Linked by David Adams on Sun 9th Nov 2008 16:50 UTC, submitted by Hakime
Bugs & Viruses

There's a bug in Android that crosses over from the realm of serious into self-parody: "It turns out the bug in Android I wrote about yesterday was worse than we thought. When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application would be silently and invisibly interpreted as a command and executed with superuser privileges. Wow!"
Thread beginning with comment 336776
casuto Member since:
2007-02-27

This is the evidence that Linux security sucks: in fact, the G1 is Linux-based.

Edited 2008-11-10 07:42 UTC

Score: -4

setec_astronomy Member since:
2007-11-17

No. This is evidence that Linux-based OSes in particular (and *nix systems in general) enable a myriad of different ways to shoot yourself marvelously in the foot, especially if you are sloppy with your quality control process, which is the most likely cause for this blunder of epic dimensions.

You would have a point if this setup were somehow recommended by some kind of semi-official documentation, or if it were common practice, or ... . But since this is not the case (and since similar configurations would without a doubt be possible with other *nix systems too), I can't agree to blame a certain family of operating systems for the stupidity of the packagers of this phone.

Score: 2

Jokel Member since:
2006-06-01

Nope - it is proof the developers were more than a bit stupid. The Linux kernel you are referring to does not have this bug. It is the software added to it and the stupid use of user rights.

Don't forget this software was not developed by an open source process, but "out-of-sight" of the OS community. In other words - it was closed source until the source was published.

Only AFTER the source was published was the bug discovered. This bug probably would not have been discovered in the short term if the software was closed source. In other words - closed source would have prevented the discovery of this bug, leaving the phones unsafe until someone stumbled upon it by accident. And that's the best scenario. If that someone would keep it silent and use it, it would be a different matter.

And that's the problem with closed source. There could be (and most probably are) a lot of bugs in closed software the "normal" user does not know about. If they are discovered by people with bad intentions, the "normal" user is in danger without even knowing about it. There is no way he could know it. That makes closed source in fact more dangerous to use than open source.

I do not believe in "security by obscurity", and this is a perfect example. If the source had not been opened this bug could be in the software forever, known only by a few guys with bad intentions. I must admit the bug is not that disastrous (only people with direct access could do something with it), but how many phones with closed software have a similar or worse bug? This last question cannot be answered, because nobody (except maybe a few "shady" people - and the developers) knows about it.

Score: 3