  1. #21  
    If you notice purely Malicious Viruses are pretty uncommon lately, they always have something they want to accomplish. Most will either attempt to have you buy something (namely virus protection software with the Internet Security 2010(2009) circulating), or will turn your computer into a spamming machine.

    Additionally most are pointed toward the mass population, being able to hit as many people as possible. That is why viruses are rare on Apple products, it's not that they're secure in any way (less so since they haven't built an immunity), it's just that a lower population use them. Mobile phones are even more rare.

    You really have nothing to worry about, the way Palm has developed their system it's pretty secure, there are also much less people using it meaning a virus will be very rare, and the most important thing, it'd take you 20 minutes to completely wipe the virus clean, that'd mean that for all the work a malicious person would have they could easily be thwarted by the most simplistic user, not something they really want to waste time on.
  2. spotter #22  
    Quote Originally Posted by alex.dobeck View Post
    You really have nothing to worry about, the way Palm has developed their system it's pretty secure
    this is fundamentally untrue.

    the Pre has no built in security isolating applications (there's a reason it was so easy to get homebrew working on it)

    there are also much less people using it meaning a virus will be very rare
    this is true. it's a smaller platform so less benefit for a malicious attacker to target it.

    and the most important thing, it'd take you 20 minutes to completely wipe the virus clean
    this is also untrue

    now why is it untrue? Because with a device like the Pre, it doesn't matter if one can completely wipe it quickly, if the attacker has/had access to all your important data. i.e. passwords stored for accounts accessed by the device. emails sent to you with billing information, passwords or other items. Being easy to fix is one thing, but it doesn't matter if the attacker could access your data.

    Now, I strongly believe this is fixable (at least to isolate native apps) in that each app could be run within its own container that is made independent from every other native app on the system, and as long as there are no kernel exploits (rare, but they do occur), should protect from rogue native apps. However palm doesn't do this (though they should know about this idea of mine, sent them two papers I wrote on the subject when I was talking with them about how I figured out how to fake out package signature checks, back in the email link to install days of homebrew)
  3. #23  
    Quote Originally Posted by spotter View Post
    this is fundamentally untrue.

    the Pre has no built in security isolating applications (there's a reason it was so easy to get homebrew working on it)



    this is true. it's a smaller platform so less benefit for a malicious attacker to target it.



    this is also untrue

    now why is it untrue? Because with a device like the Pre, it doesn't matter if one can completely wipe it quickly, if the attacker has/had access to all your important data. i.e. passwords stored for accounts accessed by the device. emails sent to you with billing information, passwords or other items. Being easy to fix is one thing, but it doesn't matter if the attacker could access your data.

    Now, I strongly believe this is fixable (at least to isolate native apps) in that each app could be run within its own container that is made independent from every other native app on the system, and as long as there are no kernel exploits (rare, but they do occur), should protect from rogue native apps. However palm doesn't do this (though they should know about this idea of mine, sent them two papers I wrote on the subject when I was talking with them about how I figured out how to fake out package signature checks, back in the email link to install days of homebrew)
    not true. At least I understood Dev mode functions similar to a firewall (not an actual firewall, but as a defense from someone sending an email and installing an application with no notice) as well as blocking installs outside of Palm's universe.... Try and get anything on the Pre that is not available in the app catalog or scanned by Palm with dev mode off. You're not gonna be able to. Not without holding the device in your hand or it being on your network.. come to think of it, you can't ssh into a Pre with dev mode off and not rooted.... at least idk how it could be done.... so yeah rock with it off, don't ssh and you will be safer than with it on... but the chances are very slim of any type of intrusion with less than, idk 5 million maybe, webOS devices out there.... You would have to be a really bored programmer to go after webOS users....
    Last edited by mrloserpunk; 01/13/2010 at 03:57 PM.
    "When there is no more room in hell, the dead will walk the earth"


    PM me your questions, If I cant find an answer, I'll show you who can.
  4. spotter #24  
    but that's not the attack I'm worried about, that attack should never succeed, and would only succeed due to horribly buggy applications.

    What I'm worried about is a user choosing to install an application and the application having a malicious side to it. This is generally how machines get infected today. i.e. "you need to install this codec to view this funny video"
  5. #25  
    Quote Originally Posted by spotter View Post
    but that's not the attack I'm worried about, that attack should never succeed, and would only succeed due to horribly buggy applications.

    What I'm worried about is a user choosing to install an application and the application having a malicious side to it. This is generally how machines get infected today. i.e. "you need to install this codec to view this funny video"
    it could happen if............but keep in mind.... Pigs could also fly if.................. they had wings
  6. spotter #26  
    and that was the attack that the original questioner asked. could these apps have malicious code and the answer is yes.
  7.    #27  
    Quote Originally Posted by spotter View Post
    and that was the attack that the original questioner asked. could these apps have malicious code and the answer is yes.
    Yep, this is what i'm talking about.
  8. #28  
    Quote Originally Posted by Doc31 View Post
    These apps, like the apps in the app store, are still hosted by Palm. They just aren't reviewed and "approved"; if anyone reports something like a worm Palm will remove the link.
    They go through a security review before the link is published.

    -- Rod
    WebOS Internals and Preware Founder and Developer
    You may wish to donate by Paypal to donations @ webos-internals.org if you find our work useful.
    All donations go back into development.
    www.webos-internals.org twitter.com/webosinternals facebook.com/webosinternals
  9.    #29  
    Quote Originally Posted by rwhitby View Post
    They go through a security review before the link is published.

    -- Rod
    Ok. But wasn't it said that apps of this type would be available to users within just a couple of hours of being submitted?
    If so, then when they start pouring in by the dozens and hundreds, how much scrutiny are they actually going to be put through?
    How would there be enough manpower or time to assure that these will be safe for the end-user?
  10. #30  
    Also can't the file be changed AFTER the link is posted? Not trying to be argumentative, just trying to know what exactly I'm getting into with these apps.
  11. #31  
    Quote Originally Posted by dbd View Post
    Ok. But wasn't it said that apps of this type would be available to users within just a couple of hours of being submitted?
    If so, then when they start pouring in by the dozens and hundreds, how much scrutiny are they actually going to be put through?
    How would there be enough manpower or time to assure that these will be safe for the end-user?
    My understanding is that it's an automated process.

    -- Rod
  12. #32  
    Quote Originally Posted by speak easy View Post
    Also can't the file be changed AFTER the link is posted? Not trying to be argumentative, just trying to know what exactly I'm getting into with these apps.
    The actual file is stored on Palm's servers, and any updates go through the same automated submission review process.

    -- Rod
  13. #33  
    Quote Originally Posted by rwhitby View Post
    My understanding is that it's an automated process.

    -- Rod
    very similar to Android's app approval process, is my understanding. If I have read right the app can't be changed without Palm... they own the url.
  14.    #34  
    Well,
    I got some confidence inspiring answers-- and i also got some possibly disturbing answers.
    I guess i'll just see how it goes.
    Thanx, ppl.
  15. tejoe #36  
    My advice is stick to in-browser for online banking and such. As everybody has said before, hacking and *malicious* coding has become a business. I heard a story about a kid in Germany (I think) that ransomwared iPhones five dollars a pop. Which I was thinking about doing a proof-of-concept on that since the only real malicious code would be to open the dev mode port. Once it's open you don't have a password to contend with so you can do some bulk damage that way. All in all though the Pre is relatively safe from hackers. The only worry I see is when Palm regains market and mindshare; till then the Pre is a mini fortress. Oh yeah even the unofficial app channel has Palm's name on it so I think they kept a close eye on it. The only way to be completely secure in the question you asked is to know the Palm security process but if they let you know then by proxy they let hackers know.
    Last edited by tejoe; 01/15/2010 at 11:34 PM. Reason: spelling
  16. #37  
    Wow. We have a bunch of discussion going around here about different attack vectors. Let's categorize.
    Attacking the system would be very hard, and very unlikely. Linux in general is about as good as they come in regards to remote exploits. If you need something more secure, then don't go on the Internet.
    The rest of the discussion is more of a user attack vector.

    Quote Originally Posted by spotter View Post
    What I'm worried about is a user choosing to install an application and the application having a malicious side to it. This is generally how machines get infected today. i.e. "you need to install this codec to view this funny video"
    And that's a PEBKAC problem. No matter how secure your system is, a better ***** will come along who just wants to see the naked celebrity. No matter how many warnings or barriers you throw up, they'll click through them without looking. This is a problem that exists on all platforms, everywhere.
    Quote Originally Posted by Brain_ReCall
    I'm an Embedded Software Engineer. My idea of a Good User Interface is printf().
  17.    #38  
    Quote Originally Posted by Brain_ReCall View Post
    ....... that's a PEBKAC problem. No matter how secure your system is, a better ***** will come along who just wants to see the naked celebrity. No matter how many warnings or barriers you throw up, they'll click through them without looking......
    I'm not talking about clicking here, there and there to see this or to win that.
    Anybody with half a brain knows not to do that.
    I'm talking about installing a "web-linked and/or based" application (I.E.- from AppScoop) that could be for something as benign as a math calculator, that would be running in the background like roaches, to seek out the personal info you have on your phone (passwords, acct #'s, keystrokes, etc. etc.) and even what you have stored (through Synergy) in that cloud.
    Stuff that would be going on while you think you're just using a plain old calculator or language translator or anything else that seems so innocent.
  18.    #39  
    Anybody else think this is possible (maybe a better word is likely) for us?

    http://www.phonearena.com/htmls/Malicious-banking-app-found-in-the-Android-Marketplace-article-a_8744.html
    Last edited by dbdoinit; 01/16/2010 at 12:49 PM.
  19. #40  
    Quote Originally Posted by dbd View Post
    I'm not talking about clicking here, there and there to see this or to win that.
    Anybody with half a brain knows not to do that.
    I'm talking about installing a "web-linked and/or based" application (I.E.- from AppScoop) that could be for something as benign as a math calculator, that would be running in the background like roaches, to seek out the personal info you have on your phone (passwords, acct #'s, keystrokes, etc. etc.) and even what you have stored (through Synergy) in that cloud.
    Stuff that would be going on while you think you're just using a plain old calculator or language translator or anything else that seems so innocent.
    Ok, people were running off in tangents getting away from the core issue.

    What you describe is more like phishing. I highly suggest you read that Wikipedia article. Lots of people have been trying to figure out good detection and prevention, but essentially it becomes a PEBKAC issue (because they would be going to untrusted third-parties to install some weird app). No platform is immune, and all platforms are likely to deal with it (Apple and Android both had issues with it recently).

    I suspect Palm is taking this issue very seriously, especially since Synergy condenses down lots of personal information into a small attack surface (probably why we don't have APIs yet for accessing contacts and such outside each app). Pretty much the solution comes down to trust. The requester of the information has to be trusted, otherwise you're gambling. I'd imagine whenever Palm implements some more powerful API, they'll be dragging those apps using through the coals to ensure they are legit.
    If the web-linked apps can not run in the Palm namespace (which is what I believe the case is), then they would have none of the available APIs to do any of the tasks you pointed out.