Bad Beowulfs &c

Sun May 14 12:02:35 PDT 2000

"jok707s at mail.smsu.edu" wrote:

> Nathan L. Cutler mentions the speed with which many of the security holes are
> discovered and how fast the fixes are developed and made available.  This
> leads him to argue that a centralized "map" of Internet weaknesses would
> become obsolete fairly quickly.  Of course, there is a big difference between
> a patch being *available* and that patch being actually *applied* to all the
> appropriate systems.  I'm sure that there are some network admin types on this
> list, so it seems reasonable to ask this question: how many of you can
> honestly say that you *always* keep fully updated with *all* the security
> procedures that you should have in place?  How far behind do you sometimes
> get?  Of course, I'm not asking anyone out there to reveal any really
> dangerous secrets about their systems.

There was a recent study on the amount of time it took a vendor to release a patch.
The average was about 30 days for Red Hat, 60 days for Solaris, and 90 days
for MS Windows. These are approximate numbers.

As for the patch actually being applied, you've got to be kidding. A timely
application is the exception, not the norm.

> There was also a mention of possible non-electronic, strictly physical attacks
> on the Net infrastructure.  If a large & dispersed terrorist group were
> planning something big, they could combine hi-tech, medium-tech, and low-tech
> attacks to do the most damage.  Perhaps beowulfs and other computers could be
> used to analyze the "topologies" for these broader scenarios as well.

Yes. For example, the major pipelines can be completely and thoroughly disrupted
by simply cutting them. In fact, this happens not infrequently, when a workcrew
accidently does it. Often it can take days before it is identified, located and fixed.
And we're talking about the major pipelines here.

These lines are out in the open. E.g. running alongside railroad tracks; there's
not much you can do to prevent that. Modeling the behaviour of such outages
would be of interest.

Check out the cypherpunks mailing list for past discussions on this stuff.
They go into far more detail, and are far more expert on infowar.

> In summary, I would say that the amount of disagreement on this list about the
> level and variety of security threats (both beowulf and non-beowulf) is a good
> argument for doing some appropriate war-gaming.  Even if such gaming is
> already in progress, we could always use more; there are too many possible
> scenarios.  Consider all the possible permutations and combinations of beowulf
> cluster configurations that have not been tried yet; we might need a beowulf
> just to calculate how many arrangements there could be for each given number
> of nodes.  (BTW: has anyone done these kinds of calculations yet?  Just
> curious.)

There have been some similar models in the past of networking and topologies,
though for other purposes. It would make for an interesting wargame.

> If anyone knows someone who knows someone who might be willing & able to offer
> a research grant, give them my email address. . . .

Given that a major Chinese newspaper has announced that the Chinese
government intends to do exactly some of the things that you've outlined to
the U.S. in case of a conflict, you would think that someone in the U.S. would
be interested.

> Thanks once more for the feedback.  If I dream up any more nasty questions,
> I'll be sure to let you folks see them.

And please let us know of any results from any research.

Best Regards,

    -dwight-

---------------------------------------------------------------------------
The Beowulf Mailing list archives can now be searched by visiting:
        http://www.supercomputer.org/Search/
The Calendar of Events in supercomputering can be found at:
        http://www.supercomputer.org/calendar/