Page 4 of 7 « First 23 4 56 Last »
Reply
Thread Tools
TA-t3 is offline TA-t3
2008-04-15 , 08:02
Posts: 3,841 | Thanked: 1,079 times | Joined on Nov 2006
#31
I would reply to many of the above postings, but it's just too much - so I summarize:

Q) Why doesn't a firewall help (on any platform) if you install a trojan?
A) Because the trojan (which, if it's an effective trojan) has root access and can thus simply deactivate whatever it wants in the firewall. Any security measures you have set up locally are useless if you install malicious software.

The above is true for any platform where the firewall is on-board.

EDIT: I should add, before someone comments, _yes_, I know about what's called 'capabilities' in Linux, and the feature called 'selinux'. With that it is possible to severely restrict what can be done on the system, it is for example possible to, at boot time, irreversibly turn off the possibility (or capability) of the root account to reconfigure the internal firewall. So, in _principle_, the NIT can be made a bit more tricky for trojans to do their dirty work (and tricky for you, as your own sysadm, to do what you want as well.. there's always a price).
__________________
N800/OS2007|N900/Maemo5
-- Metalayer-crawler delenda est.
-- Current state: Fed up with everything MeeGo.
Last edited by TA-t3; 2008-04-15 at 10:31.
 

The Following 3 Users Say Thank You to TA-t3 For This Useful Post:
meanwhile is offline meanwhile
2008-04-15 , 14:31
Posts: 66 | Thanked: 17 times | Joined on Apr 2008
#32
Originally Posted by TA-t3 View Post
I would reply to many of the above postings, but it's just too much - so I summarize:

Q) Why doesn't a firewall help (on any platform) if you install a trojan?
A) Because the trojan (which, if it's an effective trojan) has root access and can thus simply deactivate whatever it wants in the firewall. Any security measures you have set up locally are useless if you install malicious software.
Bold added to show where the logic of this argument breaks down. By analogy, one might say "Locks and policeman are worthless in preventing burglary; because an effective burglar will overcome them." An effective burglar being defined, for the purposes of TA's argument, as someone capable of overcoming locks and guards! The point is that locks and similar security devices alter the effort-reward ratio of an attack.*

This the most basic thing to understand about the economics and psychology of security, and variants of TA's argument above have been repeated throughout the thread without anyone being willing to come to grips with the answer: all security is about raising the effort barrier to attackers. With Android (sandbox virtual machine) and Symbian (privilege and certification system), or even a decently configured Windows system (firewalls and virus checkers with daily updates) this barrier is enormously higher than for the Nit. In fact, Nokia don't seem to have thought about security at all with the Nit - and it should have been the starting point and key feature for a consumer device designed for accessing the Internet.

Of course, Nokia haven't been alone in their mistakes. Apple have made exactly the same errors with the iPhone, and are now rushing to correct them: http://www.theregister.co.uk/2007/10/24/omtp_security/

*Very, very amusingly, there's a story about exactly this realization on Nokia's leader NIT developer's blog:

http://jaaksi.blogspot.com/search?q=taxi&x=0&y=0

Open is good, eh? Not necessarily. Let me give you an example...

I go down the stairs and see a big guy sitting on our floor. A total stranger. He’s talking to himself saying ooh, ohh ****, ohh, I don’t feel that good, …ooh. I approach the guy and I ask him what an earth are you doing here? He doesn’t seem to recognize me. I can see he is drunk as a skunk. He’s reasonably clean, proper clothes and so forth but you can tell he drinks a lot. A lot.

...I asked him if there is anything I could do for him. He keeps on apologizing and asks if I can get a taxi for him. Sure can. The taxi arrives in 5 minutes. I help this guy to stand up and put on his shoes and jacket. Then I walk him to the taxi. He apologizes once more. I say not a big deal – take care of yourself! And he’s gone.

...I have this bad habit to leave doors open. I better start locking them up. For nights at least. Open is not always good.
Now, I doubt this gentleman's house will be able to withstand the efforts of a skilled lockpick or an assault team even once he starts using those locks he was ignoring, but that doesn't mean that he isn't getting a worthwhile and important benefit from using them! There are more drunks than lockpicks in this world, and more minimally competently security attackers than superbly able ones.

Shutting down a firewall - especially on a system with decent anti virus and malware - is not easy. It's much harder than merely adding a keylogger to a PIM; if its doable at all it will probably only be because of a temporary vulnerability that will get patched before 999 in 1000 attackers have a chance to use it. By comparison, the Nit is a house with no locks on its doors and a big "Come on in!" sign.
Last edited by meanwhile; 2008-04-15 at 14:38.
 
brontide's Avatar
brontide is offline brontide
2008-04-15 , 15:27
Posts: 868 | Thanked: 474 times | Joined on Oct 2007 @ Capital District, NY, USA
#33
Originally Posted by meanwhile View Post
By comparison, the Nit is a house with no locks on its doors and a big "Come on in!" sign.
If I had a spare unit I would place it on a public IP address and give it to the first hacker that cracked it. I would even tell you what firmware and 3rd party software was installed.
 
TA-t3 is offline TA-t3
2008-04-15 , 15:42
Posts: 3,841 | Thanked: 1,079 times | Joined on Nov 2006
#34
I think I'll abandon this discussion. meanwhile, in my opinion you don't know as much as you think you know about this. That it should be difficult to turn off a firewall is simply not true. At some point a user will end up installing a program with root (admin) access, simply because that particular application (whatever it says it's supposed to do) will have to be installed that way. For Windows, for example, there's almost nothing that installs without admin rights. From there on it's simple - you (the trojan) can do whatever you want.

But this is what I've been repeating, so I'll stop the repeat cycle there. Disagree if you want, I've said my piece.
__________________
N800/OS2007|N900/Maemo5
-- Metalayer-crawler delenda est.
-- Current state: Fed up with everything MeeGo.
 
tabletrat's Avatar
tabletrat is offline tabletrat
2008-04-15 , 17:41
Posts: 481 | Thanked: 65 times | Joined on Aug 2007 @ Westcountry, UK
#35
Originally Posted by meanwhile View Post
Bold added to show where the logic of this argument breaks down. By analogy, one might say "Locks and policeman are worthless in preventing burglary; because an effective burglar will overcome them." An effective burglar being defined, for the purposes of TA's argument, as someone capable of overcoming locks and guards! The point is that locks and similar security devices alter the effort-reward ratio of an attack.*
What a bizzarre argument!

OK, lets go with your argument. Do you have the capability of walking through an unlocked door? Yes? good. Do you know anyone else who knows how to walk through an unlocked door? Good so far.

ok. Do you know how to make a linux keylogger? Yes? Do you know anyone else who knows how to make a linux keylogger? yes? Do you know an equal amount of people who know how to walk through an unlocked door as can write a unix keylogger? yes? Good, that means your argument is valid.
Whats that? You don't? hmm..

Do you know anyone who can write a unix keylogger who couldn't write an application to disable a software firewall? I certainly couldn't think of anyone.

Originally Posted by meanwhile View Post
This the most basic thing to understand about the economics and psychology of security, and variants of TA's argument above have been repeated throughout the thread without anyone being willing to come to grips with the answer: all security is about raising the effort barrier to attackers.
and what you seem to not be able to grasp is that you are not raising the effort barrier to attackers, you are tricking yourself into thinking you are nice and safe.
You know when you are in a car and the brakes have failed and you are heading towards a truck? Closing your eyes doesn't actually work!

Originally Posted by meanwhile View Post
With Android (sandbox virtual machine) and Symbian (privilege and certification system), or even a decently configured Windows system (firewalls and virus checkers with daily updates) this barrier is enormously higher than for the Nit. In fact, Nokia don't seem to have thought about security at all with the Nit - and it should have been the starting point and key feature for a consumer device designed for accessing the Internet.
That is why windows has no viruses and I don't get any spam.

Originally Posted by meanwhile View Post
Of course, Nokia haven't been alone in their mistakes. Apple have made exactly the same errors with the iPhone, and are now rushing to correct them:
Indeed, that is why we have so many iPhone viruses.

Originally Posted by meanwhile View Post
Shutting down a firewall - especially on a system with decent anti virus and malware - is not easy.
It really is. Unless you are one of the things that the anti-virus knows about. The first people to pick up a new virus get no benifit from anti-virus. The people do later one.

Originally Posted by meanwhile View Post
It's much harder than merely adding a keylogger to a PIM; if its doable at all it will probably only be because of a temporary vulnerability that will get patched before 999 in 1000 attackers have a chance to use it. By comparison, the Nit is a house with no locks on its doors and a big "Come on in!" sign.
OK, your right. It is too dangerous. I suspect it is better if you just get rid of the nokia and go back to your nice safe windows.
 

The Following 3 Users Say Thank You to tabletrat For This Useful Post:
Brucealeg is offline Brucealeg
2008-04-15 , 20:15
Posts: 8 | Thanked: 2 times | Joined on Mar 2008
#36
<< This is an argument that the Religious Right uses over condoms and Aids. The empirically observed result is death among believers. >>

I was interested in this topic and went to read your reply and saw this, now I have to wonder if you are a ***** or not. Why not stick to the facts and leave your social, political and religious stupidity at home where they belong? The thread is about security not condoms and aids, per you initial post.
Last edited by Brucealeg; 2008-04-15 at 20:18.
 

The Following 2 Users Say Thank You to Brucealeg For This Useful Post:
Brucealeg is offline Brucealeg
2008-04-15 , 20:19
Posts: 8 | Thanked: 2 times | Joined on Mar 2008
#37
I thought the advantage of Linux was that keylogers and viruses were rare to none existent? I know that doesn't, in itself, make people feel more secure. I am curious how someone would exploit the NIT in a meaningful way.
 
brontide's Avatar
brontide is offline brontide
2008-04-15 , 20:23
Posts: 868 | Thanked: 474 times | Joined on Oct 2007 @ Capital District, NY, USA
#38
kernel module or X extension could probably implement a keylogger although neither is exactly trivial to write. Using standard command line tools I could dump passwords for IM, Mail, and network access trivially. Grabbing cookies might allow for attacks on several sites like google as well.

But the user still has to install and run this malicious software so some amount of social engineering is required.
 
Brucealeg is offline Brucealeg
2008-04-15 , 20:31
Posts: 8 | Thanked: 2 times | Joined on Mar 2008
#39
<< With Android (sandbox virtual machine) and Symbian (privilege and certification system), or even a decently configured Windows system (firewalls and virus checkers with daily updates) this barrier is enormously higher than for the Nit. In fact, Nokia don't seem to have thought about security at all with the Nit - and it should have been the starting point and key feature for a consumer device designed for accessing the Internet. >>

I didn't really think that Windows software firewalls were as good as you think or securing Windows wouldn't be the industry that it is. I've seen to many trojans disable the best Windows security, because it was just to easy for the user to accidently subvert system security. Maybe it's obscurity, but I have never really heard of this happening on a linux system - outside academic forum postings.

I would imagine that just being a NIT raises the bar of irritation, as mentioned in another post, for a hacker. Where is the benefit to trying to create a NIT trojan? There is an endless sea of Windows boxes and tools that anyone can use to make quick money. Hacking a NIT via a trojan takes some skill and the pay off just doesn't seem obvious to me - how about you?
 
Securix's Avatar
Securix is offline Securix
2008-04-15 , 20:48
Posts: 107 | Thanked: 26 times | Joined on Jan 2008 @ New Jersey
#40
As far as security goes, I'd worry more about someone physically stealing my N800 (and the data on it) than it getting hacked or hit with a virus/worm/etc.
 

The Following 4 Users Say Thank You to Securix For This Useful Post:
Reply
Page 4 of 7 « First 23 4 56 Last »

« Previous Thread | Next Thread »

 
Forum Jump


All times are GMT. The time now is 23:07.

Contact Us - Home - Archive - Top