maemo.org - Talk


blivit 2009-09-07 20:18

Security on N900
 
My concern is that the N900 is designed to be always connected and it is a Linux system with all the standard security issues. It probably comes with a default root password with lots of open ports. Are users directed to change the root password? Or do users have to know what to do to protect their device?

Anyone reading this is not a typical user. The typical user takes the 'phone' out of the box, puts the SIM in, powers up, and uses it. Security hygiene is not on their radar.

Since this device is different from the previous tablets from Nokia, does anyone know what is provided to protect users from the nasties of the world?

mikkov 2009-09-07 20:21

Re: Security on N900
 
Quote:

Originally Posted by blivit (Post 323368)
My concern is that the N900 is designed to be always connected and it is a Linux system with all the standard security issues. It probably comes with a default root password with lots of open ports. Are users directed to change the root password? Or do users have to know what to do to protect their device?

In previous Maemo versions the root account has been disabled by default (like in Ubuntu), so you can't log in as root without enabling it.

blivit 2009-09-07 20:24

Re: Security on N900
 
Quote:

Originally Posted by mikkov (Post 323370)
In previous Maemo versions the root account has been disabled by default (like in Ubuntu), so you can't log in as root without enabling it.

And what privileges does it take to enable root?

mikkov 2009-09-07 20:32

Re: Security on N900
 
There isn't any standard way in the UI. But since all applications are installed as root, you'll install an application and the installation scripts enable sudo or something else.

blivit 2009-09-07 20:44

Re: Security on N900
 
Quote:

Originally Posted by mikkov (Post 323377)
There isn't any standard way in the UI. But since all applications are installed as root, you'll install an application and the installation scripts enable sudo or something else.

And what prevents a malicious installation? [I know you have to get into the device first, what prevents that?]

Jaffa 2009-09-07 20:55

Re: Security on N900
 
Quote:

Originally Posted by blivit (Post 323381)
And what prevents a malicious installation? [I know you have to get into the device first, what prevents that?]

QA on the Extras repository (starting in Fremantle), and the trust that a user puts in the application author and the community.

What stops you installing a malicious application in Ubuntu? Or in Windows?

javispedro 2009-09-07 21:04

Re: Security on N900
 
Quote:

Originally Posted by blivit (Post 323368)
It probably comes with a default root password with lots of open ports.

Maemo is not a quick paint job. It does not come with any open ports by default (note that this is not really a hard job any longer; you'll have to recheck your assumptions about "Linux systems with all the standard security issues", since Ubuntu does not come with a default root password nor open ports by default).

Of course, preventing the user himself from doing something with the device is against what Maemo is, so hopefully we're not going to see any of that ugly "nanny operating system" stuff.

blivit 2009-09-07 21:43

Re: Security on N900
 
Quote:

Originally Posted by javispedro (Post 323388)
Maemo is not a quick paint job. It does not come with any open ports by default (note that this is not really a hard job any longer; you'll have to recheck your assumptions about "Linux systems with all the standard security issues", since Ubuntu does not come with a default root password nor open ports by default).

Of course, preventing the user himself from doing something with the device is against what Maemo is, so hopefully we're not going to see any of that ugly "nanny operating system" stuff.

What do you mean it has no open ports by default? It's used for communicating. Something has to be open.

I did not intend for a flame here but there are always security issues with any operating system. Telling me to believe without proof just raises my concerns. Maemo is not Ubuntu so using that as a proof point is, by itself, not sufficient. Any pointers that will make your point about the security of Maemo?

texaslabrat 2009-09-07 22:04

Re: Security on N900
 
Quote:

Originally Posted by blivit (Post 323398)
What do you mean it has no open ports by default? It's used for communicating. Something has to be open.

I did not intend for a flame here but there are always security issues with any operating system. Telling me to believe without proof just raises my concerns. Maemo is not Ubuntu so using that as a proof point is, by itself, not sufficient. Any pointers that will make your point about the security of Maemo?

An "open port" implies a listening daemon that accepts outside connections that are initiated from a remote node. The fact that a given default distro can "communicate" does not, by itself, imply that it has open ports as described above. For instance, I can initiate an ssh session to a remote server without having an SSH daemon process running on my own machine which is accepting connections. Consequently, any attempt to connect to an ssh server on my machine from a remote node would be fruitless as it doesn't exist. I hope that clears up the nomenclature issue.

If you want to see what's listening, you can either log on and run "netstat -an | grep LISTEN", or you can run an nmap port scan against it from an external machine (which is probably more useful in a practical sense as it reveals what's actually reachable through the network after various firewalls and the like have been passed instead of what theoretically is running according to the kernel).
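Added example, not part of the original post: a shell filter for the `netstat -an` check described above that keeps only TCP listeners and separates loopback-only sockets from ones bound to a reachable address. The function names and the sample output are constructed for illustration (not captured from an N900), and the column layout assumed is that of Linux net-tools `netstat`.

```shell
#!/bin/sh
# Classify TCP listeners from `netstat -an` output read on stdin.
# A plain `grep LISTEN` also matches UNIX-domain sockets in state
# "LISTENING", which are not reachable over the network; this filter
# looks only at tcp/tcp6 rows whose State column is exactly LISTEN.
classify_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            la = $4                        # Local Address column
            port = la
            sub(/^.*:/, "", port)          # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1")
                print "LOCAL " la          # loopback only
            else
                print "EXPOSED " la        # wildcard or interface address
        }'
}

# Constructed sample output (hypothetical host, not an N900 capture).
# The ESTABLISHED row is an outbound ssh client session: the machine is
# "communicating", but that row is not an open port.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.20:43122      198.51.100.7:22         ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     5123     /var/run/dbus/system_bus_socket
EOF
}

# Demo on the sample; on a real system use: netstat -an | classify_listeners
sample_netstat | classify_listeners
```

An EXPOSED line only says the kernel has the socket bound to a non-loopback address; whether it is reachable from outside still depends on firewalls and the network path, which is what the external scan mentioned in the post measures.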

javispedro 2009-09-07 22:08

Re: Security on N900
 
Quote:

Originally Posted by blivit (Post 323398)
What do you mean it has no open ports by default? It's used for communicating. Something has to be open.

I mean open ports as in "actively listening network services".

You made your initial post sound as if someone was going to take the phone out of the packaging and get rooted remotely in seconds. To do that, the phone would need to e.g. have by default an ssh server running with a default root password. There is no such server in the phone. Without such a server, they could even ship "rootme" as the default root password. Nothing would happen; you would need to get at the phone's keyboard to enter it*.

Well, at least in the N810. Which you can buy and test everything we have said in this thread by yourself :)

*Of course, nobody said e.g. 0 exploits in the browser. As you said, no operating system is safe. But between 100% and suicidal there is a big difference. It's not like your average Symbian phone is 100% safe.

