Security

Vol. 3 No. 5 – June 2005

Interviews

A Conversation with Peter Tippett and Steven Hofmeyr

There have always been similarities and overlap between the worlds of biology and computer science. Nowhere is this more evident than in computer security, where the basic terminology of viruses and infection is borrowed from biomedicine.

The two participants in this month’s conversation, Peter Tippett and Steven Hofmeyr, both come from backgrounds in the life sciences that led them to become leaders in the field of computer security.

Articles

Attack Trends: 2004 and 2005

BRUCE SCHNEIER, COUNTERPANE

Counterpane Internet Security Inc. monitors more than 450 networks in 35 countries, in every time zone. In 2004 we saw 523 billion network events, and our analysts investigated 648,000 security “tickets.” What follows is an overview of what’s happening on the Internet right now, and what we expect to happen in the coming months.

In 2004, 41 percent of the attacks we saw were unauthorized activity of some kind, 21 percent were scanning, 26 percent were unauthorized access, 9 percent were DoS (denial of service), and 3 percent were misuse of applications.

by Bruce Schneier

Programmers Are People, Too

Programming language and API designers can learn a lot from the field of human-factors design.

KEN ARNOLD, INDEPENDENT CONSULTANT

I would like to start out this article with an odd, yet surprisingly uncontroversial assertion, which is this: programmers are human.

I wish to use this as a premise to explore how to improve the programmer’s lot. So, please, no matter your opinion on the subject, grant me this assumption for the sake of argument.

by Ken Arnold

Security - Problem Solved?

Solutions to many of our security problems already exist, so why are we still so vulnerable?

JOHN VIEGA, SECURE SOFTWARE

There are plenty of security problems that have solutions. Yet, our security problems don’t seem to be going away. What’s wrong here? Are consumers being offered snake oil and rejecting it? Are they not adopting solutions they should be adopting? Or, is there something else at work, entirely? We’ll look at a few places where the world could easily be a better place, but isn’t, and build some insight as to why.

Why can’t we beat buffer overflows?

by John Viega

Curmudgeon

Syntactic Heroin

RODNEY BATES, WICHITA STATE UNIVERSITY

User-defined overloading is a drug. At first, it gives you a quick, feel-good fix. No sense in cluttering up code with verbose and ugly function names such as IntAbs, FloatAbs, DoubleAbs, or ComplexAbs; just name them all Abs. Even better, use algebraic notation such as A+B, instead of ComplexSum(A,B). It certainly makes coding more compact. But a dangerous addiction soon sets in. Languages and programs that were already complex enough to stretch everyone’s ability suddenly get much more complicated.

What is it?

by Rodney Bates

Articles

The Answer Is 42 of Course

If we want our networks to be sufficiently difficult to penetrate, we’ve got to ask the right questions.

THOMAS WADLOW, INDEPENDENT CONSULTANT

Why is security so hard? As a security consultant, I’m glad that people feel that way, because that perception pays my mortgage. But is it really so difficult to build systems that are impenetrable to the bad guys?

OK, I just threw you a ringer. Two, in fact. The first is that lovely word impenetrable. A nice absolute word that makes it seem like you are completely safe and secure (two more words that give similar impressions). If we are talking about the security of your network, or any system for that matter, and you tell me that you need it to be impenetrable, safe, secure, or any similar absolute concept, it suggests that there’s money to be made. By me.

by Thomas Wadlow

Kode Vicious

Kode Vicious Gets Dirty

Dear Kode Vicious, I am a new Webmaster of a (rather new) Web site in my company's intranet. Recently I noticed that although I have implemented some user authentication (a start *.asp page linked to an SQL server, having usernames and passwords), some of the users found out that it is also possible to enter a rather longer URL to a specific page within that Web site (instead of entering the homepage), and they go directly to that page without being authenticated (and without their login being recorded in the SQL database). It makes me wonder what solution you could advise me to implement to ensure that any and all Web accesses are checked and recorded by the Web server.

Articles in Queue focus on the difficult and challenging aspects of using new technologies. Quite often these challenges involve large-scale system and architectural issues that arise when deploying and integrating new software. But what about all that low-level, nitty-gritty koding stuff? Well, that's where Kode Vicious comes in. KV actually enjoys helping people with these dirty details. And not just the technical dirt: no one kodes in a vacuum, and consequently, software development is rife with interpersonal conflict and organizational breakdown. There, too, our resident kode maven offers up his hard-won expertise and strong opinions for the benefit of koders everywhere. His advice may not always be pretty, but it's sure to solve your problems. Unfortunately, you're on your own with any resulting medical or legal bills.

by George Neville-Neil
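The letter to Kode Vicious above describes a classic forced-browsing hole: the login check lives only on the start page, so anyone who types the URL of an inner page gets it served with no check and no log entry. The example below is added here as an illustration and is not code from the column, the letter writer, or the magazine. It contrasts a per-page check (what the letter describes) with a single dispatch chokepoint that authenticates and logs every request before any handler runs. The routes, the session cookie name, the in-memory user table and its demo salt are all assumptions standing in for the letter's ASP pages and SQL Server table.

```python
"""Central authentication gate versus a login check on the start page only.

Added example, not from Kode Vicious or the letter writer. Routes, cookie
name, user table and salt are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets
import time

# Constructed sample user store (the letter keeps this in SQL Server).
# Store a salted password hash, never the clear-text password. Demo salt only.
_SALT = b"demo-salt"
_ITER = 10_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)}


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    set_cookie: dict = field(default_factory=dict)


class Site:
    def __init__(self):
        self.sessions = {}        # session token -> username
        self.access_log = []      # (timestamp, path, user-or-None) for every request
        self.public = {"/login"}  # the only paths reachable without a session
        self.routes = {"/login": self.login, "/reports/q1": self.report}

    # --- handlers: none of them performs its own authentication check ---------
    def login(self, req):
        user = req.form.get("user", "")
        pw = req.form.get("password", "")
        expected = USERS.get(user)
        # Hash even for unknown users so the response time does not reveal
        # which usernames exist; compare_digest keeps the comparison constant-time.
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, _ITER)
        if expected is None or not hmac.compare_digest(expected, digest):
            return Response(401, "bad credentials")
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self.sessions[token] = user
        return Response(200, f"welcome {user}", {"session": token})

    def report(self, req):
        return Response(200, "quarterly numbers")

    # --- the letter's situation: only the start page checks the login ---------
    def dispatch_unguarded(self, req):
        """Inner pages are reachable by URL with no check and no log entry."""
        if req.path == "/":
            if self.sessions.get(req.cookies.get("session")) is None:
                return Response(302, "redirect to /login")
            return Response(200, "home")
        handler = self.routes.get(req.path)
        return handler(req) if handler else Response(404, "not found")

    # --- the fix: one chokepoint that every request passes through ------------
    def dispatch(self, req):
        user = self.sessions.get(req.cookies.get("session"))
        # Record the access first, so denied and unauthenticated hits are logged too.
        self.access_log.append((time.time(), req.path, user))
        handler = self.routes.get(req.path)
        if handler is None:
            return Response(404, "not found")
        if req.path not in self.public and user is None:
            # Deny before the handler runs; a deep link meets the same gate as "/".
            return Response(302, "redirect to /login")
        return handler(req)


if __name__ == "__main__":
    site = Site()
    print("unguarded deep link:", site.dispatch_unguarded(Request("/reports/q1")).status)
    print("guarded deep link:  ", site.dispatch(Request("/reports/q1")).status)
    r = site.dispatch(Request("/login", form={"user": "alice", "password": "correct horse"}))
    tok = r.set_cookie["session"]
    print("after login:        ", site.dispatch(Request("/reports/q1", cookies={"session": tok})).status)
    print("log entries:        ", len(site.access_log))
```

The design point is that authentication is enforced where requests enter, not in each page. On a real web server the same chokepoint is the place to put it (an ISAPI filter or global include on classic ASP, middleware on modern frameworks), and the deny-by-default rule with an explicit allow list of public paths means a newly added page is protected until someone deliberately opens it up.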