[maemo-developers] What's the best attack? (Re: How to use extras-testing correctly?)

From: gary liquid liquid at gmail.com
Date: Mon Sep 28 10:40:51 EEST 2009
On Fri, Sep 25, 2009 at 5:29 PM, <tero.kojo at nokia.com> wrote:

>  ----- Original message -----
> > the apps in maemo extras *should* be trusted because we, the community, trust
> > the developers who put them there.
>
> Gary, I trust the community, but I really want to be sure.
>
> It is also because I like the community so much that I want to keep extras
> a safe place. For some new users it will be the first point of contact to
> OSS. If that contact is good, more people will find the community and more
> will join.
>

nobody can anonymously upload to extras without first applying.
from a community perspective, there is already a feeling of being vetted
prior to getting upload rights.

>
> > it would take 1 bad report to have the software removed from extras.
> >
> > it's a worrying scenario for some people, but this isn't the wild west and like
> > all trust based mechanisms, people in the community are given rights to upload
> > hopefully based on their standing.
>
> That would be one form of security I would be ok with.
> But screening people (karma or participation or whatever) for the right to
> upload is even more questionable than having a team of testers go through
> the apps. Everyone has to have the right to put their stuff to
> devel and testing.
>

as said, there is already an application stage.
if the community mindset is there of vetting, no matter how vague, it helps.


>
> > There are many steps along the way to being involved in the community and I do
> > not see why an individual would be nefarious enough to go through all those just
> > to infect a few machines.
> >
> > people are given rights and responsibilities and mechanisms are in place to
> > hopefully prevent an incident such as you are describing.
>
> Pretty much so. But I don't want to risk even a single case however
> unlikely it is.
>

*nod* this is a common goal.

>
> > it falls on each and every one of us to maintain that trust.
>
> It is about trust, but there is the question of security too.
>
> I hope the solution that is now implemented is one that works, but as
> always, if practise shows that it needs to be rethought, then we will.
>

yes, testing is the further step and should help to prevent even the most
determined of individuals.
it is rare to see applications coming through maemo.org where there isn't
community participation at some level

gary

>
> Tero
>
> > gary
> >
> > On Fri, Sep 25, 2009 at 3:40 PM, David Greaves
> > <david at dgreaves.com> wrote:
> >
> > tero.kojo at nokia.com wrote:
> > > ----- Original message -----
> > > >
> > > > I realise this is a slightly different question (hence the new subject)
> > > >
> > > > OK, say I have an evil twin who wants to attack ('own') a lot of Nokia
> > > > N900 devices. How do I do this?
> > >
> > > I hope that was rhetorical. Tell your evil twin to do something useful.
> >
> > Err, no it wasn't rhetorical; it was hypothetical though in case you were worried.
> >
> > It's more about being responsible :)
> > Actually it is very late in the day to be asking... but hey, it sounds like a
> > topic worth raising.
> >
> > > > Does extras-testing factor into this?
> > >
> > > At least so that I would prefer maemo.org extras to be clean from
> > > malware. It is much easier to promote it in Nokia internally when extras
> > > contains good software.
> >
> >
> > I agree 100% ... all it takes is one example of malware introduced into an OSS
> > product and we (and Nokia) could lose a lot of credibility.
> >
> > I wonder how much that could be worth to some people? Maybe worth a deliberate
> > attack? Maybe someone is playing a longer game?
> >
> > I just hope we are not planning on taking the "cross your fingers and toes
> > *REALLY HARD* and hope everyone is nice to us" approach to security ;)
> >
> > Discuss...
> >
> > David
> >
> >
> > --
> > "Don't worry, you'll be fine; I saw it work in a cartoon once..."