A Closed Off System?
AnarkiNet wonders: "In an age of malware which installs itself via browsers, rootkits installing themselves from audio CDs, and loads of other shady things happening on your computer, would a 'Closed OS' be successful? The idea is an operating system (open or closed source), which allows no third party software to be installed, ever. Yes, not even your own coded programs would run unless they existed in the OS-maker-managed database of programs that could be installed. Some people might be aghast at this idea but I feel that it could be highly useful for example in the corporate setting where there would be no need for a secretary to have anything on his/her computer other than the programs available from the OS-maker. For now, let's not worry if people can 'get around' the system. If each program that made up the collection of allowed programs was 'up to scratch' and had 'everything you need', would you really have an issue with being unable to install a different program that did the same thing?"
Windows Group Policy (Score:5, Interesting)
It'd be a huge nuisance but it's possible today.
I'd use it (Score:4, Interesting)
System admins would only allow updates from the official repository, with a local repository for mirror/caching and business specific software packages.
I use something like this for my relatives. Give them a Linux, don't give them root, make all updates/installations go through me.
Then print out a poster for my door "setup.exe will not run on your system"
On the subject of the CD Rootkit... (Score:3, Interesting)
Treacherous Computing (Score:4, Interesting)
OS X (Score:4, Interesting)
Vista + 'DRM' Hardware (Score:4, Interesting)
As I've said before, this would be a huge boon to IT departments all over the place. I'd love to be able to lock users to running a signed OS and only the apps we specifically approve and sign. This would lock out all unapproved software *and* malware. If the OS is secure enough to keep there from being any ways around this, it'll be ideal.
Oh, and of course, as long as such trusted computing stuffs can be turned off for users who purchase the hardware and don't wish to use it, it's a win-win all around.
Why not instead..... (Score:2, Interesting)
Downside: you'd have to use a CD or flash drive to transfer documents on/off the machine. You couldn't receive email on the machine.
Upside: The only security risk would be by direct access.
Actually, the most secure machines probably aren't even password-protected. If the machine isn't attached to anything but a power cord, and the machine itself is inaccessible, then you've got a secure machine. If you're running Win3.1 or something, it might DIE, but it would be a secure death.
Re:not quite! (Score:2, Interesting)
Oh, so how exactly do you lock down Linux so that only signed software can be run?
Re:I'd use it (Score:3, Interesting)
Just do:
and you can bypass noexec.
Not to mention shell scripts, perl etc etc.
Re:not quite! (Score:3, Interesting)
glibc needs a rewrite before noexec becomes useful.
This is EXACTLY where my mind went! (Score:3, Interesting)
One of the many, MANY hazards with this would be having to buy a supported printer, supported network card, etc... as 3rd party software (and thereby hardware) is excluded by definition.
As another poster has mentioned, wouldn't a LiveCD suffice?