Domain: eros-os.org
Stories and comments across the archive that link to eros-os.org.
Comments · 275
-
Re:Aw hell...
RunAs (more precisely CreateProcessWithLogonW and similar) doesn't and can't provide any meaningful process isolation.
-
Re:Looks like...
Are you saying this has been done? Multics had better buffer overflow protection 40 F#%îng years ago! That's right, *before unix existed*, four decades ago, that's before gates had pubic hair! (Okay, I didn't fact check that one, but this is a long time, and I am not just talking in Internet or doggy years.)
So, where are the lines before compusa to buy one of these computers that may not have the most megahurts and marchitecture, but that doesn`t get new viruses/spyware/script kiddy zombie code every week while mailing personal files to random strangers?
I will tell you where these people are, they are right around the corner at the newsstand waiting for the latest issue of "screenshots, colors, windows and screensavers monthly". While there are billion dollar (memory) price fixing and (os) monopoly scams going on the trade media wonders what the color of Microsoft's next operating system is and where to get the newest megahurts this month....
The reason multics was secure, the people designing it figured security would make a nice feature so they designed it in by default... Of course others tried that but once you add a huge piece of shell/browser/e-mail client/media player, mix in a bunch of rpc accessible administrative tools and have all this code monkey C code run with administrative privileges.... then you are gonna need systems to tell you when your remaining security is gone. (virus signature addiction systems, packet filters and intrusion detection systems).
The baby steps taken in today's "security addons" that descend from the tools dos admins used to clean out the few known viruses are pathetic. The worst part, the people making money off it. These people are evil even by atheist standards (keeping people addicted to virus signatures while selling telephone tapping equipment by comverse/the mossad, while playing "trusted" third party by selling expensive certs (Want a microsoft.com one? here go right ahead).... while screwing everyone's DNS over just for a few quick bucks.)
The people selling computer security are snakeoil/ducttape sales scumbags (safe for non redneck work)
If people had just read the US DoD stuff on computer security (multics, orange book) and used it as a starting point for a one step more secure OS we could just worry about how to make computers do new useful stuff instead of fending off the spyware/worms/ddos and god knows what people who stay out of log files do. Anyway, one can always start from scratch
-
Re:No Execute = snake oil
This is just silly. There are well-known, but not very widely implemented techniques to prevent the scope of damage from viruses, trojans, etc. Confinement is the simplest and the most promising, but can only be found in operating systems that are properly designed with protection in mind. What's needed is for people to get their heads out of their asses and look at viable alternatives to today's poorly designed systems.
-
Why SP2 should be celebrated
Service pack 2 has been a big pain in the ass of almost everyone who has to do something with more than three PCs, but it's still the best thing from Redmond in years!
The reason, Microsoft has *never ever* gone through changes that would impede backwards compatibility, even if such changes are the only way to fix fundamental security oversights. For some reason the whole wintel world still hinges on backward compatibility, even though lots of it could be done away with for years now. How many people still run dos software on systems that can't run better on a real emulator?
That is, until service pack 2.
- RPC access to buffer overflow prone code? unix proved that wasn`t the way to go from a security point of view, so Microsoft put everything administrative behind DCOM....
- Password hash algorithms that suck, lets just keep em in every windows for windows 95`s sake and put a somewhat less sucky one right next to it.... A big blob of code that does shell browser and e-mail work, but for which noone knows how it really fits together or where the security todo areas were...
- A kernel that has the best design on the general market thanks to dave cutler and his gang, A design that is of no use whatsoever because everything gets all or way to many permissions for no reason whatsoever, not even easy of use!
And now after many years Microsoft has somewhat fixed some fundamental problems... thats nothing short of a miracle! Its not because these few changes are gonna make a lot of difference its because they prove microsoft finally "got it". Microsoft figured out it has to choose between backward compatability or killing the internet and their market as we know it though worldwide armies of zombies, spyware everywhere and spam traffic reaching the limitations of any mail server. These are just the problems you can see, god knows what people do who can both find a hole and erase a log file.... The bottom line is that there is only so much spyware and worms a normal user can put up with. this line is approaching rapidly for the majority of windows users. Is has been long past for some people who, luckly for microsoft, don`t have a clue how to move. Its hard to explain to people who do think about what they buy that they need exchange if all they get though it is spam and worms...
So... with every story of applications needing to be replaced (
*) Basicly its the DoD is asking for security certification, noone asks for stuff that is "not substantially less secure then older competition like VMS". Try this, walk into compusa and ask for a computer that allows you to write texts and send email but that doesn`t get "virusses"..... they will sell you a virus scanner! those didn`t work in the dos days for christ sake! Virus scanners were intended for the admins lucky enough to get a know virus to help them find and clean it, they had to infect many files to be able to stick around back then. Scanner were never intended to solve any problem.
-
Boring
Longhorn will be the first release of Windows authored completely after Microsoft began their Trusted Computing Initiative and released .NET. Longhorn will reimplement and convert major Windows subsystems to managed code.
This really starts to get boring. I have already written about it countless times only to get completely ignored every time I dare to point out that the emperor is naked.
I find it truly amusing that people who say that there are other advantages than only Digital Restrictions Management of using "trusted" computing and Palladium-like platforms usually talk with great enthusiasm and excitement about the new and innovative security features that have already been implemented in the 1970s for crying out loud, only better and with no strings attached. All TCPA zealots are usually completely ignorant of the existence of such operating systems as KeyKOS or EROS with formal proofs of correctness for God's sake and without all of the silliness of "trusted" computing.
And no, this is not only my opinion that we don't need DRM to get security. I am not the only one who says that everything that TCPA can possibly do to security can also be done in software, with the only exception of DRM, and in fact it has already been done, decades ago. I am not really surprised at all why it is completely ignored by the TCPA and TCI pushing industry. I am only outraged that there are so many naïve people who once again will gladly do anything no matter how dumb it is, if only their good uncle Bill Gates says that it's good for them.
Please, people, if you want to learn about real systems security, then read some old papers by Jerome Saltzer, Michael Schroeder, Norman Hardy and Jonathan Shapiro. If you want to learn about cryptography, read texts by Bruce Schneier. Microsoft is not a reliable source of knowledge in that field.
People always ask me where are the real innovations in systems security and I always tell them that they are in the seventies, and have been being ignored since then by major software vendors because people don't demand using them. This story and this thread is a great example: "Yeah, this version of Windows may suck, but still I am looking forward to buy the next one."
This will dramatically lessen the exploitation potential of code flaws in the Windows application libraries. Microsoft has to maintain support for legacy application, but that doesn't mean they can't get a fresh start on the underlying code, and doesn't mean that existing Microsoft applications can't be converted to managed code as well.
Wait, I've already heard it... In 1995, 1998, 2000, 2003... Oh, you mean that this time they really mean it?
-
Re:Mach Microkernel vs L4
That's being foolish. There's plenty of "experimental" OSes around, many of them Free Software, like EROS; that isn't what the HURD should be doing. It shouldn't be this neat system where development breaks away completely from what programmers are used to writing, therefore guaranteeing that porting of applications will be a tedious, and ultimately fruitless, process.
What the HURD developers should be doing is (risking the wrath of the community) be less revolutionary, and get something going. The team spent God-knows-how-long stumped on that file system mmap() problem, which barred disks larger than 2GB from being mounted. If one runs across this kind of barrier during the development of a system, one should just drop the feature and use something else which is known to work, and leave that feature for version 2.0 or something.
Of course, if the software is too little revolutionary, it won't make any sense to use it: The L4 developers already have a Linux 2.6.10 running on top of their microkernel... There ought to be some kind of compromise, basically dropping features when the milestones keep getting pushed back.
Then again, the Hurd might have been just a victim of the Cathedral method it (used to) be developed with...
-
Great
When the first programs run, it is just a matter of time before there is a functional L4 port of Debian GNU/Hurd (or just Debian GNU?). I really like the design of the Hurd, but what I'd like to see the most are not the "POSIX capabilities" but the real capabilities as described in the 1975 paper by Jerome Saltzer and Michael Schroeder, The Protection of Information in Computer Systems. (For those who don't know what I am talking about, I recommend starting from the excellent essay What is a Capability, Anyway? by Jonathan Shapiro, and then reading the capability theory essays by Norman Hardy. As a side note I might add that I find it amusing that people who say that there are other advantages than only Digital Restrictions Management of using TCPA/Palladium-like platforms usually quote security features, which have already been implemented in the 1970s, only better and with no strings attached. Those TCPA zealots are usually completely ignorant of the existence of such operating systems as KeyKOS or EROS with formal proofs of correctness without all of the silliness.) Are there any plans to have a real capability-based security model available in the Hurd?
-
Capabilities — not POSIX “capabilities”
a project to create an operating system whose security relied on capabilities rather than the traditional Unix model of root or non-root.
This has been possible in Linux (and some proprietary Unices) for some time now. Why the need for a separate OS?
Linux? Kids these days... Capabilities is a feature from the 1970s. If Coyotos is anything like EROS or KeyKOS, then they don't mean POSIX "capabilities" but real capabilities as described in 1975 by Jerome Saltzer and Michael Schroeder in the famous The Protection of Information in Computer Systems paper: "Capability--In a computer system, an unforgeable ticket, which when presented can be taken as incontestable proof that the presenter is authorized to have access to the object named in the ticket." For an excellent introduction to capabilities, read What is a Capability, Anyway? by Jonathan Shapiro. Then read the Capability Theory by Sound Bytes essays by Norman Hardy for more informations. Those papers are classics, just like Reflections on Trusting Trust by Ken Thompson. It's a must-read for anyone who wants to have even the slightest idea about computer security at all.
-
Good questions
I remember they got us to prove around about 5 lines of code correct as part of a module in my Comp. Sci. degree.
So you know that it is possible, even if not trivial.
It took around half an hour of non-trivial effort, so good luck getting companies who churn out millions of lines of code to do this.
I can guarantee you that if people demanded, the companies would do it, and that is exactly what I was saying. Remember that those are customers who have the power, not the companies. The companies might not like it, but they would have no choice if people stopped buying their products.
And doesn't it get more complex with increased code size?
Yes, it does, and that is why your kernel cannot be monolithic, because otherwise you have to prove the correctness of every single line of code running in the kernel space, including all of the drivers and kernel modules. The projects I was talking about in my post above use a concept of nanokernel, for that very reason.
Is it even feasible for large projects?
Yes, it is. See the EROS operating system.
And what about when you inevitably make a mistake in your calculations?
Then other people might spot it reading your proof. This problem is as old as mathematics. What if Einstein made a mistake in his calculation?
-
Yes and no
Still, you can't block every hole in security. Sometimes you just have to hope, right?
Yes, you can. No you don't. Software is just an applied form of discrete mathematics. "Beware of bugs in the above code; I have only proved it correct, not tried it," as Donald Knuth once said. It is possible to present a formal proof of correctness for any algorithm. It is nearly impossible and certainly impractical when you have a big mess of spaghetti code like with most of software that is utter crap, but it is possible nonetheless when you know what are you doing and design appropriately, with very clean, small and isolated parts of your system responsible for enforcing its security policies. Take a look at such operating systems as KeyKOS and EROS. E.g. read Verifying Operating System Security paper by J. S. Shapiro and S. Weber: "This paper presents a proof of correctness of the EROS operating system architecture with respect to confinement." Read some essays by Norman Hardy, especially those on Capability Theory. This is hardly a new idea, see GNOSIS: A Prototype Operating System for the 1990s paper by Bill Frantz, Norm Hardy, Jay Jonekait and Charlie Landau, written more than 25 years ago. The bottom line is: it is certainly possible to have a 100% secure system, but developers don't bother because users don't care.
-
Re:In Case it get's /.ed
It would be interesting to see a real vulnerability analysis comparison with operating systems designed to be more secure, like these ones:
In Lunix and other access control list operating systems the exploit path is well known: (1) remote exploit to an unprivileged account; (2) local exploit to a privileged account. The operating systems referenced above have no privileged accounts so this exploit path is not possible and especially so in the case of EROS, a capability based system that has no accounts (in the Lunix sense) at all!
-
no root account...
-
Re:Crash-only software
Try EROS, which implements orthogonal persistence.
-
Re:Rebuttal
A "Continuous Save" is unpractical.
-
Re:Power Failure Crash...
You don't even need to dump the complete RAM. The OS could save most of the main memory to swap space in the background. Then it would have to dump only a megabyte or two at power failure, which could be done very quickly.
There have been operating systems that take this problem seriously for at least 20 years, but they are rare and have usually stayed in a research environment. An example is Eros, which is able to boot up to a *consistent state* after a power failure. The system guarantees that when you reboot after the power failure, what you get is a state which the system was in a second or two just before the failure.
-
Re:EROS - an orthogonally persistent OS
The OS you're talking about is EROS, an orthogonally persistent operating system. EROS doesn't seem to be under active development, but other OSes are. The one I know about is Unununium.
And yes, I agree it is a design issue, not a limitation of our hardware and software.
-
Re:my guide to avoiding worms
My guide to avoiding worms:
When you go to the shop for a new pc, rather than asking for the newest and fastest one with the most megahurts, ask for one that can't get worms while you are just trying to read your mail. Now if only someone were to market this hot new (only thirty year old) technology.
If no one asks, people will sell everyone crap for many years to come.
Packet filters (traffic mutilating routers) and virus scanners (virus cleanup tools from the dos days) have little to do with security. Personal firewalls that specify the processes that get to do networking and the no execute flag in processors are baby steps back to the day when people realized how to build computers a script kiddy can't mess with no matter how stupid the application coders behave. I am sorry did I say something to offend the billion dollar a year scaring-people-into-buying-shitty-addictive-security-products "business" You know, the one threatening its own customers to pay up for signatures or die a horrible worm infested death.
-
EROS is the most safe!
If you look for security, have a look at http://eros-os.org
It is the most secure because:
- It is built around a capability system
- It has no applications
- The scripty kiddies don't know it is there
-
Shapiro's take on this
Shapiro is the guy working on a research Operating System project (The EROS system).
EROS was originally implemented in C++, but then it was reimplemented in C.
-
Vulnerability listings
The article's comment about NetBSD being "insecure" raised my eyebrows, as well. NetBSD is not known for being particularly insecure, and the comment struck me as out-of-place and ill-informed.
But, I couldn't let this slide (even giving up my mod points): counting security advisories is just not a good way to judge the relative security of an OS, especially one of the more uncommon ones. SecurityFocus has no vulnerabilities listed for either MS-DOS or EROS, but few people would conclude that both operating systems were equally secure, or that MS-DOS's unblemished security record means it's more secure than OpenBSD (which has many dozens of vulnerabilites listed, most of which are advisories for bundled programs like Apache which OpenBSD nevertheless takes responsibility for).
Even worse, the more that people are believed to be using vulnerability lists to compare OSes, the more pressure vendors feel to improve their scores by sweeping security problems under the rug. Microsoft is notorious in this regard -- years after promising to make security their #1 focus, whenever they think they can get away with it they continue to hide known security bugs from sysadmins (who would be able to deploy work-arounds if they were told about the problems) in favor of silently sneaking the fixes into the next service pack many months later.
-
What you need
To summarize: the traditional access controls are designed to protect users from each other. This is not enough.
What you need is a capability based system. And by capabilities I don't mean POSIX "capabilities" but the real ones. This is hardly a new idea. Read some papers by Norman Hardy. Start from Capability Theory by Sound Bytes and read the referenced articles until you start getting the idea. Then read about GNOSIS: A Prototype Operating System for the 1990s, a 1979 paper by Bill Frantz, Norman Hardy, Jay Jonekait and Charlie Landau. Then read about KeyKOS, a persistent, pure capability operating system. Then read about EROS: The Extremely Reliable Operating System. I think it will be enough for a good start. As you see all of those problems we discuss today in this article have already been solved in the '70s or '80s at worst. But those who don't know the history are doomed to repeat it.
-
Everything-is-like-biology fallacy
Comparing every aspect of computing and networking to biology is not any less fallacious than trying to understand how does a car work looking at it like it was a biological organism. Real life has evolved randomly together with virii and parasites but all of the software including any kind of malware was intelligently designed. The most common misconception resulting from such a reasoning is that computer malware will always be relatively harmless because killing the victim is not smart from any parasite's point of view. Wrong. A deadly worm quickly spreading and erasing all of the data an hour later would not survive so long as Code Red, but it doesn't have to survive in the first place if that is not important for its creator. Survival is not important because software doesn't have to live long enough to evolve. It is designed and created manually and then released. It can be written for months or years and then live only few hours if that is the purpose of writing it. I think that assessing the spreading patterns of Internet malware like those of human epidemics might be very interesting but there is a hidden fallacious reasoning that comparing the virii themselves to human diseases will somehow help fighting them which leads to concentrating on spectacular effects instead of boring causes of the problem. The problems are buffer overflows which can be completely eliminated, running code from untrusted sources, etc. It has nothing to do with literally anything known in the real world any more than proving a theorem does. Another thing is comparing Internet to a population and fighting malware in the context of epidemics. This is foolish. In reality, there is a user with a computer and her data. She can lose her data or some of her secrets may become public and in that case she won't say "that's OK because this epidemic disease is contained and the population of computer users will survive" because if she loses her work she doesn't care about other computers. 
When she gets broken into she shouldn't think "I am sure my system will keep working because killing it would be disadvantageous from the evolutionary standpoint for the software" because the ultimate reason of the attack is not just the existence itself. The reason may be getting user's credit card number or performing a DDoS attack. The reason may be causing panic by deleting everything. The reason may be anything. And the problem is not millions years of evolution side by side with parasites but using "gets" instead of "fgets." It's not that we don't know how does the malware work or that we cannot write secure code. Look at KeyKOS or EROS. Look at OpenBSD. Look at Debian. Do we have any "epidemics" there to contain and to fight? No. Such studies are interesting but only because observing symptoms and effects is interesting. If we really want to stop malware we should start from reading the source code of EROS instead of analysing global patterns in problems with Windows. Please read this paper from 1979: GNOSIS: A Prototype Operating System for the 1990s. The problem is that we have 2004 and still the most popular operating system completely ignores the solutions from the 1970s.
-
For god's sake people, stop kidding yourselves
It is now official. Netcraft confirms: Eros is dying
One more crippling bombshell hit the already beleaguered Eros community when IDC confirmed that Eros market share has dropped yet again, now down to less than a fraction of 0.0001 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that Eros has lost more market share, this news serves to reinforce what we've known all along. Eros is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Research Projects That Promise Much But Go Nowhere networking test.
You don't need to be a Kreskin to predict Eros's future. The hand writing is on the wall: Eros faces a bleak future. In fact there won't be any future at all for Eros because Eros is dying. Things are looking very bad for Eros. As many of us are already aware, Eros continues to lose market share. Red ink flows like a river of blood.
Let's keep to the facts and look at the numbers.
Eros leader Jonathan Shapiro states that there are 7 users of Eros. How many users of KeyKos are there? Let's see. KeyKos is at about 8 percent of the Eros market. Therefore there are 7 + 1 = 8 users of either Eros or KeyKos. This is consistent with the number of Eros Usenet posts.
Due to troubles at University of Pennsylvania, abysmal development speed and so on, Eros went through a "focus shift" by doing a useless rewrite in C and was taken over by Johns Hopkins University, who attempted to continue development on this troubled OS. Then the project was sidetracked while precious development resources went towards creating Yet Another Useless Version Control System. Now it is dead, its corpse turned over to yet another charnel house.
All major surveys show that Eros has steadily declined in market share. Eros is very sick and its long term survival prospects are very dim. If Eros is to survive at all it will be among OS dilettante dabblers. Eros continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, Eros is dead.
Fact: Eros is dying
-
Worms are just like any other software
Remember back to the days of MS-DOS? Everything was very minimal and non-bloated, but still, things were slow. As computers got faster, software didn't get faster. It just got more bloated to take advantage of all that new speed and memory available. Today I have dozens of windows open, a media player, an IDE, mail reader, etc, and you need 256mb to run Linux or Windows XP. That's bloat. But, they do a lot more than they used to. Much much more.
And it's the same with worms. Rather than hand-coding them in assembly to get them in under 1000 bytes (or whatever) they can now be developed with good tools, useful libraries, and they can have all kinds of extra functionality built in. So expect worms with more features as we go along.
It's time to really start thinking about security-by-design. VM systems like Java, or capability-based systems like EROS are the way we are going to finally squish these worms. I'm so tired of helping relatives with anti-virus software. There shouldn't be anti-virus software. Operating systems shouldn't allow viruses and worms to exist. Security problems like this are not an inherent part of software.
-
Windows Not Expected Secure Until 2011?!
"Windows Not Expected Secure Until 2011, Says Microsoft."
Wow, what an optimism! Personally, I wouldn't expect Windows secure until the the next ice age in Hell--but Microsoft? Those people have got vision, genius and determination! Meanwhile, any sane admin will continue using Debian and EROS for at least 7 more years, thank you very much.
-
Re:'Flaws' Not that big of a deal
The only really good security is via capabilities (see eros)
By which I assume you mean this:
EROS is a pure capability system. A capability uniquely identifies an object and a set of access rights. Processes holding a capability can perform the operations permitted by those access rights on the named object. Holding a capability is a necessary and sufficient condition for accessing the associated object with the authority granted by that capability. There is no other way to perform operations on an object.
One advantage to the capability approach is that the EROS kernel does not need to support any notion of user identity. The login agent hands each user their initial authorities, from which they can access whatever objects are (transitively) reachable.
Most capabilities can be rescinded. For example, a process holding access to a terminal port loses its authority on that port each time the system is restarted. This is necessary to ensure that connections are re-established when appropriate.
A common confusion about capabilities is that they are incompatible with more conventional protection models. While the EROS kernel knows nothing about capabilities, user domains (processes) are free to implement whatever authentication mechanisms they wish. The EROS unix emulator, for example, implements the customary unix semantics based on user identity.
But, clever as that may be (and subject, one hopes, to a thorough implementation in Eros and possibly in Linux via rsbac), it doesn't clarify how one goes about gaining the capability to run a new file downloaded from the Internet.
In that regard (unless I've missed something) it's orthogonal to Microsoft's approach (or, rather, this aspect of it)...
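The model quoted in the comment above (a capability names an object plus a set of rights, there is no user identity, and most capabilities can be rescinded), applied to the question of what a freshly downloaded program may touch. This is an added example, not part of the original comment and not EROS code; `makeCap`, `createObject`, `downloadedProgram` and `runDemo` are hypothetical names, and the kernel's protected state is modelled with JavaScript closures.

```javascript
"use strict";

// Toy object-capability model (constructed for illustration, not EROS code).
const READ = 1, WRITE = 2;

// Build a capability: an unforgeable reference to `target` plus a rights mask.
// `target` and `gates` live only in this closure, so a holder cannot reach the
// object, widen its rights, or reopen a gate except through these methods.
function makeCap(target, rights, gates) {
  function check(need) {
    if (gates.some((g) => !g.open)) throw new Error("capability rescinded");
    if ((rights & need) !== need) throw new Error("right not held");
  }
  return Object.freeze({
    read() { check(READ); return target.data; },
    write(value) { check(WRITE); target.data = value; },
    // Attenuation: the derived capability can only have fewer rights.
    restrict(mask) { return makeCap(target, rights & mask, gates); },
    // Delegation that can be taken back: a new gate guards the copy and
    // everything later derived from it, but not the holder's own capability.
    revocable() {
      const gate = { open: true };
      return {
        cap: makeCap(target, rights, gates.concat(gate)),
        rescind() { gate.open = false; },
      };
    },
  });
}

// Creating an object is the only way to obtain a full-rights capability to it.
function createObject(initial) {
  return makeCap({ data: initial }, READ | WRITE, []);
}

// Constructed stand-in for a program downloaded from the Internet. It receives
// no user identity and no ambient authority, only the two capabilities passed.
function downloadedProgram(input, output) {
  const denied = [];
  output.write(input.read().toUpperCase());
  try { input.write("tampered"); } catch (e) { denied.push("write input: " + e.message); }
  try { output.read(); } catch (e) { denied.push("read output: " + e.message); }
  try { input.restrict(READ | WRITE).write("x"); } catch (e) { denied.push("amplify: " + e.message); }
  return denied;
}

// The user's side: hand out read-only input and write-only output, then rescind.
function runDemo() {
  const report = createObject("quarterly report");
  const result = createObject("");
  const grant = report.restrict(READ).revocable();
  const leaked = grant.cap.restrict(READ);   // a copy the program might keep
  const denied = downloadedProgram(grant.cap, result.restrict(WRITE));
  grant.rescind();
  let afterRescind = "still readable";
  try { leaked.read(); } catch (e) { afterRescind = e.message; }
  return { denied, afterRescind, report: report.read(), result: result.read() };
}

console.log(runDemo());
```

The program never sees any object it was not handed, so nothing else the user owns needs a deny rule; the grant is the whole policy.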
-
Eros is Dying
It is now official. Netcraft confirms: Eros is dying
One more crippling bombshell hit the already beleaguered Eros community when IDC confirmed that Eros market share has dropped yet again, now down to less than a fraction of 0.0001 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that Eros has lost more market share, this news serves to reinforce what we've known all along. Eros is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Research Projects That Promise Much But Go Nowhere networking test.
You don't need to be a Kreskin to predict Eros's future. The hand writing is on the wall: Eros faces a bleak future. In fact there won't be any future at all for Eros because Eros is dying. Things are looking very bad for Eros. As many of us are already aware, Eros continues to lose market share. Red ink flows like a river of blood.
Let's keep to the facts and look at the numbers.
Eros leader Jonathan Shapiro states that there are 7 users of Eros. How many users of KeyKos are there? Let's see. KeyKos is at about 8 percent of the Eros market. Therefore there are 7 + 1 = 8 users of either Eros or KeyKos. This is consistent with the number of Eros Usenet posts.
Due to troubles at University of Pennsylvania, abysmal development speed and so on, Eros went through a "focus shift" by doing a useless rewrite in C and was taken over by Johns Hopkins University, who attempted to continue development on this troubled OS. Then the project was sidetracked while precious development resources went towards creating Yet Another Useless Version Control System. Now it is dead, its corpse turned over to yet another charnel house.
All major surveys show that Eros has steadily declined in market share. Eros is very sick and its long term survival prospects are very dim. If Eros is to survive at all it will be among OS dilettante dabblers. Eros continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, Eros is dead.
Fact: Eros is dying -
Eros
-
Re:Firefox Too?
It would be nice if operating systems could protect applications from each other.... Are there any operating systems that do that?
My prayers have been answered, yes there are and discussing them on slashdot should have happened eons ago... With computers taking more sick days than people you would think people would be asking for a secure OS when they buy a new pc at compusa.
It's called capability-based access control (first implemented in the '70s). It's just a fancy way of saying that rather than having a program get rights because of whoever executes it, it gets all sorts of rights all by itself.... Yes, that's an improvement security-wise because this way a process can get only the rights it needs.
Of course you could go and build an all new operating system for this principle. However many operating systems have been hacked to do tiny bits of this already. In fact many personal firewalls do it for Windows (I never thought I would be advocating something called a firewall considering I tend to call firewalls "stupid packet filters", and claim they do little for security). Of course open operating systems have plenty of implementations of this idea. Now if only people were to ask Microsoft for stuff like this. Windows is full of crazy features that are there because big customers needed them. With Microsoft giving up on their "(backwards) compatibility before anything else" idea (XP SP2) structural changes might someday make it into Windows. Of course that's only if paying customers want them.
-
Re:EROS
This article describes the quite fundamental differences between what each OS does. It's a very interesting read.
-
EROS
The EROS project (Extremely Reliable Operating System) is an attempt to achieve this -- continual persistence with fine grained capability-based security. Essentially, *everything* is serializable to disk and is done so periodically (eg: every 30 seconds). This has the benefit that you can have the power go out unexpectedly, reboot the system, and only lose half a minute worth of work as all your apps will be restored to their last state. An amusing anecdote about the predecessor to EROS, KeyKOS, from this page... true story:
- At the 1990 uniforum vendor exhibition, key logic, inc. found that their booth was next to the novell booth. Novell, it seems, had been bragging in their advertisements about their recovery speed. Being basically neighborly folks, the key logic team suggested the following friendly challenge to the novell exhibitionists: let's both pull the plugs, and see who is up and running first.
Now one thing Novell is not is stupid. They refused.
Somehow, the story of the challenge got around the exhibition floor, and a crowd assembled. Perhaps it was gremlins. Never eager to pass up an opportunity, the keykos staff happily spent the next hour kicking their plug out of the wall. Each time, the system would come back within 30 seconds (15 of which were spent in the bios prom, which was embarrassing, but not really key logic's fault). Each time key logic did this, more of the audience would give novell a dubious look.
Eventually, the novell folks couldn't take it anymore, and gritting their teeth they carefully turned the power off on their machine, hoping that nothing would go wrong. As you might expect, the machine successfully stopped running. Very reliable.
Having successfully stopped their machine, novell crossed their fingers and turned the machine back on. 40 minutes later, they were still checking their file systems. Not a single useful program had been started.
Figuring they probably had made their point, and not wanting to cause undeserved embarrassment, the keykos folks stopped pulling the plug after five or six recoveries.
-
What a stupid question!
I know, there are no stupid questions but only stupid people, but... How to avoid viruses at Windows install time? By avoiding the Windows install time maybe? Seriously, asking "how to avoid viruses at Windows install time" is equally smart as asking "how to avoid viruses at anal sex without a condom time." Maybe consider some alternatives: Debian, EROS, KeyKOS or maybe even OpenBSD would be a good place to start instead of asking loaded questions.
-
Re:Security...
Maybe Tanenbaum is right, and a microkernel is the way to go? Maybe we should take it one step farther and run all applications in jails to effectively limit their access to system resources and one another?
What you are suggesting is effectively a capability based os like EROS. Now, the trouble indeed with current mainstream systems is that even when apps DON'T run as the root user, the actual normal user has way too many privileges to give to their programs. The trouble is, in a mainstream OS it's damn near impossible to NOT let your program have all the privileges your user account has. Capabilities are by no means a new idea, and one need not make system less usable to have them. Building an easy-to-use capability system that functions well and does everything that users expect it to do, requires quite a bit of thinking and design though.
Just my .02 euro. -
"This being 2004..."
"This being 2004, you should know not to open a file from an untrusted source." WRONG! This is exactly the mindset that has resulted in the security problems that plague computers today. Operating environments should have the ability to fully contain and isolate any process. Operating environments should have the ability to run hostile code with complete safety. The smart thing to do is to start regarding ALL code as hostile. One side effect of that is that failures of non-hostile code will be contained, too, making for a more reliable system.
How can such a goal be attained? There are many ways available now. The most obvious one is a VM system with security policies, such as the JVM. That's not the only one, though. Another method is a capabilities-based system, so when a process starts, it has only a defined set of capabilities to work with. OpenBSD has a similar, but more limited system called systrace. The TrustedBSD project and SELinux have similar aims, and SELinux is being integrated into mainstream Linux distros. Another way to run untrusted things is with user-mode Linux, which I believe is integrated with Linux 2.6
The editor is right, though, that on currently-used systems like OSX and MS Windows, you have to be careful what you click on. But the problem is that we have come to accept that as "the way things are", when there is no reason for that to be the case. You should be able to run hostile code, see what it does, laugh at it, and delete it without any harm. The technology to do that exists, and has existed for years, but we have come to accept broken products and systems that don't allow that.
---------
WAP news -
Swap vs. disk/file cache
Is a difficult dilemma, but that's because an overly complicated scheme is used.
There is a simpler and more powerful scheme that unifies swapping and disk caches, while allowing applications to persist between reboots, all with better performance than current systems!
EROS implements such a system. Generally it is referred to as "Orthogonal persistence", and functionally it behaves as though the computer is "always on", and returns to the exact state it was in after a reboot. The thing is, with orthogonal persistence, the structure on the disk is not a file system, but just the application data.
Since applications no longer work with the disk explicitly (open/read/write) but only with one type of memory (persistent memory), the OS manages all of the disk I/O, and it allows it to eliminate almost completely the largest delay in disk-work - the seek time in all writes. Since all application memory is just mapped to disk transparently, all RAM is just considered a "disk cache", and the kernel does not have to make nasty tradeoffs between disk caches (of explicit open/read/write calls) and virtual memory.
Of course there is still a problem if large work-areas of unimportant applications "swap out" smaller areas of important applications. I suggest solving that by prioritizing pages to the memory manager. In a system like *nix it is not a problem. In more secure systems however (EROS, for instance), it may create additional covert channels between applications so it was avoided. -
Re:Denial of OS
Yes, we can. It's called a microkernel.
True.
The most popular one is Mach
Barf. Not to sound rude, but Mach is a horrid base for an operating system. I'm sorry Apple went with it.
If you mean popular as in "most widely used", then yes, Mach is the most popular "microkernel" (though it doesn't really fit the definition).
Mach is far from the most popular in hacker or academic circles (ie. those who know any better). L4 and EROS are far more suitable hosts for a guest operating system. L4 already has Linux 2.2 and 2.4 running as hosts in fact. -
You are right
Most library users are windows users...
You are right, this is probably the first we should change. I would suggest Debian GNU/Linux for starters and Debian GNU/Hurd for people willing to experiment and learn more. Next steps, as I have already mentioned, could be EROS and OpenBSD for systems less popular but extremely reliable and secure. I wonder which operating systems would other Slashdotters suggest.
-
Most important software for every library
I am sure that before I have finished writing this comment many people will have already suggested GNUWin, TheOpenCD, Knoppix, Morphix, Dyne:bolic, Debian and GNU CDs but instead of jumping on the bandwagon and posting links to them (even though with no doubt those are great examples of software which every library should definitely have) I will suggest including some software which is less popular but which students might learn much more from (and in the end, is that not the whole purpose of a library?), id est: Debian GNU/Hurd, OpenBSD and EROS. Lots of useful software one can buy with a magazine, but these systems are much harder to find, while much more revolutionary and unquestionably invaluable if we want people to actually learn something important instead of only "clicking" the mouse. It is also very important to note that these systems would introduce students to real security, something which is hard to find and understand, yet even much harder to overestimate in the terrorism era and the invasion of our privacy with things like NSAKEY in Windows and NSAttributedString in Mac OS X. That is why I think that actively promoting them in every library would be the most insightful idea.
-
Re:The right solution would be technical, not lega
There are OS (mostly academic/research) that do exactly this. EROS is one, though it looks like the project has stagnated. While it was active, some work was being done to create a *NIX compatibility layer (including X) that would allow traditional GNU utilities to run on top of the capability system. (Obviously, you'd need (re)written programs to get the most security/etc. from this system.)
It's a pretty hefty paradigm shift, but eventually, I think any system that needs to guarantee security will need to be a capability-based system like this one. As you indicated, user-based security just doesn't offer enough control. -
We must not accept this
For as long as I can remember, everyone has been saying that computer security flaws are inevitable. Somehow they are part of the "laws of physics" of the computer world and we must learn to live with them. This thought pattern is out of date and is holding us back from having secure systems. We have accepted this idea of inevitability of security problems just like we used to accept the inevitability of cars leaking oil or that certain medical conditions were incurable.
Computer security problems almost always fall into a few well-known (beaten to death is more accurate) patterns. One such pattern is the "buffer overflow attack". Why does anyone accept this? There is absolutely no reason for modern software to be subject to buffer overflows. We have languages like Java which run everything within a protected virtual machine and don't use buffers. We can design CPUs which allow sections of memory to be marked "execute only, don't write". We can use safe string libraries instead of creaky old standard lib. And yet I still hear people saying that buffer overflows are a given.
Same with root escalations. For years we have had ideas of how to have systems that are compartmented and don't have root. In the Unix world, we have the idiocy of "trusted ports" (ports I could go on and on. The only reason why computers are so insecure is because we have accepted that they are and decided to live with it. This is just wrong.
--------
Create your own WAP site, or become a Wireless-Enabled Hosting(tm) provider -
World safest?
-
Re:Memory images on disk
Check out notes for the KeyKOS project:
http://www.eros-os.org/project/novelty.html#persistence
There's an interesting story regarding Novell there. Anyway, that OS would take snapshots of the entire memory state every N seconds so that even if you pulled the plug out of the wall while the machine was running, you'd be back up to where you left off (minus some seconds) as it simply reloaded everything from disk again. -
That's great
It's good to see SUSE increasing security. It's even better seeing Linux become more viable for government and military uses.
But just 1 year ago, weren't we criticizing Windows for achieving EAL 4:
Microsoft has just received a Common Criteria certification for Windows 2000 at Evaluation Assurance Level (EAL) 4. Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this. What does it all mean? This paper suggests that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case.
So which is it, Slashdot? I'm confused.
Is EAL worthwhile or is it an "inadequate set of requirements"? Is EAL 4 worse than EAL 3?
Personally, I'm suspicious of most certifications, from business to security. Usually, they're just a way for the certifying company (in this case Common Criteria) to make easy money.
Anyway, maybe we should just wait for Eros, which is supposed to achieve EAL 7 when it is fully implemented, due to its powerful and secure design, better than both Unix and Windows. -
Re:Security should be simple
It can be simple, the problem is that you have to start with a good foundation, and neither Windows nor Linux provide that at the moment (as much as a Linux-lover as I am, Linux' security design is just as fundamentally broken as Windows, the difference is just bugs and a slightly more secure default configuration. Plus the lack of popularity and higher diversity, which makes it a less attractive target).
It can be done better, by building - from the ground up - a capability-based system. It has been done as well: see EROS and The E Programming Language for example. Like other good ideas, however, it just doesn't take off because of the inertia built into the market. However, with the current rate of worms, viruses, spams, and whatnot, it won't be long before moving to a new and secure OS becomes an attractive proposal.