OT re Cliff Stoll (was Re: [SC-L] Top security papers)

2004-08-11 Thread Dave Aronson
Nash [EMAIL PROTECTED] wrote:

  _Cuckoo's_Egg_, Clifford Stall.
 
  http://www.amazon.com/exec/obidos/tg/detail/-/0671726889/102-7543362-2026532?v=glance
 
  [Ed. That's Cliff Stoll, not Stall.  Great book, though -- IMHO! 
  KRvW]

For more on what Cliff's been up to lately, see:

  http://www.kleinbottle.com/

I got one several years ago.

-- 
David J. Aronson, Contract Software Engineer in Washington DC area
Resume and other information online at: http://destined.to/program

[Ed. Yes, this is WAY off topic...  Let's make this the last of 
the sub-thread, ok?  KRvW]


Re: [SC-L] Top security papers

2004-08-10 Thread Nash
On Sat, Aug 07, 2004 at 06:41:49PM -0700, Matt Setzer wrote:
 Specifically, what are the top five or ten
 security papers that you'd recommend to anyone wanting to learn more about
 security?  What are the papers that you keep printed copies of and reread
 every few years just to get a new perspective on them?  

These won't teach you much about security, per se, but they're fun to read
and provide some really interesting insights into the personalities involved,
which is sometimes more important.

An Evening with Berferd In Which a Cracker is Lured, Endured, and
Studied, Bill Cheswick.

http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=an+evening+with+berferd+bill+cheswick&btnG=Search

_Cuckoo's_Egg_, Clifford Stall.

http://www.amazon.com/exec/obidos/tg/detail/-/0671726889/102-7543362-2026532?v=glance

[Ed. That's Cliff Stoll, not Stall.  Great book, though -- IMHO!  KRvW]

-- 

Beware of bugs in the above code, I have only proved
it correct, not tried it.

- Donald Knuth


Re: [SC-L] Top security papers

2004-08-09 Thread Crispin Cowan
Matt Setzer wrote:
It's been kind of quiet around here lately - hopefully just because everyone
is off enjoying a well deserved summer (or winter, for those of you in the
opposite hemisphere) break.  In an effort to stir things up a bit, I thought
I'd try to get some opinions about good foundational materials for security
professionals.  (I'm relatively new to the field, and would like to broaden
my background knowledge.)  Specifically, what are the top five or ten
security papers that you'd recommend to anyone wanting to learn more about
security?  What are the papers that you keep printed copies of and reread
every few years just to get a new perspective on them?  
 

Here's my top 5. Things to note:
  1. It is more like 1 + 4. The first paper (Saltzer and Schroeder)
 should be *required* reading for everyone who claims to have the
 slightest clue about security. Everything of significance in
 computer security is in this article in some form. The only
 significant technology missing is public key crypto, and that is
 because it had not been invented yet.
  2. The other 4 are a quick & dirty skim through my bibliographic
 database. I could easily have missed some papers that are more
 seminal than these, but these 4 are very good, readable, and
 important.
  3. I excluded my own papers from consideration, but if you want to
 see them  ... :) http://immunix.com/~crispin/
Crispin
@article(salt75,
   author = {Jerome H. Saltzer and Michael D. Schroeder},
   title = {The Protection of Information in Computer Systems},
   journal = {Proceedings of the IEEE},
   volume = 63,
   number = 9,
   month = {November},
   year = 1975
)
@article(one96,
   author = {``Aleph One''},
   title = {Smashing The Stack For Fun And Profit},
   journal = {Phrack},
   volume = 7,
   number = 49,
   month = {November},
   year = 1996
)
@article(miller90,
   author = {B.P. Miller and L. Fredrikson and B. So},
   title = {An Empirical Study of the Reliability of {\sc Unix}
   Utilities},
   journal = {Communications of the ACM},
   pages = {33--44},
   volume = 33,
   number = 12,
   month = {December},
   year = 1990,
   lcindex = {QA76.A772}
)
@inproceedings{badger95,
   author = {Lee Badger and Daniel F. Sterne and others},
   title = {Practical Domain and Type Enforcement for UNIX},
   booktitle = {Proceedings of the IEEE Symposium on Security and Privacy},
   address = {Oakland, CA},
   month = {May},
   year = 1995
}
@article(land94,
   author = {Carl E. Landwehr and Alan R. Bull and John P. McDermott
   and William S. Choi},
   title = {A Taxonomy of Computer Program Security Flaws},
   journal = {ACM Computing Surveys},
   volume = 26,
   number = 3,
   month = {September},
   pages = {211--254},
   year = 1994
)


Re: [SC-L] Top security papers

2004-08-09 Thread Peter G. Neumann
Matt,
You will find lots of references that might appeal to your 
needs in an emerging DARPA report on my web site:
  http://www.csl.sri.com/neumann/chats4.pdf
There's an appendix by Virgil Gligor that might be very
helpful to you, which does not yet appear in the html
(but will as soon as I move the .eps files to .gif...)
But start with the principles, e.g., 
  Saltzer and Schroeder 1975
And don't try to look at security as an isolated problem --
it is an overall system problem, and there are lots of papers
on software decomposition, composability, modularity, etc. 
that are fundamental to security.
You might also try Matt Bishop's book, with lots of references.

PGN


RE: [SC-L] Top security papers

2004-08-09 Thread Wall, Kevin
Matt Setzer wrote...

 It's been kind of quiet around here lately - hopefully just because everyone
 is off enjoying a well deserved summer (or winter, for those of you in the
 opposite hemisphere) break.  In an effort to stir things up a bit, I thought
 I'd try to get some opinions about good foundational materials for security
 professionals.  (I'm relatively new to the field, and would like to broaden
 my background knowledge.)  Specifically, what are the top five or ten
 security papers that you'd recommend to anyone wanting to learn more about
 security?  What are the papers that you keep printed copies of and reread
 every few years just to get a new perspective on them?  

Okay, for starters, in no particular order:

  Ken Thompson's Turing Award lecture, _Reflections on Trusting Trust_, URL:
http://www.acm.org/classics/sep95/

  Saltzer & Schroeder, The Protection of Information in Computer Systems,
Proceedings of the IEEE, Sept. 1975, pp. 1278-1308, available at:
http://web.mit.edu/Saltzer/www/publications/protection/

  David Wheeler, Secure Programming for Linux and Unix HOWTO, URL:
http://www.dwheeler.com/secure-programs/

  Aleph One, Smashing the Stack for Fun and Profit, URL:
http://www.insecure.org/stf/smashstack.txt

  Bruce Schneier, Why Cryptography Is Harder Than It Looks, URL:
http://www.schneier.com/essay-037.html

  Carl Ellison and Bruce Schneier, Ten Risks of PKI: What You're Not Being
Told About Public Key Infrastructure, URL:
http://www.schneier.com/paper-pki.html

Also, I'd probably throw in a few RFCs and the Firewall and Snake-Oil
Cryptography FAQs in there as well, but I'm too lazy to look them up
right now.

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
[EMAIL PROTECTED]   Phone: 614.215.4788
The reason you have people breaking into your software all 
over the place is because your software sucks...
 -- Former White House cybersecurity advisor, Richard Clarke,
at eWeek Security Summit


RE: [SC-L] Top security papers

2004-08-09 Thread Jeremy Epstein
There's lots of interesting papers; I couldn't begin to select a top 10.
But for an answer to this question from the late 90s, take a look at the UC
Davis collection available at
http://csrc.nist.gov/publications/history/index.html

Also a plug: every year the Annual Computer Security Applications Conference
(www.acsac.org) invites two or three authors of seminal papers to update &
present their papers given the benefit of hindsight.  Last year's papers
included an update by Gene Spafford on the dissection of the Morris Worm,
and an update from Peter Neumann on PSOS (Provably Secure Operating System).
This year we'll hear a retrospective on the Orange Book by Marv Schaefer
(one of the authors) and an update on some of the classic TCP attacks from
Steve Bellovin.

--Jeremy

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]
 Behalf Of Matt Setzer
 Sent: Saturday, August 07, 2004 9:42 PM
 To: [EMAIL PROTECTED]
 Subject: [SC-L] Top security papers
 
 
 It's been kind of quiet around here lately - hopefully just 
 because everyone
 is off enjoying a well deserved summer (or winter, for those 
 of you in the
 opposite hemisphere) break.  In an effort to stir things up a 
 bit, I thought
 I'd try to get some opinions about good foundational 
 materials for security
 professionals.  (I'm relatively new to the field, and would 
 like to broaden
 my background knowledge.)  Specifically, what are the top five or ten
 security papers that you'd recommend to anyone wanting to 
 learn more about
 security?  What are the papers that you keep printed copies 
 of and reread
 every few years just to get a new perspective on them?  
 
 
 Amoroso has a list of selected papers in an appendix to 
 Fundamentals of
 Computer Security Technology (sorry, haven't been able to 
 find a web link),
 but I'm interested in hearing other perspectives, as well as 
 hearing about
 newer papers that have excited people.   Any thoughts?
 
  
 
 Matt Setzer