FW: *ICN - A Conspiracy of Inertia?
From: Benjamin Tomhave (falcon@cybersecret.com)
Date: 03/19/02
- Previous message: robert_david_graham: "RE: Possibility to cheat integrity checking?"
- Next in thread: Michal Zalewski: "Re: FW: *ICN - A Conspiracy of Inertia?"
- Reply: Michal Zalewski: "Re: FW: *ICN - A Conspiracy of Inertia?"
- Reply: o00o_j: "Re: FW: *ICN - A Conspiracy of Inertia?"
- Reply: robert_david_graham: "RE: *ICN - A Conspiracy of Inertia?"
- Reply: Jason Lewis: "RE: *ICN - A Conspiracy of Inertia?"
- Reply: Marcus J. Ranum: "Re: FW: *ICN - A Conspiracy of Inertia?"
From: "Benjamin Tomhave" <falcon@cybersecret.com>
To: <focus-ids@securityfocus.com>
Date: Mon, 18 Mar 2002 23:36:26 -0700
Has anybody else heard about this? It seems to uphold a principle that I've
tried to consistently apply throughout my security career -- working with
known quantities whenever possible and configuring systems to only accept
those known quantities. Even if the software is fictitious, it represents
the possibility for a paradigm shift from the perspective of IDS, among
other things. Thoughts?
----- Original Message -----
Sent: Monday, March 18, 2002 12:17 PM
Subject: FW: *ICN - A Conspiracy of Inertia?
> This guy simply has no idea how big and stupid the world is.
>
> -----Original Message-----
> From: internetcrimenews [mailto:internetcrimenews@infowar.com]
> Sent: Monday, March 18, 2002 9:47 AM
> To: icnlist@infowar.com
> Subject: *ICN - A Conspiracy of Inertia?
>
>
>
>
> By Sarah Scalet
> An academic-turned-entrepreneur says he's found the key to security
> problems - and the security community doesn't want it.
>
> I'm deeply suspicious of anyone who claims to have created a new paradigm in
> security. In fact, I usually hit the delete button faster than you can say
> "snake oil." But this week, allow me to entertain one such vendor claim that
> relates to how the entire security community approaches insecurity.
> It involves a man named John Munson, who has spent the last 30 years
> thinking about software reliability - and we're talking about serious
> software like the stuff that powers the Space Shuttle and the Cassini
> spacecraft that's currently hurtling toward Saturn. Dr. Munson, a University
> of Idaho professor and NASA contractor turned entrepreneur, is not a man you
> want to find out is a kook. Yet he's skittering on the edge of a conspiracy
> theory that, if it turns out to be true, could turn the security community
> on its head and empty out its pockets.
>
> His premise? That the security community doesn't want to solve security
> problems once and for all, because the whole business relies on the very
> existence of computer crime and malicious code.
>
> The technical details of the research that led Munson to this conclusion are
> far beyond the scope of this column, but here's the 250-word version.
>
> Munson's life work involves researching and monitoring how software
> responds, and sometimes breaks, because of what a user does to the software.
> Software doesn't wear out like hardware; it crashes because of user input.
> Astronauts can only hit so many buttons in the Space Shuttle, and Munson
> used to make sure that none of those combinations would cause the systems to
> break.
>
> Then, about three years ago, he decided that this research could be applied
> to computer security. By monitoring the kernel of an operating system, he
> set out to find nuances of behavior change when a system was under attack
> from a hacker or computer virus. "It turns out there were no such nuances,"
> explains Munson, at work at Software Systems International, the second
> obscure company (the first one went bankrupt) attempting to profit from
> these principles. "Assaults were astonishingly obvious. In fact, we have yet
> to observe a malicious activity that is not wearing a Day-Glo orange shirt."
>
> If an attack on a computer system were so easy to identify, he asked
> himself, then why not build in controls that identify and allow normal
> behavior and stop abnormal behavior? There'd be no need for patches to fix
> specific vulnerabilities, and no need for antivirus software to fight
> malicious code.
>
> Munson says he has a few Linux servers up and running that are protected by
> an early version of these operating system controls, which are calibrated
> based on how the server normally operates. He says the controls could
> eventually be built into a computer's hardware.
>
> Needless to say, his work has been met with considerable skepticism.
>
> "The reaction is, we don't believe you," Munson says. "But this is not an
> act of faith. All the research I have done is reproducible to scientific
> standards."
>
> Munson suspects more than skepticism. "They (security vendors) thrive on
> your misery. It's a conspiracy of inertia. I don't think there's collusion.
> I don't think McAfee is sitting there kicking viruses out the back door. I
> do believe that they're making money at it and would like to keep making
> money at it. But they're working on the wrong problem."
>
> Whether Munson (or anyone) can actually deliver a product that avoids
> security problems altogether - and whether hackers and coders couldn't then
> launch attacks designed to look "normal" - I cannot say. But his logic is
> tempting. The way things are done today is terribly inefficient and
> ineffective, and a lot of people are profiting from it.
>
> Suppose, just for a moment, that there is a solution to the security woes
> plaguing corporate America - the endless cycle of installing patches against
> new vulnerabilities, of stopping viruses and security breaches, of fixing
> damage done. I'm not talking about a magical elixir but a so-called
> disruptive technology that comes from an outsider whose ideas could make
> columns like this obsolete. CIOs would be ready to hear it. But what about
> the rest of us?
>
> What do you think? E-mail Sarah D. Scalet, security editor and senior
> writer, at sscalet@cio.com.