Open Source and information security mailing list archives
Message-ID: <20040516084633.GD3937@positivism.org>
From: seth at positivism.org (Seth Alan Woolley)
Subject: Support the Sasser-author fund started

On Sat, May 15, 2004 at 08:31:25PM -0400, Shane C. Hage wrote:
> Why should Microsoft have more blame?
> 
> In my opinion, I believe that software companies, especially Microsoft, have
> taken all of the appropriate steps to provide security within their
> products.

Keep your head in the sand, then.  The design from the very beginning
was put together without security in mind.  Their OS revolutionized the
anti-virus industry.  There are numerous alternative operating systems
and cases where worms and viruses have been created for them (cf. the
Morris worm, slapper, etc), and most of the bandwidth in the world sits
on non-Microsoft software, mind you.

I run anti-virus software on my servers... to slough away the moronic
Windows viruses that clog up my email account.  Anti-virus monitors are
a built-in performance drag on the OS.  Microsoft says, "hey, when we
benchmark against samba, we're almost as fast, and in this special case,
we're faster".  Add on the required anti-virus program monitoring
packets in and out and watch your performance drop as that eliminates
the whole concept behind DMA as now you have to route all data through
the host cpu anyways.  Pretty soon, we'll need AV signature engines
encoded in the data bus of Windows machines in silicon.  I wouldn't be
surprised if Intel or AMD had a skunkworks project on this very problem. 
M$ is going to hit a performance wall pretty hard otherwise.

That Microsoft has chosen to run Internet-aware services by default on
Internet-aware interfaces _and_ never notified the user that this was
happening, with no easy way to disable it, is asking for trouble.  If
security to you is a thorough code audit done after a hundred million
lines have been written, it might do you some good to take a little
lesson in statistics and the frequency of bugs in C-style languages per
SLOC (source lines of code).  A code audit may uncover 90% of those bugs. 
There's still the ten percent that were missed.  Overflow exploits may
be reduced, but what about simple design errors?  What audit team is
going to find those without being integrated into the design discussion?

What other vendors have done is to disable services by default, separate
code privileges by user, run code in various levels of restricted
privileges from limited access to the filesystem (chroot jails) to
limited access to generic capabilities (POSIX 1e), and even just making
simple distinctions like what code is data and what code is
executable...  They've supposedly got a microkernel design in the
flagship NT OSs.  This should be wonderful from a security standpoint,
but in reality, has it helped them?  Why did so many processes require
system level access?  Why are _parsers_ (ASN.1) running with system
level access at all?  OpenSSH learned its lesson on that, and every
other major unix-style daemon has learned how to drop privileges and run
non-privilege-requiring code in users and processes with restricted and
dropped privileges.  Why is M$ so late to the market with even this?

> 
> Imagine you own a home and installed a security system on all the doors and
> windows.  You set the alarm and leave for a weekend.
> 
> A thief comes up to your house, breaks a window, and slides through the
> opening.  The alarm does not go off because the thief found a vulnerability
> in the security system.
> 
> Do you blame the security company that installed your intrusion detection
> system?
> 

Of course.  Blame is not restricted to the final cause.  Stop reading
Plato and move into the Enlightenment.

> Software companies like Microsoft spend a lot of money developing their
> software.  In particular, Microsoft halted development on its products so
> that all of its developers could receive training in 'secure coding'
> techniques.  

That one month did them a lot of good. ;)  Any good security consultant
would have told them to throw out the old codebase written prior to
their 'secure coding' training.  Did they?  Nope.

> Above and beyond that, Microsoft and other software companies
> undergo 3rd-party security testing of their software before it is released.

If they believe that these third party tests are effective, then I'm
sure they wouldn't mind releasing the source code to prove it...

That's not what they said on the witness stand.  Rather, they believe it
to be a national security risk to release their source code.

Auguste Kerckhoffs rolls in his grave...

They knew their products to be defective and sold them for use in
national security-sensitive situations.  That's unpatriotic deception.

They hope people are only listening to one side of their mouth.

> 
> Plus, most of the software is released to the public in the form of Betas or
> Release Candidates months ahead of the release date.  If identifying
> security holes was that easy then why aren't there more vulnerabilities
> reported before the 'gold' release of products.

I didn't get a copy of the source code (not that I would want it for M$
would surely find some way to use that against me).

Many clearly obvious vulnerabilities in source code took years to
uncover in binary form, up to eight years as was previously pointed out. 
What is a month prerelease of compiled code going to do to help find
those obscure but easily exploitable bugs once they are found?

> 
> I do expect that any computer user should have fundamental security training
> before using it.  

Not ... going ... to ... happen ...

> After all, the computer is a tool.  Nobody should operate
> a microwave or chainsaw without reading the safety instructions.  

They do operate these tools without reading the safety instructions. 
Microwave oven manufacturers include a pretty strong suite of security
features that will backthrottle the magnetron in various circumstances
such as door opening or the presence of extra reflectivity, making the
modern microwave almost foolproof.  Kitchen sinks now come with
overflow drains.  Chainsaws and winches automatically brake when the
hand is disengaged from the device.  

However, why is a user required to know how to secure their operating
system out of the box?  Why is the operating system not secure by
default?  Why is the user not given the education they need before they
are allowed to enable certain known risky services?  I know a Linux
distribution that gives security notices on services in their package
collection.  Why can't M$ do that?  They designed it for end users to
bypass the need for an administrator; M$ has thus taken this
responsibility into their own hands.  It was a grave mistake.

Additionally, your analogy is flawed.  The computer is not a microwave
or chainsaw.  It's not going to kill people who violate basic use
practices around them.  In a hospital situation, perhaps, but why is
grandma supposed to worry about her computer any more than her Cutlass
Sierra just because she wants to look for some information about best
practices in planting a rose garden (excepting social engineering which
happens by telephone against the elderly as often as by computer)?

Even the privacy aware individual is unable to update their copy of XP
through the Web because they'll get blaster over dialup. 

An accountant I know got blaster from connecting to MSN's registration
service after a fresh XP install.  Why was the registration service on
Internet-routable IPs?  Why can't one get updates via a M$ dialup BBS
system?  Why is the MSN installation and registration system forcing
people to get exploited and they haven't even finished their
registration?

She was billed $600 by her consultant because of the extra time
it took to get her out of her predicament.  Yes, the consultant should
have just thrown in a NIC card to grab the updates behind a NAT, but why
is that required?  I told her both her consultant and MS were at fault. 
She's still out the $600 though.  That more than doubled her
Microsoft Tax due to circumstances which to her were unforeseeable.

I told her to take M$ to small claims court.  If the courts recognize
inflated costs caused by crackers, surely they recognize costs due to
blatant negligence.

Seth

> The same
> care should be taken for computers.
> 
> Thanks for taking the time to listen to my thoughts.
> 
> Sincerely,
> 
> -Shane
> 
> 
> ----- Original Message ----- 
> From: "Georgi Guninski" <guninski@...inski.com>
> To: "Tobias Weisserth" <tobias@...sserth.de>
> Sent: Friday, May 14, 2004 6:00 PM
> Subject: Re: [Full-Disclosure] Support the Sasser-author fund started
> 
> 
> > On Fri, May 14, 2004 at 07:12:08PM +0200, Tobias Weisserth wrote:
> > >
> > > > My personal opinion is that more blame should be put on M$.
> > >
> > > The company is called Microsoft or MS in short. Why don't you use its
> > > proper name?
> > >
> >
> > are you sure it is MS and not M$ ????
> >
> > i was always taught it was M$.
> >
> > -- 
> > When I answered where I wanted to go today, they just hung up -- Unknown
> >
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

-- 
Seth Alan Woolley [seth at positivism.org], SPAM/UCE is unauthorized
Key id EF10E21A = 36AD 8A92 8499 8439 E6A8  3724 D437 AF5D EF10 E21A
http://smgl.positivism.org:11371/pks/lookup?op=get&search=0xEF10E21A
Security Team Leader Source Mage GNU/Linux http://www.sourcemage.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040516/9c5c8b34/attachment.bin
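Editor's note: the post above argues that parsers handling untrusted input should not run with system privileges, and that Unix daemons have learned to fork, drop privileges and keep the dangerous code in a restricted process. The following is an added example of that pattern written for this archive page, not code from the post or from any of the projects it mentions. It forks a child that irrevocably gives up root (supplementary groups, then gid, then uid, then verifies that root cannot be regained) and only then runs a small DER INTEGER decoder over the untrusted bytes, returning the result to the privileged parent over a pipe. The uid/gid 65534 ("nobody" on many Linux systems) and the two sample inputs are assumptions and constructed data; a real daemon would also chroot to an empty directory before the uid change, which is omitted so the example runs unprivileged.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Identity the parser child switches to when the daemon is started as
 * root. 65534 is the conventional "nobody" uid/gid on many Linux systems;
 * that choice is an assumption of this example, not something the post
 * states. A real daemon would use a dedicated account and chroot to an
 * empty directory before dropping uid (omitted so this runs anywhere). */
#define UNPRIV_UID ((uid_t)65534)
#define UNPRIV_GID ((gid_t)65534)

/* Drop root for good. Order matters: supplementary groups, then gid, then
 * uid (once uid is unprivileged, setgid would fail). Returns 0 only after
 * verifying that root cannot be regained; a process that was never root
 * has nothing to drop and just gets that verification. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                       /* refuse to "drop" to root */
    if (geteuid() == 0) {
        if (setgroups(0, NULL) != 0) return -1;
        if (setgid(gid) != 0) return -1;
        if (setuid(uid) != 0) return -1;
    }
    /* Fail closed: if any of these succeed we are still privileged. */
    if (setuid(0) == 0 || geteuid() == 0 || getuid() == 0)
        return -1;
    return 0;
}

/* Minimal DER INTEGER decoder (tag 0x02, short-form length of 1..4 bytes,
 * big-endian contents). The comparison of the declared length against the
 * real buffer length is exactly the check an overflowing parser omits; it
 * is present here, and the sandbox below is what limits the damage if it
 * were not. */
static int parse_der_integer(const uint8_t *buf, size_t len, uint32_t *out)
{
    if (len < 2 || buf[0] != 0x02) return -1;
    size_t n = buf[1];
    if (n == 0 || n > 4) return -1;      /* long form / oversize rejected */
    if (2 + n > len) return -1;          /* declared length exceeds input */
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | buf[2 + i];
    *out = v;
    return 0;
}

/* Run the parser in a forked child that has dropped privileges: the
 * privileged parent never interprets the untrusted bytes, and a crash in
 * the child is a dead unprivileged process, not a root compromise.
 * Returns the decoded value (0..2^32-1) or -1 on parse failure, sandbox
 * failure or a child that did not exit cleanly. */
int64_t parse_in_sandbox(const uint8_t *buf, size_t len)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: sandbox, parse, report */
        close(fds[0]);
        if (chdir("/") != 0) _exit(2);
        if (drop_privileges(UNPRIV_UID, UNPRIV_GID) != 0) _exit(2);
        uint32_t v = 0;
        if (parse_der_integer(buf, len, &v) != 0) _exit(1);
        if (write(fds[1], &v, sizeof v) != (ssize_t)sizeof v) _exit(3);
        _exit(0);
    }
    close(fds[1]);                       /* parent: collect the result */
    uint32_t v = 0;
    ssize_t got = read(fds[0], &v, sizeof v);
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    if (got != (ssize_t)sizeof v) return -1;
    return (int64_t)v;
}

/* Constructed sample inputs (not from the post): a valid INTEGER 256, and
 * one whose length byte claims four content bytes but supplies only one. */
static const uint8_t SAMPLE_GOOD[]      = { 0x02, 0x02, 0x01, 0x00 };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x02, 0x04, 0x01 };

int main(void)
{
    printf("good:      %lld\n",
           (long long)parse_in_sandbox(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("truncated: %lld\n",
           (long long)parse_in_sandbox(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

Run as an ordinary user the child has nothing to drop and only verifies it is not root; started as root, the child actually switches to 65534 while the parent keeps its privileges. The truncated input is rejected by the bounds check and reported as -1; had the check been missing, the out-of-bounds read would have happened in the unprivileged child, which is the point of the structure.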
