Slashdot Mirror
Interviews: We Have 2! 1st, L0pht Heavy Industries
Yes, it's "year-end double-bonus interview week" on Slashdot. First, L0pht Heavy Industries. Yes, the world's most publicized infosec group, the one trotted out by TV and other mainstream media reporters whenever they want pithy (but authoritative) quotes about hacking and cracking and that sort of thing. The L0pht guys have heard all the (ho-hum) obvious questions already. They expect extra-smart ones from you, and we don't doubt for a second that you'll provide them. ;-) One question per post, please.
Which do you consider more dangerous to personal liberties on the Internet, national governments or multinational corporations, and why?
----
----
Open mind, insert foot.
The halcyon days of the net are gone. With ubiquity - the underground vanishes. Is it well on its way, with people like the CEO of Amazon being worshipped by the mainstream press, to becoming an enormous cyber strip mall, marketing tool, PR exercise in control of perception...
Or is there still an underground? Does it still have a potential to be the one true medium with liberation? Will governments and coroporations end up controlling it? Cause they are winning small, important victories relentlessly...
** http://www.nkhumanrights.or.kr/ ** Human rights in North Korea. 1 million estimated dead from starvation.
Letter to the editor: Opening windows could let bad guys do a lot of damage Saturday, December 25, 1999
I was amazed to see that the Clinton administration, in its initial victory over Microsoft, wants the source code to Windows to be made public. I'm sure it will follow up with a demand that all banks publish the combinations to their safes and freely distribute keys to both their front and back doors. Perhaps they will make banks install a large button so visitors can disable all alarms.
Making the world safe for bank robbers would be a lot better than making Windows' source code public. The year 2000 problem is nothing compared to what a hacker could do with the code to Windows.
The anti-virus software today depends on two primary tests to find a virus: the Cyclic Redundancy Checksum and file size. A virus attaches itself to a program and runs when the program runs.
Rather than get into a complex technical discussion, let us just say every computer file has a fingerprint. If a virus is attached, the file's fingerprint changes. An anti-virus program just looks for the fingerprints left by the virus. However, if one has the source code to Windows, a file with a virus can be made with the same fingerprint as a file without the virus.
Even worse, the operating system, instead of being the virus cop, becomes the virus enabler. Imagine a world where half the people in uniform are trying to rob you and where dialing 911 brings a band of serial killers to your door.
Such a virus would be very, very difficult to fight. Police try to catch such people by tracing who benefits. But when the goal is revenge and not profit, it gets tough to catch the bad guys. If you think catching the Unabomber was time consuming, this would make the search for the Unabomber look very fast, indeed.
So with the Windows source code, the hacker could write a program that on June 1, 2001, swaps all bank balances. Someone whose name starts with an A gets Z's balances. Throw credit cards into that mix, and there could be real fun. Maybe some hacker would find it fun to pay off everyone's property taxes. I'll bet everyone who had not paid his tax would tell the truth and pay up voluntarily, wouldn't they?
Every programmer I have ever met has always left himself a back door into every system he writes. Does anyone want to bet Microsoft does not have a back door to its software? Does anyone believe that if the judge makes Microsoft publish the source code, Bill Gates would remove the back door before publishing it? He would not dare. The judge might put him in jail for modifying the code. Couldn't have that now, could we?
If he would leave it in, every highly skilled programmer would have a key to everything running on Microsoft software. We can rest assured that every hacker is totally honest, can't we? And with the Internet, those hackers would all be in places where Americans are loved, such as Belgrade, Yugoslavia, and Baghdad, Iraq, for example.
Some hacker might even have fun with a newspaper, such as removing the names of everyone who is a subscriber and replacing them with the names of people who are not. Did I mention court records, employment records, child support records?
All Microsoft bashers in and out of government should beware. It looks like they are going to get what they wished for.
Ray Malone
MBS Software
Chillicothe, Ohio
a real zero.
What do you think of capability-based systems, such as EROS? The folks who are working on these systems say they are fundamentally more secure (against both malicious code and heisenbugs) than Unix derivatives, Windows NT, and other ACL-based operating systems. Do you agree with this assessment? Do these systems have security weaknesses that Unix-like systems don't have?
--
"But, Mulder, the new millennium doesn't begin until January 2001."
send all spam to theotherwhitemeat@ropine.com
L0pht Crew:
;-)
Would you agree that security and stability are but different sides of the same coin? In other words, a security exploit is truly nothing more than a expertly controlled failure?
If so, how much stock can we put into the "metadesign" of limiting the damage an exploit can create by attacking the ability of a failure to be controlled? Should operating systems incorporate such "unpredictability engines" when being run in a production, non-debugging manner? Or is such a design not worth pursing, for various reasons?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
P.S. First poster to make a crack about modulating the shield harmonics is gonna get a pie in the face
"There are no shortcuts to any place worth going."
"Be regular and orderly in your life, so that you may be violent and original in your work." -Flaubert