
Comment Re:Where's the crossover? (Score 1) 85

IMHO, it falls on what the device's role is going to be. For example, a Surface Pro, even though technically a tablet, can do a full desktop role if plugged into a port replicator.

Some Motorola phones also fell into that category as well. The Atrix and Atrix 2 offered a Linux distribution and basic desktop functionality, although it required a special docking station to do this.

I'd probably say the definite answer would be to have the device have a hypervisor. If one is using it as a phone, a VM with a phone OS would be used. If it is used with an external monitor and keyboard, it would run a desktop OS, and be able to do both at the same time if need be.

Of course, a hypervisor gives some added benefits, be it the ability to deduplicate, encrypt VMs, back an entire VM up as a gestalt (makes installing a new ROM quite easy), and if needed, run an offline AV program to check for malware and remove it.

Comment Re:Sharing PII between government and businesses (Score 1) 44

Once it was made known that the bad guys had real encryption, and banks were stuck with 56-bit DES (which was likely breakable by the well-heeled nations in the 1990s), ITAR eventually was killed.

The Clipper chip did teach some lessons though:

1: What happens if the bad guys can just do something like zero out the LEAF?

2: What happens if the algorithm, Skipjack, gets broken? Well, since the Clipper chip was the only thing encrypting, by law, everyone using it would be severely hosed for months to years as physical chips had to be replaced.

3: What prevented the bad guys from just using their own encryption wrapped inside Skipjack? Yes, laws can be passed mandating Clipper/Skipjack only... but in some cases, enforcing those could be quite difficult. Plus, there are ways to encrypt with "just" signing and hashing algorithms.
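An added illustration of the third point (not code from the original comment): a stream cipher plus authentication built from nothing but HMAC-SHA256. The keystream is HMAC over a nonce and a block counter, and a second HMAC key authenticates the ciphertext, so no block cipher is involved at all. The key, nonce and messages are constructed sample values.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output size


def _derive(key: bytes):
    # Separate encryption and authentication keys, both derived with HMAC.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # Block i of the keystream is HMAC(k_enc, nonce || i); a MAC used as a PRF.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC, hash-only primitives)."""
    k_enc, k_mac = _derive(key)
    nonce = nonce or os.urandom(NONCE_LEN)  # never reuse a nonce under one key
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; raise on any tampering."""
    k_enc, k_mac = _derive(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))


if __name__ == "__main__":
    # Constructed sample: round-trip one message and show that a flipped bit is rejected.
    key = b"constructed-demo-key"
    blob = encrypt(key, b"hello, clipper")
    print(decrypt(key, blob))
```

The construction is standard (a PRF in counter mode with encrypt-then-MAC), which is why a mandate that only covers cipher chips cannot stop encryption as long as a keyed hash is available.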

Comment Re:Really? (Score 4, Informative) 215

We have had many, many technologies that were supposed to stop reverse engineering.

I remember back in the Apple ][ days, a program called "Lock it Up" by Double Gold Software had anti-reverse-engineering things in it, and was advertised as sending the bad guys packing (one of which was doing "poke 214, 128" which would disable the BASIC prompt). Then we had obfuscators for C++, BASIC, Java, and other languages, same thing.

This technology looks like it will be broken by running it in a VM, so I'm sure the next generation will have anti-VM stuff in it, and someone will just run a Bochs emulator (dog slow, but emulates everything 100%) to bypass that.

My take: How about companies spend money on improving their software instead of playing with DRM which will get broken anyway? In the enterprise, the fear of an audit is good enough to keep people in compliance with Oracle licenses. For games, using CD keys is good enough. They can play locally, but can't go multiplayer without a proper key.

If the code is so sensitive it -has- to be protected, put it in a tamper-resistant appliance, like an HSM.

Comment Re:Is semver too simplistic for kernels? (Score 2) 199

You hit the nail on the head. The problem, especially with mature platforms, is that big changes tend to not happen. We are not seeing any new bus architectures, nor are we seeing anything that fundamentally changes the kernel's architecture, so there are two schools of thought:

The first is to bump up a major version number only if something radical happened, which the Linux kernel used to do (I remember back in the 1.x days, seeing 1.1.100.) Then there is bumping the major number routinely.

I'm of the former school of thought. Historically, a major number bump meant groundbreaking territory and for shops running it to be prepared for major bumps and hurdles. This is a good thing, since there needs to be large updates every so often, and bumping a major number warns of that.

Bumping a major number because the revision number is getting into the triple digits is, IMHO, more something a marketing person would do versus having an actual need for it. For example, the Windows version I'm using should be called Windows 6.3.9600. (Of course, in Windows 10 even MS bumped the numbers up, even for the kernel.)

If Linux has to move to 4.0, there should be some reason to explain the jump to non-technical people, be it a major feature added or something that adds a line of demarcation.

Without getting in a pro/con flamewar, I'd propose maybe adding kernel level hooks for SystemD without affecting functionality of Android and distros not using it. This way, the #1 program in userland has better interaction with the kernel, either for process management, raising/dropping privs for security, or other uses.

Comment Re:Great! Now what about bootloader locking? (Score 1) 100

The problem is that some phones get useful, permanent mods, such as the HTC One X, or the HTC One M8. Others start out as locked, such as the Moto X or the Motorola CLIQ, but eventually are easily updated. Still others never really get completely unlocked, such as the Motorola Atrix 2.

My next phone, I'll probably just place my bets on HTC, since I've had good luck with their products. Maybe LG is decent, but I've yet to research their stuff.

Motorola and Samsung? They can keep their expertly locked bootloaders and eFuses.

Comment Re:My suggestion to Oracle: SPARC everywhere... (Score 2) 190

I do agree that AIX does stand for "Alien Interpretation of UNIX", but even though it is squirrely, if an application runs on it, it runs well.

I am not disagreeing with the fact that AIX and Solaris are bit players. However, I would say that one problem is that both Oracle and IBM at best are focused on retaining existing customers. Neither has any marketing focus on getting people from VMWare and OpenStack onto their platforms. And without expanding the market, just as the parent stated, if the market isn't growing, it is shrinking.

This is a hard thing to do. The trend has been for businesses to have projects to get off of SPARC and POWER onto commodity x86 hardware, because x86 hardware has a price advantage, and can be sourced from a number of vendors. Both IBM and Oracle will have to have a good reason (good as in financially appealing), but it could be done.

There is the security aspect. Solaris and AIX have long since gone through their teething problems when it comes to security and are quite robust in this regard. Solaris has tossed root (as a user) in Solaris 11, and uses roles (this functionality can be reversed if needed), and AIX can run completely root-less, as well as use signed executables/libraries/scripts. If Oracle could put some R&D into security... and a reasonable way to manage/audit things, they might just gain some ground back.

However, it would have to be a -major- improvement in security features, beyond the delta from Solaris 1.x to 2.x, something as major as the jump from Windows 3.1 to NT. Plus, it isn't just features, it is ease of implementation. Something where Solaris can be marketed as, "if it runs on this OS, it is secure".

What might have to happen is that Oracle might have to license things from Microsoft. Exchange and Active Directory come to mind. This way, even if there is a major Windows exploit, core AD servers would still be protected because they would be running on Solaris. It is doubtful MS would license this, and it would take some coding by Oracle... but it is going to take a Herculean effort to get SPARC's marketshare to grow again anyway, so might as well try to get businesses to move to the platform by offering an alternative to a Windows backend.

Comment My suggestion to Oracle: SPARC everywhere... (Score 3, Interesting) 190

My suggestion to Oracle: Get SPARC's marketshare up. This might take some doing, but long term, expanding the ecosystem is a good way to keep revenue coming in, where customers buy new machines to upgrade, as opposed to "upgrading" to commodity x86 hardware.

This would require some work on the whole stack from the CPU on up to applications. For example, getting Solaris LDOMs and domains to work with SCVMM or the enterprise admin tool of choice. Another would be getting Linux applications to work on Solaris with low to minimal porting necessary. IBM did this with AIX starting at 5L (where it took a code recompile, but little else.)

As I mentioned before, Oracle has some pretty nice technologies which can shake up the market. SPARC servers have Infiniband, so if Oracle does some work with the hypervisor to allow one machine to access another box's disks via Infiniband, and adds redundancy (on both drives and nodes), this would completely get rid of a need for a SAN backend. Need more storage? Just add more drives to one of the machines, or add another node to the cluster, similar to how Isilons are updated. ZFS is also a crown jewel, and can be used for a lot of things as well, especially backend deduplication.

I hope Oracle can reinvent itself. They have a lot of core technologies that they could use to eke out a definite niche in the enterprise. Combine that with the fact that SPARC and Solaris are mature technologies, and Oracle can bring to the table pretty decent security.

Comment Re:Six digit PINs? (Score 1) 101

The ironic thing is that this setup has been in place for at least seven years, and is still working without issue. Otherwise, I'd definitely be made aware that it was not working.

I'll turn the question around... why does a device have to be on the Internet if it doesn't have to? I do admit I did a low tech solution without going through extensive third party data diode, firewall, and other offerings... but it has worked without issue or need for upkeep for years now.

Comment Re:Tough decision (Score 1) 136

I may be a bit pedantic, but how can a general purpose laptop or desktop computer get bricked, unless part of the exploit overwrote the firmware, causing the machine to not be able to be booted?

The OS might need to be repaired or reinstalled, but generally the data should be recoverable.

Of course, having backups is a wise idea.

Comment Six digit PINs? (Score 2) 101

I don't get why these devices are on the Internet in the first place. If access is needed to read statistics, have an internal server scoop the info from the SCADA servers, hand it to a DMZ server, and the external applications use SSL with client authentication (both sides authenticate to each other using keys) to fetch the data, or if it has to be a person doing this, have a web server on the DMZ that is accessed via 2FA for this info. If the SCADA boxes have to be controlled through the Internet, then there is always a high security VPN that uses smart cards or USB crypto tokens.

One project I had a few years ago was to get data from manufacturing systems (systems which could be on the Internet, but at best, had security strapped on at the last moment... so they were not secure) to remote receivers. I ended up putting the systems on one isolated subnet with a Linux box that would scan them, then shove the data through a serial port with the Rx line cut (so it could only transmit, not receive.) The machine on the other end of the cable would take the data from the serial port and format it into useful reports, which wound up on a decently secure webserver.

No, this system wasn't fast, but it did the job where info could be read but a blackhat couldn't tamper with the isolated network without physical access.
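An added example (not the poster's code) of the one detail a cut-Rx serial link forces on you: the receiver can never ask for a retransmission, so each record must carry its own sync marker, length and checksum, and the receiver has to resynchronize on its own after a corrupted frame. The frame format, sample readings and the injected corruption below are all constructed for the example; the CRC only detects line noise, and a keyed MAC would be needed if the cable itself were reachable by an attacker.

```python
import struct
import zlib

# Constructed frame format for the transmit-only link:
# MAGIC | 2-byte big-endian length | payload | CRC32 over (length || payload)
MAGIC = b"\xAA\x55"
HDR = struct.Struct(">H")
CRC = struct.Struct(">I")
MAX_LEN = 4096


def build_frame(payload: bytes) -> bytes:
    """Wrap one report record so the receiver can verify it without any reply channel."""
    if len(payload) > MAX_LEN:
        raise ValueError("payload too large for one frame")
    body = HDR.pack(len(payload)) + payload
    return MAGIC + body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


def parse_stream(buf: bytes):
    """Pull every intact frame out of a raw byte stream.

    Returns (frames, dropped): the verified payloads in order, and the number
    of frames whose CRC failed. Unknown bytes and bad frames are skipped by
    scanning forward to the next MAGIC marker."""
    frames, dropped, i = [], 0, 0
    while True:
        i = buf.find(MAGIC, i)
        if i < 0 or i + len(MAGIC) + HDR.size > len(buf):
            break
        start = i + len(MAGIC)
        (length,) = HDR.unpack_from(buf, start)
        end = start + HDR.size + length
        if length > MAX_LEN or end + CRC.size > len(buf):
            i += 1  # bogus length or truncated tail: resync on the next marker
            continue
        body = buf[start:end]
        (crc,) = CRC.unpack_from(buf, end)
        if zlib.crc32(body) & 0xFFFFFFFF == crc:
            frames.append(body[HDR.size:])
            i = end + CRC.size
        else:
            dropped += 1  # corrupted in transit; nothing to do but skip it
            i += 1
    return frames, dropped


# Constructed sample stream: leading line noise, a good frame, a frame with a
# flipped payload byte, and another good frame.
good = build_frame(b"line7 temp=71.5 rpm=1200")
bad = bytearray(build_frame(b"line8 temp=70.9 rpm=1180"))
bad[7] ^= 0xFF
stream = b"\x00noise" + good + bytes(bad) + build_frame(b"line9 temp=72.0 rpm=1215")
```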

Comment Re:We need a distributed Tor immedietly (Score 2) 215

I have not dealt with the Great Firewall, but I've seen some quite restrictive stuff here at home. One coffee shop near me actually tries to MITM traffic to my E-mail provider with a bogus SSL key coming from 192.168.168.168, and the people there have zero clue on it, and say it is corporate's decision.

I've seen other crap as well on store Wi-Fi networks, be it ads inserted in-flight (www.google.com doesn't have Flash ads, nor does it try to install "securityupdate.apk" files if on Android), as well as executables that were downloaded and demanded to be run/installed in order to use the Wi-Fi connection. Websites were blocked or redirected willy-nilly (Google would be redirected to another search engine or some no-name site.)

Because of that, I always use a VPN on Wi-Fi networks. Either the Wi-Fi network allows the traffic (and it will be obvious if they attempt to spoof the VPN keys), it will throttle the traffic, or it will disallow it. In this case, the real network traffic is allowed and protected, or it is blocked. The dodgy Wi-Fi AP can't tamper with it.

Comment This is a good thing overall... (Score 5, Interesting) 196

One common thing I see [1] is crapware doing two things. The first is creating a proxy daemon that sits on the local computer, then forces all Web browsers to use that. The second thing is to use a Web extension stuffed into IE/FF/Chrome/etc. to reload the settings and/or insert ads even into SSL transactions. Not to mention trying to ensure that a home page and search engine are set and locked to a certain site. Not new stuff (adware has been doing this since the Windows 98 and ME days), but having Web browsers require signed extensions means that it is one less avenue the bad guys have to throw pop-ups at users who fetch a download from a popular PC download site and forget to uncheck some hidden box among the 10-20 dialog screens.

So, having extensions have to go through some type of gatekeeper process is a good thing. This has kept Apple's ecosystems (both OS X and iOS) quite clean. Similar with Linux repositories.

[1]: I've been shielded from it because I run virtually everything in VMs, use adblocking software, and even in the VMs, I use sandboxes, so it has not been an issue here.

Comment Re:TL;DR (Score 1) 208

This is the first time I've read about this distro... and instead of reading about their UI improvements, it is their way of trying to add revenue streams?

I'm guessing they are subscribing to the "all publicity is good publicity" school of thought. However, there are many good distros out there already and the fact this distro maker does the equivalent of holding out their hat and demanding a tip before the performance begins... ensures that their distro isn't one I will be trying anytime soon.

Comment Re:price = how good? wtf (Score 1) 249

There are two branches with audio equipment as one gets up the price range: The audiophile stuff and the studio grade stuff intended for people to hear and fix audio mixes.

I'm content with my pair of Yamaha powered monitors. Their response is quite flat so when you hear a mix, it may not sound as boomy as if one hears it on "consumer/audiophile" stuff that cranks the bass up... but if I wanted that, I can always reach for the equalizer and boost that set of frequencies.

For cans, I use a set of Sony MDR-F1 headphones which are quite nice and cause less fatigue than a lot of other brands. They are long since discontinued, but there isn't anything else out there that is similar and gives a flat audio response.

Studio grade stuff that is for actual professional recordings is understandable to pay for. "Audiophile" stuff with funky cables and speakers that are talked about like cars or booze instead of response graphs and other items? Others can buy that.
