Interesting People mailing list archives
IP: GOVNET redux
From: David Farber <dave () farber net>
Date: Mon, 15 Oct 2001 17:03:48 -0400
From: "Perry E. Metzger" <perry () wasabisystems com>
To: dave () farber net

I've been somewhat amused by the answers to my original message about GOVNET. To redirect, preventing Code Red, Melissa, and other recent outbreaks would not have required verifiably secure systems, multi-level security, or any other such thing. They were caused by obvious architectural mistakes in the way Microsoft systems are built -- horribly misguided decisions with obvious security impact.

For the better part of a decade, people in my part of the security biz made fun of Microsoft and other companies for setting themselves up for this. Microsoft was BEGGING for these things to be done to their users, much like an auto with a giant target painted over a vulnerable part and a "hit here to make the car explode" sign pointing at the target. None of the outbreaks of the last few years were the least bit surprising.

For years, I and people like me said "Why is Microsoft putting arbitrary executable code into document formats? Now the documents can't be considered safe. There is no need for this." People stared at us like we were aliens. Didn't we know we were standing in the way of progress! Why, thanks to being able to embed arbitrary code, you can have your Word document play sounds! The idea that if you wanted your Word document to play sounds you might want to use a multimedia format instead of embedding executable content did not occur to people, it seems.

Now we live in a world where poor benighted virus scanners have to paw through .doc files and .xls files and such, searching for evil programs, but we all know the horrid truth, which is that Godel and Turing taught us that this is just an arms race. No recognizer can find all evil programs. The right solution was not to play the game in the first place, because you can never win it. Other systems happily can do word processing and spreadsheets without incorporating full Turing-equivalent languages, of course.
When we said over and over "you're setting yourself up for horror by embedding executable programs into word processing documents", there was no need to invoke the Orange Book or other security standards. This was obvious stuff. This was the sort of mistake we made fun of as comp sci undergrads. Unfortunately, it wasn't obvious to Microsoft. Did the non-exportability of "secure" OSes drive Microsoft to do this? No. No one forced them to do it.

Take the entire realm of email worms, for example. These do not typically attack Unix users, and not merely because Unix users are a minority. They do not attack Unix users because Unix users typically do not have mail programs that will blindly execute programs sent to them. Microsoft is finally fixing some of this, belatedly, but the mistake was obvious from the start. Did the non-exportability of "secure" OSes drive Microsoft to do this? I don't think so.

Take the area of such Microsoft abominations as the "self-extracting file" -- that is, an arbitrary executable sent as a way of packaging data to avoid needing extraction and viewing software at the remote end. For years, friends of mine would routinely send me "self-extracting files" which need not have been designed that way, videos that came in executables, etc. I would send them back email saying "I won't run that. You realize, of course, that one day someone will mail you a program that will erase your hard drive and YOU WILL RUN IT." They'd make fun of me for being paranoid. Well, now many of them have lost work because their hard drives have vanished into the night, and perhaps they now understand what I meant when I said that they were being trained by Microsoft to be good victims for the day that someone sent them malicious executables.

When Microsoft introduced "Active X", which allowed websites to download arbitrary code into people's machines, it was obviously a horrible idea.
Colleagues of mine quickly put up web sites demonstrating the folly of this, in which you could click a button and have your machine shut down for you and such. They were ignored. (They still are often ignored.)

Microsoft continues to pioneer extraordinarily bad ideas that seriously harm system security. Take the recent IIS worms, for example. As shipped, Microsoft systems typically turn on numerous unneeded services, and many of these services run with far too many privileges. This isn't because Microsoft's systems have no ability to run software with low privilege but because they've ignored making such use easy for so many years that now many of their systems effectively run only with one level of privilege. Want to know why Code Red spread like wildfire? Well, IIS was turned on by all sorts of programs for no good reason, has no security architecture to speak of, and usually runs with privileges. On typical Unix systems, Apache gets run as some user that has no privileges to speak of, to prevent such nonsense from happening.

Why has Microsoft operated like this for so long? I don't know. Their programmers are typically very smart people. Their managers are typically very smart people. My suspicion is, though, that they always have been rewarded for ignoring hazards and increasing functionality in the fastest possible ways. This may also be why Microsoft systems crash so often.

So what's my conclusion? This isn't rocket science, folks. Don't go off blaming regulations, don't go off blaming the marketplace. Don't blame the lack of multi-level secure operating systems, because Microsoft Word and Excel doc formats aren't caused by the lack of multi-level secure operating systems.
A freshman in CS can articulate why it is stupid to incorporate executable code into document formats, or why you don't train users to execute programs coming in off the net, or why you don't want to make it easy for people to unknowingly load arbitrary code when they go to a web site, or why you want to run systems with the minimum privilege, and all that. Don't say none of this is easy, because much of it *is* easy. It is hard to make a network server impossible to break, but it is straightforward to make the consequences of breaking in to it mild. It is not so much harder to create a better document format than to ship Visual Basic code in your documents. It is tempting to allow people to download "Active X Controls" off of web sites, but we should know better than to follow that path.

This is not to say that more complex measures like multi-level secure operating systems have no place. They certainly have a place. However, the problem right now is not a lack of A1 systems on desktops. It is the fact that every time my lawyer sends me a contract to view, I have to worry that it could contain malicious code.

--
Perry E. Metzger    perry () wasabisystems com
--
NetBSD Development, Support & CDs. http://www.wasabisystems.com/
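The point in the message above about Apache running as a user "that has no privileges to speak of", and the broader claim that it is straightforward to make the consequences of a break-in mild, is the least-privilege pattern a root-started daemon follows: do the one thing that needs root (bind a port below 1024), then irreversibly become an unprivileged account before touching any client data. The following is an added example written for this archive page; it is not part of Perry Metzger's post and is not Apache's or Microsoft's code. It assumes a Linux/POSIX system; the target account "nobody" (with a fallback to uid/gid 65534) and the loopback port 80 are illustrative assumptions.

```c
/* Least-privilege daemon start-up: root-only setup (bind a low port), then an
 * irreversible drop to an unprivileged user, with a check that root cannot be
 * regained.  Added example for this page, not code from the original post.
 * Assumes Linux/POSIX; "nobody" as the target account is an assumption. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Irreversibly drop to uid/gid.  Order matters: supplementary groups first,
 * then gid, then uid, because once the uid is gone we may no longer change
 * the groups.  Returns 0 on success, -1 on failure with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root can alter the supplementary group list; a root-started
         * daemon inherits root's groups and must clear them. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    /* setgid()/setuid() (not setegid()/seteuid()) set the real, effective
     * AND saved ids, so no saved root id remains to climb back to. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Confirm the drop took and cannot be undone: neither id is 0 and the kernel
 * refuses an attempt to regain uid 0.  Returns 1 if unprivileged, else 0. */
int verify_unprivileged(void)
{
    if (geteuid() == 0 || getuid() == 0)
        return 0;
    if (setuid(0) == 0)          /* must be impossible after a real drop */
        return 0;
    return errno == EPERM;
}

/* Account to run as; assumption: "nobody", falling back to 65534/65534. */
static void target_ids(uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam("nobody");
    *uid = pw ? pw->pw_uid : (uid_t)65534;
    *gid = pw ? pw->pw_gid : (gid_t)65534;
}

/* Exercise the drop in whatever context we run: as root, drop to "nobody";
 * as an ordinary user, re-assert our own ids (a no-op drop) and confirm that
 * root is still out of reach.  Returns 1 on success, 0 on failure. */
int self_test(void)
{
    uid_t uid; gid_t gid;
    if (geteuid() == 0) {
        target_ids(&uid, &gid);
    } else {
        uid = getuid();
        gid = getgid();
    }
    if (drop_privileges(uid, gid) != 0)
        return 0;
    return verify_unprivileged();
}

int main(void)
{
    /* Root-only step first: bind and listen on the privileged port. */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(80);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 ||
        listen(fd, 16) != 0) {
        perror("bind/listen 127.0.0.1:80 (needs root for a port below 1024)");
        return 1;
    }
    /* Then throw root away before any client byte is parsed. */
    uid_t uid; gid_t gid;
    target_ids(&uid, &gid);
    if (drop_privileges(uid, gid) != 0 || !verify_unprivileged()) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on 127.0.0.1:80 as uid %u; root is gone\n",
           (unsigned)geteuid());
    /* accept() and request handling would follow here, fully unprivileged. */
    close(fd);
    return 0;
}
```

The check in verify_unprivileged() is the part most often skipped: a daemon that calls seteuid() instead of setuid() keeps a saved root id, and an attacker who gains code execution in the request handler simply calls seteuid(0) to get it back. Running the self-test as both root and an ordinary user shows the same invariant holding in either case.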
For archives see: http://lists.elistx.com/archives/interesting-people/