
Microsoft Unveils Open Source Exploit Finder

Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest: "Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer') combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."
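To make the summary above concrete: an added example, not the tool's own code or its actual rule set, of the two things a crash triager of this kind does. First, bucket crashes by a hash of the top stack frames so that thousands of fuzzer crashes collapse into a few hundred distinct sites; second, rank each bucket by a coarse exploitability label derived from the fault type and the faulting address. The fault categories, the 64 KiB "near NULL" cut-off, the five-frame major hash, the crash records and the symbol names are all assumptions constructed for illustration.

```python
"""Simplified crash-triage pass in the spirit of !exploitable.
Added example with constructed data; the heuristics are illustrative, not the tool's."""
from dataclasses import dataclass
import hashlib

# Labels, most to least severe.
EXPLOITABLE = "EXPLOITABLE"
PROBABLY_EXPLOITABLE = "PROBABLY_EXPLOITABLE"
PROBABLY_NOT_EXPLOITABLE = "PROBABLY_NOT_EXPLOITABLE"
UNKNOWN = "UNKNOWN"
SEVERITY = {EXPLOITABLE: 0, PROBABLY_EXPLOITABLE: 1, UNKNOWN: 2, PROBABLY_NOT_EXPLOITABLE: 3}

NULL_PAGE_LIMIT = 0x10000   # assumption: a fault below 64 KiB is treated as "near NULL"
MAJOR_HASH_FRAMES = 5       # assumption: frames that feed the coarse bucket hash


@dataclass
class Crash:
    crash_id: str
    fault: str          # "read_av", "write_av", "exec_av", "illegal_instruction", "stack_overflow"
    fault_addr: int     # address the faulting access touched (0 if not applicable)
    pc: int             # instruction pointer at the time of the fault
    frames: list        # symbolic stack, innermost first, e.g. "parser!parse_hdr+0x2c"


def classify(c):
    """Return (label, reason) for one crash from the fault type and addresses."""
    if c.fault == "exec_av" or (c.fault in ("read_av", "write_av") and c.fault_addr == c.pc):
        return EXPLOITABLE, "instruction fetch from a bad address: program counter is controlled"
    if c.fault == "illegal_instruction":
        return EXPLOITABLE, "illegal instruction: execution has left valid code"
    if c.fault == "write_av":
        return EXPLOITABLE, "write access violation: memory write to a bad address"
    if c.fault == "read_av":
        if c.fault_addr < NULL_PAGE_LIMIT:
            return PROBABLY_NOT_EXPLOITABLE, "read near NULL: most likely a plain NULL dereference"
        return PROBABLY_EXPLOITABLE, "read away from NULL: pointer may be attacker-influenced"
    if c.fault == "stack_overflow":
        return PROBABLY_NOT_EXPLOITABLE, "stack exhaustion: usually denial of service only"
    return UNKNOWN, "no rule for fault type %r" % c.fault


def _strip_offset(frame):
    # "mod!func+0x2c" -> "mod!func": offsets move between builds, symbols do not
    return frame.split("+", 1)[0]


def crash_hashes(c):
    """Major hash over the top frames (coarse bucket), minor hash over the whole stack."""
    names = [_strip_offset(f) for f in c.frames]
    major = hashlib.sha1("|".join(names[:MAJOR_HASH_FRAMES]).encode()).hexdigest()[:16]
    minor = hashlib.sha1("|".join(names).encode()).hexdigest()[:16]
    return major, minor


def triage(crashes):
    """Group by major hash, keep the worst label seen per group, rank worst first."""
    buckets = {}
    for c in crashes:
        label, reason = classify(c)
        major, _ = crash_hashes(c)
        site = _strip_offset(c.frames[0]) if c.frames else "?"
        b = buckets.setdefault(major, {"label": label, "reason": reason, "count": 0,
                                       "ids": [], "where": site})
        b["count"] += 1
        b["ids"].append(c.crash_id)
        if SEVERITY[label] < SEVERITY[b["label"]]:   # a worse crash upgrades the whole bucket
            b["label"], b["reason"] = label, reason
    return sorted(buckets.values(), key=lambda b: (SEVERITY[b["label"]], -b["count"]))


# Constructed sample records; module and function names are made up.
APP_TAIL = ["app!main+0x30", "kernel32!BaseThreadInitThunk+0xe", "ntdll!RtlUserThreadStart+0x21"]
SAMPLE_CRASHES = [
    # c1 and c2 share the same top frames: one NULL read, one read through a controlled pointer
    Crash("c1", "read_av", 0x0, 0x00401000,
          ["img!decode_row+0x1a", "img!decode+0x88", "img!load+0x12", "app!open+0x5"] + APP_TAIL),
    Crash("c2", "read_av", 0x41414141, 0x00401010,
          ["img!decode_row+0x2b", "img!decode+0x88", "img!load+0x12", "app!open+0x5",
           "app!main+0x30", "app!WinMain+0x9", "kernel32!BaseThreadInitThunk+0xe"]),
    Crash("c3", "write_av", 0x41414141, 0x00402000,
          ["parser!parse_hdr+0x2c", "parser!parse+0x40", "app!open+0x5"] + APP_TAIL),
    Crash("c4", "read_av", 0x41414141, 0x41414141,        # PC landed on the bad address
          ["0x41414141", "parser!parse+0x40", "app!open+0x5"] + APP_TAIL),
    Crash("c5", "read_av", 0x7fff1234, 0x00403000,
          ["zip!inflate+0x5", "zip!extract+0x90", "app!open+0x5"] + APP_TAIL),
    Crash("c6", "stack_overflow", 0, 0x00404000,
          ["json!parse_value+0x3"] * 4 + APP_TAIL),
]

if __name__ == "__main__":
    for b in triage(SAMPLE_CRASHES):
        print(f'{b["label"]:<26} x{b["count"]:<3} {b["where"]:<20} {b["reason"]}')
```

Two points worth noting. The bucket takes the worst label of any crash in it, because the same bug often shows up first as a harmless-looking NULL read and only later, with a different input, as a read through a controlled pointer; ranking by the best case would bury it. And the major hash deliberately drops offsets and deep frames, so it is a bucketing key for triage, not a proof that two crashes are the same bug; the full-stack minor hash is kept for that finer distinction.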
  • by Anonymous Coward on Sunday March 22, 2009 @11:06AM (#27287917)

    The threat free software has to your buddies at M$ is astronomical. This is the reason M$ will do anything in their power to remove all free software from M$ Winblows, which includes the use of M$'s new tactic of removing free software and using multiple accounts [slashdot.org] to back the story. The only way to eliminate the M$ exploits is to use free software instead of non-free software, or any software from M$.

    --
    Friends don't help friends install M$ junk.
    Friends do assist M$ addicted friends in committing suicide.

  • by koiransuklaa ( 1502579 ) on Sunday March 22, 2009 @11:52AM (#27288205)

    Wrong? Maybe... Note that MS-PL is not compatible with GNU GPL. That may have been just a coincidence from other requirements they had, but it may also have been #1 requirement for all MS-* licenses.

    As far as I can tell MS-PL is exactly like the BSD license, except it has a clause that makes it GPL-incompatible. MS-RL is very much like the GPL plus a clause that makes it GPL-incompatible. I notice a trend here and it fits the parent's comment quite well.

    Note that I'm not saying everything needs to be GPL-incompatible, I'm just pointing out an important feature of these licenses.

  • by v1 ( 525388 ) on Sunday March 22, 2009 @12:03PM (#27288257) Homepage Journal

    Shipping a large project with 1,000 bugs might be a perfectly valid decision

    Why don't we just change that to Shipping a large project with 1,000 bugs might be a perfectly valid business decision

    I don't ship crap.

    And if I had a really large project, I still wouldn't ship crap. Too many pinheads cutting corners to save a buck, particularly on large projects, because they count that as an excuse and want to rush it out the door ASAP to start generating revenue. Not me, thank you very much. Just because there's a fair number of vendors that play that game doesn't mean it's the rule.

    I still can remember back to the days when "version one-point-oh" didn't always have to mean "train wreck, we'll start seriously fixing bugs around 2.5". Today's translation works as follows: Today's 1.0 is yesterday's early beta. Today's 2.0 is yesterday's Still Beta. Today's 3.0 is yesterday's 1.0.

    Software should work out of the box. You shouldn't have to wait for an update or two for it to become stable enough to use.

  • Re:Libre? (Score:4, Interesting)

    by janwedekind ( 778872 ) on Sunday March 22, 2009 @01:32PM (#27288877) Homepage

    The GPL maximises protection against software patents and forbids distribution as proprietary-only software. The Ms-PL minimizes protection against software patents and forbids distribution as libre-only software. The Ms-PL formally fulfills the requirements for OSI approval but apart from that it is everything you would expect a license from Microsoft to be. To understand the Ms-PL just imagine the Venn diagram for the following equation: MsPL = ( OSI - GPL ) & Microsoft

  • by Kjella ( 173770 ) on Sunday March 22, 2009 @02:04PM (#27289159) Homepage

    I don't ship crap. And if I had a really large project, I still wouldn't ship crap. Too many pinheads cutting corners to save a buck, particularly on large projects, because they count that as an excuse and want to rush it out the door ASAP to start generating revenue. Not me, thank you very much. Just because there's a fair number of vendors that play that game doesn't mean it's the rule.

    There's a balance; there are also those people who think that perfect software can be created in some kind of bubble, and you might be one of them, I think. In a large project I can assure you, with 100% certainty, that between the start of the project and the final release the requirements have changed. A lot. It does not matter if you design a perfect software development method, not that I think such a thing exists, because people are very poor at specifying in an abstract specification what it is they want to do. Sometimes they don't even know exactly how, even if you could hire a telepath at the start of the project. And thinking that all code is written to one master plan is unlikely; more likely you've bought up functionality from other companies or migrated it from legacy products and it's patchwork under the hood.

    Releasing early and getting feedback is usually the only way to get the design right. It's much better to hear "yeah umm, but that's not the way we work" or "yeah umm, but that doesn't solve our challenge" before everything's set in stone. If you get told at the very end to rip out that well tested and well integrated piece of code then all that effort is really wasted. In large development projects these kinds of communication problems are very real. You could accept lots of small issues like a house where they said "that light fixture doesn't work, but it'll get fixed in the next release". What you couldn't accept is "the foundation is quicksand, the drainage is shot and the pillars rotten". In computer terms things like "the solution can't scale, it's crashing often and we have major data loss".

    Seriously, think of all the trivial things that can be considered bugs. Typos are bugs. A non-working shortcut is a bug. I think the most trivial bug I've seen is that you have a list. A to Z will jump you to the first item starting with that letter. But Æ, Ø and Å will not. Workaround? Scroll and pick. It's a genuine bug, but like hell if it's something that should hold up a software release. On the admin side I'm more like "if there's a dark voodoo way of doing it then fine" because I'm much more interested in them fixing bugs affecting a thousand people than me. Software delivers value and bugs detract from value, but this is important - a bugfree but useless application also has no value. Something that isn't used where they put it in an Excel spreadsheet instead has no value. Developers need to be working on the right things first, then they can do them right. Sounds easy and obvious but damn how hard that is.

  • by causality ( 777677 ) on Sunday March 22, 2009 @03:12PM (#27289853)

    So what? The viral GPL license is not the only one that makes your software free.

    What you say is factually correct yet it misses the point entirely. I like to give the benefit of the doubt, so I'll assume that you were not being deliberately obtuse. If Microsoft really wanted to release source in a way that is useful for the community, then they would be compatible with the GPL or would simply use the unmodified GPL. They know very well that the vast majority of Free Software, especially that which is available for Unix-like operating systems, is GPL.

    So a developer who maintains GPL software has two choices regarding the code that Microsoft releases. The first choice is to ignore it and avoid using it, because I would certainly expect Microsoft to vigorously pursue anyone who violates their license. The second choice is to abandon the GPL and release the software under the Microsoft license so that Microsoft's code could be incorporated into the project. This has two benefits for Microsoft. At the very least, they can talk a good game about how "open" they are becoming while actually doing very little for the community. At the most, they can tempt people to stop using the GPL.

    The GPL and Free Software in general is perhaps Microsoft's first experience with a potential competitor that they cannot buy out and cannot embrace-and-extend, so their huge resources and preferred tactics are rendered useless. Either they just give up or they realize that they cannot use the "direct approach". I would not expect them to just give up. The saying that comes to mind is "if you get into bed with Microsoft, you're going to get fucked." Anyone who really believes that Microsoft has had a change of heart and is now a trustworthy ally of Free Software is frankly rather naive. You're dealing with an entity that became so dominant in its industry by means of shrewd business decisions and Machiavellian strategy. I would expect a close-source software company with even half of their willingness and ability to dominate to see Free Software as an implacable enemy that requires new tactics. If anyone believes it could possibly be otherwise, the evidence against you is strong but I'd like to know why you feel that way.

  • by oftenwrongsoong ( 1496777 ) on Sunday March 22, 2009 @05:17PM (#27291287)

    Nono, it only finds exploits in open-source code. Microsoft code is safe from this evil tool. It's just another way they are attacking open source!

    You know what's incredibly funny? If they did use an evil tool to uncover every exploit in open source code, to make the FOSS community look bad, they'd be shooting themselves in the foot because the bugs would get fixed at warp speed. Beyond the initial "bad" publicity they'd generate for FOSS (there's no such thing as bad publicity), the joke would be on them because they'd still be stuck with their bugs but we'd be free of ours. :-)

  • by simplerThanPossible ( 1056682 ) on Monday March 23, 2009 @07:17AM (#27296167)

    Has it been run on itself?

    Will subsequent versions exploit the exploits, setup botnets, send spam etc?

    If Microsoft entered the armor business, would they also supply arms to the other side?

    But seriously, Microsoft put a ton of research into finding their security holes, including embedding the acquired techniques in tools. They're useful tools, and have been critically useful to them. Why not release them? My only worry is that it is not in their fighter-nature to help their competitors, and of course the tool can also be used by crackers.
