Thursday, May 17

Human nature

The surest way to corrupt a youth is to instruct him to hold in higher
regard those who think alike than those who think differently.

-Nietzsche

Four stages of acceptance:
i) this is worthless nonsense;
ii) this is an interesting, but perverse, point of view;
iii) this is true, but quite unimportant;
iv) I always said so.

John Haldane (1892-1964), English geneticist

Food for thought

Some problems are so complex that you have to be highly intelligent
and well-informed just to be undecided about them.

Laurence J. Peter

“In the choice between changing one’s mind and proving there’s no need
to do so, most people get busy on the proof”

John Kenneth Galbraith

Trees

Whenever I see an old gnarled tree I find that thinking about its life is a sobering experience. When you think about it, a lot of things can be put into perspective.

Often we are so embroiled in our day to day issues that we forget the big picture. The existence of an individual is but a blip on the horizon in the time spanned in the life of an ancient tree.

Take some of the big mountain grey gums (Eucalyptus cypellocarpa) in the gullies of Kinglake. The older ones are probably at least two hundred years old.

Just stop and think about this. Two hundred years ago, Australia had just been settled by Europeans. What has gone on in history since then? Wars, booms and busts in the economy, social and political upheavals… Through it all, this tree has stood the test of time, serving many useful functions for the environment.

Ethics and the teaching of IT security

Some of my students this semester seem very interested in the cracking side of things. How much should I teach them?

A tricky area that I have yet to deal with adequately. Part of my response to one student who asked about finding a possibly vulnerable server:

A good citizen would advise the owners of the server… or would they?

There are the issues that I raised of the whistle-blowers. Compare Mike Lynn to the Zero Day Initiative. If you inform the organization, what will they do: ignore you, sue you, hand you over to the police, thank you or pay you?

Things are much more complicated than you think:

  • Can you tell the difference between a real server and a honeypot? I think not…

  • There is a more complex issue of an older, but patched, version of software versus an old and unpatched version. Just because a server is running an old version, it does not automatically mean that it is vulnerable.

A little knowledge is a dangerous thing!

Not to mention quite illegal…

Reasonable or not?

Aspects of software design

How software fits together

An understanding of this is critical to understanding system security

Background - security issues

  • Buffer overflows - allow many intrusions
  • SQL injection - serious problem for database-backed web sites
  • Poorly constructed trust logic - allows malware infections

The situation can best be illustrated with an example.

Case study - Postfix

What is Postfix?

Mail server - exactly what does a mail server do?

  • Mail receipt
  • Mail delivery - local
  • Mail delivery - remote
  • Queue management
  • Good neighbour to others
  • Filtering - suspect mail, virus
  • Validation - domain keys, sender id

Written by Wietse Venema - better known for security tools such as SATAN, the Coroner’s Toolkit and TCP Wrappers

Business case - IBM (1998)

Why would IBM pay someone to write a new mail server and give it away?

At the time IBM was attempting to establish eBusiness but:

  • mail servers had serious security issues
  • result was lack of faith in infrastructure

Solution?

Write a secure mail server and give it away

Server in depth - how does it all fit together?

A server of any kind does not exist in isolation

It must talk to a variety of other servers/services such as:

  • Domain Name System - Internet address book
  • Other mail servers
  • Mail clients
  • SQL
  • Authentication service - LDAP etc

Issues

  • levels of trust
  • type of data exchanged
  • risks of something going wrong

Note: not necessarily break-ins - must also consider accuracy (example: DNS -> pharming)

Other things to consider:

Wietse’s long-term average - one bug per 1000 lines of code (and what is yours?)

Only some bugs have security implications
But all bugs have credibility implications

Postfix has 88,000 lines of code
Windows 2000 has 40 million (and was being written at the same time as Postfix)

The critical issue is: how do we manage the risk?

Even if we have a problem, how does our server handle this gracefully and with minimal risk?

Venema solution:

  • No monolithic server
  • Small servers for different tasks
  • Limited communication between trusted/untrusted
  • Compromise of one server does not compromise whole system
  • Graceful management of errors and queue conditions
  • Lower risk of breaking things when code updated
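The separation the list above describes, as an added example that is not Postfix’s own code: a toy two-stage pipeline in Python in which the network-facing stage is treated as untrusted and the queue-side stage validates everything it receives over a narrow record format, so a compromise of the first stage cannot push arbitrary data into the queue. The stage names, the record layout, the limits and the sample session are assumptions for illustration.

```python
import re

# Trusted-side policy: attributes the queue stage accepts, with hard limits on count, size and charset.
ALLOWED_ATTRS = {"helo", "sender", "recipient"}
MAX_ATTRS, MAX_VALUE_LEN = 8, 256
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
SAMPLE_SESSION = ["HELO mx.example.org", "MAIL FROM:<alice@example.org>", "RCPT TO:<bob@example.com>", "DATA"]  # constructed
class RecordError(ValueError):
    """Raised by the trusted side when the untrusted side sends something it must not."""
def untrusted_smtpd(session_lines):
    """Network-facing stage (untrusted): parses SMTP envelope lines. May be compromised, so never believed."""
    attrs = {}
    for line in session_lines:
        verb, _, arg = line.partition(" ")
        if verb == "HELO":
            attrs["helo"] = arg.strip()
        elif verb == "MAIL" and arg.startswith("FROM:"):
            attrs["sender"] = arg[5:].strip().strip("<>")
        elif verb == "RCPT" and arg.startswith("TO:"):
            attrs["recipient"] = arg[3:].strip().strip("<>")
    return encode_record(attrs)

def encode_record(attrs):
    """Pipe wire format (assumed for this example, not Postfix's): NUL-terminated 'name=value' pairs, then an empty pair."""
    return b"".join(f"{k}={v}".encode() + b"\0" for k, v in attrs.items()) + b"\0"

def trusted_cleanup(record):
    """Queue-side stage (trusted): this parser is the trust boundary. Its limits stop a compromised
    smtpd smuggling unknown attributes, oversize values or control characters into the queue."""
    if not record.endswith(b"\0\0") or record.count(b"\0") > MAX_ATTRS + 1:
        raise RecordError("missing end-of-record or too many attributes")
    env = {}
    for pair in record[:-2].split(b"\0"):
        name, sep, value = pair.partition(b"=")
        key = name.decode("ascii", "replace")
        if not sep or key not in ALLOWED_ATTRS or key in env:
            raise RecordError(f"unexpected or duplicate attribute {key!r}")
        if len(value) > MAX_VALUE_LEN or not all(0x20 <= b < 0x7F for b in value):
            raise RecordError(f"bad value for {key!r}")
        env[key] = value.decode("ascii")
    if "recipient" not in env or not all(ADDR_RE.match(env[k]) for k in env if k != "helo"):
        raise RecordError("missing recipient or malformed address")
    return env

def rejected(record):
    """True if the trusted side refuses a record; used to exercise hostile input."""
    try:
        trusted_cleanup(record)
    except RecordError:
        return True
    return False
```

The point is that `trusted_cleanup` never relies on `untrusted_smtpd` having behaved: the hostile records a compromised first stage might emit are simply refused at the boundary.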