Active Topics

 


Page 3 of 7 12 3 45 Last »
Reply
Thread Tools
meanwhile is offline meanwhile
2008-04-14 , 19:11
Posts: 66 | Thanked: 17 times | Joined on Apr 2008
#21
Originally Posted by TA-t3 View Post
A keylogger trojan would just push the data out through the email program. Can't block that in any easy way.

I know Windows firewalls (at least the good ones) can specify not only port, but also application, and say "the browser can go out to port 80, any other app can't". And so on. This isn't easy to do on Linux or Unix. It wouldn't be that useful either, even if iptables could do it, because on Windows it's much more common that every application do their input/output directly, while on *nix you can often just communicate through the daemon or service that usually handles that kind of traffic (e.g. for sending email you almost never try to send data directly on port 25, instead you use the sendmail (or equivalent) program)).

Out of the box there's almost nothing listening to any TCP/IP or UDP port on the NIT, so someone breaking their way into your NIT isn't much of an issue. However, if you install something that happens to be a trojan there's very little you can do to avoid it doing whatever harm it wants. This is such a serious situation that the only thing that helps is "don't do that". On any platform.
What I find interesting but hard to understand here is your "any platform" comment, combined with the statement about Windows firewalls. It isn't really a Nit question, but why do you feel this way?
 
brontide's Avatar
brontide is offline brontide
2008-04-14 , 19:42
Posts: 868 | Thanked: 474 times | Joined on Oct 2007 @ Capital District, NY, USA
#22
Originally Posted by meanwhile View Post
Nokia do seem have to have designed an inherently insecure device, unfitted for most users. If I was them, I'd have firewalled the machine and given it a virtual machine with a sandbox mode, and required special effort and passwords to install apps that bypassed this.
Come back to the real world. Under that theory there are NO secure desktops, laptops, or ATM's sold today.

Imperfect != inherently insecure.
 
tabletrat's Avatar
tabletrat is offline tabletrat
2008-04-14 , 19:49
Posts: 481 | Thanked: 65 times | Joined on Aug 2007 @ Westcountry, UK
#23
Originally Posted by meanwhile View Post
If was a Linux programmer in a low wage economy, with the connections to use credit card numbers and paypal, I'd see the Nit's as a god send. Three months programming would get the machine the decent PIM it lacks; 2000 downloads (the most any Nit app seems to get) might get me 1000 compromised individuals. Say I get $1000 from each, of which I keep $500 - I don't have to work again for the rest of my life.
What a waste of time. Write yourself a free downloadable game on windows. 1,000,000 downloads, of which 90% have some anti-spyware/virus/firewall thing. That gives you 100,000 x your $500.

And the programming would take a lot less time as well.

The NiTs I would put as so far under the radar it wouldn't be worth the overhead of programming for them.
 
mwiktowy is offline mwiktowy
2008-04-14 , 20:43
Posts: 373 | Thanked: 56 times | Joined on Dec 2005 @ Ottawa, ON
#24
Originally Posted by meanwhile View Post
Anyway, *if* the above is true, then my biggest wish for OS2009 is a firewall.
A firewall is not a magic bullet. Even if it is properly configured, it is not the end all of security. It will do very little against random third-party apps that are installed as root that want to do bad things. Your best bet against something like that is SELinux but that is *a lot* of work to do right and it frequently gets in the way of random third-party apps that you might want to run. It also would be a bit heavy on a limited-resource mobile platform.

Likely the most bang for the buck will come from organizing a central repository of software that is simple to submit code to, where the source code is actually audited and the apps are built with a trusted compiler so that your source -> binary -> distribution chain is trusted. For those who want to stay in the protective bubble, they can just have that repo enabled. I think Nokia has come part of the way but is not completely there yet. I am not sure if this goal is even on their radar. All other Linux distros do this is some way so that trojan programs don't slip in and their users have a safe harbour.

For those who are more daring, third party repos abound. There is very little that can be done to secure those who don't care to be. The biggest weakness in computer security is generally between the keyboard (or the touch-screen in this case) and the chair.
 

The Following User Says Thank You to mwiktowy For This Useful Post:
meanwhile is offline meanwhile
2008-04-14 , 21:00
Posts: 66 | Thanked: 17 times | Joined on Apr 2008
#25
Originally Posted by tabletrat View Post
What a waste of time. Write yourself a free downloadable game on windows. 1,000,000 downloads, of which 90% have some anti-spyware/virus/firewall thing. That gives you 100,000 x your $500.
If you can write a game that can generate a million downloads, then you can probably do quite well on adware. 1000-50,000 are more realistic.

Anyway, leaving this aside, you're still wrong: the security tools on decently configured PC's will pickup a naughty application being naughty in the first few days. After which the app will be removed from download sites, before it has time to spread. You might say that the app could wait six months to build decent user numbers before doing naughty things, but a lot of people delete this things every couple of weeks or so.

Which is why the world economy isn't collapsing because of $50M videogame thefts, in case you were wondering. In the real world, investing serious effort in a free game would probably only yield a few hundred successful attacks.

And the programming would take a lot less time as well.
You seem to be implying that maemo tools are poor? I can't comment. (Btw: an Evil Programmer would have few qualms about stealing open source code - I know, it's shocking, but there you are. Criminals have no respect for the law. He/she'd probably start with the GNU apps, fix the alarm functionality, and go on from there.)


The NiTs I would put as so far under the radar it wouldn't be worth the overhead of programming for them.
So you're basing your personal security on Nokia's continued lack of success? I think the strategy will probably work, but as I said, personally I'd find it undignified.
Last edited by meanwhile; 2008-04-14 at 21:07.
 
meanwhile is offline meanwhile
2008-04-14 , 21:06
Posts: 66 | Thanked: 17 times | Joined on Apr 2008
#26
Originally Posted by mwiktowy View Post
A firewall is not a magic bullet. Even if it is properly configured, it is not the end all of security. It will do very little against random third-party apps that are installed as root that want to do bad things.
Based on the posts above, I'm astonished by how potentially ineffective Linux firewalls are, as opposed to Windows ones.

Your best bet against something like that is SELinux but that is *a lot* of work to do right and it frequently gets in the way of random third-party apps that you might want to run. It also would be a bit heavy on a limited-resource mobile platform.

Likely the most bang for the buck will come from organizing a central repository of software that is simple to submit code to, where the source code is actually audited...
Depends what you mean by "audited". I'm unaware of any process that can give a reasonable assurance of security without a lot of expense or donated free eyeball, which probably wouldn't be given.

Sandbox execution, otoh, can make the engineering effort for an attacker very high to impossible: that's the way I'd go. It's what Google are doing with Android, and it seems pretty bloody obvious as a solution.

Edit to add:
Nokia seem to going for a form of sandboxing on Symbian:
http://www.forum.nokia.com/main/plat.../security.html
Last edited by meanwhile; 2008-04-14 at 22:17.
 
Benson's Avatar
Benson is offline Benson
2008-04-14 , 21:35
Posts: 4,930 | Thanked: 2,272 times | Joined on Oct 2007
#27
Originally Posted by meanwhile View Post
Based on the posts above, I'm astonished by how potentially ineffective Linux firewalls are, as opposed to Windows ones.
Sheesh. Running as root; what do you propose to stop a process running as root? Kernel-space or hardware only. And kernel-space is hard, since you can flash the kernel and reboot the device as root. Windows firewalls are not as effective as you might think, when applied to a system with a real security system, but with a crazy nut installing random things. In Windows, many applications can be installed without administrative privileges. (Which is not the way to go; even if trojans can't automatically get root, they can still compromise privacy, destroy data, and use exploits (local exploits, of course) to get root.) A port of Windows firewall would not be any better.
Sandbox execution, otoh, can make the engineering effort for an attacker very high to impossible: that's the way I'd go. It's what Google are doing with Android, and it seems pretty bloody obvious as a solution.
Sandbox execution, otoh, can make doing some things bloody near impossible. It works great for daemons with narrowly defined jobs; it works great for nice little applications. It doesn't work for, say, updating the kernel, or anything else outside the sandboxes. So unless you want to completely close the package management system, or require only Nokia signed OS packages, you're still in the same mess.

The trouble is giving a (clueless) user root, even for the limited purpose of installing packages. There's nothing that can (or should) stop a determined sysadmin from hosing a system, or a careless one from doing it by accident.
 

The Following 2 Users Say Thank You to Benson For This Useful Post:
meanwhile is offline meanwhile
2008-04-14 , 22:46
Posts: 66 | Thanked: 17 times | Joined on Apr 2008
#28
Originally Posted by Benson View Post
Sheesh. Running as root; what do you propose to stop a process running as root?
How about "Only allowing a process to run as root if installed with specific root permission by the user"? It's not rocket science. Very few apps need this.

Kernel-space or hardware only. And kernel-space is hard, since you can flash the kernel and reboot the device as root.
Sorry: the first clause isn't a sentence, so I can't understand what you meant. No criticism: typos happen.

Windows firewalls are not as effective as you might think, when applied to a system with a real security system, but with a crazy nut installing random things.
That's opinion, your argument is..? Anyway, my concern isn't a "crazy nut" but a moderately sensible user who isn't a linux developer, and who wants to install an independent PIM on his Nit.

In Windows, many applications can be installed without administrative privileges. (Which is not the way to go; even if trojans can't automatically get root, they can still compromise privacy, destroy data, and use exploits (local exploits, of course) to get root.)
What this means is that the firewall isn't perfect but that it greatly increases the cost of a successful attack. Perfect would be nice, but in the real world I'll settle for good locks and a decent alarm over nothing, nada, zip or bupkis.

Sandbox execution, otoh, can make doing some things bloody near impossible. It works great for daemons with narrowly defined jobs; it works great for nice little applications. It doesn't work for, say, updating the kernel
That's the point. A sandbox lets me run 99% of apps safely. Conveniently, the 1% it can't handle are those that I expect to get from the platform owner - OS updates.

it won't let me run I can get from a trusted source.
or anything else outside the sandboxes.
No, as I said users could have the option of non-sandbox apps. But with a decent design they would be rarely needed - certainly not for a PIM, a media player (given a decent api), or the other apps most users care about.

So unless you want to completely close the package management system, or require only Nokia signed OS packages, you're still in the same mess.
This is doubly wrong.

Firstly, installing OS's should be an usual procedure that can have all sorts of special warnings and affordances (eg turning off the machine and following a special reboot procedure) to cue the user that he is performing an usual task and get him to read and think about warnings. I doubt many users could be persuaded to load a non Noka OS even without security warnings, but with them - forget it. Not a practical method of attack.

Secondly, ***most potential users would be willing to give non-Nokia OSes to get better security!*** Otoh, I can't count on Nokia for decent apps - not even an ebook reader or a PIM.

The trouble is giving a (clueless) user root, even for the limited purpose of installing packages. There's nothing that can (or should) stop a determined sysadmin from hosing a system, or a careless one from doing it by accident.
This is just irrelevant to how a sandbox model works.

The current security model (ie none) is a fairly good explanation why the Nit hasn't been picked up for vertical applications and other corporate development.

Anyway, I suspect that Nokia will be ditching Maemo/ITOS for Android (which does use a sandboxed virtual machine) if they continue updating firmware after the next release. It's hard to see why they'd carry on with Maemo after this point.
 
tabletrat's Avatar
tabletrat is offline tabletrat
2008-04-14 , 23:20
Posts: 481 | Thanked: 65 times | Joined on Aug 2007 @ Westcountry, UK
#29
Originally Posted by meanwhile View Post
If you can write a game that can generate a million downloads, then you can probably do quite well on adware. 1000-50,000 are more realistic.

Anyway, leaving this aside, you're still wrong: the security tools on decently configured PC's will pickup a naughty application being naughty in the first few days. After which the app will be removed from download sites, before it has time to spread.
The big download sites, maybe. Not all of the download sites. And as I specifically mentioned the non-decently configured PCs, it being picked up is a moot point (actually not a moot point, but what people accept as being a moot point, which is in fact the opposite!).


Originally Posted by meanwhile View Post
You might say that the app could wait six months to build decent user numbers before doing naughty things, but a lot of people delete this things every couple of weeks or so.
indeed they do.

Originally Posted by meanwhile View Post
Which is why the world economy isn't collapsing because of $50M videogame thefts, in case you were wondering. In the real world, investing serious effort in a free game would probably only yield a few hundred successful attacks.
That sounds pretty good to me. Write a few games then, rather than one.

Originally Posted by meanwhile View Post
You seem to be implying that maemo tools are poor? I can't comment.
I don't think I implied that. Maemo tools are linux tools, they are ok. They are not as good as some, but better than they used to be. Just things tend to be harder to write under linux than, say, the pocketPC.
Maemo tools have come on leaps and bounds in the last year from what I can see.

Originally Posted by meanwhile View Post
So you're basing your personal security on Nokia's continued lack of success? I think the strategy will probably work, but as I said, personally I'd find it undignified.
No, I am basing my personal security on the law of probabilities. Compared to using a windows machine on the network I am orders of magnitude safer. Statistically, all the time I am using the nokia, I am not using a PC, therefore my safety is increasing. Note, my views on software firewalls are the same on PCs, they are better than nothing, but they aren't foolproof. They are certainly the first thing switched off by almost all successful viruses.

Its like anything. Yes, I could get blown up in a tube train by terrorists (or in my case in the UK, shot by the police thinking I was a terrorist) but it really isn't worth putting any effort worrying about because I am thousands of times more likely to be hit by a truck driver on the motorway who fell asleep.

When I connect to my bank I have a hardware encrypted password generator, supplied by my bank. They can log every detail of my bank transaction, but without that hardware dongle it won't do any good.

The rest of it? It doesn't work like you seem to think. it works by a low hanging fruit idea. However clever and complicated your scheme making this nokia key logger, your profits will always be dwarfed by those who put their effort into getting people to enter their passwords on your website by offering them money for nothing, claiming to be their bank or a request from ebay/paypal. A large number of people are fairly clueless, and that isn't going to change.
It is much easier, and it works.

I am going to carry on using my nokia without a firewall and I am not going to lose any sleep over it!
 

The Following 2 Users Say Thank You to tabletrat For This Useful Post:
Benson's Avatar
Benson is offline Benson
2008-04-15 , 00:38
Posts: 4,930 | Thanked: 2,272 times | Joined on Oct 2007
#30
Originally Posted by meanwhile View Post
How about "Only allowing a process to run as root if installed with specific root permission by the user"? It's not rocket science. Very few apps need this.
Oh, do Windows firewalls do that? Anyway, yes, you could warn over any packages with SUID/SGID files. A user wants to install an app; a box pops up asking them allow or deny; how do they know that games do not need SUID root, and bail? They (mostly) don't understand that; they do understand that if they click deny, they can't have their game. You wanna bet that they click deny?
Sorry: the first clause isn't a sentence, so I can't understand what you meant. No criticism: typos happen.
No typo; those are categories of possible answers to that semi-rhetorical question. (Semi- because if you have other options, I am interested to hear them; I'm no expert on Windows firewall.)
That's opinion, your argument is..?
My argument is that since they have precisely the same capabilities, they have precisely the same degree of protection; WRT installation of malware by the sysadmin, that would be "none".
Anyway, my concern isn't a "crazy nut" but a moderately sensible user who isn't a linux developer, and who wants to install an independent PIM on his Nit.
How does software tell the difference? When you grant administrative privileges to any moderately sensible user, you grant them to everyone. Single-user machines run by people who don't know better can will get pwnz0red, and there's nothing you can do to stop that.
That's the point. A sandbox lets me run 99% of apps safely. Conveniently, the 1% it can't handle are those that I expect to get from the platform owner - OS updates.
Any clue how many people are running KDE, xrandr, and other cool things? Just guess how many downloads a purported "App Mugger Fix" would get now! Lots of people would indeed download, trust, and run all sorts of things that did need full access, from all kinds of sources. And they'd be safe enough of the time that it would seem safe, until some malware did show up, because there are lots of system enhancements that can be made that would require it.

No, as I said users could have the option of non-sandbox apps. But with a decent design they would be rarely needed - certainly not for a PIM, a media player (given a decent api), or the other apps most users care about.
If they have the option, they will use it. And if they're used to using it ever, they won't even hesitate when some app they want claims to need to "update system libraries", no matter how obvious (to the knowledgable) that it should not.

This is doubly wrong.
Strawmen are triply wrong.

I didn't say new OSes, did I? I did mention the kernel rather than libraries, because it's possible to (at some cost) pack any library dependencies of an app into either an all-in-one sandbox, or an app-specific sandbox. (Major subversions are possible if I can replace shared libraries used by other apps with a modified version, but the latter means you might as well have everything statically linked.) But updating the kernel is not limited to "installing OSes". Xrandr, SDHC support on 770s, high-speed MMC, backlight control, DVB, various USB-OTG related modules... Lots of stuff here that requires root access.
This is just irrelevant to how a sandbox model works.
Precisely; it's not a comment on sandboxes (which are a good idea, used in their place), it's an alternative explanation of why the NITs are not secure (vs. because we don't sandbox our apps, or as you originally suggested, because Linux firewalls are "potentially ineffective, as opposed to Windows ones").

Unless you suggest some sort of signing system or other lockdown for anything outside the sandbox (in which case Nokia can forget working with the F/OSS community to work through to step 5, as per their indicated plan), you still have that problem. Because it's "irrelevant to how a sandbox model works", a sandbox model can't fix it.

The current security model (ie none) is a fairly good explanation why the Nit hasn't been picked up for vertical applications and other corporate development.
The current security model is the same as any UNIX box, which somehow get used anyway. The only difference is the application manager's automatic grant of root access; it's trivial to lock users out of (or remove) App Mugger, and require IT authentication to update software. It's an explanation alright, but it doesn't seem to hold much water when it can be rectified in half an hour. I think anyone who knows enough to see the vulnerability can see the solution.
 

The Following 2 Users Say Thank You to Benson For This Useful Post:
Reply
Page 3 of 7 12 3 45 Last »

« Previous Thread | Next Thread »

 
Forum Jump


All times are GMT. The time now is 18:42.

Contact Us - Home - Archive - Top