[maemo-developers] Security Guidance for N800 OS development

From: Acadia Secure Networks acadiasecurenets at aol.com
Date: Thu Feb 22 21:22:30 EET 2007
Paul,

Yes, "click fatigue/click cluelessness" is an issue, but the dialog box 
does provide one more potential barrier to a successful attack.

By the way there is a wwwcast series on mobile device security over the 
next 5 weeks that is sponsored by sybase/ianywhere. The speaker in the 
first wwwcast, Jack Gold, actually specifically mentions Nokia devices. 
For those interested, below are the urls to the wwwcast series.


    Compliance in the Mobile Enterprise (featuring J. Gold Associates)
    Date: Thursday, February 22, 2007
    Time: 10 am Eastern time - 3 pm UK time - 16 Uhr German time and
               2 pm Eastern time - 7 pm UK time - 20 Uhr German time
    At the time of the 10 am Eastern time - 3 pm UK time - 16 Uhr German
    time webinar, please click on the following URL:
    https://www.livemeeting.com/cc/sybase/join?id=JMDK7M&role=attend&pw=Compliance
    At the time of the 2 pm Eastern time - 7 pm UK time - 20 Uhr German
    time webinar, please click on the following URL:
    https://www.livemeeting.com/cc/sybase/join?id=NB9PW3&role=attend&pw=Compliance
    Audio Access information is below.
    ________________________________________
    Managed Security -- The Key to a Comprehensive Mobile Security Strategy
    Date: Thursday, March 1, 2007
    Time: 10 am Eastern time - 3 pm UK time - 16 Uhr German time and
               2 pm Eastern time - 7 pm UK time - 20 Uhr German time
    At the time of the 10 am Eastern time - 3 pm UK time - 16 Uhr German
    time webinar, please click on the following URL:
    https://www.livemeeting.com/cc/sybase/join?id=J44HNQ&role=attend&pw=Security
    At the time of the 2 pm Eastern time - 7 pm UK time - 20 Uhr German
    time webinar, please click on the following URL:
    https://www.livemeeting.com/cc/sybase/join?id=MDZ3F6&role=attend&pw=Security
    Audio Access information is below.
    ________________________________________
    Securing Handheld Devices, Data and Applications
    Date: Thursday, March 8, 2007
    Time: 10 am Eastern time - 3 pm UK time - 16 Uhr German time and
               2 pm Eastern time - 7 pm UK time - 20 Uhr German time
    At the time of the 10 am Eastern time - 3 pm UK time - 16 Uhr German
    time webinar, please click on the following URL:
    https://www.livemeeting.com/cc/sybase/join?id=78T32S&role=attend&pw=Handheld
    At the time of the 2 pm Eastern time - 7 pm UK time - 20 Uhr German
    time webinar, please click on the following URL:
    https://www.livemeeting.com/cc/sybase/join?id=D3C4PX&role=attend&pw=Handheld
    Audio Access information is below.
    ________________________________________
    Encryption and Security Strategies for Laptops
    Date: Thursday, March 15, 2007
    Time: 10 am Eastern time - 3 pm UK time - 16 Uhr German time and
               2 pm Eastern time - 7 pm UK time - 20 Uhr German time
    At the time of the 10 am Eastern time - 3 pm UK time - 16 Uhr German
    time webinar, please click on the following URL:
    https://www.livemeeting.com/cc/sybase/join?id=6XK6RF&role=attend&pw=Laptop
    At the time of the 2 pm Eastern time - 7 pm UK time - 20 Uhr German
    time webinar, please click on the following URL:
    https://www.livemeeting.com/cc/sybase/join?id=KWC4TK&role=attend&pw=Laptop
    Audio Access information is below.
    ________________________________________
    Secure Wireless Email -- Top Considerations
    Date: Thursday, March 22, 2007
    Time: 10 am Eastern time - 3 pm UK time - 16 Uhr German time and
               2 pm Eastern time - 7 pm UK time - 20 Uhr German time
    At the time of the 10 am Eastern time - 3 pm UK time - 16 Uhr German
    time webinar, please click on the following URL:
    https://www.livemeeting.com/cc/sybase/join?id=4CG6WS&role=attend&pw=Email
    At the time of the 2 pm Eastern time - 7 pm UK time - 20 Uhr German
    time webinar, please click on the following URL:
    https://www.livemeeting.com/cc/sybase/join?id=Z8CW4N&role=attend&pw=Email
    Audio Access information is below.
    ________________________________________
     

Best Regards,

John Holmblad

Paul Brook wrote:
>> by way of example, my PC has a firewall (Symantec) that does outbound
>> filtering. I appreciate the fact that when I launch an application for
>> which I have not previously provided authorization to access the
>> Internet (defined here as an IP range beyond my LAN subnet), the
>> firewall warns me before allowing the connection to take place and lets
>> me decide whether to block, allow this one time, or allow permanently
>> the access. With this kind of protection on devices such as the N800,
>> it is more likely that the outbound filter will also catch a silent
>> rogue app that, by some means, has gotten installed on the device (these
>> days typically by a user being socially engineered to do something that
>> they should not do).
>>     
>
> I think you're over-estimating the knowhow and patience of an "average user".
>
> In my experience this kind of warning triggers sufficiently often on a 
> sufficiently wide range of applications that most users either disable it or 
> automatically click yes without even reading it properly.
> The sort of person that pays attention to this sort of firewall is also the 
> sort of person that probably knows better than to install untrusted software 
> on their machine.
>
> Outgoing firewalls aren't totally useless, but IMHO they're greatly overrated.
>
> Paul
>
>   