Slashdot: News for Nerds

Marlinspike's Droid Firewall Kills Tracking

timothy posted more than 3 years ago | from the knock-knock-who's-there? dept.


mask.of.sanity writes "The first dynamic Android firewall, dubbed WhisperMonitor, has been released by respected security researcher Moxie Marlinspike. The firewall will allow users to stop location-tracking apps and restrict connection attempts by applications. Marlinspike, whose company created the application, designed WhisperMonitor in response to the incidence of location tracking and malware on Android platforms. It monitors all outbound connection attempts by applications and the operating system, and asks users to permit or block any URLs and port numbers that are accessed."


164 comments

This firewall monitor non internet activities? (2)

countertrolling (1585477) | more than 3 years ago | (#36021504)

Like the phone itself? The applications aren't the only thing sending out the data..

Re:This firewall monitor non internet activities? (4, Interesting)

sherpajohn (113531) | more than 3 years ago | (#36021584)

What do you mean "the phone itself"? What else is sending out information but applications? Little elves hiding in the keypad? Sorry, I don't understand what you mean...an android phone is a device running the android OS - I would expect everything to be an application, even the part that connects to your mobile provider. Maybe I am looking at it the wrong way.

Re:This firewall monitor non internet activities? (0)

Anonymous Coward | more than 3 years ago | (#36021614)

I think the OP meant: can the firewall monitor the kernel for access to the internet/phone network, or are there secret hooks that defeat complete monitoring of incoming and outgoing info?

Re:This firewall monitor non internet activities? (1)

cynyr (703126) | more than 3 years ago | (#36022472)

Have a gander at the android source if you want to know, or at the source for Cyanogenmod if that is what you are using.

Re:This firewall monitor non internet activities? (1)

BrokenHalo (565198) | more than 3 years ago | (#36022624)

I think the op meant can the firewall monitor the kernel for access to the internet/phone network...

It's just a Linux kernel (on my phone it's 2.6.29), so yes, of course it can.

Re:This firewall monitor non internet activities? (0)

Anonymous Coward | more than 3 years ago | (#36021716)

I don't know anything about the architecture so I can't say anything for sure but, in old cellphones, the "applications" were usually running in a J2ME VM, where everything else was simply part of the firmware. Until now, most cellphones didn't have a concept of "OS" the way we understand it on PCs.

With iOS-based, Android-based and winCE-based cellphones (WP7 is winCE still) becoming common, it might now be true that most functions in the cellphone are applications not much different than the ones you can acquire in the respective stores.

But since mobile providers are usually so paranoid, it wouldn't surprise me if the concept of having the calling system be just an application was too hard for them to grasp, and the respective OS developers actually implemented most of it in the more obscure parts of the OS kernel.

Re:This firewall monitor non internet activities? (1)

sherpajohn (113531) | more than 3 years ago | (#36021920)

These same folks have an SMS encrypter and yes, a call scrambler application; the latter does not even require an unlocked phone, though WhisperCore and WhisperMonitor (which is part of the former I think) require you to unlock and replace the Android on your phone with their custom kernel. Interesting that they can scramble calls outside the kernel or firmware.

Re:This firewall monitor non internet activities? (0)

Anonymous Coward | more than 3 years ago | (#36023254)

You don't think the mobile provider is collecting this data on their end? Data collection on the device is a novelty compared to what the telcos are collecting on you, the data is far too valuable for them to not do anything with it.

Is this ignorance or just naivete on your part?

Re:This firewall monitor non internet activities? (1)

Anne_Nonymous (313852) | more than 3 years ago | (#36023382)

>> Little elves hiding in the keypad?

Yes. Does it monitor those? Because Santa has got to be getting his information somewhere!

Re:This firewall monitor non internet activities? (0)

Anonymous Coward | more than 3 years ago | (#36023626)

There is a feature installed for the FBI that allows them to listen into your cell for 24 hours without turning the phone on. The operating system doesn't even come into play. I think this is probably what the parent post was asking about. And, I think I just answered his question. No, this won't stop that.

White Hats, Black Hats, Tinfoil Hats. (1)

lexsird (1208192) | more than 3 years ago | (#36022014)

It does spark the imagination as to what might be lurking inside these phones. Could they be chipped to spy on us without anyone knowing it? Do you know what each component is in that little phone? Does anyone? And even if you did know what components they are, who's to say "they" didn't slip in a chip disguised as something else. You would have to monitor the phone's output to see if it's broadcasting anything beside what it normally should. Then you have to consider that its function might be "on demand" and you may never catch it spying on you because "they" haven't chosen to activate it, so you sit there for God knows how long monitoring this suspicious phone.

Or you could assume that if they really are wanting to use the phones to spy on us, then would they put something in the client side of the hardware? It would require the cooperation of the manufacturers, their engineers and risk exposure. The human element is going to fail always in such an operation as this. They would surely not risk exposure and do their spying from inside the network itself where they could passively monitor traffic, and user locations.

Now what I could fathom them taking the risk of exposure for is the camera. Imagine being able to access any cell phone with a camera, browse its contents, or even activate it secretly. Now that is something I wouldn't be able to resist if I was administrating a nationwide intelligence operation. Just think of the possibilities of such, you could take dumps from every phone in the country, sift it continuously with shape recognition software. Bad guy takes a picture of his buddies posing with their illegal weapons thinking they are all cool, but somewhere a computer recognized the weapons, logs the recognition, the time, the date, the location and has cataloged everyone in the picture. This information is dispensed out in the field to agents for them to react to immediately.

This sounds fine and dandy from an intelligence operation point of view, but it's a nightmare for civil liberties. That is the problem with making an effective intelligence tool, the party that makes it might have the best of intentions for its use, but that doesn't mean it will experience mission creep or just fall into the wrong hands, or just morph with bad times into a tool used for evil.

But here is the rub, if you put something like that in a phone, it will be found. And when it is, it's going to piss off everyone, including officials who don't want to be blackmailed sometime in the future with this. Needless to say, if the information about you chipping the nation's phones gets out, you are finished politically, your next intelligence operation will be listening in on the chief of the village you are hiding out in.

Frankly, if I was going to risk such a gambit, I would put the chips in disposable phones, the prepaid ones that are the prime choice of people who don't want to be tracked but need a phone. It's win/win if they find the chip in those or not. If they don't, you have intelligence perhaps to be farmed. If they do, you will have planted a seed of doubt at least concerning their phones and you might shoo them into getting sloppy in their search for secure communication. I think the risk factor of exposure of the chips to prying noses would be less with the demographics that use those kinds of phones.

Anyway, I doubt that "they" are operating on that kind of level. It is the government after all, which is a political body. These tend to get mired down to a glacial pace with not only the machinations of the bureaucratic beast, but annoying amounts of accountability. It would take a mandate by them to get something like this done, because it would be like herding cats to get the manufacturers on board. You just know some idiot would flip out and run screaming to the press about "they" are trying to put a "backdoor" into everyone's phones.

I am not saying it couldn't be done. I think it could be pulled off, but it would need super deep pockets and oodles of background information on the engineers and chip designers. This involves coercion of course and cries for problems because you can't predict the outcome and you end up placing considerable risk on everyone and everything. Thinking it through, it's too far fetched and problematic to be much of a concern.

Thinking it through, I would wager they aren't chipping the phones. I would go on to say they probably don't need to, they probably have the best passive and subtle system set up to just monitor the traffic without altering it. But seriously, who even needs that? Google and Facebook, with the latter being free intelligence and the other all you need is a business looking for demographics information. I am shocked there isn't a "Google Badguys" app for agents yet, free for the curious and pay per use for agents. (Lots of features in the agent version, you will be able to torrent it of course before it's out of beta.)

As far as this Firewall app, it's a good idea. I am infinitely more worried about some dipshit app burning power up sending data, and thus contributing to the plight of the already steady drain on my OMFGPOWERHUNGRY Android Incredible, than "they" having a peek at what I am up to.

Re:White Hats, Black Hats, Tinfoil Hats. (1)

datapharmer (1099455) | more than 3 years ago | (#36022724)

Could they be chipped to spy on us without anyone knowing it?

They don't have to chip it, there's an app for that [cnet.com] too, and it has been around for at least 5 years.

Now what I could fathom them taking the risk of exposure for is the camera. Imagine being able to access any cell phone with a camera, browse its contents, or even activate it secretly.

They can, and do

Moral of the story, is don't carry a cell phone, monitor your home's security 24/7 to check for intrusion, do regular bug sweeps, don't talk or do business in your car, and never ever trust anyone. Your wife and kids and most trusted friends will be used as spies against you.

...or you could just put on your tin foil hat and call it a day.

Re:White Hats, Black Hats, Tinfoil Hats. (1)

mlts (1038732) | more than 3 years ago | (#36023638)

It is possible, but once someone brings pictures and recorded conversations out in a trial obtained that way, there would be a mass uproar:

People would start powering off their cellphones. Others would take apart the device and cut the solder traces to the cameras, snip the microphones, and use BlueTooth for all conversations. Enterprising companies will make cases out of metal and foam to guarantee the mic and camera won't pick up anything. Other cellphone case makers will make cases where only the wireless systems worked, so people could make calls via BT, but the onboard camera/mic would not be usable.

Yes, being able to use the camera and mic will help for investigators, but only on the scale of gaining enemy intel. If they started using it to put people into prison, suddenly it would be cool in the thug life to go back to citizen's band radios, and you will start seeing blinged out Cobra hand-helds as the latest style.

ZoneAlarm and NetBarrier (2)

dltaylor (7510) | more than 3 years ago | (#36021536)

I used to use ZoneAlarm on Windows (still a version on my Win2K Starcraft PC), and tried NetBarrier for the PPC Macs. Both worked similarly, and I thought ZA was the greatest addition to Windows, ever.

Sounds like my impending Color Nook will be getting one of these, day 1.

Re:ZoneAlarm and NetBarrier (-1)

Anonymous Coward | more than 3 years ago | (#36021550)

can't tell if troll or serious

Re:ZoneAlarm and NetBarrier (1)

dltaylor (7510) | more than 3 years ago | (#36021722)

Absolutely serious!

Re:ZoneAlarm and NetBarrier (1)

Joce640k (829181) | more than 3 years ago | (#36021756)

How can you tell if they're working or not?

If the malware is subverting ZoneAlarm (easy enough to do) then your sense of security could be completely false.

The ONLY way to spot unwanted outgoing connections is with a device external to your PC (eg. another PC on the same subnet running a packet sniffer).

Re:ZoneAlarm and NetBarrier (1)

Blade (1720) | more than 3 years ago | (#36021790)

How do you packet sniff on switched networks? The days of being able to sniff all traffic[1] on a network by having something else on the same network are gone my friend.

You'd need to be running some software on the switch or on the internet gateway, or some other device that sees all the traffic for some other reason.

[1] Yes, you can sniff some broadcast traffic.

Re:ZoneAlarm and NetBarrier (2)

RivieraKid (994682) | more than 3 years ago | (#36021826)

If you want to sniff on switched networks, stop being so cheap.

You'll need a managed switch with the ability to designate a specific switch port as a SPAN or mirror port (http://en.wikipedia.org/wiki/Port_mirroring). This will allow you to monitor any other traffic that is passing through the switch.

Those days aren't gone, they merely got a whole lot more expensive.

In any case, it's more likely that you'd do monitoring at the egress point(s) of your private network, not on a particular switch.

Re:ZoneAlarm and NetBarrier (1)

Blade (1720) | more than 3 years ago | (#36021876)

If you want to sniff on switched networks, stop being so cheap.

You'll need a managed switch with the ability to designate a specific switch port as a SPAN or mirror port (http://en.wikipedia.org/wiki/Port_mirroring). This will allow you to monitor any other traffic that is passing through the switch.

Those days aren't gone, they merely got a whole lot more expensive.

In any case, it's more likely that you'd do monitoring at the egress point(s) of your private network, not on a particular switch.

Luckily I don't want to sniff stuff on a switched network, although the comment I was replying to made it sound like it was possible to do it by simply sticking another PC on the network. We both know that's not the case.

Your comment is happily covered by my "You'd need to be running some software on the switch or on the internet gateway, or some other device that sees all the traffic for some other reason."

Re:ZoneAlarm and NetBarrier (2)

nabsltd (1313397) | more than 3 years ago | (#36023160)

Those days aren't gone, they merely got a whole lot more expensive.

I don't think a few hundred dollars for a 48-port switch is "a whole lot more expensive". Although they are around $500 each in general, I bought a pair of brand new Netgear GS748T switches on sale for $500 total. There is also a 24-port version for less than $300.

They fall into the class of "smart switch", although they are closer to being "managed" in their feature set. One of the features is being able to set up a port to receive all traffic on other ports. The best part is that it's fairly configurable, so that the "sniffer port" (their term) can listen to traffic on one or more other ports.

Re:ZoneAlarm and NetBarrier (1)

nschubach (922175) | more than 3 years ago | (#36023272)

Technically, you could set up a Linux gateway fairly easily and you can tcpdump all traffic going through it. All you need is two ethernet ports on a spare/old PC. I know I have a few old motherboards lying around that have two Ethernet ports on them. (Well...this is Slashdot. How many of us don't?)

So the expensive part is really just setting up the machine to do it and you could just remove it when you are done.

(This is what I assume the GP was talking about when they stated: "You'd need to be running some software on the switch or on the internet gateway")

Re:ZoneAlarm and NetBarrier (1)

soundguy (415780) | more than 3 years ago | (#36021834)

Port mirroring on the switch

Re:ZoneAlarm and NetBarrier (1)

Blade (1720) | more than 3 years ago | (#36021862)

Yep, that's certainly one option. And it's more than just "another PC on the same subnet running a packet sniffer". Do any home-grade ADSL / Cable devices support it? Maybe with some of the open firmware solutions?

Re:ZoneAlarm and NetBarrier (0)

Anonymous Coward | more than 3 years ago | (#36022424)

This is simple. Go to your shelf of old gear, grab a 10/100 HUB, plug in the two devices (the machine you are monitoring and the machine running the packet capture), start your capture and get the trace. What, doesn't everyone have at least one 10/100 hub left lying around? I think I have about 3 of them between my office at home and the one at work.

Re:ZoneAlarm and NetBarrier (1)

blackest_k (761565) | more than 3 years ago | (#36022628)

Thank you for reminding me I do have a 10/100 hub somewhere.
I was going to dig out a couple of wireless cards since I'm using one of my routers elsewhere, but that will do nicely :)

Re:ZoneAlarm and NetBarrier (1)

cynyr (703126) | more than 3 years ago | (#36022500)

You sniff it at the firewall, which in my case is a full fledged Linux box. Want to talk on the internet in my home? It goes through that box. I could care less usually if my phone is talking to my desktop...

Re:ZoneAlarm and NetBarrier (0)

Anonymous Coward | more than 3 years ago | (#36022854)

How much less could you care, though?

Re:ZoneAlarm and NetBarrier (1)

datapharmer (1099455) | more than 3 years ago | (#36022930)

You are kidding, right? The only difference is you have to be able to locate a choke point now, and place your interception there. Everything still goes through the network, everything just isn't broadcast out to every port now.

For 10/100 use an old hub or passive network tap, for gigabit use a monitor port on a managed switch or a computer acting as a bridge to intercept and process between devices. You can put this between switches to get all traffic on a particular unmanaged switch or between the gateway and the rest of the network or directly on the gateway; those of us that do often call this "running snort".
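The point made in this post and in the Linux-gateway suggestion above is that a box sitting at a choke point (hub, tap, mirror port, bridge or the gateway itself) sees the real traffic, so a host-based firewall that has been subverted cannot hide from it. The following is an added example, not code from any poster, of what that external monitor can do with a capture: it parses lines in the shape `tcpdump -n` prints (assumed format), picks out new outbound connection attempts (pure SYN packets) from one monitored host, and reports every destination/port pair that is not on an allowlist. The capture, the monitored address 192.168.1.50 and the RFC 5737 destination addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Regex for the common `tcpdump -n` TCP line shape (assumption: this is the
# format the capture box on the gateway or mirror port produces).
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\]'
)

# Constructed sample capture. The phone is 192.168.1.50; destinations use
# documentation ranges (RFC 5737) and do not refer to any real service.
SAMPLE_CAPTURE = """\
10:15:01.000100 IP 192.168.1.50.41234 > 198.51.100.10.443: Flags [S], seq 1, win 65535, length 0
10:15:01.003200 IP 198.51.100.10.443 > 192.168.1.50.41234: Flags [S.], seq 2, ack 2, win 65535, length 0
10:15:07.120000 IP 192.168.1.50.41235 > 203.0.113.7.8080: Flags [S], seq 9, win 65535, length 0
10:15:07.900000 IP 192.168.1.50.41235 > 203.0.113.7.8080: Flags [P.], seq 10:200, ack 1, win 65535, length 190
10:15:09.000000 IP 192.168.1.22.5000 > 192.168.1.50.5000: Flags [S], seq 3, win 65535, length 0
10:15:30.000000 IP 192.168.1.50.41236 > 203.0.113.7.8080: Flags [S], seq 11, win 65535, length 0
"""


def parse_line(line):
    """Return a dict of the packet fields, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt['sport'] = int(pkt['sport'])
    pkt['dport'] = int(pkt['dport'])
    return pkt


def outbound_syns(capture, monitored_host):
    """Yield new connection attempts (SYN without ACK) sent by monitored_host."""
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt['src'] != monitored_host:
            continue
        flags = pkt['flags']
        # tcpdump prints '.' for ACK, so 'S' alone is the opening SYN
        if 'S' in flags and '.' not in flags:
            yield pkt


def unexpected_connections(capture, monitored_host, allowed):
    """Map each (dst, port) not in `allowed` to the timestamps it was contacted.

    `allowed` is a set of (ip, port) tuples the host is expected to talk to.
    """
    seen = defaultdict(list)
    for pkt in outbound_syns(capture, monitored_host):
        key = (pkt['dst'], pkt['dport'])
        if key not in allowed:
            seen[key].append(pkt['ts'])
    return dict(seen)


if __name__ == '__main__':
    allowlist = {('198.51.100.10', 443)}
    for (dst, port), times in unexpected_connections(SAMPLE_CAPTURE, '192.168.1.50', allowlist).items():
        print(f'{dst}:{port} contacted {len(times)} time(s), first at {times[0]}')
```

Feeding a real capture in is a matter of piping `tcpdump -n -i <iface>` output into `unexpected_connections`; the allowlist is what makes the report useful, since a phone that only ever talks to known services produces an empty result and anything else stands out immediately.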

Re:ZoneAlarm and NetBarrier (1)

Blade (1720) | more than 3 years ago | (#36023112)

No I wasn't kidding, but apparently, I wasn't clear either.

I know how you intercept traffic on a switched network - but the person I was replying to didn't appear to do so. It's not been a case of 'just sticking another PC on the network' for quite a while now.

Re:ZoneAlarm and NetBarrier (0)

Anonymous Coward | more than 3 years ago | (#36023000)

If the malware is subverting ZoneAlarm (easy enough to do) then your sense of security could be completely false.

Define "malware". Maybe he just wants to know when legit software he installed (Steam, Windows Update, some random Adobe updater) is phoning home, and poke holes in the firewall accordingly.

For example, a physical purchase of Fallout 3 (not F:NV) didn't work out of the box until it was (a) activated, which annoyed me, but I could live with, and (b) still took a minute or two to start - because the "firewall" was blocking the GFWL login attempt. As I had no interest in GFWL, instead of poking a hole for it, I manually yanked out the GFWL crap. Had I not had the software "firewall", I would never have known why the game took so long to start. The game now starts instantly, and has never tried to phone home since.

Re:ZoneAlarm and NetBarrier (1)

Artifex (18308) | more than 3 years ago | (#36021712)

As an aside, if you have any machines running OSX these days, you should look into getting Little Snitch. Love it; it's been eye-opening to see how often and where browsers call home when they're started, now, for instance.

Re:ZoneAlarm and NetBarrier (2)

cheros (223479) | more than 3 years ago | (#36021792)

Used it. Little Snitch has IMHO one major problem: they decided that it should use the Mac's voice system if you go into FrontRow, and it's not optional - there is no way to disable it at all. Voice rendering on computers is a pet hate of mine (and Apple's system is pretty bad), so the fact that LS decided all on its own to use this was enough to start seeking an alternative.

I switched to Hands Off [metakine.com] , which has the added advantage that I can have it monitor what applications do with my hard disk as well. And they offer a cheap license for those switching from LS, which helps :-).

The only question with both apps is: do THEY phone home? Haven't looked with Wireshark yet, but I will..

Re:ZoneAlarm and NetBarrier (0)

Anonymous Coward | more than 3 years ago | (#36021928)

but how can you tell that wireshark doesn't phone home?

dun dun duuuuuun

Re:ZoneAlarm and NetBarrier (1)

cheros (223479) | more than 3 years ago | (#36022128)

True enough. You're in a twisty maze, with passages all alike - and your geo-location enabled phone will sell your every move..

Re:ZoneAlarm and NetBarrier (1)

datapharmer (1099455) | more than 3 years ago | (#36022952)

compile from source?

Re:ZoneAlarm and NetBarrier (0)

Anonymous Coward | more than 3 years ago | (#36023422)

but how can you tell that wireshark doesn't phone home?

compile from source?

But how can you tell your compiler doesn't insert "phone home" functionality into the resulting binary?

dun dun duuuuuun

Re:ZoneAlarm and NetBarrier (1)

clang_jangle (975789) | more than 3 years ago | (#36022038)

The hands-down best firewall for OS X (and other BSDs) is ipfw. No pointy-clicky though, so most Mac users won't use it.

Re:ZoneAlarm and NetBarrier (3, Interesting)

cheros (223479) | more than 3 years ago | (#36022232)

No pointy-clicky though, so most Mac users won't use it.

I was building BSD firewalls based on Gauntlet more than 2 decades ago :-). You have two extra problems with ipfw - you need to know upfront what you're going to shut down or allow and it requires a lot of expertise that is not available to your average user.

In my case, you can add that I can no longer be bothered with hacking around in a box, I want the damn thing to work so I can get stuff done. Both LS and HO pop up when they have a question, but leave me otherwise to work. Fine by me..

Re:ZoneAlarm and NetBarrier (1)

clang_jangle (975789) | more than 3 years ago | (#36022410)

In my case, you can add that I can no longer be bothered with hacking around in a box, I want the damn thing to work so I can get stuff done. Both LS and HO pop up when they have a question, but leave me otherwise to work. FIne by me.

Actually, configuring ipfw is incredibly simple. Beyond most OS X users probably, but anyone who can install and configure *BSD will not be daunted by the five minutes or so it takes to set up ipfw. :)

But of course your choice is valid and requires one to know or remember almost nothing, which is perhaps key for most users. Personally, I do not want popups interrupting me when I'm working, and since a proper firewall comes down to defining a handful of rules (or less) up front and then being left alone forever, that's certainly my preference.

Re:ZoneAlarm and NetBarrier (1)

Hatta (162192) | more than 3 years ago | (#36023546)

I was building BSD firewalls based on Gauntlet more than 2 decades ago

Your TTL is running out. Packet is about to die!

Re:ZoneAlarm and NetBarrier (1)

TheRaven64 (641858) | more than 3 years ago | (#36023096)

The hands-down best firewall for OS X (and other BSDs) is ipfw.

Nonsense, the best firewall for other BSDs is pf [wikimedia.org] . Apparently it's also going to be the best firewall in OS X 10.7.

Re:ZoneAlarm and NetBarrier (1)

clang_jangle (975789) | more than 3 years ago | (#36023140)

I prefer ipfw (Altq is a major advantage IMO), but it's a bit like arguing about vi vs emacs -- either will do the job, just depends on how you like to work.

Lesson learned (0)

Anonymous Coward | more than 3 years ago | (#36021564)

Use an operating system that cooperates. It spares you the trouble of filtering your outbound traffic.

Re:Lesson learned (0)

Anonymous Coward | more than 3 years ago | (#36021608)

Will do, as soon as one exists.

Droidwall already did a good job at it (4, Informative)

Anonymous Coward | more than 3 years ago | (#36021594)

Not dynamic, but allows you to set up white/black lists of applications to access the 3G or wifi network.
Does a good job. You just have to remember to add new apps to the white list if you want to allow them access to a network.

http://code.google.com/p/droidwall/
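Every Android app runs under its own Linux UID, which is what lets a per-app allowlist or blocklist be expressed as netfilter rules using the `owner` match. The block below is an added example, not DroidWall's own script, that generates such a rule set for either mode and then walks the generated rules first-match, the way the OUTPUT chain would, so the behaviour the poster mentions (a newly installed app is blocked in whitelist mode until it is added) can be checked without touching a device. It assumes a rooted device with iptables and the `owner` match available, that wifi and mobile data appear as `wlan0` and `rmnet0` (interface names vary by device), and that the OUTPUT chain's policy is ACCEPT; the UIDs 10042 and 10099 are made up.

```python
# Interface names are an assumption; real devices differ.
IFACES = {'wifi': 'wlan0', 'mobile': 'rmnet0'}


def build_rules(mode, uids_by_net):
    """Return the iptables commands for a per-app outbound policy.

    mode        -- 'whitelist' (listed UIDs allowed, everything else rejected)
                   or 'blacklist' (listed UIDs rejected, everything else allowed)
    uids_by_net -- {'wifi': {uid, ...}, 'mobile': {uid, ...}}
    """
    if mode not in ('whitelist', 'blacklist'):
        raise ValueError(f'unknown mode: {mode}')
    per_app = 'ACCEPT' if mode == 'whitelist' else 'REJECT'
    rules = ['iptables -F OUTPUT']  # start from an empty OUTPUT chain
    for net, iface in IFACES.items():
        for uid in sorted(uids_by_net.get(net, ())):
            rules.append(
                f'iptables -A OUTPUT -o {iface} -m owner --uid-owner {uid} -j {per_app}')
        if mode == 'whitelist':
            # Catch-all after the per-app rules: anything not listed is rejected.
            rules.append(f'iptables -A OUTPUT -o {iface} -j REJECT')
    return rules


def evaluate(rules, uid, iface):
    """Simulate netfilter's first-match walk of the OUTPUT chain for one packet.

    Only the options build_rules() emits (-o, -m owner --uid-owner, -j) are
    understood; the chain policy is assumed to be ACCEPT when nothing matches.
    """
    for rule in rules:
        tok = rule.split()
        if tok[:3] != ['iptables', '-A', 'OUTPUT']:
            continue  # flush command or something we do not model
        opts = dict(zip(tok[3::2], tok[4::2]))
        if opts.get('-o', iface) != iface:
            continue
        if '--uid-owner' in opts and int(opts['--uid-owner']) != uid:
            continue
        return opts['-j']
    return 'ACCEPT'


if __name__ == '__main__':
    policy = build_rules('whitelist', {'wifi': {10042}, 'mobile': set()})
    print('\n'.join(policy))
    # A freshly installed app (new UID) has no rule yet, so it is rejected.
    print('new app on wifi ->', evaluate(policy, 10099, 'wlan0'))
```

The simulator is deliberately narrow: it models only the rules this generator writes, which is enough to see why whitelist mode needs the trailing per-interface REJECT and why forgetting to add a new UID silently blocks that app. Applying the rules on a device is simply running each line as root.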

Re:Droidwall already did a good job at it (1)

exabrial (818005) | more than 3 years ago | (#36021768)

Yep, WhisperWall is the _Second_. I've been running DroidWall for months.

Re:Droidwall already did a good job at it (1)

mlts (1038732) | more than 3 years ago | (#36022426)

I'd say DroidWall has been out at least a year. It has done so far an effective job at keeping apps from phoning home.

It would be nice to have a utility that offers the ability to keep apps away from the ability to get GPS info, either coarse or fine. This way, an app can do what it needs to, but when phoning home with whatever info it can find, it will either get the coordinates of some random place, or none at all.

Re:Droidwall already did a good job at it (1)

Charliemopps (1157495) | more than 3 years ago | (#36022216)

Yes, but did it include the OS? I think this is the difference in this application.

Meh... (2)

Loki_666 (824073) | more than 3 years ago | (#36021650)

Which is why I like my mobile phone to remain a mobile phone and not a mini-computer subject to the same problems that plague PCs. We already have malware and other crap for mobile devices and the need for firewalls.... bet the anti-virus companies are wetting their pants over the move from mobile phones to mobile computers.

If I find myself in an emergency situation I'd like to be sure my mobile phone is working and not suffering from a plague of outbound traffic sending spam to half the world.

Re:Meh... (0)

Anonymous Coward | more than 3 years ago | (#36021746)

Dude, just run Linux on your phone, then you'll be OK. Oh wait :(

Re:Meh... (1)

L4t3r4lu5 (1216702) | more than 3 years ago | (#36021940)

SMS of Death [schneier.com]

Bad coding is ubiquitous on all devices running any software. Remember that these are consumer end devices and not scrutinised in the same way as, say, military software is.

Oh, wait... [slothmud.org]

Re:Meh... (0)

Anonymous Coward | more than 3 years ago | (#36021962)

I often hear this claim that simple phones are considered secure, while smartphones are not. There is a very interesting podcast on the German Chaos Computer Club's site that discusses the state of GSM security [chaosradio.ccc.de] , and there are many serious concerns there. For example, a SIM card is able to run programs that are installed transparently over the network, without the user knowing anything of it.

The interviewee has a list of related publications on his university website [virginia.edu] .

If at all possible, get someone to translate this podcast into English for you, then go ahead and treat yourself to a nice smartphone -- accepting that there is no security out there ;-)

Re:Meh... (1)

jc42 (318812) | more than 3 years ago | (#36022734)

Which is why I like my mobile phone to remain a mobile phone and not a mini-computer subject to the same problems that plague PCs. We already have malware and other crap for mobile devices and the need for firewalls.... bet the anti-virus companies are wetting their pants over the move from mobile phones to mobile computers.

So you still have an analog mobile phone? Do they still make those? ;-)

Seriously; all digital phones are small computers. If one has a UI that only does phone calls, that's fine for customers that want that, but inside, there's still a cpu chip and a pile of software. It may be slow and have not much memory, but it's still a programmable computer. With a phone-only UI, it really just means that you have no way of discovering what other software the vendor might have filled it with.

One of the other stories today is about a new video camera that's only a millimeter wide. It's probably just a matter of time before we're reading a story about someone's "phone only" device that contains this camera, with its pics or videos ending up on youtube. So be careful about where you set your phone down while you're doing something nearby. ;-)

Only for Nexus (1)

masterfpt (1435165) | more than 3 years ago | (#36021738)

It's only available as a 0.3 Beta for Nexus S and Nexus 1.

The Installers are only for Windows 7 (64Bit) and Linux 64Bit (and OSx).

It's a great idea. If it continues to be free, I'll install it when it becomes available for my HTC...

Re:Only for Nexus (3, Informative)

Anonymous Coward | more than 3 years ago | (#36021846)

The 'installer' wipes your ROM and replaces it with their own. It isn't an app installer.

Re:Only for Nexus (1)

rrossman2 (844318) | more than 3 years ago | (#36023174)

It's 85Megs (windows x64 installer).. unless they cut out a lot of standard apps as well, I think there's something else to it. Maybe I'm wrong and it is just a custom done ROM, as I'm used to the Galaxy S ROMs (which typically are 130-200MB)

Re:Only for Nexus (0)

Anonymous Coward | more than 3 years ago | (#36023302)

I downloaded the installer, extracted it, then unyaffs'd the partition images. It's a ROM :).

I only looked in /system/app/, but all the stock Android apps were there.

iPhone App (2)

AtomicJake (795218) | more than 3 years ago | (#36021758)

Excellent news for Android users. I guess that Apple would never accept a similar App for the iPhone - it might disturb the user experience.

Re:iPhone App (0)

Anonymous Coward | more than 3 years ago | (#36021870)

s/user experience/ad revenue and data collection/

Re:iPhone App (1)

tronicum (617382) | more than 3 years ago | (#36022152)

It is not in the marketplace. And it replaces the whole OS with a modified full disk encryption mod. But there is no uninstall path yet.

Re:iPhone App (1)

coofercat (719737) | more than 3 years ago | (#36022222)

And that user experience will stop this being useful for anyone except the geeks. Once you click the "allow" button with the "always do this from now on" tick box checked, then your app leaks data for ever. You may legitimately want super-whizzo-local-knowledge-app to know your location when you use the app, but not so much when it's hidden away in the background (or otherwise not immediately in use).

This is a good step forward, but I doubt it'll solve the problem entirely.

Re:iPhone App (1)

mlts (1038732) | more than 3 years ago | (#36022442)

Also, if an app that doesn't do anything nasty has access to items, who knows if a future update pushed out with more malicious code may affect people. A lot of people automatically update their devices, and the SMS archiver that works perfectly with the v1.0 copy is spamming contacts at random with the 1.0.1 rev.

Re:iPhone App (2)

chihowa (366380) | more than 3 years ago | (#36023658)

I guess that Apple would never accept a similar App for the iPhone - it might disturb the user experience.

That's true, but there's one available in Cydia for jailbroken phones. Called Firewall IP [saurik.com] , it works pretty well.

But, Android is for advertising... (1)

irp (260932) | more than 3 years ago | (#36021812)

The issue with Android is it is an advertising platform. But imho with a strangely bad implementation... At least in hindsight.

I like my HTC, but sincerely hate all the programs that "require" full internet access. The reason given is ads, which I am often alright with: I get stuff "for free" that I don't care enough to pay for (games, rarely used tools, apps I can easily live without). The problem is one never knows what else they use this unrestricted access to. Much of this doubt could be removed if Google maintained a white-list of ad servers (also 3rd party). That way most programs would not require full internet access, but only *restricted* access to a *limited* amount of servers.

These servers can of course be hacked etc. but at least they can easily be black-listed, leaving a more well-defined security risk.

I never understood why Google didn't implement it this way. Were they trying to "hide" that Android is made to open a new revenue source for them? Trying to make people believe they were "selling" a phone OS? Or did they sincerely not consider the risks of this implementation?

Blocking the ads is essentially stealing from the app developers (or more correctly; depriving them of income). I don't want to do that, but I would like a firewall.

Supports only two devices (0)

Anonymous Coward | more than 3 years ago | (#36021816)

This is currently supported for two devices (Nexus S and Nexus One) and not Android in general.

Re:Supports only two devices (0)

Anonymous Coward | more than 3 years ago | (#36021926)

Dunno if it'll work on other devices (netfilter support in kernel is a must) but here's the N1 WhisperMonitor apk: https://rapidshare.com/files/460534963/WhisperMonitor.zip [rapidshare.com] . Install to /system as it requires root.

The two download links are for ROMs not the app.

This shouldn't need to exist (1)

atari2600a (1892574) | more than 3 years ago | (#36021848)

I mean I can see the benefit of being able to install an app that requires data permissions without the data, but this really should be something built into the operating system. Then again, perhaps a built-in firewall would be too much...

Please port this to Linux A.S.A.P. (4, Insightful)

TractorBarry (788340) | more than 3 years ago | (#36021938)

> "It monitors all outbound connection attempts by applications and the operating system, and asks users to permit or block any URLs and port numbers that are accessed."

Excellent. + 100 this is the way things should be !!!

I've been yammering on about this for ages now without being able to get any Linux devs interested. As far as I'm concerned without such a feature Linux is a dead duck as far as being an operating system suitable for the home user. I've stopped putting Ubuntu on peoples machines due to the complete lack of such a firewall. And no. iptables and Firestarter etc. are not the same thing *at all*.

The end user should always be given the final decision before *ANYTHING* on the computer is allowed internet access. This single feature of the Zone Alarm firewall on Windows has allowed numerous "non computer savvy" friends and relatives to realise they have a problem well before malware has been able to phone home. Not to mention blocking all the crappy "auto updaters" and other such crap that idiots have started putting in their Windows apps.

1 The people who write Zone Alarm for Windows get it.

2 Moxie Marlinspike gets it.

3 The Linux devs simply do not get it. They seem to believe we live in Magic Fairyland where no program would ever do anything malicious and anything should be able to connect out without the user knowing about it. "But we're only fetching cover art/some other stuff". No you're reporting information to a third party that I do not wish sent thank you very much.

Without this simple feature your computer is simply a digital spy silently allowing any program to send any information it wants anywhere in the world.

Totally unacceptable in 2011. All machines should have firewalls that allow the user full control of what applications are allowed to talk to the local network and/or the internet.

Re:Please port this to Linux A.S.A.P. (2)

Zebedeu (739988) | more than 3 years ago | (#36022048)

While I agree with you on principle, I think in practice these types of programs bring a lot of grief.

I once visited the house of a friend who was having trouble connecting to the internet. Turned out ZoneAlarm (or a similar program) popped up a dialog asking if he wanted to block Windows networking (not by that name, but the library which controls it) and he said yes.

Of course there are ways around that. For example, the firewall program should've had networking whitelisted, but even then people will try and block all kinds of stuff and then complain it isn't working.

Re:Please port this to Linux A.S.A.P. (1)

clang_jangle (975789) | more than 3 years ago | (#36022074)

Considering there's nothing as feature-complete as IPtables on Linux, I think your best bet is to learn that rather than rely upon some limited GUI interface.

Re:Please port this to Linux A.S.A.P. (4, Interesting)

Luckyo (1726890) | more than 3 years ago | (#36022146)

Considering there's nothing as feature-complete as IPtables on Linux, I think your best bet is to learn that rather than rely upon some limited GUI interface.

I think you just underscored his point of linux not being usable for a desktop. Modern desktop should NOT, EVER rely on command line interface for anything aimed at end-user if it is to be usable.

There is a reason why we don't use rotary diallers in smartphones. There's a reason why we don't use command line interface on average home desktop machines (and no, your home machine is NOT average by any margin any more than a rotary dialler phone is if it's using linux).

Re:Please port this to Linux A.S.A.P. (3, Insightful)

clang_jangle (975789) | more than 3 years ago | (#36022348)

There's a reason the CLI remains the first choice of admins and coders, too -- it's the most powerful interface. It won't be going away in the next fifty years, and may still be with us in a thousand. Users who think "the computer needs to learn me" rather than the other way around will always have a low ceiling on their competence level and will always be frustrated.

As far as the "not usable" BS, really who cares? Competent people use *nix, most people are not competent. It's old news, and I really don't care what you use, frankly. Just trying to be helpful...

Re:Please port this to Linux A.S.A.P. (1)

Sycraft-fu (314770) | more than 3 years ago | (#36023492)

And you can crow on about power all you want, users need ease of use. People are not experts in all devices and cannot be expected to be. Neither are you, for that matter. I'm sure in short order I could find many devices you use that you have little understanding of how they work, and that an easy to use interface is important to your liking of the device.

The attitude that everyone should be "competent" and willing to be a tough guy with computers is silly. No, things should be made easy for humans. The point of automated devices is to make our lives easier, not harder.

As a simple example: Do you buy frozen food and microwave it? If so (and I'm sure you do) why? Why not make all your own food, from scratch. It is healthier, tastes better, and is generally cheaper. Why own a microwave at all for that matter? An oven can cook anything a microwave can.

The reasons, of course, would be convenience and understanding. It can be a lot of work to cook everything from scratch and if you are like most geeks you probably know fuck-all about cooking (particularly the harder aspects like baking).

That's fine, I would never suggest that everyone should know how to cook, and particularly never suggest that everyone should master it (you don't need recipes when you are really good, even for baking, you can do it all yourself). However neither would I suggest that everyone should be willing to use a CLI, which is extremely unintuitive to humans, or learn to program just to be "competent."

For most people computers are tools, no more no less. That means like any good tool they should be able to get the job done as easily as possible.

Re:Please port this to Linux A.S.A.P. (1)

SilentMobius (10171) | more than 3 years ago | (#36022620)

A push button dialler has _more_ functionality than the older rotary dialler (at least additional items "#" and "*")
The transition from rotary->push button is simply one of mechanical reimplementation, not of simplification.
Now we have address books, how would people feel if you _only_ had address books, you couldn't add any new numbers you could only choose from the numbers that were somehow "blessed" by your telco or phone manufacturer. That is a more accurate comparison to the iPodification of tech.

I'm all for UI's that hide complexity as long as they always allow you to express the full power of the system in question, even if they hide much of it by default. However that is rarely what these UIs do, generally they simply remove needed features.

Re:Please port this to Linux A.S.A.P. (1)

Anonymous Coward | more than 3 years ago | (#36023300)

> Modern desktop should NOT, EVER rely on command line interface for anything aimed at end-user if it is to be usable.

Oh, BS. This mentality is why the internet is the spam infested cesspool that it is. As long as we cater to people who refuse to learn things, who are proud of their stupidity, there will always be the kind of problems we see today.

Thirty years ago everyone using personal computers was using the command line because _that is all there was_. Have people become dumber since then? I doubt it - just lazier and more unwilling to learn.

The UI cannot express but a small fraction of the CLI's functionality. Thus, there is now and will always be good reasons to use the command line.

Re:Please port this to Linux A.S.A.P. (0)

Anonymous Coward | more than 3 years ago | (#36023330)

There is a reason why we don't use rotary diallers in smartphones. There's a reason why we don't use command line interface on average home desktop machines

But those reasons are entirely different. The rotary dialer is old technology which the average Joe understands. The unix command line is modern technology which the average Joe does not understand. The reason we don't want rotary dialers on smartphones is because it is old technology. The reason we don't want the unix command line on Average Joe's computer is because he doesn't understand it.

In conclusion, your analogy wasn't exactly a home run.

Re:Please port this to Linux A.S.A.P. (0)

Anonymous Coward | more than 3 years ago | (#36023428)

There is a reason why we don't use rotary diallers in smartphones.

Speak for yourself. [youtube.com]

Re:Please port this to Linux A.S.A.P. (1)

irp (260932) | more than 3 years ago | (#36022168)

You are of course absolutely correct... Except you are missing who-is-who: You are not the end-user. You are the product! :-)

Advertisers are the end-user, they pay for your apps, for your Gmail, and for each and every search you do on Google search... Your phone is just an extension of this package.

I still agree with you and think Google have made a horrible implementation in Android: We SHOULD be able to deny an app full internet access. The app should still function, but just get a "not connected" exception. Ads should be presented through *restricted* access to a *limited* number of white-listed servers (also 3rd party). These server can of course go bad, but at least they are easily black-listed.

Re:Please port this to Linux A.S.A.P. (1)

clang_jangle (975789) | more than 3 years ago | (#36022490)

Ads should be presented...

No, they should not. That's the problem with android in a nutshell -- it's TiVo-ized Linux turned into an advertising platform, provided to you via your carrier and a ginormous advertising company. Do not want.

Technology already exists ... (2)

DrYak (748999) | more than 3 years ago | (#36022204)

On linux we have AppArmor, we have the possibility to distinguish PIDs in iptables (already used for traffic shaping by Peer-2-peer aficionados), ...

The problem is not the technology, the problems are different :
- The main one is the interface. Someone has to write something which is user-friendly enough.
- The other problem is the massive amount of executables existing on Linux. ZoneAlarm works well on windows, because of its rather monolithic structure. There aren't that many processes needing to be controlled. The Unix philosophy is opposite, a swarm of small tools which each do only one thing, but do it well. Something like ZoneAlarm on Linux would produce a metaphorical Zerg-rush of pop-ups.

Also it is slightly counter productive :
- Such tools are indeed important on Windows, because there is *NO* *OTHER* *WAY* to control the software. They are mostly binary only. So you can only control them by restricting their accesses
- On linux, the software is open-source, and mostly comes from the distribution. There are lots of different and better ways to do it.

They seem to believe we live in Magic Fairyland where no program would ever do anything malicious

In a way, because the code is better reviewed that is partially true. The linux community has better ways to know what is happening inside a given software.
That also means that one of the best practices would be to standardize on some access-restriction mechanism (like AppArmor) and have the developer systematically write profiles. Thus :
- it will be easier for the end user, not to have to write a profile for every single application.
- it will be easier to quickly look at the profile to know what an application could do.
- in case of exploit, the access-restriction-mechanism could easily block the abnormal behavior which the application never asked for in the first place.

"But we're only fetching cover art/some other stuff". No you're reporting information to a third party that I do not wish sent thank you very much.

And guess what ? The source code is open, and there are a lot of paranoid linux users like you out there. Thus some have added code to ask permission : on their first run, both VLC and Amarok explain the situation to you and give you a choice : systematically download the art / only download on demand / never touch the internet.

What we need is :
- more such efforts
- and perhaps a better centralized way to control such elements. (think like a centralized "privacy control panel" in KDE's System Settings, or some Gnome & Unity equivalent).

This requires lots of collaboration and effort, but that's something the Linux community *CAN* do (unlike the binary world, for obvious technical reasons).

Re:Please port this to Linux A.S.A.P. (1)

ron_ivi (607351) | more than 3 years ago | (#36022272)

Can SELinux do much/most of what you're asking? The SELinux "sandbox" utility has some examples of restricting network access on an application-by-application manner.

For example, this firefox can access the internet:

sandbox -X -t sandbox_web_t firefox

and this one can't:

sandbox firefox

If you set up selinux policies that restrict most applications by default, it should cover that "cover art" use case you mentioned.

Re:Please port this to Linux A.S.A.P. (2)

KiloByte (825081) | more than 3 years ago | (#36022294)

Uhm, wrong. A hostile userland program that can execute arbitrary code has ALREADY WON. There's nothing a "personal firewall" can do. Even if that firewall of yours would look at which process started the connection, there are many, many ways to control a process that is allowed. Both on Unix and on Windows.

You'd need a sandbox of some kind: a virtual machine, a separate user who can't directly access the network, a quasi-user (like a selinux role), etc. On Windows, even separate users are not enough if both processes are in the same "window session".

"Personal firewalls" can protect against a honest mistake or dumbest crooks. Against anything else, they're snake oil and give a false sense of security -- ie, are actually detrimental. As you said, "totally unacceptable in 2011". No one should run unreviewed code outside a sandbox.

Re:Please port this to Linux A.S.A.P. (1)

Stray7Xi (698337) | more than 3 years ago | (#36022622)

The Linux devs simply do not get it. They seem to believe we live in Magic Fairyland

I don't think you get it. Who is "they"? Linux isn't a brand and it's not a company. There is no such thing as "The linux devs" except the linux kernel developers. There are literally thousands of different unrelated teams working on linux packages. Frankly I have no idea who you're talking about. Linux has the support for what you're saying, someone just needs to develop it. There are/were developers for a similar tool, maybe you should talk with them. If they ever got somewhere good, maybe they'd be included in a distro. I have no personal knowledge of them:
Tuxguardian (discontinued)
linux-firewall.org

This (2)

Compaqt (1758360) | more than 3 years ago | (#36021960)

What happened to "appliances"? Set it and forget it?

Now it's going to be Windows all over again:

My phone's too slow, buy another one.
-reinstall OS
-upgrade OS
-install antivirus
-check for rootkits

Re:This (0)

Anonymous Coward | more than 3 years ago | (#36022544)

It has been that way since the beginning with Android. The only way to get control of the hardware you own is to root the bitch and install a custom ROM like CyanogenMod. Otherwise the phone manufacturer and carrier control you.

So yeah, every new Android phone I get has to go through a cleansing process just like any prebuilt, preinstalled computer.

Re:This (1)

clang_jangle (975789) | more than 3 years ago | (#36022642)

Is there any such thing as full rooting on a device with a locked bootloader though? I know there might be one or two android devices left on the market without a locked bootloader, but it seems all the new stuff is locked down. I think one can only get the illusion of "root" in that case. If you're using your carrier's kernel, you still don't know for sure what the system is doing.

Re:This (1)

Real1tyCzech (997498) | more than 3 years ago | (#36022942)

Very few devices are locked down completely. It's pretty much just the "Droids" (aka Motorola). SGSII was rooted just days ago (before US release...) and it does not have a locked bootloader iirc. HTC has, I believe also promised not to lock their bootloaders.

There are quite a few really good phones out there that can still have ROMs flashed on them. Just hit up XDA before buying your phone (or check the CM7 compatibility lists).

Re:This (1)

crashumbc (1221174) | more than 3 years ago | (#36023030)

you don't have to buy a "smart" phone, you know that right? Personally, having had one for a year, I would NEVER go back; the convenience of a "pc" in my pocket outweighs the annoyances 1000 to 1 ...

DroidWall (1)

kangsterizer (1698322) | more than 3 years ago | (#36021982)

While it is less detailed and has no popups, it is open source and works rather well:
http://code.google.com/p/droidwall/ [google.com]

The main difference being that DroidWall is all or nothing.

Currently only for... (1)

nbetcher (973062) | more than 3 years ago | (#36022166)

... Nexus One and Nexus S phones. Wow, what a let down. Says "More devices coming soon..." but you can pretty much count that they can't support all - or even most - devices, so this isn't an Android thing, it's a Nexus thing. Chances are it requires root which is why they can't support anything other than Nexus right now.

Re:Currently only for... (1)

nbetcher (973062) | more than 3 years ago | (#36022186)

The above being said, they should release steps for integration with custom Android ROMs so developers like myself can extend support for this to ALL devices, not just ones of their choosing.

having such code makes one a deletable terrorist? (0)

Anonymous Coward | more than 3 years ago | (#36022252)

should be at least tear gassed as an example to their neighbors. unknown activities? attempts to become unsurveiled? complaints about the 'weather'? no proclaimed political or religious attachments? intercepted texts include words like disarmament, hymenologist etc...? no wonder we need unspy.us code?

waking up to the big flash wednesday has arrived. the joyfully anticipated total world disarmament is proceeding as the need becomes met. the other alternatives suck, & must include injections of massive amounts of unnatural death, debt & deception of body mind & spirit for almost every one of us.

Not just good against malware (1)

ath1901 (1570281) | more than 3 years ago | (#36022262)

I (still) have a Nokia Symbian based phone and turned off all email updates, GPS map updates etc before going on a trip to China. After one week I got an SMS warning me of large "roaming charges" despite only using the phone for sending a handful of SMSes. Either I missed some automatic update/sync that should have been turned off (unlikely) or the phone checks/updates something which can't be turned off.

Either way, a firewall application would have helped me to:
A) Be sure the phone isn't auto-doing anything.
B) Find which application/system component is misbehaving.

With "smarter" phones and applications we need better tools for monitoring and control.

Re:Not just good against malware (1)

Zebedeu (739988) | more than 3 years ago | (#36023064)

I don't know about Symbian (or whatever OS you had running in your Nokia), but Android, and I believe iOS has an option to disable the data connection as soon as the phone begins roaming.

That checkbox is checked by default in Android, and if you try to uncheck it, a dialog box pops up explaining that you risk very high data rates while roaming.

Only works for Nexus. Need desktop, too (3, Insightful)

Kamiza Ikioi (893310) | more than 3 years ago | (#36022366)

FTA, only has installs for Nexus One and Nexus X, and installer comes in Windows, OSX, and Linux... and it looks like they're all 64bit installs only. Very limited. And there is DroidWall, which is available on the market, but I believe you need a rooted phone (which is probably true for any decent firewall). I use DroidWall and it's fantastic. It lets you choose to allow not just an app, but how it connects. You can, for instance, block Pandora on 3G, but not Wifi.
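The per-app, per-network control that the DroidWall comments above describe (the all-or-nothing whitelist, and "block Pandora on 3G but not Wifi") is what Linux's iptables "owner" match gives you once every app has its own UID, which is how Android assigns app identities. The script below is an added example written for this thread, not DroidWall's or WhisperMonitor's code. It assumes a kernel with the owner match compiled in, that mobile data leaves through rmnet*/pdp*/ppp* and Wi-Fi through wlan*/eth* (the interface names and the sample UIDs are constructed for the example), and it only prints the iptables commands so they can be inspected before being run as root on a rooted phone.

```shell
#!/bin/sh
# Added example (not DroidWall's or WhisperMonitor's code): emit a
# DroidWall-style per-app whitelist as iptables commands.
# Assumptions not stated on the page: every Android app runs under its own
# Linux UID, the kernel has the iptables "owner" match (-m owner --uid-owner),
# mobile data goes out via rmnet*/pdp*/ppp* and Wi-Fi via wlan*/eth*.
# Rules are printed rather than applied, so they can be reviewed first and
# then run as root on a rooted phone ("sh droidwall.sh --demo | sh").

IPT="iptables"
CHAIN="droidwall"
MOBILE_IFACES="rmnet+ pdp+ ppp+"
WIFI_IFACES="wlan+ eth+"

# ifaces_for NET: interface wildcards for "mobile" or "wifi"
ifaces_for() {
    case "$1" in
        mobile) printf '%s\n' "$MOBILE_IFACES" ;;
        wifi)   printf '%s\n' "$WIFI_IFACES" ;;
        *)      echo "ifaces_for: unknown network '$1'" >&2; return 1 ;;
    esac
}

# app_rule UID NET: one RETURN (allow) rule per interface of that network.
# The owner match only sees locally generated packets, hence the OUTPUT chain.
app_rule() {
    uid="$1"; net="$2"
    for ifc in $(ifaces_for "$net"); do
        printf '%s -A %s -o %s -m owner --uid-owner %s -j RETURN\n' \
            "$IPT" "$CHAIN" "$ifc" "$uid"
    done
}

# ruleset POLICY: POLICY is text, one "<uid> <mobile|wifi|both>" per line,
# "#" lines are comments. Everything not listed is rejected on both networks.
ruleset() {
    printf '%s -N %s 2>/dev/null\n' "$IPT" "$CHAIN"
    printf '%s -F %s\n' "$IPT" "$CHAIN"
    printf '%s -D OUTPUT -j %s 2>/dev/null\n' "$IPT" "$CHAIN"
    printf '%s -I OUTPUT 1 -j %s\n' "$IPT" "$CHAIN"
    # loopback is never filtered
    printf '%s -A %s -o lo -j RETURN\n' "$IPT" "$CHAIN"
    printf '%s\n' "$1" | while read -r uid net; do
        case "$uid" in ''|'#'*) continue ;; esac
        case "$net" in
            both)        app_rule "$uid" mobile; app_rule "$uid" wifi ;;
            mobile|wifi) app_rule "$uid" "$net" ;;
            *)           echo "ruleset: bad policy line '$uid $net'" >&2 ;;
        esac
    done
    # default deny; REJECT (not DROP) so the app gets a connection error
    # immediately instead of hanging until a timeout
    for ifc in $MOBILE_IFACES $WIFI_IFACES; do
        printf '%s -A %s -o %s -j REJECT\n' "$IPT" "$CHAIN" "$ifc"
    done
}

# Constructed sample policy (UIDs invented for the example): a music
# streamer allowed on Wi-Fi only, the "block Pandora on 3G but not Wifi"
# case, and a mail app allowed on both networks.
SAMPLE_POLICY='# uid      network
10042 wifi
10051 both'

if [ "${1:-}" = "--demo" ]; then
    ruleset "$SAMPLE_POLICY"
fi
```

Two caveats a practitioner would want before relying on this. First, UID 0 and the system UIDs are not on the list, so the default REJECT also hits the OS's own services (sync, check-in, the phone's telephony process); either whitelist them deliberately or accept the breakage, but decide, because a silent DROP here is exactly the "is the phone auto-doing anything?" question raised elsewhere in the thread. Second, as KiloByte points out above, a UID-based rule only tells you which process opened the socket, not on whose behalf: an app that is blocked can still hand a URL to an app that is allowed, so this is a leak monitor and a nuisance filter, not a sandbox.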

Re:Only works for Nexus. Need desktop, too (1)

Timmmm (636430) | more than 3 years ago | (#36023240)

That's because it replaces some of the android OS, and it needs a desktop installer to unlock the phone and push the files over adb.

There is also no uninstaller at the moment - you have to reflash the original ROM.

Marlinspike? (0)

Anonymous Coward | more than 3 years ago | (#36022564)

Blistering Barnacles! Thundering Typhoons!

Harrumph. (0)

Anonymous Coward | more than 3 years ago | (#36022646)

Grumble, whinge, standard functionality on a blackberry, whinge, grumble...

(get off my lawn)
