
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."

Posts

  • LD50 (Registered User regular)
    But it doesn't really take anything being compromised. Next time you need to change your phone plan in some way, pay attention to how easy it is (especially if you're buying something, like a new phone).

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle (Registered User regular)
    Yeah. I recently replaced my old phone, and it was ridiculously easy to move my number over to it. That's part of why I'm so concerned about this vector of attack.

    I've without a doubt moved to an authenticator app wherever I can (it was probably the biggest pain in the ass, moving 17 2FA accounts to a new phone), but guess which account doesn't support anything BUT SMS 2FA?

    If you guessed the bank I use, you win! They have apparently no intentions of using anything other than SMS for 2FA, which is mildly infuriating.

  • bowen, How you doin'? (Registered User regular)
    you can't really clone sims, that shit kind of went to the wayside in 2004

    you need to do some pretty involved activation process on the network to get it to actually accept the new phone hardware

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • LD50 (Registered User regular)
    edited January 2018
    bowen wrote: »
    you can't really clone sims, that shit kind of went to the wayside in 2004

    you need to do some pretty involved activation process on the network to get it to actually accept the new phone hardware

    I mean, it's not literally cloning the sim, but you can have multiple phones with the same phone number no problem. In fact, I think my old Note still works with my current number alongside my pixel. Shit just gets delivered to both phones when they're both on.

    Edit: In either case, even if the real correct phone just gets deactivated, they can still change a phone number to a new phone and use it before someone who no longer has a working phone can do anything about it. And it doesn't require any special knowledge about the victim.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle (Registered User regular)
    I'm pretty sure the common tactic is to say "Hey, my phone was stolen, please port my old number to this new SIM and block the old one". Lets them have access to everything, while keeping the victim in the dark, and is kind of stupidly easy to do. There's not a whole lot of authentication going on for that operation, in my experience.

  • Inquisitor77, 2 x Penny Arcade Fight Club Champion, A fixed point in space and time (Registered User regular)
    TetraNitroCubane wrote: »
    I'm pretty sure the common tactic is to say "Hey, my phone was stolen, please port my old number to this new SIM and block the old one". Lets them have access to everything, while keeping the victim in the dark, and is kind of stupidly easy to do. There's not a whole lot of authentication going on for that operation, in my experience.

    The biggest security risk is always going to be people, and social engineering tops that list by a huge margin.

  • bowen, How you doin'? (Registered User regular)
    LD50 wrote: »
    bowen wrote: »
    you can't really clone sims, that shit kind of went to the wayside in 2004

    you need to do some pretty involved activation process on the network to get it to actually accept the new phone hardware

    I mean, it's not literally cloning the sim, but you can have multiple phones with the same phone number no problem. In fact, I think my old Note still works with my current number alongside my pixel. Shit just gets delivered to both phones when they're both on.

    Edit: In either case, even if the real correct phone just gets deactivated, they can still change a phone number to a new phone and use it before someone who no longer has a working phone can do anything about it. And it doesn't require any special knowledge about the victim.

    That doesn't work in the US anymore. It doesn't/shouldn't ring both.

    The old phone will still think it is connected and has access to the number and all that, but it won't work.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Jragghen (Registered User regular)
    So what's the password manager of choice anymore, or is the whole idea considered a bad idea anymore and just memorize a ton of random alphanumericsymbol strings?

  • Orca, Also known as Espressosaurus Wrex (Registered User regular)
    I have been using KeePass for years.

  • fightinfilipino, Angry as Hell, #BLM (Registered User regular)
    KeePass is a favorite. A lot of forumers also use 1Password.

    steam | Dokkan: 868846562
  • Jebus314 (Registered User regular)
    I use lastpass, and it seems to work fine for what I need. How often do you guys change your master password? Lastpass wants me to change it like every 6 months, but that just seems like a recipe for me eventually forgetting it and being fucked.

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • Jragghen (Registered User regular)
    Jebus314 wrote: »
    I use lastpass, and it seems to work fine for what I need. How often do you guys change your master password? Lastpass wants me to change it like every 6 months, but that just seems like a recipe for me eventually forgetting it and being fucked.

    I use Lastpass too, but their Android app and firefox plugin have been lacking for months (and I believe the company behind them was purchased?) while simultaneously doubling their premium cost. Last night, the browser plugin wouldn't even save a new site, so that's what's started me looking.

    Which was apparently an auspicious time to do so, because BitWarden caught my eye, and then when digging deeper, it seems like a security flaw in their Chrome implementation was found which was pretty glaring (and then was subsequently patched in like 2 hours, but still).

  • Jragghen (Registered User regular)
    Oh, and Re: the thing last page, OnePlus has given their official response.

    https://forums.oneplus.net/threads/jan-19-update-an-update-on-credit-card-security.752415/
    [Jan 19 Update #2]

    Update: Thank you for your comments, we're reading each and every one and we appreciate your feedback. We do want to clarify, only potentially affected users will receive the email.

    [Jan 19 Update]

    Hi all,

    We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users.

    1. What happened

    One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered.

    The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated.
    We have quarantined the infected server and reinforced all relevant system structures.

    2. Who's affected

    Some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may be affected.
    Credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may be compromised.
    Users who paid via a saved credit card should NOT be affected.
    Users who paid via the "Credit Card via PayPal" method should NOT be affected.
    Users who paid via PayPal should NOT be affected.
    We have contacted potentially affected users via email.

    3. What you can do

    We recommend that you check your card statements and report any charges you don’t recognize to your bank. They will help you initiate a chargeback and prevent any financial loss.
    For enquiries, please get in touch with our support team at https://oneplus.net/support.
    If you notice any potential system vulnerabilities, please report them to security@oneplus.net. This is a monitored inbox, but please note, we may not be able to respond to all reports.

    4. What we are doing

    We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.

    We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future.

    A big thank you to our forum user @superdutynick for bringing this incident to our attention!

    Sincerely,
    The OnePlus Team

    Update 2 is bull, because from all descriptions of who's impacted (purchased during the time period, didn't have saved CC or use paypal), I'm one of them, and never got an email. Some other folks who actually HAD fraud also haven't gotten one yet. Anyway, I didn't see any bad transactions yet, but I just called Citi and had them issue another card anyway so I didn't have to worry about it. Free service (supposedly due to length of time as a customer?), and they're overnighting it, so that's cool. I was mildly amused because the tech support guy at least knew what phones OnePlus had put out, so either they're getting a few of these calls, or I hit on someone who knows what's going on.

    Re: the phone thing, I also decided to try to get in front of that if I could and called T-Mobile, and I found something out - if you're on a friends and family with T-Mobile and not the primary user, you can't get it transferred to a new SIM without the primary account holder's authorization ANYWAY. So amusingly enough I am 100% insulated from that attempted scam. Given in my case he's not even a direct friend, but rather a friend of my wife, and I personally can't even remember his full name off the top of my head, good luck to anyone trying to pull THAT one from my info :P
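As an added example (not the page's or OnePlus's code), a script-inventory check of the kind that would flag the injection the statement above describes: fingerprint the scripts a known-good checkout page serves, then report any fetched copy that carries scripts the baseline does not. The HTML and hostnames are constructed placeholders.

```python
"""Script-inventory drift check for a checkout page.

The incident above was a script injected into the payment page that read card
fields in the browser and sent them elsewhere. One defensive control is to
baseline the scripts a known-good page serves and alert when a fetched copy
differs. Everything below (HTML, hostnames) is constructed for the example.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script>...</script>
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def fingerprint(html):
    """Return (set of external script URLs, set of sha256 hex of inline bodies)."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    inline_hashes = {hashlib.sha256(body.encode()).hexdigest() for body in parser.inline}
    return set(parser.external), inline_hashes


def check_page(html, baseline_external, baseline_inline, first_party_hosts):
    """Compare a fetched page with its baseline; return a list of findings.

    An empty list means the script inventory is unchanged. A relative src is
    treated as first-party; an absolute one only if its host is in
    first_party_hosts. New inline blocks are reported by hash.
    """
    external, inline = fingerprint(html)
    findings = []
    for url in sorted(external - baseline_external):
        host = urlparse(url).hostname
        origin = "first-party" if host is None or host in first_party_hosts else "third-party"
        findings.append(f"new {origin} script: {url}")
    for digest in sorted(inline - baseline_inline):
        findings.append(f"new inline script sha256={digest}")
    for url in sorted(baseline_external - external):
        findings.append(f"expected script missing: {url}")
    return findings


# Constructed known-good checkout page for a placeholder shop.
BASELINE_HTML = """<html><body>
<form id="pay" action="/api/charge" method="post">
  <input name="pan"><input name="exp"><input name="cvv">
</form>
<script src="/static/checkout.js"></script>
<script>document.getElementById("pay").addEventListener("submit", validate);</script>
</body></html>"""

# The same page after a hypothetical injection: one extra external script from
# an unknown host and one extra inline block (the body is a placeholder).
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="https://cdn.unknown-host.invalid/jq.js"></script>\n'
    "<script>/* injected inline block */</script>\n</body>",
)

FIRST_PARTY_HOSTS = {"shop.example.invalid"}   # assumption: the shop's own hosts


def demo():
    """Fingerprint the baseline, then check the tampered copy against it."""
    base_external, base_inline = fingerprint(BASELINE_HTML)
    return check_page(TAMPERED_HTML, base_external, base_inline, FIRST_PARTY_HOSTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Because the statement says the script operated intermittently, one clean fetch proves little; the check is meant to run on every monitoring fetch so that a copy served with the extra script is caught when it appears.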

  • Orthanc, Death Lite, Only 1 Calorie, Off the end of the internet, just turn left. (Registered User, ClubPA regular)
    Depends a little bit on the audience in my opinion.

    I use KeePass synced between machines using Dropbox. As far as I can tell, the crypto on KeePass is good, so as long as your password is strong enough to survive a sustained offline attack this is pretty secure. The flipside being that if your db does leak and your password isn't strong enough, you're pretty much fecked.

    LastPass, on the other hand, being online can (and I assume does) apply controls which substantially mitigate the risk of weaker passwords, like throttling and timeouts. So for a normal person I'd generally consider LastPass a better choice, because the bar for a password to survive an offline attack is very high.

    In terms of how often I change, because I don't reuse my master password and it's long enough to secure against offline attack, the main risk I'm concerned with is a keylogger or similar things. Because in those cases they'd also have the password db, all site passwords have to be considered compromised.

    So I only change the master password every 2 or 3 years, but at the same time I change every password for every site.

    With something like LastPass I would change slightly more often; the risk of password disclosure with an online service integrated into browsers is rather higher, but it's a less total failure mode than with an offline database like KeePass. I'd probably go yearly rather than 6 monthly.

    orthanc
  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle (Registered User regular)
    edited January 2018
    Jragghen wrote: »
    Oh, and Re: the thing last page, OnePlus has given their official response.

    https://forums.oneplus.net/threads/jan-19-update-an-update-on-credit-card-security.752415/

    Update 2 is bull, because from all descriptions of who's impacted (purchased during the time period, didn't have saved CC or use paypal), I'm one of them, and never got an email. Some other folks who actually HAD fraud also haven't gotten one yet. Anyway, I didn't see any bad transactions yet, but I just called Citi and had them issue another card anyway so I didn't have to worry about it. Free service (supposedly due to length of time as a customer?), and they're overnighting it, so that's cool. I was mildly amused because the tech support guy at least knew what phones OnePlus had put out, so either they're getting a few of these calls, or I hit on someone who knows what's going on.

    Re: the phone thing, I also decided to try to get in front of that if I could and called T-Mobile, and I found something out - if you're on a friends and family with T-Mobile and not the primary user, you can't get it transferred to a new SIM without the primary account holder's authorization ANYWAY. So amusingly enough I am 100% insulated from that attempted scam. Given in my case he's not even a direct friend, but rather a friend of my wife, and I personally can't even remember his full name off the top of my head, good luck to anyone trying to pull THAT one from my info :P

    Can confirm, extreme bull. I made a purchase during that period as well, and I haven't been notified at all to date.

    Interestingly, I made my purchase with a Virtual Credit Card - basically a one-time card that can be generated on the fly, specifically for online purchases, and can only be used once. The number is generated as needed, and is different from the physical card's number. I think that makes me safe, as this happenstance is exactly why said service exists. But I won't lie when I say I'm worried anyway and am debating cancelling and reissuing my card (just re-establishing autopay is such a pain in the ass, ugh).

    Also, it's exactly things like this that make me want to never sign up for any website ever anymore. It just keeps happening! When I saw I had to make an account to make the purchase, my first thought was "Oh, great. Another company that's going to get compromised and lose my credentials". Turns out I was wrong, but what actually happened was way worse.

  • Mugsley, Delaware (Registered User regular)
    @Cormac how have you been affected by this?

  • Cormac (Registered User regular)
    edited January 2018
    Mugsley wrote: »
    @Cormac how have you been affected by this?

    No, I have not. I got the email from OnePlus last night but had been keeping an eye on my account since the news broke days before. I should call my bank and ask for them to issue me a card with a new number just in case, but I need to figure out what accounts/auto pay things are linked to my current number.

    Steam: Gridlynk | PSN: Gridlynk | FFXIV: Jarvellis Mika
  • Synthesis, Honda Today! (Registered User regular)
    Jragghen wrote: »
    So what's the password manager of choice anymore, or is the whole idea considered a bad idea anymore and just memorize a ton of random alphanumericsymbol strings?

    I use 1Password. Probably the only software I use that started out on Mac--a few years back it finally became compatible with OneDrive on phones, so I've stopped using DropBox.

  • Jragghen (Registered User regular)
    edited January 2018
    Another day, another OnePlus security worry.

    Remember to take what this guy says with a grain of salt, but the tl;dr right now seems to be:

    In Oxygen OS Beta 2 (the global OS for their phones), there is a new clipboard. This clipboard contains code which is from Hydrogen OS, which is their Chinese operating system. It looks for specific keywords, and then sends information to a Chinese server with the info that's been copy/pasted, etc. This includes things like bank account numbers. Now, hypothetically some of this is due to some ridiculous thing in China where an ISP also owns the top ebay-like store and their competitor carrier prevents links to their domain so there's an auto-replace to a server that makes the equivalent of a bitly link, and...it's weird. This seems to go beyond that though, and is probably from Chinese government.

    As of yet, the code appears to be deactivated in the global beta (they haven't been able to reproduce an actual ping to the server), but....yeah. Yeah. Code's there.

    I'm getting some serious buyer's remorse right now, and I'm guessing as soon as there's a 5T Lineage ROM available I'll be going that route. :/

    Edit:

    http://www.androidpolice.com/2018/01/26/no-oneplus-still-not-sending-clipboard-data-china/
    This time, the company is wasting no time issuing a clear explanation of the situation. Here's the official statement.
    There’s been a false claim that the Clipboard app has been sending user data to a server. The code is entirely inactive in the open beta for OxygenOS, our global operating system. No user data is being sent to any server without consent in OxygenOS.

    In the open beta for HydrogenOS, our operating system for the China market, the identified folder exists in order to filter out what data to not upload. Local data in this folder is skipped over and not sent to any server.

    The allegation is that OP uses this file to identify data to upload to a Chinese server. According to OnePlus, badwords.txt is actually a blacklist file—it tells the OS not to monitor matching data for its smart clipboard service. You're probably not familiar with that feature because it's only used in China as part of HydrogenOS. It was originally developed as a way to get around blocking of competitor links in Chinese messaging services like WeChat, and there's no reason to do that in the US. So, the code is inactive in OxygenOS.

    So, it sounds like OnePlus' only mistake here was including files from HydrogenOS in the OxygenOS beta. The code is inactive, but it's bound to confuse people. Everyone is watching OP closely right now and ready to believe the worst, but the company didn't do anything shady with your clipboard data. It's also important to remember this is beta software. It's possible the inactive (and harmless) HydrogenOS bits won't even be in the final software. Hopefully, OP can keep these builds separate in the future to reduce confusion.

    We should absolutely keep an eye on device makers to ensure nothing untoward happens. After all, we're trusting OEMs with a lot of personal data. At the same time, let's not get carried away and turn this into a witch hunt.

  • bowen, How you doin'? (Registered User regular)
    what the fuck is oneplus

    it's like everywhere in the news but this is the first time I've ever heard of it

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Naphtali, Hazy + Flow Sea (Registered User regular)
    bowen wrote: »
    what the fuck is oneplus

    it's like everywhere in the news but this is the first time I've ever heard of it

    chinese android phone maker. their big claim to fame is getting flagship level specs at not flagship prices.

    Steam | Nintendo ID: Naphtali | Wish List
  • tsmvengy (Registered User regular)
    Naphtali wrote: »
    bowen wrote: »
    what the fuck is oneplus

    it's like everywhere in the news but this is the first time I've ever heard of it

    chinese android phone maker. their big claim to fame is getting flagship level specs at not flagship prices.*

    *Your phone may be monitored by the Chinese government.

  • Jragghen (Registered User regular)
    Naphtali wrote: »
    bowen wrote: »
    what the fuck is oneplus

    it's like everywhere in the news but this is the first time I've ever heard of it

    chinese android phone maker. their big claim to fame is getting flagship level specs at not flagship prices.

    More specifically, they're basically a split-off from Oppo. Hypothetically separate, but same parent company, but with a somewhat more "global" orientation.

  • Jragghen (Registered User regular)
    edited January 2018
    Quick update, I'll edit this into the above post:

    http://www.androidpolice.com/2018/01/26/no-oneplus-still-not-sending-clipboard-data-china/
    This time, the company is wasting no time issuing a clear explanation of the situation. Here's the official statement.
    There’s been a false claim that the Clipboard app has been sending user data to a server. The code is entirely inactive in the open beta for OxygenOS, our global operating system. No user data is being sent to any server without consent in OxygenOS.

    In the open beta for HydrogenOS, our operating system for the China market, the identified folder exists in order to filter out what data to not upload. Local data in this folder is skipped over and not sent to any server.

    The allegation is that OP uses this file to identify data to upload to a Chinese server. According to OnePlus, badwords.txt is actually a blacklist file—it tells the OS not to monitor matching data for its smart clipboard service. You're probably not familiar with that feature because it's only used in China as part of HydrogenOS. It was originally developed as a way to get around blocking of competitor links in Chinese messaging services like WeChat, and there's no reason to do that in the US. So, the code is inactive in OxygenOS.

    So, it sounds like OnePlus' only mistake here was including files from HydrogenOS in the OxygenOS beta. The code is inactive, but it's bound to confuse people. Everyone is watching OP closely right now and ready to believe the worst, but the company didn't do anything shady with your clipboard data. It's also important to remember this is beta software. It's possible the inactive (and harmless) HydrogenOS bits won't even be in the final software. Hopefully, OP can keep these builds separate in the future to reduce confusion.

    We should absolutely keep an eye on device makers to ensure nothing untoward happens. After all, we're trusting OEMs with a lot of personal data. At the same time, let's not get carried away and turn this into a witch hunt.

  • bowen, How you doin'? (Registered User regular)
    huh

    I mean

    That's big news and all but I'm just surprised that I've never heard of it outside of like the past week or two. Also, I guess I'm not super shocked either.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle (Registered User regular)
    I hadn't heard about OnePlus until I started looking at a replacement phone for my aging old smartphone a few months ago.

    A friend of mine told me I HAD to check out the 5T, because it was just such a great deal. All the smartphone reviews I could find of the phone were glowing.

    Now I wish I just had a freaking 2000-era flip phone instead, because it's been nothing but "Ooops, we stole/lost your data".

  • Jragghen (Registered User regular)
    TetraNitroCubane wrote: »
    I hadn't heard about OnePlus until I started looking at a replacement phone for my aging old smartphone a few months ago.

    A friend of mine told me I HAD to check out the 5T, because it was just such a great deal. All the smartphone reviews I could find of the phone were glowing.

    Now I wish I just had a freaking 2000-era flip phone instead, because it's been nothing but "Ooops, we stole/lost your data".

    I'd heard of them slightly before that (the 5 had its screen installed wrong initially, which wasn't an entirely huge deal but made the "feel" of the screen off), but the only real negative mark I'd heard was that their customer support was kinda shit. Which...well, that goes in line with literally every phone I've ever owned, so I didn't consider it a deal breaker.

    But yep, otherwise, I'm 100% there with you right now.

  • Jragghen (Registered User regular)
    And since I know what the hell that androidpolice article is talking about, a bit of background:
    So there are two Internet giants in China, Alibaba and Tencent.

    Tencent has this crap mega app pretending to be an IM chat app, WeChat.

    People share eBay links, oops, I am sorry, Taobao links in WeChat.

    WeChat got jealous; they blocked all *.taobao.com and *tmall.com links to "protect the customer from fraud".

    But of course people love Taobao & Tmall because it's full of cheap shit and ppl think they can outsmart scammers.

    But anyway, two Internet giants, one blocking links to another.

    The Taobao guys invented something clever: they invented some kind of hash code, which is called 淘口令, which is some kind of token that uniquely links to a Taobao/Tmall SKU, so WeChat cannot block arbitrary alphanumeric tokens, thus ppl can share the crap they bought on Taobao via WeChat.

    But after all, there's the catch: how does the OnePlus ROM have anything to do with this?

    Well, the clever-ass part is they will match certain strings from your clipboard, send the token to the Taobao API, and restore the original SKU links.

    That's it, that's why you will see strange URL requests going to Chinese IPs.

    So that situation leads to Hydrogen OS having clipboard code to automatically query a server to see if the clipboard text is actually one of those links. It sounds like the blacklist.txt file was added specifically to NOT query if the text contains any of those words, instead of vice versa. And then the code made it into the non-China version of the OS, and is (currently) deactivated.

    So it ends up being yet another "much ado about nothing, potentially" but another thing to toss on the pile of not wanting to deal with, so I'm still going to install one of the stripped down ROMs when they become available.

    @TetraNitroCubane - if you're interested, I know how to disable the BugReportLite and FactoryMode (not sure, this one might already fix the EngineerMode thing) if either one of those two "much ado about nothing"s bothered you.

  • Mugsley, Delaware (Registered User regular)
    edited January 2018
    When I first moved to Android, I went fairly deep in the enthusiast community, and so I heard whispers about OnePlus when they popped up with the OnePlus One. It was fairly vague at the time, but the company appears to be an arm of Oppo to get them into the US/NA market; though not quite(?). It's never been fully stated; or more clearly, I stopped paying attention.

    The initial reviews for the One were very good, especially for the price, as it turned out the phone received ROMs very well. The One, however, had some stumbling blocks because you could only order one if you got an "invite" from another OnePlus user. The invites were given out by the company in fits and starts, and even then, there was some issue regarding delivery time.

    When the 3 rolled around, I believe it was initially also on an invite system, but later moved to open purchase. Again, it was received rather well by the same enthusiast community (basically, people who post builds and discuss discrete phone details on XDA). Then the company shifted gears slightly and released the 3T.

    The 3T was released "mid-cycle" compared to other manufacturers -- only 6 months after the 3. Again, it turned out to be a very-well-performing phone for its price, and there were frequent comparisons to it and, iirc, the Google Pixel. At the time, there were multiple articles written discussing its merits considering it could compete with the Pixel XL but at half the price (and similar form factor). I seem to remember they had some issues with camera software on the 3T, but I could be confusing it with the Pixel.

    The 5 was supposed to be OnePlus's next step forward into mindshare/retail, but as others said, there were some production snafus. Phones were delivered without delay, but a significant portion had the digitizer installed upside down, which caused image distortion [it's very likely I'm using the wrong term; but it's whatever portion of the display attaches to the glass].

    OnePlus seems to have worked through the issue and had a relatively "clean" release for the 5T until they had the credit card breach on their website, and now these software "issues" in their OS.
    ======

    Being a 5X owner, I am acutely aware that every day could be the last day my phone works. For a while, the 5T was going to be my emergency replacement, but now I'm not so sure. The hard part is I don't know what I'd pick in its stead. Luckily, I hope to have at least the better part of this year to figure that out.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle (Registered User regular)
    edited January 2018
    I'll admit I'm pretty happy with the phone with regard to functionality. It's been a rather smooth experience, and the only negatives I've had to deal with have been these data breach related ones.

    It sounds like this latest issue is a bit of FUD, if I'm not misunderstanding? Then again, I've never really been comfortable with the explanation of "Yes, there is malicious code in our software, but we're not using it or anything, promise!" (Which harkens back to the earlier days of DRM and similar). Is there any assurance that this latest concern is, indeed, just a bunch of hot air, beyond OnePlus saying "Trust us"?

    Fortunately I haven't opted into the beta myself, so at least this issue hasn't been rolled out to all existing phones quite yet.

  • Jragghen (Registered User regular)
    I'm out right now, but when I'm back at the computer I'll give a summary of all the ones I've heard about since I was looking at the phone. They are of varying concern, but most fall under "not really a big deal, but also does not instill trust".

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle (Registered User regular)
    Such a summary would be much appreciated. Thanks, @Jragghen!

  • Jragghen (Registered User regular)
    edited January 2018
    Okay, quick background to frame all of this - from what I've gathered, OnePlus was founded by some former Oppo employees who left the company and stated "we have connections in manufacturing, our goal is to make a stripped-down software with high end hardware at more affordable prices. We're a small team, so please understand if we have problems." It then came out that they had decent financial backing and weren't necessarily as small as claimed, and that's eroded to "we're partially owned by" and then "we're half owned by" the parent company of Oppo. So more realistically you can think of them as a branch of Oppo which is supposed to appeal globally. Like, the OnePlus 5T is basically the R11s, although they're a little different.

    Things that are a Big Deal™

    The data breach for credit card info - we know about this, I won't hash it out again, but it's especially bad because it happened on (at least) one of their servers, and went unnoticed for a couple months until people's credit cards started being used. (Sidenote: they also didn't offer to pay for credit monitoring, etc, the way you see with Target's data breach and other similar things). On one hand, in our modern capitalist society this is borderline "well, it happens to everyone," on the other hand it's still a really bad thing.

    Everything else

    Software bug which caused OnePlus 5s to reboot during 911 call. Glitch wasn't limited to OnePlus but rather was a problem with Qualcomm hardware, but it seems to have happened more in OnePlus devices, or at least was first noticed there. Real problem, but this is a pretty technical one and wasn't limited to just their devices (people on reddit reported some Samsung devices having problems, etc). This is a "well, that's bad, but obviously not malicious" and can be treated like any other hardware/software bug. It's also since been fixed.

    EngineerMode root access* - Engineer Mode is an app which is contained in the phones which is apparently either a copy or a fork of a Qualcomm backend development app. It has a lot of useful diagnostic features which are available, so superusers actually really like it, but it was exposed that, as they just straight-up included the Qualcomm stuff, it's very easy to get root on your phone, effectively leaving a backdoor. However, in order for this backdoor to work, you need to have physical access to the phone, with the phone either unlocked or set by default to connect and allow file transfer to anything it's plugged into (which is stupid if you do it already), which... is already everything you need to root a phone. It just makes it really easy. So I don't view this as bad, just lazy. They were apparently going to remove that part in one of their updates since November, and looking at my phone I no longer see Engineer Mode but instead see Factory Mode, so I think that portion of the app has been removed now. I'd have to go google diving for confirmation, but as you can imagine, it's kinda a pain in the ass to search for after all the articles on the above.

    Bug Report Lite logging* - Every phone has diagnostic tools for sending info on crashes, if you opt in. OnePlus is no different. If you decompile their logging software, there's a ton of switches for a lot more thorough data which could get logged (which are disabled). The one questionable thing is that it logs all accounts on the phone, not just the primary one (so not just your Android account, but ANY gmail address, that sort of stuff - but I can also see where that might be useful info for debugging a crash?). Some logging still apparently happens if you don't send crash logs, but it's not sent out, and the original statement said the logging happened always, not only on crashes. However, I myself didn't notice the logs being generated, and yaddah yaddah yaddah. So basically there are lines of code (probably from production) which still exist but aren't used which could be, in some future update, turned on to log some potentially invasive stuff, which will only get sent if you opt in to sharing crash info. But as of right now, the ONLY potential thing is "email addresses other than the primary account are getting shared if you choose to send crash logs."

    The most recent thing, part 1 - Was specific to Hydrogen OS, already detailed above. To get around a pissing contest between two different Internet companies in China, there's a workaround which automatically converts clipboard text to a readable link, in China. This code exists, but is not enabled in the global OS version, and only in the beta version of the OS (so far). This problem was seemingly solved by a mitm debug, you can see here if you want to look into the specifics. I think this was actually technically found on a OnePlus 3, but point still stands.

    The most recent thing, part 2* - It now appears there's a "blacklist.txt" text file which looks for certain strings when computing the above. Initial statement from the person who found it is that it sends it if you hit those things (except he's on global and thus has not been able to get it to send anything to the server), official statement from the company is that it doesn't send it if it matches those strings, which if accurate, is actually a positive privacy feature, and not a privacy hole! This code, however, still exists in the global beta and is seemingly currently not enabled (but this story is still developing, so take how you will).

    (some part of me is thinking I may be forgetting about something, but I really can't recall anything else specific)
    *Everything marked with this was exposed by the same twitter account, a person calling himself Elliot Alderson, with an fsociety avatar. The first thing (the Engineer Mode one) actually seemed to have some Mr. Robot theming (password was angela, no I'm not making that up), so people initially wondered if it was viral marketing, but that's long since been abandoned. What he posts, as far as I can tell, is never incorrect but often lacks context. Engineer Mode, for example, didn't originally note that you needed physical access and the phone had to be unlocked, which turns it from a blatant backdoor to an "oh....okay." Bug Report logging incorrectly stated that it logs no matter what, and also neglected to mention that no data is ever communicated regardless if you don't opt in. Most recent thing part 2 is still developing, so we don't know if it's "blacklist" as in "send if these are said" or "don't send if these are said." So take that how you will. The account also has done releases on other manufacturers.

    Tin-foil hat commentary in spoilers:
    The account also seems to coincidentally time its releases to either blunt positive news about the company in question (the first two happened right around the time the review embargo was lifting and when sales first started), or when there's some other major announcement happening for some competition (Galaxy S9 stuff coming out about now). I don't know if I buy into it, but it seems like clockwork that there's always some context missing, sensational tweets, all news sites run with it, and within 24 hours the severity of the thing gets greatly lessened. I absolutely believe that what's being found is real, but I do wonder if the sensationalism and what have you is being done because they're being backed by a competitor. Which, in turn, makes the Mr. Robot branding hilariously ironic.

    Personal tl;dr takeaway - I see laziness, not maliciousness. Copy/pasting code which should have been cleared out in production, etc. But when it comes to privacy that's not necessarily better? Nothing has happened which has me actively concerned that they're out to get me, but I've gone ahead and done some extra work to disable the apps in question in the past so I don't have to waste any mental cycles worrying. Odds are once a proper ROM comes out I'll just use that and then don't have to worry about it ever again.

    TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    Very nice, and very appreciated, breakdown, Jragghen! Thanks for the helpful links, and summaries. I tend to agree that it's likely laziness instead of malicious intent, but as you point out, that distinction matters very little.

    In non-phone related news, it looks like malvertising is still going strong these days. Bleepingcomputer reports that Google's AdSense network has been serving up cryptojackers (malicious scripts and code that use your computer to mine cryptocurrencies):
    Some smart crooks found a way to insert and deliver the Coinhive in-browser miner inside ads delivered via the Google DoubleClick ad delivery platform.

    Ads delivered this way made their way on countless sites, and even on Google's own property, YouTube.

    I find this particularly interesting because YouTube is pretty universally regarded as a "safe" site. Reminder that there's no such thing as safe surfing, and that keeping your adblocker and script blocker up to date is always recommended!
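
    To make the "script blocker" point concrete, here is an added example (not code from the post or from Bleepingcomputer) of the kind of check a content scanner or browser extension applies to an ad creative before letting its scripts run: parse the HTML, pull out every external script URL and inline script body, and flag the ones that reference a known in-browser miner loader. The Coinhive hostnames and the `CoinHive.Anonymous(...)` API name used as indicators are assumptions modelled on how that miner was typically embedded; the two HTML documents are constructed samples.

    ```python
    """Flag in-browser cryptominer loaders inside HTML (e.g. an ad creative).

    Added example for the forum post above; indicator strings are assumptions,
    not an authoritative blocklist.  Real blockers (uBlock Origin lists,
    NoCoin) carry thousands of entries and are kept up to date for a reason.
    """
    import re
    from html.parser import HTMLParser

    # Hostnames the miner script was typically loaded from (assumed indicators).
    MINER_HOST_PATTERNS = [
        re.compile(r"coinhive\.com", re.I),
        re.compile(r"coin-hive\.com", re.I),
        re.compile(r"authedmine\.com", re.I),
    ]
    # Inline API calls that start the miner (assumed indicators).
    MINER_CODE_PATTERNS = [
        re.compile(r"CoinHive\.Anonymous\s*\(", re.I),
        re.compile(r"CoinHive\.User\s*\(", re.I),
        re.compile(r"new\s+CoinHive\.", re.I),
    ]


    class ScriptCollector(HTMLParser):
        """Collects external script URLs and inline script bodies from a page."""

        def __init__(self):
            super().__init__()
            self.external = []   # values of <script src="...">
            self.inline = []     # bodies of <script>...</script>
            self._in_script = False
            self._buf = []

        def handle_starttag(self, tag, attrs):
            if tag.lower() != "script":
                return
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

        def handle_data(self, data):
            # HTMLParser hands us <script> contents as raw CDATA text.
            if self._in_script:
                self._buf.append(data)

        def handle_endtag(self, tag):
            if tag.lower() == "script" and self._in_script:
                self._in_script = False
                self.inline.append("".join(self._buf))


    def find_miner_scripts(html):
        """Return [(kind, evidence), ...] for every miner indicator found in html.

        kind is "external" (the offending src URL) or "inline" (the matched text).
        An empty list means no known indicator was present, not that the page is clean.
        """
        parser = ScriptCollector()
        parser.feed(html)
        parser.close()
        findings = []
        for src in parser.external:
            if any(p.search(src) for p in MINER_HOST_PATTERNS):
                findings.append(("external", src))
        for body in parser.inline:
            for p in MINER_CODE_PATTERNS + MINER_HOST_PATTERNS:
                match = p.search(body)
                if match:
                    findings.append(("inline", match.group(0)))
                    break  # one finding per inline block is enough to block it
        return findings


    # Constructed sample: an ad slot that pulls in a miner, next to an ordinary
    # third-party script.  The site key is a placeholder.
    SAMPLE_AD_HTML = """<html><body>
    <div class="ad-slot">
    <script src="https://coinhive.com/lib/coinhive.min.js"></script>
    <script>
      var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.2});
      miner.start();
    </script>
    </div>
    <script src="https://cdn.example.test/analytics.js"></script>
    </body></html>"""

    # Constructed sample with no miner indicators at all.
    CLEAN_HTML = """<html><body>
    <script src="https://cdn.example.test/app.js"></script>
    <script>console.log("hello");</script>
    </body></html>"""

    if __name__ == "__main__":
        for name, doc in (("ad creative", SAMPLE_AD_HTML), ("clean page", CLEAN_HTML)):
            print(name, "->", find_miner_scripts(doc) or "no miner indicators")
    ```

    The design point is that both external and inline scripts have to be inspected: the loader arrives as an external file, but the call that actually starts mining is usually inline in the creative, so a blocker that only filters URLs misses the second signal when the miner is served from a fresh domain.
    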

    Orca, Also known as Espressosaurus Wrex, Registered User regular
    Fitness and social media company Strava releases activity heat map. Excellent for locating military bases.



    I...just...words fail me.

    bowen, How you doin'?, Registered User regular
    My favorite thing about heatmaps usually is how South Korea lights up like a Christmas tree and North Korea doesn't

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
    Stormwatcher, Blegh Blugh, Registered User regular
    What are the best free and paid AV programs for Win10?
    And is it necessary to pay, or will I be ok with free?

    Every website has a different list of best Antivirus software, and I trust you guys more.

    Steam: Stormwatcher | PSN: Stormwatcher33 | Switch: 5961-4777-3491
    a5ehren, Atlanta, Registered User regular
    Windows Defender in Win10 is pretty good. I would not use any other free AV.

    If you're going to pay, I think the current preference is BitDefender for home users, but it's been a while since I looked.

    DisruptedCapitalist, I swear!, Registered User regular
    Seems to me that free is good enough (i.e. Windows Defender) so long as you're not planning on doing any risky activities. I hear Microsoft hasn't been so good at keeping it perfectly up to date, but that's good enough unless you need protection from zero-day exploits.

    Of course, I'm no security expert. Not by a long shot, but Defender hasn't let me down in the 6+ years I've been using it.

    "Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
    TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited January 2018
    The answers for which AV to use (if any) will vary widely, even here.

    My sincere recommendation is that, beyond any AV you do or do not use, please look into adblocking, scriptblocking, and potentially sandboxing. If nothing else, adblocking at the top of the list. I almost feel that these measures are even more important than AV these days.

    AV is still very useful, in my opinion, but experiences are going to have a wide range with different suites. I tend to prefer ESET (paid), but that's mostly because it fits in well with my personal preferences, and works well with my system.
