bit-tech.net

Old 4th Jul 2013, 09:59   #1
Gareth Halfacree
WIIGII!
bit-tech Staff
 
Android 'master key' discovery raises security risk

Ne'er-do-wells just got a new tool.
http://www.bit-tech.net/news/bits/20...ebox-android/1
__________________
Author, Raspberry Pi User Guide, Meet the Raspberry Pi | gareth.halfacree.co.uk | twitter
bit-tech news correspondent, Custom PC columnist, other things to other people
I'm a filthy freelancer! Hire me!
Old 4th Jul 2013, 10:38   #2
Snips
I can do dat, giz a job
 
Since February? Wow, this is very bad.

I think Google are keeping quiet whilst they work day and night to patch this, right?
Old 4th Jul 2013, 10:50   #3
Spreadie
http://goo.gl/vNwEky
 
Quote:
Originally Posted by Snips View Post
I think Google are keeping quiet whilst they work day and night to patch this, right?
You'd like to think so, wouldn't you?

Even so, an awful lot of devices are likely to be left unpatched and vulnerable.

Nice timing for Firefox OS though.
__________________
It is not "should of", "could of" or "would of". Educate yourself

2500K|Z77E-ITX|8GB|680|3007WFP-HC|DS Cube
Old 4th Jul 2013, 10:53   #4
Jaybles
Hypermodder
 
And Jolla
__________________
i7 950 @ 3.8 1.192v|Noctua NH-U12P SE2|Asus P6X58D-E|12 GB DDR3 1600|1TB Samsung Spinpoint F3|Samsung 830 64GB|XFX Double D R7950|Asus Xonar DG|Antec Quattro 850w|Bitfenix Colossus|Dell U2311H|Dell E173FP
Steam|PSN:nythraln
Old 4th Jul 2013, 10:54   #5
Nexxo
Whatever's Geek.
 
Quote:
Originally Posted by Snips View Post
Since February? Wow, this is very bad.

I think Google are keeping quiet whilst they work day and night to patch this, right?
Er...yes. Yes, of course they are.
__________________
"You actually hope to achieve your ideals, I just use mine as an excuse to hate everything" --specofdust
"Right wing Republicans, all the murderousness of nut-job Iranian ayatollahs, none of the bearded coolness" --specofdust


Old 4th Jul 2013, 11:03   #6
Dave Lister
Hypermodder
 
Following in Microsoft's footsteps, I wonder if custom ROMs still have this master key! Incidentally BT, I've still never seen you cover the story of all versions of Windows since Win 95 Second Edition having back door keys built in for various government agencies to snoop around!
__________________
Main Rig:Case: BitFenix Prodigy, Motherboard: MSI Z97I Gaming, CPU: Intel i7 4790K, RAM: 16Gb 2400Mhz Kingston HyperX Beast GPU: XFX ATI 5870, Primary HDD: 128Gb Kingston SSDNOW 200, Games Drive: 1Tb Toshiba SSHD, Cooler: Corsair H105, OS: Win 7 - 64
HTPC:Case: Gutted out VCR, Motherboard: Asus AT5IONT-I, CPU: Intel Atom D525 @ 1.94Ghz, RAM: 4Gb 1333Mhz Kingston GPU: Nvidia Ion 2, Primary HDD: Hitachi 500Gb, Optical Drive: NEC ND-6500A Laptop Drive, OS: Win 8.1 32
Old 4th Jul 2013, 11:08   #7
Gareth Halfacree
WIIGII!
bit-tech Staff
 
Quote:
Originally Posted by Dave Lister View Post
Incidentally BT, I've still never seen you cover the story of all versions of Windows since Win 95 Second Edition having back door keys built in for various government agencies to snoop around!
Prove it, and an article shall appear. Alternatively, use the search function to bring up such classics as Windows 7 security courtesy of the NSA or Crypto 'backdoor' in Vista SP1.
Old 4th Jul 2013, 11:16   #8
Dave Lister
Hypermodder
 
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by Dave Lister View Post
Incidentally BT, I've still never seen you cover the story of all versions of Windows since Win 95 Second Edition having back door keys built in for various government agencies to snoop around!
Prove it, and an article shall appear. Alternatively, use the search function to bring up such classics as Windows 7 security courtesy of the NSA or Crypto 'backdoor' in Vista SP1.
Damn I'll have to go hunting for the article now !
Old 4th Jul 2013, 11:26   #9
Dave Lister
Hypermodder
 
http://www.washingtonsblog.com/2013/...s-by-1999.html

http://katenews2day.com/2013/06/24/t...osoft-windows/

Admittedly some sites are saying this was debunked years ago, but MS have never dismissed the claims apparently.
Old 4th Jul 2013, 11:30   #10
faugusztin
I *am* the guy with two left hands
 
Quote:
Originally Posted by Dave Lister View Post
I wonder if custom roms still have this master key !
Technically there is no such thing as a "master key" to include in any ROM in this case. Publishers have their private key, and the installer in Android checks if the signature is valid using the public key. The issue is that there is a vulnerability in Android which allows you to modify the packages without the ownership of the publisher's private key. That is why they call it "master key", but there is no such thing to "have" in the Android ROM.

It is exactly meant as a master key in the terminology of locks and lockpicking. You got your lock (APK package) and your key (private key), and others have their own locks and keys too, which can open only their own locks. But someone got the "master key", which can open all those locks. It doesn't mean it was made by the lock manufacturer, or that your keys are not good anymore - it is simply that someone can use a different means to access your locks; or in the case of this vulnerability, to modify packages of publishers without the knowledge of their private signing key.
__________________
Cerberus Core i7-2600K Asus P8Z77-I Deluxe GSkill RipjawsX 2x8GB DDR3-1600CL9 watercooled EVGA GTX670 Samsung 840 Pro 512GB+840 EVO 1TB Bitfenix Prodigy Seasonic X-460 Windows 8.1 Pro
Prometheus i5-4460 ASRock Z97 Extreme6 4x8GB DDR3-1333 NH-D15 Samsung XP941 256GB+6xWD30EFRX+2xWD20EARS+6xWD20EARX+WD40EFRX Seasonic X-460
Old 4th Jul 2013, 11:36   #11
Gareth Halfacree
WIIGII!
bit-tech Staff
 
Quote:
Originally Posted by Dave Lister View Post
Admittedly some sites are saying this was debunked years ago, but MS have never dismissed the claims apparently.
It was. There has never been any evidence of a back door in Windows for government agents - which is why you've never seen a story on Bit-Tech saying that there's a back door in Windows for government agents. Even when Microsoft accidentally leaked the Windows source code, guess what? No back door.

I'm not saying there isn't one in there - in fact, I reckon there probably is - just that there is absolutely no evidence, and without evidence there's no story to tell. Like I said, if you can find evidence - not random conspiracy theory blogs rehashing a pre-millennial rumour long debunked - then I'd be more than happy to write it up and see it run as a front-page exclusive.
Old 4th Jul 2013, 11:47   #12
SAimNE
Multimodder
 
It's not as bad as it sounds for the users... Worst case scenario, install a custom OS that supplies a fix if Google doesn't (there are going to be some). Though for Google this is going to be a decent blow to credibility if they don't fix this. Not to mention they would probably lose quite a few customers to the overpriced mess iOS.
Old 4th Jul 2013, 11:51   #13
Dave Lister
Hypermodder
 
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by Dave Lister View Post
Admittedly some sites are saying this was debunked years ago, but MS have never dismissed the claims apparently.
It was. There has never been any evidence of a back door in Windows for government agents - which is why you've never seen a story on Bit-Tech saying that there's a back door in Windows for government agents. Even when Microsoft accidentally leaked the Windows source code, guess what? No back door.

I'm not saying there isn't one in there - in fact, I reckon there probably is - just that there is absolutely no evidence, and without evidence there's no story to tell. Like I said, if you can find evidence - not random conspiracy theory blogs rehashing a pre-millennial rumour long debunked - then I'd be more than happy to write it up and see it run as a front-page exclusive.
I'm guessing this story has just recently popped up on the radar because of the proven spying that has happened recently. But the second link does say that the second key has been shown to belong to the NSA, and the article is dated June of this year.
Old 4th Jul 2013, 11:54   #14
Dave Lister
Hypermodder
 
Quote:
Originally Posted by faugusztin
Quote:
Originally Posted by Dave Lister View Post
I wonder if custom roms still have this master key !
Technically there is no such thing as a "master key" to include in any ROM in this case. Publishers have their private key, and the installer in Android checks if the signature is valid using the public key. The issue is that there is a vulnerability in Android which allows you to modify the packages without the ownership of the publisher's private key. That is why they call it "master key", but there is no such thing to "have" in the Android ROM.

It is exactly meant as a master key in the terminology of locks and lockpicking. You got your lock (APK package) and your key (private key), and others have their own locks and keys too, which can open only their own locks. But someone got the "master key", which can open all those locks. It doesn't mean it was made by the lock manufacturer, or that your keys are not good anymore - it is simply that someone can use a different means to access your locks; or in the case of this vulnerability, to modify packages of publishers without the knowledge of their private signing key.
Consider me more educated on the matter now, cheers for the explanation faugusztin
Old 4th Jul 2013, 12:22   #15
Gareth Halfacree
WIIGII!
bit-tech Staff
 
Quote:
Originally Posted by Dave Lister View Post
But the second link does say that the second key has been shown to belong to the NSA, and the article is dated June of this year.
The story which appears on a right-wing conspiracy site run by a single individual, you mean. Yeah, the source for that claim? Joseph Farah, a conspiracy theorist who was vocal in claiming that Barack Obama was not a US citizen, and therefore could not serve as president. After the birth certificate proving Obama's heritage was released, he claimed that he wouldn't believe it without seeing the long-form version of the birth certificate - going so far as to promise $15,000 to the hospital if it released the certificate. When the long-form birth certificate was released, he reneged on his offer and claimed that the certificate was fraudulent.

What I'm trying to say here is this: don't trust news you read from anti-government right-wing types (or, indeed, left-wing types - basically, any extremism is bad extremism) especially when the news paints the government in a bad light. Especially don't trust people like Farah, who is neither a security expert nor a cryptographer, to have any idea what he's talking about when it comes to cryptographic signing keys.
Old 4th Jul 2013, 12:37   #16
Andy Mc
I *am* a Dremel
 
So. Is this how PRISM is logging our mobile metadata then?




Brb, Just getting my tinfoil hat.
Old 4th Jul 2013, 12:37   #17
faugusztin
I *am* the guy with two left hands
 
Quote:
Originally Posted by Dave Lister View Post
Consider me more educated on the matter now, cheers for the explanation faugusztin
Just to be more detailed - while this "security hole" increases risk, it does so only for those who are already living a dangerous life in the first place. The reason is that while technically you could inject your own dangerous code into an application of another publisher, that is only a part of the publishing process. You would also need to distribute the app, and this is where you hit a wall - to put it on Play Store or Amazon Appstore, you would need to get the logon credentials of the publisher, to upload your modified version as a new version of the app from the publisher.

Otherwise you would need to choose one of the less optimal distribution paths:
- Play Store/Amazon Appstore, but the app would have to be published with a different publisher and different namespace, which pretty much defies the point of doing this in the first place
- manual distribution (warez sites etc) - this is realistically the only place where this hole could work.

In short - if you only use official application stores, you still don't have to fear about the security of your phone unless the publisher of the application got hacked.
Old 4th Jul 2013, 12:40   #18
Dave Lister
Hypermodder
 
Fair enough. Nobody should be trusted really. Anyway it's good to know you guys are on the ball and know about the murkier side of things
Old 4th Jul 2013, 13:09   #19
Gareth Halfacree
WIIGII!
bit-tech Staff
 
Quick update: CIO has word from third parties that Google's recent move to ban apps from self-updating outside Google Play was in response to this, and that Google Play itself has been updated to detect if files that are uploaded have been tampered with. It's also claimed that, while Google's stock Android install found on the Nexus family is still vulnerable, Samsung has apparently patched the Galaxy S4 to remove the flaw. No details yet on how, or how quickly other manufacturers will do the same for their own handsets.
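Added example, not part of any post in this thread: a sketch of the content check behind the "installer checks the signature" step faugusztin describes and the "detect tampered uploads" idea in the update above. It assumes a simplified JAR-style manifest (one `SHA-256-Digest` per entry) whose authenticity has already been established by the publisher's signature; the function names and sample package are constructed for illustration and are not Android's or Google Play's code.

```python
import base64
import hashlib
import io
import zipfile
from collections import Counter

MANIFEST = "META-INF/MANIFEST.MF"
# Constructed sample contents; not a real application.
SAMPLE_FILES = {
    "classes.dex": b"constructed dex bytes",
    "res/raw/config.txt": b"mode=release\n",
}


def digest_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_package(files: dict) -> bytes:
    """Zip the files together with a manifest listing each file's digest."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest_b64(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "\r\n".join(lines))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def repack_with_change(blob: bytes, target: str, new_data: bytes) -> bytes:
    """Copy a package, replacing one entry but keeping the old manifest."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = new_data if info.filename == target else src.read(info)
            dst.writestr(info.filename, data)
    return out.getvalue()


def parse_manifest(text: str) -> dict:
    """Return {entry name: digest}. Simplified: no 72-byte line continuations."""
    digests = {}
    for section in text.replace("\r\n", "\n").split("\n\n"):
        attrs = dict(
            line.split(": ", 1) for line in section.splitlines() if ": " in line
        )
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests


def check_package(blob: bytes) -> list:
    """Return findings; an empty list means contents match the manifest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        counts = Counter(info.filename for info in infos)
        # A name listed twice is ambiguous: the checker and the installer
        # could disagree on which bytes were verified, so flag it outright.
        for name, n in sorted(counts.items()):
            if n > 1:
                findings.append(f"ambiguous: {name} appears {n} times")
        if counts[MANIFEST] == 0:
            return findings + ["no manifest"]
        manifest_info = next(i for i in infos if i.filename == MANIFEST)
        expected = parse_manifest(zf.read(manifest_info).decode("utf-8"))
        for info in infos:
            name = info.filename
            if name.startswith("META-INF/"):
                continue  # signature metadata is not listed in the manifest
            if name not in expected:
                findings.append(f"unlisted: {name}")
            elif digest_b64(zf.read(info)) != expected[name]:
                findings.append(f"modified: {name}")
        for name in sorted(set(expected) - set(counts)):
            findings.append(f"missing: {name}")
    return findings


if __name__ == "__main__":
    original = build_package(SAMPLE_FILES)
    print("original:", check_package(original))
    altered = repack_with_change(original, "classes.dex", b"altered")
    print("altered: ", check_package(altered))
```
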
Old 4th Jul 2013, 13:28   #20
faugusztin
I *am* the guy with two left hands
 
Quote:
Originally Posted by Dave Lister View Post
Fair enough. Nobody should be trusted really. Anyway it's good to know you guys are on the ball and know about the murkier side of things
It's not really a "murkier side", there are simply steps to publish an app in play store and you can't just go and publish an "Angry Birds" application with "ROVIO MOBILE LTD." set as publisher without really being "ROVIO MOBILE LTD.", as you can't register 2 publishers with the same name and you need to be able to access the Google Play Developer Console of the publisher to publish an app in their name in the first place.

Sure, in the case when your user name and password are compromised and someone knows this "master key" trick, then yes, he could upload an updated version of an app without knowledge of the original signature - but in that case you have a much bigger problem than a malicious app uploaded in your own name.

Tags
android, bluebox, bluebox security, google, google play, jeff forristal, malware, security, trojan, trojan horse, vulnerability



All times are GMT +1. The time now is 17:20.