Security is Inconvenient, Deal With It!

Monday, December 17, 2012

Keith Mendoza


ZDNet had an article entitled "Kernel vulnerability places Samsung devices at risk" and I thought "so, what's new" until I followed the link to the forum post on xda-developers. Then I just lost it, because I'm certain that this is a result of plain and simple laziness.

Here are my arguments for why I think it's laziness: First, this is Samsung we're talking about here; an error like this should have been caught in code review or QA. Second, according to the first post, the primary users of /dev/exynos-mem are:

graphic usage like camera, graphic memory allocation, hdmi. By activating pid display in kmsg, surfaceflinger do mmap on the device (via one of the three shared libraries above ?? I have not see reference in binary to these libraires).

Third, the documentation clearly states that "This maps the platforms RAM, and typically maps all platform RAM in a 1:1 relationship." In other words, the node is a world-accessible /dev/mem: any local app that can open it can read and overwrite physical memory, kernel included. Therefore, I would say that allowing global read-write on /dev/exynos-mem was a design decision, and the decision was probably made by someone with enough clout in the company to effectively silence anyone who pointed out the obvious error in taking this route.
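The practical check that follows from the third point, added here as an example and not part of the original post or of Samsung's code: before asking what a device node does, find out which nodes under /dev grant read or write to "other" at all, because a memory-mapping node with those bits set is exactly the exynos-mem situation. The listing below is constructed to model the case (the fimg2d node, major/minor numbers and timestamps are made up, not captured from a device), and the script only inspects the mode string and the final field, so it works on both GNU `ls -l` and Android toolbox `ls -l` output (which omits the link count). The allow list of deliberately public nodes is a hypothetical starting point.

```shell
#!/bin/sh
# Added example: audit a directory listing for device nodes that grant
# read or write to "other". Not code from the original post.

# Constructed sample listing modelled on the exynos-mem case; the fimg2d
# entry, device numbers and timestamps are made up for illustration.
SAMPLE_LISTING='crw-rw-rw- 1 system system  10,  60 2012-12-17 10:00 exynos-mem
crw-rw---- 1 system graphics 10,  61 2012-12-17 10:00 fimg2d
crw-r--r-- 1 root   root      1,   1 2012-12-17 10:00 mem
crw-rw-rw- 1 root   root      1,   3 2012-12-17 10:00 null
drwxr-xr-x 2 root   root              2012-12-17 10:00 block'

# Print "<node> <mode>" for every block or character device whose
# "other" permission bits (positions 8-10 of the mode string) contain
# r or w. Directories and regular files are ignored.
world_accessible_devices() {
    printf '%s\n' "$1" | awk '
        substr($1, 1, 1) ~ /[bc]/ {          # block or char device only
            other = substr($1, 8, 3)         # rwx triple for "other"
            if (other ~ /[rw]/) print $NF, $1
        }'
}

# Hypothetical allow list: nodes that are world-accessible by design on a
# typical Linux/Android system. Adjust for the platform under review.
ALLOWED_PUBLIC='null zero full random urandom tty ptmx'

# Same check, but drop the allow-listed public nodes so that what remains
# is the list that needs a justification.
world_accessible_devices_filtered() {
    printf '%s\n' "$1" | awk -v allow="$ALLOWED_PUBLIC" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        substr($1, 1, 1) ~ /[bc]/ {
            other = substr($1, 8, 3)
            if (other ~ /[rw]/ && !($NF in ok)) print $NF, $1
        }'
}

# Run against the constructed listing when executed directly.
world_accessible_devices_filtered "$SAMPLE_LISTING"
```

On a real device, feed it the live listing instead, e.g. `world_accessible_devices_filtered "$(adb shell ls -l /dev | tr -d '\r')"`. Every node it prints needs a reason to be public; a node that maps platform RAM has none, and the right fix is the owner/group/mode in the platform's device configuration, not a patch in the consumer of the node.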

Well guess what, security is inconvenient. It gets in the way of getting things done quickly. It'll slow your application down. It'll add to the development effort. It's hard to get it completely right. However, getting inconvenienced beats looking like a dumb idiot.

Cross-posted on Home+Power

Alex Brook: How many Samsung consumers are going to care though? Security is inconvenient, you are obviously right there, but are you sure Samsung aren't dealing with it through intentional ignorance?
Simon Moffatt: Unfortunately, security is inconvenient at lots of levels. The SDLC sees it as slowing down time to delivery; users see it as being restrictive. Unless security is implicitly embedded, the inconvenience case is a hard one to overcome.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
