Security Basics mailing list archives
Re: Security and EOL issues
From: "Robert Newton" <technews () cfl rr com>
Date: Thu, 19 Jan 2006 11:38:32 -0500
Matthew,

Sorry I have to disagree with you and Jeffrey and align myself with Don on this issue.
Software such as NT 4.0 was designed around hardware constraints as well as software. If memory serves me, the first primary partition for NT4 maxed out at 4GB. OS software resources are designed to reserve RAM and disk space, among other resources, to reflect what current hardware size is available. If too many resources are reserved for possible future enhancements, including patches, the OS is considered bloated and the minimum hardware requirements to run it become too expensive. NT4 was designed around the hardware of 1996. Also remember that NT4 was designed before buffer overflow vulnerabilities became evident.

(There was a security patch a few years ago that could not be applied to NT4 because it required more resources than NT4 could provide. Microsoft's suggestion was to put all NT4 boxes behind firewalls. We had to rewrite our apps to work with Windows 2000, as sitting behind a firewall was not an option.)

Upgrades and discontinued support have been a practice since long before Microsoft and PCs. As IBM and Univac mainframes evolved in hardware and software, families or lines of computers were discontinued. To help convince customers to migrate to new systems and software, the price for support would increase exponentially each year until it became just bad economic sense to stay with the old system. Apple did this as well with the Apple II when they released the Lisa and Mac. The Apple II OS was not compatible with the Mac. Any apps you bought for your Apple II would not be transferable to a Mac. You would have to rebuy them in the Mac version if and when you decided to upgrade to the faster hardware.
Thanks,
Robert M. Newton

----- Original Message -----
From: "Matthew Schiros" <schiros () gmail com>
To: <don () videon-central com>
Cc: "Jeffrey F. Bloss" <jbloss () tampabay rr com>; <security-basics () securityfocus com>
Sent: Monday, January 16, 2006 5:50 PM
Subject: Re: Security and EOL issues

I'd like to inject, for a moment, if I may. I know I'm speaking from my point of view here, but I believe that what I'm about to say is consistent with what Jeffrey and others who have made similar points believe as well.

A belief that a good company, if Microsoft were one, would provide either recalls (in the case of physical products) or updates (in the case of software) to any of their products that suddenly exhibits fatally flawed behavior (in this specific instance, an easily exploitable flaw/intentional backdoor) is NOT the same thing as saying that that company is somehow responsible for the damage that may result as a consequence of that flaw (when dealing with EOL'd product lines). Microsoft is clearly in no way legally, or even ethically, responsible for maintaining EOL'd code, and they are CLEARLY not liable for any damages that a system or network incurs when people are using a version of their software that no patch exists for. That's not my point, and I don't believe that it's anyone else's point.

What _is_ the point is that Microsoft was confronted with a flaw in their software that spanned all versions, and it is slightly irresponsible of them not to fix it in versions of their software that they know to still be in use. Ford doesn't support the Model T because nobody drives a Model T, and because there are a myriad of regulations governing what the automobile industry must do. Thankfully, those regulations don't exist in the software market (very much, in most sectors), so instead of asking Uncle Sam to solve the problem for us, we simply register our consumer dissatisfaction.

Is it equally irresponsible for networks to run outdated software? Yes, of course, more so. However, I can think of a myriad of reasons why you'd stay on legacy software in many environments, with cost being an obvious one, but compatibility being another. Compare that with the cost that it would have taken MS to fix the problem in NT, especially since they apparently took a fairly simple approach to it. It would have been a nice bone from a company that's been fairly anti-consumer since it first flexed its muscle.

I hope this clears up some issues. If I spoke for those who disagree with me, I apologize.

Matt Schiros

On 1/15/06, Donald N Kenepp <don () videon-central com> wrote:
Hi Jeffrey,

Perhaps Steve's analogy does not fit the case perfectly. Analogies usually break down at some point. Your analogy of asbestos also has major faults. Asbestos was bad for us from the beginning. The mistake was hidden for as long as possible. All this legacy software was fine to use until someone else looked as hard as they could to find a problem and then exploited it. Without discovery of the problem, asbestos still would have killed people. Without the malicious coders, older software's security would be just fine.

By your definition, as long as someone is using the manufacturer's product, the manufacturer is liable for that person's usage of their product. This is not actually the case. In new products, we see a product recall, with free replacement or repair. This is essentially one part of service packs. In legacy products, we see them removed from the shelves, often replaced with a better product. You cannot purchase Windows NT 3.11 from Microsoft anymore, just like you cannot purchase a Model T. Ford is no longer responsible for your safety if you choose to still drive a Model T. They aren't responsible for your safety if you choose to drive a car without safety glass, breakaway steering wheels, or seatbelts.

At what point are you willing to say that because Microsoft has removed Windows NT 4.0, Windows 98, and Windows Me from the shelves, because they have declared these products EOL with an extended support grace period, and because they have given warnings about their core security design being outdated by widespread availability of current malicious software technology, that Microsoft is no longer responsible for your insistence on using that legacy product?

Would you expect a security company to still be liable for your home after they have noted their outdated model security system has a security box that is no longer sufficient since a tool has been developed to break in that is now readily available to neighborhood thugs? Should they still be liable when their outdated security system has been removed from the shelves and labeled as EOL for several years? Should they still be liable if their outdated security system has been replaced on the shelf by a new security system for which you can obtain a discount on installation since you are being "forced" to upgrade rather than trying to patch the old system?

Would you expect every car company to develop and offer free OEM upgrade kits to electronic locks and satellite tracking systems for their outdated models with locks and windows susceptible to coat hangers or else be liable for the theft of your car? Should the car companies have to replace your electronic key every time someone builds and distributes a new scanner which breaks their encryption, or should they be responsible for attempting to resolve this issue on new cars and try to stay one step ahead of the bad guys for a little while, lest they lose new buyers?

At what point is it the consumer's fault for insisting on using something outdated, no longer available from the manufacturer, and proven to be easily compromised by advances in the anti-security field? Stop trying to lock your door with the same old hook and loop just so you can complain that the people who sold you your home should ship you a deadbolt for free.

Sincerely,
Donald

-----Original Message-----
From: Jeffrey F. Bloss [mailto:jbloss () tampabay rr com]
Sent: Thursday, January 12, 2006 8:17 PM
To: security-basics () securityfocus com
Subject: Re: Security and EOL issues (was RE: WMF Exploit Patch released)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 10 January 2006 02:41 pm, Steveb () tshore com wrote:
> Hi all,
>
> I must weigh in on this with an analogy. Asking software companies to
> offer free patches to software whose core technologies are considered
> out of date by the mainstream industry is like asking Ford Motor company
> to offer free airbag installations in all 1920 vintage automobiles.

Not really, for a couple of reasons.

If a flaw exists in a piece of software, a "core" technology must exist too. 1920 era vehicles lack the modern electrical systems and physical features that allow air bag installation without extensive modification to the automobile itself. A software patch or bug fix, by definition, is something that only modifies an existing "part". Your analogy would be more like expecting Microsoft to upgrade Notepad so that it was identical to Word.

Installing air bags requires that the automobile manufacturer design, test, and produce the upgrade. As does a software patch. But in the automobile scenario no typical end user is going to be able to order the parts and perform the work themselves. Unlike software patches. There's an entire "implementation" phase of fixing automobiles that simply does not exist in the world of software. In fact, as we just saw first hand, the fix can be manufactured, packaged, and implemented at little or no cost at all. Even by third parties. ;)

> The rest of the capitalist world protects themselves from such
> expectations in the form of limited time warranties. Why should the
> software world be any different?

This too is a flawed analogy. We're not talking about adding features or functionality, or fixing something that wears out through normal use. We're talking about fixing flaws and errors. The capitalist world most definitely does find itself liable for problems in products that are no longer supported. A glaring example would be asbestos.

If a significant number of people still drove 1920's era vehicles, and a major design miscalculation like wheels falling off due to the usage of superballs instead of ball bearings were discovered, it's a pretty safe bet Ford would be "patching" a significant number of their 1920's era automobiles.

Yes, it's a silly example, but the point is that product vendors are accountable for their mistakes long after their advertised warranties expire. If a flaw that impacts the end user's "safety" is discovered, a manufacturer is almost always held accountable and required to make things right. Why should the software world be any different? :)

- --
Hand crafted on January 12, 2006 at 19:35:31 -0500

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDxv90RHqalLqKnCkRAhXCAJ0SjrITxOk1F9QR6hF09EJS0lshMACeMtEP
15QXrab8r5FA4cw/jR9d3rk=
=TpIK
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------
Current thread:
- Re: Security and EOL issues (was RE: WMF Exploit Patch released) jeff (Jan 10)
- <Possible follow-ups>
- RE: Security and EOL issues (was RE: WMF Exploit Patch released) Steveb (Jan 11)
- Re: Security and EOL issues (was RE: WMF Exploit Patch released) Jeffrey F. Bloss (Jan 15)
- RE: Security and EOL issues Donald N Kenepp (Jan 16)
- Re: Security and EOL issues Matthew Schiros (Jan 16)
- RE: Security and EOL issues Donald N Kenepp (Jan 17)
- RE: Security and EOL issues Leif Ericksen (Jan 20)
- RE: Security and EOL issues Donald N Kenepp (Jan 20)
- RE: Security and EOL issues Leif Ericksen (Jan 21)
- Re: Security and EOL issues (was RE: WMF Exploit Patch released) Jeffrey F. Bloss (Jan 15)
- Re: Security and EOL issues Robert Newton (Jan 21)
- Re: Security and EOL issues (was RE: WMF Exploit Patch released) Austin Murkland (Jan 15)
- Re: Security and EOL issues (was RE: WMF Exploit Patch released) Saqib Ali (Jan 20)
- Re: Security and EOL issues (was RE: WMF Exploit Patch released) Micheal Espinola Jr (Jan 23)