<div><span class="gmail_quote">On 7/14/08, <b class="gmail_sendername">Kalle Happonen</b> <<a href="mailto:kalle.happonen@iki.fi">kalle.happonen@iki.fi</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hello,<br>I've only had my freerunner for a week or so, so I'm not too into the<br>security aspects yet. One thing I did notice was of course passwordless<br>
root login. Now over usb this can be acceptable, but if this is possible<br>over wifi (I haven't actually tested), it needs the firewall / make it<br>listen only to the usb.</blockquote>
<div> </div>
<div>There's no need for a firewall at all (in fact it's probably the worst idea).</div>
<div>Just set a root password (you're probably a win user, the command is simply "passwd") and it'll be fine.</div>
<div> </div><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">In addition to that, a separate encrypted partition for /root (or /home<br>if the account will be changed to a non-privileged user) could be nice, but<br>
maybe too heavy and battery draining?</blockquote>
<div> </div>
<div>Imho it's not needed to encrypt the whole system.</div>
<div>It would be the better choice to have some crypto-containers for the files that really need to be secured (phonebook, messages, important documents). We had some discussion in IRC a while ago and my idea would be to have those containers and a daemon in the background that handles encryption/decryption, asks for passwords if needed and makes sure that applications that want access to an encrypted container get it (e.g. dialer wants to look up a number in the phonebook).</div>
<div>This way the containers can stay decrypted while the phone is on and access is granted dynamically (as needed).</div>
<div>Yeah, it's a little much effort, but there is no security without it.</div>
<div>If you'd encrypt the whole rootfs you'd have it decrypted the whole time the phone is on (otherwise nothing would work), which means the security is gone.</div>
<div>Well, that's only a part of a possible security framework, but these are only some thoughts.<br> </div>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">In addition to that, I'd say all linux security administration best<br>practices should be at least considered, including automatic security<br>
updates.</blockquote>
<div> </div>
<div>It's a standard linux system with a lightweight, but still standard, packet management, so that's how it already is handled (well, without the automatic, but I don't like automatic updating anyway).</div>
<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">After the basic security is in good shape, one could move on to fun<br>things like phone lock/unlock/shutdown with an sms, personal data<br>
backups / remote removal... the possibilities! :)</blockquote>
<div> </div>
<div>Possibly to be implemented in a (modular) "security-daemon", as mentioned before.</div><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Cheers,<br>Kalle<br><br>Yorick Moko wrote:<br>> This mail was posted on the devel list<br>> (<a href="http://lists.openmoko.org/pipermail/openmoko-devel/2008-July/003594.html">http://lists.openmoko.org/pipermail/openmoko-devel/2008-July/003594.html</a>).<br>
> Thought it would interest a lot of people who are not subscribed to<br>> that list:<br>><br>><br>> Hi Guys,<br>><br>> a few months ago we planned to improve the security of our beloved<br>> Neo, after we read about the desires of the community regarding the<br>
> security issue.<br>><br>> And here we are. Today I will present you our project MokSec.<br>><br>> What is MokSec?<br>> ===============<br>><br>> MokSec is a framework whose target is to improve the security of the mobile<br>
> devices which are based on OpenMoko (and other frameworks which are running on<br>> Neos)<br>><br>> What is our main focus at the moment?<br>> =====================================<br>><br>> The main focus is the encryption over GSM. This is a very complicated issue and<br>
> for this we are searching for developers who are willing to work with us on this<br>> interesting project.<br>><br>> What are the other components?<br>> ==============================<br>><br>> At the moment we are only working on a phone firewall, which will be<br>
> blocking/accepting incoming calls. Later on we will add other projects or<br>> developers will be able to add their projects.<br>><br>> Where can you find more information?<br>> ====================================<br>
><br>> <a href="http://moksec.networld.to">http://moksec.networld.to</a> : The main page<br>> <a href="http://moko.networld.to">http://moko.networld.to</a> : The git repositories<br>
> <a href="http://networld.to/mailman/listinfo/moksec-public">http://networld.to/mailman/listinfo/moksec-public</a> : The mailinglist<br>><br>> We hope that a lot of people will work with us on the security issue.<br>
><br>> Happy programming<br>><br>> Alex Oberhauser<br>><br>> _______________________________________________<br>> Openmoko community mailing list<br>> <a href="mailto:community@lists.openmoko.org">community@lists.openmoko.org</a><br>
> <a href="http://lists.openmoko.org/mailman/listinfo/community">http://lists.openmoko.org/mailman/listinfo/community</a><br>><br></blockquote></div>
<br>