Cell Phones, Open Source, and Security
In his most recent Geekazine podcast, Jeffrey expressed some concerns about open source software on cellphones.
I do not share those concerns.
The issue is not open source; the issue is the Linux/Unix security model, which underlies the open source cell phone operating systems (“*nix” is sometimes used to refer to Linux and Unix to the extent that they have common traits).
That model has proven itself far more secure than any of its competitors over the years.
“Open source” means that the source code of an operating system or of applications is made available to anyone using them. Under the terms of the Gnu General Public LIcense (commonly referred to as the “GPL”), the most common license used for open source software, any changes someone makes to the software must also be made available, if the changed software is also made available.
This does not mean that the software itself is open to intrusion. Theoretically, it implies that hundreds bad guys could comb the source code looking for vulnerabilities; practically, it means that thousands of good guys do the same thing, usually resulting in flaws being identified and fixed much more quickly than is the case with closed source software.
Here is a good description of the Linux Security Model. A simplified version, as it applies to most computer users, is this:
Only a root user has access to the operating system to install, uninstall, and modify programs and system configuration files. Regular users may use programs and have access to their own data files stored in their home directories (roughly equivalent to C:\Documents and Settings\[username] in a Windows system, but easier to understand).
Day-to-day computing is done as user, not as “root”; this applies to both computers and Linux cellphones. To do something as root, a user must login as “root” or otherwise obtain root privileges.
Some Linux distributions do not allow a user to log in as root; instead, the user must use the su or sudo commands from a terminal (command window) after logging is as user. In Debian and its variants, including Ubuntu, if user starts a program with a graphical interface that requires root privileges (such as the software update or software installation programs), the program demands a password before doing anything.
In Linux-based cellphones, the security model is even tighter. In Google’s Android, root access by the user is disabled by default. There are hundreds of pages on the web with work-arounds, but I’m not going to link to any of them; if you want to hack your Android, you’re on your own.
So this is why I’m not concerned about Linux-based open source software on mobile phones. Some coder may mess with the source code he or she finds out there, but he or she will not be able to get it onto a phone, at least not without the user’s help.
In contrast to Windows, which pretty much allows anyone to install anything anywhere, Linux demands credentials before someone can change stuff. Of course, if a user chooses to make those credentials available, that is not the fault of the operating system. That is PEBCAK.
By the way, the iPhone uses a variant of a *nix operating system. The recent intrusions to iPhones happened because users jailbroke the phones and failed to change the default root password (many of them, having come from the World of Windows, probably had no idea that there was any such thing). They violated Rule One of using a device: Always change the default password.*
No computer security can outwit users’ lack of diligence.
*By the way, if you didn’t change the default password on your router when you installed it, your network is vulnerable. I noticed that router I bought recently came with an installation CD. I wondered why, since there is nothing to install, so I found a Windows computer and ran the CD. It does nothing that you can’t do simply by jacking the device into a computer with an Ethernet cable and going to http://192.168.1.1 from your browser, but it does force users to set up a password for the router and, when applicable, for the wireless network.