What part of "Microsoft is not a military organisation; they do not have Faraday cages around their offices," are you unable to read???
I don't think non-trivial means what you think it means.
"When I use a word it means just what I choose it to mean -- neither more nor less."
The Microsoft security process is the key to Windows. Windows is the key to 99% of enterprises worldwide. If I were running government level industrial espionage (as the US accuses China) and did not have significant information about that process I would want a very detailed explanation why from my intelligence group. I think this would be non-easy. I think that probably the core of the process might not be directly penetrated, but I'm sure that at least some of the people who regularly work near the security group (the cleaner???) are in some way acting as agents of "foreign powers". I'm sure that significant information does leak at least occasionally.
He decided 60 days was a reasonable schedule. More, he decided 5 days was too long for a corporate entity to tell him what they were going to do. He set not one but two bars, and decided that if MS wasn't going to meet his second bar, he was going to lower his first bar to the same point. How is this not childish?
I've already addressed this and your later point that 60 days should be 60 days elsewhere. Basic summary; he is weighing the risks for two different groups. One small but more critical and one larger but with less critical needs. Any wait damages the first group. Waiting only helps the second if Microsoft is actually working.
In this particular case, that registry hack remains useless to anyone who's got a box likely to be vulnerable. You and I, and everyone else who ignores the part of every KB article that warns us how dangerous registry editing is, are more likely to follow best practices and have generally secure systems than Joe Wait-For-Patch-Tuesday. Well, it's Joe who just got screwed because Joe won't ever know about any registry edits until his system is screwed over (perhaps tomorrow). Great.
If Joe's system is important then he needs to learn to hire a decent security consultant and redesign it. If it isn't, he needs to learn to do backups and should either shut down or reinstall when compromised.
Wait. There are no smilies or other indications that you're making a big joke. Nothing for his own profit. A Google security engineer opting for early disclosure doesn't profit more than if he'd kept his mouth shut for a reasonable amount of time? Sorry, but if he'd waited... say until a patch was actually released, we'd never have heard of this guy's name. Instead he - and Google - are in the press as white knights protecting Joe from the evil Microsoft. Yeah. No profit at all. Just a pat on the back and a nice write-up in his personnel file in HR.
I have a different interpretation (I believe him that it was a private project; I believe that Google won't be happy with him about this; I believe that he didn't think fully through about this being associated with work) but since this is all speculation about the mind of a third party and either of us could be wrong I'm not going to speculate further.
We who? Joe? Show me where Joe's EULA entitles him to patches within X days of disclosure of an exploit? Your company as perhaps a subscriber to Software Assurance or something similar? Please clarify.
Sorry, I wasn't as clear as I should be. We should be read as "companies I work for". I'm not a representative so I'm definitely not going to state exactly who that means. I personally simply don't have a copy of Windows. These companies pay for basically every possible assurance/license/maintenance thing Microsoft is willing to sell. At that level their competitors make it very clear that they will work immediately at maximum effort indefinitely until they have a fix for a problem if I invoke the word "security".
That's awesome. I've got a support infrastructure in place for the couple thousand PCs I support across about a hundred customers. They range from small shops with one or two PCs and zero budgeted IT funds through a couple multi-office customers where I can reasonably use things like GPO to make registry changes. Included are customers who have potentially fifty or more PCs scattered one-to-a-location over 50km diameter of land.
Get this. Relying on Microsoft Update for small businesses is reasonable. Until Captain Awesome at Google decides to increase the risk to those machines from unknown to guaranteed. I assure you the small shops appreciate the unexpected service.
It sounds like they aren't using tools appropriate for the job. If this were repeated often enough they might begin to question that. Unfortunately, I think they will likely be subject to occasional random virus
I am not implying "Microsoft may leak" I am implying "the details may leak from Microsoft or from the process of communicating to them, or even from the computer I use to send to them".
So... You're assuming that serious security researchers use insecure means of communication* and have spyware infested computers? Once you throw out the ridiculous, you end up contradicting yourself.
What part of "Microsoft is not a military organisation; they do not have Faraday cages around their offices," are you unable to read??? Actually, to be honest I probably am assuming too much. You should look up tempest attacks and assume that they are in use in high level industrial espionage and basic national spying of the type that the MS security team is likely to be subject to. That's likely to be rare. On the other hand, insertion of a spy into a commercial organisation or bribing an employee for information is easy and common.
have you heard
I've seen enough strange stuff to know I would likely not hear of this. Notice that during the google incident tens of US companies were hacked, but only one chose to mention that it happened. Assume that 90% of security stuff you never hear of and that for professional targeted attacks that rises to 99%.
This application is a continuation of U.S. application Ser. No. 11/022,089, filed Dec. 22, 2004, now U.S. Pat. No. 7,386,464 which is a division of U.S. patent application Ser. No. 10/780,486, filed Feb. 17, 2004, now U.S. Pat. No. 7,194,419 which is a continuation of U.S. patent application Ser. No. 09/348,355, filed Jul. 7, 1999 (now U.S. Pat. No. 6,714,916), which is a continuation of U.S. application Ser. No. 08/962,997, filed Nov. 2, 1997 (now U.S. Pat. No. 6,269,369).
A continuation application gets the same precedence date as the original patent but validity time from the date of acceptance. The Wikipedia article referenced, whilst lacking some citations, seems to be correct (at least its current version) as you can verify against the Patent Office FAQ.
The circumstances are different for each bug and difficult to judge in general. However for this bug we have the simple fact that the functionality is easily and safely disabled without affecting much of the function of the computer.
Ormandy is clearly justified in releasing the bug immediately since this will allow people who care about computer security, mostly the ones who are most affected by such problems, to take countermeasures. Every day, or even minute, he waits increases risk for such people since it is perfectly possible for someone else to find (or have already found) such a vulnerability and start (or continue) exploiting it. By this judgement, even his initial five day delay is difficult to justify.
On the other hand, at his own judgement, if Ormandy believes that Microsoft is working as hard as reasonable on this problem, then he would have been justified in keeping the bug under wraps. The justification would be that, whilst this increases risk for the first group, it reduces risk for those who wait for Microsoft automatic updates. N.B. This is a somewhat questionable justification since MS could simply and quickly release an update turning off the help function.
The problem is that he didn't believe that MS was working as hard as it should, so the second justification doesn't come into play. Hopefully this is a learning experience for MS who will work harder and/or communicate more clearly in future. Maybe Ormandy is now convinced he made a misjudgement about MS and will be slower next time. Maybe he's learned that reporting publicly without a pseudonym is dangerous and will be more difficult to contact next time. Whichever way that is, second guessing Ormandy when he was in such a difficult situation is unfair.
Look at the justifications floating around that this was "just before Patch Tuesday so MS was busy". This is the moment when a patch might be delayed due to a small hitch and if that happens the maximum possible delay (one month) occurs. That means that just before Patch Tuesday, MS must be on maximum possible alert. There was no justification for their not being able to respond quickly and at least say that they would try to get it in for the next but one Patch Tuesday.
That makes any of this okay? The guy who found the exploit felt 60 days was reasonable and tried to negotiate a commitment to that time window for a repair. He couldn't get that commitment, so he decided 60 days was no longer reasonable and that 5 days from original contact was plenty - despite knowing there wasn't a patch ready.
You are totally misrepresenting this. He decided that waiting to release the vulnerability was reasonable if, and only if, it was being worked on for a quick fix. Once he decided that he wasn't convinced that the fix was being worked on fast enough to deny the knowledge from people needed to defend themselves he decided to release.
In this particular case, there's no need for a patch. There's a simple registry edit which disables the function. Rapid dissemination of that solution allows people to stop being vulnerable whilst keeping the rest of their computer functional. Not distributing the information quickly would be irresponsible.
That's blackmail.
And that's hyperbole. He is demanding nothing for his own profit.
Worse, it's irresponsible. If 60 days was a reasonable time window in the start of negotiations, it should've remained.
"I feel you should be able to release a patch within two months. As such, I am disclosing what I have found in 60 days. If you have a patch ready, great. If you don't, well... you should rethink this outcome."
If he had done that, there'd be no complaint.
60 days was a reasonable maximum IFF he knew that Microsoft was willing to work hard on the problem. They failed to convince him. Next time they should try harder.
Since when does Microsoft (or any other developer) promise anyone fixes within a specific time-frame unless there's an existing contract in place?
We have a contract in place. MS should be fixing flaws like this in our systems no matter who reports them to them.
When and if my customers' PCs get owned by this, I will blame the exploit discoverer.
It's always nice to blame someone else for your own faults. In this case, you know how to disable the function whilst leaving everything else running. If the PCs get owned you are to blame.
The exploit had remained unknown for nine years and he decided five days was too long to work towards a commitment to fix within 60 days.
How do you know it was unknown? There are lots of unexplained break-ins to systems. Maybe this has been used almost since the beginning? By withholding the data, he's even putting himself at risk of being silenced by either legal or physical means. It's funny the way you feel the right to demand that he does that to save you a few minutes' work.
Meh. If he'd shut his mouth for a reasonable period of time we'd all be better off.
You'd maybe be better off. Others would have vulnerabilities they didn't know about not being fixed.
To be perfectly clear, you are implying that there is a non-trivial possibility that Microsoft may leak usable details about security vulnerabilities before they release patches.
I am not implying "Microsoft may leak" I am implying "the details may leak from Microsoft or from the process of communicating to them, or even from the computer I use to send to them". Given that, the rest of your statement, which in the best case would be beside the point, becomes irrelevant. Microsoft is not a military organisation; they do not have Faraday cages around their offices, they cannot do full security clearance for all employees. Even if their security process is much better than the rest of the company, even if it were better than all of their competitors, it is still run by humans and subject to a "non trivial" risk of a leak.
It may be his decision, but it affects many people. Any second guessing and debate now may influence future decisions by those participating. Thus, your statement that this debate is wrong is baseless. It may come to nothing, or it may bear fruit.
Currently the attempt to "influence" those involved in the debate is the attempt to intimidate the security researchers. Ormandy never claimed to represent Google and yet MS's supporters have loudly brought Google into the debate. Clearly a future security researcher should use a pseudonym and make sure that it is not associated with his own work. That has unfortunate consequences for our ability to contact the researcher. Debate good. Intimidation bad.
If you were going to test a fishing lure, would you use a "control group" consisting of trout, bass, pike, baleen whales, and tiger sharks? Would you then apply the results to all "fish", despite the fact that some of those weren't fish at all? I would hope not.
When you are talking about large scale testing for "fish" you would do it on whatever you call "fish". The trick is that the control group shouldn't "consist of" anything different from the original group. If you test on "fish" then your control group should be "fish". If you test on "big dark fish" then your control group should be "big dark fish". There are a few important things.
You start by writing down your procedure clearly and following it.
You first identify a target and decide if it is in or out of the experiment.
Only after having identified a target, you assign it randomly between the test and control groups.
You continue the experiment to the end and record the result.
In this case, the group you are targeting is probably "clouds that might potentially be seeded". How you decide that could even be as stupid as "ones Fred thinks look good". Because you ask him first and then do the assignment afterwards it doesn't matter. You will see if there is a real effect or not. If there is a real effect, you now repeat the experiment with a bigger group to have better certainty. If there isn't, you may give up and leave it for someone else or you may try to find a different way to select clouds. Again, it doesn't matter what it is as long as you write it down honestly and clearly.
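A Monte Carlo check of the "select first, then randomise" rule from the comment above. This is an added, constructed simulation, not anything posted in the thread: the hidden "promise" score, Fred's taste rule, the seeding effect and the leaky variant are all assumptions chosen to make the point visible.

```python
"""Why the target-selection rule cannot bias a trial as long as random
assignment to test/control happens AFTER selection.

Constructed simulation (assumptions, not data from the thread):
  - each cloud has a hidden "promise" score q ~ N(0, 1);
  - natural rainfall is q plus weather noise, and seeding really adds
    TRUE_EFFECT on top;
  - "Fred" leans towards promising clouds but is noisy about it.
"""
import random
import statistics

TRUE_EFFECT = 1.0  # extra rain (arbitrary units) that seeding truly adds


def fred_thinks_it_looks_good(q, rng):
    """Fred's vague, undocumented taste (hypothetical): he prefers
    promising clouds but gets it wrong often enough to be human."""
    return q + rng.gauss(0.0, 1.0) > 0.0


def rainfall(q, seeded, rng):
    """Rain from one cloud: hidden promise + weather noise + seeding effect."""
    return q + rng.gauss(0.0, 1.0) + (TRUE_EFFECT if seeded else 0.0)


def proper_procedure(n_clouds, rng):
    """Identify the target first, THEN flip a coin for seed vs control.
    Fred's taste shapes which clouds enter the trial, but it shapes both
    arms identically, so the difference of means stays unbiased."""
    seeded, control = [], []
    for _ in range(n_clouds):
        q = rng.gauss(0.0, 1.0)
        if not fred_thinks_it_looks_good(q, rng):
            continue                       # rejected before any assignment
        is_seeded = rng.random() < 0.5     # coin flip happens after selection
        (seeded if is_seeded else control).append(rainfall(q, is_seeded, rng))
    return statistics.fmean(seeded) - statistics.fmean(control)


def leaky_procedure(n_clouds, rng):
    """The broken order: the coin is flipped first and Fred sees it before
    deciding whether the cloud is "in".  He keeps control clouds by his
    usual taste, but only enrols a cloud for seeding when it looks clearly
    promising (q > 0.5), so the seeded arm is stacked with better clouds."""
    seeded, control = [], []
    for _ in range(n_clouds):
        q = rng.gauss(0.0, 1.0)
        is_seeded = rng.random() < 0.5     # assignment known to Fred too early
        if is_seeded:
            if q <= 0.5:
                continue                   # Fred quietly drops weak seed candidates
        elif not fred_thinks_it_looks_good(q, rng):
            continue
        (seeded if is_seeded else control).append(rainfall(q, is_seeded, rng))
    return statistics.fmean(seeded) - statistics.fmean(control)


def run(n_clouds=40000, seed=1):
    """Estimate the seeding effect both ways with independent seeded RNGs."""
    return {
        "proper": proper_procedure(n_clouds, random.Random(seed)),
        "leaky": leaky_procedure(n_clouds, random.Random(seed + 1)),
    }


if __name__ == "__main__":
    est = run()
    print(f"true effect:                     {TRUE_EFFECT:.2f}")
    print(f"select-then-randomise estimate:  {est['proper']:.2f}")
    print(f"randomise-then-select estimate:  {est['leaky']:.2f} (biased upward)")
```

With tens of thousands of simulated clouds the first estimate lands within a few hundredths of the true effect, while the leaky ordering overstates it by roughly half a unit, which is the whole of the comment's point in numbers.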
He did; he's even fundamentally right. Serious / important systems should not be reliant on one single security function. If there's a flaw in one vendor's authentication server that shouldn't be a problem. You just disable it and use the other vendor's one where you should have an up to date mirror of the data.
Unfortunately we have got to a level where such functions are running on monocultures of operating systems such as Windows and even Linux which just aren't suitable for the job. This means that the vulnerability could do serious damage.
However, we shouldn't forget who is to blame. It's not the security researcher. The people to blame are the ones who chose to rely on only Windows XP and don't have a backup. If their system isn't important they should just switch it off and wait for the fix. If their system is "important" then they must have it running on an operating system suitable for the job (e.g. VMS / z/OS / maybe OpenBSD or AIX / maybe RHEL in specific configurations) and should have a backup alternative install on a different secure operating system.
Right now, there has been too much change too recently and the effects of Microsoft's monopoly destruction of its competitors in the 90's are too strongly felt for this to be a practical immediate goal for everybody. However we shouldn't lose track of where fault lies and who should be trying to deal with it. Ultimately this largely means Microsoft and their customers are to blame. If they get away with this irresponsibility without penalty or damage then there is no possibility for a market based solution to this and even a regulatory solution would be very difficult.
Except you're lying. TFA, which I've actually read, has only this to say:
"I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days,"
Where the word "negotiate" clearly implies that there was more than one back and forward after the point where the demand for a deadline was given.
"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"
Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.
So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.
It took me 20 minutes looking at Ormandy's description to realise that there's a perfectly adequate work around (disable help links). It would take me another 20 minutes to write a mail saying
Yes, we can see your problem with help links. To be sure we can release this we'll have to do some checks to see that this isn't a broader vulnerability; that normally takes us about five days, though it could be up to three weeks if it turns out to be complex. If we can't fix this within 60 days we'll send out an advisory telling people to disable the help function. After all, they can always open it manually.
Maybe I'm such a super genius that I should be taking over as head of MS security section on a million a year salary, and this isn't something that would occur to a normal person who'd been working some tens of years in security, but somehow I doubt that.
It's not the fact that he found it. It's the fact that he released it with a working exploit 5 days after notifying Microsoft of the vulnerability.
The entire point is that delay in notification for people that their systems are vulnerable after a vulnerability has been disclosed to anyone increases the risk for those who are responsible. As they say, a secret only stays secret when it is known to exactly one person. The only justification for delaying disclosure is if Microsoft is working maximally to fix the vulnerability. Once the information about the vulnerability was released you could disable your XP systems and wait for MS to react, or you could disable that function in your XP installation. If you have an important ("business critical") system then you of course have mitigation systems in place such as firewalls where you can change rules. This can only be done once you know about the flaw.
The fact that the vulnerability was known about for five days, but the vulnerable people were not told, put them at risk, for example from inadvertent disclosure. It was Microsoft's job to convince Ormandy that they were doing enough work to justify his delay. I'm not sure about his judgement in this case; maybe there was some misunderstanding because MS security people were overloaded with other work. More likely they just aren't willing to put in enough effort to be convincing because they don't want to delay product schedules. A guarantee that "we will make every effort to resolve this within 60 days if it's as important as you say it is" would almost certainly have been enough and is certainly completely justified. In any case, it's Ormandy's decision; and trying to second guess his judgement between two bad possibilities is completely wrong.
Thanks; I hope I didn't give the wrong impression.
Any mechanical system can be forced to fail if you know how it is built
(my emphasis) - you need to work out the right trick to cause a failure; you need to work out how to get that trick to happen through the control system; you need to integrate your software with the particular configuration of the control system in the particular power station you are attacking. Most of all, you need to repeat this whole process across many different installations all over a country.
This becomes an extremely non trivial "multi-vendor" (at least the attacker + the control software author, if not also the network software) integration case and needs time and energy.
Compared to the resources of the average army this is totally trivial. People who calmly send tens of thousands to their deaths are not worried by having to hire a few tens of programmers. On the other hand, to a little disorganised hacker band this is the kind of thing they can only achieve through fairly serious advances in AI. One man and his iPhone is just not going to cut it.
Which is not to say that killing a few hundred or even thousand people (e.g. by breaching a well chosen dam or causing a fire in the bottom of a tall building), a goal well within the reach of one bored, skillful and lucky man and his iPhone, is something that we should just totally ignore. It's just that it's not really close to warfare.
Your local supermarket keeps less than a day of stock even taking into account its warehouses and relies entirely on its networked computer system to ensure that orders get to suppliers in time to deliver directly on site. They couldn't even do the truck routing correctly without the computer. Think about it. How many days' stock of food do you have at home?
Pinch???? Google doesn't seem to help me here. A HANE above such sites would definitely be a counterpart for cyber-warfare guaranteeing much longer recovery times. For a true "cyber" part, wait for the US to launch satellites with nuclear weapons (for stopping "terrorist states"); then, during your cyber attack, take control of the satellite and use the bombs from that to cause your HANE.
That's really interesting and quite resource intensive; to get a practical attack on a nuclear equipped satellite nowadays, I bet you would have to infiltrate the development program; you'd certainly need powerful transmitters and you'd need to have serious levels of engineers. You could in principle attack via the US ground station, but that's run by people who actually know something about security so it's not on the open internet. Your iPhone will likely not help here.
I think that this isn't a good way to do this. Let's stick with traditional and clear definitions.
cyber-warfare
high resource entities such as states or possibly major corporations carry out large scale or unlimited attacks with the aim of disabling or destroying other high resource entities. Typical example; the USA disables the Iraqi command and control system and uses parts of it to send messages suggesting surrender around the start of the second Gulf War.
cyber-guerilla(-warfare)
a small group of independent, but possibly attackers carry out effective but small scale attacks on a country's infrastructure; typical example Estonia or an effective attack on an entire stock exchange causing actual large scale money transfer.
cyber-terrorism
small, high visibility attacks aimed at changing behaviour through fear. Typical example; a terrorist manages to get a programmer working at Boeing and that programmer manages to get some code in to fly a plane into the ground in some specific situation.
cyber-vandalism
a low resource person spends considerable effort to make a minor and temporary irritation. Typical example; defacing a web site; switching off a power station for a day.
Cyber-vandalism, I think, can be characterised by the fact that simple and obvious methods would largely limit the damage. It can still cause surprisingly large damage, but when that happens much of the fault is clearly with the person vandalised or surrounding systems.
There's a real thing going on here and there are real changes in the way that people can carry out some types of attacks. That the military has got it partly "wrong" is inevitable. That doesn't mean that people with lots of "cyber" experience and no "warfare" experience are instant gurus who can tell the military all they need to know. Sensible and valuable discussion will happen when both sides work together and most of all try to work towards civilian systems which have some level of military level survivability, as used to happen with telecoms networks.
One problem is that it's not an easy fix. E.g. if a list of all connections you make is recorded for "child protection" then what happens when there's a murder investigation? They, quite rightly, get a warrant which lets them look at the pre-existing data. They have a right to look at anything which they know of and which is likely to help them.
The real problem is that once that mechanism exists it is used for private lawsuits and is abused for tracking down dissidents in repressive countries (which might include your one in future). There's nothing that can be done to avoid it if the data is available.
It isn't a dupe till yours gets accepted on the front page. In fact yours would be the dupe then. Mine is a better statement of the story. Anyway
And following on from that bout of maturity; naaahah naaaah neee naaa naa.
Seriously though; I'm guessing mine was closer to "house style" and so I am the winner
They already made an offer to release the source for 3.0: http://www.abine.com/taco_source.php
FTFY. On their page it says:
To get a local copy of the source just contact us at support@getabine.com
This is even less than Microsoft shared source. If I was basing something, for example a security audit, on this offer I'd want to know that someone independent had actually downloaded the source and verified that they could build the end module.
+1 informative. NOW I understand the advice not to contribute unless it's GPL copyleft. It protects your volunteer work.
Exactly right; lots of the anti-GPL FUD spread around has its origin in people, like Microsoft, who don't want you having their work, but feel they have the right to steal yours. There's another group which is specifically doing the free stuff now with the hope of getting people addicted and then doing a bait and switch later (look for FreeBSD developers who switched over to Apple e.g. or Nessus which was under the GPL but with one primary copyright owner who could just change the license). The MIT / X11 people made a really big effort to try to get people to switch from copyleft to unprotected licenses and then almost got away with completely closing X; a big warning against contributing without some protection.
However there's also a bunch of people who simply disagree. E.g. some of the OpenBSD developers. They really do believe what they say and (I believe) they are doing something good for the sake of it. When you work with these people you get some protection simply from who they are and what they believe. If you have some simple fixes e.g. to OpenSSH, then contributing them back really does save effort and get more F/OSS software written, so the general advice is that you should contribute smaller / more integrated changes directly back to them. When it comes to bigger / more independent changes, e.g. a new library, those might be better in a separate project with a copyleft license.
Question:
It appears the TACO tool only stops the behavioral advertising. It doesn't stop them from spying on you and seeing which sites you visited. Right?
TACO seems to opt out of as much as it possibly can. The advertising networks should be "voluntarily" stopping tracking you at that point in order to comply with various privacy laws/regulations/standards/policies. However, you can't be sure of that. You might find looking at the EFF Panopticlick and other similar privacy tools will help you find out how easily you can be tracked by people who aren't following the "rules".
You are beginning to sound like an Astroturfer
c'mon. Astroturfers by definition do not identify themselves. He's clear about who he is, why he's involved etc.
Thanks for that; now I understand your policy clearly; that you insisted on the features being switched off and that you would have liked to warn about the license, I'm much happier about the Mozilla update process than I was. Is there any bug related to the lack of license change notification that we can vote for??
It can feel frustrating when something you are using goes from free to commercial. You often get the "sold out" feeling.
I love when something free goes commercial. Red Hat is one of my favourite companies. What annoys me is when something "Free" goes proprietary. These are two very different things. For such a license change Mozilla should be insisting on a change of name so that people who don't want the change still have their computer free of that stuff.
Yes; dammit; that was my joke as you can clearly see from the submission but I guess it wasn't funny enough for the greater wisdom of our Slashdot overlords.
When people do that there is a strong tendency for the company to come in around stage three, find a compliant judge and police group and have the security researcher's computers confiscated to avoid stage 4 and beyond. Whilst this is effectively illegal behaviour by the company and shouldn't happen, it's common enough that I really think it rules out your (otherwise theoretically wise) advice. Have a look at Cisco's attempts to suppress vulnerability information or the Massachusetts Bay Transportation Authority for example. Ormandy has actually come out of this quite well considering. Basically you either go fully "responsible" or you come out with the full info with no warning so that it's too late to sue. There is no reasonable middle ground.
What part of "Microsoft is not a military organisation; they do not have Faraday cages around their offices," are you unable to read???
I don't think non-trivial means what you think it means.
"When I use a word it means just what I choose it to mean -- neither more nor less."
The Microsoft security process is the key to Windows. Windows is the key to 99% of enterprises worldwide. If I were running government level industrial espionage (as the US accuses China) and did not have significant information about that process I would want a very detailed explanation why from my intelligence group. I think this would be non-easy. I think that probably the core of the process might not be directly penetrated, but I'm sure that at least some of the people who regularly work near the security group (the cleaner???) are in some way acting as agents of "foreign powers". I'm sure that significant information does leak at least occasionally.
He decided 60 days was a reasonable schedule. More, he decided 5 days was too long for a corporate entity to tell him what they were going to do. He set not one but two bars, and decided that if MS wasn't going to meet his second bar, he was going to lower his first bar to the same point. How is this not childish?
I've already addressed this and your later point that 60 days should be 60 days elsewhere. Basic summary; he is weighing the risks for two different groups. One small but more critical and one larger but with less critical needs. Any wait damages the first group. Waiting only helps the second if Microsoft is actually working.
In this particular case, that registry hack remains useless to anyone who's got a box likely to be vulnerable. You and I, and everyone else who ignore the part of every KB article that warns us how dangerous registry editing is are more likely to follow best practices and have generally secure systems than Joe Wait-For-Patch-Tuesday. Well, it's Joe who just got screwed because Joe won't ever know about any registry edits until his system is screwed over (perhaps tomorrow). Great.
If Joe's system is important then he needs to learn to hire a decent security consultant and redesign it. If it isn't, he needs to learn to do backups and should either shut down or reinstall when compromised.
Wait. There are no smilies or other indications that you're making a big joke. Nothing for his own profit. A Google security engineer opting for early disclosure doesn't profit more than if he'd kept his mouth shut for a reasonable amount of time? Sorry, but if he'd waited... say until a patch was actually released, we'd never have heard of this guy's name. Instead he - and Google - are in the press as white knights protecting Joe from the evil Microsoft. Yeah. No profit at all. Just a pat on the back and a nice write-up in his personnel file in HR.
I have a different interpretation (I believe him that it was a private project; I believe that Google won't be happy with him about this; I believe that he didn't think fully through about this being associated with work) but since this is all speculation about the mind of a third party and either of us could be wrong I'm not going to speculate further.
We who? Joe? Show me where Joe's EULA entitles him to patches within X days of disclosure of exploit? Your company as perhaps a subscriber to Software Assurance or something similar? Please clarify.
Sorry, I wasn't as clear as I should be. We should be read as "companies I work for". I'm not a representative so I'm definitely not going to state exactly who that means. I personally simply don't have a copy of Windows. These companies pay for basically every possible assurance/license/maintenance thing Microsoft is willing to sell. At that level their competitors make it very clear that they will work immediately at maximum effort indefinitely until they have a fix for a problem if I invoke the word "security".
That's awesome. I've got a support infrastructure in place for the couple thousand PCs I support across about a hundred customers. They range from small shops with one or two PCs and zero budgeted IT funds through a couple multi-office customers where I can reasonably use things like GPO to make registry changes. Included are customers who have potentially fifty or more PCs scattered one-to-a-location over 50km diameter of land.
Get this. Relying on Microsoft Update for small businesses is reasonable. Until Captain Awesome at Google decides to increase the risk to those machines from unknown to guaranteed. I assure you the small shops appreciate the unexpected service.
It sounds like they aren't using tools appropriate for the job. If this were repeated often enough they might begin to question that. Unfortunately, I think they will likely be subject to occasional random virus
I am not implying "Microsoft may leak" I am implying "the details may leak from Microsoft or from the process of communicating to them, or even from the computer I use to send to them".
So... You're assuming that serious security researchers use insecure means of communication* and have spyware infested computers? Once you throw out the ridiculous, you end up contradicting yourself.
What part of
Microsoft is not a military organisation; they do not have Faraday cages around their offices,
are you unable to read??? Actually, to be honest I probably am assuming too much. You should look up TEMPEST attacks and assume that they are in use in high level industrial espionage and basic national spying of the type that the MS security team is likely to be subject to. That's likely to be rare. On the other hand, insertion of a spy into a commercial organisation or bribing an employee for information is easy and common.
have you heard
I've seen enough strange stuff to know I would likely not hear of this. Notice that during the Google incident tens of US companies were hacked, but only one chose to mention that it happened. Assume that 90% of security stuff you never hear of and that for professional targeted attacks that rises to 99%.
This application is a continuation of U.S. application Ser. No. 11/022,089, filed Dec. 22, 2004, now U.S. Pat. No. 7,386,464 which is a division of U.S. patent application Ser. No. 10/780,486, filed Feb. 17, 2004, now U.S. Pat. No. 7,194,419 which is a continuation of U.S. patent application Ser. No. 09/348,355, filed Jul. 7, 1999 (now U.S. Pat. No. 6,714,916), which is a continuation of U.S. application Ser. No. 08/962,997, filed Nov. 2, 1997 (now U.S. Pat. No. 6,269,369).
A continuation application gets the same precedence date as the original patent but validity time from the date of acceptance. The Wikipedia article referenced, whilst lacking some citations, seems to be correct (at least its current version) as you can verify against the Patent Office FAQ.
This is an extremely evil patent.
The circumstances are different for each bug and difficult to judge in general. However for this bug we have the simple fact that the functionality is easily and safely disabled without affecting much of the function of the computer.
Ormandy is clearly justified in releasing the bug immediately since this will allow people who care about computer security; mostly the ones who are most affected by such problems; to take countermeasures. Every day, or even minute, he waits increases risk for such people since it is perfectly possible for someone else to find (or have already found) such a vulnerability and start (or continue) exploiting it. By this judgement, even his initial five day delay is difficult to justify.
On the other hand, at his own judgement, if Ormandy believes that Microsoft is working as hard as reasonable on this problem, then he would have been justified in keeping the bug under wraps. The justification would be that, whilst this increases risk for the first group, it reduces risk for those who wait for Microsoft automatic updates. N.B. This is a somewhat questionable justification since MS could simply and quickly release an update turning off the help function.
The problem is that he didn't believe that MS was working as hard as it should, so the second justification doesn't come into play. Hopefully this is a learning experience for MS who will work harder and/or communicate more clearly in future. Maybe Ormandy is now convinced he made a misjudgement about MS and will be slower next time. Maybe he's learned that reporting publicly without a pseudonym is dangerous and will be more difficult to contact next time. Whichever way that is, second guessing Ormandy when he was in such a difficult situation is unfair.
Look at the justifications floating around that this was "just before Patch Tuesday so MS was busy". This is the moment when a patch might be delayed due to a small hitch and if that happens the maximum possible delay (one month) occurs. That means that just before Patch Tuesday, MS must be on maximum possible alert. There was no justification for their not being able to respond quickly and at least say that they would try to get it in for the next but one Patch Tuesday.
That makes any of this okay? The guy who found the exploit felt 60 days was reasonable and tried to negotiate a commitment to that time window for a repair. He couldn't get that commitment, so he decided 60 days was no longer reasonable and that 5 days from original contact was plenty - despite knowing there wasn't a patch ready.
You are totally misrepresenting this. He decided that waiting to release the vulnerability was reasonable if, and only if, it was being worked on for a quick fix. Once he decided that he wasn't convinced that the fix was being worked on fast enough to deny the knowledge from people needed to defend themselves he decided to release.
In this particular case, there's no need for a patch. There's a simple registry edit which disables the function. Rapid dissemination of that solution allows people to stop being vulnerable whilst keeping the rest of their computer functional. Not distributing the information quickly would be irresponsible.
That's blackmail.
And that's hyperbole. He is demanding nothing for his own profit.
Worse, it's irresponsible. If 60 days was a reasonable time window in the start of negotiations, it should've remained.
"I feel you should be able to release a patch within two months. As such, I am disclosing what I have found in 60 days. If you have a patch ready, great. If you don't, well... you should rethink this outcome."
If he had done that, there'd be no complaint.
60 days was a reasonable maximum IFF he knew that Microsoft was willing to work hard on the problem. They failed to convince him. Next time they should try harder.
Since when does Microsoft (or any other developer) promise anyone fixes within a specific time-frame unless there's an existing contract in place?
We have a contract in place. MS should be fixing flaws like this in our systems no matter who reports them to them.
When and if my customers' PCs get owned by this, I will blame the exploit discoverer.
It's always nice to blame someone else for your own faults. In this case, you know how to disable the function whilst leaving everything else running. If the PCs get owned you are to blame.
The exploit had remained unknown for nine years and he decided five days was too long to work towards a commitment to fix within 60 days.
How do you know it was unknown? There are lots of unexplained break ins to systems. Maybe this has been used almost since the beginning? By withholding the data, he's even putting himself at risk of being silenced by either legal or physical means. It's funny the way you feel the right to demand that he does that to save you a few minutes work.
Meh. If he'd shut his mouth for a reasonable period of time we'd all be better off.
You'd maybe be better off. Others would have vulnerabilities they didn't know about not being fixed.
To be perfectly clear, you are implying that there is a non-trivial possibility that Microsoft may leak usable details about security vulnerabilities before they release patches.
I am not implying "Microsoft may leak" I am implying "the details may leak from Microsoft or from the process of communicating to them, or even from the computer I use to send to them". Given that, the rest of your statement, which in the best case would be beside the point, becomes irrelevant. Microsoft is not a military organisation; they do not have Faraday cages around their offices, they cannot do full security clearance for all employees. Even if their security process is much better than the rest of the company, even if it were better than all of their competitors it is still run by humans and subject to a "non trivial" risk of a leak.
It may be his decision, but it affects many people. Any second guessing and debate now may influence future decisions by those participating. Thus, your statement that this debate is wrong is baseless. It may come to nothing, or it may bear fruit.
Currently the attempt to "influence" those involved in the debate is the attempt to intimidate the security researchers. Ormandy never claimed to represent Google and yet MS's supporters have loudly brought Google into the debate. Clearly a future security researcher should use a pseudonym and make sure that it is not associated with his own work. That has unfortunate consequences for our ability to contact the researcher. Debate good. Intimidation bad.
If you were going to test a fishing lure, would you use a "control group" consisting of trout, bass, pike, baleen whales, and tiger sharks? Would you then apply the results to all "fish", despite the fact that some of those weren't fish at all? I would hope not.
When you are talking about large scale testing for "fish" you would do it on whatever you call "fish". The trick is that the control group shouldn't "consist of" anything different from the original group. If you test on "fish" then your control group should be "fish". If you test on "big dark fish" then your control group should be "big dark fish". There are a few important things.
In this case, the group you are targeting is probably "clouds that might potentially be seeded". How you decide that could even be as stupid as "ones Fred thinks look good". Because you ask him first and then do the assignment afterwards it doesn't matter. You will see if there is a real effect or not. If there is a real effect, you now repeat the experiment with a bigger group to have better certainty. If there isn't, you may give up and leave it for someone else or you may try to find a different way to select clouds. Again, it doesn't matter what it is as long as you write it down honestly and clearly.
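The "select first, randomise the assignment afterwards" rule from the two comments above, as an added simulation that is not part of the thread. The cloud population, Fred's selection rule and the rainfall model are all constructed; under a zero true effect the biased design still reports a large difference, while the randomised design reports roughly nothing.

```python
import random
import statistics

# Constructed simulation: each cloud has a hidden moisture level that drives
# rainfall, and seeding adds a fixed effect (0.0 under the null hypothesis).


def make_clouds(n, rng):
    """Constructed population: moisture uniform in [0, 1)."""
    return [{"moisture": rng.random()} for _ in range(n)]


def rainfall(cloud, seeded, true_effect, rng):
    """Observed rainfall: hidden moisture, Gaussian noise, plus the seeding effect."""
    return cloud["moisture"] + rng.gauss(0.0, 0.2) + (true_effect if seeded else 0.0)


def fred_thinks_it_looks_good(cloud):
    """An arbitrary, biased selection rule: Fred likes the moister-looking clouds."""
    return cloud["moisture"] > 0.5


def biased_design(clouds, true_effect, rng):
    """Bad design: seed every cloud Fred picks and compare against the clouds he
    skipped. The selection rule itself predicts rainfall, so the comparison is
    confounded and shows an 'effect' even when seeding does nothing."""
    seeded = [rainfall(c, True, true_effect, rng)
              for c in clouds if fred_thinks_it_looks_good(c)]
    control = [rainfall(c, False, true_effect, rng)
               for c in clouds if not fred_thinks_it_looks_good(c)]
    return statistics.mean(seeded) - statistics.mean(control)


def randomised_design(clouds, true_effect, rng):
    """Good design: let Fred pick first, then flip a coin for each picked cloud.
    Treatment and control now come from the same population, however Fred chose it,
    so the difference estimates only the seeding effect."""
    picked = [c for c in clouds if fred_thinks_it_looks_good(c)]
    seeded, control = [], []
    for c in picked:
        if rng.random() < 0.5:
            seeded.append(rainfall(c, True, true_effect, rng))
        else:
            control.append(rainfall(c, False, true_effect, rng))
    return statistics.mean(seeded) - statistics.mean(control)


def run(true_effect, seed=1):
    """Run both designs on the same constructed population with a fixed RNG seed."""
    rng = random.Random(seed)
    clouds = make_clouds(4000, rng)
    return {
        "biased": biased_design(clouds, true_effect, rng),
        "randomised": randomised_design(clouds, true_effect, rng),
    }


if __name__ == "__main__":
    for effect in (0.0, 0.1):
        r = run(effect)
        print(f"true effect {effect:.2f}: biased estimate {r['biased']:+.3f}, "
              f"randomised estimate {r['randomised']:+.3f}")
```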
He did; he's even fundamentally right. Serious / important systems should not be reliant on one single security function. If there's a flaw in one vendor's authentication server that shouldn't be a problem. You just disable it and use the other vendor's one where you should have an up to date mirror of the data.
Unfortunately we have got to a level where such functions are running on monocultures of operating systems such as Windows and even Linux which just aren't suitable for the job. This means that the vulnerability could do serious damage.
However, we shouldn't forget who is to blame. It's not the security researcher. The people to blame are the ones who chose to rely on only Windows XP and don't have a backup. If their system isn't important they should just switch it off and wait for the fix. If their system is "important" then they must have it running on an operating system suitable for the job (e.g. VMS / Z/OS / maybe OpenBSD or AIX / maybe RHEL in specific configurations) and should have a backup alternative install on a different secure operating system.
Right now, there has been too much change too recently and the effects of Microsoft's monopoly destruction of its competitors in the 90s are too strongly felt for this to be a practical immediate goal for everybody. However we shouldn't lose track of where fault lies and who should be trying to deal with it. Ultimately this largely means Microsoft and their customers are to blame. If they get away with this irresponsibility without penalty or damage then there is no possibility for a market based solution to this and even a regulatory solution would be very difficult.
Cite: TFA.
Except you're lying. TFA, which I've actually read, has only this to say:
"I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days,"
Where the word "negotiate" clearly implies that there was more than one back and forward after the point where demand for a deadline was given.
"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"
Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.
So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.
It took me 20 minutes looking at Ormandy's description to realise that there's a perfectly adequate work around (disable help links). It would take me another 20 minutes to write a mail saying
Yes, we can see your problem with help links. To be sure we can release this we'll have to do some checks to see that this isn't a broader vulnerability; that normally takes us about five days, though it could be up to three weeks if it turns out to be complex. If we can't fix this within 60 days we'll send out an advisory telling people to disable the help function. After all, they can always open it manually.
Maybe I'm such a super genius that I should be taking over as head of MS security section on a million a year salary, and this isn't something that would occur to a normal person who'd been working some tens of years in security, but somehow I doubt that.
It's not the fact that he found it. It's the fact that he released it with a working exploit 5 days after notifying Microsoft of the vulnerability.
The entire point is that delay in notification for people that their systems are vulnerable after a vulnerability has been disclosed to anyone increases the risk for those who are responsible. As they say, a secret only stays secret when it is known to exactly one person. The only justification for delaying disclosure is if Microsoft is working maximally to fix the vulnerability. Once the information about the vulnerability was released you could disable your XP systems and wait for MS to react, or you could disable that function in your XP installation. If you have an important ("business critical") system then you of course have mitigation systems in place such as firewalls where you can change rules. This can only be done once you know about the flaw.
The fact that the vulnerability was known about for five days, but the vulnerable people were not told, put them at risk, for example from inadvertent disclosure. It was Microsoft's job to convince Ormandy that they were doing enough work to justify his delay. I'm not sure about his judgement in this case; maybe there was some misunderstanding because MS security people were overloaded with other work. More likely they just aren't willing to put in enough effort to be convincing because they don't want to delay product schedules. A guarantee that "we will make every effort to resolve this within 60 days if it's as important as you say it is" would almost certainly have been enough and is certainly completely justified. In any case, it's Ormandy's decision; and trying to second guess his judgement between two bad possibilities is completely wrong.
(my emphasis) - you need to work out the right trick to cause a failure; you need to work out how to get that trick to happen through the control system; you need to integrate your software with the particular configuration of the control system in the particular power station you are attacking. Most of all, you need to repeat this whole process across many different installations all over a country.
This becomes an extremely non trivial "multi-vendor" (at least the attacker + the control software author, if not also the network software) integration case and needs time and energy.
Compared to the resources of the average army this is totally trivial. People who calmly send tens of thousands to their deaths are not worried by having to hire a few tens of programmers. On the other hand, to a little disorganised hacker band this is the kind of thing they can only achieve through fairly serious advances in AI. One man and his iPhone is just not going to cut it.
Which is not to say that killing a few hundred or even thousand people (e.g. by breaching a well chosen dam or causing a fire in the bottom of a tall building), a goal well within the reach of one bored skillful and lucky man and his iPhone, is something that we should just totally ignore. It's just that it's not really close to warfare.
Your local supermarket keeps less than a day of stock even taking into account its warehouses and relies entirely on its networked computer system to ensure that orders get to suppliers in time to deliver directly on site. They couldn't even do the truck routing correctly without the computer. Think about it. How many days' stock of food do you have at home?
Pinch???? Google doesn't seem to help me here. A HANE above such sites would definitely be a counterpart for cyber-warfare guaranteeing much longer recovery times. For a true "cyber" part, wait for the US to launch satellites with nuclear weapons (for stopping "terrorist states"); then, during your cyber attack, take control of the satellite and use the bombs from that to cause your HANE.
That's really interesting and quite resource intensive; to get a practical attack on a nuclear equipped satellite nowadays, I bet you would have to infiltrate the development program; you'd certainly need powerful transmitters and you'd need to have serious levels of engineers. You could in principle attack via the US ground station, but that's run by people who actually know something about security so it's not on the open internet. Your iPhone will likely not help here.
I think that this isn't a good way to do this. Let's stick with traditional and clear definitions.
cyber-warfare: high resource entities such as states or possibly major corporations carry out large scale or unlimited attacks with the aim of disabling or destroying other high resource entities. Typical example; the USA disables the Iraqi command and control system and uses parts of it to send messages suggesting surrender around the start of the second Gulf War.
cyber-guerilla(-warfare): a small group of independent, but possibly attackers carry out effective but small scale attacks on a country's infrastructure; typical example Estonia or an effective attack on an entire stock exchange causing actual large scale money transfer.
cyber-terrorism: small, high visibility attacks aimed at changing behaviour through fear. Typical example; a terrorist manages to get a programmer working at Boeing and that programmer manages to get some code in to fly a plane into the ground in some specific situation.
cyber-vandalism: a low resource person spends considerable effort to make a minor and temporary irritation. Typical example; defacing a web site; switching off a power station for a day.
Cyber-vandalism, I think, can be characterised by the fact that simple and obvious methods would largely limit the damage. It can still cause surprisingly large damage, but when that happens much of the fault is clearly with the person vandalised or surrounding systems.
There's a real thing going on here and there are real changes in the way that people can carry out some types of attacks. That the military has got it partly "wrong" is inevitable. That doesn't mean that people with lots of "cyber" experience and no "warfare" experience are instant gurus who can tell the military all they need to know. Sensible and valuable discussion will happen when both sides work together and most of all try to work towards civilian systems which have some level of military level survivability as used to happen with telecoms networks.