Slashdot Mirror
FBI, Pentagon Talk to MS about XP Hole
(eternal_software) writes: "The Associated Press is reporting that the FBI and Defense Department are talking to Microsoft about the serious flaws found in the XP operating system. As we all know, the most recent flaw allowed any XP machine to be hijacked simply by connecting it to the internet. The government is getting involved because of growing U.S. concerns about risks to the 'net as a whole." In fact, the FBI would like you to go a bit beyond the MS patch. davecl points out the updated page put out by the National Infrastructure Protection Center about this vulnerability as well.
MS XP patch disabled network card on my computer!
I guess the computer is really safe now.
Microsoft should have withdrawn XP and fixed it. Expecially as they don't even have any serious competitors. What they showed was that they don't care about the safety of their customers. They just want to make money no matter what.
In my opinion they should _STILL_ withdraw it and fix it.
By this, I mean that they should recall every vulnerable CD off of shelves, and send everyone who they know has bought one a new copy that is already patched.
Computers bought with Windows XP preinstalled should have the offer of being recalled to have the patch applied, and everyone should be sent an updated recovery disk.
Why? Because otherwise, 90% of computers out there, run by the technologically clueless population will never get this patch applied.
But I feel there MUST be some preannouncement on such bugs, even if the details are minimal. Whenever you work on something, you cannot expect that someone else in the world is not also working on the same thing, but not for the same purposes. In the case here, eEye, the group that found the bug, was looking for it for purposes of good, but I would not expect that someone else, maybe a malicious group, was also narrowing in on the bug 5 weeks ago when eEye reported it to MS. (And then you have to add cyber-espionge that might have garnered that info for themselves?). In the 5 weeks it took MS to verify the bug and develop and test the patch, that other group might have caught up and started 'owning' boxes already. A preannouncement of the bug, simply outlining the effects, and any short-term security measures, would have prevented that group from having any significant harm on the boxes if they did exist.
I know from a previous discussion that many sysadmins, when a new bug is discovered, want to know all the details up front so they can test the bug before and after fixing on their systems. This is understandable, but I think in the cases of bugs that can affect a significant large number of systems, such as this XP bug, that limited disclousure is better. I think a key step that could be done is institute a small group of trusted security people; bugs that are found are reported to the vendor and to this group. A person(s) from the group verifies the bug and puts out a digitalled signed statement that this bug exists, and that certain steps can be taken to correct it. Because of the status of these people, if they claim to have verified the fix, then that should be considered to be truthful, and thus limiting the need of sysadmins having to have full details to test it themselves. After a short period (no more than 6 weeks), the full details should be released, regardless if a patch from the vendor was available or not. That way, the limited disclosure lets the sysadmins know there's something going on and there's step they can take to prevent problems, and it gives the vendor time to fix the problem before that information falls into the hands of malicious people.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
After all the blather and FUD from Redmond, they again pushed a product out the door with great media hype which is again unsecure. It would be so ironic if Microsoft were punished for this kind of negligence after getting a slap on the wrist. I don't expect that to happen though.
A feeling of having made the same mistake before: Deja Foobar
MagikSlinger is almost certainly right about this. However, if there is a terrorist group out there which was organized and sophisticated enough to carry out another large-scale, imaginative attack (which I doubt), Microsoft might be on their list for these reasons:
- It's American, and a symbol of American characteristics such as innovation, which is in itself hated by reactionaries.
- It's extremely visible.
- Its market dominance could be perceived as "imperialist" or culturally imperialist by people who think like that.
- It's a center of wealth and therefore, in puritanical minds, of evil decadence.
- It could be thought of as a "vital organ" of the American economy by someone who doesn't realize how decentralized the American economy is.
Arguing against an attack on Microsoft is the idea that it's causing enough trouble for the US by itself, but this concept is probably beyond the reach of most fanatics.
Why care? Well, I found out after installing MSN Messenger that most of the features are useless behind a NATed network unless your router/firewall understands UPNP. Of course, Microsoft ICS and Servers understand it. I was getting frustrated since I couldn't use MSN messenger except for messages behind my home linux firewall. ICQ features like file transfer work fine by port forwarding the necessary ports or using a kernel module for it.
So, here's the interesting bit. UPNP works by telling the other client on the other end what your private IP address is. Microsoft's docs say this is necessary for the other client to be able to find out how to talk back to you. I think this is stupid. The other end of an MSN connection just needs to look at the source IP in the packets it receives and just send there and hope the owner of the IP knows what to do.
However, UPNP apparently knows how to handled multiple chains of NAT networks, kinda like I guess an old fashioned UUCP bang path. Problem is, it seems like one can modify that "bang path" to route return packets to false places. Can you say DDOS?
So I sent a rant to my friends about this on December 10, and about how UPNP is a security hole waiting to happen according to posts I read out of google searches...
Here's my rant...
Microsoft claims UPNP is a universal open standard. It'd be interesting to learn more about its origins and who is really controlling development of it, security of it, etc. Microsoft claims all manner of peripheral vendors will be supporting it.
Is the concept itself as flawed as it seems, or is this just yet another case of Microsoft's implementation of something being flawed?
In epidemiology, one of the mitigating factors of the spread of any disease is simply the diverse genetic makeup of the targeted population.
The opposite to this is what's called a monoculture, where one particular genetic structure is present in the large majority of the population. Such situations will usually not last long, beacuse once something is found that affects that population, it spreads quickly and decisively.
With Windows having such a large share of the market as it is, could this be considered the electronic equivalent of a monoculture? Would one major virus or security flaw cause much more damage to the net than otherwise would have happened, because of the homogenity of the net's computer systems in terms of OS?
Whether the king is Linux or Windows or MacOS, or..., is having a near monopoly market share ofany one OS a good thing in light of this philosophy? Hmm. GFood for thought.
There's 10 types of people in this world, those who understand binary and those who don't.
I have to agree with the the one post on the site I linked to above. Microsoft knew about the security hole in XP for 5 weeks yet they continued to tout it as the most secure system ever. I believe it was irresponsible of them not to at least inform the government about this bug. Heck, I think they should have gone as far as tell the consumers. The whole thing tells me that Microsoft cares nothing more than their bottom line (yes I know that they are a business, but this could be a national security issue). I think that there is criminal negligence here. I think there is grounds for consumer fraud. I for one am going to write the states attorney and ask them what stance they are going to take on this issue.
The reasons for point 1 are quite clear though. Acting on point 1 would indicate what a fiction the sales figures for XP really are.
Point 2 is more difficult to fathom... perhaps they're hoping people won't notice? Why on earth, other than their disdain for non-corporate users, wouldn't they send out the reminder? Or even a reminder stressing the improtance of installing the auto-updater?
So what is up with those buffer overflows...do Microsoft developers hate users and not care about quality? Well, no. It only takes one buffer overflow in the whole system that hundreds of developers have worked on, to make it vulnerable.
It takes only one buffer overflow in the whole system that any number of developers, from one to one million, have worked on to make it vulnerable.
It doesn't matter how careful you are. Zero defects at the individual level is a pipe dream. The goal of software quality assurance is that you test code to determine whether it conforms to the specifications with no astonishing side effects. Structured implementation (use of safe libraries, re-use of validated code) can reduce the effort and increase the quality of code.
Want to eliminate buffer overflow? It's easy. Just write a routine ONCE that sucks up characters and puts it into a buffer, debug the corner cases ONCE to ensure you can't go beyond the boundaries, and use that routine for all your work, without exception. Not even when marketing comes in and says "Hey, you didn't come out on top in performance when HAL Magazine ran their tests!" Oh, and your QA people have to actually try to execute some kind of buffer overflow as one part of their suite of test cases...
When a buffer overflow is discovered "in the wild," you find out the source of the buffer overflow and take appropriate action -- against the coder and against QA as well. You have to show these people that you MEASURE them by this sort of stuff.
By the way, don't forget that code should check for attempts to go "outside the box" by using unusual character sequences like ".." in URLs, too. Again, write a single block of code that does the job right, test the hell out of the corner cases, and use that code, without exception.
A Google search yields some interesting approaches. I would like to see the adoption as part of the ANSI definition of the C language an extension to the STR* library routines that are length-safe, such as the STRL* routines found in NetBSD; see the man page and the discussion in the Secure Programs HOWTO.
Don't kid anyone. Buffer overflow can be avoided, by putting in place the proper process and discipline to do the job right.
Whenever you log in on your XP system (of course, no password in XP-home at least) a flurry of packets fly off to Mord- er Microsoft and to the OEM you bought the system from. You have no way of knowing the content of that communication. Since it's all closed source,no one can comb through it for vulnerabilities or trojans like they could for the code for apt or rpmfind. A typical user has no way of knowing that the communication is even taking place at all unless they are running something like tcpdump on the network.
Does that help?
Basically, when you buy XP you are wittingly or unwittingly complicit in your own surveillance. You have given your consent in principle, to be spied upon because you were sipping your morning coffee while XP talked to the higher authorities about you. You looked away and sipped instead of yanking the cat5 out. I say in principle because we've seen that all the consent required for this government to violate your Constitutional rights is that you and others do not resist it with force. Though no one posting here can say for certain what passes through this security hole now, neither can anyone deny that, with a hole like this opened in your systems, a hole which everyone is being conditioned to accept as normal, a feature of their OS, there is literally NO LIMIT to the severity of your insecurity. While you're sipping that coffee, the convenient updater can convert your computer system into a telescreen into your private thoughts, business plans, governmental policies, and so on without end, no matter where you live and what flag you salute. It used to be that spyware was an annoyance foisted on the public sporadically by marketers. Now with XP, spyware connects a government approved monopoly to your most trusted communications and private papers. You don't have to be an anticapitalist socialist or a government hating libertarian to understand that at some level the distinction between a government approved monopoly and an agency of that government is essentially null, or so small it's not worth discussing. (Or maybe someome could point out examples to me where ATT told the government it would not cooperate in its counterintelligence efforts against antiwar protestors and civil rights leaders in the 1960's)
Between the 2 of them, Windows XP users have poor Goatse-man beat by a painful mile for the infinite elasticity of their holes. I have no doubt that the Feebs and Dept.of Deathdance have a million things they'd like to talk over with MS in that regard.
Johnny Quest has two Daddies.
This is a really, really, really big one. It should be in the newspapers. Microsoft has claimed some time ago (free karma to the one who posts a link) that closed source, for-profit software and operating systems are more secure because the company can actually *hire* people to do security audits of the source code, whereas open source developers aren't motivated to do it because it's really boring, and there's no glory in it.
Now, we all know that OpenBSD has proved them wrong, by proving not only that open source developers *want* to do hardcore security audits of the source code, but that doing hardcore security audits on source code prevents security holes from being released into the wild. OpenBSD hasn't had a remotely exploitable security hole in the default install in FOUR YEARS! Windows XP has been in release for for all of about two months, and already there's a major security exploit found.
This proves by Microsoft's OWN ADMISSION, either they do not hire people to do the hardcore security audits they say they can, or if they do, they can't do it as well as the volunteers who "obviously" don't do it at all because there's no monetary motivation to do so.
With lies like this, Microsoft couldn't get into a Better Business Beurau if they paid each of its members a billion dollars.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert