Talk:Computer insecurity
We need to find some way to add a new category for the underground movement, having a timeline, references to Phrack, to 2600, to the BBSes etc.
- Computer Security refers to the measures taken to assure that only the allowed persons can have access to the data in a computer system.
It's not only about data, but also about control over computer systems (for example, the famous changes to web pages).
- As the systems are ever more complex, this objective, as security in the real world, remains forever unattainable.
- A determined thief can successfully rob the best guarded of banks. A determined computer criminal can read, copy, alter or destroy data in the best secured computer. As in the real world, the best you can do is make it more difficult, changing the cost/benefit equation for the criminal. You can reduce the effects of data loss by careful backing up and insurance. And you can further change the cost/benefit equation by pursuing the criminal after the attack.
That's completely untrue. Security-related parts of systems (usually only a few percent of the code) don't have to become more complex. They can even become simpler, as they don't need as many performance optimizations as were required in the past.
It's completely possible (even though rarely done nowadays) to mathematically prove the correctness of all security-related code. It's as possible to get 100% security of a computer system as to get 100% sureness of any other algorithm or code.
And 'cracker', not 'criminal', is the correct word. Legality of cracking doesn't have anything to do with computer systems, and cracking by police isn't any different than cracking by individuals. --Taw
I've been looking at this page, and I completely agree with you that it needs a major rewrite. However, I'm not sure how to accomplish it, as what already exists is far too 'advisory' and not enough 'to the point', in addition to being very "morally correct".
It would be a good thing to have a rewrite, imho.
While it's unfortunate, I'm temporarily moving a lot of useful and well-written content to /Talk. It unfortunately presented a one-sided view of computer security. I hope we'll make a better and more balanced article. --Taw
Old article:
Computer Security refers to the measures taken to assure that only the allowed persons can have access to the data in a computer system. As computer systems hold ever more valuable data, the importance of computer security grows. As the systems are ever more complex, this objective, as security in the real world, remains forever unattainable.
A determined thief can successfully rob the best guarded of banks. A determined computer criminal can read, copy, alter or destroy data in the best secured computer. As in the real world, the best you can do is make it more difficult, changing the cost/benefit equation for the criminal. You can reduce the effects of data loss by careful backing up and insurance. And you can further change the cost/benefit equation by pursuing the criminal after the attack.
The only real difference between computer security and real world, "bank" security is that computer systems are poorly understood, as a rule. Managers usually have a firm grasp on real world security issues, like fences, walls, security personnel, alarms, police, etc. And if they do not, their insurance companies do. Computer systems are often not insured against data theft or destruction, so this "security consulting" is lost. This lack of insurance for so potentially important a loss is in itself noteworthy. It probably stems from this same lack of knowledge, although the cause may be more complex.
A teenager wandering into a warehouse to pick up a trophy and show it to his friends is not treated in the real world as a dangerous criminal. If such an "explorer" enters the company computer system, the management can go ballistic, and the trespasser, if apprehended, risks prosecution. This lack of knowledge is potentially the biggest risk in a company. Of course they will have competent technical personnel, but they will tend to concentrate on the technical side of the issue. Social engineering, for example, will probably be ignored.
Of course, the parallelism between computer security and real world security is not exact, for a number of reasons. For example, vandalism is more dangerous in the computer world because it is potentially much more destructive. A vandal can cause havoc in thousands of computer systems around the world with little effort and small risk of capture. Of course the result would not be as visually satisfying as a graffitied wall, but all taken into account, what is really surprising is the small probability you have today of suffering damage from a computer virus or computer worm.
Today, computer security is composed mainly from "preventive" measures, like firewalls. We could liken a firewall to the building of a good fence around your warehouse. A good first step. But not enough if you keep the fence unguarded (no monitoring), or if you hand a copy of the key to everybody that asks for it by phone (social engineering). If, to add insult to injury, it's widely known that you won't prosecute any trespasser, we could consider the firewall installation as almost an exercise in futility. However, many computer systems are not monitored, and the number of computer criminals to be really brought to justice is abysmally low. In that situation, it's no wonder you have no insurance; the policy would be enormous.
Along the same lines of reasoning, it's good to have an antivirus program, but rather pointless if your users open any and all of the executable attachments they receive by e-mail. Opening an executable attachment is the same as opening the door to your system, with your user privileges, to anybody that sent you that attachment.
In short, lack of computer security today is a multi-pronged menace to which a multi-faceted defense is the only response. Buying an off-the-shelf software package is no substitute for a careful evaluation of the risks, the possible losses, the counter-measures and the security policies, done at a high enough company level.
I toned down the claims that code correctness can be proven, by adding the qualification that critics of the so-called Star Wars projects, among others, claim that correctness cannot be proved. In any event, to write from a NPOV, statements of belief or allegations are not sufficient. If you think correctness can be proved, provide links to arguments in support of this that a reasonable qualified person could accept. Graham Chapman
Of the 4 basic attacks, the article focuses on the 3 that are hardest to do. Social engineering, eavesdropping, and even denial of service are extremely expensive. The one that's very easy is code exploits.
Why is that? Well, it's certainly not because we lack "correctness proofs" of code. Formal proofs are pretty much useless. They're fine for NASA but nobody else can afford them. And they're certainly not error-free, since specifications of software are hard to do. Yeah, you know that the program is equivalent to the specification, but do you even know what the specification means? What's the point of proving software if you can't trust the proof?
The basic problem with computer security is that there are no security semantics. We still use access control lists, which were proven insecure way back in the 70s or 80s. Not only that, but they were also proven to be deceptive. Access control lists give the illusion of a kind of security which it is provably impossible to ever guarantee.
There are good security semantics, they're called capabilities, and they've been in research OSes for the past two decades. They haven't made it into commercial systems because capabilities make managers nervous; they don't provide the illusion of (provably impossible) control which ACLs do.
By the way, good security doesn't just mean preventing bad people from doing to your stuff what they have no right to do. It also means that you have the ability to do what you have every right to do. Otherwise, the most "secure" computer is one locked in a vault, turned off.
Oh, and "giving someone a program to run which then takes over their computer" is a type of attack. If you consider this attack social engineering then it means social engineering attacks can be prevented (which actually they can). And if it's a code exploit then that too can be prevented (with caps, not proofs). The distinction between a trojan horse attack and a "code exploit" should also be explained. They're not the same as far as the user is concerned. -- Ark
- Your statements about proofs are true, but misleading. Complete program correctness does not need to be proven in order to gain security, only a core set of operations need to be guaranteed to behave correctly. Example: Using a proven capability system is a proof of security. Even if I've missed something there, my main point that proofs don't have to be all or nothing still stands. If some software uses proven components, whole classes of exploits could not happen.
- And I did get it wrong. A program could still give a cap to something that it shouldn't, but that feels like a simpler problem to diagnose and fix than the current crop of exploits.
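Added illustration for Ark's ACL-versus-capability point and for the last reply's worry that a program can hand a cap to something it shouldn't. This is toy code written for this page, not anything from the thread or from any real capability OS; the `AclStore` and `FileCap` classes, the 'notes' and 'secret' files, the 'alice' identity and the 'plugin' are all constructed. It contrasts an identity-based check (ambient authority: the plugin wields everything its caller may do) with unforgeable references (the plugin can only touch what it was handed), and shows that delegating a cap, including a wrongly delegated one, is an explicit, loggable act.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# ---------- ACL model: the check asks "who is calling?" ----------

@dataclass
class AclStore:
    # Constructed sample policy: file name -> {identity: set of permissions}
    acls: dict[str, dict[str, set[str]]]
    contents: dict[str, str] = field(default_factory=dict)

    def write(self, identity: str, name: str, data: str) -> None:
        if "write" not in self.acls.get(name, {}).get(identity, set()):
            raise PermissionError(f"{identity} may not write {name}")
        self.contents[name] = data


def acl_plugin(store: AclStore, identity: str) -> bool:
    """Untrusted plugin run on behalf of `identity` to edit 'notes'.
    It inherits the whole identity (ambient authority), so nothing in the
    ACL model stops it from naming and writing 'secret' as well.
    Returns True if it managed to write 'secret'."""
    store.write(identity, "notes", "edited by plugin")
    try:
        store.write(identity, "secret", "clobbered by plugin")
        return True
    except PermissionError:
        return False


def acl_demo() -> bool:
    store = AclStore(acls={"notes": {"alice": {"write"}},
                           "secret": {"alice": {"write"}}},
                     contents={"notes": "", "secret": "original"})
    return acl_plugin(store, "alice")   # True: the plugin reached 'secret'


# ---------- Capability model: the authority is the reference itself ----------

class FileCap:
    """Unforgeable handle to one file. There is no name-based lookup: code that
    was never handed a FileCap for 'secret' has no way to touch 'secret'."""

    def __init__(self, name: str, store: dict[str, str],
                 log: list[tuple[str, str, bool]], writable: bool = True):
        self._name, self._store, self._log, self._writable = name, store, log, writable

    def write(self, data: str) -> None:
        if not self._writable:
            raise PermissionError(f"read-only capability for {self._name}")
        self._store[self._name] = data

    def read_only(self) -> FileCap:
        # Attenuation: derive a weaker cap; no ACL has to be edited anywhere
        return FileCap(self._name, self._store, self._log, writable=False)

    def delegate(self, to: str) -> FileCap:
        # Handing a cap on is an explicit act, so it can be recorded and later
        # diagnosed (the concern in the last reply of the thread)
        self._log.append((to, self._name, self._writable))
        return self


def cap_plugin(caps: list[FileCap]) -> int:
    """Untrusted plugin: writes to everything it was handed and returns how many
    writes were refused. It cannot reach anything it was not handed."""
    refused = 0
    for cap in caps:
        try:
            cap.write("written by plugin")
        except PermissionError:
            refused += 1
    return refused


def cap_demo(leak: bool = False, attenuate: bool = False) -> dict:
    contents = {"notes": "", "secret": "original"}
    log: list[tuple[str, str, bool]] = []
    notes, secret = FileCap("notes", contents, log), FileCap("secret", contents, log)
    handed = [notes.delegate("plugin")]
    if leak:  # host-program bug: it passes on a cap the plugin should not have
        handed.append((secret.read_only() if attenuate else secret).delegate("plugin"))
    refused = cap_plugin(handed)
    return {"secret_clobbered": contents["secret"] != "original",
            "refused_writes": refused,
            "delegations": log}   # the audit trail of who got which cap


if __name__ == "__main__":
    print("ACL: plugin reached 'secret':", acl_demo())
    print("Caps, no leak:", cap_demo())
    print("Caps, host leaks full cap:", cap_demo(leak=True))
    print("Caps, host leaks read-only cap:", cap_demo(leak=True, attenuate=True))
```

In the ACL run the plugin writes 'secret' simply because 'alice' may; in the capability runs it only gets there when the host explicitly delegates the cap, and that delegation sits in the log, which is what makes the leak in the last reply's scenario something you can find rather than something you have to infer.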