[maemo-developers] Security Guidance for N800 OS development

From: Paul Klapperich maemo.org at bobpaul.org
Date: Wed Feb 21 00:34:21 EET 2007

On 2/20/07, Gavin O' Gorman <gavin.ogorman at gmail.com> wrote:
> Out of curiosity, how many mobile phones have you encountered that run
> firewalls ?
> How many mobile phones have you found that provide unfettered access to
> 3rd party applications?

Network providers are extremely fearful about what applications can run on
phones--and thus access their network. Can you honestly tell me that there
aren't mobile phones that run firewalls, or are you just speculating? Just
because there's no user accessible gui doesn't mean there's no firewall.

On 2/20/07, Simon Budig <simon at budig.de> wrote:

> *If* you install an internet service, then you know about it. Then you
> can also judge on how to secure it. If you cannot do it then simply
> don't install this service and you're fine.

That's true. I accept the risk and would like to secure it. How the hell am
I supposed to do that without a firewall?

Nokia really doesn't have to do anything to "guarantee" that 3rd party apps
are safe, but I would certainly trust the integrity of an official iptables
compiled by Nokia. They certainly have something to lose by somehow
subverting it, so I would trust it. And as it really wouldn't take anything
more than checking the option in the kernel config before building, I
really don't think this is any additional burden to them.

Hell, for all I care they could leave iptables unconfigured. Power users,
Linux users, and IT Staff should have no problem setting it up. There's no
reason to include a gui or do anything beyond compiling it into the kernel
and releasing it as part of an update/new OS image. Absolutely no
customization should be needed.

Can you give me ANY argument against including iptables beyond the argument
that you don't feel it's necessary or that you somehow think Nokia would
have to spend more than 5 minutes on this?[1]  I'm sure this is why Zora
didn't feel bothered to make an actual argument; there's no argument on the
other side.

[1] Ok, I'm in the software industry, so I realize it WOULD take more than 5
minutes. Test procedures would need to be updated and more time/money would
need to be spent testing the update. This would be pretty marginal if it's
released as part of a planned major update, however, and we know there's one
in the works already.

