Google confirms Android attacks; no fix for most Samsung users

No fix yet for Samsung. Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.

I hoped with a move to Fuschia, Google would attempt to fix this, but unfortunately Fuschia on mobile is dead.

> Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.

Being reliant on a single OS permanently nailed to the hardware is no less crazier. I'd like to be able to install another OS on a vulnerable device, it would help tremendously and not only with the security of that specific device.

Now I've got some expensive paperweights that I can't even use as such because every time I see them I have the urge to throw them in the trash can.

Provide a way to unlock the phones and a standard BSP, it should be the law.

It’s “Fuchsia” with a “chs” not a “sch”. Where do you get your information that it’s dead?

As Randall Munroe pointed out in https://blog.xkcd.com/2010/05/03/color-survey-results/, almost nobody knows how to spell "fuchsia" correctly. I only remember it by the mnemonic of it's fuck, but with an s.

I vote to just change the spelling to what almost everyone already thinks it is anyways.

It'll still be just as weird. But "chs" is just nonsensical. The idea that it would sound like "sh" is baffling. I mean, I know this is English spelling which is not known for its regularity, but this is just too much.

Please try to e-recycle rather than normal land-fill trash.

It comes from the surname of a German botanist. Which just happens to mean "fox". Never had problems with it.

It would probably help if you pronounced it right, with a /ks/.

The beginning of the English word "fuchsia" is not pronounced like the German word Fuchs, so indeed the spelling does not match the pronunciation. This is independent of the fact that it comes from that word. Plenty of things in English (and, in fact, loanwords in every language) sound different from the words they're derived from; that doesn't mean trying to imitate the source language is the "right" pronunciation. If you pronounce fuchsia like "fuksia" nobody will understand you.

That's always the case, even on Windows, even on Linux for closed-source third party drivers. The only exception is macOS because Apple insists on writing the drivers themselves - that was, in addition to Soldergate, the reason why Apple dropped NVIDIA.

If you are buying now, you want a device on a v5 Linux kernel with BPF support, where the bootloader can be unlocked and VoLTE is implemented in the 3rd-party ROM.

LineageOS has a build roster of current devices at this URL:

https://lineageos.org/Changelog-30/

The Pixels are the most flexible, but don't buy a model from Verizon (they don't allow unlocked bootloaders).

Most other OEMs require you to generate an unlock token and send it to them, then wait a week, which is extrememly inconvenient (and sometimes they just stop and refuse, as I understand OnePlus has).

If you want a locked bootloader at the end of the process for security, then you will be on a later Pixel with Graphene.

e-recycling is only marginally better than a landfill. At least a landfill in pseudo-regulated government economy has the chance to be safely abated in 100 years. Though a few things of value are sometimes extracted, mostly it all ends in places like Turkey or India and burned or buried.

Sorry for the cynical take, but patronizing folks like this is worse than cynicism because it suggests that you actually believe what you're saying is true.

> But "chs" is just nonsensical. The idea that it would sound like "sh" is baffling

In the word "french" C H is pronounced sh and nobody bats an eye, I don't think it's that outlandish that someone once read it as fuch-sia, incorrectly splitting it compared to the original.

In the language French, fuchsia is unequivocally read something more like few-shia, and I'd bet that even though it comes from German Fuchs-ia (fooks-ia) English has picked it up from the French side.

If you find such a loanword weird, don't you dare try reading Japanese.

https://aethermug.com/posts/the-beautiful-dissociation-of-th...

It’s helps if you know that the flower the fuchsia, was discovered by Dr Fuchs

Are apples drivers open source?

I switched away from my flagship Samsung tablet when they pushed it to quarterly updates, meaning security issues often went unpatched for a while. In the fine print of the "X years of updates" they mention that they switch devices to updates only every 3 months and then every 6 months down the road.

> In the word "french" C H is pronounced sh

No, it's not. Unless you think the "n" in french is pronounced "nt".

Unfortunately, even with the best after-market support, banking apps and/or contactless payments becomes a cat-and-mouse game, that, even if it works, can stop working at the drop of a hat.

No. Which is why "the only exception is macOS" is also false. At some point Apple drops support for that model and then that hardware not only gets no more driver updates, because the whole system is tied to the rest of it, it gets no more updates at all.

So the only exception is systems with open source drivers. Those are basically supported as long as the hardware architecture is and enthusiasts even have the option of adding support themselves. You can install the latest version of many Linux distributions on the first generation of x86-64 hardware from 2003 and some on 32-bit PC hardware going back to the 1980s.

It should literally be a crime that you can't do the same thing on a five year old phone.

> Being reliant on a single OS permanently nailed to the hardware is no less crazier.

Locking OS upgrades to a network vendor is substantially crazier. It creates pockets where the hardware vendor ships a security update but your network doesn't care to ship it and isn't incented to. It is BANANAS.

> If you pronounce fuchsia like "fuksia" nobody will understand you.

TIL and yet another case of "English is fucking weird".

I can tell you that Wells Fargo works both on Lineage with Mind the Gapps, and Graphene with the Play store installed. I have it on my OnePlus 5 and Pixel 6a.

I understand that most U.S. banking apps work on Graphene.

As far as contactless payments, try a Pixel watch. I understand that it is entirely separate from the phone.

Provisioning payment cards on your watch without being able to run the phone app will be quite a challenge, however!

I have never tried this, as I am happier with RFID on my individual credit cards.

However, Google Pay will certainly run on my Lineage OnePlus 5. It will not provision localhost, but I am guessing that it will provision a watch.

I would go buy the parts and try it just to know, but I doubt interest would remain here by the time I assembled everything.

Edit: Graphene has a page on this subject, and Garmin appears to be the best option.

https://discuss.grapheneos.org/d/1040-compatibility-with-sma...

Just because one layer of the security stack is compromised doesn't turn your device into a paperweight. I know many people who use out-of-support and vulnerable devices and I am not aware of a single one getting pwned by a system exploit, it is always some kind of phishing or scam. This is anecdotal evidence but I couldn't find actual data, as most don't distinguish between malware that rely on system-level vulnerabilities (as in 0-day) and the ones that don't (like fake apps that steal credentials, mine crypto or inject ads). But it is clear that the former are a minority on Android.

If you don't know what to do with it because your security standards are so high, just give it to someone with lower standards then you, or use it for some project that doesn't involve sensitive data. And if security is broken to the core, there is probably some vulnerability you can exploit to root your phone and do whatever you want with it, including installing a custom ROM.

Still, I agree with you on making it mandatory to provide an unlock method, at least for out-of-support phones.

Damn, I always thought Fuchsia is just a colour, but today I learned

  - Fuchsia is a flower
  - which is named after a German botanist (Leonhart Fuchs)
  - Fuchsia in English is pronounced completely different than in German. 
  - Google is surprisingly bad at naming their products

Fuching weird, even.

It's not 1999 anymore. If you get RCEd today as a nobody you don't get a purple gorilla.

Just silently enlisted into a "Residential VPN" and a background script that checks for the SSID "Iranian Research Facility" every time you turn your wifi on for some reason.

> In the word "french" C H is pronounced sh

It's not, though.

"I've never had someone steal from my car, so the fact that my car lock doesn't work is not a problem."

More like: "Every time someone stole from my car, that's because I forgot to lock the door, that the lock can be picked is not a problem".

Sure, a thief may pick your lock, but unless he knows there is something valuable in there, he will probably go find a car the owner forgot to lock, it less effort and there are plenty of them, or he may look for more valuable targets.

Fine, and legit. I get what I deserve for not looking it up!

Scaramouch and crochet though.

My point is that with macOS, Apple writes the drivers which means at least as long as the hardware is supported you can be pretty sure that there will be prompt fixes for any issue. With Android, Windows or closed-source Linux drivers (cough NVIDIA) you're left entirely at the mercy of whoever made the tiny little component controlled by the driver to provide a fix, which then has to bubble up through the ODM/OEM until it finally appears in an update you can install.

If you want fast responses to driver bugs, you only have Apple or a fully open-source Linux systems as an option.

I can't see how the situation with apple is any better considering what you've said, you're still beholden to apple to provide a fix. Even if that fix might be quicker coming IF apple is currently supporting the device; not at all otherwise.

Named after, apparently. https://en.wikipedia.org/wiki/Fuchsia#Taxonomy

> The first to be scientifically described, Fuchsia triphylla, was discovered on the Caribbean island of Hispaniola (Haiti and the Dominican Republic) about 1696–1697 by the French Minim friar and botanist, Charles Plumier, during his third expedition to the Greater Antilles. He named the new genus after German botanist Leonhart Fuchs

See also https://en.wikipedia.org/wiki/Fuchsia_triphylla .

:) Yeah, probably in this case English is doing the right thing, pronunciation wise. Anyway, checking in Google Translate the pronunciation it plays "fuksia", while Wikipedia has the right version.

Fuchsia isn't dead. People just like to spread random misinformation on the internet. Source: I work on fuchsia.

The intention is to have a stable driver abi which should allow you to build an arbitrary OS on top (fuchsia itself is exceptionally modular and doesn't have a lot of opinions it imposes on products built above it). Of course similar to a Linux BSP not helping Fuchsia run, such a layer wouldn't enable you to run other OS on top that are not built on top of fuchsia. There is also a limit to what you can generalize in the OS layers as some products may implement private apis between themselves and specific hardware drivers. A stable ABI also implies that the drivers won't necessarily need to be open source, but if the goal is to keep the rest of the OS updatable even if drivers themselves are not updated, that is a necessary concession. There are also many other practical benefits to keeping drivers open source regardless of license obligations to do so. That all said I'm very optimistic about this direction regardless of these caveats.

> I can't see how the situation with apple is any better

Because in the Windows world, there often are no updates after maybe 1, 2 years. Chances are high, if you look in Device Manager of any reasonably new system, you'll find a lot of drivers dating back to before Covid and that's 5 years ago. Chances are even higher that if you look close enough, you'll find something being exploitable.

With Apple? Their track record for support is around 7 years.

Sure, and cache and cloche.

But the question here is chs, not ch. Which though rare, is widely understood to be a kind of guttural sound or "k" sound followed by an s. In -uchs or -ichs coming from German.

Not the "sh" sound in fuchsia.

Let's concede that Windows sucks.

If you have macOS, it's supported until the OEM (Apple) stops supporting it. If you have Linux with some proprietary driver, it's supported until the OEM (e.g. Nvidia) stops supporting it. If you have Linux with open source drivers, it keeps working pretty much indefinitely.

Meanwhile 10+ year old hardware is serviceable for many uses. A 15 year old machine from the scrap heap could have 64GB of RAM, a different one could have a low idle power draw for a use where that's the only thing that matters. Put a cheap SSD in a machine of that vintage and someone who is just using web and email could keep using it for the rest of their life.