Forgot your password?
typodupeerror

The Dumber Android Is, the Better, Say Experts 165

Posted by Zonk
from the are-we-talking-lore-dumb-or-kryton-dumb dept.
ZDOne writes "ZDNet UK is reporting that it will not be known until the Android software development kit comes out on Monday whether the Gphone will be strictly Java-based, but security experts claim that the less smart a phone is, the less vulnerable it is. Android developers should stick to a semi-smartphone platform because the Java sandbox can protect against the normal kinds of attacks, experts claim. The article also discusses some of the pros and cons of open vs. closed source security. 'The debate about the relative security merits of open-source as opposed to proprietary software development has been a very long-running one. Open-source software development has the advantage of many pairs of eyes scrutinizing the code, meaning irregularities can be spotted and ironed out, while updates to plug vulnerabilities can be written and pushed out very quickly. However, one of the disadvantages of open-source development is that anyone can scrutinize the source code to find vulnerabilities and write exploits. The source code in proprietary software, on the other hand, can't be directly viewed, meaning vulnerabilities need to be found through reverse engineering.'"
This discussion has been archived. No new comments can be posted.

The Dumber Android Is, the Better, Say Experts

Comments Filter:
  • Huh? (Score:5, Interesting)

    by Matt867 (1184557) on Thursday November 08, 2007 @05:02PM (#21286181)
    The dumber the smart phone is the better? Sounds like someone doesn't want to take their programming job seriously.
  • by Billosaur (927319) * <wgrotherNO@SPAMoptonline.net> on Thursday November 08, 2007 @05:08PM (#21286247) Journal

    I know it's meant to be funny, but strangely it's one of the reasons I haven't ditched my land-line to go all wireless. Mobile phones, especially those that try to do everything, aren't particularly good at anything and the more things you cram onto them, the greater their vulnerability profile. My wife just traded her old broken-down phone for a T-Mobile Shadow, and it's not the world's greatest phone (it runs Windows Mobile, but that isn't the root of the problem). The sound quality is horrendous and I haven't tried the MP3 player in it, but I'm not holding out hope.

    I don't think we're at the point where phones can handle multiple tasks well, and using one is leaving yourself open to all sorts of mischief.

  • This is the old telecom industry chant. "Let's put the smarts in the network, they say, where they're out of touch and nobody can even get in to attack them, and have dumb devices out on the edge. Blue boxes are just a rumor."

    By all means it should be possible to make dumb phones with Java sandboxes around third party software using Android. Yes, every layer of security is good. But it's not perfect... if you put everything you want to protect inside the sandbox, who cares whether someone breaks out of it or not?

    Don't forget, the OS they're basing it on was designed for timesharing use, where it was common for people who had very different security requirements running code together on the same computer. Linux is a relatively young implementation of UNIX, but it's still using the same design that was able to keep some of the world's smartest CS undergrads from getting at the test papers and scores stored on the very same computers as their class accounts in the early '80s.

    And some of the biggest vulnerabilities available to attackers on any platform are in application layers, in code doing what it was designed to do, with no individual component violating any constraint that a sandbox would prevent. The biggest problems are not implementation flaws, they're design flaws.

    That's why, despite years of warnings from antivirus company experts, we don't have a flood of smartphone viruses... because PalmOS and Pocket PC and the rest don't have multiple internal firewalls like UNIX or Windows NT, but they're also not designed around a model of accepting code from untrusted sources and running it, like Windows is.

    Get the application design right, and you're solid. Get it wrong, and you lose... no matter whether the kernel is inviolate or not.
  • by erroneus (253617) on Thursday November 08, 2007 @05:32PM (#21286583) Homepage
    People will want to make their phones do special and complex things. To facilitate this, they will write API libraries that other parties will also use because the phone's basic API will not support much.

    The results of a non-robust API will be large amounts of object code libraries being built and installed, varying dependencies and conflicts and on and on. As much as possible, it would be best to maintain the API from a single point. This will also enable a much smoother user experience since people won't be forced to create their own GUI libraries and the like.

    It needs to be complex and it needs to support everything... at least potentially. Ideally, everything except the data and the object code should be provided through the OS and OS supplied libraries. This would best guarantee compatibility and stability. But we know it won't happen that way. We can't even get KDE and GNOME unified. Some "smarter-than-you-and-me" guy will write something that will be rejected by the masters of the API but will be used by a variety of other developers and then it all begins.

    And what happens when the OSS community rebels? Recall how XFree86 became stagnant and people rebelled to create X.org? That wasn't a disaster, but what happens when it happens on users' phones? And will there be multiple phone distros? And will AT&T and T-Mobile try to lock them up? And if they "can't" then will they block those phones from being used on their network (in spite of laws to the contrary)?
  • by sm62704 (957197) on Thursday November 08, 2007 @05:34PM (#21286603) Journal
    In March 2006 We got hit by two tornados [wikipedia.org] in one night. They went right through my neighborhood; the big tree behind my apartment looked like Godzilla had stomped on it. Half the utility poles were gone (as were a lot of buildings). My power was out for a week, my cable and internet were out for a month, and the landlines were all out as well.

    My cell phone worked, however. It also was a very handy flashlight, as there was no power AT ALL anywhere near my apartment and boy, was it dark there at night! It's been years since I've had a landline.

    -mcgrew
  • From the wha...? (Score:3, Interesting)

    by Pojut (1027544) on Thursday November 08, 2007 @05:35PM (#21286623) Homepage

    are-we-talking-lore-dumb-or-kryton-dumb depart.


    Whoa...wait...is that...no...it couldn't be...

    Is that a Red Dwarf reference right there at the top?!?!??!

    I woulda thought a place like teh slash would have had more references to that show, honestly...and for the record, Kryton was WAY smarter than Rimmer or Lister...

    Unless...this is a reference to something else, and I'm being my usual dumb self..
  • by ichthus (72442) on Thursday November 08, 2007 @07:01PM (#21287747) Homepage
    Ah, the new buzzword of the day, "consensus." There is hardly consensus on the superiority of openness in a security model. The scrutiny of many eyes argument is valid, but is arguably countered by a "probing of many eyes" for exploits argument.

    And, there are good arguments for security through obscurity -- a concept all too quickly shot down here at Slashdot. For example, leaving a house key inside a fake rock in your garden is arguably more secure than leaving the key under your welcome mat. Another example, in which I have personally experienced the behefits of security through obscurity, is network ports. I used to have ann SSH server running on the standard, port 22. Every day, my logs showed numerous login attempts by unknown individuals trying to gain access to my system. Once I moved the server to a different, more _obscure_ port, though, my logs rarely show any connection attemps. Now, is this new port more secure? No. But, because it's further hidden it does afford _more_ security.

    And, as for your final, fanny-pat statement to the "consensus" of the "scientific" world: I'm a creationist, and I'm not out of touch. For me, the incalcuably small probability of spontaneous generation of a lifeform able to be nourished by it's environment and then able to reproduce is not a large-enough foundation on which to build a scientific consensus.

  • by adamziegler (1082701) on Thursday November 08, 2007 @08:04PM (#21288461) Homepage
    "Actually I was cracking not hacking" ... ... actually you were phreaking not hacking.
  • by BizidyDizidy (689383) on Thursday November 08, 2007 @08:15PM (#21288559)
    I'm obviously a moron, but what WAS Bridge 1300?

There is nothing so easy but that it becomes difficult when you do it reluctantly. -- Publius Terentius Afer (Terence)

Working...