Every System Has Vulnerabilities

September 5, 2006

Reading today at ha.ckers.org web application security lab, I was intrigued by RSnake’s comments about internet security:

I’ve never been a fearmonger, but for the first time in my life I’ve found myself telling people, “I don’t know a company I couldn’t break into.” Every system I’ve found has vulnerabilities. There was something Bruce Schneier wrote a number of years back (and I’m paraphrasing here) that said that for every man hour it takes to build security it takes n+1 to break it. That is, if there are vibration mics in the ground it will take exactly n+1 the time it took to place them and test them and get them working properly as it would to break in.

On Mythbusters episode 59 the other night the crew cracked into several physical devices like fingerprint scanners, and walked past various versions of motion detection devices (with something as simple as a pane of glass). The point being here are always way around security, physical or otherwise. In the case of JavaScript port scanning it is similar to a Trojan horse. The idea is to sneak something otherwise normall and innocuous into an internal interface.

JavaScript seemed the most likely candidate, so we tackled that first. Yes, that means nearly every company on earth is vulnerable to that. Is that the only weapon in the arsenal? No way. Are there ways to fix it? We’re already working on them. Will that solve things? No way. It will just shift the problem elsewhere at best, and at worst, it will continue to be an esoteric attack vector that is only used by the few people who really get it’s consequences.

What really struck me is the concept that every system has vulnerabilities. William Gibson wrote about computers, networks and cracking those networks in Neuromancer,Count Zero, and Mona Lisa Overdrive, a wonderful trilogy that started me out with a healthy skepticism and love of networks and computers. I love what you can do with a computer and linking them together but I have no illusions that anything created with and/or stored on a computer is anything more than 1s and 0s and can be altered or deleted with a moment’s notice. I’ve got a rather decent network set up at my home and neighborhood, wired and wireless, that neighbors are free to use (hopefully with permission) and a beefy firewall between me and that semi-public network and another one between the semi-public network and the internet at large. I know that all of these can be cracked; my only hope is in making it difficult enough that someone else is a more attractive target than I am.

If you haven’t read the above trilogy then hop, skip and jump down to your local library and get them, all three, at once. Trust me; they are quite entertaining. You might even learn something.

As a postscript, I still find it amazing that William Gibson published those stories between 1984 and 1988, long before the World Wide Web came into existence and the internet as we now perceive it was conceived of, let alone implemented. Even more amazing is that at the time, the world was experiencing the beginning of the personal computer with the IBM PC beginning its invasion and the Apple Macintosh nipping at its heels. I started college at Utah State University in 1984 and as a student had access to a rather advanced VAX/VMS mainframe computer. We did our homework on it, chatted with students at other universities in real time, sent email, even played text games that stretched the limits of that system (ASCII version of Star Trek rocked! Still one of the most fun games I’ve ever played). Twenty years has me typing this on a laptop that would dwarf that VAX System with a PocketPC sitting in its cradle, ready to go where I want to and still connect to any local network.

I can’t imagine what computers and networks will be like in the next twenty years – but I’ll bet William Gibson has.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: