A history on security and how to win the battle

A history on security and how to win the battle...
Joshua Thijssen

Channeling and restricting ﬂow

Sometimes channels don’t listen

Failure is always an option

Security is a business value

Let others take care of security

History of (computer) security

Security in the “old days”

I wasn’t kidding when I said: “old days”

5.25” high density disks

Copying was a breeze

Copy protection

Let’s try dongles

8086 segmented memory layout

8086 segmented memory layout segment reg. 16-bit

8086 segmented memory layout segment reg. offset reg. 16-bit 16-bit

8086 segmented memory layout segment reg. offset reg. physical address
16-bit 16-bit 20-bit

8086 segmented memory layout segment reg. offset reg. << 4
physical address 16-bit 16-bit 20-bit

+ physical address 16-bit 16-bit 20-bit

07C0:0050 07C00 0050+ 07C50 8086 segmented memory layout segment reg.
offset reg. << 4 + physical address 16-bit 16-bit 20-bit

07C0:0050 07C00 0050+ 07C50 0000:7C50 00000 07C50+ 07C50 8086 segmented
memory layout segment reg. offset reg. << 4 + physical address 16-bit 16-bit 20-bit

07C0:0050 07C00 0050+ 07C50 0000:7C50 00000 07C50+ 07C50 007C:7490 007C0
07490+ 07C50 8086 segmented memory layout segment reg. offset reg. << 4 + physical address 16-bit 16-bit 20-bit

+ physical address 16-bit 16-bit 20-bit

386 protected memory layout + descriptor directory entry page table
entry physical address directory page offset cr3 gdt / ldt page directory page table page frame linear address descriptor table selector offset 32-bit 16-bit

Ring 0 Kernel

Ring 0 Kernel Ring 1 Device drivers

Ring 0 Kernel Ring 1 Device drivers Ring 2 Device
Drivers

Ring 0 Kernel Ring 1 Device drivers Ring 2 Device
Drivers Ring 3 Applications

Security today

The weakest link

Humans

it is much easier to trick someone into giving a
password for a system than to spend the effort to crack into the system -- K. Mitnick

Raising awareness on browsers

It’s a trap!

We’re curious

People are resourceful

Weird hobby’s

00710022211101015511130102359000000000

00710033308171115011231111700000000000

00710033308171115011231111700000000000 00710022211101015511130102359000000000

00710022211101015511130102359000000000 00710033308171115011231111700000000000

00710044401011200001231122359000000000

Magnetic card reader/writer: $ 250

Magnetic card reader/writer: $ 250 Parking costs per night: $40

Magnetic card reader/writer: $ 250 Parking costs per night: $40
Free parking: priceless

How can we cure this problem?

We need to implement REAL security, not fake.

How do we win the war? How do we win
the war?

If we as developers have to keep thinking about security,
we will lose...

We need to deflect *EVERY* attack, They only need *ONE*
to win...

99.999% of all programmers are NOT trained or have the
capability to identify security threats. The other 0.001% will not be able to identify them ALL OF THEM ALL THE TIME.

A day in the life of a PHP programmer...

$result = mysql_query('SELECT * FROM users WHERE username="'.$_GET['username'].'"');

You should use mysql_real_escape_string!

No, you shouldn’t!

You just put a developer who wasn’t aware of security
issues, in charge of security...

Let others handle security (PDO)

There is no (quick) solution.

There is no (quick) solution. but we have to change
the way we deal with security radically,

There is no (quick) solution. but we have to change
the way we deal with security radically, by not dealing with security...

Let others take care of security

Any questions (maximum 5)?

Find me on twitter: @jaytaph Find me for development and
training: www.noxlogic.nl Find me on email: [email protected] Find me for blogs: www.adayinthelifeof.nl Thank you! http://joind.in/6853

A history on security and how to win the battle

A history on security and how to win the battle

More Decks by Joshua Thijssen

Other Decks in Technology

Featured

Transcript