Microsoft's Goal, Security Through Obscurity?
dave cutler writes "Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks." Update: 05/09 13:59 GMT by M : The benefit to customers of Microsoft integrating internet services into the operating system, as well as Microsoft's commitment to security, are exemplified in this article which notes yet another remote root hole in Microsoft's code.
Here is a mirror.
Clearly the rebuttal to this is the security of OSS tools. Hackers have access to their source and are able to break into systems running them, just as much as Microsoft systems can be broken into without source available.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
TRILLIAN CONTAINS NO MICROSOFT CODE. THIS IS A FLAW IN MICROSOFT'S CODE, NOT THE PROTOCOL.
WTF was the author on?? HTF can he say this? It's blatantly wrong.
p.s. I'm a Trillian user.
"Evil will always triumph because good is dumb." -- Dark Helmet
Not quite.
More like security through brilliantly designed APIs. See, rather than letting Windows get cracked, MS cleverly designed the APIs to crash the system first. Every time you see a BSOD, you should thank MS that they prevented an evil hacker from taking over your system. And if MS let people see their APIs, they could stop the APIs from crashing the system in response to hack attempts, leaving all Windows users vulnerable with a non-crashing insecure Windows!
-Henry
"Useless organic meatbag" -HK-47
This is what, Nimda part #5 now? Oh yeah...
It's great that open source software comes out with patches so often, but maintaining them is quite a hassle - I'm constantly getting security updates for Linux. I guess that's better than leaving your box wide open while M$ takes time releasing a service pack. It's just the nature of the beast.
Wow, now that's really something, seeing as how Microsoft doesn't even have the concept of Root.
Having just spent another bad week wrangling with Win9X (wish they'd at least fund 2K upgrades) and SirCam viri, while my *nix boxes just run flawlessly - all I can say is what utter rubbish, bollocks.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Of course MickeySoft knows best!! If qualified Windows administrators can't handle sealing Windows, MickeySoft will do it for you. Just don't question it, and when they have emergency patches believe them when they say they are doing the 'BEST' they can.
What a joke, don't tell anyone about our security model and no one will figure it out?!?!
Yes, it's true that the security through obscurity claims of MS seem like blowing smoke, but obscurity is an accepted security paradigm. Any CS course in security ought to mention it, and you can read about it in "Security in Computing" by Pfleeger. It's always been my stance, however, that MS is taking the obscurity stance to propagate their business model and NOT to better security.
Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.
It would. It's not a good excuse, but it is true. In the short term, Microsoft cracks would increase.
So ... as long as no one knows what's really going on under the hood, we'll all be safer!? ...
I hardly think so
Hopefully Judge CKK will see right through this attempt at obviously controlling the market through obscurity and risking the virtual safety of its customers. Customers who, in essence, don't have a choice.
"Corporate rock still sucks. What are you gonna do about it?"
...that they are partially correct and justified in hiding certain secret keys as ways of preventing unauthorized use of products.
But that's an oversimplification that I'm afraid the lawyers and the court won't be able to clearly pick apart. Even the Microsoft VP testimony about the issue was sprinkled with constant reminders that this was "a confusing" technology. It is confusing. But it's essential for everyone to understand what its purpose is and how it can be misused, too.
The part that rubs the wrong way, of course, is that the exact same arguments could be used to prevent a competitive implementation of an interface that Microsoft wants to own for themselves.
"Provided by the management for your protection."
you helped him reach his goal!
"I guess it's a matter of how hard you make it," Allchin replied. "We have to work on our reputation for security in the marketplace." from Jim Allchin, who oversees the Windows operating system.
Gee ... I guess that's why there's so FEW reported news stories about the hacking of Windows ... and so MANY stories about the hacking of Linux.
Karma? Karma? I don't need no stinkin' karma.
This is all the result after taking 1 month fixing bugs and educating sw people about security? Wow!
*pauses to wipe coffee off monitor*
Three arguments against Microsoft's position: .Net was released to the wild before the "official" .Net specification.
Nimda.
Code Red.
The fact that a virus framework for
No, I don't believe them, not for a second. I'd sooner trust an armada of politicians and their attendant [strike]lackeys[/strike] lawyers.
'Nuff said.
All the world's an analog stage, and digital circuits play only bit parts.
It's more like, if we hack it together so badly, it will be really secure because people won't be able to understand it.
That is why the "Print" pop-up menu button in the windows explorer actually has to launch MS Word (and take over your full screen and control of your desktop - but don't hit a key or it will mess up!) rather than doing it non-graphically in the background, right?
I'm going to hide a cookie in this glass cookie jar over there. If I find out that you ate it, I'll just have to put a new cookie in the jar and hide it somewhere else.
I firmly believe that software should be held accountable to liability laws and consumer rights laws. Microsoft has repeatedly fought laws designed to provide these protections and re-written their EULAs to provide no liability whatsoever. Compare the EULA for MS Office from 1995 to today's. About ten times as long, with each additional page reducing their liability and increasing yours.
More FUD from Microsoft. Their legal department must have more employees than their coding department by now.
How is this possible?
With a new hole in Outlook being found every few days, and massive security holes being patched every couple of months in IIS and the OS itself, how can it *possibly* get any worse?
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
hmmm... I think I'm going to write a book. And then, on page 156, I'm going to include my IP address and root password. And then, I'm going to make sure that every copy of the book has its covers bound tightly together so that it can not be opened without extreme difficulty. Then I'm going to sell the book for $50 a copy (aw hell, why not make it a hundred). And then, if anyone who buys my book actually tries to open it, I'm just going to have to sue them for every penny they have because, goddammit, my root password's in there (didn't they read the EULA that came on the complimentary bookmark?).
lysergically yours
People aren't digging security holes; they're falling into them.
Now that I've done a little research, I see this as a naive view. For one thing, it doesn't explain the frequent security flaws in Linux and Apache. To continue the analogy, there are so many holes, it looks like a golf course. Also, a wealth of evidence suggests that at least 85% of exploited bugs in Microsoft products (discounting IIS and Windows 2k and later) are from well-documented public APIs. This suggests that it is far more harmful to publish this info (which really isn't helpful to users anyway) than to keep it secret, where it can do no harm.
Karma: Good (despite my invention of the Karma: sig)
Microsoft is clearly ignoring history here. They should learn from the example of one of the oldest open-source programs out there. Clearly if there are lessons to be learned, we should learn from this piece of brilliantly designed software.
Of course, I am speaking of Sendmail.
Oops...
Sometimes it's best to just let stupid people be stupid.
The OSS community typically acts a lot more quickly than Microsoft has on security problems... when security flaws are found on Windows the patches usually take longer to release.
Also... security flaws under *NIX systems usually are limited to one service... not the Internet Explorer/Outlook Express/MS Messenger Core OS holes that seem to plague MS since everything is so entwined.
Somebody should maintain a list of executives at large companies and specifically bomb them with these 'sploits as soon as they become available.
I think that the IT departments of large companies do their jobs too well -- the executive never realizes just how vulnerable they are with MS products.
If we bring the problem home to the people that make decisions, then there will be top-down sponsorship of better computing environments.
My linux box has been hacked 4 times...
Nothing has ever happened to my windows Machine...
-Mark
Dovie'andi se tovya sagain.
The computer will crash before an exploit can be used anyway, thus proving once again Windows is far more secure than that *other* OS which some people run for years at a time.
If Bill Gates had a nickel for every time Windows crashed... Oh wait, he does.
Just how much easier can they make it? You can already walk right in the front door whistling Dixie with the way things are currently. It's scary - they're admitting that their APIs are so full of holes that it can be that much worse than it already is. It's not like they're trying to make crackers work for it - they sneeze and a new crack is born. At least with open APIs the public will be exposed to how atrociously bare bellied Microsoft really is and perhaps either:
A. Put serious legal pressure on Microsoft to fix them.
B. Switch to Linux, FreeBSD or Mac OS X.
C. Dump computers altogether and move to Tibet.
>>
Jim Allchin, who oversees the Windows operating system, said that disclosures sought by the states "would make it easier for hackers to break into computer networks, for malicious individuals or organizations to spread destructive computer viruses and for unethical people to pirate" Microsoft's flagship software.
>>
it is quite obvious, they are desperate to hold on to their marketshare & desktop dominance...
M$ sometimes takes weeks to get an update built & loaded on to their servers for their customers...
with Linux & OSS when a vulnerability is found ANY programmer can build a patch or update and have it loaded on to servers within a few minutes, and with Linux being Open Source there are many many many more programmers to perform this operation, and they do it because they want to do it...
I want to see Bill Gates someday as an old has-been alcoholic getting DUIs in his Rolls Royce ROFLMAO
Bill Gates can't be a borg. Nothing that is part machine could tolerate such inconsistency. Only humans can say that 1=0 and believe it.
Yes Sendmail had some atrocious holes. Yes it seemingly took forever to get them fixed.
But c'mon, we are talking about a program that at best was running on tens of thousands of machines during its worst security times. As Sendmail usage has gone up so has the security it has offered. Comparing to a hole in a client that is deployed on millions of computers really isn't fair.
--- I do not moderate.
Why should they release their APIs?
So you or I can "fix" their bugs for them?
Modify our MS programs?
Tinker here and there...fiddle and faddle around?
Now, if they were to SELL their info...
oh but we all know that you'd just have to download Kazaa or some similar P2P software
in order to get access to it 10 minutes or less
after it was released...
(10 min to allow for driving time from store-->home)
So they REALLY have no material gain in releasing their APIs. Sure they may retain a bulk-load of positive PR, but positive PR is rarely the catalyst for positive cash flow.
"Just Smile and Nod." --Huck
In an advisory today, Eeye warned that the flaw in the "MSN Chat OCX control" enables an attacker to "supply and execute code on any machine on which MSN Messenger with the ActiveX is installed."
In other words, if those components are installed, even if you don't use them, you are at risk. You're right, it has nothing to do with Trillian.
The author is right, completely right. Try reading next time.
The bad guys are motivated (and some of them are clever!). You must assume that they *will* figure out the obfuscated, confusing, or secret portions of your code (if by no other means than disassembling it and inspecting it, line by line).
Certainly, secrecy may be a component of a security implementation -- for example, it is important to not disclose your password to others. But it is not a proper *foundation* for security engineering. If your system is vulnerable in the event that "somebody figured out the undocumented flag", then you must assume it is vulnerable, period.
If you build a system such that it is insecure when provided with certain input, then you are being careless and sloppy. At a minimum, users of your system deserve to know the details so that they can make an informed decision about whether the risk is acceptable.
What are they complaining about? Their code couldn't be any less secure than it is now! :P
Am I missing something here? How is it that opening up the API creates a security flaw? I can maybe see them saying that giving away their source will, but how is an API going to? The API is just how to talk to the machine. Unless their API contains something like "let me do anything I want on the target machine", how does this cause a security breach?
"The more creators of viruses know about how antivirus mechanisms in Windows operating systems work, the easier it will be to create viruses or disable or destroy those mechanisms," Allchin testified.
Allchin also warned that if Microsoft were compelled to disclose all the APIs and technical information the states are asking for, digital rights management would be compromised.
From Tuesday, news.com http://news.com.com/2100-1001-900905.html
It may sound silly and idiotic, but I wonder what could happen if some open-source company or just any individual buys the Windows source code. Or just the APIs. Or whatever they sell (because they DO sell their source code, obviously under heavy NDAs).
:)
Now, what would happen if this individual releases it in the wild? Surely he will get fined, blah blah blah. But it would be too late - he will be a martyr, and the entire world will know about the windows source code.
...anyone wants to donate 1 euro cent to me?
crazy cheers
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
And releases tools under GPL to verify it!
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
This is why everybody should be using Linux, or another variant of open source software. Obviously Microsoft has no concept of security, and shouldn't be used in really any circumstance.
;-)
I run my business on complete Linux boxes, and nobody has any trouble using them. The interfaces are consistent and well thought out, and we've developed an efficient system to upgrade and patch about 20 or so workstations whenever new versions come out. There haven't been any major issues of the company learning UNIX either. It's amazing to watch the 40 year old women in accounting hack away at VI!
When these boxes had win2k on them, it was not uncommon for them to crash upwards of 2-3 times per day.
The real crime is not that they have a buggy, insecure Instant Messenger client, but that you can't remove the damn thing without manipulating the registry (on an XP box anyway). Simply finding the preferences within Windows Messenger and de-selecting "Run this program when Windows starts" and "Allow this program to run in the background" DOES NOT prevent it from re-launching when you reboot.
Ok... so "Windows Messenger which ships with Windows XP does not include the MSN Chat control. Windows XP users would be vulnerable only if they have chosen to install the MSN Chat control from MSN sites. "
Still pisses me off.
..were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.
Wow, so releasing APIs and protocols would give too much information about how the system works so people can hack into it. Thank god no operating systems take this a step further and release their entire source code, or people would be hacking into them like an axe through butter!
If these security vulnerabilities are so easy and obvious from reading the APIs, then why can't Microsoft's programmers find and close the security holes before someone finds them? Don't they read and adhere to their own APIs?
If releasing the APIs means someone is going to easily figure out a way to damage the system, that just demonstrates that Microsoft isn't even trying to secure their products.
Darth --
Nil Mortifi, Sine Lucre
"In an advisory today, Eeye warned that the flaw in the "MSN Chat OCX control" enables an attacker to "supply and execute code on any machine on which MSN Messenger with the ActiveX is installed."
As a result, even non-active Messenger users, or those who access the service using a third-party product such as Trillian, should upgrade to the new MSN Chat control.
'The attack doesn't happen through the chat client, so as long as you have MSN Messenger installed, if I send you a special URL, I can own you,' said Marc Maiffret, Eeye's 'chief hacking officer.'"
i'm sure marc actually said, "1 c4n 0wN j00," but the washington post author didn't know what the hell he was talking about.
---
I'm just an ordinary man with nothing to lose.
Sure, this joke was not funny at all. Sure, I love to see jokes while reading here.
It might be cool having some JokeTroll to paste random jokes.
There was this joke I really liked, that was posted some time ago, about the teacher that asked the students about ghosts, seen ghosts? touched ghosts?... and so on, until he asked if anyone has had sex with a ghost and one student said he did. He then was told to approach the teacher, and asked again if he has ever had sex with a ghost, and the student replied... "ghosts? I thought you were talking about goats"
I think it was pretty funny.
All you Microserf users, I will own you! Muhahaha
"... so as long as you have MSN Messenger installed, if I send you a special URL, I can own you," said Marc Maiffret, Eeye's "chief hacking officer."
article
On DOS boxen (including, of course, all the non-VMS derived Windows releases, which boot COMMAND.COM and are thus DOS based) all local users are root superusers.
Proof of concept: On a Windows 98 machine, cancel the "windows login" and start a DOS session. Now delete the entire filesystem (including hidden, system, and read-only files). Tada, it works, you are ROOT.
On VMS-derived windows (such as all versions of Windows NT and of course Windows 2K) the root superuser account is named "Administrator" and is directly analogous to Unix "root"
One of the reasons MS can't effectively compete against linux and the BSDs in the server market is that their systems include this same fatal weakness. At least *nix is stable!
Incidentally, now that linux has "capabilities" built into the kernel, and Linus wants to put a resource handle into the filesystem API, the groundwork has been laid to get rid of this stupid root superuser concept and create a real successor to Unix rather than just a clone. Hopefully linux (or perhaps the Hurd) will one day incorporate all the strengths of Unix while jettisoning ancient kludges like "root" and the primitive "rwxrwxrwx" access control system.
--Charlie
Now please don't mod me down as a troll on this, but this is my personal experience and some facts:-
Windows XP isn't vulnerable to this.
I run Windows XP, I run Messenger, XP runs my personal web site, I haven't been infected with Code Red, attacked, trojaned, cracked nor got an email virus. I haven't with any MS OS in the last 5 years (I got a virus before that).
PARANOIA is the problem here. Dealing with the holes in a logical manner and keeping your machines patched up will stop nearly all of the potential problems you think you are going to have. There are mechanisms there to sort it out and protect you.
Windows has mistakes in code, as does OpenBSD, as does Linux, as does Solaris. Fill in bug reports, keep patched up (run Windows Update/download countless RPMs/apply source patches etc). It's the same, and IT'S YOUR CHOICE.
As a side note, I run OpenBSD too and it's a hell of a lot more work keeping that patched than Windows.
Now please slashdot, can we have some unbiased reporting for a change? IS that possible?
--- And on the 7th day, God created Windows. He must have been tired by then.
The class id for the control (1.1 anyway) is D6526FE0-E651-11CF-99CB-00C04FD64497, so:
1. Open regedit (Windows key-R, "regedit").
2. "Edit...Find" or CTRL-F.
3. Put D6526FE0-E651-11CF-99CB-00C04FD64497 in the text box and hit "Find Next."
To remove:
1. It's not installed on my box, so regedit couldn't find it. If it's there, the name of the DLL or OCX control should be there somewhere.
2. Find where the control lives on your box.
3. Open a DOS prompt, cd to that directory, and do regsvr32 /u to remove it from the registry.
4. Delete the control.
In my meager 3 years as a network admin/sysadmin
I've been root'd 3 times on Redhat systems, 0 on NT/Windows...
but the viral infections on the Windows machines have caused a greater amount of woe than the 3 root hacks on Linux.
Then again at the time I didn't know diddly about network/e-mail security...*shrugs* maybe I just got lucky.
"Just Smile and Nod." --Huck
Microsoft Reveals Anti-Disclosure Plan
(emphasis in original)
Sig: What Happened To The Censorware Project (censorware.org)
I'm not running Windows, so I don't remember where it stashes the GUIDs for lookup. HKEY_LOCAL_MACHINE\Software\Classes might be a place to start, or you could wade through all the links an "ActiveX registry" search on Google will get you in order to find something more adequate.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
this says more about your skills as a Linux user / admin than the security of the box.
Computer Science is Applied Philosophy
I wonder if it is a coincidence? The poster of this article. There is a Dave Cutler at Microsoft who used to be the lead designer of NT who used to be the lead designer of VMS. There is an interesting Urban Legend about that too.
This is a boring sig
It's a good thing OpenBSD doesn't provide a good amount of detail about their protocols and APIs. Otherwise, it might become vulnerable to crackers real quick.
What if MS tells the truth and most of their security is really through obscurity? No sane judge would make them release the source code then; there is just too much code and too many security holes to fix. Consequently MS will have its "corporate security". IMO the only possibility is to force open APIs or source code in newly released products starting X years from now.
It really irks me to no end that every piece of software you ever seem to get off the shelves seems to follow the same thought as a downloaded product, that you can patch it up as you go.. (take Windows Update for example) and I always end up feeling like I am endlessly beta-testing everything, down to my OS (luckily I run Windows under VMware, so at least it reboots faster).. So as far as security goes in MS products, because I treat it as an endless "beta" and the fact that off the shelf, Windows seems to barely work, I am not surprised as each new security hole comes up. In all reality, the fact that they obscure everything seems to make people all the more interested in digging around in it. Just my 2 cents..
anime+manga together at last.. in real time.
Because sendmail sucks but is open, there are lots of alternative mail transport agents out there for Unix systems -- bad open software doesn't have to be fixed if it can be bypassed. Bad closed software is just, well, bad.
2*3*3*3*3*11*251
You've been had! Clearly the Queueing component is actually completely watertight, but there are five million other serious flaws in other components waiting to be discovered that MS want your attention distracted from........."knowing" there's a flaw in Queueing, you'll expend the next two years in a fruitless search for the non-existent flaw. Meanwhile MS point to how the discovery rate for new flaws is dropping.......
Taken directly from the Eeye vulnerability page:
Greetings:
Mom, Dad, and all of the little people that helped me and believed in me - oh - and a big YO HO to the homeboyz in the h00d.
Hrm....
AntiFA: An abbreviation for Anti First Amendment.
From Jim Allchin: "We have to work on our reputation for security in the marketplace."
Yes, that's it, it's a public relations issue. I guess the idea of FIXING THE GODDAMMED SOFTWARE hasn't occurred to him.
Stop-Prism.org: Opt Out of Surveillance
I mean, her boyfriend's a tech, but she freaks out if he makes the slightest little change.
To top it all off, she's running WinME.
You are not the customer.
I agree with this post.
I don't even see the need for discussion,
this is part of the M$ phil against OSS.
It would be contradictory for them to state
otherwise.
Any large corporation can tell you where true security lies:
Security through obesity
Sure, they'll say they are fit and nimble - they can change their direction quickly, squash bugs in their code in record time, etc. But the truth is that only corporations large enough to squash evildoers, such as those who find bugs, can truly be considered 'secure'. You'd be surprised at how much more information would be out now if certain people didn't have that 800lb gorilla breathing down their neck...
-Adam
There probably are more news stories about *hacking* Linux than *hacking* Windows (although how many of these are news it's difficult to say). Cracking, well maybe that's a different matter :P
For a laugh I did a quick Google search and it seems there are more sites for Linux than Windows, but I doubt you can read too much into that.
Ya see... we can't help our competitors write code for our platform, it's a security risk.
No artist tolerates reality. -- Nietzsche
a shit about the stuff that you are working on. Not so for IT, I'm afraid.
In this case, the reverse may be better.
Reality is what we taste, smell, see, hear and touch yet we cannot comprehend it...only approximate it.
Just look at NetBSD! Nobody seems able to break into that Obscure OS.
They don't want u to see it b/c then you'll see all the secret backdoors they put in for them and their buddies. In other words it _would_ indeed be a HUGE security risk for M$ b/c of poor code. Remember this:
!seineew era sreenigne epacsteN
i'm sure a lot more of this would come out....
...there would be several posts "educating" us on the difference between "hacker" and "cracker".
What were the skies like when you were young?
Judge: Can you name other programs and/or operating systems which the technical information is openly available and is prone to hackers and viruses?
..but they are OPEN!
M$ Lawyer: Yes. KDE and Gnome!
Judge:..But aren't KDE and Gnome desktop environments that run on top of Linux?
M$ Lawyer: uhh..yes.
Judge: well........
M$ Lawyer:
Judge: Okay then, give me an instance where malicious users used open-information to crack open-programs...
M$ Lawyer: hmm...
"ActiveX control" is just a fancy name for a COM component. They come in two flavors: out-of-process EXEs and in-process DLLs. An OCX is really just a DLL.
ActiveX controls are instantiated through COM by using entries in the registry. These entries could be manually removed (as some people have posted), but this would entail quite a headache.
The proper way to un-register (remove) an in-process COM component is to run regsvr32.exe /u [filename]. This program is found in \winnt\system32 or \windows\system (depending on the flavor of Windows you are running).
The proper way to un-register (remove) an out-of-process COM component is to run the EXE with the command switch /UnregServer.
As for listing what components are registered on your machine, Visual Studio 6 comes with "OLE View" which does just that. For those without VS6, you'll need to hunt for a 3rd party application.
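The regedit walk-through earlier in the thread and the regsvr32 /u and /UnregServer notes just above describe one procedure: look a control up by its CLSID, find the DLL/OCX or EXE it maps to, and unregister it. The PowerShell function below is an added example, not code from either poster; it assumes the CLSID quoted in the thread and the standard COM registry layout (HKCR\CLSID\{clsid}\InprocServer32 for in-process servers, LocalServer32 for out-of-process ones), and it only reports what it finds unless -Unregister is passed from an elevated prompt.

```powershell
# Added example, not code from either poster above.
# Assumptions: the control registers its server under HKCR\CLSID\{clsid} as
# InprocServer32 (DLL/OCX) or LocalServer32 (EXE), the standard COM layout, and
# the CLSID is the one quoted in the thread. Unregistering needs an elevated prompt.
function Get-ComServerByClsid {
    param(
        [Parameter(Mandatory)][string]$Clsid,   # GUID without braces
        [switch]$Unregister                     # omit for a report-only dry run
    )

    $base = "Registry::HKEY_CLASSES_ROOT\CLSID\{$Clsid}"
    if (-not (Test-Path -LiteralPath $base)) {
        Write-Output "CLSID {$Clsid} is not registered on this machine; nothing to remove."
        return
    }

    # Internet Explorer's "kill bit" (Compatibility Flags with 0x400 set) blocks the
    # control from being loaded as ActiveX even while it stays registered; report it too.
    $compat  = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{$Clsid}"
    $killBit = $false
    if (Test-Path -LiteralPath $compat) {
        $flags   = (Get-ItemProperty -LiteralPath $compat).'Compatibility Flags'
        $killBit = ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
    }

    $results = @()
    foreach ($kind in 'InprocServer32', 'LocalServer32') {
        $key = "$base\$kind"
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # The server's path is the key's default (unnamed) value. A LocalServer32 value
        # may carry trailing arguments, so keep only the quoted path or the first token.
        $raw = [string](Get-Item -LiteralPath $key).GetValue('')
        if ($raw -match '^"([^"]+)"') { $path = $Matches[1] } else { $path = ($raw -split ' ')[0] }

        if ($kind -eq 'InprocServer32') {
            $cmd = "regsvr32.exe /u `"$path`""   # DLL/OCX: regsvr32 calls DllUnregisterServer
        } else {
            $cmd = "`"$path`" /UnregServer"      # EXE: the server removes its own entries
        }

        if ($Unregister) {
            if ($kind -eq 'InprocServer32') {
                Start-Process -FilePath 'regsvr32.exe' -ArgumentList @('/s', '/u', "`"$path`"") -Wait
            } else {
                Start-Process -FilePath $path -ArgumentList '/UnregServer' -Wait
            }
        }

        $results += [pscustomobject]@{
            Clsid             = $Clsid
            ServerKind        = $kind
            ServerPath        = $path
            FileExists        = ($path -ne '') -and (Test-Path -LiteralPath $path)
            KillBitSet        = $killBit
            UnregisterCommand = $cmd
        }
    }
    # Unregistering removes only the registry entries; the file itself is still on disk.
    $results
}

# Report-only run with the CLSID quoted in the thread (version 1.1 of the control).
Get-ComServerByClsid -Clsid 'D6526FE0-E651-11CF-99CB-00C04FD64497' | Format-List
```

If the CLSID is absent the function says so and exits, matching the poster whose regedit search came up empty; when it is present, the report shows the server path and whether the kill bit already blocks it before anything is changed.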
This isn't about security through obscurity. Other than the obvious, control, it's also about hiding their reputation for bad code. You won't know how bad it is, until you see it; and they even proved it by trying to hide behind closed source. Nothing new really because BSOD etc. are already enough proof, but you always need to hear it from them.
Think about your average consumer who goes into a store to buy a computer. This person goes in thinking that buying a computer is like buying a TV or stereo. Basically, plug it in, turn it on, and it works fine. It's another appliance to them. Little does this person realize that they have just bought themselves a piece of Systems Administrator Hell! What with the barrage of upgrades (read patches) to Windows and IE. Now couple that computer with Broadband and its always on connection to the internet. Now they have to worry about Viruses, SPAM and the script kiddie down the street trying to use their PC in an attack on EBAY or Yahoo. So much for the PC and the internet making life easier!
"Luckily for Microsoft, it's difficult to see a naked emperor in the dark."
--- Ted Lewis, (former) editor-in-chief, IEEE Computer
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
but obscurity is an accepted security paradigm
Obscurity is the only paradigm. The only difference is degree. If I have a machine on the street corner that dispenses money to anyone that asks, I'll likely go broke if the command sequence is "give me money". I can save myself for a while by making the command something like JJ6554, but eventually the word will get out. This is a base example of security through obscurity; I'm counting on the fact that there are a lot of commands I could be using and it will take the bad guys a while to guess which ones I'm actually using.
I could buy more time by making the numeric portion of command sequence different for each user, and tying it to some even more obscure pattern of magnetic bits on a little card for each user, etc., but all I am doing is increasing the obscurity and thus gaining additional temporary security.
The problem isn't with "security through obscurity" as the/part of the/all of the security model. The real question is, can you quantify the obscurity (and thus the risk). In a closed security model, there's no way to measure the obscurity/security without breaking it. In an open model, the system is divided into two parts; a specification or standard of some sort which is visible and from which you can compute the size of the second, obscure portion (e.g. C^N where C is the number of characters in the password character set and N is the length of the password). That way at least you can estimate how long you have before the bad guys get in.
-- MarkusQ
The problem is that security though obscurity merely shifts the problem from one place to another: it's guranteed that someone at some point in the future will figure it out and take advantage of it. Then we get to wait for someone to fix it; which is homework they should have done in the first place. We have a precedent in cases like this; product liability lawsuits are the only real check against products with problems which manufacturers would rather hide.
yes .. they're totally correct. Take any pile of spaghetti-coded slop and expose its *unfixable* weaknesses and you've got troubles.
"There are 11 kinds of people: those who know binary, those who don't, and those who could not care less!"
When asked about opening up the Windows API, a Microsoft VP testified that doing so would be bad, since it would allow folks to clone Windows.
Now, out of the blue, Salon decides that opening up Windows would also make it more vulnerable to attacks (is that anything like "more pregnant", btw?).
Can't you just picture the guy leaving the courtroom and saying, "D'oh! I shoulda said that it'd lead to more viruses, too! (Dials Phone) Hello? Salon editor's desk?" ...
mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
Jim Allchin, who oversees the Windows operating system, said that disclosures sought by the states "would make it easier for hackers to break into computer networks, for malicious individuals or organizations to spread destructive computer viruses and for unethical people to pirate" Microsoft's flagship software.
Now if this ain't a compliment for software that lets you see what goes on inside (you know the kind) and still isn't broken into at a rate anywhere near a comparable Microsoft offering then what is?
For those who don't know yet, VBA virii exist just due to a single function. Something called CopyFunction (or something like this), that copies a function from one document to another. If MS removes this function no VBA virii will ever exist again.
Note that this function is very well documented and is not hidden anywhere; all you need to do is search the VBA documentation.
Now is MS insecure due to obscurity or is it insecure anyway? Maybe that conspiracy theory that MS owns Antivirus software companies is right.
-=-=-=-=
I know life isn't fair, but why can't it ever be un-fair in MY favor!?
Christ, if I read another post about how you can't remove Messenger from an XP box.....
/program files/messenger....change the folder name to something else!
I personally don't use any messenger.
2 QUICK (registry editing FREE) ways to get rid of Messenger from XP.
1)
2) in windows/inf there is a file called 'sysoc'...open it in an editor and remove every instance of "hide". DO NOT remove any commas or anything else. save the file and reboot. after it comes back up, go to add/remove software in Control Panel/Windows Components, select Messenger and remove.
now, was that so hard????
the history of the world
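The sysoc.inf step above, as an added example (not the poster's code): a field-aware edit that clears the hide flag while leaving every comma in place, which is exactly the caveat the post warns about, and which a naive search-and-replace of the word "hide" would get wrong for a file name that happens to contain it. The file fragment is constructed in the layout Windows XP uses; matching the flag case-insensitively and reading the file as single-byte text are assumptions of this example.

```python
# Constructed fragment in the layout of Windows XP's %SystemRoot%\inf\sysoc.inf.
# The real [Components] list is much longer; these lines are sample data.
SAMPLE_SYSOC = """[Version]
Signature = "$Windows NT$"

[Components]
NtComponents=ntoc.dll,NtOcSetupProc,,4
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
Games=ocgen.dll,OcEntry,games.inf,,7
; constructed entry: a file name containing "hide" must survive the edit
hidetest=ocgen.dll,OcEntry,hideme.inf,HIDE,7

[Global]
WindowTitle=%WindowTitle%
"""


def unhide_components(text: str, only=None):
    """Clear the `hide` flag on lines in the [Components] section.

    The flag is matched as a whole comma-separated field (case-insensitive,
    an assumption for this example) and replaced with an empty field, so the
    comma count of every line is unchanged and a name like hideme.inf is left
    alone.  `only` restricts the edit to the given component names
    (case-insensitive); None means every hidden component.

    Returns (new_text, names_changed).
    """
    wanted = {n.lower() for n in only} if only is not None else None
    out, changed, in_components = [], [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_components = stripped.lower() == "[components]"
        elif in_components and "=" in stripped and not stripped.startswith(";"):
            name, _, value = line.partition("=")
            fields = value.split(",")
            hidden = any(f.strip().lower() == "hide" for f in fields)
            if hidden and (wanted is None or name.strip().lower() in wanted):
                fields = ["" if f.strip().lower() == "hide" else f for f in fields]
                line = name + "=" + ",".join(fields)
                changed.append(name.strip())
        out.append(line)
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, changed


def rewrite_sysoc(path: str, only=None, backup_suffix: str = ".bak"):
    """Edit a real sysoc.inf in place, keeping a backup next to it.
    latin-1 round-trips every byte of the ANSI file unchanged."""
    with open(path, "r", encoding="latin-1") as fh:
        original = fh.read()
    new_text, changed = unhide_components(original, only)
    if changed:
        with open(path + backup_suffix, "w", encoding="latin-1") as fh:
            fh.write(original)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    edited, names = unhide_components(SAMPLE_SYSOC, only=["msmsgs"])
    print(names)        # ['msmsgs']
    print(edited)
```

Restricting the edit with `only=["msmsgs"]` un-hides just Messenger; calling it with no filter exposes every hidden component in Add/Remove Windows Components, which is what the post describes.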
Of course there aren't going to be huge amounts of stories about the hacking of *nixes.
a) Most people use windows for their desktop, so more people care and are affected.
b) MS is famous -- it's more interesting when they screw up.
c) *nix users are more likely to check security updates. Windows users may not hear about an exploit, so if anyone REALLY wants that bug fixed, it will have to be in the news.
d) *nix users are used to the idea of security holes, so it isn't news. Windows users are potentially more titillated by the idea of exploits in their boxes, since it is a less familiar concept to them.
e) MS seems to not want to publish security problems. Therefore ANYTHING that gets published is almost certainly news-worthy.
I wonder what incentives Microsoft is using to try and achieve this. It is not in the self interest of any company in the security business to limit the perception in the market place of need for security.
If you notice, the likes of Symantec etc. go out of their way to publish information on various virii.
I bet the Carrot is that MS will NOT enter that business if they play ball. If not, "Embrace and extend".
Help fight continental drift.
And Microsoft still crashes a lot.
You are running some program and do something interesting, like accidentally pasting a text document onto a URL, and something crashes. Ah. Try it again. OK, if it is over 4800 or so bytes it crashes, bring up the debugger. Ah, at 4894 is the stack where the IP...
Here is the specific difference between closed and open models.
If I find it on Microsoft, about the only thing I can do is write a sploit for the skript kiddiez. Of course I can contact Microsoft, but they won't respond for the shorter of 4 months, or when the skript kiddiez get going. Even then it usually takes two weeks for a hotfix that breaks half the software on the server, and then another two weeks for a fix for the fix that I can apply. [Don't worry, I haven't run anything from Microsoft for several months and hope to stay Microsoft Free as much as possible].
If I find it on GNU/BSD/Linux, I pull up the source, add a test or whatever I deem appropriate and send a patch with a description of the problem and fix to the maintainer along with a little chiding about how embarrassing it should be to have such a hole. And the minor version is incremented the next day, so everyone doing apt-get regularly won't be affected, and in a few days every distribution will have it added to the security update section.
Even if I had the source to Micros... I probably wouldn't have enough to recompile or fix things. I could find the line of code causing the problem, but anyone who can write a sploit can read disassembly.
Microsoft's integration makes the problem worse since any problem with what should be middleware runs in the OS. A Netscape flaw on Linux wouldn't get you root (at least not directly - you would have to find a suid flawed program). But any problem with Outlook and/or IE gives you more than enough to cause problems.
Again, and to summarize, any software defect has a good potential to be exploited, without the source, so simply running something until it crashes (at least on MS) is a much more productive way to mine for exploitable security holes than reading through the source. The integration within MS software (the browser is part of the OS) makes the OS vulnerable because it includes the middleware, making it much larger and more complex (a flaw in IE thus *IS* a flaw in the OS), and as such cannot be sand-boxed easily.
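The crash-and-debugger workflow in the post above, written out as an added Python harness (not code from the thread): it binary-searches for the input length at which a simulated target starts crashing, feeds a cyclic pattern to learn which input offset lands on the saved return address, and confirms control of that address before anything else is attempted. The target, its buffer size (4880) and return-address offset (4884) are constructed for this example and are not the figures the poster saw; against a real program the same three steps wrap a debugger or crash handler around the process instead of calling a function.

```python
import string

# Constructed layout for the simulated target (not the poster's numbers):
BUF_SIZE = 4880                      # bytes the fixed stack buffer holds safely
RET_OFFSET = 4884                    # input offset that lands on the saved return address
ORIGINAL_RET = b"\x90\x12\x40\x00"   # made-up return address into the caller


def simulated_target(data: bytes):
    """Stand-in for a program that copies its input into a fixed stack buffer
    with no length check.  Returns None when the input fits; otherwise a dict
    with the four bytes that would be popped into the instruction pointer on
    return.  Any write past the buffer corrupts the saved frame, so every
    longer input counts as a crash (a simplification: a real target with only
    its frame pointer clobbered may not fault until the caller returns)."""
    if len(data) <= BUF_SIZE:
        return None
    eip = bytearray(ORIGINAL_RET)
    spill = data[RET_OFFSET:RET_OFFSET + 4]
    eip[:len(spill)] = spill         # partial overwrite when the input is short
    return {"eip": bytes(eip)}


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern Aa0Aa1Aa2...: every 4-byte window is unique
    within one cycle (20280 bytes), so four bytes read out of a register map
    back to exactly one offset in the input."""
    out = bytearray()
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("requested length exceeds one pattern cycle")


def find_crash_length(target, lo: int = 1, hi: int = 8192) -> int:
    """Binary-search the smallest input length that makes `target` crash.
    Assumes that once an input crashes, every longer one does too (true for
    a plain overflow, not for every class of bug)."""
    if target(b"A" * hi) is None:
        raise RuntimeError(f"no crash with {hi} bytes; raise hi")
    while lo < hi:
        mid = (lo + hi) // 2
        if target(b"A" * mid) is None:
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_ret_offset(target, probe_len: int) -> int:
    """Crash the target with a cyclic pattern and look the faulting EIP up in
    it.  Returns -1 when EIP was not (fully) taken from our input."""
    pattern = cyclic_pattern(probe_len)
    crash = target(pattern)
    if crash is None:
        return -1
    return pattern.find(crash["eip"])


def triage(target, max_len: int = 8192) -> dict:
    """Find where crashes begin, then grow the probe until the return address
    is provably under our control."""
    crash_len = find_crash_length(target, hi=max_len)
    probe = crash_len
    while probe <= max_len:
        off = find_ret_offset(target, probe)
        if off >= 0:
            return {"crash_len": crash_len, "ret_offset": off, "probe_len": probe}
        probe += 64
    return {"crash_len": crash_len, "ret_offset": None, "probe_len": None}


def confirm_control(target, offset: int, total_len: int) -> bool:
    """Sanity check before going further: put a marker at the computed offset
    and verify that exactly that marker shows up as EIP."""
    payload = b"A" * offset + b"BBBB" + b"C" * (total_len - offset - 4)
    crash = target(payload)
    return crash is not None and crash["eip"] == b"BBBB"


if __name__ == "__main__":
    result = triage(simulated_target)
    print(result)    # crash_len 4881, ret_offset 4884
    print(confirm_control(simulated_target, result["ret_offset"], 5000))   # True
```

Note that the first crashing length (4881) and the controllable offset (4884) differ: the bytes in between land on the saved frame pointer, which is why the harness keeps lengthening the probe until the pattern, not the original value, comes back as EIP.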
REGEDIT4

; regsvr.reg, Copyright (c) 1997-1998, Chris Sells.
; All rights reserved. NO WARRANTIES ARE EXTENDED. USE AT YOUR OWN RISK.
; P.S. Enjoy and send comments to csells@sellsbrothers.com.
;
; Adds Explorer context-menu verbs to register and unregister COM DLLs,
; OCXs and EXEs, .tlbs in DLLs and EXEs, and .tlb and .odl files using
; VC6's regtlib.
;
; History:
; 5/13/99:
;   Took out registration for embedded
;   as it became too annoying.
; 1/12/98:
;   Added support for
; 10/25/98
;   Replaced %1 with %L to get long file name support.
;   (Thanks to Sergey Tetkin [SergeyT@vest.msk.ru] for the suggestion!)
; Sometime in early 1997: 1st release
;   Don, Tim, Keith and I were sitting around at a GCOM talking about
;   what a pain it was to perform self-registration and couldn't I
;   add a shell extension to augment the context menu (I had written
;   the Win95 course)? I said I could do even better than that and
;   this regfile was born.

; Register and Unregister COM DLLs and OCXs
[HKEY_CLASSES_ROOT\.dll]
@="dllfile"
[HKEY_CLASSES_ROOT\.ocx]
@="dllfile"
[HKEY_CLASSES_ROOT\dllfile\shell\Register COM Server\command]
@="regsvr32 \"%L\""
[HKEY_CLASSES_ROOT\dllfile\shell\Unregister COM Server\command]
@="regsvr32 /u \"%L\""

; Register and Unregister COM EXEs
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\Register COM Server\command]
@="\"%L\" /regserver"
[HKEY_CLASSES_ROOT\exefile\shell\Unregister COM Server\command]
@="\"%L\" /unregserver"

; Register COM TLBs
[HKEY_CLASSES_ROOT\.tlb]
@="typelib"
[HKEY_CLASSES_ROOT\typelib\shell\Register TypeLib\command]
@="regtlib -q \"%L\""
[HKEY_CLASSES_ROOT\typelib\shell\Unregister TypeLib\command]
@="regtlib -q -u \"%L\""

; Register COM TLBs listed in ODL
; (.odl is mapped to the odllib ProgID that the verbs below hang off)
[HKEY_CLASSES_ROOT\.odl]
@="odllib"
[HKEY_CLASSES_ROOT\odllib\shell\Register Imported TypeLibs\command]
@="regtlib -q -o \"%L\""
[HKEY_CLASSES_ROOT\odllib\shell\Unregister Imported TypeLibs\command]
@="regtlib -q -u -o \"%L\""

; Register COM TLBs in DLLs
;[HKEY_CLASSES_ROOT\dllfile\shell\Register Bundled TypeLib\command]
;@="regtlib -q \"%L\""
;[HKEY_CLASSES_ROOT\dllfile\shell\Unregister Bundled TypeLib\command]
;@="regtlib -q -u \"%L\""

; Register COM TLBs in EXEs
;[HKEY_CLASSES_ROOT\exefile\shell\Register Bundled TypeLib\command]
;@="regtlib -q \"%L\""
;[HKEY_CLASSES_ROOT\exefile\shell\Unregister Bundled TypeLib\command]
;@="regtlib -q -u \"%L\""
Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.
I'm not sure about the depth of the State's API and protocol information requests, but this is a perfectly valid statement if you assume detail means code, and it applies to OSS as well. By providing your source code, you provide black hats with an easily accessible opportunity to find your mistakes and use them against you. This is a fact you cannot avoid.
Of course, just describing how your protocols or APIs work should not be a security risk in most cases, unless MS has cut too many corners. As to whether we would see a noticeable increase in MS exploits, your guess is as good as mine.
"The area of penetration will no doubt be sensitive." ~ Spock
The idea that you can have users that are not admins but at the same time can make some changes (i.e. power users) is a good idea.
Using a *nix system requires having absolute permissions, which makes me nervous, even when I have the root account.
Did Microsoft not renew for the VS.NET ads they had on OSDN?
Again.. if they weren't a monopoly, it would be a non-issue. Could you imagine an embedded systems OS company refusing to reveal their APIs? I mean, the API *IS* the product.
Microsoft's goal isn't security through obscurity, but things being obscure doesn't hurt.
Just as an obscure password is harder to guess, undocumented API's make a system harder to crack.
I am amused by the name of the poster. Dave Cutler is the one who primarily designed NT, right?
The title is very misleading: :)
There is no question whatsoever that security through obscurity is no security in fact.
This means that a good design of OS/application, etc. and then an as good as possible implementation of it, is mandatory to achieve a really secure platform.
However, in the windows case, the platform is already here, it is not security oriented (or wasn't at first) hence all the flaws we all know about.
Now since everybody has 'root privileges', Microsoft is absolutely correct in stating that not disclosing all the API (let alone the source) does indeed increase security. (again, in an already flawed system).
Any cracker knows that when you are on a new project, whether it be dongle cracking, visual basic application cracking, visual C cracking, palm os cracking etc.. the very first thing you look for is all the available documentation of the API or the working internals of the baby you are about to "own"
You start softice and you look for this nasty register dialog box hmm.. ok so what does the API tell me.. hmm.. ok I'll try a breakpoint on this call... ok.. getwindowtexta ok... hmm... here it is...
Outside the cracking scope, it is still completely obvious that obscurity does increase security if you are on an already compromised system.
Say your little system has a flaw so by doing a little trick someone can get access... and a few actually get to do it.
Great... now let everybody know about it and watch your problems increase exponentially.
Of course this is not to mean you couldn't patch, but in a case like the whole windows OS, there is really not much you can do against crackers, this is beyond repair, and like it or not, obscurity is what works best too.
Yea right - IANAP so I'm not sure about their API's - but as far as protocols go - they wouldn't want to release details about them because they would be embarrassed about how BLOATED the code is. Come on - it's only taken them about 4 years to get TCP/IP right - wonder how the rest of it looks...
RFC 1925 - "(12) In protocol design, perfection has been reached not when there is nothing left to add, but when there is nothing left to take away." I know that its funny - but this RFC is really very true.
FreeBSD: Nothing runs like a daemon with a pitch fork.
Problem is, they already do. Wake up, Microsoft - closed source code has never stopped hackers before, and never will. If you want to do more "Trustworthy" computing, show us the code. After all, if you're not doing something wrong, what do you have to hide?
The second part of this Cringely column details the "Microsoft security fix", which includes 'embracing and extending' TCP/IP with a proprietary stack.
Read the article here: http://www.pbs.org/cringely/pulpit/pulpit20010802.html
--geethree
"The attack doesn't happen through the chat client, so as long as you have MSN Messenger installed, if I send you a special URL, I can own you,"
hmm using words like "own you" makes me suspect this is some spotty skript kiddie somewhere.
Netscape engineers are weenies.
regsvr32 -u whatever.dll
Why yes, yes you do. You have to work on the fact that you have a reputation for not having any security. There is a two step plan which is the only effective way to build that reputation in today's world:
Anything else is just masturbation, which I enjoy, but not when we're talking about securing systems and networks.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Bill Gates can't be a borg. Nothing that is part machine could tolerate such inconsistency. Only humans can say that 1=0 and believe it.
only humans, lawyers and politicians (3 distinct groups unless the lawyer goes into politics - then it's two distinct groups.)
And your grammar skills, apparently.
graspee
but if they don't they shouldn't be allowed to market products that get an unfair advantage by using the undisclosed information.
The race isn't always to the swift... but that's the way to bet!
About the MS Win32 API Source:
:P
There's an old saying that I think applies to this case:
If you could actually see what's under the fat lady (or Bill)'s dress, would you REALLY want to?
Be careful what you wish for, lest that fat lady give you a booty call
I'm sorry, there seems to be a typo in that sentence. Shouldn't there be a "not" or "doesn't" in there somewhere?
Got Rhinos?
Security through obscurity is a wonderful paradigm for the misinformed, arrogant intellectual that feels his or her ideas are above the understanding of everyone else. Rose-colored glasses, anyone?
Security through obscurity only works if the amount of time allowed to break into the system is limited. Time is not an issue in this case because the computer is in my house, under my control, 24x7x365.
In military cryptography it is assumed that the enemy knows how the cipher works. ONLY the secrecy of the keys protects the system from prying eyes.
Good luck Microsoft
A Google search turns up a few ways to put a UI on it. My favorite way is use a .REG file as described (and google-cached) here. The article also mentions putting a shortcut to regsvr32.exe on the desktop, then dragging and dropping DLLs and OCXs onto it.
What the heck are you talking about? OpenBSD 2.9 has had 26 patches since May 29, 2001. Not a single one of them was a remote hole (unless YOU did something stupid to open your system up to attack).
If it's a server in a vulnerable physical location where the employees like to crack the local systems, you had 26 patches to apply.
If the system was at your house and you were the only user, you didn't have to do anything. Even if it was connected to the internet. NO WORK NOTHING
openbsd.org -- Read it and weep windows users.
Read it and weep Microsoft. $4 billion on R&D and you have enough security breaches to keep a platoon of MCSEs busy year round.
are unprofessional and completely asinine. The articles are completely unrelated. Did Michael even read the article he attached before his mindless masturbation about "yet another remote root hole?" Windows has no concept of "root." What in the fuck is he babbling about? The article he attached is about Microsoft alerting customers about a hole. The title is "Microsoft Warns of Critical Instant Messaging Flaw." There is absolutely no mention of integration with Microsoft's operating system. Why the hell does he insist on bashing needlessly?
Dijkstra Considered Dead
Of course I can contact Microsoft, but they won't respond for the shorter of 4 months
Obviously you have never really contacted Microsoft, because they take security issues very seriously, and usually respond back to you within 24 hours (if you've discovered a real security problem)
Even then it usually takes two weeks for a hotfix that breaks half the software on the server, and then another two weeks for a fix for the fix that I can apply.
I don't know about you, but I've never had a hotfix on XP/2k/NT4 break anything. Follow the directions and it works fine.
Not All Who Wander Are Lost
That's NOT to say that OSS/FS is automatically more secure. But even proprietary vendors often describe their APIs and protocols, without claiming that this information will cause security problems.
Hiding the APIs and protocols has little hope in making a program secure if the program is widely available to attackers anyway. Attackers will just examine the software directly. What secures programs is diligence by the developers, combined with serious security review by independent people who know how to review software. Trying to hide the APIs and protocols is just begging for trouble, because then you won't get much help from the "good guys".
The cryptographic community learned this years ago; look at the process that was used to develop the Advanced Encryption Standard (AES). Clearly an encryption standard is critical for security, yet the standard was publicly analyzed for quite some time.
- David A. Wheeler (see my Secure Programming HOWTO)
I have already stated this. The vendor should specify the security level rating of the product. That is, offer some limited warranties.
Microsoft offers their products for home desktop users at a NO WARRANTY AT ALL level, same as with Open Source.
But competing firms in biz markets (say Sun, or whoever) could offer some higher security product (implied warranty, or public scrutiny of the source, private audits, etc). And financial firms, banks and the government should be forced to use products like this.
For Open Source, it would mean that companies would be able to audit the code for money and release it back to us. Also, they could provide warranties, or "prompt response" (warranty to solve an issue in a given timeframe), etc.
unfinished: (adj.)
So by saying that virus writers and crackers will run rampant if more information is released, they are effectively ADMITTING THAT THERE ARE MANY MORE BUGS FOR CRACKERS TO FIND..
It shows how much faith Microsoft really has in their products, once you cut through the marketing hype.
Even without access to the sourcecode, many vulnerabilities are already found... even compared to systems where the source is available such as Linux and OpenBSD.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
So what are they saying? - that the source code kept at MS HQ is basically a key to every MS based server in the world. The number of MS servers that store private data for me is scary - anyone who has access to the source code has my data - bank details, mail, accounts, it's all theirs, and I'm not sure how much I trust the current owners, let alone anyone who stole it. It's amazing how the world got into the mess of using MS on a large scale, even though they write some of the world's worst software. It just mirrors what I see everyday - good people, good ideas, good things are all crushed by assholes and stupid ideas and products for some reason. Kinda reminds me of the "asshole theory" on everything2.com
This comment does not represent the views or opinions of the user.
there are disassemblers available that show you what's REALLY in your code.
:-) These T00LZ make life so much easier.
They'll overlay a linkage symbol table file if you've got one but its just a suggestion (obfuscation?) Some will let you overlay multiple symbol tables and create concordances between versions.
3L33t HAXORZ don't need no stinkin' symbol table.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Swear to god, I think the next headline we're going to see is:
MICROSOFT TO STATES: SETTLEMENT COULD LEAD TO DANCING
AMCGLTD.COM. Where cats, science fictio
A very well known fact in information security management is that no matter how well you try to hide your implementation, somebody will figure it out.
Microsoft, and a majority of the companies online have moved to a posture where they have given up on actually trying to develop secure software and instead demand that the government, and lawyers "handle" the security of the software. If someone breaks the security, instead of fixing the problem, Microsoft sues them, sues us, sues you, etc. Until everyone is sued who in someway was related to the exploit, and Microsoft is bleeding rich.
The DMCA is a half-hearted attempt by companies with no skilled cryptographers, or programmers. Who have realized that unless they spend the big bucks to create an effective code, their codes will be broken. Anyone in the info sec sector will be able to tell you that encryptions do exist that are basically unbreakable, but the companies standing behind incompetence and these useless laws attempt to avoid actually doing the work required of them.
Microsoft does it with its operating systems (thus why they cannot release the code without large fear of security problems being discovered.)
DeCSS is the same thing, an algorithm that was reasonably easy to crack that they depended on laws to cover up.
And... unfortunately, there will be more of this until the government realizes that it's not their job to clean up after a commercial company's mistakes in security.
--Anonymous Coward-- and darn proud of it.
This is nothing more than JC (hmmmm, interesting initials) throwing up a smokescreen. FUD. It is a pathetic play to the judge so they don't have to play fair. Boo hoo, I feel so bad for them. At least, if they lose this case, they'll be able to blame all future security problems in Windows on the judge.
This may be a completely alien concept to you, coming from a windows background, but linux has these little things called "accounts". If you don't set a password for such an account, anyone can login to it. If someone gets into the account called "root" they can do whatever they want with your system.
I used pop3 through a telnet client back in my winDOS days to avoid outlook worms. I had constant blue screens of death, and my computer was exploited several times.
Now I use linux, and BSDs on my network, with linux on my desktop, laptop, palmop, and primary server. They have never been broken into since I made the switch. I went to no great lengths to secure them. I don't have an army of virus scanners. I don't have my webserver hidden behind a firewall and a transparent http proxy. I don't need any of that anymore.
Tux is my pal, and I personally blame Linus Torvalds for this. It is his fault that I don't get to DoS people for breaking into my server. I no longer get to spend weeks of my worthless time hunting down bugs that I won't be able to fix. And most importantly, I can't run all those love.exe and sircam.exe files that all of my friends email me!!!!
You're the man Linus.
You're the penguin Tux!!!
I don't know about you, but I've never had a hotfix on XP/2k/NT4 break anything. Follow the directions and it works fine.
And you run how many boxes? Look at these:
Windows 2000 SP1 Breaks Hotfix for Q260353
Security Update MS00-024 Breaks SHGetFolderPath in Shfolder.dll
PRB: Cannot Use MSXML 3.0 Functionality After You Install MSXML 4.0 Security Patch
And these are just *some*, mind you some, of the problems which can arise if you install a security patch.
Just because you haven't experienced it, doesn't mean automatically that it cannot happen.
it is IMPOSSIBLE to create bug-free or totally secure software. Anyone with a BS in CS knows that. You can try hard...VERY hard, but there is always a loophole somewhere. Plus you can only spend so much money on a project before it becomes overbudget (even for MS. It's not how much money you have, it's how much the project will bring in, in relation to how much it costs...)
This is not true. There are many programs (e.g. "hello world") which are completely free of bugs, and there are several (admittedly low-functionality) network-aware products which cannot be remotely compromised. It would be more accurate to say that currently known methods of specification and verification make it financially unreasonable to create large, provably correct software systems.
Can you give any theoretical obstructions to the possibility of a bug-free OS or application? Gödel incompleteness is inapplicable here, but I have no CS BS, so I may be unenlightened.