Dailydave mailing list archives

Re: So, the security industry has given up on the principles of least privilege and separation?


From: dan () geer org
Date: Mon, 16 Feb 2009 09:45:14 -0500


Secunia is talking about reality, not hopes and dreams. In reality,
the industry came up with three specific options:
...snip...


Disclaimer: I worked full time at Verdasys for five
years and I am talking about their products, in which
I do have an interest.


The issue of data loss, or for that matter proving to this
or that authority that data loss did not happen, is a pure
"reality, not hopes and dreams" laboratory.  In the case
of Verdasys' "Digital Guardian" product, once installed
it makes admin privileges orthogonal to data protection.
The product appeals to big firms who tend to deploy it on
an enterprise basis, and there are now seven digits of seats
so installed with many more in progress.  Hosts which do
not run DG are the ones who will be dealing with the bear,
if you recall that joke.  The précis is:

============
  Digital Guardian is a recording reference monitor:
  an agent on every surveilled host communicating
  periodically with a no-wait-state collection depot
  arbitrarily located.  The agent is small, tight,
  invisible, tamper-resistant, and low-load.  Any
  touch whatsoever of local data is captured at the
  innermost operating system levels.  Agents do
  20,000-to-1 continuous log reduction, compress and
  encrypt bundles of these results, and push them to
  the collection system with end-to-end assurance,
  adapting to intermittent connectivity without
  intervention.
  
  Consequent to its complete real-time capture,
  questions requiring full enumeration of past actions
  (prove no one outside the CFO's staff read this
  document) and goals requiring zero-prep reaction
  (application whitelists and zero-day defense) become
  trivially feasible.  Less dramatically, forensics
  becomes possible at near-zero reconstruction cost,
  communities of trust become enforceable irrespective
  of conventional perimeters, data redaction at any
  level of granularity becomes auditably trivial and
  trivially auditable, silent alarms can signal
  enforcement authorities for anticipated events or
  for unanticipated exceptions, and honest people can
  be coached to remain honest without the risk of
  inadvertently preventing anyone from getting their
  job done.
  
  An enemy able to strike location independently and
  without self revelation commands the defender to
  focus on pre-emptive strategies, pre-emption
  requires intelligence, and intelligence requires
  surveillance.  For the electronic sphere, that
  surveillance has as its primary unit of observation
  either a data object or a person; only the former is
  at once versatile, no-load, inescapable, and an
  enabler of economic benefits that justify its
  existence at times of lessened danger and for
  prosaic purposes.  Day-to-day use is a pre-requisite
  for that tool familiarity essential to its confident
  use in times of heightened need, as it is with any
  platform.
============

The second Verdasys product is SiteTrust, and it, too,
is in seven figure rollout.  It is a run-time installable
protection that *depends* on the user/client having admin
privilege, which is to say that if a user has admin
privilege then you must assume they are 0wned already.
If they are 0wned already and you need to transact with
them, such as to permit their stock trading from their
desktop via your datacenter, then you must 0wn their
desktop for the duration of the transaction.  If you
make such temporary remote control a condition for the
client to receive trade guarantees, then they will so
agree, as has been shown.

The point, if you like irony, is that the opposition 
has proven that the operating system is so complex as
to be porous and they have demonstrated abundant
mechanism to accomplish remote 0wnership.  This being
an asymmetric war, we have no choice but to adapt their
mechanisms to our ends, viz., we cannot hope to provide
protections to electronic commerce clients unless we
0wn them, if only for the duration of the transaction
and only after asking nicely.

I leave it to the list to debate whether such therapies
violate "Primum non nocere."

--dan


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave