Linked by Thom Holwerda on Fri 11th May 2018 22:47 UTC
Android

Updates are easily the biggest problem facing the Android ecosystem, and Google is working hard to fix that. Project Treble has proven that it's capable of making updates easier, and now Google is stepping up requirements for OEMs when it comes to security patches.

Every little step in this department is a welcome one. It's not yet clear what, exactly, the requirements entail, but hopefully, it's a strict and hard requirement to publish every monthly security update.

Thread beginning with comment 656567
RE[4]: Finally!
by Troels on Sat 12th May 2018 21:58 UTC in reply to "RE[3]: Finally!"
Troels Member since:
2005-07-11

The real thing is that the number of people who care about updates is highly overestimated by the geek community.

I have said it many times before, but the OS updates are too frequent, there is hardly anything in them that anyone cares about. Same with many other pieces of software, update notifications and list of what (nothing) is new is the new cookie warning annoyance.

Reply Parent Score: 3

RE[5]: Finally!
by oiaohm on Sat 12th May 2018 23:06 in reply to "RE[4]: Finally!"
oiaohm Member since:
2009-05-30

The real thing is that the number of people who care about updates is highly overestimated by the geek community.

I have said it many times before, but the OS updates are too frequent, there is hardly anything in them that anyone cares about. Same with many other pieces of software, update notifications and list of what (nothing) is new is the new cookie warning annoyance.


You have the wrong point of view. People don't care about security until they have the device breached and their bank account emptied.

Updates are important. Now if you want to drop the frequency of needed updates you have to drop the bug count. Dropping the bug count means improving quality control procedures.

Of course, just like general users don't show that much interest in updates until after they are burnt, general users don't demand that software makers use the best quality control processes possible either. I guess the reason is they don't want to pay 4 to 5 times the current price for computer stuff.

Reply Parent Score: 2

RE[6]: Finally!
by Alfman on Sun 13th May 2018 06:56 in reply to "RE[5]: Finally!"
Alfman Member since:
2011-01-28

oiaohm,

You have the wrong point of view. People don't care about security until they have the device breached and their bank account emptied.

Updates are important. Now if you want to drop the frequency of needed updates you have to drop the bug count. Dropping the bug count means improving quality control procedures.


Those are excellent points. Users do care about after sale support and breaches once problems arise, but they often overlook lousy support options at the time of sale. I would think that if they could know ahead of time the specific problems they would face, then it would obviously become factored into their buying decisions, but alas the future can come as a surprise.

Reply Parent Score: 3

RE[6]: Finally!
by Troels on Sun 13th May 2018 07:54 in reply to "RE[5]: Finally!"
Troels Member since:
2005-07-11

Yes, security updates should be released when needed. I am talking about feature updates. It would be much easier for everyone to handle if Google only released every 3rd Android version and instead only released security and bug fixes and app updates in between.

Reply Parent Score: 2

RE[6]: Finally!
by Yoko_T on Sun 13th May 2018 15:37 in reply to "RE[5]: Finally!"
Yoko_T Member since:
2011-08-18

"The real thing is that the number of people who care about updates is highly overestimated by the geek community.

I have said it many times before, but the OS updates are too frequent, there is hardly anything in them that anyone cares about. Same with many other pieces of software, update notifications and list of what (nothing) is new is the new cookie warning annoyance.


You have the wrong point of view. People don't care about security until they have the device breached and their bank account emptied.

Updates are important. Now if you want to drop the frequency of needed updates you have to drop the bug count. Dropping the bug count means improving quality control procedures.

Of course, just like general users don't show that much interest in updates until after they are burnt, general users don't demand that software makers use the best quality control processes possible either. I guess the reason is they don't want to pay 4 to 5 times the current price for computer stuff."

You are totally clueless. The threats aren't from lack of "security" or "updates" for the phones or other devices, but the online sites that handle credit card information and other places like Facebook.

Edited 2018-05-13 15:48 UTC

Reply Parent Score: 0

RE[5]: Finally!
by ahferroin7 on Mon 14th May 2018 11:34 in reply to "RE[4]: Finally!"
ahferroin7 Member since:
2015-10-30

I think a better statement is that people don't care about security proactively, only reactively. Anybody who's worked for any extended period of time in the IT industry can tell you that about 90% of users don't care about security until after they've been hacked, and a significant percentage still don't care once that's happened and they've patched that specific hole.

Reply Parent Score: 3

RE[6]: Finally!
by Alfman on Mon 14th May 2018 14:57 in reply to "RE[5]: Finally!"
Alfman Member since:
2011-01-28

ahferroin7,

I think a better statement is that people don't care about security proactively, only reactively. Anybody who's worked for any extended period of time in the IT industry can tell you that about 90% of users don't care about security until after they've been hacked, and a significant percentage still don't care once that's happened and they've patched that specific hole.



Totally agree! However, I'm really ashamed to say it's not just "users". While customers would probably prefer for businesses to pay routine costs for security reviews, the reality is many businesses neglect security until after an attack. I've encountered project managers who simply don't want to allocate resources to address security issues or train employees to spot vulnerabilities.

Good security requires a long-term commitment with ongoing costs to pay experts to break your product/service. It sounds funny, but if a company hasn't paid a professional to do this, then it's likely they have hidden vulnerabilities that nobody (except for outside hackers) has an incentive to find. Some clients are upset when we identify vulnerabilities that cost them money to fix, never mind that in the event of an attack it could cost them a lot more!

Edited 2018-05-14 14:59 UTC

Reply Parent Score: 3