IP: GOVNET redux

[David Farber <dave () farber net>]

> From: "Perry E. Metzger" <perry () wasabisystems com>
> To: dave () farber net
>
>
> I've been somewhat amused by the answers to my original message about
> GOVNET.
>
> To redirect, preventing Code Red, Melissa, and other recent outbreaks
> would not have required verifiably secure systems, multi-level
> security, or any other such thing. They were caused by obvious
> architectural mistakes in the way Microsoft systems are built --
> horribly misguided decisions with obvious security impact.
>
> For the better part of a decade, people in my part of the security biz
> made fun of Microsoft and other companies for setting themselves up
> for this. Microsoft was BEGGING for these things to be done to their
> users, much like an auto with a giant target painted over a vulnerable
> part and a "hit here to make the car explode" sign pointing at the
> target. None of the outbreaks of the last few years were the least bit
> surprising.
>
> For years, I and people like me said "Why is Microsoft putting
> arbitrary executable code into document formats? Now the documents
> can't be considered safe. There is no need for this." People stared at
> us like we were aliens. Didn't we know we were standing in the way of
> progress! Why, thanks to being able to embed arbitrary code, you can
> have your word document play sounds! The idea that if you wanted your
> word document to play sounds you might want to use a multimedia format
> instead of embedding executable content did not occur to people it seems.
>
> Now we live in a world where poor benighted virus scanners have to paw
> through .doc files and .xls files and such, searching for evil
> programs, but we all know the horrid truth, which is that Godel and
> Turing taught us that this is just an arms race. No recognizer can
> find all evil programs. The right solution was not to play the game in
> the first place because you can never win it. Other systems happily
> can do world processing and spreadsheets without incorporating full
> Turing-equivalent languages, of course. When we said over and over
> "you're setting yourself up for horror by embedding executable
> programs into word processing documents", there was no need to invoke
> Orang Book or other security standards. This was obvious stuff. This
> was the sort of mistake we made fun of as comp sci
> undergrads. Unfortunately, it wasn't obvious to Microsoft.
>
> Did the non-exportability of "secure" OSes drive Microsoft to do this?
> No. No one forced them to do it.
>
> Take the entire realm of email worms, for example. These do not
> typically attack Unix users, and not merely because Unix users are a
> minority. They do not attack Unix users because Unix users typically
> do not have mail programs that will blindly execute programs sent to
> them. Microsoft is finally fixing some of this, belatedly, but the
> mistake was obvious from the start.
>
> Did the non-exportability of "secure" OSes drive Microsoft to do this?
> I don't think so.
>
> Take the area of such Microsoft abominations as the "self-extracting
> file" -- that is, an arbitrary executable sent as a way of packaging
> data to avoid needing extraction and viewing software at the remote
> end. For years, friends of mine would routinely send me
> "self-extracting files" which need not have been designed that way,
> videos that came in executables, etc. I would send them back email
> saying "I won't run that. You realize, of course, that one day someone
> will mail you a program that will erase your hard drive and YOU WILL
> RUN IT." They'd make fun of me for being paranoid. Well, now many of
> them have lost work because their hard drives have vanished into the
> night, and perhaps they now understand what I meant when I said that
> they were being trained my Microsoft to be good victims for the day
> that someone sent them malicious executables.
>
> When Microsoft introduced "Active X", which allowed websites to
> download arbitrary code into people's machines, it was obviously a
> horrible idea. Colleagues of mine quickly put up web sites
> demonstrating the folly of this, in which you could click a button and
> have your machine shut down for you and such. They were ignored. (They
> still are often ignored.)
>
> Microsoft continues to pioneer extraordinarily bad ideas that
> seriously harm system security. Take the recent IIS worms, for
> example. As shipped, Microsoft systems typically turn on numerous
> unneed services, and many of these services run with far too many
> privileges. This isn't because Microsoft's systems have no ability to
> run software with low privilege but because they've ignored making
> such use easy for so many years that now many of their systems
> effectively run only with one level of privilege.
>
> Want to know why Code Red spread like wildfire? Well, IIS was turned
> on by all sorts of programs for no good reason, has no security
> architecture to speak of, and usually runs with privileges. On typical
> Unix systems, Apache gets run as some user that has no privileges to
> speak of to prevent such nonsense from happening.
>
> Why has Microsoft operated like this for so long? I don't know. Their
> programmers are typically very smart people. Their managers are
> typically very smart people. My suspicion is, though, that they always
> have been rewarded for ignoring hazards and increasing functionality
> in the fastest possible ways. This may also be why Microsoft systems
> crash so often.
>
> So what's my conclusion?
>
> This isn't rocket science, folks. Don't go off blaming regulations,
> don't go off blaming the marketplace. Don't blame the lack of
> multi-level secure operating systems, because Microsoft Word and Excel
> doc formats aren't caused by the lack of multi-level secure operating
> systems. A freshman in CS can articulate why it is stupid to
> incorporate executable code into document formats, or why you don't
> train users to execute programs coming in off the net, or why you
> don't want to make it easy for people to unknowingly load arbitrary
> code when they go to a web site, or why you want to run systems with
> the minimum privilege, and all that.
>
> Don't say none of this is easy, because much of it *is* easy. It is
> hard to make a network server impossible to break, but it is
> straightforward to make the consequences of breaking in to it mild. It
> is not so much harder to create a better document format than to ship
> Visual Basic code in your documents. It is tempting to allow people to
> download "Active X Controls" off of web sites, but we should know
> better than to follow that path.
>
> This is not to say that more complex measures like multi-level secure
> operating systems have no place. They certainly have a place. However,
> the problem right now is not a lack of A1 systems on desktops. It is
> the fact that every time my lawyers sends me a contract to view, I
> have to worry that it could contain malicious code.
>
> --
> Perry E. Metzger                perry () wasabisystems com
> --
> NetBSD Development, Support & CDs. http://www.wasabisystems.com/


For archives see: http://lists.elistx.com/archives/interesting-people/