Re: Security vs. obscurity (Was: Re: Regmon(a new puzzle))

Well of course. As soon as a patch is available, it can be used for
nefarious purposes. Then one asks, what if no one said a word, and a
patch was never released, would there have been a worm? In my opinion,
it’s better to have the patch than not. So what do you do? There will
always be human nature and other reasons systems are not kept
up-to-date. This thread originated with the question, does it make
sense to write software that monitors the registry for dubious access
patterns? Short of software vendors stopping releasing software with
errors (ha), how does the community of typical, non-expert human
computer end-users protect themselves?

Though I run no anti-virus software, I have never been infected with
anything until this worm (because I am prudent, I like to think). I’m
not your basic home user, but I still got bitten. I am running Internet
Connection Firewall, and it still got through. The XP machine that got
infected I intentionally had never updated for testing purposes. Okay,
you may say I get what I deserve in this case. But the point is there
may be any number of reasons why a worm gets to you before the patch
does, regardless of how “sure” you are you have all the necessary
precautions in place (like a certain firewall). I don’t think this
thread has adequately answered the question of whether adding more panes
of bullet-proof glass is useful or not; it’s a difficult question with
no clear answer. Antony, the OP, was discouraged from entering a red
queen’s race. Ultimately such a race is unwinnable, but it might be
enough to be a hair ahead most of the time. As Michal Vodicka pointed
out, my chances of becoming infected may have been reduced had I been
running Antony’s proposed registry monitor.

Another way to pose the question is, how can the damage best be
mitigated in the situation where the black hats are more informed and/or
more up-to-date than the average user?

Chuck

----- Original Message -----
From: “Roddy, Mark”
To: “Windows System Software Developers Interest List”

Sent: Wednesday, August 20, 2003 9:04 PM
Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon(a new puzzle))

> I’m not quite understanding how Microsoft is supposed to make patches
> available without publicising them. The black hats certainly have NT
> systems downloading updates for them to examine for new exploits. So who are
> we protecting here? The public from knowing how vulnerable they are?
>
> =====================
> Mark Roddy
> Hollis Technology Solutions
> www.hollistech.com
> xxxxx@hollistech.com
>
>
> -----Original Message-----
> From: Chuck Batson [mailto:xxxxx@cbatson.com]
> Sent: Wednesday, August 20, 2003 9:50 AM
> To: Windows System Software Developers Interest List
> Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon(a new puzzle))
>
>
> Right. Whether specific instructions to take advantage of the exploit or a
> patch for the exploit are made public, the result is basically the same.
> Simply making it public knowledge opens the door for those with malicious
> intent who realize human nature will provide a window of opportunity – the
> time between the public announcement and the time individual users apply the
> patch. I’m not advocating any particular position – there are valid
> arguments from both sides, and I personally don’t know what the “right
> answer” is. But I do find it interesting to ponder whether the worm would
> have come about had there been no public announcement regarding the exploit
> (including announcement of a patch).
>
> Chuck
>
> ----- Original Message -----
> From: “Andrey Kolishak”
> To: “Windows System Software Developers Interest List”

> Sent: Wednesday, August 20, 2003 6:52 PM
> Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon(a new puzzle))
>
>
> >
> > that is not fully correct. The history is as follows.
> > 1) lsd team discovered the bug and informed/worked with Microsoft to
> > identify and fix it
> > 2) After Microsoft issued the patch, lsd published their credits for
> > discovering the problem, but they never published any details (at
> > least no more than Microsoft itself) about the bug and of course never
> > published any exploits
> > 3) While Microsoft issued the patch it urged everybody that the bug is quite
> > serious and must be patched asap
> > 4) Using the Microsoft patch some hackers made a diff and identified the fixed
> > code as well as discovered the bug itself
> > 5) some of those hackers wrote exploits and made them publicly
> > available, that is about 2 weeks after the patch was released
> > 6) Microsoft urged everybody even more to install the patch
> > 7) in about 2-3 weeks the blaster worm appeared
> >
> > So researchers who discovered the bug are not responsible for the blaster
> > worm. The case has shown that even if you keep silent it doesn’t stop
> > exploits as soon as the patch is released.
> >
> >
> > Best regards,
> > Andrey mailto:xxxxx@sandy.ru
> >
> >
> >
> > >> How about a situation such as the most recent blaster worm? In that
> > >> case, Microsoft
> > >> found the exploit and made a fix available back in early JULY. It was
> > >> inattentive customers
> > >> who failed to apply the patch and left their systems vulnerable.
> > >> (Count me as one of them
> > >> for a couple of my own systems :(
> >
> >
> > CB> In this case the exploit was published. Which raises an interesting
> > CB> question: if it hadn’t, would the virus author have known about the
> > CB> exploit and would a worm using this exploit have been written?
> >
> > CB> Chuck
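Chuck’s message asks whether software that watches the registry for dubious access patterns makes sense. The thread never describes how Antony’s proposed monitor would work, so the following is an added illustration and not code from this thread or from Antony: a small Python detector run over constructed registry-change events. The tab-separated event format (timestamp, process image, operation, key path, value data), the list of autostart keys, the “trusted” directories and the flagging policy are all assumptions made for the example. It flags writes to autostart locations, and adds weight when the registered target lies outside the Windows or Program Files directories or when a process registers its own image, which is the kind of pattern a defender would want surfaced early, before a patch has been applied.

```python
"""Toy detector for 'dubious registry access patterns' (added example, not
code from the ntdev thread or from Antony's monitor). The event format, key
list and policy below are assumptions made for illustration."""
from dataclasses import dataclass


# Assumed tab-separated event format: timestamp, process image, operation,
# registry key path, value data (empty for reads).
@dataclass
class RegEvent:
    ts: str
    process: str
    op: str
    path: str
    data: str


# Autostart locations a defender typically watches; illustrative, not exhaustive.
AUTOSTART_KEYS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",         # also matches RunOnce
    r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
)
# Directories from which an autostart target is considered unremarkable (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


def parse_event(line: str) -> RegEvent:
    """Split one tab-separated event line into a RegEvent."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        raise ValueError(f"expected 5 tab-separated fields, got {len(fields)}: {line!r}")
    return RegEvent(*fields)


def first_token(data: str) -> str:
    """Return the executable path from value data such as '"C:\\x y\\a.exe" /flag'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def is_autostart(path: str) -> bool:
    """True when the key path lies under one of the watched autostart keys."""
    p = path.lower()
    return any(k.lower() in p for k in AUTOSTART_KEYS)


def flag(ev: RegEvent) -> list:
    """Return the reasons an event is dubious; an empty list means it is not."""
    reasons = []
    if ev.op.lower() != "setvalue" or not is_autostart(ev.path):
        return reasons  # reads, and writes elsewhere, are ignored by this toy policy
    reasons.append("write to autostart key")
    target = first_token(ev.data)
    if target and not target.lower().startswith(TRUSTED_DIRS):
        reasons.append(f"autostart target outside trusted dirs: {target}")
    if target and target.lower() == ev.process.lower():
        reasons.append("process registers its own image for autostart")
    return reasons


def scan(lines):
    """Run flag() over event lines; returns (ts, process, path, reasons) per hit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = flag(ev)
        if reasons:
            hits.append((ev.ts, ev.process, ev.path, reasons))
    return hits


# Constructed sample events (not real telemetry); process and key names are made up.
SAMPLE_EVENTS = [
    "\t".join([r"2003-08-20 09:50:01", r"C:\Program Files\Foo\setup.exe", "SetValue",
               r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Foo",
               r'"C:\Program Files\Foo\foo.exe" /tray']),
    "\t".join([r"2003-08-20 09:50:02",
               r"C:\Documents and Settings\user\Local Settings\Temp\updater.exe",
               "SetValue",
               r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update",
               r'"C:\Documents and Settings\user\Local Settings\Temp\updater.exe"']),
    "\t".join([r"2003-08-20 09:50:03", r"C:\WINDOWS\regedit.exe", "QueryValue",
               r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Foo", ""]),
    "\t".join([r"2003-08-20 09:50:04", r"C:\WINDOWS\explorer.exe", "SetValue",
               r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",
               "http://example.invalid/"]),
]

if __name__ == "__main__":
    for ts, proc, path, reasons in scan(SAMPLE_EVENTS):
        print(ts, proc, path, "->", "; ".join(reasons))
```

Run as a script it reports the installer’s ordinary Run entry with a single reason and the Temp-directory self-registration with three, while the read by regedit and the unrelated Internet Explorer write are left alone; the point is that a monitor of this kind needs a policy that separates routine autostart writes from the pattern worth acting on, otherwise it just adds another pane of glass nobody looks through.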

The answer to the last question might be here –

When the Brooklyn Bridge was built, the architect, engineer(s), and others did
not quite have the idea about stress and strain analysis (material science
and others were not yet well discovered), so what they did was: they put in
material(s) and other things that were roughly 10 times more than needed as per
the modern approach. — This was cited in Yourdon’s Structured Programming
book.

Antony’s approach brings a similarity here !!!

-prokash

----- Original Message -----
From: “Chuck Batson”
To: “Windows System Software Developers Interest List”
Sent: Wednesday, August 20, 2003 8:03 AM
Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon(a new puzzle))

> Well of course. As soon as a patch is available, it can be used for
> nefarious purposes. Then one asks, what if no one said a word, and a
> patch was never released, would there have been a worm? In my opinion,
> it’s better to have the patch than not. So what do you do? There will
> always be human nature and other reasons systems are not kept
> up-to-date. This thread originated with the question, does it make
> sense to write software that monitors the registry for dubious access
> patterns? Short of software vendors stopping releasing software with
> errors (ha), how does the community of typical, non-expert human
> computer end-users protect themselves?
>
> Though I run no anti-virus software, I have never been infected with
> anything until this worm (because I am prudent, I like to think). I’m
> not your basic home user, but I still got bitten. I am running Internet
> Connection Firewall, and it still got through. The XP machine that got
> infected I intentionally had never updated for testing purposes. Okay,
> you may say I get what I deserve in this case. But the point is there
> may be any number of reasons why a worm gets to you before the patch
> does, regardless of how “sure” you are you have all the necessary
> precautions in place (like a certain firewall). I don’t think this
> thread has adequately answered the question of whether adding more panes
> of bullet-proof glass is useful or not; it’s a difficult question with
> no clear answer. Antony, the OP, was discouraged from entering a red
> queen’s race. Ultimately such a race is unwinnable, but it might be
> enough to be a hair ahead most of the time. As Michal Vodicka pointed
> out, my chances of becoming infected may have been reduced had I been
> running Antony’s proposed registry monitor.
>
> Another way to pose the question is, how can the damage best be
> mitigated in the situation where the black hats are more informed and/or
> more up-to-date than the average user?
>
> Chuck
>
> ----- Original Message -----
> From: “Roddy, Mark”
> To: “Windows System Software Developers Interest List”
>
> Sent: Wednesday, August 20, 2003 9:04 PM
> Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon(a new puzzle))
>
>
> > I’m not quite understanding how Microsoft is supposed to make patches
> > available without publicising them. The black hats certainly have NT
> > systems downloading updates for them to examine for new exploits. So who are
> > we protecting here? The public from knowing how vulnerable they are?
> >
> > =====================
> > Mark Roddy
> > Hollis Technology Solutions
> > www.hollistech.com
> > xxxxx@hollistech.com
> >
> >
> > -----Original Message-----
> > From: Chuck Batson [mailto:xxxxx@cbatson.com]
> > Sent: Wednesday, August 20, 2003 9:50 AM
> > To: Windows System Software Developers Interest List
> > Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon(a new puzzle))
> >
> >
> > Right. Whether specific instructions to take advantage of the exploit or a
> > patch for the exploit are made public, the result is basically the same.
> > Simply making it public knowledge opens the door for those with malicious
> > intent who realize human nature will provide a window of opportunity – the
> > time between the public announcement and the time individual users apply the
> > patch. I’m not advocating any particular position – there are valid
> > arguments from both sides, and I personally don’t know what the “right
> > answer” is. But I do find it interesting to ponder whether the worm would
> > have come about had there been no public announcement regarding the exploit
> > (including announcement of a patch).
> >
> > Chuck
> >
> > ----- Original Message -----
> > From: “Andrey Kolishak”
> > To: “Windows System Software Developers Interest List”
>
> > Sent: Wednesday, August 20, 2003 6:52 PM
> > Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon(a new puzzle))
> >
> >
> > >
> > > that is not fully correct. The history is as follows.
> > > 1) lsd team discovered the bug and informed/worked with Microsoft to
> > > identify and fix it
> > > 2) After Microsoft issued the patch, lsd published their credits for
> > > discovering the problem, but they never published any details (at
> > > least no more than Microsoft itself) about the bug and of course never
> > > published any exploits
> > > 3) While Microsoft issued the patch it urged everybody that the bug is quite
> > > serious and must be patched asap
> > > 4) Using the Microsoft patch some hackers made a diff and identified the fixed
> > > code as well as discovered the bug itself
> > > 5) some of those hackers wrote exploits and made them publicly
> > > available, that is about 2 weeks after the patch was released
> > > 6) Microsoft urged everybody even more to install the patch
> > > 7) in about 2-3 weeks the blaster worm appeared
> > >
> > > So researchers who discovered the bug are not responsible for the blaster
> > > worm. The case has shown that even if you keep silent it doesn’t stop
> > > exploits as soon as the patch is released.
> > >
> > >
> > > Best regards,
> > > Andrey mailto:xxxxx@sandy.ru
> > >
> > >
> > >
> > > >> How about a situation such as the most recent blaster worm? In that
> > > >> case, Microsoft
> > > >> found the exploit and made a fix available back in early JULY. It was
> > > >> inattentive customers
> > > >> who failed to apply the patch and left their systems vulnerable.
> > > >> (Count me as one of them
> > > >> for a couple of my own systems :(
> > >
> > >
> > > CB> In this case the exploit was published. Which raises an interesting
> > > CB> question: if it hadn’t, would the virus author have known about the
> > > CB> exploit and would a worm using this exploit have been written?
> > >
> > > CB> Chuck
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@garlic.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>

You admitted that the patch alone is enough for bad guys to make worms
and exploits. The recent events showed that, full disclosure or not, the
consequences are the same. Of course not releasing the patch will just
lead to 0day exploits - when exploits are out there but a patch is not
available. Of course all users will never install patches, and that is
normal. But a released exploit helps people treat the problem more
seriously and motivates security-minded people to install the patch in
time. Another example: the Code Red worm. After eEye’s so-called “experts” released their
advisory they also wrote a proof-of-concept exploit and published how it may
work http://eeye.com/html/Research/Advisories/AD20010618.html. They
mentioned that the exploit is not easy and not reliable: “The Exploit, as taught by Ryan
“Overflow Ninja” Permeh”. Unfortunately they just misled people about the
exploit’s complexity; really, things were much easier. After 3 days a
real, reliable exploit was released by some hacker. The first who got it
were hackers and it spread around quite fast. Many normal admins were not
aware of what hackers did at that time but just read the official misleading
explanation by eEye experts and deferred the fix. They were right and did
it according to their assessment of the threat. But their assessment of the threat
was not correct because of a lack of real info.
A month later Code Red appeared.

The average user always loses, but caring users must have enough info about the
bug. Actually, to assist average users Microsoft is planning to enable
automatic update by default.

Best regards,
Andrey mailto:xxxxx@sandy.ru

CB> Well of course. As soon as a patch is available, it can be used for
CB> nefarious purposes. Then one asks, what if no one said a word, and a
CB> patch was never released, would there have been a worm? In my opinion,
CB> it’s better to have the patch than not. So what do you do? There will
CB> always be human nature and other reasons systems are not kept
CB> up-to-date. This thread originated with the question, does it make
CB> sense to write software that monitors the registry for dubious access
CB> patterns? Short of software vendors stopping releasing software with
CB> errors (ha), how does the community of typical, non-expert human
CB> computer end-users protect themselves?

CB> Though I run no anti-virus software, I have never been infected with
CB> anything until this worm (because I am prudent, I like to think). I’m
CB> not your basic home user, but I still got bitten. I am running Internet
CB> Connection Firewall, and it still got through. The XP machine that got
CB> infected I intentionally had never updated for testing purposes. Okay,
CB> you may say I get what I deserve in this case. But the point is there
CB> may be any number of reasons why a worm gets to you before the patch
CB> does, regardless of how “sure” you are you have all the necessary
CB> precautions in place (like a certain firewall). I don’t think this
CB> thread has adequately answered the question of whether adding more panes
CB> of bullet-proof glass is useful or not; it’s a difficult question with
CB> no clear answer. Antony, the OP, was discouraged from entering a red
CB> queen’s race. Ultimately such a race is unwinnable, but it might be
CB> enough to be a hair ahead most of the time. As Michal Vodicka pointed
CB> out, my chances of becoming infected may have been reduced had I been
CB> running Antony’s proposed registry monitor.

CB> Another way to pose the question is, how can the damage best be
CB> mitigated in the situation where the black hats are more informed and/or
CB> more up-to-date than the average user?

CB> Chuck

Prokash Sinha wrote:

When the Brooklyn Bridge was built, the architect, engineer(s), and others did
not quite have the idea about stress and strain analysis (material science
and others were not yet well discovered), so what they did was: they put in
material(s) and other things that were roughly 10 times more than needed as per
the modern approach. — This was cited in Yourdon’s Structured Programming
book.

Ah. I’m glad you mentioned civil engineering. Suppose someone knew that
the engineering calculations were wrong because the cornerstone of a
pier was vulnerable to, say, being kicked with a steel-toed boot. (I’m
exaggerating here to make the point). So he takes out a full-page ad in
the New York Times to “force” the engineers to fix it. Whereupon the
engineers omit to spin the suspension cables correctly (being distracted
by the urgent need to fix the cornerstone before some hacker gets to
it), and the bridge fails as the mayor is cutting the ribbon.

That’s what I think is the correct analogy to publicizing security
holes.


Walter Oney, Consulting and Training
Basic and Advanced Driver Programming Seminars
Check out our schedule at http://www.oneysoft.com

Walter,

My stance is completely as yours…

In one line, if an antidote(spell error) has any chance to survive, it
better gets there before the original virus comes. We all know this from
our flu shots to other things.

To avoid getting a virus attack before the antidote, one has to stay in a
controlled env.

Here, publicizing is similar to opening the env.

-prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Walter Oney
Sent: Wednesday, August 20, 2003 11:18 AM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Security vs. obscurity (Was: Re: Regmon(a new puzzle))

Prokash Sinha wrote:

When the Brooklyn Bridge was built, the architect, engineer(s), and others did
not quite have the idea about stress and strain analysis (material science
and others were not yet well discovered), so what they did was: they put in
material(s) and other things that were roughly 10 times more than needed as per
the modern approach. — This was cited in Yourdon’s Structured Programming
book.

Ah. I’m glad you mentioned civil engineering. Suppose someone knew that
the engineering calculations were wrong because the cornerstone of a
pier was vulnerable to, say, being kicked with a steel-toed boot. (I’m
exaggerating here to make the point). So he takes out a full-page ad in
the New York Times to “force” the engineers to fix it. Whereupon the
engineers omit to spin the suspension cables correctly (being distracted
by the urgent need to fix the cornerstone before some hacker gets to
it), and the bridge fails as the mayor is cutting the ribbon.

That’s what I think is the correct analogy to publicizing security
holes.


Walter Oney, Consulting and Training
Basic and Advanced Driver Programming Seminars
Check out our schedule at http://www.oneysoft.com
