Ranum on the root of the problem

Marcus Ranum writes a good article for ACM Queue, in which he points out that better tools to improve languages can help. I take issue with his claim that better languages can’t help. Java, because of its string representation, is harder to mess up than C. It’s not perfect, and no useful language can solve the entire problem.

Richard at Taosecurity propagates the myth of -Wall. Things are about to get (deeply) technical; follow the jump if you know what -Wall means.

How about "Align with the business?"

I normally have a lot of respect for CIO Magazine. Their journalists cover the topics that matter to CIOs, they remain focused on how to make the technology support the business, etc. That’s why I was surprised to see this CIO’s Guide To Safe Computing, which starts:

Ellyn believes that companies should strive for a holistic approach to achieving security. The top 15 strategies for computing responsibly are highlighted in the report and are practices IT departments of any size should implement if they haven’t already done so.

1. Establish strong identity management for network access, ideally including passwords, smart cards and biometrics.

2. Strictly control password management and administration; avoid outsourcing this at all costs.

Not until #14 do we get to policies, and even there, it’s not about the business.

Number 13 starts out well: “Inspect the software development practices of vendors to determine …” their ability to control backdoors? How about their ability to control the use of gets()?!?

To be fair, I haven’t read the report–it may contain language about business alignment which is hard to summarize into a bullet list.
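The gets() jab above, and the string-representation point in the Ranum post, come down to the same thing: a C string carries no length, so an unbounded read has nothing to check against. As an added illustration (my code, not anything from the CIO report or the Ranum article), here is the bounded shape a reviewer would want instead of gets(): the read never writes past the buffer, and the caller is told when a line did not fit rather than having it silently overrun. The input is a constructed in-memory stand-in for stdin.

```c
#include <stdio.h>
#include <string.h>

enum read_result { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = 2 };

/* Reads one line from an in-memory "stream" (src, cursor *pos) into dst.
 * Never writes more than dstsize bytes. Unlike gets(), the caller learns
 * when the line did not fit; the unread remainder of that line is dropped
 * so the next call starts on a fresh line. */
static enum read_result read_line_bounded(char *dst, size_t dstsize,
                                          const char *src, size_t *pos)
{
    size_t n = 0;
    if (dstsize == 0) return LINE_TRUNCATED;
    if (src[*pos] == '\0') { dst[0] = '\0'; return LINE_EOF; }
    while (src[*pos] != '\0' && src[*pos] != '\n') {
        if (n + 1 >= dstsize) {            /* no room left for another byte */
            while (src[*pos] != '\0' && src[*pos] != '\n') (*pos)++;
            if (src[*pos] == '\n') (*pos)++;
            dst[n] = '\0';
            return LINE_TRUNCATED;
        }
        dst[n++] = src[(*pos)++];
    }
    if (src[*pos] == '\n') (*pos)++;
    dst[n] = '\0';
    return LINE_OK;
}

/* Constructed sample: a short line, a 40-byte line, and a final line with no newline. */
static const char sample_input[] =
    "hello\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "last";

/* Walks the whole input with a buffer of bufsize bytes (capped at 64)
 * and returns how many lines did not fit. */
static int count_truncated_lines(const char *src, size_t bufsize)
{
    char buf[64];
    size_t pos = 0;
    int truncated = 0;
    enum read_result r;
    if (bufsize > sizeof buf) bufsize = sizeof buf;
    while ((r = read_line_bounded(buf, bufsize, src, &pos)) != LINE_EOF)
        if (r == LINE_TRUNCATED) truncated++;
    return truncated;
}

int main(void)
{
    printf("16-byte buffer: %d line(s) truncated\n", count_truncated_lines(sample_input, 16));
    printf("64-byte buffer: %d line(s) truncated\n", count_truncated_lines(sample_input, 64));
    return 0;
}
```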

0wned in 60 seconds

0:56 – A student system in Founders scanned victim on TCP port 445 (file sharing). Victim responded. Student system immediately closed connection and opened a new connection on victim port 445. Following LAN Manager protocol negotiation and MS/DCE RPC Bind, student system attacked victim with buffer overflow to exploit Microsoft LSASS vulnerability.

Less than 60 seconds from DHCP to buffer overflow. Read about it here.

"What's The Cybersecurity Czar's Job?"

But while we consider whether the position should be upgraded, we should also ask what the cybersecurity czar should be doing in the first place.

says Ed Felten, and he’s right. He suggests two main jobs: securing the fed’s infrastructures (and in doing so, pulling for more secure product), and imposing liability rules. Ed correctly argues that neither of these requires a “Czar.”

There’s a third role, which I think the government might be able to play well, and that is helping us collect information. Today, being broken into is seen as an embarrassing failure. In many ways, it is. But, given the number of cases the cops are dealing with, it’s also very common. Much more common than you’d think. The federal government, either the FBI or DHS, ought to be collecting crime statistics. They ought to be studying crime, and publishing analysis. The reporting of crime ought to be made mandatory, especially if there’s a financial impact. The analysis they do ought to be pinpointing common factors which do or don’t exist. (What the industry, without a trace of irony, calls “best practices.”)

This doesn’t require a “czar,” either, but it’s important, and it’s a role that only a government or insurer can effectively play.