Slashdot Mirror


User: QuantGuy

QuantGuy's activity in the archive.

Stories: 0
Comments: 22

Comments · 22

  1. Re:Apple iOS File System Encryption on iPhone Attack Reveals Passwords In Six Minutes · Score: 2

    Your statements are generally accurate about how the iOS 4 cryptosystem works. However, they apply only when the applications in question are actually requesting data protection services from the OS. If an application doesn't require data protection, these restrictions won't be enforced. See this presentation from last year's WWDC (the person who posted it probably broke NDA, but whatever).

    The Fraunhofer paper states that some types of sensitive materials could be obtained without the passcode. Hence the screaming headlines. But it is just as interesting to note that some items WERE NOT accessible without the passcode, which implies that they were protected using the data protection techniques you described (and as outlined in the PDF).

    I think what happened here is that the items that the Fraunhofer researchers were able to access were related to apps that didn't require data protection, OR the specific keychain items were marked kSecAttrAccessibleAlways or kSecAttrAccessibleAlwaysThisDeviceOnly. That's a guess.

    If that's true, then all that is needed is for Apple to make a few minor code changes to the apps so that they observe the proper data protection policies.
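    As an added illustration (not code from the original comment), the following shows how the accessibility class the comment names is set on a keychain item, beside the passcode-bound class an app should request instead; the service and account strings are made up.

```swift
import Foundation
import Security

// Added example, not from the original comment. Stores a generic-password
// keychain item twice: once with the weak accessibility class the comment
// names (readable whenever the device is powered on) and once with a class
// whose key is wrapped with the user's passcode. Names below are made up.

/// Adds a keychain item with an explicit accessibility class and returns the
/// OSStatus so the caller can check for errSecSuccess or errSecDuplicateItem.
func storeSecret(_ secret: Data, service: String, account: String,
                 accessible: CFString) -> OSStatus {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecValueData: secret,
        // This attribute selects the data-protection class that wraps the item.
        kSecAttrAccessible: accessible,
    ]
    return SecItemAdd(query as CFDictionary, nil)
}

/// Reads back the accessibility class of a stored item, so a review can
/// confirm which protection class a given item actually ended up with.
func accessibilityClass(service: String, account: String) -> String? {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecReturnAttributes: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let attrs = result as? [CFString: Any] else { return nil }
    return attrs[kSecAttrAccessible] as? String
}

let token = Data("example-session-token".utf8)   // constructed sample secret

// Weak: the item is decryptable without the passcode, so an image of the
// device's storage plus its hardware-bound keys is enough to recover it.
_ = storeSecret(token, service: "com.example.app", account: "weak",
                accessible: kSecAttrAccessibleAlways)

// Stronger: the class key is itself wrapped with a key derived from the
// user's passcode, so the item is unreadable while the device is locked, and
// "ThisDeviceOnly" keeps it out of backups restored to a different device.
_ = storeSecret(token, service: "com.example.app", account: "protected",
                accessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly)

print(accessibilityClass(service: "com.example.app", account: "weak") ?? "nil")
print(accessibilityClass(service: "com.example.app", account: "protected") ?? "nil")
```

    Run on a device or simulator with a passcode set; the second lookup fails with the device locked while the first still succeeds, which is the distinction the comment draws.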

  2. This story is a crock on Cyberwarrior Shortage Threatens US Security · Score: 2, Interesting

    This story is the biggest bunch of BS.

    I listened to this story on NPR. Instead of actually relying on hard data, the reporter simply found someone who estimated there are only 1,000 qualified "cyber" professionals in the US. The source presented no hard data, just a gut feel that there aren't enough people. This figure is about as well-sourced as the claim (often repeated) that the underground malware economy is bigger than the market for illegal drugs.

    Meanwhile, instead of calling outside the beltway, NPR also called up Alan Paller, the head of the SANS Institute, who parroted the same line. How Paller can say that there are less than 1,000 qualified security professionals with a straight face is beyond me. SANS claims to have trained over 150,000 people. Does that mean that 99% of their "graduates" are therefore unqualified?

    The worst part about this is that NPR did not even bother to disclose Paller's blatant conflict of interest. Contrary to popular belief, SANS is NOT a non-profit. It's in business to make a buck. I can't think of a better way to plump up the attendance rolls than to manufacture scare stories about "shortages" of professionals.

    I've got no real issues with Paller other than the fact that he's just another garden-variety huckster. I've got a bigger problem with NPR, who was just plain sloppy.

  3. Re:The bad guys thank you Tavis. on Miscreants Exploit Google-Outed Windows XP Zero-Day · Score: 5, Insightful

    There are a lot of "go-to" commentators that the press goes to for supposed insights about security. Graham is one of them. He's a smart guy, but also one of the worst carnival-barkers in the industry; always chasing stories. Here are a few classics:
    • On Bluetooth phone viruses, apparently the next big thing in malware: "If you don't know about bluejacking these messages can be quite a shock" (2004)
    • On the groundswell of Mac malware: "This means two real viruses have emerged for the Mac OS X platform in less than a week. The question on everyone's lips is - when will we see the next one, and will it have a more malicious payload?" (2006)
    • On "naming and shaming" (his words) countries from whose IP address space spam appears to emanate: "A new dirty 'gang of four' - South Korea, Brazil, India and their ringleader USA - account for over 30% of all the spam relayed by hacked computers around the globe." (2010)

    It is a bit rich that he's asking Tavis whether he "feels good about himself." Just saying.

  4. Remember the giant sucking sound from 2 years ago? on Google Releases AJAX Framework · Score: 2, Insightful

    ...when Google started vacuuming up a lot of stray Java talent? I'm thinking of folks like Josh Bloch (author of Effective Java, one of the best books I've ever read on Java) and Adam Bosworth (former CTO of BEA). I was always sort of curious about what Google was up to. I've got no proof that either of these gentlemen were involved in GWT, but I'd be surprised if they weren't. Good job, Google.

  5. His funniest quote on The Comedy of Scott McNealy · Score: 4, Funny

    McNealy's funniest quote is probably the following one from a 1996 Red Herring article. His letter to the editor is even funnier.

    NORTHWEST PASSAGE: Microsoft's plans to navigate the Java waters. August 1, 1996

    "Microsoft is on the offensive again because its hegemony is threatened by Java's potential to obsolete Windows and Microsoft Office. This is not only financially threatening, but seen as a personal insult. Sun CEO Scott McNealy ceaselessly goads developers to adopt Java and overthrow what he bluntly calls Redmond's mediocre standards of quality--'Windows 95 is just dogshit with whipped cream on top.'"

    LETTER TO THE EDITOR. December 1, 1996

    McNealy euphemizes

    I enjoyed Jonathan Burke's article "Northwest Passage." Mr. Burke did a fine job of laying out the reasons that software developers are pushing for a multiplatform Internet and how this poses a threat to Microsoft.

    However, I was shocked, puzzled, and offended when I came to a passage in the story that seriously misquoted me referring to Windows 95 as "[expletive] with whipped cream on top." As chairman and CEO of Sun Microsystems, a $7 billion publicly held company, I am very aware that my shareholders and the public take a dim view of crude, unprofessional language from executives. I make it a rule never to curse in public. I don't do it. I would never do it. I didn't do it with Mr. Burke or anyone else. In fact, in a carefully worded and deliberately inoffensive manner, I called Win 95 "whipped cream on a road apple."

    Scott G. McNealy
    President and CEO
    Sun Microsystems

    The Herring Responds

    Ah, "a road apple"--that's much more genteel.

  6. Re:Misleading Headline on Heads Roll As Microsoft Misses Vista Target · Score: 2, Informative

    Mod parent UP! Heads have most pointedly NOT rolled. Jim Allchin is still employed by the company, and will be there until his scheduled retirement. None of the management team in charge of the development of Windows have been fired. Ballmer is still running the joint. Gates is still "chief software architect", in spite of the fact that the glorious innovations he dreamed up, like the relational-database file system (WinFS) and the next-gen API (WinFX) have been gutted from Vista. Microsoft has just shuffled around the senior executives a bit. How this could possibly be interpreted as "heads rolling" is beyond me.

  7. Try "Linux on the LAPTOP" on Breaking Down Barriers to Linux Desktop Adoption · Score: 1

    Every time I see one of these articles about "when will Linux be ready for the desktop" or "what can we do to excite people about Linux on the desktop", I just substitute "laptop" for "desktop". Given that some analysts are reporting that a majority of PCs sold are in notebook form factors, it's important that the user experience be seamless -- and in most cases, it isn't. Folks wanting to know what it will take to make Linux mainstream need look no further than the laptop in front of them.

  8. What's the problem w/ long non-expiring passwords? on The Unspoken Taboo - The Never Expiring Password · Score: 5, Insightful

    Maybe I'm missing something. It's conventional wisdom that "best practice" is that "everyone" should change their password every x number of days. But often times folks have to change their passwords so often they end up writing them on sticky notes, or choosing the same easy eight-character password over and over and over, with the only variant being the numbers stuck at the end. And this is good for security how?

    At a previous company our policy was to have fairly long (16 character) passwords that never expired. For my own password, I chose a mnemonic one that had certain combinations of substituted numbers and special characters. It was never cracked, even though we ran password scans regularly on our Windows domain and Linux boxen.

    Show me the empirical evidence that frequently-changing, short passwords are better than long, unchanging ones, and not only will I change my password, but I might even change my mind as well. Until then articles like this are just perpetuating a mythology that people have come to accept as fact.

    As it happens, I think passwords have outlived their usefulness. But that's another thread entirely...

  9. iSec Partners are all ex-@stake on EFF and Sony Disclose New DRM Security Hole · Score: 1

    They left @stake en masse when the company was acquired by Symantec in 2004, and in so doing decimated the San Francisco office. Every one of the folks at iSec is absolutely top-notch. And no, I'm not astroturfing...

  10. Correlates with earlier research on SANS Institute Warns of Attack Shift · Score: 1

    This correlates with research published by others earlier this year. [Disclaimer: I know the author.]

  11. Brilliant move on Google Launches Summer of Code · Score: 1

    This may or may not have been Google's intention, but the net effect is a defiant middle finger thrust in the general direction of places like Provo and Redmond.

    This program is remarkably cheap for Google compared to the publicity (read: mischief) it will cause. $4500 x 200 developers = less than a million dollars cash outlay. Compare that to the vein-in-forehead-throbbing reactions it will induce in Ballmer and Butthead. Priceless.

    Nice one.

  12. Mr. Gates, I love your sig on Mac OS X Tiger Goes Gold · Score: 1

    ...but aren't you supposed to be finishing up Longhorn instead of reading Slashdot? :)

  13. and it's already a bestseller... on Mac OS X Tiger Goes Gold · Score: 5, Interesting

    ...according to Amazon. It's the top Amazon software and electronics item, which is pretty amazing considering it's outselling TurboTax and the iPod.

    I ordered mine already, of course...

  14. Our firm reviewed the report pre-publication... on Microsoft Silently Backs Favorable Presentation at RSA · Score: 5, Informative

    ...and found it lacking in several respects.

    Some background. I work as an industry analyst for a major technology research firm you've heard of. We were asked to review the methodology and findings of the report prior to its publication -- i.e., at the beginning of March.

    Things I commented on, among others:

    • No detailed breakdown of individual vulnerabilities. Which components were affected? How are they distributed?
    • No indication of which version of Apache was being used. 1.x? 2.x? Were the vulnerabilities for both versions counted erroneously?
    • Prominence given to a dubious metric: "days of risk," which biases scores in favor of Microsoft since Red Hat, Apache et al don't follow the same "responsible" disclosure process
    • Comparison of a managed runtime script engine (CLR+ASP.NET) with one that isn't (PHP). The correct "apples-to-apples" comparison (that's the authors' phrase, not mine) would be with JRE+JSP (e.g., Tomcat). Gee, no buffer overflow problems with ASP.NET. What a surprise!

    In short, the authors' claims that the methodology was "transparent" and "reproducible" are unfounded, since there is no way to inspect the data underlying their conclusions. I predicted they'd be heavily flamed by the open source crowd, and that they ought to make some changes to the report before they went public. They didn't, other than to acknowledge (but not address) a few of the methodological issues we raised.

    It's really too bad, since I really liked their emphasis on "role-based" analysis; that is, look at the specific "stack" for a particular use case, for example web serving. The methodology paper, in case you haven't read it, is worthwhile reading. But all that good work is sullied since we can't see the data.

  15. More Mickey Mouse laws on Copyright Infringement and Shoplifting Contrasted · Score: 5, Insightful

    More proof that the entertainment industry has Congress in its pocket.

    I'd love to see the RIAA and MPAA prosecuted under the RICO statute. (Wishful thinking, I know.)

  16. "All popular software will have holes"... yeah. on The Lessons of Software Monoculture · Score: 5, Informative

    The same old canard is being recycled again here... if only OS X, GNU/Linux, et al were more popular, they'd be plagued by security holes just like Windows. Anybody who's thought about this for more than ten seconds knows this is crap for a single reason: not all software coded in the same language (C-ish variants, in this case) is created equally. Some software is just designed badly.

    Just as a f'rinstance, here are three aspects of Windows that show just how much design, not installed base, drives vulnerabilities:

    • Windows registry. All users (and by extension all programs) need read-write access by default to a small number of files that are critical for system functioning: the Windows registry. All the houses in the neighborhood, so to speak, are emptying their sewage onto the same grassy field. Why commingle security concerns this way? In OS X, by contrast, applications manage their own preferences, and these are in almost all cases stored in the user's home directory in separate files. This makes security issues potentially much easier to compartmentalize, because applications are (or can be) restricted at the file system level.
    • Vulnerable services run by default. Much ink has been spilled in other places about how Windows (especially pre-XP SP2) leaves vulnerable network services listening by default, even in an out-of-the box install. Under such conditions, the half-life of a virgin XP desktop is what, 15 minutes? In contrast, the Mac ships with exactly zero ports open.
    • No "speed bump" for administrative operations. Windows doesn't have the concept of Unix sudo. Instead, users with administrative privileges can do anything without being challenged or even audited. Privileged users typically include Windows service accounts, application runtime accounts, and even Aunt Millie -- who granted herself admin rights at install just like the nice wizard told her to do. Compare this to OS X (or Linux). An operation requiring extra privileges forces the user to re-authenticate interactively; the command itself is logged for posterity.

    None of these issues have anything to do with the language they were coded in. For that matter, they could have been done in .NET. But they do help explain how certain design choices have helped create the Windows Security Pandemic. That monoculture's one hell of a petri dish.

    My point here is not to trumpet the marvelous advantages of OS X (or, say, Linux) over Windows. It is simply this: there is no Law that says that the number of vulnerabilities automatically increases with popularity but without regard to design. "Duntemann's Assertion" (aka Ballmer's Baked Wind) ain't like Moore's Law.

  17. Stylish and Functional: Kenneth Cole on Advice On Notebook Backpacks? · Score: 1

    There are two models, canvas and leather. The leather is definitely more pricey, but looks terrific. It doesn't scream "PLEASE STEAL ME BECAUSE THERE'S A LAPTOP INSIDE." It just fits in with the rest of your everyday flashy urbanwear.

    Oh, and it is the only piece of computer luggage I've ever owned that has gotten spontaneous, unprompted compliments.

    For those of you who tote PowerBooks, it has just enough headroom for a 15-incher (because it's wider than, say, the average Stinkpad -- which fits just fine).

  18. Best take: Tim Bray's "Loyal WS Opposition" on Goodbye SNMP? Hello, WS-Management · Score: 2, Informative

    This has probably been covered elsewhere, but I found that Tim Bray's short essay on WS-Overload summed it up better than I could have:

    "I'm going to stay out of the way and watch the WS-visionaries and WS-dreamers and WS-evangelists go ahead and WS-build their WS-future. Because I've been wrong before, and maybe they'll come up with something that WS-works and people want to WS-use. And if they do that, I'll stand up and say 'I was WS-wrong.'"

    Worth a look: http://tbray.org/ongoing/When/200x/2004/09/18/WS-Oppo

  19. Re:Give them an "F" on the report card on Microsoft's Security Report Card · Score: 2

    Re-writing from scratch is eminently feasible... just ask Apple.

    As for breaking backwards compatibility, I don't see why this is so objectionable. Microsoft wants this to happen anyway, since the company is encouraging customers to write code in languages that use the .NET CLR ("managed code"). Most of today's most critical business applications will almost certainly need to be re-written for Longhorn.

    If Apple can create a virtual "Classic" OS 9 environment that runs under OS X, why can't Microsoft create an OS with a virtual Win32 environment, sort of like the way VMWare does it but with a (much) stricter security sandbox around it? All new code would run in the "new" environment (presumably CLR-based).

    As for breakage, frankly I don't see how on earth you're going to get better security without breaking something. When Gates stated that "when we have a choice between functionality and security, we must choose security," do you really think he meant it would be painless? Far better, I say, to rip the Band-Aid off quickly than r-e-a-l s-l-o-w-l-y, which is what we're doing now.

    Nullum prandium gratuitum.

  20. Give them an "F" on the report card on Microsoft's Security Report Card · Score: 5, Insightful

    Three observations.
    • First, Microsoft gets no points for "taking security more seriously," because that's a DUH! instinct. Consider that large parts of the public sectors in Israel, the UK, India, China and Germany have decided to go the open source route -- in part because of security fears. Consider also that Microsoft's deferred revenues (new contracts!) were off by ~$600M last quarter; Connors specifically pointed out that this was because "salespeople were helping customers deal with security." Ballmer must be crapping himself. So what we're seeing is a survival instinct, not shrewdness, on Microsoft's part. So, no points for that.
    • Second, the scourge that is the Windows security problem has reached the level of pandemic in 80-90% of all companies. The patch-and-pray vicious cycle is overwhelming everything else. For IT staffs, it's Love in the Time of Cholera out there. As we speak, the spreadsheet monks at Gartner and IDC are probably flailing wildly as they attempt to update their TCO models.
    • Third, I resent the fact that Microsoft has commingled the need to fix a serious quality and customer satisfaction issue (shoddy code) with the implementation of market-preserving technologies (e.g., Palladium^H^H^H^H^H^H^H^H^H er, the "Next Generation Trusted Computing Base"). Business model enforcement through cryptography should not be confused with security.

    Re-writing Windows from the ground up seems to me to be the best remedy. Forcibly breaking backwards compatibility should be a design goal.

  21. ITMS shows microeconomic theory works. on Apple Announces 25 Million Song Downloads · Score: 5, Insightful

    The success of ITMS is that it shows that Jobs understands two things the RIAA does not: microeconomics and marketing. Think about it: iTunes Music Service isn't competing with the PressPlay, Napster 2, Real, or any of the other turkeys who assumed that people would simply want to buy their unfriendly, ad-crippled, bloated services out of a sense of duty, or just because they were feeling guilty.

    No, I believe Apple intended all along to compete with a different class of "competitor:" Kazaa, LimeWire, AIMster and the others. Apple, in essence, pretended it was competing in a commoditized market, by which I mean a market in which the price of goods is in free-fall (or in this case, actually free). How does one compete in a commoditized market? By differentiating the brand with things the other commodity players can't provide: quality ("CD-quality" tracks), convenience (reliable, near-instant downloads), ease-of-use (easy searching and browsing), and bundling (integration with iTunes). This is something the other (albeit "illegal") competitors cannot match.

    Folks can -- and undoubtedly will -- argue until the cows come home about whether ITMS is simply perpetuating the RIAA's cartel. (I personally feel that the RIAA's destruction is as pre-ordained as the setting sun, but that's a thread for another discussion). But you have to give Jobs credit for outside-the-box thinking, and for a willingness to take on an unconventional class of competitor.

  22. The Data Do NOT Support Fans of 'Disclosure' on Group Releases Anti-Disclosure Plan · Score: 1

    Ugh. Another flame-war sparked by those who favor "disclosure". In the minds of some, "disclosure" and "exploit code" are synonymous; anyone who feels differently must be in the "anti-disclosure" camp. As expected, the "disclosure" mujahedin trot out their usual line of reasoning, which is roughly: "if sploits are outlawed, only outlaws will have sploits." And of course, they make the same shrill, baseless ad hominem accusations of sell-outs and cover-ups. Please.

    I have some bad news for those who believe that the value of vulnerability information will somehow be irretrievably reduced simply because exploit details are not included.

    Let's go to the videotape, shall we? In 2000, Arbaugh, Fithen, and McHugh at the University of Maryland published an IEEE article on the lifecycle of vulnerabilities, based on CERT/CC reporting data. The article contains quite a bit of empirical data and several useful charts. Here is the money quote:

    The argument for releasing vulnerability information to the public stems from the belief that crackers already know the information -- but system administrators don't... In our research, we found that automating a vulnerability, not just disclosing it, serves as the catalyst for widespread intrusions.

    The notion that somehow it doesn't matter if the exploit code is published is just hogwash. It does matter. It makes a decisive difference in the rate of incident occurrences, as the data shows. The number of zero-day exploits is a tiny trickle compared to those that come later, after scripts are widely circulated.

    Vulnerability disclosure is critical to making systems more secure. Vulnerability information needs to be freely available to the public. But posting detailed "proof of concept" code that can be easily converted into an automated attack script is another thing entirely. Posting exploit scripts in public forums is, as P.J. O'Rourke once put it, "like giving whiskey and car keys to teenage boys." It is reckless, and irresponsible. Self-important glory-seekers who wail that their livelihoods are at risk, it seems to me, need to develop some more marketable skills.