PCWorld Forums

Why Android App Security Is Better Than For The Iphone

#41 crosswordbob

Posted 09 August 2010 - 12:58 AM

wakajawaka, on 08 August 2010 - 03:49 PM, said:

crosswordbob said:

"Carry the hypothesis further, and you might get open source being fiddled with by people who don't necessarily understand the code written by others"

Dude, I'm pretty sure that Google distributed Android and that they also distribute the updates so... I don't know where you are going with this.


But they also distribute code that they did not write. And they may have distributed code that is based on code that they did not write, and may have broken some assumptions in the original. This is what happened to Debian; my point is that however unlikely, it could happen in any similar system.

wakajawaka said:

"In other words, your argument is speculation dressed up as fact. Again. It may be right, but it is not self-evidently so."

A) It's not MY argument, it's Eric Raymond's and it is called "Linus' Law," though I happen to understand and agree with it. It was mentioned in the article and I was explaining it to somebody who didn't understand the context and was attempting to compare it to software that wasn't even open source.

B) You seem to enjoy accusing people of speculating, and then speculating yourself that they may or may not be correct without coming to any conclusions. I'm starting to think that you just enjoy rambling out senseless accusations with weak talking points and getting nowhere. It seems to be the theme of your comments.


Nope - just you, because 1) You are particularly prone to it, 2) You're so funny when you try to flounder a response without even understanding what you're being accused of and 3) You're so consistently obnoxious towards those with whom you disagree that it pleases me to help you make an idiot of yourself. As you consistently then manage. And you still fail to recognize that "may or may not" is not speculation; it is definitively true. It would only be speculation if I chose one or the other.

wakajawaka said:

"Linus' Law, according to Eric S. Raymond, states that "given enough eyeballs, all bugs are shallow." More formally: "Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone." The rule was formulated and named by Eric S. Raymond in his essay "The Cathedral and the Bazaar". Presenting the code to multiple developers with the purpose of reaching the consensus about its acceptance is a simple form of the software reviewing. Researchers and practitioners have repeatedly shown the effectiveness of reviewing process in finding bugs and security issues, and also that reviews may be more efficient than testing."

"Open source opponents criticize this law, assuming that the developer base may not be big enough for it to work efficiently or simply declaring that they do not personally believe the law is true."

Read that a few times and if you still feel like arguing, go tell it to Eric Raymond or Linus Torvalds or somebody else who couldn't care less about your opinions than I could.


I do not criticize the hypothesis; I criticize the statement that when applied to large-scale open source it necessarily leads to more secure code. It has not been proved such, though it does have a reasonable probability of correctness.

wakajawaka said:

I like the part that says "Researchers and practitioners have repeatedly shown the effectiveness of reviewing process in finding bugs and security issues..." When you state your "conjecture as to how your model may be insufficient without doing the science to back it up..." my answer is that the "science" has been done to back it up. Wikipedia isn't the only place that will explain this to you if you do a little research.

BTW: Starting a sentence with "Carry the hypothesis further, and you might get," is a great way to begin a speculative argument. If you want me to speculate about something this time, I will make a reasonable conjecture that you have a sad addiction to making foolishly hypocritical accusations on the internet either because you enjoy trolling comments or because you are actually a fool.


Well done - you are correct that my extended hypothesis is indeed speculation. You fail somewhat in that you clearly didn't read the bit where I said: "This extended hypothesis is no more, but equally no less, valid than the one you presented; I state it just as an example of a reasonable conjecture as to how your model may be insufficient without doing the science to back it up." Or to put it another way, it is a speculative argument. Nothing wrong with them, so long as they are qualified as such. As I do, and you don't.

The model has been shown to be successful in a number of cases. It has not been scientifically tested sufficiently to show that it is successful in all cases. The example I quoted about Debian cryptographic keys demonstrates that for nearly two years a vast number of Linux servers were running with a security hole bigger than possibly any ever found. All cryptographic keys generated with Debian-specific OpenSSL libraries were predictable, and that included Ubuntu as well as Debian. Perhaps you don't know enough about security to know what a train-wreck that could have been had it not been found by a benevolent person.

Anyway; this grows wearisome, so let me put you out of your misery and explain some debating basics. Imagine you toss a coin. Then (neglecting pathological cases where the coin fails to land), the following 3 (6) statements are definitively TRUE:

  • The coin might (might not) land heads up
  • The coin might (might not) land tails up
  • The coin might (might not) land on its edge


The following are SPECULATION correctly stated as speculation:

  • I believe the coin will (will not) land heads up
  • I believe the coin will (will not) land tails up
  • I believe the coin will (will not) land on its edge


The following are PROBABILISTIC STATEMENTS:

  • The coin will probably (probably not) land heads up
  • The coin will probably (probably not) land tails up
  • The coin will probably (probably not) land on its edge


The first 2 (4) are weak - it's roughly 50/50. The statement that the coin probably will not land on its edge is valid, as it is more probable than that it will, yet allows room for the small but non-zero probability that it will.

The following are speculation stated as fact:

  • The coin will (will not) land heads up
  • The coin will (will not) land tails up
  • The coin will (will not) land on its edge


These last are invalid. Note that the statement "The coin will not land on its edge" is highly likely to be true, but as a statement of fact it is still invalid. This is what you have been doing.

Stating that open source is more secure because of extended review is incorrect; stating that extended review gives it a greater likelihood of being secure is valid, in that it allows for those cases where the review fails to spot critical vulnerabilities, such as the one I described above.

This post has been edited by crosswordbob: 09 August 2010 - 01:39 AM

If I dispute one single point in a post, that should not be taken as an indication that I agree/disagree with any other point made by that poster or anyone else in the thread. Or anywhere else. Ever.

#42 HemDroid

Posted 09 August 2010 - 02:26 PM

I knew what this article was going to say before clicking on it.. because you have to give the app permission.. DUHHHHHHH...

"but why do i have to give this wallpaper app access to my phone logs? meh.. who cares, its FREE!" says 99% of all android users (like my grandma)

From day one on my HTC hero.. these screens were scary.. hmm.. fart app would like permission to access every nook of my device.. wait..

It turned out that almost every app out there wanted full access.. so if you want to check out the Android app store, you soon learn that you must give away any hope of genuine security and become immune to the warning screen.

#43 tevroc

Posted 21 September 2010 - 11:31 AM

Apple's iOS will go the way of Windows for a couple of reasons. One being that everybody seems to have an iPhone these days and now lots of banking apps are surfacing so there is great incentive for an identity thief to spend time trying to find an exploit. They're probably going to do it before Apple realizes their weakness and then Apple will have to rush to produce a patch only to see hackers circumvent the patch and then another patch and so on. Of course this isn't going to happen tomorrow, but over time I think this is the way things will go.

#44 Elioneeye

Posted 21 September 2010 - 12:55 PM

Working in the security and the computer industry for 25 years, let me put my 2 cents in. There seems to be a lot of propaganda in these comments. First, every OS has vulnerabilities and many many applications. If the end user wishes to jailbreak or root a device, they get what they deserve. Nothing is free in this world. In my eyes, today the Android is better, technically. Tomorrow, the iPhone, who knows. I do like the market/app store better for the Android. The sandboxing of the applications appeals to me a great deal. As for me, my privacy and security are a concern. Additionally, money… which both Google and Apple are striving for. Thanks for the article and thanks for everyone's comments.

#45 MdMathiasi5cq

  Posted 30 March 2011 - 08:07 AM

"Whereas Android puts the user in control of evaluating an application's requirements before it installs"
I think you forgot about the time that Google not only removed applications from the Android store, but forcibly deleted them from people's phones.

#46 Developer

Posted 08 August 2012 - 01:16 PM

travisgamedev, on 06 August 2010 - 12:36 PM, said:

The jailbreakme site as it turned out, didn't do anything to iPhone users


Correct. But the article didn't say it did either. It pointed out that the exploit that jailbreak.me site used could have been used by actual malicious users elsewhere.

Quote

Also, Linux has no better security than UNIX which is what the iOS devices run on so they have the same root security level as they are security-wise practically the same. This article seems to have a lot of correct information about Android devices and incorrect about iOS devices. Very one-sided.


I'm a developer of both platforms. I didn't find any inaccuracies, but since I haven't developed for iOS in about 2 years, my knowledge there is rusty, so forgive me if my knowledge on that platform is out of date. If you could, and I mean this with all sincerity, update me on what I missed, because it's important to know. But, there's one thing I am sure of, and that is that Android apps request permission from the user at install and iOS apps do not. So, that is definitely different security. I know they have a lot of similarities, but they have plenty of differences too.

#47 Developer

Posted 08 August 2012 - 01:25 PM

Jailbreaker101, on 06 August 2010 - 12:44 PM, said:

You can't compare how much more "protected" a regular Android handset is compared to a JB iPhone


I reread the article after reading what you just said. I think you misread the article. It's not comparing standard Android security to jailbroken iOS security. It's comparing out of the box security on both platforms (not jailbroken).

Quote

Also, you're arguing that the more "eyeballs" that watch over a phone, the more the security. Jailbreaking allows the same thing for iphone users.


I think you might have misunderstood. The "eyeballs" the article refers to are the eyeballs looking at the source code of the operating system. Since Apple doesn't release their source code, there are many fewer eyeballs on their source code. But, Microsoft loudly argues that that is a security advantage (to not publish source code), so the argument for open source and security could go either way. But, either way, the article is claiming that open source allows more eyes to scrutinize the security code to validate it.

Quote

The security flaw that allows Jailbreakme isn't the problem, the flaw is. Comparing them as if Jailbreakme itself was a virus is where most people are getting misinformed.


The article didn't say that jailbreak.me was a problem. It pointed out that the fact that something like jailbreak.me was able to work is proof that there was a flaw in iOS's security (just as you said). I believe Apple patched that up quickly though.

Quote

With a name like Jailbreaker101, I'm probably going to get flamed for a fanboy/troll. But just saying...


Not from me. That's an awesome name!

#48 eexft

  Posted 22 November 2012 - 07:26 AM

I wouldn't normally comment on something 2 years later, but I think I should respond supporting the author of the article in a case where it looks like she got it right, with a bunch of idiots responding.

travisgamedev was the first, and provided possibly the most idiotic of responses, and the one I'll use to illustrate my point:

"The jailbreakme site as it turned out, didn't do anything to iPhone users either except those who went there for the sole purpose of jailbreaking their devices so the typical iPhone customer was never affected."

This idiot completely misses the point. If one site can modify your device to the extent of jailbreaking it, then chances are that so can another.

"Also, Linux has no better security than UNIX which is what the iOS devices run on so they have the same root security level as they are security-wise practically the same."

About the only potentially correct thing here the idiot said, was that Linux has no better security than UNIX, and even that is open to discussion.

iOS is not based on UNIX; it is based on Darwin, which in turn is based on NeXTStep and FreeBSD.

Furthermore, this comparison is between Android and iOS, and not between Unix and Linux. Android assigns a unique user id to each application, and assigns each user id certain permissions, which are supported in the underlying unix-LIKE operating system. iOS does not do this, so they are therefore not "practically the same".

"This article seems to have a lot of correct information about Android devices and incorrect about iOS devices."

For example? I couldn't find any.

"Very one-sided."

So? You hardly expect an unbiased article about why one platform is better than another.