Hacker News: DebugDruid's comments

Sometimes I dream about a 100% secure OS. Maybe formal verification is the key, or Rust, I don’t know. But I would love to know that I can't be hacked.


> But I would love to know that I can't be hacked.

Cool. So social engineering it is. You are your own worst enemy anyways.


A world in which the only way to get hacked is to be tricked would be an insane improvement over today. There are a lot of ways to solve the social engineering issue with tech solutions too - FIDO2 is one example, as would be app isolation, etc.


The problem is that for the overwhelming majority of use cases the isolation features that are violated by security bugs are not being used for real isolation, but for manageability and convenience. Virtualization, physical host segregation, etc. are used to achieve greater isolation. People don't necessarily care about these flaws because they aren't actually exposed to the worst case preconditions. So the amount of contributor attention you could get behind a "100% secure OS" might not be as large as you are hoping. Anyway, if you want to work on such things there are various OS development efforts floating around.


Isolation is one thing, correctness is another. You may have architecturally perfect, hardware-assisted isolation, but triggering a bug would breach it. This is how a typical break out of a VM, or a container, or a privilege escalation, happens.

There is a difference between a provably secure-by-design system, and a formally proven secure implementation, like seL4.



This has been done multiple times in research; see Verve OS from Microsoft, where even the assembly is verified. That is where Dafny came from.

https://en.wikipedia.org/wiki/Verve_(operating_system)

However, worse is better on the market, and quality doesn't pay off, hence why such ideas take decades into mainstream.



That protects against much, but is far from a "100% secure OS". If the specific VM or 'qube' has a vulnerability, anything in that VM could be obtained/interacted with.


Your VM isn't protected from malware that you run in it. However your OS and other VMs containing sensitive data (in which you of course do not run anything untrusted at all) will stay safe, by design.


> Your VM isn't protected from malware that you run in it.

Right, that was the point - so your suggestion that Qubes is a '100% secure OS' is false.


The OS is actually secure, isn't it? As well as all your valuable data. The VM gets compromised, after which you can reset it to its original state. See: https://doc.qubes-os.org/en/latest/user/how-to-guides/how-to...

> The OS is actually secure, isn't it?

Not 100% secure, as was your claim.


It is secure after resetting the Disposable VM. It's impossible to make it better, and I don't even understand what your actual problem is.

> It is secure after resetting the Disposable VM.

What a nonsense answer. That's like saying a bank vault is secure after being rebuilt from being broken into. Meaningless.

It's not 100% secure while using it.

> It's impossible to make it better

Far from it. A formally verified codebase and better protections than DAC would be a start.

> I don't even understand what your actual problem is.

You made a BS claim and have an allergy to admitting you were wrong.


> That's like saying a bank vault is secure after being rebuilt from being broken into. Meaningless.

Did you even read my reply? All data are safe unlike in your (unrelated) example. Give me your actual threat model. 100% security never existed and never will. Security through correctness never worked and never will. Compartmentalization is the only viable approach.


> All data are safe

This simply isn't the case. Any data in the VM is vulnerable if the VM has a vulnerability allowing exfiltration.

> Give me your actual threat model.

A vulnerability in the VM allowing exfiltration.

> 100% security never existed and never will.

Then why did you suggest Qubes as a 100% secure OS?

Are you now admitting you were wrong to do so?

> Security through correctness never worked and never will.

Security clearly isn't your area of expertise. Security through correctness is indeed a solution to many/most threats.

> Compartmentalization is the only viable approach.

Hardly. It can help, but at most it's a workaround.


>> Give me your actual threat model.

> A vulnerability in the VM allowing exfiltration.

Thanks, now we can talk technically without accusations.

> Any data in the VM is vulnerable if the VM has a vulnerability allowing exfiltration.

Qubes OS has a possibility to open any file in a dedicated, offline, disposable VM, for reading or for editing [0]. The original VM will not get compromised because it never touches the file. The disposable VM will not allow exfiltration, since it has no network (with the correct configuration).

There is a reason why this OS is chosen for SecureDrop Workstation [1].

> Then why did you suggest Qubes as a 100% secure OS?

There is nothing 100% in this world. Qubes is as close to 100% secure as possible. People often use imprecise expressions for things they wish existed. This is what I expected from your comment.

> Security clearly isn't your area of expertise. Security through correctness is indeed a solution to many/most threats.

Indeed, it is not my area. However it is the area of well-known security professionals whose opinion I trust [2].

[0] https://doc.qubes-os.org/en/latest/user/how-to-guides/how-to...

[1] https://workstation.securedrop.org/en/stable/

[2] https://blog.invisiblethings.org/2008/09/02/three-approaches...


> Thanks, now we can talk technically without accusations.

That was always within your control.

> The disposable VM will not allow exfiltration, since it has no network

Sure, unless you're doing something in the disposable VM that requires network traffic, like browsing.

> Qubes is as close to 100% secure as possible.

No, it isn't. It lacks numerous protections. It serves a purpose against certain threat models, but it's far from being close to 100% secure. Like I said, it's essentially a workaround.

> There is nothing 100% in this world.

So you agree Qubes is not a 100% secure OS like the other poster was asking for, correct?

> However it is the area of well-known security professionals whose opinion I trust.

None of them are claiming it is as close to 100% secure as possible. No security expert would. Not even a security hobbyist would. It's a nonsense claim.


>> The disposable VM will not allow exfiltration, since it has no network

> Sure, unless you're doing something in the disposable VM that requires network traffic, like browsing.

This is called goal shifting. Anyway, in this case Qubes can also save you. You browse untrusted websites in a disposable VM, which doesn't contain anything sensitive. You move any downloaded untrusted files to a dedicated storage VM and never open them there without another, dedicated disposable VM.

You browse trusted websites in another, more trusted VM. More details: https://doc.qubes-os.org/en/latest/user/how-to-guides/how-to...

> It lacks numerous protections. It serves a purpose against certain threat models, but it's far from being close to 100% secure. Like I said, it's essentially a workaround.

I challenge you to provide me with a threat model that is not covered by Qubes. You couldn't yet. You can call it a workaround, but it's the only approach that actually works today and in the visible future.

> So you agree Qubes is not a 100% secure OS like the other poster was asking for, correct?

The poster is asking for a fairy-tale. I suggested something realistic that solves the problem instead.

> None of them are claiming it is as close to 100% secure as possible. No security expert would. Not even a security hobbyist would. It's a nonsense claim.

I also don't. But you seem to be seeking 100% security, don't you?

> That was always within your control.

I wasn't talking about my own words.


> This is called goal shifting.

Far from it. You claimed Qubes was a 100% secure OS. I'm pointing out that it's not. Plenty of people use Qubes for browsing.

You are the only person goal shifting, by giving a specific scenario where you think your claim might apply (it still doesn't). When I mention a more common scenario, you call it goal shifting. This is blatantly dishonest.

> You browse untrusted websites in a disposable VM, which doesn't contain anything sensitive. You move any downloaded untrusted files to a dedicated storage VM and never open them there without another, dedicated disposable VM.

Yeah, I know how Qubes works - you're continuing to miss the point. Sometimes, you may have to upload sensitive data, so you do it in a disposable VM. That disposable VM is protected from all your other disposable VMs, but it isn't protected if something manages to get access to that particular disposable VM. Do you get it now? Stop being obtuse, just admit your claim was bogus. Be honest.

> I challenge you to provide me with a threat model that is not covered with Qubes. You couldn't yet.

I already did above lol. Kernel level RCE that grants a remote root shell. Boom.

What you don't understand is that a secure OS could protect against that, and there are such secure OSs in existence - just not targeted at consumers.

Qubes can limit the damage, but it doesn't prevent it. It doesn't even really try.

> You can call it a workaround, but it's the only approach that actually works today and in the visible future.

That's just not true, and it's why institutions that actually need real, verifiable security are not using it. It's a hack mainly used by hobbyist tinkerers like yourself.

> The poster is asking for a fairy-tale. I suggested something realistic that solves the problem instead.

It doesn't solve the problem, it's a workaround.

You don't seem to have the ability to flat out admit you were wrong, but I suppose this is as close as you're capable of coming to doing so. I'll take it.

> I also don't.

You literally did so in your last reply.

> I wasn't talking about my own words.

Right, but I was. If you wanted to have a technical discussion, you could have responded with a technical argument in your first reply to me. You didn't, you chose to preach and be overly defensive instead.


Anything made by humans can be unmade by humans. Security is a perpetual arms race.


Can someone explain the problem with 'mature' rated games? As kids (under 10), we played Mortal Kombat and GTA III, laughing when we interacted with hookers in GTA. It was fun, and we had a great time playing these games. What's the issue? It's no different from playing with a wooden sword and shield.


We can quibble about the actual age but in principle I agree about GTA. That's because it's a game designed to be fun for kids.

Let me tell you about elements of games I'm thinking about:

A girl is bullied at school to the point of committing suicide. This isn't a game of vindication. Justice isn't served. Things aren't set right. It's just how things are.

Your brother committed suicide a year ago. As part of the game you have to deal with someone who blames you for it.

A couple has to deal with the grief of their baby drowning in the bathtub. It's not an abstract thing. You as the player have to ensure the baby drowns and set the conditions for it to happen, knowing full well this will be the outcome.

You're a scientist stuck in a weird dimension and trying to figure out how you got here. Well, you got here because you murdered your wife and kid and then killed yourself but before you did that you made a copy of yourself and your family in a virtual world. That plan didn't work out well.

Edit: Just in case anyone gets deceived, the games aren't about these things but they do explore them as part of the game. The point is a lot of modern mature games tackle very adult topics.


It's been a long time since I kept current on games.

Reading these descriptions, I have only one comment:

What the *HELL*?!!?!!!


Don't knock it until you try it. 3 of the 4 games are highly rated, winning multiple awards. One is frequently mentioned on HN as one of the best games ever.

Games are a medium to tell stories. If you can conceive a TV show or movie tackling these themes there's no reason to think games should be exempt. In fact they are far superior in addressing these themes than movies are.


I follow some games but have 0 idea about those. Are those telltale/telltale-like story games?


I didn't want to name some of them because of spoilers.

Two of the games are made by former Telltale employees.

One of them is What Remains of Edith Finch (not much of a spoiler - plenty of other great stuff in the game).


Go type this into perplexity: "Are there any health studies about what exposure to pornography does to childhood development?"

Here's another good one: "Are there any health studies about what exposure to violence or horror does to childhood development?"

There is a reason that rating systems exist and that we shelter children from these things.

The pre-rebuttal that you posted "this was common in my childhood" is no indicator that this was a healthy behavior for you or the masses.


That's an even weaker argument: AI and ratings.

Ratings are very criticized by artists, e.g. as being fueled by conservative moms. For example, in the USA, movies with guns and explosions can be shown to younger audiences than nudity - seems very illogical.

Also, some anecdotes: lots of my friends were into GTA as kids, i.e. early teens, and turned out fine. Comparing to kids who didn't do so well, I consider the most important factors to be family, education, and finances, not violent multimedia.

With that being said, I'm sympathetic to limiting internet access due to communication with strangers, and extreme content (e.g. violent rhetoric that appeals to action, not fantasy violence).


Okay. Society isn’t asking you to police how parents choose to parent. Not like this. It is reasonable for someone to want to be able to buy something advertised as having a certain feature without it being implemented with malicious deception. Nobody wants to have the “are video games good or bad?” debate again.


In my mind, when I was 13 I played Carmageddon and GTA1.

In reality I was 15 when they came out. The graphics in GTA weren't much different to Frogger. Doom and Quake involved blasting monsters, not people. Duke Nukem 3D and Half-Life had very unrealistic looking people.

Today's games are very different in terms of visual quality, but even then, GTA is relatively mild compared to many games. You can hit a prostitute with a bat and kill her, but you can't drag a random person off the street and plunge their arm into a deep fat fryer.


I did it as a kid but I also understood that if my parents SAW me doing it I’d feel embarrassed and they might scold me. I think there is some character building benefit behind making sure that simulating or watching inappropriate behavior should have an air of seediness and illicitness to it, even if the kids are technically able to access the stuff.

But I will say the rating systems have not caught up to the reality of where the dangers of modern media are. I worry a LOT more about skinner-box mechanics, design choices that cultivate addictive personality traits, and communication systems that create openings for cyberbullying and grooming/sexual interactions with minors. These are much bigger problems that I feel the industry does basically nothing to even inform me about, let alone empower me to manage.


My dad says the same thing about seatbelts.


I was against mandatory seatbelt laws at first because I disliked the intrusion.

That was it. My entire argument was (and I emphasize WAS) that I didn't like no gubment tell me what to do. If I wanted to be a damn fool and kill myself why would they care? It's a stupid act to try to outlaw stupidity.

Then I found out that seatbelt laws are actually about decreasing the financial burden of underinsured accident victims. The "gubment" doesn't care if you die, but they do care if they have to fund weeks of medical support before you die despite the treatment, or if you survive but are disabled and wind up on social security.

That realization made me give up.

It was always about saving money, not lives. With seatbelts and airbags you are more likely to either walk away uninjured or at least not so injured that you spend more than a few hours in the hospital.


I’d strongly encourage you to spend an iota of time outside the US.


I'd strongly encourage you to cease assuming you know anything about someone outside of what is expressly listed to you.

So you’re trying to say it’s a survivorship bias? Well, I did turn out right, and everyone I know from childhood has turned out alright as well, except for a few who had problematic parents. So games did not cause harm, but rather irresponsible parents (or, to be fair, parents with mental problems...).


What if these kinds of games are a problem for kids with shit parents, or kids who are in a dark place for other reasons, like bullying? The same with drugs, gore, or porn? Should we just ignore those kids? Or what do you propose?


Well, I think you’ve argued yourself into a corner there. Shit parents aren’t going to deny access to video games which are too mature for their children, so a rating system isn’t going to help.


You blame unfettered access to AOL chat, I blame your parents for giving you internet access and not teaching you to never share your real name or real address online. Mine taught me that early on. Later, I learned about proxies so I could further hide my approximate IP location from danger.


No, I blame the rapist personally; predators exploit any tools they're able to.

There was plenty of "you need to get your kids on computers so they can get the jobs of the future" in the 90s that parents fell into, and information about online predation was almost non-existent at the time - I didn't even have to share my home address or name, I was encouraged to meet this person at their church.

Mind you, my guardian at the time didn't even graduate high school.

I shouldn't have been given access to tools my parent didn't understand, but corporations still pressure this constantly today.

I doubt even a single digit % of parents know what they're doing when giving kids free access to YouTube, for example... and recently the CEO of Roblox called pedophiles an "opportunity".


I don’t see a problem with the github PR workflow for updating documentation. Yes, it’s one step more, but it’s nothing special when you use github’s online editor.

PS: MDN and MSDN are my favorite documentation sites.


It's sad that we have to wait for the EU instead of having laws for cross-device and software compatibility.


I think criticizing JavaScript has become a way of signaling "I'm a good programmer." Yes, good programmers ten years ago had valid reasons to criticize it. But today, attacking the efforts of skilled engineers who have improved the language (given the constraints and without breaking half of the web) seems unfair. They’ve achieved a Herculean task compared to the Python dev team, which has broken backward compatibility so many times yet failed to create a consistent language, lacking a single right way to do many things.


> But today, attacking the efforts of skilled engineers who have improved the language (given the constraints and without breaking half of the web) seems unfair.

I was criticising a thing not a person.

Also your comment implies it was ok to be critical of a language 10 years ago but not ok today because a few more language designers might get offended. Which is a weird argument to make.


I think he’s saying it’s a fundamentally improved language at this point?


Not OP, but the case can be made that it's still the same very ugly language of 10 years ago, with a few layers of sugar coating on top. The ugly hasn't gone anywhere. You still have to deal with it and suffer the cognitive burden.


> Not OP, but the case can be made that it's still the same very ugly language of 10 years ago, with a few layers of sugar coating on top.

Let's talk specifics. As it seems you have strong opinions, in your opinion what is the single worst aspect of JavaScript that justifies the use of the word "ugly"?


https://dorey.github.io/JavaScript-Equality-Table/

https://www.reddit.com/r/learnjavascript/comments/qdmzio/dif...

or anything that touches array ops (concatenating, map, etc…). I mean, better and more knowledgeable people than me have written thousands of articles about those footguns and many more.

I am not a webdev, I don't want to remember those things, but more often than I would wish, I have to interop with JS, and then I'd rather use a better behaved language that compiles down to JS (there are many very good ones, nowadays) than deal with JS directly, and pray for the best.


Both of the things you quoted are basically gone in practice, you just always use const/let and always use triple-equals for equality comparisons and that's that. Most people that write JavaScript regularly will lint these out in the first place.

OTOH I think JS has great ergonomics, especially wrt closures, which a number of popular languages get wrong. Arrow functions provide a syntactically pleasant way to write lambdas, let/const have per-iteration binding in loops to avoid nasty surprises when capturing variables, and there are a good number of standard methods that exploit them (e.g. map/filter on arrays). I also think, though a lot of people would disagree because of function coloring, that built-in async is a great boon for a scripting language: you can do long operations like IO without having to worry about threading or locking up a thread, so you get to work with a single threaded mental model with a good few sharp edges removed.


If type conversion and the new var declaration keywords are your top complaints about a language, I'm sorry to say that you are at best grasping at straws to find some semblance of justification for your irrational dislike.

> I am not a webdev, I don't want to remember those things, (...)

Not only is JavaScript way more than a webdev thing, you are ignoring the fact that most of the mainstream programming languages also support things like automatic type conversion.


> you are at best grasping at straws to find some semblance of justification for your irrational dislike.

You seem so emotionally involved that the whole point whooshed above your head. JS is a language that gives me no joy to use (there are many of those, I can put Fortran or SQL in there), and, remarkably, gives me no confidence that whatever I write with it does what I intend (down to basic branching with checking for nulliness/undefinedness, checking for edge cases, etc). In that sense it's much worse than most of those languages that I just dislike.

> Not only is JavaScript way more than a webdev thing, you are ignoring the fact that most of the mainstream programming languages also support things like automatic type conversion.

Again, you are missing the point. JS simply has no alternative for webdev, but it's easy to argue that, for everything else, there are better, faster, more expressive, more robust, … languages out there. The only time I ever have to touch JS is consequently for webdev.


Or good programmers understand why JS is bad?


Looks like open source helped create Silicon Valley, while no IP laws made Shenzhen. Sharing seems to really drive industry growth, so maybe the US and EU should rethink their IP laws?


I think he meant things like his personal notes and files stored in an app like Evernote, which law enforcement can request copies of. I don't like the idea of someone reading my private notes...


Me either.

You can write them down on paper.

If we all acknowledge that the internet is a beautiful disaster that shan’t be trusted, which it always has been and always will be, we can all collectively get over ourselves about privacy on the internet. “Hey world I went overseas for vacation/holiday! I cooked this amazing dinner! I’m cheating on my SO using an online chat app!”

Maybe stop doing all 3 of those things. I can’t tell you how liberating it’s been since I got off all social media in ~2008. It’s super easy to be very private if you so choose. Having any kind of internet presence is a voluntary sacrifice of privacy.


When I imagine humans as an interplanetary species, I see animals among us (including cows, chickens, etc.). Yes, it's not something you typically see in sci-fi movies, but I think we should replicate our environment as much as possible so we don't forget something important that we didn’t know was necessary.

