Full Disclosure mailing list archives
Re: I give up, no more posts to Full-Disclosure and DailyDave about Full Trust and .Net /Java Sandboxes
From: "Michael Silk" <michaelslists () gmail com>
Date: Sat, 8 Apr 2006 13:37:06 +1000
i gathered it from your boring, useless, pathetic, flame-war-inspiring response to dinis' op. why would i show you 'netiquette' when you didn't show him any? ... isn't the full-disclosure list fun!

-- Michael

On 4/8/06, nocfed <nocfed () gmail com> wrote:

On 4/6/06, Dinis Cruz <dinis () ddplus net> wrote:

First of all, I want to apologize to the Full-Disclosure and DailyDave readers for the last couple of posts which I CCed to these lists (the ones about Full Trust, managed browsers, verifier issues in Java/.Net and Sandboxing). I know that cross-posting is not good, and that it is quite inconvenient when you happen to subscribe to more than one of the target lists. The reason I did it was because I wanted to make sure that several companies/groups were exposed to it (and give them a chance to respond). In this case I am talking about Microsoft, Sun, Novell, Apple, IBM, Adobe, Open Source projects, etc... (basically the major software development houses and the ones responsible for most of the software used in the real world).

From the big ones, only Novell had an entry to talk about AppArmor, which is an interesting process level Sandboxing solution. But the ones that I was expecting to see in this conversation were Microsoft and Sun. We were (and still are) discussing the security advantages of Sandboxing (Partial Trust in .Net and Security Manager in Java), and given the investment that both companies have made in this field, I was expecting to see some core/senior members supporting me (Dinis) in the defense of the need to 'create environments that are able to securely execute malicious code (i.e. Sandboxes)'. But no, not a single word. But then I was not surprised, since Microsoft has been ignoring my public comments about this issue for the last two years. This means that either A) they don't care any more about this topic (Partial Trust / Security Manager code) or B) they are just playing the good old trick of ignoring the little guy (which works in environments like today's, when the Media and paying clients don't care (read: don't understand) about the issue discussed).

Option A) is quite realistic since Microsoft (after what happened with the 'Longhorn managed code failure' and Vista's reset to Windows 2003 code) seems to have moved (or kicked) the '.Net guys' to a corner, and decided to bet on creating an operating system which delivers a trustworthy computing environment in the hands of Vista's UAC (User Access Control) and Vista's capability to run as non-admin (which is a bad bet in my point of view).

[side note: If the .Net framework is just a nice wrapper on the win32 API (see Richard Grimes' articles on this subject) with 99% of its code executed under a Full Trust environment and never verified, then why the security overhead of the current versions of the .Net framework (namely 1.1 and 2.0)? If CAS and Strong Naming (just to point out two examples) don't really deliver any real security value (just like 'client side data validation'), then why incur the overhead? Maybe we would get a nice performance boost in .Net applications if all those security calls were disabled. (Idea: I want to apply my 'Rooting the CLR' research to the creation of a patch for the .Net Framework which disables all security checks and (hopefully) improves the performance of .Net applications (drop me a line if you are interested in participating in this new Owasp .Net project))]

After two years of trying, I GIVE UP trying to bring Microsoft to this discussion. Microsoft doesn't care, can't be bothered to participate (or the powers that be don't authorize the ones that want to participate), maybe believes that the types of attacks will not continue to evolve (i.e. the risk will not increase), or maybe it is just that inertia that affects large companies where nobody is really responsible for anything and the key decision makers are so distant from the real world (or believe in their own hype and power to manipulate the market) that they don't really understand the implications of their decisions.

I think that my case is a perfect example of why Microsoft has such a bad reputation (not just in security), and why the new generation of developers (and IT professionals) are moving to Open environments (like Open Source). In the medium / long term Microsoft cannot afford to continue to ignore little guys like me (who are trying to do the right thing and help Microsoft to solve their security problems). They need to show respect and (at least) publicly talk about the issues raised. Microsoft and Bill Gates like to talk about trust and trustworthiness. Well, trust is something that is built over time, with respect, dialog and transparency. Not by ignoring and pretending that one doesn't exist. Maybe Microsoft's problem with me is the fact that I will NOT work for them nor sign an NDA (since I know that my independence would disappear the moment I signed one), or maybe they think that I am not good and knowledgeable enough for them to spend their 'precious time' with. They are wrong in not engaging in this conversation, and in ignoring my public requests to talk. I might be more vocal than some of my security consultant friends, but I know that most are as frustrated as me with Microsoft's attitude to Security.

Memo to Sun: "Java has the same problem, and you should be worried when senior members of your community are very surprised to discover that most Java code is executed in -noverify environments"

What I know is that my conscience is clear. Nobody can accuse me of not trying. Over the last two years I made every ethical effort to call Microsoft's attention to this problem: I wrote articles, security guides, security tools, training courses, presentations, collaborated on .Net Open Source projects (like Owasp), and even had two meetings at Microsoft's Redmond campus with several Key players in Microsoft's security and .Net teams (it seems that all that was left to do was to bring down a couple of ISPs / global companies just to prove my point, but since I am ethical and a 'good guy', that is something that I will never do).

From all this effort, I have very little to show for it (except for my increased knowledge, several good contracts and some raised awareness among a couple thousand professionals who read or saw my materials or used my tools). My main objectives were to get Microsoft to publicly admit that .Net Framework's Full Trust is a big problem and to start the paradigm change to a Partially Trusted world. Unfortunately I failed. .Net 2.0 was launched and nothing changed. 99% of the applications that exist today and are currently under development are designed for Full Trust (or equivalent) environments.

So, I will wait patiently for the day that Microsoft (and the others) decide to join the party. Meanwhile I will continue my discussions on the webappsec () securityfocus com, websecurity () webappsec org and owasp-dotnet () lists sourceforge net mailing lists, since at least there my ideas are debated and challenged by other like-minded professionals (thanks guys). I will not initiate another discussion on Full-Disclosure and DailyDave about Full Trust and .Net /Java Sandboxes because its audience is not interested in them and the Microsoft (and other) subscribers ignore them.

To wrap things up, here are a couple of quotes from a senior Microsoft Security employee, given to me in his office in Redmond a couple of months ago (in Feb 2006):

"...Dinis, what you are saying is important, but at the moment it is not one of our main priorities... There are several reasons ... a main one is the fact that we tried that with Vista and it didn't work... but probably the main one is that we (Microsoft) don't have client pressure to deliver it ... basically there is currently no business case to invest in that since our (Microsoft) clients are not demanding it... ...what needs to happen is that you (Dinis) need to find 5 major Microsoft clients which want this, and then we might do something about it ..."

My response to this last comment was "...look, this is not my problem, this is Microsoft's problem since it is Microsoft who is promising to deliver a 'trustworthy computing environment'. So if Microsoft doesn't want to do it, and Microsoft's clients don't put pressure, then there is nothing I can tell you (Microsoft) that will change your mind..."

My conversations with Microsoft's employees tend to always end the same way: I ask them to start by acknowledging the current Full Trust problem, and they respond by saying '... we are working very hard ... or ... things are better today than they were a couple of years ago ... or ... when compared with the status of the industry we are not that bad ... or ... we know that we need to do better to educate our developers to write partially trusted code..'. Basically just words and no actions.

Sorry for the 'digital noise' of my previous posts.

Best regards
Dinis Cruz
Owasp .Net Project
www.owasp.net

Congratulations. I have yet to understand why anybody would feel that the majority, if even the minority, of this list could care less if they are here or gone. You should be sorry about the 'digital noise' that you are spewing now; Speculation and partial, out-of-context quotes without an actual source name, yet you want people to listen to You. Think about it for a while. You are wanting a Company to just jump at what YOU want done, right then, without knowing their current projects nor workload. I am sure, from the broken information provided, that YOU are not privy to their practices nor even escalation paths.

I am not attempting to defend Microsoft, Sun or any of the other players that you have listed, but Business in general. The reason they give you those replies is for liability. When the little man on the totem pole gives a direct reply then they are usually held accountable for their words, which could lead to the loss of their position at the company that they are representing. Just think about it. "Thank you for this information! We will get this fixed in the next patch release" just leads to an information leak, then some online blogger, or self-righteous 'security expert', cross-posting to 20 lists claiming that they got something done like The Twit(TM). We all know that is not always the case, but many larger companies have dealt with it already and have placed rules and guidelines for handling such situations. Many may not believe that is the best way to do it, but yet again it's not what you want. In conclusion, let's remember that they got where they are for a reason, as well as you are where you are for a reason.

On 4/7/06, michaelslists () gmail com <michaelslists () gmail com> wrote:

nocfed, are you saying that researchers shouldn't hassle companies with notes about the security of their products, because they might have more important things to be doing than respond to them? what fucking list are you on again?

-- Michael

I have no idea where you gathered that from. If you feel that the information needs to be disclosed then do it, but don't expect a reply, especially in a public forum. Show common netiquette if you decide to reply.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/