Reliance On MS A Danger To National Security
An anonymous reader writes "A panel of leading security experts Wednesday blasted Microsoft for vulnerabilities in its software, and warned that reliance on the Redmond, Wash.-based developer's software is a danger to both enterprises and national security." (Even OpenBSD might be bad if it was the only game in town.) M : The report (pdf) makes good reading.
You need to study more math: 10% of web servers, 10% of desktops, and 10% of back-end (DB, etc.) stuff does not equal 30%.
A + B + C = D
10% of A + 10% of B + 10% of C = 10% of D
I know it's OT, but OpenBSD is probably running all of the services in the default install that you'll ever use.
It's already running a hardened Apache, Sendmail, and OpenSSH and has PF installed and ready to go. What else would you plan on using an OpenBSD box for?
Personally, I'd guess that those programs probably perform 90% of the functions that people use OpenBSD for.
And the muscular cyborg German dudes dance with sexy French Canadians
this so-called expert report is just Gates-bashing
Umm, if you actually read the article, you'd see that there were seven authors of this "gates-bashing" report. Two of which stand out: Dan Geer and Bruce Schneier. Dan Geer being the chief technology officer of @Stake, a security consulting firm. (Ever heard of L0phtCrack?) And Bruce Schneier is famous for his work with cryptography research (ever heard of twofish? blowfish, maybe?), but works for Counterpane Security Consulting firm.
These guys probably detest MS, but I'm sure they're not willing to sacrifice their credibility just to produce a stupid report just to bash gates.
...small furry creatures from Alpha Centauri...
How many computers was Iraq's government relying on? (that's a serious question, I really don't know)
Quite a few.
They even had mobile server racks.
http://jesus.everdense.com/
Amusingly enough the above quote is completely in error.
The report was authored by:
Daniel Geer, Sc.D - Chief Technical Officer, @Stake
Charles P. Pfleeger, Ph.D - Master Security Architect, Exodus Communications, Inc.
Bruce Schneier - Founder, Chief Technical Officer, Counterpane Internet Security
John S. Quarterman - Founder, InternetPerils, Matrix NetSystems, Inc.
Perry Metzger - Independent Consultant
Rebecca Bace - CEO, Infidel
Peter Gutmann - Researcher, Department of Computer Science, University of Auckland
Of which Bruce Schneier is probably the most famous; he came up with Blowfish, Twofish and the Solitaire encryption (that was mentioned in Neal Stephenson's novel Cryptonomicon).
I highly recommend following Schneier's regular column on security at the Counterpane web site. ( http://www.counterpane.com/crypto-gram.html )
First of all, welcome to Slashdot, where prejudices are as regular as the sunrise (or more so). If you want a prejudice-free environment, go elsewhere.
As to the security of OpenBSD (and I suppose everyone should take my comment with a grain of salt, since I run it on my servers), show me another OS with privilege separation, practically no suid programs, a chroot()'ed Apache, integrated ProPolice support, etc., ad nauseam. For heaven's sake, with 3.4 they're switching i386 from a.out to ELF -- forcing all of us i386 users to install from scratch -- simply because it's harder to crack. Show me any other OS that will go to such extremes for security, and maybe I'll quit glorifying OpenBSD.
How To Get Humans To Mars
Imagine for a moment that you were right[1] about the author's credentials. That would make him the IDEAL spokesman for a very valid idea: that a software monoculture (even if it were a good one, rather than a MS monoculture) is BAD.
Think about this: who listens to lobbyists? Why, Senators and Congresscritters do! The very people we're going to have to convince on this issue, to have a prayer of overcoming the bureaucrat's resistance to change. If the authors include some lobbyists, that would be a great thing.
Imagine that! IBM, Oracle and Sun bashing Microsoft.
The idea that software monocultures are bad, and MS's products are insecure, is correct. It's true even if SCO or Satan says it. You should avoid ad hominem attacks; they make the attacker look silly.
[1] The authors, by the way, were (from the pdf):
Some of these people know what they're talking about. Some are respectable in political circles. That's all good.
See what I've been reading.
even though Linux servers are the most attacked/breached or whatever, when mom and pop ISP #1231 gets '0WNZORD', it doesn't cause the gigantic ripple effect of every server on the 'net falling over, unlike a Windows box.
--snip--
Compare this with most Windows boxes, which, when one is cracked, it automatically turns and attacks more
You're taking one example, and extrapolating that all worms are like that and, moreover, that the actions of the worm are some sort of indication of the underlying operating system.
- You're conveniently forgetting the Morris worm (if you're allowed to delve into history, so am I) and the Lion worm.
- You say that people get the permissions of the logged-in user (if a Linux "box" gets compromised) - this is no different from Windows. It is only considered different because most people are admins of their own Windows PC. This is not the default, and shows how badly most Windows environments are run.
- You say Windows programs need to have the user logged in as admin. This is rarely the case, but when it is you can blame the programmer, not Windows.
- Besides, crackers generally get in by attacking Internet accessible services/daemons, not the underlying OS.
Whoever modded this guy up needs to learn to think before they apply the "this comment says Linux is better than Windows" rule.
Worms like the Ramen and Lion worm are a good example of what happens when a company doesn't take security into consideration.
That said, it's nice that companies like Redhat have learned from their past mistakes, and now disable network services by default, and really push a personal firewall onto you.
There is no need to listen on network ports by default. If someone needs to share something, make them take the conscious effort of turning it on themselves.
Anyway, Microsoft is most certainly guilty of not paying enough attention to security issues, and they deserve to be blasted for it, just as Redhat deserved to be blasted for enabling ftp servers and such by default in the pre-Redhat 7.1 (2?) days.
Why do I keep typing pythong?
One, well let's see: Welchia, Blaster, Klez, LoveBug, just to name a few off the top of my head. NONE of those really involve "delving into history"; ALL of them are still actively spreading. Welchia successfully shut down the internet in general for OVER A WEEK! Even during the brief periods you could get on, it CRAWLED... pick any ISP, didn't matter.
"This is not the default": not sure what version of "Windows" you're using, but every version I've ever seen DOES default to full administrative privs. In fact the only version I remember even giving an option to create additional users is XP. And XP does so with the implication that the administrative account is the "primary user" or whoever owns the computer, instead of making it clear that it should only be used for maintenance and not day-to-day use by ANYONE. (Yes, I realize if you know what you're doing you can create additional users on any NT system, but XP is the only one that PROMPTS you to do so, and if you only create that one it gives it full admin privs in ADDITION to Administrator.) Also, unless explicitly restricted, on most versions of Windows unprivileged users have access to NUMEROUS critical files, and if ANY user downloads a virus it quickly has access to everything.
"Besides, crackers generally get in by attacking Internet accessible services/daemons, not the underlying OS."
True, but last I checked Microsoft considers OE, IE, IIS, the list goes on, ALL part of the operating system. And Welchia and Blaster definitely exploit a service WELL into the zone MS considers part of the operating system.
the number one guy gets picked on the most, and exploited the most
I think that's arguably not true in the web server market, in which Apache pretty clearly dominates. I've been curious for a while to see if anyone would do a study between Apache and IIS comparing rates of security hole discovery, average time to patch/update release, and average time between release and install. My suspicion is that despite being the clear market leader, Apache's stats in this regard are competitive with IIS.
I think Microsoft's spin "we're picked on because we're number one, it's a terrible burden to carry but we do it" is brilliant, but there are few mass markets in which to test that theory. The Apache vs IIS comparison is a great one.
Tweet, tweet.
Yeah, yeah, and look at what the panel actually said rather than the Slashdot headline interpreting it. The effect is kind of like Fox News commenting on Wes Clark running for president, headlined 'Hillary to run in 2004?'; by the end of the piece they were discussing the fact that Chelsea is not allowed to run until 2016 at the earliest.
Bruce says a lot that makes sense. He also unfortunately says quite a lot that really needs a bit more thought, like the time he went after the design of IPSEC with a report that identified a bunch of security 'holes' that were actually well known, fully discussed and irrelevant.
The flaw in the biological analogy that he uses is that biological viruses evolve through Darwinian processes, survival of the fittest. Viruses evolve through a Lamarckian process: their creators do analyse the environmental challenges they face and adapt in direct and planned responses to those changes.
The result is that simple hybridity does very little for security. There are already examples of viruses that have been designed to exploit multiple vulnerabilities on different platforms - the Morris worm itself was intended to exploit multiple vulnerabilities on the same platform.
If you think that Unix is such a great security architecture, take a look at the C language and the APIs in the standard C runtime. The buffer overrun problem was almost non-existent before C. Fortran, Algol and even Basic always supported array bounds checking (OK, some Fortrans made you turn it on). Then along came C with the loosey-goosey null-terminated strings and array pointers without bounds specifiers.
The APIs of the standard C runtime are not much better; look at the way that functions like atoi signal that the user gave invalid input (they don't). I just spent an hour chasing down a bug in some code I wrote that turned out to be due to a math overflow when multiplying two integers. Fortunately I caught the problem because I had some assertions set up to check for weird results. But every other language would have signalled a math overflow.
And so it goes on. UNIX is a journeyman operating system. The architecture looks good to the untrained eye but when you look real close you start to realise that the fancy raised panel doors with brass knobs are an after market 'refacing job' and behind them the cabinet frames are made out of chipboard and really don't give enough support for the heavy granite counter top that has been added.
I don't see much evidence of defensive programming or security engineering methodology when looking at UNIX code.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
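An added example (not from the comment or the report) in C, showing both failure modes the comment names, atoi() giving no error signal for bad input and signed multiplication giving none for overflow, next to the checked alternatives. It assumes GCC or Clang for the __builtin_mul_overflow extension.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Strict replacement for atoi(): the whole string must be a decimal
 * integer that fits in an int. Returns false (leaving *out untouched)
 * on empty input, trailing garbage, or out-of-range values, the very
 * cases atoi() cannot report. */
bool parse_int_strict(const char *s, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0')
        return false;                 /* nothing parsed, or "12abc" */
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return false;                 /* does not fit in an int */
    *out = (int)v;
    return true;
}

/* Checked multiplication: report overflow up front instead of hoping an
 * assertion notices a weird result later. __builtin_mul_overflow is a
 * GCC/Clang extension (assumed compiler here). */
bool mul_checked(int a, int b, int *out)
{
    return !__builtin_mul_overflow(a, b, out);
}

int main(void)
{
    /* atoi() returns 12 for "12abc" and 0 for "", with no way to tell
     * "bad input" from a legitimate 12 or 0. */
    printf("atoi(\"12abc\") = %d, atoi(\"\") = %d\n", atoi("12abc"), atoi(""));

    const char *inputs[] = { "42", "12abc", "", "99999999999" };  /* constructed */
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        int v = 0;
        bool ok = parse_int_strict(inputs[i], &v);
        printf("strict(\"%s\") -> %s\n", inputs[i], ok ? "accepted" : "rejected");
    }

    int r = 0;
    printf("46340*46340 %s\n", mul_checked(46340, 46340, &r) ? "fits" : "overflows");
    printf("46341*46341 %s\n", mul_checked(46341, 46341, &r) ? "fits" : "overflows");
    return 0;
}
```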
what on earth has admin access got to do with most of these worms?...pretty simple attacks, sending out internet messages...what user...will not have privileges to send out these messages?
It's not sending them out that needs admin privileges...it's receiving them. You can't modify system files on a Linux machine without admin access, so receiving a worm/virus/etc. by a service not running as admin would have no effect on the system. Very few network services on Linux run as admin by default.
Remember the latest worm asks the user to install a 'security patch'. How many Linux users would run that?
Well, probably very few. For a start, when something claims to come from Microsoft Security Division (strange...the way Windows runs, I didn't even think they had one of these.....) of course somebody's going to try to install it on Windows.
When you get a patch claiming to be from RedHat, why the heck would you install it on your Mandrake machine? Even newbies wouldn't do this.
Another thing....when you get a file as an attachment in an email on a Linux box, there is no way (not just no way because the mail program doesn't have that functionality...there actually is no way) for it to be executed automatically.
Linux doesn't decide a file is executable because it ends with a .exe filename extension. There are permissions built right into the filesystem that say whether something is executable or not. Without the executable permission set, that file cannot be run. Period.
Since most clueless users won't know how to change permissions (don't get all hoity-toity about how Linux is hard. Do most users know how to change permissions on a Windows system? I doubt it.), all of a sudden there won't be any "Gee, it said it was from Red Hat so I just opened it, and now my computer won't boot!" problems. Even if they do know how to change permissions, there's much more time for the thought of "Should I actually be running this program?" when you have to save it, start your file manager, find the file, change the permissions, then execute it, rather than just clicking the link right in the email message.
imagine a linux worm emailed to everyone saying run this binary without an extension.
As I've already said, on Linux it's not an executable binary until the end user makes it an executable binary. Much more secure than the Windows world.
for their convenience, and because they forget where they saved the attachment to otherwise.
Well, since on Linux everybody has their own home directory, and can't save crap loads of stuff to the equivalent of C:\ since they don't have write permission to it, it's much simpler for a user to be able to find a file when they've saved it. Just open the "Home Directory" icon on your desktop. Open any file manager of your choice. Start a command prompt. Anything you'd like, they'll all open up in the spot where you saved the file, unless you specifically saved it somewhere else. And if you did that, but don't remember where you saved it, there are bigger problems with your brain than with your computer.
I wish people would get a more unbiased view on these things
What you propose as an alternative to what you see as an unbiased view is actually an uneducated view. To me, that's much worse.
"City hall" in German is "Rathaus". Kinda explains a few things......