1. Dunt Dunt Dunt's Avatar
    Sorry, yes you're right. In usa, data unlimited... but expensive. But I'm less worried about my phone than about the home setting. How will Krack affect the wifi on an Echo, for instance?

    No data compression on passport, true, but I mostly use a 9900.

    Signature: Still typing away on my Passport SE!
    Amazon has responded at least and says that they will be patching devices... at some point.

    9900 with BBOS... why worry about vulnerabilities then.
    10-18-17 09:53 AM
  2. A Noise Annoys's Avatar
    It's shameful how slow mobile devices are with critical updates like this. The whole distributed model of responsibility for security patching is a major vulnerability.

    In Linux, Mac OS and Windows, most issues are patched before they're widely known. With this bug, any reasonably intelligent person can research it, put together a hacking toolkit, and successfully exploit it for weeks before it will be addressed for the vast majority of users.

    Posted with my trusty Z10
    Agreed. Poor old Microsoft does get a bum-rap for these sorts of things but apparently they had this patched a couple of months ago. I did read why they didn't announce it, something about giving others the opportunity to use the patch themselves, or something. Didn't quite get their reasoning.

    Just checked my Alcatel Idol 4s w/W10 and Lumia 650DS and both were patched at the same time as my laptop, once again putting all the major mobile manufacturers to shame. What takes them so long?
    10-18-17 10:02 AM
  3. app_Developer's Avatar
    Agreed. Poor old Microsoft does get a bum-rap for these sorts of things but apparently they had this patched a couple of months ago. I did read why they didn't announce it, something about giving others the opportunity to use the patch themselves, or something. Didn't quite get their reasoning.
    There is always an embargo on announcing vulnerabilities like this so that all manufacturers have time to make their fixes. Otherwise bad guys get even more opportunity to exploit such things. Granted, they can do that now, but it would be even worse without the embargoes.

    Just checked my Alcatel Idol 4s w/W10 and Lumia 650DS and both were patched at the same time as my laptop, once again putting all the major mobile manufacturers to shame. What takes them so long?
    Yeah, Microsoft did a great job with this!

    Here is the entirety of the patch for OpenBSD. It's not a ton of code, but there is a lot of work in making sure the device continues to work well with all the thousands of different routers and configurations in the world. Standards and security are one thing, but users get upset if their phones don't work at the coffeeshop. So regression testing is a big deal here, and takes time.

    https://ftp.openbsd.org/pub/OpenBSD/...play.patch.sig
    A Noise Annoys likes this.
    10-18-17 10:18 AM
  4. A Noise Annoys's Avatar
    There is always an embargo on announcing vulnerabilities like this so that all manufacturers have time to make their fixes. Otherwise bad guys get even more opportunity to exploit such things. Granted, they can do that now, but it would be even worse without the embargoes.



    Yeah, Microsoft did a great job with this!

    Here is the entirety of the patch for OpenBSD. It's not a ton of code, but there is a lot of work in making sure the device continues to work well with all the thousands of different routers and configurations in the world. Standards and security are one thing, but users get upset if their phones don't work at the coffeeshop. So regression testing is a big deal here, and takes time.

    https://ftp.openbsd.org/pub/OpenBSD/...play.patch.sig
    Thanks for the explanation
    10-18-17 10:43 AM
  5. anon(10321802)'s Avatar
    Tech companies were made aware of KRACK back in July.

    By the time the public was made aware of it, Microsoft had already patched Windows - including Windows 10 Mobile.

    Apple's iOS patch is still in beta.

    Google says an Android patch will be issued "in the coming weeks".

    BlackBerry? Their Android patch is dependent on Google. This is a prime example of why transitioning to Android makes BlackBerry's claims of ultimate smartphone security and privacy a complete joke. And if they issue a patch for BB10, I will be extremely surprised. Don't expect anything for BBOS 7, either.

    When I learned about KRACK, it became painfully obvious to me that it is unacceptable to be using a phone that doesn't get regular security updates. By regular, I mean every 2-3 months at the very least. Preferably once a month.

    I've stopped using my Classic, which hasn't received an update in ages. I'm using my Moto E4, which at least has a patch date of May 2017, until I can get a phone that is guaranteed to receive monthly patches.

    Honestly, I'm very impressed with Microsoft right now. And Apple already having the patch in beta and having the ability to send out an update to all supported iOS devices without carrier interference makes it a strong second.

    The vast majority of Android phones being used around the world will never receive the KRACK fix.
    evodevo69 likes this.
    10-18-17 10:49 AM
  6. app_Developer's Avatar
    BlackBerry? Their Android patch is dependent on Google. This is a prime example of why transitioning to Android makes BlackBerry's claims of ultimate smartphone security and privacy a complete joke.
    I think a lot of BB's smartphone security reputation rests on BES/Good now. I don't actually believe that the hardening they do to Android kernels and bootloaders is very helpful for most users (even enterprise users.) There are much more serious security issues in smartphones to think about, like this example (KRACK) or data leakage, etc.

    Today if I were going to use a smartphone on WiFi, and I didn't have access to the developer builds of iOS, I'd want to be running Windows.

    When I learned about KRACK, it became painfully obvious to me that it is unacceptable to be using a phone that doesn't get regular security updates. By regular, I mean every 2-3 months at the very least. Preferably once a month.
    YES! Security is, always has been, and always will be, the Red Queen's race.
    Dunt Dunt Dunt likes this.
    10-18-17 11:33 AM
  7. conite's Avatar
    Google says an Android patch will be issued "in the coming weeks".

    BlackBerry? Their Android patch is dependent on Google. This is a prime example of why transitioning to Android makes BlackBerry's claims of ultimate smartphone security and privacy a complete joke.
    Google is responsible for patching AOSP, and the KRACK vulnerability is scheduled for the Nov patch level. BlackBerry works with all of the component vendors to complete the rest of the job.

    I don't think this brings the device security to the level of "joke". Google takes this very seriously and its reputation depends on it too.

    And patching is only one component of device security. BlackBerry has a good handle on the rest.
    10-18-17 11:48 AM
  8. Dunt Dunt Dunt's Avatar
    Tech companies were made aware of KRACK back in July.

    By the time the public was made aware of it, Microsoft had already patched Windows - including Windows 10 Mobile.

    Apple's iOS patch is still in beta.

    Google says an Android patch will be issued "in the coming weeks".

    BlackBerry? Their Android patch is dependent on Google. This is a prime example of why transitioning to Android makes BlackBerry's claims of ultimate smartphone security and privacy a complete joke.

    The vast majority of Android phones being used around the world will never receive the KRACK fix.
    If BlackBerry and TCL kept their partnership going.... for four or five years and a dozen devices, I doubt we'd see the kind of long term support that Apple currently offers. As it is too dependent on both Google and hardware suppliers - probably not good to use the low end stuff for long term support. Which is why they only offer two years of security patches. It very well might go longer, but it's kinda out of BlackBerry's hands.

    BlackBerry had no choice but to go Android.. That doesn't mean it offers the best long term security solution for users or to their target market... Enterprise.

    I think for Enterprise, Windows would have been a great solution... one they know. If they could have gotten more developer support and won over consumers. As I don't think any Enterprise only solution is going to be viable.
    10-18-17 11:56 AM
  9. Nguyen1's Avatar
    Agreed. Poor old Microsoft does get a bum-rap for these sorts of things but apparently they had this patched a couple of months ago. I did read why they didn't announce it, something about giving others the opportunity to use the patch themselves, or something. Didn't quite get their reasoning.

    Just checked my Alcatel Idol 4s w/W10 and Lumia 650DS and both were patched at the same time as my laptop, once again putting all the major mobile manufacturers to shame. What takes them so long?
    Wait, what? I have the idol 4s windows, as you know. Did windows put out a Krack patch for it? Did I miss it?

    Signature: Still typing away on my Passport SE!
    10-18-17 12:07 PM
  10. A Noise Annoys's Avatar
    Wait, what? I have the idol 4s windows, as you know. Did windows put out a Krack patch for it? Did I miss it?

    Signature: Still typing away on my Passport SE!
    You didn't miss it necessarily as Windows Phone has a tendency to update in the background while you're on, ironically, WiFi. When you first booted your device up it ran an update almost immediately, the patch was probably included in that. W10 devices that were already up and running got the patch a couple of months ago.

    When I say my Idol was updated the same time as my laptop, I mean it was updated with the same update release as my laptop.
    10-18-17 12:14 PM
  11. anon(10321802)'s Avatar
    Google is responsible for patching AOSP, and the KRACK vulnerability is scheduled for the Nov patch level. BlackBerry works with all of the component vendors to complete the rest of the job.

    I don't think this brings the device security to the level of "joke". Google takes this very seriously and its reputation depends on it too.

    And patching is only one component of device security. BlackBerry has a good handle on the rest.
    Apparently Google doesn't take this as seriously as Microsoft or Apple. They've all known about KRACK since July. Compared to how their competition has responded, Android security is, indeed, a joke. There are times - such as this - when waiting until the next monthly update isn't good enough. Microsoft and Apple have the ability to push ad-hoc updates whenever they want.

    BlackBerry couldn't issue an ad-hoc update to their Android devices even if they wanted to. They don't have complete control over the OS like Microsoft and Apple do. They have ceded that power to Google and component vendors. Witness the result.

    Ironically, they do still have complete control over BB10, but do you think they even have enough resources still devoted to it to develop, test, and release another major OS update, let alone a patch?

    I really want to use a BlackBerry. I love their physical keyboards - always have, always will. For crying out loud, I started using a Classic a few weeks ago after using an iPhone for 6 months because I couldn't stay away from that keyboard and trackpad. But I've been slapped upside the head with reality (again) with this KRACK news. It made me realize that I really do care about security - of which regular and timely OS updates and patches are an integral part.

    Yes, OS updates and patches are only one component of device security, but we should not - indeed, we must not compromise in ANY of those areas. That's like locking the front door of your home and leaving the window wide open.
    10-18-17 12:31 PM
  12. conite's Avatar
    Apparently Google doesn't take this as seriously as Microsoft or Apple. They've all known about KRACK since July. Compared to how their competition has responded, Android security is, indeed, a joke. There are times - such as this - when waiting until the next monthly update isn't good enough. Microsoft and Apple have the ability to push ad-hoc updates whenever they want.

    BlackBerry couldn't issue an ad-hoc update to their Android devices even if they wanted to. They don't have complete control over the OS like Microsoft and Apple do. They have ceded that power to Google and component vendors. Witness the result.

    Ironically, they do still have complete control over BB10, but do you think they even have enough resources still devoted to it to develop, test, and release another major OS update, let alone a patch?

    I really want to use a BlackBerry. I love their physical keyboards - always have, always will. For crying out loud, I started using a Classic a few weeks ago after using an iPhone for 6 months because I couldn't stay away from that keyboard and trackpad. But I've been slapped upside the head with reality (again) with this KRACK news. It made me realize that I really do care about security - of which regular and timely OS updates and patches are an integral part.

    Yes, OS updates and patches are only one component of device security, but we should not - indeed, we must not compromise in ANY of those areas. That's like locking the front door of your home and leaving the window wide open.
    Ok. Then using your criteria, Apple is your only choice into the known future.

    I myself feel very secure with Pixel / BlackBerry Android and their rapid-enough patch release schedule.

    I can mitigate minor bumps like this one by using mobile data or my paid VPN service.

    You still can't patch stupid.
    10-18-17 12:35 PM
  13. anon(10321802)'s Avatar
    If BlackBerry and TCL kept their partnership going.... for four or five years and a dozen devices, I doubt we'd see the kind of long term support that Apple currently offers. As it is too dependent on both Google and hardware suppliers - probably not good to use the low end stuff for long term support. Which is why they only offer two years of security patches. It very well might go longer, but it's kinda out of BlackBerry's hands.

    BlackBerry had no choice but to go Android.. That doesn't mean it offers the best long term security solution for users or to their target market... Enterprise.

    I think for Enterprise, Windows would have been a great solution... one they know. If they could have gotten more developer support and won over consumers. As I don't think any Enterprise only solution is going to be viable.
    Yeah, I don't expect BlackBerry TCL to support their devices as long as Apple does. Google doesn't even do that with their own Pixel line - they guarantee 2 years of major OS updates and 1 year of security patches beyond that. Apple's iPhone 5S - released 4 years ago - just got the update to iOS 11 and will be supported for at least another year. That will extend its supported life to at least 5 years. That's unheard of for any other smartphone.

    The demise of Windows Mobile is unfortunate. So many bad decisions and blunders by Microsoft. Very similar to BlackBerry and BB10. I had high hopes for Continuum on Windows 10 Mobile - for ages I have wanted a smartphone-like device that I can also dock with tablet, laptop, or desktop hardware to drive experiences on each platform.

    I feel like a smartphone refugee. No place to call home.
    Dunt Dunt Dunt likes this.
    10-18-17 12:41 PM
  14. anon(10321802)'s Avatar
    Ok. Then using your criteria, Apple is your only choice into the known future.

    I myself feel very secure with Pixel / BlackBerry Android and their rapid-enough patch release schedule.

    I can mitigate minor bumps like this one by using mobile data or my paid VPN service.
    I'm glad you feel secure enough with Android. A lot can happen in 3 weeks.

    I'm not thrilled with Apple, either, as their patch is still in beta. But at least it will come out sooner than Android's.

    I fully admit the likelihood of the average smartphone user being compromised through KRACK is probably small (I hope). There have been no known instances of compromise through this vulnerability in the wild...at least, that we have been told.

    But I keep going back to the fact that tech companies have known about KRACK since July, and that only one of them (Microsoft) seems to have taken it seriously enough to patch it before it was made public.

    I mean, couldn't Google have included a patch in their October security update if they really wanted to? Surely they have the manpower and resources to make that happen - they're Google.

    You still can't patch stupid.
    Not sure what you're referring to, here. Are you implying that Apple products are stupid? Or products other than those you prefer?
    10-18-17 12:53 PM
  15. conite's Avatar
    Not sure what you're referring to, here. Are you implying that Apple products are stupid? Or products other than those you prefer?
    I mean the user is the main source of security vulnerabilities.
    10-18-17 12:55 PM
  16. anon(10321802)'s Avatar
    I mean the user is the main source of security vulnerabilities.
    Agreed on that point.
    10-18-17 01:03 PM
  17. A Noise Annoys's Avatar
    Has anyone yet confirmed that there is a KRACK vulnerability in BB10 yet? I can't find any reference to it but just to make sure I've switched my WiFi off and am running on carrier network only.
    10-18-17 01:04 PM
  18. Nguyen1's Avatar
    You didn't miss it necessarily as Windows Phone has a tendency to update in the background while you're on, ironically, WiFi. When you first booted your device up it ran an update almost immediately, the patch was probably included in that. W10 devices that were already up and running got the patch a couple of months ago.

    When I say my Idol was updated the same time as my laptop, I mean it was updated with the same update release as my laptop.
    Oh I see. In that case, I should feel confident using my idol with continuum then yes?

    It's funny, but I used to think of microsoft as an evil empire and Apple as the innovator. How things change.

    I have little interest in the droidberry phones, sadly. I pay attention but I am unlikely to ever buy one. I suspect that windows phone, what remains of it, is more secure than android phones on average.

    Signature: Still typing away on my Passport SE!
    10-18-17 01:04 PM
  19. Nguyen1's Avatar

    The demise of Windows Mobile is unfortunate. So many bad decisions and blunders by Microsoft. Very similar to BlackBerry and BB10. I had high hopes for Continuum on Windows 10 Mobile - for ages I have wanted a smartphone-like device that I can also dock with tablet, laptop, or desktop hardware to drive experiences on each platform.

    I feel like a smartphone refugee. No place to call home.
    Continuum works! It is great, I can do word documents then pickup from the desktop setting and continue on the go until I return. The browser is as fast as my usual desktop, maybe better because there seem to be less ads for some reason. Sadly, there are few continuum apps, but the microsoft office ones work just fine. Too bad the OS is in maintenance mode now.


    Signature: Still typing away on my Passport SE!
    anon(10321802) likes this.
    10-18-17 01:14 PM
  20. Dunt Dunt Dunt's Avatar
    Has anyone yet confirmed that there is a KRACK vulnerability in BB10 yet? I can't find any reference to it but just to make sure I've switched my WiFi off and am running on carrier network only.
    Confirmation would really need to come from BlackBerry....

    Probably waiting until Google has released a fix. And hoping no one asks them about BBOS or BB10, as I doubt they want to address either of these defunct OS.
    10-18-17 01:36 PM
  21. Invictus0's Avatar
    Oh I see. In that case, I should feel confident using my idol with continuum then yes?

    It's funny, but I used to think of microsoft as an evil empire and Apple as the innovator. How things change.

    I have little interest in the droidberry phones, sadly. I pay attention but I am unlikely to ever buy one. I suspect that windows phone, what remains of it, is more secure than android phones on average.

    Signature: Still typing away on my Passport SE!
    If Windows Mobile works good for you as is and all you're really looking for is security patches and fixes then you might as well continue using it. Assuming you're on the latest OS, Microsoft will continue supporting it until sometime in 2019,

    Windows 10 Mobile (version 1703) mainstream support ends in June 2019
    10-18-17 01:55 PM
  22. Invictus0's Avatar
    I've stopped using my Classic, which hasn't received an update in ages. I'm using my Moto E4, which at least has a patch date of May 2017, until I can get a phone that is guaranteed to receive monthly patches.
    What version of BB10 is your Classic on? Depending on the version and the exploits you're worried about, your Classic might actually be more secure than a recently patched version of Android.

    A good example is BlueBorne which doesn't impact BB10 but does impact any Android device not running on at least the September 2017 patch,

    BlackBerry response to impact of the vulnerabilities known as BlueBorne on BlackBerry products
    10-18-17 02:06 PM
  23. anon(10321802)'s Avatar
    What version of BB10 is your Classic on? Depending on the version and the exploits you're worried about, your Classic might actually be more secure than a recently patched version of Android.

    A good example is BlueBorne which doesn't impact BB10 but does impact any Android device not running on at least the September 2017 patch,

    BlackBerry response to impact of the vulnerabilities known as BlueBorne on BlackBerry products
    My Classic is running 10.3.3. But that's beside the point for me, really. If it isn't receiving regular (as in every 2-3 weeks at the very least) OS updates for bug fixes, security patches, etc. then it's really not as secure as it could be.

    Some would argue that BB10 devices are not a high-visibility or enticing target, being an unpopular platform with such a small remaining userbase. But I'm not willing to take the risk anymore. Not with all the security breach craziness only getting crazier. I love the keyboard, but I don't love it enough to risk my personal data being compromised if I can help it.
    10-18-17 02:25 PM
  24. Richard Buckley's Avatar
    My Classic is running 10.3.3. But that's beside the point for me, really. If it isn't receiving regular (as in every 2-3 weeks at the very least) OS updates for bug fixes, security patches, etc. then it's really not as secure as it could be.

    Some would argue that BB10 devices are not a high-visibility or enticing target, being an unpopular platform with such a small remaining userbase. But I'm not willing to take the risk anymore. Not with all the security breach craziness only getting crazier. I love the keyboard, but I don't love it enough to risk my personal data being compromised if I can help it.
    Only you can assess your security needs. But before you do you should think about what you are using to make that decision and how reliable those metrics are. I will address one that keeps coming up, but no one gives it critical thought.

    Frequent patches are necessary for security. Do you remember where that came from? Mainly Microsoft who after claiming that XP was the most secure couldn't keep up with the vulnerabilities in the system without going to a regular patch schedule. Others climbed on and now it is accepted without, it seems, any critical thought. To keep it short we have traded good software development practice for feature and bug rich code with rapid patching that one previous poster aptly called the red queen's race. We have been swindled. I have been developing high security, mission critical, security software since 1985. I have never been involved in a rapid patching cycle because we have very few bugs and almost all of them are mitigated by the depth of the security and defensive nature of the code. My employer values correct, secure and durable over frivolous features.

    I had a chance to review the Wi-Fi protocol documents, some of the patches and how some devices managed to stay invulnerable because they were not implemented according to the specifications. Anyone coding the software who had knowledge of how cryptography works, and why would you not have someone like that coding this software, would have known that the specifications would result in a loss of cryptographic protection. I can say quite confidently that I would not have coded it per the specifications, but very much like what the patched code is like. I can say that because an equally bad cryptographic specification came across my desk not long ago and I refused to code it as written.

    I don't know what happened in the QNX Wi-Fi driver, we will have to see. But I wouldn't be surprised if it was written in a safe way rather than as specified. As we know both patched, broken per the spec and broken in novel ways are all interoperable.

    Unlike you I am not concerned by infrequent patches in the absence of evidence of the requirement. What does concern me is a monthly patch cycle that never makes any progress. But as I said, only you can decide what is safe enough for you.

    LeapSTR100-2/10.3.3.2205
    Invictus0 and aiharkness like this.
    10-18-17 04:10 PM
  25. Invictus0's Avatar
    My Classic is running 10.3.3. But that's beside the point for me, really. If it isn't receiving regular (as in every 2-3 weeks at the very least) OS updates for bug fixes, security patches, etc. then it's really not as secure as it could be.

    Some would argue that BB10 devices are not a high-visibility or enticing target, being an unpopular platform with such a small remaining userbase. But I'm not willing to take the risk anymore. Not with all the security breach craziness only getting crazier. I love the keyboard, but I don't love it enough to risk my personal data being compromised if I can help it.
    That's not necessarily true, vulnerabilities are found in small platforms all the time. There were reported vulnerabilities in Windows Phone and Tizen this year for example. A good patching schedule certainly helps but it's not the greatest indicator for how secure an OS is. Windows Phone and Android both receive monthly patches yet I think many would argue the former is more secure.

    At this point your best bet for a secure platform that's actively supported is iOS.
    10-18-17 04:13 PM