[lbo-talk] Re:

snit snat snitilicious at tampabay.rr.com
Fri Jul 23 10:09:51 PDT 2004


At 12:17 PM 7/23/2004, Dwayne Monroe wrote:


>===========
>
>
>
>Yes.
>
>
>The security unconscious integration of services on
>the Win32 platform (along with the architecture of
>windows networking - i.e. smb/port 135 and 445 holes
>as budge says), in concert with user gullibility,
>creates a cornucopia of exploits.

I know, I know. So, lookee. If we could majikally make it so that other OSes could do same--provide the integration, seamlessness, and ease of use-- what would happen? I mean, the integration thing is the key. I had to write a white paper on this a few years ago. A client's security dept was desperately trying to stave off a Microsoft Marketing Attack on the IT dept. They'd been running a non-microsoft shop for years. But Microsoft Marketing Dewds got hold of a few key people in the executive suite and.... the rest is history. My valiant attempt to save them with a, uh, "white paper" defending their current policies and laying waste to M$ fell on deaf ears. Because....

Microsoft is integrated and it makes it that much simpler. It's productivity, ease of use, click and drool... over EVERYTHING else. (I had to deal with the same in-house, developing software. I'd come up with the concept, took over the project. The developer and I fought like hell to make sure this thing wasn't only developed for IIS. CEO said, no, we gotta develop for IIS and IE. Well, I've since left the project for the sake of my sanity. It was like talking to a brick wall. I was so glad the u.s. gubmint panned Exploder. FINALLY! And yet, even trying to build Web pages for all the different platforms and browsers. WHAT a PITA!)

And, sorry, I like the design stuff. It matters. I just got off the phone with the same VP who was shocked at the difference it made to read the stuff in plain document format, versus the jazzed up design we used for the training materials. It made a difference as to what people actually _learned_. He was falling all over himself thanking me for insisting that the materials were produced a certain way because it mattered as to _how_ people learned and whether they'd even read it or not.

Anyway, I know that a lot of the security issues have to do with the fact that the software development process is different -- commercial v open source. Under marketing pressures, security isn't and won't ever be built in from the ground up. No one's going to pay people to spend their time seeing how they can break software that an organization has devoted all those resources to. It becomes a matter of groupthink, as well as an organizational issue (bureaucracy and all that jazz.)

Even if you spend some time on security controls in the dev process, you've still got tin ears. Security hole? WHAT security hole? I know NOZZINK! about no security hole!

I'm sure you know all this. I guess what I'm asking is: if other OSes/apps are going to be successful, they end up having to march to the beat of the system.... (It's not that much different than the indie v. chain bookstore discussion we just had.)


>This is a large part of why Win32 targeted malware (a
>perfectly useful word - a shame your users are
>perplexed by it) is able to do so much teeth grinding
>mischief.

Naw. It's this: people can't handle being introduced to a new word or concept. It makes them stop dead in their tracks and think. Now, a person who likes to be challenged will think: "Hmmm. Mal. Mal means "bad". Mal evokes words like "grope" or "paw." "Ware" -- like software. Table ware. Yeah. Ok. Hmm. Neat. Bad Ware. Malware. Bad stuff. Stay away. Clever. I'll remember that."

New word= opportunity to learn. A challenge to expand your domain.

But, see, the ordinary person who has been through our school system has learned to feel dumb in the face of new words. They haven't been taught that it's normal to encounter things you don't know and that it's only a matter of learning more if you want to, or not learning more if you don't. No matter what, it's no reflection on your intelligence if you don't know a word. It's not a reflection on your intelligence if you actually ask. It's a reflection on the time you have to devote to learning, and that's it.

But that's not how most students learn. Thus, we have readers who are immediately cowed by anything that's unfamiliar to them. Their defense mechanism is to ridicule it or be angry at whoever used the word for "excluding" them. Feeling ridicule or anger doesn't dispose them to want to pay attention. Thus, they tune out.


>For example, consider the Outlook Express MHTML
>Protocol Handler vulnerability:
>
><http://www.us-cert.gov/cas/techalerts/TA04-099A.html>
>
>
>This is a clever hack, built essentially upon layer 8
>weaknesses, which creates a sort of cascade security
>failure beginning with Outlook Express, activated via
>a request to Internet Explorer (which in turn
>processes ActiveX or other malscript), then passed
>back to OE for completion in the 'local zone' of the
>machine. All of this is made possible by the way
>Microsoft has decided to present services and pass
>requests within the operating system. The very
>features that create the illusion of (sometimes)
>seamless integration of Microsoft products also lay a
>smoothly paved, multi-lane highway to elevated
>privileges (or denial of services) land.

See, this is why I love reading you. :)


>There are also, of course, privilege elevation
>exploits haunting the *Nix world but most of these
>require more than a script kiddie level of knowledge
>to cross the shadow separating idea from act and the
>OS supports isolation rather than wildfire.
>

"We're in a fucking stagmire."

--Little Carmine, 'The Sopranos'


