
SoylentNews is people

posted by Fnord666 on Friday March 24 2017, @02:23AM
from the onions-have-layers dept.

The principle of Defence in Depth ("DiD"), says OWASP (Open Web Application Security Project), is that "layered security mechanisms increase security of the system as a whole". That is, if one layer of protection is breached, there's still the opportunity for the attack to be fended off by one or more of the other layers. If anyone's ever drawn something that looks like an onion on the whiteboard – a load of concentric layers with your infrastructure in the middle – that's the concept we're looking at. It's actually a military term that's been adopted by security types in the IT industry who want to be tank commanders when they grow up.

On the face of it it's a pretty simple concept to understand. Rather than just having (say) anti-malware software on your desktop computers, why not also make your Web downloads go through a filter that has malware protection on it too? And yes, this helps. But to do it properly you have to step back a few strides and have an overview of your world: although it's going to cost me 50p in the buzzword swear box, I'm going to say "holistic view".

I secure my systems by naming things like Perl regular expressions. Attackers instantly go cross-eyed and fall over.



 
  • (Score: 2, Insightful) by anubi on Friday March 24 2017, @05:03AM (1 child)

    by anubi (2828) on Friday March 24 2017, @05:03AM (#483514)

    I believe this whole security fiasco is the result of special interests' need of controlling things after the sale and installation on the customer machine.

    I also believe the only solution is to make an OS that has absolutely NO remote arbitrary code execution capability. That is to say the OS becomes much like a graphical calculator, capable of all the eye candy displays you would want, but no way to send a program to it - rather that would have to be initiated during physical contact with the machine, kinda like in one of the Star Trek movies where V-Ger flat insisted on a physical contact. - And be able to hold the rightsholder of the program so loaded totally responsible for what it does in one's machine. Creating back doors in one's program for release to the public would come at a substantial risk.

    Now, I am not saying the machine cannot be remotely controlled.... rather I am saying that any program that would do the telemetry would have to be deliberately loaded.

    Anyone can download a file and run it if they wish, write their own, or pass copies of code around, run it at your own risk. It's not the OS's job to nanny who can do what. But it WOULD be the OS's job to accurately report on who is doing what. Holding programs accountable and verifiable for what they did.

    If the program I loaded instructs the machine to download yet more programs, and run them, tell me!

    Businesses have no problem with installing cameras to closely watch employees. Why can't my OS tell me exactly what programs are asking of it? Especially if one is on a "watch list" of programs "on probation".

    And, while I am on the OS, I also need trustworthy hardware booting from USB, so an alternative boot program can go out and verify the boot and OS part of my primary storage to be sure the OS is intact and is accurately reporting. The "safe mode" of Windows looks like a good start on this. Disable ALL startup stuff so it can be re-enabled one at a time to help find malicious code.

    Then the burden of trustworthiness is on the rightsholder of the software I loaded... no different than holding an employer responsible for what his employee did in my home. If I contracted to have the house painted, and while he was doing it, he slipped in my house and emailed the contents of my computer to one of his colleagues, I would be furious. This kinda crap may be OK for "business-class" software but it has no place in a private home.

    That backdoor crap has no place in the core operating system.

    If some business makes backdoor-ridden software, let them... however this narrows down who is letting the cat out of the bag when the backdoors show up routing through that software. Once certain software vendors have a reputation of distributing programs riddled with STDs, they will acquire a reputation of being seen as risky and any business requiring it will be looked at as if that business insisted you visit the whore down the street before he will shake your hand.

    Much like I do with JavaScript right now. A business site tells me JavaScript is required. I click away.

    Many more of us need to do the same to send business a clear signal that we won't accept risky behaviour just to shake their hand or shop in their digital store. Many online businesses give me the same uneasy feeling as being required to shake hands with an extremely filthy doorman in order to visit their store. This thing blocking the door extends its hand, oozing with God-knows-what and I am not allowed to know, stating "Handshake Required!" I have to turn away and go somewhere else who does not implement the doorman. If I absolutely have to visit them, I have to wear as much antivirus as I can in order to comply with their business requirement.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 2) by WillR on Friday March 24 2017, @02:10PM

    by WillR (2012) on Friday March 24 2017, @02:10PM (#483642)

    "Why can't my OS tell me exactly what programs are asking of it"

    It can (see debuggers, strace, dtrace, kprobes, etc.) Most people don't ask it to, because they wouldn't understand the output. The ones that do ask very specific questions, not a blanket "tell me what you're doing", because on a 4GHz quad core CPU that would produce several gigabytes per second of log spew.
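
The exchange above, about a program that downloads more programs and runs them, can be put as one narrow question to strace output. This is an added example, not part of either comment or the linked article; the trace lines are constructed, and the function name and the three-syscall filter are assumptions chosen for the illustration.

```python
import re

# Constructed sample in the format written by:
#   strace -f -e trace=openat,connect,execve -o trace.log ./program
SAMPLE_TRACE = """\
4100  execve("./program", ["./program"], 0x7ffc1a2b3c40 /* 24 vars */) = 0
4100  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4100  connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
4100  openat(AT_FDCWD, "/tmp/helper.bin", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 4
4100  openat(AT_FDCWD, "/tmp/notes.txt", O_WRONLY|O_CREAT, 0644) = 5
4101  execve("/tmp/helper.bin", ["/tmp/helper.bin"], 0x7ffc1a2b3c40 /* 24 vars */) = 0
4101  execve("/usr/bin/missing", ["missing"], 0x7ffc1a2b3c40 /* 24 vars */) = -1 ENOENT (No such file or directory)
"""

# pid, syscall name, raw argument text, numeric return value
LINE = re.compile(r'^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+)')
PATH = re.compile(r'"([^"]*)"')              # first quoted string = path argument
PEER = re.compile(r'inet_addr\("([^"]+)"\)')  # IPv4 peer of a connect()

def downloaded_then_run(trace):
    """Report files the traced process tree wrote and later executed."""
    peers, written, findings = [], {}, []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m or int(m["ret"]) < 0:       # ignore noise and failed calls
            continue
        call, args = m["call"], m["args"]
        if call == "connect":
            peer = PEER.search(args)
            if peer and not peer[1].startswith("127."):
                peers.append(peer[1])        # remember non-loopback peers
        elif call == "openat" and re.search(r"O_(WRONLY|RDWR)", args):
            # record which peers had been contacted before this write
            written[PATH.search(args)[1]] = list(peers)
        elif call == "execve":
            path = PATH.search(args)[1]
            if path in written:              # executing something we wrote
                findings.append({"pid": int(m["pid"]), "path": path,
                                 "peers_before_write": written[path]})
    return findings

if __name__ == "__main__":
    for finding in downloaded_then_run(SAMPLE_TRACE):
        print(finding)
```

Filtering to three syscalls keeps the log small enough to read, which is the point about asking specific questions rather than tracing everything.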