Microsoft Microsoft Microsoft

Posted by michael on Fri Nov 09, 2001 02:49 PM
from the microsoft-microsoft-microsoft dept.
Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
This discussion has been archived. No new comments can be posted.
  • It's not a security flaw by asv108 (Score:1) Friday November 09 2001, @02:53PM
  • You know what I find funny? (Score:3, Insightful)

    I clicked on the Microsoft security bulletin. I've never seen one of those before. Back when I first bought my gateway I actually registered with Microsoft online, and so I find it hilarious that an important bulletin such as this is in such an obscure place. I think it's only right for them to send this out to everyone who's registered at least, it's just the right ethical move. We do have to remember who we're talking about though. I'm still laughing about that bulletin. Aren't you supposed to distribute bulletins, not hide them somewhere? Ugh...
    • Re:You know what I find funny? by ackthpt (Score:2) Friday November 09 2001, @03:00PM
    • Re:You know what I find funny? by Carmody (Score:2) Friday November 09 2001, @03:13PM
    • Re:You know what I find funny? (Score:5, Insightful)

      by Tassach (137772) on Friday November 09 2001, @03:14PM (#2545355) Homepage
      Any information that MS puts out is going to be a battle between engineering and PR -- The programmers probably want bugfixes announced prominently, whereas the PR drones see this as a Bad Thing because it involves admitting that they screwed up in the first place.



      MS's windows update is a step in the right direction, but it sucks compared to Red Hat's up2date [redhat.com] program. It's a service that is well worth paying for. Even if you just download the Red Hat ISOs, consider subscribing to RHN [redhat.com] - you are supporting future Linux development and are getting a good service at a fair price. [Disclosure: I own RHAT stock]

      [ Parent ]
    • Re:You know what I find funny? (Score:5, Informative)

      by rtkluttz (244325) on Friday November 09 2001, @03:23PM (#2545430) Homepage
      MS posted this bulletin to their security mailing list about 8:00 est today. They are doing a pretty good job of notifying everyone in the event of a failure. To get good, up to date information about security go to www.microsoft.com/security. They usually notify of new security issues and fixes within a day or so. The information is there and it's not that hard to find. Just in case you still have trouble finding the link for the bulletin mailing list, here is the link. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp
      [ Parent ]
    • They do distribute them by ergo98 (Score:2) Friday November 09 2001, @03:24PM
    • Re:You know what I find funny? (Score:5, Insightful)

      by Zico (14255) on Friday November 09 2001, @03:46PM (#2545622)

      What is it exactly that you're so baffled by? Just because you've never seen them only shows your ignorance, since they've been sending these out for years now. As far as being in an obscure place, where would you expect to find it? I always use the direct link to the bulletin list (www.microsoft.com/technet/security/current.asp [microsoft.com]), but if I didn't know how to find it, I think I might try www.microsoft.com/security. And whaddaya know, there's a web page there and the second link on the left is for the Security Bulletin service. How obscure. *ahem*

      [ Parent ]
    • Re:You know what I find funny? (Score:5, Informative)

      by sheldon (2322) on Friday November 09 2001, @04:33PM (#2545936)
      Go to www.microsoft.com

      Click on the link to the side that says "For IT Professionals"

      There are Security Bulletins highlighted in the upper right hand side of the page. The ones discussed here are listed, along with a link that says "More".

      Right on the top of that list is a link that says "Want to receive future security bulletins automatically?" You might want to click on that and subscribe.

      Now for home users, they have the WindowsUpdate feature which easily allows you to download patches. Plus it also includes links to find out more information about the patch... these links go to the security bulletins again.

      If Microsoft is hiding security bulletins, they are doing a piss poor job.
      [ Parent ]
      • Re:You know what I find funny? by thanq (Score:1) Friday November 09 2001, @05:41PM
      • Now I remember!.. by Abnornymous Howard (Score:1) Friday November 09 2001, @06:01PM
      • Re:You know what I find funny? (Score:4, Insightful)

        by ahaning (108463) on Friday November 09 2001, @06:30PM (#2546558) Homepage Journal
        "For IT Professionals"?

        Ha! According to the bulletin, the people that should be reading this are:

        Customers using Microsoft® Internet Explorer

        That's quite a few people. And consider the link you have to click on. Most users of IE probably don't consider themselves IT Professionals. Heck, some of them are afraid to remove icons from their desktop because it might break Windows.

        You expect these people to:

        1) Visit www.microsoft.com. That's the boring site. They want www.msn.com or www.hotmail.com (these would be much better places to put bulletins.)

        2) Consider themselves IT Professionals. That means they have to be REALLY smart (yeah, sure).

        Basically, it IS hidden, especially for people who don't think to look for these security vulnerabilities. Microsoft may consider posting these bulletins in more prominent places. However, as someone above pointed out, there are probably battles between Marketing and the Developers (developers developers developers developers....) about what to make easily available.
        [ Parent ]
    • Re:You know what I find funny? by rsimmons (Score:1) Saturday November 10 2001, @08:22PM
  • webpages designed for IE by Lepruhkawn (Score:2) Friday November 09 2001, @02:54PM
  • by instinctdesign (534196) on Friday November 09 2001, @02:55PM (#2545201) Homepage
    Just as a disclaimer, I'm not one to defend Microsoft in most cases. But what I think most people don't think about is that there have been so many bugs reported in MS software not only because MS releases naturally buggy software, but because the user-base is so huge that there is more of a possibility that these bugs will be found and in many cases used for unfortunately bad purposes. If Linux/Mac OS/etc was the most widely used, you'd see much the same focus on problems with the software.

    That said however, I don't care for MS and the majority of their software that I do use is out of necessity.
  • Day's Complete? by tsmit (Score:1) Friday November 09 2001, @02:55PM
  • Corvair all over again? (Score:5, Funny)

    by Anixamander (448308) on Friday November 09 2001, @02:56PM (#2545206) Journal
    I'm just waiting for him to declare Windows XP to be "unsafe at any speed."
    • Re:Corvair all over again? by dattaway (Score:2) Friday November 09 2001, @02:59PM
    • Re:Corvair all over again? (Score:4, Offtopic)

      by Erore (8382) on Friday November 09 2001, @04:24PM (#2545895)

      Sorry, I wrote this rant and just wanted to put it somewhere. Your mention of Unsafe at any Speed made me think of it. It is a response to Culp's comments last month.

      Code Red. Lion. Sadmind. Ramen. Nimda. In the past year, computer worms with these names have attacked computer networks around the world, causing billions of dollars of damage. They paralyzed computer networks, destroyed data, and in some cases left infected computers vulnerable to future attacks. The people who wrote them have been rightly condemned as criminals. But they needed help to devastate our networks. And we in the security community gave it to them.

      By listing worms that attacked a variety of operating systems Culp makes it appear that the security threat is equal to all the players in the OS space. What he doesn't do is supply a severity to the listed worms that lets us see that the worst and most widespread of these attacks were against Microsoft systems. Microsoft's dominance in the OS space only increases their responsibility for security breaches, it does not justify their targetability.

      It's high time the security community stopped providing blueprints for building these weapons. And it's high time computer users insisted that the security community live up to its obligation to protect them. We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.

      What it is high time for is Microsoft to take security seriously. Their operating systems have always been about ease of use, not security. Just like passenger and baggage check in US airports are about hassle-free service. We have seen one consequence of the airports security measures, and that terrible act is the only reason airport security is increasing. Numerous reports in the past few years have pointed to the insecurity of passenger air travel, yet the airlines took no notice. Code Red may well be the clarion call to reconsider the importance of security in your operating system. If your current vendor isn't supplying it, perhaps you should look elsewhere.

      Arming the Enemy

      First, let's state the obvious. All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution. While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection. All non-trivial software contains bugs, and modern software systems are anything but trivial. Indeed, they are among the most complex things humanity has ever developed. Security vulnerabilities are here to stay.

      According to Ralph Nader automobiles in the 60's were unsafe at any speed. He blew the whistle, and the groundswell response led to drastic changes in the manufacturing of automobiles and the responsibility of those manufacturers for the safety of the cars after the sale had occurred. Fast-forward 30 years and juxtapose Microsoft for General Motors and you can hear the whistle blowing. Despite Microsoft's attempts to hide behind groups such as the DMCA, consumers and lawmakers will not continue to put up with the security risks using Microsoft products make them vulnerable to.

      If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.

      Do not fear he who hath power to kill your webserver, fear he who hath the power to crack your server, steal your financial data and destroy your very business. Prior to a security fix or announcement of a vulnerability you aren't even aware that your system is at risk. The sooner information is released to the consumer, the sooner they can make a business decision as to which is the greater cost: the possibility of having their system cracked and data stolen, bearing the cost in dollars and man hours to move to a more secure system, or the business impact of shutting an insecure service down until the security bug is fixed.

      The relationship between information anarchy and the recent spate of worms is undeniable. Every one of these worms exploited vulnerabilities for which step-by-step exploit instructions had been widely published. But the evidence is far more conclusive than that. Not only do the worms exploit the same vulnerabilities, they do so using the same techniques as were published - in some cases even going so far as to use the same file names and identical exploit code. This is not a coincidence. Clearly, the publication of exploit details about the vulnerabilities contributed to their use as weapons.

      Again, who is it that we fear? The script kiddies who are all bark, but no bite, or the blackhats who have established user accounts on your servers and have your corporate network as their playground?

      Good Intentions Gone Awry

      Supporters of information anarchy claim that publishing full details on exploiting vulnerabilities actually helps security, by giving system administrators information on how to protect their systems, demonstrating the need for them to take action, and bringing pressure on software vendors to address the vulnerabilities. These may be their intentions, but in practice information anarchy is antithetical to all three goals.

      These methods are only antithetical when you have a dominant market position that is dependent upon people perceiving your products as being easy to use, secure, and hassle free to maintain.

      Providing a recipe for exploiting a vulnerability doesn't aid administrators in protecting their networks. In the vast majority of cases, the only way to protect against a security vulnerability is to apply a fix that changes the system behavior and eliminates the vulnerability; in other cases, systems can be protected through administrative procedures. But regardless of whether the remediation takes the form of a patch or a workaround, an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin.

      Wrong. Providing the exact details of an exploit allows competent administrators or programmers to go to the source of a program or operating system and provide their own fix if none is available from the community at large or the creator of that program. Furthermore, a community made aware of an exploit is able to marshall its resources to provide a fix as soon as possible. Culp's position is only true in a closed source environment where the system administrator is nothing more than a mouse monkey whose idea of system administration and security are the point and click wizards provided by the vendor; or where the risk to customers of using vulnerable systems is weighed against marketing and PR concerns or the availability of programming resources and the cost of providing them.

      Likewise, if information anarchy is intended to spur users into defending their systems, the worms themselves conclusively show that it fails to do this. Long before the worms were built, vendors had delivered security patches that eliminated the vulnerabilities. In some cases, the fixes were available in multiple forms - singleton patches, cumulative patches, service packs, and so forth - as much as a year in advance. Yet when these worms tore through the user community, it was clear that few people had applied these fixes.

      Many people have faulted the patching process itself for the low uptake rate. Fair enough - we do need to make it easier for users to keep their systems secure, and Microsoft acknowledged this very point in a recent major security announcement. But if the current methods for protecting systems are ineffective, it makes it doubly important that we handle potentially destructive information with care.

      One of my cars had a factory recall, some sort of problem with the CV boots. The auto manufacturer contacted me, on more than one occasion, to let me know that my car had a potential problem, where I could go to get it fixed, and they said they would bear the cost to fix my car. I'm not certain which one of the myriad of forms I signed when I purchased the car that signed me up for this protection plan, but it sure did work. In my 7 years of administrating Microsoft networks, the hundreds of products I have registered with them and the thousands of times I have visited their website, never once has Microsoft contacted me to let me know about a security vulnerability in the product they sold me. Making the fix available is not the same as notifying people that there is a problem and a fix.

      Furthermore, like the boy who cried wolf, Microsoft products have so many vulnerabilities and the methods for keeping your systems patched are so time consuming that it can become a full time job just to keep on top of it. After a while you just cry, "Enough!," I've got other things to do than babysit the Microsoft website to find out what the latest vulnerability is. I've subscribed to Microsoft Security alerts, and typically I have found them to be late in notifying me of problems and so filled with PR that it was hard for me to assess the true risk to my systems.

      Finally, information anarchy threatens to undo much of the progress made in recent years with regard to encouraging vendors to openly address security vulnerabilities. At the end of the day, a vendor's paramount responsibility is to its customers, not to a self-described security community. If openly addressing vulnerabilities inevitably leads to those vulnerabilities being exploited, vendors will have no choice but to find other ways to protect their customers.

      A very good point Culp, vendors must find other ways to protect their customers. What Microsoft has been doing is not sufficient. The whistle has been blown, the users hear it, and they know that Microsoft has not had their best interest in mind. If Microsoft had, they would have found ways to contact users of vulnerabilities and given users incentives to patch their systems.

      Responsible Handling is Key

      This is not a call to stop discussing vulnerabilities. Instead, it is a call for security professionals to draw a line beyond which we recognize that we are simply putting other people at risk. By analogy, this isn't a call for people to give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.

      "Fire" is not being called in a crowded movie house, a fire alarm is being pulled and people are making an orderly egress. The egress is to Apache, Linux, Solaris, and FreeBSD. I'm grateful for that fire alarm, without it I would have found myself surrounded in flames created by blackhats while a Microsoft infomercial drones on the screen telling me, "There is no fire." I've got news for you Mr. Gates, this isn't the Matrix, and we are not all plugged into your grand scheme. Some of us see where you are taking us not just today, but tomorrow, and we're going to stop you.

      Most of the security community already follows common-sense rules that ensure that security vulnerabilities are handled appropriately. When they find a security vulnerability, they inform the vendor and work with it while the patch is being developed. When the patch is complete, they publish information discussing what products are affected by the vulnerability, what the effect of the vulnerability is - that is, the type and extent of damage that an attacker could cause through it - and what users can do to protect their systems. This type of information protects users by giving them the information they need to decide whether to apply the fix, but it doesn't put them at risk.

      Baaahhhh! Sheep, that is what Microsoft wants for customers. Users who blindly follow them to the slaughter house. But, shepherd Microsoft can't even protect us that long. The wolves circle and pick off the sheep one by one. Meanwhile, the lead sheep watch what is going on in the slaughterhouse and they are told by the shepherd not to tell the other sheep. Such information would cause a panic in the fold and desertions so great that Microsoft's stock price would fall into an irretrievable spiral.

      Some security professionals go the extra mile and develop tools that assist users in diagnosing their systems and determining whether they are affected by a particular vulnerability. This too can be done responsibly. In many cases, it's possible to build a tool that performs non-destructive testing and can only be used by a legitimate system administrator. In other cases, the specifics of the vulnerability make it impossible to limit how the tool could be used - but in cases like these, a decent regard for the well-being of the user community suggests that it would be better to not build the tool than to release it and see it misused.

      I repeat, those who use open source can always go the extra mile, and at the least, patch their own systems.

      What You Can Do

      Ending information anarchy will not end the threat of worms. Ethics and intelligence aren't a package deal, and some of the malicious people who write worms are quite smart. Even in the best of conditions, it will still be possible to write worms. But the state of affairs today allows even relative novices to build highly destructive malware. It's simply indefensible for the security community to continue arming cybercriminals. We can at least raise the bar.

      What is indefensible is Microsoft's lax security throughout an entire series of Windows operating systems, office suites, and back office products. I once heard a joke that Microsoft was in an uproar because they found a virus that Outlook was not susceptible to; the company vowed to quickly remedy that situation. The best jokes are based upon some truth, and this joke was very, very funny. Security warnings do not arm cybercriminals, security holes do. Once again, do you really think the most malicious of crackers out there don't know and take advantage of security holes before they are announced? Of course those crackers know, and the sooner the user knows the sooner they can do something about it.

      This issue is larger than just the security community. All computer users have a stake in this issue, and all of us can help ensure that vulnerabilities are handled responsibly. Companies can adopt corporate policies regarding how their IT departments will handle any security vulnerabilities they find. Customers who are considering hiring security consultants can ask them what their policies are regarding information anarchy, and make an informed buying decision based on the answer. And security professionals only need to exercise some self-restraint.

      My company can adopt a corporate policy that only open source software will be used for all mission critical systems because only open source has a proven track record of quick security fixes. Instead of worrying about a security consultant's policy on security disclosures, a customer would be better served by keeping security in mind when evaluating software solutions. First avoid the obvious danger.

      For its part, Microsoft will be working with other industry leaders over the course of the coming months, to build an industry-wide consensus on this issue. We'll provide additional information as this effort moves forward, and will ask for our customers' support in encouraging its adoption. It's time for the security community to get on the right side of this issue.

      The security community has always been on the right side of the issue, it is Microsoft who has not. Even now they are trying to sway others to their position instead of adopting that held by the long standing security community.

      [ Parent ]
      • Re:Corvair all over again? by Yankovic (Score:1) Friday November 09 2001, @05:18PM
        • Re:Corvair all over again? (Score:4, Interesting)

          by ivan256 (17499) on Friday November 09 2001, @05:32PM (#2546212)
          I have yet to see a root level exploit in windows that has lasted even near as long before being patched.

          I'm sorry, but a bug that is found today in NT 4.0 or 2000 has most likely been around since the product came out. You're trying to say that Windows bugs don't exist until someone finds them, but Linux bugs are retroactive since the version that they are in came out. Compare apples to apples.

          When the root exploit was found in Linux, the patch was available the very same day. Microsoft can't get a security fix out and tested with "a few days of work". They have hundreds of well-paid programmers. Linux is written by loosely tied, mostly unpaid volunteers. You need to get the wool out of your eyes.

          [ Parent ]
        • Re:Corvair all over again? by SirSlud (Score:2) Friday November 09 2001, @06:35PM
        • Re:Corvair all over again? by nosferatu1001 (Score:1) Wednesday November 14 2001, @07:45AM
      • Re:Corvair all over again? by Florian Weimer (Score:3) Friday November 09 2001, @05:40PM
      • One other minor minor point... by JeremyYoung (Score:1) Friday November 09 2001, @06:18PM
    • Why oh why can't this guy be President? by inKubus (Score:1) Saturday November 10 2001, @03:43AM
  • Irresponsible? by Anonymous DWord (Score:1) Friday November 09 2001, @02:57PM
  • California also says (Score:3, Flamebait)

    by sulli (195030) on Friday November 09 2001, @02:57PM (#2545211) Journal
    "fuck you" [siliconvalley.com] to MS/DOJ. Gillmor's piece is pretty good:

    "California deserves special credit for its stance. Bill Lockyer, the state attorney general, has emerged as the most important public official in America when it comes to holding back the Microsoft tide."

  • Keeping bugs a secret.. (Score:5, Insightful)

    by b-side.org (533194) <bside@[ ]ide.org ['b-s' in gap]> on Friday November 09 2001, @02:58PM (#2545218) Homepage
    Firestone tried it, and, while software bugs might not kill people, they certainly do some damage. What did it cost them, $41.5M?

    How are software bugs, especially critical ones, different from design flaws in a tire?
  • by turbine216 (458014) <turbine216&hotmail,com> on Friday November 09 2001, @02:58PM (#2545219)
    And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows.

    If you read the security bulletin, it's not referring to windows at all. It's a problem with Internet Explorer version 5.5 or later.

    Seems that that little slip exposes a great deal of anti-M$ bias. Not good for a supposed "news source".
  • And don't forget... (Score:5, Informative)

    by Anonymous DWord (466154) on Friday November 09 2001, @02:59PM (#2545223) Homepage
    The Register, and How Microsoft invented open source, by Billg [theregister.co.uk]
  • by Genaro (30541) on Friday November 09 2001, @03:00PM (#2545233)
    because I disabled scripting.

    Yes. You need scripting in order to get details of the security hole. On the other hand they recommend you to disable scripting.

    Odd.

    Yes. I have to use Windows at work.

    Yes. I could use Mozilla.
  • Nader has credibility (Score:5, Informative)

    by Tassach (137772) on Friday November 09 2001, @03:00PM (#2545235) Homepage
    For better or worse, it's good to have a high-profile individual like Nader get involved in this. While anyone can file a letter during the public commentary period, or an amicus curiae brief (if they have a valid interest in the outcome of the case), judges are more likely to pay attention to comments that come from respected public figures than they are to listen to J. Random Public. At least his letter will be read by the judge herself, instead of just being skimmed by a junior clerk and tallied up in the appropriate columns.



    Of course, Nader's stance at the far left at the political spectrum could hurt things if the judge has right-wing leanings (as appears to be the case). At least Nader isn't as rabid as RMS. As much as I admire his commitment and idealism, RMS's uncompromising attitude and abrasive personality could do more harm than good. (Also, RMS's reputation is pretty much confined to geeks, whereas Nader has mainstream recognition.)

  • Alternate Plan - Security Escrow (Score:5, Informative)

    by dpilot (134227) on Friday November 09 2001, @03:00PM (#2545236) Homepage Journal
    OK. Let's let Microsoft keep their security flaws secret. Do any of us think that will really work?

    Part 2: The flaws do need to be placed in 'escrow' in a secure database, with a planned release date, perhaps 6 months after first notice.

    Then let's see if the situation is better or worse. After all, Code Red exploited a months-old hole, which could have been discovered by monitoring Microsoft's own update pages. Somehow it doesn't seem to me that the course of the Code Red mess this Summer would have been affected in the least by Microsoft's proposed policy.

    Or do they consider publication of a bugfix tantamount to 'Security Anarchy', because it lets others know that a hole exists?

    But the real goal here should be that we want to keep Bugtraq and the like alive for our own use. Let Microsoft mess their own sandbox, just don't mess ours.
  • Quote (Score:4, Funny)

    by MouseR (3264) on Friday November 09 2001, @03:01PM (#2545242) Homepage
    Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days"

    Are they referring to the recent release of XP?
    • Re:Quote by pdqlamb (Score:1) Friday November 09 2001, @03:18PM
    • Re:Quote by emissary47 (Score:2) Friday November 09 2001, @04:10PM
      • Re:Quote by BluedemonX (Score:2) Friday November 09 2001, @05:14PM
      • Re:Quote by Fesh (Score:2) Friday November 09 2001, @06:39PM
    • Re:Quote by Swego (Score:1) Friday November 09 2001, @04:30PM
      • Re:miss-Quote by Already.there (Score:1) Friday November 09 2001, @04:44PM
    • Re:Quote by yesthatguy (Score:1) Friday November 09 2001, @04:48PM
      • Re:Quote by Brian Kendig (Score:1) Friday November 09 2001, @05:52PM
    • Re:Quote by sambira (Score:1) Saturday November 10 2001, @12:34AM
  • Thanks Ralph (Score:3, Funny)

    by Drath (50447) on Friday November 09 2001, @03:01PM (#2545245)
    Thanks Ralph, this is why I voted for you.

    Also I like seatbelts.
    • Fucking Moron by B0zzLightyear (Score:1) Friday November 09 2001, @11:31PM
  • Oh really? (Score:3, Informative)

    by Mr. Sketch (111112) <mister DOT sketch AT gmail DOT com> on Friday November 09 2001, @03:01PM (#2545246)
    Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days"

    Funny, Open Source software can have a patch out within a few days, why can't Microsoft?
  • Here's an ugly one by Anonymous DWord (Score:2) Friday November 09 2001, @03:02PM
  • security software (Score:5, Interesting)

    by whiteben (210475) on Friday November 09 2001, @03:02PM (#2545249)
    Perhaps the scariest line in the securityfocus.com article is this one:

    The bylaws will also include an agreement that any security software produced by members of the group will be engineered in such a way that it can only be used for lawful purposes.

    Yet again, we have a software usage agreement that restricts the types of things for which the software can be used. This is silly and ironic. If some sort of authority were set up to police the observance of this, we'd be a huge step closer to the scary world RMS describes in the famous essay set in a (hopefully) fictional future. Without such an authority, MS and friends would essentially be relying on the honor system which it hates so much.


    I guess that MS and friends would rather have the sense of security they get from restrictive user licenses and the like. Folly.


    BEN

  • Grey hats by Anonymous Coward (Score:1) Friday November 09 2001, @03:02PM
    • Re:Grey hats by Happy Monkey (Score:2) Friday November 09 2001, @06:04PM
  • irresponsibility by donabal (Score:1) Friday November 09 2001, @03:04PM
  • BBC Article (Score:3, Informative)

    by calibanDNS (32250) <brad_staton&hotmail,com> on Friday November 09 2001, @03:04PM (#2545266)
    The BBC [bbc.co.uk] also has an article [bbc.co.uk] today detailing some of the groups and corporations that are lining up to take on Microsoft on several different fronts.
  • C'mon everyone! we're getting on the clue train!!! by niekze (Score:1) Friday November 09 2001, @03:04PM
  • They could learn from Apple... (Score:5, Insightful)

    by CokeBear (16811) on Friday November 09 2001, @03:04PM (#2545271) Homepage Journal
    Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days".


    Pardon my french, but *bullshit*.


    Apple released iTunes 2.0 on a Saturday night. When a major bug was found, not only did they pull the installer *immediately*, but they fixed the bug and had a new one up in its place (properly labelled 2.0.1) within 24 hours. Not only that, but they have also said that they will pay for DriveSavers recovery for anyone who lost data to the bug. Can anyone imagine MS responding that quickly? On a *weekend* even! (Or accepting responsibility for its bugs like that?)

  • Microsoft does whatever it likes by ispq (Score:1) Friday November 09 2001, @03:05PM
  • Damn, I like Ralph by Anonymous Coward (Score:1) Friday November 09 2001, @03:05PM
  • Where did the money go? by dropdead (Score:1) Friday November 09 2001, @03:05PM
  • Microsoft Reveals Anti-Disclosure Plan by moored2 (Score:1) Friday November 09 2001, @03:05PM
  • As a former "black hat" (Score:5, Interesting)

    by CmdrTroll (412504) on Friday November 09 2001, @03:06PM (#2545292) Homepage
    Back when I was in high school, I was a script kiddie. I would DDoS my classmates to show how k-RaD I was. I had an extensive network of trin00 and BO2k zombies at my disposal. It was fun. For a while.

    The best thing I learned from my experiences as a skript kiddie is that BUGTRAQ, BoS, and every other sysadmin-visited list was the last to hear about new security flaws. Sure, on occasion, @stake or the ISS X-Force would come up with something novel. But the majority of the time, I would see sploits circulated by my Russian friends on IRC weeks before anyone even mentioned the vulnerability on BUGTRAQ. Consider the BIND 8.2.2-P5 flaw: I had the ADM sploit for it weeks before an advisory was even issued.

    Stopping full disclosure won't hurt the script kiddies. It will hurt the admins, who won't have enough information to patch their source base to fix the problem. (As a FreeBSD admin with a good grasp of C, patching a security hole takes on the order of minutes now.) But it will help this cartel to keep privileged information to themselves, so that hapless admins like myself will not have the information we need to defend ourselves. And it helps Microsoft, who can honestly claim that their systems are more secure than UNIX when the UNIX admins can't defend themselves more quickly than the M$ admins can anymore. It's just capitalism at work.

    -CT

  • by JoeBuck (7947) on Friday November 09 2001, @03:07PM (#2545297) Homepage

    It is proper for us to reject Microsoft's attempt to keep its bugs secret. But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion. We need to openly discuss our bugs. Otherwise we are, in effect, supporting Microsoft in their effort to stifle discussion.

    Yes, the DMCA is a bad law, but it's not infinitely bad. It does not forbid discussion of bugs or circulation of patches for bugs; claims otherwise are based on confused readings.

    • Re:Let's not be the pot calling the kettle black by ryants (Score:2) Friday November 09 2001, @03:30PM
    • Re:Let's not be the pot calling the kettle black by Frater 219 (Score:3) Friday November 09 2001, @03:40PM
    • Re:Let's not be the pot calling the kettle black by GeorgeH (Score:1) Friday November 09 2001, @03:52PM
    • by Velex (120469) <velexNO@SPAMseijinohki.net> on Friday November 09 2001, @04:47PM (#2546006) Homepage

      It is proper for us to reject Microsoft's attempt to keep its bugs secret. But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion. We need to openly discuss our bugs. Otherwise we are, in effect, supporting Microsoft in their effort to stifle discussion.

      Not at all. The way I see it, there are two things at work here.

      1. As pointed out in other posts, Alan Cox is not the one censoring himself, but rather it is the DMCA, which has the enforcement of the entire populace of the United States behind it. That is what it means to make a law, to create a policy with the enforcement of every single individual in the country where the law was made. On the other hand, Microsoft is the one that is censoring itself, without respect for the DMCA, whether or not it applies to the bug as it did to the bugs that Cox refuses to discuss in a forum intended for a United States audience.
      2. More importantly, the intents of the actions are completely different and somewhat incomparable. When Cox refused to discuss security of the Linux kernel, he had two intentions:
        1. Cover his own ass from possible litigation from the people of the United States, represented by John Ashcroft.
        2. Drive a message to the people of the United States that the DMCA is a bad law, and they should seek its immediate repeal.
        On the other hand, Microsoft, while their intention is also to cover their ass, it's not from litigation and legal hot water, it's from their own bad PR. Microsoft isn't even trying to seek repeal of the DMCA, for obvious reasons. Whereas Cox was making a political statement, Microsoft is just trying to censor bad PR.

      Therefore, it is right and consistent that we can hate Microsoft for censorship, and applaud Cox for censorship, because there are deeper levels and motives than simply censorship.

      [ Parent ]
    • Re:Let's not be the pot calling the kettle black by RickHunter (Score:1) Friday November 09 2001, @04:55PM
  • Critical Flaw by Nitroshock (Score:2) Friday November 09 2001, @03:08PM
  • From Ralph Nader's Open Letter (Score:4, Insightful)

    by libre lover (516057) on Friday November 09 2001, @03:10PM (#2545317) Homepage
    From the open letter:
    The agreement provides Microsoft with a rich set of strategies to undermine the development of free software, which depends upon the free sharing of technical information with the general public, taking advantage of the collective intelligence of users of software, who share ideas on improvements in the code. If Microsoft can tightly control access to technical information under a court approved plan, or charge fees, and use its monopoly power over the client space to migrate users to proprietary interfaces, it will harm the development of key alternatives, and lead to a less contestable and less competitive platform, with more consumer lock-in, and more consumer harm, as Microsoft continues to hike up its prices for its monopoly products.
    To think that a man who ran for President "gets it" with respect to Free Software boggles the mind. As days go by I just keep feeling more and more vindicated for having voted for him.
  • Patch available... by Soulfader (Score:1) Friday November 09 2001, @03:10PM
  • Legal Status by inepom01 (Score:1) Friday November 09 2001, @03:11PM
  • SANS Top 20 list by slutdot (Score:1) Friday November 09 2001, @03:11PM
  • Something Amusing (Score:5, Interesting)

    by DarkZero (516460) on Friday November 09 2001, @03:11PM (#2545331)
    As an experienced IE user, I immediately took the usual steps to get around IE vulnerabilities. I immediately turned off Active Scripting (it was a blunder on my part that it wasn't disabled, because I didn't know IE6 had added THAT MUCH new stuff), and then went to Windows Update...

    You can't go to Windows Update to download patches any more after you've turned Active Scripting off. Microsoft sends you to a page telling you to turn Active Scripting and all sorts of other dangerous things back on.

    Redmond dumb-asses.

  • Another SANS Interview by Anonymous Coward (Score:1) Friday November 09 2001, @03:12PM
  • Developers developers developers by ZaneMcAuley (Score:1) Friday November 09 2001, @03:14PM
  • MS Rallying end-user support? (Score:4, Insightful)

    by Xerithane (13482) <xerithane&nerdfarm,org> on Friday November 09 2001, @03:14PM (#2545350) Homepage Journal
    From the article:
    The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.

    I was reading through the "Irresponsible" link, as well as the vulnerability report. Information Anarchy is the phrase they have coined to display that information really doesn't want to be free. This, if successful, will cause a very adverse association to open source developers I think. If they "edjucate" their end-users into thinking that information should be tightly controlled by a centralized source, then it's easy to make the connection that the open-source community is vilifying the information management structure that Microsoft and friends is working so hard to manage for the best interest of the consumers.

    They claim it's not feasible for them to release a patch within 5 days. Why do I have a feeling that this code segment is probably less than 50 lines, hell - you could provide a hack just to filter malicious URLs in less than that and release that patch in well under a day or two without sacrificing what we all know as Microsoft's high standards of quality.

    Maybe I'm paranoid, but it seems this is a much larger tactic towards a revised SSSCA that will be in Microsoft's best interest - much easier to add a clause saying it's illegal to release unauthorized security information about a company's product to an unapproved bill.
  • Proof in the pudding (Score:3, Interesting)

    by snarfer (168723) on Friday November 09 2001, @03:16PM (#2545363) Homepage
    The point of the Microsoft suit was to bring back competition. Innovation was stifled because no one could get investment $$ if they were in a market Microsoft was even thinking about entering.

    So what is the effect on investment capital of the settlement?

    The proof is in the pudding. Is Red Hat stock up? Is Palm or Be stock up - or is anyone coming in with a bid that beats Palm's paltry $11 million? Is there venture capital available for companies to compete with productivity apps or streaming audio?
  • Passing the buck by GreenCrackBaby (Score:1) Friday November 09 2001, @03:16PM
  • Here's why the government lost (Score:3, Interesting)

    by tb3 (313150) on Friday November 09 2001, @03:19PM (#2545401) Homepage
    From the MSNBC article:

    In a classic display of Microsoft pugnacity, the company hammered opposing government lawyers on nearly every conceivable point, no matter how small. Eventually exhaustion became a factor, lawyers on the government side acknowledge.

    So let's make sure the state attorneys general keep their lawyers adequately supplied with No-Doze!
  • MS Memo by BurritoWarrior (Score:1) Friday November 09 2001, @03:20PM
  • From the FAQ... (Score:4, Informative)

    by don_carnage (145494) on Friday November 09 2001, @03:24PM (#2545449) Homepage

    Why isn't there a patch available for this issue?

    The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.

    Hehe.


  • Bug Non-disclosure (Score:3, Interesting)

    by Mike1024 (184871) on Friday November 09 2001, @03:31PM (#2545496)
    Hey,

    Bindview, Foundstone, Guardent, @Stake, and Internet Security Systems joined with the software-maker to declare they would immediately begin

    Wasn't @stake [atstake.com] formed from hacker group l0pht [l0pht.com]? Yes, I think they were! They used to attend Def Con, and work on Back Orifice [everything2.com] and L0phtCrack?? Didn't they get banned from BugTraq because they posted links to their site in the place of good, solid descriptions?

    My, how times change.

    -M
  • Hard to get a patch in a few days?! (Score:3, Insightful)

    by SquierStrat (42516) on Friday November 09 2001, @03:31PM (#2545497) Homepage
    Okay, some vulnerabilities might be difficult to get fixed in a couple of days...but with a team of programmers as large as they have...months is quite a stretch...they still have God knows how many vulnerabilities in NT 4 that have been known for some time! The linux folks can patch stuff rather quickly with a fraction of microsoft's financial and wetware resources. Show me the problem.
  • Ralph Nader: the Wizard/Warrior of US politics by bryanbrunton (Score:1) Friday November 09 2001, @03:31PM
  • i find this intresting by Gray Elf (Score:1) Friday November 09 2001, @03:32PM
  • Corrections by freakinPsycho (Score:2) Friday November 09 2001, @03:35PM
    • Re:Corrections by LukeyBoy (Score:2) Friday November 09 2001, @04:57PM
  • Damnit... by nathanh (Score:2) Friday November 09 2001, @03:38PM
    • Re:Damnit... by DEATH AND HATRED (Score:1) Friday November 09 2001, @04:39PM
    • Re:Damnit... by marick (Score:1) Friday November 09 2001, @04:41PM
    • Re:Damnit... by mj01nir (Score:1) Friday November 09 2001, @06:42PM
    • Re:Damnit... by Chris Johnson (Score:2) Friday November 09 2001, @08:08PM
  • The Obsession continues by WildBeast (Score:1) Friday November 09 2001, @03:39PM
  • To Ralph Nader: Ever hear of grammar checking? by -=[ SYRiNX ]=- (Score:1) Friday November 09 2001, @03:40PM
  • So much for the l0pht by mcSey921 (Score:2) Friday November 09 2001, @03:41PM
  • I was particulary disimpressed by Charles James by electroniceric (Score:1) Friday November 09 2001, @03:41PM
  • More info on the IE cookie vulnerablity by sheetsda (Score:2) Friday November 09 2001, @03:42PM
  • Can't we just use Opera yet? by AA0 (Score:1) Friday November 09 2001, @03:42PM
  • Again. by O2n (Score:1) Friday November 09 2001, @03:43PM
  • Windows Holes and Other MS Niceties by lazyeye (Score:1) Friday November 09 2001, @03:44PM
  • Why there systems are so bad by VEGETA_GT (Score:2) Friday November 09 2001, @03:44PM
  • My favorite parts of the letter: by hether (Score:1) Friday November 09 2001, @03:50PM
  • Sept. 11 As Justification (Score:5, Informative)

    by krmt (91422) <therefrmhere AT yahoo DOT com> on Friday November 09 2001, @03:54PM (#2545682) Homepage

    On Sept. 28, she told the parties in the Microsoft case that 'the recent tragic events affecting our nation' demanded a prompt end to litigation that had already roiled the stock market and generated economic uncertainty.

    That exhortation hit home. After Sept. 11, 'the world had changed, with war abroad, threats at home and a deteriorating economy, creating a powerful dynamic to settle,' says Richard Blumenthal, Connecticut's attorney general and one of the more-aggressive state officials involved in the case.


    While I see the reasoning behind this, shouldn't the Sept. 11 attacks make us more appreciative of our freedoms than of our money? All the politicians are running around talking about freedom being the American ideal, shouldn't they be more focused on maintaining freedom than money in this case also?
  • What's in a name? by RichiP (Score:1) Friday November 09 2001, @03:54PM
  • ...every website made for IE?? by Wonko42 (Score:2) Friday November 09 2001, @03:55PM
  • Cookie vulnerability found here: by savaget (Score:2) Friday November 09 2001, @04:01PM
  • by Adhoc (132137) on Friday November 09 2001, @04:02PM (#2545743)
    Reading this gave me a warm fuzzy feeling inside.
    -----------------
    The level of fines that would serve as a deterrent for cash rich Microsoft would be difficult to fathom, but one might make these fines deter more by directing the money to be paid into trust funds that would fund the development of free software, an endeavor that Microsoft has indicated it strongly opposes as a threat to its own monopoly. This would give Microsoft a much greater incentive to abide by the agreement.
  • ralph by TheRain (Score:1) Friday November 09 2001, @04:06PM
  • Fart in a windstorm by fdisk3hs (Score:2) Friday November 09 2001, @04:09PM
  • Wheeeeeeeee by FrdPrefct (Score:1) Friday November 09 2001, @04:10PM
  • Slashdot editor bias (Score:3, Informative)

    by sheldon (2322) on Friday November 09 2001, @04:10PM (#2545805)
    It's interesting. I've already read every one of these articles linked to by slashdot in the last few days.

    But the bizarre thing is how biased slashdot is with their presentation. If you actually click thru on the links and read the stories, you'll understand why.

    For instance, why wasn't this article from news.com linked as well, considering it is Scott Culp responding to a lot of the questions and accusations?

    http://news.cnet.com/news/0-1014-201-7819204-0.html?tag=bt_bh
  • Well duh! by Arandir (Score:2) Friday November 09 2001, @04:13PM
  • If you want to do something about MS by Anonymous Coward (Score:1) Friday November 09 2001, @04:15PM
  • Pitiful ... by ninewands (Score:1) Friday November 09 2001, @04:16PM
  • Anti-Disclosure Is Funny by SloppyElvis (Score:1) Friday November 09 2001, @04:20PM
  • Keep us in the dark huh? (Score:3, Interesting)

    by BLKMGK (34057) <morejunk4me@ho[ ]il.com ['tma' in gap]> on Friday November 09 2001, @04:22PM (#2545878) Homepage
    Gee, maybe that explains why http://packetstormsecurity.org has had the rate of submissions slow from many a day to one or two every couple of days. I KNOW vulnerabilities are being found but it's REALLY hard to explain to management why they MUST rollout a security patch if I cannot PROVE to them that, yes it's a problem! Has everyone rolled over?

    WTF is wrong with these folks?! I can see it now - we're all going to have to sign up to some sort of subscription service to learn about the various vulnerabilities. No doubt it won't be free, right? I have a VERY hard time believing that @Stake aka L0PHT signed up for this. My opinion of those fine folks just dropped into the basement. I never thought I'd see the day when they would kowtow to Microsoft, it's a sad day indeed for the security industry.

    Who are we doing this for? The children? National Security? Oh wait - Bill's cash. Seems to have greased the DOJ wheels pretty good, guess things are bad all over when the security industry sucks it up too. This just makes me sick.

    Any good full disclosure sites out there taking over where PacketStorm died? If so I'd appreciate some URLs. BTW, some of the folks on our team swear the SecurityFocus has pulled data OUT of their vulnerability database in recent months. Cannot confirm it for sure but when you know you looked it up previously and then it's not there later you have to begin to wonder....

    P.S. If RFP signs on Hell will have frozen over. Thankfully he doesn't appear to take cash for his efforts!
    • Re:Keep us in the dark huh? (Score:4, Informative)

      by ryanr (30917) <ryan@thievco.com> on Friday November 09 2001, @06:06PM (#2546383) Homepage Journal
      The only info we have pulled out of the vuldb that I can remember was the telnetd exploit. This was because the copyright holder insisted. We do on occasion have a duplicate BID, or consolidate several into one when it becomes clear that they are the same. Therefore, you may sometimes see a particular BID number "go away", but the info exists under another BID. We also had a few temporary problems while we switched from Roxen to Apache a few weeks ago, and I recall that not all info was showing up for a while.

      But basically, no we aren't pulling anything out.
      [ Parent ]
  • How Microsoft invented open source, by Billg by bstadil (Score:2) Friday November 09 2001, @04:28PM
  • James obviously not a technologist by Anonymous Coward (Score:1) Friday November 09 2001, @04:30PM
  • In other news... by MrResistor (Score:2) Friday November 09 2001, @04:40PM
  • Is linux registered?? by Calle Ballz (Score:2) Friday November 09 2001, @04:44PM
  • He should focus on TicketMaster by ClosedSource (Score:2) Friday November 09 2001, @04:46PM
  • irresponsible by panic911 (Score:1) Friday November 09 2001, @04:54PM
  • Great Quote from the WSJ (Score:5, Insightful)

    by Skip Head (262362) on Friday November 09 2001, @04:56PM (#2546052) Homepage
    Here is a little quote from the Wall Street Journal article:

    James rejects these criticisms and says the decision to protect Microsoft's security provisions was "one of those 'duh' issues". He continues: "Microsoft has security protocols. Are we going to tell everyone how they work? Do you want people to get access to your credit-card information when you shop on line?"
    Knowing how a security protocol works should not make it less secure. I can read how SSL works, but that does not make it less secure. Same with Kerberos, DES, RSA, etcetera. A proper security protocol should be secure even if you know how it works. Security through obscurity DOES NOT WORK.

    This quote sounds like it came from Microsoft, but get this: he works for the DOJ! This guy James was the one in charge of the negotiations with Microsoft. He is supposed to be on our side.

    It seems like he knows very little about computer security. It also seems like he believed whatever the Microsoft lawyers told him. No wonder they arrived at such a one-sided settlement.
  • Pathetic by nowt (Score:2) Friday November 09 2001, @04:58PM
    • Re:Pathetic by Tony-A (Score:1) Friday November 09 2001, @09:07PM
  • Bad press is better than no press by jonnystiph (Score:1) Friday November 09 2001, @05:21PM
  • by weave (48069) on Friday November 09 2001, @05:30PM (#2546203) Journal
    OK, someone was irresponsible by releasing details so soon after notifying Microsoft and they say that is irresponsible.

    Maybe so, but what I don't get is this expectation everyone has that these security holes go through the same steps...

    1. Discovery
    2. Notification
    3. Disclosure
    4. Exploits

    The real danger is when someday someone will discover one of these huge gaping holes, not tell a soul, and then exploit them for profit, terror, extortion, or simple chaos.

    We've been lucky so far. For Microsoft to try to divert the entire blame is what is irresponsible. Remember who created the security hole in the first place....

  • irony... by slitfinger (Score:1) Friday November 09 2001, @05:34PM
  • by Quadell (197852) on Friday November 09 2001, @05:37PM (#2546236) Homepage

    Usually, I think MS has an undeservedly bad reputation. But I can't stomach their assertion that open discussion about their bugs is somehow unethical.

    From Microsoft's article [microsoft.com]:

    We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.

    Who chooses what sort of speech is smart, prudent, and responsible? The speaker? Or Microsoft? Since they branded it irresponsible to reveal a security flaw only "days" after telling Microsoft about it, it seems obvious to me that this is a request to let Microsoft control all discussion about their security flaws. This is patently unacceptable.

    If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.

    I don't think it's best described as information anarchy. Anarchy is an emotionally loaded term, like piracy. But anarchy just means "not centrally controlled or regulated". Do we want all discussion of security to be centrally controlled and regulated? If you replace the phrase "information anarchy" with "free speech", the article becomes much more enlightening. The author seems to try to address this by saying:

    By analogy, this isn't a call for people to give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.

    But the movie house is on fire. The bug exists - your private information is vulnerable. The responsible thing for Microsoft to do is admit that they made a mistake, and work to put out the fire. Unfortunately, they've chosen to blame the messenger.

    It's natural for a powerful organization to want to suppress speech that points out its flaws. It's natural - but it should never be tolerable.

  • wtf happened to the L0pht? by asland (Score:1) Friday November 09 2001, @05:43PM
  • Why it takes MS so long.... by jpmorgan (Score:2) Friday November 09 2001, @05:44PM
  • Question: by ocie (Score:2) Friday November 09 2001, @05:45PM
  • Actually, this is a GOOD THING! by dbretton (Score:1) Friday November 09 2001, @05:50PM
  • Most Effective Remedy by rusti999 (Score:1) Friday November 09 2001, @06:05PM
  • pirated copies of windows don't get patched by BroadbandBradley (Score:2) Friday November 09 2001, @06:05PM
  • Didn't Microsoft lose the case? by jimbolaya (Score:1) Friday November 09 2001, @06:07PM
  • Kids, it's time for a song. by trilucid (Score:2) Friday November 09 2001, @06:32PM
  • notification by tahpot (Score:2) Friday November 09 2001, @06:47PM
  • tcp wrappers: i have said this before... by lyapunov (Score:1) Friday November 09 2001, @07:04PM
  • For those of you using IE by loconet (Score:1) Friday November 09 2001, @07:12PM
  • can you get a patent on an exploit? by rfz (Score:1) Friday November 09 2001, @07:25PM
  • Nader is a tool. by Warshadow (Score:1) Friday November 09 2001, @07:46PM
  • With information like this... by segfault_0 (Score:1) Friday November 09 2001, @09:09PM
  • The DoJ doesn't understand the issues by gotan (Score:2) Friday November 09 2001, @09:54PM
  • you can say about Ralph Nader wha tyou like... by Lennie (Score:1) Friday November 09 2001, @10:35PM
  • I wonder how long.. by GISboy (Score:1) Friday November 09 2001, @11:51PM
  • This shouldn't be any problem.... by Newer Guy (Score:1) Saturday November 10 2001, @12:36AM
  • Open source running companies out of business. by nick_burns (Score:1) Saturday November 10 2001, @01:02AM
  • Who's being irresponsible here? by Zspdude (Score:1) Saturday November 10 2001, @01:44AM
  • Microsoft by cmdrTacosBitch (Score:1) Saturday November 10 2001, @03:21AM
  • Eric S. Raymond's opinion by TomK32 (Score:1) Saturday November 10 2001, @03:48AM
  • Nader, just the man I want on my side--NOT by Fujisawa Sensei (Score:1) Saturday November 10 2001, @04:30AM
  • And there I was, ... by dreamsinter (Score:1) Saturday November 10 2001, @06:35AM
  • @Stake / L0pht on full disclosure by malx (Score:1) Saturday November 10 2001, @06:51AM
  • What I've learned from Microsoft... by Krokus (Score:1) Saturday November 10 2001, @07:59AM
  • i could live without MS by martinflack (Score:1) Saturday November 10 2001, @01:20PM
  • MS == Ingsoc by internic (Score:1) Saturday November 10 2001, @01:36PM
  • The Poor Misguided l0pht by rsimmons (Score:1) Saturday November 10 2001, @08:19PM
  • Re:Someone... by geekoid (Score:2) Friday November 09 2001, @03:03PM
    • Huh? by autopr0n (Score:1) Saturday November 10 2001, @09:57AM
    • Re:Someone... by Reid (Score:1) Friday November 09 2001, @03:28PM
  • Re:Yet more Anti MS vomit from the folks at slashd by smitty_one_each (Score:1) Friday November 09 2001, @03:10PM
  • Seems your check bounced.. by Svartalf (Score:2) Friday November 09 2001, @03:18PM
  • Re:Ralph Nader's hypocrisy by snarfer (Score:2) Friday November 09 2001, @03:19PM
  • Re:Linux Linux Linux (Score:5, Interesting)

    by M_Talon (135587) on Friday November 09 2001, @03:19PM (#2545398) Homepage
    So many holes in this rant, which ones to choose? Let's go with this one.

    I can sell my Copy of XP if I wish, if I sell my NFL tickets it can be scalping.. Microsoft doesn't price point XP, they give it a value. I can buy XP and sell it for 30 bucks or 300 bucks, whatever the consumer is willing to pay. I can't do that with Baseball tickets, nfl tickets or phone service.

    Try selling your copy of XP online, and watch how fast MS stops you because of licensing issues. If you actually sell it on the street, they could still nail you if they find out. You can resell your sports tickets at face price without violating scalping laws. Phone service is a service, not a product, and thus is non-transferable.

    Or how about this one?

    So why all the resistance on microsoft? Why not make it a perfect world and attack the NFL, MLB, NBA, WNBA and your local telco megopoly who restrict your choices and charge you exhuberant prices and rip off the consumer.

    Because there are other sports and other phone options, and for the most part those don't do such blatant anti-competitive practices. You don't see the NFL trying to create a baseball team. M$ wants to control the entire computing experience and then some...and they make no bones about it. And of course, the biggest point is that MS has been found to be in violation of law for their monopolistic practices, and yet they still flagrantly defy the law. That makes them a viable target for criticism, pure and simple.
    [ Parent ]
  • Re:Ralph Nader's hypocrisy by Anonymous DWord (Score:1) Friday November 09 2001, @03:22PM
  • Re:Ralph Nader's hypocrisy by Bearpaw (Score:2) Friday November 09 2001, @03:24PM
  • Re:Linux Linux Linux by pbur (Score:1) Friday November 09 2001, @03:25PM
  • Re:Linux Linux Linux (Score:3, Funny)

    by Znork (31774) on Friday November 09 2001, @03:51PM (#2545659)
    Go call Microsoft and ask them if you can sell your copy of XP, eh?

    Hint of what response you can expect: In. Your. Dreams.
    [ Parent ]
  • Re:When they gonna learn by czardonic (Score:1) Friday November 09 2001, @03:52PM
  • Re:Linux Linux Linux by Victor Tramp (Score:1) Friday November 09 2001, @03:53PM
  • Dummy dummy dummy by pi radians (Score:1) Friday November 09 2001, @04:05PM
  • Re:Ralph Nader's hypocrisy by Junior J. Junior III (Score:2) Friday November 09 2001, @04:23PM
  • Re:Yet more Anti MS vomit from the folks at slashd by jejones (Score:2) Friday November 09 2001, @04:34PM
  • Re:Yet more Anti MS vomit from the folks at slashd by SloppyElvis (Score:1) Friday November 09 2001, @04:35PM
  • Re:Monopoly complaint getting old... by snarfer (Score:1) Friday November 09 2001, @05:34PM
  • Re:Yet more Anti MS vomit from the folks at slashd by nosferatu1001 (Score:1) Thursday November 15 2001, @04:37AM