[Dailydave] Where ethics and MSRPC collide

From: dave@immunitysec.com
Date: Thu Sep 25 2003 - 08:05:59 CDT


http://www.ccianet.org/index.php3
http://www.ccianet.org/press/03/0924.pdf
http://www.ccianet.org/papers/cyberinsecurity.pdf

I think it's important to note where Microsoft has done well. To
demonstrate that, let's compare their position on MSRPC to Sun's position
with Sadmind. Sadmind was given to Sun years ago, at which point Sun
decided not to fix it. Since then, it's been a default remote root. Even
now, with an exploit available to the public, Sun is basically in denial.
You wouldn't see this reaction from Microsoft. At BlackHat, Microsoft paid
probably $30,000 to hold parties and dinners and such just to pick the
minds and meet the personalities that were shaping the security landscape
for them. Sun wasn't even there, as far as I know.

The papers referenced above argue that Microsoft's problems are now the
United States' problems because of Microsoft's dominant position in the
software marketplace. This is probably true.

They also argue that Microsoft's monopoly has led to its current level of
insecurity via their technique of component integration, i.e. the fact
that undocumented features of Internet Explorer are available as a DCOM
component only to Microsoft programmers is part of how Microsoft maintains
its monopoly. This is also true. Having spent some time working with
Microsoft engineers, I can tell you that there are many odd facets of
their social fabric, and building a buggy internal interface that is only
known and documented within Microsoft is one of them. This allows, say,
Word, to use features of the operating system that are not quite ready for
prime time use by other people, and as a pleasant side benefit, allows
Word to do things that no other word processor on Windows can do.

However, "hidden and undocumented" has a way of biting you in the butt when
it becomes "known and documented". There are several ways this can happen.
Someone can try to build an interoperable product, and reverse engineer
the hidden interface. Someone can be looking for bugs and reverse engineer
the interface, or someone can read a leaked copy of the source code, and
discover it that way. All of these have happened to Microsoft in the past
year, as they happened to Sun years ago.

In conclusion:

Dan Geer is a very good writer. This makes it doubly important to read
everything he writes with the initial opinion that he is completely full
of it. Sometimes, like with the Return on Investment papers and
statistical research on when you need to buy security consulting for best
value (right now of course!), he is. But after reading this paper
carefully, even if I disagree with his solution for what to do about it, I
can't say I disagree with any of his supporting points.

In other words, it's a good paper, in my opinion largely filled with
truthful statements and a goal of protecting our country and the Internet
community as a whole from harm.

http://www.atstake.com/events_news/wysopal_testimony.pdf

I think it's telling that Chris Wysopal of @stake (aka Weld Pond),
co-founder of "Organization for Internet Safety" was in Congress recently
testifying as to how we need a regulatory agency and set of laws modeled
after OIS. Unlike Dan Geer's paper, he couched his argument in terms of
ethics. He claimed silly things like "if everyone released bugs without
telling the vendor, the internet would be in chaos." Good thing we "the
ethical researchers" would never do that with our bugs!

In reality OIS is one of Microsoft's security initiatives. For Microsoft,
security is about Public Relations. OIS is about getting security
researchers to shut up, under penalty of law. It's always been about that,
and its measure of success in getting in front of Congress is deeply
disturbing.

As far as ethics go, Dan Geer's picture is no longer on the @stake homepage.

Dave Aitel
Immunity, Inc.