[Cryptography] [FORGED] Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Tom Mitchell mitch at niftyegg.com
Wed Oct 18 22:14:27 EDT 2017


On Mon, Oct 16, 2017 at 9:22 PM, Henry Baker <hbaker1 at pipeline.com> wrote:

> At 06:42 PM 10/16/2017, John Levine wrote:
> >In article <1508202259012.9724 at cs.auckland.ac.nz> you write:
> >>Not to mention that fact that it's a forever-day on most devices...
> >
> >Depends what devices.
>
..........

>
> Biggest problem IMHO is Android.  There doesn't appear to be any way --
> short of a class-action lawsuit -- to force the Android phone vendors to
> supply a firmware upgrade.  They're already 12-24 months behind on CVE's.
> And I doubt that Google is willing to upgrade every Android phone on its
> own.


It is more than the hardware vendor.   Serious constipation exists within
carriers.
To get a phone from anyone other than the hardware vendor inserts the
carrier
in the chain of dependencies.   If  a Samsung phone is sold by AT&T there
is nothing
Samsung can do because the update path requires AT&T.

Google does issue patches.  Some patches are picked up and applied.  Some
handful
of devices are bricked in the process and that generates bad press that is
not tempered
by the real threat addressed.

I picked on Samsung -- their phones, tablets, TVs, Blu Ray Players all
suffer from
vendor imposed service life that is much too short when compared with the
price
and hardware service life.  About two years... or one year after the last
device of a
specific model gets shipped to distribution.  They are not alone but I have
not found
a worse large vendor.

Some would make it illegal to research and root these devices.
The numbers of devices in so many US homes makes the risk of Kaspersky Lab
and a Russian Government connection seem to be a small risk.
Analysis of Kaspersky Lab and if necessary purging of software that lives on
top of an OS seems easy compared to the logistics of the DHS blocking
all the Samstung devices in the US.



-- 
  T o m    M i t c h e l l
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20171018/1b5c8d41/attachment.html>


More information about the cryptography mailing list