I reckon that securing software is a thankless job. Few of us on the user side of things truly understand it. The day-to-day, I imagine, is not particularly sexy. But here we are, at the beginning of the end of Android, apparently. At the point of no return for ... well, whatever point you're trying to make.
Only, not really. Or, rather, not any more than just a few weeks ago, when the annual hype ahead of the BlackHat security conference began in earnest. Or two years ago, when the "StageFright" flaw was already several years old, unnoticed (and unexploited, by most accounts) deep in the heart of the operating system.
And therein lies the Catch-22. Can a critical security issue — and make no mistake, Stagefright falls into that category — truly be critical if we don't actually need to panic over it? And if we don't panic over it, will it be taken seriously?
The real security work is being done by men and women who deserve better than scary-sounding stories once or twice a year.
The bigger flaw, at least from my purview, is in the reporting on security issues. The initial Stagefright stories didn't contain complete information, awaiting the security researcher's talk at BlackHat. (And not immediately disclosing all details of a bug is also an important part of the process.) But journalists know that. Or, at least they should. Google's Adrian Ludwig did a good job explaining the multi-layer security that goes into Android. (And that's exactly what you need given the mess that is software updates.) Why, then, did doomsday pieces published just a day later initially ignore that not-so-little detail? That does no justice to readers, users, or the security researchers who deal with this stuff every day.
Same went for a poorly written pre-disclosure report on a flaw in fingerprint security. My favorite line: "The threat is for now confined mostly to Android devices that have fingerprint sensors." No shit. But the real sin was this line buried eight paragraphs in:
"Affected vendors have since provided patches after being alerted by the researchers."
Great! Glad to hear it! But you can't put that at the top of a story, because nobody will continue reading.
And that's the real problem. Security disclosures are important. (Stories leading up to the disclosure can be useful, but by nature they're prone to sensationalism.) Security conferences are important. Discussing security flaws after they've been fixed is important, the better to keep something like that from occurring in future code. But the way they're being reported by those of us who aren't actual security experts — and also weren't in the weeks leading up to this latest man-made shitstorm — is quite possibly worse than any of these theoretical exploits. Details are important. Context is key.
And above all, don't panic. There are really smart people at work here, on both sides. Of that I have zero doubt.
But this has all happened before, and it no doubt will happen again. My recommendation is to read security stories from the bottom up. You'll be surprised just how much more you might learn.
A few other thoughts on things:
- We've had a little fun over the weekend sharing on Instagram some of the pics we've taken with the new Moto G. We'll probably do more of that with other new phones going forward.
- Seriously, that's a hell of a lot of good stuff in a $200 phone.
- Odd that Samsung's stuff has leaked so badly.
- The problem isn't that Jon Stewart left the Daily Show. The problem is those of us without TV shows haven't been calling folks out on the same bullshit all this time, particularly on Election Day.
- And I can only hope that at some point the media ceases to treat the process as entertainment.
- Not likely, though.
- Beautiful moments from Junior Seau's family at the NFL Hall of Fame induction ceremony.
- It's just a shame so much was made about his daughter not being "allowed" to give a full speech. Turns out, there was nothing controversial there.
- That ceremony to me will always ring of family. It's what was on while my wife and I awaited our first daughter's birth. Especially poignant this year.
That's it for this week. See y'all Monday.