Release Everything
Make sure that you release all documentation and tools (preferably with source) for the hardware and the drivers. The last thing a "free" developer wants to do is re-invent all of the wheels that your company created.
Provide Good Documentation
If you provide well organized and complete documentation to a quality product, developers will most likely flock to it.
Support the Developers
You will want to have staff on hand to answer questions about the technical details of the product. Create a forum that is monitored by the engineers who designed and create code for the product. Make sure that questions are answered thoroughly and quickly.
Basically, you have to explicitly accept a license agreement with the third party. They say nothing in here about installing and using 3rd party software on your computer without your consent.
Um... did you actually read the excerpt that you posted?
2.4 Third Parties. You acknowledge and agree that the Skype Software may be incorporated into, and may incorporate itself, software and other technology owned and controlled by third parties. Skype emphasizes that it will only incorporate such third party software or technology for the purpose of (a) adding new or additional functionality
I can think of some 'new functionality...' Like sending back 'diagnostic' sessions of voice conversations for review later; like using your machine to distribute software; like creating a distributed network of file sharing control nodes that's nearly impossible to hold anyone accountable for.
I am not saying that they have or will do this. I object to the open-endedness of the agreement. I'm all for free, ubiquitous communication, but I would like to have a vague idea of what will be done to my PC in the process.
or (b) improving the technical performance of the Skype Software. Any such third party software or technology that is incorporated in the Skype Software falls under the scope of this Agreement.
Basically, any software that they want to incorporate into Skype they can add without your additional consent. This provision does not explicitly allow them to add software automatically though. That's in Article 2.5 below...
Any and all other third party software or technology that may be distributed together with the Skype Software will be subject to you explicitly accepting a license agreement with that third party.
If they want to later distribute Skype with Super Duper Toolbar that they don't deem to be part of 2.4(a) or (b) then you will see an agreement for Skype and an agreement for Super Duper Toolbar.
You acknowledge and agree that you will not enter into a contractual relationship with Skype or its Affiliates regarding such third party software or technology and you will look solely to the applicable third party and not to Skype or its Affiliates to enforce any of your rights.
You agree that you won't sue Skype when they bundle Super Duper Toolbar, privacy laws change, and you want to sue someone for tracking your activities online and associating it with your name and address in order to sell you [insert performance enhancing substance here.]
2.5 New Versions of the Skype Software. Skype, in its sole discretion, reserves the right to add additional features or functions, or to provide programming fixes, updates and upgrades, to the Skype Software....
This is where they reserve the right to change what's on your computer at any time. I don't understand why people enter into this type of agreement for a non-essential product with a company that they have no control over.
This concludes your IANAL lesson today. Thanks for joining us.
It's true that viruses preceded the ubiquitous network, but their spread nearly stopped over shared media and grew exponentially over the Internet. In the grand scheme of things shared media is unlikely to be part of an infection vector anymore.
All of your bullet-point suggestions are practically impossible for a normal human user to implement except for 'Long-term backups are important.' This is an excellent point and one that I forgot to include.
Firewalls are important in malware control for two primary reasons:
- They separate the target system from the hostile environment. Even the simplest firewall protects you from most IP-borne worms.
- They provide a choke-point for information where it can be restricted and audited. This allows you to stop infections before sigs/patches are available and determine if machines are infected with unknown malware.
Automated patching is critically important for the masses. This doesn't mean that Windows Update should be set on all machines to 'download and install' mode. It means that there should be a mechanism for machines to be easily updated to correct problems. WU is a step in the right direction and so far having 'download and install' enabled would have prevented almost all of the major outbreaks that involved the Windows OS components and would have broken a small percent of machines with mostly rare configurations.
I wish that MS would have taken heed of my suggestion to allow for multiple signatures on patches (and a mechanism in the OS to verify/act on them.) This would allow users to delegate any number of trusted third parties to verify that the patch: came from MS, actually works, and doesn't adversely affect the other apps that I run. This could all be done without the user having to look at any code or test it themselves.
Warning when things on the machine seem strange can definitely prevent virus outbreaks because it provides the user with an indication that something may be amiss. Many people have spread malware for months because they didn't realize that it was there. Simple things like 'Are you sure you want SpamPasser.exe to access your address book?' (implemented in OL 2002 SP2) or 'Should fileBot5.exe be granted access to the Internet?' (implemented in XP SP2) are steps in the right direction to at least clue-in people that there may be a problem. In fact, I think that behavior-based detection will be used in favor of signatures in the NearFuture(TM).
To put a system in a 'known-good' state, boot from your favorite OS CD. Knoppix is an excellent example of this. There is also a very good Windows XP-based CD called BartPE.
Finally, limited execution environments are excellent for dealing with untrusted code in a secure system, but make it more difficult to allow useful (and fast) interaction between processes. In the *NIX world there are quite a few options that work reasonably well (jail, chroot, emulated execution, VM.) In Windows NT+ you can launch processes in different user contexts with limited separation. These have existed for a while and work well for some medium-security applications. Unfortunately, it usually slows down execution and as one wise security guru once told me, 'Functionality trumps security every time.'
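The multiple-signature patch idea from the post above, as an added example that is not the poster's or Microsoft's code: a patch is accepted only when the vendor's signature verifies and at least a threshold of user-chosen delegates (hypothetical "compat-tester" and "auditor") have signed the same digest. It uses Go's crypto/ed25519 with throwaway keys and a constructed patch payload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Policy: the vendor must sign, AND at least Threshold user-chosen delegates (hypothetical names) must sign the same digest.
type Policy struct {
	VendorPub ed25519.PublicKey
	Delegates map[string]ed25519.PublicKey
	Threshold int
}

// Accept reports whether sigs (keyed by signer name, "vendor" for the vendor) satisfy the policy for these patch bytes.
func Accept(p Policy, patch []byte, sigs map[string][]byte) bool {
	d := sha256.Sum256(patch) // every signature is bound to the full patch
	if s, ok := sigs["vendor"]; !ok || !ed25519.Verify(p.VendorPub, d[:], s) {
		return false // no valid vendor signature: reject regardless of delegates
	}
	approvals := 0
	for name, pub := range p.Delegates {
		if s, ok := sigs[name]; ok && ed25519.Verify(pub, d[:], s) {
			approvals++
		}
	}
	return approvals >= p.Threshold
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo runs a constructed scenario (throwaway keys, fake patch bytes) and returns the verdicts for vendor-only, vendor+tester, and a tampered patch.
func Demo() (vendorOnly, vendorAndTester, tampered bool) {
	vendorPub, vendorPriv := newKey()
	testerPub, testerPriv := newKey()
	auditorPub, _ := newKey() // delegated, but silent in this run
	policy := Policy{VendorPub: vendorPub, Threshold: 1,
		Delegates: map[string]ed25519.PublicKey{"compat-tester": testerPub, "auditor": auditorPub}}
	patch := []byte("constructed patch payload")
	d := sha256.Sum256(patch)
	sigs := map[string][]byte{"vendor": ed25519.Sign(vendorPriv, d[:])}
	vendorOnly = Accept(policy, patch, sigs) // authentic, but nobody the user trusts vouched for it
	sigs["compat-tester"] = ed25519.Sign(testerPriv, d[:])
	vendorAndTester = Accept(policy, patch, sigs)
	tampered = Accept(policy, []byte("constructed patch payload!"), sigs) // digest changes, all signatures fail
	return
}
```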
I actually used to use Outlook as my preferred mail client. Then they 'updated' it and prevented my mail-viewing template from working properly. I basically created a filter that (before any non-text email was rendered) removed a list of about 15 strings that had potential for being harmful (ActiveX, XSL, CSS, JS, images, etc.) The geniuses that updated OL in OfficeXP SP2 changed the behavior of OL to actually pre-render the HTML content before it hit my filter. So the images were downloading, CSS would format the text, JS would run, etc. That's when I ditched OL in favor of Mozilla Mail.
I recognize that there are some rudimentary protections in SP1 and SP2 that supposedly make some of this content 'safe,' but given the ease with which people have found cross-zone scripting, redirecting, and spoofing problems I would rather just use something that gives me more control over the content that gets executed on my machine.
If you still use Outlook/IE, please patch it now to correct the latest JPEG overflow in addition to a few other holes from the past few months. That only prevents the currently known-to-work problems from biting you. If history is any indicator, there will be quite a few more in the future.
You stated that you don't automatically patch, but have Windows Update alert you when there is a problem. That's an excellent idea as long as you actually install the patches that most affect you. I used to promote that behavior but found that most people just ignore the 'ready to install' notification and contract the malware that would have been prevented. I don't advocate 'automatic install' from WU for all people. There are other excellent methods of automating patching (SUS and SMS come to mind for organizations.)
Unfortunately, common sense avoiding doesn't work anymore with executable content. Defense-in-depth is necessary. You have to set up independent layers (Good software selection, AV, Firewall/IDS, AutoPatching) to protect you because it's really inconvenient to surf without JPEGs and you didn't even know to block them until 6 months after the problem was found...
This is an interesting academic exercise, but the basic defenses that have been preached for years work just fine:
- Avoid IE for surfing
- Avoid OL/OE for eMail
- Firewall (in and out) all OSes with large numbers of exploitable bugs
- Automate patching
- Warn on Anomalous behavior
- Have a virus scanner that is up to date
I don't even rely on the last one and I've been virus free for the past 9 years!
It's possible that there is more to this than what I have divined from the 'uber-secret-vendor-only' disclosure but this seems to be little more than traditional cache poisoning with random-number-generator (RNG) prediction. Both of these situations have been well known and documented within the security community for a number of years.
Cache poisoning was predicted long ago by Dan Bernstein (as mentioned by a previous poster or two)[1]. (Nobody listens to me either, DJB.) The combination of this and RNG prediction was wrapped up nicely by Joe Stewart in his 2002 (I think) paper [2]. Joe used Michal Zalewski's free TCP/IP sequence number prediction software [3] to visualize random number generator attacks on DNS responses from various resolvers. The paper is well worth a look if you made it through the last sentence and are still reading this one.
Incidentally, Paul Vixie (BIND author) posted a potential fix to this (or a surprisingly similar) problem to the Namedroppers mailing list at the end of February [4]. Time will tell whether the two events are connected.
This whole saga appears to be another case of 'marketing department run amok' but we'll have to wait for the BlackHat presentation to find out if all of this is just regurgitated previously ignored security advice.
[1] http://cr.yp.to/djbdns/dns_random.html
[2] http://www.lurhq.com/dnscache.pdf
[3] http://razor.bindview.com/publish/papers/tcpseq/vseq.tgz (currently down)
[4] http://www.ops.ietf.org/lists/namedroppers/namedroppers.2008/msg00378.html
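The RNG predictability the post above describes is something a resolver operator can check on their own resolver. This added example (mine, not code from the post or from the cited papers) assumes the 16-bit values under test are the query IDs or source ports captured from the resolver's outbound queries, and flags a sample that counts, repeats or stays within a narrow range; the samples here are constructed, not real captures.

```go
package main

import "math/rand"

// Verdict summarises a sample of 16-bit values (query IDs or source ports).
type Verdict struct {
	Distinct    int     // unique values seen
	Span        int     // max - min; a narrow span means few effective bits
	NearSeqFrac float64 // fraction of consecutive pairs differing by <= 16
	Predictable bool
}

// Assess flags a sample that fails any of three cheap tests (thresholds suit a few hundred values).
func Assess(v []uint16) Verdict {
	if len(v) < 2 {
		return Verdict{Predictable: true} // too little data to trust
	}
	seen := make(map[uint16]bool, len(v))
	lo, hi, nearSeq := int(v[0]), int(v[0]), 0
	for _, x := range v {
		seen[x] = true
		if int(x) < lo {
			lo = int(x)
		}
		if int(x) > hi {
			hi = int(x)
		}
	}
	for i := 1; i < len(v); i++ {
		if d := int(v[i]) - int(v[i-1]); d >= -16 && d <= 16 {
			nearSeq++ // counting or slowly drifting generator
		}
	}
	r := Verdict{Distinct: len(seen), Span: hi - lo,
		NearSeqFrac: float64(nearSeq) / float64(len(v)-1)}
	r.Predictable = r.NearSeqFrac > 0.2 || r.Span < 1<<12 || r.Distinct < len(v)*9/10
	return r
}

// gen builds a constructed sample of n values from f.
func gen(n int, f func(i int) uint16) []uint16 {
	v := make([]uint16, n)
	for i := range v {
		v[i] = f(i)
	}
	return v
}

// Constructed samples, not captures from any real resolver: one that simply
// increments its query ID, and one that draws full 16-bit values from a PRNG.
func CountingIDs(n int) []uint16 { return gen(n, func(i int) uint16 { return uint16(1000 + i) }) }
func RandomIDs(n int) []uint16 {
	rng := rand.New(rand.NewSource(7))
	return gen(n, func(int) uint16 { return uint16(rng.Intn(1 << 16)) })
}
```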