MokSec - The Security Framework

thomasg thomas at gstaedtner.net
Mon Jul 14 10:03:35 CEST 2008


On 7/14/08, Kalle Happonen <kalle.happonen at iki.fi> wrote:
>
> Hello,
> I've only had my freerunner for a week or so, so I'm not too into the
> security aspects yet. One thing I did notice was of course passwordless
> root login. Now over usb this can be acceptable, but if this is possible
> over wifi (I haven't actually tested), it needs the firewall / make it
> listen only to the usb.


There's no need for a firewall at all (in fact it's probably the worst
idea).
Just set a root password (you're probably a win user, the command is simply
"passwd") and it'll be fine.


> In addition to that, a separate encrypted partition for /root (or /home
> if the account will be changed to a non-privileged user) could be nice, but
> maybe too heavy and battery draining?


Imho it's not needed to encrypt the whole system.
It would be the better choice to have some crypto-containers for the files that
really need to be secured (phonebook, messages, important documents). We had
some discussion in IRC a while ago and my idea would be to have those
containers and a daemon in the background which handles encryption/decryption,
asks for passwords if needed and makes sure that applications which want
access to an encrypted container get it (e.g. dialer wants to look up a
number in the phonebook).
This way the containers can stay decrypted while the phone is on and access
is granted dynamically (as needed).
Yeah, it's a little much effort, but there is no security without it.
If you'd encrypt the whole rootfs you'd have it decrypted the whole time the
phone is on (otherwise nothing would work), which means the security is
gone.
Well, that's only a part of a possible security framework, but these are only
some thoughts.


> In addition to that, I'd say all linux security administration best
> practices should be at least considered, including automatic security
> updates.


It's a standard linux system with a lightweight, but still standard, packet
management, so that's how it already is handled (well, without the
automatic, but I don't like automatic updating anyway).

> After the basic security is in good shape, one could move on to fun
> things like phone lock/unlock/shutdown with an sms, personal data
> backups / remote removal... the possibilities! :)


Possibly to be implemented in a (modular) "security-daemon", as mentioned
before.

> Cheers,
> Kalle
>
> Yorick Moko wrote:
> > This mail was posted on the devel list
> > (http://lists.openmoko.org/pipermail/openmoko-devel/2008-July/003594.html).
> > Thought it would interest a lot of people who are not subscribed to
> > that list:
> >
> >
> > Hi Guys,
> >
> > a few months ago we planned to improve the security of our beloved
> > Neo, after we read about the desires of the community regarding the
> > security issue.
> >
> > And here we are. Today I will present you our project MokSec.
> >
> > What is MokSec?
> > ===============
> >
> > MokSec is a framework whose target is to improve the security of the mobile
> > devices which are based on OpenMoko (and other frameworks which are
> > running on Neos)
> >
> > What is our main focus at the moment?
> > =====================================
> >
> > The main focus is the encryption over GSM. This is a very complicated issue,
> > and for this we are searching for developers who are willing to work with
> > us on this interesting project.
> >
> > What are the other components?
> > ==============================
> >
> > At the moment we are only working on a phone firewall, which will be
> > blocking/accepting incoming calls. Later on we will add other projects, or
> > developers will be able to add their projects.
> >
> > Where can you find more information?
> > ====================================
> >
> > http://moksec.networld.to                         : The main page
> > http://moko.networld.to                           : The git repositories
> > http://networld.to/mailman/listinfo/moksec-public : The mailinglist
> >
> > We hope that a lot of people will work with us on the security issue.
> >
> > Happy programming
> >
> > Alex Oberhauser
> >
> > _______________________________________________
> > Openmoko community mailing list
> > community at lists.openmoko.org
> > http://lists.openmoko.org/mailman/listinfo/community
> >
>
>