Slashdot Mirror


Ten Dangerous Beliefs About Smart Phones

jcatcw writes "According to Computerworld, lots of assumptions about the security of smart phones are wrong, and any high-value targets, such as political candidates or organizations with valuable data, should treat them carefully. They are not, contrary to common beliefs, just phones with cool features: 'A phone call over a landline used to be an acceptable method for communicating out-of-band administrative information. For example, a system administrator might call you back at your desk to verbally give you a new password (which you then changed, right?). This worked because the desk phone was isolated from the network and system resources to which you were being given access. Not so anymore. If you lose your smart phone and IT calls you back on that mobile number to confirm the trouble ticket, is it a meaningful method of verifying the identity or location of the person who answers?'"

49 comments

  1. Duh by voice_of_all_reason · · Score: 1, Offtopic

    They share the same curse as the "Smart Bomb." Given that thing's track record, this was obviously a poorly-chosen adjective.

  2. Re:Assumptions, not beliefs by KDR_11k · · Score: 0, Offtopic

    Don't spam links to a poll, if you want a poll contact the editors about using the Slashdot poll space.

    --
    Justice is the sheep getting arrested while an impartial judge declares the vote void.
  3. It's all about secure communication... by Atlantis-Rising · · Score: 2, Insightful

    It's a basic security problem that always comes up in encryption. You need a backchannel to communicate- a secure channel that doesn't use the same lines (data, systems, whatever) as the information it's trying to protect.

    What are the same solutions? Physical security, for one thing. Access verification. Identity analysis.

    It's certainly not that new a problem.

    --
    "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    1. Re:It's all about secure communication... by CrazyTalk · · Score: 3, Insightful

      what about post-it attached to underside of keyboard? That same security system (spare key left under doormat) had been in use for generations.

    2. Re:It's all about secure communication... by Atlantis-Rising · · Score: 2, Insightful

      It's physically secured- presumably access to the building, floor, room, is secured separately. In either case, the two (key under doormat and post-it under keyboard) are not really comparable.

      The reason being that the post-it grants access to the virtual system, while the physical system is separately secured- the key grants access to the physical system and is a physical thing.

      In either case, the secure 'communication' there would be someone from IT walking down and handing you the post-it- hence, a backchannel.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    3. Re:It's all about secure communication... by kimvette · · Score: 1

      Why not just use two devices:
        - phone with bluetooth
        - iPaq hx2795

      Enable biometric security and encryption, then you can rest assured it is either the authorised individual accessing data, or someone cut that person's finger off and used it to authenticate.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  4. No by gravyface · · Score: 1

    there's no problem. IT helpdesk would have to call you back in the first place for there to be any concern.

    --
    body massage!
  5. The First Church of Smartphones by Anonymous Coward · · Score: 0

    When did smartphones become a religion? "Dangerous Beliefs"?! Could have been labeled better... like misconceptions... something - anything - somebody help me

    1. Re:The First Church of Smartphones by hal2814 · · Score: 1

      "When did smartphones become a religion?" Well I didn't expect the Spanish Inquisition.

    2. Re:The First Church of Smartphones by Rob+the+Bold · · Score: 5, Funny

      Well I didn't expect the Spanish Inquisition..

      Nobody expects the Spanish Inquisition!

      --
      I am not a crackpot.
    3. Re:The First Church of Smartphones by Ilgaz · · Score: 1

      When did smartphones become a religion? "Dangerous Beliefs"?! Could have been labeled better... like misconceptions... something - anything - somebody help me

      If people are sure that a team of tag abusers will sure add "FUD" to the story, it is a religion.
    4. Re:The First Church of Smartphones by Anonymous Coward · · Score: 0

      Our main weapon is fear, fear and uncertainty-- Our TWO weapons are fear, and uncertainty, and doubt-- I'll come back in again.

    5. Re:The First Church of Smartphones by Anonymous Coward · · Score: 0

      So, if I say, "I believe I'll have the tuna salad," you'd claim tuna salad was a religion?

      Please, just because I believe something, doesn't mean it's a religion.

  6. Assumption #11 by the_tsi · · Score: 1

    There's no ads on smart phones. ...Unless of course you go to ComputerWorld's site and try to read an article. I'm not sure what #5-10 were, because all the blinking and flashing and click-through ads destroyed any sense of conveying actual useful information.

    1. Re:Assumption #11 by drinkypoo · · Score: 1

      I'm not sure what #5-10 were, because all the blinking and flashing and click-through ads destroyed any sense of conveying actual useful information.

      I'm not sure what blinking and flashing you're talking about, because I use Adblock Plus with the Filterset.G updater.

      don't get mad, get adblock.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Re:Assumptions, not beliefs by Anonymous Coward · · Score: 0

    Please mod the parent down. This is the third story I've looked at today with this type of spam, the second where it's a first post! The poster is most likely benefitting from the adverts on impoll.net, but we all have to suffer his spam.
    Any Slashdotter worth their salt knows the flaws with surveys anyway, so posting surveys makes you look rather foolish.

  8. Yawn. by Odiumjunkie · · Score: 4, Insightful

    • services enabled by default are a security risk
    • security holes can be used by third parties to execute malicious code on your machine
    • sending sensitive information in cleartext over the internet is a bad idea
    • data sent wirelessly can be intercepted and often reconstructed
    • cracked encryption standards don't provide real privacy
    • remote data storage is a potential privacy risk
    • "deleted" data can be recovered, in some form and to some level of completeness, from many types of storage media
    • hackers are clever

    All things any moderately-savvy computer user should be entirely familiar with.
    1. Re:Yawn. by truthsearch · · Score: 1

      But these phones are supposedly smart! We shouldn't have to think about them. The phone should!

      Thinking is for suckers. Let's just let the smart phones do it.

    2. Re:Yawn. by drinkypoo · · Score: 2, Insightful

      I realize you were probably kidding, but frankly, I could not agree more with this sentiment! If I wanted to think about my cellphone, I'd be looking for an open platform, I'd want to tweak the OS, I might even want to roll my own distribution. I don't! I want a device, that does some shit, and works. And of course, I want it to be secure, but I may not even think about that. I know that GSM has encryption so I don't even think about it! (Although yes, it's been broken... But no one with just a scanner will be listening in, which for MY purposes is good enough.) But the point is, the consumer wants to simply purchase an appliance that works and does the things it should do. They should not have to think about this kind of thing. Period.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Yawn. by rtb61 · · Score: 1

      Smart phones, for when the sneaker net just becomes so much easier and far more secure and as a bonus comes free with a friendly smile ;).

      --
      Chaos - everything, everywhere, everywhen
  9. Unsubstantiated fearmongering by Zarhan · · Score: 5, Insightful

    The point in the summary is number 6 in the article. Anyway, this is just bollocks.

    You authenticated yourself to the phone on your desk with building and room access-controls.

    You authenticate yourself to your cellphone with a PIN code.

    I don't know what's the thing about "smart" phones - the argument in the article works with any normal phone. Anyway, you still authenticate yourself to the phone. Oh, someone is coming in with a leadpipe and steals the phone from you? Well, if someone wants your precious off-band password that bad they'd probably force you to log into the system anyway. Otherwise, if it's just some street junkie running off, you'll have plenty of time to call the operator and tell them about the theft.

    Sometimes the phone may even request additional PIN numbers when going for more sensitive areas. My company uses the mobile phone as an off-band authentication token for signing in to VPN - when you connect, your phone beeps at the same time and asks you to type in a (different) PIN number. No more carrying around that SecurID key. (And no, this doesn't require anything special, it's a service on the SIM card).

    Other arguments are also dubious at best:

    3. Communications are encrypted from end to end.

    BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end," but e-mail and other communications are encrypted only from the phone to the phone company or service provider's servers.


    So who has configured your e-mail client not to use SSL? If you are using webmail, it's encrypted. If you are using IMAP, Pop3, or SyncML, those have encryption options as well.

    And bloody well you can also use VPN (yes, latest Nokia E-series phones are quite compatible with Cisco VPN concentrators).

    As for their server security...well, WHO IN THEIR BRIGHT MIND would store corporate or state secrets on a Hotmail account?

    9. Spying on my smart phone is hard.

    Think spying on your activities is hard? Think again. Most smart phones have no equivalent of Bluetooth authentication when plugged in -- they just become slave USB devices and give up all of your data.

    Oh phleeze. What do USB and Bluetooth have to do with each other anyway? In any case, yes, there were phones in the past that didn't include any sort of Bluetooth authentication (such as Nokia 6310i), but that is hardly the case now.

    Of all the fearmongering, this is the only even remotely valid argument (with physical access you can of course do almost anything, as with any device, so the USB point is valid), and using a Pointsec or some other file-system encryption in your phone is a good idea.

    All the other stuff mostly concerns stuff about any backend systems where your precious e-mails are stored. Has nothing to do with the phone. If Hotmail leaks my e-mails, it's Hotmail's fault. If I access Hotmail with my phone, it doesn't magically become the phone's fault.

    1. Re:Unsubstantiated fearmongering by Anonymous Coward · · Score: 0

      If you are using IMAP, Pop3, or SyncML, those have encryption options as well.

      To ISPs, "Option" means more monkeys in the support call center, so they don't do it.

    2. Re:Unsubstantiated fearmongering by jrumney · · Score: 1

      Think spying on your activities is hard? Think again. Most smart phones have no equivalent of Bluetooth authentication when plugged in -- they just become slave USB devices and give up all of your data.

      Oh phleeze. What do USB and Bluetooth have to do with each other anyway? In any case, yes, there were phones in the past that didn't include any sort of Bluetooth authentication (such as Nokia 6310i), but that is hardly the case now.

      I think what the GP is trying to say is that when you plug it in via USB, you don't have to authenticate the connection, like you do with bluetooth. But at least with Windows Mobile, you do have to enter the phone's PIN before you can access it, so this is more a problem for non-smart mobile phones in my experience.

    3. Re:Unsubstantiated fearmongering by morgan_greywolf · · Score: 1

      I agree with your post for the most part, but I think you've missed something. Point 2 is also good. There are a lot of people who think purpose-built devices are more stable and secure. Some of those people even work in IT.

      I was told at one job that I had to replace my Linux PC-based firewall with a 'purpose-built device' like a Cisco ASA because the Linux-based PC was somehow less secure and stable. Like the Cisco ASA, 'smart phones' usually have some more or less general-purpose OS at their core, along with complex applications.

      These are computer systems like any other, and thus require a skilled administrator to configure them in a secure fashion. Don't assume because some device is 'purpose-built' that it isn't hackable.

    4. Re:Unsubstantiated fearmongering by Fred+Ferrigno · · Score: 1

      These are computer systems like any other, and thus require a skilled administrator to configure them in a secure fashion. Don't assume because some device is 'purpose-built' that it isn't hackable.

      That's actually Cisco's position as well. They provide an expensive and Cisco-specific method of demonstrating that you are a skilled administrator. So from management's point of view, Cisco ASA + CCXX is more secure than Linux + Random Slashdotter.
    5. Re:Unsubstantiated fearmongering by morgan_greywolf · · Score: 1

      But I am a CCIE!

    6. Re:Unsubstantiated fearmongering by Zarhan · · Score: 1

      I have only completed the written test - going for lab exam this July (they sure don't have too many open slots...).

      And I still prefer OpenBSD pf over PIX or IOS inspect features. And so far the training material has failed to convert me (granted, routing&switching exam's security features are mostly limited to reflexive access-lists...)

  10. Re:Assumptions, not beliefs by WinterSolstice · · Score: 4, Insightful

    One answer - know what matters. Then make your own judgements. Am I talking about buying milk on the way home, or missile launch codes?

    http://www.military-information-technology.com/article.cfm?DocID=36

    --
    An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
  11. Re:Assumptions, not beliefs by Spazntwich · · Score: 1

    Ah yes, BarrettAnderson, my old foe. I thought you might be behind these spammed poll links.

  12. Inaccuracy by efence · · Score: 1

    TFA:

    Now most converged devices run commodity operating systems, such as Sony Ericsson's Symbian OS

    Symbian is owned 47% by Nokia and only 13% by Sony Ericsson. It is not "Sony Ericsson's OS".
    1. Re:Inaccuracy by Anonymous Coward · · Score: 0

      Yah, you're right. Symbian UIQ is wholly-owned by SE now, not all of Symbian. I'll go fix that.

  13. That's why... by Billosaur · · Score: 1

    ...you have policies in place to prevent the transmission of sensitive material through easily corrupted/tapped systems. For example, where I work, passwords cannot be transmitted via email, IM, or text message. If I need a password for something, I have to write it down on paper, then destroy the paper. Of course you can stick the paper in your pocket, but without any other identifying information, it wouldn't do someone a lot of good.

    --
    GetOuttaMySpace - The Anti-Social Network
  14. Some security is user's responsibility by 192939495969798999 · · Score: 2, Insightful

    This is like assuming that because A called B and asked for their social security number, that social security numbers are insecure. You still are your own best line of defense against security breaches. Just because you get a call on your deskline doesn't mean it really is I.T. calling back for your password, for example.

    Furthermore, if a smartphone is too great a security risk, then choose a different option... I don't understand why people insist on using the latest "security-unknown-or-not-good" device(s) when perfectly good methods of "understood-amount-of-risk" security already exist.

    --
    stuff |
    1. Re:Some security is user's responsibility by Rob+T+Firefly · · Score: 2, Insightful

      I don't understand why people insist on using the latest "security-unknown-or-not-good" device(s) when perfectly good methods of "understood-amount-of-risk" security already exist.

      Because the first round of early adopters of the latest bleeding-edge devices are typically the overpaid executives eager to blow the cash on the latest status symbol gadget to prove how advanced and important they are, while the educated nerds will continue using the old perfectly good methods for vital things while waiting for said early adopters to get zapped by the first wave of major bugs. Only after the cannon fodder has done its job will most nerds depend on said gadget for anything important.
    2. Re:Some security is user's responsibility by Anonymous Coward · · Score: 0

      Social security numbers are insecure.

  15. Article on one page, not 5! by internewt · · Score: 1

    Here's the printable, all on one page version of the article:
    http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9014118

    --
    Car analogies break down.
  16. This is news for NERDS? by Anonymous Coward · · Score: 0

    You mean there is a single nerd alive that didn't know every single thing in TFA? Jees, even the crackwhores use code when they call their crack dealers! And how many crackwhores do you know that are nerds?

    Besides Zonk and CowboyNeal, I mean?

  17. Nokia... by Anonymous Coward · · Score: 0

    I was looking into secure communications equipment and found that Nokia offered some encrypted cell phones. You had to link them to the same key by hand. They were a bit pricey, and honestly they probably have some deal with a government or three to let them decrypt the conversations. So for some potential clients they are useless.

    But really, this argument seems to be silly for anyone seriously considering secure communications, as it is already known. And anyone not, it will just mildly scare.

    For one potential client, I only met in person, and we drove someplace new each time we had to discuss certain aspects of the information he wanted secured. Ultimately, I told him that his mind and paper-based notes system was the safest thing he could really do, especially since he had a fireplace. I lost a pretty lucrative job, but gained many, many, referrals, as you often do when you end up telling someone not to hire you.

  18. Fortunately some are taking this seriously by Anonymous Coward · · Score: 1, Informative

    To anyone involved with security and operating systems, this is like a big "duh!". Fortunately, some people who are experts in this area are taking this problem seriously.

    First, you start with the library which talks to the Telecommunications chip. And you make absolutely certain that security is the top priority (ala OpenBSD):
                http://libgsmc.sourceforge.net/

    Second, you add a completely Open Source effort, for both the hardware and the software.
                http://hbmobile.org/

    Experience and history has shown that there's no other solution for secure solutions.

    Now there are other Open Source efforts out there, most notably OpenMoko and TrollTech's Green Phone. But neither of these efforts have impressed me as taking security seriously. They certainly haven't said as much. They are both doing an otherwise excellent job, but I do wish they'd change their attitude here.

  19. Smart Phones are Dangerous by Anonymous Coward · · Score: 0

    The FBI and other U.S. agencies have used cellphones to spy on people. They can turn on the microphone and transmitter of a cell phone even if the phone is turned off. They have been caught red-handed doing this to U.S. citizens.

    With smart phones, they can even turn on the camera and watch you if you placed your cell phone on your desk. Imagine making love with your spouse or significant other while some pervert in the FBI watches through your cell phone camera without your knowledge or consent. Welcome to the new America.

    This won't stop until some hacker uses this same subversive technology to catch senators and presidents doing naughty things. Then a law will be passed to make such covert technologies illegal in consumer goods.

  20. Desk Phone by ray-auch · · Score: 1

    This worked because the desk phone was isolated from the network and system resources to which you were being given access

    Sounds like someone missed the digital PBX, VOIP, convergence etc. - in short almost a decade of telecoms change. Whoever wrote that probably thinks callerID is reliable as well.

    For at least the last 7 years _all_ the desk phones I've had at various jobs have been digital (and most have been VOIP). The desk phone system is _not_ isolated from the rest of the network, or in any way reliable for security / location ID purposes.

  21. Article just plain wrong by Curmudgeonlyoldbloke · · Score: 1

    BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end," but e-mail and other communications are encrypted only from the phone to the phone company or service provider's servers. Beyond that point, e-mail, instant messages and file transfers may be transmitted unencrypted over the public Internet by default.

    I neither know nor care about the Sidekick, but in the Blackberry case "end to end" means between the device and the BES server on the customer's site. Whilst it would be possible to allow web browsing directly from the device, in most cases companies configure them to go via the server, subject to the usual restrictions. It's also possible (but optional) to allow random dodgy downloads to the device, but citing that as a security problem would be like saying that there is a security problem with my car because I parked it in the centre of town with the keys in the ignition and it got nicked.

    With Windows Mobile you're essentially dealing with an SSL or VPN connection from the device to the company server. There are security issues to consider, but being "transmitted unencrypted over the public Internet by default" isn't one of them.

    The choice of installable applications ought to be from a whitelist -- or no list. It is, depending on the service and devices that a company rolls out. From my experience many if not most large companies do enforce restrictions like this.

    There's a serious article to be written somewhere asking why companies should make security a higher priority BEFORE something goes wrong, and why they don't use what security measures are available, or allow secure communications to take place over devices (e.g. employee-owned ones) that they have no control over, but this isn't it.

  22. Ten REALLY dangerous beliefs about smart phones by Anonymous Coward · · Score: 0

    1. Naomi Campbell is mostly harmless (actually this should be #42)

    2. The best way to charge a smart phone is to stick your finger in a light socket while talking on it

    3. Your phone will protect you from lightning storms (actually, this misconception stems from some golfers not knowing the difference between a smart phone and a one iron, which WILL protect you from lightning strikes; not even God can hit a one iron)

    4. If you call your bookie on a smart phone you don't have to pay him

    5. Smart phones protect you from auto accidents (this is probably the most widely believed misconception, as evidenced by how SUV drivers drive when talking on one)

    6. Why did you resign?

    7. Your smart phone will work when your city is underwater due to a hurricane and you're stuck in your attic

    8. If you call your wife from a bar with a smart phone, she won't know you're in a bar

    9. Cowboy Neal

    10. A smart phone makes a good crack pipe (as evidenced by how SUV drivers park)

  23. Re:Assumptions, not beliefs by Anonymous Coward · · Score: 0

    doesn't look like he's benefitting from them.

    I personally thought it was an insightful comment, except for the poll part, but everyone has random parts of their comments that aren't necessarily insightful, but that doesn't make the rest of the comment suck.

  24. Roving wire taps by pjhurst · · Score: 1

    A possible abuse that hasn't been mentioned, or I have just missed it, is the ability to use any cell phone as a microphone and as a method of locating you. The FBI in a mafia case used roving wire taps without the cell phone owner's permission to listen to mafia members that just happened to be in the area of the mafia members. The potential for abuse is extremely disturbing to me.