Windows Mobile Security Software Fails the Test
boebert_ms writes "Windows Mobile security software is insecure and buggy, according to a report from Airscanner. In a paper posted at msmobiles.com, roughly 20 different Windows Mobile programs (e.g. MS Money, Password Master 3.5, etc) were examined and found to have a wide range of issues from broken protection schemes to poor encryption algorithms, and more. The paper goes into some details about each program and their flaws and also provides some tips on how to protect your data."
Tip #1: Use a Palm OS device.
The theory of relativity doesn't work right in Arkansas.
.... at least it doesn't blue screen like every other Micro$oft OS.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
More details on this shocking discovery at Eleven. ....
perpetually dwelling in the -1 pits
I pretend to know more than I really do by mooching off google and wikipedia.
Sounds like they are application design problems, not platform problems. How is Palm OS any better? I'm seriously interested: is Palm OS immune to these issues?
How is Palm more secure? Are we talking about the platform or the apps which run on it?
It would be interesting to see, along with each application and its security flaw(s), how many users they have. Some of these seem to be rather poor shareware that is probably as bad on a desktop as on a PDA.
Still, an informative article, I've never really considered security at all on a PDA. Since they are nowadays wifi connected and used as password managers and for company email, obviously the concern should be greater.
What'd they do, strip down & re-interface Windows 98?
Wanna fight? Bend over, stick your head up your ass, and fight for air.
Those who actually RTFA will find that most of the complaints have nothing to do with Microsoft or Windows Mobile itself. (The exceptions are MS Money and complaints about the lack of a Task Manager / msconfig / regedit etc.) The issue is that vendors are writing 'security' software (password managers, antivirus) using terrible methods. In analyzing these programs, they found passwords stored as plaintext, some ROT-N encrypted, and other very poor methods of 'securely' storing data. OS security matters, but in this case it wouldn't matter if you were running OpenBSD, assuming you had chosen to (and could) run these programs.
The Linux that runs on phones is the same code that runs on desktops, servers etc. This means that by looking at Linux for servers etc, those paranoid security people have also verified Linux for mobile.
Of course you can still do dumb things with mobile Linux (e.g. running as root) and mobile-specific software can still give some vulnerabilities, but at least you have a half-decent start.
Engineering is the art of compromise.
This article is more or less obvious. A lot of programs for mobile devices aren't designed with security in mind. For some - like the handful of FTP clients listed - the password is insecure anyway, so it doesn't make sense to encrypt it. For many others, like the SSH client on my phone, even if you did encrypt the data, anyone who stole my phone would be able to log in to my account - after all, that's the point of saving the password.
My device is relatively expensive and is a smartphone, so if anyone stole it I'd be far more worried about them receiving the monetary value of my device and unfettered access to my phone account than about my passwords (which I could change from a PC anyway). I have my university account password saved, but I use SSH and encrypted IMAP to access these services so there isn't any significant risk so long as I possess the device.
People who use services like Remote Keyboard that don't ask for a login on the PC should expect that this service is unencrypted and unauthenticated. Similarly, people who use ActiveSync over the network should anticipate that if they haven't just plugged in their device, any password prompt must be spoofed.
I can write a similar article about a "vulnerability" in Facebook: I received 5 e-mails yesterday asking me to confirm account creation. I've had an account for over a year now, so I knew these requests weren't legitimate. Had I clicked on the verification links, I would've surrendered to this attacker my Facebook identity (they'd've had a blank profile under my e-mail address), but I'm smart enough not to. Or perhaps someone can submit an "insecurity" in Firefox, that even with a master password, JavaScript from a plug-in can read my passwords through the DOM once I've accessed a site.
We all know that Microsoft's software is insecure and shouldn't be used. I think the /. editors post these stories to let frustrated network administrators vent.
Does this sig remind you of Agatha Christie?
Seriously, since when has a Microsoft product been safe?
You fail it! Your skill is not enough, see you next time, bye-bye!
OK, if it's the average user we're talking about then this changes things. I don't recall the average user knowing what an msconfig is; some don't even know how the task manager works. Since when did you go help someone at their desk and they said "Well I did an msconfig and a regedit but couldn't find anything bla bla bla"? You don't see this at all. I would classify msconfig, regedit and maybe even task manager under an advanced or intermediate user... and for the record yes there is a way to check startup on WM5, it just takes a little looking around.
So is the average PC user. You say the word registry and they won't know what you are talking about.
I really feel this article confuses the average user with an advanced user.
I also feel that the article is really aiming its fire at the software vendors and not so much Microsoft.
I really feel that this headline is giving a false statement as to what the article is really trying to say. Seems to me that it's the software vendors that are being targeted in this article and not so much Windows. The words "third party" show up much more than Windows does in this article.
The greatest revenge in life is massive success.
This is surprising... not trying to be flamebait, but how about saving space for better stories by posting when (if) MS releases a secure platform. Label this flamebait if you want, but the truth is every "this is the most secure"/"this is the best yet"/"security is our new mantra" release of their OSes always ends up needing tons of patches for security vulnerabilities that are caused by poor coding (how many unpatched buffer overflows can one OS have? Oh wait, many are the same ones or related to them and just poorly patched to begin with)? How many MEGABYTES of patches come out EACH MONTH for an OS that is 5 years old (namely XP)?
So, why is this story newsworthy?
Humor value perhaps to amuse us who expect no less and enjoy when it makes it to print?
While I am not the least bit surprised about a M$ product with massive holes in it, I will also say that no machine/software is completely secure from the moment it is connected to the network. If you want secure, unplug it, lock it in a nuclear waste transport container, and sink it in the Marianas Trench.
Other than this text, there is no discernible information contained in this sig.
"Insecurity is better than NO security!"
Actually, what is pretty cool is that you can be modded +4, Insightful when you clearly haven't read the article (or even the summary, actually).
Hint: the article is not about security vulnerabilities in Windows Mobile, it's about security problems in the apps people run on it, with the apps using poor/no encryption, or leaking data/passwords into the registry, etc. Most of these apps are not written by MS (although the example of MS Money, and its 'pmoney' algorithm is amusing, if a little familiar).
Wow. For once, I actually learned something from a slashdot comments post. I never read that example!
Regardless, the article had more than one example of some shady 'security' schemes... it honestly makes me wonder what else is happening behind the scenes!
My mistake - it was PocketMoney that used the dodgy encryption algorithm based on 'pmoney'. MS Money has its own lame encryption algorithm. There were so many personal finance apps with crap encryption that I mixed them up.
Aside: even though I'm pretty cynical, I was surprised that the programs whose primary purpose is to encrypt/protect your personal data have such utterly lame/easily circumvented encryption methods. I know I shouldn't be surprised, but I was. (I could have sworn there was stuff like blowfish available, or they could even just use the MS Crypto APIs, as mentioned in the article.)
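Added example, not code from the article or from any vendor it reviews: a constructed model of the keyless ROT-N "encryption" the RTFA comment above describes, beside a keyed scheme in which recovering the password actually depends on a master password the user holds. The PBKDF2 derivation and HMAC-SHA256 counter-mode keystream are assumptions standing in for a real cipher (use a vetted AEAD or the platform crypto API in practice).

```python
import hashlib
import hmac
import os

# Constructed model of the ROT-N storage described in the thread: the shift
# is a constant baked into the app, so reversing it needs no secret at all.
def rot_n_store(password, n=13):
    out = []
    for ch in password:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + n) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def rot_n_recover(stored, n=13):
    # Anyone who can read the file and knows the app recovers the password.
    return rot_n_store(stored, 26 - n)

# Keyed alternative (assumed construction, not the article's): derive keys
# from a user-supplied master password, encrypt with an HMAC-based keystream
# (stand-in for a real cipher such as AES-CTR), and attach an HMAC tag so a
# wrong master password or a tampered blob is rejected instead of decoded.
def _keys(master, salt):
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]

def _keystream(key, length):
    blocks = []
    for i in range((length + 31) // 32):
        blocks.append(hmac.new(key, i.to_bytes(4, "big"), "sha256").digest())
    return b"".join(blocks)[:length]

def keyed_store(password, master):
    salt = os.urandom(16)              # fresh salt: fresh keys and keystream per blob
    enc_key, mac_key = _keys(master, salt)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, len(pt))))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()
    return salt + ct + tag

def keyed_recover(blob, master):
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _keys(master, salt)
    expected = hmac.new(mac_key, salt + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None                    # wrong master password or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct)))).decode()
```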
Honestly. Big Fucking Deal.
Life is insecure. You build your own level of insecurity, and deal with it.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
"insecure and buggy"? why is this news? news is supposed to be new
Here I was using unsecured wifi at Hong Kong international, you know the one by the shady young-looking guys milling around with stolen laptops? Anyhoo, I was working on an unprotected pocket excel document which I stored in my Shared files folder containing all the Soc. Security numbers of my company's employees while trying to connect to the bluetooth device of this stewardess I had taken a liking to when I happened upon this article. For shame, Microsoft, for shame.
the mods may say you posted flamebait, but to me it's a flame that warms my heart. rock on, brother! --chebucto
"Each software contains a bug.you can not stop it."
http://www.secgeeks.com/
http://www.coderlance.com/
If I'm a clueless/lazy app developer and write an insecure "password storage" app on Linux and store the passwords in plain text or ROT-N in a public place, I'm a stupid developer and it's not the OS's fault for my insecurity.
:)
If I write the same app on Windows or Windows Mobile, MS sucks.
I'm going to do a whole lot more Windows development so I'm not responsible for my own laziness.
Thanks!
For people who can't code they're quite successful doing it.
I have seen a few people use their stuff (and being quite happy with it).
They must do something right, and more than marketing, looking at all the repeat orders (and happy users actually).
What I never really understood is why 802.1X connections on Windows Mobile 5 claim to require a client certificate. PEAP works fine without, and on XP the supplicant doesn't complain at all. WTF? If anyone knows how to convince the thing to do PEAP without client certs, I'd be happy!
Continuous positive slashdot karma since... uh, maybe next year.
Recently, at work, I have had to switch from PalmOS to PocketPC.
From my experience, pocketpc just sucks. It is overloaded with useless features, it's slow and buggy, it's more complicated and less intuitive to use, and - of course - has the typical msft arm-twisting to buy msft only products.
Small wonder msft is the 4th most popular mobile device OS.
- I had no trouble syncing my palmos with linux, I don't think I can do that with pocketpc
- with HotSync, you just put the PDA in a cradle, hit the button and you're done. With ActiveSync you get out your stylus and choose to export the data first. By default, ActiveSync does not sync, only connects. To sync you tinker with the ActiveSync settings - if the options are not mysteriously greyed out. I think ActiveSync may be set to work with only one PC.
- When my batteries ran out on my pocketpc, I lost my apps, and had to re-install, and re-register. This did not happen with my palmos device.
- Palm is happy to provide you with Palm's PIM software for your PC. Msft expects you to buy Outlook.
Bottom line: I far prefer PalmOS's simple system, that just works.
Airscanner seems to me to be a company that is willing to mislead users on very sensitive matters. Take, for example, their volume encryption tool, Encrypter, that doesn't actually work like every other volume encryption tool, encrypting and decrypting on the fly, but rather decrypts all data from a volume onto the storage device when you mount it and leaves all of that data unencrypted until the volume is mounted again. If, for example, you dropped your phone/PDA that had a mounted volume and the thing broke and you sent it in for repair, all of the data of your mounted volume would be unencrypted for the service people to see. Or if your battery died while the volume was mounted, once again, all data would remain in unencrypted form. Compare this to using loop-aes or dm-crypt/LUKS with a mounted volume, or PGP Disk.
http://forums.pocketpcfaq.com/viewtopic.php?t=17571
I believe in such sensitive matters as data encryption/privacy/security that if one is doing something outside the norm that is detrimental to the user and their intentions with the software, then it is the responsibility of the vendor/producer to make people aware of it. To mislead by omission on a matter such as this is, in my opinion, akin to flat out lying.
If it was the case that the Airscanner people actually weren't smart enough to realize the problems with their Encrypter software before it was pointed out to them recently, then that would be even less reason to trust anything that comes out of their mouths. As it stands, I have to assume that they knew the shortcomings of their software that could jeopardize users who took for granted that the software would work as expected but decided not to make that information obvious because it would hurt sales.
Given the fact that Airscanner may be doing more to jeopardize the average user who uses their Encrypter product and therefore thinks their data is secure in cases where it is not, I am more inclined to say shame on you, Airscanner, for profiting off of deception. Honestly, I can't help but think the post I'm replying to is an advertisement by someone connected with Airscanner rather than a truthful statement from an average user. However, I do appreciate them picking apart the competition. Too bad they didn't include a section on their own software in the article. Their excuse would probably be similar to the responses from the vendors they queried: It's that way by design, so it's not a problem.
Really, nobody says it better than Seth Fogie, the author of TFA, himself. From TFA:
Palm's "inability" to multi-task is vastly overstated. On my 650, I can switch applications and not lose network or telephone connectivity. In fact, I regularly copy things to and from memos from the Blazer browser, and the connection is always still active when I switch back. Of course, Blazer is coded so that it always does a page load on startup (configurable to your home page or the last page visited) which isn't really bandwidth friendly.
The main issue with multitasking revolves around Palm's stated programming guidelines, which instruct developers to save their application's state when the launcher (or another application) is called. I've carefully read the SDK (back when I was writing Palm software for a previous employer as a sideline to my main job) and I don't see any reason that an SSH application couldn't keep its connection even during an application switch. The network stack doesn't appear to require a change in connection state during application exit.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
I have heard of Symbian viruses that spread via unsecured Bluetooth but feel free to keep bashing Microsoft's OS...
Something people should realise: aside from some visual similarities and interoperability between MS Office and Windows Mobile, the OS has little in common with desktop Windows.
From TFA:
"The reason for this is because it is our belief that Windows Mobile platform creates an environment conducive to poorly designed security software"
Sounds to me like they're blaming the OS as much as the app.
This is about the software. The fact that they don't even look at Palm's software products makes me think the publisher of the article has an axe to grind.
Here's a hint, if I write an email program for you and store your password in plaintext, there's *NOTHING* Windows can do to stop me.
The fact of the matter is that sadly, a huge amount of software has security flaws in it, which is why most of us real developers aren't so quick to whip out the "MS is the only software company that makes insecure software" card at the drop of a hat.
And the only reasoning they give to back that up is really rather nebulous, and can be paraphrased as "you can't run task manager or regedit on Windows Mobile machines easily".
Do they really think any significant number of Windows users run those programs, or that if they were available on Windows Mobile, that they would run them on that platform?
To be honest, I've seen horse-shit that had less horse-shit in it. If your OS being secure requires users to run regedit/taskman type programs on a regular basis to see 'what's going on', then you've already lost anyway.
The rest of the article seems fair though.
I was told by an inside source that the Microsoft programmers are a very unhappy bunch of people and unhappy programmers write unhappy code. Programmers that are happy in their work take the time to write complete and elegant code.
Elegant code??????
Elegant code != good code. At least not in the real world.
Elegant code works well in academia, not if money is being made...
I actually know a few happy coders at MS which are quite happy, I guess that's like in any big company, there are happy and unhappy people around.