Page 1 of 5 12345 LastLast
Results 1 to 20 of 86
  1. T3CK's Avatar
    Posts
    414 Posts
    Global Posts
    423 Global Posts
       #1  
    I just thought about it... You know those pesky websites that try to instal backdoors in your PC. What if I go to that site with my Pre?

    I mean, this is an OS that could be easy to hack, due to the lack of security. You can gain root access easy and you start spamming or sending other virus without the owner knowing.
    Floren Munteanu
    why queued - My blog
  2. #2  
    Just because it is easy to "hack" doesn't mean it lacks security.
  3. #3  
    actually, thats exactly what it means....

    a script can easily execute everything you do to root your phone, and at that point, it can wreak havoc. it can delete apps, steal your contact info, and so on
  4. T3CK's Avatar
    Posts
    414 Posts
    Global Posts
    423 Global Posts
       #4  
    Ya, that's what I'm worried about.
    Floren Munteanu
    why queued - My blog
  5. #5  
    The malware those sites try to sneak in is likely specific to Windows. Most exploit problems in specific browsers, generally IE.
    I guess if there is any malware around that exploits WebKit and Linux it could be possible to get it on the Pre.
  6. #6  
    Not possible.

    First off, those sites are 99.99% of the time using Windows vulnerabilities and / or Windows binaries. No way they could even run.

    Secondly, the Web Browser is sandboxed (just like everything else). You cannot connect to the Mojo framework from within a web page.

    Thirdly, even webOS applications are sandboxed. You can't just execute framework commands from them. You also cannot execute scripts to root your phone from them.

    Rooting takes place when your Firewall is partially disabled (i.e. developer mode) and you run a script via SSH on your phone.

    Stop being paranoid.
  7. squeff's Avatar
    Posts
    581 Posts
    Global Posts
    623 Global Posts
    #7  
    If you are concerned about such things (and, at some level, aren't we all?), then do not install anything on your Pre. Most definitely not homebrew, but even stuff from the app catalog (how much do you REALLY trust Palm to confirm that there aren't hidden bombs?).

    Because, once you install something, it can do all sorts of nasty things, such as randomly call people in your phone book, spam those in your e-mail list, etc.

    And this is true for non-rooted devices, too. As long as you install things on your Pre, you run the risk.

    Now, what about visiting web sites? Can that do it? Maybe. I don't know enough about the browser to know if there are holes, but chances there are. If there is a hole, at some point, someone will exploit it.

    This, in fact, was the reason that Palm released that emergency OS release to fix the hole that allowed an ipk install via e-mail. And why, we hope, anything that's added to allow software downloads from the browser, are very limited.
  8. #8  
    Your computer may be broadcasting an IP Address!
  9. T3CK's Avatar
    Posts
    414 Posts
    Global Posts
    423 Global Posts
       #9  
    Quote Originally Posted by alpinejag View Post
    The malware those sites try to sneak in is likely specific to Windows. Most exploit problems in specific browsers, generally IE.
    I guess if there is any malware around that exploits WebKit and Linux it could be possible to get it on the Pre.
    Exactly. Because a hacker knows it is more difficult to take over a Linux OS.
    However, for WebOS, all I have to do is download a script into /tmp directory and make it execute as a service when you reboot your Pre (very easy to do since the root user is open to everyone). That will import all needed files to gain complete invisible access and from there ... sky is the limit.

    I'm very comfortable with Linux, I build my own RPM's and do pretty much everything on this OS. That is the main reason also why I got the Pre. The only way you could protect your Pre is by adding a custom passord to root user. That will take care of the issue. However, that will disable future upgrades because root is protected...
    Last edited by T3CK; 09/11/2009 at 01:07 PM.
    Floren Munteanu
    why queued - My blog
  10. #10  
    Quote Originally Posted by squeff View Post
    Because, once you install something, it can do all sorts of nasty things, such as randomly call people in your phone book, spam those in your e-mail list, etc.
    The SDK currently doesn't allow access to your list of contacts.
  11. squeff's Avatar
    Posts
    581 Posts
    Global Posts
    623 Global Posts
    #11  
    Quote Originally Posted by Kasracer View Post
    The SDK currently doesn't allow access to your list of contacts.
    People that are looking to do mischief or prove their powers don't let SDK limits stop them.

    Mark my words, someone will figure out how to grab e-mail addresses and phone numbers.
  12. #12  
    Quote Originally Posted by T3CK View Post
    Exactly. Because a hacker knows it is more difficult to take over a Linux OS.

    It's actually real easy to hack a linux box, most people don't fool with it though, since the majority of users are smart enough to not do things to get hacked. Windows is a rich environment of people who will click on links, or open attachments that they shouldn't.

    Linux is an Open OS, a good developer can easily find any holes (and there are lots of know holes in linux) and exploit them.
  13. T3CK's Avatar
    Posts
    414 Posts
    Global Posts
    423 Global Posts
       #13  
    Quote Originally Posted by Kasracer View Post
    The SDK currently doesn't allow access to your list of contacts.
    Who is stopping the hacker to build a script that sends a virus to all your contacts? The same script will use your phone email app to send to hacker the contact details, is the same time it sends the virus to your friends. It is really not difficult.
    Floren Munteanu
    why queued - My blog
  14. #14  
    Quote Originally Posted by T3CK View Post
    Exactly. Because a hacker knows it is more difficult to take over a Linux OS.
    However, for WebOS, all I have to do is download a script into /tmp directory and make it execute as a service when you reboot your Pre (very easy to do since the root user is open to everyone). That will import all needed files to gain complete invisible access and from there ... sky is the limit.

    I'm very comfortable with Linux, I build my own RPM's and do pretty much everything on this OS. That is the main reason also why I got the Pre. The only way you could protect your Pre is by adding a custom passord to root user. That will take care of the issue. However, that will disable future upgrades because root is protected...

    Why would you download and run a script that you don't know anything about? There is no way I know of from getting accross the web through the browser into your shell to execute commands.

    What are you saying here?
  15. T3CK's Avatar
    Posts
    414 Posts
    Global Posts
    423 Global Posts
       #15  
    Quote Originally Posted by DavidRR View Post
    It's actually real easy to hack a linux box, most people don't fool with it though, since the majority of users are smart enough to not do things to get hacked. Windows is a rich environment of people who will click on links, or open attachments that they shouldn't.

    Linux is an Open OS, a good developer can easily find any holes (and there are lots of know holes in linux) and exploit them.
    I totally agree. I'm sure you helped site owners who were getting hacked recently through /var/www/html/page dirs (chmoded at 0777, instead of being owned by a specific user). It is crazy sometimes how you can overlook simple details.
    Floren Munteanu
    why queued - My blog
  16. #16  
    Quote Originally Posted by T3CK View Post
    I totally agree. I'm sure you helped site owners who were getting hacked recently through /var/www/html/page dirs (chmoded at 0777, instead of being owned by a specific user). It is crazy sometimes how you can overlook simple details.

    777 is not a simple detail...
  17. T3CK's Avatar
    Posts
    414 Posts
    Global Posts
    423 Global Posts
       #17  
    Quote Originally Posted by emoney_33 View Post
    Why would you download and run a script that you don't know anything about? There is no way I know of from getting accross the web through the browser into your shell to execute commands.

    What are you saying here?
    You don't download any script. I go to your Pre, through your public IP and upload myself a script into your /tmp folder. Then, it will execute by itself at next boot. You have no idea I'm on your phone, during all this time.
    Floren Munteanu
    why queued - My blog
  18. ssrjazz's Avatar
    Posts
    786 Posts
    Global Posts
    790 Global Posts
    #18  
    Quote Originally Posted by DavidRR View Post
    It's actually real easy to hack a linux box, most people don't fool with it though, since the majority of users are smart enough to not do things to get hacked.

    Almost every 'hack' out there for linux involves gaining root access to a shell via some vulnerable service running on that box. So either you have to have local access to it, or find and exploit a vulnerability in apache, sshd, or some other program. If you're not exposing any services over EVDO or wifi, then you'll most likely be fine.


    Not to say it isn't still possible. There may be holes in the sdk or some other app you run that is exploitable by visiting a malicious web page, email attachment, picture or otherwise. Still far less likely to get a compromise on your Pre than a windows desktop machine.
  19. #19  
    Quote Originally Posted by T3CK View Post
    You don't download any script. I go to your Pre, through your public IP and upload myself a script into your /tmp folder. Then, I execute it or simply make it execute at boot. You have no idea I'm on your phone, during all this time.

    How do you "go to my Pre"?

    Am I on wifi, with ssh server setup? How do you know my password?
  20. squeff's Avatar
    Posts
    581 Posts
    Global Posts
    623 Global Posts
    #20  
    Quote Originally Posted by Kasracer View Post
    The SDK currently doesn't allow access to your list of contacts.
    Besides, even if it were totally impossible to get contact information, this is actually simple to work around.

    There are several "contacts" applications out there, including the excellent QuickContacts app. These apps, at the core, are about getting a user to select contacts and giving access to that contact data to the app.

    All an evil-doer needs to do is write their own "contacts" app. Or take an existing one, for that matter. Then, let the user load up their "quick contact" list with all the contacts the user wants. Meanwhile, the app is also collecting phone numbers and e-mail addresses that will be used, later, for various purposes.

    Social engineering is a lot more powerful than any SDK.
Page 1 of 5 12345 LastLast

Posting Permissions