The truth is most people are not "skilled" enough to operate their PC's at a level that
isn't "dangerous" to the rest of the network/internet. Nor should they have to be. With
better operating system and software design we can mitigate those risks, but never
eliminate them. There is no one simple solution to a security problem - it always a
process. The problem often lies that the default configuration for software and OS's are
inherently insecure, allowing problems to propagate. No normal computer user should be
expected to become a system administrator for their computer. Design is what has let us
down - the fact I have be active to protect my computer is the problem.
Ben
Jason Coombs wrote:
InfoSec News wrote:
Forwarded from: security curmudgeon <jericho@attrition.org>
Cc: sberinato@cio.com
... Big load of crap ...
: http://www.cio.com/archive/031505/security.html
: BY SCOTT BERINATO
: serial numbers and control their distribution. James Whittaker says
: programmable PCs are dangerous, so why not treat them like guns?
jericho@attrition.org wrote:
In 2001, 2002, 2003 and 2004, how many deaths were attributed to
computers?
Programmable PCs *are* dangerous, but only to themselves and other
programmable PCs that aren't operated by skilled people who know how to
defend against the execution of unwanted machine code.
The problem with programmable PCs is that they execute machine code
without considering whether any of the instructions are desired by the
owner of the CPU. A no execute (NX) stack and heap [1] is a step in the
right direction, but everyone in the computer industry who has given
this any thought already knows that the core problem with computer
security is that our CPUs make no effort to restrict the execution of
machine code to that very small subset of all possible machine code
which constitutes the code that the owner of the CPU desires it to run.
Until this security defect is solved, we will still have problems caused
by rampant technical bugs in our programmable PCs. Insecure software
would not be a threat except in rare circumstances if there were only a
way for our CPUs to be configured to execute *only* the insecure
software that we desire, and block anything else that is added to our
boxes by buffers, bullies, or buffoons.
If anyone really cared about solving this core security problem with
computing today, it would be solved in just a few months. We would then
be left with all of the wonderful array of security problems that are
caused by human behavior (theft, misuse, physical intrusion,
eavesdropping, scam artists, etc) and these are problems we can all live
with in relative harmony [7].
The marketplace is not demanding this solution, and it appears from the
noise of the media and marketing and PR machines of our revered industry
leaders that nobody is even trying to build awareness of the problem
much less devise and deliver solutions.
Programmable CPUs are not suitable for use in data communications
devices without hardware defenses that restrict the machine code
instruction sequences that the CPU will accept. Programmable CPUs are
barely suitable for anything without this simple security addition.
We're all so busy pushing bits around urgently we've forgotten to care.
CIO should be ashamed to be perpetuating the pointless and fraudulent
business ideas of an industry addicted to extracting profit from victims
by causing them unnecessary problems and then selling inadequate fixes.
Sincerely,
Jason Coombs
jasonc@science.org
[1] MSDN Security Developer Center: Execution Protection
http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx
[7] Why Was Intel a No-Show on No Execute?
http://www.eweek.com/article2/0,1759,1599193,00.asp
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
