[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Re: [ISN] How To Save The Internet

<br><font size=2 face="sans-serif">This is the third time I've received
this, but I forgot to mention that the question at the top is not rhetorical.
In fact, I know of hundreds of deaths attributed to computers in 2003 alone.
Many involved dosage delivery software. Others involved helicopters. Planes.
Deaths by buggy software are a common occurence. </font>
<br>
<br><font size=2 face="sans-serif">Death by PC? Perhaps not as many but
if that's such a narrow subset of computers our audience would laugh at
us if that's all we looked at. If that's how you look at the world of computers,
ours is not the magazine for you. The PC-centered view t's too narrow to
even consider seriously. We have far wider-ranging ideas.</font>
<br>
<br><font size=2 face="sans-serif">sb </font>
<br>
<br>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>&quot;Jason Coombs&quot;
&lt;jasonc@xxxxxxxxxxx&gt;</b> </font>
<p><font size=1 face="sans-serif">03/21/2005 07:00 PM</font>
<table border>
<tr valign=top>
<td bgcolor=white>
<div align=center><font size=1 face="sans-serif">Please respond to<br>
jasonc@xxxxxxxxxxx</font></div></table>
<br>
<td width=59%>
<table width=100%>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td valign=top><font size=1 face="sans-serif">&lt;kenneth&gt;</font>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td valign=top><font size=1 face="sans-serif">isn@xxxxxxx, Scott 
Berinato/CIO@CIO,
full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx</font>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td valign=top><font size=1 face="sans-serif">Re: [ISN] How To Save The
Internet</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><img src=cid:_1_057D6998057D645C004BF09E85256FCC>
<br><font size=1><tt>InfoSec News wrote:<br>
&gt; Forwarded from: security curmudgeon &lt;jericho@xxxxxxxxxxxxx&gt;<br>
&gt; Cc: sberinato@xxxxxxx<br>
&gt; ... Big load of crap ...<br>
&gt; : http://www.cio.com/archive/031505/security.html<br>
&gt; : BY SCOTT BERINATO<br>
&gt; : serial numbers and control their distribution. James Whittaker says<br>
&gt; : programmable PCs are dangerous, so why not treat them like guns?<br>
</tt></font>
<br><font size=1><tt>jericho@xxxxxxxxxxxxx wrote:<br>
&gt; In 2001, 2002, 2003 and 2004, how many deaths were attributed to<br>
&gt; computers?<br>
</tt></font>
<br><font size=1><tt>Programmable PCs *are* dangerous, but only to themselves
and other<br>
programmable PCs that aren't operated by skilled people who know how to<br>
defend against the execution of unwanted machine code.<br>
</tt></font>
<br><font size=1><tt>The problem with programmable PCs is that they execute
machine code<br>
without considering whether any of the instructions are desired by the<br>
owner of the CPU. A no execute (NX) stack and heap [1] is a step in the<br>
right direction, but everyone in the computer industry who has given<br>
this any thought already knows that the core problem with computer<br>
security is that our CPUs make no effort to restrict the execution of<br>
machine code to that very small subset of all possible machine code<br>
which constitutes the code that the owner of the CPU desires it to run.<br>
</tt></font>
<br><font size=1><tt>Until this security defect is solved, we will still
have problems caused<br>
by rampant technical bugs in our programmable PCs. Insecure software<br>
would not be a threat except in rare circumstances if there were only a<br>
way for our CPUs to be configured to execute *only* the insecure<br>
software that we desire, and block anything else that is added to our<br>
boxes by buffers, bullies, or buffoons.<br>
</tt></font>
<br><font size=1><tt>If anyone really cared about solving this core security
problem with<br>
computing today, it would be solved in just a few months. We would then<br>
be left with all of the wonderful array of security problems that are<br>
caused by human behavior (theft, misuse, physical intrusion,<br>
eavesdropping, scam artists, etc) and these are problems we can all live<br>
with in relative harmony [7].<br>
</tt></font>
<br><font size=1><tt>The marketplace is not demanding this solution, and
it appears from the<br>
noise of the media and marketing and PR machines of our revered industry<br>
leaders that nobody is even trying to build awareness of the problem<br>
much less devise and deliver solutions.<br>
</tt></font>
<br><font size=1><tt>Programmable CPUs are not suitable for use in data
communications<br>
devices without hardware defenses that restrict the machine code<br>
instruction sequences that the CPU will accept. Programmable CPUs are<br>
barely suitable for anything without this simple security addition.<br>
</tt></font>
<br><font size=1><tt>We're all so busy pushing bits around urgently we've
forgotten to care.<br>
</tt></font>
<br><font size=1><tt>CIO should be ashamed to be perpetuating the pointless
and fraudulent<br>
business ideas of an industry addicted to extracting profit from victims<br>
by causing them unnecessary problems and then selling inadequate fixes.<br>
</tt></font>
<br><font size=1><tt>Sincerely,<br>
</tt></font>
<br><font size=1><tt>Jason Coombs<br>
jasonc@xxxxxxxxxxx<br>
</tt></font>
<br>
<br><font size=1><tt>[1] MSDN Security Developer Center: Execution 
Protection<br>
http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx<br>
</tt></font>
<br><font size=1><tt>[7] Why Was Intel a No-Show on No Execute?<br>
http://www.eweek.com/article2/0,1759,1599193,00.asp<br>
</tt></font>
<br><font size=1><tt>
</tt></font>
<br>

GIF image

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/