lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1989F6F0D512A7428593D724A81986F0239141@waprdms01.gsm1900.org>
From: Michael.Schmidt at T-Mobile.com (Schmidt, Michael R.)
Subject: Calcuating Loss

Well one of the biggest issues that allows people to remain anonymous is DHCP.  If everyone on the internet was required to get a static IP address, or to log which IP they were using - using a secure technology then everyone could be tracked, sure a few "super" hackers could still manage to escape detection I am sure, but there is nothing that is the equivalent of a drivers license on the internet.

Sure there would still be criminals using stolen credentials, but IPs are handed out based on location or where you dialed in from. Dialing in can be traced using caller ID, wireless by IP and base station proximity, so just like today, people would have a alibi for the time and place the criminal used their identity.

What we need is something that you have to log into (securely) or your DHCP is revoked immediately.  And of course static IPs are well, static and since they are routed, routes can be logged and therefore trackable.

So again it is anonymity that causes most of the grief.  If all code had to be signed, then you'd know who wrote it, and running unsigned code would be your own stupid fault.

If you replace a part on some new cars with a non-manufacturers part, you void the warranty.  But when you run unsigned downloaded for free or sent through email code on your dell, who do you call and expect to fix it when it stops working?  The end user is the moron, we require no test to get on the internet and yet we let more people anonymously sign on the net everyday.

-----Original Message-----
From: Alexander Schreiber [mailto:als@...ngorodrim.de]
Sent: Tuesday, May 11, 2004 10:34 PM
To: Schmidt, Michael R.
Cc: 'Frank Knobbe'; Valdis.Kletnieks@...edu; Full-Disclosure
Subject: Re: [Full-Disclosure] Calcuating Loss

On Tue, May 11, 2004 at 03:02:30PM -0700, Schmidt, Michael R. wrote:
> I think that part of the evolution is to lock people who create these
> things up for a *very* long time.  It will deter the script kittens
> when they start to find that their computers are confiscated and their
> parents homes are sold to pay for the "loss" incurred by there
> stupidity.  The real black hats will be deterred when 20 FBI/CIA whoever
> agents drag them from their homes at gunpoint with the handcuffs tight
> around there wrists.

Dead wrong. All this will accomplish is the any malware author will just
be one hell of a lot more careful to avoid getting caught. It might even
accelerate another trend: malware by script kiddies who goes down,
malware by real criminals (who use/sell the infected machines as spam
relays, DDoS zombies (nice extortion tool, already used), ...) will go
up. Net result: you ruined the live of a few foolish kids and their
entire family, but you still don't get the (much more dangerous)
professional criminals. Achievement for network security: NIL.

> The consequences need to be severe enough.  In order to accomplish that
> our infrastructure has got to support the basic ability to find people
> who cause problems.  Anonymity is not an option.

Ever heard of identity theft? In the same way that the less stupid
criminals don't use their own private cars but stolen ones for
committing crimes, criminal malware authors will just use
computers/accounts whose access credentials were stolen. You end up
investigating a fool who got his access credentials stolen, but probably
didn't do anything else. And you still have to find the real guy ...

We really should take a lesson from the real world here: valuable
property (like big bags full of money) are not usually left out on the
kitchen table and only protected by strong penalties for anyone
wandering in and grabbing a few - if you tried to rely on this, police and
insurance would laugh you out of town. Instead, valueable physical
property is protected by serious physical means of protection (like
putting your bags full of cash into a big, heavy, unmovable safe) _and_
legislation to punish the few serious criminals who still manage to
steal some.

The way to protect digital infrastructure from the destructive effects
of malware is to harden the infrastructure itself. Don't use insecure
operating systems and hope that the 'patch of the day' will keep the
malware out - because it won't. Don't use sloppily coded, insecure
software on hope nothing bad will happen because nobody will find out
how to exploit the flaws - because somebody will find out and exploits
will happen. Don't build insecure networks and hope nobody will abuse
them because nobody knows what a mess it is - because somebody will
abuse them.

In short: Don't build a house of cards and then try to outlaw the wind,
build a house of stone and enjoy the fresh air.

Yes, there are things that are very hard or practically impossible to
guard against (DoS comes to mind), but practically all malware problems
are due to avoidable failures: insecure configurations (like executing
untrusted code from unknown sources by default), coding errors that
could be avoided by using proper tools (like buffer overflows) and so
on. Close the existing easy attack paths and then we can deal with the
remaining few attackers with the law and a lot of attention.


Regards,
      Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
 looks like work."                                      -- Thomas A. Edison


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ