sto...@interchip.de (David Stokes) writes:
> is highly dubious. All attempts to create security in computer
> systems seem to be doomed as clever people find ways around them. The
> Internet is more like a living organism that wants to live and expand
> than a traditional piece of technology. As far as counterfactuals go
> though, I'm actually pretty sure that with "planned transition" and
> "oversight" we wouldn't have an Internet at all, just some more pipes
> for advertising, "entertainment" and (mis)information.

in the 90s, the major (internet) exploit was from buffer overflow
vulnerabilities related to C-language programming convention for
handling strings. The vm/370 tcp/ip product implementation was done in
vs/pascal (earlier in thread, I mentioned having done rfc1044 support
for the product, getting possibly 500 times improvement in the bytes
moved per instruction executed) ... and had none of the buffer overflow
vulnerabilities found in c-language implementations.

Multics operating system was implemented in PLI and old security
vulnerability assessment found no buffer overflow vulnerabilities found
in C-language implementations.

lots of past posts mentioning buffer overflow vulnerability
http://www.garlic.com/~lynn/subintegrity.html#overflow

IBM research did a study/paper/presentation "Thirty Years Later: Lessons
from the Multics Security Evaluation" (one of the references was no
buffer overflow vulnerabilities)
http://www.acsac.org/2002/papers/classic-multics.pdf

security evaluation paper
http://csrc.nist.gov/publications/history/karg74.pdf

About a decade ago, the exploits had shifted to approx. 1/3rd buffer
overflow vulnerability (related to c-language features), 1/3rd automatic
scripting vulnerability (previously mentioned from 1996 Moscone MSDC),
and 1/3rd various forms of social engineering (enticing individuals into
executing malware applications which would install exploit code into
their machines).

Earlier in the thread, I also mentioned in the 90s, there was EU FINREAD
standard that was countermeasure for malware compromised
internet-connected PCs (but various unfortunate circumstances resulted
in abandoning the effort).

Part of the issue is that there is a fundamentally different security
paradigm for desktop machines that operate stand-alone and/or on small,
safe networks and require no security countermeasures (especially those
with heritage of applications, like games, that have convention of
taking over the machine) ... and internet appliances ... nearly
diametrically opposing security requirements (my early reference to
going out into open space w/o spacesuit).

old post of some work I did on CVE database (2623 reported vulnerability
descriptions)
http://www.garlic.com/~lynn/2004e.html#43

I was trying to categorize CVE vulnerability&exploit reports. I talked
to the CVE people about suggestion for requiring more structure in the
reports ... but at the time, their response was they were lucky to even
get the unstructured descriptions.

earlier posts in this thread:
http://www.garlic.com/~lynn/2012j.html#83 Gordon Crovitz: Who Really Invented the Internet?
http://www.garlic.com/~lynn/2012j.html#84 Gordon Crovitz: Who Really Invented the Internet?
http://www.garlic.com/~lynn/2012j.html#87 Gordon Crovitz: Who Really Invented the Internet?
http://www.garlic.com/~lynn/2012j.html#88 Gordon Crovitz: Who Really Invented the Internet?
http://www.garlic.com/~lynn/2012j.html#89 Gordon Crovitz: Who Really Invented the Internet?
http://www.garlic.com/~lynn/2012j.html#90 Gordon Crovitz: Who Really Invented the Internet?
http://www.garlic.com/~lynn/2012j.html#93 Gordon Crovitz: Who Really Invented the Internet?
http://www.garlic.com/~lynn/2012j.html#94 Gordon Crovitz: Who Really Invented the Internet?

--
virtualization experience starting Jan1968, online at home since Mar1970