I want a secure phone that does not suffer from the security issues found in many products. The recent review by the Library of Congress has been interpreted to mean that it is OK to jail break but not OK to use the tools to jail break. The usual legalese; why can’t lawyers write in plain English? The excerpt below is from www.loc.gov/today/pr/2010/10-169.html
(2) Computer programs that enable wireless telephone handsets to execute software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset.
(3) Computer programs, in the form of firmware or software, that enable used wireless telephone handsets to connect to a wireless telecommunications network, when circumvention is initiated by the owner of the copy of the computer program solely in order to connect to a wireless telecommunications network and access to the network is authorized by the operator of the network.
I don’t want the reality of having to buy additional programs to protect myself from programs I don’t want. If Apple is willing to do this and a consequence is a restriction on some of my choices, I am OK with it so far. I don’t see what the issue is. If you want to jail break your phone and put untrusted, unchecked apps on it, great. If you want to offer your competitive mail program for the iPhone, take on some liability insurance that you are not going to infect my phone. I look at Apple as an inoculation shot, not perfect but better than the alternatives. There are alternative platforms that give you more choice; buy those instead. In this copy-and-paste world of programming, where many developers have no understanding of what they are doing from a security perspective, I want protection from them.
Where code comes from is very important. As a developer or company you are ultimately responsible for what you have provided your user. Recently I have been using Maven for some projects friends have asked for help on. I have always avoided use of Maven because I found the security model very weak. I would never deploy a production application using Maven without a rigorous audit of the jars it is using, and by the time that is done you have lost the productivity gain. Let’s ignore what it could inject into your development environment. That was my view and still is.
How can I trust that the code I am getting is valid? Digests and trusting the people that run the repositories are not good enough; I need an independent third-party system for me to ever use Maven to go from development to production without an audit. Maven has the potential to inject one of the largest viruses in Internet history into the Internet, IMO. One of the problems with all of the security models is that the security is only as good as the service provider in the end, so you need checks and process. Initially, checks and processes slow things down until they are developed. What is preventing a disgruntled individual close to Maven from injecting a sleeper thread into a critical, say JSON, library that one day wakes up and starts reading the disk on the servers it is on and unloading it to the Internet? Even worse, it does this at a very low level over several years, so it is not really detected until massive amounts of data have been copied. As a professional developer there is a minimum due diligence one must apply to the components one uses to build something. This is no different than a chef picking products for a meal. The blame game begins.
When Java first arrived there was quite a bit of discussion about trusting Mobile code. I think the Mobile issue clouded things up and the Industry should have focused on code from a third party; mobile is practically the default case, and trust and computing at a distance via delegation are the two issues. It is curious how now we are getting code from the Internet practically at the OS level, produced by developers having dependency trees that they can’t even enumerate. See “Ultra-Large-Scale Systems Ultra-large-scale (ULS) systems will be interdependent webs of software-intensive systems, people, policies, cultures, and economics.”
Is the access to Maven repositories over SSL?
Does the SSL certificate point to a document defining how the repository is managed and checked?
Are the code segments signed?
Is there a log file produced that relates where the jars came from and where the source is?
Is there one developer that verifies that the source
What is the legal entity when one of the jar files has a virus introduced by an Open Source programmer?
What is the relative risk factor of an application based on the third party code and how it was put into the system?
…. We all know how easy it is to present security issues, kind of like yelling fire or saying Sarbanes-Oxley
When I use Maven, I put all artifacts that an end user will run into my own repository and I will not use jars that do not have source that reproduces them; curiously, proprietary jars don’t cause this concern for me. It would be nice if Maven had a recreate-system-from-source option and this option would produce all the documentation about the release, similar to ideas Richard Gabriel discussed in “Conscientious Software”. I am still concerned about the plugins that are loaded into my development system; I seem to have 100s of them. This has an issue also in that the source code that has been inserted into the repository does not have a history of where the change came from and who reviewed it. Do I really believe that every open source change has been seen by more than one knowledgeable, ethical person? No. And that it goes into a secure, trusted repository constantly monitored for fraud? No. Hopefully I am wrong about all the above issues and there is active work on improving managing all the artifacts one needs to build an application. I would go as far as to say that I would like to see this type of thinking in the Language.
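An added example, not from the original post: a small audit of a private artifact repository of the kind described above. It checks each jar against a pinned SHA-256 digest, a recorded HTTPS origin and a matching `-sources.jar`, and returns one provenance record per jar. The manifest format, the jar names and the `repo.example.invalid` URLs are assumptions constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_repository(repo_dir: Path, manifest: dict) -> list:
    """One record per binary jar; manifest (assumed format): name -> {sha256, origin}."""
    records = []
    for jar in sorted(repo_dir.rglob("*.jar")):
        if jar.name.endswith("-sources.jar"):
            continue  # source jars are checked alongside their binary jar
        entry = manifest.get(jar.name)
        digest = sha256_hex(jar.read_bytes())
        problems = []
        if entry is None:
            problems.append("not in manifest")
        else:
            if digest != entry["sha256"]:
                problems.append("digest mismatch")
            if urlparse(entry["origin"]).scheme != "https":
                problems.append("origin not fetched over TLS")
        if not jar.with_name(jar.stem + "-sources.jar").exists():
            problems.append("no sources jar")
        records.append({"jar": jar.name, "sha256": digest,
                        "origin": entry["origin"] if entry else None,
                        "problems": problems})
    return records

def demo() -> list:
    """Audit a constructed repository: one clean jar, one tampered, one unknown."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "json-lib-1.0.jar").write_bytes(b"constructed jar A")
        (repo / "json-lib-1.0-sources.jar").write_bytes(b"constructed source A")
        (repo / "util-2.3.jar").write_bytes(b"tampered bytes")
        (repo / "stray-0.1.jar").write_bytes(b"unknown jar")
        manifest = {  # constructed pins and placeholder origins
            "json-lib-1.0.jar": {"sha256": sha256_hex(b"constructed jar A"),
                                 "origin": "https://repo.example.invalid/json-lib-1.0.jar"},
            "util-2.3.jar": {"sha256": sha256_hex(b"original bytes"),
                             "origin": "http://repo.example.invalid/util-2.3.jar"},
        }
        return audit_repository(repo, manifest)

if __name__ == "__main__":
    for rec in demo():
        print(rec["jar"], rec["sha256"][:12], rec["origin"], rec["problems"] or "OK")
```

The returned records double as the log relating each jar to where it came from; a pinned digest only shows that the bytes have not changed since they were reviewed, not that the review itself was sound.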
I am just not into most sports with me as the player or the observer. It isn’t that I never tried them. I actually played little league baseball and was a big NY Knicks fan during the DeBusschere, Frazier, Reed, Monroe, Bradley, Barnett era. So I don’t like Robots playing sports because it makes me feel good to see a Robot win, I find it encouraging — sports may be where humans are performing at peak physical and sensory input levels — watching machines approach that using different technologies can lead to many good things. I wonder what the handicaps will be for that inevitable day when there is machine human competition, maybe an Electro Magnetic Pulse generator directed at the 1 cm diameter vulnerability area. I came across a news story about Soccer Playing Robots www.cs.cmu.edu/~robosoccer/small/ that prompted this blog entry. I was feeling encouraged about the progress and then brought down to earth by the “experts” view that it will be 2050 before a robot can play against a human in soccer. I, who really know very little about this, think they are way off. I bet the next Trillion dollar Market Cap will have roots back to participants to events such as the one in the following video.
When will I be able to buy a tennis ball pickup machine/robot for under 200.00? Of course it might be better to pick each ball up yourself and remember how it ended up there but a video with analysis would be more to my liking. Cheap personal “form” analysis seems like it would be useful, maybe it would help me exercise more, unlikely.