[ale] Cory Doctorow, right again

Michael H. Warfield mhw at WittsEnd.com
Fri Mar 16 23:19:57 EDT 2012 

On Fri, 2012-03-16 at 17:48 -0400, James Sumners wrote:
> I said "yourself" for a reason. I am well aware of the benefits of
> many people reading the code. I'm not a member of this list because I
> hate Linux.

That much is obvious.  It shows.

> But whe the thread is started off with the statement that the platform
> is inherently bad because _you_ don't control it, that leads to the
> assertion that _you_ should be vetting all the code run on it. 

Let me turn it around on you then.  You have demonstrated no reason why
OpenSource would be a disadvantage, security wise, and many of us have
reasons why it would be an advantage.  If you had some advantages to the
closed source proprietary models, then we could compare them.  Bring
them on.  But I have yet to see any that stand in the light of day.

Even in my recent article in (In)Secure magazine (which I posted the URL
to in another article earlier), I mention that those of us who root our
phones have a demonstrable advantage, security wise, from those who
don't, just due to the availability of tools which are not available to
you.  But, I go on to write, that's NOT something to recommend to anyone
who is not technically competent.  If they can not take advantage of the
tools, then taking this step is no advantage.  But the closed model is
no better and Apple's arguments are specious simply because they are
predicated on a false assertion, that they did this for the user's
security.  Even if they had, they have already failed miserably as would
be expected.  Google could have done better and they are catching up,
now, by scanning apps in their market and the eco system of security
tools for analyzing software in the Android environment is expanding
rapidly with releases of more and more tools for static and dynamic
analysis which can not come close to being matched in iOS.  You're
totally dependent on that one source for your protection and they have
already demonstrated that their model is flawed.

> I read the Ars article this morning. And I shared it with other
> people. But the essence of that exploit is "don't trust a wireless
> network" and we should all know that one. And I know that the phone is
> never truly locked once it gets into the hands of someone who knows a
> couple things. But no device is once it is in an intruder's
> possession. 

Even if it isn't.  If it's on the net, you can still be had.  There have
already been two SMS exploits out here that only fortuitously did not
get exploited and turned into worms in those Apples.  :-)  You will not
always be so lucky.

> My argument is simple: the claim that one platform is better simply
> because you "control" and some people download bad software is silly.
> The platform "you control" has seen many more instances of malware,
> and completely bogus, stolen, applications that the one that you don't
> control. Does that make it an inherently bad platform? No. You have to
> use your good judgement just like with every other platform on which
> you can install software on your own. 

Again...  You have demonstrated no advantage to NOT having this control
and some of us have demonstrated where there is an advantage TOO having
this control.  So...  What have you got to offer?  What advantage is
there to giving up this control and being oblivious to what's under the
hood and trusting implicitly in the benevolence of the vendor?  For a
person who is not interested, too lazy, or able to look deeper, it's
probably a wash.  No advantage on either side.  But I see no
circumstance where there's an advantage on that side and we have
circumstances where there is a clear advantage on the OpenSource side.
Where is your balance?  Where is your advantage to outweigh the
advantage that many of us CAN take advantage of.  For those who can't,
who cares?  Enjoy your little walled garden and quit crying to us if we
have toys you can't have and can maintain our devices more securely.
Just don't try to tell us there is no difference for those of us who
can.

> On Friday, March 16, 2012, Michael H. Warfield <mhw at wittsend.com>
> wrote:
> > On Fri, 2012-03-16 at 14:02 -0400, James Sumners wrote:
> >> Which all boils down to exactly what I said. Either ignore
> installing
> >> third party software altogether, or do the best you can with the
> time
> >> you have. The argument that open source is safer because you,
> >> yourself, can look at the code before installing it is ludicrous.
> If
> >> you have the time to do that for _every_ piece of software you
> >> install, then you must not be doing anything else.
> >
> > As one of the resident security experts handing around this watering
> > whole, I would have a lot of bones to pick with you on the above...
>  I
> > could not possibly disagree with you more.  I do find OpenSource
> > software to be much more robust and secure largely because it
> subject to
> > a higher level of scrutiny and the forces of an active evolution
> drive
> > it.  If it's not fit for survival, it sinks.  Unlike locked in
> software
> > where you have no choice and are stuck with the crap your given.
>  Your
> > best defense is in numbers.  Apps with high numbers of downloads and
> > high approval ratings are a positive sign.  Don't read just the
> positive
> > reviews.  Read the negative reviews!  Read what people don't like.
>  Read
> > the complaints.  Be informed.  Also be aware that most of what you
> are
> > running on Android is just as proprietary and just as closed source
> as
> > that on iOS and the iPhone.
> >
> > I've seen and analyzed buggy proprietary software and I've submitted
> > fixes to things I've found in OpenSource software.  I've been a
> project
> > lead on several closed source projects, a VP of engineering in
> charge of
> > multiplatform products, and worked on things from DSP microcode all
> the
> > way to 4th generation languages.  And it's not so much that YOU must
> > examine each piece of code yourself.  That a myth promulgated by the
> > anti-OpenSource types.  The point is that, with OpenSource, there's
> a
> > very high chance that someone will so someone trying to pull a fast
> one
> > deliberately has fewer ways to hide his trickery and it's much
> higher
> > risk to them of getting caught and getting caught quicker.  How many
> > proprietary packages have "Easter eggs"?  You can't tell but it's a
> lot.
> > You think those "unadvertised features" were approved?  You think a
> > manager approved the xyzzy cheat to MS Minesweeper or those other
> Easter
> > eggs?  You think they're all benign?
> >
> > Bugs are bugs and closed source is zero protection from outsiders
> > discovering bugs but it's a major impediment to getting them fixed
> (and
> > confirmed fixed) and not just covered up or worked around.  Look at
> the
> > credits in the Microsoft releases.  Those are not Microsoft
> employees
> > and those are not people with access to the Microsoft source code
> but
> > there you have it.  They found the bugs that MS hadn't.  They're the
> > good guys and they're reporting it to MS.  Where are the bad guys
> and
> > what are they doing with it?
> >
> > Apple is not better, actually maybe (probably) much worse.
>  Microsoft
> > has gotten much better and much more transparent.  Apples more
> recent
> > patch drops for OS X and iOS were HUGE (I did the write-ups).  iOS
> 5.1
> > had over 80 CVE identified issues fixed in this month's drop.  Oh,
> to
> > "protect their customers" they're not going to hand out details.
>  Liers.
> > The bad guys are really really good and binary diffs and deltas and
> > tearing apart patches to see what makes them tick.  They're not
> keeping
> > anything from the bad guys.  They're only covering up what they
> screwed
> > up and not letting you know how bad it really is.
> >
> > I look at what Apple does with the iPhone and I have to ask myself
> that
> > if that were a computer, why would anyone tolerate that sort of
> abusive
> > control from their vendor?  Ooopppsss!  My bad!  It is a computer!
>  A
> > very powerful computer.  It's more powerful than some laptops not
> too
> > long ago.  Yet people give up control over their property to a
> > corporation whose sole interest is in protecting and expanding its
> > revenue stream.  Would they even dream of that with the MacBook or
> their
> > Dell laptop?
> >
> > So far, we've seen plenty of examples of "Proof of Concept" code
> > published flauntingly to the Apple store.  Apple takes them down as
> soon
> > as they find out about them but they find out about them from the
> news
> > when the researchers embarrass them by announcing it!  So much for
> them
> > scanning and protecting you.  Oh, if it's an app they want to
> market,
> > they'll pull it from the app store quick enough (happened a couple
> of
> > times - developers have no appeal).  Oh, and that GPL code, yeah you
> can
> > forget about that (too bad vlc).  They don't approve of GPL.
>  There's
> > plenty of bugs to go around in those apps and iOS.  Jailbreaking iOS
> is
> > just about a joke.  If the good guys can do it, what makes you think
> the
> > bad guys aren't?
> >
> > I see this kinds of stuff all the time:
> >
> >
> http://arstechnica.com/apple/news/2012/03/loose-lipped-iphones-top-the-list-of-smartphones-exploited-by-hacker.ars
> >
> > Still fell safer on that closed platform?
> >
> > Gotta love that CarrierIQ debacle.  You think that would have ever
> come
> > to light in a pure Apple walled garden?  In the light of day, the
> > backlash from that (deserved or not) hit the carriers and vendors
> like
> > an epic level storm.  Even if it was benign (and I'll withhold
> judgment
> > there) how dare the carriers and vendors stoop to those tactics and
> what
> > makes anyone think that Apple would not do something similar (there
> were
> > traces of CarrierIQ there but no firm evidence that it was active in
> > iOS).  CarrierIQ may be back, but, if they are, they all better do
> it
> > above board and correctly next time.
> >
> > Before Android, the number 1 exploited platform for malware was
> Symbian
> > and that's even more closed source than Apple!  This is nothing new.
> > Blackberrie's another one.  It's not immune.  As rapidly as Android
> rose
> > to dominance, we've been expecting it to be the number one platform
> to
> > come under attack.  Goes with the territory.  It's the old bank
> robber's
> > story.  "Why do you rob banks?"  "Well, it's because that's where
> the
> > money is."
> >
> > OTOH, we've got security tools available on Android that are simply
> flat
> > out not available on iOS.  They require a level of access you can't
> get
> > unless you jailbreak it (requires root on Android).  I've got
> OpenVPN
> > and advanced IPsec on Android and I can deploy LUKS filesystem
> > encryption if I want.  Yeah, the iOS encryption ain't so hot.
>  Someone
> > has a device that can suck the keys out of memory through the usb
> > port.  :-P  I haven't played with it yet but I noticed that CGROUPS
> (LXC
> > container virtualization) are enabled on Android.  Why noone has
> used
> > that for setting up virtual profiles yet, I don't know.  Could be
> > interesting...  I've got much more powerful tools for creating REAL
> FULL
> > backups of my device and encrypt those backups.
> >
> > Neither proprietary or OpenSource has an intrinsic claim to being
> > "secure" and vendors do not have your security at heart if it
> conflicts
> > with their ability to make money off you or your (lack of) privacy
> at
> > their hands.  Google is just as bad there.  Problem is that Android
> is
> > largely OpenSource, but not totally OpenSource and these malicious
> apps?
> > You think they're OpenSource?  Most of the apps on the markets are
> just
> > as closed as any other market.  That's why we have static, dynamic,
> and
> > virtualized analyzers to pull some of them apart.  The criminals are
> > hiding in the closed bits.  Apple is no better in that department at
> > all.
> >
> > Regards,
> > Mike
> >
> >> On Fri, Mar 16, 2012 at 13:42, mike at trausch.us <mike at trausch.us>
> wrote:
> >> > On 03/16/2012 01:29 PM, James Sumners wrote:
> >> >> It has applications that are shipped with it. And you can use
> webapps
> >> >> all day long. You don't _have_ to use the AppStore. But if you
> do use
> >> >> it, then you still have to decide if you trust the developer. If
> you
> >> >> install something that seems scummy in the description (poorly
> >> >> translated descriptions, bad reviews, etc.) then that's on you.
> It
> >> >> isn't the fault of anyone, or anything, else.
> >> >
> >> > And what if you install a highly-rated, seemingly legitimate app
> that
> >> > does things that you aren't aware of because you have no way to
> possibly
> >> > be aware of them?
> >> >
> >> > There are security concerns with any application software on any
> >> > platform or device that are a mile long and simply cannot be
> addressed
> >> > by the average user.  These problems will likely never go away,
> unless
> >> > the entire world moves to a model where the source code for all
> software
> >> > becomes generally available.  And even then, you have the
> problems that
> >> > were discussed in “Reflections on Trusting Trust” (a very
> worthwhile
> >> > read if you haven't), making it almost completely impossible to
> sanely
> >> > be able to settle on any level of trust in software.  One would
> have to
> >> > take a copy of a (as Thompson calls it) "bugged" binary and
> examine it
> >> > on a system that is known to not be bugged.
> >> >
> >> > I don't know about you, but I don't have the means to create a
> >> > completely isolated environment in which to be able to assert
> such
> >> > levels of trust.  At least not yet; it would be possible to do
> but it
> >> > would not be really doable without a great deal of time, effort
> and money.
> >> >
> >> > And even then, who would be insane enough to trust anyone else to
> create
> >> > such a thing for them?  :-)
> >> >
> >> >        --- Mike
> >> >
> >> > --
> >> > A man who reasons deliberately, manages it better after studying
> Logic
> >> > than he could before, if he is sincere about it and has common
> sense.
> >> >                                   --- Carveth Read, “Logic”
> >> >
> >> >
> >> > _______________________________________________
> >> > Ale mailing list
> >> > Ale at ale.org
> >> > http://mail.ale.org/mailman/listinfo/ale
> >> > See JOBS, ANNOUNCE and SCHOOLS lists at
> >> > http://mail.ale.org/mailman/listinfo
> >> >
> >>
> >>
> >>
> >> --
> >> James Sumners
> >> http://james.roomfullofmirrors.com/
> >>
> >> "All governments suffer a recurring problem: Power attracts
> >> pathological personalities. It is not that power corrupts but that
> it
> >> is magnetic to the corruptible. Such people have a tendency to
> become
> >> drunk on violence, a condition to which they are quickly addicted."
> >>
> >> Missionaria Protectiva, Text QIV (decto)
> >> CH:D 59
> >>
> >> _______________________________________________
> >> Ale mailing list
> >> Ale at ale.org
> >> http://mail.ale.org/mailman/listinfo/ale
> >> See JOBS, ANNOUNCE and SCHOOLS lists at
> >> http://mail.ale.org/mailman/listinfo
> >
> >
> > --
> > Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
> >   /\/\|=mhw=|\/\/          | (678) 463-0932 |
>  http://www.wittsend.com/mhw/
> >   NIC whois: MHW9          | An optimist believes we live in the
> best of all
> >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure
> of it!
> >
> 
> -- 
> James Sumners
> http://james.roomfullofmirrors.com/
> 
> "All governments suffer a recurring problem: Power attracts
> pathological personalities. It is not that power corrupts but that it
> is magnetic to the corruptible. Such people have a tendency to become
> drunk on violence, a condition to which they are quickly addicted."
> 
> Missionaria Protectiva, Text QIV (decto)
> CH:D 59
> 
> -- 
> This message has been scanned for viruses and 
> dangerous content by MailScanner, and is 
> believed to be clean.

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20120316/27680d2e/attachment-0001.bin

More information about the Ale mailing list