lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <79342648-1121536340-cardhu_blackberry.rim.net-13780-@engine75>
Date: Sat Jul 16 18:52:44 2005
From: jasonc at science.org (Jason Coombs)
Subject: Why Vulnerability Databases can't do everything

Do either of you seriously believe that it will ever be safe to use a software programmable CPU to automatically process data that originates from some place other than your fingertips?

The entire personal and business computer industry is producing broken and dangerous products, yet it would require only a few fundamental changes to fix everything. Instead of putting effort and capital into this objective everyone is squabbling over changing software vendors' behavior or fretting over individual bugs and whether or not they should be disclosed and if so how and when.

1) Stop loading machine code from the same data storage devices to which user/application data is saved.

2) Don't allow machine code to be written to program storage unless it has first been enciphered with a key assigned to the computer.

3) Stop buffering runtime I/O within the same physical memory as machine code.

4) Put a stop the silly belief that software must be executed in the same form that it is delivered. (i.e. Just because the programmer wrote code that made Win32 API calls on the development box, this does not mean that the OS deployment that hosts the execution of that code has to support Win32 at all -- we need to insert a machine code transformation step prior to deployment of code, combining the principles of address space layout randomization with new approaches to API obfuscation/reassembly down to the level of customized/reassigned interrupts and CPU registers.

6) Etc.

Do these things, some of which require modifications to the present fixed-opcode structure of the programmable CPU, and all outsider attacks against software will fail to accomplish anything other than a denial of service.

With a little common sense applied to the design of computers, the only threats anyone would have to worry about are data theft, physical device tampering/hacking, and insiders.

The company that achieves objectives like these will own the next 100 years of computing. Everyone who believes that security flaws in software are worth effort to discover and fix is very badly confused.

Solving present-day systemic defects in the design of computing architectures, now that's important.

Software bugs are a plague that infects every computer from the moment it is first assembled, but not because of software vendors' mistakes, rather as a direct result of genetic defects in the computer genome.

Windows will no longer exist within 10 years because everyone will have realized that it was built on a flawed premise around defective hardware.

Will Microsoft be the architect of the first non-defective programmable computer? No way. They only know how to profit by exploiting short-term opportunity.

More likely, some microprocessor vendor will bring to market a machine architecture that the best and brightest programmers around the world will rally around to birth the neocomputer industry.

Meanwhile, your continued loyalty to, investment in, and commercial exploitation of the computer technology we have today is obviously nothing more than an attempt to increase your own importance at the expense of others. Get over it. If you're a decent human being you will not buy nor encourage the purchase of a single computing device other than the Nokia 770 Linux Internet Tablet until the neocomputer industry emerges.

Regards,

Jason Coombs
jasonc@...ence.org

Powered by blists - more mailing lists