RIM's upcoming BlackBerry 10 operating system is intended to be as secure, if not more so, than the OS running on RIM's current crop of BlackBerry devices. Mobile security could become a major selling point for the new platform, for enterprises, carriers and end users alike.
Essentially, RIM is blending security elements from its BlackBerry heritage with the security architecture of the new OS, which is based on the QNX Neutrino real-time operating system, acquired when RIM bought QNX Software Systems in 2010. While RIM has not revealed BlackBerry 10 security in detail, Scott Totzke, RIM's senior vice president, BlackBerry security, talked about the topic generally during a briefing at last week's BlackBerry World conference.
BACKGROUND: RIM CEO vows to wow with BlackBerry 10
"Security is becoming more complex for consumers than for the enterprise," Totzke says. The enterprise typically has a security infrastructure in place, often with dedicated security staff. The BlackBerry Enterprise Server lets administrators set hundreds of device and data policies for the BlackBerry phones, and forges an encrypted link for the devices through RIM's Network Operations Center. "The industry has been promising mobile commerce [to consumers] for years: the idea of using your phone as your wallet. But if that happens, it better be secure," he says. "If the user can't trust the [mobile] platform, it's a tough sell."
BB10 security will have multiple integrated layers, with the tight, cooperating relationship between hardware and software that's been a BlackBerry hallmark. For mobile users, there will be a permissions-based security model for apps, in plain, understandable English, coupled with various OS-level security and safety features borrowed from QNX's experience in the embedded systems market.
At the OS level, QNX has offered a hardened variant of its OS called Neutrino RTOS Secure Kernel for several years. The secure kernel has been certified under the Common Criteria ISO/IEC 15408 Evaluation Assurance Level (EAL) 4+. The Common Criteria is intended to show that a computer security product has been specified, implemented and evaluated in a standard and thorough way. QNX says Neutrino was the first full-featured RTOS certified under this standard.
(In December 2011, QNX announced that Neutrino has also received a safety certification, under the IEC 61508 standard for Safety Integrity Level 3 (SIL 3). Strictly speaking, this isn't a security certification, but one intended to reduce the rate of "dangerous failures" in a system.)
But RIM doesn't appear to be using the Secure Kernel variant. Rather, after RIM acquired QNX, the device maker's security architects began working closely with the QNX software engineers, according to Totzke. The work seems to be focused on how to exploit the microkernel's strengths while adding new security features.
This combined group has been focusing on a range of protections, such as:
- Blocking root access, which enables a user or hacker to gain administrative access to the OS.
- Memory randomization, which in effect "scrambles" where in memory routines may run, making it harder for these to be leveraged by attackers.
- Adding security management, including auditing, to the kernel.
It's a work in progress. Code to jailbreak or root the QNX-based PlayBook OS (so you can load apps apart from BlackBerry App World) is available from DingleBerry.it, specifically Version 3.3, which was a big step up in simplicity and ease of use. A 4.0 version is in development. The PlayBooks will eventually run BlackBerry 10, so if blocking root access is a priority for RIM, then they may be harder to jailbreak with the release of the new OS.
One advance to protect data is already present in the PlayBook OS and will be a key part of BlackBerry 10, according to Totzke. BlackBerry Balance creates separate and secure work and personal "perimeters" at the data level. Corporate apps and data are encrypted in the work perimeter, and can't be transferred or copied to the personal perimeter. (Encryption for personal data will be available in the next release of the PlayBook OS, he says.)
"But I [as the end user] don't have to think about this separation," says Totzke. "There's a unified presentation to the data [in the user interface], but under the covers, the system separates the data." There is only one email system and UI, for example, on the device, but work and personal emails are kept separate by the underlying system.
Neutrino's microkernel architecture keeps an essential set of services in the core, but drivers, applications, protocol stacks, and the file system run outside the microkernel, effectively sandboxed in what's called memory-protected user space. This means that almost any of these external components can fail and be replaced and restarted without affecting other components or the kernel itself, according to QNX. Presumably malware designed to compromise the kernel likewise will be isolated in these protected spaces.
Another layer of protection lies in QNX Neutrino conforming to the POSIX standard, which specifies an API, and some shells and interfaces, for software compatibility between POSIX-compliant operating systems. "A POSIX API prevents the use of proprietary interfaces with the potential for insecure behavior and misunderstood results," among other benefits, according to the QNX website. The RTOS was designed from the outset for POSIX support, an approach that eliminates the need for adding a "complex POSIX adaptation layer" that some rival RTOSs require. The result is faster performance and lower memory requirements for applications, according to QNX.
Much of this security infrastructure will be invisible to end users. But if mobile payment technologies actually find some traction, security, or at least the need for it, may become more pressing for end users. RIM has been an enthusiastic adopter of near-field communications (NFC) in its BlackBerry smartphones, to support using them for "contactless" mobile payments. U.K.-based The Inquirer reported this week that RIM says it accounted for 80% of NFC phones shipped to U.K. retailers in the first quarter.
"I think that's where people want to go," says Totzke. "I sometimes forget my wallet, but I never forget my phone."
"Security has to become a little more in the forefront for consumers and a lot more in the forefront for device makers and app developers," he adds.
John Cox covers wireless networking and mobile computing for Network World. Twitter: twitter.com/johnwcoxnww Email: Blog RSS feed: networkworld.com/community/blog/2989/feed
Source: "BlackBerry 10 OS will have multi-layered security model", arnnet.com.au, Wed, 09 May 2012.
Linkbaiters will feel the wrath of Google for fake stories – TECH.BLORGE.com
Getting links and counting traffic is the name of the game for just about every web publisher out there. However, some have decided to go about the hunt for viewers by posting completely made-up stories as fact. Though that might be all fun and games to certain folks, Google is the ultimate authority on what’s funny and what isn’t, and it seems the verdict is prank posting as linkbait is decidedly not funny.
In fact, it could earn you a big old backhand, straight from Google, or so Matt Cutts of Google suggested after Lyndon Antcliff made up a story as linkbait and spread it across social networking sites, according to SearchEngineLand. The story got so big, it was picked up by nearly everyone, including Fox News. Maybe you read it? It was called "13-Year Old Steals Dad's Credit Card to buy Hookers."
After tons of traffic and coverage, the dust has settled, and some discovered that Antcliff actually created the story simply as a social experiment; Matt Cutts left some poignant commentary on Antcliff’s site, saying:
Google may respond negatively to other misleading practices not listed here (e.g. tricking users by registering misspellings of well-known websites). It’s not safe to assume that just because a specific deceptive technique isn’t included on this page, Google approves of it.
The problem here, of course, is that Antcliff didn't disclose the story as fiction. If this were a case of something like The Onion, a site known for exclusively creating satirical and humorous stories, then there wouldn't be an issue. However, by publishing content as real news, not only did Antcliff dupe social sites into promoting content that wasn't real, Antcliff also indirectly discredited all the sites that covered his fake story.
There’s no way to monetize a loss in credibility, but the offense does directly affect people other than Antcliff.
What’s even worse is that Antcliff is completely unconcerned with the implications of linkbaiting, and even intends to instruct people in the best ways to linkbait. He says on his site, “I have little interest in discussing the ethics of linkbait, as far as I am concerned if it works and results are achieved then do it. I am soon to launch a subscription only coaching program for linkbaiters, where tactics will be discussed and consultation given.”
Frankly, I find the whole affair deplorable, and the fact that Antcliff can't recognize the implications of his deliberate linkbaiting deserves punishment, not only from Google, but from whomever else can punish his actions. Granted, this particular story didn't seem to have a huge impact, but by training people how to linkbait, Antcliff is effectively destroying much of the hard work that others do to promote real stories for a living.
Source: "Linkbaiters will feel the wrath of Google for fake stories", TECH.BLORGE.com, Fri, 18 May 2012.