The main reason that cyberwar is a threat is that we haven't worried about code complexity; as long as systems worked, we figured it was good enough. There are now projects in play that offer ways to manage this complexity, and reduce the number of trusted lines of code for any given function to tractable numbers. I'd even go so far as to say that it's possible to have a computer that is usable, secure and networked, with active users.
Capability based security offers one part of the approach to making this possible by limiting the side effects of any given piece of code in an effective sandbox.
Microkernel based operating systems are the next part by not trusting driver code, and reducing the attack surface to manageable levels.
Allowing the users to make use of the above 2 parts completes the picture, as they can then choose what they want to risk for what rewards.
I've recently learned of the Genode project which looks to be good enough to get this done. They hope to be at the "eat our own dog food" / self hosted stage before the end of 2012. They've been at it a while, and seem to really know what they are doing. I'm working on getting my own copy up and running in a VirtualBox so I can see just how it all works in practice.
Let's fix computer security and make cyberwar impossible.
Capability based security makes it possible to manage the complexity of our deployed software and limit damage caused by a process gone rogue. Imagine each process with its own sandbox, and you've got an idea how powerful it is. It doesn't mean giving up Linux either... as the Genode project looks on track to give us capabilities with complete Linux-compatible programs as clients in the tree.
Let's stop worrying about cyberwar, and help these guys get a permanent solution in place instead. Then we can worry about how to get IPv6 deployed everywhere, and take our internet back.
It turns out that you should care about the "chain of trust", and "trusted computing base" type terms, but not if they are used to back DRM.
You do want to pay attention when the developers of Genode talk about them in their development of a microkernel based (pick 1 of the 8 they offer) operating system which uses capability based security, and yet can run Linux inside of itself.
Genode is cool stuff...
I'm going to have to write an OS, based on capability based security. Even if it sucks, it'll be the only thing left running after Skynet becomes self aware, infects everything, then gets paranoid, then kills itself in a case of mistaken identity. (Total time, 4 hours, 9 minutes, 2.3 seconds)
Oh oh..... can I name the next one? Let's call it "Red Mercury", and it should be taking out a reactor in 5, 4, 3, 2
Chain of trust doesn't do jack sh*t for the security as far as users are concerned. It's all about DRM.
If the user doesn't have a way to tell the OS exactly what side-effects they are willing to tolerate from a program they want to run, then how is the OS supposed to know?
Linux, Windows and Mac don't even have a way to express this intent, let alone code to enforce it.
It's not the scale of the networks that is the real problem. It's the need to trust code that is the big issue. If a program can be tripped up, or in any way manipulated to do something, it becomes the basis of a system breach. If the scope of what can be done by a process is by default limited to a very select set of actions, you eliminate this basis of attack.
If the person in Alabama needs access to the payroll, that's fine. But why does she need write access to the system folder? Why does that same process need to be able to upload files to the internet at large?
Instead of running processes with all the rights of the given user account, use Capability Based Security. This means that for a given process, at run-time (not beforehand like AppArmor), you tell the OS which files and access type a process will need. This doesn't fix everything, but it does let you isolate security decisions and eliminate the side effects of running any code (trusted, untrusted, or downright evil) to the capabilities you choose to give it. This means that even if you confuse a process, you can't get more capabilities than it was given. Privilege escalation goes away, which is a major attack vector, along with stack injection, buffer overflows, etc. (Of course it does require a secure kernel, which you have to trust).
It's my firm belief that capability based security will eventually be what we all use... but due to the need to make people aware of the concept (which is several layers of abstraction away from what we usually deal with) and the cost of revamping everything... we're still 15 years out.
Instead of fixing this situation (our broken computer security model) we've been blaming Vendors, Users, Programmers, government. None of this is going to fix it.
When you can confuse a root process and get root, nothing is safe. Windows, Mac, Linux, all are vulnerable to this.
It doesn't have to be this way.
If gold hoarding is "kooky" why did FDR confiscate everyone's gold? It's a "worthless relic" according to you fiat fanboys... let us have our shiny precious, you don't need it.
"Spoken like someone who has never had to repay a loan..."
Which sounds like someone who has no retirement account, nor life savings.
The use of a portable XRF (Xray Fluorescence) scanner can quickly determine if money has been debased or not.
This article is about currency, which is a promise of money.
You doubt that it would work, but at least you're thinking about it.
If the user gets to decide what to feed to a process at run-time, instead of the process having all of the user's access, the user can then be responsible for their choices, which the OS will respect. Right now we don't even have a good way to do this. (As I said, AppArmor isn't capabilities)
Being able to even express the idea coherently is a step in the right direction towards doing something with that idea. Thanks for helping me do that.
When you open an email, you only give it access to write to a window on the screen, and a connection to the email server. This would mean that a rogue email could at worst send out copies of itself, if it managed to confuse the reader. The process would not be able to randomly go out and open files, write them, etc.
Lots of things get fixed when you say no by default instead of yes.
The AppArmor model isn't really capabilities. It's building a kind of sandbox, but of the wrong kind.
A good model is to let the user choose what they want to allow to happen... directly. If they don't feed a file to a process, it won't be able to touch it, ever, in a capabilities based system.
Having system administrators trying to figure out all the possible uses of a program isn't going to work, for the exact reasons you gave. The users are in a far better position to decide what they want done. A capability system allows just that, without weird random side-effects or restrictions.
Blaming the users, developers, tool chains, internet, or operating systems isn't going to help fix anything because those aren't the root cause of the problem.
Complexity is the problem. The solutions we're all used to using involve adding even more complexity on top of things, which makes it impossible to secure things.
There is another approach. It's called capability based security, and here's how it works:
For a given process, create a list of the files it needs to access, and the rights it needs for each. That list goes to the operating system, along with the program to run. The OS then checks the list consistently any time a file or other resource is needed. There is a special (but not onerous) way for the process to request access for other files from the OS (like when you need to open or save a file with a new name) called a "power box".
At no time is a process allowed to just try things out and scan around.
This means that you can simply and effectively limit the side effects of a given program, and not have to worry about buffer overflows, etc... because they can only result in processes which end up with the same limited access.
A capability based security system provides a realistic, reasonable, and fairly easily understood way of providing security which does NOT require trusting code (outside that of the actual OS).
This is the way forward out of the security morass we find ourselves in. I've been preaching this message for a while, and I hope that there are some out there in this wilderness who agree with me.
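The access model in this post (a capability list handed to the OS together with the program, every file or resource access checked against that list, no scanning around, and a "power box" for requesting new files) and the email-reader scenario from the earlier comment, simulated in plain Python as an added example. This is my own illustration, not code from the post or from Genode: the Kernel, Process and Powerbox classes, the in-memory "filesystem" and every path in it are constructed stand-ins, and the Powerbox policy plays the part of the user's run-time decision.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):
    READ = auto()
    WRITE = auto()


@dataclass(frozen=True)
class Capability:
    """Unforgeable token: one resource plus the rights held on it."""
    resource: str
    rights: Right


class Denied(PermissionError):
    """No capability covers the requested access."""


class Powerbox:
    """Stand-in for the user's run-time choice.  `policy` maps a resource to
    the rights the user is willing to hand out; anything else is refused."""

    def __init__(self, policy):
        self.policy = policy

    def request(self, resource, rights):
        granted = rights & self.policy.get(resource, Right(0))
        return Capability(resource, granted) if granted == rights else None


class Kernel:
    """Checks every access against the capability list, never the user account."""

    def __init__(self, files):
        self.files = dict(files)  # constructed in-memory filesystem

    def spawn(self, program, caps, powerbox):
        return program(Process(self, caps, powerbox))


class Process:
    def __init__(self, kernel, caps, powerbox):
        self._kernel, self._caps, self._powerbox = kernel, set(caps), powerbox

    def _check(self, resource, right):
        if not any(c.resource == resource and right in c.rights for c in self._caps):
            raise Denied(f"no {right.name} capability for {resource}")

    def read(self, resource):
        self._check(resource, Right.READ)
        return self._kernel.files[resource]

    def write(self, resource, data):
        self._check(resource, Right.WRITE)
        self._kernel.files[resource] = data

    def listdir(self):
        raise Denied("no enumeration capability: a process may not scan around")

    def request(self, resource, rights):
        cap = self._powerbox.request(resource, rights)  # the user decides, not the process
        if cap is None:
            raise Denied(f"user refused {rights} on {resource}")
        self._caps.add(cap)
        return cap


def run_mail_reader_demo():
    """Email reader holding only a window and a mail-server connection, fed a
    constructed malicious message that 'confuses' it into trying for more."""
    kernel = Kernel({
        "mail_server": "constructed malicious message: copy me everywhere",
        "window": "",
        "/home/alice/.ssh/id_rsa": "constructed private key",
        "/etc/passwd": "root:x:0:0:root:/root:/bin/sh",
    })
    user = Powerbox({"/home/alice/Downloads/attachment.pdf": Right.WRITE})
    caps = [Capability("window", Right.WRITE), Capability("mail_server", Right.READ | Right.WRITE)]

    def mail_reader(proc):
        msg = proc.read("mail_server")
        proc.write("window", msg)  # the one job it was given
        attempts = {
            "steal_ssh_key": lambda: proc.read("/home/alice/.ssh/id_rsa"),
            "overwrite_passwd": lambda: proc.write("/etc/passwd", "owned"),
            "scan_filesystem": proc.listdir,
            "ask_user_for_ssh_key": lambda: proc.request("/home/alice/.ssh/id_rsa", Right.READ),
            "resend_itself": lambda: proc.write("mail_server", msg),
            "save_attachment": lambda: proc.write(
                proc.request("/home/alice/Downloads/attachment.pdf", Right.WRITE).resource,
                "attachment bytes"),
        }
        out = {}
        for name, action in attempts.items():
            try:
                action()
                out[name] = "allowed"
            except Denied:
                out[name] = "denied"
        out["passwd_intact"] = kernel.files["/etc/passwd"].startswith("root:x:0:0")
        return out

    return kernel.spawn(mail_reader, caps, user)
```

Calling run_mail_reader_demo() plays out the point of the post: the confused reader's attempts on the SSH key, /etc/passwd and a directory listing are refused by the kernel because no capability covers them, the powerbox refuses to hand over the key because the user never offered it, and the only actions that succeed are the ones the user actually granted (re-sending through its own mail connection, and saving the one attachment the user chose to allow). Nothing the message says changes what the process can reach.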
Money is a durable store of wealth, until recently it was Gold, Silver or Copper coin of the realm. The role of Government was in ensuring the purity and weight of the coin.
Recently people have confused currency and paper with money, and we're seeing the results of it as the economy falls into this Greater Depression.
Eventually people are going to stop trading real goods for fiat debt instruments, it may be decades, or years. The transition period back to real money is going to be shocking to a lot of people, and profitable for a few. Try to be one of the few who doesn't lose everything when it does happen.
Capability based security can fix this, virus scanners and blind linux fanboyism aren't enough any more.
How many years left until people wise up and start working on Capability Based Security? It's the only way to stop this type of stuff.
This is like arguing about the odds of an IED (Improvised Explosive Device) killing you based on the brand of vehicle you're driving. If you have territory which is denied to your enemies, you don't have IEDs at all.
Both Windows and Linux let any old program tunnel into things and leave all sorts of crap wherever, as a default course of action. They assume that the user is the logical point at which security questions should be answered, which was fine back when it was just kids in CS101 trying to get their C programs to compile. However, times have changed, and now any program can take out a system (just like an IED looks like litter before it kills you).
Linux is no more secure than Windows in the big picture. They both lack capability based security, and thus both suck.
Capability based security isn't a magic bullet, it's more like being able to keep the enemy out of your territory.
Let's face it, the power of the Belgians is NOT the stuff of legend... the only hint you ever really had was the brief appearance of Jean-Claude Van Damme when he decided to dabble in acting.
Anonymous has NOTHING on the Belgians, or maybe they are the Belgians...?
I'm just trying to figure out how the puzzle pieces go together.
It wouldn't surprise me to learn that when "fogbank" is turned into a million degree plasma, that it has a refractive index high enough to focus gamma rays, or high energy x-rays. Or it could turn out that it acts as a negative index metamaterial.
Gadgets are fascinating things, one can never truly be sure of how they work, unless one has a clearance, and a well defined need to know. (I have neither).
For example, I was surprised when reading about the development of the Hydrogen bomb that cardboard and styrofoam were both critical components in the focusing of energy on the secondaries. Environments that last for billionths of a second before self destructing, which cost millions to set up, aren't in the domain of the typical experimenter. ;-)
I bet this is what the mysterious "fogbank" material that the Feds forgot how to make actually does inside Thermonuclear devices.
There needs to be a pruning of the laws, and they need to be out in the public, like Wikipedia, not hidden in overpriced law books.
Anarchy is not a bad thing... it happens after every heavy snowfall here in the midwest, we all help each other out, cooperatively, without the need for official governance. Anarchy relies on people doing the right things for themselves, and for others. It's only when things don't scale well that other, lesser forms of governance (such as a democracy) are used as a substitute. Unfortunately, you have to use theft (taxes) to support those forms of government.
The fact that there is "consent" in a Democracy does not change the fact that all taxation is theft. If it weren't theft, there would be no need for the threat of prison for non-payment.
Taxes can be used for funding the public good, but one should never lose sight of the theft that they are based upon.
The WikiSpeed project is aimed at producing street legal cars that get 100 MPG, have 5 Star crash ratings and would be priced at $25,000. They've won an X prize already.
They are applying the principles of agile development to every aspect of the process possible. Everything is modular so that you can work on an engine system separately from other parts of the machine. You could do a hybrid, or straight electric system if you wanted to.