Past targets
• sendmail
• anything using gets(2) or sprintf(2)
• password guessing and sniffing
• use and abuse of trust (rlogin, rsh)
• social engineering

The Security Arms Race
• We knew about sniffing in the early ‘80s
– massive sniffing attacks in 1994 (1992?)
• We knew about sequence-guessing attacks in 1984
– common in 1994
• We knew about IP spoofing and address-based authentication in the 80s
– tools available in 1994
Impact of future net attacks
• It would be much worse today
– “space” is larger and more homogeneous
– the net is more important now
• Encryption is a munition
• Ping(1) is a munition!

Click here to infect your system.

Java
• Derived from a set-top box project
– Mid-course goal changes are a bad security sign
• I have no particular quarrel with the language
• Byte-code verifier is probably OK
– Too fancy for my tastes
– I solve the halting problem with ^C

Trust
• I put my trust in these things
– they are running as me
– they act on my behalf
– they have access to my files
• I prefer source code, please
• I vet and “decode” critical software, when I can
Where Do Programs Run?
[diagram: Program above Kernel]

What it should be
[diagram: Kernel above Program]

Execution Choices
• Untrusted dirty machine, with firewall enforcing network restrictions
• Software containment
– operating system
– interpretive environment

Environmental Fears
• Average web users can’t be expected to understand the security consequences of their actions.
• Applets make execution of alien programs routine
• There are a lot of aliens out there
• Jackpot - exponential growth into a space
• Theorem prover is complex security

Big Fears
• “Native Methods” aren’t standardized
• All the security effort went into the language -- the environment is an afterthought
• A single security fault makes me suspect the approach
• We’ve had a number of very bad holes shown.

Java has let Eric Allman off the Hook
maybe
Stupid URLs
KWWSZZZ
ILOHHWFSDVVZG
ILOHGHYPRXVH
IWSORFDOKRVW
KWWSORFDOKRVW
KWWSVDGIONDMVGOIMDOVGNMIONVGMIONDV GMIONVGMIONVGMIONVGMIODNMVGONIDMVONI
(The URL text on this slide did not survive extraction: every letter is shifted by three and the punctuation is gone. Decoded, the letters read http www, file etc passwd, file dev mouse, ftp localhost, http localhost, and a long http URL made of random keyboard letters.)

Stupid Domain Names
• com.com, comdotcom.com, comdotcomdotcom.com
• macdonalds.com
• bell-labs.com, belllabs.com
• att.org, mci.org
• bell-labs.com.au?
• localhost.com
Snake Oil?
• The hype may have us firing librarians
• It is better to touch a book
• The net is the 1990 equivalent of filmstrips: you don’t have to think!
• My stupid test: the web as a reference librarian
– no netnews
– no hard work

Web Questions
• How does cyanuric acid stabilize the chlorine in a swimming pool?
• What is the meaning and etymology of intinction?
• Who plays Heidi on Home Improvement?
• What is a “global learner?”
• What is the hyperfine interaction?
• How do you throw a “four seamer?”
• What are the hand signals used in baseball like?
The Score
• 8 answered
• 4 not answered
• This was better than I expected
• Netnews would have yielded thousands of answers. Many would even be right

Web marketing tricks: top of the list
• hidden text
– used cars used cars used cars used cars
– same as background color
– very tiny font
– way below the first screen

Conclusions
• If you want to see some of these efforts, check out my web page.
• (Ask the search engine for the address)
• Keep experimenting!