
What To Do About Mobile Devices That Lie

timothy posted more than 3 years ago | from the spanking-is-harmful-to-the-screen dept.


GMGruman writes "InfoWorld has caught two Android devices that falsely report security compliance that the Android OS does not actually support, and Apple quietly has dropped its jailbreak-detection API from iOS 4. So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware? There's no easy answer, but Galen Gruman explains what current technologies can do to help — and how Apple, Google, and others might increase the trustworthiness of their platforms in the future."


107 comments


Nothing (4, Insightful)

xnpu (963139) | more than 3 years ago | (#34597782)

Do nothing. Didn't we read yesterday that the NSA assumes they're compromised. Sounds like a healthy way to operate - for everyone. While it may sound slightly paranoid and a "hassle", this is only true initially IMHO.

Re:Nothing (3)

Kalidor (94097) | more than 3 years ago | (#34597792)

Agreed, so much of "security" from a lot of these companies is simply ruthless marketing these days anyway.

Re:Nothing (1)

Anonymous Coward | more than 3 years ago | (#34597804)

This is why I like China. While they do spy on citizens and want to have their way, at least they're being honest about it. US and its companies do the same, but they hide it.

Re:Nothing (0)

xnpu (963139) | more than 3 years ago | (#34597832)

Indeed. The Chinese measures seem geared mostly towards stopping people (connection resets, dns poisoning, etc), whereas the US ones towards criminalizing people (logs.) Which is not to say that the Chinese would never prosecute you as a criminal, they probably will if it suits them, but it's not their default modus operandi.

I looked at my BlackBerry. (0)

Anonymous Coward | more than 3 years ago | (#34598302)

It's just sitting there.

Re:Nothing (3, Insightful)

IchBinEinPenguin (589252) | more than 3 years ago | (#34598818)

Indeed. The Chinese measures seem geared mostly towards stopping people (connection resets, dns poisoning, etc), whereas the US ones towards criminalizing people (logs.) Which is not to say that the Chinese would never prosecute you as a criminal, they probably will if it suits them, but it's not their default modus operandi.

Perhaps it's because when some governments go after their citizens they don't bother with niceties like 'evidence', 'logs' or even 'trials'.

Re:Nothing (0)

Anonymous Coward | more than 3 years ago | (#34598920)

It's really not as bad as you may think. China treats its 'dissidents' harshly, but we can't exactly say that that's any different in the US. Manning and Assange are good current examples.

The general population in China is just blocked, nothing more. Meanwhile in the US 12 year old girls are sued for copyright infringement and kids not much older go behind bars for 'hacking'.

I know the general Slashdot crowd is not all that capable of thinking outside of US propaganda, but you may want to give it a shot. It's really not all that bad here in China.

Re:Nothing (2, Informative)

Anonymous Coward | more than 3 years ago | (#34599116)

I am certain that Liu Xiaobo agrees with you, not that bad at all . . . .

Re:Nothing (3, Informative)

icebraining (1313345) | more than 3 years ago | (#34599364)

Manning released thousands of confidential papers. Regardless of what we think about him (I support his actions, but then again, I'm not American), it's still more grave than a single re-tweet [allheadlinenews.com].

Re:Nothing (1)

camperslo (704715) | more than 3 years ago | (#34600350)

This is why I like China. While they do spy on citizens and want to have their way, at least they're being honest about it.

Are we forgetting what happened last April? A huge amount of traffic, including that for .mil and .gov was routed through China. Monitoring that traffic could make future phishing attacks much easier, having had access to things like individual IPs and mail traffic.
What's honest or likeable about that? It's the stuff nightmares are made of.

http://slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

Re:Nothing (2)

Opportunist (166417) | more than 3 years ago | (#34600530)

Nothing. Not even if you're in the IT sec business. My first reaction was "oh goodie, consulting will increase!"

It didn't.

Nobody gave a shit.

Imagine this: You go to a company that not only has a lot of IP but also deals with China on a day to day basis because most of their manufacturing is there, present this to them and they dismiss it as "aw, that couldn't happen to us, our contractors are honest".

It's one thing to be spied on. It another to make it trivially easy.

Re:Nothing (1)

fahlenkp (1939942) | more than 3 years ago | (#34599112)

I disagree with most of the comments here. In my opinion the solution is to continue to use BlackBerry and ban iPhone, Google and MS phones from uses that require security. The nice folks at NIST regularly test BlackBerry systems and they continue to pass over and over, earning the magic FIPS 140-2 certification. Throwing your arms up and screaming "screw it" indicates you are either joking or having a nervous breakdown and need to step down from your IT post. Layered defenses are effective because no one layer may be completely trusted. You have to make the best decision you can per layer and move on. In this situation it is easy. Continue to use only FIPS 140 approved devices. The encryption, security and central management on BlackBerry is a lot better than the (none) on the other platforms.

Re:Nothing (0)

poetmatt (793785) | more than 3 years ago | (#34600812)

what are you talking about?

NIST is not a guarantee of security. It's just saying that you are compliant with a gov't standard required to sell products to the government.

even FIPS 140-3 is not foolproof.

BlackBerry encryption is also a joke and has been compromised in every country in the world, in a variety of ways.

Re:Nothing (1)

fahlenkp (1939942) | more than 3 years ago | (#34602532)

In my experience, things that have undergone more testing generally tend to have better performance. NIST tests the devices, algorithms, policy, etc. They don't wave a magic wand that makes it more secure or take a payoff to say it is just compliant as you state. Saying that no security measure is 100% to prove a point is gutless. Of course it isn't, but a security plan with more thought and research is more effective at meeting its goals than none. Have countries outlawed iPhone because the encryption is too difficult for government agencies to tackle? If it is so easy, why does this happen? Maybe you can link some examples and educate us. I am often wrong and would like some help if this is the case. I find a lot of YouTube videos showing any idiot how to break in to any iPhone OS version; where are the videos for BlackBerry? I for one feel more comfortable having grandma's SSN on some doctor's BlackBerry than his iPhone. Judging from your other flamebait comments, I think I am wasting my keystrokes here.

Re:Nothing (0)

poetmatt (793785) | more than 3 years ago | (#34608558)

gutless? you don't know shit.

try working with fips and you might know a little more.

just because it isn't 100% doesn't mean you don't use it, it means you don't use it for anything critical.

how hard is this to understand?

hey, we've got something vulnerable, but let's put critical/valuable information on it. What can possibly go wrong?

try to learn about basic security and then get back to me bub. the first step is not the encryption on the device.

Re:Nothing (2)

The End Of Days (1243248) | more than 3 years ago | (#34597812)

Shocking, people figure out ways around the tightest security when the target is worth it.

Re:Nothing (2)

Z00L00K (682162) | more than 3 years ago | (#34597858)

Assume that all security claims are false. It's just that any security hole hasn't been found yet.

There is always a way to hack something running software. Live with it, just make sure that you accept the risks of being overheard and that your address book may be downloaded to some third party that uses it for their own purposes.

As for companies - considering the large amount of phones and crap around anyone that really wants to listen in on secret conversations/information uses more targeted methods. Only a few in a company have something really secret. And most of those secrets are short-lived anyway.

The classic spy/bug method is still one of the best methods to use.

But security in devices is something that the manufacturer shall allow for, but it shall not constrain the user. Because if users have freedom in their devices every device will look different and it's harder to do a massive harvesting of interesting information.

You don't. (4, Insightful)

PhrostyMcByte (589271) | more than 3 years ago | (#34597794)

So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware?

You don't trust them. Just like you should be doing with desktops/laptops, don't set up services in a way that they allow a phone to ruin your data.

Re:You don't. (4, Informative)

arivanov (12034) | more than 3 years ago | (#34598024)

That is the case anyway. At least to some extent.

The problem is elsewhere. Admins, upon security advice, upload settings which make the device unusable. In that case, "reporting compliance" while it is not is, from the user's viewpoint, actually a useful feature.

Example - I have a Nokia E71. I was seriously stupid at some point to configure my company Exchange server on it. As a result it started autolocking itself in 2 mins, requiring a security code. So far so good; however, it autolocked and put the screensaver on in applications which _MUST_ run in the foreground - GPS navigation and the media player. It also autolocked itself when docked in a car cradle, etc.

After a couple of near misses on the motorway trying to get myself from A-Z or trying to dig out the name of someone from contacts, I tried to turn it off. Guess what, settings uploaded via these APIs _CANNOT_ be turned off. Even if you wipe out the Mail for Exchange application, disconnect, etc., the settings are either not allowed to be changed any more or come back after a change. In the end I had to factory reset the phone and restore the settings partially from backup to recover the phone to a usable state.

Thankfully I do not have to read my company mail on my phone for a living. If I had to, I would have paid for one of those HTCs without giving it a second thought.

Similarly, I am not surprised about Apple starting to take powers away from the security software (and the people who use it). Apple's key selling point is user experience. The way some corporate security people use these APIs sends the user experience into "Mordok, denier of information services" territory. Knowing Apple, they are guaranteed to do something about it, and in the land of "i" no one will hear the security people scream.

Re:You don't. (2)

Bert64 (520050) | more than 3 years ago | (#34598584)

The "standard" way of implementing security these days seems to be to try and restrict users as much as possible...
The problem is that this doesn't work, for a number of reasons: the restrictions are onerous enough to hamper people's ability to do their work, which causes them to seek ways to bypass the restrictions, and the restrictions are often poorly implemented and therefore easy to bypass.

Incidentally, if your company wants you to read mail when you're away from your desk they should supply you with a handset from which to do it; the idea of using your own handset is ludicrous... That's your handset, with their data on it, but because it's your handset they lose control... They have no right to enforce policies on it, nor to wipe the handset...

Re:You don't. (1)

melstav (174456) | more than 3 years ago | (#34599100)

Thankfully I do not have to read my company mail on my phone for a living. If I had to, I would have paid for one of those HTCs without giving it a second thought.

If the company you work for requires that you be able to read your email on your cellphone, they damn well better be providing you a cellphone to do it with.

Re:You don't. (0)

Anonymous Coward | more than 3 years ago | (#34599684)

Bah! If only that were the case. My 'frugal' company reimburses up to $50/month for cell phone usage. That's it. They also don't 'require' we use cell phones, at least officially. But try to work effectively without instant e-mail, at work and at home, and you'll quickly find that it is required to be able to do your job. I wish the company would provide phones, it would solve many problems. Never going to happen.

Re:You don't. (0)

Anonymous Coward | more than 3 years ago | (#34600318)

Do you really want to carry around two phones all the time? Maybe in a few more generations we can do some kind of VM setup that segregates business/personal access but both lines ring through.

Re:You don't. (2)

melstav (174456) | more than 3 years ago | (#34602998)

As was pointed out in the comment I originally replied to, if you allow your phone to interact with an Exchange server, you end up giving the Exchange admins the ability to do a LOT of things to your phone without your knowledge.

Including, erasing everything saved on the phone. [gigaom.com]

I am not willing to give up that level of control.

If I'm on call, or if my employer wants to replace my desk phone with a cellular one to make it easier to reach me, or they want me to be able to read and respond to email from my phone, I'm perfectly happy carrying two phones.

But if I'm on my own time and I'm not on call, the work phone goes on a shelf, and it may or may not get turned off in the process.

Re:You don't. (2)

Rich0 (548339) | more than 3 years ago | (#34602850)

Yup. I could make a killing if I sold an Email app that spoofs whatever is most common in major corps but which silently ignores the security policies.

If employers want to control the phone, they should issue the phone. If they issue it, then they can be sure that it supports whatever features they need. They can reclaim and reissue phones once a quarter to reimage them or whatever for extra security.

The problem is that employers want employees to use their shiny toys to do work off-hours, without paying for them. However, they don't like the fact that they now lose control over the platform.

Them's the breaks - the owner controls the phone.

Re:You don't. (0)

Anonymous Coward | more than 3 years ago | (#34598872)

You don't trust them. Just like you should be doing with desktops/laptops, don't set up services in a way that they allow a phone to ruin your data.

Bravo parent was modded correctly for a change!

Remember we are talking about MS Exchange here!!! Do you really think that the recommended devices to access it will run anything other than Phone 7 or perhaps Windows Phone and the iPhone? This is what this whole bugaboo over "Android Lying about security" is really all about. What is about to come out of Microsoft and its vaunted so-called "hardware partners" is a shit load of security FUD against Android, RIM and to a lesser extent iOS. I would not be too surprised if Apple gets in on the act along with Microsoft though. The real target of the Microsoft-sponsored handheld security FUD that is starting to show up is RIM and Android. I am surprised that the tech savvy geeks at /. have not picked up on what is really going on ...yet.

I do not trust anything published that says using a different OS to access MS exchange servers is a security risk.

Different Strokes for Different Folks (-1)

Anonymous Coward | more than 3 years ago | (#34597796)

If your Android phone lies to you punch it in the face.

If your iPhone lies to you fuck it in the ass without a condom.

Stop thinking of them as phones. (4, Insightful)

Kenja (541830) | more than 3 years ago | (#34597892)

Treat them like any other computer.

What a Phenomenally Stupid Question (5, Insightful)

ewhac (5844) | more than 3 years ago | (#34597894)

Let me get this straight: You've been acquiring personal computers, integrating them into your businesses, and installing on them software products so monumentally shitty that it beggars the imagination that anyone with even the slightest sense of pride would admit to writing them. What's more, you were told by people who actually know what the fsck they're talking about that the products were shitty, both at a superficial and fundamental level -- and you systematically ignored them, and kept throwing bad money after worse money, all the while complaining when your systems crashed, your data was corrupted, and your networks infiltrated...

And you've been doing this for at least the last 30 years...

And NOW you suddenly claim to give a shit about platform integrity?

And I suppose the complete absence of any mention of WinCE or Windows Mobile in the article is sheerest coincidence.

What selective, partisan crap.

Re:What a Phenomenally Stupid Question (3, Insightful)

IchBinEinPenguin (589252) | more than 3 years ago | (#34598730)

And I suppose the complete absence of any mention of WinCE or Windows Mobile in the article is sheerest coincidence.

Windows was excluded because neither of the Windows users have reported any problems. Yet.

P.S. Couldn't agree more.
You reap what you sow.
Keeping your eye firmly planted on next quarter's profit margin (and the resulting bonuses) will eventually bite you in the ass.

Re:What a Phenomenally Stupid Question (0)

Anonymous Coward | more than 3 years ago | (#34603848)

Windows was excluded because neither of the Windows users have reported any problems.

I understand both of them are quite happy with their phones.

Re:What a Phenomenally Stupid Question (1)

moxley (895517) | more than 3 years ago | (#34599824)

With an analysis that insightful in its ability to see through a false, consensus reality, allow me to introduce you to the American political system!

You got the wrong Partisans (4, Insightful)

IBitOBear (410965) | more than 3 years ago | (#34601334)

If you RTFA you discover that the whole second half is boosterism for putting "Trusted Computing" modules inside cell phones. In that light the agnostic condemnation of both "jailbroken iThingies" and "that unreliable open source Android thing" makes perfect sense.

This article has nothing to do with exchange boosterism etc, it is back-door partisanship for trying to revive the Trusted Computing Hardware Module that the technical industry managed to ignore into oblivion.

The article _is_ an attack on reason, but the goal isn't about Exchange etc.; it's about re-initializing the idea of corporate capture of your personal property and turning your device from a personal resource into a limited media consumption node. The media used this time isn't movies, it's "corporate email" etc.

Disclaimer: I would _love_ TPM hardware if there were a law that required that _I_ get the _master_ _keys_ for my hardware when I buy it. This would, of course, allow me to lie to an exchange server if I so chose, and would do _nothing_ to prevent jailbreaks. Of course I would also have to demand that there was no "government key" etc. With those elements in place, a TPM would let my paranoia be soothed when I boot my gear.

So anyway, bitching about how bad exchange software is etc, falls into the hands of the author who is trying to false-flag some emergency to spur on "trusted computing" on the "new platform battlefield".

Re:You got the wrong Partisans (0)

Anonymous Coward | more than 3 years ago | (#34601902)

it is back-door partisanship for trying to revive the Trusted Computing Hardware Module that the technical industry managed to ignore into oblivion.

Revive? If you've bought a motherboard in the past few years, it has a TPM module.

Re:You got the wrong Partisans (1)

IBitOBear (410965) | more than 3 years ago | (#34606248)

I've bought several computers in the last few years and all but one have been absent any TPM. One board from several years back had one, and several I have considered lately had a TPM header, but no actual TPM. My amd64 dual-core has a suspicious connector next to the memory connectors that I think _could_ accept a TPM, but said adapter is blank.

So far "Trusted Computing Modules" are common on HP/Compaq gear, and some Dell stuff, but not so much on any of the pieces-parts you can get hither and yon.

I know, I've looked. TPMs usually have (must have?) a hardware random number source so I actually like boards that have them for that.

But I would never buy a board that had a certified boot chain to a Windows enforcement environment. Blarg. Like I said, the idea is great if _I_ have the master key to my gear so that _I_ can trust my computing environment. When it's a matter of the MAFIAA and Microsoft that want to trust my computer, well, I could give a rat's ass...


increase trustworthiness? (0)

Anonymous Coward | more than 3 years ago | (#34597926)

This is a good thing. Hack everything, open it all up. Trust is illusory, it's all about control.

English_101 EPIC FAIL (1, Insightful)

Zero__Kelvin (151819) | more than 3 years ago | (#34597940)

"So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware? "

Because nothing ever becomes a Trojan horse for malware. In order to do so, that sentence would actually have to make sense. WTF is a Trojan Horse for Malware? A Trojan Horse is, by definition, malware. So long as the general public, and even Slashdot readers, are clueless, then cluelessness will map the security landscape.

Re:English_101 EPIC FAIL (1)

maxwell demon (590494) | more than 3 years ago | (#34597996)

I guess they used the term "Trojan Horse" in its original meaning, which is older than computer technology.

Re:English_101 EPIC FAIL (1)

Zero__Kelvin (151819) | more than 3 years ago | (#34598058)

Yes. I already said that ignorance is the root cause.

Re:English_101 EPIC FAIL (1)

Shadow of Eternity (795165) | more than 3 years ago | (#34598280)

The word "let" used to mean to hinder or delay hence why passports say "without let or hindrance".

Incidentally this is also the nuclear argument against people who bitch about using the phrase "begs the question".

Re:English_101 EPIC FAIL (0)

Anonymous Coward | more than 3 years ago | (#34601180)

Incidentally this is also the nuclear argument against people who bitch about using the phrase "begs the question".

Those people are claiming that the phrase can only mean its original meaning and not the more common usage. The OP is claiming that "Trojan Horse" can only mean its specialised computing meaning and not the original general meaning. The OP more closely resembles the "bitch"ers in your scenario.

Incidentally, it's pretty hilarious that the OP thinks the computing definition of "Trojan Horse" would be covered by an English 101 course.

Re:English_101 EPIC FAIL (1)

Zero__Kelvin (151819) | more than 3 years ago | (#34602406)

You apparently failed English as well. It would be ridiculous to say that the Trojan Horse was for the Greeks.

Re:English_101 EPIC FAIL (0)

Anonymous Coward | more than 3 years ago | (#34603934)

You apparently failed English as well. It would be ridiculous to say that the Trojan Horse was for the Greeks.

harumff...we are talking geeks...you know, the ones who go around biting heads off chickens on the Internet, or if you really think about what might have happened, your left hand index finger just missed a key before the middle finger did its thing. This is the only real difference between geek and greek on /. Failing English has very nothin' to do with it.

Re:English_101 EPIC FAIL (0)

Anonymous Coward | more than 3 years ago | (#34606360)

That has nothing to do with my post, as I didn't say anything of the sort. However, the Trojan Horse was "for the Greeks" in the sense that it was used to allow the Greeks to sneak into Troy. The article uses the term "Trojan Horse for malware" because it suggests that these devices might be used to allow malware to sneak into corporate networks.

Re:English_101 EPIC FAIL (1)

Zero__Kelvin (151819) | more than 3 years ago | (#34606772)

First of all, you are clearly a troll, as you are posting AC, but making a point to follow up on my posts. Second you claimed that I implied that an English class would teach the definition of "Trojan Horse" because you couldn't figure out the semantic error in the sentence. Finally, you have now verified that you cannot understand English, by claiming that you "could say" it was for the Greeks. Now off you go little troll ...

Re:English_101 EPIC FAIL (0)

Anonymous Coward | more than 3 years ago | (#34608858)

First of all, you are clearly a troll, as you are posting AC, but making a point to follow up on my posts.

Don't like when people point out how wrong you are, do you?

Second you claimed that I implied that an English class would teach the definition of "Trojan Horse" because you couldn't figure out the semantic error in the sentence.

You claimed that the article fails English 101 by not using the computing definition of "Trojan Horse". If you don't expect said meaning to be taught in said class, why did you mention it?

Finally, you have now verified that you cannot understand English, by claiming that you "could say" it was for the Greeks. Now off you go little troll ...

It's perfectly consistent with the meaning of "for". You, on the other hand, have verified that you don't understand that the world doesn't revolve around computing and computing terminology.

Re:English_101 EPIC FAIL (1)

Zero__Kelvin (151819) | more than 3 years ago | (#34609866)

"You claimed that the article fails English 101 by not using the computing definition of "Trojan Horse"."

This sums up your ignorance in a nutshell.

Re:English_101 EPIC FAIL (0)

Anonymous Coward | more than 3 years ago | (#34610094)

Your subject line is "English_101 EPIC FAIL". Your post is complaining that the article is using the term "Trojan Horse" incorrectly, and states that the correct definition is the computer-specific one. Therefore, either you posted completely random garbage, or you claimed that the article fails English 101 by not using the computing definition of "Trojan Horse". I really don't see how I can make this any simpler for you. Either you're the troll here, or you're the ignorant one. Which is it?

Re:English_101 EPIC FAIL (2, Funny)

Anonymous Coward | more than 3 years ago | (#34598510)

WTF is a Trojan Horse for Malware?

Well, you see, you leave a gigantic wooden Clydesdale with a firewire port in the parking lot. Some fool is going to plug it in because they want to see what possible use firewire could have in a giant wooden horse. Once they do, you've got access to their systems.

Re:English_101 EPIC FAIL (1)

surferx0 (1206364) | more than 3 years ago | (#34600976)

Because nothing ever becomes a Trojan horse for malware. In order to do so, that sentence would actually have to make sense. WTF is a Trojan Horse for Malware? A Trojan Horse is, by definition, malware.

More like History 101 epic fail...

It actually makes perfect sense, given the Trojan Horse's meaning. Perhaps you've forgotten what a Trojan Horse actually is given that the name has become so synonymous with malware. A Trojan Horse could mean anything that appears non-threatening to slip behind your security, which in this case is a cell phone, containing malware inside of it.

Re:English_101 EPIC FAIL (1)

Zero__Kelvin (151819) | more than 3 years ago | (#34602386)

You're right. You failed on the history part. In recent history the term Trojan Horse, when used in a malware context, has taken on a very specific meaning, which has nothing to do with trying to steal Helen of Troy back. If one wants to refer to the actual Trojan Horse of the Iliad it is necessary to upcast the reference. Anything else is just ignorance.

Re:English_101 EPIC FAIL (0)

Anonymous Coward | more than 3 years ago | (#34606374)

Is your login name an allusion to your intelligence? Wait, never mind, you probably have no idea what an allusion is and you're going to be all butthurt that intelligence isn't measured in kelvins.

Re:English_101 EPIC FAIL (1)

Zero__Kelvin (151819) | more than 3 years ago | (#34606784)

Take the absolute value of the temp in Celsius and you get a number much closer to mine than to yours ;-)

You mean like the ... (1)

doramjan (766519) | more than 3 years ago | (#34598038)

Palm Pre? I love my Pre, but in the early days it "lied" about what it was so it could sync via USB with iTunes as an Apple iPod.

Re:You mean like the ... (1)

toriver (11308) | more than 3 years ago | (#34598290)

Yes, it was easier for Palm to violate its agreement with the USB-IF and exploit Apple's sync software implemented in iTunes than to actually make the fscing effort to write their own sync software that read the music files and XML that any program has access to, or to write user instructions on how you could copy files from the music folders.

But I wonder what the old Palm would have said if e.g. Sony had made a device that pretended to be a PalmOS device and talked to their HotSync software...

Re:You mean like the ... (0)

Anonymous Coward | more than 3 years ago | (#34600890)

You mean like this http://en.wikipedia.org/wiki/CLIE [wikipedia.org]

Re:You mean like the ... (1)

toriver (11308) | more than 3 years ago | (#34603040)

Hm, Sony was a bad example, I had forgotten they were an actual licensee... but the point still stands. If your device need sync software you write it, don't piggy-back on someone else's.

Don't ask stupid questions in the first place? (1)

WaffleMonster (969671) | more than 3 years ago | (#34598048)

If you're going to take the bold step of asking a device if it is safe to use you might as well just go all in and mandate full evil bit compliance for all malicious IP packets. To test evil compliance simply invoke the javascript function iamastupidfoolEvilSupported(EVIL_FA_IL); If it returns true or raises a javascript error the device is totally secure and you have NOTHING to worry about.

End all computer problems! (2)

Paco103 (758133) | more than 3 years ago | (#34598138)

Hackers, please stop lying to our computers and telling them you have permission to do things when you know you don't. There. . . . now nobody will get any more spam or viruses.

I love when people say something "cannot be hacked". I also like the idea of security by requiring the client to tell the truth about what it is and what it can do. If everything would just tell the truth. . . we'd have better security. Sounds like the EA boss saying "To take the market back from Call of Duty, you just have to make a better game"

How's this crap get published?

Ignore stupid policies (2)

Improv (2467) | more than 3 years ago | (#34598180)

If someone is setting up policies to make devices incompatible, they lose. End of story. Devices should be open, hacker-friendly, and free to lie. It's lies that form the foundation of virtualisation. It's lies that let us run OSs in VMs without permission. People who have a strong sense of policy do more to hold the platform back than advance it. More often than not, this is because of someone having the mistaken idea that information can be owned.

Re:Ignore stupid policies (1)

raburton (1281780) | more than 3 years ago | (#34598366)

Yes, give us the option to ignore them! My uni (I'm a student, not staff) requires permission to wipe my phone and forces me to PIN-protect it, etc. The whole works.
Why? So nobody could steal my phone and access all the internal spam I get about alcoholic events and recruitment for societies so odd that they apparently don't have the 3 members needed to fill their committee posts.
So instead of using the built in exchange support I use a third party that ignores these. I run a cyanogen based rom that I build myself from source so I could just modify the built in exchange support, but life's too short - Android should already be ignoring them for me.

Richard.

Re:Ignore stupid policies (1)

aristotle-dude (626586) | more than 3 years ago | (#34601062)

If you have so little regard for the rights and privacy of others then you do not deserve a well paying job. If you cannot handle being responsible with your position in student government, how can anyone trust you with a "real" job in the future?

Re:Ignore stupid policies (1)

raburton (1281780) | more than 3 years ago | (#34601172)

WTF are you talking about? What do the rights and privacy of others have to do with the ability of my university to wipe my phone? And as for not "handle being responsible with your position in student government", this doesn't make any sense at all. I have no position in student government (whatever that even means) and I'm not sure what part of what I said had anything to do with my responsibility to it.

Can I suggest if English is not your first language, and you don't understand what you read, you don't waste your time (and mine) writing incomprehensible replies to it.

Re:Ignore stupid policies (1)

repapetilto (1219852) | more than 3 years ago | (#34605346)

Why does your university know anything about the phone you have? Why wouldn't you just tell them you have no phone?

Re:Ignore stupid policies (1)

aristotle-dude (626586) | more than 3 years ago | (#34601184)

If someone is setting up policies to make devices incompatible, they lose. End of story. Devices should be open, hacker-friendly, and free to lie. It's lies that form the foundation of virtualisation. It's lies that let us run OSs in VMs without permission. People who have a strong sense of policy do more to hold the platform back than advance it. More often than not, this is because of someone having the mistaken idea that information can be owned.

Ok. Fine. So what is your account number? Publish your account numbers, your SIN, Credit Card numbers with expiry dates, your real name, address and phone numbers. No? But information wants to be free right? If you expect to get paid to work in IT then you should treat the security of other peoples information like you would want your bank to treat your private information.

The ironic thing is that the very people who chant "information is not property" would be the first in line to sue their bank if there was a security breach caused by an employee with a "hacked" phone that was lost and could not be remotely wiped.

Re:Ignore stupid policies (1)

icebraining (1313345) | more than 3 years ago | (#34601866)

The ironic thing is that the very people who chant "information is not property" would be the first in line to sue their bank if there was a security breach caused by an employee with a "hacked" phone that was lost and could not be remotely wiped.

I don't understand the contradiction. Information not being property doesn't stop me from signing a contract binding someone to protect it. Contracts were never limited to the protection of property...

What it does mean is that I can't sue the recipient of such information (the guy who finds the data), even if he shares it with the world, because he wasn't bound to me through any contract not to divulge such information.
In the case of file-sharing, for example, the companies could sue the original sharer (if they legally prove the act of selling the product entails also a binding obligation not to redistribute it), but they couldn't sue subsequent downloaders or uploaders, who have no contract with the company.

http://mises.org/journals/jls/15_2/15_2_1.pdf [mises.org] [pdf]

Re:Ignore stupid policies (1)

Improv (2467) | more than 3 years ago | (#34603242)

You're confusing authentication with ownership.

broomstick lickers, inc. (0)

Anonymous Coward | more than 3 years ago | (#34598372)

watch us live as we syncronize broomstick licking on broomstick lickers, inc.!

TPM (1)

Anonymous Coward | more than 3 years ago | (#34598386)

There's no inherent reason Android devices could not use a verified boot (TPM+remote attestation). This would allow servers to know exactly what firmware image they're talking to, so whilst it wouldn't exactly stop devices lying about their capabilities, it'd allow you to catch devices that were lying once the general class of problem was detected.

The reason phones don't come with TPMs is simply cost and demand. If businesses really care about this, they'll make it clear that a TPM is as important to them as remote wipe and other things, manufacturers keen to find an edge will listen and the necessary changes can be made to Android as it's open source.

So .... let the free market operate and we'll see what happens. TPMs are cheap. It wouldn't take much pushing.

Re:TPM (0)

Anonymous Coward | more than 3 years ago | (#34598630)

Honestly it doesn't matter much what the businesses want. If it's a private phone, what the end-users want matters, and a TPM chip isn't it.
If it's a company-provided phone, the lockdown-possibilities might mean the employees no longer want it. What's the point of providing your employees with a phone they don't want to use and thus don't have with them whenever they can avoid it?
Also I don't see the point, a jailbroken phone is on about the same security level as the standard company-WindowsXP-PC where the users have admin permission IMHO.

Re:TPM (1)

perlchild (582235) | more than 3 years ago | (#34601856)

If it's an enterprise-provided phone, you can bet your ass it'll be a fireable offense soon enough not to have it with you...
Mandating being in a covered area is trickier though.

Re:TPM (1)

IchBinEinPenguin (589252) | more than 3 years ago | (#34598766)

So .... let the free market operate and we'll see what happens. TPMs are cheap. It wouldn't take much pushing.

Once you have TPM the _last_ thing you have is a free market.

Re:TPM (1)

CaptainJeff (731782) | more than 3 years ago | (#34600000)

Please explain. Some manufacturers put a TPM in their devices. Some do not. If you decide you want a phone that cannot do remote attestation with a tamper-resistant hardware root-of-trust, you buy one of the latter. If your organization, *who gets to set their own policies for remote access to their environments*, chooses to buy a phone for your use (or require you to do so as a condition of that remote access) that can do remote attestation with a tamper-resistant hardware root-of-trust, they (or you) buy one of them. That is the crux of a free market - multiple options and solutions are available and the one(s) that people actually want win out. Just because you don't like the idea of a tamper-resistant store in a mobile device, it actually DOES solve the exact problem that this article is about. I, in no way, intend to indicate that it does not introduce other problems, however.
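The verified-boot-plus-remote-attestation flow sketched in the "TPM" comment above and in this reply, as an added example that is not code from either poster, from any phone vendor, or from a real TPM stack. It simulates a measured boot (PCR extend chain), a device-side quote over the PCR and a server nonce, and the server-side check that maps the attested measurement to what that firmware build actually supports, so a self-reported "I support device encryption" can be cross-checked against the build that produced it. Assumptions: the firmware component strings, the `KNOWN_BUILDS` table and the `DEVICE_AIK` secret are constructed for the demo, and an HMAC with a per-device key stands in for the TPM's asymmetric attestation-key signature.

```python
import hashlib
import hmac
import os

# Simulated measured boot.  A real TPM keeps the PCR in hardware and only lets
# software *extend* it: PCR_new = SHA-256(PCR_old || SHA-256(component)).  Software
# can drive the register to a value by booting the matching code, but cannot set it.
def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measured_boot(components) -> bytes:
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr

# Constructed stand-ins for firmware images (not real vendor builds).
GOLDEN_BOOT = [b"bootloader 1.0", b"kernel 2.2.1 vendor build 42", b"system.img 2.2.1"]
ROOTED_BOOT = [b"bootloader 1.0", b"kernel 2.2.1 custom rooted", b"system.img 2.2.1"]

# Assumed attestation key.  In a real TPM this is an asymmetric key whose private
# half never leaves the chip and whose public half is enrolled with the server;
# an HMAC with a per-device secret stands in for that signature here.
DEVICE_AIK = b"per-device attestation key (only the TPM and the enrolment server have it)"

def tpm_quote(pcr: bytes, nonce: bytes, key: bytes = DEVICE_AIK) -> dict:
    """What the device hands the server: PCR value + the server's nonce, signed."""
    return {"pcr": pcr, "nonce": nonce,
            "sig": hmac.new(key, pcr + nonce, hashlib.sha256).digest()}

# Server-side golden database (constructed): measurement -> what that build really
# supports.  This is what lets the server contradict a device's own capability report.
KNOWN_BUILDS = {
    measured_boot(GOLDEN_BOOT): {"build": "2.2.1-42", "device_encryption": False},
}

def verify_attestation(q: dict, expected_nonce: bytes, self_report: dict,
                       key: bytes = DEVICE_AIK) -> tuple:
    """Return (accepted, reason).  self_report is what the device *claims* to support."""
    expected_sig = hmac.new(key, q["pcr"] + q["nonce"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, q["sig"]):
        return False, "bad signature: quote not made by the enrolled key"
    if q["nonce"] != expected_nonce:
        return False, "stale nonce: replayed quote"
    build = KNOWN_BUILDS.get(q["pcr"])
    if build is None:
        return False, "unknown firmware measurement: modified or rooted image"
    for capability, claimed in self_report.items():
        if build.get(capability) != claimed:
            return False, f"self-report lies about {capability}"
    return True, f"attested firmware {build['build']}"

if __name__ == "__main__":
    nonce = os.urandom(16)  # fresh per challenge, so an old quote cannot be replayed
    honest = tpm_quote(measured_boot(GOLDEN_BOOT), nonce)
    print(verify_attestation(honest, nonce, {"device_encryption": False}))
    print(verify_attestation(honest, nonce, {"device_encryption": True}))
    print(verify_attestation(tpm_quote(measured_boot(ROOTED_BOOT), nonce), nonce, {}))
```

Note what the check does and does not buy you, matching the caveat in the "TPM" comment: attestation does not stop a device from claiming capabilities it lacks, but once the server knows which build a measurement corresponds to, the claim can be checked against that build, and a rooted or re-flashed image simply fails to match any known measurement. A replayed quote fails on the nonce, and a device that asserts the golden PCR value in software cannot produce the signature without the enrolled key.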

Re:TPM (0)

Anonymous Coward | more than 3 years ago | (#34601380)

In practice, companies will go for the highest price and the least consumer-friendly options that people are willing to put up with. For example, ridiculous EULAs, DRM, $20 music cds, etc.

Similarly, employees are at a huge disadvantage when it comes to their workplace. You play by your employer's rules. Sure you can quit and go to another job with a better work environment. But more likely you'll just end up putting up with all of the minor stupidities.

The free market: keeping people just satisfied enough not to revolt.

Re:TPM (1)

Opportunist (166417) | more than 3 years ago | (#34600680)

...or a secure machine.

TPM is about securing the machine from you. Not for you.

Trustworthiness... (1)

Bert64 (520050) | more than 3 years ago | (#34598554)

End user devices are not trustworthy, regardless of the type of device a user could modify it to report anything back to an upstream server...

Re:Trustworthiness... (1)

shutdown -p now (807394) | more than 3 years ago | (#34601598)

You can make such modifications prohibitively expensive, however. It is precisely what a hardware TPM chip would do. Hope you have a well-equipped lab and knowledge to operate it...

What To Do... (1)

Odinlake (1057938) | more than 3 years ago | (#34598610)

What To Do About Mobile Devices That Lie
"Have you ever tried simply turning off the TV, sitting down with your mobile devices, and hitting them?"

Re:What To Do... (1)

Totenglocke (1291680) | more than 3 years ago | (#34598622)

I was going to suggest grounding them or sending them to bed without dinner, but hitting would work too.

Just don't allow them. (0)

dreamchaser (49529) | more than 3 years ago | (#34598658)

Unless there's a compelling business need there is no reason to allow Android or iOS devices to connect to a company's resources in any way. Personally if I were starting a new company I wouldn't allow anything other than a Blackberry to be used as a smartphone. One of the reasons RIM has been and continues to be successful in the business space is the security of their devices.

If people want their shiny toys they are free to get one on their own dime and use it with their own resources.

Re:Just don't allow them. (1)

joebagodonuts (561066) | more than 3 years ago | (#34599128)

Unless there's a compelling business need there is no reason to allow Android or iOS devices to connect to a company's resources in any way.

Why stop there? Add RIM and Windows to the list as well. I challenge you to find a good business reason for any phone to be connected. When desire is great enough, a business justification will be made.

I need to get email on my phone! The fate of the free world is in the balance!

It's nonsense. Since we're caving in to give folks their wants rather than needs, might as well go all the way and let them use their iPhones & Droids.

Re:Just don't allow them. (1)

dreamchaser (49529) | more than 3 years ago | (#34611794)

Actually you make a good point. If there ever really is a business need for a connected device though it should be something completely locked down. People are still free to have their own personal device that they pay for; there isn't a need to cave to user demand for features if they don't help give a competitive advantage.

Admins (1)

DarkOx (621550) | more than 3 years ago | (#34598808)

Better question, what to do about admins that don't test policies on devices they support before deployment?

Re:Admins (1)

Rich0 (548339) | more than 3 years ago | (#34603068)

That doesn't help when the user jailbreaks it and the new OS doesn't have the same capabilities as the OS you audited.

The solution is to simply issue your own hardware and make employee tampering a terminable offense. I'd fully support that as long as the company provided the device and its plan.

If I get to provide the device, then I get to decide what security policies it implements, and what policies it lies about implementing. Don't like that? Simple, stop sending me email after 5PM...

Enforce choice of auditing (1)

jago25_98 (566531) | more than 3 years ago | (#34598832)

Turn on phone for the first time,

"Which application auditor would you like to choose?"
"Which search engine would you like to use?"
"Which Browser would you like to use?"

Re:Enforce choice of auditing (2)

Opportunist (166417) | more than 3 years ago | (#34600654)

Cue customer of a new phone.

"Ohhh shiny! I wanna use it, I wanna toy with it, I wanna see all the features and all the ... huh? What's an "auditor"? Ah, a list, uh... (thumbs through manual), whatever, this one looks spiffy. Now, where that feature I bought the phone for... huh? Search engine? Get off my back, dammit! I wanna toy with the billion megapixel cam! So, here, now let me... browser?"

Tosses phone onto the counter.

"Here's your crap back, gimme a phone that lets me do stuff!"

And this is why we do not get that. Unfortunately.

What happened to lists? (1)

thogard (43403) | more than 3 years ago | (#34599044)

Microware's OS9 from the early 1980s had a table that it checked for each module it loaded into memory. Each library or executable had a CRC that it checked against and then that CRC was checked in a lookup table of stuff to accept or not load. You could load that table with a list of approved memory objects and then only those things would be loaded and run or you could list things to exclude like an old runtime library in which case it would try to find an approved one in the path. This stuff was being done 30 years ago on 8 bit CPUs. It should be an option on every OS today.
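A module allowlist keyed on a checksum, as described in the comment above, with the check a practitioner would want before reviving the idea: it is an added example, not code from the poster or from OS-9. The OS-9 loader used a CRC, and a CRC is linear, so an attacker can append four bytes to a trojaned module and make it collide with the approved module's checksum; a SHA-256 allowlist over the same modules does not have that problem. The module byte strings are constructed placeholders, and the forging routine works on CRC-32 (`zlib.crc32`) rather than the 24-bit CRC OS-9 used, but the attack is the same.

```python
import hashlib
import zlib

# Constructed stand-ins for two loadable modules: the vendor's approved runtime
# library and a backdoored replacement the attacker wants the loader to accept.
APPROVED_MODULE = b"librt v1.02 (approved build) ..." + bytes(64)
EVIL_MODULE = b"librt v1.02 (backdoored build) ..." + bytes(64)

def forge_crc32_suffix(prefix: bytes, target: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(prefix + s) == target.

    CRC-32 is affine over GF(2) in the message bits, so for a fixed prefix the
    checksum of prefix+suffix equals base XOR L(suffix) with L linear.  Sample L
    on the 32 one-hot suffixes, then solve L(x) = target XOR base by elimination.
    """
    base = zlib.crc32(prefix + bytes(4))
    basis = {}  # leading bit -> (vector, mask of one-hot suffix bits XORed into it)
    for bit in range(32):
        vec = zlib.crc32(prefix + (1 << bit).to_bytes(4, "little")) ^ base
        mask = 1 << bit
        while vec:
            lead = vec.bit_length() - 1
            if lead not in basis:
                basis[lead] = (vec, mask)
                break
            bvec, bmask = basis[lead]
            vec ^= bvec
            mask ^= bmask
    rhs = (target ^ base) & 0xFFFFFFFF
    solution = 0
    while rhs:
        lead = rhs.bit_length() - 1
        if lead not in basis:
            raise ValueError("target checksum unreachable")  # not possible for CRC-32
        bvec, bmask = basis[lead]
        rhs ^= bvec
        solution ^= bmask
    return solution.to_bytes(4, "little")

# Two loaders with the same policy ("only load approved modules") but different keys.
def crc_allowlist_permits(module: bytes, allowed: set) -> bool:
    return zlib.crc32(module) in allowed

def sha256_allowlist_permits(module: bytes, allowed: set) -> bool:
    return hashlib.sha256(module).digest() in allowed

CRC_ALLOWLIST = {zlib.crc32(APPROVED_MODULE)}
SHA256_ALLOWLIST = {hashlib.sha256(APPROVED_MODULE).digest()}

def build_forged_module() -> bytes:
    """Backdoored module padded so its CRC-32 matches the approved module's."""
    return EVIL_MODULE + forge_crc32_suffix(EVIL_MODULE, zlib.crc32(APPROVED_MODULE))

if __name__ == "__main__":
    forged = build_forged_module()
    print("CRC allowlist loads the backdoored module:    ",
          crc_allowlist_permits(forged, CRC_ALLOWLIST))
    print("SHA-256 allowlist loads the backdoored module:",
          sha256_allowlist_permits(forged, SHA256_ALLOWLIST))
```

The takeaway for anyone building the "option on every OS" the comment asks for: the allowlist idea is sound, but the key must be a collision-resistant hash (or a signature over one), because a CRC only detects accidental corruption, not a module that wants to be mistaken for another.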

Re:What happened to lists? (0)

Anonymous Coward | more than 3 years ago | (#34599954)

whitelists suck.

Re:What happened to lists? (1)

Opportunist (166417) | more than 3 years ago | (#34600626)

Only if that whitelist has to change too often. Whitelists can be very valuable when you are dealing with resources that change rarely. Like the modules in the aforementioned example. It's not like the modules you want to load change every time you use the system, or that you might suddenly get to load modules you didn't know about.

Whitelists are useless when it comes to mail addresses and webpages, unless you plan to only communicate with known sources. But when it comes to drivers and OS modules, they are quite useful.

They could... (0)

Anonymous Coward | more than 3 years ago | (#34599232)

Start using BlackBerries if device security is an issue. When you need a hammer, don't use a screwdriver simply because everyone else is telling you that all the cool kids use screwdrivers.

Just use a blackberry. Duh. (0)

Anonymous Coward | more than 3 years ago | (#34599514)

If you want real security, get yourself a real smartphone: blackberry.

http://us.blackberry.com/ataglance/security/certifications.jsp [blackberry.com]

The blackberry platform has been tested, audited & certified from end to end by the governments of United States, Canada, the United Kingdom, Austria, Australia, Turkey, New Zealand, and NATO.

Android & iphone have been certified by... nobody.

And the way to deal with fraudulent advertising is the American way: sue the bastards.

Re:Just use a blackberry. Duh. (1)

Opportunist (166417) | more than 3 years ago | (#34600602)

So I may trust Blackberry if I trust the governments of the US, Canada, UK, Austria, Australia, Turkey, New Zealand and the NATO.

What if I do not?

Re:Just use a blackberry. Duh. (2)

perlchild (582235) | more than 3 years ago | (#34601928)

They've been found to meet the specifications of those places. If you don't know those specifications it tells you little.

The legal troubles blackberry has had mostly indicate the one you care about is Canada, as Canada's privacy laws were a problem with the UAE, India and a few other countries. The solution was always for those countries to get blackberry servers/datacenters that they could seize, since the ones in Canada were out of reach. If you truly don't trust Canada's privacy laws, that's your business. If you find a better country for laws dealing with that, please let us know, I'm sure a few people on Slashdot want to move there.

Re:Just use a blackberry. Duh. (1)

Opportunist (166417) | more than 3 years ago | (#34605030)

Just because I agree with some laws of a country does not mean that I trust its government.

For reference, see US constitution and US government.

Depends (1)

gmuslera (3436) | more than 3 years ago | (#34599856)

you use windows in your desktop computers? Then the phone is the least of your actual risks.

Do not trust your devices (2)

Opportunist (166417) | more than 3 years ago | (#34600590)

"Trusted computing" my ass...

There's nothing to be trusted about anything you did not make yourself. And even if you made something yourself, trusting it is a bit overconfident. Do not trust anything you own to be "secure". It is not. It is as secure as the company that made it thinks is necessary.

Now, you know how security conscious the average person is, right?

Why do you think security would be high up on the priority scale of the company making it if it is no selling point AT ALL?

Do not trust anything you did not audit. If you cannot audit it yourself, have someone you trust audit it. Yes, at some point in that chain you will have to trust someone, especially if you do not have the knowledge and experience to do such an audit yourself.

But for $deity's sake, do NOT trust the maker of a device to be security conscious. They make a device with the bare minimum required to sell it. That means it will have all the features the customer will request. And as stated above, security is a feature that is rarely, if ever, requested!

The user is the weakest link (1)

aristotle-dude (626586) | more than 3 years ago | (#34600966)

If one of your end users jailbreaks their company supplied iPhone, fire them. If the company paid for the phone and pays for the phone service then it is the property of the company, not the end user.

If you officially allow employee iPhones to be used on the company exchange, ensure that it supports full device encryption before you enrol it on the network (iPhone 3GS or newer). Then periodically perform random audits of those phones to check to see if they are jailbroken. If they are, perform a remote wipe immediately to brick the device, remove the phone from exchange and discipline the user. Make sure that you include jailbreaking or any other circumvention of security policies in your policy documents as forbidden activities and have each employee sign it before allowing their device on the network.

The real question is how much do you trust your employee because they are always the potential weakest link.

A non-jailbroken iPhone 3GS or iPhone 4 is about as secure as a blackberry if you use exchange in your organization and perform a remote wipe when the phone is either lost or the employee leaves the organization.

You can't (1)

koan (80826) | more than 3 years ago | (#34601122)

Frankly (feel free to flame) it appears to me that the virus/trojan/botnet programmers/scammers are far more intelligent than the majority of security professionals working the other side of the fence.

Re:You can't (1)

dido (9125) | more than 3 years ago | (#34605460)

No. It's just an instance of that old military truism: in the battle between warhead and armor, the warhead always wins. The defender's job is always harder than that of the attacker. The defender needs to plug every possible hole while the attacker just needs to find only one that can be exploited, and once that happens, the game is over. The security professionals may be much smarter than the malware writers and black hats, but sadly, because their job is much harder, they aren't anywhere sufficiently smart enough to beat them at a game where the deck is stacked against them.
