Oh, It’s On!
Thomas Ptacek | August 9th, 2005 | Filed Under: Uncategorized
It’s nice of Lindstrom to respond, particularly because it was nasty for me to lump his post in with Davidson’s screechy rant (caricature-by-association should be an entry in the Nizkor list.)
Lindstrom says my argument is emotional. Here’s the relevant snippet, regarding my inability to keep stripped-down BSD totally secure in 1996:
I don’t know what you did wrong, but I suspect you have a couple of ways to address that problem today - with proxies. In 1996, the risk was higher, though the ultimate impact was likely lower for most people. There were fewer people even on the Internet, and of those, most were technical elites. Tell me again why this matters today? Is it to evoke some sort of emotional commitment on my part? I don’t know - things change. Get over it.
I’m not sure what’s emotional about this. It seems simple to me:
It was simply not possible to run a secure mail server in 1996.
It is possible now.
The reason it’s possible is because security “researchers” beat the living hell out of software in the late 90’s.
(For the record, what I “did wrong” was to operate a server in 1996).
Back in 1996, there were just as many people complaining about “disclosure management” issues as there are now. Donn Parker compared the release of SATAN, a tool that finds open file shares, to “distributing high-powered rocket launchers throughout the world, free of charge”. The same arguments Lindstrom uses now, that disclosure serves no purpose and that the evildoers will use vulnerabilities anyway, all applied and were used back then.
The point is, when you advanced those arguments in 1996, you were dead wrong. Why are you any more correct now?
Lindstrom says, “things change”. I guess so. Can you support that statement with evidence?
Lindstrom says, “so, you made Microsoft accede to your demands”. Are we any better off for it? I don’t know; I don’t go after Microsoft, and I don’t use Windows. But I’m happier to know that they’ve got library and OS-level protection against stack and heap overflows now, and confident that Microsoft customers wouldn’t have had those protections without disclosure work.
Lindstrom recommends I read “Against the Gods” and learn more about risk reduction (serendipity: I’ve got a paperback copy on my desk right now). To show that disclosure helps, he says, we have to find every single vulnerability that the bad guys find (his emphasis). Flawed premise:
In the “risk reduction game of small numbers”, finding a vulnerability before the Russian Mafia does provides a measurable reduction in the number of machines that can be compromised.
The Microsoft-style response of blanket-level protections preemptively eliminates other as-yet-undiscovered vulnerabilities; this doesn’t just mean “heap overflow protection”, but also things like input sanitization and least-privilege design retrofitting.
The third-party protections Lindstrom advocates, like host IPS, came into being as a result of disclosure work; their deployment is motivated by ongoing disclosure work. For that matter, you can say the same thing for firewalls. Patching isn’t the only mitigating response. Services that have a demonstrated tendency towards failures can be:
Disabled
Filtered
HIPS-profiled
Segregated to backchannel networks
Proxied
Replaced with secure alternatives
And virtually all of these responses preemptively mitigate vulnerabilities that haven’t yet been discovered; reactions to disclosure that provide a force-multiplying advantage against future work by attackers.
The problem here is that:
They can’t ALL be disabled, filtered, profiled, segregated, proxied, and replaced: securing network software is a triage and risk management exercise, and the most important elements of the information that guide that process come from disclosure work.
Without a market for proxies and replacements, proxies and replacements won’t be designed. In the absence of the ten-year track record of repeated failure in Sendmail, you don’t get qmail and Postfix.
My sense of it is that Lindstrom’s argument is that everything should be proxied or guarded by HIPS. My response is that, for a lower level of effort and expense, we could deploy line-by-line audited open-source replacements to every insecure service. It’s an all-or-nothing argument: either you bite the bullet and spend tens of millions of dollars per F500 enterprise to fix the security problem, or you live in the risk-management world of disclosure and response.