In article <telecom25.387.3@telecom-digest.org>, Lee Hudson, MSNBC
<msnbc@telecom-digest.org> wrote:
> Cell Phones: Viruses Are Catching
> Newsweek Nov. 20, 2006 issue - Trojan horses, worms and other nasty
> viruses have gone wireless and could be targeting your cell phone.
> ... Phone companies and service providers are scrambling to block
> mobile malware. Jan Volzke, an executive at McAfee, says some
> mobile-phone companies now implant virus protection directly in
> handsets, but adds that the vast majority of users remain vulnerable.
> ... Experts say the most important protection may be caution -- not
> opening odd-looking text messages, for starters. But most people
> remain unaware there's a threat. "Anything that abuses this naivete
> could really hit big time," says Volzke.
This story raises a fundamental question for me, akin to the question
I asked when the Microsoft Office macro viruses first emerged about 11
or 12 years ago. In that case, the question was why anyone would ever
want to be able to silently erase the entire hard disk with an
auto-run macro in a Word or Excel document -- why did the macros have
unlimited access to all system functions in the first place, when
there is no possible benign use for the capability? Why would I want a
macro in one document to be able to change _anything_ outside that
document?
Why on EARTH would I ever *WANT* my cellphone to be programmable via a
text message I received? The cellular company has -- or is culpably
negligent if it doesn't have -- some other means to send programming
updates to my phone. Things like ringtones should be
compartmentalized, if not strictly limited to non-executable
data. Games and other programs should also have some other point of
entry to the absolute exclusion of text messages. No program should
ever be able to initiate a message of any kind without specific and
explicit confirmation by the user.
It's not as if the potential for abuse was unforeseeable. No software
is ever perfect, but these products are apparently designed without
the slightest attention to basic security issues. It's like worrying
about the latch on the gate when there's a fifty-foot [15m] hole in
the fence.
One of the very first questions in designing the software for a device
like this should be, "What programs might the user want to download
and why?" That leads into, "How should programs be allowed access into
the device?" and "How do we make sure that unauthorized programs don't
sneak in?" That's your fence; *then* you can worry about the gate.
Linc Madison * San Francisco, California * Telecom at Linc Mad dot com
URL: < http://www.lincmad.com > * North American Area Codes & Splits
Read my political blog, "The Third Path" <http://LincMad.blogspot.com>
US, California, and Washington State laws apply to LINCMAD.COM e-mail.
Linc Madison (lincmad@suespammers.org)