Cars and guns are all about freedom, too. If a technology is widespread enough to be both important to the culture (economically or whatever) and dangerous to life and limb, then it gets regulated in one way or another.
If it's not done through legislation, then courts will establish "standards of due care." In other words, if you persist in using techniques that everyone knows will allow your system to be stolen by someone else, then you're providing an attractive nuisance, like a backyard swimming pool without a childproof fence. That makes you liable for civil damages at least.
Of course, today's typical computer users can't tell whether their systems are cracker bait or not, so the "clueless" defense works. Given the state of computer system, this defense should continue to work for several more years.
When I started in computing, all the most interesting work (ARPAnet development, for example) was in R&D labs dominated by PhDs. So I went out and got one. It has in fact helped me get more jobs in advanced R&D organizations.
The PhD is one of the few achievements that actually sticks with you as you get older. Your first jobs, regardless of how glamorous, carry a lot less punch as you move on, and they eventually fall off the bottom of your resume.
On the other hand, keep in mind that a PhD is really an internship for the world of academic research. The right adviser teaches you about research, getting grants, and getting published. This is useful in the world of R&D, since it plugs you into the machine that gets you your research funding.
The technical training you receive is probably going to be too narrow to be useful to a typical employer. For many employers, the PhD simply indicates that the individual knows how to finish a lengthy, self-directed project. This is a valuable capability, but not necessary for every job.
So maybe the PhD isn't so useful in industry. However, if you ever aspire to be a senior researcher or to someday hold an academic position, the PhD is essential.
It's possible that the "750,000 cases of identity theft" includes each and every fraudulent transaction reported against a credit card. So you get dozens of "cases" for each instance in which one person is abusing a card or two.
Is there anyone out there who has credit cards but has not had at least one fradulent transaction? That makes you a "victim of identity theft," or even a whole community of them, if each transaction is counted in that number.
It's like the FBI/CSI computer crime survey. Some of the reports no doubt reflect each bad password report collected by the sys admin as well as every rejected connection to a blocked TCP port.
I've written two books, so don't dismiss this as the rant of a recovering Amazon addict (maybe) with overflowing bookshelves (definitely).
I love books, but I also think the whole copyright thing is 'way overblown. Copyrights can amply compensate an author if they only last 20 years instead of lasting the better part of a century, and then passing along to children.
Although I love tangible books, I'm also an avid reader of e-books. I've downloaded just about every smarmy 19th century novel I could find onto my palmtop. I'm always reading or re-reading one of them while riding a plane, eating a solitary lunch, or waiting for an appointment.
It's the story, stripped of everything else, and that's what matters. Otherwise paperbacks would have never flourished.
Long term, publishers have to come to grips with the fact that they can't milk properties for decades, since it's just too easy to download them and pass them around. We just need the law to catch up with reality.
Back in the late '90s the NSA made a very brief foray into firewall evaluation. They took their 'favorite' firewalls at that time (Gauntlet, Sidewinder, and CheckPoint) and tested them. They had planned to test more, but I never heard of others finishing the test cycle.
The interesting part is that they used the vendors' marketing claims as the basis for testing. If the vendor claimed the system did such-and-such, the NSA tested it and included the results in the final, released report.
When the tests were performed, the intention was to release them as soon as both the vendor and the NSA were satisfied that the report accurately portrayed the results of testing and contained no sensitive or proprietary information.
Only two of the reports were ever released: Gauntlet and Sidewinder. They were (briefly) posted on an NSA web site, but then government policies changed regarding the posting of computer security information. I never heard an explanation of why the CheckPoint report wasn't released.
>Man in the middle attacks have been rampant for some time now...
Indeed?
Is this documented somewhere (CERT quarterly reports, for instance), or is it based on the availability of tools (which ones are there, aside from dsniff), and what sort of documented losses have occurred?
This is a bit of amplification on how type enforcement fits (or doesn't fit) into traditional secure systems. But, first, a correction:
NSA has funded a long series of special-purpose secure systems, many of which are on the Evaluated Products List.
Actually, the EPL only includes commercial products. Although a government sponsored system can earn an evaluation level, the EPL listing is generally reserved for companies that pay their way.
High security systems traditionally provide multilevel security (MLS). Today, lots of military types want to share data across multiple classification levels, but they don't want the specific technical feature called "multi-level security." It just doesn't solve the real problem.
Various technical folks at NSA have liked type enforcement (TE) because it helps enforce least privilege, encapsulation, and process pipelining. While you can do that with MLS, it's like using an incrementing while() loop to do addition. TE gives developers a more direct way of representing their requirements. TE provides the bones necessary to build multilevel "guard" systems and it's been field proven (the mail guard, Sidewinder, etc.), even though it doesn't implement MLS directly.
As far as security evaluations go, nobody in their right minds is doing C2 or B1/B2/B3 style evaluations any more. People are doing the Common Criteria, if anything. There have been discussions about evaluating Linux, but it's 'way too soon to tell what might happen in that arena.
I wonder what is covered by the patent Secure are so proud of?
I work for Secure Computing and I've read the Type Enforcement patent. I have no idea how the patent might be enforced, since I'm no lawyer. The patent is from the late '80s and was originally written on the assumption that TE would be implemented in firmware. Actually, the first implementation was in C on a 68020.
The patent talks about controlling access based on applications instead of being based on user IDs. Software processes are assigned to domains and resources are assigned to types. There is a TE database that establishes accesses between them. The TE database can not be modified during normal system operation.
As other posters noted, it's been used in Sidewinder, SecureZone, and a military mail guard. Some folks of NSA like it because it puts really strong separation between processes and administrators can't shut it off by accident or on purpose.
I am in the process of implementing this for linux right now... I was working from the 1996 TIS papers on "DTE" (domain and type enforcement), and saw (well, noticed) no mentions of patents.
Previous management at Secure went through this phase of trademarking technical terms. TIS came up with "DTE" as so their research folks could work on similar concepts without getting into lawyer wars. The government has some sort of license for using Type Enforcement, and TIS was doing lots of government work.
Slashdot Mirror
Cars and guns are all about freedom, too. If a technology is widespread enough to be both important to the culture (economically or whatever) and dangerous to life and limb, then it gets regulated in one way or another.
If it's not done through legislation, then courts will establish "standards of due care." In other words, if you persist in using techniques that everyone knows will allow your system to be stolen by someone else, then you're providing an attractive nuisance, like a backyard swimming pool without a childproof fence. That makes you liable for civil damages at least.
Of course, today's typical computer users can't tell whether their systems are cracker bait or not, so the "clueless" defense works. Given the state of computer system, this defense should continue to work for several more years.
Rick.
When I started in computing, all the most interesting work (ARPAnet development, for example) was in R&D labs dominated by PhDs. So I went out and got one. It has in fact helped me get more jobs in advanced R&D organizations.
The PhD is one of the few achievements that actually sticks with you as you get older. Your first jobs, regardless of how glamorous, carry a lot less punch as you move on, and they eventually fall off the bottom of your resume.
On the other hand, keep in mind that a PhD is really an internship for the world of academic research. The right adviser teaches you about research, getting grants, and getting published. This is useful in the world of R&D, since it plugs you into the machine that gets you your research funding.
The technical training you receive is probably going to be too narrow to be useful to a typical employer. For many employers, the PhD simply indicates that the individual knows how to finish a lengthy, self-directed project. This is a valuable capability, but not necessary for every job.
So maybe the PhD isn't so useful in industry. However, if you ever aspire to be a senior researcher or to someday hold an academic position, the PhD is essential.
It's possible that the "750,000 cases of identity theft" includes each and every fraudulent transaction reported against a credit card. So you get dozens of "cases" for each instance in which one person is abusing a card or two.
Is there anyone out there who has credit cards but has not had at least one fradulent transaction? That makes you a "victim of identity theft," or even a whole community of them, if each transaction is counted in that number.
It's like the FBI/CSI computer crime survey. Some of the reports no doubt reflect each bad password report collected by the sys admin as well as every rejected connection to a blocked TCP port.
I've written two books, so don't dismiss this as the rant of a recovering Amazon addict (maybe) with overflowing bookshelves (definitely).
I love books, but I also think the whole copyright thing is 'way overblown. Copyrights can amply compensate an author if they only last 20 years instead of lasting the better part of a century, and then passing along to children.
Although I love tangible books, I'm also an avid reader of e-books. I've downloaded just about every smarmy 19th century novel I could find onto my palmtop. I'm always reading or re-reading one of them while riding a plane, eating a solitary lunch, or waiting for an appointment.
It's the story, stripped of everything else, and that's what matters. Otherwise paperbacks would have never flourished.
Long term, publishers have to come to grips with the fact that they can't milk properties for decades, since it's just too easy to download them and pass them around. We just need the law to catch up with reality.
Rick.
Back in the late '90s the NSA made a very brief foray into firewall evaluation. They took their 'favorite' firewalls at that time (Gauntlet, Sidewinder, and CheckPoint) and tested them. They had planned to test more, but I never heard of others finishing the test cycle.
The interesting part is that they used the vendors' marketing claims as the basis for testing. If the vendor claimed the system did such-and-such, the NSA tested it and included the results in the final, released report.
When the tests were performed, the intention was to release them as soon as both the vendor and the NSA were satisfied that the report accurately portrayed the results of testing and contained no sensitive or proprietary information.
Only two of the reports were ever released: Gauntlet and Sidewinder. They were (briefly) posted on an NSA web site, but then government policies changed regarding the posting of computer security information. I never heard an explanation of why the CheckPoint report wasn't released.
Rick.
xp0rnstar (sil@antioffline.dot.com) says:
...
>Man in the middle attacks have been rampant for some time now
Indeed?
Is this documented somewhere (CERT quarterly reports, for instance), or is it based on the availability of tools (which ones are there, aside from dsniff), and what sort of documented losses have occurred?
Rick.
NSA has funded a long series of special-purpose secure systems, many of which are on the Evaluated Products List.
Actually, the EPL only includes commercial products. Although a government sponsored system can earn an evaluation level, the EPL listing is generally reserved for companies that pay their way.
High security systems traditionally provide multilevel security (MLS). Today, lots of military types want to share data across multiple classification levels, but they don't want the specific technical feature called "multi-level security." It just doesn't solve the real problem.
Various technical folks at NSA have liked type enforcement (TE) because it helps enforce least privilege, encapsulation, and process pipelining. While you can do that with MLS, it's like using an incrementing while() loop to do addition. TE gives developers a more direct way of representing their requirements. TE provides the bones necessary to build multilevel "guard" systems and it's been field proven (the mail guard, Sidewinder, etc.), even though it doesn't implement MLS directly.
As far as security evaluations go, nobody in their right minds is doing C2 or B1/B2/B3 style evaluations any more. People are doing the Common Criteria, if anything. There have been discussions about evaluating Linux, but it's 'way too soon to tell what might happen in that arena.
I work for Secure Computing and I've read the Type Enforcement patent. I have no idea how the patent might be enforced, since I'm no lawyer. The patent is from the late '80s and was originally written on the assumption that TE would be implemented in firmware. Actually, the first implementation was in C on a 68020.
The patent talks about controlling access based on applications instead of being based on user IDs. Software processes are assigned to domains and resources are assigned to types. There is a TE database that establishes accesses between them. The TE database can not be modified during normal system operation.
As other posters noted, it's been used in Sidewinder, SecureZone, and a military mail guard. Some folks of NSA like it because it puts really strong separation between processes and administrators can't shut it off by accident or on purpose.
Previous management at Secure went through this phase of trademarking technical terms. TIS came up with "DTE" as so their research folks could work on similar concepts without getting into lawyer wars. The government has some sort of license for using Type Enforcement, and TIS was doing lots of government work.