Both mentioned CVEs seem to be about local privilege escalation. So basically yes, if you don't install crap apps, there's a high chance that you are protected. Problem is that it might not seem to be a crap app, but a nice-looking game, etc. Also an attack can come in with an update of any app you have already installed on your phone.
Threat model is probably third party ad and tracking libraries that pay to get into apps. If I caught it, I'd expect it to be from an app to use a parking deck, a colorful desk lamp, an otoscope etc. where the developers sold out years ago.
The point was surely more that apps being exploited via the Play Store can be mitigated there without client OS updates. The only hole here requiring the update needs a sideloaded attack.
Except the Play Store is a hot mess, and Google does little to no review of apps. Trusted repositories work best when the repository maintainers build and read the code themselves, like on f-droid or Debian. What Google and Apple are doing with their respective stores is security theater. I would not be surprised if they don't even run the app.
Again though, that's mixing things up. The question is whether or not mitigating the exploit requires an OS patch be applied promptly.
And it seems like it doesn't. If there is a live exploit in the wild (as seems to be contended), then clearly the solution is to blacklist the app (if it exists on the store, which is not attested) and pull it off the store. And that will work regardless of whether or not Samsung got an update out. Nor does it require an "audit" process in the store, the security people get to short circuit that stuff.
> if I don't install any crap on my phone I am safe?
We don't know. Practically no technical information is released about the bug, for what I care any play store app may exploit this at one time or another and there's no way to know. It's not like everyone and their CFO are shy of exploiting any user data they can get their greedy hands on.
Whilst the play store supposedly scans all apps for malicious behaviour, it's pretty easy to detect the test environment they use for testing and make malicious behaviour only trigger in situations Google doesn't test, e.g. 5 days after installation, only if the device IP address changes at least once.
In today's world, web based exploits are pretty rare. The only time you really see this happen is with full proprietary systems like iPhones because the software stack on those is all intertwined between kernel code and user code, and things like sending a text message with some formatted characters can lead to reboots of phones. But even then, to gain a full command line shell or steal secrets is either impossible due to attack surface, or requires the phone to be in a specific state, like fully factory reset.
The only real danger is chains of trust being compromised, as in some attacker manages to insert malicious code into an already trusted app that uses these exploits.
On a side note I get a kick out of reading HN comments about exploitation and hacking. I think people firmly believe that with enough time, a hacker can figure out how to basically take over your phone given any exploit, no matter what it is.
One, I'm not sure what American founding ideals have to do with Germany.
Two, Germany, like most countries and frankly human populations, has a male surplus in its fighting-age population [1]. This is why, historically, large societies tended to wage war with men first. (Even those that e.g. held elite units in reserve, which undermines the usual biological argument.)
The reason for war has always been to kill off young men, since they are disposable fertility wise and an internal threat to current holders of power. This has been the case since the stone age and will be the case until the end of time.
Money is nothing but a representation of power. If it was about money itself, rulers could just print limitless amounts (which they have tried a number of times).
> male surplus is a few tens of thousands, way too small to make up an army
...why would you populate your army solely with the surplus? The point is you have a buffer that you can burn without immediately impacting your demographics for the long term.
> that is not the reason why men and not women go to war
It's a serious theory [1]. (It's more correct to say the surplus and it share a common cause.)
>has a male surplus in its fighting-age population
The "male surplus fighting-age population" in Germany will flee to the next European host or back to the MENA country they fled from if conscription begins.
Very well said, thank you for this. I would add though, that money (or lack thereof) causes unhappiness as well, because people want to live how "they" live on Instagram, and they can't.
Instagram moved expectations up significantly for a large portion of global populations, so yes, what you say is absolutely true, but it isn't the Reality part but the Expectations part of the Happiness formula.
One even responded to an earlier comment of mine that we shouldn't be optimizing software for low-end machines because that would be going against technological progress...
Yes, that’s why we all do our meetings in the metaverse, and then return home on our segways to watch some 3d tv, while the robotic pizza making van delivers robot-made pizza.
Ultimately, you can spend what you want; if the product is bad people won’t use it.
I'm intrigued by this thought, and I'm not sure it's the right way to look at the current situation.
Think about it via a manufacturing analogy. I think we can all agree that modern CNC machining is much better for mass manufacturing than needing to hire an equivalent number of skilled craftspeople to match that throughput.
Imagine we had a massive runup of innovation in the CNC manufacturing industry all in one go. We went from CNC lathes to 2D routing tables to 3, then 4, then 5 axis machining all in the span of three years. Investment was so sloshy that companies were just releasing their designs as open source, with the hope that they'd attract the best designers and engineers in the global race to create the ultimate manufacturing platform. They were imagining being able to design and manufacture the next generations of super advanced fighter jets all in one universal machine.
Now these things are great at manufacturing fully custom one-off products, and the technicians who can manipulate them to their fullest are awestruck by the power they now have at their fingertips. They can design absolutely anything they could imagine.
But you know what people really want? Not fighter jets, but cheap furniture. Do you know what it takes to make cheap furniture? Slightly customized variants of the early iterations that were released as open source. Variants that can't be monetized by the companies that spent millions on designing and releasing them.
The tech might work great, but that doesn't mean the investment pays off with the desired returns.
People keep comparing LLMs (and AI, I suppose) to specialised machines like the printing press or the harvester or something, and often throwing in a luddite comparison.
The glaring difference is that specialised machines, usually invented to do an existing task better, faster or more safely, do indeed revolutionise the world. As you pointed out, they perform necessary functions better, faster, and / or more safely.
Note that Segways, that weird juice machine etc. were not built to fill a gap or to perform a task better, faster or more safely. Neither were pet rocks or see-through phones. Nobody was sitting around before the Metaverse going "man, I wish Minecraft could be pre-made and corporate with my work colleagues", and when these things launched the sales pitches were all about "look at the awesome things this tech can do, isn't it great?!", rather than "look at the awesome things this tech will allow you / help you to do, aren't they great?!".
LLMs are really impressive tech. So are Segways and those colour-changing t-shirts we had in the 80s. They looked awesome, the tech was awesome, and there were genuine practical applications for doomerist, somewhere.
But they do not allow the average person to do anything awesome. They don't make arduous tasks faster, better or safer without heavily sacrificing quality, privacy, and sanity. They do not fill a gap in anybody's life.
That's the difference.
Most AI is currently a really cool technology that can do a bunch of things and it's very exciting to look at, just like the Segway and the Metaverse. And, really, an ant, or a furby.
They are not going to revolutionise anything, because they were never built to. They weren't built to summarise your emails or to improve your coding (there are many pieces of software that were built to assist with coding, and they are pretty good) or to perform any arduous or dangerous tasks.
They were built to experiment, to push boundaries, to impress, and to sell.
So yes, I 100% agree with you and, to take your point a little further, it's not even that LLMs are too high tech and fancy for most people. I don't even think that they're products. They are components, or add-ons, being sold as products like extension power cables 50 years before the invention of the plug socket, or flexible silicone phone cases being sold in the era of landlines and phone boxes.
And I'm legit still baffled that so many people seem to have jobs that revolve around reading and writing emails or producing boilerplate code, who are not able to confidently do those things, but aren't just looking for a new job.
Like, it's a tough market, but if you haven't learned to skim-read an email by now, do yourself a favour and find a job that doesn't involve so much skim reading of emails. I don't get it.
AKA "too big to fail". The interests of major and early AI capital owners will be prioritized over those of the later capital and non-capital-owning public.
> Things that are too big to fail can end up being nationalized when they do fail.
And if that happens, will the taxpayer be on the hook to make investors whole? We shouldn't. If it is nationalized, it needs to be done at a small fraction of the private investment.
When the government takes your property with eminent domain, they don't give you what you've put into it or what you owe, they give you the market value for the property.
If one or more of the AI companies fail, the government would pay what they feel is the market value for the graphics cards, warehouses, and standing desks and it will surely be way less than what the investors have put in.