New Security Group Hedges Bets And Builds Hedges
7card writes: "OK, I was just doing my morning surfing and I found this article, which may be of some interest. It looks like the world has another club of security experts with the goal of security through obscurity. Some of the members include Microsoft, Oracle, and Cisco." Reader Junin points to this CNET story as well.
Well, this is a dangerous step toward the evolution and existence of sovereign corporations.
The real problem with the concept of 'private networks of information' is that they tend to grow, especially with the impetus this one has. It's in their best interest to keep as much of the knowledge they gather classified for as long as they can. If there is the perception that this kind of limited sharing is effective and one has to pay to become a member, there will be leaps and bounds of growth to this organization. Unlike the federal government, there are no laws in place to protect average citizens from this type of secrecy.
What's even more disturbing is the kind of actions this organization will eventually take to protect its secrets. At first it will be legal actions. They will sue to prevent people from releasing important security information. Then the proliferation of 'inter-agency' controls will increase, say giving back-doors to certain law enforcement agencies into certain applications. I'm certain this already goes on to some extent, but this gives tech companies a reason for this to become common practice.
How long is it before this kind of alliance has the ability to conduct its own 'Security' raids and anti-hacker activities through its contacts in law enforcement? Not too damn long, if I'm not mistaken.
What laws are in place to keep a corporation from harassing and causing problems for an individual? Abso-fricken-lutely none. American business law is written to favor a business or corporation over an individual every single time.
Reminds me of the US raid on Tehran. The special-warfare troopers were out in the middle of the desert, in a spot so remote nobody would be there looking for them... and they got discovered by a busload of people who stumbled across the area by virtue of getting lost.
Moral of the story: security through obscurity doesn't work. It's a numbers game, a calculated risk, and the risk involved is far higher than other more proactive forms of security.
Would you be willing to do all your online banking if your bank told you, "We don't bother to encrypt your financial records or firewall our system from malicious hackers--but don't worry! All the data is kept on a URL so obscure nobody will ever come across it!"
At Americanwicca.com, we make sure that our site is utterly secure by refusing to release details.
Speaking as a cryptographic engineer, I find this amazingly hilarious.
To this utter naivete, your typical malicious attacker would respond with:
... In other words, you're being just plain silly.
What's more than this is you're also lying.
At Americanwicca.com, we make sure that our site is utterly secure by refusing to release details.
No, you make sure your site is secure by locking down ports 21 and 23 for starters (telnet and mail). I know this because I just tried to telnet into them to see if they were open. So if security-through-obscurity is so darned good, why do you need to take the additional step of locking down your ports?
The answer is: because security through obscurity is a failed policy. Always has been, always will be. Locking down ports, on the other hand, is a smart and proactive policy.
It may seem to work for the Banking industry... but how could you even tell? No way will these kind of companies be able to communicate sensitive internal problems with rivals in a timely manner. Management will stifle it every step of the way.
Obviously, I'm assuming this is a troll. But just on the off chance it isn't, let's talk about the problems of your point.
First of all, logically extrapolating, there's some substance to what you say: if someone *doesn't* know about the security flaws of a system, they can't deliberately exploit them. However, your "hidden treasure" analogy isn't valid. For hidden treasure to be a useful mechanism, it has to stay hidden. The best way to keep it hidden is to put it somewhere that people are unlikely to look, like in a hole in an anonymous sand dune on a faraway island.
A modern OS, application platform or Web data centre isn't a desert island with much sand and few shovels. It's a series of interconnected systems based on a limited (actual) range of semantics. And it's faced by people who understand black and white box testing, boundary cases of data and so on -- the equivalent of seismic sensors, metal detectors, ground-penetrating radar and the like. And they all have a pretty good idea of the contours of the landscape and where different systems meet, and might not quite tessellate. They also understand where sysadmins are lazy, or tend to be less able.
All this means a better analogy is a bank. Lots of people walk in and out, and everyone knows where the treasure is. It's likely easy to find out how it's protected, too. But it's still hard to get at, because of well designed systems, monitoring and response procedures.
By all means take your pick: dig a hole in your back garden (or hell, make it tricky, use someone else's garden) or put your money in the bank. But don't sell those two options as having the same security level in the real world.
Just look at the game Quake when it came out and after the source was released. Yes there was cheating when the source was closed, but there is a lot more cheating now that the source is open. There are ways to solve the problems if the source is open, but they would have been inefficient back in the days when Quake came out. Security is a tradeoff between performance and security. The higher the security the lower the performance of the product. In most products this is not a problem, but with a game that's designed to work over a modem, performance is critical.
Let's take an example from Quake. Quake sends extra data to a user for prediction purposes, like where a user's location is even though the user is not supposed to see that person. This is so that if the user doesn't get a packet update with the other user's location in time, then the user's client side can predict where the other user will be and whether he is about to pop out of a corner and be visible. Sure, this data can be taken away from the user to prevent cheating, but then the performance of the game drops critically. The users have to be kept unaware that this information is available to them.
So what are some possible solutions? Well, not sending the data to the user is the best solution, but then this will decrease performance. The user's framerate and updates on what other people were doing would effectively be limited by their ping time or modem speed. What about encrypting the data? Well, somewhere on the client's machine the user has to decrypt the data and perform calculations on it, so the data is still available. How about hiding the data inside of a binary that the user does not have the source for and therefore does not know where to look for the data? This will prevent the user from finding the data while still allowing the client program access to the data, although only until the user gets smart and finds where the data is hidden. This is a tradeoff between security and performance.
So what is the ultimate security protection? Well just have keystrokes sent to a server, then have the server render an image, a "screenshot" of the game, and then send it to the users machine to be drawn. This way no information is sent to the user except for an image which only the user can interpret. Is this very secure? Yes, but the level of performance would be horribly low. Somewhere a tradeoff has to be made between what information a user is allowed to see to increase performance and what information stays hidden.
That's just my splurge of the day, wonder if it makes sense...Outdoor digital photography, mostly in New Engl
Maybe I should get fitted for an eye patch? :)
James - Arrrrrrrrrrrr!
Isn't this like what gangs charge in "their" neighborhoods? Protection money? If we give them $5k a year, they'll give us their information. Otherwise, we're screwed, and they'll decide whether or not they wish to come forward. And, as we've seen in the past, they will only come forward if there is some benefit to them.
This quote is really the best part of the article. Does anyone -not- see the hypocrisy?
"We have to put down our differences and our competitiveness and share more if we're going to prosper together," Mr. Copeland said. "If you're going to wall yourself off and not share, then you're going to be hurting. This will be a venue and a forum where we can start to build a level of trust."
Um, aren't these companies going to wall themselves off and not share with the rest of us?
And therein lies the rub. The basic presumption is if they don't know, they can't find out. Except, of course, that they can find out. And if they do, you won't know about it until after something happens. Screw external attacks, look internally. Are you 100% certain that everyone who knows those deep, dark secrets are completely and totally trustworthy??
At Americanwicca.com, we make sure that our site is utterly secure by refusing to release details.
Shouldn't they be running a more recent version of Apache?
It is a helpful element in any security arrangement, ever since Blackbeard buried his treasure in the Caribbean.
Blackbeard had other deterrents to those who knew his secrets, and might be tempted to steal 'is loot. Your basic shooting, stabbing, beating, keelhauling, or walking the gang plank all have their place. But for the most part, we can't use any of those tools...sigh
James
I'd like set up a non-profit company to develop my for-profit products, and then write off all my R&D as contributions to a non-profit organization.
Presumably, a security hole, classified as a bug, becomes property of the consortium and a value added commodity.
This gives rise to a potentially revolutionary revenue stream for microsoft and friends...
Yes, I read the article before I posted (hence citing some of the companies involved as examples), and Clinton's approval makes it all the more disturbing. Let me share something with you.
In our nation's (US's) history, there have been four presidents assassinated. Two were saints. Two were mediocre. But four out of soon to be forty-three is a minuscule percentage. It's barely over 9%. No wonder our government and our leaders have gotten out of touch with the American people. They're not beholden to us anymore, because they no longer have the fear of the masses beaten into them. That must change.
There are four more days before Clinton leaves office. He must be shot today. And then we have to shoot Bush when we're done with Clinton. There must be blood on the floor tonight, if our government will ever learn to tread lightly on the liberties of man.
This information-cartel outrage is only the latest volley in an ongoing war we have been fighting since we decapitated Louis XVI and drank from his blood at the guillotine (ingesting his divine sovereign mandate and becoming a true sovereign democracy). Our leaders are out of touch and out of their minds. The mail isn't being delivered anymore. The snake problem is at a fever pitch. A grown man can't even walk to the corner store without getting passing stares from gawking subversives. Is that the kind of world we want to leave for our children?
The information cartel must be killed tonight. Tonight. Tomorrow, we'll go after the guys who planned it. They must be brought to a pointy reckoning. Shudder them.
Before I begin, let me state that there is some merit to the Open Source security "process" (if you could call it that) AND there are legitimate concerns with companies merely shirking off ALL concern for security while depending 100% on so-called obscurity. That being said, I have real issue with going from "security through obscurity" is not a cure-all, to the Open Source mantra that "security through obscurity" has absolutely no merit. A couple key points that all too many just glaze over:
First, the only way the Open Source security philosophy really works is if people ACTUALLY (as opposed to theoretically) sit down and read the code for security flaws in its entirety. I would argue that in a great many cases, no one even approaches this level. Because the Open Source community has very little centralization of effort, there is going to be a great deal of redundancy. In other words, even if you believe that 1000 security "experts" will spend some time reviewing the code, they may well be looking at the same piece of code (which in and of itself, can be a good thing), while leaving other pieces of code largely unscrutinized. Furthermore, I suspect that very few people truly give the code the time of day.
Second, while Open Source makes it easier for white hats to find flaws, it also makes it easier for blackhats to find and exploit flaws. This is particularly relevant if, as I point out, the code is not getting the right kind of attention from white hats.
Third, Closed Source can make it HARDER and DULLER to find flaws. Many people seem to assume that just because obscure products have been cracked, there is absolutely no redeeming value to it being closed. In other words, at any given moment in time, if we could somehow have two parallel universes that would allow you to have the same piece of code (let's say the latest stable linux kernel with all patches applied) in Open Source and Closed Source at the same time, without knowledge leaking either way, most reasonable people would prefer the Closed Source option.
Fourth, security flaws are found all the time in Open Source code projects. A lot of them are presumably stable pieces of code that have already been put into production. These systems get hacked REGULARLY. Now this isn't to say the same doesn't apply to closed source, but you can't ignore the problem either way.
Fifth, many people constantly bring up the point "well if you just patch regularly...". While I agree that everyone SHOULD do this if possible, it's not always possible, and it's frequently not economical. If there is a piece of closed source code that hasn't had any published (or suspected) security flaws in 4 years of existence, while the competing Open Source alternatives have had many (constantly forcing their admins to patch), then that's a real issue for any competent admin.
Sixth, it's entirely possible for a Closed Source company to do a full internal security audit of their code. It may not be perfect, but it's better than nothing. Although I fully realize that hardly anyone does this, it'd be a mistake to ignore this as an option. If a company can get _most_ of the (presumed) benefits of an Open Source security audit without the corresponding exposure of their source code to blackhats (or at least less "risk" of that), then that might be very good indeed.
In summation, this is not nearly as black and white as people portray it. It comes down to numbers and many other unquantifiable elements. A simple philosophy is not a one-time cure-all. For instance, as I have alluded to, if there are very few white hats reviewing the code (say 50) and those white hats are mostly replicating their own work (say 15% efficiency) while allowing any black hat with proper monetary motivation to put the effort into cracking easy to read source code, then you might well be worse off. The same goes the other way around: if a software company, as all too many do, rushes their product out with little to no review and depends entirely on obscurity, they might well use some routines that are well known security problems that can be easily searched for....
The bottom line is that it is just as stupid to assume your carelessness will be automatically covered by "peer review" (or "Open Source") as it is to assume it will be covered by "obscurity".
Not only did I post it with my name, I meant every word of it. You are a coward and a hypocrite.
The RSA algorithm is not an obscure algorithm; every single detail of the algorithm is in the public domain, and a staggering amount of academic scholarship (the vast majority of which is also in the public domain) is available.
If I pick 17 as one of my RSA primes, that doesn't change the algorithm. Okay, so I'm picking a stupid prime, but the algorithm is unchanged. If I pick a 300-decimal-digit prime, that doesn't change the algorithm, either.
"Security through obscurity" means "as long as I don't tell you how it works, then the system is secure".
Real security is "I'll tell you how it works, I'll tell you about all its known weaknesses, and I'll help you understand it inside and out--and it'll still work within its specified operational parameters."
In the case of RSA, part of its specified operational parameters is that the private part of the keypair is kept secret.
Where's the obscurity?
(Sidebar: cracking RSA does not rely on the private prime being obscure. For a very long time it was conjectured that breaking RSA was dependent upon factoring an extremely large composite number into two primes, but the recent attacks against PKCS1, etc., show that it's possible to stage cryptanalytic attacks against RSA that don't involve factorization.
RSA is based on three conjectures. One, that P!=NP. Two, that factorization is NP-complete. Three, that factorization is the only way to break RSA. Neither of the first two conjectures has been proven, and the third conjecture has been proven false.
That said, RSA is still a well-trusted algorithm. The non-factorization attacks are well-known and fairly easy to avoid.)
A lot is known simply from a cursory inspection--site hosted by Hypermart on elderly FreeBSD, running software that anybody can buy from e-classifieds (and privately audit for security holes), etc.
Your site (assuming you in fact have anything to do with it) of course isn't utterly secure.
But people who rely on security through obscurity to protect their networks are simply waiting for trouble to happen. Because you're childish and "elite"?-- Stanislav Shalunov
The difference is that, with Open Source, the good guys can find AND FIX the holes. With closed source, you're dependent on the good will of the companies.
I'll send $5 too, but only in CDN$... ;)
Actually, what went through my mind first when I read, "Other technology firms will be able to join the alliance for $5,000 a year" was, "Gee, it's just like a fraternity. How nice it must be to pay to have friends."
The second thing that went through my head was, "Guess this is a big boys' club only. $5000 a year to join isn't much if your total assets (or asses) are zillion$, but it effectively puts most small businesses out of the running...and they're probably the ones who need something like this organization the most...if something like this is truly needed."
I don't in principle think it's necessarily a Bad Thing[TM], but even a kitchen implement in the wrong hands...
?!
I'm not a geek, I'm just a clever script.
RSA keys are not purely entropic--they possess a great deal of predictability, which is why the keys are so long. For instance, if you're using a 512-bit prime, you can be assured that bits 0 and 511 are set.
If bit 0 is not set, then the number is evenly divisible by two, and it's not prime. If bit 511 is not set, then it's not a 512-bit prime (it's a 511-bit, or what-have-you).
Right there I've predicted two bits, out of 512. With more advanced mathematical techniques you can discover more properties about the binary representation of prime numbers, which helps you winnow out even more possibilities.
It's been widely conjectured that a 1024-bit RSA key is roughly commensurate to about 128 bits of entropy. Of course, distilling entropic properties of asymmetric keys is more black art than formal science, so I generally err on the side of rampant paranoia and guesstimate a 1024-bit RSA key as roughly equal to an 80-bit key. Still plenty good for most purposes, but if you're worried about major governments, 2048-bit keys are appropriate.
Moral of the story: asymmetric algorithm keys must possess a large degree of entropy to be useful, but the key itself is not one hundred percent random.
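The two RSA posts above (the algorithm is public and only the private half of the keypair is secret; the top and bottom bits of an n-bit prime are forced) are easy to make concrete. This is an added example, not code from either poster: a deliberately tiny textbook RSA in plain Python 3.8+ integers (no padding, not constant time, never for real data), with the attacker's side written out as trial division under a fixed step budget to show that publishing the algorithm changes nothing about the key, while the prime size changes everything about the work factor. The seed and key sizes are assumptions chosen so the demo runs in well under a second.

```python
import random


def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin primality test (error < 4**-rounds for a composite)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng=random):
    """Random prime of exactly `bits` bits. The top bit is forced so the
    number really is that long, the low bit so it is odd: the two bits the
    post says an attacker gets for free."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def forced_bits(p, bits):
    """(low bit, top bit) of p; both are 1 for any `bits`-bit prime > 2."""
    return (p & 1, (p >> (bits - 1)) & 1)


def keygen(bits, rng=random, e=65537):
    """Textbook RSA keypair with a ~`bits`-bit modulus. Toy: no padding."""
    half = bits // 2
    while True:
        p, q = gen_prime(half, rng), gen_prime(half, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e must be invertible modulo phi
            break
    n = p * q
    d = pow(e, -1, phi)              # private exponent; Python 3.8+ modular inverse
    return (n, e), (n, d, p, q)


def encrypt(pub, m):
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(priv, c):
    n, d, _, _ = priv
    return pow(c, d, n)


def factor_by_trial_division(n, max_steps):
    """Attacker's view: everything but d is public, so try to recover p
    from n. Returns a factor, or None once the step budget is exhausted."""
    if n % 2 == 0:
        return 2
    f = 3
    for _ in range(max_steps):
        if n % f == 0:
            return f
        f += 2
    return None


def recover_private_exponent(pub, max_steps):
    """Rebuild d from the public key alone, if factoring n fits the budget."""
    n, e = pub
    p = factor_by_trial_division(n, max_steps)
    if p is None:
        return None
    return pow(e, -1, (p - 1) * (n // p - 1))


def run_demo(seed=1234):
    """Seeded so the demo is reproducible; the seed itself is arbitrary."""
    rng = random.Random(seed)
    primes = [gen_prime(64, rng) for _ in range(10)]
    pub, priv = keygen(128, rng)           # 64-bit primes: trial division is hopeless
    pub_small, priv_small = keygen(32, rng)  # 16-bit primes: falls in ~32k steps
    m = 0x1234567890ABCDEF
    return {
        "forced_bits_ok": all(forced_bits(p, 64) == (1, 1) for p in primes),
        "roundtrip_ok": decrypt(priv, encrypt(pub, m)) == m,
        "d_128_recovered": recover_private_exponent(pub, 40000),
        "d_32_recovered": recover_private_exponent(pub_small, 40000) == priv_small[1],
    }
```

Same algorithm, same attacker code, same step budget: the 32-bit modulus gives up its private exponent, the 128-bit one does not. Nothing about the key's safety rested on hiding how it works, which is the distinction the post draws between a secret parameter and an obscure design.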
No difference. /bin/login calls crypt(); add a call to your own function before it calls crypt(). (Patching crypt() is a long honored tradition, used for example in the old telnetd LD_PRELOAD bug.)
It isn't that hard to edit a binary to include a trojan as well.
For example, you could find the part of
If you doubt this I encourage you to take a look at for example fravia's site. (Use google.)
> No, you make sure your site is secure by locking down ports 21 and 23 for starters (telnet and mail). I know this because I just tried to telnet into
> them to see if they were open. So if security-through-obscurity is so darned good, why do you need to take the additional step of locking down
> your ports?
Since you mention those two ports, out of curiosity, did the prompt identify the software running on those ports? (e.g., sendmail, postfix or exchange on port 23?)
Another simple step to take is to make sure that your web server always returns a 404 error if someone looks for non-existent pages. (You'd be surprised how many web servers don't do this, & cheerfully identify the software running instead.)
The reason I mention this is that I've seen it mentioned in several different places to disable self-identification of server software -- it's trivial to do for most of these applications, & it makes a cracker's job a bit more difficult.
No, if you take these measures you can't unsubscribe from your favorite security mailing list & still sleep soundly at night. These steps will only slow down the determined cracker -- maybe enough so that you can catch the miscreant in action & foil him.
Geoff
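What the earlier reply did by hand ("I just tried to telnet into them") and what Geoff asks about (does the prompt name the software, and does the web server leak its identity on a missing page) can be done in a few lines. This is an added example, not code from any poster: a small banner grabber in Python 3. The services it talks to are throwaway local listeners that return constructed sample banners, standing in for a self-identifying mail daemon and a chatty web server; no real host is probed, and the product names in the sample strings are illustrative, not observations.

```python
import socket
import threading

# Constructed sample banners (not captured from any real host) that imitate
# services which announce their software and version to anyone who connects.
SAMPLE_SMTP_BANNER = b"220 mail.example.test ESMTP Sendmail 8.9.3/8.9.3; ready\r\n"
SAMPLE_HTTP_404 = (b"HTTP/1.0 404 Not Found\r\n"
                   b"Server: Apache/1.3.12 (Unix)\r\n"
                   b"Content-Type: text/html\r\n\r\n"
                   b"<html>Not Found</html>")


def grab_banner(host, port, timeout=3.0, probe=None):
    """Connect, optionally send `probe`, and return whatever the service
    volunteers first. '' means it accepted the connection but said nothing
    before the timeout; None means the port is closed or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                return ""
    except OSError:            # refused, unreachable, or connect timed out
        return None
    return data.decode("latin-1", "replace").strip()


def http_fingerprint(host, port, path="/no-such-page", timeout=3.0):
    """Ask for a page that should not exist and return (status, Server header).
    A server that hides itself answers 404 with no (or a generic) Server
    header; a chatty one names the software and version."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    raw = grab_banner(host, port, timeout=timeout, probe=request)
    if not raw:
        return None, None
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split()
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    server = None
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return status, server


def _serve_once(response, banner_first):
    """Throwaway local listener for the demo: answer one client with
    `response` (immediately, SMTP-style, or after it sends something,
    HTTP-style) and go away. Returns the ephemeral port it bound."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]

    def handle():
        try:
            conn, _ = srv.accept()
            with conn:
                if not banner_first:
                    conn.settimeout(2)
                    try:
                        conn.recv(1024)   # read the request, then answer
                    except socket.timeout:
                        pass
                conn.sendall(response)
        except socket.timeout:
            pass
        finally:
            srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def run_demo():
    """Probe the two fake services plus a port nobody listens on."""
    smtp_port = _serve_once(SAMPLE_SMTP_BANNER, banner_first=True)
    http_port = _serve_once(SAMPLE_HTTP_404, banner_first=False)
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]  # bound, read, released: now closed
    tmp.close()
    return {
        "smtp_banner": grab_banner("127.0.0.1", smtp_port),
        "http": http_fingerprint("127.0.0.1", http_port),
        "closed": grab_banner("127.0.0.1", closed_port),
    }
```

Run `run_demo()` and the mail stand-in hands over its product and version before you have typed a byte, the web stand-in does the same in its 404, and the closed port comes back as None. Pointing the same two functions at your own hosts (with permission) is the quickest way to see whether the "disable self-identification" step Geoff mentions has actually been done.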
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
"{blah}...launch the nonprofit center, known as IT-ISAC."
Just say "itty-sack"
"Because I love Pat Benatar." -- Britney Spears, when asked why she covered Joan Jett's "I Love Rock 'n' Roll"
A much better example is that I bought my house lock from Acme and Acme keeps private how the innards works, not revealing the fact they just figured out that all hairpins in the world work just fine if bent in a certain way.
dear lord, /. sure brings in the odd ones, eh?
Port 25 is mail, 21 is ftp, 23 is the default telnet port
I think this is more of a publicity thing. Over the past year or so there have been some pretty high-profile security problems that have made the software industry look pretty bad ('oh my, the mighty Microsoft got "hacked"'). I think they're just doing this so the general public thinks that they're taking security seriously. I doubt it will really change much about the companies' approach to security fixes.
Of course, that's the technical end of things. I don't approve of the social message that sends out. I don't like the trend that the industry is taking with regard to openness and accountability. It goes back to the thing about how the quality of something goes up when it's being developed under public scrutiny (why I love Debian so much!).
noah
However, having a members-only club with sharing of information doesn't directly relate to security through obscurity. Saying that any closed source or hidden method of security is 'security through obscurity' just because it's closed is a perversion of the term. Many closed systems actually have adequate security that wouldn't be compromised if the system were open.
I am curious how they determined the cost for theft of proprietary information. Also this seems like a drop in the bucket compared the time and money that anyone of these companies would be spending on security to begin with.
It's really an unclear decision to make, whether to fully disclose every security hole or to shut up about it until the hole is fixed (or forever, whichever comes first). Both sides have some good arguments justifying their case, but it is unclear which method results in the highest security.
The point of the full disclosure folks is that once a hole is found, it will be exploited by those who know. Therefore it is necessary for everyone to be aware of these holes in order to create counter-measures aimed at closing the hole. Exposing all security hazards also has the side effect of forcing software houses to release a security patch more quickly. Since no security hole is safe from hackers, it makes no sense in trying to hide them from the public since the public (or at least the malicious) is probably already aware of it.
The other side of the coin says that security holes should not be announced for the express reason of preventing massive exploitation of them. This line of reasoning has some solid evidence behind it. *Real* hackers with the ability to find these holes are few in number, but the script kiddies with virtually no skills whatsoever are legion. It is arguable that the damage caused by a few 'in the know' is far outdone by the damage of the kiddies with their point and click hacking devices. Likewise, by the time the exploits are known to places like Bugtraq and the various software houses, the hole has pretty much been well exploited by the discoverers. It then seems that hiding the exploits from the general public seems like quite the pragmatic thing to do.
So which is it? Disclose every exploit openly or hide them until they are fixed? I don't know.
Dancin Santa
Or maybe I'm just nuts... either way, it'd be damn funny (see ironic) to see /. & co. pull this off.
Hi! This is the Sig, blatantly attached to the end of this comment.
Imagine how secure your data would be if nobody knew where it was except you - you wouldn't need any expensive safes or firewalls then.
Not unless script kiddies obtained some sort of "port scanning" software, of course.
If I know I'm being trolled, and I respond anyway, does it make me more or less of an idiot?
Then again, I suppose it isn't good business to admit that your primary email proggy (Outlook) is a bored script kiddies wetdream.
What I want to know is how long do they think they can keep this info from the press? Leaks, Bad!
You forgot to mention one another point that an attacker would reply with:
4. That sounds like a challenge! You're on.
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
What will likely happen is that every bug that comes up will be seriously considered for political and economic fallout and they'll only allow the information that's relatively safe to them get out to this group. So, only the truly innocuous bugs will get dealt with and the big nasty ones will still be out there.
And you know where the nasty bugs will get discussed? Bugtraq!
I'd save my money if I was Cisco or Oracle or what have you. The only possible value in this is getting some dirty laundry on your competitors and that's only if they're dumb enough to tell you in the first place (and if they are that dumb they'll be dead in a couple years anyhow).
---
This sig has been temporarily disconnected or is no longer in service
I find it funny that this (mentioned in the article) was all brought about by President Clinton suggesting that the tech industry create an exclusive "members only" club like this to "promote security". (Of course, this is also the point I stopped reading. Any tech company that takes the advice of a politician....left to your imagination.)
The funny thing is that they are trying to emulate the spirit of open source while still remaining closed. They want to "share" information that could be of great help to them, but they don't want to share that information with the public at large. Something about that just strikes me wrong. Their idea is that they are protecting us (the public) and them from more debilitating attacks, but isn't this entire idea flawed? As the poster I am responding to said, security through obscurity just doesn't seem to work.
Granted, open source isn't perfect. But it seems to do the job pretty well. And apparently the businesses involved in the creation of this new "security" group are aware that an open policy can do some good. But their idea that only they (as in the special multi-national interests/corps) should have this "open" information seems kind of a deterrent to the idea of "open" information.
Opening up your information to a bunch of like-minded individuals in similar situations probably isn't going to solve underlying problems any more quickly. It's the fact that such hugely diverse people can look at the same problem from so many angles that open source projects can solve security problems quickly (when they need to). Letting in someone with a fresh and possibly completely new way of looking at something is always good for any project.
But, another way of looking at this is that they are going out of their way to adapt as many open source ideas as they can without truly admitting that open source ideas work. Maybe eventually someone there will get a clue that if opening things up amongst the companies was good, perhaps opening up further would be better. I don't really see this as a conspiracy. But I think it's kind of funny. Like one of the AC's in this thread said, they've set up their own little closed source version of the OSS community. And the AC is right, it is kind of cute, in an odd way.
------------
You have to be a Cisco employee to view some of the bugs
The Information Revolution will be fought on the command line.
In addition to the NDAs, it's very likely that some members have veto power over new members. A prospect who was seen to be joining in bad faith probably would get their $5k sent back to them.
It works fine in Mozilla 0.7.
I started using it recently at work, at it's muucchh better than previous releases. Still not quite ready for prime time, but damn close.
Yes, with the employees of Oracle (who have no time) and the employees of Microsoft (who have no time and no skills) looking for stuff that hackers already know about, things are gonna be more secure. Please.. Whilst the Cartel is sitting on discoveries so they can take their time fixing the damn things, the rest of the world is going to be doing the same thing it already does, i.e., find bugs and report them. This is just a big excuse to delay releasing patches.
How we know is more important than what we know.
My, the original link really made my eyes hurt, even with Junkbuster.
-- Stanislav Shalunov
You just lost your house key in your front yard on your way out to go to work before you locked the front door. Which would you do: 1) get a bull horn and announce it to the neighborhood and leave for work or 2) keep it quiet, lock the front door from the inside and leave out of the back for work quietly and look for it when you get home. Nuf said people. Stop the black-helicopter conspiracy theories and the if-it-ain't-open-source-its-crap knee jerks for a second and think think think. These companies produce virus alerts and security alerts for the public and nothing they said indicates they won't continue that effort. Their alliance is for two purposes: 1) they are just going to communicate more quickly among themselves next time. There was no formal network response to LoveBug and it cost many people dearly. I know my former firm's mail servers were shut down for two days. And 2) they are going to keep little-known vulnerabilities quiet while they fix them--a good thing (see analogy at start of message). Relax--SlashDot community members must drink too much coffee. Chill out.
microsoft would be scared to let a security audit of the code be performed by a 3rd party.
Actually Microsoft, Sun and many other closed source vendors do have their code verified by 3rd Parties in order to gain ITSEC (now CC) evaluations.
But really, your point about the poster being one with a grudge, and directing you to the target of the grudge. On the other hand, this illustrates where security through obscurity does work - misdirection. Sure, the first time someone looks at your hand instead of what you are pointing at, you are a sitting duck, but all the time it does work is time that no one scrutinizes the real security that's in the hat.
+1 Mixed Metaphors
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Expanding a vast wasteland since 1996.
You are one scary dude. Betchya own some black metal albums too. :) Nuff said.
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
Here's a couple clues for you all who freaked out about this, the world doesn't revolve around security announcements and none of these companies are obligated to tell anyone jack-shit about their security problems. Its not like these companies were quick to share security information with anyone before. People will continue to find security holes in products, both open source and closed, and big companies will continue to drag their feet fixing then. No big change here.
If you're really looking for a corporate group to fear, try the World Economic Forum. A thousand of the most powerful CEOs, bankers, politicians, media moguls, etc. meet in Davos, Switzerland every year to decide global economic policy, i.e. how to increase the flow of money from the lower and middle class to the upper class.
And as for the poster who suggested that Bill Clinton should be shot over this why don't you try moving to the Congo, the president was just shot and killed there today. Let us know in a year or two whether you enjoy living in a country where policy is made with a gun rather than through free and open debate.
So now, when a hole in Oracle is discovered they can immediately put it in the M$ SQL server brochures to make their product look better :-)
I have to wonder, tho, if the original poster has a grudge against americanwiccan.com? Call me cynical, but I suspect something like that...
:)
No, I'll call you ragingly paranoid--which is good, that's a compliment, I like that.
At any rate, I sent off mail to the people over at Americanwicca.com, telling them that they might be the target of malicious attacks as the result of that Slashdot post. So we've given them some warning, which is about all we can do in this situation.
Translate to computerese to fit your desires.
Good point. Even if these organizations do attempt to close ranks, it only takes one employee with access to the reports and willingness to leak them to ensure that outside parties "discover" the same holes that the club members do.
There is no such thing as a productive meeting with 19 entities. It will be on this order:
(Mr. Jones) uh... uh... what's port 23?
(Mr. Smith) (inaudible) Oh that's the Frabazz port.
(Mr. Gates) When I was writing DOS...(inaudible) any ports at all.
(Mr. Wilson) um...fscken kiddies
And so on.
What will come of this is blathersgate. These fellows will have a marvelous time pulling one anothers' puds and releasing statements. Nothing productive will emerge.
I figure if a bunch of us throw in a bit of money, Slashdot could join this exclusive club, and then we'd get access to the reports on all the unpublished, undiscovered holes and bugs that the marketroids are hiding from us.
So, I pledge $5/year for this endeavour.
Some evil haxor has hacked MSNBC so that it won't work with netscape.
134340: I am not a number. I am a free planet!
So the big players share their security holes with each other? Will this stop DDOS attacks? Perhaps, if CISCO puts a patch on their routers to Prevent fragmented packets from hitting Microsoft NT boxes (do they allready? they should!), the world may be a better place. But, what about tiny security bugs that no one knows about but the industry big players? "Oh that bug? I'll fix it next week sometime." Meanwhile, it's discovered by a clever 14 year old and half the Internet's servers crash. They only way to improve security is to 'Put [security bugs] on the front page of every major newspaper for any hacker to see'. This way, THEY GET FIXED. No more committees. No more talk. No more PR BS. PUBLISH IT. FIX IT.
-Ignore this post, please- NoOneSpecial
The only way to true security is through open source. You can't hide your security flaws behind a binary and expect people not to find them. Open source lets the entire community find security flaws - and patch them. The point is not to create a product which has no apparent security flaws, it is to make a product with no security flaws period.
It has been proven time and time again in life and with computers (especially NT) that trying to hide security holes just doesn't work.
So, keep your code open and let others find its flaws.
Do you sleep well at night?
I sure wouldn't, knowing that anyone who decides to get information about my website would be able to crack it.
Let's compare this to a game of hide and seek.
If you have played hide and seek, you know that no matter where you hide, you will be found. Unless you are in a place that the seeker cannot get access to, you will eventually be found.
Yes... in your example, in the physical world, if you can't find it you can't have it.
That's also its weakness. The main point is that there is no way that you would even know. As with most security holes in closed programs, no one knew... or really had the capability to know until that one person found it.
It may have taken a while but things like "Netscape engineers are weenies" do get found.
Let's take a look at this page:
http://www.w3.org/Consortium/Prospectus/Joining
Hmm, looks like joining W3C costs 50 grand a year for a company, nearly ten times the amount proposed by this security group. Non-profit/educational access costs $5k annually, the same price as this security group. How come nobody accuses W3C of being an "information cartel"? Simple... it's not, and neither is this group. $5k per year is nothing for a company that is interested in security issues, even a small company.
How is keeping a vulnerability secret until you've got a fix for it "security through obscurity?" There's a big difference between releasing source and releasing vulnerabilities. Releasing vulnerabilities only guarantees that they'll be exploited.
Even the mighty Linux community sometimes keeps vulnerabilities secret until a fix is released.
What makes this security through obscurity rather than good security practices?
Won't some strong virile slashbot please explain it to timid pert little me?
--Shoeboy
We should be fair, and be unbiased. There is nothing wrong with security through obscurity. It is a helpful element in any security arrangement, ever since Blackbeard buried his treasure in the Caribbean. Thanks!
I am being fair and unbiased. Security through obscurity never works.
Read a few books on cryptography, and then come back with a clue.
Somebody as naive as you should NOT be using the ship name of an AI several billion times smarter.
If Banks were dead, he would be turning over in his grave.
PS. Nice Troll.
IIRC, Senator Lieberman endorsed their work, and asked them to continue doing what they do best. This new group is a reactive measure, spouting the same tired old tripe: posting security issues on the net encourages hackers. This is complete BS. Hackers will find a way to hack, with, or without L0pht, and with or without the "IT-ISAC".
std::disclaimer<std::legalese> sig=new std::disclaimer; sig->dump(); delete sig;
Okay, so now if there's a major security flaw in something, these people share it among themselves, then give out a 'product update' to their customers while glossing over the details, so that the users of the software are completely unaware that there was a major flaw/they could have already been compromised/what crappy software they are running.
;)
Imagine what it would be like if the whole Outlook-executing-any-old-VBScript thing (not that I have to worry with the OS I run) were kept quiet. The public should know about these things; it just gives corporations another way to cover shit up... next they'll be forming their own government.
A sterling example of an historical BOFH.
Blackbeard had other deterrents to those who knew his secrets, and might be tempted to steal 'is loot. Your basic shooting, stabbing, beating, keelhauling, or walking the gang plank all have their place.
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Considering this was brought on by the government (President Clinton to be exact, read the article), I doubt too many government officials are going to oppose it. Even if they get loads of mail over it. Unless those loads of mail contain as many dollars as the kick-backs and other money they receive from the players involved in this move, I really don't think anything will be done to prevent it. Not to mention that the government seems to really be working with the big multi-nationals to make them bigger and more consolidated. The reasons? Well, if you want the conspiracy reason, probably because a few sources of information are much easier to regulate (i.e. control) than large numbers of smaller sources of information. One large corp (supported and enhanced by the state) would be much easier to watch than the multiple small corps that exist today. Not that government usually watches all that closely. Unless, like MS, the corp in question gets a little too greedy and leaves the government out of one or more of its schemes.
Most corps have caught on. Work with and through the government. Don't work against them. Maybe MS has finally adopted this idea too. With Gates out of the real lead, perhaps we will see them making some more smart moves.
But seriously, this probably isn't that big of a deal. Just an attempt to 'open up' on what they consider industry secrets with others within the industry. Unless they start colluding on prices (price fixing) and features (you offer this, I offer that and they have to purchase both), I don't think the government could intervene even if they wanted to. But I could be wrong on that. My legal interpretations occasionally are questionable.
*cough*ftp*cough*telnet*
I need some *cough*smtp=mail=25*cough* medicine.
But your points are well taken...I have to wonder, tho, if the original poster has a grudge against americanwiccan.com? Call me cynical, but I suspect something like that...
James - I summon the unholy demons of apathy, sarcasm and cynicism!
Where's the incentive for a corporation to fix a security hole if they know that they can effectively keep knowledge of the existence of that hole a secret? Fixing problems costs money, covering something up is (usually) easier (i.e. cheaper) if you can catch the problem before knowledge of it grows out of hand.
Your point about script kiddies is well taken, however you have to admit that nothing motivates a corporation to fix a problem more than public attention on that problem.
My opinion (for whatever it's worth), is that attempting to keep knowledge of flaws in your product a secret is self-serving and unethical. At the very least, even if you don't have a fix for the problem, your customers deserve to know that the problem exists and if there is any way they can work around it. The corporations are *supposed* to be in business to serve their customers, not themselves.
--
www.scorbett.ca
Damn length limit. Anyway, what the hell is so damn bad with security-through-obscurity? Why is it conventional geek wisdom that it is "really no security at all"? When items of great value are transported, how is it handled? They have great physical security in the armoured truck, but they also use obscurity, in that they don't advertise the time they will be moving in the New York Times. In fact they don't even tell the driver and others until the day they move, and how the person actually carrying the item may not be the guy with the briefcase handcuffed to his wrist, but could be any one of the other guards. You need to KNOW who is carrying it to steal it. You want as few people to know this info as possible.
I have always used the analogy that cryptography is like a safe: it limits physical access to the data/material. But you don't put your safe in the middle of a room, you hide it in a closet or in the floor, etc. This provides another layer of protection, of varying effectiveness.
Some famous bank robber was asked why he robbed banks, and he replied "because that is where the money is." Even though this was a humorous remark, it makes my point that because everyone knows that banks have money, that is where they go to get it. But what if you couldn't tell a bank from any other building? Then you would have to find out which damn building to rob before you could actually rob it. This ends my rant.
Numbers 31:17,18 Now kill all the boys. And kill every woman who has slept with a man,but save for yourselves every virg
The problem with security by obscurity can perhaps be understood best through your reference to Blackbeard's treasure. Blackbeard buried his treasure with the thought that if his enemies couldn't find it, they couldn't have it. The problem with relying on this as a security measure is simple: if they can find it, they can have it -- you don't have any other way to protect it -- and one fine day when you go back to reclaim your treasure you discover some elderly guy from Florida with a metal detector has waddled off with your ill-gotten gains. Yo, ho, ho, and a bottle of rum.
The situation is much worse with respect to the internet, in which there is a small (?) army of script kiddies, all armed with metal detectors and pickaxes, randomly digging holes all over the place for the sheer destructive hell of it, and in which you've conveniently placed a sign (your URL) on top of your treasure. The question isn't whether one of them's going to find the treasure, it's how far will they have to dig and will they be able to break the lock on the treasure chest when they get down there.
... they're colluding to fix output and prices. Laws against collusion and cartels are NOT made to prevent corporations from "patting each others' backs and shunning the upcoming little guy." They're made to prevent producers from splitting the market by limiting output, creating shortages, high profits, and above-equilibrium prices (e.g. OPEC). Unless this is happening (and I doubt it is), this isn't any different from any other industry group, such as the collective of milk producers that pays for those clever "got milk?" ads.
Cheers,
IT
Power corrupts. PowerPoint corrupts absolutely.
Moral of the story: security through obscurity doesn't work. It's a numbers game, a calculated risk, and the risk involved is far higher than other more proactive forms of security.
I don't follow your logic, you're saying that since you know one story where the govt failed to hide their operation, then security through obscurity doesn't work. If you can't think of more than a handful of those stories for every war we've had, then the govt obviously has had far more success than failure with their technique.
Also, if a single example proves something to be a worthless concept, then security without obscurity has also had plenty of its shares of defeat.
Would you be willing to do all your online banking if your bank told you, "We don't bother to encrypt your financial records or firewall our system from malicious hackers--but don't worry! All the data is kept on a URL so obscure nobody will ever come across it!"
Security through obscurity doesn't necessarily mean that their security IS obscurity. They would have regular security measures in place; it's just that they wouldn't release exactly what they are.
2. "We don't use any security measures to speak of"
Same thing as above, they're not saying that their obscurity is their only security, only that they believe obscurity enhances it.
-j
There have been plenty of flaws in Microsoft products that took the company a few months to publicly acknowledge, such as that nasty one where people could execute code using a buffer overflow in Outlook.. I guess they can use this secret society to communicate with partners about flaws without admitting their guilt to the world.
From the article: "THE OVERRIDING GOAL is to protect ourselves from cyber-hazards, whether they be deliberate attempts or accidental events," said Guy Copeland of Computer Sciences Corp.
An accidental event?! I can see it now: "Whoa, what was that? Did I just overflow a buffer or something? What the fsck is that root shell doing there????"
So now these large corporations are going to be sharing vulnerabilities with each other. I don't know about everyone else, but I trust Microsoft almost as much as I trust the 12 year old down the street trying to infect users with back orifice.
These companies are composed of people, people who could leak these newly found vulnerabilities to the script kiddies anyways, or use the vulnerabilities themselves.
Ok. Done...
IT-ISAC Reporting Society: Join our reporting society and earn $400 cash for any new security exploit that you find and report! Terms & Conditions: ..... blah blah .....
5(g) Reporter agrees to refrain from disclosing to any third party and refrain from publishing, communicating, transmitting, or posting the Exploit, in any manner, other than as provided above in 2(a) Reporting Procedure. ..... blah blah .....
If you've found something, unless you have a strong personal interest in free security information, why wouldn't you want to make a few bucks?
I have the strong impression that all those coalitions will make things go worse.
They will understand that, even if it won't improve the actual situation, a "security through obscurity" environment will at least give them some sense of power.
They will put aside all rivalries and join together to create at least an alliance against a common enemy: Insecurity. But how will they understand that the great majority of the dangers involving security are due to human incompetence?
Will they virtually stand up against idiocy? Will they fire their own employees because they can be the weakest point of their network?
Or will they just cover this up and create a virtual enemy, pumping the figure of the 'oh-my-god-it's-scaring' so-called hacker?
Now they are rivals, but soon they'll be together (as who knows how many other companies) against freedom of knowledge, against the fact that the human being must learn through its mistakes, and so on.
My only hope? That they'll soon break this alliance, because there's no such thing as a common enemy, and if they won't understand, they'll just fight against windmills until they're tired. They'll create smaller and internal alliances, they'll fight each other's assumptions, and in the long run nothing will change.
Perhaps I'm hoping too much..
As the Latins said, "divide and rule": "The 19 founders represent some of the industry's largest firms, but they come with historic rivalries. Cisco and Nortel Networks compete bitterly in sales of computer-networking hardware. Microsoft was found to have violated antitrust laws to influence contracts with AT&T and IBM; Oracle has admitted to hiring private investigators to dig through the trash of groups supportive of Microsoft. Can these companies, in an industry known for unusually aggressive executives, ever trust each other?"
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
This is exactly the sort of thing antitrust laws are intended to prevent: collusion among market dominators, patting each others' backs and shunning the upcoming little guy. If you're not a major conglomerate like Oracle or Microsoft (much less AT&T and others), you can't possibly break into this information cartel. Don't people understand that information is the currency of the new age?
Having a cartel like this is not only unnecessary; it's plain wrong. It simultaneously flies in the face of libertarian notions of self-help and of liberal notions of the omnipotent government who can protect citizens and corporations on its own. Like so many areas of our economy, things were just fine until the corporations decided to start merging into one giant monopolistic hairball. I urge you all to write your congressmen and senators. This must be put to a stop.
Members that discover a new cyber-threat -- a new strain of virus or a break-in method that foils existing electronic defenses -- will be able to send detailed warnings to the rest of the group via e-mail, telephone, fax and pagers.
I wish I had $750,000 dollars to sink into a non-profit center so that I could email, telephone, fax and/or page my friends when something important happened.
*Sigh*
Too bad only big buisness has these capabilities. I guess I'll go feed my carrier pigeons now.
--Shoeboy
"Tech firms team up against hackers"
With the current boom in open-software products and the increased visibility to ordinary computer users, some of the Industries (monopolistic computer firms) decided to team up to be able to tackle these problems. "Linux is getting too big and these hackers are causing us way too many losses," said one OS rep (who then took a Jobs-style approach and started cursing!).....
ohhhh wait wait... stop the presses, that's the wrong story... this one's about crackers......
Non-Deterministic Finite Automata
I can see the news story now "The Information Technology Information Sharing and Analysis Center website, used to share vital security information among members including Micro$oft, Oracle, Inhell, and more, has been shutdown after it was discovered that hackers had broken into it months ago and had replaced the real security and hacker info with false information making it even easier to gain access to systems from these companies"
Top Most Bizarre/Disturbing Error Messages
Another way this is bad: we have CERTs for a reason - to deal with this kind of thing. By forming this "coalition", they're further fragmenting the system of disaster recovery. CERT.org was created some time ago just for things like this, and it doesn't cost $5k a year to get warnings. It's free.
Propaganda is the best term for this, and marketing is a close runner up. If they really want to team up and help stop attacks on computer systems, they can work with everyone else instead of creating a members-only club.
My karma's bigger than yours!
SIG: HUP
And in the case of incurable viri, I think the cat would be outta the bag long before any one of these guys gets a chance to warn the others. Maybe virus writers should find a way to only target these companies and make this cartel actually serve a purpose.
As many if not all of the companies listed in the article currently provide some form of security notifications to their customers, how is this going to really change anything? Many of these companies are rivals, and have not in the past freely given out information, especially on security flaws in their products - will this new "openness" really come to pass? It is also often common that rivalry will mean that in a sales situation your local 'friendly' Corporate salesperson will quote flaws and vulnerabilities in a rival's product - will this new group simply give sales guys more ammunition, or will it really help cure problems before they escalate? (I do believe this is the original intent, but simply can't believe it will work).
"Linux users never complain about Microsoft. They don't need to!"
This is no different from my favourite OSs, the BSDs. They prefer to fix the holes and are usually in the -STABLE branch for a week or so before they announce the holes to the public.
If the hole is found by someone on the outside they usually issue a warning while working on a fix.
OpenBSD does this to the extreme: they fix the holes and don't mention it, because it's obvious to run cvsupd if you are a BSD guy like me.
Note that Blackbeard the pirate ensured his security through obscurity by murder. Not the most enlightening example. And I noticed above, you publicly admit the name of the site you're supposedly closemouthed about. What happened to not talking about security? I'll have to give that subnet a quick scan, to see if any simple, dumb mistakes were made by one set of eyes that could be uncovered by many eyes.
Security through obscurity just plain doesn't work.
This situation is in clear violation of the Sherman Antitrust Act. It is a group of all the top businesses making individual business decisions based on a membership-only basis. The fact it is so cheap has nothing to do with it. Businesses like Oracle, MS, IBM, Cisco, et al. will have some serious inside information, not just in terms of stocks, but also compatibility, design, and security specifications. This kind of info would do nothing but help these businesses acquire info in their trade w/o learning it the same way the rest of us do. Think of what that would do to the industry. This security "cartel" is exactly what the Sherman Antitrust Act was set up to prevent. This is a horrible, horrible, horrible alliance.
BTW--I'm not planning on putting up the dough to join and do you know why? Whatever I think about the changes this alliance would have no impact on the overall courses of action these businesses would take.
Finder of the any key.
Since all the "What is CERT for?" and "Bugtraq rocks my scary little world" posts seem to have been made, I thought I would point my slashbot tendencies at the Treaty of Rome.
<SLASHBOT>
The EU will soon be *easily* the largest economy on the planet (except China. OK, Maybe India. You know what I mean). 500 million eager consumers with shedloads of cash. Enough cash to support some *very* fat lawyers. In the EU, we send our fattest, most offensive lawyers to Strasbourg, where they can do most harm.
Then we have this little thing called the Treaty of Rome, which has much the same purpose as the US Constitution, except you can't fit it on a sheet of A4, no matter how 'leet your PostScript skillz are.
Article 85 of the Treaty of Rome says some interesting things.
One of the things it explicitly forbids is arrangements to establish contractual conditions that bear no direct connection to the subject of the contract, like tie-in clauses.
Now, if global giants like Sun, Cisco, Microsoft etc. use a forum like the one they have just set up to restrain trade, you wouldn't need a lawyer to win an antitrust case against them. My blind old dog (if I had one) could win it.
</SLASHBOT>
So, there you go. If they do *anything* that pisses off the EU commission, they'll get nailed to the proverbial tree.
For those too stupid to work out how to get rich here, all you need to do is to start up a tech company that relies on one of their products in a way that directly competes with them or one of their "valued partners", wait for a security flaw to be announced, prove that they did not disclose it to *all* their customers at the same time and *BLAMMO!* a lot of fat lawyers get even fatter over a period of several years.
If I had ~50 million Euros to burn, I'd do it.
Share and enjoy.
Yeah, I don't know what I was thinking of. I goofed.
"Three can keep a secret if two of them are dead." -- Benjamin Franklin
eudas
Blessed is he who expects the worst, for he shall not be disappointed.
RSA doesn't rely on 'prime numbers being obscure'.
It relies on the (as of yet) fact that multiplying is extremely fast and easy, and factoring is time-consuming and difficult (although parallel-izable).
Soma: because a gramme is better than a damn.
Yes; there's a fine line. Good security means that the variable, secret part of the algorithm is small and well-defined, and that there are no secrets elsewhere in the system. The first step towards an analysable system is to separate key from algorithm. All the secrecy is concentrated in the key. And the key should be 100% random - pure entropy.
Among many other benefits, this enables us to answer the question, "How many bits of entropy does the key have?", which also says, "How long would it take to brute-force this system?"
Many failures of real-world security occur because users didn't know which parts of the system needed to be secret - they were told 'everything is secret'.
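As an added example, not from any post in this thread, this Python script does the bookkeeping the comment above describes: it counts the entropy of the key, counts what a hidden design choice adds, and converts the total into an expected brute-force time. The guess rate and the three compared designs are constructed assumptions.

```python
"""Added example (not from the thread): measure where the secrecy in a
system lives, in bits, and what that means for brute force.

A design that concentrates all secrecy in a random key can state its
strength as "n bits of entropy" and turn that into a brute-force cost.
Obscurity (a secret choice among a few algorithm variants) can be
measured the same way, and the comparison shows how little it buys.
All rates and scenarios below are constructed illustrations.
"""
import math
import secrets


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices."""
    if alphabet_size < 1 or length < 0:
        raise ValueError("alphabet_size must be >= 1 and length >= 0")
    return length * math.log2(alphabet_size)


def obscurity_bits(secret_variants: int) -> float:
    """A secret choice among N equally likely variants is worth log2(N) bits.

    This is the entire contribution of "we won't say which algorithm we use":
    an attacker who enumerates the variants pays only this much extra work.
    """
    if secret_variants < 1:
        raise ValueError("need at least one variant")
    return math.log2(secret_variants)


def total_secret_bits(key_bits: float, secret_variants: int = 1) -> float:
    """Key entropy plus whatever the hidden design choice adds."""
    return key_bits + obscurity_bits(secret_variants)


def expected_bruteforce_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret of `bits` bits.

    On average the attacker tries half the space before succeeding.
    """
    if guesses_per_second <= 0:
        raise ValueError("guesses_per_second must be positive")
    return (2.0 ** bits) / 2.0 / guesses_per_second


def random_key(n_bytes: int) -> bytes:
    """Key generation from the OS CSPRNG: every bit is (ideally) pure entropy."""
    return secrets.token_bytes(n_bytes)


def compare_designs(guesses_per_second: float = 1e9) -> dict:
    """Constructed scenarios, returned as {name: (bits, expected_seconds)}.

    - "open algorithm, 128-bit random key": all secrecy in the key.
    - "secret algorithm (8 variants), 16-bit key": the "everything is
      secret" design; the hidden algorithm choice adds only 3 bits.
    - "four words from a 2048-word list": a passphrase, to show the same
      bookkeeping applies to human-chosen secrets (44 bits).
    """
    designs = {
        "open algorithm, 128-bit random key": total_secret_bits(
            entropy_bits(256, 16), secret_variants=1),
        "secret algorithm (8 variants), 16-bit key": total_secret_bits(
            entropy_bits(2, 16), secret_variants=8),
        "four words from a 2048-word list": total_secret_bits(
            entropy_bits(2048, 4), secret_variants=1),
    }
    return {
        name: (bits, expected_bruteforce_seconds(bits, guesses_per_second))
        for name, bits in designs.items()
    }


if __name__ == "__main__":
    print(f"example 128-bit key: {random_key(16).hex()}")
    for name, (bits, seconds) in compare_designs().items():
        years = seconds / (365.25 * 24 * 3600)
        print(f"{name:45s} {bits:6.1f} bits  ~{years:.3g} years at 1e9 guesses/s")
```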
groan....
tagline
... hi bingo
This is another one of the disturbing security trends I've seen recently: the way some companies--and in this case several together as a group--turtle in the face of security threats.
If you ask me, there should be less reaction to this sort of thing and more action. I don't hold a lot of faith in the big companies any more. I believe in the little fellows who work on stuff like the BSDs (now -they- understand security issues).
Hell, that Interbase backdoor wasn't dealt with by Borland/Inprise, but by OSS hackers. I say bring security concerns into the light, and let some more open minds worry about things like this. As a user and developer I would like not to be left in the dark by these close source, and closed minded people.
Beware the Whyte Wolf.
With a gun barrel between your teeth, you speak only in vowels...
Talk about letting the rhetoric begin. You build up this big straw man and expect people to knock it down. Well OK, "poof" your straw man is blown down.
The Open Source argument is about access. It's about giving everyone (yes, even the bad guys) access to the source code. In a closed source world, the bad guys may already have access to the source code, but you certainly do not. The opportunity to find and fix things, such as security vulnerabilities (and backdoors), exists.
If you can't grasp this, then you've missed the entire point behind the free (as in speech) software movement.
The "security thru obscurity does not work" argument refers to security that depends on obscurity to succeed. If your entire security model rests on the proposition that no one must even find out how it works, then your security model fails the moment that obscurity evaporates. Which is a bad security model. Plain and simple.
Python
So what - will they withhold vital info to help prevent hacking until you join their group or buy their solution - it could happen!
Top Most Bizarre/Disturbing Error Messages
If you didn't get the above sentence, don't bother reading the rest of the article, because the companies involved in this are making money off of the habits of skript kiddies abroad ($5000 for membership). However, does anyone here smell a rotten apple? This is what we want to avoid in the security industry today, because now the crackers have *something ELSE* to crack on? I think it was said best by Microsoft: "That vulnerability is completely theoretical!". The potential of this "team" is completely theoretical. l8rz
Leave me alone, I'm drunk.
This policy will only matter in the event that someone within one of these companies is the first person to discover the flaw.
Given that many flaws will be found by people outside of this group, and that it only takes one source to leak a flaw, I doubt this supposed secrecy will be very secret.
Personally, and maybe I'm off-base here, I think a more public forum - though significantly more discreet than modern media - would better suit addressing security issues than a privately vested group. I mean, great, now all the "big" tech companies are helping to cover each others asses. But who's looking out for the mid-sized companies, the small companies? Sure, we could say that the big fish are going to be targets for problems more often, but that's really narrow minded and a bit selfish.
Anyway, I'm glad to see this happen, but I would feel better knowing that they were looking out for more than just themselves. Perhaps I'm becoming more idealistic lately? I don't know. Perhaps I misread what the article was saying? Anyway, there you have it, my (our) take on things.
Looks like we missed out on some juicy patent discussions whilst we were out... damn.
Hi! This is the Sig, blatantly attached to the end of this comment.