| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: Anti-MS drivel
On Sun, 18 Jan 2004, yossarian wrote:
> I checked the flaws reported the last week - and yes I read many many lists,
> some 250 mails per day - and the only thing getting close to software used
> in bigger environments is this BEA thingie 5 days ago /.../
Yup, security research focuses on home computing, but this does not mean
the quality of enterprise software is any better; quite the opposite. I
had a chance to audit a bunch of big enterprise applications in several
places I've worked in, and it is very uncommon to find a solution that
will not fall apart if you mess with its proprietary protocols and
interfaces - often exposing gross trust model design problems.
These applications usually undergo much more rigorous QA, and this
elliminates most of basic reliability issues that occur in reasonably
"normal" working conditions - but the most common type of QA does almost
nothing to find problems that will surface only when the application poked
with a stick by a sufficiently skilled attacker. Old school development
and quality assurance practices, and developers with mindsets locked on
the network security it used to be in late '80s or so, are far more
prevalent in these environments. And it really really shows.
The relatively low number of vulnerabilities found in those products can
be contributed to a couple of basic factors:
1) Average Joe Hacker does not have access to prohibitively expensive
or highly specialized systems used in high-profile corporations.
He does have his Windows and Linux partition, though, maybe even
a Solaris box somewhere, and can sometimes get ahold of Oracle.
Enterprise applications for VMS or OS/400, doubtly so. This holds true
both for amateur researchers, and for many "vulnerability research"
shops, too - they simply do not have the budget (or incentive) to
do it.
2) Joseph Hacker who happens to be working in a corporation that has such
a platform is usually limited in how far he can experiment with it
while playing it safe, especially if it is a production system "ever
since", and creating a dedicated testbed with appropriate data feeds
would be overly complex or time-consuming.
3) Even if Joseph finds a flaw, he is expected to work with the vendor
to protect his company's assets, instead of disclosing a problem
(otherwise, a swift retaliation from both the vendor and his
now ex-employer would ensue). He does not have the freedom
Joe enjoys.
Moreover, sometimes vendors are extremely non-cooperative, and there
is simply no other choice for this platform that could be used
as a replacement without major transition expenses and problems.
4) The public interest in this type of vulnerabilities is marginal.
Although some solutions may be popular in corporations, the systems
usually do not face the Internet, and are seldom mentioned in the
media. As such, there is very little incentive to disclose this
type of stuff, as only a couple of folks are going to realize
what you are talking about to start with.
Just my $.02.
--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2004-01-20 21:31 --
http://lcamtuf.coredump.cx/photo/current/
Powered by blists - more mailing lists