July 27, 2009
NYT: SkyNet is almost upon us, run in circles, scream and shout
There is so much wrong with this article it boggles the mind. My commentary below the fold...
There is the claim that viruses/worms have approached "cockroach" intelligence levels. Please...spare me the drama guys, eh?
The ONLY reason viruses and worms persist is because of technological inertia in the installed base of software and hardware. If everyone switched to "dumb" browsers and email readers like LYNX and PINE that simply don't implement client side execution of any content, one huge avenue of vulnerability would be eliminated. We don't do this because we like eye candy trinkets and shiny shit.
The other major avenue of attack relates to CPU architectures -- i.e. Intel's x86 architecture, when placed in protected mode with paging enabled, was never intended for running truly secure software, nor can it ever be terribly effective at doing so. Having your memory protection mechanism operate on 4K chunks rather than at a granularity that matches the intrinsic size of the data quantities being manipulated leaves you vulnerable to buffer overruns due to coding bugs.
In reality, the old 80286 was a much more suitable CPU architecture for implementing secure systems than the 80386 (and subsequent designs) ever was. The age-old stillborn i432 architecture was even better than the 286, and IBM's AS/400 architecture is damn near ideal. All those systems were capable of implementing object level protection granularity.
Another major vulnerability of the x86 is/was the executable stack. In many generations of those chips, turning on paging makes the stack area executable. This was/is one of the main vectors for virus/worm infection. All one needs do is find a buffer overrun bug in some code and use that to scribble your virus/worm into the stack area. Carefully constructed return address overwrite data will execute the intruder on the next subroutine RET.
TCP/IP port attacks could be a thing of the past if TCP stacks were actually proven correct code. Doing correctness proofs is tedious work though, so we simply don't bother and accept the potential for vulnerability.
I could rant on and on about this idiot article, but the bottom line is any real or imagined threat from the machines exists only because we allow it to exist out of laziness, convenience and inertia. We choose to allow it because the cost of eliminating it is too disruptive and/or costly at the moment. It is however a risk landscape that we can choose to control any time we damn well please to.
Does anyone FORCE you to put mineable data on your cell phone? NO! A standard issue Mk 1 Mod 0 pencil and a little pocket notebook will create a "personal database" that's unminable by any remote software that could ever be created. The battery on the pocket notebook will never go dead on you either, because it doesn't have one.