Date: 07/14/03

  • Next message: morning_wood: "Re: [Full-Disclosure] GUNINSKI THE SELF-PROMOTER"
    To: full-disclosure@lists.netsys.com
    Date: Mon, 14 Jul 2003 09:03:31 -0700


    Schneier has a little more credibility than Smith methinks.


    Hackers, software companies feud over disclosure of weaknesses

    By Doug Bedell
    The Dallas Morning News

    As Muhammad Faisal Rauf Danka recalls it, he tried 10 times to call a
    software maker about a devastating security flaw in one of its most popular

    "It is so simple it is funny," the Pakistani researcher says. But nothing
    happened. Then he took his findings to a global audience: a worldwide
    mailing list devoted to exposing and exploring software bugs.

    Vindication came swiftly: Within days, Microsoft acknowledged that 200
    million of its Passport accounts had been left open, apparently for months,
    allowing the easy hijacking of credit-card and other personal data.
    The company shut down the Passport system and fixed the hole.

    To some, Danka is a hero for publicly prodding a big company into swiftly
    correcting an error. But to Microsoft, he is an "information anarchist"
    who makes it easier for malicious hackers to inflict havoc on the masses.

    Those viewpoints frame the ongoing debate about the principle of "full
    disclosure," the computer world's longtime standard for exposing security
    flaws so that they can be isolated and repaired.

    Not long ago, these arguments might have mattered only to programmers
    geeking out code and the hackers who try to crack it. But with software
    so pervasive in Americans' everyday lives, and growing more so every
    day, the debate affects almost everyone.

    Proponents of full disclosure say that a proliferation of bad software
    makes full disclosure essential. Only public pressure, they say, can
    compel big companies to speedily make fixes available. Microsoft has
    issued a dozen critical security patches this year.

    Microsoft and its peers say the tell-all model of publicizing software
    problems is a road map for computer pirates. Chairman Bill Gates is the
    driving force behind Microsoft's year-old Trustworthy Computing Initiative,
    an effort to improve software reliability.

    Under pressure to shore up the nation's computer systems from external
    threats, the federal government is now siding with Microsoft against
    full disclosure.

    Its reasoning goes like this: Mistakes in programming are inevitable,
    so there's no need to publicize how to attack millions of computers
    until the software maker has a chance to fix the problem.

    "Here we have this really weird situation of security people helping
    the bad guys," said Richard Smith, an independent computer-security consultant
    in Brookline, Mass. "There's little doubt that happens, whether they
    like it or not."

    Worming in

    Worms and viruses such as Code Red, Nimda, Slapper and Klez have crept
    into virtually everyone's computing experience. When they strike, these
    devilish ones and zeros can slam business and individual users alike,
    costing billions in lost productivity and repairs.

    Software controls so much of our daily lives that eradicating its glitches
    has become a national priority. At the front end, developers are experimenting
    with novel approaches to code-writing such as "Extreme Programming,"
    which employs teams of collaborating specialists who work side by side
    on projects, sharing keyboards and techniques.

    Governments, including the state of Texas, are taking aim at overbudget
    software projects that typically run months behind schedule. Meanwhile,
    as more programming moves overseas to countries with cheaper labor,
    a whole new realm of software security and design issues has arisen.

    "Bugs in code are not like the weather, but Microsoft would have you
    believe that they are; that they just happen," said Bruce Schneier of
    Counterpane.com. "They are either mistakes in design or development.
    Microsoft doesn't want to make a mistake. When someone discovers one,
    it makes them look really bad."

    In January 2002, Microsoft acknowledged that one of its most important
    responsibilities is to improve the reliability of its software, through
    the Trustworthy Computing Initiative. The Passport vulnerability is perhaps
    the largest snafu to evade the initiative's extensive security reviews.

    Room to improve

    Everyone agrees that software quality needs improvement.

    One researcher, a Bulgarian named Georgi Guninski, has exposed about
    half of more than 100 security holes in Microsoft's Internet Explorer
    Web browser. Some have allowed scripting on Web pages to execute programs
    that completely surrender control over an Internet-connected computer
    to the bad guys, "black hat hackers" or "crackers."

    In many cases, Microsoft has issued patches that shore up security. Smith
    said, however, that the majority of Guninski-found vulnerabilities have
    not been used by virus writers and crackers to infect computer systems.

    That's where the full-disclosure practice of releasing "exploit code"
    polarizes the debate.

    When some researchers announce they've found a security hole, they also
    publish a sample of a successful attack. That "exploit code" can be used
    to craft some nasty programs known as "malware," such as Trojan horses,
    worms and viruses.

    In the case of the Passport flaw, Danka reported that anyone could gain
    control over Passport accounts by adding "emailpwdreset" to a string
    of commands at the https://register.passport.net Web address. The Web
    page in question had been set up to allow users to regain access to their
    accounts when they forget their passwords.

    Passport is an integral part of Windows XP and Microsoft's .NET offerings.
    It allows users to store credit-card numbers, passwords and identification
    information to make online shopping more streamlined.

    Full disclosure

    Danka and Guninski adhere to the full-disclosure principles by regularly
    reporting findings to security mailing lists such as BugTraq and Full-
    Disclosure. From there, anyone with basic code-writing abilities can
    build their own programs, both good and bad.

    The motivations vary for publishing exploit code. Guninski, for example,
    is an unabashed self-promoter.

    "He's looking for work in the security area, so he's looking to establish
    his reputation by finding security holes," Smith said. "He definitely
    publishes exploit code. He's been doing that since Day One, and definitely
    some of the exploit code has ended up in some viruses."

    Others may attempt to use the threat of exploit-code release as a way
    to extract money from software manufacturers. And still others may simply
    want to damage the reputation of companies such as Microsoft.

    For his part, Danka asserts that he was only investigating why his own
    Passport account had been hijacked. He stumbled on the Web page scripting
    flaw within about four minutes of exploring Microsoft's password-reset

    Last year, when Guninski discovered a security hole inside Microsoft's
    Office XP, he informed the company about his discovery, waited 14 days,
    then published instructions on how it could be exploited.

    Not enough time

    Microsoft said that wasn't enough time to issue a patch. And, frustrated
    with the entire full-disclosure principle, it began using such situations
    to bolster arguments that the entire bug-reporting system needs an overhaul.

    Mike Nash, Microsoft's vice president of the Security Business Unit,
    said in an online chat in November that the company wants the software
    community to behave more responsibly.

    "Our goal is to inform people about security issues when we have a way
    to mitigate it," Nash said. "In most cases, the benefit of waiting for
    a quality mitigation (usually a patch) outweighs the timing issue. There
    are exceptions. The goal is to make sure that we provide people a great
    way to protect themselves before we explain issues to potential criminals."

    But, as Smith points out, even if a patch is issued, it is virtually
    impossible to get every user of the software to install it in a timely

    "This whole idea that you can force the manufacturer to produce fixes
    does no good," Smith said. "You might have 100 million computers that
    need updating. Tell me the mechanism that's going to make that happen.
    I just don't see it."

    Those in Smith's camp back a model of limited full disclosure. Exploit
    code should not be released in most cases, Smith said.


    Microsoft has pressed for industrywide consensus on handling security
    issues. In April, the company joined International Business Machines,
    Intel, Hewlett-Packard and Advanced Micro Devices in forming a body
    they called the Trusted Computing Group to adopt security standards.

    Microsoft has also allied with Symantec, Network Associates and other
    software companies in the Organization for Internet Safety (OIS). In
    the next few months, it is expected to release a proposal outlining best
    practices for handling security vulnerabilities.

    A Microsoft spokesman says the company is committed to "responsible disclosure"
    proposals such as those being prepared by the Internet safety group.
    The spokesman says Microsoft's security chiefs believe those backing
    full disclosure represent a tiny minority.

    Scott Blake, an OIS spokesman, says the group will ask that no exploit
    code be released until 30 days after a software vendor has issued a patch.
    That delay, he says, would at least give end-users a fighting chance
    to update their software before malicious hackers develop widespread

    "Vendors and researchers should work together to find a fix before they
    go public with information," Blake said. "The theory is that vulnerability
    information for which there is no fix only helps the bad guys."

    Smith said such efforts are futile.

    "You've got so many little companies and individuals who are looking
    for security holes, you literally have thousands of people who would
    have to agree on this," he said. "I don't see that happening."

    But Counterpane's Schneier insists that full disclosure is still the
    best alternative. "What we've learned during the past eight or so years
    is that full disclosure helps much more than it hurts," he said.

    "Since full disclosure has become the norm, the computer industry has
    transformed itself from a group of companies that ignores security and
    belittles vulnerabilities into one that fixes vulnerabilities as quickly
    as possible."

    Copyright 2003 The Seattle Times Company

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
