Microsoft
Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
because I disabled scripting.
Yes. You need scripting in order to get details of the security hole. On the other hand they recommend you to disable scripting.
Odd.
Yes. I have to use Windows at work.
Yes. I could use Mozilla.
The bylaws will also include an agreement that any security software produced by members of the group will be engineered in such a way that it can only be used for lawful purposes.
Yet again, we have a software usage agreement that restricts the types of things for which the software can be used. This is silly and ironic. If some sort of authority were set up to police the observance of this, we'd be a huge step closer to the scary world RMS describes in the famous essay set in a (hopefully) fictional future. Without such an authority, MS and friends would essentially be relying on the honor system which it hates so much.
I guess that MS and friends would rather have the sense of security they get from restrictive user licenses and the like. Folly.
BEN
I think this just goes to show that the grey hats are the real white hats.. and supposedly white hats like these are really pretty grey. Clearly, the black hats want to keep their secrets and it seems that white hats want their secrets too, but grey hats seem to have been previously defined to include anyone who keeps no secrets.
I can just see these "white hats" using their secrets to prove that their potential customers are insecure.. only to ignore the problem until MS fixes it one or two years later.
The best thing I learned from my experiences as a skript kiddie is that BUGTRAQ, BoS, and every other sysadmin-visited list was the last to hear about new security flaws. Sure, on occasion, @stake or the ISS X-Force would come up with something novel. But the majority of the time, I would see sploits circulated by my Russian friends on IRC weeks before anyone even mentioned the vulnerability on BUGTRAQ. Consider the BIND 8.2.2-P5 flaw: I had the ADM sploit for it weeks before an advisory was even issued.
Stopping full disclosure won't hurt the script kiddies. It will hurt the admins, who won't have enough information to patch their source base to fix the problem. (As a FreeBSD admin with a good grasp of C, patching a security hole takes on the order of minutes now.) But it will help this cartel to keep privileged information to themselves, so that hapless admins like myself will not have the information we need to defend ourselves. And it helps Microsoft, who can honestly claim that their systems are more secure than UNIX when the UNIX admins can't defend themselves more quickly than the M$ admins can anymore. It's just capitalism at work.
-CT
You can't go to Windows Update to download patches any more after you've turned Active Scripting off. Microsoft sends you to a page telling you to turn Active Scripting and all sorts of other dangerous things back on.
Redmond dumb-asses.
The point of the Microsoft suit was to bring back competition. Innovation was stifled because no one could get investment $$ if they were in a market Microsoft was even thinking about entering.
So what is the effect on investment capital of the settlement?
The proof is in the pudding. Is Red Hat stock up? Is Palm or Be stock up - or is anyone coming in with a bid that beats Palm's paltry $11 million? Is there venture capital available for companies to compete with productivity apps or streaming audio?
So many holes in this rant, which ones to choose? Let's go with this one.
I can sell my copy of XP if I wish, if I sell my NFL tickets it can be scalping.. Microsoft doesn't price point XP, they give it a value. I can buy XP and sell it for 30 bucks or 300 bucks, whatever the consumer is willing to pay. I can't do that with baseball tickets, NFL tickets or phone service.
Try selling your copy of XP online, and watch how fast MS stops you because of licensing issues. If you actually sell it on the street, they could still nail you if they find out. You can resell your sports tickets at face price without violating scalping laws. Phone service is a service, not a product, and thus is non-transferable.
Or how about this one?
So why all the resistance on Microsoft? Why not make it a perfect world and attack the NFL, MLB, NBA, WNBA and your local telco monopoly who restrict your choices and charge you exuberant prices and rip off the consumer.
Because there are other sports and other phone options, and for the most part those don't do such blatant anti-competitive practices. You don't see the NFL trying to create a baseball team. M$ wants to control the entire computing experience and then some...and they make no bones about it. And of course, the biggest point is that MS has been found to be in violation of law for their monopolistic practices, and yet they still flagrantly defy the law. That makes them a viable target for criticism, pure and simple.
Electronic Frontier Foundation for online civil rights information
From the MSNBC article:
In a classic display of Microsoft pugnacity, the company hammered opposing government lawyers on nearly every conceivable point, no matter how small. Eventually exhaustion became a factor, lawyers on the government side acknowledge.
So let's make sure the state attorneys general keep their lawyers adequately supplied with No-Doze!
www.lucernesys.com - Horizon: Calendar-based personal finance
Besides, I've set Mozilla to be my default mail and html program, and that works great, as long as I don't have any instances of IE open on the desktop at the same time. As soon as you open one IE window, Windows decides that it should open ALL webpages in IE instead of mozilla, like I've told it to do on ALL occurrences of running across HTML files and links people post to IM clients, programs, etc. So I completely agree, it's a Windows problem, not just an IE problem. What's funny is that despite warning people how active scripting can cause problems without having all the appropriate security patches installed, they're displaying this info with an .asp page! Now that's what I call a short attention span.
I have seen Microsoft release products that do really stupid things, but I have trouble recalling the last time they released a music application that unnecessarily formats your harddrive. I mean, come on... MS is bad, but are they as bad as Apple? If Apple was as popular as MS, you would probably be singing a different tune about iTunes 2.0?
Debian Linux has a community run software testing process that would never let something like iTunes ship as "stable".
Hey,
Bindview, Foundstone, Guardent, @Stake, and Internet Security Systems joined with the software-maker to declare they would immediately begin
Wasn't @stake formed from hacker group l0pht? Yes, I think they were! They used to attend Def Con, and work on Back Orifice and L0phtCrack?? Didn't they get banned from BugTraq because they posted links to their site in the place of good, solid descriptions?
My, how times change.
-M
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
I recently attended a SANS course on IIS. According to the instructor, MS enables features to lower support costs. If it's already on nobody will call to get it working. WFM is a similar tale. It was designed to eliminate support calls but an employee realized it could be expanded to function like tripwire.
Personally, I think if someone needed Internet printing enabled on a web server they would search for a TID instead of spending money calling MS if they couldn't noodle it out. But I'm guessing I'm just optimistic here.
I don't want knowledge. I want certainty. - Law, David Bowie
Speaking as someone who was at the conference, I would like to make a few corrections.
First, it wasn't Microsoft that proposed the idea at the conference.
Second, the idea of this is to try to get people to follow a standard way of reporting vulnerabilities and force companies to take a responsible role in addressing and responding to vulnerabilities.
Third, this is not designed to try to hide vulnerabilities from anyone.
Basically, it works as thus:
Joe Random Person finds a vulnerability in a program or service. He then documents the vulnerability, along with sample code to reproduce the bug. He contacts secure@company.com with the information he has. Joe is now expected not to release information on the bug at this time, but will stay in contact with the company.
The company now has to respond with a couple things.
1) Acknowledgement of the bug
2) An estimated date when it will be fixed
3) Any further questions the company may have
The company will be responsible for keeping in touch with Joe and provide updates on timeframe.
Once there is a patch in place or a fix has been implemented, the company goes public with the bug, including high level information on the exploit. This will not contain code that will exploit the vulnerability, but rather a description and model by which it could be exploited. The company will give credit for the find to Joe. Joe is also free to release his own high-level description of the issue.
After the grace period (around 30 days, there are exceptions), full information on the exploit is released, including code that can be used to exploit the vulnerability. This grace period is intended to allow administrators to have a chance to patch their products. At this time, Joe can also release a full paper with sample code and more details. Again, full credit is given to Joe for the find.
The intent of this is not to prevent the details from becoming public. It is rather intended to lessen the damage that can happen after the release of exploit code. It is not guaranteed to prevent damage, just to try to help reduce it.
There could be errors in this, and don't take this as a summary of the eventual document. This is my summarized take on it.
"All the things I really like to do are either immoral, illegal, or fattening."
- Alexander Woollcott
Anyone else remember when l0pht.com used to be the place to find information on Windows vulnerabilities? I see that @stake is one of the 5 security companies announcing this anti-information coalition.
Heh, security through obscurity! That's a good idea that has always worked for Microsoft;)
Though that strategy looks downright effective compared to yelling at "grownups" who've seen the error of their ways.
Gee, maybe that explains why http://packetstormsecurity.org has had the rate of submissions slow from many a day to one or two every couple of days. I KNOW vulnerabilities are being found but it's REALLY hard to explain to management why they MUST roll out a security patch if I cannot PROVE to them that, yes, it's a problem! Has everyone rolled over?
WTF is wrong with these folks?! I can see it now - we're all going to have to sign up to some sort of subscription service to learn about the various vulnerabilities. No doubt it won't be free, right? I have a VERY hard time believing that @Stake aka L0PHT signed up for this. My opinion of those fine folks just dropped into the basement. I never thought I'd see the day when they would kowtow to Microsoft, it's a sad day indeed for the security industry.
Who are we doing this for? The children? National Security? Oh wait - Bill's cash. Seems to have greased the DOJ wheels pretty good, guess things are bad all over when the security industry sucks it up too. This just makes me sick.
Any good full disclosure sites out there taking over where PacketStorm died? If so I'd appreciate some URLs. BTW, some of the folks on our team swear the SecurityFocus has pulled data OUT of their vulnerability database in recent months. Cannot confirm it for sure but when you know you looked it up previously and then it's not there later you have to begin to wonder....
P.S. If RFP signs on Hell will have frozen over. Thankfully he doesn't appear to take cash for his efforts!
Build it, Drive it, Improve it! Hybridz.org
It's scary that the lead anti-trust lawyer for the government said this:
James rejects these criticisms and says the decision to protect Microsoft's security provisions was "one of those 'duh' issues." He continues: "Microsoft has security protocols. Are we going to tell everyone how they work? Do you want people to get access to your credit-card information when you shop on line?"
And we all know security through obscurity works so well.
Why can't M$ get a patch out in the "few days" of warning they had? Because they are too busy breaking other people's applications to fix their own code. M$ is ruled by the $, don't think engineering has any power any more. If PR and management wanted a good reputation, you would think they would quit trying to screw everyone.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I have a lot of respect for Nader (I even voted for him), but I don't think he knows much about computers or software. MS is an easy target and Nader hasn't been particularly effective at protecting consumers in recent years. I wish he would do more to break the Ticketmaster monopoly which is far more comprehensive than Microsoft's and has measurably harmed consumers financially.
I'm sorry, but a bug that is found today in NT 4.0 or 2000 has most likely been around since the product came out. You're trying to say that Windows bugs don't exist until someone finds them, but Linux bugs are retroactive since the version that they are in came out. Compare apples to apples.
When the root exploit was found in Linux, the patch was available the very same day. Microsoft can't get a security fix out and tested with "a few days of work". They have hundreds of well paid programmers; Linux is written by loosely tied, mostly unpaid volunteers. You need to get the wool out of your eyes.
For what it's worth, here is what I wrote after I read Culp's essay for the first time:
I agree that some aspects of the current computer security community are quite strange. A few parties have indeed conflicting interests: They sell products which wrap around other software in order to enhance its security (from a purely methodological point of view, a questionable practice in itself). In addition, these parties discover and analyze vulnerabilities (sometimes in very great detail), and they are clearly benefiting from the recent Microsoft worm craze.
However, a few of Scott Culp's arguments are slightly wrong and do not reflect reality. For example, he claims,
Is this really true? And if it is, could it have been avoided? After all, an attacker knows which components are vulnerable (just by reading the vendor announcement), and he or she can compare the machine code of the vulnerable and fixed versions. Of course, the recent worms didn't show a very sophisticated design. But is it really reasonable to expect that the attackers of the future are unable to retrieve the necessary information from a few pieces of machine code?
In addition, we should remember that the most visible worms were targeting closed-source, proprietary systems. By the same argument, operating systems based on free software would be facing a tremendous amount of worm-based attacks because it's much easier to write these worms based on the publicly available information. However, there is no evidence supporting that, and it is very unlikely that this is just caused by different market shares.
Furthermore, Culp questions the usefulness of detailed information on vulnerabilities to administrators:
I wish this were true, but I have seen circumstances under which additional information is essential, even for system administrators:
- Vendors do not release complete information. Over and over again, products are not mentioned, either due to neglect or because they are no longer officially supported.
- Vendors release vulnerable versions after a vulnerability has become known, and after public authorities (such as CERT/CC) have stated that these vendors do not ship vulnerable versions of the software.
- New vulnerability types might exist in a wide range of software from different vendors, even though they do not share common code.
- If code is shared, some vendors respond faster than other ones. No vendor information might be available for some products.
This means that responsible system administrators have to check their systems themselves in order to be sure that they are not vulnerable.
Unfortunately, closed, automated tools do not help much in this context, at least without partly re-introducing the concept of full disclosure. Past experience suggests that the vulnerability has to be actually tested in order to minimize the number of false negatives. Our main concern is remote buffer overflow vulnerabilities, and even if such a testing tool is closed-source and does not contain any actual exploit code, it is not too difficult to snoop the network traffic, insert the appropriate exploit code, and try the result on some victims. In addition, testing tools require time to write and distribute, which is unacceptable in most cases. (Usually, the attacks start after the first advisory has been released; the Microsoft worms are rather exceptional in this regard.)
But my favorite argument is the following one, which has been rehashed in many, many different contexts, most of the time suggesting that software vendors should be exempted from responsibility for the consequences of using their products:
Nearly error-free software exists and is in wide use, but of course not in the general-purpose computing business. There are no technical reasons (or even mathematical ones, such as Goedel's Incompleteness theorem) for software being faulty. There is complex software which is believed to be close to zero defects, and Donald E. Knuth has shown with TeX that it is possible to write such software for use on workstations even if it uses tricky algorithms and it is fairly large. Poor software quality has different roots, many of them related to business models which force vendors to continuously release substantially different software versions, in order to generate a constant revenue stream from customers upgrading to the newest version.
In addition, there is no evidence that the security vulnerabilities exploited by the worms were related in any way to the overall complexity of the system. If we look at typical buffer overflow problems in free software (for obvious reasons, we can't do that with Microsoft software, but there is no indication that Microsoft source code is entirely different), these problems are local problems in most cases, which could be caught automatically by using different software construction tools, often obvious from local code inspection, and a local fix was usually sufficient. If software shows buffer overflow problems because of its overall complexity, something is very wrong.
Indeed, security vulnerabilities will not disappear soon, but not because of fundamental technical problems. And even if complexity starts to become an issue, why not reduce complexity, then? Security vulnerabilities are going to stay simply because too many people accept them.
(And, by the way, like Windows and Solaris, Linux is a trademark, and since we aren't talking about the kernel alone, we should probably call this operating system "GNU/Linux".)
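The post above argues that typical buffer overflows are local defects, obvious from local code inspection, and that a local fix is usually enough; it also argues that administrators need a way to actually test for the problem rather than trust a version string. The following is an added example, not code from the poster, from Culp's essay or from any vendor: a constructed record type with a fixed-size hostname field, the unbounded copy that creates the defect, the bounded copy that fixes it in place, and a small self-check routine of the kind one would run against a build to confirm the fix rejects oversized input. The struct names, the HOST_MAX bound and the sample names are all invented for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a record whose hostname lives in a fixed buffer. */
#define HOST_MAX 16

struct record {
    char host[HOST_MAX];
    int  port;
};

/* The "before" form the post describes: a purely local defect. strcpy()
 * copies until it finds a NUL in the caller-controlled input, so a name of
 * HOST_MAX or more characters writes past the end of r->host. It is shown
 * for comparison and is only exercised below with input that fits. */
static void set_host_unsafe(struct record *r, const char *name)
{
    strcpy(r->host, name);          /* no bound check at all */
}

/* The local fix: measure the input against the buffer before copying and
 * reject anything that does not fit (including room for the terminating
 * NUL). Returns 0 on success, -1 when the input is rejected; on rejection
 * the record is left exactly as it was. */
static int set_host(struct record *r, const char *name)
{
    size_t len = 0;
    /* Scan no further than the bound, so an unterminated or huge input
     * cannot make this routine itself read out of range. */
    while (len < HOST_MAX && name[len] != '\0')
        len++;
    if (len >= HOST_MAX)
        return -1;                  /* too long: would overrun r->host */
    memcpy(r->host, name, len + 1); /* copy the NUL as well */
    return 0;
}

/* Self-check: does the fixed routine accept what it should and reject
 * what it must, and does rejection leave the record untouched?
 * Returns the number of failed checks (0 means every check passed). */
int check_set_host(void)
{
    struct record r, u;
    char big[256];
    int failures = 0;

    memset(&r, 0, sizeof r);
    memset(&u, 0, sizeof u);
    r.port = 53;

    /* Well-formed input: both routines behave the same way. */
    set_host_unsafe(&u, "ns1.example");
    if (set_host(&r, "ns1.example") != 0 || strcmp(r.host, u.host) != 0)
        failures++;

    /* Exactly HOST_MAX-1 characters: the longest name that fits. */
    if (set_host(&r, "abcdefghijklmno") != 0 ||
        strcmp(r.host, "abcdefghijklmno") != 0)
        failures++;

    /* One character too many: must be rejected, record unchanged. */
    if (set_host(&r, "abcdefghijklmnop") != -1 ||
        strcmp(r.host, "abcdefghijklmno") != 0 || r.port != 53)
        failures++;

    /* Grossly oversized input of the kind an overflow would come from. */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (set_host(&r, big) != -1 || strcmp(r.host, "abcdefghijklmno") != 0)
        failures++;

    return failures;
}

int main(void)
{
    int failed = check_set_host();
    printf("%d check(s) failed\n", failed);
    return failed ? 1 : 0;
}
```

The point of the bounded scan in set_host() is that the fix stays local: nothing else in the program has to change, and the check routine gives an administrator or reviewer something concrete to run rather than a version number to trust.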
So, the step-by-step instructions for an exploit can be looked at as a bug report (I'd argue that is exactly what they are) that the responsible company can use to find and patch the bug, and that a sysadmin can use to verify that the patch was correctly installed (using due caution, naturally).
There ain't no rules here; we're trying to accomplish something.
the worst fact about this is that i had to read it on /.
when IE loads for the first time it checks with a MS server... why can't it make a quick check for awful security flaws like this and notify the user?