
What To Do About Mobile Devices That Lie

Posted by timothy
from the spanking-is-harmful-to-the-screen dept.
GMGruman writes "InfoWorld has caught two Android devices that falsely report security compliance that the Android OS does not actually support, and Apple quietly has dropped its jailbreak-detection API from iOS 4. So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware? There's no easy answer, but Galen Gruman explains what current technologies can do to help — and how Apple, Google, and others might increase the trustworthiness of their platforms in the future."


  • Nothing (Score:5, Insightful)

    by xnpu (963139) on Saturday December 18, 2010 @03:02AM (#34597782)

    Do nothing. Didn't we read yesterday that the NSA assumes they're compromised? Sounds like a healthy way to operate - for everyone. While it may sound slightly paranoid and a "hassle", this is only true initially IMHO.

    • by Kalidor (94097) on Saturday December 18, 2010 @03:05AM (#34597792) Homepage

      Agreed, so much of "security" from a lot of these companies is simply ruthless marketing these days anyway.

      • by Anonymous Coward

        This is why I like China. While they do spy on citizens and want to have their way, at least they're being honest about it. US and its companies do the same, but they hide it.

        • by xnpu (963139)

          Indeed. The Chinese measures seem geared mostly towards stopping people (connection resets, dns poisoning, etc), whereas the US ones towards criminalizing people (logs.) Which is not to say that the Chinese would never prosecute you as a criminal, they probably will if it suits them, but it's not their default modus operandi.

          • Re:Nothing (Score:4, Insightful)

            by IchBinEinPenguin (589252) on Saturday December 18, 2010 @08:28AM (#34598818)
            Indeed. The Chinese measures seem geared mostly towards stopping people (connection resets, dns poisoning, etc), whereas the US ones towards criminalizing people (logs.) Which is not to say that the Chinese would never prosecute you as a criminal, they probably will if it suits them, but it's not their default modus operandi.

            Perhaps it's because when some governments go after their citizens they don't bother with niceties like 'evidence', 'logs' or even 'trials'.
        • by camperslo (704715)

          This is why I like China. While they do spy on citizens and want to have their way, at least they're being honest about it.

          Are we forgetting what happened last April? A huge amount of traffic, including that for .mil and .gov was routed through China. Monitoring that traffic could make future phishing attacks much easier, having had access to things like individual IPs and mail traffic.
          What's honest or likeable about that? It's the stuff nightmares are made of.

          http://slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

          • Nothing. Not even if you're in the IT sec business. My first reaction was "oh goodie, consulting will increase!"

            It didn't.

            Nobody gave a shit.

            Imagine this: You go to a company that not only has a lot of IP but also deals with China on a day to day basis because most of their manufacturing is there, present this to them and they dismiss it as "aw, that couldn't happen to us, our contractors are honest".

            It's one thing to be spied on. It another to make it trivially easy.

      • by fahlenkp (1939942)
        I disagree with most of the comments here. In my opinion the solution is to continue to use Blackberry and ban iphone, google and MS phones from uses that require security. The nice folks at NIST regularly test Blackberry systems and they continue to pass over and over earning the magic FIPS140-2 certification. Throwing your arms up and screaming "screw it" indicates you are either joking or having a nervous breakdown and need to step down from your IT post. Layered defenses are effective because no one la
        • by poetmatt (793785)

          what are you talking about?

          NIST is not a guarantee of security. It's just saying that you are compliant with a gov't standard required to sell products to the government.

          even FIPS 140-3 is not foolproof.

          Blackberry encryption is also a joke and has been compromised in every country in the world, in a variety of ways.

          • by fahlenkp (1939942)
            In my experience, things that have undergone more testing generally tend to have better performance. NIST tests the devices, algorithms, policy, etc. They don't wave a magic wand that makes it more secure or take a payoff to say it is just compliant as you state. Saying that no security measure is 100% to prove a point is gutless. Of course it isn't, but a security plan with more thought and research is more effective at meeting its goals than none. Have countries outlawed iphone because the encryption is
            • by poetmatt (793785)

              gutless? you don't know shit.

              try working with fips and you might know a little more.

              just because it isn't 100% doesn't mean you don't use it, it means you don't use it for anything critical.

              how hard is this to understand?

              hey, we've got something vulnerable, but let's put critical/valuable information on it. What can possibly go wrong?

              try to learn about basic security and then get back to me bub. the first step is not the encryption on the device.

              • I am fairly well versed on FIPS standards for both HIPAA, PHIPA and rusty on DoD work. I 'try' every day... Please return to your assertion that blackberry encryption is weak and compromised. I will state my challenge to you again in simple plain terms so you might understand before replying this time. 1. Cite articles from sources displaying proof of your assertion. I can't find any. Perhaps you could inform NIST of these breaches so that they can remove the offender from the certified list. 2. Provide de
                • by poetmatt (793785)

                  HIPAA? HIPAA has nothing to do with FIPS. way to pull some stuff out your ass there. What's next? OSHA? UL? IBC? CE/EN?

                  just because you throw a name doesn't mean you have anything to show for it.

                  Lazy example 1 [zdnet.com] or how about lazy example 2 [infoworld.com].

                  Now shut the fuck up and stop trolling.

                  That was first couple results on google. No phone is secure. Storing anything company, corporate, etc is not going to be secure on any mobile device. Duh.

                  Youtube has nothing to do with how legitimate or not cracking is, if the first r

                  • by fahlenkp (1939942)
                    Hi, I can help you understand many of these subjects. HIPAA as put forth by Centers for Medicare Services on behalf of the US Government has partnered with NIST to establish controls for protection of patient data. The end result being that HIPAA data is protected by FIPS-140-2 standards. PHIPA - I'm assuming the name I threw in, is the health regs modeled on the US HIPAA but used in Canada. The Ministry of Health decided to use US NIST FIPS 140-2 standards or better as well. Military uses a mix of FIPS 140
    • Shocking, people figure out ways around the tightest security when the target is worth it.

    • by Z00L00K (682162)

      Assume that all security claims are false. It's just that any security hole hasn't been found yet.

      There is always a way to hack something running software. Live with it, just make sure that you accept the risks of being overheard and that your address book may be downloaded to some third party that uses it for their own purposes.

      As for companies - considering the large amount of phones and crap around anyone that really wants to listen in on secret conversations/information uses more targeted methods. Only

  • You don't. (Score:5, Insightful)

    by PhrostyMcByte (589271) <phrosty@gmail.com> on Saturday December 18, 2010 @03:06AM (#34597794) Homepage

    So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware?

    You don't trust them. Just like you should be doing with desktops/laptops, don't setup services in a way that they allow a phone to ruin your data.

    • Re:You don't. (Score:5, Informative)

      by arivanov (12034) on Saturday December 18, 2010 @04:01AM (#34598024) Homepage

      That is the case anyway. At least to some extent.

      The problem is elsewhere. Admins, upon security advice, upload settings which make the device unusable. In that case, "reporting compliance" while it is not is, from the user viewpoint, actually a useful feature.

      Example - I have a Nokia E71. I was seriously stupid at some point to configure my company exchange server on it. As a result it started autolocking itself in 2 mins requiring a security code. So far so good, however it autolocked and put the screensaver on in applications which _MUST_ run in foreground - GPS navigation and the media player. It also autolocked itself when docked on a car cradle, etc.

      After a couple of near misses on the motorway trying to get myself from A-Z or trying to dig out the name of someone from contacts I tried to turn it off. Guess what, settings uploaded via these APIs _CANNOT_ be turned off. Even if you wipe out the mail for exchange application, disconnect, etc the settings are either not allowed to be changed any more or come back after a change. At the end I had to factory reset the phone and reset the settings partially from backup to recover the phone to a usable state.

      Thankfully I do not have to read my company mail on my phone for a living. If I had to, I would have paid for one of those HTCs without giving it a second thought.

      Similarly, I am not surprised about Apple starting to take powers away from the security software (and the people who use it). Apple's key selling point is user experience. The way some corporate security people use these APIs sends the user experience into "Mordok, denier of information services" territory. Knowing Apple, they are guaranteed to do something about it and in the land of "i" no one will hear the security people scream.

      • by Bert64 (520050)

        The "standard" way of implementing security these days seems to be to try and restrict users as much as possible...
        The problem is that doesn't work for a number of reasons, the restrictions are onerous enough to hamper people's ability to do their work which causes them to seek ways to bypass the restrictions and the restrictions are often poorly implemented and therefore easy to bypass.

        Incidentally, if your company wants you to read mail when you're away from your desk they should supply you with a handset f

      • by melstav (174456)

        Thankfully I do not have to read my company mail on my phone for a living. If I had to, I would have paid for one of those HTCs without giving it a second thought.

        If the company you work for requires that you be able to read your email on your cellphone, they had damn well better be providing you a cellphone to do it with.

      • by Rich0 (548339)

        Yup. I could make a killing if I sold an Email app that spoofs whatever is most common in major corps but which silently ignores the security policies.

        If employers want to control the phone, they should issue the phone. If they issue it, then they can be sure that it supports whatever features they need. They can reclaim and reissue phones once a quarter to reimage them or whatever for extra security.

        The problem is that employers want employees to use their shiny toys to do work off-hours, without paying

      • > Admins upon security advice upload settings which make the device unusable. In that case "reporting compliance"
        > while it is not from the user viewpoint is actually a useful feature.

        There's actually a useful compromise that's so obvious, it completely blows my mind that it appears to have not even occurred to Microsoft -- keep the corporate data on the server, and give the end users Android and iPhone customized RDP clients that connect to a hosted email app on the server (with the ability to launch

  • by Kenja (541830) on Saturday December 18, 2010 @03:28AM (#34597892)
    Treat them like any other computer.
  • by ewhac (5844) on Saturday December 18, 2010 @03:29AM (#34597894) Homepage Journal
    Let me get this straight: You've been acquiring personal computers, integrating them into your businesses, and installing on them software products so monumentally shitty that it beggars the imagination that anyone with even the slightest sense of pride would admit to writing them. What's more, you were told by people who actually know what the fsck they're talking about that the products were shitty, both at a superficial and fundamental level -- and you systematically ignored them, and kept throwing bad money after worse money, all the while complaining when your systems crashed, your data was corrupted, and your networks infiltrated...

    And you've been doing this for at least the last 30 years...

    And NOW you suddenly claim to give a shit about platform integrity?

    And I suppose the complete absence of any mention of WinCE or Windows Mobile in the article is sheerest coincidence.

    What selective, partisan crap.

    • by IchBinEinPenguin (589252) on Saturday December 18, 2010 @07:50AM (#34598730)
      And I suppose the complete absence of any mention of WinCE or Windows Mobile in the article is sheerest coincidence.

      Windows was excluded because neither of the Windows users have reported any problems. Yet.

      P.S. Couldn't agree more.
      You reap what you sow.
      Keeping your eye firmly planted on next quarter's profit margin (and the resulting bonuses) will eventually bite you in the ass.
    • by moxley (895517)

      With an analysis that insightful in its ability to see through a false, consensus reality, allow me to introduce you to the American political system!

    • by IBitOBear (410965) on Saturday December 18, 2010 @02:54PM (#34601334) Homepage Journal

      If you RTFA you discover that the whole second half is boosterism for putting "Trusted Computing" modules inside cell phones. In that light the agnostic condemnation of both "jailbroken iThingies" and "that unreliable open source Android thing" makes perfect sense.

      This article has nothing to do with exchange boosterism etc, it is back-door partisanship for trying to revive the Trusted Computing Hardware Module that the technical industry managed to ignore into oblivion.

      The article _is_ an attack on reason, but the goal isn't about Exchange etc, it's about re-initializing the idea of corporate capture of your personal property and turning your device from a personal resource to a limited media consumption node. The media used this time isn't movies, it's "corporate email" etc.

      Disclaimer: I would _love_ TPM hardware if there were a law that required that _I_ get the _master_ _keys_ for my hardware when I buy it. This would, of course, allow me to lie to an exchange server if I so chose, and would do _nothing_ to prevent jailbreaks. Of course I would also have to demand that there was no "government key" etc. With those elements in place, a TPM would let my paranoia be soothed when I boot my gear.

      So anyway, bitching about how bad exchange software is etc, falls into the hands of the author who is trying to false-flag some emergency to spur on "trusted computing" on the "new platform battlefield".

  • "So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware? "

    Because nothing ever becomes a trojan horse for malware. In order to do so, that sentence would actually have to make sense. WTF is a Trojan Horse for Malware? A Trojan Horse is, by definition, malware. So long as the general public, and even Slashdot readers, are clueless, then cluelessness will map the security landscape.

    • I guess they used the term "Trojan Horse" in its original meaning, which is older than computer technology.

      • Yes. I already said that ignorance is the root cause.
      • The word "let" used to mean to hinder or delay hence why passports say "without let or hindrance".

        Incidentally this is also the nuclear argument against people who bitch about using the phrase "begs the question".

    • Re: (Score:2, Funny)

      by Anonymous Coward

      WTF is a Trojan Horse for Malware?

      Well, you see, you leave a gigantic wooden Clydesdale with a firewire port in the parking lot. Some fool is going to plug it in because they want to see what possible use firewire could have in a giant wooden horse. Once they do, you've got access to their systems.

    • by surferx0 (1206364)

      Because nothing ever becomes a trojan horse for malware. In order to do so, that sentence would actually have to make sense. WTF is a Trojan Horse for Malware? A Trojan Horse is, by definition, malware.

      More like History 101 epic fail...

      It actually makes perfect sense, given the Trojan Horse's meaning. Perhaps you've forgotten what a Trojan Horse actually is given that the name has become so synonymous with malware. A Trojan Horse could mean anything that appears non-threatening to slip behind your security, which in this case is a cell phone, containing malware inside of it.

      • You're right. You failed on the history part. In recent history the term Trojan Horse, when used in a malware context, has taken on a very specific meaning, which has nothing to do with trying to steal Helen of Troy back. If one wants to refer to the actual Trojan Horse of the Iliad it is necessary to upcast the reference. Anything else is just ignorance.
  • Palm Pre? I love my Pre, but in the early days it "lied" about what it was so it could sync via USB with iTunes as an Apple iPod.
    • by toriver (11308)

      Yes, it was easier for Palm to violate its agreement with the USB-IF and exploit Apple's sync software implemented in iTunes than to actually make the fscing effort to write their own sync software that read the music files and XML that any program has access to, or make user instructions how you could copy files from the music folders.

      But I wonder what the old Palm would have said if e.g. Sony had made a device that pretended to be a PalmOS device and talked to their HotSync software...

  • If you're going to take the bold step of asking a device if it is safe to use you might as well just go all in and mandate full evil bit compliance for all malicious IP packets. To test evil compliance simply invoke the javascript function iamastupidfoolEvilSupported(EVIL_FA_IL); If it returns true or raises a javascript error the device is totally secure and you have NOTHING to worry about.
  • Hackers, please stop lying to our computers and telling them you have permission to do things when you know you don't. There. . . . now nobody will get any more spam or viruses.

    I love when people say something "cannot be hacked". I also like the idea of security by requiring the client to tell the truth about what it is and what it can do. If everything would just tell the truth. . . we'd have better security. Sounds like the EA boss saying "To take the market back from Call of Duty, you just have to make a

  • by Improv (2467) <pgunn@dachte.org> on Saturday December 18, 2010 @04:35AM (#34598180) Homepage Journal

    If someone is setting up policies to make devices incompatible, they lose. End of story. Devices should be open, hacker-friendly, and free to lie. It's lies that form the foundation of virtualisation. It's lies that let us run OSs in VMs without permission. People who have a strong sense of policy do more to hold the platform back than advance it. More often than not, this is because of someone having the mistaken idea that information can be owned.

    • by raburton (1281780)
      Yes, give us the option to ignore them! My uni (I'm a student, not staff) requires permission to wipe my phone and force me to PIN-protect it, etc. The whole works.
      Why? So nobody could steal my phone and access all the internal spam I get about alcoholic events and recruitment for societies so odd that they apparently don't have the 3 members needed to fill their committee posts.
      So instead of using the built in exchange support I use a third party that ignores these. I run a cyanogen based rom that I buil
      • If you have so little regard for the rights and privacy of others then you do not deserve a well paying job. If you cannot handle being responsible with your position in student government, how can anyone trust you with a "real" job in the future?

        • by raburton (1281780)
          WTF are you talking about? What do the rights and privacy of others have to do with the ability of my university to wipe my phone? And as for not "handle being responsible with your position in student government", this doesn't make any sense at all. I have no position in student government (whatever that even means) and I'm not sure what part of what I said had anything to do with my responsibility to it.

          Can I suggest if English is not your first language, and you don't understand what you read, you don'
          • Why does your university know anything about the phone you have? Why wouldn't you just tell them you have no phone?

    • If someone is setting up policies to make devices incompatible, they lose. End of story. Devices should be open, hacker-friendly, and free to lie. It's lies that form the foundation of virtualisation. It's lies that let us run OSs in VMs without permission. People who have a strong sense of policy do more to hold the platform back than advance it. More often than not, this is because of someone having the mistaken idea that information can be owned.

      Ok. Fine. So what is your account number? Publish your account numbers, your SIN, Credit Card numbers with expiry dates, your real name, address and phone numbers. No? But information wants to be free right? If you expect to get paid to work in IT then you should treat the security of other peoples information like you would want your bank to treat your private information.

      The ironic thing is that that very people who chant "information is not property" would be the first in line to sue their bank if there

      • The ironic thing is that that very people who chant "information is not property" would be the first in line to sue their bank if there was a security breach caused by an employee with a "hacked" phone that was lost and could not be remotely wiped.

        I don't understand the contradiction. Information not being property doesn't stop me from signing a contract binding someone to protect it. Contracts were never limited to the protection of property...

        What it does mean is that I can't sue the recipient of such information (the guy who finds the data), even if he shares it with the world, because he wasn't bound to me through any contract not to divulge such information.
        In the case of file-sharing, for example, the companies could sue the original sharer

      • by Improv (2467)

        You're confusing authentication with ownership.

  • by Anonymous Coward

    There's no inherent reason Android devices could not use a verified boot (TPM+remote attestation). This would allow servers to know exactly what firmware image they're talking to, so whilst it wouldn't exactly stop devices lying about their capabilities, it'd allow you to catch devices that were lying once the general class of problem was detected.

    The reason phones don't come with TPMs is simply cost and demand. If businesses really care about this, they'll make it clear that a TPM is as important to them a

    • So .... let the free market operate and we'll see what happens. TPMs are cheap. It wouldn't take much pushing.

      Once you have TPM the _last_ thing you have is a free market.
      • Please explain. Some manufacturers put a TPM in their devices. Some do not. If you decide you want a phone that cannot do remote attestation with a tamper-resistant hardware root-of-trust, you buy one of the latter. If your organization, *who gets to set their own policies for remote access to their environments*, chooses to buy a phone for your use (or require you to do so as a condition of that remote access) that can do remote attestation with a tamper-resistant hardware root-of-trust, they (or you) buy
      • ...or a secure machine.

        TPM is about securing the machine from you. Not for you.

  • End user devices are not trustworthy, regardless of the type of device a user could modify it to report anything back to an upstream server...

    • You can make such modifications prohibitively expensive, however. It is precisely what a hardware TPM chip would do. Hope you have a well-equipped lab and knowledge to operate it...

  • What To Do About Mobile Devices That Lie
    "Have you ever tried simply turning off the TV, sitting down with your mobile devices, and hitting them?"
    • I was going to suggest grounding them or sending them to bed without dinner, but hitting would work too.
  • Unless there's a compelling business need there is no reason to allow Android or iOS devices to connect to a company's resources in any way. Personally if I were starting a new company I wouldn't allow anything other than a Blackberry to be used as a smartphone. One of the reasons RIM has been and continues to be successful in the business space is the security of their devices.

    If people want their shiny toys they are free to get one on their own dime and use it with their own resources.

    • Unless there's a compelling business need there is no reason to allow Android or iOS devices to connect to a company's resources in any way.

      Why stop there? Add RIM and Windows to the list as well. I challenge you to find a good business reason for any phone to be connected. When desire is great enough, a business justification will be made.

      I need to get email on my phone! The fate of the free world is in the balance!

      It's nonsense. Since we're caving in to give folks their wants rather than needs, might as well go all the way and let them use their iPhones & Droids.

      • Actually you make a good point. If there ever really is a business need for a connected device though it should be something completely locked down. People are still free to have their own personal device that they pay for; there isn't a need to cave to user demand for features if they don't help give a competitive advantage.

  • by DarkOx (621550)

    Better question, what to do about admins that don't test policies on devices they support before deployment?

    • by Rich0 (548339)

      That doesn't help when the user jailbreaks it and the new OS doesn't have the same capabilities as the OS you audited.

      The solution is to simply issue your own hardware and make employee tampering a terminable offense. I'd fully support that as long as the company provided the device and its plan.

      If I get to provide the device, then I get to decide what security policies it implements, and what policies it lies about implementing. Don't like that? Simple, stop sending me email after 5PM...

  • Turn on phone for the first time,

    "Which application auditor would you like to choose?"
    "Which search engine would you like to use?"
    "Which Browser would you like to use?"

    • Cue customer of a new phone.

      "Ohhh shiny! I wanna use it, I wanna toy with it, I wanna see all the features and all the ... huh? What's an "auditor"? Ah, a list, uh... (thumbs through manual), whatever, this one looks spiffy. Now, where that feature I bought the phone for... huh? Search engine? Get off my back, dammit! I wanna toy with the billion megapixel cam! So, here, now let me... browser?"

      Tosses phone onto the counter.

      "Here's your crap back, gimme a phone that lets me do stuff!"

      And this is why we do no

  • Microware's OS9 from the early 1980s had a table that it checked for each module it loaded into memory. Each library or executable had a CRC that it checked against and then that CRC was checked in a lookup table of stuff to accept or not load. You could load that table with a list of approved memory objects and then only those things would be loaded and run or you could list things to exclude like an old runtime library in which case it would try to find an approved one in the path. This stuff was being
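The Anonymous Coward comment above on verified boot with TPM-backed remote attestation, and the OS-9 comment on a load-time allowlist of module checksums, describe the same mechanism from two ends: measure what actually loaded, then compare against a list of known-good values. The following is an added example written for this page; it is not code from InfoWorld, Apple, Google, RIM or any TPM vendor, and nobody in the thread posted it. It models a verifier that issues a fresh nonce, receives a signed quote over a PCR-style measurement register, and checks the measurement against an allowlist of firmware builds. Everything in it is constructed: the build names, the boot component lists, the attestation key, and the devices. The quote is signed with an HMAC over a shared key purely to keep the block short; a real TPM signs with an asymmetric attestation key that never leaves the chip, and the verifier holds only the public half.

```python
"""Added example: attested measurement vs. self-reported compliance.

Not code from any product or from the thread. Models the idea above: each
boot component is hashed into a PCR-style register, the device signs a quote
over (nonce || register), and the verifier compares the register value to an
allowlist of known-good builds (the OS-9 checksum-table idea applied to a
whole boot chain). HMAC stands in for the TPM's asymmetric signature.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
PCR_INIT = b"\x00" * HASH().digest_size

# Constructed verifier-side allowlist: firmware build -> ordered boot components.
KNOWN_GOOD = {
    "vendor-2.2-build-1234": ["bootloader-1.0", "kernel-2.6.32", "system-2.2"],
    "vendor-2.2-build-1250": ["bootloader-1.0", "kernel-2.6.32", "system-2.2.1"],
}

# Constructed attestation key. In a TPM this is per-device and non-exportable.
ATTESTATION_KEY = b"constructed-attestation-key-do-not-reuse"


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || H(component)). Order-sensitive, one-way."""
    return HASH(pcr + HASH(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Replay a boot sequence into a single measurement value."""
    pcr = PCR_INIT
    for name in components:
        pcr = extend(pcr, name.encode())
    return pcr


class Device:
    """A handset. `reports_compliant` is what its mail client *says*
    (an ActiveSync-style self-report); `boot_components` is what actually booted."""

    def __init__(self, key: bytes, boot_components, reports_compliant: bool = True):
        self.key = key
        self.boot_components = list(boot_components)
        self.reports_compliant = reports_compliant

    def quote(self, nonce: bytes) -> dict:
        """Sign the current measurement together with the verifier's nonce."""
        pcr = measure_boot(self.boot_components)
        sig = hmac.new(self.key, nonce + pcr, HASH).digest()
        return {"nonce": nonce, "pcr": pcr, "sig": sig}


def verify_quote(quote: dict, nonce: bytes, key: bytes, allowlist: dict):
    """Return (ok, reason): freshness, then signature, then allowlist membership."""
    if quote["nonce"] != nonce:
        return False, "stale nonce (replayed quote)"
    expected = hmac.new(key, nonce + quote["pcr"], HASH).digest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return False, "bad signature"
    for build, components in allowlist.items():
        if hmac.compare_digest(measure_boot(components), quote["pcr"]):
            return True, build
    return False, "unknown firmware"


def attest(device: Device, key: bytes = ATTESTATION_KEY, allowlist: dict = KNOWN_GOOD):
    """One verifier round: fresh nonce, request a quote, check it."""
    nonce = os.urandom(16)
    return verify_quote(device.quote(nonce), nonce, key, allowlist)


# Constructed devices. All three *claim* compliance; only one booted known code
# with the real key.
HONEST = Device(ATTESTATION_KEY, KNOWN_GOOD["vendor-2.2-build-1234"])
ROOTED = Device(ATTESTATION_KEY, ["bootloader-1.0", "custom-kernel", "system-2.2"])
FORGED = Device(b"not-the-real-key", KNOWN_GOOD["vendor-2.2-build-1234"])


def replay_attack():
    """An old, valid quote presented against a new nonce must be rejected."""
    old_quote = HONEST.quote(os.urandom(16))
    return verify_quote(old_quote, os.urandom(16), ATTESTATION_KEY, KNOWN_GOOD)


if __name__ == "__main__":
    for name, dev in [("honest", HONEST), ("rooted", ROOTED), ("forged", FORGED)]:
        print(name, "self-report:", dev.reports_compliant, "attestation:", attest(dev))
    print("replay:", replay_attack())
```

The point the thread makes is visible in the output: the rooted device's self-report is identical to the honest one's, and only the measurement exposes it. Note what the check does and does not buy you. It tells the server which boot chain ran, so a device whose firmware is not on the list is caught once that class of problem is known; it says nothing about whether a listed firmware correctly implements the policy it advertises, which is the InfoWorld finding in the summary.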

  • You use Windows on your desktop computers? Then the phone is the least of your actual risks.
  • by Opportunist (166417) on Saturday December 18, 2010 @01:30PM (#34600590)

    "Trusted computing" my ass...

    There's nothing to be trusted about anything you did not make yourself. And even if you made something yourself, trusting it is a bit overconfident. Do not trust anything you own to be "secure". It is not. It is as secure as the company that made it thinks is necessary.

    Now, you know how security conscious the average person is, right?

    Why do you think security would be high up on the priority scale of the company making it if it is no selling point AT ALL?

    Do not trust anything you did not audit. If you cannot audit it yourself, have someone you trust audit it. Yes, at some point in that chain you will have to trust someone, especially if you do not have the knowledge and experience to do such an audit yourself.

    But for $deity's sake, do NOT trust the maker of a device to be security conscious. They make a device with the bare minimum required to sell it. That means it will have all the features the customer will request. And as stated above, security is a feature that is rarely, if ever, requested!

  • If one of your end users jailbreaks their company supplied iPhone, fire them. If the company paid for the phone and pays for the phone service then it is the property of the company, not the end user.

    If you officially allow employee iPhones to be used on the company exchange, ensure that it supports full device encryption before you enrol it on the network (iPhone 3GS or newer). Then periodically perform random audits of those phones to check to see if they are jailbroken. If they are, perform a remote wipe

  • by koan (80826)

    Frankly (feel free to flame) it appears to me that the virus/trojan/botnet programmers/scammers are far more intelligent than the majority of security professionals working the other side of the fence.

    • by dido (9125)

      No. It's just an instance of that old military truism: in the battle between warhead and armor, the warhead always wins. The defender's job is always harder than that of the attacker. The defender needs to plug every possible hole while the attacker just needs to find only one that can be exploited, and once that happens, the game is over. The security professionals may be much smarter than the malware writers and black hats, but sadly, because their job is much harder, they aren't anywhere sufficiently

  • by Cyrock (610182)
    Seems to me this is another case of MS not able to write secure software. If a device can access Exchange when it shouldn't be able to, the problem is not with the device but with the buggy MS software.....
