Weekly Head Voices #160: Write stuff down.

In the foreground, the mortar and pestle I used to mash together garlic, ginger, a serenade chilli, green cardamom pods, a whole cinnamon quill, one bay leaf, some curry powder for even more oomf, turmeric, coriander, salt and a few cloves. This paste ended up in that blurry red cast iron pot on the coals to result, a few hours later, in a delectable chicken curry potjie.

Welcome to the first WHV of the year 2019 folks!

In what is hopefully just a minor incident and not a portent of calamitous events to come, we have already skipped the first two weeks of the year, which means this WHV looks back at the three weeks from Monday January 7 to Saturday January 26.

I guess this would not be the WHV if we did not start off with some sort of awkwardness or miscellaneous embarrassment, so: CHECK!

Because you are probably thirsty for your WHV now, I tried to write you a long and rambly edition, with pictures! (Because it’s so long and rambly, and because markdown, I have liberally sprinkled with headings and sub-headings, so that those of you with lives outside of blog reading can hop, skip and jump through like the professionals you are.)

The future is here: Long-form blog posts on the iPad.

This also would not be the WHV if we did not have some little digital trick to reveal: Today’s attempt is that this post is being written, for the largest part, on a 2018 iPad (the cheapest one) with an old (also very cheap) bluetooth keyboard.

Because I really don’t like the new block-based WordPress 5.0 editor, named in an entirely non-hubristic fashion “Gutenberg”, but it does fortunately support importing markdown formatted blog posts (just make sure you don’t hard-wrap anything), and because I like trying new things, I am typing this on the iPad using the iOS version of Textastic.

A few hours ago, it looked like this:

In contrast to the direct orgmode to wordpress Emacs workflow I normally use, this workflow enables me to copy and paste sections of markdown text into WordPress. Each pasted section is automatically imported as WordPress blocks, based on the markdown structure.

This means I can position and edit images using the WordPress interface, but author the text using Markdown. With org2blog the whole post, including images, has to go through life as an orgmode file, which is brilliant for my more technical posts, but not so much for prose-heavy blog posts such as this one.

BTW 1: Why I don’t (yet) like the new WordPress editor.

The old WordPress editor enabled me to focus on the content and just write.

The new Gutenberg editor now wants me to create a bunch of blocks, e.g. paragraph, image, paragraph, bullet list, etc., and then work with those blocks.

That’s really great if you’re building a site, but not so much when you would just like to get down and write that blog post.

Although this is now the standard editor in WordPress, there are still bugs, such as the fact that my cursor keeps on jumping to the start of the block while I’m typing, which is not irritating at all, and the not unimportant observation that none of the mobile apps support Gutenberg yet.

WordPress-using readers, what do you think?

(P.S. Another just-discovered issue: In Gutenberg, your biggest heading is H2. H1 is not available in the UI normally. When pasting in markdown, H1s do display, but do not show in the type-UI as anything. Here is a confusing Gutenberg bug report.)

BTW 2: Why Textastic? (AKA At least it will syntax highlight your Orgmode.)

The main reason I found and purchased Textastic, was that I ran into Jez Cope’s github repo with a TextMate Bundle (that’s an editor configuration) that was made for Textastic to support editing Emacs orgmode files.

As is the age-old open source way, there were a few small bugs which I fixed in my fork, which you should definitely get if you are in the same I-want-to-edit-Orgmode-on-my-iOS boat as I am. It’s not a very large boat, but it’s super fun!

(There is no Emacs on iOS. This is in my view the greatest downside of iOS. It turns out that Apple generally does not allow apps with embedded interpreters on the app store. However, I am still trying to find out why there are no iOS-capable Emacs source code forks available.)

BTW 3: The iPad with keyboard is a shockingly good laptop replacement.

I recently recommended to a privacy-conscious reader who was searching for an affordable Linux-running laptop in South Africa, that she instead consider buying an iPad with bluetooth keyboard.

Down here a brand new 2018 iPad costs R5999. A cheap keyboard cover (e.g. Body Glove) can be had for about R860.

If you compare this to any new laptop of R6900 (about EUR 444) which will probably be sold with Windows included, you get a computing device with a fantastic quality multi-touch screen, great battery life, best-in-class security, almost no maintenance, and a fantastic app ecosystem. To seal the deal, the iPad’s resale value is proportionally probably also much better than that entry-level laptop.

After I sent that email, I started with this iPad + cheap bluetooth keyboard experiment to try it for myself. I have to say that the experience has been way better than I expected.

For a large subset of laptop users, and for a large subset of workflows and tasks, this is a really great solution.

Please don’t worry (too much) yet, I am not planning one of those “I switched to an iPad as my main computing device” blog posts. I would not be able to survive without my development tools, and I would especially not be able to survive without my Emacs.

PV Solar installation progress

As I excitedly announced in WHV #159 (slightly more than a month ago), we had decided that it was time to get a photovoltaic solar power system installed at the house.

I found a local installer with the required PVGreenCard accreditation and started the consultation process.

Unfortunately, the installer did not seem to be prepared for a customer that would not stop asking questions. The customer even went so far as to pose questions that challenged the installer’s brand loyalty!

I really do understand that I’m probably not the easiest end-user, but I don’t think that an expert’s brand loyalty should get in the way of reason, and far more importantly in the way of basic physics.

To make a long story short, I ended up getting fired by the installer.

This was probably for the better: He can now continue doing well-practised installs for other clients who don’t ask (so many) questions, and I suddenly had the opportunity to find a new, more engineer-friendly installer, and to continue learning.

Following are two noteworthy learnings:

Learning 1: You should almost always try to oversize the photovoltaic array

If the equipment states for example 4600kVA, then you are usually quite safe installing from 25% up to 30% more kWp of solar panels.

Oversizing will mean that on very sunny days you’ll get peaks higher than the maximum rated PV, which can be handled for short periods by the solar equipment, but more importantly, you’ll be able to generate more electricity when there is less sun, which is most of the time.

In other words, you increase the area under the curve of kW generated per hour.

By the way, I emailed GoodWe (they make the hybrid inverters I have my eye on) who confirmed that their EM range supports 27.8% oversizing. The ES range advertises 30% PV oversizing on the box.

It is of course an interesting question what exactly is meant by oversizing. Do they support pumping 30% more power into the inverter for 5 minutes, or for 2 hours?

Learning 2: powerforum.co.za is a great source of information.

This forum has a surprisingly high signal to noise ratio.

There are a number of experts hanging around, including one of Victron’s super helpful and knowledgeable R&D engineers, and the archive posts are invaluable as you try to navigate the quagmire of often conflicting information.

Avocado baby progress: Very much touch and go.

The baby avocado tree, in spite of being watered almost every day (thank you rainwater harvest!) does not seem to be doing too well.

Because the summer sun down here can be quite vicious, the tree has its own little pink umbrella.

The current plan is to feed it more compost, and, if that fails, to try to transplant it out of the big, wild garden and into a pot with softer, kinder earth.

How to explain complicated topics

The international and yearly Machine Learning Summer School took place in Stellenbosch this year, from Monday, January 7 to Friday, January 18.

As you can see from the programme, there were a bunch of heavy hitting speakers present both physically and virtually, including the super resourceful (failed super resolution pun, su(p)e(r) me) Dr Stefan van der Walt, who gave a talk on good scientific software.

Anyways, because I am currently in a more commercial configuration, I could not justify taking two weeks out, and instead opted for a day visit at the start of the congress.

It is a testament to the current prominence of the field that the list of international sponsors included Microsoft, Apple, SAP, Uber and Amazon.

It was gratifying to experience a sampling of such a well-organized international gathering here in my neck of the woods.

On the first day, we had a high throughput introduction to causality, probabilistic thinking, and variational inference. All the presenters were clearly good speakers, but they weren’t all equally experienced in teaching such complex material.

(At one point one of the statisticians I was chatting to in break admitted having difficulty keeping up with the math. I did not feel that stupid anymore.)

“What is the difference between being a good speaker and an experienced teacher?”, you might now ask.

Great question, I would then say, grateful for the opportunity to explain.

What I was missing in the one specific case I do not want to be too specific about, was that the presenter did a great job of talking about each of a long list of concepts relevant to his topic, but somehow forgot that one of the most important parts of teaching is communicating the conceptual framework into which all of those concepts fit.

Conceptual frameworks are also one of those multi-scalar things: Each group of factoids can be gratifyingly embedded into a slightly higher level component, groups of which can be slotted into the overarching “big idea”, or another level of component. (It’s turtles all the way down.)

As great lecturers talk, they keep on bringing their narrative back up to the higher-level embedding construct.

It looks something like this:

Yes, I did make this especially for this post, especially for you. No, I am not sure exactly why.

By repeatedly diving deeper into the details, and then following the conceptual link back up to the higher-level constructs and especially your big idea, your listeners will start to see the beautiful fractal of understanding that you are guiding them through.

What will I be working on this year?

At this moment, 2019 is shaping up to be pretty exciting work-wise.

We just heard that we will be able to continue for some months more working on the X-Ray based surgical planning project we worked on last year.

Partly thanks to the great deep learning work of two summer interns (note: Southern Hemisphere means summer interns over December and January, which might be weird if you’re from the Northern Hemisphere) we are in great shape for all of the deep neural network-based image understanding plans we need to execute on.

This year I will also be spending more time on TeleSensi, our FDA-certified tele-auscultation product. This is less rocket-sciencey than the surgical planning project, but super interesting to work on, as it has many more users on the open market.

(That being said, we do have plans to increase the level of rocket science significantly. I am not called the science officer for nothing… (well, that and also the fact that I got to choose my own title, and so I chose the same as Spock on the USS Enterprise).)

Do you write stuff down?

You might remember from WHV #155 my trick of starting the day with a checklist.

A part of that checklist is a checklist of habits which I try to form and maintain, called The HabitFormer(tm). Every item that I sufficiently address gets a super satisfying little [X] mark, which feels a whole lot better than the sadly empty [ ] construct.

Here is the current list:

  • did you write stuff down?
  • are you satisfied with number of pomodori?
  • 7.5 hrs sleep last night
  • meditate <– (WHV hidden pro-tip: Get the Waking Up app by Sam Harris. Thanks LM for the fantastic recommendation.)
  • stand at desk
  • do valuable things
  • fruit & veg
  • reading
  • thinking
  • running or other exercise

Ironically enough, the first item is brand new on the list.

I somehow forgot my habit of writing, during the day, a little done list / random thoughts list. After bringing this habit back I noticed what a difference it made.

At regular intervals during the day, I will spend a minute or three writing down what I had completed, or what I was thinking. This moment of introspection would either result in a pleasant bit of satisfaction with some small task taken care of, or, more often, it would reel me back in from a spot of less than deliberate action and enable me to bring back my attention to the point of focus.

I’m filing this under “101 tricks to get your rider back on your elephant”.

Alright friends, thank you very much for joining me on this part of my journey. I am looking forward to our next interaction!

You’ll know if your iPhone is listening. Vice should consider toning down the sensationalism.

A Vice article titled Your Phone Is Listening and it’s Not Paranoia has been doing the rounds. In it, the author explains how they did an “experiment” demonstrating that topics they discussed verbally were later reflected in Facebook ads.

Whilst it’s prudent to be careful with modern technology around one’s privacy, Vice is being a tad sensationalist. This blog post, which will optimistically be read by three to four people, tries to fill some of the holes they left.

We already know that we can’t trust Facebook in any way, so we are dependent on the telephone’s operating system to take our privacy seriously: That’s usually Android or iOS.

Android does in theory enable background recording up to and including Android O, but starting from Android P it will disable this. Unfortunately, it shouldn’t be more than about 10 years before all phones are on Android P or later.

(I have previously indicated that I’m not the biggest fan of Android’s security story. I am happy to see that they are making such progress, but the tardiness or even worse refusal of OEMs in upgrading their devices diminishes most of that.)

In iOS on the other hand, there are at least three mechanisms that protect users against this background recording abuse:

  1. The app has to ask the user explicitly for microphone permission, which the user can easily revoke at any time (Settings | App’s name | Microphone; see screenshot below for an example).
  2. The developer has to indicate explicitly and statically in their app that they intend to use background audio. Apple’s review process is quite strict and will reject outright an app that does not have a legitimate reason to make use of this function.
  3. Even when an app has been able to convince Apple’s review process that it should be allowed to record audio in the background, there are two more privacy mechanisms in place:
    1. An app can only record in the background if it started to record audio whilst in the foreground. When the recording stops, the app will be suspended.
    2. When any app is recording, the system will display a big red bar at the top of the iOS display, much like the blue bar which displays when a location-based app such as Google Maps or Waze is active in the background. This red bar can’t be hidden.

To see this in action (another “experiment” !!), download an app like Awesome Voice Recorder which advertises background recording, start a recording, and then switch anywhere else. The red bar looks like this (I’ve switched to the app permissions screen in iOS settings, so you can also see where to disable the microphone permissions):

AVR is recording in the background, so iOS shows this red bar at the top. If you tap on the red bar, it will switch to the app which is recording. This is related to the blue bar for location, and the green bar for ongoing phone calls.

With the above measures in place, it would be fairly tricky for an iOS app to perform background recording without your knowledge.

For some extra peace of mind, you can disable the app’s (a totally random example being Facebook) microphone permissions. If the app ever really needs to record, iOS will have to ask your permission again.

P.S. In iOS, under Settings | Privacy | Microphone you can find a handy list of all apps that have successfully requested microphone permissions. From here, you can also easily remove any of these permissions.

Updates

Weekly Head Voices #145: The Narrating Self.

View of the False Bay from the Helderberg Nature Reserve.

The work part of the week flew by.

(I think this is the reason for the shortness of this post. As is often the case, we start with journal stuff, then nerd stuff and, hidden at the end, some backyard philosophy stuff.)

Dear diary

The weekend part on the other hand started with a welcome-back-braai (HI MOM!) on Friday, followed by a sublime oxtail potjie on Saturday and concluded today with a sublime long(ish, by my standards as always) run in the morning (showing a little solidarity with the Comrades participants whilst not completely busting my barefoot-style-acclimatising feet and ankles) plus Helderberg stroll and lunch, and is now ending with a WHV writing session.

(Sundays which start with a run, have family stuff in between, and end with WHV are automatically awarded a 12/10-would-do-again rating according to my patented How Was Your Day Honey evaluation system.)

Nerdy Pro-tip

Just in case you missed it, Google’s Gboard keyboard for iOS quietly shipped an update last week that includes as one of its new features support for Afrikaans. This brings the number of smart iOS keyboards (smart, as in AI-based) that support Afrikaans up to the total of two (2). The other is SwiftKey, which has supported Afrikaans for some years now.

(The lack of a mobile keyboard with native support for one’s language can really complicate effective communication. Preferring fully formed sentences, I’ve never really gotten the hang of SMS-speak.)

Homo Deus

After a slight detour with a number of other books that have featured on this blog, I have returned to Yuval Harari’s Homo Deus.

I am about 75% through, but I can already say that this is one of the best works I’ve read in the past decade.

The way in which Harari, a history professor, weaves together so many strands of history and present to extrapolate our planet’s future is nothing short of magical. Along the way, he takes the reader along on many mind-expanding tangents.

The one tangent I made note of to mention here, was his treatment of the illusion, which we are all brought up to entertain, that each human houses a single ego or individual.

By citing and discussing several examples of humans with separated brain hemispheres, he makes a strong case for the observation that most probably you house multiple identities.

There is a strong narrating self who tries to weave together the experiences and inputs of the other selves, and who will go to great lengths to make everything fit.

Thinking about all of the internal discussions one has throughout every day, and the seeming disagreements one can have between yesterday’s you and today’s you, Harari’s thesis starts to sound like a really good explanation.

This soon leads to interesting new questions: What would be the best way to manage one’s multiple aspects, especially in the light of the fact that “one” does not even know with certainty who is asking this question?

(Astute readers will have noticed that my choice of a title for this blog has finally been vindicated after all this time.)

See you next week, my suddenly multitudinous readers!

P.S. Harari says that intelligence and consciousness don’t necessarily go together. We are entering a future where many of us are going to be made obsolete by constructs which don’t possess consciousness but are far more intelligent than we are.

P.P.S. For one of the best hard sci-fi books dealing with our often-held but anthropocentrically flawed perspective that consciousness and intelligence go together, you can do a lot worse than Blindsight, by Peter Watts.  Read that book.

 

Weekly Head Voices #122: Thanks Pythagoras.

Pink sunset, as they do here in my backyard.

Welcome back everyone!

During a brilliant breakfast chat with friends who are visiting from afar, friend S (now 16.67% name-dropped) admitted that the WHV, strange unfocused mishmash of thoughts that it is, contributed positively to his information diet.

In spite of this admission adding to my already considerable posting anxiety, I am enormously grateful for the encouragement. I often worry about this mishmash, as I also aspire to enter the fabled halls of A-list bloggers one day.

Perhaps I should just embrace the mishmash. Again.

In this edition of the mishmash, I extremely sparsely review the weeks from Monday May 8 to Sunday June 11.

During our weekly extra math, science and philosophy lessons, GOU#1 (now 11 years old) and I arrived through serendipity at the topic of Pythagoras. Her mind almost visibly expanded when she discovered the relationship between the 9, 16 and 25 square adjacent squares I drew for her on the 3-4-5 example triangle. Her eyes went wide when I explained that this works for any right-angled triangle.

She was soon happily squaring, adding (long-form on paper of course) and square-rooting away on geometry problems.

Seeing your own child discover the beauty that is math is brilliant.

After complaining about subpar Android security and dismal Android performance on this blog, I finally decided to bite the bullet and acquired a second-hand iPhone 6S 64GB on May 10, 2017. The phone is in mint condition, and the price was excellent.

So far, the performance is substantially better than any of my previous Androids. In fact, so far I’ve never had to wait for anything on this phone, which was my main issue with the Androids. (Google Maps anyone?!) Besides that, when Apple pushes a software update, all phones immediately get that update, without interference from any third parties, including carriers.

(A word to the wise: There is no official way to transfer your complete WhatsApp message history from Android to iPhone, which was a huge disappointment. There are unofficial, closed-sourced, solutions that require one to connect one’s Android phone in USB debugging mode to the PC. That risk is a bit too great for me.)

After a period of rest, the Visible Orbit website, including the high-resolution microscopic slice data and viewer, is online again! It was quite satisfying getting all of the backed-up data back on the interwebs again.

Since the previous WHV (well actually mainly during the last week), I’ve published five posts on my nerd blog:

Three of those five posts have to do with cryptocurrency, which is to a certain extent a reflection of my free-time mental cycles at the moment. Looking at how technology such as Ethereum and its Smart Contracts (a Smart Contract blog post is currently forming in the back of my head…) seem to be breaking through, I can’t help but be reminded of stories such as those by Charlie Stross in Accelerando (at least the first bits).

Do we find ourselves at the start of something truly significant, or is this just an extremely elegant and high-tech dead-end?

What a time to be alive!

P.S. Here, have another outdoorsy photo on the house!

I tricked GOU#1 and GOU#2 into joining me on a sneakily long mountain walk. They did a sterling job.

Android security in 2016 is a mess.

Summary

Your phone probably contains banking, payment and personal information that can be remotely stolen via numerous known and unknown bugs in the Android software. This is attractive to criminals.

Vendors (LG, Samsung, Xiaomi, etc.), after selling you their phone, have no incentive to keep your phone’s software up to date with Google’s fixes. Your Android phone is probably out of date and therefore a gaping security hole through which attackers can steal your stuff from the safety of their own laptops.

Read on for more.

Between 1.3 and 1.4 billion Google Android phones in March of 2016. Click image for source.

An illustration: MediaTek / BLU phones are uploading your data.

You might recently have read about the incident with the popular BLU phones sold by Amazon in the US (interestingly, the author deleted their article from both hackernoon.com and from medium; I now link to the Wayback Machine’s stored copy). It turned out that these phones were regularly sending bunches of personal information to servers in China: text messages, call logs, contact lists and so forth. After more investigation, it came to light that this was happening via a low-level piece of software called ADUPS.

When Google had previously updated its systems to check for ADUPS, MediaTek (they make the chipset in millions of low-end phones) simply modified their system software to evade Google’s checks. Nice one MediaTek!

This is a painful example of the fact that the software on your phone, although based on Google’s software, is customised by the phone vendor. The further frustrating effect of this is that when Google releases security patches to Android (which they do regularly), there is very little incentive for the phone vendor to spend money on updating phones they have already sold.

What about A-list phone makers?

I bought my LG G3 in 2014 here in South Africa. It was LG’s flagship in that year, and sold extremely well. LG is a well-known smartphone OEM.

However, only because I took steps to flash the official KDZ image (V30a-ZAF-XX), which consumers would normally not do, am I now running Android 6. However, my security patch level is 2016-03, meaning there are 6 months of security updates I don’t have. (You can check your Android security patch level by going to Settings | General | About Phone | Software info.)

Before you think six months lag is not too bad, here’s a nice example vulnerability from the November 1 Android security bulletin:

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.

In short, your phone could be hacked wide open from afar through a single innocent-looking email, MMS or web-page.

My friend’s South African LG G3 is still stuck on Android 5.0 (V20n-ZAF-XX). Most probably this is being blocked due to his carrier (MTN). In any case, 5.0 does not even show the security patch level, so we have no idea how many months of security fixes this phone is missing.

(LG seems to be tracking Google’s security updates quite well, but somehow these updates are not reaching phones.)
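
An added example, not from the original post: a small Python audit that parses `adb shell getprop` output and reports how many monthly security bulletins a device is behind, treating a missing `ro.build.version.security_patch` as unknown rather than up to date. The three property dumps and model names are constructed, the absent property on the 5.0 device is an assumption standing in for "does not show the patch level", and the reference month is chosen so the first device reproduces the six months counted above.

```python
import re
from datetime import date

# `adb shell getprop` prints one property per line as: [key]: [value]
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>[^\]]*)\]\s*$")

PATCH_KEY = "ro.build.version.security_patch"
RELEASE_KEY = "ro.build.version.release"

# Constructed reference month: 2016-03 plus the six months the post counts.
REFERENCE = date(2016, 9, 1)

# Constructed sample dumps (not captured from real devices).
SAMPLE_MARSHMALLOW = """\
[ro.build.version.release]: [6.0]
[ro.build.version.security_patch]: [2016-03-01]
[ro.product.model]: [EXAMPLE-PHONE-A]
"""

# Assumption: a build that shows no patch level simply lacks the property.
SAMPLE_LOLLIPOP = """\
[ro.build.version.release]: [5.0]
[ro.product.model]: [EXAMPLE-PHONE-B]
"""

SAMPLE_CURRENT = """\
[ro.build.version.release]: [7.0]
[ro.build.version.security_patch]: [2016-09-05]
[ro.product.model]: [EXAMPLE-PHONE-C]
"""


def parse_getprop(text):
    """Return a dict of properties parsed from getprop output."""
    props = {}
    for line in text.splitlines():
        match = PROP_RE.match(line.strip())  # strip() also drops a trailing \r
        if match:
            props[match.group("key")] = match.group("value")
    return props


def parse_patch_level(value):
    """Parse 'YYYY-MM-DD' or 'YYYY-MM' into a date; None if malformed."""
    match = re.fullmatch(r"(\d{4})-(\d{2})(?:-(\d{2}))?", value.strip())
    if not match:
        return None
    year, month = int(match.group(1)), int(match.group(2))
    day = int(match.group(3) or 1)
    try:
        return date(year, month, day)
    except ValueError:
        return None


def months_behind(patch, reference):
    """Number of monthly bulletins between the patch level and the reference."""
    delta = (reference.year - patch.year) * 12 + (reference.month - patch.month)
    return max(0, delta)


def audit(getprop_text, reference=REFERENCE, max_lag=2):
    """Classify one device as OK, OUTDATED or UNKNOWN."""
    props = parse_getprop(getprop_text)
    release = props.get(RELEASE_KEY, "unknown")
    raw = props.get(PATCH_KEY, "")
    patch = parse_patch_level(raw) if raw else None
    if patch is None:
        # No usable patch level: the lag cannot be measured, so never report OK.
        return {"release": release, "patch": None, "lag": None, "status": "UNKNOWN"}
    lag = months_behind(patch, reference)
    status = "OK" if lag <= max_lag else "OUTDATED"
    return {"release": release, "patch": patch.isoformat(), "lag": lag, "status": status}


if __name__ == "__main__":
    for name, dump in [("A", SAMPLE_MARSHMALLOW), ("B", SAMPLE_LOLLIPOP), ("C", SAMPLE_CURRENT)]:
        print(name, audit(dump))
```

The UNKNOWN result is the one to chase first in an inventory: a device that cannot report its patch level gives no evidence of having received any fixes.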

A scary little aside

I just tried Check Point Labs’ QuadRooter Scanner app on my “updated” LG G3, and this is what I saw:

LG G3 with Marshmallow and Android security patch level 2016-03 is vulnerable to QuadRooter.

So my manually updated LG G3 is still very much vulnerable to QuadRooter. In theory, my phone could be (or already has been) rooted and pillaged by any old innocent-looking app, although I keep mostly to the official Play Market, so the risk is slightly mitigated.

At this stage, even as a relatively knowledgeable user, there’s not much I can do to patch my phone against this vulnerability.

Google’s leniency cuts both ways: More than a billion Android users, but most of them vulnerable.

It’s fantastic that Google’s openness and leniency with Android has helped to make smartphone technology accessible to more than a billion users (probably closer to 2 billion taking into account Chinese Android phones not connected to Google services, see Ben Evans’s post). However, this same leniency allows manufacturers to be irresponsible about keeping their customers safe.

The fundamental problem here is that there are a great many Android phone vendors who make phones from absolute entry-level to top-of-the-line flagships, who have very little incentive to spend money on post-sale security updates.

Once you’ve paid for the phone, you’re not important enough anymore to have a secure(ish) telephone.

What can we do?

Buy an iPhone. No really.

I’ve been using Android since the HTC Desire Z. I love Android, because I love Linux which I have been using since 1993.

However, if money is no object, my only sound advice can be to buy an iPhone. Apple is still shipping security updates, albeit on iOS 9, for the iPhone 4s which was released in 2011 (5 years ago). The iPhone 5 is still being kept up to date with iOS 10.

Furthermore, in terms of phone encryption, iOS 4, released 6 years ago, was already more advanced than Android 7 Nougat, released in August of this year. In short, already then Apple made better choices in how exactly different files are encrypted, whilst Android implemented full disk encryption, which for the smartphone use case is not the right choice. In Nougat, Android has finally also changed to file-based, but they’re missing important parts of the puzzle. The phone encryption blog post I link to is insightful, please take a look.

Stick with Android Pixel or Nexus.

If you prefer sticking with Android, the best choice is getting an official Google device, which means either a Nexus or a new Pixel. Google’s policy for Pixel and Nexus security states that they will ship security updates either for three years after device introduction, or for 1.5 years after the device was last officially sold from the Google Store, whichever is longer.

Unfortunately, iPhones are really expensive, and Google’s new Pixel devices are also aiming for the higher-end market. The previous generation Nexus phones offer a more mid-range but very temporary reprieve.

In other words, most normal consumers on a budget, i.e. the largest part of the Android user base, actually of the smartphone-using world, are stuck with insecure, vulnerable phones. This is not cool.

Consider installing a custom ROM.

Installing a custom ROM such as Cyanogenmod brings with it another set of issues with regard to the phone being rooted, and with regard to driver-level support of proprietary hardware. In any case, this is not something your average consumer will have access to, but Android gurus can certainly apply.

Efforts like CopperheadOS (hardened Android) are certainly promising, but it will be quite a while before they are accessible to the largest group of Android users.

Update: David Metcalfe pointed out in the comments that you can buy a secure Android phone from Copperhead.  If you are in the US or Canada, and you have some budget, you could buy the LG Nexus 5x or the Huawei Nexus 6P with CopperheadOS pre-installed. It’s great that this is available, but due to price and geography not really accessible to most Android users.

Keep manufacturers honest.

Ideally, Google starts taking a much harder line with manufacturers who put Android on their phones. They could for example maintain and publish a list of phone models that are kept up to date with the latest security fixes, and a list of those that aren’t.

I was happy to see that at least Huawei has a pretty good record in terms of keeping their Android phones up to date (although the results were probably skewed as they counted the Huawei-produced Nexus 6P phones, and these formed the majority of the test set, doh). This factor will play a role in the next smartphone that I buy.

Do you know of any (other) manufacturers of more affordable Android phones who are committed to keeping their users safe? Please let me know in the comments!

Addendum: Android phones with acceptable security update records

Blackberry PRIV, DTEK50 and DTEK60

lobste.rs user jabberwock tipped me off to the fact that Blackberry’s Android phones get monthly security updates. Read more at CrackBerry and here in the BlackBerry Android security bulletin for November: It looks like these phones receive monthly updates (when not blocked by the carrier, sigh) and have already received the November 2016 update.

Here is the original blog post where BlackBerry explained their security patching policies for the PRIV.