2010 Will Be the Year of Sandboxing Apps
Trailrunner7 writes "In a guest editorial on Threatpost, Mac hacker and security researcher Dino Dai Zovi writes that 2010 will be the year that software vendors get religion about sandboxing untrusted data in desktop apps. 'Instead of the usual top ten lists that are all-too-common with predictions for the new year, I have just one: 2010 will be the year of desktop applications handling untrusted data in sandboxed processes, and it will be about time. The largest Internet security threats now arrive through malicious web pages or e-mail attachments. This is because attackers are opportunistic and these are the weakest links especially because they easily pass through every firewall. Security is not and never was about SYN packets, it is about data: the software attack surface that attacker-controlled data interacts with and what sensitive data the attacker can get a hold of if they can exploit vulnerabilities in that software.'"
.. bloat.
Just look at how slow IE8 is to use.
This is much more of a wish than a prediction. Microsoft has only barely just started to offer sandboxing. It's also not common practice by other desktop application developers.
Developers: We can use your help.
Great, I just upgraded from XP to Windows 7 and now all my apps have to be run in XP Mode's virtual machines. Thanks Microsoft. :)
Sandboxes are a tried and true idea, they work well. It's about time
sandboxie... Great program, will NOT work on a 64 bit OS.
It has kept my daughter's PC free of crap because she refuses to not click on everything and not use Internet Explorer... so I sandboxed it. Click on everything, it's all sandboxed.
Do not look at laser with remaining good eye.
Fire up your VM-based Windows XP machine and head to http://www.offensivecomputing.net/
Their site contains tons of live malware. I believe it requires free subscription, however.
About time...I was getting the impression that the solution was going to be $20 netbooks...use one to browse the web, it gets contaminated, and you throw it away and get a new one. Not very efficient, resource-wise.
Sandboxes are a tried and true idea, they work well. It's about time
So, sandboxes will see as much success as Java desktop apps? What?
Maybe we should just stop using the goddamn browser as an operating system. It was never meant to be anything more than a way to view mainly static documents, and quickly access other linked documents.
While some interactivity is of course useful and sensible, some fools have gone off the deep end and think we should treat the browser as some sort of an application development platform.
Of course, anyone who has done real application development under a real operating system, even if it is just Windows, knows how poorly the browser is as such a platform. It's clear that everything, from JavaScript to AJAX to Flash, has been tacked on as a shitty afterthought.
The answer isn't sandboxing. The answer is that we need to go back to using the browser as just a browser, and nothing else. And any real applications that demand network connectivity should be written as such, and run outside of the browser.
Whoa! Your daughter is off the rails, and your soft approach to parenting is not helping.
Install linux on her system right now, and don't give her the root password until she's 18!
All security problems are easy to solve if you have users who are sophisticated about security, and motivated to put up with inconveniences. The real world isn't like that.
A proposal like this inevitably requires that the user understand something about the sandbox, and also requires that the user go through various hassles because of the sandbox. They're going to perceive it as a hassle, because the sandbox is going to prevent them from doing things they would otherwise have done. If they're unsophisticated and unmotivated, they'll just see it as something to work around.
Not only that, but this isn't an optimal solution. A Flash game has to be a Turing-complete program. A memo doesn't have to. The simple solution is just to stop embedding Turing-complete programming languages in file formats that don't require them. Adobe actually started by designing PostScript as a Turing-complete language. That had some unfortunate consequences, since, e.g., you can't predict whether a program written in a Turing-complete language will halt, so in principle you can't predict whether a document will take forever to come out of the printer. They realized that that was a mistake, and when they designed PDF, they intentionally made it not Turing complete. Now we've come full circle, and they've added a Turing-complete language, JavaScript, back into PDF. That's just bad design. The solution for users is actually pretty easy: if you're using Adobe Reader, turn off JavaScript.
.. bloat.
Just look at how slow IE8 is to use.
What does this offtopic post have to do with sandboxing?
And I predict this will be the year of 'Spun getting freaky with Kari Byron of MythBusters.'
Wasn't sandboxing the cool word about 10 years ago?
"Windows 64-bit: Full support for 64-bit is available in recent beta versions of Sandboxie. Click here"
Looks like they are working on that. :)
LOL you just successfully stopped a future professional gamer by not teaching her how to install GTA 4 in Ubuntu.
Sounds like a good plan for the future. As far as I'm concerned, 2009 was the year for portable apps. All those useful apps we have on our thumbdrives and thinstalled. The registry and local app dirs have been virtualized and redirected to local stores in a subdirectory of the app dir. All the settings remain local to the app dir (just like the old days) and migrate with a simple copy. A full sandbox is an incremental step above this.
I suspect VMware won't be alone for long with their thinstaller. I suspect MS sees the future of app deployment being more like the portable apps we use today.
Cool. When can we get this for Linux? Oh wait... we've already had chroot for years.
Yup, WAYYYY off the rails... she turns 18 this week. Sadly she is very much like her mother.
Do not look at laser with remaining good eye.
Yes. Linux has many, many things that are pretty cool.
Unfortunately, they haven't had a good all-together tied-in user experience.
Claiming things like "we have chroot" and "we have sudo" and other code/geek-ish type of coolnesses is like claiming that your car has awesome engine with new piston technology, very secure door locks, and can run on almost ANY fuel currently available; unfortunately, the seats are rather uncomfortable and the controls on the dashboard look more like a commercial airliner's cockpit.
Yes, I know it's getting better. That's good. I hope they keep it up and continue to improve issues that apparently many geeks don't care about and many average users do (like flash video [youtube] and audio) and being able to use their iPods and scanners). :)
Just the 3D acceleration is a little bit iffy.
But otherwise, one can debug VAC or Warden in a sandbox and find a way to disable these spyware to make the gaming experience more enjoyable.
[dont-take-it-personal][joke-to-easy-to-resist]
"Much like her mother"? she has poor taste in men?
[/joke-to-easy-to-resist][/dont-take-it-personal]
Not trying to be a total troll but... I kind of like running XP in VMware as a virtual machine (especially when it is busy grinding through critical security updates and reboot cycles - while I am getting work done on the host OS)
Java sucks for the desktop because of the long startup times and huge memory usage, but that doesn't mean that all sandboxes have to be that way. For example, you can run a program in a chroot jail in Linux, and its performance won't be much worse than running it normally.
I predict that 2010 will be the year of the year of predictions.
Usually when I hear the term used, it refers to implementation of an interpreter of bytecode (java or dot net).
So, then it will just be an intrepeter layer, that removes direct access to hardware APIs?
That would seem to require more clock cycles to run, and some more RAM, and even would mean that the interpreter could be reverse-engineered so it could be ported to other platforms....
Uh, Linux geek since 1999.
Web servers don't serve html documents any more, they serve remote procedure calls from javascript front ends.
Security is about everything, period.
Let us all know how that works out for you this time next year, big boy?
Just yesterday was reading about Isolate (http://code.google.com/p/isolate/) that looks going to the core of the problem. You can sandbox any app, but not needing to sandbox all the desktop/OS/etc for that. So if your browser or media player, or other programs could have a risk of doing locally something you dont want, you can run it in a way that don't touch or modify anything private. in a very easy way.
really? sandboxing desktop apps? Look at what the design goals of any real OS are: providing security, memory protection (from other apps and OS space), indirect access to hardware, and smooth multitasking between apps and the OS are right up there near the top. Memory protection is WAY up there near the top unless you're looking at special-purpose realtime applications or micro-controller apps. Now what we are seeing on Windows is yet another layer in an attempt to fix a bad design, and one which will continue to slow down the system while pushing the hardware. It's great if you are out to sell more expensive hardware and you don't want lower-end (cheaper priced) hardware to run your software. You know, like how Vista ran so well on netbooks and how Windows 7 is better than Vista at that but still worse than Windows XP.
Sandboxing is basically what virtual machines like VMWare, VirtualBox, KVM, VirtualPC all do. Off of Windows, it gives users a way to run Windows without rebooting their main OS. On Windows, it gives businesses a way to keep one crashing Windows server from taking down the other servers and in the desktop it lets users boot Linux without rebooting Windows. But for app protection? That's what the OS is supposed to be doing.
[joke-too-easy-to-resist]
"Much like her mother"? she has poor taste in men?
Hey! There's nothing wrong with me!
[/joke-too-easy-to-resist]
Then she has a chance at a life.
I was just handed a memo from a collection of all major software and hardware vendors on Earth, saying that security will be put ahead of profits from now on! It was delivered by a Unicorn, who got here on the gumdrop express via the rainbow highway.
I use that too. Program I'm not sure about? Run it in SandboxIE and delete the Sandbox when I'm done. Website that might impact my security? Run it while my browser is under SandboxIE so I'm safe from viral threats.
Microsoft might be doing more than you think. TFA brings up Protected Mode Internet Explorer, but Microsoft is incorporating sandboxing-type ideas into Office 2010, too. For example, before it opens files, Word 2010 will validate them against known-good and known-bad schema. The idea is to detect potentially risky files/actions and run them with reduced privilege. So if a given file was created using an old version of Word that includes implicit vulnerabilities, for example, Word 2010 will open it in read-only mode with macros disabled, while giving the user a button to activate the disabled features (with an "it's your funeral" warning message).
This is not exactly "sandboxing," but it serves the same purpose: It helps to keep bad things from happening accidentally or out of user ignorance. In the past, if a user tried to open a file with dangerous macros, the app might throw up a warning message: "OMG if I open this file all hell will break loose!" But the user really wants to see what's in that file, so he just clicks "OK," and the damage is done. With Office 2010, there are more situations where a file will open with a slightly degraded user experience (no macros, etc), which lets users do 90 percent of what they want to do -- read the text, or copy and paste it into a new file -- without putting them at risk.
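The two posts above (turn off JavaScript in Adobe Reader; Word 2010 validating a file and opening risky ones read-only with macros disabled) both describe the same pre-open triage step: look at the untrusted bytes first, and degrade the view instead of refusing it. The following is an added example, not code from the original discussion or from Adobe or Microsoft. It scans a PDF for the action-related names (/JavaScript, /JS, /OpenAction, /AA, /Launch) and an OOXML package for a VBA project, then returns a mode ("full" or "protected") for the caller to honour. The watch-list and the sample documents are constructed for this example; a real scanner must also inflate compressed streams and decode #xx name escapes, which this naive byte scan does not do.

```python
import io
import re
import zipfile

# Constructed watch-list of PDF names that introduce active content.
# The negative lookahead stops "/JS" from matching inside a longer name.
PDF_ACTIVE_NAMES = [b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch"]
_PDF_NAME_RE = re.compile(
    rb"/(" + b"|".join(PDF_ACTIVE_NAMES) + rb")(?![A-Za-z0-9_])")


def pdf_active_content(data: bytes) -> list:
    """Distinct active-content names found by a naive byte scan of a PDF.
    Caveat: object streams, FlateDecode and #xx escapes can hide these."""
    return sorted({m.group(1).decode() for m in _PDF_NAME_RE.finditer(data)})


def ooxml_has_macros(data: bytes):
    """None if the zip is not an OOXML package; otherwise True when it carries
    a VBA project (whatever the file extension says)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "[Content_Types].xml" not in names:
            return None
        ctypes = z.read("[Content_Types].xml")
    return (any(n.lower().endswith("vbaproject.bin") for n in names)
            or b"macroEnabled" in ctypes)


def triage(data: bytes) -> dict:
    """Decide how to open untrusted document bytes.
    'full'      -> hand to the normal parser with the user's privileges
    'protected' -> read-only view, scripts/macros disabled, user must opt in
    Unknown or corrupt input is never opened with full privileges."""
    if data.startswith(b"%PDF-"):
        active = pdf_active_content(data)
        return {"kind": "pdf", "active": active,
                "mode": "protected" if active else "full"}
    if data.startswith(b"PK\x03\x04"):
        try:
            macros = ooxml_has_macros(data)
        except zipfile.BadZipFile:
            return {"kind": "unknown", "active": ["corrupt-zip"], "mode": "protected"}
        if macros is None:
            return {"kind": "zip", "active": [], "mode": "protected"}
        return {"kind": "ooxml", "active": ["vba"] if macros else [],
                "mode": "protected" if macros else "full"}
    return {"kind": "unknown", "active": [], "mode": "protected"}


# --- constructed sample documents (not real files) ---
def make_docx(with_macros: bool) -> bytes:
    """Minimal OOXML-shaped package; adds word/vbaProject.bin on request."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


PDF_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
PDF_JS = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in [("plain pdf", PDF_PLAIN), ("js pdf", PDF_JS),
                       ("docx", make_docx(False)), ("docm", make_docx(True))]:
        print(label, triage(doc))
```

The point of returning a mode rather than a verdict is the one the Office 2010 post makes: the user still gets the text, and only the active parts are withheld until they explicitly ask for them.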
...because nearly nobody needs even more power...
Just sandbox everything, and sandbox it again, then interpret, sandbox, and interpret again. Until you can barely get the framerate of a small handheld console from 15 years ago (remember that JavaScript Tetris?)
Just don’t feel the urge to actually write clean code. And cling to C-like languages, ’till the bitter end. Since C in a generic VM is oh-so-much faster, than Java (in its Hotspot VM) or Haskell on the bare metal...
Yay. I wonder how much I will kick the butts of others by writing clean straight-to-the-metal code without having to micromanage (C-style)... ;)
You can sandbox without users noticing 95% of the time,
web browsers and anything launched by browsers get access to (browser configs, download folder and read access to relevant configs and executables)
non-network apps (except update apps) do not get web access without a dialog.
etc...
sure if you're 100% clueless you'll let word access imhaxoringyourpc.cn, but simple profiles will keep people with 1/2 a clue about security safe without ridiculous tricks like running Chrome in a VM (which btw is retarded because if your host OS is compromised you're screwed anyway)
"unless you're using SBS " or run unix/linux " most organizations will only run Exchange or SQL or one major app on a server"
There, fixed it for you. Curiously unix can generally cope with running more than one app/DB without falling over or having one app
screw up the other.
"we even put all the third party database drivers on a separate server so as not to cause any potential issues."
Well that sums up running a Windows server doesn't it.
So many tasteless jokes in such a short thread. Root, Box, turning 18, like her mother .... I ... must ... resist ...
Slashdot needs to retire the Bill Gates Borg picture.
But for app protection? That's what the OS is supposed to be doing.
Sandboxing and virtual machines are not interchangeable terms. VMs are one way to sandbox applications, but not the only way. For example, SELinux and the iPhone sandbox all applications by default. MacOS X currently sandboxes a subset of executables, mostly services at risk of exploitation (like their zeroconf service). A move towards more sandboxing of desktop apps doesn't necessarily mean more VMs. It may well mean sandboxing being applied by the OS, by default, to desktop apps based upon any number of trust criteria, like whether it is signed or not.
Point is you don't gain anything if the users don't understand the sandbox.
Android tells you precisely what every app is allowed to do, most people blithely ignore the part where a variety of apps have access to "Read phone call state and identity."
Security did used to be very much about SYN packets and not much else. Hi, I used to build ISPs in the early 90s.
I can hardly wait for the flurry of sandboxing
patents.
Cool, instead of screwing up the simple task of validating inputs, we'll simply screw up the complicated task of sandboxing. Awesomeness!
That horse bolted the barn a long, loooong time ago.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Been using SandboxIE for 3 years now. Highly recommended utility.
Right-click any program and run it sandboxed.
Additionally, useful for testing captured malware. In a VM is recommended, never know if/how/when it may be subverted.
This isn't a Windows specific problem. The fundamental problem is the user/process model that's been popular since the inception of UNIX (maybe even earlier, I don't know enough about Multics to say): the idea that only users have identities and programs run under the identity (and permissions) of the user who runs it. If I'm running a game, there's no reason why it needs access to my tax spreadsheets, etc...
All software should be running under its own identity and access to user documents should be through standardized user interfaces... i.e., the 'File Open' dialog is actually a part of the OS not the application, and also grants temporary permissions in addition to just selecting a file.
We talk about the principle of 'least privilege' but in practice (with a few notable exceptions) the 'low-privilege' processes have the most important privileges of all: access to all our stuff.
Yes it is, because even if the browser didn't have everything but the kitchen sink in it, it could still (for example) have a buffer overflow bug in an image decode library. When that bug gets triggered, you want that process to be "nobody."
> 2010 will be the year that software vendors get religion about sandboxing...
A prerequisite is that software vendors will get religion about security. Haha.
The fundamental problem is that users want their computer to do things. They want responsive rich media web applications, so the conventional wisdom to turn off everything but HTML rendering causes their computer to not do stuff it used to be capable of. The second problem is that in order for computers to do things, particularly in networked environments, processes could be working with trusted, semi-trusted or untrusted stuff (be it content, code, whatever; it doesn't matter for the purpose used.) When security tools attempt to figure out what ought to be trusted or not trusted and get it wrong, you either do something unsafe or you block the user from doing what they want to do (even if you or I would consider what they want to do as foolish or downright dangerous.) When users are expected to indicate what is trusted or not trusted they generally lack the insight to know what to pick, and vendors are at peril of designing annoying software that provides little true security if users always click "yes", causing the unsafe action to happen, or prevents their computer from working as expected if they always click "no." Sandboxing can be effective to limit access to other applications' data, but can greatly limit interoperability and requires the developer to make some decisions on behalf of the user, or makes the developer ask the user how isolated the process is from other resources in a way that is meaningful, so that they can understand what the consequences in either case will be if they approve (ideally at setup).
Then, clearly, 2011 will be the year of the Sandboxed Linux Desktop.
Sandboxing means that once the attacker has used an input exploit to own the process, it has to perform a privilege escalation exploit to get out of the sandbox. The problem is that applications running in sandboxes have to be able to write files, read files, load and install plugins, execute helper applications, and generally do just about anything a regular application has to. So the sandbox can't be very "strong".
Instead of adding a leaky sandbox, how about reducing the surface area exposed to attack in the first place? Simplify the application. Get rid of things like XPI in Firefox and ActiveX in IE. Get rid of the need for third party plugins like Java and Flash (HTML5 goes a long way here). Get rid of the ability for network apps to masquerade as local apps (there's no reason a web page should be allowed to remove the status and address bar, for example). Don't even *offer* to automatically open a file after downloading. Remove that option from the browser completely. Get rid of Acrobat and other plug-in document viewers.
Yes, this might make it less convenient for websites to "wow" the user. So what? I'd rather be safe than "wow"ed.
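The post a little further up proposes that the File Open dialog belong to the OS and grant a temporary permission as a side effect of the user's choice, and the post just above objects that a sandboxed application still has to read and write files. The usual reconciliation is a broker: the trusted side opens the file the user picked and hands the untrusted worker an already-open descriptor, never a path. The following is an added example of that pattern, not code from either poster. It is POSIX-only (it relies on `subprocess`'s `pass_fds`, which controls what the child inherits), and the sample "document" is a constructed temp file. Note the caveat in the comment: inheritance control is not confinement; the worker could still call `open()` itself, and stopping that is the job of seccomp, namespaces, AppArmor or SELinux around the worker.

```python
import os
import subprocess
import sys
import tempfile

# Untrusted side. It is started with a descriptor number on argv and reads
# from that descriptor only; it is never given a path and cannot choose one.
WORKER_SRC = r"""
import os, sys
fd = int(sys.argv[1])
chunks = []
while True:
    b = os.read(fd, 65536)
    if not b:
        break
    chunks.append(b)
data = b"".join(chunks)
# The risky parsing of untrusted bytes would happen here, inside the worker.
# Only a small summary goes back to the broker over stdout.
sys.stdout.write("%d %d" % (len(data), data.count(b"\n")))
"""


def broker_run(path: str) -> tuple:
    """Trusted side, standing in for an OS-owned File Open dialog.

    Opens the file the user chose, then starts the worker with *only* that
    descriptor inherited (pass_fds together with close_fds=True). The grant
    is one open descriptor for one file, not a path and not the filesystem.

    Caveat: pass_fds limits what is inherited; it does not stop the worker
    from calling open() on its own. Real confinement (seccomp, namespaces,
    MAC policy) has to wrap the worker process.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        proc = subprocess.run(
            [sys.executable, "-c", WORKER_SRC, str(fd)],
            pass_fds=(fd,),
            close_fds=True,
            capture_output=True,
            text=True,
            check=True,
        )
    finally:
        os.close(fd)  # the grant ends when the broker closes its copy
    size, lines = proc.stdout.split()
    return int(size), int(lines)


def demo() -> tuple:
    """Constructed input: a small text 'document' written to a temp file."""
    content = b"line one\nline two\nline three\n"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(content)
        name = f.name
    try:
        return broker_run(name)
    finally:
        os.unlink(name)


if __name__ == "__main__":
    print(demo())
```

This is the shape Chromium-style browser sandboxes and privilege-separated daemons use: the privileged half makes the policy decision (here, "the user picked this file"), and the unprivileged half gets a capability-like handle to exactly that resource and nothing else.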
Also, Sandboxie has another interesting use-case that isn't really mentioned.
Sandboxie is GREAT for making pretty much any application portable.
How annoying is it when programs need to be reinstalled because you reinstalled the OS and it no longer has any registry items?
Well, no longer, install inside sandbox, backup before reinstalling, copy sandbox back over, bham.
Of course, applications that depend on USER keys won't work. Only solution there is to write a script to replace the key IDs with the current users ID.
I might write in to the developer to see if he could possibly add a tool in to do this automatically.
There is plenty of sandboxing technology out there, but few are willing to use it.
I had some discussions on the Haiku OS forums about using some type of application virtualisation or sandboxing as a way to take care of OS level security. Links to these are Here... and Here.
There are many ways to skin a cat, but it's almost impossible to find the "best" way when you are trying to balance security and user experience.
I herd u like sandboxing, so I put a sandbox in your sandbox so you can run in a sandbox when you're running in a sandbox.
Sandboxes usually get filled with cat scat. We'll have to see what happens with software sandboxes, but definitely the term they were taken from - playground sandboxes - sure don't stay clean.
obligatory
Per my subject-line above?
http://www.sandboxie.com/
Now, from what I understand as to EXACTLY what it does & how it works? Well, what it does, is use a FILTERING DRIVER to "intercept" interrupts that send calls to the OS & filesystem to do writes to your local Hard Disk Drives, creating a 'virtual HDD' (really a set of folders, wherever YOU choose to place them also, mind you)
For that? Well - I use a solid-state drive called a GIGABYTE IRAM to do this, less latency this way (because unfortunately, this DOES add somewhat of a speed hit to things if you use a std. mechanical HDD, even IF it's, say, a 10,000rpm 16MB-buffered WD VelociRaptor)
That's "sandboxing", in a nutshell, WITHOUT the use of a VM...
(Folks MOSTLY tend to use it for internet surfing with a LOT more safety, & today/nowadays what with javascript exploits & such being foisted on us potentially @ least? Makes sense... but, it's NOT just restricted to webbrowsers either, so you all know this "up front", and, it works pretty well!)
APK
P.S.=> I suppose that *NIX folks MIGHT call it analogous to a chroot jail, but... well, there you are: Basically a GUI model of chroot, albeit for Windows rigs! apk
Even in Windows.
My home system? Windows XP. And I use VMware Player to access the internet. And nothing else. That's the trick. Towards that end here's what I've done:
Step 1. I got a USB 2.0 10 Base T network doohickey. Then I plugged it in to my Windows box. It has never heard of the thing and wanted a driver. Cool! Step one - passed. There is no way my main machine can use this thing to get on the net. FWIW, if it had known how to connect to this thing I would have gone and found the INF file that describes it and erased that. For part one the main thing is to have a USB gizmo that can connect you to the internet, and make sure your machine cannot use it. So for all purposes my main machine is not on the net.
Step 2. I load up a VMware Player machine (also XP) and disconnect the virtual network adapter, so there is no network link between it and the host machine. Just in case the VM gets owned. Then I have VMware transfer the USB device to the VM. And I install the USB driver there. And there *only*.
Voilà! My main machine is 100% off the net, and not able to be owned. But I can still get on the net. I'm *sandboxed*. Zip up a copy of your VM and restore it every so often and Bob's your uncle. Be sure to save off your bookmarks and email to a shared folder. And if anything icky happens to your network VM, a full restore is just a file copy away.
The only thing this doesn't work well for is online gaming. You won't be able to WoW with this setup. Well, you won't be able to do it very well. I'd imagine the game would suck in a VM. But since I don't play I don't worry about it much.
Weaselmancer
Ridiculous.
"sandboxie... Great program, will NOT work on a 64 bit OS. IT has kept my Daughter's PC free of crap because she refuses to not click on everything and not use Internet explorer... so I sandboxed it. Click on everything, it's all sandboxed." - by Lumpy (12016) on Wednesday January 06, @03:32PM (#30674480) Homepage
Per my subject-line above Lumpy, again: GOOD CHOICE!
http://tech.slashdot.org/comments.pl?sid=1500360&cid=30676292
Albeit, I extolled what I am PRETTY SURE is the "mechanics" of HOW it works, which is via a FILTERING DRIVER (and that's WHY it won't work on 64-bit OS, because it doesn't have a 64-bit driver ported for it... not yet @ least, but, I am sure it will one day!).
I use it myself, albeit, on a TRUE SSD (so its F A S T on writes too, because of how it works? It helps... less latency, & especially on writes to disk!).
It's probably the CLOSEST thing Win32 has right now to a *NIX-style "Chroot jail" basically... @ least in effect.
APK
P.S.=> Again: Good choice on your part though... &, always NICE to meet another "connoisseur" of Win32 freeware/shareware apps also! Glad this post on /. reminded me to look if there was an update, & recently (last month)? There was, so I went "up" from version 3.30 to 3.42, which is usually always good! apk
Well, it's nice if Microsoft and Apple get their desktops upgraded, but AppArmor is standard on Ubuntu and has rules for common desktop apps in place.
You mean like SELinux? Brought to you by the NSA since 2000 and included in the kernel since 2003? I remember when it first became enabled in Fedora and broke all my games that used PunkBuster...
At the same time some people in the industry are talking about sandboxes other people are talking about adding yet more features to the browser so we apps can compete with boxed software. Added functionality nearly always wins over added security, so I expect we'll go into 2011 with even more avenues for Russian mobsters to lift your identity.
Java has had a sandbox since forever, and it's virtually unused in commercial applications. Why? Because it's a pain in the ass to give the user everything he wants when you can't do things like connect to random URLs, use a printer, or open ports.
Why not just create a highly restricted user account and setup the IE icon to launch as that user? Pretty simple and very fast (no performance hit at all). Deny write and delete access to all drives, deny write access to the registry, remove all privileges... that should do it.
Yes. Linux has many, many things that are pretty cool.
Unfortunately, they haven't had a good all-together tied-in user experience.
Claiming things like "we have chroot" and "we have sudo" and other code/geek-ish type of coolnesses is like claiming that your car has awesome engine with new piston technology, very secure door locks, and can run on almost ANY fuel currently available; unfortunately, the seats are rather uncomfortable and the controls on the dashboard look more like a commercial airliner's cockpit.
Yes, I know it's getting better. That's good. I hope they keep it up and continue to improve issues that apparently many geeks don't care about and many average users do (like flash video [youtube] and audio) and being able to use their iPods and scanners). :)
And you can't drive it into town because it's a boat, not a car. And the "road compatibility mode" is a little wonky.
Can I sandbox DNF on my I-Opener running Linux ?
So give each system process its own user ID. That's how it's done on production servers. Problem solved.
I take it you haven't used Windows or Linux lately; there really isn't that much difference in terms of usability or ease of use. It's mostly the people who refuse to learn how to deal with Windows after a new service pack has been installed.
Drilling holes in the hard drive and encasing the whole PC in concrete and then cutting the power cord works better. Problem is it makes a windows box just as useful as your idea.
I use both daily, along with a few Unix flavors.
There's some major, major differences in terms of usability and ease of use, depending on the distro. I was almost pulling my hair out dealing with Pulse vs. ALSA vs. OSS for sound. Using a half-baked audio solution by default is not a good idea (I'm looking at Ubuntu...).
Flash video was another one of my woes. It was very stuttery when fullscreen on my machine, even though any other video was fine. I'm not sure if it was audio or video related, or even video drivers.
I installed Windows 7 shortly after this on the same laptop (it's my OS "play" machine). I have had no troubles with it whatsoever. It even boots faster (that was pretty surprising).
I'm sure there are other issues; those are just the major ones I ran into.
And I said it had improved. I've used a lot of different distros... MEPIS based, PuppyLinux, SLAX based, PCLinuxOS based, SuSE (and SLES), Ubuntu (and various flavors of it), RedHat (and RHEL), Mandriva(/Mandrake), etc. Haven't really used Debian much, but have used Debian-based ones.
She has a daughter and a husband as well? :p
If you have the skill, and are willing to troubleshoot the process, installing multiple applications on a Windows server is quite entirely doable.
The problem comes from the fact that it's so complicated to get it working correctly and even more difficult to troubleshoot it in the event of issues that you end up with a lower TCO in a virtualized "one VM per app" type of scenario.
I, not having a large amount of Windows licenses or servers to work with on certain occasions (and having worked for peanuts on occasions) have gotten pretty good at it.... But even I will never [again] install Exchange on a multipurpose Windows install.
The whole sandbox idea is utterly broken on all mainstream OSes that I know of, as there are no fine-grained capabilities that are even remotely close to what a capability-based operating system can do. This includes the security circus that is Linux.
We talk about the principle of 'least privilege' but in practice (with a few notable exceptions) the 'low-privilege' processes have the most important privileges of all: access to all our stuff.
What are you talking about? None of my users---whom I've made the embodiment of "least privilege"---have access to any of my stuff...
-- your friendly neighbourhood BOFH
But that's unrealistic! We all know that unicorns are pink and invisible. But by being invisible, the light they emit doesn't fracture in the same way as the sun's, so it couldn't have gone by the rainbow highway.
I think a much more plausible hypothesis is that it was riding a flying pig.
If you are willing to use the 32 bit version (which is all you need for standard desktop stuff), all of that stuff works.
user understand something about the sandbox
Why? The user has no clue about ssh privilege separation and still it works extremely well.
user go through various hassles because of the sandbox
I agree that neither Microsoft nor Linux can do it well, but just perhaps Apple might be able to do it seamlessly.
A flash game has to be a Turing-complete program.
Turing complete does not mean "must have access to whole system".
Actually it means nothing in this context (there exist exactly zero Turing complete systems in the "real world"). AFAIK a PDF can take "long enough" to print that it makes no difference whether it is ever going to halt or not.
But the game you play does have. Or "ls" (dir in Windows), although it needs only read access to directories.
Can someone explain how "sandboxing" is different from what chroot does?
Sandboxes are a tried and true idea, they work well. It's about time
Ummm... didja mean "Sandboxes are a tried and true idea, they work well if Microsoft doesn't write the code"?
Because it seems to me that it's been of no help with IE and Vista/Windows 7. Yeah, in theory, it's a great plan - and probably will work well everywhere else. But the key problem is its ineffectiveness on Microsoft platforms/browsers - but then again, their failures keep business coming in for me. No complaints here. Forget what I said above...
StarTrekPhase2 - The Five Year Mission Continues!
May I point you to: The Thin Line Between 'Victim' and 'Idiot' and The isolate utility
And also a shoutout to lwn.net from whom I've been stealing much information for my Slashdot submissions and not giving them appropriate credit.
I didn't say that it did.
A Turing machine is of course a mathematical idealization. That doesn't mean that theorems about Turing machines don't tell us useful things. There's a mathematical theorem about mathematically ideal Turing machines that says that a Turing machine can't predict whether another Turing machine will halt. The real-world interpretation of this is that if real-world program A is written in something resembling a Turing-complete language (modulo the finite amount of memory, etc.), then in general it is not practical to write another such program, B, that can take programs like A as input and tell us anything useful about their behavior.
The difference is that it's at least theoretically possible for an automatic computer program to look at a PDF and determine how long it will take to print. That's not even theoretically possible in the case of a PostScript file (again, modulo issues like finite memory, which do not invalidate the result for all practical purposes).
Find free books.
When a prediction spurs on nothing but agreement in /. on how to implement it, you know it's bound to happen.
and what exactly is the point of having RAM go unused?
For one thing, on a computer under low load, the chipset or virtual machine monitor can turn off the second RAM stick. For another, some applications do a poor job of figuring out how much free memory should be left available to the operating system for caching and room to start other applications.
Here is how it'd work:
Download and run applications on someone else's computer via one of those nifty remote desktops.
If it has a virus, you don't download and run it on your own computer.
God spoke to me.
I have a separate sandbox user for each application that accesses the net (mail, browser, ...). Each of these sandbox users is in its own group, and thus has access only to their own files and world readable (and eventually writeable, like /tmp) locations. Applications get started from my "real" account with sudo. I wonder why distros don't support that out of the box at least for the browser, because it would be fairly trivial to set up as part of a "create new user" script.
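The per-application sandbox user described in the comment above, written out as an added example (not the commenter's own script); the real user "alice", the app label and binary path are constructed placeholders, and the plan is only printed, not executed.

```shell
# Added example (not from the thread): plan the per-application sandbox user
# that the comment above describes. Names below are constructed placeholders.
# Everything is printed as a plan; nothing here runs useradd or edits sudoers.

sandbox_name() { printf 'sb_%s' "$1"; }

# sudoers entry letting the real user start only this binary as the sandbox user
sudoers_line() { printf '%s ALL=(%s) NOPASSWD: %s' "$1" "$(sandbox_name "$2")" "$3"; }

# the launcher the real account would use (-H so $HOME is the sandbox user's)
launch_line() { printf 'sudo -u %s -H %s' "$(sandbox_name "$1")" "$2"; }

sandbox_plan() {
    # $1 = real user, $2 = app label, $3 = absolute path to the binary
    sb=$(sandbox_name "$2")
    cat <<EOF
# 1. dedicated user with its own primary group (-U) and a private home
useradd -m -U -s /usr/sbin/nologin "$sb"
chmod 0700 "/home/$sb"
# 2. allow only this binary, only as that user; check the file with visudo -c
printf '%s\n' '$(sudoers_line "$1" "$2" "$3")' > "/etc/sudoers.d/$sb"
chmod 0440 "/etc/sudoers.d/$sb"
# 3. let the sandbox user reach the X display over the local socket only
#    (run inside the real user's session)
xhost +SI:localuser:$sb
# 4. launch from the real account
$(launch_line "$2" "$3")
EOF
}

sandbox_plan "${1:-alice}" "${2:-firefox}" "${3:-/usr/bin/firefox}"
```

The sandbox user still sees anything world-readable (and shares /tmp), which is exactly the scope the comment describes; the X display grant is the piece most people forget when a GUI app refuses to start under sudo.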
Yeh, let the user run a dedicated PDF app or Flash app, and maybe idiots would create web pages in HTML
You propose to replace Java applets with JNLP, Flash with AIR, Silverlight with plain old .NET apps, and Adobe Reader plug-in with Adobe Reader executable. But your replacements don't work on a platform that doesn't allow downloads, such as a dedicated web terminal or a video game console. For example, Wii Internet Channel supports in-page Flash but not AIR. So how would a web application work if it requires more low-latency (that is, local) computing power than common JavaScript engines are able to provide, or if it needs a machine feature for which Java and Flash expose an API but web browsers don't?
Not everything that's a web application should be a web application.
On the platforms I'm talking about, everything that isn't a web application must be 1. developed by a sufficiently large company and 2. digitally signed by the entity in control of the platform. This limits smaller entities to making only web applications, which leads to complaining that the API exposed to web applications is incomplete.
I was using the 32 bit, as my old laptop, while a dual core, is one of the early dual core chips from Intel and was only 32 bit :)
Yeh, DRM sucks, and locked platforms suck. We know that. There's a much better solution to the problem of rich homebrew apps on platforms like that, one that doesn't carry with it the implication that huge bleeding maggot-infested security holes are a good idea. I'll let you think about that for a while. I'm sure you'll get it.
Does the next step up from JavaScript on a locked-down platform involve A. switching all our users to PCs, B. becoming a larger company, C. rendering everything server-side and increasing bandwidth use and latency to unacceptable levels (like OnLive), or D. something else? If so, which of the four? If D, please describe in more detail.
Based solely on the subject of your comment, I'm guessing A, but then a $20 product suddenly becomes a $270 product because then we have to bundle a nettop PC and a VGA-to-SDTV scan converter (for CRT SDTV owners) with each copy. I've found that most people who game on a console own a PC but don't own a spare PC to put by the TV.
2010 will not be the year of sandboxing applications. Give that another couple years, I think. System specifications are nowhere near high enough yet to make that a non-tedious infringement upon performance: consumers likely won't stand for it, and they're difficult features to implement (well) anyway. Poorly implemented sandboxing - which could arguably be considered 'infrastructural' to an application - isn't the kind of poorly implemented feature to walk forward with. Poorly implemented features at the infrastructure level = Windows engineering. Please, no.
What I think 2010 will give us: a speedy departure from the Desktop, for both home and business users. The only people still using them predominantly in a couple years will be the geeks, and the setbacks.
To move away from something, there's got to be something to move to... and with that, we've got a whole mess of inexpensive laptops and netbooks, and cellular phones/smartphones.
Most people have very simple Internet "needs". Facebook, email, youtube... that's the Internet to them. Even crappy smartphones (Blackberry, LG) can do that pretty well (albeit somewhat slowly). In the next year we're going to see a slew of smartphones coming out with fast, capable processors, more advanced frontend software, and some pretty impressive specifications.
So my prediction is: 2010 will be the year of smartphone malware and/or use.
I don't think we'll be at the "my cell phone is also my desktop computer" point for another couple of years, but if someone releases a smartphone with DisplayPort or similar technology, well... could be.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
From what I've read over time, it's purely an Adobe Problem. Of course, having stable and modern APIs would go a long way in helping them. It's almost there.
Flash Video, iPods, & Scanners all work much better than they once did, though they have a ways to go still. The things that get me are the "sys admin" tasks like setting a program to start per-user vs once-as-root or once-as-a-user. And if they have a GUI, trying to change it programmatically (since they all save to places and use commands unspecified in the GUI). Then there's the lack of multi-system synchronized actions like settings, updates, etc. Modern homes have 2+ PCs, and the number is increasing.
Science & open-source build trust from peer review. Learn systems you can trust.