Monday, September 22, 2003

The State Of Security sucks.

I know I would've come to this conclusion eventually anyway, but I think my focus lately has hatched this conclusion a bit prematurely. Oh well.

So, here it is. The State Of Security (SOS) sucks. And no, before you ask, I'm not talking about a "security state" or any particular state in the US of A. I mean "state" as in the first definition in Webster's. There is too much information. Too much information drastically increases the chances of misinformation and missing information, and this is a bad thing.

What am I talking about, you ask? I'm talking about the hundreds and hundreds of sites who are attempting to take on the task of spreading information concerning computer, network and information security. Hundreds and hundreds? Yes. I'm talking about the dozens and dozens of mailing lists attempting to spread information concerning computer, network and information security. Dozens and dozens? Yes. I'm talking about the countless IRC channels, message boards, and remote corners of the web run by someone who thinks their idea is new and revolutionary, when in fact it is anything but.

Where do you get your 24/7/365 stream of data to feed your security addiction? Huh? The Securityfocus lists? Full-disclosure? Vuln-watch? #security? #snort? How about any number of other venues? That's what I thought. You best be careful, because unless you choose your dealer carefully and only after much research, you'll become another (not-so) innocent victim of the FUD-virus, which is typically spread by the bottom feeders of the security arena. These are the people that steal information and ideas from other, more established and respected dealers and reformat/repackage it and put it out as if it were their own. Oftentimes, this information is either incorrect from the beginning, or is merely a snapshot of the information at a single point early on in the discovery and exploration of an issue. What results is more useless crap polluting the sea of information.

Actually, wait. What am I talking about? Misinformation is a good thing. It's misinformation and general stupidity that keeps researchers like myself busy and security companies like yours in business. And hell, I like that.

Anyway, I've been up to quite a bit lately, both in the job search world and the research world. Here is a peek at a bug in Sun Solaris' SMC webserver that is pretty ugly, and is likely only to get worse. As an example of why, try this on for size. Just because your language protects against it, why should you still do blatantly stupid things like the following in your webserver code:

// Decompiled from the SMC webserver; parameter list and loop counter repaired so it compiles.
// Needs java.io.InputStream, java.io.OutputStream and java.io.IOException in scope.
private void serveStreamAsStream(InputStream inputstream, OutputStream outputstream)
        throws IOException {
    byte[] is = new byte[1024];   // fixed 1024-byte scratch buffer
    boolean bool = false;         // unused, left over from the decompile
    int i;                        // bytes returned by the last read()
    // copy the input stream to the output stream, at most 1024 bytes per pass
    while ((i = inputstream.read(is)) != -1)
        outputstream.write(is, 0, i);
}

In most other languages, this would be a buffer overflow. But not in Java. Sun merely catches the exception and tries the same thing AGAIN. Must...resist...fist...of...death!

Ok, </rant>

Despite my initial resistance, we went camping this weekend at Pawtuckaway in New Hampshire. It was a great time, and a great way to spend what might have been my last real weekend before I head off into the work force. Highlights include hours and hours of card games, lots of fire, and me making phone calls from 20 feet out in the water. Hey, a guy has gotta get service somehow, right?

And, finally, I wrote two tools. uri-encode and uri-decode are some trivial perl scripts that will encode/decode a string to/from its equivalent hexadecimal form.
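For anyone who wants to see what that kind of tool does, here is an added illustration in Python (my own constructed example, not the author's uri-encode/uri-decode Perl scripts): it percent-encodes a string's UTF-8 bytes, decodes %XX sequences back, and refuses malformed escapes rather than passing them through silently.

```python
"""Constructed illustration of a uri-encode / uri-decode pair (not the
author's Perl scripts). Operates on UTF-8 bytes, leaves RFC 3986 unreserved
characters alone, and rejects malformed %XX input instead of guessing."""
import re
import string

# RFC 3986 unreserved characters: these are never encoded
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
_HEX2 = re.compile(r"%([0-9A-Fa-f]{2})")


def uri_encode(text: str) -> str:
    """Encode every UTF-8 byte except unreserved characters as %XX."""
    out = []
    for b in text.encode("utf-8"):
        ch = chr(b)
        out.append(ch if ch in _UNRESERVED else "%%%02X" % b)
    return "".join(out)


def uri_decode(encoded: str, strict: bool = True) -> str:
    """Decode %XX sequences back to a string.

    With strict=True a '%' not followed by two hex digits raises ValueError;
    with strict=False it is kept literally, which is what many decoders do
    and why a decoded string and the raw string can disagree."""
    raw = bytearray()
    i = 0
    while i < len(encoded):
        c = encoded[i]
        if c == "%":
            m = _HEX2.match(encoded, i)
            if m:
                raw.append(int(m.group(1), 16))
                i += 3
                continue
            if strict:
                raise ValueError(f"malformed escape at offset {i}: {encoded[i:i+3]!r}")
        raw.extend(c.encode("utf-8"))
        i += 1
    return raw.decode("utf-8", errors="replace")


def roundtrip(text: str) -> bool:
    """True when decode(encode(text)) reproduces text exactly."""
    return uri_decode(uri_encode(text)) == text
```

Note that one decode pass undoes exactly one encode pass: uri_decode("%2541") yields "%41", not "A", so a string that was encoded twice needs two decodes.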
