Slashdot Mirror
Microsoft: As of October, 1024-Bit Certs Are the New Minimum
way2trivial writes with this snippet from Information Week about a warning from Microsoft reminding Windows administrators that an update scheduled for October 9th will require a higher standard for digital certificates. "That warning comes as Microsoft prepares to release an automatic security update for Windows on Oct. 9, 2012, that will make longer key lengths mandatory for all digital certificates that touch Windows systems. ... Internet Explorer won't be able to access any website secured using an RSA digital certificate with a key length of less than 1,024 bits. ActiveX controls might be blocked, users might not be able to install applications, and Outlook 2010 won't be able to encrypt or digitally sign emails, or communicate with an Exchange server for SSL/TLS communications."
System have the ability to go further, why not make 2048 the minimum? Does anyone know why 1024 was selected? I would guess it has to do with some backwards compatibility with something. Some of the issuers are making it next to impossible to go below 2048.
Threat model. If Microsoft hacks you, then you sue. The government can get anything you have anyway, so need to hack you. This is how business people think. They don't think about how any backdoor can and will be found by (or just plain out sold to) the bad guys too.
just because it is closed source doesn't mean people can't read the source. thousands of universities and government agencies and even other organisations have access to the source code for windows for development purposes, security evaluation purposes and research purposes.
Way to go Microsoft! As everyone moves to 2048 bit keys, let me be the first to welcome you to 2002.
We could've gotten notification a week or two after the update.
This is gonna be a pain in the butt though =\
On the bright side things will be more secure!
TechRepublic noted this a while ago and provided detailed instructions on how to work-around the issue.
"Maybe this world is another planet's hell"
Aldous Huxley
Wouldn't be much of an OS if it didn't have a reach-around.
If Microsoft hacks you, then you sue.
a) if MS hacks you, you'd never know it b) they have lawyers that will have you run crying to your mommy.
The government can get anything you have anyway, so need to hack you.
You have way too much faith in the government's ability to gather information. Also, they have to convince a jury with whatever they have and "we're the government so we just know" will generally not cut it.
You are naive to think Windows isn't backdoored. Imagine you're MS and some 3 letter agency comes knocking with the justice department on speed dial. Do you really MS is going to say no? Do you think they did last time when they got miraculously let off?
just because it is closed source doesn't mean people can't read the source. thousands of universities and government agencies and even other organisations have access to the source code for windows for development purposes, security evaluation purposes and research purposes.
Do you actually think MS would be stupid enough to leave backdoors in the code they hand out? It's not like those universities or governments have access to MS' internal version control. All MS has to do is give a cleaned up version of the source and actually ship anything they like.
Do you oversee Red Hat's build servers? Did you oversee Debian's SSH build when they fucked it up?
Erm, I'm pretty sure he used the words "have access to" not "have actually audited".
Specifically meaning that in theory they could audit the code.
As opposed to Open Source where people don't just AUDIT code, they actually FIX bugs and security failures and submit the changes back to the origin.
Visit CryptoGnome in his home.
Just switch to Linux. Do you really need them telling you what you have to do?
* Carthago Delenda Est *
Did you oversee Debian's SSH build when they fucked it up?
I did. I'm sorry, but that week the NSA check came late, so I wasn't able to make the compromises less obvious.
They paid up later.
That many institutions have access to MS Source Code is kinda like instituting a needle-inna-haystack search.
Yes you might find a needle, but unless you're a needle-collector or perhaps a seamstress what in this universe d'you think you're gonna do with it?
At least with Open Source you can
(1) fix the problem with the code
(2) submit the code back to The Author
(3) expect that The Author will either accept the fix as is or perhaps integrate the solution with more elegance
Sure not *always* but the expectation would be more-often-than-not your fix (in one form or another) reaches the wider community of users.
Visit CryptoGnome in his home.
No matter how few people actually read through the Linux kernel code, it's sufficiently open that blatant backdoors are not going to be inserted.
Open source suffers from quasi-religious stuff too, as you just demonstrated with your claim. Ken Thompson, of Bell Labs and Unix and C fame - the "K" in K&R, demonstrates the insufficiency of being able to read the source code.
http://cm.bell-labs.com/who/ken/trust.html
With countless malware authors out there digging through the NT kernel with SICE and the like you'd assume that such a preexisting backdoor would've already been found and actively exploited in the wild, raw ASM dumps are just as good as source code would ever be if you know how to read them (yes, by that definition everything is open source).
(same AC)
Oh on the contrary, I'm sure Windows is backdoored. Probably multiple times by multiple agencies working for multiple governments, plus a few disgruntled employees looking to sell to the highest bidder. I'm just giving my best guess as to why PHBs don't care.
Thing is I suspect the same is true of Linux. Open source software is inherently more secure than the "trust us" closed source, but it's surprisingly easy to hide a few subtle vulns in plain sight. None has to be a complete back door, just enough to weaken this or that to let you slip in.
Do you oversee Red Hat's build servers? Did you oversee Debian's SSH build when they fucked it up?
Thanks for so clearly spelling out one of the great advantages of the Linux ecosystem. Namely, that a vulnerability in RedHat isn't necessarily a vulnerability in Debian so the damage doesn't propagate to the overall community of users. That's one of the great things about there being so much diversity and unique approaches to Linux. Again, thank you and I commend you on your evangelism of Linux. People need to know!
Ha! Beat by some little old ladies!
The reason Thompson's backdoor is famous is because it was far from blatant.
Sounds like a great way to get people off IE, or fill up customer service inboxes for weeks. Madness!
Thing is I suspect the same is true of Linux. Open source software is inherently more secure than the "trust us" closed source, but it's surprisingly easy to hide a few subtle vulns in plain sight.
I figure the main difference is that with Linux, you actually can go through it line by line even if you're a nobody whereas with Windows you can forget it. So, basically, if security is the most important thing to me I can go much further towards actually being secure than I ever can with Windows and closed source applications.
Speaking of quasi-religious nuts. FOSS is just as much a devotional as anything I've seen from Apple.
Not true when kernel.org itself gets hacked.
http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
Nice weasel word there. Blatant. What makes you think that if there are backdoors in Windows they're blatent?
Think back to the AARD code, they went way out of their way to obfuscate it. Microsoft would not be so stupid as to put a well commented backdoor in there.
Of course, I'm sure someone will bring up the NSAKEY incident, which various security researches (such as Bruce Schneier) have dismissed as merely allowing the NSA to install their own key to be install for their internal systems without having to have MS sign it.
You do know that backdoors have been inserted into Linux distro's in the past, and some of them took a great deal of time to be discovered. Then of course, one never really knows if a security vulnerability is intentional or not (on any platform).
There have also been some near calls as well in the kernel itself. For instance, who remembers this doozy?
http://www.securityfocus.com/news/7388
Yes, it was caught, but not because of "many eyes". It was because the attacker chose to try to modify the version control file directly. Had it gone in by some other means, it may not have been caught at all.
If you need web hosting, you could do worse than here
With countless malware authors out there digging through the NT kernel with SICE and the like you'd assume that such a preexisting backdoor would've already been found and actively exploited in the wild
You'd think but then that also presumes that the source code that MS releases to their partners is the same code that ends up in the shipping products. If there are backdoors it is a virtual certainty that MS isn't going to bundle that code up and then start handing it out.
raw ASM dumps are just as good as source code would ever be if you know how to read them (yes, by that definition everything is open source)
To some very talented and bored people, yes ASM dumps are the same as source code. But those people are few and far between and to lesser hackers, there is a huge chasm between that dump and actual source with comments, etc.
With Linux, I know that the source code I just downloaded and looked through can easily be compiled and installed on my machine. With Windows and their source sharing program, you will never get enough of the product to actually compile a working OS so in order to run Windows, you have to blindly trust the already compiled version. Huge difference.
Not true when kernel.org itself gets hacked.
On the contrary. Which distros actually compiled and released a version of the kernel that was compiled from code downloaded during the window this attack was in effect? If you're running Debian then your kernel is anywhere from just now old to 2 years on the stable version. And if you're doing the right thing and using Ubuntu LTS releases instead of the beta interim stuff then it's the same deal. With Windows, there's only 2 releases to the mainstream. The server and the desktop versions. So whatever kernel MS builds, that's the one everybody uses. With Linux even with kernel.org getting hacked, you have a fighting chance but with Windows, you're done.
Really? Wow. Way to go and show your intellect.
But isn't that the point? Just imagine what you can hide in something as large as the Linux kernel or most modern programs.
There are multiple Microsoft keys with a size under 1024-bit out there in the wild, and certificate chains involving them they were used in state-sponsored attacks. It is therefore quite correct, and very necessary, of them to reject RSA keys with a crackable length. Keys up to 768 bits have been cracked publically.
What I'm mystified about is that 1024-bit RSA keys are still allowed as a baseline - honestly, those should all be phased out already and I haven't considered them safe enough for over half a decade now. While no-one has publically factored the RSA-1024 test vector, estimates in 2007 showed that it would indeed be possible, and tests proved positive - 5 years on, I expect it to be quite feasible to factor a 1024-bit RSA key now, particularly if you implemented parallel parts of the sieve in GPU shaders and used something like... oh, I don't know... the NSA's new Tesla-based supercomputer. And they're far from the only ones: Iran has either factored or swiped at least one 1024-bit key (honestly, either is plausible at this point).
This is why 2048-bit keys going onwards are all that's allowed by CAs (and were mandated from the beginning of the EV standard). In practice this has never been a problem - they'll work on any version of Windows which supports RSA at all. I remember using 4096-bit keys with Windows 95, and indeed I recall experimental builds of PGP happily using 16384-bit RSA keys (although they were, of course, slow as molasses).
Long-term you should probably think about moving to prime256v1 (secp256r1). That's got more juice than 3072-bit RSA, but it's vastly faster and much smaller. Alternatively, curve25519/ed25519, which are extraordinarily optimised binary curve algorithms with nice features such as being secure through the twist, and not needing a random source to create signatures.
No one can factor my 1024-bit cert: 0x0000.....000F.
You do know that backdoors have been inserted into Linux distro's in the past, and some of them took a great deal of time to be discovered. Then of course, one never really knows if a security vulnerability is intentional or not (on any platform).
The difference is if you are that serious about security then with Linux you at least have the option of inspecting the code. With Windows you don't.
There have also been some near calls as well in the kernel itself. For instance, who remembers this doozy?
http://www.securityfocus.com/news/7388
Yes, it was caught, but not because of "many eyes". It was because the attacker chose to try to modify the version control file directly. Had it gone in by some other means, it may not have been caught at all.
So some hacker tries and fails to slip a backdoor into the kernel and you think this shows Linux as insecure? It shows the opposite. He got caught! But, in your case, talk about trying to "weasel". Pot, meet kettle.
The website was hacked. The Linux source was not compromised.
Open source is great mechanism for finding security holes, but it's hardly the only mechanism. OK, Windows is probably not as secure as Linux, but it's not totally insecure either.
Hey, I live in an apartment that doesn't have the best security, but enough for the neighborhood in which I live. By your logic, I should either beef up security to the max (iron bars on the windows, install a CCTV, maybe get a pit bull) or just forget all about it and leave never lock the front door or window by the fire escape. Makes no sense
They present a version of the source code. How do you know it is the version that ships with every OEM and in every COTS box?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Closed source doesn't prevent from disassembling windows functions or testing through a kernel debugger. Open source = easier to see find backdoors, easier to find security vulnerabilities. It's also easier to take legitimate code from the OS modify it maliciously and distribute the binary. In other words being open can work for you and against you. The good guys have an edge, but it's wiped out by edge bad guys get. Closed source it's harder to find backdoors and it's also harder to find security vulnerabilities.
But those people are few and far between and to lesser hackers, there is a huge chasm between that dump and actual source with comments, etc.
If you have respect for variable/function names and comments during code review, then you are a failure at code review. There is a difference between the reading of source code to derive what its expected/claiming to do, and the reading source code to derive what it actually does.
You are right not to trust closed source, but you fail in not extending that mistrust to open source. Faith is not a valid justification for trust.
"His name was James Damore."
I don't really understand how anyone can care whether a closed source operating system is secure.
This is so much garbage.
Opensource systems have their share of holes, and the idea that there is a gigantic pool of people qualified to catch backdoors in something as relatively simple as a web browser-- let alone an OS-- is absurd. Just because you can look at the source doesnt mean you can do a remotely competent job of auditing it; and the idea that a single person could somehow audit hundreds of thousands of lines of code for security "on a whim" is even more absurd.
There are a lot of benefits to open source, but sometimes its advocates really stretch the imaginations with some of the claims and accusations they level against proprietary software.
it's sufficiently open that blatant backdoors are not going to be inserted.
So I suppose the whole potential IPSEC backdoor in freeBSD thing was just my imagination, then?
Youre talking nonsense. Consider that OpenSSL is widely considered a horrendously complex pile of spaghetti code, which I believe has had its share of security issues, and yet we still use it. Is it because we're lazy? No, its because sometimes some of this security stuff is phenomenally complicated, and it would take a horrendous number of man-hours from incredibly talented people to refactor or replace it.
One of the benefits of paid software is that, if theyre competent, they can devote a lot of time to it because they are paid. Im gonna go out on a limb here and say that one of the biggest helpers to good code in a lot of OSS projects are the paid volunteers, not the mere fact that its "open" as if that dash of pixie dust makes a project magically better.
Your argument is that because the burglar slipped on the icy sidewalk and broke his neck, it proves your security system works as expected.
If you need web hosting, you could do worse than here
a) if MS hacks you, you'd never know it
You assume that IT folks have no way of tracking what enters and leaves their networks. Maybe that is true in smaller networks, but any larger business with any kind of budget is going to have an edge firewall, and Im gonna go out on a limb and say its not Microsoft's firewall.
b) they have lawyers that will have you run crying to your mommy.
The idea that Microsoft could somehow win that kind of case through the simple merit of its lawyers is ridiculous. Big companies have been brought to unfavorable judgements before, and if the evidence is clear enough theyd probably just settle with you on very favorable terms.
Youre basically trying to defend fragmentation as a good thing, because while some programs might not work across the myriad of versions, neither will the vulnerabilities.
I find this logic lacking.
Wake up and smell the Firefox/Safari/Chrome grandma!
does anyone on Slashdot even realise how stupid they look wearing their tin-foil hats?
Not true, I heard many people were able to download the source code since then ;-)
Tomorrow is another day...
There are plenty of people who download kernel code from mirror sites without checking the hash matches. The kernel code for OS X is open too. It's called darwin.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
The "K" of K&R is wrong.
"K" is Brian Kernighan. You know, the Brian Kernighan of "The C Programming Language" fame. He wrote a book or two. He's quite famous. Maybe you've heard of him.
Look it up.
Grandpa: My Homer is not a communist. He may be a liar, a pig, an idiot, a communist, but he is not a porn star.
That is why you should use OpenBSD, as it has been and is continously audited for security, and it uses proactive crypto deployment everywhere it fits. That is why development is slower... Need bleeding edge or stable security? pick ONE.
Tomorrow is another day...
The bored socially-outcase girlfriendless 13-year olds that find all the security vulnerabilities have the time, inclination, and imagination to find all the vulnerabilities whether the code is open or not.
A well maintained open source project tends to fix them quicker than every patch Tuesday, though.
Seriously, Pascal had it right with := being the assignment operator and = being the equality operator. Hard to confuse those two IMHO.
with the literally thousands of security researchers reverse engineering, fuzzing and generally prodding and poking around you would rapidly find them trumpeting to the world any such differences or backdoors. They already do this for every patch that comes out, detailing what is fixed and using it for attack tools.
How many students actually evaluate the source in any detail?
The same number as true open source.
Learn to love Alaska
I suppose you protect against SQL injection attacks by giving your tables weird names? If no one can guess it, no one can hack it! Security by obscurity all the way.
Or submit vulnerabilities back to the origin. They even hold contests to hide the real intention of code.
Test rest of the industry still support keys smaller than 1024 bits. Microsoft won't.
if your security system involves ice machines, then yes.
Yes, it is entirely plausible for one person to read through the entire kernel source to ensure there are no back doors. When you are done in 3 years time, please let me know if you find any.
Not true when kernel.org itself gets hacked.
On the contrary. Which distros actually compiled and released a version of the kernel that was compiled from code downloaded during the window this attack was in effect? If you're running Debian then your kernel is anywhere from just now old to 2 years on the stable version. And if you're doing the right thing and using Ubuntu LTS releases instead of the beta interim stuff then it's the same deal. With Windows, there's only 2 releases to the mainstream. The server and the desktop versions. So whatever kernel MS builds, that's the one everybody uses. With Linux even with kernel.org getting hacked, you have a fighting chance but with Windows, you're done.
So you aren't concerned with the possibilities of an open source project being compromised, just how short the window of opportunity was for a specific attack (determined in retrospect)? That doesn't change anything.
It doesn't take "a gigantic pool of people qualified to catch backdoors" to fix software bugs. If it did, closed source projects would be inherently hoplessly doomed security wise. What it does take is a few or even just one qualified person to catch backdoors. For closed source, the lure of money is usually enough to hire qualified people to do the job, presuming the owner of the code cares to offer such a lure. For open source, the idea is that statistically, there's such a gigantic pool of people out there interested at all with the code that presumably a few qualified people will be in the lot and find the backdoors.
Not so much "on a whim", but there's been multiple security audits by researchers from different universities, often in testing automated code checkers. The same presumably happens against Windows code too, as MS offers access to source code to universities for presumably the same reason. Having said that, it's an actual known when it's done with Linux because there's no NDAs to hide any of the source or otherwise hold back the results from public scrutiny. And probably just as important, it might take a competent person to find the bug, but it often doesn't take a competent person to fix the bug--in part because often researchers spell out the fix. Yet, MS is the only one can fix their bugs--short of some potentially nasty reverse engineering--while there's a gigantic pool of people who can fix the open source bugs.
Well, it's not much of an accusation to point out that Oracle and Adobe frequently learn of security vulnerabilities and seemingly sit on them for months or even years, with no reasonable possibility of anyone else offering a fix--again, short of some nasty reverse engineering. Meanwhile, as much as open source bugs have been discovered, announced, and a few times ignored, the barrier is a lot less as a point to fixing such bugs with open source--with some exceptions on the complexity of reproducing the needed build environment, at times.
You mean OpenBSD? And you notice that it's still only potential-at least, AFAIK--with no code audit so far showing any evidence of a actual backdoor? Meanwhile, in Windows world, if one of the developers on the MS IPSEC code was paid by the FBI, would MS tell us about the potential IPSEC backdoor, would MS do a code audit, would we be aware of that code audit, and would MS bother telling us everything looks okay? You see, as horrible as the whole situation might be with the potential OpenBSD's IPSEC backdoor, the fact that we know about it gives us the option to audit the code or to outright avoid the code because we know of the potential threat. Meanwhile, it's much harder to trust that a corporation, which has a vested interest in keeping as quite as possible about potential vulnerabilities as it risks their bottom line, will be open about the risk to their customers. Sometimes they try to rationalize it within the scope of "responsible disclosure". But it's only really responsible if one presumes that (a) users must use the relevant code and (b) not revealing
Eurohacker European paranoia, gun rights, and h
There is an entire collection of root certs in your browser that are all trusted unconditionally. Hundreds of them, in fact. These root certs have signed thousands (who knows how many, really?) intermediate certs. All of these intermediate certs are trusted unconditionally to authenticate any SSL server whatsoever. It's pointless to have a key longer than the shortest intermediate cert key length in use anywhere. When you use SSL, you are trusting thousands of unknown parties with absolute cert-signing authority. SSL certificates are known to have been used for explicit man-in-the-middle purposes: Trustwave sold root certificate for surveillance. Sure they revoked that one key because of the bad publicity, but it's common industry practice. How is SSL hopelessly broken? Let us count the ways.
"One of the benefits of paid software is that, if theyre competent, they can devote a lot of time to it because they are paid"
Untrue, the corps aim to make a profit, the actual security teams will be pared to a nubbin - oh sure, they can roll out roomfuls of security 'experts' who can talk the talk at the drop of a hat (or more likely at the drop of a $ bill) but the number of actual practicing security people in the big software corporations is very low - and I'd bet most of their time is spent on firefighting and customer support, not refactoring or fixing code.
Indeed. I have a copy of the Windows CE 6 source code (or perhaps partial source code - I haven't tried to compile it) on an external drive somewhere. When I graduated, I went through our MSDNAA site and grabbed everything that looked interesting.
I'd be violating all kinds of licenses if I were to release it, probably even if I read it at this point. But they don't exactly guard their source all that well.
It may sound absurd, but reality is sometimes like that. A large portion of the vast pool is called "students" and the more qualified deep end of that pool is called "graduate students", and many thousands are looking at open source software from all angles for their own benefit.
So, basically, if security is the most important thing to me I can go much further towards actually being secure than I ever can with Windows and closed source applications.
Can you actually do that? In your open source OS, going through the stack of code you are using and fully understanding it is an enormous task.
In one direction, yeah. Not hard to replace an assignment with an equality test, though.
Do people realize how stupid they sound when they use the phrase "tin-foil hat"?
If you are that serious about security, you don't bother with the source code because you don't trust that the compiler isn't compromised. Instead you just inspect the code that's actually running on your system (i.e. the compiled machine code). Since MS ships their compiled machine code, there's no reason you can't inspect it just as well. You can step through it with IDA Pro or your favorite debugger/disassembler.
An example of something you can't inspect is Google's source code (the part that runs on their servers). Another example is encrypted firmware blobs. Windows is not an example of something you can't inspect.
dom
Your comment ignores the fact that Windows had strong ASLR before Linux did, and by all accounts its security is on par with or better than your average Linux distro.
Profit accounts for a lot, but profit requires selling product, which requires meeting customer demands. Having a product with a reputaiton for poor security tends to hurt demand, which means that good security can indeed come about in proprietary software.
but the number of actual practicing security people in the big software corporations is very low
You just ventured out of the realm of opinion, and made a statement of fact that requires some kind of source. On what basis do you make this claim? And by what logic do you say that there are more honest-to-goodness security gurus donating their time to "OSS" in general?
Its almost like you have disdain for anyone who would try to make a living off of their skills, like being PAID to be a good programmer or security expert was somehow a dirty thing.
It might suprise you to know that having a graduate degree and being a good programmer can also net you a job at a company that produces proprietary software. The idea that programmers at Microsoft are all incompetent is partisanship of the most extreme kind; by all accounts it tends to be very competitive and there are truly good programmers there. Certainly noone would accuse Google of hiring slouches.
That particular one came down to code standards and review. There's a reason why most coding standards explicitly disallow assignment inside a conditional structure. It's a security hole waiting to happen, just like null-terminated buffers or processing unsanitized input.
NASA's guidelines, for example, are fairly stringent. An attack would have to be very sophisticated, where the attacker would have to know the system fairly well, and insert seemingly-innocuous code in multiple places. It's harder to attack NASA because a lot of their systems are hidden behind obscurity and contractor diversification. That, and there's nothing to be gained by hacking them. Their standards exist more to prevent careless bugs from creeping in (which is really just a less-glamorous term for "security hole"). But for software like the Linux kernel where the system is completely transparent and then some, doing proper code reviews and strictly enforcing standards is absolutely necessary.
It's also a good reason to not trust binary blobs. But then again, nobody'd be dumb enough to mix their secure system with their gaming system, right?
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
The idea is that common elements pretty much have to be intentional and largely agreed upon. This naturally leads to slower overall development but greater stability.
This is not so much logic as it is philosophy. This is Linux in contrast to Windows/Mac (many Linux developers see the variety of different distributions to be overall positive), P2P file sharing in contrast to dedicated file hosting services, Bitcoin in contrast to traditional payment processors (the community is almost in complete agreement that independently developed clients improves the security of the network).
In the extreme case: Evolution in contrast to Intelligent Design. I certainly agree with you that neither one of these is evidently superior to the other, but evolution most certainly has the stability advantage.
Don't be ridiculous. An SQL injection vulnerability would not be a problem with the table names but in the application layer. This is a perfect example of an unintentional design flaw which would be shrugged off in a highly distributed software development environment but be the death knell for a massively centralised one.
Disallowing assignments in conditions would work too.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
There's a reason why most coding standards explicitly disallow assignment inside a conditional structure.
I've never heard of this. Are you actually trying to say that most coding standards disallow if(condition) { var = true; } else { var = false; }? Or do you actually mean variable declarations when you say assignments? Could you link to some coding standard that actually disallows this, so I could look into this a bit more?
If your security system forced the burglar to take slippery sidewalk what is hazardous.... then yeah!
Security systems are not 100% secure, their purpose is just to make sure that avarage joe's do not get in and professionals needs to find a harder way to do their thing.
Then you build up security system by implementing multiple layers and steps so instead just passing one security system at one point, you have multiple kind in multiple point between outside and items.
So instead just waltzing inside, snap what you want and get out under 3 minutes, you need to search perimeter from where you can penetrate, check what is not possible to do and then take first step and start again checking what is next security perimeter.
You clearly have never heard "Locks are meant for honest people" phrase. As locking something is not enough, there is always someone who get trough the lock and steal what is worth. But the idea of lock (IT security in this case) is to make it such, that honest people does not try to "peek" inside what is behind "closed door" because they know owner does not want them to look.
Closing the source isn't security, it is just a way to keep honest people (hackers) peeking your technic, while bad guys (crackers) will pass it in no time.
So instead trying to stop hackers finding problems and helping you, you throw away the most valuable help and you want to play alone with the crackers who does not tell you what they can and what did they do.
In security, it is better to lure burglars to place what is trap for them. Like in IT, you want to trick crackers to do a mistake what alarms you.
Your post has nothing at all to do with mine apart from some sort of personal attack based on the assumption of extreme ignorance ("It might suprise you" followed by the fucking incredibly obvious) and some fallacious assumption that the above is in some way an attack on others ("that programmers at Microsoft are all incompetent is partisanship of the most extreme kind" - WTF? How do you find an accusation of incompetance in the two sentence post above?). Sorry limecat - it's coming off as insane as saying I must hate tigers because I like dogs. If you want to argue with voices in your head please do not commit the gross insult of pretending that I am one of them.
Yet Debian shipped for a long time with a broken (insecure) key generation code. Yes, this most probably wasn't an intentional backdoor (yet, who knows for sure?), but it shows that people reading the source code isn't sufficient (ironically, if nobody had read the source code at Debian, this specific bug wouldn't have been inserted).
Build it and diff the binaries?
Windows Update backdoor
[citation needed]
The question was "evaluate" not "contribute to" And given the number of "I reported a bug to MS, and they were rude to me" submissions to this site, I'd say more than one.
Learn to love Alaska
Certainly noone would accuse Google of hiring slouches.
No, but I would accuse them of having hiring practices that discourage creativity (even if their employment practices promote it).
I interviewed with Google a little while back. Right at the start I told them I was not interested in the job they were offering as it's somewhat "below" what I currently do (and would require moving to a more expensive city for a similar level of pay as what I'm on now). They said they'd like to interview me anyway and perhaps after that offer me a job that would better fit my skills.
The short version is that after going through their rather long and drawn out process, involving mind-numbingly boring "solve this well known algorithm problem" questions, they offered me the job that I said I didn't want. After I turned them down, they then sent me a letter saying that "after consideration, we don't think you're a good match for Google".
Personally, I would've really liked to work there. But NOT as a code-monkey on their generic sites. I'm a pretty good developer (although by no means brilliant); but where I really shine is creating new things from scratch. I'm an ideas person with the technical aptitude to put the ideas in to practice. Their hiring process showed me very clearly that they had no interest in my creativity and only wanted someone who can churn code, find bugs, and patch systems to keep them running (all important; but not the only thing in the world; and definitely not for me).
My book about LSD and Self-Discovery
Also on facebook as: DroppingAcidDaleBewan
Just because you can find a backdoor doesn't mean you can use it. It as not hard to make a backdoor, that requires authentication. The only thing that is hard is to make a backdoor that is both secure and does not look like it was made deliberately.
Do you care about the security of your wireless mouse?
That won't work. You don't know how they built, which compiler version they used, etc. A mismatch is almost 100% certain and in no way indicates that the same code base wasn't used to build it.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Up to a point fragmentation or variety is a good thing. And not just in software. In agriculture, if your field consists of only one crop, your goose is cooked if there's an outbreak of a plant disease. A country whose GDP comes from a single source, say oil or a single cash crop, is also more vulnerable to price fluctuations in the global market. A crash in the prices of that product would lead to a crash in the country's economy as well.
Too much fragmentation of course is bad. But as far as Linux, the major distros are quite few, namely, Ubuntu, Redhat, Fedora, Debian, and possibly Suse. It's their derivatives that give the impression of excessive fragmentation. Derivatives tend to be compatible with the mother distro at least as far as the installation of third party programs not in the main repository. A binary-only printer driver that can run in Ubuntu would be compatible with Linux Mint for example.
If you use a program like SCCM, SCE, EmminantWare/SolarWinds, Secunia, Local Update Publisher (plug: my OSS alternative), or any other similar program that allows you to publish your own packages through the WSUS system you will also need to worry about this. For some time the default certificate that gets created was 512 bits and will become invalid with this update. Check with your vendor to see what remedy they suggest. One of the recent updates to the WSUS API bumped this default cert creation to 2048 bits but that won't help existing users.
cosmonaut?
LOL, I believe the actual lyric is "confidante".
I'm the head IT manager for this 50-person company so I'm stuck as the server administrator despite having about 12 weeks of MCSE training. Someone else set up our current self-signed certificate so I don't know the size or how to check. I do know they plopped the .cer file itself down on C: though, lol. So I opened it in notepad, pasted its main contents to Word, and ran a character count. It's 2092 total characters in size. I'm going to take a guess that that's a 2048 bit cert, right? So: :-P
1. Am I correct in assuming that?
2. Is there a less stupid way of checking that in Server 03?
3. I have no idea where our other server (exchange 03) keeps its cert or what size it would be expected to be by default. Anyone got some info on that?
Disallowing assignments in conditions would work too.
A lot of C compilers already have compile-time options to warn when the outermost operator in an if or while condition is an assignment. This allows various idioms where conditions have side effects, such as pulling one pointer from an iterator function and then checking whether or not it's a null pointer terminator, while requiring the programmer to make his intent explicit.
I dont disagree with most of what you said, except the general implication that because some proprietary companies suck at security they all must.
Also,
You see, as horrible as the whole situation might be with the potential OpenBSD's IPSEC backdoor, the fact that we know about it gives us the option to audit the code or to outright avoid the code because we know of the potential threat.
Thats true, but youll note that if the accusations are correct (and I see no indication that anyone has actually done the audit, 2 years later), it took 10 years and then the backdoor was not even caught by OSS devs, it was revealed by an insider whose NDA expired.
I have recently discovered the benefits of open source by working on Microsoft Dynamics CRM. That is that if you have an enormously complex web app (CRM) you need the source to figure out what the issues are, unless you feel like spending hours on Google trying to debug "An unexpected error has occurred".
Sadly I do not have the source and so my job is made immeasurably more difficult because of it. I'm sure that the quality of any open source product would not necessarily be better, but if there are any issues with it, I can look at, step through and even change the code at will. CRM prevents me from doing this. Decompiling it helps somewhat but you need to find where the offending code is, and even then you can't see any of the variable values or the flow of the code.
I think you're one of those stupid libertarians,
Youre free to think that, but you would be wrong. I do so enjoy ad hominems, though, I find they are a wonderful way to start a post.
so it'll be hard to argue with you as you assume everyone works only for money despite all evidence to the contrary
Everyone assumes things, but this is not something that I assume. You however seem to be making assumptions full steam. Your post isnt off to a good start.
and they will be "qualified" to catch backdoors of varying subtlety.
Read up on some of the articles like "Trusting trust", where one dev did a PoC corrupted compiler that would insert backdoor code into binaries when it saw certain strings. Students generally are not going to be qualified to catch something of that nature, or of the nature mentioned in the BSD IPSEC backdoor thing.
Indeed - this is one reason why closed source is never going to be as secure.
Generalizations generally make me uncomfortable, because they have a nasty tendency of failing. Both proprietary and non-proprietary softawre have their share of holes; with each you can find examples that are quite good, or quite bad security-wise. In a lot of ways for the last year or so Firefox remained at the BACK of the pack for security, with IE and Chrome being at the lead. Chromium is technically OSS (though chrome isnt quite the same), but IE is definitely not, and is considered a much harder target than firefox. You cant just compare two projects on the simple basis of "OSS or not?"
Seems like open source is doing really well, then.
You arent paying attention if you think thats the extent of "security blowups" in the OSS world. SSH keys being lost, root access to update domains, and of course the wonderful Debian SSH flaw requiring everyone to regenerate their keys all come to mind.
Youll note that with the SSH thing that lasted for quite some time, and was a rather simple bug IIRC (something got commented out), and yet it wasnt caught for years (early 2006 to late 2008).
But the less competent certainly benefit from having the opportunity to code during the day, no doubt. In this there is no difference between Linux as GPL software and Windows as closed source software, though.
So people who code as a job and work a full day are incompetent. Nice.
They are of course of benefit.
If memory serves, theyre one of the main contributors of "hard" stuff like drivers and SELinux.
Face it: Linux has all the paid-eyes advantages of closed source development and more from being open source.
Except for organizational issues, and the fact that your volunteers are generally paid by a third party who can cut the money stream at any time, yea.
Their hiring process showed me very clearly that they had no interest in my creativity and only wanted someone who can churn code, find bugs, and patch systems to keep them running (all important; but not the only thing in the world; and definitely not for me).
I believe it's called "paying your dues", and I believe it's considered standard practice at most major companies.
With closed source you can leverage the SLA's between yourself and the vendor
With closed source, there is only one provider of such SLAs for each product. With open source, you can leverage the competition among several companies that offer SLAs for a given open source platform. For example, one can choose Red Hat, Oracle, or Canonical to support a Linux deployment.
Go here: http://www.kb.cert.org/vuls/html/search/
Type 'Windows XP' in to the search box.
Eat that!
I'm not sure a kilobyte-strength Cert would be strong enough to freshen the breath of some of the people I've worked with...
Yes, and they sign NDA's to get it. That even happened when AT&T's Bell Labs licensed UNIX to colleges back in the dark ages.
... "When you pry the source from my cold dead hands."
Lots of bugs, nothing related to WU..
Sorry, that wasn't the intended implication. The intended implication was that proprietary companies can hire competent security folk, but they have to go out of their way to budget for it, a point most proprietary companies don't focus on. Of course, the truth is that in the open source world, the "many eyes" and "statistically....a few qualified people" only works if the project receives enough attention to have those many eyes. That still leaves the outliers, both in proprietary companies and small projects, where there is enough just good programming practices to mitigate most security risks.
To the contrary, OpenBSD code audit uncovers bugs, but no evidence of backdoor covers the point that an audit was done and while bugs were found--one nasty one at that--, that there was no evidence of an extant backdoor. Of course, a more useful question would be if there ever was a backdoor, and that sort of audit wasn't done, AFAIK--and I'd really love to see someone do that audit since I know I'm not qualified. But the original discussion was the probably of a blatant backdoor surviving. And even a less blatant one apparently couldn't survive in OpenBSD it would seem--unless the backdoor was explicitly removed by the backdoor inserter at some point. Of course, without evidence of there ever being a backdoor, it's really hard to use the whole OpenBSD IPSEC Backdoor as any sort of data point. :/
Eurohacker European paranoia, gun rights, and h
According to GlobalSign (one of the largest CA's), they stopped issuing 1024bit keys back in 2010... The lowest encryption they (and most CA's) use now is 2048bits. https://www.globalsign.com/support/faq/sslfaq.php All orders placed from November 29th 2010 will only be accepted with a CSR key length of 2048 bits or higher. This is to fully comply with the National Institute of Standards and Technology Recommendations (NIST) and the mandatory requirements by Microsoft's Root Certificate Program to issue Certificates from a minimum of 2048 bits by January 1, 2011. Maybe it's related to the Y1969 bug :)
The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vaccuum Cleaner!
The intended implication was that proprietary companies can hire competent security folk, but they have to go out of their way to budget for it, a point most proprietary companies don't focus on
Thats true, but the beauty of a (properly functioning) competitive market is, you can just avoid the sucky vendors, and they will generally disappear. OSS tends to not have that pressure-- although of course if the project is sucky and unpopular, its unlikely to be wellknown or have any kind of community.
Really, heres the difference youre looking at, and why I dont have this allergy to paid software. If Microsoft releases a crappy OS (bad security, or slow, or something else), there will be intense pressure on them to fix their ways; as a for-profit, publicly traded company, they very quickly run into issues if their product is unpopular.
On the other hand, when a project like AmaroK makes a crappy release (bad security, or they do a 2.0), the devs can tell everyone to go get stuffed (which, in fact, they did), because there is 0 market pressure on them.
Obviously the very large projects like Linux do have some degree of pressure; but at the end of the day, if Linus Torvalds wants to say "Ive decided to remove memory protection", he can do so, and its really no skin off of his back. The saving grace of course is that if you have a talented community (which may not be the case), they can fork it and though painful, you can transition to the fork.
I have a feeling that at least SOME of the people who seem to have this allergy havent had to deal with these kind of issues, but they do happen.
The problem with that statement is the "properly functioning" modifier really leads your statement into "No True Scostman" territory. The simple fact is, it's a very frequent market failure that security or even just program stability takes a back seat to sufficient functionality or sufficient familiarity.
And OSS suffers the same issue as mentioned above, which explains why some huge projects still have massive security and stability problems. The general issue is that there's really little pressure involving the issue of security except in very isolated niches, like OpenBSD. And even there, OpenBSD's track record is really bad if you consider they basically define a crippled base install to claim any sort of real security.
Remind me again on just how unstable and insecure Windows was? And remind me again just how long until the Windows NT was adopted? And then further remind me how long it took before the Windows NT, the "robust" line, became actually remotely robust?
Who uses AmaroK again? I mean, I see your point to an extent, but AmaroK has virtually no "market share" to speak of in the first place so telling "everyone to go get stuffed" just doesn't mean a lot. If, on the other hand, Mozilla were to say something similar about Firefox, I'm almost certain that (a) a fork would start and (b) a good many distros would start using the fork. In fact, isn't that what happened with AmaroK, that distros switched to another media player? On the scale of whole distros, it's why there's Fedora and CentOS and Mandriva.
Well, that'd be sort of the point. Linus is the benevolent dictator, who helps guide inclusion of a lot of code by maintainers. Those maintainers themselves function as their own benevolent dictator upon their own section. If Linus, tomorrow, were to push something as extreme as "to remove memory protection", there's over ten people qualified to fork the Linux kernel--although due to trademarks, they'd have to call it something different. If Linus complained, it'd then be the community telling Linus to "get stuffed", since he already licensed his parts under the GPLv2 and can't rescind his code offer. So, part of what makes OSS work is the code licensing and part is how making the code tends to produce the very people capable of forking, if needed.
The thing is, I really don't have a proprietary code allergy, per se. I certainly put
Eurohacker European paranoia, gun rights, and h
And remind me again just how long until the Windows NT was adopted? And then further remind me how long it took before the Windows NT, the "robust" line, became actually remotely robust?
I mean, I guess thats kind of what I was talking about. Apparently the market cared less about that than some of the other features. Plus, lets remember that Linux wasnt some bastion of usability at that point from what I've read-- not that I can claim to be some guru computer historian. Market pressures caused MS to conform to market expectations, and they were successful (at least enough to gain monopoly status).
. If, on the other hand, Mozilla were to say something similar about Firefox, I'm almost certain that (a) a fork would start and (b) a good many distros would start using the fork
This does happen, and its not without a lot of grief. LibreOffice went relatively smoothly, but was in a bad place for a few months. AmaroK never really got fixed, and the replacements really didnt compare. Im not sure why it was never forked, but thats my point: You cant just expect Joe Random Dev to sit down and pick up a project like that and have everything continue as normal.
that distros switched to another media player
The distros are always switching media players; Im not sure anyone really understands the rationale, or whether there is one.
there's over ten people qualified to fork the Linux kernel--although due to trademarks, they'd have to call it something different.
And now you have massive chaos. Which of the 3 resulting forks to use? What about the kernel updates being pushed out from Linus? Whats the future of support for Linux look like?
This is where you realize, golly, its can be nice to have a single codebase, even when it does things as boneheaded as Metro. At least you only have ONE Metro to deal with, not 3.
since he already licensed his parts under the GPLv2 and can't rescind his code offer.
I believe he can relicense the parts of the code that are exclusively his, but I dont know whether that would be inherited by the forks, or whether their license "as forked" would continue. Doesnt really solve the whole "3 versions" issue that would occur, either way.
I certainly put more trust in an OS kernel and system libraries/utilities that is open source, in the same way I put more trust in an encryption system that has the minimal amount of obfuscation to function.
I dont know that I look at it that way, after the issues I've had with OSS projects and the sometimes spotty support. I love the idea, I love the price, I love the whole "I can download this and stuff it in a VM right now without any signup". But when it comes to a client wanting something, I am VERY hesitant, unless its a major distro (CentOS, Ubuntu Server) and / or has serious support options (pfSense, which for the record has impeccable support even if it is sometimes unstable).
But Ive definately had issues even with Fedora and Ubuntu, where its something like "whoops, our new release cripples E1000 NICs with a bad firmware", and there simply isnt the same kind of market pressure for someone to "do something" asap.
Ive also dealt with it from proprietary vendors ("sorry, we dont know what the problem is and we dont really care"), but at least there I can tell the client that the vendor isnt supporting it, rather than that "the vendor is some community and I have to wait 3 days for a response, and no there isnt a support queue".
So, I guess my point would be is, if I do have a proprietary software allergy, it's to proprietary security software
Not sure if youve ever done whole disk or volume encryption, but TrueCrypt is widely recognized as one of the best volume encryption solutions, especially for window with their WDE. Its also proprietary.
Likewise, PGP is
AFAIK, it's not really proprietary; it's just not "free" because it seems to be anti-commercial and put restrictions on things like forbidding obfuscating the source code.
Well, PGP certainly did have a reputation as being decent, as it was based upon the reputation of its creator and was specifically focused on the security of the information it encrypted. But, now that it's bought out, it sounds like you don't really trust it. Meanwhile, GPG doesn't suffer from this flaw, at least to the extent that while, yes, there might be n forks if the original community around it dissolves, it's rather likely that a few forks will be considered "good enough" based on the same point of reputation. This is, btw, why the chaos of forking usually resolves itself after a while; the "market pressure" of competing forks generally results in a few or only one really getting the focus to actually be considered the successor. That this might be "messy" is more a point that all sorts of market competition for dominance is messy.
And that's probably because most OSS AV solutions focus first on protecting OSS systems which basically don't need AV because of their distribution system. AV solutions are, IMHO, a nasty hack, anyways. Since they fundamentally only work by constantly finding new viruses/malware and adding a signature to a database, it's basically a full-time job focused on every possible bad thing you could possibly do under the hope you find a counterpart malicious person and their malicious software. I'd probably have a lot more respect if this sort of fuzzing went towards fixing software. Instead, it's more like noticing that some piece of software is a sieve and creating a counterpart bit of software to put different shaped swatches of fabric in to prevent rats and roaches and whatever from coming in.
So, on the one hand, you're absolutely right. On the other hand, one could also point out that for years, in the 90s, Windows had some of the best proprietary system crash recovery software. In the OSS world, you'd just work on the point of the system not crashing and efforts to make crash recovery software would be closer to a pet project than a main consideration.
Eurohacker European paranoia, gun rights, and h