Microsoft Blames the Messengers
Roger writes: "In an essay published on microsoft.com, Scott Culp, Manager of the Microsoft Security Response Center, calls on security experts to "end information anarchy" and stop releasing sample code that exploits security holes in Windows and other operating systems. "It's high time the security community stopped providing the blueprints for building these weapons," Culp writes in the essay. "And it's high time that computer users insisted that the security community live up to its obligation to protect them." See the story on Cnet News.com."
It's probably high time that Microsoft stop building houses made of straw to defend against big bad 'net wolves... It'd sure make a lot of our lives easier...
---
Information wants...you to shut your pie hole.
boy, we're sure learning that lesson fast!
They're trying to say "stop finding holes faster than we can make...err...fix them". My my what a cheap political backstab.
I am !amused.
there are 3 of them pointing at you....
I think the author/Microsoft should not forget this.
Moose
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
Much better that the "black-hats" "secretly" circulate the information.
</sarcasm>
If the security experts didn't find and publish the holes, good luck on Microsoft making the fixes a "priority".
Yes, just like keeping Cryptography code secret improves the algorithm. I agree that the company should be notified before the flaw is announced, but seriously, the entire point of a security response center is to inform users as to vulnerabilities...
Yes, I realize that this isn't a fix, but if obscurity makes it just a little harder for people to do bad things then I don't see why it's such a bad thing. Especially in the case of Microsoft, where only they can fix the source, why should the security companies publish the source on the web instead of sending it directly to Microsoft? What gains are there to be had by having the source displayed all over the web?
If you don't tell anyone that the construction company used shoddy materials, then no one will figure out how to make the building collapse!
---
"Of course, that's just my opinion. I could be wrong." --Dennis Miller
...Windows®, Linux, and Solaris®...
What's wrong with that picture? Linux *is also* a registered trademark, Microsoft. I suggest you recognize it as such.
Linus, kick some ass here.
Blech. Signatures.
Because, if the security hole didn't exist in the first place, then Microsoft wouldn't have to worry about all this bad press starting to cost them business; and more importantly mindshare.
there are no stupid questions, but there are a lot of inquisitive idiots
"Hackers don't hack Windows machines... bad code hacks Windows machines."
Y'know, if they didn't have so many bugs, there wouldn't be anything to release, and therefore, no 'weapons' to build... it's kinda like an army making a tank with wooden components inside, then getting pissy when the other army brings flamethrowers and napalm...
Information Anarchy? What? Do doctors complain about information anarchy when patients research treatments for diseases on the web?
Doesn't this guy realize that our systems are becoming more secure every day, now that people have to take worms, trojans, and DoS attacks seriously? Maybe he should get back to securing Microsoft products and spend less time complaining about system admins trying to share info.
If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found.
And hiding all these security flaws would have made Windows more secure? Your product is not secure, stop passing the buck.
And just how am I supposed to know I've patched a hole if I don't know how it gets exploited?
-- Don't Tase me, bro!
It's high time we stopped teaching Chemistry and Biology! People are spreading information that essentially maps out exactly how the human body works, which allows for all sorts of chemical and biological weapons! And explosives, too!
In other news, Master Lock wants to release a new model made out of twine and butter. They ask the community to avoid discussing the security of the lock, since they anticipate it getting deployed widely, and once the ButterLock is being used to secure mission-critical systems, it will be extremely important to keep its flaws a secret.
--
Mod up a post Rob doesn't like and you'll never mod again
By putting out solid information, people who find these exploits are doing two things: Giving the programmers specific information with which to fix the problems, and giving script kiddies some really damn good instructions for hacking into a box.
The system relies on the reaction time of the programmers.. can they supply a patch before the crackers supply an exploit?
Those of us in the *nix world seem to do pretty good.. for all sorts of reasons you don't need to go into here. Windows? Heh.. it can take months for something to get patched up. No wonder he's mad that these 'blueprints' are being provided. It's simply an extension of the security through obscurity mode of thought.
In other news, Microsoft has purchased a secret weapon of vast destruction, code named Blamethrower. It strikes out at random targets, displacing reality at near the speed of light.
Zot!
Any connection between your reality and mine is purely coincidental.
it's high time that computer users insisted that the security community live up to its obligation to protect them
I'm not sure whether anyone, other than law-enforcement agents, is obligated to protect computer users, but if anyone is, surely the people who produce the software are more obligated to prevent or solve these problems than are those who merely report on them.
Is this, along with the U.S. government's warning to news agencies to be careful what they broadcast, a sign of a new trend?
Several times we've seen security experts say to a large company, "Hey! there's a nasty exploit here!" The large company indicates they'll fix it and ignores the problem. Only when the exploit is publicized do companies like Microsoft actually take the effort to fix the code. Releasing the information is the only way. Perhaps out of courtesy the security community could give the company with the bug a week's notice.
I thought most security exploits that get released by the major groups are usually passed through MS first and allow them time to provide a patch before issuing the details of the exploit. So why are they so upset? It's not MS nor the security experts who are at fault for not patching machines. At least by publishing them they are provided an incentive to stay on top of security holes, instead of simply allowing them to remain secret. I mean none of the major exploits lately (Code Red, Nimda, etc.) have used unpublished exploits. So this shows a failing in MS's procedures for keeping admins informed and a failing in the admins for keeping on top of their networks. It's such a non-issue, I think MS just wants to preempt lawsuits or some other such silliness.
I'd wager this is the first volley in another push by MS to cover their asses by legal means. I see another push to make the release of any information that shows weaknesses a criminal activity. Expect lots of flag waving, anti-terrorism rhetoric to be sprinkled throughout, and some suspect demands that seem to be more motivated at gaining market share than protecting machines.
God damn... when did I get so cynical? Oh yeah, after reboot #3 of NT 4.0 today. {grumble grumble grumble}
Although the source of the message certainly lessens its credibility, they have a point. Things like the Honeynet Project have shown a huge _lack_ of intelligent attackers in the wild. The endless waves of attacks filling the internet are pulled off by script kiddies, many of which can't mount a drive, compile a file, or even write a script. And we are feeding them. If we really want things to get better, we have to find a societal solution for the problem. It certainly seems to me that the full disclosure paradigm at least needs to be scrutinized, if not dumped altogether.
Of course, MS just wants to skirt responsibility for negligence on their part.
"You spoony bard!" -Tellah
What a great idea! Then all the malicious hackers will know how to exploit security holes, while those in charge of security won't. Wait a second...isn't that kind of like asking security guards not to carry guns, because those guns might hurt someone?
Hmm, this has always seemed to be a hot discussion...I'm all for full disclosure, but is it really necessary for people to include exploit code?
One argument is that it can help people to test their systems for vulnerabilities, but I think that exploit code is not strictly necessary for this. People who really need it to test systems are in a position where they should have the capability or the resources to generate a "test script" for themselves, once given an accurate description of the vulnerability.
Making code exploits freely available possibly creates more opportunity for the low-life script kiddies who often don't appreciate exactly what they are doing, or the mechanics of the exploits that they are using. Why should we make it easy for those guys?
My opinion on this element of full disclosure is still not complete though, and I am fully prepared to be convinced... :)
-- Pete.
Monochrome - Probably the UK's largest internet BBS
It is good to note the use of the terrorist rhetoric, "...blueprints for building these weapons...". Talk about riding on the coattails. This seems more like a line out of the evening news than a statement about software security. Spin doctors working overtime on this one.
According to the article, each of the latest worm attacks was preceded by security bulletins which happened to contain exploit code.
Hate to break it to MS, but all this indicates is that the security sites work. That's right. The people who have access to the code to fix the bugs were given notice. If these bulletins didn't exist, you can bet the worms would have still been created. Remember Code Red II? MS had a fix out months before CR2 hit the web, yet it still managed to infect thousands of machines.
Security bulletins (even with exploits) are not the problem. The holes in buggy software are the problem.
here we go:
"It's high time the security community stopped providing the blueprints for building these weapons..."
How about providing the blueprints to your code, so we can secure the systems you release broken to begin with?
I'm not anti-Microsoft (although I'm getting there, definitely getting there...), I do Windows development also in Visual Studio. I'm near the point of stopping that altogether though. My company is already using Linux for damn near everything (including desktops, not just hosting) anyhow.
This is more than just your average case of idiocy from MS. If I ran a pharmaceutical company, and a drug we produced killed 500 people, do you think the public would accept some excuse like this? "No, really, it's all the fault of the doctors who showed their patients how to take the pills..."
Maybe not a perfect analogy, but equally stupid. When will they learn? Probably when Joe Customer starts realizing how indecent their blame machine really is. Apache isn't perfect, Linux isn't perfect... but we admit this and work toward solutions. Average Joe won't stay completely blind forever; most people aren't stupid (my faith in humanity talking here), and you can't fool anyone indefinitely.
Damn, and I was cutting down on my smoking...
... and just write pseudocode or a very detailed step-by-step description of what their code does. In the end script kiddies will have to learn to write their own leet tools, and may later on branch these skills into other areas.
:)
If security experts took the time to make exploit code an exercise for the reader, we might someday end up with skript kiddies who can even write their own hardware drivers for Linux. They might even learn to write and discover new exploits for Windows without the help of security experts.
Microsoft got it on the nose this time
"Look at me, I invented the stove!" -- Ben Franklin
HAHAHAHAHAHA ... oh yeah, I can just see it .. this would allow their marketing/pr department to 'fix' each and every bug.
.. ie, that old limitation of 24 hrs in a day. Hell, with MS and a large enterprise network, you'd have to assign a full-time worker just to monitor and install patches.
Actually, sample code is a very good way to illustrate the severity of a bug.
A bug might be the result of absolutely brutal programming, but require a programmer to jump through hoops to exploit it. In this sense, the bug isn't so bad, and users can assess the path to patching said holes. On the other hand, a bug could be the result of complex, innocent oversight which can be exploited with 3 lines of code.
I, for one, think knowing the code to exploit the bug can give admins a good sense of addressing patch priorities.
Yeah, the security pundits will tell me 'you should be patching 10 secs after the patch comes out regardless of severity', but if you really take that route, you're living in a vacuum. The rest of the world has to worry about priorities.
And I'm of the opinion that trusting MS's stance on the 'severity' of a given bug is about as big a security hole as you can have.
(Please remember to flame me on both sides, for even cooking
"Old man yells at systemd"
At least the guy doesn't ignore that there are problems:
I know I'm preaching to the anti-choir here, but he has a point. The security watchdogs of the net have no obligation to me. I am glad they do their tasks, but they owe me nothing.
My software providers have an obligation to provide me with secure software or none at all. I commend both Debian and Apple for responding to their occasional security problems in a timely manner.
In the olden days when watchdogs did not release sample code some software providers downplayed their flaws as theoretical problems. If the software providers had been responsive to security flaws, there would be no need for sample code.
How the hell is it the fault of the security experts? To be honest, someone will find the bug, whether it's a person with malicious intent or not. If such holes are posted, it gives the company the chance to fix them, so that fewer people are struck.
If holes were not posted, the public would not even know their software is insecure, and it would surely take longer for any company to patch said holes.
Finally, doesn't blame ultimately fall on the company who made the buggy software in the first place? If I come up with a mathematical formula that proves 2 + 2 = 5, and a math teacher proves that I'm incorrect, who's to blame here? Microsoft believes the math teacher is wrong, something which is obviously misguided.
One final thing: I don't see Linux/BSD/Apple execs complaining.
Doing a quick search on Bugtraq, I see a lot of Linux exploit code too. Hmm... let's blame the Linux exploit code for the net-stopping worms like... ummm... and also the.. ahhh... well, you know. No Microsoft, making exploit code widely available does not make your product less secure. You do.
There is no reasonable defense against an idiot with an agenda
:wq
I can imagine that this Scott Culp is very stressed out right now. Can you imagine being in this guy's position with worms like Code Red floating around?
So what does he do? He posts an essay which is basically a reflection of his anxiety. However, he misses two very key points on why this information anarchy is a good thing.
* Patches for popular software that are exploitable tend to come out real quick because the company has to save face and perhaps protect against liability suits.
* A necessary fear is instilled into companies to put software through a security audit before it goes into production.
I hope this guy takes a vacation somewhere on the beach to reflect on his thoughts.
Well, that was my first reaction. But now that I'm back in my chair I find it rather sad, to put it mildly.
The only thing it would accomplish is that the relatively harmless script kiddies would no longer be able to easily crack random machines. However, crackers with Real Bad Intentions (read: terrorists) would still be able to find and abuse security holes. Since they would be a lot more careful about when to use the holes, the security community would not be alerted to the problem.
And there is still the argument that publishing holes is often the only way to get them patched. But we've been over that many, many times already here at
I've heard this idea before including from my advisor. The idea is that releasing exploits to the public is creating an environment where it's too easy to hack machines.
Unfortunately, it's simply untrue that there aren't positive reasons for releasing exploits.
I can think of several: testing of machines (risky, but useful), understanding of vulnerability (CERT advisories are pretty much useless for this.), research.
The most important of these (IMHO) is the understanding of the vulnerabilities. In the past, we didn't even talk about vulnerabilities in the open and we have the abhorrent state of affairs we have today. Security isn't even taught in computer science and engineering curricula and when it is, it's treated as a separate set of classes. When I started working in infosec, I had no idea how the exploits worked and what the real coding vulnerabilities were. Without release of exploits, I probably still wouldn't.
Let's think about this.
I buy a new car. It looks pretty, seems to run good on the lot. Now, the guy across the road sold the dealer the car and he knows that the tires are retreads, the engine has sawdust in it and the door locks will open if you kick the door....
Why shouldn't he be able to tell me these things??
I think that Microsoft should be responsible for their code. Period.
If I can write code that doesn't break, I would think that the dozens of programmers they have hired could do the same. Why isn't there a lemon law for software?
Just my pair of odors.
This argument that Microsoft is making is the same stupid argument that was made by Richard M. Smith on Friday Aug 10, 2001 shortly after Code Red.
The short story is that eEye's announcement had absolutely nothing to do with Code Red. The person(s) who developed Code Red figured out the exploit on their own. For more details check out Marc Maiffret's (of eEye) email to the Bugtraq list: http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=203550
People who argue that full disclosure is harmful just fail to realize the facts of the matter- people who write these attacks all aren't script kiddies and they're quite capable of developing attacks on their own. And the reality is that most vendors only respond to full disclosure to actually fix bugs (and even then it takes too long).
Nuff said.
It's designed to help lobby politicians. Politicians, who only take up that job because they don't actually have any useful skills, are easily scared by dabblers in black arts like computer programming. It's very easy to whip up a fervor among this largely ignorant set of people making out that by writing code geeks are committing a great sin. Hell, if M$ and the media companies keep this up there may actually come a time when it's illegal for unlicensed individuals to write software on the grounds that you could use that to copy software, 'hack' computers and encrypt communications.
-- SIGFPE
That's funny, OpenBSD has for a long time.
Secondly, I received a Windows XP update in my hotmailbox today claiming that XP has unmatched security...maybe in the M$ world but not for the real world.
Ah yes, just found my "MSspin2english" translator. Let's see how those comments look now:
"It's high time that the security industry stopped pointing out all of the blatant security flaws in our programs", Culp writes. "Since we insist on developing OSes and highly-integrated applications tuned for usability, rather than security, we can't make as much money as we're accustomed to making, what with all of these viruses/worms targeted at our products."
Culp adds, "it's time that the security industry be held responsible for these worms and viruses, rather than the companies who make products such as ours. By pointing the finger at the amorphous 'security industry', we're better able to deflect blame for the recent rash of high-profile MS OS and web server exploits."
The pomposity of the professor is inversely proportional to the difficulty and importance of the subject being taught.
Poor Microsoft. They crush their competitors and still have the testicular fortitude to whine that we don't do their job for them.
How about if we established a group of white-hat hackers to whom one could submit the details of an exploit. They could attempt to confirm or repudiate the description of the problem and try to assist in developing security patches, without releasing the details of the exploit to the world at large. Then after a suitable time for the patches to be applied, the full story could be told.
Inventor of the LOLbalrog meme.
This will never happen, for three reasons-
1- Security companies need exploits to keep going. Ever wonder why lists like bugtraq stay up? Because the security firms that run them making a fortune charging other companies a crapload of money for advice related to all the exploits that get posted to their lists.
2- Software companies do not care about security. Most big exploits are buffer overflows, which are a result of lazy coding. Multiple free tools exist that analyze source code for such bugs, and overflows are still popping up all the time. Getting companies to fix these bugs takes too long, and often the only way to get it done is to embarrass them by making the exploit public.
3- Many of the people who disclose exploits want the attention, not security. They see credit for exploits as fame, and make sure to slap their names all over every bug report they can put out. This seems to be directly related to the tendency of security hackers to be lacking in the area of social life.
-just my .02
Windows XP is coming out soon and will be on all the new computers shipped.
Not sure about the Home version, but the Pro version has remote administration features all over the place turned on automatically with your install.
I see no good coming of this.
(They have one thing called "remote desktop" which is basically like pcAnywhere, presumably so that you can call customer support and say "I don't know how to do XYZ" and they can then take over your desktop and get it all worked out for you... and hackers will NEVER figure out how to use that!
They also take over compressed files now (zip and such) and deal with them in their own way - which isn't the way I want... annoying.
there are parts of it that are nicer, but for the most part, it just screams "I'm a security hole waiting to happen - hate on me!!!"
There are some odd things afoot now, in the Villa Straylight.
How about lock-picking? There are all sorts of manuals on lock picking... most locks can be easily picked, but people don't do this for the most part. On top of that, people who are really concerned with security know that you need a decent lock (6+ tumblers) or it can be picked.
Not a bad analogy: if you want to keep something safe and secure, you use a decent lock. Having the info about lock picking gives you the knowledge to do so, and allows you to know just how secure you are.
The same could be said about software... and if you want a good lock, you educate yourself. MS makes bad locks... those locks can be fixed, but it requires the knowledge of the lock picking manual to do so.
Don't get me wrong, Linux, BSD, etc. can be a weak lock too... but with OSS, not only do you have the manual, but you can disassemble and rebuild the lock on your own!
It's like the landlord of a building telling a tenant who complains about the shabby building structure that doesn't protect anyone inside "Listen, by talking about it, you're not making it any better. People will find out about it and now break in".
Maybe the problem isn't the source, but what's in the source.
I would suggest to Bill & Co. that it is published with the highest regard for how the information will be used. Just because it could be used in a negative way doesn't mean that nobody's thought about it. There's not a security guy out there who hasn't at some time weighed the pros and cons of releasing information like that.
And am I the only one who is insulted by the gratuitous use of the word "weapons", so as to implicitly equate hacking with physical terrorism and fan the flames of paranoia?
>an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin
... yeah, and doctors should only say 'you're sick, take this'. They shouldn't disclose how you actually got sick, 'cause then other people would just go around 'exploiting' and making more people sick! GET REAL ... saying building X is vulnerable if you have a sledge hammer is a little different than building X is vulnerable if you have a nuclear weapon. It's called 'acceptable risk', and I refuse to live in a world where I can't be crystal clear on what that risk is, and how it can occur. Even if you don't give code examples but explain the details, some smart guy will turn it into a script-kiddie tool anyhow, so going the extra mile and providing the code is tantamount to knowing your level of risk and the most probable netographic that will attempt to exploit it.
OH MY GOD
Microsoft is frantically trying to shift the blame from themselves following the Gartner Group's recommendation that people stop using IIS. It's not that MS developers focus solely on market share instead of quality and security (not that I blame the developers, since this is exactly what MS management wants and pays them for), it's that web-defacing juveniles are 'terrorists' and security researchers are 'anarchists'.
MS had it too easy for too long regarding security issues, especially with the news media reporting Outlook vulnerabilities not as they really are, as a design flaw in Outlook, but as "e-mail viruses."
"Behind every great fortune there is a crime."
- Honoré de Balzac
"You hear a lot about Bill Gates, don't you, whose net worth in January of the year 2000 was equivalent to the combined net worth of the hundred and twenty million poorest Americans, which says something, not only about the software imitator from Redmond, Washington, it says something about millions of workers who work year after year, decade after decade, and are essentially broke."
- Ralph Nader
Let's say that a life threatening flaw was discovered in the new Ford Focus. When you hit the bumper just right with your fist, the windshield detaches and the seatbelts unfasten. All the automobile safety commissions write articles to every major news outlet identifying the problem and demand a recall from Ford. What Microsoft is saying is that if the automobile safety commissioners hadn't said anything, this flaw wouldn't be as severe. In reality, Ford would be pounded with so much pressure from the government as well as consumers to fix it or face lawsuits to end your car making days. Why isn't the same true for software?
Once Microsoft finishes taking over the function of making laws from Congress, do you really expect them to pay any attention to the more inconvenient parts of the Constitution?
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Before I get burned alive here, please actually read this: Why not publish only binaries of exploits? This will prove the exploit exists without letting it quickly be shoved into rootkits everywhere.
If you have no intentions of ever fixing any problems discovered with your systems, then of course, you'd want to keep word of problems secret.
Oh, poor Microsoft, the costs of producing and distributing patches must be just a terrible burden. Imagine the burden on the rest of us who have to deal with your buggy systems. I would characterize IIS as a public menace right now.
No, this is just a bad attempt to deny reality: Microsoft's poor practices are coming to light in a way even the average Joe can understand.
"Avast! Prepare for the rodgering!" THWACK! "Arrr.. me nards.."
"Yes," said kingdom spokesman Jim Dilldunnam, "the Emperor is aware of his nudity. But His Majesty's nakedness would not be a problem for the uneducated masses if you irresponsible media types would just cease telling them about it."
== Paul Rickard, Editor of The Microsoft Boycott Campaign ====
... to quote from a recent edition of The Onion, "Holy Fucking Shit!" I truly believe Microsoft has lost their collective marbles. Might be a good time to invest in straight jacket stocks.
Skiers and Riders -- http://www.snowjournal.com
Information Anarchy
Expect to see this term bandied about frequently.
__
Do ya feel happy-go-lucky, punk?
Beyond the obvious irony that a Microsoft-ite is blasting the security community over flaws exploited in its own operating environments, I think the most interesting part of the article is Culp's statement "And it's high time ... the security community live up to its obligation to protect [software users]."
What obligation is he talking about? For a company that epitomizes a big-money capitalist position, that's the most blatant socialist comment I can imagine. Users collectively pay billions of dollars to software manufacturers each year for endless upgrades, yet he thinks a reasonably loosely knit group of professionals working on their free time somehow owes that same user base the right to be protected???? That's bizarre.
Further, the "Information Anarchy" thing sounds way too much like the "intellectual property virus" tagline they keep using for the GPL. It's a catchy management-speak phrase that sounds nasty and has little real meaning. It's easy to see how they can set the stage to condemn the whole open source community with all its open and anarchic ways that don't protect innocent users.
"Arming the enemy"
...
"It's high time the security community stopped providing the blueprints for building these weapons,"
It's high time Microsoft stopped using inflammatory, militaristic sounding rhetoric at a time of national crisis. There are too many actual terrorists about for Microsoft to be irresponsibly crying "terrorist."
Supporters of information anarchy claim that publishing full details on exploiting vulnerabilities actually helps security...and bringing pressure on software vendors to address the vulnerabilities. These may be their intentions, but in practice information anarchy is antithetical to all three goals.
All three goals? There's some on this later - but assuming that he's right with the rest of the entire essay, you'd expect there to be some pressure to address the vulnerabilities, would there not? He even goes further, saying that published exploits are antithetical to getting patches out. Brilliant logic.
Providing a recipe for exploiting a vulnerability doesn't aid administrators in protecting their networks. In the vast majority of cases, the only way to protect against a security vulnerability is to apply a fix that changes the system behavior and eliminates the vulnerability; in other cases, systems can be protected through administrative procedures. But regardless of whether the remediation takes the form of a patch or a workaround, an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin.
I love this analogy. It actually works. For example - if I knew that the cause of my headaches was an allergy to certain foods, I could avoid those foods, and not have to take aspirin. If I know how an exploit works, I can prevent it with my own tools - firewall, etc. and not have to worry too much about the dubious patches.
Likewise, if information anarchy is intended to spur users into defending their systems, the worms themselves conclusively show that it fails to do this. Long before the worms were built, vendors had delivered security patches that eliminated the vulnerabilities.
Here he's not talking about e-mail "viruses", but worms. Specifically, worms targeting systems people did not know they had on their system. There was plenty of buzz about Code Red before most people had it, and the patch was applied to thousands of computers as people got worried. I'm not an advocate of having people upgrade through fear, but this still disproves his point.
Now - here's his reason for published exploits to take pressure off of vendors to publish fixes :
Finally, information anarchy threatens to undo much of the progress made in recent years with regard to encouraging vendors to openly address security vulnerabilities. At the end of the day, a vendor's paramount responsibility is to its customers, not to a self-described security community. If openly addressing vulnerabilities inevitably leads to those vulnerabilities being exploited, vendors will have no choice but to find other ways to protect their customers.
Crap...I'm trying to find a problem with the logic, but I can't actually understand the argument - anyone? What other ways are there for vendors to protect their customers than put out fixes?
Anyway, that said, I'd just like to express my condolences to the author. Did you see his title? "Manager of Microsoft Security Response Center" Poor guy is probably blamed for half the bugs in code he's never heard of. Can't blame him for venting a little. I just wouldn't have done it as publicly.
Last post!
You post linux bugs to bugzilla and they thank you. You post M$ bugs publicly and they flame you. I think more than anything, M$ is pissed because more and more people are starting to realize what a true truckload of CRAP their OS really is. So, we post the bugs in an effort to encourage them to fix it, and for us to give them another chance. What do they do? They blame those who would help them fix it for their own stupid code. I mean come on...it's high time they started taking responsibility for their inadequacies.
The people who wrote them have been rightly condemned as criminals.
...and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution.
...information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.
Ok, I'm going to be snide, the author points to the exploitation tools, but one could also argue that windows (don't laff) "security model", closed source apps, IIS are the *initial* tools of exploitation. Lest I forget, Integration, legislation, co-opting, barriers to entry keep other (maybe better, maybe worse) products from hitting the market and (say it with me) promoting competition.
It's high time the security community stopped providing blueprints for building these weapons. And it's high time computer users insisted that the security community live up to its obligation to protect them.
Why? No one believed that certain (ford/chevy?) trucks would blow up like a bomb when hit from the side...what did they do? Yep, they *Proved IT*, by staging a scenario.
And, not to pick nits or be too smarmy, but "we" are trying to protect users. The fact that PHBs and average users don't *listen* after the third, fourth, fifth time of being hacked, wormed, virused, or trojaned via Outlook, IIS, IE seems to be nicely sidestepped.
Uh, yes it does...by choosing the most secure of the bunch! No platform is perfect, but if you choose the one with the best track record, gee, you get...surprise, surprise...less of a chance of being exploited. Once bitten, twice shy... but, then again, see my above paragraph with users/phb's.
Ok, I'll ignore the buzzword bingo opportunity, and point out that the author does "get it" a little, that the vulnerabilities mentioned had been patched weeks/months ahead of time.
Ok, cool. Correct me if I am wrong, but I recall seeing a recent article that Microsoft said it needs to "prioritize" its patches, because, heh, it is confusing!!!
The thing to be remembered in reading this article is the dangerous assumption:
If an exploit is found and is dangerous "the security community" *needs* these to tear into and discover how to fight whatever threatens the systems in question.
I'd rather have a fully working exploit in the hands of a "white hat" than a "black hat".
Don't forget, please, that most of the worms propagated as the result of *malicious* intent and were discovered, stopped, slowed by people with *clear/clean* intent.
That fact seems to be missing.
Moose.
If I am right, I am right...but if I am wrong, show me I am wrong.
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
For the closed-source world, I believe that it is better that if you discover an exploit, to send full details to the vendor ASAP, and to release a general statement of a potential vulnerability in the software to the general public, but with just enough info for the end-user to determine the severity and criticalness of the bug. If the vendor is unresponsive in releasing a bug fix, then in a few weeks or a month, release full details such that others in the security community can possibly find a workaround. Do note that MS is rather quick to issue patches to fix new security problems, so timeliness isn't an issue here. I don't think this is unreasonable, and it still doesn't chill the ability of security professionals to assess software problems. And in addition, with not only the potential for cyber-terrorism to exist today, but with increasing numbers of script-kiddie-like people that simply want to create havoc, it's very important that closed-source software have some time to patch before full information is released.
Of course, with open-source software, most security bugs are found at the same time as a code audit, and thus the bug reports typically consist of full exploit information. But since most good admins on these types of systems are actively aware of security problems, they'll get the patches installed within days of the report, and any damage resulting from the exploit is quickly minimized. Mind you, not everyone that runs open-source software is a good sysadmin, and thus exploits will STILL be used, but this is much less of a problem in the open-source community than it is with closed-source software (such as how many boxen continued to be infected by Code Red and Nimda after the original patch had been out for several months).
Regardless, Microsoft still needs to remember that the security community is doing them a big favor by locating and isolating these problems. MS must have some QA and QC, but some of the more harmful exploits have been rather subtle problems (notably buffer overflows).
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
Reverse Engineering.
:-)
Now burn, you troll
karma capped
I agree that it is MSN Messenger that's to blame as well!
Oh, you mean the messenger of the security info? Then it's Microsoft's fault.
Isn't it a good thing that these holes are brought forth to the general public? If they are just hidden away for only for a select few that will attack unknowing victims then the software vendor will be unaware of the problem and unable to distribute patches. If the vender is aware of the problem, they can allow you to patch your system and then no one, not even the select few can get in. But if it goes unnoticed then they can continue to do so seemingly forever.
It's been said about a million times before but it still applies: Security through obscurity is no security at all!
The people who found the .IDA exploit (eEye security) told MS, and waited until a patch was available before making the press release.
Not only that, but Microsoft thanked eEye in their own press release.
Not only that, but it has been proven beyond all doubt that Code Red, + CRII were based on old exploit code, NOT eEye sample code.
Not only that but the old exploit code that Code Red etc. re-hashed, exploited a hole that was fixed by MS in the traditional manner, i.e. with no exploit sample code published, etc. If the original exploit code that Code Red built on was made public in the same way as the .IDA vulnerability was, the f**kin' thing would never have happened, because every competent IDS system out there would have caught Code Red before it even got off the ground.
The whole thing makes me sick. I can't believe that after Microsoft blitzing^W attempting to blitz the media with its "renewed security efforts" that they let this slip past marketing. If this is what happened, then before they can even think about 'locking down' IIS, they need to examine their own attitude, and consider abandoning the tried-and-tested-and-FAILED 'security through obscurity' route.
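The argument above is that once the shape of the .ida request was public, anyone running an IDS could match on it. What follows is an added illustration of that point, not code from the thread, from eEye or from Microsoft: a small signature check run over constructed web-server log lines. The log format, the 200-byte query threshold and the sample requests are assumptions made here for the example; the one "attack" line only mimics the outward shape of the overflow request (a long filler run followed by IIS-style %u encoding on an .ida URL) and carries no working payload.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example (not from the original post): combined-style
# access log lines, and a 200-byte query string as the "far too long for a
# legitimate Index Server request" cutoff.
QUERY_LEN_THRESHOLD = 200
ISAPI_EXTENSIONS = (".ida", ".idq")  # extensions handled by the Index Server ISAPI filter
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)')


def make_overflow_shaped_request() -> str:
    """Constructed request shaped like the .ida overflow: a long run of filler
    characters followed by %uXXXX (IIS wide-character) encoding. It is only a
    lookalike for the sample log; there is no exploit payload here."""
    return "/default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u6858" + "=a"


# Constructed sample log (not captured traffic). Line 2 is the lookalike;
# line 3 is a normal Index Server query; line 4 is a long query on a CGI,
# which should NOT trip an .ida-specific signature.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [19/Jul/2001:14:02:11 +0000] "GET /index.html HTTP/1.0" 200 1043',
    f'10.0.0.9 - - [19/Jul/2001:14:02:12 +0000] "GET {make_overflow_shaped_request()} HTTP/1.0" 404 250',
    '10.0.0.7 - - [19/Jul/2001:14:03:01 +0000] "GET /search.idq?CiRestriction=budget HTTP/1.0" 200 512',
    f'10.0.0.8 - - [19/Jul/2001:14:03:05 +0000] "GET /cgi-bin/report?{"x" * 300} HTTP/1.0" 200 88',
])


def classify_request(target: str) -> list[str]:
    """Return the names of the signatures a request target matches."""
    parts = urlsplit(target)
    hits = []
    isapi = parts.path.lower().endswith(ISAPI_EXTENSIONS)
    # Signature 1: an .ida/.idq request whose query is far longer than the
    # filter should ever legitimately receive.
    if isapi and len(parts.query) > QUERY_LEN_THRESHOLD:
        hits.append("ida-overflow-length")
    # Signature 2: %uXXXX encoding in an .ida/.idq query. Ordinary clients do
    # not emit it; it is an IIS-specific encoding that hides raw bytes.
    if isapi and re.search(r"%u[0-9a-fA-F]{4}", parts.query):
        hits.append("ida-unicode-encoding")
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse each log line and report the ones matching at least one signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        src, ts, method, target, proto, status, size = m.groups()
        rules = classify_request(target)
        if rules:
            findings.append({"src": src, "time": ts, "status": int(status), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} status={f['status']} matched={','.join(f['rules'])}")
```

The two signatures are deliberately tied to the .ida/.idq path so that a merely long query on some other handler (the fourth sample line) stays quiet; that is the kind of specificity you can only write once the vulnerable component and request shape are known.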
Nimda is a good example of what Microsoft is talking about.
There were not legions of script-kiddies running Nimda. It was one programmer who actually had a fair slice of clue (not quite so much as to render him/her too busy to be a problem, though). I doubt that shutting down bugtraq would stop this person from learning that MSIE had a bug in it (or IIS, or Outlook). I *do* think that it would have led to security admins not knowing the extent of the problem. I *do* think it would have led to a much greater number of systems being vulnerable.
Windows must now go through what the UNIX world went through in 1987/8. We had screaming/shouting/red-in-the-face "discussions" on USENET for months about the validity of sharing information, sharing exploits, timing, etc, etc.
Bottom line? We came to a reasonable conclusion about how to deal with security and everyone was on-board for a good 2 months before the average admin stopped paying attention.
Most admins could give a rat's petard about security, and will never change. They run around screaming when an "incident" occurs, and otherwise assume the best. MS will have to understand that not accommodating those people by writing safe code will mean a loss of market....
Surely this Microsoft spokesman isn't Culpable.
JET Program: see Japan, meet intere
He asked that the security people "stop releasing sample code that exploits security holes". In the article, he says, "We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it."
:)
Is this so bad? He's not saying they shouldn't find and publish the security holes. Just that they shouldn't release sample code which exploits it. (For the record, I wasn't even aware they did this. All of the security advisories I've seen -- noting that I'm not in the IT industry, and haven't seen that many -- simply describe the vulnerability, without code that exploits it.)
I actually agree with this. Explaining the vulnerability is good. It helps the developers find and fix the problem. Yes, it helps the crackers exploit the problem too, but that's the price. But releasing code which actually exploits it helps the crackers far more than it helps the developers. It speeds up the cracker's development cycle a lot more than the actual original coders'. Why do they need to do this?
Now the lines between "not enough" and "enough" and "too much" information may be hard to discern. Clearly saying "there's a buffer overflow vulnerability somewhere in IIS" isn't enough, and "here's a worm that takes advantage of the buffer overflow in IIS" is too much, but finding the middle ground can be difficult. But I don't think the article was advocating the security through obscurity mode of thought, just advocating a shift in the amount of detailed info the security reports provide.
-Puk
p.s. Please don't take this as an indication that I like Microsoft at all.
So how are you going to prevent an unethical company from alleging fake bugs and providing tools to detect the fake bug and providing patches that don't do a thing for security but destabilize the software a bit. Bottom line, the exploit code needs to be out there somewhere or we're just setting ourselves up for a different type of exploitation
DB
but is an exploit REALLY necessary?
It's very useful. For example, you can scan your network for machines running given servers, then launch exploits against all those that are running, as a double check to find unpatched servers. Since MS installs servers by default on damn near everything*, without advising the installer, this is the ONLY way to be sure you're not running unpatched servers. My organization found numerous vulnerable machines this way, even though we thought we had this nailed down.
*(example: Visio 2000 installs MSDE, a form of SQL Server, vulnerable. CiscoWorks 4.2 (getting old, now) installs IIS, vulnerable.)
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
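The post above describes sweeping the network to find servers nobody knew had been installed. As an added example (not the poster's tool, and not using any exploit), here is the discovery half of that sweep in Python: a probe that connects to a host and port, sends a HEAD request and reads back the Server header, plus an audit that reports every responding web server not in the admin's list of known ones. So that it runs offline, the block also starts a throwaway local HTTP server that answers with a constructed "Microsoft-IIS/5.0" banner; that server, the banner string and the "known servers" list are assumptions made for the example.

```python
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class FakeIISHandler(BaseHTTPRequestHandler):
    """Stand-in for a web server nobody knew was installed. The banner is a
    constructed value for this example, not a real IIS response."""

    def version_string(self) -> str:  # controls the Server: header
        return "Microsoft-IIS/5.0"

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_iis():
    """Start the stand-in server on an ephemeral loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeIISHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_http(host: str, port: int, timeout: float = 2.0):
    """Return the Server header of whatever answers HTTP on host:port,
    '' if it answered without one, or None if nothing answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            while len(data) < 4096 and b"\r\n\r\n" not in data:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    m = re.search(rb"^Server:[ \t]*(.+?)\r?$", data, re.M | re.I)
    return m.group(1).decode(errors="replace") if m else ""


def audit(targets, known):
    """targets: iterable of (host, port); known: set of (host, port) the admin
    expects to serve HTTP. Returns [(host, port, banner)] for every responding
    web server that is NOT in the known set, i.e. the ones to investigate."""
    unexpected = []
    for host, port in targets:
        banner = probe_http(host, port)
        if banner is not None and (host, port) not in known:
            unexpected.append((host, port, banner))
    return unexpected


if __name__ == "__main__":
    srv, port = start_fake_iis()
    try:
        # Assumed inventory: the admin believes nothing on 127.0.0.1 serves HTTP.
        for host, p, banner in audit([("127.0.0.1", port)], known=set()):
            print(f"unlisted web server {host}:{p} -> Server: {banner!r}")
    finally:
        srv.shutdown()
        srv.server_close()
```

The banner is only the first clue; the point of the post is that once you have the list of hosts answering on a port you did not expect, you check each against the patch level, whether by version, by a safe probe, or (as the poster did) by the exploit itself.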
If we want secure software, we should write it. If we don't want to write it ourselves, we should be ready to pay for it. If we do want to write it ourselves, we can call it open source. Either way, there is a motivation to make secure programs.
It is possible to write non-trivial programs without security bugs. It is very difficult, so in the mean time we should settle for the best security we can get. The best security is pretty good if you take reasonable precautions like not choosing a password like 'ant'.
So get off your butts, MS, and make your software secure, and not through obscurity!
'An adminstrator doesn't need to understand the problem in order to fix it'
This is pure bullshit. It is *extremely* important to understand how these worms and viruses work in order to respond effectively to such threats.
If I, as a programmer, was writing a web application in C that could potentially be remotely exploited via buffer overflow, such information is *absolutely fucking critical* to me, so that i can write safe code.
M$ seem to suffer from the delusion that they are the only people in the world actually writing computer programs.
This unbelievable arrogance is getting pretty tired, and i imagine that we'll be seeing some pretty big anti-M$ stances being taken by previously devout believers in the near future.
If you can't put up, M$, then for Christ's sake shut up.
I gots ta ding a ding dang my dang a long ling long
The Cisco 675 DSL router/modem. This device has very widespread use in consumer home and SOHO environments. Other Ciscos in that line were included in a particular issue that caused the router to hang completely until power cycled. Cisco was first notified about this January 10 2000 (no typo there, 01-10-00). A very easy to prove situation was shown to cause this. After 11 months of waiting and two notifications to Cisco, the notifier had given up on Cisco doing The Right Thing (c), and notified BugTraq about the problem, in this post, Nov 28th, 2000. Users from around the world tested, and verified the issue. Want to know what happened? Nothing. Not a peep from Cisco about this, until recently. The DOS vulnerability in the Cisco was never acknowledged by Cisco, and still isn't admitted. However, a notification of DOS vulnerability was finally admitted by Cisco here, 8-24-2001. Nineteen months since being notified. However, the entire reason for this wasn't the vulnerability mentioned of a skewed HTTP request, but simply its inability to handle multiple HTTP connections. Why? Code Red. The Code Red virus was banging on port 80 so hard that the routers would lock up hard and die until reset. Many thousands of DSL customers were affected by this, and IMHO, a redux of the HTTP code that should have been done over a year and a half before would have prevented the entire nightmare of Code Red issues for owners of the Cisco 675 (their systems are another story however).
Checking for other 'exploit code' on the BugTraq list should show that the people who create it are responsible, usually doing no more than running a 'whoami' in the case of elevated privileges. They don't arm 'script kiddiez', they do it themselves, however the proof that a hole is exploitable is all someone needs to write their own. This is not a bad thing, this is a good thing.
It is general policy on BugTraq that companies be notified and given sufficient time to resolve issues, usually 3 months or so. If that lapses, it is the infosec engineer's responsibility to post the exploit for the world. The company won't listen to the voice of one competent person, but they will listen when their entire customer base gets proof that the company shirked on their responsibilities to protect their customers.
Toodles
Toodles D. Clown
What this guy is saying is equal to saying that we need to completely shut up on everything in computing, security, and communication. EVERYTHING has exploits, that will never change. Do I blame the security experts that my firewall is DOS'ed? Do I blame the OS and software company when Nimda made my Monday morning hell? No, I blame the moron that opened that email, I blame corporate for not giving the front line managers the tools we need to defend the network. At work we run Microsoft, we made that decision. Unfortunately companies and people will not take the responsibility for running an unsecurable operating system. My own corporation asks why this Microsoft hole allowed this, I ask why I don't have the funding to close up and protect this insecure operating system and network. Everyone knows that Windows products are the most insecure money can buy and that it is the number one target for troublemakers.
Is something done? No, no funds to shore up security, no funds or resources to fix the problem or be proactive.
It's not Microsoft's fault, it's the fault of the operators and owners that will not allow their techs to do their job, or give them tools to do their job... Because it's too expensive...
Do not look at laser with remaining good eye.
Which of the following scenarios demonstrates civil behavior:
A. Hey look everybody! Bill has a chive on his tooth!
B. Psst. Bill. You've got a chive on your tooth.
If you said A, congratulations. You are a brain dead follower of Slashthink.
How does this analogy apply to the situation? Think about it. Wouldn't it be better if companies (including MS) were given a little lead time before bugs are announced to the world? Perhaps a month would be the standard. Then, and only then, you could use public embarrassment as the tool of last resort; not the first.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Basically what is being asked for is:
1) don't tell anybody of the problem
2) If you must tell them, don't prove it
It worries me that some people in the security community already seem to accept that the proof should be hidden. I wonder how long it will take until they think the facts should be hidden too.
--red.
I don't mean to be facetious or anything like that, but..well..if I'm paying for a Microsoft OS, I would expect Microsoft to be the ones protecting -ME-. Not the other way around. I mean they're selling a product, right? If one of the features I'm paying for is a secure system, aren't I supposed to -get- a secure system? If I don't, isn't that false advertising?
Many points have been made, the need to know, pressurise the vendor for better security, prevention before the patch comes out etc. Along with all these points I think there is also a strong fame factor as well. If I spend all my effort to track down a new exploit, then I don't want to secretly pass it on to the vendor. I want to publish it in all its gory details in bugtraq and let the whole world - especially the fellow geeks - know how clever I am. Don't deny me my >=15 minutes of bugtraq fame!
The consensus, based on the other comments, is that the manufacturer of an O/S is responsible for the security, just as the manufacturer of an auto is responsible for the auto's safety.
I think Culp has an ulterior motive. With the frequent cries from Washington (despite occasional backpedaling) and the boardrooms for mandatory back doors, our machines may soon be under attack from inept g-men or indifferent office workers just "doing their jobs" like Calley, Eichmann, and North.
If enough hysteria is created nationwide, the back doors will become mandatory. The same hysteria could be channelled to make dissemination of security-related information an act of terrorism. Look at all the recent examples of opportunistic legislation in Washington to understand how likely this is. Inevitably, hackers will find ways to close the back doors or at least make them ineffective--a criminal act. Culp et alia would love nothing more than to operate without the meddling of Security Experts. By demonizing them and preaching to the choir, he is off to a good start.
"What is the sound of one belly slapping?"
Or did other people note that Linus Torvalds' trademark on Linux was overlooked, while Microsoft's (R) and Solaris' (R) got their due.
Perhaps someone should send them a friendly tip on Linus' IP rights..... I tried but their comments page doesn't have a comments section to type in. =[
The vendor is almost always notified in advance of an exploit being released by a reputable security group (usually a couple of weeks at least). Of course this doesn't mean that exploits didn't exist already, passed around in less-than-reputable circles.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
If third-party security companies and organisations can be made to take responsibility for the protection of Microsoft customers, can Microsoft sue them for failing to adequately protect the public against software flaws Microsoft itself created and distributed?
What is the real issue here?
Is it the fact that security experts show the holes which they know that hackers will find?
No, it's more to the point that MS is trying to release software which relies heavily on the fact that they can create secure systems. The whole XP and Hailstorm idea is based on the fact that user information will be protected and that MS can charge for this protection.
MS doesn't want security firms to find holes in its code that show how ineffective and inefficient they are at writing good code and creating secure systems.
MS, as are most if not all mainstream computer firms, has inefficient business models and practices. They have been allowed to run amok while governments all over the world allow them to produce shoddy work.
If it was any other industry than software there would be millions up in arms. If the car industry built cars and advanced the way Microsoft has (borrowing Bill's analogy) we would be back to the horse and cart as thieves would be stealing our cars left, right and centre, and when they weren't being stolen they'd be stalled in our driveway.
This condition has existed and will continue to exist, because the politicians are too narrow minded and just plain stupid to understand the new technological revolution. So they listen to the industry experts, who just happen to own the biggest software firms in the world.
No one expects perfection from a manufacturer whether they be in software or producing solid products. But we do expect a high degree of professionalism. No manufacturing industry is allowed by law to sell products that are dangerous. Software companies can; they can sell software that has the potential to cause, and has cost, the world billions of dollars and large amounts of productivity.
It's time our politicians wake up and learn something about the IT industry instead of just sitting on their butts and thinking happy, happy thoughts. Or we'll all wake up one day and all computers which are connected to the WEB (except possibly those using Linux and Unix) will not work.
Or does this sound like a response (an admittedly weak one) to the Gartner Group's calling for IT professionals to dump Microsoft?
"Uh, all these security holes aren't our fault, it's those damned jerks--Information Anarchists--who publish the details!"
-- Shamus
This space for rent! EZ terms!
Reverse Engineering
:)
That's not a good argument against releasing exploit binaries. Sure, crackers who know what they are doing may be able to reverse engineer it, but the not-so-hot kiddies won't be able to. This would at least delay the appearance of exploits in the wild.
However, disclosing source is better because it allows users to test their own systems for vulnerability. I sure as hell won't test for an exploit using code I didn't inspect and compile myself.
It'd be an interesting new virus vector - security lists being hit with 'I send you this exploit example for your review'
Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
i was listening to "the connection" on NPR a few years ago when they had the guys from l0pht on. they were pretty good at explaining their reasons for publishing exploits and i heartily agree. as others have said most companies will not make a fix until everyone knows there is a problem. microsoft should just get on the ball. someone finds a hole, they patch it and make a mea culpa. i just wish they would cut out the nonsense where they try to shift the blame. it doesn't work. making fixes does. microsoft would be such a better respected company if they would just lose some of their attitude and admit when they are wrong.
:)
incidentally. this will probably piss many folks off but i think i have a point.
Microsoft offices in reno were hit by anthrax. some scientist years ago figured out what anthrax was and how harmful it could be. he told everybody. everybody did what they could to avoid anthrax and Bayer came up with cipro, a drug to fight anthrax.
so what the hell is microsoft saying? that we should have locked up the guy that figured out anthrax? and bayer for coming up with the fix?
geeze... that just seems fucked up. am i wrong?
(incidentally I'm certain I'll be hit with tons of responses telling me that yes i am wrong)
-
Basically, by referring to demonstrations of security holes as "blueprints [...] for building weapons", Culp is plugging into the current hysteria and war atmosphere to try to achieve their goal. What is their goal? To cover up that it is Microsoft that fails to use proper development practices to avoid common security holes and that it is Microsoft that is responsible for shipping products that do not meet even minimal security standards.
If you do want to use the language of war, Microsoft is like a very powerful weapons manufacturer that sells weapons to the US military that do not function properly, that they know do not function properly, and that allow the enemy to break in and disable them using trivial, well-known methods. I would say it is every American's patriotic duty to make sure that the shortcomings in the products of such a manufacturer are exposed widely so that both the political and the legal system can curb their abuses and keep them from putting American property and lives at risk in the future.
You see, the key issue is that we know well how to avoid the kinds of security holes that keep appearing in Microsoft software. Microsoft is simply trying to save money by cutting corners on development practices and trying to kill competitors by rushing immature products to market prematurely. That is what Microsoft should be held responsible for, both financially and possibly criminally.
If Microsoft (and other large software companies) were held responsible for bugs in their software, you can bet that the "software crisis" would end soon, as software developers would finally find it more lucrative to invest in proper training, tools, and testing rather than to just grind out flaky code with the equivalent of unskilled labor.
It appears that the advantage of releasing sample code to exploit flaws in computer systems places increased pressure to fix the bug on the manufacturer. This is good, but at a compromise which places serious risk to the consumers of the product. Once suspect code is released, the potential for damage to consumer systems is exponentially increased because the tools to do damage are then available to anybody. Both sides have valid points, but perhaps a set of guidelines to report such bugs which take into account the interests of all involved parties is crucial.
As far as I am concerned, there are five levels of releasing this information which could be used to balance these interests:
1. Say nothing and somebody else will exploit the bug
2. Release this information to the manufacturer of the software product and hope they do something about it
3. Release a summary of the bug, enough so it is realized by the general public
4. Release technical information on what theories are used to exploit the flaw
5. Release the tools necessary to exploit the flaw
The above could be thought of as an agenda for the order in which to release word of any flaws, where one step succeeds the other, starting at #2. 5 should be used with extreme caution - in other words: know what you're doing before using this step, because then anybody can make a toy of the tool to execute the exploit on anybody's system.
Last time I checked (and it was a while ago) M$ was planning on using raw unix sockets on XP. My understanding is that this is a very bad thing security wise. Do they intend to blame others for this also? Or will they use it to develop a proprietary TCP/IP, and blame others for that necessity?
I respectfully disagree with this. Surely you don't think that the readily available rootkits are put together by not-so-hot kiddies?
:-)
A binary exploit would be a pretty small program, not too difficult to disassemble. It would take only one knowledgeable person to translate it into C source, and distribute that source. And then only one small step into rootkits.
So I do think it is a good argument. Your other argument is a good one as well. And I do look forward to exploits being mailed to me for testing the senders security
karma capped
When it comes to running computers safely and productively, protecting the interests of the users (us), who should we trust, Microsoft or ourselves?
I found this story talking about a serious security problem in Novell GroupWise. But they say it is better if they do not tell you what the problem is. But apply the patch NOW
The security community is so large and diverse that effective controls on exploit code and detailed vulnerability information are impossible. Who would determine who gets access? Microsoft? The US Government? The only practical method is the public one.
The enemy is not Microsoft's unwillingness to produce patches for their security vulnerabilities. They have actually proven to be one of the more cooperative vendors for recognizing flaws and producing and releasing patches, at least in recent times.
The enemy is not the public release of explicit vulnerability information, which is necessary for security research.
The enemy is also not the 13-year-old that breaks into computers. Fighting a war against 13-year-olds is a dumb war.
The enemy is the fact that software vendors like Microsoft have consistently chosen to place their customers at a ridiculous amount of risk through default configurations of their software, and the fact that a 13-year-old can break into thousands of computers with little effort or skill.
Why is it that default configurations of all major OSes (note that I'm not singling out Windows here, I'm saying all OSes) come with an absurd amount of default services open? If the vast majority of customers do not need a service running, then it should not be running. How many Nimda infections were from people who had no idea they were running a web server in the first place?
Why is it that default configurations of most prominent workstation and network client software have poor default configurations, security-wise? Do most users out there really need ActiveX or Javascript in their email client? Not only no, but hell no.
Yes, vulnerabilities do occur in all software. I don't think that anyone out there has any expectation for Microsoft or any other vendor to achieve perfection here. However, the issue here is that the default posture leaves users prone not just to known vulnerabilities, but to ones that have yet to be discovered.
All software vendors (including but not limited to Microsoft) need to better examine the features of their products to discover potential points of attack. If the majority of users have no need for a particular feature that might be dangerous at some later point in time (e.g., mobile code capabilities, network services, modules to network services like IIS index server, etc.), then they should be disabled by default. Go ahead and make an easy-to-use checkbox for turning that kind of stuff on individually, but don't have it on by default.
Microsoft has recently stated that it is beginning a new initiative to ship their products in secure configurations. I believe that they probably will succeed somewhat here, but we've been hearing similar lines of bull for so long that they have no credibility here until they actually prove it.
Microsoft and other vendors should stop whining about the messengers, and should start shipping products with default configurations and initial postures that are likely to withstand existing and future attacks. Default configurations are enemy number one, not public vulnerability research. Let's see some proactive work being done instead of only reactive work. Microsoft has plenty of problems to fix in their own development processes before they worry about fixing the "problems" they feel the security community has.
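The post above argues that unneeded services should be off by default and that admins should know exactly what a box exposes. As an added example (not code from this thread or from any vendor), here is a small audit that parses netstat-style output and reports every listener a host's role does not need; the sample output, the column layout and the role allowlist are constructed assumptions to adapt for real hosts.

```python
"""Audit listening network services against a per-role allowlist.

Added example, not code from the Slashdot thread or from any vendor: it
turns "if most customers don't need a service, it should not be running"
into a check a sysadmin can run after installing a box. The sample output
below is constructed to resemble `netstat -an`; the column layout and the
role allowlist are assumptions to adapt for your own hosts.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: a file server that also ships with a web server, an
# RPC endpoint mapper, a mail relay and a loopback-only database listening.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
TCP    10.0.0.5:445           10.0.0.9:51234         ESTABLISHED
UDP    0.0.0.0:137            *:*
"""

# Which (protocol, port) pairs each host role is allowed to expose.
# Assumed values; the point is that the list is explicit and short.
ROLE_ALLOWLIST: Dict[str, Set[Tuple[str, int]]] = {
    "file-server": {("TCP", 445), ("UDP", 137)},
    "web-server": {("TCP", 80), ("TCP", 443)},
}

Listener = Tuple[str, str, int]  # (protocol, bind address, port)


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return every listening socket from netstat-style output.

    TCP sockets count only when in LISTENING state; UDP sockets have no
    state column and are always treated as listeners.
    """
    listeners: List[Listener] = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue  # an established connection, not a service
        addr, _, port = local.rpartition(":")
        listeners.append((proto, addr, int(port)))
    return listeners


def audit(listeners: List[Listener], role: str,
          allowlist: Dict[str, Set[Tuple[str, int]]] = ROLE_ALLOWLIST) -> List[dict]:
    """Return listeners the role does not need, tagged by exposure.

    Loopback-only listeners are reported as "local" so the admin can
    prioritise the ones reachable from the network ("exposed").
    """
    allowed = allowlist.get(role, set())
    findings = []
    for proto, addr, port in listeners:
        if (proto, port) in allowed:
            continue
        local_only = addr == "::1" or addr.startswith("127.")
        findings.append({"proto": proto, "port": port, "bind": addr,
                         "exposure": "local" if local_only else "exposed"})
    return findings


def exposed_ports(findings: List[dict]) -> List[int]:
    """Ports reachable from the network that the role does not need."""
    return sorted(f["port"] for f in findings if f["exposure"] == "exposed")


if __name__ == "__main__":
    found = audit(parse_listeners(SAMPLE_NETSTAT), "file-server")
    for f in found:
        print(f"{f['exposure']:8} {f['proto']}/{f['port']} bound to {f['bind']}")
    print("disable or firewall:", exposed_ports(found))
```

Run against the constructed sample with the "file-server" role, the audit lists the web server, RPC mapper and mail relay as exposed and the database as local-only; the same listeners audited as a "web-server" flag SMB, the RPC mapper, NetBIOS and the mail relay instead. The value is in the allowlist being short and per role: anything not on it is a decision to make, not a default to inherit.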
I find it is very handy. I use it to disabuse developers at companies whose security I am responsible for of the idea that buffer overflows are so tough to exploit that they don't have to worry about them in their code. You'd be amazed at how many otherwise excellent developers think that buffer overflows are unlikely to ever be exploited.
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
The real problem is that all those security holes make their software look bad. Especially compared to other software. When he mentions that software makers are more aware of security and faster putting out patches, he conveniently forgets to mention that specifically Microsoft was extremely reluctant to react on security flaws until they were publicized widely. He also neglects to mention that it's not only important that there is a patch, but also to make people aware of it. It is very true that beyond the complexity of "Hello World" there is rarely a piece of perfect software, but he addresses that statement to the wrong people. The security experts already know this, but the customers of Microsoft very obviously don't.
Also it must be said that most of the damage the worms did was to the image of Microsoft. These worms showed the extent of vulnerable machines all over the world, but had there been no worms there would be even more vulnerable machines now, with backdoors open to anyone intelligent and motivated enough to write their own exploit. All those worms that draw so much publicity to the security flaws are just the tip of the iceberg. Someone really malicious will have the abilities to sneak in through a hole without a ready script, and he won't do it with a worm that creates a lot of traffic, but silently install a backdoor and do whatever he set out to do.
When calculating the damages a worm did, that always includes a complete system check for data integrity, backdoors, etc. But if the hole was there and had to be patched, who is to say there wasn't someone/thing else than a well known worm that came in, installed backdoors and corrupted data? And that person will probably do far more damage, since he probably chose that computer for a reason. Much damage is already done when the system had a hole and was attackable for some time, since that means that system security and integrity can no longer be guaranteed. Many worms only make people aware of that fact.
Microsoft could do far more for the security of their products by making people aware of the importance of patches, but probably that doesn't sit well with marketing.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
Hey, they want the security sites to leave alone exploits - so why not? If they want to blame their best source to the solution for the problems, let them. Watch the security sites disappear - or rather, stop supporting MS stuff. Then watch MS software go to hell as exploit after exploit rips it apart.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Culp argues in the essay that software flaws--whether in Windows, Linux or another operating system--are not going to go away.
"While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection," he said.
If perfection is the standard, then I agree - no software will ever achieve that state. However, there is plenty of solid code available gratis and for fee that is for all practical purposes, perfectly secure. Take qmail, or djbdns; the OpenBSD kernel; various "trusted" OS; many embedded OS are practically perfect as far as security goes.
You can even take an older Linux distro, install it, and disable all services but those that are required (and upgrade those to the latest stable versions), and you have a box that will resist almost every exploit, and certainly all of the common ones.
You could do this with Windows, but for the fact that sometimes unnecessary services cannot be turned off. This is where Microsoft - and RedHat (who learned) - have made their biggest security blunders, by enabling unneeded servers out of the box. Stop that, and most of the worm problems go away, or are severely limited in scope.
Edith Keeler Must Die
Sample code alone won't break a system (unless a sysadmin is dumb enough to run it themselves).
;)
This is a case of obfuscation masking as security. Or, perhaps better, your availability as a mask for my deficiencies.
It's like me saying "I'm going to sue you for tripping on your front steps" because I broke my arm using a sledgehammer and am feeling litigious today.
Not that I ever would, mind you.. Yes, I know Your Honor, I'm not discussing this case, honestly...
I used to be someone else. Now I'm someone better.
Real life is underrated.
I have about 50 Microsoft NT servers from 3.50 thru Windows 2000 REGISTERED with Microsoft. They have my name, my address, my e-mail address, my telephone number.
Never once did they contact me or send me a CD with security patches on it. Never did they send me an email to go to a website to download a fix.
I was told, when I registered my product, that they would keep me informed. They have failed to do so.
The recent exploits of IIS were from known problems that had previous patches. Many users did not patch their system. They did not know that they had to patch their system. Despite Microsoft knowing who the users of NT IIS were, they did not attempt to contact those users and let them know that patches were available.
Not only that, until recently Microsoft made it very difficult to find security patches. Their website is large and complex, and items change location all the time. In the past five years finding patches for security fixes of NT systems has gone from extremely easy, to nearly impossible, to finally getting organized and easier again.
Why is it, that after the outbreak of Code Red, it took days before information was available from a link on Microsoft's main page? Because it is bad marketing. Instead I have to go deeper to find that information. There isn't even a generic link for security from the main page.
When you do get to their security page, you are told that Microsoft is doing the radical step of giving Security Tool Kits away for FREE!!! Amazing, you bloody well better give it to me for free. It's your buggy code that had the problem in the first place. I'm a registered user, I haven't received a kit yet.
Microsoft is finally starting to take some initiative with this security thing. But they shouldn't run around pointing fingers at anyone other than themselves.
October 17th...
oh okay... I was so sure it was april 1st...
God, how can a billion dollar company be saying something like that?! Guess it's because it's a billion dollar company, heck any small developers saying something like that would starve...
I guess this is an easy +1 for open source, talk about self-mutilation... I can't believe we're actually running on over $50,000 worth of MS products and I am actually reading this...
--- Metamoderating abusive downgraders since my 300th post.
In my most recent finds, not made public yet, there are a number of gross privacy bugs in some pretty major websites (similar to the Hotmail problems, but with banking, news and ecommerce sites)... Well, besides the difficulty in even finding someone in their organization to tell about the problem, once told they usually do nothing. So, the question I have is what do I do now? Leave your banking site wide open, or make the exploit public to get something done?
-- these are only opinions and they might not be mine.
Did anyone else notice this -
Code Red. Lion. Sadmind. Ramen. Nimda. In the past year, computer worms with these names have attacked computer networks around the world, causing billions of dollars of damage. They paralyzed computer networks, destroyed data, and in some cases left infected computers vulnerable to future attacks
then further down -
All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution.
Basically they are attempting to put Solaris and Linux in the same boat as M$ware; it looks like the author Scott Culp hasn't met his quarterly quota for marketing FUD and so has thrown that *cough* article together to make up for it.
Any sufficiently advanced man is indistinguishable from God
I am sorry but when I apply a package that has been certified by SUN for SOLARIS, I've never actually had it break my machine. Now I have had other 3rd party programs have problems, for example using a secure email or secure ftp on Solaris that is NOT SUN provided will encounter some permission problems following major system patching, but at least the core OS always works.
Apply a M$ service pack and sit BACK AND PRAY, then re-apply all the bloody hotfixes that were invalidated by the SP... what a pathetic joke.
errr....umm...*whooosh* *whoosh* Is this thing on ?
The role of the security community is to protect users from false claims of security by companies which produce shitty software; it is the software producers' obligation to provide the security claimed for their products.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Providing information about a security hole or bug to the company is a nice thought, but does not apply to open source. The code is maintained and updated by the Internet community as a whole. So bugs must be presented openly in order to get noted and fixed.
Besides, 'hacker' groups with malicious intent will share information privately without the company's knowledge. Instead, making this information public as soon as possible is good for everyone. It's good for the company because they will know about the vulnerability. It's good for the customer because they can see the unresolved security issues specific to the application and decide whether to shut it down or switch to a more stable solution (or better yet, don't buy into it in the first place). Also, having an outstanding security issue puts pressure on the company providing proprietary solutions to fix their sloppy mess.
Perhaps Microsoft should consider reducing the feature set within IIS in order to provide a product that they can properly maintain. Otherwise, they might want to try moving IIS to open source. Seems to work well for Apache.
Chow
That isn't the attitude I'd want someone providing my software to take.
Education is a better safeguard of liberty than a standing army.
Edward Everett (1794 - 1865)
Meanwhile, in Redmond, someone keeps parroting "We give people what they want." Apparently a lot of us want to be pissed off. If you're in the sysadmin thing, sorry, you have my pity. If you're a worker bee, then don't get your shorts in a knot, make your opinion known once and then kick back and do whatever you have to. Can't deal with it? Get another job. Life's too short to spend being in a bent mood because of some PHB's decision to believe the Redmond propaganda machine.
As for blaming the messenger, whoa, that's only because the messenger has had so much work lately!
A feeling of having made the same mistake before: Deja Foobar
It appears to me that Mr. Culp has misunderstood the purpose of the scientific method. The goal of which is to allow other researchers the ability to reproduce one's test/bug/experiment.
Programmers use code to share their experiments because it is the simplest, best, most consistent way to do so. Asking security and programming experts not to share "blueprints" is like asking toxicologists not to share the chemical formulas for the compounds they're researching.
Mr. Culp needs to take a vacation away from the stress of his job and bone up on how to systemically approach problem solving and the sharing of information used to produce repeatable experiments/tests/exploits.
So, the guy in charge of dealing with the fallout of MicroSquish's utter incompetence in the data security field thinks we'll all be fine if we just pretend that nothing's wrong with his products, and don't tell anyone if we find their mistakes.
What a fucking cretin. There comes a time, when millions of people have lost time and money because MicroSquish doesn't understand the rudiments of multi-user computing (let alone networking), when you have to blame the idiot who makes a house out of flash paper.
Remember that name: Scott Culp. It's the name of an incompetent sniveller.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Here's my theory, for what it's worth:
;-).
1. If the *type* of exploit is known, and the *point of communication* (i.e., socket) is known, then an "expert" system can eventually be built that will make exploit creation point and click simple.
2. Any random piece of information can be disseminated to an unlimited number of points on the internet in much much less than 24 hours if there is any semi-organized method of sharing the information. A web site, mailing list, private FTP server, whatever - the internet was created to share information quickly. Code Red shows that even unwilling participants can be used to spread information (or any other payload) to saturation point in less than a day.
3. Even if only one programmer on the internet is creating exploits, there is a system of sharing this information. This is what has occurred with the "zero day" cracks of games that are shared on IRC, and it is very much a formalized and highly popular system. The only difference is that instead of being freely available to Black Hats and White Hats (like a public mailing list), it's only available as information in trade, and is usually traded for something illegal. This creates a nifty little power hierarchy where fifteen-year-olds become something like the Mafia Dons.
4. Exploit code proves that there is a hole. This proof cannot be denied by J Random Marketing Department.
5. A published exploit allows system admins to test whether a published "fix" actually works or not. Even if every admin doesn't do it, a couple will, and if there's a problem it will be announced on security lists (again, spreading at the speed of light).
Conclusion:
Because there will always be groups on the internet willing to share this information, security through obscurity will never work.
As an example, one could interview various games companies in the US and find the mean time between release of a copy-protected piece of software and the crack to bypass the protection. I call this Mean Time Before Crack (MTBC), and it's similar to the open source concept of Mean Time Between Itches (MTBI - the amount of time between the public discussion of a software idea and its open-source implementation).
Ok maybe I need to add more emphasis -
Code Red. Lion. Sadmind. Ramen. Nimda. In the past year, computer worms with these names have attacked computer networks around the world, causing billions of dollars of damage. They paralyzed computer networks, destroyed data, and in some cases left infected computers vulnerable to future attacks.
Now what viri caused those billions of dollars of damage? Was it Linux ones or M$ ones? See they are trying to tell people that it doesn't matter which of the OSs / apps you run, they are all vulnerable to the same extent and will have equal costs when attacked. This, as many on /. know, is not the case; that was the point I was making, and therefore by deliberately misleading its intended audience it qualifies as FUD.
Any sufficiently advanced man is indistinguishable from God
Well, for most of these buffer overflow exploits, you can just send a really long string and watch your program core dump. There's no need to work out exactly how to turn that into an exploit, though people do have fun doing it, and they have a right to publish their findings. Maybe if the community didn't encourage it so much?
Culp says...
"First, let's state the obvious. All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution. While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection. All non-trivial software contains bugs, and modern software systems are anything but trivial. Indeed, they are among the most complex things humanity has ever developed. Security vulnerabilities are here to stay."
In the above argument, Culp uses truth to validate fallacy. It's true that no code is perfect. It's false that security will improve by mandating gag orders.
More to the point, Microsoft is especially frustrated with flaws being exposed in their code. Frankly, I believe the hacks associated with Microsoft products differ fundamentally from the flaws discovered in Solaris and Linux. When a Linux exploit is discovered, hackers and maintainers consider it a design flaw. Therefore, exploits are generally fixed pretty fast on Linux -- usually within a few days. The same is true for Solaris.
Apparently however, Microsoft does not consider certain exploits to be design flaws. Sometimes, hackers simply leverage "features" (e.g. undocumented APIs) that Microsoft deliberately designed into their applications and/or systems.
Microsoft applications tend to execute arbitrary code. In other words, Microsoft deliberately empowers IIS, Exchange, Internet Explorer, Outlook and certain Office applications to execute unchecked commands fed over the Internet. Once hackers discover these (badly!) hidden APIs, it is only a matter of time before someone sends you an email which does something nasty to your computer.
Interestingly, despite these obvious security issues, Microsoft wants their programs to execute arbitrary code. Remember the Microsoft Word viruses? Remember the Excel viruses? Heck, email viruses were fiction until Exchange and Outlook...
Microsoft has had years of experience and feedback since the first MS-Word virus. Obviously, they understand the risks of allowing applications to execute arbitrary code. Nevertheless, they continue to build this ability into all their major products.
In fact, arbitrary code execution appears to be one of the core technologies behind Microsoft's .NET initiative. I suspect this is why Microsoft was so reluctant to repair the security flaws within IIS. Code Red and Nimda exploit APIs that Microsoft intends for their .NET initiative. Disabling these APIs would cripple .NET. Therefore, Microsoft did not fix IIS until they could re-think the design of .NET.
Culp states that vulnerabilities are here to stay. Most likely, .NET will reinforce his point. Given their track record, I expect .NET to be Microsoft's magnum opus of security deficiency.
At this late stage, re-designing .NET is out of the question. I guess Culp feels controlling what the world is allowed to communicate about .NET is easier.
Enjoy! Jon
Considering that this essay is from Microsoft, I think it reads clearly as a thinly veiled threat to sue anyone who points out vulnerabilities in Microsoft products (UCITA, anyone?). In Microsoft logic, if people stop publishing vulnerabilities for fear of being sued, then the problem of people exploiting known vulnerabilities goes away. This logic is akin to leaving a bank vault wide open, but turning off the lights so thieves won't see it.
In the land of real people, litigation will not solve the problem, and Microsoft needs to know this. The first security expert to get sued will be screwed, but by that time the vulnerability will have been made public, and thus be exploitable. This lawsuit will leave a bad taste in the mouths of the "self-described security community," so that the next exploit that is found will be exploited rather than published. When people start abandoning their products en masse because of constant security problems, Microsoft may realize that they shouldn't've angered the people who point out the chinks in their armor.
On stereophonic equipment, the monaural sound obtained through multiple channels will enhance your listening pleasure.
It's silent for years...
Many diseases are deadly if untreated. Often the scariest ones are those that kill silently over time. This is what MS is asking for. Security holes can be an obvious pain or a silent killer. If exploits are not made popular and fixed then the exploit will be available to those who know the most and can potentially do the most harm. Once again this is a plea for a solution that will benefit MS and nobody else.
All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®
For that matter, Linux® is also a registered trademark.
My favorite part, though, is "This is a true statement...." It's true in the same sense that "Hitler, Mahatma Gandhi, and Mother Teresa were collectively responsible for the deaths of 6 million Jews" is a true statement.
On stereophonic equipment, the monaural sound obtained through multiple channels will enhance your listening pleasure.
Gee, what with the current Attorney General pushing for HUGE e-crime bills, and the administration getting less and less enthusiastic about calling Micro$haft to task for its monopoly, it seems that they are all sorts of ready to make "security" a crime!!!
".....providing the blueprints for building these weapons"
So anything that could harm a US computer (the Govmnt's, yours, mine, etc.) is a terrorist act under the Ashitler bill. Suddenly, M$ starts saying that pointing out the flaws in their products is akin to building a weapon? Co-inky-dink? Not with the $$$$ The shaft lobbied with this year.
Gotta love the corporate republic.....
Department of Homeland Security: Removing the rights real patriots fought and died for since 2001
If you did your job and took those exploits and fixed the problems there would not be a problem. Do your job instead of sticking your head in the sand!!
The irony here would be: Microsoft, found guilty of monopolistic practices, approaching the House or Senate in an attempt to have reporting software vulnerabilities declared a crime. (Heck, take advantage of the terrorism paranoia.)
A feeling of having made the same mistake before: Deja Foobar
That has to be the world's biggest cop out that I've ever seen. Pathetic! "Stop showing the smart people our sloppy code, they make it break!"
~LoudMusic
No sig for you. YOU GET NO SIG!
Joel, an ex-Microsoft engineer, wrote something in an article last year that gives me hope on occasions such as this. To glibly paraphrase, programmers write bugs into their code. Just imagine how much less time it would take if they didn't put them in there, only to have to take them out again.
MS should be flogging their inept staff for putting so many critical ones in; then flog their QA for not finding the serious ones. Yes, they have some very complicated products, but there's such a thing as unit testing, and dammit, they haven't done any (or enough).
Any connection between your reality and mine is purely coincidental.
Two things:
1) If we didn't build fortresses to protect against these black-hats, then there certainly would be these sorts of attacks, because they would be easier (lower barrier to entry).
2) Consider the possibility, motivation, expected return:
Given the above, I would say it's almost certain these sorts of people exist. Of course you don't hear about them, because they're good at what they do. Industrial espionage existed before computers, and will continue to exist. Computers just make it easier (in some ways) than it was before.
If you have a few hours on your hands and *really* want to better understand what is going on, I would suggest that you sit back and listen to these speeches on Dr Dobbs Technetcast...
(stream_id values of the linked talks, as they appear in the original links: 411, 354, 478, 482, 417, 48)
If you're looking for authority on the subject they come no higher than Dr. Blaine Burnham, Director, Georgia Tech Information Security Center (GTISC) and previously with the National Security Agency (NSA),
"Meeting Future Security Challenges"
http://www.technetcast.com/tnc_play_stream.html
If you listen to Dr Burnham's speech you will understand why it is so important to keep "pushing" Microsoft on its inherent lack of security.
If you want to sleep at night, don't listen to the following speech by Avi Rubin
"Computer System Security: Is There Really a Threat"
http://technetcast.ddj.com/tnc_play_stream.html
If you listen to the above speech then you will begin to understand Steve Gibson's apocalyptic visions.
And if you want more, the effect of broadband access
"Broadband Changes Everything"
http://www.technetcast.com/tnc_play_stream.html
Directly relating to DDoS (Distributed Denial of Service)
"Analyzing Distributed Denial of Service Tools: The Shaft Case"
http://www.technetcast.com/tnc_play_stream.html
and "Denial of Service"
http://www.technetcast.com/tnc_play_stream.html
And if you want to get *really* technical, listen how difficult and more technical it is to trace spoofed packets[ Warning - this is heavy tech ]
"Tracing Anonymous Packets to Their Approximate Source"
http://www.technetcast.com/tnc_play_stream.html
"I would rather have Loki uncover and exploit our inherent weaknesses now than have the Ice Giants do so at Ragnarok. - David Mohring"
It's not really RedHat's fault. It's the fact that they rely on a bunch of self-prescribed "programmers" who don't have the discipline to put any thought into the code (includes planning and meticulous logic analysis). No moderately-experienced programmer should ever have buffer-overflow problems bigger than "off-by-one" mistakes. But in wanting the code to "do something already", input routines are written quickly and shoddily.
I'll quit ranting now before I get nasty. Time to get some sleep.
Just a thought. Without verifiable exploit code what's to stop bogus reports?
Bet everyone would get real sick of responding to fictitious security holes every time someone got pissed at Microsoft and started a rumor about an exploit in Microsoft's newest toy. (Of course there are so few people that engage in malicious Microsoft bashing that this would be a tiny problem anyway)
D
"... every time I open my mouth some of my stupid escapes!"
To qualify as FUD it would at the very least have had to be in the same sentence, or have made a clear value judgement on them. I don't see the expressions "these equally insecure OSs" or "Microsoft, Linux and Solaris viruses caused billions of dollars of damage".
And yet the article makes no distinction between the quality of the OSs and apps from different vendors, no graphs showing number of vulnerabilities and severity are there? Therefore it is left to the reader to draw the conclusion that Solaris and Linux as well as Windows are vulnerable to the same problems. If you go and read almost any book on influence / NLP techniques you'll soon find that it is not a common technique to lead a person in a direction and let them make the conclusion you want them to but the only way. I'd recommend everyone on /. to go and read some of those types of books, then read articles like this, as well as out and out advertising with those things in mind.
Seems like you're trying to imply that "viruses that attacked windows caused billions of dollars of damage, but viruses that attacked linux or solaris had no effect whatsoever". Although, it may be somewhat true - largely due to the scale and application of usage of the affected windows platforms vs the affected linux platforms.
No, it's a matter of scale. Windows is more vulnerable, and much more damage has been caused by Windows issues than those on Linux and Solaris to date. The question is, would you rather deploy something that will cost you less upfront in the case of Linux, and less in admin, patching and script kiddie attacks, or whatever M$ advertising puts in front of you? I know many PHBs will soak up the M$ marketroid speak and deploy and then get their fingers burnt with things like Code Red and Nimda; hopefully these PHBs will be fired and go and do something that they can handle, while clueful types will get hired / promoted so that the business is not put in such a bad situation again.
Any sufficiently advanced man is indistinguishable from God
Probably the next thing in the MS EULA is;
Any SECURITY HOLE bundled with the SOFTWARE PRODUCT is the property of Microsoft and protected by copyright laws and international copyright treaties.
Like someone posted into some other discussion here a few days ago, making exploits public probably reduces the need for potential wannabes or semi-blackhats to compete in the field. What's cool in that if you can do the same as 10000 other similar people, as everything is written already. All you need is gcc -o nukem2 nukem.c.
Closing exploits, or further, even all security hole announcements, could raise hell, engaging all competent-enough wannabes writing exploits to compete with each other. Once again there would be a social gain by doing the best exploit in the shortest time.
Yet there are still enough script kiddyzzz to cause harm if companies don't deliver patches and if admins don't install them, thus getting things fixed. Would Microsoft ever raise an eyebrow to any security hole if there were no public means to exploit them? Only then, outlawed blackhats would overflow buffers and, assuming that they were pros, no one would probably notice anything until one morning something completely different had happened during the night...
And it's high time that people insisted that the free speech community live up to its obligation to protect them from reality.
my other sig is a 500 page novel
Microsoft sits on registration data about what users have what product, and those registration data contain contact information.
When you register a Microsoft product, they thank you by sending you advertisement material. No critical upgrades or anything to that effect. AOL sends off CD-ROMs to everybody in America - for free, hoping a few will try out their service. Microsoft customers have PAID for their product, but Microsoft does not provide them with even notifications of upgrades/updates.
It's a sad, sad world.
Stop the brainwash
When a vulnerability shows up on http://securityfocus.com or the like, specifying a vulnerability in a Microsoft product, e.g. "A specially crafted URL will overwrite your files", and then there is no information on what the specially crafted URL looks like, and there is no fix available from Microsoft or others, do you feel more secure?
Perhaps you could block the request in your packet-filtering system, or at least log it, but without knowing what to look for... what do you do?
And, knowing that experienced black-hat crackers also read securityfocus and sites like this, they don't need anything more than this information (there is a buffer overflow in IIS... ) and then they have a target for what to do for the next couple of hours. It's a competition, you know. The best crack wins. Giving away exploits doesn't give much credit to the cracker copying it, but the first one to discover a "new" one gets a lot of attention...
We need to understand the psychology of what makes a crack worthwhile: a published exploit every script kiddie can duplicate, but the sysadmins can also countermeasure this fast (provided that they read the right forums, as all sysadmins should!)
But a hint of a possibility in an unpublished exploit gives the black-hats something to compete for: who is the first one to make the best crack? And the poor end-user doesn't even know what to look for...
Second, published exploits are easy to scan for... known, but not published, exploits will fluctuate in their signature.
E.g. a special HTTP GET request to look for in the logs... you just scan your logs for exactly the string published in the exploit (or put it in your packet-filter). An unpublished exploit will result in several different cracks, using the same vulnerability, but probably varying a bit in the exploit methodology, making it harder to scan for.
Would you dare to use your car if the factory sent you a note that "it has a fault", without providing any details of the fault? It could be anything...
... saying if you don't publish blueprints, nobody will know where the door is. Microsoft should be glad that all these reports are out, for this is a way they can react to them. It is no good putting one's head in the sand. The programmers at Redmond - the ones who left the doors open in the first place - should just read the reports and fix the holes. Maybe this would contribute to the "Win2000 is secure" image Microsoft wants to build up in public opinion. If you don't publish the exploits, end-user style people will think "Hey, M$ software is more secure than all others, because there are no exploits found on the net", trust in the M$-offered security and wonder why their computer is periodically hacked every second week by somebody who has the knowledge, but doesn't publish it.
".Sig Stealer" was here
...
"Looks like I'm going to need more RAM," observed Tom deflatedly. "This new Windows XP certainly does have a heavy footprint."
...
--- Hot Shot City is particularly good.
"Information anarchy"? And yet no post I've seen so far challenges the terminology as being inherently useless PR. Microsoft is damned good at dreaming up push-button catch-phrases that become subconsciously accepted even by its detractors as viable descriptors. It's the same sort of tactic that convinces people that EULAs are *actual laws*, when they're nothing of the sort - insofar as I know no court of law has even supported them as valid contractual agreements.
The phrase "information anarchy" has no coherent meaning other than that defined through MS's statement, and even there it seems to mean "any public publication of security weaknesses in MS products". Yet MS pushes the phrase over and over again in the attempt to link security reports with the word "anarchy" in the hopes that the average idiot will associate publication of flaws in MS software with irresponsible, undemocratic behavior.
Most of us geeks catch this sort of thing right off (e.g., "viral software") but notice - this one slipped under the wire with nary a comment that I could see.
One of MS's greatest weapons is the introduction of language which precludes one mindset and reinforces another - social programming at its finest. Accepting the phrase "information anarchy" as valid substantiates the idea that such a thing actually exists, even if you argue that the security reports don't constitute an example of this nebulous "information anarchy".
There's no such animal. It's a buzzword with zero meaning other than a poor attempt to lay the blame for MS security holes on people other than those employed at MS.
Perhaps we should retaliate with terminology of our own that's intimately associated with a Microsoft argument or product. Any ideas (other than the "Microsoft worms" phrase of some days back)?
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
Imagine for example a "hacker" discovers an exploit in a popular system and only notifies the software vendor. The patch gets posted, but without any hackers exploiting it the admins are going to sit on their hands with it rather than risk upsetting their production servers. The result is the only people who use the exploit will be the software vendors (just protecting their IP) and possibly the Gov (just protecting us from the current set of bad guys).
Seems like a no-brainer: who do you want to hack your system, a kiddy that only wants bragging rights or a real dangerous type like a spy? About a third of these "exploits" are legit networking tools slightly modified anyways. The worms are only the crude, highly visible stuff, the tip of the iceberg, not as dangerous as the stealthy stuff you don't hear a lot about.
What most of these hackers want is respect anyways, like the respect that was conspicuously absent in Scott Culp's placing Linux® without the registered TM between Windows® and Solaris®, both with their registered TM symbols.
Although I only compiled my own kernel, I still made my own Linux, so when Linux is insulted like this I still take it personally. I was going to tell them about it too, but guess what, their stupid web site's contact page is BROKEN! Yeah right, we trust you to fix things without the ability to independently verify it. (I really tried not to go on a rant, honest)
Apocalypse Cancelled, Sorry, No Ticket Refunds
Is that customers being harmed is a good way to force the vendor to release a patch? Right.
How we know is more important than what we know.
Patching binary code is not easy, probably not even safe, but it is possible and maybe some companies could get really good at it, and charge a service for it. Oh wait, there's that whole copyright thing.
When you find a buffer overflow it is trivial to make an exploit that one could use to DoS the service. It's just a few lines of Perl: throw lots of AAAAs at it and watch it go down. This serves the purpose of "sysadmins need tools to test the patch", but it is usually not what is released. Usually people release tools which give you a shell and open-ended script kiddiness.
Old school BSD flaws, rehashed for your amusement.
Have you looked at the entry conditions for the Honeynet Project? They put random sploitable boxes up on the net and they don't publish the IPs. That way they know all traffic that passes into the honeynet is suspect. That means you will only attract hackers who are scanning for sploitable boxes, which only script kiddies do. The blackhats are out there, they just don't attack anything and everything, they are targeted.
With Solaris or Linux, your odds are better, but they're not immune. His statement is factual.
Of course they do. Ever hear of corporate espionage?
If I was a MS spokesman, I might answer this by saying:
"Exploits are a proper test of the validity of a patch, but it is not necessary to publish them. They can be developed and tested in closed labs and only the results published."
To which I would have to ask: "Whose lab and how can we trust them?"
There is nothing so silly as other people's traditions, and nothing so sacred as our own.
"All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written."
I remember a day when Microsoft would not have even MENTIONED Linux. Now, it's listed ahead of Solaris...
Cool.
-- You can't idiot-proof anything, because they're always coming out with better idiots.
"it's unrealistic to expect that we will ever achieve perfection."
Let me finish that sentence for him:
"and maintain our revenue stream, so we're giving up on perfection"
People buy features, and expect 'perfection'. Microsoft delivers 'features' at the COST of perfection. And they can't find a revenue stream in fixing bugs...
Not publishing the details of a virus does NOT stop the virus from existing. The "I Love You" virus didn't have a post mortem until AFTER it took down entire corporations' networks. Not publishing the details of the virii will NOT stop other hackers from getting their hands on the virus code and making modifications to it.
Culp is assuming that the only people smart enough to decipher the viruses are the security people themselves, and THAT is the false assumption that invalidates the theory behind the 'essay'...
I think that there are a lot of people handy with a hex editor out there.
If, as a security professional, I state that "the idq.dll, which is mapped to .ida and .idq extensions in Microsoft IIS, does not check its input buffer," then I have just provided information to attackers which can be easily turned into an attack. If I also state that exploiting this buffer could result in arbitrary code being run, then I have just told an attacker what they can do with it. If I say, here is what a log entry would look like, then I have just told an attacker EXACTLY how to do it, and no actual code was involved. This means that an attacker who does not know C could do it in Python OR VISUAL BASIC.
Yet, in telling sysadmins what to watch out for, I have just provided exact blueprints for an attack. If an attacker uses an exploit from a security page, they already know how to program. They can use the information describing the security hole to create their own exploit with relatively trivial effort.
So, if we stop providing the blueprints, we will have to do this by NOT PUBLISHING ANY INFORMATION concerning the actual exploit, and Microsoft can safely ignore it. This is not a way to ensure security and smacks of the old propaganda some time ago concerning Samba, labeling it as a "hackers' tool" because it actually documented Microsoft's protocols.
LedgerSMB: Open source Accounting/ERP
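The two posts above make the same defensive point from opposite ends: one says a published exploit gives admins an exact string to grep for, while unpublished variants "fluctuate in their signature"; the other says the .ida/.idq log entry is itself the tell-tale. The following is an added example, not code from any poster, contrasting exact-string matching with a check keyed on the vulnerable handler. It assumes a simplified "METHOD PATH STATUS" log format and a 200-character query threshold; the log lines are constructed, not real traffic.

```python
import re
from typing import List

# Constructed sample log lines in a simplified "METHOD PATH STATUS" format
# (assumed here; real IIS W3C logs carry more fields). No real traffic.
SAMPLE_LOG: List[str] = [
    "GET /index.html 200",
    "GET /default.ida?" + "A" * 240 + "=x 200",              # the published form
    "GET /scripts/query.idq?" + "B" * 240 + "=y 200",        # variant: other ext, other filler
    "GET /search.idq?q=budget 200",                          # benign short query, same handler
    "GET /default.ida?" + "N" * 120 + "Q" * 120 + "=z 200",  # variant: mixed filler
]

# The exact string an admin might grep for after reading one published exploit.
PUBLISHED_SIGNATURE = "/default.ida?" + "A" * 240


def match_exact(lines: List[str]) -> List[int]:
    """Exact-substring match: catches only copies of the published request."""
    return [i for i, line in enumerate(lines) if PUBLISHED_SIGNATURE in line]


REQUEST_RE = re.compile(
    r"^(?P<method>\S+) (?P<path>[^?\s]+)(?:\?(?P<query>\S*))? (?P<status>\d{3})$"
)


def match_generic(lines: List[str], max_query: int = 200) -> List[int]:
    """Flag any request to an .ida/.idq handler whose query string is
    implausibly long; keyed on the vulnerable component, not on one
    exploit's filler bytes, so methodology variants are still caught."""
    hits = []
    for i, line in enumerate(lines):
        m = REQUEST_RE.match(line)
        if m is None:
            continue  # not a request line we understand; skip it
        path = m["path"].lower()
        query = m["query"] or ""
        if path.endswith((".ida", ".idq")) and len(query) > max_query:
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("exact signature hits: ", match_exact(SAMPLE_LOG))    # [1]
    print("generic handler hits: ", match_generic(SAMPLE_LOG))  # [1, 2, 4]
```

The exact match finds only the copy-and-paste request; the handler-based check also flags the two variants while leaving the short benign query alone, which is the trade-off the posts describe.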
LazyDawg writes (and was modded up to +5):
I have to admit, I've never looked at bugtraq, and know jack about most exploits, but unless the exploit code includes a trojan/propagating method and the compileme.info file, I am assuming that the script kiddies need more than the exploit code to make a working virus/trojan/rootkit.
Sure, 99% of the script kiddies may be dumb, but the other 1% is the source of the tools, and the code. The exploit itself, once explained, is trivial to code, in my (admittedly ignorant) opinion. Code to take advantage of that exploit is not.
Just my $.02
MissMyNewton's post is so precisely on-topic, I can't begin to imagine what somebody needed to have been smoking to have moderated it as "off topic". Reeks of "personal agenda". Moderation quality on slashdot stinks so much these days that even meta-moderation seems to struggle to save it.