<<< Date Index >>>     <<< Thread Index >>>

Re: [ISN] How To Save The Internet



InfoSec News wrote:
Forwarded from: security curmudgeon <jericho@xxxxxxxxxxxxx>
Cc: sberinato@xxxxxxx
... Big load of crap ...
: http://www.cio.com/archive/031505/security.html
: BY SCOTT BERINATO
: serial numbers and control their distribution. James Whittaker says : programmable PCs are dangerous, so why not treat them like guns?

jericho@xxxxxxxxxxxxx wrote:
In 2001, 2002, 2003 and 2004, how many deaths were attributed to computers?

Programmable PCs *are* dangerous, but only to themselves and other programmable PCs that aren't operated by skilled people who know how to defend against the execution of unwanted machine code.

The problem with programmable PCs is that they execute machine code without considering whether any of the instructions are desired by the owner of the CPU. A no execute (NX) stack and heap [1] is a step in the right direction, but everyone in the computer industry who has given this any thought already knows that the core problem with computer security is that our CPUs make no effort to restrict the execution of machine code to that very small subset of all possible machine code which constitutes the code that the owner of the CPU desires it to run.

Until this security defect is solved, we will still have problems caused by rampant technical bugs in our programmable PCs. Insecure software would not be a threat except in rare circumstances if there were only a way for our CPUs to be configured to execute *only* the insecure software that we desire, and block anything else that is added to our boxes by buffers, bullies, or buffoons.

If anyone really cared about solving this core security problem with computing today, it would be solved in just a few months. We would then be left with all of the wonderful array of security problems that are caused by human behavior (theft, misuse, physical intrusion, eavesdropping, scam artists, etc) and these are problems we can all live with in relative harmony [7].

The marketplace is not demanding this solution, and it appears from the noise of the media and marketing and PR machines of our revered industry leaders that nobody is even trying to build awareness of the problem much less devise and deliver solutions.

Programmable CPUs are not suitable for use in data communications devices without hardware defenses that restrict the machine code instruction sequences that the CPU will accept. Programmable CPUs are barely suitable for anything without this simple security addition.

We're all so busy pushing bits around urgently we've forgotten to care.

CIO should be ashamed to be perpetuating the pointless and fraudulent business ideas of an industry addicted to extracting profit from victims by causing them unnecessary problems and then selling inadequate fixes.

Sincerely,

Jason Coombs
jasonc@xxxxxxxxxxx


[1] MSDN Security Developer Center: Execution Protection
http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx

[7] Why Was Intel a No-Show on No Execute?
http://www.eweek.com/article2/0,1759,1599193,00.asp