1000$ phone - no security updates

I don't immediately install the latest updates on my million dollar servers at work.
Patches can and often do break applications and/or disrupt the proper operation of hardware.

Just recently I patched OpenSSH for a security vulnerability, then couldn't log in because the patch changed to encryption and the app used to log in couldn't use it. The app, which is 3rd party, also needed an update.

My WAS servers need to be patched, but I know the patches will break some of the apps on the server, so I can't just patch them without thorough testing of the apps using WAS.

My point is, just because a patch exists doesn't mean immediately roll it out. It needs thorough testing.
Exactly.

There was recently a notifications issue on some devices when a patch came out a few months ago.

Honestly if having a device that gets Security Updates immediately is the only thing that matters, you are best off getting a Pixel.
 
I put phone updates and security updates on a different level to server/enterprise updates for many reasons but there are more complexities and moving parts to enterprise updates over many more years. I don't think you can really compare them the same way.

That's why, like you, and from experience, I am not quick to push updates on an Enterprise level, but there is a value of having such support and updates available.

But anyways even though I mentioned having the latest updates as they come out, my point was also about getting the proper support through the life of the product or at least the warranty.

I don't immediately install the latest updates on my million dollar servers at work.
Patches can and often do break applications and/or disrupt the proper operation of hardware.
 
I don't immediately install the latest updates on my million dollar servers at work.
Patches can and often do break applications and/or disrupt the proper operation of hardware.

Just recently I patched OpenSSH for a security vulnerability, then couldn't log in because the patch changed to encryption and the app used to log in couldn't use it. The app, which is 3rd party, also needed an update.

My WAS servers need to be patched, but I know the patches will break some of the apps on the server, so I can't just patch them without thorough testing of the apps using WAS.

My point is, just because a patch exists doesn't mean immediately roll it out. It needs thorough testing.
That is exactly how Experian got hacked. Delaying security patches.
 
That is exactly how Experian got hacked. Delaying security patches.

No. Experian got hacked because someone didn't install it, not because they took extra time to make sure it didn't break something.
 
I put phone updates and security updates on a different level to server/enterprise updates for many reasons but there are more complexities and moving parts to enterprise updates over many more years. I don't think you can really compare them the same way.

That's why, like you, and from experience, I am not quick to push updates on an Enterprise level, but there is a value of having such support and updates available.

But anyways even though I mentioned having the latest updates as they come out, my point was also about getting the proper support through the life of the product or at least the warranty.

Sure, but it shows price doesn't dictate updates. It also shows how much testing needs to go on just for the few to hundreds of users on a particular server, within the same organization.

With the mobile devices, you have multiple carriers, each having made different changes, adding/removing apps, changing/removing settings, the patches require extensive testing before pushing out to millions of devices, with any number of differences.
 
That is exactly how Experian got hacked. Delaying security patches.

No, Equifax was told about holes in their security and chose not to act on it. Not to mention, Equifax has outward-facing servers in a DMZ or TZ.
Outward-facing servers should be handled a bit differently, but still require testing before implementing.
For all we know a particular patch could have made them even more vulnerable.

I have been patching servers like crazy, but I can't patch everything because the apps need to work with the patches, which means the developers have to fix their code.

No one in their right mind will simply patch prod, especially if they know their apps will break. Doing so takes your servers offline for an undetermined amount of time. On test or development servers that may be ok, but not on prod.
 
Didn't Samsung incorporate some of the security patches from September into the August one (i.e. Blueborne)?
 
Doesn't extra time equal a delay?

What you said concerning Equifax was factually incorrect. They did not delay anything. Someone just didn't install it. The two situations are not at all the same.

This also doesn't change the fact that it is just as irresponsible to NOT install a security patch as it is to install one that hasn't been thoroughly tested and could cause more harm than good.
 
Mine says "Security Enhancements for Android Status" Fri Sep 15. I did see that update come through.
 
Samsung (and also some US carriers) has a long and sordid history of glacier slow updates. It’s just the way it is.
 
What you said concerning Equifax was factually incorrect. They did not delay anything. Someone just didn't install it. The two situations are not at all the same.

This also doesn't change the fact that it is just as irresponsible to NOT install a security patch as it is to install one that hasn't been thoroughly tested and could cause more harm than good.

I agree with most of your points. I believe this has run its course.
 
S8 on T-Mobile here still waiting on update, stuck on August security. :(
 
FWIW, the update that was released on T-Mobile Note 8 devices on launch date / August 15th left the security patch level at August, as one would expect, but did address Blueborne (install the Armis app, and you'll see it says the phone is no longer vulnerable, while doing the same on my daughter's Axon ZTE with August updates says that device is vulnerable). I think Blueborne has brought us into a dangerous and unprecedented era. I was ok with delays in security updates because I'm extremely careful with what I click on, and even receiving MMS messages.

But Blueborne, if the vulnerability is used, will allow hackers close to you physically, to hack in without any action on your part other than having BT turned on. In this day and age, Samsung and Google need to figure out a solution for these urgently, and not over many different releases.

Also FWIW, my wife's S8 from T-Mobile was stuck on July update until mid-September at which point the August update with the Blueborne fix was pushed out. And last year, I had unlocked S7 Edge and a T-Mo branded one at different times. The T-Mo ones updated more frequently. I have no idea why.
 
My Note 8 is still on the August 1 patch level - has anyone gotten any later security updates?

If Samsung thinks they can sell this thing at 1000$ and then not issue at least basic Android security patches, they're wrong.

LOL, not for nothing, but since YOU bought one, and I bought one, and a whooole bunch of other people did as well, I'm betting they don't think they're wrong.
 
LOL, not for nothing, but since YOU bought one, and I bought one, and a whooole bunch of other people did as well, I'm betting they don't think they're wrong.

Especially given that consumers can easily search for evidence on Samsung's update track record.

Caveat Emptor.
 
My Note 8 is still on the August 1 patch level - has anyone gotten any later security updates?

If Samsung thinks they can sell this thing at 1000$ and then not issue at least basic Android security patches, they're wrong.

The only way to ensure updates for any phone is to have one directly from Google. Other manufacturers seem to be good for the first few months then just drop off completely.
 
