nanog mailing list archives

Re: Packet anonymity is the problem?


From: "Steven M. Bellovin" <smb () research att com>
Date: Sun, 11 Apr 2004 19:09:14 -0400


In message <C7AA377F-8B92-11D8-8702-000A95CD987A () muada com>, Iljitsch van Beijnum writes:


  Bellovin compared the situation to bank robberies. "[S]treets, highways
  and getaway cars don't cause bank robberies, nor will redesigning them
  solve the problem. The flaws are in the banks," he said. Similarly, most
  security problems are due to buggy code, and changing the network will
  not affect that.

Ok, then explain to me how removing bugs from the code I run prevents 
me from being the victim of denial of service attacks.

That's where my analogy breaks down -- but you're being victimized 
largely because of bugs in code other people run.  I stand by my 
statement: most of the security problems we have on the 
Internet are due to buggy code.  (If you want to stretch the analogy, 
imagine a bogus newspaper report that stimulates uncritical readers to 
withdraw their money.  It's called a run on the bank, and it's every 
bit as much a denial of service issue as excess packet floods -- bank 
runs are transaction rates much greater than what the (financial) 
system was designed to handle.  And when they're triggered by false 
rumors -- well, you get the picture, and my metaphors are stretched too 
thin as is.)


                --Steve Bellovin, http://www.research.att.com/~smb


