lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040120213114.P17455@dekadens.coredump.cx>
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: Anti-MS drivel

On Sun, 18 Jan 2004, yossarian wrote:

> I checked the flaws reported the last week - and yes I read many many lists,
> some 250 mails per day - and the only thing getting close to software used
> in bigger environments is this BEA thingie 5 days ago /.../

Yup, security research focuses on home computing, but this does not mean
the quality of enterprise software is any better; quite the opposite. I
had a chance to audit a bunch of big enterprise applications in several
places I've worked in, and it is very uncommon to find a solution that
will not fall apart if you mess with its proprietary protocols and
interfaces - often exposing gross trust model design problems.

These applications usually undergo much more rigorous QA, and this
elliminates most of basic reliability issues that occur in reasonably
"normal"  working conditions - but the most common type of QA does almost
nothing to find problems that will surface only when the application poked
with a stick by a sufficiently skilled attacker. Old school development
and quality assurance practices, and developers with mindsets locked on
the network security it used to be in late '80s or so, are far more
prevalent in these environments. And it really really shows.

The relatively low number of vulnerabilities found in those products can
be contributed to a couple of basic factors:

1) Average Joe Hacker does not have access to prohibitively expensive
   or highly specialized systems used in high-profile corporations.
   He does have his Windows and Linux partition, though, maybe even
   a Solaris box somewhere, and can sometimes get ahold of Oracle.
   Enterprise applications for VMS or OS/400, doubtly so. This holds true
   both for amateur researchers, and for many "vulnerability research"
   shops, too - they simply do not have the budget (or incentive) to
   do it.

2) Joseph Hacker who happens to be working in a corporation that has such
   a platform is usually limited in how far he can experiment with it
   while playing it safe, especially if it is a production system "ever
   since", and creating a dedicated testbed with appropriate data feeds
   would be overly complex or time-consuming.

3) Even if Joseph finds a flaw, he is expected to work with the vendor
   to protect his company's assets, instead of disclosing a problem
   (otherwise, a swift retaliation from both the vendor and his
   now ex-employer would ensue). He does not have the freedom
   Joe enjoys.

   Moreover, sometimes vendors are extremely non-cooperative, and there
   is simply no other choice for this platform that could be used
   as a replacement without major transition expenses and problems.

4) The public interest in this type of vulnerabilities is marginal.
   Although some solutions may be popular in corporations, the systems
   usually do not face the Internet, and are seldom mentioned in the
   media. As such, there is very little incentive to disclose this
   type of stuff, as only a couple of folks are going to realize
   what you are talking about to start with.

Just my $.02.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-01-20 21:31 --

   http://lcamtuf.coredump.cx/photo/current/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ