[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Re: [ISN] How To Save The Internet

To: jasonc@xxxxxxxxxxx
Subject: [Full-disclosure] Re: [ISN] How To Save The Internet
From: Scott Berinato <sberinato@xxxxxxx>
Date: Tue, 22 Mar 2005 08:50:12 -0500

<br><font size=2 face="sans-serif">Jason,</font>
<br>
<br><font size=2 face="sans-serif">Thanks for the good thoughtful note.
I've thought quite a bit about the exact issues you bring up at the end--human
behavior being a far more serious problem and the security-infrastructure
complex which is profiting off of the industry's own sins of selling inadequate
equipment in the first place. You can see much of this coverage in the
column Alarmed online.</font>
<br>
<br><font size=2 face="sans-serif">It's also nice to see someone with 
programming
experience not simply claim that programming is too creative, too complex
to secure. This is a myth perpetuated by programmers as an excuse not to
do their jobs in a secure way. </font>
<br>
<br><font size=2 face="sans-serif">Also, you've read the piece (one hopes)
and thought seriously about the suggestions and commented on them. For
that I'm not ashamed, I'm pleased.</font>
<br><font size=2 face="sans-serif"><br>
Cheers,</font>
<br><font size=2 face="sans-serif">Scott Berinato</font>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Jason Coombs 
&lt;jasonc@xxxxxxxxxxx&gt;</b>
</font>
<p><font size=1 face="sans-serif">03/21/2005 05:24 PM</font>
<table border>
<tr valign=top>
<td bgcolor=white>
<div align=center><font size=1 face="sans-serif">Please respond to<br>
jasonc@xxxxxxxxxxx</font></div></table>
<br>
<td width=59%>
<table width=100%>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td valign=top><font size=1 face="sans-serif">jericho@xxxxxxxxxxxxx</font>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td valign=top><font size=1 face="sans-serif">isn@xxxxxxx, Scott 
Berinato/CIO@CIO,
full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx</font>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td valign=top><font size=1 face="sans-serif">Re: [ISN] How To Save The
Internet</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><img src=cid:_1_0568D1600568CC28004B90B885256FCC>
<br><font size=1><tt>InfoSec News wrote:<br>
&gt; Forwarded from: security curmudgeon &lt;jericho@xxxxxxxxxxxxx&gt;<br>
&gt; Cc: sberinato@xxxxxxx<br>
&gt; ... Big load of crap ...<br>
&gt; : http://www.cio.com/archive/031505/security.html<br>
&gt; : BY SCOTT BERINATO<br>
&gt; : serial numbers and control their distribution. James Whittaker says<br>
&gt; : programmable PCs are dangerous, so why not treat them like guns?<br>
</tt></font>
<br><font size=1><tt>jericho@xxxxxxxxxxxxx wrote:<br>
&gt; In 2001, 2002, 2003 and 2004, how many deaths were attributed to<br>
&gt; computers?<br>
</tt></font>
<br><font size=1><tt>Programmable PCs *are* dangerous, but only to themselves
and other<br>
programmable PCs that aren't operated by skilled people who know how to<br>
defend against the execution of unwanted machine code.<br>
</tt></font>
<br><font size=1><tt>The problem with programmable PCs is that they execute
machine code<br>
without considering whether any of the instructions are desired by the<br>
owner of the CPU. A no execute (NX) stack and heap [1] is a step in the<br>
right direction, but everyone in the computer industry who has given<br>
this any thought already knows that the core problem with computer<br>
security is that our CPUs make no effort to restrict the execution of<br>
machine code to that very small subset of all possible machine code<br>
which constitutes the code that the owner of the CPU desires it to run.<br>
</tt></font>
<br><font size=1><tt>Until this security defect is solved, we will still
have problems caused<br>
by rampant technical bugs in our programmable PCs. Insecure software<br>
would not be a threat except in rare circumstances if there were only a<br>
way for our CPUs to be configured to execute *only* the insecure<br>
software that we desire, and block anything else that is added to our<br>
boxes by buffers, bullies, or buffoons.<br>
</tt></font>
<br><font size=1><tt>If anyone really cared about solving this core security
problem with<br>
computing today, it would be solved in just a few months. We would then<br>
be left with all of the wonderful array of security problems that are<br>
caused by human behavior (theft, misuse, physical intrusion,<br>
eavesdropping, scam artists, etc) and these are problems we can all live<br>
with in relative harmony [7].<br>
</tt></font>
<br><font size=1><tt>The marketplace is not demanding this solution, and
it appears from the<br>
noise of the media and marketing and PR machines of our revered industry<br>
leaders that nobody is even trying to build awareness of the problem<br>
much less devise and deliver solutions.<br>
</tt></font>
<br><font size=1><tt>Programmable CPUs are not suitable for use in data
communications<br>
devices without hardware defenses that restrict the machine code<br>
instruction sequences that the CPU will accept. Programmable CPUs are<br>
barely suitable for anything without this simple security addition.<br>
</tt></font>
<br><font size=1><tt>We're all so busy pushing bits around urgently we've
forgotten to care.<br>
</tt></font>
<br><font size=1><tt>CIO should be ashamed to be perpetuating the pointless
and fraudulent<br>
business ideas of an industry addicted to extracting profit from victims<br>
by causing them unnecessary problems and then selling inadequate fixes.<br>
</tt></font>
<br><font size=1><tt>Sincerely,<br>
</tt></font>
<br><font size=1><tt>Jason Coombs<br>
jasonc@xxxxxxxxxxx<br>
</tt></font>
<br>
<br><font size=1><tt>[1] MSDN Security Developer Center: Execution 
Protection<br>
http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx<br>
</tt></font>
<br><font size=1><tt>[7] Why Was Intel a No-Show on No Execute?<br>
http://www.eweek.com/article2/0,1759,1599193,00.asp</tt></font>
<br>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Re: [ISN] How To Save The Internet
Next by Date: [Full-disclosure] Re: [ISN] How To Save The Internet
Previous by thread: [Full-disclosure] Re: [ISN] How To Save The Internet
Next by thread: [Full-disclosure] Re: [ISN] How To Save The Internet
Index(es):
- Date
- Thread