Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror

The Dumber Android Is, the Better, Say Experts 165

Posted by Zonk
from the are-we-talking-lore-dumb-or-kryton-dumb dept.
ZDOne writes "ZDNet UK is reporting that it will not be known until the Android software development kit comes out on Monday whether the Gphone will be strictly Java-based, but security experts claim that the less smart a phone is, the less vulnerable it is. Android developers should stick to a semi-smartphone platform because the Java sandbox can protect against the normal kinds of attacks, experts claim. The article also discusses some of the pros and cons of open vs. closed source security. 'The debate about the relative security merits of open-source as opposed to proprietary software development has been a very long-running one. Open-source software development has the advantage of many pairs of eyes scrutinizing the code, meaning irregularities can be spotted and ironed out, while updates to plug vulnerabilities can be written and pushed out very quickly. However, one of the disadvantages of open-source development is that anyone can scrutinize the source code to find vulnerabilities and write exploits. The source code in proprietary software, on the other hand, can't be directly viewed, meaning vulnerabilities need to be found through reverse engineering.'"
This discussion has been archived. No new comments can be posted.

The Dumber Android Is, the Better, Say Experts

Comments Filter:
  • First: She's always like, "I'm sorry, I don't know who you are." her policy is to never buzz anyone in. She angered the chairman once over it, who was talked out of firing her precisely because he's in the office like 3 times a year. She won't buzz people in and she's unrepentently steadfast about it. She's dumb as dirt.

    She's not dumb, she's smart.

    Second: Simple systems are more likely to be secure than more complex systems in general as they are less prone to component failure.

    The Java sandbox is an extremely complex system, with trusted and untrusted code running in the same address space calling the same libraries, with the security managed by code that's also using the same libraries and running in the same address space. I am honestly amazed that it's worked as well as it has.

    The multiuser protection in UNIX is an extremely simple system, with untrusted code running in separate address spaces and, traditionally, with the ability to run security applications using no shared libraries at all. It's also proven extremely effective, and it has the advantage that even if flawed code is run those flaws do not automatically provide an escape route from the whole sandbox the way flaws in libraries called from Java do.

    This is not to say that the Java sandbox isn't a useful tool, but rather to say that when analyzing the security of the system as a whole the fact that an application is written in Java should not be given the kind of importance that it seems to be getting here.
  • by sm62704 (957197) on Thursday November 08, 2007 @04:25PM (#21286487) Journal
    The rotary dial was a pain in the ass, but we never knew that until they invented pushbutton phones. And you had to look up your police/fire/ambulance in the phone book as there was no 9-1-1 service. Although most people just dialed "O" and when the lady answered (a real live human being, we didn't have voice mail either) you said "MY HOUSE IS ON FIRE" and she'd plug some plug on her switchbopard in and the fire department would come out.

    But the Western Electric 500s were hackable! Some of them had no dials; businesses used the dial-less phones for where they wanted a low level employee, like the teenaged me at the ticket booth at the drive in theater, to be able to answer them but not make outgoing calls.

    You could, however, "dial" them by repeatedly hitting the hangup buttons. So I was hacking your "unhackable" phone when I was 16. Actually I was cracking not hacking; I was hacking when I made guitar fuzzboxes out of $10 transistor radios and selling them for $50 each to other teenaged guitar players.

    -mcgrew

    PS- I've almost forgotten this, but in the Metro East St Louis area you could dial Bridge 1300 and a spooky noise cane out of the phone. The other kids said it was a ghost, I never had the heart to educate them about the reality.
  • Re:Open is better (Score:4, Informative)

    by starfishsystems (834319) on Thursday November 08, 2007 @04:39PM (#21286689) Homepage
    From the parent article:

    The debate about the relative security merits of open-source as opposed to proprietary software development has been a very long-running one

    Indeed. The principle of open security was first proposed by Auguste Kerckhoffs in 1883.

    Any time security depends on the secrecy of some mechanism, that security is pepetually at risk. All these millions of instances of the same vulnerable mechanism, no way to tell in general whether their security has been broken, and -- as you point out -- a certainty that the vulnerable secret cannot be contained.

    In what way exactly does this remain a matter of debate?

  • by tjwhaynes (114792) on Thursday November 08, 2007 @04:46PM (#21286807)

    The source code in proprietary software, on the other hand, can't be directly viewed, meaning vulnerabilities need to be found through reverse engineering.'

    This is so wrong it isn't funny. I need know NOTHING about the internals of a program to exploit it - I only need to find a set of inputs that make it crash in interesting ways. Buffer overflows can be trivially used to redirect a running program to jump to a stack frame supplied as part of the crafted inputs. There are other ways to play the game against binaries without reverse engineering.

    Cheers,
    Toby Haynes

  • by Mi1ez (769713) on Thursday November 08, 2007 @05:01PM (#21287037)
    Grammatically, quotes in the right places would help too. "The Dumber Android Is, The Better," Say Experts
  • Re:From the wha...? (Score:4, Informative)

    by Kryten107 (1128675) on Thursday November 08, 2007 @05:59PM (#21287711)
    The world needs more Red Dwarf references. And it's spelled Kryten. I should know.
  • by SL Baur (19540) <steve@xemacs.org> on Thursday November 08, 2007 @06:50PM (#21288297) Homepage Journal

    My power was out for a week ... My cell phone worked, however. It also was a very handy flashlight, as there was no power AT ALL anywhere near my apartment
    I'm amazed that your battery kept power for that long with the backlight enabled. Even my Japanese cellphones wouldn't stay charged that long.
  • by glitch23 (557124) on Thursday November 08, 2007 @06:53PM (#21288335)

    You could, however, "dial" them by repeatedly hitting the hangup buttons. So I was hacking your "unhackable" phone when I was 16. Actually I was cracking not hacking; I was hacking when I made guitar fuzzboxes out of $10 transistor radios and selling them for $50 each to other teenaged guitar players.

    Actually, you were doing an early version of phreaking [wikipedia.org].

Line Printer paper is strongest at the perforations.

Working...