I really disagree with the use of bad guy in any of those laws. It biases the reader from the get go to only worry about the bad guy, you should worry about every user.
The articles says this, "If a stranger walked up to you and handed you a sandwich, would you eat it? Probably not. How about if your best friend gave you a sandwich? Maybe you would, maybe you wouldn't—it depends on whether she made it or found it lying in the street. Apply the same critical thought to a program that you would to a sandwich, and you'll usually be safe."
The Law #1 seems to have been proved wrong. I'm against closed systems but what the iPad/iPhone have done in terms of security is fantastic.
It would be great if other systems worked as smoothly. I'm particularly disturbed by Android's permission system (only tested on stock Nexus S). You are shown a list of permissions but I don't see why I have to allow Twitter access to my contact information and gps location.
I understand it improves the experience but personally I would rather have those turned off and the twitter application should be able to deal with that choice (rather than me having to deal with Twitter having access to my location and full contact list)
I can't agree with you more. It seems to me that with interpretation (e.g. a Java virtual machine, for example), exactly what a program can do can be controlled precisely. Build a trusted interpreter, which should be possible (right?), and you're golden.
One question: How does the security in iOS differ from that in Android? I'm only familiar with Android. I would imagine iOS must also have some kind of selective permission system?
If you run a program on a virtual machine, then it is not "running on your computer". It is "running on a virtual machine, running on your computer", and the security implications are different. Law #1 still holds. Especially if you are unwilling to simply take as given the perfection of the virtual machine... which history says is not a wise thing to take as a given.
That's also which qixxiq is wrong in the GP post; it's only true if you assume that Apple's security is perfect. As a practical matter as a user it's a tolerable approximation, especially if you have no personal assets of value on your phone, but if you're really concerned about security it is not something you can assume.
If you run a program on a virtual machine, then it is not "running on your computer".
I strongly disagree. This is an equivocation of the words "running on your computer," though I understand the technical reason why you might say what you did.
Honestly, this article comes across as poor excuse-making by Microsoft for not having decent security.
Especially if you are unwilling to simply take as given the perfection of the virtual machine... which history says is not a wise thing to take as a given.
From what I can tell, process virtual machines can provide a very good sandbox that allows you to safely run arbitrary code, modulo whatever permissions you explicitly give it.
Yes, writing a fully correct virtual machine is surely very difficult, but software can be secured eventually by trial and error, especially if the codebase is kept small, which you can (in principle) do with a process virtual machine.
If you have citations to show me why I'm wrong on this aspect, I'd appreciate it, as I have a genuine intellectual interest in VM security.
And I disagree with your disagreement. The different phrasing captures an important security aspect of running software, it is not merely a semantic game. You're trying to present VMs as an easy answer to security, and I'm trying to show you why that's not a valid way of approaching the question. Trying to game the definitions won't undo my points here.
"From what I can tell, process virtual machines can provide a very good sandbox that allows you to safely run arbitrary code, modulo whatever permissions you explicitly give it."
Take your choice of virtual machine, and poke it into the search box on http://osvdb.org/ . Don't forget the things you might not consider VMs, like the Javascript engines in the browsers. I know that's less "citation" than "metacitation", but in the spirit of teaching one to fish I think it's more useful. Or just google it, plus the word "vulnerability". As an acceptable technique for quickly and easily securing low-security-requirement applications, sure. As an easy answer for everything, no, their history does not suggest that's the answer. I'm not aware of any VM that hasn't had a history of at least some bad vulnerabilities, and what confidence can you have that there aren't others lying in wait for any given VM?
(Interestingly, OSVDB doesn't have anything for Google nativeclient, but Google search does.)
Saying "there are lots of VMs with security problems, therefore VMs cannot be secure" is faulty logic.
Most (perhaps all) existing VMs are quite complicated and are not designed specifically to be secure, but that does not have to be the case.
I bet I could write a secure VM in C that interprets some simple toy "virtual machine code" with around, say, 2^5 instructions. What I have in mind here is something like TinyVM [1].
Anything in a modern operating system other than the kernel can be considered to be running in a virtual machine; when people refer to running a program on their computer, they're not usually talking about kernel modules.
Apple's security is not perfect, of course, but these are supposed to be immutable laws: we can't fix problems caused by them because they are fundamental to how computers work. It is possible in theory to build a completely secure kernel.
Anything in a modern operating system other than the kernel can be considered to be running in a virtual machine
The level of isolation between processes running on the same machine doesn't really come close to that afforded to processes running inside different VMs.
Maybe it doesn't, but it could. So the first law doesn't seem correct.
As the simplest example a multi uses unix operating system allows lots of people to run programs on the same computer and barring errors it works fine in separating them.
Processes are one level, then there are bsd jails, linux containers, lots of vm types. All have different security issues, once processes seemed enough isolation.
In the end the bugs matter most, and vm isolation has bugs too, they have just been harder to find and exploit.
Security is not absolute, just a matter of degrees.
iOS does not have a general purpose "permissions" system. It does, however, ask for permission (via a modal popup with an explanation) before performing some things that you might to deny, such as accessing your photo library or physical location. (However, most likely for legacy reasons, the Contacts isn't protected in the same way.)
It's also enforced through the review process: in addition to checking for stability and compatibility, the iOS review process also checks for malware and some data theft. This is also helped by the fact that iOS apps cannot dynamically load code after the review process, so you can be pretty sure that Apple at least took a quick look at what you install.
It's far from foolproof — I'm sure a dedicated attacker could sneak something through the review process and steal your contacts — but nothing has happened so far (at least as far as I know).
(As a side note about the lack of a true "permissions" system: having the app request access when it makes sense (Twitter only asks for location when I tap the geotag button, for example) means that I know why the app is asking, rather than on Android where I've seen frantic messages in the description to explain why the app needs some theoretically-privacy-invading permission, even if it's only used for a minor feature, since just asking for that permission scared users away. Neither system is perfect, but a contextual system where you can allow or deny individual permissions (as on iOS) combined with full coverage of what permissions might be wanted to be controlled (as on Android) would work pretty well.)
Well actually on Android you can ask for no permissions up front, and then prompt for various single permissions later whenever appropriate, but this will lead to many confirmation dialogues that users probably won't like.
There are some apps (all requiring root) that allow selective permissions for android apps. I like knowing what the app wants to be able to do and if something strange sticks out, I'll look it up or block it.
>You are shown a list of permissions but I don't see why I have to allow Twitter access to my contact information and gps location.
On your iphone, the twitter app has the same permissions but nobody tells you about it. Only upside is, that you can disable the gps access.
1) They only allow you to download apps they've vetted, not just any old application. Yes, this review process increases security.
2) It's somewhat better in that respect, but not perfect. Imagine a malicious version of jailbreak.me, for example. Yes, they use security holes to perform that operation.
Apple here is the trusted friend. A jailbreak is like the sandwich on the street. The friends checking isn't infallible, but it's good enough that you can normally trust them.
I designed the website for JailbreakMe, but I seriously have not seen a single malicious implementation of that exploit of that — or of any malware, through the App Store or not — for the iPhone.
Theoretically could. But it didn't happen, and nobody even made a PoC or demonstration. And full source code was released within three weeks of the initial JailbreakMe release, so it's not like it was made particularly hard if someone wanted.
(I don't count that thing you linked; it only affected jailbroken devices who installed a specific package and didn't change their password.)
Re: Law #1; This is what the idea of a super user is supposed to help with, and not properly using that concept is part of the reason Windows has developed such a poor reputation for security. To some degree, a program run by a normal user can do damage, but nowhere near what a program run by a super user can do.
I would say that a program run by a normal user can do most of the damage that the owner/user of a personal system (as opposed to an admin of a multi-user system) actually cares about.
Laws #1 and #2 for all intents and purposes mean the same. If an unauthorized person is allowed to modify anything on your computer, you could be in trouble.
Most of these are a failure of technology of which virus scanners are the most obvious symptom. Why is it that if I run a program on my computer it can do basically anything I can do? It can delete my files and depending on your OS all files. It can run a keylogger. It can add toolbars to my browser. It can send emails from my email account. It can access the saved passwords in my browser.
This doesn't have to be the case. OSes should have been designed so that it is safe to run any program, unless you explicitly grant it permission to e.g. delete your files. If I open foo.png in an image editor, the editor should only have access to that file and the image editor's directory, not the entire filesystem. Nor should it be able to add a program to run at startup or to observe the things I'm typing in the password box of my online banking login form.
Facebook at least got this partially right. When you run an application it asks you "Application X wants permission to: access your phone number, send messages on your behalf, etc.".
Number 5 is so true. I've seen it first hand many times. If the password on your TrueCrypt volume is "password" (or something similarly trivial) then you've just given away everything. And you need to understand this.
Strong encryption with a weak password means nothing. You've undone all the power of AES encryption when you select a weak password. So please use strong passwords and understand why they are important.
Some people believe you can get security along with convenience.
This COULD NOT be further from the truth.
Convenient for you = convenient for hackers!
You need to be accountable regarding your passwords and how you choose them.
There is no system that makes passwords magically secure.
You need to just stay away from the commonly abused passwords and go with combinations of characters, numbers and punctuation to increase the possible permutations a hacker would have to exhaust before discovering yours.
38 comments
[ 2.6 ms ] story [ 98.6 ms ] threadWhich I thought was pretty good.
It would be great if other systems worked as smoothly. I'm particularly disturbed by Android's permission system (only tested on stock Nexus S). You are shown a list of permissions but I don't see why I have to allow Twitter access to my contact information and gps location.
I understand it improves the experience but personally I would rather have those turned off and the twitter application should be able to deal with that choice (rather than me having to deal with Twitter having access to my location and full contact list)
I can't agree with you more. It seems to me that with interpretation (e.g. a Java virtual machine, for example), exactly what a program can do can be controlled precisely. Build a trusted interpreter, which should be possible (right?), and you're golden.
One question: How does the security in iOS differ from that in Android? I'm only familiar with Android. I would imagine iOS must also have some kind of selective permission system?
That's also which qixxiq is wrong in the GP post; it's only true if you assume that Apple's security is perfect. As a practical matter as a user it's a tolerable approximation, especially if you have no personal assets of value on your phone, but if you're really concerned about security it is not something you can assume.
I strongly disagree. This is an equivocation of the words "running on your computer," though I understand the technical reason why you might say what you did.
Honestly, this article comes across as poor excuse-making by Microsoft for not having decent security.
Especially if you are unwilling to simply take as given the perfection of the virtual machine... which history says is not a wise thing to take as a given.
From what I can tell, process virtual machines can provide a very good sandbox that allows you to safely run arbitrary code, modulo whatever permissions you explicitly give it.
Yes, writing a fully correct virtual machine is surely very difficult, but software can be secured eventually by trial and error, especially if the codebase is kept small, which you can (in principle) do with a process virtual machine.
If you have citations to show me why I'm wrong on this aspect, I'd appreciate it, as I have a genuine intellectual interest in VM security.
"From what I can tell, process virtual machines can provide a very good sandbox that allows you to safely run arbitrary code, modulo whatever permissions you explicitly give it."
Take your choice of virtual machine, and poke it into the search box on http://osvdb.org/ . Don't forget the things you might not consider VMs, like the Javascript engines in the browsers. I know that's less "citation" than "metacitation", but in the spirit of teaching one to fish I think it's more useful. Or just google it, plus the word "vulnerability". As an acceptable technique for quickly and easily securing low-security-requirement applications, sure. As an easy answer for everything, no, their history does not suggest that's the answer. I'm not aware of any VM that hasn't had a history of at least some bad vulnerabilities, and what confidence can you have that there aren't others lying in wait for any given VM?
(Interestingly, OSVDB doesn't have anything for Google nativeclient, but Google search does.)
Most (perhaps all) existing VMs are quite complicated and are not designed specifically to be secure, but that does not have to be the case.
I bet I could write a secure VM in C that interprets some simple toy "virtual machine code" with around, say, 2^5 instructions. What I have in mind here is something like TinyVM [1].
[1] https://github.com/GenTiradentes/tinyvm
- Implement your VM
- Release the source code for inspection
- Provide a way for anyone to upload code (e.g. via the web) into an instance of the VM on a server you control
- Give an increasing bounty for each security bug found
- Publically state that you are encouraging people to try cracking it
That would be fun :-)
Apple's security is not perfect, of course, but these are supposed to be immutable laws: we can't fix problems caused by them because they are fundamental to how computers work. It is possible in theory to build a completely secure kernel.
The level of isolation between processes running on the same machine doesn't really come close to that afforded to processes running inside different VMs.
As the simplest example a multi uses unix operating system allows lots of people to run programs on the same computer and barring errors it works fine in separating them.
Processes are one level, then there are bsd jails, linux containers, lots of vm types. All have different security issues, once processes seemed enough isolation.
In the end the bugs matter most, and vm isolation has bugs too, they have just been harder to find and exploit.
Security is not absolute, just a matter of degrees.
It's also enforced through the review process: in addition to checking for stability and compatibility, the iOS review process also checks for malware and some data theft. This is also helped by the fact that iOS apps cannot dynamically load code after the review process, so you can be pretty sure that Apple at least took a quick look at what you install.
It's far from foolproof — I'm sure a dedicated attacker could sneak something through the review process and steal your contacts — but nothing has happened so far (at least as far as I know).
(As a side note about the lack of a true "permissions" system: having the app request access when it makes sense (Twitter only asks for location when I tap the geotag button, for example) means that I know why the app is asking, rather than on Android where I've seen frantic messages in the description to explain why the app needs some theoretically-privacy-invading permission, even if it's only used for a minor feature, since just asking for that permission scared users away. Neither system is perfect, but a contextual system where you can allow or deny individual permissions (as on iOS) combined with full coverage of what permissions might be wanted to be controlled (as on Android) would work pretty well.)
>You are shown a list of permissions but I don't see why I have to allow Twitter access to my contact information and gps location.
On your iphone, the twitter app has the same permissions but nobody tells you about it. Only upside is, that you can disable the gps access.
1) They only allow you to download apps they've vetted, not just any old application. Yes, this review process increases security.
2) It's somewhat better in that respect, but not perfect. Imagine a malicious version of jailbreak.me, for example. Yes, they use security holes to perform that operation.
Apple here is the trusted friend. A jailbreak is like the sandwich on the street. The friends checking isn't infallible, but it's good enough that you can normally trust them.
You are ruining my business. Paranoia benefits Microsoft. Are you bearing false whitness? Yer fucked.
God says...
C:\TEXT\BIBLE.TXT
ever: but upon David, and upon his seed, and upon his house, and upon his throne, shall there be peace for ever from the LORD.
2:34 So Benaiah the son of Jehoiada went up, and fell upon him, and slew him: and he was buried in his own house in the wilderness.
2:35 And the king put Benaiah the son of Jehoiada in his room over the host: and Zadok the priest did the king put in the room of Abiathar.
2:36 And the king sent and called for Shimei, and said unto him, Build thee an house in Jerusalem
(I don't count that thing you linked; it only affected jailbroken devices who installed a specific package and didn't change their password.)
This statement is incredibly naive. Websites can change their privacy statements daily or they may not adhere to their own privacy statement.
This doesn't have to be the case. OSes should have been designed so that it is safe to run any program, unless you explicitly grant it permission to e.g. delete your files. If I open foo.png in an image editor, the editor should only have access to that file and the image editor's directory, not the entire filesystem. Nor should it be able to add a program to run at startup or to observe the things I'm typing in the password box of my online banking login form.
Facebook at least got this partially right. When you run an application it asks you "Application X wants permission to: access your phone number, send messages on your behalf, etc.".
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
s/bad guy/vendor/g, looking at phones and e-readers.
Computer for which someone else has the root password and a comm link: not yours.
Strong encryption with a weak password means nothing. You've undone all the power of AES encryption when you select a weak password. So please use strong passwords and understand why they are important.
Some people believe you can get security along with convenience. This COULD NOT be further from the truth.
Convenient for you = convenient for hackers!
You need to be accountable regarding your passwords and how you choose them. There is no system that makes passwords magically secure.
You need to just stay away from the commonly abused passwords and go with combinations of characters, numbers and punctuation to increase the possible permutations a hacker would have to exhaust before discovering yours.