Regulation of Security Professionals and Nondisclosure...
- To: debate@lists.fitug.de
- Subject: Regulation of Security Professionals and Nondisclosure...
- From: Kristian Köhntopp <kk@netuse.de>
- Date: Thu, 18 Oct 2001 13:13:21 +0200
http://slashdot.org/comments.pl?sid=22710&cid=2444955
Don't you dare hack .net (Score:5, Interesting)
by wedogs (jonhart_99@yahoo.com) on 3:51 18th October, 2001 (#2444955)
(User #96591 | http://slashdot.org/)
Culp says?
"First, let's state the obvious. All of these worms made
use of security flaws in the systems they attacked, and
if there hadn't been security vulnerabilities in Windows®,
Linux, and Solaris®, none of them could have been written.
This is a true statement, but it doesn't bring us any
closer to a solution. While the industry can and should
deliver more secure products, it's unrealistic to expect
that we will ever achieve perfection. All non-trivial
software contains bugs, and modern software systems are
anything but trivial. Indeed, they are among the most
complex things humanity has ever developed. Security
vulnerabilities are here to stay."
In the above argument, Culp uses truth to validate
fallacy. It's true that no code is perfect. It's
false that security will improve by mandating gag orders.
More to the point, Microsoft is especially frustrated
with flaws being exposed in their code. Frankly, I
believe the hacks associated with Microsoft products
differ fundamentally from the flaws discovered in
Solaris and Linux. When a Linux exploit is discovered,
hackers and maintainers consider it a design flaw.
Therefore, exploits are generally fixed pretty fast
on Linux -- usually within a few days. The same is
true for Solaris.
Apparently however, Microsoft does not consider
certain exploits to be design flaws. Sometimes,
hackers simply leverage "features" (e.g. undocumented
APIs) that Microsoft deliberately designed into their
applications and/or systems.
Microsoft applications tend to execute arbitrary code.
In other words, Microsoft deliberately empowers IIS,
Exchange, Internet Explorer, Outlook and certain
Office applications to execute unchecked commands
fed over the Internet. Once hackers discover these
(badly!) hidden APIs, it is only a matter of time
before someone sends you an email which does
something nasty to your computer.
Interestingly, despite these obvious security
issues, Microsoft wants their programs to execute
arbitrary code. Remember the Microsoft Word viruses?
Remember the Excel viruses? Heck, email viruses were
fiction until Exchange and Outlook...
Microsoft has had years of experience and feedback since
the first MS-Word virus. Obviously, they understand the
risks of allowing applications to execute arbitrary
code. Nevertheless, they continue to build this ability
into all their major products.
In fact, arbitrary code execution appears to be one of
the core technologies behind Microsoft's .NET initiative.
I suspect this is why Microsoft was so reluctant to
repair the security flaws within IIS. Code Red and
Nimda exploit APIs that Microsoft intends for their
.NET initiative. Disabling these APIs would cripple
.NET. Therefore, Microsoft did not fix IIS until they
could re-think the design of .NET.
Culp states that vulnerabilities are here to stay. Most
likely, .NET will reinforce his point. Given their
track record, I expect .NET to be Microsoft's magnum
opus of security deficiency.
At this late stage, re-designing .NET is out of the
question. I guess Culp feels controlling what the
world is allowed to communicate about .NET is easier.
--
Kristian Köhntopp, NetUSE AG, Dr.-Hell-Straße, D-24107 Kiel
Tel: +49 431 386 435 00, Fax: +49 431 386 435 99