Re: CRIME REMINDER: Free Seminar on Computer Security tomorrow!

From: Seth Arnold (sarnold@private)
Date: Thu Sep 05 2002 - 23:52:10 PDT

  • Next message: Andrew Plato: "RE: CRIME REMINDER: Free Seminar on Computer Security tomorrow!"

    On Thu, Sep 05, 2002 at 08:06:20PM -0700, Andrew Plato wrote:
    > I think you and I have different definitions of the word "insecure." To me
    > insecure means something that is easily exploited and there is a 
    > significant probability that somebody will exploit such a hole. 
    
    Crispin _is_ a professor, with a reasonably strong math background; it
    takes a proof to prove a theorem, but only a single counterexample to
    demonstrate it is incorrect. A single flaw in a piece of software
    demonstrates that any claim of the software's security is incorrect.
    
    Whether the flaw is something you as an administrator need to be
    concerned about is another matter entirely; from what I've read of your
    "mitigate the risks" and from what I know of Crispin, I think you two
    may have rather close ideas of what this means, with the notable
    exceptions of biometrics and IDS. :)
    
> It's maybe not the MOST secure solution (a Wirex box would be best, of course :-) ),
    
    Indeed! Our capture the flag box at defcon withstood _many_ IIS exploits
    during the course of the game! :) [1]
    
    > > 1. Not *every* product has holes if you pound hard enough.
    > Sure it does. Again, I think you and I have a different definition of "holes."
    
    Protecting against stolen credentials is pretty difficult. Two-factor
    login isn't perfect -- thumbs can be forged, tokens can be stolen, guns
can be pointed at heads to force legitimate log-on sequences, etc. If
    there were some way to prevent stolen credentials from being used, I
    think our governments may have chosen to use them for our current
    identification systems. [2]
    
    However, if one grants that some combination of cameras and guards and
    biometrics and login tokens and passwords can combine to demonstrate
    that user U really is user U, then there _are_ systems without security
    flaws to be found, no matter what level of pounding you can afford. I
    believe the CTOS/STOP operating system (a unix-alike) has had extensive
    enough design and audit of code used that it is, for all practical
    purposes, proven to be secure.
    
    It also has limitations -- there is an upper limit of roughly 250
    processes, and it performs your basic run of the mill multilevel
    security scheme, so it really only closely matches military needs.
    
    My 'favorite' operating system, EROS, has a provably correct access
    control design. Its kernel is small enough to allow it to be audited
    sufficiently to convince anyone that its kernel is a correct
    implementation of that access control design. From then on, applications
    will have exactly as much access as they are granted by the system
administrator when they are started. If only EROS had some
applications...
    
    
    [1] IIS exploits don't work so well against a linux machine running
    apache. But the attackers had only our marketing literature to go on, as
    well as our (possibly faked) banners, so they tried everything.
    
    [2] To renew my driver's license, the state of Oregon wants me to bring
    in a utility bill with my name and address printed on it. I'll admit
    they have a difficult problem, but I sense a circular definition of my
identification: How did Verizon know I was who I claimed to be? My older
driver's license. How does Oregon know who I am? My Verizon bill. Oy vey!
    
    -- 
    http://www.wirex.com/
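The property the post attributes to the EROS design above, that an application has exactly the access it was handed when started and no way to obtain more, is an object-capability model. The following is an added illustration written for this page, not EROS code and not anything from the original thread; the names (Store, ReadCap, ReadWriteCap, grant, make_revocable, launch, demo) are invented here. It assumes the language keeps a capability holder from reaching inside the capability to the underlying store; CPython does not actually enforce that (a program can dig through `__dict__`), whereas EROS enforces it in the kernel, so treat the Python as a model of the rule rather than an enforcement of it.

```python
"""Object-capability model of 'exactly as much access as granted at start'.

Added example, not EROS code.  Three things the model shows:
  1. no ambient authority: an app can only touch objects it was given a
     capability for; there is no global namespace to look up 'secret' in;
  2. attenuation: a read-write capability can be narrowed to read-only, and
     there is no operation that goes the other way;
  3. revocation: the grantor keeps a kill switch for a capability it handed out.
Assumption: capabilities are unforgeable.  CPython does not enforce that;
EROS does, in the kernel.
"""
from typing import Callable, Dict, Optional, Tuple


class Store:
    """The raw resource.  Only the 'system' holds a reference to it; no
    application ever receives one."""

    def __init__(self) -> None:
        self._objects: Dict[str, bytes] = {}

    def read(self, name: str) -> bytes:
        return self._objects[name]

    def write(self, name: str, data: bytes) -> None:
        self._objects[name] = data


class ReadCap:
    """Capability for one object: knows how to read it and nothing else.
    It holds a closure, not the Store, so the holder has no path to other
    objects."""

    def __init__(self, reader: Callable[[], bytes]) -> None:
        self._reader = reader

    def read(self) -> bytes:
        return self._reader()


class ReadWriteCap(ReadCap):
    """Read-write capability for one object.  attenuate() derives a ReadCap;
    there is deliberately no method that turns a ReadCap back into this."""

    def __init__(self, reader: Callable[[], bytes],
                 writer: Callable[[bytes], None]) -> None:
        super().__init__(reader)
        self._writer = writer

    def write(self, data: bytes) -> None:
        self._writer(data)

    def attenuate(self) -> ReadCap:
        return ReadCap(self._reader)


def grant(store: Store, name: str, writable: bool) -> ReadCap:
    """Mint a capability.  Only code holding `store` (the system) can do this."""
    reader = lambda: store.read(name)
    if writable:
        return ReadWriteCap(reader, lambda data: store.write(name, data))
    return ReadCap(reader)


def make_revocable(target: ReadCap) -> Tuple[ReadCap, Callable[[], None]]:
    """Wrap a capability in a forwarder.  Hand out the forwarder, keep the
    revoke() function; after revoke() every use of the forwarder fails."""
    state: Dict[str, Optional[ReadCap]] = {"target": target}

    def reader() -> bytes:
        if state["target"] is None:
            raise PermissionError("capability revoked")
        return state["target"].read()

    def revoke() -> None:
        state["target"] = None

    return ReadCap(reader), revoke


def launch(app: Callable[[Dict[str, ReadCap]], dict],
           caps: Dict[str, ReadCap]) -> dict:
    """Start an application with exactly `caps`.  The app receives no Store
    reference and no way to name objects it was not given."""
    return app(dict(caps))


def demo() -> dict:
    """Constructed scenario: a store with a 'secret' and a 'config' object; an
    app is started with a revocable, read-only view of 'config' only."""
    store = Store()
    store.write("secret", b"top secret")
    store.write("config", b"debug=0")

    def app(caps: Dict[str, ReadCap]) -> dict:
        out = {"config": caps["config"].read()}      # permitted: read config
        try:                                         # attempt to write through
            caps["config"].write(b"debug=1")         # a read-only cap: no such
            out["write_ok"] = True                   # method exists
        except AttributeError:
            out["write_ok"] = False
        out["sees_secret"] = "secret" in caps        # no name for 'secret' at all
        return out

    rw = grant(store, "config", writable=True)       # system holds full authority
    ro_proxy, revoke = make_revocable(rw.attenuate())  # narrow, then make revocable
    result = launch(app, {"config": ro_proxy})
    revoke()                                         # later: take it back
    try:
        ro_proxy.read()
        result["after_revoke"] = "readable"
    except PermissionError:
        result["after_revoke"] = "revoked"
    result["config_after"] = store.read("config")    # unchanged by the app
    return result


if __name__ == "__main__":
    print(demo())
```

The point to carry away from the model is structural rather than any one check: authority travels only as references handed from grantor to grantee, so auditing what an application can touch means reading its launch line, not chasing every access-control lookup it might perform at run time. That is what makes a small kernel implementing this design auditable in the way the post describes.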
    
    This archive was generated by hypermail 2b30 : Fri Sep 06 2002 - 00:36:05 PDT