Thread: Security on Nits?
View Single Post
meanwhile is offline meanwhile
2008-04-15 , 14:31
Posts: 66 | Thanked: 17 times | Joined on Apr 2008
#32
Originally Posted by TA-t3 View Post
I would reply to many of the above postings, but it's just too much - so I summarize:

Q) Why doesn't a firewall help (on any platform) if you install a trojan?
A) Because the trojan (which, if it's an effective trojan) has root access and can thus simply deactivate whatever it wants in the firewall. Any security measures you have set up locally are useless if you install malicious software.
Bold added to show where the logic of this argument breaks down. By analogy, one might say "Locks and policeman are worthless in preventing burglary; because an effective burglar will overcome them." An effective burglar being defined, for the purposes of TA's argument, as someone capable of overcoming locks and guards! The point is that locks and similar security devices alter the effort-reward ratio of an attack.*

This the most basic thing to understand about the economics and psychology of security, and variants of TA's argument above have been repeated throughout the thread without anyone being willing to come to grips with the answer: all security is about raising the effort barrier to attackers. With Android (sandbox virtual machine) and Symbian (privilege and certification system), or even a decently configured Windows system (firewalls and virus checkers with daily updates) this barrier is enormously higher than for the Nit. In fact, Nokia don't seem to have thought about security at all with the Nit - and it should have been the starting point and key feature for a consumer device designed for accessing the Internet.

Of course, Nokia haven't been alone in their mistakes. Apple have made exactly the same errors with the iPhone, and are now rushing to correct them: http://www.theregister.co.uk/2007/10/24/omtp_security/

*Very, very amusingly, there's a story about exactly this realization on Nokia's leader NIT developer's blog:

http://jaaksi.blogspot.com/search?q=taxi&x=0&y=0

Open is good, eh? Not necessarily. Let me give you an example...

I go down the stairs and see a big guy sitting on our floor. A total stranger. He’s talking to himself saying ooh, ohh ****, ohh, I don’t feel that good, …ooh. I approach the guy and I ask him what an earth are you doing here? He doesn’t seem to recognize me. I can see he is drunk as a skunk. He’s reasonably clean, proper clothes and so forth but you can tell he drinks a lot. A lot.

...I asked him if there is anything I could do for him. He keeps on apologizing and asks if I can get a taxi for him. Sure can. The taxi arrives in 5 minutes. I help this guy to stand up and put on his shoes and jacket. Then I walk him to the taxi. He apologizes once more. I say not a big deal – take care of yourself! And he’s gone.

...I have this bad habit to leave doors open. I better start locking them up. For nights at least. Open is not always good.
Now, I doubt this gentleman's house will be able to withstand the efforts of a skilled lockpick or an assault team even once he starts using those locks he was ignoring, but that doesn't mean that he isn't getting a worthwhile and important benefit from using them! There are more drunks than lockpicks in this world, and more minimally competently security attackers than superbly able ones.

Shutting down a firewall - especially on a system with decent anti virus and malware - is not easy. It's much harder than merely adding a keylogger to a PIM; if its doable at all it will probably only be because of a temporary vulnerability that will get patched before 999 in 1000 attackers have a chance to use it. By comparison, the Nit is a house with no locks on its doors and a big "Come on in!" sign.
Last edited by meanwhile; 2008-04-15 at 14:38.