Daniel Micay
Sep 21, 2020, 9 tweets
The public Android security bulletins are not nearly as useful as they used to be since so much information was stripped out of them. Need to figure out even basic details entirely from the commit message and changes to the code. Internal bulletins still have more information.
This makes it difficult to figure out when a bug was fixed with only the details of the bug including the impacted subsystem but not a CVE ID. threatpost.com/bluetooth-spoo… says the issue is unpatched on Android but that seems based on the researchers testing a device without updates.
It's highly likely that android.googlesource.com/platform/syste… is the fix for this issue since it's a fix for a security bug in pairing tied to authentication of a device that was previously paired. I'm not entirely sure it's the same bug since there aren't enough details available for the fix.
This fix is listed as CVE-2020-0379 as part of the 2019-09-01 patch level: source.android.com/security/bulle…. The bulletin simply refers to it as a high severity Information Disclosure (ID) in "System". Are they seriously just categorizing by component based on top level AOSP directory?
I could ask someone to check the internal bulletin, or I could ask someone at Google to check b/150156492. It seems strange that so little information is being provided now. Any resourceful adversary will be able to get access to the broadly distributed internal bulletins anyway.
I could post a few examples from a past month of the internal bulletin description vs. lack of any real public bulletin information. This just seems to make things much harder for external security researchers. They should want people verifying that fixes were done correctly.
Long-term support for older major versions in AOSP is also strange. AOSP has maintenance branches for the current major OS version with all kinds of bug fixes and other improvements. It's the same source tree they use to build the stock OS with their proprietary repos added in.
For previous major releases of AOSP, which now includes Android 10, they release tags for the monthly security updates based on the earliest tag for that major release. Those only include security patches added that month and an arbitrary assortment of previous security patches.
Internal security patch previews are a bundle of security patches to be applied consecutively onto the earliest tag for a major release without all non-security improvements in the AOSP maintenance releases. So, for past major releases, they're awkwardly publishing those via Git.
More from @DanielMicay

Oct 24, 2022
@RichFelker @GrapheneOS Treble makes it possible to easily run AOSP or GrapheneOS on any hardware providing an implementation of Android vendor APIs which have a stable versioned ABI with backwards compatibility for a few major versions of the OS. It provides an easy way to support any Android phone.
@RichFelker @GrapheneOS AOSP has official support for a few development boards with an entirely open source implementation of the vendor HALs based on Mesa, etc. It's entirely possible for a phone to provide that and Pixels will likely trend towards that and away from the Exynos tech due to Tensor SoC.
@RichFelker @GrapheneOS Treble makes it so that you can run the portable userspace portion of the OS on top of any underlying drivers, services, kernel, kernel modules, etc. used to support the hardware. GKI brings this to the kernel where any GKI kernel build can be used on any device supporting GKI.
Sep 2, 2022
I know several people working as software engineers at Cloudflare. According to one of them, this incident (blog.cloudflare.com/the-mistake-th…) was hardly a mistake. Cloudflare is including block lists sourced from far right evangelical groups as part of their 'family friendly' DNS service.
Cloudflare is aware their 'family friendly' DNS (1.1.1.3) isn't blocking sites like Kiwi Farms (kiwifarms . net) or Daily Stormer (stormer-daily . rw). It's a deliberate decision, despite their blog post claiming their filtering is meant to mimic SafeSearch, which filters them.
Cloudflare has not stopped using block lists sourced from hateful groups. They only stopped including the subsets explicitly marked for that purpose. Easy to see why getting porn block lists from groups producing LGBTQ block lists results in continuing to "mistakenly" block more.
Aug 31, 2022
Cloudflare drops sites from their service on a daily basis for having content they dislike. They remove sites with adult content, support for sex workers, etc. They also drop sites they deem to be posting spam. Cloudflare's censored 1.1.1.3 DNS blocks lots of LGBT content, etc.
They're too cowardly to stand behind their decisions so they won't mention sites like Kiwi Farms by name. Their official accounts and executives all have their replies disabled on Twitter to shut down dissent. Their free speech act is a ridiculous sham. They drop lots of sites.
Cloudflare does FAR MORE content moderation than required by law. They aren't a free speech host. They remove speech they disagree with every day. They host Kiwi Farms because they support the content on it. They dropped sites used by sex workers because they consider it immoral.
Jul 13, 2022
@burnt_disk @MishaalRahman It's problematic that they expose those directly. They either require user consent on a case-by-case or one-time basis despite not being runtime permissions or they have no real privacy model. Low-level permissions exist for static analysis of what apps can request at runtime.
@burnt_disk @MishaalRahman For example, request install packages allows the user to allow it as an app source and then approve app installations on a case-by-case update. Only thing that can be done without case-by-case consent is updating an app again after the user authorized an install initial/update.
@burnt_disk @MishaalRahman Another example is that QUERY_ALL_PACKAGES has no actual privacy model at this point. It would mislead users into thinking that apps without it can't query all the user installed apps when they can if they list queries for common intents like the one used for launcher activities.
Jun 29, 2022
@IntelTechniques It's unfortunate that you're giving a platform to someone making numerous false claims about both CalyxOS and GrapheneOS to promote CalyxOS. They're spreading misinformation about our project and are misleading people about multiple privacy and security topics.
@IntelTechniques The article in unredactedmagazine.com/issues/003.pdf by Zachary McIntosh should be corrected. They're misleading people about sandboxed Google Play and microG along with falsely claiming that the CalyxOS approach does not use Google services, when in fact CalyxOS always does.
@IntelTechniques It makes numerous inaccurate claims about CalyxOS, misleading people in a harmful way. It presents AOSP features as ones added by CalyxOS and makes inaccurate claims about the CalyxOS features. Many claims there are inaccurate marketing talking points about it.
Jun 28, 2022
nginx configuration enforcing a rate limit based on a value in the request body, to implement a rate limit for Flarum's forgot password API based on email instead of only on the source IP of the request:

github.com/GrapheneOS/dis…

Could move some directives to http {} to reuse more.
nginx's limit_req runs very early in the request and $request_body only exists much later. That variable also only exists if you use a reverse proxy via proxy_pass, fastcgi_pass, etc. Have to get the value out of request body with map, add as a header and reverse proxy to itself.
Since it's a header, it can implement a rate limit with the email as the key for the rate limit zone once it proxies it to itself. Flarum treats the email value as an exact string so it can't be bypassed by adding whitespace, etc. Only problem is that 1r/m is the lowest rate.
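A constructed nginx configuration illustrating the two-hop technique described above (map on $request_body, header, proxy to itself, limit_req keyed on the header). It is an added example, not the configuration from the linked GrapheneOS repository, and it assumes Flarum's endpoint is POST /api/forgot with a JSON "email" field and that Flarum runs under php-fpm; the hostname, socket and file paths are placeholders.

```nginx
# Added example; the /api/forgot path, JSON email field, hostname and paths are assumptions.

# Per-IP zone for the public hop, per-email zone for the loopback hop. 1r/m is nginx's
# lowest rate, so one forgot-password request per address per minute is the tightest limit.
limit_req_zone $binary_remote_addr zone=forgot_ip:10m rate=10r/m;
limit_req_zone $http_x_forgot_email zone=forgot_email:10m rate=1r/m;

# $request_body is empty when limit_req runs (preaccess phase) and is only populated once
# proxy_pass has read the body, which is also when proxy_set_header evaluates this map.
map $request_body $forgot_email {
    default "";
    '~*"email"\s*:\s*"(?<email>[^"]+)"' $email;
}

server {
    listen 443 ssl;
    server_name discuss.example.org;   # placeholder

    location = /api/forgot {
        limit_req zone=forgot_ip burst=5 nodelay;
        # The body must stay in memory: if it spills to a temp file, $request_body is empty
        # and the request would only be subject to the per-IP limit.
        client_max_body_size 4k;
        client_body_buffer_size 8k;
        # proxy_set_header replaces any X-Forgot-Email a client sent, so the key is ours.
        proxy_set_header X-Forgot-Email $forgot_email;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8081;   # second hop to this same nginx instance
    }

    # ... the site's other locations are unchanged
}

# Loopback-only hop: the email is now a request header, so limit_req can key on it.
server {
    listen 127.0.0.1:8081;

    location = /api/forgot {
        limit_req zone=forgot_email;
        limit_req_status 429;
        # A body that did not match the map yields an empty key and is not counted here;
        # Flarum rejects it itself, and the per-IP zone on the first hop still applied.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/flarum/public/index.php;   # placeholder
        fastcgi_pass unix:/run/php-fpm/flarum.sock;                       # placeholder
    }
}
```

Check it with `nginx -t`, then send two forgot-password requests for the same email from different source addresses within a minute: the second should get a 429 from the loopback hop while requests for other emails pass.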