Slashdot Mirror


Marlinspike's Droid Firewall Kills Tracking

mask.of.sanity writes "The first dynamic Android firewall, dubbed WhisperMonitor, has been released by respected security researcher Moxie Marlinspike. The firewall will allow users to stop location-tracking apps and restrict connection attempts by applications. Marlinspike, whose company created the application, designed WhisperMonitor in response to the incidence of location tracking and malware on Android platforms. It monitors all outbound connection attempts by applications and the operating system, and asks users to permit or block any URLs and port numbers that are accessed."

164 comments

  1. This firewall monitor non internet activities? by countertrolling · · Score: 2

    Like the phone itself? The applications aren't the only thing sending out the data..

    --
    For justice, we must go to Don Corleone
    1. Re:This firewall monitor non internet activities? by sherpajohn · · Score: 4, Interesting

      What do you mean "the phone itself"? What else is sending out information but applications? Little elves hiding in the keypad? Sorry, I don't understand what you mean... an Android phone is a device running the Android OS - I would expect everything to be an application, even the part that connects to your mobile provider. Maybe I am looking at it the wrong way.

      --

      Going on means going far
      Going far means returning
    2. Re:This firewall monitor non internet activities? by Anonymous Coward · · Score: 0

      I think the op meant can the firewall monitor the kernel for access to the internet/phone network or are there secret hooks that defeat complete monitoring of incoming and outgoing info

    3. Re:This firewall monitor non internet activities? by Anonymous Coward · · Score: 0

      I don't know anything about the architecture so I can't say anything for sure but, in old cellphones, the "applications" were usually running in a J2ME VM, where everything else was simply part of the firmware. Until now, most cellphones didn't have a concept of "OS" the way we understand it on PCs.

      With iOS-based, Android-based and winCE-based cellphones (WP7 is winCE still) becoming common, it might now be true that most functions in the cellphone are applications not much different than the ones you can acquire in the respective stores.

      But since mobile providers are usually so paranoid, it wouldn't surprise me if the concept of having the calling system be just an application was too hard for them to grasp, and the respective OS developers actually implemented most of it in the more obscure parts of the OS kernel.

    4. Re:This firewall monitor non internet activities? by sherpajohn · · Score: 1

      These same folks have an SMS encrypter and yes, a call scrambler application, the latter does not even require an unlocked phone, though WhisperCore and WhisperMonitor (which is part of the former I think), require you unlock and replace the Android on your phone with their custom kernel. Interesting that they can scramble calls outside the kernel or firmware.

      --

      Going on means going far
      Going far means returning
    5. Re:This firewall monitor non internet activities? by cynyr · · Score: 1

      Have a gander at the android source if you want to know, or at the source for Cyanogenmod if that is what you are using.

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    6. Re:This firewall monitor non internet activities? by BrokenHalo · · Score: 1

      I think the op meant can the firewall monitor the kernel for access to the internet/phone network...

      It's just a Linux kernel (on my phone it's 2.6.29), so yes, of course it can.

    7. Re:This firewall monitor non internet activities? by Anonymous Coward · · Score: 0

      You don't think the mobile provider is collecting this data on their end? Data collection on the device is a novelty compared to what the telcos are collecting on you, the data is far too valuable for them to not do anything with it.

      Is this ignorance or just naivete on your part?

    8. Re:This firewall monitor non internet activities? by Anne_Nonymous · · Score: 1

      >> Little elves hiding in the keypad?

      Yes. Does it monitor those? Because Santa has got to be getting his information somewhere!

    9. Re:This firewall monitor non internet activities? by Anonymous Coward · · Score: 0

      There is a feature installed for the FBI that allows them to listen into your cell for 24 hours without turning the phone on. The operating system doesn't even come into play. I think this is probably what the parent post was asking about. And, I think I just answered his question. No, this won't stop that.

    10. Re:This firewall monitor non internet activities? by Anonymous Coward · · Score: 0

      He means telephone calls, which aren't necessarily TCP/IP data traffic (are they? i dunno)...

      As in, surreptitious eavesdropping by (this is just an example) turning on the microphone, then maybe making silent phone calls, that sort of thing.

      Sure, those calls might reveal the malware by showing up on the bill, and the cat would be out of the bag about its presence at that point, but that doesn't mean it's an unusable malicious tactic. ...blah blah blah, do you know what I am saying?

    11. Re:This firewall monitor non internet activities? by Shompol · · Score: 1

      I would bet on the firewall only monitoring the internet traffic. Android phones also have a GSM radio, which does not fall in the realm of networking, yet is capable of (a) sending SMS/MMS and (b) being tracked by the telco.

      Of course the applications would be the ones sending the SMS -- the little elves are mighty expensive nowadays.

    12. Re:This firewall monitor non internet activities? by Anonymous Coward · · Score: 0

      I think countertrolling is referring to the OS itself. If you call it an "app", then yeah, only apps phone home. If you call it the thing where apps run, then it would seem that that's what makes this firewall unique: it stands in the way of the OS, too.

    13. Re:This firewall monitor non internet activities? by countertrolling · · Score: 1

      Little elves hiding in the keypad?

      :-) Are you sniffing the network and breaking the encrypted signals? How much do you know about the hardware that's protected by trade secrets, or the 'secret' laws now permitted that might demand access? You know what's in the chips? Unless you're not telling me something, I suspect you don't know very much, if anything at all of what's inside..

      --
      For justice, we must go to Don Corleone
    14. Re:This firewall monitor non internet activities? by The+Archon+V2.0 · · Score: 1

      Because Santa has got to be getting his information somewhere!

      "You've been typing these things in chatrooms? Oh ho ho! Naughty naughty! You've been a very bad girl!"

      ...

      When I phrase it like that, I'm not sure if the elves shouldn't be checking up on Santa's PC too. Who watch^H^H^H^H^Helfs the big elf, and all that.

    15. Re:This firewall monitor non internet activities? by Anonymous Coward · · Score: 0

      Location information can be sent in subchannels in the cellular signal itself, just like SMS doesn't use the data connection that this firewall is monitoring. In fact location tracking can be done via SMS, which this does not block.

    16. Re:This firewall monitor non internet activities? by Anonymous Coward · · Score: 0

      Linux OS is underneath that.

    17. Re:This firewall monitor non internet activities? by Anonymous Coward · · Score: 0

      Is there hardware behind the OS that communicates with the network? There is, and this software firewall would not interact with that hardware.

  2. ZoneAlarm and NetBarrier by dltaylor · · Score: 2

    I used to use ZoneAlarm on Windows (still a version on my Win2K Starcraft PC), and tried NetBarrier for the PPC Macs. Both worked similarly, and I thought ZA was the greatest addition to Windows, ever.

    Sounds like my impending Color Nook will be getting one of these, day 1.

    1. Re:ZoneAlarm and NetBarrier by Artifex · · Score: 1

      As an aside, if you have any machines running OSX these days, you should look into getting Little Snitch. Love it; it's been eye-opening to see how often and where browsers call home when they're started, now, for instance.

      --
      Get off my launchpad!
    2. Re:ZoneAlarm and NetBarrier by dltaylor · · Score: 1

      Absolutely serious!

    3. Re:ZoneAlarm and NetBarrier by Joce640k · · Score: 1

      How can you tell if they're working or not?

      If the malware is subverting ZoneAlarm (easy enough to do) then your sense of security could be completely false.

      The ONLY way to spot unwanted outgoing connections is with a device external to your PC (eg. another PC on the same subnet running a packet sniffer).

      --
      No sig today...
    4. Re:ZoneAlarm and NetBarrier by Blade · · Score: 1

      How do you packet sniff on switched networks? The days of being able to sniff all traffic[1] on a network by having something else on the same network are gone my friend.

      You'd need to be running some software on the switch or on the internet gateway, or some other device that sees all the traffic for some other reason.

      [1] Yes, you can sniff some broadcast traffic.

    5. Re:ZoneAlarm and NetBarrier by cheros · · Score: 2

      Used it. Little Snitch has IMHO one major problem: they decided that it should use the Mac's voice system if you go into Front Row, and it's not optional - there is no way to disable it at all. Voice rendering on computers is a pet hate of mine (and Apple's system is pretty bad), so the fact that LS decided all on its own to use this was enough to start seeking an alternative.

      I switched to Hands Off, which has the added advantage that I can have it monitor what applications do with my hard disk as well. And they offer a cheap license for those switching from LS, which helps :-).

      The only question with both apps is: do THEY phone home? Haven't looked with Wireshark yet, but I will..

      --
      Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
    6. Re:ZoneAlarm and NetBarrier by RivieraKid · · Score: 2

      If you want to sniff on switched networks, stop being so cheap.

      You'll need a managed switch with the ability to designate a specific switch port as a SPAN or mirror port (http://en.wikipedia.org/wiki/Port_mirroring). This will allow you to monitor any other traffic that is passing through the switch.

      Those days aren't gone, they merely got a whole lot more expensive.

      In any case, it's more likely that you'd do monitoring at the egress point(s) of your private network, not on a particular switch.

      --
      "Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves
    7. Re:ZoneAlarm and NetBarrier by soundguy · · Score: 1

      Port mirroring on the switch

      --
      Nothing worthwhile ever happens before noon
    8. Re:ZoneAlarm and NetBarrier by Blade · · Score: 1

      Yep, that's certainly one option. And it's more than just "another PC on the same subnet running a packet sniffer". Do any home-grade ADSL / Cable devices support it? Maybe with some of the open firmware solutions?

    9. Re:ZoneAlarm and NetBarrier by Blade · · Score: 1

      If you want to sniff on switched networks, stop being so cheap.

      You'll need a managed switch with the ability to designate a specific switch port as a SPAN or mirror port (http://en.wikipedia.org/wiki/Port_mirroring). This will allow you to monitor any other traffic that is passing through the switch.

      Those days aren't gone, they merely got a whole lot more expensive.

      In any case, it's more likely that you'd do monitoring at the egress point(s) of your private network, not on a particular switch.

      Luckily I don't want to sniff stuff on a switched network, although the comment I was replying to made it sound like it was possible to do it by simply sticking another PC on the network. We both know that's not the case.

      Your comment is happily covered by my "You'd need to be running some software on the switch or on the internet gateway, or some other device that sees all the traffic for some other reason."

    10. Re:ZoneAlarm and NetBarrier by Anonymous Coward · · Score: 0

      but how can you tell that wireshark doesn't phone home?

      dun dun duuuuuun

    11. Re:ZoneAlarm and NetBarrier by clang_jangle · · Score: 1

      The hands-down best firewall for OS X (and other BSDs) is ipfw. No pointy-clicky though, so most Mac users won't use it.

      --
      Caveat Utilitor
    12. Re:ZoneAlarm and NetBarrier by cheros · · Score: 1

      True enough. You're in a twisty maze, with passages all alike - and your geo-location enabled phone will sell your every move..

      --
      Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
    13. Re:ZoneAlarm and NetBarrier by cheros · · Score: 3, Interesting

      No pointy-clicky though, so most Mac users won't use it.

      I was building BSD firewalls based on Gauntlet more than 2 decades ago :-). You have two extra problems with ipfw - you need to know upfront what you're going to shut down or allow and it requires a lot of expertise that is not available to your average user.

      In my case, you can add that I can no longer be bothered with hacking around in a box, I want the damn thing to work so I can get stuff done. Both LS and HO pop up when they have a question, but leave me otherwise to work. Fine by me..

      --
      Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
    14. Re:ZoneAlarm and NetBarrier by clang_jangle · · Score: 1

      In my case, you can add that I can no longer be bothered with hacking around in a box, I want the damn thing to work so I can get stuff done. Both LS and HO pop up when they have a question, but leave me otherwise to work. Fine by me.

      Actually, configuring ipfw is incredibly simple. Beyond most OS X users probably, but anyone who can install and configure *BSD will not be daunted by the five minutes or so it takes to set up ipfw. :)

      But of course your choice is valid and requires one to know or remember almost nothing, which is perhaps key for most users. Personally, I do not want popups interrupting me when I'm working, and since a proper firewall comes down to defining a handful of rules (or less) up front and then being left alone forever, that's certainly my preference.

      --
      Caveat Utilitor
    15. Re:ZoneAlarm and NetBarrier by Anonymous Coward · · Score: 0

      This is simple. Go to your shelf of old gear, grab a 10/100 HUB, plug in the two devices (the machine you are monitoring and the machine running the packet capture), start your capture and get the trace. What, doesn't everyone have at least one 10/100 hub left lying around? I think I have about 3 of them between my office at home and the one at work.

    16. Re:ZoneAlarm and NetBarrier by cynyr · · Score: 1

      You sniff it at the firewall, which in my case is a full fledged Linux box. Whatever wants to talk on the internet in my home goes through that box. I could care less usually if my phone is talking to my desktop...

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    17. Re:ZoneAlarm and NetBarrier by blackest_k · · Score: 1

      Thank you for reminding me I do have a 10/100 hub somewhere.
      I was going to dig out a couple of wireless cards since I'm using one of my routers elsewhere but that will do nicely :)

    18. Re:ZoneAlarm and NetBarrier by Anonymous Coward · · Score: 0

      How much less could you care, though?

    19. Re:ZoneAlarm and NetBarrier by datapharmer · · Score: 1

      You are kidding, right? The only difference is you have to be able to locate a choke point now, and place your interception there. Everything still goes through the network, everything just isn't broadcast out to every port now.

      For 10/100 use an old hub or passive network tap, for gigabit use a monitor port on a managed switch or a computer acting as a bridge to intercept and process between devices. You can put this between switches to get all traffic on a particular unmanaged switch or between the gateway and the rest of the network or directly on the gateway; those of us that do often call this "running snort".

      --
      Get a web developer
    20. Re:ZoneAlarm and NetBarrier by datapharmer · · Score: 1

      compile from source?

      --
      Get a web developer
    21. Re:ZoneAlarm and NetBarrier by Anonymous Coward · · Score: 0

      If the malware is subverting ZoneAlarm (easy enough to do) then your sense of security could be completely false.

      Define "malware". Maybe he just wants to know when legit software he installed (Steam, Windows Update, some random Adobe updater) is phoning home, and poke holes in the firewall accordingly.

      For example, a physical purchase of Fallout 3 (not F:NV) didn't work out of the box until it was (a) activated, which annoyed me, but I could live with, and (b) still took a minute or two to start - because the "firewall" was blocking the GFWL login attempt. As I had no interest in GFWL, instead of poking a hole for it, I manually yanked out the GFWL crap. Had I not had the software "firewall", I would never have known why the game took so long to start. The game now starts instantly, and has never tried to phone home since.

    22. Re:ZoneAlarm and NetBarrier by TheRaven64 · · Score: 1

      The hands-down best firewall for OS X (and other BSDs) is ipfw.

      Nonsense, the best firewall for other BSDs is pf. Apparently it's also going to be the best firewall in OS X 10.7.

      --
      I am TheRaven on Soylent News
    23. Re:ZoneAlarm and NetBarrier by Blade · · Score: 1

      No I wasn't kidding, but apparently, I wasn't clear either.

      I know how you intercept traffic on a switched network - but the person I was replying to didn't appear to do so. It's not been a case of 'just sticking another PC on the network' for quite a while now.

    24. Re:ZoneAlarm and NetBarrier by clang_jangle · · Score: 1

      I prefer ipfw (Altq is a major advantage IMO), but it's a bit like arguing about vi vs emacs -- either will do the job, just depends on how you like to work.

      --
      Caveat Utilitor
    25. Re:ZoneAlarm and NetBarrier by nabsltd · · Score: 2

      Those days aren't gone, they merely got a whole lot more expensive.

      I don't think a few hundred dollars for a 48-port switch is "a whole lot more expensive". Although they are around $500 each in general, I bought a pair of brand new Netgear GS748T switches on sale for $500 total. There is also a 24-port version for less than $300.

      They fall into the class of "smart switch", although they are closer to being "managed" in their feature set. One of the features is being able to set up a port to receive all traffic on other ports. The best part is that it's fairly configurable, so that the "sniffer port" (their term) can listen to traffic on one or more other ports.

    26. Re:ZoneAlarm and NetBarrier by nschubach · · Score: 1

      Technically, you could set up a Linux gateway fairly easily and you can tcpdump all traffic going through it. All you need is two Ethernet ports on a spare/old PC. I know I have a few old motherboards lying around that have two Ethernet ports on them. (Well... this is Slashdot. How many of us don't?)

      So the expensive part is really just setting up the machine to do it and you could just remove it when you are done.

      (This is what I assume the GP was talking about when they stated: "You'd need to be running some software on the switch or on the internet gateway")

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    27. Re:ZoneAlarm and NetBarrier by Anonymous Coward · · Score: 0

      but how can you tell that wireshark doesn't phone home?

      compile from source?

      But how can you tell your compiler doesn't insert "phone home" functionality into the resulting binary?

      dun dun duuuuuun

    28. Re:ZoneAlarm and NetBarrier by Hatta · · Score: 1

      I was building BSD firewalls based on Gauntlet more than 2 decades ago

      Your TTL is running out. Packet is about to die!

      --
      Give me Classic Slashdot or give me death!
    29. Re:ZoneAlarm and NetBarrier by h4rr4r · · Score: 1

      Buy a better switch or use arp spoofing.

      Please tell me you do not work in this field.

    30. Re:ZoneAlarm and NetBarrier by h4rr4r · · Score: 1

      Apparently you don't know how to intercept traffic. Go look up arp spoofing. Not as good for many reasons as a switch that will do port spanning but it would be fine for just monitoring a desktop from another one for a few minutes.

    31. Re:ZoneAlarm and NetBarrier by Anonymous Coward · · Score: 0

      In my case, you can add that I can no longer be bothered with hacking around in a box, I want the damn thing to work so I can get stuff done. Both LS and HO pop up when they have a question, but leave me otherwise to work. Fine by me.

      Actually, configuring ipfw is incredibly simple. Beyond most OS X users probably, but anyone who can install and configure *BSD will not be daunted by the five minutes or so it takes to set up ipfw. :)

      But of course your choice is valid and requires one to know or remember almost nothing, which is perhaps key for most users. Personally, I do not want popups interrupting me when I'm working, and since a proper firewall comes down to defining a handful of rules (or less) up front and then being left alone forever, that's certainly my preference.

      Why do you have to be an elitist dick instead of realizing that not everyone is a basement nerd that wants to spend many hours configuring their firewalls? Five minutes? Your firewalls aren't configured properly, sorry.

      And yeah, right. A "handful of rules (or less)" because of course there could be less than a handful. There could be zero rules. I guess that's why your firewalls are quick and easy to configure, and somehow manage to magically let the new applications you install pass through without changing anything..

      I swear, high school kids who once ran BSD on their mom's computer and then start acting like everything is quick and easy.

      It's not. They should stop commenting on slashdot and let the grownups do it.

    32. Re:ZoneAlarm and NetBarrier by clang_jangle · · Score: 1

      Well, I'm so sorry if my competence interferes with your poor self-image. I happen to be a busy adult professional who enjoys knowing what I'm doing. I think insecure know-nothings like you are the ones who should "stop commenting on slashdot and let the grownups do it", to use your words -- especially since this is supposed to be News for Nerds (as opposed to whiney mamby-pambies who want everything spoon fed to them). Thanks.

      --
      Caveat Utilitor
    33. Re:ZoneAlarm and NetBarrier by blacksmith_tb · · Score: 1

      Don't worry, there's an app for that.

    34. Re:ZoneAlarm and NetBarrier by Anonymous Coward · · Score: 0

      Once upon a time it was normal for slashdot users to be competent and informed about software, but that time has passed. Now it's normal to be ignorant and to be arrogant about being ignorant.

    35. Re:ZoneAlarm and NetBarrier by metallurge · · Score: 1

      but how can you tell that wireshark doesn't phone home?

      compile from source?

      But how can you tell your compiler doesn't insert "phone home" functionality into the resulting binary?

      dun dun duuuuuun

      By using a compiler & libs cross-compiled from source by a different compiler compiled from source on a different-architecture machine?

    36. Re:ZoneAlarm and NetBarrier by cheros · · Score: 1

      No, he isn't, he just has another approach which is equally valid but does not work for *me*. I often need to use software which I do not have the time to completely assess (and it's not weird fringe stuff, Adobe and Microsoft products are on that list too). The other issue is that ipfw is more network and less application focused, but ipfw is not hard to set up - there are GUIs such as WaterRoof and Flying Buttress available if you spend 10 seconds on Google. There is a good intro to OSX ipfw available as well (at least, *I* like it, YMMV :).

      His approach would be an upfront analysis and then tune ipfw accordingly. The problem for me with that is that software often does a lot of things you don't really know about - updates are a classic, which only happen every so often. In the ipfw case you'd end up with a failure to update and you'd have to go and dig to find out what happened and why retrospectively.

      My approach is to install the code after I have checked its origin and scanned it for malware(*), and then monitor where it's going when it talks to the Net. I caught a couple of interesting things that way (in which case I tend to fire up Wireshark and have a good look at what it's trying to do), but it does mean that I occasionally have to adjust things on the fly. This way, my filter learns and will not bother me other than when an application decides to do something new. I do, however, pay the price that I risk getting interrupted (something I hate) but this approach works best for me at present.

      The disadvantage is that this approach requires a very clean approach to installation, and presents a slightly greater risk. His approach is very low risk, but is more labour intensive. Different shades of grey..

      --
      Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
    37. Re:ZoneAlarm and NetBarrier by Xyde · · Score: 1

      You disable it by going into rules and allowing Front Row... what did you expect?

  3. Lesson learned by Anonymous Coward · · Score: 0

    Use an operating system that cooperates. It spares you the trouble of filtering your outbound traffic.

    1. Re:Lesson learned by Anonymous Coward · · Score: 0

      Will do, as soon as one exists.

    2. Re:Lesson learned by game+kid · · Score: 1

      They'll worry about the privacy of the Small People after they deal with those pesky phone-company-killing tetherers.

      --
      You can hold down the "B" button for continuous firing.
  4. Droidwall already did a good job at it by Anonymous Coward · · Score: 4, Informative

    Not dynamic, but allows you to set up white/black lists of applications to access the 3g or wifi network.
    Does a good job. You just have to remember to add new apps to the white list if you want to allow them access to a network.

    http://code.google.com/p/droidwall/

    1. Re:Droidwall already did a good job at it by exabrial · · Score: 1

      Yep, WhisperWall is the _Second_. I've been running DroidWall for months.

    2. Re:Droidwall already did a good job at it by Charliemopps · · Score: 1

      Yes, but did it include the OS? I think this is the difference in this application.

    3. Re:Droidwall already did a good job at it by mlts · · Score: 1

      I'd say DroidWall has been out at least a year. So far it has done an effective job at keeping apps from phoning home.

      It would be nice to have a utility that offers the ability to keep apps away from the ability to get GPS info, either coarse or fine. This way, an app can do what it needs to, but when phoning home with whatever info it can find, it will either get the coordinates of some random place, or none at all.

    4. Re:Droidwall already did a good job at it by Anonymous Coward · · Score: 0

      All an app would need to do is grab GPS data from the EXIF data in pictures you took. You can't stop an app from reading files on the sdcard.

    5. Re:Droidwall already did a good job at it by penguinchris · · Score: 2

      I've been using Droidwall for quite a while, and I'm going to keep using it for one primary reason - you can choose whether to allow apps access over wifi, 3g, or both. I'm mainly interested in limiting what apps do when I'm using mobile data.

      I really hate that it doesn't pop up a notification when it blocks something new, though. Every time I install a new app I forget to enable it in the Droidwall settings, and it sits there not able to connect until I remember.

      In fact, the whole interface for Droidwall is pretty awful.

      If this new one adds the option to disallow 3g on a per-app basis, then I'd switch immediately. Don't want to knock Droidwall too much because it's great and it's free and everything, but it needs a lot of work!

    6. Re:Droidwall already did a good job at it by Anonymous Coward · · Score: 0

      The components of the OS are listed as well. Just need to be careful which ones you block or stuff stops working.

    7. Re:Droidwall already did a good job at it by psyclone · · Score: 1

      Correct- you'd have to disable saving GPS points in the EXIF data. However, blocking the network request when the app phones home would be sufficient.

      To the parent's point, I would love a sandbox that surrounded each app with a configuration for each permission it requested. So the app could say "I need permissions to read GPS data, write SD contents, read browser history, etc" and I could happily install it knowing my sandbox would return empty/random/fixed data for those API/system calls.

    8. Re:Droidwall already did a good job at it by Anonymous Coward · · Score: 0

      I guess my point was that the sdcard needs better access controls just like the network, GPS, and everything else.

      There is too much that is stored there to leave it world readable and writable. Don't forget that all apps end up with the "write to sdcard" permission even if they don't ask for it in the market, but we need permissions per app, not per sdcard.

    9. Re:Droidwall already did a good job at it by Anonymous Coward · · Score: 0

      Yes, Droidwall blocks the OS as well. The difference is that Droidwall requires root access which, for a mysterious but doubtless excellent reason, owners of Android devices do not have without cracking. Droidwall is also iptables based which probably means that it's faster, but I don't know if that's by a significant amount.
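
      As an added example that is neither DroidWall's nor the thread's own code, this is how the per-app, per-network whitelist described in the parent post maps onto iptables on a rooted device: Android gives each app its own Linux UID, so the owner match does the per-app part and the outgoing interface does the wifi/3g part. The interface name patterns and the sample UIDs are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not DroidWall's own code. Every Android app runs under its
# own Linux UID (app UIDs start at 10000; lower UIDs are OS components such
# as 1000 "system" and 1001 "radio"), so an iptables-based firewall can
# whitelist apps with the owner match (-m owner --uid-owner), which is only
# valid for locally generated traffic, i.e. the OUTPUT chain. "wifi" versus
# "3g" is just the outgoing interface. The interface name patterns below are
# an assumption about the device.

MOBILE_IFACES="rmnet+ pdp+ ppp+"
WIFI_IFACES="wlan+ tiwlan+ eth+"

# Print the rules that let one UID out on each of the given interfaces.
# Usage: allow_uid <uid> <iface pattern...>
allow_uid() {
    uid=$1
    shift
    for ifc in "$@"; do
        printf 'iptables -A droidwall -o %s -m owner --uid-owner %s -j RETURN\n' "$ifc" "$uid"
    done
}

# Build the full rule set from a whitelist of "uid:net[,net]" entries,
# where net is wifi or 3g. Anything not whitelisted is rejected on both
# network types (default deny), so a newly installed app stays blocked
# until it is added here, exactly the behaviour the thread complains about.
# The rules are printed rather than executed so they can be reviewed first.
build_whitelist_rules() {
    whitelist=$1
    printf 'iptables -N droidwall 2>/dev/null\n'            # create chain if missing
    printf 'iptables -F droidwall\n'                        # start from a clean chain
    printf 'iptables -D OUTPUT -j droidwall 2>/dev/null\n'  # avoid a duplicate jump
    printf 'iptables -I OUTPUT 1 -j droidwall\n'            # owner match needs OUTPUT
    for entry in $whitelist; do
        uid=${entry%%:*}
        nets=${entry#*:}
        case ",$nets," in *,wifi,*) allow_uid "$uid" $WIFI_IFACES ;; esac
        case ",$nets," in *,3g,*)   allow_uid "$uid" $MOBILE_IFACES ;; esac
    done
    # Everything that did not RETURN above is rejected: default deny.
    for ifc in $WIFI_IFACES $MOBILE_IFACES; do
        printf 'iptables -A droidwall -o %s -j REJECT\n' "$ifc"
    done
}

# Constructed sample: UID 10042 may use both networks, UID 10051 Wi-Fi only.
# On a rooted device the output could be applied with: ... | sh
build_whitelist_rules "10042:wifi,3g 10051:wifi"
```

      The printed rule set is what a reviewer would check before applying it as root; note that an app with no entry is blocked on both interfaces, which is why new installs silently fail until they are whitelisted.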

    10. Re:Droidwall already did a good job at it by psyclone · · Score: 1

      Agreed that a "read from sdcard" (read_external_storage) permission should exist.

      However, the write_external_storage permission exists since API level 4 (android 1.6). Previous OS versions implicitly allowed that permission.

      http://developer.android.com/reference/android/Manifest.permission.html#WRITE_EXTERNAL_STORAGE
      http://developer.android.com/guide/topics/data/data-storage.html#filesExternal

      Technically, your camera app could mark the files private to only itself; then you'd have to use it to view them (not a gallery) and share them (or copy to a temp area to be shared).

    11. Re:Droidwall already did a good job at it by Anonymous Coward · · Score: 0

      Do you have even one app that doesn't have write_external_storage permission?

      I understand that it exists as an option to allow or deny in theory, but every app is granted this permission even when the market doesn't tell you about it.

      Even the second link you provided says "All applications can read and write files placed on the external storage".

      Even if the user had the choice to allow or deny read or write access on the sdcard to specific apps, it would still be a cesspool of no security, but read and write are allowed globally, making it even worse.

      Since this is the only really usable storage (sure, internal storage exists, but it is very size-limited in comparison), it shows that this needs to be completely rethought. Until then, it will be a massive black eye for Android's security. It is only a matter of time before a high-profile incident involves this issue.

  5. Meh... by Loki_666 · · Score: 2

    Which is why I like my mobile phone to remain a mobile phone and not a mini-computer subject to the same problems that plague PCs. We already have malware and other crap for mobile devices and the need for firewalls.... bet the anti-virus companies are wetting their pants over the move from mobile phones to mobile computers.

    If I find myself in an emergency situation I'd like to be sure my mobile phone is working and not suffering from a plague of outbound traffic sending spam to half the world.

    1. Re:Meh... by Anonymous Coward · · Score: 0

      Dude, just run Linux on your phone, then you'll be OK. Oh wait :(

    2. Re:Meh... by L4t3r4lu5 · · Score: 1

      SMS of Death

      Bad coding is ubiquitous on all devices running any software. Remember that these are consumer end devices and not scrutinised in the same way as, say, military software is.

      Oh, wait...

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    3. Re:Meh... by Anonymous Coward · · Score: 0

      I often hear this claim that simple phones are considered secure, while smartphones are not. There is a very interesting podcast on the German Chaos Computer Club's site that discusses the state of GSM security, and there are many serious concerns there. For example, a SIM card is able to run programs that are installed transparently over the network, without the user knowing anything of it.

      The interviewee has a list of related publications on his university website.

      If at all possible, get someone to translate this podcast into English for you, then go ahead and treat yourself to a nice smartphone -- accepting that there is no security out there ;-)

    4. Re:Meh... by jc42 · · Score: 1

      Which is why I like my mobile phone to remain a mobile phone and not a mini-computer subject to the same problems that plague PCs. We already have malware and other crap for mobile devices and the need for firewalls.... bet the anti-virus companies are wetting their pants over the move from mobile phones to mobile computers.

      So you still have an analog mobile phone? Do they still make those? ;-)

      Seriously; all digital phones are small computers. If one has a UI that only does phone calls, that's fine for customers that want that, but inside, there's still a cpu chip and a pile of software. It may be slow and have not much memory, but it's still a programmable computer. With a phone-only UI, it really just means that you have no way of discovering what other software the vendor might have filled it with.

      One of the other stories today is about a new video camera that's only a millimeter wide. It's probably just a matter of time before we're reading a story about someone's "phone only" device that contains this camera, with its pics or videos ending up on youtube. So be careful about where you set your phone down while you're doing something nearby. ;-)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    5. Re:Meh... by Loki_666 · · Score: 1

      Depends on two things. How programmable the digital phones are, and how targeted they are. Seriously, some of the more basic phones with no real OS to speak of are going to get targeted because they are just used as phones, not, for example, for online banking. Why even bother with them when you can swipe nice bank credentials.

  6. Only for Nexus by __aarvde6843 · · Score: 1

    It's only available as a 0.3 Beta for Nexus S and Nexus 1.

    The installers are only for Windows 7 (64-bit) and Linux 64-bit (and OS X).

    It's a great idea. If it continues to be free, I'll install it when it becomes available for my HTC...

    1. Re:Only for Nexus by Anonymous Coward · · Score: 3, Informative

      The 'installer' wipes your ROM and replaces it with their own. It isn't an app installer.

    2. Re:Only for Nexus by rrossman2 · · Score: 1

      It's 85 Megs (Windows x64 installer).. unless they cut out a lot of standard apps as well, I think there's something else to it. Maybe I'm wrong and it is just a custom-done ROM, as I'm used to the Galaxy S ROMs (which are typically 130-200MB)

    3. Re:Only for Nexus by Anonymous Coward · · Score: 0

      I downloaded the installer, extracted it, then unyaffs'd the partition images. It's a ROM :).

      I only looked in /system/app/, but all the stock Android apps were there.

    4. Re:Only for Nexus by Sancho · · Score: 1

      I got to your comment and was pretty disappointed. My fault for trusting a Slashdot headline, but "Droid" is a particular line of Android phones from Verizon (the kind I have, incidentally.) So I guess this is useless to me.

      Thanks, guys, for your lovely reporting.

  7. iPhone App by AtomicJake · · Score: 2

    Excellent news for Android users. I guess that Apple would never accept a similar App for the iPhone - it might disturb the user experience.

    1. Re:iPhone App by Anonymous Coward · · Score: 0

      s/user experience/ad revenue and data collection/

    2. Re:iPhone App by tronicum · · Score: 1

      It is not in the marketplace. And it replaces the whole OS with a modified full-disk-encryption mod. But there is no uninstall path yet.

    3. Re:iPhone App by coofercat · · Score: 1

      And that user experience will stop this being useful for anyone except the geeks. Once you click the "allow" button with the "always do this from now on" tick box checked, then your app leaks data for ever. You may legitimately want super-whizzo-local-knowledge-app to know your location when you use the app, but not so much when it's hidden away in the background (or otherwise not immediately in use).

      This is a good step forward, but I doubt it'll solve the problem entirely.

    4. Re:iPhone App by mlts · · Score: 1

      Also, if an app that doesn't do anything nasty has access to items, who knows if a future update pushed out with more malicious code may affect people. A lot of people automatically update their devices, and the SMS archiver that works perfectly with the v1.0 copy is spamming contacts at random with the 1.0.1 rev.

    5. Re:iPhone App by chihowa · · Score: 2

      I guess that Apple would never accept a similar App for the iPhone - it might disturb the user experience.

      That's true, but there's one available in Cydia for jailbroken phones. Called Firewall IP, it works pretty well.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    6. Re:iPhone App by Anonymous Coward · · Score: 0

      Excellent news for Android users. I guess that Apple would never accept a similar App for the iPhone - it might disturb the user experience.

      It couldn't possibly be that Apple made a smartphone that doesn't need a stupid firewall.

      I mean this is ridiculous. Because of all the malware crap available on the Google marketplace people actually need a firewall app to protect their phone? Thank God for my walled garden.

    7. Re:iPhone App by Graham+J+-+XVI · · Score: 1

      It doesn't matter if Apple accepts it, there's been a great firewall available via Cydia for quite some time now.

    8. Re:iPhone App by Anonymous Coward · · Score: 0

      Although Apple would never allow it to be added to the AppStore, there is an iOS firewall app that is similar to this, and works great. You just need to have a jailbroken phone:

      http://cydia.saurik.com/package/com.yllier.firewall

  8. But, Android is for advertising... by irp · · Score: 1

    The issue with Android is it is an advertising platform. But imho with a strangely bad implementation... At least in hindsight.

    I like my HTC, but sincerely hate all the programs that "require" full internet access. The reason given is ads, which I am often alright with: I get stuff "for free" that I don't care enough to pay for (games, rarely used tools, apps I can easily live without). The problem is one never knows what else they use this unrestricted access for. Much of this doubt could be removed if Google maintained a white-list of ad servers (also 3rd party). That way most programs would not require full internet access, but only *restricted* access to a *limited* number of servers.

    These servers can of course be hacked etc. but at least they can easily be black-listed, leaving a more well-defined security risk.

    I never understood why Google didn't implement it this way. Were they trying to "hide" that Android is made to open a new revenue source for them? Trying to make people believe they were "selling" a phone OS? Or did they sincerely not consider the risks of this implementation?

    Blocking the ads is essentially stealing from the app developers (or more correctly; depriving them of income). I don't want to do that, but I would like a firewall.
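
    As an added illustration of two ideas raised in this thread, the prompt-and-remember app firewall (including the "always do this from now on" leak coofercat describes further up) and the white-listed ad servers proposed in the post above, here is a small Python policy engine. It is not WhisperMonitor or Droidwall code and does not claim to match either; the app names, hosts and ports are constructed sample values, and the `foreground_only_grants` option is an assumed mitigation for illustration, not a feature of any product:

```python
"""Per-app outbound policy: ad white-list, prompt, remember.  Added illustration
for this thread, not WhisperMonitor or Droidwall code; app names, hosts and
ports are constructed sample values."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


class Scope(Enum):
    ONCE = "once"      # answer covers this attempt only
    ALWAYS = "always"  # remembered for the (app, host, port) triple


@dataclass(frozen=True)
class Attempt:
    app: str
    host: str
    port: int
    foreground: bool  # is the user interacting with the app right now?


Prompter = Callable[[Attempt], Tuple[Verdict, Scope]]


@dataclass
class OutboundPolicy:
    # Hosts any app may reach on 80/443 even without full network access:
    # the "restricted access to white-listed ad servers" idea.
    ad_whitelist: Set[str]
    # Apps granted full network access; everything else is denied outright.
    full_access: Set[str] = field(default_factory=set)
    # Assumed mitigation: a remembered ALLOW counts only while the app is in
    # the foreground; background attempts are prompted again.
    foreground_only_grants: bool = False
    remembered: Dict[Tuple[str, str, int], Verdict] = field(default_factory=dict)
    log: List[Tuple[str, str, int, bool, str, str]] = field(default_factory=list)

    def decide(self, a: Attempt, ask_user: Prompter) -> Verdict:
        if a.host in self.ad_whitelist and a.port in (80, 443):
            return self._record(a, Verdict.ALLOW, "ad-whitelist")
        if a.app not in self.full_access:
            return self._record(a, Verdict.DENY, "no-network-permission")
        key = (a.app, a.host, a.port)
        if key in self.remembered:
            v = self.remembered[key]
            stale = (self.foreground_only_grants and not a.foreground
                     and v is Verdict.ALLOW)
            if not stale:
                # With foreground_only_grants off this is the leak described
                # above: "always allow" ticked in the foreground keeps working
                # once the app is hidden in the background.
                return self._record(a, v, "remembered")
        v, scope = ask_user(a)
        if scope is Scope.ALWAYS:
            self.remembered[key] = v
        return self._record(a, v, f"user:{scope.value}")

    def _record(self, a: Attempt, v: Verdict, reason: str) -> Verdict:
        self.log.append((a.app, a.host, a.port, a.foreground, v.value, reason))
        return v


def scripted_user(answers: List[Tuple[Verdict, Scope]]) -> Prompter:
    """Stand-in for the allow/deny dialog: hands out scripted answers in order."""
    queue = list(answers)

    def ask(_a: Attempt) -> Tuple[Verdict, Scope]:
        if not queue:
            raise RuntimeError("prompted more often than the script expected")
        return queue.pop(0)
    return ask


# Constructed sequence of connection attempts from two sample apps.
SAMPLE_ATTEMPTS = [
    Attempt("free-game", "ads.example.net", 443, True),         # ad host: allowed
    Attempt("free-game", "collector.example.org", 443, True),   # no network permission
    Attempt("maps-app", "tiles.example.com", 443, True),        # first use: prompt
    Attempt("maps-app", "tiles.example.com", 443, False),       # same host, background
    Attempt("maps-app", "telemetry.example.com", 8443, False),  # prompt, denied once
    Attempt("maps-app", "telemetry.example.com", 8443, False),  # prompted again
]


def run_demo(foreground_only_grants: bool = False) -> List[str]:
    """Runs SAMPLE_ATTEMPTS and returns the reason tag behind each decision."""
    policy = OutboundPolicy(ad_whitelist={"ads.example.net"},
                            full_access={"maps-app"},
                            foreground_only_grants=foreground_only_grants)
    answers = [(Verdict.ALLOW, Scope.ALWAYS), (Verdict.DENY, Scope.ONCE),
               (Verdict.DENY, Scope.ONCE)]
    if foreground_only_grants:  # the background tile fetch is prompted again
        answers.insert(1, (Verdict.DENY, Scope.ONCE))
    user = scripted_user(answers)
    for a in SAMPLE_ATTEMPTS:
        policy.decide(a, user)
    return [entry[5] for entry in policy.log]
```

    run_demo() returns the reason behind each decision. With the default settings the fourth attempt, the background tile fetch, goes through on the remembered grant, which is exactly the leak the earlier comment warns about; with foreground_only_grants=True it is prompted again. The log tuple (app, host, port, foreground, verdict, reason) is the audit record a user would need to see why something was allowed.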

  9. Supports only two devices by Anonymous Coward · · Score: 0

    This is currently supported for two devices (Nexus S and Nexus One) and not Android in general.

    1. Re:Supports only two devices by Anonymous Coward · · Score: 0

      Dunno if it'll work on other devices (netfilter support in kernel is a must) but here's the N1 WhisperMonitor apk: https://rapidshare.com/files/460534963/WhisperMonitor.zip. Install to /system as it requires root.

      The two download links are for ROMs not the app.

  10. This shouldn't need to exist by atari2600a · · Score: 1

    I mean I can see the benefit of being able to install an app that requires data permissions without the data, but this really should be something built into the operating system. Then again, perhaps a built-in firewall would be too much...

    1. Re:This shouldn't need to exist by green1 · · Score: 1

      This is something that's always bugged me on my android, every time you install an app it lists which permissions it requires, and then gives you the choice of allowing them all, or not installing the app. Why can't I choose to allow/deny any one of those permissions for any app?

      Why can't I say, yes I want the app, yes I want it to access my SD card, yes I want it to take pictures, no I don't want it reading SMS messages, no I don't want it accessing the internet.

      Let the apps ask for whatever permissions they want, but let the user decide which ones they get!

    2. Re:This shouldn't need to exist by psyclone · · Score: 1

      It would be rad to pick and choose. And even if the apps are programmed so poorly that they require access, the Android OS could supply some API/system calls with your choice of random/empty/fixed data. E.g. an app wants fine GPS access, but doesn't need it for anything but advertising. Great, just feed it the South Pole every time it asks.

  11. Please port this to Linux A.S.A.P. by TractorBarry · · Score: 4, Insightful

    > "It monitors all outbound connection attempts by applications and the operating system, and asks users to permit or block any URLs and port numbers that are accessed."

    Excellent. + 100 this is the way things should be !!!

    I've been yammering on about this for ages now without being able to get any Linux devs interested. As far as I'm concerned, without such a feature Linux is a dead duck as far as being an operating system suitable for the home user. I've stopped putting Ubuntu on people's machines due to the complete lack of such a firewall. And no. iptables and Firestarter etc. are not the same thing *at all*.

    The end user should always be given the final decision before *ANYTHING* on the computer is allowed internet access. This single feature of the Zone Alarm firewall on Windows has allowed numerous "non computer savvy" friends and relatives to realise they have a problem well before malware has been able to phone home. Not to mention blocking all the crappy "auto updaters" and other such crap that idiots have started putting in their Windows apps.

    1 The people who write Zone Alarm for Windows get it.

    2 Moxie Marlinspike gets it.

    3 The Linux devs simply do not get it. They seem to believe we live in Magic Fairyland where no program would ever do anything malicious and anything should be able to connect out without the user knowing about it. "But we're only fetching cover art/some other stuff". No you're reporting information to a third party that I do not wish sent thank you very much.

    Without this simple feature your computer is simply a digital spy silently allowing any program to send any information it wants anywhere in the world.

    Totally unacceptable in 2011. All machines should have firewalls that allow the user full control of what applications are allowed to talk to the local network and/or the internet.

    --
    Sky subscribers are morons. They pay to be advertised at !
    1. Re:Please port this to Linux A.S.A.P. by Zebedeu · · Score: 2

      While I agree with you on principle, I think in practice these types of programs bring a lot of grief.

      I once visited the house of a friend who was having trouble connecting to the internet. Turned out ZoneAlarm (or a similar program) popped up a dialog asking if he wanted to block Windows networking (not by that name, but the library which controls it) and he said yes.

      Of course there are ways around that. For example, the firewall program should've had networking whitelisted, but even then people will try and block all kinds of stuff and then complain it isn't working.

    2. Re:Please port this to Linux A.S.A.P. by clang_jangle · · Score: 1

      Considering there's nothing as feature-complete as IPtables on Linux, I think your best bet is to learn that rather than rely upon some limited GUI interface.

      --
      Caveat Utilitor
    3. Re:Please port this to Linux A.S.A.P. by Luckyo · · Score: 4, Interesting

      Considering there's nothing as feature-complete as IPtables on Linux, I think your best bet is to learn that rather than rely upon some limited GUI interface.

      I think you just underscored his point of linux not being usable for a desktop. Modern desktop should NOT, EVER rely on command line interface for anything aimed at end-user if it is to be usable.

      There is a reason why we don't use rotary diallers in smartphones. There's a reason why we don't use a command line interface on average home desktop machines (and no, your home machine is NOT average by any margin, any more than a rotary dialler phone is, if it's using Linux).

    4. Re:Please port this to Linux A.S.A.P. by irp · · Score: 1

      You are of course absolutely correct... Except you are missing who-is-who: You are not the end-user. You are the product! :-)

      Advertisers are the end-user, they pay for your apps, for your Gmail, and for each and every search you do on Google search... Your phone is just an extension of this package.

      I still agree with you and think Google have made a horrible implementation in Android: We SHOULD be able to deny an app full internet access. The app should still function, but just get a "not connected" exception. Ads should be presented through *restricted* access to a *limited* number of white-listed servers (also 3rd party). These servers can of course go bad, but at least they are easily black-listed.

    5. Re:Please port this to Linux A.S.A.P. by ron_ivi · · Score: 1

      Can SELinux do much/most of what you're asking? The SELinux "sandbox" utility has some examples of restricting network access on an application-by-application manner.

      For example, this firefox can access the internet:

      sandbox -X -t sandbox_web_t firefox

      and this one can't:

      sandbox firefox

      If you set up selinux policies that restrict most applications by default, it should cover that "cover art" use case you mentioned.

    6. Re:Please port this to Linux A.S.A.P. by KiloByte · · Score: 2

      Uhm, wrong. A hostile userland program that can execute arbitrary code has ALREADY WON. There's nothing a "personal firewall" can do. Even if that firewall of yours would look at which process started the connection, there are many, many ways to control a process that is allowed. Both on Unix and on Windows.

      You'd need a sandbox of some kind: a virtual machine, a separate user who can't directly access the network, a quasi-user (like a selinux role), etc. On Windows, even separate users are not enough if both processes are in the same "window session".

      "Personal firewalls" can protect against an honest mistake or the dumbest crooks. Against anything else, they're snake oil and give a false sense of security -- i.e., are actually detrimental. As you said, "totally unacceptable in 2011". No one should run unreviewed code outside a sandbox.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    7. Re:Please port this to Linux A.S.A.P. by clang_jangle · · Score: 3, Insightful

      There's a reason the CLI remains the first choice of admins and coders, too -- it's the most powerful interface. It won't be going away in the next fifty years, and may still be with us in a thousand. Users who think "the computer needs to learn me" rather than the other way around will always have a low ceiling on their competence level and will always be frustrated.

      As far as the "not usable" BS, really who cares? Competent people use *nix, most people are not competent. It's old news, and I really don't care what you use, frankly. Just trying to be helpful...

      --
      Caveat Utilitor
    8. Re:Please port this to Linux A.S.A.P. by clang_jangle · · Score: 1

      Ads should be presented...

      No, they should not. That's the problem with android in a nutshell -- it's TiVo-ized Linux turned into an advertising platform, provided to you via your carrier and a ginormous advertising company. Do not want.

      --
      Caveat Utilitor
    9. Re:Please port this to Linux A.S.A.P. by SilentMobius · · Score: 1

      A push button dialler has _more_ functionality than the older rotary dialler (at least the additional items "#" and "*").
      The transition from rotary to push button is simply one of mechanical reimplementation, not of simplification.
      Now we have address books; how would people feel if you _only_ had address books, you couldn't add any new numbers, you could only choose from the numbers that were somehow "blessed" by your telco or phone manufacturer? That is a more accurate comparison to the iPodification of tech.

      I'm all for UIs that hide complexity as long as they always allow you to express the full power of the system in question, even if they hide much of it by default. However that is rarely what these UIs do; generally they simply remove needed features.

      --
      Loop, twist and loop again.
    10. Re:Please port this to Linux A.S.A.P. by Stray7Xi · · Score: 1

      The Linux devs simply do not get it. They seem to believe we live in Magic Fairyland

      I don't think you get it. Who is "they"? Linux isn't a brand and it's not a company. There is no such thing as "The linux devs" except the linux kernel developers. There's literally thousands of different unrelated teams working on linux packages. Frankly I have no idea who you're talking about. Linux has the support for what you're saying, someone just needs to develop it. There are/were developers for a similar tool, maybe you should talk with them. If they ever got somewhere good, maybe they'd be included in a distro. I have no personal knowledge of them:
      Tuxguardian (discontinued)
      linux-firewall.org

    11. Re:Please port this to Linux A.S.A.P. by Anonymous Coward · · Score: 1

      > Modern desktop should NOT, EVER rely on command line interface for anything aimed at end-user if it is to be usable.

      Oh, BS. This mentality is why the internet is the spam infested cesspool that it is. As long as we cater to people who refuse to learn things, who are proud of their stupidity, there will always be the kind of problems we see today.

      Thirty years ago everyone using personal computers was using the command line because _that is all there was_. Have people become dumber since then? I doubt it - just lazier and more unwilling to learn.

      The UI cannot express but a small fraction of the CLI's functionality. Thus, there is now and will always be good reasons to use the command line.

    12. Re:Please port this to Linux A.S.A.P. by Anonymous Coward · · Score: 0

      There is a reason why we don't use rotary diallers in smartphones. There's a reason why we don't use command line interface on average home desktop machines

      But those reasons are entirely different. The rotary dialer is old technology which the average Joe understands. The unix command line is modern technology which the average Joe does not understand. The reason we don't want rotary dialers on smartphones is because it is old technology. The reason we don't want the unix command line on Average Joe's computer is because he doesn't understand it.

      In conclusion, your analogy wasn't exactly a home run.

    13. Re:Please port this to Linux A.S.A.P. by Anonymous Coward · · Score: 0

      There is a reason why we don't use rotary diallers in smartphones.

      Speak for yourself.

    14. Re:Please port this to Linux A.S.A.P. by Sycraft-fu · · Score: 1

      And you can crow on about power all you want, users need ease of use. People are not experts in all devices and cannot be expected to be. Neither are you, for that matter. I'm sure in short order I could find many devices you use that you have little understanding of how they work, and that an easy to use interface is important to your like of the device.

      The attitude that everyone should be "competent" and willing to be a tough guy with computers is silly. No, things should be made easy for humans. The point of automated devices is to make our lives easier, not harder.

      As a simple example: Do you buy frozen food and microwave it? If so (and I'm sure you do) why? Why not make all your own food, from scratch. It is healthier, tastes better, and is generally cheaper. Why own a microwave at all for that matter? An oven can cook anything a microwave can.

      The reasons, of course, would be convenience and understanding. It can be a lot of work to cook everything from scratch and if you are like most geeks you probably know fuck-all about cooking (particularly the harder aspects like baking).

      That's fine, I would never suggest that everyone should know how to cook, and particularly never suggest that everyone should master it (you don't need recipes when you are really good, even for baking, you can do it all yourself). However neither would I suggest that everyone should be willing to use a CLI, which is extremely unintuitive to humans, or learn to program just to be "competent."

      For most people computers are tools, no more no less. That means like any good tool they should be able to get the job done as easily as possible.

    15. Re:Please port this to Linux A.S.A.P. by Luckyo · · Score: 1

      It won't be going away in the next fifty years, and may still be with us in a thousand. Users who think "the computer needs to learn me" rather than the other way around will always have a low ceiling on their competence level and will always be frustrated.

      Are you competent in what to do when your car doesn't work as it should? Are you competent in how to fix your refrigerator? Your oven? Your piping? Toilet? Carpentry? Windows (physical ones)?

      You are a professional in a narrow field of computer science. You are a user of a massive amount of other appliances that you have NO COMPETENCE whatsoever in. By your logic, cars should still require you to be a certified mechanic, like they used to in the 1930s; you should not have any plumbing at your home if you don't know how to fix it, etc.

      Reality is, this isn't the dark ages any more. People can afford to specialize in a narrow field and expect things outside that narrow field to JUST WORK. If they break, they can call a specialist, but it's expected, and normal, for things to function without specialist oversight for long periods of time. If they don't, it means that the designer of the appliance either hasn't made it for home use, or is incompetent.

    16. Re:Please port this to Linux A.S.A.P. by Luckyo · · Score: 1

      Did you know that most young kids in fact DO NOT KNOW HOW TO USE A ROTARY DIALLER as they have never come in contact with one? They end up trying to press the numbers in the assumption that these are buttons.

      A rotary dialler is a significantly more complex device than a keyboard, and a lot less intuitive.

    17. Re:Please port this to Linux A.S.A.P. by clang_jangle · · Score: 1

      The truth is that unskilled users have very little value to the *nix community at large, and virtually no value whatsoever to the FOSS dev community. Harsh reality, but that's how it is. If you want to use DefaultOS (windows) then there are tons of very user-friendly tweaks available because it's a ubiquitous system. If you want to use something better which is open and free the bar is higher. Clear it or don't, it makes no difference to me. There's a vocal minority of Linux zealots who make people think we all want everyone to use Linux, but most of us really don't care whether or not you find the system easy to use. We just learn what we need to learn so we can get on with life without feeling we're held hostage by some mean group of devs who won't magically make everything pointy-clicky for us. :)

      As for frozen food, you are wrong to assume that. I never eat frozen food, and happen to be a pretty good cook who exercises that skill daily, using fresh, natural ingredients.

      Some people are simply conscientious and care about the things that are important to them. Others sit around trying to tell others "how they should make it go". I guess the world would be pretty boring if we were all the same, but I like having skills. They make my life better.

      --
      Caveat Utilitor
    18. Re:Please port this to Linux A.S.A.P. by clang_jangle · · Score: 1

      You sure do like making erroneous assumptions, don't you? :D I grew up on a farm, and can assure you there is very little technology in my life which is mysterious to me. When your choices are "make it go or starve" growing up, you learn to be pretty darn capable with pretty much any kind of machinery.

      Reality is, this isn't dark ages any more.

      It is for all you helpless people who don't like to learn anything.

      --
      Caveat Utilitor
    19. Re:Please port this to Linux A.S.A.P. by Anonymous Coward · · Score: 0

      The reason linux doesn't have such a firewall already is - NO NEED!

      There is no spyware. Maybe it will come someday, when too many vendors sell machines preloaded with linux. But we're not there yet. There is no spyware that works on linux today.

      There are linux programs that "fetch cover art", but it is documented. They are not hiding the fact, so you can freely choose not to run them.

    20. Re:Please port this to Linux A.S.A.P. by Anonymous Coward · · Score: 0

      There is a reason for not using rotary diallers - weight. The same can not be said for the command line.

      It is not as if you need the command line much these days. You can surf, write documents and install software without the command line. If you want to be a power user, then you will have to learn some stuff. Some of that may be command-line usage, but that is actually the easy part. Note that Windows power users use the command line now and then too, because things like "ping" and "ipconfig" are so much faster than digging around in the GUI.

      The command line is not going away, and it is not a problem. It is not particularly hard to use either. Ordinary people managed in the DOS days, even though the DOS command line was a disaster compared to a modern command line. . .

    21. Re:Please port this to Linux A.S.A.P. by Anonymous Coward · · Score: 0

      Superiority complex much?

    22. Re:Please port this to Linux A.S.A.P. by Anonymous Coward · · Score: 0

      Inferiority complex much?

    23. Re:Please port this to Linux A.S.A.P. by couchslug · · Score: 1

      CLI = granular control, GUI is inherently less granular.

      Most end users don't need granular control, they need to be given simple sets of choices.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    24. Re:Please port this to Linux A.S.A.P. by clang_jangle · · Score: 1

      A funny thing about that... When I was new to Linux and FreeBSD I often got frustrated with inadequate, semi-or-non-functional GUIs and used to think, "when I learn a little more I'm going to fix that". But then eventually I realized the CLI is where it's at. Once you learn enough of it to become resourceful enough to get by usually referring only to man pages, --help, and STFW you might come to a point where you don't want to go backwards, and that trying to achieve everything you like in a GUI is usually just a big waste of time because it probably works fine from the CLI. Especially if it can be scripted. Scriptable interfaces are infinitely more useful than "intuitive" GUIs.

      --
      Caveat Utilitor
    25. Re:Please port this to Linux A.S.A.P. by Anonymous Coward · · Score: 0

      The problem is there are 2 conflicting goals:

      Make the best system for competent people, with the most power.

      Make the best system for the most people, maximizing usability, and thus market share.

      These goals often conflict: dev time is limited, so one aspect gets cut. IPTables is an excellent firewall. PF is an excellent firewall. None of the GUI configuration interfaces for them are excellent.

    26. Re:Please port this to Linux A.S.A.P. by _Knots · · Score: 1

      The correct design is neither this reactive monitoring nor the UNIX-standard "oh sure, go ahead!" approach. I contend that the correct approach is one of a capability system: an application which could not even name a remote network endpoint unless it was granted a handle to it is in no position to leak data.

      --
      Anarchy$ dd if=/dev/random of=~/.signature bs=120 count=1
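
      An added sketch of the capability approach argued for above, in Python, not code from any project: the trusted launcher mints endpoint handles, the app receives only those, and a handle can be attenuated (smaller send budget) or revoked. Hosts, ports and app names are constructed, and the "network" is an in-memory table of canned replies. Python itself cannot stop a process from importing `socket`, so the point is the interface shape; the actual enforcement belongs to the sandbox an earlier comment calls for.

```python
"""Capability-style network access: added illustration of the design argued
for above, not code from any project.  The app never names a host; it can
only use the handles the launcher hands it.  Hosts, ports and app names are
constructed, and the "network" is an in-memory table of canned replies."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed stand-in for the network: host -> canned reply.
FAKE_NETWORK: Dict[str, bytes] = {
    "ads.example.net": b"<ad creative>",
    "collector.example.org": b"thanks for the data",
}


class Granter:
    """Trusted side (the launcher).  Mints endpoint capabilities and can revoke
    them; app code is never given a reference to the Granter itself."""

    def __init__(self) -> None:
        self._live: Set[int] = set()
        self._next = 1

    def grant(self, host: str, port: int,
              byte_budget: Optional[int] = None) -> "EndpointCapability":
        cap_id, self._next = self._next, self._next + 1
        self._live.add(cap_id)
        return EndpointCapability(cap_id, host, port, byte_budget, self)

    def revoke(self, cap: "EndpointCapability") -> None:
        self._live.discard(cap.cap_id)

    def is_live(self, cap_id: int) -> bool:
        return cap_id in self._live


@dataclass
class EndpointCapability:
    """Handle to one (host, port).  Holding it is the authority; there is no
    connect(host) call an app could make with a host of its own choosing."""
    cap_id: int
    host: str
    port: int
    byte_budget: Optional[int]  # None = unlimited, else bytes this handle may send
    _granter: Granter = field(repr=False)
    sent: int = 0

    def send(self, payload: bytes) -> bytes:
        if not self._granter.is_live(self.cap_id):
            raise PermissionError(f"capability {self.cap_id} revoked")
        if self.byte_budget is not None and self.sent + len(payload) > self.byte_budget:
            raise PermissionError("byte budget for this endpoint exhausted")
        self.sent += len(payload)
        # A real implementation opens the socket here, on the trusted side.
        return FAKE_NETWORK[self.host]

    def attenuate(self, byte_budget: int) -> "EndpointCapability":
        """Derive a weaker handle: same endpoint, smaller budget, same revocation
        root.  Attenuation can only remove authority, never add it."""
        if self.byte_budget is not None:
            byte_budget = min(byte_budget, self.byte_budget - self.sent)
        return EndpointCapability(self.cap_id, self.host, self.port,
                                  byte_budget, self._granter)


def ad_supported_app(endpoints: List[EndpointCapability],
                     user_secret: bytes) -> List[str]:
    """Untrusted app code.  It would happily ship user_secret anywhere, but the
    only network authority it can exercise is the list it was handed."""
    out = []
    for cap in endpoints:
        try:
            reply = cap.send(b"GET /ad " + user_secret)
            out.append(f"{cap.host}:{cap.port} -> {reply.decode()}")
        except PermissionError as e:
            out.append(f"{cap.host}:{cap.port} -> denied ({e})")
    return out


def run_demo() -> Dict[str, object]:
    """Launcher side: grant one ad endpoint, attenuate it, then revoke it."""
    granter = Granter()
    ads = granter.grant("ads.example.net", 443)
    small = ads.attenuate(byte_budget=16)          # room for a request, not a dump
    first = ad_supported_app([small], b"0" * 4)    # 8 + 4 = 12 bytes: fits
    second = ad_supported_app([small], b"0" * 40)  # 48 bytes: over budget
    granter.revoke(ads)                            # also kills the derived handle
    third = ad_supported_app([ads], b"")
    return {"first": first, "second": second, "third": third,
            "live": granter.is_live(ads.cap_id)}
```

      The collector host exists in FAKE_NETWORK but the app never reaches it, because nobody handed it a capability for that endpoint; that is the "cannot even name a remote endpoint" property from the post above. The byte budget shows attenuation in the data-leakage sense: the same handle that serves an ad request cannot carry a large payload.
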
    27. Re:Please port this to Linux A.S.A.P. by Anonymous Coward · · Score: 0

      There's a reason the CLI remains the first choice of admins and coders, too -- it's the most powerful interface.

      I agree wholeheartedly, it IS the most powerful interface. I also agree it isn't going anywhere. Whether or not there is a usable gui alternative will NOT change that fact. Why do people assume if/when there is an easier to use GUI alternative that the CLI will somehow disappear? I can't stress this enough...It isn't an either/or !!

      As far as the "not usable" BS, really who cares?

      Every single "desktop" distribution, and their users.

      In many ways, some parts of the Linux community remind me of teabaggers. They seem to have a willingness to vote for/do things against their own interests due to some barely applicable philosophy that has little to do with the practical world. Then they turn around and blame the "big boys" (whether that be the "gubmint" or MS or Apple) and/or the "incompetent" ("poor people" and/or "liberals" and/or users).

      Luckily this is technology we are talking about and there is very little reason people can't have their cake and eat it, too. In fact, that is pretty much what technology is all about.

    28. Re:Please port this to Linux A.S.A.P. by Anonymous Coward · · Score: 0

      What, are you stupid? Just because you don't know how to use iptables doesn't mean there is no firewall option, especially using Ubuntu. Care to check your network connections? ntop. People like you give Linux promoters a bad name by going Chicken Little all over Slashdot.

    29. Re:Please port this to Linux A.S.A.P. by mjwx · · Score: 1

      1 The people who write Zone Alarm for Windows get it. 2 Moxie Marlinspike gets it.

      I get it.

      3 The Linux devs simply do not get it.

      They get it too.

      The end user

      They don't get it.

      Totally unacceptable in 2011. All machines should have firewalls that allow the user full control of what applications are allowed to talk to the local network and/or the internet.

      The problem is the end user will scream bloody murder if they have to do anything to get access to their precious pron and emails. If they have to think for themselves doubly so.

      A popup box asking the user to allow or disallow an application access to the internet will simply result in the users always clicking "accept" because the user has associated the accept button with pron and email.

      I use Sunbelt Personal Firewall on my XP machine; it's good in that it not only monitors what programs are trying to access the net but also what programs are launching other programs. This is fine for me because I understand what everything it tells me means, but the average idiot will be completely dumbfounded by IP addresses and domain names. Unfortunately this program has been discontinued (bought by GFI) and I'm looking for an alternative for Win 7 x64.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  12. This by Compaqt · · Score: 2

    What happened to "appliances"? Set it and forget it?

    Now it's going to be Windows all over again:

    My phone's too slow, buy another one.
    -reinstall OS
    -upgrade OS
    -install antivirus
    -check for rootkits

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:This by Anonymous Coward · · Score: 0

      It has been that way since the beginning with Android. The only way to get control of the hardware you own is to root the bitch and install a custom ROM like CyanogenMod. Otherwise the phone manufacturer and carrier control you.

      So yeah, every new Android phone I get has to go through a cleansing process just like any prebuilt, preinstalled computer.

    2. Re:This by clang_jangle · · Score: 1

      Is there any such thing as full rooting on a device with a locked bootloader though? I know there might be one or two android devices left on the market without a locked bootloader, but it seems all the new stuff is locked down. I think one can only get the illusion of "root" in that case. If you're using your carrier's kernel, you still don't know for sure what the system is doing.

      --
      Caveat Utilitor
    3. Re:This by Real1tyCzech · · Score: 1

      Very few devices are locked down completely. It's pretty much just the "Droids" (aka Motorola). SGSII was rooted just days ago (before US release...) and it does not have a locked bootloader iirc. HTC has, I believe also promised not to lock their bootloaders.

      There are quite a few really good phones out there that can still have ROMs flashed on them. Just hit up XDA before buying your phone (or check the CM7 compatibility lists).

    4. Re:This by crashumbc · · Score: 1

      You don't have to buy a "smart" phone, you know that, right? Personally, having had one for a year, I would NEVER go back; the convenience of a "pc" in my pocket outweighs the annoyances 1000 to 1 ...

    5. Re:This by Anonymous Coward · · Score: 0

      Rootkit check needs to be done outside of the OS scope, doing it inside OS scope after the rootkit is present is useless.

    6. Re:This by Anonymous Coward · · Score: 0

      This is to protect your privacy, not (necessarily) to stop malicious programs.

      You can completely ignore installing any firewalls if you don't care, and have your privacy invaded by a company that will steal your privacy. Of course, I mean take without saying they are or bury them in miles of EULA. It's not stealing if a company gives users clear indications as to what they're selling. =P

  13. DroidWall by kangsterizer · · Score: 1

    While it is less detailed and has no popups, it is open source and works rather well:
    http://code.google.com/p/droidwall/

    The main difference being that DroidWall is all or nothing.

  14. White Hats, Black Hats, Tinfoil Hats. by lexsird · · Score: 1

    It does spark the imagination as to what might be lurking inside these phones. Could they be chipped to spy on us without anyone knowing it? Do you know what each component is in that little phone? Does anyone? And even if you did know what components they are, who's to say "they" didn't slip in a chip disguised as something else. You would have to monitor the phone's output to see if it's broadcasting anything besides what it normally should. Then you have to consider that its function might be "on demand" and you may never catch it spying on you because "they" haven't chosen to activate it, so you sit there for God knows how long monitoring this suspicious phone.

    Or you could assume that if they really are wanting to use the phones to spy on us, then would they put something in the client side of the hardware? It would require the cooperation of the manufacturers, their engineers, and risk exposure. The human element is going to fail always in such an operation as this. They would surely not risk exposure and would do their spying from inside the network itself, where they could passively monitor traffic and user locations.

    Now what I could fathom them taking the risk of exposure for is the camera. Imagine being able to access any cell phone with a camera, browse its contents, or even activate it secretly. Now that is something I wouldn't be able to resist if I was administrating a nationwide intelligence operation. Just think of the possibilities of such: you could take dumps from every phone in the country, sift it continuously with shape recognition software. Bad guy takes a picture of his buddies posing with their illegal weapons thinking they are all cool, but somewhere a computer recognizes the weapons, logs the recognition, the time, the date, the location and has cataloged everyone in the picture. This information is dispensed out in the field to agents for them to react to immediately.

    This sounds fine and dandy from an intelligence operation point of view, but it's a nightmare for civil liberties. That is the problem with making an effective intelligence tool, the party that makes it might have the best of intentions for its use, but that doesn't mean it will experience mission creep or just fall into the wrong hands, or just morph with bad times into a tool used for evil.

    But here is the rub: if you put something like that in a phone, it will be found. And when it is, it's going to piss off everyone, including officials who don't want to be blackmailed sometime in the future with this. Needless to say, if the information about you chipping the nation's phones gets out, you are finished politically; your next intelligence operation will be listening in on the chief of the village you are hiding out in.

    Frankly, if I was going to risk such a gambit, I would put the chips in disposable phones, the prepaid ones that are the prime choice of people who don't want to be tracked but need a phone. It's win/win whether they find the chip in those or not. If they don't, you have intelligence perhaps to be farmed. If they do, you will have planted a seed of doubt at least concerning their phones and you might shoo them into getting sloppy in their search for secure communication. I think the risk factor of exposure of the chips to prying noses would be less with the demographics that use those kinds of phones.

    Anyway, I doubt that "they" are operating on that kind of level. It is the government after all, which is a political body. These tend to get mired down to a glacial pace with not only the machinations of the bureaucratic beast, but annoying amounts of accountability. It would take a mandate by them to get something like this done, because it would be like herding cats to get the manufacturers on board. You just know some idiot would flip out and run screaming to the press about "they" are trying to put a "backdoor" into everyone's phones.

    I am not saying it couldn't be done. I think it could be pulled off, but it would need super deep pockets and oodles of background information on the engine

    --
    Take the Red Pill.
    1. Re:White Hats, Black Hats, Tinfoil Hats. by datapharmer · · Score: 1

      Could they be chipped to spy on us without anyone knowing it?

      They don't have to chip it, there's an app for that too, and it has been around for at least 5 years.

      Now what I could fathom them taking the risk of exposure for is the camera. Imagine being able to access any cell phone with a camera, browse its contents, or even activate it secretly.

      They can, and do

      Moral of the story, is don't carry a cell phone, monitor your home's security 24/7 to check for intrusion, do regular bug sweeps, don't talk or do business in your car, and never ever trust anyone. Your wife and kids and most trusted friends will be used as spies against you.

      ...or you could just put on your tin foil hat and call it a day.

      --
      Get a web developer
    2. Re:White Hats, Black Hats, Tinfoil Hats. by mlts · · Score: 1

      It is possible, but once someone brings pictures and recorded conversations out in a trial obtained that way, there would be a mass uproar:

      People would start powering off their cellphones. Others would take apart the device and cut the solder traces to the cameras, snip the microphones, and use Bluetooth for all conversations. Enterprising companies will make cases out of metal and foam to guarantee the mic and camera won't pick up anything. Other cellphone case makers will make cases where only the wireless systems work, so people could make calls via BT, but the onboard camera/mic would not be usable.

      Yes, being able to use the camera and mic will help investigators, but only on the scale of gaining enemy intel. If they started using it to put people into prison, suddenly it would be cool in the thug life to go back to citizen's band radios, and you will start seeing blinged out Cobra hand-helds as the latest style.

    3. Re:White Hats, Black Hats, Tinfoil Hats. by lexsird · · Score: 1

      Dismay is all I feel after reading that article from C-NET. These problems are like cockroaches, by the time you see ONE, you already have an infestation. I think our goose is cooked. I have to wonder how automated the process is by now. If it's an app, it doesn't need a human to implement it then. In fact, I can imagine the whole process is done automagical with some monster computer array and storage sifting the data constantly. It puts me to mind of the last Batman movie, but I seriously doubt the man in charge is going to blow it up when he walks away from catching one badguy.

      What kills me is the complacency of many to just think that is O.K. These kind of tools don't ever go away. Human nature doesn't change. Even if those in charge had the noblest of reasons for creating this and would be perfect in their use of it, that doesn't mean those who follow them will be as trustworthy. A tool used for good can be used for destruction. These are tools that should NEVER fall into the hands of evil. But they probably already are, and in fact, it was probably evil that made them.

      Welcome to our evil future.

      --
      Take the Red Pill.
    4. Re:White Hats, Black Hats, Tinfoil Hats. by lexsird · · Score: 1

      It doesn't need to come out in trial. It would be the dumbest thing in the universe to use any of the intelligence gained in a trial, just for the reason of tipping off the entire planet and sending everyone scurrying. You use the intelligence to figure out how to be "in the right place at the right time" to exploit a weakness. It will then look like dumb luck or just intuitive investigating. Why spook the herd when you can quietly pick off what you want one at a time?

      --
      Take the Red Pill.
    5. Re:White Hats, Black Hats, Tinfoil Hats. by Anonymous Coward · · Score: 0

      ...or you could just put on your tin foil hat and call it a day.

      Good doggie... Here's your treat... Pavlov's got you all pegged

    6. Re:White Hats, Black Hats, Tinfoil Hats. by Anonymous Coward · · Score: 0

      Exactly.

      I remember a discussion on this ages ago on the cypherpunks mailing list if $INTEL_AGENCY managed to be able to decrypt RSA without telling anyone. Similar scenarios here, having an intelligence source that has to be kept secret.

      Scenario 1: They know what someone is doing, but can't do anything about it unless the antics are so great that the job isn't a FBI item, but should be handled by JSOC.

      Scenario 2: They pass on the info to a LEO. Very risky, because it might show the peephole where the information is coming from, and people either move away from PGP/RSA, or in this case, toss their cellphones.

      Scenario 3: Other than top value enemy combatants, the info can be passed to LEOs for them to start an investigation using evidence that could be used in court. For example, EIA (elbonia intelligence agency) decrypts a note on how to build a vend a goat machine and the fact that someone has built some to sell (which is highly illegal in that country.) They pass on the note to the local police who get a search warrant on the pretext of suspicious purchases (coin machines, livestock.) Result -- a bust using the information, but without actually revealing that that info came from the defendant's phone.

    7. Re:White Hats, Black Hats, Tinfoil Hats. by Zed+Pobre · · Score: 1

      It is possible, but once someone brings pictures and recorded conversations out in a trial obtained that way, there would be a mass uproar:

      You mean, like in United States v. John Tomero, as the grandparent referenced? I missed the uproar.

  15. Currently only for... by nbetcher · · Score: 1

    ... Nexus One and Nexus S phones. Wow, what a let down. Says "More devices coming soon..." but you can pretty much count that they can't support all - or even most - devices, so this isn't an Android thing, it's a Nexus thing. Chances are it requires root which is why they can't support anything other than Nexus right now.

    1. Re:Currently only for... by nbetcher · · Score: 1

      The above being said, they should release steps for integration with custom Android ROMs so developers like myself can extend support for this to ALL devices, not just ones of their choosing.

  16. Technology already exists ... by DrYak · · Score: 2

    On Linux we have AppArmor, we have the possibility to distinguish PIDs in iptables (already used for traffic shaping by peer-to-peer aficionados), ...

    The problem is not the technology, the problems are different :
    - The main one is the interface. Someone has to write something which is user-friendly enough.
    - The other problem is the massive number of executables existing on Linux. ZoneAlarm works well on Windows because of its rather monolithic structure. There aren't that many processes needing to be controlled. The Unix philosophy is the opposite: a swarm of small tools which each do only one thing, but do it well. Something like ZoneAlarm on Linux would produce a metaphorical Zerg-rush of pop-ups.

    Also it is slightly counter productive :
    - Such tools are indeed important on Windows, because there is *NO* *OTHER* *WAY* to control the software. They are mostly binary only. So you can only control them by restricting their accesses.
    - On Linux, the software is open-source, and mostly comes from the distribution. There are lots of different and better ways to do it.

    They seem to believe we live in Magic Fairyland where no program would ever do anything malicious

    In a way, because the code is better reviewed that is partially true. The linux community has better ways to know what is happening inside a given software.
    That also means that one of the best practices would be to standardize on some access-restriction mechanism (like AppArmor) and have the developer systematically write profiles. Thus :
    - it will be easier for the end user, not to have to write a profile for every single application.
    - it will be easier to quickly look at the profile to know what an application could do.
    - in case of exploit, the access-restriction-mechanism could easily block the abnormal behavior which the application never asked for in the first place.

    "But we're only fetching cover art/some other stuff". No you're reporting information to a third party that I do not wish sent thank you very much.

    And guess what ? The source code is open, and there are a lot of paranoid Linux users like you out there. Thus some have added code to ask permission : on their first run, both VLC and Amarok explain the situation to you and give you a choice : systematically download the art / only download on demand / never touch the internet.

    What we need is :
    - more such efforts
    - and perhaps a better centralized way to control such elements. (think like a centralized "privacy control panel" in KDE's System Settings, or some Gnome & Unity equivalent).

    This requires lots of collaboration and effort, but that's something the Linux community *CAN* do (unlike the binary world, for obvious technical reasons).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Technology already exists ... by Anonymous Coward · · Score: 0

      Something like ZoneAlarm on Linux would produce a metaphorical Zerg-rush of pop-ups.

      You're exaggerating hugely and even then it'd only be for a short period. Then you'd have a decent profile and could forget about it.

      That also means that one of the best practice would be to standardize on some access-restriction mecanism (like AppArmor) and have the developper systematically write profiles.

      ?? You're suggesting that profiles be created for the thousands of programs on a machine for the hundreds of different classes of users out there. That's not even remotely sensible. And it doesn't even work with trojans.

      systematically download the art / only download on demand / never touch the internet.

      Download it from where? How often? How much? Will a system patch change it? Will it upload keystrokes? Will it upload bank details when recognized? Will it download malware in a month's time long after I've forgotten about the install?

      there are a lot of paranoid linux users like you out there.

      It's not paranoia. You have thousands of programs and addons on your machine written by hundreds of thousands of programmers. You're being very silly if you think you can trust them all. I can tell you as a programmer that it is straightforward to put voluminous malicious code in what looks like clean source that would pass any but the most stringent security reviews, particularly source code that requires network access for valid reasons or has binary graphics blobs to hide things in.

  17. having such code makes one a deletable terrorist? by Anonymous Coward · · Score: 0

    should be at least tear gassed as an example to their neighbors. unknown activities? attempts to become unsurveiled? complaints about the 'weather'? no proclaimed political or religious attachments? intercepted texts include words like disaramament, hymenologist etc...? no wonder we need unspy.us code?

    waking up to the big flash wednesday has arrived. the joyfully anticipated total world disarmament is proceeding as the need becomes met. the other alternatives suck, & must include injections of massive amounts of unnatural death, debt & deception of body mind & spirit for almost every one of us.

  18. Not just good against malware by ath1901 · · Score: 1

    I (still) have a Nokia Symbian based phone and turned off all email updates, GPS map updates etc before going on a trip to China. After one week I got an SMS warning me of large "roaming charges" despite only using the phone for sending a handful of SMSes. Either I missed some automatic update/sync that should have been turned off (unlikely) or the phone checks/updates something which can't be turned off.

    Either way, a firewall application would have helped me to:
    A) Be sure the phone isn't auto-doing anything.
    B) Find which application/system component is misbehaving.

    With "smarter" phones and applications we need better tools for monitoring and control.

    1. Re:Not just good against malware by Zebedeu · · Score: 1

      I don't know about Symbian (or whatever OS you had running in your Nokia), but Android, and I believe iOS has an option to disable the data connection as soon as the phone begins roaming.

      That checkbox is checked by default in Android, and if you try to uncheck it, a dialog box pops up explaining that you risk very high data rates while roaming.

  19. Only works for Nexus. Need desktop, too by Kamiza+Ikioi · · Score: 3, Insightful

    FTA, only has installs for Nexus One and Nexus X, and installer comes in Windows, OSX, and Linux... and it looks like they're all 64bit installs only. Very limited. And there is DroidWall, which is available on the market, but I believe you need a rooted phone (which is probably true for any decent firewall). I use DroidWall and it's fantastic. It lets you choose to allow not just an app, but how it connects. You can, for instance, block Pandora on 3G, but not Wifi.

    --
    I8-D
    1. Re:Only works for Nexus. Need desktop, too by Timmmm · · Score: 1

      That's because it replaces some of the android OS, and it needs a desktop installer to unlock the phone and push the files over adb.

      There is also no uninstaller at the moment - you have to reflash the original ROM.

  20. Marlinspike? by Anonymous Coward · · Score: 0

    Blistering Barnacles! Thundering Typhoons!

  21. Harrumph. by Anonymous Coward · · Score: 0

    Grumble, whinge, standard functionality on a blackberry, whinge, grumble...

    (get off my lawn)

  22. Android in dangerous waters by timeOday · · Score: 1
    Virtually nobody will want to use a phone that requires something like that. I say that as somebody who just dumped Windows 7 at work because the corporate setup is so laden with virus scanners, encryption software, and Corporate Big Brother spyware that it's virtually unusable - both the computer and the user do little else than maintain the computer!

    If Google doesn't figure out a way to make this unnecessary, it will be a huge advantage for Apple, because their "walled garden" reduces the need dramatically. Hey, I don't like the idea of gated communities, but I'd sooner live there than put bars on all my windows and sleep with a .45 under my pillow every night.

    We can debate whether my ideas make me a bad person etc., but I am simply observing that virtually nobody will be willing to use a phone that requires this level of babysitting, and android will fail in the market if this really becomes necessary.

    1. Re:Android in dangerous waters by mlts · · Score: 1

      Google has too much at stake for Android to get known for malware.

      Malware on Android is rare. Otherwise, if malware were common, you would hear screaming from friends and friends of friends almost everywhere.

      Take Windows, if it isn't a friend, it is a friend of a friend, or an acquaintance of a friend who has an infected machine. Android is nowhere near this point yet. If one person gets their phone infected, they will be telling everyone they know, so word would get out. As of now, there are rumors about bad apps, but as of now, a true compromise of an Android device is exceptionally rare, other than offshore knock-offs of established games which are sold overseas.

  23. Moxie ties them in knots? by Anonymous Coward · · Score: 0

    A fine display of seamanship.

  24. Doesn't fix the core issue by Anonymous Coward · · Score: 0

    The problem with this is it's not really addressing the core issue. Which is that these applications are able to access the location information in the first place.

    We really need finer grained firewall like access for the gps. So that google maps can access the internal gps, yelp gets rough gps coordinates and games that have no business knowing my location get geo data from Britney Spears twitter feed...

  25. Now it just needs anti-virus by thetoadwarrior · · Score: 1

    Then it can run like shit like a windows desktop with the added bonus of a shortened battery life.

  26. Re:Please port this to Linux A.S.A.P. NO!!! by Anonymous Coward · · Score: 0

    Decent linux distributions, like Debian, have a ton of applications packaged in their repositories.

    If you want an idiot proof firewall, the rules can be packaged with each application. User never sees a prompt, and can never answer incorrectly.

    It is only because of the anarchy that exists on windows that windows users may think a zillion popups is a good way to do things.

    That said, a decent distribution isn't packaging malware. If you are an idiot, and install random crap from untrusted sources, then you kind of deserve what you get.
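DrYak's remark further up that iptables can tell applications apart, and the suggestion in this post that firewall rules could ship with each package, rest on the same mechanism. The following is an added worked example written by the editor; it is not code from WhisperMonitor, DroidWall, Debian or any poster. The iptables `owner` match classifies outgoing packets by the UID or GID of the socket's owner (the old per-PID option no longer exists), so a packaged rule set keys on a dedicated service user for the application. The UID 1001, the port list, the chain name and the use of a dedicated user are assumptions; the script only prints the commands unless `apply_rules` is called as root.

```shell
#!/bin/sh
# Added example (editor's, not from the article or any poster): per-application
# egress rules with the iptables owner match. Assumptions: the application runs
# as a dedicated system user (UID 1001 here), only needs TCP 80/443 plus DNS,
# and iptables with the conntrack, owner and limit match modules is available.

# build_rules UID "PORT ..." prints the iptables commands for one application:
# a dedicated chain allows replies, DNS and NEW TCP connections to the listed
# ports, logs any other connection attempt (rate limited), and rejects it.
build_rules() {
    uid="$1"
    ports="$2"
    chain="APP_${uid}"
    echo "iptables -N ${chain} 2>/dev/null || iptables -F ${chain}"
    echo "iptables -A ${chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A ${chain} -p udp --dport 53 -j ACCEPT"
    for p in $ports; do
        echo "iptables -A ${chain} -p tcp --dport ${p} -m conntrack --ctstate NEW -j ACCEPT"
    done
    # The LOG line is the Linux stand-in for the WhisperMonitor pop-up: the
    # kernel log shows the UID, destination and port of every blocked attempt,
    # which is also how you find the component that keeps phoning home.
    echo "iptables -A ${chain} -m limit --limit 10/min -j LOG --log-prefix \"EGRESS-BLOCK uid=${uid} \" --log-level 4"
    echo "iptables -A ${chain} -j REJECT --reject-with icmp-port-unreachable"
    # Hook the chain into OUTPUT for packets owned by this UID (idempotent:
    # drop a previous hook first, ignoring the error when there is none).
    echo "iptables -D OUTPUT -m owner --uid-owner ${uid} -j ${chain} 2>/dev/null || true"
    echo "iptables -A OUTPUT -m owner --uid-owner ${uid} -j ${chain}"
}

# apply_rules UID "PORT ..." executes the generated commands; needs root.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    build_rules "$1" "$2" | sh -e
}

# count_accepts UID "PORT ..." returns the number of ACCEPT rules generated:
# one for replies, one for DNS, and one per allowed port.
count_accepts() {
    build_rules "$1" "$2" | grep -c -- '-j ACCEPT'
}

# Stand-alone run: show the rule set for the assumed application user.
build_rules "${APP_UID:-1001}" "${APP_PORTS:-80 443}"
```

Run the application as the dedicated user (for example with `sudo -u` or a systemd `User=` line) and watch the kernel log for `EGRESS-BLOCK` entries; each one names the UID, destination address and port, which is the information a pop-up firewall would have asked about. This is an allow-list, so anything the package maintainer did not declare is rejected rather than prompted for, which is the "user never sees a prompt" behaviour the post asks for.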

  27. Total BS by marcus · · Score: 1

    The parent post has zero rational content.
    That's all.

    --
    Good judgement comes from experience, and experience comes from bad judgement.
    - W. Wriston, former Citibank CEO
  28. This is not an app it's an entire OS replacement by Daemonic · · Score: 1

    The story, and even the article are misleading.

    You need to flash your phone (if one of the two supported) with WhisperCore, and then you get this "app".

    So whilst it's a brilliant idea, it's only available to a very small number of users.

    Wonder if DroidWall works on a Cyanogenmod G1....?

  29. Making myself clear ... by DrYak · · Score: 1

    Something like ZoneAlarm on Linux would produce a metaphorical Zerg-rush of pop-ups.

    You're exaggerating hugely and even then it'd only be for a short period. Then you'd have a decent profile and could forget about it.

    How could you be sure that all the users, including the "grand-ma/grand-pa" type of user will take time to properly configure all this stuff ? And won't simply get the habit to always "ok"-click-through everything ?
    (Well, in the special case of a Linux distribution, one might expect that nothing abnormal will happen during the first few weeks. The only applications asking for network access will be the networked application. Picture-displaying application will remain off-line, and if a couple of months later some maliciously crafted image-file tries to exploit a bug, it will try accomplishing actions which weren't green-lighted during the learning phase and will trip an alarm).

    ?? You're suggesting that profiles be created for the thousands of programs on a machine for the hundreds of different classes of users out there. That's not even remotely sensible. And it doesn't even work with trojans.

    First you must understand that I distinguish two clearly separate types of problems :
    - trojans, viruses, exploits of bugs, etc... : which all would do actions which are guaranteed to be considered bad by 99.999% of users out there.
    - legitimate software, which might sometimes query data from the network. Some users like the service because it makes using the computer more convenient, others don't like it because it basically discloses some information (I might have music from said album as my player is fetching info about it) to third parties (wikimedia, amazon, and the likes)

    AppArmor profiles are very nice against the first type of problem : illegitimate access. Say you have a nice small image editor. It's supposed to be able to open image files. It's never supposed to access other user data, modify system files, spawn processes, access the network, emit e-mail, etc. So you can write a profile which describes what this program is supposed to do during its normal day-to-day operations and what is abnormal behaviour. Maybe some day in the future an exploit would be found in the way a peculiar file format is decoded. A malicious hacker could craft a special file. When the exploit drops its payload inside the software, it will attempt actions which were never authorized in the first place. If the software is only authorised to open files of "image" types on the local drive, anything that the payload will attempt will trigger a (true) alarm.
    (Which could also be coupled to a "file bug report" feature.)

    It will work for trojans too : they are simply a new independent piece of software (not a software with a buffer over-run exploit running un-authorized code), for which no AppArmor profile was provided by the standard distribution. An imaginary future distribution will necessarily flag the actions of the trojan as un-expected.

    But for this situation to be useful you need profiles for pretty much any piece of software complex enough to be targeted by exploits. That means a lot of profiles. So it's either a "zerg-rush of pop-ups" during the learning phase... or it's the job of the software writer to provide a profile about what their software does (I think it's a better solution because it distributes the effort, the software writers know their software better and could better fine tune the profile to the strict minimum, and (depending on the language) some form of automatic profile generation could be done).

    For the second type of problems, the situation is different.

    For binary software, well there isn't much possibility : you need to control their behavior from outside and there isn't much possibility beyond AppArmor, iptables, and the like. Thankfully, there aren't that many binary software on a regular Linux install, so the learning phase should remain within sanity limit of false-ala

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
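The profile DrYak describes for a small image viewer, written out as an added example by the editor (it is not DrYak's code, nor a profile shipped by any distribution). The binary path /usr/bin/imgview, its need for X and fonts, and the rule that it only reads image files under the user's home directory are assumptions. The script prints the profile, can syntax-check it with `apparmor_parser -Q` (parse and compile without loading), and installs it in enforce mode when run as root.

```shell
#!/bin/sh
# Added example (editor's, not DrYak's or any distribution's): an AppArmor
# profile for a hypothetical image viewer /usr/bin/imgview. Assumptions: the
# binary path, that it draws via X and needs fonts, and that the only user
# data it touches is image files under the home directory.

PROFILE_BIN=/usr/bin/imgview
PROFILE_FILE=/etc/apparmor.d/usr.bin.imgview

# imgview_profile prints the profile text. AppArmor is default-deny for a
# confined program, so anything not listed (sockets, ~/.ssh, exec of a shell)
# is refused in enforce mode and shows up as "apparmor=DENIED" in the kernel
# log: the "true alarm" the post talks about.
imgview_profile() {
    cat <<EOF
#include <tunables/global>

${PROFILE_BIN} {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # The viewer never needs the network: a decoder payload cannot phone home.
  deny network,

  # The program itself, read and mmap.
  ${PROFILE_BIN} mr,

  # Directory listings for the file dialog, and image files, read only.
  owner @{HOME}/ r,
  owner @{HOME}/**/ r,
  owner @{HOME}/**.{png,jpg,jpeg,gif,bmp} r,

  # Already denied by default; the explicit audit rule makes attempts loud.
  audit deny @{HOME}/.ssh/** mrwkl,

  # Scratch space for decoded frames.
  owner /tmp/imgview-* rw,
}
EOF
}

# check_profile compiles the profile without loading it. apparmor_parser only
# exists on hosts with AppArmor installed; without it the check is skipped.
check_profile() {
    tmp=$(mktemp)
    imgview_profile > "$tmp"
    if command -v apparmor_parser >/dev/null 2>&1; then
        if apparmor_parser -Q "$tmp"; then rc=0; else rc=$?; fi
    else
        echo "apparmor_parser not found; syntax check skipped" >&2
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# install_profile writes the profile and loads it in enforce mode (root only).
install_profile() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "install_profile: must run as root" >&2
        return 1
    fi
    imgview_profile > "$PROFILE_FILE"
    apparmor_parser -r "$PROFILE_FILE"
}

# network_denied succeeds when the profile denies the network and grants no
# network rule at all: the property this profile exists to guarantee.
network_denied() {
    imgview_profile | grep -q '^ *deny network,' &&
    ! imgview_profile | grep -q '^ *network'
}

# Stand-alone run: print the profile and check its syntax where possible.
imgview_profile
check_profile
```

For the "learning phase" the post describes, load the profile with `aa-complain /usr/bin/imgview` instead: complain mode logs every violation without blocking, so the log tells you which rules a real workload still needs, and `aa-enforce /usr/bin/imgview` switches it on once the log is quiet. An exploit arriving later through a crafted image then fails at the first `connect()` or `execve()` rather than at a pop-up nobody reads.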