Schneier On Full Disclosure
Bruce let me know that he's written a piece on ZDNet (the Window of Exposure idea originally appeared on Counterpane) about the problems of not following full disclosure. Very well written, and it does a great job of summarizing why full disclosure works. The original piece from Culp @ Microsoft is also available, along with the PowerPoint that they did.
ohh how i want fp...
shouts to the good dr.acula
-
I'd like to disclose everything for you guys.
baby
I will become a god one day. I will live forever and remake the universe in my image.
FIRST FUCKING POST BITCHES!!!
Oh yeah... can't beat the llama...
mcdougal
shoutouts to mick, the TPM
First Post for Jesus !!! !!
"culp-ability" for nothing, I guess. :(
Bruce left me know
at least he didn't right you know, that would have been devastating.
Full disclosure may be good, but full exposure will get you thrown in jail!
"People that quote themselves in their signatures bother me" - athakur999
This could be the start of the end for MS. Since Full Disclosure is obviously the only way to go, and seeing as MS's software is pretty buggy and not very secure (mainly out of the box), they are proving to the world that they don't want people to know just exactly how buggy their software is.
my butt is kind of sweaty today. I little bit of moisture in the butt crack - it is very uncomfortable. My taint is a little musty also.
That's at least two spelling errors I could catch, and the style as a whole sucks.
I recommend spending at least 10 seconds on writing a Slashdot post.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
would you extend these arguments to support it in non-virtual security? Should the CIA and other international organizations use full exposure? Should they publish something titled, "This is the vulnerability of our Nuclear Piles"? "This is where you can cross the border undetected", "This is how to make a Fake ID?"
-pyrrho
Everybody seems to like "Full Disclosure," so here at Microsoft, we've decided to begin releasing all security vulnerabilities under a "Shared Disclosure" policy. Once the various NDAs are signed, you too can view and work with any security vulnerabilities that we know about.
Just another example of how Microsoft listens to and responds to customer requests. Have a nice day!
If a tree fell on a florist, and nobody was around to hear it, would he make a noise?
Michael Loves Me!
"Culp compares the practice of publishing vulnerabilities to shouting "Fire" in a crowded movie theater. What he forgets is that there actually is a fire, the vulnerabilities exist regardless. Blaming the person who disclosed the vulnerability is like imprisoning the person who first saw the flames."
On a site where 9999 out of 10000 submissions get rejected, I can understand submitters not double-checking their spelling every time. On the other hand, ./ posts, what, 20 or so stories a day? Let the poster give it a once-over.
Even better, I heard there is "spell-checking" software in development somewhere. If it's GPL'ed, maybe Rob will stick it into the next slash release? This is just off the top of my head.
From the powerpoint slide:
Grace Period
Purpose: Give users a reasonable interval during which to protect their systems against newly reported vulnerabilities
- Begins with public notice of vulnerability, and lasts for 30 days
- Is immediately curtailed if vulnerability becomes actively exploited
Do I read this correctly? Does this mean that when an exploit is shown to exist in the wild, then they immediately switch to "full disclosure" mode? This means that there is now an incentive to put an exploit in the wild: it means you can publish your work. Even if you leak the exploit surreptitiously.
I know I must be preaching to the choir here, but, this seems exceedingly stupid. Am I missing something?
If guns kill people, then CmdrTaco's keyboard misspells words.
Oh, does this mean the software vendors will establish some *real* Quality Assurance in their development process and produce software without bugs?? :*)
blurring out...
Culp makes a lot more sense than he's given credit for, and a lot of his points have been taken out of context. The procedure he outlines seems very reasonable to me:
"Most of the security community already follows common-sense rules that ensure that security vulnerabilities are handled appropriately. When they find a security vulnerability, they inform the vendor and work with it while the patch is being developed. When the patch is complete, they publish information discussing what products are affected by the vulnerability, what the effect of the vulnerability is... and what users can do to protect their systems....
"Some security professionals go the extra mile and develop tools that assist users in diagnosing their systems and determining whether they are affected by a particular vulnerability. This too can be done responsibly...
Let's not stir that bag of worms...
In the case of national security, the government has strong motivations to fix any security leak they find. As Bruce Schneier has pointed out in the past, commercial software isn't held to the same high standards... although we're entering an era where perhaps it should be, at least in part.
if and when I have a nuclear stockpile installed in my backyard I'd certainly want the CIA to notify me of any vulnerabilities.
But your analogy is seriously flawed. Governments, like all bureaucracies, strive first and foremost to avoid bad publicity and/or responsibility for their actions. That's why openness, accountability, and yes -- full disclosure are important. There is always a gray area in terms of giving the relevant corporation/agency advance notice and some limited exceptions for national security.
But you need not worry about the balance tilting too far. The CIA might publish a guidebook on torture, but it wouldn't publish a guide on getting a fake ID/passport. Hence it's so rare for teenagers or illegal aliens to get any fake documents at all.
When in doubt, have a man come through a door with a gun in his hand.
> Ethics and intelligence aren't a package deal
! Love the fact that's in a MSFT article.
In his essay, Culp compares the practice of publishing vulnerabilities to shouting "Fire" in a crowded movie theater. What he forgets is that there actually is a fire, the vulnerabilities exist regardless.
Slam.
...is starting the widespread debate on issues that many people need to consider.
Computer/network/internet security issues have been around a long time; perhaps now it will be more of a factor in management decision making.
The "fire" quote is really taken out of context.
In the article, the quote serves as reminder that there are times when free speech needs to be curtailed. He is not suggesting it as a metaphor for the entire situation.
The article is riddled with this sort of straw man fallacy.
Let's not stir that bag of worms...
but by the same token, releasing information about a vulnerability is admitting that your application is flawed. This also harms the reputation of your product among some user groups. With Windows XP Microsoft has conclusively proven that their target market is People Who Don't Know What A Mouse Is; these are the same people who would react most negatively to MS security alerts.
At least he admitted this to a certain degree and made certain to point out how absolutely stupid some of the Full Disclosure arguments have been.
I don't think there are two opinions on this, it's more multi-faceted than that. In many ways Schneier agrees with Microsoft... actually in most ways he agrees.
He just has a few points that he has some disagreement with.
Meanwhile there is this large group who can't see the forest for the trees that keeps vilifying Mr. Culp and arguing that script kiddie tools are the only way to ensure security. "We must destroy the world to prove to people that destroying the world is bad!" would best describe the attitude.
But notice how Schneier says such people are idiots?
vendors didn't have any motivation to fix vulnerabilities. CERT wouldn't publish until there was a fix, so there was no urgency. It was easier to keep the vulnerabilities secret. There were incidents of vendors threatening researchers if they made their findings public, and smear campaigns against researchers who announced the existence of vulnerabilities (even if they omitted details). And so many vulnerabilities remained unfixed for years.
Perhaps it was pointed out that codered et al had patches a month ahead of time.
But, in the same breath/stroke it was mentioned by MS that their method of informing and distributing about patches/vulnerabilities was/is "confusing".
And the article by Culp almost says in effect "we don't want vulnerabilities known so we can stop writing patches and bugfixes or do it when "we" feel like it".
The whole "rely solely on the vendor" schtick is coming full circle it seems.
The author pointed out that is the way "it used to be" and it seems Microsoft is pushing for it to be that way again.
If it is not on fire, it is a software problem.
wats de diff between flamebait, offtopic and troll when the moderaterts mod a comment? i think this is goign to be offtopic cause dats what most of my comments are, but this could still be called a troll or flamebait
1. Discover the vulnerability.
2. Write code to exploit the vulnerability.
3. Arrange with an industry journalist to demonstrate the exploit.
Then it comes down to MS PR vs. journalistic integrity.
P.S. Don't even THINK about doing this unless you're cool with MS buying all the trade rags...
Wow, what a troll. The CIA being an "international organization" is a dead giveaway. The other is the fantastic false analogy between buggy PC software and nuclear bombs. No organization currently mass produces nuclear weapons for daily use on every desktop. No one here would recommend such things.
At the same time, some countries like the USA recognize that free thought is needed for scientific development and that full disclosure and broad education are in the public interest. While the particular technical details of how to build bombs are kept secret, the physical principles are trumpeted and encouraged. Indeed public debate on principles is encouraged, as free discourse leads to knowledge. "Freedom is the ability to say two plus two is four, all else follows", said George Orwell's sad character in 1984. While the Department of Energy and their employees might not tell us details, they will not keep you or me from talking about it. With sufficient study at any good US University, a person can learn all they need to know about bomb design. Knowledge is not yet viewed as evil. The truth will set you free and only the free can be sure they know the truth.
M$, Adobe, RIAA, MPAA and other private interests are going a step further than cold warriors with their "information anarchy" campaign. Such blatant censorship is un-American and against the public interest. They will be defeated in the long run, as will trolls like you.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
http://www.microsoft.com/technet/treeview/defau
- Code Red: Microsoft worm.
- Lion: Linux worm
- Sadmind: Solaris worm that affected Microsoft OS's (*ack* if you can call them OS's!)
- Ramen: Linux worm
- Nimda: Microsoft worm
Now that means that a "representative" list of worms would contain 50% Microsoft worms, 40% Linux worms, and 10% Solaris worms. It's good to see Microsoft presenting a legitimate picture of what's going on. C'mon!! Windows practically breeds worms! Linux has had how many? 4, 5? Morris, Ramen, Lion, Adore. That's all I can come up with. Now, do I start listing the Microsoft worms (not to mention virii)?...-------------
All your sig are belong to us.
IWARS.
People, in general, disappoint me. Politicians even more so.
Culp has a point when he talks about responsibility. (Ironically, of course, Scott is avoiding "mea Culpa.")
Ouch...
and referring to the Culp article again, with the DMCA in effect, it is a lot easier "to shut ppl up about MS's vulnerabilities than it is to fix them."
OOOoooo...that really hits home.
If it is not on fire, it is a software problem.
Parent post does not link to goatse.cx!
The argument that you can't just shout "fire" in a crowded theater entered the law in Schenck v. United States, 249 U.S. 47, 52 (1919). This was a Supreme Court case concerning whether the government may suppress pamphlets encouraging people to resist the draft. Although I think that case may have been correctly decided (with the distinction being expressing opposition to the draft versus encouraging people to violate the draft law), I wonder if the Court realized they were treading on, or near thin ice, when they used the "Fire" analogy.
So it is with people who use the analogy today. Whenever someone start comparing some kind of speech to shouting "Fire" in a crowded theater, don't get carried away by the emotional appeal but keep an eye on your rights, lest someone try to make off with them.
While it is certainly up to the vendor to release as bug-free code as possible, I disagree with his exoneration here. "If you don't know how to use it, don't" holds true regardless of what OS we're talking about. A Unix sysadmin that doesn't patch his/her box(es) is as much to blame as an MS sysadmin who fails to do so as well.
Whether or not the amount of exploits for IIS are a direct result of how widely it is used outside of the "heavy metal" internet server arena is anybody's guess. But to even suggest that the sysadmins should say "oh, fuck it. It's the vendor's fault" is a bit like putting one's network in the hands of God... maybe it will be OK, and most likely it won't.
is not about shouting "fire" in a crowded room.
It is about lighting a "fire" under a vendors ass.
Perhaps so Culp does not forget this point he should take the advice in another story and "tattoo it on his butt" if he needs to.
And not in invisible ink, btw.
If it is not on fire, it is a software problem.
What the hell is "Taco-snotting" and why does this website's owner keep emailing me about it? Sorry if this is offtopic, but your webmaster is verging on harassment. He included lewd pictures of his penis last time!!
Meaning:
It Isn't Secure.
How apropos.
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
This seems to me to kind of parallel biology. In an environment where exploits are not discussed, there is a smaller penalty for buggy software. With increased discussion, the software that remains will be the software that is more secure, or that evolves to be made more secure.
So how does Microsoft survive? Is it a virus?
JET Program: see Japan, meet intere
COMMENTARY-- Microsoft is leading the charge to restrict the free flow of security vulnerabilities.
Last month Scott Culp, manager of the security response center at Microsoft, published an essay describing the current practice of publishing security vulnerabilities to be "information anarchy." He claimed that we'd all be a lot safer if researchers would keep details about vulnerabilities to themselves, and stop arming hackers with offensive tools. Last week, at Microsoft's Trusted Computing Forum, Culp announced a new coalition to put these ideas into practice.
This is the classic "bug secrecy vs. full disclosure" debate. I've written about it previously in Crypto-Gram; others have written about it as well. It's a complicated issue with subtle implications all over computer security, and it's one worth discussing again.
The Window of Exposure
I coined a term called the "Window of Exposure" to explain the evolution of a security vulnerability over time. A vulnerability is a bug; it's a programming mistake made by a programmer during the product's development and not caught during testing. It's an opening that someone can abuse to break into the computer or do something normally prohibited.
Assume there's a vulnerability in a product and no one knows about it. There is little danger, because no one knows to exploit the vulnerability. This vulnerability can lie undiscovered for a short time -- Windows XP vulnerabilities were discovered before the product was released -- or for years. Eventually, someone discovers the vulnerability. Maybe it's a good guy who tells the developer. Maybe it's a bad guy who exploits the vulnerability to break into systems. Maybe it's a guy who tells no one, and then someone else discovers it a few months later. In any case, once someone knows about the vulnerability, the danger increases.
Eventually, news of the vulnerability spreads. Maybe it spreads amongst the security community. Maybe it spreads amongst the hacker underground. The danger increases as more people learn about the vulnerability. At some point, the vulnerability is announced. Maybe it's announced on Bugtraq or another vulnerability Web site. Maybe it's announced by the security researcher in a press release, or by CERT, or by the software developer. Maybe it's announced on a hacker bulletin board. But once it's announced, the danger increases even more because more people know about it.
Then, someone writes an exploit: an automatic tool that exercises the vulnerability. This is an inflection point, and one that doesn't have a real-world analog for two reasons. One, software has the ability to separate skill from ability. Once a tool is written, anyone can exploit the vulnerability, regardless of his skill or understanding. And two, this tool can be distributed widely for zero cost, thereby giving everybody who wants it the ability. This is where "script kiddies" come into play: people who use automatic attack tools to break into systems. Once a tool is written, the danger increases by orders of magnitude.
Then, the software developer issues a patch. The danger decreases, but not as much as we'd like to think. A great many computers on the Internet don't have their patches up to date; there are many examples of systems being broken into using vulnerabilities that should have been patched. I don't fault the sysadmins for this; there are just too many patches, and many of them are sloppily written and poorly tested. So while the danger decreases, it never gets back down to zero.
You can think of this as a graph of danger versus time, and the Window of Exposure as the area under the graph. The goal is to make this area as small as possible. In other words, we want there to be as little danger as possible over the life cycle of the software and the particular vulnerability. Proponents of bug secrecy and proponents of full disclosure simply have different ideas for achieving that.
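The "area under the danger-versus-time graph" idea can be made concrete with a toy calculator. The following Python is an added example, not part of Schneier's essay or of this thread: it models danger as a piecewise-constant level that steps up at each life-cycle event (discovery, spread, announcement, exploit tool) and drops, but not to zero, once a patch ships, then integrates that level over a year. Every phase name, danger level, residual fraction and event day below is constructed for illustration; only the ordering of the steps follows the essay.

```python
"""Toy Window of Exposure calculator (added example, constructed numbers)."""

# Constructed danger level for each phase. The ordering follows the essay:
# every event raises the danger, and an automatic exploit tool raises it by
# orders of magnitude because skill is no longer required to use the bug.
PHASE_DANGER = {
    "discovered": 1.0,     # someone knows about the bug
    "spreading": 2.0,      # word travels in the security or hacker community
    "announced": 4.0,      # public announcement (Bugtraq, CERT, vendor)
    "exploit_tool": 40.0,  # point-and-click exploit exists
}

# Constructed: a patch cuts danger to this fraction of the pre-patch level,
# because many systems are never patched promptly (danger never reaches zero).
RESIDUAL_AFTER_PATCH = 0.25


def danger_at(day, events):
    """Danger level in force on `day`, given a map of phase -> start day.

    The optional "patch" key is the day the vendor patch shipped.
    """
    level = 0.0
    for phase, start in events.items():
        if phase != "patch" and day >= start:
            level = max(level, PHASE_DANGER[phase])
    patch_day = events.get("patch")
    if patch_day is not None and day >= patch_day:
        level *= RESIDUAL_AFTER_PATCH
    return level


def window_of_exposure(events, horizon):
    """Area under the danger curve from day 0 to `horizon` (in danger-days).

    The curve is constant between event days, so the integral is the sum of
    level * width over the intervals between consecutive breakpoints.
    """
    breakpoints = sorted({0.0, float(horizon),
                          *(float(d) for d in events.values() if d < horizon)})
    area = 0.0
    for start, end in zip(breakpoints, breakpoints[1:]):
        area += danger_at(start, events) * (end - start)
    return area


# Two constructed timelines for the same hypothetical vulnerability.
# Bug secrecy: the finder tells only the vendor, the bug leaks to the
# underground anyway, a tool appears before any public warning, and the
# vendor, under no public pressure, patches late.
BUG_SECRECY = {"discovered": 0, "spreading": 60, "exploit_tool": 120, "patch": 300}

# Full disclosure with advance notice: vendor told on day 0, public
# announcement on day 14, patch on day 21, exploit tool on day 30.
FULL_DISCLOSURE = {"discovered": 0, "spreading": 14, "announced": 14,
                   "patch": 21, "exploit_tool": 30}


def compare(horizon=365):
    """Window of Exposure for both timelines over one year."""
    return {name: window_of_exposure(ev, horizon)
            for name, ev in (("bug_secrecy", BUG_SECRECY),
                             ("full_disclosure", FULL_DISCLOSURE))}


if __name__ == "__main__":
    for name, area in compare().items():
        print(f"{name:16s} window of exposure = {area:8.1f} danger-days")
```

The numbers are knobs, not findings: moving the disclosure scenario's `exploit_tool` day before the `patch` day, or stretching the secrecy scenario's patch out further, is how to see which term dominates. In this model the area is governed almost entirely by how long the highest-danger phase lasts before a patch and by the residual danger from unpatched systems, which is the essay's point about what the two camps are actually arguing over.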
History of full disclosure
During the early years of computers and networks, bug secrecy was the norm. When users and researchers found vulnerabilities in a software product, they would quietly alert the vendor. In theory, the vendor would then fix the vulnerabilities. After CERT was founded in 1988, it became a clearing house for vulnerabilities. People would send newly discovered vulnerabilities to CERT. CERT would then verify them, alert the vendors, and publish the details (and the fix) once the fix was available.
The problem with this system is that the vendors didn't have any motivation to fix vulnerabilities. CERT wouldn't publish until there was a fix, so there was no urgency. It was easier to keep the vulnerabilities secret. There were incidents of vendors threatening researchers if they made their findings public, and smear campaigns against researchers who announced the existence of vulnerabilities (even if they omitted details). And so many vulnerabilities remained unfixed for years.
The full disclosure movement was born out of frustration with this process. Once a vulnerability is published, public pressures give vendors a strong incentive to fix the problem quickly. For the most part, this has worked. Today, many researchers publish vulnerabilities they discover on mailing lists such as Bugtraq. The press writes about the vulnerabilities in the computer magazines. The vendors scramble to patch these vulnerabilities as soon as they are publicized, so they can write their own press releases about how quickly and thoroughly they fixed things. The full disclosure movement is improving Internet security.
At the same time, hackers use these mailing lists to learn about vulnerabilities and write exploits. Sometimes the researchers themselves write demonstration exploits. Sometimes others do. These exploits are used to break into vulnerable computers and networks, and greatly decrease Internet security. In his essay, Culp points to Code Red, Li0n, Sadmind, Ramen, and Nimda as examples of malicious code written after researchers demonstrated how particular vulnerabilities worked.
Those against the full-disclosure movement argue that publishing vulnerability details does more harm than good by arming the criminal hackers with tools they can use to break into systems. Security is much better served, they counter, by keeping the exact details of vulnerabilities secret.
Full-disclosure proponents counter that this assumes that the researcher who publicizes the vulnerability is always the first one to discover it, which simply isn't true. Sometimes vulnerabilities have been known by attackers (sometimes passed about quietly in the hacker underground) for months or years before the vendor ever found out. The sooner a vulnerability is publicized and fixed, the better it is for everyone, they say. And returning to bug secrecy would only bring back vendor denial and inaction.
That's the debate in a nutshell: Is the benefit of publicizing an attack worth the increased threat of the enemy learning about it? Should we reduce the Window of Exposure by trying to limit knowledge of the vulnerability, or by publishing the vulnerability to force vendors to fix it as quickly as possible?
What we've learned during the past eight or so years is that full disclosure helps much more than it hurts. Since full disclosure has become the norm, the computer industry has transformed itself from a group of companies that ignores security and belittles vulnerabilities into one that fixes vulnerabilities as quickly as possible. A few companies are even going further, and taking security seriously enough to attempt to build quality software from the beginning: to fix vulnerabilities before the product is released. And far fewer problems are showing up first in the hacker underground, attacking people with absolutely no warning. It used to be that vulnerability information was only available to a select few: security researchers and hackers who were connected enough in their respective communities. Now it is available to everyone.
This democratization is important. If a known vulnerability exists and you don't know about it, then you're making security decisions with substandard data. Word will eventually get out -- the Window of Exposure will grow -- but you have no control, or knowledge, of when or how. All you can do is hope that the bad guys don't find out before the good guys fix the problem. Full disclosure means that everyone gets the information at the same time, and everyone can act on it.
And detailed information is required. If a researcher just publishes vague statements about the vulnerability, then the vendor can claim that it's not real. If the researcher publishes scientific details without example code, then the vendor can claim that it's just theoretical. The only way to make vendors sit up and take notice is to publish details: both in human- and computer-readable form. (Microsoft is guilty of both of these practices, using their PR machine to deny and belittle vulnerabilities until they are demonstrated with actual code.) And demonstration code is the only way to verify that a vendor's vulnerability patch actually patched the vulnerability.
This free information flow, of both description and proof-of-concept code, is also vital for security research. Research and development in computer security has blossomed in the past decade, and much of that can be attributed to the full-disclosure movement. The ability to publish research findings -- both good and bad -- leads to better security for everyone. Without publication, the security community can't learn from each other's mistakes. Everyone must operate with blinders on, making the same mistakes over and over. Full disclosure is essential if we are to continue to improve the security of our computers and networks.
Bug secrecy example
You can see the problems with bug secrecy in the digital-rights-management industry. The DMCA has enshrined the bug secrecy paradigm into law; in most cases it is illegal to publish vulnerabilities or automatic hacking tools. Researchers are harassed, and pressured against distributing their work. Security vulnerabilities are kept secret. And the result is a plethora of insecure systems, their owners blustering behind the law hoping that no one finds out how bad they really are.
The result is that users can't make intelligent decisions on security. Here's one example: A few months ago, security researcher Niels Ferguson found a security flaw in Intel's HDCP Digital Video Encryption System, but withheld publication out of fear of being prosecuted under the DMCA. Intel's reaction was reminiscent of the pre-full-disclosure days: they dismissed the break as "theoretical" and maintained that the system was still secure. Imagine you're thinking about buying Intel's system. What do you do? You have no real information, so you have to trust either Ferguson or Intel.
Here's another: A few weeks ago, a release of the Linux kernel came without the customary detailed information about the OS's security. The developers cited fear of the DMCA as a reason why those details were withheld. Imagine you're evaluating operating systems: do you feel more or less confident about the security of the Linux kernel version 2.2, now that you have no details?
Full disclosure and responsibility
Culp has a point when he talks about responsibility. (Ironically, of course, Scott is avoiding "mea Culpa.") The goal here is to improve security, not to arm people who break into computers and networks. Automatic hacking tools with easy point-and-click interfaces, ready made for script kiddies, cause a lot of damage to organizations and their networks. There are such things as responsible and irresponsible disclosure. It's not always easy to tell the difference, but I have some guidelines.
First, I am opposed to attacks that primarily sow fear. Publishing vulnerabilities that there's no real evidence for is bad. Publishing vulnerabilities that are more smoke than fire is bad. Publishing vulnerabilities in critical systems that cannot be easily fixed and whose exploitation will cause serious harm (e.g., the air traffic control system) is bad.
Second, I believe in giving the vendor advance notice. CERT took this to an extreme, sometimes giving the vendor years to fix the problem. I'd like to see the researcher tell the vendor that he will publish the vulnerability in a few weeks, and then stick to that promise. Currently CERT gives vendors 45 days, but will disclose vulnerability information immediately for paid subscribers. Microsoft proposes a 30-day secrecy period. While this is a good idea in theory, creating a special insider group of people "in the know" has its own set of problems.
Third, I agree with Culp that it is irresponsible, and possibly criminal, to distribute easy-to-use exploits. Reverse-engineering security systems, discovering vulnerabilities, writing research papers about them, and even writing demonstration code, benefits research; it makes us smarter at designing secure systems. Distributing exploits just makes us more vulnerable. I'd like to get my hands on the people who write virus creation kits, for example. They've got a lot to answer for.
This is not clear-cut: there are tools that do both good and bad, and sometimes the difference is merely marketing. Dan Farmer was vilified for writing SATAN; today vulnerability assessment tools are viable security administration products. Remote administration tools look a lot like Back Orifice (although less feature-rich). L0phtCrack is a hacker tool to break weak passwords as a prelude to an attack, but LC 3.0 is sold as a network administration tool to test for weak passwords. And the program that Dmitry Sklyarov was arrested for writing has legitimate uses. In fact, most tools have both good and bad uses, and when in doubt I believe it is better to get the information in the hands of people who need it, even if it means that the bad guys get it too.
One thing to pay attention to is the agenda of the researcher. Publishing a security vulnerability is a play for publicity; the researcher is looking to get his own name in the newspaper by successfully bagging his prey. The publicizer often has his own agenda: he's a security consultant, or an employee of a company that offers security products or services. I am a little tired of companies that publish vulnerabilities in order to push their own product or service. Although, of course, a non-altruistic motive does not mean that the information is bad.
I like the "be part of the solution, not part of the problem" metric. Researching security is part of the solution. Convincing vendors to fix problems is part of the solution. Sowing fear is part of the problem. Handing attack tools to clueless teenagers is part of the problem.
The inevitability of security vulnerabilities
None of this would be an issue if software were engineered properly in the first place. A security vulnerability is a programming mistake: either an out-and-out mistake like a buffer overflow, which should have been caught and prevented, or an opening introduced by a lack of understanding the interactions in a complex piece of code. If there were no security vulnerabilities, there would be no problem. It's poor software quality that causes this mess in the first place.
While this is true -- software vendors uniformly produce very shoddy software -- the sheer complexity of modern software and networks means that vulnerabilities, lots of vulnerabilities, are inevitable. They're in every major software package. Each time Microsoft releases an operating system they crow about how extensive the testing was and how secure it is, and every time it contains more security vulnerabilities than the previous operating system. I don't believe this trend will reverse itself anytime soon.
Vendors don't take security seriously because there is no market incentive for them to, and no adverse effects when they don't. I have long argued that software vendors should not be exempt from the product liability laws that govern the rest of commerce. When this happens, vendors will do more than pay lip service to security vulnerabilities: they will fix them as quickly as possible. But until then, full disclosure is the only way we have to motivate vendors to act responsibly.
Microsoft's motives in promoting bug secrecy are obvious: it's a whole lot easier to squelch security information than it is to fix problems, or design products securely in the first place. Microsoft's steady stream of public security vulnerabilities has led many people to question the security of their future products. And with analysts like Gartner advising people to abandon Microsoft IIS because of all its insecurities, giving customers less security information about their products would be good for business.
Bug secrecy is a viable solution only if software vendors are followers of Edwards Deming's quality management principles. The longer a bug remains unfixed, the bigger a problem it is. And because the number of systems on the Internet is constantly growing, the longer a security vulnerability remains unfixed, the larger the window of exposure. If companies believe this and then act accordingly, then there is a powerful argument for secrecy.
However, history shows this isn't the case. Read Scott Culp's essay; he did not say: "Hey guys, if you have a bug, send it to me and I'll make sure it gets fixed pronto." What he did was to rail against the publication of vulnerabilities, and ask researchers to keep details under their hats. Otherwise, he threatened, "vendors will have no choice but to find other ways to protect their customers," whatever that means. That's the attitude that makes full disclosure the only viable way to reduce the window of vulnerability.
In his essay, Culp compares the practice of publishing vulnerabilities to shouting "Fire" in a crowded movie theater. What he forgets is that there actually is a fire, the vulnerabilities exist regardless. Blaming the person who disclosed the vulnerability is like imprisoning the person who first saw the flames. Disclosure does not create security vulnerabilities; programmers create them, and they remain until other programmers find and remove them. Everyone makes mistakes; they are natural events in the sense that they inevitably happen. But that's no excuse for pretending that they are caused by forces out of our control, and mitigated when we get around to it.
Bruce Schneier is the founder and Chief Technical Officer of Counterpane Internet Security, Inc.
The Slashdot Effect: A new for
> By analogy, this isn't a call for
> people for give up freedom of speech;
> only that they stop yelling fire in
> a crowded movie house.
Another wonderful analogy!
Security professionals have been yelling "fire" in crowded movie houses for years. Most of the actual patrons fail to pay any attention, despite the fact that the seats are made of explosively flammable materials, the management allows patrons to smoke cigarettes in the theatre, and occasionally the movie is interrupted by ushers dousing patrons with fire hoses if they are noticeably ablaze. Patrons who do catch fire are not offered a refund, nor a credit for those parts of the movie that they miss, nor even so much as an apology.
--- Zygo Blaxell (zblaxell, feedme.hungrycats.org)
I refuse to believe corporations are people until Texas executes one. -- desert rain on http://www.dailykos.com/user/
But when BIND does the same thing, oh then it's fine, no problem, it's okay, no big deal, etc..
Great article, however...
Schneier always mentions that you have to watch out for people's motivations. In this case, he should point out that his company makes its living watching for bugs/hacking/vulnerabilities in the systems of the customers that it monitors. He usually does this, but I definitely see it as fodder for Culp to throw back in his face. If the bugs were hidden, Counterpane would have a lot harder time knowing what to look for.
I really liked the point about software companies being liable for the software they produce. The implication from his article was that a firewall manufacturer isn't liable if a hacker breaks in because of shoddy code in their firewall. Is this true? Anyone know of (or have a subscription to one of those cool legal services) any legal cases that have proved or disproved this?
It seems pretty fundamental.
Rudy
1. 2.
In the third case, the people there were informed about the attack and were able to stop it in time, because they had full disclosure of what was happening in the other cases.
Now, looking at these two security exploits, which do you think was the better solution, the passengers who were unaware of what was happening until their planes crashed into the World Trade Center buildings, or the ones who were informed and fought back?
Paul Robinson <Postmaster@paul.washington.dc.us>
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
For example, the auto industry. If you buy a new/used car and it is a lemon or has massive faults that can cause serious damage, the vendor is expected to state those faults.
I have two children and ANYTIME there is even the slightest risk of problems with the products we have bought for them, the vendor says don't use it any more.
You would think that Microsoft would have learned from Firestone/Ford....
I really think you've misunderstood what the debate is about.
Obviously, people with affected systems need to be informed of information on how to protect their systems - the debate is on what level of extra detail to provide (sample exploit code, more or less tech info, etc..)
In your simple scenario, obviously the solution is simple.
Just yesterday, I discovered a vulnerability on a certain government site. I told them and they fixed it. This isn't the sort of problem we're talking about.
Let's not stir that bag of worms...
I like this piece from the MS article:
By analogy, this isn't a call for people for give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.
So, now you know, don't yell fire in a crowded movie house!
I am just wondering if the argument also applies when there is fire in the movie theater or, by analogy, when there is a serious vulnerability just discovered.
The whole point of crying "fire" is to alert everybody and prompt them to act quickly; disclosing a vulnerability is about the same.
Almost every piece of commercial software you install these days has something in the license like (taken from the Red Hat legalese):
"There is no warranty for the program, to the extent permitted by applicable law. Except when otherwise stated in writing the copyright holders and/or other parties provide the program "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the program is with you. Should the program prove defective, you assume the cost of all necessary servicing, repair, or correction."
Now someone explain to me why, when software vendors disavow all responsibility for their products, they should be granted some special status with regards to information about those products' misbehavior.
We instead need to find a Lever that is appropriate for today economic climate: Money.
I say, make Vendors financially responsible for the damages incurred during an exploit. We've all seen the outrageous dollar amounts attached to some of the random e-mail worms that exploit Microsoft's Software. Since Vulnerabilities are Programming Mistakes, why not make the same laws that govern other flawed products applicable to Software?
Wasn't Napster held liable for damages done because of their Software Product and Services? Why shouldn't Microsoft be held accountable because of damage done by means of their Software Products and Services? Heck, that might even be something appropriate to tack on the Settlement Agreement by Microsoft's Bitch^H^H^H^H^H^H^H^Hthe DoJ.
I don't think you can get the attention of any corporation unless you hit them where it hurts: the profit margin ... just my $0.02
Now, looking at these two security exploits, which do you think was the better solution, the passengers who were unaware of what was happening until their planes crashed into the World Trade Center buildings, or the ones who were informed and fought back?
I know you think the analogy is amusing but I assure you it isn't. I was in the WTC 1 when this happened and I assure you that it isn't amusing at all.
Your analogy is also flawed in that if you followed the rules Culp mentioned the people in the third plane would still know. Because an exploit in the wild means immediate disclosure. Notwithstanding that some security people would release an exploit just to get published.
So next time think before you open you mouth and conjure horrible memories just to be a sorry troll bastard.
Regards,
askipper22@hotmail.com
When software vendors become liable for data loss, and the associated costs, then they have a very strong financial incentive to fix bugs.
In the current model, even with full disclosure, the most they risk is sales loss due to bad PR, and to modernize the old saw, "nobody ever got fired for buying Microsoft".
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
It's not just what he says; it's how he says it. For some reason, the above sentence makes me think of a particular vendor.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The flames are a feature. They are there on purpose.
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
Am I the only one who remembers that M$ used the vulnerability holes in IE as a back door to snoop through M$N users' hard drives? Has anyone else noticed how many of the IE vulnerabilities for which M$ has nearly immediate patches (for a company that has regularly been late getting OS releases out the door)? While I am fairly sure that not all of the vulnerabilities in M$ products are back doors (it is a VERY complex system, after all), the company's behavior also makes me equally sure that some of those are what I call "bug doors", absolutely intentional trap doors.
I've pulled IE from my home M$-Windows systems (one for the games I cannot get on Linux and one for a system that captures music-keyboard MIDI data to a score, which is another thing that I cannot find for Linux), using IEradicator (http://www.98lite.net) and some registry tweaking, and I've got a couple of layers of firewall running, but I still want to know what holes are in those systems, my Linux boxes, and my Solaris system. I neither want my data stolen or corrupted, nor do I wish to contribute to damaging anyone else's system(s).
The script-kiddie issue is just one we must live with; A sysadmin can only get access to the same data as a script-kiddie can. If the sysadmin needs it, then with that right comes a responsibility to test and patch systems.
If non-disclosure is good for vendors and consumers, then *all* vendors would be pushing for non-disclosure - not just Microsoft. As it is, the *nix vendors are happy with the status quo, because they are reasonably happy with the quality of their software.
However, proof-of-concept code does not necessarily prove/disprove the presence of a threat. If the exploit addresses a particular subset of an overall fault, then just because the exploit fails does not mean that the fault has been fixed - see compiler optimisation "cheats" for example.
When the source is open, then the exploit can be more easily shown to be complete/incomplete - otherwise, the exploit either works/doesn't work - but that could imply a failing in the exploit code, or a partial workaround in the patch, which simply avoids the exploit.
I disagree with the author that there is no incentive for vendors to provide secure code - Secure Solaris being one example - but the customer must pay megabucks for such a promise, and compromise the customisability they expect.
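The point above, that a proof of concept failing against a patch does not show the underlying fault is gone, is easy to see on a toy case. The following is an added example, not code from the thread or from any vendor discussed here: a hypothetical file-serving function with a path-containment fault, a "patch" that only blocks the one published proof of concept, and a fix that addresses the fault itself. The base directory, the proof-of-concept string and the variant inputs are all constructed for the illustration.

```python
import posixpath

# Constructed document root for the example (assumption, not a real deployment).
BASE = "/srv/files"


def resolve_vulnerable(base, user_path):
    """Original flawed behaviour: join the user path to the base with no containment check."""
    return posixpath.normpath(posixpath.join(base, user_path))


def resolve_exploit_specific_patch(base, user_path):
    """A 'patch' aimed only at the published proof of concept: it rejects a leading '../'
    and nothing else, so the fault itself is untouched."""
    if user_path.startswith("../"):
        raise ValueError("rejected")
    return posixpath.normpath(posixpath.join(base, user_path))


def resolve_fixed(base, user_path):
    """A fix for the underlying fault: normalise first, then require that the result
    still lies under base, regardless of how the escape was spelled."""
    joined = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, joined]) != base:
        raise ValueError("rejected")
    return joined


def escapes_base(resolver, base, user_path):
    """True if the resolver yields a path outside base (fault present for this input);
    False if it rejects the input or keeps the result contained."""
    try:
        out = resolver(base, user_path)
    except ValueError:
        return False
    return posixpath.commonpath([base, out]) != base


# The single published proof of concept, and variants that exercise the same fault
# by a different route (all constructed for the example).
POC = "../etc/passwd"
VARIANTS = ["docs/../../etc/passwd", "./../etc/passwd", "/etc/passwd"]
BENIGN = "docs/readme.txt"   # a legitimate request that a correct fix must still allow


def audit(resolver, base=BASE):
    """Run the PoC, the variants and a benign request through a resolver.

    Returns a dict: whether the PoC escapes, which variants escape, and whether the
    benign request is still served. A resolver that passes only the PoC check is
    the 'patch that defeats the exploit, not the fault' case described in the thread.
    """
    benign_ok = True
    try:
        resolver(base, BENIGN)
    except ValueError:
        benign_ok = False
    return {
        "poc": escapes_base(resolver, base, POC),
        "variants_escaping": [v for v in VARIANTS if escapes_base(resolver, base, v)],
        "benign_ok": benign_ok,
    }


if __name__ == "__main__":
    for name, fn in [("vulnerable", resolve_vulnerable),
                     ("exploit-specific patch", resolve_exploit_specific_patch),
                     ("fixed", resolve_fixed)]:
        print(name, audit(fn))
```

Run as-is, the exploit-specific patch reports the proof of concept as blocked while every variant still escapes, which is exactly why a failing PoC on its own is weak evidence that a fault has been fixed; only the containment check makes all of them fail while the benign request still works.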
In his essay, Culp compares the practice of publishing vulnerabilities to shouting "Fire" in a crowded movie theater. What he forgets is that there actually is a fire, the vulnerabilities exist regardless. Blaming the person who disclosed the vulnerability is like imprisoning the person who first saw the flames.
Nuff Said.
Author, Shell Scripting : Expert Re
Now, I know I am opening myself to people making fun of my name, and over the years, many have done so. But, it is just too easy...
Since Mr. Culp is Microsoft's apologist, might his title at MS be Mea? That would make his full title then Mea Culpa?
Or, since they have found MS guilty of being a Monopoly, would that make this person in charge of culpability for MS?
ttyl
Farrell (running, ducking and hiding...)
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
because they give politicians lots of money
Can someone explain the benefits of "Full Disclosure" in a closed-source scenario such as bugs in IIS in Windows?
I'm not interested in arguments about open-source systems, or how vendors should be liable for bugs, etc...
I simply want to know why it makes sense to publicise the code for a vulnerability as opposed to saying "there's a bug in this area, we're working on a patch". What are the benefits?
I wonder: should we send Osama Bin Laden precise instructions for making Anthrax, Small-Pox, or Nuclear Weapons?
That's their fault for not using Debian.
There aren't enough sys admins to patch every version of Windows XP Home out there, or even every copy of Mac OS X. In the wild and wooly P2P world out there *every* machine is an internet server. How can we expect the entire user community to understand patches?
what better way to describe the "script kiddy" problem.
utter rubbish
Remember the difference with the software industry. If the DoJ puts up another border post, this automatically protects everyone from that vulnerability. A bug must be patched manually, and so must be announced to everyone concerned. Your example is analogous to Microsoft finding their own vulnerabilities and (because they're in software) publishing the patch on the Net.
Conversely, Full Disclosure *would* work if private citizens published this info. For example, say I find out how to cross the border. If I announce this to the world, the DoJ would scramble to fix the problem, thereby improving security. If they keep it under their hat, they may not necessarily be motivated to fix it (no budget, didn't feel like making the order, etc., etc..) So, just like in the software industry, Full Disclosure would cause the security agencies to act very quickly.
Actually, even without full disclosure they would act quickly. Using the aforementioned example, if I (say) publicized a border vulnerability, I would be promptly clapped in jail. So the agencies would still work - it's just that they would not do quite what we would want.
Your attitude is the classic example of the thinking of weak-minded and brainwashed morons who automatically respond with the knee-jerk reaction of "WHAT? You gave hackers info on security? Die, traitorous scum!" Next time, try to logically follow your own argument instead of engaging in slashdot posting diarrhea. And moderators! Who modded that clueless individual up in the first place?
-- ;-)
Kuro5hin.org: where the good times never end.
> Since full disclosure has become the norm, the computer industry has transformed itself from a group of companies that ignores security and belittles vulnerabilities into one that fixes vulnerabilities as quickly as possible. A few companies are even going further, and taking security seriously enough to attempt to build quality software from the beginning: to fix vulnerabilities before the product is released.
And Microsoft doesn't like fixing problems, let alone building quality in from the start. Those activities don't add anything to their bottom line; it's a waste of resources.
Microsoft doesn't like the new norm, therefore it doesn't like full disclosure. (Where's the surprise?)
To say nothing of the bad PR that hits the world's presses twice a week when the latest MS-specific exploit shows up at the disclosure site.
Sheesh, evil *and* a jerk. -- Jade
The latter technique, of course, worked admirably on flight 93, reducing losses by at least tens of millions of dollars, and possibly by billions. (If they'd been a little luckier they could have reduced the flight 93 loss to nearly nothing.) Flight 93 didn't rely on a single gov't action : private individuals and companies closed the information loop and then attempted to counteract the threat, while the gov't response had barely started. There are lessons here on how to build a civil defense infrastructure to better handle the future attacks.
Information security attacks are just as expensive as the direct costs of the 9-11 attacks, costing billions of dollars a year in direct financial losses (and billions more from disclosure of sensitive information). The only difference is that infosec attacks are diffuse and don't draw much attention, while an equivalent military attack is spectacular and extremely photogenic. (Attacking the first WTC tower was a military action. The second was a publicity stunt designed to increase indirect losses.) And don't anybody tell me that it's a poor comparison, that computer viruses don't cost lives and how can I be so insensitive. Suppose infosec attacks cost each American an average of one hour of their time each year. (Which is probably within an order of magnitude of being correct.) That's a total loss of 250 million man-hours. Assuming that the total work a person can do is 150000 hours/lifetime, that's 1700 human lifetimes squandered by infosec attacks each year. And that's not considering attacks against military and medical databases, and against industrial equipment, which can and do directly kill people.
People who think there cannot be an "Electronic Pearl Harbor" are in for quite a surprise, just as people who thought foreign affairs don't affect the modern American lifestyle were surprised on 9-11. Most current guerrillas lack the competence to carry out severe infosec attacks, but ignorance and religion are not necessary prerequisites for anger and extremism.
-- ;-)
Kuro5hin.org: where the good times never end.
... your job is to look after the Nuclear stockpile, if you are a border guard, or if you have to check passports as part of your job.
As much as you OY YAY FREE SPEECH YAY proponents would like to babble on, it doesn't matter about these other things. It isn't your damn business.
I run a computer, yes, I need computer security information. But no, I am not a border guard.
A missed implication of MS's way of doing things is that the customer is left entirely out of the loop. As a system administrator I don't want to be left in the dark for 30, or 60, or however many days while the vendor works out a fix; it's *my* goddamn system and *my* ass is on the line, so you'd better bloody well tell me where the break is and fill me in on what I can do to jury-rig the system until the vendor *does* provide a patch. If the vendor thinks no jury-rig is available, that's okay - at least I have the choice to disable the software until it's fixed, or turn to smarter heads outside the company for other options.
The arrogance of Microsoft in taking a non-disclosure line is amazing. Essentially they're saying that the vendor has a right to the information but the people who're actually responsible for the systems the faulty product is running on don't. Excuse me, but in what fucking universe does that crock of shit make sense? The vendor isn't *entitled* to non-disclosure; as the customer I *am* entitled to disclosure just as much as I'm entitled to know if the model of car I'm driving has a known brake line problem.
Screw this non-disclosure, delayed-disclosure, or whatever line of bull MS is selling. I don't give a rat's ass about the credibility or stock value of the company who sells a hackable product; all I care about is how I can secure my system until the hack is fixed, or if the product is so full of holes I should just toss it and migrate to something else. Neither MS nor anyone else gets to make this decision for me.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
You misquoted what he said. He said "Your analogy is also flawed in that if you followed the rules Culp mentioned the people in the third plane would still know. Because an exploit in the wild means immediate disclosure. Notwithstanding that some security people would release an exploit just to get published."
Cutting out his sentence because it explains his point doesn't mean the point doesn't exist.
He is correct. Culp stated that if an exploit is found in the wild then it is immediately Fully Disclosed. Otherwise the vendor gets time to fix it. So he is right that the Third plane would have known just the same and thereby it was a bad analogy, because after 1&2 it is fully disclosed (although I agree that the original author didn't really mean it to be amusing).
Actually the point I was trying to make was that the logic made no sense (I still believe this) and thereby it was a dumb analogy. If you are going to make an analogy with a symbol that profound you should think things through a little more.... else you are just trying to amuse yourself with how clever you are.
http://www.theregister.co.uk/content/55/22816.html
It is very well written and the arguments presented are logical. This is the type of rant that MS needs to hear, although they seem to be masters of burying their head in the sand.
For the most part, Bruce is highly intelligent and well-spoken. I agree w/most of what he said, except for the part about the authors of VCK's.
They do have a valid use - that of viral research. I've been collecting and researching virii since about 1984. I enjoy taking old junk PC's and installing different virii on them to see what happens and how to prevent it - along with the obvious value of analyzing other people's code for neat tricks and hacks that I might be able to use one day (I'm a white-hat, so nothing nefarious mind you, but just neat stuff).
VCK's make this experimentation much easier - I can whip up some virii to play with.
I would suspect other researchers do so as well. That some script kiddies abuse them - well, some people use their VCR's or CDR's to violate copyright - but that usually doesn't cause the things to be 'bad'...
The real threat is someone who goes looking for security holes, finds them, and quietly uses them to steal information or money. It's the people who are stealing credit card numbers, bank account info, and military information that are threats. Serious attackers will often work to obtain inside information, and may be willing to combine physical attacks with computer attacks.
Vulnerabilities left open but not publicized open doors for the real attackers. Non-disclosure shuts down only the more inept script kiddies.
(also on The Register).
Check this story about finding a serious cookie vulnerability in Microsoft Internet Explorer and MS policy dealing with it.
Those interested in this subject will almost certainly find this piece in The Register worth reading.
ben_ the technologist and platform agnostic
has been censored in accordance to the responsible disclosure policy of the Microsoft Security Framework.
By disclosing any useful information within this message, one could determine my posting history, motivations, and style, from that extrapolate the sequences in my DNA base pairs, then feed my physical and mental state into a complex iterative model of the Universe.
This could be seen as paving the way for recovery of time machine plans from the future, allowing you to go back and assassinate Bill Gates before he could come up with this crap.
Besides the obvious problem, that being that Microsoft's software of unsurpassed quality will never be released, such an event would create a causative paradox in the Universe, the end result being total destruction of all matter and energy.
In short, all hail Gates and his mighty army of high-priced lawyers!
(Note for the sarcasm-impaired: the preceding message was just a joke; don't mod me down)
Want Linux games? HERE.
Bruce,
Your message is consistent, effective, and helpful. However, one remark you often repeat is being used to justify harmful practices, and even harmful legislation. It plays into the hands of Microsoft and those like them.
In your ZDnet article you wrote, "the sheer complexity of modern software and networks means that vulnerabilities, lots of vulnerabilities, are inevitable." Microsoft's Scott Culp had written, "all non-trivial software contains bugs." The difference between the two statements is probably too subtle for most of your readers. As you say, almost all software vendors do very shoddy work, and most large systems are riddled with holes. Still, the step from "almost all" to "all" is much larger than it might seem.
From Counterpane's business perspective, the distinction probably makes no difference; Counterpane must accept its customers' software deployment choices. From the standpoint of a judge or legislator, though, it makes all the difference in the world. If reliable software really cannot be written, then Microsoft and its ilk must be forgiven their sloppiness at the outset; it would be wrong to hold them to an impossible standard. If in fact reliable software can be written, then such ilk are negligent in failing to produce it.
This is not an academic point. It affects your argument, and Microsoft's. If a software system will always be full of holes no matter how many patches are applied, publicizing holes just makes it harder for network administrators to keep up. It is the availability of reliable alternatives that cinches the full disclosure argument: users can get off the patch treadmill by switching to software that's not buggy. The extra work done to ensure reliability pays off when users switch, or needn't. Full disclosure punishes the sloppy (and their customers) and rewards the careful (and their customers).
It doesn't take many examples of truly reliable software to make the point, in principle. How many bugs remain in Donald Knuth's TeX? In Dan Bernstein's qmail? These were not billion-dollar efforts.
Once it's demonstrated that reliability is possible, getting it becomes a matter of economics. Microsoft, rather than saying reliable software is impossible, is forced to admit instead (forty billion dollars in the bank notwithstanding) that they simply cannot afford to write reliable software, or that their customers don't want it, or, more plausibly, that they just can't be bothered to write any, customers be damned.
Instead of promoting a destructive fatalism about the software components we rely on, you would do better to say simply that current economic conditions lead most organizations to deploy systems known to be full of vulnerabilities. Leave open the possibility that slightly different circumstances would allow for a reliable infrastructure. Reliability is no substitute for effective response, but it just might be what it takes to make effective response possible.
Nathan Myers
ncm at cantrip dot org
I found the story very interesting and on-topic. Thanks for the post, it should be modded up.
From the article:
I do fault the sysadmins: It's our job to maintain systems as securely as we are able. It's part of the cost of doing business.
We should maintain continual pressure on the vendors to improve their initial software quality, to improve their security vulnerabilities especially, and to improve their patching experience to make it easier to apply secure patches with some degree of confidence (which would be an outflow of improving their software quality in the first place--the same processes apply to patches as to a full-fledged app).
However, we should never use a vendor's failings as an excuse for not maintaining due diligence on security matters.
A company's management makes a decision--rational or not--to use a system. Part of that decision includes total cost of ownership. If total cost of ownership outweighs the total benefit derived from a system, don't use the system.
Now, most of us aren't in a position to make a final decision on systems, so we must influence the decision by making sure TCO includes the cost of maintaining security patches.
"Do not meddle in the affairs of wizards, for you are crunchy and good with ketchup." --/usr/games/fortune
"The Natural Laws of Digital Content" on November 15 at 7:00 at the University of Minnesota Minneapolis campus.
The subject of the talk is related to the topic of this story - how legislation such as DMCA interact with computer security issues. So if you're interested in this topic and live near Minneapolis click the link above to find out details about this talk.
Also, we hope to tape Bruce's talk and put up video and audio of the talk on our web site at a later date.
Preventive War is like committing suicide for fear of death. - Otto Von Bismarck
Imagine a world in which software companies are criminally and/or civilly liable for ill effects resulting from successful attacks on their products.
I think that in such a world, software quality would improve dramatically, and software manufacturers would be at least as motivated to fix bugs as they are in a world with full disclosure.
From Culp's piece at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp:
"Providing a recipe for exploiting a vulnerability doesn't aid administrators in protecting their networks. In the vast majority of cases, the only way to protect against a security vulnerability is to apply a fix that changes the system behavior and eliminates the vulnerability; in other cases, systems can be protected through administrative procedures. But regardless of whether the remediation takes the form of a patch or a workaround, an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin."
This is Microsoft's opinion in a nutshell: Don't worry about the details, we'll take care of you. That doesn't surprise me for end-users, but for administrators? When I see a bug announcement with a detailed example, such as the ftp_conntrack bug in iptables, it is tremendously advantageous to actually understand the bug and how to deal with it. In that case, several workarounds suggested themselves, because the bug only affected RELATED connections.
Now take the MS paradigm: I wait until they release a patch, or detailed instructions which I should follow by rote. Of course, I am affected by the vulnerability longer; furthermore, I get no transferable knowledge from the experience. Next time there's a similar bug, I just have to wait, again, instead of being able to invent a workaround.
Sure, it's _possible_ to implement a workaround when I don't understand the vulnerability, but I sure feel a lot better when I understand the problem AND the solution. I simply don't understand how this MS scheme (where everyone is an unenlightened end-user, waiting for cryptically-named patches which they don't understand) could appeal to any business OR home user. By assuming that even its administrators are unqualified to do manual reconfiguration by themselves, or even really understand what they're doing with the OS, MS has effectively crippled their fleet of administrators. And this, ultimately, is why the NT (2k/xp, whatever) platform is the huge, gaping security hole it is.
I simply can't believe the arrogance and stupidity of the statement above.
"...an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin."
I think that speaks for itself.
Where the fuck do you people get the right to start talking about infosec and the world trade center attacks???? I worked there and lost 700 co-workers and posts like this just show how lame people in general really are. And how is an attack on 1 world trade center a military attack??? I don't recall people working in that tower working for the US government!!!
People get a life, will you?!?!
The difference is that mistakes in the physical world are generally much more difficult, costly, and time-consuming to fix even if they are known.
Software vulnerabilities are rarely unfixable, and usually fixable without any serious disruption to the user.
Physical vulnerabilities may require massive construction projects, forced relocations, and so forth. If there's nothing that *can* be done immediately, too much publicity is bad. It brings out the nut cases who want to get on TV.
But I must disagree with your first statement: If all they were doing was attacking the Pentagon then that was a reasonable and legitimate military action (but it still was wrong for reasons I state below). But attacking the WTC was NOT a legitimate military operation and constituted an act of terrorism. If whoever did this believes they are fighting a war of some kind against the U.S. then - whether we like it or not - the Pentagon was a valid target for attack. Intentionally targeting a civilian structure that does not provide either military operations or military support changes you from a legitimate military operation into criminals. This was settled more than 30 years ago with the trial of Lt. Calley in the My Lai Massacre incident. But beyond that, legitimate civilized conduct of any military operation doesn't grab civilian transports and intentionally kill noncombatants.
If they had used planes without civilians on the Pentagon attack or pulled a McVeigh by using a truck bomb there, I'd have no argument that it was a legitimate military attack. But when you intentionally target noncombatants, you're no longer a soldier or a legitimate military, you cross the line into terrorism and criminality.
There's already been an example of this on the TV show Law and Order where someone figured out a way to reprogram a hospital's insulin pumps to randomly kill some patients because they didn't like one of the doctors who was an owner of the place. That this example of a computer virus killing people is a fictional incident does not make the possibility of a real one that might someday do so any less credible. All I can respond to that is fortunately that is the situation now and for the moment that we've been lucky. If only those hypocrites who allegedly support the Muslim religion through violence would practice what they preach and stay as ignorant as they want everyone else to be made, then there wouldn't be too much of a problem. Unfortunately, the possibility of infowar is very real and will happen eventually. Just like those who predicted serious terrorist attacks on the U.S. would be coming: We just don't know when.
Paul Robinson <Postmaster@paul.washington.dc.us>
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
Consider someone using a hijacked plane to destroy a building and make it unusable.
Now consider someone using a compromised computer to generate a denial of service attack upon a major site and make it inaccessible.
I think the analogy is very close.
Now, let's ask the question: Let's say someone figured out that you could slip box cutters and knives onto a plane and use them to hijack it. Would publicising this help? Well, considering that almost anyone who thought about it could figure it out, you wouldn't be giving anyone any new ideas. The exact same thing has been pointed out many times in a number of books and even done as a plot device in some movies, so it's not like it's a secret. Therefore, making such information public might have helped people be aware of vulnerabilities. But if the passengers on the Pennsylvania plane hadn't known about the other attacks as soon as possible we might also be commiserating the destruction of the White House, too.
Once the 'exploit' was known - that there were hijackers taking planes and using them as bombs - then making people aware of the danger - fully informing everyone, including passengers on the plane in Pennsylvania - resulted in preventing further attacks from occurring. Even if the hijackers knew that the passengers knew, they can still fight back against them. Full disclosure informs everyone and can give some people the opportunity to stop something from happening.
It is arguable that those involved are allegedly in some sort of (what they call) a holy war or 'jihad'. If the World Trade Center had been, say, a privately-owned factory building armaments for the Military, then it would have been a legitimate military target, same as the Pentagon. But the fact of the matter is that even if they were legitimately fighting a war, when you intentionally target non-combatant civilians you're not a soldier, you're a criminal and the organization you operate within, if it sanctions this, is a terrorist organization.
Paul Robinson <Postmaster@paul.washington.dc.us>
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.