1. Engelbart's Demo - All of the wonders of GUI well before everyone else.
2. Lisp / Forth / APL - Pick your favorite
3. OS/9 on the Radio Shack CoCo, it supported multiple users, and the hardware didn't even have a real UART for serial communication.
4. VAX/VMS
5. Any of the "4k Demo Scene" type programs.... it's amazing what they pack into 4k, or 1k, or whatever.
NOTHING can tell the difference between
1> a program deliberately written to do something bad,
2> a program that does something bad by mistake
To make this determination requires solving the halting problem. You can not pre-determine the intent of a non-trivial program. This is the root cause of most computer security issues.
What you can do, is to pre-determine which side effects of running the program you are willing to allow. Most systems place NO limits on side effects of a program, however capability based systems do exactly this thing.
Why should a program even know about the existence of "djfhgkl.dll"? It shouldn't see any of the file system, except when handed a capability for a file or folder.
Every gas station clerk I hand $20 to as a form of payment doesn't have the ability to take out a mortgage in my name... they only have the $20. There are zero clerks asking to touch each note in my wallet by serial number, etc.
Malware are just programs that are written to do evil, everything else does evil by mistake. Capabilities just prevent most of the evil as a class.
UAC sucks, quite frankly. It's a "this might be bad, do you want to do it anyway" type of question, conveying no useful information other than a horrid boolean choice (Yes - your machine might get PWND along with everything on it, No - your machine won't do what you want because of "Security").
Replacing dialog boxes with "power boxes" makes almost no difference in terms of ease of use, but it shifts permissions away from the application code and puts it back where it belongs.
Insisting that users can't manage their own computers because of stupid OS design choices is like insisting that people can't handle wallets and cash money because of the fact that armored cars might occasionally have faulty doors which leave money flying across Indianapolis.
When you have cash money, you only hand the clerk the amount necessary to pay the bill.... the current OS design would have you hand your wallet (and a non-revocable power of attorney) to the clerk, and just hope that they take the right amount out of your account before handing it back.
Better, more transparent, easier to use, security is possible.
Time spent protecting operating systems from possible bad behaviour of applications is time wasted.
The current state of Operating Systems is akin to having only single phase AC power, but no fuses or circuit breakers anywhere in the system. Because applications are trusted with everything, any bug can result in the wholesale mis-direction of everything down the wrong path. Most (but not all) of our problems with security result from this misplaced trust.
It's probably going to be another decade before capability based security becomes mainstream, but I hope discussions of it in places like ../ can help bring it forward sooner.
In the 1980s and 1990s, there was a turning point where security was considered something that should be baked into an OS and product, be it an operating system (thus the C2/C3/B1/etc. levels), MAC/DAC controls, security as part of the kernel, and part of a module, and so on.
However, what happened is that companies took the easy route.
Amen! However, also along the way, the entire tech community decided that real security wasn't possible; it somehow became unobtainable. The problems were SOLVED in the 1970s in response to the data processing problems encountered with multi-level data security for Vietnam, but we failed to heed the lessons, and eventually they fell into obscurity.
Capability based security offers a way to have general purpose computing that humans can manage and secure. The core concept is to never, ever, trust any piece of code outside of the kernel of the OS. When a user needs to access a file, the application requests the OS to prompt the user for it, and is handed back a capability (like a file handle in Linux) to that specific file only. (As opposed to the current model of trusting the program to do only what it is supposed to do, and to never have a bug, or make a mistake.) As far as users are concerned, it doesn't seem much different from any other system, the dialog boxes might look slightly different, but as far as the application is concerned, it can only access the specific stuff the user has decided to trust it with, and nothing else.
It's possible to have secure computing, but it's been a long time coming. GNU Hurd stalled out, Microsoft Midori stalled out, the only glimmer of hope I've seen lately is the Genode project, which might be something we can get to run in the next year or two. I estimate 10 more years before Capability Based Systems go mainstream.
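Added here to illustrate the flow the comment above describes; it is not code from the original post or from Hurd, Midori or Genode. It is a minimal Python model in which a trusted powerbox turns the user's file choice into an unforgeable, attenuable capability, and the application works only through that capability. The `Capability`, `Powerbox`, `word_count` and `run_demo` names and the constructed two-file scenario are assumptions.

```python
import os
import tempfile


class Capability:
    """Unforgeable reference to one already-opened file with a fixed set of rights.

    The holder never learns a path, so it cannot even name another file, and
    rights can only shrink when the capability is handed onward.
    """

    __slots__ = ("_fd", "_rights")

    def __init__(self, fd, rights):
        self._fd = fd
        self._rights = frozenset(rights)

    def read(self, size=65536):
        if "read" not in self._rights:
            raise PermissionError("capability lacks the read right")
        os.lseek(self._fd, 0, os.SEEK_SET)
        return os.read(self._fd, size)

    def write(self, data):
        if "write" not in self._rights:
            raise PermissionError("capability lacks the write right")
        return os.write(self._fd, data)

    def attenuate(self, rights):
        """Derive a weaker capability for the same file; amplification is refused."""
        wanted = frozenset(rights)
        if not wanted <= self._rights:
            raise PermissionError("cannot add rights the parent lacks")
        return Capability(os.dup(self._fd), wanted)


class Powerbox:
    """Trusted user agent: the only place a user's choice becomes a capability.

    `choose` stands in for the OS file-picker dialog from the comment above; it
    receives the app's stated purpose and returns the chosen path, or None.
    """

    def __init__(self, choose):
        self._choose = choose

    def request_file(self, purpose, rights=("read",)):
        path = self._choose(purpose)
        if path is None:
            raise PermissionError("user declined the request")
        flags = os.O_RDWR if "write" in rights else os.O_RDONLY
        # The trusted side opens the file; the app receives only the handle.
        return Capability(os.open(path, flags), rights)


def word_count(text_cap):
    """The confined application: no ambient authority, only the capability."""
    return len(text_cap.read().split())


def run_demo():
    """Constructed scenario: two files exist, the user grants exactly one."""
    workdir = tempfile.mkdtemp()
    granted = os.path.join(workdir, "notes.txt")
    with open(granted, "w") as f:
        f.write("capability based security is not a magic bullet")
    with open(os.path.join(workdir, "secrets.txt"), "w") as f:
        f.write("never reachable by the app")

    box = Powerbox(lambda purpose: granted)  # simulated user picks notes.txt
    cap = box.request_file("count words", rights=("read", "write"))
    read_only = cap.attenuate(("read",))  # hand the app less than we hold
    results = {"words": word_count(read_only)}
    for name, action in (("write_blocked", lambda: read_only.write(b"x")),
                         ("amplify_blocked", lambda: read_only.attenuate(("read", "write")))):
        try:
            action()
            results[name] = False
        except PermissionError:
            results[name] = True
    return results
```

The application never receives a path, so the only way anything named `secrets.txt` could reach it is through another powerbox grant by the user.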
So, this can join GNU Hurd and Genode in the queue of things that we all need, but nobody (else) knows it yet. I look forward to running one of these, some day, so I can ditch the virus scanners, and surf the web in perfect safety... downloading and running whatever I want without worry.
There's a lot to be concerned about here, but the thing that everyone seems to miss, over and over, is the fact that we can't secure our computers against humans, let alone an AI with infinite patience. A few years ago, all of the 128 page security clearance applications for the entire United States were digitized, and online.... who was stupid enough to let this happen? Everyone was surprised and shocked when it happened, but I bet most of you don't even remember it any more.
All this data is eventually accessible via the internet, and there's shit for security protecting it. One lucky rogue human is all it takes to take the whole thing down. I'd be deeply surprised if someone, somewhere, isn't training an AI to take over compute resources.... and once that gets sufficiently good, it's game over, because nothing is secure.
It's possible to radically increase security, and do it in a user friendly manner... but this requires re-writing everything based on a new security model (the principle of least privilege), so it's not a "magic bullet", but rather an expensive one.
I hope we decide to spend the resources and fix security... but it's a faint hope.
1> Capability based operating systems - These allow a user to control the risks associated with running a given program in a familiar and transparent manner, thus solving most maladies associated with the use of networked computing.
2> Small scale power sources - The personal kilowatt. It should be feasible to develop a small turbogenerator capable of about 1.4 horsepower, for all manner of uses.
3> Homogeneous non-von Neumann computation (i.e. FPGA without the pain). A grid of lookup tables (LUT) can do Turing complete computation without the need for complex routing decisions to fit into the confines of current FPGA architectures. This homogeneity also provides flexibility in fit to any size compute core, and the ability to route around faults in hardware. It is also possible to guarantee the security relationship of inputs and outputs on shared devices. These chips could easily perform Exaflop scale computation if widely deployed.
4> Cold fusion and/or Wiffleball Fusor - This could go a long way towards solving our dependence on fossil fuels.
5> Mesh networking on a large scale - We need to take the internet back into our hands.
WTF? If some authority can't browse the photos in your devices, they will simply seize the devices. Encryption isn't going to help you there.
Adding a digital signature, created by the camera before compression, etc., to an image would be a much better value add. This could help assure that images aren't tampered with after they are taken. Heck, my name is even on one of those patents, though I wouldn't get any $ from it.
I can see how funding speculative investments with credit shouldn't be encouraged, but what about people who have the money in the bank? Are they doing anything to debit cards?
Why does anyone trust any application to do what it claims it will do on the tin? Isn't it the job of the Operating System to allocate and determine access to system resources, as specified by the user? We need better OSs.
It's time for Zero Trust Operating Systems. Gone are the days when one could assume that a program would work as designed, and tolerate the odd bug. Until the software that defines our computing experience grows up and stops trusting everything put into it, we're going to be deep in shit.
So when is Turbo Pascal coming back? ;-)
For once, this has nothing to do with the current lack of capability based security....
whew
Until we get systems like Genode or Hurd to the point where they can be used by most of us, and especially on servers, this is going to keep happening. The idea of trusting an application or service to voluntarily restrict its own actions is idiotic (at best).
Imagine getting a check from the bank of Windows... where, after checking your ID very carefully, they handed you all of the funds for the account, and trusted you (the person delegated a small amount of the account holder's money) to only take/remove the right amount..... that's what all the operating systems do. NONE of them require you to specify the capabilities to be handed to an application at run-time, but instead let the application do anything you can do, which is insane.
Capabilities are like having a cashier, who verifies the check, and only lets out the amount of money specified, and no more... if the balance permits. There's no need to trust the check-holder.
I give it about 10 more years until this insanity is resolved. ...So the prophecy is written, yet again.
I too am quickly getting tired of the political diatribes that just irk me, as I agree with them but just don't want to waste time in such a futile way.
What's needed is a platform where a post, or comment, can be tagged with any number of social network sourced flags, and you can filter out those flags.
So you're saying the FBI isn't smart enough to be able to put this software in a machine on an untrusted network, and firewall it so that it can only connect to a specific host, and not leak info back to any possible other sites in the world?
It's obvious this is just more Red Baiting, straight from the 1950s. Fsck that noise.
As soon as people wake up and realize that capability based security can fix all of this, "computer security professional" will be about as in demand as "computer operator" or "system administrator". I wish these folks so employed a nice 10ish year ride until it's over.
So the prophecy is written, again.
When Hurd or Genode reaches a state where it boots and supports more than 50% of all hardware (probably by sucking in drivers from Linux), either of them will take over the desktop, and fix security, all in one fell swoop. It'll shock everyone when it happens, including me, if I'm still alive by then.
Capability based security is something everyone desperately wants, but doesn't know about the existence of. Years remain for the veil to be lifted.
So the prophecy is written, yet again.
If we had capability based security in our systems, this kind of stuff would require the user to knowingly allow these types of activities. Until then, we're all screwed. Stop blaming everything but the OS. It's not the programmers or the users.
If your OS doesn't require you to specify what I/O is allowed for a program when you run it, you're never going to have a secure system. We need capability based security, and will be spinning our wheels until we get it.
You've taken a shallow view of this... like someone who thinks that circuit breakers aren't necessary, it's just the users of electricity who aren't careful enough. Limiting the scope of change that an instruction can execute is the primary job of an operating system, and Linux, Windows, and all the others just can't do it. Capability based systems provide safety, in a user friendly and transparent way... just like the breaker box in your house.
What we have now is the electrical equivalent of a power grid without breakers anywhere... imagine if every circuit in your house could potentially have megawatts flowing through it. This is as close as you can get, analogy-wise, to having a stack or buffer overflow that can be exploited.
It's a very deep design flaw, it takes a while to sink in.
Almost all security problems boil down to the absolute lack of support for the principle of least privilege. None of the commonly used systems have anything approaching this concept. The crude approximation available is to put each resource in a virtual machine and tightly limit its connections to other virtual machines that need to access it for a specific resource... then watch those like a hawk for traffic spikes etc.
The other thing that could help immensely is to install Data Diodes, which are gateways specifically designed to NEVER let data flow in the non-desired direction, guaranteed by physics. They come in pairs: they have a normal network connection on one side, and one of the pair can only transmit, the other can only receive, usually via a single fiber.
This stuff can be fixed, I've been saying so for at least a decade now (go ahead, search my comment history here and elsewhere)... y'all are slow on the uptake. I figure another 5 years before it starts sinking in, and at least 10 more to get it done.
I make bevel gears for a living, on 1950's vintage equipment. I can't telecommute.