Re: A 6% fix from Microsoft Security Bulletin MS03-040 - 828750

From: cquirke (MVP Win9x) (name.goes.here_at_nospam.iafrica.com)
Date: 10/14/03


Date: Tue, 14 Oct 2003 12:56:41 +0200

On Mon, 13 Oct 2003 15:28:17 -0700, "Me2" wrote:
>"cquirke (MVP Win9x)" <name.goes.here@nospam.iafrica.com> wrote in message
>>"Jim Eshelman" <newsgroups@aumha.org> wrote in message

Must... not... reply to never-ending thread... uhh... aargh!

>And I come away with a new way of thinking - because you used the word
> "meme" (rhymes with dream)! Through a 10^100e search I find much to read.

Susan Blackmore (spelling may be off, may break Google) wrote a book
on memes that I found worth reading, coming from the shoulders of
Dawkins I think it was. She postulates that memes rival genes as the
key item driving evolution in sentient organisms... no, I lie, she
doesn't exactly say so, that's *my* conclusion after reading her work
(so if that's going a bridge too far, don't blame Susan B., blame me).

Put it this way:
1) Does anyone remember (the impact of) Karl Marx's *children*?
2) Do genes or memes determine your choice of breeding partner?

Answer to (2) is less obvious than you think, if you reject suitors on
the basis of bad manners, poor dress sense etc.

>Cquirke, thank you, your thoughts are replicating.

Wars have been fought for such ends :-)

>> What would you have told the general end-user in the field -- especially
>> those who were hired for skills other than IT-related skills -- that would
>> have been meaningful and practical without being alarmist.
>[about shutting down Internet browsing for all internal users.]

>our conclusion is this: We will tell all users that we (IT and management)
>screwed up when we trusted Microsoft products - if there is a vulnerability
>that creates an unacceptable risk of security compromise and we need to shut
>down all Internet browsing with IE. Good information security *requires*
>being alarmist at times.

Yes. Sometimes the sky *is* falling!

There are precedents for such appraisals, e.g. the Gartner Group's
advice to not use Outbreak within organizations. We may not place
much weight on that as technical advice, but business often relies on
such sources to digest and "weight" technical detail and then spit out
a business recommendation based on *business* expertise.

In fact, that is the inevitable endpoint if you assert "all 'viruses'
are the user's fault for not practicing 'safe hex' ".

When software automatically executes malware without user consent
(either "by design" e.g. scripts embedded in HTML "messages" or
autorunning macros in "data files" or scripts within cookies - or by
defective coding e.g. holes in SQL, RPC, MSHTML etc.) then the only
blame that can be attributed to the user is for choosing that software.

Otherwise you have to shift blame to the software vendor for imprudent
design or incompetent coding, or at least evaluate who to blame based
on the extent to which what was delivered as "fit to ship" software
diverges from the information used by the user deciding to use it.

>> There has to be a way "under" this to maintain it, else you have a
>> data death-trap on your hands... an elevators-only skyscraper with no
>> windows or fire escape. Be careful what you wish for.

>> Who has the rights to "maintain" the system at that level? The owner,
>> of course. In consumerland, that should be a matter of who has
>> physical access; if you want a virtualized but nearly-as-safe model to
>> facilitate corporate remote admin, pay up for the Pro version.

>> If OTOH this "ownership" is taken out of the hands of the person
>> buying the product... well, maybe it's time to storm the Bastille.

There are three reasons why that danger could manifest:

1) One design that favors corporate consumer needs over private users
2) Ranking corporate IP [*1] protection higher than user ownership
3) Basic incompetence in predicting consequences

[*1] IP = Intellectual Property, not Internet Protocol, here.

I'm going to put aside (3), though "stupidity vs. malice" is always a
question as fundamental as the halting problem or the Turing Test, and
often as difficult to answer. At a general level, I find it hard to
believe that decades-old professional software companies with budgets
to attract fine minds could easily fall into (3).

Problem (1) is already upon us, in that NT was designed for corporate
consumer needs (remote admin, override the user) and is basically
being punted as a "one size fits all" solution for consumers too.

Problem (2) transcends technology and gets into global politics, where
the ball is currently being dropped AFAIK. We (as global citizens and
as countries-that-are-not-USA) may come to regret this as bitterly as
the original Americans might regret selling Manhattan for beads.

On (2), the gauntlet is down - WPA shows MS to be a vandor, i.e. is
prepared to gouge your interests if its code logic "thinks" its own
interests are threatened (even though we pay MS on the basis that they
bring value to serving *our* interests).

This is a *very* dangerous precedent, in legal terms.

For example, I might write a database app that would automatically
eat the user's data after 6 months unless I intervened to turn off the
bomb timer (e.g. so I could protect myself against payment with bad
cheques etc.). Prior to the WPA precedent, the courts would likely be
unsympathetic if this happened to a client who had paid me but then
moved without sending me a forwarding address (so I could not defuse
the data bomb) and my software killed their data.

Accepting WPA tacitly legitimizes these borderline cases of extortion,
and that border is easily crossed (e.g. if I don't defuse the bomb
because you declined my post-sale offer of a maintenance contract).

That precedent plus legislation such as the DMCA raises the stakes on
commercial malware. Prior to these (and as at October 2003), we
assume that while traditional malware should be tackled formally, it
is enough to scan for commercial malware informally (i.e. from within
the "infected" environment) via Spybot, Ad-Aware etc.

Our optimism is based on the belief that commercial software has to at
least pretend to be there by the user's consent, and thus such malware
would not take overtly/unambiguously hostile steps that render it
impossible to "uninstall" from within the OS.

Once you allow DMCA (or is that DCMA) and WPA as guides to acceptable
commercial behaviour, you empower commercial software to take overtly
and unambiguously hostile actions against the user. Not only that,
but you legally prohibit the user from cleaning such malware off
their systems (as this can be construed as "reverse-engineering
copyright protection"). That is a LOT of totalitarian power to
bestow on organisations that are not accountable to the public.

>A thought: Maybe a physical button (non-maskable interrupt) to a separate
>hardware "security computer" within a PC could be entrusted with a users
>data security. A user must physically press the button (or biometrics here)
>to allow access to secured personal data.

Non-access is always preferable to disallowed access. Show me a
"disallowed access" system and I will show you where tomorrow's safety
and security scandals will come from.

Think of it as you would the difference between a pre-ATX power button
and an ATX power button.

An "old fashioned" power switch physically disconnects the mains from
the hardware. Only surges with the raw power to arc across the switch
contacts (or entering via another risk mechanism such as phone or LAN
cables) can pose a threat; when switched off, the user can safely change
hardware, and run-of-the-mill power outages and burps pose no threat.

An ATX "power switch" may look reassuringly "physical", but it merely
signals a request for behaviour that mimics the unpowered state. This
operates at a higher level of abstraction and works only within and
above that layer of abstraction. If anything goes wrong with that
abstraction layer (e.g. unexpected "wake on modem" effects), or if
there are problems beneath that layer, all bets are off.

So a physical switch that merely requests software to disallow various
activities leaves the spot unhit, IMO.

>--------------- ----- ---- --- -- - - -
Never turn your back on an installer program
>--------------- ----- ---- --- -- - - -
