Slashdot Mirror
Kaspersky's Exploit-Proof OS Leaves Security Experts Skeptical
CWmike writes "Eugene Kaspersky, the $800-million Russian cybersecurity tycoon, is, by his own account, out to 'save the world' with an exploit-proof operating system. Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran, this sounds like the impossible dream come true — the cyber version of a Star Wars force field. But on this side of that world in need of saving, the enthusiasm is somewhat tempered. One big worry: source. 'The real question is, do you trust the people who built your system? The answer had better be yes,' said Gary McGraw, CTO of Cigital. Kaspersky's products are among the top ranked worldwide, are used by an estimated 300 million people and are embraced by U.S. companies like Microsoft, Cisco and Juniper Networks. But while he considers himself at some level a citizen of the world, he has close ties to Russian intelligence and Vladimir Putin. Part of his education and training was sponsored by the KGB, he is a past Soviet intelligence officer (some suspect he has not completely retired from that role) and he is said have a 'deep and ongoing relationship with Russia's Federal Security Service, or FSB,' the successor to the KGB and the agency that operates the Russian government's electronic surveillance network."
... doesn't mean that Kaspersky isn't still tied to Russian military interests. Proceed with caution.
www.chihuahuarescue.com- Help to end dog abuse, abandonment and cruelty
In other words, I know how to build the perfect henhouse. Trust me. I'm a fox. If there's one thing I know, it's henhouses...
Your 4-function desktop calculator has no operating system, by any accepted definition of the term operating system.
A rigorous definition of "exploit" could be a challenge, and proving an operating system to be safe against them would be a major theoretical challenge.
So start with something easier to assess: prove whether the operating system will halt.
If you can't solve the easier problem, don't pretend to have solved the harder problem.
I can guarantee they will find a way to infect that machine.
Hello,
This is a very interesting move by Eugene Kaspersky. Speaking as both someone who has worked at an embedded systems manufacturer (VoIP telephony gear) and also as a competitor (antimalware) I know that each one has very specialized toolchain requirements and that expertise in one area does not necessarily translate to mastery of the other.
Probably more curious is the timing of the announcement: It seems an odd time for a Russian antimalware company whose founder has close ties to that country's intelligence agencies to announce a new operating system for critical infrastructure tasks, especially since the US House Intelligence Committee is tearing into Chinese telecom gear vendors Huawei Technologies and ZTE over concerns about the security of their products.
That said, while my interaction with Eugene Kaspersky over the past decade has been minimal, he has assembled a world-class group of researchers, and I would have no concerns about running any code written by them on any computer I own were I not a competitor.
Regards,
Aryeh Goretsky
Dexter is a good dog.
This will fly right until the first exploit, after which all belief will be broken. I'm in an optimistic mood: I'll give it a year.
"It's too bad that stupidity isn't painful." - Anton LaVey
Yeah, I think there's a sort of analogue to Godel's incompleteness theorems here, in that any computer powerful enough to be interesting is powerful enough to do things that some stakeholder didn't want and will consider an "exploit." Of course "exploit" is fundamentally a subjective label, so of course it can't be "solved," outside some more formal definition of "exploit" that will inevitably fall short of people's wishes.
I know its not exploit proof but becoming a platinum sponsor and insisting they spend the money on code review. Then make custom modifications to remove all functionality and you should get close.
If the people buying and operating these systems really cared about security I am sure they could piece together a far more secure solution at the expense of cost and convenience from current software.
I think it would be great if he could actually pull this off. He's made himself into a huge target, though. Also, even if he does, our government would never use it, because they'd be worried about spying.
It just shuts itself down on the first attempt to use it. Just to be safe.
Thinking about it further, it might be possible if you make it totally unusable. (No you can't install a browser (are you NUTS?), no you can't download a file, no you can't run a server, no you can't do anything, get away from my keyboard you LUSER!). Should be great fun.
"It's too bad that stupidity isn't painful." - Anton LaVey
is the only way there can be an OS everybody trusts.
There are a lot of levels of trust. For a machine that doesn't handle anything secret or financial data (including personal), Windows is generally good enough, for all its long history of exploits. Even then, many, many people and organizations use it for things that are secret or financial data anyway. Sometimes they get burned that way. A Mac is (maybe) a little better. Linux is better still.
Then there's a level of trust way out at the extreme end. If the secrets are serious enough, you can't trust the system you built it yourself from source and audited every single line of said source. Since hardly anyone can do that, having it audited and built by people you trust (in the case of the government, the NSA, for example) has to due. If it's even more sensitive, the network, or maybe even the machine, should also be air-gapped.
If you have a sensitive use case such as, oh, I don't know, running centrifuges to enrich uranium, should you trust a binary OS that wasn't built by your people to be either secure against exploits or to not be already trojaned? Of course not. Just ask the Iranians. Or the Russians themselves, who had a little refinery trouble during the cold war because of that.
In such a case, you either want your people writing the code, or at least very carefully auditing every single line of the source, then building the binaries from that code. If you don't or can't, especially in the case of embedded systems, you cannot have any confidence that software is even secure against exploits, let alone that it won't turn on you.
Many modern operating systems, from Linux to BSD to yes, even Windows, can be quite secure if you use them responsibly.
The problem is that very, very few people know anything at all about how to do that. Even on slashdot, you have people defending terrible insecure practices because "it's easier". As long as people value the ease that comes with not-thinking over security, there can be no exploit-proof OS.
1 - The cold war is over. Capitalism won (not democracy).
2 - If I had a choice between something checked by the Russians, the US and the Chinese, the only one I would flat out reject would be the Chinese one. I see US spooks as no more concerned with my happiness and wellbeing than Russian ones.
I'll see your Constitution and raise you a Queen.
If it's man made and accessible, it's exploitable.
Thinking otherwise is foolish.
Visit the Arcade Restoration Workshop @ http://www.arcaderestoration.com
Slashdot headline: 'Russian is Russian'
Thanks for underlining the mistake. It's impossible to miss that way.
Your 4-function desktop calculator has no operating system, by any accepted definition of the term operating system.
Some of us are more accepting in our definitions. Or does your definition require that an OS must be something that presents a "C:" prompt?
It's on my 4-function desktop calculator. You didn't specify what the OS had to be able to -do-...
[/obligatory]
Wasn't there at least one book that dealt with how to do tricks by exploiting quirks in the designs of various calculators?
Yeah, I think there's a sort of analogue to Godel's incompleteness theorems here, in that any computer powerful enough to be interesting is powerful enough to do things that some stakeholder didn't want and will consider an "exploit." Of course "exploit" is fundamentally a subjective label, so of course it can't be "solved," outside some more formal definition of "exploit" that will inevitably fall short of people's wishes.
Translation: That's not a bug, it's a feature!
Probably. Still, I subscribe to the idea that the only way to make a computer exploit proof is to either lock it down so that virtually every possible action and combination is accounted for or isolate it with a hypervisor - idea being that the encapsulated computer would be restricted by the hypervisor.
Show me an exploit-proof OS and I'll show you something that hasn't been fully tested.
Although improvements can certainly be made, it's simply not possible to make a useful computer totally exploit proof,
This is because ultimately, the PEBKAC.
It is possible, Kaspersky wrote, because it will not be something for the masses, but, "highly tailored, developed for solving a specific narrow task, and not intended for playing 'Half-Life' on, editing your vacation videos, or blathering on social media."
Odd, I thought blathering was one of his favorite past times! :-)
Something in me thinks that we've been down this path before....
It all comes down to who's watching the watchers....
Linux + SELinux, (SELinux, which was originally built by the NSA for those who don't know enough history to realise) is an operating system with an immutable watchdog. What more do you want?
If you have the source code and the policies, both of which can be externally audited, how can you (As an external person) screw this up?
I remember back in the old old Solaris days dealing with buffer overflows in the driver stack to get remote root, but those days are gone, you would never get that permission to access that executable, let alone open a socket.
If you've got SELinux + policies it's here and it's here now.
Just in case you think this is a pro-Linux rant...
Microsoft have spent a truck load of money on "trustworthy computing" to find new exploits, to the extent that they have honeypots to find new stuff for back testing.
They don't have a watchdog yet, they've started with Windows Defender, but that's nowhere near low level enough yet, and the whole anti-competitive landscape, plus developer buy in (And unfortunately a lot of devs don't know exactly what they're really doing) makes it difficult to say the least. They are still a couple of OS released away from making it work.
Curiosity was framed; ignorance killed the cat. -- Author unknown
I often hear of "Russian hackers" and the hacker scene is supposedly pretty big, and I've always wondered to what extent the government there had a hand in that. Anyone here have any experience with the Russian scene?
And why is the hacker scene so big there?
That said, while my interaction with Eugene Kaspersky over the past decade has been minimal, he has assembled a world-class group of researchers, and I would have no concerns about running any code written by them on any computer I own were I not a competitor.
Regards,
Aryeh Goretsky
"I have little experience but trust him". Why? Considering this article specifically questions the integrity of his ability to be partial, you should say why.
And that is the bigger problem here: Kaspersky, by his own account, wants to change the world as well as save it, and not in ways that appeal to Western thinking and U.S. interests. Noah Schactman, in alengthy profile forWired.com, noted that Kaspersky doesn't like the current level of Internet freedom. He wants it partitioned, with a digital "passports" required for access to certain areas and activities. He advocates government monitoring and regulation of social networking sites.
Can you as a business trust ANYONE who says stuff like that to protect your critical infrastructure/production lines?
Is how McAfee SiteAdvisor flags your site as exhibiting "Risky Behaviour", warning me before even visiting ...
"It's such a simple system though! Surely it's limited to it's base rules, isn't it?"
The qualifier at the end of your statement is a major problem if you mean you'd be afraid to use it because you personally have something to fear because you are a competitor, and therefore might be a target for maliciousness from him. I suspect you meant you can't because you must eat your own dog food, so to speak, but I think the first interpretation is more important. If you even might have something someone else wants badly enough, there are ways to make it happen. So the OS you use is exploit proof? Then they make the maker of you OS build an exploit into it. Either by legislation, or blackmail, or threats, or traitors, there's always a way.
Bull (bull shyte)
The most secure modern operating systems you can get are OpenBSD or FreeBSD. They are based on stable mature open source, and don't have the bloat and featureitus problems of Linux.
--libman
follow the "Ferengi Rules of Aquisition". That way the only thing that's exploited is your wallet.
Mod me up/Mod me down: I wont frown as I've no crown
I wish I had your calculator. Rouge hackers with physical access can cause a DOS attack by install masking tape over my calculator's solar cell and thus prevent useful operations until the tape is physically removed.
greed@All_Evils:~#
"Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran"
I'm worried by this blurring of distinctions in the historical significance of the two events. Whatever your political persuasion, Pearl Harbor was a de facto declaration of war. It was a strike against a military target carried out by a true nation state. The "9/11" terrorist attack was something else. It was carried out by an independent group that at worst can be described as being in an alliance of convenience with some foreign government.
By confusing our figures of speech for two clearly different types of cyberattacks, the danger is that the same counterattack methods will be used for both. Treating "9/11" as an act of war, and not simply as a well-coordinated distributed terrorist attack, led to a trillion-dollar War on Terror. On hindsight did it make sense to send out a nation's armies to deal with a few hundred suspected terrorists? Wouldn't it have been better if the intelligence agencies dealt with the issue, resorting to large military strikes only when the intelligence and situation warranted?
So now will the hometowns/countries of suspected Anonymous members be the target of the same massive disruption of IT services that US would launch in retaliaton for a supposed cyberattack from Iran or China?
One way I know of to be "reasonably" secure would be to have the OS totally in ROM. Malware infections will still occur, but since the entire OS is read only, any infection would not be able to survive a re-boot. Every time you turned on the computer it would be clean. I think this would be an ideal Internet appliance for non-techies or those who just want to visit web sites, do email, play on-line games and stream video. Not quite a "dumb" terminal, but darn close. It would suffice for probably 98% of what I do on-line.
Only major problem would be on-line retail, even a temporary infection could steal your VISA number. I don't have an easy fix for that one.
Really, the definition of "secure" should be "enforces a specific policy with high assurance". High assurance comes from a rigorous development process, code review, testing, etc. For the highest levels of assurance, per the ISO/IEC 15408, there must be mathematical proofs that the implementation conforms to a mathematical model of security. If done this way, it doesn't matter that "any computer powerful enough to be interesting is powerful enough to do [other things]". The point is that the computer can be shown, with high-assurance, to do only what is intended.
I haven't seen any details about how Kaspersky intends to create his secure system, but, if it has any chance at all of success, he'll have to use the well-known principles prescribed by the ISO standard (and older standards, like the old US DoD "Orange Book").
Oh, really? I can make it say "boobies" if you turn it upside down!
Exploit-Proof was one of the main requeriments of OpenBSD when it started 17 years ago.
Right. And I consider my hot and cold water taps in my bathroom to be an operating system.
You are welcome on my lawn.
While it would certainly be nice if this claim were true (I doubt it is), social engineering is a bigger problem and one that, one would think, we could see more benefit in working to eliminate than the benefit we might see from buying some outrageous claim.
I do not respond to cowards. Especially anonymous ones.
Deducing whether the code is safe or not based on the authors' nationality or background is just ridiculous.
To claim that anything is exploit proof requires a level of arrogance and/or stupidity I hadn't thought possible outside of government.
Want to try hacking my abacus?
Sorry, but i hacked your calculator - i entered 0.1134 and flipped it over to deface your screen and say "hello"!
In the last interview with Wired magazine (http://www.wired.com/dangerroom/2012/07/ff_kaspersky/all/), Eugene Kaspersky was advocating securing internet (or a part of it) with something alike state issued IDs. No ID -- no internet. That made me very skeptical, what would it take to use someone else's ID, there might be a new market for such IDs. Not sure his ideas of having the secure OS would work either. From the article:
What is mentioned is Kaspersky’s vision for the future of Internet security—which by Western standards can seem extreme. It includes requiring strictly monitored digital passports for some online activities and enabling government regulation of social networks to thwart protest movements. “It’s too much freedom there,” Kaspersky says, referring to sites like Facebook. “Freedom is good. But the bad guys—they can abuse this freedom to manipulate public opinion.”
There's no such thing as "illegal download"
This idea that we could build a magical "exploit proof" OS if only we want to bad enough is stupid. While some exploits happen because of stupid design decisions, far more happen because of simple unintended consequences.
With an OS you are in the difficult position of needing to offer access but trying to keep out unauthorized access, and to do so in an ecosystem of arbitrary software on the system. That's a real hard problem to solve. Any time you build a door, it can be used for both wanted and unwanted visitors to enter through.
So sure, you can completely secure something by completely securing it from being accessed, but then it isn't useful. If you want to have an OS that connects to the Internet, which is totally wild and untamed, and you want to be able to have end users install arbitrary software, and you want to let it be used in arbitrary ways, well it'll be open to exploits. Design as carefully as you like, something unintended will pop up at some point.
The more you lock it down, the more secure it'll be, but the less useful.
There's no magic bullet, were there, it would already be in use. It is all tradeoffs. That's why some systems that need to be really secure are in a situation where they can only run verified code, and they are not on public networks and can only be accessed in specified ways and so on. Even that isn't perfect, just better.
People need to understand that digital security really is like physical security: There is NO perfect security. There in only defense in depth, practice monitoring and mitigation, and eternal vigilance.
type in 58008 then turn it upside down: I just exploited your calculator with pornographic malware!
OpenVMS. Severe security. Very much proven. Its here and ready to rock. How could a russian anti virus maker possibly create something from scratch that rivals VMS or SELinux? It would take his company many many years and take some serious brain power to solve a problem THATS ALREADY BEEN SOLVED.
Super secure systems exist. They are (nearly) attack proof. They just aren't Windows.
What is his market? Those who need this level of security HAVE IT. The NSA isn't going to run out and buy his stuff anytime soon.
In theory? Yes. Without oversight or public code review?
Heh. ...
Wait, you were serious?
exploit-proof OS
No OS can be exploit proof if is an algorithmic system, i.e., a Turing machine. Why? Because time is not an inherent part of the Turing computing model. The most important part of a secure software system is timing. No system can be reliable and safe unless it provides a deterministic way to impose which operations should occurr concurrently and which should occur sequentially.
Kaspersky's OS will fail miserably unless he reinvents the computer such that the timing of operations is deterministic. With a deterministic system, it's easy to detect intruders and malfunctions because every intruder and bug will invariably mess up the expected timing and trigger alarms created automatically for that purpose.
But in order to properly reinvent the computer, Kaspersky must first solve the parallel programming crisis.
F.U.D.
Sure its a binary system with a manual (as in hand-based) power supply.
As a child of the 70's and 80's, that combination of words still seems weird to me, it still strikes me today as a bit of an oxymoron.
What's a Star Wars force field? I've heard of Star Wars deflector shields but never any mention of force fields. Perhaps the author was thinking of Star Trek.
I think we all know that the Death Star shield was not impenetrable... All it took to take it down was a small group of rebels and a clever social hack (aka, "we've got the rebels on the run, sir!")
No sig for you! Come back one year!
Come on man, it's 2012. Are we still misspelling "rogue"?
There is a difference you you know. Not that it would change who you bomb though.
No, he was referring to a sect of hackers who wear bright red lipstick while performing DoS attacks against calculators.
Doesn't seem like odd timing to me at all. By all accounts the US, possibly along with Israel, have launched attacks on civil nuclear infrastructure of Iran, infecting Buhsher plant along with other locations. Who knows what MAY have happened when nuclear equipment goes on the fritz due to cyber attack. AFAIK, initiatives towards Russian OS have already been initiated for smartphones for Russian government employees, as well as interest in backing other general purpose OS. A secure OS for critical infrastructure would only make sense.
As someone who's known Aryeh professionally over many years, I do know that he's well qualified to make these comments.
While I've never worked for a competitor, as he has, I have been at times extremely active in the antimalware circuit and do trust Kaspersky software. They're good people, and smart as hell, just need to work on improving their products some.
That aside; Hey goretsky, long time no see :)
You will be baked, and there will be cake.
Oh yeah? Well I got an easter egg on any basic calculator!
Wanna see who really made that calculator?
Enter 71077345 and turn it upside down!
Linux + SELinux, (SELinux, which was originally built by the NSA for those who don't know enough history to realise) is an operating system with an immutable watchdog. What more do you want?
SELinux wasn't intended to be highly secure. It's an add-on to Linux, after all, not a new OS. The purpose of SELinux was to get a mandatory-security system out and widely used so that applications would be written to run under tight restrictions. Read what NSA originally wrote about it.
A big problem with secure operating systems is getting applications to run in a secure environment. That means saying "no" a lot. No, your game can't find out what else is running. No, Photoshop can't snoop the LAN for other instances of Photoshop with the same serial number. No, you can't run code in a spreadsheet attached to an email. No, you can't have a browser which has pages from multiple sites in the same memory space. That's what it means to have a secure OS.
The hope of SELinux was that applications would gradually be rewritten to run under tight restrictions like that. It didn't happen.
Look how much whining there is whenever Microsoft tightens up Windows. Users will choose ad-supported games that phone home over security.
Want to try hacking my abacus?
Abacus, meet my hatchet.
What he's saying is he wants to limit the traffic to critical infrastructure much the same way you are required to have a ticket to board a plane. That system keeps lots of unwanted people off of planes, and while some bad apples may still board, many, many, many more do not. That is exactly what you want from a security standpoint--not a complete lack of restrictions.
Russia and Russian firms probably have as much reason to want to build truly secure systems as the US does, and let's put our cards on the table here: No one should trust the US to make truly secure software anymore than they should trust the Chinese. If their parts didn't come from China, you still have a government that can't help but keep it's dirty little fingers in everything. Even the open source movement isn't safe. Even discounting the possibility that a corrupt entity infiltrates a team, a corrupt entity is free to fork code almost on a whim without oversight or authorization, and they can use techniques used in the obfuscated code contests to make their malware look legitimate.
So, maybe you can keep pretending to know something about security, but I certainly won't trust what you say about it.
Of course "exploit" is fundamentally a subjective label, so of course it can't be "solved," outside some more formal definition of "exploit" that will inevitably fall short of people's wishes.
Exploits are like weeds. If it's my garden and I don't want it growing there, it's a weed. If it's my computer and I don't want it running there, it's an exploit, or a virus, or malware, etc.
title says it all. I don't even understand how the news can be expressed this way on /.
If you accept a closed source, get yourself a Blackberry Playbook.
With signed bootblocks and full disk encription, it's definitely unbreakable, an appliance indeed. Lost it, buy a new one, reload all bought apps for free, reload file backup and just forget the thief.
When comparing to what I had to do when we were stolen our last Mac, it's really like living in a different world.
Then it's still closed source.
I have one, while patiently waiting for the first Linux tablet.
Sounds like what I have started calling "My Law of Program Bugs", which states that no program of sufficient complexity can ever be bug-free. That somehow regression testing and simulation can never encompass the entire possible realm of user stupidity, and once you reach a certain level of complexity, that you will _never_ be _totally_ sure your program is _completely_ bug-free, or there is some obscure combination of seemingly impossible conditions that will screw it up, or expose a hidden bug.
-- You are in a maze of little, twisty passages, all different... --
Allow me to explain further. My direct interaction with Mr. Kaspersky has been minimal—it has been several years since we exchanged emails. He is the CEO of a security firm that clocks in at a sizable fraction of a billion dollars, and I'm a researcher at a smaller competitor. On the other hand... I interact professionally with his researchers on a regular basis and we all go to the same conferences and so forth so there's more face time at that level.
From everything that I have seen, we all want the same thing: The ability to use our computers safely without fearing malicious activity on (or towards) them. Now, the means towards that end may differ, and I would imagine our sales and marketing departments probably don't care for each other much, but at the end of the day, I would say pretty much all of the antimalware researchers that I know in the industry want that to happen.
Regards,
Aryeh Goretsky
Dexter is a good dog.
Why don't they build upon sel4 from Open Kernel Labs (which has just be acquired by General Dynamics). sel4 has already been mathematically proven to be secure.
I do indeed avoid running or even looking at any competitor's antimalware product. A large part of that (the largest part, as a matter of fact) is because I believe my employer's software is the best. After all, if I did not believe that, I would not be working for them, would I? But the other part is because I have been deposed in numerous patent lawsuits over the years, and the last thing I want to do is get dragged into another one because of something I did.
I hope that explains things with sufficient clarity.
Regards,
Aryeh Goretsky
Dexter is a good dog.
Well yeah sure, given physical access. Physical access is a whole other ballgame as opposed to remotely hacking into that abacus and making it your own. Multi-user workgroups can get complicated though, while they do have advantages. So does cloud-computing from a distance.
Get real.
You can't be ahead of the curve, if you're stuck in a loop.
If he seriously wants to brag about his exploit-free OS, let him put it out there in the world. Better yet, let us look at the source. Anything else is just words. Let's see the code.
... the real reason is you can have computers delay and analyze all incoming requests then pass the data on to the 'real computer' or you can keep your computers off the net and whitelist what it can communicate with. The only failure being the human element (who has access to your computers).
You can have high performance or tight security, pick one. The more "secure" you make a computer the more time you spend in observing and analyzing requests.
An operating system is just an interface between the programs and the hardware. You can make a computer without an operating system if your programs just access the hardware directly. That is ok if you only write a few programs, when you need to write more it helps to produce a library of common routines to simplify programs access to the hardware. Something like a C: prompt is not the OS rather it is a program running on the OS that enables the user to load different programs into the computer.
In older computers you could write a program that accessed the hardware directly. On modern computers the OS can allow more than one computer to execute at the same time (even if in timed slices) because of this the OS restricts access to the hardware and you can no longer write programs that directly access it unless you remove the operating system first.
A device like a 4 function calculator is designed to only run one program ever so it makes no sense to use an OS. Just make the program access the hardware directly.
The range of comments left on this thread provide insight into just how miserable the "state of the art" of secure computing has become. Its sad that practically none of the comments here reflects what research was done in the 60's, 70's and 80's to consider whether it was possible, and if so, figure out an approach to accomplish it.
The goal of the effort that led to the Trusted Computer Security Evaluation Criteria (TCSEC) was to figure out a way for the U.S. Department of Defense (the NSA) and intelligence agencies to buy software and computers from the KGB, and to be able to trust they were secure for use to manage the cryptograhic keys and control systems for the nation's most precious secrets (think ICBM launch codes). The fact is, they knew that's what they were doing, at the time - because there was no way to know what manufacturers and developers in their supply chain had been infiltrated by the KGB. The question was not whether this vendor was good or bad, but whether computers could be used securely (with confidence they were secure) at all.
The science recorded there, in the Rainbow series, is the codification of much or most of the knowledge, methods and processes necessary to create verifiably secure systems that are useful and perform valuable work.
Reading that, some will immediately start talking about "secure bricks". Go ahead. In today's world of commodity computers, your first challenge is to figure out if your computer is ever actually inert. If some one else on another computer somewhere can flash your BIOS or update your OS while your machine is turned off, just what do you think you're secure from? Today's commercial computer industry has grown up with deliberate ignorance of, and total lack of customer interest in high assurance security. I know because I came out of that industry.
Yes, the need for Trusted Hardware was addressed in the TCSEC. That's where "Beyond A1" would take you, to A3, if you will. In the absense of that, don't run hardware that creates a haven for autonomous, untrusted software to have unimpeded access to your system memory. Like video cards with graphics accelerators that can bypass hardware memory managers.
Note well - I'm not saying you can't use graphic accelerators - I'm saying you shouldn't use ones that deliberately bypass every attempt to use hardware security features you put into place to enforce security. Or, build your accelerators on chips that can be built using verifibly secure (from deliberate subversion) foundations.
There is a large, influential cadre who believe that the only way to secure data is to encrypt it using custom-made hardware.
As a result, the manipulation of unencrypted data has been left to the commercial market place, whose developers really only wanted a flat address space everyone could share.
Case in point - the (in)famous argument with Linus Torvolds over monolithic vs modular kernel architectures.
Why are you relating this to a model theory theorem that you don't really understand?
Some of us are more accepting in our definitions.
So what is this definition of yours, then?
Assume:
1) that you aren't (for whatever reason, not necessarily that you're a fucktard and a pompous ass) able to get a job at the better firm, and
2) that you have bills to pay.
It follows that yes, you would.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
... how an eploit-proof OS could be possible, not whether to trust Russians or not.
I am disappoint.
I've met the guy, and he's one of the few who doesn't play ball in the intercept world of "please don't recognise our code as a virus so we can listen in. We're the good guys, honest".
What I see is a lot of conjecture that what Kaspersky is doing cannot be secure because of reasons that have zilch to do with the code in question.
It is very simple: if you want to use it, you will have to have it evaluated by people YOU trust. Stop with the political BS, that has nothing to do with the security of the platform as you evaluate it, only with what you should do with bugs, updates, patches and upgrade (because your eval is only valid for the software as is).
So, get a evaluation company that you trust. If you think you cannot trust something that's foreign, then don't use it. But don't try to tell others it's unsafe because you have no proof.
Facts count. BS doesn't.
Would *I* use it? If I could use and it passed my own audit, why not?
Insert
I confronted the problem of trust when evaluating PGP for private use. How could I be sure that PGP wasn't a ruse sponsored by the US government?
PGP was supposedly written by Phil Zimmerman, a counterculture hero. It's authenticity is vouched for by numerous institutions and academics.But I don't know Zimmerman personally,nor am I familiar with those institutions, nor do i know those academic names personally. On the other hand, i do know that criminal confidence men easily build up phones web sites mimicing trusted financial institutions. They can also easily mimic phony certifications and endorsements from trustworthy people. How could I know that the whole PGP thing wasn't a ruse? Believe what I read on Slashdot? Not on your life.
I concluded that there was only three ways for an individual like me to acquire the trust.
1) invest a whole lot of my time to investigate the certifying institutions and the endorsing academics to verify that they are real and trusted. Then, contact each of them to verify that they really did supply those certifications and endorsements. In other words, iinvest a huge amount of my own time on original research.
2) Find an unimpeachable source of trusted endorsements and certifications that has an unshakable way to communicate with me. In other words, trustworthy. I'm not holding my breath on that one.
3) Believe in the "too big to keep secrets" theory. Huge companies like Microsoft, Apple, and Google have so many employees and so many detractors that they are unable to keep dark secrets. If I use their products and I am careful to avoid getting phony copies of their products, I may feel more secure.
Since number 3 is they only option that works for an individual with limited resources, that's what I do.
Anyhow, the whole thought exercise made me realize the real truth. For end users, cyber security has very little to do with technology. It is almost entirely an exercise in trust.
Some of us are more accepting in our definitions.
So what is this definition of yours, then?
I didn't have a specific definition in mind, but was considering the fact that most computer science has mathematical underpinnings (for example, the Turing Machine). And when you look at almost any problem mathematically and abstractly, you tend to come up with variants that differ considerably from common usage. Which is, in fact one of the best reasons to do so, since the Way We've Always Done Things isn't always the best way for a given class of real-world problems.
I think most people consider an OS to be a program that runs other programs. But I can name at least 2 instances where that is not the case.
Back in the 1970s, one of the better-known names in the minicomputer business was Prime Computer. The primary OS options were known as DOS (Primos2) and DOS/VS (Primos3). But they also had another option: RTOS, the Real Time Operating System. I have a copy of the RTOS manual. Basically, RTOS was a skeleton system where you added custom functionality to provide a bootable standalone real-time process control system.
RIght about the same time, Per Brinch Hansen created Concurrent Pascal. Concurrent Pascal was designed to provide a means of creating provably correct real-time systems by using the concepts he called Processes, Monitors and Classes. Which actually takes us back to the original topic, since a provably-correct system is (in theory) not exploitable. Concurrent Pascal in its pure form didn't require an OS, because - as with Prime's RTOS, the application was the OS. However, instead of providing a set of components to wire together with user-written code, Concurrent Pascal did it all in the VM, and therefore the entire "OS" was user-written code.
I definitely would take exception to the definition that an OS is how applications talk to hardware. Most OS's do at least some form of software resource management as well. Some OS's devote entire address spaces to load-balancing and resource management (for example, IBM's OS/MVS and later products).
Finally, don't forget that the very first mass-market microprocessor: Intel's 4004, was a general-purpose CPU created specifically to be the core of a calculator. If you accept the idea that products like Prime's RTOS are OS's, then the resulting Intel calculator did, in fact have an OS, even if your definition of OS would otherwise rule out the possibility only software could be an OS component and that hard-wired logic circuits could not be OS components in an OS considered as an abstract concept.
Q.E.D.
Weren't they the ones who said they would not flag up the USA secret services keylogger as a trojan/virus, McAffee?
Really. The only problem here for slashdotters in the USA is that this guy may not be beholden to the USA's law enforcement.
Wouldn't this require the OS to be complete or something? E.g. if the OS only turned on a light, surely that's provable secure?
If 1 and 2 were applicable, then it also possible that the person could be unemployed. There would be consequences for being unable to pay bills, of course, but they would still not be working at a place that they believed was not the best, which is what the GP had asserted.
File under 'M' for 'Manic ranting'
Given the uber-paranoid viewpoint of the Dept of Defense on things computer, does anyone know if Kaspersky's AV is not allowed on DOD computer systems? Not that the guys/gals running DOD cybersecurity are perfect and on top of things, but the are paranoid enough to be worried about KAV if they see K's involvement with the Russion government and/or crime syndicates as a potential problem.
The OS is just the basic software you need to use a computer. On a general purpose computer 'use' normally means to load an application. On a calculator, it just needs to handle input and output, so an argument could easily be made that it consists entirely of hardware and OS.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Next time READ the post you are replying to. He said the same thing you're saying (except clearer).
For a given program, there MAY BE a way to determine if it halts. Some programs obviously don't halt, and some obviously do. There are many useful programs that fall into one or the other of those categories. There are algorithms that can prove one property or the other, for some classes of input program. There's just no possible algorithm that can solve this problem (proving that it halts or doesn't halt) for EVERY PROGRAM.
If you accept the idea that products like Prime's RTOS are OS's, then the resulting Intel calculator did, in fact have an OS
This does not follow. An RTOS is indeed an OS, and I work with RTOSes every day, but an RTOS is still a piece of software that has a definition, and you can run an processor without an RTOS. I would assume most very simple calculators do run without even an RTOS. There is certainly nothing about the 4004 in your example that would force it to run an RTOS. It can, and did, run just fine without an OS, RTOS or not.
If you accept the idea that products like Prime's RTOS are OS's, then the resulting Intel calculator did, in fact have an OS
This does not follow. An RTOS is indeed an OS, and I work with RTOSes every day, but an RTOS is still a piece of software that has a definition, and you can run an processor without an RTOS. I would assume most very simple calculators do run without even an RTOS. There is certainly nothing about the 4004 in your example that would force it to run an RTOS. It can, and did, run just fine without an OS, RTOS or not.
In theory, ALL my programs have a definition, even if I sometimes despair of what they turn into in practice. That includes things like the control program that I used to develop for the 8085 that ran a sewage processing plant, or the core software that comes pre-installed in the Arduino and runs the user-written code.
The OS for a basic 4-banger calculator is typically going to be something like a master loop that invokes a keyboard scanning module, numeric encode/decode modules, an arithmetic function dispatcher and arithmetic calculation routines. Some or all of these can be interrupt-driven, depending on hardware design.
I fail to understand why such a program does not qualify as an OS merely because it's a relatively small number of lines of code or because it doesn't allow arbitrary binary code to be installed and run. PRIMOS RTOS systems could be disqualified on both those counts. Conversely, I don't see any reason why the definition of OS should be "control program supplied by a third-party commercial software vendor". By that definition, early versions of Linux wouldn't have made the cut.
/me waves @ AJ :)
Dexter is a good dog.
Hello,
Well, I don't think there are currently any better firms than my employer in the industry. Come to think of it, Kaspersky Lab is probably the closest thing we have to a direct competitor, at least in terms of researchers.
Regards,
Aryeh Goretsky
Dexter is a good dog.
Well yeah sure, given physical access. Physical access is a whole other ballgame as opposed to remotely hacking into that abacus and making it your own.
So he can just throw the hatchet from a distance? Sure, it just needs a better aim, and more skill, much like comparing a remote exploit with a local one...what's your point?
Your use of the term 'physical access' destroys the analogy.
This seemed like a reasonable sig at the time.
...that Kaspersky's PLANS for an exploit-proof OS leave experts skeptical. Or maybe, his "ambitions" or even "promises". At the moment, there's no actual OS to be skeptical of.
That the article questions his integrity doesn't mean anything. I have read lots of articles questioning Obama's birth certificate and when you just want to smear somebody, it doesn't take a genius to figure out what's going on.
First, all Chinese companies have links with government, now Russian companies have links with their government. And they want you to believe that there is some sort of plot behind this. It's like talking crap about Google or Microsoft because they work with (not for) the government. I really thought we were over this propaganda bs, but as long as the Pentagon needs funding, we will always need to create new enemies.
Even if you get the source, can you trust your compiler?
/ The Arrow
"How lovely you are. So lovely in my straightjacket..." - Nny