You are correct, the definition of an exploit is a little bit complicated.
A DoS would not even factor in as an exploit in this system. The only exploits that count in this system are ones that either allow illegal read access or destroy data.
The real tricky issue is that companies are not going to count bugs that they discover themselves. We can only make them tell about vulnerabilities that were already known to people in the outside world. On the other hand, we want people who find bugs to report it privately to the software vendors so a fix can be made.
My first draft idea is to define an exploit as a bug that meets the following criteria.
1) In the default settings.
2) Allows illegal read access or destroys data.
3) Has been reported to the vendor 2 or more months previously.
I think 2 months is a reasonable time to create a fix. Also the rating doesn't require companies to explain how they acquired a poor rating, only to make the rating available.
For example, there was a known problem with Solaris once that went for nearly a full year without being fixed. That was a case where the fix existed but business reasons made them not release it. Under this rating system Sun could decide not to release the fix but just increment their rating and everyone would be happy.
Thanks for taking the time to read my post. Those are good questions.
Would open source software be unrated? Who would bear the cost of rating open source software?
One of the good things about this system is how easy and cheap it is. Software organisations already keep track of vulnerabilities, so now they just need to add them up and apply a rating accordingly.
Would the distributor of an open source application be the responsible party? Define distributor while we are at it -- Red Hat? SourceForge? Download.com? The implications are potentially enormous.
Anyone who charged money for software would be responsible to rate their software.
Red Hat would be responsible because they have CDs that you may buy from them. CheapBytes.com would be responsible to provide ratings too. (Obviously CheapBytes has an easier job because their rating is the same as the original Red Hat rating).
Sourceforge would not be responsible for rating the software on their website because they do not charge for it.
Microsoft would have to rate IE even though they do not charge for it because it comes on a CD which they do charge for.
It would be a difficult situation if SourceForge charged people for downloads. It is not feasible for them to keep track of vulnerabilities in the software on their site. One solution is to give unrated software a default rating of "F."
I like the letter "F" because it forces people to wonder whether the software is unrated or else just really bad. This would make people more cautious about downloading random files from off the net.
If you raise the cost of entry to a market you are protecting the current players -- i.e.: invoking a rating system, passing a liability law, etc. will help to make sure that the same players are in power for years to come.
If anything the exact opposite is true. New players start out with a perfect score and lower their score as vulnerabilities in their software are found.
Thank you for your reply. You raise a number of important questions and issues.
For instance, clients are not necessarily more secure than servers,
This is absolutely true. However, servers are rated lower than clients for two reasons. First, servers are connected to the internet for longer. Second, servers accept connections from unknown hosts.
In practical terms, this means that if hax0rs want to take advantage of my browser bugs, they first have to send me an ICQ message claiming that there are pictures of Anna Kournikova on their website. I would immediately visit the site and become infected with a virus that makes phone calls to Mongolia from 2 am to 4 am every day. However, with a webserver they can own my box without tantalizing me with images of tennis players. (Clearly the first scenario is preferable.)
Also, most Linux distributions would minimally start at a "C" rating under this scheme, while Windows 98 would begin at "B" (without enabling "file/printer sharing").
That's not a flaw. A "C" rating is not a bad rating; it just means that there is an open port that users should be careful about.
These problems are indicative of a greater flaw in this scheme, software doesn't have to rigidly conform to _any_ model, be it client/server, P2P, etc.
P2P nodes would be considered servers.
You bring up a good point by using Windows and Linux distributions as examples. Most software comes as collections of programs. In this case take the program with the worst rating and apply it to the whole distribution. If fingerd has 9 exploits in the last year and it is turned on by default then the distro would get an "F" rating.
One of the great things about this system is that it is extremely easy to rate software. Just count the exploits that are possible in the default settings and assign a letter. A college graduate could do it on his fingers. :)
This was one of the complaints that people had about UCITA. It made software distributed over the net more liable, while traditional software companies were not held liable because the shrink wrap license nullified all responsibility.
I think any liability laws would unfairly punish smaller companies.
Some people are in favour of Lemon Laws specifically because they dislike Microsoft and think that Microsoft software is insecure. This is stupid and shortsighted.
Deal with Microsoft's monopoly abuses separately. Monopolies come and go but bad legislation is forever.
Create laws that arm consumers with security information. Perhaps a grading scheme where software that doesn't connect to the internet is given an A rating. If it is a client then it gets a B rating. If it is a server it starts at C, then for every three exploits within the last year the rating increments by one.
After you have informed the consumer you can let the market decide. If they still use software with a G rating then that's their own problem.
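The grading scheme described in this post, together with the three draft exploit criteria and the worst-program rule for distributions given in the replies earlier on the page, worked through as an added Python example (not code from any of the original posts). The Bug records, the dates, the 61-day grace period, the rule that a fix shipped inside the grace period keeps a bug from ever counting, and the choice to skip programs shipped disabled by default are all constructed assumptions, not something the thread specifies.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Letter scale used in the thread: "A" best, "G" worst.  "F" doubles as the
# default for unrated software.
GRADES = "ABCDEFG"

# Starting grade by exposure, as proposed: no network use "A", client "B",
# server "C".  Treating P2P nodes as servers follows one of the replies.
BASE_GRADE = {"offline": "A", "client": "B", "server": "C", "p2p": "C"}

GRACE = timedelta(days=61)      # assumption: "2 or more months" for the vendor to fix
WINDOW = timedelta(days=365)    # "within the last year"
EXPLOITS_PER_STEP = 3           # every three exploits drop the grade one letter


@dataclass
class Bug:
    """A vulnerability report as a vendor's tracker might record it (constructed)."""
    name: str
    in_default_settings: bool
    impact: str                      # "read", "destroy", "dos", ...
    reported: date
    fixed: Optional[date] = None     # None means no fix has shipped yet


def counts_as_exploit(bug: Bug, today: date) -> bool:
    """Apply the three draft criteria from the thread to one bug.

    Assumption not stated in the thread: a fix shipped inside the grace
    period means the bug never becomes a countable exploit.
    """
    if not bug.in_default_settings:
        return False
    if bug.impact not in ("read", "destroy"):      # DoS is explicitly excluded
        return False
    if today - bug.reported < GRACE:                # vendor still has time to fix it
        return False
    if today - bug.reported > WINDOW:               # older than a year, no longer counted
        return False
    if bug.fixed is not None and bug.fixed - bug.reported < GRACE:
        return False
    return True


def grade_program(exposure: str, bugs: list, today: date) -> str:
    """Start at the exposure's base letter, drop one letter per three exploits, cap at G."""
    start = GRADES.index(BASE_GRADE[exposure])
    exploits = sum(counts_as_exploit(b, today) for b in bugs)
    return GRADES[min(start + exploits // EXPLOITS_PER_STEP, len(GRADES) - 1)]


def grade_distribution(components: list, today: date) -> str:
    """A collection of programs takes the worst grade among those enabled by default.

    components: list of (exposure, enabled_by_default, bugs).  Programs shipped
    disabled are skipped (assumption drawn from "exploits possible in the default
    settings").  Returns "F", the thread's unrated default, if nothing is enabled.
    """
    grades = [grade_program(e, bugs, today) for e, enabled, bugs in components if enabled]
    return max(grades, key=GRADES.index) if grades else "F"


# Constructed sample: the fingerd scenario from the thread (9 qualifying
# exploits) plus a client with several non-qualifying reports and an offline tool.
TODAY = date(2002, 6, 1)
FINGERD_BUGS = [Bug(f"finger-{i}", True, "read", TODAY - timedelta(days=90 + i)) for i in range(9)]
BROWSER_BUGS = [
    Bug("browser-script", True, "read", TODAY - timedelta(days=100)),
    Bug("browser-crash", True, "dos", TODAY - timedelta(days=100)),        # DoS: not counted
    Bug("browser-opt", False, "destroy", TODAY - timedelta(days=100)),     # not default: not counted
    Bug("browser-fresh", True, "destroy", TODAY - timedelta(days=10)),     # inside grace period
    Bug("browser-quickfix", True, "read", TODAY - timedelta(days=200),
        fixed=TODAY - timedelta(days=190)),                                # fixed within grace period
]
DISTRO = [
    ("server", True, FINGERD_BUGS),
    ("client", True, BROWSER_BUGS),
    ("offline", True, []),
    ("server", False, FINGERD_BUGS),   # same daemon shipped disabled: ignored
]

if __name__ == "__main__":
    print("fingerd:", grade_program("server", FINGERD_BUGS, TODAY))   # F
    print("browser:", grade_program("client", BROWSER_BUGS, TODAY))   # B
    print("distro :", grade_distribution(DISTRO, TODAY))              # F
```

The fingerd case reproduces the thread's own arithmetic: a server starts at C and nine qualifying exploits move it three letters to F, which then becomes the grade of the whole distribution because it is the worst enabled component.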
>>I could have sworn that it [the GNU LGPL] did [prevent proprietary derivatives].
Thanks for the reply.
I don't think you understood my post. I was not talking about "prevent[ing] proprietary derivatives," but specifically about statically linking to LGPL code.
There is a popular meme that says the LGPL allows for dynamic linking but forbids static linking.
This comment is the explanation I was looking for.
The thing that makes Linux attractive is that it runs on existing hardware.
If you think about it, this is the difference between "Linux zealots" and "Mac bigots." Mac bigots think that Macs are the best but they realise that not many people have the requisite $1000 to switch. Linux can run on existing hardware and doesn't cost anything so the zealots are always trying to convert people.
>>True, not ALL software companies are MS, but it is MS that has the flaws, and is on most of the machines. Sadly.
All software has flaws.
Probably you could find at least 10 Linux kernel sleep_on race bugs by looking at the links on this page. These aren't serious bugs for most people but they potentially could be crashing (DoS) bugs for some people.
A study by Stanford showed that OpenBSD was twice as buggy as Linux per ksloc.
People claim that mainframes are less buggy, but that is mostly because no one opens those computers to the internet.
OpenVMS is supposedly secure, but last week one of my friends found a security bug in it.
Think about it... The Linux kernel is 3 million lines of code, hundreds of drivers, developed by hundreds of developers over a period of 10 years. You seriously think it is possible to develop something like that without making a single mistake?
I have to admit that I'm impressed with the little file browser that they wrote for mozilla. It's pretty intuitive, it looks nice and it simply worked.
On the other hand, I have to think the greymagic guys could have found more productive ways to spend their time. For example, it would have taken 5 minutes to email the mozilla secur... well...
Wait, what am I thinking? Writing a file browser is definitely the most productive thing to do...
So basically you fire this guy who was physically forced to arrive 5-10 minutes late every day for 2 weeks because the bus didn't run on time.
Obviously you are telling the story as an example of how cold hearted you have to be in business. Cold hearts are all well and good, but this story makes you sound stupid.
From your story, I have to assume that there were no other problems with his work.
In that case, what an intelligent manager would have done would be to find a solution to this man's problems. Perhaps the man could car pool. Perhaps you could find ways to deal with him being 10 minutes late.
This builds trust. Also now the man owes you a favour. When he comes into work you can say, "Hi. Great that you're finally here. No I don't mind covering for you for these last 10 minutes. But here is something you can do for me."
Of course, if there were other problems with the man's work then you are justified to fire him. Bad employees bring everyone down. It's important to mention the real reason you fired him in your story though, or else it makes you sound like a dimwit.
You are absolutely correct of course, but I say if he spends all his time impersonating CmdrTaco then he's already far too lame to worry about little things like bad prose.
I think that if you take away Microsoft's illegal OEM deals then the problem of file formats would go away on its own.
Currently, as we all know, the only office suite that OEMs are allowed to sell is Microsoft Office. However, I am certain that Corel, Sun, Hancom, VistaSource, or Gobe would be willing to supply all the OEM office suite needs for $5 per computer if they were given the opportunity. (Right now, Microsoft Office sells for $200-$300 so this is a huge savings).
There would be a period where everyone used different file formats for documents but after a couple years that would get worked out. Probably people would convert their files to pdf format before sharing.
We need to give OEMs the power to install any software they wish on top of Windows without fear that Microsoft will double the price. That's all I ask from this trial: fair and standard pricing for Windows and the power for OEMs to install any software they want to.
When I think of an audit, I think that it is someone who comes in and checks your security. However, from your description of the problem it does not sound as if you have any existing security policy to check.
A good security policy would isolate public servers so that if they get hacked it's not a major problem and it's easy to diagnose.
In my opinion you should hire a security consulting firm to come help you design a security policy. It doesn't sound as if you have a DMZ set up and that's a good place to start.
Actually the first place to start is identifying what information needs to be protected. A lot of times companies don't protect everything they need to.
But really you need to look at the whole picture: passwords, email clients, wireless, backups, recovery after attack, etc.
A good security policy will help you understand what things you need to worry about and what things don't matter. This will help you sleep better and benefit your whole company.
I think the point was that Eazel had no hope of making money before their product was completed and they couldn't complete it without money.
It's pretty trivial to spend millions of dollars on a new startup. You need to pay programmers. The programmers need offices. The offices need furniture. The programmers need computers. You need to buy servers. Bandwidth alone likely cost them 70 grand per year. You also need accountants and a secretary or two. And they need offices. etc. and even more etc.
Getting investor funding was pretty hard at the time and the IDC report made it impossible.
America kept Mobutu in power because they wanted the uranium. (The uranium for the bombs used in WWII came from Zaire).
Besides being the third richest person in the world, Mobutu was a dictator. Quite an unpleasant one at that. He destroyed the Zaire economy so badly that some parts of the country reverted to a barter system. I remember people telling me that it cost 3 million in Zaire currency to buy a box of matches.
Take a look at the statistics. At one point over half of IIS based e-commerce websites had a confirmed backdoor. Months after Code Red hit, 10% of the e-commerce sites still had a backdoor.
How can anyone look at numbers like that and say it's not a problem? I find the numbers absolutely shocking...
Basically if I buy something from a website, I want to make sure it does not run on IIS. In that sense Code Red crippled many sites for me because I am not able to use them anymore.
3. Sun's usability team created CDE; have you used CDE? Was it usable to you? Ok.. I won't talk about that anymore and no offense to the usability guys, I'm sure you know more about this than I do, but CDE just was not a usable product.
Heh...
But on the other hand you clearly haven't read the papers that the sun usability guys wrote. They were pretty good.
I sometimes think people imagine if they find the right magic silver bullet of usability everything becomes wonderful and usable. But in real life usability is about a million mundane little things.
One thing that I remember from some of the Sun studies is that people are confused by the login procedure on GNOME. The Sun team proposed several changes that would make the login easier to understand. Stuff like asking for the password on the same window that you ask for the username. I think they also changed some of the phrasing so that it was more clear as well.
The real benefit from Sun's usability work is not the changes they make, but the papers they write. Developers, myself included, need to constantly remind ourselves about how little things like phrasing and placing text boxes make a tangible difference to users.
Also I think the papers really show how un-magical usability testing is. I bet a bunch of people did testing on their own after reading the papers. The Sun papers provide a good place to start talking about usability in real world terms instead of looking for mythical silver bullets.
I don't think he was talking about video acceleration because people are working on that in the kernel. The only thing I can think of is fam and imon. The code for those sucks and they are unmaintained and Linus is right to reject them.
>>But given Linus' focus on 80 character terminals (not a bad thing either, imho) this is unlikely to happen anytime soon.
It's rather unfair to blame Linus for not programming your favourite feature. It's your job to program it, and Linus's job to tell you whether it sucks or not.
>>It doesn't even prevent it from being static-linked!
I could have sworn that it did. Everyone claims that it does... What's the story?
That's what you do sometimes.
But the storage device needs to run on something. It needs to have an IP stack, a network card driver, filesystem support etc. and so it needs an OS.
To which their response is all software has bugs...
Seriously, if you want liability you can have it now if you pay for it.
Do you think that the price of software won't go up if you make liability laws? How high do you want the price to go?
>>Not likely to happen anytime soon, if ever.
if ever?
Everyone has this weirdly distorted time scale where the world seems to end three years from now.
Almost everything that can happen will happen at some point. In this case, my guess is that the point will come within the next couple years.
That's actually a fairly funny story when you think about someone going to all that work to infect themselves with a virus.
There's really no way to protect a determined user from hurting himself.
I misread.
Just order a Russian bride!
There is no problem that technology can't solve, my friend.
You are correct about the spelling. I'm an atrocious speller.
However, you are wrong about the uranium.
http://www.zwnews.com/issuefull.cfm?ArticleID=1
I'm curious what he meant by that footnote.