Kaspersky To Build Secure OS For SCADA Systems

Trailrunner7 writes "Attacks against SCADA and industrial-control systems have become a major concern for private companies as well as government agencies, with executives and officials worried about the potential effects of a major compromise. Security experts in some circles have been warning about the possible ramifications of such an attack for some time now, and researchers have found scores of vulnerabilities in SCADA and ICS systems in the last couple of years. Now, engineers at Kaspersky Lab have begun work on new operating system designed to be a secure-by-design environment for the operation of SCADA and ICS systems. 'Well, re-designing ICS applications is not really an option. Again, too long, too pricey and no guarantees it will fit the process without any surprises. At the same time, the crux of the problem can be solved in a different way. OK, here is a vulnerable ICS but it does its job pretty well in controlling the process. We can leave the ICS as is but instead run it in a special environment developed with security in mind! Yes, I'm talking about a highly-tailored secure operating system dedicated to critical infrastructure,' Eugene Kaspersky said in an interview."

Free with every purchase...

[Splat]

Monitoring and "remote support" by KGB included free with every purchase!

Re:Free with every purchase...

Good point. I'll wait for the Chinese, or the Persians, to come out with their version.

Re:Free with every purchase...

The Persians? Bah! Nothing but Sumerian operating systems for me!

Re:Free with every purchase...

When you say "Monitoring and "remote support" by KGB included free with every purchase!", are you Putin us on?

Re:Free with every purchase...

Sumerians? A bunch of amateurs! If you want a great OS, you have to with a Hittite OS.

Re:Free with every purchase...

[arglebargle_xiv]

Sumerians? A bunch of amateurs! If you want a great OS, you have to with a Hittite OS.

I'm sorry, we're Medes and we're lost in this desert of a web board. Could you direct us to the exit? And sorry about the arrows.

Re:Free with every purchase...

[socceroos]

I was russian to say the same thing but you beat me to it. I'm stalin to think that this whole thing is a hoax.

Re:Free with every purchase...

Sumerians? A bunch of amateurs! If you want a great OS, you have to with a Hittite OS.

I'm sorry, we're Medes and we're lost in this desert of a web board. Could you direct us to the exit? And sorry about the arrows.

As the old saying goes.... .... one man's Mede is another man's Persian.

Re:Free with every purchase...

KGB? That's like saying your computer has core instead of RAM. It's been the FSB for about 20 years now. Same oppression, great new acronym!

This is a good idea with countless benefits.

[Revotron]

They'll never go for it.

Re:This is a good idea with countless benefits.

[jythie]

Yeah.. secure systems tend to be ineffient to use or more work to maintain, so often people just switch off a lot of the security, esp when they are being used/maintained by people who just want to use them in order to complete other tasks.

Re:This is a good idea with countless benefits.

[bluefoxlucid]

I think a Linux system that used PaX would be easy. Actually I used to maintain the list of incompatible apps--mostly Java itself, a handful of other things that turned out to be broken (and occasionally have critical security holes, none of which I personally found)--for Gentoo Linux. Thing about PaX is when something is killed, it's logged, and you get a wealth of debug data--when your program misbehaves, it usually dies from it early and it's easier to find the problem. This means developers have an easier time getting their software more correct, and the system doesn't do odd unexpected things (by bad software or by being hacked and worm-infested), and so the more secure system becomes the more usable system and the more maintainable system.

Similarly, for Unix environments, you could work on building out Minix and bolt on services that supply security guarantees as PaX does, and that interface between the user space utilities and the OS (because the OS Syscall handler is itself a service, you run the program under a DIFFERENT SERVICE) to implement namespaces and act as functional jails--virtualization, semi-virtualization. Services supplied under full microkernels like GNU HURD, L4, or Minix are small and thus easily audited for correctness--and thus improve security.

It all requires policy, of course. The PaX stuff is policy: no write/execute and no !execute to execute. If that crashes the program, you need to fix the program or remove that policy restriction. Semi-virtualization is mainly a file access policy--hide (can't see it), read-through (can see it, writes are redirected a la UnionFS), read-write (can see and change it, object is shared)--and a resource policy--PIDs, network devices/addresses, etc are hidden or shared. It's on the developer to do that, although forced policy on deployment is possible (you can externally generate a policy). grsecurity has always supplied a learning mode that logs and then develops policy automatically, which you can then audit for monkey business.

Re:This is a good idea with countless benefits.

[AK+Marc]

It won't work. SCADA was built off the assumption of physical security. It would take firing everyone who ever worked in SCADA to design the next generation of applications to get anything with security in it. Why would anyone switch to this "secure" system, when it's already more secure (physically) than any "program" can make it?

Re:This is a good idea with countless benefits.

[Chris+Mattern]

It all requires policy, of course. The PaX stuff is policy: no write/execute and no !execute to execute. If that crashes the program, you need to fix the program or remove that policy restriction.

And right there you've put your finger precisely on the problem. Fixing the program is hard--if you got it from a vendor, it might well be impossible. Removing the policy, on the other hand, is easy.

Re:This is a good idea with countless benefits.

[jythie]

And that is the crux of the problem... while OSes have a wealth of security problems, generally when you drill down into break ins, one often finds that the hole was human (or institutional) in nature. Outside unintended consequences, making something secure and making something functional are mutually exclusive (or at least often conflicting) goals that humans will often just turn off security when it gets in the way of doing tasks they need done.

Re:This is a good idea with countless benefits.

[bluefoxlucid]

This is actually not as much of a problem as you think. Programs don't last forever, and they get rewritten a lot. Upgrades. New features. Refactoring, replacement. Remember the shiny new thing is more attractive, so businesses throw out the old and make new just for the sake of being more up-to-date than the competition.

As such, a feature that says "Requires you to disable the security features of your OS for this particular program" and a big scary warning box that says "Program is requesting policy to disable anti-hacker security protections for itself, may be susceptible to viruses and hackers [X]Allow [ ]Deny" will become a blight next to the competitor's app that "Takes advantage of advanced security protections." Eventually everyone fixes the minor bugs that cause this shit, and then everything just 'works' and we simply expect it to.

Your vendor doesn't want people looking at him funny. Fixing the problem is usually easy--with dynamic compilation (Java, .NET, etc) it's fundamentally impossible, but otherwise it's a matter of not doing a certain thing like self-modifying hand-optimized assembly.

Re:This is a good idea with countless benefits.

[bluefoxlucid]

No, that's stupid. As I said, the stricter guarantees that you must follow under PaX-alikes tend to make programs easier to debug. ASLR and W^X policies cause hard failures to happen more often and earlier in the failure process, rather than letting the program off-by-one and get away with it or just hobble along half-dead until it sputters out and dies miles away from where the error actually occurred. Debugger intervention and proper core dumps (with library layouts and other memory mappings) can be used to reconstruct the program state at the time of the error.

That means security makes the system easier to develop correct programs for, in this case. Correct programs are easier to use because they don't fuck up so much. Incorrect programs that run until you do something you really normally wouldn't do will of course get exploited...resulting in a crash because the security system doesn't allow for the basic required functionality that allows those kinds of exploits. There's a log, and the programmer scratches his head and issues a patch ten minutes later, correcting some poor bounds checking.

Re:This is a good idea with countless benefits.

[Platinumrat]

It won't work. SCADA was built off the assumption of physical security. It would take firing everyone who ever worked in SCADA to design the next generation of applications to get anything with security in it. Why would anyone switch to this "secure" system, when it's already more secure (physically) than any "program" can make it?

That's a bit of a stretch. I work in SCADA and it's not the developer's who are the problem. I, myself, harp on about security every other week. However, the marketing and development managers don't give a rats arse. If it's not a new "shiny" or something the competition has, then no money gets put into it.

Even when security is called out in the standards or client specifications, it's usually just security theater. The maintainers and end users don't want security and tend to bypass the token methods implemented anyway.

Re:This is a good idea with countless benefits.

[AK+Marc]

I wasn't talking developers specifically, but usually SCADA is written by engineers and supported by IT, so you'd have to get rid of the engineers that made/designed it, as well as the managers that supported it. There's so much inertia around SCADA, and it started as an electrical spec for monitor, with an idea on someday using electricity to control. The "original" SCADA was electrically driven analogue gauges for monitor, with no control ability. Later, it evolved into a 2-way control, assuming you are in a locked room with the equipment and no external connectivity, so security was not even a passing thought, as if you were in the room alone, you has 100% control of the system in the first place, so securing the voltage on a few short wires was idiocy. I still use SCADA that is nothing other than analog voltage, which isn't securable in any form (increase voltage to increase opening, decrease to decrease opening, output gauge is a voltage, and +12V = 100%, and linerly decreases from there to 0V=0% or sometimes -12V = 0%).

Re:This is a good idea with countless benefits.

[grantspassalan]

Why do critical control systems need to be connected to the Internet? Computerized control systems such as SCADA have existed far longer than the Internet. There is also a difference between allowing critical quantities to be controlled remotely and these same critical quantities being monitored remotely. It MAY be permissible to allow read only monitoring over the Internet, but certainly, critical controls should never, ever at any time under any circumstances, be accessible from the Internet, so that some hacker in Russia, China, Iran or elsewhere in the world can change the parameters of a critical process.

Re:This is a good idea with countless benefits.

[mikael]

It's cheaper to run traffic over an Internet link that it is to buy a dedicated line. Knew one oil company who wanted to run an RGB composite video cable all the way underwater from an oil rig to the head office, just so the CEO's could see what was happening on the control system offshore. Fortunately, the consultants persuaded him that converting the video signal to digital and running that through the existing fibre-optic network would do just as well.

Re:This is a good idea with countless benefits.

[rioki]

Whats the deal?! Modern SCADA systems are secure by them selves. (Save a few implementation flaws, like any other system.) The problem is that the installations often are ridiculously unsafe. You get things like the Industrial Ethernet being switched with the office network, default passwords, the SPS in program/run mode and the likes. The important thing to remember about SCADA systems is that physical security is also part of the deal, who cares about the SCADA systems when you can access the petro chemical plant directly. I think the entire issue is overblown after Stuxnet and every security researcher wants to pitch in. The real weak spot are the engineering machines, which mostly run windows and are probably connected to the internet. You all know what that means. But apparently nobody ever considered this bit in the debate. Oh yea, how did Stuxnet work, yes it infected the engineering machines and altered the program and config. After that the program and config was totally valid in itself, thought not what it was originally meant to do.

Re:This is a good idea with countless benefits.

[AK+Marc]

The engineers are the worst, almost as bad as doctors. They have a "technical" degree, like a degree in petroleum engineering makes you an expert in computers or programming. So they'll develop the thing themselves then demand the IT department hook it up to the network, and the IT manager doesn't want the fight with the COO, so yes it goes. And they are one virus away from a serious problem.

Re:This is a good idea with countless benefits.

[jythie]

Stricter programming tends to fall by the wayside as soon as development encounters things that the requirements make more difficult to prevent completely since, even if underwriters are putting pressure on, there is usually a more dirrect pressure to get something hacked together and out the door. If you have the luxary of time and funding you can build something using strict methodology.. but in corperate development that is rarely the case... esp when stricter development only covers a narrow class of exploits like PaX does.. leading to debugging that isn't all that much easier (unless the error falls into that specific range) and doesn't lead to that much better security (unless, again, the exploit is in that range). While still good practices, the cost is often seen as outweighing the benifit, and a false sense of security is part of that cost.

Re:This is a good idea with countless benefits.

[cusco]

businesses throw out the old and make new just for the sake of being more up-to-date than the competition.

Not so much for SCADA systems and the like. I worked at a place that still had a knee-high pile of 386 laptops in 2005, because the control program for their half million dollar radio tower wouldn't run on any other architecture. Finding a SCADA system that runs, for example, a power dam which is less than five years old will be difficult, since that's really a situation where "if it's not broke don't fix it" is really, really important. Even something as simple as an access control or video monitoring system will frequently stay in place without being touched for years. We have a customer whose access control system resides on a Win95 box, and which will stay there until the "server" finally dies. Very soon I'm going to be upgrading an access control system whose last update was 2002, and last year I moved one off of NT 4.0 SP3.

Not a problem when the system lives on its own network that touches nothing else in the world. The problem with these ancient systems is that in the name of efficiency they're getting put on the network backbone. Too many executives think that a VLAN is a security measure. Why would they run two separate networks with all of their attendant costs when both apps could run across the same switch? You know as well as I that people who get to make budgetary decisions in big companies don't get their positions by "wasting" their division's budget.

I've been looking for an actual secure architecture, at least for the server, for years. Not an OS like Windows or Linux that acquires "security" by a series of patches slapped on months/years after the fact, but one that is designed secure out of the box. We need to be able to at least secure the environment that these critical infrastructure systems run in, and the app should be prohibited from doing something stupid outside of its own memory space. Once the OS is secure we can start pointing fingers at Siemens and Bosch and the other vendors to fix their own products, but until that happens they don't have a whole lot of incentive to spend the money to do so since "everyone else has the same issue" and they can point the finger for any problems (rightfully or not) at the operating system.

Re:This is a good idea with countless benefits.

[bluefoxlucid]

Narrow class? 86% of the first 60 security exploits published as advisories by Ubuntu were covered by ASLR and W^X supplied by PaX.

Also, as I"ve stated repeatedly, the development changes under ASLR policy are: DON'T MAKE BROKEN CODE (really, the only break here is to assume an address for a dynamically allocated resource is always the same and hard-code it; or subtle corruption that semi-works because generally things don't move around). For the W^X protections supplied by PaX, W^X, ExecShield, and a host of other things, the most common problem encountered by non-broken software is that somebody wrote self-modifying hand-optimized assembly code or, ridiculously, thought they were clever by accomplishing a task with a small strip of assembly they put on the stack. That's actually harder to do than it is to NOT do.

These specific changes have minimal, predictable effects. W^X protections have to be disabled for i.e. Java and .NET, due to runtime code generation; otherwise triggering W^X is either a result of something being very broken--and it will tell you where--or someone being clever writing hand-optimized assembly that self-modifies or loads into a program variable on the stack or heap (neither of which is very clever). In either case, failures are both more predictable (i.e. easier to reproduce) and earlier in the failure sequence (i.e. easier to trace to root cause), meaning easier to debug.

If your argument consists of "well, sometimes, in development, there are trade-offs, and the changes can do some things, but it makes other things happen that have to be figured out, and that can be hard..." then you obviously don't understand computers as much more than a nebulous box that runs programs and sometimes gets a virus. Don't comment on program execution flow restrictions unless you actually understand program execution flow.

Re:This is a good idea with countless benefits.

[bluefoxlucid]

businesses throw out the old and make new just for the sake of being more up-to-date than the competition. Not so much for SCADA systems and the like.

Your entire argument becomes irrelevant because such systems aren't going to upgrade the underlying OS into a "secure OS" anyway. The OS is going to rot away with the underlying program because the WHOLE PACKAGE works, and if management wants it upgraded they're going to want the WHOLE PACKAGE upgraded--why the hell would you move a program from the 90s off an NT4 box onto an XP box? You get a NEW program and install it on shiny new Server 2008r2.

You want a secure architecture without bolt-on bullshit, go microkernels. Thing about microkernels is you can actually bolt-on bullshit without it BEING bolt-on bullshit. The pieces are largely like Legos, instead of like buildings in which you're trying to reenforce doors and add surveillance and alarms. In the very worst case, they're fairly easy to completely rework fundamentally--you can change pieces and wedge the interface in, then move through and correct everything piece-by-piece without getting lost.

Re:This is a good idea with countless benefits.

[cusco]

Actually very few are connected to the Internet, and then only by morons. More often what happens is the dedicated SCADA network gets "upgraded" and put on the corporate backbone by IT executives who think that a VLAN is "just as good" as a private network. This makes it a lot easier for the operator, who no longer needs a dedicated workstation just for the SCADA part of his job and who no longer has to sneaker-net reports from one network to the other, but the utter security failure is obvious to anyone below the level of Management.

Re:This is a good idea with countless benefits.

[cusco]

you can change...

Well, maybe YOU can, but I can't. I just install the stuff and make it work, I rely on folks like to give me the parts to put it together. I don't really **want** to move that 2002 package from NT to Server 2008 or Red Hat version whatever, and then repeat the exercise again in a few years. If the underlying OS is secure enough that it doesn't have to go through a major upgrade every two years (with all the necessary testing and downtime that involves) we can start poking vendors with sharp objects to get them to fix their own products. What we (the people out in the field) really need is a system that we can install and configure and then not touch until time to replace the hardware. The vendors have to remember who their target audience is, and that the vast majority of them are **NOT** computer security specialists.

I'm probably preaching to the choir.

Re:This is a good idea with countless benefits.

[bluefoxlucid]

Well, maybe YOU can, but I can't. I just install the stuff and make it work, I rely on folks like to give me the parts to put it together.

Bolt-on bullshit is bolt-on bullshit because refactoring a huge multi-million-line codebase is really freaking hard. Microkernels and other modular programming designs rely on small, specialized tasks so that the pieces can be shuffled, improved, and have other pieces interposed without the whole system needing a reworking front-to-back. Even Andrew Morton would have an easier time adding stuff like LSM to Minix rather than the (already completed, obviously) task of adding it to Linux.

Micro-modular software can get incremental updates more easily, for example notice you update library files easily enough and they rarely break. New versions of programs, completely reworked, still use the same core facilities in .dll or .so files. Similarly, microkernels like Minix and HURD tend to evolve in such a way that you can test new services individually and effectively upgrade the kernel in pieces. That makes things a bit easier, and security patches a lot easier to target and review (it's in this 4000 line service, these two lines. Not something that has major impact on the other 18 million lines of code, or a small 20,000 line subset thereof scattered amongst the sea of 18 million lines of code, which often happens).

Internet passports

[EmperorOfCanada]

Aren't Kaspersky Labs the bozos who supported Internet passports? That is such a dumb idea that my computer lost 100Mhz just browsing the article. These guys just have verisign envy and want to get between users and hardware in order to charge rent.

Re:Internet passports

> That is such a dumb idea that my computer lost 100Mhz just browsing the article

If you didn't gain it back, on the bright side your system will run cooler!

Just take them off the internet

[Billly+Gates]

Make the client OS use DNS SEC and encrypted traffic for a secure network that is not physically connected to the internet or any network with a gateway to the internet. Why is this so hard?

This secure OS will eventually get compromised too if it has USB ports enabled, physically access to the machine, or be on a network.

Re:Just take them off the internet

All of the SCADA systems I have installed are wireless. A potential hacker doesn't need physical access, they just need to be in range.

True story: The largest wireless SCADA system I did was for an oilfield company. I originally set up passwords made of random letters and numbers, making them as secure as possible. But less than a week after the system was up and running, they complained the passwords were too difficult to remember. So I was forced to change them all to something similar to President Skroob's luggage combination or not get paid.

(The SCADA radios ran Linux, in case you're interested...)

Re:Just take them off the internet

Holy crap! Was the network at least encrypted with a decent algorithm. Please do not say WEP or I will have to fly down and kick someone's ass in. Iran could come in easily and destroy all the equipment. There should be laws against this.

To me a wireless or public network to something so critical is like allowing public access to area 51 or the Pentagon. Security exists for a reason even if it costs convenience.

Re:Just take them off the internet

No it wasn't WEP, and I'm in Canada. Iranians would never survive our winters.

Re:Just take them off the internet

[AK+Marc]

Why encrypt the network if you encrypt and secure the application?

Re:Just take them off the internet

[Billly+Gates]

For one I can install a network sniffer on it to gain passwords. Then upload my own program to interact with the SCADA and destroy your equipment. With slashdot's earlier story of Iran planning a 9-11 like attack on American Infrastructure this is a very real concern.

Even Linux has security holes. They are not exploited on the net like Flash or Java ones but a rogue government or terrorists can use them to gain access.

Re:Just take them off the internet

[ibsteve2u]

Concur. Makes me shudder to think of running SCADA over wireless....even if it were encrypted spread-spectrum technology. Between RF noise and signal injection/interception...lollll...makes my whole background want to throw up. Gimme that fiber!

Re:Just take them off the internet

[Billly+Gates]

Just like the nuclear powerplant disaster in Japan the PHBs and cost accountants only care about costs as in have it all wireless so we can have 1 guy do the work of 20 by having it on the internet instead instead of having someone there.

This should be regulated if SCADA is used for any public infrastructure and one of them is no networking. Even a fiber link can get spliced. It is more difficult and expensive to do but Iran has the dough to do it and would be a target.

Re:Just take them off the internet

[MozeeToby]

There's more than one way to infect a system, and yes, most of them require user stupidity but there is no end to the supply of stupid users. The most commonly described example is to drop a few USB thumb drives in the parking lot with your worm on them, then just wait for some well intentioned (or not) employee to pick it up and either plug it in to see who it might belong to or start using it for day to day activities, such as updating software on the 'secure', air-gapped systems.

Re:Just take them off the internet

[Chris+Mattern]

Make the client OS use DNS SEC and encrypted traffic for a secure network that is not physically connected to the internet or any network with a gateway to the internet. Why is this so hard?

Because management wants the real-time reports on their desks. What do mean it's not secure? Everybody else does it. You're the only one who seems to have trouble doing this!

Re:Just take them off the internet

[LordLimecat]

For one I can install a network sniffer on it to gain passwords

Not if youre using a secure application like SSH, which was his point.

Re:Just take them off the internet

[AK+Marc]

For one I can install a network sniffer on it to gain passwords.

How do you sniff gain passwords of a properly encrypted and secured application?

With slashdot's earlier story of Iran planning a 9-11 like attack on American Infrastructure this is a very real concern.

You give me 20 Iranians willing to die following my every order, and I'll collapse any single industry you choose in the USA. One suicide bombing a week at various fast food restaurants, and after 2 months, the cashflow for Yum! Brands, and McDonalds franchisees, and even Macaroni Grill and Darden, though I couldn't guarantee a collapse of something like McDonalds or Subway, as those are mainly franchised restaurants, but Darden is 100% corporate owned restaurants, and 4 bombings would be enough to send them to bankruptcy. Or electric power grid, or phones, or airlines (attacking the airports on the ground and bombs in luggage that goes off before loading on a plane or after loading but before liftoff would shut down the industry and bankrupt every carrier other than some regional ones).

The US is teetering on the edge, and everything is on the edge of collapse without Iran's help. For all I can tell, the government is spreading FUD now as a pre-cover for unrelated problems. Like a false flag operation, but reversed. We are pretending to see some flag that isn't there, but nobody is actually flying someone else's flag.

Re:Just take them off the internet

[grantspassalan]

Please explain to me how you can destroy equipment, if none of that equipment is connected to the Internet? Why do the controls say for a generator in a power station be made accessible over the Internet?

Re:Just take them off the internet

[Billly+Gates]

Then someone will find another. The point is exploits do exist and the best solution is to focus on the problem. Not the symptoms. That is access. A more secure app or OS just reduces the symptoms that are totally preventable.

Power, telecommunications, water, nuclear, and oil/gas need regulation as dirty as that word is in the US because of idiot managers who love real time reports and remote manageability to cut down on costs. Something horrible will happen one of these days and it will be a very expensive problem to fix.

I do not trust kaspersky as I am sure Russia would love to have its own STUXNET as well.

Re:Just take them off the internet

[Billly+Gates]

Easy to reduce costs and PHB can get their real time reports. If you have lets say 45 oil wells out in the field over a 700 mile area it is much more cost effective to have them on the internet where Bob with IE 6 with is all secure non signed activeX control, can work on each of them and check settings etc.

In the old days you would need 20 people doing Bob's job driving to oil well after oil well doing work, shutting off leaky valves, and documenting paperwork. Nuclear powerplants love internet enabled controls because it reduces the personnel in potentially dangerous areas.

These are targets Iran would love to attack and the State department said are in the process of doing. It seems retarded for safety reasons but it can cut on costs and automated software and do things like shut down values on leaky oil pipes. The PLC in the SCADA can easily destroy the equipment as they instruct the motors what to do.

Re:Just take them off the internet

> . One suicide bombing a week at various fast food restaurants, and after 2 months, the cashflow for Yum! Brands, and McDonalds franchisees, and even Macaroni Grill and Darden, though I couldn't guarantee a collapse of something like McDonalds or Subway,

Sausage or Pepperoni? This is how it begins.

Re:Just take them off the internet

[F.Ultra]

Probably becayse encrypting the network is easier than securing a bunch of applications. Also there are standarads for how to secure a network so buggy and insecure implementations are less likely than with each application developer trying to secure their app.

Re:Just take them off the internet

[ibsteve2u]

Just like the nuclear powerplant disaster in Japan the PHBs and cost accountants only care about costs as in have it all wireless so we can have 1 guy do the work of 20 by having it on the internet instead instead of having someone there.

This should be regulated if SCADA is used for any public infrastructure and one of them is no networking. Even a fiber link can get spliced. It is more difficult and expensive to do but Iran has the dough to do it and would be a target.

Splicing is a mechanical action, and since humans do not move faster than light, that means that you can detect the signal alteration/disruption resulting from tampering with fiber.

I will concede that ability to safeguard the nation's SCADA networks does not rule out the possibility...the likelihood...that one or more CEOs will/have decided that short term profits - that is, increasing the value of their stock options, which is called "increasing shareholder value" for public consumption - outweighs the public's and the nation's safety and security and so the nation's industrial control systems are...Swiss cheese-y.

That - the only priority is "increasing shareholder value" - has been the rule in America since Jack Welch made it so...and he indeed was involved in the nuclear industry.

Re:Just take them off the internet

How does that work when you need to be able to troubleshoot an installation in the middle of the night, when the client is losing $M dollars an hour in production... In another country?

How does that work when you want to use low level process data in your Manufacturing Execution System,or Enterprise Resource Planning solution, to improve productivity?

etc etc etc.

I'm surprised the 'air gap' solution got modded to +5 insightful, because if the last 20 years of industrial control have shown us anything, it's that air gaps don't exist in real world installations. And even if they do, there are a bunch of other attack vectors which can compromise your perfectly 'safe' system, including the elements of the control system itself! The answer is much more measured and subtle than 'durr, just close it off'.

Re:Just take them off the internet

[cusco]

Splicing a piece of fiber can, and will, be detected as a momentary interruption in comms, but will anything be done about it? 99 % likelihood that as long as the original comm traffic resumes as normal the answer is 'No'. Switches reboot, GBICs lose connection momentarily, do you send someone to inspect the entire 20 miles of fiber run every time that happens? None of our customers do.

Re:Just take them off the internet

[cusco]

The worst problems aren't in the hardware or the software, but in the wetware. You can't fix stupid.

Re:Just take them off the internet

[foniksonik]

What's so hard about a one way dump of data? Open an outgoing port and send the data. Block all incoming requests.

(another) BSD fork()?

[i.r.id10t]

Why waste the time in new development. Start with one of the BSD systems (already approved under iso9001/9002 type stuff) and either set up custom configurations, or fix what needs fixing.

Re:(another) BSD fork()?

[gentryx]

Exactly what I thought. Why reinvent the wheel? Shouldn't be too difficult to make BSD real-time capable.

Re:(another) BSD fork()?

[bluefoxlucid]

Minix. It's easier to do a major modification--the fact that it's only basically functional is not an issue, since it's a functional Unix OS without bells and whistles and you're going to be designing and implementing most of the bells and whistles.

Re:(another) BSD fork()?

[buttfuckinpimpnugget]

Agreed, but why beat around the bush? Start with OpenBSD.

Re:(another) BSD fork()?

Once again the OpenBSD clan has stepped forward with a reasonable plan for saving the world, unfortunately as is par for the course with OpenBSD, their chosen representative refers to himself as buttfuckinpimpnugget to which the world replied with "oh god, what is wrong with you, go away, just go away!" and promptly returned to their course of apathetic self destruction.

Re:(another) BSD fork()?

Finally, some sanity. Ignore the dislike of Theo... that is probably just because he didn't want USA DoD stagnation money.

Re:(another) BSD fork()?

It took me a while to realise you were not referring to Theo... or where you?

I like the idea

[kasperd]

I do like the idea of an operating system designed with such security in mind. The operating system is probably also going to require some sort of real time guarantees, but otherwise no requirements for ultra high performance.

As far as security goes, I think one important aspect is transparency. Code running on the operating system should probably not have much freedom to modify the underlying system, but it is crucial that they can see what is going on, such that you can monitor that nothing unexpected is running on the system.

I guess for most SCADA systems the risk of bad stuff happening due to unauthorized changes is a much greater concern than leaking information from the system.

Are Kaspersky the right people to build the OS? Time will show.

Re:I like the idea

[TubeSteak]

As far as security goes, I think one important aspect is transparency.

FTFA:

Threatpost: What are the most important features for the new OS?

Eugene Kaspersky: Alas, I cannot disclose many details about it.

A secure OS shouldn't need to be kept secret.
It should be publicly vetted like an encryption algorithm

Re:I like the idea

[kasperd]

As far as security goes, I think one important aspect is transparency.

FTFA:

Threatpost: What are the most important features for the new OS?

Eugene Kaspersky: Alas, I cannot disclose many details about it.

A secure OS shouldn't need to be kept secret. It should be publicly vetted like an encryption algorithm

That wasn't the sort of transparency I had in mind, when writing my comment. But I still agree with you. However I don't see a problem with it being kept secret in their design phase, as long as it is publicly vetted before being put in production. A bug bounty would also be a good idea.

VLANs

My SCADA network is on a separate VLAN. Remote access via a VPN. How hard is that?
I would be more impressed if they came up with a secure-by-design OS for us to generally migrate into.

Re:VLANs

[cusco]

Ohh, a separate VLAN! Security by obscurity! How innovative!

New Business Model

1) Hype up suggestions that SCADA systems are vulnerable to attack.
2) Build a secure OS for SCADA systems (while knowing full well that no OS will ever be hack-proof)
3) Profit!

BONUS POINTS: Continue with these steps even after it comes out that SCADA attacks never happened in the first place. http://www.zdnet.com/contractor-explains-water-pump-scada-hack-4010024927/

Security through obscurity

[jader3rd]

"re-designing ICS applications is not really an option". If redesigning the apps isn't an option, how would a new OS help?

Re:Security through obscurity

[JWW]

I'm assuming they want to sandbox access to lower level hardware, which can be done with a modified OS.

Except SCADA's a strange bird in that respect. While low level access to network hardware might not be needed by the control interface, low level access to the controllers and monitoring systems is needed.

They're onto something when they're talking about a custom OS. But that problem had largely been solved in the past, until all the engineers and operators wanted SCADA interfaces that ran on Windows. After that security was always an afterthought and you reap what you sow.

Re:Security through obscurity

[Kaenneth]

I would guess the new OS would be binary compatible with the old OS; just like you can run Windows 1.0 applications on Windows 7 (subject to quirks...)

Which would also be why just using BSD wouldn't work.

Re:Security through obscurity

[VortexCortex]

I've made several OSs -- It's not that hard. Protected Mode should have been the end of it, but you see, even hardware has bugs. Perfect software can be vulnerable on different hardware. Just look at any BIOS interrupt listing -- some BIOS interrupts are known to trash certain registers in an undocumented way. If our hardware doesn't always perform per spec then you're barking up the wrong fucking tree when it comes to security... Software is only part of the problem.

Re:Security through obscurity

I've sent several probes to Mars -- It's not that hard.

I've reconstructed several heavily damaged internal organs to working condition -- It's not that hard.

Re:Security through obscurity

[future+assassin]

how would a new OS help?

Magic.

Re:Security through obscurity

[sapphire+wyvern]

I'm confused about what, exactly, is supposed to run on top of this new operating system.

Is it supposed to be a new OS for devices with physical-layer control capability like PLCs (Programmable Logic Controllers), DCSs (Distributed Control Systems) and RTUs (Remote Terminal Units)?

If so, I don't see how it would help, since each of these devices has its own unique proprietary hardware architecture. It's highly unlikely Kaspersky could effectively support the hardware.

Or is it supposed to be for hosting central SCADA servers, and historian/MES server type applications?
This is probably the easiest place to gain some traction, although most of the SCADA servers, historians and MESs I've ever worked with have been based to a lesser or greater extent on Microsoft technologies. For example, the OPC APIs are one of the most common ways of interconnecting server-side ICS software from different vendors, and that's based on COM/DCOM - so it's unlikely to be supported on non-Windows platforms. One way you can make it work is to have the SCADA server itself run on a non-Windows platform which then communicates using a proprietary protocol to a Windows data interchange "gateway" which runs an OPC interface. But if your data interface gateway gets pwned, you might not have gained much from having the main server process running on some kind of ultra-hard OS.

Or is it supposed to be for hosting client applications that humans interact with directly (HMI) for control, monitoring, data analysis, or engineering (configuration/programming/diagnostics/troubleshooting) purposes?
At the moment, the actual operator interface for most SCADA systems are proprietary desktop apps, although there does seem to be a trend towards using HTML5 and other web technology for the operational HMI. That eliminates the need to deploy & manage client software and reduces the dependency on Windows. With appropriate access controls on the SCADA server (DON'T allow access from the internet!), that's not necessarily a problem. But right now, an operator generally interacts with their SCADA server by running a desktop (usually Windows) application which connects to the server. The desktop apps are maintained by the ICS software vendors and for reasons of cost and market penetration, almost all the "modern" ones target Windows primarily and other OSs secondarily if at all.

But aside from the fact that most of the client apps are Windows apps, the operator interfaces generally need to run on a general-purpose OS because analysts need to be able to collate & correlate data from ICS and non-ICS sources, and plant operators need to be able to access other business systems like maintenance planning & dispatch tools, weather data, security camera systems, work plans, enterprise reporting systems, etc. There's no point in collecting extensive data about your operations if you can't actually use it to improve your business's operations!

Basically, you need to be able to run Excel, a web browser, and (for the engineers) more proprietary tools from your hardware vendors for things like configuring/troubleshooting the SCADA hardware.

Web browsers are of course very cross-platform, and non-Excel spreadsheet software does exist (although Excel basically owns corporate data analysis at the low to middle end, at least in the West). But web browsers on all platforms are pretty flakey from a security perspective and almost all the configuration, programming and diagnostic software tools which come with industrial hardware are, again, based on the Win32 or .NET APIs because that's what corporate computers have. There is little likelihood that industrial hardware vendors will be enthusiastic about rewriting all these tools for an exotic new OS. And since the primary design objective of the exotic new OS is security, it presumably doesn't use existing complex and bug-riddled desktop environment software stacks.

Is a WINE + Mono compatibility layer on

Re:Security through obscurity

[gnalre]

If I had the points, I'd mod you up. Basically summed up all I was thinking

The 1970's called

They want their capabilities architecture back.

Re:The 1970's called

[kasperd]

They want their capabilities architecture back.

Capabilities leads to complexity, complexity leads to bugs, bugs leads to vulnerabilities.

To build something secure, you need to aim for simplicity.

Re:The 1970's called

Mod parent up. I can't think of anything more insightful. Needless to say, I agree 100%.

Won't help much..

The problem isn't the os. The problem is the programmers.
The culture, the style, the programming best practices.. It needs to change when it comes to embedded systems that need high security.

You need high standards for these things.. Instead mostly they are still slapped together like the crappiest web apps.

So now you're going to build an idiotproof os?
Well you know what they say about that...

Good - keep mickey out

[shalomsky]

Keep M$ out of mission critical and high-danger environments? Good, and it's about time. Nothing could be smarter.

Re:Good - keep mickey out

http://it.slashdot.org/comments.pl?sid=3189435&cid=41672457

That looks like they are reinventing...

...Linux or xBSD, it would be cheaper and probably faster to move SCADA systems away from Windows.

Coincidence...

...that all the anti-virus firms are from the same area that generates the most of them?

Wired article about Mr. Kaspersky

In case you missed it...

http://www.wired.com/dangerroom/2012/07/ff_kaspersky/all/

Re:Wired article about Mr. Kaspersky

Mod parent up. Toward the end of the Wired article, it mentions this SCADA project.

Good Luck

Best of luck to them, but at the end of the day you need to get SCADA system developers AND integrators on board.

As it stands there are a number of SCADA systems that run on Linux (Redhat or otherwise). It is entirely possible to secure those OSes sufficiently. Combined with an air gap and suitable monitoring you've got a pretty secure system.

The problem comes from shitbox software that requires processes to run as root, installed by people with an electrical engineering background with no experience in IT or security that plug it into the corporate LAN. No amount of secure OS is going to help that.

Re:Good Luck

[mlts]

That is exactly the same problem general desktop computing has. The OS is secure, the hardware is secure, it is the poorly engineered browser addons (and sometimes browsers) which bring the system to its knees from a security persepective.

Yes, this embedded OS is secure, but what gives me the ability to trust it? Old Cold War tensions aside, if someone hands me a lock and says, "trust me, its secure", that doesn't give me much assurance. Having source code available for peer review (even if it is commercial like PGP's source) would go a long way in assuring.

Otherwise, I don't see that much improvement between what it offers, and Linux's AppArmor/SELinux. I do like the fact that writes can be redirected elsewhere which isn't a part of any UNIX OS, but if need be, that functionality could be sort of cobbled together by making a snapshot and having a clone be a new filesystem.

Re:Good Luck

[lennier]

That is exactly the same problem general desktop computing has. The OS is secure, the hardware is secure, it is the poorly engineered browser addons (and sometimes browsers) which bring the system to its knees from a security persepective.

If an operating system is written in such a way that it blindly gives full root-level access to untrusted third-party binary add-ons -- then your definition of "secure OS" is not the same as mine.

Seriously, it seems like in the last 20 years we've forgotten (or deliberately chosen to unlearn) everything we knew in the 1980s about security. The trend then was away from monolithic kernels towards microkernels, because, well, it's the only mathematically possible way to achieve security and reliability. (In the same way that "not distributing the decryption keys with the content" is the only mathematically possible way to achieve secure encryption.) But it was slow, at least back in the days when 4 Mhz CPUs and 1MB of RAM was a lot. So... we threw away security for speed. Raw C/C++ everywhere. And then built an entire global Internet based on operating systems built on a completely non-securable model. That includes Linux. Yes, do let's run native x86 machine code shared libraries everywhere, we can mitigate the damage after the fact with sufficiently clever code signing / virus scanning / patching. Except that, of course, in practice we can't.

Security of arbitrary x86 binaries is as much of a pipe dream as DRM is. It's simply impossible to close all the gaps when you're passing raw memory pointers and rewritable memory blocks around. The only way to do this right is to start from scratch, use a tiny security-audited microkernel at the bare metal level, with a securely designed message passing architecture everywhere above it. It'll be slow, it'll cost trillions of dollars in coder hours to rewrite all the incorrect code we wrote in the 1990-2000s boom, but it will be mathematically provable to be secure and not kill people.

So, of course, we won't be doing that anytime soon. Welcome to the Gibsonian cyberpunk present. System cracking as a videogame where everything is vulnerable and it's just a matter of how much you want to pay the Somalian Pirate Mafia or disgruntled USAF cyberwarfare cadets to buy the latest exploit. I used to think Neuromancer was a ridiculous scenario, that of course we'd fix the obvious bugs before Internet went 1.0; but we didn't, and now we're living the result.

We could have done it right. But we're stuffing up everything else on the planet, why did we expect that software would be any better?

Re:Good Luck

It won't be mathematically provably secure. Mathematicians cannot even agree on whether such a thing is possible. The L4 microkernel people have claimed it has been formally verified (machine checked). This is true, but it only holds for certain propositions (and then you have to be sure your propositions really prove what you think they prove). Proving the correctness of code mathematically for every possible attack vector is impossible.

Re:Good Luck

[mlts]

Even though SELinux and AppArmor provide limits on executables so something that has full root really doesn't, I will agree with you on the general point.

In the 1980s, we had many CPU architectures, with many varying bit lengths from 4 bits on up.

Come the 1990s and 2000s, we ended up with a fairly limited set of CPU architectures in the mainstream. Basically, ARM, x86, x86 with AMD 64 bit extensions, Itanium, SPARC, and POWER.

Yes, they are "good enough". However, these architectures were either designed for speed or squeezing the maximum performance out of every watt of energy used. Security is an afterthought.

I do agree that we need to start from scratch with a new CPU architecture designed from the ground up for security. Real security as stated above -- a microkernel and a proper message passing architecture. Perhaps we might even go on a limb and use the Harvard architecture so there is no way that data can ever be executed as code by accident, ever.

The reason we got to the mess we are in, are two things:

First, the "good enough" fallacy. x86 is cheap, so might as well use that, even though a future F0 0F bug, or even worse, a bug that allows escalation to ring 0 from ring 3 can be possible. Similar with ARM, ARM has "worlds" support which can have stuff run not just on different access levels on the same CPU, but split the security sensitive code to a completely separated, virtual CPU. However, few companies actually bother using this.

Second is the mantra of "security has no ROI/Geek Squad can clean up the mess" which has been the norm in companies. It is far cheaper to sweep the mess under the rug than actually do stuff the right way.

I'm sad to say, but this will keep going on. CPU architectures with security as an afterthought will continue to be the norm. If there is a "cyber-9/11", the only things that will change at a hardware level are added DRM stacks and backdoors, not actual security.

15krpm

[Alex+Belits]

That's how my eyes are rolling right now.

Kaspersky Lab is a company that has its whole business centered around digging through compromised insecure systems. They wouldn't know a secure design if it bit them in their faces.

Re:15krpm

[VortexCortex]

That's how my eyes are rolling right now.

Kaspersky Lab is a company that has its whole business centered around digging through compromised insecure systems. They wouldn't know a secure design if it bit them in their faces.

Man, I've still got this head-ache...
Well, damn, man. Don't you think you should see about getting that bear trap removed from your head.
What bear trap?!

Take your time, please

[netwarerip]

We aren't done completely hosing Iran's nuke program just yet. Once that is completely kaput then have at it!

Surely the military has solved this problem

[davidwr]

But then again, anyone who knows the solution would have to kill you if they told you.

Re:Surely the military has solved this problem

They have. Presentation: Open Source Software and the U.S. Department of Defense (DoD)

Re:"Argue with the numbers" vs. these companies

I'm confused... GP never mentioned a hosts file...

This problem has already been solved.

Kapersky is late to the game on this one.

http://www.integrityglobalsecurity.com/index.html

Is that the topic here? No.

"I'm confused... GP never mentioned a hosts file..." - by Anonymous Coward on Tuesday October 16, @03:11PM (#41672617)

Are YOU on topic?? Again, no...

* Go away - "Shoo", little troll... lol!

APK

P.S.=> Yes - It TRULY makes me laugh to NO END, lol, whenever I post data that the /. trolls can't overcome or disprove & "the best they've got"? See the quote above - mere off-topic trolling, nothing more... lmao!

... apk

Re:Is that the topic here? No.

have you ever posted a comment that didnt have a PS on it?

Hahaha, APK gets the nix trolls all pissed off

So much so that all they had is off topic b.s. and unjustifiable down mods of his post. What's the matter boys? Cat got your tongue versus data apk put up?

Re:"Argue with the numbers" vs. these companies

Uptime is not the same thing as security.

You mean like Linux "security"?

"Uptime is not the same thing as security." - by Anonymous Coward on Tuesday October 16, @03:22PM (#41672753)

Ahem - The poster I replied to mentioned "mission-critical" systems.

Thus, I posted roughly 40 (of nearly 400 I have) high tpm examples in mission-critical/enterprise class environs that MS products did extremely well in & have continued to do so, for years, in.

* So, that "all said & aside"? What IS your point??

I'd also like to add that uptime IS security (the security of knowing your stuff is up & running in a stable fashion...) &, that REALLY securing Windows, is a snap (about 1 hour of work tops).

APK

P.S.=> Lastly, per my subject-line above? Well, ok - here's some "fine Linux security" from the past few years now for you to "chew on":

2012:

Medicaid hack update: 500,000 records and 280,000 SSNs stolen:

http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444

So, what's dts.utah.gov running everyone?

LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov

What's health.utah.gov running too??

YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov

* Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!

===

2011:

KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com

---

London Stock Exchange serving malware:

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware

(I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)

---

DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS:

http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers

---

Linux Foundation, Linux.com Sites Down To Fix Security Breach:

http://linux.slashdot.org/story/11/09/11/1325212/linux-foundation-linuxcom-sites-down-to-fix-security-breach

---

Linux's showing in CA's breached recently too? Ok: (very, Very, VERY BAD for ecommerce, online shopping, banking, etc./et al)

http://uptime.netcraft.com/up/graph?site=StartCom.com

http://uptime.netcraft.com/up/graph?site=GlobalSign.com

http://uptime.netcraft.com/up/graph?site=Comodo.com

http://uptime.netcraft.com/up/graph?site=DigiCert.com

http://uptime.netcraft.com/up/graph?site=www.gemnet.nl

The list of CA Servers BREACHED that RUN LINUX (StartCom, GlobalSign, DigiCert, Comodo, GemNet)... per these articles verifying that:

http://itproafrica.com/technology/security/cas-hacked/

&

http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811

---

The Stratfor SECURITY hack: (can't blame it on poor setup, this IS a security firm that uses Linux)

http://yro.slashdot.org/story/11/12/28/1743201/data-exposed-in-stratfor-compromise-analyzed

What's that domain run? Yes kids - you guessed it: LINUX -> http://uptime.netcraft.com/up/graph?site=www.stratfor.com

Re:You mean like Linux "security"?

Care to list the Windows exploits out there? I could, but it would take several weeks to compile them all.

And as for kernel.org being hacked. It happened, yes. But the kernel itself was not compromised. How do we know that? Because of Git.

Re:You mean like Linux "security"?

Because of git the hell outta here. You know nothing. Nobody does. All I heard for years here was Linux is secure. Look at Android. Who knows how long it was really going on and how large of a scale.

Amen to that

See my subject-line above, and you hit the nail right on the head. All they ever have is off-topic trolling or bogus downmods of my posts that contain data that makes their b.s. look like what it is - bullshit.

APK

P.S.=> It amuses me to NO END to watch the puny /. *NIX trolls have to resort to those things vs. data I put out...

... apk

first, redesign the assumptions.

[swschrad]

assumption 1: we can have remote control work. FALSE. any backdoor anywhere will open.

assumption 2: the vendor is secure. FALSE. any fixed system password is known to somebody bad.

assumption 3: we can use lowest-cost hardware. FALSE. there will be flash drives and dongles and games placed on these machines from who knows where.

assumption 4: we can firewall the net and have Smart Grid work safely. FALSE. it's >ALL fixed passwords out there in StupidGrid, wireless here and there, customer access... it's all bad. all. bad.

dump these bogus assumptions, and reconsider 50s systems management for SCADA... big box in the middle, no intelligence elsewhere, and no connections to anything outside the control room. much more secure.

Won't work -- they'll turn off everything

A lot of SCADA can be somewhat secured. Basic plaintext passwords, networks put inside VPNs... etc.

There *are* buffer overflows and overruns, and registers doing /weird/ not-so-standard things.

But the bottom line is most installs ... have the password left at a default. Or the password is the same across the entire company or given field/factory.

At the first hint of any error or problem whatsoever, the first thing that will happen is passwords will be set to empty, and any encryption will be turned wholly off.

The next thing is the device will be put into world-write mode. And any communication port will be plugged directly into the 'primary' or 'all purpose' communication line directly into whatever logging software or controller they have.

That's the way the hands, bosses, and factory managers do it. That's why SCADA will be insuecre no matter what happens.

It's a people problem that needs to be solved with very public job terminations.

I wish them luck in making a better SCADA O/S, but the root of the problems with scada are social, not technical.

I'm sure there's people who work at big companies that will say there network isn't like this. Maybe they are correct. I suspect, having been subcontracted some of the top-10's -- that their foreman lie to them about the configuration so they can get home at 5 for a cold one. Seen that happen right in front of me many times.

But Windows is secure - NOT!

[hamster_nz]

Those of us who have been around a while will remember Microsoft trumpeting Windows NT's security.

"Microsoft included security as part of the initial design specifications for Windows NT, and it is pervasive in the operating system"

The whole Orange Book / Red book, C2 security level and so on,

They would be better off improving the failings of the existing system, rather than inventing a whole new set of ways to fail.

Re:But Windows is secure - NOT!

The whole Orange Book / Red book, C2 security level and so on,

Yeah, on a particular obsolete Compaq server with CD and floppy drives removed, not connected to a network, so many services disabled it was running basically nothing and likely the keyboard and mouse covered in concrete just to be sure.

So maybe they get lucky and get 99.9% of the bugs

That still leaves a few bugs to interest the bad guys.

Another useful layer would be to build a cpu with a dual stack for each user mode thread.
      One half for the data where things can overflow.
      The other half protected by the hardware for control information to help prevent overflows from happening and causing harm.
      The protected half could contain return addresses and pointer bounds information.

Maybe that will provide a few of more 9's.

Come cross checks in the app might provide a few more.

They will never get to 100%, but if it's more trouble than it's worth to break in, then maybe that's good enough.

TCP for SCADA

[aaarrrgggh]

Wow.... You know what I really want... Trusted Computing Platform for SCADA. Because, hey... If I don't have verifiable challenge-response between a sensor and controller, how can I really trust it. Maybe they can even make the Thunderbiolt connector the standard, with authentication for all the cables! That would be great... Then we could just blame system failure in a bug on the authentication layer!

The need for interoperability is where most of the problems seem to come from. Properly securing and making a system truly bulletproof just isn't always justified.

Secure OS from ground up?

[aglider]

Or maybe Kaspersky will engineer some tightly security checked distribution of Linux/*BSD/Solaris?
Kaspersky should also take into account solutions like L4 or Minix3. I fear that really witing an OS from zero would be overkilling.

ICS?

[SuperMooCow]

Ice Cream Sandwich? Android?

Useless Waste of Resources

I am not sure whether these people realize, but SCADA systems are highly proprietary, integrated, dedicated systems. Very few run on general purpose hardware. Most run on very constrained resources, require certification from safety bodies to put into the field, and have been tested for thousands if not tens of thousands of hours of operation.

The last system I put into operation, was based on a 50 MHz 8051 derivative, with 48kiB ROM and 2kiB RAM. Sorry, but there is no room for "security" from a 3rd party. It is assumed that the SCADA master my product was connected to, was responsible for all security. None of these systems are connected to the internet, either.

Quite a few of the companies I deal with, have built their own SCADA controllers over the years. They are not interested in divulging details of these systems to anyone. They generally contain highly secretive algorithms for controlling processes, optimizing well production, or ensuring flows across different parts of the their pipelines.

But, here's a security firm who has no exposure to real life, who thinks they will go play with the big kids. So reminiscent of http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage.

Good luck with that.

In Soviet Russia...

In Soviet Russia, OS secures *you*!

Re:"Argue with the numbers" vs. these companies

Do you even dream of how many examples that state the oposite, can quoted here ????
London Stock Exchange for one comes to mind ...
Windows and M$ are the CANCER of computer tech ...

London Stock Exchange, eh? LMAO!

"London Stock Exchange for one comes to mind ... -

LMAO - see my subject-line, & this (which you MISSED skimming troll):

---

London Stock Exchange serving malware:

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware

---

I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE there 2 minutes into the job
http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch

AND, crash not only ONCE, but TWICE there?

* Please - make me laugh some more, ok??

APK

P.S.=>

"Do you even dream of how many examples that state the oposite, can quoted here ????" - by Anonymous Coward on Tuesday October 16, @05:12PM (#41674063)

Ahem - Like I said in my initial post here (which YOU skimmed over obviously, troll) -> http://it.slashdot.org/comments.pl?sid=3189435&cid=41672457 I quite LITERALLY have 100's MORE examples of Windows in LARGE academic environs, OR, those in corporate america...

Additionally on this note - You "talk" a lot, but produce ZERO of those examples you speak of but, that's your typical /. troll in action, alobng... lol!

---

"Windows and M$ are the CANCER of computer tech ...????" - by Anonymous Coward on Tuesday October 16, @05:12PM (#41674063)

Sure, kind of like LINUX (especially ANDROID) did in 2011 - 2012 -> http://it.slashdot.org/comments.pl?sid=3189435&cid=41672829

(YOU need to read THAT, troll... & "eat your words"!)

... apk

Re:London Stock Exchange, eh? LMAO!

[socceroos]

It's interesting to study the motivations behind posts like these. I find these posts quite hilarious and to absolutely miss the point.

One the one hand we're told, "don't feed the trolls", and this person is an obvious troll. But, some part of me wishes to implore them to see the bigger picture.

To whoever you are: circumstance should dictate the tools you use - sometimes this means Windows, sometimes this means Linux. You will rarely see Linux running the domain of a large business, but you would equally rarely see Windows running on the planet's super computers. Also, no operating system is secure. There are relative levels of security, yes, but please keep things in perspective.

Personally, I think the OS needs to be reinvented (I'll drool over a realtime, event sourced, distributed microkernel) - but it is prudent to recognize that this is merely one spoke in the wheel of security. Another spoke would be 3rd party applications, another would be uptime - the list goes on. Widen your field of view and smell the roses: everything sucks - make it work the best you can and be smart.

Re:London Stock Exchange, eh? LMAO!

I think it's interesting you suddenly post in defense of an anonymous coward giving away you are that ac and microkernels and their messaging overheads? Give us a break. What'd you read that in some magazine and think it sounded cool but you know nothing about them hands on??

Re:London Stock Exchange, eh? LMAO!

[socceroos]

Oh yes, microkernels and especially event driven ones have high overheads - I just think that the trade-offs in this day and age are worth it. In terms of an event driven microkernel, I haven't really used one for my daily computing, no - but I am very interested in them, I'm a hobbyist in this area (however terrible I may be at it). I completely recognise that there is no silver bullet and that my wet dream of an OS could well be proven inadequate in the long run, but that doesn't change the fact that the industry at large has recognised the shortcomings of current designs.

Re:London Stock Exchange, eh? LMAO!

So much for your suggestions then. You go back on them.

Re:London Stock Exchange, eh? LMAO!

[socceroos]

Which suggestion did I go back on, sorry?

To prevent a Stuxnet repeat

Sounds like Siemens wants to avoid future Stuxnet attacks. And, surprize, the Russians want to help them out.

Kaspersky will get the job

Why? Low pay to the coders is why. I've seen this happen in the Fortune 100-500 before too. CO$T$ ARE EVERYTHING nowadays.

* Personally speaking - I think it'd be STUPID to have a foreign power doing the work here (yes, even IF it's Kaspersky) actually, but... then again, we live in a world of insanity, where the "holy dollar", rules!

APK

P.S.=> A pal of mine rose to VP status @ a LARGE ISP (very large) & his secret? Making projects under budget (not necessarily under the timeframe allotted, as in deadlines) - & how? His secret was what I noted above!

E.G. - He's from Russia, & knew TONS of coders there (and, he's an EXCELLENT one himself, which was such a shame he went into mgt., but, the money was there, & I can't blame him that with a new family started etc.)... it goes on, like mad (or, is not "offshoring/outsourcing" a problem?) - he pay them $5 per hour (whatever the rate was, it was way, Way, WAY below what was allotted for wage-per-hour to the coders), & yet, the ISP was paying out $150/hr. ranges (guess who POCKETED the $145/hr. difference, people...

... apk

oh and

oh and its made secure buy locking it into a box and the users cant touch it...never ever gets a virus again....

Kaspersky is part of the problem...

Kaspersky? Seriously?

It would be like asking a company that sells poor tire patchs in order to fix cheap tires (that shouldn't need patches in the first place btw) to suddenly start building 'Y' rated tire to put on a Bugatti Veyron.

Re:"Argue with the numbers" vs. these companies

I'm bookmarking this one and calling it "The Day of the Devastator". It actually silenced the trolls on slashdot and their fud.

Will only work if we get rid of the biggest issue

[rat7307]

This is all good in theory, but let's not forget WHY we have ended up here:

The Customer.

The Customer WANTED to have Windows based servers, the customer wanted to have integration on to their business networks using Windows protocols and standards.

DCS vendors for DECADES had their own OS's from the PLC up to the HMI , granted they were not secure, but they didn't need to be as they were not externally accessible, nor could they run anything untoward.

When the customer sees this new OS and can't get the data they want on to the managers desktop without expensive interfaces/hardware they will vote with their wallets and maintain the status quo.

I don't believe this will go anywhere.

SCADA/DCS/ICS Vendors will harden up their systems end-to-end and customers will still go and put VNC on their servers negating any work on the vendors behalf.

Qubes: the secure OS

[dgharmon]

"After nearly three years of development, Invisible Things Labs has finally released Qubes 1.0, a Fedora 17-based Linux distribution that tries to be as secure as possible by isolating various applications in their own virtual machines using Xen. If one of the applications is compromised, the damage is isolated to the domain it's running in" link

Android & Linux (pot calling kettle black)

Windows = FAR more used & has MORE users (that make mistakes online at times). Most used = most attacked.

Anyone knows that!

Malware makers do too, so they go after it - from their "economical viewpoint", it makes the most sense

And, guess what ELSE too?

Ah - Just as it does for hardware oems in the world of business, market usage steers product designs too, & from a stable + solid multi-billion dollar company (as in "it's not going to disappear anyday soon" etc./et al!)

Windows has more going for it, in momentum, which is basically everything.

(That's what? 95% of market on desktops + servers combined of departmental class into "mission-critical"/"enterprise class" clustering scenarios with 99.999% high 'transactions-per-minutes' fabled "5-9's" uptime & I showed prime examples of that...)

After all, & above all else - What is most used, IS most attacked, & even happened to Linux, albeit on a diff. computing platform... that's smarphones.

* So, thus: Per my subject-line above - On 'smartphones' ANDROID, a Linux variant, exemplifies the same!

(Exploits galore are EXPLODING on it...)

APK

P.S.=> 1 thing you ac trolls (who have real accounts, but know I'm going to just plain outthink you in the end) give away, is that you're NOT confident enough to post under your "registered 'lusername'", lol, because of it -it really gives that much away! Then again, I've probably/most likely DUSTED you before under said registered username you use here, and you don't want another 'spanking' being attached to that again, courtesy of "yours truly" vs. your technical blunders... Yours, again, here? "POT CALLING A KETTLE BLACK", since a Linux in Android smartphones is getting "dusted daily" by exploits galore... lol!

... apk

Posting truths != trolling

Care to show this isn't truth & on topic -> http://it.slashdot.org/comments.pl?sid=3189435&cid=41674277

?

* By the same token + by way of comparison with YOUR reprehensibly trollish OFF-TOPIC reply?

Bottom-line, & quite succinctly put??

Your trying to insinuate I am a troll is utterly ludicrous, & illogical!

You fail!

(Since I merely stated facts, & you are off topic, "to-the-max" as well as performing a failing illogical ad hominem attack on my person).

APK

P.S.=> Thus, you expose yourself as an off-topic troll, giving yourself away by "projecting" & you blew it, as trolls such as yourself are wont to do, by going off-topic, as well as insinuating I am a troll, lol, I mean - please: You're off-topic and failing in your ad hominem attack on my personnage there, and I'd wager I've been @ computing longer than you've been alive, & done VERY WELL from it, by it, and in it I'd quite possibly wager, before you were ever born using systems of varying natures from desktops to mainframes, hands-on, for years from academia into decades in the professional world - so please, don't call me a troll, & especially NOT for my merely stating facts...

... apk

Re:Posting truths != trolling

[socceroos]

I'm not stating you're a troll because all your information is incorrect - not so. But the manner and circumstance in which you have delivered this information lends yourself to be defined as such.

For the sake of brevity, I'm going to say you're not a troll.

Now, I've read many of the links you've posted and found them quite interesting and informative. What is your opinion of the Linux kernel? Also, what do you think of my opinion of the state of all the major OS kernels out there?

Like I said before - posting truth != trolling

"I'm not stating you're a troll because all your information is incorrect - not so. But the manner and circumstance in which you have delivered this information lends yourself to be defined as such." - by socceroos (1374367) on Tuesday October 16, @09:18PM (#41676751)

The manner was using facts I put up vs. circumstances of b.s. 'fud', posted here -> http://it.slashdot.org/comments.pl?sid=3189435&cid=41672367

(Since I posted concrete, verifiable, & undeniable facts vs. THAT rather utter bullshit that is utter misinformation/disinformation/propoganda, here -> http://it.slashdot.org/comments.pl?sid=3189435&cid=41672457 )

---

"For the sake of brevity, I'm going to say you're not a troll" - by socceroos (1374367) on Tuesday October 16, @09:18PM (#41676751)

First you insinuate I am, then state I am not... that's wishy-washy, & imo, attempting to "placate me" (& all I can say to that is, "jedi mind tricks don't work on me"... lol!)

APK

P.S.=> I think Linux has potential, like any other OS, & I've used it over time (1994 Slackware 1.02, 1999 RedHat 6.x, all of Summer 2010 I used KUbuntu 10.4 - 10.10 while I toured Europe) - but, I always come back to Windows... so, that's what I think of it, in a nutshell by exemplary truth... apk

Re:Like I said before - posting truth != trolling

[socceroos]

Ah, so you're a linux desktop user of past releases? Slackware + Ubuntu/Kubuntu have been the ones I have tried too. And before Web 2.0 I spent most of my time on the FreeBSD command line using lynx! Wasn't maintainable though if I wanted to be involved in the WWW. =D

Just to help out your posts for future benefit (the ones that are concrete, verifiable, & undeniable facts as per your post: http://it.slashdot.org/comments.pl?sid=3189435&cid=41672457), it is worth noting that the second item on that list (NASDAQ) is misleading. Firstly, the comparisons are incorrect since they're not talking about the same transaction method (TPC-C vs TPC-E: http://www.siemon.com/uk/white_papers/08-03-03-latency.asp) and secondly, NASDAQ actually runs Linux for all the real market transactions (http://www.computerworlduk.com/in-depth/open-source/3246835/london-stock-exchange-linux-record-breaking-system-faces-new-challengers/) - they do this at over a million transactions per second (approximately 1,390,000 a second - please note that this is a bit faster than 65,000 per second). It's worth noting that nearly all exchanges run Linux for their core trading platform - that doesn't mean Linux is perfect though!

But I'm not attacking Microsoft Windows! I'm just helping you clear some things up. For example, the last semi-major stock exchange to use Windows was this one: http://www.microsoft.com/en-us/news/press/2010/dec10/12-15directedgepr.aspx

As you can see, Microsoft lauds the low latency of their new system (340 microseconds), but did you know that the latency of NASDAQ's Linux system is under 40 microseconds? That is unfortunately a huge difference in the Trade world: http://www.nasdaqomx.com/technology/marketplacesolutions/trading/

Anyway, I think there are OS's out there that can do better than both Windows and Linux in this area, but that's another discussion. I haven't got time to check all of your other links to verify that they are indeed all concrete, verifiable, & undeniable facts, but I'll leave that to you.

QNX...

Isn't QNX already suitable for this? It has desktop level security and is a hard RTOS. I wouldn't trust linux for these applications from the perspective of SCADA/ICS but from a security standpoint it can be configured well (gotta watch those kernel based buffer overflows though!).

Security and RTOS is a difficult problem, most OSs can't get either of these right... good luck in creating something better than QNX though. If you are successful, please make it affordable as it's the only thing that keeps me from using QNX regularly or a real community like linux or opensolaris had.

Re:QNX...

[moogla]

QNX has had some security issues in the past, weaknesses built-in access control mechanisms and legacy capabilities that I think are dangerous to the uninformed, maybe giving you enough rope to hang yourself.
But he certainly seems to be reinventing the wheel; if security is paramount I'd recommend GHS Integrity RTOS. If you need something more well-known, it's certainly possible to develop secure firmware with VxWorks as a base.

The real security comes from a sound design on top of the COTS product(s), and a workable way to integrate that with external C&C, which is the responsibility of the group designing the whole package, and it can only be enhanced, not enforced, by the developer of the RTOS and other components.

If Kaspersky builds something that, as he claims, cannot be used insecurely, he may also develop something no one would want to use.

It's in C/C++. Can't be taken seriously.

[Animats]

They're writing it in C/C++. What could possibly go wrong? There are already embedded operating systems with reasonably good levels of assurance, such as LynxOS and QNX.

Warning! High level troll alert.

Warning! High level troll alert.

The above post is by a known, high-level ancient troll lord. Attempts to respond or feed him are highly hazardous, and are very likely to trap one in perpetual debate. Under no circumstances should you make eye contact or attract his attention. In case of emergency, it is advised that you delete your hosts file and log out of slashdot.

This has been a friendly internet reminder to not feed the trolls.

An operating system running on what?

An operating system running on what? Usually control systems are mostly 74xx logic chips, and just enough software on a prom to make it work. There may or may not be a processor attached. Most of these systems work on 32k of memory. I've never seen an industrial control system with 64k of memory.

If You Anglosaxons

..could make decent operating systems, there would be no need for the likes of Kaspersky Labs. He is doing the right thing and the anti-commie rants here are disgusting. Mr Kaspersky is not the same as the Kremlin.

Bull

he wants to keep his technology/business strategy secret for the time being, as he is a businessman who has competitors. Wait until it is a product. Then your complaints could potentially apply.

Are you on tppic? Again, no...

When you manage to get on topic, I'll answer your questions...

APK

P.S.=> Until then? Well, you're only showing us your "true colors" (lol) -> http://www.blogworld.com/wp-content/uploads/2011/09/troll.jpg

... apk

Linux can't maintain 99.999% uptime

LMAO - see my subject-line, & this (which you MISSED skimming troll):

---

London Stock Exchange serving malware:

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware

---

I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE there 2 minutes into the job

http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch

BUT, it "CraSheD"... &, not only ONCE, but TWICE!

---

* There is NOTHING misleading about that...

Now - The person I replied to stated THIS? Please:

"Keep M$ out of mission critical and high-danger environments? Good, and it's about time. Nothing could be smarter." - by shalomsky (952094) on Tuesday October 16, @02:51PM (#41672367)

?

1 THING YOU'VE GOT TO TRY TO UNDERSTAND IS, I DO NOT LIKE "MISINFORMATION/FUD" SPREADING.... which is *why* I posted the material I did, to disprove & dispell that poster's bogus notions!

So, please - Give me a break: I posted roughly 40 (& I can do a hell of a lot more than that from other companies &/or top academic institutions too) in production actual shop-floor Fortune 100-500 style companies using Windows in a 99.999% uptime high transactions-per-second volume, 24x7, for YEARS now, coming up on a decade...

APK

P.S.=>There's a reason Linux won't make it on the desktop either: Windows is ALREADY there, & marketshare DRIVES innovation + new designs (since the demand's there)!

Same reason malware makers go after "most used" holds true in business as well!

(So, just like ANDROID, a Linux, on "smartphones" - what gets used most, gets attacked most... everyone KNOWS this by seeing what's happening out there, in reality...)

Plus, in business - devices get drivers for Windows, FIRST, everytime, from oem's of hardware too, just like how malware makers attack it most on PCs + Servers...

Face it - Windows just works, Linux does MOSTLY (but not as completely)...

I try Linux here & there - it HAS grown & gotten a hell of a lot better than it was in 1994, but then, it had the ROOM TO GROW & needed to... still not Windows, yet!

... apk

I'll answer FOR him... apk

"microkernels and especially event driven ones have high overheads" - by socceroos (1374367) on Tuesday October 16, @09:10PM (#41676699)

1st - Ask Linus Torvalds what he thinks about microkernel architecture since you're a Linux fan.
2nd - Face facts: On PC's + Servers combined, "Windows RULES"... due to having drivers/devices of high quality out there first that work well...

* This is NOT the case with Linux for as many types of equipment & many hardware oems don't even produce drivers for said devices where Windows does!

(Being most used, has its advantages, but also has disadvantages of being MOST ATTACKED... just like ANDROID, a Linux, on smartphones!)

APK

P.S.=> You're suggesting SLOWER METHODS of doing things in a time we're speaking of reliability in uptime AND PERFORMANCE too (which your suggestion adversely affects), as well as exploitability in other conversations/debates here...

... apk

Re:I'll answer FOR him... apk

[socceroos]

I guess you didn't answer my question.

Posting facts != trolling

These are undeniable facts -> http://it.slashdot.org/comments.pl?sid=3189435&cid=41672457

APK

P.S.=> You FAIL, troll... & you're off-topic!

... apk

Putting words in my mouth I never said?

"NASDAQ actually runs Linux for all the real market transactions " - by socceroos (1374367) on Tuesday October 16, @10:56PM (#41677543)

Ahem: Did I say they didn't? No. I said MS Windows runs their "official trade data dissemination system", which IS A DIFFERENT ANIMAL but DOES maintain 99.999% uptime, period... for years now, coming up on a decade (and, at HIGH TPM).

* Don't try to "put words in my mouth" I NEVER ONCE STATED... that, ticks me off (& is a LOW "troll-trick"...)

APK

P.S.=> Besides, as I said before also in my other reply to this post of yours? Linux couldn't even maintain 99.999% uptime, & *CRASHED* right off the bat in the 1st 2 minutes of work @ LSE, & then was found spreading malware too (so much for "security on Linux' too, eh?)... apk

(another) BSD fork()? No!

Making a kernel real-time is actually incredibly difficult. You'd be better off starting with a hard real-time Linux kernel and building a super secure OS around it.

an actual secure architecture

[r00t]

Qubes OS, previously seen on Slashdot, ought to do nicely.

It looks like Linux, but it isn't. It's more like VMWare ESX Server. It's a tiny kernel that provides a desktop consisting of composited windows from guest VMs. Each window is labled according to the VM it runs in, with window borders colored according to security compartment.

You answered for me... apk

See subject-line: Now, You obviously use Linux, ask Linus Torvalds his thoughts on microkernels (he's right - as far as performance is concerned with contemporary consumer-grade systems' componentry).

* And, there you are...

APK

P.S.=> In theory, a good idea. In reality? Today, is NOT that day for microkernel architectures & high-performance for consumer grade equipment users...

... apk

Re:You answered for me... apk

[socceroos]

Still didn't answer my question.

Linus Torvalds can... apk

See subject-line above...

APK

Re:Linus Torvalds can... apk

[socceroos]

No, sorry, that doesn't answer my question in any way whatsoever. You still haven't answered my question.

I replied on your ideas ... apk

On implementing microkernels. Ask Linus Torvalds about them!

* That's all...

APK

P.S,=> After all - you DO use Linux... right? Who better to ask, than "the man" himself in that world - forget about "lil' ole me", ask L.T. ...

... apk

Re:I replied on your ideas ... apk

[socceroos]

I'm not sure you understand - even if I did talk to Linus about microkernels it would not answer the question I asked you. You still haven't answered my question.

Why don't you just ask it again

Show me where YOU asked ME this "Question", first. On microkernels, since you're a Linux fan? Ask "L.T."...

* He'll mirror my sentiments...

APK

P.S.=> I offered my sentiments on them, low-performance due to message passing overheads (it's a LOT like the diff. between writing a tty-term/character mode/DOS Window app vs. GUI ones - the performance diff. is @ least 10x better on intensive tasks in the former, & when you go RPL 0/Ring 0/Device Driver-KernelMode, even moreso, by FAR) - in the suggestion you're proposing, it's even worse by far, compounding with interest...

... apk

Re:Why don't you just ask it again

[socceroos]

You still haven't answered my question: http://slashdot.org/comments.pl?sid=3189435&cid=41677587

Wasn't me on that one

Sorry, wrong door - I guess you didn't notice that. I "sign off" on my posts as "APK"...

* There you go!

APK (see)

P.S.=> The post I made to you HERE was this one -> http://it.slashdot.org/comments.pl?sid=3189435&cid=41680345 ...

... apk

Re:Wasn't me on that one

[socceroos]

Yeah, I know that. But it still doesn't answer my question. You're not very good at this are you.

Re:Wasn't me on that one

What question, for Pete's sake? What did you ask I didn't answer??

APK

Re:Wasn't me on that one

[socceroos]

About 13 posts above you attempted to answer my question but you didn't - as you have already stated. So, you still haven't answered my question.

Fine: Ask it again here then...... apk

Fine: Ask it again here then...

(Then, we'll see if I 'failed to answer' - or not!)

APK

P.S.=> IF I did? Well, then just ask it again & I'll do my best...

... apk

A provably secure OS is actually possible.

[jcr]

Look into the work that Jon Shapiro et al did on EROS and COYOTOS when he was at Johns Hopkins.

-jcr