Kaspersky Labs reports:
A security researcher has tossed a giant bucket of ice water on Samsung's thumbs-up from the NSA approving use of certain Galaxy devices within [...] the agency.
The NSA's blessing, given under the agency's Commercial Solutions for Classified program, meant that the Samsung Galaxy 4, 5 and Galaxy Note 3 and Note 10.1 2014 Edition cleared a number of security stipulations and could be used to protect classified data.
The agency's approval was also seen as a solid endorsement for Samsung's Knox technology, which provides for separate partitions, or containers, on the Android devices in order to keep personal and business data from co-mingling. The containers have their own encrypted file systems as well, keeping secured apps separate from applications outside the container.
An unnamed researcher, however, on [October 23] published a lengthy report that claims a PIN chosen by the user during setup of the Knox App is stored in clear text on the device. Specifically, a pin.xml file stored in the ContainerApp stored on the device during setup contains the unencrypted PIN number.
(Score: 3, Funny) by cyrano on Sunday October 26 2014, @05:31PM
We already knew the NSA is composed of criminals, now we know they are incompetent criminals.
The quieter you become, the more you are able to hear. - Kali [kali.org]
(Score: 2) by hemocyanin on Sunday October 26 2014, @05:33PM
No, easy break-in is required to get NSA approval for consumer devices. The NSA probably has their own secure version and this approval is just a way to trick non-NSA users into using compromised equipment.
(Score: 0) by Anonymous Coward on Monday October 27 2014, @02:36AM
I don't know why it seems that the NSA seems to be considered to be so much more competent than other government agencies. The CIA, the FBI, and the DOD have all had their share of screw-ups over the years, and I doubt that the NSA is any exception. They're populated with the same proportion of bumbling idiots as the rest of the United States Government, and probably they make many fuck-ups like this, they just aren't so publicised.
(Score: -1, Flamebait) by Anonymous Coward on Sunday October 26 2014, @05:54PM
Let's suppose that there's a computer that you have to use. You want to know if it's safe to use. Luckily there's a simple test you can perform to check if it's safe.
Here is the test:
Step 1) See if it's running OpenBSD.
That's it! That's the entire test! If OpenBSD is being used, then it's probably a safe device. If OpenBSD is not being used, then you should probably be careful!
(Score: 2) by wonkey_monkey on Sunday October 26 2014, @06:35PM
Someone needs to learn the critical difference between "safe" and "safer."
Also you forgot Steps 2 and onwards, all of which involve auditing said installation of OpenBSD to see what else has been done to it before it got to you.
If OpenBSD is not being used, then you should probably be careful!
But if OpenBSD is being used, you can be careless? Brilliant.
systemd is Roko's Basilisk
(Score: 2) by nyder on Sunday October 26 2014, @06:03PM
What the NSA approves, you don't use.
(Score: 2) by mendax on Monday October 27 2014, @04:35AM
Then we're doomed given the widespread use of DES and AES, both encryption schemes approved by that particular criminal organization.
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 2) by jbernardo on Monday October 27 2014, @05:53AM
Well, Google has gone full speed with SELinux in Android, so I guess you won't be using any smartphone from now on.
(Score: 1) by rogueippacket on Sunday October 26 2014, @06:31PM
In contrast, Apple has been forcing full-device encryption for several years now. Every iOS MDM Policy begins with a User Passcode combined with a device wipe policy after a certain number of attempts (to prevent brute force) - which doesn't actually wipe the device at all, it just deletes the user's key, rendering all data on the device unreadable.
It's a little bit sad that Samsung hasn't caught up yet. Android may have large market share, but iOS is very quickly becoming the mobile platform of choice for business.
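The wipe-by-key-deletion scheme described in the post above, as an added example that is not part of the original thread and not Apple's or Samsung's code: user data is encrypted under a random data encryption key (DEK), the DEK is wrapped by a key derived from the passcode, and a "wipe" destroys only the wrapped DEK, leaving the data blobs in place but unrecoverable. The HMAC keystream and XOR key wrap are stand-ins for a real AES implementation, the passcode, file contents and attempt limit are constructed values, and PBKDF2 stands in for whatever key derivation a real device uses.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this illustration only.
PBKDF2_ITERATIONS = 50_000      # lower than production so the demo runs quickly
MAX_FAILED_ATTEMPTS = 10


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (illustration only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class EncryptedDevice:
    """Data is encrypted under a random DEK; the DEK is stored only in wrapped
    form under a passcode-derived key (KEK). Wiping deletes the wrapped DEK."""

    def __init__(self, passcode: str):
        self.salt = os.urandom(16)
        self.dek: Optional[bytes] = os.urandom(32)      # lives in RAM while unlocked
        self.wrapped_dek: Optional[bytes] = _xor(self.dek, self._kek(passcode))
        # Verifier lets unlock() tell a correct unwrap from a wrong one.
        self.verifier = hmac.new(self.dek, b"verifier", hashlib.sha256).digest()
        self.failed_attempts = 0
        self.storage: dict[str, bytes] = {}             # name -> nonce || ciphertext

    def _kek(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt,
                                   PBKDF2_ITERATIONS, 32)

    def write(self, name: str, plaintext: bytes) -> None:
        if self.dek is None:
            raise RuntimeError("device is locked")
        nonce = os.urandom(16)
        ct = _xor(plaintext, _keystream(self.dek + nonce, len(plaintext)))
        self.storage[name] = nonce + ct

    def lock(self) -> None:
        self.dek = None                                 # only the wrapped copy remains

    def unlock(self, passcode: str) -> bool:
        if self.wrapped_dek is None:
            return False                                # wiped: nothing left to unwrap
        candidate = _xor(self.wrapped_dek, self._kek(passcode))
        tag = hmac.new(candidate, b"verifier", hashlib.sha256).digest()
        if hmac.compare_digest(tag, self.verifier):
            self.dek = candidate
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.wipe()
        return False

    def wipe(self) -> None:
        # Cryptographic erase: the ciphertext blobs are untouched, but without
        # the wrapped DEK no passcode, right or wrong, can ever unwrap them.
        self.wrapped_dek = None
        self.dek = None

    def read(self, name: str) -> Optional[bytes]:
        if self.dek is None:
            return None
        blob = self.storage[name]
        nonce, ct = blob[:16], blob[16:]
        return _xor(ct, _keystream(self.dek + nonce, len(ct)))


def demo() -> dict:
    """Walk through lock, correct unlock, lockout wipe, and post-wipe unlock."""
    dev = EncryptedDevice("2580")                       # constructed passcode
    dev.write("notes.txt", b"quarterly numbers")       # constructed content
    dev.lock()
    result = {"locked_read": dev.read("notes.txt")}
    result["right_code"] = dev.unlock("2580")
    result["read_after_unlock"] = dev.read("notes.txt")
    dev.lock()
    for _ in range(MAX_FAILED_ATTEMPTS):
        dev.unlock("0000")
    result["wiped"] = dev.wrapped_dek is None
    result["blob_still_there"] = "notes.txt" in dev.storage
    result["right_code_after_wipe"] = dev.unlock("2580")
    return result


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is that the wipe is constant-time and touches no user data. The caveat a reviewer would add is that `failed_attempts` only means something if it lives somewhere the unlock code path cannot bypass (on real hardware, a secure element or enclave); a counter kept in ordinary storage, as here, is a demonstration of the policy, not an enforcement of it.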
(Score: 2) by Nerdfest on Sunday October 26 2014, @09:24PM
Android has the same thing, and I believe had it first. What they're talking about here is different. This relates to BYOD capability where your work and personal information are stored in different containers that are kept separate. This software specifically is limited to Samsung devices. I have to say that Samsung screwing up security, or most other things software related does not surprise me in the least. Doing security right is hard, but that's an amateur level mistake if this is true.
(Score: 2) by frojack on Sunday October 26 2014, @08:08PM
First it says:
The containers have their own encrypted file systems as well,
Then it says
Knox App is stored in clear text on the device. Specifically, a pin.xml file stored in the ContainerApp
So, an unencrypted key, stored on an encrypted container is still not cleartext in my book.
Further, Samsung rebuts each point in the big scoop. [samsungknox.com]
(Not posted on purpose I suspect.)
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Sunday October 26 2014, @08:21PM
I usually just ignore submissions from Greg. They're usually rather idiotic submissions, like Hugh Pickens', but they're also usually much stupider and poorly-written than Hugh's.
(I don't care if he spells his name "Gewg". It should be spelled "Greg", so that's how I'll spell it.)
(Score: 2) by frojack on Sunday October 26 2014, @08:46PM
I usually just ignore submissions from Greg. They're usually rather idiotic submissions, like Hugh Pickens', but they're also usually much stupider and poorly-written than Hugh's.
Hugh, and his many alter-egos, at least researches the stories a little bit better, and he bothers to include useful links. I don't always find the subject of the posts to be of high interest to me personally, but at least they are well done, and not always direct copies of his posts on slashdot.
No, you are mistaken. I've always had this sig.
(Score: 1, Insightful) by Anonymous Coward on Monday October 27 2014, @12:32AM
(Not posted on purpose I suspect.)
You're reading more into it than is there.
Hugh, and his many alter-egos, at least researches the stories a little bit better
Yeah. Guilty.
It was late here and I was in a hurry to get some items into the queue before the count dropped below 2.
My haste had a negative effect on the quality.
I'll try to do better.
-- gewg_
(Score: 0) by Anonymous Coward on Sunday October 26 2014, @08:58PM
SeaWee, Can you Wecommend a Westurwant?
(Score: -1, Troll) by Anonymous Coward on Monday October 27 2014, @12:45AM
It should be spelled "Greg"
Explain why that is, child.
Do you think I can't spell a name I've had since before you were born?
-- gewg_
(Score: 0) by Anonymous Coward on Monday October 27 2014, @03:00AM
I don't know why you can't spell your name properly, Greg. To be honest, I really don't care why, either.
(Score: 2) by FakeBeldin on Monday October 27 2014, @08:42AM
The rebuttal has been rebutted again (update to The Fine Article).
In a nutshell: "I bought this device (S4) commercially, set up the security and then was able to find this. How should I have spent my money to get security, Samsung?"
Some points of interest from The Fine Article:
What is the purpose of the pin in Knox anyway? [...] you have to provide your password to get access to [...] Knox. But there is a small button [...] called "Password forgotten?". By tapping it, you have to provide your pin. If the PIN is correct the Knox app will show you a little password hint...
So having the pin is not the same as being able to access Knox. (first+last chars are revealed, + passwd length).
The main problem found is how the password is encrypted. Based on analysis of the decompiled source, the fine article claims that the password is stored encrypted with a given encryption function ('mealy') using as key the Android Device ID and a fixed string.
That'd be less than optimal.
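The weak pattern FakeBeldin summarises, a secret "encrypted" under a key built only from the Android Device ID and a fixed string, placed beside the hardened alternative, as an added example that is not part of the thread and not Samsung's code or the article's decompiled source. The device ID, the fixed string and the PIN are constructed values; the SHA-256/XOR step is a stand-in for the unknown 'mealy' function, chosen only to show the property that matters: everything needed to undo the weak scheme is already on the device, so the stored blob is equivalent to cleartext. The hardened version stores no recoverable copy of the PIN at all, only a salted PBKDF2 hash used for verification.

```python
import hashlib
import hmac
import os

# Constructed stand-ins; nothing here is a real Knox file format, key or identifier.
DEVICE_ID = "9774d56d682e549c"       # made-up value in the shape of an Android ID
FIXED_STRING = b"example-constant"   # stand-in for a hard-coded string in the app
PBKDF2_ITERATIONS = 200_000


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def weak_store(pin: str, device_id: str) -> bytes:
    """Weak pattern: key material comes only from values present on the device."""
    key = hashlib.sha256(device_id.encode() + FIXED_STRING).digest()
    return _xor(pin.encode(), key)           # stand-in cipher, not Samsung's


def weak_recover(blob: bytes, device_id: str) -> str:
    """Self-check on the weak pattern: recovery needs nothing the user knows,
    only the blob and the device ID, which is why it is as good as cleartext."""
    key = hashlib.sha256(device_id.encode() + FIXED_STRING).digest()
    return _xor(blob, key).decode()


def strong_store(pin: str) -> dict:
    """Hardened pattern: keep a salted, slow hash and never the PIN itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, 32)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def strong_verify(record: dict, pin: str) -> bool:
    """Check a PIN against the stored record in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(),
                                    record["salt"], record["iterations"], 32)
    return hmac.compare_digest(candidate, record["digest"])


def compare() -> dict:
    """Show both schemes side by side on a constructed PIN."""
    pin = "4831"                                      # constructed
    blob = weak_store(pin, DEVICE_ID)
    record = strong_store(pin)
    return {
        "weak_recovered_without_user_secret": weak_recover(blob, DEVICE_ID),
        "strong_record_holds_pin": pin.encode() in record["digest"],
        "strong_verify_correct": strong_verify(record, pin),
        "strong_verify_wrong": strong_verify(record, "0000"),
    }


if __name__ == "__main__":
    print(compare())
```

A design observation follows from this: the "Password forgotten?" flow in the article can only reveal the first and last characters of the real password if the password is stored somewhere in a recoverable form. With the hardened record above there is nothing to reveal, so a hint feature has to be a separate, user-entered string rather than something derived from the secret, which is the trade-off the thread is really describing.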