Open Source and information security mailing list archives
 
Date: Sat Apr  8 03:02:58 2006
From: nocfed at gmail.com (nocfed)
Subject: I give up, no more posts to Full-Disclosure and DailyDave about Full Trust and .Net /Java Sandboxes

> On 4/8/06, nocfed <nocfed@...il.com> wrote:
> > On 4/6/06, Dinis Cruz <dinis@...lus.net> wrote:
> > >  First off all, I want to apologize to the Full-Disclosure and DailyDave
> > > readers for the last couple of posts which I CCed to these lists (the ones
> > > about Full Trust, managed browsers, verifier issues in Java/.Net and
> > > Sandboxing)
> > >
> > >  I know that cross-posting is not good, and that it is quite inconvenient
> > > when you happen to subscribe to more than one of the target lists.
> > >
> > >  The reason I did it was because I wanted to make sure that several
> > > companies/groups were exposed to it (and give them a chance to respond). In
> > > this case I am talking about Microsoft, Sun, Novell, Apple, IBM, Adobe, Open
> > > Source projects, etc... (basically the major software development houses and
> > > the ones responsible for most of the software used in the real world).
> > >
> > >  From the big ones, only Novell had an entry to talk about AppArmor which
> > > is an interesting process level Sandboxing solution.
> > >
> > >  But the ones that I was expecting to see in this conversation were
> > > Microsoft and Sun. We were (and still are) discussing the security
> > > advantages of Sandboxing (Partial Trust in .Net and Security Manager in
> > > Java), and given the investment that both companies have made in this field,
> > > I was expecting to see some core/senior members supporting me (Dinis) in the
> > > defense of the need to 'create environments that are able to securely
> > > execute malicious code (i.e. Sandboxes)'.
> > >
> > >  But no, not a single word. But then I was not surprised since Microsoft
> > > has been ignoring my public comments about this issue for the last two
> > > years.
> > >
> > >  This means that either A) they don't care any more about this topic
> > > (Partial Trust / Security Manager code) or B) they are just playing the good
> > > old trick to ignore the little guy (which works in environments like today
> > > when the Media and paying clients don't care (read: don't understand) about
> > > the issue discussed).
> > >
> > >  Option A) is quite realistic since Microsoft (after what happened with
> > > 'Longhorn managed code failure' and the Vista's reset to Windows 2003 code)
> > > seems to have moved (or kicked) the '.Net guys' to a corner, and decided to
> > > put their bets to create an operating system which delivers a trustworthy
> > > computing environment in the hands of Vista's UAC (User Access Control) and
> > > Vista's capability to run as non-admin (which is a bad bet in my point of
> > > view).
> > >
> > >  [side note: If the .Net framework is just a nice wrapper on the win32 API
> > > (see Richard Grimes articles on this subject) with 99% of its code executed
> > > under a Full Trust environment and never verified, then why the security
> > > overhead of the current versions of .Net framework? (namely 1.1 and 2.0). If
> > > CAS and Strong Naming (just to point two examples) don't really deliver any
> > > real security value (just like 'client side data validation'), then why
> > > incur the overhead? Maybe we would get a nice performance boost in .Net
> > > applications if all those security calls were disabled. (Idea: I want to
> > > apply my 'Rooting the CLR' research into the creation of a patch for the
> > > .Net Framework which disables all security checks and (hopefully) improves
> > > the performance of .Net applications (drop me a line if you are interested
> > > in participating in this new Owasp .Net project))]
> > >
> > >  After two years of trying, I GIVE UP on trying to bring Microsoft to this
> > > discussion.
> > >
> > >  Microsoft doesn't care, can't be bothered to participate (or the powers
> > > that be don't authorize the ones that want to participate), maybe believe
> > > that the types of attacks will not continue to evolve (i.e. the risk will
> > > not increase) or maybe is just that inertia that affects large companies
> > > where nobody is really responsible for anything and the key decision makers
> > > are so distant from the real world (or believe in their own hype and power
> > > to manipulate the market) that they don't really understand the implications
> > > of their decisions.
> > >
> > >  I think that my case is a perfect example of why Microsoft has such a bad
> > > reputation (not just in security), and why the new generation of developers
> > > (and IT professionals) are moving to Open environments (like Open Source).
> > >
> > >  In the medium / long term Microsoft cannot afford to continue to ignore
> > > little guys like me (which are trying to do the right thing and help
> > > Microsoft to solve their security problems). They need to show respect and
> > > (at least) publicly talk about the issues raised.
> > >
> > >  Microsoft and Bill Gates like to talk about trust and trustworthiness. Well
> > > trust is something that is built over time, with respect, dialog and
> > > transparency. Not by ignoring and pretending that one doesn't exist.
> > >
> > >  Maybe Microsoft's problem with me is the fact that I will NOT work for them
> > > nor sign an NDA (since I know that my independence would disappear the
> > > moment I signed one), or maybe they think that I am not good and
> > > knowledgeable enough for them to spend their 'precious time' with.  They are
> > > wrong in not engaging in this conversation, and in ignoring my public
> > > requests to talk. I might be more vocal than some of my security consultant
> > > friends, but I know that most are as frustrated as me in Microsoft's
> > > attitude to Security.
> > >
> > >  Memo to Sun: "Java has the same problem, and you should be worried when
> > > senior members of your community are very surprised to discover that most
> > > Java code is executed in -noverify environments"
> > >
> > >  What I know is that my conscience is clear. Nobody can accuse me of not
> > > trying. Over the last two years I made every ethical effort to call
> > > Microsoft's attention to this problem: I wrote articles, security guides,
> > > security tools, training courses, presentations, collaborated on .Net Open
> > > Source projects (like Owasp), and even had two meetings at Microsoft Redmond
> > > campus with several Key players in Microsoft's security and .Net teams (it
> > > seems, that all that was left to do, was to bring down a couple ISPs /
> > > global companies just to prove my point, but since I am ethical and a 'good
> > > guy', that is something that I will never do).
> > >
> > >  From all this effort, I have very little to show for it (except for my
> > > increased knowledge, several good contracts and some raised awareness to a
> > > couple thousand professionals which read or saw my materials or used my
> > > tools).
> > >
> > >  My main objectives were to get Microsoft to publicly admit that .Net
> > > Framework's Full Trust is a big problem and to start the paradigm change to
> > > a Partially Trusted world.
> > >
> > >  Unfortunately I failed.
> > >
> > >  .Net 2.0 was launched and nothing changed.
> > >
> > >  99% of the applications that exist today and are currently under
> > > development are designed for Full Trust (or equivalent) environments.
> > >
> > >  So, I will wait patiently for the day that Microsoft (and the others)
> > > decide to join the party. Meanwhile I will continue my discussions on the
> > > webappsec@...urityfocus.com, websecurity@...appsec.org and
> > > owasp-dotnet@...ts.sourceforge.net mailing lists, since at
> > > least there my ideas are debated and challenged by other like minded
> > > professionals (thanks guys).
> > >
> > >  I will no longer initiate another discussion on Full-Disclosure and DailyDave
> > > about Full Trust and .Net /Java Sandboxes because its audience is not
> > > interested in them and the Microsoft (and others') subscribers ignore them.
> > >
> > >  To wrap things up here are a couple quotes from a senior Microsoft Security
> > > employee, given to me in his office in Redmond a couple months ago (in Feb
> > > 2006):
> > >
> > >  "...Dinis, what you are saying is important, but at the moment it is not
> > > one of our main priorities... There are several reasons ... a main one is
> > > the fact that we tried that with Vista and it didn't work... but probably
> > > the main one is that we (Microsoft) don't have client pressure to deliver it
> > >
> > >  ... basically there is currently no business case to invest in that since
> > > our (Microsoft) clients are not demanding it...
> > >
> > >  ...what needs to happen is that you (Dinis) need to find 5 major
> > > Microsoft's clients which want this, and then we might do something about it
> > > ..."
> > >
> > >  My response to this last comment was "...look, this is not my problem, this
> > > is Microsoft's problem since it is Microsoft who is promising to deliver
> > > 'trustworthy computing environment'. So if Microsoft doesn't want to do it,
> > > and Microsoft's clients don't put pressure, then there is nothing I can tell
> > > you (Microsoft) that will change your mind..."
> > >
> > >  My conversations with Microsoft's employees tend to always end the same
> > > way: I ask them to start by acknowledging the current Full Trust problem,
> > > and they respond by saying '... we are working very hard ... or ... things
> > > are better today than they were a couple years ago ...or ... when compared
> > > with the status of the industry we are not that bad ... or ... we know that
> > > we need to do better to educate our developers to write partially trusted
> > > code...'. Basically just words and no actions.
> > >
> > >  Sorry for the 'digital noise' of my previous posts.
> > >
> > >  Best regards
> > >
> > >  Dinis Cruz
> > >  Owasp .Net Project
> > >  www.owasp.net
> > >
> >
> > Congratulations.
> >
> > I have yet to understand why anybody would feel that the majority, if
> > even the minority, of this list could care less if they are here or
> > gone.  You should be sorry about the 'digital noise' that you are
> > spewing now: speculation and partial, out-of-context quotes without
> > an actual source name, yet you want people to listen to you.  Think
> > about it for a while.  You are wanting a Company to just jump at what
> > YOU want done, right then, without knowing their current projects nor
> > workload.  I am sure, from the broken information provided, that YOU
> > are not privy to their practices nor even escalation paths.  I am not
> > attempting to defend Microsoft, Sun or any of the other players that
> > you have listed, but Business in general.  The reason they give you
> > those replies is for liability.  When the little man on the totem pole
> > gives a direct reply then they are usually held accountable for their
> > words which could lead to the loss of their position at the company
> > that they are representing.  Just think about it.  "Thank you for this
> > information!  We will get this fixed in the next patch release" just
> > leads to an information leak then some online blogger, or self
> > righteous 'security expert', cross-posting to 20 lists claiming that
> > they got something done like The Twit(TM).  We all know that is not
> > always the case, but many larger companies have dealt with it already
> > and have placed rules and guidelines for handling such situations.
> > Many may not believe that is the best way to do it, but yet again it's
> > not what you want.  In conclusion, let's remember that they got where
> > they are for a reason as well as you are where you are for a reason.
> >
> >
On 4/7/06, michaelslists@...il.com <michaelslists@...il.com> wrote:
> nocfed, are you saying that researchers shouldn't hassle companies
> with notes about the security of their products, because they might
> have more important things to be doing then respond to them?
>
> what fucking list are you on again?
>
> -- Michael
>
>

I have no idea where you gathered that from.  If you feel that the
information needs to be disclosed then do it, but don't expect a
reply, especially in a public forum.

Show common netiquette if you decide to reply.
