RE: botnets: web servers, end-systems and Vint Cerf
Therefore, I assert that securing systems adequately for use on the Internet is indeed a SOLVED PROBLEM in computing.
A HUNDRED MILLION machines beg to differ.
You misunderstand. The problem of securing machines *IS* solved. It is possible. It is regularly done with servers connected to the Internet. There is no *COMPUTING* problem or technical problem. The problem of the 100 million machines is a social or business problem. We know how they can be secured, but the solution is not being implemented. --Michael Dillon
You misunderstand. The problem of securing machines *IS* solved. It is possible. It is regularly done with servers connected to the Internet. There is no *COMPUTING* problem or technical problem.
The problem of the 100 million machines is a social or business problem. We know how they can be secured, but the solution is not being implemented.
Eh? Sure, we can secure servers, but that's not where the trouble is. It's the client systems with browsers and P2P software and people mindlessly banging on keyboards running arbitrary executables. I'm interested in hearing how they can be secured, since you seem to believe this is a solved problem.
On Feb 16, 2007, at 9:12 AM, <michael.dillon@bt.com> wrote:
It is regularly done with servers connected to the Internet. There is no *COMPUTING* problem or technical problem.
I beg to differ. Yes, it is possible for tech-savvy users to secure their machines pretty effectively. But the level of technical knowledge required to do so is completely out of line with, say, the level of automotive knowledge required to safely operate an automobile.
The problem of the 100 million machines is a social or business problem. We know how they can be secured, but the solution is not being implemented.
We know how -people with specialized knowledge- can secure them, not ordinary people - and I submit that we in fact do not know how to clean and validate compromised systems running modern general-purpose operating systems, that the only sane option is re-installation of OS and applications from scratch.

There have been very real strides in increasing the default security posture of general-purpose operating systems and applications in recent years, but there is still a large gap in terms of what a consumer ought to be able to reasonably expect in terms of security and resiliency from his operating systems/applications, and what he actually gets. This gap has been narrowed, but is still quite wide, and will be for the foreseeable future (witness the current renaissance in the area of browser/HTML/XSS/Javascript vulnerabilities as an example of how the miscreants can change their focus as needs must).

Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

The telephone demands complete participation.

-- Marshall McLuhan
On Fri, 16 Feb 2007, Roland Dobbins wrote:
On Feb 16, 2007, at 9:12 AM, <michael.dillon@bt.com> wrote:
It is regularly done with servers connected to the Internet. There is no *COMPUTING* problem or technical problem.
I beg to differ. Yes, it is possible for tech-savvy users to secure their machines pretty effectively. But the level of technical knowledge required to do so is completely out of line with, say, the level of automotive knowledge required to safely operate an automobile.
In other words, we know how to secure them, and theoretically it is possible to secure all of them. In practice - not so much. As resources-wise and the time-until-they-will-be-insecure-yet-again don't meet. Gadi.
Therefore, I assert that securing systems adequately for use on the Internet is indeed a SOLVED PROBLEM in computing. A HUNDRED MILLION machines beg to differ.
* michael.dillon@bt.com [Fri 16 Feb 2007, 18:27 CET]:
You misunderstand. The problem of securing machines *IS* solved. It is possible. It is regularly done with servers connected to the Internet.
Given that even NASA has issues writing correct programs I would call it far from "solved" for any reasonable definition of the word, even in hyper-correct environments such as programming spacecraft where time and budget constraints are secondary to safety (security). Or did you forget to mention that your secured machine is powered off?
There is no *COMPUTING* problem or technical problem.
Denying that there is a technical problem with a hundred million machines out there not under full control of their owners is delusional.
The problem of the 100 million machines is a social or business problem. We know how they can be secured, but the solution is not being implemented.
Clearly the solution you have in your mind isn't obvious to us out here in the real world, nor simple, as we haven't figured it out yet. -- Niels.
michael.dillon@bt.com wrote:
You misunderstand. The problem of securing machines *IS* solved. It is possible. It is regularly done with servers connected to the Internet. There is no *COMPUTING* problem or technical problem.
True *BUT* (and this is a really big but) it requires that you do something *BEFORE* you connect it to the Internet.
The problem of the 100 million machines is a social or business problem. We know how they can be secured, but the solution is not being implemented.
Whilst the problem is social in terms of people not knowing/wanting to do the securing before connecting, the technical solution is to make the software secure by default. If you think anything else then you are delusional. J -- COO Entanet International T: 0870 770 9580 http://www.enta.net/
On Feb 16, 2007, at 10:12 AM, <michael.dillon@bt.com> wrote:
You misunderstand. The problem of securing machines *IS* solved. It is possible. It is regularly done with servers connected to the Internet. There is no *COMPUTING* problem or technical problem.
The problem of the 100 million machines is a social or business problem. We know how they can be secured, but the solution is not being implemented.
So, you're saying we can secure them so long as we put them behind NAT AND humans don't use them? -danny
On Sat, 17 Feb 2007 17:38:18 MST, Danny McPherson said:
So, you're saying we can secure them so long as we put them behind NAT AND humans don't use them?
I think a few messages back, I specifically phrased my comment about getting them off my radar to cover this - I actually don't care if they are or aren't in fact secure, as long as their insecurity, if any, isn't visible to the outside world.
participants (8)
- Danny McPherson
- Gadi Evron
- James Blessing
- Mark Boolootian
- michael.dillon@bt.com
- Niels Bakker
- Roland Dobbins
- Valdis.Kletnieks@vt.edu