This is a secondary account. My main account is listed below. The main will have a list of all the accounts that I use.

[email protected]

  • 2 Posts
  • 56 Comments
Joined 1 year ago
cake
Cake day: July 11th, 2023

help-circle

  • A smartphone is the ultimate, single-user personal computer. Choosing a device is too intimate for me to use any sort of tabular comparison tool. The device needs to be right for me qualitatively also.

    I strongly recommend picking a handful of devices and getting a variety of opinions from reviewers. Then, weigh those opinions against what features are most important to you.

    If this is your main computer which most likely it is for most people, it’s worthwhile to spend some time on selection.



  • There’s a lot of inertia to overcome here. There’s advice online everywhere that Android may not the best platform for tablets. As someone who loved the Nexus 7, until you have a large user base that’s using the tablets, it’s a tougher sell to developers and to users especially that iPads are cheaper now than they have been in the past.

    It’s an uphill battle. Google has to pay those taxes for doing such a terrible job of getting into the tablet as its own related but different market from mobile.


  • The baseband firmware is not so privileged anymore. Most new phones, like the Google Pixel 7, have IOMMU to force the baseband to communicate through a very restricted interface to the kernel. Certainly, you can interfere with texts and calls, but a baseband RCE doesn’t yet compromise the data stored on the phone by itself–not to diminish the seriousness or to suggest that we shouldn’t patch such an exploit immediately.

    RCE, the “remote” aspect, in the operating system? So directly in the kernel and accessible remotely, such as through the networking code? I’m curious now. Most of the ones I’ve seen are in some other component that is sandboxed. True system-level privilege RCEs seem to be relatively rare. Usually, you get RCE, then you need privilege escalation to do something especially interesting.

    Indeed; I’m sometimes able to leverage even a few bits of memory corruption into execution in many cases, though the hardened allocator in Android makes this a serious PITA to arrange to overwrite something useful.



  • To expand on this, most vulnerabilities that require the vendor to actually participate by providing security updates are specific to your hardware configuration. These kinds of vulnerabilities are less attractive to most attackers because of their specificity. Attackers would much prefer to have a vulnerability that applies to many different victims, not just a specific kind. Android has gone to great lengths to update these commonly targeted components regardless of your vendor support status. Unless you believe you would be specifically targeted, the risk is fairly low.

    I’m not sure it’s fair to put iPhone down. They do take security very seriously, especially physical security with their formally verified bootloader. Not seeking a flame war. I just didn’t think it was accurate. Are we so sure they don’t have individuals focused on iPhone security at Apple? Compromised devices impact their brand image while the same bugs can be used for jailbreaking. I’m sure it’s very important. I interviewed with a team up there that I believe specialized in just that. Just recently Apple implemented an emergency security patching system for their devices to get security updates out even faster.

    Full disclaimer: I use both devices for software development. I have no special preference.