Posted on 07/02/2017 8:26:59 PM PDT by Ernest_at_the_Beach
******************EXCERPT********************************************
The Snowden revelations have not only motivated people to build new security-centric tools but also to take a fresh look at the tools we previously considered secure. This holds true for ultra-secure operating systems like TAILS and has spawned reactionary projects like SubgraphOS and QubesOS. Let's take a look at the state of these projects as well as their end goals.
TAILS, for years, has been the most popular OS for the anonymous community. With official support from the Tor Project (financial and managerial), many regard it as the de facto standard.
The TAILS security model can be considered classical in the sense that it attempts to take an existing OS and harden it to the nth degree, add some privacy-enhancing tools, and make sure there are no compromising flaws.
As stated, we are paying more attention to the secure tools that we use, and this has identified some fatal flaws in TAILS. If you look back at the TAILS project, the number of vulnerabilities identified and reported was much smaller before the Snowden disclosures than after them.
I'll start by saying this is the project I'm rooting for. QubesOS starts with the premise that your OS will be exploited. Your browser will exploit you, your storage device will attack your computer, your mail client will try to attack your web browser. To mitigate these risks, they were the first project to successfully implement a compartmentalization model using a hypervisor (Xen, as opposed to Linux kernel controls).
If that seems too abstract, here's an example: you want to sell illicit things on the darknet. In Qubes, you build a new Whonix instance running TBB and all your activities are done in that context.
Technical details aside for a moment, it works similarly to how I write about OPSEC: everything is a separate identity, one identity does not touch another, and when you are done with an identity, burn it. Replace the word identity with virtual object and you have their security model.
This is accomplished by making several virtual objects. You virtualize your firewall, you virtualize your USB controller, you virtualize the browser you're using for Project A, and separately, you virtualize the browser you're using for Project B. From there, QubesOS helps facilitate communication between those objects if necessary.
QubesOS offers some features that no other system currently offers. The big one for me is virtualization of the USB controller. So not only are you creating virtual machines, you're creating virtual controllers. If something malicious is plugged into your system, even in the case of a 0-day exploiting the firmware of your USB controller, the rest of your system is not compromised.
The other major feature, which we know is in the GCHQ playbook, is protection from WiFi driver exploits. We've heard of this exploit being used in the wild but have yet to have a real mitigation for it. With QubesOS, your wireless card is its own virtual object that contains the exploit within its own virtual machine.
There is a lot more to talk about with QubesOS but it does seem the one to watch going forward.
****************
Any one with experience with this?
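For anyone who wants to see what the compartments described in the excerpt look like in practice, here is an added example (not from the article above and not the Qubes project's own tooling) of the dom0 commands that build them: a dedicated USB qube with the controller passed through, a per-project Whonix workstation used only as a disposable template, an egress firewall on one of the projects, and a throwaway Tor Browser session. Assumptions are labelled in the script: Qubes 4.1-era qvm-* syntax, a Whonix workstation template called whonix-ws-16, a Fedora template called fedora-38, an existing sys-whonix, and a USB controller at PCI 00:14.0 (look yours up with `qvm-pci`). Run it with `plan` to print the commands, `apply` to execute them in dom0.

```shell
#!/bin/sh
# Added example, not the article's or the Qubes project's code.
# Builds the compartments the excerpt describes using Qubes 4.1-style qvm-* tools.
# Assumed names: template whonix-ws-16, base template fedora-38, net qube sys-whonix,
# USB controller dom0:00_14.0. Override them via environment variables.
set -eu

: "${DRY_RUN:=0}"                                   # 1 = print commands instead of running them
TEMPLATE="${TEMPLATE:-whonix-ws-16}"                 # assumed Whonix workstation template
BASE_TEMPLATE="${BASE_TEMPLATE:-fedora-38}"          # assumed template for sys-usb
USB_CTRL="${USB_CTRL:-dom0:00_14.0}"                 # assumed controller id, see `qvm-pci`

# Run a dom0 command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. A dedicated USB qube. The PCI controller is handed to this VM, so a hostile
#    device (even one that exploits the controller firmware) only ever talks to
#    sys-usb, which itself has no network.
setup_sys_usb() {
    run qvm-create --class AppVM --template "$BASE_TEMPLATE" --label red sys-usb
    run qvm-prefs sys-usb netvm ''
    run qvm-pci attach --persistent sys-usb "$USB_CTRL"
}

# 2. One Whonix workstation per project, routed through sys-whonix and used only as
#    the template for disposable VMs: every session starts clean and is destroyed
#    on exit, which is the "when you are done with an identity, burn it" rule.
setup_project() {
    name="$1"
    label="$2"
    run qvm-create --class AppVM --template "$TEMPLATE" --label "$label" "$name"
    run qvm-prefs "$name" netvm sys-whonix
    run qvm-prefs "$name" template_for_dispvms True
    run qvm-features "$name" appmenus-dispvm 1
}

# 3. Egress policy enforced in the (virtualized) firewall, outside the project VM:
#    allow only TCP/443 to one host, drop everything else. The fresh rule set
#    contains a single default "accept" (rule 0), which is removed so the final
#    "drop" is what applies to unmatched traffic.
restrict_egress() {
    name="$1"
    host="$2"
    run qvm-firewall "$name" reset
    run qvm-firewall "$name" add action=accept dsthost="$host" proto=tcp dstports=443
    run qvm-firewall "$name" del --rule-no 0
    run qvm-firewall "$name" add action=drop
}

# 4. Open Tor Browser in a throwaway VM derived from the project's template.
open_project_browser() {
    run qvm-run --dispvm="$1" torbrowser
}

main() {
    setup_sys_usb
    setup_project project-a red
    setup_project project-b orange
    restrict_egress project-b example.org
    open_project_browser project-a
}

case "${1:-}" in
    plan)  DRY_RUN=1 main ;;
    apply) main ;;
    *)     echo "usage: $0 plan|apply" ;;
esac
```

The `plan` mode is the useful first step on a real box: read the printed `qvm-create`/`qvm-prefs`/`qvm-pci` lines, correct the assumed template and controller names, and only then run `apply` in dom0.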
Unix based OS are inherently secure. Apple OS is Unix based and is much more secure than Windoze.
The Qubes OS would run different Windows in a virtual machine nicely I think given enough horsepower.
Consider OpenBSD. It is the most inherently secure BSD.
OpenBSD is the most secure I know of and it is mainstream.
Encryption and/or storing the files on an external drive that spends most of its time disconnected.
BTTT
“Apple OS is Unix based and is much more secure than Windoze.”
This is why I do all my work on a Mac vs a PC. It’s just too risky, IMO, for me to risk my work using Windows. I run a small project recording studio & if I lose my customer’s project because I get locked out by a ransom virus, I would be screwed every way imaginable.
Has any outsider ever hacked a mainframe?
Most companies are not going to talk about it.
Look at the attacking and downloading from US Government websites.
In the old days, many systems were Mainframe plus CICS or MFS on the front end. Some still are that way.
But many shops went hybrid, Mainframe on the backend for the database and heavy duty OLTP processing. But the front end is now apps on the web. Those apps could access the mainframe directly. But most often the design is to offload the results of the mainframe processing to middleware.
I’m aware of many cases where that middleware was hacked. But I’ve never heard of the mainframe being hacked. There are two reasons. One is that the mainframe is designed to be secure. The second is that mainframe programmers are paranoid. Good mainframe programmers write tight code, sometimes too tight.
In contrast middleware programmers write code that has many entrances and exits and many more opportunities for hackers to access.
Mainframe security has failed when an insider accessed it and sent it outside, or an ex-insider found his RACF had not yet been revoked. A couple years ago I worked in a shop where managers intentionally kept around the RACF of several people who had not worked there in years because they thought it was too much trouble to update RACF. Managers...