[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Re: [ISN] How To Save The Internet

To: Keith Oxenrider <koxenrider@xxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Re: [ISN] How To Save The Internet
From: Scott Berinato <sberinato@xxxxxxx>
Date: Tue, 22 Mar 2005 08:58:50 -0500

<br><font size=2 face="sans-serif">Keith, </font>
<br>
<br><font size=2 face="sans-serif">I argue in a recent column that the
real problem is not that they won't pay people to secure their products
(though they won't) but that the products can't be secured. As Jason points
out, the architecture is set up to execute code; and there are other inherent
faults in design. Some kind of major upheaval will probably be needed to
fix the problem.</font>
<br>
<br><font size=2 face="sans-serif">Also, perhaps they'd hire you if you
spelled clueless the way they do.</font>
<br>
<br><font size=2 face="sans-serif">Cheers,</font>
<br><font size=2 face="sans-serif">Scott Berinato</font>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Keith Oxenrider 
&lt;koxenrider@xxxxxxxxxxxxxxx&gt;</b>
</font>
<p><font size=1 face="sans-serif">03/21/2005 10:21 PM</font>
<td width=59%>
<table width=100%>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td valign=top><font size=1 face="sans-serif">jasonc@xxxxxxxxxxx, 
jericho@xxxxxxxxxxxxx</font>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td valign=top><font size=1 face="sans-serif">isn@xxxxxxx, Scott 
Berinato/CIO@CIO,
full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx</font>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td valign=top><font size=1 face="sans-serif">Re: [ISN] How To Save The
Internet</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><img src=cid:_1_047ADDE0047AD8A8004C5AD485256FCC>
<br><font size=1><tt>I didn't take the time to read every single response
to the article (though<br>
did take the time to pen my own), but I read at least half of them and<br>
didn't see a one that seemed to support the article. &nbsp;Several even
seemed<br>
to think they were reading a Dilbert comic. &nbsp;The ironic part (and
the point<br>
I tried to make in my post) is that the actual readership of CIO are, for<br>
the most part, clewless pointy hairs and probably didn't even finish<br>
reading the article (if they even started it) and certainly would never<br>
take the time to read the responses to it, let alone discuss them with<br>
their technical people. &nbsp;These are the decision makers who pay us
to make<br>
the things that are complained about in the article. &nbsp;As long as they<br>
refuse to pay us to write secure products nothing will change.<br>
</tt></font>
<br><font size=1><tt>Keith Oxenrider<br>
CISSP<br>
</tt></font>
<br><font size=1><tt>At 10:24 AM 3/22/2005 +1200, Jason Coombs wrote:<br>
&gt;InfoSec News wrote:<br>
&gt;&gt;Forwarded from: security curmudgeon &lt;jericho@xxxxxxxxxxxxx&gt;<br>
&gt;&gt;Cc: sberinato@xxxxxxx<br>
&gt;&gt;... Big load of crap ...<br>
&gt;&gt;: http://www.cio.com/archive/031505/security.html<br>
&gt;&gt;: BY SCOTT BERINATO<br>
&gt;&gt;: serial numbers and control their distribution. James Whittaker
says :<br>
&gt;&gt;programmable PCs are dangerous, so why not treat them like guns?<br>
&gt;<br>
&gt;jericho@xxxxxxxxxxxxx wrote:<br>
&gt;&gt;In 2001, 2002, 2003 and 2004, how many deaths were attributed to
computers?<br>
&gt;<br>
&gt;Programmable PCs *are* dangerous, but only to themselves and other<br>
&gt;programmable PCs that aren't operated by skilled people who know how
to<br>
&gt;defend against the execution of unwanted machine code.<br>
&gt;<br>
&gt;The problem with programmable PCs is that they execute machine code<br>
&gt;without considering whether any of the instructions are desired by
the<br>
&gt;owner of the CPU. A no execute (NX) stack and heap [1] is a step in
the<br>
&gt;right direction, but everyone in the computer industry who has given
this<br>
&gt;any thought already knows that the core problem with computer security
is<br>
&gt;that our CPUs make no effort to restrict the execution of machine code
to<br>
&gt;that very small subset of all possible machine code which constitutes
the<br>
&gt;code that the owner of the CPU desires it to run.<br>
&gt;<br>
&gt;Until this security defect is solved, we will still have problems caused<br>
&gt;by rampant technical bugs in our programmable PCs. Insecure software
would<br>
&gt;not be a threat except in rare circumstances if there were only a way
for<br>
&gt;our CPUs to be configured to execute *only* the insecure software that
we<br>
&gt;desire, and block anything else that is added to our boxes by buffers,<br>
&gt;bullies, or buffoons.<br>
&gt;<br>
&gt;If anyone really cared about solving this core security problem with<br>
&gt;computing today, it would be solved in just a few months. We would
then be<br>
&gt;left with all of the wonderful array of security problems that are
caused<br>
&gt;by human behavior (theft, misuse, physical intrusion, eavesdropping,
scam<br>
&gt;artists, etc) and these are problems we can all live with in relative<br>
&gt;harmony [7].<br>
&gt;<br>
&gt;The marketplace is not demanding this solution, and it appears from
the<br>
&gt;noise of the media and marketing and PR machines of our revered industry<br>
&gt;leaders that nobody is even trying to build awareness of the problem
much<br>
&gt;less devise and deliver solutions.<br>
&gt;<br>
&gt;Programmable CPUs are not suitable for use in data communications 
devices<br>
&gt;without hardware defenses that restrict the machine code instruction<br>
&gt;sequences that the CPU will accept. Programmable CPUs are barely 
suitable<br>
&gt;for anything without this simple security addition.<br>
&gt;<br>
&gt;We're all so busy pushing bits around urgently we've forgotten to care.<br>
&gt;<br>
&gt;CIO should be ashamed to be perpetuating the pointless and fraudulent<br>
&gt;business ideas of an industry addicted to extracting profit from victims<br>
&gt;by causing them unnecessary problems and then selling inadequate fixes.<br>
&gt;<br>
&gt;Sincerely,<br>
&gt;<br>
&gt;Jason Coombs<br>
&gt;jasonc@xxxxxxxxxxx<br>
&gt;<br>
&gt;<br>
&gt;[1] MSDN Security Developer Center: Execution Protection<br>
&gt;http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx<br>
&gt;<br>
&gt;[7] Why Was Intel a No-Show on No Execute?<br>
&gt;http://www.eweek.com/article2/0,1759,1599193,00.asp</tt></font>
<br>
<br>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Re: [ISN] How To Save The Internet
Next by Date: [Full-disclosure] CISSP Test
Previous by thread: [Full-disclosure] Re: [ISN] How To Save The Internet
Next by thread: [Full-disclosure] RE: [ISN] How To Save The Internet
Index(es):
- Date
- Thread