Why Is Expensive Software So Crappy?

Today I was listening to Gary McGraw on Frontline Security talking about software security. One of his points was that a large part of security trouble is poor design.

That reminds me how I’ve been meaning to rant a bit about the really terrible security I’ve seen in proprietary software lately. Some of this is very expensive software that people pay lots of money for.

  • World-writable installations. In one case, the documentation for the software directed users to mark the entire program’s directory tree world-writable, including all files and directories within it. In a whole host of additional cases, consultants or support people tasked with installing the software make everything world-writable as a matter of routine. And some of these are programs specifically designed to be used on Unix shell hosts.
  • Overuse of telnet. There’s telnet use everywhere. One program actually telnets to a server to start their own server-side component and then send XML to it. So we have to have an account for the server-side component, put the password in plain text on the client side, and maintain *telnet* for the application. Have we never heard of, say, CGI, people???
  • Overuse of root. Again, I’ve seen this even in documentation — “run everything as root” or “if you have trouble, just run this as root.” I’ve seen installers actually check to see if they’re running as root, and fail if they’re not, even though they have no need for root privileges.
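
A defender's check for the first bullet, as an added shell example that is not from the original post: it audits an install tree for the "make everything world-writable" anti-pattern and strips the stray write bits. The function names and the scratch tree it builds are assumptions for illustration; it needs only POSIX find(1) and chmod(1).

```shell
#!/bin/sh
# Added example (not from the original post): audit an install tree for the
# "make the whole directory tree world-writable" anti-pattern and undo it.
# Assumes only POSIX find(1)/chmod(1); the directory is whatever you pass in.

# Print world-writable regular files and directories under $1. Directories
# carrying the sticky bit (like /tmp) are deliberately shared and are skipped.
list_world_writable() {
    find "$1" \( -type f -perm -0002 \) -o \( -type d -perm -0002 ! -perm -1000 \)
}

# Number of offending paths; 0 means the tree is clean.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Strip the other-write bit from every offending path. Ownership is left
# alone on purpose: the real fix is a dedicated service account that owns
# the tree, not write access for every user on the host.
fix_world_writable() {
    list_world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

# Demonstration on a constructed scratch tree, not a real product install.
demo() {
    tree=$(mktemp -d)
    mkdir -p "$tree/bin" "$tree/data" "$tree/data/tmp"
    : > "$tree/bin/app"
    : > "$tree/data/config.xml"
    chmod 777 "$tree/bin/app" "$tree/data"      # what the vendor docs asked for
    chmod 1777 "$tree/data/tmp"                 # sticky scratch dir: allowed
    echo "before: $(count_world_writable "$tree") world-writable path(s)"
    list_world_writable "$tree"
    fix_world_writable "$tree"
    echo "after:  $(count_world_writable "$tree") world-writable path(s)"
    rm -rf "$tree"
}

demo
```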

Sigh. Although I’ve seen some poor code out there in the Free Software community, I’ve never seen anything that even approaches this level of insanity.

Why is the most expensive software the least secure? And what can we do about it when the vendor doesn’t care?

9 thoughts on “Why Is Expensive Software So Crappy?”

  1. (found this post via planet.debian.org)

    John,

    My psychologist friends tell me of a phenomenon called Cognitive Dissonance, where things that have a high cost to people explain away that cost when the person justifies it to themselves. Cognitive dissonance has people who pay lots of money for badly-designed, badly-made and badly-implemented software justify the worth of the software because of the cost. Or its bad implementation. Or its prestige as a brand. I’m a bit :-S

    Take care.
    Ken.

    1. In our particular case, we were aware of some of the security problems going into it, but there were either no better alternatives available, or better alternatives (security-wise) were far more expensive.

      But one point Gary McGraw made is that when he brought security flaws to the attention of vendors, they said, “well, you’re not supposed to do that.” Of course not, but we can’t expect hackers to only do what we want them to.

      So I think your point is valid for the vendors also ;-)

  2. Another – BAAN – use of rsh.

    A lot of BAAN was probably well done originally, then they retrofitted it to relational databases, stuffed a Windows front end (rather than the original green screen stuff, hence the rsh).

    Of course at the time Oracle still used fixed passwords on installation, and Net8 set a system level user with a well known password.

    As a result very few sites with the most expensive deployments of this stuff have anything even approaching application level security.

    I think the answer is for most people it is secure enough (or obscure enough). Sure the whole IT department can own the system in 10 minutes, but they probably all either have the requisite passwords anyway.

  3. Overpriced software and crappy software are very tightly related, because they’re both the product of complacency on behalf of the software company. They either have a niche application with few competitors or they got into the market sector early and became the de facto name to ‘trust’ for that type of software.

    So they don’t feel the compulsion to compete on quality or price.

  4. Good, valid complaint, John

    I bought the Norton SystemWorks 2006 Premier and Norton GoBack wouldn’t install.
    The advisory said:

    “Norton GoBack Scan Error
    —————————
    Norton GoBack has detected a multiboot disk.

    Norton GoBack can not be installed on multiboot disks.”

    The Symantec solution to this problem, on the Symantec help pages, was to NOT INSTALL GoBack.

    I don’t know what MultiBoot is or that I had one. My 2005 version works just fine.

    I returned the box, opened, for a refund. Then I bought on-line an update to the 2005 version.

    I was miffed because the 2006 version would have been free except for postage and sales tax.

    I realize this is small potatoes compared to large system software. But this was me, personally.

  5. > Sigh. Although I’ve seen some poor code
    > out there in the Free Software
    > community, I’ve never seen anything that
    > even approaches this level of insanity.

    Mozilla Firefox:

    * It attempts to write to the location it was installed to.
    * It _has_ to be run once as the user who installed it.
    * Software update _silently_ fails if Firefox is not run as the user who installed it.

    Happily, I can use the Debian version which fixes this horrible crap.

  6. What we can do? We can just stop using those types of software. It’s not always easy (for lack of alternatives in some cases), but I’d rather work with an awkward workaround than software that compromises system security.

  7. It’s simple, actually. In the free software world, all the deciding factors for the popularity of some software directly or indirectly involve “code”. There is nothing to help an author stuff his glaring security holes under the curtain, because everyone can just plainly see them standing out.

    In the case of proprietary software, you can have one or more of:

    * No “preview” version, so that you have no way of knowing that this multi-mega-million expensive piece of software which supposedly does what you want does so very insecurely;
    * Insanely huge marketing budgets which make people think the software is much better than it actually is;
    * Management types at the proprietary development firm which cut time in important matters such as proper design and security audits, because it’s easier to sell features than it is to sell security;
    * The (not necessarily correct) feeling that “the most expensive thing which still sells pretty much must probably also be the best”

    In short, the mechanisms that define Free Software are nothing like those that define Proprietary Software; and since at the end of the day, Proprietary Software is built around “making money” rather than “making good software” (although the latter will probably help in getting at the former), it’s no wonder that a community where “Show me the code” is the only good argument has a much better end result.

    1. Great points; adjacent to that is the unfortunate fact that with such extensive advertising budgets, they need not rely on word-of-mouth the way smaller companies and/or freeware needs/tends to. Because of this, return business, while nice, holds no place in these companies’ priority lists. If they’re making 2000%+ markup on the initial software purchase, it hardly matters to them if one out of five customers throws it in the trash immediately after installing it; even with subscription-based updates, this hardly would cut into their profit margins enough to give any real attention to a squeaky wheel that can’t be heard for all of the extortion around it.
