Hi, Bernd,

Agree! Know the attack, know the defense; that's the principle for product security.
Whole-system threat modeling will be the perfect thing for understanding the
attacks :-)

Thanks & Regards
Xiaoning

-----Original Message-----
From: Bernd Stramm [mailto:[email protected]] 
Sent: Tuesday, April 13, 2010 8:11 PM
To: Li, Xiaoning
Cc: Sebastian Lauwers; Ware, Ryan R; MeeGo Dev List
Subject: Re: [MeeGo-dev] MeeGo Security

On Tue, 2010-04-13 at 19:39 -0700, Li, Xiaoning wrote:
> If the issue does not directly apply to the MeeGo platform itself, we get a
> better sense of incident reporting and infrastructure security; that's not a
> bad thing :-)
> 
> >True, but again, I fail to see how this applies to MeeGo. Obviously we
> >need to have good security and procedures around system access, and
> >I'm sure that both Nokia and Intel's expertise in securing systems
> >will be invaluable here, and obviously I would love it if Nokia or
> >Intel would buy a bunch of hardware tokens that contributors could
> >acquire for a diminished price (Vasco would be the cheapest provider,
> >with batches going for around $12-$16 per unit, second would be [my
> >previous company], third would be RSA), as having OTPs would have
> >rendered the Apache attack useless, but I doubt we are anywhere near
> >such measures.
> 
> But I am interested in what you are talking about here.
> Beyond the HW tokens (that depends on the HW platform; if a SW stack exists,
> the team possibly needs to port it to MeeGo), why don't you think "both Nokia and
> Intel's expertise in securing systems will be invaluable"?
> What kinds of expertise do we need to secure the system, by your suggestion?
> HW can't handle most attacks in the real world; any recommendation from a software
> or system perspective?
> 
> Thanks&Regards
> Xiaoning

Another aspect that shouldn't be forgotten is that the most frequent
security problem will likely be that the entire system (the phone or
tablet) will be in an opponent's hands, with all its content available
for nefarious purposes. Including any authorization keys/tokens on that
system, giving the opponent ways of impersonating the rightful owner.

Bernd

-- 
Bernd Stramm <[email protected]>

_______________________________________________
MeeGo-dev mailing list
[email protected]
http://lists.meego.com/listinfo/meego-dev
