Re: [ISN] Security woes: Who is to blame?

From: InfoSec News (isnat_private)
Date: Fri Nov 09 2001 - 02:17:51 PST

  • Next message: InfoSec News: "[ISN] Hacker watchdog group in the works"

    Forwarded from: security curmudgeon <jerichoat_private>
    
    > http://news.cnet.com/news/0-1014-201-7819204-0.html?tag=bt_bh
    > 
    > By Robert Lemos
    
    > The issue is not new, but Culp's article marked the beginning of a push
    > by Microsoft to call the security industry and hackers into account for
    > distributing dangerous code. In many ways it isn't surprising, since
    > Microsoft loses face every time a widespread security incident
    > compromises its software. 
    
    Hopefully Microsoft stops distributing Frontpage then. That is a clear
    cut, easy to use, GUI based exploit utility for defacing web servers.
    
    And I hope that they stop distributing Outlook Express since that too
    is half the recipe for all these nasty worms. None of them would work
    without the built in default functionality of OE.
    
    > However, if new vulnerability disclosure policies become widespread
    > and cut down on the number of worms and attacks targeted at Internet
    > companies, everyone stands to gain. CNET News.com caught up with Culp
    
    Ironically no.. not everyone. Security companies really lose out big time.
    They lose out of security advisories. They lose out on reporting bugs to
    their customers (be it a service or a 'value add'). 
    
    > Q: Why the name information anarchy?
    > 
    > A: Well, because it's accurate. The practice that the essay was
    > discussing was the practice of throwing exploit information out freely
    > on the Internet without regard to how it might be used. There has been
    
    This is incorrect. Culp obviously has little working knowledge of the
    computer underground, and has done no research into it.
    
    Historically, these exploits start out in the hands of one person that
    wrote it. S/he either uses it to hack servers or doesn't. After that, s/he
    may share it with other hackers or a close group of friends. After that,
    they begin to share it with more and more people for various reasons. This
    could be because they no longer have a use for it, are finding less
    vulnerable machines, or can use it to leverage newer/different exploits.
    After a while it leaks out to "irc" (ie: a lot of people, not necessarily
    via irc but that level of distribution). Shortly after that it often pops
    up on Bugtraq, sometimes as a working exploit, sometimes as a variation of
    the original, sometimes crippled, sometimes downright broken. The
    difference in the code posted to bugtraq is widespread, and the reasons
    are as well.
    
    So, looking back at a one paragraph description that could be expanded to
    a chapter in a book.. is that information anarchy? If so, then we should
    label Microsoft "anarchists" and level the playing field. When Microsoft
    issues a patch or new program, it goes through the same process. Starts
    out at the developer, moved to the team, passed on to testers, shared
    companywide perhaps, released to customers, posted on the Internet.
    
    Forget a second what is being passed around in each example, that is
    irrelevant to the term and branding here. There is a very well defined and
    repeated series of events here, each following a fairly well defined
    hierarchy.
    
    To those who aren't seeing it yet.. that is not anarchy. Not at all.
    
    But, 'anarchy' is a great buzzword and no doubt the result of a Microsoft
    PR team (or perhaps buggy Word thesauras..). 
    
    It conjures up really bad images and makes all the good law abiding
    citizens hate those anarchists!
    
    > disclosed about security vulnerabilities. And for the longest time,
    > folks arguing both pro and con could cite theory about why their
    > position was correct. But the five worms (Ramen, 1i0n, Sadmind, Code
    > Red and Nimda) that were released over the past year answer the
    > question with actual data and conclusively.
    
    Ooooh, actual data and conclusively. Can anyone drag this up? Culp? Care
    to cite a source for this claim? Mind if I pass it on to someone that
    knows more about data, numbers, and 'proving' stuff than you do?
    
    > What does that tell you?
    > 
    > Those five worms tell us the posting exploit information on the Web is
    > harmful and dangerous. In all five cases, the worms were built using
    > information that was publicly posted on the Web and posted to no good
    > purpose.
    
    Wow, amazing leaps of logic here. If this is such a truth, why isn't Sun
    Microsystems starting this initiative or partnering with Microsoft on it?
    You DO remember that 'sadmind' was a multi-OS worm right?
    
    And can you quote each place the vulnerability basis for the worms was
    originally published? After you do that, can you really say that each had
    'no good purpose'? Does it matter that each one of these had working
    exploit code MONTHS before they were utilized in worms?
    
    > Are you trying to hush up those that find these vulnerabilities?
    > 
    > Absolutely not. Our reputation and our practices speak for themselves.
    
    Now this is a truly accurate statement. Microsoft's reputation and
    practices speak for themselves.
    
    > Nobody else in the industry is as open about reporting their own
    > security vulnerabilities in their own products as Microsoft is. That's
    
    Wrong. Absolutely and CONCLUSIVELY (since you like using that word) wrong.
    The linux community is much better.
    
    > The essay is not calling for people to refrain from looking for
    > security vulnerabilities, to stop reporting them to the vendors, to
    > stop telling customers about them. We don't want to change any of
    > that.  The only thing that we are suggesting is that reasonable people
    > should be able to agree that telling bad guys how to use those
    > vulnerabilities to attack innocent users is wrong.
    
    Oh jeez. This is a complete fallacy here. So the solution is to stop
    giving bugs to the bad guys is it?
    
    In the past, exploit information has been taken from vendors (via
    'hacking'). It has been shared by employees that had access to it. It has
    been accidentally leaked out to the public. It has been shared with
    contractors and more.
    
    At what point can you say each of those people are good and bad? It's a
    pipe dream to even think the world is so black and white as to allow us to
    conveniently 'withold' that info from 'bad guys'.
    
    What about the person who is good during the day at work, and bad at
    night?
    
    > As far as releasing information and vulnerabilities, what about
    > reports that the latest Windows XP patch has five security fixes, but
    > only two are documented?
    > 
    > It's interesting that you can claim that you can know and don't know
    > how many vulnerabilities are being fixed in the patch while at the
    > same time saying you know how many fixes are in the patch. That seems
    > to be a logical contradiction.
    
    Huh? Re-read the question there Scott..
    
    > But let's talk about that update. It's the first critical update for
    > Windows XP and contains all the fixes to Windows XP between the
    > release to manufacturing and its availability in the market on 25
    > October. The idea between doing a single fix is that it is more
    > convenient for customers because you only have to apply the one fix
    > and you get everything. It can be applied at install time.
    
    Uh, yeah, let's talk about that update and answer the question for a
    change. What a cop out.
    
    The word is the patch fixed FIVE security holes, yet only TWO were
    documented anywhere for the public. Meaning there are more problems than
    Microsoft is admitting to. What was that earlier about being so good at
    admitting/reporting problems?
    
    Next, Oct 25 was just a couple weeks ago. There are already 2 to 5 serious
    security vulnerabilities in that short a time frame? Could you comment on
    what auditing or testing was done that Microsoft could miss these?
    
    And this last comment about patching in a big batch, doesn't that help
    address the real reason you want little to no public vulnerability
    disclosure? These big patches help you in so many ways. They let you
    procrastinate on serious problems with less perceived threat since the
    exploit code isn't "public".
    
    > How much of a difference will your new initiative make to Internet
    > security? Are we going to see a big decrease in the number of worms?
    > 
    > We have to be realistic. There will be malicious users who will write
    > malicious code. They will probably write worms, and they will attack
    > users. The number of incidents will almost certainly be smaller than
    > the number of incidents we have today. Judging by those five worms
    > that tore through the Internet over the past year, recognizing that
    > all of them relied on information that was posted to the Internet, we
    
    .. as much as they relied on shoddy products from Microsoft that made them
    possible in the first place. 
    
    > Are you going for a mutual consensus of people here? What happens when
    > a hacker finds a hole in some software package and posts it to a
    > bulletin board or Usenet list? Is there anything you can do about
    > that?
    > 
    > Microsoft is not the world's policeman. There is only so much that
    > Microsoft can do. And the extent of what we are advocating now is
    > self-restraint. We are not advocating the creation of cybercrime laws
    > to prevent the posting of exploit code; we are not for any kind of
    > punitive or coercive measures. We believe that security professionals,
    > for the most part, are in this business to protect users--and that
    > when they understand that certain actions are really protecting users,
    > they'll do the right thing. So our goal here is, working with the rest
    > of the industry, to try to develop some reasonable and moderate
    > standards for handling security vulnerabilities that are likely to
    > have the desired effect--that is protecting users.
    
    Wow, thanks for not answering the question.
    
    Let me rephrase it. What is Microsoft doing to address those who do NOT
    follow the Microsoft Vision (tm) for vulnerability disclosure?
    
    > That's not true. There are a lot of dimensions to the problem of
    > improving security. One of them is that vendors need to write better
    > software, and we certainly count ourselves in that circle. We need to
    > develop more secure products; we need to make it easier for people to
    > manage their security on their machines. And we have been very up-front
    > about our obligation to do that and our intention to do that. 
    
    .. obligation.. intention..
    
    Yeah thanks for nothing. What is Microsoft doing to IMPLEMENT this?
    
    > For instance, the Strategic Technology Protection Program that we
    > rolled out a few weeks ago. For the most part, it's a listing of the
    > specific things we are going to change in our products to make them
    > more secure. We have talked in the past about the secure Windows
    > initiative and the steps we are taking at Microsoft to change our
    
    .. and now that the STPP is out of headlines.. how is it working out?
    Without hearing more about the ups and downs, sounds like a press gimick.
    
    > The essay was intended to jump-start the debate in the community. We
    
    The debate was not dead by any means. Every few weeks one thread or
    another on a high traffic mail list reverts into the full disclosure
    discussion. It is typically killed off by the moderator (usually for good
    reason since the argument basically can't be won).
    
    Jump starting the debate is a good media spin really.
    
    > to help us figure out what the next step needs to be. The essay was a
    > problem statement--it identified a problem that needs to be solved. It
    
    In defining the problem, you clearly mislabeled it though. That doesn't
    encourage anyone to jump on the bandwagon. (see above, re: the term
    anarchy)
    
    > wasn't intended to propose a solution; It was intended to start a
    
    Yet you did. Your solution is to "not give info to the bad guys".
    
    > debate about the problem. That's what we are here at the Trusted
    > Computing Conference to do. We hope at the end of the conference we
    > have some recommendations that we and the rest of the industry can
    
    Care to comment on why you didn't speak and give the audience a fair
    chance to play question? Rumor is several were there with good questions
    and they were looking for your input. Instead, they saw Weld and ohers
    pushed up to the podium instead of you..
    
    > for years. Our perspective is that it is time to stop talking. We all
    > understand what the problem is. Now it is time as an industry to come
    > up with a plan of what we are going to do to solve the problem and
    > then start executing on the plan.
    
    How very Microsoft. There is a reason it has been talked about for years
    and nothing done. You can't stop it from happening. Even if the project
    was a "100% success" (heh), it would lower the number of times
    "vulnerability info would be given to the bad guys". So does Microsoft
    really think this is feasible? Do you really think that goal can be
    obtained?
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 05:51:02 PST