I said "yourself" for a reason. I am well aware of the benefits of many people reading the code. I'm not a member of this list because I hate Linux. But whe the thread is started off with the statement that the platform is inherently bad because _you_ don't control it, that leads to the assertion that _you_ should be vetting all the code run on it. <br>
<br>I read the Ars article this morning. And I shared it with other people. But the essence of that exploit is "don't trust a wireless network" and we should all know that one. And I know that the phone is never truly locked once it gets into the hands of someone who knows a couple things. But no device is once it is in an intruder's possession. <br>
<br>My argument is simple: the claim that one platform is better simply because you "control" and some people download bad software is silly. The platform "you control" has seen many more instances of malware, and completely bogus, stolen, applications that the one that you don't control. Does that make it an inherently bad platform? No. You have to use your good judgement just like with every other platform on which you can install software on your own. <br>
<br>On Friday, March 16, 2012, Michael H. Warfield <<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>> wrote:<br>> On Fri, 2012-03-16 at 14:02 -0400, James Sumners wrote:<br>>> Which all boils down to exactly what I said. Either ignore installing<br>
>> third party software altogether, or do the best you can with the time<br>>> you have. The argument that open source is safer because you,<br>>> yourself, can look at the code before installing it is ludicrous. If<br>
>> you have the time to do that for _every_ piece of software you<br>>> install, then you must not be doing anything else.<br>><br>> As one of the resident security experts handing around this watering<br>
> whole, I would have a lot of bones to pick with you on the above... I<br>> could not possibly disagree with you more. I do find OpenSource<br>> software to be much more robust and secure largely because it subject to<br>
> a higher level of scrutiny and the forces of an active evolution drive<br>> it. If it's not fit for survival, it sinks. Unlike locked in software<br>> where you have no choice and are stuck with the crap your given. Your<br>
> best defense is in numbers. Apps with high numbers of downloads and<br>> high approval ratings are a positive sign. Don't read just the positive<br>> reviews. Read the negative reviews! Read what people don't like. Read<br>
> the complaints. Be informed. Also be aware that most of what you are<br>> running on Android is just as proprietary and just as closed source as<br>> that on iOS and the iPhone.<br>><br>> I've seen and analyzed buggy proprietary software and I've submitted<br>
> fixes to things I've found in OpenSource software. I've been a project<br>> lead on several closed source projects, a VP of engineering in charge of<br>> multiplatform products, and worked on things from DSP microcode all the<br>
> way to 4th generation languages. And it's not so much that YOU must<br>> examine each piece of code yourself. That a myth promulgated by the<br>> anti-OpenSource types. The point is that, with OpenSource, there's a<br>
> very high chance that someone will so someone trying to pull a fast one<br>> deliberately has fewer ways to hide his trickery and it's much higher<br>> risk to them of getting caught and getting caught quicker. How many<br>
> proprietary packages have "Easter eggs"? You can't tell but it's a lot.<br>> You think those "unadvertised features" were approved? You think a<br>> manager approved the xyzzy cheat to MS Minesweeper or those other Easter<br>
> eggs? You think they're all benign?<br>><br>> Bugs are bugs and closed source is zero protection from outsiders<br>> discovering bugs but it's a major impediment to getting them fixed (and<br>> confirmed fixed) and not just covered up or worked around. Look at the<br>
> credits in the Microsoft releases. Those are not Microsoft employees<br>> and those are not people with access to the Microsoft source code but<br>> there you have it. They found the bugs that MS hadn't. They're the<br>
> good guys and they're reporting it to MS. Where are the bad guys and<br>> what are they doing with it?<br>><br>> Apple is not better, actually maybe (probably) much worse. Microsoft<br>> has gotten much better and much more transparent. Apples more recent<br>
> patch drops for OS X and iOS were HUGE (I did the write-ups). iOS 5.1<br>> had over 80 CVE identified issues fixed in this month's drop. Oh, to<br>> "protect their customers" they're not going to hand out details. Liers.<br>
> The bad guys are really really good and binary diffs and deltas and<br>> tearing apart patches to see what makes them tick. They're not keeping<br>> anything from the bad guys. They're only covering up what they screwed<br>
> up and not letting you know how bad it really is.<br>><br>> I look at what Apple does with the iPhone and I have to ask myself that<br>> if that were a computer, why would anyone tolerate that sort of abusive<br>
> control from their vendor? Ooopppsss! My bad! It is a computer! A<br>> very powerful computer. It's more powerful than some laptops not too<br>> long ago. Yet people give up control over their property to a<br>
> corporation whose sole interest is in protecting and expanding its<br>> revenue stream. Would they even dream of that with the MacBook or their<br>> Dell laptop?<br>><br>> So far, we've seen plenty of examples of "Proof of Concept" code<br>
> published flauntingly to the Apple store. Apple takes them down as soon<br>> as they find out about them but they find out about them from the news<br>> when the researchers embarrass them by announcing it! So much for them<br>
> scanning and protecting you. Oh, if it's an app they want to market,<br>> they'll pull it from the app store quick enough (happened a couple of<br>> times - developers have no appeal). Oh, and that GPL code, yeah you can<br>
> forget about that (too bad vlc). They don't approve of GPL. There's<br>> plenty of bugs to go around in those apps and iOS. Jailbreaking iOS is<br>> just about a joke. If the good guys can do it, what makes you think the<br>
> bad guys aren't?<br>><br>> I see this kinds of stuff all the time:<br>><br>> <a href="http://arstechnica.com/apple/news/2012/03/loose-lipped-iphones-top-the-list-of-smartphones-exploited-by-hacker.ars">http://arstechnica.com/apple/news/2012/03/loose-lipped-iphones-top-the-list-of-smartphones-exploited-by-hacker.ars</a><br>
><br>> Still fell safer on that closed platform?<br>><br>> Gotta love that CarrierIQ debacle. You think that would have ever come<br>> to light in a pure Apple walled garden? In the light of day, the<br>> backlash from that (deserved or not) hit the carriers and vendors like<br>
> an epic level storm. Even if it was benign (and I'll withhold judgment<br>> there) how dare the carriers and vendors stoop to those tactics and what<br>> makes anyone think that Apple would not do something similar (there were<br>
> traces of CarrierIQ there but no firm evidence that it was active in<br>> iOS). CarrierIQ may be back, but, if they are, they all better do it<br>> above board and correctly next time.<br>><br>> Before Android, the number 1 exploited platform for malware was Symbian<br>
> and that's even more closed source than Apple! This is nothing new.<br>> Blackberrie's another one. It's not immune. As rapidly as Android rose<br>> to dominance, we've been expecting it to be the number one platform to<br>
> come under attack. Goes with the territory. It's the old bank robber's<br>> story. "Why do you rob banks?" "Well, it's because that's where the<br>> money is."<br>><br>
> OTOH, we've got security tools available on Android that are simply flat<br>> out not available on iOS. They require a level of access you can't get<br>> unless you jailbreak it (requires root on Android). I've got OpenVPN<br>
> and advanced IPsec on Android and I can deploy LUKS filesystem<br>> encryption if I want. Yeah, the iOS encryption ain't so hot. Someone<br>> has a device that can suck the keys out of memory through the usb<br>
> port. :-P I haven't played with it yet but I noticed that CGROUPS (LXC<br>> container virtualization) are enabled on Android. Why noone has used<br>> that for setting up virtual profiles yet, I don't know. Could be<br>
> interesting... I've got much more powerful tools for creating REAL FULL<br>> backups of my device and encrypt those backups.<br>><br>> Neither proprietary or OpenSource has an intrinsic claim to being<br>
> "secure" and vendors do not have your security at heart if it conflicts<br>> with their ability to make money off you or your (lack of) privacy at<br>> their hands. Google is just as bad there. Problem is that Android is<br>
> largely OpenSource, but not totally OpenSource and these malicious apps?<br>> You think they're OpenSource? Most of the apps on the markets are just<br>> as closed as any other market. That's why we have static, dynamic, and<br>
> virtualized analyzers to pull some of them apart. The criminals are<br>> hiding in the closed bits. Apple is no better in that department at<br>> all.<br>><br>> Regards,<br>> Mike<br>><br>>> On Fri, Mar 16, 2012 at 13:42, <a href="mailto:mike@trausch.us">mike@trausch.us</a> <<a href="mailto:mike@trausch.us">mike@trausch.us</a>> wrote:<br>
>> > On 03/16/2012 01:29 PM, James Sumners wrote:<br>>> >> It has applications that are shipped with it. And you can use webapps<br>>> >> all day long. You don't _have_ to use the AppStore. But if you do use<br>
>> >> it, then you still have to decide if you trust the developer. If you<br>>> >> install something that seems scummy in the description (poorly<br>>> >> translated descriptions, bad reviews, etc.) then that's on you. It<br>
>> >> isn't the fault of anyone, or anything, else.<br>>> ><br>>> > And what if you install a highly-rated, seemingly legitimate app that<br>>> > does things that you aren't aware of because you have no way to possibly<br>
>> > be aware of them?<br>>> ><br>>> > There are security concerns with any application software on any<br>>> > platform or device that are a mile long and simply cannot be addressed<br>
>> > by the average user. These problems will likely never go away, unless<br>>> > the entire world moves to a model where the source code for all software<br>>> > becomes generally available. And even then, you have the problems that<br>
>> > were discussed in “Reflections on Trusting Trust” (a very worthwhile<br>>> > read if you haven't), making it almost completely impossible to sanely<br>>> > be able to settle on any level of trust in software. One would have to<br>
>> > take a copy of a (as Thompson calls it) "bugged" binary and examine it<br>>> > on a system that is known to not be bugged.<br>>> ><br>>> > I don't know about you, but I don't have the means to create a<br>
>> > completely isolated environment in which to be able to assert such<br>>> > levels of trust. At least not yet; it would be possible to do but it<br>>> > would not be really doable without a great deal of time, effort and money.<br>
>> ><br>>> > And even then, who would be insane enough to trust anyone else to create<br>>> > such a thing for them? :-)<br>>> ><br>>> > --- Mike<br>>> ><br>>> > --<br>
>> > A man who reasons deliberately, manages it better after studying Logic<br>>> > than he could before, if he is sincere about it and has common sense.<br>>> > --- Carveth Read, “Logic”<br>
>> ><br>>> ><br>>> > _______________________________________________<br>>> > Ale mailing list<br>>> > <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>>> > <a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> > See JOBS, ANNOUNCE and SCHOOLS lists at<br>>> > <a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a><br>>> ><br>>><br>>><br>>><br>>> --<br>
>> James Sumners<br>>> <a href="http://james.roomfullofmirrors.com/">http://james.roomfullofmirrors.com/</a><br>>><br>>> "All governments suffer a recurring problem: Power attracts<br>>> pathological personalities. It is not that power corrupts but that it<br>
>> is magnetic to the corruptible. Such people have a tendency to become<br>>> drunk on violence, a condition to which they are quickly addicted."<br>>><br>>> Missionaria Protectiva, Text QIV (decto)<br>
>> CH:D 59<br>>><br>>> _______________________________________________<br>>> Ale mailing list<br>>> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>>> <a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>>> <a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a><br>><br>><br>> --<br>> Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com<br>
> /\/\|=mhw=|\/\/ | (678) 463-0932 | <a href="http://www.wittsend.com/mhw/">http://www.wittsend.com/mhw/</a><br>> NIC whois: MHW9 | An optimist believes we live in the best of all<br>> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
><br><br>-- <br>James Sumners<br><a href="http://james.roomfullofmirrors.com/">http://james.roomfullofmirrors.com/</a><br><br>"All governments suffer a recurring problem: Power attracts pathological personalities. It is not that power corrupts but that it is magnetic to the corruptible. Such people have a tendency to become drunk on violence, a condition to which they are quickly addicted."<br>
<br>Missionaria Protectiva, Text QIV (decto)<br>CH:D 59<br>