Domain: jscript.dk
Stories and comments across the archive that link to jscript.dk.
Comments · 65
-
Still no reply to the email I sent Ken
To: kenbrown@adti.net
Subject: "Opening the Open Source Debate"
Date: 31 May 2002 15:45:59 +1200
Some references you might wish to consider before publishing your article "Opening the Open Source Debate"
http://www.businesswire.com/cgi-bin/f_headline.cgi?bw.053002/221502375
Bruce Schneier, one of the recognized leading experts on computer security, on Kerckhoffs' Principle and Secrecy, Security, and Obscurity of software.
http://www.counterpane.com/crypto-gram-0205.html#1
Dr. Blaine Burnham, Director, Georgia Tech Information Security Center (GTISC) and previously with the National Security Agency (NSA), gives a keynote speech overview of current encryption and security technologies and outlines possible strategies for future defense.
http://technetcast.ddj.com/tnc_play_stream.html?stream_id=411
Also you might wish to address the issue of Microsoft's disproportionately high number of open vulnerabilities in its Internet Explorer components. All of which were discovered without access to the source code.
Richard Purcell, Microsoft's director of corporate privacy, has recently stated that any major improvement in regard to the security of its products may be at least "5, 10 years, maybe".
http://www.businessweek.com/technology/content/may2002/tc20020523_6029.htm
As for the issue of Trojan horse injection into open source code, it is far from being an open source only issue.
Or were all the "Easter Eggs" currently found in Microsoft's products officially authorized?
If you are looking for a methodology for providing a suitably secure and hardened solution, start with a real world example.
http://www.openbsd.org/security.html
I welcome any open debate.
-
As opposed to one subsystem, 16 open doors?
2 June 2002: There are currently 16 unpatched vulnerabilities in Microsoft's Internet Explorer
To Quote Richard Purcell, Microsoft's director of corporate privacy
You can't issue a memo on Jan. 18 and, within two weeks or even two months, have introduced your entire product line that's consistent with that. Trustworthy computing, as I try to emphasize, is about process change, so that products can then be delivered as a result. And it's a very long-term vision -- 5, 10 years, maybe
Is it really going to be another 5 to 10 years before Microsoft's products security becomes "Trustworthy"?
-
Whilst I don't like netscape myself....
On my windows box, I Use mozilla as my primary browser (tabs, what is new about this?).
The bad history of IE security is the only problem I have with IE, and this is the reason why I won't use it.
As much as I personally don't like using netscape, I would really like to see them succeed with a little help from AOL. My motivation isn't to prevent IE winning the browser wars, but more to make web developers accept that IE isn't the only web browser. I get very annoyed by random web pages that require internet explorer.
For what it is worth, I would like MS to win the browser wars, providing web pages like these become a thing of the past, this way all the script kiddies will continue to target IE users, making my browsing more secure with my preferred web browser.
-
http://jscript.dk/unpatched/ - 13 Without Source
"our APIs and code must be secret or the U.S. will crumble"
20 May 2002: There are currently 13 unpatched vulnerabilities in Microsoft's Internet Explorer. The lack of source code access provides no real defense.
See the latest issue of Bruce Schneier's Crypto-gram Newsletter
Secrecy, Security, and Obscurity
A basic rule of cryptography is to use published, public, algorithms and protocols. This principle was first stated in 1883 by Auguste Kerckhoffs: in a well-designed cryptographic system, only the key needs to be secret; there should be no secrecy in the algorithm. Modern cryptographers have embraced this principle, calling anything else "security by obscurity." Any system that tries to keep its algorithms secret for security reasons is quickly dismissed by the community, and referred to as "snake oil" or even worse. This is true for cryptography, but the general relationship between secrecy and security is more complicated than Kerckhoffs' Principle indicates.
...
-
Re:Here we go again...
The problem is that MS are releasing a patch they claim fixes certain security holes, while this is not really the case.
-
Re:Uh huh. Meanwhile, in Mozilla...
How many similar security holes have been found in Mozilla (or Opera for that matter), that haven't been fixed properly?
MS claim to fix security issues (after a long time), but they don't always hit the target:
This is why it is important to make people aware of Microsoft's security policies. If they were actually secure, or at least fixed vulnerabilities properly, it wouldn't be such a major issue.
-
The objective is not to destroy M$...
...but to make sure that there are alternatives, and to ensure that people have the right to choose. If you love to surf without security, and have no problem with microsoft 0wning your computer, or give a shit about your computer being hijacked by spyware (see if you can find one spyware program for linux) then go ahead, use Microsoft.
I, honestly, deeply, do not give half a rats ass.
The sad thing about Joe User is that he does not want to understand anything, and starts bitching immediately if things don't work the way he wants them to work. He doesn't want to remember passwords, and much less to turn on the brain for a minute while installing something he just downloaded from the internet. His disgrace is thus of his own making, and I can only hope he gets a tenth of a clue someday (Mind you, I'm not saying he is supposed to be a guru. He just should have basic knowledge about what is going on)
But I don't want me nor anybody to be forced to this way of doing things, and I insist on Joe User having a chance of changing his ways. Viewed this way, linux and OSS have been very successful.
If the formats used by microsoft were really open, if they didn't insist on being on every computer sold (and thus forcing me to buy what I consider a disaster of a software), and did not seem to have this fascist urge of dominating the world and imposing their philosophy on everybody, then nobody would be making a fuss about this.
rmstar
-
And on a similar theme....
Thor Larholm released another IE universal cross-site-scripting bug today. And there are more where that came from...
-
More info on IE exploits
This site lists dozens of IE holes, 13 of which still are open!
13 remote compromises in a web browser!?!?! Good to see that Microsoft's one month 'security' jihad went so well.
-
Used to be in Mozilla
I found the same bug in Mozilla last summer while I was working at Netscape. My boss fixed it within a week, so versions after Mozilla 0.9.3 did not have the bug. It was bug 88167 if you're interested. I'm not sure why I didn't notice that IE was vulnerable as well. Anyone want to go through old Mozilla security holes and see how many of them affect IE 6?
Anyway, keep using that Back button. If you're using IE to browse warez/porn, you have more to worry about than someone looking at your cookie for another site. An attacker could just copy the IE exploit of the week from http://jscript.dk/unpatched/. I believe that page has had current IE security holes that allow running arbitrary instructions for two months straight. (That means you can keep up with the latest IE patches, but if an attacker reads jscript.dk and can get you to click a link in AIM or read a message in OE, the attacker wins.)
By the way, what's with IE turning every cross-domain hole into a full remote compromise by letting sites link to res: urls? Current versions of Mozilla block links to chrome/res and even file, so a cross-domain hole doesn't even let sites read local files.
-
Re:This could be bad...
Unless the law specified distribution of *machine readable* malicious code (ie binaries)
Internet Explorer may be full of security holes and an integral part of Microsoft's plan to maintain its operating system monopoly, but I wouldn't go as far as calling IE binaries "malicious code".
-
Re:A testament to open source...
That's interesting. I think we can then say that we are no longer allowed to bitch about Microsoft proposing mandates regarding the same kind of behavior. When Microsoft wants to hide an exploit, we all cry foul. When OSS vendors do it, it's cooperation for the sake of security. Double standard?
Perhaps, but not as severe a double-standard as you say.
* The open-source world called the zlib bug a "vulnerability" and fixed it even though no exploit other than a simple DoS had been developed. It makes sense for server software to want to be free of remotely exploitable crashes, but even complex client software like Mozilla (which doesn't try to hide the fact that it sometimes crashes) rushed to fix the bug despite the absence of a larger exploit.
* Red Hat, Mozilla, etc. all announced the fix at the same time, at the same time they made the security hole public. I can get a rough idea of what's going to be on windowsupdate.microsoft.com for the next few weeks by reading http://jscript.dk/unpatched/, a page that lists known, unpatched IE security holes.
* Commercial products have to be tested before a release, which takes time, and releasing a new version is more expensive for them than simply posting a patch or including the patch in a planned nightly/monthly release. You might notice that Netscape has not (yet) released a 6.2.2 fixing the zlib bug.
-
What the article doesn't mention...
... is the relative speed at which open-source problems are located and repaired.
Just for fun, here is a handy summary of some Windows issues, including an XMLHTTP vulnerability that allows a malicious website to read any file on your harddrive, that has been a known issue since December 15th.
-
Re:Explanation of code
As Tom pointed out, it is amusing that this is posted now as a "worm article" instead of as an "example exploit" when we originally posted our bulletin on February 8th.
What is even more amusing is how the media, including Slashdot, seem to have misunderstood the bulletin entirely. This is not a flaw in MSN Messenger, this is a flaw in Internet Explorer - called crossdomain scripting.
Using MSN Messenger for our example was - just that, an example. We could as easily have used a .NET application and thus miscredited that Microsoft product instead.
Another amusing aspect is how people tie this together with the "privacy disclosure" vulnerability found last week in MSN Messenger. These are 2 completely different things. The "privacy disclosure" gives a malicious programmer the names (and possibly email addresses) of the user and his friends.
This vulnerability allows you to hijack the user's MSN Messenger - the application itself! This is why you can send messages through it, as you can do anything with the application that a normal enduser would be able to - including, but not limited to, sending messages, emails and files and co-starting applications on the user's machine (yes, this allows you to remote control a user's entire Windows machine!).
Now, that should have cleared up a few things.
With regards to the latest "superpatch", Microsoft claims that it "eliminates all known security vulnerabilities affecting Internet Explorer 5.01, 5.5 and 6.0.".
As you can see on our vulnerability highlight page, this is not true.
It is still very much possible for a malicious programmer to read a user's local files and execute arbitrary commands - even when you are fully patched!
-
Maybe they'll bother to patch the IE holes then...
...the 40-day-old ones, that is. See http://jscript.dk/unpatched/ for a full list.