Re: [SC-L] Yoran on the state of software security

2004-04-22 Thread Nick FitzGerald
"Greenarrow 1" <[EMAIL PROTECTED]> wrote:

> I feel government should not become involved with the internet and/or its
> security.  For one if people look at the government's security most 
> departments have a grade of C or below.  ...

Not that I'm trying to suggest that "the government" -- I guess you 
really mean "the US government" so I'll add "or any other government"
-- necessarily should be the driver of such things, but the only reason 
you know how bad ("C or below" you say) your government departments are 
at IT security is because they actually care enough to one, try to 
measure it and two, publish the results.

> ...  Would you want someone like that
> telling you how to secure programming?

Well, there is plenty of anecdotal evidence that suggests the rest of 
the private sector is _worse_ than the government sector, so I strongly 
doubt that self-policing will work!

And worse still, the private sector is _heavily_ motivated to hide that 
fact.  If the (US) private sector really was going to be the saviour of 
IT security, it would have been rampantly in favour of recent attempts 
to add IT security compliance statements to federal reporting documents 
for publicly listed and traded companies (or have been championing even 
stronger measures!), but what did it do -- that's right, lobbied really 
hard to get such measures and any suggestion of them removed.

If the private sector really was vested in IT security concerns it 
would be rooting for removal of the liability exempt status that almost 
exclusively applies to computer software and its developers.  What 
other "responsible" professional business sector has got away with such 
a scam for so long?  And don't try to sell me that "but it will depress 
innovation" BS -- "we" don't have to beat the stinking pinko commie rat-
b*stards to the moon, or anywhere else, any more so why are so many 
software developers (and their political pointsmen) still saddled with 
such a short-sighted, Cold War mentality that is clearly a significant 
anti-quality, and therefore anti-security, driver?  Oh, and the "but it 
will kill open-source" BS'ers can butt out too -- if your code is that 
bad that you won't take _any_ responsibility for it, don't publish it 
_regardless_ of the licensing terms and, if it is any good, what 
possible damage (apart from to your reputation and ongoing business 
viability) can liability to, say, the cost of the software, do to you?  
(Of course, such a move may have the effect of "forcing" most large s/w 
developers to adopt freeware or open source approaches to make their 
insurance premiums affordable, but that would not necessarily be a bad 
result.)

Why hasn't the private sector been actively in favour (beyond actively 
mouthing support for the general notion that better IT security is 
something we all need) of public IT security reporting standards, 
removing software's "liability exempt" status, or any other concrete 
measures to get a handle on the scale of the problem, provide means to 
measure whether we're slipping, holding or improving and so on?

It wouldn't be that there are vested financial interests in treating us 
like mushrooms (keeping us in the dark and feeding us sh*t)?

Surely not!  How scurrilous a suggestion...

...

Above I said your government departments "care enough" to actually try 
to provide some IT security metrics.   In fact, I'm sure they don't 
care for it at all and would prefer, like their private sector 
counterparts, to not have to do anything of the sort.  The reason they 
"care enough" to make such measurements is simply because they are  
required to do so.  I would just love to see how the high and mighty, 
reputedly IT security loving, US private sector stacked up against the 
same metrics...


Regards,

Nick FitzGerald



RE: [SC-L] Bugs and flaws

2006-02-03 Thread Nick FitzGerald
"Gary McGraw" <[EMAIL PROTECTED]> wrote:

> To cycle this all back around to the original posting, let's talk about
> the WMF flaw in particular.  Do we believe that the best way for
> Microsoft to find similar design problems is to do code review?  Or
> should they use a higher level approach?

I'll leave that to those with relevant specification/design/ 
implementation/review experiences...

> Were they correct in saying (officially) that flaws such as WMF are hard
> to anticipate? 

No.

That claim is totally bogus on its face.

It is a very well-established "rule" that you commingle code and data 
_at extreme risk_.

We have also known for a very long time that our historically preferred 
use of (simple) von Neumann architectures makes maintaining that 
distinction rather tricky.

However, neither absolves us of the duty of care to be aware of these 
issues and to take suitable measures to ensure we don't design systems 
apparently intent on shooting themselves in the feet.

I'd wager that even way back then, some designer and/or developer at 
MS, when doing the WMF design/implementation back in Win16 days (Win 
3.0, no?) experienced one of those "We really shouldn't be doing that 
like this..." moments, but then dismissed it as an unnecessary concern 
"because it's only for a personal computer" (or some other cosmically 
shallow reason -- "if I get this done by Friday I'll have a weekend for 
a change", "if I get this done by Friday I'll make a nice bonus", 
"usability is more important than anything else", "performance is more 
important than anything else", etc, etc, etc).

Given the intended userbase and extant computing environment at that 
time, the design probably was "quite acceptable".  The real fault is 
that it was then, repeatedly and apparently largely unquestioningly, 
ported into new implementations (Win 3.1, NT3x, Win9x, NT4, ME, Win2K, 
XP, XPSP2, W2K3) _including_ the ones done after Billy Boy's "security 
is now more important than anything" memo.  At some point in that 
evolution, several someones should have been raising their hands and 
saying, "You know, now is the time we should fix this...".  Someone on 
one of the IE teams obviously noticed and flagged the issue, but 
why didn't that flag get raised bigger, higher, brighter?

...

It is bogus for another reason too -- some of the people at MS making 
that official claim also said "this is the first such flaw of this 
kind", and that's just BS.  Long before WM/Concept.A (or its 
forerunner, the oft-forgotten WM/DMV.A) many security and antivirus 
folk were warning that embedding the more powerful, complex programming 
language and architecture macros (such as WordBasic, VBA and 
AccessBasic) into their associated "document" files was an inherently 
flawed design and would only lead to trouble.

So, not only have we long-understood the theoretical reasons for why 
the underlying causes of WMF are inherently bad design and best avoided 
if at all possible, BUT MS has had its own, self-inflicted stupidities 
of exactly the same kind.

If MS truly could not anticipate, at some point along the Win3x to W2K3 
development timeline earlier than 28 Dec 2005, that this WMF design 
"feature" would cause trouble, one has to ask if MS should be allowed 
to make software for general consumption...


Regards,

Nick FitzGerald

___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] Bugs and flaws

2006-02-03 Thread Nick FitzGerald
Al Eridani <[EMAIL PROTECTED]> wrote:

> If the design says "For each fund that the user owns, do X" and my
> code does X for
> all the funds but it skips the most recently acquired fund, I see it as a
> "manufacturing" error.
> 
> On the other hand, if a user sells all of her funds and the design
> does not properly
> contemplate the situation where no funds are owned and therefore the software
> misbehaves, I see it as a "design" error.

Maybe I'm confused, but...

If the design in your second case is still the same one -- "For each 
fund that the user owns, do X" -- then this second example, like your 
first, is NOT a design error but an implementation (or "manufacturing" 
if you prefer) error.  (Both are (probably) due to some or other form 
of improper bounds checking, and probably due to naïve use of zero-
based counters controlling a loop...  8-) )

The design "For each fund that the user owns, do X" clearly (well, to 
me -- am I odd in this?) says that NOTHING be done if the number of 
funds is zero, hence the second result is an implementation error.


Regards,

Nick FitzGerald
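The "For each fund that the user owns, do X" design discussed in this exchange, as an added example that is not part of either poster's message: one faithful implementation beside the two implementation errors described (an off-by-one bound that drops the most recently acquired fund, and a do-while shaped loop that assumes at least one fund exists), plus a small check that compares each implementation against what the design requires. The Fund type, the rebalance action and the sample portfolio are constructed for illustration only.

```python
# Added example, not code from the original thread. Fund, rebalance() and the
# sample portfolio are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, List, Sequence


@dataclass(frozen=True)
class Fund:
    name: str
    value: float


Action = Callable[[Fund], str]


def rebalance(fund: Fund) -> str:
    """The 'X' of the design: a placeholder action that records which fund it touched."""
    return f"rebalanced {fund.name}"


def per_fund_faithful(funds: Sequence[Fund], action: Action) -> List[str]:
    """Faithful to the design: with zero funds the loop body never runs."""
    return [action(f) for f in funds]


def per_fund_skips_newest(funds: Sequence[Fund], action: Action) -> List[str]:
    """Implementation error 1: an off-by-one upper bound drops the last
    (most recently acquired) fund. Note that it still 'passes' on an empty portfolio."""
    return [action(funds[i]) for i in range(len(funds) - 1)]


def per_fund_assumes_nonempty(funds: Sequence[Fund], action: Action) -> List[str]:
    """Implementation error 2: a do-while shaped loop executes the body at least
    once, so an empty portfolio indexes funds[0] and raises IndexError.
    The design said nothing should happen; the crash is the implementation's fault."""
    out: List[str] = []
    i = 0
    while True:
        out.append(action(funds[i]))
        i += 1
        if i >= len(funds):
            return out


def check_against_design(impl, funds: Sequence[Fund]) -> str:
    """Compare an implementation with the result the design requires for this
    portfolio. Returns 'ok', 'wrong-result', or 'crashed: <ExceptionName>'."""
    expected = [rebalance(f) for f in funds]
    try:
        got = impl(funds, rebalance)
    except Exception as exc:
        return f"crashed: {type(exc).__name__}"
    return "ok" if got == expected else "wrong-result"


# Constructed sample inputs: a three-fund portfolio and the "sold everything" case.
PORTFOLIO = [Fund("alpha", 100.0), Fund("beta", 250.0), Fund("gamma", 40.0)]
EMPTY: List[Fund] = []

if __name__ == "__main__":
    impls = [
        ("faithful", per_fund_faithful),
        ("skips_newest", per_fund_skips_newest),
        ("assumes_nonempty", per_fund_assumes_nonempty),
    ]
    for name, impl in impls:
        print(f"{name:17} 3 funds: {check_against_design(impl, PORTFOLIO):13} "
              f"0 funds: {check_against_design(impl, EMPTY)}")
```

The two defects are exposed by different inputs: the off-by-one loop is only caught by a non-empty portfolio, while the do-while loop is only caught by the empty one, which is why a test suite for a "for each" design needs both the typical case and the zero-element case.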




Re: [SC-L] State Department break-in last summer

2007-04-19 Thread Nick FitzGerald
ative of the 
"attackers" (or, at least those they buy their exploits from) having 
access to the reputed/rumoured stolen Office source which, if it ever 
was stolen, would be code of older versions of Office and thus be more 
likely to have changed, and thus not exhibit the same vulnerabilities, 
in newer versions.

> Just a thought.

Ditto...


Regards,

Nick FitzGerald

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___