Google Security Expert Finds, Publicly Discloses Windows Kernel Bug
hypnosec writes "Security expert Tavis Ormandy has discovered a vulnerability in the Windows kernel which, when exploited, would allow an ordinary user to obtain administrative privileges of the system. Google's security pro posted the details of the vulnerability back in May through the Full Disclosure mailing list rather than reporting it to Microsoft first. He has now gone ahead and published a working exploit. This is not the first instance where Ormandy has opted for full disclosure without first informing the vendor of the affected software."
Is it news every time someone finds a security vulnerability?
Sheesh, evil *and* a jerk. -- Jade
That's bad. That's destructive and dangerous. He needs to be sacked for this, given the potential for this to be abused in the wild - otherwise we know that Google really is on the side of the criminals...
Seriously. I think it was a comic strip (possibly xkcd) that pointed out that an exploit that had user level privileges could impersonate someone on web sites, do money transfers at their banks, etc... While a system level exploit would allow it to install drivers. Whohooo!
If he was an independent researcher doing this it might be one thing, but in this case he's not revealing the vulnerability based on full disclosure principles, he's doing it to give his employer's largest competitor a black eye. Motives matter.
If it hadn't been Microsoft, Google may have been a bit more responsible about this, but since it makes their competitor look bad, time to forget about "do no evil".
I'm betting this is the only way to get MS to fix the problem in a timely fashion. If it's in the wild, they HAVE to fix it, and fast. Guys had to do this with Apple, as well, because they never fixed any bugs unless absolutely forced to.
But... but... "Do no evIl" !
The irony of the difference between closed source and open source is that while Ormandy has posted an exploit to this Windows bug, in the open-source world he potentially could have posted a fix too, considering he's the one who seems to understand the bug itself the best...
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
You could assume that administrators using Windows in business don't let their users run with administrative privileges, but outside of those environments what home user doesn't run with administrative privileges?
I have to admit I haven't used Windows in a while, so maybe I'm wrong and computers with Windows 7/8 do not come from BIG_BOX_STORE with a user already set up with administrative privileges.
Yeah, ok. troll better please.
It's been 4 weeks. Clearly we should go after those who disclose vulnerabilities instead of those responsible for fixing them. /sarcasm
I believe this would be the one.
That's bad. That's destructive and dangerous
No more dangerous than publishing the blueprints for a gun or the instructions to 3d print one. Someone could use that information to perpetrate a crime. Why do you throw freedom of speech out the window when it comes to software bugs?
The general tolerance of latent vulnerabilities and the expectation that whitehats should give companies time to patch them at the least expense is what's truly destructive and dangerous.
History tells us that telling Microsoft privately puts it on their radar for three to five years out. Disclosing publicly actually gets a patch to users.
- Michael T. Babcock (Yes, I blog)
Is it news every time someone finds a security vulnerability?
When someone publishes a working exploit that provides privilege escalation for the world's most widely used operating system, it definitely is news.
I know this is Slashdot, but did you look at the vulnerability or exploit? It is an unpatched kernel exploit that will now wreak havoc on Windows users, the vast majority of the world by a long shot, as malware writers incorporate it into their malware. Now, previously secure (relatively) systems that had UAC enabled will be just as vulnerable to drive-by installs as 2000 and XP were.
Looks like from TFA he posted both the flaw and the working exploit as himself, not as an employee. So that is at least something.
He should have known about proper disclosure practices: File a defect report, permit the company to fix the exploit, and then release the exploit to the wild at the same time the fix is released, or release it if the company fails to take action. Instead of following the protocol he put the information about the exploit both on his personal blog and on the disclosure newsgroup, with the comment that he doesn't have time to deal with it. (But apparently he does have time to blog about it.)
Was it wrong? Absolutely. There is a protocol to follow that generally protects the public and still discloses the vulnerability if it is not fixed immediately.
Should he be fired from his job as a security programmer? Maybe. He should at least get a chat with his boss and HR to explain his side.
//TODO: Think of witty sig statement
Been a long time coming, but we finally don't have Microsoft pushing us around any longer.
Some of us with long memories see absolutely no issue with disclosing MS bugs on public forums.
Doesn't matter what history shows. The best procedure is to give the company notice of the bug and give them a chance to fix it. Not years, certainly, but a few months seems very reasonable. The only reason not to do so would be if you knew someone was already taking advantage of the vulnerability in the wild.
For UAC.
Can Google and/or this guy be prosecuted for this, because releasing the working demo is basically aiding and abetting a criminal?
subject should be 1896 fraud and abuce act - didnt proofread the subject - Do'H
If it were us little people without political connections to bail our asses out, we'd be in jail!
Jesus Mother Fucking Christ!.
I just want to put on a sandwich board with "They are going to Fuck us!" and just mumble "Bullshit! Bullshit! Bullshit! Bullshit! Bullshit!Bullshit! "
Look at the timeline... But with Microsoft, there's really no "enough time" to correct a problem that THEY don't see as a problem.
Why do you throw freedom of speech out the window when it comes to software bugs?
Get on your soapbox much? Nobody is infringing on freedom of speech since there is no law against this. There are issues of being reasonable and responsible though that have nothing to do with the law. Nor is anyone here suggesting that he shouldn't publish, just that he should inform Microsoft directly, instead of assuming that everyone on the planet should read that mailing list, and give them some reasonable time to fix it before publishing.
History tells us that telling Microsoft privately puts it on their radar for three to five years out. Disclosing publicly actually gets a patch to users.
Disclosing responsibly gets a patch to users as well. Give them a little while (one calendar quarter max), and then publish.
I don't think anyone is saying he should sit on it forever, but you don't know what other exploitable things they're working on, and now everyone is completely vulnerable because there is no patch.
Google's policy is to back researchers disclosing the vulnerability if the vendor does not fix it within 60 days, or 7 days if there is an active exploit in the wild.
Responsible disclosure is an oxymoron.
History tells us that telling Microsoft privately puts it on their radar for three to five years out. Disclosing publicly actually gets a patch to users.
No, what actually gets a patch to users is when you find a vulnerability, use it to hack into Microsoft servers, download their repository, fix the bug, rebuild the kernel, generate the patch, steal Microsoft signing certificates, sign the patch, upload it to Windows Update servers, and pray that all users download it before someone notices you.
Ezekiel 23:20
The same thing happened last time if I remember correctly. It's a tricky situation ... his employer shouldn't be able to control his hobbies, but he shouldn't be making them look like dicks either. Does he advertise himself as a Google employee, or is this the usual anti-Google FUD campaigners throwing this information in where it's not warranted?
Can Google and/or this guy be prosecuted for this, because releasing the working demo is basically aiding and abetting a criminal?
How are you today, Mr. Ballmer?
With sites like scroogle slamming Google for the same things M$ is doing and the even more atrocious things they want to do (see patent on Kinect to pull demographics from your living room), Microsoft gets whatever they deserve.
Months? Hell no. 3 or 4 weeks, maybe, and that's pushing it.
He's no more aiding and abetting a hacker than a billy-club company is aiding a cop that beats you senseless.
I guarantee every talking head on TV would be calling for the DoJ to look into it...
This is all about PR and image. Google and Apple are sexy, MS is big and boring, but arguably more critical to daily life (you have no idea how many devices and backend systems you use every day are on Windows).
That's bad. That's destructive and dangerous
No more dangerous than publishing the blueprints for a gun or the instructions to 3d print one.
This is closer to posting a list of homes where firearms are registered. Exposing the vulnerabilities without letting the homeowners without guns know that they're about to be greenlighted for burglary.
The general tolerance of latent vulnerabilities and the expectation that whitehats should give companies time to patch them at least expense is what's truly destructive and dangerous.
Now everyone has to scramble as script kiddies within their organizations implement this (internal attackers are still most dangerous). A balance must be struck. He's not looking to keep people secure; he's looking to make MS Windows operating systems a battlefield.
So negative advertising should beget exploits that hurt users? What should Microsoft's response have been to the Mac vs. PC ads then?
It's a privilege escalation vulnerability... your machine has to already be compromised for this to be abused in the wild.
A more apt analogy would be someone taking classified military information and making it public (which IS a serious crime and is NOT covered under freedom of speech).
Fuck it. have them patch to Linux Mint 15.
Why is it so hard to only have politicians for a few years, then have them go away?
This just in: Windows is even hackable by really really stupid morons!
And by classified information, I mean like information about military systems, their configurations, hardware used, so on and so forth (as opposed to say, names of spies or whatnot. Not the right analogy).
What is the exploit that makes the carriage return in posts on /. work?
Whole host of Android vulnerabilities found by Microsoft researchers, published online immediately.
This would be like my neighbor finding out about how the lock on my back door is broken, and then he posts that information up on the Internet, along with my full address and work hours, instead of privately informing me about the problem. Now that's just plain rude... Karma is a bitch, if you act like an ass.
The chat happens the first time (so that should have already happened 2 years ago). The second time he should be fired.
The code is clearly targeted for x86 only, not for x64 (__declspec(naked)).
I don't have x86 PC.
On Win7x64 the code plainly crashes.
Unimpressed.
Nuclear war
...but not disclosing it to the vendor first and giving them a chance to release a fix is both unprofessional and irresponsible. Add in the fact that this is coming from a Google employee makes it inexcusable, and reflects poorly on Google. If I were his manager he would certainly receive a reprimand.
The only reason not to do so would be if you knew someone was already taking advantage of the vulnerability in the wild.
Or worse, if you didn't know someone was already taking advantage of the vulnerability in the wild.
Not telling the sysadmins of the world that their systems are potentially at risk is a far worse crime than telling the attackers that they assuredly are.
"I got a half gallon of Jack, and 2 dozen Ant Traps. I'm about to get wild." -me
It's really not.
No explanation required
Actually, I'd really like to see what kind of explanation you can pull out of your ass to justify that.
Security through obscurity is no security at all.
A security hole is a security hole. A hole that is not widely known about is not in any credible sense "safer" than one with a demonstration exploit posted on mailing lists.
I would rather that news of exploitable security holes be widely published, so that mitigating secondary security blocks can help cover the hole, and reduce the attack surface as soon as the exploit is discovered. While you can't recompile the kernel on day-0, you CAN filter network traffic, isolate unprotected systems, and take other affirmative actions to safeguard company and private data from unauthorized persons, and prevent the silent execution of malicious software early.
The problem one runs into there, is that most software out there today is not so much "secure", so much as it actually is analogous to a block of aged swiss cheese. Hardened in some places, and totally see-through in others. Managing many disparate suites of software packages means dealing with, and mitigating the risks, of a great, great many peepholes.
But again, a security hole is a security hole, and security through obscurity is no security at all. Wishful thinking that "if nobody says anything, then it's perfectly safe to let slide for now!" puts systems, data, and people at risk for the sake of convenience.
Look at the fallout of the near miss between that German drone aircraft and a small passenger plane that just came to light. Secrecy of the problem does not make the problem go away, and hiding the risks (for any reason) from people who are at risk is beyond unconscionable.
Security through obscurity is no security at all.
Spoken like someone who has no fucking clue what they are talking about.
ALL computer/network security is security through obscurity, just like the locks on your house are security through obscurity.
Encryption uses an obscure key.
A password is by definition, security through obscurity.
Stop repeating shit you heard someone else say without any fucking clue what it means.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Umm. Many do.
Do you know if the 3 to 5 guys who own that codebase in MS read that site?
Microsoft never gets off its ass and fixes stuff before it goes public.
Quite simply untrue.
So. Fuck it. Publish. Make em work.
So, no -- responsible disclosure first. Extreme measures after that. Don't be an asshole. Not being an asshole is generally not hard.
Microsoft never gets off its ass and fixes stuff before it goes public.
Really? Every bug fix they ever made was from public disclosure? News to me, since I personally have seen them fix things disclosed only to them.
What you actually mean is that you, a home user, with at best a handful of machines, think its better to rush a patch out that could break shit, than to do a proper fix and test cycle.
What this lets the rest of us know is that you have no fucking clue what its like to deal with large scale software maintenance. Any admin worth his salt knows that if you can mitigate the problem away and wait for a proper patch that has been thoroughly tested is about 10 billion times better than some random hack made by some guy at 3am this morning.
There are few exploits that cannot be mitigated in some way. This particular issue is easy to mitigate at most companies by simply firing any jackass caught exploiting it. It requires local access (via RDP counts), so its not like we're talking about an internet facing, anyone can take you down, kind of bug.
On top of that, any admin worth his salt is going to do proper testing, which means even if they got a patch 10 seconds after the exploit was found, its STILL GOING TO BE A WHILE BEFORE THE ADMIN DEPLOYS THE PATCH ... unless he is some ignorant clueless douche like you who doesn't have any idea what he's doing.
All your post does is shows your complete ignorance of the bigger picture.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Not telling the sysadmins of the world that their systems are potentially at risk is a far worse crime than telling the attackers that they assuredly are.
Let me give you a hint. You are not a sysadmin. Stop acting like you have any idea how sysadmins should behave or be notified.
Why?
Because any actual sysadmin (not someone like you, running Linux in mommy's basement) knows that ... the system is at risk because its turned on.
Its all about risk mitigation, not flawless systems.
You're an idiot if you think your systems are 'safe' just because you're 'all up to date and patched'.
Any real admin will simply mitigate the issue away until a patch can be tested and installed. Real sysadmins don't have retarded knee jerk reactions to exploits.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
"Doesn't matter what history shows."
That's the refrain of the conquered and the unscientific.
Just because they have a patent does not mean they will implement or even test out the idea. Patent just means they have someone in the company that came up with the idea before someone else did.
The same thing happened last time if I remember correctly. It's a tricky situation ... his employer shouldn't be able to control his hobbies
Correct, the employer can't control his hobbies. However, this sort of irresponsible behavior is akin to a Charlie Sheen going on TV and calling Chuck Lorre some sort of Jew.
What you do publicly reflects on you and those around you. Companies, just like your friends, will distance themselves from you or cut you off when you are clearly being a douche bag.
His actions show everyone that he is irresponsible and selfish. More concerned with getting himself attention than fixing the problem.
Google would be dumb to keep him around, his intelligence and skills are trivial in comparison to his inability to play well with others and be a good citizen in general. His irresponsible actions here are not going to be his only selfish and irresponsible actions. Why would Google want to take the risk that next time he pulls this sort of stunt, that he DOES claim it was with Google's blessing?
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Let us say you came to know someone's username/password and went ahead and posted it on the Internet, would that be legal? If not, why is this legal? This is like posting every Windows user's admin username/password. If the Google employee used any of Google's resources, then Google should be made personally liable for this act.
Would you like if someone posted your garage door opener code, car code or other things? If not, boycott google for this brazen act of privacy and security breach.
PS3 encryption == security through obscurity. (That salt doesn't need to ACTUALLY be random--each and every time-- does it? Cause, that would be a pain to implement!)
PROPER key pair generation == impossible to realistically derive the secret key from the public key and the payload, due to addition of true random salt. (Where "reasonable" means within the attacker's lifetime.) There simply is not enough information to derive all the factors to refactor the secret key. This is by design, and is considerably different from a simple password in implementation.
In other words, you are being specious, and are downplaying that the security involved with proper encryption is most definitely not "if nobody looks, nobody will see!" type security.
"Herp! He said a commonly used phrase, and I tooked exceptshun tuh dat! Hur-hur, so I calleded him an idjut and a mohron and stuffs! He coulndna poshibly know what dat phraseology thimgy rully means, like I'z does!"
Seriously, that's what you sound like when you say such dumbassery.
When you're given access to classified information you sign an agreement to protect that information. I fail to see how this is analogous at all. Are you sure you're not BadAnalogyGuy in disguise?
Poor analogy. Your billy-club company is making something anyone can make -- it's common knowledge how to make one, and it's even easily replaced with other objects. Ormandy found the exploit -- making his knowledge of it unique. By publishing it, he made it common knowledge. There was not even anything that could be used to substitute it. People are running to defend Ormandy in their glee that he did something to hurt MS. If MS had published an exploit in the Linux kernel without first submitting a patch and waiting for it to be accepted, I guarantee you your stance would be the exact opposite of what it is now.
The Google employee handbook explicitly mentions that you represent the company even during your off-work hours and should act accordingly. This guy is an arrogant asshole and should have been fired a long time ago.
Disclaimer: I work for Google
Either way, bad analogy... sorta.
Military classified material is created and protected both to prevent discovery of vulnerabilities and to prevent discovery of new advances or knowledge of technology, intelligence, and so forth. Revelation of such can have a very high probability of endangering lives and civilian security.
This Windows bug is, well, the result of deficiency, nothing more. The worst that can happen? Well, if someone were both a flaming dumbass and exposed a SCADA box unprotected to the Internet, while simultaneously surfing the web or downloading random/untrusted bits to said box. But then, that flaming dumbass is the problem more than the bug.
Quo usque tandem abutere, Nimbus, patientia nostra?
Quite the opposite. Firing Charlie Sheen regardless of what he said was a very bad mistake. Same would apply to Google in this case. Fortunately Google is a lot smarter than that, and than you...
Mitigation requires that the admin is informed. Which requires disclosure.
If you're offering yourself as an example, your posts to this article suggest you have retarded knee jerk reactions to just about everything.
Any real admin will simply mitigate the issue away until a patch can be tested and installed. Real sysadmins don't have retarded knee jerk reactions to exploits.
Devil's Advocate: You can't mitigate what you don't know about. See also the (semi-)infamous WPF bug.
Quo usque tandem abutere, Nimbus, patientia nostra?
From the paritynews article:
He also noted that another working exploit may already be circulating in the wild.
Whether this means before he posted or not?
Like a good neighbor, fsck is there
Except that he's right. The "Security through obscurity is no security at all" mantra is the first thing that people who know nothing about security fall back on again and again. Asymmetric keys are merely *better* obscurity than most other means. You're still just counting on not being a sufficiently interesting target that your keys are not going to be put to the test by somebody with access to a proper compute cluster (or maybe a quantum computer), or that they won't bypass that and exploit you some other way.
You should know this already. Speaking generally, all security mechanisms can be broken, so you need to ensure the cost of exploiting is greater than the thing you get access to after exploiting.
It's is short for it is or it has. This is a 100% rule. It cannot be used for anything else. If you cannot expand it's to it is or it has, then it is wrong.
Its
Its is like his and her.
Read more at http://www.grammar-monster.com/easily_confused/its_its.htm#ofYKtpWvWVT8w4VO.99
"I got a half gallon of Jack, and 2 dozen Ant Traps. I'm about to get wild." -me
History tells us that telling Microsoft privately puts it on their radar for three to five years out. Disclosing publicly actually gets a patch to users.
This guy gave them 4 weeks before publishing actual exploit code (not just vulnerability info), and did not report it to Microsoft before publishing the vulnerability. To produce and, most importantly, QA a patch to the most used OS environment in the world is not trivial and takes time. Even if you want to stick it to MS, this is a big middle-finger from this Google guy to users all over the world.
You don't know his motivations, you're making an assumption.
It's funny - I was just having a conversation with a friend about this very subject.
On some level, of course, you're perfectly correct that we can't "really know" what's in his head, however what you're attempting here is a misuse of epistemological concepts to undercut social or ethical criticism.
There is no absolute certainty regarding motives - hell, you can't even be certain of your own motives to that degree (we're all capable of fooling ourselves).
Yet we all talk about motives all the time (and juries do ascribe motives to defendants to within a reasonable doubt) - how can this be?
The obvious conclusion is that we all actually understand this situation pretty well and know that we're making certain assumptions (and that our claims are falsifiable) and that we all license those sorts of assumption when discussing the motives of others.
So, in other words, yes the OP is making assumptions, but since we all knew that anyway rebuking him/her as you did is neither helpful nor warranted.
Devil's Advocate: You can't mitigate what you don't know about. See also the (semi-)infamous WPF bug.
I think his/her point is that it is irrelevant, to some degree. When you're running an application, you're accepting the risk it brings with it, even the ones you can't enumerate. You mitigate everything else about the system so only what the application requires is accessible.
Disclosing an unpatched vulnerability does little good to a well-protected system.
I never said I believed in "unbeatable protection". That's a strawman. I basically said that "out of sight, out of mind!" is not a proper risk mitigation practice. Most certainly NOT the same thing as professing a belief in perfect security.
Proper keypair generation attempts to make it more costly for the attacker to profit from the action of hacking, and actually demonstrates this fact for them, should they try anyway.
Shitty obscurity based half-assery fakes being strong, to deter attempts, but fails easily on inspection. Something like using a password to XOR a file and calling it "encrypted", or doing what Sony did and reusing the same salt over and over again, completely defeating the purpose of the salt in the process.
Relying on "don't tell anybody! We'll get to it eventually, and if you don't tell, nobody will find out!" is bullshit, which is what typically happens with so called "responsible disclosure." I have heard of serious exploits hanging around for YEARS after being "responsibly disclosed."
I understand that you can't fix the hole instantly, and that the patch needs to be tested to make sure it doesn't poke another hole elsewhere. However, informing the people at the most risk (customers) that they need to take some mitigating actions to reduce the threat, and to watch for signs of exploit until the patch is ready, is the responsible thing for the software vendor to do. NOT hide the exploit and try to forget about it, while less scrupulous crackers silently use it in combination with other exploits to commit fraud, steal company privileged information, steal user personal data, build botnets, and worse, while pretending that "it won't happen, because nobody squealed!"
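The "reusing the same salt" point raised in this comment, and in the PS3 comment further up the thread, is easy to see in code. The following is an added illustration, not code from any poster on this page or from Sony: it stores the same handful of constructed user records twice, once under one shared constant salt and once under a fresh random salt per user, and shows that the shared-salt table gives away which users share a password to anyone who merely reads it, with no cracking effort at all. The user names, the passwords (including the thread's "june2013") and the iteration count are all made up for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

# Work factor for PBKDF2; a demo value, tune upward for real deployments.
ITERATIONS = 100_000

# Constructed sample accounts. Two of them reuse the same password on purpose.
SAMPLE_USERS = {
    "alice": "june2013",
    "bob": "june2013",
    "carol": "correct horse battery staple",
}

# The anti-pattern under discussion: one salt shared by every record.
SHARED_SALT = b"same-salt-every-time"


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_with_shared_salt(users: Dict[str, str]) -> Dict[str, bytes]:
    """Weak scheme: every user is hashed under SHARED_SALT."""
    return {user: derive(pw, SHARED_SALT) for user, pw in users.items()}


def store_with_random_salt(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Proper scheme: a fresh 16-byte random salt per record, stored alongside the digest."""
    table = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16)
        table[user] = (salt, derive(pw, salt))
    return table


def verify(record: Tuple[bytes, bytes], password: str) -> bool:
    """Check a candidate password against a (salt, digest) record in constant time."""
    salt, digest = record
    return hmac.compare_digest(digest, derive(password, salt))


def duplicate_digest_groups(digests: Dict[str, bytes]) -> List[Set[str]]:
    """Group users whose stored digests are byte-for-byte identical.

    This is what a reader of a leaked table can do for free. Under a shared
    salt, identical digests mean identical passwords; under per-user salts
    the digests differ even when the passwords do not.
    """
    by_digest: Dict[bytes, Set[str]] = {}
    for user, digest in digests.items():
        by_digest.setdefault(digest, set()).add(user)
    return [group for group in by_digest.values() if len(group) > 1]


def compare_schemes(users: Dict[str, str]) -> Tuple[List[Set[str]], List[Set[str]]]:
    """Return the duplicate groups visible under each scheme: (shared salt, random salt)."""
    shared = duplicate_digest_groups(store_with_shared_salt(users))
    random_table = store_with_random_salt(users)
    per_user = duplicate_digest_groups({u: d for u, (_, d) in random_table.items()})
    return shared, per_user


if __name__ == "__main__":
    shared_groups, random_groups = compare_schemes(SAMPLE_USERS)
    print("shared salt reveals password reuse among:", shared_groups)
    print("per-user random salt reveals:", random_groups)
```

The point of the comparison is that the salt is not a secret and does not need to be one; it only has to be unique per record so that equal passwords do not produce equal digests and so that a single precomputed table cannot be reused against every account. Reusing one salt throws that property away, which is exactly the complaint about the Sony implementation above.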
I sure as hope so. Google..Do no Evil HAHAHAHAHHAHAHAHHAHAH
Jack of all trades,master of none
The only reason not to do so would be if you knew someone was already taking advantage of the vulnerability in the wild.
Google is in competition with Microsoft. Google would prefer people to use chromebooks and android so raising anxiety about Microsoft based products furthers their corporate goals. It could easily be as simple as that.
Ok, good point on the billy-club. If I read correctly, didn't he give MS 4 weeks to patch it before publishing an exploit for the bug? MS is a commercial company that provides a product and has an obligation to ensure its security. The Linux kernel, however, comes with no such guarantees; maybe if you bought a commercial distro but even then it depends on the EULA. You can always speculate better/different ways of doing something after it's done. I'm not going to bash Ormandy for publicizing the bug anymore than I would bash somebody for publicizing a bug in the Linux kernel. Come to think of it, aren't all the bugs for linux (and other opensource projects) public on a bug site?
History proofs you wrong. this article too. http://technorati.com/technology/it/article/hackers-use-google-published-exploit-to/
Jack of all trades,master of none
This.
Even if MS has a history, it's irresponsible not to give them some industry standard (or even vendor requested, so long at it is reasonable) timeline to get in front of the information release with a patch.
Even if the bug is "in wild", that's not sufficient excuse. "In the wild" tells us almost nothing about how widespread knowledge of the exploit is, how dangerous the exploit is, what mitigation efforts the average customer is capable of, what mitigation efforts highly skilled admins are capable of, and whether anyone has the time to implement mitigation.
Failing to rigorously follow a responsible timeline leads eventually to the following. A hotshot hacker with a short trigger and something to prove IMs a low level MS employee with a notice of a bug. The MS drone fails to respond how and when the hacker thinks is good enough (possibly instantly, and with fawning adoration of the hacker's L33T SKILZ). Hacker goes off in a public forum to embarrass MS, which was likely their goal all along.
Like it or not, you can be a professional and part of the solution. Or you can be part of the problem. Don't be part of the problem.
subject should be 1896 fraud and abuce act
No, it really shouldn't.
First: Please proof your comments, especially when trying to prove someone wrong.
Second: How is he responsible for the actions of the website developers? They could have been using the exploit for a long time. The article just says that a site is using that bug, not that they got the idea from his publishing or even that they just started using the exploit within a week. You have a guy that has published a bug, then you have a site that is said to be exploiting the bug; nothing linking the two.
I like how the summary was written, it doesn't come down either in favor or against what the Google researcher did, but instead left that judgement to the comments.
More like that please.
That's why one should responsibly disclose with a time limit-2 weeks maybe? Give the company ( even m$) a head start on the crackers who didn't yet know this hole.
They still haven't fixed this:
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
In fact there are now exploits in the wild, and frankly it was a stupid idea in the first place.
Also if the bad guys have access to a machine (yes, RDP counts) you lose.
I don't care how locked down you think your system is.
The only secure computer is one powered off and in a fire safe at the bottom of a mineshaft.
This bug was reported to MS in march.
They were given a deadline of 60 days.
Then another 14 days extra.
They still blew it.
The non sequitur there is in asserting that because the whitehat hasn't disclosed his findings, others haven't also independently found the hole and been more mum about it.
Which is more profitable for a person who makes their living by stealing company secrets, laundering money through wire fraud, or selling stolen identity information?
Using an exploit that has been publicly disclosed, and thus everyone is super paranoid about it and actively trying to plug it -- OR -- a nice little treasure trove of privately discovered exploits that aren't public knowledge that you can quietly switch to once the hole you are currently using gets discovered?
"Saving face" for the company facilitates the real blackhats by keeping admins and users ignorant of the threat.
All public disclosure does is make real blackhat attackers silently move to their next vector, and cause a spike in script kid activities. (And of course, make the software vendor look bad.)
Keep in mind - the more you make full disclosure a crime, the less likely white hats will disclose vulnerabilities in the future, as you would be increasing all white hats' liabilities.
Security through obscurity is no security at all.
I have a password that's "june2013". I don't mind telling you that because you don't know what system it's for and what the user name is. That's pretty secure just because of the obscurity.
Yes, sure, soon they'll come after me with their quantum computers.
And nobody knows if P = NP isn't true.
After all, there's no difference between cryptographers and snake-oil peddlers. Just "obscurity". If the latter just knew to better keep their "secret"...
First I did prove you wrong even with the grammar mistake. like im going to loose sleep over it. Link says enough and get real, read the article it proofs you wrong. Ya the poor guy find the exploit makes a too to exploit it without telling MS anything was amiss and you say hes not abating criminals HAHAHAHAHAHAHAHHAH. Yes the mistakes are on purpose this time just to piss ya off.
Jack of all trades, master of none
Let's see, AC.
I could very well pull one of the blackhat user credential database dumps (many is better!), cross reference that plaintext stream, and get a surprisingly narrow view into already compromised accounts that use that password.
This is because users are, by and large, dumb, lumbering creatures of habit, and reuse usernames and passwords. When you spread the attack surface over many disparate systems like that, you make yourself far more vulnerable than you realize.
While I can't guarantee that your precious account will be in a combined assortment of clandestine database dumps like that, it gives me a very good starting point in hunting your ass down.
Surely you're being a dick on purpose, or you're completely ignorant of what you do for a living, if it is indeed related to software development on any scale as you're suggesting (but not actually disclosing). Your comments show a complete disregard for the valid arguments raised by the grandparent poster, the complexities of software development, testing, and deployment.
My judgement of you, which may not win me any arguments but makes me feel super-great, is that you are a tool.
He reported the vuln to Microsoft early March.
Their PR shills are out in full force to try turn this into a "google is teh evil" incident.
That's a shit ton of work just to have a completely minute chance of finding the system and account that password is for. If it were "no security at all" you'd have already done it to show him up. But we all know you won't bother because it's not worth your time now. Sounds like it was much better than no security at all to me!
-Different AC who also recognizes the futility of blanket absolute statements
That guy sounds like a real Dongle.
The main crux behind "security through obscurity...", is the same behind other types of "ignorance is bliss" arguments.
A peep cam installed in the changing room at Dillards where you try on a suit takes pictures of your junk regardless of whether you know about it or not.
In fact, if you have been warned that the changing booth has a peep cam, you can mitigate your risk of having your dick on Something Awful by either not using the changing room, or by putting gum over the lens.
If you don't know about the camera, THAT'S when you have the most problem with people being crotch cammed.
If Dillards KNOWS about the crotchcams, but can't easily remove them and make the booths camera free, but fails to inform their patrons and ask that they forgo the use of the changing booths until they are fixed and safe, what does that say about the store?
Again, being crotch cammed unawares doesn't mean you weren't crotchcammed.
Same holds true for security exploits in computer systems. These days, you really should expect to be getting crotchcammed regardless, and be ever vigilant. It isn't tinfoil hattery. Just put an unpatched XP fresh install on the net, and watch the fireworks.
Companies refusing to disclose threats to the public only puts them at increased risk.
wow, why so angry?
I see you have resorted to ad-hominem attacks and childish name calling.
Did he rape your mother?
Did he douse your dog in petrol, set it on fire and burn it to death?
Did he kidnap your sister and dissolve her, alive and screaming, in concentrated acid?
So again I ask, why so angry?
Umm. Many do.
Do you know if the 3 to 5 guys who own that codebase in MS read that site?
Probably not. But it's pretty-much a certainty that MS's security response team does. And that's the guys you'd notify, anyway... you don't send bug details directly to the owner of the code in question.
TFA states nothing about him giving MS 4 weeks. AFAIK that was the previous time he went public on MS's ass; this time he just went out guns blazing as soon as he discovered the issue.
In terms of obligations (to release secure software), I disagree. You don't even need to look at EULAs (for Windows or for commercial Linux distros). There is no such thing as "absolutely secure" software. You simply cannot release X software and make the statement "X is secure -- I guarantee it". What you can do (and what Microsoft does better than most -- this is documented -- here's a random citation in support of that) is you can follow secure development practices, use defense in depth, and have a good patching mechanism.
I'm not going to bash Ormandy for publicizing the bug any more than I would bash somebody for publicizing a bug in the Linux kernel. Come to think of it, aren't all the bugs for Linux (and other open source projects) public on a bug site?
This is plain incorrect. You have a responsible disclosure mechanism for Linux just as much as you do for MS/Windows (or any other product/entity/whatever). Disclosing an exploit on Linux without first giving the maintainers a chance to patch is fucking them over just the same as this is fucking MS over. The fact that he's done this twice now just shows that he's doing it out of spite.
Yes, sure, soon they'll come after me with their quantum computers.
They won't -- because you are obscure -- get it?
with a kernel that doesn't support (my) wifi hardware when ubuntu does. lubuntu is plenty light weight for my hardware too. android runs fine on my phone and tablet too, i have a gaming desktop and that is windows 7, but despite steam for linux gaming just isn't the same.
ubuntu is still way better no matter what distrowatch says.
https://www.gnu.org/philosophy/free-sw.html
Can google and/or this guy be prosecuted for this because releasing the working demo is basically aiding and abetting a criminal
If they/he can be prosecuted, Microsoft should be prosecuted too. They made the bug and a whole lot of other bugs. That's basically aiding and abetting AND neglect.
You can't mitigate what you don't know about.
Sure you can (layered security, heuristics, mutually assured destruction, etc)
Exactly. MS has a well-documented monthly patch cycle. Give them until the next patch release date if you don't think there are exploits in the wild. Give them 1 week if there are already exploits. Similar rules for any other vendor depending on their patch cycles etc. A little common sense is all it takes.
the human brain uses between 12 and 20 watts. despite rumours of some people being 'smarter' than others the hardware varies very little, and it's simply a matter of efficiency at the tasks being given to it. so really a 'smart' person isn't 'wired differently', it's just they didn't motivate themselves the way people who memorized things in school did.
and google isn't using hardware that can compete with real neurons. illusionists are so amazing because they know that people are designed to throw away data very fast and see what the illusionist wants them to see rather than what their brains threw away with no regard to values.
i know exactly how stupid people are because i've been there thinking i was smarter because i could do well in school. if we wipe ourselves out i know why: because we couldn't get past thinking ourselves greater than we are.
https://www.gnu.org/philosophy/free-sw.html
I never said I believed in "unbeatable protection". That's a strawman. I basically said that "out of sight, out of mind!" is not a proper risk mitigation practice. Most certainly NOT the same thing as professing a belief in perfect security.
"out of sight, out of mind!" is a bigger strawman than anything I said. Responsible disclosure, so MS has at least a chance to respond -- that's all people are calling for. And the point wasn't about unbeatable protection -- the point was to dispel this silly one-liner that only serves to hinder meaningful discussion of security issues.
Shitty obscurity based half-assery fakes being strong, to deter attempts, but fails easily on inspection. Something like using a password to XOR a file and calling it "encrypted", or doing what Sony did and reusing the same salt over and over again, completely defeating the purpose of the salt in the process.
*This* is a strawman. Don't point out stupid shit that other people did, and claim that it makes your point valid. Remember again the general recommendation -- the cost of breaking your scheme must be greater than the value of what you're protecting. If you're using the scheme above, you should be using it to protect minesweeper scores at best.
Relying on "don't tell anybody! We'll get to it eventually, and if you don't tell, nobody will find out!" is bullshit, which is what typically happens with so called "responsible disclosure." I have heard of serious exploits hanging around for YEARS after being "responsibly disclosed."
This is a strawman again. Simply, disclose responsibly. The patch cycle is well documented. If 1 cycle goes without a patch, you can remind them. If the second one goes by and no patch, disclose. How hard is that? Answer -- not hard at all. When you're not out to fuck people over, and don't have some agenda you're trying to further, it's really not that hard to be reasonable.
I understand that you can't fix the hole instantly, and that the patch needs to be tested to make sure it doesn't poke another hole elsewhere.
It's not just that. The patch needs to be tested to ensure that it actually works! That was an issue the last time Ormandy did this -- he provided a binary patch that did not fix the issue! In addition to that, it has to not cause other bugs (not necessarily exploits -- but bugs -- because those too can cause work stoppage etc.). When the hole is being exploited already, all this goes out the window -- exchange information openly and get that shit fixed ASAP. When it's not yet being exploited actively, you can spare users a lot of headache, and a lot of lost productivity by simply following responsible disclosure guidelines that are well documented and well-known to Ormandy himself.
However, informing the people at the most risk (customers) that they need to take some mitigating actions to reduce the threat, and to watch for signs of exploit until the patch is ready, is the responsible thing for the software vendor to do.
Dude, you can drop the veneer about caring about MS's customers. Ormandy can drop that too. There's a clear course of action by which Ormandy and MS could have done right by them together. Ormandy made sure that's no longer an option, and they are in greater danger now than was strictly necessary. And you are defending his actions out of glee that MS is looking like an idiot.
NOT hide the exploit and try to forget about it, while less scrupulous crackers silently use it in combination with other exploits to commit fraud, steal company privileged information, steal user personal data, build botnets, and worse, while pretending that "it won't happen, because nobody squealed!"
Nobody is asking to HIDE anything! You complained about a strawman earlier??? Responsible disclosure does not imply infinite time. Ormandy works for Google right? He can
While I agree with you insofar as relying too heavily on "nobody knows this attack vector exists so it's as good as patched" provides a false sense of security, I don't think saying it is "no security at all" is any more accurate. For example, a lot of people keep a spare key for their vehicle hidden somewhere using a magnetic key holder in case they accidentally lock themselves out. While this is in fact an exploitable vulnerability, hiding a key somewhere on the car is still more secure than leaving a spare key inside the door lock in case you lock yourself out.
Why do today what you can put off until tomorrow?
The non sequitur there is in asserting that because the whitehat hasn't disclosed his findings, others haven't also independently found the hole and been more mum about it.
Blindly assuming there is no exploit in the wild is silly. Blindly assuming there is an exploit in the wild is equally silly. You have to examine each case as you encounter it.
Using an exploit that has been publicly disclosed, and thus everyone is super paranoid about it and actively trying to plug it -- OR -- a nice little treasure trove of privately discovered exploits that aren't public knowledge that you can quietly switch to once the hole you are currently using gets discovered?
For the 99% of users that don't read Slashdot, vendor-sec, arstechnica, cnet, etc. etc. how did they even know about the exploit? I'm sick of people making this point without thinking it through for even a moment. Public disclosure will reach the black hats -- guaranteed! Public disclosure will not reach the 99% of non-technical computer users in the world -- also guaranteed! How effing complicated is this point that you seem unable to grasp??
"Saving face" for the company facilitates the real blackhats by keeping admins and users ignorant of the threat.
Nobody gives a shit about saving face. Responsible disclosure can save *users* from encountering exploits before patches are ready -- if there wasn't an active exploit out there, there damn sure is one right now, there damn well isn't a patch. Give it one patch cycle, two at the most. How fucking hard is that. You keep on and on and on treating it as if the choice is "disclose now" vs. "never disclose". Why do you insist on being so dense?
All public disclosure does is make real blackhat attackers silently move to their next vector, and cause a spike in script kid activities. (And of course, make the software vendor look bad.)
*This* is a non sequitur and shows a lack of understanding as well. One -- it assumes there were already active exploits, so it does not account for having put users in danger if there were none. Second, there is no patch yet, so attackers will not "move on" as you put it. Third, attackers do not move to their next vector. They generally use a broad spectrum of attacks and assume some low percentage of success (which is all they need for creating botnets). They just had an easy one drop into their laps, and they know that a defense doesn't exist for now. That's all that happened. Blackhats are not a homogeneous entity either. Even if a small number of them knew about this exploit earlier, now they all do and the race is on.
Asymmetric keys are merely *better* obscurity than most other means
Secrets that cost substantially less to discover than the value of whatever they're protecting are merely "obscured". That's the difference between a quantitative difference and a qualitative one, when different words apply. An atmospheric vortex that's too weak to damage anything of value is a dust devil. A vortex strong enough to rip houses apart is a tornado. See? A large enough quantitative difference becomes qualitative. "Large enough" generally involves orders of magnitude. Just hoping nobody deciphers your corporate login's minified .js or throws a fuzzer at your kernel isn't going to cut it.
"Shoot the messenger" actually works when the messenger and the miscreant are the same, or the miscreant cares and knows you'll shoot. They're a team -- and if they're supposed to be on your team, then you've got a right to be angry. But when a white hat tells you about a breach, he's the messenger, but the messenger is not the miscreant. Him telling you rather than selling it to the highest bidder actually does put him on your team ... unless what you're trying to protect isn't what the actual system is ostensibly there to protect, but is instead your image.
As always, all IMO. Insert "I think" everywhere grammatically possible.
This particular issue is easy to mitigate at most companies by simply firing any jackass caught exploiting it. It requires local access (via RDP counts), so it's not like we're talking about an internet facing, anyone can take you down, kind of bug.
That's true of all privilege escalation bugs. The problem is that they make a hash of proper security protocols like running as a non-admin user. If you combine it with another exploit that gives local access, you can have both a remote exploit and an admin exploit at the same time.
Properly used, exploits shouldn't take you down. They should leave the attacker with access to your systems. Being taken down means that you can't read the secrets in your email today. Tomorrow everything will be back to normal. Being compromised means that someone else can access your secrets. They can then choose to interfere or not. They can even take you down if they want.
I'm also a bit confused as to what side you're arguing. Mitigation strategies favor public disclosure of a vulnerability. You don't mitigate things of which you are unaware. The kind of exploits that should not be disclosed are those without mitigation strategies.
Secrets that cost substantially less to discover than the value of whatever they're protecting are merely "obscured".
Well put. This is exactly what I was explaining to OP. This is also why the obscurity mantra is irritating -- think about cost/effort of breaking the scheme instead of repeating tried slogans.
Just hoping nobody deciphers your corporate login's minified .js or throws a fuzzer at your kernel isn't going to cut it.
Sure -- but MS isn't doing that.
Him telling you rather than selling it to the highest bidder actually does put him on your team ... unless what you're trying to protect isn't what the actual system is ostensibly there to protect, but is instead your image.
Incorrect -- he told (sold whatever) it to everyone (including the so-called highest bidder) for a price of $0. He did not achieve the "on your team scenario". He could arguably have abetted the "highest bidder", therefore could arguably have hurt MS's customers. He did hurt MS's image, which I do not care about -- but it seems like the only rationale for his insistence on going this route. I repeat -- I don't give a damn about MS's image. But I can't help but think Ormandy likes to hurt them, and that influenced his choice. Because as I said, he certainly achieved no goals of protected users, and he arguably has hurt them, with the route he chose.
He's done that for the closed source code Google runs as well then, right (prior to giving Google time to fix it)? Because anything else would be hypocrisy at best.
If they/he can be prosecuted, Microsoft should be prosecuted too. They made the bug and a whole lot of other bugs. That's basically aiding and abetting AND neglect.
Let he who has written absolutely secure software cast the first stone.
In other words, that's a pretty dumb response. No software can be guaranteed to be secure -- it's just not provable that you have no security bugs no matter how good your processes and testing (never mind the fact that new *classes* of exploits are found on a decently regular basis). Besides if you see the details of Ormandy's bug, it's actually an extremely esoteric issue so it's not like you can call MS negligent for not finding it first.
If Microsoft would open their source code like a decent software citizen, this wouldn't be an issue. If they want to be closed source and sneaky, there is no reason to play nice.
* Carthago Delenda Est *
It might be dangerous, but not evil. Microsoft has a habit of dragging their heels over securing their software. This simply is a kick to tell them to get their asses in gear. This kind of exploit would be totally ridiculed in the open source world, so Microsoft, with its effectively unlimited budget and manpower resources has no excuse.
The sooner they get started, the sooner it'll be fixed. And no, it is not acceptable to keep customers waiting until the Tuesday after next. Or longer.
no.
That's a really great way to move even more people like Tavis over to selling their exploits on extremely profitable black markets. The black market pays a fuck ton more and it's pretty trivial to sell exploits anonymously.
Let's send the few decent white hats we have to prison for the rest of their lives because they publicly disclose vulnerabilities in shitty software! That will definitely make the situation better!
Allow me to explain then:
You might use every security mechanism and precaution in the book, and still get 'hacked' if you are a sufficiently interesting target. If you're some random obscure individual (which most of us are) you can get away by merely using good passwords, and keeping your OS and apps updated, not visiting compromised sites, not opening random-ass attachments (basic measures like that). Does it mean the software and processes you use are secure? Hell no. Does it mean you are effectively secure? Could be. But even so, you're relying on the fact that you are a random, uninteresting, obscure individual that nobody would bother to single out and specifically target.
Same thing applies to GP's point about asymmetric keys. You can use PKI -- it won't matter if you do careless shit with it and cheaply cough up the symmetric key you exchanged with it. Or if you chose some idiotic block cipher. Or if you do something silly like saving unencrypted data to a temp file. It's a house of cards and attackers are not necessarily looking at it top-down the way you are -- they'll exploit anything they can. You can't say you use encryption therefore you are truly secure and you do not rely on security through obscurity. No -- you have to discard useless clichés like that and actually take the trouble to follow secure development practices.
What that means is -- you draw up your threat models, find your weak points, eliminate the issues you find, mitigate what can't be eliminated, follow other secure practices (banned APIs, code reviews, static analysis tools, fuzz testing, pen testing) etc. etc. -- it's a long list. You do everything you possibly can, and THEN, you still acknowledge that you cannot possibly have found all flaws. There will be exploits found that you'll need to patch. So you prepare an infrastructure for developing, testing, deploying said patches, and a notification system for people to let you know about these holes when they find them.
All of the above exists. All that effort has been taken. Ormandy just defeated it all because he doesn't give a fuck.
> Ormandy found the exploit -- making his knowledge of it unique.
Nope. The only thing unique here is his public disclosure of his knowledge. You have no way of knowing who else knew of this bug. Even without any exploits in the wild, it could easily be in a handful of spear-phishing attacks currently in use by any of those organizations that have been buying zero-day exploits for the last decade or so.
When information is power, privacy is freedom.
That's not the dichotomy. It depends how responsible the disclosure is. Say you notice the girl next door sleeps naked with her window accidentally open. Do you go to the seediest pub with a street map to her house and stand on a table to point out what a problem this is, or do you inform her so she can fix the security issue?
Obviously that's a terrible analogy as the point of publicly disclosing a security flaw is to warn those who may be affected (if we're generous, perhaps it's self-serving publicity). However doing so contains elements of the pub analogy. Responsible disclosure is weighing up the damage of both courses of action. Can anyone protect themselves knowing this exploit? In this case not easily. Can a script kiddy take the convenient code example and run with it? They surely can.
He is a decent fellow. I knew him in the days of yore when I was trying out fvwm. Both he and I used to post rc's on its site. Nice to see him doing well.
Nope. The only thing unique here is his public disclosure of his knowledge. You have no way of knowing who else knew of this bug.
This is a pointless line. I can't prove that *nobody else* knew about it. You can't prove that anyone else *did* know about it. But if a spear-phishing attack occurs, we will know immediately that this is now in the wild. In the meantime, a patch is not ready, no mitigating instructions are ready, but the exploit is known to world+dog now -- so the likelihood of such an attack has gone up if anything.
The flaw in the argument of anyone defending Ormandy is that once you consider the generic case in which a security hole can be found in anyone's product (not just MS's), you'll realize that supporting Ormandy's actions here is the same as saying that responsible disclosure serves no purpose. That's a really extreme stance and it is absolutely not what the industry as a whole has agreed to (Google included, AV vendors and the vast majority of security researchers included). And if that's not what you're advocating, then why does MS not deserve the same courtesy afforded to the rest of the industry? Why does Ormandy think this hole he found is so much more deserving of glory than all the thousands of holes found by researchers each day, who do disclose responsibly? What was so special about this one particular issue that necessitated this extreme step that left users vulnerable?
Yeah, because open source never has any security holes, and they always fix them immediately.. think again...
This moron should have reported the bug first to MS and later publish it, it would have the same effect.. Now MS doesn't have a chance to even fix the security in a timely fashion (you do know fixes have to be tested thoroughly which takes time, windows is not your simple hello world application)..
I do agree that it's not acceptable to let customers wait until the next patch Tuesday if you already have a decent fix ready..
Security through obscurity is no security at all.
That's not really relevant because the choice is between disclosing to the software makers and disclosing to the public, not leaving the hole in the product. Given the hole already exists, is it more secure to let the public (consisting of both good and bad actors) know or not?
The answer to that can change depending on the nature of the vulnerability (can the public protect themselves by changing a setting for example) and the way the software company can be expected to respond (will they sit on their hands unless faced with a PR disaster?).
Their PR shills are out in full force to try turn this into a "google is teh evil" incident.
Ah.. the new Godwin's law of Slashdot discussions. Thanks. I just also posted a recommendation to use Chrome and FF over IE10, but I guess that is just part of the conspiracy.
He reported the vuln to Microsoft early March.
Any sources for this? All articles, including the ones linked in the summary here, claim he just published them directly and did not report anything to Microsoft beforehand. The March publication included. Do you have a citation for claiming otherwise? Or are the Google PR shills out in force? /s
Or, maybe for the recent YouTube app squabble? Maybe Google just got tired of Microsoft playing dirty and gave them a dose of their own medicine.
Nope, just making exploits public without even trying to tell the vendor about them first is just a dickhead move, esp. on the users.
Security through obscurity is no security at all.
Of course it is. EVERYTHING is security through obscurity. It depends on how obscure it is.
So you wouldn't mind me telling everyone how to get into your house without being noticed, because I'm just exercising my freedom of speech. The 3d printed gun doesn't have to be used for crime, but a zero day exploit is really only useful for one thing. I guarantee this google researcher was told to release it to the public not MS, so they could make them look worse (not that they need any help).
Rocket Surgeon.
Conquered scientists, just as problematic as religious scientists.
for the same things M$ is doing on a much smaller scale. ftfy.
I'm sure he could have given the vendor (Microsoft) 5 or 10 days to work on a fix and devise a rollout before disclosing it. The only reason not to do this is if the exploit were being actively used in the wild, where the damage was already being done so there was nothing to gain from giving them more time.
If he is the smartest person on the planet, he's likely to be the only one knowing about it. If not, it's likely that someone smarter than him found it before him and didn't tell anybody publicly (they may however still have sold it privately to Russian malware writers - months ago).
With 7 billion people, the chance of being the smartest person on the planet is pretty low, though.
I for one don't want to bet my security on someone's ego. I want to be able to work around the problem (unplugging being the last resort, but still up to me to choose), as soon as possible. Anyone who finds a security problem and keeps it hidden from the public is therefore a bad guy, whether or not they sell the information privately to malware writers.
No.
We've been there. The discussion about full disclosure is a decade old and absolutely every argument for or against it has been made, back and forth, hundreds of times.
Assorted stuff I do sometimes: Lemuria.org
If he is the smartest person on the planet, he's likely to be the only one knowing about it. If not, it's likely that someone smarter than him found it before him and didn't tell anybody publicly (they may however still have sold it privately to Russian malware writers - months ago).
That's an artificial condition you're placing there (he could merely be the only whitehat who happened to be researching this particular approach at the time, or this particular module). And the way you speculate that the worst case scenario could be true, anyone can speculate that the best-case scenario could have been true. How many times do we play out that nonsensical speculation before people tire of pointing it out and accept it as an unknown for which the best guess has to be made? The illogical part of your scenario btw is that the malware writers got access to this months ago and yet we know of no exploits -- that part does not make sense.
With 7 billion people, the chance of being the smartest person on the planet is pretty low, though.
Two things -- as I already pointed out, this is an extremely arbitrary requirement you are placing, and secondly if he is not the smartest person in the world he should pause before acting unilaterally as he did.
I for one don't want to bet my security on someone's ego. I want to be able to work around the problem (unplugging being the last resort, but still up to me to choose), as soon as possible.
You're always welcome to your preferences -- just note that Ormandy's ego made you less secure because whatever % of blackhats knew about this hole, that % just got elevated to 100% and there is still no patch, and no mitigations aside from stupid ones (pull the network cable / shut down the system type nonsense. I'd love to see you recommend that to a hospital or a business with a straight face). MS (software vendors in general -- could be anybody) doesn't have the liberty of catering to just your preferences anyway. They have to consider the world at large which is full of users that will never even know of this event having transpired, so they will not resort to any of the actions that were prescribed above. Many of them wouldn't even know how to, even if they stumbled upon the news of this exploit.
Anyone who finds a security problem and keeps it hidden from the public is therefore a bad guy, whether or not they sell the information privately to malware writers.
The choice is not quantized in this manner, my friend. Between "disclose" and "hidden from the public" lie infinite shades of grey that you fail to mention. Absolutely nobody -- not one single person of the several hundred posts on this issue -- is asking him to keep it hidden from the public *forever*. Just that he give MS a fighting chance to fucking patch it before he fucks them (or rather their users) over.
Asymmetric keys are merely *better* obscurity than most other means.
You are using a false information model.
"Obscurity" in the context of IT security does not refer to private information of any kind.
"Security through Obscurity" refers to the false assumption that my ROT13 encryption algorithm is any better if I don't tell you that I'm using ROT13. The assumption being that it'll take you additional time to figure out what algorithm I'm using, making it more difficult to crack my code.
That assumption is false, because with any actual security measure, the amount of work required to figuring out the algorithm is insignificant compared to the amount of work required to break it.
Asymmetric keys are not "better" obscurity. You can't break a good encryption algorithm with even a huge cluster. That's the whole point - that I don't need obscurity. I can tell you what algorithm I used, what size my key is, absolutely everything except the key itself - and it'd still take you a century with all the current computing power on the planet to break it.
Obscurity is usually a weak algorithm that can be broken in minutes once you've figured out the one "trick" they keep secret.
If you still don't see the difference, re-read Applied Cryptography.
Responsible disclosure, so MS has at least a chance to respond -- that's all people are calling for.
We've been there, done that. Every argument pro or contra full disclosure has been made a hundred times.
Do you have any statistics I don't know about that show a clear advantage for "responsible disclosure"?
Tavis Ormandy is fortunate to be working for Google. Had he done exactly the same thing on his own, he'd have been investigated by the FBI and be facing a long drawn-out sequence of charges from the DoJ.
"you have no idea how many devices and backend systems you use everyday are on Windows"
Frightening thought!
I have nothing -- I share your interest in this if anyone else has some stats.
One word regarding disclosure though -- a happy medium has been reached in the industry -- incidents like this are the outlier these days. Everyone agrees that disclosure is good -- both in terms of doing right by users, and in terms of maintaining a credible threat that vendors better take security seriously or else they will get publicly pantsed. Everyone agrees pure obscurity (basically a cover-up) is bad. Almost everyone agrees pure transparency is bad (since vendors & users are sitting ducks that way). I say almost only because every once in a while (for example today) you get a guy trying to make a name for himself, or trying to make an example out of someone, or just generally being a dick.
Spoken like someone who can only see in black and white. Security by obscurity IS security, it can be very effective security, it just shouldn't be relied on in place of other security methods.
There are almost certainly dozens, likely hundreds, of critical bugs in all major operating systems. All of which are currently secured purely by people not being aware of them due to the complexity of the systems. The majority will never be found because the method of exploitation is sufficiently obscure that no one will pull the pieces together.
When one of those exploits is spotted by a 'white hat' then the immediate question should be how likely is it that a 'black hat' has already discovered this and that it is being widely exploited? If so, then how much damage would be done during a reasonable private notice period to the vendor vs the likely damage that would be done if it is disclosed publicly straight away?
In a real-world scenario it is naive at best to think that the public release will cause fewer problems.
However; it would be better even in such a loaded example. If my security method was to post based on a cypher of the current stock market movements then although all the information is public the fact that no one else knew that is what I am doing would make it an extremely effective encryption method. I would never suggest using security by obscurity but that doesn't mean it is entirely ineffective. Beyond which it was a poster suggesting that not releasing the exploit publicly was 'security by obscurity' so it is pretty obvious we're not talking about it in that strict sense.
Can we stop with retarded analogies already? There is a difference between asking people not to use a changing room and telling people not to use their operating system because of theoretical risk. Not only is the situation entirely different to your analogy but it doesn't even address the core points; in your analogy there is nothing related to the increased risk of people exploiting the issue once it is publicly announced; ironically because you suggested that it is the vendor that knows of the issue (which is the whole fucking point about disclosing privately first!).
Please someone, mod this fucker up! He just made an anti-MS remark, come on. Jackass.
> You can't prove that anyone else *did* know about it.
Yep, you were the one hanging your hat on a unsupportable assertion - I didn't say anything beyond that. If your arguments start with unsupportable hyperbole, don't expect anyone to take you seriously.
> But if a spear-phishing attack occurs, we will know immediately that this is now in the wild.
It doesn't sound like you understand how spear-phishing works.
When information is power, privacy is freedom.
ALL security is through obscurity!
I'm not sure about this specific exploit - didn't read TFA, but Windows has several known exploits that allow arbitrary code injection into system DLLs, and one of those was even a suggested solution on Stack Overflow for getting around the deprecation of the security token manipulation APIs, forcing a process to run at high level if you needed to do anything interesting. So with that ability firmly in place for at least 20 years, I'd say any other kernel level exploit is almost irrelevant. Also, disclosing the problem is not the same as providing an exploit kit. To follow your analogy, you could state at the bar that open windows are a security hazard; you don't need to mention anything else. (I do like the metaphor in that statement though - well done.)
The cesspool just got a check and balance.
Read his response again:
News to me, since I personally have seen them fix things disclosed only to them.
That line explicitly means he works for Microsoft.
I'd be angry, too, if I'd fucked up and everybody was shouting it around.
In the corrupt thinking of corporate America and the American government, the messenger IS indeed the miscreant. YOU are supposed to be an obedient little creature and politely report to your owners and masters every day. You are not supposed to communicate anything of relevance to the other slaves.
Welcome to the degenerated world of capitalism ca 2013.
Here is my opinion about why the guy does not let MS know about the bug but rather posts on a mailing list. He mentioned "As vuln-dev is dead, I thought I'd post here, I don't have much free time to work on silly Microsoft code ..." at the time. What is the purpose of the "Vuln Dev" site? The purpose of the site is quoted below (taken from http://www.securityfocus.com/archive/82/description ).
The VULN-DEV list is dedicated to the concept of full disclosure. We believe that release of exploit code serves the security community overall. Since the list is dedicated to interactively researching vulnerabilities, there will generally NOT be an opportunity to warn software vendors or authors. In many cases it will not be clear that there is a problem until the exploit or description is finalized, at which point all list subscribers will know. It is very appropriate to notify vendors or authors as soon as it is clear there is a problem.
My take on this is that he is not completely clear about the bug and needs clarification from the security community. He was hoping to get clarification on Vuln-dev but he could not at the time (from the part "I don't have much free time ..."). As a result, he posted on seclists instead. That was on May 17, 2013. Therefore, I am not sure that your analogy is suitable to the situation at all because the meaning of "seeing something and letting others know" is not the same as in computer security. The only thing I may agree with is that once he completely understands the bug (as in his second post on June 2), he should let MS know before he posts it.
I am not being a dick.
I believe that in most cases you should give the company a few months to put out a patch.
Microsoft has shown many times that they will wait a year or more to patch stuff that people find for them.
This is dangerous. If one person can find it and give it to you to fix another can find it and exploit it.
The only way to make Microsoft patch things with importance is to disclose. Same with Oracle.
Why is it so hard to only have politicians for a few years, then have them go away?
Old Ubuntu I like. The last few have moved too far from what I want in a desktop OS.
The truly wonderful thing about Linux though is that you can like yours and I can like mine and for the most part we can still work together.
Why is it so hard to only have politicians for a few years, then have them go away?
Sure - but MS isn't doing that.
Microsoft has a very long history of doing exactly that, when given the chance. Why do you think this time it'd be different? Be specific.
They're not even remotely alone in this. How best (most ethically, least damaging pick any reasonable metric) to proceed in the face of wagon-circling, timewasting defensiveness has been hotly debated in whitehat circles for many years now. Ormandy's behaving as if his considered conclusion is that they will stall and deny and ignore again, leaving this vulnerability unpatched for the entire duration.
As always, all IMO. Insert "I think" everywhere grammatically possible.
It is grossly irresponsible to release a vulnerability into the public domain before first alerting the software maker. This just shows how shitty Google is.
The crucial difference is that a cipher key is a known thing that needs to be obscure, is small, needn't be widely distributed, and can be specifically protected. The cipher system itself needn't be obscure. The idea that the key is the only unknown part of a cipher predates computers, and it's a well-tested maxim. Note that you aren't going to brute-force a 128-bit symmetric key with any compute cluster limited to the Solar System, and nobody knows if quantum computers with that many qubits are ever going to work. (If they will, go to a 256-bit symmetric key, like AES-256, since a quantum computer can break it down no further than into a couple of 128-bit problems.) It may be possible to break into the source or destination computer and extract the key, but that requires special access.
A security hole in an OS is not a known thing, can be fairly large, and has to be distributed to everybody as part of the OS. It's not possible to specifically protect it except by fixing the exploit. Anybody can find it at any time, whether they know whether you exist or not. The simple fact that a white hat found it indicates that one or more black hats may well have found it, and are exploiting it now. They may be using it on your computer right now, regardless of whether the publisher knows of it, or considers it obscure.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Full disclosure might be a wise choice if it is a vulnerable service on whatever Win platform, as a fix/countermeasure users can then themselves disable the affected service. Since I've not looked into this exploit code, I can only presume. So what choice does every user have when it comes to dealing with this kind of exploit? What do you suggest? That every user/company/etc. writes a patch? Responsible disclosure always depends on the kind of exploit. And there is no generalisation in disclosure policy. It must be decided individually from vulnerability to vulnerability. Oh well...
Is he on Microsoft's payroll? If not, why should he inform them? Because they screwed up and didn't find their own bug? He can do whatever he wants to do with his research. He can tell Microsoft. He can post the info. He can sell it to the highest bidder. It is his work. If Microsoft really cared, at least they could offer a bug bounty. That would show they are serious about getting bugs out of their software.
I think I should start a website where I publish Windows exploits along with thorough step by step details on how they can be used to compromise a system.
I won't sell exploits, or kits, or use the word "tutorial," but I will collect ad revenue and giddy little chuckles in my Linux loving soul ;-)
Now to find a domain name for this 8-D
So how was it wrong?
He did some research.
He published it.
Was he under any obligation to show it to Google? To Microsoft?
I don't think so.
This 'protocol' you speak of is just what some people want. That doesn't make it correct, common, or required.
He has done nothing that should get him fired. If he were, he could sue someone's a$$.
Get a clue.
You can't prove that anyone else *did* know about it.
Yep, you were the one hanging your hat on a unsupportable assertion - I didn't say anything beyond that. If your arguments start with unsupportable hyperbole, don't expect anyone to take you seriously.
Unsupportable assertion?? You're being overly pedantic. Before he went public, Ormandy's knowledge was either exclusive to him, or exclusive to an incredibly small number of people -- as opposed to common knowledge to all -- it's a simple point really.
But if a spear-phishing attack occurs, we will know immediately that this is now in the wild.
It doesn't sound like you understand how spear-phishing works.
Really now? Care to explain?
It's a privilege escalation vulnerability... your machine has to already be compromised for this to be abused in the wild.
Unless your machine is used by multiple users, most of whom do not have admin rights. Think Windows Server, or a laptop that has been locked down for guests or kids to use. Or if you're one of those smart/paranoid people who doesn't give their day-to-day user account admin rights, in order to protect themselves.
Many of us assume that our machines are already compromised out of the box. The compromises just haven't been found or disclosed, yet.
This is personal.
It's plain and simple.
Antisocial behavior is antisocial behavior... even if he's challenged, special, autistic or whatever the latest term for it is.
He's a spoiled brat with no principles out to hurt people. It's blatantly simple.
That his employer hasn't sat him in a corner and given him a timeout is irresponsible.
Only if Microsoft can be prosecuted for this, for the negligence and conspiracy to harm their millions upon millions of users through ignorance.
That the exploit could be used by blackhats. Now, blackhats are technical boys who read tech forums and stuff, but the average joe is not, and would not know that his system has a vulnerability. So by public disclosure, you are disclosing it to more to enable the perpetrators than to disable them.
I have an idea! Roughly 1/3-1/4 of all devices and backend systems run Windows, while the rest run a Unix variant. This of course does not include grandma's PC.
I particularly enjoy how you refuted each of his "strawmen" with an even flimsier one yourself. It should come as no surprise that this exploit WAS disclosed, and there was nothing done about it. Your childlike naivete about the exploit not being in use is charming though :) The proper rule of thumb is that if one person has found the exploit and disclosed it to the vendor, it is 100% GUARANTEED that there are live, active exploits on the internet owning Windows boxes all over. If you aren't aware of this, I have TONS of bridges to sell you!!!
Considering that most Windows machines ARE already compromised unbeknownst to the owner, that obstacle has been cleared for decades.
Asymmetric keys are not "better" obscurity. You can't break a good encryption algorithm with even a huge cluster. That's the whole point - that I don't need obscurity. I can tell you what algorithm I used, what size my key is, absolutely everything except the key itself - and it'd still take you a century with all the current computing power on the planet to break it.
Completely dead wrong! First, let's look at some expensive methods:
http://www.h-online.com/security/news/item/Cracking-WPA-keys-in-the-cloud-1168636.html (WPA)
http://www.darkreading.com/authentication/cloud-based-crypto-cracking-tool-to-be-u/229000423 (SHA-1)
http://web.archive.org/web/20121115112940/http://people.ccmr.cornell.edu/~mermin/qcomp/chap3.pdf (RSA)
Next: less expensive is to circumvent that altogether and look for other weaknesses (less expensive, and much more common -- and Ormandy's exploit is an example of that -- he gains root by some other weakness rather than cracking crypto to get passwords and then authenticate as root -- get it?). And lastly, depending on the value of the protected data (or the desperation of the attacker) a gun can be held to your head, or other such extreme measures can be taken. The point is not what you stated. The point is that everything can be broken by some means! Make sure the cost of breaking is greater than the value of the thing being protected. If you disagree with that line, re-read Applied Cryptography -- you'll see it mentioned in that book. And in any case, my larger point to GP was to discard this idiotic one-liner that hinders meaningful discussion of security issues.
Can someone supply a link on Microsoft's website to submit a bug report form? Would this link be easily found?
Security through obscurity is no security at all.
ALL security is accomplished through obscurity. The difference is in the degree of obscurity used, which usually correlates to the desired level of security.
More than Unix? You joke.
Agreed.
I personally think that things have shifted too much towards "responsible disclosure" (which, at least in its originally proposed form, is just a euphemism for "help us cover everything up"). I'm all for telling the vendor first. I don't think holding the rest back for more than a few days gives anyone any advantage at all.
Because, frankly, most exploits these days are discovered when they're already being used. They are discovered by being used.
No, it wouldn't.
You still assume that it takes a lot of effort to figure out your method. Most likely, you are vastly overestimating this factor. The crypto community is littered with the bodies of those who came before you. Well, the bodies of their "clever" schemes, at least.
Yes, you gain some additional factor. But a) that factor is insignificant compared to the actual workload of decryption, at least if your algorithm is worth anything at all and b) it's a one-time benefit. Basically, you're giving all your machines the same default password. As soon as one person on the planet figures it out and posts it on Usenet, you're fucked.
That is why we dislike security through obscurity - obscurity is easily and terminally defeated. If someone figures out your encryption key, you can re-encrypt all your stuff with a new key (but the same tools) and you're safe again.
First, all your examples are looking at crypto which has long been broken.
Next, of course circumvention is the technique to use. That's the whole point of a good crypto algorithm: Making sure that the actual encryption is too tough to crack.
ob-xkcd: http://xkcd.com/538/
My point still is that asymmetric keys are not some kind of "better obscurity". Obscurity is a non-security theatre crap, encryption keys of some actual encryption algorithm are real security. Won't save you from the xkcd-approach, but other than some obscurity method, it'll force your attackers to actually use a method like that instead of laughing for a minute and then breaking it like a toy because most of the crap out there isn't even as obscure as its victims think.
First, all your examples are looking at crypto which has long been broken.
RSA has long been broken? This is news to me. And the 'fix' for RSA 1024 being 'broken' even by conventional means is what -- a longer key, right? That's a higher level of obscurity, that's all.
Next, of course circumvention is the technique to use. That's the whole point of a good crypto algorithm: Making sure that the actual encryption is too tough to crack.
Not necessarily too tough to crack -- just harder to crack than anything else in your system suffices. I'm *not* advocating the use of weak crypto though -- my point is simple -- there's a ton of other techniques that go into creating a secure system. Once you have a good crypto scheme, you need to concentrate on everything else, and some of those things will fall under what people love to call security through obscurity. Thinking of obscurity as bad is not helpful. Thinking of security in terms of "cost to break things" and "cheapest thing to break" is what's helpful. High cost = high obscurity, if you will. Good crypto just represents the best obscurity there is (and therefore has the highest cost to break). Then you move on to the next cheapest thing and make it more expensive to break, and so on, until all options for breaking your system are more expensive than the value of what your system is protecting. This is a pretty standard rule of evaluating threat models -- I don't know why people are resisting it so much.
My initial point was merely this: When security issues are discussed on Slashdot some idiot (several of them actually) will come along and put in a one-liner about security through obscurity being no good -- and that spells the end of rational discussion on the topic. The fact of the matter is that there has always been a balancing act between obscurity, and transparency, and cost when it comes to security, and that clichéd effing line contributes absolutely nothing of value to the conversation.
"why the guy does not let MS know about the bug" The entire point of all this to me is that MS should know about the bug and all the others. It's their job to know. Who is ultimately responsible at MS for mistakes such as this? No one? How many people must that company have who test their products for security vulnerabilities?
"If MS had published an exploit in the Linux kernel without first submitting a patch and waiting for it to be accepted, I guarantee you your stance would be the exact opposite of what it is now."
Citation required.
The FOSS world is not a world of sleaze-bags who only worship the God Of the Money. There are plenty of people who will openly admit their faults and talk about it. In short, the FOSS world is much more honest than those who primarily want to trick others out of their money.
There are quite a few people here suggesting that publishing exploits is at least morally reprehensible, maybe illegal and might even be construed as treason. ("Lockfart Mortal used Windows to store the president's daily intelligence reports, you posted an exploit, that threatens the president's super-duper-secret intelligence, so you are a traitor and must be court-martialled and git-moed")
This is nothing new... Windows has been exploited for years... people in general are finally learning about computer security and the lack of it is all. If there is a front door to an application, it is hackable...always.
So the old refrain "those who ignore history are bound to repeat it" means nothing to you?
Making decisions based on historical precedent is the only logical course of action.
- Michael T. Babcock (Yes, I blog)
Yawn, I am actually a sysadmin and I'm thrilled that people do what's necessary to make vendors do their jobs. I spent too many years hoping nobody would exploit Windows systems that were vulnerable with no patches available ...
Luckily I now maintain primarily Linux boxes, and much of that is because of my history working with NT 3.51 and 4.x ... thank God for source code.
Yawn ... I do in fact write software, and I know how long it takes to proof-test patches. That doesn't change that Microsoft has historically been incredibly sluggish at acknowledging vulnerabilities in the wild until they go public.
You did live through IE 3 and 4 right?
In the sense that SHA has been broken. To cryptographers, that was old news 10 years ago. "Broken" in cryptography means "there is a way to break it that is considerably easier than brute-force". It could still take 10 billion years.
my point is simple -- there's a ton of other techniques that go into creating a secure system.
I agree with that.
and some of those things will fall under what people love to call security through obscurity.
I disagree with that. Security through obscurity is no security. If your system's security relies on obscurity, then it is broken by design.
Now we do tell our clients to not display the version number of the webserver and stuff, but that's not because it would make it any more secure. It's because a large number of attacks these days are automated, untargeted and to save time and bandwidth they often scan for targets first. It's the old "I don't have to run faster than the bear" approach.
High cost = high obscurity, if you will. Good crypto just represents the best obscurity there is (and therefore has the highest cost to break).
I'm sorry, I won't follow there. You're just playing semantic tricks there and re-defining a word. "Obscurity" is not a synonym for "cost". Never was, never will be. If you want to talk about cost, then talk about cost, and not about obscurity.
This is a pretty standard rule of evaluating threat models -- I don't know why people are resisting it so much.
Because you are using words in meanings that are private to yourself and contrary to established meaning.
My initial point was merely this: When security issues are discussed on Slashdot some idiot (several of them actually) will come along and put in a one-liner about security through obscurity being no good -- and that spells the end of rational discussion on the topic. The fact of the matter is that there has always been a balancing act between obscurity, and transparency, and cost when it comes to security, and that clichéd effing line contributes absolutely nothing of value to the conversation.
Maybe you need to step back and ask yourself why we security professionals - otherwise not exactly known for making anything simple and straightforward - apply such a strict one-liner? It's because too many scammers and idiots have done so much damage to IT security by labelling something as "security" that really was just obscurity.
And obscurity is not security. Anyone claiming otherwise is trying to sell you snake-oil.
In the sense that SHA has been broken. To cryptographers, that was old news 10 years ago. "Broken" in cryptography means "there is a way to break it that is considerably easier than brute-force". It could still take 10 billion years.
That is constricted thinking. If brute-force becomes cheap your scheme is broken. Citing a real-world example, what is the difference between RSA-512 vs. RSA-2048 that you would consider one secure and the other insecure? That alone should illustrate to you that your above definition of "broken" in cryptography is incorrect. The longer (more obscure) key increases the cost of the attack.
I disagree with that. Security through obscurity is no security. If your system's security relies on obscurity, then it is broken by design.
In ASLR you *obscure* addresses from an attacker. It's an important security mechanism, any modern OS is incomplete without it, and there's just no escaping the fact that it is nothing but a form of obscurity.
Now we do tell our clients to not display the version number of the webserver and stuff, but that's not because it would make it any more secure. It's because a large number of attacks these days are automated, untargeted and to save time and bandwidth they often scan for targets first. It's the old "I don't have to run faster than the bear" approach.
You actually supported my point there. Obscuring the version info increases the cost (time, bandwidth) of the attack. Also remember -- a slightly more resourceful attacker could even catalog this info and save it for a day when an attack against this version falls into their lap. However intangible the difference, you did recommend obscurity to your client (rightly so) and you did make them ever so slightly more secure by doing so.
I'm sorry, I won't follow there. You're just playing semantic tricks there and re-defining a word. "Obscurity" is not a synonym for "cost". Never was, never will be. If you want to talk about cost, then talk about cost, and not about obscurity.
You're missing my point again, which is that you *should* really be talking about *cost*. By any means necessary (obscurity, dancing naked, whatever helps), increasing the *cost* of a successful attack is what's important. Writing malware is a for-profit business. As a security professional your job is to make their cost of doing business in your neighborhood prohibitively high.
Because you are using words in meanings that are private to yourself and contrary to established meaning.
Established on slashdot, and in journalism circles perhaps.
Maybe you need to step back and ask yourself why we security professionals - otherwise not exactly known for making anything simple and straightforward - apply such a strict one-liner? It's because too many scammers and idiots have done so much damage to IT security by labelling something as "security" that really was just obscurity.
I don't know what to tell you at this point. You yourself recommend obscuring version info to your customers. If you're truly a security professional, then you know very well that absolutely any unnecessary piece of information you give an attacker about your system is one piece too many. Real world example: would you ever let your clients share even the slightest information about a DB schema publicly? Even if you authenticate all entry points? C'mon man!
And obscurity is not security. Anyone claiming otherwise is trying to sell you snake-oil.
Obscurity is an inextricable part of security. Anyone claiming otherwise has never worked in the profession.
Nope, just making exploits public without even trying to tell the vendor about them first is just a dickhead move, esp. on the users.
===
I would fire the guy. Yes, there was a bug, and Microsoft is a competitor, but if it were not for Microsoft, Google would not exist. I thought that Google's motto was "Do no harm".
Well, here is a guy that did the most harm possible for his ego trip.
Google, remember this: what goes around comes around. Your employee did harm, and revenge will be sought. Your critical applications will be analyzed six ways to Sunday, and the exploits will be pushed to the hackers around the world. Chromium and other software are not safe.
Leslie Satenstein Montreal Quebec Canada
That is constricted thinking. If brute-force becomes cheap your scheme is broken
Errr... you need to upgrade your crypto knowledge. If brute-force means 1 million times the lifetime of the universe, and it becomes a million times cheaper, it is still a tiny bit impractical.
Citing a real-world example, what is the difference between RSA-512 vs. RSA-2048 that you would consider one secure and the other insecure?
Well, using a real-world metaphor, if RSA-512 is a grain of sand (let's say 10 micrograms) then RSA-2048 is the entire mass of the entire universe. Put into a grain of sand in yet another entire universe, where every grain of sand represents an entire universe and then taking that entire universe and multiplying it by a couple trillion.
That's not a matter of "brute-force becoming cheap". If every grain of sand in the entire universe were a supercomputer that could break one RSA-512 per second, RSA-2048 would still be secure against brute-force attacks.
Obscuring the version info increases the cost (time, bandwidth) of the attack.
Yes, but it is not a security measure. It's a one-time tiny benefit. We recommend it because it doesn't really cost you much and thus it's a net-gain. Real-world example: If you have a server running at a version that has a known exploit in the wild, then you wouldn't consider obscuring the version number as a mitigating action, would you?
It does not provide security.
In ASLR you *obscure* addresses from an attacker. It's an important security mechanism, any modern OS is incomplete without it, and there's just no escaping the fact that it is nothing but a form of obscurity.
No, you don't.
ASLR has nothing to do with "security through obscurity". Please stop playing tricks with semantics. You won't be able to quote even a single serious source that puts ASLR even in the vicinity of "security through obscurity".
You're missing my point again, which is that you *should* really be talking about *cost*.
Negative. Cost is one factor, but not the only one. Plus you don't generally know the cost equations of your attacker. Sometimes work time is expensive, sometimes it is cheap. Sometimes acquiring an exploit is expensive, sometimes it is cheap. Sometimes all you need is to be a less easy target than the guy next door, and sometimes costs don't even matter to your attacker as long as they can afford it at all.
You should be talking about security. Cost is one factor, since most security measures are imperfect. But sometimes you have one that isn't. One-time pads cannot be cryptographically cracked, for example. Cost of cryptanalysis stops being a factor if you use one-time pads, and the efforts shift to stuff like key distribution.
Established on slashdot, and in journalism circles perhaps.
Nice strawman, I'm not biting. You are trying to re-define the meaning of the term in order to win an argument.
Real world example: would you ever let your clients share even the slightest information about a DB schema publicly? Even if you authenticate all entry points? C'mon man!
There's a difference between "don't tell them if it doesn't serve a purpose" and "the security of this system lies with this being kept a secret".
If a client would ask me if they should publish their DB schema on their website, I'd not tell them the sky is falling, I'd ask them why. Because the security of their DB should not rest with the schema being a secret.
I used to work with the SELinux crowd, contributed a couple patches, held a couple talks. For demo purposes, I once put the IP address and root password of my notebook on a piece of paper. With a proper policy, you can do that on an SELinux system. I wouldn't recommend it, but once again, the security of the system rests with the policy and
Assorted stuff I do sometimes: Lemuria.org
Your logic is flawed. You're bashing someone because they found a sec flaw and reported it to the sec community for more info. If M$ read the sec blogs and full disclosure blogs they would then know about the exploit. Research much?
Give them two weeks to patch? Are you kidding me? If that's the case then M$ should have a team to find its own sec holes if people like you get so butt hurt over it. Oh wait? They do, and they keep the vulnerabilities in house and don't tell consumers, but I guarantee you hackers know about those vulnerabilities. Which leaves consumers sitting around with systems they think are secure while hackers are rubbing their hands back and forth in giddiness.
At least with someone releasing the exploit it gives proper sys admins time to find a temporary fix while M$ takes their time and laughs at how you need to keep sucking on their nipples for more milk. The 99% you talk about not reading Slashdot and having proper knowledge don't matter in this case anyway, because they don't patch their systems most of the time and those "99%" end up as spam or DDoS bots. By the way, nice way to pull that number out of your ass.
Seems to me that you want other people to do Microsoft's job for them but still want Microsoft to get all the credit. Why should we have to wait on them? Just because they are closed source? Bullshit, let's keep it a secret because it's M$ and give them time to fix it. While we are waiting for them to fix it, hackers are pwning machines and sys admins have no clue why.
Whoaaaa cowboy, tough words there.
Here's why I think the community should know first before Microsoft...
Let's say it takes 3 weeks for M$ to release a patch to fix a sec hole or vulnerability that wasn't posted to the public. That's 3 weeks of not knowing you had an exploitable machine. That gives hackers 3 weeks to exploit their way in.
At least if it's public knowledge, sys admins have the time to take the proper steps necessary to mitigate a break-in. Because even after the patch is released there's another 2 week period of testing before the patch goes live in a production environment.
That is constricted thinking. If brute-force becomes cheap your scheme is broken
Errr... you need to upgrade your crypto knowledge. If brute-force means 1 million times the lifetime of the universe, and it becomes a million times cheaper, it is still a tiny bit impractical.
My crypto knowledge is fine. What do you think I meant by "cheap" above? And you're accusing me of arguing semantics. Do you measure the cost of brute-forcing RSA-512 in terms of the lifetime of the universe? Please upgrade your crypto knowledge if that's the case.
Citing a real-world example, what is the difference between RSA-512 vs. RSA-2048 that you would consider one secure and the other insecure?
Well, using a real-world metaphor, if RSA-512 is a grain of sand (let's say 10 micrograms) then RSA-2048 is the entire mass of the entire universe. Put into a grain of sand in yet another entire universe, where every grain of sand represents an entire universe and then taking that entire universe and multiplying it by a couple trillion. That's not a matter of "brute-force becoming cheap". If every grain of sand in the entire universe were a supercomputer that could break one RSA-512 per second, RSA-2048 would still be secure against brute-force attacks.
This is just dissembling now. So many words, because you refuse to acknowledge a simple point: algorithmically there is no difference between the two.
Obscuring the version info increases the cost (time, bandwidth) of the attack.
Yes, but it is not a security measure. It's a one-time tiny benefit. We recommend it because it doesn't really cost you much and thus it's a net-gain. Real-world example: If you have a server running at a version that has a known exploit in the wild, then you wouldn't consider obscuring the version number as a mitigating action, would you? It does not provide security.
Same issue again. So many words to explain why you prescribe it, and so many words to then disown it as a security measure. The point is simple and clear. Obscuring that version info is a tiny little security measure. No individual thing provides security -- so your line at the end does not apply.
In ASLR you *obscure* addresses from an attacker. It's an important security mechanism, any modern OS is incomplete without it, and there's just no escaping the fact that it is nothing but a form of obscurity.
No, you don't. ASLR has nothing to do with "security through obscurity". Please stop playing tricks with semantics. You won't be able to quote even a single serious source that puts ASLR even in the vicinity of "security through obscurity".
Playing tricks with semantics? After you ramble on with some nonsense about grains of sand instead of just discussing the core of the issue? As an attacker, you know there's a freaking stack (for example), don't you? With ASLR the only difference is that you don't know where it is anymore -- because it has been *obscured* from you. That's not a semantic trick -- you are the one dancing around with endless verbiage to defend a stupid and pointless stigma over the word 'obscurity'.
You're missing my point again, which is that you *should* really be talking about *cost*.
Negative. Cost is one factor, but not the only one.
What are the other factors? Everything translates into cost eventually.
Plus you don't generally know the cost equations of your attacker.
You know the relatives costs inside your system. What is the cheapest point of attack in your system currently? That is your first priority. Once that's dealt with, ask and answer that question again and again. You will *raise* the *cost* of breaking your system by doing so. You don't need to project the attackers c
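As an added illustration of the RSA-512 versus RSA-2048 exchange above (example code added to this page, not written by any of the commenters): how big the cost gap is depends entirely on which algorithm you assume the attacker runs. Under naive brute force (trying every candidate divisor up to the square root of the modulus) the work grows as roughly 2^(bits/2). Under the general number field sieve, the algorithm actually used to factor a 512-bit RSA modulus in 1999, the heuristic running time is L_n[1/3, (64/9)^(1/3)] = exp((c + o(1)) (ln n)^(1/3) (ln ln n)^(2/3)). The script below computes log2 of both estimates for several key sizes; the o(1) term in the GNFS exponent is dropped, so these are asymptotic order-of-magnitude figures, not benchmark numbers.

```python
import math

# Coefficient c = (64/9)^(1/3) in the GNFS heuristic complexity
# L_n[1/3, c] = exp((c + o(1)) * (ln n)^(1/3) * (ln ln n)^(2/3)).
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)


def gnfs_work_bits(modulus_bits: int) -> float:
    """Return log2 of the GNFS heuristic work factor for a modulus of the given bit length.

    The o(1) term is dropped, so this is an asymptotic estimate only.
    """
    ln_n = modulus_bits * math.log(2)          # ln(2^bits)
    ln_ln_n = math.log(ln_n)
    ln_work = GNFS_C * ln_n ** (1.0 / 3.0) * ln_ln_n ** (2.0 / 3.0)
    return ln_work / math.log(2)               # convert natural log to log2


def trial_division_work_bits(modulus_bits: int) -> float:
    """Return log2 of the candidate divisors a naive brute-force search must try.

    For n = p*q with balanced primes the smaller factor is about sqrt(n) ~ 2^(bits/2),
    so the candidate count is about 2^(bits/2). Skipping even numbers or non-primes
    only removes a constant or logarithmic factor, which is negligible here.
    """
    return modulus_bits / 2.0


def effort_gap_bits(small_bits: int, large_bits: int, work_fn) -> float:
    """log2 of how many times more work the larger modulus costs under work_fn."""
    return work_fn(large_bits) - work_fn(small_bits)


def compare(sizes=(512, 1024, 2048, 3072)) -> dict:
    """Tabulate both estimates (as log2 work) for each key size in `sizes`."""
    return {
        bits: {
            "trial_division": trial_division_work_bits(bits),
            "gnfs": gnfs_work_bits(bits),
        }
        for bits in sizes
    }


if __name__ == "__main__":
    table = compare()
    print(f"{'bits':>5} {'brute force (log2)':>20} {'GNFS (log2)':>14}")
    for bits, est in table.items():
        print(f"{bits:>5} {est['trial_division']:>20.1f} {est['gnfs']:>14.1f}")
    gap = effort_gap_bits(512, 2048, gnfs_work_bits)
    print(f"\nRSA-2048 vs RSA-512 under GNFS: about 2^{gap:.0f} times the work")
```

Run as a script, it prints roughly 2^64 for a 512-bit modulus and 2^117 for a 2048-bit one under GNFS, a gap of about 2^53, whereas the naive brute-force model puts the gap at 2^768. The same two inputs therefore support both "the algorithm is the same" and "the cost is astronomically different": the interesting number is the attacker's best known algorithm, not the key size in isolation.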
Yawn ... I do in fact write software, and I know how long it takes to proof-test patches. That doesn't change that Microsoft has historically been incredibly sluggish at acknowledging vulnerabilities in the wild until they go public.
You did live through IE 3 and 4 right?
I did, and they knocked Netscape off the throne in all respects (seriously, IE4 was *the* best browser at the time). I don't dispute they have been sluggish. But if you know anything about large scale software QA, 3-4 weeks are nothing. That is why we used to have sensible disclosure guidelines, which this Google guy completely ignores.
The point is simple and clear. Obscuring that version info is a tiny little security measure.
No it is not. I'm using "so many words" because you refuse to acknowledge a simple point:
"Security" is something that still provides security if your attacker knows about it. Example: The fact that you now know that my front door has 2 locks does not make breaking and entering any easier for you.
"Obscurity" is something that provides "security" only as long as it is unknown. Example: If I were to tell you that I keep a spare key under the door mat, my entire entry-system security would be instantly compromised.
If you really, really can't see the fundamental difference between these two concepts, I'm now out of ideas how to explain it.
With ASLR the only difference is that you don't know where it is anymore -- because it has been *obscured* from you.
I'm not discussing semantics with someone who insists on having his own meaning for words. Quote one expert on the topic who uses the word "obscurity" to describe ASLR. "Security through obscurity" does not refer to a specific number being unknown - otherwise every password or crypto key system ever would be "security through obscurity". STO (I need to abbreviate it) refers to a system design or specification being unknown.
What are the other factors? Everything translates into cost eventually.
In a capitalistic world or for a sufficiently meaningless definition of the word, yes. If your attacker is, say, religiously motivated (and it happens, there are Islamic hacking groups), cost doesn't matter. Their limits are the limits of their available time, computing power and expert knowledge.
Yes, you will argue, all of those can be expressed as "costs". So if you want to insist on that POV, be my guest. I'm simply saying that some attackers don't go about calculating a $ value of the attack and then running a ROI estimate.
What is the cheapest point of attack in your system currently? [...] You don't need to project the attackers cost to do that.
Pray tell, how do you calculate the cheapest point of attack without projecting the attack cost?
Stop doing this! See your above strawman -- did I suggest that hiding your IP address is a single point of defense you should rely on? WTF is this logic?
Yes, effectively you are arguing that. Or rather: You are arguing that hiding my IP address is a security measure because it - however slightly - raises the cost to the attacker.
I'm arguing that if factors like this even make a difference, your security is seriously broken. It should be just as secure with or without your IP address being known, because it really isn't as hard to figure it out as you think.
Same thing with all your examples. If you think that the fact that your system uses ASLR is worth keeping a secret, because it'll confuse attackers, you are doing STO. But ASLR itself is real security, because it adds actual difficulty.
Low cost measure of what? Low cost measure of what? Ans: security.
So you think anything that adds even one cent to the cost of breaking into a system is a security measure, yes? Well, as I said above, for a sufficiently meaningless definition of "cost", you can claim to be right. In the real world, such bullshit is meaningless.
But you do obscure something -- the key
omg
You are using words and have no idea what they mean.
A cryptographic secret is not an obscurity measure. This is just ridiculous.
If you use words within a context, you need to use them in the meaning they have within that context. You can't talk about, say, "intent" in a court and use the philosophical definition, you'll have to use the legal definition.
oh look, it even has a fucking Wikipedia entry:
Assorted stuff I do sometimes: Lemuria.org
Some burglars specifically target homes with firearms. I once met a man who did this professionally before being reformed in prison by Islam.
http://www.sfgate.com/crime/article/Cops-fear-they-re-targets-of-gun-thieves-4356659.php
Gun-rights advocates argue that burglars may steer clear of homes where they know residents have firearms, to avoid being shot or captured. But some researchers who have studied gun theft say the opposite may be true - that burglars may be drawn to firearms. They say officers and other gun owners shouldn't advertise where they live.
"Anyone that has a sign saying, 'This house is protected by Smith and Wesson,' is gambling," said Philip Cook, a public policy professor at Duke University who found higher burglary rates in communities where many people own guns. "They're saying that this house has some loot available."
"Guns are one of the items that are prized by burglars when they break into houses," said Graham Barlowe, the head of the federal Bureau of Alcohol, Tobacco, Firearms and Explosives' office in Sacramento. "Firearms are portable. They're concealable. They're high value. As other things sort of come in and out of favor, guns are a constant."
7 days to fix vulnerabilities, not 2 years, like Microsoft did with the fake certificates and mirrored servers for MS updates, first reported internally to MS in 2009! For over one year, MS Windows 7 users were pwned and getting their updates from fake cert fake servers. Hoorah for Google improving the security landscape by forcing MS to fix IE (and Office (KB1033)) issues now! (Just try deleting your hidden administrator account and see what happens.)
I'm sure he could have given the vendor (Microsoft) 5 or 10 days to work on a fix and devise a rollout before disclosing it. The only reason not to do this is if the exploit were being actively used in the wild, where the damage was already being done so there was nothing to gain from giving them more time.
===
If the exploit was actively used, I have two responses. a) Microsoft would have known about it, and b) instead of posting the bug, the author should have posted a fix
Leslie Satenstein Montreal Quebec Canada