Interop unlock via oem.cab and cab sender - Windows Phone 7 Q&A, Help & Troubleshooting

Do you think it's possible to unlock mango via oem.cab file ?
I know one can rollback, unlock and reupgrade but this cab way would be easier
Sent from my OMNIA7 using Board Express

Can't. Unless you could sign the cab with Microsoft's certificates.
Unless for some reason they made an official cab to do this for manufacturers that got leaked.
Xboxmod cabs only work if the certs are cooked into a rom... And if your flashing custom roms you wouldn't need to do this anyway.
Sent from my HD7 T9292 using XDA Windows Phone 7 App

Incorrect. xboxmod has created a WP7 Cab Builder that you can create your own WP7 Cab Updates. I'm 95% complete. I just need to find a way on the tool to set the password for my MIcrosoft Windows Mobile Firmware Installation PCA.pfx which I will do soon. Once signed, it should be able to be sent to all devices. Providing Interop unlock for ALL devices, regardless of generation. Keep your eyes open. I MAY complete it this month or July. I'll need help from xboxmod and Heathcliff74.

AlvinPhilemon said:
I just need to find a way on the tool to set the password for my MIcrosoft Windows Mobile Firmware Installation PCA.pfx which I will do soon. Once signed, it should be able to be sent to all devices.
Click to expand...
Click to collapse
Well, that will be the problem. You don't have the necessary password, so you can't sign it. And all devices will just reject the cab. (just like reeg420 said) Sry, but the odds are against you.

AlvinPhilemon said:
Incorrect. xboxmod has created a WP7 Cab Builder that you can create your own WP7 Cab Updates. I'm 95% complete. I just need to find a way on the tool to set the password for my MIcrosoft Windows Mobile Firmware Installation PCA.pfx which I will do soon. Once signed, it should be able to be sent to all devices. Providing Interop unlock for ALL devices, regardless of generation. Keep your eyes open. I MAY complete it this month or July. I'll need help from xboxmod and Heathcliff74.
Click to expand...
Click to collapse
You asked me for help. I replied to you, but you didn't get back to me. I am reticent about this, but I always keep an open mind. Tell me what you need and I hope I can help.
Ciao,
Heathcliff74

I just need to find a way on the tool to set the password for my MIcrosoft Windows Mobile Firmware Installation PCA.pfx which I will do soon.
Click to expand...
Click to collapse
This tool is called SignTool.exe, but... Do you know the Microsoft master password for MS certificate??? How come? Do you own a 10 millions PC botnet working two years, brute-forcing MS cert?..
P.S. Seems like you don't understand what are you talking about...

So... I actually had a silly little thought about this. Not sure if it'll work for CABs, but it might work for other areas where we need a MS cert.
Anybody read about how the Flame malware was able to spoof a Windows Update package for PCs? It used a cert produced by a Microsoft tool. The tool is supposed to produce certs used for allowing PCs to connect to a Remote Desktop server, but for some reason the certs were also marked to allow code signing and other useful things. These certs also chain back to the Microsoft root certificate (meaning they are trusted as though issued by MS itself).
Now, for WP7 CABs, I don't know that this will work, because the CABs may need to be signed with a *specific* cert, not just one that chains to the same root. However, it's possibly worth checking...

GoodDayToDie said:
So... I actually had a silly little thought about this. Not sure if it'll work for CABs, but it might work for other areas where we need a MS cert.
Anybody read about how the Flame malware was able to spoof a Windows Update package for PCs? It used a cert produced by a Microsoft tool. The tool is supposed to produce certs used for allowing PCs to connect to a Remote Desktop server, but for some reason the certs were also marked to allow code signing and other useful things. These certs also chain back to the Microsoft root certificate (meaning they are trusted as though issued by MS itself).
Now, for WP7 CABs, I don't know that this will work, because the CABs may need to be signed with a *specific* cert, not just one that chains to the same root. However, it's possibly worth checking...
Click to expand...
Click to collapse
Don't you think that microsoft has learnt its lesson after Flame? Would be reat though

GoodDayToDie said:
Anybody read about how the Flame malware was able to spoof a Windows Update package for PCs?
Click to expand...
Click to collapse
Actually (according to Kaspersky Lab report), Flame malware isn't a simple worm/malware by black-hats but kinda "cyber-weapon" written by professionals from some kind of intelligence/security service (with unknown origin). And of course, some of (by unknown origin ) intelligence/security services have enough computer/human power to obtain a MS certs (by brute force attack with supercomputers or by traditional spy methods - I believe these methods are much more effective than computer-based attack).
I don't think this AlvinPhilemon is genius enough to overcome all mathematicians and security experts in the world. Probably he just has no idea what he's talking about (may be he's just discovered ability to push provisioning file via .cab files on the full unlocked handsets ).

Bah... this is why, even though I actually work in the computer security world, I don't like to even mention Flame; it's been hyped through the roof and seems to trigger some kind of "go crazy" circuit in people. Government-created malware has existed for decades, at least. No need to get all excited about it. In security terms, it is infact just a malicious worm written by blackhats (the "malicious" and "blackhat" parts are redundent; malice is how you define a blackhat). They might be "good guy" blackhats, but they're blackhats all the same.
Getting back on topic, did you actually read the rest of what I wrote? It's possible to get Microsoft-trusted certs, ready for code signing, out of a MS tool. On the PC, MS has pushed a patch that breaks the authorization chain those certs were using, so that it no longer looks like things signed by it are signed by MS itself. However, WP7 has received no such update yet. It's a long-shot, but it's a possibility.
EDIT: Agreed that trying to either brute-force the private key or find a hash collision (which apparently the Flame developers did, but they probably used massive computations resources to do it) is impractical for any individual on this forum.

Related

Universal WM6 ROM and Enterprise Policies

Hi all,
I would like to discuss about the use of Universal with Windows Mobile 6 in professional life...
Could be the base system compliant with general security policy for firms?
Let me know what's your point of view...
mamiware said:
Hi all,
I would like to discuss about the use of Universal with Windows Mobile 6 in professional life...
Could be the base system compliant with general security policy for firms?
Let me know what's your point of view...
Click to expand...
Click to collapse
All of the Windows Mobile 6 ROM's I have used fully support the security policy stuff that is enforced by Exchange when using the device for "Direct Push" email (for what its worth).
I have also found that if you add Blackberry software it works well enough with there policy software if that is your enterprises ‘thing’.
As for your unique company policy, only you and your IT guys can judge that. Just about EVERY company has a different view on what is important.
Support for Exchange policies, a few custom CABs and support for our device management tool mean that using Mobile 6 (or 5) in our enterprise is a non issue. Our only issue with the Universal is the fact that strictly speaking Mobile 6 is a licence violation on the device . Not the case with the Vox’s, TyTN2’s and other native Mobile 6 devices we have.
Your biggest hurdle is that most IT departments in any sizeable company are not going to let non company kit onto there networks, and for a lot of company’s that will extend to non approved software/ROM images etc. being banned.
I guess security enhancements with WM6 are not so... "strong".
As IT Security Integrator, i'm very waiting for Exchange 2007 SP1, that should enforce AS Policies even more than non-sp1 release.
I advise you and your IT Admin (i think they already did, though) to have a look to Exchange SP1 release notes.
There are literally hundreds of enterprise applications out there for management of mobile devices that support everything from symbian phones, to pda's, to windows mobile phone devices.
Some of the better ones are SOTI, Afaria, and Pointsec.
They give remote access to handle remote package management, as well as locking the device and access to applications by user, or user group too.
I thought he was talking about Activesync security policy.
Thank you for all replies...
But does Exchange 2003 store any information about your device? I'm thinking about Windows Mobile 6 Universal issue... And what about contacting Microsoft to buy a license upgrade (without any software delivery from them)?
I'm confused: what do you mean with "But does Exchange 2003 store any information about your device? I'm thinking about Windows Mobile 6 Universal issue... "
If you're talking about ROM Upgrades to Crossbow and license issue, well it's just a lack of support from Manufacturers. Afaik microsoft is providing WM6 license upgrade for free, but providing customers with WM6 rom on old devices would mean no market for new devices. Microsoft ships upgrades to OEM only however.. Not to final customers.
However Exchange 2003/2007 should not store any information regarding devices. I mean, any information relevant. It recognize the device assigning it a unique Idetifier at first synch (SID). I could have a deep look about that with exchange 2007, though. Just tell me what you're looking for.
Ok... If Microsoft is providing WM6 license upgrade for free... why cooked ROM are not so... "legal"?
My problem is: I would like to use my device in my professional life... and I would like to use it the best way I can! This means I need WM6... The problem is that HTC does not provide an official upgrade, but we know that we can develop our ROM... So... How can I legally install my WM6 cooked ROM on Universal? Should I buy some license from someone? Or I can simply flash my device with my ROM and run it without caring about Microsoft license because the upgrade is free?
What about the SD-card encoding "thing"? It should be compliant with any security policy, provided you only lose the card, not the whole device, since in that case, the card can't be read, right?
Yeah... The SD encoding it's fine for policies but... the question is... the encryption key is store in the device (and is deleted with an hardreset) or is created from some device hardcode data? To answer this question we can only try to encode-hardreset-access data... and see if we can still read sd files... (i'll try next weekend)
Anyway... another issue is... how encrypt all data store in device memory? is there any good (light and clean) plugin (driver or application) that can encrypt all the contacts and calendar and, above all, exchange login details?
new symantec mobile suite 5 should do that and make device super-compliat to most (all?) enterprise policy... i'd like to buy it but I do not find any way to place order through the internet!
mamiware said:
Yeah... The SD encoding it's fine for policies but... the question is... the encryption key is store in the device (and is deleted with an hardreset) or is created from some device hardcode data? To answer this question we can only try to encode-hardreset-access data... and see if we can still read sd files... (i'll try next weekend)
Anyway... another issue is... how encrypt all data store in device memory? is there any good (light and clean) plugin (driver or application) that can encrypt all the contacts and calendar and, above all, exchange login details?
new symantec mobile suite 5 should do that and make device super-compliat to most (all?) enterprise policy... i'd like to buy it but I do not find any way to place order through the internet!
Click to expand...
Click to collapse
Hi,
You could change shell paths so that all user data is stored on the SD.
Although I have not tried it, I believe it's simple enough to move all databases to the SD Card.
Cheers,
Beasty

[Q] Certificate Store in WP7

Hi,
As per the subject, I have been given a Windows Phone 7 device and been tasked to see if a root/user certificate can be extracted from the phone.
We install certificates onto mobile devices such as iPhones, to allow IPSEC VPN tunnels and secure access to exchange servers.
Using the tools I found on this site, I have managed to unlock my test WP7 device, installed the root and user certificates on my WP7 (I downloaded it from our test site) and I also install Advanced File Explorer on WP7 phone.
Based on my rudimentary research, the Certificate Store is not accessible on a WP7 device and the only to remove a certificate from the store is to reset the phone to factory settings.
In the root of the WP7 phone, there is a file called drmstore.dat. I have used Advanced File Explorer to copy this file to my desktop and using NotePad++ see that it does have some MS root certicates in there. But is this the file that would contain the user installed certificates?
My WP7 experience is limited to 3 days so far, so was hoping somebody could point me in the right direction wrt to file location. From what I've read, the OS does seem to be designed really well, so I am hoping that it is indeed impossible to extract the certificate from the device.
The only reason we are doing this test is to work out if the new phone is secure as it is getting difficult to get hold of Windows mobile 6.5 phones as the days progress. The problem is that WP7 phone dont support disk encryption yet (or so I believe) hence the worry ...
Many thanks in advance for your help and pointers.
if the phone is locked then it is really impossible to get it off the phone.
after the update from MS we aren't able to unlock the phone again so I think it is pretty save.
maybe you could look at a dump of a rom to find out where the serts are stored.
Thanks for your reply.
There are interesting times ahead.
The Chevron WP7 exploit will be closed but hte Touchxplorer developer claims that his solution will still allow full file access to system, so I am waiting with bated breadth to see how it all pans out. And who knows, we may have Nokia announcing that they will be using WP7 as an OS for their Nokia hardware on Friday.
Since I am not to au fait with the structure of WP7 phone (and I don't even know why I was given this job considering my hacking skills are about 5%) would you have an inkling as to where they sort of could be kept or how to read or even create a dump of the ROM?
Many thanks. I will search on the forums to see if I can get more information.
Thanks again.

[Q] Proximity Lock like WM6

I searched and didn't find anything related so I'm asking if anyone has thought of creating a small app that locks the device when you put it in your pocket like in WM6?
Simple and to the point:
- At the moment we cant control lock of the WP7 platform.
- Phone.Lock()
edit:
What is the app named?
Thanks for clearing that up, hopefully this feature will come in Mango. Why would Microsoft prevent us from having access?
blindpet said:
Thanks for clearing that up, hopefully this feature will come in Mango. Why would Microsoft prevent us from having access?
Click to expand...
Click to collapse
Because WP7 can only code C#, but with bypass we can code c++, but the "procces" its running under is "LEAST_PRIVILEGED" aka you cant do a **** (file access etc with leaked/extracted dll's from e.g HTC xap files that run higher).
WP7 is kind of locked down (realy) compared with WM6.
fiinix said:
Because WP7 can only code C#, but with bypass we can code c++, but the "procces" its running under is "LEAST_PRIVILEGED" aka you cant do a **** (file access etc with leaked/extracted dll's from e.g HTC xap files that run higher).
WP7 is kind of locked down (realy) compared with WM6.
Click to expand...
Click to collapse
So as long as devs continue their hacking progress being able to create such an app would be possible in the future?
or will you guys never be able to code above 'least privileged' C#?
Sorry if this makes no sense I'm just trying to wrap my head around it
blindpet said:
So as long as devs continue their hacking progress being able to create such an app would be possible in the future?
or will you guys never be able to code above 'least privileged' C#?
Sorry if this makes no sense I'm just trying to wrap my head around it
Click to expand...
Click to collapse
It may (probably will) be possible to run higher and even run ARMv4 exe so it can be alive without being killed.
- One possibility would be that we hack the certificate rights system signing our dll with a hacked cert on the system thinking of that our dll is fully trusted
- Or that custom "policy free" (no security checks) ROMs are released making also the system more hackable by external hackers (unwanted backers that hack your phone).

Windows Phone Developer Registration Program Hack

Hello,
I am a student of Computer Sciene at the University of Udine, Italy.
And recently I have received a AT&T HTC Surround with Windows Phone 7.5.
The problem is always the same. We need to INTEROP-UNLOCK a HTC device.
People greater than me have tried and I do not want to compare to them (I am a noob as stated in the introductory video) but I came up with a sort of idea on trying to develop a new method of interop unlocking.
Since as stated by Heathcliff74 the INTERP-UNLOCK is related to the number of MaxUnsignedApps and the number of max unsigned apps is determined when the Developer Phone Registration program communicates with the server I thought that it could be possible to analyze the behaviour of this app when it communicates with the server and, instead of sending to the phone 3 or 10 send the max number available.
Modifying an exe is a pain so could it be possible to create an emulated server that communicates with Developer Phone registration program by sniffing the connections between the program and the server (I do not know how to do it either since I have just started the network course )?
Maybe it has been already tried but I wanted to tell you anyway since you're great hackers and I am not.
It's a good idea, but I wouldn't hold my breath. This is how the original ChevronWP7 Unlocker hack worked, essentially - you installed a certificate on the phone for a server (normally it uses Microsoft's server and certificate). You then sent the unlock command to the phone and it would try to communicate with the server, but would get the ChevronWP7 server instead, which always said "yes, unlock!"
The catch in your idea is that the fix for ChevronWP7 was to change which certs the unlock process will use - in particular, you can't use user-installed certs anymore - and that means that a user probably can't catch the communication between the phone and the server anymore (which is, I'm sure, where the "value for MaxUnsignedApp" command comes from).
So is the phone that communicates with the server to get the number of apps, not the developer registration program?
Sorry to disappoint you, but it won't work. First of all, it is not the registration-program that communicates with the microsoft server. The registration-program simply send a command to the phone to start the registration process. The phone will contact the Microsoft registration server. The original ChevronWP7 tool spoofed the registration server. Since NoDo this is not possible anymore, because the phone only accepts ssl connections with certified servers (ie servers which have a certificate that roots to a certified authority). The maxunsignedapp is sent over the ssl connection between the phone and the microsoft server, which can't be spoofed or changed with a man-in-the-middle-attack.
Ciao,
Heathcliff74
---------- Post added at 12:57 PM ---------- Previous post was at 12:20 PM ----------
And by the way, Chevron already announced they will release a new Chevron tool, which will do a legit unlock for just a couple of bucks. Just a little more patience.
I have read they launched this now. However how many max unsigned apps till they release and since I have a legit student account on AppHub (I'm a dev) it won't invalidate my account. Just increase the max unsinged apps i think.
Wait for other methods of INTEROP-UNLOCKING.
And thanks to everybody.

Privacy Protection and Data Security in WP7/8

Hello everybody,
I am currently using an android phone and consider to switch to WP8 after it has been release due to better hardware concepts etc.
I already read that WP7 apps are executed in a sandbox and therefore the whole process aint to be more "secure". Anyhow, Iam not concerned about a virus or malware.
My biggest aim is to keep my data private and to secure my privacy.
Regarding WP7 I could not find any hint about that topic. I cannot imagine that nobody cares about this topic around this OS !?
What I want is the following:
Set for each app what it is able to access (e.g. Access to contacts, location etc.)
Control internet access for each app
Maybe it already exists and therefore nobody talks about it, maybe it is technically not possible.... Just want to know
Thank you in advance for your help.
Regards.
WP7 (and presumably WP8) apps use a "Declared Capabilities" model for controlling access to resources like you mention. That is, if an app wants to access the network, it must declare ID_CAP_NETWORKING in its manifest. If it wants to access your contacts, it must declare ID_CAP_CONTACTS... etc. When you view an app in the Marketplace, you can see what capabilities it includes.
However, there's not really any fine-grained control over such things. For example, if you install an app that wants access to your contacts and your appointments, you can't tell it "OK on Appointments, but no Contacts access" short of modifying the app prior to installing (and if you did that, there's a good chance the app would crash when you ran it). Similarly, there's no user-controllable firewall on the phone; an app that specifies ID_CAP_NETWORKING can access anything that is available on the network.
I believe this is similar to the behavior of stock Android ROMs. The advantage that WP7 (and presumably also WP8, but it's too early to tell) has over Android in this regard is that apps go through a much more extensive review process. If an app needs to access your contacts, for example, it better have a good reason for this access and and it will (well, should) be rejected if it sends them off to some advertising company or something.
GoodDayToDie said:
WP7 (and presumably WP8) apps use a "Declared Capabilities" model for controlling access to resources like you mention. That is, if an app wants to access the network, it must declare ID_CAP_NETWORKING in its manifest. If it wants to access your contacts, it must declare ID_CAP_CONTACTS... etc. When you view an app in the Marketplace, you can see what capabilities it includes.
However, there's not really any fine-grained control over such things. For example, if you install an app that wants access to your contacts and your appointments, you can't tell it "OK on Appointments, but no Contacts access" short of modifying the app prior to installing (and if you did that, there's a good chance the app would crash when you ran it). Similarly, there's no user-controllable firewall on the phone; an app that specifies ID_CAP_NETWORKING can access anything that is available on the network.
I believe this is similar to the behavior of stock Android ROMs. The advantage that WP7 (and presumably also WP8, but it's too early to tell) has over Android in this regard is that apps go through a much more extensive review process. If an app needs to access your contacts, for example, it better have a good reason for this access and and it will (well, should) be rejected if it sends them off to some advertising company or something.
Click to expand...
Click to collapse
I see. So basically this means, that I could edit the manifest file of any application myself and set the level of access I want it to have, but the application will probably not work anymore.
For instance, I have an navigation app that wants access to my contacts to offer me a direct navigation option to my friends place as well as internet access for current traffic information. Do I need to trust microsoft, that they reviewed this app so well that it does not send my contact list to the software company ?!
Moreover, this way I cannot prevent microsoft for example to collect whatever they want from my phone, right ?
It is correct, that stock Android does not offer this function, too. However there is the possibility to root it and have apps installed that control all traffic, even those of the OS itself.
ntech3333 said:
I see. So basically this means, that I could edit the manifest file of any application myself and set the level of access I want it to have, but the application will probably not work anymore.
Click to expand...
Click to collapse
Yes. Applications are expecting to see all CAPs they request, as this is an all-or-nothing thing in WP. If you'd edit their manifest, the application could behave arbitrarily, and it would likely crash because an essential assumption it made - that being either it has the CAPs it requires or isn't installed - isn't applicable anymore.
Moreover, this would require at least a developer unlock, for some applications (for instance Skype) an interop unlock and for some applications (all XBL ones at least I think) a custom ROM.
ntech3333 said:
For instance, I have an navigation app that wants access to my contacts to offer me a direct navigation option to my friends place as well as internet access for current traffic information. Do I need to trust microsoft, that they reviewed this app so well that it does not send my contact list to the software company ?!
Click to expand...
Click to collapse
Yes. There is no way to partially grant permissions.
ntech3333 said:
Moreover, this way I cannot prevent microsoft for example to collect whatever they want from my phone, right ?
Click to expand...
Click to collapse
Microsoft makes the system. If they wanted to hide something in kernel mode, and wanted to hide it from all user accessible APIs, this would be easily done. Simply spoken, if you question Microsoft's commitment to their EULA, WP is the wrong OS for you.
ntech3333 said:
It is correct, that stock Android does not offer this function, too. However there is the possibility to root it and have apps installed that control all traffic, even those of the OS itself.
Click to expand...
Click to collapse
Without a kernel built from trusted sources, hiding data streams from all APIs is always possible for an OS maker.
ZetaZynK said:
Yes. Applications are expecting to see all CAPs they request, as this is an all-or-nothing thing in WP. If you'd edit their manifest, the application could behave arbitrarily, and it would likely crash because an essential assumption it made - that being either it has the CAPs it requires or isn't installed - isn't applicable anymore.
Moreover, this would require at least a developer unlock, for some applications (for instance Skype) an interop unlock and for some applications (all XBL ones at least I think) a custom ROM.
Yes. There is no way to partially grant permissions.
Click to expand...
Click to collapse
A custom rom, unlocking etc. is not an obstacle as long as it is possible and serves the purpose
In general I would assume, that any application should be able to run without an internet connection, since it could be possible that you are just not connected to the internet for some reason ?? Therefore, removing the CAP for internet access by editing the manifest file should not lead to any unwanted behavior. Or is it more like that, that all apps check their CAPs they requested on startup and not only when they want to access some ressource ?
This way it would be possible to remove internet access for any application I do not want to send data somewhere without blocking others and without the necessity to remove other CAPs.
Microsoft makes the system. If they wanted to hide something in kernel mode, and wanted to hide it from all user accessible APIs, this would be easily done. Simply spoken, if you question Microsoft's commitment to their EULA, WP is the wrong OS for you.
Without a kernel built from trusted sources, hiding data streams from all APIs is always possible for an OS maker.
Click to expand...
Click to collapse
Generally spoken, I trust nones commitment to any EULA or something. Microsoft, Apple, Google, they all have such documents and every few weeks something comes out that they are tracking you, (anonymously ) etc. Everytime the answer is something like "oh, what a mistake, of course it was not intended to be..."
Of course I do want have the comfort of a smartphone, a tablet pc or a computer, but I want to perserve and control my privacy to such an extend that I am satisfyed with it.
Even on a Windows computer I have got the possibility to control network traffic, to limit access for certain software etc., even to limit access for the OS. So why the heck nobody is interested to have that on a smartphone, why an smartphone must be an free bazar of private information everybody can have and do what they want with it ?
What I want and hope is, that with WP8 (since it will be the same kernel than the PC version) something like that will be possible. Just like on a Andriod phone, too where you can grant internet access for everything, even for system components individually.
Removing ID_CAP_NETWORKING will result in an exception (access denied, essentially) when the app tries to call a networking API. Since the app is probably not expecting that particular exception, it will probably crash. Some apps may have very broad exception handling on their network code and simply assume that they don't have access, though.
You don't really have any control like you describe on a Windows computer. You can set the firewall, sure, but then you're trusting Microsoft to not have some leak or backdoor in the firewall. You can write your own drivers to hook it at the kernel level, but then you're trusting Microsoft not to have a direct access to the HAL that bypasses the network driver stack. You can re-write the HAL (OK, not practically, but let's say "you could install another OS" instead) but even then you're still trusting the manufacturers of your motherboard, your CPU, your network interface hardware, your router, your modem...
At some point, you have to trust somebody. A big, publicly-held corporation with many users, a clear privacy statement, and a lot to lose if they screw up fits the bill is your best bet in most cases. Microsoft fits that bill just fine.
GoodDayToDie said:
You don't really have any control like you describe on a Windows computer. You can set the firewall, sure, but then you're trusting Microsoft to not have some leak or backdoor in the firewall. You can write your own drivers to hook it at the kernel level, but then you're trusting Microsoft not to have a direct access to the HAL that bypasses the network driver stack. You can re-write the HAL (OK, not practically, but let's say "you could install another OS" instead) but even then you're still trusting the manufacturers of your motherboard, your CPU, your network interface hardware, your router, your modem...
At some point, you have to trust somebody. A big, publicly-held corporation with many users, a clear privacy statement, and a lot to lose if they screw up fits the bill is your best bet in most cases. Microsoft fits that bill just fine.
Click to expand...
Click to collapse
Ok, what should I answer ? If you use arguments like that you can extend it to what ever you want.
At some point you need to be realistic when looking at security and privacy. There always can be/is a way to bypass systems on a low level basis to do what you intend to. So what ? You cannot pervent this in any OS.
But when using a third party software firewall that comes with its own drivers, you can be sure to certain extend that you have your networktraffic under control.
This is actually not the point I wanted to make about WP7 and probably WP8.
I understand, that for example an navigation app wants to have access to your contacts to offer you the option to navigate to your friends place. I also see, that this app wants to access the internet to get traffic information. But I do not want this app to have neither access to my contacts nor to the internet since I cannot know what data will be transmitted to the software developer. I even to not want them to do some statistics with me gps positioning. NO. as simple as that. What I do with my information is what I decide.
So what I especially do not like is, that most people in the world do not care about such facts at all. They are running behind apple like lemmings, willingly giveing them all information they have and being happy that everything works so fine on their device !? What the... ?
Anyway, it does not matter, my questions got answered, I will have a closer look at WP8 when it is out and see if it possible to keep my stuff under my control or not.
First of all, EULAs are a binding contract for the first parties, which means that if such a thing were to come out, and it is not a very obvious (actual) bug in the software (Apple's local geolocation data retention bug and Microsoft's bug in WP7 that may have determined the location before you pressed "OK" in the dialog are definitely such - they give nothing of advantage to the two companies), they have a problem named "breach of contract": There will be legal action by activist in such a case.
Then, your argument is valid, a firewall would be effective if you trusted the hardware and software environment. However, I wouldn't hold my breath for it: Firewalls or capability removers are just not fitting in the image of a smartphone. On Android, you also require root for this (important point here: a 3rd party device unlock, it does not come built-in - and apps could also stop working if you withdraw rights from them, since the code might not be prepared for such a scenario either), on an iDevice and Windows Phone it's not possible. It's very much the contrary of how smartphone makers would like to market their devices, a scenario where you might possibly not trust your apps - this could even scare users away from smartphones.
Therefore it is unlikely that WP8 will come with such a capability built-in. Even though WP8 will be sharing the kernel with WinRT, it should be noted that both, WP8 and WinRT will require mandatory UEFI Secure Boot from OEMs. It's likely that this cannot be broken at all unless every a very significant hole can be found that permits to breach the chain of trust or the devices' firmware can be attacked. Hence, it isn't even said whether WP8 can be rooted. If WinRT does not come with Windows Filtering Platform (WFP), it would be the same situation as is on WP7.
You are right, of course the EULA is the first thing to mention But about what legal consequences are you talking ? They will be fined to pay some million dollar ?! Ok, nice, but they still have my data. In this case they bought the information, that's all.
Anyway, I do not want to be paranoid and of course also here at some point you need to stop
To have root access on a device that you own is natural for me. I bought it, it belongs to me, that's why I should be the master on my device. For sure, this does not fit in the global tendency of "not to care about your device, just make it run", too.
On a windows computer I can have administrator privilidges as well. Why they do not want to give me this on my smartphone that claims to be a computer somehow, too?
By the way, WFP is quite a useless piece of invention. I once experimented with WFP for some software project on a windows computer and found out, that the same way I can change every rule someone created for the firewall, everyone else can do. Means: I created a rule to pervent skype to access the internet. Guess what ? Right, Skype detected that and 2min later it deleted my rule and created an own one to grant access again. What use does such a system have ?
There's a rather simple reason, "root" is a badword for most mobile manufacturers: piracy. On Android, that's a different story because you typically can install side-loaded applications, but on the iPhone or Windows Phone you require unlocks to pirate. Typically, piracy is not a practical option on them until you have a root unlock. (If you take a look at WP7, you either require an interop unlock or a custom ROM to have more than 10 unsigned apps - if you wanted to pirate, that would impose a very tight limit on the extend you can do such. Students are even limited to 3 unsigned apps). Root is something that circumvents the control systems of the manufacturer - something that neither Microsoft nor Apple have interest in.
WP and iOS have - compared to Android - very low piracy rates, so this is paying off. (For that matter, WP is probably more locked down than iOS: It took 8 months to public availability of an unlock for my HTC Titan; iOS is usually broken much faster)
I think you're confusing Windows Firewall with WFP. The latter is just a programming interface in the network stack, which allows applications to inspect, filter and modify packets in the network stack. It does not have any rules you could set therefore. Windows Firewall comes with rules, and Skype will - if it has proper privileges to do so - attempt to automatically permit itself in the Firewall.
About the EULA, no. In literally any modern country, data found to have been obtained illegally will result in a sentence to delete the data, to pay a fine and likely to pay the victims damages.
You see, that is the point. The possibility to decide upon your own device is taken away from you due to fears and prejugdes of the manufacturer. Why it always must be connected with piracy ? It means that everybody who wants to have root access on his device is potentially criminal and therefore it is better not to ask for it. Nice.
If you buy a modern house with automatic controlled sun blinds, heating etc. Would you accept, that there is a control room in your cellar, where only the company that built your house has access to? You are only allowed to switch on and off the light in your house. Even the sun blinds open and close whenever they want and tell you when you are allowed to look out of the window and when not. Just because you have no "root" access to change that and you need to accept it.
Fur sure, it is nice to have such system where the user has not rights since most users are not experts and causing mostly only problems where in the other way the system runs smooth and stable...
About WFP, yes I just saw that with Win Vista and Win 7 they introduced such way of filtering platform. I really mixed it up with the windows firewall manager that is accessable via API.
I never saw in any case where data has been found somewhere that users got paid damages. Did Apple do when they tracked their users ? I think no. Did they delete the data ? No they did not, they excused and said something like "oh, what a pitty, we will change that in our next update" Quite safe, isn't it ?
What you fail to see is that android is riddled with issues due to its openness, it is suffering in exactly the same way WM did, you may laugh of WM but android owes its roots to WM. Apple and MS saw the issues, and did something about it.
Yes that restricts you, but you and those like you, are a tiny minority, simply put they have bigger things to worry about, and that is average jo an jane blogs. they do not need that level off access and giving it to them is one of the reasons 10,000s of computers out there are nothing but bots used for DDOS attacks
Remember, WM was slated for being buggy and slow, the reality was far from that, but the networks and OEMs had so much control over the OS they literally screwed it sideways and the magic effect was that they didn't even get the blame, MS did! (ring any bells with android!)
Why didn't WP take off as well as it could have? easy, because firstly it didn't have cool roots to an ipod, secondly because MS tightened up on the OS so much it pissed off the networks, im sorry to say, its little to do with apps and side loading, that's just the first thing people think of when they are talking about something they know nothing about.
Networks like to do things their way and I think you will see their influence in WP8 a lot more, and because of that more than anything else, the networks will like it more, if they like it they will sell it, then you will see a larger uptake in it and thus more apps
anyhow, that's off topic, fact is this, security will only get tighter and rightly so, as much a that is a pain in the arse for you an I, that is the reality, you may have perfectly legit reasons for full access, but I can promise that most who want it probably will use it for something dodgy, MS and Apple can not afford to have a time bomb on their hands in the shape of android.
I fully agree with you !
Just for the protocol: I liked WM very much and I never considered it as buggy and slow, but ok that's another topic.
The reason why Iam using android at the moment is quite simple. There was no satisfying hardware available for any other system. Iphones are useless, for WM almost nothing was there that could be used as a smartphone and WP was likely to be replaced by something else. I was waiting for years that some manufacturer releases a smartphone that has a 2.3" display like a normal mobile. I hate those laptops people try to use like phones with 4" display and what ever.
Since Iam quit unsatisfyed with the quality of my sony ericsson mobile, Iam looking forward to get a Nokia phone again. Moreover, Iam really no fan of open source software since compatiblity is quite bad and the functionality is mostly not really reliable. Iam a heavy MS Exchange user and I do appreciate nothing more than be completely synchronized with my phone laptop and everything. Only WP8 can provide that... So, Iam dealing with it.

Categories

Resources