All it's going to take is one major outlet to pick it up, and we'll have another "Mac OS X Just As Insecure As Windows" free-for-all.
You're right, that's better than "emacs vs vi" as the next virus wrapper.
I agree that there is something of a double-standard. However, the big difference between most Windows trojan/virus scares and this specific trojan is that, in this case, the OS behaves exactly as it is expected to behave. By contrast, buffer overflow attacks are programming errors (which shouldn't exist in this day and age, but that's a different discussion). I did mention most Windows trojan/virus scares, not all, as this kind of trojan is quite feasible under Windows.
Now the question is: how do you make sure trojans can't happen?
I've seen a few potential "security measures" being discussed:
1. somehow forcefully differentiate executables from everything else, either by modifying the icon or by changing the font
2. warn the user every time an executable is created/downloaded/extracted
3. warn the user every time an executable is executed, if this executable hasn't been installed by the administrator
4. don't let users have executable programs at all
5. proof-carrying code/checked executables
6. more sandboxing/dynamic authorisations for just about everything.
I'd say that proposition 1. has a fighting chance. Propositions 2., 3. and 4. will probably be quickly deactivated as "too clumsy". Proposition 5. would be great if engineers (not to mention "home" web developers) had the skills to actually get it to work. Too bad it's currently not cost-efficient to teach proofs to engineers, nor to give them the time to actually prove their programs. Proposition 6. might be the future, with Ajax-style apps and all that, but I'm afraid it requires too much education from the user.
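Propositions 1 and 2 both rest on the system telling executables apart from "harmless" files by content, not by name or icon. Here is an added example of that check (mine, not from the thread): it reads the first bytes of a file and flags native executables that hide behind an image or audio extension; the magic numbers are the public Mach-O, ELF and PE signatures, and the sample files are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Leading bytes of common native executable formats.
EXEC_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS",  # only two bytes: a text file starting with "MZ" would match too
    b"#!": "script with interpreter line",
}

# Extensions a user does not expect to run code when double-clicked.
PASSIVE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "mp3", "mp4", "txt", "pdf", "doc"}


@dataclass
class Verdict:
    is_executable: bool
    format: Optional[str]
    disguised: bool  # executable content behind a "harmless" extension


def classify(filename: str, header: bytes) -> Verdict:
    """Classify a file from its name and the first bytes of its content.

    Only the content decides whether it is executable; the name only
    tells us whether the user was led to expect something else.
    """
    fmt = next((name for magic, name in EXEC_MAGIC.items()
                if header.startswith(magic)), None)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    disguised = fmt is not None and ext in PASSIVE_EXTENSIONS
    return Verdict(fmt is not None, fmt, disguised)


if __name__ == "__main__":
    # Constructed sample: a 64-bit Mach-O header behind a .jpg name.
    print(classify("holiday.jpg", b"\xcf\xfa\xed\xfe" + b"\x00" * 12))
    # Constructed sample: a real JPEG header.
    print(classify("holiday.jpg", b"\xff\xd8\xff\xe0"))
```

The same test can run on a download hook or a Finder-style icon assignment before the file ever gets its "image" icon.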
Yeah, well, I'd rather not see games whose objective is explicitly to kill me or my family. I've been demonstrating for freedom of expression recently but there are times where it's quite painful.
Hint: I might be either Jewish or Native American or a descendant of African Slaves or Strogg.
If you mean money as in, well, real money, I can't help you.
If you mean money as in learning something new and/or spending less time working on the same program, here are a few pointers:
- less verbose language -- really much less verbose
- domain-specific languages -- once you've understood a design pattern, integrate it into your language, you won't have to spend your time coding and recoding the same thing
- a degree of functional programming -- which again means less coding, higher level of abstraction and reusability of your components.
Plus some people like the syntax immensely.
Of course, that's also the kind of benefits you can find in, say, OCaml or Scheme. Which of these languages you'll prefer depends on a number of factors I won't detail here. I'm personally a big fan of OCaml.
Mmhhhh..... Sounds like a valid research project. Next step: finding an unsuspecting Ph.D. student to develop this algorithm. And, of course, to answer my phone until it's working.
Well, yes, but who is always paying attention?
One day, while I was in the middle of a Paypal-arbitrated dispute with an eBay seller, I received a very Paypal-looking mail instructing me that I had been refunded, please check that everything is ok, yada yada, direct link to the dispute history.
When I received that mail, I was on the phone, helping my parents with technical problems. I nearly followed that link. One second before doing so, some survival instinct prompted me to check the URL. Turned out to be a pure IP, a fact strongly connected with phishing.
Oh, yeah, before I forget: my job is related to computer security, safety of information transfers, safety of protocols, etc. But they very nearly had me.
Bottom line? I'm not immune. I can only assume that you aren't either and that nobody is.
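The check that saved the day above (is the link's host a bare IP, and does it even belong to the site the mail claims to come from?) is easy to automate in a mail client or a mail filter. This is an added example, mine rather than anything from the thread; the link targets are constructed, and the expected domain is whatever brand the mail pretends to be.

```python
import ipaddress
from typing import List
from urllib.parse import urlsplit


def host_is_bare_ip(host: str) -> bool:
    """True if the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def host_belongs_to(host: str, domain: str) -> bool:
    """True if host is `domain` or a subdomain of it.

    The leading dot matters: "paypal.com.example.net" and "mypaypal.com"
    both contain the brand name but are not under paypal.com.
    """
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def link_warnings(href: str, expected_domain: str) -> List[str]:
    """Return the reasons a mail link should not be trusted (empty list = none found)."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {parts.scheme!r}")
    if not host:
        warnings.append("no host in link")
    elif host_is_bare_ip(host):
        warnings.append(f"host is a bare IP address ({host})")
    elif not host_belongs_to(host, expected_domain):
        warnings.append(f"host {host} is not under {expected_domain}")
    return warnings


if __name__ == "__main__":
    # Constructed link of the kind described in the post: the mail looks like
    # Paypal, the "dispute history" link points at a bare address.
    print(link_warnings("http://192.0.2.10/cgi-bin/webscr?cmd=dispute", "paypal.com"))
    print(link_warnings("https://www.paypal.com/dispute/history", "paypal.com"))
```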
Well, with recent Service Packs, ActiveX controls are not installed automatically anymore. They are installed, just like XPI files, whenever the user requests it. Even the interface for requesting it is almost the same between IE and FF.
And XPI extensions are just as privileged as ActiveX controls.
Could anyone please explain to me how Mozilla's XPIs are better than ActiveX, now that ActiveX controls are not installed by default anymore?
Oh, yeah, they're cross-platform (when written in JavaScript). But they have all privileges when accessing your machine (even in JavaScript, they can do pretty much anything by scripting native components).
My bet is that MS is currently writing a .Net version of IE, safer with regard to extensions (XPCom is absolutely unsafe), faster (XPCom is not really fast) and possibly portable (thanks to Mono) while we (the Open-Source community) are going to be on the wrong side of security holes for a few years until we do the same.
Well, turns out I'm also working on trust -- with a different meaning of the word, though.
Let me present a simple scenario, and maybe you can explain to me how iName can prevent my data from leaking.
- I get an iName through some iBroker.
- I somehow allow the iBroker to give my address to eBay, as I need eBay to be able to deliver my packages and to communicate with me.
- Some subsidiary of eBay sells my address to anyone.
Did I get something wrong here or has all my confidential information been leaked exactly as it would have without iNames?
People much brighter than I have been thinking hard about this, and individuals whose privacy is very critical have been working on this
Would you mind pointing us to the related papers?
Remember the Old Testament? Remember Matthew 10:34? Luke 22:36?
Remember everything members of every cult have done in the name of God?
I'm not criticizing God, the Bible or any belief. I'm just leading to a question.
Where does the source of your belief come from? Your soul? The Bible? Your culture? Current interpretations? The translation? Have you read the Bible in Hebrew & Aramaic? Have you read interpretations from different-minded people? Different eras?
What do you believe in and why? Because I do not think anyone can call oneself a believer without having answered that question. Truly. Honestly. Every day of one's life.
And then we can return to the original debate and Tenet's plans :)
Any other idea roaming around?
Well, who knows, the RIAA might wish to get involved. Somehow, I'm sure they can hold that Copyright, too, can't they?
Well, I tend to think that the information leaks are the major problem, especially since most of them are actually untraceable.
Happy to see that you are designing a process to address it. By all means, I want to see the papers.
Just saying I should not answer sensitive subjects too late at night :)
Let's face it, my post was pointless and condescending. My apologies.
Ok, that one is just too good to pass.
:)