Geekzone: technology news, blogs, forums
2786 posts

Uber Geek
+1 received by user: 226


  Reply # 1880350 10-Oct-2017 13:56

vyfster:

 

CYaBro:

 

I had a similar talk with a colleague here at work.

 

He bought a brand new Mazda 3 about 18 months ago, and one of the nice features of the entertainment system was the built in Pandora support.

 

Now that Pandora is no longer available in NZ he must be able to get a replacement car surely?! :)

 

 

The difference here is that Pandora is a third party / external service.  It has nothing to do with the functioning of the entertainment system - other than integration with an external provider.  So no, no new car expected under this circumstance.  However, if integration with Pandora was such that the entertainment system no longer functioned then I would argue that the software would need to be patched so that it is functional.  

 

I don't believe this to be the same thing as having to switch off a feature of the device in order for the device to be secure.

 

 

 

 

Except that if you had told the sales person that Pandora was the reason you were buying that car, and they said yes this car has Pandora, and now that feature no longer exists, then what?







67 posts

Master Geek
+1 received by user: 9


  Reply # 1880353 10-Oct-2017 14:05

CYaBro:

 

 Except that if you had told the sales person that Pandora was the reason you were buying that car, and they said yes this car has Pandora, and now that feature no longer exists, then what?

 

 

I honestly don't see this as being the same.  One is integration with a third party supplying a service and the other is a feature of the device / OS.  The manufacturer has no say / control over how that service provider operates.  But they do have control over the functioning of the features within their devices.


 
 
 
 


647 posts

Ultimate Geek
+1 received by user: 170


  Reply # 1880354 10-Oct-2017 14:08

Do phones have user licenses attached to cover use of the operating system? I think my Apple does, but to be honest, it's part of the set up process that is usually skipped (who reads those things anyway).

 

If there is, I suspect that there are appropriate disclaimers within said user license that would specifically indemnify the phone manufacturer and operating system developer from liability by someone creating an exploit.


6704 posts

Uber Geek
+1 received by user: 3078

Moderator
Trusted
Subscriber

  Reply # 1880355 10-Oct-2017 14:16

vyfster:

 

Awesome, thanks for the link!  I wasn't aware of Lineage.  Will look into it.

 

I think that when it comes to security, manufacturers should be made to be responsible for what they produce.  If not, then best case, everything just becomes another node in a botnet.  At worst, who knows what information you lose.  Identity theft, bank account cleaned out, who knows what else.  Maybe I'm just paranoid or maybe I'm not paranoid enough!?

 

I do completely see your point but my phone was patched rather quickly too (OnePlus 5) so I was only stressing for a few weeks. I just don't think it is a CGA issue. I do also agree with major high visibility vulnerabilities that more companies should take responsibility but on the flipside of that there are phones that people are still using (older iPhones) that will remain unpatched and vulnerable. Companies have to draw a line at some point and will likely have usage stats of each device otherwise they'll be forced to keep paying staff (and for infrastructure) to package and release updates to phones technically beyond their shelf life.

 

But with Android you almost always have options with third party firmware and companies like Sony often make it easy to flash these since it is still your device. Also some people are stupid to the point a security update wouldn't fix them downloading pirated apps from third party sources bundled with malware (Link).

 

Android is a great platform but unless you're buying direct from Google you can almost expect your updates to slow down after a single year which is why I always check out XDA before buying a phone to ensure there is an active community working on third party roms.





Michael Murphy | https://murfy.nz


13233 posts

Uber Geek
+1 received by user: 1564


  Reply # 1882162 11-Oct-2017 23:01

CYaBro:

 

I had a similar talk with a colleague here at work.

 

He bought a brand new Mazda 3 about 18 months ago, and one of the nice features of the entertainment system was the built in Pandora support.

 

Now that Pandora is no longer available in NZ he must be able to get a replacement car surely?! :)

 

 

 

 

 

 

That doesn't stop you driving the car though, and it could be replaced with something else in the future via a software update. Also it is a third party service.  Hopefully they are going to add Apple CarPlay to it, because I find the infosystem not great, and laggy, and I also found the Pandora app on it crashy. Also can't you still access Pandora if you use something like getflix?

 

However bluetooth also isn't really needed to use the phone either. 




67 posts

Master Geek
+1 received by user: 9


  Reply # 1882323 12-Oct-2017 10:06

mattwnz:

 

However bluetooth also isn't really needed to use the phone either. 

 

 

You do realise that a mobile phone is more than just a phone nowadays?  I take it you don't use hands free when driving?  What about using bluetooth earphones?  Or streaming to a media player via bluetooth from the mobile mini computer that is capable of making calls?  I also use it to connect my garmin heartrate monitor, via bluetooth, when out running / working out.

 

It's not needed to make calls (unless using hands free), but it is a feature of the mobile device (that is not only a phone).  IMHO all features should work and be free of defects for the mobile device.


1363 posts

Uber Geek
+1 received by user: 836

Trusted
Subscriber

  Reply # 1882324 12-Oct-2017 10:09
2 people support this post

Defect and vulnerability are two different things and still don't believe you have a case zero, zip, nada

 

Linux


25464 posts

Uber Geek
+1 received by user: 5271

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 1882332 12-Oct-2017 10:24
One person supports this post

In all seriousness you need to do two things - either commit some serious money to trying to take on every corporate in NZ who will certainly lawyer up or build a bridge and move on.

 

All products have a lifespan. The Z3 is now an end of life unsupported device that is now 3 years old. Sony are one of the best manufacturers out there when it comes to updates, and they are supporting all phones with updates for around 2 years. This is well beyond what many phone manufacturers are doing.

 

Are you prepared to pay 2-3x the price you do for a phone if a manufacturer was forced to provide software updates for an infinite period for every device they've ever made?

 

As for the actual issue itself maybe you need to weigh up the risk of it actually occurring vs the risk of everything else in life. From a risk analysis point of view there is a significantly greater chance of you being hit by a bus today than having your phone hacked. Tomorrow the chances of you being diagnosed as having cancer will be significantly greater than having your phone hacked.

 

 




67 posts

Master Geek
+1 received by user: 9


  Reply # 1882333 12-Oct-2017 10:25

Linux:

 

Defect and vulnerability are two different things and still don't believe you have a case zero, zip, nada

 

 

I accept that you don't believe I have a case.  I have taken the advice to cut my losses, which I'll do.  However, I don't accept that vulnerabilities are not defects.  I don't understand why security isn't seen as an important "feature" of the mobile device.  Especially since we seem to be storing more and more data on our mobile devices.  We also use them to do banking when out and about.  And then there's Android Pay which stores credit card information. 

 

To my mind, the vulnerability is a defect in the software and therefore should be considered as such - a defect.  And no, it doesn't operate as intended as I'm sure the intention wasn't to expose the device to vulnerabilities in this way.


2055 posts

Uber Geek
+1 received by user: 613

Subscriber

  Reply # 1882336 12-Oct-2017 10:33

I have to ask...did you seriously think you would make any progress on this as a genuine issue, or were you just trying it on to get a new phone?




67 posts

Master Geek
+1 received by user: 9


  Reply # 1882338 12-Oct-2017 10:35

sbiddle:

 

In all seriousness you need to do two things - either commit some serious money to trying to take on every corporate in NZ who will certainly lawyer up or build a bridge and move on.

 

 

I have built a bridge and have moved on.  I'm pretty sure I have said as much too.  I am debating the points people are raising, which I thought was one of the reasons for having a forum?

 

sbiddle:

 

All products have a lifespan. The Z3 is now an end of life unsupported device that is now 3 years old. Sony are one of the best manufacturers out there when it comes to updates, and they are supporting all phones with updates for around 2 years. This is well beyond what many phone manufacturers are doing.

 

Are you prepared to pay 2-3x the price you do for a phone if a manufacturer was forced to provide software updates for an infinite period for every device they've ever made?

 

 

Apple support their devices for 5 years.  Why should Android phones be any different?

 

sbiddle:

 

As for the actual issue itself maybe you need to weigh up the risk of it actually occurring vs the risk of everything else in life. From a risk analysis point of view there is a significantly greater chance of you being hit by a bus today than having your phone hacked. Tomorrow the chances of you being diagnosed as having cancer will be significantly greater than having your phone hacked.

 

 

 

Until someone turns this vulnerability into a worm where all infected devices infect other devices around them.  Also, you wouldn't necessarily know if someone were to take advantage of this vulnerability.  

 

So to be clear - I have taken the advice and am not interested in lodging a CGA claim.  But I am interested in understanding why people don't seem to place much value in the security of a device.  Any device for that matter.  Given the explosion of IoT devices, this (security) should be priority number one, but unfortunately it isn't.  And if manufacturers are not spanked for it, then they'll continue to ignore it.

 

 




67 posts

Master Geek
+1 received by user: 9


  Reply # 1882343 12-Oct-2017 10:38

lxsw20:

 

I have to ask...did you seriously think you would make any progress on this as a genuine issue, or were you just trying it on to get a new phone?

 

 

I'm not interested in getting a new phone.  There is nothing wrong with my phone.  I would've been happy with a firmware update that addressed this vulnerability. 

 

To me, this is a genuine issue because I lose a feature that I use all the time by having to turn off bluetooth.

 

I'd also like to point to the title - I was asking for advice and to get a general consensus on whether I had a case or not.  


345 posts

Ultimate Geek
+1 received by user: 215


  Reply # 1882357 12-Oct-2017 10:55

IMHO having important information in a portable or connected device is inherently risky. People who are hyper concerned about security need to be mindful of what data is on their phones in the first place, and possibly shouldn't use a smart phone at all. An OS vulnerability is one thing but is it really your primary security concern?

 

Phones get physically stolen and lost every day and you are consequently vulnerable to loss of data and theft of valuable/compromising information. I know no one who has been hacked via bluetooth but many people who have physically lost their phones. Once a lost phone has been disconnected from data services, and a hacker physically has your phone (it could be months later) there is nothing you can do to stop them having their wicked way with your data.

 

If your phone gets hacked or ends up as a node in a bot net and you have no valuable info on it - mhhha? Shrug it off and you can probably do a factory reset to get rid of the problem. 

 

 


6704 posts

Uber Geek
+1 received by user: 3078

Moderator
Trusted
Subscriber

  Reply # 1882359 12-Oct-2017 10:56

@vyfster upgrade to lineage already...




Michael Murphy | https://murfy.nz


2912 posts

Uber Geek
+1 received by user: 828

Trusted
Subscriber

  Reply # 1882362 12-Oct-2017 10:59
One person supports this post

vyfster: Maybe I'm just paranoid or maybe I'm not paranoid enough!?

My thoughts are closely aligned with what @sbiddle has said. The chances of an actual attack (whether BlueBorne or bluesnarf etc) are exceptionally low. Your phone will have either a class 1 or class 2 Bluetooth radio - most likely class 2, so any attacker would need to be within 10 metres of you to initiate an attack and remain within 10 metres of you for the duration.

Tbh - swiping down on the status bar and turning Bluetooth off when you're not using it is hardly onerous and good for your battery life. I'd suggest getting into this habit is a reasonable solution to your 'problem'.

Modding, a-la the suggestion from USS @michaelmurfy, is another possibility as is the purchase of a different phone. A different phone could encompass something such as a second hand Nexus which won't be as expensive as a new phone but will have patches available, if not already installed.
