Vint Cerf

[[BTF]Defiant!]

Listened to Vint Cerf then talked with him afterwards.  Funny that he is referred to as the "father of the internet"; and, actually gives Al Gore significant credit for supporting network technologies. 

[reaper]

how hard is it to fund a program. "yeah looks good, alright, sign me off"

[[BTF]Defiant!]

how hard is it to fund a program. "yeah looks good, alright, sign me off"

True, not technically hard; but, what you describe is what congress does.  What makes it tough, I suspect, is in deciding what not to fund as much as what to fund.

It surprised me that a foremost expert who co-invented the internet and repeatedly met with Al Gore, says that "Al Gore deserves significant credit" for seeing the importance of networking that his peers lacked and didn't follow through to support.

[quadz]

Apparently Al Gore realized, decades earlier than his colleagues, that the future was indeed not a big truck - but a series of tubes.

[Whirlingdervish]

...and a lockbox.

 

[[BTF]Defiant!]

Tubes!   
http://www.youtube.com/watch?v=f99PcP0aFNE

The lockbox is a horrible classic, even Sammy Hagar thinks so
http://www.youtube.com/watch?v=tWT8RaQhbjg -- and seriously, since when was Will Ferrell on guitar for Sammy (0:30)?

[quadz]

Heheh 
http://www.youtube.com/watch?v=_cZC67wXUTs

[reaper]

in all serious the internet does have some serious problems.  you have some mafia organization that can take down practically any online entitity they wish

i vote for some type of botnet security force, where they trace the connections as best as humanly possible, then do some point and clicks, gun fire style.

[Whirlingdervish]

but reaper,

Quis custodiet ipsos custodes?

 

[quadz]

in all serious the internet does have some serious problems.  you have some mafia organization that can take down practically any online entitity they wish

I wonder... Isn't this largely the result of clueless windows users whose machines have become hosts to botnet-enabling trojan software?

In other words, even though zombie army botnets currently exist, shouldn't this be a problem that is solvable through tighter OS security safeguards in the home sector?

Or do you think that no matter how hard M$FT tries to fix holes in their OS, and stop running user accounts in Administrator mode by default, that trojan writers will still find ways around the security and infect systems to the same degree they do today?

I would like to think the problem is mostly solvable.  Sophisticated users rarely get infected with trojan software, and, well, dumbass users should be running in some sort of dumbass shell that doesn't allow web-based installation of software....???


Regards,

quadz

[reaper]

in all seriousness the internet does have some critical problems.  you have some mafia organization that can take down practically any online entitity they wish

i modified my own quote a little, i think that's acceptable 

I wonder... Isn't this largely the result of clueless windows users whose machines have become hosts to botnet-enabling trojan software?

insecure windows hosts, run by users who don't care or don't know how to secure their machines was their attack vector, and the weakest link.  I did read a report that linux boxes are growing in numbers on the botnets.  there are still a lot of ways for the botnets to infect machines other than just through windows users.  if you compromised other infrastructure, you can still get your botnet, or do you think it's to hard?

SQL injection attacks creating botnets from China, are becoming prevelant, and very succesfull.  However it's interesting to note, the vast majority were cleaned up very quickly by the administrators.

In other words, even though zombie army botnets currently exist, shouldn't this be a problem that is solvable through tighter OS security safeguards in the home sector?

if the botnet operators focused there efforts elsewhere, I think they could still stir something evil up.  real evil, there was a security company that was effective against them, now that security company is out of business.

Or do you think that no matter how hard M$FT tries to fix holes in their OS, and stop running user accounts in Administrator mode by default, that trojan writers will still find ways around the security and infect systems to the same degree they do today?

the stormnet worm uses social engineering as well, although of course running software with less rights to the system should prevent a lot  -  unless there is some type of priviledge escalation possible.  mitigating attacks through software having lower access credentials is also easier said then done, don't you think it would be very difficult to fix every possible problem?  what about software that needs access rights, and becomes vulnerable to some attack, like a recent buffer overflow in trend-micro.

I would like to think the problem is mostly solvable.  Sophisticated users rarely get infected with trojan software, and, well, dumbass users should be running in some sort of dumbass shell that doesn't allow web-based installation of software....???

what about the other attack vectors, like phishing, and sniffing traffic through layer2 attacks, etc., there are so many attacks. surely these things can be automated somehow.  i don't know the answer, maybe that's a big step of the solution, to help the average user not become infected.    easier said than done i guess, but it still needs to be done.

it's really hard to catch someone going through tor, and from wireless, but people slip up, and i think we can catch them sometimes.  i bet we don't have what we need in place, but then again, what the hell is the NSA up to now, aren't they reading some ridiculous amount of data, like 10 percent of the U.S backbone, boooo

Quis custodiet ipsos custodes?

we have to keep the government as trustworthy, and keep them on the right track.  i certainly don't expect them to take out some random business like the botnet mafia has and will.  at this point i trust them more than the botnet owners. although i'm really upset they are reading the data like that

shame on them!

 

 

it's a series of tubes mother f'er!!!!![/color][/b]

[quadz]

I did read a report that linux boxes are growing in numbers on the botnets.

Hmmm, that sucks... did some reading...

Some articles on Linux systems used in botnets:

http://lwn.net/Articles/222153/
http://www.techworld.com/security/news/index.cfm?newsid=10251&pagtype=all


An article describing some of the PHP vulnerabilities often used to gain access:

http://lwn.net/Articles/203904/

...I made several changes to the server's PHP configuration after reading that. 


An article describing the botnet attack that put Blue Security out of business:

http://www.wired.com/wired/archive/14.11/botnet.html


And a quote from none other than Vint Cerf, estimating that one quarter of all internet connected computers are part of a botnet (!!!)

http://arstechnica.com/news.ars/post/20070125-8707.html


Ugh... talk about an epidemic... that really sux...

[reaper]

looks like those php attacks, are somewhat like the SQL injection attacks, in SQL injection you get SQL to run things the programmers didn't want, looks the same with PHP.

the SQL injection goes like this:
form variables are passed to the database via http gets, or http posts, and then executed by the sql shell. so if you pass a variable with question marks after the url, the get is processed by the web server, and the variables are sent to the sql shell, and run with privileges of the web server.  you can even enable a dll, and run a stored procedure which gives you a cmd like shell access.  then tftp netcat up, and do some trickery to get a remote gui.

the problem is usually that simply the user input isn't validated, it should be whitelisted, like if it's a date, just accept a date.  not semicolons, and user input commands.  you could use a software tool to modify the post, or alter the url yourself to send what input you want.  so you have to check the input, and run the web server at the right privliges.

I don't think you can run software and found out these problems, and if not, they're here to stay I think.

[quadz]

I don't think you can run software and found out these problems, and if not, they're here to stay I think.

I'd agree it's hard to automatically find such bugs in existing software... However... I think there are measures that can be taken to prevent future programs from having these sorts of bugs.

Consider the classic "buffer overrun" exploits... Solution: Stop writing programs in C.   ...Languags like Perl, Python, Ruby, and Java don't give naked access to pointers to memory... thus it is effectively impossible to get the kind of buffer overrun exploits that are so common in poorly written C programs.

As for the SQL injection sorts of errors... Perl and Ruby have a concept of 'tainted' data that can help raise awareness in the programmer when dealing with untrusted data.  If your program receives data from an external source, the data is tainted.. And if you try to take tainted data and write it back out to disk or to another program, you'll get a SecurityError.

Now if you want to be lazy, you can just turn that off, or you can just blindly tell Perl or Ruby to untaint the data without doing any validation on it.  But the mechanism is there in the language, and if used properly it can help prevent accidental use of untrusted data.  (What you're supposed to do is validate that the data looks good and is in the proper format before deciding to untaint it.)

Anyway... I do think there are steps that can be taken at the language level, and at the application framework level, to help prevent or reduce the sorts of exploits we currently see in many programs.


Regards,

quadz

[kren.Z]

wow, great discussion