Schneier on Security
A blog covering security and security technology.
« Fingerprint Scanner that Works at a Distance |
| Bin Laden Maintained Computer Security with an Air Gap »
May 17, 2011
Mobile Phone Privacy App Contest
Entries due by the end of the month.
Posted on May 17, 2011 at 1:35 PM
• 32 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
An App that gives you an electric shock when ever any of your other apps leak your data.
No matter what it is iPhones won't allow it.
"This smartphone will self-destruct in five seconds."
Not much of a contest if you don't win anything.
"The best overall submission will be given the opportunity to discuss their app with judges and audience members at the ceremony."
What kind of award is that? How about dinner with the T-Mobile spokeswoman or something?
The best overall submission will be given the opportunity to explain to judges how they safeguarded privacy so that such loopholes can be closed.
Sorry to sound negative but we have kind of seen this sort of competition before.
Those who organise judge it end up by pretending they have "the best" of something so no further effort gets put in.
The simple fact is security is a bit like the air bubble under that piece of wallpaper you have just put up. Unless you take care each time you push the bubble down it either moves somewhere else or splits into two or more bubbles.
So as you "close a loophole" you can end up making one or more new ones.
My, what an attractive vector for distributing malware: an app that actually educates you about avoiding malware. It's like The Wolf Who Cried Wolf.
I'm pretty sure you're not going to get bang-up code when you only have two weeks to write it.
Er, an app that roots the device, clones the firmware to some cloud service and subsequently replaces it with a device specific SE-Linux kernel (or better), a Google independent FOSS version of Android and a set of userspace applications officially approved by Bruce and Clive. Until such a time, I'm sticking with my old Motorola RAZR.
It doesn't have to shock the poor user when a leak is detected, automatic countermeasures would work fine.
When it detects a leak it should just immediately do a low-level erase of the device, thus neutralizing the risk.
How about a simple visual app that shows you a hundred different ways that critical data can leak from smart phones. Once you've watched the app run, you will have no illusions of security and you'll hopefully adjust your expectations to match smart phone reality.
"demonstrate the possibility that apps for mobile devices can actually enhance the privacy of users"
hey, it's sponsored by the ACLU!
how about a firewall app that has a default-deny on outbound traffic and then pops up a new warning every time your phone tries to initiate a connection.
instead of a "yes / no" confirmation it should give the options: "yes / litigate"
if you click on litigate it sends an SMS with the offending app details to the ACLU.
do i win?
Props so far to Joe the Programmer, RobertT, Davi Ottenheimer and Dirk Praet for best suggestions.
My vote for best suggestion is Joe's idea: Catherine Zeta Jones is plenty of motivation for me to code a masterpiece in two weeks.
"Catherine Zeta Jones is plenty of motivation for me to code a masterpiece in two weeks."
Hmm, I guess you've not heard her sing then?
Then again Maestro what sort of masterpiece are you going to produce? I guess not something to compete with Richard Wagner's "Der Ring des Nibelungen" (AKA The Ring Cycle).
Mind you put Catherine Zeta Jones in chainmail and a horned helmet she might not look to bad...
But I guess you'ld want her as a goddess, such as Freia (goddess of love, youth and beauty) but I think these days she would have to play Fricka (Wotan's wife and goddess of home and marriage).
I love having a cell phone that doesn't do anything but take calls and text messages (and probably could surf the Web if I let it which I don't.)
Oh, it does have an FM radio in it. When I discovered that, I laughed heartedly because who the hell wants to try to tune a radio with a cell phone keyboard? It's insane.
"Hmm, I guess you've not heard her sing then?"
I'd make her sing...
And as either of those goddesses, she's still hot as this Golden Globes pic this year shows:
"I love having a cell phone that doesn't do anything but take calls and text messages"
I can recommend the Emporia brand of products at http://www2.emporia.at/en/products/ . This Austrian company specifically targets a senior citizen audience, and it's the brand of choice of my mom and her friends. My personal favorite is the "Shock Stick", a retro cell phone stun gun, available for about 7,000 yuan ( http://www.techeblog.com/index.php/tech-gadget/... ) .
App? Who needs an app when you've got a wrap?
Aluminum foil! Wrap your phone in it and it will stop leaking your data.
also useful for making hats.
Apropos cell phones, I would need one that also cannot receive SMS messages. Or at least only is capable of dealing with text in them. That way the government cannot install stuff on my phone through the message.
But can they install stuff through code on the GSM card?
Many people on this list seem to trust what Clive says explicitly and without question, but if he thinks it takes "chain mail and a horned helmet" to make Catherine Zeta Jones look good, I don't want him to judge any beauty contests.
...and I don't care if she sings or not.
De coloribus et gustibus non est disputandum.
From whence do you come?
If you read back you will find I was gently joking with Nick P.
However both "The Ring Cycle" and "The Lord of The Rings" are about rings made by dwarves to "Control the world".
In some old style hacker communities knowledge of both the Opera(?) and book was considered mandatory.
Both also contain a love story of how an immortal became mortal for the love of a relative.
Both stories involve gods and their fall in the world of man.
The idea of "one ring to control them all" is the idea behind most malware attacks etc.
I'm sorry if this did not come across to your liking but just one thought for you,
I did not say what sort of chain mail or helm other than it had horns. You are I guess assuming the sort of maximal sort of thing you would expect on an Opera Soprano in a Wagnerian presentation, and perhaps not the slinky little items you might find in the more select of certain clothes and other adult entertainment stores where leather rubber and other such passions are catered for?
@Clive " rings made by dwarves to "Control the world"."
Elves made the Rings - even The Seven. And Sauron himself made The One. Not sure what he was, aniu, and Valar of course but the elves were more Mair.
Yes, I believe I understood your comment and the spirit it was intended, and I intended my comment to be in the same "gently joking" vein.
"...slinky little items...leather, rubber" - I take the 5th.
@ Clive Robinson
Chainmail and helmets? I was thinking more Victoria Secret. I figure I'd just let her use her imagination. Sexy women know how to be sexy. She needs no tips from me. ;)
"Oh, it does have an FM radio in it. When I discovered that, I laughed heartedly because who the hell wants to try to tune a radio with a cell phone keyboard? It's insane."
Google: "FM Fingerprinting"
A: FM Fingerprinting. Interesting. Looks like one can "fingerprint" almost anything these days. Not too surprising, since pretty much everything is "unique" if you can get down to the bottom of it conveniently.
@A: Almost every phone I've ever seen with an FM tuner has also had RDS. No real need for any FM fingerprinting.
"No real need for any FM fingerprinting."
but the reality exists, ask yourself why it's being mandated new phones all have FM radio feature. It's for fingerprinting of the device. The new chip being added for alerts is also a concern.
Anyone who submits losses it's privacy
https://www.develop4privacy.org/rules, rule 7:
"each Participant also grants to Organizers and to Organizers’ designees an irrevocable, royalty-free right to publish, disseminate, and use the Participant’s name, likeness and biographical information (including, with respect to a Team, the name, likeness and biographical information of each member of the Team) in connection with the execution and promotion of the Challenge without further notice or consideration."
Quick response to a couple of the comments (though I'm late to the thread, unfortunately)...
Yes, we know, there's irony in requiring info about submitters for a privacy-centric competition -- but if the goal is to push this into the public dialog, it's harder to do without actually having the developers take part. Can't win 'em all.
Security and privacy are absolutely moving targets, and we don't intend to act as if we have "solved" anything. I'm well aware of the kind of response we'd get from the DEF CON audience in particular if we tried to do so.
The goal is simply to use this competition to bring together developers who have new ideas about privacy tools and organizations like the ACLU who are able to make those ideas and those tools part of the public dialog.
@Joe, davi, others: Code it and submit it - you've still got a week! :)
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.