Re: I give up, no more posts to Full-Disclosure and DailyDave about Full Trust and .Net /Java Sandboxes

["Michael Silk" <michaelslists () gmail com>]

i gathered it from your boring, useless, pathetic, flame-war-inspiring
response to dinis' op.

why would i show you 'netiquette' when you didn't show him any?

...

isn't the full-disclosure list fun!

-- Michael


On 4/8/06, nocfed <nocfed () gmail com> wrote:
> > On 4/8/06, nocfed <nocfed () gmail com> wrote:
> > > On 4/6/06, Dinis Cruz <dinis () ddplus net> wrote:
> > > >  First off all, I want to apologize to the Full-Disclosure and DailyDave
> > > > readers for the last couple of posts which I CCed to these lists (the ones
> > > > about Full Trust, managed browsers, verifier issues in Java/.Net and
> > > > Sandboxing)
> > > >
> > > >  I know that cross-posting is not good, and that it is quite inconvenient
> > > > when you happen to subscribe to more than one of the target lists.
> > > >
> > > >  The reason I did it was because I wanted to make sure that several
> > > > companies/groups were exposed to it (and give them a chance to respond). In
> > > > this case I am talking about Microsoft, Sun, Novell, Apple, IBM, Adobe, Open
> > > > Source projects, etc... (basically the major software development houses and
> > > > the ones responsible for most of the software used in the real world).
> > > >
> > > >  >From the big ones, only Novell had an entry to talk about AppArmor which
> > > > is an interesting process level Sandboxing solution.
> > > >
> > > >  But the ones that I was expecting to see in this conversation were
> > > > Microsoft and Sun. We were (and still are) discussing the security
> > > > advantages of Sandboxing (Partial Trust in .Net and Security Manager in
> > > > Java), and given the investment that both companies have made in this field,
> > > > I was expecting to see some core/senior members supporting me (Dinis) in the
> > > > defense of the need to 'create environments that are able to securely
> > > > execute malicious code (i.e. Sandboxes)'.
> > > >
> > > >  But no, not a single world. But then I was not surprised since Microsoft
> > > > has been ignoring my public comments about this issue for the last two
> > > > years.
> > > >
> > > >  This means that either A) they don't care any more about this topic
> > > > (Partial Trust / Security Manager code) or B) they are just playing the good
> > > > old trick to ignore the little guy (which works in environments like today
> > > > when the Media and paying clients don't care (read: don't understand) about
> > > > the issue discussed).
> > > >
> > > >  Option A) is quite realistic since Microsoft (after what happened with
> > > > 'Longhorn managed code failure' and the Vista's reset to Windows 2003 code)
> > > > seems to have moved (or kicked) the '.Net guys' to a conner, and decided to
> > > > put their bets to create an operating system which delivers a trustworthy
> > > > computing environment in the hands of Vista's UAC (User Access Control) and
> > > > Vista's capability to run as non-admin (which is a bad bet in my point of
> > > > view).
> > > >
> > > >  [side note: If the .Net framework is just a nice wrapper on the win32 API
> > > > (see Richard Grimes articles on this subject) with 99% of its code executed
> > > > under a Full Trust environment and never verified, then why the security
> > > > overhead of the current versions of .Net framework? (namely 1.1 and 2.0). If
> > > > CAS and Strong Naming (just to point two examples) don't really deliver any
> > > > real security value (just like 'client side data validation'), then why
> > > > incur the overhead? Maybe we would get a nice performance boost in .Net
> > > > applications if all those security calls were disabled. (Idea: I want to
> > > > apply my 'Rooting the CLR' research into the creation of a patch for the
> > > > .Net Framework which disables all security checks and (hopefully) improves
> > > > the performance of .Net applications (drop me a line if you are interested
> > > > in participating in this new Owasp .Net project))]
> > > >
> > > >  After two years of trying, I GIVE UP of trying to bring Microsoft to this
> > > > discussion.
> > > >
> > > >  Microsoft doesn't care, can't be bothered to participate (or the powers
> > > > that be don't authorize the ones that want to participate), maybe believe
> > > > that the types of attacks will not continue to evolve (i.e. the risk will
> > > > not increase) or maybe is just that inertia that affects large companies
> > > > where nobody is really responsible for anything and the key decision makers
> > > > are so distant from the real world (or believe in their own hype and power
> > > > to manipulate the market) that they don't really understand the implications
> > > > of their decisions.
> > > >
> > > >  I think that my case is a perfect example of why Microsoft has such a bad
> > > > reputation (not just in security), and why the new generation of developers
> > > > (and IT professionals) are moving to Open environments (like Open Source).
> > > >
> > > >  In the medium / long term Microsoft cannot afford to continue to ignore
> > > > little guys like me (which are trying to do the right thing and help
> > > > Microsoft to solve their security problems). They need to show respect and
> > > > (at least) publicly talk about the issues raised.
> > > >
> > > >  Microsoft and Bill Gates like to talk about trust and trustworthiness. Well
> > > > trust is something that is built over time, with respect, dialog and
> > > > transparency. Not by ignoring and pretending that one doesn't exist.
> > > >
> > > >  Maybe Microsoft's problem with me is the fact that i will NOT work for them
> > > > nor sign an NDA (since I know that my independence would disappear the
> > > > moment I signed one), or maybe they think that I am not good and
> > > > knowledgeable enough for them to spend their 'precious time' with.  They are
> > > > wrong in not engaging in this conversation, and in ignoring my public
> > > > requests to talk. I might be more vocal than some of my security consultant
> > > > friends, but I know that most are as frustrated as me in Microsoft's
> > > > attitude to Security.
> > > >
> > > >  Memo to Sun: "Java has the same problem, and you should be worried when
> > > > senior members of your community are very surprised to discover that most
> > > > Java code is executed in -noverify environments"
> > > >
> > > >  What I know is that my conscience is clear. Nobody can accuse me of not
> > > > trying. Over the last two years I made every ethical effort to call
> > > > Microsoft's attention to this problem: I wrote articles, security guides,
> > > > security tools, training courses, presentations, collaborated on .Net Open
> > > > Source projects (like Owasp), and even had two meetings at Microsoft Redmond
> > > > campus with several Key players in Microsoft's security and .Net teams (it
> > > > seems, that all that was left to do, was to bring down a couple ISPs /
> > > > global companies just to prove my point, but since I am ethical and a 'good
> > > > guy', that is something that I will never do).
> > > >
> > > >  >From all this effort, I have very little to show for (except from my
> > > > increased knowledge, several good contracts and some raised awareness to a
> > > > couple thousand professionals which read or saw my materials or used my
> > > > tools).
> > > >
> > > >  My main objectives were to get Microsoft to publicly admit that .Net
> > > > Framework's Full Trust is a big problem and to start the paradigm change to
> > > > a Partially Trusted world.
> > > >
> > > >  Unfortunately I failed.
> > > >
> > > >  .Net 2.0 was launched and nothing changed.
> > > >
> > > >  99% of the applications that exists today and are currently under
> > > > development are designed for Full Trust (or equivalent) environments.
> > > >
> > > >  So, I will wait patiently for the day that Microsoft (and the others)
> > > > decide to join the party. Meanwhile I will continue my discussions on the
> > > > webappsec () securityfocus com, websecurity () webappsec org and
> > > > owasp-dotnet () lists sourceforge net mailing lists, since at
> > > > least there my ideas are debated and challenged by other like minded
> > > > professionals (thanks guys).
> > > >
> > > >  I will no more initiate another discussion of Full-Disclosure and DailyDave
> > > > about Full Trust and .Net /Java Sandboxes because its audience is not
> > > > interested in them and the Microsoft's (and others) subscribers ignore them.
> > > >
> > > >  To wrap things up here are a couple quotes from a senior Microsoft Security
> > > > employee, given to me in his office in Redmond a couple months ago (in Feb
> > > > 2006):
> > > >
> > > >  "...Dinis, what you are saying is important, but at the moment it is not
> > > > one of our main priorities... There are several reasons ... a main one is
> > > > the fact that we tried that with Vista and it didn't work... but probably
> > > > the main one is that we (Microsoft) don't have client pressure to deliver it
> > > >
> > > >  ... basically there is currently no business case to invest in that since
> > > > our (Microsoft) clients are not demanding it...
> > > >
> > > >  ...what needs to happen is that you (Dinis) need to find 5 major
> > > > Microsoft's clients which want this, and then we might do something about it
> > > > ..."
> > > >
> > > >  My response to this last comment was "...look, this is not my problem, this
> > > > is Microsoft's problem since it is Microsoft who is promising to deliver
> > > > 'trustworthy computing environment'. So if Microsoft doesn't want to do it,
> > > > and Microsoft's clients don't put pressure, then there is nothing I can tell
> > > > you (Microsoft) that will change your mind..."
> > > >
> > > >  My conversations with Microsoft's employees tend to always end the same
> > > > way: I ask them to start by acknowledging the current Full Trust problem ,
> > > > and they respond by saying '... we are working very hard ... or ... things
> > > > are better today they they were a couple years ago ...or ... when compared
> > > > with the status of the industry we are not that bad ... or ... we know that
> > > > we need to do better to educate our developers to write partially trusted
> > > > code..'. Basically just words and no actions,
> > > >
> > > >  Sorry for the 'digital noise' of my previous posts.
> > > >
> > > >  Best regards
> > > >
> > > >  Dinis Cruz
> > > >  Owasp .Net Project
> > > >  www.owasp.net
> > >
> > > Congratulations.
> > >
> > > I have yet to understand why anybody would feel that the majority, if
> > > even the minority, of this list could care less if they are here or
> > > gone.  You should be sorry about the 'digital noise' that you are
> > > spewing now; Speculation and partial, out of context, quotes without
> > > an actual source name yet you want people to listen to You.  Think
> > > about it for a while.  You are wanting a Company to just jump at what
> > > YOU want done, right then, without knowing their current projects nor
> > > workload.  I am sure, from the broken information provided, that YOU
> > > are not privy to their practices nor even escalation paths.  I am not
> > > attempting to defend Microsoft, Sun or any of the other players that
> > > you have listed, but Business in general.  The reason they give you
> > > those replies is for liability.  When the little man on the totem pole
> > > gives a direct reply then they are usually held accountable for their
> > > words which could lead to the loss of their position at the company
> > > that they are representing.  Just think about it.  "Thank you for this
> > > information!  We will get this fixed in the next patch release" just
> > > leads to an information leak then some online blogger, or self
> > > righteous 'security expert', cross-posting to 20 lists claiming that
> > > they got something done like The Twit(TM).  We all know that is not
> > > always the case, but many larger companies have dealt with it already
> > > and have placed rules and guidelines for handling such situations.
> > > Many may not believe that is the best way to do it, but yet again it's
> > > not what you want.  In conclusion, let's remember that they got where
> > > they are for a reason as well as you are where you are for a reason.
> On 4/7/06, michaelslists () gmail com <michaelslists () gmail com> wrote:
> > nocfed, are you saying that researchers shouldn't hassle companies
> > with notes about the security of their products, because they might
> > have more important things to be doing then respond to them?
> >
> > what fucking list are you on again?
> >
> > -- Michael
>
> I have no idea where you gathered that from.  If you feel that the
> information needs to be disclosed then do it, but don't expect a
> reply, especially in a public forum.
>
> Show common netiquette if you decide to reply.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/