> This story raises a fundamental question for me, akin to the question
> I asked when the Microsoft Office macro viruses first emerged about 11
> or 12 years ago.
It now asks about macros every time I open something, and I always
disable them. Is there any way now to globally disable macros: don't
ask, don't enable, not even on internal parts of Office, or stuff I'm
composing, ever again? Or at least not until a full OS reinstall?
> Why on EARTH would I ever *WANT* my cellphone to be programmable via a
> text message I received?
> The cellular company has -- or is culpably
> negligent if it doesn't have -- some other means to send programming
> updates to my phone.
Nextel seemed to use this as a way of updating an address list from a
web interface. The guy at my company responsible for updating the
corporate list of company phones would push the list out when
important changes happened. At least I *was* asked whether to accept
it - but it wasn't very verbose about who it came from before I had to
decide, and the guy sending them out didn't announce it ahead of time.
I do not know whether it was possible to send such a message from
outside Nextel to one of their phones. I suspect it was, if you knew
how.
> Things like ringtones should be compartmentalized, if not strictly
> limited to non-executable data. Games and other programs should also
> have some other point of entry to the absolute exclusion of text
> messages. No program should ever be able to initiate a message of
> any kind without specific and explicit confirmation by the user.
Agreed. I will note, however, that Outlook allows sending email that
can put stuff in other people's calendar when it is opened, and there
is no warning that it is such an entry before you open it. I expect
soon I will have hourly reminders to "order Natural Male Enhancement"
... Security seems to go out the window in favor of user convenience.
I'm surprised there aren't complex passwords, and you are given three
multiple-choices for the password, and the correct one is always the
middle one.
> It's not as if the potential for abuse was unforeseeable. No software
> is ever perfect, but these products are apparently designed without
> the slightest attention to basic security issues. It's like worrying
> about the latch on the gate when there's a fifty-foot [15m] hole in
> the fence.
One of the 1400-mile holes in the 2100-mile border is the ability to
double-click on something from an external source and execute it. I
consider that a fundamental mistake for a web browser or email client.
Another fundamental mistake is not being able to tell what it is
beforehand.
> One of the very first questions in designing the software for a device
> like this should be, "What programs might the user want to download
> and why?" That leads into, "How should programs be allowed access into
> the device?" and "How do we make sure that unauthorized programs don't
> sneak in?" That's your fence; *then* you can worry about the gate.
Gordon Burditt (gordonb.qzh9j@burditt.org)