Re: Security vs. obscurity (Was: Re: Regmon (a new puzzle))

> How about a situation such as the most recent blaster worm? In that case, Microsoft found the exploit and made a fix available back in early JULY. It was inattentive customers who failed to apply the patch and left their systems vulnerable. (Count me as one of them for a couple of my own systems :(

In this case the exploit was published. Which raises an interesting
question: if it hadn’t, would the virus author have known about the
exploit and would a worm using this exploit have been written?

Chuck

Just a thought !!!

Suppose someone landed an attack based on my computer: either I had my own
software running and I’ve some bugs (buffer overrun, stack smashing, heap
overflow etc., etc.) OR I BOUGHT SOME SOFTWARE THAT HAD THESE TYPES OF
PROBLEM, and being as dumb as I am, running my computer as admin (so to speak,
who cares). Now depending on the strength of the attacks, it might just be me
down the tube, or others depending on other info that can be found from my
system … Who do we blame?

Is it really helpful to have peer review for possible security holes? Then
the question becomes who are the peer(s)? What products should go to peer
review? How can someone say that my product is never going to impact anyone
else so I don’t need peer review? A host of if(s) and but(s) !!!

Then there are the experts(!), who say that opening the sources does not
necessarily mean that the code becomes more secure. And there are cases where
obfuscation will raise the bar-- these are all expert advice.

A couple of weeks ago my system was being hacked; I found the IP address, tried to
find out who was so interested, could not get there, played tricks to find other
IP addresses, and reported to the Canadian ISP that whoever has this
xxx.yyy.www.zzz address is trying to hack my system — the ISP replied that they
would look at it. I knew that if DNS is used there is hardly any precision
in finding the person, and then who knows whether that system(s) was not a platform for the
original attacker.

I still believe that reporting any incidence should be purely on NEED TO
KNOW BASIS.

For peer review, I’m not sure whose code should be reviewed for possible holes?
Who are the peer(s)?

The best I found so far about the state of this security is this ------

“We work in the dark
We do what we can
We gave what we have.
Our doubt is our passion
And our passion is our task.
The rest is the madness of art.”

by Henry James.

-prokash

----- Original Message -----
From: “Chuck Batson”
To: “Windows System Software Developers Interest List”
Sent: Tuesday, August 19, 2003 6:52 PM
Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon (a new puzzle))

> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@garlic.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

That is not fully correct. The history is as follows.

  1. The lsd team discovered the bug and informed/worked with Microsoft to
    identify and fix it
  2. After Microsoft issued the patch, lsd published their credits for
    discovering the problem, but they never published any details (at
    least no more than Microsoft itself) about the bug and of course
    never published any exploits
  3. While Microsoft issued the patch it urged everybody that the bug is quite
    serious and must be patched asap
  4. Using the Microsoft patch some hackers made a diff and identified the
    fixed code as well as discovered the bug itself
  5. Some of those hackers wrote exploits and made them publicly
    available, that is about 2 weeks after the patch was released
  6. Microsoft urged everybody even more to install the patch
  7. In about 2-3 weeks the blaster worm appeared

So the researchers who discovered the bug are not responsible for the blaster
worm. The case has shown that even if you keep silent it doesn’t stop
exploits as soon as the patch is released.

Best regards,
Andrey mailto:xxxxx@sandy.ru

Right. Whether specific instructions to take advantage of the exploit or
a patch for the exploit are made public, the result is basically the
same. Simply making it public knowledge opens the door for those with
malicious intent who realize human nature will provide a window of
opportunity – the time between the public announcement and the time
individual users apply the patch. I’m not advocating any particular
position – there are valid arguments from both sides, and I personally
don’t know what the “right answer” is. But I do find it interesting to
ponder whether the worm would have come about had there been no public
announcement regarding the exploit (including announcement of a patch).

Chuck

----- Original Message -----
From: “Andrey Kolishak”
To: “Windows System Software Developers Interest List”

Sent: Wednesday, August 20, 2003 6:52 PM
Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon (a new puzzle))


> I think throwing this guy in jail for 16 months means that Tornado had better lawyers than he did, because the technical grounds are weak in the extreme. I am not clear on how he obtained the customer list, and for that he could and probably should have been prosecuted, but for letting people know of a problem he had given his former employer AMPLE opportunity to fix?? That is a really really bad precedent to set.

You have to admit, in this case his particular choice of method sounds
rather vendetta-like. I question his means. Although he may have (at
first) been primarily concerned with the security of customers’
accounts, it sounds like his motives for doing what he did became more
personal toward the end. Was there not any better way for him to act in
the best interest of the at-risk users? In any case, we don’t have all
the facts, so it’s hard to say.

Chuck

And some people can bridge the gap (tech vs. law), as we can figure out from
Walter’s other site !!!.

And I’m definitely not proficient in it; I have about 6 law semesters (4 of
them from an Indian Institute). Pls don’t yell at me, I don’t remember those
anymore !!!. Just that publicizing it onto the web did not make any sense to me,
whatsoever…

-prokash

----- Original Message -----
From: “Michal Vodicka”
To: “Windows System Software Developers Interest List”
Sent: Wednesday, August 20, 2003 6:02 PM
Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon (a new puzzle))

> > ----------
> > From:
> > xxxxx@compuware.com[SMTP:xxxxx@compuware.com]
> > Reply To: xxxxx@lists.osr.com
> > Sent: Thursday, August 21, 2003 1:28 AM
> > To: xxxxx@lists.osr.com
> > Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon (a new puzzle))
> >
> > This guy, while he may have made these customers vulnerable for a time,
> > actually did them a HUGE favor. How do we know that this vulnerability
> > wasn’t exploited? We don’t. I bet we can be pretty sure that Tornado
> > fixed
> > the vulnerability now. I think the law makers are not consulting the
> > “technology haves” when they write laws, nor judges when they interpret
> > them. Scary stuff.
> >
> Exactly. The problem is we apply technical point of view whereas lawyers
> apply … ugh something else. Two incompatible worlds.
>
> Best regards,
>
> Michal Vodicka
> STMicroelectronics Design and Application s.r.o.
> [michal.vodicka@st.com, http://www.st.com]

Wednesday, August 20, 2003, 10:12:17 PM, you wrote:

MV> Do you expect different development in Europe? I’m a pessimist. Only the Great
MV> Awakening (see http://www.cs.bgu.ac.il/~omri/Humor/WindowsTrek.html) can
MV> save us.
No, I’m not expecting that it will be different because we’re as usual
importing the worst things from American culture - you’re from .cz
as I am so you know how it looks: after 40 years of the Soviet big
brother we now have a USA big brother all around us - pathetic
sentimental and patriotic (the USA flag is all over there as if they
would have to remind them how patriotic they are!) movies full of
religious nonsense, pathetic music etc etc. And now after the hysteria
with the twins also the American laws. The laws about cyberspace made
by people who want to rule there too (what? on the internet there is
communism! we fought against it in Vietnam, in Korea etc etc, the cold
war is not so far from now and we’ll let it be?? no way) and that know
nothing about the technical issues. *sigh* I’m hell afraid and I’m
starting to be more and more …

(and I’m afraid the great awakening won’t help us either, although it
would be very nice :-)))

MV> Have you read that Amazon’s famous one-click was patented in Europe recently?
MV> Several years ago we smiled that something like this is possible only in a
MV> country you mentioned above.
Heh yes. I’ve read about it. And I was not so much surprised. After
all we’re not so much different from the USA here in Europe (look at
Germany - what shit serials and movies it is producing now!), we have
our local MTV, we have McDonalds, we have KFC etc etc: the mainstream
culture is becoming so unified that one cannot wonder any more. And
the underground forces don’t have enough power to change things simply
because there are not so many of them, we have democracy right (if they are
not playing on people’s emotions - Greenpeace for example, people will
forgive them radical ecoterrorist acts if they save some
kitsch whale).

The stupidity is simply widespread all around the world.

MV> This isn’t security through obscurity issue anymore. This is virtual versus
MV> real world or technical versus human world conflict.
Yes, I fully agree.

MV> Why bother? Because it can influence us all. It is easy to ignore all this
MV> nonsense and examine only technical stuff. Sooner or later the nonsense
MV> will catch you inevitably. I have to confess Walter was right and things are
MV> worse than I expected. Cases like this can really change things.
Yes they can. But I’m afraid there’s not much I (we) can do about it.
We’re simply not the force politicians would listen to, they have
enough sheep around. And well I don’t care anymore; as long as I’m able
to code I’ll be alright, and if I won’t be able? I don’t want to think about
it recently :|

So why did I join this topic if I don’t care? Simply because I was
surprised reading the same nonsense I hear everywhere around me.
I thought that on a technical mailing list it wouldn’t come up. And I was
wrong. As usual. And NO I cannot ignore it.

And Walter please don’t take it wrong. I have nothing against you
personally, moreover I respect you as an authority in technical skills.
I’m simply just confused with the strange world heh

–
Best regards,
Ivona Prenosilova

ivona prenosilova wrote:

And Walter please don’t take it wrong. I have nothing against you
personally, moreover I respect you as an authority in technical skills.
I’m simply just confused with the strange world heh

Well, here’s the *best* part of American culture: You’re free to have
your own opinion, even if it differs from mine – and even if it differs
from John Ashcroft’s or George Bush’s. We can “agree to disagree” on
this issue.

–
Walter Oney, Consulting and Training
Basic and Advanced Driver Programming Seminars
Check out our schedule at http://www.oneysoft.com

Let’s not waste our attention on this case. On my reading, it’s marred by
the faults of the “whistle-blower.”

Chuck Batson wrote:

You have to admit, in this case his particular choice of method sounds
rather vendetta-like.

–
If replying by e-mail, please remove “nospam.” from the address.

James Antognini
Windows DDK MVP

Agreed we don’t have all the facts, so it’s hard to say.

I will say this, the guy’s motivation really should have no bearing on the
facts from what I can see, but they obviously did in this court. If they
wanted to charge him with entering Tornado’s servers without permission or
something like that okay, but charging him for whistle blowing, regardless
of any vendetta or hopes for personal gain, is not a good idea in my
opinion. Had he not told the company of the problem and given them 6 months
to fix it, then I believe it would be an entirely different matter. As it
stands, they should have fixed a known security hole faster than that and
they got what they had coming because they didn’t.

But I, unlike some here, am not a lawyer. So, I will defer to those more
qualified.

–
Bill McKenzie
Compuware Corporation
Watch your IRPs/IRBs/URBs/SRBs/NDIS pkts with our free WDMSniffer tool:
http://frontline.compuware.com/nashua/patches/utility.htm


“The Slammer worm penetrated a private computer network at Ohio’s
Davis-Besse nuclear power plant in January and disabled a safety
monitoring system for nearly five hours, despite a belief by plant
personnel that the network was protected by a firewall, SecurityFocus
has learned.”

http://www.securityfocus.com/news/6767

I particularly like this quote, which epitomizes the subject of this
thread:

“Last year the NEI formed a task force to develop updated cybersecurity
management guidelines for the industry. The results – which will be
secret – are expected within a few months.”

Chuck

Okay it is time for me to exit (chicken out!!!). Sorry again for getting
into this. I wish I could get Anthony to pour a couple of kegs of beer on his
head, no offence please Anthony, I still think you brought up an interesting
topic here. I’m certainly not in a position to evaluate the whole discussion
…

In most (British derived) laws two things are very interesting —

  1. Unless one is proved guilty, (s)he is innocent.

  2. Ignorance of the law is presumed to be a fault of the ignorant.

Others I don’t remember.

No. 1 is very enticing for the layman. No. 2 is very dangerous for everyone.

Now come the experts to turn and twist individual cases, try to correlate
with previous cases, and hundreds of hundreds of clues and other things to prove
(1). But that does not preclude starting the mess. HE STARTED THE MESS, HE
MIGHT VERY WELL BE OUT ON THE FREE.

But the mess he is in might be just because of the two above…

I’m exiting as per James Antognini’s logic.

-prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Bill McKenzie
Sent: Thursday, August 21, 2003 10:26 AM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon (a new puzzle))

