620 posts • joined 3 Jul 2007
Just use a Live CD
There are so many good Linux distros running on a Live CD that it's just silly not to do it if you are worried about Big Brother and spyware and all that. For heaven's sakes, the CD can't be altered, so there's a guarantee of no spyware between boots. It's not that hard to do a different bit of clicks to open a different program to edit the same document.
And if you're really paranoid, stop using the stupid computers! Use paper, and the solitaire cipher.
Really, the "privacy bods" need to recognize that there are better solutions than useless scanners.
Plugging in phones to computers not allowed at Amazon
Amazon has a policy that forbids people plugging in their phones to any Amazon computer, and they're quite upfront about it. As in, "plug it in, get fired."
From the Lookout blog: "NotCompatible.C operators do not use any exploits that we know of and instead rely on social engineering tactics to trick victims into completing installation of the malware. One observed spam email informs the user that they need to install a “security patch” in order to view an attached file."
So it sounds like, "Here's your attached system update. Plug in your phone, and put it in developer mode. Thanks for joining our botnet!"
With ASICs, FPGAs, GPUs, and eye-popping networks on a chip, will quantum computers really amount to anything? Either it's going to be too late, or else it's going to be too expensive for anything actually useful, except by Big Government and Big Corporation. Really, does anyone expect a quantum computer priced like a PC?
By the time a quantum computer will be breaking encryption written today, the art of encryption will have moved beyond what would make that quantum computer practical. And no, it wouldn't be cheap enough for crims to purchase to crack our online transactions.
I predict the obvious: bad implementation and practices are our biggest problem. Always have been, always will be. "Passwords? We don't need no stinkin' passwords!" "Encryption? Uh, I saw a movie with that in it."
Harshing their mellow!
Oh, the pain, the horror! To be told that weak anonymizing protocols don't count for much! Tor should have a FAQ about how many ways its anonymity can be countered. It doesn't matter how many times the packet bounces around Tor's echo chamber, there are only so many entries and exits.
Tor is broken. Time for better protocols, where source and destination are anonymous, despite the fact that everything is in a big glass fishbowl!
Google is the best hope? Aw, sh...
"Google has more information on the people of the planet and more influence on the people of the planet than all of the governments combined." -- Andrew Greig, founder and CEO of Vizzeco.
He likens Google to the Borg. Actually, it sounds like the Borg and the dark side of the Force. "Don't be evil." Uh huh.
Quick, El Reg, go for it!
Now is the time to leverage all of the wonderful expertise gained with the intrepid Plamonauts, and go for that prize!
Tor = broken!
There are a lot of "secret" services which are essentially broken by design. The Tor service can be decloaked if one rents sufficient temporary capacity, and then makes a lot of requests to the site in question, and the analyzes the traffic on the captive Tor nodes. Eventually, the server that you are after lights up in the statistics, and you've got them.
Tor nodes can be evil, too, dumping malware on the files being transfered. Thus when feeding traffic back to someone, you can drop into the stream some exploits to easily track the user's computer.
The only way that a service can be effectively hidden is if it exists on multiple nodes, and move around of its own accord. There was a research paper about using the logic in the Game of Life to keep nodes alive, and give a stable user experience.
And what was doxbin? A blackmailing service! Kind of like an evil Wikileaks.
Shouldn't they have seen this coming?
There are so many capable maritime consulting companies available, I don't see why they weren't hired to do the job right the first time around. Really, does Google really have a need to burn money stupidly like this?
But TOR *IS* broken
Let's see, what do we need to do? Establish a bunch of "evil" TOR exit nodes? And how much do "cloud" servers cost? And there you have it.
But Silk Road 2.0 was broken through normal infiltration, and nothing else. ("Yeah, I'm a crook! I'm wearing a mask and carrying a crowbar." "Want to be a sysadmin on my evil site?") And then the Feds went on to do routine surveillance, which is something they are very good at.
Personally I'd really like to see the "sellers" serve time. Really, offering contract killing? I would so love to see crap artists like that in the slammer.
Not a panacea
Network access is not a panacea. Never has been, never will be. Yes, it can be good for some things. But it won't change the ox cart! If a third-world country's rural population is running at ox cart speed, no amount of network access is going to change that. The ox only moves just so fast.
The Internet made a difference in the first world countries because we already had networks, we were moving at the speed of trains, planes, and automobiles, and we had been doing so for quite some time.
Re: Everyone apart from me, obviously...
The phone will get to the Exchange server if it is allowed outside, i.e., like https://your.mail.server.com. Then just specify that you're connecting to it. As for the POP3 mail, some clients will allow you to just read what is currently on the server without downloading it. In the POP3 protocol, downloading and deleting the mails are separate operations.
It's not really a question of whether you can run your business on a phone, but how well it can be done. After all, not long ago paper and pen was how business was done, and we got by.
If one must do a good bit of typing, then a Bluetooth keyboard is the only way to go. Your productivity can only be severely hampered by thumb-typing or correcting all of the errors in voice recognition. Also, you will be zooming in and out of those documents a lot. Unless you have a big magnifying glass in front of your screen like in Brazil or Twelve Monkeys, your eyes can only resolve just so much, and you'll be trying to look at how something is laid out, and then trying to edit that. Not fun.
What steps to take?
What are they going to do, forbid all travel to north and south America? "Sorry chums, we love you, but you'll have to be isolated to save the newts." And the frogs, and whatever else this fungus loves to eat.
And then the fungus will mutate and eat us.
Collect garden gnomes, something else, PROFIT!
Interesting how they didn't show anything that actually had to do with wearable computing or computers. Fur suits and cue cards just doesn't cut it.
The first wearable computers we had were those little things from Sharp, the PC-1500, etc. OK, more like stuffable in a coat pocket, but close enough. The next thing that really caught on, and is still sticking with us, is the "mobile phone," with more screen resolution than a desktop monitor.
Since "augmented reality" is sure to be a larger distraction than texting, I'm sure that this will result in more Darwin awards (or runners-up or honorable mentions).
But it's still two blokes in a shed...
Look, everybody knows when ASIO makes a phone call because they have to move the wombat off the phone. In order for the other bloke to not listen in, he has to hold a koala on either side of his head to muffle out the sound.
At least they're better off than the Tasmanian office, where they haven't ever made a phone call because there's a Tasmanian Devil on top of it.
Wasn't there a Bitcoin fund for him?
IIRC, there was a Bitcoin fund for him, as a "thank you for making Bitcoin or sorry that you got fingered by idiots at Newsweek" set up for him. I suppose that's not enough for waging battle against Newsweek, though.
Industry has had IoT for quite a while
You do realize that industry, i.e., big machines and such, has had IoT for some time, right? It's just that nobody has made a big deal about it. Industry does have quite a lot to monitor, from the tire pressure in dump trucks to all kinds of factory processes. But it's an intranet, for local use only, security breaches aside.
Yes, I have IP cameras, but I don't open my network to the outside. That's part of the sensible nature of security, is to not expose what doesn't need to be exposed. So what about the fridge? The fridge isn't supposed to nag, it's supposed to report what's in it when you're at the store, trying to remember what's in it. You do realize that the alternative is to write things down on a slip of paper, right?
Look at all of the things that we use remotes for today. You realize all of that's IoT, but without the internet, right? I remember when a friend of mine, madly obsessed with remotes, had them all lined up on his coffee table, and then he wanted to turn off the telly. But that didn't work, because he'd grabbed his calculator instead. (It was hilarious watching him mash that red C/CE button!)
So what it comes down to, do we need industrial control for the home? Maybe a bit, but that's all there is, really. Old thermostats need to be replaced with something a bit better, but mainly because the old ones stick a bit, and don't turn off the heat when they should. But it's not because we want the heat only when the electricity is the cheapest.
Nice idea, installation & maintenance problematic
The current system for finding out when things go wrong is when the citizens in the neighborhood of the device call in to let someone know it doesn't work. Such as street lamps and crosswalk buttons. Now imagine trying to set that IOT device up. There will be a lot of paperwork just to note the location, like 27b/6.
How problematic would the firmware be? Depends on what it does. If it only reports, then there's not much of an attack vector, unless it's through the IP stack. But the ARM chips, if the system really is bare bones, don't have enough room for large complex code anyways. The IP stack itself will take up most of the space.
No, really, I read it and I have proof...
What everybody misses with things like this is that you could fake it when given that assignment. Or else completely fill up their database with garbage. Anytime your data is sent back to someone in plain text, you should get in on the act, too. Give them more data than they had planned on receiving, not less. What would happen if everybody claimed to be reading the great classics of literature?
Bash is Bollocks for security
Why in the world Bash isn't deleted from any Internet-facing system, I have no idea. If you look at John Hall's code, it's Bash itself that's making a connection back to Hall's servers. I can imagine that a complete evil server system could be hidden in Bash environmental variables. A "minimal system" should be exactly that, with minimal functionality.
Bash is a DISASTER
We gots exploits!
Yahoo! and WinZip both got nailed. If you take a look at John Hall's request text, the parts that were "malformed" were the User-Agent, Cookie, and Referer. Not only that, but it is Bash itself that's calling back to let someone know that the server is vulnerable! That "/dev/tcp" is part of Bash, for your comfort and convenience.
The messed-up thing about this is that to check whether a system is vulnerable, you have to break computer laws to do it. This isn't just port scanning, the fellow got entry, poked around, and killed the botnet client.
Yes, exactly, have any exploits been found in the wild?
I want to see who has actually been pwned by this, and how badly they misconfigured their system in order for the exploit to occur. There are a lot of exploits that happen simply due to poor configuration, like not scrubbing inputs, and using Bash (instead of sh or Dash) with too many privileges, and many other things. I don't want to see honeypots or theoretical vulnerabilities from security researchers, I want a real case of a system getting hacked by this.
Re: Already out there, called "U3" and "startkey"
OK, here's the problem: the USB serial connection is just a serial connection, and there needs to be additional stuff to convert all that to writing into the flash. Now, if you were plugging in a flash card into a bus, then things might be different, like the CF cards. But instead, you want to put something on a general-purpose bus, which has no real security features. "Hello, I'm device XXYYXYXY!" That's basically it, and then the bus routes traffic. So really, it's a kind of network, but without the security features of Ethernet.
What does this mean? It means that there must be a controller to translate the serial to the flash, keep the flash wear level, and some other housekeeping. The problem with all of this is that the microcontrollers are amazingly good these days, an a 32-bit controller can be had in an 8-pin package. It doesn't take much to emulate a keyboard, so reprogramming a USB stick isn't that much of a problem.
I figure at some point what we'll see are USB firewalls in the operating system.
Read up, this is fun!
"Hi! I'm your friendly input device! And I have a CD drive! And I have storage space! You love me!"
And then everything went to Hell, in a hand basket. Oh, wait, we were already shellshocked before this...
Do you have any idea how many times I've given the OK to Windows to install a device driver for a known good device, just because I plugged it into a different USB port?? It doesn't matter if system policies are changed if the user is trained by the OS to always click "OK" before the "friendly" device can be used.
The "microcontrollers" have some fairly good horsepower. Once upon a time, a 32-bit 60MHz chip would have been running a server or workstation instead of sitting behind a USB connector. If you want to fabricate your own board, you can add a coprocessor, and have a serious little hacking system! Some of these controllers have their own FPGA.
Welcome to the future of Moore's Law, where the servers and storage systems of yesterday are now on USB sticks, and can hack your system in milliseconds.
Trust the computer. The computer is your friend.
Re: Ah, you need to read up, Lewis
That's a great answer to someone else's post.
Right, you made one, and you helped a friend make one for himself. Anybody can do it legally, if they're not violating state law, which was my point. And those laws vary from state to state.
Personally, I'm all for everybody legally doing something like this. Laws have long been absurd, and people need to get involved in prodding their legislators into acting with something that resembles common sense. Unfortunately, yellow journalism and reactive politics have been with us for, well, forever.
Time to do something truly dangerous: write letters and vote.
Ah, you need to read up, Lewis
"and it will remain just a piece of metal which you can send via post, Fedex etc to anyone you like."
No, that's against the law. To transfer this to someone else, you must first obtain the right licenses, stamp the thing with a serial number, and then it can be transferred after the paperwork is done. This is the part with the serial number, and this is the part that legally constitutes the weapon.
You can, however, fill in all of the part that you can't mill, like everything else, and happily go legally shooting. That isn't against federal law.
Gun laws vary from state to state. Perhaps a state requires firearms registration, perhaps it doesn't. Perhaps it allows a person to manufacture a firearm for themselves, perhaps it doesn't. Where I live, this would be perfectly legal, but I'm not so sure about New Jersey. Also, state laws may restrict purchase to state residents, and other things like that. For instance, in the State of Washington, an individual may not own a full-auto weapon, but that weapon may be owned by a corporation. Go figure.
No sh!t, DRAM to the rescue!
Wow, once again we find out that massive DRAM caches speed things up. Who would have thought?
These days a 60MHz 32bit processor is smaller than your thumbnail, costs $5, and people are still amazed that massive DRAM caches improve I/O. Back when IDE drives had just been introduced, I bought a smart controller and populated it with 16Mb of cache. Wow, builds could fly! And when I shutdown the system, the writes continued for a minute. Same thing here, different day, same premise.
Re: cynical remark
"they went back to numbers to distance themselves from Vista..."
Even though Windows 7 reports that it's version 6.1, and Windows 8 reports 6.3. I wonder if Windows "10" will report that it's version 6.4? Incremental versions mean incremental changes, though! Tweaks! No radical changes, move along...
Re: run for the hills!
One of the things that drives me really nuts is that a server is not supposed to be using Bash for its system accounts. And yet X number of numpties have set the systems up that way. Bourne, and its alternate, Dash, don't offer the attack surface that Bash does, and are the defaults. So whoever is getting pwned by this bug had to go and work their way around a large number of security practices, any one of which would have mitigated the problem.
Re: what else lurks
Well, the attack is based on a feature of Bash. This means that it's been "out in the open" for the entire existence of the feature, not hidden as an oopsie-daisy bug in the source code. It also points out why it's a bad idea to have so much running with root permissions, besides not sanitizing input. And why it's a bad idea to allow just any server to throw whatever traffic it likes out onto the network.
The equivalent on a Windows system would be to pass in PowerShell script and .NET binaries through the http request, and then run it all with Administrator permissions. Attacks like these should be in the category of GET root!
Re: FUD whack-a-mole
But the device zombie botnet has already been done! And without using this "vulnerability," last year. IOT devices have crap security in the first place, and most, if not all, aren't running Bash, but Busybox or equivalent. (Are any of them running Bash?)
Still no word of JUST ONE commercial site (or device!) being pwned by this one. Sure, there's a search on for a server that's vulnerable to this, but so far, nothing.
(Yeah, sure, my IOT light bulb has enough space for Bash. Right...)
Really, anybody notice how all of this is getting inflated? "Oh, maybe the web server is running DHCP. Or a DHCP server could be uploaded." And on and on. How many systems have been pwned by SSH bugs? I worked in a company where a sysadmin opened an unpatched Linux box to the world, and somebody in Germany promptly walked right in through the SSH server.
So, no, I'm not banking on this being as big as people are making it out to be. For this to work, somebody has to explicitly invoke Bash to run executables, not merely have a cgi-bin directory. The system has to be set up with no sanitation of the inputs. All in all, a system has to be set up really poorly for it to be affected.
Re: FUD whack-a-mole
You know what else is a "vulnerability?" Running code on a processor. Hello, if a system lets a person anonymously upload and then execute code, that's a vulnerability, too. But we kind of guard against that, of course. Yes, we do. Mostly. Kind of. Now and again. Maybe. Nothing remotely like this has ever happened before now. Really.
Yeah, I know, this could possibly be opened up by someone who hasn't a clue as to what they're doing. Maybe "developers" like the Obamacare site contractors, for example. But you can't totally save someone from themselves. It just can't be done. They will always find a way to fail.
And I do want to see a site, not just some test code, but a normal commercial site, pwned by this bug. There's been so many instances of pwnership, this shouldn't be a hard one.
This has existed for 23 years, and nobody has ever written a worm using it! Now, doesn't that tell somebody something? Like this might be a little bit overblown? "Oh, I found a Bash exploit. Wait, it doesn't actually work. Moving on to something else to exploit now..."
Now, what if that supposedly vulnerable server is actually running Bourne shell instead of Bash? Look, ma, no vulnerability! Or maybe the system was set up with some sanitation on the inputs first before the command was sent onwards. I've been seeing people point fingers at Cpanel, but Cpanel folks say that they don't fork around with Bash.
I have yet to read an article stating that server X was exploited with this bug. And I mean truly exploited, not "oh, it looks that way in a Google search."
Pwn the server, post the results, let's see if it's verified.
Fax would be an upgrade...
Because then the "phone" could actually make calls.
No, the next release will fully brick it, thus making it fully functional as one half of a pair of mallets you can use to beat a jungle drum!
Oh, why Steam?
Playing games bought on Steam has not made me happy. When I want to play a game, I want to play it when I sit down, not when Steam decides that it has server capacity to see if I may play it. I'd rather pay a premium for the game to not play it on Steam, and wait for it to be delivered to me.
Something about garden gnomes, ???, profit
Ballmer went on an acquisition spree, since Microsoft can't innovate. Microsoft bought Nokia, allegedly for its cell phone expertise. Now they lay off practically the entirety of Nokia, plus good chunks of their own US operations. Huawei dumped Microsoft phones due to poor sales.
Spend lots of money buying stuff, lay off lots of people, ???, profit.
Well, the profit is, of course, from Windows OS, Office, cell phone patents, and never from cell phones themselves.
Why bother with "Fantasy Supercomputer League" anymore
Once upon a time I'd look at the list and think to myself, "Gee, how much would it take for me to get my bedroom on the list?" Now, with the smallest configuration using over 2,700 cores, there's no longer any way this could happen. Any configuration worthy of #500 on the list these days would take more power than the whole house's mains circuit. Back in 2005 a system with 50 cores could score well. Not anymore! I'd need about 100 NVIDIA K-40 cards to get to #500.
M-Disk: 42,000 pictures of cats
From their own website: 21 hours of non-HD video, 120 minutes of HD video, or 42K pictures of your cats.
So in 1,000 years, the archivists will pop one of these into a drive, and see pictures of cats. And they will wonder what the hell is wrong with us!
2FA, passwords, fingerprints
I've had fingerprint readers on my past three notebooks. And I've used 2FA with a key fob device, for access to a corporate network.
The first real level of security is, "don't put that there," and, "don't let it do that." Don't put embarrassing photos of yourself on the Internet, and don't let your bank transfer funds like that.
The fingerprint idea is OK until you get an owie on your finger, and you need a Band-Aid. Even when it works right, it can take a few swipes before it recognizes your finger. The key fob is OK until it gets out of sync with the service, and then a re-sync needs to happen. The smart card and the key fob can also suffer from insufficient randomness or whatever other problem can crop up.
It's really hard to protect people from themselves. My apartment manager's password is two very simple words, followed by repeating numbers, and he has problems remembering that, so no way is he going to remember v<#?rSK51_Rc,pt, which can still be broken by a rainbow table. Yes, he has called me up on occasion to find out what his password is.
Sending a text message containing a second password to the phone is a good idea, though. Then the second password could be something random, like, "battery horse staple." Of course, for a MITM attack, that would restrict the attack to the current session. But depending on the data that the attackers want to access, that may be enough.
Re: Can't wait to see COBOL syntax highlighting in KDE's Kate text editor
"... but I can see some potential in marrying the mainframe terminal emulator with Linux..."
You do realize that there are already open source TN3270 and TN5250 emulators? There have been professional products for at least 20 years for IBM terminal emulation on Unix, Windows, and even MS-DOS and OS/2. I used to work at Attachmate long ago. ("Where's the IrmaLAN team?" "He's right over there! Splinter!" [This actually confused an HR rep who didn't understand the Monty Python reference. Really, I wonder how much of real life those people experience. Maybe we need to study them with tracking collars and electric shocks...])
Yes, I remember when they were an independent company. Anyways, emulation on Linux not only includes terminal emulators, but also the Hercules project, which can emulate the mainframe itself.
When 60 Minutes ran a piece on the CIA, they received a rebuttal from the CIA before the news segment had been broadcast. The CIA had been monitoring the satellite feeds used for editing the shows...
Security by brick!
Never mind security by obscurity, you need security by brick! If it has all the connectivity and Internet functionality of said brick, it's definitely secure for ten years!
Seriously, a lot of the security problems simply stem from really bad practices that should get someone fired in the first place before they create a pile of crap. If you want to manage a fridge, all it needs is SNMP, and nothing else. Same for basically every other appliance. SNMP v1 is more than enough to monitor everything, because you just need to get an appliance's state, not turn it on or off. Honestly, an IOT blender is pointless to turn on and off over the net. Really, is your robot capable of washing and slicing and dicing the veggies, but it can't turn on a switch?
Wonder where they get their data
"Predating Stonehenge, the building is thought to have been a house of the dead where bizarre burial rituals were played out. "The rituals included exposure of the dead bodies, and defleshing on a large forecourt,""
Where do they get that data? And about a wooden building that's older than Stonehenge?? The builders and others who played around with the stones weren't big on writing anything down, so I wonder how the archeologists came up with the specifics of the rituals.
Watch idea is valid, still bad implementation
I wear a wristwatch, and I keep the mobile phone stowed away. Honestly, I think that the watch is still a great idea, but they keep implementing it wrong.
A watch isn't supposed to be its own input device, it's supposed to be an output device, and it's supposed to be convenient. For a while, Epson produced a watch with pager functionality. Instead of a bulky pager, you had the convenience on your wrist. These new "smart" watches are trying to do too much, and thus essentially fail at everything.
Really, what do you want on your wrist? #1, the time. #2, who's calling you. #3, a small notification that maybe you'd like to look at your phone. That's it, and little more than that. Small, thin, light, and keeps running for a very long time.
Does the watch need to transmit data back to the phone? No. Does the watch need an amazing color display? No. Does the watch need to keep running? Yes, preferably at least a year between battery changes.
Let the smartphones be the little computers they are, and leave the watch with simple functionality.
Passwords? We don't need no steenkin passwords!
Anybody remember about the researcher who created a botnet to map out the Internet? 420,000 nodes, just on cameras alone.
It doesn't matter how many times this happens, the hardware manufacturers need to start requiring passwords on their devices, and ones that are "strong." My Cisco ISA550 requires a password that is stronger than logging into their website! And yes, it has to be changed on the first login. And why do they keep opening up ports by default? "This router keeps you safe!" Really? Really?? It doesn't keep you safe, and it doesn't keep anyone else safe, either!
Maybe the manufacturers could be fined under the truth in advertising laws. These are insecurity routers!
But it's my neighbors what's done it!
Once upon a time, a while back, I set up a honeypot on my connection to see what bots were rapping and tapping at my virtual door. It wasn't a raven, but a crowd of my neighbors! The vast majority of bot net zombies were, in fact, in my IP neighborhood.
So who is the military going to nuke when a DDOS happens?
I just can't help but imagine that some 12yo is going to start WWIII for shits and giggles.
Re: Absence of evidence = evidence of deletion?
The article on Wired says that the investigators put malware on the site, which was "placed" on the visitor's machines. The machine's address, MAC address, various other identifiers, and Tor browsing history were gathered.
Plus when the agents executed their search warrant, DeFoggi was in the process of downloading a porn video, and the agents had to physically wrest the notebook computer from him.
So, yeah, they caught him in the act, and they had plenty of evidence.
Why binary compatibility?
"The chief problem for ARM is existing Intel apps won’t run on the chipset."
Once upon a time, not that long ago, this would never have been an issue. Really, the data center environment was heterogeneous, and many architectures were found. It was quite typical for a vendor to distribute many versions of the product. Yes, I personally did that, and the product was compiled for over 20 flavors.
Now we supposedly have Linux all over the place, but it's not really about Linux, is it? It's about Windows. If it were Linux, then it would be nothing to do but type "make" and then get on with it. But all of this actually has to do with Windows, and of course there's no end to that rat hole.
What's the point?
Everybody knows the Aussie agency is in a shed in the garden in the first place, and everybody knows everybody else as 'Bruce,' what's the point of all the security fallderal?
"Hello, who are you?"
"Oh, I'm Bruce!"
"Right, grab a beer from the fridge and let's chat."
"Hello, who are you?"
"Oh, I'm Ivan."
Re: Plans for dragon attack
Really, it's quite simple: arm the citizenry. You never hear of dragon attacks in the USA because citizens may legally own .50-cal hunting rifles. Really, do you think that these things are for deer?? No, the rifles are for dragons and whales. (No, we don't use them on the Ogre battle tank. We trap those when they're in season.)
Bad article, miserable rant, no information
"I cannot see how an OS could handle multiple processes without having a kernel mode. It follows that there must be at least some hardware support for security measures outlined above. Perhaps it’s all there?"
Mr. Watkinson, your display of ignorance, on The Register, no less, is utterly shameful. Multiple processes can be run without a kernel mode, and it has been done quite often. As for "Perhaps it's all there," yes, it is all there!!!
The Intel 80386 was released with four independent levels of protection, building on the features in the Intel 80286. The failure of a software vendor to implement those features in an operating system is not the failure of the hardware manufacturer.
The reason that Windows is targeted for malware is due to its popularity. Really, with a minimum 80% market share, who wouldn't target Windows? As for Window's lack of security, well, it was never conceived as a secure system, so what can be expected? One of the "features" of Windows is to start a thread on another process that isn't yours! All of the backwards compatibility of Windows means that there is a lot of significant baggage that must be brought forward, release after release.
You want software to be made secure? It's very simple. Software vendors must be penalized for bad code. If there is a fast and immediate monetary penalty applied, then effort will be made to write good code. It really is just that simple.
Really, good techniques have been known for decades. There is nothing new, there is just very little willpower to carry out the task.
- All ABOARD! Furious Facebook bus drivers join Teamsters union
- Comment Renewable energy 'simply WON'T WORK': Top Google engineers
- Review Samsung Galaxy Note 4: Spawn of Galaxy Alpha and a Note 3 unveiled
- Webcam hacker pervs in MASS HOME INVASION
- Nexus 7 fandroids tell of salty taste after sucking on Google's Lollipop