Larry Osterman's WebLog

Confessions of an Old Fogey

Somehow I don't think I'm going to see this story on slashdot any time soon :)

Michael Howard sent the following news article to one of our internal DLs this morning.  For some reason, I don't think it's going to hit the front page of Slashdot any time soon:

Serving as the latest reminder of that fact is Antioch University in Yellow Springs, Ohio, which recently disclosed that Social Security numbers and other personal data belonging to more than 60,000 students, former students and employees may have been compromised by multiple intrusions into its main ERP server.

The break-ins were discovered Feb. 13 and involved a Sun Solaris server that had not been patched against a previously disclosed FTP vulnerability, even though a fix was available for the flaw at the time of the breach, university CIO William Marshall said today.

[...]

"When we went in and did a further investigation, we found that there was an IRC bot installed on the system," Marshall said.

So Antioch's Solaris systems were (a) compromised by an old vulnerability, and (b) being used as botnet clients.  Both of which the Slashdot crowd claims only happen on "Windoze" machines.

At what point do people pull their heads out of the sand and realize that computer security and patching disciplines are an industry-wide issue and not just a single platform issue?  Even after the Pwn2Own contest last month was won by a researcher who exploited a flash vulnerability, the vast majority of the people commenting on the ZDNet article claimed that the issue was somehow "windows only".  Ubuntu even published a blog post that claimed that they "won" (IMHO they didn't, because Shane has said that the only reason he chose not to attack the Ubuntu machine was that he was more familiar with Windows).  The reality is that nobody "wins" these contests (except maybe the security researcher who gets a shiny new computer at the end).  It's just a matter of time before the machine will get 0wned.

Ignoring stories like this makes people believe that security issues are somehow isolated to a single platform, and that in turn leaves them vulnerable to attackers.  It's far better to acknowledge that the IT industry as a whole has an issue with security and ask how to move forward.


Edit: Ubunto->Ubuntu (oops :))

  • "Blaming MS for security vulnerabilities is just the price for success."

    OK, could be.  Now for a completely separate fact:

    Blaming MS for many years of refusing to fix known security vulnerabilities is just the price for arrogance.

    Fortunately things have changed most of the time, but as several people have observed here, it will take longer to lose the reputation ... especially when the arrogance is still waiting to be lost.

  • Very interesting, and although there are many people who champion Linux endlessly despite the fact that all OSes have their faults, I would like to point out that Linux != Solaris. I find it odd that Larry highlights a Solaris machine and then goes on to bash Ubuntu, which is Linux... there is a difference.

  • "So you please might reconsider this "still far inferior" statement -- especially if you never worked on an Xterm / Sun Sparc or  on a HP-9000 workstation with Motif as X Window manager during that time (which I did ca. 1992)."

    Many things you say are correct but they are not completely on point.  Let's face it, for all of Win95's shortcomings it's still far ahead of most *nix systems on ease of installation AND use for the public at large.  It doesn't matter if a version of *nix beats Win95 on usability if that version can't be successfully installed and configured "out of the box" by but a fraction of the users that could do the same with Win95.

  • "the first incarnations of the registry (introduced with Office 4.3, if memory serves well)"

    I think that was introduced with either Windows 3.1 or OLE 1.0.

    "Any closed-source OS makes security analysis and debugging harder, just by being closed-source."

    NT beats any other closed-source software in making at least symbols public, most closed-source developers don't generate symbols with release builds at all, and even if they do they don't make it public, but still... Anyway, even shared source is much better here.

  • "On the other hand while *NIX is better than previous *NIX OSs when it comes to being user friendly and conducive to use "out of the box" by 99.995% of the earth's population it's still far inferior to Microsoft Windows circa 1995 on that front."

    Or for that matter, Mac OS X even today. And it is based on UNIX and is half open source and half closed source.

  • Larry, would the flash vulnerability work on Linux? Would the attacker be able to gain the same privilege level? I doubt it unless new versions of Flash run as root.

    As for hot patching, the answer is simple -- code reuse. DLLs have failed, .Net has failed (from a user perspective at least), you need to work on a new system for more efficient code reuse. Better reuse means easier patching.

  • Richard: Actually I'm bashing any and every software vendor that doesn't acknowledge that the IT industry is facing a crisis and instead is touting that their software is somehow safer or superior (without evidence to back it up).  I picked on Ubuntu because they decided to take the contest as an opportunity to bash Windows and OSX when the reason that the Windows machine failed was because of a cross platform vulnerability (that would have just as easily affected their platform).

    Posturing like this just hurts customers and that's NOT ok.

    Microsoft acknowledged that there was a problem back in 2002 and has been working tirelessly since then to improve the security of our systems, and the evidence is clear that the work that Microsoft is doing is paying off.  I'm starting to see a glimmer of hope that Apple is starting to figure this out (their recent moves to enable ASLR, DEP and /GS in their applications are (in my opinion) a significant step in the right direction).

    But except for the folks at FreeBSD and Firefox folks (led by Window Snyder (who helped Microsoft design the SDL)) nobody in the FOSS community seems to be considering security to be a significant problem.  Instead they sit there and laugh at those Windoze idiots who keep on getting p0wned because they run an insecure operating system.

    If the FOSS community HAS realized that there's an issue, I'd expect to see them publish their analyses - after all, if the code's open, why aren't the security analyses of the designs that back that code open?

    There is a crisis in software security that has been building for years.  Microsoft has secured its part of the stack, and the attackers are starting to look for weaker targets.  Until the rest of the industry stops laughing at those clueless idiots at Micro$oft and starts realizing that they're a part of the problem, our customers (and your customers) won't be safe.

  • Igor: According to Shane (the finder), he believes that the same vulnerability will work on Linux and will get the same privilege level (according to several people who were there, you didn't need root to win Pwn2Own, all you had to do was demonstrate RCE).

  • Larry, "he believes that the same vulnerability will work on Linux" is not the same as "he demonstrated the same vulnerability on Linux".

    What I am trying to say is that remote code execution on Linux machine doesn't guarantee root privileges. On Windows it almost always does. That is the main issue I see when I try to compare security of different platforms.

  • Igor, the only way that a Windows Vista user will be running as root is if they turn off UAC.  And that rarely happens (we know, David Cross just gave a presentation where he mentioned the percentages of users that turn off UAC).

    And in Pwn2Own, you just had to demonstrate RCE, not an EoP to root.

  • "But except for the folks at FreeBSD and Firefox folks [...] nobody in the FOSS community seems to be considering security to be a significant problem."

    What about Debian? (recent http://lists.debian.org/debian-devel-announce/2008/01/msg00006.html)

  • ygrek: that's actually great! - debian is finally adding NX protection, ASLR and banning unsafe APIs.  But those are ALL bandaids around the design problem.  

    In order to "consider security to be a significant problem", I'd want to see things like mandatory training for contributors to FOSS products, threat analyses being performed on FOSS products, code reviews for security issues, etc.  

    You don't have to do threat models like we do (although I think they're a really good idea); but you DO need to do some level of analysis.  And in an FOSS world, I would expect that those analyses be made public - that's why I know they're not being done.

    In my honest opinion, bandaids are great, but there's no substitute for process.  The SDL is Microsoft's version of that process, other companies have adopted their own versions (I believe Oracle has said that they've invested in a security assurance process, for example).

  • "Lets face it, for all of Win95's shortcomings it's still far ahead of most *nix systems on ease of installation AND use for the public at large."

    (a) Will, did you actually ever do or watch any Unix installation (e.g. HP-UX, Solaris, "rolling Unix" or other)?

    As I was shown and told, initial "out of the box" installations for most of these was pretty easy -- "boot into boot prompt, insert tape, issue 'boot from tape' command".

    (b) You can hardly compare the feature set of Win95 with Unix.

    One is a desktop system for a single end user, the other a server-grade OS designed for multi-user/multi-tasking. These systems were used for servers or scientific workstations and inaccessible (too pricey) for "normal users".

    To paraphrase: "Let's face it, for all of my bike's shortcomings it's still far ahead of most Space Shuttle systems on ease of installation AND use for the public at large." For example, for getting to the next lecture on the university campus... :-)

  • "Igor, the only way that a Windows Vista user wll be running as root is if they turn of UAC."

    And here I thought that turning UAC annoyance off is the first thing everyone and their grandmother does after installing Vista.

  • Igor, according to the articles I've read, 88% of all Vista customers have UAC enabled, and 66% of all Vista "sessions" never encounter a UAC prompt.
