Slashdot Mirror
Clean System to Zombie Bot in Four Minutes
Amadaeus writes "According to the latest study by USA Today and Avantgarde, it takes less than 4 minutes for an unpatched Windows XP SP1 system to become part of a botnet. Avantgarde has the statistics in their abstract. Stats of note: Although Macs and PC's got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean. The Linux desktop also was impenetrable, but only was only targeted by 0.26% of all attacks." See also our story on the survival time for unpatched systems.
So this is why my new Dell tried to eat my brain this morning!
First Post from a Bot!
I am curious how effective NAT (e.g. a cable modem router) is at slowing or stopping these attacks for the the typical user.
I know it works well enough for me, but I am not a typical user -- even my Windows box is locked down tight.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
this is news?
...
Next up: People who see a dollar bill on the sidewalk will pick it up and put it in their pocket. See our analysis
I wasn't expecting this to get Slashdotted. Kevin and I set up the honeypot machines and monitored the network during the test. If anyone has any questions, I'm happy to answer.
Does that mean I have to install XP, download SP2. Burn the SP2 archive onto a CDROM, reinstall XP with the network cable disconnected, and then patch? Geez that'll get old fast
...statistics for all the other versions of windows in common use, particularly Windows 2000, as well as XP SP2. Last time I looked XP machines could only account for a maximum of ~50% of all the potential zombie bots in the world.
Moderation Total: -1 Troll, +3 Goat
Although Macs and PC's got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean
Yes, yes, we know this is not surprising, since the exploits in question target Windows specifically, and therefore obviously will not affect Macs.
But the larger points you should take away from this is twofold:
1. The simple fact of the matter is that, for whatever reason, Macs are clearly affected far less than PCs by all types of exploits. This is not because of just marketshare. But whatever the reason, it is true nonetheless. But this brings be to:
2. Even a completely unpatched Mac OS X 10.0.0 machine would not be vulnerable to any kind of remote attack, because no ports whatsoever are open to the outside world, and on most consumer Mac OS X systems, never will be. The fundamental and intrinsic security design and considerations of Mac OS X are just better, period. Even local exploits, such as might travel freely and easily on Windows via email, aren't as possible or practical on Mac OS X (e.g., a potential Mac exploit of this nature that spread via email would have to have its own MTA or a lot more complexity than a simple script on Windows where Outlook and the OS does all the work for you). Yes, marketshare, i.e., the chances of the next host encountered being a Mac, certainly doesn't hurt, but that is not the sole or primary reason Macs aren't vulnerable. No effective automatic vectors of infection or spread, either local or remote, exist, period. When external ports are opened, they usually represent open source services such as apache and OpenSSH, which as a matter of course are usually updated long before theoretical exploits become reality because of the intense scrutiny and peer review such products receive by the community.
When will people learn, that after three and a half years of Mac OS X, with the market growing, it's not just because of "marketshare" that Macs are rarely affected by these types of issues? Can people admit that it's possible that security decisions that were simply and fundamentally better than those of Microsoft were made? I get a kick out of articles that trumpet "MACS JUST AS INSECURE AS WINDOWS" when a text shell script is "discovered", one that must be run by someone with root or physical access no less, with no worthwhile vector or method of automated propagation of any kind![1] This is in the face of completely remote and automated exploits that can hit a Windows machine in minutes of being on the network, or exploits that own your machine by simply visiting a web page, or viewing an email message in Outlook (yes, these have continued to exist, some even very recently).
[1] For the nit-pickers out there, copying itself to other remote Mac OS X system volumes to which the local user has root-equivalent access and has manually connected to doesn't exactly rise to the level of the unprivileged, automatic propagation we see in the Windows world.
from the takes-five-minutes-to-download-patches dept
Yeah right...
[n8.r0n] http://petesweb.spymac.net/
Our experience with operating system maintenance costs has been that Windows systems typically are the most expensive in terms of total required hours. Linux boxes initially are difficult to set up, but are more difficult for novice users necessitating frequent support, Windows boxes are easy for novices to use and recently have become much more stable, but have malware issues. Solaris and IRIX boxes are somewhere inbetween in terms of ease of use but require "privileged" knowledge in how to deal with certain issues, leaving us with OS X.......
OS X/Macintosh has proven to be the absolute most productive environment for us to date, least susceptible to malware/hacking has the lowest support costs and is why we have been in the process of replacing most machines with OS X boxes.
Visit Jonesblog and say hello.
I'm using my new unpatched XP system right now and it works gre45h3@#$!dd11f
NO CARRIER
Our gateway box is a Win2k machine. It hasn't been patched in months upon months because it would tie up the connection for a long time. (Downloading patches over 28.8 is slow and we have eight computers in the house sharing that connection.) That gateway machine is totally clean. No spyware, no worms, etc. This is confirmed by proper antivirus and anti spyware software.
I'm just posting this an in interesting observation. This makes sense because a zombie on a dialup line is pretty damn worthles anyway.
Many IT-people brand the persons that get these bots / infections as clueless lusers who get their comeuppance. I don't.
A machine isn't supposed to act this way. It is very simple, but we forget that proper behaviour for the machine is to NOT get infected in seconds. I have abandoned windows some time ago, but still help friends with their machines. But it is a battle they're losing. Nothing seems to help, mostly due to the extremely bad security paradigms. They now think its normal having to run 2 - 3 different anti-adware programs, virusscanner, be on eternal vigilance at every corner of the internet.
It is not supposed to be like this. Don't forget that.
This kind of news kind of makes me wish for white knight virus's that run out there and plug the wholes (carefully) before the bot net virus's attack. Possibly even faking a Microsoft message requesting the use download all the newest patches from windowsupdate.com
With the recent news that lycos has publicaly released a DDOS (mince words if you want to, that's what it is) tool to use on spammers, I wonder if a corporate sponsored virus of this type is far off.
paul reinheimer
My advice to anyone with Windows XP SP1 planning a clean install - get the SP2 CD (free from Microsoft) and install it before connecting to the internet.
When I started, the USENET application would inform me that my message would be spread across tens of thousands of computers at immeasurable cost as a subtle hint to keep things interesting, and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client. Frankly, things became unmanageable at the point the Internet was made accessible to anybody with a web browser; anybody who's been around this long knows what I'm talking about.
It's a short hop to realizing that the problems we're experiencing with virii and worms are the same problem. Intimate knowledge of x86 assembly used to be a requirement -- along with a malcontent-type disposition -- in order to wreak the sort of havoc that today requires fifteen minutes and an Effective VBScript In Fifteen Minutes manual. Every document is now a program, and e-mail doubles as FTP.
Many experts believe we should raise the barrier of entry by requiring programmers to undergo education, certification, and maybe even an oath to do no harm as part of the certification process if going into a security field. It used to take years to do what kids today can do in months; additionally, a would-be programmer who spends a few months picking up Visual Basic or whatever has hardly learned the fundamentals of programming any more than someone who reads a manual about his DVD player has become a laser engineer. I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers (by means of pricing and with the cooperation of the open source community) and by separating macros or other executable content from documents.
It makes more sense than trying to go out and educate every user. Think about it; in what other field do we "educate" "users"? We don't try to educate people with electrical outlets and let any curious individual perform as a licensed electrician. We don't "educate" passengers and let anyone who cares be a bus driver give it a try. Why are things always so difficult when it comes to computers?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
ARG! The patches! They do nothing!
Erm, if you look at the article summary and the article itself, it says that Attackers successfully compromised the Dell Windows XP computer using Service Pack 1 nine times, and the Dell Windows 2003 Small Business server once. Windows XP SP2 is what many would consider a collection of patches, so yes, it seems to have done something.
Last night I installed Windows 2000 SP4 onto a machine (not mine) connected to an NTL (British ISP) Cable set-top-box by ethernet.
Windows came up, I chose a username, and it froze due to gaobot infection.
I hasten to add that normally I unplug modems but I was under the impression that Set top box Cable access uses NAT and is thus secured against this sort of thing... I'll be recommending a Motorola Surfboard and router to my friend !
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
Zone Alarm and Firefox get on the system from a flash drive before ethernet cable is ever pluged in.
Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
Bah, that's a load -BUYVIAGRANOW2FOR1!- of BS. I haven't patched my PC since I bought it -FREEMORTGAGEQUOTES!- and it's running just -TIREDOFCONSOLIDATEDDEBT?- fine. No viruses, no trojans, -TIREDOFSPAM?BUYTHISCRAP!- nothing.
"The Linux desktop also was impenetrable, but only was only targeted by 0.26% of all attacks."
They act like how often it's attacked is a detractor from how secure it is ("it's not exploited because no one ever attacks it!") In fact, I'd say the systems that are attacked the least is *because* they are so difficult to exploit. Well, that and they only are about 2 or 3 out of every 100 systems you'll ping.
If you've installed any programs from Download.com, Cnet.com or ZDnet.com, beware.
I started getting reports of malware being attached to a program I work on and discovered the affected parties had obtained their copies of the program from Download.com. I had never submitted the program to them, but someone else had -- and they'd contaminated it with malware while they were at it. I complained, and the program was removed. (Actually, they first switched the links to the official server, but removed it when I complained further that they needed to tighten up their submission procedures.)
While Download.com is no longer distributing my program, they are still distributing malware attached to other programs (just went to their site to confirm it) via xeol.net and probably others. They don't seem too interested in fixing the problem. I also sent a complaint to the FBI's cybercrime division, and they apparently weren't interested, either.
My shit-hole apartment would be cleaned out in about 4 minutes if I didn't lock the door, too. So what does this prove? That there are nasty things out there? That shouldn't be news to anybody, especially not the Slashdot crowd. Lock down your computer the same way you'd lock your car doors and you'd lock your house.
I don't respond to AC's.
That's just the sort of thing a Zombie Bot would say!
Duh. They arn't testing how fast someone can install a firewall. They're testing how prone a typical user is to T3H H4X0RS - the same typical user will turn on and go which is why SP2 is a good thing (tm).
This is why operating systems should use delta compression for distributing security patches. You're never going to have a perfectly secure operating system; you can, however, make sure that you can fix the security flaws before they are exploited. Put another way: Size matters!
For the record, using FreeBSD Update and my binary diff tool, downloading all existing security patches for FreeBSD 4.8 (released April 2003) only requires 568kB of files to be downloaded -- which takes under 3 minutes even with a 28.8kbps modem.
Tarsnap: Online backups for the truly paranoid
guess you better learn to type faster, huh.
12:50 - press return.
I have a few questions.
1. How do you count attacks? The number of attempted attacks differs between the various systems. Does that mean some machines actually were attacked more often than others, or do you simply not count certain attempts? (E.g. malicious packets sent to closed ports)
2. Wouldn't it be fairer to run every machine with the firewall off (including those that have it on by default)? Obviously, if no traffic gets through to a machine, it can't be compromised no matter how insecure the software.
Please correct me if I got my facts wrong.
Also it would clog up a 28.8 so fast that it would be impossible for us to not notice. ;)
I understand what your saying, but two points:
1. All users should be patching, or letting the OS do it. We do want patched systems, right? So we have to educate users, and they have to follow through, or the OS has to be allowed to do it for them. To a degree I blame MS for taking so long to make auto-update the default, but frankly if they had it set to auto from the start everyone would be screaming bloody murder about privacy concerns and such. Can't have it both ways.
2. As for the pirated versions, I think if MS is smart they will let the pirated versions update as well regardless. I think that's better for everyone. I think they should separate out the patches from the updates. Patches should always be allowed no matter if the copy is legit or not (and it shouldn't even be checked), but updates, things like a new version of Movie Maker or Media Player (that doesn't involve security fixes) should require validation of your copy. I'd be OK with that.
But, that being said, the pirates shouldn't be pirating, so I don't have much sympathy for them. In fact, I could give a shit if their systems gets hosed by a virus or worm or whatever else, if it wasn't for the fact that it could harm ME if they get zombified, I wouldn't care at all. But, since they CAN affect me, MS should allow them to be patched, security-wise, but that's it. If they don't, I'm against the policy.
But in the end, the update mechanism, certanly for legit users, is there, and they need to be taking advantage of it, whether it's automatic or not.
If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
Guess what, there's millions of Windows users out there who don't know what an "SP2" is, or why they should care about it, or have a clue how to download such a behemoth over their 28.8 AOL dialup.
Come to the University of Mars! Classes starting soon!
I'm suprised that ISP's don't provide some kind of firewall on their side, and charge people for it.
Like imagine when you sign up for compnay's X DSL
they offer a firewalled connection, or a non firewalled.
For the simple users ( my mom ) you could have a default firewall that just blocks windows ports that have know exploits. Does 445 really need to come in from the outside world
For the more advanced user you could have an interface that allows them to choose which ports.
How hard would it be to setup a dynamic firewall solution like this? People would pay 5 to 10 bucks a month extra for it. Even someone like me so I don't have to use a router. I just don't trust a desktop firewall.
You think because AV finds nothing, your box is clean? Not necessarily. If you're rooted, you're rooted, and you'll never know unless you boot from trusted media. Once your box is not your own, the OS will never tell you the truth again.
Using a router to check bandwidth usage or even a firewall or rrdtools-type system of graph would show if an external user is using your box.
- dshaw
This is a flame for everybody who keeps making these assnine comparisons and believes that they're OS integrity is somehow extra special or that Windows M$ is extra bad.
Well, I hate to break it to you, but Windows security is extra bad. Popularity aside, Windows does some really dumb things from a security perspective, both historically and currently, and and security professional will tell you that Windows needs some serious changes to their underlying system if they ever want to make it reasonably secure.
No system is bulletproof, but some of them at least put the bulletproof vest on their chest and the helmet on their head. Windows puts them both on it's ass.
Just because Windows is popular, you should not excuse the designers their crappy security decisions.
P.S. Get a spellchecker.
Zombie bots generally don't know the difference between dialup and broadband.
Perhaps you don't "have" any spyware or viruses is because your line is too slow to update your scanners?
Seriously, install a squid proxy so you can download the patches on one machine and all the other machines can just use the cache.
I bet if you let it go overnight it would be done in the morning.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Windows XP, SP1 does include a firewall that is off by default. Google will give you plenty of instructions for enabling it. SP2 merely enables it by default.
But seriously. If Linux ever becomes as popular as windows, I guarantee malcontents will find any and every way to comprimise your system in under 4 minutes.
This is like the New Pig Times reporting that if brick ever becomes as popular as straw then wolves would just start blowing them down as easily. In other words you are arguing under the Fallacy of the General Rule; namely that all platforms have exactly the same vulnerabilities, if only someone would bother to look for them.
Windows has large, exploitable holes that other platforms don't. Period. End of sentence. It is the height of tunnel sighted arrogance to think today's hackers wouldn't each love to be the one that finally writes the mighty virus that gets through OS X or Linux.
Yes, a large percentage of problems are from copy cats. But you will not convince me there aren't those who take pride in their hacking that wouldn't love to be the one to break the OS X/Linux barrier and aren't working at doing so just to show it can be done.
R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
Windows firewall was one of the "New features" of windows xp, but you have to turn it on first - no need for service pack 1.
You can get an unpatched windows 2000 machine to connect to the internet [without being comprimised] to download updates just fine, (from my experience, your milage may vary) Just enable TCP/IP filtering in advanced networking and set TCP to permit only (nothing). Can do this on XP as well.
Yes, a NAT firewall is effective against remote exploits, but will do nothing against malicious web pages and other IE based vulnerabilities.
Snowden and Manning are heroes.
Second, the linux box isn't necesarily representative. Mandrake, for example, has open ports and no firewall. I would like to see a fresh mandrake box put on the net rather than the more secure Linspire. Additionally, was it ever figured out what port 7741 was used for? In a digital attack simulation we had, Linspire boxes were hard to characterize for the attackers because of the lack of any ports open on them. 7741 may be a good way to characterize the OS of the box. (Also, I worry more about open ports I don't recognize than ones I do, even if they aren't connected to extremely strong programs.)
Also, the abstract seems to indicate the OSX box was NOT one of the better ones since it seemed to draw so many attempts. (I think this explained in comments as having to do with samba being turned on. Was samba on by default? And is there any implications of having a cloned service on as it draws more attacks even though these attacks are fundamentally hopeless.)
I do security
I mentioned it elsewhere here, someplace...
The die-hard Mac user in the group felt that having a few services on might better represent a typical Mac user. If I'm remembering right (I didn't personally set up the Mac) it prompts you with a group of items to check on and off during the install. Several services, including Samba, were turned on. This was an extra handicap on the Mac. All the Windows machines were installed by Kevin, with some discussion from the rest of the group. The Linspire box was the only one that was literally used out of the box. We unpacked it, gave it a weak root password, and got it on the Internet.
All boxes were given weak passwords, at least initially. It was part of the test that the reporter chose not to emphasize. That was how the Win2K3 box got popped the one time. After that mechanism was used (per box), the password was changed to something harder. Only the Win2K3 and XP SP1 boxes got nailed due to weak password.
My point is that you should declare both just as loudly:
* People should know that unpatched boxes are trouble, that's completely fair
* People should know that the patched and secured boxes are just as good (based on the published results at least) as just about any other OS.
I can accept that maybe the Slashdot slant as represented by the front-page post may have made the article seem like something it wasn't, namely a Windows bash piece. But, having read the actual article, it didn't seem like both conclusions were fairly represented. It seemed as though the positive outcome of the "secured" XP box only got a small blurb, while the negatives of the unpatched box got much more air time. I believe it should have been more well-balanced. That is my point.
If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
There is a fundamental problem with your myth.
How does a fresh install of Windows get compromised so quickly? Through ports on services, mostly.
Now consider a fresh OS X install. Let us imagine a future where 99% of the computers are Macs. You go to install the OS, and - you have no compromises when you are done (much less ten minutes later). How is this possible? Because there are NO NETWORK SERVICES RUNNING BY DEFAULT. None! You have literally no way for the four-minute phenominom to strike you.
Different Linux distros are more or less along these lines, depending on how many services they, too, leave off by default.
Perhaps in a different future with a more popular OS you might have quite a few more Malware programs that would seek to have the user install them or attack browser flaws. That is a different issue, but doesn't address the fundamental weakness of a system that can be compromised without user action in under four minutes.
Windows solved a lot by adding a default firewall, though you are still at the mercy of the firewall working properly instead of fundamentially being more secuure by leaving services off. It only takes one bit of malware to disable the firewall without telling you and it's off to the races again for your PC. SInce other systems as of yet have no need for these programs, they are not as fundamentially weak.
As a side note, I hope that people doing software performance reviews from now on are doing them with firewall and anti-virus programs in full operation, otherwise the results are meaningless. Especially on an Intel platform, why would you not use an OS that requires a lot less background processing just to keep other people off your system? It's like hiiring a full time bodyguard and agent when you work at K-Mart - it just should not be needed.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If I'm remembering right (I didn't personally set up the Mac) it prompts you with a group of items to check on and off during the install.
Nowhere during the OS X install process does it present the user with an option to enable Samba. That has to be done separately from the Sharing preference pane.
In other words:
1) IE: bad security
2) IE: good security => breaks sites
3) IE is Windows (let's assume)
4) Windows breaks sites/Windows has security issues
Oh sigh... man, I'm not even going to look for an analog syllogism because it's just so obviously wrong.
What I get really irrate about is this little fact: 90% of sites out there that tout anything cool don't work without IE. That's not to say IE is good, it's just to say these people who designed the sites were LAZY and fucking did not follow W3C standards. On top of that, most of them blatantly used IE's lax security to get cool features. Changing security settings for IE, or simply using Firefox breaks those sites.
So here's the tricky part class: it's not IE or firefox that's broken, it's the sites.
If you look at the statistics compiled by the investigators, you'll see that the Window XP SP1 box and the Mac OS X 10.3.5 box both logged the overwhelming majority of attacks (45% each), and equal to within less than 1%.
The Windows box was compromised multiple times. The Mac OS X box was never compromised. The Linux box was never compromised, but it only was hit a tiny fraction of the times the Mac OS X and Win XP SP1 boxes were.
Oddly, the authors conclude that the best systems are Linux, and Win XP SP2. WTF?
The obvious winner is the platform that sustained the highest number of attacks with the fewest number of compromises. That would be Mac OS X, with essentially half of all the attacks (just like Win XP SP1) but ZERO successful compromises.
The authors seem to be bending over backwards to come up with a "winner" that runs on intel compatible hardware (Linux and Win XP SP2) but the obvious choice is Mac OS X.
Why the biased interpretations?
"Because this system responded to ICMP ping requests, there was a low number of attempts to compromise the system--795 attacks." Makes sense?
Also, from their methodology I really don't quite understand how they count attack attempts. Especially for MacOS X they say that ~44% of total attacks observed in experiment were targeting MacOSX machine, but later they honestly say that almost all of attacks were some kind of Microsoft exploits. Does this means that they counted microsoft exploits attempting to compromise MacOS X as a mac attacks?
And, finally, I really like their babbling about most secure platforms being THREE (linspire, SP1 + zoneAlarm, windows SP2) and mentions the fact that mac were not compromised just in one table.
If you would like to see conspiracy, I would say that this is a Microsoft PR with goal to:
a) SP2 is good.
b) Don't fucking use our products without additional security software (a marvelous reccomendation by the article)
c) the only real operating envorement in this article is irrevelant and we just added it at the latest moment to gain some credibility.
Simply put, Linux does have a better security model than Windows does.
Even Firefox has a better security model than IE. Firefox starts with the deny everything that is not specifically allowed by the user.
IE starts with the allow everything that isn't specifically denied by the user.
Now, a very knowledgable person can achieve the same level of protection with both of these systems. But that does not mean that both models are equally secure.
Linux vs Windows is the same. Particularly since IE is "integrated" with the OS.
Read the other responses. The Mac was targetted so often because it was running Samba and the attacking machines' scans saw that port and tried to exploit the vulnerabilities associated with Windows.
On the Internet, it doesn't matter if you only have 1 million boxes to Microsoft's 100 million. A scanner can find them. If they are vulnerable, they will be cracked. Maybe not in 4 minutes
But the Linux box in the article was being attacked a couple of times an hour.
If you're vulnerable, one attack will crack you.
If you are not vulnerable, a million attempts won't crack you.
It's Security. Not Marketshare.
We've got 1536/256 ADSL at my hosue (Whoever thought of making connections asynchronous should be made to suffer, along with the "let's change IP's for no reason" guy). It's connected straight to my gateway box, which is a psycho-paranoid IP-masquerade for our LAN as well as a limited internet server (http/ftp/ssh/bzflag).
And oh, does a lot of crap ever go *plink* against that firewall. This is an IP that is not on Google, and does not advertize it's presence to the 'Net. There are probably 10 to 20 attempts to exploit Apache every day (Including some damn attempt to overflow it with a huge garbage query that makes my logs very ugly), along with a litany of thing requesting stuff from a windows directory. Probably as many attacks against proftpd, usually erroneous login attempts. Loads of garbage attempts to log in to sshd as root, test, and admin along with a few null passwords. On the packet filter level, I get probably 500 incoming connections from p2p programs (both because I use them and from the previous guy) a day. And believe it or not, Sasser, Slammer, Bagel, and Satan's Backdoor still come knocking. So, yeah... If all that crap got relayed to my dad's win2K box, it'd be pwn3d 20 times a day.
Now, let's not talk about my relatives who use Windows 98, even on dialup.
Boot the machine without connecting it to a network. Enable IP sec. And enable the built-in firewall (it was there all along, SP2 tried to improve on it). Or buy a damn $50 NAT'ing router (some of them evern support dialup). THEN, connect to Windows Update. Patch, etc...
I'm sure they use linux too but OS X provides a secure environment and free GUI development tools that are easy to use (X-code (formerly Project builder which came from OpenStep/NextStep) and Interface builder (which started out on NeXTStep).
Jesus was a compassionate social conservative who called individuals to sin no more.
My old man use to program back in the mid 70's and early 80's.
;)
Yep, he's a youngster
I support a non drm pallidium like architecture which demands an encryption key for each set of data that needs to be executed. It sounds insane but its the only way to stop unathorized code from executing. Cpu level bound checking would also be nice.
That's like a lock that's so good you lock yourself out. Permanently.
Actually the Burroughs computers a bit before your old man's time, did precisely that, the bounds checking. Problem is, a number of programs that were aparently running ok would fail because they were actually doing something illegal.
but it will never be 100% secure.
Right. The question is how much effort is worthwhile and how good a security do you really need anyway? Elaborate security setups and junking old computers with hard drives intact
really the resulting assembly level code from the compiler which really leaves the door open for hackers.
This is the level at which code is exploited. The exploits do not use the source, they use the machine language. You need source to fix the exploit, not to exploit the code. In particular, any differences between what the machine code does and what the source code plus comments implies is probably capable of aloowing something undesirable.
The whole reason to migrate to NT back in the 90's was to avoid the security problems of Unix oddly enough.
Unix security is poor, but extremely effective considering the effort.
Anyway my old man was shocked when I told him that is the problem today with worms infecting computers.
Remember Melissa? Melissa was nice. Everything since has been pretty much predictable. The assumption or attitude that computers are nice and trustworthy paints a large target that can and does draw fire. It's a bad idea to claim that you are more secure than you are.