Living In an Unsecured World

Soulskill posted more than 3 years ago | from the trying-to-bail-the-ocean dept.

Security 112

GhostX9 writes "Charlie Miller, Accuvant Principal Research Consultant and keynote speaker at NATO's recent International Conference on Cyber Conflict, speaks with Alan Dang of Tom's Hardware about living in an unsecured world. He goes over his recent MacBook battery exploit and the challenges of computing security in the upcoming future. Quoting: '[W]hat we can do (and this is the approach the industry is sort of taking) is make it so hard and expensive to pull off attacks that it becomes economically infeasible for most attackers. ... The way we make it more difficult is to reduce the number of vulnerabilities and ensure users' software is up to date and "secure by default." Also, make the OS resilient to attack with things like stack canaries, ASLR, DEP, and sandbox applications so that multiple exploits are needed. We also need to better control the software loaded on our devices (i.e. Apple's App Store model). So, instead of having to write a single exploit, it takes three or four in order to perform an attack. This means most attackers won't be able to pull it off, and those who can will have to spend much more time working it out.'"

Defense in Depth (0)

Anonymous Coward | more than 3 years ago | (#36967730)

I'll see your defense in depth and raise you by one automation.

Fundamental design flaw (-1)

Anonymous Coward | more than 3 years ago | (#36967748)

Computers weren't designed for security. They still aren't. We shouldn't feel bad though, 'god' didn't do much better.

Re:Fundamental design flaw (1)

cheaphomemadeacid (881971) | more than 3 years ago | (#36967770)

pff most exploits these days are the same type of exploits used 10-15 years ago, it's all just stack overflows and sql injections, no law/budget/military intervention/bombing can fix incompetence, so yeah, we're in deep shit =)

Re:Fundamental design flaw (3, Informative)

oztiks (921504) | more than 3 years ago | (#36967910)

switch to openbsd :)

Re:Fundamental design flaw (2)

ozmanjusri (601766) | more than 3 years ago | (#36968240)

Windows Computers weren't designed for security. They still aren't.

FTFY

Re:Fundamental design flaw (0)

rtfa-troll (1340807) | more than 3 years ago | (#36968668)

To give Microsoft their due, I think Windows (that is to say Windows NT on which current Windows is based) was quite specifically designed for security. Remember the NT kernel was designed by guys stolen from Digital who had worked on VMS. What seems to have gone wrong is that Microsoft has different priorities from their customers. Uncontrollable automatic installation of things like Active X was done because they wanted their new system to push others out of the market place. Look at the big recent push to get the DotNet runtime installed.

The other thing that went wrong is more interesting and fundamental. Windows design for security actually seems to have achieved the opposite. For example, Windows uses full access lists where Unix traditionally only had file modes. Full access lists should be more "secure" because it should be possible to have exactly the access you need. In practice, however, users don't understand the access lists and end up either giving too much access or locking themselves out of something. This leads to a situation where the standard practice in many companies is to not allow the users to set their own access lists and completely defeats the entire benefit. Process security is similar and UAC and a bunch of other recent ideas were basically the same problem.

Re:Fundamental design flaw (1)

shadowfaxcrx (1736978) | more than 3 years ago | (#36968810)

There's also the issue that security is annoying. Whether it's changing your password monthly or something non-IT related like checking badges at the lobby, security is a pain in the ass, and a lot of people would rather install the security infrastructure and then bypass it. Hell Feynman used to tell the story of the general at Los Alamos who ordered a zillion dollar uber-safe to store the secrets of the bomb in, and then never bothered to change the factory combination.

One reason UAC and the other recent ideas don't work is because they bug the shit out of the end user. Windows is especially annoying because when it decides it needs admin approval to do something, it pops up a dialog, and *locks the rest of the system from doing anything until you handle the question.* That's asinine. Lock the program in question from doing anything, but don't stop the video I have going in the second monitor. Stupid little irritants like that make me want to turn that crap off, and I know better. Most users wouldn't hesitate to make their system stop pissing them off on a daily basis.

Re:Fundamental design flaw (1)

rtfa-troll (1340807) | more than 3 years ago | (#36969700)

UAC is not a security feature. Improving its interface and security simultaneously would be simple by just automatically answering all questions with "no". Doing that "securely" would mean giving the user / administrator a set of instructions for which privileges need to be given to the application at the beginning which is precisely what is too complicated.

Re:Fundamental design flaw (1)

Geoffrey.landis (926948) | more than 3 years ago | (#36971428)

There's also the issue that security is annoying. Whether it's changing your password monthly or...

I've never understood why "change your password monthly" has become the poster child for security advice most often mandated by IT departments. On the list of things to make security stronger, this wouldn't even be in the top one hundred, and in fact, I suspect frequent password changes make security weaker.

("Never use the same password on two different systems" would have been my number one choice for advice.)

Re:Fundamental design flaw (1)

shadowfaxcrx (1736978) | more than 3 years ago | (#36972428)

I've always thought it was a butt-covering method. "Yeah, we had a data breach but we're taking proper security measures. We make them change their password every month!"

You're right - it makes it less secure. Everyone at my office writes their pw down and stores it somewhere around their desk.

Re:Fundamental design flaw (2)

ifiwereasculptor (1870574) | more than 3 years ago | (#36968366)

Computers weren't designed for security. They still aren't. We shouldn't feel bad though, 'god' didn't do much better.

A lot of Apple fans will disagree with that last part.

Re:Fundamental design flaw (1)

rtfa-troll (1340807) | more than 3 years ago | (#36968800)

Computers weren't designed for security. They still aren't. We shouldn't feel bad though, 'god' didn't do much better.

Modern ones maybe not. Many older ones, back when a big buyer was the military, and some smaller ones still designed for such areas, are. What we have now is an upgraded micro-controller architecture with security bolted on the back. The problem isn't that we don't know how to do security much better. The problem is that nobody who's building the systems cares enough.

Unsecured world? (4, Interesting)

Archangel Michael (180766) | more than 3 years ago | (#36967758)

When, if ever, has the world been secure?

Mankind is flawed, you cannot patch this flaw. You can only mitigate the flaws.

Re:Unsecured world? (1)

im_thatoneguy (819432) | more than 3 years ago | (#36968054)

"It only takes one."

Doesn't matter how much time you spend hardening your system. If there is a single exploit in your system every piece of malware will use it.

I always raise an eyebrow to "The less vulnerabilities we have, the more secure we are." It's not like you need to double root a system. One root kit is enough.

Re:Unsecured world? (1)

hedwards (940851) | more than 3 years ago | (#36968426)

Yes, but the more vulnerabilities there are the quicker it is that an attacker is going to find it and the more kits that can root the system. Sure one vulnerability is enough, but the fewer there are the more they're going to need to want that particular machine to actually finish up.

Re:Unsecured world? (2)

Archangel Michael (180766) | more than 3 years ago | (#36968752)

Targeting Humans (flawed) is the quickest and easiest way to exploit a system. This is Mitnick 101. It is why Nigerian scams and click loaded malware works, even to this day.

Re:Unsecured world? (1)

TheLink (130905) | more than 3 years ago | (#36975500)

Doesn't matter how much time you spend hardening your system. If there is a single exploit in your system every piece of malware will use it.

Not true. Like the joke goes, I don't need to outrun the "bear", I only need to outrun the majority...

Re:Unsecured world? (1)

black soap (2201626) | more than 3 years ago | (#36971122)

When, if ever, has mankind not attempted to secure his surroundings?
  • moving into caves
  • building shelters
  • inventing "doors"
  • inventing "latches"
  • inventing "locks"
  • inventing weapons to defend property
  • inventing language and numbers, to identify and quantify property, and communicate ownership
  • inventing laws so that society can help protect his property

We may have never achieved security, but we have always sought to increase it.

The sky is falling? (1)

jbmartin6 (1232050) | more than 3 years ago | (#36967772)

I wonder if he has windows in his home. That's a terrible vulnerability that we have endured for centuries and somehow civilization survives.

Re:The sky is falling? (1)

DahGhostfacedFiddlah (470393) | more than 3 years ago | (#36967874)

Would you feel so secure with your windows if anyone from anywhere in the world could break them? If they could break yours and thousands of others automatically with the same amount of effort? If it would take a team of experts months of effort to track down a single perpetrator - assuming he screwed up along the way?

Or would you accept that there's an inherent danger when an attacker has physical access to your windows, but try to make remote/anonymous window-breaking as difficult as possible?

My analogy may seem stretched, but I'm just working with what I was given.

Re:The sky is falling? (1)

SpiralSpirit (874918) | more than 3 years ago | (#36968152)

As someone who designs structures, I have to tell you: That's a feature, not a bug.

Re:The sky is falling? (0)

Anonymous Coward | more than 3 years ago | (#36968374)

If they could break yours and thousands of others automatically with the same amount of effort? If it would take a team of experts months of effort to track down a single perpetrator - assuming he screwed up along the way?

Careful, that is a design problem, and can be fixed. Don't take what we have for granted, the Internet could be run very differently.

Re:The sky is falling? (2)

Ironchew (1069966) | more than 3 years ago | (#36968016)

A vulnerability we should have to deal with no longer!

Sincerely,
The Year of Linux on the residential exterior

Re:The sky is falling? (2)

Baloroth (2370816) | more than 3 years ago | (#36968046)

A vulnerability we should have to deal with no longer!

Sincerely, The Year of Linux on the residential exterior

This is /. I'm guessing most people here already don't have windows. Basements rarely do.

Re:The sky is falling? (0)

Anonymous Coward | more than 3 years ago | (#36968088)

If the building is up to code in many cities in the US, their basements do have windows that are (theoretically) large enough to exit from in case of fire.

Re:The sky is falling? (1)

Mr. DOS (1276020) | more than 3 years ago | (#36968110)

Windows 7 on my desktop, laptop, and netbook. Despite the historic opinion of Windows around here, 7 provides a very solid, stable, and importantly, a usable desktop environment.

Re:The sky is falling? (0)

Anonymous Coward | more than 3 years ago | (#36968340)

linux and osx are also 'usable'. windows is better some of the time, but not always.

Re:The sky is falling? (0)

Anonymous Coward | more than 3 years ago | (#36968342)

N.B, Slashdot (TM) a division of Microsoft Marketing.

Re:The sky is falling? (1)

Nursie (632944) | more than 3 years ago | (#36968080)

I make do with live emperor penguins embedded into the walls!

Sure, they're angry, they smell bad and they don't let in any light, but it makes attackers think twice!

In a world without (1)

reiisi (1211052) | more than 3 years ago | (#36970712)

In a world without MSWindows, who needs MSWalls?

Security through obscurity (1)

PvtVoid (1252388) | more than 3 years ago | (#36967776)

Three or four exploits is one exploit. Unless your solution scales exponentially, it's bullshit.

Re:Security through obscurity (1)

lpp (115405) | more than 3 years ago | (#36971344)

I think he's implying something more along the lines of exploit vectors.

For example, if a successful exploit requires that the user simultaneously download and run a malware app while an already installed app is opening an external connection while at the same time an inbound connection attempt is made, your chances of being infected drop quite a bit and the work needed to pull it off as a malware author goes up, possibly to the point where it's no longer worth it in most cases. It also perhaps increases the chances of a security watchdog detecting the behavior and responding to it in real time to squash the threat.

I don't think he's suggesting a scenario where you might only succumb if you have clicked on three separate malware downloads or something along those lines.

(And preempting a few comments, yes, I'm aware that strictly speaking the scenario I put forth isn't really too tough. The outbound connection might be prompted by the very malware you downloaded and clicked on and could automatically trigger the inbound hack attempt. I'm working under the assumption of the original speaker where defenses are up and active to protect against each of those approaches. My analogy isn't perfect, in fact I suspect it's quite flawed actually, but I believe the spirit is accurate. Make the malware authors work hard enough and you eliminate most of the threats because the reward:effort ratio is no longer high enough.)

... like Apple's App Store model (2, Insightful)

E IS mC(Square) (721736) | more than 3 years ago | (#36967838)

No Thanks.

Re:... like Apple's App Store model (1)

rubycodez (864176) | more than 3 years ago | (#36967858)

Indeed, it disconnects sellers from their market, losing feedback and communication. I've had better luck security-wise with the bazaar than any store.

Re:... like Apple's App Store model (1)

grcumb (781340) | more than 3 years ago | (#36968398)

indeed. When I saw this quote:

We also need to better control the software loaded on our devices (i.e. Apple's App Store model)

... all I could think was, 'No, more like the Linux RPM/Deb model that's only been around for... what? a couple of decades? And which offer far better prices, control and access to the market. So much so that, for all its popularity, Apple's Store is -at best- a pale approximation of a viable software management model.'

Re:... like Apple's App Store model (0)

Anonymous Coward | more than 3 years ago | (#36968450)

When I saw that quote, I thought "This opinion was sponsored by Apple Computers".
If the app store is the best model they can think of, then time to hand in the fricken geek badge.

An even more restrictive model (1)

tepples (727027) | more than 3 years ago | (#36970390)

Anonymous Coward wrote:

If the app store is the best model they can think of, then time to hand in the fricken geek badge.

They could have proposed an even more restrictive model, namely that of video game consoles. One can't even get started developing for a console unless affiliated with an established company with "industry experience" (that is, having already published a commercial game on another platform).

Re:... like Apple's App Store model (1)

Anonymous Coward | more than 3 years ago | (#36968574)

When I saw the quote, I was reminded of those politicians who want us to give up our freedom ‘to make us secure’. I think he can stick his app store where the backlight don't shine.

Re:... like Apple's App Store model (1)

Caesar Tjalbo (1010523) | more than 3 years ago | (#36970056)

He seems to be focused on Apple products as user/cracker/hacker. In his world a 'repository' just isn't called a "repository" even if that's what he means most likely.

"far better prices" (1)

tepples (727027) | more than 3 years ago | (#36970400)

'No, more like the Linux RPM/Deb model that's only been around for... what? a couple of decades? And which offer far better prices, control and access to the market.

If by "far better prices" you mean zero as the only available choice, then how are people supposed to cover the cost of developing high-quality video games or tax preparation software [pineight.com] ?

Re:"far better prices" (0)

Anonymous Coward | more than 3 years ago | (#36976056)

Cydia seems to be able to make a Debian APT system work. Independent Devs can and do make money there. The point is we don't need Apple in order to have a secure and profitable market place. In fact it's better if Apple isn't taking such a huge bite out of sales.

Expensive (0)

Anonymous Coward | more than 3 years ago | (#36967848)

"[W]hat we can do is make it so hard and expensive to pull off attacks that it becomes economically infeasible for most attackers"

And doing that is so hard and expensive that it becomes economically infeasible to release a product at a competitive price.

Re:Expensive (1)

postbigbang (761081) | more than 3 years ago | (#36967980)

Not necessarily. It means actually spending money to do QA, uniting developer teams, using fuzzing to explore hacking your own code, and low-hanging-fruit examinations of your code. For a long time, certain OS versions just didn't do any of that.

Operating systems were designed for geeks, not civilians. Civilians have money; so the scammers wrote exploit code for profit. Child's play script kiddy junk. Real coders got involved and went for bigger money. Now it's out of control, and Anonymous and LulzSec make fools out of people that were sitting fat and pretty because they bought the "cure" after a golf game. Now they're twitching.

Windows has vulnerabilities, but a huge war chest. If they'd spent part of that war chest on real design and security, it would be a smaller war chest. The same goes for Apple (let the fanbois begin) as the latest APNC exploit was just fixed for iOS. The problem is: it's not expensive, it's process control and design and testing, grunt work that no one wants to do, because they too, want: profits. When love of the art is involved, and darwinian results are in the mix, you get a Linux or BSD or Solaris, all three of which are vastly more solid than the competition. That's what it takes, the ethics of doing it right.

captain overlooking the obvious (1)

sweatyboatman (457800) | more than 3 years ago | (#36967906)

This means most attackers won't be able to pull it off, and those who can will have to spend much more time working it out

So the theory is that making systems harder to hack will dissuade hackers, thus making all computers secure forever. It's too bad this is such a novel theory and no one's ever tried to harden existing systems against hacking otherwise we might have some empirical evidence to support his plan.

Oh what's that? The entire history of hacking is one of ever more elaborate and clever security precautions being overcome by ever more elaborate and clever hackers? One side cannot ever declare victory and rest on its laurels? It's an arms race, you say?

How very exciting!

Re:captain overlooking the obvious (1)

djh2400 (1362925) | more than 3 years ago | (#36968108)

The summary seemed to imply "security through obscurity" to me.

Re:captain overlooking the obvious (1)

0123456 (636235) | more than 3 years ago | (#36968148)

Oh what's that? The entire history of hacking is one of ever more elaborate and clever security precautions being overcome by ever more elaborate and clever hackers?

You forgot the part where they just wrap their malware in a 'Free B00b1es' screensaver and people download and install it for them.

Re:captain overlooking the obvious (1)

tepples (727027) | more than 3 years ago | (#36970438)

You forgot the part where they just wrap their malware in a 'Free B00b1es' screensaver and people download and install it for them.

I think that's what the reference to Apple's App Store was intended to fight. One has to social engineer not only the user being attacked but also Apple.

Re:captain overlooking the obvious (1)

hedwards (940851) | more than 3 years ago | (#36968442)

It does work, the problem is that you have to really secure the applications not kinda sorta secure them. And in practice folks rarely manage to secure them enough to remove the profit motive from breaking in.

Re:captain overlooking the obvious (1)

rtb61 (674572) | more than 3 years ago | (#36969190)

Of course there are two types of black hat hackers. One group, the private enterprise, distribute their attacks so that they can hide their criminal activities behind the activities of script kiddies. The other type, the government professionally paranoid black hat hackers, tend to keep their attacks secret until they use them; of course, corruption in those organisations means attack methods can leak out.

I wonder how many out in the wild attacks had their origins in the offices of the professionally paranoid and whether this has been investigated yet.

Apple's App Store model? (0)

Anonymous Coward | more than 3 years ago | (#36967914)

Too bad it's not their model, the Linux and BSD communities have been vetting software through trusted distribution channels for over a decade now.

Re:Apple's App Store model? (1)

hedwards (940851) | more than 3 years ago | (#36968454)

As much as I like BSD and use Linux, it's not inherently any more secure in that respect. Somebody does still need to go through the code and audit it. And not just one somebody, really a whole team of somebodies doing it regularly.

In practice though, I've never worried about software that I install in that respect because I have means of securing the system beyond just trusting my sources.

Re:Apple's App Store model? (1)

Caesar Tjalbo (1010523) | more than 3 years ago | (#36970112)

it's not inherently any more secure in that respect

It isn't and it even introduces a single point of maximum vulnerability (1. crack the repo, 2. ???, 3. profit!). However, compared to having to hunt for programs on-line it is inherently more secure. You might take your programs from download.cnet but all they do is run a virus scanner. A recent article [slashdot.org] about 'open source' software being bundled with malware makes me glad I can do apt-get install with less worry.

audits? Did I hear someone say openbsd? (1)

reiisi (1211052) | more than 3 years ago | (#36970758)

Almost all major distros have audit processes of some sort. That's the only reason we have not already seen rogue engineers introducing trojans directly into the kernel and/or tools.

They could be better, but we need more guys like Theo DeRaadt to lead the audit teams, which presents a sort of dilemma.

One word: Chromebook! (4, Funny)

kurt555gs (309278) | more than 3 years ago | (#36967956)

I love mine and know it is secure by the simple reason that no one has sold enough to make it a worthwhile target.

Re:One word: Linux! (1)

nzac (1822298) | more than 3 years ago | (#36968200)

Linux does not have the market share either.

The other reason is you hardly ever load software onto it. The other problem with your theory though is chrome (browser) has a massive (relative to Linux) market share, I wonder how long it will be before a persistently open tab could become an "attack vector".

Re:One word: Linux! (1)

kurt555gs (309278) | more than 3 years ago | (#36972348)

Actually, paraphrasing the great line from Soylent Green, "Chrome OS is made of SUSE"!

So, it is Linux. It just has anything not needed removed and all the posts not needed locked up. It's *prolly very secure in its own right.

I had a Samsung Galaxy Tab 7", and replaced it with the Chromebook. It is great as an internet appliance with a real keyboard.

Re:One word: Linux! (1)

Rich0 (548339) | more than 3 years ago | (#36974872)

Actually, believe it or not it is based on Gentoo - at least the package management aspects are. The end-user experience is pretty appliance-ish.

One thing going for Chrome is the fact that it uses secure boot, so that greatly limits attack vectors, and if you do manage to get temporary control the next OS upgrade is going to fix that, unless you manage to somehow block those (and that will be even harder to do without tripping the signature checks). And, it is pretty trivial to re-image in the absolute worst case (push a button and insert a USB drive - re-provisioning takes 2 minutes and your settings/apps get completely restored on first login). There is an app you can download to make the rescue drive, and Google is looking to make it possible to create it from chrome.

On the other hand if you can root a phone chances are you'll be able to root chrome - nothing is perfect. However, compared to the typical general-purpose OS it is fairly secure.

Re:One word: Chromebook! (-1)

Anonymous Coward | more than 3 years ago | (#36968234)

Security through obscurity is hardly security at all.

The same could be said of other low market share potential targets.

Re:One word: Chromebook! (1)

Cwix (1671282) | more than 3 years ago | (#36968704)

So you're saying they are not only useless to users, but useless to virus writers also?

Re:One word: Chromebook! (1)

gl4ss (559668) | more than 3 years ago | (#36970294)

it's a pretty good target for js malware. but the sales and use numbers are so low, you might as well target beos.

Re:One word: Chromebook! (1)

houghi (78078) | more than 3 years ago | (#36968714)

Yeah, the only reason that things are hacked is because there are enough sold. Nothing is ever done because it is possible.

(Relax, it is called sarcasm.)

Very well. (4, Insightful)

Microlith (54737) | more than 3 years ago | (#36968038)

So long as said security doesn't inhibit my ability to use my machine entirely as I wish, and doesn't treat me as an enemy as well.

Like The Old Joke (3, Insightful)

SchMoops (2019810) | more than 3 years ago | (#36968186)

This reminds me of the old joke:

Alice and Bob are camping when they get attacked by a hungry lion. Running away at top speed, Alice begins to overtake Bob. "We'll never be able to outrun it!" says Bob. Alice replies, "I don't need to outrun the lion - I only need to outrun YOU!"

In that sense, all the security any given person needs is just not to be low-hanging fruit.

Re:Like The Old Joke (1)

evanbd (210358) | more than 3 years ago | (#36968388)

You also need to not be a particularly tempting fruit. See spear phishing, advanced persistent threats, Stuxnet, etc.

Re:Like The Old Joke (1)

Culture20 (968837) | more than 3 years ago | (#36968446)

This reminds me of the old joke:

Alice and Bob are camping when they get attacked by a hungry lion. Running away at top speed, Alice begins to overtake Bob. "We'll never be able to outrun it!" says Bob. Alice replies, "I don't need to outrun the lion - I only need to outrun YOU!"

In that sense, all the security any given person needs is just not to be low-hanging fruit.

That joke is only about encryption if the bear's name is Carol.

Re:Like The Old Joke (1)

black soap (2201626) | more than 3 years ago | (#36971228)

Two guys are out camping in the woods, and the discussion turns to bears. One of them has a monstrous cannon of a pistol he lugs around all day, but it gets heavy by the end of the day. The other guy shows him a tiny .22 pistol,
A: "This is what I carry. All I need for bear."
B: "Are you kidding? You won't even slow down the bear a little bit with that thing."
A: "I wasn't going to shoot the bear."

Moral of the story: Increase your own security a little bit, and encourage everyone else to be less secure, but still making enough noise to be an attractive target.

Re:Like The Old Joke (1)

Rich0 (548339) | more than 3 years ago | (#36974914)

Yup, if you want to survive WWIII your bomb shelter is only going to be as useful as its defensibility.

Only one lion (0)

Anonymous Coward | more than 3 years ago | (#36972958)

This reminds me of the old joke:

Alice and Bob are camping when they get attacked by a hungry lion. Running away at top speed, Alice begins to overtake Bob. "We'll never be able to outrun it!" says Bob. Alice replies, "I don't need to outrun the lion - I only need to outrun YOU!"

In that sense, all the security any given person needs is just not to be low-hanging fruit.

The joke only works so long as there's only one lion.

In the real world, there are plenty of hackers and plenty of targets, plenty of lions and plenty of campers, and no guarantees.

This Is The Wrong Way, Period. (2, Interesting)

Anonymous Coward | more than 3 years ago | (#36968254)

Yep with capitals on every word.

So you see every security researcher and their friend claim how good it is to have long, strong unremembered passwords for each of your 1000 services.
They also want to have a million software work-arounds to manage flaws in the current software and operating system design. Such as ASLR, canaries, what not - then make you believe your system is, I quote again, RESILIENT. Nothing less! Your OS fights back for you and has multiple layers of security! (which usually are all bypassed in one go.. sometimes 2 go.)

That's a lot of nice words. Slashdot readers should know by now that while all these features are integrated in all modern OS (yay Lion now has real ASLR...) it doesn't stop attacks at all, and barely makes the exploits code longer to figure out.

These people have had their mind programmed to think a certain way and they do think, since "security is a process" that it's the correct way to secure software in the future. Well, it looks pretty bad and full of holes doesn't it? Pretty crappy security if you ask me, even if that's way better than 10 years ago.
They've been programmed that way because many fear that their job and their precious antivirus software would be less relevant if the flaws were fixed. Oh I can't tell you how much hate posts such a statement generates. It's like saying 'Chrome sucks because there's Google behind it and they want your data' you know. The truth too many don't like to hear and will close their eyes as if nothing was going on.

There is, and there are however true alternatives. It involves rewriting from scratch the current OSes to fix the design flaws.
Actual, real OS programmers know this very well. Even the people behind UNIX knew that and rewrote it, and called it Plan9 (which died for other reasons).
Even Microsoft knows that and wrote Singularity as well as Midori. Even Open source OS programmers know that and made their little spin offs.

Those OS are by design very secure (even if the 'nothing is 100% secure' still stand true). Every app is sandboxed in it's own memory space. Every driver too and kernel components too. The memory has automatic reference counting and garbage collection, and there is also no way to provoke overflows and any attack of that class. The core assembly is typed to avoid type errors leading to exploits in the core kernel. Its also kept very, very small as are all the critical sections.

All the message passing between the apps, the apps to the kernel, the driver to the kernel and so on goes through a special, ultra fast messaging system and it is the sole and unique vector for communication and thus attacks. Every message is verified and must match a predetermined contract to pass through. The contract describes the kind of data with precision. No more injection of bad data. Not only that but the kernel overhead is actually lower than Windows, OSX or Linux and the apps actually run faster.

And there's a whole lot more. With today's computer speed we will be able to afford running those new OSes while running legacy apps in emulation mode.
Besides, with many applications being written in portable languages such as JS, this will be less of an issue.

Re:This Is The Wrong Way, Period. (0)

Anonymous Coward | more than 3 years ago | (#36969058)

I'd rather do this than use the crappy virtualization stacks we're using now, but microkernels are still very slow.

Re:This Is The Wrong Way, Period. (2)

SecurityTheatre (2427858) | more than 3 years ago | (#36969136)

Well, considering that remotely-exploitable network-stack-level overflow vulnerabilities are almost completely gone, either the programming techniques have improved, or these technologies are helping.

I would like to point out that the pervasive attitude at Sony seemed to be one of "well, nothing is perfect, so we don't need to spend too much money doing our best".

On the other hand, building a secure OS from the ground up IS the right approach, and I'm sure Mr Miller would agree, but the simple fact is that IT WON'T HAPPEN (yes, all caps). Functionality is the driver, not security. Security necessarily has to be an afterthought, simply for the business reality that many people approach the problem in the same vein as the recent post about iPads "consumerizing" IT. Business people still pay the bills.

So we take these approaches at making *Better* security out of commodity products, rather than deconstructing everything and coming up with a completely new model that places security first.

Remember, too, that thus far, the high end pulls the low end along. So those people who need bleeding edge performance, be it database administrators, gamers, 3d modeling, etc... they tend to drag the desktop market around in terms of technology and software support, so you have to find a model to appease them and their needs in order to have your mythical "secure OS" project get off the ground.

Living In an Unsecured World (0)

Anonymous Coward | more than 3 years ago | (#36968268)

Guess those guys who'll be interested in encrypting theirs are the ones who have saved files that are for their eyes only huh. Am one of them. Nothing malicious though. http://financial.atlanticinternationalpartnershipnews.com/

start by taking time to a non rush job and do QA (1)

Joe_Dragon (2206452) | more than 3 years ago | (#36968300)

Start by taking the time to do a non-rush job and do a lot more QA / testing. Also usability testing needs to be done as well.

Auto testing can help but it does not cover all things / leads to coding to pass the test, missing the stuff that the test does not cover.

Tolerance (1)

U8MyData (1281010) | more than 3 years ago | (#36968316)

I am a firm believer that when we came up with the concept of zero tolerance we were in trouble. Life is shades of grey; some more white, some more black, never just black nor white. If we lose the ability to take care of ourselves, we lose our ability of self-determination, a.k.a. freedom. We are in trouble...

Stop making us change passwords each month or les (1)

Joe_Dragon (2206452) | more than 3 years ago | (#36968322)

Stop making us change passwords each month or less and cut back on the password rules. Ti5@j0ke is way to pass without needing to use a post-it, and next month it's P@ssw0rd2!

Re:Stop making us change passwords each month or (2)

SecurityTheatre (2427858) | more than 3 years ago | (#36969184)

Listen, I do computer security audits and penetration testing and we break into 90% of the companies we attempt to break into. The simple fact is that password complexity and password changes are probably the #3 biggest risk in the enterprise, aside from simple patching and configuration/hardening issues.

Through a combination of techniques, we are able to obtain password hashes of various values. Frequently these are cached values. If you've ever logged into a windows workstation on a domain, your password is stored in a cached hash format on the system and that's what we consider a high value find, because we can run those through crackers very quickly to determine the result. Frankly, the first password you supplied is reasonably strong and would take a few days to crack if your attacker/tester was relatively skilled, the second would be picked up in the first pass after only about 10 minutes of a decent cracking system.

Changing passwords is an important part of keeping these caches from persisting in the long term. I can often tell how often password changes are forced, by looking at the number of valid cached credentials we obtain on the first batch of penetrated systems. Shops that require frequent password changes mean that 60-80% of our cracked cached credentials are going to be invalid (but we will see if there is an obvious pattern, like incrementing the digits by 1). Often we only get one set of valid credentials per machine, and it's for the user of that machine, which is almost inconsequential, since we could impersonate him anyway with the domain security tokens. But in a place with no password changes, or those that happen less than every 3 months or so, the value of those cracked credentials increases greatly.

Since security is a game of layering protections, it seems a rational thing to do. I recommend 60 days, rather than 30 days, however, just simply for the convenience.

Re:Stop making us change passwords each month or (0)

Anonymous Coward | more than 3 years ago | (#36970484)

However you completely miss his point.
He's saying that if you have to change password regularly, it more or less forces you to use worse passwords, since you also have to remember them.

Re:Stop making us change passwords each month or (0)

Anonymous Coward | more than 3 years ago | (#36974174)

Forcing people to change passwords regularly is the biggest risk of all - because that _ensures_ that most people have simple, easily remembered passwords. Which are also very easy to crack. I change passwords only once per break-in incident. Which means I have the same password for many years at a time. Nobody guesses it, because it is long and complicated. (Break-ins so far have been through buggy software, not passwd guessing.)

People with enforced password change have passwords like "peter01", "peter02", ... If someone abuses the account and suddenly finds that "peter05" no longer lets them in - of course "peter06" is the next try. Most people simply can't come up with good hard-to-guess passwords month after month for many years. Or if they do, they consistently forget them over holidays. Get a single _good_ password, long, convoluted, and use it for years.

Password caching, in an easily breakable form? What kind of silliness is that? If the password is cached in a form that lets you break in - well it'd be cached after day one. So not much security in changing it a month or two later. If it is broken early, there is time enough to install a keylogger program for the next password. Or just break the new password the same way as the first. A better fix - don't use such software.

Re:Stop making us change passwords each month or (0)

Anonymous Coward | more than 3 years ago | (#36975386)

If you've ever logged into a windows workstation on a domain, your password is stored in a cached hash format on the system and that's what we consider a high value find, because we can run those through crackers very quickly to determine the result. Frankly, the first password you supplied is reasonably strong and would take a few days to crack if your attacker/tester was relatively skilled, the second would be picked up in the first pass after only about 10 minutes of a decent cracking system.

Rainbow tables to defeat *good* passwords (more like passphrase sprinkled with odd characters, digits, and mixed-case) on modern Windows systems are not yet practical. Same goes for automatic crackers, dictionary-based or not. For now, a long, complex password mitigates those threats. But if you force frequent password changes, most people won't be able to deal with remembering a new *good* password every other month, and you'll end up with short, trivial passwords, often very similar to the previous one. If you force frequently changed passwords to be sufficiently complex, you'll merely shift the weakness from the hashes to increased use of post-it notes.

Human nature is the most persistent security weakness, and frequent password changing plays right into it.

- T
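The pattern the comments above describe ("peter05" followed by "peter06", or a rotated password "very similar to the previous one") can be rejected at change time, when the system briefly holds both the old and the new password in plaintext. This is an added example, not code from any commenter: the function names, the leet-substitution table, the 0.8 similarity threshold and the PBKDF2 parameters are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import re
from difflib import SequenceMatcher

# Constructed table (assumption): common character swaps users apply to a base word.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})
ITERATIONS = 100_000  # assumed PBKDF2 work factor for the stored history


def skeleton(password):
    """Reduce a password to its base word: drop the trailing counter and
    punctuation, lowercase, and undo leet substitutions."""
    core = re.sub(r"[\d\W_]+$", "", password) or password
    return core.lower().translate(LEET)


def similar_to_current(old, new, threshold=0.8):
    """True if the new password is the old base word with a new suffix,
    or a near-copy of it."""
    a, b = skeleton(old), skeleton(new)
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold


def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def counter_neighbours(password, span=3):
    """Yield passwords that differ from `password` only in its last run of
    digits, within +/- span. Older passwords exist only as hashes, so the
    candidates are generated from the new password and hashed for comparison."""
    last = None
    for last in re.finditer(r"\d+", password):
        pass
    if last is None:
        return
    width, n = len(last.group()), int(last.group())
    for delta in range(-span, span + 1):
        if delta == 0 or n + delta < 0:
            continue
        yield (password[:last.start()] + str(n + delta).zfill(width)
               + password[last.end():])


def matches_history(new, history, span=3):
    """history is a list of (salt, digest) pairs for previous passwords.
    True if the new password, or a counter-bumped variant of it, was used."""
    for candidate in [new, *counter_neighbours(new, span)]:
        for salt, digest in history:
            if hmac.compare_digest(hash_pw(candidate, salt), digest):
                return True
    return False


def check_change(old, new, history):
    """Return the list of reasons to reject the change (empty means accept)."""
    reasons = []
    if similar_to_current(old, new):
        reasons.append("new password is a variation of the current one")
    if matches_history(new, history):
        reasons.append("new password is a counter bump of an earlier one")
    return reasons


if __name__ == "__main__":
    # Constructed sample data: one earlier password kept only as a salted hash.
    salt = b"constructed-salt"
    history = [(salt, hash_pw("peter04", salt))]
    for old, new in [("peter05", "peter06"),
                     ("Ti5@j0ke", "P@ssw0rd2!"),
                     ("peter05", "a long sentence of her choice")]:
        print(old, "->", new, ":", check_change(old, new, history) or "accepted")
```

The check only measures similarity to earlier passwords; "P@ssw0rd2!" passes it when the previous password was unrelated, so it complements a dictionary or breached-password check rather than replacing one.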

He's mentioned everything except (1)

airfoobar (1853132) | more than 3 years ago | (#36968328)

educating the fucking users, which is the most glaring and most fundamental security hole there is. Make sure the users know they need to keep the PCs and anti-viruses updated, make sure they know how, make sure users know not to run untrusted programs, make sure they know what counts as a program (screensavers, plugins, installers... we know but they often don't), make sure they don't insert a USB stick they found in the street, if their PC has an instant-on OS option make sure they use that to do their banking instead of their main OS, if there are grandmas out there using Windows for no good reason try and get them to switch to another OS, teach users to recognise suspicious behaviour and ask for help... need I go on?

Re:He's mentioned everything except (1)

Kargan (250092) | more than 3 years ago | (#36968838)

I don't disagree with what you are saying at all, but I am curious:

Who is going to do the educating, exactly, and how? It's not like you can force people to learn things they don't want to learn. You don't need a license to use a computer or the Internet.

Make no mistake, there are actively, willfully ignorant users all over the place. They know what they need to do to learn more - use the computer more. But they don't want to, because using the system is not an enjoyable, rewarding experience. It's more like they approach it with a sense of dread -- "I could click or do something wrong and just ruin the damn thing!" Consider also that even the cheapest pc still costs a few hundred dollars, which is a lot of money for some folks.

They'd rather just have someone that already knows how to use a computer fix their issue for them, thereby separating the world into the haves and have nots (or in this case, know and know nots) that we have today.

Re:He's mentioned everything except (1)

airfoobar (1853132) | more than 3 years ago | (#36968972)

Who is going to do the educating, exactly, and how?

At the moment, the only ones trying to teach people about security are frustrated IT workers. Every little bit helps, so if the gov't put some effort into it, quit doing campaigns for the RIAA and started doing something for their citizens, they could improve the situation quite a bit.

There are a lot of possibilities. From introducing security essentials into school curricula (who needs to be taught Powerpoint?), to encouraging companies to take action to safeguard their own data (the recent hacks should be a wakeup call), to backing open source/diversity more.

In fact, that last point needs repeating. A monoculture allows bad people to invest all their energies into exploiting a single type of system, with the promise of huge returns. That's how you get massive botnets and millions of infected PCs all the time. If there was more diversity, say two major OSs instead of one, the potential returns from writing a virus would immediately be cut in half.

Re:He's mentioned everything except (1)

Anonymous Coward | more than 3 years ago | (#36968872)

Umm, no. The user should not have to worry about security. It should be secure by default. The burden of security should be placed on the thousands of software engineers instead of the millions of end users.

Re:He's mentioned everything except (2)

airfoobar (1853132) | more than 3 years ago | (#36968990)

Unfortunately, that's not how security works. If the users don't know what they're doing, their systems are insecure no matter how much security you build into them.

Re:He's mentioned everything except (1)

SecurityTheatre (2427858) | more than 3 years ago | (#36969202)

You can't educate willful indifference.

Users KNOW they should have strong passwords, but consistently, in my security audits of big companies without technical controls in place to prevent it, 30% or more of passwords are crap like "master" and "cookie" and "god".

I'm not kidding. People DON'T see value. Even if they do, they think... "well, everyone needs to do that, but I am special". It's human nature.

Security is about fixing human nature, which is why it's so damn hard, and sometimes appears irrational and painful.

OF COURSE that's the right solution, but it's just going to reduce the problem, not fix it.

Re:He's mentioned everything except (1)

stephanruby (542433) | more than 3 years ago | (#36969792)

You can't educate willful indifference.

Users KNOW they should have strong passwords, but consistently, in my security audits of big companies without technical controls in place to prevent it, 30% or more of passwords are crap like "master" and "cookie" and "god".

I'm not kidding. People DON'T see value. Even if they do, they think... "well, everyone needs to do that, but I am special". It's human nature.

Actually, you can to an extent.

The way I've educated my mom about secure passwords was to teach her how easy it was to crack her own passwords. And when I say teach, I don't mean to say that I broke her passwords for her. No, I showed her the script, explained it a little, and then I made sure she filled out some of the paths and that she ran the script herself.

That was half of the education process. The other half was to teach her how to make a password out of a long sentence of her choice.

Just explaining something doesn't always work. For some things, I believe there must be several layers of understanding before it has an effect. And even then, there will always be people who really don't care, like you say, but I believe that percentage to be far lower than 30%. By the way, now my mom's passwords are so freaking complicated and god-awful-long, I think she's overdoing them -- but that's for another story.

EWD was right... and this guy doesn't get it. (0)

Anonymous Coward | more than 3 years ago | (#36968520)

"We also need to better control the software loaded on our devices (i.e. Apple's App Store model)."

That is to consumer control as Palladium/TCPA is to consumer security and DRM is to consumer choice.

Yes, we need better control on the run-time environment of untrusted software. No, the app store model is not the answer. The rest I leave as an exercise, though if this so-called expert gets it wrong, what about the rest of the industry? Go do your homework, guys.

Playing Catch Up (1)

cavreader (1903280) | more than 3 years ago | (#36968954)

The efforts to improve Internet security are simply being outpaced by the rate of new technology implementations. The Internet has been one gigantic Rube Goldberg construct since the beginning. Trying to provide security while maintaining backwards compatibility is creating security nightmares. Any large scale and meaningful security improvements would require a wholesale abandonment of past security methodologies and replacing that security infrastructure would be extremely expensive and would cause incompatibilities that would almost render the Internet useless. Just look at the amount of work required for implementing IPv6. This is only one aspect of the Internet core requirements. Everyone from ISPs, OS developers, and application developers across all platforms will be affected. We certainly know how to create very secure systems but unless we are willing to start over from scratch and abandon any backwards compatibility the chances of creating a more secure Internet are doubtful in the extreme.

"...and I am an unsecured girl"? (1)

XahXhaX (730306) | more than 3 years ago | (#36968956)

Is that how it goes?

personal computer security = personal hygiene (1)

stephanruby (542433) | more than 3 years ago | (#36969604)

Of course, it makes sense that a security consultant would want to centralize security even more. He would profit from such centralization, but he wouldn't profit from ensuring that we get better security.

In my opinion, computer security should be approached just like a public health issue. We should teach people good computer hygiene, just like we teach people about proper personal hygiene. Granted, this approach is not going to solve every problem, and this educational effort would have to be never ending, but I don't think there is any way around that.

We need to start teaching good computer hygiene courses in schools. And for the generations that are already out of school, we need to create ways to get them to catch up to the kids we educate on this subject. For this to really work, everyone needs to learn about proper computer hygiene. Not just the office worker, or IT personnel, but the janitor, the big-shot CEO, the stay-at-home wife, the unemployed, and even grandpa/grandma. The burden of good computer hygiene simply cannot be pawned off onto someone else anymore.

And this goes for the people that are going to teach our kids (or teach us) about good computer hygiene, we can't let security firms, manufacturers, ISPs, software vendors, or even content providers, teach our kids about proper security. We need to start taking responsibility for this ourselves. The industry does not teach, it obfuscates. That's a big part of how it makes money. And letting them teach our kids about good computer hygiene would only lead to too many conflicts of interest. That's why we need to do this ourselves.

And I say "computer hygiene", but we should probably call it something else. The term "computer" is not enough these days to convey every type of security problem we should be teaching our kids (or ourselves) about. There is social engineering, which can be very low tech. And there are many more types of powerful computing devices, that can still have problems, but that we do not specifically call computers anymore.

Agreed, 110%: Hence, this, since 1997 (0)

Anonymous Coward | more than 3 years ago | (#36976436)

From/By "Yours Truly" -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

To "immunize" a Windows system, I effectively use the principles in "layered security" possibles!

I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:

http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text [neowin.net]

& from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml [archive.org] which Neowin above picked up on & rated very highly.

That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online in the 1st URL link above...

Which has well over 500,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:

---

1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ [pcpitstop.com] (see January 2008))

---

Across 15-20 or so sites I posted it on back in 2008... & here is the IMPORTANT part, in some sample testimonials to the "layered security" methodology efficacy:

---

SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2 [xtremepccentral.com]

"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral

AND

"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral

AND

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3 [xtremepccentral.com]

"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral

---

http://forums.theplanet.com/index.php?s=80bbbffc22d358de6b01b8450d596746&showtopic=89123&st=60&start=60 [theplanet.com]

"the use of the hosts file has worked for me in many ways. for one it stops ad banners, it helps speed up your computer as well. if you need more proof i am writing to you on a 400 hertz computer and i run with ease. i do not get 200++ viruses and spy ware a month as i use to. now i am lucky if i get 1 or 2 viruses a month. if you want my opinion if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spy ware, but if you do get hit with viruses and spy ware then it will your own fault. keep up the good fight APK." - Kings Joker, user of my guide @ THE PLANET

(Those results are only a SMALL SAMPLING TOO, mind you - I can produce more such results, upon request, from other users & sites online)

HOWEVER - There's ONLY 1 WEAKNESS TO IT: Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... King's Joker above tends to "2nd that motion" (& there is NOTHING I can do about that! Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")

HOWEVER AGAIN - That's where NORTON DNS helps -> http://nortondns.com/ [nortondns.com] ...

(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)

ScrubIT DNS, &/or OpenDNS are others (adding on phishing protection too) as well!

( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...

---

I also do extra "layered security" work above Norton DNS/OpenDNS/ScrubIT DNS too, in HOSTS files usage, that layer on to that!

AND, HOSTS files are COMPLETELY under MY personal control as well, for better speed, security, & even "anonymity" to a degree (vs DNSBL of all things) here..

In fact, my HOSTS file here has well over 1.5 million entries worth vs. adbanners (because they have had malicious code in them @ times since 2004), bogus DNS Servers, botnet C&C servers, & known maliciously scripted websites + servers/hosts-domains that are KNOWN to serve up malware.

(I, and my friends + family that use it, along with Norton DNS/OpenDNS/ScrubIT DNS? Haven't been infected ONCE, since 1996!)

See testimonials above in addition to my own, & I can produce others easily on request from other forums where my guide is (as well as mvps.org & many others that produce HOSTS files), and here are others from /. no less, testifying to the same:

---

"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

---

"I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363) Homepage Journal

---

"Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] " - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

---

"you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage

---

And, THERE YOU GO:

DIRECT QUOTES FROM SLASHDOT USERS TOO, & ON HOSTS FILES USEFULNESS + EFFICACY IN LAYERED SECURITY TO THEY AS WELL!

(They are, after all, your "peers" here...)

---

Also?

Well, how about a DIRECT QUOTE from a respected security pro (from securityfocus.com, a division of SYMANTEC/NORTON) on the note of HOSTS files too?

Resurrecting the Killfile

Oliver Day, 2009-02-04

FROM -> http://www.securityfocus.com/columnists/491 [securityfocus.com]

---

PERTINENT QUOTES/EXCERPTS:

"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet, particularly browsing the Web, is actually faster now."

and

"The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

and

"This is a solution I've seen used in small communities around the Internet. Not application-based killfiles, but diving down through the network stack and blocking things at a lower level using host files. The host file is the first file that applications query when looking for an address on the network. Each of the hosts considered as unwanted guests can be given an entry in the host file pointing to 127.0.0.1, the default loopback address, effectively blocking them."

---

Nuff said... & you can't get BURNED, if you can't go into the "malware kitchen", so-to-speak!

Between "layered security" principles, using HOSTS files + DNSBL filtering DNS servers, security-hardening an Operating System, conscientious patching of the OS & Apps present you use, & "smart surfing" (watching it with the indiscriminate usage of javascript/java "everywhere all the time" (a "no-no" since they are the "harbingers of doom" out there along w/ being useful to in say, e-commerce situations, being a double-edged sword really)) using Opera's "by site" preferences for frames/iframes, javascript, plugins, java & more?

You CAN BE SAFE online...

(Albeit - With about 1-2 hours of your time in implementing a guide like mine & its points for layered security & smarter/safer surfing online too... & for YEARS TO DECADES INTO THE DISTANCE!)

Lastly/In Closing/BOTTOM-LINE:

As far as HOSTS files' efficacy alone?

My points on them seem to have done well here on /. as well in the eyes of others as well more than a few times vs. "malware-in-general" & on many platforms:

HOSTS MOD UP -> http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608 [slashdot.org]
HOSTS MOD UP -> http://tech.slashdot.org/comments.pl?sid=1490078&cid=30555632 [slashdot.org]
HOSTS MOD UP -> http://it.slashdot.org/comments.pl?sid=1869638&cid=34237268 [slashdot.org]
HOSTS MOD UP -> http://tech.slashdot.org/comments.pl?sid=1461288&threshold=-1&commentsort=0&mode=thread&cid=30272074 [slashdot.org]
HOSTS MOD UP -> http://tech.slashdot.org/comments.pl?sid=1255487&cid=28197285 [slashdot.org]
HOSTS MOD UP -> http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983 [slashdot.org]
HOSTS MOD UP -> http://apple.slashdot.org/comments.pl?sid=1725068&cid=32960808 [slashdot.org]
HOSTS MOD UP -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33147274 [slashdot.org]
HOSTS MOD UP -> http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182 [slashdot.org]
HOSTS MOD UP with facebook known bad sites blocked -> http://tech.slashdot.org/comments.pl?sid=1924892&cid=34670128 [slashdot.org]
HOSTS FILE MOD UP FOR ANDROID MALWARE -> http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952 [slashdot.org]
HOSTS MOD UP ZEUSTRACKER -> http://it.slashdot.org/comments.pl?sid=2059420&cid=35654066 [slashdot.org]
HOSTS MOD UP vs AT&T BANDWIDTH CAP -> http://tech.slashdot.org/comments.pl?sid=2116504&cid=35985584 [slashdot.org]
HOSTS MOD UP CAN DO SAME AS THE "CloudFlare" Server-Side service -> http://it.slashdot.org/comments.pl?sid=2220314&cid=36372850 [slashdot.org]
HOSTS and BGP +5 RATED (BEING HONEST) http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450 [slashdot.org]

APK

P.S.=> Similar "layered-security" methods exist for other Operating Systems as well, as seen here:

---

Apple's MacOS X Security Guide:

http://www.apple.com/support/security/guides/ [apple.com]

---

&

---

Securing Linux:

http://www.puschitz.com/SecuringLinux.shtml [puschitz.com]

(Linux in particular has a WEALTH of information here in fact in the topic of securing it far, Far, FAR BETTER than the "default" shipping setup, & the above link is only a tiny sampling thereof too, mind you!)

AND?

Linux distros (many to most), also have SeLinux!

(Which the NSA themselves "bolted onto" std. Linux making it possible to have MAC (analog to Windows NT-based OS ACL's &/or an analog to Windows NT-based OS "Group Policies" (gpedit.msc) + "Security Policies" (secpol.msc)).

---

* So yes, OS' can be SECURED, & far better than they ship to "end users" by default... but, YOU have to take the time to do it yourself largely is all!

(There are tools that help, for Linux &/or Windows, there exists the CIS Tool which is multiplatform & does help guide "the novice" somewhat, & makes it almost "fun-to-do", like running a benchmark of system speed, albeit in CIS Tools' case, for security (based on security std.s/"best-practices", for the OS @ hand tested))

However, THE MAIN PROBLEMS TODAY IMO?

---

1.) End users themselves being ignorant or uncaring about it, allowing for "spreading the disease" for one thing (ignorance IS excusable though, they're NOT "expert" @ computing etc. - but not helping them out on the part of those who ARE in fact, "expert", is imo, inexcusable by the same token)

AND, of course/as well:

2.) The malware makers/hacker-crackers out online, in general, also... but - these types @ least do "1 good thing" imo @ least & that's POINTING OUT WHAT NEEDS TO BE FIXED!

---

So, "all that said & aside":

MS is doing the right thing, Norton DNS/OpenDNS/ScrubIT DNS are too, as well as folks like GOOGLE on this account as another example thereof as well/also/too!

(The DNS servers noted employ filtering DNS servers that are FREE TO USE, vs. malware, phishing, bogus DNS servers, botnet C&C Servers, known maliciously scripted sites, or sites KNOWN to serve up malware too, GOOGLE's filtering out known bogusly done "SEO" work by malware makers (recently vs. the .cc TLD's being abused thus) & Microsoft of course, hunting down the RUSTOCK botnet + patching their OS every 2nd Tuesday of the month, etc./et al also!).

So, security (especially "layered security", the best thing we as end users currently have going in fact in our favor) IS DOABLE, but you have to know what to look for, sometimes a guide too (because it's a WEE bit complex, but not really as opposed to harder things in the art & science of computing such as programming imo)

... apk

Curious question (1)

renoX (11677) | more than 3 years ago | (#36969814)

One curious part of the interview is when Alan Dang writes: "But it seems like in today's world, the end-user is playing a less important role. The end-user with the latest software updates who is also savvy to social engineering cannot protect himself against hackers who steal credit card data from Sony."
This is incorrect: many banks sell "virtual" credit card services: these CC numbers work only for one purchase, so users can protect themselves.
But the sad part in this case is that it's the security conscious users who pay the cost of the protection against hackers, not Sony and the other stupid companies storing credit card numbers on unsecured servers.

Several design issues with hardware and software. (2)

master_p (608214) | more than 3 years ago | (#36970102)

The problem of security starts with CPUs, goes through the operating system and programming languages, and ends up at the communication standards.

The problem with CPUs is their horrible security model: it is either user or kernel mode for an application, there is no other security mode. This means that once an app is compromised, and foreign code is executed, all sorts of nasty things can be done. A more fine-grained CPU security model would offer much better security, allowing software components within the same process space to coexist without affecting each other.

The problem with operating systems is that their security model is based, again, on the guest/administrator model, i.e. it is actually the same security model as the one used by the CPUs. A better security model would allow software that communicates with the outside world to run with fewer privileges than the user, thus saving the user from being compromised when malicious code. Furthermore, operating systems resources are not virtualized for the user, requiring access to administrator rights for jobs that could not require such rights.

The problem with programming languages is that the most used programming languages for system programming are too open for abuse. I am talking about C/C++, of course. Take Windows, for example: hundreds of buffer overflow bugs, because C does not do bounds checking on arrays. If C was designed with safety first, performance second, and made checked array access the default, and unchecked array access explicit, fewer security issues would exist.

Finally, communications over networks should have been encrypted by default, and only revert to unencrypted when it did not hurt to do so. The encryption support cost would have been minimal by now, as with all technologies that start expensive and get cheap as they are massively produced.

PKI issue (1)

tepples (727027) | more than 3 years ago | (#36970470)

Finally, communications over networks should have been encrypted by default, and only revert to unencrypted when it did not hurt to do so.

In the system you propose, how would each party know the other's key?

Re:PKI issue (1)

master_p (608214) | more than 3 years ago | (#36975752)

Each part would know the other's public key by exchanging public keys on communication initialisation.

In order to avoid man-in-the-middle attacks, a solution like verifying the other part's public key by a different route could be used.
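
The out-of-band check described in the reply above, as an added example that is not part of the original comment: the receiver fingerprints the public key it was sent and compares it with a fingerprint obtained over a second channel (read out over the phone, printed on a card), then pins it so a later silent key change is also caught. The key bytes, the peer name and the `PinStore` class are constructed for illustration.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of an encoded public key, grouped for reading aloud."""
    digest = hashlib.sha256(public_key).hexdigest()
    return ":".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalise(fp: str) -> bytes:
    """Drop separators, whitespace and case so a typed fingerprint compares cleanly."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef").encode()


class PinStore:
    """Hypothetical store of peer keys accepted after an out-of-band check."""

    def __init__(self):
        self._pins = {}  # peer name -> normalised fingerprint

    def check(self, peer, received_key, oob_fingerprint=None):
        got = normalise(fingerprint(received_key))
        pinned = self._pins.get(peer)
        if pinned is not None:  # known peer: the key must not change silently
            return "ok" if hmac.compare_digest(got, pinned) else "mismatch"
        if oob_fingerprint is None:  # first contact, nothing to compare against
            return "unverified"
        if not hmac.compare_digest(got, normalise(oob_fingerprint)):
            return "mismatch"
        self._pins[peer] = got
        return "ok"


# Constructed sample data: stand-ins for encoded public keys.
BOB_KEY = b"constructed-public-key-of-bob"
SUBSTITUTED_KEY = b"constructed-key-swapped-in-transit"


def demo():
    store = PinStore()
    spoken = fingerprint(BOB_KEY).upper()  # what Bob reads out on the second channel
    return [
        store.check("bob", SUBSTITUTED_KEY),          # no second channel used yet
        store.check("bob", SUBSTITUTED_KEY, spoken),  # swapped key is rejected
        store.check("bob", BOB_KEY, spoken),          # genuine key is pinned
        store.check("bob", SUBSTITUTED_KEY),          # later swap is rejected too
        store.check("bob", BOB_KEY),                  # pinned key still accepted
    ]
```
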

Re:design issues with hardware and software. (0)

Anonymous Coward | more than 3 years ago | (#36970974)

When encryption was added to IP it was added at the Application (top-most) layer, not the transport layer, which is just as simple and far more practical. This stopped encryption being part of the OS kernel and enabled Man-In-The-Middle attacks on a data-gram stream. But that bad design decision is a small part of the problem.

How many machines use Microsoft's IPsec? With the advent of broadband, packet-forwarding needs to be fast meaning dedicated CPUs (embedded devices) for communication: Now the need to decrypt the TCP packet while forwarding is minimal but still an encrypted packet could not be decrypted quickly on an embedded device. Lastly remember, encryption is a weapon, and in this day of 'find the terrorist', 'think of the children', '(wage) war on drugs', governments don't want any communications to be strongly encrypted. Note that GSM encryption was cracked in 2003 but there is no draft to implement more than the current 96-bit encryption. Which returns us to the problem mentioned by CAVreader, that of legacy protocols.

"Stack Canaries" FTW! (0)

Anonymous Coward | more than 3 years ago | (#36970268)

I don't know what "Stack Canaries" are, but it sounds like an awesome name for a band.

is it just me (0)

Anonymous Coward | more than 3 years ago | (#36971502)

Or has this guy really made a living out of figuring out a way to destroy a battery and calling it a "hack".... Hell, give me a sledge hammer and I can hack any laptop in his mindset.

One of two 'solutions' (0)

Anonymous Coward | more than 3 years ago | (#36972538)

I think we will see the "increase the cost of attack" model be one of two solutions going forward. It will work well for highly organized organizations as well as small individuals. However, a large portion of the entire population will not take the necessary steps and will still be "low cost to attack" ultimately susceptible to anonymous-type attacks.

The second 'solution' will be a more active defense. Right now, people attack computers because the chance an unsuccessful attack will have a negative impact on them is basically zero. And the impact of a successful attack is much more likely to be positive (for the attacker) than negative. This also makes it very easy to practice attacking, particularly for people in other countries without the laws or will to deal with it. What we need is an active approach to our defenses. If you catch someone attacking, profile them and deny them access to services, wall them off to only access useless data, and deny them attack opportunities the next time they come knocking. This could be done by major organizations for themselves. Also, companies like Google or ISPs could provide this service for all hosts within their sphere of control. Some parts of it could even be automated and placed on servers and network gateways (similar to project honey pot [projecthoneypot.org] or bad behavior [drupal.org]).
