RE: *ICN - A Conspiracy of Inertia?

From: Jason Lewis (jlewis@packetnexus.com)
Date: 03/20/02


From: "Jason Lewis" <jlewis@packetnexus.com>
To: <falcon@cybersecret.com>, <focus-ids@securityfocus.com>
Date: Tue, 19 Mar 2002 18:48:08 -0500

BAH!!! There is a nut on the ISP-Security list that spouts the same
garbage. Then when pressed to explain how his "revolutionary" software
works, he says he can't say anymore or it would give it away.

He claims to have contacted all the big companies and they aren't
interested. I suspect these people have a screw loose and are trying to get
their 15 minutes.

If these claims were true, the people making them would be rich and we
wouldn't have to deal with NIMDA. I'm waiting.....

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.

-----Original Message-----
From: Benjamin Tomhave [mailto:falcon@cybersecret.com]
Sent: Tuesday, March 19, 2002 1:36 AM
To: focus-ids@securityfocus.com
Subject: FW: *ICN - A Conspiracy of Inertia?

Has anybody else heard about this? It seems to uphold a principle that I've
tried to consistently apply throughout my security career -- working with
known quantities whenever possible and configuring systems to only accept
those known quantities. Even if the software is fictitious, it represents
the possibility for a paradigm shift from the perspective of IDS, among
other things. Thoughts?

----- Original Message -----
Sent: Monday, March 18, 2002 12:17 PM
Subject: FW: *ICN - A Conspiracy of Inertia?

> This guy simply has no idea how big and stupid the world is.
>
> -----Original Message-----
> From: internetcrimenews [mailto:internetcrimenews@infowar.com]
> Sent: Monday, March 18, 2002 9:47 AM
> To: icnlist@infowar.com
> Subject: *ICN - A Conspiracy of Inertia?
>
>
>
>
> By Sarah Scalet
> An academic-turned-entrepreneur says he's found the key to security
> problems - and the security community doesn't want it.
>
> I'm deeply suspicious of anyone who claims to have created a new paradigm in
> security. In fact, I usually hit the delete button faster than you can say
> "snake oil." But this week, allow me to entertain one such vendor claim that
> relates to how the entire security community approaches insecurity.
> It involves a man named John Munson, who has spent the last 30 years
> thinking about software reliability - and we're talking about serious
> software like the stuff that powers the Space Shuttle and the Cassini
> spacecraft that's currently hurtling toward Saturn. Dr. Munson, a University
> of Idaho professor and NASA contractor turned entrepreneur, is not a man you
> want to find out is a kook. Yet he's skittering on the edge of a conspiracy
> theory that, if it turns out to be true, could turn the security community
> on its head and empty out its pockets.
>
> His premise? That the security community doesn't want to solve security
> problems once and for all, because the whole business relies on the very
> existence of computer crime and malicious code.
>
> The technical details of the research that led Munson to this conclusion are
> far beyond the scope of this column, but here's the 250-word version.
>
> Munson's life work involves researching and monitoring how software
> responds, and sometimes breaks, because of what a user does to the software.
> Software doesn't wear out like hardware; it crashes because of user input.
> Astronauts can only hit so many buttons in the Space Shuttle, and Munson
> used to make sure that none of those combinations would cause the systems to
> break.
>
> Then, about three years ago, he decided that this research could be applied
> to computer security. By monitoring the kernel of an operating system, he
> set out to find nuances of behavior change when a system was under attack
> from a hacker or computer virus. "It turns out there were no such nuances,"
> explains Munson, at work at Software Systems International, the second
> obscure company (the first one went bankrupt) attempting to profit from
> these principles. "Assaults were astonishingly obvious. In fact, we have yet
> to observe a malicious activity that is not wearing a Day-Glo orange shirt."
>
> If an attack on a computer system were so easy to identify, he asked
> himself, then why not build in controls that identify and allow normal
> behavior and stop abnormal behavior? There'd be no need for patches to fix
> specific vulnerabilities, and no need for antivirus software to fight
> malicious code.
>
> Munson says he has a few Linux servers up and running that are protected by
> an early version of these operating system controls, which are calibrated
> based on how the server normally operates. He says the controls could
> eventually be built into a computer's hardware.
>
> Needless to say, his work has been met with considerable skepticism.
>
> "The reaction is, we don't believe you," Munson says. "But this is not an
> act of faith. All the research I have done is reproducible to scientific
> standards."
>
> Munson suspects more than skepticism. "They (security vendors) thrive on
> your misery. It's a conspiracy of inertia. I don't think there's collusion.
> I don't think McAfee is sitting there kicking viruses out the back door. I
> do believe that they're making money at it and would like to keep making
> money at it. But they're working on the wrong problem."
>
> Whether Munson (or anyone) can actually deliver a product that avoids
> security problems altogether - and whether hackers and coders couldn't then
> launch attacks designed to look "normal" - I cannot say. But his logic is
> tempting. The way things are done today is terribly inefficient and
> ineffective, and a lot of people are profiting from it.
>
> Suppose, just for a moment, that there is a solution to the security woes
> plaguing corporate America - the endless cycle of installing patches against
> new vulnerabilities, of stopping viruses and security breaches, of fixing
> damage done. I'm not talking about a magical elixir but a so-called
> disruptive technology that comes from an outsider whose ideas could make
> columns like this obsolete. CIOs would be ready to hear it. But what about
> the rest of us?
>
> What do you think? E-mail Sarah D. Scalet, security editor and senior
> writer, at sscalet@cio.com.
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Cybercrime Reports: http://www.infowar.com/ccr/ccr1.shtml
> CCR@infowar.com
> Internet Crime Watch: http://www.infowar.com/iwatch/iwatch.shtml
> ICN@infowar.com
>
> Internet Crime News (ICN) is brought to you by Infowar.Com Ltd.
> Please feel free to pass this on as long as all information and header
> remains intact.
> Please forward your comments or posts to ICN@infowar.com.
> Subscribe and Remove instructions appear at the end of this email.
>
> Infowar.Com Ltd. 3030 N. Rocky Point Drive West. Suite 275. Tampa, FL 33607
> 813-288-1955 Voice 813-288-1985 FAX
> Need Further Info? Write betty@infowar.com
> Visit the Security Store @ Infowar.com
> http://estore.infowar.com
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ----------------------------------------------
> To unsubscribe send an email to icnlist@infowar.com
> with unsubscribe as the first line of the message in PLAIN TEXT.
>
> To receive a digest of 15 messages per email
> send an email to icnlist@infowar.com with
> mode_digest as the first line of the message.
> Note that control messages must be sent as PLAIN TEXT.

