Microsoft's Goal, Security Through Obscurity?
dave cutler writes "Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks." Update: 05/09 13:59 GMT by M: The benefit to customers of Microsoft integrating internet services into the operating system, as well as Microsoft's commitment to security, are exemplified in this article which notes yet another remote root hole in Microsoft's code.
WTF???? (Score:5, Flamebait)
TRILLIAN CONTAINS NO MICROSOFT CODE. THIS IS A FLAW IN MICROSOFT'S CODE, NOT THE PROTOCOL.
WTF was the author on?? HTF can he say this? It's blatantly wrong.
p.s. I'm a Trillian user.
Re:WTF???? (Score:4, Insightful)
Don't use 3d party stuff. Use the latest from MS. It's secure this time. We promise. Really.
Vaguely reminds me of auto glass purveyors out in a parking lot with a bat.
Typo? (Score:2)
I'm sorry, there seems to be a typo in that sentence. Shouldn't there be a "not" or "doesn't" in there somewhere?
Re:WTF???? (Score:5, Informative)
This leads to a couple questions I do not personally know the answer to:
Is there a way to uninstall ActiveX controls?!?
Can I get a list of the ActiveX controls installed on my machine??!?
Re:WTF???? (Score:4, Informative)
ActiveX removal (Score:2, Informative)
I'm not running Windows, so I don't remember where it stashes the GUIDs for lookup. HKEY_LOCAL_MACHINE\Software\Classes might be a place to start, or you could wade through all the links an "ActiveX registry" search on Google will get you in order to find something more adequate.
Re:WTF???? (Score:2)
But, for an actual ActiveX control (with a visual interface), most will have an OCX extension. If you don't want to patch it, search for the file msnchat40.ocx and delete it. To be absolutely sure, delete the reg entry for it. There will be an entry in the CLSID section of HKEY_CLASSES_ROOT (just search for the above file in regedit and delete the keys). Actually, if you delete the class pointers to the interface, no program could call it anyway, but deleting them both is the safest way.
Re:WTF???? (Score:2)
Unless you use Windows XP, in which case it's (cough) integrated. There is no uninstall option available, and even if there was I'm not sure it'd remove the chat control. There is however a workaround, you can run a command from the Run dialog that will manually trigger the uninstall routine. I can't remember it now, but it can be found on google. Doing so does not in any way harm or reduce the functionality of your system - that's how integrated it is.
Rant aside, this is worrying, not least because many people who don't actually use MSN but have WinXP will have MSN installed but not think to update it, as they never use it. Therefore it will sit there, leaving a hole, never to be updated (unless they use the auto-update tool).
This leads to a couple questions I do not personally know the answer to: Is there a way to uninstall ActiveX controls?!? Can I get a list of the ActiveX controls installed on my machine??!?
1) Sort of. You can "unregister" them, but this requires API calls and is therefore normally dealt with by the install program. If an ActiveX control is not associated with a particular program (the IE control for instance), it cannot be easily uninstalled.
2) ActiveX is a loosely defined superset of COM. Look in the registry under HKEY_CLASSES, and look at that rather long list of GUIDs. Each and every one is a COM object, that may or may not be classified as an ActiveX object by the Microsoft marketing department. As far as I know, there isn't any easy way (other than manually querying the interfaces) to tell if something is a necessary part of Windows or simply a piece of fluff put there to push a corporate agenda.
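The two replies above both boil down to "look at the CLSID list in the registry and work out which entries are ActiveX controls and which file backs each one". As an added example (not code from the thread or from Microsoft), here is a small parser for the text that regedit/reg.exe exports, which builds that inventory offline: it records every CLSID, the InprocServer32 path behind it, and whether the class is marked as a control, so you can list the controls and look up which CLSIDs point at a file such as msnchat40.ocx before deciding what to unregister. The embedded registry dump is constructed for the example; its GUIDs and paths are placeholders, not real registrations.

```python
"""Inventory COM/ActiveX registrations from a regedit (.reg) export.

Added example, not from the original thread. Parses the text that
`reg export HKCR\\CLSID out.reg` produces and answers two questions:
which CLSIDs look like ActiveX controls, and which CLSIDs are served
by a given file name.
"""
import re
from dataclasses import dataclass

# Constructed sample dump: GUIDs and paths are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}]
@="MSN Chat Control (placeholder)"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\Downloaded Program Files\\msnchat40.ocx"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\Control]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}]
@="Example Shell Extension (placeholder)"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\system32\\example.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000003}]
@="Registered but no server (placeholder)"
"""

# [HKEY_CLASSES_ROOT\CLSID\{guid}] or [HKEY_CLASSES_ROOT\CLSID\{guid}\Subkey]
KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.+))?\]$')
# @=value (default value) or "Name"=value
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


@dataclass
class ComClass:
    clsid: str
    name: str = ""            # default value of the CLSID key
    server: str = ""          # default value of InprocServer32 (DLL/OCX path)
    is_control: bool = False  # CLSID has a Control subkey (ActiveX control marker)


def _unquote(literal):
    """Turn a .reg REG_SZ literal ("C:\\\\x") into a plain string."""
    if literal.startswith('"') and literal.endswith('"'):
        literal = literal[1:-1]
    return literal.replace('\\\\', '\\').replace('\\"', '"')


def parse_clsid_export(text):
    """Return {clsid: ComClass} for every CLSID key in the export text."""
    classes = {}
    current = None
    subkey = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            clsid = m.group(1).upper()
            subkey = (m.group(2) or "").lower()
            current = classes.setdefault(clsid, ComClass(clsid))
            if subkey == "control":
                current.is_control = True
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if not m or m.group(1) != "@":   # only default values matter here
            continue
        value = _unquote(m.group(2))
        if subkey == "":
            current.name = value
        elif subkey == "inprocserver32":
            current.server = value
    return classes


def activex_controls(classes):
    """Heuristic: a control usually has a Control subkey and/or an .ocx server."""
    return [c for c in classes.values()
            if c.is_control or c.server.lower().endswith(".ocx")]


def find_by_file(classes, filename):
    """CLSIDs whose in-process server has this base name (case-insensitive)."""
    target = filename.lower()
    return [c for c in classes.values()
            if c.server and c.server.rsplit("\\", 1)[-1].lower() == target]


if __name__ == "__main__":
    inventory = parse_clsid_export(SAMPLE_REG)
    for c in activex_controls(inventory):
        print(c.clsid, c.name, "->", c.server)
    for c in find_by_file(inventory, "msnchat40.ocx"):
        print("msnchat40.ocx is registered as", c.clsid)
```

To run it against a real machine, export the hive with `reg export HKCR\CLSID clsid.reg` and feed the file's text to `parse_clsid_export` (reg.exe typically writes UTF-16, so open the file with `encoding="utf-16"`). The Control-subkey/.ocx test is a heuristic, not a definition; a CLSID that fails it can still be a COM server that a page can instantiate, which is why the lookup by file name is kept separate.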
Re:WTF???? (Score:2)
Re:WTF???? (Score:2)
ROFL
That statement is so Microsoft.
Read the article (Score:4, Informative)
In an advisory today, Eeye warned that the flaw in the "MSN Chat OCX control" enables an attacker to "supply and execute code on any machine on which MSN Messenger with the ActiveX is installed."
In other words, if those components are installed, even if you don't use them, you are at risk. You're right, it has nothing to do with Trillian.
The author is right, completely right. Try reading next time.
Re:WTF???? (Score:3)
Re:WTF???? (Score:5, Funny)
---QUOTE---
"The attack doesn't happen through the chat client, so as long as you
have MSN Messenger installed, if I send you a special URL, I can own
you," said Marc Maiffret, Eeye's "chief hacking officer."
---ENDQUOTE---
This kind of paraphrasing is a disgrace to journalistic integrity. I present to Slashdot an exclusive direct transcription of this statement, before the WashPost mangled it.
"M4RX M4IFFR3T d03Z n0t R007 j00 7hru 14M3 cl3n7 h4x. M4RX M4IFFR3T iz 31337-h4x0r. H3 wiLL *0WNZ* j00 W/ 1337 j00-R-3ll iF j00 hav m3$$3ng3r 0N j0r 14m3 b0x0r 47 4LL!!!!!!!!!11111111," said M4RX M4IFFR3T, Eeye's K1N6Z0r of 31337.
Security through obscurity? (Score:3, Funny)
More like security through brilliantly designed APIs. See, rather than letting Windows get cracked, MS cleverly designed the APIs to crash the system first. Every time you see a BSOD, you should thank MS that they prevented an evil hacker from taking over your system. And if MS let people see their APIs, they could stop the APIs from crashing the system in response to hack attempts, leaving all Windows users vulnerable with a non-crashing insecure Windows!
-Henry
yet another ROOT hole in MS Code? (Score:3, Funny)
Re:yet another ROOT hole in MS Code? (Score:4, Insightful)
Re:yet another ROOT hole in MS Code? (Score:3, Insightful)
No, not quite true. Microsoft (Win9x at least) doesn't have the concept of any user type except root.
MS certainly does have a concept of ROOT ! (Score:3, Informative)
Proof of concept: On a Windows 98 machine, cancel the "windows login" and start a DOS session. Now delete the entire filesystem (including hidden, system, and read-only files). Tada, it works, you are ROOT.
On VMS-derived Windows (such as all versions of Windows NT and of course Windows 2K) the root superuser account is named "Administrator" and is directly analogous to Unix "root".
One of the reasons MS can't effectively compete against linux and the BSDs in the server market is that their systems include this same fatal weakness. At least *nix is stable!
Incidentally, now that linux has "capabilities" built into the kernel, and Linus wants to put a resource handle into the filesystem API, the groundwork has been laid to get rid of this stupid root superuser concept and create a real successor to Unix rather than just a clone. Hopefully linux (or perhaps the Hurd) will one day incorporate all the strengths of Unix while jettisoning ancient kludges like "root" and the primitive "rwxrwxrwx" access control system.
--Charlie
Re:yet another ROOT hole in MS Code? (Score:3, Insightful)
Concept of root - absolutely.
Root is basically a user that can do whatever he pleases with no restrictions (or without restrictions that can't be overridden or removed)
non-NT based Windows: everyone has absolute access
NT based windows, administrator has this access.
Think of root as a metaphor
Re:yet another ROOT hole in MS Code? (Score:2, Troll)
NT based windows, administrator has this access.
Actually, NT's root user is called SYSTEM. The "Administrator" user is a crippled account that cannot do many things. This is a requirement for some security settings (mostly for auditing). It's also the reason why you can't kill the stupid printing spool service as the Administrator (you need the kill.exe or rkill.exe programs, which are SUID-SYSTEM more or less). You'll also notice that members of the "Backup" group have elevated privileges above the Administrator users for exactly the same reason.
I like the model in NT (Score:2)
Using a nix system requires having absolute permissions, which makes me nervous, even when I have the root account
Re:yet another ROOT hole in MS Code? (Score:3, Informative)
The core of a Win32 operating system runs at Ring 0 (kernel or supervisor mode), which is the highest privilege level.
Re:yet another ROOT hole in MS Code? (Score:2)
Flash: Mogul Predicts BadThings® If Regulated (Score:2)
MS Security Paradigm (Score:5, Interesting)
Re:MS Security Paradigm (Score:4, Insightful)
Of course, since Microsoft's API's are still hidden, we don't know whether or not they're using obscurity as their only model. However, from the alarming number of remote root exploits available, it seems evident that Microsoft's claim of obscurity of their API's as a security measure is the only measure that they're taking. Which leaves one of two possibilities:
I tend to believe the latter. But giving them the benefit of the doubt, we can only argue against the former. Which is that trusting your business to Microsoft's security practices is a very risky proposition.
Re:MS Security Paradigm (Score:2)
Re:MS Security Paradigm (Score:2)
Re:MS Security Paradigm (Score:3)
From the front, you need to get buzzed into the lobby, where you face a guard behind a sheet of bullet proof glass. If you pass credentials, the guard lets you into a hall that has an elevator, and another secure door. You also need a cardkey to use the elevator. So to get to your locked cage, you need to go through 3 locked doors, one which uses a hand-scanner. Sound fairly secure?
The back door to the loading dock was always wide open (a big garage door) during business hours. The single door between the datacenter and the dock (normal key only) was frequently propped open to provide that nice cool air to the loading dock worker.
The bottom line is that you can have a facade of tight security but it's all for naught due to poor internal practices (or shoddy programming on MS's part.) If MS is truly concerned about disclosure due to security reasons, anyone running their business on Windows should really think twice. Security through obscurity doesn't work and that's been proven over and over and over.
Re:MS Security Paradigm (Score:3, Insightful)
Security through obscurity has a place in unique, locally developed systems which only grant access to trusted users. In a commercial product it is nearly useless.
Re:MS Security Paradigm (Score:2)
This definitely needs to be clarified - obscurity is an accepted security paradigm, as long as it is used with other methods of security. Obscurity cannot stand alone as the only means of security. I believe that Microsoft is afraid that it will be shown to the world how weak and insecure their products actually are. They are using obscurity to HIDE their insecurities.
Re:MS Security Paradigm (Score:2)
Example: I am playing around in an "undocumented" networking api through my debugger at work and have noticed that whenever I send a certain control sequence to another api, it crashes my NIC. This means that sending that control sequence on any other machine with the same API will result in similar failure. It's obscure in that I don't know the syntax of the api -- but that doesn't stop me from calling it. In fact, that makes it even more dangerous, because the repair of the API now rests in the hands of a chosen few at MS.
They are right though (Score:5, Insightful)
Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.
It would. It's not a good excuse, but it is true. In the short term, Microsoft cracks would increase.
Re:They are right though (Score:5, Insightful)
Mod this one up insightful.
For the first, say 5 months, it would be anarchy - people would be fixing bugs 24 hours a day all around the world, just to stay a few steps ahead of the crackers. Then as soon as the largest holes are patched, there will be peace in our time. Machines would be fairly secure, and we could go back to actually using our bandwidth and machines for important things instead of 3 MB of Klez and SirCam worms daily.
Instead Microsoft would rather keep the bugs obscured, so they will escape slowly over a number of years. And don't get me wrong, they will escape; there is no amount of obscurity that can mask the continuous onslaught of people poring over every inch of the code looking for holes.
Which method would you prefer?
Re:They are right though (Score:2)
We'll never know for sure since MSFT refuses to even consider the alternative of releasing info for their protocols, APIs, source. And that is their fait accompli. Any good software engineer worth his salt has to consider the possibility that he is wrong. Even genius coders forget the occasional semicolon.
Re:They are right though (Score:2)
No they're not. It's an excuse.
Oh, now I see why I might have gotten modded as a troll. By "It's not an excuse" I meant that "The fact that there will be more cracks does not excuse them from having to release the API."
Problem Is... (Score:5, Interesting)
...that they are partially correct and justified in hiding certain secret keys as ways of preventing unauthorized use of products.
But that's an oversimplification that I'm afraid the lawyers and the court won't be able to clearly pick apart. Even the Microsoft VP testimony about the issue was sprinkled with constant reminders that this was "a confusing" technology. It is confusing. But it's essential for everyone to understand what its purpose is and how it can be misused, too.
The part that rubs the wrong way, of course, is that the exact same arguments could be used to prevent a competitive implementation of an interface that Microsoft wants to own for themselves.
Amok .. amok .. amok ... (Score:3, Interesting)
"I guess it's a matter of how hard you make it," Allchin replied. "We have to work on our reputation for security in the marketplace." from Jim Allchin, who oversees the Windows operating system.
Gee ... I guess that's why there's so FEW reported news stories [washingtonpost.com] about the hacking of Windows ... and so MANY stories about the hacking of Linux.
Actually... (Score:2)
For a laugh I did a quick Google search and it seems there are more sites for Linux [google.com] than Windows [google.com], but I doubt you can read too much into that.
Re:Amok .. amok .. amok ... (Score:5, Insightful)
This perfectly demonstrates the M$ sekurity mindset - they approach security problems as a PR problem, NOT an actual usage or safety issue. What he SHOULD be saying is, "As the dominant OS in the consumer space we need to work to make our OS the most secure for our users because they are the biggest target and the least aware of the threat." Instead he's blathering about their "reputation" instead of actual security.
Bottom line is that M$ doesn't care about security - they only care about their reputation for security. Hence to them obscurity IS security, and it becomes policy and is encouraged.
=tkk
Re:Amok .. amok .. amok ... (Score:3, Insightful)
*thbppt* (Score:5, Funny)
*pauses to wipe coffee off monitor*
Three arguments against Microsoft's position:
.Net was released to the wild before the "official" .Net specification.
Nimda.
Code Red.
The fact that a virus framework for
No, I don't believe them, not for a second. I'd sooner trust an armada of politicians and their attendant [strike]lackeys[/strike] lawyers.
'Nuff said.
A new analogy (Score:2, Interesting)
Why? (Score:3, Interesting)
More FUD from Microsoft. Their legal department must have more employees than their coding department by now.
Re:Why? (Score:2)
They're all salivating at that $40B in the bank ... :)
Re:Why? (Score:4, Insightful)
I firmly believe that software should be held accountable to liability laws and consumer rights laws.
That would kill all free software. People could personally sue Linus for bugs in the Linux kernel that caused them problems: "I'm seeking $10,000 in damages because your stupid bottom handler for my POS Promise IDE controller caused me to lose all my data!". The listings on freshmeat would be a pool of future clients for lawyers, and not software projects. Amateurs wouldn't release code for any use whatsoever.
In short: that's a really, really, really, really bad idea.
Re:Why? (Score:3, Insightful)
Red Hat, Mandrake, and others that do sell a product would become liable though, and that'd certainly kill them.
I think that liability with a broad brush would definitely be a bad idea. But negligence is another matter... some of the exploits could definitely be shown as negligence on the part of the software maker (e.g. - you were informed of this exploit 5 months ago and failed to remedy it). This isn't just MS either - Sun, IBM, etc. have all had times where they failed to release a security patch within a reasonable time period after being informed of a vulnerability.
That kind of thing should definitely result in liability on the part of the software company. Similarly, applications that have destructive bugs and don't get fixed should result in liability.
The problem becomes one of defining how long is "long enough", and what should the fines be? Realistically we don't need new laws here. We just need to apply some old ones to a new situation.
Re:Why? (Score:2)
Re:Why? (Score:2, Insightful)
Software liability is really only an issue for Microsoft software. In other software markets, where there is not a monopoly, the bad PR from a security incident (or a reliability problem) is enough to incent the producer to produce good code.
Re:Why? (Score:2)
However, Microsoft has found it cheaper to use legal means to defend rushed, incomplete software to meet deadlines for quarterly revenue. Microsoft has accepted the trade-off. Many other companies and individuals have not. And now, it appears that their strategy is beginning to backfire.
Security from non-obscurity (Score:4, Funny)
Microsoft is clearly ignoring history here. They should learn from the example of one of the oldest open-source programs out there. Clearly if there are lessons to be learned, we should learn from this piece of brilliantly designed software.
Of course, I am speaking of Sendmail.
Oops...
Sendmail always gets a bum rap. (Score:2)
But c'mon, we are talking about a program that at best was running on tens of thousands of machines during its worst security times. As Sendmail usage has gone up, so has the security it has offered. Comparing it to a hole in a client that is deployed on millions of computers really isn't fair.
Re:Security from non-obscurity (Score:2)
Of course, I am speaking of Sendmail.
Actually almost all of Sendmail's security holes are directly due to its obscurity. Just because the source code is released doesn't mean it's easy to understand.
Target Executives At Large Companies (Score:2, Interesting)
I think that the IT departments of large companies do their jobs too well -- the executive never realizes just how vulnerable they are with MS products.
If we bring the problem home to the people that make decisions, then there will be top-down sponsorship of better computing environments.
Re:Target Executives At Large Companies (Score:2)
the executive never realizes just how vulnerable they are with MS products.
I think they do realize in many cases.
I can't tell you how many times our corporation has warned everyone of the latest Outlook-transported virus du jour. As a UNIX user I simply shrug it off, knowing that any ".vbs" attachment getting into my inbox won't go any further.
But corporate IT departments look upon these things as facts of life, like jams on the freeway or catching a cold.
Bombing them with more sploits is unnecessary and probably would be counter productive.
Better would be to demonstrate and make cogent arguments for alternatives that would liberate them from all kinds of problems that they regard as unavoidable facts of life. They're not unavoidable!
Windows users really shouldn't worry too much... (Score:2, Funny)
Hmmm, guess Microsoft is secure now, right? (Score:2, Insightful)
A. Put serious legal pressure on Microsoft to fix them.
B. Switch to Linux, FreeBSD or Mac OS X.
C. Dump computers altogether and move to Tibet.
>>
Jim Allchin, who oversees the Windows operating system, said that disclosures sought by the states "would make it easier for hackers to break into computer networks, for malicious individuals or organizations to spread destructive computer viruses and for unethical people to pirate" Microsoft's flagship software.
>>
MS can't have it both ways (Score:5, Interesting)
Bill Gates can't be a borg. Nothing that is part machine could tolerate such inconsistency. Only humans can say that 1=0 and believe it.
Re:MS can't have it both ways (Score:2)
You can certainly be sure that, now Microsoft has kicked up this fuss, there will be plenty of black hats looking for these APIs.
How does an open API create security hole? (Score:2, Insightful)
Allchin: States Plan Would Hurt Windows Security (Score:3, Informative)
"The more creators of viruses know about how antivirus mechanisms in Windows operating systems work, the easier it will be to create viruses or disable or destroy those mechanisms," Allchin testified.
Allchin also warned that if Microsoft were compelled to disclose all the APIs and technical information the states are asking for, digital rights management would be compromised.
From Tuesday, news.com http://news.com.com/2100-1001-900905.html [com.com]
buying the windows source code and releasing it (Score:2)
Now, what would happen if this individual releases it in the wild? Surely he will get fined, blah blah blah. But it would be too late - he will be a martyr, and the entire world will know about the windows source code.
...anyone wants to donate me 1 euro cent?
crazy cheers
Re:buying the windows source code and releasing it (Score:2)
That would hopefully shield the individuals from any damages ...
IANAL, and I don't recommend attempting this ... :)
What they are really saying... (Score:3, Insightful)
Security through obscurity is the last resort of people who KNOW they have a buggy system, and can't fix it without a major rewrite.
M$ isn't willing to take the step that Apple did. They had a buggy, old, single-threaded OS design too, and instead of continuing to twiddle it in the hopes that it'd work better, they finally bit the bullet and redesigned their GUI and API layers to fit atop a known-stable core (which happened to already exist in the form of BSD).
Sure, you'd have to give up a few FPS for your games for the next year or two's worth of revisions... but look at how far the Wine project has come *without published API's*. Imagine if M$ were to actually help.
Oh well, it's a nice alternate universe where 40 Billion in savings is enough to make a company start thinking of the future instead of the EULA... not in this one though!
Is anybody really surprised? (Score:2)
and any programmer will know this..
The point is.. these are lawyers.. and they'll argue anything
that may help MS out of this mess..
And since the people deciding are lawyers as well,
(unfortunately) it might just work.
On the other hand, the states' lawyers seem to have
enough technical expertise to expose these bogus claims..
More vulnerable? (Score:2)
Wow, so releasing APIs and protocols would give too much information about how the system works so people can hack into it. Thank god no operating systems take this a step further and release their entire source code, or people would be hacking into them like an axe through butter!
Do they read their own APIs? (Score:5, Insightful)
If releasing the APIs means someone is going to easily figure out a way to damage the system, that just demonstrates that Microsoft isn't even trying to secure their products.
From the Washington Post article (Score:3, Funny)
As a result, even non-active Messenger users, or those who access the service using a third-party product such as Trillian, should upgrade to the new MSN Chat control.
'The attack doesn't happen through the chat client, so as long as you have MSN Messenger installed, if I send you a special URL, I can own you,' said Marc Maiffret, Eeye's 'chief hacking officer.'"
i'm sure marc actually said, "1 c4n 0wN j00," but the washington post author didn't know what the hell he was talking about.
Security Focus - Microsoft Anti-Disclosure Plan (Score:5, Informative)
Microsoft Reveals Anti-Disclosure Plan [securityfocus.com]
(emphasis in original)
Sig: What Happened To The Censorware Project (censorware.org) [sethf.com]
Dave Culter? (Score:3, Interesting)
OpenBSD (Score:2)
patches.. always patches.. (Score:2, Interesting)
PR Issue or Design Flaw? (Score:2, Funny)
Yes, that's it, it's a public relations issue. I guess the idea of FIXING THE GODDAMMED SOFTWARE hasn't occurred to him.
Security through what? (Score:2)
Security through obesity
Sure, they'll say they are fit and nimble - they can change their direction quickly, squash bugs in their code in record time, etc. But the truth is that only corporations large enough to squash evildoers, such as those who find bugs, can truly be considered 'secure'. You'd be surprised at how much more information would be out now if certain people didn't have that 800lb gorilla breathing down their neck...
-Adam
Average Consumer (Score:2)
Think about your average consumer who goes into a store to buy a computer. This person goes in thinking that buying a computer is like buying a TV or stereo. Basically, plug it in, turn it on, and it works fine. It's another appliance to them. Little does this person realize that they have just bought themselves a piece of Systems Administrator Hell! What with the barrage of upgrades (read patches) to Windows and IE. Now couple that computer with broadband and its always-on connection to the internet. Now they have to worry about viruses, SPAM and the script kiddie down the street trying to use their PC in an attack on eBay or Yahoo. So much for the PC and the internet making life easier!
security in the dark.... (Score:2)
"Luckily for Microsoft, it's difficult to see a naked emperor in the dark."
--- Ted Lewis, (former) editor-in-chief, IEEE Computer
LoB
Salon is just being a good little M$ mouthpiece... (Score:2)
When asked about opening up the Windows API, a Microsoft VP testified that doing so would be bad, since it would allow folks to clone Windows.
Now, out of the blue, Salon decides that opening up Windows would also make it more vulnerable to attacks (is that anything like "more pregnant", btw?).
Can't you just picture the guy leaving the courtroom and saying, "D'oh! I shoulda said that it'd lead to more viruses, too! (Dials Phone) Hello? Salon editor's desk?" ...
Virus exists and not due to obscurity (Score:2)
For those who don't know yet, VBA virii exist just due to a single function. Something called CopyFunction (or something like this), that copies a function from a document to another. If MS removes this function no VBA virii will ever exist again.
Note that this function is very well documented and is not hidden anywhere, all you need to do is search at VBA documentation.
Now is MS insecure due to obscurity or is it insecure anyway? Maybe that conspiracy theory that MS owns Antivirus software companies is right.
Every crash is probably another exploitable hole (Score:5, Informative)
You are running some program and do something interesting, like accidentally pasting a text document onto a URL, and something crashes. Ah. Try it again. OK, if it is over 4800 or so bytes it crashes, bring up the debugger. Ah, at 4894 is the stack where the IP...
Here is the specific difference between closed and open models.
If I find it on Microsoft, about the only thing I can do is write a sploit for the skript kiddiez. Of course I can contact Microsoft, but they won't respond for the shorter of 4 months, or when the skript kiddiez get going. Even then it usually takes two weeks for a hotfix that breaks half the software on the server, and then another two weeks for a fix for the fix that I can apply. [Don't worry, I haven't run anything from Microsoft for several months and hope to stay Microsoft Free as much as possible].
If I find it on GNU/BSD/Linux, I pull up the source, add a test or whatever I deem appropriate and send a patch with a description of the problem and fix to the maintainer along with a little chiding about how embarrassing it should be to have such a hole. And the minor version is incremented the next day, so everyone doing apt-get regularly won't be affected, and in a few days every distribution will have it added to the security update section.
Even if I had the source to Micros... I probably wouldn't have enough to recompile or fix things. I could find the line of code causing the problem, but anyone who can write a sploit can read disassembly.
Microsoft's integration makes the problem worse since any problem with what should be middleware runs in the OS. A Netscape flaw on Linux wouldn't get you root (at least not directly - you would have to find a suid flawed program). But any problem with Outlook and/or IE gives you more than enough to cause problems.
Again, and to summarize, any software defect has a good potential to be exploited, without the source, so simply running something until it crashes (at least on MS) is a much more productive way to mine for exploitable security holes than reading through the source. The integration within MS software (the browser is part of the OS) makes the OS vulnerable because it includes the middleware, making it much larger and more complex (a flaw in IE thus *IS* a flaw in the OS), and as such cannot be sand-boxed easily.
Essentially Valid (Score:3, Insightful)
Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.
I'm not sure about the depth of the State's API and protocol information requests, but this is a perfectly valid statement if you assume detail means code, and it applies to OSS as well. By providing your source code, you provide black hats with an easily accessible opportunity to find your mistakes and use them against you. This is a fact you cannot avoid.
Of course, just describing how your protocols or APIs work should not be a security risk in most cases, unless MS has cut too many corners. As to whether we would see a noticeable increase in MS exploits, your guess is as good as mine.
Just another monopoly thing. (Score:2)
Allchin on Security (Score:2)
Why yes, yes you do. You have to work on the fact that you have a reputation for not having any security. There is a two step plan which is the only effective way to build that reputation in today's world:
Anything else is just masturbation, which I enjoy, but not when we're talking about securing systems and networks.
They shouldn't have to disclose information... (Score:2)
this sounds like a pretty good business plan... (Score:3, Funny)
Not necessarily (Score:3, Insightful)
Also... security flaws under *NIX systems usually are limited to one service... not the Internet Explorer/Outlook Express/MS Messenger Core OS holes that seem to plague MS since everything is so entwined.
Re:Not necessarily (Score:2, Insightful)
Imagine if glibc had a buffer overflow in it... How many services/applications would be vulnerable then? If the GNOME libs, or a font renderer had the same problems?
Microsoft uses much more object oriented versions of the shared libraries, and thus it *does* take a bit longer to track down the actual source of the problem, and make sure the fix doesn't break a lot more; but that's also what's allowed them to do a lot of the things that sell Windows (common user interface, good cut/paste).
Re:Not necessarily (Score:3, Interesting)
Yes I do [com.com].
And I have yet to see patches for the mentioned MS programs that use that library according to that news.com page: Microsoft Office, Internet Explorer, DirectX, Messenger and FrontPage.
But in Debian, the patch was applied and the fixed debian package distributed on the same day that the vulnerability was discovered.
What was your point?
Re:clearly... (Score:2, Insightful)
Re:Patches (Score:3, Informative)
Put security.debian.org in your sources.list conf file, and then the standard 'apt-get dist-upgrade' procedure will simply, automagically plug those naaaaasty holes. Debian might not be the best distro for everything, but it's great security-wise for a reason.
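As an added example for the sources.list advice above (this is not code from the thread or from the Debian project), here is a small parser for the one-line `deb`/`deb-src` entry format that reports whether the security archive is configured at all. The two sources.list samples are constructed for illustration; the `debian-security` path and `stable-security` suite name in the sample are assumptions, not something the comment states.

```python
"""Parse APT one-line sources.list entries and check for a security archive.

Added example, not code from the thread. Sample sources.list content below
is constructed; only the hostname security.debian.org comes from the comment.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a typical sources.list that lacks the security archive.
SAMPLE_WITHOUT_SECURITY = """\
# main archive
deb http://ftp.debian.org/debian stable main contrib
deb-src http://ftp.debian.org/debian stable main
"""

# Constructed sample: the same file with a security line added
# (path and suite name are assumptions for illustration).
SAMPLE_WITH_SECURITY = SAMPLE_WITHOUT_SECURITY + """\
deb [arch=amd64] http://security.debian.org/debian-security stable-security main
"""


@dataclass
class SourceEntry:
    kind: str            # "deb" (binaries) or "deb-src" (sources)
    options: List[str]   # contents of the optional [ ... ] block, e.g. "arch=amd64"
    uri: str
    suite: str
    components: List[str]


# One-line format: deb|deb-src [opt=val ...] URI SUITE COMPONENT...
_LINE_RE = re.compile(
    r"^(?P<kind>deb|deb-src)\s+"
    r"(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)\s*(?P<comps>.*)$"
)


def parse_sources_list(text: str) -> List[SourceEntry]:
    """Return one SourceEntry per active (non-comment, non-blank) line."""
    entries: List[SourceEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sources.list line: {raw!r}")
        entries.append(SourceEntry(
            kind=m.group("kind"),
            options=(m.group("opts") or "").split(),
            uri=m.group("uri"),
            suite=m.group("suite"),
            components=m.group("comps").split(),
        ))
    return entries


def find_security_source(entries: List[SourceEntry],
                         host: str = "security.debian.org") -> Optional[SourceEntry]:
    """Return the first binary ("deb") entry served from the security host, if any."""
    for entry in entries:
        if entry.kind == "deb" and urlparse(entry.uri).hostname == host:
            return entry
    return None


def has_security_source(text: str) -> bool:
    """True when the sources.list text pulls binaries from security.debian.org."""
    return find_security_source(parse_sources_list(text)) is not None


if __name__ == "__main__":
    for label, sample in (("without", SAMPLE_WITHOUT_SECURITY),
                          ("with", SAMPLE_WITH_SECURITY)):
        print(f"{label}: security archive configured = {has_security_source(sample)}")
```

The check only looks at `deb` lines, since `deb-src` entries fetch source packages and do not feed `apt-get dist-upgrade` with fixed binaries.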
Re:not so crazy? (Score:2)
http://www.counterpane.com/crypto-gram-0002.htm
Re:not so crazy? (Score:3, Insightful)
However, what most people miss is that obscured code STILL needs to be audited by a neutral third-party. This is where Microsoft fails - they don't appear to have their code audited. Or, if they do, their auditors should be fired.
Security through obscurity should also not be your ONLY parameter. An obscured system should still be using encryption, should still be testing input, and shouldn't have any buffer overflow exploits.
Obscurity can be used effectively. It's not a do-all, be-all, and end-all.
Re:not so crazy? (Score:4, Funny)
I'd rather have a golf course (18 holes per 40 hectares) than Swiss cheese (18 holes per pound).
Re:not so crazy? (Score:2)
While none of us here will disagree with the fact that there are programming flaws in Linux and Apache, the time from discovery of a flaw to the fixing of it is MUCH shorter compared to the "it's-my-toy-you-can't-play-with-it" attitude of Microsoft.
The ONLY way Microsoft is going to reduce the number of successful hacking attempts, is to LISTEN to the people reporting the flaws and fix them in a timely manner, with respect to the severity of the flaw. If one person can create the problem, sure enough, another one will find it as well. (I believe that there was an exploit published a couple of months ago, and MS had the info for about 6 months and did nothing, until the report was published ... but I don't know the reference off-hand.)
My objection has always been that almost all of the most popular viruses, hacks, and backdoors have been discovered or created by accident.
Ahhh ... people "thinking outside the box" ... you have to like these people. As a programmer, I rely on these people to "shore-up" my code. Hopefully, these people will be in the testing department, and not the end user.
Re:not so crazy? (Score:3)
These bugs are not discovered by accident. There are people (both good and bad) that spend many hours a day looking for these exploits. They do everything they can to find cracks in the armor of any package (be it Slashdot, windows XP or whatever).
And when the good guys find it, they publish information about it so it can be quickly patched and fixed. If the bad guys find it, then it gets posted where the script kiddies can find it. Under no circumstances think that these holes are found by accident. That's as crazy as thinking that a high school student can sit down and guess the root password at NATO in three tries.
Now that I've done a little research, I see this as a naive view. For one thing, it doesn't explain the frequent security flaws in Linux and Apache.
All programmers write security holes at some time in their life. Having a buffer overrun or a security hole is not exclusive to Microsoft programmers, everybody does it.
The thing that you fail to understand is that since the same security flaws are going to exist in both open source and proprietary software, the security risk is the same for both sides. But, if the open source is openly available, then the white hats can quickly attack it and publish the exploits before the black hats have a chance to use it.
For proprietary software, the crackers need to wait for the software to go into the wild. Once it is widely distributed, then they start attacking it slowly. The white hats start examining it too, but without the benefit of the code, they can only move as fast as the crackers. Sometimes the good guys win, and the exploits are published (and hopefully fixed). Sometimes the bad guys win, and you get a Melissa virus.
This suggests that it is far more harmful to publish this info (which really isn't helpful to users anyway) than to keep it secret, where it can do no harm.
Don't for a minute think that obscurity is going to prevent an exploit from being discovered and used. The only thing obscurity can do is prevent somebody from finding the bug, and informing the proper people so that it can be fixed before further damage can be done.
All programmers make mistakes. You can either hide those mistakes away and wrongly hope that somebody isn't going to find it, or you can get your mistakes exposed to the world and get them fixed quickly and efficiently.
Re:not so crazy? (Score:3, Insightful)
It's my impression that those holes are, in the large majority of cases, discovered by people auditing and examining the code. The auditors then publicize the flaws. I frequently see advisories of the form, "no known current exploits, but..."
On the other hand, security flaws in Windows seem to become publicised when they are used in an attack, too late for many.
Re:not so crazy? (Score:5, Informative)
From the SecurityFocus vulnerability db:
IIS since 5.0 - 56 entries
Apache since 1.3.17 - 7 entries
Your argument is flawed at best, outright FUD at worst.
LEXX
I'm thinking (Score:2)
Re:I'm thinking (Score:2)
(for the record I do like Linux more, I just have had more security problems with it, it seems).
Re:I'm thinking (Score:3)
Quite frankly, I think the "wizards" are a bad idea in Linux. They insulate the user from understanding the underpinnings of the OS.
The flexibility and strength of Linux come at a price - there certainly is a degree of complexity in config and admin. However, hacked 4 times? That doesn't make sense. Go and shut off unused services and block ALL ports except those needed. BTW, pardon my rude responses. I'm having a bad day and you happened to catch the brunt of my irritation. Regardless of the fact that I strongly disagree with your points, such responses are not needed.
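To make the "shut off unused services and block ALL ports except those needed" advice concrete, here is an added example (not code from the thread) that audits which TCP listeners are reachable from outside the host against an allow-list of needed ports, and renders a default-deny inbound nftables policy for that allow-list. The `ss -ltn` output is a constructed sample, and the allow-list of ports 22 and 80 is an assumption for illustration; the nftables syntax is my choice of firewall, not something the comment names.

```python
"""Audit exposed listening TCP sockets and render a default-deny inbound policy.

Added example, not code from the thread. SAMPLE_SS_OUTPUT is a constructed
sample in the column layout of `ss -ltn`; the allow-list {22, 80} is assumed.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of `ss -ltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       4096    *:80                 *:*
LISTEN  0       50      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     [::1]:25             [::]:*
LISTEN  0       128     0.0.0.0:111          0.0.0.0:*
"""

# Binding to loopback only is not reachable from the network, so it is not "exposed".
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (local_address, port) for every LISTEN row in `ss -ltn` output."""
    listeners: List[Tuple[str, int]] = []
    for line in ss_output.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # IPv6 addresses are bracketed ([::]:22), so splitting on the last ':' is safe.
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr, int(port)))
    return listeners


def exposed_unexpected_ports(ss_output: str, allowed: Set[int]) -> Dict[int, List[str]]:
    """Map each network-reachable listening port that is not allow-listed
    to the local addresses it is bound on. An empty dict means nothing unexpected."""
    findings: Dict[int, List[str]] = {}
    for addr, port in parse_listeners(ss_output):
        if addr in LOOPBACK_ADDRS or port in allowed:
            continue
        findings.setdefault(port, []).append(addr)
    return findings


def render_nft_ruleset(allowed: Set[int]) -> str:
    """Render an nftables ruleset whose input chain drops everything by default
    and admits only loopback, established/related traffic and the allowed TCP ports."""
    ports = ", ".join(str(p) for p in sorted(allowed))
    return f"""table inet filter {{
  chain input {{
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    tcp dport {{ {ports} }} accept
  }}
}}
"""


if __name__ == "__main__":
    needed = {22, 80}  # assumed allow-list: ssh and http
    for port, addrs in sorted(exposed_unexpected_ports(SAMPLE_SS_OUTPUT, needed).items()):
        print(f"unexpected listener on tcp/{port} bound to {', '.join(addrs)}")
    print(render_nft_ruleset(needed))
```

Each port the audit flags is either a service to stop (the comment's first step) or a port to add to the allow-list; the rendered ruleset is then the second step, a default-deny policy rather than a list of individual blocks.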
Re:I'm thinking (Score:2)
Kintanon