Slashdot Mirror


Kaspersky's Exploit-Proof OS Leaves Security Experts Skeptical

CWmike writes "Eugene Kaspersky, the $800-million Russian cybersecurity tycoon, is, by his own account, out to 'save the world' with an exploit-proof operating system. Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran, this sounds like the impossible dream come true — the cyber version of a Star Wars force field. But on this side of that world in need of saving, the enthusiasm is somewhat tempered. One big worry: source. 'The real question is, do you trust the people who built your system? The answer had better be yes,' said Gary McGraw, CTO of Cigital. Kaspersky's products are among the top ranked worldwide, are used by an estimated 300 million people and are embraced by U.S. companies like Microsoft, Cisco and Juniper Networks. But while he considers himself at some level a citizen of the world, he has close ties to Russian intelligence and Vladimir Putin. Part of his education and training was sponsored by the KGB, he is a past Soviet intelligence officer (some suspect he has not completely retired from that role) and he is said to have a 'deep and ongoing relationship with Russia's Federal Security Service, or FSB,' the successor to the KGB and the agency that operates the Russian government's electronic surveillance network."

35 of 196 comments

  1. Just because you're paranoid.... by KrazyDave · · Score: 3, Insightful

    ... doesn't mean that Kaspersky isn't still tied to Russian military interests. Proceed with caution.

    --
    www.chihuahuarescue.com- Help to end dog abuse, abandonment and cruelty
    1. Re:Just because you're paranoid.... by farble1670 · · Score: 5, Insightful

      pre-cold war:

      USSR-based companies: in bed w/ the USSR government
      US-based companies: in bed w/ whoever pays them

      post-cold war:

      Russian-based companies: in bed w/ whoever pays them
      US-based companies: in bed w/ whoever pays them

    2. Re:Just because you're paranoid.... by cpghost · · Score: 2

      Doesn't this equally apply to all software vendors, irrespective of their nationality? And while we're at it: doesn't it ALSO apply equally well to hardware vendors? Do you really trust ASICs made in China, from blueprints drawn up in the UK from a company that may have a Pakistani mole in its dev team, who has been bought by the Russian FSB or the Brazilian equivalent of the CIA?

      --
      cpghost at Cordula's Web.
    3. Re:Just because you're paranoid.... by BasilBrush · · Score: 2

      That limits you to software you wrote yourself, or rather small programs written by others. Chances of having the skills and time to meaningfully analyse an OS and browser for example are almost nil.

  2. Re:I have an "exploit-proof" OS by Anonymous Coward · · Score: 3, Insightful

    Your 4-function desktop calculator has no operating system, by any accepted definition of the term operating system.

  3. Start with a simpler, better defined problem by Beryllium+Sphere(tm) · · Score: 2

    A rigorous definition of "exploit" could be a challenge, and proving an operating system to be safe against them would be a major theoretical challenge.

    So start with something easier to assess: prove whether the operating system will halt.

    If you can't solve the easier problem, don't pretend to have solved the harder problem.

    1. Re:Start with a simpler, better defined problem by Anonymous Coward · · Score: 3, Informative

      I see what you did there! However, I think you misunderstand the halting problem: given a certain program, of course there may be a way to determine if it halts. However, the halting problem says that there is no algorithm that does this for all possible programs.

  4. Interesting move... but the timing could be better by Aryeh+Goretsky · · Score: 3, Interesting

    Hello,

    This is a very interesting move by Eugene Kaspersky. Speaking as both someone who has worked at an embedded systems manufacturer (VoIP telephony gear) and also as a competitor (antimalware) I know that each one has very specialized toolchain requirements and that expertise in one area does not necessarily translate to mastery of the other.

    Probably more curious is the timing of the announcement: It seems an odd time for a Russian antimalware company whose founder has close ties to that country's intelligence agencies to announce a new operating system for critical infrastructure tasks, especially since the US House Intelligence Committee is tearing into Chinese telecom gear vendors Huawei Technologies and ZTE over concerns about the security of their products.

    That said, while my interaction with Eugene Kaspersky over the past decade has been minimal, he has assembled a world-class group of researchers, and I would have no concerns about running any code written by them on any computer I own were I not a competitor.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.
  5. Re:I have an "exploit-proof" OS by timeOday · · Score: 4, Interesting

    Yeah, I think there's a sort of analogue to Godel's incompleteness theorems here, in that any computer powerful enough to be interesting is powerful enough to do things that some stakeholder didn't want and will consider an "exploit." Of course "exploit" is fundamentally a subjective label, so of course it can't be "solved," outside some more formal definition of "exploit" that will inevitably fall short of people's wishes.

  6. openBSD has a bsd licence by nzac · · Score: 4, Insightful

    I know it's not exploit proof but becoming a platinum sponsor and insisting they spend the money on code review. Then make custom modifications to remove all functionality and you should get close.

    If the people buying and operating these systems really cared about security I am sure they could piece together a far more secure solution at the expense of cost and convenience from current software.

  7. For what value of trust? by gujo-odori · · Score: 5, Interesting

    There are a lot of levels of trust. For a machine that doesn't handle anything secret or financial data (including personal), Windows is generally good enough, for all its long history of exploits. Even then, many, many people and organizations use it for things that are secret or financial data anyway. Sometimes they get burned that way. A Mac is (maybe) a little better. Linux is better still.

    Then there's a level of trust way out at the extreme end. If the secrets are serious enough, you can't trust the system unless you built it yourself from source and audited every single line of said source. Since hardly anyone can do that, having it audited and built by people you trust (in the case of the government, the NSA, for example) has to do. If it's even more sensitive, the network, or maybe even the machine, should also be air-gapped.

    If you have a sensitive use case such as, oh, I don't know, running centrifuges to enrich uranium, should you trust a binary OS that wasn't built by your people to be either secure against exploits or to not be already trojaned? Of course not. Just ask the Iranians. Or the Russians themselves, who had a little refinery trouble during the cold war because of that.

    In such a case, you either want your people writing the code, or at least very carefully auditing every single line of the source, then building the binaries from that code. If you don't or can't, especially in the case of embedded systems, you cannot have any confidence that software is even secure against exploits, let alone that it won't turn on you.

  8. Two things by Gonoff · · Score: 4, Insightful

    1 - The cold war is over. Capitalism won (not democracy).
    2 - If I had a choice between something checked by the Russians, the US and the Chinese, the only one I would flat out reject would be the Chinese one. I see US spooks as no more concerned with my happiness and wellbeing than Russian ones.

    --
    I'll see your Constitution and raise you a Queen.
    1. Re:Two things by circletimessquare · · Score: 4, Insightful

      the american spooks will fuck you up for doing something against their geopolitical agenda

      so will the russians. but in addition, the russian spooks will fuck you up for doing something against the russian political status quo (and of course, the chinese too)

      america has going for it a genuinely much better tolerance for political dissent. you can say things about obama you can't say about putin or hu jintao. and that matters, it really matters

      but if you want to belittle that difference, you probably live in the west and have a well established antiestablishment attitude

      ok, now try that same antiestablishment attitude against moscow... in moscow. or against beijing... in beijing. exactly: your attitude just tells us you don't appreciate what you have

      in short, there is no nation you can fully trust. only differences in degrees. and the usa currently leads the list of trustworthiness of the superpowers. not that the usa doesn't have a lot of room for improvement. and not that it can't backslide. but currently it's the shiniest piece of crap on top of the shit pile

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  9. Very simple... by ArcadeNut · · Score: 4, Insightful

    If it's man made and accessible, it's exploitable.

    Thinking otherwise is foolish.

    --
    Visit the Arcade Restoration Workshop @ http://www.arcaderestoration.com
  10. Re:I have an "exploit-proof" OS by RabidReindeer · · Score: 2

    Yeah, I think there's a sort of analogue to Godel's incompleteness theorems here, in that any computer powerful enough to be interesting is powerful enough to do things that some stakeholder didn't want and will consider an "exploit." Of course "exploit" is fundamentally a subjective label, so of course it can't be "solved," outside some more formal definition of "exploit" that will inevitably fall short of people's wishes.

    Translation: That's not a bug, it's a feature!

  11. Re:Sure by RabidReindeer · · Score: 2

    This will fly right until the first exploit, after which all belief will be broken. I'm in an optimistic mood: I'll give it a year.

    IBM has a mainframe program named IEFBR14. Officially, it does absolutely nothing. It's a dummy program used for things like anchoring JCL file allocations.

    There have been at least 5 releases of it, although one was an upgrade to 64-bit integers. The others all count as bugfixes. Because when it comes to computers, even doing nothing does something.

  12. Not possible by Waffle+Iron · · Score: 3, Insightful

    Although improvements can certainly be made, it's simply not possible to make a useful computer totally exploit proof.

    This is because ultimately, the PEBKAC.

  13. Sorry... what!?!?!?! by bernywork · · Score: 4, Interesting

    Something in me thinks that we've been down this path before....

    It all comes down to who's watching the watchers....

    Linux + SELinux, (SELinux, which was originally built by the NSA for those who don't know enough history to realise) is an operating system with an immutable watchdog. What more do you want?

    If you have the source code and the policies, both of which can be externally audited, how can you (As an external person) screw this up?

    I remember back in the old old Solaris days dealing with buffer overflows in the driver stack to get remote root, but those days are gone, you would never get that permission to access that executable, let alone open a socket.

    If you've got SELinux + policies it's here and it's here now.

    Just in case you think this is a pro-Linux rant...

    Microsoft have spent a truck load of money on "trustworthy computing" to find new exploits, to the extent that they have honeypots to find new stuff for back testing.

    They don't have a watchdog yet, they've started with Windows Defender, but that's nowhere near low level enough yet, and the whole anti-competitive landscape, plus developer buy-in (and unfortunately a lot of devs don't know exactly what they're really doing) makes it difficult to say the least. They are still a couple of OS releases away from making it work.

    --
    Curiosity was framed; ignorance killed the cat. -- Author unknown
  14. Always wondered about Russia... by identity0 · · Score: 3, Insightful

    I often hear of "Russian hackers" and the hacker scene is supposedly pretty big, and I've always wondered to what extent the government there had a hand in that. Anyone here have any experience with the Russian scene?

    And why is the hacker scene so big there?

    1. Re:Always wondered about Russia... by TubeSteak · · Score: 3, Interesting

      Russia and the former soviet states:
      1. A strong educational system (that is churning out computer scientists)
      2. Lack of opportunities in the computer science field
      3. No laws to curtail computer crime or minimal enforcement where laws exist.
      4. Strong tradition of organized crime

      Mix all these things together and you get hotspots of computer crime.
      There are towns where you can find everything starting with the guy who is writing the malware, to the guy translating your website/e-mail into English, and ending with the guys who cash out bank accounts and launder the money.

      --
      [Fuck Beta]
      o0t!
  15. Re:Interesting move... but the timing could be bet by WGFCrafty · · Score: 4, Interesting

    That said, while my interaction with Eugene Kaspersky over the past decade has been minimal, he has assembled a world-class group of researchers, and I would have no concerns about running any code written by them on any computer I own were I not a competitor.

    Regards,

    Aryeh Goretsky

    "I have little experience but trust him". Why? Considering this article specifically questions the integrity of his ability to be partial, you should say why.

    And that is the bigger problem here: Kaspersky, by his own account, wants to change the world as well as save it, and not in ways that appeal to Western thinking and U.S. interests. Noah Shachtman, in a lengthy profile for Wired.com, noted that Kaspersky doesn't like the current level of Internet freedom. He wants it partitioned, with a digital "passports" required for access to certain areas and activities. He advocates government monitoring and regulation of social networking sites.

    Can you as a business trust ANYONE who says stuff like that to protect your critical infrastructure/production lines?

  16. Even more interesting... by afxgrin · · Score: 3, Interesting

    Is how McAfee SiteAdvisor flags your site as exhibiting "Risky Behaviour", warning me before even visiting ...

    1. Re:Even more interesting... by afxgrin · · Score: 2

      This is the warning I get

      In case anyone wanted some evidence. :-)

  17. Pearl Harbor vs. 9/11 by aNonnyMouseCowered · · Score: 4, Insightful

    "Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a 'digital Pearl Harbor' or 'digital 9/11' from hostile nation states like Iran"

    I'm worried by this blurring of distinctions in the historical significance of the two events. Whatever your political persuasion, Pearl Harbor was a de facto declaration of war. It was a strike against a military target carried out by a true nation state. The "9/11" terrorist attack was something else. It was carried out by an independent group that at worst can be described as being in an alliance of convenience with some foreign government.

    By confusing our figures of speech for two clearly different types of cyberattacks, the danger is that the same counterattack methods will be used for both. Treating "9/11" as an act of war, and not simply as a well-coordinated distributed terrorist attack, led to a trillion-dollar War on Terror. In hindsight did it make sense to send out a nation's armies to deal with a few hundred suspected terrorists? Wouldn't it have been better if the intelligence agencies dealt with the issue, resorting to large military strikes only when the intelligence and situation warranted?

    So now will the hometowns/countries of suspected Anonymous members be the target of the same massive disruption of IT services that the US would launch in retaliation for a supposed cyberattack from Iran or China?

  18. Re:I have an "exploit-proof" OS by utkonos · · Score: 2

    Oh, really? I can make it say "boobies" if you turn it upside down!

  19. Re:I have an "exploit-proof" OS by PopeRatzo · · Score: 5, Funny

    Some of us are more accepting in our definitions.

    Right. And I consider my hot and cold water taps in my bathroom to be an operating system.

    --
    You are welcome on my lawn.
  20. If it's open, check it. If closed, don't trust it. by vovick · · Score: 2

    Deducing whether the code is safe or not based on the authors' nationality or background is just ridiculous.

  21. Special kind of stupid by Eyeball97 · · Score: 3, Insightful

    To claim that anything is exploit proof requires a level of arrogance and/or stupidity I hadn't thought possible outside of government.

  22. Re:I have an "exploit-proof" OS by Anonymous Coward · · Score: 2, Funny

    Want to try hacking my abacus?

  23. Re:I have an "exploit-proof" OS by shiftless · · Score: 4, Funny

    No, he was referring to a sect of hackers who wear bright red lipstick while performing DoS attacks against calculators.

  24. Re:Definition of "secure" by timeOday · · Score: 2

    For the highest levels of assurance, per the ISO/IEC 15408, there must be mathematical proofs that the implementation conforms to a mathematical model of security. If done this way, it doesn't matter that "any computer powerful enough to be interesting is powerful enough to do [other things]".

    That's called "trying to define the problem away." The point is that the mathematical model of security will never capture all of the users' security needs because the basic objectives (e.g. "privacy") are not well-defined nor objective.

    Besides, some of the most practically useful security techniques are not mathematically proven. There is no proof that the basis of encryption (integer factorization) is NP-complete. There is no mathematical proof that tamper-resistant chips or devices are effective, yet in practice cable companies use them for a reason.

  25. SELinux wasn't intended to be highly secure by Animats · · Score: 2

    Linux + SELinux, (SELinux, which was originally built by the NSA for those who don't know enough history to realise) is an operating system with an immutable watchdog. What more do you want?

    SELinux wasn't intended to be highly secure. It's an add-on to Linux, after all, not a new OS. The purpose of SELinux was to get a mandatory-security system out and widely used so that applications would be written to run under tight restrictions. Read what NSA originally wrote about it.

    A big problem with secure operating systems is getting applications to run in a secure environment. That means saying "no" a lot. No, your game can't find out what else is running. No, Photoshop can't snoop the LAN for other instances of Photoshop with the same serial number. No, you can't run code in a spreadsheet attached to an email. No, you can't have a browser which has pages from multiple sites in the same memory space. That's what it means to have a secure OS.

    The hope of SELinux was that applications would gradually be rewritten to run under tight restrictions like that. It didn't happen.

    Look how much whining there is whenever Microsoft tightens up Windows. Users will choose ad-supported games that phone home over security.

  26. Re:I have an "exploit-proof" OS by Anonymous Coward · · Score: 2, Funny

    Want to try hacking my abacus?

    Abacus, meet my hatchet.

  27. Re:I have an "exploit-proof" OS by flibbidyfloo · · Score: 2

    Of course "exploit" is fundamentally a subjective label, so of course it can't be "solved," outside some more formal definition of "exploit" that will inevitably fall short of people's wishes.

    Exploits are like weeds. If it's my garden and I don't want it growing there, it's a weed. If it's my computer and I don't want it running there, it's an exploit, or a virus, or malware, etc.

  28. Re:I have an "exploit-proof" OS by loufoque · · Score: 2

    Why are you relating this to a model theory theorem that you don't really understand?