For example, Symbian, the single most widely used mobile software platform, has already wrestled with the dangers of openness to third-party developers, said Khoi Nguyen, group product manager in mobile security at Symantec.
For example, Microsoft Windows over the years has been closed source, ergo the reason for Mr Khoi Nguyen's employment at said company.
Another example is OpenBSD. It is a VERY open-source OS and is more than robust enough to be used as an enterprise-grade firewall.
Third-party developers haven't got shit to do with the openness of the source code; learn to read. An open platform for third-party applications isn't the same as an open-source platform.
And part of the actual issue with Windows' insecurity is that it trusts any application, so you are wrong on both points. Try again.
They aren't talking about security through obscurity. They're talking about how much the phone trusts applications. From the sounds of it Symbian is "Insanely too much" and MIDP is "So little you can hardly do anything". The article even says old versions of symbian allowed silent sending of text messages and use of the phone's mic! What idiot allowed that? In contrast MIDP will ask your permission for each file access and there is no way to disable this behaviour.
Clearly there is a sensible middle ground that no one is taking. Apps shouldn't require expensive signing, and APIs should be smart about what they allow. For example, for sending texts there should be the options:
* Always deny
* Always allow
* Ask permission
* Ask permission for numbers not in my address book
I seriously doubt many (any?) of those viruses were really viruses. They were probably of the 'Please press OK to send this to everyone in your address book' type.
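The four options listed in the post above, worked through as an added example (this is not code from the thread, nor from Symbian or MIDP): a small capability broker that sits between an application and the phone's send-SMS API, holds one policy for that capability, and only consults the user when the policy says so. The contact list, the phone numbers, the app name and the prompt callback are all constructed for the example.

```python
"""Capability broker for a phone's send-SMS API.

Added example, not code from the original thread. The SmsPolicy names,
the SmsBroker/prompt interface, the contact list and the app name are
assumptions made for illustration.
"""
from enum import Enum
from typing import Callable, Iterable, List, Tuple


class SmsPolicy(Enum):
    """The four options from the post: one policy per capability."""
    ALWAYS_DENY = "always_deny"
    ALWAYS_ALLOW = "always_allow"
    ASK = "ask"
    ASK_IF_NOT_CONTACT = "ask_if_not_contact"


def normalise(number: str) -> str:
    """Drop spaces and dashes so '+44 7700 900123' and '+447700900123' compare equal."""
    return "".join(ch for ch in number if ch.isdigit() or ch == "+")


class SmsBroker:
    def __init__(self, policy: SmsPolicy, contacts: Iterable[str],
                 prompt: Callable[[str, str], bool]) -> None:
        self.policy = policy
        self.contacts = {normalise(c) for c in contacts}
        self.prompt = prompt          # asks the user; returns True if they press OK
        self.log: List[Tuple[str, str, bool]] = []   # (app, number, allowed)

    def request_send(self, app: str, number: str) -> bool:
        """Mediate one send request from `app`; the app never reaches the API directly."""
        n = normalise(number)
        if self.policy is SmsPolicy.ALWAYS_DENY:
            allowed = False
        elif self.policy is SmsPolicy.ALWAYS_ALLOW:
            allowed = True
        elif self.policy is SmsPolicy.ASK:
            allowed = self.prompt(app, number)
        else:  # ASK_IF_NOT_CONTACT: silent for address-book numbers, prompt otherwise
            allowed = True if n in self.contacts else self.prompt(app, number)
        self.log.append((app, n, allowed))
        return allowed


# Constructed sample data: two address-book entries and one unknown number.
CONTACTS = ["+44 7700 900123", "+44 7700 900456"]
NUMBERS = CONTACTS + ["+44 7700 900999"]


def simulate(policy: SmsPolicy, contacts: Iterable[str], numbers: Iterable[str],
             user_presses_ok: bool) -> Tuple[int, int]:
    """Let one app try to text every number in `numbers`.

    Returns (messages sent, prompts shown to the user). `user_presses_ok` is the
    answer the simulated user gives to every prompt.
    """
    prompts: List[str] = []

    def prompt(app: str, number: str) -> bool:
        prompts.append(number)
        return user_presses_ok

    broker = SmsBroker(policy, contacts, prompt)
    sent = sum(broker.request_send("game.jar", num) for num in numbers)
    return sent, len(prompts)


if __name__ == "__main__":
    for policy in SmsPolicy:
        for answer in (False, True):
            sent, asked = simulate(policy, CONTACTS, NUMBERS, answer)
            print(f"{policy.value:20} user_ok={answer!s:5} sent={sent} prompts={asked}")
```

Running it shows the trade-off in numbers: ALWAYS_DENY and ALWAYS_ALLOW never prompt (0 and 3 messages), ASK prompts three times, and ASK_IF_NOT_CONTACT prompts exactly once, for the number that is not in the address book, while the two contacts are texted silently. That last line is the caveat worth noticing: under the fourth option, an app that only wants to reach everyone already in the address book is never asked at all.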
Actually "security through obscurity is a myth" is a myth. Good security is layered. Obscurity can legitimately be one of those layers. (What are passwords if not security through obscurity?) Security *solely* through obscurity has been shown to be inadequate. But the old adage which you quote goes further, and is wrong.
Edited 2008-09-12 17:49 UTC
Good security is indeed a layered approach but putting obscurity anywhere in the official strategy only reduces your overall security posture. If you want to tack on obscurity after the security strategy is confirmed then by all means, enjoy the blue icing on top but, here's the thing as I see it.
Obscurity is only of use to the attacker and has no place in the official defense policy; it's too short-lived. When you are the outsider, you want to remain hidden and sneaky, and until you're found with your eyes covered, crouched behind a tree saying "you can't see me".. it's all good. The gig is up once you're detected, so obscurity is the attacker's entire world.
On the other hand, you still have to defend when your obscurity is blown. Anyone coming into your network or device is going to be looking for what you have hidden:
"oh look, they have a clear IDS/IPS on the wire.. good for them.. we'll just step around that and continue on".. now your obscure detection device is useless.
"Say, that's an interesting obscure OS they are using but I really want to get in so I'll have to learn it".. and, your nifty mainframe or obscure software platform is useless.
"Say, this software is only available as a binary.. where's my binary auditing tools".. and your security through keeping source code obscure is useless. The police search your house and you have bad stuff hidden; they'll find it and you're screwed.
Your child figures out how to open door handles; time for child proofing locks for real security.
If you're including obscurity in your security planning with the idea that it is increasing your potential security posture in any way, you're already begging for failure. Obscurity on the part of the defender in a computer network is nothing more than "security theater"; it's feeling safe instead of actually being safe.
It may not be fully applicable to this article being that the point is platforms trusting any third party program thrown at it without having a strong approach to security from the ground up. In general though, it's just bad planning to think that hiding stuff makes you safer.
Edited 2008-09-12 20:04 UTC
Except he doesn't seem to talk about the source code but rather the application platform. And validated, traceable, trusted applications will always be more secure than unknown ones.
But then he may use that as an argument against another platform which uses open source, and eventually is open for any developers as well, and then he just uses the argument wrong and makes no sense at all. But that's another thing.
Security through obscurity is a myth. Any system with a bad security model, open or closed, is just asking for trouble. Don't go blaming it on being Open.