by scarface74
2764 days ago
Of course I knew about MDM software, it’s been around forever - before the iPhone ever came out. We used it for Windows Mobile software, deployment of vertical software for both iOS and Android, etc.
And if the product was open source, they could also fix the bug, rather than having to rely on the vendor to do it -- which they sometimes don't.
It would also be easier for them to discover the bugs, which would result in more of them being discovered.
In reality, Android is supposed to be “open” but between Android, iOS, and Windows, the Android ecosystem has the worst track record of both correcting bugs and getting the patches out to users. In the real world, no one is voluntarily going through each line of either Android or iOS looking for exploits out of the goodness of their hearts.
Because it's an argument from logic rather than an argument from observation. The claim isn't that some specific number of people have been observed using published source code to discover bugs, only that the number is non-zero -- which doesn't require statistics, only a single counterexample that I can provide myself from personal experience in having done it.
And that “logic” falls apart with one widespread example - the HeartBleed bug that was in the OpenSSL implementation for a year and a half. The number is also “non zero” of bugs found by third parties in closed source software....
The process of identifying bugs and the process of distributing patches are two separate things. And there is a very specific reason the "Android ecosystem" is slow to distribute patches -- an important piece, namely the hardware drivers, is not open. The reason you can't install the latest stock Android with all the latest patches on your device is that the device is stuck with proprietary blob drivers that aren't compatible with newer kernels.
And the operating system with the best security record is unambiguously OpenBSD.
> In the real world, no one is voluntarily going through each line of either Android or iOS looking for exploits out of the goodness of their hearts.
They don't have to do it out of altruism, there are plenty of self-interested reasons to do it. Security researchers build their reputations by discovering vulnerabilities. iOS jailbreaks are valuable. Some companies that use Android in their own products pay to audit the code that runs on them (and incidentally on everyone else's devices). Programmers that discover their device unexpectedly doing something "weird" are more likely to investigate, and more likely to succeed in discovering the cause, when the code is available.
> And that “logic” falls apart with one widespread example - the HeartBleed bug that was in the OpenSSL implementation for a year and a half.
https://www.cvedetails.com/vulnerability-list/vendor_id-26/p...
Take a look at how many of those also affect Server 2008, implying they've been there for at least a decade before being discovered.
> The number is also “non zero” of bugs found by third parties in closed source software....
And how many of those were discovered specifically because the source code wasn't available?