worldwide internet threat map

I don't understand why you don't show us the way? You obviously understand this stuff much better than the rest of us. Why can't you make millions and billions fixing all these problems you claim are so easy to fix?

This reminds me of someone... oh yeah, that guy in the video that understands magnetism.

Rick C.

Reply to
gnuarm.deletethisbit
Loading thread data ...

c is now 46 years old. Windows was introduced 35 years ago. x86 is 39 years old and was obsolete the day it was introduced.

Practically nobody here seems to be willing to consider that things will ever change... and not just about computing. People with that mindset can hardly be expected to design anything interesting, and don't.

--
John Larkin         Highland Technology, Inc 

lunatic fringe electronics
 Click to see the full signature
Reply to
John Larkin

x86 as implemented in the current crop of Windows operating systems brutally mismanages stacks but the Pentium hardware is still capable of operating as a segmented protected architecture to run Unix. Apple manage to run their OS on Intel hardware with much less user pain.

Even Unix platforms can be hacked if they are not properly maintained but it is harder (the most popular applications are often targets).

Are you willing to give up LTSpice and autorouters completely then or live with an interpreted version that runs more than 10x slower?

x86 is by no means perfect but it is also by nowhere near as bad as you try to paint it. The problem is mainly sloppy coding and people failing to do proper sanity checks on external inputs to sensitive routines.

--
Regards, 
Martin Brown
Reply to
Martin Brown

The main CPU of a VAX didn't do i/o; a PDP-8 managed the big iron and did external i/o for the mainframe. The 8 ran simple, solid code. That concept could be applied to a multiprocessor system to absolutely firewall apps from i/o and shared resources.

x86 protections could be, but usually aren't, better applied. Buffer and stack overflow exploits are still outrageous. But it still has tons of dangerous bugs. The architecture is about 40 years old.

"Showstopper" is a good book, about the development of NT. Cutler did it about as well as could be done on x86, a small and tight and fairly secure kernel. After he did that, a gang of idiots at Microsoft went in and broke it.

--
John Larkin         Highland Technology, Inc 

lunatic fringe electronics
 Click to see the full signature
Reply to
John Larkin

That's all great, but a huge hassle that few people could understand, much less manage. Granny, and her smart online refrigerator, aren't going to do that.

IoT and 5G are just going to make the current situation worse. We will eventually need some systematic fixes, and they can't depend on every $8 ebay gadget being secure.

--
John Larkin         Highland Technology, Inc 

lunatic fringe electronics
 Click to see the full signature
Reply to
John Larkin

I hate security discussions. They go on forever, never reach any useful conclusions, and burn too much time. However, I can't resist.

Yeah, Ring (DoorBot, Amazon) is rather sloppy: "A Ring doorbell vulnerability lets people snoop even after a password change" "This Smart Doorbell Was Accidentally Sending Data To China, Until People Started Freaking Out" The real problem is that they store their Wi-Fi passwords as plain text. I can take the backup of the settings file, feed it to the "strings" program, and extract the Wi-Fi password. That's the type of mistake made by beginners. Incidentally, Ring isn't the only company that did that. I'm occasionally finding Wi-Fi wireless routers and devices making the same mistake.

In terms of compromised devices, IoT based devices are probably at the top of the list. However, they lack the storage and performance of a desktop or laptop. So, they're limited to running probes and scans. If they find anything, they report back to the mother ship, which then installs the malware. I've been using Nmap to try and identify devices that are port scanning my various firewalls. Many of them turn out to be commodity devices by Linksys, Netgear, Dlink, and others. Nmap can sometimes tell if they're a router, camera, doorbell, media player, or such, but I haven't done anything useful with that.

Recently? Way back in 1999 or so, I was ranting about "secure by default" in alt.internet.wireless demanding that an out of the box wireless router should be delivered with all the security features nailed down tight. Security should only be reduced if the owner intentionally needs or wants lower security. When I pounded on the various vendors shipping wireless routers with wireless security disabled and a stupid default login password, I was ignored. Things are a little better today among some vendors, but most have decided that convenience and easy setup are more important than security.

My home network topology is a mess and changes every few weeks. My office is worse. I won't offer either mess as something worthy of emulation. (Do like I say, not like I do).

MAC addresses can easily be spoofed. It doesn't matter for attacks originating from the internet because MAC addresses do not go through a router. However, it's important for attacks originating on the LAN side of a router. If I want to impersonate a wireless user, it's useful (but not necessary) to "borrow" their MAC address so that the router is dealing with a known MAC address.

I guess that includes the neighbors kids. Over the years, almost all the kids, including the girls, have attacked my wireless network. Most are successful because they use a scripted attack that they found on the internet. Only a few have a clue what they're doing or how it works.

Discovering a usable MAC address is easy. With the various forms of Wi-Fi encryption, only the data payload is encrypted. The headers and management packets are totally in the clear and easily readable. The source and destination MAC addresses are in the header and be read by Wireshark or any of the utilities found on the various penetration testing tools, as found on the Kali Linux DVD.

Frontal attacks are always spectacular, but I preferred to bypass the defenses. I would just plug into your ethernet cable. If you don't have a convenient outdoor RJ45 jack, I used to crawl under the house, cut the CAT5 cable, insert an ethertap, switch, or hub, and plug my own wi-fi access point. If I want your wireless password, I would recover the saved passwords from the various client computers, not by sniffing: However, even that's usually too much trouble. Most people write the Wi-Fi password on a post it note and tape it to the router. ISP supplied routers/gateways from AT&T and Comcast have everything printed on a label. I don't try to write down all that. I use my smartphone camera. What's nice about PSK (pre-shared key) security is that everyone uses the same key, so stealing one key works for everyone on the same SSID. If you have a full time server setup, think about setting as RADIUS server and using WPA2-Enterprise, or just wait for WPA3 to arrive.

Yeah, that's a problem. If I have to do it at a distance, there's always the big 24dBi dish antenna and Ubiquiti M2 HP wireless bridge. Lots of gain and a really good RF section in the radio. If there are no trees or hills in the way, I can attack your wireless router from a few miles away.

Anomalies, oddities, and attacks usually show up initially as changes in traffic patterns. DD-WRT will produce some nice traffic graphs (using SNMP with MRTG or RRDTool) or with the built in traffic logging. On small commercial installs, I sometimes have something that collects and serves the SNMP traffic data and have someone look for "odd changes" which usually means something has gone wrong. Graphs like these:

Good idea. Is the USB drive encrypted? I'm still using TrueCrypt even though it's been abandoned by its author (because I'm too lazy to change to Veracrypt).

I still hate computer security discussions.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
 Click to see the full signature
Reply to
Jeff Liebermann

Not convinced about that.

Our Starlink Vax 780 definitely had a 512x512 Sigma Args raster graphics device close coupled to the CPU. The publicity online today claims it was 24 bit colour but it was actually if my memory serves 8 bit deep with just 256 possible levels in the CLUT which was 24 bit RGB.

formatting link

Our IBM 370 (later 3081) also had a bespoke PDP11 based system of terminal concentrators that ran a way better custom multiuser system than IBM's offering at the time. It was very vulnerable to hacking as all IBMs were. The DEC kit by comparison was almost bulletproof.

Unfortunately that also means there are forty years of applications that all run on it warts and all. Apple uses Intel CPUs without problems...

Most of the bugs you refer to are bad coding practices rather than faults with the CPU. There are compilers and tools that could prevent the vast majority of these stupid human errors but developers choose not to use them. It is lamentable but shortest time to market is deemed far more important than getting stuff right first time.

I was involved in early OS/2. It could have been so much better had IBM not insisted on backwards compatibility with the 286 CPU. It was probably the mistake that allowed Win 3 to rapidly gain market share.

Jumping through various insane hoops to make it run on a 286 cost an inordinate amount of software development time to no good end.

--
Regards, 
Martin Brown
Reply to
Martin Brown

Yes, that's a related problem. The way Windoze 10 is currently paving the road to hell, you don't really own the operating system or even the computer. Microsoft allows you to use their products and can at any time decide what can be run and what is "unsafe". Software as a service extends the concept to user programs. The average cable modem or gateway extends the concept to hardware.

I had a fund afternoon trying to install my various hacker tools on Windoze 10. It complained about a few, but for some, it just erased the program and produced no error message. It's much the same on Android and IOS, where apps can sometimes disappear from the phone without warning or notice.

However, none of that really answers the basic question "whom are you going to trust"? If you can't trust yourself to keep your computer up to date, free of malware, and authenticate all communications, it has to be someone else. Will it be the software authors, computer manufacturer, OS vendor, 3rd party anti-everything vendor, the certificate authority, government agency, the kid next door, or perhaps me? Plenty to choose from, but you will eventually be forced to choose at least one trusted entity or live with todays growing chaos.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
 Click to see the full signature
Reply to
Jeff Liebermann

I almost never use C anymore, not even for 8 bit processors. Only time I might use it is for "legacy" reasons I doubt I would ever implement a new project with it.

Modern C++ variants make writing secure and bug-free code ten times easier than it was 25 years ago, even on an 8 bit platform and the overhead compared to C is inconsequential. There's no excuse for writing code that has memory leaks or stack overflow bugs in 2018. Should be a fireable offense first time.

I almost never use Windows anymore either I mostly stick to Linux or MacOS when I'm feeling "artistic." a book called "Windows: What The Hell Happened?" probably needs to be written

Reply to
bitrex

Just not writing code something like (as an example someone posted in another group):

if (a.foo[1] == b.bar[2] == a.bar[1] == a.foo[2] == ....etc.)

helps a lot. All "copypaste" code like that is error prone and subject to operator fatigue i.e. coder gets tired and forgets to change all the indicies to what they need to be after copy-pasting. Modern complied languages have proxy objects you use to avoid interacting with the data itself like iterator objects that you operate with as a proxy and can do stuff like std::compare(foo, bar, ...insert your range here)

If you don't actually have to modify the data don't touch the container holding it directly!

Reply to
bitrex

And those who only complain and never attempt action also can hardly be expected to design anything interesting in that area... and don't.

Rick C.

Reply to
gnuarm.deletethisbit

Another way to avoid your Mars orbiter crashing is to use stronger types. an raw int or float shouldn't be used for something representing a dollar value. Money is Money it isn't an int. or a floating point value. meters/second is meters/second, not a float.

You could make a language that enforces that and some do but who likes rules?

Reply to
bitrex

JL is a pretty ridiculous guy. He complains about how bad the x86 architecture because it is "old" but holds up an even older architecture as a good example.

Rick C.

Reply to
gnuarm.deletethisbit

This thread has turned pretty well south. Internet security is an important issue, but talking about trashing pretty much our entire network system and redesigning all PCs from the ground up is insane.

JL like simple solutions whether or not they work. In his little designs he can try things out, but in things like this he has no real concept of the magnitude of what he is suggesting.

Rick C.

Reply to
gnuarm.deletethisbit

Interesting prognostication. Other probems in computing (the halting problem) are known insoluble, but maybe the 'bad packet' scan would work. Of course, you have to know WHAT is a bad one, and that list needs updating, and... do you want to accept bad packets transmitted to your filter demon for updates?

There is no algorithm (effective procedure) for 'security'. There is no reason to think there will be a finite period after which 'all' the 'problems' are 'solved'. Optimism may be pleasant, but is not persuasive.

Reply to
whit3rd

Once we used tubes in radios, and they failed so often that we had tube testers in drug stores. Nothing ever changes, nothing ever gets better, nothing can be done.

--
John Larkin         Highland Technology, Inc 
picosecond timing   precision measurement  
 Click to see the full signature
Reply to
John Larkin

I don't know if JL has read one too many Ayn Rand books or if he is actually channeling the guy in the "I'm the only one who knows anything" video. WTF???

Rick C.

Reply to
gnuarm.deletethisbit

It is a concrete example of the classic maxim that

for every complex problem there is a simple *WRONG* answer.

--
Regards, 
Martin Brown
Reply to
Martin Brown

The people that understand the problems are far from happy, since they know how intractable the problem is.

On this topic, your technical arguments and presumptions are about as valid as a software engineer claiming that it is easy to make hardware because all you have to do is throw lots of gates and lots of very fast opamps at the problem.

Similarly mech engs get tired of people thinking that you can build anything from sheet metal, wire coat hangers, and string.

Now you're being silly.

If you can solve this problem then, quite seriously, the world really will beat a path to your door.

Reply to
Tom Gardner

Oh, now those are /completely/ different claims from your others about it being easy to solve the halting problem.

I most certainly agree with all of those assertions. Indeed, when I returned to dabbling in embedded systems after 20 years working "on the dark side", I was simultaneously delighted and horrified at how little had changed since the mid 80s.

But there are rays of hope. There are a few better languages (especially ones which are less of a mismatch with multicore processors), and better multicore processors with decent inter-processor comms facilities.

But too many people have the "C can do everything and is the best that can be done" attitude.

Reply to
Tom Gardner

ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.