Slashdot Mirror


Israeli Security Company Builds "Unhackable" Version of Windows

New submitter Neavey writes: Sounds too good to be true, but Morphisec, an Israeli startup, claims to have built an unhackable version of Windows. It's not yet publicly available, a red flag if ever I saw one, but internal testing has had a 100% success rate: "In a statement for BI, Dudu Mimran, the co-founder of the company, describes this new OS version as the Windows that 'Microsoft should be doing,' explaining that, while the platform was initially designed for government use, it can be actually installed by any enterprise that wants to make sure that no hack is possible. Basically, this operating system can block any zero-day attack, the founder says, thanks to the operating system randomizing all memory, which means that the hacker cannot target the computer memory and compromise the data stored on the drives." What things memory randomization does not fix, left as an exercise for the reader.

7 of 253 comments

  1. Failure to understand definition of zero-day by allquixotic · Score: 5, Insightful

    This company (or whoever wrote TFS/TFA about them) seems not to understand the concept of a zero-day vulnerability.

    It is ridiculous to say that one is not vulnerable to zero-day attacks. They are, in security parlance, the "unknown unknowns" - the things you don't even conceptually know of as vulnerabilities right now. One cannot design a networked computer system with any functionality whatsoever in which they can somehow know and anticipate the "unknown unknowns" (as opposed to the known unknowns, some of which can be mitigated if you're lucky).

    The unknown unknowns are, by definition, *not yet known*, so you can't design a mitigation against them until *after* you are aware of them. If awareness comes in the form of a zero-day hack, then you will fail to defend against the attack at the time it hits due to your lack of information about the attack vector.

    Also, unless this company has full access to all Windows source code for the build they have, it is very likely that one singular memory-based mitigation will not be effective against every possible attack vector that exists in the Windows codebase. So unless they have performed full formal methods verification of the entire Windows codebase to guarantee that there are no "unknown unknowns", and then fixed every security vulnerability that exists in the product in the original state in which they received it from Microsoft, this is basically snakeoil.

    Also, don't we already have ASLR? The mind boggles at the stupidity of these people. Who do they seriously think is going to buy this?

    Actually, forget I asked. They said their target was governments. I have no doubt they will sell thousands of licenses.

  2. As a former QA lead... by Anonymous Coward · Score: 5, Insightful

    Oh yeah, I've seen builds that were 100% solid on internal testing. Not a thing wrong with it according to automated tests, scripted manual testing, smoke testing, and random usage testing. Not a thing! A million monkeys could bang on keyboards all day long and nothing would break. Much simpler programs than an entire OS, mind you. But still, they were bullet-proof, air-tight, divine works of software engineering.

    Then we pushed them to production. Murphy's law is a moooootherfucker.

    Captcha: enraging

  3. This has been around forever by bangular · Score: 4, Insightful

    Memory randomization has been around a very very very long time. It's not going to help with logical programming errors.

  4. Re:Stupid for two reasons: by rudy_wayne · Score: 4, Insightful

    Why do people still claim these things, and why do techies (not marketing people) consent to attaching their names to such nonsense?

    Stupid because:
    1) No, it is not unhackable. Throw a contest with a bounty to easily prove this.
    2) 99% of "hacks" work through social engineering nowadays, and these work regardless of how secure your software is.

    3) Selling your own modified version of Windows will get you sued by Microsoft very quickly.

  5. Fraudulent? by Futurepower(R) · Score: 4, Insightful

    Slashdot has often featured articles from Israeli companies that seem to me to be fraudulent. For example, The Car That Makes Its Own Fuel. That Slashdot story links to this article: The Car That Makes Its Own Fuel.

  6. Difference to PaX & grsec? by niceworkthere · Score: 3, Insightful

    So, the only actual detail on this Wonder Windows is that it "randomizes all the memory", in other words ASLR.

    Which then poses the question... just how is this any different, let alone superior to Linux's PaX patchset - which offers ASLR since 2000 - or even grsecurity?

  7. Re:Oh boy by Munchr · Score: 3, Insightful

    You shouldn't ever need the secret ones. Software taking advantage of the secret internal APIs is the whole reason why upgrading Windows can and does break software. Heck, it's the reason so many malware programs cause actual bluescreens after an update. I sometimes wish they had never been accessible to 3rd parties.