Latest Microsoft attack on open source: open source is a WEAPON!

Post by Anonymou » Fri, 19 Oct 2001 11:20:22



Latest Microsoft attack on open source: open source is a WEAPON!

"Microsoft to hackers: Don't publish code"

http://news.cnet.com/news/0-1003-200-7560391.html?tag=mn_hd


 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by Doug. » Fri, 19 Oct 2001 16:05:32



> Latest Microsoft attack on open source: open source is a WEAPON!

> "Microsoft to hackers: Don't publish code"

> http://news.cnet.com/news/0-1003-200-7560391.html?tag=mn_hd


What the hell are the people at Micro$oft smoking !?! It seems this is yet
another poor attempt at damage control for all the bugs and security holes
that people discover in their software. I guess if you can't clean up your
code then you should blame the guy who found the bug/security loophole for
you !?!

 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by gree » Fri, 19 Oct 2001 16:14:12



Quote:> Latest Microsoft attack on open source: open source is a WEAPON!

> "Microsoft to hackers: Don't publish code"

Noooooooooooo! Stop those terrorists posting all that working code on the
internet or they will destroy the world economy (MS).

;)

Quote:

> http://news.cnet.com/news/0-1003-200-7560391.html?tag=mn_hd


 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by Erik Funkenbusc » Fri, 19 Oct 2001 16:23:50



> What the hell are the people at Micro$oft smoking !?! It seems this is yet
> another poor attempt at damage control for all the bugs and security holes
> that people discover in their software. I guess if you can't clean up your
> code then you should blame the guy who found the bug/security loophole for
> you !?!

MS admits that security needs to get better.  But likewise, they are also
acknowledging that even patched vulnerabilities are still a problem on
unpatched systems if exploit code is posted (sometimes years after the
patch).

Many believe the pain of exploiting unpatched systems is worth forcing
the users to patch them.  Others do not.  Few security companies seem to
find any value in creating exploit code for Linux based vulnerabilities, and
surprisingly there have been few cases of mass exploitation of those
vulnerabilities.

However, in the case of Ramen, the one major worm that affected Linux,
exploit code had been published prior to its creation.  Coincidence?

This isn't a new argument.  Many experts have been arguing both sides of
this for years.

 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by kosh » Fri, 19 Oct 2001 21:19:40



> However, in the case of Ramen, the one major worm that affected Linux,
> exploit code had been published prior to its creation.  Coincidence?

You have a pretty strange view of major. It affected only one dist and
missed the vast majority of that dist that it could infect. Out of a
hundred or so Red Hat boxes at the uni that were vulnerable maybe 2 or 3
actually got it. Most of the other boxes had already been patched or were
not vulnerable in the first place. Your idea of a major worm is one that
basically did no damage?

Just about every IIS exploit found does a lot more damage than Ramen ever
did but you keep waving that stupid flag. Also remember Apache outnumbers
IIS overall about 2:1 however IIS is the one that is doing the damage to
the internet so don't try that bullshit market share argument either. The
windows product is more insecure by default and when it is compromised it
does more damage than any other bug ever has. CodeRed did more actual
damage than the Morris worm did during the early days of the internet.

Go back to Bill and tell him you don't deserve your paycheck for trolling
this week. This argument is really getting boring.

 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by Bob Hau » Sat, 20 Oct 2001 00:42:04



>MS admits that security needs to get better.  But likewise, they are also
>acknowledging that even patched vulnerabilities are still a problem on
>unpatched systems if exploit code is posted (sometimes years after the
>patch).

This mode of "thinking" assumes that the exploits do not get written by
the bad guys unless there is example code published where regular people
can see it.  That is false.

Plenty of example code already gets published where only the kiddies see
it.  Having legitimate security outlets stop publishing exploits won't
make any difference in the number of victims, just in their ability to
find out what happened.  It might make corporations happy because it will
help them hide their problems, but users will still get hacked.

This has been hashed to death already within the security community.  The
fact that MS is making such statements only demonstrates how far behind
the curve they really are.

Quote:>Many believe the pain of exploiting unpatched systems is worth forcing
>the users to patch them.  Others do not.  

The clear majority of security professionals favor disclosure.  It is
mostly corporations trying to protect their image that favor
non-disclosure.  And image protection is all you'd gain by non-disclosure.  
The kiddies would still be busily exploiting systems just the same.

Quote:>Few security companies seem to find any value in creating exploit code
>for Linux based vulnerabilities, and surprisingly there have been few
>cases of mass exploitation of those vulnerabilities.

That's false too.  Linux exploits are published frequently.  There have
not been mass exploitations of them for varied reasons, but not having
example code is not one of those reasons.

Quote:>However, in the case of Ramen, the one major worm that affected Linux,
>exploit code had been published prior to its creation.  Coincidence?

Yes.  Other exploits have been published.

--
 -| Bob Hauck
 -| To Whom You Are Speaking
 -| http://www.haucks.org/

 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by Craig Kelle » Sat, 20 Oct 2001 02:28:12




> > What the hell are the people at Micro$oft smoking !?! It seems this is yet
> > another poor attempt at damage control for all the bugs and security holes
> > that people discover in their software. I guess if you can't clean up your
> > code then you should blame the guy who found the bug/security loophole for
> > you !?!

> MS admits that security needs to get better.  But likewise, they are also
> acknowledging that even patched vulnerabilities are still a problem on
> unpatched systems if exploit code is posted (sometimes years after the
> patch).

> Many believe the pain of exploiting unpatched systems is worth forcing
> the users to patch them.  Others do not.  Few security companies seem to
> find any value in creating exploit code for Linux based vulnerabilities, and
> surprisingly there have been few cases of mass exploitation of those
> vulnerabilities.

> However, in the case of Ramen, the one major worm that affected Linux,
> exploit code had been published prior to its creation.  Coincidence?

> This isn't a new argument.  Many experts have been arguing both sides of
> this for years.

But you must admit that the next logical step in that thought process
is to outlaw open source operating systems, compilers and all
development tools.  I mean, if people didn't know how ia32 assembly
functioned or didn't understand C++ then they wouldn't be able to
write viruses either...

It's a stupid windmill to chase, but I suppose Microsoft can mount up
to attack it if they think it'll distract the public from pointing
their fingers at them.

--
It is financially more expensive to go to prison than to attend Harvard.


 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by Erik Funkenbusc » Sat, 20 Oct 2001 03:45:51




> > However, in the case of Ramen, the one major worm that affected Linux,
> > exploit code had been published prior to its creation.  Coincidence?

> You have a pretty strange view of major. It affected only one dist and
> missed the vast majority of that dist that it could infect. Out of a
> hundred or so Red Hat boxes at the uni that were vulnerable maybe 2 or 3
> actually got it. Most of the other boxes had already been patched or were
> not vulnerable in the first place. Your idea of a major worm is one that
> basically did no damage?

The linux two-step in action.  Find any stupid reason to discredit the
argument, then you don't have to address the point.

Regardless of whether you call it major or not, the fact remains that Ramen
was the most widespread of Linux worms.  At one point, I did a search of
Google for the Ramen content and found cached pages for many hundreds of
different servers displaying the Ramen page.

The Ramen worm was the direct result of the exploit code being published.
If the authors had wanted to, they could have made it much more virulent
than it was, by attacking more than it did and in different ways.

Quote:> Just about every IIS exploit found does a lot more damage than Ramen ever
> did but you keep waving that stupid flag. Also remember Apache outnumbers
> IIS overall about 2:1 however IIS is the one that is doing the damage to
> the internet so don't try that bullshit market share argument either. The
> windows product is more insecure by default and when it is compromised it
> does more damage than any other bug ever has. CodeRed did more actual
> damage than the Morris worm did during the early days of the internet.

No, Apache does *NOT* outnumber IIS.  As has been proven by Netcraft, there
are more physical servers running IIS (or a variant) than all others
combined.  For this sort of attack, it doesn't matter how many virtual hosts
you have... physical servers are what do the damage.

Quote:> Go back to Bill and tell him you don't deserve your paycheck for trolling
> this week. This argument is really getting boring.

Why don't you address the point rather than flailing around?
 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by Erik Funkenbusc » Sat, 20 Oct 2001 03:51:49





> >MS admits that security needs to get better.  But likewise, they are also
> >acknowledging that even patched vulnerabilities are still a problem on
> >unpatched systems if exploit code is posted (sometimes years after the
> >patch).

> This mode of "thinking" assumes that the exploits do not get written by
> the bad guys unless there is example code published where regular people
> can see it.  That is false.

No, it does not assume that.  Nobody is saying not publishing exploit code
will stop these things, but if it even stops *ONE* from being developed, is
it not worth it?

Quote:> Plenty of example code already gets published where only the kiddies see
> it.  Having legitimate security outlets stop publishing exploits won't
> make any difference in the number of victims, just in their ability to
> find out what happened.  It might make corporations happy because it will
> help them hide their problems, but users will still get hacked.

If only the kiddies see it, then others can see it too.  Script kiddies
aren't known for their secrecy or skill at hiding things, they just run
pre-canned stuff.

Quote:> This has been hashed to death already within the security community.  The
> fact that MS is making such statements only demonstrates how far behind
> the curve they really are.

More than MS has this position.  There are lots of experts that agree that
posting exploit code is dangerous, regardless of whether there are patches
or not.

Quote:> >Many believe the pain of exploiting unpatched systems is worth forcing
> >the users to patch them.  Others do not.

> The clear majority of security professionals favor disclosure.  It is
> mostly corporations trying to protect their image that favor
> non-disclosure.  And image protection is all you'd gain by non-disclosure.
> The kiddies would still be busily exploiting systems just the same.

Disclosure only works for security people that keep up to date on security.
It harms people who aren't.  They're not advocating not telling anyone.
They're advocating publishing the right amount of information to inform, but
not provide ready-made examples of how to use it.

Further, there is nothing wrong with disclosing exploit code to the
maintainers, if done so privately.

Quote:> >Few security companies seem to find any value in creating exploit code
> >for Linux based vulnerabilities, and surprisingly there have been few
> >cases of mass exploitation of those vulnerabilities.

> That's false too.  Linux exploits are published frequently.  There have
> not been mass exploitations of them for varied reasons, but not having
> example code is not one of those reasons.

Linux vulnerabilities are listed frequently, but not exploit code very
often.  Tell me, where's the exploit code for any of the vulnerabilities
published in the last 2 months.  3 Months?  6 Months?

Quote:> >However, in the case of Ramen, the one major worm that affected Linux,
> >exploit code had been published prior to its creation.  Coincidence?

> Yes.  Other exploits have been published.

Do you think Ramen would have occurred without the exploit code?
 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by Erik Funkenbusc » Sat, 20 Oct 2001 03:52:43





> > > What the hell are the people at Micro$oft smoking !?! It seems this is yet
> > > another poor attempt at damage control for all the bugs and security holes
> > > that people discover in their software. I guess if you can't clean up your
> > > code then you should blame the guy who found the bug/security loophole for
> > > you !?!

> > MS admits that security needs to get better.  But likewise, they are also
> > acknowledging that even patched vulnerabilities are still a problem on
> > unpatched systems if exploit code is posted (sometimes years after the
> > patch).

> > Many believe the pain of exploiting unpatched systems is worth forcing
> > the users to patch them.  Others do not.  Few security companies seem to
> > find any value in creating exploit code for Linux based vulnerabilities, and
> > surprisingly there have been few cases of mass exploitation of those
> > vulnerabilities.

> > However, in the case of Ramen, the one major worm that affected Linux,
> > exploit code had been published prior to its creation.  Coincidence?

> > This isn't a new argument.  Many experts have been arguing both sides of
> > this for years.

> But you must admit that the next logical step in that thought process
> is to outlaw open source operating systems, compilers and all
> development tools.  I mean, if people didn't know how ia32 assembly
> functioned or didn't understand C++ then they wouldn't be able to
> write viruses either...

No, you're full of it.  That's a strawman to the highest degree.
 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by Larry Ros » Sat, 20 Oct 2001 03:56:14




Quote:>No, Apache does *NOT* outnumber IIS.  As has been proven by Netcraft,
>there are more physical servers running IIS (or a variant) than all
>others combined.  For this sort of attack, it doesn't matter how many
>virtual hosts you have... physical servers are what do the damage.

According to Computerworld it does.

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO64735,00.html

Quote:>> Go back to Bill and tell him you don't deserve your paycheck for
>> trolling this week. This argument is really getting boring.

>Why don't you address the point rather than flailing around?

--
Larry Rosen
System & Network Administrator
Senior Technical Staff Member
AT&T Network Services - LOCAL NTWK ENGR & OPNS

          /^>
     ____/  \____
    /            \
   / / /      \ \ \
  /\/\/\/\  /\/\/\/\
         /  \

 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by Terry Port » Sat, 20 Oct 2001 05:21:06


On Thu, 18 Oct 2001 13:45:51 -0500, Erik Funkenbusch dashed off:

Quote:>> Just about every IIS exploit found does a lot more damage than Ramen ever
>> did but you keep waving that stupid flag. Also remember Apache outnumbers
>> IIS overall about 2:1 however IIS is the one that is doing the damage to
>> the internet so don't try that bullshit market share argument either. The
>> windows product is more insecure by default and when it is compromised it
>> does more damage than any other bug ever has. CodeRed did more actual
>> damage than the Morris worm did during the early days of the internet.

>No, Apache does *NOT* outnumber IIS.

If IIS outnumbers Apache, it's probably due to all the IIS servers installed
without anyone's knowledge, and doing absolutely nothing except waiting
to be wormed.

At least Apache servers get installed by intent.

Quote:>  As has been proven by Netcraft, there
>are more physical servers running IIS (or a variant) than all others
>combined.

Considering the large numbers of IIS servers that no one knows anything
about or maintains, this is not surprising.

--
Kind Regards from Terry
My Desktop is powered by GNU/Linux.  
Free Micro Burner http://w3w.arafuraconnect.com.au/~tp/burn.html          
** Registration Number: 103931,  http://counter.li.org **

 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by Bob Hau » Sat, 20 Oct 2001 05:42:20





>> This mode of "thinking" assumes that the exploits do not get written by
>> the bad guys unless there is example code published where regular people
>> can see it.  That is false.

>No, it does not assume that.  Nobody is saying not publishing exploit code
>will stop these things, but if it even stops *ONE* from being developed, is
>it not worth it?

No, it is not worth it.  For one thing, not publishing will not stop even
*ONE* exploit being developed.  For another, publishing exploits provides
a way of knowing for sure if you are vulnerable.  There are lots of other
reasons why on balance the consensus is for publishing.  You and Microsoft
are the minority opinion on this.

Quote:>> Plenty of example code already gets published where only the kiddies see
>> it.  Having legitimate security outlets stop publishing exploits won't
>> make any difference in the number of victims, just in their ability to
>> find out what happened.  It might make corporations happy because it will
>> help them hide their problems, but users will still get hacked.

>If only the kiddies see it, then others can see it too.  Script kiddies
>aren't known for their secrecy or skill at hiding things, they just run
>pre-canned stuff.

So how is your program going to prevent one smart kiddie from writing
his exploit and giving it to his thousand friends?  That's the way it
works now, the only difference being that some of them get published for
the white hats to review.

Quote:>More than MS has this position.  There are lots of experts that agree that
>posting exploit code is dangerous, regardless of whether there are patches
>or not.

For every one you name I will name two with the opposite view.  MS is in
the minority on this.

Quote:>disclosure only works for security people that keep up to date on security.
>It harms people who aren't.  They're not advocating not telling anyone.

Now you're making stuff up without thinking it through.  People who don't
keep up to date on security aren't affected one way or the other by
disclosure.  They're screwed either way because not everyone will buy into
your program of non-disclosure.  In particular, the crackers won't.  They
will continue on as they are now, only we won't know what they are up to
until we get hacked.

Quote:>They're advocating publishing the right amount of information to inform, but
>not provide ready made examples of how to use it.

Who gets to decide?  What do you do about people who simply don't go along
with the program?  Put 'em in jail?

Quote:>Linux vulnerabilities are listed frequently, but not exploit code very
>often.  Tell me, where's the exploit code for any of the vulnerabilities
>published in the last 2 months.  3 Months?  6 Months?

The above statement just is not true.  In fact, not an hour ago someone
posted an exploit in Bugtraq for a local DoS and for a kernel strace bug.  
Of course, neither of these is directly exploitable from the network, which
is one of the *real* reasons that Linux vulnerabilities aren't more widely
exploited.

Quote:>Do you think Ramen would have occurred without the exploit code?

Yes.  I am 100% sure that it would have.  Just knowledge that there was a
vulnerability was enough for someone, somewhere, to write an exploit.
Keeping the rest of us in the dark wouldn't have stopped that.

--
 -| Bob Hauck
 -| To Whom You Are Speaking
 -| http://www.haucks.org/

 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by [H]ome » Sat, 20 Oct 2001 08:53:29





> > What the hell are the people at Micro$oft smoking !?! It seems this is yet
> > another poor attempt at damage control for all the bugs and security holes
> > that people discover in their software. I guess if you can't clean up your
> > code then you should blame the guy who found the bug/security loophole for
> > you !?!

Exactly.
M$ are just spewing their usual selfish, arrogant propaganda in order to
pass the buck.

Refusing to admit liability for failures in one's own product, should be a
* offence.

Following their logic then, as an analogy - companies should not be allowed
to advertise their prices, because it encourages other companies to undercut
them. Or how about - road safety organisations should not be allowed to
publish car safety records, because it exposes weaknesses in certain car
designs, etc.

Of *course* M$ are going to react that way, that's how all self-serving,
monopolistic fascists react.

For the benefit of any M$ advocate reading this (the poor folk need all the
help they can get) let me spell it out for you. Security vulnerabilities are
discovered and taken advantage of regardless of whether or not those
vulnerabilities are publicly exposed. It isn't until they *are* publicly
exposed that those security holes become a high enough priority for
ill-motivated companies like M$ to plug them.

With OpenSource and GPL software there is no "market position" or financial
considerations to worry about, therefore "working code" is the highest
priority. Also because of the nature of OpenSource, an infinite number of
developers are testing for security loopholes (amongst other things) in an
*open* environment. It is this kind of environment that M$ is cruising.
Having thousands of people bashing away at their systems looking for
vulnerabilities - is too much like the OpenSource model for their taste,
they don't want anyone touching their code except in the capacity of a
"point and drool user" who, presumably, is more than happy to have his
system destroyed by viruses, and have Trojans broadcasting his credit card
details to the Russian mafia. If you want to develop, pay M$ thousands of
dollar$ for the privilege - then be prepared to submit to their iron will
and draconian policies, if not ... get out. Screwing up is one thing,
complaining that someone noticed it and then exposed it - is another. That's
just criminal. Well who are we to argue with the DOJ :)

Quote:

> MS admits that security needs to get better.  But likewise, they are also
> acknowledging that even patched vulnerabilities are still a problem on
> unpatched systems if exploit code is posted (sometimes years after the
> patch).

In other words, they know there's a problem, they just can't be bothered
fixing it. To reiterate the point again, just because nobody exposes the
weakness, it does not mean the weakness doesn't exist. Are you suggesting we
should all behave like ostriches, and just stick our heads in the sand?
Security problems need to be *fixed*, not ignored.

Quote:> Many believe the pain of exploiting unpatched systems is worth forcing
> the users to patch them.  Others do not. ...

Why?
What possible reason could there be for *not* exposing (and subsequently
fixing) a security problem?

Quote:> However, in the case of Ramen, the one major worm that affected Linux,
> exploit code had been published prior to its creation.  Coincidence?

Er ... no. I would describe that as a "development cycle". A little harsh
perhaps, forced - definitely, but none the less ... a development cycle.

Quote:> This isn't a new argument.  Many experts have been arguing both sides of
> this for years.

Presumably with the money-grabbing financiers on one side of the argument,
and the actual software engineers on the other?

I have M$ Windows running here now. If I'm such an opponent of M$, why would
I infect my system with one of their viru... ahem ... Operating Systems?
Three reasons:

1) ... As Michael Corleone would say - keep your friends close, but keep
your enemies closer
2) ... I can't very well argue about something of which I have no
experience.
3) ... I'm a Pseudo Sado-*, who enjoys reverse engineering lamers'
code to expose its weaknesses ... probably.

[H]omer


 
 
 

Latest Microsoft attack on open source: open source is a WEAPON!

Post by GreyClou » Sat, 20 Oct 2001 09:05:39






> > > However, in the case of Ramen, the one major worm that affected Linux,
> > > exploit code had been published prior to its creation.  Coincidence?

> > You have a pretty strange view of major. It affected only one dist and
> > missed the vast majority of that dist that it could infect. Out of a
> > hundred or so Red Hat boxes at the uni that were vulnerable maybe 2 or 3
> > actually got it. Most of the other boxes had already been patched or were
> > not vulnerable in the first place. Your idea of a major worm is one that
> > basically did no damage?

> The linux two-step in action.  Find any stupid reason to discredit the
> argument, then you don't have to address the point.

> Regardless of whether you call it major or not, the fact remains that Ramen
> was the most widespread of Linux worms.  At one point, I did a search of
> Google for the Ramen content and found cached pages for many hundreds of
> different servers displaying the Ramen page.

> The Ramen worm was the direct result of the exploit code being published.
> If the authors had wanted to, they could have made it much more virulent
> than it was, by attacking more than it did and in different ways.

> > Just about every IIS exploit found does a lot more damage than Ramen ever
> > did but you keep waving that stupid flag. Also remember Apache outnumbers
> > IIS overall about 2:1 however IIS is the one that is doing the damage to
> > the internet so don't try that bullshit market share argument either. The
> > windows product is more insecure by default and when it is compromised it
> > does more damage than any other bug ever has. CodeRed did more actual
> > damage than the Morris worm did during the early days of the internet.

> No, Apache does *NOT* outnumber IIS.  As has been proven by Netcraft, there
> are more physical servers running IIS (or a variant) than all others
> combined.  For this sort of attack, it doesn't matter how many virtual hosts
> you have... physical servers are what do the damage.

> > Go back to Bill and tell him you don't deserve your paycheck for trolling
> > this week. This argument is really getting boring.

> Why don't you address the point rather than flailing around?

I'm beginning to think that the Netcraft numbers are just that... raw
numbers.  This leads to another area... effectiveness at handling many
jobs of serving at once.  From what I've understood in comp.os.vms, is that
it takes about 4 or more IIS servers to do the job of one good Alpha
server, and of course is more secure than IIS.  So I believe that if we
do a divide-by-four of the IIS servers you'd get a more realistic view
of what the numbers really mean.