Of course, F-Secure sell mobile anti-virus software, and he could have easily avoided infection by employing a more sensible use of Bluetooth, so I always take these sorts of comments with a pinch of salt. Having said that, the F-Secure blog is pretty good, and probably essential reading for anyone interested in this discussion.
I've said it before, but is anyone thinking of Bitfrost on the OpenMoko platform?

http://wiki.laptop.org/go/Bitfrost

Joseph

On 11/01/2008, Christopher White <[EMAIL PROTECTED]> wrote:
> Regarding security and mobile phones..
>
> I recently read an interesting interview with Mikko Hypponen, chief
> research officer of F-Secure in IEEE Security and Privacy (Nov/Dec 07).
>
> He touched on the topic of security and mobile phones, even mentioned
> that he has received four worms on his mobile phone (they didn't infect,
> as he had antivirus protection), all variations of the Cabor or the
> CodeWarrior worms. One was beamed to his phone from a passing car,
> likely from an infected phone.
>
> The most interesting point he makes is that while infecting computers
> can indirectly be costly (identity theft, time spent, loss of critical
> data, etc.), infecting mobile phones can be *directly* costly. This is
> due to the built-in billing system in mobile phones.
>
> I would imagine lack of serious attention to security might be a
> barrier to wider scale deployment, particularly in a business
> environment. As the device will potentially carry highly sensitive data
> such as contacts, email, even documents, security will be key.
>
> ...cj
>
> On Thu, 2008-01-10 at 15:53 -0800, Michael Shiloh wrote:
> > Hi Brandon,
> >
> > (I encourage everyone to use meaningful subject lines)
> >
> > I suspect the real reason was that it was the easiest and quickest thing
> > to do at the time, and allowed the developers to focus on more pressing
> > issues, like getting the rest of the system working.
> >
> > I'm sure this will change in the future to a more secure system, and I
> > welcome all the ideas that have been suggested of what that might look
> > like. I'm pretty sure there is a wiki page where that's been started
> > already. If not, anyone is welcome to create one and to post these ideas
> > there.
> >
> > Michael
> >
> > Brandon Kruse wrote:
> > > I cannot speak for them, but look at your market place.
> > >
> > > Not secure servers but mobile telephony.
> > >
> > > The phone is as secure as you make it, and they have faith in the
> > > programs that are on there.
> > >
> > > Heck you could even make a security package to lock it down a little for
> > > those who want something extra.
> > >
> > > Anyone else?
> > >
> > > --------------------------------
> > > Brandon
> > >
> > > On Jan 10, 2008, at 4:30 PM, Denis <[EMAIL PROTECTED]> wrote:
> > >
> > >> So why did OpenMoko developers decide to run everything as root?
> > >>
> > >> 2008/1/11, Brandon Kruse <[EMAIL PROTECTED]>:
> > >>> Good luck easily hacking over a GPRS connection. Make your password
> > >>> longer than 6 characters, a ban after retry attempts, take it off port
> > >>> 22 and that will save 95% of attacks from script kiddies. (everything
> > >>> I listed is controllable on sshd_config, I believe)
> > >>>
> > >>> Just imho it helps, opinion and experience :)
> > >>>
> > >>> But overall, I agree, but your privileges are only as safe as your
> > >>> software.
> > >>> (eg when you run a socket based process as root, you trust it.)
> > >>>
> > >>> However, you make a good point :)
> > >>>
> > >>> KDE and GNOME take that precaution with gtk based Sudo when you login
> > >>> as a normal user (at least in Debian/Ubuntu) and I like that method.
> > >>>
> > >>> --------------------------------
> > >>> Brandon
> > >>>
> > >>> On Jan 10, 2008, at 3:43 PM, Denis <[EMAIL PROTECTED]> wrote:
> > >>>
> > >>>> But as far as I understand it's not secure, esp. for a device with
> > >>>> wi-fi, bluetooth, gprs and running ssh daemon! Linux gives us a great
> > >>>> power of user privileges management but we waste it. Wouldn't it be
> > >>>> better to run everything as an unprivileged user, or at least ask for
> > >>>> password at first run time?
_______________________________________________
OpenMoko community mailing list
[email protected]
http://lists.openmoko.org/mailman/listinfo/community
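
An added example, not part of the thread and not OpenMoko code: a small audit of the sshd_config settings that bear on the hardening suggestions quoted above (listening port, retry limit, root and password login). It assumes the device runs OpenSSH's sshd; the sample configuration is constructed, and the defaults for absent keywords and the MaxAuthTries threshold of 3 are this example's assumptions.

```python
# Added example: audit the sshd_config settings discussed in the thread.
# Assumption: defaults for absent keywords vary by OpenSSH version.
ASSUMED_DEFAULTS = {"port": "22", "permitrootlogin": "yes",
                    "passwordauthentication": "yes", "maxauthtries": "6"}

# Constructed sample, not taken from an OpenMoko image.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
#MaxAuthTries 3
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Return the global settings (keyword and value separated by whitespace)."""
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":               # conditional blocks are not global
            break
        if key == "port":
            ports.append(value)          # Port may be given several times
        else:
            settings.setdefault(key, value)  # sshd keeps the first value
    settings["port"] = ports or [ASSUMED_DEFAULTS["port"]]
    return settings

def audit(text):
    """Return findings for the settings the thread's hardening advice touches."""
    cfg = parse_sshd_config(text)
    get = lambda k: cfg.get(k, ASSUMED_DEFAULTS[k]).lower()
    findings = []
    if "22" in cfg["port"]:
        findings.append("Port 22: default port, hit by automated password guessing")
    if get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: a guessed password is a root shell")
    if get("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: passwords can be guessed remotely")
    if int(get("maxauthtries")) > 3:  # threshold of 3 is this example's choice
        findings.append("MaxAuthTries > 3: caps tries per connection, it is not a ban")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```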

