Full Disclosure mailing list archives
Re: [ISN] How To Save The Internet
From: Keith Oxenrider <koxenrider () sol-biotech com>
Date: Mon, 21 Mar 2005 21:21:21 -0600
I didn't take the time to read every single response to the article (though did take the time to pen my own), but I read at least half of them and didn't see a one that seemed to support the article. Several even seemed to think they were reading a Dilbert comic. The ironic part (and the point I tried to make in my post) is that the actual readership of CIO are, for the most part, clewless pointy hairs and probably didn't even finish reading the article (if they even started it) and certainly would never take the time to read the responses to it, let alone discuss them with their technical people. These are the decision makers who pay us to make the things that are complained about in the article. As long as they refuse to pay us to write secure products nothing will change.
Keith Oxenrider CISSP At 10:24 AM 3/22/2005 +1200, Jason Coombs wrote:
InfoSec News wrote:Forwarded from: security curmudgeon <jericho () attrition org> Cc: sberinato () cio com ... Big load of crap ... : http://www.cio.com/archive/031505/security.html : BY SCOTT BERINATO: serial numbers and control their distribution. James Whittaker says : programmable PCs are dangerous, so why not treat them like guns?jericho () attrition org wrote:In 2001, 2002, 2003 and 2004, how many deaths were attributed to computers?Programmable PCs *are* dangerous, but only to themselves and other programmable PCs that aren't operated by skilled people who know how to defend against the execution of unwanted machine code.The problem with programmable PCs is that they execute machine code without considering whether any of the instructions are desired by the owner of the CPU. A no execute (NX) stack and heap [1] is a step in the right direction, but everyone in the computer industry who has given this any thought already knows that the core problem with computer security is that our CPUs make no effort to restrict the execution of machine code to that very small subset of all possible machine code which constitutes the code that the owner of the CPU desires it to run.Until this security defect is solved, we will still have problems caused by rampant technical bugs in our programmable PCs. Insecure software would not be a threat except in rare circumstances if there were only a way for our CPUs to be configured to execute *only* the insecure software that we desire, and block anything else that is added to our boxes by buffers, bullies, or buffoons.If anyone really cared about solving this core security problem with computing today, it would be solved in just a few months. We would then be left with all of the wonderful array of security problems that are caused by human behavior (theft, misuse, physical intrusion, eavesdropping, scam artists, etc) and these are problems we can all live with in relative harmony [7].The marketplace is not demanding this solution, and it appears from the noise of the media and marketing and PR machines of our revered industry leaders that nobody is even trying to build awareness of the problem much less devise and deliver solutions.Programmable CPUs are not suitable for use in data communications devices without hardware defenses that restrict the machine code instruction sequences that the CPU will accept. Programmable CPUs are barely suitable for anything without this simple security addition.We're all so busy pushing bits around urgently we've forgotten to care.CIO should be ashamed to be perpetuating the pointless and fraudulent business ideas of an industry addicted to extracting profit from victims by causing them unnecessary problems and then selling inadequate fixes.Sincerely, Jason Coombs jasonc () science org [1] MSDN Security Developer Center: Execution Protection http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx [7] Why Was Intel a No-Show on No Execute? http://www.eweek.com/article2/0,1759,1599193,00.asp
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: [ISN] How To Save The Internet Jason Coombs (Mar 21)
- Re: [ISN] How To Save The Internet Keith Oxenrider (Mar 22)
- CISSP Test Vladamir (Mar 22)
- Re: CISSP Test robert (Mar 22)
- Re: Re: CISSP Test Andre Ludwig (Mar 22)
- CISSP Test Vladamir (Mar 22)
- Re: [ISN] How To Save The Internet Keith Oxenrider (Mar 22)
- RE: [ISN] How To Save The Internet David Gillett (Mar 22)
- Re: [ISN] How To Save The Internet Ben Vaisvil (Mar 23)
- Re: [ISN] How To Save The Internet Devdas Bhagat (Mar 23)
- <Possible follow-ups>
- Re: [ISN] How To Save The Internet Scott Berinato (Mar 22)
- Re: [ISN] How To Save The Internet Scott Berinato (Mar 22)
- Re: [ISN] How To Save The Internet Scott Berinato (Mar 22)
- RE: [ISN] How To Save The Internet Marchand, Tom (Mar 22)