Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Windows RT Jailbroken To Run Third-Party Desktop Apps

samzenpus posted about a year and a half ago | from the free-at-last dept.

Microsoft 178

An anonymous reader writes "We all knew it was just a matter of time, now it looks like Windows RT has been Jailbroken. From the article: 'The hack, performed by Clokr, exploits a vulnerability in the Windows kernel that has existed for a long time — since before Microsoft ported Windows from x86 to ARM, in fact. Basically, the Windows kernel on your computer is configured to only execute files that meet a certain level of authentication. There are four levels: Unsigned (0), Authenticode (4), Microsoft (8), and Windows (12). On your x86 Windows system, the default setting is Unsigned — you can run anything you like. With Windows RT, the default, hard-coded setting is Microsoft (8); i.e. only apps signed by Microsoft, or parts of Windows itself, can be executed.'"

cancel ×

178 comments

Non Sequitir (2, Interesting)

recoiledsnake (879048) | about a year and a half ago | (#42506231)

Microsoft locked Windows RT down because it wanted to slowly get rid of the Win32 cruft dating back to the 80s and 90s. That cruft does exist now and is used to run things like Office and Notepad etc. but Microsoft can easily rewrite them in the future. What will happen to Putty, VNC and the like then? They will break,and then again we will blame Microsoft for it. That's the reason to lock it down.

well then the appstore will NEED NO censorship oth (0)

Anonymous Coward | about a year and a half ago | (#42506311)

well then the appstore will NEED NO censorship other apps that crash the system. Also need to have a 3rd part app store like amazon app store for android

Re:well then the appstore will NEED NO censorship (3, Funny)

tripleevenfall (1990004) | about a year and a half ago | (#42506469)

"Need" implies there are people using it, which is a conclusion we might want to take off our mat for the time being.

Re:well then the appstore will NEED NO censorship (3, Interesting)

hairyfeet (841228) | about a year and a half ago | (#42507961)

I think this article [extremetech.com] linked through TFA reviewing the WOA appstore sums it up nicely "But for now, x86 compatibility isn't just a check box: It's a doorway back to a land of sanity.". Kinda sad they are actually charging more than iPad for Surface when its quite obvious just from reading the reviews their appstore is completely broken and worthless.

BTW it may be a little petty of me, but since i called it months ago that the WOA and Win 8 appstore would be a trainwreck, since they couldn't make GFWL functional after years and a competitor that would be easy enough to copy they sure as hell wouldn't be able to pull off an appstore for a different arch so I'd like to say "I told you so" to those that doubted me and do the dance of smug superiority.

Re:Non Sequitir (4, Insightful)

Anonymous Coward | about a year and a half ago | (#42506315)

Microsoft locked Windows RT down because it wanted to slowly get rid of the Win32 cruft dating back to the 80s and 90s.

Yeah, it's all about freedom from backwards compatibility and legacy code!
Wanting to be like Apple and get paid every time a customer installs any software has nothing to do with it.

Re:Non Sequitir (2)

Big Hairy Ian (1155547) | about a year and a half ago | (#42506321)

MS locked it down so you could only run apps you bought from the app store same reason apple locks theirs down. I suspect atleast with MS upgrade probably patches wont turn your unlocked tablet into a brick.

Re:Non Sequitir (4, Funny)

tripleevenfall (1990004) | about a year and a half ago | (#42506729)

Good news, the Surface will never "brick".

(It will just become a more literal interpretation of the word "tablet")

Re: Non Sequitir (0)

Anonymous Coward | about a year and a half ago | (#42507705)

A tile?

Re: Non Sequitir (1)

VortexCortex (1117377) | about a year and a half ago | (#42508439)

A tile?

Sort of -- More like a facade.

Re:Non Sequitir (4, Interesting)

JDG1980 (2438906) | about a year and a half ago | (#42506763)

Microsoft locked Windows RT down because it wanted to slowly get rid of the Win32 cruft dating back to the 80s and 90s.

If Microsoft gets rid of the "Win32 cruft dating back to the 80s and 90s", then there will be no reason for anyone to choose Windows over any other operating system. Legacy compatibility and a huge installed base of applications are Microsoft's primary competitive edge, but Ballmer seems to have forgotten this in his Ahab-like quest to chase down Apple.

That cruft does exist now and is used to run things like Office and Notepad etc. but Microsoft can easily rewrite them in the future.

If Microsoft could have ditched legacy API usage for Office that easily, I think they would have done so already in the first release of Surface. At this point, the Office codebase is probably so FUBARed with 20+ years of spaghetti code and the need for backwards compatibility with 500 different document types that I doubt they could rewrite it completely even if they wanted to. Office for MacOS is almost a completely different product, done by a separate business unit. And if Microsoft ever releases a slimmed-down "Office" for iOS and/or Android, then those products will probably be written from scratch, and will not be 100% backwards compatible with anything other than OOXML.

(Of course, any competent programmer could write a better version of Notepad in a month, so that's really not a factor.)

Re:Non Sequitir (4, Informative)

shutdown -p now (807394) | about a year and a half ago | (#42507427)

If Microsoft gets rid of the "Win32 cruft dating back to the 80s and 90s", then there will be no reason for anyone to choose Windows over any other operating system. Legacy compatibility and a huge installed base of applications are Microsoft's primary competitive edge

We are talking specifically about Windows RT running on ARM here. There's no legacy compatibility story to begin with, even if the restriction on MS-signed-only desktop binaries weren't there in the first place.

Re:Non Sequitir (0)

Anonymous Coward | about a year and a half ago | (#42507551)

In which context it makes even less sense and just sets up WoA as a separate product, not another facet of Win8.

Even selling some kind of "WinRT Enterprise" with this switch set to enabled would probably give them a nice boost for initial adoption - right now corporations thinking about migrating to mobile have to choose whether to rewrite their internal apps for Java, Obj C, .Net, Lua/JS with a crossplatform framerwork or HTML5 and backend, when they could have an easy option of "Recompile it for now and rewrite to Metro part by part in the meantime"

Re:Non Sequitir (2)

shutdown -p now (807394) | about a year and a half ago | (#42507729)

In which context it makes even less sense and just sets up WoA as a separate product, not another facet of Win8.

That's exactly how it is intended - which is why it's called "Windows RT", and not "Windows 8" in the first place.

Even selling some kind of "WinRT Enterprise" with this switch set to enabled would probably give them a nice boost for initial adoption - right now corporations thinking about migrating to mobile have to choose whether to rewrite their internal apps for Java, Obj C, .Net, Lua/JS with a crossplatform framerwork or HTML5 and backend, when they could have an easy option of "Recompile it for now and rewrite to Metro part by part in the meantime"

Most enterprises that want to run their existing apps on a mobile device would just get an Intel-based tablet and be done with it.

Note that you kinda outline the problem yourself: even if you can enable RT to run arbitrary desktop apps, you need to recompile not just the apps, but also all the supporting libraries/frameworks. E.g. you can't run Java apps until someone takes JRE and builds it for ARM (and it's not going to be trivial, since JIT mucks around with assembly directly). It would need to be prominently supported for several years before there's significant uptake in porting that would make it viable for enterprises to consider - and why bother?

Re:Non Sequitir (0)

Anonymous Coward | about a year and a half ago | (#42508019)

Most enterprises that want to run their existing apps on a mobile device would just get an Intel-based tablet and be done with it.

If they're running Windows apps, most of them would just get an Intel-based laptop for half the price, install Windows 7 to replace Windows Metro, and be done with it.

Unless it's for a marketing drone who must have The New Shiny. But they'd probably prefer something with an Apple logo on the back.

Re:Non Sequitir (1)

hobarrera (2008506) | about a year and a half ago | (#42508301)

There's no legacy compatibility story to begin with

There is for open source software and for developers.

Re:Non Sequitir (1)

shutdown -p now (807394) | about a year and a half ago | (#42508437)

And how many of those would choose Windows in the first place?

Re:Non Sequitir (2, Insightful)

tftp (111690) | about a year and a half ago | (#42508649)

And how many of those would choose Windows in the first place?

Quite a few, if you count how many F/OSS applications are available on Windows. Majority of customers are not even in control of what OS they are running. If GIMP or Dia or OpenOffice are not available on Windows then it's like they are not available at all. Developers generally care about their customers, even though they may express no joy about the need to compile their product using a not quite compatible toolkit. It's always simpler to publish a tarball with sources and call it done. But that's not how most people install the software.

Re:Non Sequitir (4, Insightful)

VortexCortex (1117377) | about a year and a half ago | (#42508895)

If Microsoft gets rid of the "Win32 cruft dating back to the 80s and 90s", then there will be no reason for anyone to choose Windows over any other operating system. Legacy compatibility and a huge installed base of applications are Microsoft's primary competitive edge

We are talking specifically about Windows RT running on ARM here. There's no legacy compatibility story to begin with, even if the restriction on MS-signed-only desktop binaries weren't there in the first place.

You may have failed to realize that Win32 doesn't mean 32 bit windows API. It simply means "Not the old 16 bit API" I write all my widgets from scratch, and I talk to OpenGL directly, no SDL, no freeglut3, no MFC, just straight Win32 and OpenGL to make the lightest weight most efficient programs, even on 64 bit systems. It's crazy as hell to do this, yes, yes, I'm glutton for punishment, ha ha, you jest, "re-invent every wheel", I know, but game developers are allowed to throw away every best practice in the name of performance... Besides, you don't see wagon wheels on a formula-1 car, eh?

That is to say, Win32 can be compiled on ARM, and then I compile my code that uses the Win32 API to get a window and event loop, and the "legacy" compatibility isn't an issue. Event pumps and windowing callbacks are going to exist no matter what API they build. If you're talking cruft, then it's that COM stuff and .NET and MFC and all the other stuff that's built on top of win32, not win32 itself.

IMO, Win8 is about MS trying to sandbox programs via VM (C#) and simultaneously provide cross platform support while taking a cut of every software sale made. Now, I'm not going to eat that app-store cost. You are. I'll just raise my price accordingly on MS's market to offset those fees... Sucks, but C'est la vie. If MS continues allowing "side-loading" then they can't force developers like me to sell programs in their store -- C/C++ is cross platform, and so is my code, so I just rebuild the binary for each target platform, it's not a big deal. Rebuilding everything in C# and suffering that vendor lock-in cluster fsck is really off-putting, considering my C code runs across the board on every chipset, even MIPS, and every OS (thanks to OS abstraction layer, and a bit of meta-programming for iOS and Android)... No such luck with C#, yet.

That's where MS wants to take their market -- Incompatibility land. IMO, I wouldn't play their shenanigans unless I had to, I don't think OS choice should limit software choice (and I don't think hardware choice (beyond performance) should limit OS choice. This is shit we had well and good SOLVED in the 70's. MS sees the road ahead: The bright future where all programs are cross platform -- The road to OS irrelevance -- they hate that future, they hate your freedom to choose to run any OS on your hardware. Hence SecureBoot (Which I've said time and again is Pointless), Hence C# only in App Store & XBL Indie Games, hence blocking any apps that aren't signed by MS, and not allowing users to add their own trust certs to the OS / Hardware. The jig is up. W8 is just one more battle in the Vendor Lockin war.

I don't mean to pick on MS, Apple is going down the same road with an app-store route for their desktop too. GNU/Linux, BSD, Android, and other FLOSS OSs are the only ones that get the software repository system done right, and not even stock Android allows user installing a new / additional cert trust (recompile). This is a fight over developers, it's the applications that matter, OSs have been irrelevant for quite some time now. It's only a matter of time -- MS can't win this one, they couldn't write secure code to save their ass, which is exactly what they'd need to do.

Re:Non Sequitir (2)

cbhacking (979169) | about a year and a half ago | (#42507539)

Office for Mac and Office for Windows are at least 70% the same code, and that was a few years ago. They were targeting 90%, I believe. Already, all of the document rendering/layout/document format code (at least for 2010/2011) is supposedly identical, just recompiled for OS X. The GUI and certain features specific to each platform obviously must be different, and there's a compatibility layer which abstracts the core APIs used by Office from the OS they run on (supporting things like using the Windows Common Controls on Win32 to display file open/save/print/etc, and using the analogous controls on OS X when on that platform) and that compatibility layer obviously needs to be platform specific.

Re:Non Sequitir (1)

erroneus (253617) | about a year and a half ago | (#42507623)

The cruft should not need to exist for a different processor architecture running applications written for the new and different processor architecture.

And by "cruft" I mean code which is unused or unnecessary. If it is used by Office and Notepad and neither application will be present, then it is "cruft" and should be removed from a nimble and light-weight Windows.

Putty and VNC would have to be rewritten for the new environment because Windows RT is "all new" and "written from scratch" without any of this "legacy code" I have complained about which many people here deny exists.

I get that Microsoft wants to participate in certain markets. What I don't get is why they are willing to extend and even magnify their bad reputation by porting the x86 Win32 kernel to a whole new environment when they could use others. "Pride"? I don't think it's in the best interest of the shareholders to make decisions like these.

Re:Non Sequitir (1)

Anonymous Coward | about a year and a half ago | (#42508101)

What I don't get is why they are willing to extend and even magnify their bad reputation by porting the x86 Win32 kernel to a whole new environment when they could use others.

Because if Windows can't run your old Windows apps, why would you run Windows?

Microsoft is built on backward compatibility, it's the only reason anyone picks Windows over other alternatives.

Re:Non Sequitir (4, Insightful)

hairyfeet (841228) | about a year and a half ago | (#42507669)

Actually the reason they locked it down was because "What does Apple do? Well do that and charge 20% more because we are better than them dammit!". If you want to know more look up the "Windows Blue" memo which makes it clear the ultimate goal of Win 8 and above is to have only MSFT approved software running on MSFT hardware sold at MSFT stores for MSFT profit margins and...well that's pretty much it.

Windows Blue shows any original thought left the company ages ago and now they are gonna try their favorite gag of using their position in one market to force their way into another, the old IE trick, only they just don't have the power of the monopoly anymore as people don't rush out to buy the latest version like they did during Win 9X.

Of course the bigger question of TFA is why, why would anybody care? WOA is a complete and total failure, they had to call the factory and cut their order in half to keep from having a warehouse full of surface units so what is the point? The hope that all these surface units will end up on Woot! for $99? I think with the Ballmernator's ego he'd bury them in a landfill in NM rather than admit its a flop, just as he counted every Vista downgrade as a Vista sale to pad the numbers.

Re:Non Sequitir (1)

wmac1 (2478314) | about a year and a half ago | (#42507953)

Even if it could be jail-broken, how people are going to develop native WindowsRT software? Is there any compiler and Windows RT (native) SDK available?

All the users will be happy. (5, Funny)

Anonymous Coward | about a year and a half ago | (#42506247)

All 3 of them.

Re:All the users will be happy. (4, Funny)

Anonymous Coward | about a year and a half ago | (#42507743)

Dude, this stupid meme is getting fucking old. Just quit, it's not funny anymore. I know for a fact there is at least double the amount you quote that are using it.

Re:All the users will be happy. (1)

Anonymous Coward | about a year and a half ago | (#42508369)

2013 is the year of the Windows RT desktop...

Re:All the users will be happy. (0)

Anonymous Coward | about a year and a half ago | (#42508385)

Yeah, Oprah alone counts for half of them

Re:All the users will be happy. (1)

TemporalBeing (803363) | about a year and a half ago | (#42508185)

All 3 of them.

who are not Microsoft employees, paid advertisers, etc.

What is Windows RT? (0)

Anonymous Coward | about a year and a half ago | (#42506259)

Never heard of it.

Re:What is Windows RT? (2, Informative)

Joce640k (829181) | about a year and a half ago | (#42506499)

The fine article has a big link in the first paragraph: "What is WIndows RT?"

Oh, wait...

AMF time (-1)

Anonymous Coward | about a year and a half ago | (#42506953)

Adios,
Mother
Fuckers...
Time for Microsoft to go away.

Not a Jailbreak (4, Informative)

0x15e (961860) | about a year and a half ago | (#42506261)

This may border on being pedantic, but I'd call this a crack instead of a jailbreak. It sounds like they're just patching a kernel value ... not breaking out of a jailshell.

I expect MS will probably just find a way to patch it up in the near future.

Crack, Rip, Hack, Jailbreak ... (5, Insightful)

bill_mcgonigle (4333) | about a year and a half ago | (#42506537)

"Windows RT Gains Solution to Allow Customers to Run Any Software They Choose"

And we wonder why people don't "get" Software Freedom. Somebody please remember to name the next software-freedom work-around "murder" just to keep the bad PR going.

Re:Crack, Rip, Hack, Jailbreak ... (1)

Megane (129182) | about a year and a half ago | (#42506979)

"... Except Linux"

Sounds like this is a hack to let unsigned apps in. While it's not impossible to have an app which is actually a Linux boot loader, it would actually have to take control away from the kernel first. All this does is tell the kernel not to check the app.

I'm rather surprised that El Reg didn't take an opportunity in their article about this [theregister.co.uk] to snipe about Linux still being locked out.

Re:Crack, Rip, Hack, Jailbreak ... (1)

Zero__Kelvin (151819) | about a year and a half ago | (#42507149)

I propose "Caressed". The we can say we caressed our phone so that we can have our way with it.

Re:Not a Jailbreak (2)

jkrise (535370) | about a year and a half ago | (#42506829)

I'd call this a crack instead of a jailbreak

In other words, the most commonly employed method by 'pirates' to get software for free to run on Windows systems?

I have personally not used Windows8 at all; but I hear from a local PC vendor that with Win8, you cannot get 'cracked' copies of Win8, but only 'cracked keys' to activate the damn thing; for kids who must have the latest OS at any cost on their PCs.

I expect MS will probably just find a way to patch it up in the near future.

No. I have seen MS for about decades now; they seen to think "If you're gonna pirate s/w; then pirate our s/w, or code that runs on Windows; don't take the trouble to learn other OSes or products".

Re:Not a Jailbreak (1)

0x15e (961860) | about a year and a half ago | (#42507761)

No. I have seen MS for about decades now; they seen to think "If you're gonna pirate s/w; then pirate our s/w, or code that runs on Windows; don't take the trouble to learn other OSes or products".

Except that this isn't about piracy; it's about control. MS, and probably Windows RT licensees won't be happy with losing control over what can be run on that OS.

Re:Not a Jailbreak (1)

jkrise (535370) | about a year and a half ago | (#42507989)

MS, and probably Windows RT licensees won't be happy with losing control over what can be run on that OS.

As I understand, this crack allows legacy x86 code to be recompiled and run on ARM devices. Such as un-crippled Office, other legacy apps by 3rd parties.

Given that this results in sales of additional h/w and s/w by MS, I cannot imagine why they would be unhappy.

Customers ( a short term for Windows RT licensees) would also feel happy about being able to run 'normal' desktop x86 apps on RT.

Intel might cringe, but why would MS and buyers do so?

Re:Not a Jailbreak (1)

0x15e (961860) | about a year and a half ago | (#42508191)

As I understand, this crack allows legacy x86 code to be recompiled and run on ARM devices. Such as un-crippled Office, other legacy apps by 3rd parties.

Why would MS want you to run an un-crippled Office on Windows RT when they could sell you a new version that's been "optimized" for RT? It might be great for end users but unfortunately, "good for end users" isn't necessarily profitable.

Note that when I say licensees, I don't mean end users. No one cares about those guys after the initial sale. When I say licensees, I mean system OEMs, who are much more valuable to MS.

Too Late (0)

Anonymous Coward | about a year and a half ago | (#42506835)

Now that there is a win8 version in circulation which allows it, it is too late.

Re:Not a Jailbreak (1)

mysidia (191772) | about a year and a half ago | (#42507523)

I expect MS will probably just find a way to patch it up in the near future.

The "hole" though requires a hacker to tinker with memory.

I expect what Microsoft will instead do is restrict debugging access -- remote debugging ONLY available on special installs of Windows RT "Developer Edition"; requiring a special product key, to enable developer functionality.

The tablets sold to consumers won't be developer-enabled, therefore, won't have the remote debugging functionality required to tamper with kernel memory.

Re:Not a Jailbreak (0)

Anonymous Coward | about a year and a half ago | (#42507637)

Just what they need to promote a new OS and new devices in a world of two incumbents getting most software and a bunch of lesser contenders fighting for the resource Steve B. was so passionate about [youtube.com] .

Is there a way to use this to install Linux? (0)

John Hasler (414242) | about a year and a half ago | (#42506293)

Or Android? If so it might be possible to render these gadgets useful, even if it does require going through a song and dance every time you reboot.

Re:Is there a way to use this to install Linux? (3, Insightful)

djsmiley (752149) | about a year and a half ago | (#42506343)

Theoretically you could run some kind of shell on there, so yes, you could run android or linux, but it'd still be running within windows.

And yes, you'd need to flip this bit each time you booted.

What is more interesting is the fact you maybe able to completely rewrite the whole thing; getting rid of windows entirely...

Re:Is there a way to use this to install Linux? (1)

Patch86 (1465427) | about a year and a half ago | (#42506717)

I wonder idly if this could be used to run Wubi to install Ubuntu in that strange dual-boot-from-a-boot-file-that-sits-within-Windows way that it does. If so, that'd be a pretty big breakthrough.

Come to think of it, I have no idea how Wubi would react to a "secure boot" set up.

Re:Is there a way to use this to install Linux? (1)

HJED (1304957) | about a year and a half ago | (#42507367)

From my understanding of Secure boot, I don't think wubi would work because I think it modifies the part of the bootloader that is signed. It is also probably only designed for x86 systems and as Windows RT runs on ARM, it might not be compatible. (It at least partially acts like a boot loader which is quite architecture specific)

Re:Is there a way to use this to install Linux? (1)

John Hasler (414242) | about a year and a half ago | (#42508339)

> What is more interesting is the fact you maybe able to
> completely rewrite the whole thing; getting rid of windows
> entirely...

That's what I meant.

Re:Is there a way to use this to install Linux? (-1)

Anonymous Coward | about a year and a half ago | (#42506427)

Oh, right. because so many useful things are done in Android, and no progress with mankind has ever been made using MS products.

Re:Is there a way to use this to install Linux? (1, Troll)

Zero__Kelvin (151819) | about a year and a half ago | (#42507287)

I'm glad to see that you are finally up to speed AC. Now if you could just learn how to create an account!

Re:Is there a way to use this to install Linux? (-1)

Anonymous Coward | about a year and a half ago | (#42506643)

Why is your piece of shit post not modded flamebait?

Re:Is there a way to use this to install Linux? (1)

Zero__Kelvin (151819) | about a year and a half ago | (#42507249)

That should be including Android, since Android is Linux. It is both the Linux kernel, and the typical user space tools you would find in a base GNU/Linux distribution. You can adb shell into a device and ls, cp, etc. and you can even get Busybox from the Google Play store. If you have the skills, nothing stops you from cross-compiling your own FOSS software and installing it as well. On many (almost all?) devices, you can also build and install a custom kernel, as has been done time and again.

Re:Is there a way to use this to install Linux? (0)

Anonymous Coward | about a year and a half ago | (#42507445)

There is very little GNU, if any, in a typical Android device. Hardly GNU/Linux. Best to call it Linux.

Re:Is there a way to use this to install Linux? (1)

Zero__Kelvin (151819) | about a year and a half ago | (#42507733)

The entire Android software ecosystem is built with "standard" Linux (typically Ubuntu, but I've used a few others to do it), and has the Linux kernel at its core. While the build system has repo, that is a wrapper around gitFurthermore, it has the Linux kernel and ABI it is therefore fairly straightforward to build the software you find in a "typical" Linux distribution and install it, so long as one has the skills. This is the old naming argument again, which I'm not about to get into. The fact remains that Android is Linux, as we both agree.

Re:Is there a way to use this to install Linux? (1)

Microlith (54737) | about a year and a half ago | (#42507687)

With the exception of Bionic, which is smaller and weaker than glibc. Android's compatibility with standard GNU-based Linux platforms is extremely weak.

Re:Is there a way to use this to install Linux? (2)

Zero__Kelvin (151819) | about a year and a half ago | (#42507795)

"Android's compatibility with standard GNU-based Linux platforms is extremely weak."

Due in no small part to the fact that there is no such thing as a standard GNU/Linux distribution. If you had experience developing for Embedded Linux systems you would realize how unfounded your "complaint" is. We have been using Busybox and non-glibc libc for over a decade.

Re:Is there a way to use this to install Linux? (2)

Microlith (54737) | about a year and a half ago | (#42507925)

Due in no small part to the fact that there is no such thing as a standard GNU/Linux distribution.

No, due to the fact that they eschew GNU entirely, which is actually pretty common across Linux distributions with the sole exception of Android.

If you had experience developing for Embedded Linux systems you would realize how unfounded your "complaint" is. We have been using Busybox and non-glibc libc for over a decade.

I'm aware that Embedded Linux don't use glibc, they tend to use uClibc or (worse) something proprietary.

But Android is still deliberately separated from GNU/Linux platforms because Google wanted to control it all and cater to handset vendors that don't like having to comply with the GPL.

Despicable (1)

Anonymous Coward | about a year and a half ago | (#42506439)

This trend of making it hard/impossible to run what you want on your computing devices is just despicable. I predict that not many years from now there won't be a commonly-used platform where you can download whatever you want and run it. We may be way past the year 1984, but we sure seem headed for 1984.

Re:Despicable (1)

tripleevenfall (1990004) | about a year and a half ago | (#42506711)

Not so, I read on /. that Google, being the primary force for good on the Earth today, is going to produce a mobile OS which will free us from such things.

Re:Despicable (1, Interesting)

Patch86 (1465427) | about a year and a half ago | (#42506749)

Linux isn't going anywhere, and there are plenty of niche manufacturers out there producing purpose-built Linux laptops and desktops (well I say plenty...you know, relatively speaking). Presumably they'd see a fair surge of business if they became the only way to run Linux (rather than the hitherto standard method of buying anything you like from Dell/HP/whoever and just wiping the hard drive).

Here's a better idea (-1)

Anonymous Coward | about a year and a half ago | (#42506465)

Shove your goddamned micorshaft thing up your ass and jump off the golden gate bridge.

M$ cunts must die.

Now we can make a Beowolf Cluster! (1)

jfdavis668 (1414919) | about a year and a half ago | (#42506467)

Imagine!

Tomorrow is Tuesday... (1)

hillbluffer (1684134) | about a year and a half ago | (#42506481)

I foresee an update to Windows RT tomorrow (or soon thereafter) to plug this serious threat to user security (have to secure users from getting apps somewhere else that Redmond doesn't make money from)

Re:Tomorrow is Tuesday... (1)

cbhacking (979169) | about a year and a half ago | (#42507673)

You do realize that sideloading "Modern" (a.k.a. "Metro") applications is fully possible and officially supported, right? The difference is that those have to run in an application sandbox that limits their capabilities and restricts the APIs they can call... in particular, they aren't supposed to be able to access the Win32 API, which is needed for making something that is recognizably Windows software (what Microsoft is calling a "desktop app" because it runs in the Desktop view of Win8 / Windows RT).

The breakthrough here is twofold:
1) Run homebrew / non-Windows-Store software outside of the application sandbox (at whatever permission level you like, all the way up to Admin, which is already possible for any desktop app that you can run on Windows RT).
2) Port legacy software to Windows RT with merely a recompile, rather than forcing people to re-write the software to use the new APIs.

There isn't really anything else that this hack permits which wasn't already possible on RT... but both of those are pretty big achievements.

Developing Applications (1)

Old Aylesburian (2780221) | about a year and a half ago | (#42506527)

Am I missing something here? How can anyone develop new applications for Windows RT and test run them?

Re:Developing Applications (0)

Anonymous Coward | about a year and a half ago | (#42506653)

I dunno...http://msdn.microsoft.com/en-us/windows/apps/br229516.aspx

Re:Developing Applications (5, Informative)

Dudds (132159) | about a year and a half ago | (#42506659)

Windows RT contains a complete Win32 API environment (all the standard DLLs are there: kernel32.dll, user32.dll, etc).

Visual Studio 2012 comes with the ARM compiler, so building executables is fairly easy. The restriction, to not allow ARM Win32 applications, only came late in the development cycle, so it's really only hacked in. Visual Studio will even allow native development for ARM applications, going as far to remote debugging the application, by simply adding a "enabled" setting to the ARM manifest file.

The Windows RT SDK for building executables is not required to link existing applications, only a library file is required and that is easily built (in the XDA thread, a tool was posted that builds library files from live DLLs).

Whitelisting of a sort (& the future of securi (-1)

Anonymous Coward | about a year and a half ago | (#42506533)

Versus malicious executables (as in virus/trojans, etc.).

I've seen a lot of material on this online, that whitelisting IS the future of computer security as far as applications go... & yes, I believe it - as it makes sense!

* E.G.-> It'd be a LOT simpler for say, a home user all the way up to a network administrator on a HUGE corporate WAN to setup a list of PROVEN & fully vetted/code reviewed allowed apps to run (& all the rest would be disallowed...)

This would also put less stress on antivirus/antispyware programs in security, if not invalidate their use altogether!

(Since they ARE playing a "catchup ball" game, constantly, & never really "on top" of the game, doing false positives based on heuristics "best guess" work, & signatures based detections... yes, they DO help, currently - but can be circumvented easily enough, since the malware maker change their wares, or make them mutate, etc.).

Yes - imo @ least?

This would also put a HUGE DENT in the malware problem out there (as far as malicious executables they utilize @ times as well!).

So, in a sense?

What MS is doing is a 'whitelisting' of sorts, allowing ONLY their apps &/or OS.

I do think this IS the future of secured computing.

It's going to hurt freeware/shareware markets though (which I've been involved in as well as commmercially sold wares bearing my code too over time - however: I still WON'T say that this isn't a possibly helpful measure in security too, as that would be lying to protect business interests only on my end).

APK

P.S.=> So, in short - MS' is attempting a sort of "walled garden" that *MIGHT* just work as I noted above!

However - the only problem I see?

Well... driveby downloads (in both malicious executables downloaded like fake antivirus, as well as maliciously scripted code on websites themselves) ARE the largest contributor to the malware issue according to AVG here:

---

http://betanews.com/2012/01/25/the-top-10-web-security-threats-you-should-avoid/ [betanews.com]

Pertinent quote/excerpt:

"The compromised website is still the most effective attack vector for hackers to install malware on your computer with 47.6 percent of all malware installs occurring in that manner, says security firm AVG. Another 10.6 percent are tricked into downloading exploit code -- many times, without their knowledge -- by clicking on links on pages to sites hosting malware... It also found that faked pharmacy sites are a popular attack method, seen in about 10.4 percent of all attacks. Fake antivirus scanners remain a popular malware injection method at 8.4 percent. "

---

* Fact is, what I noted, in compromised sites, comprises 77% of malware installations - not what users download & install themselves (ala shareware/freeware sites like download.com etc./et al)...

---

Whitelisting COULD help stop that too, per what I stated above, along with other "layered-security"/"defense-in-depth" measures commonly used today already.

Even "walled gardens" do, albeit imo @ least? Not as much due to the above statistics from AVG & imo, lastly, in malscripted sites (only doing what I do in Opera which is in & of itself, a 'whitelisting' approach too, via its "by site preferences" - ONLY allowing scripting, cookies, plugins, frames/iframes, javascript, java, etc. on SOME sites only that REQUIRE THEM FOR FULL FUNCTION - the rest are in global policy, disallowing their usage (lessening the chance of attack))

... apk

Re:Whitelisting of a sort (& the future of sec (1)

dyingtolive (1393037) | about a year and a half ago | (#42506715)

Interesting post. I'm no security buff, but whitelisting doesn't sound like it's inheriently a bad thing, and I don't think anyone would argue so, but if that's the route you go, the default should have to be that the user themselves is gatekeeper, with the option of enabling it such that they can use another party to manage their walled garden for themselves.

Really, building your own walled garden of executables from places you trust actually sounds like a pretty clever idea. It also sounds like Linux repositories with a filemask of 110. Or maybe using a host file instead of DNS. :P

Re:Whitelisting of a sort (& the future of sec (0)

Anonymous Coward | about a year and a half ago | (#42506949)

Interesting post. I'm no security buff, but whitelisting doesn't sound like it's inheriently a bad thing, and I don't think anyone would argue so, but if that's the route you go, the default should have to be that the user themselves is gatekeeper, with the option of enabling it such that they can use another party to manage their walled garden for themselves.

Except that the root problem with security is the user. If users could be reliably trained to not follow links in phishing emails, to turn off cookies, or not execute random files the find on the metaphorical floor, there would be no need for any kind of whitelist.

Since that hasn't proven to be feasible, any system that lets the user override the system (by for example adding a third party repository to their trusted list) is doomed to fail.

Again: I didn't FORGET the end-user... apk (-1)

Anonymous Coward | about a year and a half ago | (#42507429)

"Interesting post." - by dyingtolive (1393037) on Monday January 07, @12:33PM (#42506715)

Thank you, but... I *think* you missed a few of my points, skimming over them (regarding end users)...

---

"I'm no security buff" - by dyingtolive (1393037) on Monday January 07, @12:33PM (#42506715)

LOL - I am (since 1997), see here -> http://news.slashdot.org/comments.pl?sid=3364039&cid=42506997 [slashdot.org]

(Where I list only a SMALL PART of my involvement in & around the security community for coming up on 2 decades now almost)

I went to "normal end users" with the guide noted there... as THEY ARE THE ONES THAT NEED TO LEARN ABOUT COMPUTER SECURITY THE MOST (not the already 'guru' types).

---

"but whitelisting doesn't sound like it's inheriently a bad thing, and I don't think anyone would argue" - by dyingtolive (1393037) on Monday January 07, @12:33PM (#42506715)

It makes sense is why - ESPECIALLY in corporate environs (where the system is NOT the 'end users' to play with, but rather, to merely use as a tool for working).

---

Now, on what you & other repliers SEEM to have missed that I did cover!

(Unless I somehow didn't express myself well? I do 'cover the end user' - see quote of my words next below from the post you replied to):

"* E.G.-> It'd be a LOT simpler for say, a home user all the way up to a network administrator on a HUGE corporate WAN to setup a list of PROVEN & fully vetted/code reviewed allowed apps to run (& all the rest would be disallowed...)" - by Anonymous Coward on Monday January 07, @12:17PM (#42506533)

See subject-line, & that quote of myself, vs your misinterpretation of what I wrote (or perhaps you just missed it)...

---

"Really, building your own walled garden of executables from places you trust actually sounds like a pretty clever idea." - by dyingtolive (1393037) on Monday January 07, @12:33PM (#42506715)

I do by programming my own stuff QUITE a lot, even on the note of security (& reliability, performance, privacy & more), ala:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

As 1 "example thereof"...

Which leads to another point of yours below in fact ('great minds think alike').

---

"It also sounds like Linux repositories with a filemask of 110" - by dyingtolive (1393037) on Monday January 07, @12:33PM (#42506715)

OR like Apple's "walled garden" or what MS is doing here in this article... think about it!

---

"Or maybe using a host file instead of DNS. :P" - by dyingtolive (1393037) on Monday January 07, @12:33PM (#42506715)

Per the app above? BIG fan of custom hosts files here, but... & again - 'great minds think alike'!

HOWEVER:

I don't use hosts to resolve EVERY host-domain name to IP address online - that'd be impractical, & make me use a DNS of my own, with my own DNSBL in it!

(I do however, 'hardcode' in 20 of my favorite sites I spend a good 95% of my time online @ for reliability vs. DNS failure & faster resolutions into my custom hosts file for the reasons I just noted...).

HOWEVER ALSO:

Ontop of benefits custom hosts files yield (including overcoming some issues in DNS, like failure or redirection poisoning) - I also use DNS servers - albeit SPECIAL FILTERED ONES vs. malware & maliciously scripted sites online!

(To supplement the largest part of what my custom hosts generating program above does in fact).

The DNS servers I use, external to my home, are the following:

---

Norton DNS:

http://setup.nortondns.com/ [nortondns.com]

198.153.192.1
198.153.194.1
198.153.192.60
198.153.194.60
198.153.192.50
198.153.194.50
198.153.192.40
198.153.194.40

OpenDNS:

http://www.opendns.com/home-solutions/ [opendns.com]

208.67.222.222
208.67.220.220

ScrubIT DNS:

http://scrubit.com/ [scrubit.com]

67.138.54.100
207.225.209.66

Comodo Secure DNS:

http://www.comodo.com/secure-dns/switch/windows_vista.html [comodo.com]

8.26.56.26
8.20.247.2

---

Now - keep in mind:

I don't run a DNS server here! With good reason - mostly electricity bills, lol... laughing, but no joke. It costs as I am SURE you know!

(Plus - No point in adding complexity for what hosts do for me, or eating up electricity, CPU cycles, & other forms of I/O on DNS... especially when it has KNOWN issues in DNS-poisoning redirection for example when setup in recursive mode + more)

APK

P.S.=> Thanks for your comment on 'interesting'... apk

Asking SAME question of YOU now (0)

Anonymous Coward | about a year and a half ago | (#42508705)

Why was my post downmodded here http://news.slashdot.org/comments.pl?sid=3364039&cid=42507429 [slashdot.org]

?

* Especially since I covered END USERS being 'gatekeeper' as well as network admins in corporate environs in the link above!

(This I gotta see - Why? Well... Just to see if others notice what I do around this website, noted below...)

APK

P.S.=> So, why the downmod of my posts (nearly every one of them since my initial post you replied to)?

Again - I'd love to see YOUR answer to that!

(Not saying YOU did it or anyone I replied to - it's MORE to make a point how BOGUS the moderation system is here @ times, when trolls misuse it)...

... apk

Re:Whitelisting of a sort (& the future of sec (-1)

Anonymous Coward | about a year and a half ago | (#42506751)

White Listing is better than black listing! Proof? White are better than blacks :)

That is why you should use a white-list private dns server instead of a blacklist /etc/hosts file imo.

BQL

Re:Whitelisting of a sort (& the future of sec (-1)

Anonymous Coward | about a year and a half ago | (#42507349)

White are better than blacks

Hockey, yes. Basketball, no.

How I use BOTH custom hosts & DNS... apk (-1)

Anonymous Coward | about a year and a half ago | (#42507627)

"That is why you should use a white-list private dns server" - by Anonymous Coward on Monday January 07, @12:36PM (#42506751)

Why should I run a DNS server @ home?

As a separate machine it would EAT UP ELECTRICITY, & truly add complexity I don't NEED!

On my single home system?

It would do the same, as well as eat up CPU cycles, RAM, & other forms of I/O for something I don't need vs. what the combination of custom hosts files (which yes, overcome some issues on DNS like dns poisoning, dns servers going down, slower resolutions from remote DNS) & yes, on the single system I have (@ home)!

---

IMPORTANT: & I can't stress THIS enough!

Also PER MY SUBJECT-LINE ABOVE, which is what I *think* you all mess up on, as to HOW I USE CUSTOM HOSTS FILES?

CLUE: I don't ATTEMPT to have every single host-domain name in existence resolved to IP address here!

What DO I ACTUALLY DO?

I 'hardcode in' only my 20 top favorites sites in it!

The rest of its entries are blocked out KNOWN malicious sites/servers/hosts-domains that serve up malicious script code, malware, phishing/spamming, adbanners, & such (which eat your bandwidth you pay for, as well as poison you).

Once more - I hardcode in where I spend 95% or more of my time online (for reliability vs. downed or DNS poisoned DNS servers, and for faster resolution from local address once they are reverse DNS pinged for proper resolution).

AND?

I use Filtering DNS servers I use (secured vs. malware, malicious scripted sites, phishing/spamming & more) external to my home:

---

Norton DNS:

http://setup.nortondns.com/ [nortondns.com]

198.153.192.1
198.153.194.1
198.153.192.60
198.153.194.60
198.153.192.50
198.153.194.50
198.153.192.40
198.153.194.40

OpenDNS:

http://www.opendns.com/home-solutions/ [opendns.com]

208.67.222.222
208.67.220.220

ScrubIT DNS:

http://scrubit.com/ [scrubit.com]

67.138.54.100
207.225.209.66

Comodo Secure DNS:

http://www.comodo.com/secure-dns/switch/windows_vista.html [comodo.com]

8.26.56.26
8.20.247.2

---

To do the rest!

---

"instead of a blacklist /etc/hosts file" - by Anonymous Coward on Monday January 07, @12:36PM (#42506751)

I generate my custom hosts file via this security (and speed, reliability & performance enhancing) program I wrote:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

Both in 32 bit &/or 64 bit form... why?

* Please - DO read what it does for you... it explains it in a short 16 point list, so you can UNDERSTAND how I utilize custom hosts files for security, speed, reliability, privacy, & more... & yes, it works!

APK

P.S.=> Sometimes, I TRULY do *think* you guys THINK I use hosts to "resolve the entire internet" & again, so it "sinks in":

NO, I don't DO that... see above!

(See what I use custom hosts for in that programs' link above (it will explain it to you without ME having to do it for the 100th time here on slashdot))...

... apk

Re:Whitelisting of a sort (& the future of sec (4, Interesting)

iamgnat (1015755) | about a year and a half ago | (#42506753)

Except the problem with your whole premise is that you forget the user.

Basically Apple "whitelists" what Apps can run under iOS (and are clearly moving that way for OSX too), yet people rail against it and even go so far as to remove the "whitelist" (e.g. jailbreak).

The problem comes down to who does the vetting and testing of an application to add it to a whitelist? If it is the user, they've proven they can't be trusted because they'll "vet" any new screensaver/antivirus/cursor application that comes along. If it is a central organization (Microsoft/Apple/Google/etc..) you then run into conflicts of interest in what they think you should do with the platform and what you actually need/want to do (e.g. what happens when you have a problem that can't be solved by any existing approved application?).

There is no simple single solution to the problem of security. A real solution by nature needs to be multilayered which means there is some complexity and ultimately users have to take responsibility for their actions. The idea that a single company/program can keep you safe just keeps perpetuating this idea that you don't have to pay attention to what your are downloading/executing and it's that mentality that allows malware to continue to be so successful.

I didn't forget the user, & MORE (see quote) (0)

Anonymous Coward | about a year and a half ago | (#42506997)

"* E.G.-> It'd be a LOT simpler for say, a home user all the way up to a network administrator on a HUGE corporate WAN to setup a list of PROVEN & fully vetted/code reviewed allowed apps to run (& all the rest would be disallowed...)" - by Anonymous Coward on Monday January 07, @12:17PM (#42506533)

See subject-line, & that quote of myself, vs your misinterpretation of what I wrote (or perhaps you just missed it)...

---

"Except the problem with your whole premise is that you forget the user." - by iamgnat (1015755) on Monday January 07, @12:36PM (#42506753)

Once more - See above...

---

"The problem comes down to who does the vetting and testing of an application to add it to a whitelist? If it is the user, they've proven they can't be trusted because they'll "vet" any new screensaver/antivirus/cursor application that comes along." - by iamgnat (1015755) on Monday January 07, @12:36PM (#42506753)

See above again - in corporate environs, where THE MACHINE IS NOT THE USERS but the companies? That'd be the network admins doing the testing (hopefully).

---

"There is no simple single solution to the problem of security. A real solution by nature needs to be multilayered which means there is some complexity and ultimately users have to take responsibility for their actions." - by iamgnat (1015755) on Monday January 07, @12:36PM (#42506753)

You're "preaching to the choir" here man... seriously, take a look below

(I.E.-> I've been doing security guides based on "layered-security"/"defense-in-depth", especially geared to 'end users' @ home with single systems, since 1997 online & doing pretty well @ it):

To "immunize" a Windows system, I effectively use the principles in "layered security" possibles!

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:

http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text [neowin.net]

& from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml [archive.org] which Neowin above picked up on & rated very highly.

That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online in the 1st URL link above...

Which has well over 500,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:

---

1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ [pcpitstop.com] (see January 2008))

---

Across 15-20 or so sites I posted it on back in 2008... & here is the IMPORTANT part, in some sample testimonials to the "layered security" methodology efficacy:

---

SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2 [xtremepccentral.com]

"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral

AND

"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral

AND

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3 [xtremepccentral.com]

"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral

---

http://forums.theplanet.com/index.php?s=80bbbffc22d358de6b01b8450d596746&showtopic=89123&st=60&start=60 [theplanet.com]

"the use of the hosts file has worked for me in many ways. for one it stops ad banners, it helps speed up your computer as well. if you need more proof i am writing to you on a 400 hertz computer and i run with ease. i do not get 200++ viruses and spy ware a month as i use to. now i am lucky if i get 1 or 2 viruses a month. if you want my opinion if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spy ware, but if you do get hit with viruses and spy ware then it will your own fault. keep up the good fight APK." - Kings Joker, user of my guide @ THE PLANET

(Those results are only a SMALL SAMPLING TOO, mind you - I can produce more such results, upon request, from other users & sites online)

EVEN AMONGST SLASHDOTTERS - the hardest 'critics' I've ever MET online in 1 spot in fact:

---

* THE APK SECURITY GUIDE GROUP 18++ THUSFAR (from +5 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

APK SECURITY GUIDE (old one):2005 -> http://it.slashdot.org/comments.pl?sid=154868&cid=12988150 [slashdot.org]
APK SECURITY GUIDE (old one):2005 -> http://books.slashdot.org/comments.pl?sid=168931&cid=14083927 [slashdot.org]
APK SECURE SETUP FOR IP STACK:2005 -> http://it.slashdot.org/comments.pl?sid=170545&cid=14211084 [slashdot.org]
APK SECURITY GUIDE (old one):2005 -> http://it.slashdot.org/comments.pl?sid=170545&cid=14210206 [slashdot.org]
APK SECURITY TEST CHALLENGE LINUX vs. WINDOWS:2007 -> http://it.slashdot.org/comments.pl?sid=267599&threshold=1&commentsort=0&mode=thread&cid=20203061 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://ask.slashdot.org/comments.pl?sid=970939&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25092677 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://tech.slashdot.org/comments.pl?sid=1027095&cid=25747655 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://ask.slashdot.org/comments.pl?sid=970939&cid=25093275 [slashdot.org]
APK SECURITY GUIDE: 2008 -> http://ask.slashdot.org/comments.pl?sid=970939&no_d2=1&cid=25092677 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://it.slashdot.org/comments.pl?sid=416702&cid=22026982 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://it.slashdot.org/comments.pl?sid=1361585&cid=29360367 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://yro.slashdot.org/comments.pl?sid=1218837&cid=27787281 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://news.slashdot.org/comments.pl?sid=1135717&cid=26941781 [slashdot.org]
APK SECURITY GUIDE:2010 -> http://tech.slashdot.org/comments.pl?sid=1885890&cid=34358316 [slashdot.org]
APK SECURITY GUIDE:2010 -> http://yro.slashdot.org/comments.pl?sid=1638428&cid=32070500 [slashdot.org]
APK SYSTEM TUNING:2010 -> http://hardware.slashdot.org/comments.pl?sid=1497268&cid=30649722 [slashdot.org]
APK SYSTEM TUNING:2010 -> http://hardware.slashdot.org/comments.pl?sid=1497268&threshold=-1&commentsort=0&mode=thread&cid=30649722 [slashdot.org]
MICROSOFT SECURITY:2010 -> http://news.slashdot.org/comments.pl?sid=1546446&cid=31106612 [slashdot.org]

---

* &, there ya go...

APK

P.S.=> "NEXT"... apk

Re:I didn't forget the user, & MORE (see quote (1)

iamgnat (1015755) | about a year and a half ago | (#42507621)

See subject-line, & that quote of myself, vs your misinterpretation of what I wrote (or perhaps you just missed it)...

You mean the subject line that is simply showing as "Whitelisting of a sort (& the future of securi"?

As far as possibly misinterpreting you, I will admit your writing style is not as clear as it could be but you clearly go on about whitelisting being most/all of the security solution (to the extent you talk about it possibly replacing AV software). If that was not the point you were trying to get across, then I apologize but that is how it came across to me.

See above again - in corporate environs, where THE MACHINE IS NOT THE USERS but the companies? That'd be the network admins doing the testing (hopefully).

In this case the network admins/company are still the end user even if the result is that they represent more than one physical person. Using the iOS example without buying into Apple's development system there is no "authorized" method for the company to build an internal application and deploy it to their employees iOS devices. So in that case the corporate environment operators still have limited control to do their own vetting. Even still, I've been on the receiving end of "by god you will install this" in the corporate environment so you still have the "users can't be trusted" element there as well.

Whitelisting is the security holy grail, but as with all hardline security measures it forgets that there needs to be a balance between letting the user perform the work that needs to be done while still protecting them from themselves.

I spent some time in a secure environment that tightly controlled what ran on desktops and needed an application that was allowed, but not for the role I was filling. We spent 6 months going back and forth before finally getting approval and getting it installed. Because what I was doing couldn't wait those 6 months we had to work around the restrictions in the meantime. While I am sure of my personal computers, that I had to use them and email the data back and forth opened a vector for a potential problem (as well as violating the corporate rules so you can be sure I had it in writing from a couple levels of management that they approved of what I was doing).

The flip side of course is that I've also worked in environments where everyone had admin rights and could install anything the wanted (though the written policy said they "can only use approved software"). That environment was a constant headache for security and the help desk due to the near constant malware issues (which almost always manifested as performance problems).

Those are the reasons that a rigid whitelisting policy can't work in the real world. Exceptions have to be able to be made in a responsive manner, but that control still needs to be somewhat centralized. In a corporate environment this is relatively easy to do (in principle anyway), but when you start talking about home users that becomes near impossible as there is no way a large company (Apple/Google/MS/...) know what all their users need to do (and really have no business knowing that level of detail in my opinion) and the individual can't really be trusted either. Really the only way to possibly do it would be a community based system, but even there you need some kind of control to keep the likes of 4chan from polluting it by tagging malware as "safe" and Photoshop as "unsafe".

I can say that of your READING 'ability' (-1)

Anonymous Coward | about a year and a half ago | (#42508065)

Vs. my 'writing style', easily. I did cover end users though, no questions asked.

(Even requoting myself where I did so, proving that much in plain black & white...)

Ah, anyhow/anyways:

---

"In this case the network admins/company are still the end user" - by iamgnat (1015755) on Monday January 07, @01:42PM (#42507621)

Who, IF they have any SENSE & especially a sense of security, would use SIGNED apps... @ the very least.

(Signed apps with a proven track record of reliability etc. no less!)

That's a sign of 'vetting' vs. malicious code!

---

For instance/example, & ONE I HAD TO GO THRU myself regarding the link to the app on custom hosts I built years ago in 2003, & only released in 2012:

Comodo & other antivirus companies offer this as a service, for SIGNING apps!

(I know, 1st hand: ALBEIT, @ FIRST, NOT IN A GOOD WAY EITHER - since the app I put a link up to in replies here that I wrote was offered it)

Why?

Well, lol, once I passed clearance it was NOT a virus/malware, FIRST (which was hell - the security community in malwarebytes & others wouldn't let me through UNTIL I proved my code was 'clean'... boy, did I, lol!).

Why??

Well - I use a UNIQUE 64-bit executable compression scheme that Norton/Symantec, ArcaBit-ArcaVir, Comodo, McAfee, & others didn't understand + could NOT penetrate for disassembly!

(Oh, it can be 'peered into' in memory, but good luck breaking the file itself)

All, via techniques I've used for DECADES, ala my post here:

CODING FOR DEFCON (my compressed/packed exe + sizecheck @ startup technique): 2005 -> http://it.slashdot.org/comments.pl?sid=158231&cid=13257227 [slashdot.org]

Anyways...

They "false positive" flagged it a malware!

Then, shortly later, which delayed the release of my app PISSING ME OFF?

I proved them wrong earlier this year... even the "BIG BOYS" can be "taught a lesson", now & then... lol!

Should you require PROOF of that? Ask... & "ye shall receive"...

(Via email proofs & also from Mr. Steven Burn of Malwarebytes as well as Henry Hertz Hobbitt of securemecca also).

---

"Whitelisting is the security holy grail, but as with all hardline security measures it forgets that there needs to be a balance between letting the user perform the work that needs to be done while still protecting them from themselves." - by iamgnat (1015755) on Monday January 07, @01:42PM (#42507621)

Per the rest of your statements?

"Been there, done that"!

I've been thru SAME 'hassles' you did (had to go thru massive "red tape" just to get dev tools I wanted cleared)... but avoided others you noted (everyone running as admin - which sure kept the techies in a JOB though @ LEAST, the one good bright spot I suppose, lol, due to infestations).

It's just "how it is"/"the way it goes"...

Although, & I can't stress this enough - in CORPORATE ENVIRONS where there is millions of dollars to be taken in ca$h or R&D information for example? I do TRULY *think* that whitelisting of applications is a GREAT APPROACH to better security...

(In combination with std. "layered-security"/"defense-in-depth" measures I noted & have been covering, targetting home end users the MOST since they are NOT generally 'security gurus', for coming up on 2 decades with GOOD results from many of them that applied my guides).

APK

P.S.=> Don't take offense @ my subject-line though - because you may not like my writing style, but it's possible your reading was skimming or you just missed it, or you are tired? I don't know - however,/again:

I DID PUT IT UP IN REGARDS TO END USERS quite plainly, no questions asked!

... apk

Re:I can say that of your READING 'ability' (0)

Anonymous Coward | about a year and a half ago | (#42508647)

Please take your meds. Thanks.

Re:I can say that of your READING 'ability' (0)

Anonymous Coward | about a year and a half ago | (#42508729)

Quit projecting your own "issues" onto others.

Explain this please (I'd like to hear it)... apk (-1, Flamebait)

Anonymous Coward | about a year and a half ago | (#42508159)

Why was proving myself correct vs. your false accusation being downmodded here -> http://news.slashdot.org/comments.pl?sid=3364039&cid=42506997 [slashdot.org]

"?"

* That, along with my INITIAL POST you even agreed is a good measure too -> http://news.slashdot.org/comments.pl?sid=3364039&cid=42506533 [slashdot.org] being downmodded also?

APK

P.S.=> I'd LOVE to see the answer... Especially with YOUR POST upmodded to +4 on a FALSE PREMISE & FALSE ACCUSATION, & mine downmodded to -1 & YET I PROVED YOU INCORRECT (missing that I did, indeed, cover end users)... apk

Did you even READ my post entirely? (0)

Anonymous Coward | about a year and a half ago | (#42508567)

Not only did you falsely accuse me of NOT covering end users, WHICH I PROVED I DID QUOTING MYSELF IN MY OTHER REPLY TO YOU IN REGARD TO THAT -> http://news.slashdot.org/comments.pl?sid=3364039&cid=42506997 [slashdot.org]

---

NOT ONLY THAT!

You also MISSED that I noted "layered-security"/"defense-in-depth" (as I've been 'into that' for decades now via the proofs of that I put up in extremely successful security guides for end users, the ones that need them most)!

That quote? It's per the termination of my initial post here -> http://news.slashdot.org/comments.pl?sid=3364039&cid=42506533 [slashdot.org]

PROOF again, via this salient pertinent quote of myself from my initial post here:

---

"Whitelisting COULD help stop that too, per what I stated above, along with other "layered-security"/"defense-in-depth" measures commonly used today already." - by Anonymous Coward on Monday January 07, @12:17PM (#42506533)

---

Especially on THAT note?

You are PREACHING TO THE CHOIR on layered security/defense in depth especially to myself, and you also falsely accused me of NOT COVERING END USERS too... in regards to whitelisting!

---

AND, yet you got a +5 upward mod & my posts are downmodded to -1...

APK

P.S.=> Again, as I asked you in another post: EXPLAIN THAT, please...

... apk

it's for your own good (-1)

Anonymous Coward | about a year and a half ago | (#42506573)

Micorsoft users like to lick poop from dog's ass. This make sure all poop is taste tested by steve ballmer who is world's leading expert on dog poop.

Which 3rd party apps are those? (1)

Barlo_Mung_42 (411228) | about a year and a half ago | (#42506585)

Still have to be complied to ARM right?

Re:Which 3rd party apps are those? (1)

DdJ (10790) | about a year and a half ago | (#42506635)

Won't things that use the CLR run without recompilation?

Re:Which 3rd party apps are those? (1)

0123456 (636235) | about a year and a half ago | (#42506929)

Won't things that use the CLR run without recompilation?

Only if they don't call native code at any point, or only call native code that exists on ARM versions of Windows. If they bundle an x86 version of zlib.dll and call it to read .zip files, for example, you're probably screwed.

Re:Which 3rd party apps are those? (1)

s73v3r (963317) | about a year and a half ago | (#42506999)

That would be for things using .NET. Legacy native code, written in C/C++, would have to be recompiled.

Re:Which 3rd party apps are those? (1)

cbhacking (979169) | about a year and a half ago | (#42507727)

CLR = Common Language Runtime = "things using .NET". You basically just re-stated his comment...

Re:Which 3rd party apps are those? (1)

Dudds (132159) | about a year and a half ago | (#42506689)

On the last few pages of the thread at XDA, there are links and screenshots of: PuTTY, Tightvnc, 7zip and BOCHS (just to name a few):
http://forum.xda-developers.com/showthread.php?t=1885399&page=23 [xda-developers.com]

"Metro" is a Walled Garden (0)

Microlith (54737) | about a year and a half ago | (#42506793)

On your x86 Windows system, the default setting is Unsigned — you can run anything you like. With Windows RT, the default, hard-coded setting is Microsoft (8); i.e. only apps signed by Microsoft, or parts of Windows itself, can be executed.

They can set this selectively per environment as well. Microsoft sets it to "Unsigned" for the desktop but to "Microsoft" for "formerly-Metro" applications.

Re:"Metro" is a Walled Garden (2)

cbhacking (979169) | about a year and a half ago | (#42508353)

Ummmm.... no. You can sideload "Metro" applications just fine (after running one command to unlock this capability). The packages must be signed, but they can be signed by anybody (including self-signed), so long as they chain to any trusted certificate. Visual Studio generates an install script for the package that checks whether its (also auto-generated) signing cert is trusted, and if not, offers to install the cert for you. You can also do so manually (just double-click the cert file and follow the usual import steps).

So, .APPX (Metro application bundle) files don't require "Microsoft" signing level. What about the binaries they contain, though? It turns out that those don't need to be signed at all. At least a month back, a different branch of the "run everything on Windows RT" project bore fruit; we could run "desktop" apps within the AppContainer of a "Metro" app. (WinRT isn't supposed to include the APIs to launch new processes directly, but you have to be linked against the system call interface on Windows anyhow, which means it's possible to just scan the address space for the NtCreateProcess entry point and call it.) These apps don't have to be signed *at all* even without anything like the hack posted here. They run with low Integrity Level and have (by default) extremely limited permissions (access the System32 directory, their install directory, and their data directory, and only the last of those with write permissions), but they do not have to be signed.

Summary continuation (5, Informative)

Translation Error (1176675) | about a year and a half ago | (#42506821)

Since the summary ends before actually getting to the vulnerability it started to describe, here's the relevant text:

Now, in theory, you could change this hard-coded setting--but all Windows RT devices use UEFI, and so Secure Boot detects the altered code and locks the system down. Secure Boot doesn't stop you from changing the setting in memory, however

Re:Summary continuation (0)

Anonymous Coward | about a year and a half ago | (#42507063)

Since the summary ends before actually getting to the vulnerability it started to describe, here's the relevant text:

It's not a summary. It's plagiarized straight from the article. Some anonymous reader did not write that. Sebastian Anthony did.

Re:Summary continuation (1)

Anonymous Coward | about a year and a half ago | (#42507301)

"From the article:"

Dipshit.

Re:Summary continuation (0)

Anonymous Coward | about a year and a half ago | (#42508169)

Problems with reading comprehension, eh?

The unthinkable? (0)

Anonymous Coward | about a year and a half ago | (#42507171)

Microsoft decides to suck it up and puts in a simple UAC-like system where the user has to confirm that they want to run a potentially dangerous application that is not signed by Microsoft itself.

Based on the little I know... (1)

The MAZZTer (911996) | about a year and a half ago | (#42507409)

Once you can attach a remote debugger to a process you can pretty much run whatever code you want, it's just not user-friendly. The big thing here is that a system process is bypassing sanity checks on API calls (for speed, I assume) and so it's exploited to run arbitrary code in kernel mode, and then you have the whole system (in this case, it just flips the switch to allow any app to run, for the current session only I assume, it won't persist to the next boot).

MS may restrict the processes to which the debugger can attach to fix this, so you can't attach to any system process which uses the faster API calls lacking sanity checks. Assuming there's no way to get other programs to use those versions of DLLs, this would close the exploit, unless the user removes the hotfix (can you do that in RT?) or reinstalls Windows (if that's easy to do).

Either way a tool to package up the remote debugger side of things into something usable would be fairly trivial to make, just gotta capture the network activity of the exploit and then automate it so normal users just push a button and then trigger the proper breakpoint by adjusting the system volume.

Re:Based on the little I know... (1)

cbhacking (979169) | about a year and a half ago | (#42508429)

It's not actually really running arbitrary code in kernel, just changing some kernel memory which causes the kernel to run different code. All the code running is already present in the kernel - this isn't a code injection attack, or even ROP - but instead merely flipping a switch that isn't supposed to be accessible from user-mode. Very minor nit-pick, but I wanted to be clear on that. If (for example) Microsoft had decided to not permit the "Unsigned" level at all, and had removed the code which executes that path, this exploit would not work in its current state. However, that would be a non-trivial change to the program loader, which is a pretty core part of the OS. By just changing a flag that the program loader already understands, MS is able to keep the source for Windows RT pretty nearly identical to that of Windows 8.

Why? (0)

Anonymous Coward | about a year and a half ago | (#42507771)

If people are so stupid as to buy a locked device, why make it better for them? Otherwise the might buy and unlocked device next time=better.

Lol ./-etrs ar at it again (0)

Anonymous Coward | about a year and a half ago | (#42508015)

Since when attaching the debugger constitutes a jailbreak?

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...