  1. Sovvy
    #61  
    @dbd: Besides, worrying about this kinda stuff doesn't stop it from happening. I knew a kid that used to make viruses and he was an ahole through and through.

    And I do not doubt Palm's ability in sending out a fix for it in no time at all.

    (Happy Face that is faking the smile)
  2. #62  
    boy this was a waste of my reading........get a life peeps
  3. #63  
    I'm not wanting to get into the debate here (since it seems we have a very large impedance mismatch amongst the participants).

    I just want to reassure readers that the WebOS Internals team takes security very seriously, and we specifically design our packages to reduce the risk of users unwittingly installing malware. We also review any packages we release to the public to ensure they don't have vulnerabilities that can be exploited.

    One of our team has already reported a number of core webOS vulnerabilities to Palm, and Palm has responded professionally and enacted security fixes in each of the webOS releases as a result.

    The Pre is just like any other Linux computer that is connected to the Internet (e.g. the servers that run at Google, or Wikipedia). It is not immune from malware, just as Google's public facing servers are not immune. It has a robust iptables firewall enabled by default, just like any other well-managed Linux computer connected to the internet. It has separation of privilege between webOS applications and the underlying Linux operating system. WebOS Internals instructions and scripts specifically prohibit the SSH daemon we install from allowing root password logins from the Internet.

    Advanced homebrew packages (like Services and Plugins) have binaries and installation scripts that execute as the root user in Linux. The Preware application installer specifically alerts the user to such scripts, and allows the user to review the source code of the script before running it. Now we know that not many users will actually look at the source code, but enough advanced users will do so to ensure that packages in the default feeds that come with Preware are likely to remain malware-free. All WebOS Internals services and plugins are open source, so the source code is available for public security scrutiny.

    What you should be cautious about is any closed source homebrew application, service or plugin which asks you to run a script at installation time. Since the source code to such closed-source applications is not available for public security review, you then need to trust the author to ensure they are not intentionally or unintentionally reducing the security of your Pre from its default state.

    -- Rod
    Last edited by rwhitby; 09/11/2009 at 07:06 PM.
    WebOS Internals and Preware Founder and Developer
    You may wish to donate by Paypal to donations @ webos-internals.org if you find our work useful.
    All donations go back into development.
    www.webos-internals.org twitter.com/webosinternals facebook.com/webosinternals
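
Added example (not part of the thread, and not WebOS Internals' own script): a check for the SSH setting described in post #63, that the daemon does not allow root password logins. It assumes an OpenSSH-style sshd_config; the function name `audit` and the sample configurations are constructed for illustration.

```python
# Added example: audit OpenSSH-style sshd_config text for root password login.
# Assumption: OpenSSH parsing rules (case-insensitive keywords, first value
# seen for a keyword wins, settings after "Match" apply only conditionally).

def audit(text, default_root_login="yes"):
    """Return findings; an empty list means root cannot log in by password.

    default_root_login is what the build uses when PermitRootLogin is unset
    ("yes" on older OpenSSH releases, "prohibit-password" on newer ones).
    """
    glob, findings, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # "Keyword=value" is accepted as well as "Keyword value".
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        elif in_match:
            # Conditional override: flag it for review rather than guess scope.
            if key == "permitrootlogin" and value == "yes":
                findings.append("Match block sets PermitRootLogin yes")
        else:
            glob.setdefault(key, value)  # first occurrence wins
    root = glob.get("permitrootlogin", default_root_login)
    password = glob.get("passwordauthentication", "yes")
    if root == "yes" and password == "yes":
        source = "set" if "permitrootlogin" in glob else "unset, build default"
        findings.append(f"root password login allowed (PermitRootLogin {source})")
    return findings

# Constructed sample configurations (not taken from any real device).
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = (
    "# keys only for root\n"
    "PermitRootLogin without-password\n"
    "PasswordAuthentication yes\n"
    "PermitRootLogin yes   # ignored: an earlier value already won\n"
)
UNSET = "Port 22\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("unset", UNSET)):
        print(name, audit(cfg) or "ok")
```
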
  4. p4trickh
    #64  
    All devices will have exploits; that's why any OS in development gets constant security fixes. I understand the original poster simply wants a friendly discussion, but this is like a discussion on the sky being blue. PreGame and rwhitby make excellent points and as long as you use common sense with any computer you use you should be safe, to a reasonable degree +/- sh!t happens.
  5. #65  
    I bet it won't be too long before some security whole is found, just like with the 500 txt message bomb that could temporarily disable an iPhone.
  6. #66  
    Originally posted by kyleamorgan:
    I bet it won't be too long before some security whole is found, just like with the 500 txt message bomb that could temporarily disable an iPhone.
    There already have been serious security holes found, and fixed.

    -- Rod
  7. #67  
    Originally posted by kyleamorgan:
    I bet it won't be too long before some security whole is found, just like with the 500 txt message bomb that could temporarily disable an iPhone.
    Luckily Palm has set up their update process to not only require users to update, but with OTA updates users are not inconvenienced too terribly like with other certain phones, where users particularly go out of their way to not install updates.
  8. #68  
    Originally posted by kyleamorgan:
    I bet it won't be too long before some security whole is found, just like with the 500 txt message bomb that could temporarily disable an iPhone.
    Yes, but will it be a hole whole, or just a partial whole?
    (Sorry, couldn't resist)
  9. #69  
    Originally posted by dbd:
    Not everybody knows all the technical details like some of us do. I think it was a VERY legitimate question for him or anybody to ask. Why'd u have to jump down his throat like he's some kinda *****?
    Because he portrayed himself as someone who's very familiar with Linux and attempted to explain possible attack vectors that just won't work.

    I didn't want him scaring anyone.
  10. #70  
    Originally posted by Kasracer:
    Because he portrayed himself as someone who's very familiar with Linux and attempted to explain possible attack vectors that just won't work.

    I didn't want him scaring anyone.
    Oh, alright. I didn't realize he did that. Sorry 'bout that.
  11. nebj00la
    #71  
    I just HAVE to throw my two cents in here... The majority of people that take the time to install SSH on their phones have the common sense to set a password. You can argue brute force, etc. all you want, but at the end of the day this is no different than any other node on the Internet.

    Vulnerabilities are found daily, and the white hat hackers fix the problems. I can honestly say we have PLENTY of white hat people in this community who would not stand for exploits to go unmonitored/unfixed.

    This thread is generalizing on security, and it's falling further and further away from the Pre as a device. The maintainers of the "homebrew" scene will make sure the end users know when code is being executed. If someone makes an application that steals all your personal information, it's bound to be discovered sooner than later.

    ...and now for something to help you sleep at night:

    Tin foil hat - Wikipedia, the free encyclopedia
    Last edited by nebj00la; 09/12/2009 at 12:28 AM.
  12. #72  
    I am working with Symantec on Norton for webOS....more details soon if you want your Pre to take 3 hours to boot.










    Just Kidding...we don't want to ruin webOS do we?
    Palm History: Palm III>IIIc>CLIÉ NR70v>CLIÉ TG50>Tungsten C>Treo 650>Treo 700p>Centro>Pre!! 6/5/09
    Phone History: Way too long

    Sorry Timmy, SERO does not work with the Pre.
    If you have an iTouch click me.
  13. #73  
    Originally posted by nebj00la:
    The majority of people that take the time to install SSH on their phones have the common sense to set a password.
    actually, even better, most folks (like me) who are not experts in accessing Linux on the Pre will likely wind up at WOSinternals and follow the WebOS-internals methodology... which specifically leads you through the "Next Steps" of the process to create a password and the preferred method of connection to your Pre.

    So, I guess I am saying that in the case of the Pre at least, the well informed users who ssh via evdo or wifi will know to protect themselves and n00bs like myself will probably follow the same methods set up by the well informed users and will thus protect themselves.

    I do find it lame to imply a security risk on the Pre because stupid people will download stupid things. imho that is just not a viable premise for a security thread.

    It's critical to discuss the SPECIFIC details of how you propose that it can occur and see if the hypothesis can be shot down, if not congrats for helping expose a deficiency and making the Pre more secure by allowing it to be addressed.

    Don't speak in puffy, generalized clouds, especially if you are a Linux guy. Throw your "nickels and dimes" out and see if they amount to anything... otherwise it's just lame scaremongering.

    Lame like the alarmist, chicken little title of this thread. Designed to provide just enough titillating schlock to get folks to check in.

  14. ekuns
    #74  
    Originally posted by gabbott:
    Just because it is easy to "hack" doesn't mean it lacks security.
    Originally posted by Eugefunk84:
    actually, that's exactly what it means....

    a script can easily execute everything you do to root your phone, and at that point, it can wreak havoc. it can delete apps, steal your contact info, and so on
    Yes, if someone has physical access to your phone, or if someone can social-engineer you into choosing to install something dangerous and you say, "Yes, run these scripts," then all bets are off. Otherwise, you're just making much ado about nothing.

    A Pre is easy to hack when you have physical access and you connect it via USB to your computer on which you're running special software. This does not mean that a Pre is easy to hack, in general, especially via normal OTA use. Saying the Pre lacks security because it is "easily hacked" (I assume you mean "easily rooted") is simply uninformed.
  15. cjlemke10
    #75  
    I actually had this happen last weekend (9-19 to 9-20). I went to bed Saturday Night and my roommate wakes me up about 6AM Sunday morning to tell me that my phone had dialed him about 15 times during the night. Later I came to find out it dialed everyone in my quick dialer about the same number of times between 3AM and 6AM ... which included my parent's house. When I looked at my pre it was on the dial screen just dialing number after number. I took the battery out and then erased the quick dialer screen.

    It didn't make it to my contacts, but it worries me enough to be very leery of the homebrew apps.
  16. #76  
    Originally posted by cjlemke10:
    I actually had this happen last weekend (9-19 to 9-20). I went to bed Saturday Night and my roommate wakes me up about 6AM Sunday morning to tell me that my phone had dialed him about 15 times during the night. Later I came to find out it dialed everyone in my quick dialer about the same number of times between 3AM and 6AM ... which included my parent's house. When I looked at my pre it was on the dial screen just dialing number after number. I took the battery out and then erased the quick dialer screen.

    It didn't make it to my contacts, but it worries me enough to be very leery of the homebrew apps.
    If you are truly serious about this post (excuse me for being skeptical about your very first post on PreCentral detailing something that absolutely no-one else has experienced), then please run the WebOS Repair Tool and post here the list of files that it finds different.

    Note that a hardware problem with the touchscreen (which we have seen instances of before) can create the same behaviour that you just experienced (that was the real cause of the last time someone cried wolf on a Pre virus).

    -- Rod
  17. #77  
    Originally posted by cjlemke10:
    I actually had this happen last weekend (9-19 to 9-20). I went to bed Saturday Night and my roommate wakes me up about 6AM Sunday morning to tell me that my phone had dialed him about 15 times during the night. Later I came to find out it dialed everyone in my quick dialer about the same number of times between 3AM and 6AM ... which included my parent's house. When I looked at my pre it was on the dial screen just dialing number after number. I took the battery out and then erased the quick dialer screen.

    It didn't make it to my contacts, but it worries me enough to be very leery of the homebrew apps.
    I say bull. Unless you describe, in detail, how you "erased the quick dialer screen". Do you mean you deleted the program? If so, what program? There is no single "quick dialer" program, it's part of the core OS programs. I also notice this is your one post on this forum. I think it's bogus.

    Details, please.
  18. #78  
    Rather than argue with people who don't understand the first technical detail of the most common technical (rather than social engineering) exploits, let me post a quick wishlist of things that I would like in an updated webos to limit my own risk profile and give me better privacy controls:

    • The ability to disable auto-loading of remote elements (e.g. images) when viewing HTML email.
    • The ability to disable execution of javascript in HTML email.
    • The ability to disable execution of javascript in the browser.
    • The ability to delete cookies and clear cache in the browser.


    These are no-brainers and it's pretty unacceptable that Palm doesn't make these options available.

    I'd also love to be able to run privoxy or another ad-busting agent with the browser if nothing else to reduce the amount of data transferred and rendered, but I don't expect Palm to go out of their way to make this easy.
  19. #79  
    Thread title corrected to match content.

    - Craig
  20. #80  
    Originally posted by vga4life:
    Rather than argue with people who don't understand the first technical detail of the most common technical (rather than social engineering) exploits, let me post a quick wishlist of things that I would like in an updated webos to limit my own risk profile and give me better privacy controls:

    • The ability to disable auto-loading of remote elements (e.g. images) when viewing HTML email.
    • The ability to disable execution of javascript in HTML email.
    • The ability to disable execution of javascript in the browser.
    • The ability to delete cookies and clear cache in the browser.


    These are no-brainers and it's pretty unacceptable that Palm doesn't make these options available.

    I'd also love to be able to run privoxy or another ad-busting agent with the browser if nothing else to reduce the amount of data transferred and rendered, but I don't expect Palm to go out of their way to make this easy.
    I could be mistaken, but I don't think my Pre has ever auto loaded photos in the email client? I always have to manually download them as attachments before they will display properly in the message.

    As for disabling javascript in the browser, and clearing cache/cookies, check your browser preferences... Don't blame Palm for included features that you didn't look for, and call missing.