Old 01-26-2009, 10:10 AM   #30
pretzelb

Let me try to summarize my point with some quotes. First, I like this quote on how to build a good architecture.

Quote:
The architecture of a well-built (constructed designed) OS or applications needs to take security into account. A secure solution does not allow new or unsanctioned programs extensive access to files or potentially dangerous services. This leads to difficulties, as a fully secure system, will block not only malware, but 'friendly' programs as well. As a result, none of the widely available systems can be called truly secure.

Java machines that launch Java applications in 'sandbox' mode come close to achieving secure conditions. As a matter of fact, there have been no viruses or Trojans which pose a serious threat written in Java for a long time, though non-viable proof of concept malware does occasionally appear. Malware written in Java appeared only when vulnerabilities in Java Virtual Machine security were discovered and publicized.

I think the key here is "there have been no viruses or Trojans which pose a serious threat written in Java for a long time, though non-viable proof of concept malware does occasionally appear". This does not say ever, or that it cannot happen. It also goes on to say that malware was created after vulnerabilities in the JVM were published, which seems to be the same road for MSFT (both PC and mobile) malware.

Now, against that information, I'd like to include this quote on how many view the BB security features.

Quote:
For the love of god, PLEASE show me where a Blackberry has EVER been infected with any kind of malware or virus. Yes there are spy programs out there but they MUST BE INSTALLED ON THE DEVICE MANUALLY. You can NOT go to a webpage, no matter how it's coded and it will install it without prompting the user first. I've seen first hand MANY Windows Mobile devices crash because of malware and badly coded websites.

If the device isn't so secure then why is it the number 1 device for the US Government? They check these things out much deeper than any carrier does before they certify them.

This is what I'm arguing against. It's this and the purely anecdotal argument that goes along the lines of "if there isn't any virus reported to date then it's impossible to infect". It's similar to the argument that Linux must be superior to Windows OS security because the volume of viruses is larger (and not maybe because the hackers are targeting the larger audience).

Against that I'd like to quote this which I think says what I've been trying to say about how both can be secure if you put forth an effort.

Quote:
President Obama is keeping his BlackBerry, according to the White House press office. While he'll be able to keep in touch with some personal friends using the device, if he wants to do secret government business he'll need one of two Windows CE smartphones: the Sectera Edge or the L3 Guardian.

The Edge and the Guardian are the result of an $18 million, NSA-sponsored program to develop a top-secret smart phone, according to Randy Siegel, Microsoft's lead enterprise mobility strategist.

Most BlackBerrys and Windows Mobile devices can work with "sensitive, but unclassified" data, according to Tom Liggett, the Sectera Edge product manager at General Dynamics. Those smart phones work with the FIPS 140-2 standard, which encrypts both data traffic and voice calls to a certain extent. And there are a lot of government functions, even in war, that aren't classified. In Iraq, for instance, FIPS 140-2-certified Windows Mobile devices are used for battle triage, roadside bomb detection, and even as sniper aids, Siegel said.

-- cut --

The Edge runs Windows CE, not Windows Mobile. Windows CE is the underlying kernel of Windows Mobile, but the Edge has more secure applications lying on top than the standard Windows Mobile suite. It can still do most of the things Windows Mobile devices do, Liggett said, including push email with Microsoft Exchange servers, playing media through Windows Media Player and editing Microsoft Word documents. (Yes, the government uses Microsoft Exchange, apparently.) Defense department users wanted something that looked like their Windows PCs, Liggett said.

All I'm trying to say is that some of the arguments I've seen are emotional and anecdotal. While a BB virus may not exist that doesn't mean that it's even been tried. People used to think Apple was immune until some hacker got fed up and gave it a try.

Also you can flip the WM argument the other way. More MSFT viruses may exist because more MSFT OS devices exist. Just because it's MSFT don't automatically think it's all bad. If the government sees fit to put BB and WM into the same security classification, and even put Win CE beyond those two into the ultra secure mobile device, it must mean that there is something, just a little something, that MSFT is doing right with security. Unless we want to say the government was totally stupid in their choosing the Win CE and WM phones being used today and that seems like a political topic.

Perhaps I am coming across as being too biased so I'll just let this be my last post on the topic so as not to upset people more.