Security or obscurity

Unless you’re paranoid, then you’re relying on software to check the chain, and that then is the weak link.

http://heyrick.co.uk/random/pics/ssl_hijack.png

Unless you personally check and no where and what to check, you’re relying on software which may or may not work as intended, as my screenshot indicates.

to harden the system to a hostile internet

Or just minimise exposure. There are many systems better suited to interacting with the internet, some of which could be used as a gateway/firewall. That’s one of the things that I like about NAT and having rules in the ADSL router. I hope long gone are the days of having a USB modem with a machine directly connected to the internet…

Do remember that a sandbox is really just another layer to break through. There’s nothing magical about them, and they have been compromised.

When I say signed, it’s sandboxed OR signed.
AKA core = signed by MS+OEM (Windows), Google+OEM (Android)
And all the other applications: sandbox.

Sandbox is not a bad idea but it’s annoying in the real world.

I know. I just say there is no (real) other way :)

OpenBSD

OK, to use a fully audited OS is another solution. But don’t forget that no package/port is audited. So you must use the OS as is, and never install/compile any other software.

Or just minimise exposure.

Close all ports. Done.
Hardening TCP/IP stack for floods. Probably not done.

There are many systems better suited to interacting with the internet, some of which could be used as a gateway/firewall

That’s what I’ll do

So you must use the OS as is, and never install/compile any other software

I do. cwm is my favourite window manager. I compile my own patches from OpenBSD but they’re signed with signify and are audited code.

Thing is, OpenBSD is more for freaks like me. RO is more for normal people, but it’s getting dated. I cant wait to get under the hood with RO, but it needs a clear development path and not to be held back by old software.

This is a tall order for the RO community, from what I can tall, as many still use legacy software.

I guess the question is should RO not worry as much with backwards compatibility (a little worrying is healthy) or should RO just be maintained with backwards compatibility in mind at the cost of more modern OS features and protections?

One of the more obvious points, before RISC OS needs hardening for the internet, it needs to be able to use it!

One of the more obvious points, before RISC OS needs hardening for the internet, it needs to be able to use it!

It needs to be both, to be honest. RO needs to tempt in more users to tempt in more developers. When we do this, RO now has a bullseye on its back from malicious hackers. A clear roadmap to update RO as well as more advanced features like stronger memory protection, modern crypto for web, and privilege separation will help make the way easier.

At the moment, RO probably doesn’t need these features yet, as it is obscure, but when it does need them, it can be a long and hard road to add them in. If RO grows, and I think most want it to grow, prudent measures to slowly add some of these features early or a clear roadmap of when they’ll be added will save a lot of headaches and heartaches in the future if we succeed in growth.

or should RO just be maintained with backwards compatibility in mind at the cost of more modern OS features and protections?

The answer is in the question. An OS without the existing ecosystem of application is another OS. It could exist, as a new RISC OS like system, but it won’t be RISC OS. Anyway, compatibility with old applications is not done at the cost of modern protections.

A closed to native emulation tool could be the base of an abstraction layer for security. And since RISC OS is small, and has file exchange capabilities (sharefs), the VM/containers will be very very small. A better filesystem protection could be implemented too (a passworded protect attribute). Etc.

stronger memory protection…

Good for stability, not for security, as every application can claim vectors and play with system things. That’s the power and limit of RISC OS. RISC OS is more a free to use/ignore toolbox, than a strict conductor.

privilege separation

I’m a bit sarcastic/pessimistic on this point. We did invented privilege separation. They invented privilege escalation. It just slow down – a bit – bad hackers (and computers too). And what will you do with malware that attack your data? (ramsonware). IMHO “partial protection” is not different from “no protection”. Absolutely no use.

The only solution is prudence, abstraction tools, and good backups.

Put all your tools and data in a VM, and only trusted tool in the main OS. And you have a solution for process separation, multi user, snapshots, old computers emulation, etc.

Put a login shell in front of the Wimp. Supervisor mode is the main OS. Others are VM in fullscreen (one for each user, other ones for applications in protected mode, etc.).

It could be also a solution for multiprocessing support. 4 VM = AMP mode (4 instances of RISC OS, 1 on each core). It seems to be stupid, but AMP has qualities: no giant lock problem, ready for clustering. SMP is convenient, but it does not scale so well.

SMP is a multinational company. AMP is a pool of SME :)

I appreciate your comment David, but I think you’re missing my point

An OS without the existing ecosystem of application is another OS

Absolutely, I agree. The process needs to be gradual and done slowly to give developers a chance to change their code. Supporting apps no longer in active development, however, will stop RO moving forward.

Good for stability, not for security

I’m a bit shocked by this. Most exploits I can recall to mind are exploiting how memory works. Obviously this is a complicated topic and I don’t know how I can condense it into a forum post to explain it better.

IMHO “partial protection” is not different from “no protection”. Absolutely no use.

I find fault with your conclusion. All protecion is “partial protection”. There is no single secure solution. Once you start stacking these things up, it makes life hard or impractical to break in to somebody’s computer.

The only solution is prudence, abstraction tools, and good backups.

Prudence is what I’m suggesting, planning ahead now. Personally not a fan of abstraction but I can see how it helps productivity though I cant see how it helps with security, but would the interested in learning. Backups are good for preventing lost data, but it does nothing if someone steals your data. More and more people are trusting computers with sensitive information these days.

Cyber security is no different to physical security. It doesn’t matter what doors and windows a building has and how many locks you fit. If someone is determined to be in they will break in.

You can only buy time in the hope of discouraging them.

I’m a bit shocked by this. Most exploits I can recall to mind are exploiting how memory works.

I know. But explain me where a code launched as root (as is, or with privilege escalation) will be less harmful with a stronger memory protection system. It’ll be more stable. That’s all.

I find fault with your conclusion. All protecion is “partial protection”. There is no single secure solution. Once you start stacking these things up, it makes life hard or impractical to break in to somebody’s computer.

Now, pirates are on Internet, and they have botnets. So the trick to slow them down is 0 use. What is needed is much more. The x exploits * x software is not possible any more. One solution is to use 1 frontend. For example a web browser. Then the x*x becomes x*1. And if you sandbox the web browser, it’s even less: around 100 critical flaws a year for Firefox. Around 1 or 2 for Chrome.

It’s time to say “stop”. We’re still on “get a good anti-virus”, while saying “the last attack was a 0-day, not detected by the anti-virus”. What’s the point? Android shows us the way to follow: strict sandboxing, with no impact on people work.

But there is still the problem of data corruption. Solution: get a strong backup system. Because, it’s cool to protect the system, but it’s no use for data corruption. Most malware are even not malware from a code point of view. Just apps that does bad things. How do you want to stop this? With illegitimate code protection? Na! With data protection.

You can only buy time in the hope of discouraging them.

I’m afraid, you can’t discourage a botnet :)

http://www.zdnet.com/article/hey-cyber-techbros-smugly-yelling-patch-and-back-up-wont-fix-ransomware/

Yep, part true. Every OS today should be at least better than OpenBSD or Android. Why it’s not the case? Because we get accustomed to bad code.

I know that no protection is perfect. But there is a very big difference between state of the art protection (as used in some embedded systems) and the current situation. Here, we just close the door, without trying to lock it, and say, “hey, it’ll block the dumbest pirates”. RISC OS is honest: it does not even try to do this :)

The WannaCrypt attack is a wake-up call for all of us. (Microsoft)

Absolutely.

Every OS today should be at least better than OpenBSD

I would love this but lets be realistic here, OpenBSD is a research OS. They implement new security software and ideas, software breaks, then they fix it and push it upstream. Years down the line people implement the feature into their OS as a lot of software is now fixed to run on OSes with said feature. How would RO users feel if their apps stopped working every 6 months, because honestly that is what OpenBSD is like.

Because we get accustomed to bad code.

This is true, but I also think people aren’t security aware. And why should they be? I spend a lot of man hours researching security as a sysadmin, I don’t think you can ask normal users to do that. Some developers take advantage of the end users ignorance, but most developers I’ve met are also unaware of modern security. I’m a terrible developer and I wouldn’t trust my own code. :D

RISC OS is honest: it does not even try to do this :)

This made me chuckle. Let me be clear, though. If tomorrow you woke up and RO had a ton of security features making it one of the top 2 secure OSes, it wouldn’t make a blind bit of difference to it’s users, other than all your 3rd party apps would stop working. RO is obscure, and that is an excellent security feature. It works for IBM’s z/OS.

I just wonder if very slowly we implement these features over the course of 10 years, and assuming RO grows it’s install base, then when/if we need those features, they’ll be there ready and waiting with minimal pain instead of a frantic dash to patch and break applications.

The problem here is that some changes to harden RISC OS would break everything. For instance:

• Low level modules should run in SVC mode (Kernel, HAL, maybe FileCore).
  Everything else should run in SYS mode.

• User mode applications should have no write access to “protected” module space. Since modern ARMs don’t seem to like having “read, no write” access, this may imply that protected module space may be inaccessible from applications.
  Of course, one could claim a small DA flagged as accessible in user mode instead of cluttering the RMA with junk.

• Speaking of module space, the area of the SYS mode modules should be split into module code and module data, not the two mashed together.

• Important system data should go into a DA that is only accessible from SVC mode, so nothing else (USR or SYS mode) can touch it.

• Many calls need to be hardened to reject bogus input. RISC OS generally doesn’t sanitise input data… ZPP demonstrated this quite effectively. ;-)

And that’s for starters. And that would break everything, including large parts of the OS itself…

Better perhaps, to simply accept that RISC OS is inherently insecure, and to place it behind an effective firewall. Not perfect, but it’s a start. At least we’re immune to the current nasty.

I don’t know much about RO (only had it 2 weeks) and I haven’t had a chance to play with the source (waiting for ROOL to send me a working ePic card) but surely those changes could be made gradually without forcing the policy?

And encourage devs to use better practises and avoid others?

place it behind an effective firewall

It would minimise attack but not being funny, is that possible for normal RO users? I think I’d have a tough time securing a consumer router. Building your own router is okay and that’s what I’ve done but, to me it seems every RO user’s website keeps getting hacked. I cant get on Piccolo to grab !SystemDisk because the site once had malware and is now down for maintenance. How would normal people be able to write secure firewalls?

Even then, most desktop attacks are from users browsing the web, so unless you’re also blocking 80 and 443 outbound (and seriously whats the point in connecting to a network then) then firewalls wont help much for the average person.

Everything else should run in SYS mode.

I’m sure I’ve told you this before, but SYS mode is a privileged mode. It uses the USR mode registers, but it has the exact same privileges as SVC/IRQ/FIQ/etc.

Since modern ARMs don’t seem to like having “read, no write” access, this may imply that protected module space may be inaccessible from applications.

Clarification: “read, no write” is fine if you want those permissions for all privilege levels. But for USR read-only, SVC read-write, you’re correct that ARM have dropped support for it in the newer page table formats (like the “long descriptor” format that we’ll eventually have to migrate to to support >4GB RAM)

Of course, one could claim a small DA flagged as accessible in user mode instead of cluttering the RMA with junk.

Yes. If an unprivileged app can read arbitrary data from an area of memory used by privileged code then that’s a massive security hole.

Speaking of module space, the area of the SYS mode modules should be split into module code and module data, not the two mashed together.

Yes. With the current setup there’s no proper way to flag the code as read-only (or the data as non-executable).

And that’s for starters. And that would break everything, including large parts of the OS itself…

There’s no reason it has to be an “all or nothing” solution. We can add support for sandboxed apps + modules, which run in user mode and have a different memory map. Non-sandboxed code will still be able to mess with them, but if we can get to the point where a working system can be built form just sandboxed code then security-mindend individuals shouldn’t have anything to worry about*.

It would minimise attack but not being funny, is that possible for normal RO users? I think I’d have a tough time securing a consumer router.

I think this depends upon the router… For the Livebox, there are three levels: none, default (allow outgoing, block incoming), and custom (complicated).

then firewalls wont help much for the average person.

The important thing, assuming one doesn’t get tricked into installing malware, is to block incoming traffic. It’s hard to break or crash a machine if it simply isn’t visible to the outside world.
Once upon a time internet connections were directly to the device (USB modem), but now the average router ought to discard many unwanted connection attempts.

to me it seems every RO user’s website keeps getting hacked.

A dose of hyperbole, but you’ll probably find those websites are running on a supposedly secure and solid operating system.
My server? Runs on RISC OS. Plenty of hack attempts logged. All fail. The security-through-obscurity is strong. ;-)

If anyone is interested UHCW NHS Trust – partner organisations(most of them) have cleaned up their systems so we exited Turtle mode.
Now we are just in you aren’t on my friend list mode :)

This is actually a test of the N3 links to the internet.

Been a long day (so far¹) checking 3rd party systems and disconnecting people who won’t play the game.

¹ Finish time is actually 50 minutes ago (fail)

you’ll probably find those websites are running on a supposedly secure and solid operating system.

I doubt that, it’s probably a Linux distro. You can secure it, but I’ve only done it on an enterprise distro like RHEL/CentOS and you’ll need SELinux (which everyone seems to disable because it breaks everything). It also wont be secure out the box so will need hardening. It’s not idiot-proof.

My server? Runs on RISC OS. Plenty of hack attempts logged. All fail. The security-through-obscurity is strong. ;-)

Haha. Well done. Like I said, obscurity is a form of security.

The biggest security hole in RISC OS is that Filer executes everything it sees, as long as it’s a directory with a name beginning with “!”. With the addition of SparkFS just reading a Zip file gives an attacker the ability to execute arbitrary code. I also find it a nuisance changing which programs open text files.

StrongHelp is also bad, it is apparently just a document viewer but will execute arbitrary code embedded within the manual by design.

I doubt that, it’s probably a Linux distro.

Most likely, yes.

It also wont be secure out the box so will need hardening. It’s not idiot-proof.

Indeed. That’s why I have somebody else run my main server. But, even that is not necessarily any guarantee. Web facing things will be attacked, and given the complexity of a lot of it, there will be enough holes to poke. WordPress anyone?

Haha. Well done. Like I said, obscurity is a form of security.

It probably helps that the server doesn’t execute anything. It just gives static pages. When you read my weather report, it’s another task that collates the data and builds the page, every five minutes.

and disconnecting people who won’t play the game.

Indeed. Given the scale of what just happened (a secret Microsoft ploy to kill off XP once and forevermore, right?), those who don’t get it need to be dropped on the floor. Might help concentrate their minds…

The biggest security hole in RISC OS is that Filer executes everything it sees,

Yeah, I believe that’s the point. ;-)

[Geek: there’s a vector or service call or somesuch which could be used to trap and sanitise software about to be loaded]

gives an attacker the ability to execute arbitrary code.

They don’t need archive image files… Seriously, how often to people audit code they have downloaded for RISC OS? The package managers make it easier to install stuff, but do you ever look to see what is actually being executed? I’ll bet quite a few people don’t, and an even greater number probably wouldn’t spot a virus if it was embedded in an executable with a readable message saying “the following arrangement of bytes are a virus —>” in readable text!

We are trusting. Maybe it’s a fault, but it is also kind of nice. When I download software for my PC, the first thing I do with it is upload it to VirusTotal to ensure it’s nothing unpleasant…

I also find it a nuisance changing which programs open text files.

Generally, the last program run that can handle text files will be associated, and the first one running will get the open request.
If you load Zap, StrongEd, then Edit and then load a text file, it ought to open in Zap as that’s the first editor you loaded.
If you quit all three and then load a text file, it ought to start Edit and display the file in Edit, as that’s the last one that messed with the file association.

StrongHelp is also bad, it is apparently just a document viewer but will execute arbitrary code embedded within the manual by design.

While that is technically correct, the “!Pre” file has a specific purpose, and it is executed in certain conditions. I’m not aware of StrongHelp having any “just run this bit of code” command…?

apart from all the nightmare-inducing attacks which exploit hardware behaviour

I do wonder if there is a lurking horror in ARM’s TrustZone. It’s the same sort of idea as the Intel one that was just shown to be deficient.
I’m wondering if having any secret system that can run below the operating system is a good idea. For the purposes of DRM, one could have an associate module, but one that interacts with the OS and is controlled by it. All this hush hush super low level stuff is surely a lurking disaster?

Now, if you’re bored, go search my blog for “IPCAM”. That’s what happens when somebody doesn’t even try……….
RISC OS has an excuse. It was never secure. The IP camera? Woeful. Took a version of Linux and a version of GoAhead (server) and cocked them both up. Utterly Made Of Woe.

Apropos: https://www.theregister.co.uk/2017/05/15/volvo_android_connected_car_software/

Apropos: https://www.theregister.co.uk/2017/05/15/volvo_android_connected_car_software/

I’d choose QNX over Android everytime.

Indeed. Given the scale of what just happened (a secret Microsoft ploy to kill off XP once and forevermore, right?

Well that’s a fail then, because they issued a patch for XP to deal with this specific hole but obviously there will be others not yet disclosed.

Home now, had food. Got away at 19:25. Took a few hours opening the bits we closed.

because they issued a patch for XP to deal with this specific hole

… after a decent chunk of the XP owning world got their asses handed to them their weekend ruined.
… and possibly only “exceptionally made available” because of the sheer scale of the problem.

I know there was a patch. Downloaded it, will apply next time I switch the machine on.