Posts Tagged ‘security’

Not the recommended way to secure your bicycle

January 16th, 2013

TP'd bike

Chains? U-locks? Bicycle frames with built-in locking mechanisms? Sure, you could use any of these methods in prevention of bicycle thievery. But one enterprising local has apparently discovered a new way to secure your bicycle: toilet paper.

If potential thieves can even spot your bike under the shroud of TP, will they be able to tear through it all before the cops arrive? Probably not — as anyone who’s ever suffered a TP attack can tell you, it takes a while to clean it all up.

Unfortunately, the TP method has several drawbacks:

  • Paper is not as sturdy as a U-lock
  • Metal locks don’t get soggy in the rain
  • Street-crapping crackheads might use your bicycle lock to wipe themselves

Unless a solution can be found to these issues, toilet paper cannot be recommended for bicycle security.

(Spotted at 16th and Albion.)

Graffiti mocks CCTV camera

November 23rd, 2010

This graffiti mural mocks the CCTV camera that looms over it. It’s sort of a middle finger to the powers that be, while simultaneously integrated with its surroundings. I find it amusing.




Spotted on Valencia between 14th and 15th.

Android: not the droids you were looking for

September 22nd, 2010

When Google first released Android, it was presented as a modern, open-source operating system for phones. It sounded great; all the hip buzzwords and you can write programs in Java? Who wouldn’t want this?

But Google’s strategy for selling the OS was… odd. The OS would be sold through a chain of resellers. And Google’s license agreement allows modifications to the OS at any point in the chain.

The reseller chain starts at the manufacturers, who build a phone and install Android. Now unlike PCs, phones are proprietary devices. Even though Android apps are portable between devices, the OS itself is not.

Every piece of hardware on every phone, from the motherboard to the graphics to the input device, varies greatly from one phone to the next. Google relies on the manufacturers’ ability to develop drivers and other custom software to fit their phone. Many of the handset manufacturers went a step further, changing the look-and-feel of Android entirely.

Next in the reseller chain is the phone companies. When a phone is sold through (for example) Verizon, they often “brand” the phone with a new name, a new look, and even more custom software.

This approach of allowing resellers to modify the OS before it reaches the user has a number of unintended consequences that damage the user experience.

What’s wrong with Google’s approach?


Many of the phone companies lock down the phone to prevent unauthorized applications. Users can still get apps from the Android Market, but these applications are limited to those approved by Google. If this sounds familiar, it’s because the App Store on the iPhone works exactly the same way.

For a lot of people, the idea of Android being “open” didn’t just mean that the source was available, it also meant you could install any software you wanted. But if the OS is locked down to outside applications, then it’s not open in this respect.

Even Windows Mobile allows users to install any applications they want… and Windows Mobile is closed-source!

This app lock-down is only possible because Android’s reseller license agreement doesn’t prohibit locking-down the phone. Google could have specifically forbid this practice in their license agreement, but chose not to.


Let’s say an Android system component was found to have a security vulnerability. Unlike Windows, iOS, Linux, or other systems, Android users can’t just download the patch directly from Google. Users have to wait for the patch go from Google, to the handset manufacturer, and then to the carrier, before it has any chance of reaching them.

With Android there’s always two steps between Google and the end-user, even for critical security patches. Google simply cannot update the end users’ devices since updates could break proprietary software and drivers installed further up the chain.

And it’s not just critical software patches. Even minor patches tend to take a long time to get to the user’s phone — if they ever make it!

In general, software vendors don’t like to issue patches because it means spending money. With Android, resellers have to integrate Google’s patch into their custom versions of Android, then perform QA to make sure it all still works. This is very expensive, and it means resellers will often hold out on even the most important security updates.

If the phone model didn’t sell well, it’s difficult for manufacturers to justify spending any money at all on testing. In this case, there’s a good chance the patch will never be available.

Who to Blame

Despite strong sales, it’s clear Android hasn’t lived up to its initial hype. But is this Google’s fault? Yes and no.

Android’s default setup is actually quite nice. The ill-fated Nexus One, designed and sold by Google, ships with a default Android OS. It’s open in the sense that users control which applications they can install. And Google releases patches for the device in a timely fashion.

All other Android phones are released by third parties, so they don’t get timely updates. And apps can be locked out of them entirely. Is this Google’s fault?

Like Microsoft, Google isn’t forcing the phone manufacturers to update their software. The core OS components and drivers require developer and QA resources to be upgraded.

But what about the other components? Say the SSL validation component, or the web browser, or the e-mail client? Google could use a software updater (similar to the Chrome updater on Windows) to keep these components up to date automatically, and out of the control of resellers.

Sure, the drivers may not be upgradeable. But the kernel is only one part of Android. The other pieces could be upgraded individually without breaking comparability with existing phones.

And what about the so-called “openness” of the phone? This is a contractual issue, as it comes down to what Google is willing to ask of their resellers. There’s no technical reason that Google can’t force the manufacturers and phone companies to allow any app on their phone.

However, at this point it seems the carriers especially are scared of openness. What if someone developed an app that allowed users to bypass paid features, like SMS or tethering? This impacts the bottom line of a phone company, so it’s a scary proposition — for them. For their users, it would be awesome.

If there’s one thing Apple showed the world, it’s that a handset manufacturer can stand up to a phone company — and win. Google has the opportunity to take Apple’s users-first approach a step further by demanding openness on all Android phones.


By compromising on their values, Google has allowed the promises of Android to be forgotten.

Google needs to step up and make sure all Android installations are secure. With updates in the hands of resellers, there is little they can do.

Furthermore, the closed nature of Apple’s iOS drove both users and developers to Android. But the locked-down Android they got in return was exactly what they had run away from.

Two steps to get Android back on track would be an auto update mechanism and a reseller license agreement to make the phone truly open.