“The OS vendors need to start thinking very hard about this, because the current defenses just won’t cut it.”

And we hope they don’t, because then we are out of a job ;-)

I really don’t think security has to be quite so difficult as it seems right now. The problem, as I see it, is not about figuring out what to lock and how to lock it. It’s about figuring out where to install a few carefully-placed doors into otherwise solid walls.

I used to write a lot of code destined for ROM. I believe ROM code can be made intrinsically safe against any attacker who does not have physical access to our hardware. (One exception is for content-free denial of service attacks, which cannot be prevented by any locally-deployed method.)

Of course no system can ever be completely secure. As users, we will always be able to act carelessly and take imprudent risks. Nevertheless, we can do better than to leave all our money and possessions out on the front porch every night, with fireflies assigned to guard them — which is essentially what we’re doing now.

However… if Kaspersky’s PR had said “ah, we will take a few years to write a new OS, based on safe paradigms; users who migrate to it will be safe from this threat”, now that would be elegant useless crystal tower talk. They aren’t a OS outfit, like MS, RH, Debian/Ubuntu, Novell or OLPC. And they can’t turn their backs on their customers like that.

Frankly, I am not sure if there is something practical that can be done in the current situation to help people _now_. Those users are in the sh*t, and will continue to be in there for a while — yes, hopefully the industry will move faster towards a better paradigm… but however fast it happens, it won’t be fast enough :-/

With respect to “there are no better countermeasures,” didn’t you just write that you are working on such a system for OLPC?

Personally I just cannot believe that an OS is impossible tod secure. I mean, suppose all the code runs from ROM, and it is (physically) impossible to execute anything from data space. I don’t see how that arrangement could fail.

Ralph — I considered the “we’ll help people already affected while we develop better countermeasures” argument, but the point is that there are no better countermeasures for anti-virus companies to develop. Unless they want to get into the full-disk backup business.

except that one could justify factoring a key which has already been imposed on some victims, while simultaneously taking entirely different and stronger measures to prevent this happening to anyone in the future.

The first and most logical method of rendering harmless future exploits of this type would be to make backups… something the victims should have been doing every day, ever hour or every minute, depending on how much currency they can afford to lose.