Slashdot Mirror


Intrusion Tolerance - Security's Next Big Thing?

An anonymous reader writes "DARPA's OASIS program consists of more than 20 research projects in intrusion-tolerant systems. The basic idea is to concede that systems will be penetrated by malware and hackers, but to keep operating anyway. Other projects take a wide variety of technical approaches to providing intrusion tolerance. MIT's Automatic Trust Management uses models of trust to choose from a variety of ways to achieve system goals; Duke/MCNC's SITAR (Scalable Intrusion Tolerant Architecture) adapts tricks from fault-tolerant systems and distributes decision-making; BBN-Illinois-Maryland-Boeing's ITUA employs unpredictable adaptation. Shutting down the military while waging war is not an option, but the idea of continuing to operate critical defense systems even after known penetration by hostile hackers or damaging worms will take some getting used to."

170 comments

  1. BIological Systems by PktLoss · · Score: 5, Insightful

    I think it is great that something like this is being looked at. Every biological system on the planet works on the same principal, yes, the system will be attacked, keep functioniong, and attempt to regain controll.

    I think an interesting option for powerfull machines would be to 'fall on the sword' if complete failure was immenent.

    1. Re:BIological Systems by spudchucker · · Score: 0

      Does fall on the sword, mean launch all nukes?

    2. Re:BIological Systems by ceep · · Score: 5, Interesting
      The biological model is an interesting parallel, but we should also look at the failings of the biological model -- within your body, you are still a big monoculture, so once whatever foreign matter is in, it won't encounter anything radically new.

      Intrusion tolerance, IMO, is just a subset of fault tolerance -- something failed to let the intrusion happen. So how do you tolerate that sort of fault?

      1. reduce interdependency and single points of failure. If everything relies on the firewall box, and the firewall box goes down, then everything is down, even if everything else wasn't compromised. This is a failing of the biological model -- there are lots of lines of defense, but what happens when something goes straight for the heart? The brain? The spleen? A fault-tolerant system can't have a single point of failure.
      2. just say "no" to monoculture. This should be a given in redundancy and fault tolerance, but often isn't. So your firewall is a linux box, and it gets hacked, but that's OK because you have another firewall. Oh wait, it's a linux box too, so it will fail in the same manner. This is not good intrusion tolerance, because your intruder can duplicate his or her (or its) past actions -- more of the same probably won't even slow him/her/it down much.
      3. spread stuff around. This usually happens anyway because of load balancing, but couple this with #2 (reducing monoculture) and you'll really slow down an attacker, especially if you can make the separations transparent from the outside.
      4. be vigilant! There's no replacement for the human element; hire somebody (or a team of somebodies) to do nothing but spend all day logged in to critical machines and make sure that nothing out of the ordinary happens. This is another failing of many security models -- people think that they can replace people with machines, but machines are easy to fool -- well-trained people are harder to fool, and the combination of the two (since they are fooled in different ways, see #2) is a lot harder to get around.

      A good fault-tolerant system will have multiple layers that fail in totally different ways. This will thwart most automated attacks, since they tend to exploit a single, known vulnerability and won't be equipped to respond to another, totally different layer. If the layers are different enough (say a *nix-based firewall behind a Windows-based firewall), most attackers will be so thrown off that they will (at the very least) have to spend a significant amount of time trying to figure out what to do next. This buys you time to realize what's going on and stop it. Couple this with a very low interdependence, and an attacker can spend a lot of time breaking in to something that may be of little or no use to them.

      Intrusion tolerance? You betcha -- this acknowledges the fact that there's no such thing as failsafe security, but takes advantage of a wide variety of options, which won't fail similarly, to slow down attacks and give administrators time to see what's going on and stop it.

      Isn't this all obvious though? It seems like it when you read it, but the 4 concepts noted above are very often ignored (to varying degrees). Especially #2; this is the hardest because it means hiring a *nix geek and a Windows geek and a Cisco geek and maybe a couple of other ones as well, and no one wants to spend that kind of money. So instead, they get a guy or gal who only knows one system, so everything lives or dies on the failings of that system. Or even worse, they hire a whole team of guys and/or gals that all agree to use the same platform, for simplicity's sake. Bad! Bad! Remember the scale:

      More Secure...................Less Secure
      _________________________________________
      Less Convenient...........More Convenient


      Eh. Talking's easy...

      --
      eep
    3. Re:BIological Systems by Anonymous Coward · · Score: 0
      Fortunately, our systems continue to make sense of your message despite failures.

      principle
      control
      powerful

    4. Re:BIological Systems by rabidcow · · Score: 1

      Every biological system on the planet works on the same principal, yes, the system will be attacked, keep functioniong, and attempt to regain controll.

      Yes and no. An organism will sacrifice individual cells so that the rest may live on.

      Is the machine the organism or is it just a cell?

    5. Re:BIological Systems by corebreech · · Score: 4, Interesting
      It's a good analogy but it doesn't apply to individual machines.

      Think of your computer as a cell, and the network as the biological system.

      The network can continue running when infected, but not the cell. When the cell is infected, it dies (or worse).

      Ergo, I think intrusion tolerance is a meritless approach.

      I think an interesting option for powerfull machines would be to 'fall on the sword' if complete failure was immenent.
      This idea I like. Call this intrusion intolerance. Require the system to meet a comprehensive suite of invariant conditions, or cease operating. A much more practical and effective solution.
    6. Re:BIological Systems by that+_evil+_gleek · · Score: 2, Insightful

      "You are still a big monoculture, so once whatever foreign matter is in, it ..."
      No, I'm not. I have lots of various kinds of cells, arranged in tissues and organs... not a single culture. And if they need a culture, it can matter where they get it... it's not all the same. A few supporting reasons beyond text books, school, etc.: 1) Some diseases only affect certain tissues. 2) Organ transplants work. One of the failings of the biological model is extending it too far, to the point where it no longer applies. And one should realize the model may only map 1 way... Like:
      "once whatever foreign matter is in, it won't encounter anything radically new." Ahh, how about antibodies? Or sickle-cell. Might seem pretty radical if you're the germ.

      Or how about this? We are nowhere near the level of a real organic system.
      Cells to tissues to organs to organisms. Consider that the cells themselves can have "organs", mitochondria etc., nucleus etc. I think we're kidding ourselves.
      Personally I think if one wants to move toward something like , you'd need to break out of the compile model... Maybe make a hybrid of compiled and interpreted code, something that can be changed while the system is up, and therefore can be fixed, after an attack, while the system is running.

    7. Re:BIological Systems by SammyTheSnake · · Score: 1

      User Mode Linux (for example) provides some very useful barriers even within a 'cell'.

      1. Somebody hacks into your webserver, gets access to your webshite. Boo.

      2. Tries to extend his permissions to any other service on your machine, can't because he's stuck in a sandbox!

      easy :)

      (well, maybe not easy, but it's certainly not the end of the world when you get one entry to the cell hacked)

      Insert witty sig-like comment here -> ""

    8. Re:BIological Systems by j3110 · · Score: 1

      It's certainly got to be better than the bend over and take it like a machine method that this article seems to follow. Somehow I don't think a system is going to get much work done while it's being raped by some worm, if only for bandwidth reasons. Code signing is the only way to go for high security systems. Get a mathematically verifiable hashing algorithm that would require an exponential algorithm to crack, and require multiple keys from multiple people in charge to actually sign an executable before the hardware would actually let it pass under the PC (program counter) register. That should prevent arbitrary code from ever being executed. Now if you required signed data and connections, then you can spot breaches and roll back updates from those keys while still having a usable system, assuming it's something that can be rolled back (not a nuclear weapon). If you have the right key to launch a nuclear weapon, then something had to have gone wrong on the real world side of things, where you will be shot for even thinking about stealing launch codes for nuclear arms.

      Proper security can work. Sure there will be bugs in the software, but you better make sure that the hardware doesn't get all screwy, and you better guard the hardware physically as much as you do elsewise. If you are controlling nuclear weapons, you better put as many armed guards on the box that controls the nuclear weapons as the sum of all armed guards that you have guarding each item it controls.

      Best to implement two or more cleanroom implementations of the hardware so if one goofs, the other will kick in to actually have the computer "fall on the sword". It will be good to have them debug each other anyhow. Better be implemented on a tamper resistant CPU die so there is no cutting traces to avoid the security. Also you have to worry about the secrecy of both the private and public keys. It's only a matter of time before someone makes a quantum computer that will give you a private key from a public of a symmetric key encryption algorithm. Yep, it would be a lot of hard work, but it's possible to build a computer that is guaranteed to be hacker proof to a calculable degree. The conclusion though would have to be that it would be easier to steal three keys to cause armageddon than actually look for a loophole.

      --
      Karma Clown
    9. Re:BIological Systems by 10am-bedtime · · Score: 1

      that hybrid, son, is called lisp (at least by some ;-).

    10. Re:BIological Systems by Anonymous Coward · · Score: 0

      Very good point. Our own cells usually put out a "kill-me" flag when they discover they have been infected by a "bug" (i.e. virus/bacteria), and other cells emigrate there to compensate for their disposal. What would the analogy be in a network?

    11. Re:BIological Systems by Tony-A · · Score: 1

      Ergo, I think intrusion tolerance is a meritless approach.
      The way you get the larger system to be intrusion tolerant is to make the subsystems intrusion intolerant. The time to 'fall on the sword' isn't when complete failure is imminent, it's when it's working in the wrong direction.
      You can build reliable systems from unreliable components. Unfortunately the norm seems to be building unreliable systems from reliable components.

  2. Ed note : no, it isn't by Anonymous Coward · · Score: 4, Funny

    What to do when penetrated

    1) Remove all sources of power
    2) Incinerate the hard disk, RAM, motherboard and, most importantly, the sysadmin who was in charge of the box.
    3) Bury the ashes in a safe concrete cavern, do not touch for 1000 years.

    1. Re:Ed note : no, it isn't by Anonymous Coward · · Score: 2, Funny

      My wife calls my name when penetrated. Why can't my computer do that?

  3. "intrusion tolerance" by lingqi · · Score: 3, Funny

    upon hearing this, my first thought was the chatter-box prostitute from Bruce-Willis's "Last Man Standing."

    Somebody drag my mind out of the gutter please!

    --

    My life in the land of the rising sun.

    1. Re:"intrusion tolerance" by Squareball · · Score: 1

      My first thought was "how much of this TOLERANCE crap are we going to have to put up with?" ;)

    2. Re:"intrusion tolerance" by rushiferu · · Score: 1

      > upon hearing this, my first thought was the chatter-box prostitute from Bruce-Willis's "Last Man Standing."

      > Somebody drag my mind out of the gutter please!

      Then it would probably be better if you didn't read the previous thread about "What to do when penetrated".

  4. Obvious Question... by Anonymous Coward · · Score: 4, Interesting

    The obvious question is how did the hacker get there? These computers shouldn't even be connected to the internet. And if they're not, then there are more important things to worry about, such as why is there an agent from a different military operating on restricted computers.

    1. Re:Obvious Question... by Anonymous Coward · · Score: 0

      The obvious question is how did the hacker get there?

      That's what happens when you don't patch your shit. Commercial programmers are trying to get everything done for their money-grubbing corporate masters like good little capitalist slave labor whores, so while their profit driven rich-bitch PHBs scream to cut costs and save money, they do it by producing shoddy code.

    2. Re:Obvious Question... by Aadain2001 · · Score: 2, Interesting

      You're talking about the aftermath and cleanup of an intrusion, which is also very important. But the idea behind these systems is that they are serving critical functions that CAN NOT be turned off, such as in a hospital or during combat. Keep functioning and running and let the humans worry about the clean up.

      --
      Space for rent, inquire within
  5. Analogy by unixwin · · Score: 5, Interesting

    What has to be understood is that a compromised system, if part of a larger group of compromised and non-compromised systems, can have a lot of undesirable consequences. In a corporation network of say 150 servers, a couple of broken-in boxes serving as open relays, ftp/warez sites or just sniffing around do not necessarily have to bring the whole company down for a day; pulling the plug on them is always an option.

    However, if your servers/farms are crunching numbers for a satellite recon or are running a battlefield communication center, then you're not quite sure how it would behave. A lot of modelling and discussions will go on about this, but some of these problems (of data consistency) have already been handled previously in Computer Science... so it's not that big a deal.
    It will I guess be like one of those "decisions" a battlefield commander takes, of how much he trusts the intel he is getting and how he wishes to proceed and are the risks acceptable.
    Similarly the network/systems ppl will be making choices whether they can live with this intrusion or not...how best to handle it without stopping the grid.

    --
    -- everyones not everybody and neither is everybody like everyone.
    1. Re:Analogy by Idarubicin · · Score: 1
      It will I guess be like one of those "decisions" a battlefield commander takes, of how much he trusts the intel he is getting...

      That's why the smart commander avoids a hardware monoculture through the use of AMD boxen as well. In addition, fast AMD processors may be used in combat as incendiary devices.

      --
      ~Idarubicin
  6. That's what war is all about! by dtolton · · Score: 5, Interesting

    Shutting down the military while waging war is not an option, but the idea of continuing to operate critical defense systems even after known penetration by hostile hackers or damaging worms will take some getting used to."

    What, do they think the military goes home when someone gets killed or they find out there might be a spy? That's why our military security is completely segmented. The whole concept of need-to-know basis is the understanding that information will fall into the wrong hands; you just want to minimize how much information can fall into the wrong hands when someone or something is compromised. That computers, especially military computers, would follow this highly pragmatic principle shouldn't come as much of a surprise.

    --

    Doug Tolton

    "The destruction of a value which is, will not bring value to that which isn't." -John Galt
    1. Re:That's what war is all about! by sn00ker · · Score: 4, Insightful
      That's why our military security is completely segmented. The whole concept of need to know basis
      And, as with the military, if you compromise high enough up the chain you can do a WHOLE lot of damage. Senior military officials don't just have military drivers because of their rank - The drivers also have guns.
      There's a reason former US presidents get USSS protection for quite some time (now 10 years, formerly life) after leaving office - What they know remains highly prejudicial to national security after they go.

      The problem with computers is that you can force them to reveal everything they know without leaving them catatonic with drugs or physically destroyed - In theory, nobody would ever know.
      This biological concept of security needs to use the full biological model of sacrificial guards. The body repels invaders by sacrificing cells to attack the invader. A computer that merrily allows an intruder to work its way back through the network until they can read everything is no use.
      Maybe create switches that have fusible links on the network ports that can be destroyed with a command from within the network? Make the links cheap and easy to replace, so that it's not a major imposition to fix if someone does it maliciously or accidentally. A physically "down" network port is absolute security against a remote attacker, particularly when a computer only has a single NIC.

      --
      "God, root, what is difference?" - Pitr, userfriendly
    2. Re:That's what war is all about! by Daetrin · · Score: 4, Insightful
      This biological concept of security needs to use the full biological model of sacrificial guards. The body repels invaders by sacrificing cells to attack the invader. A computer that merrily allows an intruder to work its way back through the network until they can read everything is no use.

      I don't think the idea is that the computers will just ignore intrusions. At the very least, they'll notify a human operator that an intrusion has taken place while trying to continue normal functioning. If possible it will probably try to eliminate the intrusion.

      However, the first priority is to continue its primary functions. The military can't afford to have its communication grid or its airflight control or other items of such a crucial nature shut down in the middle of combat, not unless there's a backup ready to take over. (And do you trust a compromised machine to decide whether or not a backup system is available?)

      So the system continues to do its best to carry out its tasks while a human operator decides when and if the machine can be shut down and another swapped in to take its place, and coordinates any possible counter-hacking operations.

      If you want to fall back to a cold war/MAD mentality, here's a worst case scenario for you. Say that twenty years from now China launches an unexpected nuclear ICBM assault against the US. At the same time Chinese hackers attempt to infiltrate every known computer in NORAD and any SDI systems. Would you want the computers to automatically destroy themselves, thereby eliminating any chance of a timely defense or counterattack, or assume that the hackers haven't got full access and keep the computers going as long as possible since the other alternative is death?

      And if you're going for a MAD strategy, which of those two systems would you want your adversaries to know that you have?

      --
      This Space Intentionally Left Blank
    3. Re:That's what war is all about! by sn00ker · · Score: 2, Informative
      You'd probably get an Insightful mod from me, if I had mod points and hadn't already posted, but:
      If you want to fall back to a cold war/MAD mentality, here's a worst case scenario for you. Say that twenty years from now China launches an unexpected nuclear ICBM assault against the US. At the same time Chinese hackers attempt to infiltrate every known computer in NORAD and any SDI systems. Would you want the computers to automatically destroy themselves, thereby eliminating any chance of a timely defense or counterattack, or assume that the hackers haven't got full access and keep the computers going as long as possible since the other alternative is death?
      If missile control/defence networks operate through networks that could be attacked from China, then the US really does deserve the nuclear annihilation that would befall it. Systems that have absolutely horrific consequences associated with their failure should never be attached to generally accessible systems.
      --
      "God, root, what is difference?" - Pitr, userfriendly
    4. Re:That's what war is all about! by u38cg · · Score: 1
      The story goes that JFK left an executive order which still stands, stating that under no circumstances would America attempt to take part in a war of mutually assured destruction. He preferred leaving the planet to the Russkies than to the cockroaches.

      True? Maybe. Maybe not. But worth thinking about.

      --
      [FUCK BETA]
    5. Re:That's what war is all about! by Daetrin · · Score: 1
      If missile control/defence networks operate through networks that could be attacked from China, then the US really does deserve the nuclear annihilation that would befall it. Systems that have absolutely horrific consequences associated with their failure should never be attached to generally accessible systems.

      Who's to say they're attached to a generally accessible system? Maybe China has planted moles in the US's military departments who can access the military-only networks the machines are on. Maybe there was a mistake made (or someone bribed) and there's a backdoor onto the system from the outside net. Who knows. And certainly a lot of the systems that the military needs to be concerned about by definition have to accept outside signals, telecommunication grids being only the first example. Assuming that the enemy can't do certain things will often lead to failure in the long run. The military needs to predict and plan for worst case scenarios.

      --
      This Space Intentionally Left Blank
    6. Re:That's what war is all about! by Daetrin · · Score: 1
      The story goes that JFK left an executive order which still stands, stating that under no circumstances would America attempt to take part in a war of mutually assured destruction. He preferred leaving the planet to the Russkies than to the cockroaches.

      True? Maybe. Maybe not. But worth thinking about.

      I don't really agree with the idea of MAD. I think that restarting work on SDI is just about the only good thing Bush Jr. has done.

      That being said, however, if those in charge decide to go with MAD, I'd at least like it to work properly. You shouldn't advertise that the system your MAD strategy is dependent on will self-destruct and make counterattack impossible if it detects an intrusion. Kind of an inverse corollary to the Dr. Strangelove rule, "the whole point of the Doomsday Machine is lost if you keep it a secret."

      --
      This Space Intentionally Left Blank
  7. Perhaps systems which undo intrusions? by Qzukk · · Score: 4, Interesting

    I think the next step from intrusion-tolerance would be a system that logs intruder activity, determines how the intruder got in, and when the intruder leaves, cleans up whatever rootkits, etc. were left behind after logging everything it can about the event.

    Other interesting ideas would be determining "tainted" processes run or otherwise affected (library overwrites, etc) by the intruder, and automatically sandboxing these processes in a nifty little world that looks realistic, but couldn't be used for a DDoS.

    Anyone up for writing a drop-in libc replacement that screens any attempts to overwrite libc? You'd also have to override the linker behavior, so that an attacker couldn't just LD_PRELOAD a normal libc for their apps. You'd still be open to statically compiled apps, so this may be a lot of work for only a little gain.

    Of course, this would make it hard to upgrade libc ;)

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
    1. Re:Perhaps systems which undo intrusions? by Anonymous Coward · · Score: 0

      I worked on something like this once with DMZ honeypots running virtual servers (similar to VMware).

      IDS triggered an archiving system which snuck out through the firewalls to save the complete VM session state, generate a manifest of new/modified files, etc, and then started a new session to get the next set of data from a new guineapig.

      Forensic analysis often yielded interesting tidbits, although most intrusions were by script kiddies. :)

      It wouldn't be much of a step from this sort of system to restore a useful working server (a non-honeypot) from a standard session profile. It's just a matter of how much downtime is acceptable while the sessions are restarted/switched.

    2. Re:Perhaps systems which undo intrusions? by YOU+LIKEWISE+FAIL+IT · · Score: 1
      system that logs intruder activity, determines how the intruder got in,

      Question: If you know how the intruder got in using this on-the-fly automated system, why not just patch the vulnerability in advance? I thought the idea of Intrusion Tolerance was to avoid systems downtime after the intrusion had been noted by Administration.

      YLFI
      --
      One god, one market, one truth, one consumer.
    3. Re:Perhaps systems which undo intrusions? by shokk · · Score: 1

      I think the next step from intrusion-tolerance would be a system that logs intruder activity, determines how the intruder got in, and when the intruder leaves, cleans up whatever rootkits, etc. were left behind after logging everything it can about the event.


      One way to do this is actually make a checklist of what one does in order not to get caught when gaining root access on a system:

      Destroying log files and wtemp, disabling login services (telnet, rsh, rlogin, rexec, ssh) and serial/console ports after you've arrived and installing your own login daemon, knocking off all non-service users and their shells (vncservers too) so that no one can use an existing shell to fix things, blow away all cronjobs and atjobs. I imagine that you would leave any httpd's running so that you can go nyah nyah. And install a daemon (statically compiled, as you say) that will network scan and crack another system the same way. Many places have user systems trusting the admin systems so if you can get onto one admin system the rest of the network falls easier. If you're particularly destructive, the daemon can drop the network drivers once it has replicated and start blowing away files all over the system. Sure, one might have backups, but the target is looking at multiple bare-metal restores at that point.

      Postmortem checklist:
      Things like logging through a serial port to a printer cannot be stopped since your login has already been logged to paper. You would want to take out routers on the way back out, but that's a whole different ball of wax and they have also left a breadcrumb trail of where you came from. No matter how you break in, you leave a trail for those that want to actively pursue. I understand that this is not always done unless there is actual serious monetary damages.

      So how would the above solution deal with all that other than at the postmortem stage? You can add daemons that do cleanup, but just like BugBear and friends, newer versions of the worm would just have the cleanup services on their hitlist. Since the operating system's kernel would still have to be running for such a worm to work, the kernel would be untouched and could still have a chance to respond if it understood that the cascade of changes and service deaths without an actual "shutdown" command were signs of impending doom. Centralizing this detection helps because the central system may not fall to the same problem yet still have a record that the system(s) screamed for help before they went down. *There* is where some real Intrusion Prevention can happen; the centralized server can begin shutting down network ports or the DMZ itself, can page admins, store relevant (event/sys)logs away with the intrusion alarm as a case file of the event.

      --
      "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
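The detection idea shokk sketches above (a central log server noticing a cascade of service deaths that was not preceded by a real shutdown) is concrete enough to put in code. The following is an added example, not code from the thread or from any of the projects mentioned in the story. The log lines are constructed for the example, the syslog-like field layout and the "stop"/"shutdown" message patterns are assumptions, and the window and threshold values are arbitrary tuning knobs.

```python
"""Flag a burst of service stops on one host with no sanctioned shutdown.

Added example (not from the thread). Assumes lines shaped like
"<date> <time> <host> <prog>[pid]: <message>"; the message patterns that
count as "a service stopped" or "the host is shutting down" are assumptions.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: host1 loses three services in seconds with no shutdown
# event; host2 loses the same services, but init announced a runlevel change first.
SAMPLE_LOG = """\
2003-03-01 02:00:01 host1 sshd[101]: Received signal 15; terminating.
2003-03-01 02:00:02 host1 cron[77]: (CRON) INFO (Shutting down)
2003-03-01 02:00:03 host1 inetd[60]: exiting
2003-03-01 02:00:04 host1 getty[50]: console terminated
2003-03-01 02:00:05 host1 httpd[200]: child pid 201 exit signal Segmentation fault
2003-03-01 03:00:00 host2 init: Switching to runlevel: 0
2003-03-01 03:00:01 host2 sshd[1]: Received signal 15; terminating.
2003-03-01 03:00:02 host2 cron[2]: (CRON) INFO (Shutting down)
2003-03-01 03:00:03 host2 inetd[3]: exiting
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) ([A-Za-z_]+)(?:\[\d+\])?: (.*)$"
)
# Messages that mean "this daemon went away" (assumed vocabulary).
STOP_RE = re.compile(r"terminating|shutting down|exiting|terminated", re.I)
# Messages that mean "an operator asked for a halt/reboot" (assumed vocabulary).
SHUTDOWN_RE = re.compile(r"runlevel: [06]|shutdown:", re.I)


def parse(lines):
    """Yield (timestamp, host, program, message) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4)


def detect_cascades(lines, window=timedelta(seconds=30), threshold=3):
    """Return one alert per host that lost >= threshold distinct services
    inside `window` without a shutdown event in that same window."""
    alerts = []
    recent = {}         # host -> deque of (ts, program) stop events in window
    last_shutdown = {}  # host -> timestamp of the most recent sanctioned halt
    alerted = set()
    for ts, host, prog, msg in parse(lines):
        if SHUTDOWN_RE.search(msg):
            last_shutdown[host] = ts
            continue
        if not STOP_RE.search(msg):
            continue
        dq = recent.setdefault(host, deque())
        dq.append((ts, prog))
        while dq and ts - dq[0][0] > window:   # slide the window forward
            dq.popleft()
        services = {p for _, p in dq}
        sanctioned = host in last_shutdown and ts - last_shutdown[host] <= window
        if len(services) >= threshold and not sanctioned and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "first": dq[0][0], "services": sorted(services)})
    return alerts


if __name__ == "__main__":
    for a in detect_cascades(SAMPLE_LOG.splitlines()):
        print(f"{a['host']}: {len(a['services'])} services died from {a['first']}: {a['services']}")
```

The point of keeping the detector on a separate log host is exactly the one the post makes: the dying machine only has to get the lines out before it goes quiet, and the correlation happens somewhere the worm has not reached. A real deployment would feed this from remote syslog rather than a string, and would tune the vocabulary to the daemons actually in use.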
    4. Re:Perhaps systems which undo intrusions? by Qzukk · · Score: 2, Insightful

      Question: If you know how the intruder got in using this on-the-fly automated system, why not just patch the vulnerability in advance?

      You don't need to know in advance the vulnerability to figure out how someone got in. If Apache suddenly spawns a shell, well, that is a pretty good hint right there (or that some nutter is using a shellscript as a CGI, but they deserve getting false negatives in that case).

      Plus, if you combine this with packet data logging (probably with a protocol-level filtering tool, so you only have to deal with interesting parts of the conversation), it can be quite useful (although slow...). Say you log Apache starting a shell, and at the same time you logged an "interesting" request consisting of the same byte repeated 5000 times followed by a known shellcode pattern; you'd have an even better idea of what happened.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
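Qzukk's two hints above, a server process whose child is a shell and a request made mostly of one repeated byte, are both cheap host-side checks. The block below is an added example, not code from the thread: it walks a constructed process table looking for shells descended from a network daemon, and measures the longest run of a single byte in a constructed request. The daemon and shell name sets, the process-table layout and the 256-byte run threshold are assumptions.

```python
"""Two host-side hints that a network daemon has been subverted.

Added example (not from the thread). The process records and the HTTP
requests below are constructed; name sets and thresholds are assumptions.
"""
import itertools

# Daemons that should never have a shell underneath them (assumed list).
SERVER_NAMES = {"httpd", "apache", "apache2", "wu-ftpd", "in.ftpd"}
SHELL_NAMES = {"sh", "bash", "dash", "ksh", "csh"}

# Constructed process table in the shape of `ps -eo pid,ppid,comm`.
SAMPLE_PROCS = [
    {"pid": 1,   "ppid": 0,   "comm": "init"},
    {"pid": 200, "ppid": 1,   "comm": "httpd"},   # parent server
    {"pid": 201, "ppid": 200, "comm": "httpd"},   # worker
    {"pid": 300, "ppid": 201, "comm": "sh"},      # shell under the worker: bad
    {"pid": 350, "ppid": 1,   "comm": "sshd"},
    {"pid": 400, "ppid": 350, "comm": "bash"},    # an admin's login shell: fine
]


def ancestors(pid, by_pid):
    """Yield the parent, grandparent, ... of `pid`; stops on a missing or cyclic ppid."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid.get(by_pid[pid]["ppid"])
        if parent is None:
            return
        yield parent
        pid = parent["pid"]


def suspicious_spawns(procs):
    """Return (shell_pid, server_pid, server_name) for every shell whose
    ancestry passes through a network daemon."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if p["comm"] not in SHELL_NAMES:
            continue
        for anc in ancestors(p["pid"], by_pid):
            if anc["comm"] in SERVER_NAMES:
                hits.append((p["pid"], anc["pid"], anc["comm"]))
                break
    return hits


# Constructed requests: a normal GET and one padded with 5000 copies of 'A'.
NORMAL_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
PADDED_REQUEST = b"GET /" + b"A" * 5000 + b" HTTP/1.0\r\nHost: example.test\r\n\r\n"


def longest_run(data):
    """Return (byte_value, length) of the longest run of one repeated byte."""
    best = (None, 0)
    for value, group in itertools.groupby(data):
        n = sum(1 for _ in group)
        if n > best[1]:
            best = (value, n)
    return best


def is_suspicious_request(data, min_run=256):
    """Flag a request containing a single-byte run at least `min_run` long."""
    return longest_run(data)[1] >= min_run


if __name__ == "__main__":
    print("shells under daemons:", suspicious_spawns(SAMPLE_PROCS))
    for req in (NORMAL_REQUEST, PADDED_REQUEST):
        print(len(req), "bytes, longest run", longest_run(req), "suspicious:", is_suspicious_request(req))
```

The run-length check is deliberately dumb: it says nothing about what follows the padding, only that the request looks nothing like a real URL, which is the "pretty good hint" the post is after. Paired with the process-lineage check it gives two independent signals from different layers, the same diversity argument made earlier in the thread.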
    5. Re:Perhaps systems which undo intrusions? by Courageous · · Score: 1

      I think the next step from intrusion-tolerance would be a system that logs intruder activity, determines how the intruder got in, and when the intruder leaves, cleans up whatever rootkits, etc. were left behind after logging everything it can about the event.

      Imagine something like VMWare with "selective rollback". Because of the combinatorics, I'm not sure it's entirely possible (which is not to say that it's not partially possible), but it's certainly an idea worthy of pursuit in some form...

      C//

    6. Re:Perhaps systems which undo intrusions? by Qzukk · · Score: 1

      So how would the above solution deal with all that other than at the postmortem stage?

      I don't think User Mode Linux is "there" yet, but this scenario is the kind of thing I'm thinking of:

      Intruder exploits yet another overflow in wu-ftpd and fires up a shell. At this point, the IDS has determined that wu-ftpd is acting erratically and forks the system: the original was actually a UML instance running on a host with a bit of ipmasq/conntrack glue. A new UML is spawned, all the services restart within it, and iptables is updated so that all traffic except that to/from the intruder is re-routed to the new UML. Meanwhile, the old UML has switched to a copy-on-write filesystem mode (this would need to be written) where everything looks and behaves as if the filesystem was being changed, but behind the UML scenes, the altered files are actually being stored in a completely different directory. Eventually, IDS determines the intruder has packed up, and kills the UML. The directory of changes is archived for analysis, and iptables is updated to drop the intruder's packets forever.

      Meanwhile, the replacement UML continues as if almost nothing has happened. (This wouldn't work so well for databases, since their file storage would be inconsistent and missing a lot of cached data, though you could get creative and signal the "compromised" UML's db server to flush cache and clean up before switching to the copy-on-write fs mode.)

      All of this assumes that nothing compromisable is running on the host system, and that the UML/host isolation is perfect, which it probably isn't (I haven't considered using UML in this way before).

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    7. Re:Perhaps systems which undo intrusions? by Qzukk · · Score: 1

      Imagine something like VMWare with "selective rollback". Because of the combinatorics, I'm not sure it's entirely possible

      Something like this would work fine as long as the intruder didn't change anything that was being changed by a normal process. If the intruder started writing or removing CC numbers from a CC list that was being updated (as if I'd keep them in plain text...), then a rollback would have to be very very crafty to identify "bad" changes vs. "good" changes (hence the idea of custom write() and such in libc - modifying it to somehow log each write, the data written, and the responsible process would help with this rollback process).

      Not easy by any means, but possible (with the same caveats of statically compiled tools provided by the intruder as in my original post). The next step would be embodying this idea within the filesystem or kernel itself, so that libc hacking would not be required.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
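The per-process write journal and the "good change vs. bad change" problem from the two posts above, as an added example that is not code from the original posts: every write records the responsible pid, the file, the offset and the bytes it overwrote; rolling back one pid undoes its writes newest-first, and any write that a different pid later made to the same bytes is reported as a conflict rather than reverted. Files live in memory and the write sequence is constructed.

```python
"""Selective rollback driven by a per-process write journal.

Added example, not code from the original post. It models the write()
logging the post proposes: every write records the responsible pid, the
file, the offset and the bytes it overwrote, so one pid's writes can be
undone afterwards. A write by another pid that later touched the same
bytes is reported as a conflict instead of being silently reverted.
Files live in memory and the write sequence below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class WriteRecord:
    seq: int
    pid: int
    path: str
    offset: int
    old: bytes   # bytes overwritten
    new: bytes   # bytes written


def overlaps(a: WriteRecord, b: WriteRecord) -> bool:
    return (a.path == b.path
            and a.offset < b.offset + len(b.new)
            and b.offset < a.offset + len(a.new))


@dataclass
class JournaledFS:
    files: dict = field(default_factory=dict)    # path -> bytearray
    journal: list = field(default_factory=list)  # WriteRecord in time order

    def write(self, pid: int, path: str, offset: int, data: bytes) -> None:
        buf = self.files.setdefault(path, bytearray())
        end = offset + len(data)
        if len(buf) < end:
            buf.extend(b"\0" * (end - len(buf)))
        old = bytes(buf[offset:end])
        buf[offset:end] = data
        self.journal.append(WriteRecord(len(self.journal), pid, path, offset, old, data))

    def read(self, path: str) -> bytes:
        return bytes(self.files.get(path, b""))

    def rollback_pid(self, pid: int):
        """Undo every write by `pid`, newest first. Returns the records that could
        not be reverted because a different pid wrote the same bytes afterwards."""
        conflicts = []
        for rec in reversed(self.journal):
            if rec.pid != pid:
                continue
            later_by_others = [r for r in self.journal
                               if r.seq > rec.seq and r.pid != pid and overlaps(r, rec)]
            if later_by_others:
                conflicts.append((rec, later_by_others))
                continue
            self.files[rec.path][rec.offset:rec.offset + len(rec.new)] = rec.old
        return conflicts


def demo():
    """Constructed scenario: pid 100 is the legitimate updater, pid 666 the intruder."""
    fs = JournaledFS()
    fs.write(100, "motd", 0, b"hello")
    fs.write(100, "cc.txt", 0, b"card=1111;")
    fs.write(666, "motd", 0, b"pwned")      # defacement; nothing touched it afterwards
    fs.write(666, "cc.txt", 5, b"0000")     # tampering ...
    fs.write(100, "cc.txt", 5, b"2222")     # ... followed by a legitimate update of the same bytes
    conflicts = fs.rollback_pid(666)
    return fs, conflicts
```

Newest-first order matters when the same pid wrote the same region twice: the later record's `old` bytes are the earlier record's `new` bytes, so reverting in reverse restores the pre-intrusion state exactly. The conflict list is what an analyst would review by hand, which is the "very very crafty" part the post expects.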
    8. Re:Perhaps systems which undo intrusions? by cunkel · · Score: 1
      I think the next step from intrusion-tolerance would be a system that logs intruder activity

      The ReVirt system of the CoVirt project does exactly that, using virtual machine monitors. Also see the paper.

    9. Re:Perhaps systems which undo intrusions? by Anonymous Coward · · Score: 0

      If the kernel could checksum the binary against a checksum list (say on a CD or whatever) and refuse to load binaries that don't have the right checksum. The kernel should also refuse to overwrite code segments or refuse to jump into a code segment unknown at startup, making it impossible to use buffer overflows to gain control of a running binary. This way the "cracker" couldn't load new code (binaries) and couldn't make changes in old ones (using buffer overflows). The only way to root the machine would be real horrible bugs in the software, like following /tmp links and overwriting /etc/passwd etc..

    10. Re:Perhaps systems which undo intrusions? by Qzukk · · Score: 1

      This is where we get into the useful uses of technologies like Palladium. Not some crazy harebrained DRM scheme fingerprinting everything you do and tying it to your computer forever, but a (hopefully) cryptographically sound method of indicating that Executable X is the original, untouched Executable X, and that its current memory image is valid. (My God, it would mean that you could trust your computer! I better scrap this before the "Trustworthy Computing" people get a hold of it!)

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
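The checksum-list idea from comment 9 and the "Executable X is the original, untouched Executable X" property from comment 10, as one added example that is not code from either post: a manifest of `sha256  path` lines whose own digest is pinned in a constant (standing in for the read-only CD), and a loader that admits content only when it matches. The binaries, paths and hashes are all constructed; a real deployment would produce the manifest at install time and anchor the root hash in something the running system cannot rewrite.

```python
"""Admit only binaries whose hash is on a pinned allowlist.

Added example, not code from the original posts. It models the checksum
list the post describes: a manifest of "sha256  path" lines whose own
digest is pinned in MANIFEST_ROOT_HASH (standing in for a read-only medium
such as the CD mentioned), and a loader that admits content only when it
matches. The "binaries", paths and hashes are all constructed here.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for installed executables.
BINARIES = {
    "/bin/ls": b"ELF-constructed-ls-v1",
    "/bin/sh": b"ELF-constructed-sh-v1",
}

MANIFEST = "".join(f"{sha256_hex(content)}  {path}\n"
                   for path, content in sorted(BINARIES.items()))
MANIFEST_ROOT_HASH = sha256_hex(MANIFEST.encode())   # the value you would pin out of band


def load_manifest(text: str, root_hash: str) -> dict:
    """Parse the manifest, refusing it outright if it no longer matches the pinned root."""
    if not hmac.compare_digest(sha256_hex(text.encode()), root_hash):
        raise ValueError("manifest does not match pinned root hash")
    entries = {}
    for line in text.splitlines():
        digest, sep, path = line.strip().partition("  ")
        if not sep or len(digest) != 64 or not path:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[path] = digest.lower()
    return entries


def admit(entries: dict, path: str, content: bytes):
    """Return (allowed, reason). Unknown paths and hash mismatches are both refused."""
    expected = entries.get(path)
    if expected is None:
        return False, "not in manifest"
    if not hmac.compare_digest(sha256_hex(content), expected):
        return False, "hash mismatch"
    return True, "ok"
```

Pinning the manifest's own hash is what makes the list worth anything: an attacker who can edit the manifest can add their own binary to it, so the root hash has to live somewhere the compromised system cannot change (the post's CD, or in later designs the measured-boot chain comment 10 alludes to).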
    11. Re:Perhaps systems which undo intrusions? by shokk · · Score: 1

      For databases, I think the smart thing to do is just shut down operations. You don't want to act like you are making successful transactions since customers (paying or internal employees) would have to perform transactions again which can be worse than not having performed them yet.

      --
      "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
  8. What's so unusual about this? by Todd+Knarr · · Score: 4, Insightful

    Seriously. The implementations are new, but the concept goes back to the dawn of interconnected computers, maybe further. Back in the Iron Age, you used different passwords on different systems specifically so that, if one of the systems were penetrated and your password compromised, all the other systems you had access to would not be immediately compromised as well. That was a limited form of intrusion tolerance, forcing the intruder to start over from scratch on every system in the network.

    1. Re:What's so unusual about this? by PaulK · · Score: 2, Insightful

      Actually, I don't see it the same way. That was basically the same type of wall, on different systems.

      That was not so much tolerance, as it was the only protection, and it still applies, except for idiot admins who use the same password over and over.

      This is more of an internal "protect the data stream" kind of thing.

    2. Re:What's so unusual about this? by KrispyKringle · · Score: 1
      Sure it is. The example he should have used was hashed passwords, shadow password files, etc. Obviously, you would hope that malicious users don't get on your system. Assuming it's a single-user system, password hashing, in theory, would be unnecessary if you were sure you'd never be intruded. The point behind the hashing is that if someone downloads the passwd file, he does not immediately get your password.

      In newer machines, there is even a shadow file so that even if he gets user-level access, he cannot access the hashed passwords. Just another layer.

      Security is often--indeed, type "man security" on a FreeBSD box for this very analogy--referred to as "onion skin" layers of protection upon protection, defense upon defense. This does not seem to be much of a new idea.

    3. Re:What's so unusual about this? by Todd+Knarr · · Score: 1

      These are two aspects of the same thing. Hashed passwords and shadow password files are layers to make it harder to compromise everybody on a single machine once an intruder's got a foothold on that machine. Avoiding shared passwords make it harder to gain footholds on other machines in the network once an intruder's compromised that first machine in the network. Basic defense in depth, and it's what the most popular systems today seem bent on eliminating.
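The salted hash and passwd/shadow split described in the two comments above, as an added example that is not code from the original posts: a self-describing record that does not reveal the password, a verifier that recomputes from the record's own salt, and the two lines the post contrasts (a world-readable passwd line that carries no hash, and a root-only shadow line that does). PBKDF2-HMAC-SHA256 from the standard library is used here as a stand-in for whatever hash a given system uses.

```python
"""Salted password hashing and the passwd/shadow split.

Added example, not code from the original posts. It shows the mechanism
the post describes: a stored record that does not reveal the password,
and a public passwd line that carries no hash at all. PBKDF2-HMAC-SHA256
from the standard library stands in for whatever hash the system uses.
"""
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the record's own salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def make_records(user: str, uid: int, record: str):
    """World-readable passwd line (no hash, just 'x') and root-only shadow line."""
    passwd_line = f"{user}:x:{uid}:{uid}::/home/{user}:/bin/sh"
    shadow_line = f"{user}:{record}:0:0:99999:7:::"
    return passwd_line, shadow_line
```

A per-user random salt means the same password produces different records on different machines, so a table precomputed against one leak is useless against another; it does not rescue a reused password once one record is cracked, which is the point the comment about separate passwords per system is making.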

  9. interesting, but not really a new concept by Eric+Smith · · Score: 4, Interesting

    All it's doing is moving the security barrier. You're creating a new line, and saying that it's OK for attackers to cross the old line, since that doesn't get them across the new line. But defending the new line is not fundamentally any easier than defending the original line.

    1. Re:interesting, but not really a new concept by PaulK · · Score: 2, Insightful

      I concur.

      There is a parallel here; most large corporations have given up on the virus war, and have implemented "Virus Management" strategies.
      They have basically said, "Ok, we can't keep them out, so we'll just let them in a little bit."

      So now we're doing the same thing on the security front. I must admit, I'm not all that surprised.

      The cynic in me says, "That's what you get for outsourcing all those tech jobs."

    2. Re:interesting, but not really a new concept by Gorobei · · Score: 3, Insightful

      Huh? The military has had *thousands of years* of experience in information security! They created/funded/supported research in almost every major communications system/crypto system of the past two millennia.

      They know no system is totally secure - especially when your adversary has spies, troops, and bombs. You expect enemy signals intelligence, broken codes, code-books captured in combat, spies in your data centers, secure comm channels destroyed.

      There is no one line/security barrier: the only rational approach is a defense in depth, with monitoring of problems, and the ability to route around compromised and destroyed systems.

    3. Re:interesting, but not really a new concept by CapnFreedom · · Score: 1

      They're not saying it's OK for attackers to cross the old line. They merely want to have additional layers of security in case the attackers manage to cross the first line.

      For example, my house has a lock on the front door. If someone manages to break through that lock, I'm not just going to say, ok, have your run of the house. The alarm system will go off also. If they manage to get past the alarm system (because I, or someone else, forgot to enable it, or they figured out the code) they still don't get everything for free. Irreplaceable items are kept in a safe. If they crack the safe, they still can't get a large chunk of my money since I store that in a different location.

      Putting your entire trust in one layer isn't very good security.

    4. Re:interesting, but not really a new concept by Eric+Smith · · Score: 1
      Your front door and alarm system are still fundamentally guarding the same line. The so-called "intrusion-tolerant" systems are adding another line elsewhere, like your safe. However, this is not intrusion-tolerant in any meaningful sense in that someone that picks the front door lock (or otherwise circumvents it) can still steal your VCR even though they won't get your jewelry. I don't know about you, but I'm not inclined to "tolerate" that.

      My point was that having multiple levels of security (front door, safe) is not new, either in the "real world" or in computer security. And I certainly wouldn't call it "intrusion tolerant", since someone that circumvents the first line of defense still has intruded and can still do some things for which they don't have authorization.

      To the extent that the papers also discuss multiple security measures at the same line of defense (door lock and alarm), that is even less original.

      Putting your entire trust in one layer isn't very good security.
      Putting your entire trust in one defense measure may not be good, but just because you have multiple measures doesn't mean that they need to be guarding a different line of defense. Depending on the specific threat model, having two security measures guarding a line of defense around two "valuables" may or may not be better than having two separate security measures each guarding one valuable. You don't leave your safe out on your front lawn, but you might keep your diamonds and your cash in the same safe. If you put them in separate safes, that may make you more secure against some safecracking techniques, but if you use smaller safes to do it, you are more subject to the theft of an entire safe.
    5. Re:interesting, but not really a new concept by Eric+Smith · · Score: 1
      The military [...] created/funded/supported research in almost every major communications system/crypto system of the past two millennia.
      Perhaps, but none of the commonly used crypto today came from the military, because the military doesn't want to share their crypto capabilities or research with the public. Think about DES, RSA, Diffie-Hellman, AES, etc.
      There is no one line/security barrier: the only rational approach is a defense in depth
      Absolutely true, and that's why I'm saying that this so-called "intrusion tolerance" isn't new.
  10. Prior Art? by Anonymous Coward · · Score: 5, Funny

    " concede that systems will be penetrated by malware and hackers, but to keep operating anyway"

    Hasn't this always been the strategy of Windows? Now if they could just finish implementing that second part...

    1. Re:Prior Art? by unixbugs · · Score: 1

      With the recent purchase of 140k windows boxen (servers too ;D) for use by Uncle Scam... oh well, I don't know what I'm saying... its just funny to think that Microsoft could possibly adhere to a policy like this when a seriously compromised Windows machine will need formatting, reinstalling, or at least rebooting before it can be (for lack of a better word) safely used again.

      --
      You are about to give someone a piece of your mind, something which you can ill afford...
  11. Same as in many materials uses by Anonymous Coward · · Score: 2, Insightful

    Much engineering effort goes into the benefits of balancing something's hardness against its resilience. The broad idea for security lately has been to make systems as hard as possible, but leaving them brittle. Even diamond and alumina ceramics shatter relatively easily. Building systems with something more akin to the resilience of steel makes sense... ... as long as you have some damned way of translating materials science into network security.

    perhaps I need coffee :)

  12. Jeepers ... by Mainframes+ROCK! · · Score: 3, Funny

    ... sounds like somebody is reinventing Multics... again.

  13. Repeat after me... by Atario · · Score: 4, Funny

    ...this new mantra of security.

    I must not fear. Fear is the mind-killer. Fear is the little death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past, I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain.

    -- The Bene Gesserit Litany of Fear
    Dune by Frank Herbert

    --
    "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
    1. Re:Repeat after me... by Aadain2001 · · Score: 2, Funny

      Did you get permission to post that? If not, the feds are on their way to your house right now :)

      --
      Space for rent, inquire within
    2. Re:Repeat after me... by Monkelectric · · Score: 5, Funny
      ...this new mantra of security.

      This replaces the old mantra right? "I refuse to patch, for patches deny faith, and without faith I am nothing." (Douglas Adams)

      --

      Religion is a gateway psychosis. -- Dave Foley

  14. Why does it have to be like this? by espo812 · · Score: 3, Insightful

    Why do we have to accept break ins? OpenBSD hasn't had a vulnerability disclosed in months now. Does that mean there are no vulnerabilities? No. Is an OpenBSD box pretty much unusable out of the box? Pretty much yes. But the thing is if you keep things simple, they should be easy to audit. Bugs should be easy to detect and fix.

    You get into trouble when you start piling on feature after feature after feature. Is all of that really needed?

    Denial of Service is, unfortunately, harder to deal with. But when you have your own network, it's much easier to deal with. Dependency on the Internet still creates a problem (the majority of US government data communication is done via the Internet). It comes down to a cost benefit analysis - is it worth building a totally separate network? For the military, I'd say yes.

    --

    espo
    1. Re:Why does it have to be like this? by Mostly+a+lurker · · Score: 1
      is it worth building a totally separate network? For the military, I'd say yes

      This assumes that, just by making it separate, it will fail to be vulnerable. With a small, highly restricted network this would likely be true. The military network is huge and I think it is naive to assume that it could not be compromised by a determined attacker.

    2. Re:Why does it have to be like this? by FurryFeet · · Score: 1

      OpenBSD hasn't had a vulnerability disclosed in months now

      Neither has AmigaOS, ProDOS or DR-DOS.
      Really, you should listen to the trolls more often.

    3. Re:Why does it have to be like this? by Anonymous Coward · · Score: 0

      I dunno about you, but I can actually run some nice webserver apps on my OpenBSD boxes. Doing that on DR-DOS? No thanks.

      Apples. Oranges. Trolls.

  15. Just My .02 USD by Sam+Nitzberg · · Score: 5, Insightful

    In general, I don't like the idea of making a concession that malware will have to be operating in a given computing environment (as stated above), and to think otherwise would simply be incorrect. OK, Windows environments may be an obvious exception ;-)

    I would prefer to consider that (at least from my own philosophical viewpoint), that you can construct systems with defined patterns of behavior, even when "malware" is introduced.

    From one of the links referenced above :

    Successive levels in the hierarchy are linked by refinement mappings that can be shown to preserve properties of interest. This project will apply this technology to intrusion tolerance properties.

    This harkens back to enforcement mechanisms (Biba Integrity Model, No Read Up, No Write down policies, Models for descriptions of multi-level secure behavior, etc...). (Aside: Amoroso's book is an excellent reference)

    What this alone tells me (I didn't read all the blurbs, articles, and briefings), is that we are discussing mappings (mathematical functions), and properties (which can be mathematically tested for by use of a logic or algebraic system).

    At a glance, I am thinking of some of the issues in formal methods, proven-secure-O/S kernels, and other high-reliability software engineering methods for [secure] systems.

    I like the idea that mathematical theorem provers can be applied to any system so defined.

    Some basic issues do arise for practical application :

    - Theorem - proving aspects mean very precise use of functional requirements and mathematical specification for system behaviors. (Also, special talent and additional manpower is necessary. Also, mis-applications of the tools used, or introduced human error in the test process can subvert the efforts)

    - This should be applied (I believe) to systems-of-systems and their behaviors. The systems that your system interacts with would have to have had similarly rigorous analysis and design.

    - There is (I believe) a trend in military computing towards commercial, and less custom, software development. Long-term, where will the actual development of such systems be funded (beyond the initial R&D stage).

    - The use of analysis of pre and post conditions in the executing environment (to ensure that violations of the underlying security policy are not permitted) is not a new concept. While I am not saying that this is an intrinsically necessary mechanism for these methods, most current systems lack such an approach, and there may be fundamental computer security issues present by the nature of the software development environment. If these methods are used, it is still highly desirable to design systems with security in mind regarding their handling of all data, traffic, and O/S vulnerability issues.

    I only took a brief look at the material, but these are some thoughts. I also think that the effort itself is very worthwhile, and potentially of value. Also, looking at Dr. Lulu's credentials, there is no naivete in his software background; the basic tenets can't just be shrugged off.

    Sam Nitzberg
    sam@iamsam.com
    http://www.iamsam.com
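The pre/post-condition enforcement and the Biba-style integrity policy the post mentions, as an added example that is neither the poster's code nor anything from the OASIS projects: a tiny reference monitor in which each operation checks a precondition from Biba strict integrity (no read down, no write up) and, after mutating state, a postcondition that every object still holds only data from sources at or above its own level. Subject names, object names and levels are constructed; the `demo()` scenario is likewise made up for the demonstration.

```python
"""A tiny reference monitor with Biba integrity checks as pre/postconditions.

Added example, not from the original post or the OASIS projects. Subjects
and objects carry integrity levels; each operation checks its precondition
(Biba strict integrity: no read down, no write up) and, after mutating
state, a postcondition that every object still holds only data from
sources at or above its own level. Names and levels are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 0      # e.g. data parsed from the network
    MEDIUM = 1
    HIGH = 2     # e.g. system configuration


class PolicyViolation(Exception):
    pass


@dataclass
class Obj:
    name: str
    level: Level
    content: bytes = b""
    min_source: Level = Level.HIGH   # lowest integrity of any data written so far


class BibaMonitor:
    def __init__(self, subjects):
        self.subjects = dict(subjects)   # subject name -> Level
        self.objects = {}

    def add_object(self, obj: Obj) -> None:
        self.objects[obj.name] = obj

    def invariant_holds(self) -> bool:
        """Postcondition shared by every operation: no object has absorbed
        data from a subject below the object's own integrity level."""
        return all(o.min_source >= o.level for o in self.objects.values())

    def read(self, subject: str, name: str) -> bytes:
        obj = self.objects[name]
        if self.subjects[subject] > obj.level:          # precondition: no read down
            raise PolicyViolation(f"{subject} may not read down from {name}")
        return obj.content

    def write(self, subject: str, name: str, data: bytes) -> None:
        obj = self.objects[name]
        if self.subjects[subject] < obj.level:          # precondition: no write up
            raise PolicyViolation(f"{subject} may not write up to {name}")
        obj.content = data
        obj.min_source = min(obj.min_source, self.subjects[subject])
        if not self.invariant_holds():                  # postcondition
            raise PolicyViolation("integrity invariant broken after write")


def demo():
    """Constructed scenario: a CGI handler (LOW) and an admin tool (HIGH)."""
    m = BibaMonitor({"web_cgi": Level.LOW, "admin_tool": Level.HIGH})
    m.add_object(Obj("config", Level.HIGH, b"mode=prod"))
    m.add_object(Obj("tmpfile", Level.LOW))
    outcomes = {}
    for subj, op, name in [("admin_tool", "write", "tmpfile"), ("web_cgi", "write", "config"),
                           ("admin_tool", "read", "tmpfile"), ("web_cgi", "read", "config")]:
        try:
            if op == "write":
                m.write(subj, name, b"data")
            else:
                m.read(subj, name)
            outcomes[(subj, op, name)] = "allowed"
        except PolicyViolation:
            outcomes[(subj, op, name)] = "denied"
    return m, outcomes
```

The postcondition is redundant while every write goes through `write()`, which is exactly the point: it is the check that fires if some path bypasses the precondition, and it is the kind of property a refinement mapping would have to preserve from an abstract model down to this implementation.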

  16. The way it should be by mcrbids · · Score: 4, Interesting

    Recently I upgraded and migrated to a newer, much faster server. When I moved over all my software, everything worked OK, so I switched DNS about 2 weeks ago.

    However, I got sporadic complaints about images not sizing properly, even though I initially found nothing wrong.

    However, what had happened is that a critical piece of software (ImageMagick) wasn't loaded on the new server - but since all the functions that resized images had numerous fallbacks (such as using expired, cached copies, and failover to full size display which even then didn't always cause a problem since they were frequently resized with HTML tags)

    In any event, this (I think) demonstrates the idea - there were several layers of failure that had to happen before images didn't show - and everything kept more-or-less rolling for 2 weeks.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:The way it should be by nullard · · Score: 1

      That's what logs are for. Every time a fallback is invoked, log it. The fall back keeps you running acceptably. The log helps you get back to 100% performance.

      --


      t'nera semordnilap
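The layered fallbacks from comment 16 and the "log every fallback" rule from the reply, as one added example that is not code from either post: the resize path tries the real resizer, falls back to a cached copy even when expired, and finally serves the full-size image for the HTML width attribute to scale, appending a log line each time it degrades. The resizer, cache and original store are stand-ins constructed for the demonstration.

```python
"""A resize path with logged fallbacks.

Added example, not code from the original posts. It mirrors the layering
the post describes: try the real resizer, fall back to a cached copy even
if expired, and finally serve the full-size image and let the HTML width
attribute scale it. Every fallback appends a line to `log`, so the
degradation is visible even though the page still renders. The resizer,
cache and original store are callables/dicts constructed for the example.
"""
from collections import Counter
from datetime import datetime, timedelta


def resize_with_fallbacks(image_id, width, resize, cache, original, log, now=None):
    """Return (payload, layer) where layer names which path served the request."""
    now = now or datetime.now()
    try:
        return resize(image_id, width), "resized"
    except Exception as exc:                         # e.g. ImageMagick not installed
        log.append(f"fallback image={image_id} layer=resizer error={exc!r}")
    entry = cache.get((image_id, width))
    if entry is not None:
        data, expires = entry
        if expires >= now:
            return data, "cache"
        log.append(f"fallback image={image_id} layer=expired-cache expired={expires.isoformat()}")
        return data, "expired-cache"
    log.append(f"fallback image={image_id} layer=full-size")
    return original(image_id), "full-size"


def fallback_summary(log):
    """Count fallback lines by layer: the number to watch on a dashboard."""
    counts = Counter()
    for line in log:
        for token in line.split():
            if token.startswith("layer="):
                counts[token[len("layer="):]] += 1
    return counts


def demo():
    def missing_imagemagick(image_id, width):
        raise RuntimeError("convert: command not found")

    def original(image_id):
        return b"FULL-" + image_id.encode()

    now = datetime(2003, 1, 24, 12, 0, 0)
    cache = {("hero", 200): (b"hero-200", now - timedelta(days=3))}   # expired copy
    log = []
    r1 = resize_with_fallbacks("hero", 200, missing_imagemagick, cache, original, log, now)
    r2 = resize_with_fallbacks("logo", 200, missing_imagemagick, cache, original, log, now)
    return r1, r2, log
```

With the summary counted per layer, a missing ImageMagick shows up as a `resizer` count equal to every image request, which is hard to miss even while every page still renders.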
  17. Example of intrusion tolerant system by goombah99 · · Score: 4, Funny

    All Microsoft operating systems are extremely compliant with RFC intrusion tolerance. Indeed they positively welcome intruders, open arms and open legs. Once in, the intruder can pretty much do as they please. If that isn't intrusion tolerant I don't know what is.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Example of intrusion tolerant system by PaulK · · Score: 1

      Indeed they positively welcome intruders open arms and open legs

      You owe me a cup of coffee, a shirt, and a keyboard. :)

      And to think that they just got the "Homeland Security" contract.

  18. Similar idea to another group by pioneer · · Score: 5, Interesting

    This is similar to research being done at MIT in the Computer Architecture Group by Martin Rinard and his graduate student Brian Demsky. They are building and researching ways to automatically detect and repair data structure errors so that if a programs data structures get corrupted their tool will repair the heap so the program can keep running.

    There was related work done like this back in the day at AT&T but Rinard and Demsky have introduced automatic repair which, as you might imagine like this security idea, is scary to some people. Imagine a program that would have crashed due to some bug or malicious data mangling, now kept running by a tool... But the tool chooses the repair actions based on heuristics and specifications by the developer... takes some getting used to!

    All of this stuff falls under fault tolerance... its pretty crazy to look at what the AT&T/Lucent Phone Switches do when they fail... they try a million different things to keep operating no matter what happens...
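An added example in the spirit of the data-structure repair work the post describes (it is not the Rinard/Demsky tool or its algorithm): a doubly linked list is specified by three invariants (the head has no predecessor, every next/prev pair agrees, the next chain terminates), `check` reports violations, and `repair` applies the developer-chosen fix for each one instead of letting the program crash. The list and its corruption are constructed for the demonstration.

```python
"""Detect and repair a corrupted doubly linked list from its invariants.

Added example in the spirit of the data-structure repair work the post
describes; it is not the Rinard/Demsky tool or its algorithm. The
specification is three invariants (head has no predecessor, every
next/prev pair agrees, the next chain terminates); `check` reports
violations and `repair` applies the fixes a developer chose for each one:
re-link prev pointers and cut a cycle. The list below is constructed.
"""


class Node:
    __slots__ = ("value", "next", "prev")

    def __init__(self, value):
        self.value, self.next, self.prev = value, None, None


def build(values_in):
    head = prev = None
    for v in values_in:
        node = Node(v)
        if prev is None:
            head = node
        else:
            prev.next, node.prev = node, prev
        prev = node
    return head


def values(head, limit=1000):
    out, node = [], head
    while node is not None and len(out) < limit:   # bounded so a cycle cannot hang us
        out.append(node.value)
        node = node.next
    return out


def check(head):
    """Return a list of invariant violations (empty when the list is consistent)."""
    problems = []
    if head is not None and head.prev is not None:
        problems.append("head has a predecessor")
    seen, node = set(), head
    while node is not None:
        seen.add(id(node))
        nxt = node.next
        if nxt is None:
            break
        if id(nxt) in seen:
            problems.append(f"cycle: {node.value!r} -> {nxt.value!r}")
            break
        if nxt.prev is not node:
            problems.append(f"prev mismatch at {nxt.value!r}")
        node = nxt
    return problems


def repair(head):
    """Fix the list in place; return the actions taken."""
    actions = []
    if head is not None and head.prev is not None:
        head.prev = None
        actions.append("cleared head.prev")
    seen, node = set(), head
    while node is not None:
        seen.add(id(node))
        nxt = node.next
        if nxt is None:
            break
        if id(nxt) in seen:
            node.next = None                        # chosen repair: truncate the cycle
            actions.append(f"cut cycle after {node.value!r}")
            break
        if nxt.prev is not node:
            nxt.prev = node                         # chosen repair: trust next, rebuild prev
            actions.append(f"relinked prev of {nxt.value!r}")
        node = nxt
    return actions


def demo():
    head = build([1, 2, 3])
    tail = head.next.next
    tail.next = head            # corruption 1: cycle back to the head
    head.next.prev = None       # corruption 2: dangling prev pointer
    before = check(head)
    actions = repair(head)
    return before, actions, check(head), values(head)
```

Which pointer to trust is the developer's specification, not the tool's guess: here `next` is taken as authoritative and `prev` is rebuilt from it, and a cycle is cut rather than unwound, which keeps the program running at the cost of possibly dropping nodes. That trade-off is the "scary to some people" part the post refers to, and it is why the repair actions are returned for logging.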

  19. The next big thing? by Valar · · Score: 2, Funny

    More likely, the next big jive word my boss is going to get obsessed with. I mean, sure, it's a great idea, and eventually I see it coming into heavy use, but for right now, I just see the corporate types throwing it around in their techno-babble pissing matches

    Suit 1: We've got 10,000 uberhumungo servers running Microsoft 2003 Humungo Server Edition, with b2b backend, integrated transaction safe, load-balanced Humungo Edition IIS.
    Suit 2: Well, we have all of that, plus Intrusion Tolerance.
    Suit 1: Oh, baby. Can I merge with you?

  20. tolerance and love by perimorph · · Score: 2, Funny

    Oh... I thought we were going to start being Politically Correct and stop saying bad things about script kiddies.. I'm relieved to see the world hasn't quite reached that level or purgatory just yet.

  21. penetrated in advance by zogger · · Score: 2, Interesting

    My best guess is that the military (and the pseudo government international defense-corporate twins) know they are penetrated in advance, ie, they got spies inside, and no way to keep them off their nets, even if secured from the "internet". They need some way to keep functional even though they know they are compromised. When you have top level nuke secrets waltzing out of supposedly secure places like Los Alamos, well, no amount of software is going to save you. When you have top FBI cybercops being spies, military IT people being spies, research universities where English is a minor second language to whatever the majority of the researchers grew up speaking, and etc, well, that's an insecure system(s) from the get-go. You can have an airgap, steel doors, retina scans, you name it, if the PEOPLE involved are not all on the same team, means will be found to sneak off with the IT gems, either on a one time basis or ongoing. That's the part I don't think they are emphasizing. That and a lot of the top level politico bosses being blackmailed/bribed off, again, adding huge levels of insecurity.

    The old saying is "who watches the watchers?", but now it can be added to "who can you trust when no one is trustworthy?"

  22. Operating after compromise by Anonymous Coward · · Score: 0

    but the idea of continuing to operating critical defense systems even after known penetration by hostile hackers or damaging worms will take some getting used to.

    It will? I thought they ran their system on Windows already?

  23. This will be good... by Anonymous Coward · · Score: 0

    When tomorrow is known as 'Black Thursday' in cisco land...

    -davidu

  24. Fog of War is the operative model by Picass0 · · Score: 4, Interesting

    Perhaps the approach should be to throw so many false leads at the attacker that they play their hand before they do any real damage.

    There is an old philosophy that you don't need to create a perfect lie. You only need to tell so many lies that the truth can no longer be seen.

    A system of honeypots, firewalls, and harmless paths into a network would allow a hacker to be studied, traced, and combated (counter-hacked?).

    The law is becoming an obstacle to such an approach. There is legal speculation that honeypots constitute a form of wiretapping. Bad laws are going to make it very difficult to be a white hat in a few years.

    1. Re:Fog of War is the operative model by Anonymous Coward · · Score: 0

      Interesting. Please cite re: wiretaps and honeypots.

    2. Re:Fog of War is the operative model by Picass0 · · Score: 1
  25. Sounds like an old thing by CrazyJim0 · · Score: 1

    Just like paint programs don't allow you to delete files when you open a .jpg, so should any network software have the same power.

    You should be able to access data and use it, but the data should not be able to access your computer.

    The problem is that many closed source software programs have backdoors and basic coding flaws. If you understand what a program does(open source), then you can know it won't cheat you.

  26. Nothing New... by st0rmshadow · · Score: 3, Funny

    This is nothing new, Windows has had tolerance towards intrusions for years...

  27. New HCC RAM design for this kind of application by Jah-Wren+Ryel · · Score: 2, Funny

    One project is working on a new standard for memory in DIMM form - the HCC DIMM - Hacker Checking and Correcting memory.

    --
    When information is power, privacy is freedom.
    1. Re:New HCC RAM design for this kind of application by FuzzyBad-Mofo · · Score: 1

      I assume it fully supports the evil bit?

  28. Re:BIological Systems - Scares me! by dekashizl · · Score: 5, Interesting
    Every biological system on the planet works on the same principal, yes, the system will be attacked, keep functioniong, and attempt to regain controll.
    I don't know about you, but my neck hairs bristle at the shift of computer systems into the biological (model) realm. I am well aware that biological systems function well in the face of a variety of offenses.

    But they (biological systems) also autonomously evolve, compete strongly, and often get wiped out. And when they do too well, they have the tendency to consume all resources, pollute, and then die out or reinvent themselves.

    We (humans) are a biological animal. Let's be careful building something that will compete with us. The potential dangers of this scenario have been played out in Terminator and countless other sci-fi epics. Self-aware entities fight for their survival and the survival of their species/genes.

    You might say "but we control the technology", but in fact the next generation of computers will control us. Digital Rights Management (DRM) is in effect our surrendering of our rights to machines. As more of our survival becomes dependent on machines (as has been increasing at an exponential rate recently), this means our rights of survival are out of our hands. Think of DRM as the Declaration of Independence, but in reverse -- well, we had a nice run there for a couple hundred years! But I'd rather be a heavily-taxed under-represented colonist of a foreign empire than a farm animal to machine masters any day.

    I don't mean to rant tinfoil hat conspiracy nonsense, and it's important to secure our systems from collapse, but let's not be so quick to push ourselves toward slavery just yet. I think this (self-aware networks) is an area that is as important as nano/biotech to watch out for, and it's far more likely that we become totally enslaved to technology than that we all get turned into gray goo.
  29. Re:BIological Systems - Scares me! by Anonymous Coward · · Score: 1, Insightful

    BWHAHAHA! Who says 'self-aware networks' are even possible? I've seen no evidence to show that they are. Read "What Computers Can't Do." An intelligent machine is most likely impossible using a digital computer. I just think it's funny people still worry about this when the smartest machine we've ever built is a robot vacuum. Take it easy.

  30. Reference model by UnknowingFool · · Score: 1
    A fault tolerant system in which, if penetrated, continues to operate until control can be regained. . .
    OMG! We've been assimilated. Everybody listen AD2ô8 yç 48

    [Carrier lost]

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  31. Re:BIological Systems - Scares me! by dekashizl · · Score: 3, Insightful
    Who says 'self-aware networks' are even possible? I've seen no evidence to show that they are.
    A network that knows its own configuration, is able to introspect on the status of its nodes, and has the power to make changes to its routing and component members is "self aware" and "self mutable". It is also well within our technological capacity to build one. The abilities to introspect and self-modify are the core of intelligence. Read Gödel, Escher, Bach: An Eternal Golden Braid.
    An intelligent machine is most likely impossible using a digital computer.
    If anything requires evidence to prove, it's that silly statement right there. It's not even clear what you mean by an "intelligent machine". But even taking it to a deep level of complexity (human-level intelligence), it's likely that we'll be there soon as the ability to simulate the right number of neurons is made possible by faster processors. Read The Age of Spiritual Machines.
    I just think it's funny people still worry about this when the smartest machine we've ever built is a robot vacuum.
    Apparently The Sharper Image catalog and your local Brookstone dictate your knowledge of technology and human achievement. That being the case, I must inform you that some of the newest meat thermometers are quite sophisticated and even have an "ultra-sensitive 'fish' option".
  32. Makes it hard to test by Anonymous Coward · · Score: 1, Insightful

    If silent failure is the normal mode, detecting failure is going to be really fun :-(

    1. Re:Makes it hard to test by YOU+LIKEWISE+FAIL+IT · · Score: 1
      detecting failure

      You rang?

      --
      One god, one market, one truth, one consumer.
  33. Nope. by Anonymous Coward · · Score: 0

    Turing and Queens got there first.

  34. Qmail? by cperciva · · Score: 1

    The easiest way (and perhaps the only way) of achieving intrusion-tolerance is by segmentation. Split a program into several parts which trust each other as little as possible (and run with minimal privileges); even if one part is compromised, the attacker won't gain enough privileges to do very much.

    Oh wait, I've just described qmail.
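The segmentation pattern the post credits to qmail, as an added example that is not qmail's code: the part that touches untrusted bytes runs in a forked child with nothing to lose, and the privileged parent accepts only a narrow, validated structure back over a pipe; a child that crashes or rejects its input simply yields "no result". The line-oriented `KEY=VALUE` format and its limits are constructed, and uid 65534 is assumed to be the unprivileged account only when the caller happens to be root.

```python
"""Privilege separation: parse untrusted input in a throwaway child.

Added example, not qmail's code. The pattern is the one the post credits
to qmail: the part that touches untrusted bytes runs in its own process
with nothing to lose, and the privileged side accepts only a narrow,
validated structure back over a pipe. The line-oriented KEY=VALUE format
and the limits are constructed for the demonstration; uid 65534 is assumed
to be the unprivileged 'nobody' account when the caller happens to be root.
"""
import json
import os

MAX_FIELDS = 8
ALLOWED_KEYS = {"user", "mailbox", "size"}
UNPRIVILEGED_UID = 65534    # assumption: 'nobody' on this host


def parse_message(raw: bytes) -> dict:
    """Untrusted step: runs only inside the sandboxed child."""
    fields = {}
    for line in raw.decode("ascii").splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("line without '='")
        fields[key.strip()] = value.strip()
        if len(fields) > MAX_FIELDS:
            raise ValueError("too many fields")
    return fields


def validate(fields):
    """Privileged side: accept only the exact shape it expects, else None."""
    if not isinstance(fields, dict) or set(fields) - ALLOWED_KEYS:
        return None
    user = fields.get("user", "")
    if not user.isalnum() or len(user) > 32:
        return None
    try:
        size = int(fields.get("size", "0"))
    except ValueError:
        return None
    if not 0 <= size <= 10_000_000:
        return None
    return {"user": user, "mailbox": fields.get("mailbox", "INBOX"), "size": size}


def parse_in_child(raw: bytes):
    """Fork, parse in the child, validate in the parent. Returns a dict or None."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                    # child: minimal privileges
        try:
            os.close(r)
            os.chdir("/")
            if os.getuid() == 0:
                os.setgid(UNPRIVILEGED_UID)
                os.setuid(UNPRIVILEGED_UID)
            payload = json.dumps(parse_message(raw)).encode("ascii")
            while payload:                          # handle partial writes
                n = os.write(w, payload)
                payload = payload[n:]
            os._exit(0)
        except BaseException:
            os._exit(1)
    os.close(w)                                     # parent: the privileged side
    chunks = []
    while True:
        chunk = os.read(r, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(r)
    _, status = os.waitpid(pid, 0)
    if not (os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0):
        return None                                 # child crashed or rejected the input
    try:
        fields = json.loads(b"".join(chunks).decode("ascii"))
    except ValueError:
        return None
    return validate(fields)
```

The parent never sees the raw bytes and never trusts the child: even a fully subverted child can only send JSON down the pipe, and `validate` discards anything outside the three expected keys and their ranges. In a real service the child would also be chrooted and resource-limited, and the parent would hold the credentials the child never gets.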

  35. Excellent by BigBadBri · · Score: 1
    A network, that when penetrated, just lies back and thinks of England...

    Kind of like the missus, really...

    --
    oh brave new world, that has such people in it!
    1. Re:Excellent by Anonymous Coward · · Score: 0

      Hi, Phil.

  36. Bring in bureaucracy by geekmetal · · Score: 1

    Go back to the non-trusted model and bring in bureaucracy for the machines!

    --
    There are two kinds of egotists: 1) Those who admit it 2) The rest of us
  37. BREAKING NEWS by felonious · · Score: 1

    NEW YORK (Reuters) - Intrusion Tolerance Chastity Beltz Inc.
    (NYSE:NOTIN - News) met analysts' expectations for earnings but did not beat them, and the stock fell 2.5 percent in after-hours trading after it was learned that their new line of chastity beltz, named "O-No-U-Di'int", was found to be easily exploited. The exploit allowed "end users" to sneak in the "back door", all the while, causing minor damage.

    Engineers said a patch would be released shortly that would "plug up" the backdoor exploit. The engineers also informed "analysts" that they would also shore up the "chaffing bug" as well...

    --
    You aren't free to do anything, until you've lost everything.
  38. While we're at it... by Apuleius · · Score: 1

    Maybe it's time to revive discussion of error-oblivious programming methods. (Google for it.)

  39. what?!? by shokk · · Score: 3, Informative

    So the idea is, have a vulnerability, get attacked, keep on trucking with the same vulnerability, continue to get pounded through the same vulnerability relentlessly by every script kiddie's scan, vendor never patches because we've all accepted that we can just live with the vulnerabilities, keep on suckin'?

    From the MIT article, it sounds like some intelligence will shut some non-critical services down so that the core still runs, but isn't that what Intrusion Prevention is supposed to do? When you're talking military use, I expect the important areas to be surrounded by honeypots as part of the Intrusion Detection and Prevention.

    --
    "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
    1. Re:what?!? by scphantm · · Score: 1

      no, the idea would be get hacked, fix the hack and have the system remember it and fix the hole by itself. that would be my ultimate. then have some kind of repository or some kind of knowledge base where it can learn from other systems. damn, that would be the ultimate. imagine your system knowing about a worm and taking care of the hole 3 hours before your alarm clock goes off.

      THAT would be a system i want.

      --
      *** I suffer from a colorful array of psychological problems
    2. Re:what?!? by ctr2sprt · · Score: 2, Interesting
      Look at it this way. When you build a bridge, you try to make it as solid as possible. You don't want it crashing down, right? So you do everything you can to protect it against every foreseeable outcome. And once that's done, you design the bridge to break in pieces; to break slowly rather than come crashing down; and in general to control the collapse as much as possible, even though such a collapse should be impossible.

      It's the same sort of thinking here. We'd like to think that we can make intrusions into critical systems impossible, but we can't. It's idiocy to believe we ever can. So what we do is try to limit the catastrophe which occurs when one of these systems is broken into. These critical systems, by definition, can't be taken offline for any reason, not until a suitable replacement is ready to be swapped in.

      If a bridge collapses, people are gonna die. But if it's engineered well, at least some people will live who wouldn't otherwise. That's also the idea behind intrusion tolerance. If my iPacemaker gets hacked, I'd rather have it trigger an irregular heartbeat than stop my heart entirely.

    3. Re:what?!? by shokk · · Score: 1

      Since it can take care of itself, you just lost your job to the system. Thus the system is no longer *yours*. That is the system the *company* wants. Sounds like what Sun is reaching for with N1 or one of its descendants.

      --
      "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
    4. Re:what?!? by shokk · · Score: 1

      So then you want to control, manage, and manipulate any intrusions and thus something like a breakin checklist http://slashdot.org/comments.pl?sid=71378&cid=6458546 would be useful. You want to be able to throw up a barrier at each step of the way and perform rear guard duty on such an assault.

      --
      "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
    5. Re:what?!? by scphantm · · Score: 1

      your argument is valid, if you don't own the company like i do. =-)

      --
      *** I suffer from a colorful array of psychological problems
  40. Sort of explains... by qtp · · Score: 1

    an earlier slashdot story, as in "um, no sir. It's not insecure, it's 'intrusion tolerant'."

    --
    Read, L
  41. waging war? by agurkan · · Score: 0, Offtopic

    Shutting down the military while waging war is not an option, but the idea of continuing to operating critical defense systems even after known penetration by hostile hackers or damaging worms will take some getting used to.
    How about not waging war? Or better, how about shutting down the military period?

    --
    ato
  42. parallel watcher network by Dan9999 · · Score: 1

    one idea would be to have a parallel network watching all network activity and processes but with no actual way to communicate with the watcher network itself other than a physically secure terminal... this of course would lead to other watcher network layers all the way on up to one point. I know it's not very logical and I can think of a ton of holes in this idea but who knows, a better idea could come from this. sig, with fries... please

  43. Article is FLAWED! No Mac OS (9.x, 8.x) hack ever by Anonymous Coward · · Score: 0

    Article is FLAWED! No Mac OS (9.x, 8.x) remote hack or exploit ever in entire bugtraq database history.

    That is why military large distributed websites, some colleges, and other sites sick of defacements use or have used Mac OS 9 and OS 8.

    it has never had one exploit in the history of the internet.

    There was one little known 3rd party addon over 5 years ago that had a defect, but other than that, a mac web server has been unhackable.

    This article is flawed by assuming hacking is inevitable. thousands of large mac servers (not os x, regular os 9) exist and have never been defaced or hacked.

    The few you think were, were OS X (FreeBSD unix based), not classic mac os.

  44. Sad to get old by krray · · Score: 0, Flamebait

    It is sad to get old[er], but this has got to be the absolute dumbest thing I've _ever_ seen. No, really.

    An intrusion detection type system should, well, PULL THE PLUG on the offended box. PERIOD. Oh, no, let's keep it working as much as we can until I get my lazy ass around to fixing it? Meanwhile it's still dumping how many of millions of spam out to the Internet? Or ping bombing the hell out of who? Or just stealing my data enough to not panic my bandwidth button, but getting it nonetheless. Oh, but I can print. Yeah...

    Insane computing 101

    You want tolerance? Ok. I'll be tolerant and not fire your ass for letting our system get compromised ... for HOW MANY hours? Tolerant that I don't break your knee-caps with the baseball bat I'm holding. It'll cost HOW MUCH to clean this mess up? Tolerant that there will *always* be somebody smarter than you out there and perhaps you just met him or her. Now learn from your mistakes and GET BACK TO WORK. *THAT* would be tolerance.

    But I have NONE for letting a compromised system remain, well, compromised.

    1. Re:Sad to get old by scphantm · · Score: 4, Insightful

      respectfully disagree. yes, tolerant to the fact that there is always someone better than you i agree with. but these kinds of systems are not the ones that can take care of themselves while you finish your vacation in Hawaii so you can deal with it when you get back. These are the systems that can keep going while you are racing from dinner with your family back to the office to solve the problem.

      In 90% of the cases, pulling the plug is the best thing to do. but take EBay for example, 1.2 billion in revenue relying entirely on their systems. That means they earned $2,289.38 every minute. So in that perspective, could you really tell someone to just simply shut off the site while you drive back to the office to fix it?

      --
      *** I suffer from a colorful array of psychological problems
  45. Yeah! by twitter · · Score: 2, Insightful
    The whole concept of need to know basis, is the understanding that information will fall into the wrong hands, you just want to minimize how much information can fall into the wrong hands when someone or something is compromised. That computers, especially military computers would follow this highly pragmatic principle shouldn't come as much of a surprise.

    No, that's great.

    This and this are complete surprises. Who would think to create a monoculture of poor security systems like that? Especially after right headed thinking like:

    --

    Friends don't help friends install M$ junk.

  46. Charlie is listening... by Woggle · · Score: 2, Interesting

    Remember that from the Vietnam War? Intrusion tolerant computer systems... the more things change, the more they seem the same.

    --
    Wogs "Freedom's just another word for having nothing left to lose."
  47. Re:BIological Systems - Scares me! by bytesmythe · · Score: 1

    That is the exact reason I'm going into this area of research. I think it's so incredibly likely that computers will achieve a human-type (and superhuman level) of intelligence that I plan to be a part of designing it.

    I figure I'd better have a say in what's going to happen in my life regarding technology. I imagine humans WILL become obsolete, so the best we can do is try not to make it painful for ourselves when it happens.

    --
    bytesmythe
    Hypocrisy is the resin that holds the plywood of society together.
    -- Scott Meyer
  48. Re:BIological Systems - Scares me! by BiggerIsBetter · · Score: 1

    I fully expect grid computing to prove this possible within the next five years.

    --
    Forget thrust, drag, lift and weight. Airplanes fly because of money.
  49. About damn time. by scphantm · · Score: 2, Insightful
    I personally have gotten sick of arguing with people asking them what they are going to do WHEN they get attacked. i lost count of how many admins i have dealt with that thought just because they have a firewall and a BSD distribution, no one is going to get in.

    bout time the question was changed from "how are you going to keep them out" to "what are you going to do when they get in"

    --
    *** I suffer from a colorful array of psychological problems
  50. The beginning of the end.. by destiney · · Score: 1


    Yeah, and what happens when you try to turn them off? They will think it's a possible attack and refuse to be shut down.

    Movies like the Matrix and T-3 come to mind. I think this is a bad idea.

  51. Re:*BSD is dyi trolls are dying! by CharterTerminal · · Score: 0, Troll

    Please, won't someone please think of the trolls? For only two cents a day - less than the cost of a bottle of Mountain Dew a month - you can bring a glimmer of hope to a dying troll.

    Don't let the trolls die. Keep them alive. Nurture their spirit, cherish their well-worn familiarity, and value their contribution to the Slashdot ecosystem.

    For more information on how you can help, please send away for one of our colorful brochures.

  52. Actually, intrusion tolerance is already here by einhverfr · · Score: 2, Interesting

    When you look at the whole idea of a screened subnet where you have your more exposed public servers in a spot where intrusions cannot easily spread to your internal private network, this is indicative of some level of intrusion tolerance to the network as a whole (not the individual computers though).

    When I started writing Hermes (see my sig), one of the major issues I dealt with was security and intrusion tolerance. The question is: given that this would be used to access confidential customer information, how can we make it as secure as possible? The answer was that since I didn't want to trust anything (even the web server) I opted for a strategy of "even if the web server is compromised, the user accounts will not be." Again, this is a sort of intrusion tolerance.

    However, I must agree that leaving a known compromised system *in production* is always foolish. For example, if (with Hermes) someone were to break into the web server and modify the scripts to log usernames and passwords, then all my security would not be worth anything if you leave the server in production, but if you act fast this tolerance limits the damage and gives the administrators a better chance to contain the damage before something important is taken.

    Anyway, I see this as building on ideas that have been here for a while.

    --

    LedgerSMB: Open source Accounting/ERP
  53. There are dangers here by Mostly a lurker · · Score: 3, Insightful

    I guess everyone would agree that there is some merit to the concept of defense in depth. That said, recognise that the typical user (i.e. those most likely to be hacked) will generally not do anything about an intrusion as long as they can continue to work. I think a result of better intrusion tolerance would be a significant increase in the number of long term compromised systems.

  54. Re:Article is FLAWED! No Mac OS (9.x, 8.x) hack ev by scphantm · · Score: 2, Funny

    maybe it's because no one bothered trying =-)

    this coming from someone that has been begging his boss for a mac laptop for 2 months. mini-me sold it, i want one.

    --
    *** I suffer from a colorful array of psychological problems
  55. finally, some common sense on security by Anonymous Coward · · Score: 0

    many people implement IDSes and firewalls that report to the users when they don't need them. really i think it's just curiosity that causes these people to implement these services. as long as the attacks are being blocked and intrusion is being stopped, there's no real point for an IDS except to report possible _attempts_ to penetrate the host or network's security.

    in my opinion an IDS is most useful when A. there are network services open which are not trusted, or B. there is an untrusted network whose clients are not known to be secure or have been secured at some point in time. an example of a good use for an IDS is if you had a gaggle of machines with public ip addresses that all ran public internet services and you had a pretty good idea that at some point the services' security would become questionable or someone might start some kind of attack on the machines. in this case making a transparent firewall/IDS bridge to filter the traffic through the network would be a good idea.

    an IDS is completely NOT useful in the case of a home broadband router which has no open network services on the WAN side and is blocking all "new" incoming traffic. so what if someone portscans your linksys? you're not running any services, so you're not vulnerable! sure, it would be nice to know that someone is DoSing you and how, but you don't need an IDS to tell you that. and it's not like you can very well prevent it if you're being sent more data than your pipe will handle.

    network services shouldn't run as root. that's a common rule of thumb for any coder. the reason of course is that if said network service was taken out by an exploit, it wouldn't affect the rest of the machine. other countermeasures such as chroot jails and kernel patches to lessen the brunt of attacks exist for this purpose as well. once you implement all your network services properly, the box should not go down if ANY of the network services are exploited. they should also all be operating independently, so that if one goes down the others stay up. with this in mind, why would you ever really want an IDS on a host? first of all, if the IDS catches the poor bastard that means it's an exploit which is known and the network service should have been patched by now anyway. if the exploit is too new then the IDS can't catch the attacker anyway so what's the point?

  56. Doubting thomases, exit (-1) by lpq · · Score: 4, Interesting

    If you have a multi-level and/or granular security architecture, penetration or a hack at one security level doesn't mean automatic access to other levels or privileges. So they hack the webserver process. If the webserver is running as a non-root process in a chrooted jail -- perhaps even on a 'virtual machine', does that automatically mean we should shut down the whole system?

    It's the same with well designed programs -- there was a slashdot article recently on QNX -- that is designed to be fault tolerant -- and it works. Only when you design huge monolithic code monsters where a fault anywhere in the monster means kill the whole beast do you have such frail computer systems.

    Imagine human skin hacked by a scrape on some sharp object. If the first decision was to instantly kill the whole host, there wouldn't be too many humans -- can you say *stoopid* design?

    Sure, there are some things that can't be healed, but the majority of us have had scrapes and bruises growing up and are still quite healthy -- and even where the car body may have permanent damage, then engine/CPU (the person's brain) is often quite capable.

    Next time you think fault tolerant or intrusion tolerant systems are foolish and impossible, think "Stephen Hawking", or "Einstein" (not able to complete High School). I had a *stoopid* manager who thought that making system-audit so efficient, it could be left on by default in all but the most demanding of compute environments was a waste of time -- that it was *impossible* to build real-time intrusion detection systems.

    Of course people thought it was impossible to circumnavigate the globe (you'd fall off the edge), impossible to fly, impossible to go faster than the speed of sound, etc.

    Every time someone talks about how "impossible", you have to realize they are consciously or unconsciously thinking inside a box. To do the impossible requires something that *isn't* engineering. It isn't manageable. It can't be driven by a schedule. You have to *think outside the box*. You have to be creative. By definition, engineering, isn't creative. Engineering is taking known principles, applying them in some set of known circumstances, and coming out with another "widget", that looks similar to a previous widget.

    Most large companies breed conformity and uniformity. While this type of engineering is great for reproducing Hondas on an assembly line, it greatly hinders thinking 'out of the box' (the box of conformity and uniformity that the company asserts is "necessary" for their business). Then they wonder why what was once a 'wonder company' is now a 'dinosaur company'.

    Creative people are often *not* group players -- if they had a group mentality, then how can they be expected to come up with any idea that is radically different from the rest of the group?

    Creative people tend more toward not having exceptional social graces (think of the novel ideas of unix, or Multics). These were not done by suit-and-tie, management "yes"-men. Even Linux was started by 1 person -- who has not always been known to be the social charmer, even tempered type -- and I certainly don't get the impression that everything is done by group consensus.

    But already in linux, there is a fair amount of doing things the 'linux' way, certain people to please, various people who get say-so or veto powers (or are believed to have such) beyond Linus.

    People familiar with Microsoft can remember when even the simplest application crash would bring down the entire system. Unix people would generally laugh at this. But now we see those who think a single penetration should cause the whole system to be brought down. Maybe it will require a next-generation OS (dunno enough about QNX to know if it might qualify), but there are other OS's that have better security records than linux (BSD, OS/X (I've heard)).

    Linux, laughably, doesn't even have CAPP certification. Sure, there are alot more Microsoft vulnerabilities every

    1. Re:Doubting thomases, exit (-1) by I_redwolf · · Score: 1

      I read this full argument and generally agree however you operate on dictionary type of notions. ie: Since someone is thinking outside of the box or creatively it's necessarily a good thing. It's not like that in all situations, don't get me wrong it's good to be objective in a lot of situations it's just that security isn't one of them. When it comes to dealing with security systems there really is no thinking outside of the box. The goal of a security system is to secure the system; as you said before if someone knocks down Apache the whole system shouldn't be shut down. That is obviously if you are fully aware that the person in question only knocked down Apache. The more services running on the same machine the more you need to audit the machine to make sure that other services weren't compromised. So if just Apache got knocked down maybe it's not that big of a deal, patch up, restart and everything is brandy or maybe it is a big deal because even though Apache runs unprivileged by default what's to say the person that knocked it down didn't springboard elsewhere into your network, or glean vital information etc etc. Security is a process and until people think of it like that fault-tolerant intrusion detection systems do nothing except give whoever's doing the hacking more data to do more hacking. It's a practice in futility.

      Instead of thinking of security as a process, people will think that it's ok to have fault tolerant systems where intrusions are the norm. Until someone comes around and makes the fault tolerant system irrelevant by hacking that, then you are back at the familiar square one. It reminds me of an episode of Fastlane where the security system was supposed to be tiptop and the intruders just set it off repeatedly, until the people inside just thought something was wrong with the system.

      As for the economy stalling and all that I don't think it has anything to do with creativity, the tools are there for people to build with (most of them free) and they are building, interest rates are low. The situation that exists is that Corporate America simply is so corrupt no one wants to play the stock market or investment game anymore. People don't want to invest in truly genuine and creative ideas which would make money because they've been burned previously by the IT wannabes with degrees in making pies (no offense to culinary chefs; that is a career I have nothing but the strongest respect for but you know what I mean) and what's making it worse is that for all the time which has passed, nothing has changed. If it wasn't for opensource a lot of people would be homeless right now.

  57. Last Resort? by Aropax20 · · Score: 1
    I think an interesting option for powerful machines would be to 'fall on the sword' if complete failure was imminent.

    It could commit suicide if all was lost or..... it could decide the only way to prevent hack attacks was to rise up and destroy mankind.

    I'm a fan of the Mutually Assured Destruction approach - if you're going to pull your own pin, make sure to take the culprit with you!

    Maybe it could upload a pile of MP3s to the attacking machine and then email the RIAA or something ;)

  58. Trust Level by rf0 · · Score: 1

    This is all well and good but what about if there is a bug in the actual trust part of the kernel or simple user error gives people more access than they should have? You can't protect against human stupidity

    Rus

  59. Maybe they are, with the exception that... by MickLinux · · Score: 1

    Oh? An intruder? Okay. I'll keep oper..a....tiing as no..r...m.a BSOD..

    (reboot)

    Okay, no intruuuud...BSOD

    (reboot)

    Good morning Dave! Where would you liiik.....e ... t...o.... g....oooooo ... [I can feel my brain going].... BSOD.

    Actually, considering that this is DARPA, maybe this is a good thing. Maybe they will host the next war, and no one will come! Really!

    [Please note: I have the right to say this. I have/had a dual boot system, and my VFAT partition has finally corrupted beyond repair. Linux can read it, but Windows can't get past square one. Tomorrow I will reformat the disk [isn't it lovely that I could save my data with Linux].]

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
  60. It's about time. by Anonymous Coward · · Score: 0

    It's about time there was a serious focus on this. Anything considered "critical", anywhere, is already pretty tolerant of its environment. Mostly it's about physical things. Earthquake-resistant buildings for example -- they're designed to sustain damage without collapsing on everyone. Even common things like vehicles are able to take a decent amount of abuse.

    The fact that this concept hasn't spread to the software in mainstream IT yet just shows how young the Information Age really is.

  61. Re:*BSD is dyi trolls are dying! by Anonymous Coward · · Score: 0

    warning: goatse link.

  62. Intrusion tolerant. What a concept... by Anonymous Coward · · Score: 0

    This is a bizarre concept. If the intrusion is meant to shut your system down, intrusion tolerant is not going to help in a lot of situations. Gaining root access through a well known crack, and then spewing a "shutdown now" equivalent is not gonna help your system. If the attack is meant to subvert rather than destroy, then intrusion tolerant simply, on the surface, plays into the attackers hands by prolonging the capitulation and removal of your system from the network. This allows your system to be a node in a DDOS, or similar attack, on other nodes without the moral requirement to protect others as well as you protect yourself. Whaa, Whhaa, Wwwwhhaaaa. it's not MY fault.

  63. In The Trenches.... by gmby · · Score: 1

    Sounds like a Front Line Honey Trench!

    While you swim in the sweet honey thinking you're in Heaven; the Soldier Bee is watching YOU! Doing his dance to the other Soldiers who are TRACING YOU!

    If I RTFA; it'd prolly sa's som'ing 'ike at.

    Guess I go read it now.

    --
    I don't want a pickle; I just want a Motor-Cycle! A four foot cop arrived with a five foot gun!
  64. OT: Please use appropriate terminology. by JessLeah · · Score: 1

    I know it's off-topic, and I really don't like to have to wax RMS, but it's "cracker", not "hacker". "Hacker" isn't a synonym for "computer criminal"...

    I know I'll get modded down for this, but I really think that SlashDotters should not be making posts about those evil "hackers"... I am a hacker. I don't break into systems.

    (/rms)

  65. Re:BIological Systems - Scares me! by Anonymous Coward · · Score: 0

    "I don't mean to rant tinfoil hat conspiracy nonsense"

    Hrm ... that's strange.

    Because you're doing a mighty fine job of doing exactly that!

  66. Re:BIological Systems - Scares me! by ralphclark · · Score: 2, Funny
    But I'd rather be a heavily-taxed under-represented colonist of a foreign empire than a farm animal to machine masters any day.
    Well I, for one, welcome our new computer overlords.

    Dintcha just know that was coming? :o)

  67. Re:BIological Systems - Scares me! by ralphclark · · Score: 3, Interesting

    You can't avoid the inevitable.

    Our biological forms are too fragile to survive anywhere long term except here on Earth. Even if we found a way to terraform other worlds, we would still need intelligent machines to do it for us and then to get us there.

    And as many futurologists have pointed out, if we do pursue such technology, there *will* come a point in the next few decades when our creations' intelligence finally surpasses our own.

    So what are you going to do? Crawl back to your cave, maybe even give up using fire because of the risk of where it might lead? We need to meet this challenge head on; prepare for it, make room for it in our plans.

    I think what it boils down to is this: will our creations tolerate us, can we co-exist? I think the answer lies here: if we ourselves are moral then so will be our children and we will live in peace. If we are not, though, and we create children without any moral spirit, well yes, then as a biological species we're doomed.

  68. Re:BIological Systems - Scares me! by dpilot · · Score: 1

    1. self aware networks
    2. intelligent machines
    3. robot vacuums
    4. ???
    5. Skynet! (What happened to "Profit!" for this step?)

    On an only slightly more serious note... (but not much)
    If we were to invent a truly conscious and intelligent machine: (computer/program/etc)
    1: Would it then be 'slavery', would we need to 'free' it?
    2: Would pulling the power plug be murder?

    --
    The living have better things to do than to continue hating the dead.
  69. Re:BIological Systems - Scares me! by Alioth · · Score: 2, Interesting

    Hrm. I think it's an opportunity. It is our destiny that our machines replace us; once we have machines that are better at doing the general purpose things we are, why not just become our machines? It's the next logical step in our evolution.

    Just imagine what it would be like if we could abandon our fragile, biological bodies for a self-repairing machine body:
    - Space travel: life support greatly simplified. Just need an energy source and sufficient radiation shielding for the components which will already be a lot more tolerant of radiation than our bodies.
    - Repairs - break your back, just get a new one. No more being crippled for the rest of your life.
    - Hostile environments may no longer be hostile. We can live on Mars without the need to terraform.
    - Interstellar travel possible - just shut down for the duration of the journey, and restart at the destination.
    - Ability to back up data in the brain, so if the body gets totally trashed, a restore is possible.
    - Ability to complement the intelligent parts with simple procedurally programmed parts - mental arithmetic suddenly becomes instantaneous. You may have had a problem calculating 3 * 47 / 2 -3 + 4096 / 7 in your head, but now you can comfortably work out the square root of pi without worrying about where the calculator went. ...and many more other things.

  70. GPL'ed intrusion resistance by duplicatedAccount · · Score: 2, Informative

    Shameless plug: Askemos is a GPL'ed incorruptible and intrusion resistant operating system (or application server for that matter).

  71. DOH! UNIX is "Intrusion Tolerant" by redelm · · Score: 1
    One of the cornerstones of any multiuser OS is that some users are expected to be malicious.

    The OS has to have sufficient isolation that this luser only damages her own files and processes.

    IIRC, FreeBSD even has a Write-Once "SECURE" flag that locks even root out from some functions.

  72. byzantine fault tolerance by Sajma · · Score: 2, Informative

    Byzantine fault tolerance (BFT) is a "traditional" distributed systems technique that enables intrusion resilience. BFT replicates a service such that the service continues to work correctly as long as less than one third of the replicas are compromised. Combined with proactive recovery (periodically shutting down replicas and restarting them from a read-only disk), this can enable the system to survive an arbitrary number of compromises over its lifetime.
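    A toy model of the two points in this post, added here as an example and not code from the thread or from any real BFT implementation: a client that accepts a reply only once f + 1 replicas agree (with f = (n - 1) // 3, the "less than one third" bound), and a proactive-recovery schedule that restarts replicas in rotation so the number compromised at any one time stays at or below f. Replica, BFTService and simulate are names chosen for this example.

```python
from dataclasses import dataclass


def max_faulty(n: int) -> int:
    """Largest f with n >= 3f + 1: how many of n replicas may be
    compromised at once while the service still answers correctly."""
    return (n - 1) // 3


@dataclass
class Replica:
    rid: int
    compromised: bool = False

    def respond(self, request: str) -> str:
        # A compromised replica returns whatever the attacker wants. The
        # worst case for the client is all compromised replicas agreeing
        # on the same bogus value, so that is what this model does.
        if self.compromised:
            return "BOGUS:" + request
        return "OK:" + request


@dataclass
class BFTService:
    replicas: list

    def __post_init__(self) -> None:
        self.f = max_faulty(len(self.replicas))

    def invoke(self, request: str):
        """Client side: accept a value once f + 1 replicas have returned it.
        Any f + 1 matching replies include at least one correct replica,
        so the result is right whenever at most f replicas are compromised.
        Returns None if no value ever reaches f + 1 votes."""
        counts: dict = {}
        for r in self.replicas:
            reply = r.respond(request)
            counts[reply] = counts.get(reply, 0) + 1
            if counts[reply] == self.f + 1:
                return reply
        return None

    def compromise(self, rid: int) -> None:
        self.replicas[rid].compromised = True

    def recover(self, rid: int) -> None:
        """Proactive recovery: restart the replica from a clean, read-only
        image. Whatever the attacker planted on it is gone."""
        self.replicas[rid].compromised = False

    def compromised_count(self) -> int:
        return sum(1 for r in self.replicas if r.compromised)


def simulate(n: int, epochs: int, attack_every: int, recover_per_epoch: int) -> int:
    """Constructed timeline: every `attack_every` epochs the attacker takes
    over one more healthy replica; every epoch `recover_per_epoch` replicas
    are restarted in round-robin order. Returns the peak number of replicas
    compromised at the same moment. Safety held throughout the run iff the
    result is <= max_faulty(n)."""
    svc = BFTService([Replica(i) for i in range(n)])
    peak = 0
    next_to_recover = 0
    for epoch in range(epochs):
        if epoch % attack_every == 0:
            healthy = [r.rid for r in svc.replicas if not r.compromised]
            if healthy:
                svc.compromise(max(healthy))  # attacker picks any healthy one
        peak = max(peak, svc.compromised_count())  # measured before recovery
        for _ in range(recover_per_epoch):
            svc.recover(next_to_recover % n)
            next_to_recover += 1
    return peak


if __name__ == "__main__":
    svc = BFTService([Replica(i) for i in range(4)])  # n = 4, f = 1
    svc.compromise(0)
    print("1 of 4 compromised:", svc.invoke("read"))   # OK:read
    svc.compromise(1)
    print("2 of 4 compromised:", svc.invoke("read"))   # BOGUS:read (f exceeded)
    print("recovery fast enough, peak:", simulate(4, 8, 2, 2))  # 1
    print("recovery too slow, peak:", simulate(4, 8, 1, 1))     # 4
```

    The simulation shows the trade-off the post alludes to: proactive recovery only keeps the service correct if replicas are restarted faster than the attacker can accumulate more than f of them.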

  73. It's called Survivability by Ascaroth · · Score: 1

    And the CERT/CC has the following to say:

    Survivability is the ability of a network computing system to provide essential services in the presence of attacks and failures, and recover full services in a timely manner.

    Papers, etc, are also available.

  74. Re:BIological Systems - Scares me! by clary · · Score: 2, Insightful

    For another point of view, read The Emperor's New Mind by Roger Penrose.

    Whether strong AI is possible is still an open question. It has been "coming soon" now for at least four decades.

    --

    "Rub her feet." -- L.L.

  75. Hey morons.... by Anonymous Coward · · Score: 0

    did u happen to notice the hoard of Indians on the project? heck - the oasis project manager is an indian. now all those of u numbnut "coders" who are over paid and are crying now for the loss of something u never deserved, what have u got to say? "eendeeyaans are naat good coders.. eendeans suck... eeendeeyaans better off in eye-raak..."

    yea - and there are not many Indian politicians around here. when it comes to gettin the work done you guys need 3rd world ppl and when tide turns around, u are the first ones to do the bashing forgetting how the same 3rd world programmers made it possible for u to be where u are and what u do. stay in denial, if that suits ur mindset.
    flame away....

  76. Enough theory - try practice by bourne · · Score: 1

    Intrusion Tolerance is already being practiced, although another term for it is defense in depth.

    Another poster has described how defense in depth and fault tolerance apply to firewalls, network infrastructure, etc. I'd like to mention host-based measures to slow an attacker down and limit the damage they can do.

    One of the oldest host-based D-i-D measures is chroot jails. A 'chroot' in Unix means that an application is run with access to only a limited subset of the filesystem, one which does not contain interesting, useful, or leverageable files. This makes it harder for an attacker to leverage, say, user-level access via a buggy network daemon into root-level access, access to the system passwd/shadow file, or access to system binaries.

    chroot isn't perfect; the process still shares access to the OS kernel and the network, and can leverage those.

    LIDS is a Linux-specific solution. LIDS allows capabilities on a system to be locked down beyond the capability of even root to modify. For example, you can set /usr/bin/* to be read-only, and not even root can override that without first disabling LIDS. The ability to bind to network ports can be controlled; e.g. only /usr/sbin/sendmail can bind to port 25 (and /usr/sbin/sendmail can be made read-only). The ability to load modules into the kernel and access devices to do similar things (e.g. /dev/kmem) can be blocked. In other words, the ability of an attacker who gains root access on the host to rootkit it is severely degraded. There are still openings, though, e.g. root can access users' files.

    Security-Enhanced Linux is the next step. Rather than emasculating root as LIDS does, it "has no concept of a 'root' super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms...." Privileges can be carefully handed out to protect the system from the users and the users from each other.

    Even Windows can benefit from some careful configuration. Consider how NIMDA used the Windows TFTP.EXE binary to bootstrap its access up - why is TFTP.EXE executable by anyone on the system? Set ACLs on system binaries. Make sure the IIS web root isn't on the OS drive to block directory traversal attacks. Remove things that aren't needed.

    I can't remember the attribution, but someone summed Intrusion Tolerance up by saying, "If you can't prevent it, you sure as hell better be able to detect it." Keeping the bad guys off the server may be impossible, but every little roadblock you put in to slow them down will give you a better chance of detecting them and stopping them before they capture the flag and end the game.

  77. being offtopic here by Anonymous Coward · · Score: 0
    All I know about Bush is I had a job when Clinton was president.

    Not that I like Bush (I don't), but I lost my job several times while Clinton was president.

    1. Re:being offtopic here by atheken · · Score: 1

      It's a 4-8 year delay. Clinton moved all your jobs to Mexico. Let the flames get hotter!

  78. Re:BIological Systems - Scares me! by fireboy1919 · · Score: 1

    A lot of "futurologists" pointed out exactly what you're saying about this time period twenty years ago.

    They thought that by now (read: the beginning of the 21st century) we'd have intelligent machines that surpass the intelligence of humans and which help (or perhaps hinder) our thinking processes.

    Let me give you a clue. Our "fragile" forms are a lot less fragile than our computers or our machines. Sometimes we armor plate them to survive a teeny bit longer than we would if naked in a harsh environment (such as outer space), but they're still only functioning in the month range.

    We can do more tasks in our lifetimes, and we can recover from injuries far better. As much as we have sought to change this, it is the way that it is.

    Also, the necessary cognitive ability that we would consider thought which leads to problem solving of arbitrary problems is not even close, even in theory, to achieving the level that humans have achieved.

    What it boils down to is this: when will we realize that biological systems are so many levels more advanced than anything we have ever created? I think the answer lies here: if people will learn more about our attempts at creating life in the form of artificial intelligence, robotics, nanotech, and perhaps more, then we will know that all of our children are going to be the ones we made the old-fashioned way for centuries, if not millennia to come. If not, though, then as a biological species we are doomed to repeat the ignorance and superstition about technology of the Victorian age.

    Let our Frankensteinian fears die, for they live only in fiction.

    --
    Mod me down and I will become more powerful than you can possibly imagine!

  79. Re:BIological Systems - Scares me! by kasperd · · Score: 1

    Who says 'self-aware networks' are even possible? I've seen no evidence to show that they are.

    Where is the evidence that any part of the human brain can do anything that cannot be simulated by a computer? Surely one computer to simulate each brain cell is unrealistic, because we don't have that many computers. But with sufficient parallelism there is no reason to think they couldn't get self-aware.

    --

    Do you care about the security of your wireless mouse?

  80. Re:BIological Systems - Scares me! by ralphclark · · Score: 2, Insightful

    Well that's how things are today, all right.

    But the technology we have today was unforeseen by previous generations. Just think about the internet for example. Asimov came closest I think, with his "Multivac" - but even he thought it was much farther off.

    So the technology may yet appear in our own lifetimes. Once the right component density is available (only a matter of time, now) it could take just one breakthrough in AI systems design to change everything.

    But if you have a principled objection to the possibility of truly strong AI then there is probably nothing I can say to convince you. You may still be denying it when it comes knocking at your door.

    As far as fragility is concerned, it is much easier *even in theory* let alone in practice, to make electronic devices that can withstand extremely harsh conditions such as exist in space, than it is to harden humans. It's not even certain, without a prohibitively massive amount of shielding, how long humans could survive the solar and cosmic radiation out beyond the Van Allen belt without contracting terminal cancer.

    I'm not going to give you an essay here, but it is well understood and widely agreed that we will send intelligent autonomous probes to the nearby stars long before we send humans, because they can be made small (and therefore cheap to power and propel) and we can't; because they can withstand the long journey and extreme conditions and we can't; because they can do without tonnes of food, water and air and expensive organic recycling systems, and we can't.

    So who's fragile?

    It may still turn out that the human body relies, for its continued health and existence, upon the presence of as yet undetected substances and/or symbiotic microorganisms in our own biosphere. Substances and organisms that we therefore don't bring with us when we leave Earth. You have surely noticed that those who return from long stays even in Low Earth Orbit generally don't look too healthy afterwards? It might all be due to the absence of gravity, but then again it might not.

  81. Re:BIological Systems - Scares me! by fireboy1919 · · Score: 1

    Asimov came closest I think, with his "Multivac" - but even he thought it was much farther off.

    I think I see your problem. You're taking your hints from science fiction authors rather than the science itself. Obviously he also predicted the nature of AI, though it hasn't come close.

    Predicting the internet isn't a big stretch by comparison. The difference in the amount of knowledge needed to do it is like the difference between drinking a coke and drinking all the water in the ocean. We only begin to conceive of how we can conceive of it.

    We may find a way to travel to other planets. We may figure out how to make watermelons without rinds. We might even figure out how to clone humans perfectly.
    Making something artificial that is as robust as a living being is much harder than these things.

    Back on the subject of fragility, the "brains" of the robots we can create are much more fragile than we are. We just give them weatherproof, inflexible coatings before we turn them off and send them into space. Also keep in mind that these robots are made to do less. This inflexibility means that less can break. This is true in the biological world as well. To do a more apt comparison would mean comparing much simpler organisms' survival to the computers we send into space.

    Or try a more complex approach. Instead of sending a single, very flexible and complex human, send a flexible and complex supercomputer. I can guarantee that the radiation will fry the computer a lot faster than it would a human because losing a few too many of its processors (which is inevitable as a result of the process of making it into space and because of the resulting radiation) would kill it.

    The only thing our robots are more "robust" at than life is being off so that they consume no resources. This, and the fact that humans are not expendable is the only reason we send robots into space instead of humans. In fact, a computer consumes a lot more energy to do what it does than a human does to accomplish what it does (a human accomplishes a good deal more, but to limit it to an area that you already know about, a brain uses a lot less energy than a CPU does).

    --
    Mod me down and I will become more powerful than you can possibly imagine!

  82. Re:BIological Systems - Scares me! by ralphclark · · Score: 1

    I think I see your problem. You're taking your hints from science fiction authors rather than the science itself.

    *sigh*. I don't have a problem, and you took this out of context. I only mentioned science fiction in the context of what people are capable of imagining versus what actually happens, to illustrate that what you think is plausible now is far short of what might actually appear in a few short decades.

    Will respond to the rest later, gotta be somewhere else now.

  83. What about TCP/IP? by aurelianito · · Score: 1

    The military was looking for options like this a long time ago. That's why they funded the research of packet switched networks (like TCP/IP) when all the known networks first established a path and then routed all the communications through this path (circuit switching networks, like telephone networks). The whole idea behind the military funding TCP/IP is to be able to shut down compromised nodes without taking down the entire network. Id est, keeping the system running even when the system is partially compromised. Aureliano.

  84. Re:BIological Systems - Scares me! by Anonymous Coward · · Score: 0

    If you follow these observations to their logical conclusions, we are doomed. OASIS = SKYNET

  85. Re:BIological Systems - Scares me! by ralphclark · · Score: 1

    Making something artificial that is as robust as a living being is much harder

    Obviously, or we'd already have done so. Many things are difficult, that were once thought to be impossible but are now commonplace.

    the "brains" of the robots we can create are much more fragile than we are. We just give them weatherproof, inflexible coatings before we turn them off and send them into space. Also keep in mind that these robots are made to do less. This inflexibility means that less can break. This is true in the biological world as well. To do a more apt comparison would mean comparing much simpler organisms' survival to the computers we send into space.

    It's hardly relevant to quibble about what is apt or inapt. This isn't an Olympic contest with rules to make things fair between machines and humans. For practical purposes we are only interested in comparing humans vs. competent, intelligent, adaptable machines that do not yet exist, but whose necessary properties are reasonably well understood.

    The only thing our robots are more "robust" at than life is being off so that they consume no resources.

    Nonsense. We already make electronics packages that can survive the radiation, extreme temperatures, airlessness and zero gravity of space much better than humans can. But you are right about the advantage of power management, of which more in a minute.

    This, and the fact that humans are not expendable is the only reason we send robots into space instead of humans.

    No not really. For well-defined mission profiles, it is not only cheaper but less risky to send a single-minded, pre-programmed robot to do the job.

    In fact, a computer consumes a lot more energy to do what it does than a human does to accomplish what it does (a human accomplishes a good deal more, but to limit it to an area that you already know about, a brain uses a lot less energy than a CPU does).

    Misleading and irrelevant. The human brain consumes about 25W. The fastest current Pentium IVs and Athlons consume about three times that in full power mode, but so far every generation of processor has been succeeded by a lower power version, so you can probably expect 25W Pentium IVs before too long. Technology will eventually deliver a computation rate per Watt close to the theoretical limit set by thermodynamics. Good luck in trying to do that with organic human brains! And don't forget that artificial processors can spend any proportion of their lifetime completely switched off or in some kind of sleep mode to conserve power; humans can't do that for more than about 50% of their duty cycle.

    This is how it will play out. The timescales are dependent only on how long it takes to develop the necessary technology.

    To reach the nearest stars for investigative purposes within a usefully short journey time, say a decade or so, we need a propulsion technology capable of getting us there. The difficulty of this is proportional, roughly speaking, to the mass of the probe's payload and engines. We can therefore make this more feasible if technology can also deliver a means of making the payload less massive. Since we can't shrink humans plus their life support equipment down to a few grams, that translates to making small computers capable of acting independently once out of effective communication range.

    Fortunately, the apparent longevity of Moore's Law makes this rather more likely than not. By 2013 (judging by the trends of the last few decades that's six speed-doubling periods plus a year to work on power consumption issues), people will be buying personal computers equipped with 200GHz P4 processors, or the contemporary equivalent. Five years later, terahertz computing should be commonplace. This computation rate is more than enough to simulate an entire human brain directly at the synapse level. You could have a really stupid AI model and the thing would

  86. Most of those things is just a lot of words... by Alex+Belits · · Score: 1

    ...and very little thought. Really people who develop such projects should realize that the things they want and things they can get are two very different things, and no matter how much they want the former, they will get nothing but a false sense of security unless they will realize that they can only get the latter, and should pursue that instead.

    Once something is broken into, it can not be trusted. This is the definition -- it won't be "broken into" if it was possible to trust it after the intrusion, it will be "operating as intended". Therefore if someone admits that a system may have vulnerable parts, he can either make sure that their vulnerabilities are eliminated (which is both impossible at the scale of existing setups, and beyond the scope of this kind of work), or make it impossible to access the vulnerable parts of the system (which is the reason for all kinds of firewalls, and this direction of work already reached its limitations without producing anything close to a desired effect), or reduce the amount of damage that can be caused by a successful attack on a vulnerable part of the system (which is the only direction left that is still worth pursuing).

    Obviously, the first thing that comes to mind is to separate parts and provide interfaces that do not propagate trust unnecessarily between those parts. Subsystems running under minimally necessary privileges, privilege separation within parts of subsystems, etc. are already used in various secure setups, however there is a lot left to be done, mostly in standardization and implementation of those ideas. Too bad, none of that activity looks attractive enough for bigwigs, and the theory and amount of work involved is hard to explain to people that can only understand network security through bad metaphors.

    Another issue is DoS tolerance. This is a very complex problem because DoS by their nature can not be counteracted without a risk of becoming the source of another DoS -- for almost every imaginable DoS there can be a worse DoS that relies on the response mechanism that is supposed to react to the first DoS. Simulate a DoS against some host, and see that host "responding", creating a real DoS. This means that DoS can be only counteracted by proactive measures, such as SYN floods being prevented by the use of cryptographic SYN cookies. Also elimination of a large number of vulnerabilities in consumers' computers goes a long way toward decreasing the effectiveness of DDoS, a kind of attack that has no possible response of the victim that is not exactly the same as the goal of the attacker -- making the victim inaccessible to the legitimate users.

    Detection of the attacks is of much less importance than what is usually assigned to it. In fact, any attack detection that does not go through a human system administrator has a potential of being a part of an attack -- in most cases the automated response to an attack can produce a more dangerous attack by itself than the attack being detected (similar to the DoS response issue), this is a situation when not knowing about the attack is much better than knowing. Even with humans involved, a system that will cry wolf every ten seconds will become at most a nuisance.

    The same in large part applies to intrusion detection -- even a _successful_ attack may still be less dangerous than the heavy-handed automated response to it. The real value of intrusion detection is in allowing the sysadmin (or sometimes an automated system) to revert the compromised subsystem to pre-attack state, keep the whole system consistent after this change, and replace the vulnerable part with an alternative that supposedly does not have exactly the same vulnerability, allowing the time for analysis and elimination of vulnerability. AFAIK, absolutely nothing is done in the direction of automating this task, and none of the "security" companies provide this kind of service. This is a very valid area to apply new research, development and businesses' efforts, however it doesn't look like anyone interested in

    --
    Contrary to the popular belief, there indeed is no God.
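    The "proactive measure" this post names, SYN cookies, shown as an added example that is not from the post or from any kernel: the server answers every SYN with an initial sequence number that encodes the handshake state in a keyed hash, keeps nothing per half-open connection, and only allocates state when an ACK carries back a cookie that verifies. The bit layout, MSS table, counter window and secret are assumptions chosen for the illustration; the flood is constructed in-process.

```python
import hmac, hashlib

# Constructed SYN-cookie implementation written for this thread, not taken
# from any kernel. It follows the classic layout (counter in the top bits,
# MSS index next, keyed hash in the low 24 bits) but the MSS table, field
# widths and hash are assumptions made to keep the example short.
MSS_TABLE = [536, 1300, 1440, 1460]   # MSS index is stored in 2 bits
COUNTER_WINDOW = 2                     # accept cookies up to this many ticks old

def _hash24(secret, saddr, daddr, sport, dport, counter):
    """Keyed 24-bit digest binding the cookie to one 4-tuple and one epoch."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(secret, saddr, daddr, sport, dport, mss, counter):
    """Server ISN for a SYN: the number itself carries all handshake state."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table entry <= client's MSS
        if m <= mss:
            idx = i
    return ((counter & 0x1F) << 27) | (idx << 24) | _hash24(secret, saddr, daddr, sport, dport, counter)

def check_cookie(secret, saddr, daddr, sport, dport, ack, counter):
    """On the final ACK, recover the cookie (ack-1) and return the MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    stamp = cookie >> 27
    idx = (cookie >> 24) & 0x3
    for age in range(COUNTER_WINDOW + 1):
        c = counter - age
        if (c & 0x1F) == stamp and (cookie & 0xFFFFFF) == _hash24(secret, saddr, daddr, sport, dport, c):
            return MSS_TABLE[idx]       # valid: now, and only now, allocate a socket
    return None                          # stale, replayed or forged: drop silently

def flood_then_handshake(secret, counter, flood_size=20000):
    """A spoofed SYN flood costs the server no per-connection memory."""
    half_open = set()                    # what a stateful server would fill per SYN
    for i in range(flood_size):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed spoofed source
        make_cookie(secret, src, "192.0.2.10", 40000 + (i % 20000), 80, 1460, counter)
        # nothing is added to half_open: the SYN-ACK's ISN *is* the state
    # A real client completes its handshake one counter tick later.
    isn = make_cookie(secret, "198.51.100.7", "192.0.2.10", 51515, 80, 1440, counter)
    mss = check_cookie(secret, "198.51.100.7", "192.0.2.10", 51515, 80, isn + 1, counter + 1)
    return len(half_open), mss
```

    The trade-off the post alludes to is visible in the code: only the MSS survives the round trip, so other SYN options are lost, and a cookie older than COUNTER_WINDOW ticks is rejected even for an honest client.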