Larry Osterman's WebLog

Confessions of an Old Fogey

Somehow I don't think I'm going to see this story on slashdot any time soon :)

Michael Howard sent the following news article to one of our internal DLs this morning.  For some reason, I don't think it's going to hit the front page of Slashdot any time soon:

Serving as the latest reminder of that fact is Antioch University in Yellow Springs, Ohio, which recently disclosed that Social Security numbers and other personal data belonging to more than 60,000 students, former students and employees may have been compromised by multiple intrusions into its main ERP server.

The break-ins were discovered Feb. 13 and involved a Sun Solaris server that had not been patched against a previously disclosed FTP vulnerability, even though a fix was available for the flaw at the time of the breach, university CIO William Marshall said today.

                                                :

"When we went in and did a further investigation, we found that there was an IRC bot installed on the system," Marshall said.

So Antioch's Solaris systems were (a) compromised through an old vulnerability for which a patch was already available, and (b) being used as botnet clients.  Both of which the Slashdot crowd claims only happens on "Windoze" machines.

At what point do people pull their heads out of the sand and realize that computer security and patching discipline are industry-wide issues, not single-platform ones?  Even after last month's Pwn2Own contest was won by a researcher who exploited a Flash vulnerability, the vast majority of the people commenting on the ZDNet article claimed that the issue was somehow "Windows only".  Ubuntu even published a blog post claiming that they "won" (IMHO they didn't, because Shane has said that the only reason he chose not to attack the Ubuntu machine was that he was more familiar with Windows).  The reality is that nobody "wins" these contests (except maybe the security researcher who gets a shiny new computer at the end).  It's just a matter of time before the machine gets 0wned.

Ignoring stories like this makes people believe that security issues are somehow isolated to a single platform, and that in turn leaves them vulnerable to attackers.  It's far better to acknowledge that the IT industry as a whole has a security problem and ask how to move forward.

 

Edit: Ubunto->Ubuntu (oops :))

  • > The reality is that there is no good strategy.  Every release of Windows,
    > we've gotten better at deploying patches that don't require a reboot, in fact,
    > the same analysis that led to the minwin effort also helps to drive our
    > patching effort; Vista is vastly better than previous OS's.

    Vista is better than previous _Microsoft_ OSs.  Maybe in a few decades you'll catch up with *NIX circa 1995.

    > The *nix patching mechanism (unlink the old binary, copy in the new
    > binary) is "interesting", but if we adopted that, we'd still have the same
    > problem - you don't actually close the hole in that case, because the
    > vulnerable code is still running on the machine (until all processes on the
    > machine get recycled).

    You don't think the various processes get restarted when an update is installed?  All of the major services do, at least the ones that could likely be used for a root-level exploit.

    It's true user apps like firefox and openoffice don't restart themselves automatically, but these days both apps can recover just fine from being restarted without losing state, so it's only a matter of time I think before this is fixed.

    > I don't think anyone "likes" patch tuesday.  But it's better than the
    > alternative - at least patch Tuesday is predictable.

    Or maybe the alternative is like OpenBSD... reboot once every 5 years when a rare kernel vulnerability is found.

    It is only anecdotal, but I have sat through many presentations ruined because the "MS has installed a critical patch and must reboot" popup appears every 5 minutes.  And my co-workers have lost many documents because they hadn't saved and left unexpectedly on Monday only to find their machine rebooted out from under them on Patch Tuesday.

  • "The *nix patching mechanism (unlink the old binary, copy in the new binary) is "interesting", but if we adopted that, we'd still have the same problem - you don't actually close the hole in that case, because the vulnerable code is still running on the machine (until all processes on the machine get recycled)."

    And it is impossible on Windows because of the fact that Windows uses memory mapping for EXEs and DLLs. Imagine if you map a file and the file changed under your back.

  • "Vista is better than previous _Microsoft_ OSs.  Maybe in a few decades you'll catch up with *NIX circa 1995."

    To be honest, in the area of permissions, for example, NT is already better than Unix.

  • Yuhong: We could work around that problem actually - the OS loader opens files with FILE_SHARE_DELETE, so they *could* be deleted and a new version installed.

    Vince: The last Windows kernel patch security vulnerability was something like a year ago.  Fine, the kernel doesn't get patched that much.  What about the apps that run on top of the kernel?  Why don't they need to be patched?

    FrankAu: I honestly don't know.  I only know what was in the news article.  It might have been CAN-2004-0148 though.

  • Or you can rename the old copy and put the new copy in its place. Of course, the new copy is not executed until the old one is released.

  • "Vista is better than previous _Microsoft_ OSs.  Maybe in a few decades you'll catch up with *NIX circa 1995."

    On the other hand, while *NIX is better than previous *NIX OSs when it comes to being user friendly and conducive to use "out of the box" by 99.995% of the earth's population, it's still far inferior to Microsoft Windows circa 1995 on that front.

  • Not sure what happens in kernel space, but I was under the impression that user space programs/libraries are also memory-mapped with Unix (file loading being essentially the same as virtual memory). I recall the AIX documentation covering this. When a program is deleted, the OS keeps the physical bytes around until all memory-mapped instances are gone.

  • I think I must be the only one who likes patch tuesday - the reboot gives me an excuse to go and make coffee!

  • Joshua:  "though I'd hate to see the logic that tries to identify who's running what."

    EnumProcesses and EnumProcessModulesEx.

    Jon:  'My generation of computer experts (I'm in my mid-20's) formed its opinions of Microsoft based on Windows 95 and 98.'

    Some previous generations of computer experts (I wish I were in my mid-20's) formed our opinions of Microsoft based partly on Windows 95 and 98 and NT4 SP4 (SP3 was the good one but SP4 made up for it) and XP prior to SP2, etc., AND based partly on other OSes that existed before Microsoft bought QDOS.  Actually these aren't the biggest parts of it, but I'll try to avoid wandering further off-topic this time.
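The two comments above describe the same check from opposite sides: the Unix one notes that a deleted binary stays resident for as long as something maps it, and the Windows one names EnumProcesses/EnumProcessModulesEx as the way to find out who is still running what. Either way, after an unlink-and-replace patch the question for a defender is "which processes are still executing the old code?" The script below is an added example, not code from the post or from any commenter, showing the Linux side of that check. It assumes the /proc layout in which the kernel appends "(deleted)" to the pathname of a mapping whose backing file has been unlinked or replaced; the /usr/sbin/ftpd process in the sample maps text is constructed for illustration and is not taken from the Antioch incident.

```python
"""
Find processes that are still executing code from a binary or library that
has been replaced on disk: the "vulnerable code is still running until the
process is recycled" problem discussed in the thread above.

On Linux the kernel keeps the old inode alive while it is mapped and marks
the mapping "(deleted)" in /proc/<pid>/maps once the path has been unlinked
or replaced.  This script parses those maps files and reports every process
that still has a deleted file mapped executable.
"""
import os
import re

# One line of /proc/<pid>/maps:
# address           perms offset  dev   inode   pathname
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)

DELETED_SUFFIX = " (deleted)"


def stale_exec_mappings(maps_text):
    """Return the set of file paths that are mapped executable but whose
    on-disk file has been unlinked or replaced (flagged "(deleted)").
    Data-only mappings of a replaced file are ignored: they cannot run."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        # Pseudo-mappings ([heap], [stack], [vdso], anonymous) have inode 0
        # or no real pathname; they never correspond to a patched file.
        if m.group("inode") == "0" or not path.startswith("/"):
            continue
        if "x" in m.group("perms") and path.endswith(DELETED_SUFFIX):
            stale.add(path[: -len(DELETED_SUFFIX)])
    return stale


def scan_proc(proc_root="/proc"):
    """Walk /proc and return {pid: {stale paths}} for live processes.
    Returns an empty dict when proc_root does not exist (non-Linux hosts)."""
    report = {}
    if not os.path.isdir(proc_root):
        return report
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as f:
                stale = stale_exec_mappings(f.read())
        except OSError:
            continue  # process exited, or we lack permission to read its maps
        if stale:
            report[int(entry)] = stale
    return report


# Constructed sample (not real data): a hypothetical ftpd that was patched by
# unlink-and-copy while still running.  libc is current; the daemon is not.
SAMPLE_MAPS = """\
00400000-0041f000 r-xp 00000000 08:01 1312 /usr/sbin/ftpd (deleted)
0061e000-0061f000 rw-p 0001e000 08:01 1312 /usr/sbin/ftpd (deleted)
7f2a1c000000-7f2a1c1c0000 r-xp 00000000 08:01 2071 /lib/x86_64-linux-gnu/libc-2.27.so
7f2a1c3c0000-7f2a1c3c4000 rw-p 001c0000 08:01 2071 /lib/x86_64-linux-gnu/libc-2.27.so
7ffd5a9d0000-7ffd5a9f1000 rw-p 00000000 00:00 0 [stack]
7ffd5a9fe000-7ffd5aa00000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    print("sample:", sorted(stale_exec_mappings(SAMPLE_MAPS)))
    for pid, paths in sorted(scan_proc().items()):
        print(f"pid {pid} still executes replaced code: {sorted(paths)}")
```

Run it as root (or with CAP_SYS_PTRACE) to see every process; an unprivileged user can only read the maps of their own processes. Anything it reports is a process that still needs restarting before the patch actually closes the hole, which is exactly the point both sides of the thread were making. The Windows analogue is to enumerate each process's loaded modules with EnumProcessModulesEx and compare each module's path and file version against the patched copy on disk.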

  • Jon:  "My generation of computer experts (I'm in my mid-20's) formed its opinions of Microsoft based on Windows 95 and 98."

    NT was not very popular back in the 1990s. Only around the beginning of 2000 did Windows 2000 release, and that was when NT really began to take off, replacing 9x, which is one of the reasons Windows Me did not get popular. XP finally ended the 9x series. Some of the issues caused by this are that many third party apps and even some MS apps, such as Office 95 (search for "Office 95 and Windows NT" to see what I mean), had issues running as non-admin, even though it had existed since NT 3.1!

  • This is a link about the transition and how NT is not based on 9x

    http://blogs.msdn.com/because_we_can/archive/2007/04/13/vista-is-not-based-on-a-single-user-pc-operating-system.aspx

  • One of the reasons why NT 4 never got popular is because it did not have some of the new hardware-related features in the *original* Windows 95, such as Plug and Play and Device Manager, let alone OSR2 and Win98. Instead it still had Control Panels like Ports and Devices that were in NT 3.x. Win2000 finally caught NT up to all of the hardware support advances in the 9x series.

  • "Users hate rebooting, so reboots are bad."

    Yes, they are bad.  Theoretically, you could patch a system without requiring a reboot.  Just figure out the memory and disk map before and after the patch is applied, temporarily stop all other running processes, and move everything around to obtain the desired after-patch layout!

    It's surely not practical, though, given the nearly-infinite combinations of running software that a user can have.

  • Well, hope you don't mind me chiming in as well:

    (a) Blaming MS for security vulnerabilities is just the price for success. If you are the #1 desktop OS vendor, it is highly attractive for any virus / trojan writer to target your OS.

    Sometimes I use Zeta as OS for secure browsing. As it is totally niche (not to say "dead"), probably nobody will ever write a virus for it.

    It is not an attractive target. For a long time the Mac was also not, for a long time Linux was not -- but both systems are getting there.

    (b) Any closed-source OS makes security analysis and debugging harder, just by being closed-source.

    You can't "just look up" how this routine you're calling in your code works exactly.

    On the bright side, as an OS vendor of a closed-source OS you can guarantee stable APIs, which in turn makes shipping of binary drivers and applications feasible. And in-box hardware support. And DRM, which gives you those Hollywood movies and tunes we all crave for so urgently.

    Any open-source OS makes security analysis easier - but also tampering with distributions. We already do now and will probably find more "tainted" (Linux) distribution servers in the future. So pick your download archive carefully.

    (c) "Unix security is worse than even NT"... is not true.

    Unix had already some considerable history before NT was incepted (remember OS/2?). Yes, NT had a newer scheme, and the schemes are just different.

    But Unix did offer for a long time "adequate" security that was in its usability better than WinX - again, for a long time.

    IMHO Windows Vista is the first incarnation of the OS where higher security - on the desktop, for the end user - is actually really usable.

    People built ACL-based security for Unices a long time ago, when and where they needed it.

    For Linux, or OpenBSD or FreeBSD - being open source - you can add any component or property you want anyway, or pay someone to do it, or work with an interest group to get it.

    You can't do this - naturally - with closed source, unless you own the company that makes the OS.

    (d) "*NIX OSs when it comes to being user friendly and conducive to use "out of the box" by 99.995% of the earth's population it's still far inferior to Microsoft Windows circa 1995 on that front."

    Well, in the 90's first I worked as an admin (WfW3.11 on desktops, Novell 3.12/4.11 Servers) and then later in 2nd level support for Windows NT 4.x (desktop, later also for servers).

    At this time I got the "founded opinion" that Windows gives you a very good and nice illusion of easy usability. And as long as you have no problem everything is great.

    But once you DO have a problem, and need to get "under the hood", things start getting really bad.

    One reason things are getting bad is that you don't get any app support from MS if you're too small a business -- and for ages they were the only ones that could really analyze and fix problems in their code.

    The complexity, veiled by a pretty GUI (anyone remember "DLL hell"?), means that you cannot track problems easily to their root; the first incarnations of the registry (introduced with Office 4.3, if memory serves well) had... interesting... side effects, and the impossible separation of user and system files (not even via soft or hard links) made administration ...ahem ...difficult.

    When a process crashed in 16bit Windows, you could be lucky if it did not destroy your work files. People who worked with disks (b/c they assumed that would somehow be safer) sometimes found out during the save of e.g. an Excel file that there was not enough disk space to store the file... at this moment the old file was overwritten with a partial file. Now introduce a crash or a brownout and your work plus the old copy are both destroyed.

    Not nice.

    And installation? I don't want to count the wasted hours of my life trying to re-install various Windows versions to get your hardware working. NOW is a much better time, with online update services and internet connectivity and cheap laptops (so you have one working computer to set up the other one, with help of the excellent MSKB, Google, etc.)

    Progress is everywhere, though - with the need for end-user configuration via pretty interfaces, and with ever-increasing distribution packages we will soon have similar problems in Linuxland, too.

    Don't get me wrong -- Windows is not at all "bad" per se - after all it's better to have "something usable" (with pain) than to have nothing at all! - but I want a bit of perspective for this statement of "the old times". Those were not at all "good old times"; they were times with a lot of work finding and tracking bugs or application annoyances, lots of lost work time and lost data because of system hiccups, not much or only beginning internet connectivity (which made support even more difficult), slow processors, slow hard disks and slow modem connections.

    So you might please reconsider this "still far inferior" statement -- especially if you never worked on an Xterm / Sun Sparc or on a HP-9000 workstation with Motif as X Window manager during that time (which I did ca. 1992).

    (e) Probably there is an intrinsic dilemma between offering huge amounts of flexibility and applications and easy usability and maintainability. People get along quite well with single-purpose machines - the upcoming game console trend seems to highlight that, and they can handle the maintenance for them. So possibly in the future people will not have to make a "dr. windows" degree to set up and run their own systems. Possibly you'll have one computer for games (a console), one for surfing the internet (built into the big screen TV), and a portable one for text, calculation, mail and news.

    The future will be interesting, with so much cheap computing power available even today, and with I/O and comms devices slowly reaching or even surpassing these old "star trek" interfaces... so let's look onward!

    ... and in the mean time let's do our best to keep people safe and happy... :-)
