security and MS??? YEAH! RIGHT!

foodog plug-discuss@lists.PLUG.phoenix.az.us
Thu, 28 Jun 2001 03:00:02 -0700


Jason wrote:
> 
> Just goes to show ya that the advantages of open source in mass-market
> products that require security is quite real.

No argument from me.

>... With open source, there are
> both security professionals and hackers who want nothing more than
> their name in lights, as authors of a script (hence gaining fame and
> admiration from script kiddies the world round...) who will search day
> and night for a hole. 

IMO, the people getting the most fame are the one's probing
closed-source software, mostly from MS.

>... When such is found, its generally reported to
> something like BUGTRAQ pretty quickly, right?

If Good Guys (tm) find the hole; there's no way to know if "generally"
is accurate.  There are people searching for holes to exploit them for
profit or underground fame (there's an odd term.).  There have been
exploits posted to bugtraq after they happen to be captured on the wire
(by snort, for example) or binaries recovered from compromised machines. 

(My daughter's Furby calls itself 0day. Hmm.)

> The net result of this constant repurging of security flaws is that
> its quite rare that the same security flaw sits undiscovered for half
> a decade in Open Sourced software... 

It's unusual for "security" software, but not software in general. 
Auditing code's insanely boring.

> What eEye has discovered is quite
> shocking, really, if the story is reported factually... 

Really? ;-)  I've come to expect incredible, gaping holes every month or
so from MS.

> Ive heard from a friend who develops for Microsoft that they DO
> release their source code, ...
> I'd bet money this is how eEye was able to discover this
> flaw, and the one they discovered prior to it.

I'd take that bet, but I might feel guilty about it :-)  For finding
certain types of bugs like format string vulnerabilities an automated
code search would be effective.  Trying to break running software with
unexpected input is very popular and accounts for lots of MS
vulnerabilities.  A smaller population use debuggers or  disassemblers (
http://www.blackhat.com/html/bh-usa-01/bh-usa-01-speakers.html#Havlar
Flake ).  Finally, there are some scary people like Geoff Chappell, who
wrote:

> I may be the only person on the planet who works primarily with VxDs but who doesn't use SoftICE (and indeed never have), but yes, if I talk of looking over code, I mean the code that the machine sees. I prefer to think of this as high-quality documentation written in a language that happens not to be English. It is, however, the only authoritative, reliable documentation that Microsoft releases. 

> Microsoft could dramatically better its image if it offered
> high-dollar rewards to companies that could demonstrate, privately for
> MS, working exploits with patches to provided source to prevent
> them... ah well.

Maybe, someday.  I'm reminded of Lily Tomlin's operator sketch: "Sir,
we're the phone company. We don't have to care."

Steve