encrypted file with up to a hundred weird values.

My last job and/or my mother was sometimes a beggar sometimes an astronaut:

I have my work email on it.

Right now, in another window I’m reviewing a document on corporate mobile device policy for my boss and for the colleague who wrote it. The boss (CISO) is calling for Android Enterprise as a minimum, even for BSOD use.

So, unless Fairphone can roll these updates out more quickly there’s no chance of receiving the Android Enterprise sign-off, and I will have to get a different phone for at least work email, etc.

Now, I know that loads of people carry around two different phones for this reason, but doesn’t that run counter to the idea of a sustainable mobile device? To my mind, sustainability should be something I can have in both professional and private spheres.

Better, I should be able to make a recommendation for the organization to buy a fleet of Fairphones because Fairphone is aligned with our sustainable development goals. But not only can I not make that recommendation, but worse, my FP3 is about to be banned from work use.

1 Like

Seems to be an ongoing concern

Then why don’t you install an OS which is aligned with those things? There is more than one to use on the Fairphone.

:rofl: I take it you meant BYOD.

Anyway, good luck arguing with ignorant(/stupid) :slight_smile: it’s probably best not to waste your time on such.

BYOD or not is a company policy. I am not self-employed, so if my boss says I am not allowed BYOD it’s tough luck, and it goes that way for a lot of people. On top of that, having your work and personal device separated yields some advantages (and some disadvantages).

With regards to quick updates, FP2 was good with that with LineageOS. Fairphone was often among the quickest to apply security updates. At the end of FP2 it fell a bit (but nothing dramatic yet). FP3 is outsourced to Arima, and it’s no longer as quick with security updates, but you should have a look at how slow Samsung (the market leader on Android) is. I think if you want the quickest updates, it’s best to apply firmware updates manually and use a custom OS like LineageOS or /e/ or use another device such as Pixel with GrapheneOS.

Please don’t be rude to the majority that work in the mines, the factories and are the bulk buyers of the technology you want to exploit. :cry:

If someone doesn’t have your specific knowledge are they really stupid? Maybe ignorant of your peculiarity but I imagine everyone can point the finger. :slight_smile:

1 Like

Gee what a surprise it’s you who’s quoting that particular sentence. Did you notice I wasn’t talking to you? Did you notice I put stupid behind brackets? Now, if you want to know: the problem is lacking knowledge about the subjects and sounding certain of your own PoV with anecdotal evidence such as “I don’t know anyone who’s impacted” [1] which you previously said elsewhere as well. Of course you don’t; if you don’t know how shit smells you’re not gonna observe it.

[1] “I am at pains to add that like previously said not many people have a bad experience, well none that I know.”

With regards to [2]

[2] “most people (including myself) don’t care, as most people don’t know any instance where one was hacked and don’t see a real danger”

is flat out ignorance, and as the saying goes, ignorance is bliss. Why is it ignorance? It lacks any kind of imagination or knowledge of real-world threats.

You want examples? OK, I’ll give two:

  • Sextortion (and other cases where very private data got leaked; a known case involving celebrities is called “The Fappening”)
  • Implants (for example in journalists’ iPhones, but also which involved advanced techniques to avoid detection)

Now, maybe you’re gonna reply: “I don’t know anyone who’s affected by (for example) sextortion”. Maybe you don’t. I do know someone who got an implant on Windows back around ~2004, it was sheer coincidence she found it out because it was malfunctioning, so what must I conclude from this? OTOH, I don’t personally know anyone whose bike got stolen in Amsterdam. But it sure as hell happens all the time. The key point is: lack of evidence does not equal evidence of the contrary.

1 Like

Yeah, I don’t know why I type S instead of Y.

1 Like

My team is tasked with writing one, so go figure.

I wish. However my boss is quick to point out (rightly) that we can’t make one set of rules for those of us who are ready to take our security into our own hands, and the general population of medical doctors and other professionals who are too busy to learn how to install Lineage OS.

2 Likes

I don’t think @amoun was the one making anti-security arguments. Let’s be nice, please.

1 Like

I’d love to. See above.

1 Like

You roll it out for them, just like a device with MDM is rolled out before them.

Usually a few people are exempt from the main strict policy (for whatever reason). I get you can’t do that for the general users. I did provide an alternative: GrapheneOS on Pixel devices. You get the benefit of being privacy minded, and also quick security fixes. It’s available as we speak.

You could wait for FP4 to take off, but nobody knows how it’s gonna be. However, I hope and expect it to be akin to FP2 in the heydays because like with FP2, Fairphone do the software development in-house instead of third party (via Arima with FP3).

Yes they did, I quoted them in that post with [1] and [2] (a quote by another person).

So although security is an issue to some degree for just about everyone it’s not the same and I am interested and so follow the topic.

Sure I don’t understand very much of it but calling me or anyone else stupid etc. is well off topic as I see it and provocative.

So are you really surprised it was me that took issue with your dispersions or more that no one else can be bothered?

You are clearly upset not just about security but ~ well I just don’t know and then to add

do you really want to be ignored ???

Given security is a personal issue I see no reason not to comment on how I am affected by it and it would be reasonable for anyone reading my experience to know it isn’t everyone else’s without you calling me ~ whatever you have at your disposal.

I said ignorant, with stupid behind brackets. If you want to be positive about it you can read ignorant, if you want to be negative you can read stupid.

I argued very clearly how your standpoint is at least ignorant. Which, as this reply states is a big problem in this field.

The reality is the following:

Practically EVERYONE has very personal data on their smartphones. You want to keep this data secure and private.

For example, I have a password manager on my smartphone. You may have one or not. If someone has root, they have access to all my passwords. Does that mean they figure that out, does that mean they will use any of these? No, but the danger is there, and very real. I already mentioned sextortion as well, as well as implants being applied world-wide on a certain job description (journalists).

If you want to, for example, install some random application via the Play Store which is shady, then this is your choice, and it’s your freedom to do that. User B might decide not to. That’s akin to the liberty of visiting a website. It involves free will. Here in this specific case, we don’t have the freedom to work around this issue barring installing some third party OS. We cannot patch this ourselves. We’re at the mercy of Fairphone/Arima. Which is why saying ‘Given security is a personal issue’ is a non-starter.

FYI: I don’t care if I get ignored by you. I don’t think you’re reasonable when it comes to this subject (given this isn’t the first time you pull this very argument from your hat), and I want to warn the other readers your viewpoint is unreasonable. Given that, if you decide to not reply to my arguments, that’s actually a Good Thing :smiley: so, feel free!

1 Like

I’m not getting what the problem you have is although I take it you think I am ignorant and not stupid (to be further assessed no doubt)

  • I have encrypted areas, virtual volumes, on my PCs etc and I have a password manager too where I consider it necessary, which is for all internet sites for example.
  • I want to warn the other readers your viewpoint is unreasonable. ( JerornH quote not mine :slight_smile:

So why would you think I wouldn’t respond to you, whatever gave you that idea? My apologies that you thought I may ignore you, but I still don’t understand how my view point is unreasonable to you, and further what viewpoint do you have such an unrequited issue over?

Can’t we all just get along?

And of course we all support sustainable technology. Right?

So we should support the notion of our favourite sustainable technology provider being widely used. To get there we need the certification, and to get the certification we need timely security updates.

We’re all on the same side here. This is what’s required to achieve our shared goals.

6 Likes

Not going to happen. Pretty much every monthly patch from Google contains critical patches. The only way to make sure that you receive those in a timely manner is to buy a Pixel phone (or a recent Galaxy S, Samsung is also pretty quick these days).

Fairphone for example has (at least to the best of my knowledge) outsourced its OS development to its main assembly partner in Taiwan. So they cannot even directly control the availability of OS patches AFAIK.

Best wishes,
Thomas

2 Likes

Looks like the required update is available for the FP2 now!

5 Likes

Just wondering if authors here have read

and more

What makes you think that update is related?