Slashdot Mirror


A Closed Off System?

AnarkiNet wonders: "In an age of malware which installs itself via browsers, rootkits installing themselves from audio cds, and loads of other shady things happening on your computer, would a 'Closed OS' be successful? The idea is an operating system (open or closed source), which allows no third party software to be installed, ever. Yes, not even your own coded programs would run unless they existed in the OS-maker-managed database of programs that could be installed. Some people might be aghast at this idea but I feel that it could be highly useful for example in the corporate setting where there would be no need for a secretary to have anything on his/her computer other than the programs available from the OS-maker. For now, let's not worry if people can 'get around' the system. If each program that made up the collection of allowed programs was 'up to scratch' and had 'everything you need', would you really have an issue with being unable to install a different program that did the same thing?"

20 of 177 comments

  1. Wouldn't a live CD do this? by amanda-backup · · Score: 5, Insightful

    Doesn't a live OS CD such as Knoppix achieve this goal? These are usually built for "everything you need" for a particular purpose. You can still access and create data on disks on that system, but you never corrupt the programs themselves. If all the applications being used are web based, then things are even simpler - simply boot up with Knoppix, open Firefox and you are ready to go.

  2. What a load of... by Bin_jammin · · Score: 4, Funny

    fun you must be to think up questions like that.

  3. Windows Group Policy by Ececheira · · Score: 5, Interesting

    Windows has long been able to do this via Group Policy. You can specify that only programs signed with specified Authenticode keys can be run, effectively locking the system. Since all OS files are signed by Microsoft and anything a corporation would need could be signed, then if a corporation wanted a locked-down box, then they'd just specify the allowed keys and block everything else.

    It'd be a huge nuisance but it's possible today.

  4. I'd use it by Wizarth · · Score: 3, Interesting

    For office use, a Linux distro (such as Debian or Ubuntu) which allowed you to specify the repositories, and not allow modification of the list, would work just fine, in general.

    System admins would only allow updates from the official repository, with a local repository for mirroring/caching and business-specific software packages.

    I use something like this for my relatives. Give them Linux, don't give them root, make all updates/installations go through me.

    Then print out a poster for my door "setup.exe will not run on your system" ...
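An added example, not from the thread: the "locked repository list" idea above can be checked mechanically. The POSIX shell script below parses a sources.list and reports any `deb`/`deb-src` line whose host is not on an approved list. The sample file and the hostnames (`aptmirror.corp.example`, `pkgs.corp.example`) are constructed placeholders, not real infrastructure.

```shell
#!/bin/sh
# Constructed sample sources.list; hostnames are placeholders, not real repos.
SAMPLE_SOURCES='# Approved internal mirror and business package repo
deb http://aptmirror.corp.example/debian bookworm main
deb http://aptmirror.corp.example/debian-security bookworm-security main
deb [signed-by=/usr/share/keyrings/corp.gpg] http://pkgs.corp.example/internal stable main
# Someone added an outside repository by hand:
deb http://deb.debian.org/debian bookworm main contrib
deb-src http://deb.debian.org/debian bookworm main
'

# Hosts the organisation has decided to trust (assumed policy for this example).
ALLOWED_HOSTS="aptmirror.corp.example pkgs.corp.example"

# repo_host LINE -> prints the hostname of the repository URI on a deb/deb-src line.
# Runs in a subshell so that disabling globbing does not leak to the caller.
repo_host() (
    set -f                       # the "[signed-by=...]" field looks like a glob; do not expand it
    set -- $1                    # split the line into words
    shift                        # drop the leading "deb" / "deb-src"
    case "$1" in \[*) shift ;; esac   # drop the optional [options] field
    uri=$1
    host=${uri#*://}             # strip the scheme
    host=${host%%/*}             # strip the path
    printf '%s\n' "${host%%:*}"  # strip an optional :port
)

# audit_sources: reads sources.list text on stdin, prints every repository line
# whose host is not in ALLOWED_HOSTS, and returns 1 if any such line was found.
audit_sources() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac            # blank lines and comments
        case "$line" in "deb "*|"deb-src "*) ;; *) continue ;; esac
        host=$(repo_host "$line")
        ok=0
        for h in $ALLOWED_HOSTS; do
            [ "$host" = "$h" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unapproved repository host '$host': $line"
            bad=1
        fi
    done
    return $bad
}

# count_unapproved: number of offending lines in the constructed sample (2 here).
count_unapproved() {
    printf '%s' "$SAMPLE_SOURCES" | audit_sources | wc -l | tr -d ' '
}

# Stand-alone run against the sample; on a real host use: audit_sources < /etc/apt/sources.list
printf '%s' "$SAMPLE_SOURCES" | audit_sources
```

On a real system the file under test would be `/etc/apt/sources.list` plus anything in `/etc/apt/sources.list.d/`; the check only tells you the list drifted, so it belongs alongside keeping those files root-owned and not handing out root, as the comment describes.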

  5. On the subject of the CD Rootkit... by GhaleonStrife · · Score: 3, Interesting

    Think about this: If that database included the infamous Sony rootkit as "allowed" due to them laying pressure on whoever maintains it, doesn't it render the whole thing pointless?

  6. code isolation by TheSHAD0W · · Score: 4, Insightful

    This would be "mostly secure", but unless strict data-space separation were used it might still be vulnerable to a buffer overflow or similar attack that would allow arbitrary code provided as data to be executed. The attacker would use this opportunity to establish a "beachhead", modifying whatever integrity-checking system the OS is using to allow it to continue to exist.

  7. Question moot. by The+MAZZTer · · Score: 3, Insightful

    "If each program that made up the collection of allowed programs was 'up to scratch' and had 'everything you need',"

    Considering that is impossible, the question is pretty much moot, isn't it? I am always going to find more needs for things, and chances are I'm going to need a new piece of software. Even if an OS shipped with "everything", new things are invented all the time. Maintaining a "Closed OS" to allow for new things would be difficult, and to keep it relatively up to date even more so... but then it wouldn't really be closed if new stuff kept getting added to it...

  8. Treacherous Computing by jZnat · · Score: 3, Interesting

    This is exactly what Microsoft would like to do with Treacherous Computing, although the issue would cover things like security from the user rather than for the user.

    --
    'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'

  9. Smith-Corona to the rescue! by Onan · · Score: 4, Funny

    Yeah, turns out somebody was doing this for kind of a while. Called them "typewriters" or somesuch.

    Really, much of the value of a computer lies in the fact that it's an extremely versatile device. Choosing to discard all that, and believe that you can know ahead of time every single thing you will ever want to accomplish with it, seems like a pretty bad deal.

  10. OS X by mattjb0010 · · Score: 3, Interesting

    already does this. See here, under "Application Access: You Decide". You can set up another user account for yourself (not just any children) which would be protected. I'm pretty sure Windows has similar things (not sure if you need 3rd party software to do this) and as mentioned, there are live CDs of Linux/BSD/etc.

  11. No. - Re:Wouldn't a live CD do this? by jdogalt · · Score: 5, Insightful

    No. LiveCDs do offer read-only system images. But they do nothing whatsoever to prevent other programs from being run, i.e. programs downloaded from the net, autorun (or manually run) from CD. LiveCDs get you the benefit that each reboot resets you to a known state. That is quite different from an OS which only allows programs from a blessed whitelist to execute. One scenario might be the discovery of a way to remotely log into the system. In the LiveCD case, the attacker can now run whatever program they want, and likely regain entry in an identical fashion should the system be rebooted. What the author of this post is interested in is a system that would not let the attacker with remote login be able to execute any code not on the blessed whitelist. Now mind you, the idea that such a system would be 'invulnerable' is ludicrous. The XBox seems the quintessential example of a system which tried to achieve this design goal. My XBox currently runs ssh, freevo, and any executable I want, proving it is difficult to achieve a successful implementation of such a design. -jdog

    1. Re:No. - Re:Wouldn't a live CD do this? by Anonymous Coward · · Score: 3, Insightful

      What is an executable?

      No, the question is not a joke: What would such an OS do with Active-X and Java? Ok, they support digital signatures and let's believe such a system would work.

      And JavaScript? It's clearly executable, but would it be blocked? Who would use such a computer when 50% of websites are not viewable without JS? Not to mention sites that only exist in the form of one SWF file...

      On a server, JS would not be needed, but usually one needs customization in terms of scripts and so on. If the admin could self-sign programs (and would be so careful to only do that with programs he wrote himself and where he is sure that no malware is included) on a second machine, that could work.

  12. Vista + 'DRM' Hardware by nuxx · · Score: 3, Interesting

    Huh. Imagine that... Something which can be done by having a Microsoft OS set to run only signed binaries while running on top of a 'trusted computing platform'.

    As I've said before, this would be a huge boon to IT departments all over the place. I'd love to be able to lock users to running a signed OS and only the apps we specifically approve and sign. This would lock out all unapproved software *and* malware. If the OS is secure enough to keep there from being any ways around this, it'll be ideal.

    Oh, and of course, as long as such trusted computing stuffs can be turned off for users who purchase the hardware and don't wish to use it, it's a win-win all around.

  13. console? by minus_273 · · Score: 4, Insightful

    Anyone else think this sounds a lot like the Xbox 360? Encryption keys and all.

    --
    The war with islam is a war on the beast
    The war on terror is a war for peace

  14. Have had it for almost 30 years! by JoeCommodore · · Score: 4, Insightful

    Let's see, the Commodore PET, Apple II and TRS-80 were pretty much "can't touch this OS without a hammer" type computers.

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield

  15. An OS without any 3rd party apps... by FreeMath · · Score: 4, Funny

    You mean like a Mac?

    --
    This sig intentionally left blank.

  16. *groan* by voice_of_all_reason · · Score: 4, Insightful

    ...it could be highly useful for example in the corporate setting...
    Oh, for fuck's sake! Don't give them any more ideas.

    The extra cost of technology staff and the risk of a shittastrophe are nothing compared to abysmal employee morale. If you don't let 'em stroke off for a few minutes a couple of times an hour by going to ebay or playing snood you're going to end up with a resentful staff. And they'll produce awful, crappy work for you.

  17. Hypothetical question: "lusers" as decoys by Kadin2048 · · Score: 4, Insightful

    Speaking as a user who understands their computer reasonably well and doesn't click on stuff just because animated characters tell me to, would this be a good thing?

    If we (hypothetically) closed off the "stupid user" vulnerabilities that are the major attack vectors right now, wouldn't the malware authors instead just concentrate on other, more technical, avenues of attack?

    Here's my thought: maybe having systems vulnerable to idiot users is actually a good thing for the informational ecosystem as a whole. They're more than just the canaries in the coal mine (although they serve that function, too), they provide a steady stream of marks for the virus/trojan/malware writers and phishing-scheme authors of the world.

    If these people weren't able to basically throw themselves on the swords of their own stupidity on a regular basis, couldn't this just lead to smarter malware, which affected more of us (not just the stupid/ignorant)?

    Malware authors are inherently lazy and opportunistic. While there are still lots of "the monkey told me to click it so I did" people around, and ways to exploit this idiocy, that's what they're going to do. They're not going to mess around with esoteric buffer overflows to steal your information, when they can just send out some fake PayPal emails and watch the data roll in.

    Given the choice, I'd rather have the primary attack vectors be ones that rely on user stupidity, rather than technical flaws, because 0-day technical flaws are too 'egalitarian,' attacking both the clueless user and the experienced person without warning. Personally, anything that keeps the collective attention of the Russian Mafia focused on people too dumb to check the URL line in IE before typing in their bank account information is a good thing in my book.

    I know this isn't a very nice sentiment to hold, but if there was some hypothetical way to remove user stupidity as a vulnerability (not possible, so this is all just a mind game), maybe we'd be better off not implementing it?

    I'm not suggesting that we shouldn't attempt to educate people on good computing practices, but if people are too lazy or disinterested to become educated, maybe in their laziness they can do the rest of us a favor by acting as the collective decoys?

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."

  18. Seems to be a matter of reading 'man fstab' ... by PaulBu · · Score: 4, Informative

    ... pay particular attention to noexec flag -- yes, one can configure his/her generic U**x system not to be able to execute anything off "other media" (including home directories) for what, like, 20 years... ;-)

    Amazing what those guys back then thought of, is not it?

    Paul B.
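An added example, not from the thread: the `noexec` mount option the comment points at is only useful if it is actually present on every mount where untrusted users can write, and that is easy to audit. The POSIX shell script below parses fstab-format text and lists each user-writable mount point that lacks `noexec`. The sample fstab is constructed for the example; the list of "writable" mount points is an assumption you would adjust per host.

```shell
#!/bin/sh
# Constructed sample fstab; UUIDs and devices are placeholders, not from any real host.
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
UUID=1111-aaaa  /             ext4    defaults                       0 1
UUID=2222-bbbb  /home         ext4    defaults                       0 2
tmpfs           /tmp          tmpfs   nodev,nosuid,noexec,size=1G    0 0
/dev/sr0        /media/cdrom  iso9660 ro,user,noauto                 0 0
UUID=3333-cccc  /var/tmp      ext4    defaults,nosuid                0 2
'

# Mount points where untrusted users (or removable media) can place files.
# Assumed policy for this example: each of these should carry noexec.
WRITABLE_MOUNTS="/home /tmp /var/tmp /media/cdrom"

# has_option OPTIONS NAME -> returns 0 if NAME is one of the comma-separated OPTIONS.
# Wrapping both sides in commas avoids matching "noexec" inside e.g. "nonoexec".
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab: reads fstab text on stdin and prints one line per writable mount
# point that lacks noexec; returns 1 if any such mount was found, 0 otherwise.
audit_fstab() {
    found=0
    while read -r fs mnt fstype opts dump pass; do
        case "$fs" in ''|'#'*) continue ;; esac     # blank lines and comments
        for w in $WRITABLE_MOUNTS; do
            if [ "$mnt" = "$w" ] && ! has_option "$opts" noexec; then
                echo "$mnt missing noexec (options: $opts)"
                found=1
            fi
        done
    done
    return $found
}

# count_missing_noexec: number of offending mounts in the constructed sample (3 here).
count_missing_noexec() {
    printf '%s' "$SAMPLE_FSTAB" | audit_fstab | wc -l | tr -d ' '
}

# Stand-alone run against the sample; on a real host use: audit_fstab < /etc/fstab
printf '%s' "$SAMPLE_FSTAB" | audit_fstab
```

Checking fstab tells you what will be mounted at boot; to confirm what is mounted right now, feed the script the output of `mount` reshaped into the same columns, or compare against `/proc/mounts`. Keep in mind that `noexec` only blocks the kernel from directly executing files from that filesystem, so it is one layer, to be combined with the whitelist-style policies other posters describe rather than a substitute for them.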

  19. Re:not quite! by ocelotbob · · Score: 5, Informative

    SELinux policies. You can configure SELinux to have a default deny to execute files that aren't on an approved list of executables, and also ensure that only trusted persons have access to change those files.

    --
    Marxism is the opiate of dumbasses