Security, Linux and the Roving Bug - Security

This is a discussion on Security, Linux and the Roving Bug - Security ; In article , CptDondo wrote: > It seems to be more a bug in the cell-phone protocol/hardware. Or > possibly a hardware mod to the cell phones. I can well imagine the cell > phone companies would have a way ...

+ Reply to Thread
Page 2 of 2 FirstFirst 1 2
Results 21 to 28 of 28

Thread: Security, Linux and the Roving Bug

  1. Re: Security, Linux and the Roving Bug

    In article <13885j98uu1do0b@corp.supernews.com>,
    CptDondo wrote:

    > It seems to be more a bug in the cell-phone protocol/hardware. Or
    > possibly a hardware mod to the cell phones. I can well imagine the cell
    > phone companies would have a way to update the firmware in your phone
    > remotely.


    Actually, it seems to be none of the above. It's more likely to be
    total BS.

    http://www.computerworld.com/action/...ArticleBasic&t
    axonomyName=mobile_and_wireless&articleId=9025893

  2. Re: Security, Linux and the Roving Bug

    The Man wrote:

    >
    >> The only reason it's not *also* a windows problem is that windows can't
    >> possibly run on a cellphone....

    >
    > http://www.windowsfordevices.com/art...468909181.html
    >
    > Do you have any other clueless comments you'd like to make Cpt Dungo?


    Those are "smartphones" and PDA. Not what I call a cellphone. My
    linux-based Motorola is about 3.5 x 1.75", way smaller and lighter than
    the PDAs listed in that article.

    >> As to the "horror story" - why don't they get a prepaid phone?

    > Because prepaid phones suck.
    >
    >> Or do away with cell phones altogether?

    > Sure. And let's do away with electricity too.


    I have 5 stray cats that like to roll around on a particular doormat on
    my deck. It's really aggavating, as they fight over it, and leave
    cat**** and cathair all over the place.

    I could call the paper and police and whatever, and whine about the
    horrible state of stray cats.

    Or I could just fold the doormat over so the cats can't get to the
    scratchy part.

    Hmmm... You decide.

    And, BTW, I've met Einstein's daugher and secretary several times. And
    sat in his chair. (And probably peed in the same urinal....) So
    calling me "Einstein" is pretty neat.

    --Yan

  3. Re: Security, Linux and the Roving Bug

    The Ghost In The Machine wrote:
    > In comp.os.linux.advocacy, CptDondo
    >
    >>
    >> Presumably, once the phone is off, the linux kernel is not running; yet
    >> according to the reports, the phone can still transmit conversations.

    >
    > That is an interesting but probably false assumption,
    > though I'll admit to some curiosity on the details.
    > Presumably, there are three modes:
    >
    > [1] The thing is really off, as in
    > removal-of-the-battery-pack off. Some might also
    > have a power switch that cannot be remotely actuated.
    > Windows, Linux, Symbian, HURD -- it doesn't matter;
    > only one's finger (or brushing against something)
    > can flip that switch.
    >
    > [2] The thing is in a mode where it takes a minimum of
    > power, listening to its antenna at most, waiting
    > for a call. IINM, this is "standby" mode, and is
    > characterized by low power consumption. This is the
    > mode which is allegedly hackable, according to the OP.
    > Whether it's actually possible may depend on the phone.
    >
    > [3] The thing is on and the mike and speaker are active,
    > either for an actual phone call or for video.
    >
    > Which mode is everyone's cell phone in? Most likely, [2].
    > This is not off, just on standby.
    >


    I am somewhat curious about this as well. All the phones I've seen,
    when "off" - i.e. power button pushed - are pretty much doorstops. When
    you push the power button, they go through a boot process - display a
    logo, show some graphics, play a cheesy sound - so I would assume the
    kernel is booting.

    I can't see how a phone in the off state can transmit anything unless
    specially modified.

    In standby, there is a way for the phone to wake up - incoming calls,
    flip it open, etc. Presumably in this state the phone can be updated
    remotely.

    I actually turn mine off quite a bit; whenever I don't want to be
    disturbed. Heck, I leave it at home when I go on vacation.

    I still stand by my original statement - if the phone bothers you, get
    rid of it. It's really simple. Use a landline.

  4. Re: Security, Linux and the Roving Bug

    On Jun 28, 3:43 pm, "Cassandra" wrote:
    > Her advocates claim Linux is more secure than Windows and as proof they
    > offer
    > the list of viruses that target Windows. The rebuttal is typically that
    > Window is an attractive target for virus writers due to its ubiquity. The
    > Linux advocate's reply is that, Linux's architecture makes it impossible to
    > hack. I think we've all seen this exchange. Whether Linux is immune from
    > hacking is an open question. What if Linux were ubiquitous? Would hackers
    > try to break in? Could hackers succeed? The answer to these questions is
    > yes.
    >
    > Motorola has embraced Linux as the OS to run on its line of cell phones
    > (http://news.com.com/2100-1001-984424.html). The following link includes
    > over a dozen cell phone offering, including the Razr, which feature Linux:http://www.linuxdevices.com/news/NS4504156025.html. Motorola is a leading
    > cell phone company. Motorola's market share has reached the critical mass
    > required to make the devices attractive to the l33t haxtorz.
    >
    > Cell phones are venerable to a security threat called 'The Roving Bug'. The
    > bug allows people to listen in on you conversations even when the cell phone
    > is off. People can remotely turn on your cell phone, listen in on your
    > conversations, upload and download data, and take photos without you knowing
    > it. The only way to secure your cell phone and your privacy is to remove
    > the
    > battery.
    >
    > Here's what one site has to say:
    >
    >
    > Nextel and Samsung handsets and the Motorola Razr are especially vulnerable
    > to software downloads that activate their microphones, said James Atkinson,
    > a
    > counter-surveillance consultant who has worked closely with government
    > agencies. "They can be remotely accessed and made to transmit room audio all
    > the time," he said. "You can do that without having physical access to the
    > phone."
    >
    > Because modern handsets are miniature computers, downloaded software could
    > modify the usual interface that always displays when a call is in progress.
    > The spyware could then place a call to the FBI and activate the microphone--
    > all without the owner knowing it happened
    >
    http://hootsbuddy.blogspot.com/2006/...oving-bug.html
    >
    > The article says, ". the Motorola Razr [running Linux] are especially
    > venerable ."
    >
    > It turns out that Linux's security model is porous as a sieve. Devices
    > running Linux are being hacked and taken over by remote hackers. The
    > security hole persists even when the device is turned off. But is it some
    > secret 'back door' that only the government knows how to access? Nope, the
    > world knows how to by pass and exploit Linux's so-called security. Here's a
    > horror story describing the hell created because of Linux's weak security:http://www.thenewstribune.com/news/c...ory/91460.html.
    >
    > I am sure so will say, "B-b-b-but Windows blah, blah, blah." to which I
    > reply, "Irrelevant!"
    >
    > This issue is about a bug in Linux. This is about a known bug in Linux
    > that's been hanging around for months. It is a bug a known bug in Linux
    > that's been hanging around for months that has not been fixed. This is
    > about
    > a security hole in Linux. Windows is not the issue here. This is a Linux
    > problem and not a Windows problem.


    This post is weird, because it has more to do with how the phone was
    designed and how they made their linux flavor work, than an actual
    problem with linux. Not only that, since the phone os is closed
    source, it's their responsibility to fix the bug anyway, and the OSS
    community doesn't have anything to do with it. I'm going to go ahead
    and make a generalized statement about telco -- they way over-
    complicate things so they can charge outrageous prices for their
    support. This is nothing more than a phone company doing the same as
    phone companies have always done.

    Really this is a linux advocacy forum and you bringing an argument in
    here about an embedded os on a propietary system doesn't really fight
    linux or support it, stick to the cellular forums


  5. Re: Security, Linux and the Roving Bug

    tblanchard001@gmail.com wrote:

    > On Jun 28, 3:43 pm, "Cassandra" wrote:
    >> Her advocates claim Linux is more secure than Windows and as proof they
    >> offer
    >> the list of viruses that target Windows. The rebuttal is typically that
    >> Window is an attractive target for virus writers due to its ubiquity.
    >> The Linux advocate's reply is that, Linux's architecture makes it
    >> impossible to
    >> hack. I think we've all seen this exchange. Whether Linux is immune
    >> from
    >> hacking is an open question. What if Linux were ubiquitous? Would
    >> hackers
    >> try to break in? Could hackers succeed? The answer to these questions
    >> is yes.
    >>
    >> Motorola has embraced Linux as the OS to run on its line of cell phones
    >> (http://news.com.com/2100-1001-984424.html). The following link includes
    >> over a dozen cell phone offering, including the Razr, which feature
    >> Linux:http://www.linuxdevices.com/news/NS4504156025.html. Motorola is a
    >> leading
    >> cell phone company. Motorola's market share has reached the critical
    >> mass required to make the devices attractive to the l33t haxtorz.
    >>
    >> Cell phones are venerable to a security threat called 'The Roving Bug'.
    >> The bug allows people to listen in on you conversations even when the
    >> cell phone
    >> is off. People can remotely turn on your cell phone, listen in on your
    >> conversations, upload and download data, and take photos without you
    >> knowing
    >> it. The only way to secure your cell phone and your privacy is to remove
    >> the
    >> battery.
    >>
    >> Here's what one site has to say:
    >>
    >>
    >> Nextel and Samsung handsets and the Motorola Razr are especially
    >> vulnerable to software downloads that activate their microphones, said
    >> James Atkinson, a
    >> counter-surveillance consultant who has worked closely with government
    >> agencies. "They can be remotely accessed and made to transmit room audio
    >> all the time," he said. "You can do that without having physical access
    >> to the phone."
    >>
    >> Because modern handsets are miniature computers, downloaded software
    >> could modify the usual interface that always displays when a call is in
    >> progress. The spyware could then place a call to the FBI and activate the
    >> microphone-- all without the owner knowing it happened
    >>
    http://hootsbuddy.blogspot.com/2006/...oving-bug.html
    >>
    >> The article says, ". the Motorola Razr [running Linux] are especially
    >> venerable ."
    >>
    >> It turns out that Linux's security model is porous as a sieve. Devices
    >> running Linux are being hacked and taken over by remote hackers. The
    >> security hole persists even when the device is turned off. But is it
    >> some
    >> secret 'back door' that only the government knows how to access? Nope,
    >> the
    >> world knows how to by pass and exploit Linux's so-called security.
    >> Here's a horror story describing the hell created because of Linux's weak
    >> security:http://www.thenewstribune.com/news/c...ory/91460.html.
    >>
    >> I am sure so will say, "B-b-b-but Windows blah, blah, blah." to which I
    >> reply, "Irrelevant!"
    >>
    >> This issue is about a bug in Linux. This is about a known bug in Linux
    >> that's been hanging around for months. It is a bug a known bug in Linux
    >> that's been hanging around for months that has not been fixed. This is
    >> about
    >> a security hole in Linux. Windows is not the issue here. This is a
    >> Linux problem and not a Windows problem.

    >
    > This post is weird, because it has more to do with how the phone was
    > designed and how they made their linux flavor work, than an actual
    > problem with linux. Not only that, since the phone os is closed
    > source, it's their responsibility to fix the bug anyway, and the OSS
    > community doesn't have anything to do with it. I'm going to go ahead
    > and make a generalized statement about telco -- they way over-
    > complicate things so they can charge outrageous prices for their
    > support. This is nothing more than a phone company doing the same as
    > phone companies have always done.
    >
    > Really this is a linux advocacy forum and you bringing an argument in
    > here about an embedded os on a propietary system doesn't really fight
    > linux or support it, stick to the cellular forums


    It probably developed that way. It started off as the relative merits of
    Linux vs Windows. Then it became "This is a Linux issue, therefore it is a
    matter for the Linux community," which is false. It overlooked the point
    that Linux is not the same thing as Open Source - the two simply go hand in
    hand, most of the time. At least it remained technical. Many threads go
    off at a tangent - usually humorously.

    Actually, I am becoming the Roving Blog - more interested in garrulous
    blogging than in contributing usefully. Wish never to grow old.

    Doug.
    --
    I am a part of all that I have met.
    - Lord Tennyson, "Ulysses."


  6. Re: Security, Linux and the Roving Bug

    On 2007-06-29, CptDondo wrote:
    > I am somewhat curious about this as well. All the phones I've
    > seen, when "off" - i.e. power button pushed - are pretty much
    > doorstops. When you push the power button, they go through a
    > boot process - display a logo, show some graphics, play a
    > cheesy sound - so I would assume the kernel is booting.
    >
    > I can't see how a phone in the off state can transmit anything
    > unless specially modified.


    That's actually the point of roving bug mode. Once this mode is
    activated, a "turned off" phone is no longer, strictly speaking,
    off. The screen is off and the thing won't accept calls to the
    owner, but despite all appearances it's secretly doing the
    network operator's bidding.

    On the other hand, I don't know what the precise mechanism for
    enabling roving bug mode is -- does the phone check in with the
    network as it shuts down as to whether it's supposed to stay
    awake? Does a turned-off cell phone actually periodically power
    up to check the network for roving bug status? It's an
    interesting technical question, even if it does give me the
    heebie jeebies...

    --
    Mark Shroyer
    http://markshroyer.com/

  7. Re: Security, Linux and the Roving Bug

    CptDondo wrote:

    > The Ghost In The Machine wrote:
    >
    > I am somewhat curious about this as well. All the phones I've seen,
    > when "off" - i.e. power button pushed - are pretty much doorstops. When
    > you push the power button, they go through a boot process - display a
    > logo, show some graphics, play a cheesy sound - so I would assume the
    > kernel is booting.


    On most designs, the power button is a software thing. What you see
    is a simulation of 'OFF' - display and radio get shut down, the processor
    goes on a slow clock and the power consumption drops low enough to
    not matter any more.

    Some simple phones go through a "boot process" when switched on, but
    most modern ones actually just come out of what you would call hibernation
    for a laptop.

    Some phones take minutes to boot when they start from scratch.

    >
    > I can't see how a phone in the off state can transmit anything unless
    > specially modified.


    It normally doesn't. But the software in the phone is exchangeable and
    on many phones this can be done remotely over the network. Law enforcement
    can and will do this.

    There is no hardware feature which could stop the software to fire up
    the radio and transmit a conversation while you think the phone is off.

    >
    > In standby, there is a way for the phone to wake up - incoming calls,
    > flip it open, etc. Presumably in this state the phone can be updated
    > remotely.


    Again, this is behavior entirely defined by software. There is a
    good chance that a software update can only happen when in standby,
    but after that, all bets are off.

    The only sure-fire way to switch the phone off is to pull the battery.
    It takes energy to transmit and apart from the battery, a phone can
    not store any significant amount of energy.

    BTW, the 'bug' in "roving bug" is not a bug in a software sense. It's
    a surveillance bug, which may or may not be implemented by hacking or
    otherwise modifying a phone.

    Kind regards,

    Iwo


  8. Re: Security, Linux and the Roving Bug

    In article ,
    The Ghost In The Machine wrote:

    >[1] The thing is really off, as in
    > removal-of-the-battery-pack off. Some might also
    > have a power switch that cannot be remotely actuated.
    > Windows, Linux, Symbian, HURD -- it doesn't matter;
    > only one's finger (or brushing against something)
    > can flip that switch.


    Is there another battery inside that isn't removable?

    --
    http://www.spinics.net/lists/

+ Reply to Thread
Page 2 of 2 FirstFirst 1 2