Neo security: running everything as root, and lacking a root password (was: Re: root)
Joseph Reeves
iknowjoseph at gmail.com
Fri Jan 11 12:44:45 CET 2008
Of course, F-Secure sell mobile anti-virus software, and he could have
easily avoided infection by employing a more sensible use of
Bluetooth, so I always take these sorts of comments with a pinch of
salt. Having said that, the F-Secure blog is pretty good, and probably
essential reading for anyone interested in this discussion.
I've said it before, but is anyone thinking of bitfrost on the
openmoko platform?
http://wiki.laptop.org/go/Bitfrost
Joseph
On 11/01/2008, Christopher White <chris at grierwhite.com> wrote:
> Regarding security and mobile phones..
>
> I recently read an interesting interview with Mikko Hypponen, chief
> research officer of F-Secure in IIEE Security and Privacy (Nov/Dec 07).
>
> He touched on the topic of security and mobile phones, even mentioned
> that he has received four worms on his mobile phone (they didn't infect,
> as he had antivirus protection), all variations of the Cabor or the
> CodeWarrior worms. One was beamed to his phone from a passing car,
> likely from an infected phone.
>
> The most interesting point he makes is that while infecting computers
> can indirectly be costly (identity theft, time spent, loss of critical
> data, etc.), infecting mobile phones can be *directly* costly. This is
> due to the built in billing system in mobile phones.
>
> I would imagine lack of a serious attention to security might be a
> barrier to wider scale deployment, particularly in a business
> environment. As the device will potentially carry highly sensitive data
> such as contacts, email, even documents, security will be key.
>
> ...cj
>
> On Thu, 2008-01-10 at 15:53 -0800, Michael Shiloh wrote:
> > Hi Brandon,
> >
> > (I encourage everyone to use meaningful subject lines)
> >
> > I suspect the real reason was that it was the easiest and quickest thing
> > to do at the time, and allowed the developers to focus on more pressing
> > issues, like getting the rest of the system working.
> >
> > I'm sure this will change in the future to a more secure system, and I
> > welcome all the ideas that have been suggested of what that might look
> > like. I'm pretty sure there is a wiki page where that's been started
> > already. If not, anyone is welcome to create one and to post these ideas
> > there.
> >
> > Michael
> >
> > Brandon Kruse wrote:
> > > I cannot speak for them, but look at your market place.
> > >
> > > Not secure servers but mobile telephony.
> > >
> > > The phone is as secure as you make it, and they have faith in the
> > > programs that are on there.
> > >
> > > Heck you could even make a security package to lock it down a little for
> > > those who want something extra.
> > >
> > > Anyone else?
> > >
> > > --------------------------------
> > > Brandon
> > >
> > > On Jan 10, 2008, at 4:30 PM, Denis <shulyaka at gmail.com> wrote:
> > >
> > >> So why did OpenMoko developers decided to run everything as root?
> > >>
> > >> 2008/1/11, Brandon Kruse <admteamkruz at gmail.com>:
> > >>> Good luck easily hacking over a GPRS connection. Make your password
> > >>> longer than 6 characters, a ban after retry attempts, take it off port
> > >>> 22 and that will save 95% of attacks from script kiddies. (everything
> > >>> I listed is controllable on sshd_config, I believe)
> > >>>
> > >>> Just imho it helps, opinion and experience :)
> > >>>
> > >>> But overall, I agree, but your privileges are only as safe as your
> > >>> software.
> > >>> (eg when you run a socket based process as root, you trust it.)
> > >>>
> > >>> However, you make a good point :)
> > >>>
> > >>> Kde and gnome take that precaution with gtk based Sudo when you login
> > >>> as a normal user (at least in debian/ubuntu) and I like that method.
> > >>>
> > >>> --------------------------------
> > >>> Brandon
> > >>>
> > >>> On Jan 10, 2008, at 3:43 PM, Denis <shulyaka at gmail.com> wrote:
> > >>>
> > >>>> But as far as I understand it's not secure, esp. for a device with
> > >>>> wi-fi, bluetooth, gprs and running ssh daemon! Linux gives us a great
> > >>>> power of user privilegies management but we waste it. Woldn't it be
> > >>>> better to run everything as an unprivileged user, or at least ask for
> > >>>> password at first run time?
> > >>>>
> > >>>> _______________________________________________
> > >>>> OpenMoko community mailing list
> > >>>> community at lists.openmoko.org
> > >>>> http://lists.openmoko.org/mailman/listinfo/community
> > >>>
> > >>> _______________________________________________
> > >>> OpenMoko community mailing list
> > >>> community at lists.openmoko.org
> > >>> http://lists.openmoko.org/mailman/listinfo/community
> > >>>
> > >>
> > >> _______________________________________________
> > >> OpenMoko community mailing list
> > >> community at lists.openmoko.org
> > >> http://lists.openmoko.org/mailman/listinfo/community
> > >
> > > _______________________________________________
> > > OpenMoko community mailing list
> > > community at lists.openmoko.org
> > > http://lists.openmoko.org/mailman/listinfo/community
> >
> > _______________________________________________
> > OpenMoko community mailing list
> > community at lists.openmoko.org
> > http://lists.openmoko.org/mailman/listinfo/community
>
>
> _______________________________________________
> OpenMoko community mailing list
> community at lists.openmoko.org
> http://lists.openmoko.org/mailman/listinfo/community
>
More information about the community
mailing list
