
MS and "Information Anarchy"


  • MS and "Information Anarchy"

    What the-- Stupid! Sonofa... Mother-f-- GYAAAH!!

    Sorry, just needed to rant incoherently there for a minute. I actually used to like what Scott Culp had to say... But I guess that was back when he was saying Microsoft was trying to get its act together on security.

    If I ever see that guy, he's gettin himself a wedgie, that's all I have to say...

    First off, despite what Scott says, Code Red was not based on the ISS advisory. Of all people, *he* should know that! It was similar, but it was not the same code and didn't attack the same vulnerability. I haven't confirmed that myself, mind you, but Elias Levy did, and when it comes to something like this, I'll trust his word.

    Second, there are other benefits to full disclosure than getting admins to apply patches. People get to see what sort of practices lead to security holes, so they know not to make the same mistake. If we hadn't been seeing details on buffer overflow exploits, and if Elias (aleph1) hadn't written his paper, how many more exploitable programs would we be seeing today?

    Third, telling admins that there is a patch is *not* enough to get them to apply it. Especially in the MS world, when you're never sure if the patch is going to provide you with added security, or cause Outlook to crash and burn (Or, *cough*, 2.2.15, *cough* 2.4.11... sorry Linus).

    If I don't know that there's a security risk involved with a patch, then I don't know that I'll blow a few hours installing it on all our systems; I just don't have time.

    Telling people that there's a security issue isn't enough, though. You need to explain the vulnerability or they'll put it on the back burner. Meanwhile, some attacker with a clue is installing the patch on their system and checking for modification times, tracking down the vulnerability through the patch, and using it to attack anyone who isn't up to date.

    As much as I hate to say it, this is even easier in the open source world; all you have to do is diff the original source and the patched source (or just look at the patch, depending on how it's distributed) in order to see where the vulnerability can be found.

    Yes, developing exploits requires some skill. But once that exploit has been built, there is nothing keeping it from spreading through the underground. Meanwhile, the IT workers of the world are busy installing ram, putting out motherboard fires and hooking themselves up to the UPS rather than installing "Patch Q413312343842b" which fixes "A problem with IIS/Outlook/IE/Random .dll that only Tim Mullen and RFP will recognize as doing something".

    Do we need working exploit code released with patches? Maybe not. I've been lucky enough that I can tell the CEO there's an issue that needs to get patched, and have him believe me. Other people might not have the kind of discretion that I do when it comes to rolling out updates on production servers or spending 8 hours kicking everyone off their systems so I can install a version of IE that was developed since the stone age.

    Also, as I said before, having that information available can help keep the rest of us from making the same mistake in our own code.

    So what should MS be doing? IIS lockdown and hotfix programs are a step in the right direction. Making the patches easier for admins to install will actually make it possible for some of us to get them handled. Their announced audit of IIS is another good step. They certainly have the resources to put some extra manpower into quality checking their product.

    Bugs, holes and patches are all to be expected; people are fallible, whether they work at MS or not. Not everyone can code like DJB. So, MS needs to handle it well when those problems do arise. I'd been hearing that they'd been handling security holes a lot better lately, but this denialist crap isn't going to cut it.

    It's nothing new for companies like MS to want to drive security back into the closet. They don't like our modern world of rock-star security experts like the CDC, RFP, Bruce Schneier or myself. ;) And as much as I hate to propagate a conspiracy theory, ever since September, they've been trying damn hard to force us back into the dark. The ATA is a prime example; I was trying to decide what country I was going to flee to if it passed, and people at work now refer to me as "the terrorist".

    Big business is trying to close Pandora's box, but it's too late... and that's a good thing. It's time for MS, Scott Culp, the RIAA and the MPAA -- and everyone else out there -- to figure that out!

    Last edited by Golden_Eternity; October 18, 2001, 07:12.

  • #2
    Re: MS and "Information Anarchy"

    Originally posted by Golden_Eternity

    Do we need working exploit code released with patches? Maybe not.
    Ah, I was forgetting that exploit code can be used to test patches.

    I also seem to have managed to kill this thread before it even got started... Probably a good thing, it's getting enough attention on vuln-dev.


    • #3
      Another thought

      I had the misfortune of reading through the article at the link above, and wholeheartedly agree with you.

      First and foremost, having code that tells the admin exactly what the worm/virus (or other malicious code) is doing, allows him to
      A) Understand what the patch will do to his system
      B) Write a better patch (how many of you trust M$ with your security needs? be honest :))
      C) Convince other less informed people of the need for said patch
      D) Help find places where the code might be changed so that it would work around the patch.

      Not only that, but if all or most of these worms ran off the same code using the same exploits, then someone isn't doing their job in getting patches installed out there, and it serves them right to have their system attacked multiple times. Besides, last I checked, most major news sites didn't include source code with a virus report. So even if you pretended to crack down on this so-called information anarchy you would be doing nothing since the underground community is always one step ahead of the corporate world.
      "If common sense is so common, why do so few people have it?"

      "Reality is an illusion, albeit a persistent one."


      Mantras are bad! Mantras are bad! Mantras are bad! Mantras are bad! Mantras are bad! Mantras are bad! Mantras are bad! Mantras are bad! Mantras are bad! Mantras are bad! Mantras are bad! Mantras are bad! Mantras are bad!


      • #4
        This can't be written by Scott... maybe a secretary taking some College Writing class wrote an opinion paper or something, but not possibly the listed source.

        Ignorance is bliss?? What kind of security tactic is that? People are going to find the bugs one way or another. Granted, the script kiddies won't get ahold of them as quickly; but without little incidents that wake up admins to these problems (like dying networks), many would remain open to them, and then wonder why they were mysteriously "hacked".

        Took me weeks to convince my supervisor that we had to unplug computers from the network *before* we patched for nimda.. we still have nimda floating around; well... not on my servers
        if it gets me nowhere, I'll go there proud; and I'm gonna go there free.