lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5.2.1.1.1.20050321211437.01e64e38@web10198.securesites.com>
Date: Mon, 21 Mar 2005 21:21:21 -0600
From: Keith Oxenrider <koxenrider@...-biotech.com>
To: jasonc@...ence.org, jericho@...rition.org
Cc: sberinato@....com, full-disclosure@...ts.grok.org.uk,
	isn@....org, bugtraq@...urityfocus.com
Subject: Re: [ISN] How To Save The Internet


I didn't take the time to read every single response to the article (though 
did take the time to pen my own), but I read at least half of them and 
didn't see a one that seemed to support the article.  Several even seemed 
to think they were reading a Dilbert comic.  The ironic part (and the point 
I tried to make in my post) is that the actual readership of CIO are, for 
the most part, clewless pointy hairs and probably didn't even finish 
reading the article (if they even started it) and certainly would never 
take the time to read the responses to it, let alone discuss them with 
their technical people.  These are the decision makers who pay us to make 
the things that are complained about in the article.  As long as they 
refuse to pay us to write secure products nothing will change.

Keith Oxenrider
CISSP

At 10:24 AM 3/22/2005 +1200, Jason Coombs wrote:
>InfoSec News wrote:
>>Forwarded from: security curmudgeon <jericho@...rition.org>
>>Cc: sberinato@....com
>>... Big load of crap ...
>>: http://www.cio.com/archive/031505/security.html
>>: BY SCOTT BERINATO
>>: serial numbers and control their distribution. James Whittaker says : 
>>programmable PCs are dangerous, so why not treat them like guns?
>
>jericho@...rition.org wrote:
>>In 2001, 2002, 2003 and 2004, how many deaths were attributed to computers?
>
>Programmable PCs *are* dangerous, but only to themselves and other 
>programmable PCs that aren't operated by skilled people who know how to 
>defend against the execution of unwanted machine code.
>
>The problem with programmable PCs is that they execute machine code 
>without considering whether any of the instructions are desired by the 
>owner of the CPU. A no execute (NX) stack and heap [1] is a step in the 
>right direction, but everyone in the computer industry who has given this 
>any thought already knows that the core problem with computer security is 
>that our CPUs make no effort to restrict the execution of machine code to 
>that very small subset of all possible machine code which constitutes the 
>code that the owner of the CPU desires it to run.
>
>Until this security defect is solved, we will still have problems caused 
>by rampant technical bugs in our programmable PCs. Insecure software would 
>not be a threat except in rare circumstances if there were only a way for 
>our CPUs to be configured to execute *only* the insecure software that we 
>desire, and block anything else that is added to our boxes by buffers, 
>bullies, or buffoons.
>
>If anyone really cared about solving this core security problem with 
>computing today, it would be solved in just a few months. We would then be 
>left with all of the wonderful array of security problems that are caused 
>by human behavior (theft, misuse, physical intrusion, eavesdropping, scam 
>artists, etc) and these are problems we can all live with in relative 
>harmony [7].
>
>The marketplace is not demanding this solution, and it appears from the 
>noise of the media and marketing and PR machines of our revered industry 
>leaders that nobody is even trying to build awareness of the problem much 
>less devise and deliver solutions.
>
>Programmable CPUs are not suitable for use in data communications devices 
>without hardware defenses that restrict the machine code instruction 
>sequences that the CPU will accept. Programmable CPUs are barely suitable 
>for anything without this simple security addition.
>
>We're all so busy pushing bits around urgently we've forgotten to care.
>
>CIO should be ashamed to be perpetuating the pointless and fraudulent 
>business ideas of an industry addicted to extracting profit from victims 
>by causing them unnecessary problems and then selling inadequate fixes.
>
>Sincerely,
>
>Jason Coombs
>jasonc@...ence.org
>
>
>[1] MSDN Security Developer Center: Execution Protection
>http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx
>
>[7] Why Was Intel a No-Show on No Execute?
>http://www.eweek.com/article2/0,1759,1599193,00.asp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ