Linked by David Adams on Fri 12th Sep 2008 16:39 UTC, submitted by Dannys
Privacy, Security, Encryption

The opening up of the mobile industry is great news for application developers but not so good for IT security professionals, according to experts. For example, Symbian, the single most widely used mobile software platform, has already wrestled with the dangers of openness to third-party developers, said Khoi Nguyen, group product manager in mobile security at Symantec. Symbian 7 and 8 were fairly open and allowed almost any application to be installed and run. This led to a few hundred viruses being introduced within a couple of years, so Symbian 9 was locked down significantly, he said.
Thread beginning with comment 330195
google_ninja Member since:
2006-02-05

But what techniques you are using to implement them are. If you know exactly how security is implemented, that knowledge is better to have than not to have when attacking it. If that is all that is protecting you, it isn't enough. But a well implemented security scheme that nobody knows of is more secure than a well implemented security scheme that everyone has the source code to.

Score: 2

rajj Member since:
2005-07-06

Only marginally so, and once the cat's out of the bag, that margin shrinks to zero. If you were hiding a bunch of bugs, that's probably going to be a negative margin.

Score: 4

rajj Member since:
2005-07-06

I think I let you slip one past me there.

No; the only way knowing the details of implementation for storing my passwords would be relying on obscurity is if I were using a _broken_ crypto scheme which is, again, by definition.

Score: 2

jabbotts Member since:
2007-09-06

Knowing how the mechanism works does not make it less secure. It only means that peer review can figure out how to make it better.

SSL: open source, yet it still works pretty damn well. Why has that not been invalidated (other than Debian's meddling, where crypto experts should have been consulted)?

Safe locks; known yet still secure

Key locks; known, still secure

PAM; source is out there, security isn't compromised by that

Cryptography research: a purely open science valuing peer review. This is not by accident but by the understanding that it results in better crypto.

You should be able to publish the blueprints of your security mechanism and still not allow anyone to walk through it without having a valid authentication key. Keeping that key safe is not obscurity either. It's not that I have an SSL certificate hidden some place that makes it secure, it's that breaking the encryption it provides will take you so long that the information is no longer relevant by the time you get it. Keeping your keys in your pocket is not obfuscation, it's keeping your personal authentication with you and safe so you can use it in the security mechanism on your front door when you get home that night.

Score: 4
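The point jabbotts makes above about publishing the blueprints and still keeping people out without the key, and rajj's earlier remark that a known password-storage scheme only relies on obscurity if the crypto is broken, are both Kerckhoffs's principle. The following is an added example, not code from this thread or from any project named in it, written to show that distinction in running code: a constructed toy transformation whose only secret is the algorithm (read the source and every message is recoverable) beside two published constructions from the Python standard library, HMAC-SHA256 and salted PBKDF2, where an attacker holding the complete source still gets nowhere without the key or the password. The obscure_encode/obscure_decode pair, the sample messages and the sample password are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# 1. Obscurity as the only protection (constructed toy, not a real cipher).
#    There is no key: the transformation itself is the secret, so the day
#    the source leaks, every message ever "protected" with it is readable.
def obscure_encode(plaintext: bytes) -> bytes:
    return bytes(((b + 7) ^ 0x5A) & 0xFF for b in plaintext)

def obscure_decode(ciphertext: bytes) -> bytes:
    # Exactly what an attacker writes after reading obscure_encode: no key needed.
    return bytes(((c ^ 0x5A) - 7) & 0xFF for c in ciphertext)

# 2. Published design, secret key: HMAC-SHA256 over the message.
#    The algorithm is in the standard library for anyone to read.
def make_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time compare so the check does not leak how many tag bytes
    # matched, a side channel that would otherwise help a forger.
    return hmac.compare_digest(make_tag(key, message), tag)

# 3. Password storage with a public scheme: salted PBKDF2-HMAC-SHA256.
def hash_password(password: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Everything needed to verify is stored in the clear except the password.
    return {"salt": salt, "iterations": iterations, "digest": digest}

def check_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])

def demo() -> dict:
    """Play the attacker who has read all of the source but holds no key."""
    results = {}

    # Obscurity-only scheme: the leaked algorithm is the whole break.
    note = b"the safe combination is 12-34-56"  # constructed sample
    results["obscurity_recovered"] = obscure_decode(obscure_encode(note)) == note

    # Keyed MAC: the attacker knows HMAC-SHA256 fully, guesses a key, and fails.
    key = secrets.token_bytes(32)
    msg = b"transfer 100 to account 42"  # constructed sample
    tag = make_tag(key, msg)
    results["genuine_tag_accepted"] = verify_tag(key, msg, tag)
    results["forged_tag_accepted"] = verify_tag(key, msg, make_tag(b"\x00" * 32, msg))
    results["tampered_msg_accepted"] = verify_tag(key, b"transfer 100 to account 43", tag)

    # Password hash: the attacker sees salt, iteration count, digest and the
    # exact KDF, yet must still guess the password itself.
    record = hash_password("correct horse battery staple")  # constructed sample
    results["right_password_accepted"] = check_password("correct horse battery staple", record)
    results["wrong_password_accepted"] = check_password("password123", record)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```

Running it shows the asymmetry the thread is arguing about: the toy scheme is fully recovered from its source alone, while the HMAC and PBKDF2 checks reject the guessed key, the altered message and the wrong password even though the attacker holds every line of the code. The "key in your pocket" in jabbotts's analogy is `key` and the password; nothing else in the block is secret.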

google_ninja Member since:
2006-02-05

I am not saying that. If you are implementing a security system, it is better if potential attackers do not know what you are using than if they do. What is more important than that is that the system is inherently secure, but all things being equal, it is better if they do not know how it works than if they know.

Also, just because something is published, does not mean the peer review is really worth anything. I would go out on a limb and say I would be willing to put down money that at least 90% of open source code is not peer reviewed by anyone with any level of competence. There are some shining exceptions to this (like openbsd for example), but most of the source code I have read off the net has been fairly average in quality, compared to what I have seen from inside companies throughout my career, and I have worked at several places that did not implement automated testing or peer reviews. Anyone who publishes security code that is not reviewed is only making it easier for the bad guys to identify attack vectors.

Score: 3