[ale] Cory Doctorow, right again
Michael H. Warfield
mhw at WittsEnd.com
Fri Mar 16 16:27:51 EDT 2012
On Fri, 2012-03-16 at 14:02 -0400, James Sumners wrote:
> Which all boils down to exactly what I said. Either ignore installing
> third party software altogether, or do the best you can with the time
> you have. The argument that open source is safer because you,
> yourself, can look at the code before installing it is ludicrous. If
> you have the time to do that for _every_ piece of software you
> install, then you must not be doing anything else.
As one of the resident security experts handing around this watering
whole, I would have a lot of bones to pick with you on the above... I
could not possibly disagree with you more. I do find OpenSource
software to be much more robust and secure largely because it subject to
a higher level of scrutiny and the forces of an active evolution drive
it. If it's not fit for survival, it sinks. Unlike locked in software
where you have no choice and are stuck with the crap your given. Your
best defense is in numbers. Apps with high numbers of downloads and
high approval ratings are a positive sign. Don't read just the positive
reviews. Read the negative reviews! Read what people don't like. Read
the complaints. Be informed. Also be aware that most of what you are
running on Android is just as proprietary and just as closed source as
that on iOS and the iPhone.
I've seen and analyzed buggy proprietary software and I've submitted
fixes to things I've found in OpenSource software. I've been a project
lead on several closed source projects, a VP of engineering in charge of
multiplatform products, and worked on things from DSP microcode all the
way to 4th generation languages. And it's not so much that YOU must
examine each piece of code yourself. That a myth promulgated by the
anti-OpenSource types. The point is that, with OpenSource, there's a
very high chance that someone will so someone trying to pull a fast one
deliberately has fewer ways to hide his trickery and it's much higher
risk to them of getting caught and getting caught quicker. How many
proprietary packages have "Easter eggs"? You can't tell but it's a lot.
You think those "unadvertised features" were approved? You think a
manager approved the xyzzy cheat to MS Minesweeper or those other Easter
eggs? You think they're all benign?
Bugs are bugs and closed source is zero protection from outsiders
discovering bugs but it's a major impediment to getting them fixed (and
confirmed fixed) and not just covered up or worked around. Look at the
credits in the Microsoft releases. Those are not Microsoft employees
and those are not people with access to the Microsoft source code but
there you have it. They found the bugs that MS hadn't. They're the
good guys and they're reporting it to MS. Where are the bad guys and
what are they doing with it?
Apple is not better, actually maybe (probably) much worse. Microsoft
has gotten much better and much more transparent. Apples more recent
patch drops for OS X and iOS were HUGE (I did the write-ups). iOS 5.1
had over 80 CVE identified issues fixed in this month's drop. Oh, to
"protect their customers" they're not going to hand out details. Liers.
The bad guys are really really good and binary diffs and deltas and
tearing apart patches to see what makes them tick. They're not keeping
anything from the bad guys. They're only covering up what they screwed
up and not letting you know how bad it really is.
I look at what Apple does with the iPhone and I have to ask myself that
if that were a computer, why would anyone tolerate that sort of abusive
control from their vendor? Ooopppsss! My bad! It is a computer! A
very powerful computer. It's more powerful than some laptops not too
long ago. Yet people give up control over their property to a
corporation whose sole interest is in protecting and expanding its
revenue stream. Would they even dream of that with the MacBook or their
Dell laptop?
So far, we've seen plenty of examples of "Proof of Concept" code
published flauntingly to the Apple store. Apple takes them down as soon
as they find out about them but they find out about them from the news
when the researchers embarrass them by announcing it! So much for them
scanning and protecting you. Oh, if it's an app they want to market,
they'll pull it from the app store quick enough (happened a couple of
times - developers have no appeal). Oh, and that GPL code, yeah you can
forget about that (too bad vlc). They don't approve of GPL. There's
plenty of bugs to go around in those apps and iOS. Jailbreaking iOS is
just about a joke. If the good guys can do it, what makes you think the
bad guys aren't?
I see this kinds of stuff all the time:
http://arstechnica.com/apple/news/2012/03/loose-lipped-iphones-top-the-list-of-smartphones-exploited-by-hacker.ars
Still fell safer on that closed platform?
Gotta love that CarrierIQ debacle. You think that would have ever come
to light in a pure Apple walled garden? In the light of day, the
backlash from that (deserved or not) hit the carriers and vendors like
an epic level storm. Even if it was benign (and I'll withhold judgment
there) how dare the carriers and vendors stoop to those tactics and what
makes anyone think that Apple would not do something similar (there were
traces of CarrierIQ there but no firm evidence that it was active in
iOS). CarrierIQ may be back, but, if they are, they all better do it
above board and correctly next time.
Before Android, the number 1 exploited platform for malware was Symbian
and that's even more closed source than Apple! This is nothing new.
Blackberrie's another one. It's not immune. As rapidly as Android rose
to dominance, we've been expecting it to be the number one platform to
come under attack. Goes with the territory. It's the old bank robber's
story. "Why do you rob banks?" "Well, it's because that's where the
money is."
OTOH, we've got security tools available on Android that are simply flat
out not available on iOS. They require a level of access you can't get
unless you jailbreak it (requires root on Android). I've got OpenVPN
and advanced IPsec on Android and I can deploy LUKS filesystem
encryption if I want. Yeah, the iOS encryption ain't so hot. Someone
has a device that can suck the keys out of memory through the usb
port. :-P I haven't played with it yet but I noticed that CGROUPS (LXC
container virtualization) are enabled on Android. Why noone has used
that for setting up virtual profiles yet, I don't know. Could be
interesting... I've got much more powerful tools for creating REAL FULL
backups of my device and encrypt those backups.
Neither proprietary or OpenSource has an intrinsic claim to being
"secure" and vendors do not have your security at heart if it conflicts
with their ability to make money off you or your (lack of) privacy at
their hands. Google is just as bad there. Problem is that Android is
largely OpenSource, but not totally OpenSource and these malicious apps?
You think they're OpenSource? Most of the apps on the markets are just
as closed as any other market. That's why we have static, dynamic, and
virtualized analyzers to pull some of them apart. The criminals are
hiding in the closed bits. Apple is no better in that department at
all.
Regards,
Mike
> On Fri, Mar 16, 2012 at 13:42, mike at trausch.us <mike at trausch.us> wrote:
> > On 03/16/2012 01:29 PM, James Sumners wrote:
> >> It has applications that are shipped with it. And you can use webapps
> >> all day long. You don't _have_ to use the AppStore. But if you do use
> >> it, then you still have to decide if you trust the developer. If you
> >> install something that seems scummy in the description (poorly
> >> translated descriptions, bad reviews, etc.) then that's on you. It
> >> isn't the fault of anyone, or anything, else.
> >
> > And what if you install a highly-rated, seemingly legitimate app that
> > does things that you aren't aware of because you have no way to possibly
> > be aware of them?
> >
> > There are security concerns with any application software on any
> > platform or device that are a mile long and simply cannot be addressed
> > by the average user. These problems will likely never go away, unless
> > the entire world moves to a model where the source code for all software
> > becomes generally available. And even then, you have the problems that
> > were discussed in “Reflections on Trusting Trust” (a very worthwhile
> > read if you haven't), making it almost completely impossible to sanely
> > be able to settle on any level of trust in software. One would have to
> > take a copy of a (as Thompson calls it) "bugged" binary and examine it
> > on a system that is known to not be bugged.
> >
> > I don't know about you, but I don't have the means to create a
> > completely isolated environment in which to be able to assert such
> > levels of trust. At least not yet; it would be possible to do but it
> > would not be really doable without a great deal of time, effort and money.
> >
> > And even then, who would be insane enough to trust anyone else to create
> > such a thing for them? :-)
> >
> > --- Mike
> >
> > --
> > A man who reasons deliberately, manages it better after studying Logic
> > than he could before, if he is sincere about it and has common sense.
> > --- Carveth Read, “Logic”
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
>
>
>
> --
> James Sumners
> http://james.roomfullofmirrors.com/
>
> "All governments suffer a recurring problem: Power attracts
> pathological personalities. It is not that power corrupts but that it
> is magnetic to the corruptible. Such people have a tendency to become
> drunk on violence, a condition to which they are quickly addicted."
>
> Missionaria Protectiva, Text QIV (decto)
> CH:D 59
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20120316/e91714ce/attachment-0001.bin
More information about the Ale
mailing list