MS wants to put out a stable, good performing phone OS. Locking it down to vetted apps from people who register weeds out a lot of malware as well as a lot of apps that will make the performance of the battery and other apps terrible giving users the impression that the OS/phone sucks. Further, it gives MS more control in case they want to lock things down in future. It requires developers to learn MS's dev tools, thus adding yet another block to cement MS's domination of the desktop OS market. Additionally, this will allow MS to prevent pornographic or overly violent apps from running on the phones, and as much as many of us dislike that, most of the populace seems to consider it a feature.
Basically, for many reasons MS thinks this will get more copies of their new OS out there and running on phones people are using, so MS can try to gain traction in the market.
If Comcast are a monopoly supplier (ie customers cannot get broadband from another ISP) then maybe the customers who cannot get Netflix (or whatever else) should bring a class action suit against Comcast.
They could, but not many consumers are interested in getting a $15 coupon off Comcast cable eight years from now when the lawsuit is over. Our courts, the FCC, the DoJ are all so pro-big business as the result of both political parties' appointments at the behest of lobbyists that breaking antitrust law is just another profitable new business strategy.
What they CANNOT do, and apparently what they have DONE is to limit people from installing applications on their iphone unless those applications come from the Apple store. I don't know if what they are doing is illegal, but it very well could be.
Aren't your statements a bit contradictory? You think what they've done is what the cannot do and that might be illegal but you don't know?
...but just imagine how much more money they would be making if they had a reasonable policy about third party sellers. If I was one of their investors, I would be pissed.
Okay I imagined how much they'd be making, but I'm not sure it isn't less. And at what $313, I don't think any of their investors are pissed. In the middle of a recession Apple has record profits largely because of the product you're second guessing their decisions about. How's the corporation you run doing?
The lowest you can go for range and still sell a (non-specialty) gasoline car is 200 miles, and they can refuel anywhere...
Why the 100 mile toys?
While short range vehicles may not be viable as most primary vehicles, a lot of families have multiple autos and a short range one for about town makes sense to a significant market.
Exploits in user level software net them access to a restricted sandbox and the OS can stop it from functioning unless
There have already been exploits to break out of Virtual Machines (e.g. VMWare) and various sandboxing techniques.
Of course there are techniques, it's just a difficult task to accomplish and even harder to sneak past a vetting process. There are also methods to verify the integrity of apps in a sandbox, usually using code signing and reset sandboxes to prevent persistence of exploits, although I don't know of any security setups that actually make use of said techniques as escaping the sandbox is already so difficult that such techniques are not really needed yet.
I've played with numerous touch based interfaces for years, everything from Wacom on OS X to iOS to Linux kiosks to Android devices to WebOS. I also have done a lot of work as a user interface and usability designer and tester. In my experience, pretty much all of them are superior to Windows 7 for tablets. It's just painful trying to do normal tasks clearly using a hacked on interface that none of the applications have been properly tested and engineered for. Even old versions of MacOS with a tablet at least start with a flexible input strategy that insures app developers don't rely upon multiple mouse buttons for necessary functionality.
I really do not get the point of this vehicle. Using electricity as a fuel instead of gasoline and sacrificing on some power to save the environment does sound like an interesting idea. But we need to consider where the electricity comes from
The point of electric vehicles is to divorce cars from a single power source and make it possible to transition to more sustainable energy. It's one part of a strategy to free us from dependence on oil. Once the majority of the fleet is electric, the electricity can come from nuclear, wind, hydro, tidal, geothermal, natural gas, coal, or anything else we come up with. Moreover, it allows for the option of distributed power generation from flexible sources. Put solar panels or windmills on your house and power your car, or use centralized power generation for greater efficiency, but more transmission cost.
Really, they lost me at "full Windows 7". As an OS, the interface is complete crap for use on a tablet. So this is a small netbook that converts into a barely usable tablet. No thanks.
That might be ok for malware writers like comScore, but the normal malware writer is aiming to take advantage of flaws in software - not go through a appstore kind of place.
Great, so how do they get their malware to execute on the target? Exploits in user level software net them access to a restricted sandbox and the OS can stop it from functioning unless it somehow masks that it is not matching the signature for the app assigned to that sandbox. So that means you need an exploit in an app and an exploit in the sandbox, just to get started trying to root the system. That's not impossible, but remember now they need to unpatched exploits and they have to have them before they are discovered and the greylists start restricting the insecure software to an even more restrictive sandbox that prevents infection in the first place. It makes worms really hard to make and have a short lifespan.
So again, you're imposing restrictions on what people want to legitimately do while not increasing the difficulty for the true problems by any order of magnitude.
It greatly increases the difficulty, more so than anything you've proposed certainly. Further, it doesn't "restrict" users. Users still have control but now they delegate default behaviors such that experts make security decisions for them unless they are absolutely certain they want to override that (something most users will never need to do and will only be asked to do by malware).
And while you're "vetted greylists" idea sounds interesting, I doubt competition would bring about what you describe - it hasn't already for what exists.
Competition works very well in the vast majority of markets. It fails when it runs into monopolies or abusive trusts. The main problem we have with the security industry now is that most of the changes needed require modification of the OS, and we have a monopolist controlling that OS.
and if macOS were ever to become popular enough that malware writers decide to target it? Just because something is too obscure to be targeted does not mean it's totally secure. The virus was written for windows because that's what the system runs. If it ran Linux it would have been a Linux virus.
If OS X ever became popular enough that it had 40% of the market not only would it be much more resistant to malware than Windows is now, Windows would adapt and become much more resistant to malware. Here's the thing that people don't seem to get. Windows isn't built on an inherently insecure foundation that can never be fixed. It's not insecure because it is built by Microsoft. It's insecure because it has monopoly influence on the market so competitive forces that would normally drive real, functional security improvements, are just not there.
Now I'm not saying all OS's would be immune to malware if Windows was not a monopoly. What I'm saying is that they'd adapt to be resistant enough to satisfy the needs of their main customer base and some OS's would target the secure workstation segment. The weakness of Windows is that investing in security doesn't make Microsoft more money than dumping half that money into marketing about security or security theater features.
You want to know the most effective way I can think of to improve computer security, break Microsoft up into at least two companies BOTH with full rights to the windows code, forbid them from any nonpublic communication or collusion. Let Microsoft A and Microsoft B bid against one another for contracts and we'll see just how fast they can make real security improvements at lower costs in order to win that contract.
While you do portend that there should be no single entity controlling it, there is nonetheless an entity other than the user controlling it - even if multiple entities, they will likely form together into a gov't agency or consortia of some sort in the end, thus a single entity any way.
No, it's the user controlling it by choosing what companies/organizations they trust rather than micromanaging and trying to make decisions they do not have the expertise to make.
...they will likely form together into a gov't agency or consortia of some sort...
The same way Apple, Symantec, and CERT have merged? Sure, anti-malware companies might form loose alliances but since many will be running paid services they'll also be in direct competition for customer dollars. That helps with a lot of collusion concerns as do open source projects like ClamAV.
Trusted computing (as you suggest with weights, etc for the user to adjust) still would not work. Why? If the user can modify what the system can trust, so can anything malicious.
That might be true on Windows, but it certainly isn't true on systems like SELinux, TRustedBSD, or even the iPhone. There are lots of settings users can change on their iPhone that apps have no access to as it is outside their sandbox.
All it takes is for the malware to be one step ahead of those writing lists - e.g. just like all viruses today.
Not really. PC's use blacklists. iPhones use whitelists, but poorly vetted ones. What is proposed is well vetted greylists that harness competition to make them well vetted. Say you write malware. Great. Now you still have to submit it to the store which means the store operator vets it and all other security lists are notified that it exists. On top of that, since it had to declare an ACL to get into the list, a cursory inspection is all that is needed to determine if the ACL matches up with the app's feature-set in most cases.
So no, that is not a working model - it works no better than what we have today, and in fact makes it worse since it creates a false sense of security as well.
I strongly disagree. In fact, sandboxing, ACLs and auditing is the method chosen by most high security OS distributions. The only difference here is changing from a single site based auditing group to a decentralized system designed for consumer use.
Also, if you notice, my initial reply ignored your weights, etc - replying to what you had before that.
You're mistaken. My very first post, before you even, posted contained, "...and weight those security feeds...".
I think you need to re-read the thread starting without all your preconceptions.
That's a great reason to have a centralized store, but there is no reason they couldn't allow other app markets exist, and allow the consumer to decide what they want to have on their device.
So what happens when the device is really really slow, or infected with viruses, or the battery dies after only a few hours. Users don't blame that on the application they installed from somewhere else. Rather they blame it on the device manufacturer and that device manufacturer loses sales. That's why you need a solution that takes this into account. Install apps from one store or multiple stores, but only vetted apps that have gone through a review that meets the guidelines, or you give the device manufacturer no business case for implementing it and significant downside.
Now there's some nice revisionism... It took Amazon's MP3 store - and some help from big record companies - before they changed their mind.
April 2007: Apple reaches a deal with EMI, effective immediately, to offer DRM free music from that label, pus them up for sale, and publicly announces that it hopes other labels follow suit.
September 2007: Amazon music store launches.
So you think Amazon forced Apple's hand by releasing DRM free music half a year after Apple had already done so? You're not just a revisionist, you're a retroactivist.
However, one person (e.g. Microsoft, gov't, gov't agency, etc.) controlling what all users - including all corporations - can do with the computers doesn't work. Thus 'trusted' computing is flawed...
Please go read the thread you're replying to. We're talking about a trust model where the greylists are created by weighted combinations of security threads from multiple sources, as weighted by the end user, with a very, very rarely user override option. There is no "one person" by the definition of what we're talking about.
Please keep up with the conversation. Go re-read the thread leading up to this and you'll understand the security framework they would have to overcome. Then you can make an informed comment.
About sports stadiums. Study after study have shown that cities that subsidize new facilities, typically on the order of $100 Million, never recoup that money.
I think you're oversimplify and also need to clarify the term "subsidy". Stadiums built to replace already existing stadiums and stadiums funded where building and operating costs are shared by local government usually do not recoup the investment even when you take into account tax dollars collected by increases in the local economy. But "subsidy" is a somewhat broadly used term. When you look at privately owned stadiums where the public has no upkeep and provides a one time time tax break (ala federal bonds for example) the picture is quite different.
I suspect that factories and data centers are also a money sink.
As far as I know, no public funds are being spent on these data centers. They're privately owned and just getting a tax break from the state. So if a company did not build one, the state would not get any of the tax revenue in the first place. It's hard to see how the state can lose by giving tax breaks in this way unless they have some reason to think the company will build there even without one.
Even if they charge no taxes at all, the presence of the company will bring in income tax, sales tax from employees and all the stuff they buy and all the temporary construction workers in the area.
Disagree. This is the same logic flaw politicians make when they justify building a new sadidum for the football/baseball team. They spend MORE money building the structure than what the stadium generates in the nearby neighborhood.
What money? Can you cite anywhere it says NC is paying for the construction of this or even paying to build new roads around it? As far as I've been able to determine, NC is just not charging them all the taxes they normally would, taxes they wouldn't be able to collect if they weren't building in the first place.
Libertarian==fiscally-conservative...
Heh, maybe that explains it. Pretty much all the libertarians I meet are clueless when it comes to real world economics. I mean I like Ron Paul and respect his dedications, but he just doesn't have the foggiest when it comes to economics.
Suspect Benchmark Results by IE9 Being Investigated. There, how hard was that?
Harder than you think since that is misleading. They aren't being investigated as far as I know or the article presents. They were investigated (briefly) and the results are in the blog post.
The article was light on details, but the reason why companies typically do this is because the states hand out idiotically huge tax incentives that there's no way will ever be paid off by the presence of the company.
I've never heard of them actually paying for the federal taxes, just agreeing to not charge all the normal taxes the state does. So how does the state or locality have to pay off anything to break even? Even if they charge no taxes at all, the presence of the company will bring in income tax, sales tax from employees and all the stuff they buy and all the temporary construction workers in the area.
By the time the jobs would be around for long enough to finally start to break even, it's been long enough that the companies have started looking around for who's going to offer the best tax incentives for them to either upgrade their facilities to stay or move.
I still don't see this "break even" you're talking about. Jobs come in for a while. It's doubtful any of these companies are going to move these data centers ever, as they are huge investments. They might not expand them if they get a better deal elsewhere, but even if they did close one, they'd sell it off and another company would open a datacenter there. Nobody just shutters a billion dollar datacenter and lets it sit empty.
it's almost certainly about nothing other than getting ridiculous handouts given by desperate leaders in order to make them look good at any cost to their constituents. See also sports team stadiums.
I've certainly seen some crazy things with stadiums, like subsidies, but then those stadiums often bring a lot of money into a community as well. I guess I'd just have to see some real hard numbers on the situation before I dismiss this as a political stunt that harms their constituency. I read an article or two on most of these and all I saw were tax breaks with a bunch of conditions (healthcare for employees, move into one of several very poor areas, etc.). As far as I an tell, it's the state giving up tax revenue they would not get anyway if these companies chose another location.
Shows a problem with benchmarks in general. Too easy to game.
Benchmarks are great, for improving the performance of your code. Benchmarks are terrible, as soon as they start to get press and companies try to deceive users by gaming them. That's why it is important that we call out when they are caught so they get more bad press and maybe think twice about gaming the benchmark in the first place.
Headlines are supposed to be succinct summaries and that is enforced by the character limit here. Maybe a better headline would be "Internet Explorer 9 Probably Cheating On Sunspider, But Maybe Just Horribly Written In Ways That Make SunSpider Apply Poorly". Of course that is too long for the title.
The important take away is that a particular SunSpider test is not a valid test for IE 9's performance in that category and that IE 9 will do much, much worse in many real world scenarios. The likelihood is that this is because Microsoft cares more about SunSpider than actual performance (marketing versus functionality) but it is vaguely possible it is the result of really crappy coding that just happens to have the same result.
Bzzt, you fail. You're back to square one. Remember all those jailbroken iPhones getting hacked because OpenSSH was installed with default passwords?
No. I remember A TINY NUMBER of jailbroken iPhones getting owned because a very small subset of users hacked their phones and an even smaller subset installed SSH but did not change the default password.
The example you cite has little or nothing to do with mainstream security. We're in a situation right now where people regularly have automated malware infecting their machines in large numbers. Low hanging fruit first.
It is a pretty unsolvable problem.
Not really. The first step is to make software installation and default configuration easy and simple for developers writing software, seciurity expert auditing software, and users actually installing it. Once users no longer have to jump through hoops to perform computing tasks, they question why they are asked to jump through hoops in one particular case (malware) or they just don't bother out of laziness.
UAC and everything is great for those on the ball and understand when things should happen (UAC shouldn't popup in most cases, and if it suddenly does on some random file off the Internet, maybe it's best to click Cancel), but it's otherwise just another step the user goes through to get some program running.
UAC has broken UI that results in huge security holes because the "experts" didn't bother to adequately test it before they deployed. They were a lot ore concerned with making sure they could blame security problems on users instead of actually making things more secure. The point of a good UI is to not get in the users way. Apple's store does a good job of that, but doesn't have the best security. What I propose would keep the same ease of use with users basically never seeing any prompts, but adding in a better mechanism for making sure those apps are secure and properly sandboxed.
It's important not to make the mistake of assuming because Microsoft did something terribly, it can't be done well. Microsoft often does things terribly.
And that company with professionals leaked a tethering app in a flashlight app. What's that say about the minimum wage grunts^H^H^H^H software professionals ability to scan for malware in a compiled binary? Thankfully apps on that device are extremely limited as to what they can access due to the sandboxing -- the app can't even request for additional permissions, as there is on Android or Blackberry).
Sandboxing and declared ACLs can help, but what you bring up is why it would be nice to bring competition to the space. By letting users pick and weight various security feeds, you don't have to rely on Apple (for example). Instead you could get a feed from an open source project as well and from a dedicated security company that just does audits. Remember even if it is a compiled binary, the security experts can still see the sandbox ACL.
To be perfectly honest, nobody has any idea if even professional software like AutoCAD, Windows, M acOS, etc are calling home, reporting user information.
There are lots of network security people and government agencies that look for just these things. Some of them do have a good idea, but you make a point that no one can know for certain.
First, there should not be one company deciding. We should harness the free market and build a system that takes inputs from whatever security feeds users subscribe to and weight those security feeds based upon the end user's preferences.
There isn't one company deciding, right? If you don't like vendor X, move to vendor Y.
Except at least for PC's, this is an OS level problem and desktop OS's are a monopolized market. But I'm not making any claims about what has to happen, just what would be best for end users in my opinion. Obviously having to switch OS's in order to change security feeds would be less than ideal for users. and would lessen the ability of the free market to bring those users benefits.
I'm convinced we could leverage the benefits of both an iPhone app store approach and a traditional package manager approach. I fear, however, that none of the companies in a position to actually make a good system and push it to end users is going to be motivated to do so.
Isn't this a valid manifestation of the free market?
If i were a free market, perhaps. But the courts in at least four countries I know of have already ruled that the free market is not acting appropriately and that a monopoly has formed in the desktop OS market. It's pretty clear that MS's Windows market share will hold back progress significantly and the free market breaks when it encounters a monopoly (which is why we have antitrust/competition laws).
But how that 99% of society wants to use the computer should not ( and cannot necessarily) be dictated by even the 1% as the 1% will not know every edge case for how the 99% wants to use the computer.
Actually 99% of users will probably never do anything that would even be an issue. Malware primarily runs because users are not informed by the OS that it is malware or told that it is accessing their address book and starting a mail server or constantly spamming traffic at an address in Estonia. For the other 1% of cases the user needs the option to override the security system, but this should never be needed for normal use cases so when an app requests this it should be a red flag to users. Right now they're so conditioned by our poor OS UIs they just click through things. But if a users was never, ever (over the course of owning a machine and later over their lifetime) asked o override security and they were asked at some point with language worded to say doing so would allow someone else control of their computer forever, I think that would make a huge difference, don't you?
Slashdot Mirror
Why would they copy Apple in this area?
MS wants to put out a stable, good performing phone OS. Locking it down to vetted apps from people who register weeds out a lot of malware as well as a lot of apps that will make the performance of the battery and other apps terrible giving users the impression that the OS/phone sucks. Further, it gives MS more control in case they want to lock things down in future. It requires developers to learn MS's dev tools, thus adding yet another block to cement MS's domination of the desktop OS market. Additionally, this will allow MS to prevent pornographic or overly violent apps from running on the phones, and as much as many of us dislike that, most of the populace seems to consider it a feature.
Basically, for many reasons MS thinks this will get more copies of their new OS out there and running on phones people are using, so MS can try to gain traction in the market.
If Comcast are a monopoly supplier (ie customers cannot get broadband from another ISP) then maybe the customers who cannot get Netflix (or whatever else) should bring a class action suit against Comcast.
They could, but not many consumers are interested in getting a $15 coupon off Comcast cable eight years from now when the lawsuit is over. Our courts, the FCC, the DoJ are all so pro-big business as the result of both political parties' appointments at the behest of lobbyists that breaking antitrust law is just another profitable new business strategy.
What they CANNOT do, and apparently what they have DONE is to limit people from installing applications on their iphone unless those applications come from the Apple store. I don't know if what they are doing is illegal, but it very well could be.
Aren't your statements a bit contradictory? You think what they've done is what the cannot do and that might be illegal but you don't know?
...but just imagine how much more money they would be making if they had a reasonable policy about third party sellers. If I was one of their investors, I would be pissed.
Okay I imagined how much they'd be making, but I'm not sure it isn't less. And at what $313, I don't think any of their investors are pissed. In the middle of a recession Apple has record profits largely because of the product you're second guessing their decisions about. How's the corporation you run doing?
The lowest you can go for range and still sell a (non-specialty) gasoline car is 200 miles, and they can refuel anywhere... Why the 100 mile toys?
While short range vehicles may not be viable as most primary vehicles, a lot of families have multiple autos and a short range one for about town makes sense to a significant market.
Exploits in user level software net them access to a restricted sandbox and the OS can stop it from functioning unless
There have already been exploits to break out of Virtual Machines (e.g. VMWare) and various sandboxing techniques.
Of course there are techniques, it's just a difficult task to accomplish and even harder to sneak past a vetting process. There are also methods to verify the integrity of apps in a sandbox, usually using code signing and reset sandboxes to prevent persistence of exploits, although I don't know of any security setups that actually make use of said techniques as escaping the sandbox is already so difficult that such techniques are not really needed yet.
I've played with numerous touch based interfaces for years, everything from Wacom on OS X to iOS to Linux kiosks to Android devices to WebOS. I also have done a lot of work as a user interface and usability designer and tester. In my experience, pretty much all of them are superior to Windows 7 for tablets. It's just painful trying to do normal tasks clearly using a hacked on interface that none of the applications have been properly tested and engineered for. Even old versions of MacOS with a tablet at least start with a flexible input strategy that insures app developers don't rely upon multiple mouse buttons for necessary functionality.
I really do not get the point of this vehicle. Using electricity as a fuel instead of gasoline and sacrificing on some power to save the environment does sound like an interesting idea. But we need to consider where the electricity comes from
The point of electric vehicles is to divorce cars from a single power source and make it possible to transition to more sustainable energy. It's one part of a strategy to free us from dependence on oil. Once the majority of the fleet is electric, the electricity can come from nuclear, wind, hydro, tidal, geothermal, natural gas, coal, or anything else we come up with. Moreover, it allows for the option of distributed power generation from flexible sources. Put solar panels or windmills on your house and power your car, or use centralized power generation for greater efficiency, but more transmission cost.
Electric cars == flexibility
Really, they lost me at "full Windows 7". As an OS, the interface is complete crap for use on a tablet. So this is a small netbook that converts into a barely usable tablet. No thanks.
That might be ok for malware writers like comScore, but the normal malware writer is aiming to take advantage of flaws in software - not go through a appstore kind of place.
Great, so how do they get their malware to execute on the target? Exploits in user level software net them access to a restricted sandbox and the OS can stop it from functioning unless it somehow masks that it is not matching the signature for the app assigned to that sandbox. So that means you need an exploit in an app and an exploit in the sandbox, just to get started trying to root the system. That's not impossible, but remember now they need to unpatched exploits and they have to have them before they are discovered and the greylists start restricting the insecure software to an even more restrictive sandbox that prevents infection in the first place. It makes worms really hard to make and have a short lifespan.
So again, you're imposing restrictions on what people want to legitimately do while not increasing the difficulty for the true problems by any order of magnitude.
It greatly increases the difficulty, more so than anything you've proposed certainly. Further, it doesn't "restrict" users. Users still have control but now they delegate default behaviors such that experts make security decisions for them unless they are absolutely certain they want to override that (something most users will never need to do and will only be asked to do by malware).
And while you're "vetted greylists" idea sounds interesting, I doubt competition would bring about what you describe - it hasn't already for what exists.
Competition works very well in the vast majority of markets. It fails when it runs into monopolies or abusive trusts. The main problem we have with the security industry now is that most of the changes needed require modification of the OS, and we have a monopolist controlling that OS.
and if macOS were ever to become popular enough that malware writers decide to target it? Just because something is too obscure to be targeted does not mean it's totally secure. The virus was written for windows because that's what the system runs. If it ran Linux it would have been a Linux virus.
If OS X ever became popular enough that it had 40% of the market not only would it be much more resistant to malware than Windows is now, Windows would adapt and become much more resistant to malware. Here's the thing that people don't seem to get. Windows isn't built on an inherently insecure foundation that can never be fixed. It's not insecure because it is built by Microsoft. It's insecure because it has monopoly influence on the market so competitive forces that would normally drive real, functional security improvements, are just not there.
Now I'm not saying all OS's would be immune to malware if Windows was not a monopoly. What I'm saying is that they'd adapt to be resistant enough to satisfy the needs of their main customer base and some OS's would target the secure workstation segment. The weakness of Windows is that investing in security doesn't make Microsoft more money than dumping half that money into marketing about security or security theater features.
You want to know the most effective way I can think of to improve computer security, break Microsoft up into at least two companies BOTH with full rights to the windows code, forbid them from any nonpublic communication or collusion. Let Microsoft A and Microsoft B bid against one another for contracts and we'll see just how fast they can make real security improvements at lower costs in order to win that contract.
While you do portend that there should be no single entity controlling it, there is nonetheless an entity other than the user controlling it - even if multiple entities, they will likely form together into a gov't agency or consortia of some sort in the end, thus a single entity any way.
No, it's the user controlling it by choosing what companies/organizations they trust rather than micromanaging and trying to make decisions they do not have the expertise to make.
...they will likely form together into a gov't agency or consortia of some sort...
The same way Apple, Symantec, and CERT have merged? Sure, anti-malware companies might form loose alliances but since many will be running paid services they'll also be in direct competition for customer dollars. That helps with a lot of collusion concerns as do open source projects like ClamAV.
Trusted computing (as you suggest with weights, etc for the user to adjust) still would not work. Why? If the user can modify what the system can trust, so can anything malicious.
That might be true on Windows, but it certainly isn't true on systems like SELinux, TRustedBSD, or even the iPhone. There are lots of settings users can change on their iPhone that apps have no access to as it is outside their sandbox.
All it takes is for the malware to be one step ahead of those writing lists - e.g. just like all viruses today.
Not really. PC's use blacklists. iPhones use whitelists, but poorly vetted ones. What is proposed is well vetted greylists that harness competition to make them well vetted. Say you write malware. Great. Now you still have to submit it to the store which means the store operator vets it and all other security lists are notified that it exists. On top of that, since it had to declare an ACL to get into the list, a cursory inspection is all that is needed to determine if the ACL matches up with the app's feature-set in most cases.
So no, that is not a working model - it works no better than what we have today, and in fact makes it worse since it creates a false sense of security as well.
I strongly disagree. In fact, sandboxing, ACLs and auditing is the method chosen by most high security OS distributions. The only difference here is changing from a single site based auditing group to a decentralized system designed for consumer use.
Also, if you notice, my initial reply ignored your weights, etc - replying to what you had before that.
You're mistaken. My very first post, before you even, posted contained, "...and weight those security feeds...".
I think you need to re-read the thread starting without all your preconceptions.
That's a great reason to have a centralized store, but there is no reason they couldn't allow other app markets exist, and allow the consumer to decide what they want to have on their device.
So what happens when the device is really really slow, or infected with viruses, or the battery dies after only a few hours. Users don't blame that on the application they installed from somewhere else. Rather they blame it on the device manufacturer and that device manufacturer loses sales. That's why you need a solution that takes this into account. Install apps from one store or multiple stores, but only vetted apps that have gone through a review that meets the guidelines, or you give the device manufacturer no business case for implementing it and significant downside.
Now there's some nice revisionism... It took Amazon's MP3 store - and some help from big record companies - before they changed their mind.
April 2007: Apple reaches a deal with EMI, effective immediately, to offer DRM free music from that label, pus them up for sale, and publicly announces that it hopes other labels follow suit.
September 2007: Amazon music store launches.
So you think Amazon forced Apple's hand by releasing DRM free music half a year after Apple had already done so? You're not just a revisionist, you're a retroactivist.
However, one person (e.g. Microsoft, gov't, gov't agency, etc.) controlling what all users - including all corporations - can do with the computers doesn't work. Thus 'trusted' computing is flawed...
Please go read the thread you're replying to. We're talking about a trust model where the greylists are created by weighted combinations of security threads from multiple sources, as weighted by the end user, with a very, very rarely user override option. There is no "one person" by the definition of what we're talking about.
Please keep up with the conversation. Go re-read the thread leading up to this and you'll understand the security framework they would have to overcome. Then you can make an informed comment.
About sports stadiums. Study after study have shown that cities that subsidize new facilities, typically on the order of $100 Million, never recoup that money.
I think you're oversimplify and also need to clarify the term "subsidy". Stadiums built to replace already existing stadiums and stadiums funded where building and operating costs are shared by local government usually do not recoup the investment even when you take into account tax dollars collected by increases in the local economy. But "subsidy" is a somewhat broadly used term. When you look at privately owned stadiums where the public has no upkeep and provides a one time time tax break (ala federal bonds for example) the picture is quite different.
I suspect that factories and data centers are also a money sink.
As far as I know, no public funds are being spent on these data centers. They're privately owned and just getting a tax break from the state. So if a company did not build one, the state would not get any of the tax revenue in the first place. It's hard to see how the state can lose by giving tax breaks in this way unless they have some reason to think the company will build there even without one.
Even if they charge no taxes at all, the presence of the company will bring in income tax, sales tax from employees and all the stuff they buy and all the temporary construction workers in the area.
Disagree. This is the same logic flaw politicians make when they justify building a new sadidum for the football/baseball team. They spend MORE money building the structure than what the stadium generates in the nearby neighborhood.
What money? Can you cite anywhere it says NC is paying for the construction of this or even paying to build new roads around it? As far as I've been able to determine, NC is just not charging them all the taxes they normally would, taxes they wouldn't be able to collect if they weren't building in the first place.
Libertarian==fiscally-conservative...
Heh, maybe that explains it. Pretty much all the libertarians I meet are clueless when it comes to real world economics. I mean I like Ron Paul and respect his dedications, but he just doesn't have the foggiest when it comes to economics.
Suspect Benchmark Results by IE9 Being Investigated. There, how hard was that?
Harder than you think since that is misleading. They aren't being investigated as far as I know or the article presents. They were investigated (briefly) and the results are in the blog post.
The article was light on details, but the reason why companies typically do this is because the states hand out idiotically huge tax incentives that there's no way will ever be paid off by the presence of the company.
I've never heard of them actually paying for the federal taxes, just agreeing to not charge all the normal taxes the state does. So how does the state or locality have to pay off anything to break even? Even if they charge no taxes at all, the presence of the company will bring in income tax, sales tax from employees and all the stuff they buy and all the temporary construction workers in the area.
By the time the jobs would be around for long enough to finally start to break even, it's been long enough that the companies have started looking around for who's going to offer the best tax incentives for them to either upgrade their facilities to stay or move.
I still don't see this "break even" you're talking about. Jobs come in for a while. It's doubtful any of these companies are going to move these data centers ever, as they are huge investments. They might not expand them if they get a better deal elsewhere, but even if they did close one, they'd sell it off and another company would open a datacenter there. Nobody just shutters a billion dollar datacenter and lets it sit empty.
it's almost certainly about nothing other than getting ridiculous handouts given by desperate leaders in order to make them look good at any cost to their constituents. See also sports team stadiums.
I've certainly seen some crazy things with stadiums, like subsidies, but then those stadiums often bring a lot of money into a community as well. I guess I'd just have to see some real hard numbers on the situation before I dismiss this as a political stunt that harms their constituency. I read an article or two on most of these and all I saw were tax breaks with a bunch of conditions (healthcare for employees, move into one of several very poor areas, etc.). As far as I an tell, it's the state giving up tax revenue they would not get anyway if these companies chose another location.
Shows a problem with benchmarks in general. Too easy to game.
Benchmarks are great, for improving the performance of your code. Benchmarks are terrible, as soon as they start to get press and companies try to deceive users by gaming them. That's why it is important that we call out when they are caught so they get more bad press and maybe think twice about gaming the benchmark in the first place.
Headlines are supposed to be succinct summaries and that is enforced by the character limit here. Maybe a better headline would be "Internet Explorer 9 Probably Cheating On Sunspider, But Maybe Just Horribly Written In Ways That Make SunSpider Apply Poorly". Of course that is too long for the title.
The important take away is that a particular SunSpider test is not a valid test for IE 9's performance in that category and that IE 9 will do much, much worse in many real world scenarios. The likelihood is that this is because Microsoft cares more about SunSpider than actual performance (marketing versus functionality) but it is vaguely possible it is the result of really crappy coding that just happens to have the same result.
Bzzt, you fail. You're back to square one. Remember all those jailbroken iPhones getting hacked because OpenSSH was installed with default passwords?
No. I remember A TINY NUMBER of jailbroken iPhones getting owned because a very small subset of users hacked their phones and an even smaller subset installed SSH but did not change the default password.
The example you cite has little or nothing to do with mainstream security. We're in a situation right now where people regularly have automated malware infecting their machines in large numbers. Low hanging fruit first.
It is a pretty unsolvable problem.
Not really. The first step is to make software installation and default configuration easy and simple for developers writing software, seciurity expert auditing software, and users actually installing it. Once users no longer have to jump through hoops to perform computing tasks, they question why they are asked to jump through hoops in one particular case (malware) or they just don't bother out of laziness.
UAC and everything is great for those on the ball and understand when things should happen (UAC shouldn't popup in most cases, and if it suddenly does on some random file off the Internet, maybe it's best to click Cancel), but it's otherwise just another step the user goes through to get some program running.
UAC has broken UI that results in huge security holes because the "experts" didn't bother to adequately test it before they deployed. They were a lot ore concerned with making sure they could blame security problems on users instead of actually making things more secure. The point of a good UI is to not get in the users way. Apple's store does a good job of that, but doesn't have the best security. What I propose would keep the same ease of use with users basically never seeing any prompts, but adding in a better mechanism for making sure those apps are secure and properly sandboxed.
It's important not to make the mistake of assuming because Microsoft did something terribly, it can't be done well. Microsoft often does things terribly.
And that company with professionals leaked a tethering app in a flashlight app. What's that say about the minimum wage grunts^H^H^H^H software professionals ability to scan for malware in a compiled binary? Thankfully apps on that device are extremely limited as to what they can access due to the sandboxing -- the app can't even request for additional permissions, as there is on Android or Blackberry).
Sandboxing and declared ACLs can help, but what you bring up is why it would be nice to bring competition to the space. By letting users pick and weight various security feeds, you don't have to rely on Apple (for example). Instead you could get a feed from an open source project as well and from a dedicated security company that just does audits. Remember even if it is a compiled binary, the security experts can still see the sandbox ACL.
To be perfectly honest, nobody has any idea if even professional software like AutoCAD, Windows, M acOS, etc are calling home, reporting user information.
There are lots of network security people and government agencies that look for just these things. Some of them do have a good idea, but you make a point that no one can know for certain.
First, there should not be one company deciding. We should harness the free market and build a system that takes inputs from whatever security feeds users subscribe to and weight those security feeds based upon the end user's preferences.
There isn't one company deciding, right? If you don't like vendor X, move to vendor Y.
Except at least for PC's, this is an OS level problem and desktop OS's are a monopolized market. But I'm not making any claims about what has to happen, just what would be best for end users in my opinion. Obviously having to switch OS's in order to change security feeds would be less than ideal for users. and would lessen the ability of the free market to bring those users benefits.
I'm convinced we could leverage the benefits of both an iPhone app store approach and a traditional package manager approach. I fear, however, that none of the companies in a position to actually make a good system and push it to end users is going to be motivated to do so.
Isn't this a valid manifestation of the free market?
If i were a free market, perhaps. But the courts in at least four countries I know of have already ruled that the free market is not acting appropriately and that a monopoly has formed in the desktop OS market. It's pretty clear that MS's Windows market share will hold back progress significantly and the free market breaks when it encounters a monopoly (which is why we have antitrust/competition laws).
But how that 99% of society wants to use the computer should not ( and cannot necessarily) be dictated by even the 1% as the 1% will not know every edge case for how the 99% wants to use the computer.
Actually 99% of users will probably never do anything that would even be an issue. Malware primarily runs because users are not informed by the OS that it is malware or told that it is accessing their address book and starting a mail server or constantly spamming traffic at an address in Estonia. For the other 1% of cases the user needs the option to override the security system, but this should never be needed for normal use cases so when an app requests this it should be a red flag to users. Right now they're so conditioned by our poor OS UIs they just click through things. But if a users was never, ever (over the course of owning a machine and later over their lifetime) asked o override security and they were asked at some point with language worded to say doing so would allow someone else control of their computer forever, I think that would make a huge difference, don't you?