Archived Online security increasingly feels patched-up. What changes are needed to create a secure, better internet? (AskVoat)
Posted by: Sire
Posting time: 5.5 years ago on
Last edit time: 5.5 years ago on
Archived on: 2/12/2017 1:51:00 AM
Views: 360
SCP: 3
3 upvotes, 0 downvotes (100% upvoted it)
[–] Sire [S] (edited)
TL;DR: 7 hackers (the L0pht group) told senators in 1998 that computers were not safe and that a major overhaul was necessary. They didn't listen. Now the same security issues arise time and time again, in a tech world culture of "patch and pray".
[–] Voatify 1 point (+1|-0)
What parts of the Internet did l0pht warn about being insecure? Are these the same parts that are still insecure/getting less secure? The most insecure parts of the Internet require massive resources to attack, and even those have been steadily improved for years and years. I don't see how anything relevant in 1998 will still be a problem unless the ones you're afraid of are core Internet players like the USA or one of the major Internet DNS players.
[–] dijit 2 points (+2|-0)
A few problems. For instance, DNS is UDP, and UDP doesn't require a handshake.
So, you can craft UDP packets with different "reply to" headers, like the mail system in the real world.
This means that you can do DNS amplification attacks, where you have 2-5 machines which all spoof packets and make a large number of DNS servers send 50x the size of a packet to a single host (which is how Cloudflare got hit with a 300GB/s DDoS).
l0pht also mentioned SQLi, a method of accessing a database behind a website (which has been mostly fixed over the course of a decade), and buffer overflows (which are still very much a cat/mouse game).
Most protocols speak in an unencrypted and unsigned manner. For instance, HTTP can be watched with little or no effort; all you need is the right switch (which is anything over $1,000; trust me, your ISP has much better than this) and you can basically just watch anyone.
The internet was designed with the idea that nobody is malicious. Every portion of security we have is due to the flexibility of the systems in the first place. It's turtles all the way down.
That said, I'm glad they didn't listen to l0pht. Pretty much every "secure" protocol from 1998 is broken completely, every ciphersuite. xD
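Added example, not part of dijit's comment or the original thread: a DNS server operator's view of the reflection pattern described above, flagging claimed source addresses that receive far more response bytes than they sent in queries. The log record layout, the sample records and both thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real traffic), in an assumed log layout:
# (claimed source IP, query type, query bytes, response bytes)
SAMPLE_LOG = [
    ("198.51.100.7", "ANY", 64, 3200),
    ("198.51.100.7", "ANY", 64, 3150),
    ("198.51.100.7", "ANY", 64, 3300),
    ("198.51.100.7", "ANY", 64, 3250),
    ("192.0.2.10", "A", 60, 92),
    ("192.0.2.10", "AAAA", 60, 104),
    ("192.0.2.44", "TXT", 70, 900),
    ("192.0.2.10", "A", 58, 90),
]


def amplification_by_source(records):
    """Return {claimed_source: (query_count, response/query byte ratio)}."""
    totals = defaultdict(lambda: [0, 0, 0])  # count, query bytes, response bytes
    for src, _qtype, q_bytes, r_bytes in records:
        entry = totals[src]
        entry[0] += 1
        entry[1] += q_bytes
        entry[2] += r_bytes
    return {
        src: (count, resp / query)
        for src, (count, query, resp) in totals.items()
        if query > 0
    }


def suspected_reflection_targets(records, min_ratio=20.0, min_queries=3):
    """Claimed sources with a sustained, highly amplified response stream.

    Because UDP has no handshake, the "source" of these queries may be
    forged, so a flagged address is more likely the victim than the sender.
    Thresholds are assumed values and need tuning against real traffic.
    """
    stats = amplification_by_source(records)
    return sorted(
        src
        for src, (count, ratio) in stats.items()
        if count >= min_queries and ratio >= min_ratio
    )


if __name__ == "__main__":
    for src in suspected_reflection_targets(SAMPLE_LOG):
        count, ratio = amplification_by_source(SAMPLE_LOG)[src]
        print(f"{src}: {count} queries, {ratio:.1f}x amplification")
```

A flagged address is a candidate for response rate limiting on the server, not for blocking as an attacker.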
[–] Sire [S]
The article didn't specify any flaws in particular, except the general business culture surrounding online features. It seems businesses tend to suffer from "featurism", where features are implemented in online environments without vigorously solving security issues.