Posts: 6 | Thanked: 1 time | Joined on Sep 2009 @ Maryland, USA
#1
My concern is that the N900 is designed to be always connected and it is a Linux system with all the standard security issues. It probably comes with a default root password with lots of open ports. Are users directed to change the root password? Or do users have to know what to do to protect their device?

Anyone reading this is not a typical user. The typical user takes the 'phone' out of the box, puts the SIM in, powers up, and uses it. Security hygiene is not on their radar.

Since this device is different from the previous tablets from Nokia, does anyone know what is provided to protect users from the nasties of the world?
 
Posts: 1,208 | Thanked: 1,028 times | Joined on Oct 2007
#2
Originally Posted by blivit:
My concern is that the N900 is designed to be always connected and it is a Linux system with all the standard security issues. It probably comes with a default root password with lots of open ports. Are users directed to change the root password? Or do users have to know what to do to protect their device?
In previous Maemo versions the root account has been disabled by default (like in Ubuntu), so you can't log in as root without enabling it.
 

The Following 3 Users Say Thank You to mikkov For This Useful Post:
Posts: 6 | Thanked: 1 time | Joined on Sep 2009 @ Maryland, USA
#3
Originally Posted by mikkov:
In previous Maemo versions the root account has been disabled by default (like in Ubuntu), so you can't log in as root without enabling it.
And what privileges does it take to enable root?
 
Posts: 1,208 | Thanked: 1,028 times | Joined on Oct 2007
#4
There isn't any standard way in the UI. But since all applications are installed as root, you'll install an application and the installation script enables sudo or something else.
 

The Following 2 Users Say Thank You to mikkov For This Useful Post:
Posts: 6 | Thanked: 1 time | Joined on Sep 2009 @ Maryland, USA
#5
Originally Posted by mikkov:
There isn't any standard way in the UI. But since all applications are installed as root, you'll install an application and the installation script enables sudo or something else.
And what prevents a malicious installation? [I know you have to get into the device first, what prevents that?]
 
Jaffa's Avatar
Posts: 2,535 | Thanked: 6,681 times | Joined on Mar 2008 @ UK
#6
Originally Posted by blivit:
And what prevents a malicious installation? [I know you have to get into the device first, what prevents that?]
QA on the Extras repository (starting in Fremantle), and the trust that a user puts in the application author and the community.

What stops you installing a malicious application in Ubuntu? Or in Windows?
__________________
Andrew Flegg -- mailto:andrew@bleb.org | http://www.bleb.org
 

The Following 8 Users Say Thank You to Jaffa For This Useful Post:
javispedro's Avatar
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#7
Originally Posted by blivit:
It probably comes with a default root password with lots of open ports.
Maemo is not a quick paint job. It does not come with any open ports by default (note that this is not really a hard job any longer; you'll have to recheck your assumptions about "Linux systems with all the standard security issues", since Ubuntu does not come with a default root password nor open ports by default).

Of course, preventing the user himself from doing something with the device is against what Maemo is, so hopefully we're not going to see any of that ugly "nanny operating system" stuff.

Last edited by javispedro; 2009-09-07 at 21:11.
 

The Following 4 Users Say Thank You to javispedro For This Useful Post:
Posts: 6 | Thanked: 1 time | Joined on Sep 2009 @ Maryland, USA
#8
Originally Posted by javispedro:
Maemo is not a quick paint job. It does not come with any open ports by default (note that this is not really a hard job any longer; you'll have to recheck your assumptions about "Linux systems with all the standard security issues", since Ubuntu does not come with a default root password nor open ports by default).

Of course, preventing the user himself from doing something with the device is against what Maemo is, so hopefully we're not going to see any of that ugly "nanny operating system" stuff.
What do you mean it has no open ports by default? It's used for communicating. Something has to be open.

I did not intend for a flame here but there are always security issues with any operating system. Telling me to believe without proof just raises my concerns. Maemo is not Ubuntu so using that as a proof point is, by itself, not sufficient. Any pointers that will make your point about the security of Maemo?
 
Posts: 271 | Thanked: 220 times | Joined on Sep 2009
#9
Originally Posted by blivit:
What do you mean it has no open ports by default? It's used for communicating. Something has to be open.

I did not intend for a flame here but there are always security issues with any operating system. Telling me to believe without proof just raises my concerns. Maemo is not Ubuntu so using that as a proof point is, by itself, not sufficient. Any pointers that will make your point about the security of Maemo?
An "open port" implies a listening daemon that accepts outside connections that are initiated from a remote node. The fact that a given default distro can "communicate" does not, by itself, imply that it has open ports as described above. For instance, I can initiate an ssh session to a remote server without having an SSH daemon process running on my own machine which is accepting connections. Consequently, any attempt to connect to an ssh server on my machine from a remote node would be fruitless as it doesn't exist. I hope that clears up the nomenclature issue.

If you want to see what's listening, you can either log on and run "netstat -an | grep LISTEN", or you can run an nmap port scan against it from an external machine (which is probably more useful in a practical sense as it reveals what's actually reachable through the network after various firewalls and the like have been passed instead of what theoretically is running according to the kernel).
 

The Following 7 Users Say Thank You to texaslabrat For This Useful Post:
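
An added example, not part of texaslabrat's post: a small filter for the `netstat -an | grep LISTEN` check described above that separates listeners bound only to loopback from those a remote node could connect to. It assumes Linux net-tools column layout; the function name `classify_listeners` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Classify listening TCP sockets from `netstat -an` output (Linux net-tools layout).
# A socket bound to 127.x or ::1 only accepts connections from the device itself;
# one bound to 0.0.0.0, :: or an interface address accepts remote connections.
# Outbound sessions (state ESTABLISHED) are not listeners and are ignored.

classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        laddr = $4
        # Split "addr:port" at the last colon so IPv6 addresses stay intact.
        pos = match(laddr, /:[0-9]+$/)
        if (pos == 0) next
        addr = substr(laddr, 1, pos - 1)
        port = substr(laddr, pos + 1)
        if (addr ~ /^127\./ || addr == "::1")
            scope = "local-only"
        else
            scope = "remote-reachable"
        print scope, port, addr
    }'
}

# Constructed sample of `netstat -an` output (not captured from a real device).
# The ESTABLISHED line is an outgoing ssh session: traffic, but no open port.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.20:51514      203.0.113.7:22          ESTABLISHED
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp6       0      0 ::1:6010                :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Run against the sample; on a real device use: netstat -an | classify_listeners
printf '%s\n' "$SAMPLE" | classify_listeners
```

This reports what the kernel has bound; a scan from an external machine is still needed to see what survives any firewall in between.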
javispedro's Avatar
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#10
Originally Posted by blivit:
What do you mean it has no open ports by default? It's used for communicating. Something has to be open.
I mean open ports as in "actively listening network services".

You made your initial post sound as if someone was going to take the phone out of the packaging and get rooted remotely in seconds. To do that, the phone would need to e.g. have by default an ssh server running with a default root password. There is no such server in the phone. Without such a server, they could even ship "rootme" as the default root password. Nothing would happen; you would need to get at the phone's keyboard to enter it*.

Well, at least in the N810. Which you can buy and test everything we have said in this thread by yourself.

*Of course, nobody said e.g. 0 exploits in the browser. As you said, no operating system is safe. But between 100% and suicidal there is a big difference. It's not like your average Symbian phone is 100% safe.
 

The Following 5 Users Say Thank You to javispedro For This Useful Post: