Re: [SC-L] Mobile phone OS security changing?
Michael Silk wrote: > The last thing I want is my mobile phone updating itself. I imagine > that sort of operation would take up battery power, and possibly cause > other interruptions ... (can you be on a call and have it update > itself?) A larger issue for me (though I'm straying a bit from SC) is that phone vendors tend to show a strong desire for lock-in, and I would fear auto-update mostly because of loss of features, DRM, etc... Ryan [Ed. Let's either stay on topic or let this thread die, please. KRvW]
Re: [SC-L] Mobile phone OS security changing?
Kenneth R. van Wyk wrote: Greetings, I noticed an interesting "article" about a mobile phone virus affecting Symbian-based phones out on Slashdot today. It's an interesting read: http://it.slashdot.org/it/05/04/06/0049209.shtml?tid=220&tid=100&tid=193&tid=137 What particularly caught my attention was the sentence, "Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?" Apart from the author implying that this is an "or" situation, I think it is definitely an "or" situation: automatic updates are expensive to provision and fugly for the user. They are just a kludge used when, for some reason, the software canot be made secure. That the desktop vendor (Microsoft) has not made their software secure is manifestly obvious. Whether the "can't" or "won't" is subject to rampant debate and speculation. The "can't" view says that legacy software and fundamentally broken architecture make securing it infeasible. The "won't" view says that it was not profitable for MS to spend the effort, and they are now changing. That the alternate desktop vendors (all the UNIX and Linux vendors including Apple) have made secure desktops is also manifestly obvious (no viruses to speak of, and certainly no virus problem). Whether this is "luck" or "design" is subect to rampant debate and speculation. The "luck" view says that these minority desktops are not a big enough target to be interesting to the virus writers. The "design" view is that the virus problem is induced by: 1. running the mail client with root/administrator privilege, and 2. a mail client that eagerly trusts and executes attached code, and that until UNIX/Linux desktops have both of those properties in large numbers, there never will be a virus problem on UNIX/Linux desktops. What the phone set people will do depends on which of the above factors you think apply to phone sets. Certainly the WinCE phones with Outlook are about to be virus-enabled. I don't know enough about Symbian to answer. The Linux hand sets could be designed either way; it would not surprise me to see phone set peole architecting a phone so that the keyboard is root. It is not exactly intuitive to treat a hand set as a multi-user platform. Crispin -- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com
Re: [SC-L] Mobile phone OS security changing?
On Apr 7, 2005 3:12 AM, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote: > On Wednesday 06 April 2005 09:26, Michael Silk wrote: > > The last thing I want is my mobile phone updating itself. I imagine > > that sort of operation would take up battery power, and possibly cause > > other interruptions ... (can you be on a call and have it update > > itself?) > > I vividly remember a lot of similar arguments a few years ago when desktop PCs > started doing automatic updates of OS and app software. Now, though, my > laptop gets its updates when it's connected and when I'm not busy doing other > things. Hmm, I wasn't around then but I can see what you are saying... Still, though, a phone seems so simple, and I can completely live without net access (I guess they said this too) so it just seems wrong, and a little annoying, to bring security problems to them... > My main point, though, is that the status quo is unacceptable in my opinion. > If a nasty vulnerability is found in most of today's mobile phone software, > the repair process -- take the phone to the provider/vendor and have them > burn new firmware -- just won't cut it. For that matter, a lot of PDAs are > in the same boat. True. But I wonder if an update strategy like that allows them to be more secure? I.e. perhaps a physical interface can allow more programming options? Options that aren't available over the HTTP interface (like installing apps, for example). This could increase their security. Corporations giving phones out to employee's, or developing software for them, could buy these attachments and have policies at work. Regular people would need to go back to the phone store, or a speciality "Mobile Phone Software Installer" store to get it done. > Sure, we'd all prefer better software in those devices to begin with, but as > long as there are bugs and flaws, the users of these devices need a better > way of getting the problems fixed. Fair enough.. > > Personally, I would prefer a phone that doesn't connect to the > > internet at all rather than a so called 'secure' phone. > > For the most part, those days are over. I guess I better hold on to my 'non-internet' phone for as long as I can, then, if I won't be able to replace it :) -- Michael > Cheers, > > Ken van Wyk > -- > KRvW Associates, LLC > http://www.KRvW.com
Re: [SC-L] Mobile phone OS security changing?
On Wednesday 06 April 2005 09:26, Michael Silk wrote: > The last thing I want is my mobile phone updating itself. I imagine > that sort of operation would take up battery power, and possibly cause > other interruptions ... (can you be on a call and have it update > itself?) I vividly remember a lot of similar arguments a few years ago when desktop PCs started doing automatic updates of OS and app software. Now, though, my laptop gets its updates when it's connected and when I'm not busy doing other things. My main point, though, is that the status quo is unacceptable in my opinion. If a nasty vulnerability is found in most of today's mobile phone software, the repair process -- take the phone to the provider/vendor and have them burn new firmware -- just won't cut it. For that matter, a lot of PDAs are in the same boat. Sure, we'd all prefer better software in those devices to begin with, but as long as there are bugs and flaws, the users of these devices need a better way of getting the problems fixed. > Personally, I would prefer a phone that doesn't connect to the > internet at all rather than a so called 'secure' phone. For the most part, those days are over. > From reading the article it seems like the application asks to be > installed, (is that correct?) so it doesn't seem like that big of a > problem [unless phones start to get into the 'trusted'/'non-trusted' > application area..] Fortunately, no one would ever think of removing that query from the worm or circumventing the mechanism in the OS, so that it copies itself without notice in the future. ;-\ Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] Mobile phone OS security changing?
The last thing I want is my mobile phone updating itself. I imagine that sort of operation would take up battery power, and possibly cause other interruptions ... (can you be on a call and have it update itself?) Personally, I would prefer a phone that doesn't connect to the internet at all rather than a so called 'secure' phone. >From reading the article it seems like the application asks to be installed, (is that correct?) so it doesn't seem like that big of a problem [unless phones start to get into the 'trusted'/'non-trusted' application area..] -- Michael On Apr 6, 2005 4:50 AM, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote: > Greetings, > > I noticed an interesting "article" about a mobile phone virus affecting > Symbian-based phones out on Slashdot today. It's an interesting read: > > http://it.slashdot.org/it/05/04/06/0049209.shtml?tid=220&tid=100&tid=193&tid=137 > > What particularly caught my attention was the sentence, "Will mobile OS > companies, like desktop OS makers, have to start an automatic update system, > or will the OS creators have to start making their software secure?" Apart > from the author implying that this is an "or" situation, it's something that > many of us have been saying for a very long time. (See my/Mark Graff's > related op-ed from over a year ago at: > http://www.securecoding.org/authors/oped/feb132004.php) > > Cheers, > > Ken van Wyk > -- > KRvW Associates, LLC > http://www.KRvW.com >