Android Phones the next security threat?

Take it as an axiom that older software is less secure.  It’s not always true, but if the code wasn’t mature at the time of its release (meaning it hadn’t been fielded for years upon years), it’s certain to be true.  In an article in PC Magazine, Sara Yin finds that only 0.4% of Android users have up-to-date software, as compared to the iPhone, where 90% of users have their phones up to date.

This represents a serious threat to cybersecurity, and it should have been a lesson that was already learned.  Friend and researcher Stefan Frei has already examined in great detail update rates for browsers, a primary vessel for attacks.  The irony here is that the winning model he exposed was that of Google’s Chrome.

What then was the failure with Android?  According to the PC Magazine article, the logic lies with who is responsible for updating software.  Apple takes sole responsibility for the iPhone’s software.  There are a few parameters that the service provider can set, but other than that they’re hands off.  Google, however, provides the software to mobile providers, and it is those mobile providers who must then update the phone.  Guess which model is more secure?  Having SPs in the loop makes the Internet more insecure.  Google needs to reconsider their distribution model.

House Republicans Read the Constitution

That’s right.  On day 2 of their rule in the House, the AP reports that House Republicans will read the U.S. Constitution.  Better late than never, I suppose.  Of course I would like a reading comprehension test to follow.  Let’s hope that they don’t read the Constitution off an iPod/iPhone app.  When President Obama did his recess appointments last week, I wanted to review Article II (Powers of the President), and it was at that point I thought I should carry a pocket version.  I’ll leave out the names of the guilty, but one free version had truncated each of the articles, and another free version omitted Article II entirely.  That’s probably the version Congress would enjoy.  Fortunately the National Constitution Center in Philadelphia has done a very nice job on theirs.  Funnily enough, however, the Constitution is not accessible from their home page.  Here’s a link to Cornell that I like.

How to get a Time Capsule to actually work in IPv6 without wireless

I have an unusual home configuration, in that I have a routed network.  If you don’t know what this means, stop reading now as you are wasting your time.  While the Apple Time Capsule advertises IPv6 capability, getting it working is rather difficult.  To start with, if you do not use the wireless capability of the device, the controls are really non-obvious.  For another, the Time Capsule appears to ignore the default route capability in routing advertisements.  Hence a manual configuration is required:

[Screenshot: Time Capsule Configuration]

In the configuration screen, one must select “Router” as the IPv6 mode and not “Host” as one might logically expect.  Then, because RAs are not being handled properly, one must manually enter the default route (the long way).

Finally, because you are supposed to be routing, you need to enter some address for the “LAN” side.  My prefix is 2001:8a8:1006::/48.  Note I’ve dedicated a bogus network ::8/64 to the effort.  All of this allows me to do what should have happened automatically; not your typical Apple Plug-N-Play style, is it?  For a company that claims to be IPv6 Ready, I’d say Apple still has a ways to go.  Sadly, they’re better than most.

iPhone: Good or Bad for the Industry?

Before Apple released the iPhone, it irked me that cell phone technology advanced at an incredibly slow pace, the user interfaces were crap, and the deal between cell phone providers and service providers seemed to completely leave the consumer out of the value chain.

Apple changed all of that by going “over the top”, picking a winner in each market, but limiting what deal those winners would get.  That was great, and really stuck it to SPs (who got rich anyway).  They’re trying to do the same thing with the iPad, but in the meantime Apple has changed the accepted development model for businesses.

It used to be that you needed rich web connectivity, and that was good enough.  Now you have to have an Apple app in order to reach all of those customers who love their iPhones.  Good examples of this include Facebook, Airlines, and even that dinosaur who is responsible for Formula 1 promotion, Bernie Ecclestone.  Yes, even F1 has an app.

Here’s the problem: many of the apps are nothing more than shells for garbage that companies want to shovel at you, and they don’t want others using their data.  A perfect example is American Express, which requires an app in order to view flight reservations.  THERE ALREADY ARE MANY SUCH APPS.  One of them is your calendar program.  One thing you might want to do is download reservation information into your calendar.  But American Express’s travel web site GetThere.Com won’t let you do it.  You have to download their app.

And GetThere is getting sneakier, as they no longer send many corporate travelers a full reservation in email, but instead simply send a pointer to their web page.  Why are they doing this?  Because they don’t want others like TripIt to capitalize on “their” (really your) information.

And so there seems to be no incentive for these bad players to be good players in an iPhone world, in spite of the fact that there are perfectly capable standards and programs and libraries to deal with much of the stuff that’s being exchanged.  What can be done to change that?

iPhone Rollout Redux?

Well, July 11th, iPhone Day, came and went.  The Believers waited and most got their phones, but even I could not have predicted the farcical mess that then ensued.  Apple was unable to handle the registration of some 1 million phones in the period of a weekend, while their provisioning infrastructure ground to a halt.  This is the added kick in the pants Believers must really enjoy.

While we wait for news to leak out of Apple as to what actually happened, let me speculate just a bit.  Let us assume the following statements are true:

  1. Apple did in fact test their provisioning capability prior to rollout.
  2. That of the three days the million phones were sold, most were sold and activated in the first twenty-four hours.  In particular, let’s assume a 70%/20%/10% distribution.  I don’t actually know the real one, but we have reason to believe that the load was top heavy on Friday, as problems dissipated later in the weekend.
  3. There were an average of two transactions per registration.  That is, one to provision the phone with services, one to create MobileMe or whatever additional functionality that Apple offers.  Normally we’d include a third for creation of an iTunes account, but since we’re talking about Believers they already have their account.

700,000 sales times 2 transactions over 24 hours would be about 16 transactions per second.  That’s really not that many transactions, considering that benchmarking systems measure that number in the hundreds and thousands.  This makes one wonder: what if we introduced latency into a transaction?  Latency can occur for many reasons, but the biggest one would be some sort of wide area communication.  For instance, an 80 millisecond round trip time would mean that one might not be able to process any more than about 12.5 transactions per second.  Now add a second round trip and you cut the transaction rate in half.

As to Apple’s testing, if they tested their provisioning system either on a local area network or on a network that had lower latency than the time needed to complete the day’s transactions, they wouldn’t have caught the problem.  This is actually a classic concern that most database vendors fully understand, and it is often the reason to use stored procedures.
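The speculation above can be carried through all three days as a small capacity model. This is an added example, not part of the original post and not anything Apple has published; it goes slightly beyond the post by carrying the backlog from day to day. The single serialized worker, the even spread of arrivals within each day, and the 0.5 ms LAN round trip are assumptions made for the illustration.

```python
# Added example: capacity model for a strictly serialized provisioning pipeline.
# Assumptions (not from Apple): one worker, arrivals spread evenly over each day,
# and every transaction blocks for its full wide-area round trips.
SECONDS_PER_DAY = 24 * 60 * 60


def serial_capacity_tps(rtt_ms, round_trips, workers=1):
    """Transactions/second when each one waits round_trips * rtt_ms."""
    return workers * 1000 / (rtt_ms * round_trips)


def weekend_demand(phones=1_000_000, split_pct=(70, 20, 10), tx_per_phone=2):
    """Transactions per day for the post's 70%/20%/10% sales distribution."""
    return [phones * pct // 100 * tx_per_phone for pct in split_pct]


def backlog_by_day(daily_transactions, capacity_tps):
    """Unprocessed transactions at the end of each day, carried forward."""
    backlog, history = 0.0, []
    for demand in daily_transactions:
        backlog = max(0.0, backlog + demand - capacity_tps * SECONDS_PER_DAY)
        history.append(round(backlog))
    return history


def compare_scenarios():
    """Backlog per day for a LAN test bed versus wide-area production."""
    demand = weekend_demand()
    scenarios = {
        "LAN test, 0.5 ms RTT, 2 round trips": (0.5, 2),  # assumed test bed
        "WAN, 80 ms RTT, 1 round trip": (80, 1),  # e.g. one stored-procedure call
        "WAN, 80 ms RTT, 2 round trips": (80, 2),
    }
    return {
        name: backlog_by_day(demand, serial_capacity_tps(rtt, trips))
        for name, (rtt, trips) in scenarios.items()
    }


if __name__ == "__main__":
    print(f"offered load day 1: {weekend_demand()[0] / SECONDS_PER_DAY:.1f} tps")
    for name, backlog in compare_scenarios().items():
        print(f"{name:38s} backlog per day: {backlog}")
```

Under these assumptions the LAN test never queues, the single-round-trip WAN case falls behind on the first day and recovers on the second, and the two-round-trip WAN case is still behind when the weekend ends.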

Anyway, that’s my guess.