maemo.org - Talk


meanwhile 2008-04-13 19:42

Security on Nits?
 
I do wish that Nokia had thought of a product name that led to a better acronym, btw...

Anyway. As I understand - based on nothing but googling - the situation on security is this:

- There are such things as linux software keyloggers, and in theory any app you install on your Nit could install one? Apps aren't run in a sandbox mode, or secured in any other way?

- There's no firewall software for the Nit, so a keylogger wouldn't have a problem getting your paypal password and whatever other details it could steal out to the world once it had them?

- There's no sign of this or anything like this ever having happened? although it seems to be much on the mind of Nokia's legal dept, judging from the warnings about non-Nokia sw App Mgr provides

- Virus and logger attacks on Linux systems are extremely rare in the wild (possibly because Linux systems are assumed to be competently firewalled? which, of course, the Nits aren't, and can't be)

In summary, security seems to be based on "We hope no one ever bothers to attack." Which may well be the case, and will probably work given the (regrettably) low profile the platform has, but it still means that I won't be using the thing to access my regular mail accounts, but only the backups I keep for accessing on hotel machines, etc.

Anyway, *if* the above is true, then my biggest wish for OS2009 is a firewall.

(I remember seeing a Nokia site with advice on security on the Tablets, but every time I've clicked it, it failed to work.)

tabletrat 2008-04-13 19:51

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169284)
I do wish that Nokia had thought of a product name that led to a better acronym, btw...

Anyway. As I understand - based on nothing but googling - the situation on security is this:

- There are such things as linux software keyloggers, and in theory any app you install on your Nit could install one? Apps aren't run in a sandbox mode, or secured in any other way?

- There's no firewall software for the Nit, so a keylogger wouldn't have a problem getting your paypal password and whatever other details it could steal out to the world once it had them?

I don't see how a firewall would help you in this situation.
A software firewall only protects you from software outside trying to get in, it can only provide minimal protection the other way (well, it could provide more, but that would be irritating). Also the other disadvantage the firewall would have is if you can control it, something running as you can control it too and switch it off.

I would say it would offer you the worst of all worlds - it would give you a sense of security that just wasn't true.
Better to make sure you know what is running on your NiT.

peterjb31 2008-04-13 20:12

Re: Security on Nits?
 
It's important to note that while software like keyloggers could be installed on a nit it would require the user to install it. This is why one should only install software from trusted sources. One of the advantages of open source software is that if you have the skills you can look at what the software does, so you could find out if it had malicious code in it.

It's also important to note that because of the linux architecture no software can be automatically installed from visiting a website as you have to set any file downloaded as executable.

qwerty12 2008-04-13 20:17

Re: Security on Nits?
 
Also how many armel keyloggers do you find? ;p

Actually, one arm keylogger elf was compiled for my sony ericsson w810....

meanwhile 2008-04-13 20:28

Re: Security on Nits?
 
Quote:

Originally Posted by tabletrat (Post 169286)
I don't see how a firewall would help you in this situation.
A software firewall only protects you from software outside trying to get in, it can only provide minimal protection the other way (well, it could provide more, but that would be irritating).

Mine certainly only allows the connections I authorize. Implemented properly, it isn't irritating at all.

Quote:

Also the other disadvantage the firewall would have is if you can control it, something running as you can control it too and switch it off.

That's not a disadvantage, it's a flaw - a disadvantage would be if having the firewall was worse than not having it, whereas you're arguing that the firewall isn't *perfect*. Yes: I certainly wouldn't have a machine without a virus checker and other protective apps as well as a firewall.

Otoh, switching off a firewall probably means GUI interaction (or certainly the firewall can be designed that way) so the effort for the virus writer has gone way up. Or his job may be impossible, depending on what the OS allows.

Quote:

I would say it would offer you the worst of all worlds - it would give you a sense of security that just wasn't true.

This is an argument that the Religious Right uses over condoms and Aids. The empirically observed result is death among believers.

(Hint: do you drive through stop lights because you are wearing a seatbelt? Employing a safety measure doesn't flip a magical switch in the human mind to forget about a problem - it just means that the person has taken a step to reduce the threat level. If you believe otherwise, good luck with the campaign to ban seat belts, motorcycle helmets, firearm safeties, safe sex education, tetanus shots, safety shoes, parachutes, and fire extinguishers and exits.)


Quote:

Better to make sure you know what is running on your NiT.

But you don't in any meaningful sense, unless you wrote every line of code running. Unless you're referring to some sort of runtime monitoring tool?

meanwhile 2008-04-13 20:37

Re: Security on Nits?
 
Quote:

Originally Posted by peterjb31 (Post 169298)
It's important to note that while software like keyloggers could be installed on a nit it would require the user to install it. This is why one should only install software from trusted sources.

...Which would restrict most users to Nokia's own software and very little else.

Quote:

One of the advantages of open source software is that if you have the skills you can look at what the software does, so you could find out if it had malicious code in it.

Yes: if you have excellent programming skills and nothing else to do, this is certainly an option. Hands up everyone that will work for..?

The real security advantage of Open Source is the hope that enough people are looking at the code for a project so nastiness will be revealed by one of the people on the project. I have my doubts that development is active enough on the platform for this to work.

However I would agree with openness as a crude heuristic for greater trustworthiness: if I was an attacker, I'd write a useful non-open source program for the platform - probably a good PIM.


Quote:

It's also important to note that because of the linux architecture no software can be automatically installed from visiting a website as you have to set any file downloaded as executable.

My concern is definitely with the apps that users choose to install.

tekplay 2008-04-13 22:38

Re: Security on Nits?
 
Yes, checking source, signatures, chksums of packages is always a good practice. clamav for virus checking works well, also rkhunter for rootkit checks, denyhosts for blocking ssh connections if you do leave port 22 open; and am sure other open source security tools should work well on the IT.

brontide 2008-04-13 23:09

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169306)
Mine certainly only allows the connections I authorize. Implemented properly, it isn't irritating at all.

Of course the keylogger could just use the web or mail to export the data. A firewall is virtually useless for stopping outgoing data.

Of course the easier vector is just to dump all the plaintext passwords stored in the NIT as well as MicroB and cookies. Installing the malware is easy as most .install files are downloaded over http and could easily be subverted with additional code.

Easier yet is just to add code to pidgin.

Realistically it's not worth the time... even code that subverted 50% of the NITs, that's still less systems than code that subverted .001% of the windows boxen out there.

tabletrat 2008-04-13 23:32

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169306)
That's not a disadvantage, it's a flaw - a disadvantage would be if having the firewall was worse than not having it, whereas you're arguing that the firewall isn't *perfect*. Yes: I certainly wouldn't have a machine without a virus checker and other protective apps as well as a firewall.

I have several and always have had.

Quote:

Originally Posted by meanwhile (Post 169306)
Otoh, switching off a firewall probably means GUI interaction (or certainly the firewall can be designed that way) so the effort for the virus writer has gone way up. Or his job may be impossible, depending on what the OS allows.

Almost never means GUI interaction. Anything you can control in any way, can be controlled by any other thing. If you have a virus/keylogger/whatever, it is running at the same privilege level as you, so it can control your firewall as well as you can. Maybe even better because it is putting effort into it.


Quote:

Originally Posted by meanwhile (Post 169306)
This is an argument that the Religious Right uses over condoms and Aids. The empirically observed result is death among believers.

That is going to an extreme to try and prove an argument. It is nowhere near the same level of importance.

Quote:

Originally Posted by meanwhile (Post 169306)
(Hint: do you drive through stop lights because you are wearing a seatbelt? Employing a safety measure doesn't flip a magical switch in the human mind to forget about a problem - it just means that the person has taken a step to reduce the threat level. If you believe otherwise, good luck with the campaign to ban seat belts, motorcycle helmets, firearm safeties, safe sex education, tetanus shots, safety shoes, parachutes, and fire extinguishers and exits.)

Again, going to an extreme to try and prove your point doesn't make it any more valid.
But no, employing a safety measure does statistically flip a switch to reduce the thought about the problem. Ok, you are not going to go into your daft example, but many studies have shown that people employing safety mechanisms do actually think less about a problem. Especially when that safety mechanism is more of a placebo.
A hardware firewall is a fantastic thing. A software firewall is better than nothing from protecting you from the outside, and gives you some protection from the inside.

Quote:

Originally Posted by meanwhile (Post 169306)
But you don't in any meaningful sense, unless you wrote every line of code running. Unless you're referring to some sort of runtime monitoring tool?

No, I am referring to knowing what you install on your NiT, and knowing where it came from. You can't be expected to know every line of code running, but you can be expected to know what you have installed, and know what level of trust you give that code.

GeraldKo 2008-04-13 23:38

Re: Security on Nits?
 
Quote:

Originally Posted by brontide (Post 169348)
Realistically it's not worth the time... even code that subverted 50% of the NITs, that's still less systems than code that subverted .001% of the windows boxes out there.

So Nokia's failure to include a PIM app is actually intended to be, in a roundabout way, a security feature!

cvmiller 2008-04-14 02:05

Re: Security on Nits?
 
There is the built in linux firewall which is controlled by /sbin/iptables. Very powerful, and very difficult to configure, if you have never used it before. It is an excellent way to block tcp/udp ports.

I hope this helps,

Craig...

TA-t3 2008-04-14 10:45

Re: Security on Nits?
 
A keylogger trojan would just push the data out through the email program. Can't block that in any easy way.

I know Windows firewalls (at least the good ones) can specify not only port, but also application, and say "the browser can go out to port 80, any other app can't". And so on. This isn't easy to do on Linux or Unix. It wouldn't be that useful either, even if iptables could do it, because on Windows it's much more common that every application do their input/output directly, while on *nix you can often just communicate through the daemon or service that usually handles that kind of traffic (e.g. for sending email you almost never try to send data directly on port 25, instead you use the sendmail (or equivalent) program)).

Out of the box there's almost nothing listening to any TCP/IP or UDP port on the NIT, so someone breaking their way into your NIT isn't much of an issue. However, if you install something that happens to be a trojan there's very little you can do to avoid it doing whatever harm it wants. This is such a serious situation that the only thing that helps is "don't do that". On any platform.

schmots 2008-04-14 12:18

Re: Security on Nits?
 
Let's also look at it this way.

Coding is complex. The internet tablet is a custom kernel on an armel processor. A very very very very small niche of the linux users out there. Someone would have to write, or compile the app to run, you would have to install it... it's actually a much rarer thing than most people imagine.

brontide 2008-04-14 12:59

Re: Security on Nits?
 
Quote:

Originally Posted by schmots (Post 169516)
Let's also look at it this way.

Coding is complex. The internet tablet is a custom kernel on an armel processor. A very very very very small niche of the linux users out there. Someone would have to write, or compile the app to run, you would have to install it... it's actually a much rarer thing than most people imagine.

I would say it's a lot easier than people say. All I need to do is make a new build of pidgin or firefox and post them here. I would have several hundred installs within a few days.

That said it's all about risk. I have a pre-school daughter. Do I fret about "sexual predators"? Not really, day to day I'm more worried about her falling down the stairs or running into the street. In the case of the NIT's there are much bigger fish to fry before I'm going to become worried about malware.

Oh and iptables can block by process, uid, gid, and other criteria. If its blocking is not good enough it can shunt the connections through a userspace daemon to do more complex actions.

TA-t3 2008-04-14 14:35

Re: Security on Nits?
 
iptables can do that, yes, but if you send your emails through sendmail/exim/whatever, as is easiest anyway, it won't help..
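The per-user matching brontide describes, sketched as an added example that is not part of the original thread: a function that prints an `iptables-restore` ruleset dropping outbound traffic by default and allowing it only for named local users. It assumes the kernel provides the iptables `owner` match; the user names passed in are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Prints a ruleset; applies nothing.
# Assumption: the running kernel has the iptables "owner" match available.

# gen_egress_rules USER...
# Emits filter-table rules in iptables-restore format on stdout:
# OUTPUT defaults to DROP, and only sockets owned by the listed users
# may open new outbound connections.
gen_egress_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # Local IPC over loopback, and packets on already-accepted flows.
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for u in "$@"; do
        # Refuse anything that is not a plain account name, so the
        # generated ruleset cannot be altered by a crafted argument.
        case $u in
            ''|*[!A-Za-z0-9_-]*)
                echo "bad user name: $u" >&2
                return 1 ;;
        esac
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $u -j ACCEPT"
    done
    # Everything else is logged before the DROP policy takes it.
    printf '%s\n' '-A OUTPUT -j LOG --log-prefix "egress-denied: "'
    printf '%s\n' 'COMMIT'
}

# Limit raised in the thread: the match is on the socket owner only.
# Code running as an allowed user, or code that hands its data to a
# local daemon (for example a mail transfer agent) whose uid is allowed,
# still reaches the network. A local DNS cache needs its uid listed too.

# Stand-alone use: ./egress.sh user mail | iptables-restore   (as root)
if [ $# -gt 0 ]; then
    gen_egress_rules "$@"
fi
```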

Benson 2008-04-14 15:40

Re: Security on Nits?
 
Installing packages is done as root; no matter what you set up (other than rejecting packages before installation), a malicious package can disable or circumvent the firewall. Same as on any UNIX system; if you don't trust the software, don't do a system-wide install.

After installing, you can check sudoers, as it's reasonably likely that malware would put itself in there to permit any malicious activities that require root. All depends on the payload, of course. A keylogger can get by quite fine by itself, as long as some usable process (ssh, mail, etc.) is able to access the outside world.

Things you can do to check software you're considering installing:
Check the file-list.
Check the install scripts.
That should make the scope of things it can do clear; but even with no SUID or sudoers entries, you can do a lot.
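One way to script the two checks listed in the post above (file list, install scripts), as an added example that is not part of the original thread. It assumes the package is a Debian-format `.deb` and that `dpkg-deb` is available; the risk patterns are illustrative heuristics chosen for this example, not a complete list.

```shell
#!/bin/sh
# Added example (not from the thread): review a .deb before installing it.

# flag_listing: reads `dpkg-deb -c` output on stdin and prints
# "REASON<TAB>/path" for entries that widen what the package can do.
flag_listing() {
    awk '
    {
        mode = $1
        if (mode ~ /^d/) next                 # skip directories
        path = $6
        for (i = 7; i <= NF; i++) path = path " " $i   # names with spaces
        sub(/ -> .*$/, "", path)              # drop symlink target
        sub(/^\.\//, "", path); sub(/^\//, "", path)
        path = "/" path
        # setuid/setgid appear as s or S in the execute slots
        if (substr(mode, 4, 1) ~ /[sS]/) print "setuid\t" path
        if (substr(mode, 7, 1) ~ /[sS]/) print "setgid\t" path
        if (path ~ /^\/etc\/sudoers/) print "sudoers\t" path
        if (path ~ /^\/etc\/(init\.d|rc[0-9S]\.d)\//) print "boot-script\t" path
        if (path ~ /^\/etc\/cron/) print "cron\t" path
    }'
}

# scan_scripts DIR: DIR holds control files extracted with `dpkg-deb -e`.
# Prints "script:line:text" for maintainer-script lines that touch
# sudoers, set setuid/setgid bits, fetch from the network, change
# firewall rules or register boot/cron jobs. These run as root at install.
scan_scripts() {
    for s in preinst postinst prerm postrm; do
        [ -f "$1/$s" ] || continue
        grep -nE 'sudoers|chmod +([ugoa]*\+[rwxX]*s|0?[2-7][0-7]{3})|wget|curl|iptables|/etc/(init\.d|cron)' "$1/$s" |
            sed "s|^|$s:|"
    done
}

# audit_deb FILE.deb: run both checks against a real package.
audit_deb() {
    tmp=$(mktemp -d) || return 1
    echo "== file list findings =="
    dpkg-deb -c "$1" | flag_listing
    echo "== maintainer script findings =="
    dpkg-deb -e "$1" "$tmp" && scan_scripts "$tmp"
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then
    audit_deb "$1"
fi
```

An empty report only means none of these patterns matched; as the post says, a package with no SUID or sudoers entries can still do a lot.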

TA-t3 2008-04-14 18:20

Re: Security on Nits?
 
Yep, if malicious software gets installed, no firewall or anything else would help. So, this is what must be avoided.

meanwhile 2008-04-14 18:48

Re: Security on Nits?
 
Quote:

Originally Posted by TA-t3 (Post 169695)
Yep, if malicious software gets installed, no firewall or anything else would help.

No, that's just wrong. A decent firewall will stop applications sending data (your passwords, credit card numbers, confidential email) outside your machine without your permission.

Wait: TA's post makes MUCH more sense when I look at one of his earlier ones too:

Quote:

I know Windows firewalls (at least the good ones) can specify not only port, but also application, and say "the browser can go out to port 80, any other app can't". And so on. This isn't easy to do on Linux or Unix. It wouldn't be that useful either, even if iptables could do it, because on Windows it's much more common that every application do their input/output directly, while on *nix you can often just communicate through the daemon or service that usually handles that kind of traffic (e.g. for sending email you almost never try to send data directly on port 25, instead you use the sendmail (or equivalent) program)).

Out of the box there's almost nothing listening to any TCP/IP or UDP port on the NIT, so someone breaking their way into your NIT isn't much of an issue. However, if you install something that happens to be a trojan there's very little you can do to avoid it doing whatever harm it wants. This is such a serious situation that the only thing that helps is "don't do that". On any platform.

Very useful. Thanks.

meanwhile 2008-04-14 19:00

Re: Security on Nits?
 
Quote:

Originally Posted by brontide (Post 169528)
I would say it's a lot easier than people say. All I need to do is make a new build of pidgin or firefox and post them here. I would have several hundred installs within a few days.

If I was a Linux programmer in a low wage economy, with the connections to use credit card numbers and paypal, I'd see the Nits as a godsend. Three months programming would get the machine the decent PIM it lacks; 2000 downloads (the most any Nit app seems to get) might get me 1000 compromised individuals. Say I get $1000 from each, of which I keep $500 - I don't have to work again for the rest of my life.

I'm tempted to do it myself.

Quote:

That said it's all about risk. I have a pre-school daughter. Do I fret about "sexual predators"? Not really, day to day I'm more worried about her falling down the stairs or running into the street. In the case of the NIT's there are much bigger fish to fry before I'm going to become worried about malware.

This is true. As I said in my first post, I think the platform is reasonably safe through obscurity. However, speaking personally, I'd find it undignified to rely on luck for my computer security strategy. (Plus it would be professionally embarrassing to me if anyone realized I was doing this.) So I'll make a minor effort and set up an extra mail account.

Quote:

Oh and iptables can block by process, uid, gid, and other criteria. If its blocking is not good enough it can shunt the connections through a userspace daemon to do more complex actions.

That's good information - thanks. I don't think it would do the average user much good though.

Nokia do seem to have designed an inherently insecure device, unfitted for most users. If I was them, I'd have firewalled the machine and given it a virtual machine with a sandbox mode, and required special effort and passwords to install apps that bypassed this.

Btw, is there a mode that stops users from being able to install apps?

meanwhile 2008-04-14 19:03

Re: Security on Nits?
 
Quote:

Originally Posted by cvmiller (Post 169392)
There is the built in linux firewall which is controlled by /sbin/iptables. Very powerful, and very difficult to configure, if you have never used it before. It is an excellent way to block tcp/udp ports.

I hope this helps,

Craig...

Wait - there IS a firewall??? All they had to do was add a GUI???

Anyway, very useful - or at least very interesting, as I don't know if I'll make that much effort. Might be much simpler to carry out my extra email account plan and limit my use of the N800 to fun stuff.

meanwhile 2008-04-14 19:11

Re: Security on Nits?
 
Quote:

Originally Posted by TA-t3 (Post 169500)
A keylogger trojan would just push the data out through the email program. Can't block that in any easy way.

I know Windows firewalls (at least the good ones) can specify not only port, but also application, and say "the browser can go out to port 80, any other app can't". And so on. This isn't easy to do on Linux or Unix. It wouldn't be that useful either, even if iptables could do it, because on Windows it's much more common that every application do their input/output directly, while on *nix you can often just communicate through the daemon or service that usually handles that kind of traffic (e.g. for sending email you almost never try to send data directly on port 25, instead you use the sendmail (or equivalent) program)).

Out of the box there's almost nothing listening to any TCP/IP or UDP port on the NIT, so someone breaking their way into your NIT isn't much of an issue. However, if you install something that happens to be a trojan there's very little you can do to avoid it doing whatever harm it wants. This is such a serious situation that the only thing that helps is "don't do that". On any platform.

What I find interesting but hard to understand here is your "any platform" comment, combined with the statement about Windows firewalls. It isn't really a Nit question, but why do you feel this way?

brontide 2008-04-14 19:42

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169720)
Nokia do seem to have designed an inherently insecure device, unfitted for most users. If I was them, I'd have firewalled the machine and given it a virtual machine with a sandbox mode, and required special effort and passwords to install apps that bypassed this.

Come back to the real world. Under that theory there are NO secure desktops, laptops, or ATM's sold today.

Imperfect != inherently insecure.

tabletrat 2008-04-14 19:49

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169720)
If I was a Linux programmer in a low wage economy, with the connections to use credit card numbers and paypal, I'd see the Nits as a godsend. Three months programming would get the machine the decent PIM it lacks; 2000 downloads (the most any Nit app seems to get) might get me 1000 compromised individuals. Say I get $1000 from each, of which I keep $500 - I don't have to work again for the rest of my life.

What a waste of time. Write yourself a free downloadable game on windows. 1,000,000 downloads, of which 90% have some anti-spyware/virus/firewall thing. That gives you 100,000 x your $500.

And the programming would take a lot less time as well.

The NiTs I would put as so far under the radar it wouldn't be worth the overhead of programming for them.

mwiktowy 2008-04-14 20:43

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169284)
Anyway, *if* the above is true, then my biggest wish for OS2009 is a firewall.

A firewall is not a magic bullet. Even if it is properly configured, it is not the end all of security. It will do very little against random third-party apps that are installed as root that want to do bad things. Your best bet against something like that is SELinux but that is *a lot* of work to do right and it frequently gets in the way of random third-party apps that you might want to run. It also would be a bit heavy on a limited-resource mobile platform.

Likely the most bang for the buck will come from organizing a central repository of software that is simple to submit code to, where the source code is actually audited and the apps are built with a trusted compiler so that your source -> binary -> distribution chain is trusted. For those who want to stay in the protective bubble, they can just have that repo enabled. I think Nokia has come part of the way but is not completely there yet. I am not sure if this goal is even on their radar. All other Linux distros do this in some way so that trojan programs don't slip in and their users have a safe harbour.

For those who are more daring, third party repos abound. There is very little that can be done to secure those who don't care to be. The biggest weakness in computer security is generally between the keyboard (or the touch-screen in this case) and the chair.

meanwhile 2008-04-14 21:00

Re: Security on Nits?
 
Quote:

Originally Posted by tabletrat (Post 169741)
What a waste of time. Write yourself a free downloadable game on windows. 1,000,000 downloads, of which 90% have some anti-spyware/virus/firewall thing. That gives you 100,000 x your $500.

If you can write a game that can generate a million downloads, then you can probably do quite well on adware. 1000-50,000 are more realistic.

Anyway, leaving this aside, you're still wrong: the security tools on decently configured PCs will pick up a naughty application being naughty in the first few days. After which the app will be removed from download sites, before it has time to spread. You might say that the app could wait six months to build decent user numbers before doing naughty things, but a lot of people delete these things every couple of weeks or so.

Which is why the world economy isn't collapsing because of $50M videogame thefts, in case you were wondering. In the real world, investing serious effort in a free game would probably only yield a few hundred successful attacks.

Quote:

And the programming would take a lot less time as well.

You seem to be implying that maemo tools are poor? I can't comment. (Btw: an Evil Programmer would have few qualms about stealing open source code - I know, it's shocking, but there you are. Criminals have no respect for the law. He/she'd probably start with the GNU apps, fix the alarm functionality, and go on from there.)


Quote:

The NiTs I would put as so far under the radar it wouldn't be worth the overhead of programming for them.

So you're basing your personal security on Nokia's continued lack of success? I think the strategy will probably work, but as I said, personally I'd find it undignified.

meanwhile 2008-04-14 21:06

Re: Security on Nits?
 
Quote:

Originally Posted by mwiktowy (Post 169774)
A firewall is not a magic bullet. Even if it is properly configured, it is not the end all of security. It will do very little against random third-party apps that are installed as root that want to do bad things.

Based on the posts above, I'm astonished by how potentially ineffective Linux firewalls are, as opposed to Windows ones.

Quote:

Your best bet against something like that is SELinux but that is *a lot* of work to do right and it frequently gets in the way of random third-party apps that you might want to run. It also would be a bit heavy on a limited-resource mobile platform.

Likely the most bang for the buck will come from organizing a central repository of software that is simple to submit code to, where the source code is actually audited...

Depends what you mean by "audited". I'm unaware of any process that can give a reasonable assurance of security without a lot of expense or donated free eyeball, which probably wouldn't be given.

Sandbox execution, otoh, can make the engineering effort for an attacker very high to impossible: that's the way I'd go. It's what Google are doing with Android, and it seems pretty bloody obvious as a solution.

Edit to add:
Nokia seem to be going for a form of sandboxing on Symbian:
http://www.forum.nokia.com/main/plat.../security.html

Benson 2008-04-14 21:35

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169792)
Based on the posts above, I'm astonished by how potentially ineffective Linux firewalls are, as opposed to Windows ones.

Sheesh. Running as root; what do you propose to stop a process running as root? Kernel-space or hardware only. And kernel-space is hard, since you can flash the kernel and reboot the device as root. Windows firewalls are not as effective as you might think, when applied to a system with a real security system, but with a crazy nut installing random things. In Windows, many applications can be installed without administrative privileges. (Which is not the way to go; even if trojans can't automatically get root, they can still compromise privacy, destroy data, and use exploits (local exploits, of course) to get root.) A port of Windows firewall would not be any better.

Quote:

Sandbox execution, otoh, can make the engineering effort for an attacker very high to impossible: that's the way I'd go. It's what Google are doing with Android, and it seems pretty bloody obvious as a solution.

Sandbox execution, otoh, can make doing some things bloody near impossible. It works great for daemons with narrowly defined jobs; it works great for nice little applications. It doesn't work for, say, updating the kernel, or anything else outside the sandboxes. So unless you want to completely close the package management system, or require only Nokia signed OS packages, you're still in the same mess.

The trouble is giving a (clueless) user root, even for the limited purpose of installing packages. There's nothing that can (or should) stop a determined sysadmin from hosing a system, or a careless one from doing it by accident.

meanwhile 2008-04-14 22:46

Re: Security on Nits?
 
Quote:

Originally Posted by Benson (Post 169815)
Sheesh. Running as root; what do you propose to stop a process running as root?

How about "Only allowing a process to run as root if installed with specific root permission by the user"? It's not rocket science. Very few apps need this.

Quote:

Kernel-space or hardware only. And kernel-space is hard, since you can flash the kernel and reboot the device as root.

Sorry: the first clause isn't a sentence, so I can't understand what you meant. No criticism: typos happen.

Quote:

Windows firewalls are not as effective as you might think, when applied to a system with a real security system, but with a crazy nut installing random things.

That's opinion, your argument is..? Anyway, my concern isn't a "crazy nut" but a moderately sensible user who isn't a linux developer, and who wants to install an independent PIM on his Nit.

Quote:

In Windows, many applications can be installed without administrative privileges. (Which is not the way to go; even if trojans can't automatically get root, they can still compromise privacy, destroy data, and use exploits (local exploits, of course) to get root.)

What this means is that the firewall isn't perfect but that it greatly increases the cost of a successful attack. Perfect would be nice, but in the real world I'll settle for good locks and a decent alarm over nothing, nada, zip or bupkis.

Quote:

Sandbox execution, otoh, can make doing some things bloody near impossible. It works great for daemons with narrowly defined jobs; it works great for nice little applications. It doesn't work for, say, updating the kernel

That's the point. A sandbox lets me run 99% of apps safely. Conveniently, the 1% it can't handle are those that I expect to get from the platform owner - OS updates.

Quote:

it won't let me run I can get from a trusted source.
or anything else outside the sandboxes.

No, as I said users could have the option of non-sandbox apps. But with a decent design they would be rarely needed - certainly not for a PIM, a media player (given a decent api), or the other apps most users care about.

Quote:

So unless you want to completely close the package management system, or require only Nokia signed OS packages, you're still in the same mess.

This is doubly wrong.

Firstly, installing OS's should be an unusual procedure that can have all sorts of special warnings and affordances (eg turning off the machine and following a special reboot procedure) to cue the user that he is performing an unusual task and get him to read and think about warnings. I doubt many users could be persuaded to load a non-Nokia OS even without security warnings, but with them - forget it. Not a practical method of attack.

Secondly, ***most potential users would be willing to give up non-Nokia OSes to get better security!*** Otoh, I can't count on Nokia for decent apps - not even an ebook reader or a PIM.

Quote:

The trouble is giving a (clueless) user root, even for the limited purpose of installing packages. There's nothing that can (or should) stop a determined sysadmin from hosing a system, or a careless one from doing it by accident.
This is just irrelevant to how a sandbox model works.

The current security model (ie none) is a fairly good explanation why the Nit hasn't been picked up for vertical applications and other corporate development.

Anyway, I suspect that Nokia will be ditching Maemo/ITOS for Android (which does use a sandboxed virtual machine) if they continue updating firmware after the next release. It's hard to see why they'd carry on with Maemo after this point.

tabletrat 2008-04-14 23:20

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169789)
If you can write a game that can generate a million downloads, then you can probably do quite well on adware. 1000-50,000 are more realistic.

Anyway, leaving this aside, you're still wrong: the security tools on decently configured PCs will pick up a naughty application being naughty in the first few days. After which the app will be removed from download sites, before it has time to spread.

The big download sites, maybe. Not all of the download sites. And as I specifically mentioned the non-decently configured PCs, it being picked up is a moot point (actually not a moot point, but what people accept as being a moot point, which is in fact the opposite!).


Quote:

Originally Posted by meanwhile (Post 169789)
You might say that the app could wait six months to build decent user numbers before doing naughty things, but a lot of people delete these things every couple of weeks or so.

indeed they do.

Quote:

Originally Posted by meanwhile (Post 169789)
Which is why the world economy isn't collapsing because of $50M videogame thefts, in case you were wondering. In the real world, investing serious effort in a free game would probably only yield a few hundred successful attacks.

That sounds pretty good to me. Write a few games then, rather than one.

Quote:

Originally Posted by meanwhile (Post 169789)
You seem to be implying that maemo tools are poor? I can't comment.

I don't think I implied that. Maemo tools are linux tools, they are ok. They are not as good as some, but better than they used to be. Just things tend to be harder to write under linux than, say, the pocketPC.
Maemo tools have come on leaps and bounds in the last year from what I can see.

Quote:

Originally Posted by meanwhile (Post 169789)
So you're basing your personal security on Nokia's continued lack of success? I think the strategy will probably work, but as I said, personally I'd find it undignified.

No, I am basing my personal security on the law of probabilities. Compared to using a windows machine on the network I am orders of magnitude safer. Statistically, all the time I am using the nokia, I am not using a PC, therefore my safety is increasing. Note, my views on software firewalls are the same on PCs, they are better than nothing, but they aren't foolproof. They are certainly the first thing switched off by almost all successful viruses.

It's like anything. Yes, I could get blown up in a tube train by terrorists (or in my case in the UK, shot by the police thinking I was a terrorist) but it really isn't worth putting any effort worrying about because I am thousands of times more likely to be hit by a truck driver on the motorway who fell asleep.

When I connect to my bank I have a hardware encrypted password generator, supplied by my bank. They can log every detail of my bank transaction, but without that hardware dongle it won't do any good.

The rest of it? It doesn't work like you seem to think. It works by a low hanging fruit idea. However clever and complicated your scheme making this nokia key logger, your profits will always be dwarfed by those who put their effort into getting people to enter their passwords on your website by offering them money for nothing, claiming to be their bank or a request from ebay/paypal. A large number of people are fairly clueless, and that isn't going to change.
It is much easier, and it works.

I am going to carry on using my nokia without a firewall and I am not going to lose any sleep over it!

Benson 2008-04-15 00:38

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169853)
How about "Only allowing a process to run as root if installed with specific root permission by the user"? It's not rocket science. Very few apps need this.

Oh, do Windows firewalls do that? Anyway, yes, you could warn over any packages with SUID/SGID files. A user wants to install an app; a box pops up asking them to allow or deny; how do they know that games do not need SUID root, and bail? They (mostly) don't understand that; they do understand that if they click deny, they can't have their game. You wanna bet that they click deny?
Quote:

Sorry: the first clause isn't a sentence, so I can't understand what you meant. No criticism: typos happen.
No typo; those are categories of possible answers to that semi-rhetorical question. (Semi- because if you have other options, I am interested to hear them; I'm no expert on Windows firewall.)
Quote:

That's opinion, your argument is..?
My argument is that since they have precisely the same capabilities, they have precisely the same degree of protection; WRT installation of malware by the sysadmin, that would be "none".
Quote:

Anyway, my concern isn't a "crazy nut" but a moderately sensible user who isn't a linux developer, and who wants to install an independent PIM on his Nit.
How does software tell the difference? When you grant administrative privileges to any moderately sensible user, you grant them to everyone. Single-user machines run by people who don't know better can and will get pwnz0red, and there's nothing you can do to stop that.
Quote:

That's the point. A sandbox lets me run 99% of apps safely. Conveniently, the 1% it can't handle are those that I expect to get from the platform owner - OS updates.
Any clue how many people are running KDE, xrandr, and other cool things? Just guess how many downloads a purported "App Mugger Fix" would get now! Lots of people would indeed download, trust, and run all sorts of things that did need full access, from all kinds of sources. And they'd be safe enough of the time that it would seem safe, until some malware did show up, because there are lots of system enhancements that can be made that would require it.

Quote:

No, as I said users could have the option of non-sandbox apps. But with a decent design they would be rarely needed - certainly not for a PIM, a media player (given a decent api), or the other apps most users care about.
If they have the option, they will use it. And if they're used to using it ever, they won't even hesitate when some app they want claims to need to "update system libraries", no matter how obvious (to the knowledgeable) that it should not.

Quote:

This is doubly wrong.
Strawmen are triply wrong. :p

I didn't say new OSes, did I? I did mention the kernel rather than libraries, because it's possible to (at some cost) pack any library dependencies of an app into either an all-in-one sandbox, or an app-specific sandbox. (Major subversions are possible if I can replace shared libraries used by other apps with a modified version, but the latter means you might as well have everything statically linked.) But updating the kernel is not limited to "installing OSes". Xrandr, SDHC support on 770s, high-speed MMC, backlight control, DVB, various USB-OTG related modules... Lots of stuff here that requires root access.
Quote:

This is just irrelevant to how a sandbox model works.
Precisely; it's not a comment on sandboxes (which are a good idea, used in their place), it's an alternative explanation of why the NITs are not secure (vs. because we don't sandbox our apps, or as you originally suggested, because Linux firewalls are "potentially ineffective, as opposed to Windows ones").

Unless you suggest some sort of signing system or other lockdown for anything outside the sandbox (in which case Nokia can forget working with the F/OSS community to work through to step 5, as per their indicated plan), you still have that problem. Because it's "irrelevant to how a sandbox model works", a sandbox model can't fix it.

Quote:

The current security model (ie none) is a fairly good explanation why the Nit hasn't been picked up for vertical applications and other corporate development.
The current security model is the same as any UNIX box, which somehow get used anyway. The only difference is the application manager's automatic grant of root access; it's trivial to lock users out of (or remove) App Mugger, and require IT authentication to update software. It's an explanation alright, but it doesn't seem to hold much water when it can be rectified in half an hour. I think anyone who knows enough to see the vulnerability can see the solution.
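
Added example, not part of the post above and not code from Maemo's Application Manager: a pre-install check of the kind discussed ("warn over any packages with SUID/SGID files"). It assumes the package's file payload is available as a tar archive, as in a Debian-style package; the archive, file names and function names are constructed for illustration.

```python
import io
import stat
import tarfile


def build_sample_payload() -> bytes:
    """Constructed package payload held in memory (no real package is used)."""
    entries = [
        # (path, mode, uid, gid)
        ("usr/bin/pim", 0o755, 0, 0),               # ordinary binary
        ("usr/bin/game-helper", 0o4755, 0, 0),      # SUID, owned by root
        ("usr/bin/scores", 0o2755, 0, 100),         # SGID
        ("usr/bin/userhelper", 0o4755, 1000, 1000), # SUID, non-root owner
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, uid, gid in entries:
            data = b"constructed file body"
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.gid = mode, uid, gid
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_privileged_members(payload: bytes):
    """Return (path, flags, uid, gid) for every regular file with SUID or SGID set.

    Only archive headers are read; nothing is extracted to disk.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            flags = []
            if member.mode & stat.S_ISUID:
                flags.append("SUID")
            if member.mode & stat.S_ISGID:
                flags.append("SGID")
            if flags:
                findings.append((member.name, "+".join(flags), member.uid, member.gid))
    return findings


def runs_as_root(findings):
    """Subset of findings that would execute with uid 0: SUID files owned by root."""
    return [f for f in findings if "SUID" in f[1] and f[2] == 0]


if __name__ == "__main__":
    for path, flags, uid, gid in find_privileged_members(build_sample_payload()):
        print(f"{flags:9} uid={uid:<5} gid={gid:<5} {path}")
```

The check only produces the finding; whether the installer refuses, prompts, or requires an administrator is the policy question the thread is arguing about.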

TA-t3 2008-04-15 08:02

Re: Security on Nits?
 
I would reply to many of the above postings, but it's just too much - so I summarize:

Q) Why doesn't a firewall help (on any platform) if you install a trojan?
A) Because the trojan (which, if it's an effective trojan) has root access and can thus simply deactivate whatever it wants in the firewall. Any security measures you have set up locally are useless if you install malicious software.

The above is true for any platform where the firewall is on-board.

EDIT: I should add, before someone comments, _yes_, I know about what's called 'capabilities' in Linux, and the feature called 'selinux'. With that it is possible to severely restrict what can be done on the system, it is for example possible to, at boot time, irreversibly turn off the possibility (or capability) of the root account to reconfigure the internal firewall. So, in _principle_, the NIT can be made a bit more tricky for trojans to do their dirty work (and tricky for you, as your own sysadm, to do what you want as well.. there's always a price).
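
Added example, not part of the post above: an audit of the restriction it describes, root losing the capability to reconfigure the firewall. It assumes a current Linux kernel, where `/proc/<pid>/status` exposes per-process capability sets; the two status samples are constructed, and `CAP_SYS_MODULE` is included as an assumption because loading kernel code is another route around packet filtering.

```python
# Capability bit numbers as defined in <linux/capability.h>.
CAP_BITS = {"CAP_NET_ADMIN": 12, "CAP_SYS_MODULE": 16}

# Constructed sample: an unrestricted root process (all capability bits set).
SAMPLE_STOCK_ROOT = (
    "Name:\tinstaller\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
)

# Constructed sample: root on a system whose bounding set had bits 12 and 16
# removed early in boot, so no later process can obtain them.
SAMPLE_LOCKED_ROOT = (
    "Name:\tinstaller\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001fffffeefff\n"
    "CapEff:\t000001fffffeefff\n"
    "CapBnd:\t000001fffffeefff\n"
)


def parse_cap_sets(status_text: str) -> dict:
    """Extract the hexadecimal capability masks from /proc/<pid>/status text."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff", "CapBnd"):
            sets[key] = int(value.strip(), 16)
    return sets


def has_cap(mask: int, name: str) -> bool:
    return bool((mask >> CAP_BITS[name]) & 1)


def firewall_exposure(status_text: str) -> dict:
    """Classify each capability for one process.

    held now            - in the effective set; usable immediately
    obtainable on exec  - not effective, but still in the bounding set
    dropped for good    - absent from the bounding set; cannot be regained
    """
    sets = parse_cap_sets(status_text)
    report = {}
    for name in CAP_BITS:
        if has_cap(sets["CapEff"], name):
            report[name] = "held now"
        elif has_cap(sets["CapBnd"], name):
            report[name] = "obtainable on exec"
        else:
            report[name] = "dropped for good"
    return report


if __name__ == "__main__":
    for label, text in (("stock", SAMPLE_STOCK_ROOT), ("locked", SAMPLE_LOCKED_ROOT)):
        print(label, firewall_exposure(text))
```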

meanwhile 2008-04-15 14:31

Re: Security on Nits?
 
Quote:

Originally Posted by TA-t3 (Post 170021)
I would reply to many of the above postings, but it's just too much - so I summarize:

Q) Why doesn't a firewall help (on any platform) if you install a trojan?
A) Because the trojan (which, if it's an effective trojan) has root access and can thus simply deactivate whatever it wants in the firewall. Any security measures you have set up locally are useless if you install malicious software.

Bold added to show where the logic of this argument breaks down. By analogy, one might say "Locks and policemen are worthless in preventing burglary; because an effective burglar will overcome them." An effective burglar being defined, for the purposes of TA's argument, as someone capable of overcoming locks and guards! The point is that locks and similar security devices alter the effort-reward ratio of an attack.*

This is the most basic thing to understand about the economics and psychology of security, and variants of TA's argument above have been repeated throughout the thread without anyone being willing to come to grips with the answer: all security is about raising the effort barrier to attackers. With Android (sandbox virtual machine) and Symbian (privilege and certification system), or even a decently configured Windows system (firewalls and virus checkers with daily updates) this barrier is enormously higher than for the Nit. In fact, Nokia don't seem to have thought about security at all with the Nit - and it should have been the starting point and key feature for a consumer device designed for accessing the Internet.

Of course, Nokia haven't been alone in their mistakes. Apple have made exactly the same errors with the iPhone, and are now rushing to correct them: http://www.theregister.co.uk/2007/10/24/omtp_security/

*Very, very amusingly, there's a story about exactly this realization on Nokia's leader NIT developer's blog:

Quote:

http://jaaksi.blogspot.com/search?q=taxi&x=0&y=0

Open is good, eh? Not necessarily. Let me give you an example...

I go down the stairs and see a big guy sitting on our floor. A total stranger. He’s talking to himself saying ooh, ohh ****, ohh, I don’t feel that good, …ooh. I approach the guy and I ask him what on earth are you doing here? He doesn’t seem to recognize me. I can see he is drunk as a skunk. He’s reasonably clean, proper clothes and so forth but you can tell he drinks a lot. A lot.

...I asked him if there is anything I could do for him. He keeps on apologizing and asks if I can get a taxi for him. Sure can. The taxi arrives in 5 minutes. I help this guy to stand up and put on his shoes and jacket. Then I walk him to the taxi. He apologizes once more. I say not a big deal – take care of yourself! And he’s gone.

...I have this bad habit to leave doors open. I better start locking them up. For nights at least. Open is not always good.
Now, I doubt this gentleman's house will be able to withstand the efforts of a skilled lockpick or an assault team even once he starts using those locks he was ignoring, but that doesn't mean that he isn't getting a worthwhile and important benefit from using them! There are more drunks than lockpicks in this world, and more minimally competent security attackers than superbly able ones.

Shutting down a firewall - especially on a system with decent anti virus and malware - is not easy. It's much harder than merely adding a keylogger to a PIM; if it's doable at all it will probably only be because of a temporary vulnerability that will get patched before 999 in 1000 attackers have a chance to use it. By comparison, the Nit is a house with no locks on its doors and a big "Come on in!" sign.

brontide 2008-04-15 15:27

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 170096)
By comparison, the Nit is a house with no locks on its doors and a big "Come on in!" sign.

If I had a spare unit I would place it on a public IP address and give it to the first hacker that cracked it. I would even tell you what firmware and 3rd party software was installed.

TA-t3 2008-04-15 15:42

Re: Security on Nits?
 
I think I'll abandon this discussion. meanwhile, in my opinion you don't know as much as you think you know about this. That it should be difficult to turn off a firewall is simply not true. At some point a user will end up installing a program with root (admin) access, simply because that particular application (whatever it says it's supposed to do) will have to be installed that way. For Windows, for example, there's almost nothing that installs without admin rights. From there on it's simple - you (the trojan) can do whatever you want.

But this is what I've been repeating, so I'll stop the repeat cycle there. Disagree if you want, I've said my piece.

tabletrat 2008-04-15 17:41

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 170096)
Bold added to show where the logic of this argument breaks down. By analogy, one might say "Locks and policemen are worthless in preventing burglary; because an effective burglar will overcome them." An effective burglar being defined, for the purposes of TA's argument, as someone capable of overcoming locks and guards! The point is that locks and similar security devices alter the effort-reward ratio of an attack.*

What a bizarre argument!

OK, let's go with your argument. Do you have the capability of walking through an unlocked door? Yes? Good. Do you know anyone else who knows how to walk through an unlocked door? Good so far.

OK. Do you know how to make a linux keylogger? Yes? Do you know anyone else who knows how to make a linux keylogger? Yes? Do you know an equal amount of people who know how to walk through an unlocked door as can write a unix keylogger? Yes? Good, that means your argument is valid.
What's that? You don't? Hmm..

Do you know anyone who can write a unix keylogger who couldn't write an application to disable a software firewall? I certainly couldn't think of anyone.

Quote:

Originally Posted by meanwhile (Post 169789)
This is the most basic thing to understand about the economics and psychology of security, and variants of TA's argument above have been repeated throughout the thread without anyone being willing to come to grips with the answer: all security is about raising the effort barrier to attackers.

and what you seem to not be able to grasp is that you are not raising the effort barrier to attackers, you are tricking yourself into thinking you are nice and safe.
You know when you are in a car and the brakes have failed and you are heading towards a truck? Closing your eyes doesn't actually work!

Quote:

Originally Posted by meanwhile (Post 169789)
With Android (sandbox virtual machine) and Symbian (privilege and certification system), or even a decently configured Windows system (firewalls and virus checkers with daily updates) this barrier is enormously higher than for the Nit. In fact, Nokia don't seem to have thought about security at all with the Nit - and it should have been the starting point and key feature for a consumer device designed for accessing the Internet.

That is why windows has no viruses and I don't get any spam.

Quote:

Originally Posted by meanwhile (Post 169789)
Of course, Nokia haven't been alone in their mistakes. Apple have made exactly the same errors with the iPhone, and are now rushing to correct them:

Indeed, that is why we have so many iPhone viruses.

Quote:

Originally Posted by meanwhile (Post 169789)
Shutting down a firewall - especially on a system with decent anti virus and malware - is not easy.

It really is. Unless you are one of the things that the anti-virus knows about. The first people to pick up a new virus get no benefit from anti-virus. The people do later on.

Quote:

Originally Posted by meanwhile (Post 169789)
It's much harder than merely adding a keylogger to a PIM; if it's doable at all it will probably only be because of a temporary vulnerability that will get patched before 999 in 1000 attackers have a chance to use it. By comparison, the Nit is a house with no locks on its doors and a big "Come on in!" sign.

OK, you're right. It is too dangerous. I suspect it is better if you just get rid of the nokia and go back to your nice safe windows.

Brucealeg 2008-04-15 20:15

Re: Security on Nits?
 
<< This is an argument that the Religious Right uses over condoms and Aids. The empirically observed result is death among believers. >>

I was interested in this topic and went to read your reply and saw this, now I have to wonder if you are a ***** or not. Why not stick to the facts and leave your social, political and religious stupidity at home where they belong? The thread is about security not condoms and aids, per your initial post.

Brucealeg 2008-04-15 20:19

Re: Security on Nits?
 
I thought the advantage of Linux was that keyloggers and viruses were rare to nonexistent? I know that doesn't, in itself, make people feel more secure. I am curious how someone would exploit the NIT in a meaningful way.

brontide 2008-04-15 20:23

Re: Security on Nits?
 
kernel module or X extension could probably implement a keylogger although neither is exactly trivial to write. Using standard command line tools I could dump passwords for IM, Mail, and network access trivially. Grabbing cookies might allow for attacks on several sites like google as well.

But the user still has to install and run this malicious software so some amount of social engineering is required.

Brucealeg 2008-04-15 20:31

Re: Security on Nits?
 
<< With Android (sandbox virtual machine) and Symbian (privilege and certification system), or even a decently configured Windows system (firewalls and virus checkers with daily updates) this barrier is enormously higher than for the Nit. In fact, Nokia don't seem to have thought about security at all with the Nit - and it should have been the starting point and key feature for a consumer device designed for accessing the Internet. >>

I didn't really think that Windows software firewalls were as good as you think or securing Windows wouldn't be the industry that it is. I've seen too many trojans disable the best Windows security, because it was just too easy for the user to accidentally subvert system security. Maybe it's obscurity, but I have never really heard of this happening on a linux system - outside academic forum postings.

I would imagine that just being a NIT raises the bar of irritation, as mentioned in another post, for a hacker. Where is the benefit to trying to create a NIT trojan? There is an endless sea of Windows boxes and tools that anyone can use to make quick money. Hacking a NIT via a trojan takes some skill and the pay off just doesn't seem obvious to me - how about you?

Securix 2008-04-15 20:48

Re: Security on Nits?
 
As far as security goes, I'd worry more about someone physically stealing my N800 (and the data on it) than it getting hacked or hit with a virus/worm/etc.
