Slashdot Mirror


Computer Security Criteria

Rolf Marvin Bøe Lindgren writes: "For most human endeavors that involve some sort of risk, there are powerful, recognized public interest groups or even government-appointed organizations that investigate and analyze dangers, prescribe guidelines, determine criteria for acceptable risk, etc. This does not seem to be the case for software! I work for a ship classification company. The purpose of such companies is, very simply put, to determine how safe seagoing vessels are, for instance in order that insurance companies can decide insurance premiums. There are, needless to say, numerous conventions and special interest groups to determine safety at sea. That is, as far as I know (and I would very much like to be proven wrong), except for the computer systems that the ships use. There are restrictions, laws and regulations involved in just about any object that goes into a ship except the computer system. Everybody seems to know, for instance, that UNIX is safer than Windows, but there are no safety, reliability or security criteria established by any recognized authority that can be used to defend one computer system over another."

"Now, I could ask Slashdot how to go about forming a recognized body, but I have access to competence in that particular matter. What I would rather like to know is this:

  • What might a set of safety criteria be like (I am just now most interested in criteria for computer systems that would address such issues as vulnerability to worms, viruses and crackers)?
  • How should one go about finding competent and interested people who would like to be part of a body like I describe, or consultants to one?

285 comments

  1. Human Life by spookysuicide · · Score: 3, Insightful

    I would venture to guess the reason there are so many regulatory bodies involved in overseeing the safety of such things as highways, seagoing vessels, planes, food, etc. and not software, is that in the former situation human life is directly at risk while in the latter human life is, at best, indirectly at risk and usually not at risk at all.

    --
    yes i run a goth/punk/emo porn site.
    1. Re:Human Life by Anonymous Coward · · Score: 0

      It seems to me that this may not always be true.
      What about the software used to regulate life-threatening devices? Nuclear power plants and airplanes are two areas. Remember the SR71 spy plane. It could not be flown effectively without using the autopilot. These computers are of course subject to rather stringent security.

    2. Re:Human Life by GSloop · · Score: 2

      Would you consider it acceptable for your car to go kaput and just quit working as often as your software does? Even if it didn't cause a crash, or threaten life or property? [If you do, please drink the Koolaid now!]

      The reason we don't require software to meet the same standards as other products, is that as a general rule, we think we can't - and THAT IS A CROCK.

      This touches on another /. story today about TCO.

      Bad (buggy) software probably costs more than good (bug-free) software.

      The difference is that bad software is cheaper in the initial acquisition. That's where PHBs focus on these things. After the product is in use, the real costs for crappy software rise quickly.

      I'd rather pay up-front for something that works, and then get to enjoy the lower costs of continuing to use that good software.

      Until we (the ones who know - the tech community) decide that crap software has to GO - even if it doesn't threaten your very life or property.

      I can't say this enough - good software is cheap. Bad software is expensive. Bug-free/Good (or nearly so) isn't a totally impossible task.

      It may be difficult, but the results would be impressive.

      The real barrier to getting bug-free software is that software manufacturers are shielded from civil suits that would make them liable for the crap they produce.

      Cheers!

    3. Re:Human Life by homer_ca · · Score: 2, Informative

      I think you mean the F-16 fighter. It's aerodynamically unstable and needs constant correction from the autopilot to maintain a course. The instability also makes it maneuverable, so the design has advantages too. The SR71 was built in the early 60s before all this digital crap.

    4. Re:Human Life by Squeamish+Ossifrage · · Score: 4, Insightful

      Software can't kill people directly, but it controls hardware that can. Also, people frequently depend on systems which include software for life-critical purposes.

      Think:

      1. 911 call centers
      2. Industrial robotics
      3. Air Traffic Control
      4. Engines with embedded software controls
      5. The telephone network
      6. The power grid
      7. Medical equipment

      I'd like to point out that there are documented deaths from software failures in most of these categories.

    5. Re:Human Life by Anonymous Coward · · Score: 0

      In a perfect world, software engineering would follow NASA's lead in safety and control in development.

      Understanding precisely what is required of software for complicated industries is a highly difficult task, and I would say that it should be up to the individual bodies (FAA, whoever is in charge of shipping industries, etc.) to understand and document their requirements for current and future projects rather than leaving their fate to expected 'expert' software engineers.

      This is the requirements problem, and until agencies realize that it is their problem too, software will continue to reside in the grey area of nebulous consultant recommendations that get everyone in trouble ("Oh, well, IIS is waaaaay more secure than Apache. Trust me").

    6. Re:Human Life by Anonymous Coward · · Score: 0

      Software can't kill people directly, but it controls hardware that can. Also, people frequently depend on systems which include software for life-critical purposes.

      But that pneumatic cylinder with the HotKnife on the end of it was perfectly safe until the mechanical interlocks were replaced by a PLC system. Too bad Harry didn't remember that lockup circuit, the one that would have saved Jerry's life when he opened the front gate and had his skull crushed and brains cauterized.

      Is there such a thing as safe software? Heck, the old C64 (or was it the VIC-20?) could damage itself with a simple 'poke' to a memory location.

    7. Re:Human Life by gweihir · · Score: 2

      I can't say this enough - good software is cheap. Bad software is expensive. Bug-free/Good (or nearly so) isn't a totally impossible task.

      I fully agree, also to most of the rest of the post. The problem is just that some people are willing to sell bad software and others are willing to live with it. Good software costs a lot to create yet is still cheap.

      Let me compare Linux to Windows as an example:

      With Linux a lot of highly qualified people are in the process of building an infrastructure, a basic block that can survive for a long time. It is still not finished. But I guess by now Linux was several times more expensive to create than all versions of Windows together. But it is a community effort of people that build to last! And it is a gradual improvement of a design that is known to work! A very good engineering practice for dependable systems. And you get a fallback if the effort fails, namely the system you improved upon!

      With Windows and Office a company is trying to make money with the lowest quality the market will accept. (I am still shocked by the unusability of Word and its document format whenever I have to use it.) These systems are not built to last. The business model depends on people having to throw away the old one and buy a new one every few years. This alone demonstrates that the old one was never intended to serve as long-used reliable infrastructure.

      Now the problem is not that Microsoft makes bad software. The problem is that MS is in the wrong market! Their approach is well suited for games and other software that is not critical. (Mind that MS Office _is_ critical for many companies.) But MS's approach is not suitable for anything even remotely approaching "critical" or "infrastructure".

      I don't want all these critical systems to be computerized fast. I want them to be computerized so that they work for a long time without major changes. 30 years would be a good reasonable number. Now don't use Linux for that. But maybe use the Unix-API as embodied by Linux! If you limit the fancy graphical stuff that is unneeded anyway and pay attention to clean design and implementation you can move to a different Unix-like OS without changing data, user-interface or procedures!

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
    8. Re:Human Life by thogard · · Score: 1

      The SR71 needs a very good autopilot or else you end up hundreds of miles off course.

      Like most autopilots today, it's a bunch of mechanical gyroscopes and a bit of electronics and a few servos.

    9. Re:Human Life by /Wegge · · Score: 1

      I think that you fail to realize just how big an impact software has on your daily (or in some cases not-so-daily) life:

      * CAT/PET/whatever medical scanners
      * Elevators
      * Wind Turbine Generators
      * Anything that is computer controlled, that has an emergency stop (This likely includes the big red button at your local gas station).

      Until recently, I used to work for one of the bigger WTG Companies, and in my current job I'm writing software for sortation systems.
      In both jobs, you tend to give real notice to safety-critical issues. Otherwise, you'll eventually have to live the rest of your days in the knowledge that somebody was injured or killed because there was this off-chance event that triggered a system start at just the wrong point.

      --
      //Wegge
    10. Re:Human Life by unitron · · Score: 2

      Considering how many enraged users of MS software there are out there I'm not sure that Billy G's life isn't at risk :-)

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

    11. Re:Human Life by mpe · · Score: 2

      The SR71 needs a very good autopilot or else you end up hundreds of miles off course.

      Also the aircraft is perfectly capable of tearing itself apart under certain circumstances.

    12. Re:Human Life by Anonymous Coward · · Score: 0

      It was the Commodore PET, actually, for those of us old enough :-)

  2. Simple enough by CitznFish · · Score: 0, Redundant

    Well, to avoid a virus/worm/whatever just use an antivirus program and keep it updated. Sat. Internet access on a ship is nothing new..you can even update at sea. I don't think ocean going vessels can be any more or any less affected by a virus. I'd be more concerned about the corrosion all the saltwater could do to the equipment..

    --
    'mmmmmmmmm.... forbidden donut'
  3. hm! by prizzznecious · · Score: 3, Funny

    "How do you find people willing to pontificate about what makes one system more secure than another," he naively asked Slashdot. Then came the deluge.

    --

    visit the hwky website for a lyrical genius infusion.
    1. Re:hm! by Anonymous Coward · · Score: 0

      excuse me moderator, sir, but read the article. That's his closing question. This was a joke. As in, "Ha-Ha."

    2. Re:hm! by Dr_EddieB · · Score: 0

      I'd start by looking for qualified people on AOL. It seems that the brightest minds in computing all congregate together on AOL, so you should be able to solve nearly any problem you have by using this great resource. Okay, I used up all my sarcasm for the whole day posting that, I need a nap.

  4. Criteria by DecoDragon · · Score: 5, Informative

    Have you looked at any of the work done by SANS (http://www.sans.org) or NIST (which is not necessarily what you're looking for, but in the area of providing guidance, http://www.nist.gov)?

    SANS has been publishing a series of "consensus" documents, asking for feedback from people on topics such as securing Windows and Unix versions. They've also put together a working group (pay to join).

    If you have looked at these sources, I would be interested to hear how they do or do not fit in to what the author of the original question is looking for.

    1. Re:Criteria by sheldon · · Score: 2

      In particular SANS has their SCORE initiative, which seems as though it might be somewhat applicable.

      http://www.sans.org/SCORE/

  5. I work for.. by onion2k · · Score: 3, Funny

    I work for a ship classification company.

    Big ship..

    Little ship..

    Big ship..

    Medium size ship..

    1. Re:I work for.. by NorthDude · · Score: 0

      OffTopic? C'mon, that was pretty funny :-)

      --


      I'd rather be sailing...
  6. common criteria? protection profiles? by mattsouthworth · · Score: 4, Informative

    well, have you checked out these things?

    http://www.commoncriteria.org/

    http://csrc.nist.gov/cc/pp/pplist.htm

  7. Most secure by Geekboy(Wizard) · · Score: 5, Insightful

    The most secure method is to apply the KISS method. (keep it simple, stupid) The fewer lines of code, the fewer places an attacker can gain access. Use lots of encryption, (check on theoretical attacks mostly), and use physical safeguards for the system. You possibly want to use OpenBSD, because of the history behind it (4 years with no remote exploits on a default installation), but choose your base carefully. Encrypt all communications (ESP networking) and make sure you have double and triple safeguards. Better to be paranoid than exploited.

    1. Re:Most secure by ghack · · Score: 1

      KISS is right on.

      Another security personnel motto:
      No security at all is better than a false sense of security.

      Realize what all components of your system do!

    2. Re:Most secure by Cyno · · Score: 1

      I think you meant DIVX ;-)

      Anyway I totally agree and wanted to add that these systems are also based on very specific operating conditions. Including electromagnetic fields and other forms of RF. No matter how secure and stable the OS, your hardware could fail at any given moment. KISS, yes, but always plan for the worst and develop fault-tolerant/redundant systems. Never trust a single system or OS for any mission critical service. Also I find it's best to just use cheap PC hardware since you can't expect better uptime from the more expensive proprietary stuff and it can't get much more modular than racked PCs.
      (keep in mind I know nothing about the conditions aboard a ship, I know Sun make special cases designed for this)

    3. Re:Most secure by gweihir · · Score: 2

      No security at all is better than a false sense of security.

      Very true. I would qualify this as "... in a specific system." The reason this is far better is that people will add security measures they understand (e.g. being careful, having emergency equipment and plans, having insurance,...) to the overall approach. And they will carefully observe the system because they are aware that bad things can happen.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
    4. Re:Most secure by catsidhe · · Score: 2, Insightful

      At what point does 'simple' become stupid?

      Trivial but emblematic example: assuming that the string you are being sent will stay below a certain size means you don't need boundary checking. Congratulations! You have just made the main loop faster by orders of magnitude and much more human-readable!

      Oops ... buffer overflow attack!

      But, but, but the code was simple! It's not my fault!

      --
      "This is a Hollywood movie: when it comes to the Laws of Physics, they're lucky if they get Gravity!" --- my wife
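The trade-off catsidhe describes, as an added example (not code from the thread): the "simple" receiver that trusts the sender to stay under the buffer size, next to the bounded version that measures the input first and rejects anything that would not fit. MSG_MAX, the message text and the function names are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size message buffer used by the receiving loop. */
#define MSG_MAX 32

/* The "simple" loop body from the post: the receiver assumes every message
 * the sender delivers stays below MSG_MAX bytes, so it copies with no bounds
 * check.  Any longer message writes past the end of dst (buffer overflow).
 * Shown for contrast only; nothing below calls it. */
void receive_unchecked(char dst[MSG_MAX], const char *src)
{
    strcpy(dst, src);   /* copies strlen(src)+1 bytes, whatever that is */
}

/* Hardened loop body: scan no further than the buffer allows, refuse a
 * message that would not fit together with its terminator, and leave dst in
 * a well-defined state either way.  Returns the number of bytes stored, or
 * -1 if the message was rejected. */
int receive_checked(char dst[MSG_MAX], const char *src)
{
    size_t n = 0;
    while (n < MSG_MAX && src[n] != '\0')   /* bounded scan: never read past MSG_MAX */
        n++;
    if (n >= MSG_MAX) {                     /* no room for the '\0' terminator */
        dst[0] = '\0';                      /* empty, but still a valid string */
        return -1;
    }
    memcpy(dst, src, n + 1);                /* n payload bytes plus the terminator */
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: one well within the limit, one built to exceed it. */
    const char *ok_msg = "HDG 270 SPD 12";
    char oversized[MSG_MAX * 2];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    char buf[MSG_MAX];
    printf("short message: %d bytes stored\n", receive_checked(buf, ok_msg));
    printf("long message : %d (rejected, buffer untouched beyond its end)\n",
           receive_checked(buf, oversized));
    return 0;
}
```

The extra cost over the unchecked version is one bounded scan per message, which is what the "orders of magnitude" in the post is actually buying.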
    5. Re:Most secure by mpe · · Score: 2

      Never trust a single system or OS for any mission critical service. Also I find it's best to just use cheap PC hardware since you can't expect better uptime from the more expensive proprietary stuff and it can't get much more modular than racked PCs

      Though you don't want to put all of these in one place, especially if they are doing something like controlling the weapons on a warship.

      (keep in mind I know nothing about the conditions aboard a ship, I know Sun make special cases designed for this).

      Not only do you have the problems of keeping salt water out of the electronics you also have to ensure that things such as hard disks can cope with rapid movement about any axis.

  8. Risks by xphase · · Score: 4, Informative

    Sorry for not making a huge long rambling post, but you really should check out the Risks Digest

    --xPhase

    --
    The following sentence is TRUE. The previous sentence is FALSE.
  9. Some simple observations by DohDamit · · Score: 2

    What might a set of safety criteria be like (I am just now most interested in criteria for computer systems that would address such issues as vulnerability to worms, viruses and crackers)?

    While there may not be a body of standards regarding security, there are some de facto standards regarding redundancy of data, the breakdown of different methods of communication (connection versus connectionless protocols) are quite well defined as standards, and the general structure of professional applications. Taking these as a starting point, one could build a list of vulnerabilities for each of these standards. For example, in a connectionless environment, one would be worried about DDOS attacks, and methods for identifying the assailant. In a connection-based environment, physical issues such as allowing someone to get access to a LAN line with a laptop inside the company building would be something that would require at least some preventative measures (ID cards at the door, social policies about bringing in computers, etc.)

    How should one go about to find competent and interested people who would like to be part of a body like I describe, or consultants to one?

    Be very careful. You will need to find people who are trustworthy AND brilliant. Good luck.

    1. Re:Some simple observations by Anonymous Coward · · Score: 0

      Don't forget formal policies on training and/or skills requirements for direct access to the computer systems, regular security reviews to analyze logs and apply important patches, and formal procedures on what to do in the event of a failure.

      I think one of the reasons there are no formal organizations for maritime computing is because the results of a security breach and downtime vary dramatically from one system and one breach to the next. What happens if my box is breached? What happens if one of the Echelon project's machines is breached?

  10. Air Gap... by warpSpeed · · Score: 3, Insightful

    First and foremost, keep the computer system closed. Do not hook it up to any outside networks. No networks, no phone lines, no serial connections. That will eliminate quite a bit of risk for attack.

    If that is not an option, then run the outside network connection through a very tight firewall.

    ~Sean

    1. Re:Air Gap... by susano_otter · · Score: 2

      It's not just susceptibility to exploits, though: you're also concerned about the stability of the system. What's the uptime like? What are the chances of the system crashing at a crucial moment? How long is the troubleshooting/resolution cycle? Which components need to be redundant? &c. For most shipboard systems, I'd imagine stability and reliability are much more important than security. Look at it another way: the Air Force probably isn't too worried about someone rooting the navigation system on their stealth fighter, but they damn well care about the stability of that component!

      --

      Any sufficiently well-organized community is indistinguishable from Government.

    2. Re:Air Gap... by CrazyBrett · · Score: 2

      ... then put the system in a special room which contains a thermal sensor, a sound sensor, and touch sensors on the floor. Oh, and don't forget to put a laser on the air vent in the ceiling...

    3. Re:Air Gap... by warpSpeed · · Score: 2

      I agree with you 100%. I did not talk about the stability aspect of the systems. Who would run critical systems on NT or Windows? I was just assuming that we were talking about Linux, so you know... :-)

      ~Sean

    4. Re:Air Gap... by Anonymous Coward · · Score: 0

      You didn't mention WIRELESS... definitely don't expect wireless to be safe.

  11. Security by AlaskanUnderachiever · · Score: 5, Insightful

    Well I know everyone's going to shoot this one down but I personally see a huge amount of time, effort and expense wasted on my own company's systems to protect them from the "scourge of the internet" when, upon detailed inspection, there is no good reason that 95% of these boxes NEED connectivity. Before you go about inspecting the various methods of combating the madness (firewalls, routers, off the wall OS, tying up the PHB, etc.) ask yourself "do our critical systems need connectivity and if so, to what degree?"

    --
    Find out about my new childrens book: SS Death Camp Criminal Batallion Go To Monte Carlo For The Massacre
    1. Re:Security by hagardtroll · · Score: 1

      I think most companies (Don't know about ships.) have this problem...

      1. You host a web site. The web site obviously needs connectivity to the internet for external customers.

      2. The web site needs access to a database so customers have access to your data for their purposes. And the ability to create data (Place Orders.)

      3. In house applications need access to this same database to process the previously placed orders, update customer accounts, etc.

      4. In house customer service needs access to the same database to provide customer service and ability to communicate to customers via email.

      That doesn't leave too many boxen that can be physically disconnected.

      But like I said, I don't know how this applies to a ship.

    2. Re:Security by joto · · Score: 1

      Yes it does. Put the dbms server inside the corporate network. Put the web-server on the outside. All you need is one application-level proxy so the webserver can access the dbms-server. Obviously, that is not entirely physically disconnected, but good enough for almost any purpose I can think of.

    3. Re:Security by Faramir · · Score: 2

      Protection "from the Internet" is only one part of the issue. Analyzing the security issues should include an analysis of the local issues. Let's look at the ship scenario, and come up with some potential non-Internet dangers:

      1. How well protected is the local terminal? Does it run critical guidance software on a Windows 9x box that anyone can hit Escape to log into?
      2. Does the ship have a LAN? Perhaps it is a cruise ship with an 802.11 (whatever) network to keep computers, registers, etc. around the ship connected. How easily can a laptop-ed cracker get in?
      3. Are the ship's systems set up (via satellite obviously) on a VPN back to the mainland home office? How secure is the satellite? The VPN?

      These are just a few potential worries off the top of my head that do not, intrinsically, have anything to do with Internet connectivity, or even necessarily with connectivity at all.

    4. Re:Security by Anonymous Coward · · Score: 0

      Oh yeah, communication is way overrated. And here's another tip - you can prevent those annoying sales calls by unplugging your phone. And for really clean living, stop filling out all of those damn address request forms at the doctor's office, the school, work, and every other goddamn place that thinks it's their god-given right to jam your mailbox full of fancy word processing detritus.

      I'm really actually quite curious. Just what the hell do you do with a computer that's not connected to your company network? Besides fill up filing cabinets, I mean.

  12. Common Criteria is a possibility by Anonymous Coward · · Score: 5, Informative

    Closest is the international Common Criteria. It's the indirect descendant of the old military orange book (you know, C2 certified, etc.). The attempt is to come up with multiple standards for each security critical component. The components are evaluated against the standard. A higher rating means they meet the standard to a stricter engineering criteria.

    Some sample standards (or "Protection Profiles") include proxy and packet filtering firewalls.

    My sense is the folks overseeing the Common Criteria would like industry groups to sponsor Protection Profile development. For example, banks could come up with profiles for wire transfer components, ATMs, etc. The shipping industry could be another.

    BTW, if you visit the Website, there is an interesting line of Common Criteria-branded clothing, for the geek who has everything!

  13. If only it were that simple by Spamalamadingdong · · Score: 4, Insightful

    Antivirus programs are always out of date by hours if not longer. If you are hit between the time a virus goes into the wild and the time the update is finally ready and installed, you're hosed. The only solution for safety-critical systems is to have a secure wall between programs and data which cannot be breached by viruses or worms arriving from outside on their own, and preferably not without intervention from a qualified service person (fooling a user is one thing, fooling an expert is something else).

    This probably means that critical systems on things like ships should not be running any flavor of Windows, nor maybe Linux either. There are a bunch of OS's made for embedded systems, and due to their small size and simplicity they are much smaller, probably faster, and certainly less vulnerable or even completely invulnerable to this kind of attack. If your requirements are that stringent, that's what you should be using.

  14. Safety of computer systems... by fruey · · Score: 2, Informative

    ... in a ship's context:

    Backup systems have to be in place, and why captains have to be able to navigate manually. Just like how yachts have to have motors in case sails break, etc... and to be able to safely navigate in ports.

    The threat of virii could be minimal because the physical security of the ship's navigation systems should be locked down. No internet access, no floppy disk drives, closed systems, etc.

    However, there have been failures. I remember a Navy Submarine running Windows NT or something, and it crashed (the OS, not the sub). They had backup systems, of course, but they looked pretty stupid. Windows NT Crash on Navy ship

    The key point here is that you can test systems anyway: running for long periods of time, checking memory leakage, hardware failure periods, etc... and bugs that come up are corrected for free, usually, when you're talking about expensive navigation systems.

    Sure, you can lose money for being out of action for a few hours, but that could happen due to any number of other mechanical failures too, so you just calculate some kind of percentage chance of failure based on past history of the navigation system?

    --
    Conversion Rate Optimisation French / English consultant
    1. Re:Safety of computer systems... by Anonymous Coward · · Score: 0

      Found some more incidents like that crash at:

      http://www.vcnet.com/bms/departments/nt/bugs.shtml

    2. Re:Safety of computer systems... by Anonymous Coward · · Score: 0

      Just like how yachts have to have motors in case sails break, etc...

      Umm... What country do you live in? Here in the U.S., there are no such regulations. Private yacht owners are free to configure their vessels any way they choose, with the exception of certain safety items such as flares, life jackets, running lights, etc. But engines are not part of that equation.

      Just trying to clarify a fact...

      Now, on the question of commercial ships and computer systems. Shipboard computer systems are no different than office systems. I mean no different.

  15. Security always loses in the end by Penguinoflight · · Score: 1

    This is not intended to say "don't bother with security because it's a lost cause". Security is an issue where the hacker always wins though. Even OpenBSD is possible to hack via the SSH exploit. So keep up with the updates, but don't think you're immune.

    --
    "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
    1 John 4:14
    1. Re:Security always loses in the end by Anonymous Coward · · Score: 0

      Exactly, if someone wants in, they will get in.

      The good thing is most hax0ring is done at random AFAIK. Keep patching, and hope you don't get unlucky. ;)

  16. It depends on how the computers are used by tshoppa · · Score: 3, Insightful

    I work for a ship classification company.

    And I work for a railroad that moves a half-million people a day. I like to think they're not too dissimilar industries - when my computers shut down, the railroad stops running. I'm guessing that when your computer stops, the ship stops moving. That it doesn't sink or explode (i.e. there are hardware items that relieve excess pressure, etc.)

    There are some differences. My trains have low-level hardware (based around gobs of vital relays) that will stop them from running into each other. I doubt ships have anything like this.

    The standards for what you or I do are drastically different from what someone writing software for an airplane's fly-by-wire system has to do. There, if the computer stops or starts doing the wrong thing, it falls out of the sky. Scary stuff.

    So, it depends on what the computer controls, but you haven't given us this information.

    1. Re:It depends on how the computers are used by Anonymous Coward · · Score: 0

      Funny, I also work for a railroad that moves a half-million people a day and our security is lousy. The embedded stuff on the line is probably pretty solid, but our higher level infrastructure is... well, crappy.

  17. Now we post trolls? by coupland · · Score: 2

    Sounds to me like the shipping industry is behind the times -- there are lots of other industries that have standards for computer systems. The FDA is becoming much more strict about computer validation and there is a great deal of documentation and testing required to implement a validated computer system. There are also many, many recognized Quality Management Systems in existence that apply equally well to a computing environment.

    >Everybody seems to know, for instance, that UNIX is safer that Windows

    Sorry, I couldn't ignore this... Validation of a computer system is about proving something is fit for purpose. Documenting requirements, design, performance, data integrity etc. It ain't about what OS you run. There's not a sane business person in the world who will rally behind someone masking anti-Microsoft sentiment as "computer security".

    1. Re:Now we post trolls? by Anonymous Coward · · Score: 0

      Very good point. One thing to keep in mind is that most Slashdot users are high school or college students who have never held a real job. Even the few Slashdot readers who are gainfully employed are working for game makers or are loading the network printer with paper when it runs out.

      The idea of suggesting OS #1 is better than OS #2 for a given purpose without even referencing a requirements document is frightening. Remember that old saw ``When all you have is a hammer, every problem looks like a nail''. It's the same here on Slashdot. Presto, solve all your problems with OS #13, even when the OS is totally irrelevant to the problem at hand. There is no intellectual depth to the suggestions. We are given "instant" answers to every CS and Security problem ``blah blah use OS #9 blah blah''.

    2. Re:Now we post trolls? by Anonymous Coward · · Score: 0

      Even the few Slashdot readers who are gainfully employed are working for game makers or are loading the network printer with paper when it runs out.

      Oh, please! You make it seem like half the people on here would pull back a bloody stump trying to fill a paper tray. Hmm. Well, maybe you're right.

      The idea of suggesting OS #1 is better than OS #2 for a given purpose without even referencing requirements document is frightening.

      I think that the people who post their opinions here on /. are perfectly justified in offering their solution to an improperly defined problem. When the majority of story submitters give a thimble-full of information (my boss says I need to come up with a networking solution tomorrow for X computers), there's no reason to take the responses seriously.

      Remember that old saw ``When all you have is a hammer, every problem looks like a nail''. It's the same here on Slashdot.

      Beats pounding in the nails with your forehead, I guess.

      Presto, solve all your problems with OS #13, even when the OS is totally irrelevant to the problem at hand. There is no intellectual depth to the suggestions. We are given "instant" answers to every CS and Security problem ``blah blah use OS #9 blah blah''.

      I think you were on to something: OS-9 (not OS #9) is the solution to your problem! It slices, it dices, it even provides signals, events and semaphores! If you act now, we'll throw in interprocess communication via named and unnamed pipes. What more could you want?

  18. Not what he's asking.... by Alcimedes · · Score: 4, Interesting

    Um, hate to break it to you, but how the hell do you hack a system that's on a ship and self contained? Everyone's talking about virus this and worm that, who gives a crap? My guess is that the ship's navigation systems are secluded from anything that would have outside access.

    What I'm guessing he wants to know is something more along the lines of this: Windows NT cripples US Navy Cruiser

    In which case, he's really asking which software/OS is the least likely to puke and leave you up a creek without a paddle.

    1. Re:Not what he's asking.... by bluebomber · · Score: 5, Insightful
      It sounded more like he's asking about general classifications of software systems in terms of security. Maybe he's looking for a scale like the following. (I'm pulling this out of my ass, a real classification committee would have much better rules, and they would spend longer than five minutes putting such a list together.)

      1 - Non Secure

      This describes a public terminal (e.g. what you might see in a shopping mall or your local university computer cluster) that is running MSDOS. The keyboard and mouse aren't even locked down.

      2 - Half-Assed Security

      This describes a public terminal that is securely bolted to the desktop and is locked shut. A log-on prompt appears, but is easily bypassed (e.g. Windows 95, or a Linux box that is bootable via an accessible CDROM or floppy drive). [Alternative: the logon prompt appears but passwords are available by shoulder-surfing, e.g. "employee only" terminals in retail stores.]

      Levels 1 and 2 are a black hat's paradise.

      3 - Almost Secure(tm)

      This describes probably 95% of the unwashed masses connected to the internet. This machine has a firewall and virus scanning installed, but the virus definition might not be up to date, and the firewall isn't what you'd describe as industrial strength. Some security patches may or may not have been applied, but are probably not completely up to date. This machine might present a challenge for your ordinary script kiddy, but an experienced cracker can probably find a way in. Configurations in this category would include most Windows installations, default Linux installations (older Red Hat, I don't think the newer ones start everything up) that start up every service under the sun, and a public web servers that are "sort of" secure but have holes in CGI scripts or are missing security patches. This also describes a lot of corporate wireless networks.

      The black hats enjoy level 3 probably more than 1 and 2, just because of the (slight) extra challenge.

      4 - Pretty Good Security(tm)

      This describes a machine that is physically locked down, but still connected to the network (generally behind an external firewall). Security patches are applied within hours of announcement. Logs are human monitored, and are written either on another machine, or on permanent media (e.g. printer or CDROM). There are no more services running on this machine than absolutely necessary (in other words, a mail server ONLY has ports 25 and 110 open).

      In practice, these don't generally get cracked. When it happens, it is usually physical security -- telling someone your password, sending your password via email, etc. A break-in might also be caused from a yet-unpublished remote exploit in one of the major services (sendmail, bind, apache, etc.) These machines are often susceptible to certain types of DOS attacks (when such attacks can't be stopped at the router/firewall).

      5 - Unbreakable security

      This describes a machine that is physically secure (i.e. the hdd is locked down inside a secure chassis), and has no external network connections. It is also shielded from van Eck and other eavesdropping.

      You won't get into this machine without weapons, "truth serum", or monetary inducements to certain privileged individuals. Also worth noting is that this machine isn't really practical for everyday use...
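The level 4 rule above ("no more services running on this machine than absolutely necessary", a mail server with only ports 25 and 110 open) is something you can check mechanically. The following is an added example, not code from the post or from any project it mentions: it parses a constructed listing in the classic `netstat -ltn` column layout and reports every TCP listener that a host's role does not justify, separating loopback-only listeners from ones reachable over the network. The role table, the management-port allowance and the sample listing are all assumptions made for the example.

```python
"""Audit a host's listening TCP sockets against what its role actually needs."""
import re
from typing import NamedTuple

# Ports a machine in each role is expected to expose. The mail entry follows the
# post above (25 and 110); the web entry is an added assumption for illustration.
ROLE_PORTS = {
    "mail": {25, 110},
    "web": {80, 443},
}
# Assumption: one out-of-band management port tolerated on every role.
MANAGEMENT_PORTS = {22}
LOOPBACK = {"127.0.0.1", "::1"}


class Finding(NamedTuple):
    port: int
    addr: str
    severity: str   # "high" = reachable from the network, "low" = loopback only


# One listening socket per line, in the classic `netstat -ltn` column layout:
# proto recv-q send-q local-address foreign-address state
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\b")


def parse_listeners(lines):
    """Return (address, port) pairs for every TCP listener found in the lines."""
    listeners = []
    for line in lines:
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue  # header lines, UDP sockets, established connections
        # rpartition keeps IPv6 wildcard addresses such as ':::22' intact
        addr, _, port = m.group(2).rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def audit_listeners(lines, role):
    """Return a Finding for every listener not justified by the host's role."""
    allowed = ROLE_PORTS[role] | MANAGEMENT_PORTS
    findings = []
    for addr, port in parse_listeners(lines):
        if port in allowed:
            continue
        severity = "low" if addr in LOOPBACK else "high"
        findings.append(Finding(port, addr, severity))
    return findings


# Constructed sample output: a supposed mail server that also exposes
# portmapper (111) to the network and a database (3306) on loopback.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_NETSTAT.splitlines(), "mail"):
        print(f"[{finding.severity}] port {finding.port} listening on {finding.addr}")
```

Run it against the real output of `netstat -ltn` on a host and the "high" findings are the services to remove or firewall first; the "low" ones still deserve a look, since a loopback-only service is one local compromise away from being reachable.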

    2. Re:Not what he's asking.... by Sabalon · · Score: 2

      Perhaps there is a LAN on the ship?

      Perhaps someone dials in via satellite, gets some virus, and later plugs into the LAN to see what is for dinner and it spreads.

      Like you said - the nav systems should be secluded, but you never know. Perhaps the Captain likes to look at the info in his cabin?

    3. Re:Not what he's asking.... by Sinus0idal · · Score: 5, Informative

      This isn't any longer the case.

      My father is a marine consultant, and I have been to several ships with him, which rely much more heavily than this on computer systems these days.

      One specific example-

      The charts used to navigate by a ship were running on an NT workstation on the bridge of the vessel. It is no longer a requirement for up to date backup charts to be kept on board. A CD is sent to the ship each week updating the charts to the latest version, but the backup paper charts that are kept are not updated at these regular intervals any longer because of the increased reliance on the NT charting software. The GPS onboard the ship updates the ship's current position on the charting software running on the NT workstation so the master can see where they are with respect to the course that has been plotted previously.

      This same ship contains a small network, only consisting of 4-5 computers (it's only a coastal tanker). One for charting on the bridge, one controlling & monitoring the amount of oil flowing on/off the ship in dock etc.. but..

      The ship also has access to email (and consequently attachments) at sea via Inmarsat satellite software + (uhh-ohh) Microsoft Outlook. If a member of the ship's crew were to open an email attachment apparently from the office, which was in fact a virus, and the network security was not up to scratch, it may have the capacity to shut down not only the ship's main course plotting software (sending them to backup paper charts), but to disturb the monitoring of oil/ballast on & off the ship in the dock.

      There are also proposed improvements which would in effect link in the course plotting software with the autopilot, thus controlling the ship's movements from the PC's course plotting software (unless of course, any evasive action were needed to be taken - the master would switch to manual).

      This is only a small example of the problems that could genuinely be caused if a virus infected some of the more modern ships in today's world.
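The scenario in the post above, a crew member opening an attachment that looks like it came from the office, is the kind of thing a mail gateway in front of the ship's network can screen for before the message reaches a mail client. Below is an added example, not code from the post or from any product it mentions, showing the three checks a gateway would apply to each attachment: an executable extension, a decoy double extension such as `chart_update.pdf.exe`, and an executable signature in the decoded bytes regardless of the file name. The sample message, the addresses in it and the extension lists are constructed for the example.

```python
"""Flag risky e-mail attachments before they reach a user's mail client."""
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Extensions that a desktop will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "wsf", "hta", "msi",
}
# "Document" extensions commonly used to disguise an executable (invoice.pdf.exe).
DECOY_EXTENSIONS = {"pdf", "doc", "xls", "txt", "jpg", "csv"}


def _extensions(filename: str) -> list:
    """Return the lower-cased extension chain of a filename, e.g. ['pdf', 'exe']."""
    name = posixpath.basename(filename.replace("\\", "/"))
    return name.lower().split(".")[1:]


def classify_attachment(filename: str, payload: bytes) -> list:
    """Return the reasons an attachment is considered risky (empty list = none)."""
    reasons = []
    exts = _extensions(filename)
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{exts[-1]}")
    if (len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS
            and exts[-1] in EXECUTABLE_EXTENSIONS):
        reasons.append("double extension disguising an executable")
    # Content check: DOS/PE executables start with the 'MZ' signature,
    # whatever the file happens to be called.
    if payload[:2] == b"MZ":
        reasons.append("payload carries an MZ executable header")
    return reasons


def risky_attachments(raw_message: bytes) -> dict:
    """Parse an RFC 5322 message and map each risky attachment name to its reasons."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, payload)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: one benign CSV and one disguised executable."""
    msg = EmailMessage()
    msg["From"] = "office@example.invalid"   # placeholder addresses
    msg["To"] = "bridge@example.invalid"
    msg["Subject"] = "Weekly chart update"
    msg.set_content("Please install the attached update.")
    msg.add_attachment("waypoint,lat,lon\n", subtype="csv", filename="route.csv")
    # Stand-in for a PE file: just the two-byte MZ signature plus padding.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="chart_update.pdf.exe")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in risky_attachments(build_sample_message()).items():
        print(f"BLOCK {name}: {'; '.join(reasons)}")
```

The content check is the one that matters: the extension tests catch the careless sender, but a renamed executable inside an archive or with a harmless-looking name is only caught by looking at the bytes, and a real gateway would extend that check to archives and macro-bearing documents.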

    4. Re:Not what he's asking.... by RetroGeek · · Score: 1

      has no external network connections

      If it is a local LAN (building / room) running on fibre (TEMPEST), in secured conduits, then it can be on a network. Add in that ALL drives are removable and are locked in safes every night (includes server drives), and you can get pretty secure.

      this machine isn't really practical for everyday use

      Well now it depends doesn't it? Do you REALLY need to be able to surf the net from the comfort of your workstation? Or can you get up, move over five feet, and surf from that machine.

      Or can you do 95% of your work (on that really secret project) on your own Internet-disconnected machine?

      And it is a truism that most security breaches are done by employees (for a variety of reasons (excuses?)).

      --

      - - - - - - - - - - -
      I am a programmer. I am paid to produce syntax not grammar. Deal with it.
    5. Re:Not what he's asking.... by Alcimedes · · Score: 1

      Oh my Lord! That is so amazingly dangerous I can't believe it. Sheesh, here I hope that one time people will try and do security right, and guess not. The maps on CD don't seem as bad as having a network where people are checking their mail w/Outlook. You're just begging for trouble.

      thanks for the info!

    6. Re:Not what he's asking.... by Aqualung · · Score: 2

      The ship also has access to email (and consequently attachments) at sea via Inmarsat satellite software + (uhh-ohh) Microsoft Outlook. If a member of the ship's crew were to open an email attachment apparently from the office, which was in fact a virus, and the network security was not up to scratch, it may have the capacity to shut down not only the ship's main course plotting software (sending them to backup paper charts), but to disturb the monitoring of oil/ballast on & off the ship in the dock.

      Don't worry! I'm sure that Crash Override, Acid Burn and Cereal Killer will save us all by hacking into a Gibson with their iBooks!

      --

      - Dave
    7. Re:Not what he's asking.... by Sinus0idal · · Score: 1

      Maybe, as many science fiction books have been before, the movie scripters weren't all that bad at predicting some of the possible outcomes of computer integration into our everyday lives.

      What was deemed 'far fetched' when the film was released is now becoming a possible scenario.

    8. Re:Not what he's asking.... by Arker · · Score: 2

      The charts used to navigate by a ship were running on an NT workstation on the bridge of the vessel. It is no longer a requirement for up to date backup charts to be kept on board. A CD is sent to the ship each week updating the charts to the latest version, but the backup paper charts that are kept are not updated at these regular intervals any longer because of the increased reliance on the NT charting software. The GPS onboard the ship updates the ship's current position on the charting software running on the NT workstation so the master can see where they are with respect to the course that has been plotted previously.

      Well this doesn't sound too horribly dangerous, although it's a little sloppy IMO. Presumably (correct me if I'm wrong) it's acceptable in this situation if the navigation system is subject to short periods of unavailability? Just how big a problem is it if that NT box is totally destroyed in mid-voyage, however?


      This same ship contains a small network, only consisting of 4-5 computers (it's only a coastal tanker). One for charting on the bridge, one controlling & monitoring the amount of oil flowing on/off the ship in dock etc.. but..

      The ship also has access to email (and consequently attachments) at sea via Inmarsat satellite software + (uhh-ohh) Microsoft Outlook. If a member of the ship's crew were to open an email attachment apparently from the office, which was in fact a virus, and the network security was not up to scratch, it may have the capacity to shut down not only the ship's main course plotting software (sending them to backup paper charts), but to disturb the monitoring of oil/ballast on & off the ship in the dock.


      Well obviously that's a huge problem just waiting to happen. I certainly would never sign off on such a system. But the question remains just how much better would be good enough? Just how catastrophic, for instance, would it be to lose that ballast monitoring system?


      If this system can be taken offline safely for, say, an hour at a time, then I would not say changing OS is necessary - a sensible program of security and reliability enhancement can easily make a windows based network perform at a level that's acceptable in that case. Given how much these vessels cost it would seem horribly short-sighted to scrimp, so I would recommend:

      • Strategic network firewalling that blocks any communication not needed for the functioning of the systems as intended, as a prophylactic.
      • A thorough software scrubbing. Obviously Outhouse has to go. MSIE can and should be completely eradicated (yes, Virginia, you really can do that, despite what MS claims.) This list could get pretty lengthy, but it boils down to removing risky software, and replacing it with less risky equivalents when that is needed.
      • Each machine should be torn down to exactly what is needed on it, then imaged. There are several ways you could go from there, depending on the exact circumstances, but one good option is simply to have a couple of cloned replacements for each station ready and locked in the ship's safe. Alternatively, cloned hard drives only could be kept, along with plenty of spare parts, if the ship will always have a qualified tech on board to make repairs.

      Switching Operating Systems might eliminate the need for some of that work, but much of it needs to be done regardless. Hardware failures need to be planned for, in particular.


      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    9. Re:Not what he's asking.... by 5KVGhost · · Score: 1

      "The GPS onboard the ship updates the ship's current position on the charting software running on the NT workstation so the master can see where they are with respect to the course that has been plotted previously."

      Unless you have drooling idiots configuring your NT box, you shouldn't have a problem. NT/2000 uptimes are very good for properly configured and maintained systems. (Except, apparently, for Linux advocates with an axe to grind.) But if the system is as critical to the daily operation of the ship as you indicate, then there should be a duplicate system either running in parallel or ready to drop in at a moment's notice. If the hardware fails then it doesn't really matter which OS you're running.

      "The ship also has access to email (and consequently attachments) at sea via Inmarsat satellite software + (uhh-ohh) Microsoft Outlook. If a member of the ship's crew were to open an email attachment apparently from the office, which was in fact a virus, and the network security was not up to scratch, it may have the capacity to shut down not only the ship's main course plotting software (sending them to backup paper charts), but to disturb the monitoring of oil/ballast on & off the ship in the dock."

      How so? First off, Outlook is not difficult to secure, unless people insist on running random executables and disabling routine security options. And I would certainly hope people aren't checking their email or running extraneous programs on the navigation computer described above. That would be silly.

      But, leaving aside the religious preference of OS and email apps, if any physically unsecured computer on the ship could be used to cripple the vessel or mess with monitoring systems then that seems like a fairly big security problem all by itself.

    10. Re:Not what he's asking.... by thogard · · Score: 1

      I don't see any real problems with the ship you described.

      They have paper charts. The ocean doesn't change all that much and if they don't have their PC, they may break some regulation or not be able to find some radio beacon or not know some lighthouse has been replaced but those things don't happen all that often and may not be reflected on the charts for months if not years anyway.

      The GPS feeding the computer is a one way thing. The GPS spits out stuff in a format called NMEA by its creator the Natl Marine Electronics Association. If the PC dies, you look at the GPS display.

      As far as using the GPS to get a position and it going down, well people have been taking long voyages in boats for at least 5000 years and not getting lost. Capt Cook and his clan would get star sightings a few times a week in some cases and those were good for a position down to about 100km or so even on a rocky boat.

      Of course their email system is going to get hacked at some point by a virus or while it's connected but with sat phone costs, I expect they don't stay online all that long.

    11. Re:Not what he's asking.... by Mister_IQ · · Score: 1

      As far as using the GPS to get a position and it going down, well people have been taking long voyages in boats for at least 5000 years and not getting lost. Capt Cook and his clan would get star sightings a few times a week in some cases and those were good for a position down to about 100km or so even on a rocky boat.

      The point is not what is possible, but what the crew is prepared for and capable of.

      If they don't have up-to-date paper maps onboard, do you think they have a sextant?

      Part two of the question: If they have a sextant, do you think they have the training and experience to use it well?

      I would think that the locations of major cities doesn't change much either, but have you ever seen the volume of data generated for NOTAMS (changes to charts that pilots use)? "The sea doesn't change all that much" but I imagine ports, shipping routes, danger areas, etc change significantly.

      Then again, I guess they could approach "by eye" and once they get within screaming distance, they could call for an MCSE to come aboard and apply the latest service pack so they can enter port....

    12. Re:Not what he's asking.... by Kallahar · · Score: 1

      Well duh, didn't you see Hackers?

      Row row row the boat.

    13. Re:Not what he's asking.... by bluGill · · Score: 2

      Actually it is common practice when approaching a port to have someone who knows that port come out to your ship and bring you in. So you have the ship crew that knows general ocean navigation well, and can probably get port to port without maps (assuming they don't hit an island or iceberg, not a big danger if you keep watch); and you have the port pilot who doesn't know all that, but knows the location of all the hazards in port. Sandbars move just a little bit with each wave, the local has experience with how and therefore how close he can cut it.

  19. Rainbow Books by Slashamatic · · Score: 3, Interesting
    One of the oldest sources was the rainbow books, namely the Red and Orange books that were produced by the NCSA. The Orange book addressed standalone systems and the Red book addressed networked computers. Regrettably some systems managed to be passed even though the criteria must have been 'nudged' to allow them to do so. The criteria addressed security but sort of left other aspects out. It was a standing joke that you could switch a computer off and bury under concrete and it would pass the A criteria of the Orange book.

    Later the EU produced their Green book which looked at availability as well, this is kind of good for information systems but it doesn't really cover real-time control systems.

    A long time ago, I worked on real-time control systems. We divided our systems into control/measurement, supervisory and at the top, information systems. At the lowest level, we are talking hard real-time and simple enough to be very reliable. They had to be as they were typically sitting by a man-sized chemistry set. The supervisory systems gave the pretty interfaces, they could crash, but generally they didn't. These were for control rooms, and whilst bypassing them was possible, it wasn't easy. The top level system ran all kinds of complicated software applications that could and would occasionally crash. Apart from the crudest electrical standards for the stuff in the plant and the control room, there were no evaluation criteria.

    1. Re:Rainbow Books by Dynamoo · · Score: 1
      Well hey I run a site about the Orange Book and it's still a pretty good basis for ranking systems.. the Common Criteria are derived from it, but there's nothing like a good old DoD certification if you're responsible for the security of any major nation.

      The TCSEC certification process is important in that it's a real certification.. if you get a TCSEC rating of "B" or better you know you've got a kick-ass secure system, and the US Government says so. Certification is, and always will be, extremely time consuming and expensive.

      Also, the most secure systems tend to be weird and wonderful, or hideously out-of-date. Check out the site ;) and have a look. Oh yeah, and don't expect Windows XP to get certified any time soon.

      --
      Never email donotemail@WeAreSpammers.com
    2. Re:Rainbow Books by Slashamatic · · Score: 1
      The Orange book is kind of useless as it is for standalone systems. Once you plug any rated system into a network, it is no longer rated.

      The criteria were sort of degraded though and NT (3.5 I seem to remember) got a rating that implied that it had a protected audit trail. Regrettably, there was no system to protect the audit log integrity, however the system still passed.

      Also, a rating was only valid for a single release. Any update then goes back into the validation process.

  20. How a defense contractor handles software by spaten-optimator · · Score: 4, Insightful

    I worked for a famous defense contractor located in Fort Worth, TX. My department was responsible for writing requirements for software that was installed on fighter aircraft.

    When using a requirements-based system (where you write requirements for software and then the software is written from the requirements), there are multiple checkpoints. First, the requirements document for the software must meet or pass certain criteria. Second, the software must meet or pass the criteria put forth by the requirements document. Third, the software is rigorously tested.

    Now, in fighter planes, the software must be incredibly robust - you don't want planes falling out of the sky - and in defense projects, bureaucracy tends to inflate the whole process.

    That being said, requirements are an excellent way to control the quality of software, or an installed computer system.

    And this is important! We all remember the movie Hackers, in which the Davinci virus was going to cause a bunch of oil tankers to tip over into the ocean. And we all know how closely that movie parallels reality.

    --
    Disclaimer: The above statement probably includes half-truths, because real truth is too complicated.
    1. Re:How a defense contractor handles software by Anonymous Coward · · Score: 0

      This is "insightful"? It's hardly more coherent than pure gibberish.

  21. Naive or troll? by drew_kime · · Score: 5, Insightful

    Computer security in no way affects human life directly.

    "Reboot the air traffic control system."

    "How long has the reactor control system been down?"

    "Try to get the GPS working again before we enter the harbor in this fog."

    Any of these sound like non-life threatening situations? And you did notice the questioner is specifically concerned with the third type of situation I mentioned, didn't you?

    --
    Nope, no sig
    1. Re:Naive or troll? by prizzznecious · · Score: 2, Informative

      Someone mod this up. I can't believe the parent post is +5. Many, many lives depend on secure, stable computer systems. Moreover, look for future terrorism to be computer terrorism--that may wake people up to our computer-controlled reality.

      --

      visit the hwky website for a lyrical genius infusion.
    2. Re:Naive or troll? by Anonymous Coward · · Score: 0

      OK, you are talking "Computers" not "Computer Security".

      Did someone hack into the air traffic control system? If so, why is it even on the 'net?

      Etc, etc...

    3. Re:Naive or troll? by Anonymous Coward · · Score: 0

      It's on the net because it is unhackable! Well, unless you have Janeck's little black box that is.

    4. Re:Naive or troll? by homer_ca · · Score: 4, Insightful

      This is exactly why UCITA is bad. If firmware in embedded controllers gets classified as licensed software that's immunity from liability for a whole class of products. A big business or government agency would have a legal staff checking their contracts so they don't give away immunity to vendors of critical software, but consumer products are another matter, like the ABS brakes on your car.

    5. Re:Naive or troll? by Anonymous Coward · · Score: 1, Insightful

      Don't all of the systems you mentioned have non-computer redundancy?

      "Reboot the air traffic control system."
      Track manually with traffic control operators / radar

      "How long has the reactor control system been down?"
      Analog controls are hardwired into reactor control systems

      "Try to get the GPS working again before we enter the harbor in this fog."
      Signal houses, radio, harbour controlled tugboats, maps that use co-ordinate systems...

      Even medical digital devices have their analog counterparts, if there are any devices that rely solely on software used in life/death applications, I'd sure like to hear about them!

    6. Re:Naive or troll? by zangdesign · · Score: 2

      If these computer systems are so critical, then why are they attached to networks in such a way that intruders could get at them remotely in the first place?

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
    7. Re:Naive or troll? by stilwebm · · Score: 2

      Those situations are covered by other regulatory bodies. Software regulation is not mutually exclusive of the industry in which it is used. The more risk involved, the more regulations. The FDA regulates the computers, software included, used in medicine, for example. There are strict criteria that the software must meet, specific tests must be passed, etc.

      It would not be appropriate for software regulations to be sweeping over all industries when the uses vary greatly. Instead, the industry should have individualized (by function) regulations. These could (actually they are in many cases) even be regulated by several authorities. For example, the Department of Safety may regulate software controlling a chemical plant to prevent human injury. Then the Environmental Protection Agency regulates the software to prevent a computer crash from releasing nasty gasses.

    8. Re:Naive or troll? by ghack · · Score: 1

      >>"How long has the reactor control system been down?"

      Actually, most reactors are old enough that they are not computer controlled. This is a good thing - much more fool-proof. Anything (including linux/bsd/nt/qnx/whatever) that has the possibility of crashing should not be (and usually isn't) used in such an application. Basically: reactors are either (A) simple enough that they do not need to be computer controlled (B) complex enough that a computer shouldn't control them.

      It is always better to have a person behind the mechanical controls, and the NRC [Nuclear Regulatory Commission] requires that there is.

    9. Re:Naive or troll? by Anonymous Coward · · Score: 0

      Hello,

      First of all the original poster is confusing 'reliability' with 'security'.

      Note also we are talking Software here, not hardware.

      Don't all of the systems you mentioned have non-computer redundancy?

      Having worked in 2/3 (soon to be 3/3) of those fields for more than 6 years, I can reply - Yes they do!

      "Reboot the air traffic control system."
      Track manually with traffic control operators / radar


      On loss of main Host computer, air traffic is reduced to manual levels to ensure separation is maintained at all times. In air traffic the "system" is mainly for advisory purposes, with RT taking higher priority, radar next, and finally FDP.
      Loss of "system" should not endanger any lives (loss of RT would be another thing).

      "How long has the reactor control system been down?"
      Analog controls are hardwired into reactor control systems


      Correct again, having helped implement a main DCS/DPS for a UK nuke power plant I can tell you there are MANY manual backups to a typical nuke power plant design. Loss of DPS or DCS should have no overall impact on operations and certainly should not cause an accident (control rods would fall into the reactor and slow the reaction before that point anyway, or the manual interlocks, or the nitrogen injection systems, or the .... etc etc)

      "Try to get the GPS working again before we enter the harbor in this fog."
      Signal houses, radio, harbour controlled tugboats, maps that use co-ordinate systems...


      I've not had experience here, but I trust the reply given.

      The original poster is a scaremonger with no obvious knowledge of safety RELATED systems (which is the role of all the computer systems he mentioned).

      Safety/Mission Critical are a different thing altogether.

      Even medical digital devices have their analog counterparts, if there are any devices that rely solely on software used in life/death applications, I'd sure like to hear about them!

      The original poster is a hairy creature that lives under a bridge.

    10. Re:Naive or troll? by juliao · · Score: 1

      It was neither... Having read that poster before, it was just sarcasm... :)

    11. Re:Naive or troll? by madfgurtbn · · Score: 3, Interesting

      The VTOL aircraft Osprey has killed US Marines due to a software error which occurred in response to a hardware problem:

      http://www.cnn.com/2001/US/04/05/arms.osprey.02/

      --
      Send lawyers, guns, and money. Dad, get me out of this.
    12. Re:Naive or troll? by cballowe · · Score: 1

      Any of these sound like non-life threatening situations? And you did notice the questioner is specifically concerned with the third type of situation I mentioned, didn't you?

      The third doesn't sound life threatening. Anybody in a boat should be competent to navigate without electronic devices (what happens when the batteries die or the generators are out of gas). Computers on ships (and anything else where they are assistive rather than required) should not be capable of causing life threatening situations.

      Medical devices, fly-by-wire aircraft, etc. where the computer is in direct control of something that affects a human is a more serious condition. If there are no overrides and no way for a human to have enough control to operate without the system, then the risk is much greater. (Know any humans that can precisely control the radiation level in a cancer treatment device?)
    13. Re:Naive or troll? by Anonymous Coward · · Score: 0

      Try this search: Therac 25

    14. Re:Naive or troll? by zaffir · · Score: 1

      'Try to get the GPS working again before we enter the harbor in this fog.'
      "Signal houses, radio, harbour controlled tugboats, maps that use co-ordinate systems..."

      Sure, that works if the GPS just explodes, but what if there's a bug that gives your position 100 yards west of where you should be? I don't believe that those analog fail-safes are always in use in conjunction with the GPS; they're just in place should something go wrong. But then again IANASC (I Am Not A Ship Crewman).

      --
      "Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
    15. Re:Naive or troll? by Anonymous Coward · · Score: 0

      Most reactors have built-in safety settings that would prevent a total catastrophe even if all the humans are dead and the computers are crashed (many reactors do have computer control, although mostly for the non-vital, boring tasks). For example, the assembly that holds the control rods in place might melt at a fairly low temperature, which would sink the control rods completely into the core, absorbing neutrons and preventing any more nuclear fission once a critical temp is reached.

    16. Re:Naive or troll? by El+Kevbo · · Score: 1

      Who said anything about networks?

      Kevin

    17. Re:Naive or troll? by prizzznecious · · Score: 1

      Yes. What a lot of people don't seem to realize is that a huge part of real cracking of systems is done/would be done (in the case of terrorists bringing down something crucial) through non-computer means. Things like asking for passwords (eerily effective), bribing employees, sifting through the trash are all integral in the cracking process. Also, a computer doesn't have to be networked to accept input, so as long as the would-be cracker can gain access to the terminal (or set up his own remote terminal), the system can theoretically be cracked. Most systems are extremely insecure against these sorts of attacks.

      --

      visit the hwky website for a lyrical genius infusion.
    18. Re:Naive or troll? by El+Kevbo · · Score: 1

      Moreover, this discussion is not limited to computer failures resulting from malicious activity. Although any measurement of "safety" of a computer system must take malicious, hostile, and downright stupid or ignorant user activities into account, it is just as concerned with the stability of the algorithms used, the quality of the code, the quality of the hardware on which that code runs, etc. "Safety" can encompass quite a large number of different variables, which is what makes this a somewhat interesting question that has been posed to us.

      Kevin

    19. Re:Naive or troll? by j_w_d · · Score: 1

      The third doesn't sound life threatening. Anybody in a boat should be competent to navigate without electronic devices (what happens when the batteries die or the generators are out of gas). Computers on ships (and anything else where they are assistive rather than required) should not be capable of causing life threatening situations.

      Ships are generally larger than boats, tend to be less maneuverable on the whole, and a whole lot messier if you rip the bottom out on a reef in the fog. So suppose a "terrorist" or some lame script kiddy gets hold of a bit of code that alters the UTM display from WGS84 to NAD27. You could easily be 100 meters or more off course, and because you believe your "assistive" device, you are bound for a catastrophic oil spill in the fog. The system does not have to go down to be dangerous. You do not want it manipulated by the malicious or incompetent either.

      --
      ------ The only greater hazard to your liberty than n politicians is n+1 politicians.
  22. Talk to the FAA by blair1q · · Score: 4, Informative

    The FAA has well-known procedures in place for certifying HW and SW for safety. Look up DO-178B, for instance.

    It'd be almost trivial for the shipbuilding industry to adapt them to their somewhat lower-risk environment.

    --Blair

  23. I don't want 'everyone' auditing my company. by Anonymous Coward · · Score: 0

    I've seen Unix boxes left wide open, and I've seen MS Windows boxes closed up damned tight.

    In the end, it's up to the admin. While I think it's easier to secure a Unix-like OS than it is Windows, it's also a lot easier to screw up.

  24. Re:common criterea? protection profiles? by debrain · · Score: 2

    Yes, google knows about:

    CCITA
    ISO/IEC 15408
    NSA Rainbow

    Which might be of note.

  25. But these groups usually become risks themselves by Anonymous Coward · · Score: 0

    Look at the government's auto safety standards. They are a joke. Look at the Ford F-150. It passes all the government's standards but if you look at the Insurance Institute for Highway Safety:

    http://www.hwysafety.org/vehicle_ratings/ce/html/0110.htm

    It's a sad joke what government standards are. Buyer beware.

  26. I don't know "that UNIX is safer" by SaberTaylor · · Score: 2, Interesting

    Sure Windoze apps have buffer overflow holes like [insert good analogy here], but when was the last time your WinVERSION came installed with a plaintext remote login server? Or have you seen Windoze setup with directory services exporting crackable password hashes? .. Unix is safer in many respects (especially to the scheduled-to-be-obsolete Win95/98/ME series), but I don't know that it's a cold statement of fact to say everyone knows that UNIX is safer than Windows. Depends on the attack vector.

    --
    If you need text styles to communicate then you don't have a message.
    1. Re:I don't know "that UNIX is safer" by 2names · · Score: 0

      No OS is 100% secure just as no program is 100% reliable. We have to remember that PEOPLE create these lines of code. Until we find an infallible programmer, we will have fallible code.

      --
      "I'm just here to regulate funkiness."
    2. Re:I don't know "that UNIX is safer" by Anonymous Coward · · Score: 0

      Terminal services = plaintext.
      Ever run lophtcrack on a NT4 domain? heh.

  27. Re:common criterea? protection profiles? by InfoSec · · Score: 2, Informative

    Yes! Exactly. There are several standards for the evaluation of computer security. The more accepted today is the Common Criteria of Information Security Evaluation (Common Criteria for short) and the good old Rainbow series from the US Gov't. Particularly the RED book for the evaluation of trusted computer systems and the orange book for the evaluation of trusted networks. There are many more, but the problem is not so much that we need these standards, but that many companies are not willing to go to the expense of implementing them. This leads to shoddy software because no organization or company is paying to check out all of the possible flaws in their systems.

    --

    Wherever you go, there I am...
  28. Re:Most secure [TANGENT] by President+Chimp+Toe · · Score: 0, Flamebait

    I often see this in /. in threads related to computer security:

    use OpenBSD .... 4 years with no remote exploits on a default installation

    I have never used OpenBSD and do not know what "a default installation" consists of. But can you actually do anything useful with a default installation?

    For instance, if I installed linux but turned off all services (unlike most default installations), I reckon I could go 4 years without being rooted [yes, I know there have been privilege elevation exploits found in the kernel fairly recently etc, but you get the point]. But I wouldn't actually be able to do much with it other than as a workstation.

    Is an active OpenBSD box, running several services, dishing up some dynamic content etc really any safer than other systems?

  29. It's called engineering judgement. by twitter · · Score: 3, Insightful
    Nuclear is the most regulated place in the world, right? Well, even there you have to have people who can think and exercise judgement. Check out 10CFR50-2 for this very important definition:

    Design bases means that information which identifies the specific functions to be performed by a structure, system, or component of a facility, and the specific values or ranges of values chosen for controlling parameters as reference bounds for design. These values may be (1) restraints derived from generally accepted "state of the art" practices for achieving functional goals, or (2) requirements derived from analysis (based on calculation and/or experiments) of the effects of a postulated accident for which a structure, system, or component must meet its functional goals.

    The same logic underlies all design. At some point you have to have engineers you trust and they should be versed in the "state of the art" and all applicable studies.

    In the nuclear industry we can and do rely on vendor studies. Who else but GE is going to know the maximum power levels that are safe with their reactors? They built a full scale model and proved it.

    In the software industry, as you have noticed, things are a little less clear. First, Microsoft is an unethical company. (gotta go before finishing!) You and I both know that Windows is an unstable system. It changes all the time and those changes break programs. Some would even say that Windows is unstable without any changes, and indeed sites that use it typically see 30 day uptimes and no better. Anyone who would rely on such a thing for something that is in any way needed to protect the public safety is incompetent. How that might be worked into a ship is a matter of judgement. I would not use it except as a game platform in the rec room or to look after some system that is superfluous.

    --

    Friends don't help friends install M$ junk.

    1. Re:It's called engineering judgement. by LadyLucky · · Score: 2
      According to netcraft, hotmail which runs IIS on windows 2000, has an average uptime of 115 days, which is more than apache, redhat, and Slashdot.

      But of course, you knew that before you posted that, didn't you?

      --
      dominionrd.blogspot.com - Restaurants on
  30. Solution by madmagic · · Score: 2, Funny

    The answer is obvious if you're looking for the best way to secure an onboard system: hide the ship.

    -mm
    obscurity mon ami

  31. got dildo? by Anonymous Coward · · Score: 0


    http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=705735610

    1. Re:got dildo? by GafTheHorseInTears · · Score: 1

      3XL.

      Ewww.

      --
      "You're just scared like a little white pussy. I'll fuck you till you love me, you faggot!"
  32. Never ever! by 3.141592653589793 · · Score: 0

    Reveal your root password! It only takes one command to fuck up linux when you're logged in as root! But users are so stupid hackers can easily guess your password is your mother's maiden name!

    1. Re:Never ever! by Anonymous Coward · · Score: 0

      heh.. at my friends office, one of their boxes got hacked.. because root compiled sudo globally :-)

  33. It all depends by EFGearman · · Score: 2

    First, let me point out I work with both *nix systems and Windows. Both have problems. I'm not going to address these problems.

    My thoughts on this are, what levels of security are required? I've never heard of someone hacking an oil tanker, but just because I've never heard of it doesn't mean it hasn't happened, or is impossible.

    My opinion is that the most important thing you would need software for is navigation software, in order to determine location, and software for weather reports, so you can plan ahead for adverse weather conditions. Can you get both for either OS? Sure (but I don't know names). Do they work? Well, if they didn't we'd have a few more ships crashing into reefs.

    It gets away from secure systems, in my opinion, and more towards robust systems. Maybe it's just words, but I view secure and robust being different.

    EFGearman
    --
    Atomic batteries to power! Turbines to speed!
    1. Re:It all depends by flying_triguy · · Score: 1

      hmmm

      Interesting thought: I have had fairly good luck running somewhat robust servers with Windows (File/Print only) systems; the problem seems to be when you have other software (sometimes MS software: I have had bad luck with Exchange, more often though third party software). The problem seems to be that very few people have the skills, knowledge, time or specs/APIs for writing robust windows apps.

      Another problem: many writers take shortcuts like "I need to do x, y, z and to do z you need system user status, so I will run EVERYTHING as system" which makes everything a lot less stable I think.

      What about kernel space third party DLLs? If memory serves, it was a kernel space DLL that caused IIS's blackice to crap out on a reasonably high volume of pings... turned out to be exploitable. Mind you the same is true of the most recent telnetd exploits for *nix systems. The common theme seems to be how robust the app implementation is and how well documented/well used the OS APIs are.

      Seems that we shouldn't be searching for the best OS, but the easiest OS to develop secure stable platforms for... and there are a lot of factors that go into that... and please don't mod me down for being redundant with that last statement, I know others have said that same thing, I am just reiterating.

  34. Re:Curious: by Anonymous Coward · · Score: 0

    I think most slashbots are muslim.

  35. MacOS most secure, never been exploited once! by Anonymous Coward · · Score: 1, Interesting

    The MacOS running WebStar as a server has never been exploited.

    In fact in the entire securityfocus (bugtraq) database history there has never been a Mac exploited over the internet remotely.

    That is why the US Army gave up on MS IIS and got a Mac with WebStar.

    I am not talking about BSD derived MacOS X (which already had a couple of exploits) I am talking about Mac OS 9 and earlier.

    Why is it hack proof? These reasons :

    1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT

    2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security.

    3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac historically avoids C strings in most of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits.

    4> Stack return address positioned in safer location than intel. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac places the return address in front of where the buffer would overrun. Much safer.

    5> Macs running Webstar have the ability to only run CGI placed in the correct directory location and correctly file typed.

    6> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing. For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable of creating an executable file. The file type is not set to executable for the hacker's needs. In fact it's even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they would lack launch information. But the best part is that mac web programs and server tools do not create files with resource forks usually.. TOTAL security.

    7> There are fewer macs, though there are huge cash prizes for cracking into a MacOS based WebStar server. Fewer macs means less hacker interest, but there are millions of macs sold, and some of the most skilled programmers are well versed in systems level mac engineering and know of the cash prizes so it's a moot point, but perhaps macs are never cracked because there appear to be fewer of them. (many macs pretend they are unix and give false headers to requests to keep up the illusion, ftp http, finger, etc).

    8> MacOS source not available traditionally, except within apple, similar to Microsoft source availability to its summer interns and such, source is rare to MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reasons the MacOS has never been remotely broken into and exploited.

    Sure a fool can install freeware and shareware server tools and insecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.

    I think it's quite amusing that there are over 200 or 300 known vulnerabilities in RedHat over the years and not one MacOS remote exploit hack.
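Point 3 above rests on the length prefix of a Pascal string. As an added illustration (not the poster's code, and the Str255 helper names are hypothetical), a Str255 carries its length in byte 0 and its capacity in the type, so every copy or append can be bounded before any memory is touched; the C-string helper at the end shows that the NUL-terminated form only gets the same guarantee if the caller supplies the capacity by hand each time.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Classic Mac OS style Str255: byte 0 holds the length, bytes 1..255 the
 * text. The 255-byte capacity is part of the type, so a copy can never be
 * asked to write more payload than the buffer holds. Helper names below
 * are hypothetical (not a real Mac OS API). */
typedef unsigned char Str255[256];

#define STR255_MAX 255

/* Build a Str255 from a NUL-terminated C string. Returns true if the input
 * fit, false if it was truncated to 255 bytes. Either way dst stays
 * well-formed and in bounds. */
bool str255_from_cstr(Str255 dst, const char *src)
{
    size_t n = strlen(src);
    bool fits = n <= STR255_MAX;
    if (!fits)
        n = STR255_MAX;
    dst[0] = (unsigned char)n;
    memcpy(&dst[1], src, n);
    return fits;
}

/* Append src to dst. Refuses (returns false, dst unchanged) when the result
 * would exceed 255 bytes: the two length prefixes are enough to decide this
 * without scanning either string. */
bool str255_append(Str255 dst, const Str255 src)
{
    size_t have = dst[0];
    size_t add = src[0];
    if (have + add > STR255_MAX)
        return false;
    memcpy(&dst[1 + have], &src[1], add);
    dst[0] = (unsigned char)(have + add);
    return true;
}

/* Copy out as a C string into a caller-sized buffer. This is the direction
 * where the C side must supply a bound explicitly; nothing in a C string
 * itself limits the write. */
bool str255_to_cstr(const Str255 src, char *dst, size_t dst_cap)
{
    size_t n = src[0];
    if (dst_cap == 0 || n + 1 > dst_cap)
        return false;
    memcpy(dst, &src[1], n);
    dst[n] = '\0';
    return true;
}

/* Contrast: with NUL-terminated strings the copier learns the source length
 * only by scanning, and the destination capacity only from the caller, so a
 * bounded copy depends on dst_cap being passed correctly every time. */
bool cstr_copy_bounded(char *dst, size_t dst_cap, const char *src)
{
    size_t n = strlen(src);
    if (dst_cap == 0 || n + 1 > dst_cap)
        return false;
    memcpy(dst, src, n + 1);
    return true;
}
```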

  36. Shh... by msheppard · · Score: 2

    You wanna get everyone looking over our shoulders all day long!

    M@

    --
    Krispy Cream is people
  37. PEBCAK by Col.+Klink+(retired) · · Score: 2

    The real problem has very little to do with software and very much to do with the people running the software.

    I don't care how secure your unix system is, if your root password is "password" or you let root telnet into it, your system is insecure. Selecting "unix" over "NT" should not save you money on insurance if it's the same moron running either machine.

    Not to mention that there is some inherent risk in change. If you declare that "Unix is secure" and give a break to anyone using it, you're going to end up with a former NT administrator forced to admin a system he knows nothing about. (The same would be true in reverse.)

    --

    -- Don't Tase me, bro!

    1. Re:PEBCAK by Pvt_Waldo · · Score: 1

      Klink, I understand where you're coming from with that comment, but really that's not valid. Why? Because you can falsely apply the same comment/argument to many aspects of "Human Controlled Devices" on a platform such as a ship. I worked for 13 years on research ships, and believe you me - the most important thing in my book was that the guy/gal behind the wheel, the crane, or the off switch on the device I was working on was more important than anything else.

      That said, here's the fallacy: there are tons of (good) rules and regulations about the control and safety of devices those humans are using. And a smart ship doesn't just hire someone to fill a role RE your "former NT administrator" comment.

      So, I guess to conclude, I gotta say "Hmm, that's a good question!" (which means I don't have an answer). HOWEVER, I gotta say if you're on a ship or any other environment where you can't just call the SA guys on the phone and have 'em drop in to help you out, you'd better have a really failsafe system, AND you'd better train your crew so they know and respect the computer system much like any other mission critical device on the ship. You don't want the ECDIS to "go offline" when really it's the guy not knowing how to turn the monitor back on.

    2. Re:PEBCAK by uberdave · · Score: 1
      For those who don't know:

      PEBCAK
      Problem Exists Between Chair And Keyboard

  38. Some regulations... by netizencain · · Score: 0, Offtopic

    There are a few regulations currently in place that dictate computer networks onboard commercial vessels. A big one is IEC-945. The IEC-945 testing is a standard for test of equipment intended for installation in the bridge. IEC-945 assists in meeting the requirements of SOLAS (Safety Of Life At Sea) that is also adopted by IMO (International Maritime Organization). ISO (International Organization for Standards) has a technical committee (TC-8) and a subcommittee 10 (SC-10) that deals with computer applications. (never looked this one up before) The guiding principle with the shipping company I work for is that no computer that controls navigation can be on the network. We make sure we have ABS approval before penetrating bulkheads for cable runs and the cable must be of a type that does not produce smoke if burned. Otherwise it's anything goes as far as software: Windows, Novell, etc... We just ensure compatibility with the shore-side and go from there.

    1. Re:Some regulations... by peacefinder · · Score: 1

      Mod parent up!

      --
      With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  39. There are a few standards by synoniem · · Score: 1

    Although I am not in that part of the market any more, I've worked under conditions equal to the safety standard for nuclear sites IEC60880 and the coming IEC61508, as I recall from memory. So take a look at this organisation and their other standards. (www.iec.org)

  40. Risks Associated with Ship Computer Systems. by NateTG · · Score: 3, Interesting

    I recall that a while ago some navy ships were stopped dead in the water due to computer failure, so there are legitimate concerns. Most ships have a large number of fallback systems - notably crew - that can recover from most problems.

    Large ships also benefit from a reasonable physical security structure - limited bridge and engine room access for crew - that helps computer security.

    In light of a natural physical isolation, limiting the net access of the navigation computers is a natural and effective security boost.

    Most of the 'essential' computer systems that are currently used are not OS based, but embedded. It would be silly to worry about the electronic fuel pump in your car getting a worm. These embedded systems are often virus proof because they use ROM program space. Any bugs are the result of programmer error and insufficient testing.

    So, I suspect that only high-level systems like navigation are vulnerable to worms. Now, let's take a look at possible damage.

    Massive failures can be caused by hardware, so there must be a backup system regardless of the software that you choose.

    The same redundant systems can also be used to keep the master system honest.

    In general good policy and management is more important than what software is used.

    1. Re:Risks Associated with Ship Computer Systems. by sylvester · · Score: 1

      I'm sorry, I couldn't read your post...








      It was far too low on whitespace. :-)

  41. Well, history repeats itself, right? by JoeShmoe · · Score: 3, Interesting

    Maybe now that companies are offering hacker insurance some standards and guidelines will develop?

    On the other hand...when has the computer industry ever mirrored any real world industry? We still don't have the equivalent of the Consumer Product Safety Commission nor is there product liability, recalls, or defect-related lawsuits.

    If there were, Microsoft would make the Ford/Firestone fiasco look like nothing.

    - JoeShmoe

    .

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
    1. Re:Well, history repeats itself, right? by Kalak · · Score: 2, Interesting

      Lloyd's of London started the idea of classifying items based on their survival rating. This is where the idea of ship classification came from, IIRC, and is where the phrase "brass bottom boat" came from. Boats were rated on their likelihood to survive, and those with brass bottoms were rated with the highest survivability, and therefore received the best insurance classification (talking days of the West India Trading Company here). Ironic that the poster works for such a modern company.

      Saying that the admin makes a difference (which it does) is not much in the eyes of an insurance underwriter. You could say the same about a driver of a car, or even the captain of a shit (what is the captain of the Exxon Valdez doing these days)? You could be the safest driver on the road, but insurance just sees an 18 year old male with no prior accidents.

      An NT box with a good admin can be made safer than a *nix box with a poor admin, but insurance looks at classifications.

      --
      I am, and always will be, an idiot. Karma: Coma (mostly effected by .hack)
    2. Re:Well, history repeats itself, right? by Anonymous Coward · · Score: 0

      Use a Mac webserver with MacOS 9 and be safer than unix or NT. No known exploits in history or bugtraq.

    3. Re:Well, history repeats itself, right? by Anonymous Coward · · Score: 0
      ...or even the captain of a shit...

      Hopefully, it's a floater.

      Sorry, couldn't help. Almost bust a gut when I first read that line. Mental picture of a guy dressed up in that yachtsman's get-up, ascot, cap with the anchor and rope emblem, standing on a brown deck...

    4. Re:Well, history repeats itself, right? by stretch_jc · · Score: 1

      When was the last time you heard a report of a CodeRed exploit causing death? Or that MS knew of an exploit and tried to cover it up and settle out of court rather than fixing the prob?

      These are the reasons that software is different than most other consumer products. Software for military, or other high threat systems already has guidelines to be followed. Microsoft's programs may be like that cheap vcr from walmart (it breaks often), but never kills anyone. So trying to compare it to Ford/Firestone is laughable.

    5. Re:Well, history repeats itself, right? by Anonymous Coward · · Score: 0

      Mod this up! Funny! This picture is the best moment I've had all day. Sure beats trolls whining about spelling errors.

    6. Re:Well, history repeats itself, right? by JoeShmoe · · Score: 2

      On point one: Medical devices have in fact failed due to bugs, and some of them are software related. I specifically remember some case in Boston where a dosing machine malfunctioned and administered a lethal level of a medication because of unit conversion error. In cases like that, the manufacturer is responsible and quick/quiet settlements are guaranteed. So maybe there hasn't been a CodeRed death but if not it would be primarily because Microsoft doesn't allow their software to be used in life or death situations (read the license) at least not yet. But my comment was about SOFTWARE, not MICROSOFT.

      On point two: if MS knew of an exploit and DID COVER IT UP then it stands to reason you very well wouldn't know, would you? That's what NDAs are for. You are arguing that because Microsoft has never been stupid enough to get caught covering something up they must not do it. That's hardly a provable thesis.

      Last but not least, Microsoft has goals to put Windows everywhere. We have battleships now running Windows NT-based products. They have released XP embedded. There are a huge number of non-interactive devices like drive arrays running NT kernels. Guidelines or not, mistakes can be made and it's only a matter of time before a traffic light blue-screens and causes a 20-car pile up.

      My comparison to Ford/Firestone was talking specifically about how the incident brought critical (and congressional) attention to some little known text carved on the side of a tire that had basically gone unnoticed before. Now because of that backlash, SUVs are (hopefully) safer. There is no Ford/Firestone incident in the software world that has caused a similar grass-roots movement for better software. As bad as CodeRed was, nothing appears to have resulted from it. Bill Gates professes a keen interest in security but this is just a sound bite because it's exactly the same lip service that any CEO would give when confronted with problem X.

      My comparison wasn't trivializing Ford/Firestone...it was foreshadowing Microsoft/Nuclear Launch Agency.

      - JoeShmoe

      .

      --
      -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  42. Evaluation and Certification by cplcap · · Score: 4, Informative

    There is one answer... the US government has published a civilian version of a process that the DoD has been using for a while. It's called the NIACAP (NSTISSC 1000), here.
    Simply put: It defines a complete, scalable, tailorable and relevant process to design, test, certify and maintain a system for use.
    IF: 1. Good, well informed individuals identify vulnerabilities during system design and testing,
    2. The upper management commits to following the maintenance plan, and
    3. The principles of good system design are followed (i.e. KISS, enforcement of least privilege), then many security issues are non-issues.
    IMHO, one of the most important things in certifying a system for a critical app is to get the underlying SW from a reputable vendor, one who identifies "Day 0" exploits immediately, preferably one on the Common Criteria List, and offers a modularized package to limit the amount of unused but potentially vulnerable code in the system. No system is going to be immediately perfect now and for its entire lifespan, but follow a good maintenance plan and you may even be able to make a M$ system secure!

    --
    "If you know yourself but not the enemy, for every victory gained you will also suffer a defeat." -Sun Tzu
  43. Depends on the Industry by Arandir · · Score: 5, Interesting

    It all depends on the industry in question. Take as an example, light bulbs. When you buy a lightbulb for your bathroom light, no one really cares. But when you buy a light bulb for your car headlight, you start running into safety regulations. And when you buy a light bulb for your left airplane wing, the FAA is going to be breathing down your neck.

    I help build software for invasive diagnostic medical devices. The FDA (and similar organizations for other nations) is very concerned about the software we use. They don't have a checklist of brands, makes and models of software, since that's not the nature of software. But they do audit our development process. ISO compliance is easy. FDA compliance is hard.

    For our next project, some boneheads decided on Win2K and "embedded" Win2K. I personally think the decision is stupid. But it probably won't affect the final quality of the device. Why? Because it won't be a stock Win2K, it will be the embedded version, stripped of everything we don't need. We will be in charge of the hardware it runs on. It will be tested under rigorous protocols. Etc.

    The FDA doesn't care that it will have Windows on it. But they will care that it operates safely. That means it can't crash while diagnosing a live patient.

    --
    A Government Is a Body of People, Usually Notably Ungoverned
    1. Re:Depends on the Industry by Jburkholder · · Score: 1

      >I help build software for invasive diagnostic medical devices
      >some boneheads decided on Win2K

      The rest of your comments about a stripped down embedded version and rigorous testing protocols aside...

      Brings new meaning to "Blue Screen of Death", doesn't it?

      *ducks*

      Sorry, it had to be said.

    2. Re:Depends on the Industry by john82 · · Score: 1
      When you buy a lightbulb for you bathroom light, no one really cares.

      In the US, there are indeed consumer safety entities (Consumer Product Safety Commission) and testing labs. Underwriters Labs (UL) would be the most well-known of the latter. I believe there are similar orgs elsewhere in the world. Canada for instance has their own version of UL (CSA?).

      Understand you're point, consumer products are not a good example.

    3. Re:Depends on the Industry by dstone · · Score: 2

      Understand you're [sic] point, consumer products are not a good example.

      I think the consumer product example is good, because it displays a scale of increasingly stringent requirements as the implications of a product's failure increases. This keeps the end costs proportionate to how much we care.

      We're all aware of UL and CSA, but the previous poster said that they don't really care, in the context of how much more the DOT (for cars) and FAA (for aircraft) care. A bathroom lightbulb is an imprecise, low-quality, highly unpredictable piece of garbage compared to an airplane wing bulb, and UL (or whoever) don't really care. Nor should they!

    4. Re:Depends on the Industry by Anonymous Coward · · Score: 0

      it can't crash while diagnosing a live patient.

      try
      {
      run_system();
      }
      catch(int a)
      {
      /* cannot crash while diagnosing a live patient */
      kill_patient();
      crash();
      }

    5. Re:Depends on the Industry by thogard · · Score: 1

      You haven't dealt with airplane lights, have you.

      A UL approved lightbulb will have a fuse in it. It will also meet quite a few requirements such as breakage resistance. From what I can tell, the lightbulbs for some restaurant applications are much better than the overpriced relabeled auto lights that go in the wings of small planes.

    6. Re:Depends on the Industry by unitron · · Score: 2
      There's not much reason for a U.L. approved light bulb to have a fuse. If it dead shorts, the fuse or circuit breaker for the circuit that the light is on is supposed to interrupt current flow. If it merely attempts to draw more current than it should the filament will probably burn out, which will interrupt current flow as well as any fuse.

      Actually the bulb wouldn't be U.L. approved, it would be U.L. listed. What U.L. does is tests stuff to make sure that it fails safe, not to guarantee that it doesn't fail. They don't care if the light bulb burns out, they care whether it starts a fire or lets someone get shocked or electrocuted from touching something that shouldn't be electrically "hot".

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

    7. Re:Depends on the Industry by RegularFry · · Score: 1

      Oh, for mod points!
      ROTFL!

      --
      Reality is the ultimate Rorschach.
  44. Ben Stein: Friend of the Lardass by GafTheHorseInTears · · Score: 0, Offtopic

    So I was watching "Win Ben Stein's Money" just now, and I think I've spotted a pattern:

    The fattest contestant makes it to the final round.

    I'm going to have to watch a few more episodes to confirm my theory, but I think I might be on to something here...

    On a related note, WTF's up with Nancy Pimental's neck, anyways?

    --
    "You're just scared like a little white pussy. I'll fuck you till you love me, you faggot!"
    1. Re:Ben Stein: Friend of the Lardass by Anonymous Coward · · Score: 0

      Jews, all of them! Fat, ugly, stinking JEWS

  45. Standards in Coding by longwinded · · Score: 2, Interesting

    I would venture to guess myself that software is very hard to regulate in a normal sense. On complex pieces of code (KISS standard aside) it is nigh impossible to completely prevent bugs 100% of the time. That's the ideal, but that's why we call it ideal.

    If a bug occurred in a very unique situation, and it took 20 years for that situation to come about and it caused just one death, people would still ask, "Why wasn't anything done to prevent this?" Something was done (hopefully), and standards and regulations help, but in the end that's pretty much all you can do.

    I don't think he's asking as much about viruses or hackers in this case, but those are also valid questions. I tend to believe what is stated downstairs in this argument -- I've seen Unix systems that were wide open and Windows Boxes sealed tighter than a drum, and it's up to the admin. I'm not really sure if there's a test or anything that sysadmins must pass to become licensed sysadmins, but if there isn't (and I'm not talking about certification) there should be one, at least as far as sensitive data like this is concerned.

    Also, a real life situation when computer software caused multiple deaths was in the case of the London Ambulance Service, which used a very poorly constructed computer system and was directly linked to 20 or 30 deaths (due to late ambulances) in the few days it was active.

    1. Re:Standards in Coding by Sobrique · · Score: 2

      SAGE runs a sysadmin certification program.
      It's still in early days, but the idea was to set up a non-vendor dependent certification program.

  46. Re:Most secure [TANGENT] by Geekboy(Wizard) · · Score: 1

    I find that it is. It DOES have most things turned off by default, but it is easy to turn stuff on. Simple flags in /etc/rc.conf. I use it for a web server, and a firewall, and everything seems hunky dory.

  47. there are many such criteria! by Mr.+Slippery · · Score: 1
    (I am just now most interested in criteria for computer systems that would address such issues as vulnerability to worms, viruses and crackers)?

    The Orange Book / TCSEC. The Rainbow Series. The Common Criteria. The FIPS PUBS.

    Pick up the relevant O'Reilly book, Practical Computer Security, and spend some time with everyone's friend Google.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  48. Exactly! by hndrcks · · Score: 1

    As someone more erudite (and wittier) than I once said,

    "The most unsafe part of an automobile is the nut loose behind the steering wheel."

    The insurance company auditors that have grilled me about our IT infrastructure (for business continuity purposes) NEVER ask what kind of hardware or software we use - they ask "Do you have a backup plan?" "Have you tested your backup plan?" "Do you have antivirus software installed?", etc.

    Now I assume that some value could be given to the relative security or insecurity of hardware or software for the purpose of calculating risk and premium costs (much like the airbags on my car save a few buck a year) - but I expect the procedural implemenation and system policies (the 'driving record') will continue to have the most weight.

    --
    Everyone will start to cheer when you put on your sailin' shoes.
  49. Re:Most secure [TANGENT] by Anonymous Coward · · Score: 0

    But when you're rooted (say, through the recent openssh hole) can you really honestly say that OpenBSD has no exploits? ANY system is going to be secure with all the services shut off by default.

  50. Re:Most secure web server by Glorat · · Score: 5, Interesting

    Here is another clue I got today from my uni lecturer. If you wanted to run a secure web server, would you run it on NT, Linux, Solaris or the Mac?

    *Up go hands of Linux advocates*

    Answer: Mac because it is the least available operating system and as such fewer attacks have been created for it, even if there are hypothetically more bugs. As such, you would be less likely to suffer a problem, all else being equal

    Back to the article, would a measurement take into account this type of situation? Does Mac get a high rating for low rate of incidents or a low rating because it (probably) has more bugs than Linux. Open question

  51. Networked ships? by cybergibbons · · Score: 2, Interesting

    To be perfectly honest, is the computer on a ship going to be networked externally? Maybe the control systems on board are linked by a network, but surely there is no need for vital systems to be connected to the outside world?

    If the ship needs an internal network connected to an open network, then it should be entirely physically separate from the control systems. No firewalls, no fancy security measures. Just no route between the two.

    More of an issue is software reliability and stability. I won't get into the linux/windows argument, but generally, a more stable, stripped down system can be easily achieved with linux. In windows, you run the whole OS, no two ways about it, even if it just adds to instability and problems.

    Generally, essential computer systems, such as those on planes, radar, life support systems, and satellites, are as simple as possible, and undergo rigorous testing. The development is often frozen early on because of this, resulting in reduced features, but better overall performance. It can take several years for changes to propagate through the system... this can be annoying if it is as simple as a GUI change (say, one display needs to be frequently accessed, but requires several button presses, where another, rarely used display has instant access off the yoke).

    Hardware reliability could be a problem as well - though I should imagine these systems are ready built by people who know what they are doing. I wouldn't trust off the shelf boxes and bog standard cat 5 linking them.

    Redundant systems are probably a very good idea - as is some form of power conditioning and UPS system, as ships power may not be the best.

    There is a lot to consider, but I think you may just as well turn to someone who has experience with aviation computers as well as someone who knows a lot about closed network security.

    And imagine.... maybe the dodgy oil tanker plot in hackers could come true...

  52. It says in Micro$oft EULA... by Anonymous Coward · · Score: 0

    Well, I apologize (considering the /. readership) for not knowing squat about UNIX, but I recall reading in Microsoft's EndUserLicenceAgreement that it specifically states that (paraphrasing) "This product is NOT to be used in a life-critical situation". I remember it well, because I was installing these NT boxes in hospital Surgical Suites! Does UNIX have a similar disclaimer?

    1. Re:It says in Micro$oft EULA... by ONOIML8 · · Score: 1

      I believe that you are correct about "off the shelf" Microsoft products. While I can't swear to it, I would imagine that Microsoft has a slightly different version of NT available for your situation which doesn't contain that limitation in the EULA. I know that is the case with the radio console system that I run for a 911 center, it runs NT (yuck) but it is not an off the shelf version, it was provided by the equipment manufacturer.

      Because of that I can't go to Microsoft as an end user and purchase upgrades. There are strict limitations because of the life-critical nature.

      This is true of many products. If you purchase a Ford chassis or van, you'll notice a sticker on it that informs you that you can not use the vehicle as an ambulance, nor can you build an ambulance from that vehicle. Yet Ford sells thousands of the very same vehicles which are for use as ambulances with very minor changes. Those changes protect life, protect Ford from liability.

      Your question about UNIX tho is tricky. You see with Windows you have to go to a single source, Microsoft. If you want Unix then you can go to several sources. I believe that I've seen a similar limitation in the Sun Solaris license. I'm pretty sure of AIX and SCO.

      I do know that in any situation where I have installed an OS in a life-critical situation such as yours I made sure that I had something on file that indicated that the OS and all software/hardware in use is ok for that. I get that documentation from the manufacturer. Not having that information in your file is a HUGE liability.

      --
      . Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
  53. In essence... by S.+Allen · · Score: 2

    your lecturer is advocating security through obscurity. by that measure, the most secure possible web server is one you've written yourself, regardless of your competence level, because it's one of a kind.

    I would like to see that point of view competently defended in the public court of security experts.

    1. Re:In essence... by duffbeer703 · · Score: 2

      The court security experts have a built-in incentive to push whatever it is that they are pimping, because it keeps them employed. I have dealt with 'security' groups at my employers who seem to universally specialize in pushing paranoia to management and holding the sysadmins and system programmers who enforce security practices hostage in tedious policy meetings.

      I would estimate that 95% of successful hacking attempts are either internal compromises or moderately-skilled users using pre-programmed exploits.

      Security through obscurity, combined with good user policies and applications is quite effective. You cannot hack what you don't know about.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    2. Re:In essence... by Steveftoth · · Score: 2

      You cannot hack what you don't know, but at the same time, you cannot depend on other people's ignorance to protect you.

      I think that it's more important to look at factors like how often the software you are using is updated in response to security flaws and how easy it is for you to replace your software given an update.

      Basically, if the software is never updated, or if the server cannot go down under any circumstance, then maybe the more obscure platforms/software may be an answer.

    3. Re:In essence... by bluesangria · · Score: 1
      Not really. Macs are more secure as web servers because they lack a command line interface and, because of its design as an end-user desktop, almost nothing can be done to the OS through an application if it's not designed for that. I can't use the Chooser, for example, to do anything else except look at AppleTalk network devices. There are no CLI commands you can pass to that app. Note that this only applies to Mac OS 9.x and LOWER. OS X, with its BSD Unix core, is another animal entirely.

      However, the same features that make the Mac secure against overflow bugs also limit its abilities as a server. I surely wouldn't run more than a small-user-base file server or web server on it.

    4. Re:In essence... by gweihir · · Score: 2

      I think that it's more important to look at factors like how often the software you are using is updated in response to security flaws and how easy it is for you to replace your software given an update.

      Right. And respect KISS. If you want to securely serve static pages, don't use a full Webserver with CGI and other stuff! Use the simplest possible! (See e.g. D. J. Bernstein publicfile for such a solution.)

      A lot of today's insecurity arises from feature creep and reinventing the wheel.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
    5. Re:In essence... by Mawbid · · Score: 1
      That's not entirely correct. While the majority of Pre-X MacOS installations don't have an interactive shell, they do have an AppleScript interpreter. Remember the /. story of the stolen Mac recovered with the aid of Timbuktu? A key element was the use of an applescript placed in some folder where it was executed on boot.

      Now, I have only a superficial acquaintance with MacOS, but it seems to me that the applescript interpreter can be used by an attacker in many of the same ways that /bin/sh can be used. The Chooser can't be called with commandline parameters, but do you know if it has an AppleScript interface? (I don't.)

      --
      Fuck the system? Nah, you might catch something.
  54. Cruise Ship Systems by Anonymous Coward · · Score: 0

    For what it's worth I just got back from a Caribbean cruise on one of the newer "largest" cruise ships "Explorer of the Seas"

    They had two small-ish internet cafes on board - don't know the actual specs (almost have to be satellite based...)

    The point is I tried to telnet into my university email account but they had the terminals locked up to only web usage - I asked if I could get a telnet window open at the ship's info desk and was told no due to security reasons.

    Apparently there was a fairly significant problem on another ship where someone did some damage to the ship's systems through telnet (virus? hack?) that caused the entire week cruise to be cancelled (screwed the nav system or some-such) - since then they separated the guests' systems from the ship's and limit guests to only web access.

    Might just be a story they tell to anyone wanting to telnet but sounds plausible - lucky for me my addled brain remembered our university has web access to our email accounts... still - 50 cents a minute on board - ouch...

  55. Groups? by Anonymous Coward · · Score: 0

    Aren't there groups within the ACM/IEEE etc. that already do this?

  56. nsa by Anonymous Coward · · Score: 0

    if you go to nsa.gov they can provide some background on security or operating system hardening against known and unknown vulnerabilities. I highly recommend using them as a basis for locking down your operating system. =)

  57. Risks of www.dnv.com by mosch · · Score: 3, Interesting
    Your webmaster, for instance, does not understand how to properly create a website, therefore their website creation software should be listed as high-risk.

    Click on 'classifications', then try to use any of the links on the left, register of vessels and such. The link for that is file:///registerofvessels. Needless to say, that link doesn't work too well on a public internet.

  58. Re:Most secure [TANGENT] by duckyd · · Score: 1

    You can do quite a lot with a default install of OpenBSD. A default install does not have all services turned off - for example, SSH runs by default. The idea is, however, that you should have a pretty good idea what services you're adding, and be careful to ensure you do so securely - generally this is a much better idea than starting with a system whose services were enabled by default and then attempting to secure necessary ones and disable unnecessary ones...

  59. Backup Everything by DeathPooky · · Score: 1

    Any system, no matter what software or OS you decide to use, still has a possibility of error simply because it is a somewhat complicated high-level system. When you turn more and more over to software, then you inevitably create a greater likelihood of error somewhere along the line. The best thing to do to prevent the error resulting in a more serious problem is to have backups, either much more low-level software, or, even better, manual controls for everything that would need to be used in case of an emergency. At the very least have manual controls for basic navigation so if the problem is serious the vessel isn't stranded.

    The best idea is just to have manual systems for everything that can be controlled manually, so the ship could continue functioning at somewhat normal level while the problem is solved. Humans may not be foolproof, but when the system crashes, they're all we have.

  60. wow I can't beleive u want him to take such risks by blonde+rser · · Score: 2

    it can only be safe if it is not connected to the outside, off, and unplugged from the wall.

  61. Air Gap by slugfro · · Score: 2, Informative

    Implementing a system with an air gap is definitely a good security measure. However, it is really only practical for certain systems. On a ship, an air gap might be applicable for systems that run the ship's controls (i.e. engines, environmental controls, etc). These systems may be very important for ship safety and have no need to be in contact with the outside world.

    Then there are the navigation and communication systems. These are very important for a ship but may require limited access to the outside (GPS, etc). This should be completely separate from the air gapped systems above and of course implement all other possible security measures (firewall, etc).

    On a modern ship there will likely be a third level of systems used for personal communication. Web browsing, Email and the like are not vital to the safety of human beings onboard the ship and thus do not require as stringent security.

    Using a multiple-system and multi-tiered security model like this may offer the best combination of security, price, and convenience due to not having to secure everything to the highest order.

    --

    -- Find the Truth...
  62. Every ship captain's nightmare by ahde · · Score: 4, Funny

    "Captain -- the minesweeper program's crashed again!"

    1. Re:Every ship captain's nightmare by Zog · · Score: 1

      Isn't that the captain's line?

  63. Re:Most secure [TANGENT] by Geekboy(Wizard) · · Score: 1

    I never said that OpenBSD has no exploits. What I'm saying is that they have the least amount of them. You can install it out of the box, and as long as you pick a decent root password, you can leave it plugged in, and stay safe for quite a while. Can you do that with ANY other operating system? No patches, no other configuration, nothing else.

  64. Computer Security Isn't the Problem by Anonymous Coward · · Score: 0

    The problem lies with the users. Obviously the users must be more informed about computer security. I have been using a firewall since before I got dsl. Why, because I'm cool. You can be cool too. Subscribe to my costly newsletter today, if you want to be cool.

  65. What's the consequences, likelyhood, backups ? by pspinler · · Score: 1

    Ask three questions:

    1) What are the consequences of failure:

    (Nav system steers you into rocks == bad)

    2) What's the risk of that failure mode happening

    (GPS systems == highly reliable)

    3) Are there redundant systems using different methods, or other forms of backup ?

    (LORAN and GPS systems, skilled pilot knowledgeable of local reefs)

    Assign an arbitrary scale to each of these criteria, and use it to consistently evaluate affected systems. Over time you'll build up a body of knowledge about affected systems.

    Note that this will bias strongly toward older, proven systems rather than upgrade of the month type, which for critical software is exactly as it should be.

    -- Pat

    --
    The biggest problem with communication is the illusion that it has occurred
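    The three questions above can be turned into a scoring procedure that is applied the same way to every system. The following C program is an added example, mine rather than the poster's; the 1..5 scales, the residual-risk formula (exposure weighted by how much the backup absorbs) and the four sample ship systems are constructed assumptions. It also shows the bias the post mentions: a proven system with an independent backup scores low even when the consequence of its failure is severe.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One shipboard system scored on the post's three questions. Each score is
 * on a constructed 1..5 scale (an arbitrary scale, as the post says, applied
 * consistently across systems). */
typedef struct {
    const char *name;
    int consequence;  /* 1 = nuisance ... 5 = loss of ship or life       */
    int likelihood;   /* 1 = highly reliable ... 5 = fails often         */
    int backup;       /* 1 = no backup ... 5 = independent method + crew */
} system_risk;

/* Constructed sample inventory (not from the post or any real vessel). */
const system_risk sample_systems[] = {
    { "navigation (GPS, LORAN backup, local pilot)", 5, 1, 5 },
    { "navigation (GPS only, no backup)",           5, 1, 1 },
    { "engine control",                             5, 2, 3 },
    { "crew e-mail",                                1, 4, 1 },
};
const size_t sample_count = sizeof sample_systems / sizeof sample_systems[0];

/* Residual risk = exposure (consequence x likelihood, 1..25) times a backup
 * multiplier: no backup keeps the full exposure (x5), the best backup keeps
 * a fifth of it (x1). Assumed weighting, chosen for illustration. */
int residual_risk(const system_risk *s)
{
    return s->consequence * s->likelihood * (6 - s->backup);
}

/* qsort comparator: highest residual risk first. */
static int by_risk_desc(const void *a, const void *b)
{
    int ra = residual_risk((const system_risk *)a);
    int rb = residual_risk((const system_risk *)b);
    return (rb > ra) - (rb < ra);
}

/* Number of sample systems whose residual risk exceeds threshold. */
int count_above_threshold(int threshold)
{
    int n = 0;
    for (size_t i = 0; i < sample_count; i++)
        if (residual_risk(&sample_systems[i]) > threshold) n++;
    return n;
}

/* Name of the sample system that ranks highest after sorting a copy. */
const char *highest_risk_name(void)
{
    system_risk ranked[sizeof sample_systems / sizeof sample_systems[0]];
    memcpy(ranked, sample_systems, sizeof sample_systems);
    qsort(ranked, sample_count, sizeof ranked[0], by_risk_desc);
    return ranked[0].name;
}

int main(void)
{
    system_risk ranked[sizeof sample_systems / sizeof sample_systems[0]];
    memcpy(ranked, sample_systems, sizeof sample_systems);
    qsort(ranked, sample_count, sizeof ranked[0], by_risk_desc);
    for (size_t i = 0; i < sample_count; i++)
        printf("%2d  %s\n", residual_risk(&ranked[i]), ranked[i].name);
    return 0;
}
```

    With these constructed weights the backed-up navigation system scores 5 and the same system without a backup scores 25, which is the post's point: the third question is what separates "scary but acceptable" from "scary".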
  66. Careful on requirements by bluGill · · Score: 2

    Yes, [everyone knows] UNIX is safer than Windows. BUT, that is in general, not specific.

    I can write my own Unix, make it fully posix, even pay for legal use of the unix name. (I don't have the money, but I could in theory) I'm a fairly good programmer, and I've done some OS level work. However I know next to nothing about writing a secure system, and apart from the backdoors that I intentionally put in my code, there will be many accidental security holes. However it would still meet the standards to be called unix by all measures.

    The point is your standards need to mandate a solution that works. Require code audits by qualified external parties if it is net connected. Make sure your external parties are well chosen (example Bruce S. of applied cryptology fame, or his company), but make sure you have several different experts represented. Make sure the requirements are reviewed. Actually, you probably have processes for reviewing the mechanical areas of the ship, extend those processes to the software. Remember, anything you can do in software I can do with gears (though in some cases I don't know if there is enough metal on earth to actually make all those gears, not to mention the reliability) so your mechanical review process should extend to software.

    Do you let your suppliers buy an engine (eg from Cummins) off the shelf and put it in, or do you require that your mechanical engineers examine the engine design first? If they can buy any engine, then they can put in any software. If you need to see all the engine design, then you need all the software design.

  67. FDA Examples by Torgo's+Pizza · · Score: 2, Informative
    If you want examples on a governmental body checking computer software, look no further than the FDA. The Good Manufacturing Practices for 21 CFR Parts 210, 211 and 810 are the bane of anyone trying to get FDA validation for their company. It covers everything from system setup, networks, vendor experience, change control, electronic signatures and testing. It will make IT sysadmins cringe in fear.

    Simply do any Google search on "FDA 21 CFR" and you'll find hordes of information that you can use.

  68. Prescription medication is your friend by GafTheHorseInTears · · Score: 0, Offtopic
    Hey, did you know that one of the side effects of Ambien is hallucination?

    In any case, the visuals are really starting starting to kick in now, so I'm going to go lay down for a bit.

    Please try to hold the fort while I'm gone. If you need anything, just leave me a message, I'll check it when I get up in 7-8 hours.

    See you then - XOXO

    --
    "You're just scared like a little white pussy. I'll fuck you till you love me, you faggot!"
  69. Re:Most secure web server by Jeremi · · Score: 2
    Answer: Mac because it is the least available operating system and as such fewer attacks have been created for it.


    Ah yes, good old security-through-obscurity. Shouldn't you say, "there are fewer publicized attacks created for it"?

    --


    I don't care if it's 90,000 hectares. That lake was not my doing.
  70. Re:Careful on requirements USE MAC by Anonymous Coward · · Score: 1, Interesting

    MacOS is safer than Linux OR windows.

    Consulting self-appointed experts has nothing to do with the reality of what is safest.

    Use Bugtraq to make your decision based on historical fact.

    The MacOS running WebStar as a server has never been exploited.

    In fact in the entire securityfocus (bugtraq) database history there has never been a Mac exploited over the internet remotely.

    That is why the US Army gave up on MS IIS and got a Mac with WebStar.

    I am not talking about BSD derived MacOS X (which already had a couple of exploits) I am talking about Mac OS 9 and earlier.

    Why is it hack proof? These reasons :

    1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT

    2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security.

    3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is fewer buffer exploits.

    4> Stack return address positioned in safer location than intel. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac places return address in front of where the buffer would overrun. Much safer.

    5> Macs running WebStar have the ability to only run CGI placed in the correct directory location and correctly file typed.

    6> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing. For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable of creating an executable file. The file type is not set to executable for the hacker's needs. In fact it's even more secure than that. A Mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY Mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they would lack launch information. But the best part is that Mac web programs and server tools do not create files with resource forks usually. TOTAL security.

    7> There are fewer Macs, though there are huge cash prizes for cracking into a MacOS based WebStar server. Fewer Macs means less hacker interest, but there are millions of Macs sold, and some of the most skilled programmers are well versed in systems level Mac engineering and know of the cash prizes, so it's a moot point, but perhaps Macs are never cracked because there appear to be fewer of them. (many Macs pretend they are Unix and give false headers to requests to keep up the illusion, ftp http, finger, etc).

    8> MacOS source not available traditionally, except within apple, similar to Microsoft source availability to its summer interns and such, source is rare to MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reasons the MacOS has never been remotely broken into and exploited.

    Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.

    I think it's quite amusing that there are over 200 or 300 known vulnerabilities in RedHat over the years and not one MacOS remote exploit hack.

    The gears and software analogy is off; they are not similar... programs can recurse and programs can generate code and programs can self replicate. In fact a computer can control a servo arm to play ping pong. Playing ping pong with pure analog machinery is probably impossible.
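    Point 3 above credits Pascal strings with fewer buffer exploits because the length is stored in front of the data instead of being found by scanning for a terminator. The following C program is an added example, mine rather than the poster's or Apple's code, showing that mechanism: a length-prefixed string type whose copy routine checks its bound with a single comparison, beside a C-string copy that carries an explicit capacity and gets the same protection. The pstring type, DEST_CAP, the 300-byte input and the guard bytes are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pascal-style string as the post describes it: a one-byte length prefix
 * followed by at most 255 bytes of data. No NUL terminator is needed and no
 * scan for one ever happens. (Constructed type for this example.) */
typedef struct {
    uint8_t len;
    char    data[255];
} pstring;

/* Fixed-size destination used by both copy routines; 64 is a constructed
 * size chosen so the over-long sample input would overrun it. */
#define DEST_CAP 64

/* Build a pstring from a NUL-terminated C string. Because the length is
 * stored rather than searched for, anything beyond 255 bytes is clamped
 * instead of being written past the structure. Returns 1 if clamped. */
int pstr_from_cstr(pstring *dst, const char *src)
{
    size_t n = strlen(src);
    int truncated = 0;
    if (n > 255) { n = 255; truncated = 1; }
    dst->len = (uint8_t)n;
    memcpy(dst->data, src, n);
    return truncated;
}

/* Copy a pstring into a raw buffer of cap bytes. The length travels with the
 * string, so the bound check is one comparison. Returns the number of bytes
 * written, never more than cap. */
size_t pstr_copy_bounded(char *dst, size_t cap, const pstring *src)
{
    size_t n = src->len < cap ? src->len : cap;
    memcpy(dst, src->data, n);
    return n;
}

/* The same discipline for C strings: carry an explicit capacity and check it
 * before copying, instead of trusting an unbounded copy to stop in time.
 * Returns 0 on success, -1 if the source would not fit (nothing written). */
int cstr_copy_checked(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > cap) return -1;   /* +1 for the terminating NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Sanity check: a short input is neither clamped nor truncated. */
int short_input_roundtrips(void)
{
    pstring p;
    char buf[DEST_CAP];
    if (pstr_from_cstr(&p, "hello") != 0) return 0;
    if (pstr_copy_bounded(buf, DEST_CAP, &p) != 5) return 0;
    if (memcmp(buf, "hello", 5) != 0) return 0;
    if (cstr_copy_checked(buf, DEST_CAP, "hello") != 0) return 0;
    return strcmp(buf, "hello") == 0;
}

/* Worked check: a constructed 300-byte input, longer than both the pstring
 * limit and DEST_CAP. Returns 1 if every copy stayed inside its buffer and
 * the guard bytes placed after the destination were never touched. */
int overlong_input_is_contained(void)
{
    char src[301];
    memset(src, 'A', 300);
    src[300] = '\0';

    pstring p;
    int clamped = pstr_from_cstr(&p, src);             /* 1, p.len == 255 */

    /* Destination followed by a guard region; any write past DEST_CAP
     * would change a guard byte. */
    char buf[DEST_CAP + 16];
    memset(buf, 0x5A, sizeof buf);
    size_t n = pstr_copy_bounded(buf, DEST_CAP, &p);   /* 64 */
    int rc = cstr_copy_checked(buf, DEST_CAP, src);    /* -1, refused */

    int guard_ok = 1;
    for (size_t i = DEST_CAP; i < sizeof buf; i++)
        if (buf[i] != 0x5A) guard_ok = 0;

    return clamped == 1 && p.len == 255 && n == DEST_CAP && rc == -1 && guard_ok;
}

int main(void)
{
    printf("short input round-trips: %d\n", short_input_roundtrips());
    printf("over-long input contained: %d\n", overlong_input_is_contained());
    return 0;
}
```

    The protection is not in the string format itself but in the length being known and checked at the copy; a C routine that keeps and checks its capacity gets the same result, and a Pascal-string routine that ignored the length prefix would lose it.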

  71. It's coming soon enough by clangro · · Score: 0

    I agree entirely that there needs to be a regulatory branch to standardize software security, simply based on the fact the major software players really don't care. I hope this standardization branches off into a wider array of issues and not just security, but product stability. Such rules that could be forcefully enacted are:

    - Required testing of a product on a designated amount/type of test beds
    - A required amount of man hours put into product testing
    - Governmental bodies to beta test all products to deem if they are fit to go into the market place

    Wouldn't it be nice to buy a piece of software that doesn't crash on installation or execution? Or software that doesn't have completely retarded default values to make no sense whatsoever? I don't know. Maybe I'm just pipe dreaming. Software that has a 90+% success rate upon first release. Yeah. Right.

  72. Re:Most secure [TANGENT] by ftobin · · Score: 2

    Do you not realize that the vast majority of network server software is not even developed by the 'bundler' (e.g., OpenBSD, RedHat, etc), so the 'remote exploit' issue is quite irrelevant. As to the question of how many are enabled by default, there are practically no services enabled by default on RedHat (I'm not sure how many; I use custom installs). Even inetd isn't running on many RedHat systems.

  73. Safety IS NOT Security by Zamboni · · Score: 1

    DISCLAIMER: The company I work for does software safety work.

    Many comments (as well as the poster) seem to imply that safety and security are the same thing. This is simply untrue, and this is one attitude that causes unsafe software systems to be put into production. A perfectly secure (or reliable) software system can still kill everyone involved. Repeat after me: security and reliability ARE NOT safety.

    If you want to know about safety, ask an expert in safety. Don't ask security or reliability experts about the safety of your system. Ask the wrong expert, and you'll get bad advice. Certainly, whatever you need to determine, take the matter up with an appropriate expert.

  74. Re:Most secure web server by Zeinfeld · · Score: 2

    Answer: Mac because it is the least available operating system and as such fewer attacks have been created for it, even if there are hypothetically more bugs. As such, you would be less likely to suffer a problem, all else being equal

    Let us suppose that someone discovers a bug in the MAC O/S that is only relevant to online control. Almost no MACs are used for online control, what is the probability your bug will ever get fixed?

    The original story in this case is posted with the intention of obtaining a particular answer. The poster is not really interested in what system would be secure, he wants to have his original prejudice reinforced.

    Design of ship control systems is a real time control problem. As such it is not an application for which 'Linux' is a solution, you have to be much more precise and specify exactly which real-time enhanced Linux you are considering. It would also kinda help to actually specify the problems to be addressed

    As for 'security', one would hope that you would not be hooking your control systems up to the Internet or running any sort of user application other than controls for the ship. The references to worms, viruses, etc. suggest to me that the poster does not understand the problem or is trolling for anti-Microsoft stories to tell his manager.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  75. Medical hardware by Fopster · · Score: 2, Insightful

    Many medical diagnostic machines must be validated by the FDA for use. A friend of mine works for a medical instrument company, and the hardware/software checks are quite involved. You might see how the FDA and the various hardware manufacturers handle this issue.

  76. You should be sorry! by fm6 · · Score: 4, Funny

    Don't you understand the importance of gratifying your own ego? Instead, you remind us of a useful link, and go away! How lazy can you get?

  77. Re:Most secure web server by iconian · · Score: 1

    Answer: Mac because it is the least available operating system and as such fewer attacks have been created for it, even if there are hypothetically more bugs. As such, you would be less likely to suffer a problem, all else being equal

    You forget that we live in a dynamic world. What's going to happen if system administrators all decide to move over to Macs? Do you think crackers will continue to develop exploits for *nix/Windows if there is no "market" for them? Of course not. They will start developing exploits for Macs. If Mac software is not BETTER designed than *nix/Windows software, you're going to see an explosion of Mac exploits. Many of these new Mac exploits will be based on the same principles of initial exploits resolved by *nix/Windows systems long ago.

  78. Re:Most secure web server by Tipsy+McStagger · · Score: 1

    Wasn't there a story about the US army moving their webservers to macos a while ago for exactly this reason?

    can't find the link but netcraft tells the truth

  79. Re:Common Criteria -what about NIST in the US? by turtleshadow · · Score: 3, Informative

    The actual department of the U.S. National Institute of Standards and Time is CSRC. I would point you to the Computer Security Expert Assist Team and their guidelines.
    Their audit and risk checklists are quite extensive.

  80. Practical Security Sign-off by Anonymous Coward · · Score: 1, Informative

    I worked for a financial software company which needed to assure its clients that our software was secure. The way we did this was approach a security consulting company, like ISS, pay them a reasonable fee, give them access to the source and engineers, and produce a report of their findings. We then shared that report with our customers, with comments about how we're addressing the various vulnerabilities. This provided the practical level of assurance that our customers needed.

  81. Ahh... by NiftyNews · · Score: 2

    Ahh..

    Another day, another "Tell Me Exactly How To Do My Job" post masquerading as an Ask Slashdot question.

    :)

  82. Re:Most secure [TANGENT] by Geekboy(Wizard) · · Score: 1

    I do realize that, OpenBSD goes through the code that it packages, and does some secure de-bugging. They change some of the code to protect from buffer overflows, and things of that nature. They send the changes up the tree, for the maintainers to use. OpenBSD (and BSD's in general) don't care if they are the most widely used, they just want their stuff to work.

  83. Really? by Anonymous Coward · · Score: 0

    "Everybody seems to know, for instance, that UNIX is safer than Windows, but there are no safety, reliability or security criteria established by any recognized authority that can be used to defend one computer system over another." So how does everybody seem to know that one is safer than the other?

  84. zlib overflow by Anonymous Coward · · Score: 0

    take your linux, and eat it.

    your super secure, bug free os seems to have a little problem with its zlib :)

    http://news.com.com/2100-1001-857008.html

    but it's not a problem right? of course not, linux doesn't have "bugs" just "issues". open source is far better because bugs get caught earlier... well zlib is pretty damn old. But all the linux zealots will be like "it's not a "bug" it's just a simple "issue" that will get resolved, because linux can't have bugs! it's just too cool to have bugs!"

    foff.

    i wonder if this cnet article makes slashdot front page. be funny if it didn't because it hurt your precious linux :( :( :(

  85. Not life-threatening, but... by DaoudaW · · Score: 2

    In Microsoft's anti-monopoly case, Microsoft's lawyers had to use WordPerfect to prepare their case because MS Word didn't meet the relevant bar association standards. If I remember correctly Word didn't count words reliably, so both sides couldn't be certain that they were looking at complete documents.

    Also I believe there is a similar set of standards for accountants using spreadsheets.

    Most of us just assume that our software is going to work and tell horror stories when it doesn't, but for those whose very careers depend on the accuracy of their programs, software is indeed very closely monitored.

  86. Depends on the criteria, too by Spamalamadingdong · · Score: 3, Insightful

    That means it can't crash while diagnosing a live patient.

    Not true; it only has to fail safe. The FDA wouldn't care if it crashed, so long as:
    1. The machine could not malfunction in a way which would harm the patient, and
    2. The machine would not report erroneous data which could lead to harm from subsequent mis-treatment of the patient.
    How you'd demonstrate such things given the legendary instability of Windows, I have no idea.
    1. Re:Depends on the criteria, too by Arandir · · Score: 1

      You are correct. The FDA doesn't care much if it merely crashes, so long as it doesn't harm the patient. I was simplifying matters greatly in my description. For this particular class of device, however, crashes occurring during certain modalities are considered regulatory issues.

      --
      A Government Is a Body of People, Usually Notably Ungoverned
  87. This is for SHIPS, folks... by s390 · · Score: 2

    so Internet security isn't an issue. For a shipboard computer, you only need two things:

    * No network connections to non-trusted systems (i.e., onboard crew and passenger personal systems)

    * Solid stability and reliability in operation.

    Given those, your ship computers should be secure.

    1. Re:This is for SHIPS, folks... by Webmoth · · Score: 2

      In the future, if not the present, internet security for shipboard computers WILL be an issue.

      You can expect that navigation systems will at some point receive updated charts or Notices to Mariners via the Internet.

      You can expect that navigators will receive up-to-the-minute, detailed reports about harbors they are about to enter.

      You can expect that shipboard control systems will interface with shipboard navigation systems, which by reason of the aforementioned scenarios, will effectively have a traceable data connection to the PC whose monitor you are staring at right now.

      What is necessary are firewalls: 1) between the satellite-uplink internet connection (duh, of course they have this, they'd be stupid if they didn't); 2) a packet-inspecting firewall between the LAN that has full internet access and the navigation system allowing only those packets pertaining to navigation to pass; and 3) a packet-inspecting firewall between navigation and control systems.

      The navigation system may be allowed limited access to the internet, perhaps only to certain sites. The control system should have NO access to the internet; rather, it should only be able to communicate with the navigation system.

      Of course, I say all this with NO expertise and NO experience in shipboard IT infrastructure.

      --
      Give me my freedom, and I'll take care of my own security, thank you.
    2. Re:This is for SHIPS, folks... by Anonymous Coward · · Score: 0

      "...Internet security isn't an issue..."

      Have you ever heard of a satellite uplink? Did you think they used a reaaaallllllyyyyyyyy loooong CAT5 patch cord???

    3. Re:This is for SHIPS, folks... by Sinus0idal · · Score: 1

      As Webmoth says, it is no longer a possibility in many cases for ships to be entirely separated from anything but trusted machines.

      On this website is a typical example of PC maritime software which makes use of emailed chart updates:

      http://www.pcmaritime.co.uk/comm/charting/navpro.htm

  88. daVinchi by C_nemo · · Score: 1

    shit, i think the man asking questions here is "the pauge". he's just looking for a way to get into those poor tankers' ballast control systems. and make a million bucks (email worm virus... sounds familiar).

  89. Your Lecturer is WRONG by gnovos · · Score: 4, Insightful

    If you wanted to run a secure web server, would you run it on NT, Linux, Solaris or the Mac?

    *Up go hands of Linux advocates*

    Answer: Mac because it is the least available operating system and as such fewer attacks have been created for it, even if there are hypothetically more bugs. As such, you would be less likely to suffer a problem, all else being equal.


    This is short sighted, because it does not take into account what you are securing AGAINST. If you are securing against random, non targeted attacks from script kiddies, you might be right, because said script kiddies aren't going to spend the time to figure the system out... but if you are trying to secure against a real, concerted attack by agents of a competitor trying to steal your ideas or ruin your business, then you have made a very grave mistake.

    When you say "all things being equal", then you are saying that 1 defaced web page is exactly equal to 1 stolen top secret formula, which is preposterous. A hypothetical question can not consider all types of attacks to be equal and still produce a valid and meaningful result.

    If you use that logic, then using a completely open and unsecured network would be ok if you sealed the computer in a locked metal box, since it would deter physical attacks by baseball bats (ALL attacks are of equal value, right?). Or you could say that adding the line "WWJD" to the telnet login prompt would be a valid defense since it would lower the instance of attacks by Christians by 80%.

    Go set him straight.

    --
    "Your superior intellect is no match for our puny weapons!"
  90. shotty? by Anonymous Coward · · Score: 0

    does this mean shitty and shoddy? Anyway, I like the term, even if it's accidental.

  91. This is the real story by gruntvald · · Score: 1

    "For our next project, some boneheads decided on Win2K and "embedded" Win2K". While Mundie is sent out to "enrage" us with anti-GPL rhetoric, Microsoft are hard at work on getting windows in every place they can. From VoIP solutions, to embedded, to medical and industrial, to phones, to consumer electronics. They are beginning to make a very "dangerous" end run around all other technologies. We got a taste of this when code red shut down routers because they had embedded IIS. The fight for the desktop is becoming irrelevant, as it is turning into the battle for technology itself.

  92. Computer Security Criteria by Teh+Grammar+Patroll · · Score: 0

    Well, I thought maybe I could take the day off, but this post makes it clear that it is downright dangerous for me to leave you creatures alone for even short lengths of time.

    Like so many posts here on Slashdot, this one falls off the cliff with its very first step out the door. To add insult to injury, after leading me on a wild goose chase with that first sentence, the author then leaves me stranded out in the forest by ending his run-on sentence with the word "etc." Maybe the St. Bernard will come and rescue me.

    I must also remind the author that standard English requires a verb form to be in agreement with the subject of the sentence. In general, agreement depends on three factors: person, number, and tense.

    The author has violated this rule in the sentence beginning with "The purpose of such..."

    The subject of this sentence is not "companies", rather, it is "purpose". Therefore, it is correct to say "The purpose ... is." It is not correct to say "The purpose ... are."

    Frankly, I stopped reading immediately upon discovery of this blatant error. Clearly both the author and his "editor", Michael, are incapable of meaningful written communication.

  93. Thanks! by roffe · · Score: 1

    I am quite impressed by the replies I have received both here and by mail. I would like to take the opportunity to try to address, as well I might, the issues that have been raised in the replies.

    I see that I have not stressed clearly enough the sort of security I am most concerned with, although some of you have guessed. Hacker attacks are probably the least of our troubles, because most ship's computers do not have a permanent Internet connection. In fact, in some cases ships regularly have no way of contacting shore and more frequently do not have any permanent connection, be it ground radio or by satellite.

    So the basic problem is computer systems that go down during navigation, or need a lot of maintenance. Typically, one would obviously not want a "classic" Macintosh or Windows 98 on board, because these are systems that are apt to erratic behavior that only experts can fix. GPS systems typically run on Windows NT.

    Now, if the GPS system goes down, it doesn't have to be a disaster because the radar will still work, but problems can occur in a roundabout way. A famous example is this: The GPS goes down because somebody trips on the antenna base and ruins it and fails to report it. GPS and the ship's auto-pilot switch to Dead Reckoning, which means that the ship calculates its position based on speed and initial course. If there are strong currents or even sidewinds DR becomes wildly inaccurate quite rapidly. This particular ship drifted for 24 hours before somebody noticed that the computer display showed that the autopilot was navigating by DR. This would not happen if the crew were paying attention to their job, but this ship had serious morale problems.

    There are also computers that monitor the state of the engines and warning messages from various information centers.

    Now, I know of no record that can give a clear picture of the frequency or gravity of computer problems at sea. Judging from a typical office, you'd have computers out of order all the time, but the analogy doesn't hold because the computers typically run only one program and are usually set to start them automatically at powerup, so the most typical causes of computer error are eliminated.

    No, I don't ask for a set of regulations that would outlaw Microsoft. I know that Unix systems are supposed to be more reliable than the obvious alternatives (hackability not being much of an issue here) but I lack criteria for reliability that could be used to challenge or clarify this position. The ship industry would clearly benefit from being made aware of

    1. The fact, if it is a fact, that reliability is in fact an issue that should be reckoned with
    2. Criteria that clearly show the strengths and weaknesses of the alternatives that exist
    3. The fact, if it is a fact, that it is possible to create a body that, based on objective criteria, can act as an authority that sets the standard for safety of ship's computer systems.
    --
    -- Rolf Lindgren, cand.psychol
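    As an added illustration of the failure mode roffe describes (this is not code from the thread or from any poster): a small Python model of how far a dead-reckoned position diverges from the true one under a steady current, plus a watchdog that alarms when the navigation source has sat on DR without anyone acknowledging it. The flat east/north frame, the 12-knot run, the 1-knot current and the hourly fix-source log are all constructed assumptions.

```python
"""Dead-reckoning drift and fix-source watchdog (added example, constructed data).

Dead reckoning (DR) advances the last known position along the steered
course at the logged speed; it knows nothing about current or leeway, so
its error grows linearly for as long as nobody notices the fallback.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Vec:
    """Position (nautical miles) or velocity (knots) in a flat local frame.

    A flat east/north frame is an assumption for illustration only."""
    e: float  # east component
    n: float  # north component


def dead_reckon(start: Vec, speed_kn: float, course_deg: float, hours: float) -> Vec:
    """DR position: start advanced along course (degrees true) at speed for `hours`."""
    rad = math.radians(course_deg)
    return Vec(start.e + speed_kn * hours * math.sin(rad),
               start.n + speed_kn * hours * math.cos(rad))


def true_position(start: Vec, speed_kn: float, course_deg: float,
                  current: Vec, hours: float) -> Vec:
    """Actual position: the DR track plus what a steady current adds over `hours`."""
    dr = dead_reckon(start, speed_kn, course_deg, hours)
    return Vec(dr.e + current.e * hours, dr.n + current.n * hours)


def dr_error_nm(speed_kn: float, course_deg: float, current: Vec, hours: float) -> float:
    """Distance between where DR thinks the ship is and where it actually is."""
    start = Vec(0.0, 0.0)
    dr = dead_reckon(start, speed_kn, course_deg, hours)
    actual = true_position(start, speed_kn, course_deg, current, hours)
    return math.hypot(actual.e - dr.e, actual.n - dr.n)


class FixSourceWatchdog:
    """Raises an alarm once the autopilot has been on DR longer than allowed
    without the watch acknowledging the fallback. A quiet status line on a
    display is what failed in roffe's story; this forces attention instead."""

    def __init__(self, max_unacked_dr_hours: float) -> None:
        self.max_unacked = max_unacked_dr_hours
        self.dr_since: Optional[float] = None
        self.acknowledged = False

    def update(self, t_hours: float, source: str, acked: bool) -> Optional[str]:
        """Feed one fix-source sample; returns an alarm message or None."""
        if source != "DR":
            # Back on an absolute fix (GPS, LORAN, radar fix): reset the timer.
            self.dr_since = None
            self.acknowledged = False
            return None
        if self.dr_since is None:
            self.dr_since = t_hours
        if acked:
            self.acknowledged = True
        elapsed = t_hours - self.dr_since
        if not self.acknowledged and elapsed >= self.max_unacked:
            return f"ALARM t={t_hours:.1f}h: on dead reckoning for {elapsed:.1f}h, unacknowledged"
        return None


# Constructed hourly log: GPS for three hours, then DR for 24 hours, never acknowledged.
SAMPLE_LOG: List[Tuple[float, str, bool]] = [
    (float(h), "GPS" if h < 3 else "DR", False) for h in range(28)
]
# Same log, but the watch acknowledges the fallback the moment it happens.
ACKED_LOG: List[Tuple[float, str, bool]] = [
    (t, src, src == "DR" and t == 3.0) for (t, src, _) in SAMPLE_LOG
]


def first_alarm(log: List[Tuple[float, str, bool]], max_unacked_dr_hours: float) -> Optional[float]:
    """Hour at which the watchdog first alarms over `log`, or None if it never does."""
    wd = FixSourceWatchdog(max_unacked_dr_hours)
    for t, src, acked in log:
        if wd.update(t, src, acked) is not None:
            return t
    return None


if __name__ == "__main__":
    # 12 kn on course 090 with a 1 kn northerly set: after 24 h DR is 24 nm off.
    print(f"DR error after 24 h: {dr_error_nm(12.0, 90.0, Vec(0.0, 1.0), 24.0):.1f} nm")
    print("first alarm (unacknowledged):", first_alarm(SAMPLE_LOG, 1.0))
    print("first alarm (acknowledged):", first_alarm(ACKED_LOG, 1.0))
```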
    1. Re:Thanks! by netizencain · · Score: 0

      I can respond a bit to #2. Alternatives don't mean anything if your software vendors aren't writing their programs in that OS. For example you probably are familiar with Kyma (Diesel Engine Monitoring Performance) or maybe ChartCo or WNI's 'Orion' weather product. Or maybe Globewireless or Rydex's e-mail suites. All of these large vessel programs run on Windows. Period. There's no reason to spend months working on a Linux solution if your SOLAS or ABS required software won't work on it. First find out your boundaries and work from there.

    2. Re:Thanks! by DecoDragon · · Score: 2

      1. The fact, if it is a fact, that reliability is in fact an issue that should be reckoned with
      2. Criteria that clearly show the strengths and weaknesses of the alternatives that exist
      3. The fact, if it is a fact, that it is possible to create a body that, based on objective criteria, can act as an authority that sets the standard for safety of ship's computer systems.


      In reply:
      1. For reliability, on cursory examination, I would suggest looking at the methods that new technology has replaced. Was it important for the previous method to be reliable? To what degree? Then presumably the new method needs to be as reliable.
      2. Now we're back to how to set up a criteria creation body, which I think has been less addressed in the responses. I mentioned SANS in my early posting. Why not contact these people, and people in similar industries (the person who mentioned they were in the railroad industry for example), and find how they did it, who the major players were, and talk to them.
      3. I'll take a pass on this one.

  94. Bastards, I thought it was funny. by Anonymous Coward · · Score: 0

    I liked this. Screw you moderators.

    *pause*

    Wait, what does this combo box do? Hmm....

    I can either submit this or mod the parent up...

    I'd rather bitch and moan. I like to mod up interesting points, not waste my mod point trying to mod up a dissed funny. So I repeat:

    SCREW YOU MODERATORS!!!

    I hope people meta-mod you down.

  95. Impossible by Zunni · · Score: 1

    What you are asking for is impossible to find, as you are dealing with certain "human" characteristics. A system is only as accessible, easy to use, secure and reliable as the people who administer, install and work with the technology. We can't make blanket statements like "Windows is less secure than Unix" simply because a good Windows admin can make that Windows machine more secure than a Unix box that has a junior or bad admin. That human factor cannot be understated and is the reason why just such a report or committee is impossible.

  96. The UK Speaks: "Peace in our time..." by Venomous+Louse · · Score: 0

    The surrendering chatter-monkeys of Europe have much to teach us about how to lose wars, lose international prestige, and turn first-world powers into sagging, helpless welfare states.

    They insist that we must let them teach us these valuable skills!

    Fuck that. Europe just wants to drag us down the same rathole of poverty, decadence, and irrelevancy they live in. Fuck that.

    Sun Tzu said that "the perfection of war lies in sapping your opponent's will to fight", didn't he? Well, he lived a long time ago. Back then, if you wanted a meal, you had to prepare it. Nowadays, it's all done for you: Just pop some frozen crap in the microwave. Likewise, back then if you wanted a spineless, helpless opponent, you had to sap his will yourself. These days, you just attack Europe. They come pre-de-backboned for your conquering pleasure. They couldn't even stand up to Serbia.

    The strong will always survive. Let Europe rot.

    --
    "Christianity neither is, nor ever was a part of the common law." --
  97. Accepted security criteria by Lish · · Score: 3, Informative

    The Common Criteria:
    here and here.

    Which supersedes the Orange Book:
    here and here.

    --
    "This message is composed of 100% recycled electrons."
  98. use SE linux by Anonymous Coward · · Score: 0

    I believe security enhanced linux, created by the NSA, is an ideal technology which ought to be integrated into Linus's kernel.

  99. Some thing I learned in software engineering by Anonymous Coward · · Score: 0

    You might be interested by these reads:

    www.ieee.org
    www.swebok.org

    both are links to organisations that define what software quality is. In those, you should find metrics to evaluate whatever quality you're looking for (security included).

  100. Nobody has mentioned CERT or Bugtraq? by Anonymous Coward · · Score: 0

    CMU's CERT organization can help with certain flavours of Unix (maybe Windows) with an emphasis on data center computers (e.g. ftp or web servers) as opposed to command and control computing (like ships at sea). www.cert.org.

    Also of use to Windows admins and similar folk is bugtraq at apparently a new URL. Ahoy and good luck.

  101. software fault tolerance, and other possible stuff by Anonymous Coward · · Score: 1, Informative

    I think a large part of evaluating this topic would be software fault-tolerance. Mostly, I think that the methods in this area are full of crap, and there are some papers out there to back me up. Search for papers by Leveson for the naysayers and Avizeinis for the proponents. These are papers describing methods of developing fault tolerant software systems. I think you would like to say that a software system that will keep running in adverse conditions is better than one that won't. Hardware fault tolerance is much better in the reliability area, and N-way redundancy makes more sense there, since you're protecting against faults other than design faults. Software's problems are design faults, and so the fault is likely to be replicated N-times. A good book on this topic, extremely technical in nature, is edited by M. R. Lyu: "Software Fault Tolerance".

    The FAA method is probably better in general. Test EVERY line, full call path, every branch etc. It's a real pain and makes software SUPER expensive. I think tools like Ballista would be a big help, if people used them. But then you still have to test against a well defined spec; and I would love to see one of those for the software that I write....

    I would hope that you have the leverage to increase the use and methods of tools like Ballista and maybe make passing an independent test get a better discount on insurance. It appears that there are some good links already, but the Software Engineering Institute at CMU does research in this area, mostly for US DoD, but I'm sure they have lots of lofty ideas, if not good practice. HP and IBM have also done some interesting work, but it's been a while since I was looking into this topic.

  102. Guidelines for writing secure programs (HOWTO) by dwheeler · · Score: 2, Informative

    You might find my Secure Programming for Linux and Unix HOWTO useful. It's a set of guidelines for writing secure programs, including writing web applications, clients, viewers (including word processors), setuid/setgid programs, and so on. It's focused on Linux and Unix, but most of the general principles apply to all systems.

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
  103. Several Criteria by MattGWU · · Score: 1

    *NITSCAP
    *DITSCAP
    *Common Criteria
    *FIPS 102 Not to mention all the other FIPS criteria, esp. regarding crypto and PKI.
    *NIAP (Information Systems Certification Procedures and Assessment Scheme)
    *A Plethora Of Schema and Policy
    *Ye Olde Rainbow Series
    *MIT GASSP [warning, .doc file]

    And these are just US criteria...other nations have their own. These are becoming very important, if typical job requirements on security-jobs lists are any indication. Need a BS, a clearance, and 5 years practical experience in everything from LAN wiring, vulnerability finding and exploit production, penetration testing, firewalls and IDS, to the evaluation and application of these federal criteria, and everything in between. And that will get you an entry level position!

    --
    "These people look deep within my soul and assign me a number based on the order in which I joined" --Homer re:
  104. Heh heh heh. by Venomous+Louse · · Score: 0

    Um, yeah, whatever. The regime now in power in Iraq has a long history of a) launching wars of conquest against its neighbors in cases where it was not threatened in any way at all; b) using chemical weapons against its own citizens (hello?!) c) devoting considerable effort to expanding its chemical and biological arsenals and developing a nuclear arsenal as well.

    Them's called "facts", son. The European approach is to hide one's head in the sand until it's too late, and then wring one's hands and whimper about "international law". The US approach is to kill the problem while it's small. The US approach saves lives. The European approach cares nothing for lives. All Europe cares about is short-term convenience.

    The European mentality killed tens of thousands of civilians in the Balkans in the past decade, and millions -- literally millions -- of civilians during the second world war. The United States cleaned up their mess in both cases, at great cost to ourselves. What thanks do we get? No thanks at all, as it turns out. The Europeans aren't just helpless children; they're insolent and ungrateful as well.

    Letting Europeans run around loose with their own countries is lunacy. They can't handle the responsibility.

    --
    "Christianity neither is, nor ever was a part of the common law." --
  105. Your answer in your text by jet_silver · · Score: 1

    This would not happen if the crew were paying attention to their job, but this ship had serious morale problems

    Seaworthiness therefore depends in part on the crew. This is common sense. Is it taken into account in your ratings?

    It's the same with computer systems. Asking a person, who might or might not know his job, to set up a ship's computer system on any particular OS will produce widely varying reliability results. If you were to do a very careful FMECA (failure modes, effects and criticality analysis) and iterate the design of a ship's computer you would probably find that a simple system designed to do the job was the right thing to use. Using a general-purpose computer for anything connected to navigation seems to be a definite request for a screwing.

    Ever since Buckley's "Overdrive", where he used (and bragged about using) an HP-65 calculator to do his sight reductions, I have been very concerned about the idea that people are depending on electronics to do their navigation. Sounds as though the watch officer(s) were actionably slack in this case, if they weren't conscious of the quality of their fixes.

    I believe you are asking the wrong question here. Perhaps what it is you need to know is "how well are computers integrated into ship's management, and how dire are the consequences of failure?" A job like this done well is probably nearly invariant with OS, but this job is bound to be done poorly in a lot of cases. That's why I suggest FMECA and a safety-based, rather than OS-based, review of critical systems.

  106. the low down by SpacePunk · · Score: 2

    OK, first off if you're looking primarily from an insurance standpoint any number of criteria can be used.

    Since the computers are in a marine environment are they resistant to (salt)water?

    Is there a knowledgeable computer tech on board, and what are his additional duties? Is he/she there to make sure the computer system stays online or is he/she also cleaning out shitters?

    One computer system is much like the other, much as one OS is much like the other. Both Linux and Windows (pick your version) have their bugs, and will the particular bugs have an effect on the operation?

    In any operation there ideally should be enough spare parts around that you could build another complete unit if needed, but there's never an ideal situation.

    The list could go on and on and on, but there are a few major points...

    1) environment
    2) support personnel
    3) inventory
    4) access

    Most here will be talking from an electronic security aspect, but on a ship the major focus should be physical security.

  107. Look at areas where software is safe by wiswaud · · Score: 1

    Looking at space station software (i work in the operations group for the MSS - but this is a personal opinion, not engaging anyone else), there are signs of things that should be done by anyone claiming to be writing safe software:

    - Clear methodology: the system is completely specified, and software requirements then flow from that. Requirements are inspected by a team of people and are detailed. Validation test specification tokens flow from the requirements. Each requirement will be tested. The validation specs are written. Only then can software be written, along with test equipment software. The software itself must be configuration controlled. Once baselined, the software can't be changed other than with the writing of software non-conformances (SNC: it says "oops, this function doesn't quite conform to its spec") or software enhancements (SE: it would be nice if it did this). In other words, the flow is controlled and you can't just hack the code: each piece of code flows from design specs to requirements to code, and in parallel from req'ts to validation spec to test results and documentation.

    - Clear documentation: design docs, software specs that relate to system requirements, test specs, test reports that clearly trace each requirement through and show they've all been satisfied and all work, etc.

    - The test systems themselves need to follow the same methodology

    Basically, i don't think you can use criteria like "uses UNIX, uses good lib, etc". You need to see if everything has been thought out, everything has been validated, nothing's bloated. I'd say language of implementation would figure into this as well, but if you do it right, you can write very safe code in c; it's just that you might find more errors in testing than in building, which is not the case with Ada. Traceability is a huge part. Preventing disasters is one thing; making sure every little glitch can be traced back and fixed is another. If that software has excellent design, requirements and test traces that are configuration-controlled, and has good, documented methodologies, you're still not assured there won't be any faults (there can still be discrepancies in the requirements, for example), but you know they'll be able to find the root of the problems that might pop up.

  108. Or just stop using C by Anonymous Coward · · Score: 0

    If people started writing more stuff in 'modern' languages, buffer overflows would be virtually non-existent...

    1. Re:Or just stop using C by thogard · · Score: 1

      And then you have bloat issues.

      Take sendmail for example. Most of the exploits over the last 15 years have been a result of
      1) external programs causing problems
      2) operating system bugs
      3) trusted interfaces that were wrong
      The core isn't the problem, it's all the other fluff on top of it.
      The same could be said for ISS and even Win NT.

  109. Talk to the security / safety experts by Anonymous Coward · · Score: 1, Informative

    Start with:

    Bruce Schneier at Counterpane Systems

    Ross Anderson at Cambridge

    and especially: Nancy Leveson at MIT

    A google search will generate contact information. Good luck!

  110. Dead Reckoning by Webmoth · · Score: 2

    It's been pointed out that ships whose absolute-position navigation systems (GPS, LORAN, radar, etc.) conk out depend on dead reckoning: determining position based on speed and initial course.

    It occurred to me that this is the way software purchases are too often made: rather than determining exactly what is needed, purchases are based on what's already there and how fast development has proceeded. It seems like people buy the newest version not because they need it, but because it's available. Most users I know would be doing just fine with Word 97, (heck, most of them would do great with WordPerfect 6 for DOS) but they have upgraded to Word 2000 then Word XP because it's there. (I used to use WP6/DOS extensively, and it NEVER crashed on me.)

    If Microsoft spent more effort making Word 2000 and Windows 98 more stable than succumbing to feature creep, the world would be a better place.

    If people wouldn't upgrade for the sake of upgrading, they could demand that future software versions be compatible with older versions: a document in Word XP should be openable in Word 1.0.

    --
    Give me my freedom, and I'll take care of my own security, thank you.
  111. Just use Oracle software by RichardBurns · · Score: 1

    that way you don't have to do any testing because you know it's Unbreakable :)

  112. Quit promoting that stupid myth by sheldon · · Score: 2

    Go back, reread the articles, put on your critical thinking cap and try to explain to yourself what must have happened.

    The article talks about a software problem, not an OS problem.

    1. Re:Quit promoting that stupid myth by Anonymous Coward · · Score: 0

      A divide by zero error within SQL Server that ended up locking the entire NT domain, if I remember. Given Microsoft's penchant for rolling every piece of software they design into their OSes at *some* level, I'd call this one a (so to speak) wash.

    2. Re:Quit promoting that stupid myth by sheldon · · Score: 2

      You remember incorrectly, or rather you have a preconceived concept that you want the article to say and are filling in facts to try to get to that point.

      The article is really quite vague, but anybody with a remote amount of intelligence and experience with systems design can see that they were talking about a custom application written by the consulting firm that runs on top of the OS and the database.

      i.e. some bad data got entered into the database, and this app didn't know how to fail gracefully.

  113. The issue is SAFETY, not SECURITY by Webmoth · · Score: 3, Insightful

    Many people have brought up the SECURITY question here, myself included. But the issue is SAFETY.

    SECURITY asks, will the lock keep out intruders?
    SAFETY asks, will the lock allow personnel to pass quickly in the event of an emergency?

    SECURITY asks, will the window resist breaking in an intrusion attempt?
    SAFETY asks, will the window resist breaking if accidentally impacted? Can the window be used as an egress in an emergency? If the window breaks, will the fractured glass cause injury?

    SECURITY asks, can intruders compromise the ship's navigation or control systems?
    SAFETY asks, will failure or compromise of the navigation or control systems have a negative impact on life or property?

    SECURITY asks, does the system have permission to perform task A while being restricted from performing task B?
    SAFETY asks, are the navigation or control systems able to do the specified job in the specified manner?

    SECURITY asks, how will access be controlled in the event of a system failure or compromise?
    SAFETY asks, how will catastrophic failure be prevented in the event of a single system failure or compromise?

    Hopefully, these questions will give you an idea of the kinds of questions a computer systems safety panel would be responsible for answering. Security is concerned with authority, which is NOT the question here. Safety is concerned with protecting the life and health of personnel and the physical integrity of assets.

    That being said, Michael should go back and revise the headline to read "Computer SAFETY Criteria."

    --
    Give me my freedom, and I'll take care of my own security, thank you.
  114. Right: Vichy France became Hitler's friend by Venomous+Louse · · Score: 0

    Wow, that's a pretty good strategy you guys got there: Surrender and become a client/dependency of a dictatorship. There's a lot of future in that! Let's not forget that "older and wiser" statesman Vidkun Quisling, either.

    Back when China was allegedly laughing at your efforts, they weren't laughing very hard. Why not? Because they had been colonized, humiliated, brutalized, and robbed blind by European powers. How did that happen? I'll tell you: They had that precious attitude that Europe has now. But they learned their lesson. Try invading China now and see what you get. They're on the road to recovery, God bless 'em.

    "Violence doesn't solve anything", you say? Violence "solved" Hitler pretty thoroughly, as I recall. It also solved the massacres in Serbia. Ask a few surviving Balkan Muslims whether they'd prefer to have been killed, or to have a few Serbs bombed into the stone age. I bet you they're pretty satisfied to be alive and to have Milosevic's evil bastards dead instead.

    There are two solutions to a war: Winning, and losing. Losing is a shitty option, and winning requires violence. That's life. It's not "idealism". It's reality. You don't always get to choose not to be in a war. Kuwait didn't get to choose not to be in a war with Iraq. Czechoslovakia, Poland, and France didn't get to choose not to be in a war with Germany.

    "Today's enemy is a friend tomorrow?" Let's focus real hard and remember the peace that France and England dictated at the end of WWI -- and the peace the USA dictated at the end of WWII. Your punitive madness led to another war. Our generous terms made permanent friends and allies out of our old enemies. Don't try to teach Grandpa to chew cheese, Junior.

    --
    "Christianity neither is, nor ever was a part of the common law." --
  115. Most[ly] secure by Anonymous Coward · · Score: 0

    "Use lots of encryption ... Encrypt all communications (ESP networking) and make sure you have double and triple safeguards."

    But use encryption carefully! Encryption systems don't just use algorithms, they use protocols, and many a system using secure algorithms has been taken down because the entire protocol was poorly thought out and implemented. In fact, overuse of encryption can actually make systems easier to break.

    Again, KISS.

    -Baka!

    1. Re:Most[ly] secure by Geekboy(Wizard) · · Score: 1

      Yes. I mentioned (sorta) that in my post. Watch the theoreticals. Be paranoid, but rational, at the same time. ;-)

      Also, what does "Baka" mean? I've seen it places, but it bugs me that I dont get it.

  116. You're both RIGHT, but for the WRONG reasons by Anonymous Coward · · Score: 0

    First of all, none of this applies to MacOS X, which has all the virtues and flaws (plus some on both sides) of BSD.

    But ... the "classic" Mac environment was in many ways more secure, because it was considerably less flexible than *nix or even NT. No remote login, no useful scripting or programming environments: not much, in fact, of anything at all. It might decide to crash every fifteen minutes, but it was also secure in the sense that a door without a handle is secure.

  117. safety critical systems by colinmc · · Score: 2, Informative

    There has been a lot of work on establishing standards for safety critical systems. search google or try http://www.afm.sbu.ac.uk/safety/ as a start

  118. Do some actuarial analysis by wfrp01 · · Score: 2

    Everyone's saying "it should be designed like such and so" and "keep it out of the water" (duh) and so on. That's all well and good, but the question here is about measurement. You've got your theories, you've implemented them, now how do you decide whether they hold up?

    The only way I can think of is to do some good old fashioned actuarial analysis. It's a lot of work and a lot of time, but basically answering this question involves (1) collecting gobs of data and (2) analysing it. As well intentioned, well-researched, and sensible as the rest of the front end design advice might be, it's basically a lot of handwaving. It's about where the rubber hits the road, not a theoretical discussion about what chemicals should be used to make tires.

    --

    --Lawrence Lessig for Congress!
  119. These are the same issues as the Industral Sector by mprindle · · Score: 1

    I work on computer systems for the Industrial sector. The systems I work on control petrochem plants and refineries. These applications are very critical because if the systems fail then a plant could blow up and no I'm not joking.

    In most of our applications we currently use Windows NT. The reason for using NT is that it is a pretty stable platform, as far as Microsoft goes, and for security it is great.

    The Networks for the systems are totally isolated. The only connection to the outside world might be a router that is really locked down that only allows certain 'safe' machines to get through. Most of the time these machines are used to back up the data or to pull data out for historical or corp use.

    That being said I would definitely look at redundant systems. Basically a system that keeps a copy of what is going on in the master machine so if it does crash the backup can take over. This can also be applied to the GPS. Have redundant GPS setups and have the antenna located in two different locations.

    As for the Software, restrict the access to the machine to ONLY the people that need to use it. Setup NT to be a captured account and restrict that account so no one can do any installations unless they can login as an admin. That way you don't have Joe hand coming in and installing his new game to give it a play and in the process overwriting a critical .dll that crashes the application that is running the ship's systems.

    Also the standard antivirus software. It still amazes me how many people do not run antivirus software on their servers. All it takes is one person not paying attention to pop in a diskette and bam ur infected. This is definitely not good for a critical system.

    So in summary:
    - Lock down the systems to allow ONLY those ppl access that need it
    - Redundancy, Redundancy, and Redundancy
    - Last, Antivirus software to catch those ones that might slip through.

    M. Prindle

  120. The Basic Problem by gweihir · · Score: 2
    ... is that in ordinary engineering testing works better and that most mechanical engineering practices are well established. Furthermore the components ships are made of (except the software) are well understood and often have been tested and verified for hundreds of years.

    Software is different in three regards.
    1. It is one of the hardest disciplines known to man, together with creating mathematical theory and probably genetic engineering.
    2. In physical engineering you have tolerances. Often systems only fail if some component is close to a tolerance border or a substandard component was used. This does two things: You get a slightly different set of test parameters for every system deployed and doing redundancy is very easy and trivially added, as the tolerances usually are not all at the lower limit. With software you always get exactly the same system, no inherent redundancy and no slightly different test environment for every system.
    3. Software engineering is a young discipline. I have serious doubts that it is far advanced enough at the moment to really have quality criteria that can serve as a solid basis for risk management. So the only thing you get is the gut-feeling of knowledgeable people. Far better than nothing, but in my opinion a lot of the practical use of computers in critical systems is just one gigantic experiment. The adoption is far too fast from any sane engineering viewpoint.

    I think this will change drastically as soon as software makers start to have real liability for the products they sold (free software is a separate issue), like other engineers do. Then it might just happen that you will not find anybody willing to do software where their feeling tells them the art is not advanced far enough. And software production will be slower and more careful. And even more important those that fail repeatedly will have to leave the business!
    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
  121. Re:Most secure web server by gweihir · · Score: 2

    Wrong. Use Linux with Solaris as fallback or the other way round. These systems are compatible with each other and you can use one as a backup for the other.

    Maybe use both with a hard-coded failover or a combined system where both OSes have to be successfully hacked in order to compromise the system. Depends on what kind of security you need.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
  122. Re:Most secure [TANGENT] by gweihir · · Score: 2

    I never said that OpenBSD has no exploits. What I'm saying, is that they have the least amount of them. You can install it out of the box, and as long as you pick a decent root password, you can leave it plugged in, and stay safe for quite a while.

    I am quite willing to spend the extra time to secure my Linux system in order to get better driver support. Not everybody is able to do this though. These people should carefully consider whether to use OpenBSD or pay a Linux expert to secure their installation. Or whether to use another Unix(-like) system. If you don't need the better drivers, OpenBSD should be a very good choice.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
  123. You *can* hack what you don't know about! by leonbrooks · · Score: 2
    You cannot hack what you don't know about.

    Yes, you can. Your Windows box can randomly throw 'sploits at a box you don't know exists until it finds one the admin didn't patch or didn't know about. Often, you don't know your Windows box is doing this, because you don't know that it's been thoroughly zombied.

    One-of-a-kinds generally don't help as much as you might think because what you gain in obscurity you lose in maturity (ie, some script kiddie stuff will still work because the author made the same mistakes that were found and removed from Apache years ago).
    --
    Got time? Spend some of it coding or testing
  124. Become the majority of a minority by leonbrooks · · Score: 2
    Answer: Mac because it is the least available operating system and as such fewer attacks have been created for it, even if there are hypothetically more bugs.

    There are at least two huge flaws in this; firstly, a generic attack (or a manual followup to a generic probe) is more likely to work, and secondly the hack-attack numbers reflect a smaller population, not necessarily a smaller proportion of a population. It's a great comfort to know that you're unique as you sit there looking at your Mac server full of zeroes.

    If I wanted to take advantage of the features advocated by the lecturer, I'd use something like Roxen on Linux on a MIPS box, chrooted and as far as possible readonly (chown/chmod then chattr +i then remove the chattr binary, and if possible also mount -o ro).
    --
    Got time? Spend some of it coding or testing
  125. Re:Most secure web server by Anonymous Coward · · Score: 0

    Mac has a really HIGH rating, but is poor in performance. OS-10 is better than OS-9 obviously.

    Webstar is very very good as far as security goes (Under os-9)

    But I'm told there are some plugins that can be exploited. Don't recall which ones.

    Of course OpenBSD is also very good.

  126. THAT came from YOU!! by Anonymous Coward · · Score: 0

    and you should know better there josh.....

  127. There are some safety standards by zlooj · · Score: 3, Interesting

    IEC 61508: "Functional safety of electrical/electronic/programmable electronic safety-related systems".
    This standard, which also applies to software (see 61508-3: Software requirements), defines some very stringent requirements for systems that have anything to do with safety, i.e. where a failure of the system could endanger life.
    See the IEC's website for more...

  128. P-lease by Ratso+Baggins · · Score: 1
    this is just obscurity-security which is none at all really...

    As for the "mission critical" nature of such a box; I ask all you experienced, multi-platform administrators out there would you rely on a mac that was actually being used for something (ie: not just sitting there, on) in a life or death situation?

    --

    --
    "we live in a post-ideological world..." - Billy Bragg.

  129. Re:Most secure web server by Glorat · · Score: 2

    Yeesh... not sure what the mods are doing, modding me up. It wasn't meant to be a serious post, nor was it a serious gesture by my lecturer.

    The point I was trying to make (and my lecturer too I imagine - I slept thru much of it) is that the incidence of problems is not purely a function of "security" but also a function of "attack likelihood". Of course these are dynamic variables and aren't even completely independent variables but they do illustrate a point.

    If you are going to measure security, do you measure it by "measuring" empirical results to form your conclusion or do you go into the black art of measuring security by non-empirical means like how many holes you "think" there are.

    That's the serious point that *I* wanted to make. And if my parent miraculously got an overrated moderation count, this deserves a (+1) insightful =P
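    The measurement question raised in this post, together with the actuarial-analysis post (118) and the "smaller population, not necessarily a smaller proportion" point in post 124, comes down to normalising incident counts by exposure and knowing when the sample is too small to say anything. The following is an added example, not code from any of those posters; the platform names and incident figures are constructed, and the reliability threshold (relative standard error of a Poisson count is 1/sqrt(k), so at least 100 incidents for 10% or better) is an assumption chosen for the illustration.

```python
"""Exposure-normalised incident rates from constructed observation data (added example)."""
import math

# Constructed observations: deployed hosts and incidents over the same period.
# Platform C has the fewest incidents in absolute terms, A the lowest rate.
OBSERVATIONS = {
    "platform_A": {"hosts": 2_000_000, "incidents": 4000},
    "platform_B": {"hosts": 50_000, "incidents": 300},
    "platform_C": {"hosts": 800, "incidents": 2},
}

# Assumed threshold: with k Poisson-distributed incidents the relative
# standard error is 1/sqrt(k); k >= 100 keeps it at or below 10%.
MIN_INCIDENTS_FOR_ESTIMATE = 100


def rate_per_thousand(hosts, incidents):
    """Incidents per 1000 deployed hosts, i.e. the proportion not the count."""
    return 1000.0 * incidents / hosts


def relative_std_error(incidents):
    """Relative standard error of a Poisson count; infinite when nothing was observed."""
    return float("inf") if incidents == 0 else 1.0 / math.sqrt(incidents)


def expected_incidents(hosts, p_attacked, p_compromised_given_attack):
    """The post's two-factor model: incidence depends on attack likelihood
    as well as on how often an attack succeeds (the 'security' factor)."""
    return hosts * p_attacked * p_compromised_given_attack


def summarize(observations):
    """Rank platforms by rate and flag estimates the data cannot support."""
    rows = []
    for name, obs in observations.items():
        k = obs["incidents"]
        rows.append({
            "platform": name,
            "incidents": k,
            "rate_per_1000": rate_per_thousand(obs["hosts"], k),
            "rel_std_error": relative_std_error(k),
            "reliable": k >= MIN_INCIDENTS_FOR_ESTIMATE,
        })
    rows.sort(key=lambda r: r["rate_per_1000"])
    return rows


def fewest_incidents(observations):
    return min(observations, key=lambda n: observations[n]["incidents"])


def lowest_reliable_rate(observations):
    """Best platform among those with enough data to estimate a rate."""
    candidates = [r for r in summarize(observations) if r["reliable"]]
    return candidates[0]["platform"] if candidates else None


if __name__ == "__main__":
    for row in summarize(OBSERVATIONS):
        print(f"{row['platform']:11} {row['incidents']:5d} incidents  "
              f"{row['rate_per_1000']:.2f}/1000 hosts  "
              f"rel. SE {row['rel_std_error']:.3f}  reliable={row['reliable']}")
    print("fewest incidents:", fewest_incidents(OBSERVATIONS))
    print("lowest reliable rate:", lowest_reliable_rate(OBSERVATIONS))
```

    On the constructed data platform C has the fewest incidents but far too few to estimate anything, platform B has fewer incidents than A yet three times A's rate, and only A and B have enough observations to rank at all; that is the difference between counting attacks and measuring a proportion.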

  130. Re:common criterea? protection profiles? by FireWhenRady · · Score: 1

    The problem with the Rainbow series was that things that reached the A1 level were so secure that very little useful work could be done on them. A number of years ago I was involved in creating a secure computer room/system for a defense establishment. It had Tempest rated walls (Faraday cage, lead lined), no networking, mandatory access controls on all users and objects etc. At first there were a large number of systems running on it. Then someone decided that "we need to share data and it isn't REALLY that necessary to have MAC" on one system. Then another... In about a year and a half, there were only a couple of systems using that room. Part of security is availability as well as security. The Rainbow series guaranteed confidentiality but availability lost out. Companies will go into security when there is more money to make being secure than being feature-laden. And that will only happen when somebody gets sued for $1/2 billion for letting private information be lost for lack of controls. Then there will be an Underwriters Lab for software, because the demand will be there to show that your system is secure. Another CISSP.

  131. That's not my experience by Goonie · · Score: 2
    We had a 35-foot sport fishing boat with a dedicated chart plotter (a much simpler and more reliable device than a PC), and there's no way we'd leave port without a set of paper charts as well. Aside from anything else, what if the system breaks?

    Given the cost and reliability of paper charts, it would seem highly imprudent not to take at least a set of the most crucial ones.

    Of course, for intercontinental shipping charts aren't terribly useful for most of the trip, though.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
  132. Critical systems should be physically secured by xixax · · Score: 2
    The ship also has access to email (and consequently attachments) at sea via Immersat satellite software + (uhh-ohh) Microsoft Outlook. If a member of the ship's crew were to open an email attachment apparently from the office, which was in fact a virus, and the network security was not up to scratch, it may have the capacity to shut down not only the ship's main course plotting software (sending them to backup paper charts), but to disturb the monitoring of oil/ballast on & off the ship in the dock.

    That would be bad design. Systems controlling critical functions should be physically secured and certainly not anywhere near *any* kind of wider network access, least of all Outlook.

    It boils down to criteria listed in several posts here already. There's no point in having the best, most secure OS if you leave it with a floppy drive, unattended root logins, Outlook, NFS exports. Since PCs are so cheap, why risk so much to save maybe $2,000 per PC?

    Xix.

    --
    "Everything is adjustable, provided you have the right tools"
    1. Re:Critical systems should be physically secured by mpe · · Score: 2

      That would be bad design. Systems controlling critical functions should be physically secured and certainly not anywhere near *any* kind of wider network access, least of all Outlook.

      Also the system probably shouldn't be running under any general purpose OS in the first place. Which means that Windows may well be out because you can't easily remove all the baggage from it. Open Source is much safer, since you can restrict it to doing only what it needs to do.

  133. Have you tried: by cheeseflan · · Score: 2, Interesting

    Have you tried British Standard BS7799? I think it has been turned into an ISO standard (or is underway). It defines how to turn your organisation into a secure/reliable environment - and more importantly how to prove that it is. It takes into account the fact that systems change, and that they are not reliable - and helps you work around/knock down the risks to a level you are comfortable with. It is used mainly for companies - but I don't see why it couldn't be used for any organisation (read: ship-board network/control system). In fact, get in touch with them on http://www.bsi-global.com and see if they would be interested in defining a sea-borne computing standard (they do that kind of thing with private firms as long as the standard becomes public domain...).

    Alternatively, call a manufacturing network supplier. Think about the kind of reliability that Ford or GM requires on the assembly line - they don't allow any crashes! (har har har) There are (as usual) several competing standards which could be converted to nautical use.

    --

    Pimping my Karma Whore since 1847.

  134. ULTIMATE LIFE-SAVER-SOFTWARE by Anonymous Coward · · Score: 1, Funny

    We are at the moment working on the ULTIMATE-LIFE-SAVER-SOFTWARE (TM). Now we're finalizing the alpha readiness tests, and are about to release the Beta-version.

    The system works by estimating the user's remaining life-expectancy-rate, and interferes when there's 3ms left, saving the user's life.

    This system is to be sold on a license-by-save basis, meaning that each time a save has been made; the user must buy another license at a new price. Different packages can be bought depending on the users need. The Nine-life package is expected to become particularly popular, and will be the "flag-ship" of our company. The price scheme will be customized to fit any profession or region of the world.

    Software/hardware requirements:

    - 500MHz P3 CPU
    - 512 Mb RAM
    - 40 Gb SCSI HD
    - Windows 98
    - RS232 port.

    We will soon offer a half-price two-life license of the beta package, for users that are willing to report bugs, and help out with our beta-tests.

    This is not an open-source project and the company does not accept liability for any direct or indirect damage caused by this software.

    Enjoy!

    hElDlik

  135. Poor, poor CmdrTaco by Anonymous Coward · · Score: 0

    You can't troll worth a shit these days.

  136. You are a moron by greenrd · · Score: 1
    With respect, you are a moron. Mac OS pre OS X does not have any security! No concept of users or permissions. All executable code can delete and corrupt any and all files, AFAIK.

    You also most likely have no clue what an overflow bug is. An overflow bug gives you the ability to execute rogue executable code. With said code you can delete and corrupt files. Period.

  137. Computer Security Criteria by bul · · Score: 3, Interesting

    Computers for main functions (propulsion, steering, cargo) in a ship have been in use since the mid seventies, and although lagging somewhat behind in the beginning when it came to Rule coverage, all major Shipping Classification Societies today have Rules which cover the above use of computers onboard ships. This relates both to hardware and software. E.g. for DNV (Det Norske Veritas) see Rules Pt.4 Ch.9 (Instrumentation and Automation) Sec.4. This is 2,5 pages of what experience has taught us are the most important aspects concerning computers onboard. However, everything else in Pt.4 Ch.9 concerns computers as well as other technology platforms; the Rules are written to be as technology independent as possible. The gradual increase, due to expense considerations, in the use of PCs as workstations is something we haven't taken lightly. The hardware needs to prove itself by going through environmental/EMC testing (See Rules Pt.4. Ch.9 Sec.5 and Standards for Certification 2.4), and the software is tested by Approval Test of Application Software, where normal operation as well as reaction to the most probable system failures are tested. Admittedly the first Windows versions were not secure, but today's versions are mostly acceptable, that is if you know which precautions to take. Of great concern are young eager software designers who haven't learned their lessons and read necessary safety documentation before diving into the design phase. It seems DNV as a Classification Society has a similar problem. We would not object if you do some more homework and then revert with your findings! By the way, DNV does have a group working with software analysis as well; as far as I know they are mostly used in the consulting role, for manufacturers developing extremely safety critical systems.
    One last piece of information: DNV consists of 5400 individuals spread all around the world, all trying their best to fulfil our intentions of keeping our customers on the right track with regard to safety matters.

  138. Re:Most secure web server by mpe · · Score: 2

    Design of ship control systems is a real time control problem. As such it is not an application for which 'Linux' is a solution, you have to be much more precise and specify exactly which real-time enhanced Linux you are considering. It would also kinda help to actually specify the problems to be addressed.

    Also it may well matter quite a bit if the ship in question is a supertanker, aircraft carrier, bulk carrier, destroyer, liner, ferry, etc.

  139. Read this first ... by Zero__Kelvin · · Score: 3, Informative

    Bruce Schneier's Secrets and Lies : Digital Security in a Networked World. Many of your questions will be answered, and you will walk away from the reading with much better questions.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  140. Re:looses by k8to · · Score: 2

    Try 'loses'.

    --
    -josh
  141. hotmail? by twitter · · Score: 2
    , hotmail which runs IIS on windows

    No, I did not know that. I thought they still ran on BSD, that all efforts to port had failed and that they put a few win2k machines up front. Eh, what do I know?

    Hotmail Hacked Go team!

    Hotmail still using non-microshit software last summer Oh yeah, at least one of the posters there notes that NT code has lots of BSD in it too. Fanboys like you know that, don't you?
    the start of their effort, summer of 2000 Don't look like it happened does it?

    Oh well, it's silly to talk to trolls. I like the graph of Hotmail's uptime. It looks like they figured out how to load balance hide their individual machine's poor performance last summer. Since their switch from BSD and solaris (which billgates still uses for his own site) their best uptime was 66 days or so, ptttthfit. You might have a look at Netcraft's good uptime page to see where your mighty 115 day spree really sits. Hint, multiply times ten to get real uptimes that free code provides!

    --

    Friends don't help friends install M$ junk.

  142. Re:Most secure web server by Anonymous Coward · · Score: 0

    Well, considering that MacOS X is running the exact same remotely accessible software packages that you would run on Linux, Solaris or whatever (OpenSSH, Apache) when used as a web server, you'd probably have the exact same bugs in both.

    Modulo kernel bugs (which seldom allow remote root exploits, generally they make systems vulnerable to denial of service attacks) and differences in other remote services enabled in the system.

    MacOS X is fairly secure by default, you even have to enable sshd and httpd (apache) explicitly. Like many other modern BSD systems, inetd is enabled but /etc/inetd.conf has everything commented out.

  143. Re:Criteria (check out www.cisecurity.org) by eludom · · Score: 1

    In particular, go see the Benchmarks and testing tools published by the Center for Internet Security

    http://www.cisecurity.org

    They have benchmarks (essentially Minimum Security Baselines or Current Best Practice type documents) for NT/2000, Solaris, Cisco IOS and others in progress. Each Benchmark comes with a tool for checking compliance.