Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Re: [ISN] How To Save The Internet

from [Scott Berinato] Network Security [Permanent Link]
Subject: [Full-disclosure] Re: [ISN] How To Save The Internet
Date: Tue, 22 Mar 2005 08:50:12 -0500

Jason,

Thanks for the good thoughtful note. I've thought quite a bit about the exact issues you bring up at the end--human behavior being a far more serious problem and the security-infrastructure complex which is profiting off of the industry's own sins of selling inadequate equipment in the first place. You can see much of this coverage in the column Alarmed online.

It's also nice to see someone with programming experience not simply claim that programming is too creative, too complex to secure. This is a myth perpetuated by programmers as an excuse not to do their jobs in a secure way.

Also, you've read the piece (one hopes) and thought seriously about the suggestions and commented on them. For that I'm not ashamed, I'm pleased.

Cheers,
Scott Berinato


Jason Coombs <jasonc@science.org>

03/21/2005 05:24 PM
Please respond to
jasonc@science.org
To
jericho@attrition.org
cc
isn@c4i.org, Scott Berinato/CIO@CIO, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject
Re: [ISN] How To Save The Internet






InfoSec News wrote:
> Forwarded from: security curmudgeon <jericho@attrition.org>
> Cc: sberinato@cio.com
> ... Big load of crap ...
> : http://www.cio.com/archive/031505/security.html
> : BY SCOTT BERINATO
> : serial numbers and control their distribution. James Whittaker says
> : programmable PCs are dangerous, so why not treat them like guns?
jericho@attrition.org wrote:
> In 2001, 2002, 2003 and 2004, how many deaths were attributed to
> computers?
Programmable PCs *are* dangerous, but only to themselves and other
programmable PCs that aren't operated by skilled people who know how to
defend against the execution of unwanted machine code.
The problem with programmable PCs is that they execute machine code
without considering whether any of the instructions are desired by the
owner of the CPU. A no execute (NX) stack and heap [1] is a step in the
right direction, but everyone in the computer industry who has given
this any thought already knows that the core problem with computer
security is that our CPUs make no effort to restrict the execution of
machine code to that very small subset of all possible machine code
which constitutes the code that the owner of the CPU desires it to run.
Until this security defect is solved, we will still have problems caused
by rampant technical bugs in our programmable PCs. Insecure software
would not be a threat except in rare circumstances if there were only a
way for our CPUs to be configured to execute *only* the insecure
software that we desire, and block anything else that is added to our
boxes by buffers, bullies, or buffoons.
If anyone really cared about solving this core security problem with
computing today, it would be solved in just a few months. We would then
be left with all of the wonderful array of security problems that are
caused by human behavior (theft, misuse, physical intrusion,
eavesdropping, scam artists, etc) and these are problems we can all live
with in relative harmony [7].
The marketplace is not demanding this solution, and it appears from the
noise of the media and marketing and PR machines of our revered industry
leaders that nobody is even trying to build awareness of the problem
much less devise and deliver solutions.
Programmable CPUs are not suitable for use in data communications
devices without hardware defenses that restrict the machine code
instruction sequences that the CPU will accept. Programmable CPUs are
barely suitable for anything without this simple security addition.
We're all so busy pushing bits around urgently we've forgotten to care.
CIO should be ashamed to be perpetuating the pointless and fraudulent
business ideas of an industry addicted to extracting profit from victims
by causing them unnecessary problems and then selling inadequate fixes.
Sincerely,
Jason Coombs
jasonc@science.org

[1] MSDN Security Developer Center: Execution Protection
http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx
[7] Why Was Intel a No-Show on No Execute?
http://www.eweek.com/article2/0,1759,1599193,00.asp 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SecurityForest Exploitation Framework Beta has been released!, Alon Swartz
Next by Date:  [Full-disclosure] Re: [ISN] How To Save The Internet, Keith Oxenrider
Previous by Thread:  [Full-disclosure] Re: [ISN] How To Save The Internet, Devdas Bhagat
Next by Thread:  [Full-disclosure] Re: [ISN] How To Save The Internet, Scott Berinato
Indexes:  [Date] [Thread] [Top] [All Lists]