Posts: 191 | Thanked: 29 times | Joined on Sep 2007 @ Ottawa
#11
There is the built in linux firewall which is controlled by /sbin/iptables. Very powerful, and very difficult to configure, if you have never used it before. It is an excellent way to block tcp/udp ports.

I hope this helps,

Craig...
__________________
N800, Think Outside Kbd, 8GB SDHC Card (OCZ, ext2), and 8GB SD Card (Patriot formatted as VFAT)
Zaurus SL-6000, IR Keyboard, 1GB SD Card
 

Posts: 3,841 | Thanked: 1,079 times | Joined on Nov 2006
#12
A keylogger trojan would just push the data out through the email program. Can't block that in any easy way.

I know Windows firewalls (at least the good ones) can specify not only port, but also application, and say "the browser can go out to port 80, any other app can't". And so on. This isn't easy to do on Linux or Unix. It wouldn't be that useful either, even if iptables could do it, because on Windows it's much more common that every application does its input/output directly, while on *nix you can often just communicate through the daemon or service that usually handles that kind of traffic (e.g. for sending email you almost never try to send data directly on port 25, instead you use the sendmail (or equivalent) program).

Out of the box there's almost nothing listening to any TCP/IP or UDP port on the NIT, so someone breaking their way into your NIT isn't much of an issue. However, if you install something that happens to be a trojan there's very little you can do to avoid it doing whatever harm it wants. This is such a serious situation that the only thing that helps is "don't do that". On any platform.
__________________
N800/OS2007|N900/Maemo5
-- Metalayer-crawler delenda est.
-- Current state: Fed up with everything MeeGo.
 
Posts: 244 | Thanked: 10 times | Joined on Jan 2007
#13
Lets also look at it this way.

Coding is complex. The internet tablet is a custom kernel on an armel processor. A very very very very small niche of the Linux users out there. Someone would have to write, or compile the app to run, you would have to install it... it's actually a much rarer thing than most people imagine.
 
Posts: 868 | Thanked: 474 times | Joined on Oct 2007 @ Capital District, NY, USA
#14
Originally Posted by schmots View Post
Lets also look at it this way.

Coding is complex. The internet tablet is a custom kernel on an armel processor. A very very very very small niche of the Linux users out there. Someone would have to write, or compile the app to run, you would have to install it... it's actually a much rarer thing than most people imagine.
I would say it's a lot easier than people say. All I need to do is make a new build of pidgin or firefox and post them here. I would have several hundred installs within a few days.

That said it's all about risk. I have a pre-school daughter. Do I fret about "sexual predators"? Not really, day to day I'm more worried about her falling down the stairs or running into the street. In the case of the NITs there are much bigger fish to fry before I'm going to become worried about malware.

Oh and iptables can block by process, uid, gid, and other criteria. If its blocking is not good enough it can shunt the connections through a userspace daemon to do more complex actions.
 
Posts: 3,841 | Thanked: 1,079 times | Joined on Nov 2006
#15
iptables can do that, yes, but if you send your emails through sendmail/exim/whatever, as is easiest anyway, it won't help.
__________________
N800/OS2007|N900/Maemo5
-- Metalayer-crawler delenda est.
-- Current state: Fed up with everything MeeGo.
 
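To make brontide's point in #14 concrete, here is an added example (not code from the thread or from Nokia) of a per-uid egress policy using the iptables owner match. It assumes the mail transfer agent runs as uid 8 (Debian's "mail") and the browser as uid 29999 (Maemo's "user"); the chain name NIT_EGRESS and the DRY_RUN switch are inventions of this script. Two caveats: the older --pid-owner/--cmd-owner options were dropped from the kernel around 2.6.14, so on a 2.6.21-era tablet you can only match on the uid or gid a program runs as, and since almost everything on the tablet runs as the same "user" account, per-application rules only bite if the program is started under its own uid. And, as TA-t3 notes in #15, a keylogger that hands its data to the local MTA or any other permitted process walks straight through this.

```shell
#!/bin/sh
# Added example: per-uid egress policy with iptables' owner match.
# Assumed (not from the thread): MTA uid 8, browser uid 29999,
# chain name NIT_EGRESS. DRY_RUN=1 prints the rules instead of
# applying them, so the policy can be read and tested without root.

IPT=${IPT:-/sbin/iptables}
MAIL_UID=${MAIL_UID:-8}
BROWSER_UID=${BROWSER_UID:-29999}

# Wrapper: print the rule in dry-run mode, otherwise execute it.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

egress_policy() {
    # Keep our rules in their own chain so flushing it leaves the
    # rest of OUTPUT alone.
    ipt -N NIT_EGRESS 2>/dev/null || true
    ipt -F NIT_EGRESS

    # Replies on flows we already accepted, and loopback, always pass.
    ipt -A NIT_EGRESS -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A NIT_EGRESS -o lo -j ACCEPT

    # Only the MTA may open SMTP connections; anyone else gets a reset.
    ipt -A NIT_EGRESS -p tcp --dport 25 -m owner --uid-owner "$MAIL_UID" -j ACCEPT
    ipt -A NIT_EGRESS -p tcp --dport 25 -j REJECT --reject-with tcp-reset

    # Only the browser uid may do HTTP/HTTPS.
    ipt -A NIT_EGRESS -p tcp -m multiport --dports 80,443 -m owner --uid-owner "$BROWSER_UID" -j ACCEPT
    ipt -A NIT_EGRESS -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset

    # DNS is needed by everything, so it is allowed for every uid.
    ipt -A NIT_EGRESS -p udp --dport 53 -j ACCEPT

    # Everything else: rate-limited log entry, then drop.
    ipt -A NIT_EGRESS -m limit --limit 5/min -j LOG --log-prefix "NIT_EGRESS-drop:"
    ipt -A NIT_EGRESS -j DROP

    # Hook the chain into OUTPUT exactly once (remove any old jump first).
    ipt -D OUTPUT -j NIT_EGRESS 2>/dev/null || true
    ipt -I OUTPUT 1 -j NIT_EGRESS
}

# Usage: "sh egress.sh show" prints the rules; "sh egress.sh apply"
# installs them (needs root). With no argument the script only defines
# the functions, so it can be sourced.
case "${1:-}" in
    apply) egress_policy ;;
    show)  DRY_RUN=1; egress_policy ;;
esac
```

The ordering matters: the owner-matched ACCEPT for each port sits directly above the REJECT for that port, so a process under any other uid is refused before the catch-all DROP is reached, and the LOG line tells you which uid and port tried to get out.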
Posts: 4,930 | Thanked: 2,272 times | Joined on Oct 2007
#16
Installing packages is done as root; no matter what you set up (other than rejecting packages before installation), a malicious package can disable or circumvent the firewall. Same as on any UNIX system; if you don't trust the software, don't do a system-wide install.

After installing, you can check sudoers, as it's reasonably likely that malware would put itself in there to permit any malicious activities that require root. All depends on the payload, of course. A keylogger can get by quite fine by itself, as long as some usable process (ssh, mail, etc.) is able to access the outside world.

Things you can do to check software you're considering installing:
Check the file-list.
Check the install scripts.
That should make the scope of things it can do clear; but even with no SUID or sudoers entries, you can do a lot.
 

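Benson's two checks in #16 (the file list and the install scripts), plus his note about sudoers and SUID, can be scripted against a package before it is installed. The following is an added example, not Benson's or Nokia's code; it relies on the fact that Maemo applications are Debian .deb packages and that dpkg-deb is available (it is what the Application manager drives underneath). The list of patterns it greps for in the maintainer scripts is this script's own choice: sudoers and visudo, chmod calls that set the setuid/setgid bit, and writes into /etc/init.d or crontabs as persistence. It prints what it finds and returns non-zero if anything was flagged.

```shell
#!/bin/sh
# Added example: inspect a .deb before installing it, along the lines
# Benson lists. Assumes dpkg-deb is present; the grep patterns are this
# script's own heuristics, not anything from the thread.

audit_deb() {
    pkg=$1
    findings=0
    work=$(mktemp -d)

    # 1. The file list. dpkg-deb -c prints a "tar -tv" style listing:
    #    mode owner/group size date time ./path
    dpkg-deb -c "$pkg" > "$work/files"

    # Anything landing in /etc/sudoers or /etc/sudoers.d grants root.
    if grep -E ' \./etc/sudoers' "$work/files" > "$work/sudo"; then
        echo "FLAG: package ships a sudoers file:"
        cat "$work/sudo"
        findings=$((findings + 1))
    fi

    # setuid/setgid show up as 's' in the user or group execute slot
    # of the mode column (e.g. -rwsr-xr-x).
    if grep -E '^-..[sS]|^-.....[sS]' "$work/files" > "$work/suid"; then
        echo "FLAG: setuid/setgid files in payload:"
        cat "$work/suid"
        findings=$((findings + 1))
    fi

    # 2. The maintainer scripts. These run as root at install time,
    #    so read them; here we grep for the obvious root grabs.
    dpkg-deb -e "$pkg" "$work/control"
    for s in preinst postinst prerm postrm; do
        [ -f "$work/control/$s" ] || continue
        if grep -n -E 'sudoers|visudo|chmod[[:space:]]+([ugo]*\+s|[2-7][0-7]{3})|/etc/init\.d|crontab' \
            "$work/control/$s" > "$work/hits"; then
            echo "FLAG: $s contains suspicious commands:"
            cat "$work/hits"
            findings=$((findings + 1))
        fi
    done

    rm -rf "$work"
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_deb.sh some-package.deb && echo "nothing flagged"
if [ -n "${1:-}" ]; then
    audit_deb "$1"
fi
```

A clean result from this does not make a package safe (Benson's last sentence applies: a program running as the ordinary user can still read your keystrokes and mail them out), but it catches the lazy versions of the attack in seconds, and reading the four maintainer scripts by hand afterwards is the part that actually matters.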
Posts: 3,841 | Thanked: 1,079 times | Joined on Nov 2006
#17
Yep, if malicious software gets installed, no firewall or anything else would help. So, this is what must be avoided.
__________________
N800/OS2007|N900/Maemo5
-- Metalayer-crawler delenda est.
-- Current state: Fed up with everything MeeGo.
 
Posts: 66 | Thanked: 17 times | Joined on Apr 2008
#18
Originally Posted by TA-t3 View Post
Yep, if malicious software gets installed, no firewall or anything else would help.
No, that's just wrong. A decent firewall will stop applications sending data (your passwords, credit card numbers, confidential email) outside your machine without your permission.

Wait: TA's post makes MUCH more sense when I look at one of his earlier ones too:

I know Windows firewalls (at least the good ones) can specify not only port, but also application, and say "the browser can go out to port 80, any other app can't". And so on. This isn't easy to do on Linux or Unix. It wouldn't be that useful either, even if iptables could do it, because on Windows it's much more common that every application does its input/output directly, while on *nix you can often just communicate through the daemon or service that usually handles that kind of traffic (e.g. for sending email you almost never try to send data directly on port 25, instead you use the sendmail (or equivalent) program).

Out of the box there's almost nothing listening to any TCP/IP or UDP port on the NIT, so someone breaking their way into your NIT isn't much of an issue. However, if you install something that happens to be a trojan there's very little you can do to avoid it doing whatever harm it wants. This is such a serious situation that the only thing that helps is "don't do that". On any platform.
Very useful. Thanks.

Last edited by meanwhile; 2008-04-14 at 19:05.
 
Posts: 66 | Thanked: 17 times | Joined on Apr 2008
#19
Originally Posted by brontide View Post
I would say it's a lot easier than people say. All I need to do is make a new build of pidgin or firefox and post them here. I would have several hundred installs within a few days.
If I was a Linux programmer in a low wage economy, with the connections to use credit card numbers and PayPal, I'd see the NITs as a godsend. Three months programming would get the machine the decent PIM it lacks; 2000 downloads (the most any NIT app seems to get) might get me 1000 compromised individuals. Say I get $1000 from each, of which I keep $500 - I don't have to work again for the rest of my life.

I'm tempted to do it myself.

That said it's all about risk. I have a pre-school daughter. Do I fret about "sexual predators"? Not really, day to day I'm more worried about her falling down the stairs or running into the street. In the case of the NITs there are much bigger fish to fry before I'm going to become worried about malware.
This is true. As I said in my first post, I think the platform is reasonably safe through obscurity. However, speaking personally, I'd find it undignified to rely on luck for my computer security strategy. (Plus it would be professionally embarrassing to me if anyone realized I was doing this.) So I'll make a minor effort and set up an extra mail account.

Oh and iptables can block by process, uid, gid, and other criteria. If it's blocking is not good enough it can shunt the connections through a userspace daemon to do more complex actions.
That's good information - thanks. I don't think it would do the average user much good though.

Nokia do seem to have designed an inherently insecure device, unfitted for most users. If I was them, I'd have firewalled the machine and given it a virtual machine with a sandbox mode, and required special effort and passwords to install apps that bypassed this.

Btw, is there a mode that stops users from being able to install apps?
 
Posts: 66 | Thanked: 17 times | Joined on Apr 2008
#20
Originally Posted by cvmiller View Post
There is the built in linux firewall which is controlled by /sbin/iptables. Very powerful, and very difficult to configure, if you have never used it before. It is an excellent way to block tcp/udp ports.

I hope this helps,

Craig...
Wait - there IS a firewall??? All they had to do was add a GUI???

Anyway, very useful - or at least very interesting, as I don't know if I'll make that much effort. Might be much simpler to carry out my extra email account plan and limit my use of the N800 to fun stuff.
 