Android vulnerable. How does Puppy Linux compare?

For discussions about security.
Post Reply
Message
Author
nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

Android vulnerable. How does Puppy Linux compare?

#1 Post by nooby »

Android has many highly paid programmers and if that still
makes them this vulnerable then is it not logical that also
puppy linux is similar?

http://www.gizmag.com/security-htc-andr ... nes/20010/
Now Gizmag is no computer or software mag so it can be written by
somebody relying on others info and maybe misunderstanding it.

It is way too complicated for me so I share it to get your views on it.
The reported vulnerability, which has left those who discovered it
- Justin Case, Trevor Eckhart and Artem Russakovskii from Android Police - speechless,
involves a suite of logging tools included in recent HTC modifications
to the Android operating system in EVO and Thunderbolt models that
collect a stack of information on the user's phone.
But not only do the modifications collect a swathe of information,
they also allow nefarious types to send that data to wherever on the Internet they like.

"It's like leaving your keys under the mat and expecting nobody
who finds them to unlock the door," says Russakovskii.
The list of compromised data includes but is not limited to:

* List of user accounts, including email addresses
* Last known GPS location and history of previous locations
* Phone numbers from the phone log
* SMS data, including phone numbers and encoded text
* System logs, which track everything your running apps do
* System information, including build number, bootloader version,
CPU info, running processes, list of installed apps, battery info
and status, and network info, including IP addresses.

Eckhart only released the information after contacting HTC
on September 24th and receiving no real response for five days
in the hopes that making the security vulnerability public would
prompt HTC to address the issue.
Although the team at Android Police believes HTC is looking into
the issue, there's been no statement from the company as yet.

The team also uncovered an app added by HTC called androidserver.apk
that is basically a remote access server that could allow third parties
access to the phone.

They say that, while the addition of the app "could end up being insignificant,"
it is still "very suspicious." Although the app isn't started by default,
it isn't clear what or who can trigger it.

While open source software, such as Android, has many advantages
over a closed system, such as allowing greater creativity on the part
of developers, the vulnerability the Android Police team claims to have
uncovered highlights one of the major downsides of open source
software.
While users expect problems from sources in the darker corners
of the Internet and are extra vigilant in looking out for anything
that may compromise the security of their devices, the fact this problem
comes from one of the biggest players in the Android space is a real concern.
I use Google Search on Puppy Forum
not an ideal solution though

User avatar
Makoto
Posts: 1665
Joined: Fri 04 Sep 2009, 01:30
Location: Out wandering... maybe.

#2 Post by Makoto »

I haven't looked into it, but I've read that the vulnerability is with HTC's code/interface, not Android. Whether or not that's true, I don't know.
[ Puppy 4.3.1 JP, Frugal install ] * [ XenialPup 7.5, Frugal install ] * [XenialPup 64 7.5, Frugal install] * [ 4GB RAM | 512MB swap ]
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).

DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#3 Post by DPUP5520 »

Makoto wrote:I haven't looked into it, but I've read that the vulnerability is with HTC's code/interface, not Android. Whether or not that's true, I don't know.
It was a modification to the Android OS made my HTC that caused the vulnerability.
[url=http://www.murga-linux.com/puppy/viewtopic.php?t=69651][b][i]PupRescue 2.5[/i][/b][/url]
[url=http://www.murga-linux.com/puppy/viewtopic.php?t=72178][b][i]Puppy Crypt 528[/i][/b][/url]

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#4 Post by nooby »

Ah yes I should have pointed out that part too :) Sorry!

But that is exactly my point. Puppy is a rewrite of Standard ? Linux.

That would either makes Puppy very vulnerable or only vulnerable
when the criminals find it worth their time to write an exploit of that
potential vulnerability.
I use Google Search on Puppy Forum
not an ideal solution though

User avatar
Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#5 Post by Pizzasgood »

No, Puppy is not a rewrite of Linux, and no, Puppy's being weird compared to most distros does not make it "very vulnerable". Most of the weirdnesses in Puppy have no bearing on security at all.

Yes, Puppy and phones are both weird. But they are weird in different ways. Phones are weird in a network way - they have custom network code. Their software is also much less widely tested, and is often closed-source so that only people in the actual company have audited it.

Puppy is not at all weird in a network way. The network code is the same as any other Linux, whether server or desktop. The things that are weird in Puppy are the filesystem, the application choices, stuff like that.

You should be far more worried about how secure your network-related software is than Linux itself. Your browser, your browser's plugins, your chat program, any online games you play, any servers you run, etc. Those things all get far less individual attention than the OS's network code. (In particular, I would worry about Flash, as that is closed source and has a history of being a buggy piece of excrement.) And that applies equally to any distro you use - the only impact Puppy has would be that Puppy tends to have older versions of software.


Also, keep in mind that when some server, which happens to run on Linux, gets hacked into, that doesn't mean anything regarding the security of Linux. (Yes I know this thread is about a phone, not a server.) Most of the time when somebody "hacks into a server", what they actually do is exploit a bug in whatever webapps the server is running. Stuff like this forum, or a wiki, or what-have-you. Or they might somehow obtain an administrator's password (lucky guess, keylogger, surveillance, brute force, network sniffing, etc.). Failing that, they probably exploited a bug in a server program (php, apache, mysqld, sshd, etc.), which normal desktop Linuxes don't have. It is much rarer that they get in via a problem with Linux itself.
[size=75]Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib[/size]
[img]http://www.browserloadofcoolness.com/sig.png[/img]

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#6 Post by nooby »

Yes thanks, good that you reminded me of those details.
I use Google Search on Puppy Forum
not an ideal solution though

Post Reply