I reckon that securing software is a thankless job. Few of us on the user side of things truly understand it. The day-to-day, I imagine, is not particularly sexy. But here we are, at the beginning of the end of Android, apparently. At the point of no return for ... well, whatever point you're trying to make.
Only, not really. Or, rather, not any more than just a few weeks ago, when the annual hype ahead of the BlackHat security conference began in earnest. Or two years ago, when the "StageFright" flaw was already several years old, unnoticed (and unexploited, by most accounts) deep in the heart of the operating system.
And therein lies the Catch-22. Can a critical security issue — and make no mistake, Stagefright falls into that category — truly be critical if we don't actually need to panic over it? And if we don't panic over it, will it be taken seriously?
The real security work is being done by men and women who deserve better than scary-sounding stories once or twice a year.
The bigger flaw, at least from my purview, is in the reporting on security issues. The initial Stagefright stories didn't contain complete information, awaiting the security researcher's talk at BlackHat. (And not immediately disclosing all details of a bug is also an important part of the process.) But journalists know that. Or, at least they should. Google's Adrian Ludwig did a good job explaining the multi-layer security that goes into Android. (And that's exactly what you need given the mess that is software updates.) Why, then, did doomsday pieces published just a day later initially ignore that not-so-little detail? That does no justice to readers, users, or the security researchers who deal with this stuff every day.
Same went for a poorly written pre-disclosure report on a flaw in fingerprint security. My favorite line: "The threat is for now confined mostly to Android devices that have fingerprint sensors." No shit. But the real sin was this line buried eight paragraphs in:
"Affected vendors have since provided patches after being alerted by the researchers."
Great! Glad to hear it! But you can't put that at the top of a story, because nobody will continue reading.
And that's the real problem. Security disclosures are important. (Stories leading up to the disclosure can be useful, but by nature they're prone to sensationalism.) Security conferences are important. Discussing security flaws after they've been fixed is important, the better to keep something like that from occurring in future code. But the way they're being reported by those of us who aren't actual security experts — and also weren't in the weeks leading up to this latest man-made shitstorm — is quite possibly worse than any of these theoretical exploits. Details are important. Context is key.
And above all, don't panic. There are really smart people at work here, on both sides. Of that I have zero doubt.
But this has all happened before, and it no doubt will happen again. My recommendation is to read security stories from the bottom up. You'll be surprised just how much more you might learn.
A few other thoughts on things:
- We've had a little fun over the weekend sharing on Instagram some of the pics we've taken with the new Moto G. We'll probably do more of that with other new phones going forward.
- Seriously, that's a hell of a lot of good stuff in a $200 phone.
- Odd that Samsung's stuff has leaked so badly.
- The problem isn't that Jon Stewart left the Daily Show. The problem is those of us without TV shows haven't been calling folks out on the same bullshit all this time, particularly on Election Day.
- And I can only hope that at some point the media ceases to treat the process as entertainment.
- Not likely, though.
- Beautiful moments from Junior Seau's family at the NFL Hall of Fame induction ceremony.
- It's just a shame so much was made about his daughter not being "allowed" to give a full speech. Turns out, there was nothing controversial there.
- That ceremony to me will always ring of family. It's what was on while my wife and I awaited our first daughter's birth. Especially poignant this year.
That's it for this week. See y'all Monday.