RE: *ICN - A Conspiracy of Inertia?
From: Marcus J. Ranum (mjr@nfr.com)
Date: 03/20/02
Date: Tue, 19 Mar 2002 18:20:46 -0500
To: robert_david_graham <robert_david_graham@yahoo.com>, falcon@cybersecret.com, focus-ids@securityfocus.com
From: "Marcus J. Ranum" <mjr@nfr.com>
robert_david_graham wrote:
>You could solve more than 50% of UNIX exploits if you simply hooked
>exec("/bin/sh") in the kernel. Likewise, detecting changes to
>/etc/inetd.conf would solve another large percentage of UNIX exploits.
Come on Robert, you KNOW it's not that simple...
You'd need to hook /bin/sh /bin/ksh /bin/csh, and then...
You could temporarily fix more than 50% of UNIX exploits
for SEVERAL WEEKS. After that, the bad guys would learn that
they could use Perl instead of /bin/sh - or awk, or troff, or
any of a jillion commands that can do exactly the same thing
as the shell... That's without thinking about the C compiler...
And then you have to worry about combinations of things. What
if the Bad Guy calls the shell through a pipe process from
a troff command - suddenly any program that calls popen is
a potential parent process. The whole system fails very
quickly.
>RedHat could easily ship a version of Linux such that /bin/sh checks to see
>if <stdin>/<stdout> are socket handles, but if they did that, then exploit
>writers would simply choose another technique.
_Exactly_
It'll be interesting to see if we ever hear what Munson's
solution to security is. Lots of problems are easy to solve
right _now_ (simple fix for IIS holes: upgrade!) but they
aren't a solution that lasts for more than minor contact
with the enemy...
I also found the article insulting (and told the journalist so!)
in that it conveys the notion that the security product builders
are actually trying to suppress Munson's "solution" out of
economic fear. It shows a profound lack of understanding of the
economics of the high tech sector. If Munson's stuff was real
enough he wouldn't need to get it past the security practitioners
of the world - there's a big customer in Redmond who'd make him
rich even if every security expert in the world lined up against
him. Unless, of course, his stuff is B.S...
I was amazed that someone would actually print an accusation like
that without anything to back it up. :( It's like implying that
cops would try to drag their feet on preventing crimes for fear
of losing their jobs. As if!
Personally, if the security market evaporated tomorrow, I'd be
quite content to go back to system administration or something
fun and easy like writing games or browsers. :) It'd be nice to
be able to code without having to worry about security anymore,
huh?
mjr.
---
Marcus J. Ranum
Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Personal: http://www.ranum.com
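The exchange above turns on one concrete heuristic (a shell that refuses to start when stdin or stdout is a socket) and one concrete bypass (put any pipe-speaking intermediary, such as popen(), in front of the shell). The following C program is an added illustration, not code from Ranum, Graham or any vendor: it simulates the hypothetical socket-checking shell with a fstat()/S_ISSOCK test before exec, runs it once with a socketpair dup2()'d onto fds 0/1 (the classic bind/reverse-shell layout) and once behind a pair of pipes with a relay, and reports what reaches the attacker's end of the socket in each case. It assumes a POSIX system with /bin/sh; the function names and the "refused"/"shell-ran" markers are invented for the demonstration.

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Return 1 if fd refers to a socket, 0 if not, -1 on error. */
int fd_is_socket(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    return S_ISSOCK(st.st_mode) ? 1 : 0;
}

/* The hypothetical "hardened shell" check from the thread:
 * refuse to start when stdin or stdout is a socket. 1 = refuse, 0 = allow. */
int shell_refuses_stdio(int in_fd, int out_fd)
{
    return fd_is_socket(in_fd) == 1 || fd_is_socket(out_fd) == 1;
}

/* Spawn /bin/sh with in_fd/out_fd as its stdin/stdout, with the check in
 * front of exec. Writes "refused" or the shell's own output to fd 1.
 * Returns the child's exit status, or -1 on failure. */
static int spawn_checked_shell(int in_fd, int out_fd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (dup2(in_fd, 0) < 0 || dup2(out_fd, 1) < 0)
            _exit(127);
        if (shell_refuses_stdio(0, 1)) {
            if (write(1, "refused\n", 8) < 0)
                _exit(2);
            _exit(1);
        }
        execl("/bin/sh", "sh", "-c", "echo shell-ran", (char *)NULL);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Read one line from fd into buf (NUL-terminated, newline stripped). */
static void read_line(int fd, char *buf, size_t len)
{
    ssize_t n = read(fd, buf, len - 1);
    if (n < 0)
        n = 0;
    buf[n] = '\0';
    char *nl = strchr(buf, '\n');
    if (nl)
        *nl = '\0';
}

/* Case 1: the exploit dup2()s a connected socket onto fds 0 and 1 and execs
 * the shell directly. The socket check fires; the attacker reads "refused". */
int direct_socket_shell(char *out, size_t len)
{
    int sv[2];                       /* sv[0]: attacker end, sv[1]: victim end */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int rc = spawn_checked_shell(sv[1], sv[1]);
    read_line(sv[0], out, len);      /* what the attacker sees */
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* Case 2: the bypass Ranum describes. An intermediary (popen(), a perl
 * system(), an awk "| cmd") talks to the shell over pipes and relays bytes
 * to the socket. The shell's fds 0/1 are pipes, so the check sees nothing. */
int piped_socket_shell(char *out, size_t len)
{
    int sv[2], to_shell[2], from_shell[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (pipe(to_shell) < 0 || pipe(from_shell) < 0)
        return -1;
    int rc = spawn_checked_shell(to_shell[0], from_shell[1]);
    close(from_shell[1]);
    char relay[128];                 /* the intermediary's relay step */
    read_line(from_shell[0], relay, sizeof relay);
    if (write(sv[1], relay, strlen(relay)) < 0 || write(sv[1], "\n", 1) < 0)
        return -1;
    read_line(sv[0], out, len);      /* what the attacker sees */
    close(sv[0]); close(sv[1]);
    close(to_shell[0]); close(to_shell[1]); close(from_shell[0]);
    return rc;
}

int main(void)
{
    char buf[128];
    int rc = direct_socket_shell(buf, sizeof buf);
    printf("socket on fds 0/1: exit=%d, attacker sees \"%s\"\n", rc, buf);
    rc = piped_socket_shell(buf, sizeof buf);
    printf("pipe in front    : exit=%d, attacker sees \"%s\"\n", rc, buf);
    return 0;
}
```

The first run refuses, the second runs the shell and hands its output back over the same socket; the only difference is one pipe in the path, which is exactly the "combinations of things" problem the message raises: once any popen()-style parent is acceptable, the check has to reason about the whole process tree, not one exec().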