Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Re: [ISN] How To Save The Internet

from [Scott Berinato] Network Security [Permanent Link]
Subject: [Full-disclosure] Re: [ISN] How To Save The Internet
Date: Tue, 22 Mar 2005 08:54:18 -0500

This is the third time I've received this, but I forgot to mention that the question at the top is not rhetorical. In fact, I know of hundreds of deaths attributed to computers in 2003 alone. Many involved dosage delivery software. Others involved helicopters. Planes. Deaths by buggy software are a common occurence.

Death by PC? Perhaps not as many but if that's such a narrow subset of computers our audience would laugh at us if that's all we looked at. If that's how you look at the world of computers, ours is not the magazine for you. The PC-centered view t's too narrow to even consider seriously. We have far wider-ranging ideas.

sb




"Jason Coombs" <jasonc@science.org>

03/21/2005 07:00 PM
Please respond to
jasonc@science.org
To
<kenneth>
cc
isn@c4i.org, Scott Berinato/CIO@CIO, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject
Re: [ISN] How To Save The Internet






InfoSec News wrote:
> Forwarded from: security curmudgeon <jericho@attrition.org>
> Cc: sberinato@cio.com
> ... Big load of crap ...
> : http://www.cio.com/archive/031505/security.html
> : BY SCOTT BERINATO
> : serial numbers and control their distribution. James Whittaker says
> : programmable PCs are dangerous, so why not treat them like guns?
jericho@attrition.org wrote:
> In 2001, 2002, 2003 and 2004, how many deaths were attributed to
> computers?
Programmable PCs *are* dangerous, but only to themselves and other
programmable PCs that aren't operated by skilled people who know how to
defend against the execution of unwanted machine code.
The problem with programmable PCs is that they execute machine code
without considering whether any of the instructions are desired by the
owner of the CPU. A no execute (NX) stack and heap [1] is a step in the
right direction, but everyone in the computer industry who has given
this any thought already knows that the core problem with computer
security is that our CPUs make no effort to restrict the execution of
machine code to that very small subset of all possible machine code
which constitutes the code that the owner of the CPU desires it to run.
Until this security defect is solved, we will still have problems caused
by rampant technical bugs in our programmable PCs. Insecure software
would not be a threat except in rare circumstances if there were only a
way for our CPUs to be configured to execute *only* the insecure
software that we desire, and block anything else that is added to our
boxes by buffers, bullies, or buffoons.
If anyone really cared about solving this core security problem with
computing today, it would be solved in just a few months. We would then
be left with all of the wonderful array of security problems that are
caused by human behavior (theft, misuse, physical intrusion,
eavesdropping, scam artists, etc) and these are problems we can all live
with in relative harmony [7].
The marketplace is not demanding this solution, and it appears from the
noise of the media and marketing and PR machines of our revered industry
leaders that nobody is even trying to build awareness of the problem
much less devise and deliver solutions.
Programmable CPUs are not suitable for use in data communications
devices without hardware defenses that restrict the machine code
instruction sequences that the CPU will accept. Programmable CPUs are
barely suitable for anything without this simple security addition.
We're all so busy pushing bits around urgently we've forgotten to care.
CIO should be ashamed to be perpetuating the pointless and fraudulent
business ideas of an industry addicted to extracting profit from victims
by causing them unnecessary problems and then selling inadequate fixes.
Sincerely,
Jason Coombs
jasonc@science.org

[1] MSDN Security Developer Center: Execution Protection
http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx
[7] Why Was Intel a No-Show on No Execute?
http://www.eweek.com/article2/0,1759,1599193,00.asp
 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] Re: [ISN] How To Save The Internet, Keith Oxenrider
Next by Date:  [Full-disclosure] Re: [ISN] How To Save The Internet, Scott Berinato
Previous by Thread:  [Full-disclosure] Re: [ISN] How To Save The Internet, Scott Berinato
Next by Thread:  [Full-disclosure] Re: [ISN] How To Save The Internet, Scott Berinato
Indexes:  [Date] [Thread] [Top] [All Lists]