Nokia ending support for MeeGo and Symbian applications

[Nokia advised developers that no new apps, or updates to existing apps, are to be accepted for MeeGo and Symbian products starting Jan 1, 2014.]

Retrieved from wiki.maemo.org:

Subject: Changes to supported content types in the Nokia Store

Dear Nokia Developer,

With the growing business opportunities available on the Asha, we have been reviewing our developer content programs to see how we can maximize our support to you, our developers. As a result of this review, we have decided to focus our support and investment in new content toward Asha and Windows Phone. Over the next few months we will be transitioning our active developer support away from Symbian and MeeGo.

If you have Symbian and MeeGo content in the Nokia Store, it will continue to be available for download to customers, and you will continue to receive download and revenue reports as well as payouts for downloaded content. However, starting January 1, 2014, you will no longer be able to publish any new content or update existing content for Symbian and MeeGo.

We are very excited about the opportunities available with Asha and hope that you will bring your talents to these platforms. We believe that these changes will help improve our ability to support you as you develop fantastic apps for your customers.

Best regards,

The Nokia Developer Team


Theodore and Linus about NSA

Two important figures in the Linux community, Theodore Ts’o and Linus Torvalds, discussed the NSA and its code-breaking on Google+. Theodore posted:

This came up late in the comment thread of an earlier G+ post of mine, but I think it’s an interesting enough topic that it’s worth its own top-level post. Suppose you are an NSA agent, and your goal is to enable bulk dragnet-style surveillance, covertly, in the face of widespread adoption of encryption. Requirements: (1) it should be operationally easy for the NSA to exploit; (2) it should be hard to discover; (3) being able to break into the target computer is a non-goal, at least for this program. (Individually targeting one machine at a time doesn’t scale if the goal is dragnet surveillance; let’s just assume for the sake of argument that if the NSA wants to compromise any single machine, they probably can do it if they are willing to throw enough resources at the problem.)

I nominated corrupting the RDRAND output in the x86 chip so that it is the encryption of some increasing counter (how to initialize the counter on each boot-up is an interesting question; see the earlier set of comments), encrypted by a key known by the NSA.  Then convince people that it is a good idea to use the output of RDRAND directly when creating session keys for IPSEC, SSH, and SSL connections.

Can you think of other similar attacks, targeting other commonly used software or hardware systems?   It is said that you shouldn’t create your own encryption algorithm until you have spent a lot of time doing code breaking.  Now that we know that the NSA is gunning after civilian computer systems and trying to introduce back doors to enable their SIGINT mission, if we want to design systems which are resistant to such attacks, we need to first start by trying to think up ways that we could engineer such attacks, if we worked at the NSA and this was the mission given to us.

Linus replied to the post and was critical of the assumption that RDRAND could be part of making a key simple to break:

Theodore Ts’o I don’t believe in the rdrand theory, for the very simple reason that it breaks your own #1 requirement.

It does not matter one whit if the NSA knows the AES key that is used to whiten the rdrand output, unless the NSA also knows enough to then be able to look up the initial state for whatever was then whitened using that AES key.

And quite frankly, rdrand is very much not amenable to that. Any other noise will basically kill your theory. Not just noise like the Linux kernel randomness pool. In fact, even if you use the output of rdrand without any other noise at all, and build your private key using that boot-time clean rdrand output, I doubt that the NSA can reasonably figure it out from your public keys.

No, the whole “sabotage ipsec standards bodies and infiltrate the commercial trust verifiers” approach sounds a hell of a lot more likely. Screw the random numbers, just make sure that the encryption is weak enough (or down-gradable enough) that it doesn’t even matter what your keys are..

Side note: don’t get me wrong. I think it’s good that we don’t use rdrand mindlessly in /dev/random. But if you want to look at likely targets, I’d look at site certificates and the verifying agencies etc long long long before I worry about rdrand.

Theodore countered with a defence of his earlier statement:

Linus Torvalds Consider what happens with using RDRAND to generate session keys (not just the user’s long-term public key).     See my earlier comment about how if the NSA can get access to a single RDRAND output, and decrypt it, it can now use that to find the initial counter value.   Yes, if you never give out the RDRAND output, but do something as simple as running SHA or MD5 on the output before you use it, it would defeat this potential attack.   The problem is there are programs out there which use the output of /dev/urandom without any whitening to generate session keys, and so if you were to connect the output of RDRAND to /dev/urandom, the external attacker might be able to get their hands on raw RDRAND output, and from that, be able to predict future RDRAND output (if RDRAND was compromised as I described).

BTW, I’m not trying to beat up on Intel.   There’s a very good chance that Intel chips are clean.    It’s the exercise of “Think Like The NSA”  which I’m trying to encourage people to consider.   In that context, it’s important not to focus on just one potential attack, and then blind ourselves to other potential approaches.

Those who want to read the original post and other people’s comments can find it on Google+.
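The mitigation mentioned in the thread (hash the hardware output and mix in other noise instead of handing out raw RDRAND output) can be shown in a few lines. This is an added example, not code from the thread or from the Linux kernel; `SuspectSource`, the demo key, and the use of HMAC-SHA256 in place of a block cipher are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time


class SuspectSource:
    """Constructed model of the scenario above: each output is a keyed
    function of an increasing counter. HMAC-SHA256 stands in for the block
    cipher (assumption: the standard library ships no AES)."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def read(self, n: int = 16) -> bytes:
        msg = self.counter.to_bytes(8, "big")
        self.counter += 1
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:n]


def session_key_raw(hw: SuspectSource) -> bytes:
    """Weak pattern: the hardware output is used directly as the key."""
    return hw.read(16)


def session_key_mixed(hw: SuspectSource, other_entropy: bytes) -> bytes:
    """Hardened pattern: the hardware output is only one input to a hash,
    next to entropy from independent sources, and never leaves the process."""
    h = hashlib.sha256()
    for part in (hw.read(16), other_entropy):
        h.update(len(part).to_bytes(4, "big"))  # length prefix keeps inputs unambiguous
        h.update(part)
    return h.digest()[:16]


def gather_other_entropy() -> bytes:
    """Stand-in for independent sources (interrupt timing, device noise)."""
    return os.urandom(32) + time.perf_counter_ns().to_bytes(8, "big")


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed value, for the demo only
    device, model = SuspectSource(key), SuspectSource(key)
    print("raw key reproducible from key+counter:",
          session_key_raw(device) == session_key_raw(model))
    print("mixed key reproducible from key+counter:",
          session_key_mixed(device, gather_other_entropy())
          == session_key_mixed(model, b""))
```

The mixed key is only as unpredictable as the best of its inputs, which is why the hardware source is kept as one contributor rather than dropped.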

Microsoft bought Nokia mobile unit for peanuts.

[Image: Bluescreen on the last Nokia phone]

The death of Nokia’s mobile unit was announced as if it were a happy event. After years of mismanagement by Elop, during which all profitable units were closed down and good factories sold, he managed to conjure a false feeling of profit for the stockholders by selling Nokia’s core business, the mobile unit, to Microsoft for peanuts: just 5 milliard euros. Of course no customers want a WP phone, so with today’s bad business it is not worth much money, but if Nokia had stayed with the very profitable MeeGo and released more of the extremely popular N9/N950 phones, it wouldn’t have lost its crown to Samsung. Don’t forget that the N9 was only sold in small markets while the Lumia line was released worldwide, and the N9 still outsold the Lumia 3 to 1.

Tomi Ahonen has written an analysis of Nokia’s horrible Microsoft experience; the conclusion should be: never hire a “former” Microsoft employee.

Some reaction from Finland, I guess there are quite many volunteering to put a knife in the back of traitor Elop.

Samsung’s mobile flagship of poor quality

Back when Nokia was still the mobile king (before Microsoft, Elop and WP), you could expect good hardware quality in the flagship models, and even the cheaper models were above average. You could even get a replacement phone if you had to repair your flagship device. How did Samsung fail to copy this and avoid bad publicity? Samsung has copied everything else that Nokia did well and avoided all the bad decisions that Nokia made.

A common issue with the Galaxy S3 was the “Black Screen of Death” (in a number of different versions). For some it worked to do a device reset, which could be done by holding a combination of keys for 3 to 10 seconds (it seems to have been different depending on operator modifications and version of Android). Those who got this would in many cases end up with a broken device which had to be sent for repair.

You would think that a new flagship device would not have the flaw, but apparently it is not that unusual a problem with the Galaxy S4. Quite many have been asking for help, and they get the same advice from other users while Samsung is quiet about the issue, using the Microsoft mentality that if you don’t confirm a problem, then it doesn’t exist.

Yesterday my dearest took a look at her phone when she woke up; everything looked okay and she went to study. A couple of hours later the phone was turned off. She first thought that the battery had run out, but the phone didn’t charge at all: tried different chargers, hooked it to the computer and even used an external battery which can tell whether a device charges from it or not, and the battery reported that the cellphone didn’t charge at all. Just to be on the safe side, tested all the recommended “reset” key combinations and battery removals and so on, without any result at all. A good quality phone shouldn’t break in less than 3 months, or at least there shouldn’t be too many that do, but apparently there are quite many who got this issue.

When  got to the Hi3G store, the saleswoman just thought you can buy a new one, as if it was funny; I really think that was quite distasteful. Then you have to wait two weeks to get the phone back without getting a temporary replacement phone. I have to say two weeks is a damn long time to replace the main board of a cellphone, which is the most common way of repairing a cellphone, and then send the broken one to refurbishment (this is the reason that you may find someone else’s photos or contacts when you get your phone back from repair).

This shows how highly customers are regarded by both Samsung and Hi3G, sell things expensively and give the customer no real value for the money.

Black Screen of Death

Jolla shows off their first device

Today we saw Jolla introduce their new cellphone, with covers that change your theme to harmonize its colours with the colour of the back cover.

The presentation itself can be seen at jolla.streamforce1.tv, the important things are:

  • 399€ (ship by end of 2013)
  • Jolla original design with ample 4.5” Estrade display
  • Dual core and 4G
  • Keep it and share with 16GB + microSD
  • 8MP AF camera
  • User-replaceable battery
  • The Other Half
  • Gesture based Sailfish OS
  • Android™ app compliant

It will be interesting to see the device later this year and see how it will compete with Samsung’s Tizen devices.