
Android assessment

Having owned my phone for a week now, I think it is time to look at some of the strong points and lesser points of the Android system as a whole.

One of the biggest "lesser points" was highlighted by Rob's comment where he said that a fair few of my criticisms were not really valid, as it was an issue to do with the applications bundled with my phone by Motorola (the so-called Motoblur). This is true, and while it is a strength that manufacturers can bundle applications, it also becomes something of a weakness if it means I could get myself a SonyEricsson next year and have a completely different experience. There should be a set of core functions that every handset supports, and this should include things such as POP/IMAP email and an MP3 player. It shouldn't be up to Motorola to provide these, they should be built-in.

This leads us to Motorola's apparently notorious lethargy in supporting Android versions. This is a problem, not for me as I don't really know the differences, but for all of us - in that Google releases a new Android. It then has to be taken apart by the mobile devs (Motorola, SE, etc) who paste in all their own stuff, and then it passes to the provider (Orange, T-Mobile, etc) to paste in their stuff, and... finally, if we're lucky, we get an update.
Why is the core OS (and featureset) not completely separate from the mobile branding? Why was this not sorted for Android 2.x?
It would be better if it were possible to update the OS without resort to relying upon the chain of command. I say this because Windows is famous for Patch Tuesday to correct security flaws, and Ubuntu's update mechanism can fix up things when updates are available. And for Android? They're on 2.3 right now, I'm on 2.1. I wonder if any important security issues have been addressed that remain an issue on my phone?
There will come a day, and it will come soon, when people realise that their phones are real little computers running a real operating system. And as such, they will expect, no, demand to be able to keep up to date with patches and fixes. No amount of vendor bull$#!+ is going to cut any ice when it comes to a serious vuln that will remain in your phone because the manufacturer is busy performing unholy acts over a mock-up of The Latest Awesome Thing.

Conversely, a fairly (if not entirely) unified system is a strength in that developers don't need to support a dozen different environments to build an app. Sure, there will be quirks peculiar to different handsets, and a plethora of screen sizes to contend with, but an Android application should (more or less) work on an Android handset. Try running an iPhone app, or apps written for specific handsets based around customised versions of the J2ME, or OPL, or any of the various other ideas out there. It would seem to me that the basic 'war' has come down to iWhatever vs Android vs J2ME. The latter will slowly lose pace as it is an older technology, so it will depend upon those who wish to pay for the privilege of Apple product, or those who wish to go for a system that runs on a variety of devices.
This means, mind you, that it will be more in the attentions of malicious people. There wasn't so much interest when it was a dozen phones running a dozen different systems, but now we have a large uptake of Android devices with notoriously crappy support for firmware updates from numerous vendors, those with bad intentions will be thinking "hmmmm...". Already we've seen hacks and attacks. Fairly unimportant ones that work more on social engineering than anything else, but it's still early days.

Another problem concerns the permissions system. I have already covered this, but it is worth looking in more detail at the fact that:

  • The browser can remember passwords, but there is no way to view/edit/delete these.
  • The browser has no options for blacklisting, whitelisting, or filtering content.

It seems to me a lot like the Android system was built on the principle of "oooh, shiny!" and it is not mature enough to consider end-user security much beyond locking down what has access to what.
This is a situation that Google will have to take a critical look at. For while they are now the kings of Internet advertising, it is damn-near reprehensible to release a browser that is unable to filter what content is pulled from where. Google shouldn't need to worry; go to the right-hand panel and read the browser stats to see how many of my visitors are using IE still, including IE6. And I would like to think my readership is a cut above the generic Twitter crowd. So the fact is those who want security can have it, and The Bleating Masses probably won't care so long as Facebook works...
For, yes, security will mean blocking doubleclick.net and selectively filtering scripts and Flash. Why is this not available? Remember - we are no longer looking at "a mobile phone", we are looking at a miniature computer. And as such, it is only right that those of us who care are able to attempt to control what comes in, as opposed to just letting any old site download any old content and who gives a damn what gets pulled in.
  • Why can't I manage saved passwords?
  • Why can't I view/delete individual cookies?
  • Why isn't the scripting/flash/add-ons permissions available on a per-site basis?
  • Why can't I block cross-site fetches until authorised?
  • Why can't I tell an application what it can access, rather than it tell me?

It looks like Android, as a whole, has a way to go before it matures to the point of addressing user privacy and security. But, then, one could say these are concepts that Google doesn't entirely understand. ☺

 

A couple of side notes

I have missed a few calls from mom. I have a suspicion that there is an "issue" with my phone that it is not able to work as a phone when there is ongoing (EDGE) data transfer. I will need to experiment more to arrive at a proof, however it does make you wonder if this thing is capable of acting as a phone while I'm browsing the web. I know EDGE is disabled when actually in a call, but given its primary purpose is to be... a phone... you would have thought that notification of incoming call would kill the data transfer and ring the phone...

There is an odd behaviour with the phone when calling another mobile. I can hear an echo of myself with artefacts (like a real low bitrate MP3) and, worse, when I am speaking the other side of the conversation is muted! God help you if you plan on having an argument on a three-way call to mobiles!
This bizarre behaviour does not occur when calling a landline, and the different voice profiles don't alter it.

 

When did Wikileaks become crap?

The irony of Assange wailing about leaks regarding his alleged offences is killing me. But then a certain Mr. Assange is a very odd person. I'll tell you what, if I was the guy running Wikileaks, I'd do my job quietly and tell nobody. I guess perhaps he figured that if he goes about it big and bold, it would be way too obvious if a CIA operative took him out one rainy night. Perhaps he is learning that there's more than one way to approach the problem and all he did was paint himself with a bullseye of a different colour.

And what's with that pose on the main page? He looks like a Bad Guy from an Austin Powers film. With his other hand he is stroking a white cat, and that expression is because he is waiting for a reply to stating "I ransom the world for one thousand dollars"...

Wikileaks banner
...actually it is Mr. Assange we're talking about. With his other hand he is... uh, you know what? Let's not go there...

Anyway. The core concept of Wikileaks is a good one. I don't know what the hell has happened in the last few decades, but we're now being pushed around by an increasingly corrupt, power-happy, paranoid-beyond-description, and - frankly - batshit mad, bunch of so-called governmental sleazebucket assholes [I'm running out of adjectives]. And clueless sheep that we are, we totally fall for the pantomime of security, even as it gets more and more ridiculous.
Yes, terrorism IS a problem, but then it has been for quite a while. Ask anybody in the UK in the '80s if we wept in the corner in abject fear of the IRA. Most people got on with their lives. In other quiet corners, people tried to build a peace between Ireland and the United Kingdom. Well, it's a hell of a lot better than taking over their country, destroying it, and then saying "welcome to the free world".

A weapon, honestly!
But, ask yourself, will invasive scanners and years of "you can't take anything liquid on a plane" really prevent terrorism? Isn't it a bit ridiculous to ban a passenger from taking on a potentially sharp object and then give him a steak knife to eat with? Will the security at Gatwick ever live down the big hoo-ha in order to take down a gun-carrying terrorist..... when the gun was actually a tiny plastic gun carried by a nine inch figurine?
I'm not joking. There's a picture of the "weapon" on the right. The hapless victim had the gun confiscated, and had to pop it into an envelope and post it back to Canada. It arrived a few days later, so one can presume she used airmail. And... you know what? Let's not go here either, for Common Sense has already walked out in disgust...

Does this mean if I go to Japan and fly back with a figurine of Mj. Motoko Kusanagi, all hell will break loose? I would bring back a Tachikoma too - I'd love to see the headlines about some random geek flying back with an armoured tank in his luggage. Surely (Sky News excepted) there is a limit beyond which the only possible response is "what the f....?". Surely we've already crossed this point?

Governments are full of stupid dirty little secrets, such as the assassination of Lady Diana. Sometimes these secrets are in the national interest, for diplomacy is the fine art of getting what you want while letting the opposition think they're getting what they want. And every so often, a bunch of lies and subterfuge help the process along. But it seems increasingly (US military - friendly fire / prisoner abuse as examples; UK - Tony Blair "yes Mr Bush Sir yes Mr Bush Sir yes Mr Bush Sir yes Mr Bush Sir yes Mr Bush Sir yes Mr Bush Sir" as an example) that said secrets are just ways the government has of covering its own ass. The Bush administration took the "national secrets" concept to a new level, slapping it on all sorts of crap that was definitely not a national secret, but needed silencing all the same. And thanks to leaks, we now understand that the American anger directed at that hapless/clueless Scottish hacker could well be more in retaliation for the release of the (alleged) Lockerbie Bomber than any damage the guy looking for aliens might actually have inflicted. It has also (along with the EU data sharing) highlighted a disproportionate balance in such things. In other words, extraditions and data flows down a one way street.

This is a strength of Wikileaks. To make this sort of stuff public. We are still sheep, but little by little we will start to figure out the big picture. [well, I hope... we might have more chance if Cheryl Cole starts reading leaked articles]

So it was a depressing day for me when they published those infamous "cables". Yeah, okay, it would make international relations a little more difficult, but I took the thoughts of the French government and asked some French people. Nobody was surprised. Few were even that interested. It seems more or less like they were only stating the obvious.

Will Wikileaks continue? Perhaps if the core of the organisation get their egotistical leader out of the way, and concentrate on hardcore items rather than megabytes of trivia, it might have a purpose...

There is, coming soon, a "megaleak" of stuff about the banking industry. "megaleak" - Assange's word, not mine. I just hope these leaks are decent, not cack. Because if Wikileaks provides too much cack, it will turn into a Google providing the pointless "bigresource.com" with every query, and it will get sidelined by sites that haven't lost the plot, such as Cryptome.

 

Car hiccups

Getting in the car on Wednesday to go to work, it started erratically, the engine was shaking, something was definitely wrong. But the engine was working so we limped, with next to zero acceleration or power, to our mechanic, the engine fault light glowing brightly.
He wasn't there, so we waited awhile. He arrived, started the car, it was fine. Don't you hate it when it is like that? But he knew something was up because of the warning light.

Saturday morning we were in a larger town at 10am (me with like 3 hours of sleep!) to have the car hooked to a diagnostic unit. This would be a remarkably slow protocol (bit bashing something?) from a plug under the dashboard. Part of the security protocol involved telling the ECU the engine number, and then some other codes. Then it allowed access. There was a dialogue and fault from the injection system, and unknown response from the airbag system, which reported okay on the diagnostic self-test. The injection system reported unknown behaviour in cylinder 3, followed by a bunch of failure codes meaning, basically, cylinder 3 failed. So the engine behaviour was down to having only three of the four cylinders operating, the other acting more or less as a lead weight.

The car being tested

Everything has been okay since then, and it is everybody's impression that there was either condensation in the fuel feed pipe or some sort of obstacle which got itself dislodged and blown out the exhaust pipe. Myself, given the fault "disappeared" when the engine was left after ~10 minutes of running, I'd be inclined to think it was condensation.

 

Locker compromise

On Friday my locker was broken into. Not violently, whoever did this knew my code. And nothing was taken (you can see the KitKat and HiChu still there). Instead a box of face masks, a maintenance-man's overalls, two coat hangers, and an empty cup of coffee were put in. And then the locker was closed.
Crap in my locker

It was a joke. While I have no evidence, I'm pretty sure who was the one responsible. I understand it was intended as a joke, albeit a rather naff one. However I reported it to management, not so much to get the guy in trouble, but because I intended to change my combination and, no, I didn't intend to tell the administration.
You see, three weeks ago, one of the green hats asked for my combination. They said it was necessary in case there was a need to access my locker. Somewhere my combination has been recorded.
Now, this could be completely irrelevant. It might have been the guy saw it and memorised it in a brief moment when I was using the toilet, or something like that. Or, there might be a big list stuck on a wall somewhere giving everybody's name, locker number, and combination. Who knows.
So I changed my code, and didn't tell them the new one. When this sort of compromise happens, the only sensible solution is to slam all the doors - management won't know the code and I will take special care not to leave the padlock in its active combination.

At least the person responsible didn't do anything nasty to <cute_girl> stuck to the inside of my locker door. You know, like pen in a moustache or somesuch nonsense...

Hey, I'm male, what d'you expect?

 

Your comments:


Anon, 1st February 2011, 22:46
Your comment about EDGE is true. There are two network operating modes ("NOM1" and "NOM2", IIRC) which vary (among other things, probably) in whether an active data transfer can be disrupted by an incoming call. 
 
If you are transferring data at the exact moment the network receives a call, then it is redirected to voicemail or the call is refused. In the UK (for example), Orange, T-Mobile and O2 all use this mode. 
 
The other network operating mode allows the network to suspend a data session when a call comes in. Vodafone UK seems to do this.
 
This is not a problem on 3G (where there is simultaneous data and voice anyway) but I guess where you live, 3G coverage is not great.

opal, 6th February 2011, 22:58
Hello Rick, 
About the protocol of the ECU-PC: it is OBDII, CAN or (less probably) K-Line. Judging from the photo this is Citroen after 1998. So this must be OBDII.


© 2011 Rick Murray
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.

 
