You may find this odd coming from a relatively security-conscious sysadmin-type person, but I’m not totally convinced that having everything run as root (if that is indeed true) on the iPhone is a bad thing. See “The iPhone’s biggest security pitfall: All applications run as root” at iPhone Atlas and “Effective UID: 0” at Rixstep.
At first blush, yes, it seems like a horrible idea. Enabling root is bad. Running as root is bad. It’s anathema to even think these things … the whole device running as root? What about privilege separation? Doesn’t that expose user data and so on?
Yes and no. It exposes more than if the device were running everything in an unprivileged account, certainly.
But … the user will presumably always have access to his or her own data. You could probably separate privileges here somehow, but I’m sure that would have downstream effects on performance, usability, complexity, and even on the amount of storage required to run the iPhone’s operating system.
So, if you can get malware onto the device, it appears illogical to me to think that you could really protect the user data simply by not running everything as root. Therefore, root or not, the data must depend upon other protections. Presumably the attacker would get access to the system, but on a 4 or 8 GB device, the delta between that and the user data is small; most of the value to the attacker would be in user data. This would probably be followed by some kind of input logging to collect more such data over time.
If you’re going to trojan the iPhone, wouldn’t it be just as easy to do that in user space? It looks like launchd is there (and being PID 1 on Mac OS X, I’d assume it would have to be), so all you’d have to do is slip in a Launch Agent running as the user. Boom, as we Mac people like to say now, you have a process that starts up with the user. I don’t know how or if Mac OS X protects input, but the possibility of capturing it is probably the greatest risk of running everything as root rather than a less privileged user.
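As an added illustration of the Launch Agent point above (my own example, not code from the original post or from Apple): a small Python audit that parses launchd agent plists and flags the kind of user-level persistence described, an agent that starts with the user session and runs a program from a user-writable or hidden location. The two sample plists are constructed for the example, and the trusted-prefix policy and the label-mimicry rule are assumptions for illustration, not Apple rules.

```python
import glob
import os
import plistlib
from typing import Dict, List

# Locations a Launch Agent's program is normally expected to live in.
# Assumed policy for this example, not a rule from Apple.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/")

# Constructed sample plists (not taken from any real system).
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.cache/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""


def parse_agent(plist_bytes: bytes) -> dict:
    """Parse an XML or binary launchd plist into a dict."""
    return plistlib.loads(plist_bytes)


def program_path(agent: dict) -> str:
    """launchd runs either `Program` or the first `ProgramArguments` entry."""
    if agent.get("Program"):
        return agent["Program"]
    args = agent.get("ProgramArguments") or []
    return args[0] if args else ""


def audit_agent(agent: dict) -> Dict[str, object]:
    """Return {'label', 'persistent', 'suspicious', 'reasons'} for one agent."""
    reasons: List[str] = []
    path = program_path(agent)
    # RunAtLoad/KeepAlive mean the job starts with the session: persistence.
    persistent = bool(agent.get("RunAtLoad")) or bool(agent.get("KeepAlive"))

    if not path:
        reasons.append("no Program or ProgramArguments")
    elif not path.startswith("/"):
        reasons.append(f"relative program path {path!r} is resolved via PATH at launch")
    else:
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append(f"program {path!r} is outside trusted locations")
        if any(part.startswith(".") for part in path.split("/")):
            reasons.append(f"program {path!r} lives in a hidden directory")
    label = str(agent.get("Label", ""))
    if label.startswith("com.apple.") and not path.startswith(("/System/", "/usr/")):
        reasons.append(f"label {label!r} mimics Apple but program is not in a system path")

    return {
        "label": label,
        "persistent": persistent,
        # Only an agent that auto-starts AND carries a red flag counts as suspicious.
        "suspicious": persistent and bool(reasons),
        "reasons": reasons,
    }


def audit_directory(directory: str) -> List[Dict[str, object]]:
    """Audit every *.plist in a LaunchAgents directory (empty list if absent)."""
    results = []
    for plist_path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
        with open(plist_path, "rb") as fh:
            try:
                results.append(audit_agent(parse_agent(fh.read())))
            except Exception as exc:  # an unparseable plist is itself worth a look
                results.append({"label": plist_path, "persistent": False,
                                "suspicious": True, "reasons": [f"unparseable: {exc}"]})
    return results


if __name__ == "__main__":
    for sample in (BENIGN_AGENT, SUSPICIOUS_AGENT):
        print(audit_agent(parse_agent(sample)))
    # On a real Mac, point this at the per-user agents directory.
    for finding in audit_directory(os.path.expanduser("~/Library/LaunchAgents")):
        if finding["suspicious"]:
            print("SUSPICIOUS:", finding)
```

The second sample trips three rules at once (user-writable path, hidden directory, Apple-looking label outside a system path); the first is a perfectly ordinary auto-starting updater and is left alone, which is the point: auto-start alone is not the signal, auto-start plus an odd program location is.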
Don’t misunderstand me, though. I think the iPhone is less secure with everything running as UID 0 than it would be if that were not the case. Security — like many things in life — is all about tradeoffs. The tradeoff here is probably a smaller operating system that fits on the device and is still able to provide some pretty amazing capabilities that we wouldn’t have associated with a phone one year ago. We will see if the tradeoffs are worth it over time.
One bit of good news, however, is that the iPhone is, for all intents and purposes, a single click away from a complete restore. Let’s for a moment assume that this wipes the file system and doesn’t just overwrite existing files. (Am I the only one concerned about Securely deleting the iPhone? Can’t be.) If so, we can nuke and pave it, eliminating harmful files/executables that may be in its storage.
A difficult problem: What if someone manages to get something malicious on an iPhone, and it is able to jump the barrier from the device back to the host computer?
It struck me today that when running Entourage, I have two script menus. One is specific to Entourage, the other is for the optional — but handy — system-wide Script menu. Yet both have the same icon — the stylized black and white paper-rolled-into-an-S icon — in my menu bar.
The app-specific script menu was probably more common in classic Mac OS days than it is under Mac OS X. (And yet, as I type this, I notice that MarsEdit has its own script menu, too. I think that just shows how wired into classic’s scripting Brent Simmons was — I mean, he worked on UserLand Frontier, the original scripting environment for the Mac.)
Ah, I just wish the two menus could be one and the same. If Entourage (or any other application) detected that you had the system’s Script menu enabled, it ought to just turn its own off in favor of the system menu. Or maybe the system-wide menu could show the app-specific scripts first, so that they are always in a known location (top of list, right side of menu bar), and take over the function of the application’s scripting menu. Or, they could just have two different icons, or one could be an icon while the other was text, or whatever.
I’m wondering if there’s a way to securely delete the data contents of the iPhone. Since there will be a mix of personal data and media on the device, it seems like a secure deletion routine would be of value. I haven’t heard of one in any of the reviews, so perhaps it is time to start digging.
I know this is an option on my Treo 650, and I recall an NPR story that mentioned the feature as one of the better such options for mobile phones and smartphones on the market at the time.
Wow, Apple bought the Common UNIX Printing System (CUPS) back in February, and the announcement has just come out. (I have to wonder why the delay … perhaps it has something to do with Leopard?) The software continues to be licensed under its regular terms.
Michael Sweet, one of the principals behind Easy Software Products and developer of CUPS, is now an Apple employee.
I’m sure this all means something.
In reviewing Jesper's list of requirements for The Email Client That Doesn't Suck, I was somewhat surprised how many of his points are already handled by Microsoft Entourage 2004.
I’d give it 19 out of 26 points. There are some places where I’m being charitable towards Entourage, partly because it can support the requirement with a little work (which does not always mean scripting — and it should be noted that Entourage is very scriptable) or I didn’t understand what Jesper meant by the requirement.
Many Mac users discount Entourage. There are a couple of reasons that may be cited:
That said, there are many valid concerns about Entourage. I voice many through the Microsoft feedback channels available to me.
However, I think there is a huge impediment to creating a new e-mail client today, simply because of how connected this kind of product is to your whole computing experience. Any developer should take that into consideration, and realize that it’s probably an unending effort.
I don’t know if I will get one. I certainly won’t get one until my Verizon Wireless contract has expired … and even then, there are factors to weigh.
But in the meantime, I’ve been staring squinty-eyed at articles about iPhone objections. You know, the ones about how it won’t work in the enterprise because it’s not secure, doesn’t have a firewall, and lacks critical Exchange support. Right now, I don’t know how we can make any evaluation about its security, other than to guess more of its OS has been written by experienced, senior programmers (sworn to secrecy) than the rest of Mac OS X probably is … and that may be a blessing. Given what’s riding on the rollout, hopefully some serious security audits have been done on the code, too.
How does some yahoo columnist trolling for hits know that the phone has no firewall? Do we have proof yet? Why isn’t the lack of open ports good enough in the first place? Do any phones, smart or otherwise, have a firewall?
We have Mary Jo Foley saying that Apple is rumored to be licensing Exchange ActiveSync. On the face of it, enabling Exchange ActiveSync would not suck at all. However, that would certainly muddy the waters for the local iTunes sync to your data, especially if you’re using Sync Services with Entourage (which itself can be connected to Exchange) at the same time.
Also, I fail to see how local iTunes synchronization with Outlook on Windows, for the people that want data from that Exchange client, is not good enough — even though it tends to be for non-BES BlackBerry users.
My request to Microsoft for “Entourage Mobile” would go “pop,” the need fulfilled.
What about remote wipe? I almost forgot! Who is to say that it won’t be available as some option in iTunes later, sort-of like de-authorizing a computer you’ve lost or sold?
And then there are objections about it being expensive — like duh, smartphones aren’t expensive? With their high initial cost, the regular cost of cell phone voice plans that generally start at $40/month, and the data plans that hover around that much, they are pricey items. Hey, I projected that my lousy, half-broken Treo 650 would cost me a minimum of $1700 over the two-year lifetime of my contract — making it the most expensive PDA I’d ever owned. It would have been, too, if I hadn’t cancelled the data plan and consolidated two contracts into a family plan. I doubt I’ve made enough phone calls to justify it, although I write down a lot of funny quotes in the note pad.
Finally, we have the performance objections. EDGE is too slow, they say. AT&T doesn’t have good coverage. These are both true, from what I can tell right now, particularly in the specific areas I might use a phone.
But then again, I cancelled my Treo’s data plan because the equivalent Verizon network was too slow, the browser too annoying (even for the lightweight Google Mobile), and when I was roaming I couldn’t get data anyway — so I’ve already demonstrated my lack of tolerance for that. The addition of Wi-Fi ameliorates many of my concerns. I do agree with Glenn Fleishmann, who would like to see the iPhone data plan bundle connections to AT&T’s Wi-Fi network; I might never actually use that or be within range of one of their hotspots, but it would certainly sweeten the deal.
Half the places I want to use my Treo, I already get bad or non-existent voice service. I miss a high percentage of my inbound calls. This may be due to my phone, which the service department claims is defective, or it may be due to other factors. The point is that my experience with the almighty Verizon is substandard now, so if I move to something that’s even close to equivalent it’s not going to break me.
Frankly, I don’t need a cell phone. But if I’m going to have one, it seems like the iPhone isn’t a bad choice. At least the software doesn’t look like it’ll drive me mad, like my StarTAC did. The software looks like it’s the most accessible of any phone I’ve seen.
Mentioning Plugin Not Found reminded me that I’d never tooted my own horn here regarding another press placement. Why? I was interviewed by Lisa Nadile for CIO Magazine back in spring, and the article appeared quite some time ago (after I’d almost forgotten about it or thought I’d missed it).
So, read below the fold to find my quoted moments — not necessarily quotable moments, mind you — in the article: Hi, I’m a Mac and I’m your Enterprise Computer.
The small corner of the ‘net I inhabit is already abuzz with things that have broken with the Mac OS X 10.4.10 update. Software seems to be breaking not because of significant changes in this update, but because of poor version checking routines.
Awesome — isn’t it?
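An added illustration (my own, not from this post, which does not say what the broken checks actually did): the usual way a version check breaks on 10.4.10 is a plain string comparison, where “10.4.10” sorts before “10.4.9” because the character ‘1’ is less than ‘9’. That failure mode is an assumption here. Below, the assumed broken check sits next to a component-wise numeric one.

```python
import re
from typing import Tuple


def naive_version_at_least(installed: str, required: str) -> bool:
    """The assumed broken check: a plain string comparison.

    It sorts '10.4.10' before '10.4.9' because the strings are compared
    character by character and '1' < '9'.
    """
    return installed >= required


def parse_version(version: str) -> Tuple[int, ...]:
    """Split 'major.minor.bugfix' into integers.

    A trailing non-numeric suffix on a component is ignored ('10b2' -> 10),
    and trailing zeros are dropped so '10.4' and '10.4.0' compare equal.
    """
    numbers = []
    for component in version.strip().split("."):
        match = re.match(r"\d+", component)
        if not match:
            raise ValueError(f"unparseable version component {component!r} in {version!r}")
        numbers.append(int(match.group()))
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    return tuple(numbers)


def version_at_least(installed: str, required: str) -> bool:
    """Correct check: compare component-wise as integers, not as text."""
    return parse_version(installed) >= parse_version(required)


def check_results(installed: str, required: str = "10.4.9") -> dict:
    """Run both checks side by side for one installed version."""
    return {
        "naive": naive_version_at_least(installed, required),
        "numeric": version_at_least(installed, required),
    }


if __name__ == "__main__":
    # Constructed inputs: the first two-digit point release is where they diverge.
    for installed in ("10.4.9", "10.4.10", "10.5"):
        print(installed, check_results(installed))
```

The other half of the lesson is the shape of the check itself: a minimum-version test (“at least 10.4.9”) keeps working on later releases, whereas a check against a list of known-good versions fails on every update until the vendor ships a new list.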
Anyway, here are some reports I’ve heard:
Yeah, I know … I guess I’m becoming a Python fanboy. Apologies.
Since the on-line frenzy surrounding the iPhone is building feverishly before its June 29 release, I thought I would try out Marketcircle’s iPhoney browser simulator. It’s bare bones, but interesting nonetheless.
Basically, it showed me that my site will look like crap on the iPhone. Even in landscape, the Garland template for Drupal, along with my Drupal block configuration, makes Irreality far too wide to be seen without scrolling on the iPhone’s screen.
Ah, well. I’m not going to bother fixing that now. Too much else on my plate.
Thanks to Nadyne for pointing out the Wall Street Journal’s “PowerPoint Turns 20, As Its Creators Ponder A Dark Side to Success.” It was great to see Dennis’ name in print! (One drawback of not going to WWDC last week was that I missed catching up with him.)