mailing list archives
Re: I give up, no more posts to Full-Disclosure and DailyDave about Full Trust and .Net /Java Sandboxes
From: nocfed <nocfed () gmail com>
Date: Fri, 7 Apr 2006 21:02:51 -0500
On 4/8/06, nocfed <nocfed () gmail com> wrote:
On 4/6/06, Dinis Cruz <dinis () ddplus net> wrote:
First off all, I want to apologize to the Full-Disclosure and DailyDave
readers for the last couple of posts which I CCed to these lists (the ones
about Full Trust, managed browsers, verifier issues in Java/.Net and
I know that cross-posting is not good, and that it is quite inconvenient
when you happen to subscribe to more than one of the target lists.
The reason I did it was because I wanted to make sure that several
companies/groups were exposed to it (and give them a chance to respond). In
this case I am talking about Microsoft, Sun, Novell, Apple, IBM, Adobe, Open
Source projects, etc... (basically the major software development houses and
the ones responsible for most of the software used in the real world).
>From the big ones, only Novell had an entry to talk about AppArmor which
is an interesting process level Sandboxing solution.
But the ones that I was expecting to see in this conversation were
Microsoft and Sun. We were (and still are) discussing the security
advantages of Sandboxing (Partial Trust in .Net and Security Manager in
Java), and given the investment that both companies have made in this field,
I was expecting to see some core/senior members supporting me (Dinis) in the
defense of the need to 'create environments that are able to securely
execute malicious code (i.e. Sandboxes)'.
But no, not a single world. But then I was not surprised since Microsoft
has been ignoring my public comments about this issue for the last two
This means that either A) they don't care any more about this topic
(Partial Trust / Security Manager code) or B) they are just playing the good
old trick to ignore the little guy (which works in environments like today
when the Media and paying clients don't care (read: don't understand) about
the issue discussed).
Option A) is quite realistic since Microsoft (after what happened with
'Longhorn managed code failure' and the Vista's reset to Windows 2003 code)
seems to have moved (or kicked) the '.Net guys' to a conner, and decided to
put their bets to create an operating system which delivers a trustworthy
computing environment in the hands of Vista's UAC (User Access Control) and
Vista's capability to run as non-admin (which is a bad bet in my point of
[side note: If the .Net framework is just a nice wrapper on the win32 API
(see Richard Grimes articles on this subject) with 99% of its code executed
under a Full Trust environment and never verified, then why the security
overhead of the current versions of .Net framework? (namely 1.1 and 2.0). If
CAS and Strong Naming (just to point two examples) don't really deliver any
real security value (just like 'client side data validation'), then why
incur the overhead? Maybe we would get a nice performance boost in .Net
applications if all those security calls were disabled. (Idea: I want to
apply my 'Rooting the CLR' research into the creation of a patch for the
.Net Framework which disables all security checks and (hopefully) improves
the performance of .Net applications (drop me a line if you are interested
in participating in this new Owasp .Net project))]
After two years of trying, I GIVE UP of trying to bring Microsoft to this
Microsoft doesn't care, can't be bothered to participate (or the powers
that be don't authorize the ones that want to participate), maybe believe
that the types of attacks will not continue to evolve (i.e. the risk will
not increase) or maybe is just that inertia that affects large companies
where nobody is really responsible for anything and the key decision makers
are so distant from the real world (or believe in their own hype and power
to manipulate the market) that they don't really understand the implications
of their decisions.
I think that my case is a perfect example of why Microsoft has such a bad
reputation (not just in security), and why the new generation of developers
(and IT professionals) are moving to Open environments (like Open Source).
In the medium / long term Microsoft cannot afford to continue to ignore
little guys like me (which are trying to do the right thing and help
Microsoft to solve their security problems). They need to show respect and
(at least) publicly talk about the issues raised.
Microsoft and Bill Gates like to talk about trust and trustworthiness. Well
trust is something that is built over time, with respect, dialog and
transparency. Not by ignoring and pretending that one doesn't exist.
Maybe Microsoft's problem with me is the fact that i will NOT work for them
nor sign an NDA (since I know that my independence would disappear the
moment I signed one), or maybe they think that I am not good and
knowledgeable enough for them to spend their 'precious time' with. They are
wrong in not engaging in this conversation, and in ignoring my public
requests to talk. I might be more vocal than some of my security consultant
friends, but I know that most are as frustrated as me in Microsoft's
attitude to Security.
Memo to Sun: "Java has the same problem, and you should be worried when
senior members of your community are very surprised to discover that most
Java code is executed in -noverify environments"
What I know is that my conscience is clear. Nobody can accuse me of not
trying. Over the last two years I made every ethical effort to call
Microsoft's attention to this problem: I wrote articles, security guides,
security tools, training courses, presentations, collaborated on .Net Open
Source projects (like Owasp), and even had two meetings at Microsoft Redmond
campus with several Key players in Microsoft's security and .Net teams (it
seems, that all that was left to do, was to bring down a couple ISPs /
global companies just to prove my point, but since I am ethical and a 'good
guy', that is something that I will never do).
>From all this effort, I have very little to show for (except from my
increased knowledge, several good contracts and some raised awareness to a
couple thousand professionals which read or saw my materials or used my
My main objectives were to get Microsoft to publicly admit that .Net
Framework's Full Trust is a big problem and to start the paradigm change to
a Partially Trusted world.
Unfortunately I failed.
.Net 2.0 was launched and nothing changed.
99% of the applications that exists today and are currently under
development are designed for Full Trust (or equivalent) environments.
So, I will wait patiently for the day that Microsoft (and the others)
decide to join the party. Meanwhile I will continue my discussions on the
webappsec () securityfocus com, websecurity () webappsec org and
owasp-dotnet () lists sourceforge net mailing lists, since at
least there my ideas are debated and challenged by other like minded
professionals (thanks guys).
I will no more initiate another discussion of Full-Disclosure and DailyDave
about Full Trust and .Net /Java Sandboxes because its audience is not
interested in them and the Microsoft's (and others) subscribers ignore them.
To wrap things up here are a couple quotes from a senior Microsoft Security
employee, given to me in his office in Redmond a couple months ago (in Feb
"...Dinis, what you are saying is important, but at the moment it is not
one of our main priorities... There are several reasons ... a main one is
the fact that we tried that with Vista and it didn't work... but probably
the main one is that we (Microsoft) don't have client pressure to deliver it
... basically there is currently no business case to invest in that since
our (Microsoft) clients are not demanding it...
...what needs to happen is that you (Dinis) need to find 5 major
Microsoft's clients which want this, and then we might do something about it
My response to this last comment was "...look, this is not my problem, this
is Microsoft's problem since it is Microsoft who is promising to deliver
'trustworthy computing environment'. So if Microsoft doesn't want to do it,
and Microsoft's clients don't put pressure, then there is nothing I can tell
you (Microsoft) that will change your mind..."
My conversations with Microsoft's employees tend to always end the same
way: I ask them to start by acknowledging the current Full Trust problem ,
and they respond by saying '... we are working very hard ... or ... things
are better today they they were a couple years ago ...or ... when compared
with the status of the industry we are not that bad ... or ... we know that
we need to do better to educate our developers to write partially trusted
code..'. Basically just words and no actions,
Sorry for the 'digital noise' of my previous posts.
Owasp .Net Project
I have yet to understand why anybody would feel that the majority, if
even the minority, of this list could care less if they are here or
gone. You should be sorry about the 'digital noise' that you are
spewing now; Speculation and partial, out of context, quotes without
an actual source name yet you want people to listen to You. Think
about it for a while. You are wanting a Company to just jump at what
YOU want done, right then, without knowing their current projects nor
workload. I am sure, from the broken information provided, that YOU
are not privy to their practices nor even escalation paths. I am not
attempting to defend Microsoft, Sun or any of the other players that
you have listed, but Business in general. The reason they give you
those replies is for liability. When the little man on the totem pole
gives a direct reply then they are usually held accountable for their
words which could lead to the loss of their position at the company
that they are representing. Just think about it. "Thank you for this
information! We will get this fixed in the next patch release" just
leads to an information leak then some online blogger, or self
righteous 'security expert', cross-posting to 20 lists claiming that
they got something done like The Twit(TM). We all know that is not
always the case, but many larger companies have dealt with it already
and have placed rules and guidelines for handling such situations.
Many may not believe that is the best way to do it, but yet again it's
not what you want. In conclusion, let's remember that they got where
they are for a reason as well as you are where you are for a reason.
On 4/7/06, michaelslists () gmail com <michaelslists () gmail com> wrote:
nocfed, are you saying that researchers shouldn't hassle companies
with notes about the security of their products, because they might
have more important things to be doing then respond to them?
what fucking list are you on again?
I have no idea where you gathered that from. If you feel that the
information needs to be disclosed then do it, but don't expect a
reply, especially in a public forum.
Show common netiquette if you decide to reply.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/