This story raises a fundamental question for me, akin to the question I asked when the Microsoft Office macro viruses first emerged about 11 or 12 years ago. In that case, the question was why anyone would ever want to be able to silently erase the entire hard disk with an auto-run macro in a Word or Excel document -- why did the macros have unlimited access to all system functions in the first place, when there is no possible benign use for the capability? Why would I want a macro in one document to be able to change _anything_ outside that document?
Why on EARTH would I ever *WANT* my cellphone to be programmable via a text message I received? The cellular company has -- or is culpably negligent if it doesn't have -- some other means to send programming updates to my phone. Things like ringtones should be compartmentalized, if not strictly limited to non-executable data. Games and other programs should also have some other point of entry to the absolute exclusion of text messages. No program should ever be able to initiate a message of any kind without specific and explicit confirmation by the user.
It's not as if the potential for abuse was unforeseeable. No software is ever perfect, but these products are apparently designed without the slightest attention to basic security issues. It's like worrying about the latch on the gate when there's a fifty-foot [15m] hole in the fence.
One of the very first questions in designing the software for a device like this should be, "What programs might the user want to download and why?" That leads into, "How should programs be allowed access into the device?" and "How do we make sure that unauthorized programs don't sneak in?" That's your fence; *then* you can worry about the gate.
Linc Madison * San Francisco, California * Telecom at Linc Mad dot com URL: <