  1. #21  
    Good discussion.
    Qualcomm QCP 2700 -> ... Palm m125 ... -> Instinct -> Palm Pre

    I tweet a lot about the Pre! @bshedwick
  2. squeff
    #22  
    Quote Originally Posted by emoney_33 View Post
    Why would you download and run a script that you don't know anything about? There is no way I know of from getting across the web through the browser into your shell to execute commands.

    What are you saying here?
    Plenty of people get fooled into downloading all sorts of things. They also believe Nigerian scams.

    Have you downloaded any homebrew apps? If so, did you review the code, line by line, to ensure that it wasn't doing something nasty?
  3. #23  
    Quote Originally Posted by T3CK View Post
    You don't download any script. I go to your Pre, through your public IP and upload myself a script into your /tmp folder. Then, it will execute by itself at next boot. You have no idea I'm on your phone, during all this time.
    Erm, what? So, you would have to somehow capture someone's IP address who is currently using a Pre and not only did they open up their firewall for the USB port (ala developer mode) but they somehow modified it so it's open for WAN as well.

    Has anyone even done that yet on a Pre? You're pretty paranoid...
    Quote Originally Posted by T3CK View Post
    I totally agree. I'm sure you helped site owners who were getting hacked recently through /var/www/html/page dirs (chmoded at 0777, instead of being owned by a specific user). It is crazy sometimes how you can overlook simple details.
    Erm, what? That's not a simple detail. That's one of the first things you should look at and ensure.
  4. #24  
    Quote Originally Posted by squeff View Post
    Plenty of people get fooled into downloading all sorts of things. They also believe Nigerian scams.

    Have you downloaded any homebrew apps? If so, did you review the code, line by line, to ensure that it wasn't doing something nasty?

    I have no sympathy for people who believe such obvious scams. Who cares if you can get a small minority of the human race to do whatever you want them to do?

    Homebrew apps aren't all that risky. If any homebrew app has access to the private bus (com.palm namespace) then absolutely I would review the code. It's not like homebrew apps can access the underlying linux user land.
  5. #25  
    Quote Originally Posted by ssrjazz View Post
    Almost every 'hack' out there for linux involves gaining root access to a shell via some vulnerable service running on that box. So either you have to have local access to it, or find and exploit a vulnerability in apache, sshd, or some other program. If you're not exposing any services over EVDO or wifi, then you'll most likely be fine.


    Not to say it isn't still possible. There may be holes in the sdk or some other app you run that is exploitable by visiting a malicious web page, email attachment, picture or otherwise. Still far less likely to get a compromise on your Pre than a windows desktop machine.

    Wasn't talking about the Pre as much as the previous poster's dig on Windows saying it is easy to hack and Linux wasn't.

    At least Windows now has the ability to push security updates (Windows is fairly secure if you have all updates installed). There are just a lot more people targeting it than there are Linux.

    Nothing is hack proof, especially if the user doesn't constantly update with all known security fixes.
  6. T3CK
       #26  
    Quote Originally Posted by emoney_33 View Post
    How do you "go to my Pre"?

    Am I on wifi, with ssh server setup? How do you know my password?
    I was thinking of the EVDO scenario. I never looked into it, but if it is easy to share an IP on other phones, there must be a way to get inside the phone the same way? We are talking hypothetical scenarios here, there is no need to nickel and dime details.
    Floren Munteanu
    why queued - My blog
  7. #27  
    Quote Originally Posted by DavidRR View Post
    Wasn't talking about the Pre as much as the previous poster's dig on Windows saying it is easy to hack and Linux wasn't.

    At least Windows now has the ability to push security updates (Windows is fairly secure if you have all updates installed). There are just a lot more people targeting it than there are Linux.

    Nothing is hack proof, especially if the user doesn't constantly update with all known security fixes.

    That tired argument of "more people target Windows" is crap. Linux is more secure by design, period. Doesn't mean it's perfect.
  8. #28  
    Same question but for other phones... what's stopping hackers from hacking Android phones or the iPhone?
  9. squeff
    #29  
    Quote Originally Posted by emoney_33 View Post
    I have no sympathy for people who believe such obvious scams. Who cares if you can get a small minority of the human race to do whatever you want them to do?

    Homebrew apps aren't all that risky. If any homebrew app has access to the private bus (com.palm namespace) then absolutely I would review the code. It's not like homebrew apps can access the underlying linux user land.
    So, you're smarter than the millions of people that have been hit by viruses, scams, etc.

    But, I suppose, you're also someone that blames the victims of terrorist attacks for being stupid, aren't you?
  10. PreGame
    #30  
    You guys are full of WHAT IF's.

    T3ck, first off, if a script is downloaded to your /tmp it cannot execute on boot. There is no way for it to run in the /tmp. The web browser doesn't run as root so it cannot execute crap to install it as a service to automatically start after reboot.

    In order to hack your phone you HAVE to have it connected to your PC with developer mode enabled. I would say WebOS is pretty darn secure.
    MyFlashlight - The Original Palm Pre Flashlight Application
    fileCoaster - The Original On Pre Application Installer

    Donations are greatly appreciated and can be donated HERE!. Again thank you ALL for your continued support!

    Follow us on Twitter @vertigoapps
  11. T3CK
       #31  
    Quote Originally Posted by emoney_33 View Post
    777 is not a simple detail...
    There are like a zillion popular PHP scripts out there that tell you to chmod certain public dirs to 0777. People will do it, because they are told to. For them, it is a simple technical detail... not a big security flaw.
    Floren Munteanu
    why queued - My blog
  12. #32  
    Quote Originally Posted by T3CK View Post
    I was thinking of the EVDO scenario. I never looked into it, but if it is easy to share an IP on other phones, there must be a way to get inside the phone the same way?
    What can you do with my phone's EVDO IP? I'll give you all my IPs right now if you want... How is anyone going to access my phone given the IP address? Do I have no firewall, are there open ports, do you know my ssh password and know I have it set up over EVDO?

    You can't use this hypothetical nonsense in such general terms to the point of well if I have a public IP I can be hacked...

    We are talking hypothetical scenarios here, there is no need to nickel and dime details.

    Uhh yes there is, you can't just assume "It has internet access and therefore can be hacked and destroyed with a virus"...
  13. squeff
    #33  
    Quote Originally Posted by PreGame View Post
    You guys are full of WHAT IF's.

    T3ck, first off, if a script is downloaded to your /tmp it cannot execute on boot. There is no way for it to run in the /tmp. The web browser doesn't run as root so it cannot execute crap to install it as a service to automatically start after reboot.

    In order to hack your phone you HAVE to have it connected to your PC with developer mode enabled. I would say WebOS is pretty darn secure.
    Said by the person that wrote one of the most useful apps on the Pre: something that lets stupid people install programs on their Pre without thinking about it.
  14. #34  
    Quote Originally Posted by squeff View Post
    So, you're smarter than the millions of people that have been hit by viruses, scams, etc.

    But, I suppose, you're also someone that blames the victims of terrorist attacks for being stupid, aren't you?

    Yup, let's jump from victims of Nigerian "give me your bank account" scams to terrorist attack victims. You are close to being on ignore.
  15. squeff
    #35  
    Quote Originally Posted by emoney_33 View Post
    Yup, let's jump from victims of Nigerian "give me your bank account" scams to terrorist attack victims. You are close to being on ignore.
    My original point is that it's easy to get tricked. Or to simply be unaware.

    I thought you were arguing that anyone that ever gets anything hacked, scammed, or whatever is simply too stupid to care about.

    Wasn't that your point? That anyone that would run a program without knowing, 100% sure, that it was safe is stupid?
  16. Shado.F
    #36  
    A Pre is a phone, not a PC. I doubt anyone would constantly be on the verge of downloading ridiculous files on to their phone. The likelihood of this even happening is pretty low.
  17. T3CK
       #37  
    Quote Originally Posted by PreGame View Post
    You guys are full of WHAT IF's.

    T3ck, first off, if a script is downloaded to your /tmp it cannot execute on boot. There is no way for it to run in the /tmp. The web browser doesn't run as root so it cannot execute crap to install it as a service to automatically start after reboot.

    In order to hack your phone you HAVE to have it connected to your PC with developer mode enabled. I would say WebOS is pretty darn secure.
    But the browser executes JS (injection, actions, etc.)?

    As I said, we nickel and dime details that are not even explored... I'm just discussing friendly with you guys about the possibility to wake up one morning and instead of an update to get a nice e-bomb. That was the idea of this thread, not how to prove that I could hack into your phone.
    Floren Munteanu
    why queued - My blog
  18. #38  
    Quote Originally Posted by squeff View Post
    My original point is that it's easy to get tricked. Or to simply be unaware.

    I thought you were arguing that anyone that ever gets anything hacked, scammed, or whatever is simply too stupid to care about.

    Wasn't that your point? That anyone that would run a program without knowing, 100% sure, that it was safe is stupid?


    No, it was the small minority that fall for ANYTHING (e.g. Nigerian scams). You can't take away a user's freedom over their product. Therefore you can never protect against someone who will listen to step by step instructions with blind faith no matter what. Because if there is a way for me to do anything locally to my computer or device, then I can give you instructions to do anything. If you have blind faith in everything I tell you to do... you can NOT protect against that.
  19. #39  
    Quote Originally Posted by T3CK View Post
    But the browser executes JS (injection, actions, etc.)?

    As I said, we nickel and dime details that are not even explored... I'm just discussing friendly with you guys about the possibility to wake up one morning and instead of an update to get a nice e-bomb. That was the idea of this thread, not how to prove that I could hack into your phone.

    So the discussion is basically "There MIGHT be vulnerabilities in the sandboxes"? Yea there probably are, and hopefully the good guys find them first. But that is true for every device and OS, we can't really discuss non-specifics or unknowns.

    There aren't any known vulnerabilities in the web browser and adapter plugin that control your browsing experience. Also there are people who search for and find vulnerabilities that go directly to Palm.
  20. #40  
    Quote Originally Posted by gabbott View Post
    Just because it is easy to "hack" doesn't mean it lacks security.
    I'll go back to my original reply. Not saying there are not security vulnerabilities but the premise that because the user can gain root access to the device inherently makes it insecure is not necessarily a valid assumption.