Not a single security announcement?
From: jan <jan.niggem...@gmail.com>
Date: Thu, 9 Sep 2010 02:17:53 -0700 (PDT)
Local: Thurs, Sep 9 2010 5:17 am
Subject: Not a single security announcement?
Hi,

citing http://developer.android.com/guide/appendix/faq/security.html#informed
"We will publicly announce security bugs when the fixes are available
via postings to the android-security-announce group on Google Groups."

That particular group is empty (except for a welcome post).
I can hardly believe that there were no security bugs in the past - or
are they all unfixed and therefore not published?

Anyway, Google (through its employee Tavis Ormandy) goes for
"responsible disclosure":
"Serious bugs should be fixed within a reasonable timescale. Whilst
every bug is unique, we would suggest that 60 days is a reasonable
upper bound for a genuinely critical issue in widely deployed
software.
[...]
We of course expect to be held to the same standards ourselves."*

If I remember correctly, Google is a huge player in the Open Handset
Alliance. Applying this policy to Android security would lead me to
the conclusion that there are no security relevant bugs in Android
that are older than 60 days.

Is that true?
Regards
jan

*http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html


 
From: Chris Stratton <cs07...@gmail.com>
Date: Fri, 10 Sep 2010 00:56:11 -0700 (PDT)
Local: Fri, Sep 10 2010 3:56 am
Subject: Re: Not a single security announcement?
As a practical matter, there is a large difference between google
employees fixing something in git vs waking up to find that your
carrier has pushed an OTA update to your phone.

The irony of course is that the only way to stay patched on most
consumer phones is to exploit one of the current bugs to obtain do it
yourself update permissions ;-)


 
From: Jan Niggemann <jan.niggem...@gmail.com>
Date: Fri, 10 Sep 2010 11:19:49 +0200
Local: Fri, Sep 10 2010 5:19 am
Subject: Re: [android-security-discuss] Re: Not a single security announcement?

2010/9/10 Chris Stratton <cs07...@gmail.com>

> As a practical matter, there is a large difference between google
> employees fixing something in git vs waking up to find that your
> carrier has pushed an OTA update to your phone.

Although I agree, that's not my point. I'm wondering if there are really no
security bugs at all, as I can hardly believe that.

> The irony of course is that the only way to stay patched on most
> consumer phones is to exploit one of the current bugs to obtain do it
> yourself update permissions ;-)

Also true, but also not what I wanted to know.

The Android Security Team introduced itself on 18 Aug 2008 to the full
disclosure mailing list, saying:
"Our vulnerability bulletins will credit responsible reporters of any
flaws."
Now, where *are* those bulletins?
Can someone please confirm that since its very beginning, there are no
noteworthy security bugs in Android?

jan


 
From: Tauren <tauren...@gmail.com>
Date: Fri, 10 Sep 2010 06:21:06 -0700 (PDT)
Local: Fri, Sep 10 2010 9:21 am
Subject: Re: Not a single security announcement?
First off, there have been a number of "android" vulnerabilities, go
look at haxxor news and see what you turn up.  Secondly the most
common method to attack a phone is to have you install something you
shouldn't.   I could make you install an image that has my own
personal backdoor onto it.   Most vulnerabilities are introduced by
the user.  More so those bulletins probably were taken down when the
vulnerability was removed in the followup emergency push.

Lastly, what is your definition of noteworthy?  Is noteworthy DOSing
your phone via SMS? That has been done.
I'm sure there are also other areas of the phone that need to be
researched and looked at.  Having some toolrod open a PDF and pwn
their phone just like they did on the iphone is an example.

The point is, you have a phone, it's actually a computer, it will have
vulnerabilities, they are doing their best to remove them.   The most
you may hear of it is a little blurb with someone's name on it for
finding the bug.

From: Jan Niggemann <jan.niggem...@gmail.com>
Date: Fri, 10 Sep 2010 15:53:00 +0200
Subject: Re: [android-security-discuss] Re: Not a single security announcement?

2010/9/10 Tauren <tauren...@gmail.com>

> First off, there have been a number of "android" vulnerabilities, go
> look at haxxor news and see what you turn up.

I'm aware of the attack vectors and possibilities, thank you.

> More so those bulletins probably were taken down when the
> vulnerability was removed in the followup emergency push.

That's absurd. If so, why isn't there an archive for those security
bulletins?
And where are the postings to the full-disclosure mailing list? Let me
remind you that in 2008, the Android security team posted to that list, that
they'll publish security bulletins "when the fixes are available".
And I'm pretty certain that there have been no security bulletins so far.
Neither in the Google group, nor on said mailing list.

> Lastly what is your definition of noteworthy?

I'm pretty sure that no one cares about _my_ definition.
Google writes:

"We will publicly announce security bugs when the fixes are available
via postings to the android-security-announce group on Google Groups." (link
in my 1st post).
So it all boils down to this:

IF security_bug found AND fixed
THEN publish bulletin.

> Is noteworthy DOSing
> your phone via SMS? That has been done.
> I'm sure there are also other areas of the phone that need to be
> researched and looked at.  Having some toolrod open a PDF and pwn
> their phone just like they did on the iphone is an example.

The question is: Would that be a design flaw in the OS implementation or in
an app?
If it's the OS, following their own guidelines, Google should publish a
security bulletin. Either after the availability of a fix, or after 60 days.

> The point is, you have a phone, it's actually a computer, it will have
> vulnerabilities, they are doing their best to remove them.   The most
> you may hear of it is a little blurb with someone's name on it for
> finding the bug.

So please show me the blurbs - where are they to be found?
You say there _are_ security issues. If that assertion is true, then there
should inevitably be a publication of that issue, if Google respects their
own guidelines.
At least if the issue is fixed, if I understand correctly.
Or it's just a matter of misinterpretation, maybe because my 1st language
isn't English ;-)
I just can't get straight that there _are_ security issues* AND there's no
publication of bulletins yet.

Regards
jan
* No big deal for me, every piece of software has 'em.


 
From: Tauren <tauren...@gmail.com>
Date: Fri, 10 Sep 2010 07:18:08 -0700 (PDT)
Local: Fri, Sep 10 2010 10:18 am
Subject: Re: Not a single security announcement?
I'm gonna go ahead and assume that with 9/900 some messages on this
board, and how slow things are this is probably not the place that
those bulletins get posted.  Secondly look at patch notes for the
android mobile phone, I am sure they mention it.   Also keep in mind
that there is a good probability that posts get archived that aren't
current, including old fixed bulletins.

That said... please check here: http://groups.google.com/group/android-security-announce

As for your definition, how can we answer your question without your
definition?

From: Jeff Enderwick <jeff.enderw...@gmail.com>
Date: Fri, 10 Sep 2010 08:12:49 -0700
Local: Fri, Sep 10 2010 11:12 am
Subject: Re: [android-security-discuss] Re: Not a single security announcement?
All vulnerability 'management' should use the same system that every
other earthling uses:
http://cve.mitre.org/


 
From: Chris Stratton <cs07...@gmail.com>
Date: Fri, 10 Sep 2010 11:21:30 -0700 (PDT)
Local: Fri, Sep 10 2010 2:21 pm
Subject: Re: Not a single security announcement?
On Sep 10, 5:19 am, Jan Niggemann <jan.niggem...@gmail.com> wrote:

> 2010/9/10 Chris Stratton <cs07...@gmail.com>
> Although I agree, that's not my point. I'm wondering if there are really no
> security bugs at all, as I can hardly believe that.

Some of the major ones that have resulted in pushed updates have not
been unique to android but inherited from the linux kernel -
disclosed, discussed, and fixed upstream with only the patches showing
up in android git.

 
From: jan <jan.niggem...@gmail.com>
Date: Sat, 11 Sep 2010 10:02:19 -0700 (PDT)
Local: Sat, Sep 11 2010 1:02 pm
Subject: Re: Not a single security announcement?
Chris, Jeff: Thank you.
Assuming that all Android issues were originating from the Linux
kernel, don't you think that these bugs (leading to fixes from
upstream) should be published, too?
I mean, no need to reproduce the whole information, but a short notice
with a pointer to the kernel bug tracker should suffice.

Or am I asking for too much? You know, not everyone is reading the
LKML...
Anyway, if the said google group is not the place to stay informed
about Android specific security issues:
Where do I stay tuned?


 
From: Hadi Nahari <hadi.nah...@gmail.com>
Date: Sat, 11 Sep 2010 10:24:40 -0700
Local: Sat, Sep 11 2010 1:24 pm
Subject: Re: [android-security-discuss] Re: Not a single security announcement?

>> Anyway, if the said google group is not the place to stay informed
>> about Android specific security issues:
>> Where do I stay tuned?

I've been eagerly following this thread to hear Google's answer to this
question, and nobody as of yet provided an answer. This is one of the cases
where RTFC won't do.

-Hadi


 
From: Duane Blanchard <dblanch...@gmail.com>
Date: Sun, 12 Sep 2010 14:48:08 -0700
Local: Sun, Sep 12 2010 5:48 pm
Subject: Re: [android-security-discuss] Re: Not a single security announcement?
I too have been hoping for some official response.

D


 
From: Hadi Nahari <hadi.nah...@gmail.com>
Date: Sun, 12 Sep 2010 19:10:47 -0700
Local: Sun, Sep 12 2010 10:10 pm
Subject: Re: [android-security-discuss] Re: Not a single security announcement?

Dianne, et al;
When can we expect Google to respond to this thread?

-H

From: jan <jan.niggem...@gmail.com>
Date: Tue, 28 Sep 2010 08:53:59 -0700 (PDT)
Local: Tues, Sep 28 2010 11:53 am
Subject: Re: Not a single security announcement?
On Sep 13, 4:10 am, Hadi Nahari <hadi.nah...@gmail.com> wrote:
> Dianne, et al;
> When can we expect Google to respond to this thread?

I wrote a letter to one of Europe's most-read computer magazines, c't,
and asked them the same question. They even printed my letter,
together with the remark:
"We asked Google the same question and have not received an answer".
Google: Such behaviour won't satisfy customers who bought Android
cellphones.
The sales of Android powered devices are soaring, so having up-to-date
information on security issues (and fixes / workarounds) will be
crucial for more and more people.

jan


 
From: Disconnect <dc.disconn...@gmail.com>
Date: Tue, 28 Sep 2010 12:11:08 -0400
Local: Tues, Sep 28 2010 12:11 pm
Subject: Re: [android-security-discuss] Re: Not a single security announcement?

You can be sure there is an internal list or similar announcement forum for
OHA members. Maybe you need to join the OHA before you get security
announcements.. it wouldn't be out of character..


 
From: Jeff Enderwick <jeff.enderw...@gmail.com>
Date: Tue, 28 Sep 2010 10:47:43 -0700
Local: Tues, Sep 28 2010 1:47 pm
Subject: Re: [android-security-discuss] Re: Not a single security announcement?
Why would security announcements be limited to OHA members? Of course,
there are public-disclosure-when-fixed scenarios, but everyone else on
the planet discloses security vulnerabilities publicly so that people
can make their own informed decisions.


 
From: jan <jan.niggem...@gmail.com>
Date: Tue, 28 Sep 2010 12:09:54 -0700 (PDT)
Local: Tues, Sep 28 2010 3:09 pm
Subject: Re: Not a single security announcement?
On 28 Sep., 19:47, Jeff Enderwick <jeff.enderw...@gmail.com> wrote:
> Why would security announcements be limited to OHA members? Of course,
> there are public-disclosure-when-fixed scenarios, but everyone else on
> the planet discloses security vulnerabilities publicly so that people
> can make their own informed decisions.

Jeff, IMHO you're approaching this from a developer's point of view.
You and I might know where to look for certain information, but you'll
never get Joe Average to check the CVE DB to find out about issues.
And of course let's not forget that Google itself wrote that
vulnerabilities, once fixed, would be listed in a Google Group. And
that's my point, they just don't live up to their promise.
Were there means for average users to easily stay informed about
issues, be it a forum, a blog or something else, then security-aware
users could at least apply workarounds for issues until Google /
manufacturers / carriers release patches.

 
From: Hadi Nahari <hadi.nah...@gmail.com>
Date: Tue, 28 Sep 2010 12:06:52 -0700
Local: Tues, Sep 28 2010 3:06 pm
Subject: Re: [android-security-discuss] Re: Not a single security announcement?

>> Maybe you need to join the OHA before you get security
>> announcements.. it wouldn't be out of character..

Well, that's weird and doesn't bode well with the open nature of
Android. I'm hoping that the reason Dianne, et al from Google aren't
responding to this thread is that they're just busy.

-Hadi

From: Jeff Enderwick <jeff.enderw...@gmail.com>
Date: Tue, 28 Sep 2010 12:17:30 -0700
Local: Tues, Sep 28 2010 3:17 pm
Subject: Re: [android-security-discuss] Re: Not a single security announcement?
No - I'm approaching this from the POV of enterprise customers that
I've had in prior lives. InfoSec wants the details, and wants to make
their own decisions w/r/t risk.


 
From: Roman <roman.schoenbich...@gmail.com>
Date: Sat, 19 May 2012 04:46:33 -0700 (PDT)
Local: Sat, May 19 2012 7:46 am
Subject: Re: [android-security-discuss] Re: Not a single security announcement?

So what has happened in the last 1 1/2 years?

From: Jeff Enderwick <jeff.enderw...@gmail.com>
Date: Sat, 19 May 2012 22:20:50 -0700
Local: Sun, May 20 2012 1:20 am
Subject: Re: [android-security-discuss] Re: Not a single security announcement?

AFAIK, nothing.

From: "stuartbunderw...@gmail.com" <stuartbunderw...@gmail.com>
Date: Sun, 20 May 2012 09:26:32 -0500
Local: Sun, May 20 2012 10:26 am
Subject: Re: [android-security-discuss] Re: Not a single security announcement?

Sent from my HTC on the Now Network from Sprint!
