FW: Why Easy To Use Software Is Putting You At Risk
- From: "Craig Wright" <cwright@xxxxxxxxxxxxx>
- Date: Fri, 24 Feb 2006 10:10:40 +1100
Al,
Strange that you should pick on architecture. We have the fall of a piece of major architecture today which has killed a large number of people. The 2nd by the same person. The twin towers failed due to structural deficiencies more than the planes. Do you wish for me to quote the statistics on architectural failure? They are greater than you may think.
You seem to make the simplification that all code can be written correctly and tested. That no matter how long and complex there is a way of determining the error rate - this is wrong and I shall get to this in the post. I will even help you develop an argument that you may use to dispute me.
The majority of libraries used in development (excluding open source eg Linux) are compiled object code. Are you expecting that the world stop using all code unless they have the source? That all source be checked?
Dijkstra developed the method "correct by construction". He also did extensive work on the mathematical proof of algorithms. Please read the works below.
Kurt Gödel, Alan Turing and Alonzo Church (GTC) did work which resulted in "Computability Theory". They discovered that certain basic problems cannot be solved by computers. Cohen, Hollingworth and Dijkstra all developed this theory further.
Now I stated I would get to error determination. GTC demonstrated in computational theory that it is not possible to create a machine that can determine whether a mathematical statement is true or false. All code and programming is a mathematical statement or algorithm. The determination of the code's function is a mathematical proof (see Cohen and Dijkstra).
As it is not possible for either an automaton or Turing machine to determine the correctness of the programme, it is not possible to determine the effects of code.
Dijkstra started work on formal verification (what you are calling for) in the 1970s. Formal verification was the prevailing opinion at the time. This was that one should first write a program and then provide a mathematical proof of correctness.
"The Cruelty of Really Teaching Computer Science" (Dijkstra, 1988) saw Dijkstra trying to push computable correctness. This missed the need for engineers to compromise on the one hand with the physical world and on the other with cost control.
This is the issue. To move ahead and develop code that people want we cannot complete mathematical software verifications. No machine (at least yet known) can verify code. The term machine refers to the computer science idea of a machine - not a physical item.
To state that all code should be verified would be great for myself. I am a mathematician. Computers cannot verify code (see the theory of computation). This would make my mathematical skills in greater demand and help next time I go for a raise.
I seem to be adding facts to the discussion. Dijkstra, Turing et al are the people who created the foundations of computer science.
Please feel free to add comment on the use of finite state machines, labelled transition systems, Petri nets, timed automata, hybrid automata, process algebra, formal semantics of programming languages such as operational semantics, denotational semantics, Hoare's logic or any other existing method of computational verification.
I have attached a paper of Dijkstra's. This paper could act as a foundation for your argument. Dijkstra argues for formal verification against software engineering. Please feel free to build on the argument - if you manage to come up with something that is verifiably valid not only will you get to have one up on me you may be remembered in years to come in the computer science discipline.
Regards,
Craig
<attachment stripped, see http://www.cs.utexas.edu/users/EWD/ewd10xx/EWD1036.PDF>
Cohen, Fred (1998). "Protection Testing". September 1998. http://www.sdmagazine.com/documents/s=818/sdm9809c/
Cohen, Fred (1997). "Managing Network Security: Penetration Testing?". http://all.net/journal/netsec/1997-08.html
Cohen, Fred (1996). "National Info-Sec Technical Baseline: Intrusion Detection and Response". Lawrence Livermore National Laboratory / Sandia National Laboratories, December 1996.
Cohen, Fred (1992). "Operating System Protection Through Program Evolution". Research for ASP, PO Box 81270, Pittsburgh, PA 15217, USA.
Dijkstra, Edsger W. (1976). A Discipline of Programming. Englewood Cliffs, NJ: Prentice Hall.
Hollingworth, D., S. Glaseman and M. Hopwood (1974). "Security Test and Evaluation Tools: An Approach to Operating System Security Analysis". P-5298, The Rand Corporation, Santa Monica, CA, September 1974.
-----Original Message-----
From: Al Sutton [mailto:asutton@xxxxxxxxxxxxxxxxxx]
Sent: 24 February 2006 8:33
To: Craig Wright; 'dave kleiman'; 'Darren W Miller'
Cc: 'defendingthenet'
Subject: RE: Why Easy To Use Software Is Putting You At Risk
Hi,
I too am very open to being proven wrong, but as a scientist I need solid proof which involves cold hard facts, not statements such as "I can't go into all the details for various reasons".
I've been involved in many development projects, and at the end of the day if a product ships with bugs from a library then it's the developer who is responsible for their choice of libraries. The attitudes Darren describes are typical in Development; the "If it ain't in my code it ain't my problem" is one of the most fundamental problems of current development mentality.
How many architects do you know that would design for the side of a hill without making sure the hill could support their design, or design an extension to a house without ensuring the house was sound? The same is true of code: if you're writing software you need to make sure your libraries support it securely; if not, then you're not doing your job. Developers can add verification code before they send code to libraries, and if they have concerns about a library this is what they should be doing (after all, why rewrite a string copy routine when you just need to check that the length of your copy is less than the length of your destination buffer?).
My view is that the original paper was FUD, intended or not; that's how it appeared, that's how it read, and if it walks like a chicken and clucks like a chicken people are going to call it a chicken.
Al.
-----Original Message-----
From: Craig Wright [mailto:cwright@xxxxxxxxxxxxx]
Sent: 23 February 2006 21:10
To: dave kleiman; Darren W Miller
Cc: Al Sutton; defendingthenet
Subject: RE: Why Easy To Use Software Is Putting You At Risk
Hello,
Dave stated: "Craig.. And be gentle Craig will pick apart opinions and bring back factual information without batting an eye."
True, and I am always open to being proved wrong. The thing is that I have to be PROVED Wrong. Opinion and anecdotal evidence are not proof. Validated points and correctly collected statistical data are.
As much as many people find this difficult to believe (even my wife) I enjoy being proved wrong. It is both a learning opportunity for myself and a demonstration that others are engaging in serious peer review processes outside of academe.
In the past 20 years I have performed close to 5,000 engagements. At the moment I am conducting one of the largest vulnerability and risk assessments ever conducted in Australia in association with the Attorney General's CNVA programme.
The first issue to address is: yes, you found a vulnerability and it was exploitable. What is the risk? The impact, threat vectors and other analysis factors need to be considered. Vulnerabilities do not matter by themselves.
They create a risk potential. When you understand this you will both serve your clients more effectively and also add value in a manner they will understand. You need to sell to management. They understand finance and risk. Vulnerabilities are FUD. They do not help.
As for engineering something not to fail: this is where I have an issue with people who think they are engineers. Engineering is the process of building something to a set specification. An example is giving a 95% Confidence Interval of a 5 year expected life. It involves the analysis and design of hazard functions and survival processes.
Regards,
Craig
PS: this is about as nice as I get unless people actually seek to open their minds and learn.
-----Original Message-----
From: dave kleiman [mailto:dave@xxxxxxxxxxxxxxx]
Sent: 23 February 2006 4:25
To: 'Darren W Miller'
Cc: Craig Wright; 'Al Sutton'; 'defendingthenet'
Subject: RE: Why Easy To Use Software Is Putting You At Risk
Darren,
I am going to explain this to you, since you are new here on this forum, or at least I have only seen one or two of your posts go by recently. I am not the forum moderator, nor do I have any influence over the posts that make the forum.
First, I wanted to give you a friendly heads-up, because you are throwing "articles" out to this forum and they are your opinion.
Secondly, I am a nice guy :), maybe you are taking this personally, but you need to read through the archives, this is what we do here: debate!!
"I don't have the time to keep this discussion (if that is what we are actually having) going for an infinite amount of time" - you posted this to a Security Discussion board, that is what we do here.
Do not get me wrong, you have the right to post almost anything you want pertaining to security, but if you throw your opinion out here, expect to have to defend it, and back it by fact. Because it is going to get torn up by the professionals.
I have seen threads (that is what you started, a thread) go for 20-30 days.
See "Forensic/Cyber Crime Investigator" in the archives, it went from mid-Jan until Feb 15th, and I thought Craig was going to kill me on that one, but that is how this forum goes, you make a statement expect educated well-informed/experienced responses, a lot of them you will not agree with, but will not be able to tap dance away from.
Craig.. And be gentle Craig will pick apart opinions and bring back factual information without batting an eye. He and I have gone toe-to-toe on many a subject on this and other discussion forums.
Darren, I know you are used to posting articles at CastleCops where the home user is the basic audience and nobody is retorting, but when you step into this arena you will see some serious professionals in varying fields and they will not let misinformation slide. You of course do not have to respond to the responses, but expect even heavier discussion when you post and disappear.
By the way if you were to post this at a higher level forum such as pen-test, they would eat your below write-up for breakfast. But since you left it off post, I did the same....however I know Craig loves pen-testing so he may not.
Dave
-----Original Message-----
From: Darren W Miller [mailto:Darren.Miller@xxxxxxxxxxxxx]
Sent: Wednesday, February 22, 2006 20:06
To: Craig Wright; dave kleiman
Cc: Darren W Miller
Subject: RE: Why Easy To Use Software Is Putting You At Risk
Gentlemen,
I don't have the time to keep this discussion (if that is what we are actually having) going for an infinite amount of time. But let me give you a couple of high-level examples of what I am talking about here. The key word is high-level, I can't go into all the details for various reasons.
In the last 3 months I have performed 5 assessments. Phase I of these assessments involved penetration testing of external public facing systems. Out of the 5, we achieved total systems penetration / compromise of 4. All 4 of these systems were web based services. All 4 of these systems were compromised by exploiting "custom" code or modules. During post-assessment meetings the developers (who were independents) were present. When they were shown what modules were used to achieve the compromise every one of them blamed it on other external modules they used (or re-usable code / modules), and that they had no idea these bugs existed. They further explained that some of the source code, at least the ones they had access to, were so extensive and complex that they probably would never have found the bugs. One gentleman even stated that it was not up to him to make sure code developed by others is secure even if he is using that code. That did not go over well in the meeting, trust me.
As far as "engineering something not to fail", I don't even think that is possible at this point in time. Or ever will be. Quite frankly, if someone were to tell me that a particular system, any system, was fail-proof, I'd say that they were off the wall. Let me just include a couple of bullet point items that may fall into this category of "complex systems" and security:
1) Compromise of internal network systems using Citrix as an entry point. End users thought that the Citrix remote desktop profiles were secure because of how they were set up but never realized that flaws in something as simple (or complex) as MS-Word would allow an isolated compromise to lead to additional systems compromise.
2) System A interacts with System B which interacts with System C. End users are aware, to an extent, about the flaws in Systems A & B and their interaction, but not aware of much regarding System C. In fact, they were not even aware there was a System C. That interaction with System C resulted in a security breach. In this case, complex systems interacting with other complex systems, some of which were unknowns, led to security breaches.
3) IT department decides to increase the overall security of authentication methods, so increases complexity rules and other related items such as aging.... However, they have poor auditing measures internally and have no idea that there are 150 user accounts for people who no longer work for the company. Even though authentication measures / procedures have been changed on the system, these particular accounts will not have them applied until the next time they are used. Several of these accounts are compromised because they don't meet even basic complexity rules for passwords. However, the end user thought that the system would take care of this and force all accounts to abide by the same rules immediately. Did not happen.
Here is the bottom line. Either I did a really poor job at trying to get my message across in a high-level way, or I am just being totally misunderstood. I would suggest it's a little of both based on this dialogue.
Note: One final point. I would rather you not make the statement that I am using FUD as a selling tool. The fact is that is not true and is not my intention. If either of you knew me personally you would know that. I would never, and have never, made that kind of assumption without knowing for sure. Quite frankly, I'm not sure I would make that kind of statement about anyone, even if I knew for sure that is what they were all about.
Regards,
Darren W. Miller
-----Original Message-----
From: Craig Wright [mailto:cwright@xxxxxxxxxxxxx]
Sent: Wednesday, February 22, 2006 5:41 PM
To: dave kleiman; security-basics@xxxxxxxxxxxxxxxxx
Cc: Darren W Miller; defendingthenet
Subject: RE: Why Easy To Use Software Is Putting You At Risk
Hello
Here I have to state that I agree 100% and categorically with Dave.
FUD - Fear, Uncertainty and Doubt - is a common tool used by vendors to sell security. It is also one of the greatest threats to security today.
It makes people inured to security in the long run (i.e. cry wolf) and in the short term results in a lot of technical solutions that generally fail to address the issue.
NASA uses hazard and survivability models to determine risk. They do not engineer to not fail - they just reduce the probability of an incident. What needs to be remembered is that a 1 in a million occurrence happens all the time in the real world. Even a 1 in a billion occurrence will happen daily somewhere in the world. Welcome to the world of risk.
So as to the original post, how would complex software make you less risk prone?
Regards,
Craig
-----Original Message-----
From: dave kleiman [mailto:dave@xxxxxxxxxxxxxxx]
Sent: 23 February 2006 2:23
To: security-basics@xxxxxxxxxxxxxxxxx
Cc: Darren.Miller@xxxxxxxxxxxxxxxxxxx; 'defendingthenet'
Subject: RE: Why Easy To Use Software Is Putting You At Risk
Inline....
-----Original Message-----
From: defendingthenet [mailto:mlapidus@xxxxxxxx]
Sent: 20 February 2006 14:35
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Why Easy To Use Software Is Putting You At Risk
Title
-----
Why Easy To Use Software Is Putting You At Risk
Can Easy To Use Software Also Be Secure
----------------------------
Anyone who has been working with computers for a long time will have noticed that mainstream operating systems and applications have become easier to use over the years (supposedly). Tasks that used to be complex procedures and required an experienced professional to do can now be done at the push of a button. For instance, setting up an Active Directory domain in Windows 2000 or higher can now be done by a wizard, leading even the most novice technical person to believe they can "securely" set up the operating environment.
Where does it claim that it is "securely" setting up AD in the wizard?
This is actually quite far from the truth. Half the time this procedure fails because DNS does not configure properly or security permissions are relaxed because the end user cannot perform a specific function.
Sounds like you have had this problem a few times, maybe you should not use the wizard, or attempt AD setups. Do you understand how to "securely" set up AD? From your comments here, I would say no. Instead of using the "sky is falling routine" suggest how to do these things securely instead of saying "look how terrible this is".
If It's Easy To Develop, Is It Also Secure
--------------------------------------------------
One of the reasons why operating systems and applications "appear" to be easier to work with than they used to is developers have created procedures and reusable objects to take care of all the complex tasks for you.
Are you referring to shared code? In case you do not know what that is, it is code that is shared by apps for the same routines.
For instance, back in the old days when I started as a developer using assembly language and C/C++, I had to write pretty much all the code myself.
Are you suggesting your code was more secure back in the "old" days, when security was not a concern in coding?
Now everything is visually driven, with millions of lines of code already written for you. All you have to do is create the framework for your application and the development environment and compiler adds all the other complex stuff for you. Who wrote this other code? How can you be sure it is secure? Basically, you have no idea and there is no easy way to answer this question.
Secure Environments Don't Exist Well With Complexity
----------------------------
The reality is it may look easier on the surface but the complexity of the backend software can be incredible. And guess what, secure environments do not coexist well with complexity. This is one of the reasons there are so many opportunities for hackers, viruses, and malware to attack your computers. How many bugs are in the Microsoft Operating System? I can almost guarantee that no one really knows for sure, not even Microsoft developers. However, I can tell you that there are thousands, if not hundreds of thousands of bugs, holes, and security weaknesses in mainstream systems and applications just waiting to be uncovered and maliciously exploited.
How Reliable and Secure are Complex Systems?
----------------------------------------------------------
Let's draw a comparison between the world of software and security with that of the space program. Scientists at NASA have known for years that the space shuttle is one of the most complex systems in the world. With miles of wiring, incredible mechanical functions, millions of lines of operating system and application code, and failsafe systems to protect failsafe systems, and even more failsafe systems to protect other systems. Systems like the space shuttle need to perform consistently, cost effectively, and have high Mean-Time-Between-Failure (MTBF).
*All in all the space shuttle has a good record.*
One thing it is not though is cost effective and consistent. Every time there is a launch different issues crop up that cause delays. In a few circumstances, even the most basic components of this complex system, like "O" rings, have sadly resulted in a fatal outcome. Why are things like this missed? Are they just not on the radar screen because all the other complexities of the system demand so much attention? There are a million different variables I'm sure. The fact is, NASA scientists know they need to work on developing less complex systems to achieve their objectives.
Ok now you have stepped out of bounds, first of all I love NASA and have the utmost respect for them and all the astronauts who have braved the frontier.
However, the record of the shuttle is 110+ scrubbed launches. That is more than the number of launches. You can do the math for the rest, but it does not add up to a good record, you might have to use one of those "complex systems" though to run calc.
So you're saying a more simplistic system would create a better record, maybe they should try to fly the Kitty Hawk to the moon.
I am just going to stop here and say Hogwash.
My advice to you is stop selling fear and your opinion, and start selling solutions to problems. Next time tell us how to fix your proposed problems.
Respectfully,
______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE
www.SecurityBreachResponse.com
This same principle of reducing complexity to increase security, performance, and decrease failures really does apply to the world of computers and networking. Every time I hear associates of mine talk about incredibly complex systems they design for clients and how hard they were to implement I cringe. How in the world are people supposed to cost effectively and reliably manage such things? In some cases it's almost impossible. Just ask any organization how many versions or different brands of intrusion detection systems they have been through. Ask them how many times they have had infections by virus and malware because of poorly developed software or applications. Or, if they have ever had a breach in security because the developer of a specific system was driven by ease of use and inadvertently put in place a piece of helpful code that was also helpful to a hacker.
Can I Write A Document Without A Potential Security Problem Please
-----------------------------------------------
Just a few days ago I was thinking about something as simple as Microsoft Word. I use MS-Word all the time, every day in fact. Do you know how powerful this application really is? Microsoft Word can do all kinds of complex tasks like math, algorithms, graphing, trend analysis, crazy font and graphic effects, link to external data including databases, and execute web based functions.
Do you know what I use it for? To write documents. Nothing crazy or complex, at least most of the time. Wouldn't it be interesting if, when you first installed or configured Microsoft Word, there was an option for installing only a bare bones version of the core product. I mean, really stripped down so there was not much to it. You can do this to a degree, but all the shared application components are still there. Almost every computer I have compromised during security assessments has had MS-Word installed on it. I can't tell you how many times I have used this application's ability to do all kinds of complex tasks to compromise the system and other systems further. We'll leave the details of this for another article though.
Conclusion
----------
Here's the bottom line. The more complex systems get, typically in the name of ease of use for end users, the more the opportunity for failure, compromise, and infection increases. There are ways of making things easy to use, perform well, and provide a wide variety of function and still decrease complexity and maintain security. It just takes a little longer to develop and more thought about security. You might think that a large part of the blame for complex insecure software should fall on the shoulders of the developers. But the reality is it is us, the end users and consumers, that are partially to blame. We want software that is bigger, faster, can do just about everything, and we want it fast. We don't have time to wait for it to be developed in a secure manner, do we?
You may reprint or publish this article free of charge as long as the bylines are included.
Original URL (The Web version of the article)
------------
http://www.defendingthenet.com/NewsLetters/WhyEasyToUseSoftwareIsPuttingYouAtRisk.htm
About The Author
----------------
Darren Miller is an Information Security Consultant with over seventeen years experience. He has written many technology & security articles, some of which have been published in nationally circulated magazines & periodicals. If you would like to contact Darren you can e-mail him at Darren.Miller@xxxxxxxxxxxxxxxxxxxx. If you would like to know more about computer security please visit us at http://www.defendingthenet.com.
Liability limited by a scheme approved under Professional
Standards Legislation in respect of matters arising within
those States and Territories of Australia where such
legislation exists.
DISCLAIMER
The information contained in this email and any
attachments is confidential. If you are not the intended
recipient, you must not use or disclose the information.
If you have received this email in error, please inform us
promptly by reply email or by telephoning +61 2 9286 5555.
Please delete the email and destroy any printed copy.
Any views expressed in this message are those of the
individual sender. You may not rely on this message as
advice unless it has been electronically signed by a
Partner of BDO or it is subsequently confirmed by letter
or fax signed by a Partner of BDO.
BDO accepts no liability for any damage caused by this
email or its attachments due to viruses, interference,
interception, corruption or unauthorised access.