Trustworthy Computing 465
Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."
Some won't (Score:5, Insightful)
Over/Under (Score:4, Insightful)
If there is a time to deviate from their monthly patch cycle, this is it. The patch should have been out days ago, yet we are still waiting.
And Microsoft wonders why no one takes their security promises seriously.
Sometimes I think they do it on purpose (Score:5, Insightful)
Trusted computing is a farce, because the one thing that *isn't* trusted, is the user.
Shows how much MS cares for its customers. (Score:5, Insightful)
Clearly Microsoft wasn't interested in calling people in over the holidays to whip up a patch for this critical vulnerability-- something that you could go in a couple hours early tomorrow and roll out to the PCs in your organization. They're going to let you suffer. And why should they care? They've already got the money of the company you work for. People are going to return from their holiday vacations tomorrow, load the wrong web page in IE, and get pwned. And you'll be left to clean up the mess. Again. Better pack an extra sandwich with your lunch tomorrow, because you probably won't be getting out at 5.
Programmers? (Score:5, Insightful)
Is it just me (Score:3, Insightful)
Shame on Hemos (Score:5, Insightful)
And for that matter, there's no mention of "the Snort rules will hog your router's CPU", either - that's total rubbish, probably made up by the article submitter. And it slipped, too, since the Slashdot "editors" never care to actually edit stories before they publish them.
Shame on you, Hemos!
Re:What's wrong with... (Score:5, Insightful)
Re:Is it just me (Score:4, Insightful)
Why do folks still use Windows? (Score:1, Insightful)
When I had to pick an OS, I did research and picked one that I felt was secure enough for my needs. Windows didn't make my cut.
Somehow the Windows folks keep on choosing to use Windows, even though after the WMF exploit is history, they'll just be waiting for yet another "shoe to drop".
I understand that legacy apps/data formats get you locked-in to Windows, but doesn't "remote exploit" concern you enough to make you think "must switch!"?
Well the truth is.... (Score:5, Insightful)
Instead of having *some* machines patched, we'd have none. This late after the exploit has been released, and a zero-day attack has happened, we'd see no respite.
If you try to argue that Trustworthy computers wouldn't allow this to be exploited, what if the trustworthy compontent itself was exploited? As the Xbox and soon the Xbox 360 have shown, the more complex the hardware, the more complicated the bugs are. Microsoft's betting that the hardware complexity can outgrow the programmer's abilities to crack it, but if there's any truth in the world, it's that if it can be engineered, it can be destroyed. So imagine if this virus was actually signed by Microsoft through the exploit. How would this look for their company? How can you save face from a disaster like that?
No, trusted computers aren't the answer, just more secure computers, with better code. And the fact of the matter is, the more eyes that are on the code, the better it is, and that's why Open Source will always succeed. No amount of cryptography will help you if there's a hole in your crypto system.
Corporate? Try college. (Score:4, Insightful)
Speaking as a poor sap who has to fix these computers, I have one thing to say: "Thanks for the easy money". And a heads up to all you dorm technicians, get ready to start burning virus CDs.
In English please... (Score:2, Insightful)
"They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm."
Possibly the worst story ever.
Trust Worthy (Score:1, Insightful)
Comment removed (Score:4, Insightful)
Re:Well the truth is.... (Score:3, Insightful)
There's no "if" about it. The vulnerable component is a genuine Microsoft DLL, shipped as part of Windows, intended to render an official Windows file format. If you were running a "Trusted"(tm) PC, this DLL would 0WNZ0R you with no way out.
Re:Well the truth is.... (Score:5, Insightful)
You have it backwards. If you were running a DRM'd PC, this DLL would allow you to retake your own computer.
Remember, security flaws are only bad when security is protecting you. DRM protects Disney against you, so any hole in a DRM'd computers security makes it more, not less, valuable to its owner.
Maybe, in ten years time when only DRM'd computers are legal to buy, and attempt to install anything but Windows Whatever into them is a crime punishable by death, we will yet end up praising Microsofts total incompetence with anything resembling security.
Re:Over/Under (Score:3, Insightful)
Win98 patch? (Score:4, Insightful)
Your TPM software might refuse to run (Score:5, Insightful)
A much tougher case would be the "rely on others" programs where you have to prove to an external instance that your system has not been hacked. Take the "death to game cheaters" implementations as an example:
Want to fix your vulnerable Windows with a non-official patch?
World Of Warcraft II won't let you play anymore
I also don't believe this is temporary. Except in the sense that TPM might be (hopefully!) a colossal failure in the market. And considering the current vulnerability, this looks like more than a slight theoretical risk to me.
Re:Well the truth is.... (Score:5, Insightful)
So let's say I'm JoeISP. Hi JoeISP you might say, I'd laugh and go about my business. Some nasty cruel internet underdwellers would go about writing their programs as they do today, and start delivering their payloads to people over my network. I can't really stop them from doing this; there's simply too much data that goes through my network to look at every packet and assure that the content isn't executable or worse, a virus. I can take some countermeasures, but not to many. Nope, it's the end users who have to be trusted.
So over there is Miss Jane. She loves the internet, and her newly bought Laptop from Dell with a pretty new TPM chip in it. She's a customer as JoeISP, and I love her for it, she pays me a pretty penny a month she could be getting for free if her neighbor would share his wireless access point, but sadly for Jane, her computer doesn't detect that his WAP has a TPM chip, and her operating system says to her that even if the network weren't protected by WPA2, she still wouldn't be allowed to connect to it because it isn't a Trusted connection. She shrugs it off.
So, Jane goes about checking her email when she sees a really funny picture her aunt sent her. Oh boy that's funny she said, and she saves the picture on her desktop so she can look at it later, or maybe even send it to a friend! But what's this? Her computer suddenly locks up tighter than a steel drum and a little popup tells her that "Windows Trusted Computing has detected unauthorized code in memory, and will not allow it to be executed." But she wants to save the image! She dismisses the popup, and saves it again, same message.
She is disheartened and goes to Trusted Go^W Microsoft Search to find an answer. Turns out, lots of people have been having this same exact problem, and nobody knows why. Some guy with a pocket protector and glasses tell them to reboot their computers, go into their BIOS and turn off TPM protection, and she does.
Now when she gets back on the Internet (this of course, assuming that she can, more on this in a minute), she saves the picture and poof, she's now got the exploit running on her machine. Her virus protector (assuming she has one) goes haywire! Of course, Windows File Protection make certain that she can't easily select the file and delete it, after all, it is a running executable now. (Or, even if WFP *did* allow it, most viruses these days are smart enough to break virus protectors in a way that they can't remove the virus on their own, even if their data files are up to date).
She's smarter than your average bear, however, and is able to go to another computer and get back on the internet. She finds a patch for the bug, and a clean up tool that allows her to remove the code from the image. "Goodie" she thinks.
She goes back to the other machine, fixes the DLL, turns back on TPM, and goes to get on the internet.
My ISP (remember me, JoeISP?) instantly alerts an error. Someone has connected to our network with TPM on, but has modified their files! Our policy is not to let those people on our network at all, since that's what Microsoft told us to do. So we block her MAC and continue about our day. She calls in later, furious that she can't get the Internet to work in her house anymore. Any attempts to quell her ar
Re:Why do folks still use Windows? (Score:5, Insightful)
I work for a very small company, probably typical of thousands of other very small companies. Our company is too small to afford a full-time IT staff; I'm the entire IT department, and it's a very small part of my job. I'm the IT guru because I'm the only one there who knows a DLL from a dungheap.
I have formal training in computers, but so long ago that the field was still called EDP and time-sharing was a big deal. I've spent years learning what I know about Windows and Windows networks, in my spare time. It would take me years more to reach a similar level of expertise with a brand-new OS. And until I reached that level, we'd be more vulnerable than with Windows.
My company has about a dozen computers, including a single domain server with no backup server. We have about $60,000 invested in software (other than OS's) that will only run under Windows. We have no hardware to set up a test server, no money (or time) to spend on unsuccessful experiments.
The only person in our company who has ever used Linux is our 21-year-old secretary. We have one Unix machine, which I despise, because its desktop GUI is primitive and its command interface makes MS-DOS look well-designed and intuitive.
I rarely get to spend more than two or three hours a week on network maintenance, security monitoring, and research combined. If I hadn't automated them I wouldn't have time to do file backups some weeks. I have no time to spend trying to research the seventeen hundred different distros of Linux available, or whether Wine will support our COM+-dependent network applications--or whether the WMF exploit still applies if we run Windows applications on Linux.
We can't afford to have a regular support contract with a local computer-specialist firm. That's assuming we could even find someone in town we can trust--the overpriced morons who did our last batch of installations gave us a two-NIC server with only one NIC enabled (so no firewall), and set up user workstations with the Administrator password left blank!
I loathe Microsoft, and have since I first saw Windows 3.11. But what possible reason do I have for trusting the claims of Red Hat or Debian more? What research I can do is hardly reassuring. Remember Saturday's story here [slashdot.org]: researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included)?
I didn't choose Windows; I inherited it and have no resources to replace it. My company didn't really choose Windows; it was forced on us by the marketplace. Be realistic! My wife just bought an Apple, and the first thing she installed on it was the OS-X version of MS Office, necessary for compatibility with her company.
Maybe in another ten years Linux will be enough of a force that applications will be written for cross-compatibility, but little companies like mine can't wait that long. We have to use what we can, right now.
Re:Programmers? (Score:5, Insightful)
An 'arbitrary jump' is fine inside your own address-space, so long as you jump to storage you own, AND you have requested, AND have the 'key' to, AND is marked 'executable' in your current key/ring.
Jeeze! The mainframe guys had this figured out decades ago.
Don't trust the coder first - trust the computer architect first!
Re:Some won't (Score:2, Insightful)
But you're probably coming at it from a different mindset. If you're used to open source software you probably regularly trust patches from people who you otherwise wouldn't know simply because they released the patch as open source. You probably figure SOMEONE out there must know how to read the thing to determine if it's malicious and would throw up a red flag if they found something.
With Windows users they're not used to that level of trust, even when it involves a patch that includes source code. How many Windows desktops do you know of that have Visual Studio on them to compile this patch from scratch to verify the binary version isn't malicious? Coming from a UNIX world, not having a compiler on your system just seems weird, but Windows users are trained to trust in their binary patches and cross their fingers.
there is always choice (Score:3, Insightful)
You *can* run 2 instances of snort in-line to get around this CPU-pegging issue.
Not really a whole lot of choice about this one.
There is always choice - have you considered a defense-in-depth multi-layered approach? I'm taking the following steps
1. unregister the ms pic and fax viewer dll
2. make WMF file extension default to an erroneous app like notepad
3. turn DEP up a notch
4. turn off downloads in IE if you must use it (set default security settings to HIGH)
5. block all WMF files at the perimiter
6. keep antivirus up to date and consider frequent manual updates and scans of key machines
These things in combo with being vigilant over the next few days should keep you and your corporate networks safe. There are even MSI versions of the patch for mass distribution.
Re:Why do folks still use Windows? (Score:3, Insightful)
I rarely get to spend more than two or three hours a week on network maintenance, security monitoring, and research combined.
OK, so you're not a full-time IT guy. That's cool. But if you can't manage 12 machines and only $60K worth of vendor lock-in, then you absolutely, positively need some outside help. It's not an issue of whether you can afford it; at this point, I'd say you have to.
But what possible reason do I have for trusting the claims of Red Hat or Debian more? What research I can do is hardly reassuring. Remember Saturday's story [...]?
I did, but I don't think you did, because it was thoroughly debunked within the first 10 replies.
Let me put that another way. The article you're reading right now is full of stories about people going in on the holidays to patch their Windows systems. How many stories did you hear about Unix admins rushing in this weekend? All of last month? All of last year? So far this millennium? The latest unpatch{ed,able} Windows exploit is set to cause more work for the people who have to manage affected systems than the rest of us have had in the last five years.
But you can choose to believe whomever you want. As for me, I'm enjoying my four-day weekend and relaxing by reading about stuff that doesn't affect me. Hope your new year goes this well!
Re:Programmers? (Score:3, Insightful)
I don't think you could guard against execution (separately from read, on a S/360 successor) until IBM introduced data spaces. Execution is limited to data space 0, and if you don't let a program write to that space you are OK. But even now, though the architecture *can* separate read/write space from execution space, do mainframe OSes take advantage of that?
Re:Is it just me (Score:3, Insightful)
Re:Over/Under (Score:3, Insightful)
Modems existed, sure, but a FAST modem at the time was 19200 baud. People didn't use that to network. Before the Internet arrived, people used modems to call BBSes. When the Internet arrived in my town, it didn't offer SLIP or PPP... you dialed in and ran programs at the Unix shell prompt. There WAS NO LONG DISTANCE NETWORKING, except on the part of a few eggheads in academia. The concept of a worldwide network was something out of science fiction. In 1990, people would have given the ideas of a global network just ten years later and an invasion from Mars about equal credence.... ie, nearly none.
I assume you're too young to remember, but Microsoft had a huge revelation awhile after Netscape had that first monster IPO. "Wow! This internet thing.... it matters!" And THEN they started revamping all their single-user stuff to go on the Net.
In hindsight, it's very easy to see that they should have started really thinking about this in 1993 or 94, when the Net was first really making headway.... people liked it. A lot. Not figuring it out until 95 was pretty darn boneheaded on their part. And then in their rush to get on the Net and take it over, they made a lot of really, really stupid mistakes. And we're still paying for them.
But fer chrissake, the design of WMF... Microsoft is supposed to magically realize that the long-distance network between about five thousand academics is going to *take over the entire world*? When they were designing WMF, they had probably never even *heard of* ARPANET.
So yes, they DO get a pass on this. Their really serious errors were in trying to push '95 and '98 onto the Net, and writing all that functionality into Office that didn't need to be there. They didn't feel they had time to do it right, so they did it quick to grab the market. From 95 on.... the blame is entirely theirs. It was obvious what would happen.
But in 1991? You're high if you think security was much of an issue back then. DOS had *NO* security. None whatsoever. Neither did 3.1, 95 or 98. (well, 95 and 98 had a tiny bit of security, but it was a thin veneer). And everyone got along just fine, at the time. The only time security was needed was when you were in a corporate environment. Nobody talked from one computer to another, it was all from the workstations to the servers.
The only people that needed security at the time, in other words, were big businesses, and they ran Netware. Other than that, if you wanted to secure your data, you locked your computer up.
Extrapolating from that mindset to 'talking to every computer in the world', in advance, would be nearly impossible. Even having BEEN there, it's hard to wrap my head around how different things were back then.
What did they do wrong (Score:3, Insightful)
If you look at the patches realeased by others, they also say it might break applications, and you might have problems with it etc. I do not think MS has that option while creating a patch.
Microsoft accpeted there was a flaw, posted information about it, told you about workarounds. If you want to be protected just turn on DEP on all applications. Want to do it on multiple machines, use scripts to edit boot.ini and add
Re:Over/Under (Score:3, Insightful)
It is new, it is called DRM.
Re:Why do folks still use Windows? (Score:2, Insightful)
Short answer: It easily runs everything I want it to. The Linux user experience is significantly worse than Windows.
When I had to pick an OS, I did research and picked one that I felt was secure enough for my needs. Windows didn't make my cut.
What are you doing to make Windows insecure? Downloading unmarked executables from newsgroups and executing them? Running Outlook and double-clicking on every attachment you receive? Running without a firewall?
Let me rephrase your quote:
When I had to pick an OS, I did research and picked one that I felt was compatible enough for my needs. Linux didn't make my cut.
The last time I tried Linux (and I have, I really have), it didn't support all my hardware out of the box. Hardware support should simply work instead of having to recompile my kernel 36 times trying to figure out the correct settings (there were none, I had unsupported hardware). How ancient is that? And then I hated the distribution wars - the infighting over which was the "best way" to do something - the way that distro X does things completely differently from distro Y to the extent that they're binary and logically incompatible to the detrement of the user - and you end up hating both distros as neither of them uses a solution that makes sense for the user.
Then there's the sheer hypocracy of KDE - instead of supporting Microsoft, it's supporting Trolltech, but nobody seems to understand that ought to be just as much of an ethical problem. Trolltech are no better than Microsoft when it comes to trying to leverage a monopoly. The pond may be smaller, but if Linux ever takes off, Trolltech gets a free ride. Except that Linux will never take off while Trolltech are stunting commercial growth and charging $4000 per seat for commercial development licences - Microsoft couldn't have a more unlikely ally in supressing Linux.
And as far as a free OS, I found FreeBSD to be significantly better than Linux as it's logically organized and the maintainers are mature adults compared to the screaming teenagers of the Linux world.
Although neither Linux or FreeBSD run the games or applications that I want to play. If they reliably (and with no messing around) ran the very latest games (eg: World Of Warcraft), tax and financial software (eg: Taxcut and MS Money) - with full support for my graphics card, sound card and printer - I'd take another look. I did once manage to get Unreal Tournament 2003 running under Linux (which was the game I was into at the time) with full 3D acceleration, but the sound was delayed about 2 seconds so it was unplayable.
But given that I no longer use my computer for the sole purpose of messing with my computer, I'm sick of that shit not working. 15 years ago it would have been a fun challenge to "stick it to the man" and "rebel" against Microsoft, but I no longer care. I want as little maintainability as possible - I simply want to be able to read email, yell at people on
Re:Is it just me (Score:3, Insightful)
It all comes down to the question: Who do you trust? A company like Microsoft that has made billions of dollars with sometimes shady and even outright illegal business practices, or a bunch of diehard security enthusiasts who just hate to see their (and other people's) computers hacked?
No matter how you answer the question, it's likely to be an obvious answer.
For you.
Re:can't remove the callback feature (Score:4, Insightful)
CERT may think the function is obsolete, but that doesn't mean
that apps no longer depend on it. Stuff breaks if you go ripping
pieces out of an ABI. Somebody's critical business app might
even depend on the function.
Re:Deploying to many machines is hard (Score:5, Insightful)
Re:Over/Under (Score:2, Insightful)
More to the point: I was there too (I got on the net - the real one, that is, not just BBs-es - in 1988). IMHO, both grandparent posters were right.
The net was very real back then, and multi-user machines were in common use in engineering (I used graphical DomainOS Apollo workstations for my master's thesis, while we mostly still had an experimental and barely usable X11R2 floating about on some of the non-Apollo workstations). But security was indeed very lax in those days. We pulled some amazing pranks on each other back then and didn't really see the true potential impact of what we could do. It was just "having fun amongst the good guys at each other's expense". The bad guys were the ones that wrote viruses for MS-DOS. But since everyone knew that MS-DOS was a toy for kids, it really didn't matter. Once the kid's clever enough to write viruses would grow up a bit and go to college, they'd surely repent. And since they were that clever around computers, they'd be eagerly welcomed "on the job" as soon as they had a CS degree of their own.
Hell, the only security X had was xhost. Get past that, something horribly trivial (especially if open remote access to X is the default as it used to be), and you can do anything you want with people's machines and easily captured passwords. We didn't even need buffer overflows or callback-based image formats to get anything nasty done back then... :-)
My first real understanding of what was about to happen came "only" in 1991 when I spent a year in the Belgian Navy (conscripted) and when one day I had to pull the plug on the network of an entire Navy school due to some stupid but harmless virus that was spreading through the network. Up to that point' I'd never seen standard PC's and any sort of network in ome combination. So that day I really did "see some of the light".
But even so I didn't really get it yet. Back then I thought I'd done a very good job: stopped the spread, got the network cleaned, and defined some rules about not bringing "aboard" untrusted floppies that weren't needed for the job. Now I know what a fool I was: I'd been on the real Internet for several years; I'd just seen "live" what a network could do when combined with MicroSoft toyware; but since that particular school was not on the Internet (after all, they were not using UNIX :-), I imagined that things would be and remain under control if only people would implement a few rules about bringing in floppy disks form home. Real computer users didn't use PCs anyway... Silly me!
Re:Over/Under (Score:3, Insightful)
ANY DECENT AUDIT of such an "important" piece of code should have seen this with big flashing red signs. Registering a callback in a DATA DOCUMENT is patently stupid.
I agree with you that the real question is: who has known about this and for how long?
Because of how easy it is to get someone to view one of these files, how silent and universally easy the callback is (doesn't even need a stack or heap overflow!!!), how easily it can evade intrusion detection signatures, how rediculously easy it would be for an expoloiter to erase their tracks after breaking in -- it is downright scandalous.
Microsoft, organized crime, the NSA, North Korea, the zit-faced kid across the street could have used this bug to: spy on competitors, spy on the government, spy on YOU. And you'd never know. And only now after 15 years is it getting fixed, because HACKERS revealed it.
This should be the pearl harbor for data security. This should be on every tech blog. There should be congressional hearings. People should be talking under oath about this.
Re:Over/Under (Score:3, Insightful)
Just to make my points more briefly, by MS-Dos 3.0 it was well known that one needed a virus scanner/disk cleaner. And the internet worm of 1988 was devastating [std.com]. I still assert that by the end of the 80s O/S vendors had no excuse for ignoring security concerns. Unixes slowly got better (took Sun until about 1995 to clean up the easy SunOS hacks), but the Microsoft platforms didn't. VMS could be locked down, though often wasn't.