lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2f6cb7b40604071902x668ca04dj65f4f747bc139407@mail.gmail.com>
Date: Sat Apr  8 03:02:58 2006
From: nocfed at gmail.com (nocfed)
Subject: I give up,
	no more posts to Full-Disclosure and DailyDave about Full Trust and
	.Net /Java Sandboxes

> On 4/8/06, nocfed <nocfed@...il.com> wrote:
> > On 4/6/06, Dinis Cruz <dinis@...lus.net> wrote:
> > >  First off all, I want to apologize to the Full-Disclosure and DailyDave
> > > readers for the last couple of posts which I CCed to these lists (the ones
> > > about Full Trust, managed browsers, verifier issues in Java/.Net and
> > > Sandboxing)
> > >
> > >  I know that cross-posting is not good, and that it is quite inconvenient
> > > when you happen to subscribe to more than one of the target lists.
> > >
> > >  The reason I did it was because I wanted to make sure that several
> > > companies/groups were exposed to it (and give them a chance to respond). In
> > > this case I am talking about Microsoft, Sun, Novell, Apple, IBM, Adobe, Open
> > > Source projects, etc... (basically the major software development houses and
> > > the ones responsible for most of the software used in the real world).
> > >
> > >  >From the big ones, only Novell had an entry to talk about AppArmor which
> > > is an interesting process level Sandboxing solution.
> > >
> > >  But the ones that I was expecting to see in this conversation were
> > > Microsoft and Sun. We were (and still are) discussing the security
> > > advantages of Sandboxing (Partial Trust in .Net and Security Manager in
> > > Java), and given the investment that both companies have made in this field,
> > > I was expecting to see some core/senior members supporting me (Dinis) in the
> > > defense of the need to 'create environments that are able to securely
> > > execute malicious code (i.e. Sandboxes)'.
> > >
> > >  But no, not a single world. But then I was not surprised since Microsoft
> > > has been ignoring my public comments about this issue for the last two
> > > years.
> > >
> > >  This means that either A) they don't care any more about this topic
> > > (Partial Trust / Security Manager code) or B) they are just playing the good
> > > old trick to ignore the little guy (which works in environments like today
> > > when the Media and paying clients don't care (read: don't understand) about
> > > the issue discussed).
> > >
> > >  Option A) is quite realistic since Microsoft (after what happened with
> > > 'Longhorn managed code failure' and the Vista's reset to Windows 2003 code)
> > > seems to have moved (or kicked) the '.Net guys' to a conner, and decided to
> > > put their bets to create an operating system which delivers a trustworthy
> > > computing environment in the hands of Vista's UAC (User Access Control) and
> > > Vista's capability to run as non-admin (which is a bad bet in my point of
> > > view).
> > >
> > >  [side note: If the .Net framework is just a nice wrapper on the win32 API
> > > (see Richard Grimes articles on this subject) with 99% of its code executed
> > > under a Full Trust environment and never verified, then why the security
> > > overhead of the current versions of .Net framework? (namely 1.1 and 2.0). If
> > > CAS and Strong Naming (just to point two examples) don't really deliver any
> > > real security value (just like 'client side data validation'), then why
> > > incur the overhead? Maybe we would get a nice performance boost in .Net
> > > applications if all those security calls were disabled. (Idea: I want to
> > > apply my 'Rooting the CLR' research into the creation of a patch for the
> > > .Net Framework which disables all security checks and (hopefully) improves
> > > the performance of .Net applications (drop me a line if you are interested
> > > in participating in this new Owasp .Net project))]
> > >
> > >  After two years of trying, I GIVE UP of trying to bring Microsoft to this
> > > discussion.
> > >
> > >  Microsoft doesn't care, can't be bothered to participate (or the powers
> > > that be don't authorize the ones that want to participate), maybe believe
> > > that the types of attacks will not continue to evolve (i.e. the risk will
> > > not increase) or maybe is just that inertia that affects large companies
> > > where nobody is really responsible for anything and the key decision makers
> > > are so distant from the real world (or believe in their own hype and power
> > > to manipulate the market) that they don't really understand the implications
> > > of their decisions.
> > >
> > >  I think that my case is a perfect example of why Microsoft has such a bad
> > > reputation (not just in security), and why the new generation of developers
> > > (and IT professionals) are moving to Open environments (like Open Source).
> > >
> > >  In the medium / long term Microsoft cannot afford to continue to ignore
> > > little guys like me (which are trying to do the right thing and help
> > > Microsoft to solve their security problems). They need to show respect and
> > > (at least) publicly talk about the issues raised.
> > >
> > >  Microsoft and Bill Gates like to talk about trust and trustworthiness. Well
> > > trust is something that is built over time, with respect, dialog and
> > > transparency. Not by ignoring and pretending that one doesn't exist.
> > >
> > >  Maybe Microsoft's problem with me is the fact that i will NOT work for them
> > > nor sign an NDA (since I know that my independence would disappear the
> > > moment I signed one), or maybe they think that I am not good and
> > > knowledgeable enough for them to spend their 'precious time' with.  They are
> > > wrong in not engaging in this conversation, and in ignoring my public
> > > requests to talk. I might be more vocal than some of my security consultant
> > > friends, but I know that most are as frustrated as me in Microsoft's
> > > attitude to Security.
> > >
> > >  Memo to Sun: "Java has the same problem, and you should be worried when
> > > senior members of your community are very surprised to discover that most
> > > Java code is executed in -noverify environments"
> > >
> > >  What I know is that my conscience is clear. Nobody can accuse me of not
> > > trying. Over the last two years I made every ethical effort to call
> > > Microsoft's attention to this problem: I wrote articles, security guides,
> > > security tools, training courses, presentations, collaborated on .Net Open
> > > Source projects (like Owasp), and even had two meetings at Microsoft Redmond
> > > campus with several Key players in Microsoft's security and .Net teams (it
> > > seems, that all that was left to do, was to bring down a couple ISPs /
> > > global companies just to prove my point, but since I am ethical and a 'good
> > > guy', that is something that I will never do).
> > >
> > >  >From all this effort, I have very little to show for (except from my
> > > increased knowledge, several good contracts and some raised awareness to a
> > > couple thousand professionals which read or saw my materials or used my
> > > tools).
> > >
> > >  My main objectives were to get Microsoft to publicly admit that .Net
> > > Framework's Full Trust is a big problem and to start the paradigm change to
> > > a Partially Trusted world.
> > >
> > >  Unfortunately I failed.
> > >
> > >  .Net 2.0 was launched and nothing changed.
> > >
> > >  99% of the applications that exists today and are currently under
> > > development are designed for Full Trust (or equivalent) environments.
> > >
> > >  So, I will wait patiently for the day that Microsoft (and the others)
> > > decide to join the party. Meanwhile I will continue my discussions on the
> > > webappsec@...urityfocus.com, websecurity@...appsec.org and
> > > owasp-dotnet@...ts.sourceforge.net mailing lists, since at
> > > least there my ideas are debated and challenged by other like minded
> > > professionals (thanks guys).
> > >
> > >  I will no more initiate another discussion of Full-Disclosure and DailyDave
> > > about Full Trust and .Net /Java Sandboxes because its audience is not
> > > interested in them and the Microsoft's (and others) subscribers ignore them.
> > >
> > >  To wrap things up here are a couple quotes from a senior Microsoft Security
> > > employee, given to me in his office in Redmond a couple months ago (in Feb
> > > 2006):
> > >
> > >  "...Dinis, what you are saying is important, but at the moment it is not
> > > one of our main priorities... There are several reasons ... a main one is
> > > the fact that we tried that with Vista and it didn't work... but probably
> > > the main one is that we (Microsoft) don't have client pressure to deliver it
> > >
> > >  ... basically there is currently no business case to invest in that since
> > > our (Microsoft) clients are not demanding it...
> > >
> > >  ...what needs to happen is that you (Dinis) need to find 5 major
> > > Microsoft's clients which want this, and then we might do something about it
> > > ..."
> > >
> > >  My response to this last comment was "...look, this is not my problem, this
> > > is Microsoft's problem since it is Microsoft who is promising to deliver
> > > 'trustworthy computing environment'. So if Microsoft doesn't want to do it,
> > > and Microsoft's clients don't put pressure, then there is nothing I can tell
> > > you (Microsoft) that will change your mind..."
> > >
> > >  My conversations with Microsoft's employees tend to always end the same
> > > way: I ask them to start by acknowledging the current Full Trust problem ,
> > > and they respond by saying '... we are working very hard ... or ... things
> > > are better today they they were a couple years ago ...or ... when compared
> > > with the status of the industry we are not that bad ... or ... we know that
> > > we need to do better to educate our developers to write partially trusted
> > > code..'. Basically just words and no actions,
> > >
> > >  Sorry for the 'digital noise' of my previous posts.
> > >
> > >  Best regards
> > >
> > >  Dinis Cruz
> > >  Owasp .Net Project
> > >  www.owasp.net
> > >
> >
> > Congratulations.
> >
> > I have yet to understand why anybody would feel that the majority, if
> > even the minority, of this list could care less if they are here or
> > gone.  You should be sorry about the 'digital noise' that you are
> > spewing now; Speculation and partial, out of context, quotes without
> > an actual source name yet you want people to listen to You.  Think
> > about it for a while.  You are wanting a Company to just jump at what
> > YOU want done, right then, without knowing their current projects nor
> > workload.  I am sure, from the broken information provided, that YOU
> > are not privy to their practices nor even escalation paths.  I am not
> > attempting to defend Microsoft, Sun or any of the other players that
> > you have listed, but Business in general.  The reason they give you
> > those replies is for liability.  When the little man on the totem pole
> > gives a direct reply then they are usually held accountable for their
> > words which could lead to the loss of their position at the company
> > that they are representing.  Just think about it.  "Thank you for this
> > information!  We will get this fixed in the next patch release" just
> > leads to an information leak then some online blogger, or self
> > righteous 'security expert', cross-posting to 20 lists claiming that
> > they got something done like The Twit(TM).  We all know that is not
> > always the case, but many larger companies have dealt with it already
> > and have placed rules and guidelines for handling such situations.
> > Many may not believe that is the best way to do it, but yet again it's
> > not what you want.  In conclusion, let's remember that they got where
> > they are for a reason as well as you are where you are for a reason.
> >
> >
On 4/7/06, michaelslists@...il.com <michaelslists@...il.com> wrote:
> nocfed, are you saying that researchers shouldn't hassle companies
> with notes about the security of their products, because they might
> have more important things to be doing then respond to them?
>
> what fucking list are you on again?
>
> -- Michael
>
>

I have no idea where you gathered that from.  If you feel that the
information needs to be disclosed then do it, but don't expect a
reply, especially in a public forum.

Show common netiquette if you decide to reply.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ