November 19th, 2005, 02:51 AM
#51
I was just thinking about the part just after your quote in that paper, where he is talking about trusting compilers, hardware, etc. What if we can't trust the compilers all our software was made with? Simple: disassemble the code and make sure the instructions coincide with what you programmed. How can you trust the disassembler? Etc. Stupid really, but something to think about. I didn't read much of that part, so I probably missed where he mentions that it is silly to worry about that type of stuff. I'm too focused on the small things. I guess that's just the way I am.
-
November 19th, 2005, 01:32 PM
#52
I didn't read much of that part, so I probably missed where he mentions that it is silly to worry about that type of stuff. I'm too focused on the small things. I guess that's just the way I am.
Need I say more?
Anyway...
Since I see where this is going, I’ve decided to craft one last post on this thread.
Let’s dumb it down shall we?
Let’s for a second pretend that I’ve just handed you the most uber weapon that can be had in the video game “Security”. You have never played this game but have heard about it from friends. You cannot wait to play, especially knowing you’re going to materialize with the supreme weapon available.
One of two things will happen.
You will either run amuck with this new weapon allowing all of the others in the game to realize that you’re a n00b or you will bide your time and learn the landscape, the players, their relationships, their weapons and how they use them. Taking that a step farther, you will then craft your strategy for victory.
If you run amuck, you will not be nearly as effective with that weapon (call it any policy, theory, ISO doc, whatever) as someone who knows the playing field and how all the players and movements relate to the game. In the real world, when you are smoked out and labeled a dumb ass, you are captained. Captained simply means you are taken away from the real tasks and assigned meaningless busy work. This is the equivalent of death in an organization.
If you’re smart and take the time to learn how all the pieces interoperate, then you will surely come to the conclusion that you will need more than just this uber weapon to win this game. Relating this to the real world, you cannot run around waving a document without understanding how and who it will impact and what you need to do to drive the document and its contents home. The very worst thing you can do is smugly wave a document and chastise others about security (models, theories, standards, whatever) without understanding everyone playing and the landscape you’re playing on. This would be different departments, budget issues, public perception, stockholder perception, individual goals, and the list goes on.
So in the end, documents, theories, controls and what have you will not be seen as a panacea when applied in real world situations. You’ll need a hell of a lot more ammo than a soapbox, a document you downloaded from the net and self-appointed righteousness in the cause to make all the dum dums understand that you have the right answer in your doc, standard, theory, ISO, or whatever else you’ve been pitching.
Someone said that humans are imperfect so there can be no perfect computing model. This is a fairly intelligent statement. Add a hundred or so imperfect humans to interpret a perfect computing model (hardware, software, policy, etc.) and see what you’re left with.
In theory I agree that there are perfect computing models. This is especially the case in a vacuum or a university environment.
In practice, because external influences will taint perfection (this can even be the business requirements), there is no such thing but you can sure get damn close.
I’m done.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
November 19th, 2005, 07:08 PM
#53
The analogy between computing and ordinary life is what I insist on coming back to. We have an open political and economic system that resists formal security measures. We don't fight crime by designing a society where each citizen's rights are assigned according to "least privilege" or "need to know".
Your rights are unspecified and broad. Government's powers are specified and narrow. When people disagree they fight it out in court or politics, and the results are not predetermined. It seems like chaos. Morons have the right to spend their money the way they choose. This is what directs manufacturers to produce things, not the other way around.
Increasingly, computers are networked, and used as communication devices, a use that was unforeseen when they were invented. If someone had imposed a formal security model in the 1960s, there would be no internet. There's no way I would have let Richard Stallman anywhere near a computer if I had known his political views. He might try to sabotage the system and reveal my secrets.
The "network is the computer", they say, and that means that without net access you miss out on net citizenship. Today, your privileges in computing are undefined and broad. You have (I hope) total ownership of your own computer. When you go online, your ISP has something to say about your behavior. (Be nice to them.) Each host you connect to may have its own configuration and idea of rights and privileges.
This is the way it should be. Don't buy the idea that formal security will make you more secure. It will put you into "container B".
I came in to the world with nothing. I still have most of it.
-
November 20th, 2005, 01:42 AM
#54
Junior Member
On the topic of operating systems and their security.
Computer security obviously falls under math, which means it's something that can be measured and counted. Just like with Boolean, it's a yes or no, quid pro quo, 1 or 0, a logical true a logical false. So I presume this can or will spill over to almost every branch of computer security. A problem with it meshing with an existing infrastructure doesn't make it any less true.
However, as horse pointed out, he must pick and choose his implementations or it's gonna cost money and send his ass packing or sharing an office with the interns. This man exercises authority over 1000s of servers each day. horse will point out where I commit folly.
Example from the Dev-proof PDF. It discusses how to develop and prove a multi-level security policy. The SNet system to be exact.
sum(x, y) = x + y;
c = sum(a, b);
A set S of subjects
A set D of data
A set M of messages
A set E of events
A partially ordered set H of histories
A partially ordered set L of levels
A mapping Trusted: S → Boolean
A mapping Subjectlevel: S × H → L
A mapping Maxlevel: S → L
A mapping Messagelevel: M → L
A mapping Destination: M → S
A mapping Data: M → D
A mapping Sender: M → S
A mapping Newhistory: H × E → H
"Verification of computer programs and systems is a difficult problem. This is mainly because most common programming languages are designed from an operational, rather than a mathematical semantics."
I guess this is one of the reasons why catch was suggesting Ada, which has been revised to Ada95 and has incorporated numerical programming into the mix. It was the consensus of the mathematical foundations group at the Verification Workshop (1985), where you'll find Norman H. Cohen talking about Ada in the ACM. catch will definitely point out where I commit folly, but I'm pretty sure that's what he was talking about.
Also in the dev-proof paper it mentions that a multilevel secure local area network is under development at Boeing Aerospace Corporation. Couldn't find a paper for that one, but while searching I ran into the High Assurance Multilevel Services For Off-The-Shelf Workstation Applications PDF by the Naval Postgraduate School / James P. Anderson, James P. Anderson Co. I figured if it shot off the James P. Anderson John Hancock it was good to go, and I wasn't disappointed. You might find some of it redundant though if you have read the "Approach to Identification of Minimum TCB Requirements for Various Threat/Risk Environments".
Just a reminder of the topic:
This list of papers was initially distributed on CD-ROM at NISSC '98. These papers are unpublished, seminal works in computer security. They are papers every serious student of computer security should read. They are not easy to find. The goal of this collection is to make them widely available. This list was compiled by the Computer Security Laboratory of the Computer Science Department at the University of California, Davis. See Acknowledgements.
RC,
One question: how the hell can one be "over educated" on a subject? Humans by nature are educated every day whether you like it or not... the hunter-gatherer stage.
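An added example (not code from the thread or from the SNet paper) that turns the listed sets and mappings into a small runnable check. It assumes the standard multilevel rules (a message may only reach a destination whose current level dominates the message level, and an untrusted sender may not label a message below its own current level, trusted subjects being exempt); the level lattice, subjects and history below are constructed for illustration.

```python
# Toy executable view of the SNet-style model components listed above.
# ASSUMPTION: standard MLS rules (no read up / no write down, Trusted
# subjects exempt from write down); the paper's own obligations may differ.
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """An element of the partially ordered set L: a rank plus compartments."""
    rank: int
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Partial order: higher-or-equal rank AND superset of compartments.
        return self.rank >= other.rank and self.compartments >= other.compartments


@dataclass(frozen=True)
class Subject:
    name: str
    maxlevel: Level          # Maxlevel: S -> L
    trusted: bool = False    # Trusted: S -> Boolean


@dataclass(frozen=True)
class Message:
    sender: Subject          # Sender: M -> S
    destination: Subject     # Destination: M -> S
    level: Level             # Messagelevel: M -> L
    data: str                # Data: M -> D


def subjectlevel(subject, history):
    """Subjectlevel: S x H -> L. History is modelled as a dict of current
    session levels; a subject absent from it runs at its Maxlevel."""
    return history.get(subject.name, subject.maxlevel)


def check_send(msg, history):
    """Return (allowed, reason) for one send event under the assumed rules."""
    cur_sender = subjectlevel(msg.sender, history)
    cur_dest = subjectlevel(msg.destination, history)
    if not msg.sender.maxlevel.dominates(cur_sender):
        return False, "sender session level exceeds its Maxlevel"
    if not msg.sender.trusted and not msg.level.dominates(cur_sender):
        return False, "no write down: message labelled below sender level"
    if not cur_dest.dominates(msg.level):
        return False, "no read up: destination does not dominate message level"
    return True, "ok"


# Constructed sample: two compartments, three subjects.
UNCLASS = Level(0)
SECRET_A = Level(2, frozenset({"A"}))
SECRET_AB = Level(2, frozenset({"A", "B"}))
alice = Subject("alice", SECRET_AB)
bob = Subject("bob", SECRET_A)
guard = Subject("guard", SECRET_AB, trusted=True)
```

Running `check_send(Message(alice, bob, SECRET_AB, "x"), {})` is refused because bob's compartments do not dominate {A, B}, while the same message from alice logged in at UNCLASS (`{"alice": UNCLASS}`) with an UNCLASS label is allowed.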
-
November 20th, 2005, 02:36 AM
#55
Originally posted here by thehorse13
Typically I don't engage in flaming, however, I take special interest in the case of skiddie (herect3c or whatever).
What most of you don't see is that he is spoon fed constantly on IRC by myself and others. Being a "n00b" is excusable, being a lazy f@#$ is not.
That said, I like him in a bastard step child sort of way. He entertains me at times but then grinds my last nerve on other occasions. I directed him to go read because typically he doesn't. He simply continues on like a broken record pleading for help.
I've never minced words with Neel before so I'm somewhat surprised at his response to my posts. Be that as it may, if you'd like to continue to take shots at me, I welcome you to do so though it would be wise to understand why someone posts before you decide to judge motives, assign theoretical value to the site or simply behave like a simp.
I missed this post before and I was just rereading through the thread. I've given up IRC for the time being. I think I'll also give up on myself in this thread for the time being. I hope nobody else does the same as it is an interesting thread. Peace.
-
November 20th, 2005, 02:48 AM
#56
Junior Member
A god damn fly on the wall in a server room! <insideJoke> ROFmofoL
God damn, I'm speechless, horse you can't, this **** is unbeatable on this one. You gotta let nature take its course!
Children are innocent.. teenagers are ****ed up in the head.. Adults are even more ****ed up.. And elderlies are like children.. Will there be another race to come along and take over for us? Maybe martians could do better than we've done.. We'll make great pets! We'll make great pets! My friend says we're like the dinosaurs.. Only we are doing ourselves in much faster than they ever did.. We'll make great pets! ~ Porno For Pyros. When I'm out walking I strut my stuff yeah I'm so strung out I'm high as a kite I just might stop to check you out ~ Violent Femmes
-
November 20th, 2005, 02:59 AM
#57
Formal security models are a superset of informal ones... not the other way as many people think. This is why users like rcgreen and chsh that have no experience with formal models simply do not understand them. The idea of something beyond their own knowledge set puts them on the defensive. Close-mindedness is an unfortunate thing...
I have never heard anyone ever who was familiar with formal security models and systems based on them that didn't feel they were significantly better. Seriously... how many PhDs can you find who are Information Security experts that feel informal security models are better? Or even comparable.
If you think about security as a process... an informal solution is a generic answer.
Informal: "What system can do X?" "System Y seems popular, so it'll prolly do what we need."
Formal: "What system can do X?" "First we must define X to quantify all of the specific requirements: X(1,2,3...), now we have a requirement. System Y must have matching characteristics for every X. If Y(1,2,3...) == X(1,2,3...) then Y is verified... for every exception Z, Y must be modified or supplemented until Z is an empty set."
Do you notice the difference? Of course people who do not understand the quantification of requirements and the verification of their solutions will think this is a silly, wasteful process.
I guess this is one of the reasons why catch was suggesting ADA, which has been revised to ADA95 and has incorporated numerical programming into the mix.
Ada2005 is now out... you can pick up a free copy of GNAT with 2005 support at adacore.com
cheers,
catch
-
November 20th, 2005, 03:07 AM
#58
Junior Member
Originally posted here by catch
Ada2005 is now out... you can pick up a free copy of GNAT with 2005 support at adacore.com
cheers,
catch
The only reason why I even spend my broadband on this site...........
Cheers M8's
-
November 20th, 2005, 12:56 PM
#59
I remember about a decade or so ago, Ed Schonberg was pitching his company at a large technology show. Keep in mind, there were very few large players in the Unix security code space back then. Christ, most didn't even have a firewall at the perimeter back then.
Anyway, I can remember people looking very puzzled after he was done speaking, almost like he had just done a presentation in a foreign language.
Interesting what ten years has done for them.
-
November 20th, 2005, 05:17 PM
#60
Junior Member
Yesssss doctor, if my recollection serves me correctly, he's a professor at the institution where you obtained your masters.