Crackpots in computer security: A complete solution to computer security


Now that computer security grabs headlines, the crackpots are drawn to it. This means that the security folks are inundated with dubious vulnerability reports and revolutionary computer designs.

Today's story falls into the "revolutionary computer designs" category.

I have developed a complete solution to computer security.

Construct one case but with two CPUs inside. Each CPU gets its own hard disk, keyboard port, monitor port, mouse port, etc. You also have a keyboard, mouse, and monitor with two cables, one that goes to the first CPU's I/O ports and another that goes to the second CPU's I/O ports.

You then designate one of the CPUs the "fun" computer and let it connect to the Internet, play games, download software, all that fun reckless stuff. You designate the other CPU as the "safe" computer, which is where you do your personal finance and save your sensitive information.

There you have it. A way people can surf the web without compromising their sensitive data. I'm willing to grant Microsoft a license to use this revolutionary new computer design.

(The actual proposal was much longer and more convoluted.)

Once you untangle the proposal, it just boils down to using a KVM switchbox to switch between two computers. The only "revolutionary" bit is that the two computers happen to share a single case.

Comments (33)
  1. Cody says:

    Wouldn’t virtualization serve the same purpose?

    One virtual computer for por^H^H^Hinternet use and for war^H^H^Hmore internet use?

  2. Dave says:

    I’m guessing that suggestion came from a welder.

  3. Jules says:

    As someone who operates a computer specifically for the purpose of doing "dodgy" stuff on it, I can see the attraction.  I can get away without using any antivirus software on my main system and haven’t thus far had any problems because of it.  You don’t realise how much of a drain antivirus is unless you have a machine without it.

    I don’t suspect this is for everybody, though.

  4. Aaron says:

    So does e-mail count as fun or sensitive?

    What about eBay?

  5. Aaron Fischer says:

    Virtual PC, it’s just that easy.

  6. SK says:

    Given the current situation with patents, the guy might very well be able to have a patent granted for this idea. Especially since the original proposal "was much longer and more convoluted".

  7. I remember proposing that exact solution to the IS director as a way to stop the CEO of the company where I was working getting infected with all sorts of rubbish when he surfed the web and did he download some dodgy stuff….

    I KNEW I should have patented the idea…….!

  8. jeffdav says:

    Of course it’s not a new idea at all.  There are much better ways to implement it (see http://en.wikipedia.org/wiki/Hypervisor).  

    But you have to say this for the proposer, at least it would work–unlike most crackpots who attempt to solve problems in physics and math.

  9. SM says:

    What about the personal finance/sensitive data tasks that also require internet access?  In my case, that’s just about everything.

    [Shhh… you’ll ruin it… -Raymond]

  10. stic says:

    Hi,

    At my workplace there are two separate networks, first is for "office stuff" in which you have limited privileges (read as "lowest user rights"). The other is "lab network" in which we can do almost anything that you could imagine.

    That makes two machines, but is similar to your idea. As far as I know, there are more companies that are working in a similar "style".

    So patent it, when it is not too late !!! ;-)

  11. LongHairSteve says:

    The term ‘crackpots’ implies a very minor percentage of the marketplace.  Raymond, are you sure it is minor and not majority?  Which would result in a missed marketing opportunity!

    Or, a missed educational opportunity.  How wonderful is it for a student to reveal their new exciting thoughts, which drives their desire to learn.  Ten years of real education later the student would realize how ‘crackpot’ their idea was.  But, a good teacher would appreciate this understanding of their student and use the knowledge to help direct the young neophyte into desiring that ten years of education.  And this is what Raymond Chen is very good at doing, THANKS.

  12. Cody says:

    "Ten years of real education later the student would realize how ‘crackpot’ their idea was.  But, a good teacher would appreciate this understanding of their student and use the knowledge to help direct the young neophyte into desiring that ten years of education."

    One of my physics professors said he got into physics to prove there were more than three ways to transmit thermal energy, since it baffled him that there were so few ways to do so.  Then again, physics professors tend to be pretty crazy.

  13. steveg says:

    All well and good until you accidentally use BoringPC instead of FunPC, at which point it’s pointless having two PCs.

    And your licensing costs just increased. You’d need two copies of your OS + possibly office suite. Now if the licensing for a certain popular OS which has just been released allowed 2 or 3 installations at home OR it cost about half as much this proposal might have legs.

    The obvious alternative free OS doesn’t cut it for the sort of user who needs the padded suit we’re talking about, it’s just too complex at the moment.

  14. Good Point says:

    "it just boils down to using a KVM switchbox to switch between two computers"

    You’re being generous in interpreting his ‘design’.  A monitor with two cables?

    I think the guy works on the third floor in my building.  Writing requirements I have to interpret.

  15. Dustin Long says:

    Here’s a better idea: Have one computer do *both* the fun stuff and the sensitive stuff, then have a second cpu run algorithms that watch the first for security breaches, and automatically fix them! Brilliant!

  16. Jane Hollings says:

    Before you laugh at this, there was a recently-published peer-reviewed security conference paper that came up with a variation of this protection idea. All it required was that all future computer designs use 9-bit bytes, with the extra bit being reserved for a "don’t-execute" tag. Apart from the fact that there are so many things wrong with this design that I don’t want to spend the time to type them all in, this idea was already a bit of a non-starter forty years ago when it was first used in computers of the time.

  17. dave says:

    Not that it would stop a patent from being granted, but my employer can claim prior art.

    We sell a system with a hardware component made up of not two, but *four* computers inside a single case, which can be allocated in whatever way we choose.  (In our case one talks to the outside world, one talks to a data-in connection, and the others do only internal work and don’t talk to anything outside the box they’re contained in.)

  18. Mike says:

    While obviously just wicked for general purpose computers, an extension of this crackpot idea is firmly rooted in really critical systems, like nuclear powerplants, train control systems and so on.

    The idea is basically that you write one specification for a system, with explicit "checkpoints". Then you have two (or more!) completely separate teams implement this (for extra points, have them design their own hardware too). These teams must not be in contact. You then run the completed systems in parallel, and if at any point the results differ (in case of floating point there could be some difference allowed) one of the (again, redundant) watchdogs will trigger an emergency shutdown.

    Obviously it won’t happen for general-purpose computers, or any consumer devices at all for that matter. But when really, really high safety is required, this is not uncommon – it’s the only way.

  19. Jayakrishnan K says:

    I guess crackpots are everywhere. My personal encounter with one "revolutionary thinker" happened in 1998 with regard to an "Unbreakable Copy Protection" he had invented.

    Amazingly he even had with him a fax he had sent to Microsoft HQ with the heading "Attn. Mr. BILL GATES" at nothing less than a 24 point font. The fax went on to describe how Microsoft could gain revenue by using his revolutionary uncrackable copy protection.

    After unsuccessfully trying to persuade the "revolutionary thinker" that unbreakable real-world copy protection is not possible, I decided to take a look at his revolutionary idea. His uncrackable protection took less than 30 minutes of my time; after all, how hard can a couple of time-based XOR-encrypted FoxPro source files be :-).

    The "revolutionary thinker" didn’t like it and I didn’t hear from him for a long time. Then 2 years later it was all over the local media. This time the "thinker" had focused on unbreakable copyprotection for CDs (http://www.rediff.com/computer/2000/apr/28sha.htm)

    What’s more, he even had a buyer for his product. I dug in a bit deeper to figure what company would buy such an obviously flawed product.  What I found didn’t amaze me: the purchaser had another software product which, among other things, claimed to double the processing speed, hard drive capacity and increase the video RAM of personal computers and laptops all at the same time (http://www.highbeam.com/doc/1G1-69748870.html)

    At this point I gave up trying to talk sense into people including “media technologists” who seem to be going gaga over something that was obviously fake. I guess you can never talk common sense into people.

    My only regret about the whole episode was that I didn’t take a copy of that fax when I had the chance. I mean that fax was a classic, had to be seen to be believed. I still wonder how many Microsoft customer service people were doubled over laughing on the day they got that fax.

  20. Niall says:

    Was the crackpot that came up with this dual CPU idea Steve Gibson? Maybe he should do it, then he can run some cutesy named security tool that tells you if you’ve turned your firewall on and write about it in REALLY BIG LETTERS.

  21. S says:

    I’m working on designing a special network cable. When bad stuff comes down it, the cable will turn red, or something, so you can quickly unplug it to protect your PC. I’ve got the unplugging bit to work (although unfortunately you lose your network connection when the cable is unplugged – hopefully Vista fixes this), but am still having difficulties with the rest of it.

  22. Jules says:

    S> What you’re looking for is the security flag, also known as the evil bit.  It’s specified in RFC 3514 (available at http://www.faqs.org/rfcs/rfc3514.html ).

  23. James Risto says:

    Security mavens hate this, but I occasionally run a machine without anti-virus or anything else; just patching, latest IE or FF. I check with one-time (i.e. not continuous perf sucking) scanners like MS OneCare and RootKitRevealer. I love the speed and no quirky behaviour. I scan downloads, expand them, scan the install, run the install, then scan the installed place. Until recently, I didn’t view WMV or MOV, just flash. WMV is better now.

    Nothing. No viruses, rootkits, adware … nothing.

  24. Mike says:

    You can view WMV’s, MOV’s and quite a lot of other usually potentially harmful formats using VLC (of Videolan Client fame) without ever having to worry about media downloading rootkits and wreaking havoc on your box.

  25. ChrisR says:

    Mike: So what you are saying is that FFMPEG has NO bugs?  This is news to me.

  26. Sami says:

    Ever heard of the Giwano Safe Computer? Didn’t think so.

    http://web.archive.org/web/20031222135246/giwano.com/computerproducts.htm

  27. Ben Hutchings says:

    Mike: ChrisR is right: http://sam.zoy.org/zzuf/ has files that will crash VLC, ffmpeg, mplayer…  The author has not yet determined whether these indicate potential code injection vulnerabilities.

  28. danb1974 says:

    Actually I saw many years ago a case that accommodated two motherboards (it was a sort of hw-level redundant computer, mb’s interconnected with a scsi bus and dedicated ethernet link), the whole system at a price of a new car.

  29. C Gomez says:

    "As someone who operates a computer specifically for the purpose of doing "dodgy" stuff on it, I can see the attraction.  I can get away without using any antivirus software on my main system and haven’t thus far had any problems because of it.  You don’t realise how much of a drain antivirus is unless you have a machine without it."

    Haven’t used antivirus in ten years.  No problems, no "infections".  It’s far easier to write trojans (email) and web based malware.  I think simply running as a non-admin and having strong passwords you change at reasonable intervals works wonders far greater than any antivirus software can do.

    [As a disclaimer, I do run spyware checks about every six months.  The industry still sees these threats as separate.  I think they’re actually the same.  Still, I only rarely find adware and popupware because, for the most part, it can’t "install itself" when I’m a non-admin.]

  30. Norman Diamond says:

    Friday, February 02, 2007 8:29 AM by danb1974

    the whole system at a price of a new car.

    History lesson 1:  Once upon a time new computers cost more than new cars.

    History lesson 2:  Once upon a time used computers cost more than used bicycles.

    Prediction:  New computers are going to cost less than new bicycles.

    Friday, February 02, 2007 8:39 AM by C Gomez

    Still, I only rarely find adware and popupware because, for the most part, it can’t "install itself" when I’m a non-admin.]

    Don’t worry, that will change under Vista ^_^

  31. r3m0t says:

    Like paravirtualisation (VMWare Server, etc) only easy for judges (who don’t know anything about computer security) to understand!

  32. Dan says:

    Running almost anything with admin/sys(root?) is the usual situation for most guys who have not installed Vista.
