Critique of CyberInsecurity report

Sunder sunder at sunder.net
Fri Sep 26 14:30:53 PDT 2003


Look, the answers are excruciatingly simple:  

1. your email should not execute.
2. your web browser should not be able to run script that can access
anything other than content that came from that server - or at the least
that domain -- especially not your hard drive.  Things like ActiveX are a
security nightmare.
3. your machine should not serve any services to the outside world that
it doesn't need to.

It doesn't matter what OS you run, the above are all still true.  Do that,
then 90% of insecurity goes away.  Add buffer overflow protections, and
another 5% goes away.  Add parameter checking to libraries, good security
permissions on file systems and other objects, and things like per process
capabilities limitations, and another 4% goes away.

If you run a network of unhardened Macs, Linux boxes, FreeBSD or even
OpenBSD boxes, you may as well hang up a sign that says "break in please."

All of this has been previously dealt with elsewhere, and it isn't that
hard to grok.  The only reason to criticize the Redmond beast that should
not be is points 1-3.  The paragraph following it hasn't been implemented
anywhere that's widely in use.  

Things like SE Linux and OBSD have attempted some of them and succeeded,
but they're not as widely used as they should be.


Worrying about what percentage of machines are hetero vs homogeneous is a
waste of time.  Do you run Linux or MacOS X?  Did you bother to upgrade
OpenSSH last week?  No?  Is ssh open for anyone on the internet to access?  
Well then, you're fucked, and you're not even running Windows!

If someone breaks into a Windows 95 machine on your network whose owner
has access to files vital to your company's existence, the potential to
break into the server is already there.

Don't just harden SOME machines and your firewall, harden them all.  A
simple ActiveX component off some rogue web page is enough to take over a
lame little win9x machine. 

Example:


Ever seen WebX? - it's like PCAnywhere, or VNC or Timbuktu, only it works
over the web.  A user just goes to a web page, and a user at the other end
can take over their machine because IE allows such software to run!  

Ok, at least WebX is a commercial product designed to provide tech
support, and asks if it's ok to allow it, but if it's technically possible
to do it for legitimate reasons, it's technically feasible to do it for
rogue reasons too.


Worms aren't the only problems out there.


----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of   /|\
  \|/  :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\
<--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech.  \/|\/
  /|\  :Found to date: 0.  Cost of war: $800,000,000,000 USD.        \|/
 + v + :           The look on Sadam's face - priceless!       
--------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------
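
Added example, not part of the original post: one way to check point 3 on a Linux host is to list the TCP listeners reachable from outside the machine and compare them with the services it actually needs to offer. The `ss -tlnH` sample output and the `NEEDED_PORTS` list are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (listening TCP sockets, numeric).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128        0.0.0.0:22      0.0.0.0:*
LISTEN 0 4096     127.0.0.1:631     0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53      0.0.0.0:*
LISTEN 0 511              *:80            *:*
LISTEN 0 128           [::]:22         [::]:*
LISTEN 0 64           [::1]:25         [::]:*
"""

# Assumption: the only service this host needs to offer the outside world.
NEEDED_PORTS = {22}


def parse_listener(line):
    """Return (host, port) from one `ss -tln` line, or None if not a listener."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    host = host.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and %iface
    return host, int(port)


def is_loopback(host):
    """True when the socket is reachable only from the machine itself."""
    if host == "*":                 # wildcard: every address, v4 and v6
        return False
    return ipaddress.ip_address(host).is_loopback


def unneeded_exposed(ss_output, needed_ports):
    """Sorted ports listening on a non-loopback address that are not needed."""
    exposed = set()
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed and not is_loopback(parsed[0]):
            exposed.add(parsed[1])
    return sorted(exposed - set(needed_ports))


if __name__ == "__main__":
    for port in unneeded_exposed(SAMPLE_SS_OUTPUT, NEEDED_PORTS):
        print(f"port {port}/tcp is exposed but not on the needed list")
```

On a live host, feed the function the real output of `ss -tlnH` instead of the sample; a listener that is both exposed and needed (ssh here) still has to be kept patched.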




