Technology Stocks : The *NEW* Frank Coluccio Technology Forum


To: axial who wrote (10874)
Date: 8/3/2005 9:58:25 AM
From: Frank A. Coluccio
 
Hi Jim,

I passed your post along to a colleague of mine who is a security specialist. The opening sentence of her reply is worth repeating here, IMO:

"I am glad to see that Phil Zimmermann has joined the chorus in publicly saying that the Internet Commons is a crime-ridden slum, and that these unsecured wireless connections are a fertile field for all sorts of malicious behavior, including identity theft - if only of the ABC and XYZ corporate credentials."

It's common to think of the early exhaustion of capacity when we hear the term "tragedy of the commons," along with the chaos and angst that would normally ensue on the part of end users. So it would naturally appear, as well, that if capacity issues could somehow be miraculously solved through the application of the usual bromides associated with Moore's Law, then we'd continue to be in good, if not better, shape as time goes by. And, in fact, if a glut could ever be declared forcing bandwidth capacity pricing down in a precipitous way, then as far as the end user is concerned it would be all the better. But I usually don't (or, I should say, "didn't") associate vulnerabilities to personal and corporate security with the chaos mentioned above as much as I do at this time.

A legitimate question to ponder at this point is whether security on the open Internet is merely an overly optimistic dream whose primary beneficiaries are the alchemy labs of the IP security firms and the management fiefdoms within enterprise IT departments that purport to keep the matter in check? Or, can security actually be implemented on the open Internet and within client end points that would satisfy reasonable levels of end user expectations, while still permitting the openness that is so crucial to the delivery of what we perceive the Internet's benefits to be?

The problem appears to be worsening all the time with no plausible reasons for hoping that it will reverse itself anytime soon, when you view it in the context of straight line capex dollar expenditures on systems and software, and the monies spent on the ongoing operating costs to improve the situation. Even if we set financial costs aside, we also face a certain loss in our freedom of movement, as well, which may prove to be an even higher price to pay in order to maintain reasonable levels of security. Your Comments? Anyone?

FAC
frank@fttx.org



To: axial who wrote (10874)
Date: 8/9/2005 5:06:33 PM
From: Frank A. Coluccio
 
ISS and Cisco v. Granick’s Gambling Plans. By Jennifer Granick

[FAC: Jennifer Granick is Michael Lynn's personal attorney, representing him in the referenced situation above. (See Message 10874 above as well). Her views are presented in four parts, starting at the bottom of the following page and working their way up to the top (today): granick.com. The opening several paragraphs of this ongoing account follow, starting with her August 2nd message that followed the Black Hat event:]

---snip

What follows is my take on “Ciscogate”, the uproar over researcher Michael Lynn’s presentation at this year’s Black Hat conference, in which he revealed that he was able to remotely execute code on Cisco routers. I have been representing Mike during this crisis, so I’m clearly partisan, and what I can say is limited by attorney-client responsibilities. But while many people are speculating about the facts, there hasn’t been much on the law, which turns out to be really interesting.

I arrived in Las Vegas around 1:00 PM on Wednesday. My plane had been delayed and I was anxious to get to Caesar’s Palace and get prepared for my presentation, scheduled for 3:15P. My parents and sister also were coming to see me and I had to get approval for their day passes from the Black Hat powers-that-be. I had heard that there was a chance of some legal problems with a talk that Mike Lynn had planned to give about Cisco router vulnerability and that the night or so before the conference, Cisco sent temp workers to cut Lynn’s slides out of the presentation materials and to seize CDs containing his powerpoint presentation. But I wasn’t involved in the case yet.

---end snip

From NANOG, some additional, cogent comments from poster MD on the same subject that struck me as being highly pertinent:

---snip:

/* ARTICLE
> Experts and users say the hole in IOS appears not to be an immediate
> concern based on what is public knowledge at the moment, since patches
> are available. But what concerns some is that Lynn's exploit
> techniques take router hacking to a new level, which eventually could
> have security implications for Cisco customers.
> */

They are not "Lynn's exploit techniques". The techniques were
published by someone else in considerably more detail than
Lynn along with source code. And this other person has also
described techniques for attacking other brands of network
equipment not just Cisco.

There is a sea change in hacker activity under way as
they realize that most embedded systems (including routers
and switches) are now based on general purpose computer
technology and that such systems are full of opportunities
for software exploits. Hackers no longer just attack OSes
like Windows and Linux, they now are beginning to go after
any kind of smart device, especially when the exploits can
be leveraged for blackmail or to earn cash from espionage.

You aren't safe just because your network runs on brand X
boxes. The only way to be safe is for your brand X vendors
to take software security and systemic security much more
seriously. I also believe that there are lessons to be
learned from the open source community's approach to security.
This doesn't mean that Cisco or any other Brand X vendor
should just run out and replace their box's OS with
OpenBSD or NetBSD or Linux. But they need to seriously
ask themselves what advantage they gain from inventing
their own wheel and rejecting the work of thousands of
highly skilled and dedicated people.

There really is no such thing as closed source. The people
building these exploits are fully capable of taking
code from ROM or flash memory and reading what it does.
It's all fine and well to have layers of security but
hiding your source code really shouldn't be counted
as a security layer.

Even if someone managed to eliminate Lynn and all past
and current employees of ISS by exiling them to Cuba,
this would not stop the hackers who are exploiting
network device flaws.

---end snip

Those are some interesting ideas to contemplate and digest, eh? They speak volumes about the need for robustness through diversity, as opposed to the dependence on monoculturist defaults that the universe of networking platforms shares, if nothing else ... Comments?

------
FAC