maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   General (https://talk.maemo.org/forumdisplay.php?f=7)
-   -   Security on Nits? (https://talk.maemo.org/showthread.php?t=19074)

meanwhile 2008-04-14 19:11

Re: Security on Nits?
 
Quote:

Originally Posted by TA-t3 (Post 169500)
A keylogger trojan would just push the data out through the email program. Can't block that in any easy way.

I know Windows firewalls (at least the good ones) can specify not only port, but also application, and say "the browser can go out to port 80, any other app can't". And so on. This isn't easy to do on Linux or Unix. It wouldn't be that useful either, even if iptables could do it, because on Windows it's much more common that every application does its input/output directly, while on *nix you can often just communicate through the daemon or service that usually handles that kind of traffic (e.g. for sending email you almost never try to send data directly on port 25, instead you use the sendmail (or equivalent) program).

Out of the box there's almost nothing listening to any TCP/IP or UDP port on the NIT, so someone breaking their way into your NIT isn't much of an issue. However, if you install something that happens to be a trojan there's very little you can do to avoid it doing whatever harm it wants. This is such a serious situation that the only thing that helps is "don't do that". On any platform.

What I find interesting but hard to understand here is your "any platform" comment, combined with the statement about Windows firewalls. It isn't really a Nit question, but why do you feel this way?

brontide 2008-04-14 19:42

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169720)
Nokia do seem to have designed an inherently insecure device, unfitted for most users. If I was them, I'd have firewalled the machine and given it a virtual machine with a sandbox mode, and required special effort and passwords to install apps that bypassed this.

Come back to the real world. Under that theory there are NO secure desktops, laptops, or ATMs sold today.

Imperfect != inherently insecure.

tabletrat 2008-04-14 19:49

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169720)
If I was a Linux programmer in a low wage economy, with the connections to use credit card numbers and PayPal, I'd see the Nits as a godsend. Three months programming would get the machine the decent PIM it lacks; 2000 downloads (the most any Nit app seems to get) might get me 1000 compromised individuals. Say I get $1000 from each, of which I keep $500 - I don't have to work again for the rest of my life.

What a waste of time. Write yourself a free downloadable game on windows. 1,000,000 downloads, of which 90% have some anti-spyware/virus/firewall thing. That gives you 100,000 x your $500.

And the programming would take a lot less time as well.

The NiTs I would put as so far under the radar it wouldn't be worth the overhead of programming for them.

mwiktowy 2008-04-14 20:43

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169284)
Anyway, *if* the above is true, then my biggest wish for OS2009 is a firewall.

A firewall is not a magic bullet. Even if it is properly configured, it is not the end all of security. It will do very little against random third-party apps that are installed as root that want to do bad things. Your best bet against something like that is SELinux but that is *a lot* of work to do right and it frequently gets in the way of random third-party apps that you might want to run. It also would be a bit heavy on a limited-resource mobile platform.

Likely the most bang for the buck will come from organizing a central repository of software that is simple to submit code to, where the source code is actually audited and the apps are built with a trusted compiler so that your source -> binary -> distribution chain is trusted. For those who want to stay in the protective bubble, they can just have that repo enabled. I think Nokia has come part of the way but is not completely there yet. I am not sure if this goal is even on their radar. All other Linux distros do this in some way so that trojan programs don't slip in and their users have a safe harbour.

For those who are more daring, third party repos abound. There is very little that can be done to secure those who don't care to be. The biggest weakness in computer security is generally between the keyboard (or the touch-screen in this case) and the chair.

meanwhile 2008-04-14 21:00

Re: Security on Nits?
 
Quote:

Originally Posted by tabletrat (Post 169741)
What a waste of time. Write yourself a free downloadable game on windows. 1,000,000 downloads, of which 90% have some anti-spyware/virus/firewall thing. That gives you 100,000 x your $500.

If you can write a game that can generate a million downloads, then you can probably do quite well on adware. 1000-50,000 are more realistic.

Anyway, leaving this aside, you're still wrong: the security tools on decently configured PCs will pick up a naughty application being naughty in the first few days. After which the app will be removed from download sites, before it has time to spread. You might say that the app could wait six months to build decent user numbers before doing naughty things, but a lot of people delete these things every couple of weeks or so.

Which is why the world economy isn't collapsing because of $50M videogame thefts, in case you were wondering. In the real world, investing serious effort in a free game would probably only yield a few hundred successful attacks.

Quote:

And the programming would take a lot less time as well.
You seem to be implying that maemo tools are poor? I can't comment. (Btw: an Evil Programmer would have few qualms about stealing open source code - I know, it's shocking, but there you are. Criminals have no respect for the law. He/she'd probably start with the GNU apps, fix the alarm functionality, and go on from there.)


Quote:

The NiTs I would put as so far under the radar it wouldn't be worth the overhead of programming for them.
So you're basing your personal security on Nokia's continued lack of success? I think the strategy will probably work, but as I said, personally I'd find it undignified.

meanwhile 2008-04-14 21:06

Re: Security on Nits?
 
Quote:

Originally Posted by mwiktowy (Post 169774)
A firewall is not a magic bullet. Even if it is properly configured, it is not the end all of security. It will do very little against random third-party apps that are installed as root that want to do bad things.

Based on the posts above, I'm astonished by how potentially ineffective Linux firewalls are, as opposed to Windows ones.

Quote:

Your best bet against something like that is SELinux but that is *a lot* of work to do right and it frequently gets in the way of random third-party apps that you might want to run. It also would be a bit heavy on a limited-resource mobile platform.

Likely the most bang for the buck will come from organizing a central repository of software that is simple to submit code to, where the source code is actually audited...
Depends what you mean by "audited". I'm unaware of any process that can give a reasonable assurance of security without a lot of expense or donated free eyeball, which probably wouldn't be given.

Sandbox execution, otoh, can make the engineering effort for an attacker very high to impossible: that's the way I'd go. It's what Google are doing with Android, and it seems pretty bloody obvious as a solution.

Edit to add:
Nokia seem to be going for a form of sandboxing on Symbian:
http://www.forum.nokia.com/main/plat.../security.html

Benson 2008-04-14 21:35

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169792)
Based on the posts above, I'm astonished by how potentially ineffective Linux firewalls are, as opposed to Windows ones.

Sheesh. Running as root; what do you propose to stop a process running as root? Kernel-space or hardware only. And kernel-space is hard, since you can flash the kernel and reboot the device as root. Windows firewalls are not as effective as you might think, when applied to a system with a real security system, but with a crazy nut installing random things. In Windows, many applications can be installed without administrative privileges. (Which is not the way to go; even if trojans can't automatically get root, they can still compromise privacy, destroy data, and use exploits (local exploits, of course) to get root.) A port of Windows firewall would not be any better.
Quote:

Sandbox execution, otoh, can make the engineering effort for an attacker very high to impossible: that's the way I'd go. It's what Google are doing with Android, and it seems pretty bloody obvious as a solution.
Sandbox execution, otoh, can make doing some things bloody near impossible. It works great for daemons with narrowly defined jobs; it works great for nice little applications. It doesn't work for, say, updating the kernel, or anything else outside the sandboxes. So unless you want to completely close the package management system, or require only Nokia signed OS packages, you're still in the same mess.

The trouble is giving a (clueless) user root, even for the limited purpose of installing packages. There's nothing that can (or should) stop a determined sysadmin from hosing a system, or a careless one from doing it by accident.

meanwhile 2008-04-14 22:46

Re: Security on Nits?
 
Quote:

Originally Posted by Benson (Post 169815)
Sheesh. Running as root; what do you propose to stop a process running as root?

How about "Only allowing a process to run as root if installed with specific root permission by the user"? It's not rocket science. Very few apps need this.

Quote:

Kernel-space or hardware only. And kernel-space is hard, since you can flash the kernel and reboot the device as root.
Sorry: the first clause isn't a sentence, so I can't understand what you meant. No criticism: typos happen.

Quote:

Windows firewalls are not as effective as you might think, when applied to a system with a real security system, but with a crazy nut installing random things.
That's opinion, your argument is..? Anyway, my concern isn't a "crazy nut" but a moderately sensible user who isn't a Linux developer, and who wants to install an independent PIM on his Nit.

Quote:

In Windows, many applications can be installed without administrative privileges. (Which is not the way to go; even if trojans can't automatically get root, they can still compromise privacy, destroy data, and use exploits (local exploits, of course) to get root.)
What this means is that the firewall isn't perfect but that it greatly increases the cost of a successful attack. Perfect would be nice, but in the real world I'll settle for good locks and a decent alarm over nothing, nada, zip or bupkis.

Quote:

Sandbox execution, otoh, can make doing some things bloody near impossible. It works great for daemons with narrowly defined jobs; it works great for nice little applications. It doesn't work for, say, updating the kernel
That's the point. A sandbox lets me run 99% of apps safely. Conveniently, the 1% it can't handle are those that I expect to get from the platform owner - OS updates.

Quote:

it won't let me run I can get from a trusted source.
or anything else outside the sandboxes.
No, as I said users could have the option of non-sandbox apps. But with a decent design they would be rarely needed - certainly not for a PIM, a media player (given a decent API), or the other apps most users care about.

Quote:

So unless you want to completely close the package management system, or require only Nokia signed OS packages, you're still in the same mess.
This is doubly wrong.

Firstly, installing OSes should be an unusual procedure that can have all sorts of special warnings and affordances (eg turning off the machine and following a special reboot procedure) to cue the user that he is performing an unusual task and get him to read and think about warnings. I doubt many users could be persuaded to load a non-Nokia OS even without security warnings, but with them - forget it. Not a practical method of attack.

Secondly, ***most potential users would be willing to give non-Nokia OSes to get better security!*** Otoh, I can't count on Nokia for decent apps - not even an ebook reader or a PIM.

Quote:

The trouble is giving a (clueless) user root, even for the limited purpose of installing packages. There's nothing that can (or should) stop a determined sysadmin from hosing a system, or a careless one from doing it by accident.
This is just irrelevant to how a sandbox model works.

The current security model (i.e. none) is a fairly good explanation why the Nit hasn't been picked up for vertical applications and other corporate development.

Anyway, I suspect that Nokia will be ditching Maemo/ITOS for Android (which does use a sandboxed virtual machine) if they continue updating firmware after the next release. It's hard to see why they'd carry on with Maemo after this point.

tabletrat 2008-04-14 23:20

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169789)
If you can write a game that can generate a million downloads, then you can probably do quite well on adware. 1000-50,000 are more realistic.

Anyway, leaving this aside, you're still wrong: the security tools on decently configured PC's will pickup a naughty application being naughty in the first few days. After which the app will be removed from download sites, before it has time to spread.

The big download sites, maybe. Not all of the download sites. And as I specifically mentioned the non-decently configured PCs, it being picked up is a moot point (actually not a moot point, but what people accept as being a moot point, which is in fact the opposite!).


Quote:

Originally Posted by meanwhile (Post 169789)
You might say that the app could wait six months to build decent user numbers before doing naughty things, but a lot of people delete this things every couple of weeks or so.

Indeed they do.

Quote:

Originally Posted by meanwhile (Post 169789)
Which is why the world economy isn't collapsing because of $50M videogame thefts, in case you were wondering. In the real world, investing serious effort in a free game would probably only yield a few hundred successful attacks.

That sounds pretty good to me. Write a few games then, rather than one.

Quote:

Originally Posted by meanwhile (Post 169789)
You seem to be implying that maemo tools are poor? I can't comment.

I don't think I implied that. Maemo tools are Linux tools, they are ok. They are not as good as some, but better than they used to be. Just things tend to be harder to write under Linux than, say, the Pocket PC.
Maemo tools have come on leaps and bounds in the last year from what I can see.

Quote:

Originally Posted by meanwhile (Post 169789)
So you're basing your personal security on Nokia's continued lack of success? I think the strategy will probably work, but as I said, personally I'd find it undignified.

No, I am basing my personal security on the law of probabilities. Compared to using a Windows machine on the network I am orders of magnitude safer. Statistically, all the time I am using the Nokia, I am not using a PC, therefore my safety is increasing. Note, my views on software firewalls are the same on PCs: they are better than nothing, but they aren't foolproof. They are certainly the first thing switched off by almost all successful viruses.

It's like anything. Yes, I could get blown up in a tube train by terrorists (or in my case in the UK, shot by the police thinking I was a terrorist) but it really isn't worth putting any effort into worrying about because I am thousands of times more likely to be hit by a truck driver on the motorway who fell asleep.

When I connect to my bank I have a hardware encrypted password generator, supplied by my bank. They can log every detail of my bank transaction, but without that hardware dongle it won't do any good.

The rest of it? It doesn't work like you seem to think. It works by a low hanging fruit idea. However clever and complicated your scheme making this Nokia key logger, your profits will always be dwarfed by those who put their effort into getting people to enter their passwords on your website by offering them money for nothing, claiming to be their bank or a request from eBay/PayPal. A large number of people are fairly clueless, and that isn't going to change.
It is much easier, and it works.

I am going to carry on using my Nokia without a firewall and I am not going to lose any sleep over it!

Benson 2008-04-15 00:38

Re: Security on Nits?
 
Quote:

Originally Posted by meanwhile (Post 169853)
How about "Only allowing a process to run as root if installed with specific root permission by the user"? It's not rocket science. Very few apps need this.

Oh, do Windows firewalls do that? Anyway, yes, you could warn over any packages with SUID/SGID files. A user wants to install an app; a box pops up asking them allow or deny; how do they know that games do not need SUID root, and bail? They (mostly) don't understand that; they do understand that if they click deny, they can't have their game. You wanna bet that they click deny?
Quote:

Sorry: the first clause isn't a sentence, so I can't understand what you meant. No criticism: typos happen.
No typo; those are categories of possible answers to that semi-rhetorical question. (Semi- because if you have other options, I am interested to hear them; I'm no expert on Windows firewall.)
Quote:

That's opinion, your argument is..?
My argument is that since they have precisely the same capabilities, they have precisely the same degree of protection; WRT installation of malware by the sysadmin, that would be "none".
Quote:

Anyway, my concern isn't a "crazy nut" but a moderately sensible user who isn't a linux developer, and who wants to install an independent PIM on his Nit.
How does software tell the difference? When you grant administrative privileges to any moderately sensible user, you grant them to everyone. Single-user machines run by people who don't know better will get pwnz0red, and there's nothing you can do to stop that.
Quote:

That's the point. A sandbox lets me run 99% of apps safely. Conveniently, the 1% it can't handle are those that I expect to get from the platform owner - OS updates.
Any clue how many people are running KDE, xrandr, and other cool things? Just guess how many downloads a purported "App Mugger Fix" would get now! Lots of people would indeed download, trust, and run all sorts of things that did need full access, from all kinds of sources. And they'd be safe enough of the time that it would seem safe, until some malware did show up, because there are lots of system enhancements that can be made that would require it.

Quote:

No, as I said users could have the option of non-sandbox apps. But with a decent design they would be rarely needed - certainly not for a PIM, a media player (given a decent api), or the other apps most users care about.
If they have the option, they will use it. And if they're used to using it ever, they won't even hesitate when some app they want claims to need to "update system libraries", no matter how obvious (to the knowledgeable) that it should not.

Quote:

This is doubly wrong.
Strawmen are triply wrong. :p

I didn't say new OSes, did I? I did mention the kernel rather than libraries, because it's possible to (at some cost) pack any library dependencies of an app into either an all-in-one sandbox, or an app-specific sandbox. (Major subversions are possible if I can replace shared libraries used by other apps with a modified version, but the latter means you might as well have everything statically linked.) But updating the kernel is not limited to "installing OSes". Xrandr, SDHC support on 770s, high-speed MMC, backlight control, DVB, various USB-OTG related modules... Lots of stuff here that requires root access.
Quote:

This is just irrelevant to how a sandbox model works.
Precisely; it's not a comment on sandboxes (which are a good idea, used in their place), it's an alternative explanation of why the NITs are not secure (vs. because we don't sandbox our apps, or as you originally suggested, because Linux firewalls are "potentially ineffective, as opposed to Windows ones").

Unless you suggest some sort of signing system or other lockdown for anything outside the sandbox (in which case Nokia can forget working with the F/OSS community to work through to step 5, as per their indicated plan), you still have that problem. Because it's "irrelevant to how a sandbox model works", a sandbox model can't fix it.

Quote:

The current security model (ie none) is a fairly good explanation why the Nit hasn't been picked up for vertical applications and other corporate development.
The current security model is the same as any UNIX box, which somehow get used anyway. The only difference is the application manager's automatic grant of root access; it's trivial to lock users out of (or remove) App Mugger, and require IT authentication to update software. It's an explanation alright, but it doesn't seem to hold much water when it can be rectified in half an hour. I think anyone who knows enough to see the vulnerability can see the solution.
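One way to implement the pre-install warning Benson describes, as an added example that is not code from this thread or from Nokia's application manager: it flags setuid/setgid files in a .deb's payload and, because dpkg runs a package's maintainer scripts as root at install time, also lists those scripts, since a SUID scan on its own misses that path to root. The hand-rolled ar/tar container handling and the constructed "example-pim" package are assumptions for illustration.

```python
"""Pre-install check for a .deb: report payload files with the setuid/setgid bit
and maintainer scripts (dpkg runs those as root). Added example, not thread code."""
import io
import stat
import tarfile

SCRIPT_MEMBERS = {"preinst", "postinst", "prerm", "postrm"}

def parse_ar(blob):
    """Return {member name: bytes} for a classic 'ar' archive (the .deb container)."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):            # every member header is 60 bytes
        hdr = blob[pos:pos + 60]
        name = hdr[0:16].decode().rstrip().rstrip("/")
        size = int(hdr[48:58].decode())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)       # member data is padded to even length
    return members

def tar_members(data):
    """List the entries of a (possibly compressed) tar held in memory."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return tf.getmembers()

def audit_deb(blob):
    """Return (setuid_or_setgid_files, maintainer_scripts) found in a .deb."""
    members = parse_ar(blob)
    control = next(v for k, v in members.items() if k.startswith("control.tar"))
    data = next(v for k, v in members.items() if k.startswith("data.tar"))
    scripts = sorted(m.name.lstrip("./") for m in tar_members(control)
                     if m.name.lstrip("./") in SCRIPT_MEMBERS)
    risky = sorted(m.name.lstrip(".") for m in tar_members(data)
                   if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID))
    return risky, scripts

# --- constructed sample package for a hypothetical "example-pim" app ---------
def _tar_gz(entries):
    """Build a gzip'd tar from (name, mode, payload) triples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, mode, payload in entries:
            ti = tarfile.TarInfo(name)
            ti.size, ti.mode = len(payload), mode
            tf.addfile(ti, io.BytesIO(payload))
    return buf.getvalue()

def _ar(members):
    """Build a minimal ar archive from (name, bytes) pairs (names <= 16 chars)."""
    out = b"!<arch>\n"
    for name, data in members:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}`\n"
        out += hdr.encode() + data + (b"\n" if len(data) % 2 else b"")
    return out

SAMPLE_DEB = _ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", _tar_gz([
        ("./control", 0o644, b"Package: example-pim\nVersion: 0.1\n"),
        ("./postinst", 0o755, b"#!/bin/sh\n# anything here runs as root\n"),
    ])),
    ("data.tar.gz", _tar_gz([
        ("./usr/bin/pim", 0o755, b"\x7fELF...\n"),
        ("./usr/lib/pim/helper", 0o4755, b"\x7fELF...\n"),   # setuid bit set
    ])),
])
```

`audit_deb(SAMPLE_DEB)` returns the setuid helper and the postinst script, which is the moment a sandbox-less installer would have to ask the user whether to proceed.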

