RE: How hackers cause damage... was Vulnerabilites in new laws on computer hacking

["Craig Wright" <cwright () bdosyd com au>]

Hi Jason
First I do agree that vulnerable software is an issue, I also would love
to see a world where I was not needed for the skills I peddle. I would
like a world where compliance was not necessary, where fraud did not
occur...

The "state of doubt" I was referring to is the condition of
determination associated with knowledge that a system has been attacked.
The determination that the attacker was benign or malevolent leaves one
in doubt as to the true intentions and thus one has to err towards the
side of the assumption  that the attack was malign.

Please do not let me asperse your passion for fixing the flaws inherent
in the world. I wish you all the best on this, but I have become a
little more jaded over time. I also teach CAATs based methods to
determine corporate financial fraud and accounts fraud as well as the
more information security focused risk that this list propagates.

People are generally in a state of denial this is true, but why should
that be the issue. I preach awareness all the time, yet I would prefer a
world where this is not needed. Who do we blame - the victim who did not
take adequate care or the criminal?

If I walk down a dark alley at night is it my fault if I get mugged?
Should it be? It may be ignorant but who are we protecting and what type
of society do we want to create?

Regards,
Craig

-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org]
Sent: 24 February 2006 8:08
To: Craig Wright
Cc: security-basics () securityfocus com; fla.linux () gmail com;
Full-Disclosure; bugtraq () securityfocus com
Subject: Re: How hackers cause damage... was Vulnerabilites in new laws
on computer hacking

Craig Wright wrote:
> Cyber-trespass leaves one in a state of doubt. It is commonly stated
> that the only manner of recovery from a system compromise is to  >
rebuild the host.

Don't you mean that the trespass disrupts the condition of denial and
neglect that normally exists surrounding any network of programmable
computers?

The 'state of doubt' is no different post-trespass than it was
beforehand, what has changed is the emotional condition of the property
owner. After recovery steps to rebuild the host, there is again a 'state
of doubt' and it is just as substantial as it was before the trespass
incident caused everyone emotional trauma.

We must build computer systems that separate the act of installing and
executing software from the act of depositing data on read/write media.

Executable code must not be stored on read/write media. At least not the
same media to which data is written, and access to write data to
software storage must not be possible through the execution of software;
at least not software executing on the same CPU as already-installed
software.

Our CPUs need a mechanism to verify that the machine code instructions
being executed have been previously authorized for execution by the CPU,
i.e. the machine code is part of software that has been purposefully
installed to a protected software storage separate (logically, at least,
and both physically and logically separated at best) through actions
that could not have been simulated or duplicated by the execution of
machine code at runtime on the system's primary CPU.

The worst-case scenario of 'repair' and 'recovery' from any intrusion
event should be verification of the integrity of protected storage,
restore from backup of data storage, analysis of data processing and
network traffic logs to ascertain the mode of intrusion (if possible)
and reboot of the affected box with a staged reintroduction of the
services that box previously provided (if you just re-launch all of the
services being exposed by the box then it is just as vulnerable as
before to whatever attack resulted in the intrusion, so you start from
the most-locked-down condition and add services one at a time,
monitoring for a period of time at each step).

Depending on the length of time one is willing to monitor the box as it
is staged into deployment again after recovery, and depending on the
tools put into place to enable verification of the authenticity and
'correctness' of the machine code found to be present on the protected
storage where software is installed, 'recovery' from any incident can be
almost immediate, requiring little more than a reboot (the steps for
which could also be optimized in a well-built secure computer system,
since the objective really is nothing more than wiping all RAM and
re-reading machine code from the protected storage after integrity
verification is complete) ...

All of the 'damage' and 'vulnerabilities' you're talking about stem
directly from very bad business decisions made by owners of computer
systems and from authors of software made to run on those computer
systems. Hackers can be made irrelevant, and virtually all significant
damage from 'intrusion' can be prevented in advance, by putting a stop
to the world's addiction to the installation and execution of arbitrary
code. The problem is that the computer industry has been built around
providing financial rewards to the businesses that can get as many
copies of their code executing as possible, and security barriers that
curtail access to this cash generating machine would kill 75% of the
existing computer industry.

I say let 'em die. Give us secure computing, and may every company that
intentionally harms people for profit die a horrible and painful death
that takes as many of its investors with it as possible in the process!

Sincerely,

Jason Coombs
jasonc () science org

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/