Google's "solution" can't do anything for bootlooping devices:
It's the start of November, and that means a new Android security patch. Google claims this one is fixing a high-profile Android 14 storage bug that was locking some people out of their devices. The November Security Bulletin contains the usual pile of security fixes, while consumer-oriented Pixel patch notes list a few user-facing changes. The important line is "Fix for issue occasionally causing devices with multiple users enabled to show out of space or be in a reboot loop." A footnote points out that this is for the "Pixel 6, Pixel 6a, 6 Pro, 7, 7 Pro, 7a, Tablet, Fold, Pixel 8, Pixel 8 Pro."
We're on about day 33 of the Android 14 storage bug. For devices with multiple users set up, there is some kind of storage issue that is locking users out of their device. Some are completely unusable, with the phone bootlooping constantly and never reaching the home screen. Others are able to boot up the device but don't have access to local storage, which causes a huge amount of issues. Some users likened the bug to "ransomware," a type of malware that encrypts your local storage and then demands money for your data. One fix is to completely erase your device with a factory reset, but a lot of users don't want to do that.
The earliest reports of this started just days after the October 4 launch date. Google usually rolls updates out slowly so it can pull them if issues like this pop up to minimize damage. That didn't happen here, though. Google failed to respond quickly to initial reports and just let the bug roll out to everyone. Some people even report being freshly hit with the bug just four days ago because Google 1) let the update roll out without stopping it and 2) can't patch its software quickly enough. The biggest issue tracker thread on this bug is up to 1,000-plus likes and 850 comments of people locked out of their devices, and it took two separate rounds of news coverage for Google to acknowledge the bug after about 20 days.
[...] This whole fiasco has been a complete failure of most of the controls and protections Google has in place in Android. The company slowly rolls out updates to stop problems before they hit a wide number of users, but it failed to pull the update when problems arose. Android has dual system partitions so that you always have a backup if the device fails to boot after an update, but that system didn't work here because Google's "boot failure" detection isn't accurate enough. The company shipped a quick-fix patch via Google Play System Updates in the Play Store, but because those passively wait around for a reboot to get applied, users still got hit by the bug days after that patch came out. Android is supposed to have a data backup system for apps, but because that doesn't work well and isn't forced on every app, many users have no backups at all.
We get sold technical explainers for all these features, but when they were really needed, none of these poorly thought-out, half-baked systems worked. This disaster is a complete technical failure of several Android systems, and many changes need to happen.
(Score: 4, Insightful) by pTamok on Saturday November 11 2023, @07:56AM (7 children)
What this underlines is: YOU DO NOT CONTROL 'YOUR' PHONE.
In a sensible world, you would have the encryption keys, and you would have the means to back up your phone.
You would be able to:
1) Connect the phone to your PC via its USB port.
2) Make a copy of all the data. Worst case, by a block-by-block transfer of the phone's storage device, but better if you can mount the filesystem and transfer the files.
The phones are not set up to trust the end consumer who paid for them. The opposite is true. Now there are reasons for this. Banks like to have some assurance that nefarious software isn't grabbing your banking app(lication)'s login details, media owners like to make sure you are not making unauthorised copies of content they are the copyright holders of. In both cases, they trust Google/Alphabet more than the end-user. So Google/Alphabet retains control of the phone. They have the keys.
It has been like this for a long time. You never controlled your SIM card (when phones had them: many are now virtual SIM cards 'for customer convenience'), and several applications relied on assured software running in the SIM for authentication.
Google/Alphabet is not your friend.
(Score: 4, Insightful) by Rosco P. Coltrane on Saturday November 11 2023, @09:03AM (3 children)
Agreed.
This is the Android security model: the OS distributor trusts itself but not the user.
As a computer-savvy user, I've been livid about this ever since Android came out. It's *MY* phone, *I* paid for it but Google - or whoever pushes the updates - controls it. This is preposterous!
Having said that though, I'll play devil's advocate: the key thing is what I've just said: I'm a computer-savvy user. Most people are dumb as bricks with computers and tend to keep ultra-sensitive data on their phones all the time. If you gave them full control, the whole cellphone ecosystem would rapidly turn into a complete security shitshow.
Google thinks it makes more sensible security decisions than the overwhelming majority of cellphone users, and much as I hate Google, they're right. So they yank control of their devices from users and it's sadly the right thing to do, because people have neither the desire nor the time to educate themselves on healthy computing hygiene: they just want Stuff that Works[tm].
And of course, that's why sensitive industries accept to make sensitive apps for the Android platform, like banking apps: they too rightfully trust Google more than they trust cellphone users. And that's also why, if you have a rooted phone, you have to play a game of cat and mouse with said banking apps to get them to work. Because the last thing banks want is their apps running on a device that isn't secured by Google.
The problem of course is that Google, besides being a technically-responsible company, is also a privacy nightmare. Combining a company that's hungry for your most sensitive data with complete control of most of the world's devices where people put their most sensitive data is a recipe for societal disaster.
But... there ya go. You and I computer-savvy, responsible users are forced to wrestle control of our devices from fucking Google and hide what we're doing from banks. In a sensible world, everybody would have a basic computer education before being allowed near one, and the computers would give them full control, as they should. That's not how the world turns, sadly.
Irresponsible computer users are the reason savvy ones can't have nice things. And as much as I hate to say it, it's a pretty good rationale.
(Score: 3, Interesting) by pTamok on Saturday November 11 2023, @09:52AM (1 child)
I've moderated you 'Insightful', agree mostly with what you wrote, and want to write a long screed about the state of IT security and privacy today, but to be honest, I don't have the time, and I have discovered recently that I have run out of outrage - using up energy to scream into the void just doesn't work when I'm low on 'energy', possibly permanently (no, I don't have ME/CFS).
I've worked in both 'IT security' and 'GDPR/privacy/curation of personal data', and in both cases, it is so very frustrating to deal with people who Just Don't Get It.
"Only our engineers know about the engineering back door" (From the board-level head of engineering of a large technology company)
"I've no idea what personal data the application I'm responsible for processes. Does it matter? The organisation has a privacy policy that covers everything, doesn't it?" (From the 'owner' of a healthcare application in a large organisation with a portfolio of such applications)
So yes, protecting people from their own incompetence is a good idea. But we don't give people the tools to enable them to manage things better for themselves, if they wish (and some, like us, do wish); and in a lot of cases the tools don't exist because the whole design of 'the system' is rotten to the core.
There exist subject matter experts (I'm not one) in both fields who are simply ignored, both as a result of commercial interests, and political interests. There's a lot of wilful ignorance and wilful incompetence going around, and I'm beginning to understand the dirty and corrupt reasons why - partly down to being able to disclaim liability if (when) things go wrong.
Hell, I can feel another rant coming on.
(Score: 2) by mcgrew on Monday November 13 2023, @05:04PM
So get to work porting Linux Mint to Android phones with an easy way to install it. On a computer, installing Linux is easier and far less hassle than setting up a brand new Windows computer.
And yes, I'm aware that Android uses the Linux kernel, but anything that a giant corporation touches is poison.
It is a disgrace that the richest nation in the world has hunger and homelessness.
(Score: 5, Funny) by darkfeline on Saturday November 11 2023, @10:36AM
It IS your phone, and you can run whichever OS you want (AFAIK all of the phones Google makes at least are unlocked). If you choose to run an OS developed by a separate party, updated by that party, and has automatic updates, then that's on you, isn't it? You're free to develop your own OS, or use an OS developed by someone who won't write any bugs.
Join the SDF Public Access UNIX System today!
(Score: 1) by Runaway1956 on Saturday November 11 2023, @12:27PM
You overlooked, or at least didn't mention a big reason why you lack control over your phone. Those sweet financing deals encouraged locked down phones. Google had a layer of control that was hard to shrug off. The manufacturer added their own layer of control. Then the telcos (or whoever financed your phone) added a third layer.
A few projects have promised to remove most of those layers of control, but, since Android is a Google project through and through, you can probably never remove all the control.
The only solution is to dump Google, and install another OS. Even then, by its very nature, your phone will be subject to some tracking. You can't connect to a cell tower without letting the cell tower know where you are.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 1, Interesting) by Anonymous Coward on Saturday November 11 2023, @06:17PM
> Banks like to have some assurance
Old fart / boomer comment:
What's the big attraction to online banking for everything? I don't get it. I've always gone to the bank to cash/deposit checks, open/close accounts, get cash (now from an ATM, at the bank), etc. At least where I live all the banks have local branch offices that are convenient and friendly people staffing them.
The few times I've experienced any sort of bank fraud or attack on my funds, the fact that bank officers at a local branch knew me personally went a long way toward clearing things up with a minimum of trouble.
I will admit that the bookkeeper for my tiny company has the company bank accounts online using a laptop, but, the company account never has much money in it, I take out any surplus to a personal account (and return if needed).
(Score: 2) by mcgrew on Monday November 13 2023, @04:58PM
> Google/Alphabet is not your friend.
Neither is Apple. I won't use a phone for commerce. I do my shopping at home on the computer, or in a store with a credit card. However, I do transfer my photos to the network file system with Wi-fi, and transferring data with a USB without installing an app has been built into Android devices since Android was first produced.
Anyone who doesn't back their data up is a fool begging to lose their data. Especially a phone, phones not only break, they get lost and stolen.
It is a disgrace that the richest nation in the world has hunger and homelessness.
(Score: 3, Interesting) by Rosco P. Coltrane on Saturday November 11 2023, @08:47AM
CalyxOS always gets Android updates a bit later than other ROMs. If you read most deGoogled OS comparisons, this is viewed as a con.
But one of my reasons for choosing CalyxOS is exactly that: it only gets updates *after* everyone else has played guinea pig for Google and issues have been resolved - or undesirable features declawed.
This whole storage bug mess vindicates my choice.