What is Responsible Disclosure? - Security Discussion

Responsible Disclosure is a term often used in security, but what is it?
In essence, responsible disclosure is the process of making the vendor or OEM of the vulnerable software or system aware of the problem before disclosing details of the vulnerability to the public. The idea here is that the vendor will promptly solve the issue, and release a fix to users of the software, and accredit the finding of the issue to the researcher, who then discloses the vulnerability in full, now the software has been patched.
Responsible disclosure is named as such, as vendors feel it's the most responsible way to go about handling a security issue you have found. It's often the best strategy to try if you do find an issue - look for a security contact for the company, and give them a shout.
Unfortunately, some companies are rather poor at dealing with security issues, and either don't respond, or don't issue a patch or inform users of a mitigation strategy. Or in severe cases, might not even inform users of there being an issue whatsoever, and appear to ignore the vulnerability. Do bear in mind though when dealing with mobile devices that many carriers add significant delays to software releases (where on the desktop, a fix may be available the next day, the OEM might take a week or more to make a patch available on unbranded firmware, since devices and firmwares often must be approved by regulators before release, and carriers will then want further changes applied to these firmwares before their own testing).
Often if a vendor acts like this, the only solution is Full Disclosure, a process where the full details of the vulnerability are publicly released, in order to raise awareness of the vendor's insecurity and inaction (particularly if efforts were already made to contact them). Full disclosure permits the end user to be made aware of the extent and details of the security issue, and attempt to mitigate or resolve it themselves (for example, by removing an affected plugin, deleting an APK, or using a firewall to prevent access to a vulnerable service until a fix is produced).
If you are new to security, and are unsure, responsible disclosure is usually the best way forwards, but there are plenty of people around who can give good advise about this. This may well change, in light of recent practices by some companies pertaining to how they handle security vulnerabilities which are responsibly disclosed (see https://www.openrightsgroup.org/blog/2013/nsa-affects-responsible-disclosure)

Good writeup, thanks!
Is full disclosure really an effective way of handling things though? I can understand that the intention is to make the vulnerability so well known that vendor has no choice but to fix it, but during that lead time there's going to be a vulnerability going around that people could really capitalize on. I don't have figures, but I would imagine that even if a user-made solution is found, the number of people that would actually adopt it has got to be a tiny fraction of a percent. If you're going full-disclosure, aren't you essentially ensuring the worst-case scenario? Security through obscurity is weak, but isn't it still better to sit on your hands and just hope that the vendor will get around to fixing it eventually?

Grand Guignol said:
Good writeup, thanks!
Is full disclosure really an effective way of handling things though? I can understand that the intention is to make the vulnerability so well known that vendor has no choice but to fix it, but during that lead time there's going to be a vulnerability going around that people could really capitalize on. I don't have figures, but I would imagine that even if a user-made solution is found, the number of people that would actually adopt it has got to be a tiny fraction of a percent. If you're going full-disclosure, aren't you essentially ensuring the worst-case scenario? Security through obscurity is weak, but isn't it still better to sit on your hands and just hope that the vendor will get around to fixing it eventually?
Click to expand...
Click to collapse
True, but also depends on the type of vulnerability. Is not the same finding a vulnerability where you need physical access to the device (ie a way of unlocking without PIN) than finding a vulnerabilty that allows remote access to sensite data without user action. I suppose that some sort of waiting can be defined. Like waiting for a week for the first type of vulnerabity and 3 months for the other....just my 2 cents.
Great writeup BTW!

For the security enthusiasts here: The Full DIsclosure Mailing List has been reopened. ENJOY!

Talking about responsible disclosure, I have the following question for you guys:
I found a vulnerability that can be exploited to drain the battery of a device. I informed the application vendor and they reacted that they agree with my finding and will fix it soon. I send my vulnerability and PoC 24th of February and they responded 3 weeks after. Now I am waiting for the vulnerability to be fixed.
I found this bug when writing my thesis and I really want to include it in my paper which should be published on the 31th of May. Does that fit responsible disclosure? Should I send them an e-mail stating that I will publish the details at the end of May?

It can't hurt to let them know youre doing it.
Sent from my Xperia ZL using XDA Free mobile app

Is full disclosure really an effective way of handling things though?

rakoczy12 said:
Is full disclosure really an effective way of handling things though?
Click to expand...
Click to collapse
If the end result of the disclousre is that the users can protect themselves, then yes. As the OP pointed out:
pulser_g2 said:
Full disclosure permits the end user to be made aware of the extent and details of the security issue, and attempt to mitigate or resolve it themselves (for example, by removing an affected plugin, deleting an APK, or using a firewall to prevent access to a vulnerable service until a fix is produced).
Click to expand...
Click to collapse

How did I just now see this forum? Pulser I was talking to you about such an area for many many moons ago.
@pulser_g2
I have a question about posting things I find that script kiddies would love. Like today, I opened up an apk that was supposed to be an icon pack. Instead, it has @Stericson 's RootTools package in it and someone else's libpush work. So it starts out as a script kiddies dream, cause that's all it is. But it would be good for people to learn from.
When I came here, before I installed @DaveShaw 's power menu .cab, I first learned what a cab was, what it did, how it worked, and what all the little bits and pieces did inside of it. You just can never be too safe. Which is probably why I don't go jumping on a new ROM, or app someone just released. I'll mull it over and let some other people be the testers. How could I post something like without giving away how it works, but showing what's inside. So as to let people know to be careful? Teach them how to open it up, the different parts of an apk, how to read it and such. That's the kind of thing I was meaning way back when I was asking you about making this kind of area. But you had the same concerns as me. It not turning into a scriptkiddy funhouse.
Are we going to be able to disclose threats among ourselves? You can't make everyone wear a white hat. Lord knows we didn't all wear one back in compsci. I see it like teaching firemen how to put out a fire. Yea they are going to learn what makes a really big fire that's hard to stop. But if you don't teach them how to build the fire, just put it out, then they have to go through just that extra bit of effort to do bad.

Maybe some parts of this thread belongs here. http://forum.xda-developers.com/general/security/security-threat-middle-attack-umts-t3374626

It is Awesome

wow

Related

ROM License Agreement - What do you think?

Hey guys! I put together this license agreement for all the ROM chefs to use. What do you think? What should I change, add or remove?
It was partly created as a joke, but looking around, it looks as if people are getting upset with their chefs for very dumb reasons... this isn't to make the user's life miserable, but to aliviate the pressure chefs are put under or at the very least raise some awareness on the user's parts.
This is NOT the final version. Consider it a beta.
Updated: 1/1/2008 - 9:09pm Eastern Standard Time - Edited for proper syntax.
Updated: 1/1/2008 - 9:15pm Eastern Standard Time - Fixed numbering issue. Added article #16.
Over a hundred views and no comments? Was the document that horrible?
I don't release anything but if I did I probably wouldn't want to attach that to it.. It's already known that there have been legal problems on the site with redistribution of ROM's even in their original form..
Adding your licence to it makes it look like the chef would be saying that they absolutely own the code and that could be a little bit of a dangerous thing to say.
It's almost like commercialising the ROM's and that would definitely be bad. Once you try and do that you are in danger of becoming a target for Microsoft and it's partners for you ripping off their property.
Providing fixes and tweaks is different to claiming responsibility for their work and code in my eyes. I'm sure thats part of why its still being tolerated to some extent.
It's also a little bit cheeky really to say "We grant you the usage of this ROM on an unlimited number of devices, unless otherwise stated. We hold the right to restrict who is allowed to use the ROM and to stop any and all distribution of this ROM." when everyone who releases a ROM has broken the original licence term that says that.
sambartle said:
I don't release anything but if I did I probably wouldn't want to attach that to it.. It's already known that there have been legal problems on the site with redistribution of ROM's even in their original form..
Adding your licence to it makes it look like the chef would be saying that they absolutely own the code and that could be a little bit of a dangerous thing to say.
It's almost like commercialising the ROM's and that would definitely be bad. Once you try and do that you are in danger of becoming a target for Microsoft and it's partners for you ripping off their property.
Providing fixes and tweaks is different to claiming responsibility for their work and code in my eyes. I'm sure thats part of why its still being tolerated to some extent.
It's also a little bit cheeky really to say "We grant you the usage of this ROM on an unlimited number of devices, unless otherwise stated. We hold the right to restrict who is allowed to use the ROM and to stop any and all distribution of this ROM." when everyone who releases a ROM has broken the original licence term that says that.
Click to expand...
Click to collapse
Truth be told, most of it is just filler. lol It was mostly a way to say "If you use this, don't complain."
You do bring up valid points, though.

a thought on antipiracy measures for devs.

Now let me just say right here and now that I'm not a coder so hang with me. It seems to me that google has an issue with pirates (due to the blocking of paid apps for dev phones) until they create a better solution I was hoping somebody might create some kind of module that any dev could use to prevent and curb piracy. I know it's not a huge deal as there's really not that much out there for downloading paid .apk but there are some.
What I would do breaks down into two parts, preventing redistribution of the .apk and then nagging users who have an outdated version (as with download-copy-refund-reinstall). If you made the program run at the moment it was installed and pull and then archive a piece of unique info such as the phone number and then force the whole app to double check the internal archive to the actual phone number it would not only prevent the giving away of apps but archiving the initial release person's info to the dev.
Step two is to force a version check from the app to a sever that has the current version. If you made some kind of update (even if very so minor about once a month) and gave let's say a month so that you're not forcing folks to update that day you could then make the program "nag" a user into updating (that you cannot do if you didn't pay for it) and after some length of time have the program stop working at all.
Now yes it is work for something that may only cost .99 but if the anti-piracy measures were open source then you could not only retrofit an existing program but build new pirate proof apps.
Thoughts?
Both methods are still fairly easily crackable. Just like it's impossible to "DRM" game cd's, music, and video - preventing piracy of software is a very difficult and always flawed things.
You can make copy protection pretty decent but eventually it's all still very crackable. There is no 'good' copy protection. If Google is waiting until they do have a 'good' system for it - it will never happen.
And yes, I actually am a coder with commercial interests that are copy "protected". In the end the question is always if people find it valuable enough to purchase or their time invaluable enough to spend it on cracking these things.
How about release all your code under an open source license and get paid through donations?
I LOL'd! Seriously, if you ever went that route you'd know usually people hardly ever donate, at all. You'll be working for $0.01 an hour. That's ok if it's a hobby project, but bigger projects are just not feasable that way.
It also depends a lot on the community though. For example, I've made freeware tools for gameserver admins and got a lot of donations. I've made mods for games that practically every player used - and these were RCE games, so they cost $$$ - and the total of donations was less than $100 for 100's of hours of work. It depends on the situation, the crowd, how useful the software is, etc, but in the end it comes down to people being cheapskates, but in a weird way.
By 'in a weird way' I mean that it is rather strange that if you ask for donations, hardly anybody will donate $5, but if you were to charge $5, lots of people would purchase and not care about the $5.
Of course this is not true for everybody. Personally I try to donate to free projects that I use - and I know there are several people who also do this. But it's not the 'general public'.
this isnt an issue about open source vs charging for a product. Nobody is doing anything about piracy for this particular handset. it so easy to steal these apps, and if nothing is done to stay ahead of the curve then everyone suffers. do we have to wait till the average user figures it out, or till somebody makes a blog and/or a youtube post on how to release paid apps and that even non root users can pirate these in seconds?
one of two people need to step up, either the devs and try and be a step ahead of the crackers or what i imagine as widespread piracy and the degrading of all app quality.
some have said that people wont bother stealing a .99 app, but i disagree.
robotmaxtron said:
this isnt an issue about open source vs charging for a product. Nobody is doing anything about piracy for this particular handset. it so easy to steal these apps, and if nothing is done to stay ahead of the curve then everyone suffers. do we have to wait till the average user figures it out, or till somebody makes a blog and/or a youtube post on how to release paid apps and that even non root users can pirate these in seconds?
one of two people need to step up, either the devs and try and be a step ahead of the crackers or what i imagine as widespread piracy and the degrading of all app quality.
some have said that people wont bother stealing a .99 app, but i disagree.
Click to expand...
Click to collapse
Well i believe chainfire answered the question already, there is nothing they can do. Are you a dev? The only ones suffering are the developers. Piracy is here and no one can really do anything about it. There are more important issues to deal with in the world then piracy. Look at smartphone files - cabs - wm, you dont have to pay for one of those anymore they are out there for the taking. How long have they been around? One look at their situation and its pretty clear nothing can be done.
ummm
piracy is nothing new.... piracy has been around since back on the commodore 64, i cant even explain how many shoebox's of 5 1/4" floppys of games. Pirating windows..... the first version ever. Theres no way to stop it, what is made can always be undone. The use of online connectivity is the only way to stop people from pirating software. Those "servers" are at the expense of the company that released the software. All installs have to have a "phone-home". Why do you think WifiRouter for WM (i think thats what its called) can never be cracked for more than a week. Because the serial numbers are registered in a database, and hardware id's and whatnots are sent regarding that individual phone. If more than a few of set "phones" with the serial number given is used. That serial is blacklisted and deactivated. The software checks for serial status everytime it loads. Very good way of using such software. But others are a little different, like programs that can be cracked using a serial number, but the program is in a site that normally wouldnt ever have acccess to internet (construction sites, etc.) Its just something that cant be stopped.....
p.s. http://tinyurl.com/dczb66 and you will realize what chainfire meant by ruin and destroying software due to copy protection
piracy done right
they need to stop trying to figure out how to solve the problem and just say there is no problem. there is no single "market" for software for my pc.... there will never be one for android. developers will never be comfortable trusting security they have no say so in. apps will come from all edges of the cloud and google is sadly mistaken if they think they can control it.
here is what they should do.. Nothing
Let the developers on their own find ways to secure their apps. wether it be a simple pin number or a log in. as developers make security hackers will break it, then the devs make more, its that cycle that made Linux work in the first place.
regardless of what google does people will start protecting their apk's
If you want to sell programs, do the following and you won't have a problem.
Don't worry about piracy (DRM, Copy Protection, etc)
Make a good product
Don't over-charge for the product
Be upfront with the support offerings
Offer a reasonable satisfaction guarantee if demo is not available
Trying to limit and stop piracy is a failing battle and will ultimately end up costing the developer in the long run.
I come from both sides of the track, i'm a pirate (aka lacking moral compass) and developer. When I come across good software at a reasonable price, I don't think twice about purchasing it.
You could do likesome programmers who sell their product online and on the market at the same time.
http://forum.xda-developers.com/showthread.php?t=487790
Thanks to the masterBaron I have this program on my dev phone and I live in france.
soundwire said:
How about release all your code under an open source license and get paid through donations?
Click to expand...
Click to collapse
The Windows Mobile version of Klaxon has had around 200,000 downloads, and I have received less than $200 in donations. I spent several months on that project. Donationware/open source is does not work.
robotmaxtron said:
What I would do breaks down into two parts, preventing redistribution of the .apk and then nagging users who have an outdated version (as with download-copy-refund-reinstall). If you made the program run at the moment it was installed and pull and then archive a piece of unique info such as the phone number and then force the whole app to double check the internal archive to the actual phone number it would not only prevent the giving away of apps but archiving the initial release person's info to the dev.
Step two is to force a version check from the app to a sever that has the current version. If you made some kind of update (even if very so minor about once a month)....
Thoughts?
Click to expand...
Click to collapse
I'd rather my number not be freely given out.
This would also be a problem if my number changed, but I don't buy apps that force version checks / expire / phone home. If it's good enough I look for a copy cleansed of such behavior, while i'd buy a good app without that behavior and if its not locked to hardware/providers. Copy protection can backfire and drive off customers.
How about release all your code under an open source license and get paid through donations?
Click to expand...
Click to collapse
Although I have some open source projects this will never work... A lot of people just like to get everything for free and are actually upset when needed to pay 1€ for an application.
I have people send me like 20€ but this is a very rare case! I would be lucky to have at most one costless weekend of drinking in a month, but no way to actually make a living that way.
And if you look into the work put in to most open-source projects ( in terms of hours ) its better to just do 1% of that work for a boss and get payed a lot more. Ofcourse I love doing this and thats mainly the reason why I join open-source projects... Making some money is a nice aspect which "could" happen.
As for copy protection... Like cf stated... There isnt an uncrackable copy protection and if creating one takes up half of the time of your projects development how much good would it be in terms of earning money. Its not a copy-protection problem but its a mind-set problem... People just dont like paying for things they use everyday...
inpherno3 said:
piracy is nothing new.... piracy has been around since back on the commodore 64, i cant even explain how many shoebox's of 5 1/4" floppys of games. Pirating windows..... the first version ever. Theres no way to stop it, what is made can always be undone. The use of online connectivity is the only way to stop people from pirating software. Those "servers" are at the expense of the company that released the software. All installs have to have a "phone-home". Why do you think WifiRouter for WM (i think thats what its called) can never be cracked for more than a week. Because the serial numbers are registered in a database, and hardware id's and whatnots are sent regarding that individual phone. If more than a few of set "phones" with the serial number given is used. That serial is blacklisted and deactivated. The software checks for serial status everytime it loads. Very good way of using such software. But others are a little different, like programs that can be cracked using a serial number, but the program is in a site that normally wouldnt ever have acccess to internet (construction sites, etc.) Its just something that cant be stopped.....
p.s. http://tinyurl.com/dczb66 and you will realize what chainfire meant by ruin and destroying software due to copy protection
Click to expand...
Click to collapse
Bull****. WifiRouter or whatever it is could easily be cracked by using fake DNS servers, manually editing the servers to a custom, or bypassing the online checks completely.
Their system is crap, and any skilled cracker could defeat online checks in just a bit of work.
The only truly invincible copy protection I've seen are either hardware, or extremely internet based (something that relies on external servers so much that it's useless without them, such as MMOs). Hardware can be modded, and you can recreate the servers for internet based.
Gary13579 said:
Bull****. WifiRouter or whatever it is could easily be cracked by using fake DNS servers, manually editing the servers to a custom, or bypassing the online checks completely.
Their system is crap, and any skilled cracker could defeat online checks in just a bit of work.
The only truly invincible copy protection I've seen are either hardware, or extremely internet based (something that relies on external servers so much that it's useless without them, such as MMOs). Hardware can be modded, and you can recreate the servers for internet based.
Click to expand...
Click to collapse
Or you could just remove the TPM (or Variant) requirements from the software like the Hackintosh version of OSX.
piracy won't ever be stoped.. might take a vbbit longer for some one to bypass it's protecting but it will always be cracked sooner or later
best thing u can do is.. as said before just make a good product be craeative, dont over-charge, people will buy it support you..
heck better is better to make 20 bucks thank nothing at all

Unsafe ROMS?

I've been playing around with all the 6.5 ROMS available on this forum (plus have been lurking for a while so felt like doing some contribution could be appreciated ).
My company is very stringent about enforcing Exchange ActiveSync policies, especially PIN CODE, timeout to lock and remote wipe.
I noticed that on the 230XX series (I have tested up to 23053) posted here, there are two different behaviors, one serie works with my Exchange Active Sync, one does not.
Since the PIN request and lock timeout work fine with them, I have to assume the remote wipe feature has somehow be disabled by this ROM.
I have been able to identify that a ROM will give me this problem even without connecting with my Exchange Server.
in 100% of the case, if I try to import a root certificate on a "hacked" ROM, it will be installed without any warning, just a "Certificate successfully installed, press OK" dialog.
Now, on a ROM that is not "hacked", when you try to import a root certificate, you are warned that this may be an unsafe operation and have actually to confirm.
This is very concerning to me, because the warning being removed means that any bad guy can leverage these ROM to deploy a rogue root certificate to your device and your device can start trusting wrong sites.
I do not intend this to be an exhaustive list, but as of my testing only the following two ROMs work correctly:
- NATF
- RRE
All the others do not. The source of the non-working ones is either the same, or these people have purposedly altered the ROM to change the security settings. But the result is the same, security altered ROMS.
If anyone could confirm they are experiencing the same, I would not feel alone on the planet
UM
I'd just like to reiterate that this is a development community- most of the cooked ROMS you've tried are experimental works in progress. We tend to take our experimenting a bit far here- but as none of our 'products' are really production tested, it's fairly safe to say that all of them are just a bit unsafe.
A stock ROM has the benefit of being tested in a production environment- and while performance on these ROMs may not be optimal, they are composed of a set recipe of components established between the OEM and Microsoft.
Many of our ROMs are conglomerations of various different components- so it's not exactly safe to say that any of them can be held completely accountable for device security- there may be plenty of exploits present behind the scenes that never have been exposed or rectified.
We're small-scale individual developers. Most, if not all of us, do this for fun. Many of our packages deliberately alter the way in which devices handle certificates and signing- because it allows us to expand the boundaries we develop within.
If you're looking for guaranteed security, your best bet is to stick with a completely stock device. If you choose to use another ROM, any insecurity is not on the developer, but you.
Very well said! On top most, actually all of the 6.5 based ROMs have a microsoft beta as a base. Though it may be a save bet that the latest built # may be the closest to the final release at Oct. 9 it's a common practice to reduce/alter some "security" settings an policies for an "easier" way to success. None of these facts is to blame on any ROM chef or developer or however you want to name these creative heads here.
Their work is just incredible and I bet that ms or HTC would be proud to have such guys on board.
Note:
I bet that some individuals of both companies keep a close eye on what's going on here.
Guys,
Don't get me wrong, I know what I'm doing when installing a beta that has been leaked.
First, it's illegal, we are stealing non published source code, infringing intellectual property and probably making ourselves guilty of too many felony counts to be able to get out of jail without a long white beard.
But, joke aside, this was not the point of my post and I am sorry if I didn't explain myself clearly.
There are 23053 builds that work well are 23053 that do not, as was the case with any previous build number and, consistantly, I have had two out of the pack working exactly as expected from a security perspective, and all of the rest not working as expected.
So, since I do not believe MS is deliberately compiling one tree of the code with embedded security and another without, it means that someone in the middle is affecting it.
That was my point.
UM
Hummm...
Wrong approach fellow...
Wrong place, wrong time and wrong people.
Don't expect to be received with an open heart while commenting such things...
Imagine the following scenario:
A priest enters a strip bar and tells the owner of his concerns of moral ground, about the practices that take pace there... LOL
I may understand your point, definitely not your purpose.
If you are lucky enough not the get flamed, you will at least see some frown faces...
Leave it...
As someone suggested before, remember this is a development community...
If what you find doesn't suit your needs simply suggest changes or don't use it at all.
If you concluded, after experimenting, that the only functional ROMs are NATF and RRE ones, allow me the following suggestion:
Choose between 3 options:
1. Use a stock ROM so you don't «steal» form anyone and don't risk having to spend 5 days in a row shaving...
2. Use a NATF ROM
3. Use an RRE ROM
I believe i made my point as gently as I could...
If i may have hurt some feelings, i am deeply sorry for that.
Cheers
Well, 2 points in answer to your post where you obviously did not read mine:
1) Did you miss the sentence that starts with "Joke aside" ??
2) Don't care of being flamed, I provided evidence to people that want to make up their miind, they don't need you to tell them what is safe or not for them
Bottom line is:
- if you do not want to have a phone crashing on you, use a stock ROM (that's actually a good joke... Stock ROMs do not crash less than their beta counterpart).
- if you do not want your passwords, contacts or personal data to end up into some hackers site, be careful about what ROM you install
wearing my flame proof vest.
UM
unlockMe said:
Well, 2 points in answer to your post where you obviously did not read mine:
1) Did you miss the sentence that starts with "Joke aside" ??
2) Don't care of being flamed, I provided evidence to people that want to make up their miind, they don't need you to tell them what is safe or not for them
Bottom line is:
- if you do not want to have a phone crashing on you, use a stock ROM (that's actually a good joke... Stock ROMs do not crash less than their beta counterpart).
- if you do not want your passwords, contacts or personal data to end up into some hackers site, be careful about what ROM you install
wearing my flame proof vest.
UM
Click to expand...
Click to collapse
Dear UM,
I had a good laugh reading your last sentence LOL
I believe that wither you misunderstood me either I was not clear...
1. I am not accusing you of anything.
2. I read you whole message (points 1 and 2 included... They were there, weren't they...?)
3. I am not trying to demote you of you purposes... I was only trying to pass a message but given the fact the message wasn't delivered, I will try to rephrase...:
You are expressing both facts and opinions.
That is, indeed, you right given the fact we are in an open community and we, still, are in a free world (so to speak...).
I do not endorse or condemn none of your previous statements.
Knowing this community for quite some time and specially knowing it's member, active ones, passive ones, contributing ones, parasite ones, etc... I just know for sure that your comment in which you address people in such manner will have one of two possible outcomes:
1. Total ignorance
2. Flaming
Now, after this, do whatever you like Don't get me wrong and sorry if I made myself misunderstood
Nuff said.
Cheers.
This thread is not development related, moved to the appropriate section

Cyanogens Current State!

The current state..
The last few days have been difficult. What has become clear now is that the Android Open Source Project is a framework. It’s licensed in such a way so that anyone can take it, modify it to their needs, and redistribute it as they please. Android belongs to everyone. This also means that big companies likes Google, HTC, Motorola, and whomever else can add their own pieces to it and share these pieces under whatever license they choose.
I’ve made lots of changes myself to the AOSP code, and added in code from lots of others. Building a better Droid, right?
The issue that’s raised is the redistribution of Google’s proprietary applications like Maps, GTalk, Market, and YouTube. These are not part of the open source project and are only part of “Google Experience” devices. They are Google’s intellectual property and I intend to respect that. I will no longer be distributing these applications as part of CyanogenMod. But it’s OK. None of the go-fast stuff that I do involves any of this stuff anyway. We need these applications though, because we all rely so heavily on their functionality. I’d love for Google to hand over the keys to the kingdom and let us all have it for free, but that’s not going to happen. And who can blame them?
There are lots of things we can do as end-users and modders, though, without violating anyones rights. Most importantly, we are entitled to back up our software. Since I don’t work with any of these closed source applications directly, what I intend to do is simply ship the next version of CyanogenMod as a “bare bones” ROM. You’ll be able to make calls, MMS, take photos, etc. In order to get our beloved Google sync and applications back, you’ll need to make a backup first. I’m working on an application that will do this for you.
The idea is that you’ll be able to Google-ify your CyanogenMod installation, with the applications and files that shipped on YOUR device already. Or, you can just use the basic ROM if you want. It will be perfectly functional if you don’t use the Google parts. I will include an alternative app store (SlideMe, or AndAppStore, not decided yet) with the basic ROM so that you can get your applications in case you don’t have a Google Experience device.
I’ll have more updates soon as I get all the code hammered out.
Thanks for all the support thru all of this.
http://www.cyanogenmod.com/home/the-current-state
The stuff Dreams are really made of....
I knew! Where there's a will there's a way! You can't keep a real boss down! Cyanogen I look forward to playing with this new stuff in the works. Rage on brother rage on, I for one honestly didn't want to leave android really, but I will continue to research back-up plans in case Google has anymore monkey wrenches laying around itching to be thrown...Good luck Cyanogen. We all owe you donations...real recognizes real! Dueces
This is great news Thank you!
fkn awesome!
this exactly what i thought and hoped would happen. everyone got in a tizy over nothing. so we have to back up before we flash which is just another way that the basic moder like myself can better understand the phone.
Does this means we need to wipe every time we flash a new rom?
tomvleeuwen said:
What do you guys think of sharing the 4.0.4 version over p2p networks?
Click to expand...
Click to collapse
Everyone already has it.
Great
This sounds good, there is more than one way to skin a cat. I think they got upset when the new market app was released before they could get it out. They had to do something, but I think it will die down.
don't go there
tomvleeuwen said:
What do you guys think of sharing the 4.0.4 version over p2p networks?
Click to expand...
Click to collapse
Cyanogen is doing his best to respect Google's legitimate copyrights, so suggesting that XDA get involved in distributing proprietary applications without a license only serves to undermine what is going on here. Mods: please remove.
ei8htohms said:
Cyanogen is doing his best to respect Google's legitimate copyrights, so suggesting that XDA get involved in distributing proprietary applications without a license only serves to undermine what is going on here. Mods: please remove.
Click to expand...
Click to collapse
I posted this in another thread but it would seem to be pertinent to here too:
Loccy said:
Let's face it, strictly speaking, all ROMs are warez.
Personally I'm surprised that it wasn't the Hero devs who got into trouble first, but this was all just a matter of time. I never understood the bizarre fixation that cropped up recently with QuickOffice and everyone going "omfg it's warez can't include it in romz!!!111!1one!". Why QuickOffice and not, say HTC_IME, or Work Email, or any number of other binary blobs that ROM cookers include as a matter of course now that have been "acquired" from non-orthodox source?
The Hero ROMs, let's face it, give people a means of "turning" their old phone into the latest and greatest HTC device. Each stable Hero ROM on the Dream/Magic potentially means a Hero device purchase lost. HTC are being far more hit in the pocket than Google are here - which is why I'm surprised the cease and desist wasn't directed at them.
I do think, however, this site and the people who run it are going to have to pick a side at some point. Either the position is "this is a site for developers, and as long as copyrighted material is not hosted on here in a fashion that would make us liable*, we will not suppress the work of individual devs". Or, their position is "no copyrighted material in any form, be that in the form to links to offsite storage repositories (eg. Rapidshare), or any other method". XDA doesn't *need* to do this in order to ensure the site does not get into legal hot water. I suspect they *might* do it, however, as some kind of misguided moral stance (and in my view the QuickOffice preoccupation was an example of just this). But in my opinion if they choose the latter then XDA is over as a site for realistic Android ROM development (and indeed, Windows Mobile and other OSes, if they apply the same standards across all their boards).
* elaborating on what I mean here - if people attach zips directly to their posts, and those zips are stored on the XDA servers, then XDA as a site is potentially liable. Alternatively, if instead people give a URL or a search string whereby people can find a ROM, but those files are not physically stored on XDA, they are not - any more than Google is liable for the many copyrighted MP3s you can find links to via their search engine.
Click to expand...
Click to collapse
The bottom line is that if ROM devs decided they were going to respect ALL legitimate copyrights, there'd be no Hero ROMs, no Windows Mobile ROMs, in fact no ROMs apart from barebones AOSP ROMs which do less than a stock ROM.
ei8htohms said:
Mods: please remove.
Click to expand...
Click to collapse
And I'm sorry, that's just ignorant. Just because you don't agree with a sentiment doesn't entitle you to demand the mods remove it. If the mods want to remove it they will (and in my view that would indicate which "side" they were choosing.) Personally, I don't know what it's like elsewhere around the world, but here in the UK one is at least allowed to speak freely, if not necessarily act freely.
kudos to cyanogen!
Loccy said:
If the mods want to remove it they will (and in my view that would indicate which "side" they were choosing.) Personally, I don't know what it's like elsewhere around the world, but here in the UK one is at least allowed to speak freely, if not necessarily act freely.
Click to expand...
Click to collapse
I think common U.S. practice is: if you speak freely, you get called names by people until you either cry or shoot them, thus proving to everyone that your original point is invalid.
But XDA has always had a policy of "if it doesn't get the site admins in trouble, it's probably ok." If memory serves, the site is in the Netherlands, and is subject to EU laws as to copyright, etc. I think that's important to remember when it comes to such things, since the EU laws as to intellectual property are in flux and not quite the same as those in the US or UK.
But the official policy is available in one of the toplevel forums here:
Flar said:
Hi Everybody,
We noticed that there is some confusion when it comes to posting sensitive material on xda-developers.com and mostly about what can and can't be posted.
We would like to clarify our point of view through this post.
Since the start of xda-developers this has always been a site that once in while has some sensitive material online, through the years this site has grown so big it's no longer possible to check every file on our servers or every post on the board, we also feel it wouldn't benefit the community if we did.
However with increased popularity comes an increased amount of legal complaints when sensitive material is found on our servers. Which is the reason why we have been more careful lately. Recently some sensitive material has shown up on the servers and we received legal complaints from companies who have the copyrights for this material, although we all feel this is very interesting and valuable material we cannot risk the future of xda-developers by ignoring the legal requests we receive, therefore this material has been taken offline.
We understand that maintaining the balance between legal and illegal is sometimes confusing and/or difficult but that is unfortunately how it works.
When it comes to posting sensitive material there are a couple suggestions we can make:
- if possible do not post the files on the xda-developers servers.
- use your common sense (if you feel something might not be legal it probably isn't).
- always keep in mind when posting software of any kind, that we will take it offline if there is a legal complaint from the copyright owner.
Warez is in no way accepted and will be removed upon discovery.
I hope this post will serve as a clear and valuable guideline.
Greetz,
Flar
Site admin.
P.s. When you have any questions you can always contact me or one of the moderators.
Last edited by Flar; 17th January 2007 at 10:14 AM..
Click to expand...
Click to collapse
Everyone has an opinion, and they have, or should have, the right to decide for themselves what is correct. I am on the side of Cyanogen. I do not think what he did caused any harm or loss of revenue to anyone. We can not always have our way though, and I think that's the case here. I don't know him, but I do think he's smart enough to keep doing what he is EXTREMELY good at without putting himself in a bad position. It's just a stumbling block to get past. We are puting a lot of effort into pointing fingers and throwing around ideas, but if we placed this much energy into finding a fuctional solution, we might get past it a whole buch faster. A good army fights the war, not the battle.
Warez is in no way accepted and will be removed upon discovery.
Click to expand...
Click to collapse
But every single ROM on here is warez to some extent or another! Certainly (just for example, I'm not picking on anyone specific here) Drizzy doesn't own the IPR for the contents of his Hero ROMs. I'm pretty sure the WinMo ROMs aren't being posted by Microsoft. If the policy is that "warez is in no way accepted and will be removed upon discovery", they're not doing much of a job, are they - every other post is "warez", if you take a strict interpretation.
I suppose I'm saying that "warez is in the eye of the beholder". I fully endorse the attitude "if it doesn't get the site admins in trouble, it's probably ok" - but I can't help thinking that relaxed attitude has been firmed up of late for whatever reason, given the QuickOffice oddness. I'm pretty sure no-one who own the IPR for QuickOffice was ever in touch (although do correct me if I'm wrong), so why the odd fixation recently?
Bottom line: stick to the attitudes and approaches that have made this site what it is, please don't start getting over zealous when there's no reason to.
Honestly did this need another topic though? I mean I'm all for good news like this, but add it on to one of the many topics that are out there. -.- (ready for flaming)
easy now
Loccy said:
The bottom line is that if ROM devs decided they were going to respect ALL legitimate copyrights, there'd be no Hero ROMs, no Windows Mobile ROMs, in fact no ROMs apart from barebones AOSP ROMs which do less than a stock ROM.
And I'm sorry, that's just ignorant. Just because you don't agree with a sentiment doesn't entitle you to demand the mods remove it. If the mods want to remove it they will (and in my view that would indicate which "side" they were choosing.) Personally, I don't know what it's like elsewhere around the world, but here in the UK one is at least allowed to speak freely, if not necessarily act freely.
Click to expand...
Click to collapse
First off, I'm not demanding anything. I politely requested that the mods remove a suggestion that clearly seeks to circumvent the policies of XDA: We won't distribute warez. The poster knew the suggestion was specifically aimed at getting around the XDA policy, otherwise there would be no reason for a P2P distribution alternative in the first place.
A key component of intellectual property and copyright laws (at least in the US) is that the holder of the copyright must act to defend the copyright to some reasonable extent (no, I'm not a lawyer and I don't know what this entails exactly). Now that Google has acted to defend their copyrights in these instances, the line is clear. Google apps are paid apps (licensed to the handset manufacturers or service providers) and are not free to distribute without a license. Consequently, there shouldn't be much further debate about the fact that these are warez and are not to be distributed on or through XDA.
I'm not trying to attack anyone (the original poster, ROM devs or certainly yourself), but I am interested in XDA maintaining the high ground here and continuing to operate in a respectful and respectable manner.
Perhaps we should stay on topic?
te5ter said:
Perhaps we should stay on topic?
Click to expand...
Click to collapse
Fair point. Maybe we should take the "warez is in the eye of the beholder" debate to this thread. I do actually think it's a fascinating debate, personally. Oh, incidentally, just re-read my earlier post, and want to apologise to ei8htohms - I didn't mean to come off quite so brusque.
First, I'm very happy that there seems to be a workaround that Cyanogen feels comfortable in using.
However, I see it as a band-aid to a much larger problem. Yes, it addresses those few apps that Google specifically mentioned. But there seems to be potential future conflicts that could adversely affect this whole Android community.
What about all the other apps in there? The Camera/Camcorder/Gallery app for instance. The UI? Other HTC bits? And the biggie, the Search component? Does Google also lay claim to unified search, the widget, the particular framework involved in that?
I don't know the answer to that, I'm just asking. So much is left unanswered, I just feel this is only the beginning. For now, I guess it may be enough. But it still leaves so much up in the air.
Now the 2nd major issue: Cyanogen should be commended for taking the high road here and doing his best to adhere to Google's current request. I think we all know that there was never ever any question that no one saw this coming. It came from left field and shocked everyone beyond belief.
But will other rom devs be as diligent as Cyanogen? Will theme developers adhere to this? And with all of these added steps required to get a functioning "Google Experience", consider the flood of newbie questions this forum is about to endure. We all thought "brick" and "hardspl" questions were tedious at best ... prepare yourselves for the onslought of mass confusion. That fun has just begun.
I still believe the burden lies with Google to make this right. I'm not saying they should make their apps open source by any means. I'm just saying that there must be a way for Google to allow the inclusion of their apps (perhaps a different license or maybe some encryption trick that protects the apps from modification <I don't know, I'm not that smart>). Google needs to step up to the plate in this. They also need to save-face and stifle this PR nightmare. Android does not need this, Google does not need this, HTC does not need this, carriers do not need this, Cyanogen does not need this, and users do not need this. Growth of the entire Android project is simply too important. I see this as speed bump. They just made the bump too big and it needs to be shaved down some so everyone can get it over without damaging anything else.
this is great news indeed. can't wait to see what is to come!

[KNOX] Searching for users with root, active SELinux and a not tripped Knox

Hello,
I'm involved in trying to collect information regarding Knox, the illegal destruction of private property and possibility to run unknown code and I badly
looking certain configurations to get more answers.
If someone has root, not tripped Knox and preferably SELinux set to "Enforcing", please send me a message! Your help is needed!
I was too late. The "Rules update #16" that blocked "Root de la Vega" was pushed to my phone against my will. Other got it as well.
That means they already have some form of control and disregard your configuration. What can they do more?
With an SELinux they can control your device as they wish if they configure it to hide processes that run, as of today, unknown code.
I'm an "BOFH Unix kick ass consultant" by trade. I know how nicely you can do this. "Living in a box". Oh yes.
This is about our future, the right for privacy and the right to do what we want with out own private property!
The extreme measures taken against just obtaining root are disproportionately harsh. If they succeed, others will follow.
We might end up with iNdroid in a few years. I want to prevent that. But we need more knowledge. They destroy evidence if you trip Knox.
Rooting is not illegal, but the active action of destroying someones property with indent is, whatever cause, warranty claims or not.
There will be consequences. But we need more information, and you who have a Note 3, just as me, can help. The key can be your phone.
Knox is not "just a flag". It have attached code. It sabotages your system both software and hardware. Scrambled software. Wifi permanently
damaged, to name a few. I know, from my S4, and have it verified from source. But that code is run once and then gone. Are there more E-fuses?
Dumping hardware has made at least one device totally bricked. Not even the Power button worked. It was stone-dead.
Also:
If someone has a way of obtaining it without tripping Knox please contact me. I'm willing to take the risk of tripping Knox since this is more important then
some warranty.
I've been working in this for two months now and the more I learn the more I start to question if this isn't a bad movie with Kevin Costner...
No opt-out. Enforcement of this "Enterprise" solution. On your private phone? Think! The money this must cost? You want a return of investment!
Rooted phones cost that much? I don't buy that. You have an unique certificate that binds YOU to your phone. You and your phone are bound as one.
What if 3rd-party malicious code get hands of that? Viruses exist, even on Play. But your Antivirus can't run because it can't access the parts it must have
higher right to read check your programs. I rather run a firewall and deny permissions of programs that want way too much.
A "file manager" doesn't need to read your contacts. A game doesn't need to use your camera. But you can't prevent that.
Knox prevents that. Because you can place a document in a container... I rather use my freeware AES-program that encrypt documents on the fly.
Until we know more the device should be considered as not safe. Why is Samsung stonewalling the question so many have asked?
"What is the extent of the damage made?". I think we have the right to now that, don't you? Many has tried. "Heavy damage" is so far the best we got.
So please, if you still have root and not a crippled device, please contact me. Your help is the only way I see is possible right now.
All the best,
Abs (Yes, I need to update my tag, since I have so much new)
Hi. I've root, not tripped knox and with selinux set to enforcing.
Enviado desde mi SM-N9005 mediante Tapatalk
Absolon said:
Hello,
I'm involved in trying to collect information regarding Knox, the illegal destruction of private property and possibility to run unknown code and I badly
looking certain configurations to get more answers.
...
I was too late. The "Rules update #16" that blocked "Root de la Vega" was pushed to my phone against my will.
...
Click to expand...
Click to collapse
Sorry, if you missed the incredibly obvious checkbox in Settings / Security = Auto update security you really don't look like the right person to trust with full root access on my phone.
xclub_101 said:
Sorry, if you missed the incredibly obvious checkbox in Settings / Security = Auto update security you really don't look like the right person to trust with full root access on my phone.
Click to expand...
Click to collapse
It got pushed about the moment I turned on my phone the first time. So as I said. I missed the opportunity
But thank those who instead of making sarcastic comments, already sent a message and offered help instead. :good:
I'm sure that the large group who got their phones destroyed really value you and your opinion, Xblub
But be careful so you don't trip it. You would not believe how easy that is!
Would be sad if you also got your phone devastated by the unkindly spirits at Samsung.
Let's hope we find a solution before that happens, right?
And please, if more want to help out please mess me, there are so many who got their phones destroyed and Samsung will not stop itself.
It will only be worse. But you can help stop this while we still have a change.
Next phones will have Knox chipped and then even Xblub will be sad
/Abs
Edit: Of course I meant Xclub.
As noted, easy to make a mistake. Like wanting Xclub to write "ls" when I really meant he should run
#!/bin/bash
//usr/bin/tail -n +2 $0 | g++ -o main -x c++ - && ./main && rm main && exit
main(_){_^448&&main(-~_);putchar(--_%64?32|-~7[__TIME__-_/8%8][">'txiZ^(~z?"-48]>>";;;====~$::199"[_*2&8|_/64]/(_&2?1:8)%8&1:10);} (Please don't run it!)
Ahh @Absolon, Was wondering where you had gotten too.
To be honest, I just tripped mine soon as I got it. removed the Stock ROM and just went custom. However... What I have noticed is knox.eventsmanager runs regardless of ROM and IF KNOX is uninstalled.. So probably running /hiding somewhere in the bootloader (at a guess anyway)..
All this KNOX talk is getting complicated now, it's a 50-50 split I think with people tripping/keeping it. - Samsung have forced it upon us, and unless we custom flash (and lose warranty in parts of the world) we are screwed.
radicalisto said:
Ahh @Absolon, Was wondering where you had gotten too.
To be honest, I just tripped mine soon as I got it. removed the Stock ROM and just went custom. However... What I have noticed is knox.eventsmanager runs regardless of ROM and IF KNOX is uninstalled.. So probably running /hiding somewhere in the bootloader (at a guess anyway)..
All this KNOX talk is getting complicated now, it's a 50-50 split I think with people tripping/keeping it. - Samsung have forced it upon us, and unless we custom flash (and lose warranty in parts of the world) we are screwed.
Click to expand...
Click to collapse
I have not touched the Note 3 yet, but I tripped the S4 when they sneaked it in. My Wifi works though, Like a Us Robotics 56K modem, but well..
So what did you experience? I just got the reports from the S4.
The problem of tripping or not tripping is not if this would be a flag because it's not. It's a lot more and I have it confirmed.
But since I can't obtain root without tripping Knox on my Note 3 right now I won't do it until the holidays are over and then claim hardware warranty
and let that play itself out.
But pray tell, after you broke Knox. What did you notice? Still have that sticky bootloader? Any Wifi, gfx, other issues? Any issues with
programs that got removed or that Play stopped working?
All info is needed and I really need constructive people here. I don't need access to someones phone. But I need to collect things.
So even if you can't Android or the SEL that I'm after I can guide through. So let's stop this before we have it in a nice chip next year?
Doesn't that sound like a really good plan?
/Absie
Absolon said:
I have not touched the Note 3 yet, but I tripped the S4 when they sneaked it in. My Wifi works though, Like a Us Robotics 56K modem, but well..
So what did you experience? I just got the reports from the S4.
The problem of tripping or not tripping is not if this would be a flag because it's not. It's a lot more and I have it confirmed.
But since I can't obtain root without tripping Knox on my Note 3 right now I won't do it until the holidays are over and then claim hardware warranty
and let that play itself out.
But pray tell, after you broke Knox. What did you notice? Still have that sticky bootloader? Any Wifi, gfx, other issues? Any issues with
programs that got removed or that Play stopped working?
Click to expand...
Click to collapse
I don't think you can tell the difference once Knox is tripped. The only obvious thing that sticks out is you have more RAM/HDD available and the phone feels slightly faster. As for Play and Apps not working, I am yet to see any issues (only play issues I have ever had have been No connection, when there clearly is one. After a few refreshes it loads up. Now bear in mind, My connection isn't weak, I've been on the internet via the browser or on an app when I have switched to Play and experienced this) - Not to mention a stupid notification yapping at us telling us we are wrong to use something on a phone we legally own.
Absolon said:
All info is needed and I really need constructive people here. I don't need access to someones phone. But I need to collect things.
So even if you can't Android or the SEL that I'm after I can guide through. So let's stop this before we have it in a nice chip next year?
Doesn't that sound like a really good plan?
/Absie
Click to expand...
Click to collapse
Aww I dread to even think what Samsung will enforce on us next time. There should be an option when you purchase the phone, if you're gonna use it for corporate use, then have KNOX installed via a code they print out. - But to us the everyday user. All it's doing is
*Taking up space on OUR phones
*Running cheekily in the BG
*As you stated, banning access to certain parts of the phone, which IF exploited, our AV's etc cannot reach.
To say we (well most of us) live in a free world, when it comes to us being consumers... they like to shaft us several times over.
Absolon said:
If someone has root, not tripped Knox and preferably SELinux set to "Enforcing", please send me a message! Your help is needed!
Click to expand...
Click to collapse
I feel your frustration. I would much rather an open hardware platform with none of this KNOX business. It's starting to get ridiculous...
It sounds like you've already got help, however I too have an un-tripped KNOX, w/ SELinux enforcing and would be happy to help out.
lispnik said:
I feel your frustration. I would much rather an open hardware platform with none of this KNOX business. It's starting to get ridiculous...
It sounds like you've already got help, however I too have an un-tripped KNOX, w/ SELinux enforcing and would be happy to help out.
Click to expand...
Click to collapse
Not all have the same configurations and not all have the same level of knowledge. But that is not a problem.
As I said. I don't want into your phone, I want you to collect info. So I gladly take any help I can get. Send me a private message.
Because I need as many as possible to verify things. Don't be shy! I don't bite. That hard
Destruction of data INSIDE the knox container after gaining root (which is a vulnerability in itself) is not data manipulation of any sort.
Tripping the counter will just void your warranty (as you would expect anyway!) and disable the knox container completely - it will NOT cause any other issue whatsoever to your device.
The System Security Policy service resets with a factory reset (so you can now go to the security tab and disable auto update).
Security Policy blocks known vulnerabilities that can give access to unauthorised root permissions and potential malware attacks.
Knox as a container can be opted out by uninstalling the knox application.
Knox as a counter is an integrated security measure and in no way should you ever be able to turn it off.
Security Policy is an active security system and you should not have the option to turn it off - you can prevent updates to the policy however.
Tripping the counter will not cause any hardware/software damage (!! An E-FUSE triggering is not damage, it's doing the job it is designed to do in case of compromising the system !!) - it will prevent you from using the knox container which is no longer safe after root and prevent you from getting warranty because you void it by rooting since the middle ages anyway - WiFi issues, dead devices and whatnot are not related in any way as most N3 users here are already using the device with knox tripped.
If you want root privileges you automatically lose your warranty and access to knox, nothing more nothing less.
PS: Update 16 blocked kingoapproot and vroot (which are technically malware), not root de la vega, the new bootloader blocked root de la vega because it's an exploit to gain root.
Absolon said:
...
The problem of tripping or not tripping is not if this would be a flag because it's not. It's a lot more and I have it confirmed.
But since I can't obtain root without tripping Knox on my Note 3 right now I won't do it until the holidays are over and then claim hardware warranty
and let that play itself out.
...
Click to expand...
Click to collapse
While the first line falls close to what a conspiracy theorist would say the second one is an interesting point where more attention would be useful.
It can be argued that in the context of EU law the HARDWARE warranty is different than the SOFTWARE warranty, and that a manufacturer can not evade providing the first.
The thing is - to the best of my knowledge Samsung has never (so far) denied HARDWARE warranty based on knox flag status - so in that regard you might have a starting point in case you want to set some precedent - and I would LOVE such a precedent to be set (in a way that protects the consumer)!
Other than that all the stuff on how knox is used by Samsung to spy on you and follow your every move is really not helping anybody's cause (except maybe Samsung's).
My final point on this matter is that people with a LOT more technical knowledge on the subject than Absolon here (people like Chainfire or AndreiLux and plenty other) have commented on this, so people should really learn more about the subject before starting the wrong crusade born out of conspiracy theories. Don't get me wrong - I WANT my consumer freedom, but I would also like that when legal precedents are set on the subject to have them set the right way, for the right reasons and with the right evidence (which will not be destroyed in court by Samsung lawyers in a day or less).
I'm following a good advice and removing any further comments.
I really want to work in a constructive manner and I do not with to petty fight. So please.
If anyone else want to help explore, please message me. We are on different levels of knowledge but that is all what XDA is about. To learn and to help!
All the best,
Abs
If I trip KNOX and my phone will need a repair will this work?
[INFO][EU] Rooting and Flashing don't void the warranty
EdisDee said:
If I trip KNOX and my phone will need a repair will this work?
[INFO][EU] Rooting and Flashing don't void the warranty
Click to expand...
Click to collapse
As said, there are different views. Skander has one experience and that can be for one version.
For the I9505 the Knox did cause damage to the hardware and I did collect reports of findings and the majority was Wifi,
If this is the same for Note 3 I don't know. I write that I know, and what I think. We have free speech and I can have my thoughts and so can others.
It's rudeness and bluntness that should be avoided and I know that irony sometimes doesn't do as well on paper as in real life, but believe me, irony is the only thing that keeps me alive now days ;P
So when turning on a GN3 for the first time immediately disable updates before you DL the bad firmware/bootloaders?
Edbert said:
So when turning on a GN3 for the first time immediately disable updates before you DL the bad firmware/bootloaders?
Click to expand...
Click to collapse
On ANY MODERN PHONE (if possible - for instance you will not be able to do that on any iphone) you should:
- start the phone once without any SIM card and without entering/activating any form of WiFi - this will guarantee that your phone will not connect first to the Internet
- check/set any relevant settings regarding security and software updates - for instance on Note 3 those are two separate settings, and the security one seems to be activated "by default"; currently the firmware update is not really activated "by default" since it WILL ask you pick a country and agree to some EULA
- either way, once you have disabled things (I also disable mobile data at this point) you can then power-off and insert your SIM, then enable WiFi and do whatever else you want to do.
I am not saying that it is "normal" to be this way, but since it is then you better be prepared for it!
Tripping knox won't break your WiFi or anything on the Note 3.
If you break it yourself by messing with it that's another thing.
Do keep in mind that your warranty is void by rooting but this depends on the seller or carrier.
Skander1998 said:
Tripping knox won't break your WiFi or anything on the Note 3.
If you break it yourself by messing with it that's another thing.
Do keep in mind that your warranty is void by rooting but this depends on the seller or carrier.
Click to expand...
Click to collapse
Abit ridiculous though. Why they would want to avoid advance users like us to root our phones? Knox was implemented for corporate user or uses. But they jolly well know most of their customers are average users which are not completely working on highest intel in any agencies which require knox to be used. Their marketing strategy failed to the max. Focusing knox on both the corporate users and normal users. Secondly knox to them is both a security measures and a so called warranty tracker. By warranty rooting as does damage your phone software but not hardware unless extreme cases whereby people oc'd their phone to be rocket-ed out of their pockets. Hmm. Rarely i've heard root causes phone to be burnt or caused a crack to the screen or buttons alignment.
Sent from my SM-N9005 using XDA Premium 4 mobile app
---------- Post added at 05:46 AM ---------- Previous post was at 05:39 AM ----------
MxFadzil92 said:
Abit ridiculous though. Why they would want to avoid advance users like us to root our phones? Knox was implemented for corporate user or uses. But they jolly well know most of their customers are average users which are not completely working on highest intel in any agencies which require knox to be used. Their marketing strategy failed to the max. Focusing knox on both the corporate users and normal users. Secondly knox to them is both a security measures and a so called warranty tracker. By warranty rooting does damage your phone software changing of roms baseband kernel etc but still baseband all those stuff are still needed by the original manufacturer release not by cyanogemod for example new baseband are aquired by new tw rom new builds except for kernels which are aquired by githubs made by respective developers... But not hardware unless extreme cases whereby people oc'd their phone to be rocket-ed out of their pockets. Hmm. Rarely i've heard root causes phone to be burnt or caused a crack to the screen or buttons alignment. Rooting are the only way for us to try a new android platform build release by google... To wait for manufacturer release maaan could be months down the road. Sigh.
Sent from my SM-N9005 using XDA Premium 4 mobile app
Click to expand...
Click to collapse
Sent from my SM-N9005 using XDA Premium 4 mobile app
MxFadzil92 said:
.too long.
Click to expand...
Click to collapse
They do not stop you from rooting, they just re-affirm the million year old knowledge that rooting voids your warranty!
Bricking smartphones from rooting is very common, so does flashing kernels and whatnot, flashing kernels can actually allow someone to cause actual hardware damage to antennas, CPU's and GPU's and even kill the screen (in the note 2 for example, flashing an s3 recovery will burn the digitizer permanently)
Rooting also invalidates Knox's security completely, and any data there should be protected so they make it self destruct (the container) when rooted and the flag is there so after unrooting (and potentially having a still infected system) no one can activate a container anymore on the Smartphone.
This has side effects like the inability to root without detection, but the regular users you are talking about will not root their devices and so is 90+% of the users.
Knox is not an issue and nothing new, flashing anything from 2010 on any device voids your warranty, now it voids it with a permanent marker so you can't fool them and technically illegally get a repair from a broken warranty.
You break warranty terms even one of them, you don't get it.
xclub_101 said:
On ANY MODERN PHONE (if possible - for instance you will not be able to do that on any iphone) you should:
- start the phone once without any SIM card and without entering/activating any form of WiFi - this will guarantee that your phone will not connect first to the Internet
- check/set any relevant settings regarding security and software updates - for instance on Note 3 those are two separate settings, and the security one seems to be activated "by default"; currently the firmware update is not really activated "by default" since it WILL ask you pick a country and agree to some EULA
- either way, once you have disabled things (I also disable mobile data at this point) you can then power-off and insert your SIM, then enable WiFi and do whatever else you want to do.
I am not saying that it is "normal" to be this way, but since it is then you better be prepared for it!
Click to expand...
Click to collapse
And with a company that does fair play you don't have to worry that they push something you don't want on your phone.
And they do. Don't be too sure that just because you turned your settings off that it protects you, because if you read through posts you will see that people got updates pushed, disregarding whatever setting you had. And that is certainly not fair play
But to answer your question. First. Just dropping names here and there doesn't do it. To ride on someones "fame" to gain more authority and merit to your post is bad rhetoric.
You should be able to do that on your own.
Yes, there are many who are way better then me, but the nice thing is that when you asked them, they know they once been there themselves and don't feel the need to project personal problems and anger on some random person they never met.
Just that we passed the 100 post mark and XDA automatically put a "senoir" next to the name means nothing more then we are good at bull****ting online,
Doesn't tell if you are 1337 or a n00b. Even if you post 10000 post doesn't mean that you have any deeper understanding.
But new users don't know that, and treating others without respect scares them away. Makes them afraid to ask. Who wants a snotty answer back on their first post?
So please. Make this a constructive place. If you are angry I recommend Reddit/Imgur/Flashback. There you can project whatever you want or need.
I don't know how to code a single line in Java!
But I'm awesome in C64 Basic!! And I managed to write "Hello World" in BF!
And I know several Asm's and I coded mostly in C (and C++ when it was still readable) and did my VHDL/Erlang-hell period (and I tested like 20++ other languages, some enforced during my master but some just for fun. I can write "Hello World!" in Sun's start eeprom!) but that was looong time ago. So I'm "rusty". Old. There are so many nifty new things. But then. Mostly I use something invented 200 years ago - A stethoscope. But there is a new COOL one! BT! With noise reduction and spectrum analysis! No more things that hurt in my ears! For the little sum of 1500 € it's yours!..... Bleh.
But I'm not ashamed of that! I can learn if I want. XDA is a great place for that. Even have their own Android University!
I'm fairly good with Unix. Even made money of it. For over 8 years. And the good with that is that some things we still use today haven't changed since 1973!
And I worked some with hardware but I need a new JTAG. Know a good one? So many to choose and I don't know the quality or what is needed?
Do the board even have pins or do you have to weld them? I hate welding!
You say conspiracy. I say concern and worry.
Why are people starting to get worried?
It's not as much as conspiracy then more why they are behaving like they do?
The fact is simple - the unknown
The word SELinux has come to more people now since it's mandatory in 4.3. The "moblie magazines", M3, Android** talks about the "news in 4.3".
But what is SELInux?
So people turn to the trusty Wikipedia for answers: Wikipedia - SELinux
And the first lines they see are
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides the mechanism for supporting access control security
policies, including United States Department of Defense-style mandatory access controls (MAC).
SELinux is a set of kernel modifications and user-space tools that can be added to various Linux distributions. Its architecture strives to
separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security
policy enforcement.[1][2]
The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency.
Click to expand...
Click to collapse
That is what people see!!
I can bet some even read "police" and not "policies". The see all this and that SCARES THEM.
With the recent scandals in mind of NSA hacking everything including the Germans Chancellors phone, an alley??
And here, the American spy-outpost towards Sovjet/Russia since 1947. We have also a 3-letter agency. And not many weeks ago there where front pages that they shared the databases with each other. So is that so hard to understand?
So to get from the unknowns they start to look
So you turn to Samsung for answers, And they treat you like cattle. And they stonewall you? No transparency whatsoever.
They reminds me of Nokia when they also went into "grandiose mode" and also through they could do whatever they please because of their total dominance. But they forgot one thing. The consumers got more and more unhappy. And they was their sole income. And when get got that in their heads it was too late. What are they now? Decimated to nothing. Trying desperately with a yet another attempt by Microsoft that is deemed to fail. How many times have Microsoft tried to get in on the hand-held market? I lost count.
And then they start to Google. XDA turns up like the first thing. Find their phone and see "Knox?"
(SELinux==NSA) --> Enterprise solution? On my private phone? Encryption? Damage? Container? What do I need THAT for?
"I don't want THAT on my phone! NSA. Enterprise. Container? Where is the opt out? There are none? I was NOT informed of this!"
That is what I find that worrying and I share that with many others.
Yes, some say it's just a flag. Not on S4. Look how many got problem with Wifi. I got them as well. And I knew when I broke my Knox.
Since SS goes all this trouble to hinder you to gain root access that they even had an E-fuse that does cause hardware damage.
To prevent "Triangle Away"? As your friend if he believes it's because of that?
I don't have to use SELinux to run code past your nose, root or not, but SELinux does it so much easier, since you can define it do hide processes from normal users and it has the possibility to run 3rd-party code. You know that, right?
Since we don't know what is run on the phone you can't be sure it's not something with some intent? So why not investigate it? What is going on in the phone?
Aren't you curious? I am. I would love to be able to root? Can I after #16 on MJ7?
But sure ask them, please. Give it a try
Ask them for example why Wifi stopped working after Knox was tripped on your S4?
Ask them what the extent of the damage they have done?
Ask them where this "Efuse data" is, on what address-range so you can avoid it? Data for a flag? Wasn't that just burned in?
Ask them why you can't update with Kies anymore? Wasn't that just a flag?
Ask them anything.
And I'm sure you will get a message back (if you get any) from "Steve". The poor overworked guy that serves the whole world and he always seems to write the same? We compared. He sits and write the same text over and over? "Sorry, we can't divulge this information at the moment".
Poor Steve!
Come back to the mother-continent! I promise, we've stopped flogging, guillotine, quartering and we changed the stake for a steak!
We have much more fun! 6 weeks of full paid vacation. Here in Sweden we have Polar bears! While we sit in our igloos and make watches.
And we have better beer as well!
If you see turning of a setting as a merit I think you should add that to your CV (and I was not alone in this).
I did as 99% of all do. Unpack the phone. Skip the instruction. Put in the sim and the sd-card and then turn it on.
BAM! I don't even think I had the time to enter my Gmail?
But you didn't. Great!
Here your knowledge would be useful! Help your fellow XDA members. In the spirit of XDA!
Can you dump the phone? Not block-wise but by reading the whole contact of the eeproms?
Can you compare your fstab and it sizes? Do they correspond to the space you have? If you dump them and compare it to the first, Do the differ much is size (a bit is natural)?
Can you use parted and list the partitions? Are all mounted? What rights do they have? Can you read them all?
The security policies in /system. What do they contain? See anything strange?
Can you compare what processes you see as a user and root?
Can you list the rules loaded in the kernel? MAC? (I think you need to compile the commands for it or get it from some Arm dist, they are not included)
Strace some processes that you don't recognize?
The kcryptd? What do they work against?
What files are open and locked? What does the stat say?
See kvm? Or are you in a kvm?
Here you can actually ACT and DO something constructive and concrete or is this just, as from my compressor, high pressured air comming from your side?
Time will tell I guess.
For the others that have messaged me: A BIG BIG THANK YOU!
And no, I don't have enough volunteers, if you do have this configuration, mess me. Or test sometime from test list. The dumping should be used by experienced users but you can do a lot on that list and you can zip and sent me some files. Rules, Pipe out the process lists.
I don't care how much you can or can't. Ask away! We started at the beginning somewhere and I will do my best, ask around, and TOGETHER, we might get some result, because we want to DO something and maybe we CAN help right? Either we find something or we don't. If we are sure and can say "The system seems clean". That would calm a LOT people down. Including me.
/Abs
And with this I won't go into more arguments about this. It's enough. I saw this as an excellent solution to see and check. Not to argue.
I already lost too much time on bla bla bla. I want to spend the time I have on things that matter. My friends that have their phones destroyed.
Use the list or make another! All seem to have their own experiences/views. Samsung must love this division.
Just DO something! Like in all research: Stipulate, challenge, prove, disprove, confirm, dismiss. Start over.
If you need to vent, you can PM me as well, Xblub.

Categories

Resources