FBI, Pentagon Talk to MS about XP Hole
(eternal_software) writes: "The Associated Press is reporting that the FBI and Defense Department are talking to Microsoft about the serious flaws found in the XP operating system. As we all know, the most recent flaw allowed any XP machine to be hijacked simply by connecting it to the internet. The government is getting involved because of growing U.S. concerns about risks to the 'net as a whole." In fact, the FBI would like you to go a bit beyond the MS patch. davecl points out the updated page put out by the National Infrastructure Protection Center about this vulnerability as well.
hmmm...interesting (Score:4, Insightful)
the arrogance (Score:4, Insightful)
I honestly and truly hope that the US government brings them to their knees about this. That's wishful thinking, I know. However, two statements in particular in the Yahoo! article surprised me:
1. Microsoft declined to tell U.S. officials Friday how many consumers downloaded and installed its fix during the first 24 hours it was available.
2. Microsoft also indicated it would not send e-mail reminders to Windows XP customers to remind them of the importance of installing the patch.
The reasons for point 1 are quite clear though. Acting on point 1 would indicate what a fiction the sales figures for XP really are.
Point 2 is more difficult to fathom... perhaps they're hoping people won't notice? Why on earth, other than their disdain for non-corporate users, wouldn't they send out the reminder? Or even a reminder stressing the importance of installing the auto-updater?
Re:Trust us! (Score:5, Insightful)
But I feel there MUST be some preannouncement on such bugs, even if the details are minimal. Whenever you work on something, you cannot expect that someone else in the world is not also working on the same thing, but not for the same purposes. In the case here, eEye, the group that found the bug, was looking for it for purposes of good, but I would not expect that someone else, maybe a malicious group, was also narrowing in on the bug 5 weeks ago when eEye reported it to MS. (And then you have to add cyber-espionage that might have garnered that info for themselves?) In the 5 weeks it took MS to verify the bug and develop and test the patch, that other group might have caught up and started 'owning' boxes already. A preannouncement of the bug, simply outlining the effects, and any short-term security measures, would have prevented that group from doing any significant harm to the boxes if they did exist.
I know from a previous discussion that many sysadmins, when a new bug is discovered, want to know all the details up front so they can test the bug before and after fixing on their systems. This is understandable, but I think in the cases of bugs that can affect a significantly large number of systems, such as this XP bug, that limited disclosure is better. I think a key step that could be done is to institute a small group of trusted security people; bugs that are found are reported to the vendor and to this group. A person(s) from the group verifies the bug and puts out a digitally signed statement that this bug exists, and that certain steps can be taken to correct it. Because of the status of these people, if they claim to have verified the fix, then that should be considered to be truthful, and thus limiting the need of sysadmins having to have full details to test it themselves. After a short period (no more than 6 weeks), the full details should be released, regardless of whether a patch from the vendor was available or not. That way, the limited disclosure lets the sysadmins know there's something going on and there are steps they can take to prevent problems, and it gives the vendor time to fix the problem before that information falls into the hands of malicious people.
Re:Trust us! (Score:2, Insightful)
Re:did anybody notice this.... (Score:3, Insightful)
But that's my humble opinion, which isn't as scary or so scary or whatever...
An analogy with the biological world (Score:5, Insightful)
The opposite to this is what's called a monoculture, where one particular genetic structure is present in the large majority of the population. Such situations will usually not last long, because once something is found that affects that population, it spreads quickly and decisively.
With Windows having such a large share of the market as it is, could this be considered the electronic equivalent of a monoculture? Would one major virus or security flaw cause much more damage to the net than otherwise would have happened, because of the homogeneity of the net's computer systems in terms of OS?
Whether the king is Linux or Windows or MacOS, or..., is having a near monopoly market share of any one OS a good thing in light of this philosophy? Hmm. Food for thought.
Cracking spree holidays? (Score:3, Insightful)
Probably quite a few of those computers go to people who are going to have it as their first computer. And what are they going to do first? Turn it on. And probably, go online with it...
And the crackers will be waiting for the easy prey.
frustrated FBI (Score:3, Insightful)
Looks like MS isn't the only one with good marketers
Re:did anybody notice this.... (Score:1, Insightful)
Not that I necessarily think that the XP auto-updater is a bad thing; I haven't come to a conclusion for myself yet. But the parallel you drew is flawed.
comment from a former Microsoft developer (Score:4, Insightful)
So what is up with those buffer overflows...do Microsoft developers hate users and not care about quality? Well, no. It only takes one buffer overflow in the whole system that hundreds of developers have worked on, to make it vulnerable.
At Microsoft the ultimate way people are valued is at review time when bonuses, stock options, and raises are awarded. Do developers get hosed for leaving buffer overflows in? Well, not as of when I left (April 2000). But maybe that will change, slowly.
Eventually you have to stop accepting excuses like "Gee, code is really complicated and I thought I was being careful" or "we really tried to think through this design" and recognize that essentially every buffer overflow comes from being lazy as a developer, or not accounting for what kind of garbage packets can come in off the net. If Microsoft starts emphasizing that you can be fired for leaving a buffer overflow in, then things might change. Of course it's a little unfair, there is no doubt lots of clunky code in there that just doesn't happen to expose an externally exploitable buffer overflow (and merely crashes the system or something), but if you start emphasizing the necessity to go over things with a fine-tooth comb to prevent buffer overflows, it will improve all the code.
Because although there may be a few cases where someone really tried to check boundary conditions and just did it wrong in the code, in most cases developers are just being lazy about writing the code robustly to begin with. Plus if you have some code to prevent this and you write it wrong, you haven't tested your code properly anyway.
More ruminations at this osopinion article [osopinion.com].
- adam
Why Many Hate Microsoft... (Score:4, Insightful)
I remember when NT 4.0 came out (they were fairly low key with NT 3.x) and Microsoft claiming it was far more secure than UNIX and you wouldn't have buffer overflows because the source was closed and people couldn't find them even if they existed.
I also remember many years ago them claiming NT was more secure and showing the number of submissions of security holes posted to Bugtraq (before NTbugtraq) there were for UNIX vs NT (back when nothing serious ran on NT and no one really cared enough about it to look for holes).
Now they want their code running in everything, including acting as firewall devices. I find this so fucking funny I could just split a gut. You're going to protect machines running code "x" by installing a device running much of the same code "x" to protect those machines from the world?
I just find it a bit frightening. The entire world running on code from one manufacturer that is not open to public review. I'm even more surprised that foreign governments are so trusting of it.
You know what's scary? We just bought an EMC disk array and had to give it an IP address for management. Did a port scan on it. WTF? It's listening on netbios ports. Use smbclient to take a gander at it and lo and behold....
Domain=[AZBYCXDWEVFU] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
Workgroup Master
AZBYCXDWEVFU CLARIION_SPB
I call EMC and they say "Oh, the new clariions run a stripped down NT kernel in their service processors." :-( Joy... my SAN is now trusted to that super sekure Microsoft code. At least I can block it from the world through my router which, for now, is running non-Microsoft code...
Can you imagine the harm one could do with a hole in THAT? The financial world survived WTC through redundancy and real-time mirrors of data kept in far flung locations. There are disaster recovery data centers where entire warehouses are filled with machines just waiting to kick in during a crisis. So now you have your storage area networks themselves controlled by Microsoft code. Just exploit the hole-of-the-week to get your code inside a corporate or government firewall, seek out these storage networks running NT kernel code, trash them, take out the primary and backup locations. Chaos.
Re:Just a thought/Microsoft a target? (Score:1, Insightful)
If your only experience with a GUI interface is Windows... If your only experience with flying objects is birds, then the first aircraft you see would appear to be JUST like a bird. However, they are quite different and some of their operations are very different. The similarity of KDE, fvwm95 and GNOME to Windows may be more of an attempt to reduce the user learning curve. But look, I just caused my Opera window to disappear into the title bar with a CTRL-S and then switched to my third desktop with an ALT-3 and then back again and then I pressed CTRL-ALT-F8 and I'm looking at an instance of X exported from my Dell PowerEdge server in the basement. If you pull your head out of your ass you will see the innovation.
Re:Just a thought (Score:5, Insightful)
You really think that'll work? (Score:3, Insightful)
Re:all rightey then! (Score:1, Insightful)
1. Download and install the available patches automatically.
2. Download and prompt the user to install patches.
3. Prompt the user to download and then prompt the user to install the patches.
4. Do nothing.
As previously stated, even with a patch available, many computers often don't get updated (i.e. Outlook worms when a patch to block the Address Book has been available for over a year.) This service exists to attempt to ensure that people who can connect to the internet can also be informed and up to date. It's an unfortunate but necessary step for consumers, but something easy to disable for power users or slashdotters who watch too much X-Files.
Buffer Overflow as a Decoy to bigger hole (Score:3, Insightful)
It makes sense, from the perspective of a defensive Microsoft. "Buffer overflow? Who hasn't slipped up once or twice and had a buffer overflow bug? We have our code scanners rooting out the last one or two of these bugs, they'll all be gone soon and we'll all be safe."
The bigger gaffe is that they designed the OS to say "hack me" (or words to that effect) whenever some other device--any other device--asks to fondle, as it were, the OS's drivers. That this is a huge security exposure is obvious to anyone who is old enough to remember the early days of hacking. Some hotshot designers at Microsoft (probably with degrees in marketing, not computing) designed this "hack me" feature into the OS intentionally.
Now they have the attention of the NIPC/FBI. Even FBI agents (who, over the last 10 years, gave new meaning to the term "anti-intelligence") know that on Christmas day, millions of un-patched XP OS's are going on line, in the same 24-hour period. The hackers will be waiting to stick their electronic -er- fingers in those exposed UPnP ports and leave behind a little deposit.
Maybe, maybe not, the FBI realizes that some of those systems will have time-delay bugs planted in the pre-patched OS's. Then, downloading the patch will produce the false security that keeps the spirit of the XP season alive throughout the coming year.
The silver lining? Corporate PHB's, the holy grail of Microsoft marketing, will lose confidence in any of Mr.Bill's claims of reliability and security, once and for all. XP was supposed to be the one-size-fits-all OS, from palmtops to corporate web front-ends to data warehouses. (not that it was the first attempt at this unification by Microsoft, or even their competitors.) Even the golf-buddy execs are going to remember the day when the FBI started pushing patches to the monopolist's holey flagship.
Did anybody notice, last year, when Bill Gates started to cut the cord to Microsoft? He did see the big fall coming, you know. Not as stupid as we make him out to be, eh?
Re:the arrogance (Score:5, Insightful)
The reasons for point 1 are quite clear though. Acting on point 1 would indicate what a fiction the sales figures for XP really are.
Point 2 is more difficult to fathom... perhaps they're hoping people won't notice? Why on earth, other than their disdain for non-corporate users, wouldn't they send out the reminder? Or even a reminder stressing the importance of installing the auto-updater?
Re:comment from a former Microsoft developer (Score:5, Insightful)
So what is up with those buffer overflows...do Microsoft developers hate users and not care about quality? Well, no. It only takes one buffer overflow in the whole system that hundreds of developers have worked on, to make it vulnerable.
It takes only one buffer overflow in the whole system that any number of developers, from one to one million, have worked on to make it vulnerable.
It doesn't matter how careful you are. Zero defects at the individual level is a pipe dream. The goal of software quality assurance is that you test code to determine whether it conforms to the specifications with no astonishing side effects. Structured implementation (use of safe libraries, re-use of validated code) can reduce the effort and increase the quality of code.
Want to eliminate buffer overflow? It's easy. Just write a routine ONCE that sucks up characters and puts it into a buffer, debug the corner cases ONCE to ensure you can't go beyond the boundaries, and use that routine for all your work, without exception. Not even when marketing comes in and says "Hey, you didn't come out on top in performance when HAL Magazine ran their tests!" Oh, and your QA people have to actually try to execute some kind of buffer overflow as one part of their suite of test cases...
When a buffer overflow is discovered "in the wild," you find out the source of the buffer overflow and take appropriate action -- against the coder and against QA as well. You have to show these people that you MEASURE them by this sort of stuff.
By the way, don't forget that code should check for attempts to go "outside the box" by using unusual character sequences like ".." in URLs, too. Again, write a single block of code that does the job right, test the hell out of the corner cases, and use that code, without exception.
A Google search yields some interesting approaches. I would like to see the adoption as part of the ANSI definition of the C language an extension to the STR* library routines that are length-safe, such as the STRL* routines found in NetBSD; see the man page [openbsd.org] and the discussion in the Secure Programs HOWTO. [linuxpowered.com]
Don't kid anyone. Buffer overflow can be avoided, by putting in place the proper process and discipline to do the job right.
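As an added example (not code from this page, from either poster, or from Microsoft), here is the "write the bounded copy once and use it everywhere" routine this reply asks for, put to work on exactly the case the former Microsoft developer raises above: garbage arriving off the net. A header-line parser is written both ways, the unchecked copy kept only for contrast beside the hardened one, and the same "do it once, test the corners" approach is applied to the ".." check mentioned here. The field sizes, the `Location:` sample line and the request paths are constructed inputs; `bounded_copy` reimplements the strlcpy contract rather than relying on a libc that may not ship it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Microsoft's or the posters' code. Constructed sizes:
 * a real service would size these from its protocol limits. */
#define NAME_MAX  16
#define VALUE_MAX 32

/* THE BUG: copies until the delimiter with no idea how big dst is. A peer
 * that sends a longer value writes past the end of the caller's buffer.
 * Kept only for contrast; nothing here calls it with hostile input. */
static void copy_value_unchecked(char *dst, const char *src)
{
    while (*src != '\0' && *src != '\r' && *src != '\n')
        *dst++ = *src++;
    *dst = '\0';
}

/* The write-it-once routine: copy at most n source bytes into dst, never
 * more than dstsz-1, always NUL-terminate. Returns the length the source
 * needed, so a result >= dstsz tells the caller the copy was truncated
 * (the strlcpy contract, reimplemented so it builds on any libc). */
size_t bounded_copy(char *dst, size_t dstsz, const char *src, size_t n)
{
    size_t need = 0;
    while (need < n && src[need] != '\0')   /* never reads past n bytes */
        need++;
    if (dstsz == 0)
        return need;
    size_t take = need < dstsz - 1 ? need : dstsz - 1;
    memcpy(dst, src, take);
    dst[take] = '\0';
    return need;
}

/* Parse "Name: value\r\n" from a packet buffer of len bytes that is NOT
 * assumed to be NUL-terminated. Returns 0 on success, -1 if malformed,
 * 1 if a field did not fit: the caller drops the packet instead of acting
 * on a clipped value. */
int parse_header(const char *line, size_t len,
                 char *name, size_t namesz, char *value, size_t valuesz)
{
    const char *colon = memchr(line, ':', len);
    if (colon == NULL || colon == line)
        return -1;
    size_t nlen = (size_t)(colon - line);

    const char *end = line + len;
    const char *v = colon + 1;
    while (v < end && *v == ' ')
        v++;
    size_t vlen = 0;
    while (v + vlen < end && v[vlen] != '\r' && v[vlen] != '\n')
        vlen++;

    if (bounded_copy(name, namesz, line, nlen) >= namesz)
        return 1;
    if (bounded_copy(value, valuesz, v, vlen) >= valuesz)
        return 1;
    return 0;
}

/* The ".." check, also written once: reject any request path that can climb
 * out of the served directory (absolute path, drive letter, or a ".."
 * segment with either separator). Run it on the path AFTER any URL
 * decoding, or an encoded "%2e%2e" walks straight past it. */
bool path_is_contained(const char *path)
{
    if (path[0] == '\0' || path[0] == '/' || path[0] == '\\' ||
        strchr(path, ':') != NULL)
        return false;
    const char *seg = path;
    for (;;) {
        size_t seglen = strcspn(seg, "/\\");
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.')
            return false;
        if (seg[seglen] == '\0')
            return true;
        seg += seglen + 1;
    }
}

int main(void)
{
    char name[NAME_MAX], value[VALUE_MAX];
    const char good[] = "Location: http://10.0.0.5/desc.xml\r\n";  /* constructed */
    int rc = parse_header(good, sizeof good - 1, name, sizeof name, value, sizeof value);
    printf("rc=%d name=%s value=%s\n", rc, name, value);

    char bad[256];                       /* constructed: 246 bytes of 'A', no CRLF */
    memset(bad, 'A', sizeof bad);
    memcpy(bad, "Location: ", 10);
    rc = parse_header(bad, sizeof bad, name, sizeof name, value, sizeof value);
    printf("oversized value: rc=%d (dropped), buffer holds %zu bytes\n", rc, strlen(value));

    copy_value_unchecked(value, "short\r\n");   /* safe only because the input is short */
    printf("icons/x.png -> %d, ../secret.txt -> %d\n",
           path_is_contained("icons/x.png"), path_is_contained("../secret.txt"));
    return 0;
}
```

The point of returning the needed length rather than silently clipping is that truncation is itself a signal: a `Location:` value that does not fit the buffer the protocol designer sized is not a value to act on, it is a packet to drop and log.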
Re:did anybody notice this.... (Score:5, Insightful)
Whenever you log in on your XP system (of course, no password in XP-home at least) a flurry of packets fly off to Mord- er Microsoft and to the OEM you bought the system from. You have no way of knowing the content of that communication. Since it's all closed source, no one can comb through it for vulnerabilities or trojans like they could for the code for apt or rpmfind. A typical user has no way of knowing that the communication is even taking place at all unless they are running something like tcpdump on the network.
Does that help?
Basically, when you buy XP you are wittingly or unwittingly complicit in your own surveillance. You have given your consent in principle, to be spied upon because you were sipping your morning coffee while XP talked to the higher authorities about you. You looked away and sipped instead of yanking the cat5 out. I say in principle because we've seen that all the consent required for this government to violate your Constitutional rights is that you and others do not resist it with force. Though no one posting here can say for certain what passes through this security hole now, neither can anyone deny that, with a hole like this opened in your systems, a hole which everyone is being conditioned to accept as normal, a feature of their OS, there is literally NO LIMIT to the severity of your insecurity. While you're sipping that coffee, the convenient updater can convert your computer system into a telescreen into your private thoughts, business plans, governmental policies, and so on without end, no matter where you live and what flag you salute. It used to be that spyware was an annoyance foisted on the public sporadically by marketers. Now with XP, spyware connects a government approved monopoly to your most trusted communications and private papers. You don't have to be an anticapitalist socialist or a government hating libertarian to understand that at some level the distinction between a government approved monopoly and an agency of that government is essentially null, or so small it's not worth discussing. (Or maybe someone could point out examples to me where ATT told the government it would not cooperate in its counterintelligence efforts against antiwar protestors and civil rights leaders in the 1960's)
Between the 2 of them, Windows XP users have poor Goatse-man beat by a painful mile for the infinite elasticity of their holes. I have no doubt that the Feebs and Dept.of Deathdance have a million things they'd like to talk over with MS in that regard.
Re:An analogy with the biological world (Score:3, Insightful)
Re:Why Many Hate... (Score:1, Insightful)
Not only that, you get to pay them to allow you to help them fix it... ie, pay for support on a product you've purchased already, which helps them track down problems they can fix in a future service pack.
I'm not talking about getting help changing your wallpaper or setting up tcp/ip, but things that you find in the KB with the explanation "This is a known problem in XXXXX", or, that you don't find at all in the KB. It's insane.
Unfortunately, MS is rich enough to buy off the government, so nothing will be done to force them to make a better product. Then again, we're not held at gunpoint to purchase their product. However, MS is rich enough that they can afford the super-sexy salespeople to convince the suits to use MS throughout your organization. Plus, there really aren't good non-MS options to such standard office products as Word, Access, etc. Not to mention 3rd party software developed specifically to run on Windows. These 3rd party software companies are not likely to abandon X years' work to switch platforms.
I think it will take a very high-profile (rich) company filing suit against MS for damages before anything will happen. Plus they've got to get around the EULA. Typical end users will just put up with it, knowing they don't stand a chance in hell against MS, but a big company could. Maybe even the US Government. There's got to be some way to argue that their sales pitch is fraud.
Re:An analogy with the biological world (Score:3, Insightful)
Actually a monoculture of clones.
We all know that Microsoft lies, but... (Score:5, Insightful)
Now, we all know that OpenBSD has proved them wrong, by proving not only that open source developers *want* to do hardcore security audits of the source code, but that doing hardcore security audits on source code prevents security holes from being released into the wild. OpenBSD [openbsd.org] hasn't had a remotely exploitable security hole in the default install in FOUR YEARS! Windows XP has been in release for all of about two months, and already there's a major security exploit found.
This proves by Microsoft's OWN ADMISSION, either they do not hire people to do the hardcore security audits they say they can, or if they do, they can't do it as well as the volunteers who "obviously" don't do it at all because there's no monetary motivation to do so.
With lies like this, Microsoft couldn't get into a Better Business Bureau if they paid each of its members a billion dollars.
Maybe there's another bug.... (Score:2, Insightful)
If the FBI wants universal plug and play off, it sounds to me like there's another security hole there. Why else would they request this? Isn't Microsoft policy to keep these things quiet until they are fixed? They depend on no one knowing about the problem to keep machines safe. But, maybe for the FBI, especially with the terrorism situation, who might have critical data on XP machines, this thin line of defense isn't quite good enough.
Re:Symbol of innovation? (Score:3, Insightful)
Exactly. Microsoft does occasionally innovate. Having to click twice on a menu entry in the menu bar to get all the options is an innovation! It's a lousy one, but still...
The real problem with MS is, as you said, their Real Innovations:Advertised Innovations ratio. It's pretty low. It's not that they're not creative, they're just not as creative as they say they are. If a person acted like that, you'd call them "full of themselves". You probably wouldn't like them very much either.
Re:Trust us! (Score:3, Insightful)