[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e024ccca0712051945t4c04bb59sa204a1a3dde4fc3a@mail.gmail.com>
Date: Wed, 5 Dec 2007 22:45:39 -0500
From: "Dude VanWinkle" <dudevanwinkle@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: need help in managing administrators
On Dec 5, 2007 5:44 PM, <Valdis.Kletnieks@...edu> wrote:
> On Sun, 02 Dec 2007 20:04:42 EST, Dude VanWinkle said:
>
> > Anyone who was a security expert 30 yrs ago should be ridiculed. Their
> > job description was "I inspect all 5 & 1/4 disks that get mailed to
> > us" and should be a reason NOT to hire them :-P
>
> Anybody who doesn't know the history of security well enough to know what
> was going on 30 years ago deserves to be ridiculed.
You are right, thanks for all the careful planning and well thought
out infrastructure. I mean, who could have thought that the ability to
reach into the homes of every tom dick and harry as well as every
company on the planet would be used for swindling cash?
> Here's a classic paper (the original Multics vulnerability analysis by Karger
> and Schell):
>
> http://www.acsac.org/2002/papers/classic-multics-orig.pdf
Thanks for the link. Good info to have, even today (which is what I
have a problem with).
>>From the Link:
http://www.acsac.org/2002/papers/classic-multics-orig.pdf
--------------------------
The internal controls of current computers repeatedly
have been shown insecure though numerous penetration
exercises on such systems as GCOS [9], WWMCCS
GCOS [8, 18], and IBM OS/360/370 [16].
tems and cannot be corrected by "patches", "fix-ups", or
"add-ons" to those systems. Rather, a fundamental re-
implementation using an integrated hardware/software
design which considers security as a fundamental re-
quirement is necessary. In particular, steps must be taken
to ensure the correctness of the security related portions
of the operating system. It is not sufficient to use a team
of experts to "test" the security controls of a system.
Such a "tiger team" can only show the existence of vul-
nerabilities but cannot prove their non-existence.
-------------------snip----------------
So you knew this 30 years ago, and didn't change squat, and we are
still dealing with it now. How fuscking hard is it to design a system
with separate processors|memory for command|data channels? Sheesh, way
to invalidate my comment Valdis. (O_o)
--------------------snip----------------
Unfortunately, the managers of successfully penetrated
computer systems are very reluctant to permit release of
the details of the penetrations. Thus, most reports of
penetrations have severe (and often unjustified) distribu-
tion restrictions leaving very few documents in the public
domain. Concealment of such penetrations does nothing
to deter a sophisticated penetrator and can in fact impede
technical interchange and delay the development of a
proper solution.
--------------------snip----------------
Nice way to work on this one as well. I have a better idea, lets lock
ourselves up in an ivory tower and just bitch about it for decades to
each other while simultaneously and obfuscating our proprietary
knowledge while hoarding it. Then we can wait and say "I told you so"
when a worm hits, or critical infrastructures are compromised. That
ought to pass the time...
--------------------snip----------------
A system which contains vulnerabilities
cannot be protected by keeping those vulnerabilities se-
cret. It can only be protected by the constraining of physi-
cal access to the system.
--------------------snip----------------
All of the pdf you sent is very valuable and accurate information, of
which I have no problem with. But it should be the "history of
computer security" class from 19[8|9]6 in college that taught me this,
not the "Unethical Hacking" class from Immunity Inc. taught in 2007.
> Here's their 30-years-later retrospective:
>
> http://www.acsac.org/2002/papers/classic-multics.pdf
Lemme guess, nothing changed?
> Executive summary: We've learned somewhere between diddly and squat from
> 30 years of experience.
Yeah, thanks a lot for that. You know that it would have been a lot
easier, as a close knit group of programmers and developers to edit
things vs.. the refitting of an infrastructure, that if it were to go
down today, would take the economies of all industrialized nations on
the planet.
But thats OK, Hopefully future technologies invented will learn from
the massive mistakes of your generation. Like Paper Accounting
Systems, the Phone, Fax Machines, etc, the internet was rife with
abuse. Future technologies that enable people to reach people or count
dollars will hopefully be engineered to be Secure.
>>From the analysis or days past, maybe this is a limitation of the
profit driven security model (which seems to be purely reactionary)
and I am just a hate filled moron, angry at the past for creating the
present. There is probably some truth to this (as I am hate filled and
moronic) What do i care? The less secure the Technology, the easier my
job is.... Still I can't help feeling that in 1976 (the year I was
born, so I don't have much personal experience to go on) you could
have said "yeah boss, this computer thingy will have 4k of ram,
hand-woven in India, cost 2 million dollars, and oh yeah, it won't run
without separate command and control channels, that would have driven
up the price to 4 mil for 4 k ram and two processors, and the
higher-ups would'nt have the knowledge to know this wasn't a necessary
expenditure for "blocking solar flares from corrupting your data".
> Incidentally, Karger&Schell is the "unnamed Air Force document" that Ken
> Thompson references as the source for his Turing Award lecture:
>
> Thompson, K., "Reflections on Trusting Trust", Communications of the ACM,
> Vol. 27, No. 8, August 1984, http://www.acm.org/classics/sep95/
>
> Ridicule these guys at your own peril. You can count me out, my personal timer
> is currently sitting at 29 years 10 months.. ;)
Yeah, don't come to me for a Job.... but if you guys are hiring.. ;-)
> Incidentally, 30 years ago, the 5.25" disk was still well in the future - even
> the 8" floppy was relatively new.
>
Someone pointed out to me that in an offline email. Also my comment
was rude and nieve. Its easy to sit back and say "those people who
came before me didn't knwo much about X" is kind of a cop out. Usually
History and learning progress to the point that those who first
discovered the knowledge are loong gone before the revisions are made.
Now History happens so fast that we still have to deal with you
fusckers while we are learning from your mistakes and dealing with
their consequences.... I blame computers and those that invented them
for this ;-)
-JP<whew, if feels good to let that out, Doc>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists