RE: botnets: web servers, end-systems and Vint Cerf

> >Therefore, I assert that securing systems
adequately for use on the 
> >Internet is indeed a SOLVED PROBLEM in computing.
> 
> A HUNDRED MILLION machines beg to differ.

You misunderstand. The problem of securing machines *IS*
solved. It is
possible. It is regularly done with servers connected to the
Internet.
There is no *COMPUTING* problem or technical problem. 

The problem of the 100 million machines is a social or
business problem.
We know how they can be secured, but the solution is not
being
implemented.

--Michael Dillon

On Feb 16, 2007, at 9:12 AM, <michael.dillonbt.com> wrote:

> It is regularly done with servers connected to the
Internet.
> There is no *COMPUTING* problem or technical problem.

I beg to differ.  Yes, it is possible for tech-savvy users
to secure  
their machines pretty effectively.  But the level of
technical  
knowledge required to do so is completely out of line with,
say, the  
level of automotive knowledge required to safely operate an
automobile.

> The problem of the 100 million machines is a social or
business  
> problem.
> We know how they can be secured, but the solution is
not being
> implemented.

We know how -people with specialized knowledge- can secure
them, not  
ordinary people - and I submit that we in fact do not know
how to  
clean and validate compromised systems running modern
general-purpose  
operating systems, that the only sane option is
re-installation of OS  
and applications from scratch.

There have been very real strides in increasing the default
security  
posture of general-purpose operating systems and
applications in  
recent years, but there is still a large gap in terms of
what a  
consumer ought to be able to reasonably expect in terms of
security  
and resiliency from his operating systems/applications, and
what he  
actually gets.  This gap has been narrowed, but is still
quite wide,  
and will be for the foreseeable future (witness the current 

renaissance in the area of browser/HTML/XSS/Javascript  
vulnerabilities as an example of how the miscreants can
change their  
focus as needs must).

------------------------------------------------------------
-----------
Roland Dobbins <rdobbinscisco.com> //
408.527.6376 voice

           The telephone demands complete participation.

                       -- Marshall McLuhan

>>>Therefore, I assert that securing systems
adequately for use on the 
>>>Internet is indeed a SOLVED PROBLEM in
computing.
>>A HUNDRED MILLION machines beg to differ.

* michael.dillonbt.com [Fri 16 Feb 2007, 18:27 CET]:
>You misunderstand. The problem of securing machines *IS*
solved. It is 
>possible. It is regularly done with servers connected to
the Internet. 

Given that even NASA has issues writing correct programs I
would call it 
far from "solved" for any reasonable definition of
the word, even in 
hyper-correct environments such as programming spacecraft
where time and 
budget constraints are secondary to safety (security).

Or did you forget to mention that your secured machine is
powered off?


>There is no *COMPUTING* problem or technical problem.

Denying that there is a technical problem with a hundred
million 
machines out there not under full control of its owners is
delusional.


>The problem of the 100 million machines is a social or
business problem.
>We know how they can be secured, but the solution is not
being 
>implemented.

Clearly the solution you have in your mind isn't obvious to
us out here 
in the real world, nor simple, as we haven't figured it out
yet.


	-- Niels.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

michael.dillonbt.com wrote:

> You misunderstand. The problem of securing machines
*IS* solved. It is
> possible. It is regularly done with servers connected
to the Internet.
> There is no *COMPUTING* problem or technical problem. 

True *BUT* (and this is a really big but) it requires that
you do something
*BEFORE* you connect it to the Internet.

> The problem of the 100 million machines is a social or
business problem.
> We know how they can be secured, but the solution is
not being
> implemented.

Whilst the problem is social in terms of people not
knowing/wanting to do the
securing before connecting, the technical solution is to
make the software
secure by default. If you think anything else then you are
delusional.

J

- --
COO
Entanet International
T: 0870 770 9580
http://www.enta.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


iD8DBQFF1fBaR+KszLBLUT8RAo+AAJ97RxMBhyZY2MQMRAFs3KWM7EPkHACg
qebN
g/nOPkbZffyEDoWAIEvQUK0=
=w0iC
-----END PGP SIGNATURE-----

On Feb 16, 2007, at 10:12 AM, <michael.dillonbt.com>  
<michael.dillonbt.com> wrote:

>
> You misunderstand. The problem of securing machines
*IS* solved. It is
> possible. It is regularly done with servers connected
to the Internet.
> There is no *COMPUTING* problem or technical problem.
>
> The problem of the 100 million machines is a social or
business  
> problem.
> We know how they can be secured, but the solution is
not being
> implemented.

So, you're saying we can secure them so long as we put
them behind NAT AND humans don't use them?

-danny

On Sat, 17 Feb 2007 17:38:18 MST, Danny McPherson said:

> So, you're saying we can secure them so long as we put
> them behind NAT AND humans don't use them?

I think a few messages back, I specifically phrased my
comment about
getting them off my radar to cover this - I actually don't
care if they
are or aren't in fact secure, as long as their insecurity,
if any, isn't
visible to the outside world.