
845 points the-anarchist | 4 comments
userbinator No.44334486
> making it nearly impossible for regular users to uninstall it without root access, which voids warranties and poses security risks

Stop parroting the corporate propaganda that put us into this stupid situation in the first place. Having root access on devices you own should be a fundamental right, as otherwise it's not ownership.

replies(12): >>44334515 #>>44334549 #>>44334577 #>>44334616 #>>44334661 #>>44334912 #>>44335283 #>>44335463 #>>44335597 #>>44336211 #>>44336257 #>>44336433 #
perching_aix No.44334515
Didn't we backslide hard enough at this point that it is now architecturally ensured that there is a security downside to rooting? Prevents verified boot for example, since the attestation is tied to said corporations, and not you.
replies(3): >>44335600 #>>44335942 #>>44336193 #
franga2000 No.44335942
Not having verified boot is not a security downside for most people. Unless your threat model includes the evil maid attack, which it doesn't for the vaaaaaast majority of people, verified boot is just another DRM anti-feature.
replies(1): >>44336067 #
ignoramous No.44336067
Verified Boot isn't merely to thwart Evil Maids, but by and large provide what's known as "Trusted Computing Base". And yes, given the proliferation of smartphones and the nature of sensitive applications built on top, most people, even if they don't realise it, need it.
replies(1): >>44336233 #
1. userbinator No.44336233
> but by and large provide what's known as "Trusted Computing Base".

In other words, DRM.

https://en.wikipedia.org/wiki/Trusted_Computing#Criticism

(I knew from the beginning that this was known as the Palladium project, and until recently, a search for "Palladium TCG" would find plenty of information about that history, yet now references to that group and its origins in DRM have seemingly disappeared from Google. Make of that what you will...)

replies(2): >>44336609 #>>44337135 #
2. cam_l No.44336609
Are you saying that someone is using Yu-Gi-Oh trading cards to cover up incriminating historical details of Microsoft's long term plan to purge general purpose computing from the world?

https://www.tcgplayer.com/product/593140/yugioh-quarter-cent...

Bizarre, I did find it on Bing though...

https://www.cl.cam.ac.uk/archive/rja14/tcpa-faq-1.0.html

3. perching_aix No.44337135
This should not be a surprise. Mechanistically enforced trust (like in trusted computing), and even better, mechanistically assured trust (like in verifiable computing), will be relied upon by anyone seeking trust. This means both consumers and producers, and anyone else in-between.

If I want my device to be secure, I want this trust. If I want to sell a copy of my virtual asset to only be used in ways I approve of, I want this trust. You can't have only one of these at the same time, either your device can provide this trust or it cannot. That's not the battle in my view. The battle is to implement this appropriately, such that e.g. if we're representing access control, identity, and ownership, then that representation should match reality. So if I'm said to own a device, the device can and will attest so, and behave accordingly. It's just that instead of that, I'm always somehow just being loaned these things, only have some specified amount of control over these things, and am just a temporary user somehow. That's the issue. And that these systems are not reimplementable, and as such entitlements do not carry around.

replies(1): >>44350402 #
4. fc417fc802 No.44350402
> If I want my device to be secure, I want this trust.

Device security and mediated trust between mutually distrustful entities are separate things.

> If I want to sell a copy of my virtual asset to only be used in ways I approve of, I want this trust.

I don't want you to be able to do that. At least not with general purpose computing devices (i.e. my phone). Maybe for something like a game console or set top box, but that doesn't seem to be what's being discussed here.

> either your device can provide this trust or it cannot

It is entirely possible for device firmware to do nothing more than verify that the bootloader was signed with a particular user configurable key.
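The firmware fc417fc802 describes in that last line, sketched as an added example (not code from this thread or from any real device): a trust root that holds nothing but a list of enrolled public keys and refuses to boot a bootloader not signed by one of them. It is Go using the standard crypto/ed25519 package; the Firmware type, its methods and the assumption that Enroll is gated by physical presence are illustrative, not a description of any shipping implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Firmware models the minimal trust root described above: it holds a list of
// enrolled public keys and refuses to boot anything not signed by one of them.
type Firmware struct {
	enrolled []ed25519.PublicKey
}

// Enroll adds an owner-chosen key. On a real device this step would be gated
// by physical presence (assumed here, not modelled).
func (f *Firmware) Enroll(pk ed25519.PublicKey) {
	f.enrolled = append(f.enrolled, pk)
}

// VerifyBootloader returns nil only if sig is a valid signature over image by
// some enrolled key; otherwise it returns the reason the boot is refused.
func (f *Firmware) VerifyBootloader(image, sig []byte) error {
	for _, pk := range f.enrolled {
		if ed25519.Verify(pk, image, sig) {
			return nil
		}
	}
	return errors.New("bootloader not signed by an enrolled key; refusing to boot")
}

// OwnerKeyScenario walks through the three cases that matter for the argument:
// an owner-built bootloader before the owner key is enrolled (rejected),
// after enrolment (accepted), and a tampered image under the same key (rejected).
func OwnerKeyScenario() (beforeEnroll, afterEnroll, tampered error) {
	vendorPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fw := &Firmware{enrolled: []ed25519.PublicKey{vendorPub}} // as shipped: vendor key only
	image := []byte("constructed sample bootloader image v1") // constructed input
	sig := ed25519.Sign(ownerPriv, image)
	beforeEnroll = fw.VerifyBootloader(image, sig)
	fw.Enroll(ownerPub)
	afterEnroll = fw.VerifyBootloader(image, sig)
	modified := append([]byte{}, image...)
	modified[len(modified)-1] = '2' // one byte changed after signing
	tampered = fw.VerifyBootloader(modified, sig)
	return beforeEnroll, afterEnroll, tampered
}
```

Verification of the owner's image fails with only the vendor key enrolled, succeeds once the owner key is added, and fails again for the tampered image, so "verified boot" and "owner-controlled keys" are not in conflict in this model.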