Author: Christopher Parsons

Policy wonk. Torontonian. Photographer. Not necessarily in that order.

Categories
Writing

The Painful Process of Updating Android

Android fragmentation is a very real problem; not only does it hinder software developers’ abilities to build and sell apps but, also, raises security issues. In a recent report from Open Signal, we learn that 34.1% of Android users are using the 2.3.3–2.3.7 version of Android, whereas just 37.9% of users using 4.x versions of the operating system, most of whom are themselves using a years-old version of Android. In effect, an incredibly large number of Android users are using very outdated versions of their mobile phone’s operating systems.

It’s easy to blame this versioning problem on the carriers. It’s even easier to blame the issue on the manufacturers. And both parties deserve blame. But perhaps not just for the reasons that they’re (rightly!) often crucified for: I want to suggest that the prevalence of 2.3.x devices in consumers’ hands might have as much to do with consumers not knowing how to update their devices, as it does with updates simply not being provided by carriers and manufacturers in the first place.

Earlier this month I spent some time with ‘normal’ gadget users: my family. One family member had a Samsung Galaxy S2…which was still using version 2.x of the Android operating system. Since February 2013, an operating system update has been available for the phone that would bring it up to Android version 4.1.2, but my family member neither knew or cared that it was available.

They didn’t know about the update because they had received no explicit notice that an update was available, or at least didn’t recall being notified. To be clear, they hadn’t updated the phone even once since purchasing the device about two years ago, and there have been a series of updates to the operating system since purchase time.

The family member also didn’t care about there being an update, because they only used the phone for basic functions (e.g. texting, voice calls, the odd game, social networking). They’re not a gadget monkey and so didn’t know about any of the new functions incorporated into the updated Android operating system. And, while they appreciate some of the new functionality (e.g. Google Now) they wouldn’t have updated the device unless I had been there.

A key reason for having not updated their phone was the absolute non-clarity in how they were supposed to engage in this task: special software had to be downloaded from Samsung to be installed on their computer,[1] and then wouldn’t run because the phone’s battery had possess at least a 50% charge,[2] and then it took about 3 hours because the phone couldn’t be updated to the most recent version of Android in one fell swoop. Oh, and there were a series of times when it wasn’t clear that the phone was even updating because the update notices were so challenging to understand that they could have been written in cipher-text.

Regardless of whether it was Rogers’, Samsung’s, Google’s, or the tooth fairy’s fault, it was incredibly painful to update the Android device. Painful to the point that there’s no reason why most people would know about the update process, and little reason for non-devoted Android users to bother with the hassle of updating if they knew what a pain in the ass it was going to be.

The current state of the Android OS ecosystem is depressing from a security perspective. But in addition to manufacturers and carriers often simply not providing updates, there is a further problem that Android’s OS update mechanisms are incredibly painful to use. Only after the significant security SNAFUs of Windows XP did Microsoft really begin to care about desktop OS security, and Google presently has a decent update mechanism for their own line of Nexus devices. What, exactly, is it going to take for mobile phone manufacturers (e.g. Samsung, HTC) and mobile phone carriers (e.g. Rogers, TELUS) to get their acts together and aggressively start pushing out updates to their subscribers? When are these parties going to ‘get’ that they have a long-term duties and commitments to protect their subscribers and consumers?[3]

  1. In theory there is an over the air update system that should have facilitated a system update in a relatively painless way. Unfortunately, that system didn’t work at all and so Samsung’s software had to be used to receive the updates.  ↩
  2. Really, this made no sense. To update the device it had to be plugged into a computer; why, then, did the phone (which was charging because it was plugged into the computer) need to have a 50%+ charge?  ↩
  3. I actually have a few ideas on this that will, hopefully, start coming to fruition in the coming months, but I’m open to suggestions from the community.  ↩
Categories
Quotations

2013.7.30

The idea that there is no problem with surveillance as long as you have nothing to hide simply points to the complacency of the liberal view of freedom by contrast with the republican one. The liberal thinks that you are free so long as you are not coerced. The republican agrees, of course, that if you are coerced then you are not free. But freedom for the republican consists not in being free from coercion in respect of some action, but rather in being free from the possibility of coercion in respect of it.

Quentin Skinner, “Liberty, Liberalism and Surveillance: a historic overview
Categories
Links

How Stephen Harper is rewriting history

Starting with a $25-million museum overhaul, the Conservatives want to change the way Canadians perceive their past

A good article on the relationship between changing what and how museums present as Canadian history, and contemporary Canadian identity.

Categories
Quotations

2013.7.29

If code doesn’t receive constant love it turns to shit.

Brad Fitzpatrick, Gopher at Google
Categories
Writing

New Zealand Reveals the ‘Five Eyes’ Spying on Each Other

In an interesting bit of news, it seems we can certifiably state that the NSA spied on a New Zealand journalist at the behest of the New Zealand government. The government has apparently classified journalists alongside foreign intelligence services and ‘organizations with extreme ideologies’ (read: terrorists). The government’s defence security staff “viewed investigative journalists as ”hostile“ threats requiring ”counteraction“. The classified security manual lists security threats, including ”certain investigative journalists“ who may attempt to obtain ”politically sensitive information“.”[1]

So, while the information about the surveillance is shocking in its own right, there is also an important tidbit of information that can derived from the US intelligence services’ actions: despite the supposedly sacrosanct prohibition the Five Eyes partners not spy on one another, this prohibition was broken in this instance. Though Canadian experts have previously stated that such surveillance on Five Eyes partners would be an extreme exception, it’s striking that surveillance mechanisms designed to counter the FSB are being brought to bear on investigative journalists. That the NSA and other American intelligence services turned their ‘ears’ towards a journalist at the New Zealand government’s behest suggests that, despite protestations to the contrary, ‘friendly’ intelligence services do ‘help’ one another spy on people and groups that domestic intelligence services are prohibited from monitoring for either legal or technical reasons.

Reasonable people can disagree on how and why intelligence services operate. However, the routine (mis)information that has been put forward by Western agencies concerning governmeing spying has significantly undermined any foundation for a genuine democratic debate to arise around such spying. When the United States’ Director of National Intelligence asserts that he was providing the “least untruthful” answers to elected officials questioning dragnet surveillance, and supposed ‘red lines’ are being crossed in secret to target journalists tasked with providing truthful reporting to citizens, then the ability to support or even reform intelligence practices is undermined: why shouldn’t we, the people, radically and unilaterally curtail surveillance practices if the same services and their administrative officers won’t truthfully disclose even their most basic operational guidelines?

  1. I should note that, following the revelations that the NZ government is monitoring journalists and classed them alongside foreign intelligence sources and extremist organizations, the government has publicly come out against these allegations.  ↩
Categories
Links Writing

Another ‘Victory’ for the Internet of Things

Researchers have found, once again, that sensitive systems have been placed on the Internet without even the most basic of security precautions. The result?

Analyzing a database of a year’s worth of Internet scan results [H.D. Moore]’s assembled known as Critical.io, as well as other data from the 2012 Internet Census, Moore discovered that thousands of devices had no authentication, weak or no encryption, default passwords, or had no automatic “log-off” functionality, leaving them pre-authenticated and ready to access. Although he was careful not to actually tamper with any of the systems he connected to, Moore says he could have in some cases switched off the ability to monitor traffic lights, disabled trucking companies’ gas pumps or faked credentials to get free fuel, sent fake alerts over public safety system alert systems, and changed environmental settings in buildings to burn out equipment or turn off refrigeration, leaving food stores to rot.

Needless to say, Moore’s findings are telling insofar as they reveal that engineers responsible for maintaining our infrastructures are often unable to secure those infrastructures from third-parties. Fortunately, it doesn’t appear that a hostile third-party has significantly taken advantage of poorly-secured and Internet-connected equipment, but it’s really only a matter until someone does attack this infrastructure to advance their own interests, or simply to reap the lulz.

Findings like Moore’s are only going to be more commonly produced as more and more systems are integrated with the Internet as part of the ‘Internet of Things’. It remains to be seen whether vulnerabilities will routinely be promptly resolved, especially with legacy equipment that enjoys significant sunk costs and limited capital for ongoing maintenance. Given the cascading nature of failures in an interconnected and digitized world, failing to secure our infrastructure means that along with natural disasters we may get to ‘enjoy’ cyber disasters that are both harder to positively identify or subsequently remedy when/if appropriately identified.

Categories
Links Writing

The Significance of a ‘Three Hop’ Analysis

Washington’s Blog has an excellent, if somewhat long, post that outlines the significance of the NSA’s ‘three hop’ analysis. It collects and provides some numbers behind basic communications network analyses, and comes to the conclusion that upwards to 2.5 million Americans could be “caught up in dragnet for each suspected terrorist, means that a mere 140 potential terrorists could lead to spying on all Americans. There are tens of thousands of Americans listed as suspected terrorists … including just about anyone who protests anything that the government or big banks do.”

Go read the full post. Some of the numbers are a bit speculative, but on the whole it does a good job showing why ‘three hop’ analyses are so problematic: such analyses disproportionately collect data on American citizens the basis of the most limited forms of suspicion. Such surveillance should be set aside because it constitutes an inappropriate infringement on individuals’ and communities’ reasonable expectations of privacy; it runs counter to how a well ordered and properly functioning democracy should operate in theory and in practice.

Categories
Links Writing

Facebook’s ‘Other’ Folder

David Pogue’s recent post on Facebook’s ‘Other’ folder notes how the company is effectively hiding a significant number of legitimate messages from its users in an attempt to prevent spam and ‘unimportant’ messages from disturbing subscribers. What follows are a few examples of legitimate messages that subscribers missed because they were placed in this folder:

  • “Notification of the death of a friend was hidden in my Other box. I had been very hurt at not being told, and actually missed her funeral.”
  • “I just checked my ‘Other’ folder and found out that I won a free high-end kitchen faucet for a contest I entered last year. Rats.”
  • “Just looked at my ‘Other’ messages and found one about a job opening — in 2011. Think it’s been filled?”
  • “Whoa! There’s tons of important messages in here. Former students of mine were trying to reach out to me. I can’t believe Facebook doesn’t notify you in any way about these.”
  • “Unbelievable! My husband’s wallet was lost and presumed stolen — someone had found it a year ago and sent us a Facebook message, which was hidden until now! Thanks so much.”
  • “Just checked and found a message from someone telling me that they found my lost wallet…a year ago. They really need to redo some thinking on that ‘other’ folder.”

The intent of Facebook’s filtering is noble, insofar as it’s meant to cut down on the cruft and spam that people inevitably get in their email inboxes on a daily basis. I’m sure that the logic is as follows: if we can get people to like using Facebook messages more than email, then we can convince people to rely on our corporate system and wean people off of their traditional email services. Unfortunately, it looks like Facebook’s filtering system suffers from flaws, just as their competitors’ systems do. Worse, and unlike most of their competitors, Facebook subscribers can’t access this folder from their tablets or smartphones without visiting Facebook via the web interface. So, for people that predominantly engage with Facebook using the company’s mobile applications, this folder is effectively invisible. Messages simply vanish into a black hole. This is a very bad thing.

While Facebook’s system makes sense, I suspect that a great many people are as ignorant of the ‘Other’ folder’s existence as the people who wrote to Pogue. This information asymmetry between the developers and users suggests a problem in the UX or UI, insofar as it shouldn’t be a shock that this folder exists. Good UI and UX will prevent subscribers from getting ‘shocked’ about the existence of hidden messages, and will help ensure that the service remains ‘sticky’ for its user base.

Network effects can stymie subscriber churn but they can’t stop it entirely. If Facebook undermines professional or personal networks because of how it handles suspected ‘unimportant’ messages, then the network effect that Facebook currently enjoys could be weakened and expose a part of Facebook’s flank to companies that are more attuned to people’s communicative interests and desires. It will be curious to see how/whether Facebook incorporates the information that arose from Pogue’s columns, and if they actually modify users’ interfaces such that the ‘Other’ folder is more prominently displayed. At the very least, something should change in the mobile applications so users can at least theoretically access all of those ‘unimportant’ messages.

Categories
Aside

WiFi “Security”

This really isn’t the warning you want to get when signing into a wifi-portal.

Categories
Aside Links

AT&T’s Anti-Infringement Patent

AT&T’s recent patent to detect and act on network-based copyright infringement raises significant red flags for network neutrality advocates. However, we need to look beyond the most obvious (and nefarious!) red flags: when examining corporate surveillance prospects we need to reflect on the full range of reasons behind the practice. Only in taking this broader, and often more nuanced, view are we likely to come closer to the truth of what is actually going on, and why. And, if we don’t get closer to the specific truth of the situation, at least we can better understand the battleground and likely terms of the conflict.