[Full-disclosure] Re: [ISN] How To Save The Internet
From: Scott Berinato (sberinato_at_cxo.com)
To: Keith Oxenrider <firstname.lastname@example.org> Date: Tue, 22 Mar 2005 08:58:50 -0500
I argue in a recent column that the real problem is not that they won't pay people to secure their products (though they won't) but that the products can't be secured. As Jason points out, the architecture is set up to execute code; and there are other inherent faults in design. Some kind of major upheaval will probably be needed to fix the problem.
Also, perhaps they'd hire you if you spelled clueless the way they do.
|Keith Oxenrider <email@example.com>
03/21/2005 10:21 PM
I didn't take the time to read every single response to the article (though
did take the time to pen my own), but I read at least half of them and
didn't see a one that seemed to support the article. Several even seemed
to think they were reading a Dilbert comic. The ironic part (and the point
I tried to make in my post) is that the actual readership of CIO are, for
the most part, clewless pointy hairs and probably didn't even finish
reading the article (if they even started it) and certainly would never
take the time to read the responses to it, let alone discuss them with
their technical people. These are the decision makers who pay us to make
the things that are complained about in the article. As long as they
refuse to pay us to write secure products nothing will change.
At 10:24 AM 3/22/2005 +1200, Jason Coombs wrote:
>InfoSec News wrote:
>>Forwarded from: security curmudgeon <firstname.lastname@example.org>
>>... Big load of crap ...
>>: BY SCOTT BERINATO
>>: serial numbers and control their distribution. James Whittaker says :
>>programmable PCs are dangerous, so why not treat them like guns?
>>In 2001, 2002, 2003 and 2004, how many deaths were attributed to computers?
>Programmable PCs *are* dangerous, but only to themselves and other
>programmable PCs that aren't operated by skilled people who know how to
>defend against the execution of unwanted machine code.
>The problem with programmable PCs is that they execute machine code
>without considering whether any of the instructions are desired by the
>owner of the CPU. A no execute (NX) stack and heap  is a step in the
>right direction, but everyone in the computer industry who has given this
>any thought already knows that the core problem with computer security is
>that our CPUs make no effort to restrict the execution of machine code to
>that very small subset of all possible machine code which constitutes the
>code that the owner of the CPU desires it to run.
>Until this security defect is solved, we will still have problems caused
>by rampant technical bugs in our programmable PCs. Insecure software would
>not be a threat except in rare circumstances if there were only a way for
>our CPUs to be configured to execute *only* the insecure software that we
>desire, and block anything else that is added to our boxes by buffers,
>bullies, or buffoons.
>If anyone really cared about solving this core security problem with
>computing today, it would be solved in just a few months. We would then be
>left with all of the wonderful array of security problems that are caused
>by human behavior (theft, misuse, physical intrusion, eavesdropping, scam
>artists, etc) and these are problems we can all live with in relative
>The marketplace is not demanding this solution, and it appears from the
>noise of the media and marketing and PR machines of our revered industry
>leaders that nobody is even trying to build awareness of the problem much
>less devise and deliver solutions.
>Programmable CPUs are not suitable for use in data communications devices
>without hardware defenses that restrict the machine code instruction
>sequences that the CPU will accept. Programmable CPUs are barely suitable
>for anything without this simple security addition.
>We're all so busy pushing bits around urgently we've forgotten to care.
>CIO should be ashamed to be perpetuating the pointless and fraudulent
>business ideas of an industry addicted to extracting profit from victims
>by causing them unnecessary problems and then selling inadequate fixes.
> MSDN Security Developer Center: Execution Protection
> Why Was Intel a No-Show on No Execute?
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/