Message-ID: <2f6cb7b40604070933w431289d6t3731f03bf9bd05b0@mail.gmail.com>
Date: Fri Apr 7 17:33:13 2006
From: nocfed at gmail.com (nocfed)
Subject: I give up, no more posts to Full-Disclosure and DailyDave about Full Trust and .Net /Java Sandboxes
On 4/6/06, Dinis Cruz <dinis@...lus.net> wrote:
> First off all, I want to apologize to the Full-Disclosure and DailyDave
> readers for the last couple of posts which I CCed to these lists (the ones
> about Full Trust, managed browsers, verifier issues in Java/.Net and
> Sandboxing)
>
> I know that cross-posting is not good, and that it is quite inconvenient
> when you happen to subscribe to more than one of the target lists.
>
> The reason I did it was because I wanted to make sure that several
> companies/groups were exposed to it (and give them a chance to respond). In
> this case I am talking about Microsoft, Sun, Novell, Apple, IBM, Adobe, Open
> Source projects, etc... (basically the major software development houses and
> the ones responsible for most of the software used in the real world).
>
> From the big ones, only Novell had an entry to talk about AppArmor which
> is an interesting process level Sandboxing solution.
>
> But the ones that I was expecting to see in this conversation were
> Microsoft and Sun. We were (and still are) discussing the security
> advantages of Sandboxing (Partial Trust in .Net and Security Manager in
> Java), and given the investment that both companies have made in this field,
> I was expecting to see some core/senior members supporting me (Dinis) in the
> defense of the need to 'create environments that are able to securely
> execute malicious code (i.e. Sandboxes)'.
>
> But no, not a single word. But then I was not surprised since Microsoft
> has been ignoring my public comments about this issue for the last two
> years.
>
> This means that either A) they don't care any more about this topic
> (Partial Trust / Security Manager code) or B) they are just playing the good
> old trick to ignore the little guy (which works in environments like today
> when the Media and paying clients don't care (read: don't understand) about
> the issue discussed).
>
> Option A) is quite realistic since Microsoft (after what happened with
> 'Longhorn managed code failure' and the Vista's reset to Windows 2003 code)
> seems to have moved (or kicked) the '.Net guys' to a corner, and decided to
> put their bets to create an operating system which delivers a trustworthy
> computing environment in the hands of Vista's UAC (User Access Control) and
> Vista's capability to run as non-admin (which is a bad bet in my point of
> view).
>
> [side note: If the .Net framework is just a nice wrapper on the win32 API
> (see Richard Grimes articles on this subject) with 99% of its code executed
> under a Full Trust environment and never verified, then why the security
> overhead of the current versions of .Net framework? (namely 1.1 and 2.0). If
> CAS and Strong Naming (just to point two examples) don't really deliver any
> real security value (just like 'client side data validation'), then why
> incur the overhead? Maybe we would get a nice performance boost in .Net
> applications if all those security calls were disabled. (Idea: I want to
> apply my 'Rooting the CLR' research into the creation of a patch for the
> .Net Framework which disables all security checks and (hopefully) improves
> the performance of .Net applications (drop me a line if you are interested
> in participating in this new Owasp .Net project))]
>
> After two years of trying, I GIVE UP trying to bring Microsoft to this
> discussion.
>
> Microsoft doesn't care, can't be bothered to participate (or the powers
> that be don't authorize the ones that want to participate), maybe believe
> that the types of attacks will not continue to evolve (i.e. the risk will
> not increase) or maybe is just that inertia that affects large companies
> where nobody is really responsible for anything and the key decision makers
> are so distant from the real world (or believe in their own hype and power
> to manipulate the market) that they don't really understand the implications
> of their decisions.
>
> I think that my case is a perfect example of why Microsoft has such a bad
> reputation (not just in security), and why the new generation of developers
> (and IT professionals) are moving to Open environments (like Open Source).
>
> In the medium / long term Microsoft cannot afford to continue to ignore
> little guys like me (which are trying to do the right thing and help
> Microsoft to solve their security problems). They need to show respect and
> (at least) publicly talk about the issues raised.
>
> Microsoft and Bill Gates like to talk about trust and trustworthiness. Well
> trust is something that is built over time, with respect, dialog and
> transparency. Not by ignoring and pretending that one doesn't exist.
>
> Maybe Microsoft's problem with me is the fact that I will NOT work for them
> nor sign an NDA (since I know that my independence would disappear the
> moment I signed one), or maybe they think that I am not good and
> knowledgeable enough for them to spend their 'precious time' with. They are
> wrong in not engaging in this conversation, and in ignoring my public
> requests to talk. I might be more vocal than some of my security consultant
> friends, but I know that most are as frustrated as me in Microsoft's
> attitude to Security.
>
> Memo to Sun: "Java has the same problem, and you should be worried when
> senior members of your community are very surprised to discover that most
> Java code is executed in -noverify environments"
>
> What I know is that my conscience is clear. Nobody can accuse me of not
> trying. Over the last two years I made every ethical effort to call
> Microsoft's attention to this problem: I wrote articles, security guides,
> security tools, training courses, presentations, collaborated on .Net Open
> Source projects (like Owasp), and even had two meetings at Microsoft Redmond
> campus with several Key players in Microsoft's security and .Net teams (it
> seems, that all that was left to do, was to bring down a couple ISPs /
> global companies just to prove my point, but since I am ethical and a 'good
> guy', that is something that I will never do).
>
> From all this effort, I have very little to show for it (except for my
> increased knowledge, several good contracts and some raised awareness to a
> couple thousand professionals which read or saw my materials or used my
> tools).
>
> My main objectives were to get Microsoft to publicly admit that .Net
> Framework's Full Trust is a big problem and to start the paradigm change to
> a Partially Trusted world.
>
> Unfortunately I failed.
>
> .Net 2.0 was launched and nothing changed.
>
> 99% of the applications that exist today and are currently under
> development are designed for Full Trust (or equivalent) environments.
>
> So, I will wait patiently for the day that Microsoft (and the others)
> decide to join the party. Meanwhile I will continue my discussions on the
> webappsec@...urityfocus.com, websecurity@...appsec.org and
> owasp-dotnet@...ts.sourceforge.net mailing lists, since at
> least there my ideas are debated and challenged by other like minded
> professionals (thanks guys).
>
> I will no longer initiate another discussion on Full-Disclosure and DailyDave
> about Full Trust and .Net /Java Sandboxes because its audience is not
> interested in them and the Microsoft (and others) subscribers ignore them.
>
> To wrap things up here are a couple quotes from a senior Microsoft Security
> employee, given to me in his office in Redmond a couple months ago (in Feb
> 2006):
>
> "...Dinis, what you are saying is important, but at the moment it is not
> one of our main priorities... There are several reasons ... a main one is
> the fact that we tried that with Vista and it didn't work... but probably
> the main one is that we (Microsoft) don't have client pressure to deliver it
>
> ... basically there is currently no business case to invest in that since
> our (Microsoft) clients are not demanding it...
>
> ...what needs to happen is that you (Dinis) need to find 5 major
> Microsoft's clients which want this, and then we might do something about it
> ..."
>
> My response to this last comment was "...look, this is not my problem, this
> is Microsoft's problem since it is Microsoft who is promising to deliver
> 'trustworthy computing environment'. So if Microsoft doesn't want to do it,
> and Microsoft's clients don't put pressure, then there is nothing I can tell
> you (Microsoft) that will change your mind..."
>
> My conversations with Microsoft's employees tend to always end the same
> way: I ask them to start by acknowledging the current Full Trust problem,
> and they respond by saying '... we are working very hard ... or ... things
> are better today than they were a couple years ago ... or ... when compared
> with the status of the industry we are not that bad ... or ... we know that
> we need to do better to educate our developers to write partially trusted
> code ...'. Basically just words and no actions.
>
> Sorry for the 'digital noise' of my previous posts.
>
> Best regards
>
> Dinis Cruz
> Owasp .Net Project
> www.owasp.net
>
Congratulations.

I have yet to understand why anybody would feel that the majority, if
even the minority, of this list could care less if they are here or
gone. You should be sorry about the 'digital noise' that you are
spewing now: speculation and partial, out of context, quotes without
an actual source name, yet you want people to listen to you. Think
about it for a while. You are wanting a Company to just jump at what
YOU want done, right then, without knowing their current projects nor
workload. I am sure, from the broken information provided, that YOU
are not privy to their practices nor even escalation paths. I am not
attempting to defend Microsoft, Sun or any of the other players that
you have listed, but Business in general. The reason they give you
those replies is for liability. When the little man on the totem pole
gives a direct reply then they are usually held accountable for their
words which could lead to the loss of their position at the company
that they are representing. Just think about it. "Thank you for this
information! We will get this fixed in the next patch release" just
leads to an information leak then some online blogger, or self
righteous 'security expert', cross-posting to 20 lists claiming that
they got something done like The Twit(TM). We all know that is not
always the case, but many larger companies have dealt with it already
and have placed rules and guidelines for handling such situations.
Many may not believe that is the best way to do it, but yet again it's
not what you want. In conclusion, let's remember that they got where
they are for a reason as well as you are where you are for a reason.