On Tue, Apr 09, 2002 at 07:00:23PM -0700, MAGEE Rob wrote:
> IMHO, we are truly in computing's infancy now. It's silly, in my mind, to
> get feathers all ruffled about which OS is "better", when, actually, they
> are all such a long way from being great.

Hmm, I sense somewhat of a misunderstanding, so perhaps some of us need
to clarify our positions. Barry spoke about noticing the cynicism and
skepticism computer security people have for Microsoft. Alan and Crispin
have pretty well covered why Microsoft is E.V.I.L., though Seth did
point out some positive things about Microsoft. I'll add that they have
managed to form one of the largest computing research organizations in
the world, filled with top-notch people both in and out of the computer
security realm.

But pointing out that:

-- Microsoft has designed applications with little thought towards
   security,
-- Microsoft has actively tried to squash people legally from
   publishing security notices about their products, and
-- Microsoft (at least in the past) has generally treated security
   problems as public relations problems rather than technical problems

does not mean that we in the security community bow down in worship of
that which is not MS. Far from it. If there is one thing to learn from
the CRIME list, it's that computer security people are a cynical,
skeptical (probably even bitter :-)) bunch. It's our job to be
skeptical, to find the many flaws and assume the worst of whatever
we're looking at.

Microsoft earns so much enmity because it is so dominant, but that
doesn't mean *nix vendors don't earn their share of scorn from the
security community either. Some points to consider:

-- SunOS/Solaris, Irix, and HPUX all used to ship with known vulnerable
   network applications that were enabled by default (Irix and HPUX
   were known to be particularly bad). Community pressure, much like
   what Microsoft has faced recently, changed that.
-- SunOS at least at one point used to ship with "+ +" in its
   /etc/rhosts file. That meant that anyone with administrative
   privileges on their machine could log in with administrative
   privileges on your machine _without being asked for a password._
-- Sun developed both the NFS and NIS protocols, which have some pretty
   fundamental security design flaws in them.
-- the Bugtraq mailing list (a security disclosure list) exists because
   the dominant *nix vendors would drag their feet for months or even
   years before releasing security updates.
-- an Oracle install usually involves multiple 1+ MB binaries, several
   of which are setuid. Oracle also is not known for thinking real hard
   about security (even while spreading marketing claims of being
   "unbreakable").

And lest you think life is better in the open source world (it is, but
for other reasons :-)), ponder:

-- sendmail, the dominant mail server on the internet, is also a
   _large_ source of security problems, often remotely exploitable
   because of poor design. Mentioning security and sendmail in the same
   sentence will get you just as many snickers from computer security
   people as mentioning Microsoft and security.
-- bind, the domain name system server, which is even more dominant on
   the internet than apache and sendmail, has a terrible security track
   record. Its code has been revamped and redesigned multiple times,
   and it still is unreliable from a security standpoint.
-- wu-ftpd, a very popular ftp server, is another chronic security
   offender.
-- UW's imapd, a server for accessing email, has had many problems;
   furthermore, the author has publicly stated that he does not care
   about (known) buffer overflows that occur after a user has
   authenticated. Too bad for you if you wanted to give someone an
   email account without giving them shell access.
-- Speaking of buffer overflows, people are still finding them, even
   though they've been known as a major security threat for decades.
   It doesn't help that people are still writing new vulnerable code.

Oh, and as for Robert Graham's article, he seems to advocate punting
and doing nothing. "Gee, taking your car keys out of the ignition and
locking/unlocking your car door is an inconvenience? Well, leave it
unlocked with the keys in the ignition, then. Furthermore, why does
Fnord Motors get beat up by the auto security community for not putting
locks in cars at all?" Sure, it's an exaggerated analogy, but in
essence that's what he's saying. Since most of us (in urban Portland,
anyway) manage to deal with the inconvenience of locking our cars, the
notion that users shouldn't have to put up with even minor
inconveniences seems false.

However, and I think this is the most crucial point that Robert Graham
misses, the best security solutions are those that are neither a
nuisance nor inconvenience and yet provide real security. It is a
failure of both designers and security experts that security and
convenience are seen as opposites, to be traded off against each other.
That's what we all, including Microsoft, should be working towards.

(I have my own issues with Schneier and Shostack's article that Robert
Graham is responding to, but Graham's response leaves a lot to be
desired.)

> (thread truncated for brevity's sake)

thread expanded for clarity's sake (I hope :-)).

-- 
Steve Beattie                               Don't trust programmers?
<steve@private>                        Complete StackGuard distro at
http://NxNW.org/~steve/                                  immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:39:54 PDT