The future of the platform's security...
Newer Windows and now iPhone's version of macOS X have some heap/mmap/base address randomisation built-in...
I think it would be very important to the platform's future to integrate such features (http://grsecurity.net/features.php) as they don't cost much in terms of cpu cycles but save a lot of headaches if a worm was to be written for it...
And we all know every platform has holes!
A project like grsecurity (http://grsecurity.net/) should be ported to the base kernel in time for Harmattan (hopefully grsec is not too x86 specific).
Other security measures are of course to be considered but this would really put a basic trust level on the system by stopping most remote attacks (granted this is not a server and won't get exploited through some php coding errors like it's most often the case).
If you think exploits only work on servers, think again (http://zeltser.com/client-side-vulnerabilities/)!
People are hacking servers to modify them so they can then trigger exploits in the clients visiting the server. With this solution your application would crash, but that's all; your N900 will not be owned by some remote mob... This is very important as this platform contains everything that is personal in your life.
Andre Klapper
2009-10-01, 11:31
Can you add a brainstorm ticket about this please, describing the problem you currently see plus providing a potential solution that you have in mind? Thanks!
http://maemo.org/community/brainstorm/
I avoided commenting on this yesterday. But after reading all those features. I think this is something the user should be allowed to do in one's own choice. Not something pre-set in stone.
What I would like is simply the ability to roll my own kernel and still have everything work, preferably from vanilla sources.
I agree that this would be nice, but are you saying you don't want security measures added by default even if they don't block you from doing anything? :)
javispedro
2009-10-01, 14:35
My N810 already has heap base address randomization enabled.
Really? Custom kernel? ... the new ones also have canaries that really should be enabled if we don't add grsecurity (which I forgot to mention also adds non-executable stacks and stuff like that).
If you are going to the Maemo Summit don't miss http://wiki.maemo.org/Maemo_Summit_2009/Schedule/Day_3#Maemo_Platform_Security:_Principles_and_Concepts
javispedro
2009-10-01, 15:28
Really? Custom kernel?
No, I did not replace the default kernel.
randomize_va_space is enabled by default in the N810's kernel version, and COMPAT_BRK is not enabled.
And grsecurity is still very much a server thing, as a quick look at the supported archs reveals.
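One way to check the claim above on any Linux box (added example, not code from the thread): spawn a few fresh processes, parse their /proc/self/maps, and see which regions actually move between runs, alongside the randomize_va_space sysctl value. It assumes a Linux host with /proc mounted.

```python
"""ASLR coverage check: parse /proc/<pid>/maps from several fresh processes
and report which regions (heap, stack, shared-library base) actually move.
Added example, not code from the thread; assumes a Linux host with /proc."""
import re
import subprocess
import sys

# address-range perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$")

def parse_region_bases(maps_text):
    """Return {'heap': base, 'stack': base, 'lib': base} from a maps dump.
    'lib' is the base of the first shared object seen (an mmap'd region)."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, path = int(m.group(1), 16), m.group(2).strip()
        if path == "[heap]" and "heap" not in bases:
            bases["heap"] = start
        elif path == "[stack]" and "stack" not in bases:
            bases["stack"] = start
        elif ".so" in path and "lib" not in bases:
            bases["lib"] = start
    return bases

def regions_randomized(samples):
    """Given per-process base dicts, report which regions changed between runs."""
    result = {}
    for region in ("heap", "stack", "lib"):
        seen = {s[region] for s in samples if region in s}
        result[region] = len(seen) > 1
    return result

def randomize_va_space():
    """0 = off, 1 = stack/mmap/vdso only, 2 = also the brk heap (-1 if unreadable)."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return -1

def sample_fresh_processes(n=5):
    """Spawn n new interpreters, each dumping its own /proc/self/maps."""
    cmd = [sys.executable, "-c", "print(open('/proc/self/maps').read())"]
    return [parse_region_bases(subprocess.check_output(cmd, text=True)) for _ in range(n)]

if __name__ == "__main__":
    print("randomize_va_space =", randomize_va_space())
    print(regions_randomized(sample_fresh_processes()))
```

A heap that never moves while randomize_va_space reads 1 is exactly the brk-heap gap that value 2 (or a kernel built without COMPAT_BRK) closes.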
allnameswereout
2009-10-01, 16:18
Capability-based security and signed binaries. Oh, wait... ;)
IMO one big issue is when Gecko engine isn't updated anymore. Or its plugins, like Flash. Or just lack of Maemo security updates in general.
My Nokia N900 will be behind NAT a lot, so I'm not so afraid for services being exploited. Because worms exploit services they're not an issue. Trojan horses via e-mail, or malicious web content are the culprits I foresee.
Plus, at some point those who kept ranting about Symbian's 'horrible' certificate-based signed binaries and capability-based security will see the other side of the blade: the disadvantage of the lack thereof.
Correct. It's a computer. I want to be the one that defines what "security" should be. Give me a vanilla kernel and allow me to configure it to my specs. Yes this includes applying things like grsec if I want it and so on.
deadmalc
2009-10-02, 08:36
I've used both grsec and selinux, and I think selinux would be more appropriate here.
The main issue here is the initial volume of work required to get apps to actually work, this is something I may look at once I finally get my n900 ;-)
The main problem is that selinux (may be historical) adds a 10% overhead...
allnameswereout
2009-10-02, 08:43
OK, so if I dialup to your phone number or telnet to your server and I log in with lp I get shell access, and your root passwd is empty? Nice, secure by default... :p
How about keeping it in the scope.
a) There won't be any default services running on the public IPs of the phone; if there are, that's just insane from Nokia's side of things.
b) dial-in: you seem to have this misperception that these things work out of the box with no setting up and so on? They don't.
So yes I'm not worried about remote exploits in the form of services running on the phone. As it's locked down quite well.
telnet to your server and I log in with lp I get shell access
You seem to think you can login to any user that doesn't have a password set. Having a blank password and not having one set are two very different things.
When one is not set usually there is some char: ! or x where the password should be. So no matter what you try you will fail to authenticate.
You also have this misconception that all the features of grsec/selinux/rbac/etc... will give you some magical security bullet if you run the device without a firewall or any other basic pre-existing security setups.
Security is a process not a state.
a) don't run external services - this is the easiest one to do
b) have a firewall in place that by default blocks anything unrelated coming in - not that hard to do as well
c) set a root pw - a default one doesn't make sense but generating a password based on wlan mac+imei+something else as salt for it could do well.
d) consider what most users will be doing with the device (I mean most, not those like myself that will run various things like openssh and openvpn on it). They'll be uploading photos, using maps, chatting etc. And won't worry about all that security stuff.
e) all the hardened security ideas are there really if you have a firewall/router that's running linux, or running services that are exposed to the outside.
f) And in the end this should still be the users choice. If they want to run something secure they should be the one to do so.
I would have to say there's a greater possibility of something coming in through an SMS than through IP.
If you are worried about local exploits then you have much bigger problems than a simple security issue.
It's simple: do you trust the app that you are installing? If you don't then don't install it. What's so hard about it. Yes apps should possibly be vetted through some security checks and so on but that won't catch everything. But adding I don't know what extra security checks for such things doesn't make sense unless it's something of real importance.
I would consider encrypted data store, and an easy OTA backup/sync a more pressing need. That way if you need to ever restore the system you still have everything.
In my book privacy and personal control trump security each and every time.
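The "blank password vs. no password set" distinction above is easy to audit mechanically. This added example (not from the thread) classifies the password field of passwd/shadow entries, resolving an `x` in passwd through the shadow file; the sample files are constructed, not taken from any real device.

```python
"""Account audit: distinguish 'no password set' (locked) from 'empty password'
in /etc/passwd and /etc/shadow lines. Added example, not from the thread;
the sample lines below are constructed, not from any real device."""

def classify_password_field(field):
    """Classify the second field of a passwd or shadow entry."""
    if field == "":
        return "empty"        # no password at all: login may succeed with none
    if field == "x":
        return "shadowed"     # passwd entry; the real hash lives in /etc/shadow
    if field.startswith(("!", "*")):
        return "locked"       # '!'/'*' never matches any hash: password login off
    return "hashed"           # a real hash is set (strength is a separate question)

def audit_accounts(passwd_text, shadow_text):
    """Return {user: status} giving the effective password state per account."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            user, field = line.split(":")[:2]
            shadow[user] = classify_password_field(field)
    status = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        state = classify_password_field(field)
        if state == "shadowed":
            # 'x' with no shadow entry leaves nothing to match against: unusable
            state = shadow.get(user, "locked")
        status[user] = state
    return status

def passwordless_accounts(status):
    """Users who could log in without a password (the 'empty' case, not 'locked')."""
    return sorted(u for u, s in status.items() if s == "empty")

# Constructed sample files for demonstration only.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
user:x:1000:1000::/home/user:/bin/sh
guest::1001:1001::/home/guest:/bin/sh
"""
SAMPLE_SHADOW = """root:$6$saltsalt$constructedhashvalue:14000:0:99999:7:::
lp:!:14000:0:99999:7:::
user::14000:0:99999:7:::
"""

if __name__ == "__main__":
    result = audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print(result)
    print("passwordless:", passwordless_accounts(result))
```

Whether an "empty" account can actually log in still depends on the PAM stack (e.g. nullok), but the audit tells you which accounts to look at.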
allnameswereout
2009-10-02, 09:22
Hmm... I was joking about wardialing, IRIX, default usernames with no passwords, and so on... point being, that these default settings were not good.
My previous post already outlined the problem: lack of capability-based security, lack of signed binaries, and client software.
Stuff like firewalls and services are boring because they're already a given, and these devices usually hang behind NAT. :)
Well I don't take "hints" well in general ;)
As for signed binaries I actually want that using something like signelf. The only problem is an absent loader that could verify on load. But what I don't want is this enforced in a manner similar to symbiansigned. But sadly that's how a corporation would understand it. Hence why I oppose this as enabled by default and so on.
But again I still don't get it what you would benefit from all of this. I mean once you have local access nothing really will help much.