Message-ID: <4241C8B0.7010205@designtoscano.com>
Date: Wed, 23 Mar 2005 13:51:12 -0600
From: Ben Vaisvil <benv@...igntoscano.com>
To: jasonc@...ence.org
Cc: sberinato@....com, full-disclosure@...ts.grok.org.uk,
isn@....org, bugtraq@...urityfocus.com
Subject: Re: [ISN] How To Save The Internet

The truth is most people are not "skilled" enough to operate their PCs at a level that
isn't "dangerous" to the rest of the network/internet. Nor should they have to be. With
better operating system and software design we can mitigate those risks, but never
eliminate them. There is no one simple solution to a security problem - it is always a
process. The problem often lies in the fact that the default configurations for software
and OSes are inherently insecure, allowing problems to propagate. No normal computer user
should be expected to become a system administrator for their computer. Design is what
has let us down - the fact I have to be active to protect my computer is the problem.

Ben

Jason Coombs wrote:
> InfoSec News wrote:
>
>> Forwarded from: security curmudgeon <jericho@...rition.org>
>> Cc: sberinato@....com
>> ... Big load of crap ...
>> : http://www.cio.com/archive/031505/security.html
>> : BY SCOTT BERINATO
>> : serial numbers and control their distribution. James Whittaker says
>> : programmable PCs are dangerous, so why not treat them like guns?
>
>
> jericho@...rition.org wrote:
>
>> In 2001, 2002, 2003 and 2004, how many deaths were attributed to
>> computers?
>
>
> Programmable PCs *are* dangerous, but only to themselves and other
> programmable PCs that aren't operated by skilled people who know how to
> defend against the execution of unwanted machine code.
>
> The problem with programmable PCs is that they execute machine code
> without considering whether any of the instructions are desired by the
> owner of the CPU. A no execute (NX) stack and heap [1] is a step in the
> right direction, but everyone in the computer industry who has given
> this any thought already knows that the core problem with computer
> security is that our CPUs make no effort to restrict the execution of
> machine code to that very small subset of all possible machine code
> which constitutes the code that the owner of the CPU desires it to run.
>
> Until this security defect is solved, we will still have problems caused
> by rampant technical bugs in our programmable PCs. Insecure software
> would not be a threat except in rare circumstances if there were only a
> way for our CPUs to be configured to execute *only* the insecure
> software that we desire, and block anything else that is added to our
> boxes by buffers, bullies, or buffoons.
>
> If anyone really cared about solving this core security problem with
> computing today, it would be solved in just a few months. We would then
> be left with all of the wonderful array of security problems that are
> caused by human behavior (theft, misuse, physical intrusion,
> eavesdropping, scam artists, etc) and these are problems we can all live
> with in relative harmony [7].
>
> The marketplace is not demanding this solution, and it appears from the
> noise of the media and marketing and PR machines of our revered industry
> leaders that nobody is even trying to build awareness of the problem
> much less devise and deliver solutions.
>
> Programmable CPUs are not suitable for use in data communications
> devices without hardware defenses that restrict the machine code
> instruction sequences that the CPU will accept. Programmable CPUs are
> barely suitable for anything without this simple security addition.
>
> We're all so busy pushing bits around urgently we've forgotten to care.
>
> CIO should be ashamed to be perpetuating the pointless and fraudulent
> business ideas of an industry addicted to extracting profit from victims
> by causing them unnecessary problems and then selling inadequate fixes.
>
> Sincerely,
>
> Jason Coombs
> jasonc@...ence.org
>
>
> [1] MSDN Security Developer Center: Execution Protection
> http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx
>
>
> [7] Why Was Intel a No-Show on No Execute?
> http://www.eweek.com/article2/0,1759,1599193,00.asp
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/