lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: CyberInsecurity: The cost of Monopoly

On Sun, 28 Sep 2003, Frank Knobbe wrote:

> I think Paul's sentiment was that current efforts are focused on
> networks, IP addresses, firewalls, protocols, etc, basically focusing on
> the _transport_ of data. I think what we need are better mechanism to
> protect the _data_ itself, not just the transport/protocol of it.

The protection of data (information) involves far more than IT, and is
more about procedures, policies, education, physical access control. On
the computer level, we do not really have a way to approach the problem in
an efficient and workable manner. There are many ways to make the
environment trusted...

> I'm not talking about Palladium crap, but more in the direction of more
> efficient ACL's,

...and yes, trusted computing, meta-tags and redesigned operating systems
that focus on the pieces of information and can handle and oversee data
flow processes are crucial for this. There is a catch, however - it works
fine in a lab or in a high-security office, and not really in the real
world - not yet, not anytime soon.

So it's probably pointless to call for a revolution in this regard. My
interpretation of what Paul said was that he referred to the problem of
"blob networks" that cannot be held accountable and are often very
difficult to control. This can be solved - sometimes, in some
environments. There's no silver bullet, but it's not because we lack the
technology or the knowledge, but because we can't bulldoze everything and
start from scratch in a bank, telco, or any other company that has a very
complex and critical network infrastructure, often designed back in the
ages of net innocence.

> RBAC, and finer system level control. We *can* harden the chewy insides
> by applying better controls.

That does not seem to have much to do with what you mentioned, control of
the data. You still control the machine remaining blind to the information
it handles. Besides, once again, it's all available. Some systems (most
recent Linux, or, to a degree, even Windows) have extensive access control
mechanisms that go beyond archaic root-and-user separation.

The problems with deploying this usually originate from beyond the
technology space, once again.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-09-28 22:27 --

   http://lcamtuf.coredump.cx/photo/current/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ