Nothing we ever create, especially software, is ever perfect. One of the banes of professional systems administrators is the software update process, and the risk trade-offs it entails. Patch with a bad patch and you can crash a system; fail to patch soon enough, and you may fall to a known attack vector. The mobile phone companies have taken an innovative approach to the problem: They ignore it. It makes perfect sense to them. If a hacker bricks your phone, they’ll sell you a new one, with a new two-year lock-in.
I suspect this is frustrating to the authors of phone software, who have their own brand to consider:
Artak Abrahamyan , Technical Support Specialist from i-Mate, responded to my email requesting when they’d be releasing MSFP [Microsoft Security & Feature Pack] updates …Although I requested information about which devices would be receiving updates, he didn’t provide that information. My hope is that it will be for all of the Windows Mobile 5.0 devices that i-Mate has released so far. Looks like we’ll see this in early March. (From “Smartphone thoughts“)
This ‘innovative’ approach to preventing customers from getting at a patch has many upsides in fewer software variants running, higher assurance for the telco, and more time for worm writers to hone their attack code.
I am reasonably confident that my phone has security issues. (I’m not slamming Microsoft here–I’m reasonably confident that all software I’ve ever touched has security issues.) However, I have a phone running Windows Mobile, and so I’m aware of my failure to patch. I’d like to see a mobileupdate.microsoft.com that allowed me to bypass this telco nonsense and get patches.
[Update: While I’m talking about telco security, let me mention the idiots at Cingular, who insist that caller-id is a good way to authenticate me to my voice mail, and refuse to give me a way to add a password. If you don’t understand why that’s a bad idea, “this google search” may enlighten you. Take a look at those ads.]
(Phone box photo by Alex Segre, on Flickr.)