Slashdot Log In
A Closed Off System?
Posted by
Cliff
on Tue Jul 11, 2006 09:50 PM
from the would-this-appeal-to-you dept.
from the would-this-appeal-to-you dept.
AnarkiNet wonders: "In an age of malware which installs itself via browsers, rootkits installing themselves from audio cds, and loads of other shady things happening on your computer, would a 'Closed OS' be successful? The idea is an operating system (open or closed source), which allows no third party software to be installed, ever. Yes, not even your own coded programs would run unless they existed in the OS-maker-managed database of programs that could be installed. Some people might be aghast at this idea but I feel that it could be highly useful for example in the corporate setting where there would be no need for a secretary to have anything on his/her computer other than the programs available from the OS-maker. For now, let's not worry if people can 'get around' the system. If each program that made up the collection of allowed programs was 'up to scratch' and had 'everything you need', would you really have an issue with being unable to install a different program that did the same thing?"
Related Stories
[+]
IT: Hackers Serving Rootkits with Bagles 150 comments
Iran Contra writes "Security researchers at F-Secure in Finland have discovered a rootkit component in the Bagle worm that loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners. Bagle started out as a simple e-mail borne executable and the addition of rootkit capabilities show how far ahead of the cat-and-mouse game the attackers are."
[+]
IT: Does Open Source Encourage Rootkits? 200 comments
An anonymous reader writes "NetworkWorld reports that security vendor McAfee places the blame for increased numbers of rootkits squarely on the shoulders of the open source community. Others, however, do not agree. From the article: 'Rootkit.com's 41,533 members do post rootkit source code anonymously, then discuss and share the open source code. But it's naïve to say the Web site exists for malicious purposes, contends Greg Hoglund, CEO of security firm HBGary and operator of Rootkit. "It's there to educate people," says Hoglund [...] It's a great resource for anti-virus companies and others. Without it, they'd be far behind in their understanding of rootkits."'"
[+]
IT: Undetectable Rootkits Through Virtualization? 237 comments
techmuse writes "eWeek has an article about a prototype rootkit that is implemented using a virtual machine hypervisor running on top of AMD's Pacifica virtualization implementation. The idea is that the target OS, or software running on it, would not be able to detect the rootkit, because the OS would be running virtualized on top of the rootkit. The prototype is supposed to be demonstrated at the Syscan conference and the Black Hat Briefings over the next month."
This discussion has been archived.
No new comments can be posted.
A Closed Off System?
|
Log In/Create an Account
| Top
| 177 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Wouldn't a live CD do this? (Score:5, Insightful)
(http://amanda.zmanda.com/)
No. - Re:Wouldn't a live CD do this? (Score:5, Insightful)
Seems to be a matter of reading 'man fstab' ... (Score:5, Informative)
(http://slashdot.org/)
Amazing what those guys back then thought of, is not it?
Paul B.
What a load of... (Score:5, Funny)
Windows Group Policy (Score:5, Interesting)
It'd be a huge nuisance but it's possible today.
Re:not quite! (Score:5, Informative)
(http://www.ocelotbob.org/)
I'd use it (Score:4, Interesting)
(http://wizarth.is-a-geek.org/)
System admin's would only allow updates from the offical repository, with a local repository for mirror/caching and business specific software packages.
I use something like this for my relatives. Give them a linux, don't give them root, make all updates/installations go through me.
Then print out a poster for my door "setup.exe will not run on your system"
On the subject of the CD Rootkit... (Score:3, Interesting)
code isolation (Score:5, Insightful)
(http://www.shambala.net)
Hypothetical question: "lusers" as decoys (Score:5, Insightful)
(http://kadin.sdf-us.org/ | Last Journal: Tuesday October 16, @01:46PM)
If we (hypothetically) closed off the "stupid user" vulnerabilities that are the major attack vectors right now, wouldn't the malware authors instead just concentrate on other, more technical, avenues of attack?
Here's my thought: maybe having systems vulnerable to idiot users is actually a good thing for the informational ecosystem as a whole. They're more than just the canaries in the coal mine (although they serve that function, too), they provide a steady stream of marks for the virus/trojan/malware writers and phishing-scheme authors of the world.
If these people weren't able to basically throw themselves on the swords of their own stupidity on a regular basis, couldn't this just lead to smarter malware, which affected more of us (not just the stupid/ignorant)?
Malware authors are inherently lazy and opportunistic. While there are still lots of "the monkey told me to click it so I did" people around, and ways to exploit this idiocy, that's what they're going to do. They're not going to mess around with esoteric buffer overflows to steal your information, when they can just send out some fake PayPal emails and watch the data roll in.
Given the choice, I'd rather have the primary attack vectors be ones that rely on user stupidity, rather than technical flaws, because 0-day technical flaws are too 'egalitarian,' attacking both the clueless user and the experienced person without warning. Personally, anything that keeps the collective attention of the Russian Mafia focused on people too dumb to check the URL line in IE before typing in their bank account information is a good thing in my book.
I know this isn't a very nice sentiment to hold, but if there was some hypothetical way to remove user stupidity as a vulnerability (not possible, so this is all just a mind game), maybe we'd be better off not implementing it?
I'm not suggesting that we shouldn't attempt to educate people on good computing practices, but if people are too lazy or disinterested to become educated, maybe in their laziness they can do the rest of us a favor by acting as the collective decoys?
Question moot. (Score:4, Insightful)
(http://blog.mzzt.net/)
"If each program that made up the collection of allowed programs was 'up to scratch' and had 'everything you need',"
Considering that is impossible, the question is pretty much moot, isn't it. I am always going to find more needs for things, and chances are I'm going to need a new piece of software. Even if an OS shipped with "everything", new things are invented all the time. Maintaining a "Closed OS" to allow for new things would be difficult, and to keep it relatively up to date even more so... but then it wouldn't really be closed if new stuff kept getting added to it...
Treacherous Computing (Score:4, Interesting)
(http://del.icio.us/jvz | Last Journal: Sunday December 03 2006, @12:45PM)
Smith-Corona to the rescue! (Score:5, Funny)
Yeah, turns out somebody was doing this for kind of a while. Called them "typewriters" or somesuch.
Really, much of the value of a computer lies in the fact that it's an extremely versatile device. Choosing to discard all that, and believe that you can know ahead of time every single thing you will ever want to accomplish with it, seems like a pretty bad deal.
OS X (Score:4, Interesting)
Vista + 'DRM' Hardware (Score:4, Interesting)
(http://nuxx.net/)
As I've said before, this would be a huge boon to IT departments all over the place. I'd love to be able to lock users to running a signed OS only the apps we specifically approve and sign. This would lock out all unapproved software *and* malware. If the OS is secure enough to keep there from being any ways around this, it'll be ideal.
Oh, and of course, as long as such trusted computing stuffs can be turned off for users who purchase the hardware and don't wish to use it, it's a win-win all around.
console? (Score:5, Insightful)
(Last Journal: Wednesday May 16 2007, @12:43PM)
Have had it for almost 30 years! (Score:5, Insightful)
(http://www.portcommodore.com/)
An OS without any 3rd party apps... (Score:5, Funny)
(http://freebytes.org/ | Last Journal: Monday July 28 2003, @02:58AM)
as a software developer... (Score:3, Insightful)
(http://xtifr.w.googlepages.com/home)
As a component of a larger, networked system, which had parts where I could install and run the software I was developing, then yes, no problem. But alone, by itself, no, it would be completely useless.
Of course, there's still some interesting questions about this theoretical beast. Is it scriptable? I often have quick one-off tasks that are best done with a quick script. If I can't run one-off scripts, then it's not "up-to-scratch" and doesn't have "everything I need", and if it can, then it's not a completely closed, locked-down system. The only way around that, even in theory, is to have an infinite number of monkeys providing you with all the scripts you could ever need in advance, and even then, there's probably be some difficulty finding the script you need right now from that infinite number of scripts. (Not to mention the costs of the infinibyte drives needed to store all those scripts.)
Bottom line, I think the notion of a machine that does "everything I need" is about as realistic as those old concepts of an irresistable force or an immovable object. Nice for creating logical paradoxes, but completely silly otherwise.
*groan* (Score:5, Insightful)
Oh, for fuck's sake! Don't give them any more ideas.
The extra cost of technology staff and the risk of a shittastrophe are nothing compared to abysmal employee morale. If you don't let 'em stroke off for a few minutes a couple of times an hour by going to ebay or playing snood you're going to end up with a resentful staff. And they'll produce awful, crappy work for you.
Not on my PC (Score:3, Insightful)
The concept is also flawed. Just because something isn't an executable doesn't make it not contain instructions that tell your computer to do something. Word macro viruses is a great example of this kind of problem. It's just a simple word processing document.. but it can also be a virus. The
This is not the answer to computer security.
Symbian OS 9.1 for cell phones. (Score:3, Informative)