Read-only archive of the All About Symbian forum (2001–2013) · About this archive

Comments Regarding Symbian Signed.

9 replies · 6 views · Started 23 October 2005

I have several comments regarding this Symbian Signing. I do really hope I'm
wrong, or there are ways to :

1) You need to sign beta software. For big complex applications you REALLY
need the users to test it. IF Symbian only want small applications for
their devices they must let developers know so we can move over to devices
which DOES support larger software packages without these fees. The problem
is not only the money it is the fact that the signing process makes software
development more complex than it needs to be, adds delays, and stops the
user from having the best version of the software at any one time.

2) Automatic updates are nearly impossible. I know device software has
traditionally been on ROM but we are moving into an era where software gets
updated ALL the time. In fact, Symbian Signing can reduce the security of a
device because software already installed cannot be patched easily. Will
developers really spend money to fix a bug?

3) Software evolves. For custom business applications there are LOTS of
minor versions and only a few major versions. This is the way business
software is often developed (Evolutionary model). Developers do NOT have
control over this process - user feedback drives the design. This causes a
lot of companies to choose WAP (which also reduces dependence on Symbian in
future) which is a pain for the users.

4) This model does not provide a simple way software can be "uncertified"
(Which would be possible with Automatic Updates). It will only take one
signed application with a remote execution bug to enable virus writers
hacking again making all the effort and money going to waste (Virus writers
also don't tend to worry about Copyright). This program provides a false
sense of security.

If anybody can tell me where I'm wrong please reply.

Johan du Plessis wrote:

> If anybody can tell me where I'm wrong please reply.

I totally agree. Why not simply allow users to install 3rd party keys on
their phones (and then applications signed with those keys)? That's how
for example Linux distributions operate, and they are pretty secure
regardless. Just say that the responsibility lies with the user when
he's using those apps, and voila.

I want to add one more thing: 1984. In particular, this bit makes me
worried:
==========
- By submitting your application(s) to the third party for testing, you
agree to co-operate with us and our partners in investigating and
resolving any security or operational issues arising out of use of your
applications.

- You agree that, in Symbian's sole discretion, we may procure the
revocation of the Content Certificate (the certificate uniquely
associated with your Application, created upon signature of that
application such that it becomes a Symbian Signed Application) relating
to any of your Symbian Signed Applications if:

- Your Symbian Signed Application or its use breaches the intellectual
property rights of any third party;
==========

Note the "or its use" bit.

So, data caging and platform security: good, centralised authority that
approves your apps: bad. Hopefully Symbian will see that it's only going
to strangle itself by this.

Alex

Alexander Kanavin wrote:

> So, data caging and platform security: good, centralised authority that
> approves your apps: bad. Hopefully Symbian will see that it's only going
> to strangle itself by this.

Okay, I want to clarify: it's not Symbian itself, but operators and
manufacturers - it's up to them how they configure the security model of
the actual phones that they sell. I misunderstood that Symbian imposes
that on them: that's not true.

It's possible that some handsets only allow installation of Symbian
Signed applications and reject everything else outright - this is
obviously bad for the platform. Others might give more control to the
user, perhaps as I proposed in the previous message. The market and user
demands will hopefully sort out which security model is the most balanced.

Alex

Johan du Plessis wrote:

> 1) You need to sign beta software. For big complex applications you REALLY
> need the users to test it. IF Symbian only want small applications for

It seems that Developer Certificates are what comes closest to this:

https://www.symbiansigned.com/Developer_Certificate_FAQ.pdf

However, the limitation of up to 20 IMEIs would preclude a lot of the
alpha and beta testing we are currently doing, which is through a fairly
diverse group of dealers, support technicians, advanced users, with
frequently changing handsets, and who sometimes receive new builds every
two weeks or so - this type of "incremental" (or, as you say,
"evolutionary") development model may be the hardest hit by the new
rules, at least for applications that depend on restricted capabilities.

It might be possible to avoid some of this by strictly factoring out
code that needs protected access into separate packages (e.g. as server
EXEs that encapsulate network communications and device access), which
need updating and testing less often.

Whether this is good or bad for security and application design will
probably become clear only some time down the road, and also depend on
the signing policies for packages that do not contain testable
applications, but only IPC2 servers.

> 4) This model does not provide a simple way software can be
> "uncertified" (Which would be possible with Automatic Updates).

In theory, the fact that there is only a discrete number of binaries
with known hashes would allow the distribution of "revocation lists",
just as for compromised certificates - but the mechanism to do this has
yet to be developed.

I would consider mobile virus scanners to be the most likely first line
of defense once the need for this arises - how much easier is it to scan
for a vulnerability if you can simply look for a package hash from a
list? And they should be the first to deal with the practicalities of
regular signature distribution anyway...

ciao marcus


"Johan du Plessis" <[email protected]>
wrote in message news:Qu5$5sY1FHA.1940@extapps30...
>I have several comments regarding this Symbian Signing. I do really hope
>I'm wrong, or there are ways to :
>
> 1) You need to sign beta software. For big complex applications you
> REALLY need the users to test it. IF Symbian only want small
> applications for their devices they must let developers know so we can
> move over to devices which DOES support larger software packages without
> these fees. The problem is not only the money it is the fact that the
> signing process makes software development more complex than it needs to
> be, adds delays, and stops the user from having the best version of the
> software at any one time.

You only need to sign software if the target device doesn't support
downloading unsigned apps.

Or, you should be able to create specific signed developer versions for your
beta testers. If the software is really complex, you will want to keep very
much in touch with your testers.

Or, because beta software is free, you should be able to get beta software
signed for free 😉

> 2) Automatic updates are nearly impossible. I know device software has
> traditionally been on ROM but we are moving into an era where software gets
> updated ALL the time. In fact, Symbian Signing can reduce the security of
> a device because software already installed cannot be patched easily.
> Will developers really spend money to fix a bug?

Software that is updated all the time might not be appropriate for the bulk
of mobile phone users. It costs money, it will startle them because the app
suddenly does things differently, the app wants to update itself when users
must use it.

Automatic updates have become possible because lots of PC's are connected to
the internet all the time, and the bandwidth limit for broadband users is so
high that for most people it is essentially infinite. For those people
automatic updates can be convenient. For ISDN or modem users it is a pain in
the ass.

> 3) Software evolves. For custom business applications there are LOTS of
> minor versions and only a few major versions. This is the way business
> software is often developed (Evolutionary model). Developers do NOT have
> control over this process - user feedback drives the design. This causes a
> lot of companies to choose WAP (which also reduces dependence on Symbian
> in future) which is a pain for the users.

If you look carefully at the kind of customer the manufacturers and
operators are targeting, you will see that they talk about prosumers,
consumers and business people on the move, using the device for voice and
some other stuff, which hopefully uses lots of bandwidth. They do not talk
at all about businesses as such.

Anyway, if you want to target businesses, Symbian Signing is something you
must take into account. Becoming a self-signer appears to me to be a good
option, if it is cost-effective.

> 4) This model does not provide a simple way software can be "uncertified"
> (Which would be possible with Automatic Updates). It will only take one
> signed application with a remote execution bug to enable virus writers
> hacking again making all the effort and money going to waste (Virus
> writers also don't tend to worry about Copyright). This program provides a
> false sense of security.

But then software can only be uncertified when automatic updates are on. Not
very reliable either.

>
> If anybody can tell me where I'm wrong please reply.

Wrong, wrong.....

You shouldn't assume the smartphone market (assuming this is a unified
market, which it isn't) is exactly like the PC market (assuming this is a
unified market, which it isn't either). There are similarities and there are
differences. Look for the needs of your customers and try finding out
whether a smartphone is the right solution for them.

--
Sander van der Wal
www.mBrainSoftware.com
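
The hash-based revocation list marcus describes, combined with Sander's objection that a device which is not receiving updates never learns of a revocation, sketched as an added example (not code from any poster or from Symbian). The list format, the seven-day freshness policy, the sequence-number rollback check and the use of HMAC in place of a real issuer signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stand-in for the public-key signature a real
# list issuer would use, so that devices hold only a verification key.
ISSUER_KEY = b"constructed-demo-key"
# Assumed policy: a list older than seven days no longer counts as current.
MAX_LIST_AGE = 7 * 24 * 3600


def package_hash(package_bytes):
    """Hash of the exact installed binary; one list entry per revoked build."""
    return hashlib.sha256(package_bytes).hexdigest()


def issue_list(seq, issued_at, revoked_hashes, key=ISSUER_KEY):
    """Issuer side: serialise the list canonically and authenticate it."""
    body = json.dumps(
        {"seq": seq, "issued_at": issued_at, "revoked": sorted(revoked_hashes)},
        sort_keys=True, separators=(",", ":"),
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class RevocationStore:
    """Device side: keeps the newest authenticated list and answers checks."""

    def __init__(self, key=ISSUER_KEY):
        self._key = key
        self.seq = -1
        self.issued_at = None
        self.revoked = frozenset()

    def update(self, signed_list):
        body = signed_list["body"]
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed_list["tag"]):
            return "rejected: bad tag"
        parsed = json.loads(body)
        # Refuse replays of an older list, which would "un-revoke" a package.
        if parsed["seq"] <= self.seq:
            return "rejected: rollback"
        self.seq = parsed["seq"]
        self.issued_at = parsed["issued_at"]
        self.revoked = frozenset(parsed["revoked"])
        return "accepted"

    def check(self, package_bytes, now):
        # A known-bad hash stays bad however old the list is.
        if package_hash(package_bytes) in self.revoked:
            return "revoked"
        # Absence from a stale or missing list proves nothing.
        if self.issued_at is None or now - self.issued_at > MAX_LIST_AGE:
            return "unknown: list stale"
        return "ok"


def demo():
    """Walk through the cases using constructed package contents."""
    good = b"constructed package: good-app 1.0"
    bad = b"constructed package: vulnerable-app 1.0"
    store = RevocationStore()
    list1 = issue_list(1, 1000, [])
    list2 = issue_list(2, 2000, [package_hash(bad)])
    forged = dict(list2, body=list2["body"].replace('"seq":2', '"seq":9'))
    return [
        store.check(good, now=1000),      # no list received yet
        store.update(list1),
        store.check(bad, now=1500),       # flaw not yet known to the issuer
        store.update(list2),
        store.check(bad, now=2500),       # same binary, now listed
        store.update(list1),              # replay of the older list
        store.update(forged),             # body altered after issuing
        store.check(good, now=2000 + MAX_LIST_AGE + 1),  # device went offline
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last case is the one the two posts disagree about: a device that stops receiving lists can still block hashes it already knows, but it can no longer vouch for anything else.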

Maybe you will understand if I say it like this:

We want to replace several thousand users' (a salesforce) laptops with
cellphones.

We really don't care what other people's perceptions are. It is technically
possible to cram what we did with PC's and laptops into the cellphone. Now
suddenly it becomes politically impossible. In general the mobile market
differs from the PC market. BUT the idea of the smartphone was to bring PC
like functionality to the mobile world.

It is also assumed that software is sold. Custom enterprise software is
rarely sold, and mostly part of a bigger package which is part of a bigger
deal. I don't care about Handango or users actually figuring out how WAP
works or nonsense like that.

The other big thing about enterprise environments is a thing called private
IAP's. The cellphone user is never billed for the traffic, but the business
gets a big bill at the end of the month.

Now the argument is that if the enterprise is so big and whatnot they can
afford to pay for signing on a daily basis. This is not so. Specifics like
Symbian development is outsourced and the margins are already small. Whereas
500 euros might be a developer's salary for a month it is the salary for a
skilled programmer in poor countries for a month. Why don't Symbian just
place a sticker on their head that says:
1) We want only big companies to develop software for our handset (with lots of
capital)
2) We only want developers in rich countries to develop software for our
handset
3) We really want to use the word "smartphone" for marketing purposes.
Technically it is smart - then politics makes it stupid again.

If all of us are honest with each other then we would agree that Symbian
Signed was either conceived by somebody braindead (because it does not solve
the problem it claims to) or is a BIG POLITICAL MOVE.



"Johan du Plessis" <[email protected]>
wrote in message news:qY3%231UX2FHA.1660@extapps30...
> Maybe you will understand if I say it like this:
>
> We want to replace several thousand users' (a salesforce) laptops with
> cellphones.
>
> We really don't care what other people's perceptions are. It is technically
> possible to cram what we did with PC's and laptops into the cellphone.

The 100.000 dollar question is : is it economically possible to do so?

> Now suddenly it becomes politically impossible. In general the mobile
> market differs from the PC market. BUT the idea of the smartphone was to
> bring PC like functionality to the mobile world.

That was how it was sold to ISV's. But you surely do not believe everything
you are being told. I mean, this is the industry that thought WAP was a good
idea, and that thought that buying 3G licenses for huge amounts of money was
a good idea, and who's probably now thinking that watching adult content on
public transport is a good idea....

> It is also assumed that software is sold. Custom enterprise software is
> rarely sold, and mostly part of a bigger package which is part of a bigger
> deal. I don't care about Handango or users actually figuring out how WAP
> works or nonsense like that.
>
> The other big thing about enterprise environments is a thing called
> private IAP's. The cellphone user is never billed for the traffic, but the
> business gets a big bill at the end of the month.
>
> Now the argument is that if the enterprise is so big and whatnot they can
> afford to pay for signing on a daily basis. This is not so. Specifics like
> Symbian development is outsourced and the margins are already small.

Enterprise software on smartphones will be sold if it is better value than
enterprise software on laptops and, especially for new technology, if it
gives businesses a competitive edge. Both these reasons should give you
better margins than doing things on laptops.

If daily downloads are the norm, maybe you should start thinking of using a
scripting language for those parts that are frequently updated.

And another thing, it might be possible to install extra certificates on the
phones of your enterprise clients. You can do your signing for free then.

> Whereas 500 euros might be a developer's salary for a month it is the
> salary for a skilled programmer in poor countries for a month. Why don't
> Symbian just place a sticker on their head that says:
> 1) We want only big companies to develop software for our handset (with lots
> of capital)
> 2) We only want developers in rich countries to develop software for our
> handset
> 3) We really want to use the word "smartphone" for marketing purposes.
> Technically it is smart - then politics makes it stupid again.

I would say that an ISV in a low-wage country still has lots of advantages
because he can sell software at high-wage-country prices.

I believe the cheapest Symbian Signed test is now close to EUR 100,--. With
the free testing tool from Digia, I expect prices to go down even further,
and everybody passing the test the first time.

> If all of us are honest with each other then we would agree that Symbian
> Signed was either conceived by somebody braindead (because it does not
> solve the problem it claims to) or is a BIG POLITICAL MOVE.

As I am saying in my other post, it is an indication of the power
distribution within the mobile software market. PC and PDA developers must
remember that there are a lot of other software businesses where they have a
lot less influence (Gaming devices come to mind, and then there is the
mainframe software business). And, that is all because Microsoft has
commoditized PC's.

--
Sander van der Wal
www.mBrainSoftware.com


You are missing the point.

1) You assume software will be sold. This is not the case. It is part of a
bigger service etc.etc.
2) It will be economically possible IF Symbian Signed wasn't such a major
stumbling block. It is more a question about money saved than money spent.
The choice is between giving a salesperson a laptop and cellphone or just a
cellphone.
3) Given the option above it is a lot cheaper to put a larger salesforce
out there. This is especially important in LOW wage countries without
infrastructure and cities etc. (Think of Africa).
4) So it is not just a case of a large corporation saving money - it will
enable a business that did not previously make sense in the poorest of
countries.
5) From this it is obvious you are not going to sell your software at first
world prices.
6) Scripting Language? What about Java? It wouldn't work. It doesn't make
sense to turn a 100MHz machine into an 8MHz machine. Multimedia may play an
integral part in this (e.g. digital photos a) Signatures b) Faces etc.)
There are other multimedia options as well.
7) If Symbian and the phone manufacturers do not want to commoditize the
phone market should we rather go for Microsoft who would be willing to do so
(in the long run)? That is why the PC market has been such a success in the
first place.

"Sander van der Wal" <[email protected]> wrote in message
news:%23f2AK8f2FHA.2948@extapps30...
>
> "Johan du Plessis"
> <[email protected]> schreef in
> bericht news:qY3%231UX2FHA.1660@extapps30...[color=green]
>> Maybe you will understand if I say it like this:
>>
>> We want to replace several thousand user's ( a saleforce) laptops with
>> cellphones.
>>
>> We really don't care what other peoples perceptions are. It is
>> technically possible to cram what we did with PC's and laptops into the
>> cellphone.

>
> The 100.000 dollar question is : is it economically possible to do so?
>
>> Now suddenly it becomes politically impossible. In general the mobile
>> market differs from the PC market. BUT the idea of the smartphone was to
>> bring PC like functionality to the mobile world.

>
> That was how it was sold to ISV's. But you surely do not believe
> everything you are being told. I mean, this is the industry that thought
> WAP was a good idea, and that thought that buying 3G licenses for huge
> amounts of money was a good idea, and who's probably now thinking that
> watching adult content on public transport is a good idea....
>
>> It is also assumed that software is sold. Custom enterprise software is
>> rarely sold, and mostly part of a bigger package which is part of a
>> bigger deal. I don't care about handago or users actually figuring out
>> how WAP works or nonsense like that.
>>
>> The other big thing about enterprise environments is a thing called
>> private IAP's. The cellphone user is never billed for the traffic, but
>> the business gets a big bill at the end of the month.
>>
>> Now the argument is that if the enterprise is so big and whatnot they can
>> afford to pay for signing on a daily basis. This is not so. Specifics
>> like Symbian development is outsourced and the margins are already small.

>
> Enterprise software on smartphones will be sold if it is better value than
> enterprise software on laptops and, especially for new technology, if it
> gives businesses a competetive edge. Both these reasons should give you
> better margins than doing things on laptops.
>
> If daily downloads are the norm, maybe you should start thinking of using
> a scripting language for those parts that are frequently updated.
>
> And another thing, it might be possible to install extra certificates on
> the phones of your enterprise clients. You can do your signing for free
> then.
>
>> Whereas 500 euros might be a developers salary for a month it is the
>> salary for a skilled programmer in poor countries for a month. Why don't
>> Symbian just place a sticker on their head that says:
>> 1) We want only big companies develop software for our handset (with lots
>> of capital)
>> 2) We only want developers in rich countries to develop software for our
>> handset
>> 3) We really want to use the word "smartphone" for marketing purposes.
>> Technically it is smart - then politics makes it stupid again.

>
> I would say that an ISV's in a low wage country still has lots of
> advantages because he can sell software at high-wage-country prices.
>
> I believe the cheapest Symbian Signed test is now close to EUR 100,--.
> With the free testing tool from Digia, I expect prices to go down even
> further, and everybody passing the test the first time.
>
>> If all of us are honest with each other then we would agree that Symbian
>> Signed was either conceived by somebody braindead (because it does not
>> solve the problem it claims to) or is a BIG POLITICAL MOVE.

>
> As I am saying in my other post, it is a indication of the power
> distribution within the mobile software market. PC and PDA developers must
> remember that there are a lot of other software businesses where they have
> a lot less influence (Gaming devices come to mind, and then there is the
> mainframe software business). And, that is all because Microsoft has
> commoditized PC's.
>
> --
> Sander van der Wal
> www.mBrainSoftware.com
>
>> "Sander van der Wal" <[email protected]> wrote in message
>> news:kjFvIyh1FHA.2612@extapps30...[color=darkred]
>>>
>>> "Johan du Plessis"
>>> <[email protected]> schreef in
>>> bericht news:Qu5$5sY1FHA.1940@extapps30...
>>>>I have several comments regarding this Symbian Signing. I do really hope
>>>>I'm wrong, or there are ways to :
>>>>
>>>> 1) You need to sign beta software. For big complex applications you
>>>> REALLY need to the users to test it. IF Symbian only want small
>>>> applications for their devices they must let developers know so we can
>>>> move over to devices which DOES support larger software packages
>>>> without these fees. The problem is not only the money it is the fact
>>>> that the signing process makes software development more complex than
>>>> it needs to be, adds delays, and stops the user from having the best
>>>> version of the software at any one time.
>>>
>>> You only need to sign software if the target device doesn't support
>>> downloading unsigned apps.
>>>
>>> Or, you should be able to create specific signed developer versions for
>>> your beta testers. If the software is really complex, you will want to
>>> keep very much in touch with your testers.
>>>
>>> Or, because beta software is free, you should be able to get beta
>>> software signed for free 😉
>>>
>>>> 2) Automatic updates are nearly impossible. I know device software has
>>>> traditionally been on ROM but we are moving into an era were software
>>>> gets updated ALL the time. In fact, Symbian Signing can reduce the
>>>> security of a device because software already installed cannot be
>>>> patched easiliy. Will developers really spend money to fix a bug?
>>>
>>> Software that is updated all the time might not be appropriate for the
>>> bulk of mobile phone users. It costs money, it will startle them because
>>> the app suddenly does things differently, the app wants to update itself
>>> when users must use it.
>>>
>>> Automatic updates have become possible because lots of PC's are
>>> connected to the internet all the time, and the bandwith limit for
>>> broadband users is so high that for most people it is essentially
>>> infinite. For those people automatic updates can be convenient. For ISDN
>>> or modem users it is a pain in the ass.
>>>
>>>> 3) Software evolves. For custom business applications there are LOTS of
>>>> minor versions and only a few major versions. This is the way business
>>>> software is often developed (Evolutionary model). Developers do NOT
>>>> have control over this process - user feedback drives the design. This
>>>> cause a lot of companies to choose WAP (which also reduces dependence
>>>> on Symbian in future) which is a pain for the users.
>>>
>>> If you look carefully at the kind of customer the manufacturers and
>>> operators are targeting, you will see that they talk about prosumers,
>>> consumers and business people on the move, using the device for voice
>>> and some other stuff, which hopefully uses lots of bandwidth. They do
>>> not talk at all about businesses as such.
>>>
>>> Anyway, if you want to target businesses, Symbian Signing is something
>>> you must take into account. Becoming a self-signer appears to me to be a
>>> good option, if it is cost-effective.
>>>
>>>> 4) This model does not provide a simple way software can be
>>>> "uncertified" (Which would be possible with Automatic Updates). It will
>>>> only take one signed application with a remote execution bug to enable
>>>> virus writers hacking again making all the effort and money going to
>>>> waste (Virus writers also don't tend to worry about Copyright). This
>>>> program provides a false sense of security.
>>>
>>> But then software can only be uncertified when automatic updates are on.
>>> Not very reliable either.
>>>
>>>>
>>>> If anybody can tell me where I'm wrong please reply.
>>>
>>> Wrong, wrong.....
>>>
>>> You shouldn't assume the smartphone market (assuming this is a unified
>>> market, which it isn't) is exactly like the PC market (assuming this is
>>> a unified market, which it isn't either). There are similarities and
>>> there are differences. Look for the needs of your customers and try
>>> finding out whether a smartphone is the right solution for them.
>>>
>>> --
>>> Sander van der Wal
>>> www.mBrainSoftware.com
>>>



"Johan du Plessis" <[email protected]> wrote in message news:f6$jPzg2FHA.1408@extapps30...
> You are missing the point.
>
> 1) You assume software will be sold. This is not the case. It is part of a
> bigger service etc.etc.

Even when developed "in house" the software is "sold" by the IT department to your fleet of salesmen. There is a requirement, a budget allocation, a price and a gain/loss reported at the end of the business cycle. Therefore your software is not freeware and there is no reason to expect special treatment for it. However, this is irrelevant; PlatSec costs are supposed to be compensated by the security gains. If not, do not invest in PlatSec ... it is a free market, as Symbian, although high and mighty, is not the only mobile option. In this context you have to appreciate their move towards PlatSec as either courage or stupidity. I'll go with the first option.

> 2) It will be economically possible IF Symbian Signed wasn't such a major
> stumbling block. It is more a question about money saved than money spent.
> The choice is between giving a salesperson a laptop and cellphone or just a
> cellphone.

The price difference between a laptop and a smartphone is big enough to cover the PlatSec/Symbian Signed costs. You will have to pay 100€ per software release. Divide this by your "several thousands" of users. The cost per "license" is less than 0.09€. So you buy extra security with less than 9 cents and you still think it is too expensive. Are you from Scotland?

> 3) Giving the option above it is a lot cheaper to put a larger salesforce
> out there. This is especially important in LOW wage countries without
> infrastructure and cities etc. (Think of Africa).

Think of your laptop versus phone choice and place it in this African scenario with your sales guy in some isolated area having:
1) Laptop + (cheap) phone. The laptop is affected by malware - from the games installed by your guy's kids. Your salesman can still call you on the phone and you can help him solve the problem or get the data via voice.
2) No laptop, just an insecure smart phone. An MMS arrives from your competitors and the next thing you know your device is sending over the net all your company's business data. You do not suspect a thing but your business is dying. Or, if some malware is crashing the phone altogether, your guy will have to use drum signals to let you know that he has a problem.
3) A secure phone, still less expensive than a phone but more reliable. No access allowed to private data, no suspicious background applications that can affect your business. And voice functionality 24/7 (* if charged and network available).
Now pick the best solution from those 3 above. If the solution selected is 2, add 0.09€ expenses (to make it 3) and analyze the problem again .... If now you choose something else than 3 then consider the 4th option:

4) Animal skins - your guy will write your business orders on them and send them to your office. You enter them in your country as mail (virtually free), process the data and then process the exotic skins. A new business opportunity for you in the fur and skin fashion industry. And you will gain ~100€ for every message received 😊


> 4) So it is not just a case of a large corporation saving money - it will
> enable a business that did not previously make sense in the poorest of
> countries.

If still not convinced, think again about option 4 above. This business really makes sense, man, and is enabled by your infrastructure choice...

> 5) From this it is obvious you are not going to sell your software at first
> world prices.

The price of the software/license only counts where the final business reporting is done. If the overall cost still allows you to make good business then the impact in the poor country is not relevant (for as you said, you are not really retailing the software).


> 6) Scripting Language? What about java? It wouldn't work. It doesn't make
> sense to turn a 100MHz machine into an 8MHz machine. Multimedia may play an
> integral part in this (e.g. digital photo's a) Signatures b) Faces etc.)
> There are other multimedia options as well.

The scripting language can be a solution to compensate in part for the auto-update feature missing from the device. But the auto-update feature is not missing. It is just ... well hidden. Auto-update means download followed by silent install. Downloading is still very much possible without hassle from PlatSec. Now how about the silent install? Already available ... in fact it was always available on Symbian OS (think about embedded sis files). It is just that it is not accessible. But this can be solved; all that is needed is a bit of lobbying from the interested parties (ISVs, businesses). It will have to be limited to signed applications having a certain capability (just because I don't want a signed porn dialler application silently installed on my device) but it is still possible. We just need to prove that we know how to ask while Symbian will need to show that it listens. Anyone taking the initiative?
Multimedia is not limited in any way by PlatSec/Symbian Signed/auto-update feature. Just download and use ... if not DRM protected.


> 7) If Symbian and the phone manufacturers do not want to commoditize the
> phone market should we rather go for Microsoft who would be willing to do so
> (in the long run?) That is why the PC market has been such a success in the
> first place.

Talking from a business perspective, can you estimate how much of your IT department's budget goes to security solutions (firewall, anti-virus, anti-spyware, anti-spam, anti-----)? Not to mention the price of a Microsoft OS license. So you are right, the PC is a success story for human society ... but an even bigger success for companies like Symantec and F-Secure.
My advice is to choose Linux.... as far as I remember there is/was a Motorola phone with Linux OS. You can buy a cheap one for Africa, with console mode only 😊

Best regards,
Lasse


"Johan du Plessis" <[email protected]>
wrote in message news:f6$jPzg2FHA.1408@extapps30...
> You are missing the point.
>
> 1) You assume software will be sold. This is not the case. It is part of a
> bigger service etc.etc.

It doesn't matter whether software is part of a bigger package.

> 2) It will be economically possible IF Symbian Signed wasn't such a major
> stumbling block. It is more a question about money saved than money spent.
> The choice is between giving a salesperson a laptop and cellphone or just
> a cellphone.

I am hard pressed to believe this. Let's assume that you do a signing each
week. This fact alone should give you a lower rate with a test house, which
means you are going to spend EUR 5000 a year on signing, EUR 100 per
signing, 50 times a year and two weeks holiday/festivities. On a project
with a couple of developers writing enterprise software, that is peanuts.

> 3) Giving the option above it is a lot cheaper to put a larger salesforce
> out there. This is especially important in LOW wage countries without
> infrastructure and cities etc. (Think of Africa).

If you give lots of people a smartphone that is capable of replacing a
laptop, and not just any cellphone, you are saving large amounts of money.
If I read your wage figures earlier correctly, EUR 5000 is the salary of one
person a year (EUR 500 a month). So having the program symbian signed will
set you back a single sales person. In some countries maybe even two or
three sales persons. That is peanuts on a large salesforce, which in my mind
is about a hundred people. You also need to buy smartphones for these
people, which will be about EUR 500 a piece.

> 4) So it is not just a case of a large corporation saving money - it will
> enable a business that did not previously make sense in the poorest of
> countries.

I don't buy this. The way I do the maths, Symbian signed is a minor issue.
Not the decisive factor. If it is I would like to see your figures instead.

> 5) From this it is obvious you are not going to sell your software at
> first world prices.

Sorry, but to me this is not obvious given your data.

> 6) Scripting Language? What about java? It wouldn't work. It doesn't make
> sense to turn a 100MHz machine into an 8MHz machine. Multimedia may play
> an integral part in this (e.g. digital photo's a) Signatures b) Faces
> etc.) There are other multimedia options as well.

Who cares? As long as it works for your salesforce, what does it matter if
the processor is working full time or idling away?

If 8 MHz is fast enough, why not buy as many secondhand 9210 and 9290's as
possible? No Symbian Signed problems on that device, can probably be bought
for eur 100,-- a piece, or even less. Software is reasonably portable to the
9300/9500 which can also install unsigned programs. When the next generation
of nokia communicators comes along the S80 V2 devices become cheap again and
you repeat the cycle, staying one step behind the latest devices. You are
after all running a business and not an employee gadget distribution outfit.

> 7) If Symbian and the phone manufacturers do not want to commoditize the
> phone market should we rather go for Microsoft who would be willing to do
> so (in the long run?) That is why the PC market has been such a success in
> the first place.

Preventing the commoditization of the phone market by a powerful OS vendor is
the sole reason of Symbian's existence. And that hasn't been a secret
either. Besides, don't think that this powerful OS vendor would give the
value coming out of the commoditization back to the customer. He would keep
all that money for himself, or spend it by subsidizing a games console 😉

--
Sander van der Wal
www.mBrainSoftware.com

>
>
> "Sander van der Wal" <[email protected]> wrote in message
> news:%23f2AK8f2FHA.2948@extapps30...
>>
>> "Johan du Plessis"
>> <[email protected]> wrote in message
>> news:qY3%231UX2FHA.1660@extapps30...
>>> Maybe you will understand if I say it like this:
>>>
>>> We want to replace several thousand users' (a salesforce) laptops with
>>> cellphones.
>>>
>>> We really don't care what other people's perceptions are. It is
>>> technically possible to cram what we did with PC's and laptops into the
>>> cellphone.

>>
>> The 100.000 dollar question is : is it economically possible to do so?
>>
>>> Now suddenly it becomes politically impossible. In general the mobile
>>> market differs from the PC market. BUT the idea of the smartphone was to
>>> bring PC like functionality to the mobile world.

>>
>> That was how it was sold to ISV's. But you surely do not believe
>> everything you are being told. I mean, this is the industry that thought
>> WAP was a good idea, and that thought that buying 3G licenses for huge
>> amounts of money was a good idea, and who's probably now thinking that
>> watching adult content on public transport is a good idea....
>>
>>> It is also assumed that software is sold. Custom enterprise software is
>>> rarely sold, and mostly part of a bigger package which is part of a
>>> bigger deal. I don't care about Handango or users actually figuring out
>>> how WAP works or nonsense like that.
>>>
>>> The other big thing about enterprise environments is a thing called
>>> private IAP's. The cellphone user is never billed for the traffic, but
>>> the business gets a big bill at the end of the month.
>>>
>>> Now the argument is that if the enterprise is so big and whatnot they
>>> can afford to pay for signing on a daily basis. This is not so.
>>> Specifics like Symbian development is outsourced and the margins are
>>> already small.

>>
>> Enterprise software on smartphones will be sold if it is better value
>> than enterprise software on laptops and, especially for new technology,
>> if it gives businesses a competitive edge. Both these reasons should give
>> you better margins than doing things on laptops.
>>
>> If daily downloads are the norm, maybe you should start thinking of using
>> a scripting language for those parts that are frequently updated.
>>
>> And another thing, it might be possible to install extra certificates on
>> the phones of your enterprise clients. You can do your signing for free
>> then.
>>
>>> Whereas 500 euros might be a developers salary for a month it is the
>>> salary for a skilled programmer in poor countries for a month. Why don't
>>> Symbian just place a sticker on their head that says:
>>> 1) We want only big companies develop software for our handset (with
>>> lots of capital)
>>> 2) We only want developers in rich countries to develop software for our
>>> handset
>>> 3) We really want to use the word "smartphone" for marketing purposes.
>>> Technically it is smart - then politics makes it stupid again.

>>
>> I would say that an ISV in a low wage country still has lots of
>> advantages because he can sell software at high-wage-country prices.
>>
>> I believe the cheapest Symbian Signed test is now close to EUR 100,--.
>> With the free testing tool from Digia, I expect prices to go down even
>> further, and everybody passing the test the first time.
>>
>>> If all of us are honest with each other then we would agree that Symbian
>>> Signed was either conceived by somebody braindead (because it does not
>>> solve the problem it claims to) or is a BIG POLITICAL MOVE.

>>
>> As I am saying in my other post, it is an indication of the power
>> distribution within the mobile software market. PC and PDA developers
>> must remember that there are a lot of other software businesses where
>> they have a lot less influence (Gaming devices come to mind, and then
>> there is the mainframe software business). And, that is all because
>> Microsoft has commoditized PC's.
>>
>> --
>> Sander van der Wal
>> www.mBrainSoftware.com
>>
>>> "Sander van der Wal" <[email protected]> wrote in message
>>> news:kjFvIyh1FHA.2612@extapps30...
>>>>
>>>> "Johan du Plessis"
>>>> <[email protected]> wrote in message
>>>> news:Qu5$5sY1FHA.1940@extapps30...
>>>>>I have several comments regarding this Symbian Signing. I do really
>>>>>hope I'm wrong, or there are ways to :
>>>>>
>>>>> 1) You need to sign beta software. For big complex applications you
>>>>> REALLY need the users to test it. IF Symbian only want small
>>>>> applications for their devices they must let developers know so we can
>>>>> move over to devices which DOES support larger software packages
>>>>> without these fees. The problem is not only the money it is the fact
>>>>> that the signing process makes software development more complex than
>>>>> it needs to be, adds delays, and stops the user from having the best
>>>>> version of the software at any one time.
>>>>
>>>> You only need to sign software if the target device doesn't support
>>>> downloading unsigned apps.
>>>>
>>>> Or, you should be able to create specific signed developer versions for
>>>> your beta testers. If the software is really complex, you will want to
>>>> keep very much in touch with your testers.
>>>>
>>>> Or, because beta software is free, you should be able to get beta
>>>> software signed for free 😉
>>>>
>>>>> 2) Automatic updates are nearly impossible. I know device software has
>>>>> traditionally been on ROM but we are moving into an era where software
>>>>> gets updated ALL the time. In fact, Symbian Signing can reduce the
>>>>> security of a device because software already installed cannot be
>>>>> patched easily. Will developers really spend money to fix a bug?
>>>>
>>>> Software that is updated all the time might not be appropriate for the
>>>> bulk of mobile phone users. It costs money, it will startle them
>>>> because the app suddenly does things differently, the app wants to
>>>> update itself when users must use it.
>>>>
>>>> Automatic updates have become possible because lots of PC's are
>>>> connected to the internet all the time, and the bandwidth limit for
>>>> broadband users is so high that for most people it is essentially
>>>> infinite. For those people automatic updates can be convenient. For
>>>> ISDN or modem users it is a pain in the ass.
>>>>
>>>>> 3) Software evolves. For custom business applications there are LOTS
>>>>> of minor versions and only a few major versions. This is the way
>>>>> business software is often developed (Evolutionary model). Developers
>>>>> do NOT have control over this process - user feedback drives the
>>>>> design. This causes a lot of companies to choose WAP (which also
>>>>> reduces dependence on Symbian in future) which is a pain for the
>>>>> users.
>>>>
>>>> If you look carefully at the kind of customer the manufacturers and
>>>> operators are targeting, you will see that they talk about prosumers,
>>>> consumers and business people on the move, using the device for voice
>>>> and some other stuff, which hopefully uses lots of bandwidth. They do
>>>> not talk at all about businesses as such.
>>>>
>>>> Anyway, if you want to target businesses, Symbian Signing is something
>>>> you must take into account. Becoming a self-signer appears to me to be
>>>> a good option, if it is cost-effective.
>>>>
>>>>> 4) This model does not provide a simple way software can be
>>>>> "uncertified" (Which would be possible with Automatic Updates). It
>>>>> will only take one signed application with a remote execution bug to
>>>>> enable virus writers hacking again making all the effort and money
>>>>> going to waste (Virus writers also don't tend to worry about
>>>>> Copyright). This program provides a false sense of security.
>>>>
>>>> But then software can only be uncertified when automatic updates are
>>>> on. Not very reliable either.
>>>>
>>>>>
>>>>> If anybody can tell me where I'm wrong please reply.
>>>>
>>>> Wrong, wrong.....
>>>>
>>>> You shouldn't assume the smartphone market (assuming this is a unified
>>>> market, which it isn't) is exactly like the PC market (assuming this is
>>>> a unified market, which it isn't either). There are similarities and
>>>> there are differences. Look for the needs of your customers and try
>>>> finding out whether a smartphone is the right solution for them.
>>>>
>>>> --
>>>> Sander van der Wal
>>>> www.mBrainSoftware.com
>>>>
>>>
>>>
