i gathered it from your boring, useless, pathetic, flame-war-inspiring response to dinis' op.
why would i show you 'netiquette' when you didn't show him any? ... isn't the full-disclosure list fun!

-- Michael

On 4/8/06, nocfed <[EMAIL PROTECTED]> wrote:
>
> On 4/8/06, nocfed <[EMAIL PROTECTED]> wrote:
> >
> > On 4/6/06, Dinis Cruz <[EMAIL PROTECTED]> wrote:
> > > > First of all, I want to apologize to the Full-Disclosure and DailyDave readers for the last couple of posts which I CCed to these lists (the ones about Full Trust, managed browsers, verifier issues in Java/.Net and Sandboxing).
> > > >
> > > > I know that cross-posting is not good, and that it is quite inconvenient when you happen to subscribe to more than one of the target lists.
> > > >
> > > > The reason I did it was because I wanted to make sure that several companies/groups were exposed to it (and give them a chance to respond). In this case I am talking about Microsoft, Sun, Novell, Apple, IBM, Adobe, Open Source projects, etc... (basically the major software development houses and the ones responsible for most of the software used in the real world).
> > > >
> > > > From the big ones, only Novell had an entry to talk about AppArmor, which is an interesting process level Sandboxing solution.
> > > >
> > > > But the ones that I was expecting to see in this conversation were Microsoft and Sun. We were (and still are) discussing the security advantages of Sandboxing (Partial Trust in .Net and Security Manager in Java), and given the investment that both companies have made in this field, I was expecting to see some core/senior members supporting me (Dinis) in the defense of the need to 'create environments that are able to securely execute malicious code (i.e. Sandboxes)'.
> > > >
> > > > But no, not a single word. But then I was not surprised since Microsoft has been ignoring my public comments about this issue for the last two years.
> > > >
> > > > This means that either A) they don't care any more about this topic (Partial Trust / Security Manager code) or B) they are just playing the good old trick to ignore the little guy (which works in environments like today when the Media and paying clients don't care (read: don't understand) about the issue discussed).
> > > >
> > > > Option A) is quite realistic since Microsoft (after what happened with the 'Longhorn managed code failure' and Vista's reset to Windows 2003 code) seems to have moved (or kicked) the '.Net guys' to a corner, and decided to put their bets on creating an operating system which delivers a trustworthy computing environment in the hands of Vista's UAC (User Access Control) and Vista's capability to run as non-admin (which is a bad bet in my point of view).
> > > >
> > > > [side note: If the .Net framework is just a nice wrapper on the win32 API (see Richard Grimes' articles on this subject) with 99% of its code executed under a Full Trust environment and never verified, then why the security overhead of the current versions of the .Net framework (namely 1.1 and 2.0)? If CAS and Strong Naming (just to point to two examples) don't really deliver any real security value (just like 'client side data validation'), then why incur the overhead? Maybe we would get a nice performance boost in .Net applications if all those security calls were disabled. (Idea: I want to apply my 'Rooting the CLR' research to the creation of a patch for the .Net Framework which disables all security checks and (hopefully) improves the performance of .Net applications (drop me a line if you are interested in participating in this new Owasp .Net project))]
> > > >
> > > > After two years of trying, I GIVE UP trying to bring Microsoft to this discussion.
> > > >
> > > > Microsoft doesn't care, can't be bothered to participate (or the powers that be don't authorize the ones that want to participate), maybe believes that the types of attacks will not continue to evolve (i.e. the risk will not increase) or maybe it is just that inertia that affects large companies where nobody is really responsible for anything and the key decision makers are so distant from the real world (or believe in their own hype and power to manipulate the market) that they don't really understand the implications of their decisions.
> > > >
> > > > I think that my case is a perfect example of why Microsoft has such a bad reputation (not just in security), and why the new generation of developers (and IT professionals) are moving to Open environments (like Open Source).
> > > >
> > > > In the medium / long term Microsoft cannot afford to continue to ignore little guys like me (who are trying to do the right thing and help Microsoft to solve their security problems). They need to show respect and (at least) publicly talk about the issues raised.
> > > >
> > > > Microsoft and Bill Gates like to talk about trust and trustworthiness. Well, trust is something that is built over time, with respect, dialog and transparency. Not by ignoring and pretending that one doesn't exist.
> > > >
> > > > Maybe Microsoft's problem with me is the fact that I will NOT work for them nor sign an NDA (since I know that my independence would disappear the moment I signed one), or maybe they think that I am not good and knowledgeable enough for them to spend their 'precious time' with. They are wrong in not engaging in this conversation, and in ignoring my public requests to talk. I might be more vocal than some of my security consultant friends, but I know that most are as frustrated as me with Microsoft's attitude to Security.
> > > >
> > > > Memo to Sun: "Java has the same problem, and you should be worried when senior members of your community are very surprised to discover that most Java code is executed in -noverify environments"
> > > >
> > > > What I know is that my conscience is clear. Nobody can accuse me of not trying. Over the last two years I made every ethical effort to call Microsoft's attention to this problem: I wrote articles, security guides, security tools, training courses, presentations, collaborated on .Net Open Source projects (like Owasp), and even had two meetings at Microsoft's Redmond campus with several key players in Microsoft's security and .Net teams (it seems that all that was left to do was to bring down a couple of ISPs / global companies just to prove my point, but since I am ethical and a 'good guy', that is something that I will never do).
> > > >
> > > > From all this effort, I have very little to show for it (except for my increased knowledge, several good contracts and some raised awareness among a couple thousand professionals who read or saw my materials or used my tools).
> > > >
> > > > My main objectives were to get Microsoft to publicly admit that .Net Framework's Full Trust is a big problem and to start the paradigm change to a Partially Trusted world.
> > > >
> > > > Unfortunately I failed.
> > > >
> > > > .Net 2.0 was launched and nothing changed.
> > > >
> > > > 99% of the applications that exist today and are currently under development are designed for Full Trust (or equivalent) environments.
> > > >
> > > > So, I will wait patiently for the day that Microsoft (and the others) decide to join the party. Meanwhile I will continue my discussions on the [EMAIL PROTECTED], [EMAIL PROTECTED] and [EMAIL PROTECTED] mailing lists, since at least there my ideas are debated and challenged by other like-minded professionals (thanks guys).
> > > >
> > > > I will not initiate another discussion on Full-Disclosure and DailyDave about Full Trust and .Net/Java Sandboxes because their audience is not interested in them and the Microsoft (and others) subscribers ignore them.
> > > >
> > > > To wrap things up, here are a couple of quotes from a senior Microsoft Security employee, given to me in his office in Redmond a couple of months ago (in Feb 2006):
> > > >
> > > > "...Dinis, what you are saying is important, but at the moment it is not one of our main priorities... There are several reasons ... a main one is the fact that we tried that with Vista and it didn't work... but probably the main one is that we (Microsoft) don't have client pressure to deliver it
> > > >
> > > > ... basically there is currently no business case to invest in that since our (Microsoft) clients are not demanding it...
> > > >
> > > > ...what needs to happen is that you (Dinis) need to find 5 major Microsoft clients which want this, and then we might do something about it ..."
> > > >
> > > > My response to this last comment was "...look, this is not my problem, this is Microsoft's problem since it is Microsoft who is promising to deliver a 'trustworthy computing environment'. So if Microsoft doesn't want to do it, and Microsoft's clients don't put pressure, then there is nothing I can tell you (Microsoft) that will change your mind..."
> > > >
> > > > My conversations with Microsoft's employees tend to always end the same way: I ask them to start by acknowledging the current Full Trust problem, and they respond by saying '... we are working very hard ... or ... things are better today than they were a couple of years ago ... or ... when compared with the status of the industry we are not that bad ... or ... we know that we need to do better to educate our developers to write partially trusted code..'. Basically just words and no actions.
> > > >
> > > > Sorry for the 'digital noise' of my previous posts.
> > > >
> > > > Best regards
> > > >
> > > > Dinis Cruz
> > > > Owasp .Net Project
> > > > www.owasp.net
> > >
> > > Congratulations.
> > >
> > > I have yet to understand why anybody would feel that the majority, if even the minority, of this list could care less if they are here or gone. You should be sorry about the 'digital noise' that you are spewing now: speculation and partial, out of context quotes without an actual source name, yet you want people to listen to You. Think about it for a while. You are wanting a Company to just jump at what YOU want done, right then, without knowing their current projects or workload. I am sure, from the broken information provided, that YOU are not privy to their practices or even escalation paths. I am not attempting to defend Microsoft, Sun or any of the other players that you have listed, but Business in general. The reason they give you those replies is liability. When the little man on the totem pole gives a direct reply then they are usually held accountable for their words, which could lead to the loss of their position at the company that they are representing. Just think about it. "Thank you for this information! We will get this fixed in the next patch release" just leads to an information leak, then some online blogger, or self-righteous 'security expert', cross-posting to 20 lists claiming that they got something done like The Twit(TM). We all know that is not always the case, but many larger companies have dealt with it already and have placed rules and guidelines for handling such situations. Many may not believe that is the best way to do it, but yet again it's not what you want. In conclusion, let's remember that they got where they are for a reason, as well as you are where you are for a reason.
> >
> >
> > On 4/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > nocfed, are you saying that researchers shouldn't hassle companies with notes about the security of their products, because they might have more important things to be doing than respond to them?
> >
> > what fucking list are you on again?
> >
> > -- Michael
> >
>
> I have no idea where you gathered that from. If you feel that the information needs to be disclosed then do it, but don't expect a reply, especially in a public forum.
>
> Show common netiquette if you decide to reply.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
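The Full Trust versus Partial Trust distinction Dinis argues about in the quoted post, as an added example that is not part of this thread and not code from the OWASP .Net project: one .NET Framework executable runs the same file-reading method twice, first in the default AppDomain (Full Trust, where the FileIOPermission demand is satisfied without the developer ever noticing it) and then in a second AppDomain whose grant set is a constructed PermissionSet holding only SecurityPermissionFlag.Execution. The type names (Probe, SandboxDemo), the temp file, and the target of .NET Framework 2.0 SP1 through 4.x on Windows (the AppDomain.CreateDomain overload that takes a PermissionSet; CAS is not enforced on .NET Core / .NET 5+) are assumptions of this example.

```csharp
// Added example, not code from the thread. Assumes .NET Framework 2.0 SP1 - 4.x:
// the AppDomain.CreateDomain(string, Evidence, AppDomainSetup, PermissionSet,
// params StrongName[]) overload. .NET Core / .NET 5+ ignore CAS entirely.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// MarshalByRefObject so that a proxy crosses the AppDomain boundary and the
// method body executes inside whichever domain created the instance.
public class Probe : MarshalByRefObject
{
    // Returns a description of the outcome instead of throwing, so the host
    // can print the Full Trust and Partial Trust results side by side.
    public string TryReadFile(string path)
    {
        try
        {
            string contents = File.ReadAllText(path);
            return "read " + contents.Length + " chars from " + path;
        }
        catch (SecurityException ex)
        {
            // The FileIOPermission demand failed: this is the CAS check that
            // code designed for Full Trust never sees.
            return "denied: " + ex.GetType().Name + " (" + ex.Message.Trim() + ")";
        }
    }
}

public static class SandboxDemo
{
    // Builds a sandboxed AppDomain. The grant set allows managed code to run
    // and nothing else: no FileIO, no UnmanagedCode, no Reflection, no
    // SkipVerification, so both the verifier and CAS demands stay in force.
    public static AppDomain CreateSandbox(string applicationBase)
    {
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = applicationBase;

        // No fullTrustAssemblies list is passed, so even this executable, when
        // loaded into the new domain, runs with the restricted grant set.
        return AppDomain.CreateDomain("PartialTrustSandbox", null, setup, grant);
    }

    public static void Main()
    {
        // Constructed sample input: a throwaway file in the temp directory.
        string probeFile = Path.Combine(Path.GetTempPath(), "cas-demo.txt");
        File.WriteAllText(probeFile, "sensitive contents");

        // 1. Default domain: Full Trust. The demand succeeds silently.
        Probe local = new Probe();
        Console.WriteLine("Full Trust:    " + local.TryReadFile(probeFile));

        // 2. Sandboxed domain: identical type, identical IL, restricted grant set.
        AppDomain sandbox = CreateSandbox(AppDomain.CurrentDomain.BaseDirectory);
        Probe remote = (Probe)sandbox.CreateInstanceAndUnwrap(
            typeof(Probe).Assembly.FullName, typeof(Probe).FullName);
        Console.WriteLine("Partial Trust: " + remote.TryReadFile(probeFile));

        AppDomain.Unload(sandbox);
        File.Delete(probeFile);
    }
}
```

Compile with csc.exe against the .NET Framework and run it once: the first line reports the read succeeding, the second reports a SecurityException from the sandboxed domain. Nothing in Probe changed between the two calls; the only difference is the grant set of the domain the code was loaded into, which is the point the quoted post makes about applications being "designed for Full Trust". Adding a FileIOPermission for the specific path to the grant set (or passing the host's StrongName as a fullTrustAssemblies entry) makes the second call succeed, and is how a host narrows a sandbox deliberately rather than by handing out Full Trust.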
