Make that 36 months + and you're getting there. Still don't have reliable 3D support and opening files from network shares without the file manager wanting to copy it to my machine temporarily (which if I want to, say, stream a 4 GB video over wifi is mind numbingly retarded), and Windows had that back in the days of Windows 95.
No, it's the user who is getting exploited. And that's the point: the average end user (and in the case of more advanced malware, the average technical user, or in fact anyone who hasn't been able to audit the application source code) is vulnerable to this sort of malware.
Using an app store plus code-signing enables a trusted third party to audit the code, and sign it as approved to run on the device. In the case of appliances like phones, tablets, etc., expecting your typical non-technical user to audit source code for every app they install is unrealistic.
In the case of loading an app onto an android device from a third party, it's a crap shoot. You are basically guessing that the particular installer you are running is not a trojan. You may be basing that on app reputation, etc. but have no real clue whether or not it has been time-bombed, for example. You're guessing, flying blind.
It's pure luck and lack of true malicious developers on the platform that the android malware situation right now is not a LOT worse. And it's nothing to do with exploiting the JVM, kernel or whatever - it's purely due to the end users of consumer devices not being interested in becoming security experts. They are (rightly so) not interested in it.
Signed-code only, whilst being restrictive in what you can run takes that burden off the user. If the user truly wants to run something that the vendor will not sign, in the case of iOS it is simple enough to get a developer subscription and compile it from source yourself.
Did you really just ask why there is more malware now than there was in years past? Really?
Yes.
Answer: times change; explosion in mobile device popularity; explosion in internet commerce popularity; mobile platforms have only recently been considered a serious target for criminal activity.
That's your inference, that is not backed up by any real world data. The iOS market is large and was previously larger than the android market. In terms of web usage stats, iOS leaves android for dead. So one would think that the platform most actually used would likely pose a significant target. Yet in the past 12 months there were ZERO incidents of malware reported for iOS. Zero.
Yes, the real answer is due to the "Walled garden" (which is easy enough to work around if you get your own developer cert to sign the code you want to run).
The android approach of allowing the user to just turn off all security by enabling "run code from anywhere" has been proven for the past 3-4 decades to not work. The amount of malware available for android out there is continuing to prove that to be the case.
Also, we're not just talking about smartphones - tablets also, along with ipods. The total of all those devices (i.e., the potential malware install base) would be far larger than the install base of RIM or Symbian.
And by lowering yourself to petty name calling, you've just lost any sort of credibility you may have had.
It's $100 for a number of support incidents and a developer certificate which enables you to use the free development tools to upload your code to a real device.
You completely missed my point. The entire point is that relying on the end user, who has no access to the source code to verify the operation of the app they are about to install, and no way to verify whether or not the code that was published has been altered, to verify whether or not they want to run it is inherently flawed.
It's easy enough to run anything you want on iOS - get your own cert, and compile/sign it yourself. Doing that DOESN'T open you up to any and all possibly dodgy code running on your device.
Linux needs to provide a stable ABI. Other platforms can do it, Linux refusing to do so is just a cop out, and laziness. "We want to be able to change" = write a fucking shim like everyone else.
Valve would tend to disagree. Working intel GPU driver > shitty unreliable GPU driver or software rendering for awesome hardware.
The intel HD3000 onwards are not horrible, especially if you are comparing on performance per watt, which is the way the market is headed. The traditional desktop is dying - admittedly a long and protracted death.
Isn't the entire selling point of android that you can install software from wherever you like though? This study simply validates Apple's decision to more strictly control what software is allowed on their devices. For those users who do need to install anything they like, they can still do it without compromising the security of their device by getting a developer certificate.
Also. You are arguing that trojans are NOT malware? Seriously? Of course they're fucking trojans. That's the point. The end user is in no way qualified to determine that software is NOT a trojan, and this is why them having root on a device with full ability to run any shitware trojan they like is never going to work. We've had 30 years hammering this point home time and time again. It's not going to change.
So, have you ever heard of a root kit? Linux has plenty of malware, and I have personally rebuilt compromised hosts. "Oh but that bug was in sendmail" or whatever you say. Cop out.
No. Android security is currently just that bad. For several reasons, not least of which is likely due to the massive number of handsets that are abandoned software-update wise upon release.
This is what you get running unsigned code from anywhere people! The last 30+ years of malware on Amiga, DOS, Windows, Unix, Linux, etc. should be a lesson. Trust code to execute by default and this is what you get. Rely entirely on the end user to determine whether or not code is legitimate, and this is what you get.
The average Joe is not capable of making that decision. Sure, it sucks, but them's the breaks.
My point is that if you want to live in a society and make use of its support structure (currency, public services, etc.) then you need to abide by its rules. Whether you agree with them or not. Just because you think pedophilia is OK, does not mean that you are free to prey on others' children who do not think it is OK.
If it isn't the company doing it, don't worry, I suspect very much that the NSA can/does MITM SSL traffic. My suspicion is that they only relaxed the crypto export restrictions when they either compromised the algorithm or compromised one of the CAs so they can generate bogus certs that will be validated correctly as desired.
Exactly. Defense in layers. Sure, you do best effort to ensure that hosts inside the firewall don't get compromised. But you still design your edge on the basis that they HAVE been compromised either via drive-by malware or intentional compromise by a user who may have been granted sufficient privileges on their own individual machine to do so. BYOD only makes this even more of a concern - the consequences for the LAN of malware C&C exiting your network can result in your network being added to various block-lists.
Hardware replacement.
Also, windows XP mode is still a virtual machine running Windows XP, with all of the associated security issues.
Ahh bringing logic to a slashdot argument. Prepare for the down-mods.
Don't forget to include iPads and iPods in your market share calculations, because that is the true potential iOS malware install base.
Also: I don't post AC.
You clearly missed the sarcasm in the first lines of my post.
Exactly. OS X pulls in a few things from FreeBSD, but it is not "based on" FreeBSD any more than Linux is based on BSD.
Then explain the lack of similar quantities of malware for iOS between 2007 and 2012?
There's.... Windows :D
Ironically, I would wager Windows mobile is probably the most secure of the mobile platforms at the moment.
Linux is secure, right? Isn't Android Linux?
RDP + SSH = tablet usable for 99% of my job.