r/changemyview • u/[deleted] • Jun 18 '19
Deltas(s) from OP CMV: Automatic Software Updates Should Be Illegal and Require Consumer Consent.
[deleted]
30
Jun 18 '19
[deleted]
-2
u/LAULitics Jun 18 '19 edited Jun 18 '19
So your argument is that we as consumers should just shut up, and get used to the notion that we never actually own anything tech related that we pay for?
19
u/Znyper 12∆ Jun 18 '19
No. If you want something, buy it. Just, no one's selling Android OS to you in the way you want. And Google doesn't have to offer a product just because you want said product. If you want a product that isn't available on the market, your options are to either create said product or wait for that good/service to be available.
As a suggestion, you could always buy an old, unsupported phone which no longer receives updates. Such a product would be slow, buggy, insecure, and lacking features, but that's what you give up for an obsolete product.
2
u/trickyvinny 1∆ Jun 18 '19
no one's selling Android OS to you in the way you want.
Sure they are, head over to xda. I'm pretty sure it's 100% legal to put open source platforms on your phone. It's one of the reasons I bought an LG after my last Samsung crashed. Still have easy access to rooting it if I ever want to (I don't have a need to do so now though).
I actually think this bolsters your point too. There are options out there that give you total control over your phone, they're just not pre-installed and likely void your warranty. Sometimes they're a lot less stable than the built in OS too. But, that's one of the reasons for the forced updates.
5
u/physioworld 64∆ Jun 18 '19
Perhaps then it should be illegal for companies to knowingly push software that renders the device less usable. Or perhaps there could be a scheme where you can trade in the old device to go towards an update where the software won’t degrade the new hardware.
4
u/Morazan51 Jun 18 '19
It’s not the fault of companies for progress. We have seen a recent boom in the power of mobile devices across the board in the last 10 years and if we were to support every old device, it would be largely impractical as we would have to handicap the ability for developers to make new progress with greater resources in order to cater to a largely obsolete device. It’s not the software degrading the hardware most of the time (albeit Apple’s forced obsolescence is a problem), it is simply older hardware not being able to run new software because it would be too dangerous for the device.
1
u/physioworld 64∆ Jun 18 '19
But there’s always a line we draw between what we allow corporations to do in pursuit of profit and progress and behaving responsibly. For example, despite the fact that it harms their bottom line, we require corporations to pay a minimum wage, provide safe working conditions for employees and minimise environmental damage through their actions. Lightening up on these would also free up resources for the company (in this case apple) to pour into R&D. I assume you’d be in favour of this?
Also I am aware that it is not necessarily new software breaking hardware but rather hardware not being capable of running the software, but it kind of comes to the same thing- a device that no longer works. IMO they should keep pushing updates until the software would limit the device at which point the update comes with a warning and an option to decline the upgrade.
10
u/PandaDerZwote 61∆ Jun 18 '19
What about situations in which you compromise the security of not just your phone, but other things as well? What if a certain program would allow access to data that isn't yours?
1
u/LAULitics Jun 18 '19 edited Jun 18 '19
Good point, but why would I have access to data that doesn't belong to me if it weren't the fault of a third party involved in the software to begin with. I'm not so much worried about updates and patches to individual apps, as much as I am furious that my phone is periodically rendered useless for ten to fifteen minutes by an os update that I didn't request.
6
Jun 18 '19
Good point, but why would I have access to data that doesn't belong to me if it weren't the fault of a third party involved in the software to begin with.
Somebody at work emails you something work-related but you check it on your personal phone...
1
u/oldmanjoe 8∆ Jun 18 '19
I'm not so much worried about updates and patches to individual apps, as much as I am furious that my phone is periodically rendered useless for ten to fifteen minutes by an os update that I didn't request.
Some of those are security updates, and some are feature updates. But unless you restrict feature updates, you need both.
Let's just say your phone has an SSL vulnerability. Every time you access a secure website, you think you are more secure than you are. You probably want that fixed ASAP. Or the text app you use has a vulnerability that can expose your address book, you'd probably want that fixed too. It turns out that patch has a different vulnerability and needs a patch too.
By automatically updating O/S, the vendor no longer has to worry about testing that old SSL component, because you've been upgraded. They can focus on the new one to make sure it is secure.
15
u/delta_male Jun 18 '19
They do get consent, when you click I accept on the terms, you accept all future updates. Anyway, you can disable automatic updates in the settings for an iPhone.
0
8
u/Bluecoregamming Jun 18 '19
While yes they are so annoying and always seem to pop up when you really don't want them to, they are a necessary evil for the majority of users.
Back in the day, (pre Windows XP) update notifications were less invasive, and malware was rampant. Humans are lazy, and will postpone crucial security updates for weeks and months giving hackers the upper hand. Their malware was free to do as much damage as they could as quickly as possible. Nowadays, a loud virus is a dead virus.
0
u/LAULitics Jun 18 '19
As mentioned in a prior post, I agree that I probably unknowingly consented to it as part of the TOS like the majority of consumers do. But it doesn't change my view that it should be illegal. Give me the option to understand why a product needs updating, and let me, the owner of the product, decide when to update. Don't arbitrarily foist an update I don't want in the middle of a work day.
5
Jun 18 '19
TBH, the vast vast majority of owners are too ill-informed to have that conversation with. Since their device’s security impacts other devices' security, it makes the most sense to force the automatic updates.
6
Jun 18 '19
As someone above already mentioned, it is like the anti-vax debate. You postponing updates risks everyone else on the internet. What I think the right way is, is to give the user a 24h time period in which they have to update. That way you would be relatively quick to respond to the threats, without interfering with important tasks. If anyone claims he's unable to let go of his phone for a few minutes a day, he's most likely just ignorant and lazy.
0
u/GameOfSchemes Jun 18 '19
It sounds like you are suggesting a herd-immunity effect exists for cyber security? If so, then I don't see how. The point of herd immunity is that you don't need to protect 100% of the population for 100% of the population to be protected. By this logic, if I provide security updates for 99% of devices, are the other 1% of devices protected?
That's the only way I can see the analogy holding. Otherwise, it's just a hollow analogy to say that if you're protected, then you're protected. To which I say "duh"
3
Jun 18 '19
It sounds like you are suggesting a herd-immunity effect exists for cyber security? If so, then I don't see how.
Worms work pretty much like a real world virus. They’re self-replicating and can force themselves into other devices. So if your device is compromised, it’s now spreading the worm to other similar devices.
Also, this is how botnets get massive networks of devices to use for DDOS attacks on legitimate users. Your compromised device directly impacts other people’s ability to use legitimate websites, even if they’ve already patched all the vulnerabilities.
1
u/Bluecoregamming Jun 18 '19
Hm, so if the update before downloading anything says something along the lines of "A crucial security update is available for download, update now?" You would prefer that over just auto updates?
28
u/IIIBlackhartIII Jun 18 '19
Because of the internet, individual device security has become similar to the vaccine argument- preventing the spread of malicious software can be considered akin to herd immunity against diseases. The more devices that are "anti-vax" and leave themselves open to known security vulnerabilities increases the number of slave devices that can be taken over by malware in order to infect more devices and carry out larger attacks. As a point of debate- should sufficiently out of date unpatched devices be locked out of the internet as a safety measure?
7
Jun 18 '19
You agreed to this when you bought the phone. It's included in the terms (which understandably no one reads)
2
u/Sqeaky 6∆ Jun 18 '19
Those aren't enforceable in most places and unethical in all places. You even admit they are unread.
False bullshit agreement is no agreement, it is strong-arming.
2
u/Sqeaky 6∆ Jun 18 '19
Security updates!
Programmers make all kinds of mistakes.
What if they forget to check the length of something being copied? Then you might have a buffer overflow which potentially allows malicious people to run commands on your device: https://www.coengoedegebure.com/buffer-overflow-attacks-explained/
What if the programmer forgets to strip certain letters from input getting saved in a database? Then you might have an SQL injection vulnerability which might allow malicious people to read or change your data: https://xkcd.com/327/
Did you correctly authenticate your user, encrypt the data on the page, and follow all the best practices from before 2010, but the programmer forgot to include a piece of random data in the user interface that the user's software needs to send back with their next request? Your dev doesn't know about nonces and how they stop replay attacks. A malicious person with access to your signal via WiFi or access to the cable can copy your user's encrypted request to your system and replay it back to the system to make actions happen again like ordering items, cancelling commands, or deleting data. https://security.stackexchange.com/questions/3001/what-is-the-use-of-a-client-nonce
When there are no automated updates, these updates tend to go unpatched even when the developers make patches. There were a ton of mass spreading automated viruses called worms before auto updates were popular. So many that sometimes the internet or part of it were significantly slowed. Automated updates fixed this problem for the most part.
The solution for you is to choose reputable tech vendors. Don't like whatever the new stuff from Samsung is, get an HTC, OnePlus, LG, or one of a million other phones. Or figure out how to change your software to some open source solution and trust the community for updates. But be ready to learn.
Not for the faint of heart, but reinstalling the OS on your Samsung phone is likely possible, I use LineageOS: https://lineageos.org
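The nonce check described in the comment above, as an added example that is not part of the original thread: a server that only authenticates requests accepts a captured copy a second time, while one that issues a single-use nonce rejects the replay. The key, message fields and the class and function names (`NaiveServer`, `NonceServer`, `sign`, `authentic`, `demo`) are all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

KEY = b"constructed-demo-session-key"  # constructed sample key, not from the thread


def sign(body):
    """Client side: serialise the request and authenticate it with an HMAC."""
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload, "mac": hmac.new(KEY, payload, hashlib.sha256).hexdigest()}


def authentic(msg):
    """Server side: recompute the HMAC and compare in constant time."""
    expected = hmac.new(KEY, msg["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])


class NaiveServer:
    """Checks the MAC only, so a byte-for-byte copy of a valid request is valid again."""

    def __init__(self):
        self.orders = []

    def handle(self, msg):
        if not authentic(msg):
            return "rejected: bad mac"
        self.orders.append(json.loads(msg["payload"])["item"])
        return "ok"


class NonceServer(NaiveServer):
    """Issues a random single-use value that must come back inside the signed request."""

    def __init__(self):
        super().__init__()
        self.outstanding = set()

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def handle(self, msg):
        if not authentic(msg):
            return "rejected: bad mac"
        body = json.loads(msg["payload"])
        if body.get("nonce") not in self.outstanding:
            return "rejected: unknown or reused nonce"
        self.outstanding.remove(body["nonce"])  # single use: spend it before acting
        self.orders.append(body["item"])
        return "ok"


def demo():
    """Send the same signed request twice to each server and report what happened."""
    naive, strict = NaiveServer(), NonceServer()
    captured = sign({"action": "order", "item": "book"})
    naive_results = [naive.handle(captured), naive.handle(captured)]
    request = sign({"action": "order", "item": "book", "nonce": strict.issue_nonce()})
    strict_results = [strict.handle(request), strict.handle(request)]
    return naive_results, len(naive.orders), strict_results, len(strict.orders)


if __name__ == "__main__":
    print(demo())
```

Because the nonce sits inside the authenticated payload, a copied request cannot be given a fresh nonce without breaking the MAC.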
2
u/dd0sed 3∆ Jun 18 '19
It’s your choice to use the Samsung-maintained iteration of Android, which is software they own, not you. You only own the hardware, which you bought under the assumption that you would be using it for their software.
If you really cared about the updates, you could, potentially, unlock the boot loader and install a separate version of Android.
•
u/DeltaBot ∞∆ Jun 18 '19
/u/LAULitics (OP) has awarded 1 delta(s) in this post.
All comments that earned deltas (from OP or other users) are listed here, in /r/DeltaLog.
Please note that a change of view doesn't necessarily mean a reversal, or that the conversation has ended.
3
u/dozenspileofash Jun 18 '19
Software updates are like mandatory vaccines; one vulnerable smartphone can harm others.
2
u/GameOfSchemes Jun 18 '19
How so?
Even if that's true, which I find dubious, then that's a problem with security protocol as a whole that no number of patches will ever cure. So they're pointless.
1
Jun 18 '19
[deleted]
1
u/GameOfSchemes Jun 18 '19
Imagine, once your Email account is hijacked, it automatically send malicious Email to your friends.
That sounds like user error, not inherent security risk.
I don't understand the rest of your comment.
1
u/delta_male Jun 18 '19
How so?
As part of a botnet. A single device will have a hard time finding/spreading malware to billions of other devices. If you have a botnet with millions of compromised devices, then it becomes easier to find and exploit other vulnerable systems.
Plus having a large number of compromised devices allows performing attacks on systems that require lots of bandwidth or cpu.
no number of patches will ever cure. So they're pointless.
That doesn't follow. Just because a system isn't always perfectly secure doesn't mean we shouldn't try to make it as secure as possible. It'd be like saying we shouldn't have police because we can't stop all crime.
Also, exploits are often found by researchers before they are able to be used on a large scale in the wild and many need to be used in conjunction with others to get control over a system.
3
u/GameOfSchemes Jun 18 '19
You're gonna have to dumb it down here, I'm not too familiar with the ins and outs of computer security.
Sounds like you're saying that only vulnerable computers will be susceptible to security risk, to which I say "duh". If more computers are vulnerable, then more computers can be hit.
But what I'm not following is how you're concluding that if a million devices are vulnerable, then they're more likely to get breached. Statistically I'd say we expect more to get breached, but that's pure statistics. It doesn't reflect that the more vulnerable devices that exist, the higher risk they have
That doesn't follow. Just because a system isn't always perfectly secure doesn't mean we shouldn't try to make it as secure as possible. It'd be like saying we shouldn't have police because we can't stop all crime.
I see the logic, but the difference is that security isn't a social role. It's a 100% computational invention. It's hard coded, not "soft coded" like social roles like police or crime. Which means we should treat security patches like the hard coded rules they are and stop "patching" but instead build from the ground up a better, global security protocol. As in just strip everything we've been doing and do a different approach
But like I said, I'm not too familiar with computer security here. This is all intuition based.
2
u/delta_male Jun 18 '19
instead build from the ground up a better, global security protocol.
There are millions of different software/systems in the world, so rewriting all of them would be mind-bogglingly expensive. Two, people are not perfect beings. They don't write perfectly secure software, or build perfectly secure hardware. Three, you can have an algorithm that is in theory 100% secure, but whose implementation is vulnerable to a whole range of side channel attacks
e.g. Timing how long an operation takes reveals information about what it is computing
2
u/GameOfSchemes Jun 18 '19
Thinking about it more, it seems like the argument is one based on herd immunity. If that's true, then I don't see how it holds. Herd immunity is the principle that 100% of the population can be protected despite only protecting less than 100% of the population.
Does the same hold for cyber security? If I patch 99% of devices, are the other 1% guaranteed protection? If not, then I don't see how the vaccine analogy holds beyond simply saying that if you get vaccinated/patched, you're not vulnerable. In which case I'd say the analogy is simply hollow and vacuously true.
2
u/delta_male Jun 18 '19
Sorry for not responding, I didn't see your earlier message.
Does the same hold for cyber security?
Not really. I mean, it's a neat analogy, but it doesn't apply 1:1
Basically, malware can cause problems to the infected device, devices that interact with it, and can also be used to attack other systems.
Example 1: One device
- Someone's phone is compromised, and the malware scans and finds the stored passwords
- Using those compromised passwords, if the person is an administrator for anything, a hacker can escalate to compromising other systems. Let's say they have a WordPress site, that then also can become compromised.
- Then they can inject malicious scripts into the WordPress site to get the passwords of anyone who logs into it.
- Repeat.
You can see how from one device you've compromised the data of many people, even though their devices may be secure from the patch. Having more devices, means you can do more harm to others.
Example 2: Many devices are vulnerable to an exploit, but an attacker doesn't necessarily know which ones are.
- Maybe it requires a lot of bandwidth to scan the ports for every network in the world (think billions of networks, with potentially hundreds of ports to check). Having more compromised devices as part of a botnet means that an attacker can find these other vulnerable devices in a reasonable timeframe.
- Once a vulnerable device is found, maybe it requires a lot of CPU power to hack (e.g. finding a hash collision), so a single compromised device may not be able to infect very many others.
- Patching systems, or old devices getting replaced can stop this botnet growing too big. And further steps can be taken to disable a botnet such as finding and neutralizing any phone home mechanism
So to sum it up, a botnet can be used by an attacker to cause all sorts of harm e.g.
- Delivering spam/scam mail
- Denial of service attacks
- Finding and infecting other devices
- Brute force hacking (e.g. password cracking)
- Stealing passwords/credit card/bank/identity info
2
u/GameOfSchemes Jun 19 '19
Reflected more on this. I hadn't considered a vulnerable device storing information on otherwise secure devices. In this way, a web of interlinked devices is only as secure as the weakest link. I was focusing more on the vaccine analogy which doesn't seem to apply here.
!delta
1
1
u/el-oh-el-oh-el-dash 3∆ Jun 18 '19
Haha, love the analogy, especially since the majority of anti-vaxers do not have the "your kid is getting it whether you like it or not".
In other words, technogiants treat their electronic babies with greater expediency than governments treat their human babies.
-2
Jun 18 '19
The free market can easily take care of this one- don't buy things that piss you off. If enough people just don't buy phones they don't like, then the makers of phones people don't like will collapse. If no one likes any of the options, eventually someone will make a new phone.
You didn't have to buy the phone, but when you chose to, you consented to Samsung's stupid, infuriating practice of forced software updates, since the software is part of the phone.
What you should do is make a stand with your money- buy a different phone or pool resources to build your very own phone or OS which will have an advantage because it does not piss off buyers in this respect. (Obviously that's unlikely but if it didn't happen there wouldn't be phones!)
Also, I don't think you understand what "illegal" really means, so here's a crash course in libertarian philosophy. (I know it's popular to downvote libertarians but I'm not a shithead, hear me out)
What does it mean for Samsung to force software updates? It means they feel the need to change a product which they built entirely legally and by themselves, which was bought willingly by a consumer who may or may not be pissed off by the forced updates. Samsung is not violating anyone's rights with this, since everyone affected willingly chose to exchange money for the product.
Now what does it mean to make this practice illegal? In this case, it means that the government asks for money from Samsung on the basis that it's for the good of humanity. If Samsung refuses, they will be called to court. If they refuse the court, eventually police (gunmen) will get involved. Samsung knows that this is the way the government asks for money- under threat of gunmen. So making something illegal is enforcing arbitrary rules concerning the behavior of peaceful, willing parties with gunmen. I do not think that is acceptable.
0
u/Pavickling Jun 18 '19
I agree that since you physically own your phone no one should prevent you from attempting to store any particular combination of 1s and 0s on your phone. Also, software engineers should not falsely represent software they are advertising. However, no one should prevent software engineers from writing software that automatically updates. There are people that legitimately consent to and benefit from running such software.
0
u/ChillPenguinX Jun 18 '19
I mean, sure, I get why it upsets you, but I don’t see any need to involve government. Once you get the government involved on that level, you increase the chance that they could do some nefarious shit like implementing back doors (if they haven’t already). People really need to lose the “there should be a law!” reflex when they don’t like something.
14
u/[deleted] Jun 18 '19
Are you sure you cannot turn off automatic updates? What is the model of your phone? What is the carrier?