Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Software Technology

100kb of Unusual Code Protecting Nuclear, ATC and United Nations Systems 145

An anonymous reader writes: For an ex-academic security company still in the seeding round, startup Abatis has a small but interesting roster of clients, including Lockheed Martin, the Swiss military, the United Nations and customers in the civil nuclear and air traffic control sectors. The company's product, a kernel driver compatible with Windows, Linux and Unix, occupies just 100kb with no dependencies, and reportedly achieves a 100% effectiveness rate against intruders by preventing unauthorized I/O activity. The CEO of Abatis claims, "We can stop zero day malware — the known unknowns and the unknown unknowns." The software requires no use of signature files, white-listing, heuristics or sandboxing, with a separate report from Lockheed Martin confirming very significant potential for energy savings — up to £125,000 per year in a data center with 10,000 servers.
This discussion has been archived. No new comments can be posted.

100kb of Unusual Code Protecting Nuclear, ATC and United Nations Systems

Comments Filter:
  • by dargaud ( 518470 ) <slashdot2&gdargaud,net> on Wednesday June 03, 2015 @04:21AM (#49828645) Homepage
    Oh yeah ? From reading the summary, it sounds like a scam. But I'd really like to know on what principles this 'security driver' is based on. BTW, the title I used means that you are going to be torn to shreds in french. An aptly chosen name for a company with such claims !
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      on what principles this 'security driver' is based on

      I bet on good-old `security through obscurity`, but plain fairy dust is not excluded either.

    • by monkeyxpress ( 4016725 ) on Wednesday June 03, 2015 @04:48AM (#49828727)

      It appears to be nothing more than a kernel mode IO monitor that allows you to assign disk IO permissions to processes. In other words, it is basically just doing what any modern kernel does anyway. I don't get the power saving thing though - that sounded very snake oil like. I mean, if your system isn't compromised, what CPU operations is it reducing exactly?

      I imagine this thing started out as a legitimate third-party kernel monitor (they refer to watchdog) and then some marketing goons got involved.

      • by Mendy ( 468439 ) on Wednesday June 03, 2015 @05:20AM (#49828819)

        I don't get the power saving thing though - that sounded very snake oil like. I mean, if your system isn't compromised, what CPU operations is it reducing exactly?

        There is a bit in the linked PDF which says...

        "Abatis Hard Disk Firewall, was also tested using the same standardised environment and shown to block applications and background processes from executing; saving energy from a baseline configuration."

        What they seem to have done in the test is taken a standard system and measured the power consumption. They've then tested that baseline with one of 3 3rd-party AV products and recorded the power consumption go up. They've then installed tested it with their kernel module that blocks I/O and unsurprisingly noticed that a system which isn't using the disks uses less power.

        It also says...

        "Between best case, HDF and worst case, AV Product 2 there is a potential annual cost saving in excess of £12 at server level, this scaling up to £125,000 in a data centre with 10,000 servers."

        I would have thought that if you had 10,000 servers and wanted to avoid power I/O costs you wouldn't have specced them with physical storage in the first place and would be network booting them instead.

        • In a big datacenter running VmWare, it is an otfen-broken support policy of not having your scratch somewhere out on the LAN. At least for 5.5x, "scratch memory across a LAN/vlan is not supported", but it still seems to work so it's done. I believe a good chunk of my companies servers already don't have local storage...although I don't know if this is a "standard policy" for us, or even if we managed those servers or just hosted them. The sys admins told me the scratch went across the vlan. I assume it's
          • by azav ( 469988 )

            Your companies? How many companies do you own?

            Shouldn't it be company's* servers? As in, the servers that belong to your company?

      • On the Info security blog [infosecurityeurope.com] he mentions that it's the kernel which recognises executable files.

        So, how does the kernel know which executables are legit to run?
        If I want to run my CreateDancingBunniesDrawingsIn0Days.exe I would give it permission just like the new update from my office suite because I don't know any better. Unless there is a program which recognises the executable as malware and warns me. Something that gets updates hourly from a central source of known malware maybe?
        Better yet, we need somet
        • The control systems for a nuclear reactor or a flight data processing system don't ever need to run CreateDancingBunniesDrawingsIn0Days.exe, or any arbitrary code for that matter.

          Neither, for that matter, do 99% of modern office workers - They don't need anything beyond what amounts to a dumb terminal with a dedicated connection to their ERP system. In security-insensitive environments, we've gotten used to having a web browser and music player and Solitaire and maybe even the ability to customize our de
          • That's why I think it only works in static environments. Back when I set up the first Windows 2003 terminal server farm I used the builtin ability to restrict access to only those programs allowed to run.

            Unfortunately in reality most offices have users with full access to their PC's (because they feel entitled to it) or at least their profile so they can run whatever they want. The only thing blocking their behaviour is up-to-date anti-virus software.
      • by Dunbal ( 464142 ) *

        a kernel mode IO monitor that allows you to assign disk IO permissions to processes

        But that's not white-listing at all, right? Sigh, I hate marketing sperg. Anyway I bet this thing can be hacked/defeated within 10 hours of it going "mainstream" and real people having their hands on it.

      • So, it's like Tron and can even monitor the MCP as well?
      • by Anonymous Coward

        It's simple. All malware carries an approved Illuminati ID marker within it, this kit just happens to have the secret reader for such ID's and can thus immediately disable them via their built-in Illuminati kill-switch. Takes very little code to do if you happen to posses the correct algorithms.

    • by Anonymous Coward

      Well, you know. There's (computer/digital/cyber) security theatre and there's security theatre. It's not like the rest of the industry has tried very hard to do anything fundamental, instead preferring to dole out "exploits" and "patches" like hors d'ouvres and stir up a big hype stink about it every. fscking. time. even complete with identikit website, snazzy buzzwordy name, and heck, a logo and a publicity campaign.

      It's not impossible that instead of tiny little bites these guys offer a hearty meal. OTOH

    • by GoddersUK ( 1262110 ) on Wednesday June 03, 2015 @05:54AM (#49828919)

      I'd really like to know on what principles this 'security driver' is based on

      From TFS I'm going for homeopathy. It's tiny (less than 100 kb, compared to several GB for an OS installation), has no known mechanism of effectiveness ("the software requires no use of signature files, white-listing, heuristics or sandboxing"), uses meaningless techno-babble to explain how it works ("by preventing unauthorized I/O activity"), makes unrealistic claims of effectiveness ("reportedly achieves a 100% effectiveness rate against intruders ... The CEO of Abatis claims, 'We can stop zero day malware — the known unknowns and the unknown unknowns'") and also claims to save the world (" very significant potential for energy savings").

      • by gbjbaanb ( 229885 ) on Wednesday June 03, 2015 @06:29AM (#49828993)

        Its a network driver that doesn't work. No network activity, ergo 100% security against network-bourne threats!

        See, I should have been in marketing!

      • by TheRealHocusLocus ( 2319802 ) on Wednesday June 03, 2015 @06:44AM (#49829041)

        I'd really like to know on what principles this 'security driver' is based on

        TFS I'm going for homeopathy.

        If the marketing technobabble is correct the code is 100k but naught is said about data store, memory and persistent. Or whether the system satisfies these claims 'out of the box' or there is some training/learning period. Of course the pitch also does not indicate how often the Key Operator is called to investigate and override false alarms, and what the investigate/resolution process takes. Some ACs with experience might be useful...

        You could have a 'train/run' switch that you flip to 'train' on first install during a period in which you do not reasonably expect intrusions, putting it through paces and trigger your software to check for updates, things like that, where it passively builds a profile of normal activity. Then flip it to 'run'. Then if it is a machine that does just a few things all day, the software has a pretty good idea of what to expect.

        The payoff would come from how well you could parametrize the basic inputs --- stack state, communications endpoints and addresses, using directory hierarchy on disk --- and introduce a clever degree of fuzziness that also implements a sense of 'near' and 'far' on both class of operation and value.

        Then maintain a pointer in some so-called 'phase space' and burn data into a sparse array to create a virtual landscape with erosion. In 'run' mode it is almost always hitting (or near) areas that have been populated. If the pointer strays from from the populated region we have an alarm.

        For example, a process that has never accessed data outside its installed folders suddenly does so. Network addresses compared by closeness in the neighborhood.

        • "Then maintain a pointer in some so-called 'phase space' and burn data into a sparse array to create a virtual landscape with erosion. In 'run' mode it is almost always hitting (or near) areas that have been populated. If the pointer strays from from the populated region we have an alarm."

          Could you please post a link to more information about these technologies and algorithms? I am very interested in graph analysis, including geolocation of information against a real or metaphorical landscape. I tried Googl

      • by Anonymous Coward

        I'm not buying the "it's too small to possibly be effective" argument. The rest you can make a case for, but 100kB is more than enough for an entire OS, even if most current mainstream OSes are many times larger than that, not always with much of any justification at all. Next you'll be claiming that, say, PuTTY is too small to possibly be useful because most mainstream applications are many times larger than that. That's just not how it works. In fact, one could make a strong case that the very size of con

        • by Anonymous Coward

          Sure, 100kB is enough, but they said 100kb. That's one eighth the size!

    • bool isThreatDetected(IoRequest req) {
        return true; // Caveat: may cause false positives
      }

      // In practice, any claims that software is this effective require detailed, convincing explanation and proof.
      • by putzin ( 99318 )

        // In practice, any claims that software is this effective require detailed, convincing explanation and proof.

        Having been a grunt and a manager in corporate SW environments for a while now, I can attest that claims like this don't require details or proof, just convincing.

    • by Timothy Lawless ( 4136295 ) on Wednesday June 03, 2015 @07:22AM (#49829225)
      Based on the exclusions, it sounds like a Rule-based anomaly detection engine with some sort of self-training module. Ironically, this is one of the first types of IDS systems created, and is counted as one of the first works by Dorthy Denning (http://webpages.cs.luc.edu/~pld/courses/447/sum08/class9/denning.intrusion_detection_model.pdf). The most successful implementations have used the Markov chain based model. Their down side is that they require a degree of 'training' before the IDS model may go active; however, in a well understood environment like that of a windows server running windows applications, its possible the training could be done in the back-end shop and shipped to customers as part of the COTS product.
  • by Anonymous Coward on Wednesday June 03, 2015 @04:23AM (#49828651)

    Sounds legit.

    • by AmiMoJo ( 196126 ) on Wednesday June 03, 2015 @05:56AM (#49828925) Homepage Journal

      They actually admit that it's not really very effective:

      "You wonâ(TM)t stop processes from running in memory, but you will stop processes writing to disk,â

      Rogan admits that in server environments that may not reboot for months, or even years, HGFâ(TM)s write-prohibitions may not be so meaningful, since malign processes can do a lot of damage without writing to disk.

      Even that is misleading, because if say an app has a vulnerability that allows arbitrary code execution in its process then that code will be able to write to all the places the app is allowed to write to. That can easily be enough to run numerous malware tasks, and in fact much malware runs on that basis because it doesn't require further exploits to get out of the app's process.

      • I would imagine that there is a mandatory security policy on those systems, enforced by the kernel, that prevents processes from modifying their code or modifying any other process's code. If not, it sounds like they need another 100kb kernel module to make sure of that. I'm pretty sure SELinux and/or grsecurity can do that. It's usually enforced with certain exceptions for some software programs that need to modify their own code by design. On an embedded, high-risk system, you would just not allow it, per

      • by nmb3000 ( 741169 )

        Even that is misleading, because if say an app has a vulnerability that allows arbitrary code execution in its process then that code will be able to write to all the places the app is allowed to write to.

        And on Windows you don't even need a vulnerability in one of the whitelisted programs. CreateRemoteThread [microsoft.com] will gladly give you an execution context in another process you have access to. From there you can LoadLibrary or CreateFile or whatever other evil things you might want to do.

      • I read the paper from Lockheed Martin, and it's laughable. The Electrical savings they claim makes the assumption that a server is always running malware which is churning up processing time. They don't stop Malware, and don't stop anything in memory.. so they save absolutely nothing and do absolutely nothing.. except of course make bad claims. Even if they could block the writes, which consumes more power.. a process attempting to write repeatedly and being refused, or a process allowed to write when re

      • by Bert64 ( 520050 )

        SELinux already has the ability to prevent processes from writing to arbitrary areas, as do file permissions and acls if used appropriately..
        Then there's always the option to boot from write protected media.

    • This one weird trick protects government systems from malware! How does it work? The developers don't want you to know!

  • by Anonymous Coward

    I can protect any system against all kinds of unknowns (including the ones that are unknown by unknown unknowns) with bash one-liner:
    # dd if=/dev/zero of=/dev/sda bs=512 count=1 && halt

  • by Zombywuf ( 1064778 ) on Wednesday June 03, 2015 @04:32AM (#49828677)

    You can patch the kernel on a running system without writing to disk. Their claims are self contradictory.

  • by Anonymous Coward on Wednesday June 03, 2015 @04:33AM (#49828681)

    It just automatically turns the machine off whenever you power it on! Foolproof!

  • "please don't hack me"?
    • Re: (Score:2, Funny)

      by Anonymous Coward

      But there is RFC for this already: https://www.ietf.org/rfc/rfc3514.txt

  • by Anonymous Coward

    This article has all of the classic snake oil markers.

    I'd need to know a lot more about it before I'd part with even money.

  • Sounds like BS (Score:5, Insightful)

    by gweihir ( 88907 ) on Wednesday June 03, 2015 @04:36AM (#49828691)

    "Magic" technologies like this usually under-deliver, or do not help at all. In particular, a detection rate of 100% is simply impossible, already from purely theoretical observations and even more so in practice.

    • by DeathToBill ( 601486 ) on Wednesday June 03, 2015 @04:48AM (#49828725) Journal

      Come on, of course 100% detection rate is possible! We don't know about any threats it doesn't detect!

      • Alternatively, it has a high rate of false positives. But who cares with collateral damage.

      • by bug1 ( 96678 )

        Come on, of course 100% detection rate is possible! We don't know about any threats it doesn't detect!

        But they also say they protect against the "unknown unknowns".

        Claiming "100% protection against the unknown" really should get this company investigated for fraud.

    • The article doesn't really explain very well how HDF works, it is not a detection based technology. It stops unauthorised PE code from writing to the system's disks thereby making it difficult for malware to establish persistence on the system. It won't protect against malware that only live in memory. I have used this product (years ago, it has been about for a while) - it's a great addition as part of a systems's layered defences, but not necessarily suitable for all environments or cases.
      • by gweihir ( 88907 )

        So basically, it does what a restrictive SELinux config does anyhow? And how does it know hat code is allowed to write to the system disk, when it "does not require configuration"?

        • As far as I remember it comes with a baseline config and if a process is not on it's whitelist it cannot write PE code to the disk. At the time I used it, it was a Windows only product, so I have no knowledge of the OSX or Linux products.
          • by gweihir ( 88907 )

            That would make some sense. A modern Linux distro with integrated SELinux support also comes with configurations for all packages (you can usually still run without SELinux, e.g. when developing software).

            Still, nowhere near as good as claimed if that is what it is and not even a new idea.

  • That is my only question: can I have a flying unicorn? I'm not satisfied with a mere unicorn, or a pegasus. My little girl is turning 2, and it's time she thought about both her data security and her mythical beings. For my baby girl, I won't settle for anything less than the best. Beyond a 100KB 100% effective security module, I want a horse, flying, with one horn, capable of defeating any poison, and only capable of being captured by a virgin.

    And she also wants puppy.
    • The problem with this is your child, who is turning 2 years old, while qualifying to be capable of capturing a flying unicorn, is physically incapable of doing so.

      The flying unicorn, upon delivery to your home, would just fly off, since neither you nor your spouse meet the capture requirements (a) and your child is too young to control such a majestic and powerful animal.

      (a) This is an assumption given you have procreated. You could be a sawfish for all I know, but that would make riding a flying unicorn v

  • by Anonymous Coward

    Well, it's called Tron.
    It's a security program itself, actually.
    It monitors all contacts
    between our system and other systems.
    Finds anything going on that's
    not scheduled, it shuts it down.

  • by DeathToBill ( 601486 ) on Wednesday June 03, 2015 @04:47AM (#49828723) Journal

    I have this explosives detector I'd like to know if you're interested in. It's used by the Iraqi government...

  • 100% effectiveness.

    What they really mean is:

    We have no clue how effective this really is, and are too stupid to realize it.

    This goes for nearly every "100%" claim and most "99.99%" claims.

    • by Mendy ( 468439 )

      Or they didn't realise they were hacked because no log files were being written...

  • AppArmor (Score:5, Interesting)

    by ThePhilips ( 752041 ) on Wednesday June 03, 2015 @05:00AM (#49828765) Homepage Journal

    From description, it sounds like the AppArmor [wikipedia.org].

    • Re:AppArmor (Score:5, Interesting)

      by smpoole7 ( 1467717 ) on Wednesday June 03, 2015 @06:43AM (#49829039) Homepage

      > it sounds like AppArmor

      Or SE Linux, as others have noted.

      It is possible to achieve high levels of security through integrity checking and behavior(al) control. It just costs a bit in performance and memory. And if you write something in very tight C, it's not going to be large.

      I may have mentioned this here before; if so, I apologize. But a million years ago, back when MS DOS 5 came out, a friend and I developed something called the ARF Utilities. (To my endless amusement, you can still find it in a Google.) Our approach was integrity and behavior blocking.

      One reason why DOS was so vulnerable at the time was because Microsoft kept rebuilding and reusing the same code. The entry point to the DOS kernel (the old INT21h interface) didn't change from DOS 5 through 6.22. Our integrity blocker did a simple search to find that in memory, then *patched* DOS to send all calls through the behavior blocker, which was resident in memory. We also hooked and examined a bunch of other stuff inside the kernel (including the INT 21h interface and the SHARE hooks -- the latter was a terrible security vulnerability and only the appearance of Windows 95, and the rapid demise of DOS, kept it from being exploiting widely and wildly.) The blocker was written in assembler and could fit in about 2K of memory, as I recall.

      It also checked itself, and the integrity of an executed program's file, at startup, and each time a program was terminated. By "check," I mean it literally scanned its own code in memory, compared random CRCs taken of different blocks to generated values stored earlier and would instantly warn if DOS, the terminating program or itself had been tampered with. (You don't just do one "checksum" of a fixed length; you do different blocks, chosen at random, generated on the fly at system startup.)

      We couldn't find a virus that could get around it. The worst we ever experienced was a hang that required a hard reboot. But the system wasn't altered. And yet, the Official Anti-Virus Community (which, at the time, was BIG business) rejected our approach, called us interlopers and marginalized us. Everyone back then wanted scanners, scanners, scanners. All of the tests were on scanners.

      In sum: I have no idea if this particular company's code is snake oil or the Real Deal(tm). But don't just dismiss them. If you think outside the box, it is possible to find better ways to do something.

      Just my opinion and worth every penny of what you paid for it. :)

      • Re:AppArmor (Score:5, Interesting)

        by KiloByte ( 825081 ) on Wednesday June 03, 2015 @08:17AM (#49829591)

        Sorry to break it to you, but the only reason no virus got around that is that no one bothered working around a blocker no one uses. In DOS, all it takes to duplicate OS calls is to copy their code, as every process has full access to the hardware and can do everything on its own. And then, any process can write to every location in memory, defeating any anti-virus or precaution imaginable. You would have to reimplement Bochs and interpret every opcode in software, effectively emulating a more secure platform. You can't securely run untrusted code without a MMU of some kind.

        • Re:AppArmor (Score:5, Interesting)

          by smpoole7 ( 1467717 ) on Wednesday June 03, 2015 @11:28AM (#49831329) Homepage

          > the only reason no virus got around that is that no one bothered working around a blocker no one uses

          At the time, we actually had thousands of users of the ARF Antivirus, and we received more than one report that there were indeed efforts to hack it. :)

          What you say is true *technically.* And you should change your username to "Deja Vu," because I (and my friends with similar approaches, like Zvi Netiv with Invircible) had to repeat this over and over. I finally got tired of it, and given that out of those thousands of downloads only ONE person ever bother to register/pay, it wasn't worth it. Fuggedaboutit, just use your virus scanner and we'll still be friends.

          Never forget this: it's theoretically possible to do many things. But it is not always PRACTICAL. In the instant case, using your example, a virus that tried to emulate actual DOS calls, essentially duplicating the code internally, would be very large. Remember, this was back in the day of dial up modems and bulletin boards. And a virus that emulated processor opcodes would be even larger.

          (And *cough* ... we also kept encrypted copies of critical system areas, and compared what we'd stored with what we found -- both on disk AND in memory -- from time to time. That made it much more difficult for the "stealth OS" hack that you describe.) (Heh.)

          But I'm not going to waste time rehashing this argument. What I WILL warn against is what I saw your attitude produce, too many times to count: "since we can't guarantee 100% that a system can't be hacked, why bother?" I'm not saying that's what you believe, but I ran across that attitude too many times to count.

    • by gweihir ( 88907 )

      Indeed. But AppArmor and SELinux need a configuration and the security offered critically depends on the quality of that configuration. At least SELinux is also not so easy to configure.

  • by Mendy ( 468439 ) on Wednesday June 03, 2015 @05:01AM (#49828769)

    I'm unsure what this offers that you can't do with SELinux or similar.

    I also don't see how it can work without white listing of some kind unless they're just blocking access to everything which seems impractical and is something you could do with drive mount options anyway.

  • by johanw ( 1001493 ) on Wednesday June 03, 2015 @05:04AM (#49828785)

    Because /. editors seem to have inconvenient hollidays I'll just spam this topic with the bahaviour of their mother company:

    From http://seclists.org/nmap-dev/2... [seclists.org]:

    From: Fyodor
    Date: Wed, 3 Jun 2015 00:56:23 -0700

    Hi Folks! You may have already read the recent news about Sourceforge.net
    hijacking the GIMP project account to distribute adware/malware.
    Previously GIMP used this Sourceforge account to distribute their Windows
    installer, but they quit after Sourceforge started tricking users with fake
    download buttons which lead to malware rather than GIMP. Then Sourceforge
    took over GIMP's account and began distributing a trojan installer which
    tries to trick users into installing various malware and adware before
    actually installing GIMP. Of course this goes directly against Sourceforge
    CEO Michael Schumacher's promise less than two years ago:

    "we want to reassure you that we will NEVER bundle offers with any project
    without the developers consent"
    --http://sourceforge.net/blog/advertising-bundling-community-and-criticism/

    So much for that promise! Anyway, the bad news is that Sourceforge has
    also hijacked the Nmap account from me. The old Nmap project page is now
    blank:

    http://sourceforge.net/project... [sourceforge.net]

    Meanwhile they have moved all the Nmap content to their new page which only
    they control:

    http://sourceforge.net/project... [sourceforge.net]

    You can see at the top that the owners of the Nmap page are now
    'sf-editor1', and 'sf-editor3'. You can click on those to see other
    projects they have hijacked.

    So far they seem to be providing just the official Nmap files (as long as
    you don't click on the fake download buttons) and we haven't caught them
    trojaning Nmap the way they did with GIMP. But we certainly don't trust
    them one bit! Sourceforge is pulling the same scheme that CNet
    Download.com tried back when they started circling the drain:

    http://insecure.org/news/downl... [insecure.org]

    We will ask Sourceforge to remove the hijacked Nmap page, but more
    importantly we want to reiterate that you should only download Nmap from
    our official SSL Nmap site:

    https://nmap.org/download.html [nmap.org]

    If you don't trust SSL by itself (and we don't blame you), you can also
    check the GPG signatures: https://nmap.org/book/install.... [nmap.org]

    Cheers,
    Fyodor

    PS: Ars Technica has a good article about the Sourceforge/GIMP fiasco:
    http://arstechnica.com/?p=6734... [arstechnica.com]

    PPS: Sourceforge now claims they will stop trojaning software without the
    developer's permission, but they've broken that exact promise before.

  • by Sangui5 ( 12317 ) on Wednesday June 03, 2015 @05:11AM (#49828803)
    Chris Howden and John Plumb are the author and approver (respectively) from Lockheed..... Chris and John are lousy scientists.

    The kindest way I can figure it is that the driver simply disables disk IO... hence there may be a small power savings from the lack of writes. Less kindly, they happened to measure lower power, and are reporting experimental noise as a solid result (see www-plan.cs.colorado.edu/diwan/asplos09.pdf for instance). We have no error bars (or even a # of runs), so it really isn't possible to say, but disabling disk writes could conceivably reduce power draw. The methodology section is sketchy enough to make solid conclusions impossible; the reporting of experimental details is worse.

    Of course, this doesn't (and they admit it) stop me from hacking them in RAM... nor does it stop persistent firmware attacks (e.g. http://www.wired.com/2015/02/n... [wired.com]), nor does it stop me from trapping to ring 0, then trapping to SMM, then just ignoring their F*ING CODE BECAUSE I"'M IN SMM MODE BITCH!!! I GOTZ MY OWNZ ATA CODEZ

    Or something.. I'd recommend just cutting the write-enable line on an old IDE drive, or rebooting periodically and running Tripwire from non-writable media (CD?). It's likely cheaper, and probably just as effective.
  • by Anonymous Coward

    Date check, today is April 1st ?

  • by Lumpy ( 12016 ) on Wednesday June 03, 2015 @05:25AM (#49828829) Homepage

    We used to use unidirectional ethernet cables. Basically the TX wires clipped out on the receiving end to the less secure network. You do need ethernet cards you can set to accept a link without having a full handshake going.

    But it allowed us to set up the SCADA network to take the data stream we needed to get to the collection and reporting pc and UDP broadcast it. then the PC that can only receive set up to listen for and receive it, works great and is 100% hacker proof as hackers have yet to write code that can cause copper to grow back in a CAT-5e cable.

    Now if we could keep the N00b SCADA programmers from bringing in their crap-tastic home laptops for programming changes and becoming the largest infection vector.

  • by Anonymous Coward

    Yeah, this sounds like those magic sticks [wikipedia.org] someone was selling a few years ago.

  • to shutdown -hP now?

  • Anything that claims a 100% success rate is doomed to fail, all you need is a single case to bring it down. Doing such a thing would mean a serious step forward on security. To tell the truth, i'm quite skeptical on this making any difference, at all.
  • This looks like it's more of a play for the embedded systems or IoT space. Look at the examples given, nuclear reactors, IoT, etc. These are specialized systems where it's possible to say "I've monitored the system for x time, and these are the things that should be running. OK, anything new running can't use the disk IO driver to write to the disk".

    There was a similar proposal for a device to work on the engine bus but focused on communications. "We monitor the bus for the first X seconds and classify

  • If I remember correctly, there was a product for Windows NT in the late 90's that seemed very similar to this announcement.

    What the product basically did was wrap all of the system calls and blocked any privileged ones except if you intervened at the console -- and there wasn't any way to spoof the intervention. It was quite effective once you got it set up (obviously it is hard to boot your OS without *some* privileged system calls), and I never did look into it enough to get their definition of "privileg

  • by KitFox ( 712780 ) on Wednesday June 03, 2015 @08:06AM (#49829501)

    "We haven't seen any attacks work therefore it must be 100% effective."

    1: A lack of evidence is not evidence of a lack.

    2: I have this wonderful Ticklebang repelling charm. Nobody wearing it has ever been stolen by Ticklebangs.

    Notably, no explanation of how it determines what I/O is "Authorized" versus "Unauthorized".

  • ...The CEO of Abatis claims, "We can stop zero day malware — the known unknowns and the unknown unknowns."

    Well, with claims like this, all I have to say is good luck offering up a viable defense if shit happens one day to your unbreakable solution.

    After all, shit never just happens, right?

  • They should call this Kernel driver the "ADE 651"
  • This sounds like the good old VMS operating system - though I do not know how many bytes that occupie[sd].

  • oil selfies and can fly.
    Seriously.

    by preventing unauthorized I/O activity

    is the end already.
    Logically speaking, one never knows exactly not about the authorization. Therefore, it can only be a selfie. A flying-oily-selfie.

    Think hard, think fast, and within a fraction of a moment you'll agree with me as security researcher that preventing any invalid I/O is indeed a 100% safe bet. Over.
    Any illegal and unauthorized bank transaction prevented makes banking 100% secure. The crux is the detection of what 'illegal' and 'unauthorized' transactions are.

  • by J-1000 ( 869558 ) on Wednesday June 03, 2015 @09:47AM (#49830339)
    This one weird trick protects Nuclear, ATC, and United Nations Systems from malware attacks!
  • Measuring code size in kilobits seems very unusual to me.
  • "We can stop zero day malware — the known unknowns and the unknown unknowns."

  • ...another person shows up just to show them exactly how wrong they really are to think they have an end-all security system. Making claims like this is pretty much issuing a challenge to people you really don't want looking at your systems.

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.

Working...