RE: CRIME REMINDER: Free Seminar on Computer Security tomorrow!

From: RADFORD John J * DAS SCD (John.J.Radford@private)
Date: Fri Sep 06 2002 - 13:44:14 PDT

  • Next message: Crispin Cowan: "Re: CRIME REMINDER: Free Seminar on Computer Security tomorrow!"

    http://csrc.nist.gov/grants/ <http://csrc.nist.gov/grants/> 
    
    -----Original Message-----
    From: Steve Nichols [mailto:steven@private]
    Sent: Friday, September 06, 2002 11:49 AM
    To: 'Andrew Plato'; crime@private
    Subject: RE: CRIME REMINDER: Free Seminar on Computer Security tomorrow!
    
    
    Maybe we should all work on a new authentication scheme.
     
    1. Have a built in lie detector
        a. Are you so and so
            if yes proceed to b
            if no send 50,000V through chest.
        b. Are you being forced to login (is someone there with you trying to
    access your data)
            if yes explode PC and release chemical agent
            if no proceed to 2
    2. Insert finger in a blood drawing chamber.
        a. Match DNA    
            Check to see if dna is altered
        b. Check finger to see if heart beat is present ( just incase someone
    has cut off the finger)
        c. Check finger print at the same time
        
    3.  Facial recognition via IR. 
        a. Check underlying bone structure
     
    4. windoze logon.....
     
    And when it's all done and you are finally logged in, you can print that one
    line file with the directions to the company picnic. Hey, it only took 2 1/2
    hr to log on. Won't be much worse then waiting for your roaming profile to
    load.
     
    You think we could get a grant for this?
    
    Steven Nichols
    Network and Systems Administrator
    Internet and NOC Manager
    
    
                       VALLEY INTERNET COMPANY
                    1709 NE 27th Street, Suite C
                      McMinnville, Oregon 97128
               503-565-5030 or 800-909-9078 (toll-free)
         "Pay no attention to the folks behind the curtain..."
       PGP: www.viclink.com/~steven/steven.nichols.pgp.txt 
    
    -----Original Message-----
    From: owner-crime@private [mailto:owner-crime@private] On Behalf Of
    Andrew Plato
    Sent: Friday, September 06, 2002 09:30
    To: Andrew Plato; Seth Arnold; crime@private
    Subject: RE: CRIME REMINDER: Free Seminar on Computer Security tomorrow!
    
    
    Arrrg - hit SEND before I could finish. DUH. I am a little sleepy today. 
     
    > Crispin _is_ a professor, with a reasonably strong math background; it
    > takes a proof to prove a theorem, but only a single counterexample to
    > demonstrate it is incorrect. A single flaw in a piece of software
    > demonstrates that any claim of the software's security is incorrect.
    
    And as such, Crispin's assertion is fine - for a math class. But running 
    an IT department is not the same as a math exercise. There are a lot 
    of aspects of building and maintaining a business and its technology
    that do not conform to precise mathematical logic. 
    
    > Whether the flaw is something you as an administrator need to be
    > concerned about is another matter entirely; from what I've read of your
    > "mitigate the risks" and from what I know of Crispin, I think you two
    > may have rather close ideas of what this means, with the notable
    > exceptions of biometrics and IDS. :)
    
    I think so too. I think Crispin and I represent two extremes of the security
    spectrum. Crispin is the theoretical/academic side of security while I am
    
    the practical/street-smarts side of security. My experience and training
    is solidy routed in "field work" where Crispin's seems routed in
    "theoretical
    work."  
    
    > Its maybe not the MOST secure solution (a Wirex box would be best, of
    course :-) ),
    
    > Indeed! Our capture the flag box at defcon withstood _many_ IIS exploits
    > during the course of the game! :) [1]
    
    Well, that's good. I should think many of the IIS exploits would be
    meaningless
    to your boxes, since they are Linux-based. 
    
    The problem now is that Linux is growing in popularity and as such, its
    getting
    more attention from the hacker world. 
    
    > Protecting against stolen credentials is pretty difficult. Two-factor
    > login isn't perfect -- thumbs can be forged, tokens can be stolen, guns
    > can be pointed at heads to force legitimate log-on sequences, etc.. If
    > there were some way to prevent stolen credentials from being used, I
    > think our governments may have chosen to use them for our current
    > identification systems. [2]
    
    As with any security challenge, a combination of efforts (layers) can help
    mitigate many of the risks. Excellent physical security can remove many
    of the "coercion" attacks. Security training and education can help
    mititgate
    many social engineering attacks. 
    
    Each aspect of the entire security plan supports and helps another area. 
    But were any one area to fail, it may open a serious hole, but would not 
    necessarily lead to exploitation. Provided there were good monitoring and
    management mechanisms, such a failure could be quickly detected and 
    handled by trained staff (or consultants). 
    
    > However, if one grants that some combination of cameras and guards and
    > biometrics and login tokens and passwords can combine to demonstrate
    > that user U really is user U, then there _are_ systems without security
    > flaws to be found, no matter what level of pounding you can afford. I
    > believe the CTOS/STOP operating system (a unix-alike) has had extensive
    > enough design and audit of code used that it is, for all practical
    > purposes, proven to be secure.
    
    I firmly believe there are secure systems that - when placed in a secure
    state, 
    managed in a secure manner, and monitored in a proactive fashion, are for
    all
    practical purposes - impenetrable. But, the cost of such an arrangement can
    
    It also has limitations -- there is an upper limit of roughly 250
    processes, and it performs your basic run of the mill multilevel
    security scheme, so it really only closely matches military needs.
    
    My 'favorite' operating system, EROS, has a provably correct access
    control design. Its kernel is small enough to allow it to be audited
    sufficiently to convince anyone that its kernel is a correct
    implementation of that access control design. From then on, applications
    will have exactly as much access as they are granted by the system
    administrator when they are started. If only EROS had some
    applications..
    
    
    [1] IIS exploits don't work so well against a linux machine running
    apache. But the attackers had only our marketing literature to go on, as
    well as our (possibly faked) banners, so they tried everything.
    
    [2] To renew my driver's license, the state of Oregon wants me to bring
    in a utility bill with my name and address printed on it. I'll admit
    they have a difficult problem, but I sense a circular definition of my
    identification: How did verizon know I was who I claimed to be? My older
    driver's license. How does Oregon know why I am? My Verizon bill. Oy vey!
    



    This archive was generated by hypermail 2b30 : Fri Sep 06 2002 - 14:38:33 PDT