Israeli Security Company Builds "Unhackable" Version of Windows
New submitter Neavey writes: Sounds too good to be true, but Morphisec, an Israeli startup, claims to have built an unhackable version of Windows. It's not yet publicly available, a red flag if ever I saw one, but internal testing has had a 100% success rate: "In a statement for BI, Dudu Mimran, the co-founder of the company, describes this new OS version as the Windows that 'Microsoft should be doing,' explaining that, while the platform was initially designed for government use, it can be actually installed by any enterprise that wants to make sure that no hack is possible.
Basically, this operating system can block any zero-day attack, the founder says, thanks to the operating system randomizing all memory, which means that the hacker cannot target the computer memory and compromise the data stored on the drives."
What things memory randomization does not fix, left as an exercise for the reader.
I hope everyone at that company is prepared for a long week.
SJW's don't eliminate discrimination. They just expropriate it for themselves.
It is being offered to the mullahs on a flashkey.
You may want to take a look at some of this company's other products, including flying serum and invisibility powder.
Just remove all input and output capabilities, and the power supply. Most secure computer in the world.
According to my own internal testing, of which I've done none.
Per the article, they've raised money and it's under development. Sounds more like they're at the generate some buzz for some more money stage of development.
But I concede that randomizing memory (contents) does make a system pretty secure.
This company (or whoever wrote TFS/TFA about them) seems not to understand the concept of a zero-day vulnerability.
It is ridiculous to say that one is not vulnerable to zero-day attacks. They are, in security parlance, the "unknown unknowns" - the things you don't even conceptually know of as vulnerabilities right now. One cannot design a networked computer system with any functionality whatsoever in which they can somehow know and anticipate the "unknown unknowns" (as opposed to the known unknowns, some of which can be mitigated if you're lucky).
The unknown unknowns are, by definition, *not yet known*, so you can't design a mitigation against them until *after* you are aware of them. If awareness comes in the form of a zero-day hack, then you will fail to defend against the attack at the time it hit due to your lack of information about the attack vector.
Also, unless this company has full access to all Windows source code for the build they have, it is very likely that one singular memory-based mitigation will not be effective against every possible attack vector that exists in the Windows codebase. So unless they have performed full formal methods verification of the entire Windows codebase to guarantee that there are no "unknown unknowns", and then fixed every security vulnerability that exists in the product in the original state in which they received it from Microsoft, this is basically snakeoil.
Also, don't we already have ASLR? The mind boggles at the stupidity of these people. Who do they seriously think is going to buy this?
Actually, forget I asked. They said their target was governments. I have no doubt they will sell thousands of licenses.
has had address space randomization for how many years? Hardly unexploitable still...
Oh yeah, I've seen builds that were 100% solid on internal testing. Not a thing wrong with it according to automated tests, scripted manual testing, smoke testing, and random usage testing. Not a thing! A million monkeys could bang on keyboards all day long and nothing would break. Much simpler programs than an entire OS, mind you. But still, they were bullet-proof, air-tight, divine works of software engineering.
Then we pushed them to production. Murphy's law is a moooootherfucker.
Captcha: enraging
...for approximately 15 minutes to hack the unhackable today and then resumed normal business with smirking faces all around...
I mean, if it's invincible to tech-based hacks, kudos to them... but the other side of that is the wall of gullible idiots that will be manning the "unhackable" systems. Some quick social engineering and their impenetrable fortress will have more holes in it than Swiss cheese.
Memory randomization has been around a very very very long time. It's not going to help with logical programming errors.
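Added example (not part of the original thread or any commenter's code): the point above about logic errors, shown in C. The directory policy, function names and sample paths are assumptions constructed for illustration; the flawed check makes the same wrong decision wherever the loader places code and data.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy for this example: only files under this directory may be served. */
#define PUBLIC_ROOT "/srv/public"

/* Flawed check: a bare prefix comparison. No memory is corrupted, so no
 * address ever has to be guessed and layout randomization is irrelevant. */
int is_allowed_flawed(const char *path)
{
    return strncmp(path, PUBLIC_ROOT, strlen(PUBLIC_ROOT)) == 0;
}

/* Corrected check: the prefix must end on a path-component boundary and
 * no later component may be "..". */
int is_allowed_fixed(const char *path)
{
    size_t n = strlen(PUBLIC_ROOT);
    if (strncmp(path, PUBLIC_ROOT, n) != 0)
        return 0;
    if (path[n] != '/' && path[n] != '\0')
        return 0;
    for (const char *p = path + n; *p; ) {
        while (*p == '/') p++;              /* skip separators */
        size_t len = strcspn(p, "/");       /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += len;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample paths. */
    const char *samples[] = {
        "/srv/public/index.html",
        "/srv/public_backup/keys.txt",
        "/srv/public/../private/keys.txt",
    };
    int local;
    /* With ASLR on, this address changes between runs; the decisions below do not. */
    printf("stack address this run: %p\n", (void *)&local);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s flawed=%d fixed=%d\n", samples[i],
               is_allowed_flawed(samples[i]), is_allowed_fixed(samples[i]));
    return 0;
}
```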
1) Disable all network access. 2) Disable all external storage access (USB, DVD, etc). 3) Most importantly, disable all user logins.
Why do people still claim these things, and why do techies (not marketing people) consent to attaching their names to such nonsense?
Stupid because:
1) No, it is not unhackable. Throw a contest with a bounty to easily prove this.
2) 99% of "hacks" work through social engineering nowadays, and these work regardless of how secure your software is.
3) Selling your own modified version of Windows will get you sued by Microsoft very quickly.
Slashdot has often featured articles from Israeli companies that seem to me to be fraudulent. For example, The Car That Makes Its Own Fuel. That Slashdot story links to this article: The Car That Makes Its Own Fuel.
Easy. You don't need to worry about upstream updates 'cause the system is unhackable.
Duh. Idiot.
Are they just talking about Address Space Layout Randomization? Let's see - Wikipedia says [https://en.wikipedia.org/wiki/Address_space_layout_randomization] for Windows - to turn it on edit a registry key. Is that what this company did, "create" a version of windows with a registry key set?
... but what are the chances of that?
Security relies on certain assumptions.
If I have a military base, I assume that whomever comes to attack my base has fewer guys with guns than I do... and I generally it will be a cold day in hell before they'll get very far into the base.
And you assume other things... you assume that your security people can tell the difference between someone with security clearance and a birthday clown.
We assume that the people with clearance obtained it legitimately.
We assume that the people that were given security didn't subsequently decide to sell us out for hookers and blow.
Assumptions.
And there are good assumptions... assumptions that really will hold under most circumstances and bad assumptions.
And good security is basically a process of separating out good assumptions from dumb ones. Then recognizing that your dumb assumptions were a convenient fig leaf you put over serious vulnerabilities that you actually don't have a good solution for...
And then you need to actually come up with a GOOD assumption that covers for what were previously laughable assumptions.
If your security is based on interlocking layers of good assumptions... are you unhackable? I don't know... it's a question of perfection and perfection is hard in this universe. BUT... really fucking good security? Near perfect? Sure. I mean... you can do "excellent"... excellent is possible.
But that's not to say that even good security should be discounted as crap. Good is often the best security possible because excellent requires time and money and competent management and users that don't have their heads wedged up their asses.
Now will good security keep ze germans out or whatever? Typically yeah. Even good security is a bitch to get through even for a state sponsored hacking team.
What keeps embarrassing people is SHIT security or NO security.
That is what keeps failing. Not "good security"... not "excellent security"... not "perfect security"...
F'ing none at all keeps failing.
So... let's not geek out on the "perfect" or "unhackable" claim. And instead let's focus on whether or not the change to the OS makes Windows have "good security". If it accomplishes so much as that then we're doing well. If they pushed it up a notch and it's EXCELLENT... Then we're doing very very well indeed.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
The headline is crap, of course.
That said, it's not too hard to have a version such that you know it's unaltered when you boot each morning. You do basically a live CD, booting from a read-only lun.
Just as you separate a normal user USING the machine from an administrator account UPDATING the OS, you can have the OS basically read-only during use and set it to writeable only when you need to update the software. That change is done outside of the OS, either via the NAS or the hypervisor.
In that way, you can come in each morning knowing your Windows system hasn't been hacked (past tense). As soon as you open IE, though, you could get a new exploit. That exploit disappears when you shut the machine down, though.
Everything was going very well, until Shlomo installed Flash player.
I think if Windows ran everything in something like a sandbox, where programs couldn't communicate with programs outside itself, and saw its own version of a disk system which only had itself on it, things wouldn't be bad for starters. A virus then couldn't then spread to other files on your filesystems because each program couldn't access programs outside itself.
It doesn't help much for legacy software, but a special memory section could be used for shared memory, and a special disk location could be used for shared files.
A system prompt would be needed before installing driver files or changing things on startup.
This doesn't stop a keylogger from getting you though. There are ways of stopping keyloggers, but no need to get to complex stuff when people will want to shoot holes through my theory "Windows as a filesystem sandbox mode". I think about this a lot since it doesn't seem like several OSes are designed to operate in the Internet environment without getting hosed by running the wrong file. If Windows could be secure from running an occasional malware .exe, I would try out a lot more software.
God spoke to me
Which then poses the question... just how is this any different, let alone superior to Linux's PaX patchset - which offers ASLR since 2000 - or even grsecurity?
My Commodore 64.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
100% Secure = 100% Unusable
Security is a balancing act between usability, functionality, and safety.
You'll never get 100% in any of those without having less than that in the other two categories.
Sure, they may get closer to 100%, but at what cost? Is the machine running slower? Does it eat up huge amounts of HD? Does it take 5 minutes to verify an authorized user's biometrics before allowing them to do anything and if they leave its immediate 'secure' area it totally resets?
Not that those are what this one is or isn't doing, I was just illustrating the point that you can't have perfect security, and have a usable machine because there are always trade-offs. Especially since it's under the rule of diminishing returns. Although one great way to easily improve security is to remove humans from the loop. Of course, then you are just talking about some kind of backend or infrastructure type thing since its only 'users' would be other machines, and even that can be compromised by compromising the machines that are allowed to be users.
That's why I say that a machine that is totally secure, is also totally unusable. It's the only way to prevent the machine being compromised, but that's not really any good to anyone either.
You are correct, nobody ever hacked the Titanic.
BIOS is dead. With EFI, most of the boot code is in the efi partition, on the "disk" which is read-only courtesy of your san, hypervisor, or the fact that it's a cd-rom.
There is a limited firmware on the motherboard which loads the initial efi file. That could, in theory, be compromised, except that if you virtualize, you could also set that read-only in the hypervisor. So your virtual machine is pretty darn safe. The host machine needs to be secured, but it doesn't need an operating system, just a hypervisor. That's quite a bit safer than running a full desktop OS.
The headline is crap, of course.
That said, it's not too hard to have a version such that you know it's unaltered when you boot each morning. You do basically a live CD, booting from a read-only lun.
Just as you separate a normal user USING the machine from an administrator account UPDATING the OS, you can have the OS basically read-only during use and set it to writeable only when you need to update the software. That change is done outside of the OS, either via the NAS or the hypervisor.
In that way, you can come in each morning knowing your Windows system hasn't been hacked (past tense). As soon as you open IE, though, you could get a new exploit. That exploit disappears when you shut the machine down, though.
Or you can put Deep Freeze on it and have the same thing every time you reboot, morning, noon, or night. MEOW!
So, I hope they aren't trying to patent too much of this idea. It's been prior art for 10 years. Here is a link to an archived version of my post: http://www.derkeiler.com/Newsg.... It is all I could find from my phone.
I don't mind them using the idea. I posted it publicly hoping someone would. But they can't claim to own the idea or prevent others from using it.