Slashdot Mirror
Schneier On Full Disclosure
Bruce let me know that he's written a piece on ZDNet (original home of the for the Window of Exposure idea is on Counterpane ? ) about the problems of not following full disclosure. Very well written and does a great job of summarizing why full disclosure works. The original piece from Culp @ Microsoft is also available, along with the PowerPoint that they did.
Full disclosure may be good, but full exposure will get you thrown in jail!
"People that quote themselves in their signatures bother me" - athakur999
This could be the start of the end for MS. Since Full Disclosure is obviously the only way to go, and seeing as MS's software is pretty buggy and not very secure (mainly out of the box), they are proving to the world that they don't want people to know just exactly how buggy their software is.
That's at least two spelling errors I could catch, and the style as a whole sucks.
I recommend spending at least 10 seconds on writing a Slashdot post.
would you extend these arguments to support it in non-virtual security? Should the CIA and other international organizations use full exposure? Should they publish something titled, "This is the vulnerability of our Nuclear Piles"? "This is where you can cross the border undetected", "This is how to make a Fake ID?"
-pyrrho
Everybody seems to like "Full Disclosure," so here at Microsoft, we've decided to begin releasing all security vulnerabilities under a "Shared Disclosure" policy. Once the various NDAs are signed, you too can view and work with any security vulnerabilities that we know about.
Just another example of how Microsoft listens to and responds to customer requests. Have a nice day!
If a tree fell on a florist, and nobody was around to hear it, would he make a noise?
"Culp compares the practice of publishing vulnerabilities to shouting "Fire" in a crowded movie theater. What he forgets is that there actually is a fire, the vulnerabilities exist regardless. Blaming the person who disclosed the vulnerability is like imprisoning the person who first saw the flames."
On a site where 9999 out of 10000 submissions get rejected, I can understand submitters not double-checking their spelling every time. On the other hand, ./ posts, what, 20 or so stories a day? Let the poster give it a once-over.
Even better, I heard there is "spell-checking" software in development somewhere. If it's GPL'ed, maybe Rob will stick it into the next slash release? This is just off the top of my head.
From the powerpoint slide:
Grace Period
Purpose: Give users a reasonable interval during which to protect their systems against newly reported vulnerabilities
- Begins with public notice of vulnerability, and lasts for 30 days
- Is immediately curtailed if vulnerability becomes actively exploited
Do I read this correctly? Does this mean that when an exploit is shown to exist in the wild, then they immediately switch to "full disclosure" mode? This means that there is now an incentive to put an exploit in the wild: it means you can publish your work. Even if you leak the exploit surreptitously.
I know I must be preaching to the choir here, but, this seems exceedingly stupid. Am I missing something?
If guns kill people, then CmdrTaco's keyboard misspells words.
Oh, does this mean the software vendors will establish some *real* Quality Assurance in their development process and produce software without bugs?? :*)
blurring out...
Culp makes a lot more sense than he's given credit for, and a lot of his points have been taken out of context. The procedure he outlines seems very reasonable to me:
"Most of the security community already follows common-sense rules that ensure that security vulnerabilities are handled appropriately. When they find a security vulnerability, they inform the vendor and work with it while the patch is being developed. When the patch is complete, they publish information discussing what products are affected by the vulnerability, what the effect of the vulnerability is... and what users can do to protect their systems....
"Some security professionals go the extra mile and develop tools that assist users in diagnosing their systems and determining whether they are affected by a particular vulnerability. This too can be done responsibly...
Let's not stir that bag of worms...
In the case of national security, the government has strong motivations to fix any security leak they find. As Bruce Schneier has pointed out in the past, commercial software isn't held to the same high standards... although we're entering an era where perhaps it should be, at least in part.
if and when I have a nuclear stockpile installed in my backyard I'd certainly want the CIA to notify me of any vulnerabilities.
But you analogy is seriously flawed. Governments, like all beaurocracies, strive first and foremost to avoid bad publicity and/or responsibility for their actions. That's why openness, accountability, and yes -- full disclosure are important. There is always a gray area in terms of giving the relevant corporation/agency advance notice and some limited exceptions for national security.
But you need not worry about the balance tilting too far. The CIA might publish a guidebook on torture, but it wouldn't publish a guide on getting a fake ID/passport. Hence it's so rare for teenagers or illegal aliens to get any fake documents at all.
When in doubt, have a man come through a door with a gun in his hand.
> Ethics and intelligence aren't a package deal
! Love the fact that's in a MSFT article.
In his essay, Culp compares the practice of publishing vulnerabilities to shouting "Fire" in a crowded movie theater. What he forgets is that there actually is a fire, the vulnerabilities exist regardless.
Slam.
...is starting the widespread debate on issues that many people need to consider.
Computer/network/internet security issues have been around a long time; perhaps now it will be more of a factor in management decision making.
The "fire" quote is really taken out of context.
In the article, the quote serves as reminder that there are times when free speech needs to be curtailed. He is not suggesting it as a metaphor for the entire situation.
The article is riddled with this sort of straw man fallacy.
Let's not stir that bag of worms...
but by the same token, releasing information about a vulnerability is admitting that your application is flawed. This also harms the reputation of your product among some user groups. With Windows XP Microsoft has conclusively proven that their target market is People Who Don't Know What A Mouse Is; these are the same people who would react most negatively to MS security alerts.
At least he admitted this to a certain degree and made certain to point out how absolutely stupid some of the Full Disclosure arguments have been.
I don't think there are two opinions on this, it's more multi-faceted than that. In many ways Schneier agrees with Microsoft... actually in most ways he agrees.
He just has a few points that he has some disagreement with.
Meanwhile there is this large group who can't see the forest for the trees that keeps villifying Mr. Culp and arguing that script kiddie tools are the only way to insure security. "We must destroy the world to prove to people that destroying the world is bad!" would best describe the attitude.
But notice how Schneier says such people are idiots?
vendors didn't have any motivation to fix vulnerabilities. CERT wouldn't publish until there was a fix, so there was no urgency. It was easier to keep the vulnerabilities secret. There were incidents of vendors threatening researchers if they made their findings public, and smear campaigns against researchers who announced the existence of vulnerabilities (even if they omitted details). And so many vulnerabilities remained unfixed for years.
Perhaps it was pointed out that codered et al had patches a month ahead of time.
But, in the same breath/stroke it was mentioned by MS that their meathod of informing, distributing about patches/vulnerability was/is "confusing".
And the article by Culp almost says in effect "we don't want vulnerabilities known so we can stop writing patches and bugfixes or do it when "we" feel like it".
The whole "rely solely on the vendor" schtick is coming full circle it seems.
The author pointed out that is the way "it used to be" and it seems Microsoft is pushing for it to be that way again.
If it is not on fire, it is a software problem.
1. Discover the vulnerability.
2. Write code to exploit the vulnerability.
3. Arrange with an industry journalist to demonstrate the exploit.
Then it comes down to MS PR vs. journalistic integrity.
P.S. Don't even THINK about doing this unless you're cool with MS buying all the trade rags...
Wow, what a troll. The CIA being an "international organization" is a dead give away. The other is the fantastic false analogy between buggy PC software and nuclear bombs. No orgainization currently mass produces nuclear weapons for daily use on every desktop. No one here would recomend such things.
At the same time, some countries like the USA, recognize that free thought is needed for scientific development and that full disclosure and broad education are in the public interest. While the particular techincal details of how to build bombs is kept secret, the physical priciples are trumpeted and encouraged. Indeed public debate on priciples are encouraged as free dicourse leads to knowledge. "Freedom is the ability to say two plus two is four, all else follows", said George Orwells sad character in 1984. While the Department of Energy and their employees might not tell us details, they will not keep you or me from talking about it. With sufficient study at any good US University, a person can learn all they need to know about bomb design. Knowledge is not yet viewed as evil. The truth will set you free and only the free can be sure they know the truth.
M$, Adobe, RIAA, MPAA and other private interests are going a step further than cold warriors with their "information anarchy" campaign. Such blatant censorship is un-American and against the public interest. They will be defeated in the long run, as will trolls like you.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
http://www.microsoft.com/technet/treeview/defau
- Code RedMicrosoft worm.
- LionLinux worm
- SadmindSolaris worm that affected Microsoft OS's (*ack* if you can call them OS's!)
- RamenLinux worm
- NimdaMicrosoft worm
Now that means that a "representative" list of worms would contain 50% Microsoft worms, 40% Linux worms, and 10% Solaris worms. It's good to see Microsoft presenting a legitimate picture of what's going on. C'mon!! Windows practically breeds worms! Linux has had how many? 4, 5? Morris, Ramen, Lion, Adore. That's all I can come up with. Now, do I start listing the Microsoft worms (not to mention virii)?...-------------
All your sig are belong to us.
IWARS.
People, in general, disappoint me. Politicians even more so.
Culp has a point when he talks about responsibility. (Ironically, of course, Scott is avoiding "mea Culpa.")
Ouch...
and referring to the Culp article again, with the DMCA in effect, it is a lot easier "to shut ppl up about MS's vulnerabilities than it is to fix them.
OOOoooo...that really hits home.
If it is not on fire, it is a software problem.
The argument that you can't just shout "fire" in a crowded theater entered the law in Schenck v. United States, 249 U.S. 47, 52 (1919). This was a Supreme Court case concerning whether the government may suppress pamphlets encouraging people to resist the draft. Although I think that case may have been correctly decided (with the distinction being expressing opposition to the draft versus encouraging people to violate the draft law), I wonder if the Court realized they were treading on, or near thin ice, when they used the "Fire" analogy.
So it is with people who use the analogy today. Whenever someone start comparing some kind of speech to shouting "Fire" in a crowded theater, don't get carried away by the emotional appeal but keep an eye on your rights, lest someone try to make off with them.
While it is certainly up to the vendor to release as bug free code as possible, I disagree with his exoneration here. "If you don't know how to use it, don't" holds true regardless of what OS we're talking about. A Unix sysadmin that doesn't patch his/her boxe(s) is as much to blame as an MS sysadmin who fails to do so as well.
Whether or not the amount of exploits for IIS are a direct result of how widely it is used outside of the "heavy metal" internet server arena is anybody's guess. But to even suggest that the sysadmins should say "oh, fuck it. It's the vendor's fault" is a bit like putting one's network in the hands of God... maybe it will be OK, and most likely it won't.
is not about shouting "fire" in a crowded room.
It is about lighting a "fire" under a vendors ass.
Perhaps so Culp does not forget this point he should take the advice in another story and "tatoo it on his butt" if he needs to.
And not in invisible ink, btw.
If it is not on fire, it is a software problem.
Meaning:
It Isn't Secure.
How apropos.
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
This seems to me to kind of parallel biology. In an environment where exploits are not discussed, there is a smaller penalty for buggy software. With increased discussion, the software that remains will be the software that is more secure, or that evolves to be made more secure.
So how does Microsoft survive? Is it a virus?
JET Program: see Japan, meet intere
> By analogy, this isn't a call for
> people for give up freedom of speech;
> only that they stop yelling fire in
> a crowded movie house.
Another wonderful analogy!
Security professionals have been yelling "fire" in crowded movie houses for years. Most of the actual patrons fail to pay any attention, despite the fact that the seats are made of explosively flammable materials, the management allows patrons to smoke cigarettes in the theatre, and occasionally the movie is interrupted by ushers dousing patrons with fire hoses if they are noticeably ablaze. Patrons who do catch fire are not offered a refund, nor a credit for those parts of the movie that they miss, nor even so much as an apology.
--- Zygo Blaxell (zblaxell, feedme.hungrycats.org)
I refuse to believe corporations are people until Texas executes one. -- desert rain on http://www.dailykos.com/user/
But when BIND does the same thing, oh then it's fine, no problem, it's okay, no big deal, etc..
Great article, however...
Schneier always mentions that you have to watch out for people motivations. In this case, he should point out that his company makes its living watching for bugs/hacking/vulnerabilities in the systems of the customers that it monitors. He usually does this, but I definitely see it as fodder for Culp to throw back in his face. If the bugs were hidden, Counterpane would have a lot harder time knowing what to look for.
I really liked the point about software companies being liable for the software they produce. The implication from his article was that a firewall manufacturer isn't not liable if a hacker breaks in because of shoddy code in their firewall. Is this true? Anyone know of (or have a subscription to one of those cool legal services) any legal cases that have proved or disproved this?
It seems pretty fundamental.
Rudy
1. 2.
In the third case, the people there were informed about the attack and were able to stop it in time, because they had full disclosure of what was happening in the other cases.
Now, looking at these two security exploits, which do you think was the better solution, the passengers who were unaware of what was happening until their planes crashed into the World Trade Center buildings, or the ones who were informed and fought back?
Paul Robinson <Postmaster@paul.washington.dc.us>
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
For example the auto-industry. If you buy a new/used car and it is a lemon or has massive faults that can cause serious damage the vendor is expected to state those faults
I have two children and ANYTIME there is even the slightest risk of problems with the products we have bought for them, the vendor says don't use it any more.
You would think that Microsoft would have learned from Firestone/Ford....
I really think you've misunderstood what the debate is about.
Obviously, people with affected systems need to be informed of information on how to protect their systems - the debate is on what level of extra detail to provide (sample exploit code, more or less tech info, etc..)
In your simple scenario, obviously the solution is simple.
Just yesterday, I discovered a vulnerability on a certain government site. I told them and they fixed it. This isn't the sort of problem we're talking about.
Let's not stir that bag of worms...
I like this piece from the MS article:
By analogy, this isn't a call for people for give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.
So, now you know, don't yell fire in a crowded movie house!
I am just wondering if the argument also applies when there is fire in the movie theater or, by analogy, when there is a serious vulnerability just discovered.
The whole point of crying "fire" is to alert everybody and prompt them to act quickly; disclosing a vulenrability is about the same.
Almost every piece of commercial software you install these days has something in the license like (taken from the Red Hat legalese):
"There is no warantee for the program, to the extent permitted by applicable law. Except when otherwise stated in writing by the copyright holders and/or other parties provide the program "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warantees of merchantability and fitness for a particular purpose. The entire risk of as to the quality and performance of the program is with you. Should the program prove defective, you assume the cost of all necessary servicing, repair, or correction."
Now someone explain to me why, when software vendors disavow all responsibility for their products, they should be granted some special status with regards to information about those products' misbehavior.
We instead need to find a Lever that is appropriate for today economic climate: Money.
I say, make Vendors financially responsible for the damages incurred during an exploit. We've all seen the outrageous dollar amounts attached to some of the random e-mail worms that exploit Microsoft's Software. Since Vulnerabilities are Programming Mistakes, why not make the same laws that govern other flawed products applicable to Software?
Wasn't Napster held liable for damages done because of their Software Product and Services? Why shouldn't Microsoft be held accountable because of damage done by means of their Software Products and Services? Heck, that might even be something appropriate to tack on the Settlement Agreement by Microsoft's Bitch^H^H^H^H^H^H^H^Hthe DoJ.
I don't think you can get the attention of any corporation unless you hit them where it hurts: the profit margin ... just my $0.02
Now, looking at these two security exploits, which do you think was the better solution, the passengers who were unaware of what was happening until their planes crashed into the World Trade Center buildings, or the ones who were informed and fought back?
I know you think the analogy is amusing but I assure you it isn't. I was in the WTC 1 when this happened and I assure that it isn't amusing at all.
You analogy is also flawed in that if you followed the rules Culp mentioned the people in the third plane would still know. Because an exploit in the wild means immediate discloser. Notwithstanding that some security people would release an exploit just to get published.
So next time think before you open you mouth and conjure horrible memories just to be a sorry troll bastard.
Regards,
askipper22@hotmail.com
When software vendors become liable for data loss, and the associated costs, then they have a very strong financial incentive to fix bugs.
In the current model, even with full disclosure, the most they risk is sales loss due to bad PR, and to modernize the old saw, "nobody ever got fired for buying Microsoft".
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
It's not just what he says; it's how he says it. For some reason, the above sentence makes me think of a particular vendor.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The flames are a feature. They are there on purpose.
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
Am I the only one who remembers that M$ used the vulnerability holes in IE as a back door to snoop through M$N user's hard drives? Has anyone else noticed how many of the IE vulnerabilities for which M$ has nearly immediate patches (for a company that has regularly been late getting OS releases out the door)? While I am fairly sure that not all of the vulnerabilities in M$ products are back doors (it is a VERY complex system, after all), the company's behavior also make me equally sure that some of those are what I call "bug doors", absolutely intentional trap doors.
I've pulled IE from my home M$-Windows systems (one for the games I cannot get on Linux and one for a system that captures music-keyboard MIDI data to a score, which is another thing that I cannot find for Linux), using IEradicator (http://www.98lite.net) and some registry tweaking, and I've got a couple of layers of firewall running, but I still want to know what holes are in those systems, my Linux boxes, and my Solaris system. I neither want my data stolen or corrupted, nor do I wish to contribute to damaging anyone else's system(s).
The script-kiddie issue is just one we must live with; A sysadmin can only get access to the same data as a script-kiddie can. If the sysadmin needs it, then with that right comes a responsibility to test and patch systems.
If non-disclosure is good for vendors and consumers, then *all* vendors would be pushing for non-disclosure - not just Microsoft. As it is, the *nix vendors are happy with the status quo, because they are reasonably happy with the quality of their software.
However, proof-of-concept code does not necessarily prove/disprove the presence of a threat. If the exploit addresses a particular subset of an overall fault, then just because the exploit fails does not mean that the fault has been fixed - see compiler optimisation "cheats" for example.
When the source is open, then the exploit can be more easily shown to be complete/incomplete - otherwise, the exploit either works/doesn't work - but that could imply a failing in the exploit code, or a partial workaround in the patch, which simply avoids the exploit.
I disagree with the author that there is no incentive for vendors to provide secure code - Secure Solaris being one example - but the customer must pay megabucks for such a promise, and compromise the customisability they expect.
In his essay, Culp compares the practice of publishing vulnerabilities to shouting "Fire" in a crowded movie theater. What he forgets is that there actually is a fire, the vulnerabilities exist regardless. Blaming the person who disclosed the vulnerability is like imprisoning the person who first saw the flames.
Nuff Said.
Author, Shell Scripting : Expert Re
I got it as well. WTF is going on?
Now, I know I am opening myself to people making fun of my name, and over the years, many have done so. But, it is just too easy...
Since Mr. Culp is Microsoft's appoligist, might his title at MS be Mea, that would make his full title ther Mea Culpa?
Or, since they have found MS guilty of being a Monopoly, would that make this person in charge of culpablity for MS?
ttyl
Farrell (running, ducking and hinding...)
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
because they give politicians lots of money
Can someone explain the benifits of "Full Disclosure" in a closed-source scenario such as bugs in IIS in Windows?
I'm not interested in arguments about open-source systems, or how vendors should be liable for bugs, etc...
I simply want to know why it makes sense to publicise the code for a vulnerability as opposed to saying "there a bug in this area, we're working on a patch". What are the benifits?
I wonder: should we send Osama Bin Laden precise instructions for making Anthrax, Small-Pox, or Nuclear Weapons?
That's their fault for not using Debian.
There aren't enough sys admins to patch every version of Windows XP Home out there, or even every copy of Mac OS X. In the wild and wooly P2P world out there *every* machine is an internet server. How can we expect the entire user community to understand patches?
what better way to describe the "script kiddy" problem.
utter rubbish
Remember the difference with the software industry. If the DoJ puts up another border post, this automatically protects everyeone from that vulnerability. A bug must be patched manually, and so must be announced to everyeone concerned. Your example is analogous to Microsoft finding their own vulenrabilities and (because they're in software) publishing the patch on the Net.
Conversely, Full Disclosure *would* work if private citizens published this info. For example, say I find out how to cross the border. If I announce this to the world, the DoJ would scramble to fix the problem, thereby improving security. If they keep it under their hat, they may not necessarily be motivated to fix it (no budget, didn't feel like making the order, etc., etc..) So, just like in the software industry, Full Disclosure would cause the security agencies to act very quickly.
Actually, even without full disclosure they would act quickly. Using the aforementioned example, if I (say) publicized a border vulnerability, I would be promptly clapped in jail. So the agencies would still work - it's just that they would not do quite what we would want.
Your attitude is the classic example of the thinking of weak-minded and brainwashed morons who automatically respond with the knee-jerk reaction of "WHAT? You gave hackers info on security? Die, traiterous scum!" Next time, try to logically follow your own argument instead of engaging in slashdot posting diarrhia. And moderators! Who modded that clueless individual up in the first place?
-- ;-)
Kuro5hin.org: where the good times never end.
> Since full disclosure has become the norm, the computer industry has transformed itself from a group of companies that ignores security and belittles vulnerabilities into one that fixes vulnerabilities as quickly as possible. A few companies are even going further, and taking security seriously enough to attempt to build quality software from the beginning: to fix vulnerabilities before the product is released.
And Microsoft doesn't like fixing problems, let alone building quality in from the start. Those activities don't add anything to their bottom line; it's a waste of resources.
Microsoft doesn't like the new norm, therefore it doesn't like full disclosure. (Where's the surprise?)
To say nothing of the bad PR that hits the world's presses twice a week when the latest MS-specific exploit shows up at the disclosure site.
Sheesh, evil *and* a jerk. -- Jade
The latter technique, of course, worked admirably on flight 93, reducing losses by at least tens of millions of dollars, and possibly by billions. (If they'd been a little luckier they could have reduced the flight 93 loss to nearly nothing.) Flight 93 didn't rely on a single gov't action : private individuals and companies closed the information loop and then attempted to counteract the threat, while the gov't response had barely started. There are lessons here on how to build a civil defense infrastructure to better handle the future attacks.
Information security attacks are just as expensive as the direct costs of the 9-11 attacks, costing billions of dollars a year in direct financial losses (and billions more from disclosure of sensitive information). The only difference is that infosec attacks are diffuse and don't draw much attention, while an equivalent military attack is spectacular and extremely photogenic. (Attacking the first WTC tower was a military action. The second was a publicity stunt designed to increase indirect losses.)And don't anybody tell me that it's a poor comparison, that computer viruses don't cost lives and how can I be so insensitive. Suppose infosec attacks cost each American an average of one hour of their time each year. (Which is probably within an order of magnitude of being correct.) That's a total loss of 250 million man-hours. Assuming that the total work a person can do is 150000 hours/lifetime, that's 1700 human lifetimes squandered by infosec attacks each year. And that's not considering attacks against military and medical databases, and against industrial equipment, which can and do directly kill people.
People who think there cannot be an "Electronic Pearl Harbor" are in for quite a surprise, just as people who thought foreign affairs don't affect the modern American lifestyle were surprised on 9-11. Most current guerrillas lack the competence to carry out severe infosec attacks, but ignorance and religion are not necessary prerequisites for anger and extremism.
-- ;-)
Kuro5hin.org: where the good times never end.
... your job is to look after the Nuclear stockpile, if you are a border guard, or if you have to check passports as part of your job.
As much as you OY YAY FREE SPEECH YAY proponents would like to babble on, it doesn't matter about these other things. It isn't your damn business.
I run a computer, yes, I need computer security information. But no, I am not a border guard.
A missed implication of MS's way of doing things is that the customer is left entirely out of the loop. As a system administrator I don't want to be left in the dark for 30, or 60, or however many days while the vendor works out a fix; it's *my* goddamn system and *my* ass is on the line, so you'd better bloody well tell me where the break is and fill me in on what I can do to jury-rig the system until the vendor *does* provide a patch. If the vendor thinks no jury-rig is available, that's okay - at least I have the choice to disable the software until it's fixed, or turn to smarter heads outside the company for other options.
The arrogance of Microsoft in taking a non-disclosure line is amazing. Essentially they're saying that the vendor has a right to the information but the people who're actually responsible for the systems the faulty product is running on don't. Excuse me, but in what fucking universe does that crock of shit make sense? The vendor isn't *entitled* to non-disclosure; as the customer I *am* entitled to disclosure just as much as I'm entitled to know if the model of car I'm driving has a known brake line problem.
Screw this non-disclosure, delayed-disclosure, or whatever line of bull MS is selling. I don't give a rat's ass about the credibility or stock value of the company who sells a hackable product; all I care about is how I can secure my system until the hack is fixed, or if the product is so full of holes I should just toss it and migrate to something else. Neither MS nor anyone else gets to make this decision for me.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
You misquoted what he said. He said "You analogy is also flawed in that if you followed the rules Culp mentioned the people in the third plane would still know. Because an exploit in the wild means immediate discloser. Notwithstanding that some security people would release an exploit just to get published.
Cutting out his sent because it explains his point doesn't mean the point doesnt exist.
He is correct. Culp stated that if an exploit is found in the wild then it is immediately Fully Disclosed. Otherwise the vendor gets time to fix it. So he is right that the Third plane would have known just the same and thereby it was a bad analogy Because after 1&2 it is fully discosed(although I agree that the original author didn't really mean it to be amusing).
Actually the point I was tring to make was that the logic made no sense(I still believe this) and thereby it was a dumb analogy. If you are going to make an analogy with a symbol that profound you should think things through a little more.... else you are just trying to amuse yourself with how clever you are.
http://www.theregister.co.uk/content/55/22816.html
It is very well written and the arguments presented are logical. This is the type of rant that MS needs to hear, although they seem to be masters of burying their head in the sand.
For the most part, Bruce is highly intelligent and well-spoken. I agree w/most of what he said, except for the part about the authors of VCK's.
They do have a valid use - that of viral research. I've been collecting and researching virii since about 1984. I enjoy taking old junk PC's and installing different virii on them to see what happens and how to prevent it - along with the obvious value of analyzing other people's code for neat tricks and hacks that I might be able to use one day (I'm a white-hat, so nothing nefarious mind you, but just neat stuff).
VCK's make this experimentation much easier - I can whip up some virii to play with.
I would suspect other researchers do so as well. That some script kiddies abuse them - well, some people use their VCR's or CDR's to violate copyright - but that usually doesn't cause the things to be 'bad'...
The real threat is someone who goes looking for security holes, finds them, and quietly uses them to steal information or money. It's the people who are stealing credit card numbers, bank account info, and military information that are threats. Serious attackers will often work to obtain inside information, and may be willing to combine physical attacks with computer attacks.
Vulnerabilities left open but not publicized open doors for the real attackers. Non-disclosure shuts down only the more inept script kiddies.
(also on The Register).
Check this story about finding a serious cookie vulnerability in Microsoft Internet Explorer and MS policy dealing with it.
Those interested in this subject will almost certainly find this piece in The Register worth reading.
ben_ the technologist and platform agnostic
has been censored in accordance to the responsible disclosure policy of the Microsoft Security Framework.
By disclosing any useful information within this message, one could determine my posting history, motivations, and style, from that extrapolate the sequences in my DNA base pairs, then feed my physical and mental state into a complex iterative model of the Universe.
This could be seen as paving the way for recovery of time machine plans from the future, allowing you to go back and assassinate Bill Gates before he could come up with this crap.
Besides the obvious problem, that being that Microsoft's software of unsurpassed quality will never be released, such an event would create a causative paradox in the Universe, the end result being total destruction of all matter and energy.
In short, all hail Gates and his mighty army of high-priced lawyers!
(Note for the sarcasm-impaired: the preceding message was just a joke; don't mod me down)
Want Linux games? HERE.
Bruce,
Your message is consistent, effective, and helpful. However, one remark you often repeat is being used to justify harmful practices, and even harmful legislation. It plays into the hands of Microsoft and those like them.
In your ZDnet article you wrote, "the sheer complexity of modern software and networks means that vulnerabilities, lots of vulnerabilities, are inevitable." Microsoft's Scott Culp had written, "all non-trivial software contains bugs." The difference between the two statements is probably too subtle for most of your readers. As you say, almost all software vendors do very shoddy work, and most large systems are riddled with holes. Still, the step from "almost all" to "all" is much larger than it might seem.
From Counterpane's business perspective, the distinction probably makes no difference; Counterpane must accept its customers' software deployment choices. From the standpoint of a judge or legislator, though, it makes all the difference in the world. If reliable software really cannot be written, then Microsoft and its ilk must be forgiven their sloppiness at the outset; it would be wrong to hold them to an impossible standard. If in fact reliable software can be written, then such ilk are negligent in failing to produce it.
This is not an academic point. It affects your argument, and Microsoft's. If a software system will always be full of holes no matter how many patches are applied, publicizing holes just makes it harder for network administrators to keep up. It is the availability of reliable alternatives that cinches the full disclosure argument: users can get off the patch treadmill by switching to software that's not buggy. The extra work done to ensure reliability pays off when users switch, or needn't. Full disclosure punishes the sloppy (and their customers) and rewards the careful (and their customers).
It doesn't take many examples of truly reliable software to make the point, in principle. How many bugs remain in Donald Knuth's TeX? In Dan Bernstein's qmail? These were not billion-dollar efforts.
Once it's demonstrated that reliability is possible, getting it becomes a matter of economics. Microsoft, rather than saying reliable software is impossible, is forced to admit instead (forty billion dollars in the bank notwithstanding) that they simply cannot afford to write reliable software, or that their customers don't want it, or, more plausibly, that they just can't be bothered to write any, customers be damned.
Instead of promoting a destructive fatalism about the software components we rely on, you would do better to say simply that current economic conditions lead most organizations to deploy systems known to be full of vulnerabilities. Leave open the possibility that slightly different circumstances would allow for a reliable infrastructure. Reliability is no substitute for effective response, but it just might be what it takes to make effective response possible.
Nathan Myers
ncm at cantrip dot org
I found the story very interesting and on-topic. Thanks for the post, it shoul be modded up.
From the article:
I do fault the sysadmins: It's our job to maintain systems as securely as we are able. It's part of the cost of doing business.
We should maintain continual pressure on the vendors to improve their initial software quality, to improve their security vulnerabilities especially, and to improve their patching experience to make it easier to apply secure patches with some degree of confidence (which would be an outflow of improving their software quality in the first place--the same processes apply to patches as to a full-fledged app).
However, we should never use a vendor's failings as an excuse for not maintaining due diligence on security matters.
A company's management makes a decision--rational or not--to use a system. Part of that decision includes total cost of ownership. If total cost of ownership outweighs the total benefit derived from a system, don't use the system.
Now, most of us aren't in a position to make a final decision on systems, so we must influence the decision by making sure TCO includes the cost of maintaining security patches.
"Do not meddle in the affairs of wizards, for you are crunchy and good with ketchup." --/usr/games/fortune
"The Natural Laws of Digital Content" on November 15 at 7:00 at the University of Minnesota Minneapolis campus.
The subject of the talk is related to the topic of this story - how legislation such as DMCA interact with computer security issues. So if you're interested in this topic and live near Minneapolis click the link above to find out details about this talk.
Also, we hope to tape Bruce's talk and put up video and audio of the talk on our web site at a later date.
Preventive War is like committing suicide for fear of death. - Otto Von Bismarck
Imagine a world in which software companies are criminally and/or civilly liable for ill effects resulting from successful attacks on their products.
I think that in such a world, software quality would improve dramatically, and software manufacturers would be at least as motivated to fix bugs as they are in a world with full disclosure.
From Culp's piece at http://www.microsoft.com/technet/treeview/default. asp?url=/technet/columns/security/noarch.asp:
"Providing a recipe for exploiting a vulnerability doesn?t aid administrators in protecting their networks. In the vast majority of cases, the only way to protect against a security vulnerability is to apply a fix that changes the system behavior and eliminates the vulnerability; in other cases, systems can be protected through administrative procedures. But regardless of whether the remediation takes the form of a patch or a workaround, an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin."
This is Microsoft's opinion in a nutshell: Don't worry about the details, we'll take care of you. That doesn't surprise me for end-users, but for administrators? When I see a bug announcement with a detailed example, such as the ftp_conntrack bug in iptables, it is tremendously advantageous to actually understand the bug and how to deal with it. In that case, several workarounds suggested themselves, because the bug only afected RELATED connections.
Now take the MS paradigm: I wait until they release a patch, or detailed instructions which I should follow by rote. Of course, I am affected by the vulnerability longer; furthermore, I get no transferable knowledge from the experience. Next time there's a similar bug, I just have to wait, again, instead of being able to invent a workaround.
Sure, it's _possible_ to implement a workaround when I don't understand the vulnerability, but I sure feel a lot better when I understand the problem AND the solution. I simply don't understand how this MS scheme (where everyone is an unenlightened end-user, waiting for cryptically-named patches which they don't understand) could appeal to any business OR home user. By assuming that even its administrators are unqualified to do manual reconfiguration by themselves, or even really understand what they're doing with the OS, MS has effectively crippled their fleet of administrators. And this, ultimately, is why the NT(2k/xp, whatever)platform is the huge, gaping security hole it is.
I simply can't believe the arrogance and stupidity of the statement above.
"...an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin."
I think that speaks for itself.
Where the fuck do you people get the right to start talking about infosec and the world trade center attacks???? I worked there and lost 700 co-workers and posts like this just show how lame people in general really are. And how is an attack on 1 world trade center a military attack??? I don't recall peopel working in that tower working for the US government!!!
People get a life, will you?!?!
The difference is that mistakes in the physical world are generally much more difficult, costly, and time-consuming to fix even if they are known.
Software vulnerabilities are rarely unfixable, and usually fixable without any serious disruption to the user.
Physical vulnerabilities may require massive construction projects, forced relocations, and so forth. If there's nothing that *can* be done immediately, too much publicity is bad. It brings out the nut cases who want to get on TV.
But I must disagree with your first statement: If all they were doing was attacking the Pentagon then that was a reasonable and legitimate military action (but it still was wrong for reasons I state below). But attacking the WTC was NOT a legitimate military operation and constituted an act of terrorism. If whoever did this believes they are fighting a war of some kind against the U.S. then - whether we like it or not - the Pentagon was a valid target for attack. Intentionally targeting a civilian structure that does not provide either military operations or military support changes you from a legitimate military operation into criminals. This was settled more than 30 years ago with the trial of Lt. Calley in the Mei Lai Massacre incident. But beyond that, legitimate civilized conduct of any military operation doesn't grab civilian transports and intentionally kill noncombatants.
If they had used planes without civilians on the Pentagon attack or pulled a McVeigh by using a truck bomb there, I'd have no argument that it was a legitimate military attack. But when you intentionally target noncombatants, you're no longer a soldier or a legitimate military, you cross the line into terrorism and criminality.
There's already been a example of this on the TV Show Law and Order where someone figured out a way to reprogram a hospital's insulin pumps to randomly kill some patients because they didn't like one of the doctors who was an owner of the place. That this example of a computer virus killing people is a fictional incident does not make the possibility of a real one that might someday do so any less credible. All I can respond to that is fortunately that is the situation now and for the moment that we've been lucky. If only those hypocrites who allegedly support the Muslim religion through violence would practice what they preach and stay as ignorant as they want everyone else to be made, then there wouldn't be too much of a problem. Unfortunately, the possibility of infowar is very real and will happen eventually. Just like those who predicted serious terrorist attacks on the U.S. would be coming: We just don't know when.Paul Robinson <Postmaster@paul.washington.dc.us>
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
Consider someone using a hijacked plane to destroy a building and make it unusable.
Now consider someone using a compromised computer to generate a denial of service attack upon a major site and make it inaccessible.
I think the analogy is very close.
Now, let's ask the question: Let's say someone figured out that you could slip box cutters and knives onto a plane and use them to hijack it. Would publicising this help? Well, considering that almost anyone who thought about it could figure it out, you wouldn't be giving anyone any new ideas. The exact same thing has been pointed out many times in a number of books and even done as a plot device in some movies, so it's not like it's a secret. Therefore, making such information public might have helped people be aware of vulnerabilities. But if the passengers on the Pennsylvania plane hadn't known about the other attacks as soon as possible we might also be comiserating the destruction of the White House, too.
Once the 'exploit' was known - that there were hijackers taking planes and using them as bombs - then making people aware of the danger - fully informing everyone, including passengers on the plane in Pennsylvania - resulted in preventing further attacks from occurring. Even if the hijackers knew that the passengers knew, they can still fight back against them. Full disclosure informs everyone and can give some people the opportunity to stop something from happening.
It is arguable that those involved are allegedly in some sort of (what they call) a holy war or 'jihad'. If the World Trade Center had been, say, a privately-owned factory building armaments for the Military, then it would have been a legitimate military target, same as the Pentagon. But the fact of the matter is that even if they were legitimately fighting a war, when you intentionally target non-combatant civilians you're not a soldier, you're a criminal and the organization you operate within, if it sanctions this, is a terrorist organization.Paul Robinson <Postmaster@paul.washington.dc.us>
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.