Date: Wed, 5 Dec 2007 22:45:39 -0500
From: "Dude VanWinkle" <dudevanwinkle@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: need help in managing administrators

On Dec 5, 2007 5:44 PM,  <Valdis.Kletnieks@...edu> wrote:
> On Sun, 02 Dec 2007 20:04:42 EST, Dude VanWinkle said:
>
> > Anyone who was a security expert 30 yrs ago should be ridiculed. Their
> > job description was "I inspect all 5 & 1/4 disks that get mailed to
> > us" and should be a reason NOT to hire them :-P
>
> Anybody who doesn't know the history of security well enough to know what
> was going on 30 years ago deserves to be ridiculed.


You are right, thanks for all the careful planning and well thought
out infrastructure. I mean, who could have thought that the ability to
reach into the homes of every tom dick and harry as well as every
company on the planet would be used for swindling cash?


> Here's a classic paper (the original Multics vulnerability analysis by Karger
> and Schell):
>
> http://www.acsac.org/2002/papers/classic-multics-orig.pdf

Thanks for the link. Good info to have, even today (which is what I
have a problem with).

From the Link:
http://www.acsac.org/2002/papers/classic-multics-orig.pdf
--------------------------
The internal controls of current computers repeatedly
have been shown insecure through numerous penetration
exercises on such systems as GCOS [9], WWMCCS
GCOS [8, 18], and IBM OS/360/370 [16].

tems and cannot be corrected by "patches", "fix-ups", or
"add-ons" to those systems. Rather, a fundamental
re-implementation using an integrated hardware/software
design which considers security as a fundamental
requirement is necessary. In particular, steps must be taken
to ensure the correctness of the security related portions
of the operating system. It is not sufficient to use a team
of experts to "test" the security controls of a system.
Such a "tiger team" can only show the existence of
vulnerabilities but cannot prove their non-existence.
-------------------snip----------------

So you knew this 30 years ago, and didn't change squat, and we are
still dealing with it now. How fuscking hard is it to design a system
with separate processors|memory for command|data channels? Sheesh, way
to invalidate my comment Valdis. (O_o)

--------------------snip----------------
Unfortunately, the managers of successfully penetrated
computer systems are very reluctant to permit release of
the details of the penetrations. Thus, most reports of
penetrations have severe (and often unjustified)
distribution restrictions leaving very few documents in the public
domain. Concealment of such penetrations does nothing
to deter a sophisticated penetrator and can in fact impede
technical interchange and delay the development of a
proper solution.
--------------------snip----------------


Nice way to work on this one as well. I have a better idea, let's lock
ourselves up in an ivory tower and just bitch about it for decades to
each other while simultaneously and obfuscating our proprietary
knowledge while hoarding it. Then we can wait and say "I told you so"
when a worm hits, or critical infrastructures are compromised. That
ought to pass the time...


--------------------snip----------------
A system which contains vulnerabilities
cannot be protected by keeping those vulnerabilities
secret. It can only be protected by the constraining of
physical access to the system.
--------------------snip----------------

All of the pdf you sent is very valuable and accurate information, of
which I have no problem with. But it should be the "history of
computer security" class from 19[8|9]6 in college that taught me this,
not the "Unethical Hacking" class from Immunity Inc. taught in 2007.

> Here's their 30-years-later retrospective:
>
> http://www.acsac.org/2002/papers/classic-multics.pdf

Lemme guess, nothing changed?


> Executive summary: We've learned somewhere between diddly and squat from
> 30 years of experience.

Yeah, thanks a lot for that. You know that it would have been a lot
easier, as a close knit group of programmers and developers to edit
things vs. the refitting of an infrastructure, that if it were to go
down today, would take the economies of all industrialized nations on
the planet.

But that's OK. Hopefully future technologies invented will learn from
the massive mistakes of your generation. Like Paper Accounting
Systems, the Phone, Fax Machines, etc, the internet was rife with
abuse. Future technologies that enable people to reach people or count
dollars will hopefully be engineered to be Secure.

From the analysis of days past, maybe this is a limitation of the
profit driven security model (which seems to be purely reactionary)
and I am just a hate filled moron, angry at the past for creating the
present. There is probably some truth to this (as I am hate filled and
moronic). What do I care? The less secure the Technology, the easier my
job is.... Still I can't help feeling that in 1976 (the year I was
born, so I don't have much personal experience to go on) you could
have said "yeah boss, this computer thingy will have 4k of ram,
hand-woven in India, cost 2 million dollars, and oh yeah, it won't run
without separate command and control channels, that would have driven
up the price to 4 mil for 4 k ram and two processors, and the
higher-ups wouldn't have the knowledge to know this wasn't a necessary
expenditure for "blocking solar flares from corrupting your data".

> Incidentally, Karger&Schell is the "unnamed Air Force document" that Ken
> Thompson references as the source for his Turing Award lecture:
>
> Thompson, K., "Reflections on Trusting Trust", Communications of the ACM,
> Vol. 27, No. 8, August 1984, http://www.acm.org/classics/sep95/
>
> Ridicule these guys at your own peril.  You can count me out, my personal timer
> is currently sitting at 29 years 10 months.. ;)

Yeah, don't come to me for a Job.... but if you guys are hiring.. ;-)



> Incidentally, 30 years ago, the 5.25" disk was still well in the future - even
> the 8" floppy was relatively new.
>

Someone pointed that out to me in an offline email. Also my comment
was rude and naive. It's easy to sit back and say "those people who
came before me didn't know much about X", but that is kind of a cop out. Usually
History and learning progress to the point that those who first
discovered the knowledge are loong gone before the revisions are made.
Now History happens so fast that we still have to deal with you
fusckers while we are learning from your mistakes and dealing with
their consequences.... I blame computers and those that invented them
for this ;-)

-JP<whew, if feels good to let that out, Doc>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
