
Comment Re:Hubris (Score 1) 162

Read more of their site (and Joanna's blog). DMA is isolated with an IOMMU; you must have an Intel i5 or better with the VT-d feature and a chipset + BIOS that supports it. AMD also has some processors with IOMMU capability under their own trade name.

PCIe devices are assigned to VMs as needed (you can even configure it in the GUI).

x86 virtualization is not about security,

Uh, x86 virt "wasn't" about security. Intel has already responded to bugs reported by the ITL team and others, so it's changing for the better. Stick with Ivy Bridge or later.

The addition of the IOMMU feature alone is evidence the focus has shifted toward VM security.

As for legacy, it turns out that those PS/2 interfaces that have hung around in a lot of laptops (built-in keyboards) and towers are what keeps the USB miasma from negating the security architecture.

Comment Re:The whole security world is in a very bad shape (Score 1) 162

The whole mess has a lynchpin (perhaps the only one?)....

Modern computers are vast amalgamations of logic (of varying quality), and we can see only the iceberg tip of the iceberg tip of that content at any given time. Even the experts are left constantly guessing about the doings of all the invisible things inside.

And no, I have no idea how to improve that situation. No matter what you change, you're not going to get any better results.

Start by creating a desktop OS with a hypervisor ingrained into it (all the risky stuff, even graphics and IP stacks are isolated) to reduce the attack surface to a very small area. Then, hopefully, more and more eyeballs and minds will concentrate their attention on the really crucial parts instead of getting PTSD over the whole expanding theatre of apps and services.

Next, turn attention to system firmware (CoreBoot BIOS, and Shuttleworth's initiative to replace ACPI). We're almost half way there now...

Finally, open hardware: CPUs, GPUs and such (we may see mobile devices benefit from this first).

TL;DR: Make the whole logic stack inspect-able and open, and tightly link the security context provided by those components to the privileged part of the GUI.

Comment Re:Skills Levels of Hacking Community (Score 1) 162

The explosion of "brogrammers" et al is a reflection of increasing amounts of code and complexity. Maybe this site closure is just a symptom of that trend going too far... the surface area to be protected, audited and patched has just become too large and the security culture is caving under that weight.

I think I've mentioned Qubes to you before... I can stuff all sorts of apps and functionality into it without impacting my attack surface and overall risk much. I just have to think about the 'who' and 'what' of the app and the task before I assign it to a domain-- a little reflection buys me great peace of mind (instead of making me more worried, the way other architectures do).

This is based on a particular kind of Security By Isolation. The upshot is that the area of security focus for the community is reduced to the bare essentials, and that could have a positive effect in terms of available skills with more eyeballs looking at a given piece of sensitive code.

Comment Hubris (Score 1) 162

Audits are not formal verification. Give me a system that reduces the attack surface *without* shutting down most of a system's functionality, and which doesn't diminish its security profile when adding/enabling features.

OpenBSD is an anachronism in a world that has demoted OS kernel-based security to the sidelines, in favor of hypervisors. Qubes continues this trend by working VMs into the grain of the desktop architecture itself; this allows a profusion of apps and features to be added while affecting the attack surface minimally or not at all.

Biotech

Overuse of Bioengineered Corn Gives Rise To Resistant Pests 259

An anonymous reader writes "Though warned by scientists that overuse of a variety of corn engineered to be toxic to corn rootworms would eventually breed rootworms with resistance to its engineered toxicity, the agricultural industry went ahead and overused the corn anyway with little EPA intervention. The corn was planted in 1996. The first reports of rootworm resistance were officially documented in 2011, though agricultural scientists weren't allowed by seed companies to study the engineered corn until 2010. Now, a recent study has clearly shown how the rootworms have successfully adapted to the engineered corn. The corn's continued over-use is predicted, given current trends, and as resistance eventually spreads to the whole rootworm population, farmers will be forced to start using pesticides once more, thus negating the economic benefits of the engineered corn. 'Rootworm resistance was expected from the outset, but the Bt seed industry, seeking to maximize short-term profits, ignored outside scientists.'"

Firefox

Firefox 28 Arrives With VP9 Video Decoding, HTML5 Volume Controls 142

An anonymous reader writes "Mozilla today officially launched Firefox 28 for Windows, Mac, Linux, and Android. Additions include VP9 video decoding, Web notifications on OS X, and volume controls for HTML5 video and audio. Firefox 28 has been released over on Firefox.com and all existing users should be able to upgrade to it automatically. The full release notes are available. As always, the Android version is trickling out slowly on Google Play (Android release notes)." Mozilla also announced tools to bring the Unity game engine to WebGL and asm.js.

Comment An OS can cope with hostile peripherals: (Score 1) 147

In fact Qubes assumes they are hostile to a great extent already.

As long as one trusts the BIOS and other critical boot-time elements (i.e. ACPI), you have a very good shot at maintaining security with a system like Qubes and this is why Qubes users are expressing a lot of interest in Coreboot (open BIOS).

(Of course, one must also trust the CPU and chipset, but these are often provided by the same vendor which reduces the trust issue down to one party. And we're not even talking firmware or software here: It's hardware, which is further down the open source horizon, but someday.....)
