Date: Wed, 23 Mar 2005 13:51:12 -0600
From: Ben Vaisvil <benv@...igntoscano.com>
To: jasonc@...ence.org
Cc: sberinato@....com, full-disclosure@...ts.grok.org.uk, isn@....org, bugtraq@...urityfocus.com
Subject: Re: [ISN] How To Save The Internet

The truth is most people are not "skilled" enough to operate their PC's
at a level that isn't "dangerous" to the rest of the network/internet.
Nor should they have to be. With better operating system and software
design we can mitigate those risks, but never eliminate them. There is
no one simple solution to a security problem - it is always a process.

The problem often lies that the default configurations for software and
OS's are inherently insecure, allowing problems to propagate. No normal
computer user should be expected to become a system administrator for
their computer. Design is what has let us down - the fact I have to be
active to protect my computer is the problem.

Ben

Jason Coombs wrote:

> InfoSec News wrote:
>
>> Forwarded from: security curmudgeon <jericho@...rition.org>
>> Cc: sberinato@....com
>> ... Big load of crap ...
>> : http://www.cio.com/archive/031505/security.html
>> : BY SCOTT BERINATO
>> : serial numbers and control their distribution. James Whittaker says
>> : programmable PCs are dangerous, so why not treat them like guns?
>
>
> jericho@...rition.org wrote:
>
>> In 2001, 2002, 2003 and 2004, how many deaths were attributed to
>> computers?
>
>
> Programmable PCs *are* dangerous, but only to themselves and other
> programmable PCs that aren't operated by skilled people who know how to
> defend against the execution of unwanted machine code.
>
> The problem with programmable PCs is that they execute machine code
> without considering whether any of the instructions are desired by the
> owner of the CPU. A no execute (NX) stack and heap [1] is a step in the
> right direction, but everyone in the computer industry who has given
> this any thought already knows that the core problem with computer
> security is that our CPUs make no effort to restrict the execution of
> machine code to that very small subset of all possible machine code
> which constitutes the code that the owner of the CPU desires it to run.
>
> Until this security defect is solved, we will still have problems caused
> by rampant technical bugs in our programmable PCs. Insecure software
> would not be a threat except in rare circumstances if there were only a
> way for our CPUs to be configured to execute *only* the insecure
> software that we desire, and block anything else that is added to our
> boxes by buffers, bullies, or buffoons.
>
> If anyone really cared about solving this core security problem with
> computing today, it would be solved in just a few months. We would then
> be left with all of the wonderful array of security problems that are
> caused by human behavior (theft, misuse, physical intrusion,
> eavesdropping, scam artists, etc) and these are problems we can all live
> with in relative harmony [7].
>
> The marketplace is not demanding this solution, and it appears from the
> noise of the media and marketing and PR machines of our revered industry
> leaders that nobody is even trying to build awareness of the problem
> much less devise and deliver solutions.
>
> Programmable CPUs are not suitable for use in data communications
> devices without hardware defenses that restrict the machine code
> instruction sequences that the CPU will accept. Programmable CPUs are
> barely suitable for anything without this simple security addition.
>
> We're all so busy pushing bits around urgently we've forgotten to care.
>
> CIO should be ashamed to be perpetuating the pointless and fraudulent
> business ideas of an industry addicted to extracting profit from victims
> by causing them unnecessary problems and then selling inadequate fixes.
>
> Sincerely,
>
> Jason Coombs
> jasonc@...ence.org
>
>
> [1] MSDN Security Developer Center: Execution Protection
> http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx
>
>
> [7] Why Was Intel a No-Show on No Execute?
> http://www.eweek.com/article2/0,1759,1599193,00.asp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/