When hacking is purely done in private, is it still hacking?
Published by Steve Litchfield at 17:03 GMT, March 27th 2008
Steve Litchfield dismisses the latest Symbian hacking scare story....
Oh, the blogosphere does like a good scare story, and combining the previously impregnable Symbian OS 9 and S60 3rd Edition in the same sentence as the word 'hacked' is bound to raise a few eyebrows and generate some page hits. After all, 'Windows Mobile hacked' doesn't really have the same ring of surprise.
'Hacked' - visions of web sites falling over, visions of altered versions of legitimate applications, flooding the world with malevolent code and so on...
But it's important to put the efforts of the uber-hackers over at Symbian Freak* into perspective. And when I say uber-hackers, I mean UBER. We're talking wires everywhere, multiple software development kits, lengthy lists of hack instructions, illicit tools, the works. And the procedure that they came up to implement the hack with isn't much simpler, with steps that should rightly make any sane person run a mile. Of course, it's possible that easier-to-use utilities may appear in the future, to achieve the same effect with less effort, but it's absolutely vital to point out that these 'hacks' are expressly only for single, connected devices. And currently they only work until the phone is turned off, after which the hack procedure has to be done again.
* Using the official Software Development kit and its associated debugging tools, together with some detective work and [doutbless] a little guessing, some users have worked out a way to patch the internal disk of a device in order to allow temporary but unrestricted access to the normally hidden and locked away \sys folder, the place where the operating system and its control files live.
In other words, the hacks in question are very much a private thing. One uber-geek rising to the challenge of bypassing the security in Symbian OS on his or her own device, presumably with a view to carrying out further hacks, altering the OS even further and generally having 'fun'.
So visions of these hacks leading to malware for general release that can bypass the standard protection for the average user are grossly misplaced. In terms of exposure to the Internet, to the world of S60 software, to incoming emails and Bluetooth messages, the fiddling around of some geeks in the privacy of their own bedrooms using their own personal smartphones for experimentation are of no relevance whatsoever - your smartphone is still 100% secure. And you still don't need to panic into buying firewalls, anti-virus, etc - they're simply not needed.... [steady on Steve, you've done this rant already! - Rafe]
Of course, a hacked S60 smartphone could, in theory, host a malevolent application which might, shock horror, send out something nasty to another phone user (who would still be protected in the usual way, don't worry) - but even this scenario is very, very unlikely. Any user technical enough to both want to and know how to hack their device to this extent is going to know exactly what's installed on his or her smartphone and won't let a would-be piece of malware within a mile of its operating system.
So claims on Symbian-Freak that 'S60 3rd Edition security is broken' are melodramatic, to say the least. And talk on Engadget Mobile about this being 'jailbreaking' S60 is also twisting the truth - after all, nearly every S60 application could already run on the platform - we're talking here about a tiny subset of power utilities that do things to the S60 interface now working, after a lot of effort, on a single device for a while.
So - S60 hacking - it may be a hobby, it certainly isn't a profession.
And for you, the end user, my advice would be to leave well alone - it's simply not worth it. Against the 'benefit' of seeing what's inside your smartphone's OS folders, the adrenaline rush of grabbing scripts from the underworld, and -possibly- slightly easier installation of some accelerometer utilities a few weeks ahead of official availability, there's a real risk that you'll wreck your current S60 install completely and will have to hard reset your phone. Meaning an hour of app installations and data resyncing at best - and data loss and a voided warranty at worst. I know which way I'd jump....
Steve Litchfield, All About Symbian, 27 March 2008
Share This (Digg, del.icio.us, Facebook, etc.)
Categories: Comment, Develop
Platforms: S60 3rd Edition
Feature Discussion
Richard Ross
...our brothers and sisters at Symbian Freak are out there stickin' it to the man while you exhort us all to bend over for the military-industrial complex.
Shame on you, maaan, you're harshing our buzz!
eletrix
'windows mobile hacked' doesn't have the same ring of surprise ???
you mean that what have been done with symbian S60V3 (see system file + all permissions)
have already been done with windows mobile 6.0 ???
or in windows mobile you see these system files from the beginning like in symbian OS 6.1-8.1 ???
kflyer
Linked from
http://mobileroyale.tk
Mr. Richard, if it's their hobby, why don't they keep it to themselves without putting lives of other Symbian users into danger? Do you call it a charity or a crime?
Hardeep1singh
Quote:
|
Mr. Richard, if it's their hobby, why don't they keep it to themselves without putting lives of other Symbian users into danger? Do you call it a charity or a crime?
|
Lives of other Symbian users into Danger? Are you serious???
I remember an article written by Steve Litchfield a month ago,
http://www.allaboutsymbian.com/featu...a_full_N96.php, it talks about a button named 'Are you Steve Litchfield?', this hacking initiative wants just that. Hope it brings Nokia's attention towards the fact that S60 became successful because it 'used to' be Open and that's something users really want. May be that's the only reason why N70 still sells.
By the way, Read the instructions over at symbian-freak, a noob can't even understand it, so he's still out of danger.
slitchfield
@Richard: you missed the smiley off 8-)
@eletrix: I was mainly talking about people's expectations that Windows in all its forms is errr... hacked quite often. It's not exactly news. And yes, WinMob is a LOT less secure than Symbian OS 9
@kflyer: Hmm..... don't go over-dramatic in the *other* direction, please!
@hardeep: S60 *is* very open. It's only that the problems with the Symbian Signed programme over the last year that led to the whole unsigned app phenomenon and (indirectly) drove hackers to fiddle even deeper. Personally, I'd much rather wait until official Open Signed versions of things like RotateMe come along rather than waste hours of precious family time locked away in my study fiddling with utilities...
Unregistered
Is it really you Steve!?!??? Just curious?
This is a little bit weird article Steve, you see, if I remember right you have covered and appraise some of the hacks that appeared in the past on Symbian Freak and I just can’t realize why you suddenly changed your opinion radically. What is different between this hack and hacks that you wrote about before with approbation?
Speaking about the hack I tend to disagree with you, S60 is now hacked, totally, it is not a temporary solution, now you can hack it without PC on demand or permanently give the allfiles attributes to certain applications. Also it is not as dangerous as you said; it is the quite simple procedure that can be done in a few minutes and there is no real danger for the end users. Of course I am talking about so called power users, not about aliens in the Smartphone world that buying S60 phones just because of the price and amount of megapixels!! This si not aimed for the “regular” users and regular users aren’t affected as they’ll newer now that there is a hack that allows full system access, actually most of them don’t even know what the hacking is what the full system access means so you shouldn’t worry about that much.
To sum up, the only shameless thing in whole story is fact that we have to hack our phones to get the unlimited access and to change the trivial thing op logo for example !?
Hardeep1singh
Flash News: The Process has been improved, now a phone has to be hacked on PC only once, after that you just need to run an app on phone on every restart. :o
ares
Dotsisx
I totally agree with you Steve, and join my voice with yours. I despise these "hacked" red alerts that go on every now and then, because every single normob I see that reads a blog/site once in a while, comes running to me and asks me if they should buy an AntiVirus and which one I would recommend. I also despise it, because I have never seen good things come out of hacking, and I think being able to have access to the private folders is one step closer to having the possibility of fiddling with malware for the platform. I know we're a long long way from seeing the first S60 3rd virus, but we're getting there, in small steps.
I also agree that I'd rather wait for the application to have an Open Signed UID, than fiddle with my device this much to get it there.
Solnyshok
Hardeep1singh, please be so kind to throw a link at me here or in PM.
On a sidenote, this article at AAS looks more like a foundation to a anti-hack PR damage control that Nokia will start shortly, trying to calm down unexperienced users. And all those articles will link to the professional opinion at AAS... Whatever, if this utility will weigh below 100k and autostart on my phone, it will allow for easier installation of free software. Which is good (IMHO) for the masses.
slitchfield
"it will allow for easier installation of free software. Which is good (IMHO) for the masses."
Whoa there. There's already a flourishing freeware scene for S60, with no need for hackery. What you mean is that the latest hacks will let ultra-geeks fiddle with unchecked and possibly dangerous low-level utilities.
*Totally* different things.
Unregistered
Vaibhav Sharma
I completely agree with you on this. In fact it made me write a post of my own!
http://thesymbianblog.com/2008/03/28...iruses-on-s60/
I really do appreciate the work over at SF to break the caged directories and make S60 more open, what I'm afraid of is the word 'hacking' making people paranoid enough to start buying AV apps, which add bloat, burden the processor, occupy precious RAM and drain battery.
bartmanekul
Quote:
Originally Posted by slitchfield
"it will allow for easier installation of free software. Which is good (IMHO) for the masses."
Whoa there. There's already a flourishing freeware scene for S60, with no need for hackery. What you mean is that the latest hacks will let ultra-geeks fiddle with unchecked and possibly dangerous low-level utilities.
*Totally* different things.
|
Slightly OT, but I have changed my view in light of recent posts on that.
There really isnt that much you can do if the platform was open, and as long as SS keep signing things at a reasonable pace, I think its a good thing.
There was various angry posts from people, which almost always ended up due to them not being able to sign a bit of pirated software.
Im wondering, if anyone can give me good solid reasons for opening up S60? As far as I have seen so far, its just been cosmetic (removing icons, changing colours etc).
Guess Who
Stop whining. Something that closed will get opened sooner or later. If you can't take it buy something else.
kflyer
Sure, the platform needs to be open, but not too open. Because it then leads to the disaster (ie-viruses). Like Lord Buddha said medium is the best. Steve, please don't change your views. After reading on apps, my mind got changed too, but it is not the right thing. I mean there's a proper way if they want to open the platform. There are two mistakes on this whole problem, if we look from a "wide angle"
1. They should have used a word other than hacking
2. Mistakes of Symbian Signed - If the process was much more simple and efficient, while still being strong at security, none of these problems will exist.
Unregistered
Symbian Signed and SymbianOS Platform Security are two completely separate things with only an artificial relation to each other.
Platform security is the security model that lets "someone" define which services need protection and which applications can access which protected services. This is what protects you from viruses etc. Every good OS needs a security model. Your data needs protecting. Your OS needs protection from outsiders hacking it. It's not inherently evil.
Symbian signed is the control model that makes Symbian and the device manufacturers the "someone" in the above security model. It's about controlling what you can do with your phone that you paid for. It is about restricting your freedom to do what you want with your property. It *is* inherently evil.
So the relationship between the two is a power relationship. Symbian is exercising their power over you under the false guise of protecting you, when in reality the someone in the security model could just as well be you (and is you in just about every other OS out there).
elaverick
I think advice for "end users" to avoid trying to bypass these security measures is a little unnessicary. The kind of people who are able to do this already know enough not to need to be warned... its a little like printng health warnings on Challenger Tank.
I also think you may have underestimated the usefulness of such severe geekery. Unlimited acces to system folders give us the chance to easily install new items into the boot chain... things such as a Linux kernel.
While this is all years away in terms of what could actually be useful, there is still some promise here.
Unregistered
I don't know if this is even possible, but if it is...
Maybe this is for the best because maybe now the *community* can cook custom ROMs for the older phones that Nokia has abandoned and dumped by the roadside. Imagine being able to get FP2 on the N80 or the E50...
Unregistered
Same goes for SE phones...people can now make some decent firmware for P990, M600 W950
Hardeep1singh
Nice Idea, One copy of S60v3 firmware for my N70 please :D
rbrunner
This I call an innovative argument: These hacks are good because now hackers can start working on "decent" new firmware versions for some SE phones.
Amazing, those hackers today. Yep, that's what they will do, work on new firmware versions.
Consider me convinced...
bartmanekul
Quote:
Originally Posted by rbrunner
This I call an innovative argument: These hacks are good because now hackers can start working on "decent" new firmware versions for some SE phones.
Amazing, those hackers today. Yep, that's what they will do, work on new firmware versions.
Consider me convinced...
|
Believe it when I see it ;)
CPS
RBrunner: Yeah, and they will also bring back eternal life and free beer, that Symbian took from us :-) Well, those nice hackers just widened the door for all the funny guys out there, that is software pirates and virus writers.
Serious 60
First of all, products which advertise themselves as "secure" are taking shit and deserve everything they gett. You can maybe describe a system as being more secure if you have a validated heuristic for defining the direction which is being travelled on a "secure" curve.
No product is immune from a disenchanted or mischievous employee - security has a technology and a human component (it's not possible to remove one or the other).
We have had what, 9 years of symbian mobile phones where anyone could download a program which which spam SMSs, wipe contacts etc.
One of the biggest problems within that time was a bug in the SMS stack which allowed a phone to be nuked simply by sending a corrupted SMS message (the sms stack asserted, panicing a system thread which forcess a reboot). With a system composed of millions of lines of code, you have to assume that the problems are not only rife, but virtually undetectable.
'Ethical' Hacking culture has evlolved to provide a useful service (as well as a wonderfully addictive puzzle) to the practitioner. A published hack is valuable - beacuse it can be fixed. A hidden hack can be exploited and even sold on the black market.
So anyeone who says "keep their hacks to themselves" need to think about this statement a little longer to follow through to the obvious conciquence.
Open systems are far more expensive than closed systems, and it has become apparent that open systems need a different approach to firmware update. FOTA has been on the cards for many years now, but is not that pervasive.
One of the problems is that even a small fix to the firmware to fix a security hole could introduce countless regressions. THis means that as S60 grows, so does the effort to change and validate each increment.
Luckily nokia are being smart. THey are releasing features to early adopters in the N95 (people who are willing to update their phones) - features which may have initially been prept for the N96. By the time N96 hits the shop, the quality , reliablity should have a maturity for a post 3 month release firmware rather than the pile of horse shit that often gets shovled into the first run of a mobile phone these days (not just nokia, but the industry).
Those firmware upgrades will contain securty patches but are released to far too little of the population to guarantee a plug in a security hole. Malicious software howver, needs to go through Symbian signed - so going back to original issue.
I know that security will continue to worry more in the future. BUt what worries me right now is my phone crashing due to unreliable software.
36 Comments / Post New Comment