Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Next 50 Years of Computer Security

Zonk posted more than 9 years ago | from the i'll-be-grey-haired-and-senile dept.

Security 128

wbglinks writes "An informative interview with Linux guru Alan Cox, with an emphasis on Linux and security. Alan will be the keynote speaker at EuroOSCON this October." From the article: "It is beginning to improve, but at the moment computer security is rather basic and mostly reactive. Systems fail absolutely rather than degrade. We are still in a world where an attack like the slammer worm combined with a PC BIOS eraser or disk locking tool could wipe out half the PCs exposed to the internet in a few hours. In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."

Sorry! There are no comments related to the filter you selected.

The next step in security: benevolent parasites? (2, Interesting)

TripMaster Monkey (862126) | more than 9 years ago | (#13549570)


This reminds me of a conversation I had with my business partner regarding computer security:

Imagine a hacker group that offered to protect your system against other hackers. In exchange for x% of your computer cycles, x% of your HDD space, a predetermined number of pop-up ads, etc., the group would guard your computer against others attempting to compromise it for its own use. The group would connect to your system from the internet, install their rootkits, and regularly scour your system looking for intruders, which they would zealously remove. Because they would be paid in computer resources (disk space, cycles, etc.), it would be in their best interests to keep your system as free from other parasites as possible. In much the same way as the bacteria growing in our mouths prevent them from being colonized by other, much more harmful bacteria, the group would defend its box against intruders.

Just an idea...thought I'd throw it out there and see what the Slashdot crowd thought of it (be gentle ^_^).

Sleeping....? (3, Insightful)

Valiss (463641) | more than 9 years ago | (#13549593)

Seems to be the classic 'sleep with the devil' scenario. The problem occurs when the hackers, over time, want more than you want give/barter with.

Re:Sleeping....? (1, Flamebait)

dotgain (630123) | more than 9 years ago | (#13549632)

And once you let someone compromise your system, you'll never be able to fully trust it again. It's about the stupidest idea yet in computer security. The only reason it wasn't on that list of "top six stupid things" the other day is because it's not an adopted practice, and isn't taken seriously.

And since TripMasterMonkey is an incessant troll, please, don't be gentle.

Re:Sleeping....? (4, Insightful)

Tackhead (54550) | more than 9 years ago | (#13549818)

> In exchange for x% of your computer cycles, x% of your HDD space, a predetermined number of pop-up ads, etc., the group would guard your computer against others attempting to compromise it for its own use. The group would connect to your system from the internet, install their rootkits, and regularly scour your system looking for intruders, which they would zealously remove
>
> And once you let someone compromise your system, you'll never be able to fully trust it again. It's about the stupidest idea yet in computer security. The only reason it wasn't on that list of "top six stupid things" the other day is because it's not an adopted practice, and isn't taken seriously.

Is that not the functional specification for Windows Update? ( Ha ha, only serious. [catb.org] )

For that matter, is that not the functional spec for every automatically self-updating piece of software?

Your machine is as trustworthy as those you permit to administer it. To the extent that you install auto-updating software, your machine is only as trustworthy as the authors of that software.

I'm highly confident that when my cron job asks apt-get to phone home, the maintainers of $MY_PET_DISTRO won't take advantage of the opportunity to place anything nasty on my machine.

I'm somewhat confident that Microsoft isn't going to auto-disable even pirated Windows installations, nor to install a RIAA/MPAA sniffing trojan as part of its updates - at least, not without providing a few weeks of warning.

I had so little confidence (as a matter of personal opinion) that the auto-updating and installation of DRM/software subscription services from www.steampowered.com, that I never purchased Valve's Half-Life 2. (If you trust Valve, hey, go for it -- but Steam is, IMO, fundamentally no different than having companies like EA and Adobe decide to outsource the management of "licencing component services" to organizations like Macrovision and the BSA. Would you like to get your "security components" from DRM providers?

And finally, I'd have no confidence whatsoever in any machine that was required, as part of the Homeland Cybersecurity Act of 2012, to download security updates from updatefarm.cybersec2012.gov.

On that scale, I'd place the original "cracker group" (perhaps affiliated with the Russian mafia) installing its own rootkits as somewhere between "less trustworthy than Steam, but more trustworthy than bsa.org".

But there's fundamentally no difference between any of these options.

Re:The next step in security: benevolent parasites (4, Insightful)

starfishsystems (834319) | more than 9 years ago | (#13549613)

Isn't that rather like setting the fox to guard the henhouse?

The controls that an organization would need to put in place to avoid being utterly exploited in such a scenario are pretty much the same controls needed to manage systems securely in the first place. So as a thought experiment, this is useful. As an actual practice, forget it.

Re:The next step in security: benevolent parasites (4, Insightful)

taustin (171655) | more than 9 years ago | (#13549623)

Sounds like a classic protection racket to me.

Re:The next step in security: benevolent parasites (1)

FragHARD (640825) | more than 9 years ago | (#13549921)

yep, sounds just like what m$ is doing right now, only they are doing a lousy job of it... or are they it might be part of the master plan to get you to give them total control to get rib of those awful windoze worms, windoze viruses, windoze trojans, windoze hackers, windoze spyware, windoze adware, windoze etc...

Re:The next step in security: benevolent parasites (2, Insightful)

Mr. Underbridge (666784) | more than 9 years ago | (#13550241)

Yeah. The problem is when they decide you need more "fire insurance."

Re:The next step in security: benevolent parasites (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13549633)

I bow to Trip Master Monkey, the Master of the first post. When you stand up, I bow before you. My devotion to you is such oh master, that I would eat your dingleberries and floss with your ass hair.
FUCK YOU to all who dare make fun of the master of the insightful fiirst post, Trip master monkey.

What, like taxing? (1)

daniil (775990) | more than 9 years ago | (#13549646)

The reason your idea will never take off is that if this scheme turned out to be profitable to both the racketeers and the people paying for "protection", the government would step in and demand a monopoly in the "protection" racket. Now, you don't want the government installing their rootkits on your computer, do you?

Re:The next step in security: benevolent parasites (1)

Daveznet (789744) | more than 9 years ago | (#13549685)

Sounds like a good idea in principle but who is to stop this group of hackers from using your resources for their own milicious intentions.

Re:The next step in security: benevolent parasites (3, Funny)

Clovert Agent (87154) | more than 9 years ago | (#13549745)

"Yes, Mr Sarbanes Oxley Auditor, I exposed my entire desktop computing infrastructure to a group of self-proclaimed hackers so they could uninstall spyware for me. Great idea, huh? Huh? Hey! Come back! I haven't told you about the foxes guarding the corporate henhouse yet."

I have a better idea. Swap some other commodity (like, say, money) for the same service, and call it an MSSP.

Re:The next step in security: benevolent parasites (1)

kfg (145172) | more than 9 years ago | (#13549757)

Hey guys, I've got an idea, why don't we just get the barbarians to guard the gates of Rome?

KFG

Re:The next step in security: benevolent parasites (2, Funny)

'nother poster (700681) | more than 9 years ago | (#13549939)

Um, dude, about those gates. We had to remove them because they were interfereing with us getting in and out of the city to rape and pillage in our 20% of Rome. Oh, and by the way, we decided that we would rather rape and pillage in the 20% of Rome that contains the forums. Raping and pillaging in the slums wasn't working.

Yours truly,
The Visigoths.

Problem (5, Insightful)

mcc (14761) | more than 9 years ago | (#13549784)

There are a large number of problems with your suggestion. I will outline only one.

One problem is that your suggestion is wholly founded on the assumption of computational resources being valuable. This is to an extent incisive, since you have realized that the reason why the formation of zombie networks has increasingly become the endgoal of worms and such is that there is commercial value in those networks' computational resources. But this breaks down when you start to think about what they use those computational resources for.

Computational resources, by themselves, aren't particularly valuable or hard to obtain; even bandwidth resources are beginning to become expendable if you're smart about how you use them. Your average PC is absolutely awash in power it doesn't need. 20 years of "your computer is obsolete as soon as you buy it" has crashed out into "your five-year-old computer technically isn't obsolete yet". People who used to buy supercomputers often now just buy cheap PCs and leash them together. Anybody who just has a legitimate need for a lot of computation these days can most easily obtain this through totally legitimate channels.

The reason why hackers, worm-builders, spyware peoples, etc obtain their resources through illegitimate means (like worms) is because they have illegitimate intents for those resources. They don't so much want 20% of the resources of a PC, they want 20% of the resources of a PC that can't be traced back to them. This is because once they have these resources, they're going to be using them for things like, warez. Sending spam without compliance with local laws. Hosting dubious and virus-like spyware. Extorting businesses for money in exchange for not launching DDOS attacks against them. If you willingly give these people 20% of your hard drive and CPU they aren't going to be using it for things like 3d rendering or protein folding; if that was all they wanted, they wouldn't need to be using hacker methods to get it in the first place.

Instead, if we go by your scenario, you'll give them 20% of your hard drive, CPU and bandwidth; they will protect you from the other hacker groups; everyone will be happy; ... and then six months later your computer will be part of a gigantic DDOS or some other illegal act so large it will attract the FBI's attention. From here there are two possibilities. Possibility one is, the people you've been contracting with here are a legitimate business, in which case the FBI will get their contact information from you and have them arrested. Possibility two is, the people you've been contracting with here are not a legitimate business, in which case the FBI will arrest you for conspiring with an organized crime group. We can assume no group even remotely competent enough to even get into this hypothetical security "protection" business in the first place would be stupid enough to let possibility one happen. This leaves possibility two. See the problem?

Re:Problem (2, Funny)

gatekeep (122108) | more than 9 years ago | (#13550250)

We can assume no group even remotely competent enough to even get into this hypothetical security "protection" business in the first place would be stupid enough to let possibility one happen. This leaves possibility two. See the problem?

While I largely agree with your point, the quoted line made me think of this;

Man in black: [turning his back, and adding the poison to one of the goblets] Alright, where is the poison? The battle of wits has begun. It ends when you decide and we both drink - and find out who is right, and who is dead.
Vizzini: But it's so simple. All I have to do is divine it from what I know of you. Are you the sort of man who would put the poison into his own goblet or his enemies? Now, a clever man would put the poison into his own goblet because he would know that only a great fool would reach for what he was given. I am not a great fool so I can clearly not choose the wine in front of you...But you must have known I was not a great fool; you would have counted on it, so I can clearly not choose the wine in front of me.
Man in black: You've made your decision then?
Vizzini: [happily] Not remotely! Because Iocaine comes from Australia. As everyone knows, Australia is entirely peopled with criminals. And criminals are used to having people not trust them, as you are not trusted by me. So, I can clearly not choose the wine in front of you.
Man in black: Truly, you have a dizzying intellect.
Vizzini: Wait 'till I get going!! ...where was I?
Man in black: Australia.
Vizzini: Yes! Australia! And you must have suspected I would have known the powder's origin,so I can clearly not choose the wine in front of me.
Man in black: You're just stalling now.
Vizzini: You'd like to think that, wouldn't you! You've beaten my giant, which means you're exceptionally strong...so you could have put the poison in your own goblet trusting on your strength to save you, so I can clearly not choose the wine in front of you. But, you've also bested my Spaniard, which means you must have studied...and in studying you must have learned that Man is mortal so you would have put the poison as far from yourself as possible, so I can clearly not choose the wine in front of me!
Man in black: You're trying to trick me into giving away something. It won't work.
Vizzini: It has worked! You've given everything away! I know where the poison is!
Man in black: Then make your choice.
Vizzini: I will, and I choose...[pointing behind the Man in black] What in the world can that be?
Man in black: [turning around, while Vizzini switches goblets] What?! Where?! I don't see anything.
Vizzini: Oh, well, I...I could have sworn I saw something. No matter. [Vizzini laughs]
Man in black: What's so funny?
Vizzini: I...I'll tell you in a minute. First, lets drink, me from my glass and you from yours. [They both drink]
Man in black: You guessed wrong.
Vizzini: You only think I guessed wrong! That's what's so funny! I switched glasses when your back was turned! Ha ha, you fool!! You fell victim to one of the classic blunders. The most famous is never get involved in a land war in Asia; and only slightly less well known is this: Never go in against a Sicilian, when death is on the line!

[Vizzini continues to laugh hysterically. Suddenly, he stops and falls right over. The Man in black removes the blindfold from the princess]
   

Re:Key Phrases (1)

vertinox (846076) | more than 9 years ago | (#13550759)

Possibility two is, the people you've been contracting with here are not a legitimate business, in which case the FBI will arrest you for conspiring with an organized crime group.

Plausible Deniability

And don't forget... You can't arrest a corporation. Just the individuals that work for it. Thirdly, you can't go after the shareholder's assets unless they have been directly implicated in the crime.

Lastly, the crime might have been intentional in order to get the FBI's intention. Of course you'd be dealing with a Class A hacker, but if you wanted to get rid of someone for a while you'd just put illegal underage images on their computer and then attract attention to that computer.

Then again... I'm throwing around terms and ideas that would just make a good murder mystery and no one would apply them to real life.

Still... Leasing out your computers to people outside with the pretext they will protect you is a bad idea.

Re:Problem (1)

kesuki (321456) | more than 9 years ago | (#13550776)

Your average PC is absolutely awash in power it doesn't need. 20 years of "your computer is obsolete as soon as you buy it" has crashed out into "your five-year-old computer technically isn't obsolete yet".

First of all, computers have always been on a fairly constant cycle of getting faster, but it's never been 'overnight' except for people who go out and buy the bargain PCs the day before they release the new 'latest greatest' models. so, 'your computer is obsolete as soon as you buy it' only applies to clueless people who are buying 2-3 year old hardware 'brand new' because it was selling 'cheaply.' it's true, that most 'retail vendors' have a really hard time getting products to market 'when they're new' but that's changed a lot with the likes of dell who sells the computer they made last week.. so even people buying at retail level are generally getting newer hardware than they were when companies took months and months to years to develop and market products.

As far as the latter goes 'your 5 year old PC' is pretty useless. word processing goes slow, agonizingly slow compared to a 'modern' system. web browsing same deal, although technically that computer can Barely Manage those tasks, it requires Full operating power to do basic everyday tasks! now a modern PC doesn't even break a sweat for any of that...

I have a nice system i built almost 4 years ago, and i built it with the best parts I could, even so it still came to under 1 grand. That system is still 'fast enough' for word processing and web browsing, and it can even handle many modern games , as long as you set them to fugly mode. It's in dire need or replacement though, maybe i can stretch it to 5 years, if i gave up PC gaming, and it will be able to handle web browsing for years to come.. but it is obsolete.. has been for at least 2 years, it just hasn't been 'so awful' I would stop using it.

But it is true, software makers are having a hard time making 'consumers' feel like they need to buy faster hardware. is that some tragic end of the world doomsday scenario? Wow i don't think so, how long have car makers had so very little they could do to make 'faster' more powerful cars? yet do people not go out and buy new cars still? There are Already people who want to believe that once they buy a PC they should never have to buy a new one, ever.

Personally, i'll always love the faster newer computers, but the next system i built will probablly have to make due for a long time kinda like this one did.

My services (1)

Ced_Ex (789138) | more than 9 years ago | (#13549795)

Let me be the first to offer you those services as it describes my company exactly. We exchange security for a small meagre portion of your vast unused computer cycles and HDD space.

For everyone else, Do you need mass advertising? Do you need to get your message out in a cheap and effective manner? Contact me for mass electronic messaging promotions.

Re:My services (1)

FragHARD (640825) | more than 9 years ago | (#13549972)

love your sig...but isn't it backwards ;=)

Re:My services (1)

Ced_Ex (789138) | more than 9 years ago | (#13550229)

love your sig...but isn't it backwards ;=)

Really depends on what you plan on doing.

Re:The next step in security: benevolent parasites (1)

Mignon (34109) | more than 9 years ago | (#13549825)

What we have now isn't that different. When we set up a box, we can choose from a set of operating systems and applications. With all those choices we implicitly trust their creators and maintaners to some extent.

But it's not absolute trust; just as helpful bacteria in our mouths can get out of control, software may (will?) prove vulnerable. So we still have to monitor and maintain our systems, installing security patches and changing administration practices accordingly.

Re:The next step in security: benevolent parasites (2, Insightful)

elcheesmo (646907) | more than 9 years ago | (#13549860)

The problem is that the hacker would be using your computer resources for other illicit purposes, such as hacking computers belonging to other businesses. It would solve your problems at the expense of others. And imagine the liability of having their attacks traced back to your computers.

It would be no different than giving guns to thugs to protect your business. When they do finally get busted, the FBI will find your fingerprints on the guns.

Re:The next step in security: benevolent parasites (1)

tdvaughan (582870) | more than 9 years ago | (#13549882)

Sounds like how Ankh Morpork runs - Vetinari legimised crime by creating the guilds but made them responsible for keeping crime to within agreed limits. Of course, he had leverage over the guild leaders to make them comply. Not sure what I'd have over some Russian kid who I've never met.

You mean they don't already do that? (1)

mdarksbane (587589) | more than 9 years ago | (#13550277)

I've always assumed that was what Norton was doing when it randomly stole half my CPU to not scan anything. I mean, it makes a lot more sense for them to *steal* my processor cycles than just *waste* them, right?

Re:The next step in security: benevolent parasites (1)

fshalor (133678) | more than 9 years ago | (#13550834)

Ah so you noticed! I was wondering what Microsoft was doing with my hardware all these years...

Lunix (0)

Anonymous Coward | more than 9 years ago | (#13551062)

I think Cox should focus on getting Linux up to par with Windows before he starts looking at 'the future'. How can he see the road ahead when he is stuck behind a bus?

Re:The next step in security: benevolent parasites (1)

part_of_you (859291) | more than 9 years ago | (#13551145)

Kinda makes me feel like rolling over and crapping my pants, and maybe gagging a bit. What's the difference between letting someone own your box, and not own your box, if someone owns your box???

"Hi I'm a 1337 Hax0r and I offer you a deal. Me and my friends will not take over your disk space if you give us some of your disk space."

It would be better to have a PC that is riddled with virus' and spyware, that infects anyone who ties up to it, and just have it as a dummy-PC for the 1337 Hax0rs to have to deal with. It wouldn't be a trojan horse, it would be a trojan castle.

Both, I think are a waste of disk space.

50 years, eh? (5, Insightful)

grub (11606) | more than 9 years ago | (#13549573)


[...] at the moment computer security is rather basic and mostly reactive.

OpenBSD [openbsd.org] has been proactive since Day 1. And, really, can anyone speak authoritatively on computer issues 5 years in advance let alone 50?

If I drank a strong tea brewed from Theo de Raadt's toenail clippings I could glean knowledge from perhaps a couple of days in the future, but beyond that you're getting into the realm of Xenu.

Re:50 years, eh? (0, Funny)

Anonymous Coward | more than 9 years ago | (#13549668)

If I drank a strong tea brewed from Theo de Raadt's toenail clippings I could

get a really nasty fungus infection in your mouth!

Re:50 years, eh? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13549901)

Since you mentioned OpenBSD...

Having a Linux kernel hacker discuss security is like having Rich Kotite [tripod.com] discuss football strategy.

Re:50 years, eh? (1)

Trigun (685027) | more than 9 years ago | (#13550950)

I'd hazard to guess that if anybody can talk about computer security in the next 50 years, it'd be Alan.

I hate to compare him to Jesus, but he has the beard and sandals...

But you said (0, Troll)

RandoX (828285) | more than 9 years ago | (#13549596)

... Linux was only 5 years away from mainstream.

Re:But you said (2, Insightful)

Alexis Boulva (873401) | more than 9 years ago | (#13549758)

as the number of new computer users increases, their average level of intelligence decreases. same thing happens when it comes to IT professionals, sorry to say.

looking back on the last 50 years, (4, Insightful)

JeanBaptiste (537955) | more than 9 years ago | (#13549600)

I can't see how anyone can claim to know what is going to happen in the next 50.

Re:looking back on the last 50 years, (3, Informative)

mov_eax_eax (906912) | more than 9 years ago | (#13549695)

RTFA. even if the title of the interview says "The Next 50 Years of Computer Security" the content is not related with the next 50 years, there are just some superficial random thoughts of alan cox about CURRENT security.

Re:looking back on the last 50 years, (1)

Daveznet (789744) | more than 9 years ago | (#13549700)

Agreed, especially with the quantum computers/cryptography security in the computer industry will be very different than it is now.

Re:looking back on the last 50 years, (1)

yoshi_mon (172895) | more than 9 years ago | (#13549750)

While I'll agree that 50 years is a long time no matter how you slice it, all the more so for computers, but I think it's pretty safe to say that since computers and all the related tech have moved beyond the "brand new" phases of develoment that it's possable to make some generlaizations regarding their future.

Unix itself has shown to stand the test of time so far and with the continuance of Microsofts monopoly (and what amounts to the goverments near approval of it) monopoly the shape of things to come is not as foggy as say in the 70's or 80's.

Oh, it's easy! (2, Funny)

jabber01 (225154) | more than 9 years ago | (#13549768)

Extrapolating recent trends, Pokemon will be President of the United Corporations of America. The United Middle East will be America's closest friend. Together, we will have obliterated the EU. No one will care about poverty and disease in Africa.

Computers will be so small, they'll be ingestable, with music players and cell phones being implanted in teeth. But DRM will be so pervasive that the RIAA will be allowed to inspect your mouth with toothpicks. The weakest link in computer security will still be the human being.

Re:looking back on the last 50 years, (1, Insightful)

cbiltcliffe (186293) | more than 9 years ago | (#13549802)

Easy...watch:


In 50 years, we'll have flying cars, world hunger and poverty will be a distant memory, and we'll all have a small nuclear fusion reactor in our basement which will power everything from our maid service robot to the 512-core 650GHz Pentium 17 computer in your home office.
Bill Gates will disband Microsoft when he retires, and all his billions will be donated to help sick kids on Mars. (We'll have settlements there, after all, but the hospitals won't be quite up to snuff for a few more decades.)
When the Voyager 17 warp-drive probe reaches Alpha Centauri in 2043, it will be regarded with deep suspicion by the natives, and subsequently dismantled. George W. Bush the 5th will then unilaterally decide that the Alpha Centaurians must be in league with Al-Qaida, and declare war on them.
Using the decades-old first-strike policy [slashdot.org] he'll order pre-emptive nuclear strikes on all planets in the Alpha Centauri system (just to be safe....wouldn't want those pesky terrorists to go changing planets in the months it will take the missiles to reach the system....)
The Centaurians will see the missiles coming before they're even halfway there (after all...they didn't underfund their Hubble project), and come out to meet them, blowing them up in deep space where they can do no harm. They'll then continue on to our planet, quickly determine that the order to destroy them came from the White House, blow up Bush and Congress, and tell us all to stop being so fscking childish and grow up.
Then, just to prove they mean business, and that if we want to play in the galactic neighbourhood, we've got to play nice, they'll blow up both the RIAA and MPAA headquarters, before heading back to their own planet.
The rest of us will soon realize that without Congress, and the ??AA, the earth has suddenly become a very nice place, and we'll stop trying to go away to other planets.


See, it's easy to claim to know what's going to happen in 50 years. You'll be full of shit, but you can still claim it.

Re:looking back on the last 50 years, (1)

FragHARD (640825) | more than 9 years ago | (#13550042)

I just read <<In 50 years, we'll have flying cars, world hunger and poverty>> and I figured you were right on th money, then I kept reading and noticed you were right in with the rest of optimists. :=(

Re:looking back on the last 50 years, (1)

cbiltcliffe (186293) | more than 9 years ago | (#13551176)

Yeah, well....I was loading the sarcasm in there with a forklift, so you might want to re-read it....

I was especially proud of the part about GWB the 5th....

Sounds like an idea... (-1, Flamebait)

highcon (857286) | more than 9 years ago | (#13549606)

"We are still in a world where an attack like the slammer worm combined with a PC BIOS eraser or disk locking tool could wipe out half the PCs exposed to the internet in a few hours. In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."

Bet that would get people switching in droves to "alternative" operating systems which were immune to the attack.

Re:Sounds like an idea... (0)

Anonymous Coward | more than 9 years ago | (#13549638)

Are you really that naive, or were you just trying to get modded up?

Re:Sounds like an idea... (0)

Anonymous Coward | more than 9 years ago | (#13549861)

Hah, don't you wish.

No, the reality of the matter is, their computer "just broke" because of "evil hackers" so they need to buy a new one from best buy, the one the pimply faced sales rep will be immune from that kind of attack, the one that's conveniently very expensive.

Fortunate? (5, Insightful)

Krast0r (843081) | more than 9 years ago | (#13549620)

"In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them." - however in a sense we are unfortunate that they generally take control of them to destroy someone elses computer, it just depends on how selfish you are.

Re:Fortunate? (1)

Fungus King (860489) | more than 9 years ago | (#13549737)

True. Well, if a system is obliterated on infection, it can't spread... not really the behaviour of a virus. Still, by letting them not do something cruel like wipe the BIOS or trash the filesystem or something and just hijacking it's internet connectivity and letting them spread, you can get maximum exposure while still causing plenty of infuriating moments.

My flatmate got a virus that lurked for a while and then deleted ntoskrnl.exe so Windows wouldn't boot anymore - that wasn't fun.

Re:Fortunate? (1)

SpaceLifeForm (228190) | more than 9 years ago | (#13550281)

Probably a POC. One of these days, such an attack will take down many many doze boxen. It will be a real wakeup call for many people. Those that have been paying attention are already off or weaning themselves off of the MS addiction.

Those that have not been paying attention or are buying the MS FUD are taking a huge risk.

Destruction would yield better protection. (1)

khasim (1285) | more than 9 years ago | (#13550054)

Right now, the worst that happens is you have to reformat your hard drive when the pop-ups and re-directors stop you from doing anything online.

If the systems were destroyed, you'd see a lot more effort put into protecting them.

Global proofs of security are not on.. (4, Insightful)

Ckwop (707653) | more than 9 years ago | (#13549629)

This last area is very important. We know the theory of writing secure computer programs. We are close to knowing how to create provably secure computer systems (some would argue we can--e.g. EROS). The big hurdles left are writing usable, managable, provably secure systems, and the user.

It may be possible to establish "limited" proofs of security which are tightly defines in small areas but a provably secure operating system is impossible. It's impossible on so many levels that I expect that Alan Cox doesn't understand the issues deeply enough.

There are a number of problems with creating a secure operating system. One is the amount of code it takes. You can't create a security proof on huge volumes on code. Hundreds of lines? probably. Thousands of line.. maybe.. hundred of thousands? no chance.

The next problem is that we haven't figured out a way to make security modularise. You can't say "method 1 is secure, method 2 is secure therefore using method 1 after method 2 is secure. It just doesn't work like this. You can put two secure pieces of code and get insecurity. This means you have to treat the whole operating system as one huge program all of which needs to be proven secure.

The third problem is that even you establish a proof of security this still isn't enough. Your proof is based on some formalisation of the language but the compiler itself might be buggy (either by accident or on purpose) and might compile in a way that breaks your proof. Ouch! cuO

Too often we strive to absolutes in security. Security is not binary. It is not a zero or one but a complex set of trade-offs and risk mitigation.

Simon.

Re:Global proofs of security are not on.. (0)

Anonymous Coward | more than 9 years ago | (#13549841)

Quote the parent:
>It's impossible on so many levels that I expect
>that Alan Cox doesn't understand the issues deeply
>enough.

I'm sure the parent, a 21 year old "junior C# developer for a company in Manchester," knows better than Alan Cox, a 37 year old "programmer heavily involved in the development of the Linux kernel since its early days (1991)." and can tell him a thing or two about creating a secure OS.

Re:Global proofs of security are not on.. (4, Insightful)

querencia (625880) | more than 9 years ago | (#13549883)

"I expect that Alan Cox doesn't understand the issues deeply enough."

I hope someday I am cocky enough to make that statement.

"You can put two secure pieces of code and get insecurity."

Of course you can. But you can also put two secure pieces of code and prove that the combination is secure. The fact that the two pieces that you're combining are provably secure means that there is less work for you to do. Nobody is talking about writing the "Linux is secure" proof. If you start with the building blocks of secure systems and make them provably secure, you can absolutely combine them to come up with "provably secure systems."

"... a provably secure operating system is impossible."

You are wrong. Perhaps a provably secure Linux is impossible. But Alan Cox didn't say "operating system." He said, "system." Always pause (at least briefly) before suggesting that you have a better understanding of operating systems than Alan Cox.

Re:Global proofs of security are not on.. (1)

Coryoth (254751) | more than 9 years ago | (#13550407)

You are wrong. Perhaps a provably secure Linux is impossible. But Alan Cox didn't say "operating system." He said, "system." Always pause (at least briefly) before suggesting that you have a better understanding of operating systems than Alan Cox.

These guys [coyotos.org] are working on just such a concept, attempting to write a microkernel OS in a language that supports formal semantics amenable to verification and correctness proofs. It seems they are still just getting underway, but it looks like an interesting project.

Of course this will not guarantee 100% security because "secure" is a rather loose term and will mean more than just a kernel that doesn't have any buffer overflows or other bugs. They will be able to, however, tell you very precisely what exploits and attacks the system is definitely secure from, which would be quite a significant step forward.

Jedidiah.

HOWTO: Provably Secure Linux (3, Interesting)

jd (1658) | more than 9 years ago | (#13550931)

Here are some steps to produce a provably secure version of the Linux Operating System. And, yes, I mean provably secure. It is not the only method, it is not necessarily the best method, it is merely a workable* method.


*Workable means you can do this in finite time.


1) For each function, determine the preconditions, postconditions and the formal description of that function.


2) For each of the derived specifications, modify the specifications to be robust (ie: no invalid states are possible).


3) For each subunit of code that is referenced outside of the unit it is within, add mandatory access controls with a default of "deny", except for the mandatory access control system's check access function which should have a default access of "accept", and the bootstrap code which should have no access controls as the MAC system won't be running at the time.


4) MAC systems should be heirarchically defined in terms of linking a set of users to a set of rights those users can have. You then have as many mappings of this kind as you need. But because it is heirarchical, an application run by another application cannot assign rights it doesn't know about, nor can it assign rights to users it doesn't know about. An application accessed by paths with different rights must associate the rights to the path used to connect to it and define those as the superset of rights that path has when calling sub-components.


Oh, and MAC system interaction should follow the paradigm laid out under the Bezantine General's Problem - in other words, MAC systems should distrust each other enough that they can detect any MAC system that turns traitor.


5) MAC should apply to EVERYTHING. The network, memory pools, swap space, shared memory, everything. No resource should have permit access rights by default and no resource should allow unconstrained access granting. The resource should be able to control who can be granted access, so no one central system hands out access.


6) Remote connections (via any kind of connection outside of the defined physical machine) should be secure channels (host authentication, user authentication and data validation) and should have access rights limited to the subset of rights allowed to both remote connections, the remote host and the user who is performing the access. This is in addition to any constraints imposed by the application being connected to or any access rights it inherits (and is therefore limited to).


7) As part of 5, no "superuser" account should exist. Administrator accounts should only be permitted to administer, they should not be permitted to do anything else. There would be no "root" account, for example.


8) Once the specification has been hardened as above, it then needs to be re-implemented as code and then the code must be formally verified against the specification for correctness.


The first consequence of all of this is that paths would be very tightly constrained, making any kind of breaking out of the box about as close to impossible as you can get.


The second consequence is that because all access control is independent (but heirarchical), breaking the security of one module won't affect the security of anything else and won't grant any rights in excess of the subset defined by the intersection of the rights allowed by the path of connection, the broken module, the module then accessed and the broken module's rights within the module then accessed.


The third consequence is that, because the default is "deny", nothing can do anything not explitly authorized by the entire chain of connections.


Could this be done in Linux? Sure. If you add the kernel, X, KDE/QT, Gnome/Gtk, the GNU suite, etc, together, you're probably talking a billion lines of code. One million coders could probably do this entire eight-step lockdown over the whole of that codebase in a year, maybe two. There are more than a million coders on the planet, and I don't see the world ending in two years time, so that makes it possible.


Would it be feasible? That's another question entirely. A million coders, at $75,000 apiece, for two years, would come to $150,000,000,000 - about what Hurricane Katrina is estimated to cost, in total. The Federal Government could certainly spend that amount on Linux development, but they're about the only ones who could.


Of course, the OS would have moved on in two years. The synchronization effort won't take as long, though - probably six months, then a further month to re-synchronize from the time taken to do that.


Compiling and formally testing the binaries might easily take another five months, bringing the total development time to 3 years.


After that, I'd call that "provably secure". Modules won't trust a module that has been compromised (Bezantine General's Problem), won't trust users or applications outside of what those users/applications are allowed to do AND what the called application can do (MAC + default of deny), and can't be accessed by untrusted sources (all connections, channels, memory and shared resources are covered by MAC).


If you can find a way to break something like this, in software alone, let me know. As best as I can tell, this beast is vulnerable to hardware attacks but that's about it - and even those would be limited in value.

Re:HOWTO: Provably Secure Linux (1)

Coryoth (254751) | more than 9 years ago | (#13551108)

Sounds like an excellent plan of attack. And it is even somewhat feasible on some level - doing the whole software stack is probably going to be far too much to bite off in one go, but the problem can be broken down and attcked in pieces. Just securing the kernel itself to this degree would be a significant benefit, and worth doing. Equally you can break that project down to some extent: just having a side project in the kernel performing steps 1 and 2, probably just in core functions at first, is quite feasible, and could have sufficient benefits to make it worthwhile. It is the sort of thing you can, at least to some extent, chip away at with a fairly long term time frame. It will be interestin to see if any such thing actually occurs. In practice I expect it will need some impetus, some decently sized group stepping ap and getting things started, much like the NSA adding MAC for SELinux. Once underway I suspect it could easily take on a momentum of it's own and become self sustaining. We cna but hope.

Jedidiah,

Re:Global proofs of security are not on.. (2)

GigsVT (208848) | more than 9 years ago | (#13550187)

The main issue isn't complexity, at least not on an OS level. Systems like EROS and other Take-Grant type systems can be provably secure. The problem comes in the administration of multi-user system.

People have enough trouble managing simple systems like Unix-style permissions and Novell NDS permissions.

Most multiuser systems I've come across in actual use have pretty glaring security problems, just because of the complex nature of the way people want to use them.

At some point it becomes easier to just say "OK fine, we'll give this whole group of people this particular (overly broad) access... it's better than them having to come bug an admin every 10 minutes".

Another example, this one a particular problem for an internal app I had a big role in designing. Every user is given a password, and told not to give it away. A few months later it's exposed that many users know other user's passwords. Turns out when someone was on vacation or sick, someone had to be able to get access to the data normally reserved for that person only. This can usually be designed around, but it's the sort of thing that complicates these matters.

Daemons and programs are easier, they don't change roles or start working with different people unless it's a well defined change concurrent to an upgrade.

Re:Global proofs of security are not on.. (1)

davecb (6526) | more than 9 years ago | (#13550191)

There are A1 systems by the orange book criteria, all of which which have small, provably secure security kernels. This amounts to an existance proof that the first point is in error.

Alas, Ckwop is right in saying it's hard (:-)) You indeed need to limit the thing you propose to have secure.

--dave

Re:Global proofs of security are not on.. (2)

jbrandv (96371) | more than 9 years ago | (#13550675)

You are wrong. There are at least two "provably secure operating systems" EROS and SCOMP. These are Orange book proven systems which have NEVER been hacked and many groups have tried. The only problem is that they are so secure it is very hard to get any real work done with them. Ask the folks at Los Alamos and Mitre.

Hurd? (1)

gr8_phk (621180) | more than 9 years ago | (#13551050)

"You can't create a security proof on huge volumes on code. "

So we need to write smaller code. Perhaps the "kernel" of the OS should not be responsible for memory management and device drivers, but security of communication between all parts built on top of it (including APIs and hardware access). Perhaps the micro-kernel will have its day after all. How does the security model of the Hurd differ from that of Linux?

Re:Global proofs of security are not on.. (1)

conJunk (779958) | more than 9 years ago | (#13551211)

The third problem is that even you establish a proof of security this still isn't enough. Your proof is based on some formalisation of the language but the compiler itself might be buggy (either by accident or on purpose) and might compile in a way that breaks your proof. Ouch!

Don't ommit the obvious: if i unplug the computer, encase it in cement, and burry it in my garden, it is secure.

Functional? No. Secure? Yes.

Bull! (3, Insightful)

cbiltcliffe (186293) | more than 9 years ago | (#13549630)

In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them.
Not a chance. Because with that, we've got millions of clueless users who think that because their computer turns on, it can't possibly have a virus/worm/spy trojan, so they do absolutely jack shit about it. Meanwhile, I'm still getting copies of Netsky.P emailed to me. It's almost a year and a half old, for Pete's sake!!!

Re:Bull! (1)

MaceyHW (832021) | more than 9 years ago | (#13549712)

While I agree that more damaging viruses would spur users to be more concerned about security, the "we" in that sentence clearly was meant to mean all computer users, not just the IT-elite who would be freed from stupid questions and DDOS attacks by the sudden destruction of 50% of the world's pcs. (not to mention it would put a lot of /.ers out of a job)

'tis a pity... (5, Insightful)

advocate_one (662832) | more than 9 years ago | (#13549636)

We are still in a world where an attack like the slammer worm combined with a PC BIOS eraser or disk locking tool could wipe out half the PCs exposed to the internet in a few hours. In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them.

cos if they actually destroyed them, then people would take proper care... apparently, it's quite normal for people to view their ms-windows boxes filling up with vermin etc. as just a fact of computer life... they only do something when they can't get online anymore... and then it now appears cheaper to buy a new box than get the damned thing fixed properly...

Re:'tis a pity... (1)

reclusivemonkey (703154) | more than 9 years ago | (#13550427)

and then it now appears cheaper to buy a new box than get the damned thing fixed properly... ...or install Linux on it.

Not that I really wish for that to happen... (2, Funny)

Kristoffer Lunden (800757) | more than 9 years ago | (#13550443)

... but it would be pretty interesting days to live in for a time. Just imagine the circus! =)

Then again, it might just be good for us who run not Windows. I mean, most important servers and the like aren't running Windows anyway, and those who do are probably pretty well firewalled. So we'd have the internet all to ourselves - probably the only thing I'd notice for quite some time is a shorter "Online Buddies" list. ;-)

Now, if we had the games, imagine those ping times!

The good ol' days... (4, Funny)

traveyes (262759) | more than 9 years ago | (#13549644)

...when a virus just wiped your harddrive....

.

Re:The good ol' days... (1)

AvitarX (172628) | more than 9 years ago | (#13549966)

Thank you CotDC for the Churnoble virus.

Erase the flash, write random data on the first MB of each HD (luckily it didn't use the hardware and only hit drives Win recognized, so my Linux partition was in tact).

The was the first time I used Linux exclusivly (I had an old computer at the time that I could run BBox on or the CL. I learned all about splitting windows in Emacs (to use an AIM client) and eventually I learned about ALT+Fkey so I didn't need to CTRL+Z emacs and than bg it so that I could run lynx and converse at the same time.

Before getting Linux on the old computer, I remember struggling to find TSR programs to do things, I eventually found a great CD player. It was also a great oppurtunity to play Arena again since I had forgotten teh mojo of making boot disks and could never get DOS mode to have enough memmory for Arena (witch needed something like 618K of that 640.

I say thank you half facitiously because I learned a lot on the cammand line and desktop Linux in general saving up money for a new motherboard to replace the chip. I also used windows for very little over the next year, but eventually the need to reboot to print overcame the conviniance of any software I needed for free (oh yeah, $10.00 old games vs $40.00 ones helped too).

I can't be the only /.er that got hit by this (though maybe the only to admit it).

Re:The good ol' days... (3, Insightful)

TheRaven64 (641858) | more than 9 years ago | (#13549973)

The most successful ones back then waited a few days / weeks and infected every floppy disk you inserted (executables and boot sector) so that they didn't die out immediately. Of course, the longer this period was, the more copies of the virus would exist and the more successful it was. Eventually, the period extended to infinity - the virus would infect the `host organism' and use it to create copies of itself until it was detected and killed. A virus with this strategy was far more successful - in fact the most successful virus would be one that didn't have any adverse effect on the computer at all.

And that, my friends, is an example of both evolution and intelligent design in operation.

Obligatory Simpsons Quote... (3, Funny)

bigtallmofo (695287) | more than 9 years ago | (#13549645)

Professor Frink: Well, sure, the Frinkiac-7 looks impressive, don't touch it, but I predict that within 100 years, computers will be twice as powerful, 10,000 times larger, and so expensive that only the five richest kings of Europe will own them.

Re:Obligatory Simpsons Quote... (1)

Sorthum (123064) | more than 9 years ago | (#13550499)

Was he talking about Windows Vista hardware reqs perchance?

I only scanned the article (2, Interesting)

TubeSteak (669689) | more than 9 years ago | (#13549655)

But there's really no way we can predict what computers are going to be like 15 yrs from now... much less computer security.

In 50 yrs I'm going to assume that IPv6 (or v7,8,9) has taken over the world. Wouldn't that do a lot for basic internet security? No more scanning and rooting boxen.

As for stuff like BIOS erasers and disk locking tools, e-mail will no longer be a useful attack vector due to filtering. The again, nothing can defeat stupidity.

Disclaimer: IANAL

Re:I only scanned the article (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13549714)

it's a good thing you let us know you're not a lawyer when offering opinions that have nothing to do with the law

The virus that 'helps' you (2, Interesting)

digitaldc (879047) | more than 9 years ago | (#13549671)

"In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."
Of course, we will have to worry about the attackers that inadvertently destroy systems while trying to control them.
I'm afraid I can't let you do that, Dave...this virus is too important for me to let you jeopardize it.

Re:The virus that 'helps' you (0)

Anonymous Coward | more than 9 years ago | (#13550575)

That's not a worry, that's called zombie control. I worry that they don't destroy enough.

My prediction for the future of the next 50 years (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13549721)

Instead of post-it notes with written passwords attached to people's monitors or keyboards, people will have 3d holographic, semi-autonomous post-it notes with written passwords floating over their monitors or keyboards.

where is the freebsd virus? (0, Offtopic)

RouterSlayer (229806) | more than 9 years ago | (#13549752)

Which reminds me,
where the hell is that freebsd virus?

The one that would infect windows systems, and once infected reformat the drive and install freebsd?

I've always wanted to actually see this thing...
so where is it? ;)

Re:where is the freebsd virus? (0)

Anonymous Coward | more than 9 years ago | (#13549891)

Dunno about freebsd but let's see the steps one could take...the "virus" gets downloaded onto the machine with a working kernel image/shell and a few tools. Something like a tomsrtbt or whatever floppy based distro is out.

Partition the machine, put that disc image in, modify the mbr so it boots from that partition on the reboot. Optionally, determine the uptime of that particular server and its internet connectivity. If you're gonna plop a distro into it (Knoppix?) you'll want a machine that's used to being left alone with an internet connection for a long time.

Reboot the machine and have it autopilot through the new partition. Have that do the actual distro install without human intervention. From there, the distro installs and task is done. I suppose you'll want to include something that scans others to do the same. :)

fast vs. slow spreading... (4, Insightful)

markana (152984) | more than 9 years ago | (#13549822)

"In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."

This is not necessarily a good thing. I've read that Ebola and other very nasty diseases don't spread as far as they might, because they wipe out their carrier population too quickly. As opposed to HIV, which has time to slowly spread out. If an infected PC self-destructed after one round of outbound spreading, then it's not going to be continually spewing the junk like they do today.

Such a virus would burn through the supply of unprotected PCs quickly, and then go away.

Re:fast vs. slow spreading... (1)

tsmithnj (738472) | more than 9 years ago | (#13549853)

Sounds like a cure to me.

Re:fast vs. slow spreading... (1)

David Off (101038) | more than 9 years ago | (#13551207)

> This is not necessarily a good thing. I've read that Ebola and other very nasty diseases don't spread as far as they might, because they wipe out their carrier population too quickly. As opposed to HIV, which has time to slowly spread out.

Fortunately /. readers are well protected against both computer viruses and HIV!

Anybody else see "AC" for Alan Cox... (0)

Anonymous Coward | more than 9 years ago | (#13549828)

And read it as Anonymous Coward? Makes the article funnier.

Problem is Users... (2, Insightful)

sarlos (903082) | more than 9 years ago | (#13549833)

If we could eliminate all users, the internet would be much safer! All joking aside, what it comes down to is this: As long as there is information people want to protect, there is going to be someone who wants to read it, distribute it, sell it (?). Let's play a mental game.. Suppose we come up with a truly proactive system to protect a home PC (which are mainly target to be zombies against riper targets). All a hacker need to do is purchase a copy (or download it from IRC or some file-sharing service) and keep trying their virus or exploits against their own system on their own network until it works. Now you're still going to be dependent on the old reactive system of doing things to patch your brand new proactive system. Until we change the way we think about network security and adopt more distributed solutions to this problem, it's going to very difficult to stop these people. In my opinion, it's going to take a completely different way of thinking about networking which, sadly, probably won't happen until some new technology necessitates it.

i know what it is. (1)

romeo_in_blk_jeans (782924) | more than 9 years ago | (#13549851)

The next 50 years of computing will see the introduction of AI to PC's in the form of an expert system designed to protect against intruders and malicious programs.

Re:i know what it is. (1)

LuckyStarr (12445) | more than 9 years ago | (#13550009)

designed to protect against intruders

Don't make me laugh!

The next 50 years of computing will see the introduction of intruding AIs to PCs in order to control the integrity and lawfulness of the user.

benevolent worm (5, Funny)

someone1234 (830754) | more than 9 years ago | (#13549869)

A worm which would spread fast like slammer and destroy infected machines after a short time is actually benevolent. It will destroy only machines that would otherwise be used as spam zombies. The day after the outbreak the internet would be clean again!

Whitehat Extremists (4, Interesting)

mrwiggly (34597) | more than 9 years ago | (#13549924)

A group of whitehat extremists may become tired of lusers that don't patch their systems, and decide that they don't deserve to use the internet.

They then launch their virus and destroy on all non-patching infidels.

What, it could happen.

Re:Whitehat Extremists - Greyhays (1)

MooseTick (895855) | more than 9 years ago | (#13550174)

I believe those types would be classified as greyhats.

Re:Whitehat Extremists (1)

GigsVT (208848) | more than 9 years ago | (#13550272)

What, it could happen.

Indeed. What SPEWS does is not so different from what you are proposing.

Re:Whitehat Extremists (1)

greg_barton (5551) | more than 9 years ago | (#13550758)

A group of whitehat extremists may become tired of lusers...

You mean, like, the Vorlons?

Yawn... (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13549956)

The Next 50 Years of Computer Security

HA-HA-HA-HA...

Nothing to see.. Move along... End of story.

Pretty Unimaginative Vision (1, Insightful)

Anonymous Coward | more than 9 years ago | (#13550046)

This is a vision of the future produced by someone stuck in the past. :)
No offense, but a *lot* can happen in 50 years...

Re:Pretty Unimaginative Vision (1)

Mr. Underbridge (666784) | more than 9 years ago | (#13550341)

No offense, but a *lot* can happen in 50 years...

Yep. 50 years ago, the computers we have now would have been inconceivable. But 50 years ago, the computers we had 30 years ago were also inconceivable.

Re:Pretty Unimaginative Vision (1)

TheRaven64 (641858) | more than 9 years ago | (#13550536)

You think? Alan Turing introduced the concept of the Universal Turing Machine in 1936 - almost 70 years ago. Everything we've done since then has just been making smaller and smaller implementations - actually, they're not even full implementations, since a UTM has infinite storage space.

Fortunate? (2, Insightful)

Anonymous Coward | more than 9 years ago | (#13550100)

From the summary...

In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them.

Personally, I find it unfortunate. We would be more fortunate if the attackers did seek to destroy. I'd rather irresponsible people's computers were fried than to get tons of spam and viruses sent by them.

We all love anal cocks (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13550255)

Sure we do :)

Alan Cox (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13550347)

What does Alan Cox know about security?

Not until Linux makes security a priority (0)

Anonymous Coward | more than 9 years ago | (#13550861)

This will probably be modded as a Troll or Flamebait, which I suspect is how many people here will see it. *sigh*

The fact is that Linus and most of the linux kernel dev team don't see security as a priority. Linus designed linux to be fast and flexible. He achieved those goals admirably. But the design does not take security into account.

Yes, there are a couple of projects that are doing a great job trying to bolt security onto Linux, but in all seriousness, the security is just bolted on, not built in. So until we, as a community, start to take security into account as a priority, Linux will still have a very reactive security approach.

Perfect attack for hardware vendors (1)

greg_barton (5551) | more than 9 years ago | (#13550863)

We are still in a world where an attack like the slammer worm combined with a PC BIOS eraser or disk locking tool could wipe out half the PCs exposed to the internet...

Wouldn't a variant of this attack be great for hardware vendors? Read the BIOS and kill a certain percentage of the oldest computers per year. They're old, so folks probably wouldn't think twice about a hardware failure.

Instant upgrade.

Profit!

mod5 doWn (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13551202)

Preferrably 3xith an
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?