Slashdot: News for Nerds


Microsoft Blames the Messengers

michael posted more than 12 years ago | from the see-no-evil-speak-no-evil dept.

Security 731

Roger writes: "In an essay published on microsoft.com, Scott Culp, Manager of the Microsoft Security Response Center, calls on security experts to "end information anarchy" and stop releasing sample code that exploits security holes in Windows and other operating systems. "It's high time the security community stopped providing the blueprints for building these weapons," Culp writes in the essay. "And it's high time that computer users insisted that the security community live up to its obligation to protect them." See the story on Cnet News.com."

731 comments

I blame Microsoft (-1, Redundant)

SpanishInquisition (127269) | more than 12 years ago | (#2443431)

Like everyone else.

Re:I blame Microsoft (0)

Anonymous Coward | more than 12 years ago | (#2443500)

ubi est Trolligula...?

MS (4, Offtopic)

MissMyNewton (521420) | more than 12 years ago | (#2443437)

"It's high time the security community stopped providing the blueprints for building these weapons,"

It's probably high time that Microsoft stop building houses made of straw to defend against big bad 'net wolves... It'd sure make a lot of our lives easier...

Ya, see.. we do.. (0, Flamebait)

Lord Bitman (95493) | more than 12 years ago | (#2443438)

And by providing sample code we as administrators are shown exactly where the weakness is.
Everyone here knows that.. I'm just posting to be an asshole

Security Through Obscurity (2, Funny)

FreakOfTheWeek (415378) | more than 12 years ago | (#2443440)

boy, we're sure learning that lesson fast!

So basically... (5, Funny)

11thangel (103409) | more than 12 years ago | (#2443441)

They're trying to say "stop finding holes faster than we can make...err...fix them". My my what a cheap political backstab.

Joobles post (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2443442)

Joobles McBoobles, Hoobles and doobles.

-Brought to you by Hootie McBoob

When you point the finger of blame... (2, Insightful)

A_Non_Moose (413034) | more than 12 years ago | (#2443444)

there are 3 of them pointing at you....

I think the author/Microsoft should not forget this.

Moose

Re:When you point the finger of blame... (2, Funny)

irksome (106742) | more than 12 years ago | (#2443540)

which is why you should always point with an open hand ;)

-

Re:When you point the finger of blame... (0)

Anonymous Coward | more than 12 years ago | (#2443570)

When pointing the finger of blame at Microsoft, it is important to use the longest finger.

Right (5, Informative)

IsleOfView (23825) | more than 12 years ago | (#2443447)

<sarcasm>
Much better that the "black-hats" "secretly" circulate the information.
</sarcasm>

If the security experts didn't find and publish the holes, good luck on Microsoft making the fixes a "priority".

Re:Right (1)

csmacd (221163) | more than 12 years ago | (#2443483)

Priority? When have you ever seen a bugfix be a priority?

Well, there was that one bugfix for Win95, I think it was called Win98.....

And (-1, Redundant)

Anonymous Coward | more than 12 years ago | (#2443448)

What did you expect?

INCARCERATE ALL NIGGERS (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2443449)

rectal post

fuck ip bans

-sa

history (5, Informative)

Telastyn (206146) | more than 12 years ago | (#2443450)

Yes, just like keeping Cryptography code secret improves the algorithm. I agree that the company should be notified before the flaw is announced, but seriously, the entire point of a security response center is to inform users as to vulnerabilities...

Re:history (2, Insightful)

Ghost-in-the-shell (103736) | more than 12 years ago | (#2443508)

Actually most security firms who announce these flaws inform the company first to allow them to fix the bug/flaw before it can be used as a tool for harm.

just my $.02

1st (0)

Anonymous Coward | more than 12 years ago | (#2443452)

first post!

They Have a Point (2, Funny)

ZeroLogic (11697) | more than 12 years ago | (#2443454)

Yes, I realize that this isn't a fix, but if obscurity makes it just a little harder for people to do bad things then I don't see why it's such a bad thing. Especially in the case of Microsoft, where only they can fix the source, why should the security companies publish the source on the web instead of sending it directly to Microsoft? What gains are there to be had by having the source displayed all over the web?

Re:They Have a Point (1)

chowdmouse (155597) | more than 12 years ago | (#2443490)

Security through obscurity is a huge mistake, IMHO. It leads to a false sense of security (err..sorry..) that everything's OK forever and ever, so the software gets worse and worse.

Re:They Have a Point (2, Insightful)

jonnyq (103252) | more than 12 years ago | (#2443504)

Standard courtesy and many mailing lists recommend just this approach, but many companies have a really bad track record about fixing bugs that no one knows about. Therefore, after a period of time, the exploit is published to "force" the company to deal with it.

Re:They Have a Point (0)

Anonymous Coward | more than 12 years ago | (#2443518)

Simple,

They won't fix it unless it's widespread. They have a history of leaving known security risks in the code because there were not widespread exploits for it. This is worse for the public since crackers can move through systems at will; these guys mostly don't script worms, but take advantage of the machines.

-lp

Re:They Have a Point (0)

Anonymous Coward | more than 12 years ago | (#2443519)

Dude...

If your bank has serious security violations with their authentication system, would you rather someone told ALL the customers, rather than having a few people with ALL the information? And even fewer people with the solutions? Just imagine the damage a few secret people could do with one security hole. How long do you think the bank would care before investigating the fund that supposedly went "missing"? At least if you KNOW there is a problem, you can call them and tell them to fix the frinking thing.

Re:They Have a Point (0)

Anonymous Coward | more than 12 years ago | (#2443552)

but if obscurity makes it just a little harder for people to do bad things then I don't see why it's such a bad thing.

It comes down to the fact that doing as Microsoft says will make things disproportionately more difficult for the customer, and only inconvenience the black hat.

Re:They Have a Point (5, Insightful)

btellier (126120) | more than 12 years ago | (#2443557)

sigh. OK, let's try this again: BECAUSE OTHERWISE PEOPLE WON'T TAKE YOU SERIOUSLY. Now let's review: how many people patched eEye's .IDA exploit when it came out and did not include an exploit? Not bloody many. How many patched it after Code Red made it abundantly clear that this was a very exploitable vulnerability? Hundreds of thousands more. The obvious truth here is that full disclosure and the inclusion of exploit scripts opens people's eyes to the fact that people are going to use this hole to break into YOUR system.

By not giving exploit scripts you allow sysadmins to become lazy. They figure "Nah, I'll just wait until an exploit comes out before I patch it", while the underground hax0r scene is already searching out your box.

Re:They Have a Point (5, Insightful)

irix (22687) | more than 12 years ago | (#2443559)

What gains are there to be had by having the source displayed all over the web?

What makes you think that not having it displayed all over the web will make it any less available to the people who want to do harm?

Black hats are going to get ahold of the exploit, even if the source code to it is not published on incidents.org or bugtraq. All that not publishing it there does is provide a false sense of security.

Publishing the details in a high-visibility location does several things:

  • gets the company who wrote the software much more motivated to write a fix
  • allows other people to verify that the vulnerability exists
  • lets you and I (white hats) not make the same mistakes that led to the vulnerability in our code

The script kiddiez are going to get these exploits when they download them from their favourite r00t kit location. Let's not pretend that not publishing the same exploits to the general public really makes things much safer.

Re:They Have a Point (1)

beldraen (94534) | more than 12 years ago | (#2443567)

Simple, obscurity encourages people to program even more shoddy work because they know it is less likely to be caught and proven their fault. Obscurity as a form of protection, in itself, is not a form of security. It is a way to pass the buck. It has been proven time and time again that obscurity as the protection system leads people to believe they are secure when they are not. After all, the company hasn't said there is a fault, have they? But the bad guys still know.

Re:They Have a Point (3, Insightful)

Phydoux (137697) | more than 12 years ago | (#2443580)

I just can't agree with this.

The problem with not publishing details of the exploit is that Microsoft and other companies will look at it and say "This doesn't look like that bad of a problem, and besides, nobody will find that easily. No sense in making a patch for it. The potential abuse of this hole is negligible."

So then we end up being at the mercy of the Black Hats to quietly spread the information among themselves.
No, keeping things secret simply won't help.

Backwards? (0)

Anonymous Coward | more than 12 years ago | (#2443456)

Doesn't Mr. Culp have it backwards?

I've heard this one! (5, Interesting)

AntiFreeze (31247) | more than 12 years ago | (#2443458)

If you don't tell anyone that the construction company used shoddy materials, then no one will figure out how to make the building collapse!

What a blatant (0, Flamebait)

dmelomed (148666) | more than 12 years ago | (#2443459)

Attempt to make this drivel effective in the light of the terrorist events.

Linus better do some complainin'... (4, Flamebait)

Ripp (17047) | more than 12 years ago | (#2443462)

...Windows®, Linux, and Solaris®...

What's wrong with that picture? Linux *is also* a registered trademark, Microsoft. I suggest you recognize it as such.

Linus, kick some ass here.

And in similar news.. (5, Funny)

cnkeller (181482) | more than 12 years ago | (#2443463)

Gun manufacturer Smith & Wesson has asked that ammunition maker Black Talon stop making bullets since "guns don't kill people, bullets do."

Because, if the security hole didn't exist in the first place, then Microsoft wouldn't have to worry about all this bad press starting to cost them business; and more importantly mindshare.

Re:And in similar news.. (5, Funny)

cyberformer (257332) | more than 12 years ago | (#2443556)

And the ammunition maker has called on the law-enforcement and medical community to stop revealing that people can be killed by bullet wounds. Such information can only help the wrong-doers.

New Slogan (3, Insightful)

InfinityWpi (175421) | more than 12 years ago | (#2443465)

"Hackers don't hack Windows machines... bad code hacks Windows machines."

Y'know, if they didn't have so many bugs, there wouldn't be anything to release, and therefore, no 'weapons' to build... it's kinda like an army making a tank with wooden components inside, then getting pissy when the other army brings flamethrowers and napalm...

Bastards (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2443466)

Bastards. I mean Slashdot. Bastards.

Microsoft says... (0)

8Complex (10701) | more than 12 years ago | (#2443467)

We know there is a hole... just leave it alone!!

Nice. Next thing you know, they'll be releasing a proxy server called the Microsoft Condom.

jump on the bandwagon kids! (0)

hemos. (151256) | more than 12 years ago | (#2443468)

may i have your attention please! the bi-monthly slashdot "bash microsoft festival" is just getting underway.

calling all braindead moderators to mark anything remotely anti-microsoft as insightful.

A weak point (2, Funny)

crumbz (41803) | more than 12 years ago | (#2443469)

Information Anarchy? What? Do doctors complain about information anarchy when patients research treatments for diseases on the web?
Doesn't this guy realize that our systems are becoming more secure every day, now that people have to take worms, trojans, and DoS attacks seriously? Maybe he should get back to securing Microsoft products and spend less time complaining about system admins trying to share info.

What about Capitalism (0)

Anonymous Coward | more than 12 years ago | (#2443470)

Messengers don't kill computers. People kill computers.

Why is this concept so hard to understand? The gun companies laid this out clearly many years ago, and there's no arguing with the logic.

Pot/kettle (1)

rebbie (165490) | more than 12 years ago | (#2443471)

Oh really? IMHO It's high time Micro$oft stopped providing Swiss-cheese software that can be easily used as weapons because most users find the constant patching impossible to keep up with.

Hiding security flaws... (3, Interesting)

BrookHarty (9119) | more than 12 years ago | (#2443473)

If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found.

And hiding all these security flaws would have made Windows more secure? Your product is not secure, stop passing the buck.

Still leaking? (4, Insightful)

Col. Klink (retired) (11632) | more than 12 years ago | (#2443474)

And just how am I supposed to know I've patched a hole if I don't know how it gets exploited?

Let's stop anthrax, too! (5, Funny)

Mike Schiraldi (18296) | more than 12 years ago | (#2443475)

It's high time we stopped teaching Chemistry and Biology! People are spreading information that essentially maps out exactly how the human body works, which allows for all sorts of chemical and biological weapons! And explosives, too!

In other news, Master Lock wants to release a new model made out of twine and butter. They ask the community to avoid discussing the security of the lock, since they anticipate it getting deployed widely, and once the ButterLock is being used to secure mission-critical systems, it will be extremely important to keep its flaws a secret.

Odd that my article was rejected . . . (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2443478)

How is this different than when Microsoft blamed them [buddyhead.com] ?

Oh of course my article was rejected . . . So silly.

. ac

Well, it IS a two way street. (5, Insightful)

Xzzy (111297) | more than 12 years ago | (#2443479)

By putting out solid information, people who find these exploits are doing two things: Giving the programmers specific information with which to fix the problems, and giving script kiddies some really damn good instructions for hacking into a box.

The system relies on the reaction time of the programmers.. can they supply a patch before the crackers supply an exploit?

Those of us in the *nix world seem to do pretty well.. for all sorts of reasons you don't need to go into here. Windows? Heh.. it can take months for something to get patched up. No wonder he's mad that these 'blueprints' are being provided. It's simply an extension of the security through obscurity mode of thought.

Surely you jest! (0)

gosand (234100) | more than 12 years ago | (#2443480)

I am beginning to think that the people at Micropoly [cafepress.com] are starting to believe their own drivel. I really have to wonder what the tech people within the company think of these statements. All of these asinine comments come from management and PR types. I would be embarrassed to work for a company that treated the public the way M$ does, like idiotic sheep.

gosand

Haaahahaha (1)

fritter (27792) | more than 12 years ago | (#2443485)

Have you ever stood up and hit your head on something *hard*, and then in anger punched whatever it is you hit your head on, even though it's your fault? Apparently that's the Microsoft Certified way to handle security.

What fscking loser (3, Funny)

The Panther! (448321) | more than 12 years ago | (#2443487)

In other news, Microsoft has purchased a secret weapon of vast destruction, code named Blamethrower. It strikes out at random targets, displacing reality at near the speed of light.

Zot!

whose obligation to protect? (5, Insightful)

Corgha (60478) | more than 12 years ago | (#2443489)

it's high time that computer users insisted that the security community live up to its obligation to protect them

I'm not sure whether anyone, other than law-enforcement agents, is obligated to protect computer users, but if anyone is, surely the people who produce the software are more obligated to prevent or solve these problems than are those who merely report on them.

Is this, along with the U.S. government's warning to news agencies to be careful what they broadcast, a sign of a new trend?

Re:whose obligation to protect? (2, Interesting)

chinton (151403) | more than 12 years ago | (#2443539)

I don't see the connection... Microsoft is covering its unsecured ass by trying to focus the blame on the "security community" instead of its broken products.

The government, on the other hand, is letting broadcasters know that /bin/laden could be using their newscasts to deliver messages to his followers. The gub'ment never said (at least publicly) "don't broadcast this", they said to be smart and responsible for what you put on the air.

Good plan. (-1)

theneo (511389) | more than 12 years ago | (#2443491)

Not releasing code must be exactly why Linux is so secure.

*claps at Microsoft's genius*

We've seen what they propose (4, Insightful)

Derkec (463377) | more than 12 years ago | (#2443494)

Several times we've seen security experts say to a large company, "Hey! there's a nasty exploit here!" The large company indicates they'll fix it and ignores the problem. Only when the exploit is publicized do companies like Microsoft actually take the effort to fix the code. Releasing the information is the only way. Perhaps out of courtesy the security community could give the company with the bug a week's notice.

Don't they already provide a grace period? (5, Insightful)

Suicyco (88284) | more than 12 years ago | (#2443495)

I thought most security exploits that get released by the major groups are usually passed through MS first and allow them time to provide a patch before issuing the details of the exploit. So why are they so upset? It's not MS nor the security experts who are at fault for not patching machines. At least by publishing them they are provided an incentive to stay on top of security holes, instead of simply allowing them to remain secret. I mean none of the major exploits lately (Code Red, Nimda, etc.) have used unpublished exploits. So this shows a failing in MS's procedures for keeping admins informed and a failing in the admins for keeping on top of their networks. It's such a non-issue, I think MS just wants to preempt lawsuits or some other such silliness.

Security Through Obscurity (1)

mestreBimba (449437) | more than 12 years ago | (#2443496)

boy, what a concept.... You find a big gaping hole in our security, don't share it.... it will go away on its own. Isn't this what the concept of tiger teams is all about? The reason most people share security flaws in MS products is to force MS to action in regards to them. MS has demonstrated in the past a reluctance to do anything about security issues and has only reacted when the issue was made public.

Gee Bill what do you want to do tonight?
The same thing we do every night Steve, take over the world

Amendment 1, in case they've forgotten. (0)

Anonymous Coward | more than 12 years ago | (#2443497)

Amendment I

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

I can see what's going to happen... (4, Insightful)

FatRatBastard (7583) | more than 12 years ago | (#2443501)

I'd wager this is the first volley in another push by MS to cover their asses by legal means. I see another push to make the release of any information that shows weaknesses a criminal activity. Expect lots of flag waving, anti-terrorism rhetoric to be sprinkled throughout, and some suspect demands that seem to be more motivated at gaining market share than protecting machines.

God damn... when did I get so cynical? Oh yeah, after reboot #3 of NT 4.0 today. {grumble grumble grumble}

It is a good point (3, Interesting)

ujube (98058) | more than 12 years ago | (#2443502)

Although the source of the message certainly lessens its credibility, they have a point. Things like the Honeynet Project have shown a huge _lack_ of intelligent attackers in the wild. The endless waves of attacks filling the internet are pulled off by script kiddies, many of which can't mount a drive, compile a file, or even write a script. And we are feeding them. If we really want things to get better, we have to find a societal solution for the problem. It certainly seems to me that the full disclosure paradigm at least needs to be scrutinized, if not dumped altogether.

To prevent attacks, you must think like attacker. (5, Interesting)

Maul (83993) | more than 12 years ago | (#2443503)

Code snippets are beneficial, so long as companies like Microsoft promptly provide security updates. I think that examples of attacks provide sysadmins and coders insight into how these holes in security come about, and give software authors an opportunity to think about what holes they might inadvertently be putting in their software.

Of course, MS just wants to skirt responsibility for negligence on their part.

Bug control (3, Funny)

nougatmachine (445974) | more than 12 years ago | (#2443505)

Eh? The security community should stop documenting weaknesses?

What a great idea! Then all the malicious hackers will know how to exploit security holes, while those in charge of security won't. Wait a second...isn't that kind of like asking security guards not to carry guns, because those guns might hurt someone?

No, it's not. (1)

Yam-Koo (195035) | more than 12 years ago | (#2443561)

Security guards having guns does not make it easier to distribute guns, it just makes it easier to stop those who bring guns to certain areas.

Full disclosure? (5, Insightful)

Pete (big-pete) (253496) | more than 12 years ago | (#2443507)

Hmm, this has always seemed to be a hot discussion...I'm all for full disclosure, but is it really necessary for people to include exploit code?

One argument is that it can help people to test their systems for vulnerabilities, but I think that exploit code is not strictly necessary for this. People who really need it to test systems are in a position where they should have the capability or the resources to generate a "test script" for themselves, once given an accurate description of the vulnerability.

Making code exploits freely available possibly creates more opportunity for the low-life script kiddies who often don't appreciate exactly what they are doing, or the mechanics of the exploits that they are using. Why should we make it easy for those guys?

My opinion on this element of full disclosure is still not complete though, and I am fully prepared to be convinced... :)

-- Pete.

Interesting (2, Offtopic)

Wo-Fat (197418) | more than 12 years ago | (#2443510)

It is good to note the use of the terrorist rhetoric, "...blueprints for building these weapons...". Talk about riding on the coattails. This seems more like a line out of the evening news than a statement about software security. Spin doctors working overtime on this one.

In other news... Ralph Nader (0, Troll)

djn (118825) | more than 12 years ago | (#2443512)

In other news, consumer advocate Ralph Nader urged leaders in the auto safety industry to "stop finding safety problems with automobiles. We can surely trust the automakers to make their cars as safe as humanly possible, without sacrificing their profit margin, and with no need of safety crash tests."

-dan
into unix? into punk? check out unixpunx [unixpunx.org]

M$ FUD (1)

ScumBiker (64143) | more than 12 years ago | (#2443513)

Microsoft intends to force the issue and to call on security experts to draw a line between responsible disclosure and arming people with the tools and software needed to attack computers, said Culp.

"(We) don't purport to have the answer to the problem," he said in a Wednesday interview. "But we believe that these practices are harmful."

Of course M$ believes that these practices are harmful, they've been the ones getting attacked the most. It's actually M$'s fault, because their software is still developed as if it was running on a non-networked, stand-alone PC. Until they decide that their software is to be used on a network (oh, my god...) M$ software will be the most hacked shit out there.

Who reads subjects anymore? (0, Offtopic)

Sj0 (472011) | more than 12 years ago | (#2443514)

In related news, Ford reprimanded crash test labs for disclosing and showing the world about the exploding gas tank in the Ford Pinto.

F*cking idiot. They're willing to blame everyone but themselves for the fact that they have such easily exploitable software.

BTW, to back up this claim, I urge everyone to read up on exactly how ILOVEYOU and SIRCAM were so popular. ILOVEYOU didn't even need to exploit anything!

...and if you have software which is THAT easily exploitable, maybe you deserve the criticism, rather than blaming the security industry. If nobody published anything on exploits or viruses, E-mail viruses would be even worse because nobody would realize that the way that ILOVEYOU ruined their system is by reading the e-mail called ILOVEYOU which ran script automatically, and everybody would be busy reading a file to have your advice.

Exploit code isn't the problem (3, Informative)

Insideo (171350) | more than 12 years ago | (#2443516)

According to the article, each of the latest worm attacks was preceded by security bulletins which happened to contain exploit code.

Hate to break it to MS, but all this indicates is that the security sites work. That's right. The people who have access to the code to fix the bugs were given notice. If these bulletins didn't exist, you can bet the worms would have still been created. Remember Code Red II? MS had a fix out months before CR2 hit the web, yet it still managed to infect thousands of machines.

Security bulletins (even with exploits) are not the problem. The holes in buggy software are the problem.

Okay, (4, Informative)

trilucid (515316) | more than 12 years ago | (#2443517)

here we go:

"It's high time the security community stopped providing the blueprints for building these weapons..."

How about providing the blueprints to your code, so we can secure the systems you release broken to begin with?

I'm not anti-Microsoft (although I'm getting there, definitely getting there...), I do Windows development also in Visual Studio. I'm near the point of stopping that altogether though. My company is already using Linux for damn near everything (including desktops, not just hosting) anyhow.

This is more than just your average case of idiocy from MS. If I ran a pharmaceutical company, and a drug we produced killed 500 people, do you think the public would accept some excuse like this? "No, really, it's all the fault of the doctors who showed their patients how to take the pills..."

Maybe not a perfect analogy, but equally stupid. When will they learn? Probably when Joe Customer starts realizing how indecent their blame machine really is. Apache isn't perfect, Linux isn't perfect... but we admit this and work toward solutions. Average Joe won't stay completely blind forever; most people aren't stupid (my faith in humanity talking here), and you can't fool anyone indefinitely.

Damn, and I was cutting down on my smoking...

they really should stop giving actual code (5, Insightful)

LazyDawg (519783) | more than 12 years ago | (#2443520)

... and just write pseudocode or a very detailed step-by-step description of what their code does. In the end script kiddies will have to learn to write their own leet tools, and may later on branch these skills into other areas.

If security experts took the time to make exploit code an exercise for the reader, we might someday end up with skript kiddies who can even write their own hardware drivers for Linux. They might even learn to write and discover new exploits for Windows without the help of security experts.

Microsoft got it on the nose this time :)

How can we protect ourselves? (1)

DahGhostfacedFiddlah (470393) | more than 12 years ago | (#2443522)

Let's look at the most recent huge hole - the IIS server. If someone had only released a small amount of information - like "it happens at port 80", no one would know how to block the damn thing without affecting other services. By knowing the exact form of the exploit, people were able to block it. You can't help but publish exploit code (or enough code to give anyone a general idea) in cases like this. The code is an easy way to find out how to prevent the attack.

I say give the most information possible to the security people who need it. If people aren't worried enough about security to find out about the holes, then they shouldn't complain.

what kind of code do they want? (1)

ypheo (465382) | more than 12 years ago | (#2443527)

How well would security flaws

Are you serious?! (3)

SirSlud (67381) | more than 12 years ago | (#2443530)

HAHAHAHAHAHA ... oh yeah, I can just see it .. this would allow their marketing/pr department to 'fix' each and every bug.

Actually, sample code is a very good way to illustrate the severity of a bug.

A bug might be the result of absolutely brutal programming, but require a programmer to jump through hoops to exploit it. In this sense, the bug isn't so bad, and users can assess the path to patching said holes. On the other hand, a bug could be the result of complex, innocent oversight which can be exploited with 3 lines of code.

I, for one, think knowing the code to exploit the bug can give admins a good sense of addressing patch priorities.

Yeah, the security pundits will tell me 'you should be patching 10 secs after the patch comes out regardless of severity', but if you really take that route, you're living in a vacuum. The rest of the world has to worry about priorities .. i.e., that old limitation of 24 hrs in a day. Hell, with MS and a large enterprise network, you'd have to assign a full-time worker just to monitor and install patches.

And I'm of the opinion that trusting MS's stance on the 'severity' of a given bug is about as big a security hole as you can have.

(Please remember to flame me on both sides, for even cooking .... )

I Have an Announcement! (1)

TheHulk (80855) | more than 12 years ago | (#2443532)

Will all hackers and crackers please stop attacking Microsoft products. Thank you!

Bill

Messengers (1)

Renraku (518261) | more than 12 years ago | (#2443533)

Messengers expand people's awareness, and thus, knowledge of people to exploit/attack. Microsoft is willing to blame everyone but themselves for a security flaw/hole. Maybe messengers sped up the process of finding/exploiting holes, but the holes are there because MS put them there/didn't fix them. They should also blame the Internet and telephone system for their security holes.

It's High time they make good code!!! (1)

Yhcrana (88366) | more than 12 years ago | (#2443534)

I hate to say it, but in many cases these security firms notify the manufacturer (if the firms are legit) and allow the manufacturer a reasonable amount of time to fix the bug. Then after a reasonable amount of time (and no visible response from said company) the firm will release the exploit to the real world simply to get the company to fix the hole faster. Nothing is faster than bad press to get a company in gear fixing bugs and not calling them upgrades.

Yhcrana

OK, this is Slashdot, but the guy has a point (2, Insightful)

Software (179033) | more than 12 years ago | (#2443535)

By publishing sample code, it really does make it much easier to exploit security holes. The main problem is clueless admins, not lack of information. The good admins need to know a lot of info about the problem to see if it affects them, but they don't need sample code. Not giving source would make it a bit harder for the black hats, although a sufficiently good explanation of the problem would be an excellent starting point for a script kiddie.

At least the guy doesn't ignore that there are problems:

First, let's state the obvious. All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written.
I know I'm preaching to the anti-choir here, but he has a point.

Security Watchdogs' Obligation (4, Troll)

victim (30647) | more than 12 years ago | (#2443536)

The security watchdogs of the net have no obligation to me. I am glad they do their tasks, but they owe me nothing.

My software providers have an obligation to provide me with secure software or none at all. I commend both Debian and Apple for responding to their occasional security problems in a timely manner.

In the olden days when watchdogs did not release sample code some software providers downplayed their flaws as theoretical problems. If the software providers had been responsive to security flaws, there would be no need for sample code.

Entirely wrong focus... (3, Informative)

batobin (10158) | more than 12 years ago | (#2443541)

How the hell is it the fault of the security experts? To be honest, someone will find the bug, whether it's a person with malicious intent or not. If such holes are posted, it gives the company the chance to fix them, so that fewer people are struck.

If holes were not posted, the public would not even know their software is insecure, and it would surely take longer for any company to patch said holes.

Finally, doesn't blame ultimately fall on the company who made the buggy software in the first place? If I come up with a mathematical formula that proves 2 + 2 = 5, and a math teacher proves that I'm incorrect, who's to blame here? Microsoft believes the math teacher is wrong, something which is obviously misguided.

One final thing: I don't see Linux/BSD/Apple execs complaining.

linux exploits? (5, Insightful)

Lxy (80823) | more than 12 years ago | (#2443542)

Doing a quick search on bugtraq, I see a lot of linux exploit code too. Hmm... let's blame the linux exploit code for the net-stopping worms like... ummm... and also the.. ahhh... well, you know. No Microsoft, making exploit code widely available doesn't make your product less secure. You do.

Typical response from an overworked manager. (4, Insightful)

Enonu (129798) | more than 12 years ago | (#2443543)

I can imagine that this Scott Culp is very stressed out right now. Can you imagine being in this guy's position with worms like Code Red floating around?

So what does he do? He posts an essay which is basically a reflection of his anxiety. However, he misses two very key points on why this information anarchy is a good thing.

* Patches for popular software that are exploitable tend to come out real quick because the company has to save face and perhaps protect against liability suits.

* A necessary fear is instilled into companies to put software through a security audit before it goes into production.

I hope this guy takes a vacation somewhere on the beach to reflect on his thoughts.

I think (0)

Anonymous Coward | more than 12 years ago | (#2443546)

Somebody worried that their OS is so unsecured. Maybe it's time Microsoft hired better QA staff and fixed all of their bugs before making it gold.

It's high time (0)

Anonymous Coward | more than 12 years ago | (#2443547)

It's high time that the user community insisted that Microsoft stop shoving their crap down the user's throats and start producing software with, at least, rudimentary security.

It is also high time that Microsoft got off their high horse and took some responsibility for their crap. They try to take credit for all the good things like TCP/IP and most recently NAT, which they call Secure NAT (S-NAT). The only person I've seen try to take more credit for other people's work was Al Gore.

Yea, I'm a dreamer.....

Microsoft's Desires (1)

Krach42 (227798) | more than 12 years ago | (#2443548)

Hmm.... looks like Microsoft even wants their exploits and hacks to be closed source... Hm... Backwards GPL? (All code that exploits our software MUST be closed source!)

Question for Mr. Culp (1)

ENOENT (25325) | more than 12 years ago | (#2443551)

So, should we shoot the messengers, or just defenestrate them? This is a really good strategy. Ford should have tried getting Ralph Nader thrown into jail as a solution to the little problem with exploding Pintos.

Hello? Is anybody home? Microsoft should issue warnings like: Due to security problems in IIS, Microsoft is issuing a recall on this product. All users of this product should see www.microsoft.com/refunds for instructions on obtaining a full refund and suggestions on alternative web server products.

ROTFL (2)

snake_dad (311844) | more than 12 years ago | (#2443553)

Well, that was my first reaction. But now that I'm back in my chair I find it rather sad, to put it mildly.

The only thing it would accomplish is that the relatively harmless script kiddies would no longer be able to easily crack random machines. However, crackers with Real Bad Intentions (read: terrorists) would still be able to find and abuse security holes. Since they would be a lot more careful about when to use the holes, the security community would not be alerted to the problem.

And there is still the argument that publishing holes is often the only way to get them patched. But we've been over that many, many times already here at /.

Of course the messengers are to blame... (1)

rant-mode-on (512772) | more than 12 years ago | (#2443554)

...for forcing Micro$oft to fix their security blunders.

"No, that's not security hole. We've got a monopoly that needs abusing before we have to fix that."

Valid Uses of Exploits (3, Insightful)

The Infamous TommyD (21616) | more than 12 years ago | (#2443555)

I've heard this idea before including from my advisor. The idea is that releasing exploits to the public is creating an environment where it's too easy to hack machines.
Unfortunately, it's simply untrue that there aren't positive reasons for releasing exploits.
I can think of several: testing of machines (risky, but useful), understanding of vulnerability (CERT advisories are pretty much useless for this.), research.

The most important of these (IMHO) is the understanding of the vulnerabilities. In the past, we didn't even talk about vulnerabilities in the open and we have the abhorrent state of affairs we have today. Security isn't even taught in computer science and engineering curricula and when it is, it's treated as a separate set of classes. When I started working in infosec, I had no idea how the exploits worked and what the real coding vulnerabilities were. Without release of exploits, I probably still wouldn't.

not inform of problems??? (2, Interesting)

Mykul (41817) | more than 12 years ago | (#2443558)

Let's think about this.
I buy a new car. It looks pretty, seems to run good on the lot. Now, the guy across the road sold the dealer the car and he knows that the tires are retreads, the engine has sawdust in it and the door locks will open if you kick the door....
Why shouldn't he be able to tell me these things??

I think that Microsoft should be responsible for their code. Period.

If I can write code that doesn't break, I would think that the dozens of programmers they have hired could do the same. Why isn't there a lemon law for software?

Just my pair of odors.

Memo to Microsoft (1, Interesting)

BayStealth (137271) | more than 12 years ago | (#2443560)

"It's high time the security community stopped providing the blueprints for building these weapons," Culp wrote in the essay. "And it's high time that computer users insisted that the security community live up to its obligation to protect them."

Microsoft, you still don't get it...

I'm a computer user and I do not think for one moment that it is the obligation of the security community to protect me. I do not pay them to protect me. I paid you for buggy, insecure software. These security holes are your responsibility.

So we won't know we are vulnerable... (0)

Anonymous Coward | more than 12 years ago | (#2443563)

If those who find the vulnerability don't release an exploit, those of us who want to protect ourselves before the "patch" is out will have no way to test for vulnerability.

I think it's a bad precedent to leave everyone vulnerable just so the vendor has time to release a patch. Many of us will limit access, disable the vulnerable product or switch to a different one.

I am not 100% sure of this, since I don't run windows and wasn't affected, but I believe the exploits that were used by Code Red and its brethren had patches available, it was just that the patches were not applied. I don't want to have vulnerable machines because others choose to be lazy.

In summary, it's a ridiculous argument.

Rehash of same stupid argument on BugTraq (4, Informative)

adturner (6453) | more than 12 years ago | (#2443565)

This argument that Microsoft is making is the same stupid argument that was made by Richard M. Smith <rms@privacyfoundation.org> on Friday Aug 10, 2001 shortly after Code Red.

The short story is that eEye's announcement had absolutely nothing to do with Code Red. The person(s) who developed Code Red figured out the exploit on their own. For more details check out Marc Maiffret's (of eEye) email to the Bugtraq list: http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=203550

People who argue that full disclosure is harmful just fail to realize the facts of the matter: people who write these attacks aren't all script kiddies and they're quite capable of developing attacks on their own. And the reality is that most vendors only respond to full disclosure to actually fix bugs (and even then it takes too long).

Nuff said.

This isn't a statement for readers of /. (2, Insightful)

SIGFPE (97527) | more than 12 years ago | (#2443566)

It's designed to help lobby politicians. Politicians, who only take up that job because they don't actually have any useful skills, are easily scared by dabblers in black arts like computer programming. It's very easy to whip up a fervor among this largely ignorant set of people making out that by writing code geeks are committing a great sin. Hell, if M$ and the media companies keep this up there may actually come a time when it's illegal for unlicensed individuals to write software on the grounds that you could use that to copy software, 'hack' computers and encrypt communications.

the tough realization of what Windows really is (0)

Anonymous Coward | more than 12 years ago | (#2443568)

I guess they realized their OS is shit and they don't want the world to know. Hell, if I had my name on it I wouldn't want anyone to know what a god awful job I did.

I bet they are preparing to create backdoors for Big Brother and they don't want the bad publicity that would get.

Speaking out of both sides of His mouth (2)

tercero (529131) | more than 12 years ago | (#2443569)

"While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection," he said.

That's funny, OpenBSD has for a long time.

Secondly, I received a Windows XP update in my Hotmail mailbox today claiming that XP has unmatched security... maybe in the M$ world but not for the real world.

Hmmm, let's see here (3, Funny)

TheEviscerator (240966) | more than 12 years ago | (#2443571)

Ah yes, just found my "MSspin2english" translator. Let's see how those comments look now:

"It's high time that the security industry stopped pointing out all of the blatant security flaws in our programs", Culp writes. "Since we insist on developing OSes and highly-integrated applications tuned for usability, rather than security, we can't make as much money as we're accustomed to making, what with all of these viruses/worms targeted at our products."

Culp adds, "it's time that the security industry be held responsible for these worms and viruses, rather than the companies who make products such as ours. By pointing the finger at the amorphous 'security industry', we're better able to deflect blame for the recent rash of high-profile MS OS and web server exploits."

The Company that can do no right (1)

MA17 (309062) | more than 12 years ago | (#2443572)

Microsoft is the company that we love to hate, and as such anything they say is bound to be heard in a biased way.

If there is a security hole in their products, they should be informed before the rest of the world. If there was a city in America that was particularly vulnerable to easily spreading Anthrax (buzzword though it may be...) should the authorities be informed first and exclusively, or should there be a post on terrorismRus.com telling the world?

Believe it or not, none of us are perfect, and the way to make improvements on ourselves is to receive constructive criticism and meaningful feedback, and in this case, to be informed of a security mistake made. Nobody really benefits from so-called anarchists spreading the information around to anyone who cares to look. It's Microsoft's problem, and they should be given the opportunity to fix it.

------

Well, Let See. (0)

Anonymous Coward | more than 12 years ago | (#2443573)

Well, let's see. A security expert can't just say that an OS is bad or has a vulnerability unless he provides proof and a description of how bad that vulnerability is.

If the expert never provides real proof (a usable exploit), chances are no one will ever take the vulnerability seriously.

Some may say the expert should notify the OS provider only and keep his findings secret... That never works. Because the software provider will never take you seriously, or will never fix the holes, or will prefer to keep things quiet, or maybe even send the FBI to your door.

PS: "It's not a bug, It's a Feature"
-- As Microsoft CEO said after first Outlook
buffer overflow exploit showed up.

"It's not an OS, It's disaster"
-- myself

MS Forum (-1)

jaroca (157689) | more than 12 years ago | (#2443575)

Microsoft should really put a comments forum on their site, but I guess it would be bad for business.

Responsibility (1)

nick_burns (452798) | more than 12 years ago | (#2443578)

I guess that the security community refers to the hackers and the IT people who have to deal with these problems. And they're to blame. Come on Microsoft. You have developed a simple, yet unnecessarily powerful (from a "how much access it has to your system" perspective) scripting language that is so easy to learn that 8 year old kids who barely know how to turn a computer on can modify a few lines in one of the many worms that have gone around (and blame Outlook for the wide distribution for the source of these worms) and there is a whole new virus.

If Microsoft wants to eliminate all the email worms, they should do the obvious solution and remove VBScript from Outlook. Completely. I really don't need flashy buttons and pop-up boxes to ask where to have lunch today. And yes, I use Outlook because my company has an Exchange server. But only on my company email accounts.

Outrageous! (2)

SecurityGuy (217807) | more than 12 years ago | (#2443579)

Excuse me, but the security community is not obligated to protect anyone but their clients. Where Microsoft is concerned, that's best accomplished by using something else. This reminds me of the asinine congresscritter who lambasted some poor antivirus guy for the perceived failure of the AV industry to protect us against the virus of the day (Melissa? It was before CR). These nitwits entirely fail to understand that the AV industry only exists because Microsoft, and ONLY Microsoft, deeply sucks at writing secure code. Viruses are not a significant threat on Macs, nor are they on Unix. I can't think of any OS on which they're as endemic a problem as Windows. It's the same here. The problem isn't the security industry, the problem is that we NEED a security industry.

Poor Microsoft. They crush their competitors and still have the testicular fortitude to whine that we don't do their job for them.

Partially Right (1)

man_ls (248470) | more than 12 years ago | (#2443581)

Believe it or not, I believe that MSFT has a real point here.

With the "security" community telling the "hackers" exactly how to create malicious code that takes advantage of poor MS programming, it's like throwing fuel on an already relatively hot fire.

Let's take a slightly more concrete example here. I just thought it up off the top of my head so don't flame me if it doesn't add up to 100%.

Say you're a security consultant for a bank, and you also know some unscrupulous people. Say that you discover a way that, in a few minutes and with a few simple tools that most people have in their garages, you could open up the bank's vault, without triggering their security systems. If you told your "friends" (in this case, the equivalent of posting the information to the Internet), and they went and used the information to rob the bank, you'd be an accessory to the act. You didn't do it, and you might not even get charged with it (the "experts" again here), but you were a mechanism for allowing it to be done.

Microsoft should aim towards releasing code that *doesn't* have more security holes than Swiss cheese has CO2-produced ones, but the people who find the bugs in the software should tell Microsoft privately, instead of telling everyone exactly how to bypass the security and execute arbitrary code/read files/run programs/whatever.

It's not either party's total fault, but the people who everyone thinks are innocent aren't really.

IANAL/IMO

JKoebel