Re: CRIME FW: @Stake pulls pin on Geer: Effect on research and publication (fwd)

From: Crispin Cowan (crispin@private)
Date: Sat Sep 27 2003 - 17:23:36 PDT

    Andrew Plato wrote:
    
    >Among many flaws, the report almost totally ignores the myriad of 3rd
    >party technologies that can make Windows systems more secure.
    >
    The main thrust <http://dc.internet.com/news/article.php/3083121> of the 
    report is that monoculture is devastatingly dangerous. Geer has said 
    publicly <http://boston.internet.com/news/article.php/3084381> that a 
    Linux monoculture of the same magnitude would be just as bad.
    
    However, the nature of Linux and Microsoft differs with respect to monoculture. 
    Linux's open source allows and encourages forks, and so even a Linux 
    monoculture would be running a lot of different versions. Microsoft, in 
    contrast, works hard to lock customers into Microsoft products and 
    protocols, and engages various semi-synthetic mechanisms to try to force 
    as many users as possible to the current version.
    
    So the threat of a Microsoft monoculture is greater than Linux, both 
    actual and potential.
    
    > Hence,
    >their models are fundamentally flawed. They are based on the assumption
    >that NOBODY secures their Windows systems.
    >
    No, they are based on the assumption that *many* people don't secure 
    their Windows systems, which is quite different. In fact, it is 
    manifestly obvious that most people 
    <http://www.usenix.org/events/sec03/tech/rescorla.html> don't secure 
    their systems, regardless of what kind they are.
    
    >This is a good example of one of the chief problems with information
    >security research. Many of the theories about information security are
    >only relevant in academic settings. In practice, these theories erode
    >and have much less relevance. 
    >
    Geer is not an academic. He was CTO of a large infosec consultancy 
    company, essentially a much larger version of Anitian. In fact, all of 
    the other report authors (except Gutmann) are similarly industrial 
    leaders, not academics.
    
    >In this report, the authors talk about the possibility of crafting an
    >exploit that could wipe out or cause massive failure of Windows systems.
    >
    Like Code Red, Nimda, Sapphire, and Blaster, each of which was capable 
    of wiping out most Windows systems, and did. Seems like a pretty 
    credible claim.
    
    >While it is theoretically possible that such a virus could bring the world
    >to its knees, the practical reality is not as dire.
    >
    It may not have happened yet, but that's because Windows is right now on 
    a steep tangent of moving into the embedded world. Most embedded systems 
    right now are not running Windows, but there is big growth in embedded 
    Windows systems. So it very well might be just around the corner. When 
    the August NE American blackout happened, there was a significant report 
    of some of the power grid being controlled by a Windows RPC DCOM system, 
    which is precisely the Windows component that Blaster exploited. This 
    may not have been the proximate cause of the blackout, but there's 
    essentially no reason why it could not have been.
    
    > There are numerous
    >independent mechanisms in operation that can prevent and stop the
    >widespread distribution of this theoretical virus. Most of these
    >independent mechanisms do not rely on Windows at all.
    >
    And the 5% or so of Windows users who deploy these tools will be safe, 
    at least from direct attack. I'm running a Linux system that is entirely 
    safe from the Swen virus, and still I am laboring under a 300% increase 
    in mail traffic for the last week due entirely to that single virus.
    
    >I know it sounds like it, but I am not defending Microsoft.
    >
    It sure does sound like it :)
    
    > I'm the
    >first to admit that Microsoft is a big part of the security problems out
    >there. But security is a bigger issue than just Microsoft. Microsoft
    >might be a 900 lb gorilla, but that doesn't mean there aren't plenty of
    >800lb and 725lb gorillas out there that are equally as bug-riddled as
    >Microsoft. 
    >
    I disagree with the analogy. MS is the 900 lb gorilla, and the rest of 
    the problems are spider monkeys. MS has:
    
        * a near monopoly on desktops
        * a near monopoly on document systems (Word, PowerPoint, Excel)
        * the #1 position in servers
        * the absolute worst security of all popular systems, by a long,
          long way
    
    I submit that security incidents & problems induced by Microsoft are 
    greater than the sum of all other problems combined. An easy claim to 
    back up, when you consider that most security incidents are cleaning up 
    virus-infected desktops.
    
    >The other problem with this report is how it fuels a lot of holy war
    >reasoning. While it might be trendy to bash Microsoft, that trendiness
    >does not translate into a server room full of systems. 
    >
    It is only "trendy" if you think 15 years is a "trend" :)
    
    >Technology holy wars are entertaining distractions for newsgroups and
    >beer fueled pub rants, but when it comes time to make a business work,
    >holy wars can be destructive and counterproductive. Holy wars are about
    >coercion and emotions, not rational analysis. Smart businesses approach
    >technologies neutrally and analyze their benefits and weaknesses fairly
    >and honestly. They weigh their needs, analyze the data, and make an
    >informed decision. 
    >
    Fair enough. Rational analysis says that the decision maker should weigh 
    the cost of porting or managing interop for a given application run on a 
    non-Windows platform against the very high vulnerability of hosting on 
    Windows. If your threat level is low, and your porting costs are high, 
    then Windows is justified. But if Windows is your default choice, you 
    are being irresponsible.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
    Chief Scientist, Immunix       http://immunix.com
                http://www.immunix.com/shop/
    



    This archive was generated by hypermail 2b30 : Sat Sep 27 2003 - 17:46:01 PDT