[NCLUG] I was hacked!

John L. Bass jbass at dmsd.com
Fri Dec 29 13:34:58 MST 2000


	>If you believe you can deploy a system to desktops for 12 to 24 months
	>without doing any sorts of updates, you deserve what you get...  You're
	>effectively deciding to put "hands off" over security because there
	>*WILL* be updates that have to be done in this time.

Sure, you can take that position to the extreme, and imply that it bans doing
security updates (not at all what was implied). But that is a HUGE step past a
GOAL of trying to reduce functionality updates, which are themselves a continuous
source of new security bugs - hence the comment "unmanaged changes keep resetting
the clock back to zero" as to when we could expect a given release to be completely
stable/secure.

The current intent is to primarily use auto update to push code with new feature
and general bug fix changes, not as a security countermeasure. As a result, my
point IS that auto-updates becomes the next security hole since there are no controls
over who and what updates are generated by the Open Source community. When all other
easy attacks are closed, the obvious attack is to start introducing security holes
into the development process. At this point auto update IS the security hole, not
a fix. It doesn't matter how secure the distribution scheme is, if the input to
it is corrupted.

This is the primary objection to auto-update - it is fundamentally insecure with
a development process lacking security controls. The second is basic trust.

	My point is, all this stuff is fine for the bank and the ecommerce site, but
	they are insanity to the dorm resident and the DSL owner who is getting owned
	by some scriptkiddie because they didn't update, or even worse, disabled the
	update mechanism because of their misplaced paranoia.

I don't think there is any difference ... the same flaws are applied in both types
of exploits. We can agree to disagree about "misplaced paranoia". Some people don't
lock their doors and leave their keys in their cars too, others deadbolt and chain
doors when home.

Lastly on dependence on digital authentication. The analogy to creating software
systems where the security for nearly all computers globally is tied to a few vendors'
certificates, is a physical barrier system where all new locks world wide have one
of a few dozen (maybe few hundred) master keys. While the geeks might feel justified
that it's the only solution in cyber land, they have to remember that to many it has the
same emotional impact as being told they can only buy locks that someone else holds
the master keys to (and those people are saying/demanding TRUST ME).

The concern that someone will find and publish a digital key, is just as real that
someone will find and publish the physical master key code. The reality is that
both digital and physical locks are worthless once the master key/code is published.
It does not matter if the digital key is discovered by chance, or stolen - any more
than if a physical master key is reverse-engineered from the lock, discovered by
chance, or stolen.

Combine the two risks together, and insist that people should not be concerned?

John Bass
