If there's something on those work computers worth securing, it's pretty lax to leave the security up to the whims of the individuals using them rather than forcing shut down/log in (or locking the stations after X minutes of idle time) and/or instigating physical security measures to ensure unaothorised users don't get near them. Any company allowing people to bring their bad habits into a data sensitive office deserves the slap of having its data compromised.
I've been saying the same for years. Also, banks? Why lock all the money in safes overnight, the weight of the money itself is deterrent to anyone stealing it. Leave the safe doors open and we'll promise not to steal anything (okay, this joke worked much better back in the days when banks actually had any money...)
There is no magic exploit. If I got physical access to your Android, I could root it then install a rootkit. If I got access to your iPhone, I could jailbreak it and install a rootkit. If I got access to either of your phones, why would I bother when I could just sell them for a guaranteed return? And if I have no access to your phone, how do I root it and install a rootkit? This isn't Apple vs Google, it's AV vendor FUD vs. common sense. By muddying the water you're working against common sense.
Of course anyone could write such an application. It won't have root, though, and it will have to flag up a message specifically requesting access to every process it needs to use at the point of install. If the application can survive not being spotted by someone technically competent and can convince a user that a nice icon pack needs access to their phone's dialling ability, then fair enough, there's not a lot you can do to mitigate this besides locking everything down and vetting everything. If this ever becomes problematic enough, there's nothing stopping Google instigating that kind of in-depth vetting of apps added to their market (or someone else establishing their own market with verified apps).
It contains the magic ingredients: a product by a popular or well known brand and the word "rootkit". There's probably an automated system to just greenlight all such stories without an editor ever having to intervene.
I don't think Apple or MS benefit greatly from this, okay it specifically talks about Android phones, but some mud is bound to stick to them, too. Following the money would suggest AV vendors, who for years have been unable to make much headway selling AV solutions to Linux or OSX users, are suddenly worrying about the possible move to mobile devices which primarily use systems which haven't been subject to masses of viruses. On the horizon, mobiles with tethered devices for applications which require more screen real estate could see the elimination of a desktop/laptop/netbook in many homes, and if it becomes common knowledge that phones just don't get infected, their business suddenly goes down the toilet. Better to get in now with some scare stories about the vulnerability of these devices if you want to sell your product on them in the future.
You have to be crazy to buy an Android phone and not root it. I rooted mine almost as soon as I found out how. Root gives you more options, including the ability to install custom roms, that work even better. I would expect that at least 90% of android phones are rooted, or all those people are wasting their phone's abilities. I got a backup app on my phone. I can wipe and reflash the ROM as often as I want. I do it every time a new version is released.
Likewise 87% of all statistics are completely made up without any basis in reality. I'd be very surprised if anywhere near 90%, or even anywhere near 5% of Android users had rooted their phones. Here, the latest Android phones are selling out, they're so popular, I just find it hard to believe that there are that many people competent enough to do this and willing enough to void their warranties. Same with iPhones - I know two circles of people, one technical, one non-technical, while a few of the technical people have jailbroken their iPhones, nobody I know from the non-technical field has done so. I can see why, if you were in the former, you would assume everyone was doing it, but I'm really not convinced that's true (for anecdotal evidence, just look at all the people asking on forums when Froyo will be released for their phone - if they'd rooted them they'd already be able to install it).
I consider myself to be technically competent, certainly I've cracked many devices in the past but only at the point where they no longer do everything I want - so far the Desire has done everything I've asked of it, and I don't want to lose SenseUI and void my warranty until that's no longer the case. Besides which, the users who have rooted their phones are probably the worst attack vector for a rootkit as, if they've any sense at all, they'll be backing up their data like you and they won't be running every piece of junk code they come across without independently verifying what it does.
What evidence do you have that it's any more or less difficult to execute this kind of attack against the Android over the iPhone? Both have locked down market places where regular users go for all of their app needs, the only difference is that more advanced users can install code from outside the market place on the Android. The kind of users who go to these lengths tend to have a bit more technical savvy, and would likely be the type of people who would jailbreak their iPhone anyway, exposing it to the same risk. What many/.ers object to is not that there is a walled app market, in fact the majority can probably agree that for average users this is a good thing, but that there's no means for the more advanced user to step outside that market without invalidating their warranty. Android shows that it's entirely possible to incorporate both approaches, but if you can demonstrate it's more vulnerable to attacks in the wild because of this, I'm certainly listening.
Agreed - maybe just some method of notifying users that $RANDOM_APPLICATION has been discovered to have vulnerabilities, with the option to ignore it, remove it or visit some website for further details. I might have a legitimate reason for wanting the code on my phone (if I'm a researcher, for instance), or I might need to retrieve valuable data before it gets wiped. At the very least, events of the past couple of years show people like to be informed/involved in this process, rather than some process silently modifying their device.
This is simply another case of Misleading Title Strikes Again. From TFA:
On its own, Trustwave's rootkit isn't much of a threat to Android users. That's because a criminal would first need to figure out how to install the software on a victim's phone. This could be done by building the rootkit into a rogue application sold via the Android Market, or by exploiting a new, unpatched bug in Android's Linux kernel that could allow the program to be installed.
So basically it doesn't do anything new - it's trivial to write an app that will redirect a dialled number to a different number, or hijack the browser, the hard part is, and always has been, getting that app onto the phone with sufficient privileges to be able to do these things. Always beware the claims of "security researchers", as this general translates to "people who want to sell you some piece of AV software and therefore have a massive ulterior motive in having you think your hardware is insecure". Until I hear of a valid way for them to get this onto a phone in sufficient numbers to be a worry, I'll not be losing too much sleep...
I would have thought, if it was easy, it would certainly already be happening. The smartphone market might be small compared to a desktop OS like Windows, but the possibility for profit is much more immediate, since you have a device which can connect to premium services without any further need to obtain secure passwords or banking details, etc. from the owner. You just set up a premium number in a foreign locale, have the software wait until the phone is idling (on charge maybe, and not been touched for a couple of hours, so you can assume the owner is probably asleep) then have it dial into your number and rake in the money. Much simpler than monetising a botnet, to my mind. And while the proliferation of smartphones amongst the masses is a recent thing, there have been smartphones in widespread use, in business particularly, for many years - including Windows mobile (if I had to put my trust anywhere, it would be in a *nix derived OS).
That's not to say it won't happen, but I'd go out on a limb and say the only attacks we're likely to see in the near future are of the social engineered, trick/entice the user into installing an app with a trojan piggybacking. While people are dumb enough to fall for such attacks there'll be little benefit in writing real viruses. One thing I like about the Android OS is that, when I install a piece of software, it will flag up all the phone processes that the app needs access to (so I can be justifiably suspicious if the new screensaver I'm installing wants access to the phone's dialling ability).
It's to be expected, we all know what a massive issue viruses are on Linux, so we shouldn't really expect a Linux-based phone to be any different. Oh, wait...
Of course, if you wanted people to think it was worth using, you'd occasionally flag up some "found 8 viruses, all successfully removed" kind of messages:)
Unless he wipes the OS too, there's already an app that, when your sim card is replaced, will send you a text message or email with the GPS location of the phone. If you have it send a text message, you also get the number of the new sim, so you can go directly to the police with the (reasonably) exact location of the phone and the contact details of the registered purchaser of the sim.
Actually, there's already an App on the Android marketplace that does what you describe. I think you can call, email or SMS your mobile with a command that will enable a bunch of features, such as getting the GPS location via an online service, disabling or password protecting the phone or even triggering it to start beeping at full volume every time it's turned on. There's even an App which will check for the sim card being replaced and will alert you to the location of the phone when it's switched on. Okay, none of this will defeat the really determined thief who steals the phone and immediately removes the sim and flashes the thing, but against casual theft it's pretty useful and a great advertisement for the open nature of Android development.
But then how would the AV producers sell you the same product twice? Incidentally, to answer the original question about AV proliferating on mobile phones, there are already several products out there - I'm not sure what they actually do, since I've not heard of any mobile virii in the wild affecting these devices, I suspect they just scan for Windows virii to protect your OS when you hook up the phone as a mass storage device. I'm more than happy to install AV on my phone as and when someone demonstrates the need.
Nice try, but that's the kind of attitude that causes issues in the first place. A sergeant is below a lieutenant in the chain of command, a doctor is categorically not the manager of a medical technician. If the technician's manager orders him not to do something, it's not the place of a doctor to override that.
Everyone is busy, that's the real issue. This is not about forcing anyone to be courteous (it's likely to have the opposite affect), it's about making both sides jump through artificial hoops to either reduce the likelihood of them asking for costly procedures unless they absolutely must be done, or justifying not doing them because some trivial rule wasn't followed. This is purely an exercise in trying to avoid having to recruit more staff.
Unfortunately the technicians aren't in a position to hire more people. They have to rely on the management to do that. Instead the management come up with a stupid policy (maybe their hearts were in the right place but their heads certainly weren't), probably because they didn't want to spend the money to hire people.
The relevant part of their job is to process as many blood tests as possible - if they have too many then they need a way to determine which ones to process in the time. In their infinite wisdom, the management have decided that the inclusion of "please" on the form is one of the criteria to determine whether it gets prioritised or not. Chances are they would have done the tests regardless if they had spare time but they probably ran out of time and had to use the criteria they'd been ordered to follow. Chances also are that if the technicians had been told about these criteria, then the doctors would have been told too, so the fact that he didn't bother to follow the rules in this instance and, as a result, either shows he has a lack of understanding for the amount of pressure his co-workers are under, or that he has such a high opinion of himself that he feels he alone should be exempt from the rules. Whether you agree with the rules or not, I doubt the technicians are at fault here, but hey, don't let me rain on your judgemental parade:)
I'm in the UK, and despite all the horror stories about ultra-feminists calling out men who hold the door open, I always hold the door (for everyone, regardless of gender, age, creed or ability) and so far I've never been abused. I think people still, on the whole, appreciate good manners, and while it might be true that there are a few people out there who irrationally take offence, I think if you stick to the policy of good manners, on the whole the thanks will far outweigh any negative reaction.
Actually there's a big shortage in these fields already, a lot of recruitment now has to be from overseas, and the recruitment and training process is not cheap. It's a serious misstep by the managers to think they can resolve this issue by such ridiculous means, but clearly it's better to try and reach some resolution than to ignore the issue and risk losing money as trained staff leave and have to be replaced. Probably a better approach would be to get everyone talking about the issues they're facing in their jobs, everyone is massively overstretched and they probably just need to understand that their colleagues (whether they see the jobs they're doing as being more or less skilled than their own) are in the same boat and they need to pull together, but of course that's not good for the image of the hospital and it puts the management at risk if lots of disgruntled staff are told to air their grievances, so they're trying to paper over the cracks instead.
Slashdot Mirror
The point is that it was sold as a means to counter terrorism, but it was drafted in such a way as to allow it to do so much more.
If there's something on those work computers worth securing, it's pretty lax to leave the security up to the whims of the individuals using them rather than forcing shut down/log in (or locking the stations after X minutes of idle time) and/or instigating physical security measures to ensure unaothorised users don't get near them. Any company allowing people to bring their bad habits into a data sensitive office deserves the slap of having its data compromised.
I've been saying the same for years. Also, banks? Why lock all the money in safes overnight, the weight of the money itself is deterrent to anyone stealing it. Leave the safe doors open and we'll promise not to steal anything (okay, this joke worked much better back in the days when banks actually had any money...)
There is no magic exploit. If I got physical access to your Android, I could root it then install a rootkit. If I got access to your iPhone, I could jailbreak it and install a rootkit. If I got access to either of your phones, why would I bother when I could just sell them for a guaranteed return? And if I have no access to your phone, how do I root it and install a rootkit? This isn't Apple vs Google, it's AV vendor FUD vs. common sense. By muddying the water you're working against common sense.
Of course anyone could write such an application. It won't have root, though, and it will have to flag up a message specifically requesting access to every process it needs to use at the point of install. If the application can survive not being spotted by someone technically competent and can convince a user that a nice icon pack needs access to their phone's dialling ability, then fair enough, there's not a lot you can do to mitigate this besides locking everything down and vetting everything. If this ever becomes problematic enough, there's nothing stopping Google instigating that kind of in-depth vetting of apps added to their market (or someone else establishing their own market with verified apps).
It contains the magic ingredients: a product by a popular or well known brand and the word "rootkit". There's probably an automated system to just greenlight all such stories without an editor ever having to intervene.
I don't think Apple or MS benefit greatly from this, okay it specifically talks about Android phones, but some mud is bound to stick to them, too. Following the money would suggest AV vendors, who for years have been unable to make much headway selling AV solutions to Linux or OSX users, are suddenly worrying about the possible move to mobile devices which primarily use systems which haven't been subject to masses of viruses. On the horizon, mobiles with tethered devices for applications which require more screen real estate could see the elimination of a desktop/laptop/netbook in many homes, and if it becomes common knowledge that phones just don't get infected, their business suddenly goes down the toilet. Better to get in now with some scare stories about the vulnerability of these devices if you want to sell your product on them in the future.
You have to be crazy to buy an Android phone and not root it. I rooted mine almost as soon as I found out how. Root gives you more options, including the ability to install custom roms, that work even better. I would expect that at least 90% of android phones are rooted, or all those people are wasting their phone's abilities. I got a backup app on my phone. I can wipe and reflash the ROM as often as I want. I do it every time a new version is released.
Likewise 87% of all statistics are completely made up without any basis in reality. I'd be very surprised if anywhere near 90%, or even anywhere near 5% of Android users had rooted their phones. Here, the latest Android phones are selling out, they're so popular, I just find it hard to believe that there are that many people competent enough to do this and willing enough to void their warranties. Same with iPhones - I know two circles of people, one technical, one non-technical, while a few of the technical people have jailbroken their iPhones, nobody I know from the non-technical field has done so. I can see why, if you were in the former, you would assume everyone was doing it, but I'm really not convinced that's true (for anecdotal evidence, just look at all the people asking on forums when Froyo will be released for their phone - if they'd rooted them they'd already be able to install it).
I consider myself to be technically competent, certainly I've cracked many devices in the past but only at the point where they no longer do everything I want - so far the Desire has done everything I've asked of it, and I don't want to lose SenseUI and void my warranty until that's no longer the case. Besides which, the users who have rooted their phones are probably the worst attack vector for a rootkit as, if they've any sense at all, they'll be backing up their data like you and they won't be running every piece of junk code they come across without independently verifying what it does.
What evidence do you have that it's any more or less difficult to execute this kind of attack against the Android over the iPhone? Both have locked down market places where regular users go for all of their app needs, the only difference is that more advanced users can install code from outside the market place on the Android. The kind of users who go to these lengths tend to have a bit more technical savvy, and would likely be the type of people who would jailbreak their iPhone anyway, exposing it to the same risk. What many /.ers object to is not that there is a walled app market, in fact the majority can probably agree that for average users this is a good thing, but that there's no means for the more advanced user to step outside that market without invalidating their warranty. Android shows that it's entirely possible to incorporate both approaches, but if you can demonstrate it's more vulnerable to attacks in the wild because of this, I'm certainly listening.
Agreed - maybe just some method of notifying users that $RANDOM_APPLICATION has been discovered to have vulnerabilities, with the option to ignore it, remove it or visit some website for further details. I might have a legitimate reason for wanting the code on my phone (if I'm a researcher, for instance), or I might need to retrieve valuable data before it gets wiped. At the very least, events of the past couple of years show people like to be informed/involved in this process, rather than some process silently modifying their device.
This is simply another case of Misleading Title Strikes Again. From TFA:
On its own, Trustwave's rootkit isn't much of a threat to Android users. That's because a criminal would first need to figure out how to install the software on a victim's phone. This could be done by building the rootkit into a rogue application sold via the Android Market, or by exploiting a new, unpatched bug in Android's Linux kernel that could allow the program to be installed.
So basically it doesn't do anything new - it's trivial to write an app that will redirect a dialled number to a different number, or hijack the browser, the hard part is, and always has been, getting that app onto the phone with sufficient privileges to be able to do these things. Always beware the claims of "security researchers", as this general translates to "people who want to sell you some piece of AV software and therefore have a massive ulterior motive in having you think your hardware is insecure". Until I hear of a valid way for them to get this onto a phone in sufficient numbers to be a worry, I'll not be losing too much sleep...
I would have thought, if it was easy, it would certainly already be happening. The smartphone market might be small compared to a desktop OS like Windows, but the possibility for profit is much more immediate, since you have a device which can connect to premium services without any further need to obtain secure passwords or banking details, etc. from the owner. You just set up a premium number in a foreign locale, have the software wait until the phone is idling (on charge maybe, and not been touched for a couple of hours, so you can assume the owner is probably asleep) then have it dial into your number and rake in the money. Much simpler than monetising a botnet, to my mind. And while the proliferation of smartphones amongst the masses is a recent thing, there have been smartphones in widespread use, in business particularly, for many years - including Windows mobile (if I had to put my trust anywhere, it would be in a *nix derived OS).
That's not to say it won't happen, but I'd go out on a limb and say the only attacks we're likely to see in the near future are of the social engineered, trick/entice the user into installing an app with a trojan piggybacking. While people are dumb enough to fall for such attacks there'll be little benefit in writing real viruses. One thing I like about the Android OS is that, when I install a piece of software, it will flag up all the phone processes that the app needs access to (so I can be justifiably suspicious if the new screensaver I'm installing wants access to the phone's dialling ability).
It's to be expected, we all know what a massive issue viruses are on Linux, so we shouldn't really expect a Linux-based phone to be any different. Oh, wait...
Of course, if you wanted people to think it was worth using, you'd occasionally flag up some "found 8 viruses, all successfully removed" kind of messages :)
Unless he wipes the OS too, there's already an app that, when your sim card is replaced, will send you a text message or email with the GPS location of the phone. If you have it send a text message, you also get the number of the new sim, so you can go directly to the police with the (reasonably) exact location of the phone and the contact details of the registered purchaser of the sim.
Actually, there's already an App on the Android marketplace that does what you describe. I think you can call, email or SMS your mobile with a command that will enable a bunch of features, such as getting the GPS location via an online service, disabling or password protecting the phone or even triggering it to start beeping at full volume every time it's turned on. There's even an App which will check for the sim card being replaced and will alert you to the location of the phone when it's switched on. Okay, none of this will defeat the really determined thief who steals the phone and immediately removes the sim and flashes the thing, but against casual theft it's pretty useful and a great advertisement for the open nature of Android development.
But then how would the AV producers sell you the same product twice? Incidentally, to answer the original question about AV proliferating on mobile phones, there are already several products out there - I'm not sure what they actually do, since I've not heard of any mobile virii in the wild affecting these devices, I suspect they just scan for Windows virii to protect your OS when you hook up the phone as a mass storage device. I'm more than happy to install AV on my phone as and when someone demonstrates the need.
Nice try, but that's the kind of attitude that causes issues in the first place. A sergeant is below a lieutenant in the chain of command, a doctor is categorically not the manager of a medical technician. If the technician's manager orders him not to do something, it's not the place of a doctor to override that.
Everyone is busy, that's the real issue. This is not about forcing anyone to be courteous (it's likely to have the opposite affect), it's about making both sides jump through artificial hoops to either reduce the likelihood of them asking for costly procedures unless they absolutely must be done, or justifying not doing them because some trivial rule wasn't followed. This is purely an exercise in trying to avoid having to recruit more staff.
Unfortunately the technicians aren't in a position to hire more people. They have to rely on the management to do that. Instead the management come up with a stupid policy (maybe their hearts were in the right place but their heads certainly weren't), probably because they didn't want to spend the money to hire people.
The relevant part of their job is to process as many blood tests as possible - if they have too many then they need a way to determine which ones to process in the time. In their infinite wisdom, the management have decided that the inclusion of "please" on the form is one of the criteria to determine whether it gets prioritised or not. Chances are they would have done the tests regardless if they had spare time but they probably ran out of time and had to use the criteria they'd been ordered to follow. Chances also are that if the technicians had been told about these criteria, then the doctors would have been told too, so the fact that he didn't bother to follow the rules in this instance and, as a result, either shows he has a lack of understanding for the amount of pressure his co-workers are under, or that he has such a high opinion of himself that he feels he alone should be exempt from the rules. Whether you agree with the rules or not, I doubt the technicians are at fault here, but hey, don't let me rain on your judgemental parade :)
past muster.
The saying is actually "passed muster" as in to pass muster (meaning to be judged acceptable)
The saying is actually "pass the mustard" as in uh...
I'm so sorry for wasting your time.
That's okay, I'm at work, what else am I going to do with it?
I'm in the UK, and despite all the horror stories about ultra-feminists calling out men who hold the door open, I always hold the door (for everyone, regardless of gender, age, creed or ability) and so far I've never been abused. I think people still, on the whole, appreciate good manners, and while it might be true that there are a few people out there who irrationally take offence, I think if you stick to the policy of good manners, on the whole the thanks will far outweigh any negative reaction.
Actually there's a big shortage in these fields already, a lot of recruitment now has to be from overseas, and the recruitment and training process is not cheap. It's a serious misstep by the managers to think they can resolve this issue by such ridiculous means, but clearly it's better to try and reach some resolution than to ignore the issue and risk losing money as trained staff leave and have to be replaced. Probably a better approach would be to get everyone talking about the issues they're facing in their jobs, everyone is massively overstretched and they probably just need to understand that their colleagues (whether they see the jobs they're doing as being more or less skilled than their own) are in the same boat and they need to pull together, but of course that's not good for the image of the hospital and it puts the management at risk if lots of disgruntled staff are told to air their grievances, so they're trying to paper over the cracks instead.
The government should have warned you about the dangers of screaming too loud - I smell a juicy lawsuit...