...making Linux just a little more fun! |
By David Dorgan |
The state of software security.
Note, this is just a alpha document , I am going to work more on this.
Computer security today is appalling. It is awful, there are worms all the time, there are ones to attack your email, maybe it's an irc network, maybe it's just a flood of traffic, the situation is getting out of control, and I've not seen any 'security' company help, in fact, they are making things worse, 'how much worse?' allot worse, there are lots of hosts infected right now, and when an owner gets pissed, he hits you. The openssh bug recently was first presented at defcon of this year, and was supposed to be known within ’some circles’ for over a year. I wonder how many of those exist right now?.
I am fast becoming disillusioned with software security. It seems like an uphill battle which just isn't being won. Every company offers the silver bullet, and most users accept that. I'll take an example, recently there have been some virus outbreaks, now allot of machines got infected, and the worm pinged allot of hosts before it infected, in fact it would only try and infect those who replied. This caused a DoS attack on the clients site very often, it seems to have started on the subnet you are on, some if some guy had a laptop and popped behind a 192.168.x.x network, it would try and infect the whole network. The patch site that MS run was very slow due to the demand, 'but what about anti virus software?' Personally I think if the ISP detected this worm on a customers network it should have disconnected their network and then fined the user for wasting their time.
There are some problems with antivirus software,
Now after that recent scare, some 'internet patch' crap did the rounds, and some IDIOTS actually clicked on the .exe file, of course they can plead ignorance. But if I get a car and smash it into somebody, I can't plead ignorance, there is NO liability put on the end user in computing, there is NO liability on software quality put on the vendor. In fact, if you want to think about how careless vendors are, visit this page on Unpatched IE security holes.
Allot of this could be stopped by a tiny amount of clue, in programming, WHY USE STRCPY if you are using C, if you are teaching C in college, DON'T LET ANYBODY USE THEM! Fail anybody who does use them. In the testing phase of code, fail anybody for using these, if they are silly enough to use strcpy for input from a user for example, imagine the possible amount of race conditions, format string overflows etc...
For the end user, do not click on executable files, just don't, don't ask why, who cares who it's seemed to have been sent from, don't execute it, or pif files, or bat files, or scr files etc. Why use word documents? HTML is cross platform, looks great etc...
It's going to get allot worse before it gets better, imagine 1000 of those sobig worms around, not just one. Imagine lots of more infected flying around and stupid software replying to each one, to mailing lists with 100,000 people on them. The future of secure computing isn't coming from vendors such as symantec, that's one thing I do know, and I really believe this after some really stupid statements that some of their 'leaders' have come out with.
$Id: security.html,v 1.7 2003/10/03 17:34:27 davidd Exp $
David has been a very productive writer and plans to contribute more of his
work in the future.