Microsoft Blames the Messengers
Roger writes: "In an essay published on microsoft.com, Scott Culp, Manager of the Microsoft Security Response Center, calls on security experts to "end information anarchy" and stop releasing sample code that exploits security holes in Windows and other operating systems. "It's high time the security community stopped providing the blueprints for building these weapons," Culp writes in the essay. "And it's high time that computer users insisted that the security community live up to its obligation to protect them." See the story on Cnet News.com."
It's probably high time that Microsoft stop building houses made of straw to defend against big bad 'net wolves... It'd sure make a lot of our lives easier...
---
Information wants...you to shut your pie hole.
And by providing sample code we as administrators are shown exactly where the weakness is.
Everyone here knows that.. I'm just posting to be an asshole
-- 'The' Lord and Master Bitman On High, Master Of All
boy, we're sure learning that lesson fast!
They're trying to say "stop finding holes faster than we can make...err...fix them". My my what a cheap political backstab.
I am !amused.
there are 3 of them pointing at you....
I think the author/Microsoft should not forget this.
Moose
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
Much better that the "black-hats" "secretly" circulate the information.
</sarcasm>
If the security experts didn't find and publish the holes, good luck on Microsoft making the fixes a "priority".
Yes, just like keeping Cryptography code secret improves the algorithm. I agree that the company should be notified before the flaw is announced, but seriously, the entire point of a security response center is to inform users as to vulnerabilities...
first post!
Yes, I realize that this isn't a fix, but if obscurity makes it just a little harder for people to do bad things then I don't see why it's such a bad thing. Especially in the case of Microsoft, where only they can fix the source, why should the security companies publish the source on the web instead of sending it directly to Microsoft? What gains are there to be had by having the source displayed all over the web?
Doesn't Mr. Culp have it backwards?
If you don't tell anyone that the construction company used shoddy materials, then no one will figure out how to make the building collapse!
---
"Of course, that's just my opinion. I could be wrong." --Dennis Miller
Attempt to make this drivel effective in the light of the terrorist events.
...Windows®, Linux, and Solaris®...
What's wrong with that picture? Linux *is also* a registered trademark, Microsoft. I suggest you recognize it as such.
Linus, kick some ass here.
Blech. Signatures.
Because, if the security hole didn't exist in the first place, then Microsoft wouldn't have to worry about all this bad press starting to cost them business; and more importantly mindshare.
there are no stupid questions, but there are a lot of inquisitive idiots
"Hackers don't hack Windows machines... bad code hacks Windows machines."
Y'know, if they didn't have so many bugs, there wouldn't be anything to release, and therefore, no 'weapons' to build... it's kinda like an army making a tank with wooden components inside, then getting pissy when the other army brings flamethrowers and napalm...
We know there is a hole... just leave it alone!!
Nice. Next thing you know, they'll be releasing a proxy server called the Microsoft Condom.
may i have your attention please! the bi-monthly slashdot "bash microsoft festival" is just getting underway.
calling all braindead moderators to mark anything remotely anti-microsoft as insightful.
Information Anarchy? What? Do doctors complain about information anarchy when patients research treatments for diseases on the web?
Doesn't this guy realize that our systems are becoming more secure every day, now that people have to take worms, trojans and DoS attacks seriously? Maybe he should get back to securing Microsoft products and spend less time complaining about system admins trying to share info.
Messengers don't kill computers. People kill computers.
Why is this concept so hard to understand? The gun companies laid this out clearly many years ago, and there's no arguing with the logic.
On a clear disk you can seek forever
If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found.
And hiding all these security flaws would have made Windows more secure? Your product is not secure, stop passing the buck.
And just how am I supposed to know I've patched a hole if I don't know how it gets exploited?
-- Don't Tase me, bro!
It's high time we stopped teaching Chemistry and Biology! People are spreading information that essentially maps out exactly how the human body works, which allows for all sorts of chemical and biological weapons! And explosives, too!
In other news, Master Lock wants to release a new model made out of twine and butter. They ask the community to avoid discussing the security of the lock, since they anticipate it getting deployed widely, and once the ButterLock is being used to secure mission-critical systems, it will be extremely important to keep its flaws a secret.
--
Mod up a post Rob doesn't like and you'll never mod again
By putting out solid information, people who find these exploits are doing two things: Giving the programmers specific information with which to fix the problems, and giving script kiddies some really damn good instructions for hacking into a box.
The system relies on the reaction time of the programmers.. can they supply a patch before the crackers supply an exploit?
Those of us in the *nix world seem to do pretty good.. for all sorts of reasons you don't need to go into here. Windows? Heh.. it can take months for something to get patched up. No wonder he's mad that these 'blueprints' are being provided. It's simply an extension of the security through obscurity mode of thought.
gosand
My beliefs do not require that you agree with them.
Have you ever stood up and hit your head on something *hard*, and then in anger punched whatever it is you hit your head on, even though it's your fault? Apparently that's the Microsoft Certified way to handle security.
In other news, Microsoft has purchased a secret weapon of vast destruction, code named Blamethrower. It strikes out at random targets, displacing reality at near the speed of light.
Zot!
Any connection between your reality and mine is purely coincidental.
it's high time that computer users insisted that the security community live up to its obligation to protect them
I'm not sure whether anyone, other than law-enforcement agents, is obligated to protect computer users, but if anyone is, surely the people who produce the software are more obligated to prevent or solve these problems than are those who merely report on them.
Is this, along with the U.S. government's warning to news agencies to be careful what they broadcast, a sign of a new trend?
Several times we've seen security experts say to a large company, "Hey! there's a nasty exploit here!" The large company indicates they'll fix it and ignores the problem. Only when the exploit is publicized do companies like Microsoft actually take the effort to fix the code. Releasing the information is the only way. Perhaps out of courtesy the security community could give the company with the bug a week's notice.
I thought most security exploits that get released by the major groups are usually passed through MS first and allow them time to provide a patch before issuing the details of the exploit. So why are they so upset? It's not MS nor the security experts who are at fault for not patching machines. At least by publishing them they are provided an incentive to stay on top of security holes, instead of simply allowing them to remain secret. I mean none of the major exploits lately (Code Red, Nimda, etc.) have used unpublished exploits. So this shows a failing in MS's procedures for keeping admins informed and a failing in the admins for keeping on top of their networks. It's such a non-issue, I think MS just wants to preempt lawsuits or some other such silliness.
boy, what a concept.... You find a big gaping hole in our security, don't share it.... it will go away on its own. Isn't this what the concept of tiger teams is all about? The reason most people share security flaws in MS products is to force MS to action in regards to them. MS has demonstrated in the past a reluctance to do anything about security issues and has only reacted when the issue was made public.
Gee Bill what do you want to do tonight?
The same thing we do everynight Steve, take over the world
Fly Fish? Participate in our forum
Amendment I
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of
the people peaceably to assemble, and to petition the Government for a redress of grievances.
ubi est Trolligula...?
I'd wager this is the first volley in another push by MS to cover their asses by legal means. I see another push to make the release of any information that shows weaknesses a criminal activity. Expect lots of flag waving, anti-terrorism rhetoric to be sprinkled throughout, and some suspect demands that seem to be more motivated at gaining market share than protecting machines.
God damn... when did I get so cynical? Oh yeah, after reboot #3 of NT 4.0 today. {grumble grumble grumble}
Although the source of the message certainly lessens its credibility, they have a point. Things like the Honeynet Project have shown a huge _lack_ of intelligent attackers in the wild. The endless waves of attacks filling the internet are pulled off by script kiddies, many of whom can't mount a drive, compile a file, or even write a script. And we are feeding them. If we really want things to get better, we have to find a societal solution for the problem. It certainly seems to me that the full disclosure paradigm at least needs to be scrutinized, if not dumped altogether.
Of course, MS just wants to skirt responsibility for negligence on their part.
"You spoony bard!" -Tellah
What a great idea! Then all the malicious hackers will know how to exploit security holes, while those in charge of security won't. Wait a second...isn't that kind of like asking security guards not to carry guns, because those guns might hurt someone?
Hmm, this has always seemed to be a hot discussion...I'm all for full disclosure, but is it really necessary for people to include exploit code?
One argument is that it can help people to test their systems for vulnerabilities, but I think that exploit code is not strictly necessary for this. People who really need it to test systems are in a position where they should have the capability or the resources to generate a "test script" for themselves, once given an accurate description of the vulnerability.
Making code exploits freely available possibly creates more opportunity for the low-life script kiddies who often don't appreciate exactly what they are doing, or the mechanics of the exploits that they are using. Why should we make it easy for those guys?
My opinion on this element of full disclosure is still not complete though, and I am fully prepared to be convinced... :)
-- Pete.
Monochrome - Probably the UK's largest internet BBS
It is good to note the use of the terrorist rhetoric, "...blueprints for building these weapons...". Talk about riding on the coattails. This seems more like a line out of the evening news than a statement about software security. Spin doctors working overtime on this one.
In other news, consumer advocate Ralph Nader urged leaders in the auto safety industry to "stop finding safety problems with automobiles. We can surely trust the automakers to make their cars as safe as humanly possible, without sacrificing their profit margin, and with no need of safety crash tests."
-dan
into unix? into punk? check out unixpunx
Microsoft intends to force the issue and to call on security experts to draw a line between responsible disclosure and arming people with the tools and software needed to attack computers, said Culp.
"(We) don't purport to have the answer to the problem," he said in a Wednesday interview. "But we believe that these practices are harmful."
Of course M$ believes that these practices are harmful, they've been the ones getting attacked the most. It's actually M$'s fault, because their software is still developed as if it was running on a non-networked, stand-alone PC. Until they decide that their software is to be used on a network (oh, my god...) M$ software will be the most hacked shit out there.
--- Think of it as evolution in action ---
In related news, Ford reprimanded crash test labs for disclosing and showing the world the exploding gas tank in the Ford Pinto.
F*cking idiot. They're willing to blame everyone but themselves for the fact that they have such easily exploitable software.
BTW, to back up this claim, I urge everyone to read up on how exactly how ILOVEYOU and SIRCAM were so popular. ILOVEYOU didn't even need to exploit anything!
...and if you have software which is THAT easily exploitable, maybe you deserve the criticism, rather than blaming the security industry. If nobody published anything on exploits or viruses, e-mail viruses would be even worse because nobody would realize that the way ILOVEYOU ruined their system is by reading the e-mail called ILOVEYOU, which ran a script automatically, and everybody would be busy reading a file to have your advice.
It's been a long time.
According to the article, each of the latest worm attacks was preceded by security bulletins which happened to contain exploit code.
Hate to break it to MS, but all this indicates is that the security sites work. That's right. The people who have access to the code to fix the bugs were given notice. If these bulletins didn't exist, you can bet the worms would have still been created. Remember Code Red II? MS had a fix out months before CR2 hit the web, yet it still managed to infect thousands of machines.
Security bulletins (even with exploits) are not the problem. The holes in buggy software are the problem.
here we go:
"It's high time the security community stopped providing the blueprints for building these weapons..."
How about providing the blueprints to your code, so we can secure the systems you release broken to begin with?
I'm not anti-Microsoft (although I'm getting there, definitely getting there...), I do Windows development also in Visual Studio. I'm near the point of stopping that altogether though. My company is already using Linux for damn near everything (including desktops, not just hosting) anyhow.
This is more than just your average case of idiocy from MS. If I ran a pharmaceutical company, and a drug we produced killed 500 people, do you think the public would accept some excuse like this? "No, really, it's all the fault of the doctors who showed their patients how to take the pills..."
Maybe not a perfect analogy, but equally stupid. When will they learn? Probably when Joe Customer starts realizing how indecent their blame machine really is. Apache isn't perfect, Linux isn't perfect... but we admit this and work toward solutions. Average Joe won't stay completely blind forever; most people aren't stupid (my faith in humanity talking here), and you can't fool anyone indefinitely.
Damn, and I was cutting down on my smoking...
... and just write pseudocode or a very detailed step-by-step description of what their code does. In the end script kiddies will have to learn to write their own leet tools, and may later on branch these skills into other areas.
:)
If security experts took the time to make exploit code an exercise for the reader, we might someday end up with skript kiddies who can even write their own hardware drivers for Linux. They might even learn to write and discover new exploits for Windows without the help of security experts.
Microsoft got it on the nose this time
"Look at me, I invented the stove!" -- Ben Franklin
Let's look at the most recent huge hole - the IIS server. If someone had only released a small amount of information - like "it happens at port 80", no one would know how to block the damn thing without affecting other services. By knowing the exact form of the exploit, people were able to block it. You can't help but publish exploit code (or enough code to give anyone a general idea) in cases like this. The code is an easy way to find out how to prevent the attack.
I say give the most information possible to the security people who need it. If people aren't worried enough about security to find out about the holes, then they shouldn't complain.
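As an added illustration of the point made in the comment above (this is example code, not part of the page or of any vendor's software), here is a small Python filter that contrasts the two situations the commenter describes: knowing only "it happens on port 80", where the only option is to block the port and everything that uses it, versus knowing the exact form of the exploit request, where a signature blocks the attack and nothing else. The request lines are constructed samples, and the vulnerable path "/vuln.ext" and the "long run of letters in the query string" trigger are assumptions standing in for whatever the published exploit actually looked like.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample request lines (not captured traffic). The path
# "/vuln.ext" and the long-letter-run trigger are assumptions used only
# to stand in for a published exploit's exact form.
SAMPLE_REQUESTS: List[str] = [
    "GET / HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "POST /login HTTP/1.1",
    "GET /vuln.ext?id=5 HTTP/1.1",                # same path, benign use
    "GET /vuln.ext?" + "N" * 224 + " HTTP/1.0",   # hypothetical exploit form
]

# Hypothetical exploit signature: a GET to /vuln.ext whose query string is a
# run of 200 or more letters. Knowing only "port 80" gives nothing this
# specific to match on, so the port-only policy below must block everything.
EXPLOIT_SIGNATURE = re.compile(r"^GET /vuln\.ext\?[A-Za-z]{200,}")


def matches_exploit(request_line: str) -> bool:
    """True when the request line has the (assumed) published exploit form."""
    return EXPLOIT_SIGNATURE.match(request_line) is not None


def apply_policy(requests: Iterable[str], policy: str) -> Tuple[List[str], List[str]]:
    """Split requests into (allowed, blocked) under one of two policies.

    'port'      -- all you can do knowing only the port: block every request.
    'signature' -- block only requests matching the exploit's exact form.
    """
    allowed: List[str] = []
    blocked: List[str] = []
    for line in requests:
        if policy == "port":
            blocked.append(line)
        elif policy == "signature":
            (blocked if matches_exploit(line) else allowed).append(line)
        else:
            raise ValueError(f"unknown policy: {policy}")
    return allowed, blocked


def collateral_damage(requests: Iterable[str], policy: str) -> int:
    """Count legitimate requests (non-exploit form) that the policy blocks."""
    _, blocked = apply_policy(requests, policy)
    return sum(1 for line in blocked if not matches_exploit(line))


if __name__ == "__main__":
    for policy in ("port", "signature"):
        allowed, blocked = apply_policy(SAMPLE_REQUESTS, policy)
        print(f"{policy:9s}: allowed={len(allowed)} blocked={len(blocked)} "
              f"collateral={collateral_damage(SAMPLE_REQUESTS, policy)}")
```

On the constructed samples the port-only policy blocks all five requests, four of them legitimate, while the signature policy blocks exactly the one exploit-shaped request and lets the benign request to the same path through. That difference is what a defender buys with the exact form of the exploit.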
Last post!
How well would security flaws
HAHAHAHAHAHA ... oh yeah, I can just see it .. this would allow their marketing/pr department to 'fix' each and every bug.
.. ie, that old limitation of 24 hrs in a day. Hell, with MS and a large enterprise network, you'd have to assign a full-time worker just to monitor and install patches.
.... )
Actually, sample code is a very good way to illustrate the severity of a bug.
A bug might be the result of absolutely brutal programming, but require a programmer to jump through hoops to exploit it. In this sense, the bug isn't so bad, and users can assess the path to patching said holes. On the other hand, a bug could be the result of complex, innocent oversight which can be exploited with 3 lines of code.
I, for one, think knowing the code to exploit the bug can give admins a good sense of addressing patch priorities.
Yeah, the security pundits will tell me 'you should be patching 10 secs after the patch comes out regardless of severity', but if you really take that route, you're living in a vacuum. The rest of the world has to worry about priorities
And I'm of the opinion that trusting MS's stance on the 'severity' of a given bug is about as big a security hole as you can have.
(Please remember to flame me on both sides, for even cooking
"Old man yells at systemd"
Will all hackers and crackers please stop attacking Microsoft products. Thank you!
Bill
Messengers expand people's awareness, and thus, the knowledge of people to exploit/attack. Microsoft is willing to blame everyone but themselves for a security flaw/hole. Maybe messengers sped up the process of finding/exploiting holes, but the holes are there because MS put them there/didn't fix them. They should also blame the Internet and telephone system for their security holes.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
I hate to say it, but in many cases these security firms notify the manufacturer (if the firms are legit) and allow the manufacturer a reasonable amount of time to fix the bug. Then after a reasonable amount of time (and no visible response from said company) the firm will release the exploit to the real world simply to get the company to fix the hole faster. Nothing is faster than bad press to get a company in gear fixing bugs and not calling them upgrades.
Yhcrana
The voices in my head don't like you
At least the guy doesn't ignore that there are problems:
I know I'm preaching to the anti-choir here, but he has a point. The security watchdogs of the net have no obligation to me. I am glad they do their tasks, but they owe me nothing.
My software providers have an obligation to provide me with secure software or none at all. I commend both Debian and Apple for responding to their occasional security problems in a timely manner.
In the olden days when watchdogs did not release sample code some software providers downplayed their flaws as theoretical problems. If the software providers had been responsive to security flaws, there would be no need for sample code.
How the hell is it the fault of the security experts? To be honest, someone will find the bug, whether it's a person with malicious intent or not. If such holes are posted, it gives the company the chance to fix them, so that fewer people are struck.
If holes were not posted, the public would not even know their software is insecure, and it would surely take longer for any company to patch said holes.
Finally, doesn't blame ultimately fall on the company who made the buggy software in the first place? If I come up with a mathematical formula that proves 2 + 2 = 5, and a math teacher proves that I'm incorrect, who's to blame here? Microsoft believes the math teacher is wrong, something which is obviously misguided.
One final thing: I don't see Linux/BSD/Apple execs complaining.
doing a quick search on bugtraq, I see a lot of linux exploit code too. Hmm... let's blame the linux exploit code for the net-stopping worms like... ummm... and also the.. ahhh... well, you know. No Microsoft, making exploit code widely available does not make your product less secure. You do.
There is no reasonable defense against an idiot with an agenda
:wq
I can imagine that this Scott Culp is very stressed out right now. Can you imagine being in this guy's position with worms like Code Red floating around?
So what does he do? He posts an essay which is basically a reflection of his anxiety. However, he misses two very key points on why this information anarchy is a good thing.
* Patches for popular software that are exploitable tend to come out real quick because the company has to save face and perhaps protect against liability suits.
* A necessary fear is instilled into companies to put software through a security audit before it goes into production.
I hope this guy takes a vacation somewhere on the beach to reflect on his thoughts.
Somebody is worried that their OS is so unsecured. Maybe it's time Microsoft hired better QA staff and fixed all of their bugs before making it gold.
It's high time that the user community insisted that Microsoft stop shoving their crap down the user's throat and start producing software with, at least, rudimentary security.
It is also high time that Microsoft got off their high horse and took some responsibility for their crap. They try to take credit for all the good things like TCP/IP and most recently NAT, which they call Secure NAT (S-NAT). The only person I've seen try to take more credit for other people's work was Al Gore.
Yea, I'm a dreamer.....
Hmm.... looks like Microsoft even wants their exploits and hacks to be closed source... Hm... Backwards GPL? (All code that exploits our software MUST be closed source!)
I am unamerican, and proud of it!
So, should we shoot the messengers, or just defenestrate them? This is a really good strategy. Ford should have tried getting Ralph Nader thrown into jail as a solution to the little problem with exploding Pintos.
Hello? Is anybody home? Microsoft should issue warnings like: Due to security problems in IIS, Microsoft is issuing a recall on this product. All users of this product should see www.microsoft.com/refunds for instructions on obtaining a full refund and suggestions on alternative web server products.
That's "Mr. Soulless Automaton" to you, Bub.
Well, that was my first reaction. But now that I'm back in my chair I find it rather sad, to put it mildly.
/.
The only thing it would accomplish is that the relatively harmless script kiddies would no longer be able to easily crack random machines. However, crackers with Real Bad Intentions (read: terrorists) would still be able to find and abuse security holes. Since they would be a lot more careful about when to use the holes, the security community would not be alerted to the problem.
And there is still the argument that publishing holes is often the only way to get them patched. But we've been over that many, many times already here at
karma capped
...for forcing Micro$oft to fix their security blunders.
"No, that's not security hole. We've got a monopoly that needs abusing before we have to fix that."
I've heard this idea before including from my advisor. The idea is that releasing exploits to the public is creating an environment where it's too easy to hack machines.
Unfortunately, it's simply untrue that there aren't positive reasons for releasing exploits.
I can think of several: testing of machines (risky, but useful), understanding of vulnerability (CERT advisories are pretty much useless for this.), research.
The most important of these (IMHO) is the understanding of the vulnerabilities. In the past, we didn't even talk about vulnerabilities in the open and we have the abhorrent state of affairs we have today. Security isn't even taught in computer science and engineering curricula and when it is, it's treated as a separate set of classes. When I started working in infosec, I had no idea how the exploits worked and what the real coding vulnerabilities were. Without release of exploits, I probably still wouldn't.
Let's think about this.
I buy a new car. It looks pretty, seems to run well on the lot. Now, the guy across the road sold the dealer the car and he knows that the tires are retreads, the engine has sawdust in it and the door locks will open if you kick the door....
Why shouldn't he be able to tell me these things??
I think that Microsoft should be responsible for their code. Period.
If I can write code that doesn't break, I would think that the dozens of programmers they have hired could do the same. Why isn't there a lemon law for software?
Just my pair of odors.
"It's high time the security community stopped providing the blueprints for building these weapons," Culp wrote in the essay. "And it's high time that computer users insisted that the security community live up to its obligation to protect them."
Microsoft, you still don't get it...
I'm a computer user and I do not think for one moment that it is the obligation of the security community to protect me. I do not pay them to protect me. I paid you for buggy, insecure software. These security holes are your responsibility.
Security guards having guns does not make it easier to distribute guns, it just makes it easier to stop those who bring guns to certain areas.
If those who find the vulnerability fail to release an exploit, those of us who want to protect ourselves before the "patch" is out will have no way to test for the vulnerability.
I think it's a bad precedent to leave everyone vulnerable just so the vendor has time to release a patch. Many of us will limit access, disable the vulnerable product or switch to a different one.
I am not 100% sure of this, since I don't run Windows and wasn't affected, but I believe the exploits that were used by Code Red and its brethren had patches available; it was just that the patches were not applied. I don't want to have vulnerable machines because others choose to be lazy.
In summary, it's a ridiculous argument.
This argument that Microsoft is making is the same stupid argument that was made by Richard M. Smith on Friday Aug 10, 2001 shortly after Code Red.
The short story is that eEye's announcement had absolutely nothing to do with Code Red. The person(s) who developed Code Red figured out the exploit on their own. For more details check out Marc Maiffret's (of eEye) email to the Bugtraq list: http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=203550
People who argue that full disclosure is harmful just fail to realize the facts of the matter- people who write these attacks all aren't script kiddies and they're quite capable of developing attacks on their own. And the reality is that most vendors only respond to full disclosure to actually fix bugs (and even then it takes too long).
Nuff said.
It's designed to help lobby politicians. Politicians, who only take up that job because they don't actually have any useful skills, are easily scared by dabblers in black arts like computer programming. It's very easy to whip up a fervor among this largely ignorant set of people making out that by writing code geeks are committing a great sin. Hell, if M$ and the media companies keep this up there may actually come a time when it's illegal for unlicensed individuals to write software on the grounds that you could use that to copy software, 'hack' computers and encrypt communications.
-- SIGFPE
I guess they realized their os is shit and they don't want the world to know. Hell if I had my name on it I wouldn't want anyone to know what a god awful job I did.
I bet they are preparing to create backdoors for Big Brother and they don't want the bad publicity that would get
That's funny, OpenBSD has for a long time.
Secondly, I received a Windows XP update in my hotmailbox today claiming that XP has unmatched security...maybe in the M$ world but not for the real world.
Ah yes, just found my "MSspin2english" translator. Let's see how those comments look now:
"It's high time that the security industry stopped pointing out all of the blatant security flaws in our programs", Culp writes. "Since we insist on developing OSes and highly-integrated applications tuned for usability, rather than security, we can't make as much money as we're accustomed to making, what with all of these viruses/worms targeted at our products."
Culp adds, "it's time that the security industry be held responsible for these worms and viruses, rather than the companies who make products such as ours. By pointing the finger at the amorphous 'security industry', we're better able to deflect blame for the recent rash of high-profile MS OS and web server exploits."
The pomposity of the professor is inversely proportional to the difficulty and importance of the subject being taught.
Microsoft is the company that we love to hate, and as such anything they say is bound to be heard in a biased way.
If there is a security hole in their products, they should be informed before the rest of the world. If there was a city in America that was particularly vulnerable to easily spreading Anthrax (buzzword though it may be...) should the authorities be informed first and exclusively, or should there be a post on terrorismRus.com telling the world?
Believe it or not, none of us are perfect, and the way to make improvements on ourselves is to receive constructive criticism and meaningful feedback, and in this case, to be informed of a security mistake made. Nobody really benefits from so-called anarchists spreading the information around to anyone who cares to look. It's Microsoft's problem, and they should be given the opportunity to fix it.
------
Leveling up builds character.
Well, let's see.
A security expert can't just say that an OS is bad or has a vulnerability unless he provides proof and a description of how bad that vulnerability is. If the expert never provides real proof (a usable exploit), chances are no one will ever take the vulnerability seriously.
Some may say the expert should notify the OS provider only and keep his findings secret.
.. That never works.
Because the software provider will never take you seriously, or will never fix the holes, or will prefer to keep things quiet, or maybe even send the FBI to your door.
PS: "It's not a bug, it's a feature"
-- As the Microsoft CEO said after the first Outlook buffer overflow exploit showed up.
"It's not an OS, It's disaster"
-- myself
I guess that the security community refers to the hackers and the IT people who have to deal with these problems. And they're to blame? Come on Microsoft. You have developed a simple, yet unnecessarily powerful (from a "how much access it has to your system" perspective) scripting language that is so easy to learn that 8 year old kids who barely know how to turn a computer on can modify a few lines in one of the many worms that have gone around (and blame Outlook for the wide distribution of these worms) and there is a whole new virus.
If Microsoft wants to eliminate all the email worms, they should do the obvious solution and remove VBScript from Outlook. Completely. I really don't need flashy buttons and pop-up boxes to ask where to have lunch today. And yes, I use outlook because my company has an exchange server. But only on my company email accounts.
Poor Microsoft. They crush their competitors and still have the testicular fortitude to whine that we don't do their job for them.
Believe it or not, I believe that MSFT has a real point here.
With the "security" community telling the "hackers" exactly how to create malicious code that takes advantage of poor MS programming, it's like throwing fuel on an already relatively hot fire.
Let's take a slightly more concrete example here. I just thought it up off the top of my head so don't flame me if it doesn't add up to 100%.
Say you're a security consultant for a bank, and you also know some unscrupulous people. Say that you discover a way that, in a few minutes and with a few simple tools that most people have in their garages, you could open up the bank's vault without triggering their security systems. If you told your "friends" (in this case, the equivalent of posting the information to the Internet), and they went and used the information to rob the bank, you'd be an accessory to the act. You didn't do it, and you might not even get charged with it (the "experts" again here), but you were a mechanism for allowing it to be done.
Microsoft should aim towards releasing code that *doesn't* have more security holes than Swiss cheese has CO2-produced ones, but the people who find the bugs in the software should tell Microsoft privately, instead of telling everyone exactly how to bypass the security and execute arbitrary code/read files/run programs/whatever.
It's not either party's total fault, but the people who everyone thinks are innocent aren't really.
IANAL/IMO
JKoebel
I want usability, not perfection. I want software that does what it's supposed to do at a fair cost and with as little hassle as possible relative to the work that the software is supposed to be able to do. With that in mind, what can be said of, say, IIS? It fails this test. Because it is such a security nightmare, it is unusable. Apache is free, as secure as it gets and does more, better than IIS. Plain and simple: if Microsoft delivered a product (speaking of webservers here) that performed as well as Apache, I would use it, and then I would only use it if it were free as in beer and speech.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
How about if we established a group of white-hat hackers to whom one could submit the details of an exploit. They could attempt to confirm or repudiate the description of the problem and try to assist in developing security patches, without releasing the details of the exploit to the world at large. Then after a suitable time for the patches to be applied, the full story could be told.
Inventor of the LOLbalrog meme.
You have to admit there is some truth to his statement.
Like it or not, most real business enterprises depend on Microsoft products for their daily operations.
If there is a cadre of persons dedicated to cracking Microsoft code, then this will inevitably cause harm to American interests.
If a biologist discovers a new super-virus that can be made from commonly acquired materials, the government would likely suppress the information for the common good.
Legitimate research scientists could get access to the information, but in a controlled manner. Likely they would have to prove their worthiness by submitting their curriculum vitae, and submitting to other security protocols.
Other than harming Microsoft (which some people may consider good), what does information about security exploits do?
Most businesses don't have time to check for each new patch and update on an hour's notice. Damage will be done as soon as the next virus is released.
Why not limit the dispersal of exploit information until it has gone through proper channels? As an example:
(1) Exploits could be submitted to vendor
(2) Vendor could acknowledge exploit and make bug fix in reasonable time
(3) Create a 60 day safe harbor window to let customers upgrade
(4) Release the exploit information
This will never happen, for three reasons-
1- Security companies need exploits to keep going. Ever wonder why lists like bugtraq stay up? Because the security firms that run them are making a fortune charging other companies a crapload of money for advice related to all the exploits that get posted to their lists.
2- Software companies do not care about security. Most big exploits are buffer overflows, which are a result of lazy coding. Multiple free tools exist that analyze source code for such bugs, and overflows are still popping up all the time. Getting companies to fix these bugs takes too long, and often the only way to get it done is to embarrass them by making the exploit public.
3- Many of the people who disclose exploits want the attention, not security. They see credit for exploits as fame, and make sure to slap their names all over every bug report they can put out. This seems to be directly related to the tendency of security hackers to be lacking in the area of social life.
-just my .02
windows xp is coming out soon and will be on all the new computers shipped.
not sure about the home version, but the pro version has remote administration features all over the place turned on automatically with your install.
I see no good coming of this.
(they have one thing called "remote desktop" which is basically like pcAnywhere, presumably so that you can call customer support and say "I don't know how to do XYZ" and they can then take over your desktop and get it all worked out for you... and hackers will NEVER figure out how to use that!)
they also take over compressed files now (zip and such) and deal with in their own way - which isn't the way I want... annoying.
there are parts of it that are nicer, but for the most part, it just screams "I'm a security hole waiting to happen - hate on me!!!"
There are some odd things afoot now, in the Villa Straylight.
*ROFL*
End of lesson. You may press the button.
"And it's high time that computer users insisted that the security community live up to its obligation to protect them."
Hmmm...I didn't realize there was any obligation involved. I figured it was each user's responsibility to "protect" (read: properly administer) their own systems. The security professional's job is to give them the tools (knowledge and software) to help them do that *for themselves.* Neither Walther nor my martial arts instructor have an obligation to protect me, just because they have tools and knowledge that I do not. But, they make those tools available to me so that I can protect myself.
I suppose their view is that a world in which it is impossible to harm one's self (or one's computer system) much like the soccer moms who would like to see the world coated with Nerf so their precious brats will never know pain.
Blah.
-cw
How about lock-picking? There are all sorts of manuals on lock picking... most locks can be easily picked, but people don't do this for the most part. On top of that, people who are really concerned with security know that you need a decent lock (6+ tumblers) or it can be picked.
Not a bad analogy: if you want to keep something safe and secure, you use a decent lock. Having the info about lock picking gives you the knowledge to do so, and allows you to know just how secure you are.
The same could be said about software... and if you want a good lock, you educate yourself. MS makes bad locks... those locks can be fixed, but it requires the knowledge of the lock picking manual to do so.
Don't get me wrong, Linux, BSD, etc. can be a weak lock too... but with OSS, not only do you have the manual, but you can disassemble and rebuild the lock on your own!
It's like the landlord of a building telling a tenant who complains about the shabby building structure that doesn't protect anyone inside "Listen, by talking about it, you're not making it any better. People will find out about it and now break in".
Maybe the problem isn't the source, but what's in the source.
I see no difference in what he says and someone saying "Guns should not be owned by the public." Holding back source code is not going to stop exploits. Microsoft holds their source code, and that doesn't stop them from being exploited.
So just as Americans have the right to bear arms, all peoples should have the right to bear source!
I have spoken!
I would suggest to Bill & Co. that it is published with the highest regard for how the information will be used. Just because it could be used in a negative way doesn't mean that nobody's thought about it. There's not a security guy out there who hasn't at some time weighed the pros and cons of releasing information like that.
And am I the only one who is insulted by the gratuitous use of the word "weapons", so as to implicitly equate hacking with physical terrorism and fan the flames of paranoia?
> relative novices to build highly destructive
> (malicious software)," he wrote in the essay.
...I wasn't paying attention -- is he talking about the crackers or Microsoft here?
;-)
Okay, all complex software systems have holes. But it is completely possible to build software systems that are at least two orders of magnitude safer than the drivel Microsoft currently churns out.
It looks so much like spin-doctoring. Blame the security experts for making exploits `trivial' to write. Never even think about blaming the idiots who wrote the system that is so trivial to hole...
It is because the source code is available to all so easily that the holes get fixed. The exploits are going to be shared; it is better to be on centralized security webpages and not on more distributed methods (some IRC, some Usenet, small webpages, mailing lists).
>an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin
... yeah, and doctors should only say 'you're sick, take this'. They shouldn't disclose how you actually got sick, 'cause then other people would just go around 'exploiting' and making more people sick! GET REAL ... saying building X is vulnerable if you have a sledge hammer is a little different than building X is vulnerable if you have a nuclear weapon. It's called 'acceptable risk', and I refuse to live in a world where I can't be crystal clear on what that risk is, and how it can occur. Even if you don't give code examples but explain the details, some smart guy will turn it into a script-kiddie tool anyhow, so going the extra mile and providing the code is tantamount to knowing your level of risk and the most probable netographic that will attempt to exploit it.
OH MY GOD
"Old man yells at systemd"
man, slashdot is fun without Trolligula</sarcasm>
Microsoft is frantically trying to shift the blame from themselves following the Gartner Group's recommendation that people stop using IIS. It's not that MS developers focus solely on market share instead of quality and security (not that I blame the developers, since this is exactly what MS management wants and pays them for), it's that web-defacing juveniles are 'terrorists' and security researchers are 'anarchists'.
MS had it too easy for too long regarding security issues, especially with the news media reporting Outlook vulnerabilities not as they really are, as a design flaw in Outlook, but as "e-mail viruses."
"Behind every great fortune there is a crime."
- Honoré de Balzac
"You hear a lot about Bill Gates, don't you, whose net worth in January of the year 2000 was equivalent to the combined net worth of the hundred and twenty million poorest Americans, which says something, not only about the software imitator from Redmond, Washington, it says something about millions of workers who work year after year, decade after decade, and are essentially broke."
- Ralph Nader
It really gets me that people are so incredibly harsh on Microsoft. Yes, they're bastards and so you share some political differences, but on the other hand they produce GOOD CODE. No they don't you say, but what is the last enormous project you took on, and developed over many years? I'm using Windows 2000 right now, and gosh darn it, I LIKE IT. In fact, I like it a lot more than GNOME and KDE (I like GNOME more than KDE for the record, at least with the Mandrake 8.1 install). For all the evil practices of Microsoft, their developers are probably the best in the world, hands down, no question. They can throw a lot of cash at undergrads looking for a valuable work experience. I think my post has gone a little off topic, but give Microsoft a little credit. They do deserve a little.
Let's say that a life threatening flaw was discovered in the new Ford Focus. When you hit the bumper just right with your fist, the windshield detaches and the seatbelts unfasten. All the automobile safety commissions write articles to every major news outlet identifying the problem and demand a recall from Ford. What Microsoft is saying is that if the automobile safety commissioners hadn't said anything, this flaw wouldn't be as severe. In reality, Ford would be pounded with so much pressure from the government as well as consumers to fix it or face lawsuits to end your car making days. Why isn't the same true for software?
There is no reasonable defense against an idiot with an agenda
:wq
"Please don't show that the emperor is naked."
Sigged!
"A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of *honest* persons to know this fact, because the *dishonest* are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties." -- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published around 1850
Microsoft Messenger
Microsoft Outlook
Microsoft Outlook Express
Microsoft Internet Explorer
Microsoft.........
Don't blame us...
We just build the houses. Tell the wind to stop knocking them down.
Microsoft is a marketing company. If you expect them to make stable/secure software, you're crazy.
Oh shit! I forgot to click "Post Anonymously"...
Before I get burned alive here, please actually read this: Why not publish only binaries of exploits? This will prove the exploit exists without letting it quickly be shoved into rootkits everywhere.
The answer is: don't run Windows! OpenBSD makes a great server platform! FreeBSD is not bad either ;)
If you have no intentions of ever fixing any problems discovered with your systems, then of course, you'd want to keep word of problems secret.
Oh, poor Microsoft, the costs of producing and distributing patches must be just a terrible burden. Imagine the burden on the rest of us who have to deal with your buggy systems. I would characterize IIS as a public menace right now.
No, this is just a bad attempt to deny reality: Microsoft's poor practices are coming to light in a way even the average Joe can understand.
"Avast! Prepare for the rodgering!" THWACK! "Arrr.. me nards.."
Is it my imagination or did none of the listed viruses (is that the plural of virus?) attack Linux/Solaris at all, as stated in the article?
christ, next it's gonna be my fault if i type file://aux.aux in windows 9x!!!
"Yes," said kingdom spokesman Jim Dilldunnam, "the Emperor is aware of his nudity. But His Majesty's nakedness would not be a problem for the uneducated masses if you irresponsible media types would just cease telling them about it."
== Paul Rickard, Editor of The Microsoft Boycott Campaign ====
While this will more than likely be labeled as flamebait, I must say that this was one of the most interesting things written from Microsoft.
If you took the time to read the piece, it didn't attack any other operating systems or companies, even though it did include Linux.
In a few ways, the piece is right. The patches for those exploits had been available for quite some time, and if they had been patched, the exploits would never have happened.
I can also agree that it is important that all OS vendors/developers work towards creating more secure and easily patchable systems. This was simply pointing out the fact that most all vendors have issues with supplying patches to their products.
Personally, I use Windows, Linux and have been toying with the idea of using *BSD as well as Solaris. I can say that the distros of Linux that I have used are equally and sometimes far more difficult to patch and keep up to date than Windows is.
One distro I use has actually developed a very useful updating system, similar to how Microsoft has developed their Windows Update utility. This has made managing Linux a much easier task. In case you are wondering, I am speaking of Mandrake Linux and their Mandrake Update utility.
The one thing that truly amazes me about this paper was that Microsoft is suggesting that we all work together towards creating a more secure computing environment. I just find that to be a very unusual thing to come from the mouth of "The Beast". I would have expected them to say something like, "Microsoft intends on providing the only true secure computing platform in existence."
--
.sig seperator
--
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
Do you really think the experts are the ones writing the exploits? I don't.
The experts write up about the exploit in detail. Along comes pseudo-hacker who reads said exploit....a week or two later releases something. Script-Kiddie comes in a few days later, downloading pseudo-hacker's kit and breaks into something.
The question is whether or not the experts need to write up the detail that they do for the exploit. The short answer is yes, other experts need to be able to read/duplicate the exploit so that the exploit can be confirmed.
Trouble is...once the expert can duplicate the exploit, so can pseudo-hacker.
... agree, up to a certain point.
... well.
If people finding security holes, possible exploits etc. first reported the hole to whatever company released the software subject to exposure (e.g. Microsoft), then these holes could be filled by the people sitting on the code (not sure if that's what they are, sitting at code). Then they would get a chance to develop a patch. Of course, they shouldn't be able to stall the process, so an ultimatum should be given. After that the source, blueprints - whatever - would be free for grabs. Anyone not applying the patch either didn't get informed of the bug - the company's responsible - or they didn't bother applying it - most likely - and deserve whatever they get.
Having said this, I'm taking a cold shower. Imagine agreeing with
Look a monkey!
I think we should AGREE with Microsoft on this one and then go one step farther: call for a total silence from all security people about Microsoft products. Don't publish or report ANY bugs, holes, or security problems. But don't change a thing when it comes to full disclosure of other products.
A temporary negative side effect would be Microsoft would get a boost in marketing ("See, we don't have as many bugs as reports show other software packages/OSs do.").
The long-term positive effect would be Microsoft would no longer get free debugging by the community, and would end up suffering even more from security through obscurity while other software developers and open source packages would become more secure. In the long run, this would be of great benefit to everyone except Microsoft.
Let's do it! Total silence from now on about ALL Microsoft security problems/bugs/etc.
Can we mod the main slashdot story as +5 funny?
Rats would be more funny if they could fart.
... to quote from a recent edition of The Onion, "Holy Fucking Shit!" I truly believe Microsoft has lost their collective marbles. Might be a good time to invest in straight jacket stocks.
Skiers and Riders -- http://www.snowjournal.com
Seems to me M$ is trying to put the blame elsewhere for IIS. M$ products have been insecure for years, we all know this - but usually this has been an excuse for M$ to push upgrades (such as Internet Explorer). This time people aren't upgrading IIS, they're jumping ship entirely. Only now after all these years when insecurity hasn't been in their best interests is MS in a panic trying to stop it (defections, not insecurity).
Information Anarchy
Expect to see this term bandied about frequently.
__
Do ya feel happy-go-lucky, punk?
With all the fuss about the proposed copy-protection bill, I couldn't help but draw comparisons to this statement. Let's stifle all talk about these programs, let's inhibit free discussion about problems and proposals and just keep everything nice and hush-hush. Makes me sick.
Beyond the obvious irony that a Microsoft-ite is blasting the security community over flaws exploited in its own operating environments, I think the most interesting part of the article is Culp's statement "And it's high time ... the security community live up to its obligation to protect [software users]."
What obligation is he talking about? For a company that epitomizes a big-money capitalist position, that's the most blatant socialist comment I can imagine. Users collectively pay billions of dollars to software manufacturers each year for endless upgrades, yet he thinks a reasonably loosely knit group of professionals working on their free time somehow owes that same user base the right to be protected???? That's bizarre.
Further, the "Information Anarchy" thing sounds way too much like the "intellectual property virus" tagline they keep using for the GPL. It's a catchy management-speak phrase that sounds nasty and has little real meaning. It's easy to see how they can set the stage to condemn the whole open source community with all its open and anarchic ways that don't protect innocent users.
Moron.
No replies made to AC posts. Please log in.
I would wager that no more than 10% of the posters here actually read the article.
The solution he proposes is reasonable and fair, and really just common sense. If you must make your points about Microsoft's products being generally insecure (and I agree with this sentiment), do so - but don't pretend that the author was saying "someone else is to blame for all our problems".
However you feel about Microsoft, don't allow yourself to have an automatic bias against anything it says.
To those of you who posted without reading and considering the article, you should be ashamed of yourselves.
It usually ends up pointing at an innocent bystander.
"Arming the enemy"
...
"It's high time the security community stopped providing the blueprints for building these weapons,"
It's high time Microsoft stop using inflammatory, militaristic sounding rhetoric at a time of national crisis. There are too many actual terrorists about for Microsoft to be irresponsibly crying "terrorist."
"Scott Culp, Manager of the Microsoft Security Response Center..."
I always said you'd go far once you dropped the -able from your last name! ROCK ON, BABY BROTHER! ROCK-THE-FUCK-ON!
Why do users with IDs under 100,000 or over 700,000 usually have the most worthwhile comments?
If you notice near the top of the article they mention the worms that have hit M$.. Nimda and Code Red were among the ones mentioned.. They didn't release the code for these worms.. the worms themselves GIVE the code to the people who didn't patch their IIS.. so it's not the security people's fault.. it's M$'s fault for having the hole open in the first place..
I think someone is trying to shut the curtains before big brother takes control!
It wouldn't stop the real crackers, and thus wouldn't stop the script kiddies who use tools written by the real crackers.
to think that the best way to clean up MS security problems is to sweep them under the carpet.
Supporters of information anarchy claim that publishing full details on exploiting vulnerabilities actually helps security...and bringing pressure on software vendors to address the vulnerabilities. These may be their intentions, but in practice information anarchy is antithetical to all three goals.
All three goals? There's some on this later - but assuming that he's right with the rest of the entire essay, you'd expect there to be some pressure to address the vulnerabilities, would there not? He even goes further, saying that published exploits are antithetical to getting patches out. Brilliant logic.
Providing a recipe for exploiting a vulnerability doesn't aid administrators in protecting their networks. In the vast majority of cases, the only way to protect against a security vulnerability is to apply a fix that changes the system behavior and eliminates the vulnerability; in other cases, systems can be protected through administrative procedures. But regardless of whether the remediation takes the form of a patch or a workaround, an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin.
I love this analogy. It actually works. For example - if I knew that the cause of my headaches was an allergy to certain foods, I could avoid those foods, and not have to take aspirin. If I know how an exploit works, I can prevent it with my own tools - firewall, etc. and not have to worry too much about the dubious patches.
Likewise, if information anarchy is intended to spur users into defending their systems, the worms themselves conclusively show that it fails to do this. Long before the worms were built, vendors had delivered security patches that eliminated the vulnerabilities.
Here he's not talking about e-mail "viruses", but worms. Specifically, worms targeting systems people did not know they had on their system. There was plenty of buzz about Code Red before most people had it, and the patch was applied to thousands of computers as people got worried. I'm not an advocate of having people upgrade through fear, but this still disproves his point.
Now - here's his reason for published exploits to take pressure off of vendors to publish fixes :
Finally, information anarchy threatens to undo much of the progress made in recent years with regard to encouraging vendors to openly address security vulnerabilities. At the end of the day, a vendor's paramount responsibility is to its customers, not to a self-described security community. If openly addressing vulnerabilities inevitably leads to those vulnerabilities being exploited, vendors will have no choice but to find other ways to protect their customers.
Crap...I'm trying to find a problem with the logic, but I can't actually understand the argument - anyone? What other ways are there for vendors to protect their customers than put out fixes?
Anyway, that said, I'd just like to express my condolences to the author. Did you see his title? "Manager of Microsoft Security Response Center" Poor guy is probably blamed for half the bugs in code he's never heard of. Can't blame him for venting a little. I just wouldn't have done it as publicly.
Last post!
Fucking Idiot.
You post linux bugs to bugzilla and they thank you. You post M$ bugs publicly and they flame you. I think more than anything, M$ is pissed because more and more people are starting to realize what a true truckload of CRAP their OS really is. So, we post the bugs in an effort to encourage them to fix it, and for us to give them another chance. What do they do? They blame those who would help them fix it for their own stupid code. I mean come on...it's high time they started taking responsibility for their inadequacies.
The people who wrote them have been rightly condemned as criminals.
...and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution.
...information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.
Ok, I'm going to be snide, the author points to the exploitation tools, but one could also argue that windows (don't laff) "security model", closed source apps, IIS are the *initial* tools of exploitation. Lest I forget, Integration, legislation, co-opting, barriers to entry keep other (maybe better, maybe worse) products from hitting the market and (say it with me) promoting competition.
It's high time the security community stopped providing blueprints for building these weapons. And it's high time computer users insisted that the security community live up to its obligation to protect them.
Why? No one believed that certain (ford/chevy?) trucks would blow up like a bomb when hit from the side...what did they do? Yep, they *Proved IT*, by staging a scenario.
And, not to pick nits or be too smarmy, but "we" are trying to protect users. The fact that PHBs, average users don't *listen* after the 3rd, fourth, fifth time of being hacked, wormed, virused, or trojaned via Outlook, IIS, IE seems to be nicely sidestepped.
Uh, yes it does...by choosing the most secure of the bunch! No platform is perfect, but if you choose the one with the best track record, gee, you get...surprise, surprise...less of a chance of being exploited. Once bitten, twice shy... but, then again, see my above paragraph with users/phb's.
Ok, I'll ignore the buzzword bingo opportunity, and point out that the author does "get it" a little, that the vulnerabilities mentioned had been patched weeks/months ahead of time.
Ok, cool, correct me if I am wrong, but I recall seeing a recent article that Microsoft said it needs to "Prioritize" its patches, because, heh, it is confusing!!!
The thing to be remembered in reading this article, the dangerous assumption, is this:
If an exploit is found and is dangerous "the security community" *needs* these to tear into and discover how to fight whatever threatens the systems in question.
I'd rather have a fully working exploit in the hands of a "white hat" than a "black hat".
Don't forget, please, that most of the worms propagated as the result of *malicious* intent and were discovered, stopped, slowed by people with *clear/clean* intent.
That fact seems to be missing.
Moose.
If I am right, I am right...but if I am wrong, show me I am wrong.
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
For the closed-source world, I believe that it is better that if you discover an exploit, to send full details to the vendor ASAP, and to release a general statement of a potential vulnerability in the software to the general public, but with just info for the end-user to determine severity and criticalness of the bug. If the vendor is unresponsive in releasing a bug fix, then in a few weeks or a month, release full details such that others in the security community can possibly find a workaround. Do note that MS is rather quick to issue patches to fix new security problems, so timeliness isn't an issue here. I don't think this is unreasonable, and it still doesn't chill the ability of security professionals to assess software problems. And in addition, with not only the potential for cyber-terrorism to exist today, but with increasing numbers of script-kiddie-like people that simply want to create havoc, it's very important that closed-source software have some time to patch before full information is released.
Of course, with open-source software, most security bugs are found at the same time as a code audit, and thus the bug reports typically consist of full exploit information. But since most good admins on these types of systems are actively aware of security problems, they'll get the patches installed within days of the report, and any damage resulting from the exploit is quickly minimized. Mind you, not everyone that runs open-source software is a good sysadmin, and thus exploits will STILL be used, but this is much less of a problem with the open-source community than it is with closed-source software (such as how many boxen continued to be infected by Code Red and Nimda after the original patch was out several months prior).
Regardless, Microsoft still needs to remember that the security community is doing them a big favor by locating and isolating these problems. MS must have some QA and QC, but some of the more harmful exploits have been rather subtle problems (notably buffer overflows).
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
What is it exactly, is MS just too cheap to pay developers to fix security holes when they could be making new products that'd make at least $60/pop?
Oh, yeah, that is it.
Trolls, it must be cool to be that bored.
"...an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin"
This is STUPID.
Headaches have known remedies, fresh exploits DO NOT.
"And it's high time that computer users insisted that the security community live up to its obligation to protect them."
When did the security community ever volunteer to protect Windows users? Did I miss something? I certainly don't remember ever volunteering for that. Isn't the whole *point* of the security community to uncover and publicly expose security risks before black hat hackers exploit them? I'd rather find out there's a hole on my system from reading BugTraq than by noticing a strange root shell running. This falls very nicely into the "Security Through Obscurity" line of reasoning.
That phrase reminds me of "intellectual anarchy" from Isaac Asimov's sci-fi story "The Dead Past". In the story the government prevents any research in the area of neutronics so that no one will learn their secrets. To make sure no one is an intellectual anarchist, the government takes away grant money from any researcher who strays away from his/her stated research field, which basically restricts everyone's research.
Shouldn't the industry leader be setting examples instead of dumping the blame? It's high time to start doing your damned jobs and providing something worth the fortune you're charging for it. BAH!!!
So here's why NEWS.COM suddenly vanished from the net.
No, to extend your analogy to cars, it would be that the car would explode if the control chip was programmed with a sequence of 1040 instructions.
If someone released the 1040 instructions before the car could be recalled, and a group of criminals went around causing the car to explode, there is culpability on both parties.
No one is saying Microsoft products will crash if run more than 72 hours straight. Instead, they are saying that a Microsoft Product is vulnerable to a security attack if a person were to perform this complex set of tasks, and by the way, here are the tasks.
This is why I don't like black boxes.... and when companies like MS can't live with security holes they get desperate and kill the messenger. Same thing happened to the guy from Russia who broke through the Adobe encryption code... and the same happened to the guy who broke the DVD code.....
This is so lame... black boxes are good only until they're broken into... then there is a flood of holes.
"Many people have faulted the patching process itself for the low uptake rate. Fair enough - we do need to make it easier for users to keep their systems secure, and Microsoft acknowledged this very point in a recent major security announcement. But if the current methods for protecting systems are ineffective, it makes it doubly important that we handle potentially destructive information with care."
The Microsoft patches were released months before any of the exploits/worms hit the net. Killing the messenger is not gonna be any fun. When intrusion analysts get an attack signature which they don't know about, they will panic and probably be more destructive if they don't know what they are dealing with. Sometimes the only way to get this info to the analysts is by discussing the problem on mailing lists like BugTraq.
For anyone (like me) who hasn't heard of the Linux worms here are some links.
Code Red. Windows
Lion. (1i0n) Linux/UNIX
Sadmind. Sun
Ramen. Linux/UNIX
Nimda. Windows
He seems to complain quite a bit, but offer no real solutions. Basically he seems to be trying to create yet another buzzword, "information anarchy". The problem is that it has no real meaning other than things that make his job difficult.
the one good point he had was:
Finally, information anarchy threatens to undo much of the progress made in recent years with regard to encouraging vendors to openly address security vulnerabilities. At the end of the day, a vendor's paramount responsibility is to its customers, not to a self-described security community. If openly addressing vulnerabilities inevitably leads to those vulnerabilities being exploited, vendors will have no choice but to find other ways to protect their customers.
Does anyone know how much info Microsoft actually shared about their vulnerabilities before the above hacks were made?
If you make people who want to feel pride in their discoveries unable to show off in the way that they desire (publishing exploit code on public lists), then the exploit code & vulnerability reports will just move underground and you won't be able to patch what you don't know about.
I worked for them briefly as a consultant.
I swear - they're like a cult, only scarier.
The smart ones with their eyes open get out fast. The smart ones with their eyes closed (you do have to be pretty smart to stay there, actually) work 60 hour weeks making things worse.
Reverse Engineering.
:-)
Now burn, you troll
karma capped
I agree that it is MSN Messenger that's to blame as well!
Oh, you mean the messenger of the security info? Then it's Microsoft's fault.
Isn't it a good thing that these holes are brought forth to the general public? If they are just hidden away for only a select few who will attack unknowing victims, then the software vendor will be unaware of the problem and unable to distribute patches. If the vendor is aware of the problem, they can allow you to patch your system and then no one, not even the select few, can get in. But if it goes unnoticed then they can continue to do so seemingly forever.
It's been said about a million times before but it still applies: Security through obscurity is no security at all!
Security Community response to Microsoft:
Bugger off!
It seems like this is a typical statement from Microsoft, really. You'd think that even a half-decent software company would somewhat appreciate people's efforts to exploit their software. But not Microsoft. There have quite literally been hundreds of critical flaws with half of Microsoft's OSes in the past long while. DOS or Win 3.1 were probably the most secure operating systems to date, albeit less dynamic. True, exploiting can do damage, but... where would MS be if it weren't for public displays of hacking? There would be bigger underground hacking parties, who eventually would come out with all the exploits and do big damage to big companies on big networks. Just fresh format and install Win98, for example (which millions of people still use). Go to http://windowsupdate.microsoft.com/ and see for yourself, you've got a lot of downloading and rebooting to do to make sure you are secure. I really think (and this is likely obvious to most people) that Microsoft is getting frustrated with having to send out buckets 'o patches. One surefire way of getting rid of exploitation is: if Microsoft completely tested all software and the programmers were more efficient and organized to start with, they wouldn't have half the problems. It seems looking at the source for MS products could give me nightmares. Microsoft really should be, as any company should be, a company aiming for excellence in their products and services. As currently it appears so to the general public! But under a magnifying glass...
"And it's high time that computer users insisted that the security community live up to its obligation to protect them."
I thought that we WERE... hmmm... I guess if I were a Doctor and my patient was sick, it'd be best not to tell him so that he wouldn't treat it.
"You hear a lot about Bill Gates, don't you, whose .NET worth in January of the year 2000 was equivalent to the combined net worth of the hundred and twenty million poorest Americans.."
--
The Cap is nigh. Time to get a fresh new account.
Hey Eve don't eat that apple. God does not want us to have our eyes opened to the world
The people who found the .IDA exploit (eEye security) told MS, and waited until a patch was available before making the press release.
Not only that, but Microsoft thanked eEye in their own press release.
Not only that, but it has been proven beyond all doubt that Code Red, + CRII were based on old exploit code, NOT eEye sample code.
Not only that, but the old exploit code that Code Red etc. re-hashed exploited a hole that was fixed by MS in the traditional manner, i.e. with no exploit sample code published, etc. If the original exploit code that Code Red built on had been made public in the same way as the .IDA vulnerability was, the f**kin' thing would never have happened, because every competent IDS system out there would have caught Code Red before it even got off the ground.
The whole thing makes me sick. I can't believe that after Microsoft blitzing^W attempting to blitz the media with its "renewed security efforts" that they let this slip past marketing. If this is what happened, then before they can even think about 'locking down' IIS, they need to examine their own attitude, and consider abandoning the tried-and-tested-and-FAILED 'security through obscurity' route.
I don't believe it. Scott, I thought you were more insightful than that. The security community had to create this policy because, as I remember it, "We have no problems ... with security" Bill Gates 1987, Comdex.
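The IDS point above, as an added example that is not part of the original post: a small C classifier for web server request lines that flags any request to the .ida/.idq ISAPI extension and, separately, the Code Red shape of such a request (a long run of one filler byte followed by %u-encoded payload, Code Red using 'N' and Code Red II 'X' as filler). The sample lines are constructed here, the run-length threshold is an assumption, and nothing in it comes from eEye, Microsoft or any IDS product.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { CLEAN = 0, IDA_REQUEST = 1, IDA_OVERFLOW = 2 };

/* Assumed threshold: no legitimate Index Server query carries this many
 * copies of the same byte in a row (the worm used well over 200). */
#define MIN_FILLER_RUN 64

/* Query string that follows ".ida?" or ".idq?" in a request line, or NULL. */
const char *ida_query(const char *line)
{
    const char *p = strstr(line, ".ida?");
    if (p == NULL)
        p = strstr(line, ".idq?");
    return p != NULL ? p + 5 : NULL;
}

/* Longest run of one repeated byte in the query, stopping at the first space. */
size_t longest_run(const char *q)
{
    size_t best = 0, run = 0;
    char prev = '\0';
    for (; *q != '\0' && *q != ' '; q++) {
        if (*q == prev) {
            run++;
        } else {
            run = 1;
            prev = *q;
        }
        if (run > best)
            best = run;
    }
    return best;
}

/* 1 if the query carries a "%uXXXX" escape (four hex digits), the encoding
 * the worm used to deliver its payload bytes through the URL decoder. */
int has_unicode_escape(const char *q)
{
    const char *p;
    for (p = strstr(q, "%u"); p != NULL; p = strstr(p + 2, "%u")) {
        if (isxdigit((unsigned char)p[2]) && isxdigit((unsigned char)p[3]) &&
            isxdigit((unsigned char)p[4]) && isxdigit((unsigned char)p[5]))
            return 1;
    }
    return 0;
}

int classify_request(const char *line)
{
    const char *q = ida_query(line);
    if (q == NULL)
        return CLEAN;
    if (longest_run(q) >= MIN_FILLER_RUN && has_unicode_escape(q))
        return IDA_OVERFLOW;
    return IDA_REQUEST;   /* worth a look, but not the worm's shape */
}

/* Build a constructed request line in the worm's shape: "GET /default.ida?",
 * 224 filler bytes, then an abbreviated %u payload. Not a captured request. */
void build_worm_line(char *buf, size_t bufsz, char filler)
{
    size_t n;
    if (bufsz < 17 + 224 + 64) {
        buf[0] = '\0';
        return;
    }
    n = (size_t)snprintf(buf, bufsz, "GET /default.ida?");
    memset(buf + n, filler, 224);
    n += 224;
    snprintf(buf + n, bufsz - n, "%%u9090%%u6858%%ucbd3%%u7801%%u00=a HTTP/1.0");
}

/* Demo: run the classifier over constructed sample lines and count alerts. */
int demo_alert_count(void)
{
    char red[512], red2[512];
    const char *lines[4];
    int i, alerts = 0;
    build_worm_line(red, sizeof red, 'N');
    build_worm_line(red2, sizeof red2, 'X');
    lines[0] = "GET /index.html HTTP/1.0";                      /* normal hit */
    lines[1] = "GET /query.ida?CiRestriction=budget HTTP/1.0";  /* benign .ida use */
    lines[2] = red;
    lines[3] = red2;
    for (i = 0; i < 4; i++)
        if (classify_request(lines[i]) == IDA_OVERFLOW)
            alerts++;
    return alerts;   /* 2: the N and X variants; the benign .ida query is only IDA_REQUEST */
}

int main(void)
{
    printf("Code Red style requests in the sample: %d\n", demo_alert_count());
    return 0;
}
```

Two verdict levels matter in practice: the plain `IDA_REQUEST` tells an admin the extension is still mapped and reachable (the point the patch addressed), while `IDA_OVERFLOW` is the shape to alert and block on; a signature keyed only on the literal "NNNN" filler would have missed the 'X' variant.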
And it's also high time Microsoft lived up to its obligation to protect its users from security flaws. A flaw in software is not the fault of whoever discovers it, it is the fault of whoever wrote the offending code.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
... is no security at all. Microsoft seems to forget that if it were not for the security companies, the only way Microsoft would even KNOW about the glaring security holes in their software would be when someone decided to actually hack them,
"There are more things in Heaven and Earth than are dreamed of in your philosophy" - William Shakespeare
Some observations:
Firstly, security isn't achieved through non-disclosure. For instance, encryption algorithms are all fully published so they can be analyzed by the community for weaknesses. The definition of a good cipher is that you can have all the information on how it works, but it can't be broken.
Secondly, the IIS worm is a rather poor justification for preventing release of code. The point of a worm is it is self-replicating. Thus the exploit only needs to be carried out once for it to be a widespread problem, irrespective of whether variants or script-kiddies use it.
Finally, from most of the alerts I've seen, enough technical information is kept out so that if you understand the exploit code to a point where you could use it, you're good enough to have found it anyway, and if you don't fully understand it, you can't use the code as an exploit properly.
The fact that a Microsoft security expert would say this then actually goes a long way to explaining all their security holes!!
Nimda is a good example of what Microsoft is talking about.
There were not legions of script-kiddies running Nimda. It was one programmer who actually had a fair slice of clue (not quite so much as to render him/her too busy to be a problem, though). I doubt that shutting down bugtraq would stop this person from learning that MSIE had a bug in it (or IIS, or Outlook). I *do* think that it would have led to security admins not knowing the extent of the problem. I *do* think it would have led to a much greater number of systems being vulnerable.
Windows must now go through what the UNIX world went through in 1987/8. We had screaming/shouting/red-in-the-face "discussions" on USENET for months about the validity of sharing information, sharing exploits, timing, etc, etc.
Bottom line? We came to a reasonable conclusion about how to deal with security and everyone was on-board for a good 2 months before the average admin stopped paying attention.
Most admins couldn't give a rat's petard about security, and will never change. They run around screaming when an "incident" occurs, and otherwise assume the best. MS will have to understand that not accommodating those people by writing safe code will mean a loss of market....
... the foot.
<i>It's high time computer users insisted that the security community live up to its obligation to protect them.</i>
Is that the duty of the security community?
Should they clean up after the mess that Microsoft makes because they do not provide insight into the workings of their code?
How could people take "advantage" of blueprints about exploits for Open Source Software when they can just read the source?
This is just the other side of the security through obscurity and closed source development combination.
Surely this Microsoft spokesman isn't Culpable.
It's not like every machine that was infected by Nimda or Code Red was done so by a separate cracker. Those worms propagated themselves. One black hat gets the exploit code, then the worm does the rest. Keeping code snippets off the web isn't going to do a damn thing. Like everyone here already understands, that is not the issue. The issue is MS needs to make better software. Stop blaming others for your own faults.
He asked that the security people "stop releasing sample code that exploits security holes". In the article, he says, "We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it."
:)
Is this so bad? He's not saying they shouldn't find and publish the security holes. Just that they shouldn't release sample code which exploits it. (For the record, I wasn't even aware they did this. All of the security advisories I've seen -- noting that I'm not in the IT industry, and haven't seen that many -- simply describe the vulnerability, without code that exploits it.)
I actually agree with this. Explaining the vulnerability is good. It helps the developers find and fix the problem. Yes, it helps the crackers exploit the problem too, but that's the price. But releasing code which actually exploits it helps the crackers far more than it helps the developers. It speeds up the cracker's development cycle a lot more than the original coders'. Why do they need to do this?
Now the lines between "not enough" and "enough" and "too much" information may be hard to discern. Clearly saying "there's a buffer overflow vulnerability somewhere in IIS" isn't enough, and "here's a worm that takes advantage of the buffer overflow in IIS" is too much, but finding the middle ground can be difficult. But I don't think the article was advocating the security through obscurity mode of thought, just advocating a shift in the amount of detailed info the security reports provide.
-Puk
p.s. Please don't take this as an indication that I like Microsoft at all.
Security through obscurity is no solution but I agree that security advisories should not include exploit code. Why hand out cut-n-paste attack code to a whole bunch of nitwits who could NEVER have figured out how to write the code themselves?
Exactly. The patches are the problem, not the exploits. If Scott Culp really wants to plead with the security community about the way they do their work he should be telling people to tell them first so they can get a patch out.
Unfortunately, if they know you're also not going to be releasing any details in your advisory, they'll just sit on your hole for months and work on the new version of Mr. Annoying Paper Clip Guy.
I can see that Microsoft has dug themselves into a hole where they will have to spend lots of money on rewriting some code to fix it. Yet they think that such a comment like this will stop people from writing future code that exploits the faults in their own software that they should fix in the first place. So what happens when you find a bug in Windows that erases your hard drives contents? Not report it and let people's hard disks get erased? I don't think so.
...they overflow a buffer and run some code; it is just as useful to list the consequences of the exploit without posting the exploit itself. Perhaps eventually it might be ethical to release the exploit, but otherwise 99% of the people who use the code 'exploit' it.
I have a hard time believing any type of article like this when they will not put in the simple functionality of something like TCP/IP wrappers as a basic feature of their operating system. It is something simple that provides a great deal of first-line defense. No, you have to get some half-assed third-party solution, like Zone Alarm.
Unix was born out of being on networks, and as a consequence they learned how to do stuff in a fairly secure fashion. This also goes to show what happens when people are too stupid to think for themselves and have the level of control over their systems that they need and want.
The Microsoft arrogance of "We KNOW BEST, now go away kid, you're bothering me" is a major contributing factor to their serious operating system insecurities.
For example, I work in the IT industry and interact with a fair amount of people, and have done an informal poll on how many people who actually run Windows Office programs actually use macros; it is almost nil. So why in the hell do they ship that crap with that stuff wide open?
Those bastards need to shut the hell up and listen to what people are trying to tell them. Else, let them perish and provide us with hours of entertainment developing ridicule.
Either give it away or get top dollar, but never sell yourself cheap.
If we want secure software, we should write it. If we don't want to write it ourselves, we should be ready to pay for it. If we do want to write it ourselves, we can call it open source. Either way, there is a motivation to make secure programs.
It is possible to write non-trivial programs without security bugs. It is very difficult, so in the mean time we should settle for the best security we can get. The best security is pretty good if you take reasonable precautions like not choosing a password like 'ant'.
So get off your butts, MS, and make your software secure, and not through obscurity!
... why not open source windows?
I hope this isn't redundant. I don't know how many people have seen this excerpt from long ago.
'An administrator doesn't need to understand the problem in order to fix it'
This is pure bullshit. It is *extremely* important to understand how these worms and viruses work in order to respond effectively to such threats.
If I, as a programmer, was writing a web application in C that could potentially be remotely exploited via buffer overflow, such information is *absolutely fucking critical* to me, so that I can write safe code.
M$ seem to suffer from the delusion that they are the only people in the world actually writing computer programs.
This unbelievable arrogance is getting pretty tired, and i imagine that we'll be seeing some pretty big anti-M$ stances being taken by previously devout believers in the near future.
If you can't put up, M$, then for christs sake shut up.
I gots ta ding a ding dang my dang a long ling long
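The point about needing to understand the overflow in order to write safe code, as an added example that is not part of the original post: a minimal C query-string parameter extractor in its vulnerable form beside a hardened one. The 16-byte field size, the parameter names and the request string are assumptions constructed for the illustration, not code from any product discussed in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for the illustration: the original author sized this field at 16 bytes. */
#define FIELD_MAX 16

/* Constructed request for the demo: a 32-byte value aimed at a 16-byte field. */
static const char *LONG_QUERY = "user=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&x=1";

/* Return a pointer to the value of `key` in a query string such as
 * "a=1&user=bob&x=2", or NULL if the key is absent. Shared by both versions. */
const char *find_value(const char *query, const char *key)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=')
            return p + klen + 1;
        p = strchr(p, '&');
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* VULNERABLE: copies the value up to '&' or end of string and trusts the remote
 * client to keep it under FIELD_MAX bytes. A longer value keeps writing past
 * `out`, which is the remotely triggerable overflow the post is talking about.
 * Returns the number of bytes copied. */
size_t get_param_unsafe(const char *query, const char *key, char *out)
{
    const char *v = find_value(query, key);
    size_t n = 0;
    if (v == NULL) {
        out[0] = '\0';
        return 0;
    }
    while (v[n] != '\0' && v[n] != '&') {   /* no bound on n */
        out[n] = v[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* HARDENED: the caller passes the destination size, and an over-long value is
 * rejected with -1 rather than silently truncated or written past the buffer.
 * Returns the value length on success, 0 if the key is absent. */
int get_param_safe(const char *query, const char *key, char *out, size_t outsz)
{
    const char *v = find_value(query, key);
    size_t n;
    if (outsz == 0)
        return -1;
    if (v == NULL) {
        out[0] = '\0';
        return 0;
    }
    for (n = 0; v[n] != '\0' && v[n] != '&'; n++) {
        if (n + 1 >= outsz) {               /* leave room for the terminator */
            out[0] = '\0';
            return -1;
        }
        out[n] = v[n];
    }
    out[n] = '\0';
    return (int)n;
}

/* Demo: count how many bytes beyond the 16-byte field the unsafe copy clobbers.
 * The field sits at the start of a 64-byte area so the overrun lands in memory
 * we own and can inspect; in a real program it is whatever sits next to the
 * buffer, such as a saved return address. */
int bytes_past_field_unsafe(void)
{
    char area[64];
    size_t i;
    int past = 0;
    memset(area, 'C', sizeof area);
    get_param_unsafe(LONG_QUERY, "user", area);
    for (i = FIELD_MAX; i < sizeof area; i++)
        if (area[i] != 'C')
            past++;
    return past;   /* 32 'A's plus the NUL: 17 bytes past the field */
}

/* Demo: the hardened version refuses the same request. Returns 1 if rejected. */
int safe_rejects_long_value(void)
{
    char field[FIELD_MAX];
    return get_param_safe(LONG_QUERY, "user", field, sizeof field) == -1;
}

int main(void)
{
    char field[FIELD_MAX];
    printf("unsafe copy wrote %d bytes past the field\n", bytes_past_field_unsafe());
    printf("safe copy rejected the long value: %d\n", safe_rejects_long_value());
    printf("safe copy of a normal value: %d -> \"%s\"\n",
           get_param_safe("user=bob&x=1", "user", field, sizeof field), field);
    return 0;
}
```

The hardened version rejects rather than truncates: silently cutting a value to 15 bytes can turn one parser's view of a request into something different from the application's, which is its own class of bug.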
Look, irrelevant of the so-called "motivation" for why people publish information on security vulnerabilities, exploits, or detailed guides -- which is impossible to factually discern -- people should be free to publish such, online or in magazines. If I want to publish a specific program which exploits MS' OS, I should be able to do so. If I want to say how to exploit MS' OS, I should be able to do so. If I want to explain how the exploit works, or a particular security flaw, I should be able to do so.
MS or the government should not be able to limit MY freedom of speech. A weakness is there, whether I say so or not, and someone will figure out how to exploit it whether I say so or not. Might as well "open-source" it so it can be dealt with by security experts who have an interest in it.
Just because my security exploit CAN be used for malicious means does not mean I should be prevented from publishing it. This is the same as the DeCSS argument -- just because something CAN be used for so called "illegal" purposes doesn't mean it should be illegal.
Now, let's be clear -- when there is a bug in the program, a security hole that can be exploited, etc., the fault is completely with the developer, whether that developer be MS or Linus Torvalds (LOL, I almost wrote Linus Pauling: of the Linuses, who do you think is more brilliant?).
MS should stop whining because people expose their screw-ups. What this really amounts to is they don't want hard criticism. Now, is publishing a specific exploit necessary for criticism? No, it is not. A criticism of a security hole can be published without an accompanying exploit of that hole. However, a specific exploit published adds validity to the security criticism.
But why would Bill Clinton care about this. As long as he has several 'cracks' around to make his 'microsoft' into 'megahard', and Hillary is gone, he should be happy. Maybe he is less worried about people cracking the bugs, than about the bugs in the cracks. Don't want to catch anything, seeing as how Hillary knows he couldn't get it from her. She hasn't slept with him since...How old is Chelsea?
The Cisco 675 DSL router/modem. This device has very widespread use in consumer home and SOHO environments. Other Ciscos in that line were included in a particular issue that caused the router to hang completely until power cycled. Cisco was first notified about this January 10 2000 (no typo there, 01-10-00). A very easy-to-prove situation was shown to cause this. After 11 months of waiting and two notifications to Cisco, the notifier had given up on Cisco doing The Right Thing (c), and notified BugTraq about the problem, in this post, Nov 28th, 2000. Users from around the world tested, and verified the issue. Want to know what happened? Nothing. Not a peep from Cisco about this, until recently. The DoS vulnerability in the Cisco was never acknowledged by Cisco, and still isn't admitted. However, a notification of a DoS vulnerability was finally admitted by Cisco here, 8-24-2001. Nineteen months since being notified. However, the entire reason for this wasn't the vulnerability mentioned of a skewed HTTP request, but simply its inability to handle multiple HTTP connections. Why? Code Red. The Code Red virus was banging on port 80 so hard that the routers would lock up hard and die until reset. Many thousands of DSL customers were affected by this, and IMHO, a redo of the HTTP code that should have been done over a year and a half before would have prevented the entire nightmare of Code Red issues for owners of the Cisco 675 (their systems are another story however).
Checking for other 'exploit code' on the BugTraq list should show that the people who create it are responsible, usually doing no more than running a 'whoami' in the case of elevated privileges. They don't arm 'script kiddiez', they do it themselves; however, the proof that a hole is exploitable is all someone needs to write their own. This is not a bad thing, this is a good thing.
It is general policy on BugTraq that companies be notified and given sufficient time to resolve issues, usually 3 months or so. If that lapses, it is the infosec engineer's responsibility to post the exploit for the world. The company won't listen to the voice of one competent person, but they will listen when their entire customer base gets proof that the company shirked its responsibilities to protect its customers.
Toodles
Toodles D. Clown
"The state of affairs today allows even relative novices to build highly destructive (malicious software),"
That is, "MicroSoft programs are designed and coded so poorly that relative novices can punch holes all through it."
"But I don't wanna kill the bunny!"
I created a Word document that covertly sends emails out of the document reader's mailbox back to themselves, just to prove a point of how stupid it was for foreign scripts to have system access by default. I got all the information I needed right off of Microsoft's website!
I just got my Matrox G450 and I'm about to toast my Windows 98 system, upgrade to two 80 gigs and switch to Mandrake. For those few programs I must use Microcrap for, I will run it with VMware. Sure, I haven't gotten rid of MS, but now I can move completely to Linux as I find or learn the apps I need!
See Ya Bill !!
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
It's pretty obvious that Microsoft is too lazy and inept to get any use out of the security community. Not only is it correct in principle for security gurus to post exploit concepts, but it is better in practice.
Take (see this coming?) linux for example. The linux/open source community pays attention to proof-of-concept experiments published by the security community. Hence, Linux and linux applications tend to be extremely secure. Security patches for Debian tend to be released only days after the exploit is made public. Apache has maintained its tight security record.
On the other hand, Microsoft security is notoriously terrible. Outlook Express has been the springboard for the last 2^n email worms. Most Windows installations can be hacked with the press of a button. IIS is... well, I'm sure you all know about IIS. The common theme here is that every single exploit used against Microsoft products has been well documented and demonstrated by the security community well before they became major security issues. Microsoft ignores the security community until customers start griping about K1dd33z hacking their software. Instead, they whine about how the security community is causing the problem.
The moral of the story? Don't look a gift horse in the mouth, and if you do, don't sue him for biting your nose off!
-3Suns
~~~~
The Revolution will be Slashdotted
Imagine, however, that the only car you could possibly buy was a Dorf. In this case, if someone posts an article that Dorf cars explode when exposed to infrared light, that someone would put thousands of people in danger. Dorf sure as hell is not going to fix their cars - since people HAVE to buy cars, explosion or no explosion.
So, I could easily see this essay as proof that monopoly practices are harmful - since they create an absurd situation that elevates the latest Outlook bug to a national security threat.
>|<*:=
Though I agree with most of your points, this is a bad example. Supposedly, because the gas tank was between the door and the frame rails, it could get pinched in a side collision and rupture, possibly exploding (sounds like a '70 Pinto). Staged is right, as Dateline had a small incendiary device that caused the tanks to blow. GM has a blurb on their 90's history page (see 1993).
Shades also of the Audi 5000 controversy, where folks said they had unintended acceleration and their cars took off when they weren't hitting the gas. 60 Minutes got it to work too. Well, after pumping random stuff into the transmission, yes. So there you have it folks, if you pump pressure into your trans, expect unexpected acceleration.
You can't properly describe how to fix a security hole without revealing what the hole is. Even binary patches make it easy to create an exploit, simply look at what the patch changes. No matter how you try to socially engineer around it, the security hole itself is the origin of the exploit.
Spreading information about a hole makes exploits of it more prevalent, but this isn't a bad thing. We all know the bigger the chance of getting hacked, the more incentive there is to fix the problem. If the latest round of worms wasn't so virulent they may have gone mostly unnoticed by the general population of IIS admins.
Exploits, like liars, are a necessity to keep people from becoming too trusting and lax.
Ok, so they tell people to stop showing how to crack open gaping holes. It's not going to happen. You can tell me to run off the edge of the grand canyon, I just won't do it.
Some of these guys live by these exploits though. I mean, take the guy at grc.com, as far as I know, all he does is try to find holes in the Operating System, and tries to get them fixed.
The most pertinent hole related to *nix is the use of raw sockets in XP, which he is very vocal against. It seems it makes every user the admin, and allows for easier access to the kernel. As well as making for a nice DoS box on the net, and one that would not be aware that it is sending.
What this guy is saying is equal to saying that we need to completely shut up on everything in computing, security, and communication. EVERYTHING has exploits, that will never change. Do I blame the security experts that my firewall is DoS'ed? Do I blame the OS and software company when Nimda made my Monday morning hell? No, I blame the moron that opened that email, I blame corporate for not giving the front-line managers the tools we need to defend the network. At work we run Microsoft, we made that decision. Unfortunately companies and people will not take the responsibility for running an unsecurable operating system. My own corporation asks why this Microsoft hole allowed this; I ask why I don't have the funding to close up and protect this insecure operating system and network. Everyone knows that Windows products are the most insecure money can buy and that it is the number one target for troublemakers.
Is something done? No, no funds to shore up security, no funds or resources to fix the problem or be proactive.
It's not Microsoft's fault, it's the fault of the operators and owners that will not allow their techs to do their job, or give them tools to do their job... Because it's too expensive...
Do not look at laser with remaining good eye.
Of course he does dear, now be quiet.
But he doesn't!
He has clothes for as long as we say he has clothes, so say he has clothes, and be quiet.
"Business: Hiawatha Bray thinks Microsoft has a point about laying some blame on those who discover security flaws, then publicize them."
Personally, Bray has always struck me as an idiot so this is nothing new. The last name says it all!
Which of the following scenarios demonstrates civil behavior:
A. Hey look everybody! Bill has a chive on his tooth!
B. Psst. Bill. You've got a chive on your tooth.
If you said A, congratulations. You are a brain dead follower of Slashthink.
How does this analogy apply to the situation? Think about it. Wouldn't it be better if companies (including MS) were given a little lead time before bugs are announced to the world? Perhaps a month would be the standard. Then, and only then, you could use public embarrassment as the tool of last resort; not the first.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Dipshit.
I have met Scott Culp in person, at Black Hat in 2000. I have never met a person more brazenly corrupt in my life. He tried to bribe me into dirty tricks against Sun. Any prosecutors interested in pursuing this should contact me.
Basically what is being asked for is:
1) don't tell anybody of the problem
2) If you must tell them, don't prove it
It worries me that some people in the security community already seem to accept that the proof should be hidden. I wonder how long it will take until they think the facts should be hidden too.
--red.
I don't mean to be facetious or anything like that, but..well..if I'm paying for a Microsoft OS, I would expect Microsoft to be the ones protecting -ME-. Not the other way around. I mean they're selling a product, right? If one of the features I'm paying for is a secure system, aren't I supposed to -get- a secure system? If I don't, isn't that false advertising?
Many points have been made: the need to know, pressurise the vendor for better security, prevention before the patch comes out, etc. Along with all these points I think there is also a strong fame factor as well. If I spend all my effort to track down a new exploit, then I don't want to secretly pass it on to the vendor. I want to publish it in all its gory details in bugtraq and let the whole world - especially the fellow geeks - know how clever I am. Don't deny me my >=15 minutes of bugtraq fame!
For anyone except Microsoft, Microsoft servers *are* third-party servers ...
Yeah, it's high time that Microsoft itself stopped providing all the tools that hackers require to break into customer systems... tools like Internet Explorer and Windows and Word and Outlook...
EVERY Microsoft product provides all the ActiveX tools and security flaws that a hacker needs to break into company computers and compromise data, and it's about time THAT MICROSOFT STOPPED DISTRIBUTING DEFECTIVE CODE HARMFUL TO THE PUBLIC.
When are the government and military going to realize that Microsoft itself is the threat to national security? These products themselves are the problem and the tools. Needless to say, Microsoft refuses to improve its software engineering acumen and produce quality products... they just continue to vend out the same junk, rake in obscene amounts of money and issue the occasional manifesto which absolves them of all blame and responsibility.
-- Speaker
The consensus, based on the other comments, is that the manufacturer of an O/S is responsible for the security, just as the manufacturer of an auto is responsible for the auto's safety.
I think Culp has an ulterior motive. With the frequent cries from Washington (despite occasional backpedaling) and the boardrooms for mandatory back doors, our machines may soon be under attack from inept g-men or indifferent office workers just "doing their jobs" like Calley, Eichmann, and North.
If enough hysteria is created nationwide, the back doors will become mandatory. The same hysteria could be channelled to make dissemination of security-related information an act of terrorism. Look at all the recent examples of opportunistic legislation in Washington to understand how likely this is. Inevitably, hackers will find ways to close the back doors or at least make them ineffective--a criminal act. Culp et alia would love nothing more than to operate without the meddling of Security Experts. By demonizing them and preaching to the choir, he is off to a good start.
"What is the sound of one belly slapping?"
Or did other people note that Linus Torvalds' trademark on Linux was overlooked, while Microsoft's (R) and Solaris' (R) got their due?
Perhaps someone should send them a friendly tip on Linus' IP rights..... I tried but their comments page doesn't have a comments section to type in. =[
The vendor is almost always notified in advance of an exploit being released by a reputable security group (usually a couple of weeks at least). Of course this doesn't mean that exploits didn't exist already, passed around in less-than-reputable circles.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
Let's all stop alerting the world when we find a security hole in an MS product. Then let's see if MS's security improves.
I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve. BB
hey, notice that in the essay, microsoft basically implies that they cost consumers billions of dollars from "worm accidents"
-- Betting on the survival of the media industry is a serious risk. I advise investing elsewhere.
If third-party security companies and organisations can be made to take responsibility for the protection of Microsoft customers, can Microsoft sue them for failing to adequately protect the public against software flaws Microsoft itself created and distributed?
What is the real issue here ?
Is it the fact that security experts show the holes which they know that hackers will find?
No, it's more to the point that MS is trying to release software which relies heavily on the fact that they can create secure systems. The whole XP and Hailstorm idea is based on the fact that user information will be protected and that MS can charge for this protection.
MS doesn't want security firms to find holes in its code that show how ineffective and inefficient they are at writing good code and creating secure systems.
MS, as are most if not all mainstream computer firms, have inefficient business models and practices. They have been allowed to run amok while governments all over the world allow them to produce shoddy work.
If it was any other industry other than software there would be millions up in arms. If the car industry built cars and advanced the way Microsoft has (borrowing Bill's analogy) we would be back to the horse and cart, as thieves would be stealing our cars left, right and centre, and when they weren't being stolen they'd be stalled in our driveway.
This condition has existed and will continue to exist, because the politicians are too narrow-minded and just plain stupid to understand the new technological revolution. So they listen to the industry experts, who just happen to own the biggest software firms in the world.
No one expects perfection from a manufacturer whether they be in software or producing solid products. But we do expect a high degree of professionalism. No manufacturing industry is allowed by law to sell products that are dangerous. Software companies can, they can sell software that has the potential and that have cost the world billions of dollars and large amounts of productivity.
It's time our politicians wake up and learn something about the IT industry instead of just sitting on their butts and thinking happy, happy thoughts. Or we'll all wake up one day and all computers which are connected to the WEB (except possibly those using Linux and Unix) will not work.
Or does this sound like a response (an admittedly weak one) to the Gartner Group's calling for IT professionals to dump Microsoft?
"Uh, all these security holes aren't our fault, it's those damned jerks--Information Anarchists--who publish the details!"
-- Shamus
This space for rent! EZ terms!
At work we recently had a discussion about the current state of viruses - and our consensus was that most were thankfully reasonably benign - in real terms they were simple to detect and eradicate. I for one hope we don't return to the old school where executables are modified and viruses interact with the OS at the lowest levels - gradually damaging data in order to ensure that errors are propagated through grandfather-father-son backups. This sort of low-level virus was a serious problem in days of yore... and can you imagine trying to detect a binary-level real-time encrypted/decrypted monster for which there is no clear signature? What a nightmare that would be - at least right now the most prevalent damage seems to be to pride rather than mission-critical data.
I'd postulate that without this flurry of viruses that have plagued Windows of late, the masses would still be completely ignorant of security issues. By causing embarrassment, affected users are likely to remember their mistake and avoid future repeats - not that I think virus writing is in any way justifiable. Sure - releasing exploit information to live systems is dangerous - expanding the availability of this information certainly damages the security of the systems in question. However, we all know that the real problems lie with the abominable quality of MS closed source systems.
There is a solution - to both this and the problematic anti-competitive claims - we need legislation. We must require all organisations using computers to manage personal information (in the UK exactly that information which is covered by the DP act) to only use suppliers who fully disclose all interfaces to their systems for public inspection. I don't believe that we should require Open Source (although that certainly meets the requirements of specification) - but I believe that a supplier who falsely or incompletely documents a formal specification should be held liable without limit for any consequential damage which can be attributed to any discrepancy between the system and its specification. Simple, effective and our only defence against "evil terrorists"; otherwise minority groups with selfish agendas will surely wreak havoc on the free and democratic world. Start the lobbying!
The problem with the author of this article's point is that you can't stop it. That's the one thing we have learned about information. As soon as it exists or is created you can't stop it. Eventually, it will be everywhere. It's not like these people are doing something new. The information on how to kill security-poor products has existed since the first picosecond of the universe... well before anyone wrote dodgy software. I think the real issue here is that people are making it easy for people who have little knowledge of the issues involved to destroy vulnerable systems. I think that's a little like handing Osama the keys to an airplane. He might not know much about it, but you've trained him just enough to fly it into the WTC. Then again, there are some security problems (Nimda, Code Red) that are SOOOOOOO bad that it only takes one person to know it for it to bring down millions of computers globally.
I think it's time software companies stopped bleating about people hacking their products and just went ahead and admitted that it costs real money (or time in the case of open source) to make software as safe as possible, and that you can't EVER make ANYTHING totally secure. Oh, that and getting their arses in gear and actually fixing the problem.
Has anyone mentioned that security through obscurity is a dangerous thing that does not work?
-- Mike
Bullsh*t. Microsoft is just getting tired of being caught with their pants down. If source to exploits was not published, the concern to fix holes would be dramatically lower, and rather than learning to patch your software after your machine crashes you can learn to patch it after a real cracker uses information on the server to defraud you or your customers out of their money.
Microsoft????? More like...MicroSUCK! Ha!
i was listening to "the connection" on NPR a few years ago when they had the guys from l0pht on. they were pretty good at explaining their reasons for publishing exploits and i heartily agree. as others have said most companies will not make a fix until everyone knows there is a problem. microsoft should just get on the ball. someone finds a hole, they patch it and make a mea culpa. i just wish they would cut out the nonsense where they try to shift the blame. it doesn't work. making fixes does. microsoft would be such a better respected company if they would just lose some of their attitude and admit when they are wrong.
:)
incidentally. this will probably piss many folks off but i think i have a point.
Microsoft offices in reno were hit by anthrax. some scientist years ago figured out what anthrax was and how harmful it could be. he told everybody. everybody did what they could to avoid anthrax and Bayer came up with cipro, a drug to fight anthrax.
so what the hell is microsoft saying? that we should have locked up the guy that figured out anthrax? and bayer for coming up with the fix?
geeze... that just seems fucked up. am i wrong?
(incidentally I'm certain I'll be hit with tons of responses telling me that yes i am wrong)
-
Basically, by referring to demonstrations of security holes as "blueprints [...] for building weapons", Culp is plugging into the current hysteria and war atmosphere to try to achieve their goal. What is their goal? To cover up that it is Microsoft that fails to use proper development practices to avoid common security holes and that it is Microsoft that is responsible for shipping products that do not meet even minimal security standards.
If you do want to use the language of war, Microsoft is like a very powerful weapons manufacturer that sells weapons to the US military that do not function properly, that they know do not function properly, and that allow the enemy to break in and disable them using trivial, well-known methods. I would say it is every American's patriotic duty to make sure that the shortcomings in the products of such a manufacturer are exposed widely so that both the political and the legal system can curb their abuses and keep them from putting American property and lives at risk in the future.
You see, the key issue is that we know well how to avoid the kinds of security holes that keep appearing in Microsoft software. Microsoft is simply trying to save money by cutting corners on development practices and trying to kill competitors by rushing immature products to market prematurely. That is what Microsoft should be held responsible for, both financially and possibly criminally.
If Microsoft (and other large software companies) were held responsible for bugs in their software, you can bet that the "software crisis" would end soon, as software developers would finally find it more lucrative to invest in proper training, tools, and testing rather than to just grind out flaky code with the equivalent of unskilled labor.
Stop providing the blueprints? ok.
Next week when Microsoft is hacked again this time with absolutely no warning, no way of figuring out how the hack may have taken place, and no way for anyone to secure their machine from it. We all just have to trust Microsoft??!
I don't think so.
Hackers are going to hack. Blueprints? Hackers CREATE blueprints, and some website displaying what hackers already know isn't going to change that. Displaying the information protects people who don't know what hackers know.
If you use Linux, please help development of Autopac
If my car has a safety issue, does it not affect me if I'm not told about it?
It appears that the advantage of releasing sample code to exploit flaws in computer systems places increased pressure to fix the bug on the manufacturer. This is good, but at a compromise which places serious risk to the consumers of the product. Once suspect code is released, the potential for damage to consumer systems is exponentially increased because the tools to do damage are then available to anybody. Both sides have valid points, but perhaps a set of guidelines to report such bugs which take into account the interests of all involved parties is crucial.
As far as I am concerned, there are five levels of releasing this information which could be used to balance these interests:
1. Say nothing and somebody else will exploit the bug
2. Release this information to the manufacturer of the software product and hope they do something about it
3. Release a summary of the bug, enough so it is realized by the general public
4. Release technical information on what theories are used to exploit the flaw
5. Release the tools necessary to exploit the flaw
The above could be thought of as an agenda for the order in which to release word of any flaws, where one step succeeds the other, starting at #2. 5 should be used with extreme caution - in other words: know what you're doing before using this step, because then anybody can make a toy of the tool to execute the exploit on anybody's system.
The rhetoric in the article is quite misleading:
This is not a call to stop discussing vulnerabilities. Instead, it is a call for security professionals to draw a line beyond which we recognize that we are simply putting other people at risk. By analogy, this isn't a call for people to give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.
He purposely uses the canonical example of what type of speech is not considered good. He neglects to mention that in the example, there is supposed to be no fire. If however, there was really a fire, we all would want the person to yell out "Fire! over here. On the drapes next to the fourth balcony." Yelling "fire!" is more important, not less, when there is a crowd in the theater. More people are at risk. They deserve to know that.
When researchers post detailed descriptions of security holes and exploits, they are yelling "fire" where there is actually a fire. When PR doublespeaker from Microsoft claims, as they have done elsewhere, that "Open Source results in security vulnerabilities" they are the ones who are yelling "fire" where there is in fact none.
Last time I checked (and it was a while ago) M$ was planning on using raw unix sockets on XP. My understanding is that this is a very bad thing security wise. Do they intend to blame others for this also? Or will they use it to develop a proprietary TCP/IP, and blame others for that necessity?
When it comes to running computers safely and productively, protecting the interests of the users (us), who should we trust, Microsoft or ourselves?
I found this story talking about serious security problem in Novell Groupwise. But they say it is better if they do not tell you what the problem is. But apply the patch NOW
First, let's state the obvious. All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written.
Code Red and the other worms were Linux, Solaris worms?? Is that obvious to anyone besides Scott?
[alk]
The security community is so large and diverse that effective controls on exploit code and detailed vulnerability information is impossible. Who would determine who gets access? Microsoft? The US Government? The only practical method is the public one.
The enemy is not Microsoft's unwillingness to produce patches for their security vulnerabilities. They have actually proven to be one of the more cooperative vendors for recognizing flaws and producing and releasing patches, at least in recent times.
The enemy is not the public release of explicit vulnerability information, which is necessary for security research.
The enemy is also not the 13-year-old that breaks into computers. Fighting a war against 13-year-olds is a dumb war.
The enemy is the fact that software vendors like Microsoft have consistently chosen to place their customers at a ridiculous amount of risk through default configurations of their software, and the fact that a 13-year-old can break into thousands of computers with little effort or skill.
Why is it that default configurations of all major OSes (note that I'm not singling out Windows here, I'm saying all OSes) come with an absurd number of default services open? If the vast majority of customers do not need a service running, then it should not be running. How many Nimda infections were from people who had no idea they were running a web server in the first place?
Why is it that default configurations of most prominent workstation and network client software has poor default configurations, security-wise? Do most users out there really need ActiveX or Javascript in their email client? Not only no, but hell no.
Yes, vulnerabilities do occur in all software. I don't think that anyone out there has any expectation for Microsoft or any other vendor to achieve perfection here. However, the issue here is that the default posture leaves users prone not just to known vulnerabilities, but to ones that have yet to be discovered.
All software vendors (including but not limited to Microsoft) need to better examine the features of their products to discover potential points of attack. If the majority of users have no need for a particular feature that might be dangerous at some later point in time (e.g., mobile code capabilities, network services, modules to network services like IIS index server, etc.), then they should be disabled by default. Go ahead and make an easy-to-use checkbox for turning that kind of stuff on individually, but don't have it on by default.
Microsoft has recently stated that it is beginning a new initiative to ship their products in secure configurations. I believe that they probably will succeed somewhat here, but we've been hearing similar lines of bull for so long that they have no credibility here until they actually prove it.
Microsoft and other vendors should stop whining about the messengers, and should start shipping products with default configurations and initial postures that are likely to withstand existing and future attacks. Default configurations are enemy number one, not public vulnerability research. Let's see some proactive work being done instead of only reactive work. Microsoft has plenty of problems to fix in their own development processes before they worry about fixing the "problems" they feel the security community has.
I find it very handy. I use it to disabuse developers at companies whose security I am responsible for of the notion that buffer overflows are so tough to exploit that they don't have to worry about them in their code. You'd be amazed at how many otherwise excellent developers think that buffer overflows are unlikely to ever be exploited.
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
If we didn't write sample code and show how to exploit the security hole, Microsoft would never patch things. They only patch holes in a few cases:
#1 If it allows them to 'fix' something else like Quicktime, RealPlayer, or any other competing product
#2 If people make such a big stink that Microsoft has to fix the bug in order to make itself look like its actually doing something (and even then, it has a hidden motive).
#3 If it allows people to bypass their precious EULA
People forget that Microsoft created the holes in the first place. We wouldn't have to write sample code to blow holes wide open if they didn't exist!
Brielle
The real problem is that all those security holes make their software look bad. Especially compared to other software. When he mentions that software makers are more aware of security and faster putting out patches, he conveniently forgets to mention that specifically Microsoft was extremely reluctant to react to security flaws until they were publicized widely. He also neglects to mention that it's not only important that there is a patch, but also to make people aware of it. It is very true that beyond the complexity of "Hello World" there is rarely a piece of perfect software, but he addresses that statement to the wrong people. The security experts already know this, but the customers of Microsoft very obviously don't.
Also it must be said, that most of the damage the worms did was to the image of microsoft. These worms showed the extent of vulnerable machines all over the world, but had there been no worms there would be even more vulnerable machines now, with backdoors open to anyone intelligent and motivated enough to write their own exploit. All those worms that draw so much publicity to the security flaws are just the tip of the iceberg. Someone really malicious will have the abilities to sneak in through a hole without a ready script, and he won't do it with a worm that creates a lot of traffic, but silently install a backdoor and do whatever he set out to do.
When calculating the damages a worm did, that always includes a complete system check for data integrity, backdoors, etc. But if the hole was there and had to be patched, who is to say there wasn't someone/something else than a well-known worm that came in, installed backdoors and corrupted data? And that person will probably do far more damage, since he probably chose that computer for a reason. Much damage is already done when the system had a hole and was attackable for some time, since that means that system security and integrity can no longer be guaranteed. Many worms are only making people aware of that fact.
Microsoft could do far more for the security of their products by making people aware of the importance of patches, but probably that doesn't sit well with marketing.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
Hey, they want the security sites to leave exploits alone - so why not? If they want to blame their best source of the solution for the problems, let them. Watch the security sites disappear - or rather, stop supporting MS stuff. Then watch MS software go to hell as exploit after exploit rips it apart.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
It's about high time that we did away with Free Speech! The press never did any good anyway! People need to be more responsible and say only the things I want them to say! That way life will be much better for me! It's the right thing to do! Blah Blah Blah... I can't believe Microsoft published that.
-James
Culp argues in the essay that software flaws--whether in Windows, Linux or another operating system--are not going to go away.
"While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection," he said.
If perfection is the standard, then I agree - no software will ever achieve that state. However, there is plenty of solid code available gratis and for fee that is for all practical purposes, perfectly secure. Take qmail, or djbdns; the OpenBSD kernel; various "trusted" OS; many embedded OS are practically perfect as far as security goes.
You can even take an older Linux distro, install it, and disable all services but those that are required (and upgrade those to the latest stable versions), and you have a box that will resist almost every exploit, and certainly all of the common ones.
You could do this with Windows, but for the fact that sometimes unnecessary services cannot be turned off. This is where Microsoft - and RedHat (who learned) - have made their biggest security blunders, by enabling unneeded servers out of the box. Stop that, and most of the worm problems go away, or are severely limited in scope.
Edith Keeler Must Die
Typical Microsoft. Quit your damn crying, and clean up your code. At least, for God's sake, get it audited by a true independent 3rd party. I really don't blame anyone for hax0r1ng your boxes, the os is truly pathetic, and so is MS for not caring a lot about security. You've dealt with security by keeping a closed source all these years, and it is finally catching up with you.
Don't get me wrong, I'm no open source zealot, nor an anti MS individual. I just think that crying about it will never fix it. It needs to be fixed the first time.
It only takes one person to follow pseudocode and create a working script or binary and post it somewhere. It will only buy some time. I am for notifying the company, waiting a reasonable time, then posting the complete exploit.
So maybe it should work like this:
Vulnerability discovered
Vendor given 2 days to confirm or deny vulnerability.
I have about 50 Microsoft NT servers from 3.50 thru Windows 2000 REGISTERED with Microsoft. They have my name, my address, my e-mail address, my telephone number.
Never once did they contact me or send me a CD with security patches on it. Never did they send me an email to go to a website to download a fix.
I was told, when I registered my product, that they would keep me informed. They have failed to do so.
The recent exploits of IIS were from known problems that had previous patches. Many users did not patch their system. They did not know that they had to patch their system. Despite Microsoft knowing who the users of NT IIS were, they did not attempt to contact those users and let them know that patches were available.
Not only that, until recently Microsoft made it very difficult to find security patches. Their website is large and complex, and items change location all the time. In the past five years finding patches for security fixes of NT systems has gone from extremely easy, to nearly impossible, to finally getting organized and easier again.
Why is it, that after the outbreak of Code Red, it took days before information was available from a link on Microsoft's main page? Because it is bad marketing. Instead I have to go deeper to find that information. There isn't even a generic link for security from the main page.
When you do get to their security page, you are told that Microsoft is doing the radical step of giving Security Tool Kits away for FREE!!! Amazing, you bloody well better give it to me for free. It's your buggy code that had the problem in the first place. I'm a registered user, I haven't received a kit yet.
Microsoft is finally starting to take some initiative with this security thing. But, they shouldn't run around pointing fingers at anyone other than themselves
October 17th...
oh okay... I was so sure it was april 1st...
God, how can a billion dollar company be saying something like that?! Guess it's because it's a billion dollar company; heck, any small developers saying something like that would starve...
I guess this is an easy +1 for open source, talk about self-mutilation... I can't believe we're actually running on over $50,000 worth of MS products and I am actually reading this...
--- Metamoderating abusive downgraders since my 300th post.
In my most recent finds, not made public yet, there are a number of gross privacy bugs in some pretty major websites (similar to the Hotmail problems, but with banking, news and ecommerce sites).. Well, besides the difficulty in even finding someone in their organization to tell about the problem, once told they usually do nothing. So, the question I have is what do I do now? Leave your banking site wide open, or make the exploit public to get something done?
-- these are only opinions and they might not be mine.
"That vulnerability is completely theoretical" --Microsoft
L0pht, making the theoretical practical.
Sometimes publishing details about a hole doesn't convince everyone, even if it convinces the authors there is a need for a patch and perhaps even auditing the code for these things before release.... What if people don't learn from this mistake (patch it and never make it themselves...)
After all of the sleazy marketing tactics they've engaged in, Microsoft is irked that security-oriented websites are being forthright in revealing the flaws associated with the myriad facets of Windows?? Here's a novel idea, which should apply to everyone from the smallest two-bit software shop to the big boys at Redmond -- if I pay for your software, I'm gonna damn well complain as much as I like when it starts breaking!
They don't like it when flaws are posted and exploited, which makes them work harder on securing their newest OS? Why, because it slows down the product development lifecycle of the next, marginally improved generation of software? Then they should either extend the beta until they're more confident in it..... consumers shouldn't have to pay for QA!
In some part or another of 'In the Beginning Was the Command Line' he talks about the fundamental difference in the handling of bugs in code by commercial and non-commercial software companies. Microsoft has built up this almost communist-party level need to appear infallible, and thus almost never publicly acknowledges any bug. And like most everyone else has said, people writing exploits of some of the more serious bugs forces MS to take note and fix it, lest their products be seen as the straw giants they really are.
To throw in another analogy, who would we be pointing the finger at when some day care service, recently exposed as a sweat shop cover, blames the reporter who outed them?
The only difference here is that most reporters, deservedly or not, are seen as agents of truth and justice. But try convincing the average man on the street that Back Orifice is a good thing in the long run, and see how far you get.
If Microsoft were to release new software without exploitable bugs, that would be abusing their operating system monopoly to unfairly compete with network security device and virus scanning software companies. The DOJ could sue them for anti-competitive business practices. ;)
I'm a big fan of exploit detection tools. If you don't have exploit code, you can't test the efficacy of the fixes.
First, what sane admin would patch a system and then not test to see if it in fact had been fixed?
Second, it's far more cost and time effective to run a black box exploit detection script against a heterogeneous network environment than trying to manage a diagnose-and-patch effort from a white box administrator perspective -- in short, trying to map every machine and OS and package version to the appropriate fixes.
DJK
silly Microsoft, exploits are for script kiddies.
Where did I read that these kids these days can't code in C or any other language, don't know who invented UNIX or the C language, don't know about Babbage or Hopper? May have been Slashdot. They just know how to run pre-made exploit programs. They want an executable - they would not even know how to compile a code fragment, since this would require a bit of thought.
Did anyone else notice this -
Code Red. Lion. Sadmind. Ramen. Nimda. In the past year, computer worms with these names have attacked computer networks around the world, causing billions of dollars of damage. They paralyzed computer networks, destroyed data, and in some cases left infected computers vulnerable to future attacks.
then further down -
All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution.
Basically they are attempting to put Solaris and Linux in the same boat as M$ware. It looks like the author Scott Culp hasn't met his quarterly quota for marketing FUD and so has thrown that *cough* article together to make up for it.
Any sufficiently advanced man is indistinguishable from God
isn't it interesting that the name of this person is the root of the term "culpable"? ("mea culpa")
Got Freedom?
Thinking?
I am sorry, but when I apply a package that has been certified by Sun for Solaris, I've never actually had it break my machine. Now I have had other 3rd party programs have problems; for example, using a secure email or secure ftp on Solaris that is NOT Sun provided will encounter some permission problems following major system patching, but at least the core OS always works.
Apply an M$ service pack and sit BACK AND PRAY, then re-apply all the bloody hotfixes that were invalidated by the SP... what a pathetic joke.
errr....umm...*whooosh* *whoosh* Is this thing on ?
The role of the security community is to protect users from false claims of security by companies which produce shitty software; it is the software producers' obligation to provide the security claimed for their products.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Scott Culp, Manager of the Microsoft Security writes, "...it's high time that computer users insisted that the security community live up to its obligation to protect them."
Uh, then what's he on the payroll for?
http://www.archive.org/details/ThePowerOfNightmares
Oh look, the cry baby is throwing a temper tantrum because he's found out life's not going to be easy and fed on a plate to him, working just the way he wants it..
"There is always some madness in love. But there is also always some reason in madness."- Friedrich Nietzsche
Satan, devil. A cunt to the head.
Regards, pauli_ojanpera
Providing information about a security hole or bug to the company is a nice thought, but does not apply to open source. The code is maintained and updated by the Internet community as a whole. So bugs must be presented openly in order to get noted and fixed.
Besides, 'hacker' groups with malicious intent will share information privately without the company's knowledge. Instead, making this information public as soon as possible is good for everyone. It's good for the company because they will know about the vulnerability. It's good for the customer because they can see the unresolved security issues specific to the application and decide whether to shut it down or switch to a more stable solution (or better yet, don't buy into it in the first place). Also, having an outstanding security issue puts pressure on the company providing proprietary solutions to fix their sloppy mess.
Perhaps Microsoft should consider reducing the feature set within IIS in order to provide a product that they can properly maintain. Otherwise, they might want to try moving IIS to open source. Seems to work well for Apache.
Chow
Removal of this sort of stuff would remove the ability of a purchaser to make an informed decision and protect themselves. We've already seen what happens when the consumer/inhabitant doesn't know what's really going on around them security-wise.
When shit hits the fan get some of these https://youtu.be/pY-GncsZ-UE
I don't know why they are bitchin' about people posting virus source code examples. I got hundreds of ILOVEYOU and Code Red code examples sent to me within hours. I didn't have to look very hard.
That isn't the attitude I'd want someone providing my software to take.
Education is a better safeguard of liberty than a standing army.
Edward Everett (1794 - 1865)
"See no security holes, hear no security holes, speak no security holes"
Let's just forget there is something like a security hole.
They wish.
Meanwhile, in Redmond, someone keeps parroting "We give people what they want." Apparently a lot of us want to be pissed off. If you're in the sysadmin thing, sorry, you have my pity. If you're a worker bee, then don't get your shorts in a knot, make your opinion known once and then kick back and do whatever you have to. Can't deal with it? Get another job. Life's too short to spend being in a bent mood because of some PHB's decision to believe the Redmond propaganda machine.
As for blaming the messenger, whoa, that's only because the messenger has had so much work lately!
A feeling of having made the same mistake before: Deja Foobar
I'd like to see some hard numbers on exploits before they are released to the public and after.
If there is evidence of a substantial number of real exploits occurring prior to the release of this info to the public, then I believe the public has the right to know about the vulnerability; but if there isn't, and it's an exploit that is "theoretical" and not out in the wild, then the company should be notified of the vulnerability and there should be a sort of grace period before the information is released to the public at large. This way Microsoft or any other company would only have themselves to blame for their failure to correct the problem before this information is released to the public.
Hopefully this would prevent some of the rampant spread of vulnerabilities that we have been seeing, that end up affecting everyone using the internet in some way or another.
Not quite. Weren't the Lion and Ramen worms mentioned above actually Linux/Unix worms? Or at least Red Hat specific ones. Yeah, I know Code Red and Nimda were worse (I'm not excusing MS's crap security), but all of those worms were helped to spread by insecure default installs.
Redhat seems to have learnt with 7.1 onwards, and it looks like MS might finally be learning with their talk about IIS 6 defaults (Whether or not that actually happens is another matter of course! I'm not holding my breath).
It doesn't surprise me in the least that Microsoft would blame others for their woes. A simple look at their business practices will show that they only care about the short term bottom line. When will they ever learn? Surely not any time soon. How long do you think it will be before XP has to be repurchased (licensed) on an annual basis, at full price?
A pox on them!
Basically, the test engineers find the bugs. Then the project managers decide whether it's worth the effort to fix the bugs, or just leave them.
I'm sure it's no surprise to anyone, but they don't really strive to create software with the lowest number of bugs possible; they just decide whether it's easy to fix or not. And if it's not easy, oh well....
...is the brain-dead average Microsoft customer who's told by Microsoft that their product is secure. You can not release code into the wild, and it will still be there, for the majority of security issues are discovered *in the wild.* You can release a patch, but if your average I-got-my-MCSE-thus-I-rock moron admin doesn't patch their machines, then the exploits will still proliferate, especially automated attack worms like CR.
Perhaps Microsoft should have a "Patching Your System" component within their MCSE track. Obviously the fear of system exploitation just doesn't get them scared enough to patch regularly.
And yes, Microsoft shouldn't ship products which install insecurely by default, but I place the blame more on the admins who place more importance on trying to finance their next house rather than attempting to do a decent job. My iptables logs recently showed Nimda attempts coming from an NYC software consulting firm - I really hope others don't pay them to set up webservers...
It appears to me that Mr. Culp has misunderstood the purpose of the scientific method. The goal of which is to allow other researchers the ability to reproduce one's test/bug/experiment.
Programmers use code to share their experiments because it is the simplest, best, most consistent way to do so. Asking security and programming experts not to share "blueprints" is like asking toxicologists not to share the chemical formulas for the compounds they're researching.
Mr. Culp needs to take a vacation away from the stress of his job and bone up on how to systemically approach problem solving and the sharing of information used to produce repeatable experiments/tests/exploits.
So, the guy in charge of dealing with the fallout of MicroSquish's utter incompetence in the data security field thinks we'll all be fine if we just pretend that nothing's wrong with his products, and don't tell anyone if we find their mistakes.
What a fucking cretin. There comes a time, when millions of people have lost time and money because MicroSquish doesn't understand the rudiments of multi-user computing (let alone networking), when you have to blame the idiot who makes a house out of flash paper.
Remember that name: Scott Culp. It's the name of an incompetent sniveller.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
...and this essay comes from the folks who want you to trust them with all of your personal information. Riiiiiiiiight....
I wonder how things would be if Linux was the main stream and windows wasn't...
Now don't get me wrong. I'm not an MS fan at all. I just hate people who are so whiny and don't like looking at the big picture and end up being hypocritical about it.
-Mark
Dovie'andi se tovya sagain.
I'd argue that this is "fair use". He uses the word to refer to the real Linux in a normal text. To my knowledge, there is no legal requirement to add "(TM)" to each use of the trademark. Otherwise, you would have to write:
"Linux(TM) *is also* a registered trademark, Microsoft(TM)."
or similar. What about "linuxtmjournal"? Of course, that's silly.
Trademarks protect from *abuse*, e.g. from you labelling your own product "Linux".
IANAL.
Faith is pointless.
faith (fāth)
n.
Confident belief in the truth, value, or trustworthiness of a person, idea, or thing.
Belief that does not rest on logical proof or material evidence. See Synonyms at belief. See Synonyms at trust.
Loyalty to a person or thing; allegiance: keeping faith with one's supporters.
often Faith Christianity. The theological virtue defined as secure belief in God and a trusting acceptance of God's will.
The body of dogma of a religion: the Muslim faith.
A set of principles or beliefs.
Sure, readers have been able to logically prove his points wrong, but I think he is on to something. Responsibly handling security issues is a good idea to deter script kiddies from giving people a hard time.
though it would probably be a little less popular. As for your example, I think it's biased. Besides, IDS problems can be solved with a work around from a trusted set of individuals or some other solution.
Here's my theory, for what it's worth:
;-).
1. If the *type* of exploit is known, and the *point of communication* (i.e., socket) is known, then an "expert" system can eventually be built that will make exploit creation point and click simple.
2. Any random piece of information can be disseminated to an unlimited number of points on the internet in much much less than 24 hours if there is any semi-organized method of sharing the information. A web site, mailing list, private FTP server, whatever - the internet was created to share information quickly. Code Red shows that even unwilling participants can be used to spread information (or any other payload) to saturation point in less than a day.
3. Even if only one programmer on the internet is creating exploits, there is a system of sharing this information. This is what has occurred with the "zero day" cracks of games that are shared on IRC, and it is very much a formalized and highly popular system. The only difference is that instead of being freely available to Black Hats and White Hats (like a public mailing list), it's only available as information in trade, and is usually traded for something illegal. This creates a nifty little power hierarchy where fifteen-year-olds become something like the Mafia Dons.
4. Exploit code proves that there is a hole. This proof cannot be denied by J Random Marketing Department.
5. A published exploit allows system admins to test whether a published "fix" actually works or not. Even if every admin doesn't do it, a couple will, and if there's a problem it will be announced on security lists (again, spreading at the speed of light).
Conclusion:
Because there will always be groups on the internet willing to share this information, security through obscurity will never work.
As an example, one could interview various games companies in the US and find the mean time between release of a copy-protected piece of software and the crack to bypass the protection. I call this Mean Time Before Crack (MTBC), and it's similar to the open source concept of Mean Time Between Itches (MTBI - the amount of time between the public discussion of a software idea and its open-source implementation).
Ok, maybe I need to add more emphasis -
Code Red. Lion. Sadmind. Ramen. Nimda. In the past year, computer worms with these names have attacked computer networks around the world, causing billions of dollars of damage. They paralyzed computer networks, destroyed data, and in some cases left infected computers vulnerable to future attacks.
Now what viri caused those billions of dollars of damage? Was it Linux ones or M$ ones? See, they are trying to tell people that it doesn't matter which of the OSs / apps you run, they are all vulnerable to the same extent and will have equal costs when attacked. This, as many on /. know, is not the case; that was the point I was making, and therefore by deliberately misleading its intended audience it qualifies as FUD.
Any sufficiently advanced man is indistinguishable from God
When I am pointing my middle finger towards Microsoft, I have 3 fingers pointing down.
If Microsoft continues to produce software with security holes in it, then it should fulfill its obligations and notify all its clients each time a new security breach is found, rather than let the clients get the information second hand from other experts. These experts are doing Microsoft's job, and although I don't agree with releasing the code to crack through, they are filling a gap in Microsoft's security niche that needs to be filled. The customers have a right to feel safe with their computer system. Maybe if Microsoft produced software without the security holes then there would not be any need for these experts to release the code. Even if Microsoft succeeds in getting the security experts to stop releasing the code, others will just release it themselves. Which comes first, the chicken or the egg? It's a paradox.
Although it can be funny, tell them to plug the power in.
Well, for most of these buffer overflow exploits, you can just send a really long string and watch your program core dump. There's no need to work out exactly how to turn that into an exploit, though people do have fun doing it, and they have a right to publish their findings. Maybe if the community didn't encourage it so much?
There is a lot of truth in what he says though, much though I hate to admit it. It first sounds like he's saying "don't expect us to fix security problems", but that's just how we view Microsoft (not that that's a wholly inaccurate picture, but still). He is in fact right in that security vulnerabilities, in some way or another, will never be totally wiped out. They can be greatly minimized, but that's it. The only totally secure box is one with no monitor, keyboard, network drop, locked in a box, magnetically shielded... you get the picture.
;)
OTOH he probably just meant they wouldn't have to fix them if they weren't made public.
--Not to be worried, Pitr fix.
"There is some value for having details in the advisories, but not exploit code," said Chris Wysopal, director of research and development for security firm @Stake.
Once you have the details of what's vulnerable you're less than an hour away from an exploit, even if you're a VB programmer. The message that needs to get out to Culp and others looking to sweep their flaws under the carpet is that once the flaw is published, the exploit is on its way! Putting the exploit out there forces unwary admins to patch before they get hit. And, if they don't stay on top of security for their system and they get owned, fine. Find a different admin.
The other thing that bothers me about the article is the uncharacteristically congenial tone Wysopal took WRT M$. Weren't the guys who formed @Stake the same ones slinging shit at them back before they founded @Stake? (Inclusion of an example with an exploit purely intentional.) Takes my opinion of them down a notch.
www.dedserius.com
VB != VisualBasic
Interesting that this article was published almost a full month before the next Crypto-Gram newsletter comes out... let the buzz die down before Schneier rebuts too harshly, eh?
-ubermuffin
what is exactly the problem guys?
i thought solutions to everything, including security holes, alignment of all the planets, and world peace could all be found in WINDOWS UPDATE???
my blog
Yet.
668: Neighbour of the Beast
Master Locks already have several known security flaws. Especially in their combination locks. One was the locking bar would catch on the first disk, thus you could figure out the first number of the combination by pulling on the lock and turning the dial. They actually fixed that flaw in the newer versions. But the easiest way to open these locks is to pry the back off. The back of the lock is covered by a very thin sheet of metal and you can puncture it easily with a screwdriver or nailset. But all you really have to do is poke a hole in it, then you can look inside at the mechanism and you can see the combination just by looking at the notches in the disks. Master Lock also sells those cheapo key locks that you can open just by filing off the key to make a skeleton key.
Every halfway-intelligent thief knows how to crack those things.
I have to agree with him, it's ridiculous. We find a hole, post it on the internet as if we want the first kid to exploit it, and then are surprised when there's a virus that affects a million people. Does the computer "nerd" community want these viruses to infect people? Are we for the virus writers? We are practically promoting the virus. And don't give me that bull that if it's not posted on the internet immediately for everyone to see/exploit the companies won't put out patches. They should be given about a month to write and distribute any patches that need to be done before it shows up on the local news site that the software is vulnerable. If you don't agree with me you're a moron and probably just hate Microsoft.
My favorite line in the whole article is:
This isn't a call for people for give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.
Sure, it's a crime when you yell fire and there is none, but when there really is a fire you have a duty to let everyone know. I don't think Microsoft is fulfilling its duty when they make announcements like this when there's a fire.
Ladies and Gentlemen, we've had a slight problem with the popcorn maker and the lobby is engulfed in flames. You should be safe in the theatre as it is made out of wood, not highly flammable popcorn. Should you wish to leave, we will be unlocking the emergency fire exits as soon as we can find the keys. Please remember your tickets are non-refundable and you may not discuss any event that takes place here outside. Thank you for attending this evening's performance of Microsoft Follies.
Ok, probably a crappy name, but the idea is extremely valid. Software engineers, network admins, and the other assorted "geek" trades need a united political voice. Why? Because without one, crap like this will become *more* common. I know it sounds stupid but it is true!! A united political group with a professional sounding name (i.e. "Organization of American Technology Trades" or somesuch) with money and lobbyists to Congress will improve the public image of the much maligned "hacker" and give some clout to a long deserving segment of the population.
Culp says...
"First, let's state the obvious. All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution. While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection. All non-trivial software contains bugs, and modern software systems are anything but trivial. Indeed, they are among the most complex things humanity has ever developed. Security vulnerabilities are here to stay."
In the above argument, Culp uses truth to validate fallacy. It's true that no code is perfect. It's false that security will improve by mandating gag orders.
More to the point, Microsoft is especially frustrated with flaws being exposed in their code. Frankly, I believe the hacks associated with Microsoft products differ fundamentally from the flaws discovered in Solaris and Linux. When a Linux exploit is discovered, hackers and maintainers consider it a design flaw. Therefore, exploits are generally fixed pretty fast on Linux -- usually within a few days. The same is true for Solaris.
Apparently however, Microsoft does not consider certain exploits to be design flaws. Sometimes, hackers simply leverage "features" (e.g. undocumented APIs) that Microsoft deliberately designed into their applications and/or systems.
Microsoft applications tend to execute arbitrary code. In other words, Microsoft deliberately empowers IIS, Exchange, Internet Explorer, Outlook and certain Office applications to execute unchecked commands fed over the Internet. Once hackers discover these (badly!) hidden APIs, it is only a matter of time before someone sends you an email which does something nasty to your computer.
Interestingly, despite these obvious security issues, Microsoft wants their programs to execute arbitrary code. Remember the Microsoft Word viruses? Remember the Excel viruses? Heck, email viruses were fiction until Exchange and Outlook...
Microsoft has had years of experience and feedback since the first MS-Word virus. Obviously, they understand the risks of allowing applications to execute arbitrary code. Nevertheless, they continue to build this ability into all their major products.
In fact, arbitrary code execution appears to be one of the core technologies behind Microsoft's .NET initiative. I suspect this is why Microsoft was so reluctant to repair the security flaws within IIS. Code Red and Nimda exploit APIs that Microsoft intends for their .NET initiative. Disabling these APIs would cripple .NET. Therefore, Microsoft did not fix IIS until they could re-think the design of .NET.
Culp states that vulnerabilities are here to stay. Most likely, .NET will reinforce his point. Given their track record, I expect .NET to be Microsoft's magnum opus of security deficiency.
At this late stage, re-designing .NET is out of the question. I guess Culp feels controlling what the world is allowed to communicate about .NET is easier.
Enjoy! Jon
....only a small one....
By the time you see an exploit in the public, it has already been used in detail on the more critical sites.....
As someone who has had to regularly apply MS patches on our network, I can say that I never consider a machine patched until I have applied the patch and tested using the vulnerability. With so many parts integrated there is no other way to be certain that the patch was able to do its job properly.
Now tell me, who has more time to develop the code to test or exploit a vulnerability: an admin who has plenty to keep them busy without the patches, or a black hat who wants to break in?
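The two points above (exploit code is what lets an admin verify a fix actually took, and a "really long string" is usually enough to show a buffer overflow exists) are easy to make concrete. The following is an added example, not code from any post in this thread or from Microsoft: a hypothetical fixed-size field copy in its pre-patch and post-patch form, plus the long-string probe an admin would run against both. Rather than letting the overflow smash a real stack frame, the probe plants a canary just past the field inside a larger scratch arena and reports whether the copy routine trampled it, so the check runs safely as a unit test. FIELD_LEN, ARENA_LEN, the canary value and the function names are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed field the (hypothetical) service copies input into. */
#define FIELD_LEN 32
#define CANARY_LEN 4
/* Scratch area large enough to absorb an overflowing write, so the probe
   itself stays within defined behaviour and merely observes the damage. */
#define ARENA_LEN 512

static const unsigned char CANARY[CANARY_LEN] = { 0xDE, 0xAD, 0xBE, 0xEF };

typedef void (*copy_fn)(unsigned char *dst, size_t dstlen, const char *src);

/* "Before the patch": ignores dstlen and copies until NUL (the classic bug). */
void vulnerable_copy(unsigned char *dst, size_t dstlen, const char *src)
{
    (void)dstlen;
    while (*src)
        *dst++ = (unsigned char)*src++;
    *dst = 0;
}

/* "After the patch": bounded copy that truncates and always NUL-terminates. */
void patched_copy(unsigned char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    if (dstlen == 0)
        return;
    while (i + 1 < dstlen && src[i] != '\0') {
        dst[i] = (unsigned char)src[i];
        i++;
    }
    dst[i] = 0;
}

/* One probe: lay out [field][canary][slack], call the copy routine, and
   report whether the canary behind the field was clobbered.
   Returns 1 = overflow detected, 0 = clean, -1 = probe too long for the arena. */
int overflow_detected(copy_fn fn, const char *input)
{
    unsigned char arena[ARENA_LEN];
    if (strlen(input) >= ARENA_LEN)
        return -1;
    memset(arena, 0, sizeof arena);
    memcpy(arena + FIELD_LEN, CANARY, CANARY_LEN);
    fn(arena, FIELD_LEN, input);
    return memcmp(arena + FIELD_LEN, CANARY, CANARY_LEN) != 0;
}

/* The "really long string" from the post: n bytes of 'A' (constructed input). */
int long_probe_clobbers(copy_fn fn, size_t n)
{
    char probe[ARENA_LEN];
    if (n >= sizeof probe)
        return -1;
    memset(probe, 'A', n);
    probe[n] = '\0';
    return overflow_detected(fn, probe);
}

/* Post-patch check: the routine must survive every probe length, including
   the exact-fit and off-by-one cases. Returns 1 if the patch holds. */
int patch_verified(copy_fn fn)
{
    static const size_t lengths[] = {
        0, 1, FIELD_LEN - 1, FIELD_LEN, FIELD_LEN + 1, 100, 400
    };
    size_t i;
    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        if (long_probe_clobbers(fn, lengths[i]) != 0)
            return 0;
    return 1;
}

int main(void)
{
    printf("vulnerable, 200 x 'A': %s\n",
           long_probe_clobbers(vulnerable_copy, 200) ? "OVERFLOW" : "ok");
    printf("patched,    200 x 'A': %s\n",
           long_probe_clobbers(patched_copy, 200) ? "OVERFLOW" : "ok");
    printf("patch verified: %s\n", patch_verified(patched_copy) ? "yes" : "NO");
    return 0;
}
```

The point of `patch_verified` is the one the admin above makes: a fix is not a fix until the same probe that demonstrated the hole comes back clean, and the boundary lengths (FIELD_LEN - 1, FIELD_LEN, FIELD_LEN + 1) are where a sloppy "patch" that still has an off-by-one will show up.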
Most MS programmers have zero real world experience in the world of computers beyond the Microsoft campus. MS gets them while they are young and they never see or know anything but Microsoft. This produces extreme loyalty to the point that the programmers think they can do no wrong. This is the number one reason that you see such utter bullshit software coming out of the asshole of the US software industry, Redmond WA.
Know yourself, know your enemy, and even in a hundred battles you shall never be in peril.
Sun-Tzu said that in The Art Of War, IIRC.
I seem to remember reading on Slashdot about the serial number in every M$ Word document.
It seems to me that open source applications are having less heartburn than closed source products when it comes to 'security' and similar issues.
And since when is less knowledge better than more knowledge?
This sounds a whole lot like Microsoft is trying to poke holes in the open source folks.
To make Bill Gates the richest man on earth.
Maybe in the hopes that some of the magic will rub off on you?
For "truth in advertising" you'll have better luck in a carnival side-show.
In other news Microsoft announced the "Shared 'Sploits" initiative, which has all the advantages of Bugtraq and other security-related sites without the obvious terrorist-related disadvantages.
Please apply for Membership(tm). For a competitive monthly fee you too can share in this privileged information. If you are not a manager of a Fortune-500 company there is no need to apply.
Cheers
AndyM
Considering that this essay is from Microsoft, I think it reads clearly as a thinly veiled threat to sue anyone who points out vulnerabilities in Microsoft products (UCITA, anyone?). In Microsoft logic, if people stop publishing vulnerabilities for fear of being sued, then the problem of people exploiting known vulnerabilities goes away. This logic is akin to leaving a bank vault wide open, but turning off the lights so thieves won't see it.
In the land of real people, litigation will not solve the problem, and Microsoft needs to know this. The first security expert to get sued will be screwed, but by that time the vulnerability will have been made public, and thus be exploitable. This lawsuit will leave a bad taste in the mouths of the "self-described security community," so that the next exploit that is found will be exploited rather than published. When people start abandoning their products en masse because of constant security problems, Microsoft may realize that they shouldn't've angered the people who point out the chinks in their armor.
On stereophonic equipment, the monaural sound obtained through multiple channels will enhance your listening pleasure.
Of the OS'es I've used, I'd say that Debian (apt-get) and FreeBSD (CVSup and the ports collection) have the best systems for automatically patching systems, with Mandrake close behind (the Software Manager automatically requests that you add a source for security updates). Microsoft could come close to Mandrake if they made better use of their Critical Update Notification utility.
"It takes 9 months to bear a child, no matter how many women you assign to the job."
It's silent for years...
Many diseases are deadly if untreated. Often the scariest ones are those that kill silently over time. This is what MS is asking for. Security holes can be an obvious pain or a silent killer. If exploits are not made popular and fixed, then the exploit will be available to those who know the most and can potentially do the most harm. Once again this is a plea for a solution that will benefit MS and nobody else.
I am not one who really does any hacking, but for the heck of it, my friends and I tried a few times to hack each other's systems. When running Windows, top 5 min and we were in. Then we moved to Unix, BSD and Linux, and they took a lot longer, and in most cases were unbreakable by us.
If I can hack Windows that fast, then what security does Windows have, and why are they complaining about it? Oh, that's right, they want the general public to believe it's safe >:)=
my 2 cents plus 2 more
All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®
For that matter, Linux® is also a registered trademark.
My favorite part, though, is "This is a true statement...." It's true in the same sense that "Hitler, Mahatma Gandhi, and Mother Teresa were collectively responsible for the deaths of 6 million Jews" is a true statement.
On stereophonic equipment, the monaural sound obtained through multiple channels will enhance your listening pleasure.
Gee, what with the current Attorney General pushing for HUGE e-crime bills, and the administration getting less and less enthusiastic about calling Micro$haft to task for its monopoly, it seems that they are all sorts of ready to make "security" a crime!!!
".....providing the blueprints for building these weapons"
So anything that could harm a US computer (the Govmnt's, yours, mine, etc.) is a terrorist act under the Ashitler bill. Suddenly, M$ starts saying that pointing out the flaws in their products is akin to building a weapon? Co-inky-dink? Not with the $$$$ The Shaft lobbied with this year.
Gotta love the corporate republic.....
Department of Homeland Security: Removing the rights real patriots fought and died for since 2001
This wouldn't be an issue if companies agreed on a good means to protect against security holes. The problem is, many companies, upon getting a good-intentioned e-mail explaining the exploit, not only sit on their asses about the problem, they have their legal departments threaten lawsuit if the researcher publishes the work. The industry needs a standard to keep these vulnerabilities and exploits confidential to the researchers and the company who wrote the insecure software - BUT ONLY FOR A LIMITED TIME. That's the key. Make a law that binds hands only for a limited time - say, 30 days, adequate time to warn users, write a patch, or both - and then provides full legal protection for the person(s) who publishes the exploit. No more shit like this.
If you did your job and took those exploits and fixed the problems there would not be a problem.
Do your job instead of sticking your head in the sand!!
The irony here would be: Microsoft, found guilty of monopolistic practices, approaching the House or Senate in an attempt to have reporting software vulnerabilities declared a crime. (Heck, take advantage of the terrorism paranoia.)
A feeling of having made the same mistake before: Deja Foobar
Distribute all MS exploits in binary form! In fact, provide RPMs, DEBs, BSD packages, Solaris packages. For intel, and sparc and
Then MS will be saying:
"We can't figure out what is getting exploited since we don't have that .c file to run through our C to VB translator so we can understand the source code!"
they do have their heads in the sand...
REALITY.SYS HALTED
or something like that...coupled with an Abort/Retry/Fail or something else like that
Do these kinds of top-secret ultra-spy black-hat crackers really exist, or are they the modern equivalent of the Communist Menace? I've seen plenty of proof of script kiddies, but have never seen evidence (outside of Hollywood) that these kinds of people exist. Are we building fortresses to protect ourselves against black-hats who don't exist, or are there really people that talented and that dangerous out there?
On stereophonic equipment, the monaural sound obtained through multiple channels will enhance your listening pleasure.
That has to be the world's biggest cop out that I've ever seen. Pathetic! "Stop showing the smart people our sloppy code, they make it break!"
~LoudMusic
No sig for you. YOU GET NO SIG!
maybe when deitel & deitel start publishing exploits you'll see more of this...
actual working code is probably the cleanest way to communicate with your average programmer or sysadmin. programmers who follow the whole top down development with stepwise refinement and flow charts EVERY TIME and pseudocode process and somehow always manage to remain platform and language independent are called computer scientists and software engineers and they deserve their titles and their stock options.
but most security alerts are going to come from average hackers (dammit -- i had to say it) and are going to be kinda kludgy and thrown together and the exploit code really ends up being the heart of the whole thing.
so there's my tuppence...
/t
Ford knew about the rear axle bolts puncturing the gas tanks in these cars and could have fixed the problem for as little as $5.00 per car. Ford did the cost-benefit analysis and decided it was cheaper to litigate settlements than it was to fix the car. The courts (and juries) found out about this and really screwed Ford and then made them fix the product.
The only way to ensure quality and security in MS products is to hold them liable for the results of their "defective" product. When an e-commerce site gets hacked and all the credit card data stolen, MS should foot the repair bill and pay the fraudulent charges. (Assuming the MS product allowed the hack to take place.)
-ted
this is a complete catch 22... "live up to their job and protect"... uhhg... and just how the f$%@ are we supposed to do so when they don't give us all the code they can to study?!?!... and to prevent similar mistakes?!!?
uhhg, M$ needs to go funk themselves... damnit.
-v
"I think, therefore I get paid."
C'mon? Unchecked buffers a feature of .NET??? That's not a feature, that's bad programming. I learned bounds checking on all my IO in CS I! Yeah, it's damn tedious, check input for validity, check output for validity, but that's the way secure and stable software is written.
Other software industries (military, medical, financial, and commercial navigation systems) use incredibly complex software, yet those systems are held to much higher stability and security standards!
MS software is the product of a greedy company with very inadequate development and testing procedures! In short, these "features" as you call them are nothing more than the product of lazy programmers pushed too hard by their bonus hungry bosses.
-ted
Joel, an ex-Microsoft engineer, wrote something in an article last year that gives me hope on occasions such as this. To glibly paraphrase, programmers write bugs into their code. Just imagine how much less time it would take if they didn't put them in there, only to have to take them out again.
MS should be flogging their inept staff for putting so many critical ones in; then flog their QA for not finding the serious ones. Yes, they have some very complicated products, but there's such a thing as unit testing, and dammit, they haven't done any (or enough).
Any connection between your reality and mine is purely coincidental.
What if you were driving a car that had an airbag that sometimes, in some accidents, didn't go off. Oh, and by the way, sometimes your seatbelt unlatches in front-end collisions. (These are both problems that affected some very recent cars.) You'd want to know and hopefully that money-hungry car company that produced that product is shamed into fixing the problem....right?
Now in your world, Consumer Reports wouldn't be allowed to independently test the car, and the public would never know about the defects. Big-Car Co. wouldn't be shamed into fixing your car, and who knows, maybe you would get into a serious accident where you were injured or killed by the defective product.
Gee, that's nice.
Right on target brother! How is it that car companies can track down an owner and notify them of a recall, but MS can't even send you (a registered user) a CD in the mail?
Lazy, just plain lazy!
Behold the law of bending time to suit the Management Mind:
The virus is released, then the security expert releases the reason the exploit works. If the security manager did not release the exploit, the virus wouldn't exist.
Given two lines that are of equal length, how can one line be made longer than the other? The answer is to make the length of one line longer or to shorten the other line. So the answer is not to try to stop "information anarchy" (ie. free speech), but to make the friggin OS more secure.
If the exploit is "theoretical" and looks like entirely too much effort to take advantage of, most likely I will not apply any patches.
If the exploit is freely available, I can test and either patch or devise some workaround that thwarts the exploit. If adequate disclosure does not exist, I feel safer replying to "I send you this file to have your advice".
Look at how much success Microsoft has had getting Code Red and Nimda patched. With the noise about Code Red and company, I patched my RedHat boxes and other than stopping IIS and friends, pretty much gave up on Microsoft as a lost cause. After going to their web page, informing my browser (IE5) that I do not want to run scripts. Several times. And No I do not want to debug the scripts it is running anyway. No. No way is Microsoft going to secure this mess.
To qualify as FUD it would at the very least have had to be in the same sentence, or have made a clear value judgement on them. I don't see the expressions "these equally insecure OSs" or "Microsoft, Linux and Solaris viruses caused billions of dollars of damage".
Seems like you're trying to imply that "viruses that attacked windows caused billions of dollars of damage, but viruses that attacked linux or solaris had no effect whatsoever". Although, it may be somewhat true - largely due to the scale and application of usage of the affected windows platforms vs the affected linux platforms.
Linux and Solaris in general are less vulnerable to these attacks, but if they ARE vulnerable to a particular type of attack, then damage and loss can still be caused. If there had been no security issues with them, THEN it would be possible to stand on a high horse and blame all vulnerabilities and damages on Microsoft.
Rain.Forrest.Puppy has a nice paper http://www.wiretrip.net/rfp/p/doc.asp/i2/d1.htm that details how he engineered a hole that someone else found but did not give details on how they did it. This is just an interesting read and supports your point that if someone is dedicated enough to exploit it, they will.
If you have a few hours on your hands and *really* want to better understand what is going on, I would suggest that you sit back and listen to these speeches on Dr Dobbs Technetcast...
?stream_id=411
?stream_id=354
?stream_id=478
?stream_id=482
?stream_id=417
?stream_id=48
If you're looking for authority on the subject they come no higher than Dr. Blaine Burnham, Director, Georgia Tech Information Security Center (GTISC) and previously with the National Security Agency (NSA),
"Meeting Future Security Challenges"
http://www.technetcast.com/tnc_play_stream.html
If you listen to Dr Burnham's speech you will understand why it is so important to keep "pushing" Microsoft on its inherent lack of security.
If you want to sleep at night, don't listen to the following speech by Avi Rubin
"Computer System Security: Is There Really a Threat"
http://technetcast.ddj.com/tnc_play_stream.html
If you listen to the above speech then you will begin to understand Steve Gibson's apocalyptic visions.
And if you want more, the effect of broadband access
"Broadband Changes Everything"
http://www.technetcast.com/tnc_play_stream.html
Directly relating to DDoS ( Distributed Denial of Service )
"Analyzing Distributed Denial of Service Tools: The Shaft Case"
http://www.technetcast.com/tnc_play_stream.html
and "Denial of Service"
http://www.technetcast.com/tnc_play_stream.html
And if you want to get *really* technical, listen to how difficult and more technical it is to trace spoofed packets [ Warning - this is heavy tech ]
"Tracing Anonymous Packets to Their Approximate Source"
http://www.technetcast.com/tnc_play_stream.html
"I would rather have Loki uncover and exploit our inherent weaknesses now than have the Ice Giants do so at Ragnarok. - David Mohring"
good lord, this should be the job of those who create, promote and most of all charge for this cr*ppy os.
It's not really RedHat's fault. It's the fact that they rely on a bunch of self-prescribed "programmers" who don't have the discipline to put any thought into the code (includes planning and meticulous logic analysis). No moderately-experienced programmer should ever have buffer-overflow problems bigger than "off-by-one" mistakes. But in wanting the code to "do something already", input routines are written quickly and shoddily.
I'll quit ranting now before I get nasty. Time to get some sleep.
...how am I supposed to protect myself?
"Microsoft this month launched a new security initiative, the Strategic Technology Protection Program (STPP)." Impressive, huh?
If you have a half assed decent network admin most of the time you don't even need the patch.
Exactly. If you know the exploit.
Just a thought. Without verifiable exploit code what's to stop bogus reports?
Bet everyone would get real sick of responding to fictitious security holes every time someone got pissed at Microsoft and started a rumor about an exploit in Microsoft's newest toy. (Of course there are so few people that engage in malicious Microsoft bashing that this would be a tiny problem anyway)
D
"... every time I open my mouth some of my stupid escapes!"
To qualify as FUD it would at the very least have had to be in the same sentence, or have made a clear value judgement on them. I don't see the expressions "these equally insecure OSs" or "Microsoft, Linux and Solaris viruses caused billions of dollars of damage".
And yet the article makes no distinction between the quality of the OSs and apps from different vendors, no graphs showing number of vulnerabilities and severity are there? Therefore it is left to the reader to draw the conclusion that Solaris and Linux as well as Windows is vulnerable to the same problems. If you go and read almost any book on influence / NLP techniques you'll soon find that it is not a common technique to lead a person in a direction and let them make the conclusion you want them to but the only way. I'd recommend everyone on /. to go and read some of those types of books, then read articles like this, as well as out and out advertising with those things in mind.
Seems like you're trying to imply that "viruses that attacked windows caused billions of dollars of damage, but viruses that attacked linux or solaris had no effect whatsoever". Although, it may be somewhat true - largely due to the scale and application of usage of the affected windows platforms vs the affected linux platforms.
No, it's a matter of scale, Windows is more vulnerable, and much more damage has been caused by Windows issues than those on Linux and Solaris to date. The question is, would you rather deploy something that will cost you less upfront in the case of Linux, and less in admin, patching and script kiddie attacks, or whatever m$ advertising puts in front of you? I know many PHBs will soak up the m$ marketroid speak and deploy and then get their fingers burnt with things like Code Red and Nimda, hopefully these PHBs will be fired and go and do something that they can handle, while clueful types will get hired / promoted so that the business is not put in such a bad situation again.
Any sufficiently advanced man is indistinguishable from God
Probably the next thing in the MS EULA is;
Any SECURITY HOLE bundled with the SOFTWARE PRODUCT is the property of Microsoft and protected by copyright laws and international copyright treaties.
...on stopping these messengers. The problem is, if they're reporting the truth they're not committing slander as Microsoft might put it. Microsoft does a good job on their products sometimes, but it is things like this that really show the incompetence in that company. Yes, I know every program out there probably has some sort of exploit, vulnerability, or bug, but it is up to the person or company that wrote the software (that is if the software is not open-source) to fix that bug. Bugs, exploits, and vulnerabilities should be reported because knowing Microsoft, if they found out they would do absolutely nothing.
Microsoft has two options here, release the source or fix their damn bugs themselves and stop crying. I wonder how cryptic the source would be?
"Microsoft exploit, click here to see code."
"I don't use Microsoft, but I'll laugh my ass off now that a month has gone by and they *still* haven't fixed it."
"i r nt admin d00d i own j00%%%disconnected from host."
This story is quoted "asinine" on fark.com. That single fact means a lot about the credibility of the story.
Men are born ignorant, not stupid; they are made stupid by education. Bertrand Russell
Dear Mr. self-described security expert,
you have been providing crackers with blueprints for weapons, thus effectively reducing the security of our customers. Microsoft would like to advise you to take a look at your own security, and will be happy to send you a team of our personal safety experts to help you during the evaluation.
Yours,
Microsoft Other Ways Department
Like someone posted into some other discussion here a few days ago, making exploits public probably reduces the need for potential wannabes or semi-blackhats to compete in the field. What's cool in that if you can do the same as 10000 other similar people, as everything is written already. All you need is gcc -o nukem2 nukem.c.
Closing exploits, or further, even all security hole announcements, could raise hell, engaging all competent-enough wannabes in writing exploits to compete with each other. Once again there would be a social gain by doing the best exploit in the shortest time.
Yet there are still enough script kiddyzzz to cause harm if companies don't deliver patches and if admins don't install them, thus getting things fixed. Would Microsoft ever raise an eyebrow to any security hole if there were no public means to exploit them? Only then, outlawed blackhats would overflow buffers and assuming that they were pros, no one would probably notice anything until one morning something completely different had happened during the night...
And it's high time that people insisted that the free speech community live up to its obligation to protect them from reality.
my other sig is a 500 page novel
Microsoft sits on registration data about what users have what product, and those registration data contain contact information.
When you register a Microsoft product, they thank you by sending you advertisement material. No critical upgrades or anything to that effect. AOL sends off cd-roms to everybody in america - for free, hoping a few will try out their service. Microsoft customers have PAID for their product, but Microsoft does not provide them with even notifications of upgrades/updates.
It's a sad, sad world.
Stop the brainwash
When a vulnerability shows up on http://securityfocus.com or the like, specifying a vulnerability in a Microsoft product, e.g. "A specially crafted URL will overwrite your files" and then there is no information on what the specially crafted URL looks like, and there is no fix available from Microsoft or others, do you feel more secure?
Perhaps you could block the request in your packet-filtering system, or at least log it, but without knowing what to look for... what do you do?
And, knowing that experienced black-hat crackers also read securityfocus and sites like this, they don't need anything more than this information (there is a buffer overflow in IIS... ) and then they have a target for what to do the next couple of hours. It's a competition you know. The best crack wins. Giving away exploits doesn't give much credit to the cracker copying it, but the first one to discover a "new" one, gets a lot of attention...
We need to understand the psychology of what makes a crack worthwhile, a published exploit every script kiddie can duplicate, but also the sysadmins can counter this fast (provided that they read the right forums as all sysadms should!)
But a hint of a possibility in an unpublished exploit gives the black-hats something to compete for, who is the first one to make the best crack? And the poor end-user does not even know what to look for...
Second, published exploits are easy to scan for... known, but not published exploits will fluctuate in their signature.
E.g. special HTTP GET request to look for in the logs... you just scan your logs for exactly the string published in the exploit. (or put it in your packet-filter) An unpublished exploit will result in several different cracks, using the same vulnerability, but probably varying a bit in the exploit methodology, making it harder to scan for.
Would you dare to use your car if the factory sent you a note that "it has a fault", without providing any details of the fault? It could be anything...
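As an added example (not code from the thread or from any of its posters), here is the kind of access-log scan the post above describes, in Python: it parses constructed combined-format log lines, canonicalises the request path so differently encoded spellings of one request compare equal, and matches a constructed placeholder signature standing in for the request string an advisory would publish. The hosts, timestamps, paths and signature are all assumptions, not real Code Red, Nimda or IIS patterns.

```python
"""Scan web-server access logs for a published exploit request string.

Added example; the signature and the log records below are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed placeholder for the request fragment a public advisory would
# quote. It is NOT a real IIS, Code Red or Nimda signature.
PUBLISHED_SIGNATURES = ("/scripts/vuln.dll?cmd=",)

# Constructed sample records in Apache/IIS-style "combined" log format.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Oct/2001:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.5 - - [20/Oct/2001:10:01:09 +0000] "GET /scripts/vuln.dll?cmd=dir HTTP/1.0" 200 512
198.51.100.5 - - [20/Oct/2001:10:01:11 +0000] "GET /scripts/VULN.DLL%3Fcmd%3Ddir HTTP/1.0" 200 512
192.0.2.10 - - [20/Oct/2001:10:02:30 +0000] "POST /login HTTP/1.0" 302 0
this line is not a valid log record
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one access-log record, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(path):
    """Canonicalise a request path: percent-decode until the result is stable,
    fold case, and treat backslashes as forward slashes, so that the same
    request written with different encodings compares equal."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/").lower()


def scan(log_text, signatures=PUBLISHED_SIGNATURES, normalize=True):
    """Return (host, time, raw_path, signature) for every record whose request
    path contains one of the published signatures. With normalize=False the
    match is the literal string comparison the post describes; with
    normalize=True both sides are canonicalised first."""
    hits = []
    sigs = [normalize_path(s) if normalize else s for s in signatures]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip malformed records instead of crashing
            continue
        path = normalize_path(rec["path"]) if normalize else rec["path"]
        for sig in sigs:
            if sig in path:
                hits.append((rec["host"], rec["time"], rec["path"], sig))
                break
    return hits


def hits_per_host(hits):
    """Count matching requests per source host, to spot repeat offenders."""
    return Counter(h[0] for h in hits)


if __name__ == "__main__":
    for normalize in (False, True):
        found = scan(SAMPLE_LOG, normalize=normalize)
        print(f"normalize={normalize}: {len(found)} hit(s)")
        for host, when, path, sig in found:
            print(f"  {host} {when} {path} (matched {sig!r})")
    print(dict(hits_per_host(scan(SAMPLE_LOG))))
```

Literal matching finds only the record written exactly as published; canonicalising the path before matching also catches the percent-encoded, upper-cased spelling of the same request from the same host.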
Just tried to read the MS essay referenced in the post....but the site seems to be down, for some strange reason....:)
MS: ALL YOUR
Just have a look at a valid software license.
No construction company could claim in front of a court that it is not possible to build a bugfree bridge and so that they are not responsible for its collapse.
Programming software is not more complicated than building a car or a bridge. Nobody would accept a car with as many bugs and security problems as there are in computer software.
Now imagine a construction company which would demand to gag all security experts who found a security/stability problem in a bridge they built.
Censorship?
If Microsoft is serious about this, then we need a serious counter-proposal. We agree not to publish exploits if they agree to accept complete and total legal and financial liability for their software, and the incidental and consequential losses to persons and businesses caused by their software, with the presumption of fault being in Microsoft's software, first and foremost.
Thus, if someone successfully attacks a Microsoft OS, Microsoft shall absorb the losses incurred by the affected person or business. If their software is really all that good, and they have confidence in their code, then this should be easy!
Somehow, though, I don't think that they're up to this challenge.
... saying if you don't publish blueprints, nobody will know where the door is. Microsoft should be glad that all these reports are out, for this is a way they can react to them. It is no good putting one's head in the sand. The programmers at Redmond - the ones who left the doors open in the first place - should just read the reports and fix the holes. Maybe this would contribute to the "Win2000 is secure" image Microsoft wants to build up in public opinion. If you don't publish the exploits, end user style people will think "Hey, M$-Software is more secure than all others, because there are no exploits found on the net", trust in the M$ offered security and wonder why their computer is periodically hacked every second week by somebody who has the knowledge, but doesn't publish it.
".Sig Stealer" was here
Almost ALL security exploits I have read about are caused by humans making mistakes in their code. This is a human thing to do. This will always be like this. If a check is missing, someone will find that mistake. How to fix this: Use a stack-guarded compiler (c), or another language (java?). Then this cannot happen. I get upset when I read about security vulnerabilities EVERY week in lwn.net. It is always the same mistake. Why not fix this for all?
Just add that compiler-switch. Then the problem is no-more.
Some people think the application gets slower. This is not so. I cannot understand why redhat and microsoft don't do this ?
There have not been any breakins into any jsp-servers written under java, which performs range-checking on arguments (which is optimized away from the inner loops by the hotspot compiler).
if you think java is slow:
http://www.cs.vu.nl/manta/ // magnus persson
Blaming the messenger has been the weapon of choice for a number of people and institutions. I would like to throw in the following story about the German news magazine Der Spiegel:
"The SPIEGEL affair of 1962 remains unforgotten. The arrest of the publisher, the business director and several reporters as well as the occupation of the SPIEGEL offices over a period of several weeks set off a storm of indignation in the German public. The government declaration that the cover story "Bedingt abwehrbereit" ('limited defense readiness') about the NATO maneuver "Fallex" constituted treason proved to be unfounded. All of the imprisoned were released. Then Minister of Defense Franz Josef Strauß, deeply involved in the affair, finally had to resign and the Adenauer era drew to an end."
Here, the German government simply declared an article on the state of the forces "high treason". A wonderful quote...
Adenauer (head of government) "High Treason has been committed here"
Someone from the audience "Who says so?"
Adenauer "I say so!"
I am waiting for Microsoft to say something similar...
Alex
Absinthe makes the heart grow fonder
It's high time the security community stopped providing the blueprints for building these weapons...
"...the right of the people to keep and bear Arms, shall not be infringed."
... in a building that's burning or call the fire brigade but wait until they will eventually notice.
...
"Looks like I'm going to need more RAM," observed Tom deflatedly. "This new Windows XP certainly does have a heavy footprint."
...
--- Hot Shot City is particularly good.
"Information anarchy"? And yet no post I've seen so far challenges the terminology as being inherently useless PR. Microsoft is damned good at dreaming up push-button catch-phrases that become subconsciously accepted even by its detractors as viable descriptors. It's the same sort of tactic that convinces people that EULAs are *actual laws*, when they're nothing of the sort - insofar as I know no court of law has even supported them as valid contractual agreements.
The phrase "information anarchy" has no coherent meaning other than that defined through MS's statement, and even there it seems to mean "any public publication of security weaknesses in MS products". Yet MS pushes the phrase over and over again in the attempt to link security reports with the word "anarchy" in the hopes that the average idiot will associate publication of flaws in MS software with irresponsible, undemocratic behavior.
Most of us geeks catch this sort of thing right off (e.g., "viral software") but notice - this one slipped under the wire with nary a comment that I could see.
One of MS's greatest weapons is the introduction of language which precludes one mindset and reinforces another - social programming at its finest. Accepting the phrase "information anarchy" as valid substantiates the idea that such a thing actually exists, even if you argue that the security reports don't constitute an example of this nebulous "information anarchy".
There's no such animal. It's a buzzword with zero meaning other than a poor attempt to lay the blame for MS security holes on people other than those employed at MS.
Perhaps we should retaliate with terminology of our own that's intimately associated with a Microsoft argument or product. Any ideas (other than the "Microsoft worms" phrase of some days back)?
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
Last time I checked, Windows and maybe MacOS are the only OSs with security problems coming from Hackers. Linux is the fearless, communist, faceless leader of the OS world. If you are scared about your safety from hackers on Windows, get some firewalls. Otherwise, just switch to Linux.
Nobody rules the streets at night but me, the Atomic Punk
This is the point. There is no advantage in not knowing the problem. Of course it is not good if the information about the bug is spread as information on how to exploit it. But the information about having this bug is essential information for every admin. Even before the patch is published.
I think the best analogy is: If you work in a house of paper soaked with petrol, would you value it bad if I stood at the front-door, shouting: "This building is dangerous, it is extremely flammable"? Or would the owner of the house have the right to make me be quiet, so that his workers will work and not leave the building?
2 cases in hand that are important from my company's perspective.
1. As a company that engages in web site design, we often have to run out of date software (eg Internet Explorer 4), and find the most convenient way of doing this is if some staff always use older versions and some always use newer versions. A bug in IE's Java implementation came to my attention. The advisory that I discovered it from said that IE4 & 5 were affected, whereas Microsoft's advisory stated that IE4 wasn't affected. Microsoft hadn't released a patch for IE4. Now, it's not that I don't trust Microsoft or anything, but I was on the verge of upgrading our IE4 user to IE5 (which would have seriously inconvenienced our business) because it would have been complacent for me not to. Fortunately, I found some exploit code for the bug on guninski.com, with which I then determined that IE4 was not affected. Without the exploit code, I couldn't have made this decision and would have had to upgrade the affected machine to the detriment of our business.
2. During the course of an e-commerce setup for one of our clients, I discovered a *serious* security hole in the methods used by their secure payment provider. This hole basically allowed a user to buy a few cheap items from any e-commerce site that used them, use broken cryptography to force a password out of the 'confirmation codes' produced, and then forge a callback to the e-commerce site to validate a more expensive sale. This could cost e-commerce businesses in the UK millions of pounds, fairly trivially. My company discussed this problem with the payment provider, who at first didn't believe the existence of the problem, so I wrote an exploit. Then they had to believe it... but that doesn't mean they've fixed it. You see - we are under a non-disclosure agreement that had to be signed in order to get the details of their authentication mechanism, so I can't release the exploit. They have refused to fix the problem (although they acknowledge it and have provided our clients - and only our clients - with a guarantee that they will pay for any goods fraudulently purchased using this technique). An exploit in the wild would force them to, and anyone with half a brain who has ever seen their documentation could write one in a couple of hours. I'm sure a few people are sitting here reading this, knowing which company I'm talking about, because they too are aware of how exploitable this hole is.
What MS would really like would be for us all to ignore the security issue. It is a huge weakness for them. As managers become more aware of the amount of time / money lost more people will switch to a half sensible OS.
The sieve-like nature of MS products is how they keep control of your system and increasingly with products like XP and .net keep control of the content you see. (By "you" I mean your average user.) They are in a bit of a Catch-22 here as this stuff is essential to their business model but it is also (hopefully) screwing it up for them.
A lot of us have seen days and weeks being wasted because of MS security problems. While it is annoying when some services are lost due to barfing windoze boxes; it is also good ammo when the developer next to you can't do anything on his Windows box and your Linux machine is trundling along.
I wish counterstrike would come out for linux - wanna get rid of this bloody windoze partition on my laptop. grrr.
Hacker: "There's a big hole in the road up ahead. I put a big sign up to warn everybody." M$: "Take that sign down! Somebody may decide to push someone in it." Hacker: "...."
"Computer makers should also stop making devices that allow hackers to create these weapons. By allowing this to persist, the manufacturers are in effect aiding in the commission of a crime. It's high time the scourge of the KEYBOARD was dealt with! We at Micro$oft are currently lobbying for legislation that will make use and manufacture of a keyboard* a capital offense!"
*Keyboard use permitted by monopolistic companies that laugh and spit on the laws of the government they influence.
Is that customers being harmed is a good way to force the vendor to release a patch. right.
How we know is more important than what we know.
Patching binary code is not easy, probably not even safe, but it is possible and maybe some companies could get really good at it, and charge a service for it. Oh wait, there's that whole copyright thing.
How we know is more important than what we know.
So let me see, M$ makes a product that almost seems designed to cause problems, fails to fix these problems when offered the chance and gets upset when their failure is publicized?
Excuse me while I shed a tear ( or not ).
When you find a buffer overflow it is trivial to make an exploit that one could use to DoS the service. It's just a few lines of perl, throw lots of AAAA's at it and watch it go down. This serves the purpose of "sysadmins need tools to test the patch" but it is usually not what is released. Usually people release tools which give you a shell and open ended script kiddiness.
How we know is more important than what we know.
Old school bsd flaws, rehashed for your amusement.
How we know is more important than what we know.
Moderators, please explain how the first post gets modded 'Redundant'. Are you totally dumb fucks?
Have you looked at the entry conditions for the Honeynet project? They put random sploitable boxes up on the net and they don't publish the IPs. That way they know all traffic that passes into the honeynet is suspect. That means you will only attract hackers who are scanning for sploitable boxes, which only script kiddies do. The blackhats are out there, they just don't attack anything and everything, they are targeted.
How we know is more important than what we know.
With Solaris or Linux, your odds are better, but they're not immune. His statement is factual.
Scale is irrelevant. Much more damage has been caused because there have been many more broken Windows installations.
I don't believe that Windows as a piece of software is fundamentally more insecure. However, as a general rule, it is less well-understood and administered by those who are less well-equipped to handle security. That is why Windows is more of a risk. The vulnerabilities exploited by the worms are equivalent.
Whether the incapacity of Windows administrators to take care of security is Microsoft's fault is another point entirely.
so when their users and businesses have been wiped out so many times and have had enough, they will lose all their customers to a different software company.
keep it up, microsoft!
.........for me to POOP on!
If I was an MS spokesman, I might answer this by saying:
"Exploits are a proper test of the validity of a patch, but it is not necessary to publish them. They can be developed and tested in closed labs and only the results published."
To which I would have to ask: "Whose lab and how can we trust them?"
There is nothing so silly as other peoples traditions, and nothing so sacred as our own.
With his controversial and incisive essay, Microsoft Security representative Scott Culp thrust himself into the pantheon of computer security public figures.
"Microsoft doesn't want to waste money protecting the interests of users," Culp says. "And no matter how many script kiddies make exploits out of security bulletins and no matter how much is at stake with each vulnerability they will never reach the developers and project managers who are responsible."
When asked to get to the bottom line Culp replies "Microsoft actually *wants* to violate the security of its user-base, not catastrophically, but slowly and methodically to gain more and more control over users' work and lives as this translates directly into more control over users' money...hackers who figure out back-doors are troublemakers and usurpers who can't even collect the financial benefits of exploiting users. They are vandalizing an entire emerging economy."
Please note this is a "ha-ha, only serious" parody, and the quotations attributed to Mr. Culp cannot be verified. Caveat Lector.
--- Nothing clever here: move along now...
... but I think this guy has a point. OK, there's a lot of PR crap in this essay, such as calling the way newly found vulnerabilities are handled by the "security community" (whatever that is) information anarchy.
:)
Still, I think that it is true that "exploit howtos" released by security sites DO help malicious hackers to create their evil stuff. When the vulnerability is a default config problem that admins can fix themselves, then fine, it is their responsibility to keep up to date with this information. But sometimes the vulnerability can only be fixed by a patch, and because of the proprietary nature of MS software, the patch can only come from MS itself.
In that case I think it would be better to inform MS and wait for the patch... but that's just what should happen in an ideal world. The problem is that MS is notorious for NOT fixing vulnerabilities of which they are aware. This is bad; MS software will keep on being exploited until this changes. However I do not think that the "let's release this information so that it will get exploited and them bastards will be forced to fix it" attitude is a very responsible way to handle it. Innocent bystanders will be hurt because of Redmond's laziness, and I do not think that this is fair. Just because people run MS servers does not mean that they deserve to get cracked.
OTOH publishing that information does also have its good sides. For example it is the only way admins can check whether they are vulnerable to a specific attack. My point is that determining the proper way to handle information about newly found security holes is a complex issue; just yelling "arrgh MS! arrgh evil!" won't make it any simpler.
And please quit pretending this essay is anti-free-speech. Culp is arguing that the way security sites release information about exploits is bad, not that the sites ought to be censored, banned or whatever. Criticizing some form of speech is not equivalent to demanding that it be censored. Even if the critic works for Microsoft.
dude. . . information anarchy! yeah!
that's going to be my new band name.
rawk.
Sounds like Mr. Culp is in favor of prior restraint, a big First Amendment no-no.
"Clearly, the publication of exploit details about the vulnerabilities contributed to their use as weapons."
This canard has been raised about violence on television, pornography, guns, explosives, ....
Culp is pushing a clearly unconstitutional position. Others have pointed out the technical utility of having access to the exploits to verify that a fix works, but I think we should also see that his proposal strikes at the heart of our rights to free speech.
There are limits to our rights - not yelling "fire" in a movie theater as a joke -, but I for one find his and his company's position frightening.
Heil Bill!
-John Van Voorhis
I wish I could write like this guy. He expresses my feelings exactly.
These security problems are the result of a flawed business strategy that tries to exploit an installed base of software without creating a layered architecture to work from. The motivation for not building a layered architecture is not a technical one, it is a selfish one. What is truly astoundingly ironic is that they have critically harmed themselves by doing this. Bad karma Bill. You harm no one but yourself.
I want to be alone with the sandwich
Yeah. Because if we don't talk about the holes, they won't exist. We probably shouldn't talk about airport security, either, because then *those* problems will cease to exist.
I can't believe these companies sometimes. The reality is that the blackhats are probably aware of many more holes than the world at large and utilize them on a daily basis. Until whitehats find them, they are free to move about unchecked. Yet, MS (and the FBI, and the security "experts" and...) want us to believe that if we don't *hear* about problems, then MS (or whoever) is doing their job. And, most importantly, they don't fix problems until we point them out.
No interest in doing what's right for the consumers, only what kind of PR they get. Greedy fucking idiots.
"Can I say you're my lovepuppy?" Founding member of SODAMNHOTT
I suggest that those with an interest in security focus their efforts on improving free software, where their contributions will be appreciated instead of condemned. If this results in free software becoming more secure, while Microsoft continues to wear brown paper bags, at least they will not be able to blame "information anarchy".
Microsoft needs to go through all of their code and look for buffers that can be overrun. They also need to design their software to be secure, and not to make every moron off the street think they are able to run a datacenter... MCSE anyone?
I want my rights back. I was actually using them when our government stole them after 9/11.
Many people have noticed the disturbing parallels that Scott Culp has tried to make between 'Information Anarchy' and Terrorism. One of the most interesting lines I found at the end of the article:
For its part, Microsoft will be working with other industry leaders over the course of the coming months, to build an industry-wide consensus on this issue. We'll provide additional information as this effort moves forward, and will ask for our customers' support in encouraging its adoption. It's time for the security community to get on the right side of this issue.
This paragraph reminds me of Bush's 'you can be on our side, or the terrorist's side...' and their whole coalition building plan! Spooky. I wonder if he crafted it that way on purpose, or if that is just what is in everyone's minds these days...
"All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written."
I remember a day when Microsoft would not have even MENTIONED Linux. Now, it's listed ahead of Solaris...
Cool.
-- You can't idiot-proof anything, because they're always coming out with better idiots.
"it's unrealistic to expect that we will ever achieve perfection."
Let me finish that sentence for him:
"and maintain our revenue stream, so we're giving up on perfection"
People buy features, and expect 'perfection'. Microsoft delivers 'features' at the COST of perfection. And they can't find a revenue stream in fixing bugs...
Sort of like the Evil Bugblatter beast from the Hitchhiker's Guide TTG. If you can't see the security hole it doesn't exist, right?
Damn liberal society and its free exchange of information keeps getting in MS's way.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
Not publishing the details of a virus does NOT stop the virus from existing. The "I Love You Virus" didn't have a post mortem until AFTER it took down entire corporations' networks. Not publishing the details of the virii will NOT stop other hackers from getting their hands on the virus code, and making modifications to it.
Culp is assuming that the only people smart enough to decipher the viruses are the security people themselves, and THAT is the false assumption that invalidates the theory behind the 'essay'...
Great, MS has gotten to the point where the world must change to fit its business goals. Maybe they'll start demanding control over what is taught in university computer science classes? They could snuff out potential hackers before they appear in the first place.
People need to get on Congress's back and get a law passed allowing software users to sue for damages (and punitive damages) due to software with known bugs. No other industry is so coddled as the software industry, except maybe the recording industry.
If a person can show that the company either knew about security flaws already or that they informed the company about a hole and it wasn't addressed in a reasonable manner then the company should be held liable. I doubt MS or other companies would be so blasé about security flaws or glaring bugs if it threatened their bottom line.
All this article manages to do is to have Microsoft verify that they aren't competitive in the information rich environment they helped to create. The Internet has opened all sorts of doors of communication and spawned new ways of doing things based on this (like Open Source), but Microsoft is still rooted in old economy practices and it is starting to show. Proprietary code is, by nature, too slow to change to react to the constantly changing environment (and its inherent dangers) that the Internet presents.
Information is going to get out there. It did when crackers were stuck using a BBS or IRC to conspire. Now, though, the information they had also gets out to the rest of us just as quickly. Those with the capability to use it (Open Source software) take advantage of this. Proprietary model code cannot.
So, in pure reactionary form and joining the likes of the RIAA, Microsoft wants to turn back the clock and pretend the last twenty years never happened. Well, unfortunately, they have and sticking our heads into the sand isn't going to make it go away.
Eric Berg
if partial disclosure were the norm. or more like, zero disclosure:
"Almost every single software vendor has tried to do a cover up or ignore the problem at some point in time."
"But the basis of the argument is that the research takes place anyway, and it may be the case that full disclosure warnings such as the eEye advisory showed us a bug nearly a month before the Code Red worm did."
[source]:http://www.vnunet.com/News/1126257
the exploit code is the PROOF OF CONCEPT. No one believes it is a real problem otherwise.
:)
MS should post a bounty for exclusive bug news. E.G., $1000 for 0wning a test box. $100 if you post it to bogtreq first. $50 if you forward them something from bagtruq they haven't seen yet
OK, so the brass doesn't like it. But what has pushed full and open disclosure in the past? Sun et al may have started it, but Microsoft has taken over in the last half-dozen years as the chief promulgator of these proven effective methods:
(1) Ignore bug reports. Make the people who find them so mad they look for some lever to force you, the vendor, to act.
(2) Deny bug reports. Call anyone who finds a flaw a liar. Tell all the news media they're liars trying to lower your stock price.
(3) When confronted with a real flaw, and press who have seen the reports, claim it's only a "theoretical vulnerability." Unless there's a working crack, it ain't real!
(4) Only when confronted with a working exploit should you start to work on a problem. Publish half-assed binary patches. Make sure they'll corrupt any system which doesn't have half a dozen other patches applied in the correct order.
OK, I guess that brings us up to today. Security researchers, and ordinary users, know they have to publish details of the problem and probably a working exploit to get you to work on a fix, however pathetic. Now you have lots of reports and exploits floating around. (You could have developed and published a good product to begin with, but it's too late now!) A breed of vermin known as script kiddies reads the publicly available reports and exploits, and uses them. You may have driven users, your customers, every step of the way to get here, but whose fault is it that the script kiddies are informed and armed? Naturally, it's not your fault; it's the bad people who find the flaws in your crappy software!
then they could just deny the bugs existed saying there were "no known examples of ways to exploit this oversight"...they could delay fixing them until someone exploited them.
I have an idea! Secure your computer by not using windows.
Let's say somebody had published a detailed article in a prominent place describing how to hijack airplanes using box cutters and knives with 2" blades. The furor that might erupt over this results in box cutters and short knives not being allowed on airplanes. Then an enormous security exploit might have been avoided.
We've already seen an example of how this exploit was still used despite not being reported. At least if someone had figured it out and made an issue of it sooner we would have had a chance to prevent it.
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
I meant <2" blades. Silly slashdot.
I even selected Plain Old Text.
Oh well, you probably still got my point.
are there really people that talented and that dangerous out there?
Yes, there really are.
Do you think that Code Red is the work of a script kiddie?
Since (by definition) script kiddies don't actually create anything, someone must be writing exploit code. These "someones" are the black hats.
(And please hold your tongue if you think that the kiddies are using white hat proof-of-concepts - this email posted to Bugtraq clearly disproves that.)
I think that there are a lot of people handy with a hex editor out there.
If, as a security professional, I state that "the idq.dll, which is mapped to .ida and .idq extensions in Microsoft IIS does not check its input buffer," then I have just provided information to attackers which can be easily tuned into an attack. If I also state that exploiting this buffer could result in arbitrary code being run, then I have just told an attacker what they can do with it. If I say, here is what a log entry would look like, then I have just told an attacker EXACTLY how to do it, and no actual code was involved. This means that an attacker who does not know C could do it in Python OR VISUAL BASIC.
Yet, in telling sysadmins what to watch out for, I have just provided exact blueprints for an attack. If an attacker uses an exploit from a security page, they already know how to program. They can use the information describing the security hole to create their own exploit with relatively trivial effort.
So, if we stop providing the blueprints, we will have to do this by NOT PUBLISHING ANY INFORMATION concerning the actual exploit, and Microsoft can safely ignore it. This is not a way to ensure security and smacks of the old propaganda some time ago concerning Samba, labeling it as a "hackers' tool" because it actually documented Microsoft's protocols.
LedgerSMB: Open source Accounting/ERP
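As an added example (not code from this thread, from Microsoft, or from the poster), here is the defender's side of the "what a log entry would look like" point above: a small scanner that reads IIS W3C Extended log lines and flags requests to the .ida/.idq Index Server extensions whose query string is oversized or is one long run of a repeated character. The field layout, the thresholds and the sample log lines are all assumptions constructed for this example.

```python
"""
Constructed example: flag suspicious .ida/.idq requests in IIS W3C logs.
Field layout assumed: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Heuristic thresholds (assumptions for this example): a real Index Server
# query is short, so a very long query string, or a long run of one repeated
# character, sent to an .ida/.idq handler deserves a second look.
MAX_QUERY_LEN = 200
RUN_RE = re.compile(r"(.)\1{63,}")  # 64 or more repeats of the same character


@dataclass
class Finding:
    client: str   # c-ip field
    uri: str      # cs-uri-stem field
    reason: str   # why the request was flagged


def parse_w3c_line(line: str) -> Optional[dict]:
    """Split one W3C Extended log line into fields; None for comments/blank/short lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    date, time, c_ip, method, stem, query, status = fields[:7]
    return {"date": date, "time": time, "c_ip": c_ip, "method": method,
            "stem": stem, "query": "" if query == "-" else query, "status": status}


def classify(rec: dict) -> Optional[str]:
    """Return a reason string if the request looks like an Index Server overflow attempt."""
    stem = rec["stem"].lower()
    if not (stem.endswith(".ida") or stem.endswith(".idq")):
        return None
    q = rec["query"]
    if len(q) > MAX_QUERY_LEN:
        return f"query string of {len(q)} bytes to {stem}"
    if RUN_RE.search(q):
        return f"long run of a repeated character in query to {stem}"
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run the heuristics over every parseable log line and collect findings."""
    findings = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["c_ip"], rec["stem"], reason))
    return findings


# Constructed sample log: a normal page hit, a short legitimate Index Server
# query, an oversized .ida request, and a shorter .ida request that is one
# long run of a single character.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:00:01 192.0.2.10 GET /default.htm - 200",
    "2001-07-19 10:00:02 192.0.2.11 GET /query.idq CiRestriction=budget 200",
    "2001-07-19 10:00:03 198.51.100.7 GET /default.ida " + "X" * 240 + " 200",
    "2001-07-19 10:00:04 198.51.100.8 GET /default.ida " + "N" * 100 + " 200",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client} -> {f.uri}: {f.reason}")
```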
READ THE BLOODY MESSAGE BEFORE MODDING THE PARENT DOWN! If that was off topic, every post on slashdot is!
Only Outlaws will have exploits.
They should throw in a few system calls that remove /bin or c:\windows (depending on what platform you're on) so that script kiddies get what's coming to them.
D/\ Gooberguy
Karma: Meh (Mostly from meh.)
then you can write secure code. The secure BSD distribution is a good example of this. So is Q-mail, and a couple of anonymous ftp packages (not wuftp) have proven that it is possible to write services that are secure.
So, we know it is possible to write software that doesn't have exploits, the question is, why can't microsoft do it despite spending billions on software development?
...than a simple vendor's word that their patch fixed my security hole. I want to be able to test it myself. Sorry, Mr. Culp, but I've been burned a few too many times.
I DO security work for a living and value the exploit code that's released a great deal. Tell a customer or admin that if they don't make some obscure Registry change to their system or stop using those damned stupid ODBC interfaces in IIS (Thank you RFP!) that "someone" will hack them, and they often give you this blank look. Or better yet they think that what you're saying is "purely theoretical" and could never happen to them. On the other hand when I hand them the list of passwords from their domain controller and explain to them it was all because they didn't bother to keep up with patches and set up things securely they tend to pay attention. If the admin doesn't pay attention to THAT then their management certainly does :-)
:-) Hence L0PHT's catchy byline about making the theoretical a reality or somesuch. I'm surprised that someone in this man's position appears to have forgotten the previous arrogance shown by his employer that got them into the situation they're in now. Microsoft fixed that particular VPN issue shortly after the code was released - a shame they were so arrogant in the first place.
:-)
Anyone but me recall when L0PHT told Microsoft their VPN code was crap? Microsoft's response was something along the lines of "that vulnerability is purely theoretical and we have no evidence of anyone having used it in the 'real world'". The next version of L0PHTCrack proved that the vulnerability wasn't simply a mind exercise.
As an aside - is it just me or has the number of files\exploits posted to PacketStorm dropped a great deal in the recent past? Where has all the code gone? BugTraq it is then.
Build it, Drive it, Improve it! Hybridz.org
I know of a particular piece of mission critical software that a major vendor produces and that my customer uses. At least two individuals have commented on two separate methods to compromise this piece of software using some valid but somewhat complex methods that required reverse engineering the product. The vendor has blown both of them off.
I have seen, in one case, a code demo that exploits this vulnerability according to the author. However due to a particular Russian hacker having been arrested at DEFCON9 this year both authors have placed on hold plans to release these exploits. Without that code I cannot prove to my customer, who doubts this will work, or to the vendor who's blown both of them off, that this is a problem. Both authors have published enough data on the issues that I firmly believe that they are correct but without "proof" neither my customer nor the vendor will do anything about it. Oddly enough it's NOT Microsoft that's got their head in the sand but IBM, which is truly sad.
Attempts to get the code backdoored to me with a promise not to publicly release it have fallen on deaf ears so I can only hope that at some point the authors will feel able to release the code without being arrested the next time they set foot in the United States.
Such is the effect of the DMCA and believe me it REALLY sux!
Umm, in what OS "ring" does IIS6 run? :) Whoops.... Yes, Microsoft is moving pieces of IIS6 into the same rings that the kernel runs in. What exactly do you think will occur when the inevitable holes are found in that product?
I agree with your comparison of the platforms' security, but I don't think the article was genuine FUD. More like imprecise or lazy journalism.
They aren't trying to imply Linux and Solaris are as vulnerable as Windows, just listing some other worms that gained press coverage lately. The Lion and Ramen worms got a fair amount of coverage and probably deserve a place in the top 5 or so recent worms even if they were nowhere near the damage caused by Nimda or Code Red. What I'm trying to say is that I think Lion and Ramen probably rate higher in the press than the next in line Windows worms (I don't even know what they would be - I'm not including the Outlook worms in this server platform assessment).
I hope my explanation made sense.
LazyDawg writes (and was modded up to +5):
I have to admit, I've never looked at bugtraq, and know jack about most exploits, but unless the exploit code includes a trojan/propagating method and the compileme.info file, I am assuming that the script kiddies need more than the exploit code to make a working virus/trojan/rootkit.
Sure, 99% of the script kiddies may be dumb, but the other 1% is the source of the tools, and the code. The exploit itself, once explained, is trivial to code, in my (admittedly ignorant) opinion. Code to take advantage of that exploit is not.
Just my $.02
Let's get real. When something goes wrong with any other products we as consumers purchase we hold the manufacturer accountable. These are the same terms that Microsoft or any other software maker should be held to when they release products to market. Microsoft of all people wants security people to come to their aid when it's them who tout their products as being more reliable in their million dollar campaigns to push their lackluster crap on us. I say HELL NO!!! Crawl your way out of this hole alone M$. You guys pay your so-called talented programmers a lot of cash to produce all your junk, you need to start teaching them to be more aware about security issues in their code. You want some good advice? Stop biting the hands that feed you and maybe you wouldn't be getting 0wNeD as much as you do.
MissMyNewton's post is so precisely on-topic, I can't begin to imagine what somebody needed to have been smoking to have moderated it as "off topic". Reeks of "personal agenda". Moderation quality on slashdot stinks so much these days that even meta-moderation seems to struggle to save it.
I actually sent this to my company's microsoft rep after he sent out the "irresponsible propaganda"
Your recent e-mail contained the following statement:
> The first whitepaper addresses the irresponsible practice of publishing step by step instructions for exploiting vulnerabilities. Microsoft views this as an extremely serious issue:
> Everyone has a stake in this issue. Many customers have stayed on the sidelines, in the belief that this is just a disagreement between Microsoft and hackers. But all of our customers have an interest in this issue, because it's their systems that are put at risk by this practice.
I disagree utterly and completely with this position. What you are advocating is essentially removing our constitutional right to a free press (specifically through the medium of the internet). While this information makes hacking simpler, it also exposes years of systemic problems with Microsoft code and the utter disregard at a business level to stay on top of internet security issues. While I do not condone the illegal activities of hackers, they are essentially the MUCK RAKERS of the 21st century. They expose problems in the industry that must be corrected.
It is expedient to blame all of these problems on the hackers; the truth of the matter is: the entire industry is to blame. Microsoft has failed miserably in meeting the security needs of the industry (just take a look at the number of CERT alerts for Microsoft products versus any other vendor). When patches are produced the industry fails miserably in applying them in a timely manner (largely due to the enormous costs of testing the patch against the applications prior to putting a patch into production).
Both the producers and consumers share the liability to protect themselves collectively from hackers. The publication of the hacking information puts the information in the hands of the general public (rather than locking it in a dark closet within Microsoft). It exposes something you would rather sweep under the rug, and forces the industry as a whole to address the issue. As far as Microsoft is concerned, the cat is out of the bag - you cannot stuff it back in. Now is the time to stop looking to blame the hackers for the problems YOU have caused. It is time to direct your efforts to correcting the root cause of the problem that you have created.
Sincerely,
Michael J. Schreck
These are my personal views and not necessarily those of my employer.
I see you're posting to Slashdot again.
Why did you ditch your old account? Is it because you got trolled to hell and back and your karma got seriously butt-raped?