Security Basics mailing list archives
RE: Security and EOL issues
From: "Donald N Kenepp" <don () videon-central com>
Date: Tue, 17 Jan 2006 12:08:03 -0500
Hi Matthew,

Let's extract some bait here. (Full original message from Matthew can be found below.)

> I know I'm speaking from my point of view here
> . . .
> A belief that a good company, if Microsoft were one
> . . .
> in this specific instance, an easily exploitable flaw/intentional backdoor
Yes, I think your vantage point is clear. There are some points where you almost seem to concede that Microsoft doesn't have a responsibility to upgrade the code, but I think you are eventually discounting some of these points because you feel Microsoft should be seen as naughty or even malevolent. Again, sadly, I have to refer you to the idea that something that is honorably (or dishonorably - even the staunch Microsoft people aren't big on Windows Me) discharged is eventually not worth the time, money, or effort to fix for either the vendor or the consumer.

Ford doesn't support the classic 65-72 Mustangs either. Plenty of people drive them; more wish they hadn't gotten rid of theirs. You might even still find a few wealthy people who like to restore Model Ts. That doesn't necessarily make them safe to drive, even if the government regulations say they are safe on the road. It also doesn't make Ford "slightly irresponsible" for not making free OEM three-point seatbelt upgrades for some of them. I think most people agree that lap belts aren't necessarily enough. It is *possible* to get three-point seatbelts installed for the front seats in a '66 Fastback, but it takes quite a bit of doing, and still doesn't quite turn out to be perfect. For the convertibles, I can only imagine that you'd have to alter the entire frame of the car, much like eventually NT 4.0 simply can't be altered enough to be reasonably secure without a complete redesign from the ground up. You have to choose whether to use the stock car or to modify it for safety. You also have to realize that after a certain point you can't necessarily make a rear-wheel drive quite as safe in the snow, or that putting in the racing cage, all around disc brakes, and the full Shelby stabilization package is going to cost you more than a new car.
It's your choice if you want to try and do it, but when you get that far you are accepting that you *want* to use the old car more than the new one that's OEM supported and therefore possible, easier, and cheaper to maintain with regard to current safety realities. If you truly have consumer dissatisfaction rather than a long fishing pole, I would suggest Linux. If you don't like what Microsoft is doing, don't use their systems. If NT 4.0 support isn't doing it for you anymore, use something else. I do like Microsoft products for a lot of tasks, but Microsoft isn't the only fish in the sea.
> However, I can think of a myriad of reasons why you'd stay on legacy software in many environments, with cost being an obvious one, but compatibility being another.
Cost issue? Pick your free OS flavor. Compatibility issue? I don't think I've run into a program yet, though I suppose I have to admit it isn't impossible, that ran on NT 4.0 and doesn't run on NT 5.0. If your systems don't support anything newer than 4.0, I'd recommend new systems, or again, a transfer over to a non-GUI-based OS if the cost of replacing old hardware is an issue. If your software vendor doesn't support anything newer, why pick on Microsoft alone? Tell your vendors to give you a free software upgrade that runs on your new OS and see how far you can get telling them they are "slightly irresponsible" if they don't provide free updates to their software so that it runs on newer systems. I'd call them responsible for a lack of compatibility if they haven't created an option to move off NT 4.0 for you by now.
> Compare that with the cost that it would have taken MS to fix the problem in NT,
Honestly, I would assume that Microsoft paid quite a bit of overtime on this already, but yes, perhaps that is a drop in the bucket. However, how much does it cost a year for Microsoft to keep resources on Windows NT 4.0, Windows 98, etc. rather than moving those resources over to newer OS support or development? You might find a bigger number.
> it would have been a nice bone from a company that's been fairly anti-consumer since it first flexed its muscle.
I'm not sure that I buy into Microsoft being anti-consumer, but that's your right. To me, the problem in the past was that Microsoft has been a bit too pro-consumer and anti-security until XPSP2. They were too concerned that they would lose customer base if they created compatibility issues or more complex installation / configuration needs with enhanced security. Microsoft is changing from making a mess trying to keep code that is insecure just to be compatible and instead are finally ditching some old code to try and make consumers more secure at the potential cost of making a few people unhappy. Do they have a long way to go as far as security practices? Yes. Are they making a good effort in the right direction at the moment? I believe so.

There is always going to be someone still using Windows NT 4.0, or Windows 98 as long as they feel they can get away without upgrading. The problem is that there was fair warning that problems like these would eventually appear. Where are you actually willing to draw the line? The vulnerability exists in some form for Windows 95. Does Microsoft owe us a patch for that too? Perhaps the line seems to magically be at NT 4.0 because that's where the businesses that would never bother to upgrade if they could manage it are left standing. When I see a friend or client with NT 4.0 or Windows 9x I'm not complaining that Microsoft doesn't properly support it, I'm working to get it migrated or protected by other means as fast as humanly possible, especially because with every year these systems are more susceptible to security issues. It's old code trying to beat out new malware innovations. Eventually it's easier to start with better base code.

There are people who take the next step and claim Microsoft is also slightly irresponsible if they don't patch pirated software. Sometimes Microsoft does end up doing it anyway in an effort to keep things safer on the whole, but are they irresponsible if they don't, or taking on extra responsibility if they do? I'd say the latter, and I thank them for thinking of the Internet as a whole regardless of cost when they do, no matter how often or infrequent that may be in some eyes. There are plenty of people using pirated software that want all the updates to work on the unlicensed versions.

I do agree with some of the things you said, but I have to disagree with what seems to be your general attitude toward when Microsoft or any other software vendor should be called irresponsible. I am a bit curious as to what it would take for you to say a system no longer deserves Microsoft security patches. If you don't draw the line for NT 4.0, where do you draw it?

You are welcome to let things rest or reply, but if it is more allusions to conspiracies and the evil empire, I'll have to let someone else bite. It may also be best served as a direct discussion rather than on the list. So the above are my views and recommendations. Rather than wasting comments and ending up involved in dirt throwing, I'll let my point rest from here. Perhaps something I've said will convince you, or change your view slightly, or perhaps we need to just assume the other isn't going to change their view and people listening have made up their minds as well. I did take the time to think about my views on the subject, so I do thank you all for the discussion.

Sincerely,
Donald

-----Original Message-----
From: Matthew Schiros [mailto:schiros () gmail com]
Sent: Monday, January 16, 2006 5:51 PM
To: don () videon-central com
Cc: Jeffrey F. Bloss; security-basics () securityfocus com
Subject: Re: Security and EOL issues

I'd like to inject, for a moment, if I may.
I know I'm speaking from my point of view here, but I believe that what I'm about to say is consistent with what Jeffrey and others who have made similar points believe as well. A belief that a good company, if Microsoft were one, would provide either recalls (in the case of physical products) or updates (in the case of software) to any of their products that suddenly exhibits fatally flawed behavior (in this specific instance, an easily exploitable flaw/intentional backdoor) is NOT the same thing as saying that that company is somehow responsible for the damage that may result as a consequence of that flaw (when dealing with EOL'd product lines). Microsoft is clearly in no way legally, or even ethically responsible for maintaining EOL'd code, and they are CLEARLY not liable for any damages that a system or network incur when people are using a version of their software that no patch exists for. That's not my point, and I don't believe that it's anyone else's point. What _is_ the point is that Microsoft was confronted with a flaw in their software that spanned all versions, and it is slightly irresponsible of them not to fix it in versions of their software that they know to still be in use. Ford doesn't support the Model T because nobody drives a Model T, and because there are a myriad of regulations governing what the automobile industry must do. Thankfully, those regulations don't exist in the software market (very much, in most sectors), so instead of asking Uncle Sam to solve the problem for us, we simply register our consumer dissatisfaction. Is it equally irresponsible for networks to run outdated software? Yes, of course, more so. However, I can think of a myriad of reasons why you'd stay on legacy software in many environments, with cost being an obvious one, but compatibility being another. Compare that with the cost that it would have taken MS to fix the problem in NT, especially since they apparently took a fairly simple approach to it. 
It would have been a nice bone from a company that's been fairly anti-consumer since it first flexed its muscle. I hope this clears up some issues. If I spoke for those who disagree with me, I apologize.

Matt Schiros

On 1/15/06, Donald N Kenepp <don () videon-central com> wrote:
Hi Jeffrey,

Perhaps Steve's analogy does not fit the case perfectly. Analogies usually break down at some point. Your analogy of asbestos also has major faults. Asbestos was bad for us from the beginning. The mistake was hidden for as long as possible. All this legacy software was fine to use until someone else looked as hard as they could to find a problem and then exploited it. Without discovery of the problem, asbestos still would have killed people. Without the malicious coders, older software's security would be just fine.

By your definition, as long as someone is using the manufacturer's product, the manufacturer is liable for that person's usage of their product. This is not actually the case. In new products, we see a product recall, with free replacement or repair. This is essentially one part of service packs. In legacy products, we see them removed from the shelves, often replaced with a better product. You cannot purchase Windows NT 3.11 from Microsoft anymore, just like you cannot purchase a Model T. Ford is no longer responsible for your safety if you choose to still drive a Model T. They aren't responsible for your safety if you choose to drive a car without safety glass, breakaway steering wheels, or seatbelts.

At what point are you willing to say that because Microsoft has removed Windows NT 4.0, Windows 98, and Windows Me from the shelves, because they have declared these products EOL with an extended support grace period, and because they have given warnings about their core security design being outdated by widespread availability of current malicious software technology, that Microsoft is no longer responsible for your insistence on using that legacy product?

Would you expect a security company to still be liable for your home after they have noted their outdated model security system has a security box that is no longer sufficient since a tool has been developed to break in that is now readily available to neighborhood thugs? Should they still be liable when their outdated security system has been removed from the shelves and labeled as EOL for several years? Should they still be liable if their outdated security system has been replaced on the shelf by a new security system for which you can obtain a discount on installation since you are being "forced" to upgrade rather than trying to patch the old system?

Would you expect every car company to develop and offer free OEM upgrade kits to electronic locks and satellite tracking systems for their outdated models with locks and windows susceptible to coat hangers or else be liable for the theft of your car? Should the car companies have to replace your electronic key every time someone builds and distributes a new scanner which breaks their encryption, or should they be responsible for attempting to resolve this issue on new cars and try to stay one step ahead of the bad guys for a little while, lest they lose new buyers?

At what point is it the consumer's fault for insisting on using something outdated, no longer available from the manufacturer, and proven to be easily compromised by advances in the anti-security field? Stop trying to lock your door with the same old hook and loop just so you can complain that the people who sold you your home should ship you a deadbolt for free.

Sincerely,
Donald

-----Original Message-----
From: Jeffrey F. Bloss [mailto:jbloss () tampabay rr com]
Sent: Thursday, January 12, 2006 8:17 PM
To: security-basics () securityfocus com
Subject: Re: Security and EOL issues (was RE: WMF Exploit Patch released)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 10 January 2006 02:41 pm, Steveb () tshore com wrote:

> Hi all, I must weigh in on this with an analogy. Asking software companies to offer free patches to software whose core technologies are considered out of date by the mainstream industry is like asking Ford Motor company to offer free airbag installations in all 1920 vintage automobiles.

Not really, for a couple of reasons. If a flaw exists in a piece of software a "core" technology must exist too.
1920 era vehicles lack the modern electrical systems and physical features that allow air bag installation without extensive modification to the automobile itself. A software patch or bug fix, by definition, is something that only modifies an existing "part". Your analogy would be more like expecting Microsoft to upgrade Notepad so that it was identical to Word.

Installing air bags requires that the automobile manufacturer design, test, and produce the upgrade. As does a software patch. But in the automobile scenario no typical end user is going to be able to order the parts and perform the work themselves. Unlike software patches. There's an entire "implementation" phase of fixing automobiles that simply does not exist in the world of software. In fact, as we just saw first hand the fix can be manufactured, packaged, and implemented at little or no cost at all. Even by third parties. ;)

> The rest of the capitalist world protects themselves from such expectations in the form of limited time warranties. Why should the software world be any different?

This too is a flawed analogy. We're not talking about adding features or functionality, or fixing something that wears out through normal use. We're talking about fixing flaws and errors. The capitalist world most definitely does find itself liable for problems in products that are no longer supported. A glaring example would be asbestos.

If a significant number of people still drove 1920's era vehicles, and a major design miscalculation like wheels falling off due to the usage of superballs instead of ball bearings were discovered, it's a pretty safe bet Ford would be "patching" a significant number of their 1920's era automobiles. Yes, it's a silly example, but the point is that product vendors are accountable for their mistakes long after their advertised warranties expire. If a flaw that impacts the end user's "safety" is discovered, a manufacturer is almost always held accountable and required to make things right. Why should the software world be any different? :)

- --
Hand crafted on January 12, 2006 at 19:35:31 -0500

Outside of a dog, a book is a man's best friend. Inside of a dog, it's too dark to read. -Groucho Marx

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDxv90RHqalLqKnCkRAhXCAJ0SjrITxOk1F9QR6hF09EJS0lshMACeMtEP
15QXrab8r5FA4cw/jR9d3rk=
=TpIK
-----END PGP SIGNATURE-----
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------
Current thread:
- Re: Security and EOL issues (was RE: WMF Exploit Patch released) jeff (Jan 10)
- <Possible follow-ups>
- RE: Security and EOL issues (was RE: WMF Exploit Patch released) Steveb (Jan 11)
- Re: Security and EOL issues (was RE: WMF Exploit Patch released) Jeffrey F. Bloss (Jan 15)
- RE: Security and EOL issues Donald N Kenepp (Jan 16)
- Re: Security and EOL issues Matthew Schiros (Jan 16)
- RE: Security and EOL issues Donald N Kenepp (Jan 17)
- RE: Security and EOL issues Leif Ericksen (Jan 20)
- RE: Security and EOL issues Donald N Kenepp (Jan 20)
- RE: Security and EOL issues Leif Ericksen (Jan 21)
- Re: Security and EOL issues (was RE: WMF Exploit Patch released) Jeffrey F. Bloss (Jan 15)
- Re: Security and EOL issues Robert Newton (Jan 21)
- Re: Security and EOL issues (was RE: WMF Exploit Patch released) Austin Murkland (Jan 15)
- Re: Security and EOL issues (was RE: WMF Exploit Patch released) Saqib Ali (Jan 20)
- Re: Security and EOL issues (was RE: WMF Exploit Patch released) Micheal Espinola Jr (Jan 23)