<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Arial">Dave,<br>
<br>
if you think of the N800 simply as an entertainment device then
security is not a significant issue. <br>
<br>
However, if and when users start to use this device to store important
and sensitive info whether related to business or personal use then OS
and application security, and especially the latter has to be properly
addressed. It does not matter that the LInux kernel is very secure
because once applications/add-ons (or whatever you want to call them )
which use a protocol stack to get access to the Internet, then there is
a risk that misbehavior of such apps can result in a vulnerability,
especially if the app inadvertently breaks code.<br>
<br>
</font>
<div class="moz-signature">
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="ProgId" content="Word.Document">
<meta name="Generator" content="Microsoft Word 10">
<meta name="Originator" content="Microsoft Word 10">
<link rel="File-List"
href="ASN%20End%20of%20Message%20Signature%2004%2022%2006_files/filelist.xml">
<title>Best Regards,</title>
<o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="place">
<o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PersonName"><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="phone">
<!--[if gte mso 9]><xml>
<o:DocumentProperties>
<o:Author>John B. Holmblad</o:Author>
<o:LastAuthor>John B. Holmblad</o:LastAuthor>
<o:Revision>5</o:Revision>
<o:TotalTime>8</o:TotalTime>
<o:Created>2006-04-22T20:38:00Z</o:Created>
<o:LastSaved>2006-10-20T20:57:00Z</o:LastSaved>
<o:Pages>1</o:Pages>
<o:Words>52</o:Words>
<o:Characters>302</o:Characters>
<o:Company>Televerage International</o:Company>
<o:Lines>2</o:Lines>
<o:Paragraphs>1</o:Paragraphs>
<o:CharactersWithSpaces>353</o:CharactersWithSpaces>
<o:Version>10.6817</o:Version>
</o:DocumentProperties>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:SpellingState>Clean</w:SpellingState>
<w:GrammarState>Clean</w:GrammarState>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
</w:Compatibility>
<w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
</w:WordDocument>
</xml><![endif]--><!--[
if !mso]><object
classid="clsid:38481807-CA0E-42D2-BF39-B33AF135CC4D" id=ieooui></object>
<style>
st1\:*{behavior:url(#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;
mso-font-alt:"\FF2D\FF33 \660E\671D";
mso-font-charset:128;
mso-generic-font-family:modern;
mso-font-pitch:fixed;
mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
@font-face
{font-family:Papyrus;
panose-1:3 7 5 2 6 5 2 3 2 5;
mso-font-charset:0;
mso-generic-font-family:script;
mso-font-pitch:variable;
mso-font-signature:3 0 0 0 1 0;}
@font-face
{font-family:"\@MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;
mso-font-charset:128;
mso-generic-font-family:modern;
mso-font-pitch:fixed;
mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-parent:"";
margin:0in;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman";
mso-fareast-font-family:"MS Mincho";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;
text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;
text-underline:single;}
span.grame
{mso-style-name:grame;}
span.GramE
{mso-style-name:"";
mso-gram-e:yes;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;
mso-header-margin:.5in;
mso-footer-margin:.5in;
mso-paper-source:0;}
div.Section1
{page:Section1;}
-->
</style><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman";}
</style>
<![endif]--><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="7170"/>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1"/>
</o:shapelayout></xml><![endif]-->
</o:SmartTagType></o:SmartTagType></o:SmartTagType>
<div class="Section1">
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: Papyrus; color: navy;">Best
Regards,</span><span style=""><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 6pt; font-family: Papyrus; color: navy;"> </span><span
style="font-size: 6pt;"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: Papyrus; color: navy;">John
Holmblad</span><span style=""><o:p></o:p></span></p>
<br>
<p class="MsoNormal"><st1:PersonName><span
style="font-size: 11pt; font-family: Papyrus; color: navy;"></span></st1:PersonName><span
style=""><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: Papyrus; color: navy;"><o:p> </o:p></span></p>
</div>
</div>
<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:dave@cridland.net">dave@cridland.net</a> wrote:
<blockquote cite="mid15651.1171902195.898863@peirce.dave.cridland.net"
type="cite">On Mon Feb 19 15:59:25 2007, Acadia Secure Networks wrote:
<br>
<blockquote type="cite">Has Nokia published any documentation on the
subject of how to secure the N800 OS from attack from both a software
developer perspective as well as an end user perspective?
<br>
<br>
<br>
</blockquote>
Not that I know of, but I'm not clear what the point would be.
<br>
<br>
<br>
<blockquote type="cite">I mention this because, as more Internet
aware/dependent applications are developed for the N800 (it is an
Internet tablet after all) the "attack surface" for the product will
increase. I have asked previously about whether or not the N800 has a
stateful firewall but so far the answer seems to be no.
<br>
<br>
<br>
</blockquote>
... because it would be pointless. Anyone opening passive sockets on
such a device really needs so much more than mere firewalling. In
general, I've found firewalling on Linux to be a waste of time if the
idea is to protect the machine itself, even if you do have passive
sockets open. In principle, the layer of software doing the stateful
inspection is essentially the same software doing the processing -
packets arriving which are in the wrong state get discarded *anyway*.
<br>
<br>
<br>
<blockquote type="cite">And this does not even consider
vulnerabilities introduced by latent software defects (e.g. not
safely/properly dealing with malformed input), which as this community
knows only too well, can lead to openings for attack.
<br>
<br>
<br>
</blockquote>
Well, where's the input coming from? This is typically only a security
problem with multiuser systems or open network services. Malicious
payloads (like, say, email, web pages) can cause issues, but in general
they're much less of a serious issue, and they're certainly no
different to any other platform.
<br>
<br>
<br>
<blockquote type="cite">It would be interesting to know what, if
anything, the Nokia development team has in its OS software product
plan regarding further OS/TCP/IP stack/Application hardening. As more
end users come to depend upon this device to perform sensitive tasks
(e.g. online banking) then this issue will move to the forefront of
concern for those users.
<br>
</blockquote>
<br>
I'm just really not clear that this is as much of a big deal as you
seem to think, and I can't see anything specific to Maemo which needs
addressing. If anything, the 770/N800 are a lot more secure than the
average Linux box, let alone the average computer.
<br>
<br>
Dave.
<br>
</blockquote>
</body>
</html>