Law No. 2
Law No. 2 states that If a bad guy can alter the operating system on your computer, it's not your computer anymore. In a way, this is a corollary of law No. 1 because the attacker would probably have to run his own code in order to alter the operating system on your computer, but Johansson points out that the operating system, as a practical matter, is a huge and complicated beast, incorporating not only program files but settings, for instance in the registry or ACLs in the file system. He also points out that there are files, such as edlin.exe, which are part of the operating system but which could be modified with no meaningful consequence to the system. But if an attacker can alter edlin, they can probably also alter more important files. If they can alter edlin then some important defense of the system has broken down, and the system as a whole probably has to be considered untrustworthy.Full-disk encryption, an increasingly popular technology in enterprises, makes this much harder. It's possible to configure such systems so that the system credentials, and therefore the encryption keys, can be obtained, but it's also possible to defeat these attacks through the use of 2-factor authentication. Bottom line: Law No. 3 has some clear exception cases, but for the large majority of us it still holds. And the exceptions are not just new technology, but inconvenient, so they are unlikely to be widely adopted any time soon. There is a history of critics pointing to all of these laws, especially No. 3, as excuses by Microsoft for not fixing their own problems, but this is shallow thinking. It's easy to demonstrate that they all apply to other platforms as well. Consider No. 2, about modifying the operating system: rootkits, the ultimate form of this compromise, originated on UNIX many years before they were on Windows. Perhaps Law No. 11 is that a security problem doesn't become important until it affects Windows. We'll see how things work out for laws 4 through 10 as Johansson sees it, but I see a pattern. The improvements in security in recent years are designed to help you avoid the situations embodied in the laws, not to break the laws. There has been some improvement around the margins, but basically the rules are standing. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.
Law No. 3 is one I've written about many times: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. This is the 1 of the 3 for which things may have changed the most. In 2000 it was absolutely true. Culp makes passing reference to the then-new EFS (Encrypting File System) in Windows 2000, but it had very little real-world footprint at the time. Also, since it's not a full-disk encryption system, there were limits to the protection it could provide. As Johansson points out, there are plenty of tools available, in the form of boot disks, to reset the administrator password in the local SAM (software asset management) hive.