I've said it before but it does worry me on software mailing lists when westerners help outsourced employees (such as Indian users) with computer problems. Talk about signing your unemployment warrant. You're helping people that are being paid to do the job (they're unqualified for) that you can do, for free.
Don't give me that shit about being 'a different part of Sony'. It ultimately gets monitored by the same executives who have the higher level strategic power. The strategic oversight at Sony is quite franky, anti-consumer. Even if they don't notice it or feel it, that doesn't matter, you won't get scerewed by Sony and your dollars won't go toward writing rootkits or whatever.
I think he is implying that the bailouts to the banks and the defecit are what we are all paying....The money that we're paying for 'society' and welfare is borrowed money, created from thin air...
I think getting the users to understand and not just accept mindlessly (like Windows UAC and Facebook Applications) is the hardest part. It's a social problem. The permission message must be clear and almost threatening. It should show the data that is being displayed. I replied to someone else about this with the same view as you:-).
The recent phone "hacking" scandal [wikimedia.org] in the UK which I cannot tell if it were server side (provider) or client side (phone side) demonstrates that it's not that hard.
It must have been server side then. Still, an Android or iPhone is not immune to server side attacks. So using one does not make you any more secure, I'd say it makes you less secure. All I did was some googling of the victims on phones, like, victim name + "phone" or "on the phone". They just happened to be using blackberries and what appeared to be smartphones. Of course correlation != causation. I wouldn't trust RMI.
Writing data that cannot be executed from the internet is not as bad as accessing data and uploading it. Of course as long as it cannot be read into memory and executed.
We have HIPS because it wasn't programmed in by default. The security model in the PC world is non-existent. The phone securiy model has just repeated the same mistakes from the PC industry rather than try solve it. HIPS really do help. Capability based security and appropriate permutations would be a good start for fine grained security.
I imagine it was caused by compromised ad servers. I disable Flash and PDF BHOs on computers that aren't mine for the duration that I use it. It's a good reason block advertisements too.
That's the potential to access. Not the actual access. That won't scare users enough.
The software should display the data that would have been accessed with the widgets that is appropriate to the device, say a contact card or a filename and then threaten the user.
Are you sure you want to send this information to somewebsite.com over an unscrambled channel to someone in China?
a list of your contacts as displayed in your contact list
a recent email of your naked wife (with picture rendered)
a map with lines between your last plotted geolocations
the following picture captured from your webcam
It should be displayed like numerous bits of scrap data on the screen with a picture of a pipe and the pipe attached to a shady looking figure next to the planet earth on the other side of a cloud. The implication should be obvious.
Do you really think your phone being an Android or an iPhone protects you? Any intelligency agency could pull whatever they could pull my phone from an Android or iPhone plus everything else. I don't doubt the remote code execution of phones.
The recent phone "hacking" scandal in the UK which I cannot tell if it were server side (provider) or client side (phone side) demonstrates that it's not that hard.
I protect myself from myself by using a dumb phone. Not from others...
The rest of the world says no, we shouldn't have to manage the security of a phone. It's a burden that the technological world has failed to recognise.
All my cellphones have been connected to the network (GSM or whatever). It's not the 'being networked' that's the problem. Nor is it code execution. My Nokia 3410 could run Java applications. Internet access was something that the phone ased me for.
I wish I could accept how easily you accept the status quo. One that only benefits big companies that harvest personal information from the clueless masses. Perfect security is impossible, I agree.
I don't want a phone that is continually monitoring my whereabouts by default or can connect to the network at the same time as accessing my data.
Should a phone be able to access my phone book AND the network at the same time? Should a phone be able to access files on the phone AND the network at the same time? What files can it access and why?
I think these are reasonable precautions. The app developer should have to go through hurdles to accomplish these things. Perhaps enforce SSL by default when your software has the capability of reading phone book information = enforces your data security when transmitting it and the identity of the recipient.
I think you're missing my point. It's a phone. You shouldn't have to install security software on something as trivial as a phone. Something is wrong with the API and security assumptions of the device that it is insecure by default, without security software.
Now that the cat is out of the bag, we can never put it back in. App companies have gotten used to the APIs that give them amazingly intimate personal and marketing information. Apple and Google (an advertising company) has a vested interest in allowing companies to phone home with all your personal data. Expect to have phones and tablets that are insecure by default. We aren't going back. It's just going to be a repeat of the PC industry.
It just sounds as ridiculous as installing security software on a walky talky or a landline telephone. The API should not be able to access data that the app store has not agreed to. It should be shipped with a list of capabilities it expects to use. It really sounds like that software on Android just runs and does whatever it pleases. We're reactive rather than proactive again...
I don't think it's an issue of running untrusted executable code, the code IS trusted but it's capable of doing things the phone should never have exposed to the application. I'd like to see security enforced for every execution of an application, so when you close an application, it gives you a list of the data the application tried to access. Rather than trying to ask the user each time to accept or decline, it should be configured BEFORE execution.
On a phone? Are you serious? Honestly I never thought you'd ever need a firewall on a phone. If we cannot trust the software running on our phones not to be able to do malicious things, something is seriously wrong with the software architecture on phones. I always thought that the Bitfrost security architecture from OLPC was a good idea. How come this style of capabilities is not in Android?
Nokia 1661 and loving it baby. As far as I can tell, I can't put software on it!
I can definitely see the merit of having multiple monitors when you have material to work from. Most of my work has no such material, it's more of an input-only kind of thing.
When it comes to API documentation, I generally try understand, memorize the calls before going back to code window. I would never read and type at the same time because that doesn't teach you anything.
Do you know if it 'remembers' the decision the next time? Like Firefox would start on monitor X because you put it there last time? If I remember correctly, internally Windows simply extends the size of the desktop by the resolution of each monitor and then each monitor is just a viewport of that (each monitor displaying a different range of coordinates) so I guess it depends on the application remembering the coordinates. I don't know if Windows does it for you.
You can program! You just need the right motivation or teaching to do so:-)
I focus on one thing at a time. I'm an old fashioned compulsive maximizer. More screen is not always better. I've seen people use multiple monitors, they have to micromanage the windows themselves. I doubt there is a difference in productivity with two monitors. More stimuli does not necessary mean you'll perform better. I like to do one thing at a time, keep all alerts, email alerts and anything that could pop up off. It keeps you in the zone. I do the same with my phone. It's on silent and makes no noise. Check your email every 15 minutes or so, don't wait for it to pop in the corner of your eye. That context switches in your head are not worth it.
I bet there are window managers that micromanage windows it for you or let you have a different workspace on each screen. Windows is rubbish with multiple screens, always puts things on the wrong screen.
Malicious software can still be malicious while in memory, send spam, botnet etc. A running exploit of a readonly system is just as compromised as a running writable one, until you turn it off of course. You would never be able to patch it unless you patch the ROM or receive memory patches.
I hope whoever reads this thinks twice about helping people on web forums and mailing lists who have Indian names. You are helping the outsourced workers from doing the job you were supposed to be doing.
Slashdot Mirror
You are absolutely spot on.
I've said it before but it does worry me on software mailing lists when westerners help outsourced employees (such as Indian users) with computer problems. Talk about signing your unemployment warrant. You're helping people that are being paid to do the job (they're unqualified for) that you can do, for free.
Are you from GameFAQS?
Sony is a joke. You can 'get them back' by voting with your wallet.
Stop buying Blurays (they suck anyway)
Stop buying PS3s
Stop buying Sony hardware.
Don't give me that shit about being 'a different part of Sony'. It ultimately gets monitored by the same executives who have the higher level strategic power. The strategic oversight at Sony is quite franky, anti-consumer. Even if they don't notice it or feel it, that doesn't matter, you won't get scerewed by Sony and your dollars won't go toward writing rootkits or whatever.
I think he is implying that the bailouts to the banks and the defecit are what we are all paying....The money that we're paying for 'society' and welfare is borrowed money, created from thin air...
I bet I could install malware on your computer if you sat me in front of a logged in user.
I won't touch the hardware, just use it.
I think getting the users to understand and not just accept mindlessly (like Windows UAC and Facebook Applications) is the hardest part. It's a social problem. The permission message must be clear and almost threatening. It should show the data that is being displayed. I replied to someone else about this with the same view as you :-).
That's so true. I really wouldn't be surprised. There are so many adservers around, I imagine many accept payouts...
You are right. I didn't read my article.
The recent phone "hacking" scandal [wikimedia.org] in the UK which I cannot tell if it were server side (provider) or client side (phone side) demonstrates that it's not that hard.
It must have been server side then. Still, an Android or iPhone is not immune to server side attacks. So using one does not make you any more secure, I'd say it makes you less secure. All I did was some googling of the victims on phones, like, victim name + "phone" or "on the phone". They just happened to be using blackberries and what appeared to be smartphones. Of course correlation != causation. I wouldn't trust RMI.
Writing data that cannot be executed from the internet is not as bad as accessing data and uploading it. Of course as long as it cannot be read into memory and executed.
We have HIPS because it wasn't programmed in by default. The security model in the PC world is non-existent. The phone securiy model has just repeated the same mistakes from the PC industry rather than try solve it. HIPS really do help. Capability based security and appropriate permutations would be a good start for fine grained security.
I imagine it was caused by compromised ad servers. I disable Flash and PDF BHOs on computers that aren't mine for the duration that I use it. It's a good reason block advertisements too.
It's inbound not outbound.
That's the potential to access. Not the actual access. That won't scare users enough.
The software should display the data that would have been accessed with the widgets that is appropriate to the device, say a contact card or a filename and then threaten the user.
Are you sure you want to send this information to somewebsite.com over an unscrambled channel to someone in China?
It should be displayed like numerous bits of scrap data on the screen with a picture of a pipe and the pipe attached to a shady looking figure next to the planet earth on the other side of a cloud. The implication should be obvious.
Would that scare you?
Do you really think your phone being an Android or an iPhone protects you? Any intelligency agency could pull whatever they could pull my phone from an Android or iPhone plus everything else. I don't doubt the remote code execution of phones.
The recent phone "hacking" scandal in the UK which I cannot tell if it were server side (provider) or client side (phone side) demonstrates that it's not that hard.
I protect myself from myself by using a dumb phone. Not from others...
The rest of the world says no, we shouldn't have to manage the security of a phone. It's a burden that the technological world has failed to recognise.
All my cellphones have been connected to the network (GSM or whatever). It's not the 'being networked' that's the problem. Nor is it code execution. My Nokia 3410 could run Java applications. Internet access was something that the phone ased me for.
Why is my Nokia 3410 more secure than Android?
I wish I could accept how easily you accept the status quo. One that only benefits big companies that harvest personal information from the clueless masses. Perfect security is impossible, I agree.
I don't want a phone that is continually monitoring my whereabouts by default or can connect to the network at the same time as accessing my data.
Should a phone be able to access my phone book AND the network at the same time?
Should a phone be able to access files on the phone AND the network at the same time? What files can it access and why?
I think these are reasonable precautions. The app developer should have to go through hurdles to accomplish these things. Perhaps enforce SSL by default when your software has the capability of reading phone book information = enforces your data security when transmitting it and the identity of the recipient.
I think you're missing my point. It's a phone. You shouldn't have to install security software on something as trivial as a phone. Something is wrong with the API and security assumptions of the device that it is insecure by default, without security software.
Now that the cat is out of the bag, we can never put it back in. App companies have gotten used to the APIs that give them amazingly intimate personal and marketing information. Apple and Google (an advertising company) has a vested interest in allowing companies to phone home with all your personal data. Expect to have phones and tablets that are insecure by default. We aren't going back. It's just going to be a repeat of the PC industry.
It just sounds as ridiculous as installing security software on a walky talky or a landline telephone. The API should not be able to access data that the app store has not agreed to. It should be shipped with a list of capabilities it expects to use. It really sounds like that software on Android just runs and does whatever it pleases. We're reactive rather than proactive again...
I don't think it's an issue of running untrusted executable code, the code IS trusted but it's capable of doing things the phone should never have exposed to the application. I'd like to see security enforced for every execution of an application, so when you close an application, it gives you a list of the data the application tried to access. Rather than trying to ask the user each time to accept or decline, it should be configured BEFORE execution.
On a phone? Are you serious? Honestly I never thought you'd ever need a firewall on a phone. If we cannot trust the software running on our phones not to be able to do malicious things, something is seriously wrong with the software architecture on phones. I always thought that the Bitfrost security architecture from OLPC was a good idea. How come this style of capabilities is not in Android?
Nokia 1661 and loving it baby. As far as I can tell, I can't put software on it!
I can definitely see the merit of having multiple monitors when you have material to work from. Most of my work has no such material, it's more of an input-only kind of thing.
When it comes to API documentation, I generally try understand, memorize the calls before going back to code window. I would never read and type at the same time because that doesn't teach you anything.
That's pretty cool way to manage your windows.
Do you know if it 'remembers' the decision the next time? Like Firefox would start on monitor X because you put it there last time? If I remember correctly, internally Windows simply extends the size of the desktop by the resolution of each monitor and then each monitor is just a viewport of that (each monitor displaying a different range of coordinates) so I guess it depends on the application remembering the coordinates. I don't know if Windows does it for you.
You can program! You just need the right motivation or teaching to do so :-)
If you're charging to install freeware that's practically the same thing.
I focus on one thing at a time. I'm an old fashioned compulsive maximizer. More screen is not always better. I've seen people use multiple monitors, they have to micromanage the windows themselves. I doubt there is a difference in productivity with two monitors. More stimuli does not necessary mean you'll perform better. I like to do one thing at a time, keep all alerts, email alerts and anything that could pop up off. It keeps you in the zone. I do the same with my phone. It's on silent and makes no noise. Check your email every 15 minutes or so, don't wait for it to pop in the corner of your eye. That context switches in your head are not worth it.
I bet there are window managers that micromanage windows it for you or let you have a different workspace on each screen. Windows is rubbish with multiple screens, always puts things on the wrong screen.
You are implying that a kernel booted from write-protected media is impossible to infect while running This is not true.
No kernel is impossible is impervious to attack while running.
Malicious software can still be malicious while in memory, send spam, botnet etc. A running exploit of a readonly system is just as compromised as a running writable one, until you turn it off of course. You would never be able to patch it unless you patch the ROM or receive memory patches.
I'm reading Wealth of Nations for fun
That really sucks for you.
I hope whoever reads this thinks twice about helping people on web forums and mailing lists who have Indian names. You are helping the outsourced workers from doing the job you were supposed to be doing.