Re: What's the best attack? (Re: How to use extras-testing correctly?)

2009-09-28 Thread Benoît HERVIER
Yeah ... come back to the old times where every developer creates his
own repository. :)


2009/9/28 gary liquid :
>
>
> On Fri, Sep 25, 2009 at 5:29 PM,  wrote:
>>
>> - Original message -
>> > the apps in maemo extras *should* be trusted because we, the community,
>> > trust
>> > the developers who put them there.
>>
>> Gary, I trust the community, but I really want to be sure.
>>
>> It is also because I like the community so much that I want to keep extras
>> a safe place. For some new users it will be the first point of contact to
>> OSS. If that contact is good, more people will find the community and more
>> will join.
>
> nobody can anonymously upload to extras without first applying.
> from a community perspective, there is already a feeling of being vetted
> prior to getting upload rights.
>>
>> > it would take 1 bad report to have the software removed from extras.
>> >
>> > it's a worrying scenario for some people, but this isn't the wild west
>> > and like
>> > all trust based mechanisms, people in the community are given rights to
>> > upload
>> > hopefully based on their standing.
>>
>> That would be one form of security I would be ok with.
>> But screening people (karma or participation or whatever) for the right to
>> upload is even more questionable than having a team of testers go through
>> the apps. Everyone has to have the right to put their stuff to
>> devel and testing.
>
> as said, there is already an application stage.
> if the community mindset is there of vetting, no matter how vague, it helps.
>>
>> > There are many steps along the way to being involved in the community
>> > and I do
>> > not see why an individual would be nefarious enough to go through all
>> > those just
>> > to infect a few machines.
>> >
>> > people are given rights and responsibilities and mechanisms are in place
>> > to
>> > hopefully prevent an incident such as you are describing.
>>
>> Pretty much so. But I don't want to risk even a single case however
>> unlikely it is.
>
> *nod* this is a common goal.
>>
>> > it falls on each and every one of us to maintain that trust.
>>
>> It is about trust, but there is the question of security too.
>>
>> I hope the solution that is now implemented is one that works, but as
>> always, if practice shows that it needs to be rethought, then we will.
>
> yes, testing is the further step and should help to prevent even the most
> determined of individuals.
> it is rare to see applications coming through maemo.org where there isn't
> community participation at some level
>
> gary
>>
>> Tero
>>
>> > gary
>> >
>> > On Fri, Sep 25, 2009 at 3:40 PM, David Greaves
>> >  wrote:
>> >
>> > tero.k...@nokia.com wrote:
>> > > - Original message -
>> > > >
>> >
>> > > > I realise this is a slightly different question (hence the new
>> > > > subject)
>> > > >
>> > > > OK, say I have an evil twin who wants to attack ('own') a lot of
>> > > > Nokia
>> > > N900
>> > > > devices. How do I do this?
>> > >
>> > > I hope that was rhetorical. Tell your evil twin to do something
>> > > useful.
>> >
>> >
>> > Err, no it wasn't rhetorical; it was hypothetical though in case you were
>> > worried.
>> >
>> > It's more about being responsible :)
>> > Actually it is very late in the day to be asking... but hey, it sounds
>> > like a
>> > topic worth raising.
>> >
>> > > > Does extras-testing factor into this?
>> > >
>> > > At least so that I would prefer maemo.org extras to be clean from
>> > > malware. It is much easier to promote it in Nokia internally when
>> > > extras
>> > > contains good software.
>> >
>> >
>> > I agree 100% ... all it takes is one example of malware introduced into
>> > an OSS
>> > product and we (and Nokia) could lose a lot of credibility.
>> >
>> > I wonder how much that could be worth to some people? Maybe worth a
>> > deliberate
>> > attack? Maybe someone is playing a longer game?
>> >
>> > I just hope we are not planning on taking the "cross your fingers and
>> > toes
>> > *REALLY HARD* and hope everyone is nice to us" approach to security ;)
>> >
>> > Discuss...
>> >
>> > David
>> >
>> >
>> > --
>> > "Don't worry, you'll be fine; I saw it work in a cartoon once..."
>> >
>> >
>> >
>> > ___
>> > maemo-developers mailing list
>> > maemo-developers@maemo.org
>> > https://lists.maemo.org/mailman/listinfo/maemo-developers
>> >
>>
>
>
>
>



-- 
Benoît HERVIER - http://khertan.net/
___
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers


Re: What's the best attack? (Re: How to use extras-testing correctly?)

2009-09-28 Thread gary liquid
On Fri, Sep 25, 2009 at 5:29 PM,  wrote:

>  - Original message -
> > the apps in maemo extras *should* be trusted because we, the community,
> trust
> > the developers who put them there.
>
> Gary, I trust the community, but I really want to be sure.
>
> It is also because I like the community so much that I want to keep extras
> a safe place. For some new users it will be the first point of contact to
> OSS. If that contact is good, more people will find the community and more
> will join.
>

nobody can anonymously upload to extras without first applying.
from a community perspective, there is already a feeling of being vetted
prior to getting upload rights.

>
> > it would take 1 bad report to have the software removed from extras.
> >
> > it's a worrying scenario for some people, but this isn't the wild west and
> like
> > all trust based mechanisms, people in the community are given rights to
> upload
> > hopefully based on their standing.
>
> That would be one form of security I would be ok with.
> But screening people (karma or participation or whatever) for the right to
> upload is even more questionable than having a team of testers go through
> the apps. Everyone has to have the right to put their stuff to
> devel and testing.
>

as said, there is already an application stage.
if the community mindset is there of vetting, no matter how vague, it helps.


>
> > There are many steps along the way to being involved in the community and
> I do
> > not see why an individual would be nefarious enough to go through all
> those just
> > to infect a few machines.
> >
> > people are given rights and responsibilities and mechanisms are in place
> to
> > hopefully prevent an incident such as you are describing.
>
> Pretty much so. But I don't want to risk even a single case however
> unlikely it is.
>

*nod* this is a common goal.

>
> > it falls on each and every one of us to maintain that trust.
>
> It is about trust, but there is the question of security too.
>
> I hope the solution that is now implemented is one that works, but as
> always, if practice shows that it needs to be rethought, then we will.
>

yes, testing is the further step and should help to prevent even the most
determined of individuals.
it is rare to see applications coming through maemo.org where there isn't
community participation at some level

gary

>
> Tero
>
> > gary
> >
> > On Fri, Sep 25, 2009 at 3:40 PM, David Greaves
> >  wrote:
> >
> > tero.k...@nokia.com wrote:
> > > - Original message -
> > > >
> >
> > > > I realise this is a slightly different question (hence the new
> subject)
> > > >
> > > > OK, say I have an evil twin who wants to attack ('own') a lot of
> Nokia
> > > N900
> > > > devices. How do I do this?
> > >
> > > I hope that was rhetorical. Tell your evil twin to do something useful.
>
> >
> >
> > Err, no it wasn't rhetorical; it was hypothetical though in case you were
> worried.
> >
> > It's more about being responsible :)
> > Actually it is very late in the day to be asking... but hey, it sounds
> like a
> > topic worth raising.
> >
> > > > Does extras-testing factor into this?
> > >
> > > At least so that I would prefer maemo.org extras to be clean from
> > > malware. It is much easier to promote it in Nokia internally when
> extras
> > > contains good software.
> >
> >
> > I agree 100% ... all it takes is one example of malware introduced into
> an OSS
> > product and we (and Nokia) could lose a lot of credibility.
> >
> > I wonder how much that could be worth to some people? Maybe worth a
> deliberate
> > attack? Maybe someone is playing a longer game?
> >
> > I just hope we are not planning on taking the "cross your fingers and
> toes
> > *REALLY HARD* and hope everyone is nice to us" approach to security ;)
> >
> > Discuss...
> >
> > David
> >
> >
> > --
> > "Don't worry, you'll be fine; I saw it work in a cartoon once..."
> >
> >
> >
>
>
___
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers


Re: What's the best attack? (Re: How to use extras-testing correctly?)

2009-09-27 Thread Marius Vollmer
"Kojo Tero (Nokia-D/Helsinki)"  writes:

> But screening people (karma or participation or whatever) for the
> right to upload is even more questionable than having a team of
> testers go through the apps. Everyone has to have the right to put
> their stuff to devel and testing.

Hmm, I think there is a fine line here worth emphasizing.

Everyone should have the right to _apply_ for upload rights and be
considered equal.  I.e., there should be no discrimination based on
irrelevant things.  For example, we should not exclude people just
because they are on IPv6 or only have a PowerPC Mac.

But not everyone has a natural right to upload to Maemo Extras.  It is
OK to screen people and demand certain references.  Maemo Extras does
not need to be free for all.

I think this is an ethically sound position, since Maemo Extras is not
the only channel for getting software to the devices.  Software
authors do not, technically, need the help or approval of maemo.org to
get into contact with their users.

If we get the balance wrong between being useful and protecting from
harm, others can show how to do it right.  You could say that the market
place will keep us honest by allowing healthy competition.
___
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers


Re: What's the best attack? (Re: How to use extras-testing correctly?)

2009-09-25 Thread tero.kojo
- Original message -
> the apps in maemo extras *should* be trusted because we, the community, trust
> the developers who put them there.

Gary, I trust the community, but I really want to be sure.

It is also because I like the community so much that I want to keep extras a 
safe place. For some new users it will be the first point of contact to OSS. If 
that contact is good, more people will find the community and more will join.

> it would take 1 bad report to have the software removed from extras.
>
> it's a worrying scenario for some people, but this isn't the wild west and like
> all trust based mechanisms, people in the community are given rights to upload
> hopefully based on their standing.

That would be one form of security I would be ok with.
But screening people (karma or participation or whatever) for the right to 
upload is even more questionable than having a team of testers go through the 
apps. Everyone has to have the right to put their stuff to devel and
testing.

> There are many steps along the way to being involved in the community and I do
> not see why an individual would be nefarious enough to go through all those 
> just
> to infect a few machines.
>
> people are given rights and responsibilities and mechanisms are in place to
> hopefully prevent an incident such as you are describing.

Pretty much so. But I don't want to risk even a single case however unlikely it 
is.

> it falls on each and every one of us to maintain that trust.

It is about trust, but there is the question of security too.

I hope the solution that is now implemented is one that works, but as always, 
if practice shows that it needs to be rethought, then we will.

Tero

> gary
>
> On Fri, Sep 25, 2009 at 3:40 PM, David Greaves
> wrote:
>
> tero.k...@nokia.com wrote:
> > - Original message -
> > >
>
> > > I realise this is a slightly different question (hence the new subject)
> > >
> > > OK, say I have an evil twin who wants to attack ('own') a lot of Nokia
> > N900
> > > devices. How do I do this?
> >
> > I hope that was rhetorical. Tell your evil twin to do something useful.
>
>
> Err, no it wasn't rhetorical; it was hypothetical though in case you were
> worried.
>
> It's more about being responsible :)
> Actually it is very late in the day to be asking... but hey, it sounds like a
> topic worth raising.
>
> > > Does extras-testing factor into this?
> >
> > At least so that I would prefer maemo.org extras to be clean from
> > malware. It is much easier to promote it in Nokia internally when extras
> > contains good software.
>
>
> I agree 100% ... all it takes is one example of malware introduced into an OSS
> product and we (and Nokia) could lose a lot of credibility.
>
> I wonder how much that could be worth to some people? Maybe worth a deliberate
> attack? Maybe someone is playing a longer game?
>
> I just hope we are not planning on taking the "cross your fingers and toes
> *REALLY HARD* and hope everyone is nice to us" approach to security ;)
>
> Discuss...
>
> David
>
>
> --
> "Don't worry, you'll be fine; I saw it work in a cartoon once..."
>
>
>

___
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers


Re: What's the best attack? (Re: How to use extras-testing correctly?)

2009-09-25 Thread gary liquid
the apps in maemo extras *should* be trusted because we, the community,
trust the developers who put them there.

it would take 1 bad report to have the software removed from extras.

it's a worrying scenario for some people, but this isn't the wild west and
like all trust based mechanisms, people in the community are given rights to
upload hopefully based on their standing.

There are many steps along the way to being involved in the community and I
do not see why an individual would be nefarious enough to go through all
those just to infect a few machines.

people are given rights and responsibilities and mechanisms are in place to
hopefully prevent an incident such as you are describing.

it falls on each and every one of us to maintain that trust.

gary




On Fri, Sep 25, 2009 at 3:40 PM, David Greaves  wrote:

> tero.k...@nokia.com wrote:
> > - Original message -
> >>
> >> I realise this is a slightly different question (hence the new subject)
> >>
> >> OK, say I have an evil twin who wants to attack ('own') a lot of Nokia
> > N900
> >> devices. How do I do this?
> >
> > I hope that was rhetorical. Tell your evil twin to do something useful.
>
> Err, no it wasn't rhetorical; it was hypothetical though in case you were
> worried.
>
> It's more about being responsible :)
> Actually it is very late in the day to be asking... but hey, it sounds like
> a
> topic worth raising.
>
> >> Does extras-testing factor into this?
> >
> > At least so that I would prefer maemo.org extras to be clean from
> > malware. It is much easier to promote it in Nokia internally when extras
> > contains good software.
>
> I agree 100% ... all it takes is one example of malware introduced into an
> OSS
> product and we (and Nokia) could lose a lot of credibility.
>
> I wonder how much that could be worth to some people? Maybe worth a
> deliberate
> attack? Maybe someone is playing a longer game?
>
> I just hope we are not planning on taking the "cross your fingers and toes
> *REALLY HARD* and hope everyone is nice to us" approach to security ;)
>
> Discuss...
>
> David
>
> --
> "Don't worry, you'll be fine; I saw it work in a cartoon once..."
___
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers


Re: What's the best attack? (Re: How to use extras-testing correctly?)

2009-09-25 Thread David Greaves
tero.k...@nokia.com wrote:
> - Original message -
>>
>> I realise this is a slightly different question (hence the new subject)
>>
>> OK, say I have an evil twin who wants to attack ('own') a lot of Nokia
> N900
>> devices. How do I do this?
> 
> I hope that was rhetorical. Tell your evil twin to do something useful.

Err, no it wasn't rhetorical; it was hypothetical though in case you were
worried.

It's more about being responsible :)
Actually it is very late in the day to be asking... but hey, it sounds like a
topic worth raising.

>> Does extras-testing factor into this?
> 
> At least so that I would prefer maemo.org extras to be clean from
> malware. It is much easier to promote it in Nokia internally when extras
> contains good software.

I agree 100% ... all it takes is one example of malware introduced into an OSS
product and we (and Nokia) could lose a lot of credibility.

I wonder how much that could be worth to some people? Maybe worth a deliberate
attack? Maybe someone is playing a longer game?

I just hope we are not planning on taking the "cross your fingers and toes
*REALLY HARD* and hope everyone is nice to us" approach to security ;)

Discuss...

David

-- 
"Don't worry, you'll be fine; I saw it work in a cartoon once..."
___
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers


Re: What's the best attack? (Re: How to use extras-testing correctly?)

2009-09-25 Thread tero.kojo
- Original message -
>
> I realise this is a slightly different question (hence the new subject)
>
> OK, say I have an evil twin who wants to attack ('own') a lot of Nokia N900
> devices. How do I do this?

I hope that was rhetorical. Tell your evil twin to do something useful.

> Does extras-testing factor into this?

At least so that I would prefer maemo.org extras to be clean from malware. It 
is much easier to promote it in Nokia internally when extras contains good 
software.

Tero

> David
>
> tero.k...@nokia.com wrote:
> > - Original message -
> > >
> > > On Thu, September 24, 2009 13:01, Aniello Del Sorbo wrote:
> > >
> > > > > > I am well aware of that :)
> > > > > > But if I go thru extras-testing (and I really want to!) then it
> > looks
> > > > > > like the Community has the last word on my application.
> > > > > >
> > > > > Yes, they do. It's a community effort, but look at it from the other
> > > > > side. Not one single person or entitiy can block your app. It
> > takes more
> > > > > people to block it.
> > > > >
> > > >
> > > > I know.. but still.. scares me.. :)
> > > >
> > > I tried to make this as transparent as possible, by showing each vote
> > > together with the user. If people are trolling we should easily be
> > able
> > > to spot this.
> > >
> > > By letting the community do this QA out in the open, we can prevent
> > > rejections without reasoning by a certain entity like we have seen in the
> > > news lately.
> >
> > This transparency is actually the thing that makes me feel secure about
> > the process. The testers are independent and operate with their own names.
> >
> > The (ex-)qa-manager in me is also excited by the fact that for once the
> > testers are really independent.
> >
> > > However, in a democracy not everybody can be satisfied. Let's tackle
> > > issues when we actually get there.
> >
> > Hear hear!
> > If the process does not work, then it gets changed. If it works we'll
> > just be happy and discuss how to make it more efficient.
> >
> > I'm already thinking that there might be a need for a Maemo testers'
> > club that makes sure that even niche apps don't get stranded in testing.
> >
> > Also I'll take the time to ask Nokia testing to look at the tooling
> > issue. I would like to have some nice set of tools for testing the
> > measurable aspects of applications (like battery usage as Igor pointed
> > out).
> >
> > And in any case we need to talk about Aniello's idea on feedback, with
> > beer or not.
> >
> > Tero
>
>
> --
> "Don't worry, you'll be fine; I saw it work in a cartoon once..."
>
>

___
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers


What's the best attack? (Re: How to use extras-testing correctly?)

2009-09-24 Thread David Greaves
I realise this is a slightly different question (hence the new subject)

OK, say I have an evil twin who wants to attack ('own') a lot of Nokia N900
devices. How do I do this?

Does extras-testing factor into this?

David

tero.k...@nokia.com wrote:
> - Original message -
>>
>> On Thu, September 24, 2009 13:01, Aniello Del Sorbo wrote:
>>
>> > > > I am well aware of that :)
>> > > > But if I go thru extras-testing (and I really want to!) then it
> looks
>> > > > like the Community has the last word on my application.
>> > > >
>> > > Yes, they do. It's a community effort, but look at it from the other
>> > > side. Not one single person or entity can block your app. It
> takes more
>> > > people to block it.
>> > >
>> >
>> > I know.. but still.. scares me.. :)
>> >
>> I tried to make this as transparent as possible, by showing each vote
>> together with the user. If people are trolling we should easily be
> able
>> to spot this.
>>
>> By letting the community do this QA out in the open, we can prevent
>> rejections without reasoning by a certain entity like we have seen in the
>> news lately.
> 
> This transparency is actually the thing that makes me feel secure about
> the process. The testers are independent and operate with their own names.
> 
> The (ex-)qa-manager in me is also excited by the fact that for once the
> testers are really independent.
> 
>> However, in a democracy not everybody can be satisfied. Let's tackle
>> issues when we actually get there.
> 
> Hear hear!
> If the process does not work, then it gets changed. If it works we'll
> just be happy and discuss how to make it more efficient.
> 
> I'm already thinking that there might be a need for a Maemo testers'
> club that makes sure that even niche apps don't get stranded in testing.
> 
> Also I'll take the time to ask Nokia testing to look at the tooling
> issue. I would like to have some nice set of tools for testing the
> measurable aspects of applications (like battery usage as Igor pointed
> out).
> 
> And in any case we need to talk about Aniello's idea on feedback, with
> beer or not.
> 
> Tero


-- 
"Don't worry, you'll be fine; I saw it work in a cartoon once..."
___
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers