Slashdot Mirror
Microsoft's Goal, Security Through Obscurity?
dave cutler writes "Salon has an amusing little wire article claiming that Microsoft argues that were
they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks." Update: 05/09 13:59 GMT by M : The benefit to customers of Microsoft integrating internet services into the operating system, as well as Microsoft's commitment to security, are exemplified in this article which notes yet another remote root hole in Microsoft's code.
TRILLIAN CONTAINS NO MICROSOFT CODE. THIS IS A FLAW IN MICROSOFT'S CODE, NOT THE PROTOCOL.
WTF was the author on?? HTF can he say this? It's blatantly wrong.
p.s. I'm a Trillian user.
"Evil will always triumph because good is dumb." -- Dark Helmet
Not quite.
More like security through brillantly designed APIs. See, rather than letting Windows get cracked, MS cleverly designed the APIs to crash the system first. Everytime you see a BSOD, you should thank MS that they prevented a evil hacker from taking over your system. And if MS let people see their APIs, they could stop the APIs from crashing the system in response to hack attempts, leaving all Windows users vurnable with a non-crashing insecure Windows!
-Henry
"Useless organic meatbag" -HK-47
Wow, now that's really something, seeing as how Microsoft doesn't even have the concept of Root.
Yes, its true that the security through obscurity claims of MS seem like blowing smoke, but obscurity is an accepted security paradigm. Any CS course in security outta mention it, and you can read about it in "Security in Computing" by Pfleeger. Its always been my stance, however, that MS is taking the obscurity stance to propagate their business model and NOT to better security.
Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.
It would. It's not a good excuse, but it is true. In the short term, Microsoft cracks would increase.
...that they are partially correct and justified in hiding certain secret keys as ways of preventing unauthorized use of products.
But that's an oversimplification that I'm afraid the lawyers and the court won't be able to clearly pick apart. Even the Microsoft VP testimony about the issue was sprinkled with constant reminders that this was "a confusing" technology. It is confusing. But it's essential for everyone to understand what it's purpose is and how it can be misused, too.
The part that rubs the wrong way, of course, is that the exact same arguments could be used to prevent a competitive implementation of an interface that Microsoft wants to own for themselves.
"Provided by the management for your protection."
"I guess it's a matter of how hard you make it," Allchin replied. "We have to work on our reputation for security in the marketplace." from Jim Allchin, who oversees the Windows operating system.
Gee ... I guess that's why theres so FEW reported news stories about the hacking of Windows ... and so MANY stories about the hacking of Linux.
Karma? Karma? I don't need no stinkin' karma.
*pauses to wipe coffee off monitor*
Three arguments against Microsoft's position: .Net was released to the wild before the "official" .Net specification.
Nimda.
Code Red.
The fact that a virus framework for
No, I don't believe them, not for a second. I'd sooner trust an armada of politicians and their attendant [strike]lackeys[/strike] lawyers.
'Nuff said.
All the world's an analog stage, and digital circuits play only bit parts.
I firmly believe that software should be held accountable to liability laws and consumer rights laws. Microsoft has repeatedly fought laws designed to provide these protections and re-written their EULAs to provide no liability whatsoever. Compare the EULA for MS Office from 1995 to todays. About ten times as long, with each additional page reducing their liability and increasing yours.
More FUD from Microsoft. Their legal department must have more employees than their coding department by now.
hmmm... i'm think i'm going to write a book. and then, on page 156, I'm going to include my IP address and root password. And then, I'm going to make sure that every copy of the book has it's covers bound together tightly together so that it can not be opened without extreme difficulty. Then I'm going to sell the book for $50 dollars a copy(aw hell, why not make it a hundred). And then, If anyone who buys my book actually tries to open it, I'm just going to have to sue them for every penny they have because, goddammit my root password's in their(didn't they read the EULA that came on the complimentary bookmark?).
lysergically yours
One word: Debian.
Put security.debian.org in your sources.list conf file, and then the standard 'apt-get dist-upgrade' procedure will simply, automagically plug those naaaaasty holes. Debian might not be the best distro for everything, but it's great security-wise for a reason.
-- B.
This sig does in fact not have the property it claims not to have.
Microsoft is clearly ignoring history here. They should learn from the example of one of the oldest open-source programs out there. Clearly if there are lessons to be learned, we should learn from this piece of brilliantly designed software.
Of course, I am speaking of Sendmail.
Oops...
Sometimes it's best to just let stupid people be stupid.
The OSS community typically acts a lot more quickly than Microsoft has on security problems... when security flaws are found on Windows the patches usually take longer to release.
Also... security flaws under *NIX systems usually are limited to one service... not the Internet Explorer/Outlook Express/MS Messenger Core OS holes that seem to plague MS since everything is so entwined.
Bill Gates can't be a borg. Nothing that is part machine could tolerate such inconsistency. Only humans can say that 1=0 and believe it.
In an advisory today, Eeye warned that the flaw in the "MSN Chat OCX control" enables an attacker to "supply and execute code on any machine on which MSN Messenger with the ActiveX is installed."
In other words, if those components are installed, even if you don't use them, you are at risk. You're right, it has nothing to do with Trillian.
The author is right, completely right. Try reading next time.
"The more creators of viruses know about how antivirus mechanisms in Windows operating systems work, the easier it will be to create viruses or disable or destroy those mechanisms," Allchin testified.
Allchin also warned that if Microsoft were compelled to disclose all the APIs and technical information the states are asking for, digital rights management would be compromised.
From Tuesday, news.com http://news.com.com/2100-1001-900905.html
However, what most people miss is that obscured code STILL needs to be audited by a neutral third-party. This is where Microsoft fails - they don't appear to have their code audited. Or, if they do, their auditors should be fired.
Security through obscurity should also not be your ONLY parameter. An obscured system should still be using encryption, should still be testing input, and shouldn't have any buffer overflow exploits.
Obscurity can be used effectively. It's not a do-all, be-all, and end-all.
If these security vulnerabilities are so easy and obvious from reading the APIs, then why can't Microsoft's programmers find and close the security holes before someone finds them? Don't they read and adhere to their own APIs?
If releasing the APIs means someone is going to easily figure out a way to damage the system, that just demonstrates that Microsoft isnt even trying to secure their products.
Darth --
Nil Mortifi, Sine Lucre
"In an advisory today, Eeye warned that the flaw in the "MSN Chat OCX control" enables an attacker to "supply and execute code on any machine on which MSN Messenger with the ActiveX is installed."
As a result, even non-active Messenger users, or those who access the service using a third-party product such as Trillian, should upgrade to the new MSN Chat control.
'The attack doesn't happen through the chat client, so as long as you have MSN Messenger installed, if I send you a special URL, I can own you,' said Marc Maiffret, Eeye's 'chief hacking officer.'"
i'm sure marc actually said, "1 c4n 0wN j00," but the washington post author didn't know what the hell he was talking about.
---
I'm just an ordinary man with nothing to lose.
"....frequent security flaws in Linux and Apache. To continue the analogy, there are so many holes, it looks like a golf course."
I'd rather have a golf course (18 holes per 40 hectares) than swiss cheese (18 holes per pound).
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
On DOS boxen (including, of course, all the non-VMS derived Windows releases, which boot COMMAND.COM and are thus DOS based) all local users are root superusers.
Proof of concept: On a Windows 98 machine, cancel the "windows login" and start a DOS session. Now delete the entire filesystem (including hidden, system, and read-only files). Tada, it works, you are ROOT.
On VMS-derived windows (such as all versions of Windows NT and of course Windows 2K) the root superuser account is named "Administrator" and is directly analogous to Unix "root"
One of the reasons MS can't effectively compete against linux and the BSDs in the server market is that their systems include this same fatal weakness. At least *nix is stable!
Incidentally, now that linux has "capabilities" built into the kernel, and Linus wants to put a resource handle into the filesystem API, the groundwork has been laid to get rid of this stupid root superuser concept and create a real successor to Unix rather than just a clone. Hopefully linux (or perhaps the Hurd) will one day incorporate all the strengths of Unix while jettisoning ancient kludges like "root" and the primitive "rwxrwxrwx" access control system.
--Charlie
Microsoft Reveals Anti-Disclosure Plan
(emphasis in original)
Sig: What Happened To The Censorware Project (censorware.org)
I wonder if it is a coincidence? The poster of this article. There is a Dave Cutler at Microsoft who used to be the lead designer of NT who used to be the lead designer of VMS. There is an interesting Urban Legend about that too.
This is a boring sig
My objection has always been that almost all of the most popular viruses, hacks, and backdoors have been discovered or created by accident.
These bugs are not discovered by accident. There are people (both good and bad) that spend many hours a day looking for these exploits. They do everything they can to find cracks in the armor of any package (be it Slashdot, windows XP or whatever).
And when the good guys find it, they publish information about it so it can be quickly patched and fixed. If the bad guys find it, then it gets posted where the script kiddies can find it. Under no circumstances think that these holes are found by accident. Thats as crazy as thinking that a high school student can sit down and guess the root password at NATO in three tries.
Now that I've done a little research, I see this as a naive view. For one thing, it doesn't explain the frequent security flaws in Linux and Apache.
All programmers write security holes at some time in their life. Having a buffer overrun or a security hole is not exclusive to Microsoft programmers, everybody does it.
The thing that you fail to understand is that since the same security flaws are going to exist in both open source and propriatary software, the security risk is the same for both sides. But, if the open source is openly available, then the white hats can quickly attack it and publish the exploits before the black hats have a chance to use it.
For propritary software, the crackers need to wait for the software to go into the wild. Once it is widly distributed, then they start attacking it slowly. The white hats start examining it too, but without the benifit of the code, they can only move as fast as the crackers. Some times the good guys win, and the exploits are published (and hopefully fixed). Some times the bad guys win,
and you get a Melissa virus.
This suggests that it is far more harmful to publish this info (which really isn't helpful to users anyway) than to keep it secret, where it can do no harm.
Don't for a minute think that obscurity is going to prevent an exploit from being discovered and used. The only think obscurity can do is prevent somebody from finding the bug, and informing the proper people so that it can be fixed before further damange can be done.
All programmers make mistakes. You can either hide those mistakes away and wrongly hope that somebody isn't going to find it, or you can get your mistakes exposed to the world and get them fixed quickly and efficiently.
Do you have Linux and a DotPal? Click here now!
It's my impression that those holes are, in the large majority of cases, discovered by people auditing and examining the code. The auditors then publicize the flaws. I frequently see advisories of the form, "no known current exploits, but..."
On the other hand, security flaws in Windows seem to become publicised when they are used in an attack, too late for many.
PHEM - party like it's 1997-2003!
"For one thing, it doesn't explain the frequent security flaws in Linux and Apache. To continue the analogy, there are so many holes, it looks like a golf course."
From the SecurityFocus vulnerability db:
IIS since 5.0 - 56 entries
Apache since 1.3.17 - 7 entries
Your argument is flawed at best, outright FUD at worst.
LEXX
"Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
Quite frankly, I think the "wizards" are a bad idea in Linux. They insulate the user from understanding the underpinnings of the OS.
The fexibility and strength of Linux come at a price - there certianly is a degree of complexity in config and admin. However, hacked 4 times? That doesn't make sense. Go and shut off unused services and block ALL ports except those needed.p? BTW, pardon my rude responses. I'm having a bad day and you happened to catch the brunt of my irritation. Regardless of the fact that I strongly disagree with your points, such responses are not needed.
Computer Science is Applied Philosophy
And Microsoft still crashes a lot.
You are running some program and do something interesting, like accidently pasting a text document onto a URL and something crashes. Ah. Try it again. OK, if it is over 4800 or so bytes it crashes, bring up the debugger. Ah, at 4894 is the stack where the IP...
Here is the specific difference between closed and open models.
If I find it on Microsoft, about the only thing I can do is write a sploit for the skript kiddiez. Of course I can contact Microsoft, but they won't respond for the shorter of 4 months, or when the skript kiddiez get going. Even then it usually takes two weeks for a hotfix that breaks half the software on the server, and then another two weeks for a fix for the fix that I can apply. [Don't worry, I haven't run anything from Microsoft for several months and hope to stay Microsoft Free as much as possible].
If I find it on GNU/BSD/Linux, I pull up the source, add a test or whatever I deem appropriate and send a patch with a description of the problem and fix to the maintainer along with a little chiding about how embarrassing it should be to have such a hole. And the minor version is incremented the next day, so everyone doing apt-get regularly won't be affected, and in a few days every distribution will have it added to the security update section.
Even if I had the source to Micros... I probably wouldn't have enough to recompile or fix things. I could find the line of code causing the problem, but anyone who can write a sploit can read disassembly.
Microsoft's integration makes the problem worse since any problem with what should be middleware runs in the OS. A Netscape flaw on Linux wouldn't get you root (at least not directly - you would have to find a suid flawed program). But any problem with Outlook and/or IE gives you more than enough to cause problems.
Again, and to summarize, any software defect has a good potential to be exploited, without the source, so simply running something until it crashes (at least on MS) is a much more productive way to mine for exploitable security holes than reading through the source. The integration within MS software (the browser is part of the OS) makes the OS vulnerable because it includes the middleware, making it much larger and more complex (a flaw in IE thus *IS* a flaw in the OS), and as such cannot be sand-boxed easily.
Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.
I'm not sure about the depth of the State's API and protocol information requests, but this is a perfectly valid statement if you assume detail means code, and it applies to OSS as well. By providing your source code, you provide black hats with an easily accessible opportunity to find your mistakes and use them against you. This is a fact you cannot avoid.
Of course, just describing how your protocols or APIs work should not be a security risk in most cases, unless MS has cut too many corners. As to whether we would see a noticeable increase in MS exploits, your guess is as good as mine.
"The area of penetration will no doubt be sensitive." ~ Spock