lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1074731331.2540.290.camel@coruscant.weisserth.net>
From: tobias at weisserth.de (Tobias Weisserth)
Subject: Anti-MS drivel

Hi yossarian,

Am Do, den 22.01.2004 schrieb yossarian um 00:05:
> Have you noticed that you can put diesel in a normal car, cause the muzzle
> at the gas station is too thick?

When you open the lid it says on the inside which type of fuel you need.

When a user buys a computer he knows if he bought a PPC or a x86 the
same way they know they bought a Diesel instead of an Otto fuel engine.
Your fuel analogy may work for cases where consumers have bought Mac
software by accident though they have a PC ;-)

> Ask the local garage how often it happens the other way around.

I don't know how this works in the US but in Europe gas stations and
fuel inlets are only compatible if you use the right fuel. I couldn't
refuel my car with Diesel even if I wanted to.

> Who is to blaim - where are talking product liability
> here, while most of us are not trained in legal matters - hence the example.

There is the difference between a consumer taking action to damage the
product in contrast to the consumer NOT taking action to REPAIR a
product the vendor shipped broken.

> And remember - people are required to have formal training to drive a
> car....

Do you want to establish the same situation for PCs? Vendors will not be
happy since this limits their market.

>  With the laters updates for Outlook, most attachments are blocked by
> default, and guess what: question No.1 to the helpdesk: how do I turn this
> feature off?

See? That's what I actually predicted. If a risky feature is turned off
by default then users who want it enabled have to educate themselves,
using the help-desk at the company or local product documentation in the
case of the home end user. If a single user is willing to take the risk
- fine. Let him. But millions of other users will be happy the way it is
and stupid spreading mechanism like "running an attachment" will not be
spreading Win32/Bagle-A in the future.

> When I drove home after reading this thread, I tried to open the hood while
> driving - guess what? It does.

It's mechanical, right? No electronic stuff between the lever you pull
and the hood, right?

As You must know, such "driving"-"computing" analogies are useless and
pointless since people need a license to drive while a PC is an ordinary
consumer product we expect our kids can operate.

> So things can go wrong when I just push buttons randomly. But only irresponsible and stupid people will do that!

But people are this way. There's no point in trying to change them. Even
when you succeed in doing so, new and maybe even worse stupidity
regrows. When you have a solid product that is near fool-prove it
doesn't matter if Murphy sends waves after waves of stupid users against
you.

> Yep, cause if the wind catches the hood it wil fold over the windscreen.
> Let's sue GM!

Let's say the lever to open the hood is placed in a way the driver or
the co-driver could operate it with ease and without shifting position
in the seat then this would indeed be a reason to sue the manufacturer.
Imagine a curios minor is sitting on the co-driver's seat and plays
around at the radio and pulls the lever next to it. The lever in my car
is placed UNDER the driver's seat so that people don't get the idea of
pulling it. Attachments are usually displayed along with the message and
can be opened without "shifting position while driving".

> My car won't even complain when driving in the dark without
> the lights on. Technically a piece of cake to fix - my former car put them
> on automatically - and the whipers when it rained, too. But the new one
> doesn't - my point is that even in car manufacturing with a 100 years
> experience, certain security features are lacking in new cars. Remember the
> Pinto?

[OT]
Sorry, doesn't ring a bell. I'm not really into the American car market,
sorry. I drive a car you can't buy in the States and there are even more
cars in the States that are not for sale in Europe. It's amazing how a
landscape can differ by just looking at the different types of cars,
don't you think? :-)
[/OT]

> Now the e-mail attachment. E-mail is the killer app, most used PC feature,
> so this is where stupid people are bound to do wrong. If you block opening
> attachments they'll save it to their desktop and either call the helpdesk
> since they can't seem to find the file and start yelling about it, or open
> it from the desktop.

This is already enough. Most users won't even bother when they can't
open an executable attachment they didn't expect. They'll dismiss it and
go on. Even if some individual users pursue their quest of curiosity and
want to start the damn thing then they still form a minority. This
improves things. Imagine only 3 out of 10 users who want to start an
anonymous email attachment, care to find out how to sail around inbuilt
security. The 7 other users give up, don't care or continue in their
work flow. Then only 3 out of 10 PCs get infected where we normally had
10 infected PCs that would have tried to infect more and consumed
valuable bandwidth on the net. Anti-Virus software vendors would gain
more time since the virus spreads slower and companies would have more
time to react. Mission accomplished.

> Believe me, i've seen this happen. What do we do next -
> prevent users from starting executables alltogether?

If people wouldn't run as administrators in XP Home then the execution
of malicious code would only be half as bad as it is.

When a normal user in Unix/Windows/Mac OS X runs a malicious program
then the worst that can happen is that his home directory gets busted.
Only if this program can exploit a local vulnerability then the system
gets compromised. Windows XP Home users bust their whole system when
they make a single mistake. This is a rather high stake considering the
fact that XP Home is aimed at the end consumer who is bound to make
mistakes, don't you think?

[Please don't start an OS war on this. It is a matter of principle, not
OS. Windows 2000 can be used in almost the same way users and groups are
handled in other OSs. It's the "why not this way by default in XP Home"
that is important.]

> Make a .Pol file so the only executable they can run is winword.exe and outlook.exe?

No, mount user partitions [those where they can save files] with the
noexec option. :-)

You see, there ARE already some VERY good and solid concepts to handle
these principal questions. Vendors only need to implement and include
them by default. This is more important than educating users.

Instead I get the impression that most vendors are just saying: "Bring
'em on."

> Theoretically sound, but with the reality in many shops that they give local admin to
> users since the customer is allways right,

You haven't understood this a bit. You are not doing the customer a
favour when you let him be administrator by default. When end user
applications need admin rights to run under Windows then this is serious
design flaw that needs to be changed before demanding changes in users
behaviour.

If you give a user admin accounts by default and he fails to handle them
in a responsible way then you are wrong, it is your fault. And yes:
because the customer is always right. You should have known in the first
place that no good can come from "admin by default" because you must
know your typical customer.

>  or some other lame excuse, it won't work.

Trust me. It already DID work.

> People just clicking everywhere should not be using *any*
> operating system, or any other complex device for that matter, like a car.
> Why blame a device for complexity some people can't handle? ANY device?

Who do you want to sell PCs? Only companies with IT infrastructures?
Only administrators? Computer Science students? Or the average guy on
the street, the six year old, the granny?

This is an economic question. Not a technical one. If you want to sell a
product then it has to be aimed at a specific group of consumers. If
they can't handle your design, then they'll eventually switch as soon as
there is competition available that is doing better. We are about to get
into this situation within this year and the next few years.

> > > The faulty nature does not deter many people from using it, so
> > > the flaws cannot be too serious.
> >
> > A problem is only a problem in the eye of the end consumer if "rien ne
> > va plus". Only when a PC won't start up again, the end user knows
> > "Uh-Oh...".
> >
> > In the meantime this same virus and worm ridden system has caused major
> > traffic jam on email servers and made the day on the Internet a hell.
> 
> Routers choke, servers gasp, let's blame MS, is that it?

Yes. Let's blame MS for not closing down unnecessary services on
consumer boxes by default. Finally you understood me.

But my "blame" isn't simple bashing. I expect MS to do better. If enough
people raise their voice then MAYBE the next releases of Windows will
improve things by not offering admin accounts by default for consumer
versions or having all sorts of outside connections open by default.

> Let's imagine a worm that propagates using something like older OpenSSH, open FTP
> directories accepting anon, and samba shares - use buffer overflows in
> sendmail and apache for effective rights - and CORBA to root. It contains a
> mechanism for detecting the network lay-out, along the lines of p0f, and a
> tunneling mechanism for additional payload over a P2P like network, with a
> TLS communication. And it would trigger at certain intervals ARP flooding to
> all systems with DNS and BootPS. At the end of the year it would tell intel
> processors it is a 286. To make the fun bigger it would find the installed
> certificates on the machine and use it to sign the trojans it installs.
> Would networks crumble?

That depends upon the quantity of infected machines trying to reproduce
and spread the worm.

> Servers and routers need special care, for cases such as this one.

Yes. And end user, consumer versions of operating systems ["advanced
game loaders" as I've read here :-)] don't need unnecessary services and
root access for default users.

> Complaining about either stupid users or Outlook is not going to change
> anything - fix your infra. And chop-bloody-chop with it!

That may be right for you and me but not the average end consumer who
doesn't want to "fix" anything and who doesn't have an "infra". He
simply wants to use it. They expect their PC to work in the same way a
TV set works. You switch it on and switch it off. That's the kind of
"button pressing" they want to do. Not fixing stuff. It is our task to
make this possible.

> If you are to build a virus, go for the greater numbers.

No. Go for the weakest target. If I know 90% of all possible targets
have an exploitable service running by default, then this is the weakest
target.

>  Worms even more so.

Yes, that's true. And use vulnerabilities you can count every target
computer has: like an open RPC port on 99% of end user PCs.

> So this is what it all boils down to - the risk of the monopoly.

I don't worry about the monopoly. It's already seen its best days.
Market powers are already in motion and by the end of this year the
desktop market will show the first signs of changes.

> And yes this puts a huge responsibility on MS. Maybe we can blame them, but any
> monopoly on the desktop brings this risk.

You are absolutely right. That's why my criticism isn't limited to MS or
any other vendor. I can criticise any other vendor without blushing.
Trust me.

> Since standardisation in OS and applications is corporate policy everywhere, and globalization is real,
> there will allways be a monopoly on the desktop with all its inherent risks.

This is where you will be proven wrong. With all the urge to
standardisation, how do you explain the rising number of successful
Linux vendors haven't found a way to standardise methods of packet
management, a common Window-Manager and common widget sets and so on?

Competition and innovation are very inter-dependant. Even more so in
globalisation.

> Maybe not  MS's but then some other. And guess what? The next one will be
> worm and virusridden too That is the reality of being a sysadmin in the 21st
> century. If you can't take the heat, stop whining, this is a kitchen you
> know.

If you fail to see how a few very simple measures by the vendor you and
I have to apply anyway can improve the situation then I feel sorry for
you. You may be able to fix the problems in your organisation but the
real problem are those millions of unsupported end users connected to
the Internet, having their Windows XP Home wide open for anything as
soon as they forget to "sysadmin" it because they have a private life
and a family at home.

cheers,
Tobias


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ