
Mabir.A Virus Targets Symbian Phones

timothy posted about 9 years ago | from the what's-a-good-synonym-for-malice dept.

Worms 199

adennis writes "Exploiting Bluetooth and weaknesses in the OS, the Mabir.A virus, like its predecessor, targets the version of the Symbian operating system running on Nokia Series 60 handsets. Since Symbian is the dominant smartphone OS, found on phones made by Motorola, Siemens, Sony Ericsson, Panasonic and Nokia, this virus could have great impact. Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?"


199 comments

I dress myself (-1, Offtopic)

Anonymous Coward | about 9 years ago | (#12152437)

yay!

Same thing? (5, Insightful)

soniCron88 (870042) | about 9 years ago | (#12152441)

Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?

Wouldn't an automatic update system serve to make the software more secure?

Re:Same thing? (1)

0x461FAB0BD7D2 (812236) | about 9 years ago | (#12152454)

It depends. If the malware authors get their hands on the patches before the vast majority of users do, and manage to figure out what was patched, you would theoretically see an upsurge in the number of exploits, assuming that the vulnerability which was patched was exploitable.

With the slow move towards 3G services, it is a given that exploits will rise, and malware will spread faster.

I, for one, will stick with 2.xG services and phones, because all I really want is a phone.

Re:Same thing? (3, Interesting)

badfish99 (826052) | about 9 years ago | (#12152483)

No. It means that the software company doesn't have to put so much effort into security, because they can go back and fix problems afterwards with an update.
So they get into a cycle of virus .. patch .. new virus .. new patch ... and many people have viruses all the time. Look at Windows for an example of this.
Of course you need an update system, because you can't guarantee to find every possible security hole before you issue your code, but it's no substitute for good quality code.

No (1)

amling (732942) | about 9 years ago | (#12152487)

Patching mistakes after your customers have suffered for them is a little different than doing it right the first time around.

Re:Same thing? (5, Insightful)

ManikSurtani (764890) | about 9 years ago | (#12152609)

Yep, pretty much, except that I believe the author meant that s/ware should be written with security in mind from the outset.

On a different note, what I'd loathe to see (but may be inevitable) are goddamn antivirus programs for phones. Imagine those things updating their virus dbs, etc. every time you switch on your phone...

Re:Same thing? (0)

Anonymous Coward | about 9 years ago | (#12152617)

Who cares! With the source code [geeknet.nl] of shadow warrior released you can watch wong wash wong on your symbian in no time!!

you have a new friend.. sticky bomb...

Re:Same thing? (1)

corevps (871362) | about 9 years ago | (#12152644)

I think you have to be careful with the update, as if it's in the firmware it could easily delete the user's settings, knowing how much fun I've had with phone

Re:Same thing? (1)

Total_Wimp (564548) | about 9 years ago | (#12152729)

The implication is that, if you go to a lot of time and effort, you strip naked at midnight and dance in the moonlight while chanting the secret name of the creator, that you'll somehow manage to make an OS that's "secure" and you'll never need to patch it again.

Many people seem to believe in this "secure" OS that never fails under any circumstances, even if you hit the spinning hard drives with a hammer and unplug the power cord. They know it's out there so they proclaim anything that needs patching as "unsecure" and move on, with disgust, to the next candidate.

I never know quite what to believe, myself. But sometimes, on warm, summer nights when the moon is full, you might catch a glimpse of me... dancing naked in the moonlight. (You may scream and wake up now)

TW

Re:Same thing? (1)

ThJ (641955) | about 9 years ago | (#12152822)

Isn't it possible to design an operating system using some very strict and controllable principles? Maybe even design a compiler/language that enforces them? Has anybody done something like this already?

Re:Same thing? (1)

caluml (551744) | about 9 years ago | (#12152838)

Wouldn't an automatic update system serve to make the software more secure?

As long as it's the phone company that pays for the updates. GPRS is about £1 per MB in the UK - it can be as high as £4 though.

virus (4, Insightful)

theseeria (849566) | about 9 years ago | (#12152444)

again?....what's the point of viruses in the first place.. evil teens with no life

Re:virus (0)

Anonymous Coward | about 9 years ago | (#12152455)

Teens being paid hundreds of thousands of dollars to write code that can take remote control of zombie machines for any nefarious purposes.

evil teens with no life? more like rich kids with an easy income source.

Darwinism (2, Interesting)

Anonymous Coward | about 9 years ago | (#12152693)

Just as the predominant, most accelerated technology growth comes out of human conflict (ie. war), computer security evolves fastest when it is forced to react to real-world situations.

There is no point in asking what their motivation is; heck, I was 16 once too. Plus, nowadays many virus writers are actually commissioned by greater evils, like spam/malware/etc.. compromised (zombie) machines (of any type) can be misused in a variety of ways..

Re:virus (1)

rpozz (249652) | about 9 years ago | (#12152702)

You get a whole article in places like slashdot devoted to your virus, and if you're lucky, a mention on the news. It's anonymous fame for people with nothing better to do.

Remember when viruses were cool? (5, Insightful)

Dancin_Santa (265275) | about 9 years ago | (#12152445)

There was a time when a virus could install itself just by latching onto a 3.5" disk boot sector and infect tons of machines without anyone having the slightest clue as to its existence.

Nowadays, viruses are so pussified that they need to ask the machine owner to install them. How sad.

Re:Remember when viruses were cool? (-1)

Anonymous Coward | about 9 years ago | (#12152469)

Do You Wish to Install "FBI PhOnE mOnItOr virus?"

Press 1 to install. Press 2 to abort.

Sadly, I'm sure people would press 1.

Re:Remember when viruses were cool? (1)

0x461FAB0BD7D2 (812236) | about 9 years ago | (#12152518)

I wonder if this is a result of viruses being "pussified" or as a result of improved security for the platforms.

It's a good thing viruses aren't that powerful anymore. It'd be nice to see viruses having EULAs.

Re:Remember when viruses were cool? (1)

Trejkaz (615352) | about 9 years ago | (#12152547)

A click-through EULA on a virus might actually be a good idea. It could shift all blame for any damage to the user, that way, so any attempt to sue the creator would surely fail. ;-)

Re:Remember when viruses were cool? (0)

Anonymous Coward | about 9 years ago | (#12152527)

So true.

Most things today that are considered viruses are not. It is like me writing a program to format your hard drive but then calling it "Super Happy Fun Game.exe".

It is a given that more than 1 person would have their drive formatted and Super Happy Fun Game would be called a virus.

Also, remember when they actually did cool stuff to your box (well as cool as a virus can be)

Remember Stoned. That was a real virus.

Re:Remember when viruses were cool? (1)

badger.foo (447981) | about 9 years ago | (#12152568)

There was a time when a virus could install itself just by latching onto a 3.5"

You had 3.5" floppies?

5 1/4"-floppies (1.2M) were the norm, and 8" ones weren't entirely dead yet either. Back then.

infect tons of machines without anyone having the slightest clue as to its existence.

Technically they possibly could pass unnoticed, but most of the viruses back then would do something to attract attention. Like displaying a low-res graphic, hiding the cursor, or trying to delete files or zap hard disks. Virus coders were generally attention-seekers too.

Re:Remember when viruses were cool? (0)

Anonymous Coward | about 9 years ago | (#12152640)

I spent my workstudy time in college working in the largest computer lab on campus. This was the equivalent of working in a computer brothel. I got to see most of the viruses that were out at the time. One of my favorites was one that hooked the keyboard interrupt and randomly switched the character the user typed.

It was funny as hell. I had many students furious as they went to spell check their papers only to see them riddled with errors.

I think the worst I did was write one that hooked into the IBM PS2 mouse driver and rebooted the machine if you moved the mouse too fast. I never got the self replicating down too well though so random abort retry fail errors were common.

the *.* virus (1)

Mr_Tulip (639140) | about 9 years ago | (#12152635)

Nowadays, users are so pussified, that if you tell them there's a virus called "*.*", and it's in the windows folder, they will happily check which files are infected - just tell them to type "dir *.*" at a command prompt, and then believe you when you tell them that to remove the virus, all they have to do is type "del *.*"

Re:Remember when viruses were cool? (0, Funny)

Anonymous Coward | about 9 years ago | (#12152643)

I'm still hoping for a North American release of the Tamagotchi Plus [ananova.com]. Spreading a Tamagotchi plague via its IR port might be cool, and the only way to stop a plague of Tamagotchis. For great justice!

Re:Remember when viruses were cool? (-1)

Anonymous Coward | about 9 years ago | (#12152757)

It's all about psychology now.

Re:Remember when viruses were cool? (1)

maxwell demon (590494) | about 9 years ago | (#12152813)

Well, maybe the true viruses are so advanced that really no one has a clue about their existence (which would be the reason why you don't hear of them), and the "permission to install" viruses are actually a way to detract attention from them ...

Security? (4, Insightful)

Morlark (814687) | about 9 years ago | (#12152447)

I'd say they'll be wanting to make these phones secure, and be sharp about it. Fair enough, these phones with sophisticated OSes are fairly new, and you might expect them to get hit by viruses to start with, but now that the first few viruses have struck the phone companies are going to want to get these phones as secure as possible, so that they can't get attacked so easily in future. Obviously, there's going to be a need for continued updates, as viruses continue to develop and evolve, but more basic levels of protection need to be introduced first.

Re:Security? (2, Interesting)

brainnolo (688900) | about 9 years ago | (#12152533)

Viruses are going to be a problem on Symbian Phones sooner or later, all the manufacturers can do is to make it impossible to run without user stupidity. But now, smartphones users may not think about these risks, because they do not yet acknowledge they own a PDA that can make phone calls as well, not a phone.

What would be useful is to make the users aware of this problem, but this could harm the sales of this relatively new product (I wouldn't be going to buy it knowing of this risk).

Vulnerability (3, Interesting)

Anonymous Coward | about 9 years ago | (#12152448)

I wonder if the fact that the recent OS X vulnerability is still unpatched after more than 2 months with the Symbian component of iSync is related to this? Would it be possible for an infected mobile phone to use the exploit in the mrouter code on OS X to infect the OS X machine remotely?

Re:Vulnerability (1, Informative)

Anonymous Coward | about 9 years ago | (#12152467)

If you are referring to the iSync mrouter exploit it was patched within a week after release.

Ofcourse they have to be secure. (4, Insightful)

flubbergust (818863) | about 9 years ago | (#12152449)

Why shouldn't the creators make the system more secure? It's their responsibility to make it more secure. What if you have to dial 112 (911 for people in other parts of the world) and you can't? Phones have to be secure. I can live with my Windows box isn't but damned if my phone isn't secure.

Re:Ofcourse they have to be secure. (3, Insightful)

jcostom (14735) | about 9 years ago | (#12152461)

You know, in fairness, that even if you're foolish enough to leave your bluetooth device set to be discoverable, you still have to accept the file being sent to you, unless it's coming from an already trusted device - something you've paired with.

Anyone that gets infected with this gets what they deserve. Hopefully at this point, you wouldn't open a strange file attachment, so why would you accept a strange file on your phone?

Re:Ofcourse they have to be secure. (2, Insightful)

Morlark (814687) | about 9 years ago | (#12152586)

The sad thing is that people do open strange file attachments. I don't really expect this behaviour to significantly change on phones. People who make software, whether for PC or mobile phone just have to account for the fact that users are stupid.

Re:Ofcourse they have to be secure. (0)

Anonymous Coward | about 9 years ago | (#12152758)

...so why would you accept a strange file on your phone?

It might be a female toother sending you a promiscuous request ! ;-)

Re:Ofcourse they have to be secure. (3, Insightful)

hc00jw (655349) | about 9 years ago | (#12152506)

I can live with my Windows box isn't but damned if my phone isn't secure.

Why? Why can you live with your computer being insecure? Why do you accept this? Especially when there are secure alternatives!

Re:Ofcourse they have to be secure. (-1, Troll)

Anonymous Coward | about 9 years ago | (#12152539)

Can you offer the names of the secure alternatives?

I would have to say that so far, DOS is the most secure I've used since I no longer own a floppy drive, I can't get online with the DOS machine, and it barely runs applications in the foreground, never mind hidden in the background.

Re:Ofcourse they have to be secure. (2, Insightful)

ceeam (39911) | about 9 years ago | (#12152576)

Because most computers are nothing more than media center + game console. And secure alternatives are only as secure as their "root"s are. And if you can manage a "secure alternative" then there are good bets that you can manage your Windows box secure. And there are far fewer games for "alternatives". Yes, an email + browser pre-set Linux box for grannies is generally (slightly) more secure than the same box running Windows.

Re:Ofcourse they have to be secure. (0)

Anonymous Coward | about 9 years ago | (#12152804)

I have tons and tons of data stored on ntfs partitions.

oh sure I have messed around with fedora (I like that one)
knoppix and I tried openbsd (the latter one I installed only to become confused and remove it)
none of these gave me direct access to my files
I'm not about to install a not yet 100% proof hack that can read ntfs files nor am I planning on getting more hdd's so I can transfer everything over ftp.
and I'm sure as hell not going to ntfs to fat
over 700GB of data (read crap but I like my crap).
give me something that can read and edit ntfs
so I can make the transition without too much hassle over time

that's the main reason why I'm still using windows
I'm open to suggestions

Re:Ofcourse they have to be secure. (1)

0x461FAB0BD7D2 (812236) | about 9 years ago | (#12152550)

Perhaps they decided the extra time and effort required to make it that much more secure wasn't worth the wait. Decisions such as these are based more on marketing and business than IT and security.

I'm sure we'd all love to have super-secure devices and software. But that takes time. And competitors whose products are not as secure would steal your market-share. Do you think users are going to wait months to use a product with similar functionality but that is 10% more secure?

Neither did I. It's about the bottom line. Plain and simple.

Re:Ofcourse they have to be secure. (1)

peragrin (659227) | about 9 years ago | (#12152582)

Of course the guy who ran to the market early to steal your market share, had to have a major recall in order to restore 3 million phones that were infected with a virus. Now that company is on the verge of bankruptcy and you're selling phones like hot cakes.

In ANY other industry the security holes of Windows would be considered unsafe, and MSFT would be facing billions of dollars of damage and recalls.

Because Software doesn't really exist as a physical item, they don't have that problem.

Re:Ofcourse they have to be secure. (1)

0x461FAB0BD7D2 (812236) | about 9 years ago | (#12152774)

Right. In any other industry. But Symbian is in the same industry - software. They, both Symbian and its competitors, don't have to make it that extra bit secure, because they can patch it later on.

People are used to their software having flaws. People are not going to ask Symbian or the phone manufacturers to change their phones because of a virus, just as those same people don't ask Dell or HP to change their PCs for them when they get hit by the latest adware from Golden Palace.

Knowing all that, I, too, would release a marginally insecure product to get marketshare. It's not right, but I can understand.

virus free os (2, Interesting)

freddej (122902) | about 9 years ago | (#12152450)

So, I guess this is becoming more and more ordinary, writing secure code is not going to happen, and with new ways in (bluetooth, browsing with the phone, wireless access via phone in the future?) and so on I think we just have to rely on autoupdates for every os with no exception of PAN-devices. Just like we humans have constant amount of bacteria in our mouths we have to get used to having a constant flow of viruses through our computers/phones/pda's etc.

Repeat after me... (4, Informative)

jcostom (14735) | about 9 years ago | (#12152452)

I will turn off bluetooth or set my phone's visibility to off.

I will turn off bluetooth or set my phone's visibility to off.

I will turn off bluetooth or set my phone's visibility to off.

There, was that so hard? If for some reason, you refuse to do that, don't accept files from other devices unless you specifically know they're ok. You know, just like you do with your email.

Re:Repeat after me... (0)

Anonymous Coward | about 9 years ago | (#12152477)

I have enough trouble finding where I left my phone without turning its visibility off.

Re:Repeat after me... (3, Interesting)

DarkHelmet (120004) | about 9 years ago | (#12152494)

Honestly, that shouldn't be an excuse.

Bluetooth is used commonly for things like headsets nowadays, which is particularly useful when driving of all things.

It's kind of like saying that a system is "waiting to be hacked" by having its firewall turned off. A firewall is just one layer of security that's used in order to secure a computer.

Phones are computers nowadays. The phone manufacturers simply cannot use bluetooth being left on as an excuse.

Anyway, I imagine virii like this over the next few years will spark a much greater concern for security within nextgen phones.

Re:Repeat after me... (1)

badfish99 (826052) | about 9 years ago | (#12152516)

So your idea for security is that everyone in the world should strictly follow this rule all the time, with no exceptions, and should never forget it? That isn't going to happen.
What could happen is that the phone manufacturers could make the effort to install a secure operating system. Then I could accept files from other users all the time, without worrying about how much I trusted them to follow such rules. You know, just like I do with my email.

Re:Repeat after me... (1)

AvitarX (172628) | about 9 years ago | (#12152536)

what about toothing [google.com]?

And why is Symbian worse than Microsoft's alternative?

I remember when MS said they were doing a phone all the jokes were "Blue Screen LOLOROTFLMAOLOLOL!!!!!" and "Virus OMG LOLOLOLOLOLOLOL!!!!!", but it seems that in the end it is Symbian with the virus troubles.

Re:Repeat after me... (2, Insightful)

hgavin (259102) | about 9 years ago | (#12152606)

> I will turn off bluetooth or set my phone's visibility to off.

This version of the worm propagates by MMS.

Re:Repeat after me... (5, Interesting)

Zayin (91850) | about 9 years ago | (#12152626)

I will turn off bluetooth or set my phone's visibility to off.

Setting your phone's visibility to off is not enough to stop attacks.

There are already tools [securiteam.com] out there that find non-discoverable bluetooth devices. A worm might use the same technique.

Not much threat? (4, Informative)

Richie1984 (841487) | about 9 years ago | (#12152459)

I had to read quite a way down TFA before I actually came to the information detailing what the virus actually does.

"At this point, mobile viruses are more of an irritant than a serious security...the messages that Mabir sends do not contain any text message, only the info.sis file."

So it seems this virus is more of a proof that they can be spread via phones, which we already knew, rather than an attempt to actually damage or corrupt the OS. Hopefully it'll persuade manufacturers to work more on their phone security, rather than obvious new features for the user.

Re:Not much threat? (1)

Ilgaz (86384) | about 9 years ago | (#12152694)

Forget media. While passing by, ask a Nokia or Ericsson, Siemens service center if they had some phones completely dead and had to flash over service hardware.

Those companies spend BILLIONS on advertising. No sane reporter will make 2-3 infections news, but that doesn't change that those viruses REALLY exist and, believe it or not, spread.

There are people who automatically say "yes" to everything that pops up on their phone. I know one myself personally. Not me.

Had 2 Cabir requests in 5000 people Prodigy concert myself.

Exploiting Bluetooth? (2, Informative)

gonzo-wireless (847083) | about 9 years ago | (#12152463)

Saying that this virus exploits Bluetooth is similar to saying that a Windows virus exploits CAT5. The software running on the phone is vulnerable, not the transmission medium.

I have doctora! (-1)

Anonymous Coward | about 9 years ago | (#12152470)

I kiss you, Mabir.A

Not a big deal.... yet (3, Interesting)

Albinoman (584294) | about 9 years ago | (#12152473)

A lot of people already have to update their roaming info. Why can't this stuff be updated at the same time? Current phones wouldn't be able to, but I'm sure cellular providers would rather do that than suffer the wireless version of a DOS attack (you know it will happen).

Re:Not a big deal.... yet (2, Interesting)

kyojin the clown (842642) | about 9 years ago | (#12152708)

already has. back in 2000, when ICQ could send SMS in the UK (i don't *think* it can anymore), we used to bang off twenty or thirty to a friend's phone - since SMS capacity in 2000 on the average phone was low (10-15), this would swiftly fill the memory, and then they would queue up in the message centre. delete one, get another one. renders the phone useless until you have churned through deleting the whole lot. we actually used to call it a DDoS

send a couple of hundred off, and you can basically prevent someone from using their phone for the best part of a day. possibly this is why the networks stopped allowing ICQ to send SMS. it was bloody great when used sensibly though, i wish trillian could do it now.

Want a surefire solution?? I have the answer. (-1, Troll)

pair-a-noyd (594371) | about 9 years ago | (#12152478)

And it ain't pretty.

Death penalty for virus writers.
No second offenders. Public execution broadcast on ALL forms of media, all channels, including CELL PHONES!

Write a virus, get a bullet in the head on international TV...

Simple. Cost effective. Guaranteed..

Re:Want a surefire solution?? I have the answer. (-1, Troll)

Anonymous Coward | about 9 years ago | (#12152501)

And it ain't pretty.

Death penalty for trolls.
No second offenders. Public execution broadcast on ALL forms of media, all channels, including WEB FORUMS!

Write a troll comment, get a bullet in the head on international TV...

Simple. Cost effective. Guaranteed..

Re:Want a surefire solution?? I have the answer. (5, Insightful)

imipak (254310) | about 9 years ago | (#12152508)

Want a surefire solution?? I have the answer. [...] And it ain't pretty. Death penalty for virus writers.

What a great idea. I'm sure this will work just as effectively as the USA executing alleged murderers - brutal as it sounds, it has at least reduced the murder rate to one of the lowest in the world.

Re:Want a surefire solution?? I have the answer. (0)

Anonymous Coward | about 9 years ago | (#12152569)

You're joking aren't you? The UK has a per-capita murder rate about one quarter that of the US, and many European countries are significantly lower.

Re: [OT] USA Murder rate (actually among highest). (-1)

Anonymous Coward | about 9 years ago | (#12152665)

What a great idea. I'm sure this will work just as effectively as the USA executing alleged murderers - brutal as it sounds, it has at least reduced the murder rate to one of the lowest in the world.

I'm not sure if that was sarcasm, but in case it wasn't ... We're actually in the top 10, we're very much one of the highest. Here's a well documented report on the issue. [guncite.com]

An older article, though it's more about gun deaths [cdc.gov] I believe it is still relevant.

~Rebecca
(Posted anonymously as this has nothing to do with cell phone viruses)

Well, I'm not impressed (5, Insightful)

KonijnenBunny (761868) | about 9 years ago | (#12152484)

I own a Nokia 60-series phone and much to my surprise I encountered the above mentioned predecessor (Caribe/Cabir) in the wild. (Yep, my bluetooth's always on)
I received over 20 identical messages by Bluetooth messaging, all containing a single application-installation file: caribe.sis. I had to approve the reception of the message first before I could view the contents. As I browsed the message contents, a further warning that it contained an application was issued, and I imagine the standard "not-signed" warning would as well if I'd try to actually install it.

That's 3 warnings I would have to ignore before the virus is installed. Surely in this day and age anyone's brains would have kicked in and wonder whether it would be a wise idea to install an unknown program sent to you by an anonymous stranger? Mobile-phone virii are all still very proof-of-concept in my book...

Re:Well, I'm not impressed (1)

Kevok (873638) | about 9 years ago | (#12152560)

That's precisely the reason why I never leave Bluetooth on. I've often sat on a bus and out of curiosity looked for other bluetooth handsets on the same bus, they all usually have the default ID for their phone. Most customers who buy their phones will have never heard of Bluetooth before and so when they see messages like that, they will naturally open them. It doesn't take too long to turn bluetooth on, so unless you're using a Bluetooth headset, it should remain off until needed. Customers should also be notified of threats like this by their network.

Re:Well, I'm not impressed (1)

rmccann (792082) | about 9 years ago | (#12152571)

It should be off when you turn on your phone. Most people don't change from the default settings. Better to be secure by default than the slight inconvenience of turning it on.

Re:Well, I'm not impressed (0)

Anonymous Coward | about 9 years ago | (#12152584)

Surely in this day and age anyone's brains would have kicked in and wonder whether it would be a wise idea to install an unknown program sent to you by an anonymous stranger?

Just rename it to crazyfrog.sis then they'll install it.

Re:Well, I'm not impressed (1)

h3rmanni (797836) | about 9 years ago | (#12152706)

Many of the users who've really been hit by any of the phone Bluetooth worms (there are several) have explained themselves along these lines: "I got a cryptic message on my phone. I didn't understand what it was asking...so I clicked 'No'. When I did that, the message popped up again. So I clicked 'No'. Again. 'No'. Again. Then I tried 'Yes', and the message went away..." It makes sense, kind of.

Re:Well, I'm not impressed (1)

Ilgaz (86384) | about 9 years ago | (#12152733)

You are a Slashdot user and you know what ".sis" is.

Do not generalize. It would be an excellent world if persons of your type weren't only 2% or less of population.

I speak about people paying $5! for a single midi ringtone!

Elementary measures (4, Insightful)

Savage-Rabbit (308260) | about 9 years ago | (#12152504)

Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?"


Not having every single Bluetooth service known to man switched on by default when the phone leaves the factory would be a good start. The first thing I did when I got my new PDA phone was to switch everything off except the BT Headset and File Transfer which I set to Maximum possible security since it wasn't set like that by default. Strictly speaking the FT services should only be activated on a need-to-use basis but I don't carry a lot of sensitive information on my PDA phone and what there is I have encrypted on an SD card. That would incidentally be another good idea, if manufacturers were to install some sort of file-vault software as standard. I had to install the file-vault software as an optional software package from the companion CD that came with my phone.

Re:Elementary measures (1)

springbox (853816) | about 9 years ago | (#12152580)

I completely agree with you, and it would be nice if more manufacturers of most electronic equipment (wireless APs would be another example) started to make their stuff more secure by default. The major problem is that they're trying to give users "ease of use" over "more security," which has already been proven to be an approach that's flawed.

Another FUD from F-Secure (5, Insightful)

S3D (745318) | about 9 years ago | (#12152512)

This theme is beat to death. So called "virus" require answer "Yes" three times to be installed. The most vocal reporter of these viruses is F-Secure, manufacturer of anti-virus software for Symbian phones. Their CEO speaking on one of the previous virus: "somehow, I'm not sure exactly how this virus get installed on my phone" He didn't remember answering "Yes" three times?

Re:Another FUD from F-Secure (2, Insightful)

tomstdenis (446163) | about 9 years ago | (#12152579)

You're assuming they're not the ones who wrote the virus in the first place...

Simple trick, don't buy phones known for crappy security. Symbian phones have been attacked before...

Though I agree this highly bad virus that requires the users permission to install is hardly a "virus" and more of a darwinism.

tom

Re:Another FUD from F-Secure (1)

Catullus (30857) | about 9 years ago | (#12152669)

Symbian phones hardly have crappy security. They are targeted by "virus" authors because they are the only popular open smartphone OS around.

Incidentally, there is basically no way that an open OS can protect against this sort of thing. If the user has the ability to install applications, the user has the ability to install viruses. There are two obvious ways to stop trojans like this spreading over Bluetooth:

1. Disallow the reception of applications over Bluetooth. But then how would users get legitimate applications from their PCs to their phones?

2. Only allow "signed" applications to use Bluetooth. But then small third-party developers would find it difficult to develop and market their software without it getting "signed" (at probable expense). And what about freeware?

In any case, Symbian are changing [symbian.com] their security model to try to combat threats like this one, no matter how based on FUD it is.

Re:Another FUD from F-Secure (0)

tomstdenis (446163) | about 9 years ago | (#12152683)

I seem to recall stories a few months ago about it...

Either way, stupid users can darwin their cell phones. So long as they don't add to the email spam problem I don't care!

BTW [ot] if you want to have a lot of fun with spam, open a yahoo account, post the address in a bunch of usenet forums, turn off spam filtering and wait a couple of weeks.

Then open up your inbox (which will likely have around 1500 spams in it) and sort based on subject.

Seeing 23 "CONGRATUALATIONS" in a row is just hilarious...

Tom

Re:Another FUD from F-Secure (1)

Afty0r (263037) | about 9 years ago | (#12152798)

Their CEO, speaking on one of the previous viruses: "somehow, I'm not sure exactly how this virus got installed on my phone". He didn't remember answering "Yes" three times?

Of course he remembered answering it - well, probably didn't remember actually answering yes, but he remembered the sales and marketing meeting where the Marketing Director told them all about the plan to have the CEO's phone "infected" with a virus of an "unknown" origin - and told them that this would get press releases and make the news because of his very position.

He remembered that all right, and he followed the script when talking to the press.

You insinuate the CEO is slow for not remembering clicking "yes" - I insinuate you are slow for not realising this was fiction, a marketing trick.

Re:Another FUD from F-Secure (2, Informative)

Ilgaz (86384) | about 9 years ago | (#12152846)

You blame F-Secure, makers of F-Prot, for distributing FUD?

How old are you? 16?

Read some IT history about F-Prot. You will understand they really don't care about your $something.

I am just afraid of people like you administering Symbian sites, really afraid.

If I ever buy f-prot for my mobile, if there will be a reason ever, it will be people like you.

How many of your users care about the exact 3 warnings when they download/purchase any sis from your site?

For people who have never used Symbian: you must PAY Symbian/Nokia as a developer (free or not!) to get a "security signature" for your application.

I'd expect something like "This is what Nokia deserved, they tried to rip off developers by Symbian security signature and entire community 'learned' not to care about security alerts"

Not some bs like F-Secure cares about your money.

I just wonder how many threats Kaspersky Labs has found and is not announcing because of people like you. Who are they? Oh, just more crooks, going for money!

Handheld viruses (3, Interesting)

springbox (853816) | about 9 years ago | (#12152552)

I'm not familiar with this particular handheld OS, but it would be funny if someone tried to write a virus for the PalmOS, because it largely wouldn't work.

"Please execute this program to destroy your system" is what the approach would have to be and doing a hard reset of all of the memory and hotsyncing it would completely wipe the thing out of the system. This is where volatile memory and a somewhat restrictive setup will benefit the user.

No OS creator cares about security. (2, Insightful)

akadruid (606405) | about 9 years ago | (#12152559)

will the OS creators have to start making their software secure?

All commercial operating systems are written to the point where the security is just good enough to sell the product and no further.

When operating systems are tied to the product or the vendor has a monopoly on their market then the point of 'just good enough' is reached long before the end user can regard the product as secure.

I predict: Software security will only become worse as consumer adoption of future devices in hostile environments such as the internet increases. Within 10 years, end users will be comfortable with performing routine software maintenance on a myriad of devices they currently consider reliable over the life of the product. This will include: all communications products; vehicles; home automation and security; entertainment systems; electrical white goods and DIY tools.

When the dominant multi-purpose operating system can be regarded as usably secure out of the box for the lifetime of the product, then I'll reconsider.

Make secure (2, Informative)

fozzmeister (160968) | about 9 years ago | (#12152564)

The evil empire (MS) would have done this ages ago (yes, there'd still be bugs that would let things thru, but it'd be better) if it wasn't for programs assuming they can write anywhere etc. MS trapped themselves. With phones being so young, and also being a new product every version (the OS dependencies are small), it'd be hard for them to excuse there being security problems.

But auto update would also be needed, no software is perfect.

Simple answer to Article's question (2, Funny)

phooka.de (302970) | about 9 years ago | (#12152575)

"Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?"


Both. Or maybe... isn't it far better for socializing that you're able to talk about how Windows didn't work and you fixed it than to own a machine / gadget / technology that simply works?

So maybe the answer truly is Neither.

Symbian OS will never be secure (5, Interesting)

Anonymous Coward | about 9 years ago | (#12152593)

I am an experienced commercial software developer on the Symbian platform. I have a strong background in many other platforms, and in the context of this message my anonymity is important, since my company can be sued by Symbian just for a biased negative opinion of Symbian made publicly.

Symbian OS is the most expensive platform to develop on. This means more expensive money- and time-wise. It takes 3 times as many developers to deliver the same product in twice the time as on comparable platforms (brew, iTron, etc...). As for platforms with real development tools such as Windows Mobile, we use ten developers on Symbian to every one on Windows Mobile to produce a lesser product.

Symbian has limited hardware level debugging support (if any at all), they lack so much as a command prompt to log to.

They lack decent compilers and you're stuck with GCC or ARM Realview (neither are that good, satisfactory at best on ARM).

Documentation is awful at best.

A simple program requires you to jump through hoops; a more complex one sets the hoops on fire.

The emulator environment emulates nothing and simply tries to implement the Symbian UI APIs on Windows and all system level stuff is just layered on Windows. That's fine if you don't need to do anything at the system level.

The development environment is heavily based on CodeWarrior these days. I find this funny since every other company (Nintendo, Sony, Be, Apple, etc..) where Metrowerks had a good footing, the companies found it more profitable to dump CodeWarrior and do it themselves instead. Symbian is the only company stupid enough to choose to rely on Metrowerks, especially with their pathetic resume.

As for security, the fact that anyone could possibly ship a product based on Symbian is a miracle in itself. As for securing it as well, I think you're just asking too much.

Security in software (1)

flajann (658201) | about 9 years ago | (#12152607)

Once again we see that security in software design often is an afterthought. I can understand a small software company not having the time or resources to address these issues -- and even then that's questionable. But what are the "big boys'" excuses?

I think it is quite silly and worrisome that PC users have to be so concerned about virii and spyware and have to invest time and effort in dealing with these hassles. Now we've got to have these same annoyances for our cell phones and PDAs? Excuse me?

No one wants to think about security until it's too damned late. Better to deal the issue up front than take a hit later. But will they listen to little ole' me? Nope!

So I sit by the sidelines and watch with glee the idiots making the same lame-brain mistakes over and over again, and then have to suffer for it -- or their customers have to suffer for it. Talk about divine comedy. Now that's entertainment!

Symbian team are fools. I interviewed with them... (-1, Flamebait)

Anonymous Coward | about 9 years ago | (#12152637)

The Symbian team are fools. I interviewed with them and though I did not get the position, I realized that they were incompetent and that a long series of exploits and user-desired exploits (hacks for DRM) await them.

I predict delivery targets via not only code, but otherwise "assumed safe" static data files such as malformed ringtones, malformed MIDI, malformed text messages, malformed photos, malformed desktop patterns, malformed fonts, man in the middle on the SHA-1 initial exchange of 3gpp (a lame crypto protocol that avoids signed keys for initial hash setup), and all manner of bluetooth fun and games.

But the sheer incompetence of the managers with hiring authority on Symbian is staggering.

It's twice as lame as the OMA DRM schemes for cell phones, that admit (best effort only).

When a company shuns hacker personalities for meeting-loving head-nodding yes men kiss asses that know crap about real anti hacking... then they get what's coming to them.

thanks.. (-1)

Anonymous Coward | about 9 years ago | (#12152711)

thank god I have my old superb Nokia 5110 :P

All I want is a phone! (3, Interesting)

Zemplar (764598) | about 9 years ago | (#12152840)

Am I the only one that misses some of the great cell phones that were actually designed specifically to be the best form of wireless voice communication? I sure wish I could buy a new manufacture Motorola StarTac today!! Black-on-green screen - NO crappy color screens. No stupid ring tones. No photo album. No crappy camera. Two-WEEK standby time!! Just a damn good PHONE...nothing else.

/rant