Re: Security in OpenMoko
On Saturday 06 October 2007 at 23:57 +0200, Torfinn Ingolfsen wrote:
> Hello,
>
> On 10/6/07, Cailan Halliday [EMAIL PROTECTED] wrote:
> > Hey everybody,
> >
> > I just found this device:
> > http://www.linuxdevices.com/news/NS4756295876.html
> >
> > I don't know anything about it really, but it's security related and
>
> This seems to be an HSM[1] device, it provides a hardware crypto accelerator and a secure key store. HSMs are commonly used on web and / or application servers for secure internet applications. And in PKI solutions.
> Useful if anybody comes up with application(s) that needs hardware-secured crypto keys on the mobile device.

Hmmm. Might be useful in fact. I have always dreamed that I could use the smartcard in my phone to do some real authentication with a third party computer. However, the conventional SIM card is pretty much locked by the operator (and well, even if you can reasonably expect the phone itself to be unlocked, it becomes much more questionable to ask the operator to share the smart card capabilities too...).

If another private smart card can fit in the micro sd slot, well, I find that it opens interesting opportunities, and the Neo itself would be a nice engine for trying to ensure compatibility with a non-smartcard aware environment...

Well, just my 0.02, but thanks for the link.

Rodolphe

PS: One could imagine doing the same thing with keys directly stored on the Neo. I dreamed of this too, but well, that's not the same security level.

___
OpenMoko community mailing list
community@lists.openmoko.org
http://lists.openmoko.org/mailman/listinfo/community
Re: Security in OpenMoko
Hey everybody,

I just found this device:
http://www.linuxdevices.com/news/NS4756295876.html

I don't know anything about it really, but it's security related and might provide some inspiration?

Cheers,
Cailan

From: Mikkel Meyer Andersen [EMAIL PROTECTED]
To: community@lists.openmoko.org
Date: Wed, 03 Oct 2007 20:44:00 +0200
Subject: Security in OpenMoko

Hi all,

First of all I'd like to say hello to all. I'm quite new at the OpenMoko-thingie (a Neo 1973 is on the way although - waiting with patience), so I hope you'll bear with me for minor (and major :-)) mistakes.

And now to the actual subject: is every application on OpenMoko running as root? A couple of weeks ago I wrote a post on this matter on my blog [1] and just today I saw that iPhone had exactly that flaw [2].

Allow me to quote myself partly from a mail to Sean Moss Pultz about this [3] sent 17th of September 2007, and partly to refer to me writing about it at the discussion site for the wiki [4].

I don't hope that I've offended anyone, that was certainly not the purpose. I just think security is a huge point of interest and should draw a sufficient amount of focus from us developers.

Regards,
Mikkel Meyer Andersen aka. mikl-dk
Denmark

---
[1]: http://www.scienco.org/2007/openmoko/always-root/
[2]: http://www.eweek.com/article2/0,1895,2191373,00.asp
[3]:
Triggered by the question whether every execution of an application is done by the root-user, I started wondering about the security in OpenMoko in general. Actually I found very little - near to nothing - about it, and I personally think that's inappropriate for this project. We simply have to focus very much on security so that isn't going to be a pitfall. So please, let's focus on this! If desired, I'll be glad to join such a task-force. Many other manufacturers don't focus that much on security, and one is starting to talk about viruses on mobile phones and so on. I think it's very important to make security an issue in OpenMoko.
(It could be a small-scale solution known from *nix such as the daily use was under a normal user account and the root account was required in order to install applications and change certain system settings; and the root should have a password - or maybe even use sudo or something.)
[4]: http://wiki.openmoko.org/wiki/Talk:Main_Page
Re: Security in OpenMoko
Hello,

On 10/6/07, Cailan Halliday [EMAIL PROTECTED] wrote:
> Hey everybody,
>
> I just found this device:
> http://www.linuxdevices.com/news/NS4756295876.html
>
> I don't know anything about it really, but it's security related and

This seems to be an HSM[1] device, it provides a hardware crypto accelerator and a secure key store. HSMs are commonly used on web and / or application servers for secure internet applications. And in PKI solutions.
Useful if anybody comes up with application(s) that needs hardware-secured crypto keys on the mobile device.

1) http://en.wikipedia.org/wiki/Hardware_Security_Module

--
Regards,
Torfinn Ingolfsen
Security in OpenMoko
Hi all,

First of all I'd like to say hello to all. I'm quite new at the OpenMoko-thingie (a Neo 1973 is on the way although - waiting with patience), so I hope you'll bear with me for minor (and major :-)) mistakes.

And now to the actual subject: is every application on OpenMoko running as root? A couple of weeks ago I wrote a post on this matter on my blog [1] and just today I saw that iPhone had exactly that flaw [2].

Allow me to quote myself partly from a mail to Sean Moss Pultz about this [3] sent 17th of September 2007, and partly to refer to me writing about it at the discussion site for the wiki [4].

I don't hope that I've offended anyone, that was certainly not the purpose. I just think security is a huge point of interest and should draw a sufficient amount of focus from us developers.

Regards,
Mikkel Meyer Andersen aka. mikl-dk
Denmark

---
[1]: http://www.scienco.org/2007/openmoko/always-root/
[2]: http://www.eweek.com/article2/0,1895,2191373,00.asp
[3]:
Triggered by the question whether every execution of an application is done by the root-user, I started wondering about the security in OpenMoko in general. Actually I found very little - near to nothing - about it, and I personally think that's inappropriate for this project. We simply have to focus very much on security so that isn't going to be a pitfall. So please, let's focus on this! If desired, I'll be glad to join such a task-force. Many other manufacturers don't focus that much on security, and one is starting to talk about viruses on mobile phones and so on. I think it's very important to make security an issue in OpenMoko.
(It could be a small-scale solution known from *nix such as the daily use was under a normal user account and the root account was required in order to install applications and change certain system settings; and the root should have a password - or maybe even use sudo or something.)
[4]: http://wiki.openmoko.org/wiki/Talk:Main_Page