Andrew Plato wrote:

>>I have a problem with that. A secure system is one that does
>>what it is supposed to, and *nothing* else.
>>
>Crispin, that's cool for you and hardcore UNIX guys who have nothing better to do but spend hour after hour tuning their servers. But that simply is not a practical answer for businesses and individuals who do not have the time or resources to make sure every conceivable hole is plugged.
>
We seem to be having a communication problem. The above is my attempt to define "secure", because it is useful for purposes of discussion. I did NOT say that everyone must be perfectly secure or they are idiots. The point is that the above is a goal that one should try to approximate in the most cost-effective manner possible. Because it is hard, and approximations are necessary, and effective assessment is well nigh impossible, skepticism WRT claims is called for.

>Your statement "a secure system is one that does what it is supposed to and nothing else" sounds great in a seminar at a university. But what is a system supposed to do? This isn't a one-size-fits-all situation.
>
But it IS a one-size-fits-all definition. If a system does something that it is not supposed to, then it IS insecure, period, end of story. Naturally, most situations cannot afford to be totally secure, and thus must engage approximations. Even the principles that Spaf presented from Saltzer and Schroeder are approximations, as none of them will ever lead to a system that does "nothing else." Only full formal correctness proofs on every last line of code and configuration data will do that, and of course that is infeasible for anything larger than a smart card.

>Therefore, the answer is to plug as many as possible without resorting to a massive change in infrastructure.
>
I disagree. This is known as "penetrate and patch", and while it does have some validity, it is far from the only cost-effective thing you can do.
The Principle of Least Privilege is my favorite, and it can be applied at many levels without a massive change in infrastructure. A trivial example is the "Just be friends" <http://www.cigital.com/justbefriends/> tool from Cigital <http://www.cigital.com/>. Proper least privilege for e-mail tools would confine scripts in your mailbox so that they can't do much, and confine the mail client itself so that it basically can only read mail and not (say) edit your registry settings. But that's hard to do, because when you tell users not to use Outlook, they whine about massive changes in infrastructure :) "Just be friends" does a very crude approximation of least privilege: it simply prevents scripted mail messages from sending mail. This doesn't prevent other malicious payloads, but it does prevent mail viruses from exploding through your company in hours.

>>It is fundamentally impossible to prove
>>the "nothing else" part, and so we are required to resort to
>>combinations of inspection and faith to determine how likely
>>it is that a given system is secure. Doing this even half-way well
>>requires a major dose of skepticism, or else you will be taken in by snake oil
>>salesmen who tell you "Of *course* it is secure" :-(
>>
>This idea that things are either 100% secure or 100% insecure is inherently faulty. Security is not a black and white problem. Half-secure is better than zero secure. And many places have no choice but to settle with half-secure, because total security is simply too expensive or would obliterate usability.
>
I never said it was a black and white problem. You seem to be somehow inferring that from what I'm saying, but I have no idea why. "Secure" is definitely a black and white property, but like perfection, it is unattainable. Instead, we must find cost-effective approximations.
>And I am sorry but this obsession with ultimate security might be fine for scientists and security experts, but it simply is not a practical answer for the average IT department.
>
I completely agree. Immunix systems (our products) are not the most secure you can get. They are the most transparently compatible with standard Linux systems that also offer a reasonable degree of security. We approximate security while minimally compromising compatibility.

>>"Spreading FUD" is making a claim of risk where there is
>>none.
>>
>No. Spreading FUD is making wild, unsupported, or exaggerated claims about technology for the sole purpose of frightening people into action.
>
Sounds like the same thing to me.

>Usually action to purchase a product or reject a particular technology. When I think of FUD, I think of somebody like Steve Gibson, who is a chronic FUD monger. He has about 1/2 the concept baked and then he runs around screaming like a lunatic trying to terrify people into doing something. The mere fact that Steve has a site devoted to debunking his rantings (www.grcsucks.com <http://www.grcsucks.com>) shows what FUD mongering can get you.
>
I agree; Gibson is a goof who cries "wolf!" too much. His claim that XP is a threat because it allows raw socket access was hugely clueless.

>I personally am very tired of FUD mongering. It's annoying and counterproductive. When I meet with customers I try to focus almost exclusively on how to solve security issues in a practical and cost-effective manner. Sometimes that means using security products, sometimes that means making fundamental infrastructure changes. Whatever the case, screaming at people that THEY HAD BETTER STOP USING WINDOWS RIGHT NOW!!!! is in my opinion immature and counter-productive. It doesn't respond to the real world problems that are facing businesses. People are not going to stop using Windows no matter how loud you scream at them.
>
I never, ever said that.
If anything, I said that you had better stop using Outlook right now, if you want to take the easiest step towards securing your infrastructure. Don't do it if you don't mind being insecure. And go right ahead and keep using Windows if you want to, but be aware of the hidden costs: there likely is a cheaper solution to solve your problem than the Windows solution, you just haven't accounted for all the costs properly.

>>This is
>>the exact dual of selling snake oil: claiming safety where there is
>>none. Clearly neither is constructive, and a realistic assessment of
>>risks is called for to be effective, including a realistic
>>understanding of the costs of implementing a solution vs. the costs of
>>enduring the risks.
>>
>Again, I fail to see where anybody - Graham or the likes - has said you're 100% safe if you just install a patch or buy their software.
>
Again with the black and white. I didn't say that. I said that Graham recommended just blowing off security as not worth the bother.

>>IMHO, Robert Graham's article is selling snake oil in a major way. It
>>is highly non-credible, and deceptively lures people into
>>engaging in some very bad security policies.
>>
>How? How exactly would Graham's comments lead a person into an insecure situation?
>
Graham says "Hackers prefer Outlook because of its popularity. Similar holes exist in other software, such as Eudora and Lotus Notes." Pure, unadulterated BULLSHIT. Outlook has the uniquely architected feature of executing attached VBScript. Other mailers do not. This has nothing to do with Outlook's popularity. Graham is blowing smoke.

Graham says "SOAP was not designed specifically to bypass firewalls, but was instead designed around a different model of cyberspace." Again, pure bullshit (and *intent* is entirely beside the point). SOAP tunnels through port 80, which has the effect of bypassing firewalls (which inevitably pass port 80 to allow web browsing).
This has the beneficial effect of allowing SOAP apps to work through firewalls (yay! for convenience). It has the detrimental effect of making it that much more difficult for firewalls to filter RPC calls (which is what SOAP really is), effectively opening up any organization using SOAP to rampant attack.

Graham says "Users don't think in terms of "features", but "benefits". A user wants to be able to go to the store, buy a piece of hardware, plug it in, and have it just work. This might occur a year after the user buys the original PC. It is easy to say that a user doesn't want UPnP at the start. The point is that users might want the feature later, and they don't want to have to make the decision to turn it on." A marvelous excuse for a bad policy. I understand the choice being made: MS decided to configure every Windows workstation to be a server by default, because it reduces their support costs. Good business decision. Unfortunately, at the expense of the customer. They actively promote the idea that every machine is Internet-connected, which makes this configuration EXACTLY the wrong one. Workstations should offer nothing as services, and servers should offer everything.

Graham's recommendations:

"The easiest way to improve security is through free-market economics: let the customer decide." I agree, but Microsoft's monopoly lock on the desktop market makes this a rather difficult hypothesis to test.

"Microsoft should produce a version of Windows Server that ships in a "hardened" state. This lets the customer decide if they want to build up a server by adding components, or the current method of stripping down server by removing unsafe components." Again I agree. But they have not, and it is long past time. Their monopoly position ensures that no market forces actually exist to force them to do so.

"Microsoft should provide two versions of IIS. CodeRed was nasty because of the number of third-party products that bundled IIS.
Microsoft should provide a more trustworthy version for these vendors - namely one without all these ISAPI filters installed." Again I agree, and again Microsoft has not done it.

So we have a bunch of recommendations for things that Microsoft should do, nothing that the users can do, and the pat philosophy that we should "let the market decide", except that the market *cannot* decide because of the Microsoft monopoly.

>It seems to me Crispin the undertone of your argument is: "Graham acknowledges Windows, and therefore his argument is wrong." That is faulty reasoning because the assumption is that Windows cannot be secured, which it can.
>
Not at all. My problem is that Graham makes apologies for Microsoft's shortcomings, and suggests that the end-users should just suck it up and wait for Microsoft to make it all better, because there is no alternative. Of course, while there is no alternative in client space, there is an alternative in server space, and so Microsoft is feeling the heat. Microsoft's natural reaction: .Net, an effective attempt to cut the competing server operating systems out of the market by making it infeasible to deliver web services for Microsoft clients on non-Microsoft servers.

>Keep in mind that most business executives could care less what is running in the server room. As far as they are concerned, you could run the entire company off a Timex Sinclair and a 300 baud modem. What matters to them is productivity. Because any hit against productivity (and usability) means loss in profitability.
>
Ah, yes, the productivity argument. Microsoft argues that Windows reduces costs because you can employ relatively low-tech admin staff to manage these "easy to use" systems. What they leave out is the astronomical cost of securing Windows, and the fact that you need approximately TEN TIMES as many admins to keep a Windows server farm running as compared to a similarly sized *NIX farm.
Even Intel was unable to keep their Windows compute farm running. They eventually gave up and replaced the whole mess with FreeBSD, because they were sick and tired of dealing with Windows' pitiful stability. The effect of instability is magnified when you scale up to dozens or hundreds of machines. With a large enough Windows farm, chairs with wheels become a critical part of your productivity, so that the guy who re-boots the wedged Windows boxen can scoot from dead node to dead node fast enough to keep them running.

>>Really? BlackICE replaced the core NIDS engine in ISS
>>RealSecure? This is news to me. At least one of us is confused :) I thought
>>ISS bought BlackICE for their personal firewall product, and not to
>>replace their NIDS engine.
>>
>Nope. RealSecure is now pretty much all BlackICE under the covers. The core engine is now BlackICE augmented with RS's signatures. Best IDS there is (in my humble and totally biased opinion.)
>
Thanks for the clarification. I was unaware that the BlackICE acquisition had such deep implications. It's still rather surprising, since BlackICE was a Windows client application, and RealSecure was a UNIX application, even if it was looking for the signatures of Windows attacks. Can you tell us whether the RealSecure product is still available for UNIX systems?

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
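The point above that a firewall which passes port 80 for browsing cannot tell SOAP RPC calls from ordinary web traffic, illustrated with an added example (not from the original post, nor from any product named in it): a port-only rule admits both constructed requests, while an application-layer check on the SOAPAction header or the XML Envelope body can tell them apart. The sample requests and the port set are constructed for the demonstration.

```python
# Added example: port-based filtering vs. application-layer inspection of
# SOAP-over-HTTP. Not code from the original post or any product it names.
import re

WEB_PORTS = {80, 443}  # assumption: the firewall passes these for browsing


def port_filter_allows(dst_port: int) -> bool:
    """A port-only firewall: every connection to port 80 looks like browsing."""
    return dst_port in WEB_PORTS


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (method, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def is_soap_rpc(raw: str) -> bool:
    """Application-layer check: a SOAP RPC call is a POST carrying either a
    SOAPAction header or an XML body whose root is an Envelope element,
    regardless of which port it rides on."""
    method, headers, body = parse_http_request(raw)
    if method != "POST":
        return False
    if "soapaction" in headers:
        return True
    ctype = headers.get("content-type", "")
    return "xml" in ctype and re.search(r"<(\w+:)?Envelope\b", body) is not None


# Constructed sample requests; both go to port 80 on the same host.
BROWSE = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SOAP = ("POST /rpc HTTP/1.1\r\nHost: www.example.com\r\n"
        "Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"urn:Op\"\r\n\r\n"
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        "<soap:Body><Op/></soap:Body></soap:Envelope>")


def verdicts(raw: str, dst_port: int = 80):
    """Return (port-filter allows, content-filter allows) for one request."""
    return port_filter_allows(dst_port), not is_soap_rpc(raw)


if __name__ == "__main__":
    for name, req in (("browse", BROWSE), ("soap", SOAP)):
        print(name, verdicts(req))  # browse (True, True); soap (True, False)
```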
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:40:05 PDT