L0pht’s warnings about the Internet drew notice but little action

177 points, by weld, almost 10 years ago

10 comments

tptacek, almost 10 years ago
The more I think about this story, the dumber it seems to me.

The narrative seems to be, L0pht testifies, world ignores them, chaos ensues. But Mudge's testimony coincides almost perfectly with a software security renaissance. The reality is more like: L0pht testifies, world ignores them, gigantic sea-change in security leads to 9-figure investment in securing Windows, the near eradication of SQL injection from popular applications, universal deployment of TLS in financial applications, chaos ensues anyways.

What, exactly, would be different if people _had_ "listened" to the L0pht? Would we have S-BGP? DNSSEC?

The simple fact is: in 1998, when this happened, _nobody knew how to fix any of the problems_. If we had known, we'd have been doing that. There were still servers in 1998 that used deslogin.

I'm very happy that a bunch of people I like got to put their handles on nameplates and get recorded testifying to dummies in Congress. I do not, however, think it was an event with much meaning.

_Later._

I think it's literally the opposite of the gist of this story. Everything is much, much better than it was in 1998. We have made surprising progress, and addressed security problems with an improbable seriousness:

1. Most new software is no longer shipped in C/C++.

2. The devastating bug class introduced with new languages (SQLI) was, for public-facing software, ratcheted back from "universally prevalent" to "rare" within a decade.

3. 3 billion Internet users all run software that downloads unsigned code in a complex, full-featured language with a dizzying variety of local C library bindings, right off web pages, executes it locally, and it's _a news story_ when Pinkie Pie wins Pwn2Own with a working reliable Chrome clientside.

4. Anyone who wants strong crypto can have forward-secret elliptic-curve DH AEAD transports with a config file tweak on their servers.

5. Microsoft went from MSDOS levels of security to "you can live like an investment banker if you can reliably produce a couple Windows exploits a year" levels of security, again inside a decade.

6. Despite its emergence as an entire new category of computing platform, with its own new feature set, the most popular mobile OS has --- it appears --- zero effective malware outbreaks.

7. Remember Sendmail? Remember BIND? Probably only if you're a security nerd. The last working SSH vulnerability was how many years ago?

As usual: everything's amazing and nobody cares.
Animats, almost 10 years ago
l0pht is a successor to Cult of the Dead Cow, which goes back to the 1980s.[1] Their "Tao of Buffer Overflow"[2] is still a good read.

The two big problems in computer security used to be Microsoft and C. Amit Yoran said that publicly when he was Homeland Security's head of computer security. That made him unpopular, and he resigned in 2004. Yoran was then replaced by a Cisco lobbyist who kept his mouth shut. (Yoran did OK; he's now the CEO of RSA.)

[1] http://www.cultdeadcow.com/
[2] http://www.cultdeadcow.com/cDc_files/cDc-351/
dnlongen, almost 10 years ago
Rather encouraging to see mainstream media describe hacking accurately: "...insights about how various systems worked — and in some cases could be made to do things their creators never intended. This is the essence of hacking. It is not inherently good or evil. It can be either, or in some cases a combination of both, depending on the motives of the hackers."
jessaustin, almost 10 years ago
_The Internet itself, he added, could be taken down "by any of the seven individuals seated before you" with 30 minutes of well-choreographed keystrokes._

If this wasn't exaggeration, we should study the fortunate circumstances by which this calamity has been avoided for 17 years.
kwhitefoot, almost 10 years ago
It was an exaggeration.

But it is certainly not especially hard for _governments_ to take down the net in their own country and in many cases reduce the degree of interconnectedness with other countries so far as to effectively take down large chunks of the Internet. The problem is that we do not truly have a network, instead we have a tree structure connected to a very small number of fat pipes. As originally envisaged the internet would be resilient in the face of the failure of one route because there would be many alternative routes but that is not what we have today.

This is a much bigger threat than the cracking of individual machines.
acqq, almost 10 years ago
The title picture is wonderful.
fapjacks, almost 10 years ago
The picture is worth a million dollars. Especially their nameplates, and the way they've dressed but are still very clearly pure fucking hackers, just by the looks on their faces. I want this framed.
kbenson, almost 10 years ago
> Even today, many serious online intrusions exploit flaws in software first built in that era, such as Adobe Flash, Oracle's Java and Microsoft's Internet Explorer.

Isn't that like saying "Many accidents happen to models of cars first built during that era?" Just because they debuted then doesn't mean they are substantially, or even remotely the same thing. How many complete rewrites of Internet Explorer have we had since then?
themeek, almost 10 years ago
There are two fundamental systemic blockers to investment in information security.

The first is a problem with incentives over time. (The same thing happened with global warming, with overfishing, with deforestation, with cyber privacy rights, etc.) The problem is that the immediate incentives do not align with the long term incentives. If the country that can cut down the most forest or burn the most oil is the one that wins, relative to the other, a global race for power projection - no country will want to perform in the short term what it must in the long term.

Alas, today the short term incentives in software and hardware development are mostly the same. The security community has long preached built-in security as a crucial and fundamental engineering design goal. Today, as it has been for decades before, software is not competitive if it has security built in. It raises the costs of development and it slows production, and building security awareness into every developer would require years of additional professional experience or schooling: building in security is a competitive disadvantage.

The second problem is that everyone's threat model is different:

- Consumers want their computers to run quickly and do not want their information or identity stolen. They want to have convenient and reliable control over the privacy of their online interactions - from the public and from law enforcement.

- Industry does not want to spend more time and treasure creating fewer visible features. Their existential threat model is losing their business by being too slow at production. Corporations are also scared dumb of having a SONY-style or Target-style breach.

- Government wants to be able to peek into all communications of everyone including its citizens. It wants to be able to hack into other countries - both their industrial and their government sectors - and those of private foreign citizens. It does not want the same to be true in reverse.

It's also true that the types of systems used by the military are different than those used in industry which are further different than those used by consumers. Where do you allocate investment in security? Consumer internet browsers? Virtualization for enterprises? Network intrusion detection for corporate LANs? Access control for government systems? Which do you prioritize? (Granted, it's true that some technologies are shared between these classes, such as web browsers)

What's happening right now is that the discussion about threat model is being negotiated (though not in those conscious terms). Governments make their case about national security - how they need backdoors - and how they would like computer security to work. Security professionals - many of them private citizens - have separate threat models and can't agree with government. Individual citizens want privacy - and can't agree with government or industry. Industry wants to get customer and competitor data but also doesn't want to leak their own.

To the degree that the threat models are compatible, some level of real investment can be made (today there do happen to be large scale efforts to mitigate cyber security risks - particularly threat intelligence sharing programs).

Yet fundamental contradictions in threat models will keep the direction of security in limbo and worse, if some threat model 'wins' it will come at the expense of the others. Government's goals, even in so labeled 'free' countries, are misaligned with their citizens on threat model. Government goals themselves are further internally contradictory, as they would like computer networks to be both secure and insecure (giving birth to phraseology such as "NOBUS").

Today not only are we not able to secure the internet and computer systems, we still don't really know what a secure internet would mean.
hoodoof, almost 10 years ago
long hair: hacker credibility +1

beard: hacker credibility +1

nickname/handle: hacker credibility +1

glasses: hacker credibility +1

suit: hacker credibility -1