Is it sloppy programming, or does full computer security vulnerability disclosure make it too easy for hackers?
October 18, 2001 7:20 AM
Is it sloppy programming, or does full computer security vulnerability disclosure make it too easy for hackers? Microsoft has a personal interest in minimizing the exploit of their code, but the evil you know is better than the evil you don't. Others have weighed in on this debate in the past, or provided a fair but vague blueprint for the computer security community. Do you think that a middle ground exists?
I've always argued that it's sloppy code, and here's why:
There are a few areas where MS isn't the dominant force, most notably web server software. Yet, despite only having hald the marketshare of Apache, they still have a terrible security record.
If Apache and IIS had identical marketshare and an identical policy for releasing known security problems, IIS would still be hit more. Therefore it's bad code on MS's part.
posted by jragon at 7:44 AM on October 18, 2001
hald = half. You know, metafilter should have a preview button to reduce typos.
posted by jragon at 7:45 AM on October 18, 2001
willpie - can you explain your comment? I have an idea what you mean, but . . .
posted by yesster at 7:53 AM on October 18, 2001
i think this insistence that code illustrating security breaches not be provided is rather corporate, personally. i'm a programmer myself, and i have no ego: i don't care if you found a bug in my code. please, tell me. i can fix it, then. in fact, i think full disclosure is about the only thing the public has as leverage against corporations in this matter: it's the only thing to make them say, well shit, we need to fix this right now.
posted by moz at 8:15 AM on October 18, 2001
The general consensus in the security community is that if you find a hole you notify the creator of the software with all the details and wait for some time (say a month) before you release the information into the wild (sooner if they come up with a fix and it's publicly available).
Releasing the exploit is a way of saying "this hole exists, there is an exploit for it, it is real, upgrade now."
posted by Fat Elvis at 8:59 AM on October 18, 2001
It's funny/ironic/intentional the article does not mention the process as described by Fat Elvis. Indeed, Fat Elvis, that is the way it should be done. It's the best of both worlds: it gives time to Microsoft to patch the hole and save the butts of the users but still gives the world notice about just how many defects the software has and how bad they are. I believe we have here another FUD.
posted by mmarcos at 9:21 AM on October 18, 2001
I think willpie's point is that Microsoft actually wants to spread FUD about the security of core internet protocols. As Cringely writes:
How do you push for the acceptance of a new protocol? First, make the old one unworkable by placing millions of exploitable TCP/IP stacks out on the Net, ready-to-use by any teenage sociopath. When the Net slows or crashes, the blame would not be assigned to Microsoft. Then ship the new protocol with every new copy of Windows, and install it with every Windows Update over the Internet. Zero to 100 million copies could happen in less than a year, and that year could be prior to the new protocol even being announced. It could be shipping right now.
Not so much "embrace and extend" as "embrace, extend, destroy the original". Black Widow tactics.
MSN's already implemented application controls so that only Microsoft clients can access its POP3 servers. Never mind that Outlook/Express are the most potent virus carriers of all.
posted by holgate at 9:23 AM on October 18, 2001
For the past few years we've seen countless advisories of bugs and blatant security holes in Microsoft software.
You know, I used to think that problems like Code Red, SirCam and Nimda were caused by bad design, third-rate quality assurance procedures or a closed development architecture, but Micro$oft in their magnanimity has decided to share with us the real reason behind all these problems: the people who are smart enough to realize that Microsoft's flagship apps are about as impermeable as a slice of Swiss cheese.
Well, thank god for that. We wouldn't want to have the Redmond ogre spend too much of its resources on improving QA, redrawing faulty application design or tightening up their code. After all, if we all ignore the problem, it WILL go away! Why didn't they think of this approach before? :-p
posted by clevershark at 10:41 AM on October 18, 2001
I think the blame also can't be applied solely to Microsoft here -- I think part of the reason for publicizing the exploits so widely is to prod lazy admins into patching their servers. I mean, Code Red is a worm that was already patched, it's just people who didn't upgrade their software who got hit with it. This is not to say that Microsoft doesn't release buggy software, which they do (and who releases 100% bug-free software, anyway?) but that some of the responsibility falls to the user to keep up-to-date with his patches.
posted by zempf at 10:48 AM on October 18, 2001
*Part* of the responsibility, yes. But see my comment above... Apache has twice as many admins, meaning twice as many lazy admins, and yet it's never a problem for them.
I think the issue is 90/10 Microsoft/User.
posted by jragon at 2:17 PM on October 18, 2001
Apache has twice as many admins, meaning twice as many lazy admins
False logic. Twice as many webloggers does not mean twice as many ugly webloggers... Twice as many blogs does not mean twice as many good blogs. Twice as many Mefi users does not mean twice as many good Mefi users. Twice as many orgasms does not mean twice as many good orgasms.
Ad nauseam...
posted by fooljay at 2:52 PM on October 18, 2001
Microsoft created the virus and anti-virus industries decades ago. Bugs (is it a bug when it's a mandatory part of the MS-DOS specification?) in Microsoft products have been used by attackers for many years. Hiding source code and not fixing bugs doesn't seem to have worked so far, but Microsoft continues to do so.
posted by SEWilco at 8:17 AM on October 19, 2001
posted by willpie at 7:32 AM on October 18, 2001