Home page logo
/

basics logo Security Basics mailing list archives

RE: Security and EOL issues
From: "Donald N Kenepp" <don () videon-central com>
Date: Tue, 17 Jan 2006 12:08:03 -0500

Hi Matthew,

  Let's extract some bait here.

(Full original message from Matthew can be found below.)

I know I'm speaking from my point of view here
  . . . 
A belief that a good company, if Microsoft were one
  . . . 
in this specific instance, an easily exploitable flaw/intentional backdoor

  Yes, I think your vantage point is clear.

  There are some points where you almost seem to concede that Microsoft
doesn't have a responsibility to upgrade the code, but I think you are
eventually discounting some of these points because you feel Microsoft
should be seen as naughty or even malevolent.

  Again, sadly, I have to refer you to the idea that something that is
honorably (or dishonorably - even the staunch Microsoft people aren't big on
Windows Me) discharged it is eventually not worth the time, money, or effort
to fix for either the vendor or the consumer.

  Ford doesn't support the classic 65-72 Mustangs either.  Plenty of people
drive them; more wish they hadn't gotten rid of theirs.  You might even
still find a few wealthy people like to restore Model Ts.  That doesn't
necessarily make them safe to drive, even if the government regulations say
they are safe on the road.

  It also doesn't make Ford "slightly irresponsible" for not making free OEM
three-point seatbelt upgrades for some of them.  I think most people agree
that lap belts aren't necessarily enough.  It is *possible* to get
three-point seatbelts installed for the front seats in a '66 Fastback, but
it takes quite a bit of doing, and still doesn't quite turn out to be
perfect.  For the convertibles, I can only imagine that you'd have to alter
the entire frame of the car, much like eventually NT 4.0 simply can't be
altered enough to be reasonably secure without a complete redesign from the
ground up.

  You have to choose whether to use the stock car or to modify it for
safety.  You also have to realize that after a certain point you can't
necessarily make a rear-wheel drive quite as safe in the snow, or that
putting in the racing cage, all around disc brakes, and the full Shelbe
stabilization package is going to cost you more than a new car.  It's your
choice if you want to try and do it, but when you get that far you are
accepting that you *want* to use the old car more than the new one that's
OEM supported and therefore possible, easier, and cheaper to maintain with
regard to current safety realities.

  If you truly have consumer dissatisfaction rather than a long fishing
pole, I would suggest Linux.  If you don't like what Microsoft is doing,
don't use their systems.  If NT 4.0 support isn't doing it for you anymore,
use something else.  I do like Microsoft products for a lot of tasks, but
Microsoft isn't the only fish in the sea.

However, I can think of a myriad of reasons
why you'd stay on legacy software in many environments, with cost
being an obvious one, but compatibility being another.

  Cost issue?  Pick your free OS flavor.  Compatibility issue?  I don't
think I've run into a program yet, though I suppose I have to admit it isn't
impossible, that ran on NT 4.0 and doesn't run on NT 5.0.  If your systems
don't support anything newer than 4.0, I'd recommend new systems, or again,
a transfer over to a non-GUI-based OS if the cost of replacing old hardware
is an issue.

  If your software vendor doesn't support anything newer, why pick on
Microsoft alone?  Tell your vendors to give you a free software upgrade that
runs on your new OS and see how far you can get telling them they are
"slightly irresponsible" if they don't provide free updates to their
software so that it runs on newer systems.  I'd call them responsible for a
lack of compatibility if they haven't created an option to move off NT 4.0
for you by now.

Compare that with the cost that it would have taken MS to fix the problem
in NT,

  Honestly, I would assume that Microsoft paid quite a bit of overtime on
this already, but yes, perhaps that is a drop in the bucket.  However, how
much does it cost a year for Microsoft to keep resources on Windows NT 4.0,
Windows 98, etc. rather than moving those resources over to newer OS support
or development?  You might find a bigger number.

it would have been a nice bone from a company that's been fairly
anti-consumer since it first flexed its muscle.

  I'm not sure that I buy into Microsoft being anti-consumer, but that's
your right.  To me, the problem in the past was that Microsoft has been a
bit too pro-consumer and anti-security until XPSP2.  They were too concerned
that they would lose customer-base if they created compatibility issues or
more complex installation / configuration needs with enhanced security.

  Microsoft is changing from making a mess trying to keep code that is
insecure just to be compatible and instead are finally ditching some old
code to try and make consumers more secure at the potential cost of making a
few people unhappy.  Do they have a long way to go as far as security
practices?  Yes.  Are they making a good effort in the right direction at
the moment?  I believe so.

  There is always going to be someone still using Windows NT 4.0, or Windows
98 as long as they feel they can get away without upgrading.  The problem is
that there was fair warning that problems like these would eventually
appear.  Where are you actually willing to draw the line?  The vulnerability
exists in some form for Windows 95.  Does Microsoft owe us a patch for that
too?  Perhaps the line seems to magically be at NT 4.0 because that's where
the businesses that would never bother to upgrade if they could manage it
are left standing.

  When I see a friend or client with NT 4.0 or Windows 9x I'm not
complaining that Microsoft doesn't properly support it, I'm working to get
it migrated or protected by other means as fast as humanly possible,
especially because with every year these systems are more susceptible to
security issues.  It's old code trying to beat out new malware innovations.
Eventually it's easier to start with better base code.

  There are people who take the next step and claim Microsoft is is also
slightly irresponsible if they don't patch pirated software.  Sometimes
Microsoft does end up doing it anyway in an effort to keep things safer on
the whole, but are they irresponsible if they don't, or taking on extra
responsibility if they do?  I'd say the later, and I thank them for thinking
of the Internet as a whole regardless of cost when they do, no matter how
often or infrequent that may be in some eyes.  There are plenty of people
using pirated software that want all the updates to work on the unlicensed
versions.

  I do agree with some of the things you said, but I have to disagree with
what seems to be your general attitude toward when Microsoft or any other
software vendor should be called irresponsible.

  I am a bit curious as to what it would take for you to say a system no
longer deserves Microsoft security patches.  If you don't draw the line for
NT 4.0, where do you draw it?  You are welcome to let things rest or reply,
but if it is more allusions to conspiracies and the evil empire, I'll have
to let someone else bite.  It's may also be best served as a direct
discussion rather than on the list.

  So above become my views and recommendations.  Rather than wasting
comments and ending up involved in dirt throwing, I'll let my point rest
from here.  Perhaps something I've said will convince you, or change your
view slightly, or perhaps we need to just assume the other isn't going to
change their view and people listening have made up their minds as well.  I
did take the time to think about my views on the subject, so I do thank you
all for the discussion.
 
  Sincerely,
    Donald

-----Original Message-----
From: Matthew Schiros [mailto:schiros () gmail com] 
Sent: Monday, January 16, 2006 5:51 PM
To: don () videon-central com
Cc: Jeffrey F. Bloss; security-basics () securityfocus com
Subject: Re: Security and EOL issues

I'd like to inject, for a moment, if I may.

I know I'm speaking from my point of view here, but I believe that
what I'm about to say is consistent with what Jeffrey and others who
have made similar points believe as well.

A belief that a good company, if Microsoft were one, would provide
either recalls (in the case of physical products) or updates (in the
case of software) to any of their products that suddenly exhibits
fatally flawed behavior (in this specific instance, an easily
exploitable flaw/intentional backdoor) is NOT the same thing as saying
that that company is somehow responsible for the damage that may
result as a consequence of that flaw (when dealing with EOL'd product
lines).  Microsoft is clearly in no way legally, or even ethically
responsible for maintaining EOL'd code, and they are CLEARLY not
liable for any damages that a system or network incur when people are
using a version of their software that no patch exists for.

That's not my point, and I don't believe that it's anyone else's
point.  What _is_ the point is that Microsoft was confronted with a
flaw in their software that spanned all versions, and it is slightly
irresponsible of them not to fix it in versions of their software that
they know to still be in use.  Ford doesn't support the Model T
because nobody drives a Model T, and because there are a myriad of
regulations governing what the automobile industry must do. 
Thankfully, those regulations don't exist in the software market (very
much, in most sectors), so instead of asking Uncle Sam to solve the
problem for us, we simply register our consumer dissatisfaction.

Is it equally irresponsible for networks to run outdated software? 
Yes, of course, more so.  However, I can think of a myriad of reasons
why you'd stay on legacy software in many environments, with cost
being an obvious one, but compatibility being another.  Compare that
with the cost that it would have taken MS to fix the problem in NT,
especially since they apparently took a fairly simple approach to it. 
It would have been a nice bone from a company that's been fairly
anti-consumer since it first flexed its muscle.

I hope this clears up some issues.  If I spoke for those who disagree
with me, I apologize.

Matt Schiros
On 1/15/06, Donald N Kenepp <don () videon-central com> wrote:
Hi Jeffrey,

  Perhaps Steve's analogy does not fit the case perfectly.  Analogies
usually break down at some point.  Your analogy of asbestos also has major
faults.

  Asbestos was bad for us from the beginning.  The mistake was hidden for
as
long as possible.  All this legacy software was fine to use until someone
else looked as hard as they could to find a problem and then exploited it.
Without discovery of the problem, asbestos still would have killed people.
Without the malicious coders, older software's security would be just
fine.

  By your definition, as long as someone is using the manufacturer's
product, the manufacturer is liable for that person's usage of their
product.  This is not actually the case.

  In new products, we see a product recall, with free replacement or
repair.
This is essentially one part of service packs.  In legacy products, we see
them removed from the shelves, often replaced with a better product.  You
cannot purchase Windows NT 3.11 from Microsoft anymore, just like you
cannot
purchase a Model T.  Ford is no longer responsible for your safety if you
choose to still drive a Model T.  They aren't responsible for your safety
if
you choose to drive a car without safety glass, breakaway steering wheels,
or seatbelts.

  At what point are you willing to say that because Microsoft has removed
Windows NT 4.0, Windows 98, and Windows Me from the shelves, because they
have declared these products EOL with an extended support grace period,
and
because they have given warnings about their core security design being
outdated by widespread availability of current malicious software
technology, that Microsoft is no longer responsible for your insistence on
using that legacy product?

  Would you expect a security company to still be liable for your home
after
they have noted their outdated model security system has a security box
that
is no longer sufficient since a tool has been developed to break in that
is
now readily available to neighborhood thugs?  Should they still be liable
when their outdated security system has been removed from the shelves and
labeled as EOL for several years?  Should they still be liable if their
outdated security system has been replaced on the shelf by a new security
system for which you can obtain a discount on installation since you are
being "forced" to upgrade rather than trying to patch the old system?

  Would you expect every car company to develop and offer free OEM upgrade
kits to electronic locks and satellite tracking systems for their outdated
models with locks and windows susceptible to coat hangers or else be
liable
for the theft of your car?

  Should the car companies have to replace your electronic key every time
someone builds and distributes a new scanner which breaks their
encryption,
or should they be responsible for attempting to resolve this issue on new
cars and try to stay one step ahead of the bad guys for a little while,
lest
they lose new buyers?

  At what point is it the consumer's fault for insisting on using
something
outdated, no longer available from the manufacturer, and proven to be
easily
compromised by advances in the anti-security field?

  Stop trying to lock your door with the same old hook and loop just so
you
can complain that the people who sold you your home should ship you a
deadbolt for free.

  Sincerely,
    Donald


-----Original Message-----
From: Jeffrey F. Bloss [mailto:jbloss () tampabay rr com]
Sent: Thursday, January 12, 2006 8:17 PM
To: security-basics () securityfocus com
Subject: Re: Security and EOL issues (was RE: WMF Exploit Patch released)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 10 January 2006 02:41 pm, Steveb () tshore com wrote:
Hi all,

I must weigh in on this with an analogy.  Asking software companies to
offer free patches to software whose core technologies are considered
out of date by the mainstream industry is like asking Ford Motor company
to offer free airbag installations in all 1920 vintage automobiles.

Not really, for a couple of reasons.

If a flaw exists in a piece of software a "core" technology must exist
too.
1920 era vehicles lack the modern electrical systems and physical features
that allow air bag installation without extensive modification to the
automobile itself. A software patch or bug fix, by definition, is
something
that only modifies an existing "part". Your analogy would be more like
expecting Microsoft to upgrade Notepad so that it was identical to Word.

Installing air bags requires that the automobile manufacturer design,
test,
and produce the upgrade. As does a software patch. But in the automobile
scenario no typical end user is going to be able to order the parts and
perform the work themselves. Unlike software patches. There's an entire
"implementation" phase of fixing automobiles that simple does not exist in
the world of software. In fact, as we just saw first hand the fix can be
manufacturered, packaged, and implemented at little or no cost at all.
Even
by third parties. ;)

The rest of the capitalist world protects themselves from such
expectations in the form of limited time warranties.  Why should the
software world be any different?

This too is a flawed analogy. We're not talking about adding features or
functionality, or fixing something that wears out through normal use.
We're
talking about fixing flaws and errors. The capitalist world most
definitely
does find itself liable for problem in products that are no longer
supported.
A glaring example would be asbestos.

If a significant number of people still drove 1920's era vehicles, and a
major
design miscalculation like wheels falling off due to the usage of
superballs

instead of ballbearings were discovered, it's a pretty safe bet Ford would
be
"patching" a significant number of their 1920's era automobiles.

Yes, it's a silly example, but the point is that product vendors are
accountable for their mistakes long after their advertised warranties
expire.
If a flaw that impacts the end user's "safety" is discovered, a
manufacturer

is almost always held accountable and required to make things right.

Why should the software world be any different? :)

- --
Hand crafted on January 12, 2006 at 19:35:31 -0500

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
                                  -Groucho Marx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDxv90RHqalLqKnCkRAhXCAJ0SjrITxOk1F9QR6hF09EJS0lshMACeMtEP
15QXrab8r5FA4cw/jR9d3rk=
=TpIK
-----END PGP SIGNATURE-----


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning,

Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus

----------------------------------------------------------------------------




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus

----------------------------------------------------------------------------




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]