[Full-disclosure] Re: [ISN] How To Save The Internet

• Previous message: Lionel Zhou: "[Full-disclosure] On Demand Staffing for Information Technology Projects"
• In reply to: Jason Coombs: "[Full-disclosure] Re: [ISN] How To Save The Internet"
• Next in thread: Devdas Bhagat: "[Full-disclosure] Re: [ISN] How To Save The Internet"
• Reply: Devdas Bhagat: "[Full-disclosure] Re: [ISN] How To Save The Internet"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 23 Mar 2005 13:51:12 -0600
To: jasonc@science.org

The truth is most people are not "skilled" enough to operate their PC's at a level that
isn't "dangerous" to the rest of the network/internet. Nor should they have to be. With
better operating system and software design we can mitigate those risks, but never
eliminate them. There is no one simple solution to a security problem - it always a
process. The problem often lies that the default configuration for software and OS's are
inherently insecure, allowing problems to propagate. No normal computer user should be
expected to become a system administrator for their computer. Design is what has let us
down - the fact I have be active to protect my computer is the problem.

Ben

Jason Coombs wrote:
> InfoSec News wrote:
>
>> Forwarded from: security curmudgeon <jericho@attrition.org>
>> Cc: sberinato@cio.com
>> ... Big load of crap ...
>> : http://www.cio.com/archive/031505/security.html
>> : BY SCOTT BERINATO
>> : serial numbers and control their distribution. James Whittaker says
>> : programmable PCs are dangerous, so why not treat them like guns?
>
>
> jericho@attrition.org wrote:
>
>> In 2001, 2002, 2003 and 2004, how many deaths were attributed to
>> computers?
>
>
> Programmable PCs *are* dangerous, but only to themselves and other
> programmable PCs that aren't operated by skilled people who know how to
> defend against the execution of unwanted machine code.
>
> The problem with programmable PCs is that they execute machine code
> without considering whether any of the instructions are desired by the
> owner of the CPU. A no execute (NX) stack and heap [1] is a step in the
> right direction, but everyone in the computer industry who has given
> this any thought already knows that the core problem with computer
> security is that our CPUs make no effort to restrict the execution of
> machine code to that very small subset of all possible machine code
> which constitutes the code that the owner of the CPU desires it to run.
>
> Until this security defect is solved, we will still have problems caused
> by rampant technical bugs in our programmable PCs. Insecure software
> would not be a threat except in rare circumstances if there were only a
> way for our CPUs to be configured to execute *only* the insecure
> software that we desire, and block anything else that is added to our
> boxes by buffers, bullies, or buffoons.
>
> If anyone really cared about solving this core security problem with
> computing today, it would be solved in just a few months. We would then
> be left with all of the wonderful array of security problems that are
> caused by human behavior (theft, misuse, physical intrusion,
> eavesdropping, scam artists, etc) and these are problems we can all live
> with in relative harmony [7].
>
> The marketplace is not demanding this solution, and it appears from the
> noise of the media and marketing and PR machines of our revered industry
> leaders that nobody is even trying to build awareness of the problem
> much less devise and deliver solutions.
>
> Programmable CPUs are not suitable for use in data communications
> devices without hardware defenses that restrict the machine code
> instruction sequences that the CPU will accept. Programmable CPUs are
> barely suitable for anything without this simple security addition.
>
> We're all so busy pushing bits around urgently we've forgotten to care.
>
> CIO should be ashamed to be perpetuating the pointless and fraudulent
> business ideas of an industry addicted to extracting profit from victims
> by causing them unnecessary problems and then selling inadequate fixes.
>
> Sincerely,
>
> Jason Coombs
> jasonc@science.org
>
>
> [1] MSDN Security Developer Center: Execution Protection
> http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx
>
>
> [7] Why Was Intel a No-Show on No Execute?
> http://www.eweek.com/article2/0,1759,1599193,00.asp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

• Previous message: Lionel Zhou: "[Full-disclosure] On Demand Staffing for Information Technology Projects"
• In reply to: Jason Coombs: "[Full-disclosure] Re: [ISN] How To Save The Internet"
• Next in thread: Devdas Bhagat: "[Full-disclosure] Re: [ISN] How To Save The Internet"
• Reply: Devdas Bhagat: "[Full-disclosure] Re: [ISN] How To Save The Internet"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]