Active Topics
-
Camera phone competition March 2023 "Endless" (35)
to General by Maemish - 1 day ago -
TLS 1.2 for N9 is ready (28)
to MeeGo / Harmattan by smartblu9 - 1 day, 1 hr ago -
Maemo repository (3)
to Community by torsen - 1 day, 17 hrs ago -
Error after installing Leste on sdcard (11)
to Maemo 7 / Leste by Maemish - 2 days, 14 hrs ago -
Introducing ubiboot N9 (multiboot OS loader) (1,393)
to Alternatives by smatkovi - 3 days, 21 hrs ago - more...
| The Following User Says Thank You to Dave999 For This Useful Post: | ||
|
2016-02-08
, 21:02
|
|
Posts: 201 |
Thanked: 410 times |
Joined on Dec 2013
|
#192
|
What I don't get:
Turingphone is advertising a "secure" phone.
But Sailfish OS as of today is nothing secure at all: the disk is not encrypted and screenlocking is only half baked. Anyone can just connect via USB and read all data in cleatext.
Turingphone is advertising a "secure" phone.
But Sailfish OS as of today is nothing secure at all: the disk is not encrypted and screenlocking is only half baked. Anyone can just connect via USB and read all data in cleatext.
| The Following 10 Users Say Thank You to gaelic For This Useful Post: | ||
|
|
2016-02-08
, 21:43
|
|
Posts: 479 |
Thanked: 1,284 times |
Joined on Jan 2012
@ Enschede, The Netherlands
|
#193
|
Originally Posted by gaelic
… yet there's no known malware, and afaik Sailfish is quite up-to-date with security patches for CVE's. Unlike most Androids.
What I don't get:
Turingphone is advertising a "secure" phone.
But Sailfish OS as of today is nothing secure at all: the disk is not encrypted and screenlocking is only half baked. Anyone can just connect via USB and read all data in cleatext.
Also, who knows what they have coming? Things like full device encryption don't seem to be too hard using the default Linux tooling (which does beg the question why it still isn't in our devices). And Jolla was touting extra security features from the SSH-guys. Perhaps they sold that to Turing? Indeed it remains to be seen what of that is going back upstream.
|
|
2016-02-08
, 22:32
|
|
Guest |
Posts: n/a |
Thanked: 0 times |
Joined on
|
#194
|
Originally Posted by gaelic
Security via obscurity?
What I don't get:
Turingphone is advertising a "secure" phone.
But Sailfish OS as of today is nothing secure at all: the disk is not encrypted and screenlocking is only half baked. Anyone can just connect via USB and read all data in cleatext.
Any device that you can get your hands on is susceptible to exploits. The lock screens, et al... those are nice. But if I have access to a device, I'd not say that it's entirely safe by no stretch of the imagination.
Besides... where's the user rights exploits? The trojans? The browser exploits? iOS and Android have plenty of those. None so far for Sailfish.
I'd still not say it's "secure" but there's no USB connector on the Turing phone - well, there's the proprietary connector. But you're right about the lack of encryption.
Edit: Crap, didn't see the above post.
|
|
2016-02-09
, 06:02
|
|
Community Council |
Posts: 4,920 |
Thanked: 12,867 times |
Joined on May 2012
@ Southerrn Finland
|
#195
|
Originally Posted by gaelic
That's a fairly tall order, how are you going to do that?
What I don't get:
Turingphone is advertising a "secure" phone.
But Sailfish OS as of today is nothing secure at all: the disk is not encrypted and screenlocking is only half baked. Anyone can just connect via USB and read all data in cleatext.
I assume you are talking about the case that user has set up the USB port in "automatic filesystem export" mode. And even in that case I think you cannot access anything if the device is locked, right?
(at least SSH via USB cannot connect to device when it is locked... I am not sure about the disk export because I don't use that.)
If you have bootlock in the device there's not possibility for Evil Maid attack either.
Just about the only way to get at some data is to remove the SD card, and if you do not have that encrypted.... well that's your problem then.
And BTW, this is all beside the point anyway; The rumoured "Turing Phone" if it ever exists is without USB and without SD card so those attack vectors are out-of-scope....
| The Following 6 Users Say Thank You to juiceme For This Useful Post: | ||
|
|
2016-02-09
, 08:07
|
|
Posts: 1,548 |
Thanked: 7,510 times |
Joined on Apr 2010
@ Czech Republic
|
#196
|
Originally Posted by Fuzzillogic
Could be performance reasons or just plain lack of time. But indeed using LUKS for the encryption should be quite simple.
Also, who knows what they have coming? Things like full device encryption don't seem to be too hard using the default Linux tooling (which does beg the question why it still isn't in our devices).
I kinda remember that the Jolla Tablet was supposed to have that, but who knows if it was actually implemented in the end.
__________________
modRana: a flexible GPS navigation system
Mieru: a flexible manga and comic book reader
Universal Components - a solution for native looking yet component set independent QML appliactions (QtQuick Controls 2 & Silica supported as backends)
modRana: a flexible GPS navigation system
Mieru: a flexible manga and comic book reader
Universal Components - a solution for native looking yet component set independent QML appliactions (QtQuick Controls 2 & Silica supported as backends)
| The Following User Says Thank You to MartinK For This Useful Post: | ||
 |
|
2016-02-09
, 08:45
|
|
Posts: 1,389 |
Thanked: 1,857 times |
Joined on Feb 2010
@ Israel
|
#197
|
Originally Posted by Fuzzillogic
CVE patches are released only on updates and not as a patches.
… yet there's no known malware, and afaik Sailfish is quite up-to-date with security patches for CVE's. Unlike most Androids.
Also, who knows what they have coming? Things like full device encryption don't seem to be too hard using the default Linux tooling (which does beg the question why it still isn't in our devices). And Jolla was touting extra security features from the SSH-guys. Perhaps they sold that to Turing? Indeed it remains to be seen what of that is going back upstream.
If Android is more popular and thus has more malware doesn't mean Sailfish is more secure. Sailfish can run Android apps and as there is no official Google store and people are getting apk from internet shady sites - same chances to get malware as on Android.
There are vulrnabilities and malware on Linux today and thus on Sailfish.
It's not less secure than android but is not more secure as well (especially with no per app permissions support).
But yes "Android is baaaaaad!!! boooooo!!! Sailfish is more linux and this means be default is better"
| The Following 5 Users Say Thank You to ZogG For This Useful Post: | ||
|
|
2016-02-09
, 10:33
|
|
Community Council |
Posts: 4,920 |
Thanked: 12,867 times |
Joined on May 2012
@ Southerrn Finland
|
#198
|
Regarding security; all security measures are only as strong as the weakest link in the system and we DO know fairly certainly that for all systems designed to be operated by humans it is always the human part.
Any security measures that are built into devices will be subverted by the users if they require to do that in order to adapt the said devices to their use patterns.
Hence I believe it is out-of-scope to try to compare which systems or devices are "by themselves" more secure; it would be more appropriate to compare which systems could be easily used as secure environment, given a hypotethical user-who-understands-security-concerns...
Any security measures that are built into devices will be subverted by the users if they require to do that in order to adapt the said devices to their use patterns.
Hence I believe it is out-of-scope to try to compare which systems or devices are "by themselves" more secure; it would be more appropriate to compare which systems could be easily used as secure environment, given a hypotethical user-who-understands-security-concerns...
|
|
2016-02-09
, 14:51
|
|
Posts: 201 |
Thanked: 410 times |
Joined on Dec 2013
|
#199
|
Originally Posted by juiceme
If I have device encryption an the device is locked normally noone should be able to access mmy data.
Any security measures that are built into devices will be subverted by the users if they require to do that in order to adapt the said devices to their use patterns.
Sailfish doesn't even have this possibility. That's a shame.
| The Following 3 Users Say Thank You to gaelic For This Useful Post: | ||
|
|
2016-02-09
, 17:37
|
|
Community Council |
Posts: 4,920 |
Thanked: 12,867 times |
Joined on May 2012
@ Southerrn Finland
|
#200
|
Originally Posted by gaelic
Just out from interest, if you have device locked how is someone going to access your data?
If I have device encryption an the device is locked normally noone should be able to access mmy data.
Sailfish doesn't even have this possibility. That's a shame.
The most effective way that I know is to open the device and directly access the memory chip. Mind you, it might well be popchip when you canot even get at the die witout etching open the package...
What else, maybe interface to internal serial IO or JTAG? or maybe FBUS? Do you know how to do that?
 |
| Tags |
| dave999scam, sailfish, scamfish, turing, turingphone |
«
Previous Thread
|
Next Thread
»
|
All times are GMT. The time now is 10:58.
one day it's android, next day sailfish. then its google play and next day its not, One day its promised to be shipped next day its not...
Do something for the climate today! Anything!
I don't trust poeple without a Nokia n900...
Last edited by Dave999; 2016-02-06 at 13:45.