Re: Critique of CyberInsecurity report

2003-09-27 Thread Sunder
Yup, and also don't forget all the security holes in IE that would allow
even more enjoyable fun stuff... things that are(were?) exploited by
scumware sites such as Xupiter that installed themselves into IE and
allowed pop-up ads from hell.

[Sorry about the previous message, had lots of typos in there... should
have proofread it before sending. :)  ]


--Kaos-Keraunos-Kybernetos---
 + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of   /|\
  \|/  :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\
--*--:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech.  \/|\/
  /|\  :Found to date: 0.  Cost of war: $800,000,000,000 USD.\|/
 + v + :   The look on Sadam's face - priceless!   
[EMAIL PROTECTED] http://www.sunder.net 

On Sat, 27 Sep 2003, James A. Donald wrote:

 --
 On 26 Sep 2003 at 17:30, Sunder wrote:
  Ever seen WebX? - it's like PCAnywhere, or VNC or TimbukTu, 
  only it works over the web.  A user just goes to a web page, 
  and a user at the other end can take over their machine 
  because IE allows such software to run!
 
  Ok, at least WebX is a commercial product designed to provide 
  tech support, and asks if it's ok to allow it, but if it's 
  technically possible to do it for legitimate reasons, it's 
  technically feasible to do it for rogue reasons too.
 
 IE first checks that the software is digitally signed, and then 
 asks the user do you want to run this software signed by so and 
 so.   Then IE allows it to run.
 
 You do not just go to the web page.  You go to the web page and
 IE asks if this is OK.
 
 Of course there are lots and lots of web pages that say Hey, 
 click here to view me naked -- just click yes to all the stupid 
 dialogs that come up 
 
 --digsig
  James A. Donald



Re: Critique of CyberInsecurity report

2003-09-27 Thread James A. Donald
--
On 26 Sep 2003 at 17:30, Sunder wrote:
 Ever seen WebX? - it's like PCAnywhere, or VNC or TimbukTu, 
 only it works over the web.  A user just goes to a web page, 
 and a user at the other end can take over their machine 
 because IE allows such software to run!

 Ok, at least WebX is a commercial product designed to provide 
 tech support, and asks if it's ok to allow it, but if it's 
 technically possible to do it for legitimate reasons, it's 
 technically feasible to do it for rogue reasons too.

IE first checks that the software is digitally signed, and then 
asks the user do you want to run this software signed by so and 
so.   Then IE allows it to run.

You do not just go to the web page.  You go to the web page and
IE asks if this is OK.

Of course there are lots and lots of web pages that say Hey, 
click here to view me naked -- just click yes to all the stupid 
dialogs that come up 

--digsig
 James A. Donald



RE: Critique of CyberInsecurity report

2003-09-26 Thread Vincent Penquerc'h
 Wow, the problem is solved, right?
 
 Wrong.  With the number of systems on the net growing rapidly, any
 realistic extrapolation leaves the number of Windows systems as being
 even larger than today.  Hence we face at least as much exposure as
 at present, which the evidence has shown is more than enough to cause
 tremendous economic damage.

You miss out on the fact that, if Windows has, say, 90% of the
machines (disregarding differences between desktop/server/whatever),
the damage would, with your metric, be three times as large as the
cost you point at, which would affect a third of the machines (with
numbers higher than today, but still less than what they would be
with 90% of machines running MS).

 And in fact, it is worse, because any flaws in the Mac or Linux OSs
 will now be just as dangerous as for Windows!  What we will face is a
 situation where the *weakest* of the widely used OS's will determine
 the risk factor for the system as a whole.

Yes, you are right: when you don't put all your eggs in the same
basket, you have *more* risk to get crushed eggs. But, in return,
you have less risk of losing *all* your eggs. The point is to contain
worst case cost, at the expense of having more likely minimum cost.

 chosen Windows because it is popular, has good development tools, and
 in the early days was easier to write for (remember that up until a few
 years ago, the Mac lacked preemptive multitasking, and Linux wasn't even
 a blip on the radar).

Windows 2000 was only a few years ago too. Windows NT 3 and 4 were not
desktop OSes, used only on servers. And I worked in a company that had
the misfortune of running an NT 3 server. Preemptive multitasking does
not imply stability, as this experience showed, though I won't claim our
experience was typical.
There was BeOS too, which could have been widely available save for MS
having the computer makers' ear (firmly grasped in an iron fist).

But you still have a fair point on this point, and I agree at varying
degrees with the rest of your points, except where you come back to:

 The result is that we will have a system where, as pointed out above,
 not one but several architectures are each widespread enough to bring
 the net to its knees when an exploit is discovered.  This network will
 only be as strong as its weakest link.  Diversity, in this context, is
 a risk factor, not a risk mediator.

For serial systems, not parallel ones. Encryption is a serial one.
Redundancy using different systems is not: you need to destroy all
branches to bring the system down (though I do not deny that you can
bring the quality of service down by bringing a node down, depending
on the degree of redundancy).
Of course, the above holds for a more or less homogeneous distribution
of the different (here) OSes. Otherwise, you have a connected graph of
monocultures, and the first argument applies.

-- 
Vincent Penquerc'h
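The contain-the-worst-case argument above (more likely to get some crushed eggs, less likely to lose them all, and serial versus parallel dependence), worked through as an added example. This is my code, not anything from the thread; it assumes that exploits against different OSes are independent events, and the market shares and hit probabilities are constructed, not figures anyone in the discussion gave.

```python
from itertools import product
from typing import Dict, Tuple

# Constructed illustrative inputs (assumptions, not figures from the thread):
# market share of each OS, and the probability that it suffers a
# net-crippling exploit within some period.  Shares must sum to 1.
MONOCULTURE = ({"windows": 1.0}, {"windows": 0.5})
THREE_WAY = ({"windows": 1 / 3, "mac": 1 / 3, "linux": 1 / 3},
             {"windows": 0.5, "mac": 0.5, "linux": 0.5})


def loss_distribution(shares: Dict[str, float],
                      p_hit: Dict[str, float]) -> Dict[float, float]:
    """Map 'fraction of machines down' -> probability, treating each OS's
    exploit as an independent event (the egg-basket reading of the thread)."""
    names = list(shares)
    dist: Dict[float, float] = {}
    for hits in product([False, True], repeat=len(names)):
        prob, down = 1.0, 0.0
        for name, hit in zip(names, hits):
            prob *= p_hit[name] if hit else 1.0 - p_hit[name]
            down += shares[name] if hit else 0.0
        key = round(down, 6)
        dist[key] = dist.get(key, 0.0) + prob
    return dist


def risk_summary(shares: Dict[str, float],
                 p_hit: Dict[str, float]) -> Tuple[float, float, float]:
    """Return (expected fraction down, P(at least one OS hit), P(every OS hit)).

    P(at least one hit) is the failure probability of a *serial* system that
    depends on every OS (the weakest-link case); P(every OS hit) is that of a
    *parallel* one with redundant branches on different OSes."""
    dist = loss_distribution(shares, p_hit)
    expected = sum(frac * p for frac, p in dist.items())
    p_any = 1.0 - dist.get(0.0, 0.0)
    p_all = dist.get(1.0, 0.0)
    return round(expected, 6), round(p_any, 6), round(p_all, 6)


if __name__ == "__main__":
    for label, (shares, p_hit) in (("monoculture", MONOCULTURE),
                                   ("three-way split", THREE_WAY)):
        print(label, risk_summary(shares, p_hit))
```

With equal hit probabilities the expected loss is identical in both cases; diversity only moves probability mass from "everything down" to "something down", which is exactly the serial-versus-parallel distinction the post draws.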



Re: Critique of CyberInsecurity report

2003-09-26 Thread Eugen Leitl
On Fri, Sep 26, 2003 at 12:47:38AM +0200, futureworlds wrote:

 Overall, this is a terrible analysis with a misguided solution which,
 if adopted, would only make things worse.  It is shocking to see the

Please describe, how exactly it would be worse. We're kinda curious.

 well known figures who have allowed their names to be attached to this
 document.  Apparently hatred of Microsoft runs so deep that people are
 unable to think critically when presented with an analysis that attacks
 the company.  We saw the same thing with the absurd lies and exaggerations
 about Palladium last year.

It's a *tiny* *little* bit premature to conclude that, don't you think?
Now your rhetoric does strike me as pro-establishment, if not outright
as a Redmond mole. Kindly go insert your troll stick elsewhere.

 Let's look at these three portions.  The problem in principle,
 according to the report, is the existence of a monoculture, which should
 be addressed by diversification.  There are nonsense figures in here

Nonsense, my ass. Go ask your nearest friendly biologist and
immunologist/epidemiologist about the value of diversity.

 that claim to quantify the power of the net, using absurd, handwavey
 formulations like Metcalfe's Law or Reed's Law.  (Reed's so-called Law is
 a joke, predicting that the Internet will be 228 quadrillion times more
 powerful in 10 years if the number of systems increases 50% per year!)
 This is not logic, this is not reason, it is just rhetoric.

If you don't see that the value of the network increases with its size
what exactly are you doing in that thar Innurnet here? Ah, you just
don't understand this nonlinear metric thing. I see. Just log it, if
it will make you more comfortable.

 But the fundamental problem with the analysis here, which is what
 makes the report's recommendation so misguided, is that claim that
 diversification will somehow solve the problem.  In fact, diversification
 will make it worse, as a moment's thought should make clear.

Don't put all your eggs in one basket. If it breaks, all will be lost.

Dilute susceptible system with inert (immune) ones. That'll take
care of kinetics (local loop systems are tightly coupled, so there's
a distance even though there's a 95% global connectivity).

Hardly takes a five-sigma egghead to grok it, right?

 Let's suppose that the government stepped in, and the kind, wise
 government bureaucrats we all know and love so well decided to aid
 disadvantaged operating systems.  This affirmative action program is so

Disadvantaged? Sure, open source has eaten a few industry branches alive,
and now we've got a monopolist shitting their pants because they know
they can't compete on the middle run. Yawn. Governments are adopting it,
resulting in fax effect? Good, that will accelerate the inevitable.

 effective that after many years, Microsoft has only a third of the market;

Half a decade sounds about right. You'll see a lot more players than
just *BSD derivatives in the dominating 2/3rds, though.

 Macs have another third; and Linux has most of the remaining third.
 Wow, the problem is solved, right?

Just three systems are not enough diversity by far. Ten would be better.
It'd be nice to have it run on diversified hardware as well, and offer
stack protection and several iterations of security-conscientious
redesign steps.

However, worse is better, so we'll probably see only a slight improvement
over the status quo. It would sure be nice to see liability for commercial
software products, though.

 Wrong.  With the number of systems on the net growing rapidly, any
 realistic extrapolation leaves the number of Windows systems as being
 even larger than today.  Hence we face at least as much exposure as
 at present, which the evidence has shown is more than enough to cause
 tremendous economic damage.

Bullcrap once again. A fraction of all systems will be taken out, with
a much slower kinetics due to phlegmatizing aspect of dilution (look
up phlegmatization in HE chain reaction context). Moreover, the mission
critical stuff *will* be running hardened systems after a few rounds of
current worm roulette. Everybody else would be taken out of circulation.
Let's see how much pressure business need to start adapting rational
strategies instead of the current snakeoil jacuzzi. (Probably, a lot).

 And in fact, it is worse, because any flaws in the Mac or Linux OSs
 will now be just as dangerous as for Windows!  What we will face is a
 situation where the *weakest* of the widely used OS's will determine
 the risk factor for the system as a whole.

I'm distinctly underwhelmed with the logic of the remainder of the
diatribe, so I won't address it.




Re: Critique of CyberInsecurity report

2003-09-26 Thread Sunder
Look, the answers are excruciatingly simple:  

1. your email should not execute.
2. your web browser should not be able to run script that can access
anything other than content that came from that server - or in the least
that domain -- especially not your hard drive.  Things like ActiveX are a
security nightmare.
3. your machine should not serve any services to the outside world that
it doesn't need to.

It doesn't matter what OS you run, the above are all still true.  Do that,
the 90% of insecurity goes away.  Add buffer overflow protections, and
another 5% goes away.  Add parameter checking to libraries, good security
permissions on file systems and other objects, and things like per process
capabilities limitations, and another 4% goes away.

If you run a network of unhardened Macs, Linux boxes, FreeBSD or even
OpenBSD boxes, you may as well hang up a sign that says break in please.

All of this has been previously dealt with elsewhere, and it isn't that
hard to grok.  The only reason to criticize the redmond beast that should
not be is points 1-3.  The paragraph following it hasn't been implemented
anywhere that's widely in use.  

Things like SE Linux and OBSD have attempted some of them and succeeded,
but they're not as widely used as they should be.


Worrying about what percentage of machines are hetero vs homogeneous is a
waste of time.  Do you run Linux or MacOS X?  Did you bother to upgrade
OpenSSH last week?  No?  Is ssh open for anyone on the internet to access?  
Well then, you're fucked, and you're not even running Windows!

If someone breaks into a windows 95 machine on your network whose owner
has access to files vital to your company's existence, the potential to
break into the server is already there.

Don't just harden SOME machines and your firewall, harden them all.  A
simple activeX component off some rogue web page is enough to take over a
lame little win9x machine. 

Example:


Ever seen WebX? - it's like PCAnywhere, or VNC or TimbukTu, only it works
over the web.  A user just goes to a web page, and a user at the other end
can take over their machine because IE allows such software to run!  

Ok, at least WebX is a commercial product designed to provide tech
support, and asks if it's ok to allow it, but if it's technically possible
to do it for legitimate reasons, it's technically feasible to do it for
rogue reasons too.


Worms aren't the only problems out there.

