R-R's Avatar
Posts: 739 | Thanked: 242 times | Joined on Sep 2007 @ Montreal
#1
Newer Windows and now iPhone's version of macOS X have some heap/mmap/base address randomisation built-in...

I think it would be very important to the platform's future to integrate such features as they don't cost much in terms of CPU cycles but save a lot of headaches if a worm was to be written for it...
And we all know every platform has holes!

A project like grsecurity should be ported to the base kernel in time for Harmattan (hopefully grsec is not too x86 specific).

Other security measures are of course to be considered but this would really put a basic trust level on the system by stopping most remote attacks (granted this is not a server and won't get exploited through some PHP coding errors like it's most often the case).

If you think exploits only work on servers, think again!
People are hacking servers to modify them so they can then trigger exploits in the clients visiting the server. This solution would result in your application crashing, but that's all, your N900 will not be owned by some remote mob... This is very important as this platform contains everything that is personal in your life.
 

Andre Klapper's Avatar
Posts: 1,665 | Thanked: 1,649 times | Joined on Jun 2008 @ Praha, Czech Republic
#2
Can you add a brainstorm ticket about this please, describing the problem you currently see plus providing a potential solution that you have in mind? Thanks!
http://maemo.org/community/brainstorm/
__________________
maemo.org Bugmaster
 
Posts: 543 | Thanked: 181 times | Joined on Aug 2009 @ Universe,LocalCluster.MilkyWay.Sol.Earth.Europe.Slovenia.Ljubljana
#3
I avoided commenting on this yesterday. But after reading all those features, I think this is something the user should be allowed to do in one's own choice. Not something pre-set in stone.

What I would like is simply the ability to roll my own kernel and still have everything work, preferably from vanilla sources.
 
R-R's Avatar
Posts: 739 | Thanked: 242 times | Joined on Sep 2007 @ Montreal
#4
Originally Posted by ruskie:
I avoided commenting on this yesterday. But after reading all those features, I think this is something the user should be allowed to do in one's own choice. Not something pre-set in stone.

What I would like is simply the ability to roll my own kernel and still have everything work, preferably from vanilla sources.
I agree that this would be nice, but are you saying you don't want security measures added by default even if they don't block you from doing anything?

Last edited by R-R; 2009-10-01 at 14:56.
 
javispedro's Avatar
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#5
Originally Posted by R-R:
Newer Windows and now iPhone's version of macOS X have some heap/mmap/base address randomisation built-in...
My N810 already has heap base address randomization enabled.
 

R-R's Avatar
Posts: 739 | Thanked: 242 times | Joined on Sep 2007 @ Montreal
#6
Originally Posted by javispedro:
My N810 already has heap base address randomization enabled.
Really? Custom kernel? ... the new ones also have canaries that really should be enabled if we don't add grsecurity (which I forgot to mention also adds non-executable stacks and stuff like that).
 
qgil's Avatar
Posts: 3,105 | Thanked: 11,088 times | Joined on Jul 2007 @ Mountain View (CA, USA)
#7
If you are going to the Maemo Summit don't miss http://wiki.maemo.org/Maemo_Summit_2...s_and_Concepts
 

javispedro's Avatar
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#8
Originally Posted by R-R:
Really? Custom kernel?
No, I did not replace the default kernel.

Randomize_va_space is enabled by default in n810's kernel version, and no COMPAT_BRK enabled.

And grsecurity is still very much a server thing, as a quick look at the supported archs reveals.
 

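Added example, not part of any post in this thread: a shell check of the two settings named in post #8 (the `randomize_va_space` sysctl and `CONFIG_COMPAT_BRK`), plus a comparison of `[heap]` and `[stack]` start addresses across two process runs. The value meanings are taken from the mainline Linux sysctl documentation and are an assumption for any particular device kernel; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Value meanings follow the mainline
# Linux documentation for the kernel.randomize_va_space sysctl.

# Translate a randomize_va_space value into what the kernel randomizes.
aslr_level() {
    case "$1" in
        0) echo "off" ;;
        1) echo "stack,mmap,vdso" ;;
        2) echo "stack,mmap,vdso,heap" ;;
        *) echo "unknown" ;;
    esac
}

# Kernel config text on stdin -> state of CONFIG_COMPAT_BRK.
compat_brk_state() {
    if grep -q '^CONFIG_COMPAT_BRK=y$'; then echo "enabled"; else echo "disabled"; fi
}

# /proc/<pid>/maps text on stdin -> start address of the named region.
region_start() {
    awk -v name="$1" '$NF == name { split($1, a, "-"); print a[1]; exit }'
}

# Compare one region in two saved maps files (two samples of the same program).
region_randomized() {
    a=$(region_start "$1" < "$2")
    b=$(region_start "$1" < "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then echo "unknown"
    elif [ "$a" != "$b" ]; then echo "yes"
    else echo "no"; fi
}

# Live report, only where the running kernel exposes these files.
if [ -r /proc/sys/kernel/randomize_va_space ]; then
    v=$(cat /proc/sys/kernel/randomize_va_space)
    echo "randomize_va_space=$v ($(aslr_level "$v"))"
fi
if [ -r /proc/config.gz ]; then
    echo "CONFIG_COMPAT_BRK: $(gzip -dc /proc/config.gz | compat_brk_state)"
fi
if [ -r /proc/self/maps ]; then
    s1=$(mktemp); s2=$(mktemp)
    cat /proc/self/maps > "$s1"; cat /proc/self/maps > "$s2"
    echo "heap moves between runs: $(region_randomized '[heap]' "$s1" "$s2")"
    echo "stack moves between runs: $(region_randomized '[stack]' "$s1" "$s2")"
    rm -f "$s1" "$s2"
fi
```

The address comparison is the more reliable of the two checks, since a configuration value does not show whether the architecture actually implements the randomization.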
allnameswereout's Avatar
Posts: 3,397 | Thanked: 1,212 times | Joined on Jul 2008 @ Netherlands
#9
Capability-based security and signed binaries. Oh, wait...

IMO one big issue is when Gecko engine isn't updated anymore. Or its plugins, like Flash. Or just lack of Maemo security updates in general.

My Nokia N900 will be behind NAT a lot, so I'm not so afraid for services being exploited. Because worms exploit services they're not an issue. Trojan horses via e-mail, or malicious web content are the culprits I foresee.

Plus, at some point those who kept ranting about Symbian's 'horrible' certificate-based signed binaries and capability-based security will see the other side of the blade: the disadvantage of the lack thereof.
__________________
Goosfraba! All text written by allnameswereout is public domain unless stated otherwise. Thank you for sharing your output!
 
Posts: 543 | Thanked: 181 times | Joined on Aug 2009 @ Universe,LocalCluster.MilkyWay.Sol.Earth.Europe.Slovenia.Ljubljana
#10
Originally Posted by R-R:
I agree that this would be nice, but are you saying you don't want security measures added by default even if they don't block you from doing anything?
Correct. It's a computer. I want to be the one that defines what "security" should be. Give me a vanilla kernel and allow me to configure it to my specs. Yes this includes applying things like grsec if I want it and so on.
 