The Nexus S isn't really new, although for any modders, it is the only game in town for making ROMs that don't require kexec() tricks to get around signed kernels and other crap.
What I'm looking forward to is Google's next reference model with the hardware to support the 3.x Android versions. Hopefully this model will have an SDXC card slot, a decent amount of RAM, and multiple cores. Maybe even a model with a sliding keyboard, which makes life a lot easier when doing some serious UNIX commands.
The problem with desoldering chips is that the defense can state that the drive was so completely mangled by the prosecution that there is no proof the data has not been fabricated.
This is why in conventional forensics, there is a rule about using a hardware write blocker and making an image before going anywhere else. Otherwise, a good defense attorney could get the case thrown out of court.
How can this be solved? Who knows. There is always a tug-of-war underway between one group that wants unfettered access to data for law enforcement reasons, and another group just as powerful that wants to be sure that destroyed data stays that way so secrets do not end up leaked.
Who will win is anyone's guess. Most likely SSDs will be sold as two different models... "consumer" models which are cheap and pretend to delete data, versus "enterprise" models which ensure that bits are scrubbed pronto.
If I had my way, Open.org would be a repository indexing, signing, and a mirror service. It would piggyback on akamai for mirrors geographically close to people.
What advantage would this have? A decent system of blahblah.open.org for repos pertaining to major distributions, and blahblah.open.org/whatever for minor projects. All packages on this site would not just be validated upon upload, but sites and mirrors would be randomly checked just to catch tampering.
It also would offer a mechanism for installing and updating apps that works regardless of OS. The client would grab a list of versions via an SSL-based query, the server would reply with what needs upgrading/updating, and the client would fetch, check the signature, and upgrade those packages.
If done right in a secure manner, almost any OS can take advantage of the system.
How will this make revenue? A platform generic app store. Want open.org to handle purchasing distribution, and updating of commercial apps? We take a commission (percentage will depend), and in return, the commercial application developer doesn't have to worry about distribution, updates, charging customers. The app developer just needs to make sure their code is signed and has a contract on file stipulating that they have standards for security for their code signing server (HSM, offline box, etc.)
There is also another argument as well, which applies not just to OS X, but to Linux, AIX, Solaris, and other platforms:
Windows has always been a commercial, closed source platform. Developers write on it because it brings them cash. In general, there is no respect for the platform itself, so people don't think twice about writing malicious code. There is no respect in general by developers for it. This puts Microsoft in a bind because they have to drag lazy coders kicking and screaming to allow for basic security features (not running with Administrator rights.) Another example of this was Vista's more secure driver model. A lot of hardware makers released alpha/beta quality drivers, stuff broke and users bitched, and the companies told the end users to blame it on Microsoft, when in reality, it was the laziness/incompetence of the hardware/software makers.
However, other platforms don't have this issue. Devs tend to have some respect for $OTHER_OS. Even when $OTHER_OS gets a fundamental change which requires a lot of man hours for applications to work with the latest version, devs grumble, but they do it, and they put out at least a usable product, and a good product in their 0.0.1 or 0.0.2 release. On $OTHER_OS, devs know that malware will reduce their whole ecosystem base (when users move away from that platform), so are not going to write malicious code.
The fact that programmers tend not to shit where they sleep on non-Windows platforms adds significantly to why Windows gets singled out by attackers as opposed to other platforms like Solaris.
The thing about the market share argument is that even if Macs had as many pieces of malware as Windows, but scaled down to their percentage of market share, there would be screaming left and right about how insecure OS X is.
Even when scaling things down, OS X is not getting hit nearly as hard as Windows.
On an anecdotal level -- ever seen an infected Mac? The last time I did was about two years ago when someone decided that the copy of iWork '09 available on a P2P distribution was a good idea, and downloaded a Trojan horse.
You hit the nail on the head. It isn't hard to get so much information out there, fake or not, that people just don't care. If people get so many factoids that they can't tell if it is another The Onion headline or actual news, they will stop caring.
The only way this will be gotten around is to have anon news sources which vet any information they get, either by corroborating it with other stories, or by other means, then signing that the information is actually real.
Similar here. "When confidential information (including credit card info, banking info on customers, account payable, account receivable) gets disseminated by a PFY at the cloud provider who did a quick copy to sell the info to someone offshore, I can point at the cloud and say that they assured me of complete security, where I didn't even need to encrypt PII data. I'd just pay their fees, and they would do all the legwork and locking for me."
Blah. Only way I'd bother to store confidential data offsite is by copying my TrueCrypt volumes (which are protected by a good passphrase, as well as keyfiles.)
The problem is that most established firms bigger than an SMB require a degree for any significant rank in the company. For example, yes, a computer company may allow people with no degree to man the phones, or perhaps even make it to team lead or MOD status. Development is similar; they may make it to a supervisor role. However, good luck crossing out of those fields into engineering or other places where the real money is made without at least a B.S.
However, if one wants to get past that, the HR people and the PHBs want to see degrees. Certificates [1] are pretty papers justifying why you are even employed there, but to be taken seriously, you need a degree from an accredited college [2].
Finally, don't forget that a job today doesn't mean not being on the street tomorrow. In this market, to PHBs, "computer people" are a fungible resource, fired when felt like, because there are always replacements. No local talent? The H-1B pool is inexhaustible and cheap, especially if you have a "secret requirement". So, any edge above the competition is important. This is why I'm seriously considering a master's in CS or IT.
[1]: There are some exceptions. The CISSP certification and having a TS/SCI clearance are the ones considered good by the PHBs.
[2]: Thankfully only law school has the tier system officially, although if you and the PHBs above you share the same alma mater, it can mean a fast track inside a firm.
Dell and HP have decent business lines, provided you get the premium level of support with the machine.
Apple doesn't piece things out, other than AppleCare. You buy a Mac, you get a known good quantity, and you get a good support level. It is a heck of a lot easier to bring a machine into a Genius Bar if something is broken as opposed to sitting on hold for 3 hours only to get yelled at (and hung up on) for being "non-cooperative" because you are not booting Windows on a box that doesn't even POST.
For people who are versed in computer hardware, it may not make a difference. However, for people who use their computers for a living, having CS that is actually usable can be well worth the difference in price between a Mac and a big box store PC.
Three words: Defense in depth.
A company can't depend on one single thing for their security. These days, it does take network security, host security, having policies in place that people follow, and periodic (scheduled and unscheduled) audits/pen tests. Without all these, it is only a matter of time before a blackhat easily gets their way in.
This doesn't mean paranoia, but it also means that one can't hide their head behind a fence and expect a blackhat not to target the derriere that is exposed.
There are always ways around anything. If there is really want for it, even MMOs can have emulator servers built with the same or similar mechanics as the original game.
Granted, this is something more on the edges as opposed to mainstream use, but if single player games start having their content dribbled to users level by level, someone will cache it, and then make a server emulator so people can play without having to have 24/7 access to the "mother ship".
I must not be up to current events, but from what I see, Ubuntu is still a very strong distribution being arguably the front-runner when it comes to the desktop Linux offerings.
Every distro has their growing pains. RedHat went through theirs, Slackware had its trials, and so on.
Regardless of the drama that might surround Ubuntu, it still will be one of the top distributions out there. Of course, there may be forks, but Ubuntu has a solid development effort behind it and is standing up to the test of time.
I don't see any "bad linux" distros in the mainstream. In my book, only way a distro can be "bad" is if they stomp on GPL requirements and refuse to have source code available as per the license. Or if they are outrageously sloppy in how they build binaries, so the executables might not be what the source code compiles to.
You were assuming Windows... the SPARC workstation I was using back then definitely didn't have a Windows key.
Yes, I had a macro with CDE that would lock the screen, but I wouldn't trust my job to making sure I nailed it for a quick coffee break. Especially with people who would be zooming for an unattended machine with a root prompt on it.
What is ironic is that IBM Zurich was predicting this exact type of attack.
This is why they made the ZTIC prototype, and is why UBS is using it under their name of the UBS Access Key.
Why is the ZTIC so unique that IBM made it? Couple reasons:
1: Simplicity. Plug it in a USB port, it makes a secure connection through the computer to the bank, and no matter how trashed the host computer is, the worst it can do is stop the connection. It confirms access and transactions on the device, so even if the web browser is saying that a transaction was successful, the ZTIC will show if it got modified and turned into a large bank withdrawal heading to Elbonia in reality.
2: Low attack surface. Almost anything can be hacked, but it only does one task. If the device is constructed right, reflashing the device without taking it apart and finding the JTAG parts on a chip would be almost impossible.
3: Even Joe Sixpack might wake up and not let a transaction through if the $100 that was going to his bookie for a Superbowl game showed up as a $10,000 transfer to an offshore bank. So, it does contribute to slowing down even PEBKAC issues.
When I worked about a decade ago at a place where people with dubious intentions could access the work area, I ended up making a switch embedded in a seat cushion that was connected to the serial port of my workstation. When I got up, the program sitting and monitoring that port would automatically xlock the machine.
It was an ugly hack, but I never had unattended terminal issues unlike some cow-orkers.
Agreed. There are "features" which constitute little more than security theater, like the annoying firewalls of times past.
However, there are true security features that operating systems must have.
UAC can be debated. In reality, UAC is a good thing, although how MS got a patent on a "graphical sudo" is beyond me.
There are features that are needed, and not theater though. A couple:
1: Filesystem encryption, either file by file like AIX's EFS, Windows' EFS, or EncFS/FUSE, raw image level like TrueCrypt, LUKS, or encrypted disk images on OS X [1], or even hardware level encryption like on IronKeys, IBM disk arrays like the DS5100s and up, or encrypted drive controllers. This is the court of last resort if a blackhat gets physical access to a machine and decides to pull media, be it tapes from a silo, or drives out of a RAID enclosure.
2: ASLR, DEP, and other memory protection. By making sure that data is not executable with an NX bit, this protects the OS against a lot of buffer overflow attacks. Combine this with a malicious program not knowing where the stack is thanks to ASLR, and this slams the door on a whole type of attack.
3: Limited application context. This is called different things on different operating systems, but essentially it means an application does not have the full privs of the user it is running under. This can be done via policies (SELinux, AppArmor), jail(), or Microsoft's low priv functionality (which IE7 and IE8 run under). It can even be done by a third party program like SandboxIE [2]. This is a definite security feature because it limits the damage malware can do if it gets the ability to execute in the context of a browser add-on or a browser (which is one of the most common infection vectors these days.)
4: Ability to deny access after "x" amount of bad password guesses. This is important to prevent brute forcing of either local access (via a hardware device that guesses passwords) or remote access.
5: Ability to check for unauthorized modifications to the operating system. AIDE/Samhain/TripWire are good tools for that, but I'm sure there are always ways to get around those. The only real way to detect modifications even with rootkits present is to boot the OS from other media, check the hashes of the programs on the system against a known good list, and discard false positives.
6: The ability to have audit logs sent to another machine. Having this ability may mean the difference between an investigation of a breach being unable to commence versus being able to backtrack to the next link in the chain.
So, I agree -- there are security theater "features", but general use operating systems have to have true security features to deal with today's attack vectors as well.
[1]: IronKeys in my experience are the only game in town when it comes to on-board hardware encryption for USB flash drives. They are expensive, but worth it, assuming the machine it's used on is not compromised.
[2]: SandboxIE may not be perfect, but it definitely goes a long way for helping priv isolation. It also is easier to use than keeping your web browser in a separate VM.
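An added example, not the poster's own tooling and not AIDE, Samhain or Tripwire, of the offline check described in point 5: hash every file in a known-good tree, hash the tree under inspection, and report modified, added and missing files, with an ignore list for paths that legitimately change (the "discard false positives" step). Function names and the two-tree invocation are assumptions; both trees are meant to be mounted from other media, not the running system.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a slash-separated relative path to its known-good SHA-256.
// It is built while the tree is trusted and kept off the box it describes.
type Baseline map[string]string

// Report is what differs between the baseline and the tree under inspection.
type Report struct {
	Modified []string // in both, digest differs
	Added    []string // present now, absent from baseline
	Missing  []string // in baseline, gone now
}

func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// BuildBaseline hashes every regular file below root. Point it at a mounted,
// not booted, system so nothing running on that system can lie about its files.
func BuildBaseline(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // propagate walk errors; skip dirs, symlinks, devices
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sum, err := hashFile(path)
		if err != nil {
			return err
		}
		b[filepath.ToSlash(rel)] = sum
		return nil
	})
	return b, err
}

// Compare diffs two baselines. Paths in ignore (logs, caches, anything that
// changes legitimately) are skipped on both sides; that is where known false
// positives are discarded instead of being waved through by hand each run.
func Compare(known, current Baseline, ignore map[string]bool) Report {
	var r Report
	for path, sum := range known {
		if ignore[path] {
			continue
		}
		if cur, ok := current[path]; !ok {
			r.Missing = append(r.Missing, path)
		} else if cur != sum {
			r.Modified = append(r.Modified, path)
		}
	}
	for path := range current {
		if _, ok := known[path]; !ok && !ignore[path] {
			r.Added = append(r.Added, path)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Added)
	sort.Strings(r.Missing)
	return r
}

func main() {
	if len(os.Args) != 3 {
		fmt.Println("usage: integrity <known-good-tree> <tree-to-check>")
		os.Exit(2)
	}
	known, err1 := BuildBaseline(os.Args[1])
	cur, err2 := BuildBaseline(os.Args[2])
	if err1 != nil || err2 != nil {
		fmt.Println("error:", err1, err2)
		os.Exit(1)
	}
	fmt.Printf("%+v\n", Compare(known, cur, nil))
}
```

In practice the known-good Baseline would be serialised and stored off-box after the trusted build, then loaded for each later check rather than rebuilt from a second tree.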
The good news is Windows 8 (from a previous /. article) is getting an "App Store". What it will be like when it gets released, who knows. However, it is a step in the right direction.
This makes me wonder about having NICs with an embedded firewall OS. Of course, this can be a target for remote flashing of malware, but this can be minimized with both signatures, and having a DIP switch that has to be physically pressed before a write to the OS can be done.
With the NIC handling the IDS/IPS capability, as well as being able to handle enterprise network configurations, the OS can be isolated and happily think it is receiving a DHCP address while in reality, an enterprise server has it on a static IP. This way, someone compromising the OS can't get another IP, or change the subnet mask.
The NIC with this capability can be also used on the enterprise for security, regardless of the OS running on the machine. The enterprise admin or an IPS can tell the box not to connect to the corporate net for "x" amount of time, or if it does connect, route all traffic to a remediation server. Perhaps (with enough flash space) it can even store an image of the OS, so re-imaging the box can happen quickly without any network traffic.
I beg to differ, especially with Windows 7. Windows has its issues, but its security features are on par with everyone else.
The problem oftentimes is with the third party developers which don't allow the OS to enforce DEP, much less ASLR. Heck, Microsoft was accused of acting like a tyrant because they decided to force programs to have a separate user/admin priv model, just like every other mainstream OS out there.
Of course, Windows has problems, but saying it is fundamentally insecure isn't accurate.
I don't see any multinational company doing this because of what you said (no ability to manage/audit workstations), plus the EULA would be violated as MSE is for personal/home use and defines it.
This is what Forefront is for. Forefront is essentially MSE, but it has enterprise-level features, and MS advertised a few years ago that it can deter zombie invasions. Just the fact that the undead won't be attacking the workplace alone makes Microsoft's offering worth getting at an enterprise level.
How about not just "app stores", but a repository system?
The OS can include the app store, a place for OS updates, and a well secured repo for F/OSS software. The updating programs can grab a list of packages, see what needs updating, then grab those via curl or wget. Further repos can be added by the user, assuming they click through a dialog that one can't just walk into Mordor, other repositories may not be trustworthy, do at own risk, etc.
Oh, and of course, all install packages (RPM, MSI, installp, .deb, etc.) are cryptographically signed, and the signatures are checked before the package is installed. This way, a break-in to the repo server doesn't mean the files stored can be tampered with.
Repositories have served the F/OSS community well for over a decade, and have proven to be historically clean (with an exception here and there, of course that gets fixed posthaste.) I just wish Apple and Microsoft would build this in, and not just "App Store or install manually" functionality.
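As an added example (not code from the poster, nor from any real repository system), here is the client side of the signed-repo scheme sketched in this post and in the earlier open.org one: the version list is verified against a pinned repo key before it is even parsed, the client works out which installed packages differ from it, and every downloaded package is hashed against the signed list before install, so a broken-into mirror can alter neither the list nor the files. Manifest format, field names and the demo seed are assumptions, and Go's standard library ed25519 stands in for whatever signing scheme a real repo would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// PackageEntry is one row of the hypothetical version list: the current version
// and the SHA-256 of the package file, so the bytes may come from any mirror.
type PackageEntry struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// Manifest is the whole version list, keyed by package name.
type Manifest struct {
	Packages map[string]PackageEntry `json:"packages"`
}

// SignedManifest is the JSON body plus the repo's ed25519 signature over it.
type SignedManifest struct {
	Body, Sig []byte
}
var (
	ErrBadSignature   = errors.New("manifest signature does not verify against pinned repo key")
	ErrDigestMismatch = errors.New("package digest does not match signed manifest")
)

// DemoRepoKeys derives a fixed demo key pair from a constructed seed; a real
// repo keeps the private half on the offline signing box or HSM, clients pin the public half.
func DemoRepoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte("constructed-demo-seed-32-bytes!!"))
	return priv.Public().(ed25519.PublicKey), priv
}

// SignManifest is the signing-box side: serialise the version list and sign it.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// VerifyManifest is the client side: nothing is parsed until the signature checks
// out against the pinned key, so a compromised mirror cannot hand out a different list.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest) (*Manifest, error) {
	if !ed25519.Verify(pub, sm.Body, sm.Sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// Digest is the hex SHA-256 the manifest carries for a package blob.
func Digest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

// PlanUpgrades lists installed packages whose version differs from the signed
// manifest; the manifest, not any mirror, decides what gets installed.
func PlanUpgrades(installed map[string]string, m *Manifest) []string {
	var out []string
	for name, have := range installed {
		if e, ok := m.Packages[name]; ok && e.Version != have {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// VerifyPackage is the last gate before install: the downloaded blob must hash
// to the digest in the signed manifest, whichever mirror served it.
func VerifyPackage(m *Manifest, name string, blob []byte) error {
	e, ok := m.Packages[name]
	if !ok {
		return fmt.Errorf("package %q not in signed manifest", name)
	}
	if Digest(blob) != e.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv := DemoRepoKeys()
	blob := []byte("constructed package contents for foo 1.2.0")
	sm, _ := SignManifest(priv, Manifest{Packages: map[string]PackageEntry{"foo": {"1.2.0", Digest(blob)}}})
	if m, err := VerifyManifest(pub, sm); err == nil {
		fmt.Println(PlanUpgrades(map[string]string{"foo": "1.1.9"}, m), VerifyPackage(m, "foo", blob))
	}
}
```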
What antivirus/antimalware is good at is stopping the stuff after the first wave, and the companies get updates out. However, the blackhats know this, so they know their moneymaking is during the 0 day wave, before Patch Tuesday and the Malicious Software Removal Tool is run.
True resistance to malware requires a defense in depth philosophy, and until recently, this was not implemented in a significant fashion. For example, the usual setup of Windows XP would by default give Admin rights to any process started by a user. This can be fixed, but most users wouldn't create limited users, nor run the Web browser with the Run As... command.
In reality, there needs to be a number of levels before malware gets to execute with a root/admin context. The first starts with browser add-ons, the browser, the OS's security in a jail or other restricted context. Ideally there should be a HIPS present in the OS that can catch unknown intrusions, but a HIPS does cost CPU cycles and can give false positives.
Ultimately, what one group can secure, another can break. However, OS and program design that is in primary use now can really be made much better. AppArmor, SELinux, and having app profiles built into every program telling the minimum, best, and maximum privs it should have would go a long way into isolating issues.
Even if the traffic is not blocked, a lot of places will not accept mail if dumped through an IP address on a known dynamic range.
So, one needs to split mail two ways:
Incoming mail: cable ISPs tend to block it just because. Telcos tend to allow incoming 25. This plus dynamic DNS solves this part.
Outgoing mail can be routed through the ISP's SMTP server, or if the mail volume is too much for that, there are third party outgoing SMTP services which act as relay hosts.
One company I knew that still had a 3.12 machine had it for the express reason that they believed it was far more secure than any currently made server operating system.
That, plus the fact that the antediluvian versions of Netware would hide any files and directories a user would have access to, rather than showing and giving an "access denied" error.
How they got Netware to work with modern drive capacities, I will never know.
I solve that by stating "UNIX flavor", "UNIX variant", or "UNIX-like OS" when splitting hairs. This essentially covers the gamut of anything like this. If I know it is a true UNIX (TM), I will state "UNIX". However, only a relative few operating systems have the Open Group trademark (OS X, AIX, and Solaris are the main ones.)
The Nexus S isn't really new, although for any modders, it is the only game in town for making ROMs that don't require kexec() tricks to get around signed kernels and other crap.
What I'm looking forward is Google's next reference model with the hardware to support the 3.x Android versions. Hopefully this model will have a SDXC card slot, a decent amount of RAM, multiple cores. Maybe even a model with a sliding keyboard, which makes a life a lot easier when doing some serious UNIX commands.
The problem is with desoldering chips, the defense can state that the drive was completely mangled by the prosecution that there is no proof that the data has not been fabricated.
This is why in conventional forensics, there is a rule about using a hardware write blocker and make an image before going anywhere else. Otherwise, a good defense attorney could get the case thrown out of court.
How this can be solved? Who knows. There is always a tug-of-war underway between one group that wants unfettered access to data for law enforcement reasons, and another group just as powerful that wants to be sure that destroyed data stays that way so secrets do not end up leaked.
Who will win is anyone's guess. Most likely SSDs will be sold as two different models... "consumer" models which are cheap and pretend to delete data, versus "enterprise" models which ensure that bits are scrubbed pronto.
If I had my way, Open.org would be a repository indexing, signing, and a mirror service. It would piggyback on akamai for mirrors geographically close to people.
What advantage would this have? A decent system of blahblah.open.org for repos pertaining to major distributions, and blahblah.open.org/whatever for minor projects. All packages on this site would not just be validated upon upload, but sites and mirrors would be randomly checked just to catch tampering.
It also would offer a mechanism for installing and updating apps that works regardless of OS. The client would grab a list of versions via a SSL based query, the server would reply what needs upgraded/updated, and the client would fetch, check the signature and upgrade those packages.
If done right in a secure manner, almost any OS can take advantage of the system.
How will this make revenue? A platform generic app store. Want open.org to handle purchasing distribution, and updating of commercial apps? We take a commission (percentage will depend), and in return, the commercial application developer doesn't have to worry about distribution, updates, charging customers. The app developer just needs to make sure their code is signed and has a contract on file stipulating that they have standards for security for their code signing server (HSM, offline box, etc.)
There is also another argument at well, which not just applies to OS X, but Linux, AIX, Solaris, and other platforms:
Windows has always been a commercial, closed source platform. Developers write on it because it brings them cash. In general, there is no respect for the platform itself, so people don't think twice about writing malicious code. There is no respect in general by developers for it. This puts Microsoft in a bind because they have to drag lazy coders kicking and screaming to allow for basic security features (not running with Administrator rights.) Another example of this was Vista's more secure driver model. A lot of hardware makers released alpha/beta quality drivers, stuff broke and users bitched, and the companies told the end users to blame it on Microsoft, when in reality, it was the laziness/incompetance of the hardware/software makers.
However, other platforms don't have this issue. Devs tend to have some respect for $OTHER_OS. Even when $OTHER_OS gets a fundamental change which requires a lot of man hours for applications to work with the latest version, devs grumble, but they do it, and they put out at least a usable product, and a good product in their 0.0.1 or 0.0.2 release. On $OTHER_OS, devs know that malware will reduce their whole ecosystem base (when users move away from that platform), so are not going to write malicious code.
Because of the fact that programmers tend not to shit where they sleep on non-Windows platforms adds significantly to why Windows gets singled out for attackers as opposed other platforms like Solaris.
The thing about the market share argument is that even if Macs had as many pieces of malware as Windows, but scaled down to their percentage of market share, there would be screaming left and right about how insecure OS X is.
Even when scaling things down, OS X is not getting hit nearly as hard as Windows.
On an anecdotal level -- ever seen an infected Mac? The last time I did was about two years ago when someone decided that the copy of iWork '09 available on a P2P distribution was a good idea, and downloaded a Trojan horse.
You hit the nail on the head. It isn't hard to get so much information out there, fake or not, that people just don't care. If people get so many factoids that they can't tell if it is another The Onion headline or actual news, they will stop caring.
The only way this will be gotten around is to have anon news sources which vet any information they get, either by corroborating it with other stories, or by other means, then signing that the information is actually real.
Similar here. "When confidential information (including credit card info, banking info on customers, account payable, account receivable) gets disseminated by a PFY at the cloud provider who did a quick copy to sell the info to someone offshore, I can point at the cloud and say that they assured me of complete security, where I didn't even need to encrypt PII data. I'd just pay their fees, and they would do all the legwork and locking for me."
Blah. Only way I'd bother to store confidential data offsite is by copying my TrueCrypt volumes (which are protected by a good passphrase, as well as keyfiles.)
The problem is that most established firms bigger than a SMB require a degree for any significant rank in the company. For example, yes, a computer company may allow people with no degree to man the phones, or perhaps even make it to team lead or MOD status. Development, similar, they make a supervisor role. However, good luck crossing out of those fields into engineering or other places where the real money is made without at least a B. S.
However, if one wants to get past that, the HR people and the PHBs want to see degrees. Certificates [1] are pretty papers justifying why you are even employed there, but to be taken seriously, you need a degree from an accredited college. [2].
Finally, don't forget that a job today doesn't mean being on the street tomorrow. In this market, to PHBs, "computer people" are a fungible resource, fired when felt like, because there are always replacements. No local talent? The H-1B pool is inexhaustable and cheap, especially if you have a "secret requirement". So, any edge above the competition is important. This is why I'm seriously considering a master's in CS or IT.
[1]: There are some exceptions. The CISSP certification and having a TS/SCI clearance are the ones considered good by the PHBs.
[2]: Thankfully only law school has the tier system officially, although if you and the PHBs above you share the same alma mater, it can mean a fast track inside a firm.
Dell and HP have decent business lines, provided you get the premium level of support with the machine.
Apple doesn't piece things out, other than AppleCare. You buy a Mac, you get a known good quantity, and you get a good support level. It is a heck of a lot easier to bring a machine into a Genius Bar if something is broken as opposed to sitting on hold for 3 hours only to get yelled at (and hung up on) for being "non-cooperative" because you are not booting Windows on a box that doesn't even POST.
For people who are versed in computer hardware, it may not make a difference. However, for people who use their computers for a living, having CS that is actually usable can be well worth the difference in price between a Mac and a big box store PC.
Three words: Defense in depth.
A company can't depend on one single thing for their security. These days, it does take network security, host security, having policies in place that people follow, and periodic (scheduled and unscheduled) audits/pen tests. Without all these, it is only a matter of time before a blackhat easily gets their way in.
This doesn't mean paranoia, but it also means that one can't hide their head behind a fence and expect a blackhat not to target the derriere that is exposed.
There are always ways around anything. If there is really want for it, even MMOs can have emulator servers built with the same or similar mechanics as the original game.
Granted, this is something more on the edges as opposed to mainstream use, but if single player games start having their content dribbled to users level by level, someone will cache it, and then make a server emulator so people can play without having to have 24/7 access to the "mother ship".
I must not be up to current events, but from what I see, Ubuntu is still a very strong distribution being arguably the front-runner when it comes to the desktop Linux offerings.
Every distro has their growing pains. RedHat went through theirs, Slackware had its trials, and so on.
Regardless of the drama that might surround Ubuntu, it still will be one of the top distributions out there. Of course, there may be forks, but Ubuntu has a solid development effort behind it and is standing up to the test of time.
I don't see any "bad linux" distros in the mainstream. In my book, only way a distro can be "bad" is if they stomp on GPL requirements and refuse to have source code available as per the license. Or if they are outrageously sloppy in how they build binaries, so the executables might not be what the source code compiles to.
You were assuming Windows... the SPARC workstation I was using back then definitely didn't have a Windows key.
Yes, I had a macro with CDE that would lock the screen, but I wouldn't trust my job to making sure I nailed it for a quick coffee break. Especially with people who would be zooming for an unattended machine with a root prompt on it.
What is ironic is that IBM Zurich was predicting this exact type of attack.
This is why they made the ZTIC prototype, and is why UBS is using it under their name of the UBS Access Key.
Why is the ZTIC so unique that IBM made it? Couple reasons:
1: Simplicity. Plug it in a USB port, it makes a secure connection through the computer to the bank, and no matter how trashed the host computer is, the worst it can do is stop the connection. It confirms access and transactions on the device, so even if the web browser is saying that a transaction was successful, the ZTIC will show if it got modified and turned into a large bank withdrawal heading to Elbonia in reality.
2: Low attack surface. Almost anything can be hacked, but it only does one task. If the device is constructed right, reflashing the device without taking it apart and finding the JTAG parts on a chip would be almost impossible.
3: Even Joe Sixpack might wake up and not let a transaction through if the $100 that was going to his bookie for a Superbowl game showed up as a $10,000 transfer to an offshore bank. So, it does contribute to slowing down even PEBKAC issues.
When I worked about a decade ago at a place where people with dubious intentions could access the work area, I ended up making a switch embedded in a seat cushion that was connected to the serial port of my workstation. When I got up, the program monitoring that port would automatically xlock the machine.
It was an ugly hack, but I never had unattended terminal issues unlike some cow-orkers.
Agreed. There are "features" which constitute little more than security theater, like the annoying firewalls of times past.
However, there are true security features that operating systems must have.
UAC can be debated. In reality, UAC is a good thing, although how MS got a patent on a "graphical sudo" is beyond me.
There are features that are needed and are not theater, though. A couple:
1: Filesystem encryption, either file by file like AIX's EFS, Windows' EFS, or EncFS/FUSE; raw image level like TrueCrypt, LUKS, or encrypted disk images on OS X; or even hardware level encryption like on IronKeys [1], IBM disk arrays like the DS5100s and up, or encrypted drive controllers. This is the court of last resort if a blackhat gets physical access to a machine and decides to pull media, be it tapes from a silo or drives out of a RAID enclosure.
2: ASLR, DEP, and other memory protection. By making sure that data is not executable, using the NX bit, this protects the OS against a lot of buffer overflow attacks. Combine this with ASLR, so a malicious program doesn't know where the stack is, and this slams the door on a whole class of attacks.
3: Limited application context. This is called different things on different operating systems, but essentially it means an application does not have the full privs of the user it is running under. This can be done via policies (SELinux, AppArmor), jail(), or Microsoft's low-priv functionality (which IE7 and IE8 run under). It can even be done by a third party program like SandboxIE [2]. This is a definite security feature because it limits the damage malware can do if it gets the ability to execute in the context of a browser add-on or a browser (which is one of the most common infection vectors these days).
4: Ability to deny access after "x" number of bad password guesses. This is important to prevent brute forcing of either local access (via a hardware device that guesses passwords) or remote access.
5: Ability to check for unauthorized modifications to the operating system. AIDE/Samhain/TripWire are good tools for that, but I'm sure there are always ways to get around those. The only real way to detect modifications even with rootkits present is to boot the OS from other media, check the hashes of the programs on the system against a known good list, and discard false positives.
6: The ability to have audit logs sent to another machine. Having this ability may mean the difference between a breach investigation being unable to commence and being able to backtrack to the next link in the chain.
So, I agree -- there are security theater "features", but general use operating systems have to have true security features to deal with today's attack vectors as well.
[1]: IronKeys in my experience are the only game in town when it comes to on-board hardware encryption for USB flash drives. They are expensive, but worth it, assuming the machine they're used on is not compromised.
[2]: SandboxIE may not be perfect, but it definitely goes a long way for helping priv isolation. It also is easier to use than keeping your web browser in a separate VM.
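Item 5 above, the offline check against a known-good hash list, as an added example; this is my code, not the commenter's and not AIDE/Samhain/TripWire. It is a small Go program that walks a filesystem mounted from separate boot media, hashes every regular file, and diffs the result against a manifest taken from a clean install, reporting modified, missing and added files while skipping paths whose churn is expected. The mount point /mnt/suspect, the ignore list and the file names are assumptions for illustration; the demo builds a throwaway tree in a temp directory instead of touching a real disk.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

type Report struct {
	Modified []string // on disk, hash differs from the manifest
	Missing  []string // in the manifest, gone from disk
	Added    []string // on disk, unknown to the manifest
}

// Hashes walks root (the suspect disk mounted read-only from rescue media, e.g. /mnt/suspect)
// and maps relative path -> hex SHA-256 for every regular file, skipping ignore prefixes
// (logs, caches, mtab) whose churn would only be false positives. Symlinks and devices are not followed.
func Hashes(root string, ignore []string) (map[string]string, error) {
	out := map[string]string{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		rel, _ := filepath.Rel(root, path) // cannot fail: path is under root
		rel = filepath.ToSlash(rel)
		for _, p := range ignore {
			if rel == p || strings.HasPrefix(rel, p+"/") {
				return nil
			}
		}
		b, err := os.ReadFile(path) // fine for a demo; stream through sha256.New() for big files
		if err != nil {
			return err
		}
		out[rel] = fmt.Sprintf("%x", sha256.Sum256(b))
		return nil
	})
	return out, err
}

// Compare diffs the current hashes against the known-good manifest.
func Compare(manifest, current map[string]string) Report {
	var r Report
	for rel, sum := range current {
		if want, known := manifest[rel]; !known {
			r.Added = append(r.Added, rel)
		} else if want != sum {
			r.Modified = append(r.Modified, rel)
		}
	}
	for rel := range manifest {
		if _, ok := current[rel]; !ok {
			r.Missing = append(r.Missing, rel)
		}
	}
	for _, s := range [][]string{r.Modified, r.Missing, r.Added} {
		sort.Strings(s)
	}
	return r
}

// DemoScan builds a constructed tree, takes the manifest while clean, tampers like a rootkit might, rescans.
func DemoScan() (Report, error) {
	root, err := os.MkdirTemp("", "integrity")
	if err != nil {
		return Report{}, err
	}
	defer os.RemoveAll(root)
	var firstErr error
	write := func(rel, content string) { // remembers only the first failure
		p := filepath.Join(root, filepath.FromSlash(rel))
		if firstErr == nil {
			firstErr = os.MkdirAll(filepath.Dir(p), 0o755)
		}
		if firstErr == nil {
			firstErr = os.WriteFile(p, []byte(content), 0o644)
		}
	}
	ignore := []string{"var/log"}
	write("bin/ps", "clean ps binary")
	write("etc/passwd", "root:x:0:0")
	manifest, err := Hashes(root, ignore) // the known-good list, taken from the clean install
	if err != nil || firstErr != nil {
		return Report{}, fmt.Errorf("setup: %v %v", err, firstErr)
	}
	// Tampering: delete a file, trojan ps, drop a library; log growth is normal churn.
	firstErr = os.Remove(filepath.Join(root, "etc", "passwd"))
	write("bin/ps", "trojaned ps binary")
	write("usr/lib/libkeylog.so", "payload")
	write("var/log/messages", "boot ok\nuser logged in")
	current, err := Hashes(root, ignore)
	if err != nil || firstErr != nil {
		return Report{}, fmt.Errorf("scan: %v %v", err, firstErr)
	}
	return Compare(manifest, current), nil
}
```

Run against a real disk, the manifest is produced by Hashes on the clean system and stored off-box (or signed), and the scan is run from the rescue media so a resident rootkit cannot lie about what is on disk; the ignore list is where the "discard false positives" step lives.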
The good news is Windows 8 (from a previous /. article) is getting an "App Store". What it will be like when it gets released, who knows. However, it is a step in the right direction.
This makes me wonder about having NICs with an embedded firewall OS. Of course, this can be a target for remote flashing of malware, but this can be minimized with both signatures, and having a DIP switch that has to be physically pressed before a write to the OS can be done.
With the NIC handling the IDS/IPS capability, as well as being able to handle enterprise network configurations, the OS can be isolated and happily think it is receiving a DHCP address while in reality, an enterprise server has it on a static IP. This way, someone compromising the OS can't get another IP, or change the subnet mask.
The NIC with this capability can be also used on the enterprise for security, regardless of the OS running on the machine. The enterprise admin or an IPS can tell the box not to connect to the corporate net for "x" amount of time, or if it does connect, route all traffic to a remediation server. Perhaps (with enough flash space) it can even store an image of the OS, so re-imaging the box can happen quickly without any network traffic.
Devil's advocate here:
I beg to differ, especially with Windows 7. Windows has its issues, but its security features are on par with everyone else's.
The problem oftentimes is with third party developers who don't allow the OS to enforce DEP, much less ASLR. Heck, Microsoft was accused of acting like a tyrant because they decided to force programs to have a separate user/admin priv model, just like every other mainstream OS out there.
Of course, Windows has problems, but saying it is fundamentally insecure isn't accurate.
I don't see any multinational company doing this because of what you said (no ability to manage/audit workstations), plus the EULA would be violated, as MSE is defined as being for personal/home use.
This is what Forefront is for. Forefront is essentially MSE, but it has enterprise-level features, and MS advertised a few years ago that it can deter zombie invasions. Just the fact that the undead won't be attacking the workplace alone makes Microsoft's offering worth getting at an enterprise level.
How about not just "app stores", but a repository system?
The OS can include the app store, a place for OS updates, and a well secured repo for F/OSS software. The updating programs can grab a list of packages, see what needs updating, then grab those via curl or wget. Further repos can be added by the user, assuming they click through a dialog that one can't just walk into Mordor, other repositories may not be trustworthy, do at own risk, etc.
Oh, of course, all install packages (RPM, MSI, installp, .deb, etc.) are all cryptographically signed, and the signatures are checked before the package is installed. This way, a break-in to the repo server doesn't mean the files stored can be tampered with.
Repositories have served the F/OSS community well for over a decade, and have proven to be historically clean (with an exception here and there that, of course, gets fixed posthaste). I just wish Apple and Microsoft would build this in, and not just "App Store or install manually" functionality.
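The signed-repository flow the two comments above describe (grab the index, see what needs updating, fetch, check the signature, install), as an added example that is not from the commenter or from any real package tool. It uses Go's standard crypto/ed25519 and a one-line-per-package index format I made up for this illustration; the package names, versions, bytes and the fixed signing seed are constructed. The last two steps show what a break-in gets an attacker: a mirror serving a modified package fails the hash check, and a repo server rewriting the index to match fails the signature check, because the signing key never lives on the server.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Entry is one line of the package index: name, version, SHA-256 of the package file.
type Entry struct{ Name, Version, SHA256 string }
func hexsum(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// SignIndex runs where the release key lives (ideally offline) and signs exactly the bytes clients verify.
func SignIndex(priv ed25519.PrivateKey, entries []Entry) (body, sig []byte) {
	var b strings.Builder
	for _, e := range entries {
		fmt.Fprintf(&b, "%s %s %s\n", e.Name, e.Version, e.SHA256)
	}
	body = []byte(b.String())
	return body, ed25519.Sign(priv, body)
}

// VerifyIndex is the client side: check the signature with the pinned repo key before parsing anything.
func VerifyIndex(pub ed25519.PublicKey, body, sig []byte) ([]Entry, error) {
	if !ed25519.Verify(pub, body, sig) {
		return nil, fmt.Errorf("index signature invalid: refusing to parse")
	}
	var out []Entry
	for _, line := range strings.Split(strings.TrimSpace(string(body)), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || len(f[2]) != 64 {
			return nil, fmt.Errorf("malformed index line %q", line)
		}
		out = append(out, Entry{f[0], f[1], f[2]})
	}
	return out, nil
}

// Install fetches (curl/wget in real life) every indexed package whose version differs from the installed
// one and refuses anything whose hash does not match the signed index; a tampered mirror can at worst fail.
func Install(installed map[string]string, index []Entry, fetch func(name, version string) ([]byte, error)) ([]string, error) {
	var done []string
	for _, e := range index {
		if v, ok := installed[e.Name]; !ok || v == e.Version {
			continue // not installed here, or already current
		}
		pkg, err := fetch(e.Name, e.Version)
		if err != nil {
			return done, err
		}
		if hexsum(pkg) != e.SHA256 {
			return done, fmt.Errorf("%s %s: hash mismatch, not installing", e.Name, e.Version)
		}
		done = append(done, e.Name+"-"+e.Version) // a real client hands off to rpm/dpkg/msiexec here
	}
	return done, nil
}

// DemoResult: the honest run plus the error text from two tampering attempts (empty would mean it got through).
type DemoResult struct{ Installed []string; TamperedMirror, TamperedIndex string }

// DemoUpdate is the whole exchange with a constructed key and constructed package bytes.
func DemoUpdate() (DemoResult, error) {
	var res DemoResult
	// Fixed seed so the demo is reproducible; a real release key comes from crypto/rand and stays off the server.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey) // the only thing the client pins
	pkgs := map[string][]byte{ // mirror contents, keyed name-version
		"openssl-1.0.0g": []byte("constructed openssl package bytes"),
		"curl-7.21.7":    []byte("constructed curl package bytes"),
	}
	index := []Entry{
		{"openssl", "1.0.0g", hexsum(pkgs["openssl-1.0.0g"])},
		{"curl", "7.21.7", hexsum(pkgs["curl-7.21.7"])},
	}
	body, sig := SignIndex(priv, index)
	installed := map[string]string{"openssl": "1.0.0e", "curl": "7.21.7"} // only openssl is behind
	mirror := func(name, version string) ([]byte, error) { return pkgs[name+"-"+version], nil }
	entries, err := VerifyIndex(pub, body, sig)
	if err != nil {
		return res, err
	}
	if res.Installed, err = Install(installed, entries, mirror); err != nil {
		return res, err
	}
	// Compromised mirror serves a different build: the hash check refuses it.
	evil := func(string, string) ([]byte, error) { return []byte("backdoored build"), nil }
	if _, err := Install(installed, entries, evil); err != nil {
		res.TamperedMirror = err.Error()
	}
	// Compromised repo server rewrites the index to match the backdoored build, but has no signing key.
	edited := bytes.Replace(body, []byte(index[0].SHA256), []byte(hexsum([]byte("backdoored build"))), 1)
	if _, err := VerifyIndex(pub, edited, sig); err != nil {
		res.TamperedIndex = err.Error()
	}
	return res, nil
}
```

The order matters: the signature is checked before the index is parsed, and the package hash is checked before anything is unpacked, so untrusted bytes never reach a parser or an installer. The user-added repos the comment mentions would each carry their own pinned key, which is exactly why the "you are leaving Mordor" dialog is warranted.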
What antivirus/antimalware is good at is stopping the stuff after the first wave, and the companies get updates out. However, the blackhats know this, so they know their moneymaking is during the 0 day wave, before Patch Tuesday and the Malicious Software Removal Tool is run.
True resistance to malware requires a defense in depth philosophy, and until recently, this was not implemented in a significant fashion. For example, the usual setup of Windows XP would by default give admin rights to any process started by a user. This can be fixed, but most users wouldn't create limited users, nor run the web browser with the Run As... command.
In reality, there need to be a number of levels before malware gets to execute with a root/admin context. The first are browser add-ons, then the browser, then the OS's security in a jail or other restricted context. Ideally there should be a HIPS present in the OS that can catch unknown intrusions, but a HIPS does cost CPU cycles and can give false positives.
Ultimately, what one group can secure, another can break. However, the OS and program design that is in primary use now can really be made much better. AppArmor, SELinux, and having app profiles built into every program telling the minimum, best, and maximum privs it should have would go a long way toward isolating issues.
Even if the traffic is not blocked, a lot of places will not accept mail if dumped through an IP address on a known dynamic range.
So, one needs to split mail two ways:
Incoming mail: cable ISPs tend to block it just because. Telcos tend to allow incoming 25. This plus dynamic DNS solves this part.
Outgoing mail can be routed through the ISP's SMTP server, or if the mail volume is too much for that, there are third party outgoing SMTP services which act as relay hosts.
One company I knew that still had a 3.12 machine had it for the express reason that they believed it was far more secure than any currently made server operating system.
That, plus the fact that the antediluvian versions of Netware would hide any files and directories a user didn't have access to, rather than showing them and giving an "access denied" error.
How they got Netware to work with modern drive capacities, I will never know.
I solve that by stating "UNIX flavor", "UNIX variant", or "UNIX-like OS" when splitting hairs. This essentially covers the gamut of anything like this. If I know it is a true UNIX (TM), I will state "UNIX". However, only a relative few operating systems have the Open Group trademark (OS X, AIX, and Solaris are the main ones).