lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 Dec 2006 14:10:24 -0800
From: coderman <coderman@...il.com>
To: "Valdis.Kletnieks@...edu" <Valdis.Kletnieks@...edu>
Cc: full-disclosure@...ts.grok.org.uk, websecurity@...appsec.org
Subject: Re: comparing information security to other
	industries

On 12/19/06, Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> wrote:
> On Tue, 19 Dec 2006 12:16:29 PST, KT said:
> > So we have been dealing with information security from last 20 years

i'd argue this is closer to 40 years than 20. [0]


> 20 years after the first automobile, we'd gotten as far as a Model A or T
> or so.

1885 [1] to 1965 [2] for decent auto security.  80 years?  add 10
years if you consider air bags the requisite threshold.


> (Incidentally, the fact that we still have a lot of security issues isn't
> actually a software problem, so much as an innate lack of tools to help
> humans understand *any* complex system, be it software, or the economy,
> or global climate, or....)

i argue that the vast majority of insecure computing problems are
indeed software problems, in the sense that proper software design and
development would fix them.  consider the automobile theme, where a
wheel, some pedals, and a few signalling levers allow you to operate a
vehicle with more computers and technology than space faring vehicles
from a mere 30 years past.  these machines are usable and secure,
despite their mind boggling technological complexity brought about
over a hundred years of evolutionary and radical improvement.

let's side step the economics and inertia of existing software / IT
practice and look at a future utopia for sake of argument:

A: usability is requirement #1 for security [3].  is configuring that
IPsec IKE/ISAKMP key distribution and re-key policy iPod (tm) simple?
how about generating PKI infrastructure for those OpenVPN connections?
 "security" products are so ridiculously complicated it's a wonder
anyone is able to use them.  for a good laugh, write down the steps
required to configure full disk encryption and a strong VPN from your
laptop to a server. LOL, ROFFLE, etc.

B: capability based computing is the norm, as identity based access
control is fundamentally flawed [4].  if you've only heard of
capability based security in passing, consider this an underscore of
the systemic and pervasive nature of our willful ignorance of good
practice.

C: consumers can recognize and compare the merits of security built
into systems they use, with producers willing and able to emphasize
security considerations during design, implementation, testing, and
support/integration phases of production and life cycle [5].

99.5% of existing problems disappear in such a world, leaving mostly
insider fraud to be addressed via process and policy.  we can get
there, but it ain't gonna happen soon...


0. "Capability-Based Computer Systems - Chap. 3 Early Capability Architectures"
    http://www.cs.washington.edu/homes/levy/capabook/
    [ref: Dennis and Van Horn @ MIT using Capabilities to describe
secure composition in 1966]

1. "History of the Automobile"
    http://en.wikipedia.org/wiki/History_of_the_automobile

2. "Unsafe at Any Speed"
    http://en.wikipedia.org/wiki/Unsafe_at_Any_Speed

3. "Secure Interaction Design"
    http://www.ischool.berkeley.edu/~ping/sid/

4. "Capability Security Model"
    http://c2.com/cgi/wiki?CapabilitySecurityModel

5. "Build Security In"
    https://buildsecurityin.us-cert.gov/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists