A history on security and how to win the battle

A history on security
and how to win the battle...
Joshua Thijssen

View Slide

Channeling and restricting ﬂow

View Slide

Sometimes channels don’t listen

View Slide

Fighting against ourselves

View Slide

Security is a business value

View Slide

Let others take care of security

View Slide

History of (computer) security

View Slide

Security in the “old days”

View Slide

I wasn’t kidding when I said: “old days”

View Slide

5.25” high density disks

View Slide

Copying was a breeze

View Slide

Copy protection

View Slide

Let’s try dongles

View Slide

NOPE!

View Slide

07C0:0050
07C00
0050+
07C50
0000:7C50
00000
07C50+
07C50
007C:7490
007C0
07490+
07C50
8086 segmented memory layout
segment reg. offset reg.
<< 4 +
physical address
16-bit 16-bit
20-bit

View Slide

386 protected memory layout
+
descriptor
directory entry page table entry
physical address
directory page offset
cr3
gdt / ldt
page directory page table
page frame
linear address
descriptor table
selector offset
32-bit
16-bit

View Slide

Ring 0
Kernel
Ring 1
Device drivers
Ring 2
Device Drivers
Ring 3
Applications

View Slide

Security today

View Slide

The weakest link

View Slide

Humans

View Slide

it is much easier to trick someone into
giving a password for a system than to
spend the effort to crack into the system
-- K. Mitnick

View Slide

Raising awareness on browsers and users

View Slide

It’s a trap!

View Slide

We’re curious

View Slide

People are resourceful

View Slide

Weird hobby’s

View Slide

00710022211101015511130102359000000000

View Slide

00710033308171115011231111700000000000

View Slide

00710033308171115011231111700000000000
00710022211101015511130102359000000000

View Slide

00710022211101015511130102359000000000
00710033308171115011231111700000000000

View Slide

00710044401011200001231122359000000000

View Slide

Magnetic card reader/writer: $ 250
Parking costs per night: $40
Free parking: priceless

View Slide

How can we cure this problem?

View Slide

We need to implement REAL security, not fake.

View Slide

How do we win the war?
How do we win the war?

View Slide

If we as developers have to keep thinking
about security, we will lose...

View Slide

We need to deflect *EVERY* attack,
They only need *ONE* to win...

View Slide

99.999% of all programmers are NOT trained or
have the capability to identify security threats.
The other 0.001% will not be able to identify
them ALL OF THEM ALL THE TIME.

View Slide

A day in the life of a PHP programmer...

View Slide

$result = mysql_query('SELECT * FROM users WHERE username="'.$_GET['username'].'"');

View Slide

You should use mysql_real_escape_string!

View Slide

No, you shouldn’t!

View Slide

You just put a developer who wasn’t aware
of security issues, in charge of security...

View Slide

Let others handle security
(PDO)

View Slide

There is no (quick) solution.
but we have to change the way
we deal with security radically,
by not dealing with security...

View Slide

Let others take care of security

View Slide

Any questions (maximum 5)?

View Slide

Find me on twitter: @jaytaph
Find me for development and training: www.noxlogic.nl
Find me on email: [email protected]
Find me for blogs: www.adayinthelifeof.nl
Thank you!

View Slide

A history on security and how to win the battle

A history on security and how to win the battle

Joshua Thijssen

More Decks by Joshua Thijssen

Featured

Transcript