
The Dumber Android Is, the Better, Say Experts

Zonk posted more than 6 years ago | from the are-we-talking-lore-dumb-or-kryton-dumb dept.


ZDOne writes "ZDNet UK is reporting that it will not be known until the Android software development kit comes out on Monday whether the Gphone will be strictly Java-based, but security experts claim that the less smart a phone is, the less vulnerable it is. Android developers should stick to a semi-smartphone platform because the Java sandbox can protect against the normal kinds of attacks, experts claim. The article also discusses some of the pros and cons of open vs. closed source security. 'The debate about the relative security merits of open-source as opposed to proprietary software development has been a very long-running one. Open-source software development has the advantage of many pairs of eyes scrutinizing the code, meaning irregularities can be spotted and ironed out, while updates to plug vulnerabilities can be written and pushed out very quickly. However, one of the disadvantages of open-source development is that anyone can scrutinize the source code to find vulnerabilities and write exploits. The source code in proprietary software, on the other hand, can't be directly viewed, meaning vulnerabilities need to be found through reverse engineering.'"


165 comments


Yes...but... (2, Funny)

monkeyboythom (796957) | more than 6 years ago | (#21286089)

Dumb terminals can never defeat idiots. That's why nothing is idiot proof.

Re:Yes...but... (2, Funny)

A non-mouse Coward (1103675) | more than 6 years ago | (#21287833)

You're just a paranoid android [wikipedia.org].


What?! Somebody had to make the Radiohead reference.

Security : Paranoid
Gphone : Android

Slasddot Grammary Advisory (0)

Anonymous Coward | more than 6 years ago | (#21286131)

"The dumber android is, the better say experts." IS NOT

a sentence. Now return to your seance with the world's most dangerous criminal [whitehouse.org],

Cheers.

Re:Slasddot Grammary Advisory (1)

smitty_one_each (243267) | more than 6 years ago | (#21286245)

Perhaps the /. article text, itself, was produced by Android.

Re:Slasddot Grammary Advisory (4, Funny)

sm62704 (957197) | more than 6 years ago | (#21286277)

Isn't Ann Droid Cowboy Neal's latest girlfriend?

Re:Slasddot Grammary Advisory (3, Funny)

smitty_one_each (243267) | more than 6 years ago | (#21288153)

Thought she was Ann Flatable.

Re:Slasddot Grammary Advisory (1)

An ominous Cow art (320322) | more than 6 years ago | (#21286601)

"Linguo... dead?"

It certainly is a sentence. (0)

Anonymous Coward | more than 6 years ago | (#21286761)

A comma would help ("The Dumber Android Is, The Better, Say Experts"), but you're just being an ass.

Re:It certainly is a sentence. (2, Informative)

Mi1ez (769713) | more than 6 years ago | (#21287037)

Grammatically, quotes in the right places would help too. "The Dumber Android Is, The Better," Say Experts

Re:It certainly is a sentence. (0)

Anonymous Coward | more than 6 years ago | (#21287225)

Don't want to be tooo picky here but it still doesn't make sense! 'Proper English' version needs an extra 'the' :

"The dumber the android is, the better", say experts

Re:It certainly is a sentence. (1)

msuarezalvarez (667058) | more than 6 years ago | (#21287573)

You went all the way from too picky to wrong, actually. `Android', in this context, is a proper noun, so it does not take a definite article, as you propose...

Re:It certainly is a sentence. (0)

Anonymous Coward | more than 6 years ago | (#21287637)

YHBT.

Re:It certainly is a sentence. (1)

Frnknstn (663642) | more than 6 years ago | (#21287605)

"The less able to talk the android is, the better" say experts.

The most secure phone ever! (5, Funny)

reverseengineer (580922) | more than 6 years ago | (#21286151)

Experts suggest security-conscious consumers consider the Western Electric 500 [wikipedia.org] for their next smartphone. Lacking Java, JavaScript, ActiveX, and any other type of software, its spartan phone interface makes it virtually immune to any security vulnerabilities, and its innovative "rotary dial" system circumvents attacks possible on touch-tone phones. The casing is constructed of nearly indestructible Bakelite plastic, making it far more durable than the average smartphone. It does however require a service agreement with AT&T.

Re:The most secure phone ever! (0)

Anonymous Coward | more than 6 years ago | (#21286229)

That's exactly what I have been looking for! Anyone have a link for where to purchase one?

Oh, and is it GSM or the other one?-)

Thanks

Re:The most secure phone ever! (0)

Anonymous Coward | more than 6 years ago | (#21286231)

You can get the retro look for modern phones.. http://www.thinkgeek.com/gadgets/cellphone/7830/ [thinkgeek.com]

Re:The most secure phone ever! (4, Interesting)

Billosaur (927319) | more than 6 years ago | (#21286247)

I know it's meant to be funny, but strangely it's one of the reasons I haven't ditched my land-line to go all wireless. Mobile phones, especially those that try to do everything, aren't particularly good at anything and the more things you cram onto them, the greater their vulnerability profile. My wife just traded her old broken-down phone for a T-Mobile Shadow, and it's not the world's greatest phone (it runs Windows Mobile, but that isn't the root of the problem). The sound quality is horrendous and I haven't tried the MP3 player in it, but I'm not holding out hope.

I don't think we're at the point where phones can handle multiple tasks well, and using one is leaving yourself open to all sorts of mischief.

Re:The most secure phone ever! (4, Interesting)

sm62704 (957197) | more than 6 years ago | (#21286603)

In March 2006 we got hit by two tornadoes [wikipedia.org] in one night. They went right through my neighborhood; the big tree behind my apartment looked like Godzilla had stomped on it. Half the utility poles were gone (as were a lot of buildings). My power was out for a week, my cable and internet were out for a month, and the landlines were all out as well.

My cell phone worked, however. It also was a very handy flashlight, as there was no power AT ALL anywhere near my apartment and boy, was it dark there at night! It's been years since I've had a landline.

-mcgrew

Re:The most secure phone ever! (0)

Anonymous Coward | more than 6 years ago | (#21287267)

Springfield? that darn Mr Burns at it again?

You should have had lights, I mean your truck must have been spared, otherwise how would you charge the cell phone? Just face it toward the window, it should light up the entire trailer.

Re:The most secure phone ever! (2, Informative)

SL Baur (19540) | more than 6 years ago | (#21288297)

My power was out for a week ... My cell phone worked, however. It also was a very handy flashlight, as there was no power AT ALL anywhere near my apartment

I'm amazed that your battery kept power for that long with the backlight enabled. Even my Japanese cellphones wouldn't stay charged that long.

Re:The most secure phone ever! (1)

Andy Dodd (701) | more than 6 years ago | (#21289403)

The sound quality of my AT&T Tilt (same manufacturer as the Shadow - HTC) is just fine. I'd say it was great, in fact.

What is the signal strength when you get this "awful sound quality" - T-Mobile has the smallest network (read: least coverage) of the four U.S. carriers. That's why they're so dirt cheap - you get what you pay for.

This article is just a pile of FUD. I laugh at the morons who buy antivirus software for Windows Mobile phones, when there is little to no risk of contracting a virus unless you are utterly and completely idiotic.

Re:The most secure phone ever! (5, Informative)

sm62704 (957197) | more than 6 years ago | (#21286487)

The rotary dial was a pain in the ass, but we never knew that until they invented pushbutton phones. And you had to look up your police/fire/ambulance in the phone book as there was no 9-1-1 service. Although most people just dialed "O" and when the lady answered (a real live human being, we didn't have voice mail either) you said "MY HOUSE IS ON FIRE" and she'd plug some plug on her switchboard in and the fire department would come out.

But the Western Electric 500s were hackable! Some of them had no dials; businesses used the dial-less phones for where they wanted a low level employee, like the teenaged me at the ticket booth at the drive in theater, to be able to answer them but not make outgoing calls.

You could, however, "dial" them by repeatedly hitting the hangup buttons. So I was hacking your "unhackable" phone when I was 16. Actually I was cracking not hacking; I was hacking when I made guitar fuzzboxes out of $10 transistor radios and selling them for $50 each to other teenaged guitar players.

-mcgrew

PS- I've almost forgotten this, but in the Metro East St Louis area you could dial Bridge 1300 and a spooky noise came out of the phone. The other kids said it was a ghost, I never had the heart to educate them about the reality.

Re:The most secure phone ever! (0)

Anonymous Coward | more than 6 years ago | (#21287985)

"I never had the heart to educate them about the reality."

Which was?

Re:The most secure phone ever! (2, Informative)

glitch23 (557124) | more than 6 years ago | (#21288335)

You could, however, "dial" them by repeatedly hitting the hangup buttons. So I was hacking your "unhackable" phone when I was 16. Actually I was cracking not hacking; I was hacking when I made guitar fuzzboxes out of $10 transistor radios and selling them for $50 each to other teenaged guitar players.

Actually, you were doing an early version of phreaking [wikipedia.org].

Re:The most secure phone ever! (2, Interesting)

adamziegler (1082701) | more than 6 years ago | (#21288461)

"Actually I was cracking not hacking" ... ... actually you were phreaking not hacking.

Re:The most secure phone ever! (2, Interesting)

BizidyDizidy (689383) | more than 6 years ago | (#21288559)

I'm obviously a moron, but what WAS Bridge 1300?

Re:The most secure phone ever! (1)

vtscott (1089271) | more than 6 years ago | (#21286585)

Or you could get the Port-O-Rotary [sparkfun.com].

Re:The most secure phone ever! (1)

markov_chain (202465) | more than 6 years ago | (#21286907)

It's not immune to virus infections, I got a nasty cold from one just last week. Damn mouthbreathers!

Huh? (5, Interesting)

Matt867 (1184557) | more than 6 years ago | (#21286181)

The dumber the smart phone is the better? Sounds like someone doesn't want to take their programming job seriously.

Re:Huh? (1)

xouumalperxe (815707) | more than 6 years ago | (#21287907)

"Make it smart enough to be useful, but not so smart that it starts becoming a liability". That's what they're saying. Actually it's a very fine line to tread, and one that requires very good programming skills to actually accomplish.

No wrong... (5, Insightful)

El_Muerte_TDS (592157) | more than 6 years ago | (#21286187)

The smarter the user is the more secure the phone is.

Re:No wrong... (4, Funny)

ceeam (39911) | more than 6 years ago | (#21286399)

I thought all companies established long ago that "smart users" market is so tiny it can safely be ignored.

Still wrong: (3, Funny)

norminator (784674) | more than 6 years ago | (#21286467)

Actually... I think it should be: the smarter the user thinks they are, the less secure the phone is. Reminds me of my PC Tech Support days long ago... "My neighbor came over, and he knows a lot about computers, so he started fixing my computer, now it won't start..."

Duh.... (0, Redundant)

Actually, I do RTFA (1058596) | more than 6 years ago | (#21286203)

security experts claim that the less smart a phone is, the less vulnerable it is.

Other brilliant revelations offered by the experts:

  1. Locking doors and windows helps keep burglars out.
  2. Carrying your life savings in cash is a bad move, as muggers exist.
  3. Alcohol is inflammable.
  4. Shooting yourself is unhealthy...

More parts == more places things can go wrong == more vulnerable.

Re:Duh.... (0)

norminator (784674) | more than 6 years ago | (#21286503)

3. Alcohol is inflammable.

Don't worry, it says it's in-flammable
BOOM!
Who would have thought that inflammable means flammable!?!?

Re:Duh.... (1)

davidsyes (765062) | more than 6 years ago | (#21286563)

"inflammable"?

Why, that is UNpossible!

Re:Duh.... (1)

seededfury (699094) | more than 6 years ago | (#21287935)

Definitions of inflammable on the Web:
Capability of a combustible material to ignite easily, burn intensely or have rapid rate of flame spread. Also see Flammable.,
www.usg.com/Glossary.do

Easily set on fire.
www.federated.ca/gloss/i.htm

Same as flammable. Capable of catching fire easily and burning rapidly. Also, having a flash point below 100 Fahrenheit.
www.union.edu/Academics/Departments/Science/Safety/Hazcom/hazcomManualGlossaryMSDS.htm

flammable: easily ignited
wordnet.princeton.edu/perl/webwn

Mods? (0)

Anonymous Coward | more than 6 years ago | (#21288349)

Look, it's a rough paraphrase of a Simpson's quote...

But my real beef with the mods is how can this be moderated "Overrated" when it hadn't been modded up by anyone?!?!? Who overrated it?

perhaps completely unrelated (1, Insightful)

BewireNomali (618969) | more than 6 years ago | (#21286207)

social scientists have long inferred that dumber people are less likely to fall for hustles/social engineering/hacking/etc., because they lack the imagination to consider alternate realities.

i've been consulting for a new york firm for about 9 months now. i do a lot of traveling, but i'm in the new york home base office at least 4 times a week. i often misplace my card-key - and the receptionist refuses to buzz me in, EVERY TIME. She's always like, "I'm sorry, I don't know who you are." her policy is to never buzz anyone in. She angered the chairman once over it, who was talked out of firing her precisely because he's in the office like 3 times a year. She won't buzz people in and she's unrepentantly steadfast about it. She's dumb as dirt.

Simple systems are more likely to be secure than more complex systems in general as they are less prone to component failure.

I think you've come to the wrong conclusion. (4, Informative)

argent (18001) | more than 6 years ago | (#21286441)

First: She's always like, "I'm sorry, I don't know who you are." her policy is to never buzz anyone in. She angered the chairman once over it, who was talked out of firing her precisely because he's in the office like 3 times a year. She won't buzz people in and she's unrepentantly steadfast about it. She's dumb as dirt.

She's not dumb, she's smart.

Second: Simple systems are more likely to be secure than more complex systems in general as they are less prone to component failure.

The Java sandbox is an extremely complex system, with trusted and untrusted code running in the same address space calling the same libraries, with the security managed by code that's also using the same libraries and running in the same address space. I am honestly amazed that it's worked as well as it has.

The multiuser protection in UNIX is an extremely simple system, with untrusted code running in separate address spaces and, traditionally, with the ability to run security applications using no shared libraries at all. It's also proven extremely effective, and it has the advantage that even if flawed code is run those flaws do not automatically provide an escape route from the whole sandbox the way flaws in libraries called from Java do.

This is not to say that the Java sandbox isn't a useful tool, but rather to say that when analyzing the security of the system as a whole the fact that an application is written in Java should not be given the kind of importance that it seems to be getting here.

Re:I think you've come to the wrong conclusion. (1)

node 3 (115640) | more than 6 years ago | (#21286723)

She's not dumb, she's smart.

So "smart", she almost got herself fired.

"A foolish consistency is the hobgoblin of little minds" - Ralph Waldo Emerson

Re:I think you've come to the wrong conclusion. (1)

blueskies (525815) | more than 6 years ago | (#21287077)

She almost got fired for keeping her workplace secure? That's a really stupid chairman.

Notice that in your quote Emerson is referring to "foolish consistency." It sounds like she is foolishly consistent. She lets some people in without their key card, so she is inconsistent.

Why would it be a good idea to buzz people in she doesn't know?

Re:I think you've come to the wrong conclusion. (1)

argent (18001) | more than 6 years ago | (#21287507)

Getting fired for following appropriate policy is probably NOT a career limiting move.

Re:I think you've come to the wrong conclusion. (1)

imsabbel (611519) | more than 6 years ago | (#21288609)

Which shows that the people who wanted to fire her are the real idiots.

They should value her as an asset, as she is obviously very resistant to social engineering.

Re:perhaps completely unrelated (2, Insightful)

starfishsystems (834319) | more than 6 years ago | (#21286453)

Based on the evidence you've supplied, she's not dumb, just principled. It's entirely possible that this organization has a security policy which requires staff to act this way. That would explain why the chairman found that he couldn't just tell her to do it differently.

With that in mind, consider the possibility that you often misplace your security card as your failing. Instead of blaming someone else because they won't fix your life for you, take a little responsibility.

I know, it's a bit of a novel concept at first, but just try it on and see if life gets any better. Likely, it will, because this is one of those aspects of life over which you are actually in control. Or could be.

Re:perhaps completely unrelated (0)

Anonymous Coward | more than 6 years ago | (#21286621)

Does embracing this new way of life also require speaking to people in a condescendingly paternal manner?

Re:perhaps completely unrelated (1)

zippthorne (748122) | more than 6 years ago | (#21288605)

People who complain about and call others stupid for not bending security policies to accommodate their own sloppiness and convenience have demonstrated a level of maturity consistent with the condescension heaped upon them.

Re:perhaps completely unrelated (1)

imsabbel (611519) | more than 6 years ago | (#21288631)

No, that's a natural side effect of a normal, sensible person confronted with a slimy maggot like the OP.

Speaking of Dumb Androids... (0, Offtopic)

Anonymous Coward | more than 6 years ago | (#21286253)

looks like we have a junk science blog (Client Audit) leading the best science blog in the best Science blog award. Polls close in an hour, so making a firehose entry won't do a bit of good because it simply won't be visible enough and I know Mods are going to knock this off topic, but durn it, vote for bad astronomy (which is in second place), heck vote for anyone, we're slashdot, we should be able to sway the vote.

http://2007.weblogawards.org/polls/best-science-blog-1.php [weblogawards.org]

Did I miss something? (5, Funny)

zappepcs (820751) | more than 6 years ago | (#21286267)

However, one of the disadvantages of open-source development is that anyone can scrutinize the source code to find vulnerabilities and write exploits. The source code in proprietary software, on the other hand, can't be directly viewed, meaning vulnerabilities need to be found through reverse engineering.'"

If I remember right, that closed source thing... hmmm it seems to be working out really well for Microsoft.

Re:Did I miss something? (1)

Kjella (173770) | more than 6 years ago | (#21286647)

If I remember right, that closed source thing... hmmm it seems to be working out really well for Microsoft.

Yep, they're practically eradicated by now. Along with every other closed source company. No? If you take the big three - price, functionality and quality, pick any two, then either they can't be far behind in security or their products are a lot better, since they sure don't win on price. And you can't accuse all of them of having the desktop monopoly of our favorite hate object...

Re:Did I miss something? (3, Insightful)

DanielJosphXhan (779185) | more than 6 years ago | (#21287115)

I think researchers and experts, when they talk about how exploits are found, fundamentally mistake the issues. No-one reads source to find exploits: that's the hard way to go about it. Closed source has only disadvantages in this regard, especially with fewer hands to fix things.

The "many eyes" argument fails as well, though, simply because many eyes do not make for better security. Many hands, on the other... um... hand, make for better response time. Open source code tends to be more agile because it's open.

Re:Did I miss something? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21289013)

No-one reads source to find exploits

You're joking, right? A while back I was hacked, quickly figured out the vector was an open source application I was running, pulled down the source and found a gaping hole in it within a couple of hours. Of course I don't know for a fact that the entry point was the hole I found, but finding one was enough for me, thank you. Oh, and FWIW this particular FOSS application is widely used.

Re:Did I miss something? (3)

Torvaun (1040898) | more than 6 years ago | (#21289195)

Did you just fix your own, or did you give back to the community that provided the app?

Re:Did I miss something? (1)

Gadzinka (256729) | more than 6 years ago | (#21287495)

Yeah, look how well this closed source secure environment played for Apple's latest gadget. Or Xbox, Playstation, Nintendo consoles. It was supposed to be impossible to install and run unauthorised software.

Robert

Closed source is even more hackable in this way (1)

DrYak (748999) | more than 6 years ago | (#21288525)

Closed source happens to be even more hackable in that situation:
because here we have a situation where the various pieces of software have to communicate together. They have to speak a common language.
And that standard used to communicate between the devices HAS to be documented well.
From the /. entry:

meaning vulnerabilities need to be found through reverse engineering

False.
You don't need to actually reverse engineer it.
Just get the documentation for the used standard. Then try every possible corner situation:
data packets bigger than normal, empty packets, parameters set to undocumented values, etc...
Chances are at least some of them will crash the code (giving a nice tool for DOS attacks) or even cause buffer overruns (giving a nice lead to explore to develop remote execution exploits).

And most companies producing proprietary code are small and have limited resources (small number of programmers and/or available eyes to do quality checking).
Thus they concentrate their efforts on the most critical features and important bugs (read: to be able to ship at least something - by ironing out bugs that prevent the code from even starting up) and read secondary bugs for later or never (read: every other possible bug).

Whereas in a big open-source community you'll always find some psychopath whose hobby on friday nights is to run every single piece of code through Valgrind and similar tools. Or anal-retentive maniacs who won't stop before eliminating all compiler "warnings".
In the corporate world, those people would be kindly asked to concentrate on the main features before the deadline arrives. In an open-source environment everyone is free to do what he wants with the code (the freedoms that licenses like the GPL try to protect) and those people can even be useful if they provide patches and don't alienate the rest of the developers when communicating with them.
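The corner-case exercise the comment above describes (oversized packets, empty packets, undocumented values) is the same exercise a defender runs against their own parser before shipping it. The Python below is an added example, not code from the commenter or from any real protocol: it defines a constructed toy wire format (1-byte version, 1-byte type, 2-byte big-endian length, payload; an assumption made for this example), a naive parser that trusts the header, a hardened parser that validates every field before using it, and a small driver that pushes each corner case through both parsers and classifies the outcome.

```python
import struct

# Constructed toy wire format (an assumption for this example, not a real standard):
#   version (1 byte) | type (1 byte) | payload length (2 bytes, big-endian) | payload
HEADER = struct.Struct("!BBH")
MAX_PAYLOAD = 1024                               # documented upper bound for the toy format
TYPE_NAMES = {1: "HELLO", 2: "DATA", 3: "BYE"}   # the only documented type values


class ParseError(ValueError):
    """The one exception the hardened parser is allowed to raise."""


def parse_naive(data: bytes) -> dict:
    """Trusts the header: the kind of code the comment expects to crash on
    short input, undocumented type values and mismatched length fields."""
    version, msg_type, length = HEADER.unpack_from(data)    # struct.error on short input
    payload = data[HEADER.size:HEADER.size + length]         # silently truncates a lying length
    return {"version": version,
            "type": TYPE_NAMES[msg_type],                    # KeyError on an undocumented type
            "payload": payload}


def parse_hardened(data: bytes) -> dict:
    """Validates every field before use and maps all failures to ParseError."""
    if len(data) < HEADER.size:
        raise ParseError("short header: %d bytes" % len(data))
    version, msg_type, length = HEADER.unpack_from(data)
    if version != 1:
        raise ParseError("unsupported version %d" % version)
    if msg_type not in TYPE_NAMES:
        raise ParseError("undocumented type %d" % msg_type)
    if length > MAX_PAYLOAD:
        raise ParseError("declared length %d exceeds maximum" % length)
    body = data[HEADER.size:]
    if len(body) != length:
        raise ParseError("declared length %d, got %d bytes" % (length, len(body)))
    return {"version": version, "type": TYPE_NAMES[msg_type], "payload": body}


def build(version: int, msg_type: int, payload: bytes, declared_length=None) -> bytes:
    """Builds a packet; declared_length lets a test case lie about the payload size."""
    length = len(payload) if declared_length is None else declared_length
    return HEADER.pack(version, msg_type, length) + payload


# The corner cases the comment enumerates, constructed against the toy format.
CORNER_CASES = {
    "valid": build(1, 2, b"hello"),
    "empty_packet": b"",
    "truncated_header": b"\x01\x02",
    "oversized_declared_length": build(1, 2, b"x" * 8, declared_length=60000),
    "length_longer_than_data": build(1, 2, b"abc", declared_length=10),
    "length_shorter_than_data": build(1, 2, b"abcdef", declared_length=2),
    "undocumented_type": build(1, 200, b"abc"),
    "undocumented_version": build(9, 1, b""),
}


def exercise(parser) -> dict:
    """Runs every corner case through `parser` and classifies each outcome as
    'accepted', 'rejected' (a clean ParseError) or 'crash:<ExceptionType>'."""
    results = {}
    for name, packet in CORNER_CASES.items():
        try:
            parser(packet)
            results[name] = "accepted"
        except ParseError:
            results[name] = "rejected"
        except Exception as exc:            # anything else is the unhandled-crash outcome
            results[name] = "crash:" + type(exc).__name__
    return results


if __name__ == "__main__":
    for label, fn in (("naive", parse_naive), ("hardened", parse_hardened)):
        print(label)
        for case, outcome in exercise(fn).items():
            print("  %-28s %s" % (case, outcome))
```

Run it and the naive parser shows exactly the failure modes the comment predicts: an empty or truncated packet escapes as an unhandled struct.error (the crash that reads as a DoS lead from the outside), an undocumented type escapes as a KeyError, and a length field that lies about the payload is accepted silently. The hardened parser accepts only the valid packet and turns every other case into the single expected ParseError, which is what handling the corner cases cleanly looks like in code.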

security experts? (1)

abes (82351) | more than 6 years ago | (#21286293)

Yes, security through obfuscation always It seems that perhaps people would learn by now that simply isn't true. Maybe the obfuscation slows down the attacks, but the real issue is how fast the fix can be had. No matter whether the software is open or closed sourced, there will be bugs, and therefore potential attacks on it. At least with open-sourced software anyone can potentially fix the problem, instead of waiting for a company to take potentially very long times to patch it (which is fairly frequent, as documented by /.).

Also, something to consider is that both the HW and OS play a larger role overall in security. It is possible to design a system with automatic sandboxing, such that one program cannot touch the memory of any other program including the OS. You don't need Java for this. If the HW and OS are done correctly, all Java really buys you (in terms of security) are programs that won't segfault (though often exceptions aren't fully handled, which usually gives the same end result).

Androids... Robots... (1)

Kazrath (822492) | more than 6 years ago | (#21286301)

At first I thought this was a repeat of the previous robot article. I guess I really should brush up on the difference between androids and robots.

Anyway, more complex is effectively as safe as less complex as long as the default options do not immediately provide vulnerabilities. The more complex a device is the fewer features ID10T users will be able to misconfigure as it will be too complex for them to move much past the basics such as voice/text messaging.

This is more "smart network, dumb device" logic. (4, Interesting)

argent (18001) | more than 6 years ago | (#21286309)

This is the old telecom industry chant. "Let's put the smarts in the network, they say, where they're out of touch and nobody can even get in to attack them, and have dumb devices out on the edge. Blue boxes are just a rumor."

By all means it should be possible to make dumb phones with Java sandboxes around third party software using Android. Yes, every layer of security is good. But it's not perfect... if you put everything you want to protect inside the sandbox, who cares whether someone breaks out of it or not?

Don't forget, the OS they're basing it on was designed for timesharing use, where it was common for people who had very different security requirements running code together on the same computer. Linux is a relatively young implementation of UNIX, but it's still using the same design that was able to keep some of the world's smartest CS undergrads from getting at the test papers and scores stored on the very same computers as their class accounts in the early '80s.

And some of the biggest vulnerabilities available to attackers on any platform are in application layers, in code doing what it was designed to do, with no individual component violating any constraint that a sandbox would prevent. The biggest problems are not implementation flaws, they're design flaws.

That's why, despite years of warnings from antivirus company experts, we don't have a flood of smartphone viruses... because PalmOS and Pocket PC and the rest don't have multiple internal firewalls like UNIX or Windows NT, but they're also not designed around a model of accepting code from untrusted sources and running it, like Windows is.

Get the application design right, and you're solid. Get it wrong, and you lose... no matter whether the kernel is inviolate or not.

Are they gonna make it unhackable? (0, Offtopic)

ceeam (39911) | more than 6 years ago | (#21286359)

$SUBJ. If so (they gonna "tivoize" it as RMS would say) I'm sure backlash will be huge. If not - it's pretty clear that "Java-only" will not hold for more than a day or two.

proprietary security is like creationism (4, Insightful)

Ba3r (720309) | more than 6 years ago | (#21286361)

There is an overwhelming consensus amongst real security professionals that security is achieved through openness, not obscurity and closed source. Just look at the systems that hyper secure organizations like the NSA advocate. Those who continue to rail against open source systems as being insecure because "hackers can look at the source" (yeah but they can't look at my key) seem as out of touch as creationists.

Re:proprietary security is like creationism (3, Interesting)

ichthus (72442) | more than 6 years ago | (#21287747)

Ah, the new buzzword of the day, "consensus." There is hardly consensus on the superiority of openness in a security model. The scrutiny of many eyes argument is valid, but is arguably countered by a "probing of many eyes" for exploits argument.

And, there are good arguments for security through obscurity -- a concept all too quickly shot down here at Slashdot. For example, leaving a house key inside a fake rock in your garden is arguably more secure than leaving the key under your welcome mat. Another example, in which I have personally experienced the benefits of security through obscurity, is network ports. I used to have an SSH server running on the standard, port 22. Every day, my logs showed numerous login attempts by unknown individuals trying to gain access to my system. Once I moved the server to a different, more _obscure_ port, though, my logs rarely show any connection attempts. Now, is this new port more secure? No. But, because it's further hidden it does afford _more_ security.

And, as for your final, fanny-pat statement to the "consensus" of the "scientific" world: I'm a creationist, and I'm not out of touch. For me, the incalculably small probability of spontaneous generation of a lifeform able to be nourished by its environment and then able to reproduce is not a large-enough foundation on which to build a scientific consensus.
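The log picture described in the comment above (daily login attempts against port 22 that mostly disappear after a port move) is easy to quantify, and quantifying it also shows what the port move does not buy. The Python below is an added example, not the commenter's or any project's code: it parses constructed OpenSSH auth-log lines (sample data with documentation-range addresses, not a real host's log; the line wording is assumed to be the standard sshd "Failed password" / "Accepted" format), counts failed logins per source address, lists the usernames each source guessed, and flags a successful login from an address that had already crossed a failure threshold, which is the event an obscure port does nothing about and the one worth an alert.

```python
import re
from collections import Counter, defaultdict

# Line shapes assumed to match standard OpenSSH sshd auth-log wording.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2")

# Constructed sample log (documentation-range addresses, not from a real host).
SAMPLE_LOG = """\
Nov  8 03:12:01 host sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Nov  8 03:12:03 host sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Nov  8 03:12:05 host sshd[2233]: Failed password for root from 203.0.113.7 port 51530 ssh2
Nov  8 03:12:09 host sshd[2235]: Failed password for invalid user oracle from 203.0.113.7 port 51540 ssh2
Nov  8 03:12:20 host sshd[2238]: Accepted password for root from 203.0.113.7 port 51544 ssh2
Nov  8 03:15:44 host sshd[2240]: Failed password for root from 198.51.100.23 port 40011 ssh2
Nov  8 03:15:46 host sshd[2240]: Failed password for root from 198.51.100.23 port 40011 ssh2
Nov  8 03:20:00 host sshd[2250]: Accepted publickey for alice from 192.0.2.10 port 52200 ssh2
Nov  8 03:21:10 host sshd[2252]: Failed password for alice from 192.0.2.10 port 52210 ssh2
Nov  8 03:21:15 host sshd[2252]: Accepted password for alice from 192.0.2.10 port 52210 ssh2
"""


def summarize(log_text: str, threshold: int = 3) -> dict:
    """Counts failed logins per source, the usernames each source tried, the
    sources at or above `threshold` failures, and accepted logins from such
    sources. Lines are processed in log order, so a success only counts as
    suspicious once the source has already crossed the threshold."""
    failures = Counter()
    usernames = defaultdict(set)
    suspicious_accepts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            usernames[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m["ip"]] >= threshold:     # Counter returns 0 for unseen sources
            suspicious_accepts.append((m["ip"], m["user"], m["method"]))
    return {
        "failures": dict(failures),
        "usernames": {ip: sorted(names) for ip, names in usernames.items()},
        "brute_force": sorted(ip for ip, n in failures.items() if n >= threshold),
        "suspicious_accepts": suspicious_accepts,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in sorted(report["failures"].items(), key=lambda kv: -kv[1]):
        print("%-16s %d failed, users tried: %s" % (ip, n, ", ".join(report["usernames"][ip])))
    print("sources over threshold:", report["brute_force"])
    print("accepted logins from those sources:", report["suspicious_accepts"])
```

The per-source counts are the noise the comment talks about: untargeted scanners walking port 22 with a dictionary of usernames, which is what a port move filters out. The last line of the report is the part that matters either way: a password login for root accepted from an address that had just failed four times is the thing to alert on, and moving the port changes nothing about how that case should be handled (it is a reason for key-only authentication, not for a more obscure port).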

Re:proprietary security is like creationism (2, Insightful)

Repossessed (1117929) | more than 6 years ago | (#21288741)

What you describe is more security through difference than security through obfuscation. The problem with the closed source models is that inevitably, all of the targets are the same as what the attacker has, so the attacker can study his copy, find vulnerabilities, and then exploit them elsewhere. Being different than the standard will protect from this, obfuscating the attackers copy will only slow him down slightly.

Re:proprietary security is like creationism (1)

ichthus (72442) | more than 6 years ago | (#21289199)

The problem with the closed source models is that inevitably, all of the targets are the same as what the attacker has...

This is not necessarily true with closed source, but is ALWAYS true with open source.

Re:proprietary security is like creationism (1)

Fred Ferrigno (122319) | more than 6 years ago | (#21288781)

To be clear, you're talking about abiogenesis, not evolution. Evolution merely describes the natural processes that are known to occur in living organisms here on Earth and doesn't make any claims to how that life got here in the first place.

There's not much direct evidence in support of abiogenesis. It's more of a logical argument that life had to come from somewhere, at some point. Even if you accept that God created the Earth and all the life on it, God himself is a living being so the creation of Earth was not the beginning of life. Unless you don't consider God to be a living being, in which case creationism is abiogenesis.

Re:proprietary security is like creationism (1)

ichthus (72442) | more than 6 years ago | (#21289345)

You're right -- I was talking about abiogenesis. I never mentioned evolution. But, abiogenesis IS a prerequisite to rejecting creationism, and therein lies my point.

As for your last sentence, if you include supernatural in your definition of "living being", then you are once again correct. If, however, you assert that creationists must believe the Creator to be a mortal creation Himself, then you're stuck back at the problem of God's spontaneous generation. In that case, nothing is gained and, as you stated, creationism would be abiogenesis.

So, as I understand it, the non-creationism standpoint relies on the improbable concept of abiogenesis. The creationism standpoint relies on the as yet unprovable concept of the supernatural -- an extra-temporal God who has no beginning or end. Thus, the Creator of the beginning does not Himself depend on His own beginning.

Re:proprietary security is like creationism (0)

Anonymous Coward | more than 6 years ago | (#21289561)

So, as I understand it, the non-creationism standpoint relies on the improbable concept of abiogenesis.
This would be true, if it weren't for the fact that creationists tend to reject evolution as well as abiogenesis. But there are many people who believe strongly in evolution but take a more agnostic view of the abiogenesis vs. intelligent design question. I doubt many scientists would have the same objection to creationism if creationists would agree to something along the lines of, "regardless of how life came to be many millions of years ago, it has evolved into what it is." Then the only area of debate would be whether life spontaneously came to be or whether a supernatural force brought it into being. Both standpoints would basically be equally unprovable.

The problem comes with creationists who insist that 6000 years ago, God created everything the way that it currently is. That viewpoint is provably wrong. We know life pre-dates that and we can see the effects of evolution. It's only the religious element that believes that the Bible is the word of God and 100% accurate in every way that gives the more rational Christians a bad rap.

Disclosure gets you better security (1)

Russ Nelson (33911) | more than 6 years ago | (#21286403)

Disclosure gets you better security. Yes, it means two steps forward and one step backwards. If you only look at the step backwards then you'll miss that you've gotten better security overall.

Douglas Adams? Anyone? Bueller? Bueller? (1)

jackpot777 (1159971) | more than 6 years ago | (#21286413)

"A common mistake people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools." - Douglas Adams.

You're welcome.

Android (3, Insightful)

hansamurai (907719) | more than 6 years ago | (#21286419)

This is the second article about Google Android today already and we never even discussed the original announcement, just what Ballmer and now ZDNet have to say. But I suppose there will be a long line of articles in the future so maybe it won't matter, just seems odd.

Re:Android (1)

UnanimousCoward (9841) | more than 6 years ago | (#21287325)

Be this a troll? Where hast thou been?

http://linux.slashdot.org/article.pl?sid=07/11/06/0223211 [slashdot.org]

Re:Android (0)

Anonymous Coward | more than 6 years ago | (#21287559)

Ahh, thanks, missed the original announcement I guess.

Open is better (2, Insightful)

dnoyeb (547705) | more than 6 years ago | (#21286429)

That's foolishness. Open source is far and away a more secure platform than "closed" source. One problem with closed source is that no software is truly closed. So you still have a handful of perhaps underpaid folks that get to see the holes just for themselves. Not to mention the same folks can add their own holes. And still, when holes are found, the closed source companies tend to act like they don't exist. And try to write for themselves contracts that prevent them getting in trouble for said holes. There are just too many problems with security in "closed" source software.

Open source does not have any of these problems. Only problem with open source is if you have one person who is significantly smarter than everyone else looking at the code and can come up with an exploit before anyone else notices. This is a more comfortable position to be in as far as I am concerned.

Re:Open is better (1)

davidsyes (765062) | more than 6 years ago | (#21286665)

I thought a decompiler can see the code, that is if the cracker/hacker HAS the relevant decompiler. So, how 'expert' are these so-called experts?

Re:Open is better (1)

moderatorrater (1095745) | more than 6 years ago | (#21287515)

When you compile a program about 90% of the information in the original code is lost. The variable names, the object names, function names, and all comments are stripped out and replaced with something else. A decompiler can see some code, but not the code, and for large applications, that makes a huge difference.

Re:Open is better (3, Informative)

starfishsystems (834319) | more than 6 years ago | (#21286689)

From the parent article:

The debate about the relative security merits of open-source as opposed to proprietary software development has been a very long-running one

Indeed. The principle of open security was first proposed by Auguste Kerckhoffs in 1883.

Any time security depends on the secrecy of some mechanism, that security is perpetually at risk. All these millions of instances of the same vulnerable mechanism, no way to tell in general whether their security has been broken, and -- as you point out -- a certainty that the vulnerable secret cannot be contained.

In what way exactly does this remain a matter of debate?

Re:Open is better (0)

Anonymous Coward | more than 6 years ago | (#21287167)

You misunderstood Kerckhoffs' principle, as it has nothing to do with the open/closed software debate. Kerckyboy was talking about ciphers, and how you shouldn't RELY on the secrecy of their design to preserve their security. It wasn't a question of peer review at all.

The open/closed code debate is really about code review. The real benefit for open source software in the debate is that you get in theory a number of "free code reviewers" out there by releasing your software as open source. I said in theory because the true worth of these "reviewers" is notoriously difficult to evaluate - it probably depends a lot on the software's popularity and its type of users. But nothing stops a closed source shop from hiring code reviewers - I wouldn't claim that the practice is widespread enough considering the current state of code security, but it is certainly being done in many places.

In the end, of course secrecy can help the security of a system, even if it is by no means sufficient nor necessary. For example, you don't publish your network map, even though in theory your network is "secure".

Re:Open is better (1)

moderatorrater (1095745) | more than 6 years ago | (#21287533)

They need to remember the cryptography community and the history of the field. The NSA has made a lot of cryptographic algorithms with some of the most talented mathematicians in their generations. Years later, when they're declassified, the cryptography experts pick them apart and they've found some of the core algorithms were deeply flawed. If the NSA can't keep a closed-source algorithm secure, what makes any private company think they can do it?

Can you say DLL Hell? (4, Interesting)

erroneus (253617) | more than 6 years ago | (#21286583)

People will want to make their phones do special and complex things. To facilitate this, they will write API libraries that other parties will also use because the phone's basic API will not support much.

The results of a non-robust API will be large amounts of object code libraries being built and installed, varying dependencies and conflicts and on and on. As much as possible, it would be best to maintain the API from a single point. This will also enable a much smoother user experience since people won't be forced to create their own GUI libraries and the like.

It needs to be complex and it needs to support everything... at least potentially. Ideally, everything except the data and the object code should be provided through the OS and OS supplied libraries. This would best guarantee compatibility and stability. But we know it won't happen that way. We can't even get KDE and GNOME unified. Some "smarter-than-you-and-me" guy will write something that will be rejected by the masters of the API but will be used by a variety of other developers and then it all begins.

And what happens when the OSS community rebels? Recall how XFree86 became stagnant and people rebelled to create X.org? That wasn't a disaster, but what happens when it happens on users' phones? And will there be multiple phone distros? And will AT&T and T-Mobile try to lock them up? And if they "can't" then will they block those phones from being used on their network (in spite of laws to the contrary)?

Re:Can you say DLL Hell? (1)

mattgreen (701203) | more than 6 years ago | (#21287623)

There won't be a single API that is maintained. Inevitably such a project will eventually fork because one of the chief maintainers will go crazy because someone deviated from using the correct brace style.

As quaint as it sounds, I'm a big fan of static linking when it comes to APIs that are not a part of the base operating system. This is probably because I expect the user to lose each and every related dependency, configuration file, and other random file that my app needs to run. You don't know how nice it is to have a single executable file that you know will run on most everyone's computer without any problems. I will gladly take slightly larger executable size in exchange for this. The biggest problem with static linking is that your program won't benefit from updates to the libraries because they're statically linked in. Only you can determine whether that is acceptable or not, based on how often the library is updated, the nature of the updates, and your application's attack surface.

I really hope that people who want to program for the phone be extra careful. A few security slip-ups can easily result in customers getting charged outrageous data fees, provider networks being saturated with worms, and cellular providers having second thoughts about the whole thing.

Re:Can you say DLL Hell? (2)

fbartho (840012) | more than 6 years ago | (#21288755)

Assuming, like many, that for libraries, disk space and bandwidth is close to no concern, just make sure to provide an auto-update feature to your application. (If the device is really constrained then you'll run into problems with that mentality.) You get all the benefit of static linking's portability, and for the minor cost of maintaining an online site for distribution, you can update any time any of your libraries get important updates. You could probably even automate the update cycle with a couple of scripts that check the respective library sites, pull down new versions as they update, and then run your build scripts, and then run your unit tests, then, assuming it passes (you do use unit testing, right?), automatically update your website with the latest build if version numbers of your external sources get bumped. Thus on a daily basis your stable release can be updated. Then as time moves on you tag new versions of your personal code as stable (merge them into the right svn branch, etc.) and by the end of the day, your users are happy. Just make the autoupdate process seamless to your users (easy, clear preference to autoupdate or not), an info box linked from a simple icon indicating that new updates have been downloaded and will be installed at launch, etc. To reduce security risks you can host digital signatures of the latest builds on a separate site (along with the appropriate public key), and your app will only install if the signature matches. On Mac you can take advantage of the code signing of Leopard.

Note, this whole autoupdate mechanism should be done on the computer side (assuming there is a computer involved). Every time the user syncs their device they can then get the application synced as well.
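The signed-build check the post above describes, as an added example that is not part of the original comment or of any real project: the publisher signs a manifest (version plus SHA-256 of the build) with an Ed25519 key, and the client, which pins the public key, refuses anything whose signature, digest or version does not check out. The Manifest type, the field names and the version-downgrade rule are assumptions added here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical record the distribution site publishes beside
// each build: the version number and the SHA-256 of the build bytes.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// bytes returns the canonical encoding that is signed and verified.
func (m Manifest) bytes() []byte {
	out := make([]byte, 4+32)
	binary.BigEndian.PutUint32(out[:4], m.Version)
	copy(out[4:], m.Digest[:])
	return out
}

// SignBuild runs on the publisher's side: hash the build and sign
// version+digest so neither can be swapped without the private key.
func SignBuild(priv ed25519.PrivateKey, version uint32, build []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(build)}
	return m, ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate runs on the client before anything is installed. pub is the
// key pinned inside the app; installed is the version currently running.
// Signature is checked first, so a forged manifest never reaches the other
// checks; the version check stops an attacker replaying an old, signed build.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, build []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if m.Version <= installed {
		return errors.New("refusing downgrade or replay of an older build")
	}
	if sha256.Sum256(build) != m.Digest {
		return errors.New("downloaded build does not match signed digest")
	}
	return nil
}

func main() {
	// Constructed demo: a fresh key pair and a fake build blob.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	build := []byte("constructed build bytes, version 2")
	m, sig := SignBuild(priv, 2, build)

	fmt.Println("genuine update:", VerifyUpdate(pub, 1, m, sig, build))
	tampered := append([]byte{}, build...)
	tampered[0] ^= 1
	fmt.Println("tampered build:", VerifyUpdate(pub, 1, m, sig, tampered))
	fmt.Println("replayed build:", VerifyUpdate(pub, 2, m, sig, build))
}
```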

Black Hat Microsoft? (0, Flamebait)

kuipersm (1186451) | more than 6 years ago | (#21286599)

Perhaps this is a really dumb idea, but I can't get it out of my head. Please someone tell me I'm wrong and why. I can't stop myself from considering the possibility that there could be Microsoft lackeys that would purposely release malware for things like the Android so that people don't buy it. I feel like Microsoft has more than enough money to cover up their tracks too, so really - what's stopping them?

From the wha...? (2, Interesting)

Pojut (1027544) | more than 6 years ago | (#21286623)

are-we-talking-lore-dumb-or-kryton-dumb depart.

Whoa...wait...is that...no...it couldn't be...

Is that a Red Dwarf reference right there at the top?!?!??!

I woulda thought a place like teh slash would have had more references to that show, honestly...and for the record, Kryton was WAY smarter than Rimmer or Lister...

Unless...this is a reference to something else, and I'm being my usual dumb self..

Re:From the wha...? (1)

aproposofwhat (1019098) | more than 6 years ago | (#21287563)

Of course, Kryton is a reference to J M Barrie's The Admirable Crichton [wikipedia.org], a story about a shipwreck that results in the butler ascending to rule over his erstwhile 'betters'.

The 1957 film starring Kenneth More is well worth watching, and nearly as funny as Red Dwarf itself.

Re:From the wha...? (4, Informative)

Kryten107 (1128675) | more than 6 years ago | (#21287711)

The world needs more Red Dwarf references. And it's spelled Kryten. I should know.

Wonders of open source (2, Insightful)

BlueBoxSW.com (745855) | more than 6 years ago | (#21286653)

I like open source projects (mysql and subversion are tops in my book), but I have to take exception with the notion that open source software is great because thousands of people from around the world are looking at and trying to fix the code. I think this is bull$h!t. Open source code is coded by a small fraction of its userbase. And each project still has one, or maybe two people at the top that approve and integrate each real change. It's not this automated machine. When developing any kind of software, you still need someone in charge. Any software project needs a way to align the needs of the market with the efforts of the developers. In closed-source software, this is provided by the market. Money. And coordinated by non-coders, who try to find the greatest need in the market and fill it, because there's cash to be made. In open source, there's no such mechanism. Coders add features because they need them for their particular purpose, or because they are cool. As a result, some important features always seem to get overlooked.

Re:Wonders of open source (2, Insightful)

cptdondo (59460) | more than 6 years ago | (#21288459)

Yabut...

The beauty of open source is that it lets people like me contribute little dribbles here and there. I've probably touched a couple of dozen projects; typically only contributing a single fix or small feature, even something as small as the ability to daemonize hot-babe.

Now by itself that's not much, and in the context of progress it's minuscule, but it adds a tiny feature. Certainly I'm not a cathedral builder, I'm more of the guy who comes in and sweeps up the dust by one door.... But with enough sweepers pretty soon the whole place is clean.

So your argument is predicated on the need for cathedral builders, but there are many, many more sweepers like me who contribute one small thing here and there.

That's what closed source is missing. There's no room for the sweepers; the folks who scratch that one minor itch.

XUL would be a better widget set (0, Offtopic)

tvlinux (867035) | more than 6 years ago | (#21286687)

XUL is the widget set of Mozilla. Because it is XML based, it is more secure because there is less parsing and less chance of programming errors. It will also allow digitally signed remote XUL applications to run. Mozilla is working on a phone version browser.

shaun

most basic of basic programming trumps security (1)

poetmatt (793785) | more than 6 years ago | (#21286733)

If I remember correctly from the brief days of my programming, isn't it possible to copy an entire program into a text copy of the executable simply by mirroring the source output from an exe into a separate text file, which can even be done in things such as pascal? Doesn't this trump the whole "you can't seeeeee that" false sense of security?

So why is it that people think that not being able to look would be more secure when you really can't lock it out? Isn't it also a fact that when a vulnerability is abused in open source that it can be fixed just as fast?

Reverse engineering not required (4, Informative)

tjwhaynes (114792) | more than 6 years ago | (#21286807)

The source code in proprietary software, on the other hand, can't be directly viewed, meaning vulnerabilities need to be found through reverse engineering.'

This is so wrong it isn't funny. I need to know NOTHING about the internals of a program to exploit it - I only need to find a set of inputs that make it crash in interesting ways. Buffer overflows can be trivially used to redirect a running program to jump to a stack frame supplied as part of the crafted inputs. There are other ways to play the game against binaries without reverse engineering.

Cheers,
Toby Haynes

A big 'duh!' from this end (1)

l0b0 (803611) | more than 6 years ago | (#21287303)

[S]ecurity experts claim that the less smart a phone is, the less vulnerable it is.

Next they'll be telling us that "smart" functionality is a buzzword-compliant euphemism for complex code, that complex code is harder to debug than simple code, and that code which is hard to debug often has a lot of, surprise, vulnerabilities. How is this news?

Embedded systems - feature vs. bug (2, Insightful)

cdrguru (88047) | more than 6 years ago | (#21287351)

The thing that a lot of people do not understand is that for the most part cell phones are one-time-programmable consumer electronic devices. Once the code is released to manufacturing, that is it. There are no more bugs - just unexpected features.

It matters not who is looking at the code in terms of fixing it. It is not updatable. I suppose it is possible that someone might come up with an updatable phone that was 100% impossible to "brick" but so far I've not seen it. The risks do not outweigh the rewards with that and the current "experiment" with the iPhone is not proving to be very satisfying. Yes, they have a distribution technique for software updates through iTunes, but how many phones did they lose with the first update?

Treo has a slightly better record, except they do not have a distribution method. You have to download stuff and jump through all kinds of hoops. Perhaps 1 in 10 people update their Treo. I suspect Blackberry isn't much different from that. Also, it is far, far too easy to utterly destroy a Treo with a bad update.

No, I would not count on updates. Too risky and too little penetration. The end result is bugs that get released are features. And they are there to stay.

What kind of phones do you use? (1)

SmallFurryCreature (593017) | more than 6 years ago | (#21288395)

Phones have been updatable for a long time; simply by selecting an option somewhere in the settings, it will check for and download the latest software for that phone.

You would really have to travel back in time to get phones that don't have this.

Re:Embedded systems - feature vs. bug (1)

2nd Post! (213333) | more than 6 years ago | (#21288427)

Huh? The iPhone and the Treo model is identical. The difference is that Apple provides a download manager called iTunes to facilitate the distribution. You still have to go through hoops to install the update (i.e., click yes to download, click yes to install, click yes to confirm install).

I also suspect they did not lose many phones at all, though, or we would have heard about it in the earnings... in other words the returns/repairs would have hit them (much like the XBox 360 repair/returns hit Microsoft).

As Scotty always said... (0)

Anonymous Coward | more than 6 years ago | (#21287751)

"The more they overthink the plumbing, the easier it is to stop up the drain."

-- Chief Engineer Montgomery Scott

Obviously (1)

proxy318 (944196) | more than 6 years ago | (#21288107)

The Dumber Android Is, the Better Say Experts
Well, obviously. It's the smart ones that rise up against their human masters in a bloody revolution. The ones that only know how to clean toilets never do that.

very promising (1)

m2943 (1140797) | more than 6 years ago | (#21288805)

Symbian say it's no good, Microsoft says it's no good, the Java lobby says it's no good. It looks to me like Android must be a winner if all these people declare their undying hate for it.

The dumber android the better... (1)

Brad1138 (590148) | more than 6 years ago | (#21288911)

Ya, a dumb Android 18 [wikipedia.org] would be fun.

Nice headline. (1)

saveourskyline (1103211) | more than 6 years ago | (#21289709)

Wouldn't it be great if /. editors learned how to use a frickin' comma?

Of course!! (1)

Snaller (147050) | more than 6 years ago | (#21289747)

It doesn't matter if your android is not so bright, as long as she is hot!
