Jump to content


Photo

now we know why Joanna is so paranoid...


  • Please log in to reply
5 replies to this topic

#1 WyoCowboy

WyoCowboy

    Member

  • Full Member
  • Pip
  • 62 posts

Posted 01 March 2007 - 05:31 PM

Joanna doesn't use anti-malware software because she says it engenders a false sense of security - she uses system file auditing instead.

Now look what she's gone and done!

http://www.eweek.com...,2099603,00.asp

Based on this, maybe Swami was ahead of his time...

http://forums.spywar...h...=swami&st=0

#2 hornet777

hornet777

    Forum Deity

  • Full Member
  • PipPipPipPipPip
  • 607 posts

Posted 05 March 2007 - 09:40 AM

mmm, mmm, mmm I was afraid this would happen.

I have been reluctant to mention her here, but breaking the silence is just what is needed. Please keep in mind that the breach happened on an x86 hardware platform, which to my mind points to its ultimate decrepitude, but also to the inevitability of going to a closed hardware platform for general-purpose computing. Also, it should be noted that had she had any hardware background, mounting her attack would have taken decidely less time than it did.

Given the present situation, going to such a structure will be viewed as having withdrawn some particular advantage to a user, but then how many times has a typical user actually cut a trace or soldered anything to their mainboard these days? It can be done one of two ways: tyranically, as M$ is currently trying to implement with impugnity, or beneficially by Mr X who has yet to show up on the scene, and completely redesign the GP computer from the ground up, learning from the mistakes of the past, as well as looking forward to the future, maybe 20 years out, and anticipating the needs of the one who actually purchases the equipment, makes available a machine that one can actually use for a long time to come, and in a safe manner.

There really isn't any excuse for not having optimal performance and security in the same package: those who would tell you otherwise are either lying, or selling x86 and Windows. TWhat will make the difference is for someone to perceive consumer demand for such a machine and act accordingly, which in view of the M$/Intel propaganda machine has yet to materialise, but this may be changing.

The subject of where we have been and where the computer "industry" is going is fascinating, and very complex, taking in diverse factors which range from design to politics, but thusfar, it is the consumer that is the one who has been consistently left out in the cold. Perhaps this is changing as well, its too early to tell, but for now (and subject to change) it appears that Joanna has driven a stake into the heart of the platform pretty much al of us grew up with. I for one accept her tenets unreservedly.
After all is invested in correctness, then how does it stand with truth?

#3 WyoCowboy

WyoCowboy

    Member

  • Full Member
  • Pip
  • 62 posts

Posted 04 April 2007 - 11:12 AM

Yes, given the fun that some folks have had with hacking the various OS, browsers and other applications, it would make sense to reinvent the PC hardware platform to incorporate designed-in security. Security certainly was not an original design criteria, and the only hardware security additions in the meantime have been those cheap case locks and chassis intrusion detection.

Some corporations have taken to filling in the USB ports with glue in an attempt to protect corporate data from walking out on memory sticks, or malware walking in. As it stands, the only way to completely secure the current PC hardware/OS platform is to 'airwall' it - locked away in a room, connected to nothing and used by no one.

There was one interesting idea that I heard about a few years back that may or may not be in legitimate use - a shim that goes between the kernel and everything else, with the idea being to prevent anything outside of a small set of well defined calls being allowed. Of course, this component could possibly be hacked as well.

#4 racooper

racooper

    Master of my own Domain

  • Retired Staff
  • PipPipPipPipPip
  • 1,420 posts

Posted 13 April 2007 - 07:37 PM

But the idea of hardware-based security is exactly what the big software publishers and "content producers" want -- which is hardware-based DRM that allows the manufacturers, record labels and movie studios to determine what a user can and can't run on their own computer. I agree higher security in the operating system is necessary, but a hardware-based model of security isn't the best solution. Software can always be hacked, but a software model along the lines of OSX, linux or the *BSD's would be a good start. Even Vista's UAC is a start at limiting administrative access, but it's apparent ease of being bypassed isn't quite up to par yet. Usermode applications should not require administrative/root permissions to run, but until Vista came out, publishers such as Intuit hadn't bothered to fix their programs to run only in userspace. (slight OT: Why the hell does a financial application need full write-access to the HKEY_CLASSES_ROOT key in the registry just to run? I mean, I can understand to be installed, but not to run in user mode....)

#5 WyoCowboy

WyoCowboy

    Member

  • Full Member
  • Pip
  • 62 posts

Posted 16 April 2007 - 11:57 AM

The unix based OSs are inherently more secure than the MS ones based on their permission vs user security structure, but I wonder what Joanna would find if she turned her attention to them. I'm not sure that h/w based security implies DRM, but I guess we will probably find out. The shim idea I had read about sounds something like this...

http://www.internetn...cle.php/3635806

The problem of OS security through self-policing/auditing is somewhat like psychology - a compositional problem where a certain amount of 'circuit loading' or Heisenberg's uncertainty principle comes into play. In order for the OS to verify that it has not been compromised, it cannot already be compromised. Hence the argument for auditing by a separate entity.

#6 hornet777

hornet777

    Forum Deity

  • Full Member
  • PipPipPipPipPip
  • 607 posts

Posted 17 April 2007 - 12:06 PM

I understand your concerns, racooper, but what I had in mind was (considered from a social pov) was something like a benevolent dictatorship, rather than what you suggest, as an alternative, since any action that is going to move everything to a proprietary and closed paradigm is likly to be looked at with deep scepticism, given our experience with these... schemes in the past. The selling points would be as follows:

ease of use: microphone replaces kb and mouse for most actions;
universality: the computer will do anything the user wants it to, except attack another computer or allow itself to be compromised;
robustness: MTBF, 10 years min, guaranteed; no planned obsolescence;
15 seconds max from power on to ready-to use;
you own it outright, no licensing schemes or any other crap, except maybe a nominal extended repair warranty;

that's just s thumbnail of what I have been thinking about over the past 6 months or so; there's a lot more to it, but to summarise from a human/consumer pov, the promises of the so-called "digital age" would finally be fulfilled: that would be my goal as the CEO of this mythical company in a nutshell
After all is invested in correctness, then how does it stand with truth?




Member of UNITE
Support SpywareInfo Forum - click the button