Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Worms Security Handhelds Wireless Networking Hardware

Mabir.A Virus Targets Symbian Phones 199

adennis writes "Exploiting bluetooth and weaknesses in the OS, the Mabir.A virus, like its predecessor, targets the version of the Symbian operating system running on Nokia Series 60 handsets. Since Symbian is the dominant smartphone OS, found on phones made by Motorola, Siemens, Sony Ericsson Panasonic and Nokia, this virus could have great impact. Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?"
This discussion has been archived. No new comments can be posted.

Mabir.A Virus Targets Symbian Phones

Comments Filter:
  • Same thing? (Score:5, Insightful)

    by soniCron88 ( 870042 ) on Wednesday April 06, 2005 @06:12AM (#12152441) Homepage
    Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?

    Wouldn't an automatic update system serve to make the software more secure?
    • It depends. If the malware authors get their hands on the patches before the vast majority of users do, and manage to figure out what was patched, you would theoretically see an upsurge in the number of exploits, assuming that the vulnerability which was patched was exploitable.

      With the slow move towards 3G services, it is a given that exploits will rise, and malware will spread faster.

      I, for one, will stick with 2.xG services and phones, because all I really want is a phone.
    • Re:Same thing? (Score:3, Interesting)

      by badfish99 ( 826052 )
      No. It means that the software company doesn't have to put so much effort into security, because they can go back and fix problems afterwards with an update.
      So they get into a cycle of virus .. patch .. new virus .. new patch ... and many people have viruses all the time. Look at Windows for an example of this.
      Of course you need an update system, because you can't guarantee to find every possible security hole before you issue your code, but it's no substitute for good quality code.
    • by amling ( 732942 )
      Patching mistakes after your customers have suffered for them is a little different than doing it right the first time around.
    • Will the mobile phone companies charge for these updates like they charge for everything else?
    • Re:Same thing? (Score:5, Insightful)

      by ManikSurtani ( 764890 ) <manik.surtani@org> on Wednesday April 06, 2005 @06:58AM (#12152609) Homepage
      Yep, pretty much, except that I believe the author meant that s/ware should be written with security in mind from the outset.

      On a different note, what I'd loathe to see (but may be inevitable) are goddamn antivirus programs for phones. Imagine those things updating their virus dbs, etc. every time you switch on your phone...
      • Ah, but the phone operators would probably be too happy to charge you in some fashion to download the antivirus updates. Too tempting to resist :)

    • The implication is that, if you go to a lot of time and effort, you strip naked at midnight and dance in the moonlight while chanting the secret name of the creator, that you'll somehow manage to make an OS that's "secure" and you'll never need to patch it again.

      Many people seam to believe in this "secure" OS that never fails under any cirumstances, even if you hit the spinning hard drives with a hammer and unplug the power cord. They know it's out there so they proclaim anything that needs patching as "u
    • Let's look at Microsoft's history with Win2K and WinXP and then re-ask that question, shall we?
    • Wouldn't an automatic update system serve to make the software more secure?

      As long as it's the phone company that pays for the updates. GPRS is about £1 per MB in the UK - it can be as high as £4 though.

    • Re:Same thing? (Score:4, Insightful)

      by Cat_Byte ( 621676 ) on Wednesday April 06, 2005 @07:51AM (#12152892) Journal
      Wouldn't an automatic update system serve to make the software more secure?

      From TFA...this is a bluetooth virus. This is no different than all of the wireless routers broadcasting ssid with no encryption and the default admin password still on there. The only update that would save people would be one that forces you to change the password from 1234 if you have bluetooth enabled and are broadcasting your ID.

    • Wouldn't an automatic update system serve to make the software more secure?

      Band-aids are a cure for cuts and scrapes.
      Insulin injections are a cure for diabetes.
      Various drug cocktails are a cure for aids.

      Well, these are actually not cures, and prevention is better than a treatment.

      Or let's try this one...

      Every time your house gets broken into, try installing a new lock somewhere. First on a window. Next time you are robbed, install another lock, say, on a door somewhere. Etc., etc. Don't th
    • Wouldn't an automatic update system serve to make the software more secure?

      Not if virus writers managed to use the automatic update system as a vector for malicious code, which I suspect could have a pretty high likelihood of happening.
      • Exactly. What we're seeing is just the first round. This problem will keep getting worse as long as we keep making our cell phones into computers.

        What I think will eventually happen is that the public will start saying 'no' to all this crap. I'm already sick of it. I don't want a phone that can browse the web. I don't want a camera. I don't want a phone that I can use to play games. I want a phone that allows me to reliably make calls and receive calls, with a phone book that I can sync with my com

    • Hmmm... I was puzzled by the phrasing of this question, too. What is the poster trying to get at?

      If Symbian/Nokia make System 60 more secure, then that's all very well for phones released after they improve their security, but for phones running older, less secure versions of the platform, it's not really much use. So, presumably, if they do improve the security of System 60, they'll need some way to push out those security enhancements to existing System 60 phones. In other words, the only possible logica
  • virus (Score:3, Insightful)

    by theseeria ( 849566 ) on Wednesday April 06, 2005 @06:12AM (#12152444) Homepage
    again?....whats the point of viruses in the first place.. evil teens with no life
    • Darwinism (Score:2, Interesting)

      by Anonymous Coward
      Just as the predominant, most accelerated technology growth comes out of human conflict (ie. war), computer security evolves fastest when it is forced to react to real-world situations.

      There is no point in asking what their motivation is; heck, I was 16 once too. Plus, nowadays many virus writers are actually commissioned by greater evils, like spam/malware/etc.. comprimised (zombie) machines (of any type) can be misused in a variety of ways..
    • You get a whole article in places like slashdot devoted to your virus, and if you're lucky, a mention on the news. It's anonymous fame for people with nothing better to do.
    • Ever heard of premium rate numbers and premium rate text message services ?

  • by Dancin_Santa ( 265275 ) <DancinSanta@gmail.com> on Wednesday April 06, 2005 @06:12AM (#12152445) Journal
    There was a time when a virus could install itself just be latching onto a 3.5" disk boot sector and infect tons of machines without anyone having the slightest clue as to its existence.

    Nowadays, viruses are so pussified that they need to ask the machine owner to install them. How sad.
    • I wonder if this is a result of viruses being "pussified" or as a result of improved security for the platforms.

      It's a good thing viruses aren't that powerful anymore. It'd be nice to see viruses having EULAs.
    • There was a time when a virus could install itself just be latching onto a 3.5"

      You had 3.5" floppies?

      5 1/4"-floppies (1.2M) were the norm, and 8" ones weren't entirely dead yet either. Back then.

      infect tons of machines without anyone having the slightest clue as to its existence.

      Technically they possibly could pass unnoticed, but most of the viruses back then would do something to attract attention. Like displaying a low-res graphic, hiding the cursor, or trying to delete files or zap hard disks.

    • Nowadays, users are so pussified, that if you tell them there's a virus called "*.*", and it's in the windows folder, they will happily check which files are infected - just tell them to type "dir *.*" at a command prompt, and then believe you when you tell them that to remove the virus, all they have to do is type "del *.*"
    • For people that doesn't get what you talk about, here is my favorite DOS.

      http://www.f-secure.com/v-descs/goldbug.shtml [f-secure.com]

      Respect, really :)

      You should be glad the elite ones like below:
      http://www.f-secure.com/v-descs/hybris.shtml [f-secure.com]

      Was killed by their author I suppose.
    • Well, maybe the true viruses are so advanced that really no one has a clue about their existence (which would be the reason why you don't hear of them), and the "permission to install" viruses are actually a way to detract attention from them ...
      • Well, maybe the true viruses are so advanced that really no one has a clue about their existence (which would be the reason why you don't hear of them), and the "permission to install" viruses are actually a way to detract attention from them ...

        Maybe all the malware is a way to distract attention away from the real malware.

        What if the real malware is the one that you willingly agree to install. Pay huge amounts of money for. Give up your freedom for. Give up control of your hardware. Willingly bu
    • There was a time when a virus could install itself just be latching onto a 3.5" disk boot sector and infect tons of machines without anyone having the slightest clue as to its existence.

      That brings back horrific memories. I remember my brother tried to install doom off a disk borrowed off his friend. The friend had a virus -> the disk had a virus -> our computer had a virus.

      It took us hours to even realise it existed, wondering wtf was happening to our computer. In the end we completely form

  • Security? (Score:4, Insightful)

    by Morlark ( 814687 ) on Wednesday April 06, 2005 @06:13AM (#12152447) Homepage
    I'd say they'll be wanting to make these phones secure, and be sharp about it. Fair enough, these phones with sophisticated OSes are fairly new, and you might expect them to get hit by viruses to start with, but now that the first few viruses have struck the phone companies are going to want to get these phones as secure as possible, so that they can't get attacked so easily in future. Obviously, there's going to be a need to continued updates, as viruses continue to develop and evolve, but more basic levels of protection need to be introduced first.
    • Re:Security? (Score:2, Interesting)

      by brainnolo ( 688900 )
      Viruses are going to be a problem on Symbian Phones sooner or later, all the manufacturers can do is to make it impossible to run without user stupidity. But now, smartphones users may not think about these risks, because they do not yet acknowledge they own a PDA that can make phone calls as well, not a phone.

      What would be useful is to make the users aware of this problem, but this could harm the sales of this relatively new product (i wouldn't be going to buy it knowing of this risk).
  • Vulnerability (Score:3, Interesting)

    by Anonymous Coward on Wednesday April 06, 2005 @06:13AM (#12152448)
    I wonder if the fact that the recent OS X vulnerability still unpatched after more than 2 months with the symbian component of iSync is related to this? would it be possible for an infected mobile phone to use the exploit in the mrouter code on OS X to infect the OS X machine remotely?
    • Re:Vulnerability (Score:1, Informative)

      by Anonymous Coward
      If you are referring to the iSync mrouter exploit it was patched within a week after release.
  • by flubbergust ( 818863 ) on Wednesday April 06, 2005 @06:13AM (#12152449) Journal
    Why shouldnt the creators make the system more secure? Its their responsibility to make it more secure. What if you have to dial 112 (911 for people in other parts of the world) and you cant? Phones have to be secure. I can live with my Windows box isnt but damned if my phone isnt secure.
    • by jcostom ( 14735 ) on Wednesday April 06, 2005 @06:17AM (#12152461) Homepage
      You know, in fairness, that even if you're foolish enough to leave your bluetooth device set to be discoverable, you still have to accept the file being sent to you, unless it's coming from an already trusted device - something you've paired with.

      Anyone that gets infected with this gets what they deserve. Hopefully at this point, you wouldn't open a strange file attachment, so why would you accept a strange file on your phone?

      • The sad thing is that people do open strange file attatchments. I don't really expect this behavious to significantly change on phones. People who make software, whether for PC or mobile phone just have to account for the fact that users are stupid.
    • by hc00jw ( 655349 ) on Wednesday April 06, 2005 @06:27AM (#12152506)
      I can live with my Windows box isnt but damned if my phone isnt secure.

      Why? Why can you live with your computer being insecure? Why do you accept this? Especially when there are secure alternatives!

      • Because most computers are nothing more than media center + game console. And secure alternatives are only as secure as their "root"s are. And if you can manage a "secure alternative" than there are good bets that you can manage your Windows box secure. And there are far fewer games for "alternatives". Yes, an email + browser pre-set Linux box for grannies is generally (slightly) more secure than the same box running Windows.
    • Perhaps they decided the extra time and effort required to make it that much more secure wasn't worth the wait. Decisions such as these are based more on marketing and business than IT and security.

      I'm sure we'd all love to have super-secure devices and software. But that takes time. And competitors whose products are not as secure would steal your market-share. Do you think users are going to wait months to use a product with similar functionality but that is 10% more secure?

      Neither did I. It's about the
      • Of course the guy who ran to the market early to steal your market share, had to have a major recall in order to restore 3 million phones that were infected with a virus. Now that compnay is on the verge of bankruptcy and your selling phones like hot cakes.

        In ANY other industry the security holes of Windows would be considered unsafe, and MSFT would be facing billions of dollars of damage and recalls.

        Because Software doesn't really exsist as a physical item, they don't have that problem.
  • virus free os (Score:1, Interesting)

    by freddej ( 122902 ) *
    So, I guess this is becoming more and more ordinary, writing secure code is not going to happen, and with new ways in (bluetooth, browsing with the phone, wireless access via phone in the future?) and so on I think we just have to rely on autoupdates for every os with no exception of PAN-devices. Just like we humans have constant amount of bacteria in our mouths we have to get used to having a constant flow of viruses through our computers/phones/pda's etc.
    • I'm not too worried about viruses on phones now. However, if I ever see an "Antivirus Fee.....$3.23" on my cell phone bill, my head is going to explode.
  • Repeat after me... (Score:5, Informative)

    by jcostom ( 14735 ) on Wednesday April 06, 2005 @06:14AM (#12152452) Homepage
    I will turn off bluetooth or set my phone's visibility to off.

    I will turn off bluetooth or set my phone's visibility to off.

    I will turn off bluetooth or set my phone's visibility to off.

    There, was that so hard? If for some reason, you refuse to do that, don't accept files from other devices unless you specifically know they're ok. You know, just like you do with your email.

    • by DarkHelmet ( 120004 ) * <.mark. .at. .seventhcycle.net.> on Wednesday April 06, 2005 @06:24AM (#12152494) Homepage
      Honestly, that shouldn't be an excuse.

      Bluetooth is used commonly for things like headsets nowadays, which is particularly useful when driving of all things.

      It's kind of like saying that a system is "waiting to be hacked" by having its firewall turned off. A firewall is just one layer of security that's used in order to secure a computer.

      Phones are computers nowadays. The phone manufacturers simply cannot use bluetooth being left on as an excuse.

      Anyway, I imagine virii like this over the next few years will spark a much greater concern for security within nextgen phones.

      • The virus does not get installed on the phone without user intervention. The user has to install the virus. How the hell do you protect a computer from people who install programs after they have been told that the program might be harmful?
      • Phones are computers nowadays. The phone manufacturers simply cannot use bluetooth being left on as an excuse.

        You dont need to turn off bluetooth. Turn off "bluetooth visibility".

        With bluetooth visibility off, then anyone who wants to bluetooth to your phone must ALREADY KNOW THE BLUETOOTH NAME. That is to say, they must already have had access to your phone.

        With bluetooth visibility is off, you can still use wireless headsets or whatever else you like. The only difference is that you will not receive u
    • So your idea for security is that everyone in the world should strictly follow this rule all the time, with no exceptions, and should never forget it? That isn't going to happen.
      What could happen is that the phone manufacturers could make the effort to install a secure operating system. Then I could accept files from other users all the time, without worrying about how much I trusted them to follow such rules. You know, just like I do with my email.
      • You can accept files from other users just like you can with email. And just like the recent email viruses, you must explicitly run and install the virus.

        There is nothing a phone manufacturer can do about that. Well, except not allowing any non-pre-packaged software to be installed.
    • what about toothing [google.com]?

      And why is Symbian wors than Microsoft's alternative?

      I remember when MS said they were doing a phone all the jokes were "Blue Screen LOLOROTFLMAOLOLOL!!!!!" and "Virus OMG LOLOLOLOLOLOLOL!!!!!", but it seems that in the end it is Symbian with the virus troubles.
      • It's not quite about Microsoft vs. Symbian to most people here. Most people take the piss out of Microsoft because it's sooo easy to do, but actually have no real grudge against them.

        I think looking at this case Microsoft scores really big here. Microsoft don't have a good track record but really there's no excuse for a security hole as bad as this. If you grab input from another computer you secure yourself against it as much as possible, including and especially wireless technology, as you can't ver
    • by hgavin ( 259102 )
      > I will turn off bluetooth or set my phone's visibility to off.

      This version of the worm propagates by MMS.
    • by Zayin ( 91850 ) on Wednesday April 06, 2005 @07:02AM (#12152626)

      I will turn off bluetooth or set my phone's visibility to off.

      Setting your phone's visibility to off is not enough to stop attacks.

      There are already tools [securiteam.com] out there that find non-discoverable bluetooth devices. A worm might use the same technique.

    • Didn't the name "bluetooth" already imply that it would eventually bite you? :-)
  • Not much threat? (Score:5, Informative)

    by Richie1984 ( 841487 ) on Wednesday April 06, 2005 @06:16AM (#12152459)
    I had to read quite a way down TFA before I actually came to the information detailing what the virus actually does.

    "At this point, mobile viruses are more of an irritant than a serious security...the messages that Mabir sends do not contain any text message, only the info.sis file.

    So it seems this virus is more of a proof that they can be spread via phones, which we already knew, rather than an attempt to actually damage or corrupt the OS. Hopefully it'lll persuade manufacturers to work more on their phone security, rather than obvious new features for the user.
    • Forget media. While passing by, ask a Nokia or Ericsson,siemens service center if they had some phones completely dead and had to flash over service hardware.

      Those companies spend BILLIONS to advertising. No sane reporter will make 2-3 infections news but doesn't change those viruses REALLY exist and believe or not, spreads.

      There are people who automatically say "yes" to everything pops up at their phone. I know one myself personally. Not me.

      Had 2 cabir requests in 5000 people Prodigy concert myself.
  • Saying that this virus exploits Bluetooth is similar to saying that a windows virus exploits CAT5. The software running on the phone is vulnerable, not the transmission medium.
    • Actually, having had a Symbian Phone (P800) and knowing exactly how things are transfered to/from it. its not even the software in the phone that makes it vulnerable, but more often than not, its the wetware in between the ears of the users
  • by Albinoman ( 584294 ) on Wednesday April 06, 2005 @06:20AM (#12152473)
    A lot of people already have to update their roaming info. Why cant this stuff be updated at the same time? Current phones wouldnt be able to, but Im sure cellular providers would rather do that than suffer the wireless version of a DOS attack (you know it will happen).
    • already has. back in 2000, when ICQ could send SMS in the UK (i dont *think* it can anymore), we used to bang off twenty or thirty to a friends's phone - since SMS capacity in 2000 on the average phone was low (10-15), this would swiftly fill the memory, and then they would queue up in the message centre. delete one, get another one. renders the phone useless until you have churned through deleting the whole lot. we actually used to call it a DDoS

      send a couple of hundred off, and you can basically prevent

  • by KonijnenBunny ( 761868 ) on Wednesday April 06, 2005 @06:22AM (#12152484)
    I own a Nokia 60-series phone and much to my surprise I encountered the above mentioned predecessor (Caribe/Cabir) in the wild. (Yep, my bluetooth's always on)
    I received over 20 identical messages by Bluetooth messaging, all containing a single application-installation file: caribe.sis I had to approve the reception of the message first before I could view the contents. As I browsed the message contents, a further warning that it contained an application was issued, and I image the standard "not-signed" warning would as well if I'd try to actually install it.

    That's 3 warnings I would have to ignore before the virus is installed. Surely in this day and age anyone's brains would have kicked in and wonder whether it would be a wise idea to install an unknown program sent to you by an anonymous stranger? Mobile-phone virii are all still very proof-of-concept in my book...
    • That's precisely the reason why I never leave Bluetooth on. I've often sat on a bus and out of curiosity looked for other bluetooth handsets on the same bus, they all usually have the default ID for their phone. Most customers who buy their phones will have never heard of Bluetooth before and so when they see messages like that, they will naturally open them. It doesn't take too long to turn bluetooth on, so unless you're using a Bluetooth headset, it should remain off until needed. Customers should also
    • Many of the users who've really been hit by any of the phone Bluetooth worms (there are several) have explained themselves along these lines: "I got a cryptic message on my phone. I didn't understand what it was asking...so I clicked 'No'. When I did that, the message popped up again. So I clicked 'No'. Again. 'No'. Again. Then I tried 'Yes', and the message went away..." It makes sense, kind of.
    • You are a Slashdot user and you know what ".sis" is.

      Do not generalize. It would be an excellent world if persons of your type weren't only 2% or less of population.

      I speak about people paying $5! for a single midi ringtone!
    • Leave the basement and you'll find that some non-geeks are stupid. Really stupid.
  • by Savage-Rabbit ( 308260 ) on Wednesday April 06, 2005 @06:27AM (#12152504)
    Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?"


    Not having every single Bluetooth service known to man switched on by default when the phone leaves the factory would be a good start. The first thing I did when I got my new PDA phone was to switch everything off except the BT Headset and File Transfer which I set to Maximum possible security since it wasn't set like that by default. Strictly speaking the FT services should only be activated on a need-to-use basis but I don't carry alot of sensitive information on my PDA phone and what there is I have encrypted on an SD card. That would incidentally be another good idea, if manufacturers were to install some sort of file-vault software as standard. I had to install the file-vault software as an optional software package from the companion CD that came with my phone.
    • I completely agree with you, and it would be nice if more manufacturers of most electronic equipment (wireless APs would be another example) started to make their stuff more secure by default. The major problem is that they're trying to give users "ease of use" over "more security," which has already been proven to be an approach that's flawed.
  • by S3D ( 745318 ) on Wednesday April 06, 2005 @06:28AM (#12152512)
    This theme is beat to death. So called "virus" require answer "Yes" three times to be installed. The most vocal reporter of these viruses is F-Secure, manufacturer of anti-virus software for symbian phones. Their CEO speaking on one of the previous virus: "somehow, I'm not sure exactly how this virus get installed on my phone" He did't remember answering "Yes" three times ?
    • You're assuming they're not the ones who wrote the virus in the first place...

      Simple trick, don't buy phones known for crappy security. Symbian phones have been attacked before...

      Though I agree this highly bad virus that requires the users permission to install is hardly a "virus" and more of a darwinism.

      tom
      • Symbian phones hardly have crappy security. They are targeted by "virus" authors because they are the only popular open smartphone OS around.

        Incidentally, there is basically no way that an open OS can protect against this sort of thing. If the user has the ability to install applications, the user has the ability to install viruses. There are two obvious ways to stop trojans like this spreading over Bluetooth:

        1. Disallow the reception of applications over Bluetooth. But then how would users get legitimate
        • I seem to recall stories a few months ago about it...

          Eitherway, stupid users can darwin their cell phones. So long as they don't add to the email spam problem I don't care!

          BTW [ot] if you want to have a lot of fun with spam, open a yahoo account, post the address in a bunch of usenet forums, turn off spam filtering and wait a couple of weeks.

          Then open up your inbox (which will likely have around 1500 spams in it) and sort based on subject.

          Seeing 23 "CONGRATUALATIONS" in a row is just hilarious...

          Tom
          • (fud my ass in fact) (Score:2, Informative)

            by Ilgaz ( 86384 )
            The symbian community learned to bypass all security alerts saying "yes, yes".

            You know the reason? Even the best symbian coders have to instruct users to IGNORE security alerts because they can't afford to buy a Symbian signed license for their application.

            Only being a user, I suppose Nokia wants money for it.

            About your OT: Got no spam for 3 weeks, looks like even spammers have some kind of brain ;)
    • Comment removed based on user account deletion
    • Their CEO speaking on one of the previous virus: "somehow, I'm not sure exactly how this virus get installed on my phone" He did't remember answering "Yes" three times ?

      Of course he remembered answering it - well, probably didn't remember actually answering yes, but he remembered the sales and marketing meeting where the Marketing Director told them all about the plan to have the CEOs phone "infected" with a virus of an "unknown" origin - and told them that this would get press releases and make the news b

    • You blame F-Secure, makers of F-prot distributing FUD?

      How old are you? 16?

      Read some IT history about F-Prot. You will understand they really don't care about your $something.

      I am just afraid of people like you administering Symbian sites, really afraid.

      If I ever buy f-prot for my mobile, if there will be a reason ever, it will be people like you.

      How many users of you care about exact 3 warnings when they download/purchase any sis from your site?

      For people never used Symbian, you must PAY to Symbian/No
    • " This theme is beat to death. So called "virus" require answer "Yes" three times to be installed."

      It was the same for computers 10 years ago. Now they can infect you without your knowledge by going down wire. How long before our nation's high schools are one big spambot farm?

      If we are going to put computers in phones, we need to put firewalls and anti-virus protection in them with the ability to be updated. Which is a security hole itself. In terms of computer technology, it is 1995 in cell phone land. S
  • Handheld viruses (Score:3, Interesting)

    by springbox ( 853816 ) on Wednesday April 06, 2005 @06:39AM (#12152552)
    I'm not familiar with this particular handheld OS, but it would be funny if someone tried to write a virus for the PalmOS, because it largely wouldn't work.

    "Please execute this program to destroy your system" is what the approach would have to be and doing a hard reset of all of the memory and hotsyncing it would completely wipe the thing out of the system. This is where volatile memory and a somewhat restrictive setup will benefit the user.

  • by akadruid ( 606405 ) <slashdot&thedruid,co,uk> on Wednesday April 06, 2005 @06:43AM (#12152559) Homepage
    will the OS creators have to start making their software secure?

    All commercial operating systems are written to the point where the security is just good enough to sell the product and no further.

    When operating systems are tied to the product or the vendor has a monopoly on their market then the point of 'just good enough' is reached long before the end user can regard the product as secure.

    I predict: Software security will only become worse as consumor adoption of future devices hostile environments such as the internet increases. Within 10 years, end users will be comfortable with performing routine software maintainence on a myriad of devices they currently consider reliable over the life of the product. This will include: all communications products; vehicles; home automation and security; entertainment systems; electrical white goods and diy tools.

    When the dominant multi-purpose operating system can be regarded as usuably secure out of the box for the life time of the product, then I'll reconsider.
  • Worms (Score:4, Insightful)

    by nmg196 ( 184961 ) * on Wednesday April 06, 2005 @06:43AM (#12152562)
    Why is Slashdot's icon (top right) for the "worms" section a picture of a caterpillar, which is in no way related to a worm?
  • Make secure (Score:3, Informative)

    by fozzmeister ( 160968 ) on Wednesday April 06, 2005 @06:44AM (#12152564) Homepage
    The evil empire (MS) would have done this ages ago (yes they'd still be bugs that would let things thru, but it'd be better) if it wasn't for programs assuming they can write anywhere etc. MS trapped themselves. With phones being so young, and also being a new product every version (the OS dependencies are small), it'd be hard for them to excuse there being security problems.

    But auto update would also be needed, no software is perfect.
  • "Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?"


    Both. Or maybe... isn't it far better for socializing that you're able to talk about how Windows didn't work and you fixed it than to own a machine / gadget / technology that simply works.?

    So maybe the answer truly is Neither.

  • by Anonymous Coward on Wednesday April 06, 2005 @06:51AM (#12152593)
    I'm am an experience commercial software developer on the Symbian platform. I have a strong background in many other platforms and i the context of this message, my anonyminity is important since my company can be sued by Symbian just for a biased negative opinion of Symbian made publicly.

    Symbian OS is the most expensive platform to develop on. This means more expensive money and time wise. It takes 3 times as many developers to deliver the same product in twice the time as on comparible platforms (brew, iTron, etc...) as for platforms with real development tools such as Windows Mobile, we use ten developers on Symbian to every one on Windows Mobile to produce a lesser product.

    Symbian has limited hardware level debugging support (if any at all), they lack so much as a command prompt to log to.

    They lack decent compilers and you're stuck with GCC or ARM Realview (neither are that good, satisfactory at best on ARM).

    Documentation is aweful at best.

    A simple program requires you to just through hoops, more complex sets the hoops on fire.

    The emulator environment emulates nothing and simply tries to implement the Symbian UI APIs on Windows and all system level stuff is just layered on Windows. That's fine if you don't need to do anything at the system level.

    The development environment is heavily based on CodeWarrior these days. I find this funny since every other company (Nintendo, Sony, Be, Apple, etc..) where Metrowerks had a good footing, the companies found it more profitable to dump CodeWarrior and do it themselves instead. Symbian is the only company stupid enough to choose to rely on Metrowerks, especially with their pathetic resume.

    As for security, the fact that anyone could possibly ship a product based on Symbian is a miracle in itself. As for securing it as well, I think you're just asking too much.
    • As for securing it as well, I think you're just asking too much.


      For somebody who claims to be so experienced, you know surprisingly little. Does the term Platform Security ring a bell?

    • by Anonymous Coward on Wednesday April 06, 2005 @08:13AM (#12153013)
      10 odd years of reading /. and it takes this to get me to post...

      I've been working with the Symbian OS for some time and the parent smells strongly of BS...

      > Symbian has limited hardware level debugging support (if any at all), they lack so much as a command prompt to log to.

      There is support for both hardware level debugging and there has been a working command prompt for several versions. I suggest you ask Symbian (nicely) how to access these.

      > They lack decent compilers and you're stuck with GCC or ARM Realview (neither are that good, satisfactory at best on ARM).

      What's wrong with GCC suddenly? It's bad compared to what? MS Visual Studio? Arm compilers are what you get for ARM chips - still the undisputed leader for the mobile market.

      > Documentation is aweful at best.

      It is patchy. It's getting better...

      > That's fine if you don't need to do anything at the system level.

      I've seen a variety of system level debugging on the emulator. Maybe you need some pointers?

      > The development environment is heavily based on CodeWarrior these days.

      I'm told Symbian has good feedback into Metroworks and gets their CW specifically tailored for them so maybe it's better than their usual product.

      > As for security, the fact that anyone could possibly ship a product based on Symbian is a miracle in itself.

      Which is obviously why they have something like 80% of the smart mobile market...

      > As for securing it as well, I think you're just asking too much.

      The next big release is supposed to be all about security.

      > as for platforms with real development tools such as Windows Mobile, we use ten developers on Symbian to every one on
      > Windows Mobile to produce a lesser product.

      So why are Microsoft content to deals with Symbian that hurt their own mobile devision? Even they seem to have given up on their own product...
      • >I'm told Symbian has good feedback into Metroworks and gets their CW specifically tailored for them so maybe it's better than their usual product. As far as I know Nokia bought the Symbian OS parts of Metrowerks last year. At least it says so here [allaboutsymbian.com]. I would call that rather complete tailoring. Of course it is a bit worrying for companies using other flavors of Symbian OS than Series 60/80/90 as Nokia will probably focus on those.
  • Once again we see that security in software design often is an afterthought. I can understand a small software company not having the time or resources to address these issues -- and even then that's questionable. But what are the "big boys'" excuses?

    I think it is quite silly and worrisome that PC users have to be so concerned about virii and spyware and have to invest time and effort in dealing with these hassles. Now we've got to have these same annoyances for our cell phones and PDAs? Excuse me?

    No on

  • by Zemplar ( 764598 ) on Wednesday April 06, 2005 @07:42AM (#12152840) Journal
    Am I the only one that misses some of the great cell phones that were actually designed specifically to be the best form of wireless voice communication? I sure wish I could buy a new manufacture Motorola StarTac today!! Black-on-green screen - NO crappy color screens. No stupid ring tones. No photo album. No crappy camera. Two-WEEK standby time!! Just a damn good PHONE...nothing else.

    /rant
  • Go back to stupidphones. My now-ancient StarTAC does everything I want in a telephone, and a lot of stuff I'd like to take out of the menus altogether. If I wanted to lug around lots of other functions, I'd keep them in a separate piece of equipment and only connect it to the phone when I need to connect to somewhere else.

    Either that, or just carry a general-purpose computer and plug in a wireless module when I want to have it emulate a telephone or obtain some networked service.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...