379: Tech That Slipped Through Our Fingers


Support the show by becoming a patron at tuxdigital.com/membership or get some swag at tuxdigital.com/store

Hosted by:

Ryan (DasGeek) = dasgeek.net
Jill Bryant = jilllinuxgirl.com
Michael Tunnell = michaeltunnell.com

Chapters:

00:00:00 Intro
00:00:42 Results of Michael’s Ratpoison Challenge
00:03:54 Community Feedback
00:15:13 Tech That Slipped Through Our Fingers
00:53:33 Canonical goes distro’less
01:02:03 New Sneaky Android Malware
01:10:32 Software Spotlight: Echo
01:13:13 Outro

Notable Replies

  1. The nickname of kubernetes is k8s because kubernetes starts with a k, ends with an s, and in between there are 8 letters.

  2. That is a disappointing revelation, but at least now I know :smiley: thanks

  3. I’m sorry to tell you this, but Jill isn’t unhackable. Because “security through obscurity” isn’t security.

    Obscurity in the context of security engineering is the notion that information can be protected, to a certain extent, when it is difficult to access or comprehend. This concept hinges on the principle of making the details or workings of a system less visible or understandable, thereby reducing the likelihood of unauthorized access or manipulation.

    It might make it more difficult, but still very much possible. For the same reason you change the SSH default port to something else, to reduce your attempted login log-file. Not for actual security.

    See also: https://wikiless.org/wiki/Security_through_obscurity

  4. First, welcome back to the forum @RyuKurisu :smiley: and to respond to your comment, we don’t actually believe using floppies is unhackable. With that said, Jill doesn’t just use floppy disks alone; the data on the floppies is encrypted and most of the time not connected to the internet due to the age of the hardware, and there are other factors . . . however that is way too much stuff to put on a t-shirt :laughing:

  5. I think the review of the Xamalicious malware was seriously flawed, especially the harping on Google not managing file permissions correctly:

    1. Android file permissions management has been improved massively since 2020 - mainly due to the security concerns you mentioned. Specifically the “full access” permission was deprecated and constrained in Android 10 and has been completely removed in Android 11. Applications on those versions can only request access to their own data, and also can ask the user to go through a lengthy manual process to allow access to one folder that isn’t a system folder.
    2. The malware in question does not even use the file system permission. As reported by McAfee and elsewhere, the malware uses the accessibility permission, which allows an app to manipulate screen controls. Granted, this could be used more invasively than just file system permissions, but at least get your facts straight.
    3. The process for enabling the accessibility control permission isn’t just “press OK on this notification” as you claimed - it requires pressing “OK”, then the app triggers the accessibility control panel where the user has to locate and select the application that they’ve just installed, then go through another dialog that says scary things such as “have full control of your device” with eye and hand icons, and then click on the “allow” button instead of “deny”, and then go back to the app.
    4. The comparison to iOS is indeed apt - iOS does not allow applications to implement accessibility features, which is why many, many people cannot use iOS, as it doesn’t offer the accessibility features that they need to function and they cannot install 3rd party applications to help them on iOS. These users must choose Android, as there are tons of helpful accessibility applications that can function on Android and can never be made to work on iOS because of Apple restrictions.

    Using the fact that Android is a better OS - because it allows use cases that Google never designed into the system - and the fact that some users are so oblivious that they go through a rigmarole just to give malware some permissions, to attack Google about not putting enough hurdles in front of good well meaning developers that want to offer useful accessibility services to people who need it, because… “think of the children!” - this is just FUD.

    This is like saying that if a Linux user goes to a web page where they read “to fix this or that problem, copy rm -rf / --do-what-i-mean and paste it in your command line” and trash their system - then that is a problem with the Linux permission system and the Linux company should really get their act together.

    In order to provide useful features that a single system developer did not envision, consider and design into the system - some freedoms must be afforded application developers. This is a hard choice and its benefits and drawbacks are apparent in the Android ecosystem, which both has a flourishing good and useful accessibility app market, and requires users of those apps to go through a manual process to grant the required permissions - often requiring help from friends or family to do so, because of the disabilities that necessitated such apps. If you look at any decent smart-phone accessibility review you’d note that one of Android’s strengths is quoted as having third-party accessibility app support, while in iOS accessibility-challenged people are limited to only what iOS designers have put in place.

    I find the fact that in a podcast calling itself “Destination Linux” and supposedly extolling the virtues of an open and free software ecosystem, there will be such disparaging of an open and free ecosystem in favor of a commercial closed garden with limited capabilities offered by an oppressive commercial company that mistreats app developers - to be deeply disappointing.
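The reply above turns on which apps hold the Android accessibility-service grant, since that is the permission Xamalicious is reported to abuse. As an added example (not from the podcast, the forum thread, or McAfee's report), the check below parses the value Android keeps in secure settings under `enabled_accessibility_services` and flags any service whose package is not on an owner-maintained allowlist; the sample value and the allowlist are constructed for illustration.

```python
# Added defender-side example, not part of the original page.
# Input shape mimics: adb shell settings get secure enabled_accessibility_services
# which is a colon-separated list of ComponentName strings, or "null" when unset.
from typing import List, Tuple

# Constructed sample: TalkBack (expected) plus an unfamiliar helper service.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.unknownapp/.AccessHelperService"
)

# Hypothetical allowlist of packages the device owner knowingly granted.
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the secure-settings value into (package, service_class) pairs.

    A relative class name such as ".Foo" is expanded against its package,
    matching how Android's ComponentName.unflattenFromString treats it.
    The literal "null" (setting never written) yields an empty list.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for item in raw.split(":"):
        if "/" not in item:
            continue  # skip malformed fragments rather than mis-attribute them
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def unexpected_services(raw: str, allowlist=ALLOWLIST) -> List[str]:
    """Return flattened component names whose package is not allowlisted."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(raw)
            if pkg not in allowlist]


if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE_ENABLED):
        print("review accessibility grant:", svc)
```

On a real device the same value is read with `adb shell settings get secure enabled_accessibility_services`; any service you do not recognise is worth revoking in Settings until its origin is clear.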
