Active Topics

 


Reply
Thread Tools
peterleinchen's Avatar
Posts: 4,118 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#21
Not exactly but almost.

A must-have-fartapp claiming it needs only access to the 'noise system' may get all the access it wants with that exploit.
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!

Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257

editsignature, http://talk.maemo.org/profile.php?do=editsignature
 

The Following 4 Users Say Thank You to peterleinchen For This Useful Post:
javispedro's Avatar
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#22
Originally Posted by juiceme View Post
However you cannot (at least not easily) incorporate rootkit-like functionality into an application submitted to the Jolla Harbour as the needed library interfaces are not permitted in applications
No, and 1000 times no. The "library whitelist" in the Jolla Store basically exists out of some (in my opinion, as discussed almost two years ago, misguided) concern about binary compatibility with future SailfishOS versions.

It does absolutely nothing regarding security.

I mean, just look at what most people do to escape the library whitelist: statically link to whatever library they feel like.



Security in Sailfish basically comes to the separation between 3 users: root, privileged, and nemo.
- Root is "I just bricked your device by accident" level
- Privileged is "I can email your address book to china" level.
- Nemo is "I can convert your phone into a major spam-sending operations center, break havoc in all your other running applications, including reading their data (since you can ptrace them), but at least you may not be able to easily read the stock sailfish contacts database, and hopefully not brick the device".

Curiously enough it seems that all of this was done more to satisfy Exchange requirements than for security/privacy reasons.

Applications in the store are limited to the "nemo" level mostly because install scripts are forbidden (thus you cannot run stuff as root during install time, and therefore you cannot set the setuid bit on files).

This protection is not extended to random .rpm files. Those immediately get to the "root" level already during install time.

I have no idea how much sandboxing is done in AlienDalvik (it is proprietary) but my wild guess is also "none".
 

The Following 11 Users Say Thank You to javispedro For This Useful Post:
javispedro's Avatar
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#23
Originally Posted by pichlo View Post
I know that especially Linux users like to think in terms of root vs non-root and yes, root can cause a damage to the system, but the days when the system was the part worth protecting are gone by at least two decades. Wake up to the 21st century, people. The system is replaceable. The bits that need protecting are your user data. Those do not need a root access to be compromised.
Sorry but also wrong.


There's still a _huge_ difference between "oh, perhaps this thing deleted all my documents" and "oh, perhaps this thing deleted all my documents, corrupted my word processor so as to silently capture all my future keystrokes and insert random typos and/or menacing insults, backdoor every other program, insert a non-removable piece of itself on my firmware, which will corrupt every future backup disk I insert on my computer while trying to restore my documents (worse: do it silently), propagate itself through my cloud backup systems (if I have any) to my other computers, corrupt any type of version history-like backup system (e.g. time machine) that would have allowed me to undo the actions of the malware, etc. etc. long etc.".

Things have not changed that much in the 21st century. Not in this area. It is one thing when malware/an accident can destroy your documents. It is another thing when malware/an accident can destroy your documents, anyone else's, and the operator's backups.

Last edited by javispedro; 2016-08-09 at 18:24.
 

The Following 9 Users Say Thank You to javispedro For This Useful Post:
Dave999's Avatar
Posts: 7,075 | Thanked: 9,073 times | Joined on Oct 2009 @ Moon! It's not the East or the West side... it's the Dark Side
#24
So much wrong here...

Can we do anything to to protect device other than not using jolla or android?
__________________
Do something for the climate today! Anything!

I don't trust poeple without a Nokia n900...
 
Community Council | Posts: 4,920 | Thanked: 12,867 times | Joined on May 2012 @ Southerrn Finland
#25
Originally Posted by Dave999 View Post
So much wrong here...

Can we do anything to to protect device other than not using jolla or android?
How is this related to "not using jolla or android"?
Or to any other system, maybe "not using iOS" also?

There is a simple rule that you should follow. Really simple, and it works perfectly; Just-Do-Not-Install-Crap-On-Your-Device.
 

The Following 6 Users Say Thank You to juiceme For This Useful Post:
Dave999's Avatar
Posts: 7,075 | Thanked: 9,073 times | Joined on Oct 2009 @ Moon! It's not the East or the West side... it's the Dark Side
#26
Originally Posted by juiceme View Post
How is this related to "not using jolla or android"?
Or to any other system, maybe "not using iOS" also?

There is a simple rule that you should follow. Really simple, and it works perfectly; Just-Do-Not-Install-Crap-On-Your-Device.
Yes. We need a crapless device!
__________________
Do something for the climate today! Anything!

I don't trust poeple without a Nokia n900...
 
Posts: 1,548 | Thanked: 7,510 times | Joined on Apr 2010 @ Czech Republic
#27
Originally Posted by javispedro View Post
No, and 1000 times no. The "library whitelist" in the Jolla Store basically exists out of some (in my opinion, as discussed almost two years ago, misguided) concern about binary compatibility with future SailfishOS versions.

It does absolutely nothing regarding security.

I mean, just look at what most people do to escape the library whitelist: statically link to whatever library they feel like.
Yeah - it basically comes down to accepting random binaries from random people, which is really not a good idea unless you have a very good sandboxing.

And good sandboxing that does not reduce all applications to toys due to blocking critical functionality is hard...

That's why most "normal" Linux distros accept software to their repositories in a source form only & require it to built on the distro managed infrastructure. While this is also not foolproof (you would have to read & audit the complete source code of all the software you accept to be 100% sure), it's still much better than accepting random binaries.

Originally Posted by javispedro View Post
I have no idea how much sandboxing is done in AlienDalvik (it is proprietary) but my wild guess is also "none".
I would kinda assume it at least does the standard Android sandboxing (running apps separately, each, under it's own user, etc.). On the other hand it is indeed proprietary, so all bets are off - they might as well have left it out to make the emulation easier/faster etc. And we have no way (well, no easy way) of checking for that.
__________________
modRana: a flexible GPS navigation system
Mieru: a flexible manga and comic book reader
Universal Components - a solution for native looking yet component set independent QML appliactions (QtQuick Controls 2 & Silica supported as backends)
 

The Following 7 Users Say Thank You to MartinK For This Useful Post:
ibrakalifa's Avatar
Posts: 1,583 | Thanked: 1,203 times | Joined on Dec 2011 @ Everywhere
#28
use N3315 and your data safe, your contacts safe, win win solution.
__________________
~$
~#
 
Guest | Posts: n/a | Thanked: 0 times | Joined on
#29
I've halfway been expecting chipset exploits for quite a while. Exciting times we live in...
 

The Following 3 Users Say Thank You to For This Useful Post:
humble's Avatar
Posts: 355 | Thanked: 395 times | Joined on Dec 2009 @ USA
#30
not a big issue... you can patch all the vulnerabilities... there's an app that let's you kno if your kernel is vulnerable http://blog.checkpoint.com/2016/08/07/quadrooter/ for android... same link from first post.

next... only owners with ancient OS"s will be really effected... too bad.
__________________
Would you like to Donate?

My"Current Project(s)":
[Resurrecting] DON
 

The Following 2 Users Say Thank You to humble For This Useful Post:
Reply


 
Forum Jump


All times are GMT. The time now is 05:41.