Re: Spyware S&D vs Spywarebot? ??



In article <2t05e3dg22v343pufvu8lgbal28de3h9km@xxxxxxx>,
mike weber <fairportfan@xxxxxxxxx> wrote:
> On 7 Sep 2007 19:09:50 -0400, "Keith F. Lynch" <kfl@xxxxxxxxxxxxxx>
> wrote:
>
> > mike weber <fairportfan@xxxxxxxxx> wrote:
> > > Meanwhile, here's Gizmo's take on the anti-spy/mal/scumware question:
> > > [quote]
> > > The new generation of malware requires a new generation of defensive
> > > products. Such products need to provide stronger active protection
> > > and broader spectrum detection.
> >
> > Does nobody else see how profoundly wrongheaded all this is? No
> > anti-spy/mal/scumware should ever be necessary. A competently
> > designed system will be absolutely secure against anyone who doesn't
> > have direct physical access to the hardware.
>
> Yes, Keith.
>
> The choir's over that way.
>
> Kindly re-direct your preaching.

Ladies and gentlemen of the choir:

"A competently designed system will be absolutely secure" IF AND ONLY
IF (1a) no one can connect to it from a remote location, or (1b) if
someone can connect to it from a remote location, they can't do any
useful work; and (2) there are no design errors; and (3) there are
*exactly* zero bugs in the implementation of that perfect design; and
(most importantly) (4) every person using that system is fully and
constantly aware of protecting against every threat of remote
penetration. Put another way, an absolutely secure system can be had
if there are no errors -- physical, intellectual, or human -- in the
design, implementation, and use of the system. In this perfect
world, the German Enigma and Japanese Purple encryptions would never
have been broken during World War II.

On the planet I'm from, what you really do to make your system secure
is roughly (A) design your software to defend itself in layers so
that if something goes wrong on the outside there's another layer to
prevent further damage; (B) develop a theoretical model of how your
design can be attacked by a bad guy and assess the damage that each
possible attack can cause; (B') having people not involved in the
original design but who are experts in security considerations take a
look at your model and tell you where your imagination failed; (C)
put your effort into defending against the attacks that can cause the
worst damage because if you close every theoretical loophole all the
way you don't ship the software at all; (D) each time you discover a
new attack vector madly review every bit of software that's out in
the field to ensure you didn't allow that same attack somewhere else;
and (E) realize that there are some pieces of data, like your kids'
soccer schedules, that really don't need to be treated as though they
were nuclear launch codes. (Properly generalized, these principles
give you a way to guard against terrorist attacks without requiring
every airline passenger to take their shoes off at the Security
Theater. But that's a sermon for another time.)

I have reason to believe that the time taken for the full-up security
review of the Microsoft Windows NT code base which resulted in the
existence of Windows XP Service Pack 2 (an example of (D) in the real
world), was one of the factors responsible for Windows Vista taking
five years to complete. But for an organization which has Sagans of
lines of code in the wild, stretching back decades to a time before
security against remote intrusion was an issue, the only possible way
to really lock things down (instead of doing an on-going rear-guard
action) would be to trash the lot and start over, assuming you could
achieve perfection this time --- and for Microsoft that would put the
time-to-release for the next versions of Windows and Office at a
decade.

This is not intended to start a round of Microsoft bashing or to
claim that Microsoft is blameless in the bugginess of some of their
software, but it is rather an observation about actual engineering
and business tradeoffs in the real world with real people running
commercial software on real computers. And you get not only an
unusual post from me, but such a long-winded one, because I am
currently in the design phase of a new project, and doing exactly
this kind of security assessment.
