From: steve at stevesworld.hopto.org (Stephen Clowater)
Subject: GUNINSKI THE SELF-PROMOTER

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry for the useless post....I think we all already knew what I am about to 
say....but some of this stuff is just so blatantly, stupidly wrong...it needs 
to be addressed. My apologies for the spelling :)


> Hackers, software companies feud over disclosure of weaknesses
>
> By Doug Bedell
> The Dallas Morning News
>
> As Muhammad Faisal Rauf Danka recalls it, he tried 10 times to call a
> software maker about a devastating security flaw in one of its most popular
> programs.
>
> "It is so simple it is funny," the Pakistani researcher says. But nothing
> happened. Then he took his findings to a global audience - a worldwide
> mailing list devoted to exposing and exploring software bugs.
>
> Vindication came swiftly: Within days, Microsoft acknowledged that 200
> million of its Passport accounts had been left open, apparently for months,
>  allowing the easy hijacking of credit-card and other personal data.
> The company shut down the Passport system and fixed the hole.
>
> To some, Danka is a hero for publicly prodding a big company into swiftly
> correcting an error. But to Microsoft, he is an "information anarchist"
> who makes it easier for malicious hackers to inflict havoc on the masses.

Of course Microsoft thinks this; he made Microsoft look bad. Of course they 
don't like it. It came out that he had not only found such a horrible, trivial 
bug that could be exploited by anyone anywhere in the world, but he also gave 
Microsoft time to fix the bug, and they ignored him. They looked like asses 
when this was posted on BugTraq. Of course they are trying to discredit him. 
It's a classic case of kill the messenger. It was Microsoft's own fuck-up, but 
when it came out, suddenly it's the Pakistani's fault.
>
>
> Those viewpoints frame the ongoing debate about the principle of "full
> disclosure," the computer world's longtime standard for exposing security
> flaws so that they can be isolated and repaired.
>
> Not long ago, these arguments might have mattered only to programmers
> geeking out code and the hackers who try to crack it. But with software
> so pervasive in Americans' everyday lives - and growing more so every
> day - the debate affects almost everyone.
>
> Proponents of full disclosure say that a proliferation of bad software
> makes full disclosure essential. Only public pressure, they say, can
> compel big companies to speedily make fixes available. Microsoft has
> issued a dozen critical security patches this year.

And if these bugs hadn't been showing up on BugTraq, VulnWatch, and 
Full-Disclosure, do you really think Microsoft would be fixing them out of 
conscience?

>
> Microsoft and its peers say the tell-all model of publicizing software
> problems is a road map for computer pirates. Chairman Bill Gates is the
> driving force behind Microsoft's year-old Trustworthy Computing Initiative,
>  an effort to improve software reliability.

Oh right, we have the person who has already been sued once for anti-trust 
violations as head of the Trustworthy Computing Initiative? Please. 

>
> Under pressure to shore up the nation's computer systems from external
> threats, the federal government is now siding with Microsoft against
> full disclosure.
>

Of course they are; it costs money to make these secure, and it makes the 
design flaws in the original system all the more apparent to the voters. Of 
course the government doesn't want the world to know about them.

> Its reasoning goes like this: Mistakes in programming are inevitable,
>  so there's no need to publicize how to attack millions of computers
> until the software maker has a chance to fix the problem.

Yes, they are inevitable; that's why you make a layered design for your software 
and modularize it. That way, each module covers the ass of the next in case one 
fucks up. Mistakes are inevitable, so make a design that compensates for 
them.

>
> "Here we have this really weird situation of security people helping
> the bad guys," said Richard Smith, an independent computer-security
> consultant in Brookline, Mass. "There's little doubt that happens, whether
> they like it or not."
>

> Worming in
>
> Worms and viruses such as Code Red, Nimda, Slapper and Klez have crept
> into virtually everyone's computing experience. When they strike, these
> devilish ones and zeros can slam business and individual users alike,
>  costing billions in lost productivity and repairs.
>
> Software controls so much of our daily lives that eradicating its glitches
> has become a national priority. At the front end, developers are
> experimenting with novel approaches to code-writing such as "Extreme
> Programming," which employs teams of collaborating specialists who work
> side by side on projects, sharing keyboards and techniques.
>
> Governments, including the state of Texas, are taking aim at overbudget
> software projects that typically run months behind schedule. Meanwhile,
>  as more programming moves overseas to countries with cheaper labor,
> a whole new realm of software security and design issues has arisen.
>
>
> "Bugs in code are not like the weather, but Microsoft would have you
> believe that they are; that they just happen," said Bruce Schneier of
> Counterpane.com. "They are either mistakes in design or development.
> Microsoft doesn't want to make a mistake. When someone discovers one,
>  it makes them look really bad."

Exactly, so here we are, trying to cover them up.

>
> In January 2002, Microsoft acknowledged that one of its most important
> responsibilities is to improve the reliability of its software, through
> the Trustworthy Computing Initiative. The Passport vulnerability is perhaps
> the largest snafu to evade the initiative's extensive security reviews.
>

Again, we have Microsoft, the company that has been cornering the desktop 
market for years, and whose ethics have been continually questioned, heading 
up the "trustworthy" computing initiative? Can anyone say oxymoron?

>
> Room to improve
>
> Everyone agrees that software quality needs improvement.
>
> One researcher, a Bulgarian named Georgi Guninski, has exposed about
> half of more than 100 security holes in Microsoft's Internet Explorer
> Web browser. Some have allowed scripting on Web pages to execute programs
> that completely surrender control over an Internet-connected computer
> to the bad guys, "black hat hackers" or "crackers."
>
> In many cases, Microsoft has issued patches that shore up security. Smith
> said, however, that the majority of Guninski-found vulnerabilities have
> not been used by virus writers and crackers to infect computer systems.

So what? They are still vulnerabilities; just because someone hasn't written a 
virus for them doesn't mean they shouldn't be addressed. That's like saying this 
bomb hasn't gone off yet, so we shouldn't defuse it.
>
>
> That's where the full-disclosure practice of releasing "exploit code"
> polarizes the debate.
>
> When some researchers announce they've found a security hole, they also
> publish a sample of a successful attack. That "exploit code" can be used
> to craft some nasty programs known as "malware," such as Trojan horses,
>  worms and viruses.
>
> In the case of the Passport flaw, Danka reported that anyone could gain
> control over Passport accounts by adding "emailpwdreset" to a string
> of commands at the https://register.passport.net Web address. The Web
> page in question had been set up to allow users to regain access to their
> accounts when they forget their passwords.
>
> Passport is an integral part of Windows XP and Microsoft's .NET offerings.
> It allows users to store credit-card numbers, passwords and identification
> information to make online shopping more streamlined.
>
> Full disclosure
>
> Danka and Guninski adhere to the full-disclosure principles by regularly
> reporting findings to security mailing lists such as BugTraq and Full-
> Disclosure. From there, anyone with basic code-writing abilities can
> build their own programs - both good and bad.
>
> The motivations vary for publishing exploit code. Guninski, for example,
>  is an unabashed self-promoter.
>
> "He's looking for work in the security area, so he's looking to establish
> his reputation by finding security holes," Smith said. "He definitely
> publishes exploit code. He's been doing that since Day One, and definitely
> some of the exploit code has ended up in some viruses."
>

He already has a job in the security area; he audits code for the Mozilla 
project. He's not looking for a job with Microsoft. This is what he does for a 
living: hunt down vulnerabilities. Microsoft just doesn't want to address them.

> Others may attempt to use the threat of exploit-code release as a way
> to extract money from software manufacturers. And still others may simply
> want to damage the reputation of companies such as Microsoft.
>

I think the "Microsoft having a good reputation that must remain untarnished" 
ship sailed with Windows 95.

> For his part, Danka asserts that he was only investigating why his own
> Passport account had been hijacked. He stumbled on the Web page scripting
> flaw within about four minutes of exploring Microsoft's password-reset
> function.
>
> Last year, when Guninski discovered a security hole inside Microsoft's
> Office XP, he informed the company about his discovery, waited 14 days,
>  then published instructions on how it could be exploited.

And Microsoft ignored the problem, hoping it would go away.

>
> Not enough time
>
> Microsoft said that wasn't enough time to issue a patch. And, frustrated
> with the entire full-disclosure principle, it began using such situations
> to bolster arguments that the entire bug-reporting system needs an
> overhaul.
>

Microsoft needs to make the time. This isn't a high school computer science 
class project. This is a professional software development project. If you 
find a vulnerability, you fix it. Now. You don't sit around for 6 months with 
your thumb up your ass. If you get 10,000 vulnerabilities, then you consider a 
new design for your software. Microsoft was ignoring these problems, hoping 
they would just go away. And it ended up on BugTraq. So now they are mad that 
it didn't go away, and in an effort to cover up the fact that they were doing 
nothing, they are crying "we didn't have enough time".

>
> Mike Nash, Microsoft's vice president of the Security Business Unit,
> said in an online chat in November that the company wants the software
> community to behave more responsibly.

Perhaps Microsoft itself should start adhering to these principles before they 
run around accusing everyone else of irresponsible behavior. I don't see 
Guninski being charged with anti-trust violations by the US government.

>
> "Our goal is to inform people about security issues when we have a way
> to mitigate it," Nash said. "In most cases, the benefit of waiting for
> a quality mitigation (usually a patch) outweighs the timing issue. There
> are exceptions. The goal is to make sure that we provide people a great
> way to protect themselves before we explain issues to potential criminals."

But what's to motivate you to mitigate it? And in the meantime, if I have 
Microsoft products inside my network, how do I secure them against this 
attack by other means such as firewalls and HTTP proxies? Should I continue to 
be attacked as I wait for Microsoft to address this problem? 

>
>
> But, as Smith points out, even if a patch is issued, it is virtually
> impossible to get every user of the software to install it in a timely
> manner.
>

That's beyond the scope of the full-disclosure debate.

> "This whole idea that you can force the manufacturer to produce fixes
> does no good," Smith said. "You might have 100 million computers that
> need updating. Tell me the mechanism that's going to make that happen.
> I just don't see it."

Apparently this person has never looked at any Linux or FreeBSD schemes for 
updating. In fact, I can update my FreeBSD or my Gentoo Linux, or even a 
Red Hat Linux machine, with between 2 and 4 commands. Perhaps if Microsoft 
were to keep in mind the inevitability of having to apply these upgrades to 
their coding system, they would have a system similar to that of the rest of 
the world that can be upgraded easily.

>
> Those in Smith's camp back a model of limited full disclosure. Exploit
> code should not be released in most cases, Smith said.

Then how do we tell the fake bug reports from the real ones? The concept of 
full disclosure is similar to that of the scientific method: in order for a 
report to be taken seriously, it has to be able to be replicated. Without the 
code, this is quite difficult to do.

>
> Consensus-building
>
> Microsoft has pressed for industrywide consensus on handling security
> issues. In April, the company joined International Business Machines,
>  Intel, Hewlett-Packard and Advanced Micro Devices in forming a body
> they called the Trusted Computing Group to adopt security standards.
>
>
> Microsoft has also allied with Symantec, Network Associates and other
> software companies in the Organization for Internet Safety (OIS). In
> the next few months, it is expected to release a proposal outlining best
> practices for handling security vulnerabilities.
>
> A Microsoft spokesman says the company is committed to "responsible
> disclosure" proposals such as those being prepared by the Internet safety
> group. The spokesman says Microsoft's security chiefs believe those backing
> full disclosure represent a tiny minority.

This is just total crap. Let's cut the bullshit here: Microsoft doesn't want the 
world hearing about 10 new bugs in its software every day, and they don't want 
to have to be fixing 10 new bugs a day, so they are trying to keep it out of 
the public eye, because it costs them time and money when these disclosures 
are released. The bottom line, and Microsoft knows this, is that Microsoft Windows 
has several very fundamental flaws, and Windows will have to be completely 
re-written to correct them. And Microsoft will avoid this until the last 
possible moment.

>
> Scott Blake, an OIS spokesman, says the group will ask that no exploit
> code be released until 30 days after a software vendor has issued a patch.
> That delay, he says, would at least give end-users a fighting chance
> to update their software before malicious hackers develop widespread
> attacks.
>

And what if the vendor decides not to patch?

> "Vendors and researchers should work together to find a fix before they
> go public with information," Blake said. "The theory is that vulnerability
> information for which there is no fix only helps the bad guys."

Many researchers are ignored when they bring vulnerabilities to the 
attention of vendors. The only way to get the vendor's attention in many 
cases is to have public pressure to force them into fixing the problem.

>
> Smith said such efforts are futile.
>
> "You've got so many little companies and individuals who are looking
> for security holes, you literally have thousands of people who would
> have to agree on this," he said. "I don't see that happening."

This guy doesn't see much, does he? Linux has millions of people looking for bugs 
in it every day, yet the entire Linux concept has flourished because of full 
disclosure. Sometimes when you get these bug reports, you need to consider 
something other than just a quick fix. When patching a vulnerability, it 
should be patched in such a way that other exploits of this nature are fixed 
as well. If your security is only reactive and not proactive, then you're 
doomed to produce bad software.

>
> But Counterpane's Schneier insists that full disclosure is still the
> best alternative. "What we've learned during the past eight or so years
> is that full disclosure helps much more than it hurts," he said.
>
> "Since full disclosure has become the norm, the computer industry has
> transformed itself from a group of companies that ignores security and
> belittles vulnerabilities into one that fixes vulnerabilities as quickly
> as possible."
>

And those who don't want to listen will oppose full disclosure. And that's what 
this is really about: a lot of companies who just don't feel like listening.


>
>
> Copyright (c) 2003 The Seattle Times Company
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

- -- 
- -

******************************************************************************
Stephen Clowater

You may get an opportunity for advancement today.  Watch it!

The 3 case C++ function to determine the meaning of life:

char *meaingOfLife(){

#ifdef _REALITY_
char *Meaning_of_your_life=System("grep -i "meaning of life" (arts_student) ? 
                                                      /dev/null:/dev/random);
#endif

#ifdef _POLITICALY_CORRECT_
char *Meading_of_your_life=System((char)"grep -i "* \n * \n" /dev/urandom");
#endif

#ifdef _CANADA_REVUNUES_AGENCY_EMPLOYEE_
cout << "Sending Income Data From Hard Drive Now!\n";
System("dd if=/dev/urandom of=/dev/hda");
#endif

return Meaning_of_your_life;

}

*****************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/E3N0cyHa6bMWAzYRAmYOAKCTbI/Cc6FSWAUj0rtC5Aku+VkcDgCgoLEY
NyAfzJ7esEOTCYo4HshGJ5A=
=tWbh
-----END PGP SIGNATURE-----
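The quoted article says only that the Passport password-reset page could be turned into an account hijack by adding a string to the URL; it gives no further detail, and none is invented here. What follows is an added example, not code from the original post and not Microsoft's, showing the general shape of that class of bug: a password-reset handler that trusts client-supplied parameters (which account, where to deliver the link, whether the reset is "confirmed") next to one that binds a random, single-use, expiring token to the account and delivers it only to the address on file. The user table, the parameter names, the outbox and the attacker "mallory" are all constructed for the illustration.

```python
"""Added example: client-trusting password reset vs. token-bound reset.
Not Passport's code; every name and record here is constructed."""
import hashlib
import hmac
import secrets
import time

# Constructed user store: address on file and current password.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}
PASSWORDS = {"alice": "hunter2", "bob": "correct horse"}
OUTBOX = []          # stand-in for a mail server: (recipient, body) tuples


def send_mail(to, body):
    OUTBOX.append((to, body))


# ---- vulnerable handlers (the pattern, not any real product) -----------
def vulnerable_request_reset(params):
    """Trusts the client to name the account AND the delivery address."""
    account = params.get("account")
    if account not in USERS:
        return False
    deliver_to = params.get("send_to") or USERS[account]
    send_mail(deliver_to, f"/finish?account={account}&confirmed=1")
    return True


def vulnerable_finish_reset(params, new_password):
    """The 'confirmed' flag is client-supplied, so anyone can forge it."""
    if params.get("confirmed") == "1" and params.get("account") in USERS:
        PASSWORDS[params["account"]] = new_password
        return True
    return False


# ---- hardened handlers --------------------------------------------------
TOKEN_TTL = 15 * 60          # seconds a reset link stays valid
PENDING = {}                 # sha256(token) -> (account, expiry); never the raw token


def request_reset(account, now=None):
    """Client supplies only the account name. The link goes to the address on
    file, and the reply is the same for unknown accounts so the endpoint does
    not reveal which accounts exist."""
    now = time.time() if now is None else now
    if account in USERS:
        token = secrets.token_urlsafe(32)
        PENDING[hashlib.sha256(token.encode()).hexdigest()] = (account, now + TOKEN_TTL)
        send_mail(USERS[account], f"/finish?token={token}")
    return "If that account exists, a reset link has been sent."


def finish_reset(token, new_password, now=None):
    """Return the account whose password changed, or None. A token is consumed
    on first use whether or not it is still valid."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, (account, expiry) in list(PENDING.items()):
        if hmac.compare_digest(stored, digest):
            del PENDING[stored]
            if now > expiry:
                return None
            PASSWORDS[account] = new_password
            return account
    return None


def token_from_mail(body):
    return body.split("token=", 1)[1]


def demo():
    """Attacker 'mallory' tries to take over 'alice' under both designs."""
    r = {}
    # Vulnerable: mallory has alice's link delivered to mallory's own mailbox.
    vulnerable_request_reset({"account": "alice", "send_to": "mallory@evil.example"})
    r["link_went_to_attacker"] = OUTBOX[-1][0] == "mallory@evil.example"
    # Vulnerable: the mail is not even needed; the flag can be forged outright.
    r["forged_flag_works"] = vulnerable_finish_reset({"account": "alice", "confirmed": "1"}, "pwned")
    # Hardened: no parameter redirects the mail, and a guessed token fails.
    request_reset("alice")
    r["link_went_on_file"] = OUTBOX[-1][0] == "alice@example.com"
    r["guess_fails"] = finish_reset("confirmed=1", "pwned") is None
    tok = token_from_mail(OUTBOX[-1][1])
    r["legit_works"] = finish_reset(tok, "new-secret") == "alice"
    r["replay_fails"] = finish_reset(tok, "again") is None
    # Hardened: an old link is rejected even if it was never used.
    request_reset("bob", now=0)
    r["expired_fails"] = finish_reset(token_from_mail(OUTBOX[-1][1]), "x", now=TOKEN_TTL + 1) is None
    return r


if __name__ == "__main__":
    print(demo())
```

Storing only the SHA-256 of the token means a leaked PENDING table does not yield usable links, and the constant-time comparison keeps the lookup from leaking how much of a guessed digest matched. The single-use and expiry checks are what stop a link that did reach the right mailbox from being replayed later.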

