Docker.com useful or not with VFP?
Message
From
11/06/2015 20:40:18
 
 
To
11/06/2015 16:01:08
General information
Forum:
Visual FoxPro
Category:
Other
Environment versions
Visual FoxPro:
VFP 9 SP2
OS:
Windows 8.1
Network:
Windows NT
Database:
Visual FoxPro
Application:
Desktop
Miscellaneous
Thread ID:
01619801
Message ID:
01620935
Views:
57
>>Mostly agree. The ways Android is following the bad windows example when trying to secure the user from unwanted write operation is not a good sign, but I prefer to delegate security to permissions and roles in the OS: it feels like capitulation to have to argue for browser based apps for security reasons. Especially if the one capitulated to has also security weaknesses ;-)
>
>I find myself increasingly alarmed at the capabilities of so-called APTs (Advanced Persistent Threats). A few current examples:
>
>Equation Group malware capable of reprogramming the firmware of hard drives and SSDs:
>http://www.theregister.co.uk/2015/06/09/nsa_firmware_sighted_ctb_ransomware/

Yupp. Starting with viruses not in the "disc area" but in firmware/controller, that stuff makes me uneasy as well. But as long as your tablet is not connected ;-)

>
>Duqu2 (non-persistent!) infecting Kaspersky (!!) for some time:
>http://www.kaspersky.com/about/news/virus/2015/Duqu-is-back

Read about that one today. Hats off to them for being open about them, if they really found it only recently.

>
>German Parliament may have to replace all its computers and software:
>http://www.itworld.com/article/2934135/security/german-parliament-may-need-to-replace-all-software-and-hardware-after-hack.html

Too much news and not enough tech info on that one for my taste. Probably too big to be ONLY some diversion of Snowden topics, but why not hitch a ride if one comes along?

...
>At the same time, intelligence agencies in supposedly freedom-loving countries are trying their darndest to get crypto legislatively backdoored or weakened to uselessness:
>http://www.theregister.co.uk/2015/06/02/itsavvy_congressmen_to_feds_can_your_cryptobackdoor_campaign/

I think I already posted that IMO crypto backdoors established by law would lead to all electronic stuff concerning money transactions being unsafe.
...
>How will this affect development e.g. app vs. web-based? On first thought I'd tend to think a monolithic app would have less attack surface than loosely-coupled modules that depend on IPC or network communications.

Loosely coupled scripts loaded from different URLs might look very convenient for MIM attacks, esp. if one component bundle could be subverted for certain addresses found on a gov bad guy list. But what are your monolithic apps today? The 2 biggest ecosystems to create desktop-like software are DotNet and Java, which both are easily resharpened or whatever name the tool uses. Securing the whole app with CRC32, SHA fingerprints and so on is doubtful, as even the source for delivering the checksums could be subverted via MIM attack to give out a false OK stamp to the subverted module if security of the HTTPS is not given. And at least in NW.js the application can be "built" into a single file (a simple zip with the directories for code), so differences are not as marked if you want to.

So yes, first thought is probably correct, but to a determined attacker the difference is not an order of magnitude, more like a small degree IMO.

regards

thomas
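
The checksum point in the post above, as an added example that is not part of the original post: a digest delivered over the same channel as the module verifies whatever that channel delivers, while a digest fixed inside the application at build time does not. The file paths, function names and sample module are constructed for illustration, and the channel is modelled as a plain dictionary.

```python
import hashlib
import hmac

# Constructed sample data: a release module and the digest its publisher computed.
GOOD_MODULE = b"function pay(amount) { return ledger.debit(amount); }\n"
# Assumption: this value is embedded in the application at build time, never fetched.
PINNED_SHA256 = hashlib.sha256(GOOD_MODULE).hexdigest()


def origin_server():
    """What the honest server serves: the module and a checksum file beside it."""
    return {
        "app/module.js": GOOD_MODULE,
        "app/module.js.sha256": hashlib.sha256(GOOD_MODULE).hexdigest().encode(),
    }


def subverted_channel(files):
    """Model of the post's scenario: the party controlling the channel alters the
    module and also replaces the checksum file delivered over that same channel."""
    altered = dict(files)
    altered["app/module.js"] = files["app/module.js"] + b"/* altered in transit */\n"
    altered["app/module.js.sha256"] = (
        hashlib.sha256(altered["app/module.js"]).hexdigest().encode()
    )
    return altered


def verify_with_fetched_digest(files):
    """Weak check: the expected digest arrives through the same channel as the module."""
    expected = files["app/module.js.sha256"].decode()
    actual = hashlib.sha256(files["app/module.js"]).hexdigest()
    return hmac.compare_digest(actual, expected)


def verify_with_pinned_digest(files, pinned=PINNED_SHA256):
    """Stronger check: the expected digest is a trust anchor the channel cannot touch."""
    actual = hashlib.sha256(files["app/module.js"]).hexdigest()
    return hmac.compare_digest(actual, pinned)


if __name__ == "__main__":
    honest = origin_server()
    for name, files in (("honest", honest), ("subverted", subverted_channel(honest))):
        print(name,
              "fetched-digest check:", verify_with_fetched_digest(files),
              "pinned-digest check:", verify_with_pinned_digest(files))
```

The same reasoning applies to a signature check: the verification key has to reach the client by a path other than the one being verified.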