Sendmail Bug Tests US Dept Homeland Security 297
yanestra writes "CNET reports that the reported Sendmail bug has been a test for the US Department of Homeland Security which seems to have managed information flow in this case."
A list is only as strong as its weakest link. -- Don Knuth
bug o this week (Score:2, Funny)
The trend is back!
Wow (Score:2, Informative)
bleh (Score:5, Insightful)
Free flow of information > Security
Re:bleh (Score:5, Insightful)
If the parties involved are actively seeking to fix the problem, in a timely manner, I see no harm in not shouting from the mountain top what the problem is.
Full disclosure after a patch is done, yes. But doing it before serves no purpose but to conform to some wishy washy idealism and potentially amplifies the damage an exploit could cause.
And I'm talking in terms of a couple days. If the affected parties hit the snooze button and two weeks roll by, then yes, release the info and make fun of them for the havoc it causes.
Re:bleh (Score:5, Informative)
FYI, this flaw was actually found in December [msnbc.com] and just reported yesterday, roughly two months later.
Timeline? (Score:3, Interesting)
It would be interesting to see the time line on this... Did it take this long for the patch to be created or did it get left on someones desk of periods of time before some one spent an hour making the patch.
MG
Not that bad (Score:5, Insightful)
Thanks for the link. You know, I don't think 2 months is exorbitant in this case. As your article states below,
"Because there are so many different flavors of Sendmail, twenty software vendors had to develop a variety of patches for the flaw..."
So, they had to patch a ton of different versions, and you don't necessarily want them issuing a shitty patch. So if you blame anyone, blame those sendmail monkeys for the delay. ;) Given the nature of the coordination effort, I think they did quite well.
Responsibility && responsibility && (Score:4, Insightful)
If the parties involved are actively seeking to fix the problem, in a timely manner, I see no harm in not shouting from the mountain top what the problem is.
I think it reflects well on discoverers of vulnerabilities if they notify the software maintainers first by backchannel means and describe the vulnerability with enough precision for the authors to be able to fix the problem in a timely manner. DoVs should get extra credit if they submit an actual patch that fixes the vulnerability (does not apply to proprietary binary products, clearly).
But the vulnerabiltiy is a ticking time bomb out there for users in the real world. The white hat DoV may have discovered the vulnerability after 3 black hats who are shoving it into their latest malware.
The discoverer of the vulnerability and the maintainers of the software are jointly responsible for doing everything in their power to expedite their work, to notify users of the vulnerability, and to provide a patch for them.
Finally, all software users have the responsibility to keep appraised of the latest security alerts and patches for vulnerabilities and to apply them.
If any of the 3 parties: discoverer, software maintainers, software users fall short on any of these responsibilities, then all users will suffer.
As a user, I must rely upon the goodwill of the DoVs and the maintainers.
Full disclosure protects users, even with no patch (Score:5, Insightful)
The problem is that just because I (an innocent user of the product) don't know about the vulnerability doesn't mean that the evil crackers don't know about it. Sure, a public announcement increases the number of crackers who know about it, but also gives me enough information to react. There is a security hole in sendmail, but no patch yet? Well, without real information, I can't confirm if my particular installation is at risk. Once I know about it, I can take reactive steps. With enough information I could try to patch the vulnerability myself. With enough information I could try to limit my risk (say, changing my sendmail configuration to limit what an attacker can get, or adding a wrapper to detect the attack and terminate the connection). With enough information I reasonably weigh the options of disabling sendmail for security reasons versus keeping it up for my users.
With no information, I'll just keep ignorantly running the vulnerable version, possibly getting attacked by crackers who already knew about it. With a little information, I don't have enough information to decide if I'm really at risk and to weigh my possible solutions.
Re:bleh (Score:5, Interesting)
But what is reasonable? A week? A month? What if the exploit is a deep flaw in the system, something that cannot be fixed [tombom.co.uk]?
So, how long is long enough to keep an exploit from the general public? Does it depend upon the exploit, the company that makes the product, or the person who finds it? Is there a balance to be found?
Re:bleh (Score:5, Insightful)
But, by definition, if any of the "good guys" have found the problem, it's equally likely that any number of "bad guys" also have found the problem. With exploits in the wild. So telling everybody to be on the look-out, or even close down some services, could easily be the "Rigth Thing(tm)" to do.
Look, for instance, on all the bad press Symantec drew for keeping info on Slammer to their own customers instead of alerting everybody.
Actually, this can be argued for ever. And what's rigth in one instance might be wrong in a different... so...
M.
Re:bleh (Score:2, Insightful)
This can be a complex situation and there are no easy answers. I still think that generally 90 days should be the max to sit on any of these. Of course there will be cases that warrant more but they should be few.
Where does this leave CERT? (Score:5, Interesting)
The fact that CERT always seemed to do a decent job makes this even more interesting. The biggest criticisms voiced about CERT were that they acted too slow and didn't provide enough detail information about problems (other than to acknowledge the general nature of it). How will the government do better in these areas?
My guess is that the answer to the latter question is 'not much', and that we'll start hearing the same complaints about the Dept. of Homeland Security soon...
Re:Where does this leave CERT? (Score:5, Funny)
The biggest criticisms voiced about CERT were that they acted too slow and didn't provide enough detail information about problems
In other words, CERT was a day late and a dollar short.
we'll start hearing the same complaints about the Dept. of Homeland Security soon...
I agree. Except they'll be a year late and ten billion dollars short.
Re:Where does this leave CERT? (Score:2, Interesting)
Re:Where does this leave CERT? (Score:2, Informative)
So CERT will still go on. In this case all the people involved cut out CERT voluntarily, ISS,SANS, FedCIRC and the like. I'm sure of course CERT (in that they have a notification about it) wasn't really cut out.. then again.. they didn't neccessarily do all the coordination work.. they're proabably happy about that one. They can worry about other stuff. My opinion everybody should be this involved in fixing security issues.
getting into the "tarist" snitch business (Score:3, Interesting)
begin more generic rant
Don't know about anyone else, but with patriot act 2 coming into law soon, where the government can just call someone a "terrorist" on their say-so, and with the definition just vague enough to apply to-just about anyone it appears- and that means they are now not under any civil protection or rights, I am wondering if they are starting to set up even more infrastructure to add to "the lists".
Anyone who don't take the "lists" serious is someday gonna be waving bye bye from the back of a truck heading..someplace.
When I was growing up, the stuff the US government is doing right now was something we were taught only "bad" places like east germany did. And those bad places had a complete blend of bureaucracy, large corporations, and then the military and police. Everyone snitched on each other. government had all the rights, you had none, even if some word drivel was printed on paper someplace, government ignored it. That's exactly what those bad places were.
We were taught that was definetly "wrong".
Now it's "patriotic".
Yes, we have a need for some sort of law enforcement effort on the net,and it's there and quite frankly it's more than enough to function, the net is part of society,but what we are seeing now goes WAY beyond it. And now all these other weird things? Model toy rocket permits now but leave the border just wide open, millions of illegals ayear free to just walk across? Huh? They are going to regulate or ban model airplanes, while they have been sprayinbg HUGE amounts of weird crap over america for several years now and outright lying about it? huh?? We have a MAJOR goon run cia front company called "wackenhut security" running private prisons,running for -profit manufacturing efforts using prisoners, running some mental institutions, and now RUNNING ROADBLOCKS on the public highway? This just broke a few days ago, private security org manning roadblocks. Just THINK on this one. We have "secret" Total Informational Awareness efforts codified into law? Is there something about the word "total" that isn't understood? Forced collection of DNA samples at roadblocks? Taking hair and blood samples and you aren't going to be able to say NO? Collation of all purchase records? High level officials who just blatantly WARN YOU that if you are NOT 100% behind their efforts that YOU ARE A TERRORIST? And now they are taking over these internet efforts when it comes to security, telling people what they can and can't do, and this "they" guy will tell you when an exploit gets noted and "official" patches released? Huh? What's to stop them from eventually making little cute distinctions between what they release and what they don't, suppose "they" decide they would like a little pre-patch hacking so they can get into machines THEMSELVES. Maybe they JUST DID THAT, hmmm?
sweet deal for them.
I am against non disclosure of exploits in a timely manner. Waiting months is not timely. Anyone writing code now can review it before release. Anyone NOT knowing about "security" in general needs to stop and step back away from the keyboard and stop writing code until they "get it" on security, because GUARANTEED if this constant release of buggy code continues,and if people who maintain what are historical examples of just dismal exploitable code that should just be chucked out as lame don't voluntarily just admit it's buggy and pull it off the distribution mirrors, this government will start regulating all releases themselves, after a "review". they don't do it now, but they sure as heck could make it a law tomorrow. In my opinion, it's better to be able to not give them any more excuses. If that's what everyone wants,because known sloppy stuff keeps being used and released, this is what's going to happen. You are going to see licenses, you are going to see full governmental review of code, probably fees attached, stuff like that, I tell you, the internet is going to turn into an electronic "highway" whoops they call it that, so that means that this highway is going to be full of smokey the bears and roadblocks and regulations. And I am NOT kidding on that. We saw them just hijacking sites last week. I can see them starting to do that on a much larger scale. And if sites get hosted overseas, you know what, government will have no problems dealing with that, if anyone cares to notice, they have no problems going over stomping on other nations, they can control some wires if they choose to. Host at home, you are going to outfox them? Not when they can just call up your isp and have you dropped, then they send over some goons to pick you up once you are on the "suspicious" list. And they'll do some of these efforts from major backbones or routers if they have to, I am not so convinced that carnivore and such-like efforts only have the capability to just sniff.
Encouraging (Score:4, Interesting)
Re:Encouraging (Score:5, Insightful)
we have (mostly) good timing getting patches out (even ms gets patches out), but getting end users to *apply* the patches has been a problem. lack of knowledge, time, technical skills, etc.
at this point, this does seem to be addressed.
how do we (ahum) fix the end user? my belief is that it should be required that end users have staff/contractors that are certified on their stuff *and* that hey maintain a maintenance log that documents actions or lack of them. if you look at radio stations and the requirements they include licensed radio engineers and logs and other must-dos and must-haves.
it's time people understood that being connected to everyone else requires a little bit more work.
eric
Re:Encouraging (Score:2, Funny)
you forgot the most important one. Refusing to let MS ownz your system with Service Pack EULAs. EVIL SP, EVIL EULA
Re:Encouraging (Score:3, Funny)
how do we (ahum) fix the end user? With a pair of pliers, of course.
Re:Encouraging (Score:3, Informative)
Re:Encouraging (Score:2)
Gee... What about if I have to move away? As an end user, what will my mom do then? I guess under your plan she will just have to stop using the internet or be thrown in jail. Maybe you should be nicer to my mom.
Come on folks! Remember that the internet and servers aren't tied directly to our nervous system (in most cases). When an internet connected computer goes down or is hacked we are talking about economic disruption at worst, but usually it is no more than an annoyance.
Re:Encouraging (Score:3, Insightful)
Also
Re:Encouraging (Score:3, Insightful)
Does anyone remember that the Internet was a network designed to continue to operate after a nuclear war? We should not have to worry about this stuff. This is a problem for network architects, not the server admins.
If my server get's hacked then that should and must remain only my problem. Don't tell me the obvious, and don't shift responsibilities. These challenges can only be solved with distribution of resources and by maintaining excess capacity.
It must be taken as a given that a network like the internet will have bad actors whose malicious actions it must be able to absorb until the problem is corrected or blocked.
Re:Encouraging (Score:3, Insightful)
How exactly are network archetects supposed to design for 300 drones all sending traffic to one place? There is no amount of overcapacity that would handle that.
Re:Encouraging (Score:4, Insightful)
I don't throwing a pile of Beareaucratic Bullshit is going to improve the situation. That's one of the points lauded by previous posters. This was an example of someone who was able to get something done technically without the forms in triplicate. You are advocating those forms!
Like we have time for the patches already, you want to make us spend countless hours filling in stupid forms?
Personally, I think that public humiliation of the company that fails basic security patches is a pretty effective method. It now becomes an interest to the company to maintain a positive PR profile. And we all know that the only thing greater to a Corporation than profits is the Image it portrays.
Re:Encouraging (Score:2, Funny)
Re:Encouraging (Score:2, Interesting)
What happens when a non-US company/individual finds a bug? The information might be held back in the US for security reasons, but *might* break out outside. What would then happen is that US would be the most affected. Remember that a lot of the later viruses/worms were of non-US origin.In this case they got ISS to shut up, might not be true always.
So what? (Score:5, Insightful)
Re:So what? (Score:3, Insightful)
> What if Joe Nobody finds a hole, and makes it public before the DHS gets with
> the makers of the software? What about the businesses in the private sector that
> fail to patch their systems? Wasn't the fix for SQL Slammer out for months? I'm
> sure this is a step in the right direction, but really, what happens next time?
I think no matter who is in control of oversite, be it CERN or the government or anyone, the same problem of "If we dont find out first, we cant do much about it" is true.
You also have to keep in mind, this bug was discovered in December and released in March. This only pertains to one person at ISS.
Not to belittle his work finding this bug, but its still technically possible someone else has already found it before, and is good at keeping secrets.
If you assume that is true in all cases (Which from a security standpoint you need to assume) it really doesnt matter. That they are telling you about this hole now at all doesnt have anything to do with the fact that ALL systems using sendmail since version 5 have been exploitable for the past 10+ years.
The hole being disclosed isnt what causes the security problem. Its the other way around.
> Sometimes I doubt your commitment to Sparkle Motion.
That sig sounds like a product of fear
Sendmail - too flexible for most (Score:5, Insightful)
It's power and configuration settings make it a good choice for admins who have taken the time to read on it. However, more often then not we find that there are a lot of lazy admins out there who just get it "up and running" and don't care to understand the security issues with the server. While I've used sendmail for years in the past, but now use postfix. There are a slew of other mail programs out there that can be configured without having to use m4 rules, understand sendmail's rewrite metods etc. I would suggest that if you must have a mail server up, but don't want to take the time to learn sendmail, PLEASE, use something else. I realize this is a little off-topic but it's not too much. It all boils down to securing the net. That takes more then a few bug fixes (and YES you must apply all of them) and a good admin to configure the server/services.
Why does sendmail still in use? (Score:2, Insightful)
Superior alternatives exist... so why is anyone still using sendmail???
Re:Why does sendmail still in use? (Score:5, Interesting)
Superior alternatives exist... so why is anyone still using Windows???
--
Sure Joe runs sendmail, and sendmail is insecure. But does Joe's server get attacked frequently? Chances are it probably doesn't. If it does, Joe may be looking into alternatives, or Joe may have found one already.
Joe doesn't have the time to fix every potential threat. Joe probably installs patches and updates as frequently as possible, maybe even on a schedule. Joe does his best to keep sendmail from being a problem, and at the same time Joe tries not to waste time.
If Joe were working for a huge company that depended heavily on it's e-mail, Joe would probably spend more time on sendmail. But odds are Joe doesn't, and Joe is doing the best he can.
Superior Posts exist.... (Score:3, Funny)
Re:Why does sendmail still in use? (Score:2, Interesting)
Because there has been so much software installed that knows how to talk to the original sendmail, it has been common to make new mailers present the same UI to the world. This way, a new mailer can just be dropped in as a replacement for sendmail, and everything works.
One of the oldest of these, written in the mid-80's, was called "smail". After a few releases, the authors listened to the complaints about the difficulty of installing it in place of sendmail. So they added code that checked argv[0], and if it was called as "sendmail", it interpreted its command line the same way as the original sendmail. It didn't do everything, but it had most of the functionality that was actually in use, and a simple ln command usually sufficed to replace the old monster with the new, smaller monster This made it spread very quickly among systems whose admins were unhappy with the problems with sendmail. Others have since used the same approach.
Most of the newer "sendmail" programs are quite a bit smaller and less bloated with featuritis than the old one. Of course, this means that they don't have all the bells and whistles. But it means that there are a lot fewer places for obscure security holes. And since most people just install sendmail and run it, and never learn to config it, this works pretty well.
In effect, "sendmail" is now just a description of a set of command-line options used in the rc and cron scripts. If a mail daemon implements these, it can be dropped in as a replacement for whatever "sendmail" is there, and it'll do the job required on your system.
On several systems, I've replaced sendmail with a small (100-200 lines) perl script that mimics all the functionality in use there. This has given me a large number of geek points among non-perl-hackers. I just grin and say something like "That's trivial for a true perl guru." They don't have to know that it doesn't take a perl guru to do such a job.
This does bring up a significant question about this news item. When they talk about a "sendmail flaw", which sendmail are they talking about? Presumably it only effects one of the N sendmails that are in use.
Of course, one interpretation of the push to install a "patch" is that this purported patch is merely a way of getting one specific sendmail clone installed as widely as possible. I'd guess that this "patch" is not, say, a set of source diffs, but is a binary. When you install it, you are replacing your current sendmail with a completely different program. Since the article refers to the Sendmail Consortium, this "patch" is probably a version of the original, sendmail. When you install it, you have reverted to a version of the old, bloated sendmail, which probably now has zillions of security holes waiting to be discovered.
The fact that they don't tell us what the security flaw was or how to test for it is supporting evidence that this is what they're doing.
Re:Why does sendmail still in use? (Score:4, Informative)
Please get a clue before your next post.
Dept. of Homeland Security (Score:5, Informative)
Re: Dept. of Homeland Security (Score:5, Insightful)
> Speaking of the Dept. of Homeland Security, here's an link [democratic...ground.org] to an article with some suggestions to Tom Ridge on how to improve his department, so that it actually keeps the citizenry well-informed and aware of possible terrorist threats and how to handle them (as opposed to keeping them scared and in an information blackout).
You're making a mighty big assumption about what the DoHS was created for.
I work for the government. (Score:5, Interesting)
Everyone is working togther to get all the systems running sendmail patched.
While this doesn't seem like a big deal in the corporate world, in the government world, all red tape has been removed and we can make changes to critical systems INSTANTLY.
FIX FIRST, meet later. It's an entirely different attitude, and it allows me to do my job more efficently. It works.
Re:I work for the government. (Score:2)
red tape exists everywhere. just ask people in banks or insurance companies.
Re:I work for the government. (Score:3, Insightful)
No scanner, no tester, no exploit code, no help. Thanks ISS and DHS! I feel so much better with this new process.
Re:I work for the government. (Score:4, Interesting)
Gosh the exact opposite of that reminds me of NASA in the early 90s. A problem would happen. We'd have a meeting about the problem only to realize we needed another meeting to discuss the problem. Between the meetings to discuss the problem, we'd have a meeting to discuss the format for the next meeting. Of course in each meeting various contracting companies would be represented. The problem was always the fault of either A) the person or contract company not present at any of the meetings (hence why they have so many meetings) or B) the person to the left while seating around a table.
I never knew how the problems were solved. I never saw any solutions at the meetings. It's my belief that NASA has trained MICE doing the repairs for slices of cheese.
Homeland Security (Score:3, Interesting)
The reason I ask is because this type of co-operation with public defense organisations and the private sector are likeley to become much more important as we come to rely more on these technologies, OR if we ever see any kind of cyber-terrorism. Ideally there would be a single point through which relevant information flows - as hinted at in the article, any leaks could be a problem.
Do these agencies have a reputation for hiring good security people?
Re:Homeland Security (Score:2, Interesting)
Re:Homeland Security (Score:5, Insightful)
they're responsible for releasing alert warnings every so often. placing the country on a level 3 or orange alert whatever that means, but it sure spikes the sales of bottled water, canned foods, batteries and duct tape for when the big bombs and chemical warfare comes our way.
to be honest this entire administration has been doing a complete knee-jerk reaction to the WTC and Pentagon events from 2001. they're molding those knee-jerk reactions into something they can use to bomb Iraq and overthrow Suddam because quite frankly there's some big roots in the big state of Texas where "all Your Oil are belong to us"
here's my favorite quote from the folowwing article:
http://www.msnbc.com/news/872585.asp?0c
That warning regarding tape and three days of water is profoundly helpful to people who are choosing to go to war with Iraq and need to cause an environment of fear in order that the public will do anything to break the fear fever. It serves the administration for the public to be so afraid. When you are afraid enough, you'll get on any train that's leaving the station, even if it is not going where you want to go. That sentence says it all.
So what's... (Score:2, Insightful)
In the future, the Department of Homeland Security will be the U.S. agency that will manage any response to major cyberthreats.
Will the DHS publish Security Recommendation Guides [nsa.gov] like the NSA?
Improved policy? (Score:5, Insightful)
That being said, good to see a well coordinated patch release. I just wish the paranoids would get advance warning.
Re:Improved policy? (Score:3, Insightful)
Oh, yeah. I run a small ISP that does about 1.6 million messages / day. Other siblings of my department do 10 times that. If I tried implementing a safer stand-by system, I would be laughed right out of a job. Not to mention the safer backup systems for everything else -- web serving, news, authentication, online tools, etc..
If you had a more secure solution... (Score:2)
What about international software? (Score:5, Interesting)
For example, it seems that a lot of OpenSSH [openssh.org] development is done in Canada and Germany. And the server is run out of Canada.
The OpenSSL [openssl.org] team looks primarily international too (UK, Germany, Sweden, New Zealand). There server is managed by Brits and Swedes.
Actually... I think you'll find that a lot of crypto software is based outside the US. Probably due to constraints placed on crypto development in the last decade.
Re:What about international software? (Score:2, Insightful)
I know I know, prolly flamebait, but i gots the karma to burn
bugs (Score:2, Troll)
Re:bugs (Score:2)
I'm a bit confused ... (Score:3, Funny)
A critical flaw in Sendmail, the Internet's most popular e-mail server,
But I've been reading all these claims that Outlook handles 99% of all email.
Which of these claims is a lie?
(Is it possible that they're both lies?)
Re:I'm a bit confused ... (Score:3, Informative)
Not exactly (Score:2)
Its job is to receive email and to send email. That's it.
YHBT, was Re:I'm a bit confused ... (Score:3, Informative)
The original poster was rather obviously going for a +5, Funny.
Re:YHBT, was Re:I'm a bit confused ... (Score:2, Funny)
He seems to have fallen a bit short.......
Re:YHBT, was Re:I'm a bit confused ... (Score:2)
Jeez, folks; whaddayahaftado to get a "funny" rating? Use a smiley?
I'm beginning to think that irony is truly dead. At least on
DHS versus Early Disclosure (Score:5, Insightful)
I liked the handling of ssh's problems last year much better. "Heads up, there's a problem in these versions. We'll let you know exactly what after we get the patch out." It's not enough to give a hacker a reasonable foot up, but it gets the service off the network should anyone already be quietly taking advantage of the weakness.
Showcase for open source (Score:5, Informative)
Quote:
"Working with the private sector, we alerted key owners of the vulnerable software and got them talking," said David Wray, spokesman for the IAIP Directorate. "We think this is a great example of how this should, and does, work."
The Department of Homeland Security got high marks from the security community for giving companies the necessary time to create the patch and for synchronizing its release.
"This is the model for what you do if you want to find a vulnerability," said Alan Paller, director of research for the SysAdmin, Audit, Network and Security (SANS) Institute
Re:Showcase for open source (Score:3)
No, this is a classic case of why this myth keeps getting passed on by the masses. Simply put, how do you know the bad guys didn't spot this a long time ago? You're assuming the bad guys will put out a big press release saying "We found a big bug in sendmail and we're exploiting it!"
That is definitely not how it works and its not even logically consitent. Absence of evidence is not evidence of absence. "Bad guys" can and have kept their exploits to themselves in the past. We know this for a fact. So why should this case be any different? Its not.
Why would anyone that has owned your servers tell you that they owned them, unless they didn't want to own those boxes in the future. If you're a "bad guy" and you figured out a nifty way to own 75% of all the mail servers out there, why would you be so stupid as to tell everyone?
In short, if you think you're safe because the "good guys" found it "first", because the "bad guys" didn't put up a big notice that they found a flaw in your software, you're doomed. Software is flawed: it was written by people for goodness sake. It is very difficult to write "secure software" so you must assume that the software you use is filled with holes and they someone, somewhere, has figured out how to exploit one of or more of them.
Real computer risk management is about acknowledging that fact. There are vulnerabilities that you and the good guys do not know about.
The solution to computer security is not more obscurity, its about building your risk management model around reality. Your software has holes, your employees can not be trusted, life is dangerous: there be dragons out there.
ISS - proven shills (Score:5, Interesting)
Re:ISS - proven shills (Score:3, Insightful)
nice eh?
-- greetings from _OLD_ europe
So what youre telling me... (Score:2)
Re:So what youre telling me... (Score:4, Insightful)
Nobody outside the US is going to place their security below that of the US. Yet everybody, US included, runs the same software. This means something has to give and if the issue is forced then yet another chunk of the industry leaves the country. How is this good?
It's already started. Many developers won't visit the US because they discuss vulnerabilities "that could circumvent a copyright protection". Hello! They have to do that to fix problems. Pentagon-style paranoia could much worse than the DMCA. This industry is hurting as it is. We don't need more government imposed problems.
Sounds nice but... (Score:5, Insightful)
And this is just DHS's "first test" - I imagine after they build up a cozy relationship with the major security-problem vendors (i.e. Microsoft), they might not even disclose any known flaws until patches come out (i.e. months to "never").
Remember that government officials will probably listen a lot more attentively to "captains of industry" (i.e. MS) than "those unwashed hippy hackers" (i.e. the open-source community).
Re:Sounds nice but... (Score:4, Insightful)
Sure, it sucks to be "left in the dark" while vendors slowly come up with patches. Sure, you'd like the vendor's "feet held to the fire" to write, test and release the patch as quickly as possible. If that's painful for them, well, they dman well deserve it since they wrote the but in the first place. Or at least that's how it feels to you and me, small-time admins (at least me) who find out when the patch is released weeks or even months (2 in this case) after the initial discovery. It's easy to feel this way.
But historically, the biggest problem has not been the timeliness of releasing patches. The REAL problem has been that most admins/users do not install the patch until _after_ an attack has begun.
Pathces not getting applied is by far the largest problem. It dwarfs the problem that of several weeks elapsing between initial discovery to patch availability to public announcment (where the "problem" is that some black-hats might have known for some time and might have been quietly exploiting systems for a long time).
Sure, it rubs you and me the wrong way and might even hurt our feelings a bit that we were kept in the dark for 2 months. Yeah, it sucks that our servers were on-line and open to attack all that time (and long before initial discovery by ISS). But get over it.
In the larger picture, what has always mattered much more is getting all or most systems patched. That has historically been a giant problem. Admins don't patch, for one reason or another. Some are overworked, a few might be lazy, many don't find out about the patch, and in a great many cases the admin isn't authorized to make "unnecessary" changes, or would be risking his job patching a critical system before upper management felt it was urgent.
In the past, only a widespread attach has given most admins that sense of urgency to apply the patch. That sucks.
The DOH using its clout to provide that sense of urgency to apply the patch before an attack begins is a good thing. To the extent they pull this off (it's still too early to judge), they'll have gone a long way towards solving the largest computer security problem.
So whine all you like about being left in the dark. Mod me down for going against the flow here on slashdot. Complain about the extreemly unlikely chance that some black-hat knew before ISS and was quitely and undetectably exploiting the bug. But don't try to deny that by far, by at least an order of magnitude, the largest problem has been a widespread failure to apply released patches until after a highly successful and widespread attack.
To the extent the DOH puts pressure on admins to install this patch before an attack, they will have made a huge improvement in overall security. The several weeks from initial discovery until patch availablity and security advisory just isn't significant in comparision.
That's It! (Score:3, Interesting)
This is the beginning of the end. It's not hard to imagine an "Office of System Software Security Review" or some other government group of 'experts' that mandates all software go through their security analysis. I'm sorry. I have enough trouble explaining my code and system architecture to corporate 'security experts' (the types that don't understand TLS/SSL or SSH, and insist that we use tcp_wrappers enabled tftp since it doesn't use plain-text passwords going over the network!).
So the big question is, what do I do with my life now? Maybe open a Subway sandwich shop. Any other suggestions?
An Impressive Debut (Score:3, Troll)
Although there have been a few grumblings, it looks like there are a lot of others who feel the same way I do: it's perfectly OK to have a short lag time between vulnerability discovery and disclosure, as long as the Baddies don't start taking advantage of the situation before the patches are available. In this case, I read that the lag time was about 2 weeks, which seems perfectly reasonable.
Kudos to all involved!
Publicity keeps vendors honest (Score:5, Insightful)
It's precisely the threat of publicity that pressures vendors into patching their compromised software quickly. If that threat is relieved, by Official KeepYerDamnMouthShut Orders from a government body, those same vendors may start to think "Phew, now we can wait for the next upgrade".
This is Not a Good Thing.
Re:Publicity keeps vendors honest (Score:2)
Remember, the US is not the world. (Score:3, Insightful)
Goverment is getting credit! (Score:5, Interesting)
I think it's interesting that the government is getting credit for working with the private sector in releasing information. Part of the the point of open sourced software is so that bugs can be found and patched quickly. The CERT email I got yesterday afternoon had MANY patch sources listed by vendor (RedHat, Apple, Sendmail etc) and was timely. I don't belive that the pat on the back goes to Uncle Sam in this situation, but rather the folks at Sendmail who worked to resolve this issue in a timely and organized fashion. They released the information to those who needed to know (including the DHS) and worked on a solution to get this stuff out to the public.
To quote Eric Raymond, "Given enough eyeballs, all bugs are shallow"
Kudos to Sendmail for getting this taken care of.
Re:Goverment is getting credit! (Score:2, Insightful)
First, notice that they give credit to ISS and Sendmail.
Then they discuss that they alerted key owners and facilitated communication. Sendmail *themselves* noted that the coordination of the government helped... Bottom line, yes Sendmail gets kudos. But so does the government for being the coordinator of the entire effort. I'm not a big fan of this department of homeland defense, but in this case their agency did a nice job, and it deserves the mention it is getting.Re:Goverment is getting credit! (Score:2)
The elephant in the living room (Score:2, Interesting)
managing risk in Redmond... (Score:5, Funny)
I hope these guys have Microsoft's number on speed dial...
Did they notify non-commercial dists like Debian? (Score:3, Insightful)
I'm curious to know whether the NIPC notified non-commerical interests such as the Debian organization? Also, did they notify any non-US-based distributions such as Suse?
It is not clear to me that the NIPC is anything more than a bureauratic clearing house and censor. I suspect that the security community that is referred to as giving high marks includes only the commercial side of the industry. I'll bet that Mr. Lemos could get a meatier article out of investigating some of these questions.
Maintain Obscurity!! (Score:5, Interesting)
The one thing I didn't like about this article was the idea that this kind of process should be followed by everyone. This is what I saw as the process:
Here's the flaw(s) in this process:
I guess the biggest thing that I don't like about this is that idea that this model will support the Closed Source software model because of the arguments of:
In this case, obscurity was best. (Score:3, Interesting)
It was old - years old - and to knowledge, never used as an exploit.
It was found by a white hat - so this isn't a case of "the criminals having all the guns."
Therefore, what are the chances that, though no one found the bug in five years, that both a black hat and a white hat will find the same exploit within 2 months of each other? Pretty much nil.
As usual,the chances of an exploit coming out are higher if disclosed. So, in terms of a damage perspective, we have to compare two things: greater chance of attack if disclosed, or greater damage per attack if not disclosed from people not being prepared.
In this case, since the chance of double discovery of this bug was VERY low, the chance of total damage was greater if it was disclosed, giving black hats a head start. So I agree with what they did, and given the scope of the project (patching all flavors of sendmail), two months ain't all that bad.
Ultimately, the government doesn't really care about any RMS-style "info wants to be free" crap. They just want the fewest exploited boxes possible. In this case, their actions were pretty well correct. I don't think this will always be the correct action, so we'll have to watch them on other issues, including how they interact with OSS groups, should the need arise.
I had a friend once... (Score:2, Offtopic)
I thought it was a bit silly at the time (~10 years ago) but I'm starting to wonder.
TWW
hmph... Homeland Security (Score:5, Insightful)
This is about the level of competency I've come to expect from Large Government Entities.
Re:hmph... Homeland Security (Score:4, Insightful)
Has anyone checked the rpms (Score:4, Funny)
Re:Kind of laughable, really (Score:3, Interesting)
They helped participate in the coverup though, didn't they?
When the government comes to you and tells you to cooperate or face charges for aiding terrorism, what would you say?
System failed. (Score:2)
The debian version of the patch wasn't available yesterday. The whole point of delaying the announcement is to get the fix out there ahead of the knowledge of the vulnerability. I'd say their system for "working with vendors" needs some work.
And what exactly is the knowledge dissemination path here? This time the mass media spread knowledge far and wide that attention was needed. They'll get bored after a couple more of these and stop prominantly reporting it. How does homeland security plan to get the message out then?
I have a problem... (Score:2)
qmail anyone? (Score:2, Insightful)
It's time for the sendmail people to start from scratch. You can keep patching all you want (and apparently take two months to do it), but if your initial security design model is flawed, you are going to keep finding holes.
sensationalist (Score:2, Troll)
You want to accuse someone of 'cyberterrorism?' How about the RIAA, the MPAA, or those who passed the DMCA?
Yes, the handling of this vulnerability was a good joint effort between ISS and the DHS. No, it wasn't anything spectacular. Maybe the DHS will be able to put pressure on our favorite monopoly to 'unenable' some of their terribly insecure features.
hmm, what's the next step (Score:3, Insightful)
This isn't one of those "all our freedom and rights are being removed by the evil government" type posts. But yet...
In this case DHS seem to have done a good thing, coordinated the patching and disclosure between different vendors. Now, for me it isn't a stretch to ask the question, what if someone had announced while DHS were still working on it? What if it is a truly critical bug or hole. Say wide open root-enabling flaw in SSH, Samba or some other service that's very common (for the geeks that can't take that as an example without saying that they should never be used as root bla bla bla, please just move on, I'm trying to make a point here, and it's not about best security practices).
Say such a security hole of a great magnitude is discovered, and someone announces it publically on a mailinglist. Or say vendor A wants to release the patch immediately, but vendor B wants to test for another week. Vendor A goes ahead and releases it without DHS approval.
In either case, will DHS see it as a risk to homeland security and a prosecutable offense? Is software security now suddenly a matter that the government should oversee? How far does their involvement stretch? Will security discussions require a DHS representative or approval to avoid premature disclosures that could be a threat to homeland security?
I really don't wanna sound alarmist here, but I'm not sure the goverment getting involved in things like this is a great idea. Software bugs or flaws can be a real threat to a nation, and so DHS should perhaps be involved. But again, I can't help but wonder, where will that take us and where will that involvement stop.
If you're not the US, this is bad (Score:3, Interesting)
Think about it, the Department of Homeland Security (and by proxy, the entire US Government) is getting a heads up on potential exploits.
The US spies on it's allies [washingtonpost.com]. If you're the Germans, then the NSA are the blackhats. Nobody but the US government themselves should feel more comfortable knowing that they're being informed first.
cost? (Score:2)
Not that bad a security hole (Score:3, Informative)
So this is not a good candidate for a worm or automated exploit, and only useful for a direct attack if you happen to be relatively unlucky and the attacker knows it.
Differing Agenda's (Score:3, Interesting)
Why should I (an australian) have to rely on the "Department of Homeland Security" of another country for information regarding a sendmail patch?
What if someone found a root exploit affecting 75% of say, iraq's servers and reported it to the "Department of Homeland Security"?
I wonder how long it would take for them to issue a release about that one? As far as I'm concerned , the body that looks after this sort of thing should be international and not have any majority government control, as otherwise they start acting in their own interests, and not the greater interests of the other technically competent people on the planet.
(And "Department of Homeland Security" always has a weird , 1984-ish sound to me, hence the quotes)
Re:The text... (Score:2)
Re: Good coordination? Ha. (Score:2, Funny)
> Regardless, I read the exploit has been known since January of this year. Is this correct? If so, I find it hard to believe The Office of Homeland Security kept this under wraps and away from the hacker community for this long a period of time. The announcement and fix to this exploit are anything but timely.
Sorry, but they were too busy buying up stock in duct tape and plastic wrap last month. Everything in good time, my man.
Delete it, dumbass (Score:3, Interesting)
Install one of the many far-superior free alternatives that provide the same functionality. Exim, for example. Your applications that call
Well, unless they rely on broken header rewriting and slow delivery...
Re:As if Ridge and (Score:3, Interesting)
do with this.
The Homeland department contracted out the
NCIP coordination to ISS, allowing them to
hire programmers to do code review. As
part of the NCIP review, this bug was found,
and kept quite for over a month while the
government and industry got first crack at
updates and patches.
OK, it wasn't a government employee who found
the bug, but it was a private contractor
doing work for the government. (You don't
really expect republicans to hire gov't workers
when they can just contract out to industry
do you?)
And by the way, it wasn't Ridge that started
this whole process. The Critical Infrastructure
protection process started under Clinton.
After 9/11, it all got moved under Homeland
to coordinate with other agencies. (E.g.,
the Department of Defense has known about
this bug in Iraqi mail servers since last
year....) Now THAT'S coordination.