Is no browser safe? Security bods poke holes in Chrome, Safari, IE, Firefox and earn $1m The Pwn2Own and Pwnium hacking contests at the annual CanSecWest conference in Vancouver have earned security researchers over a million dollars in prizes, exposed 34 serious zero-day flaws in popular code, and earned over $82,000 for the Canadian Red Cross. In each of the Pwn2Own and Pwnium competitions, contestants are …
This sounds like an outstanding way to fix stuff, and close loopholes the NSA and associates would like to keep open. Given it has touched many OS's and products the cost seems minimal. Kudos for the in house staff for doing their part to build better product. With any finite staff there are limits to what they can test and correct. The bounty process is wonderful.
Thanks for the concern. Not really concerned about popularity, or instigating anything. Just using the forum to voice an opinion, obviously one of many.
Security relates to administrators, vendors, crooks, and spooks as well as the public using the web for their interests. Better security is helped by better, more robust, software and hardware as well as better design. Design is a standards thing as changes come with a price tag. Better product is better product. Crooks get plenty of attention and are regularly hunted, and periodically shut down. Spooks could use more attention then previous, maybe the Snowden spotlight is a bit much, but ignoring them is not a good thing. Ideally those charged with oversight would step up to the task. Maybe this happens in the UK.
No. A senior government minister asks the head of GCHQ (or similar), "Have you been breaking the law?". He answers, "No, of course not.". This is then converted into officialese and stated by the minister in parliament. It's a much better system than in the USA because there's not as much fuss and shouting. We hate fuss and shouting.
He got a downvote because VUPEN are one of the prime sellers of exploits to the NSA, yet here they are getting back-pats (indirectly).
So not only have VUPEN profitted from selling exploits to the NSA/governments but now we have the hacker convenction rewarding them for marketing those exploits and then disclosing them.
But misses out on three key thoughts:
1) This software had holes in it, and this has just been demonstrated. It doesn't indicate that this is the first time the hole has been exploited.
2) These people got paid for finding *a* zero-day. Finding these flaws doesn't indicate that all the holes have been found
3) Bounties have been paid out for finding these, but worth of these defects is potentially many many times more on the open market - so why claim the reward?
Vupen (and their ilk) base their livelihoods on selling on these exploits privately. The benefit reaped by these contestants is winning isn't the prize, but a seat in the premier league of exploit resellers (and I accept this is assuming they're all the money-grabbing-gits I'd be if I was in their position).
Whitehat
Greyhat
Blackhat
There are differences
Or in somewhat more precise terminology, there are intangible benefits to exchanging information regarding IT security, and different parties will assign different values to those intangibles, and so in many cases the behavior with the greatest incentives for a given researcher is to give the information to some party other than the one that provides the greatest financial component to their incentive.
There is a thing. It is called behavioral economics. It explains that people do not always make the choice that nets them the most filthy lucre.
A slightly more sophisticated approach is to have state-of-the-art (but still inadequate) electronic security - and just be careful what you communicate through those electronic channels. A clever player could seriously mislead eavesdroppers, who are so busy hugging themselves with glee at their superior technology that they don't think to question whether they are deliberately being fed misleading information.
Just saying.
This post has been deleted by its author
Makes me wonder what happens when you have constraints that keep your ideal model from being useable. Perhaps the security is too resource-intensive or there's not enough memory.
It's a real-world issue. What happens when you need security but the resources needed for that security are too limited?
>>Makes me wonder what happens when you have constraints that keep your ideal model from being useable.
Exactly: security says, disable cross mounted file systems, remote logins, just about all practicable file transfers, USB ports and internet access.
Now, with even a few such restrictions, just how does one conduct any business involving more one computer in the infrastructure or that requires customer access for ordering, information etc.? How do your employees send each other data, other than by printing it out (security could forbid that too). Developers, researchers, marketing, recruiters may want internet access to get documentation, software update, market information, exchange information.
It's a question of balance: you can make your house secure by surrounding it with lights, barbed wire, sensors, removing all trees and shrubs, closing the streets around it, steel shutters …. Not much fun to live there though. But safe.
Exactly: security says, disable cross mounted file systems, remote logins, just about all practicable file transfers, USB ports and internet access.
Only to people who have no idea what "security" means.
Outside a threat model and risk assessment, "security" is at best no more than a vague concept. Specific restrictions ("disable cross mounted file systems') are pointless without that framework.
It's a question of balance
There's no need for that sort of handwaving vacillation. It's possible - indeed not particularly difficult - to be formally precise (to the precision of your risk probabilities) in evaluating every aspect of securing a system. Pretending there's some Snowian two-cultures divide between "the secure" and "the free" is just obscurantism, and it plays into the hands of both attackers and the police state by positing a dichotomy that does not exist.
Modern web browsers are extremely complex. Not only do they contain support for multiple image and video files, but also complex layout languages and plugins.
Maybe it might make sense to have a much simpler way to display web pages, combined with a simple way to do "web applications". It would need to have to be so simple you could implement it in a day.
That ain't going to happen now that world+dog expect to run javascript/HTML5/etc to display "hello world". The modern web browser is more like an OS than a text rendering application, and so much of the web now depends on that to work. Yes, I know its dumb, but no I don't see it changing.
Probably the best we can hope for is sandboxing becoming robust enough to stop break-outs, and maybe aggressive enough to just kill browsers when something dodgy happens.
But there are problems in terms of actually using that - for example you might use Linux's apparmor to limit file access so a browser can't write to sensitive place, nor snaffle your files for uploading to spooks/criminals, but most users will simply howl when they find the browser dies on trying to navigate to, say, their collection of cat photos for uploading to facebook, etc. Sadly so far usability always triumphs over security.
"The modern web browser is more like an OS than a text rendering application, and so much of the web now depends on that to work. Yes, I know its dumb, but no I don't see it changing."
It is very dumb indeed. Anyone thinking that a browser as an OS is going to be any more secure than a traditional OS is deluded. In fact it's almost certainly worse.
The traditional OSes have been put through the mill and a lot of problems have been fixed. Whereas a brand new execution ecosystem (which we call a web browser) has got all of it's day-one bugs still extant, and they keep adding more features (and more bugs) all the time.
"Probably the best we can hope for is sandboxing becoming robust enough to stop break-outs, and maybe aggressive enough to just kill browsers when something dodgy happens."
Sandboxing is in itself a useful way of guarding the OS underneath the browser, and I'd rather have it than not. I agree - I think it's is indeed the best we can hope for. Alas, if the browser is acting more like an OS within an OS, then the sandbox isn't adequate. What's to stop some nasty code running riot inside the browser stealing / deleting data stored within the browser? The browser would need adequate protections within itself, as well as the sandbox barrier outside.
There's already proof of concept in-browser viruses floating around (El Reg passum), but there's nothing you can do outside the browser to prevent them causing harm inside it. So what's it to be? A special Macafee webpage that's always running inside your browser checking up on other web pages to make sure they're not doing anything nefarious? Sounds less efficient than an ordinary OS + apps + AV to me.
So far as I can tell HTML5 is making a similar mistake to Android. HTML5 is designed to keep different web apps separate, and no web app can influence another. At least, that's the intention. It doesn't work out that way though because the HTML5 implementation is not perfect. It does make it very difficult to add a third party package (an AV product, a 'Macaffee' web page) to protect the whole browser and the apps and data it's storing. So we're totally dependent on the browser writers immediately fixing bugs, etc. Bit like AV in Android can detect nasties, but can't actually do anything about them because the OS won't let it.
Except a "browser as an OS" has less local state.
My chromebook could be hacked - although the attack surface is probably less than Windows - but I can do a full restart and lose any locally stored data.
So I would have to visit the attacking site immediately before doing my online banking
"That ain't going to happen now that world+dog expect to run javascript/HTML5/etc to display "hello world". The modern web browser is more like an OS than a text rendering application, and so much of the web now depends on that to work. Yes, I know its dumb, but no I don't see it changing."
Yes, but I'm not necessarily talking about "changing the web", but about providing a much more secure and restricted alternative. I mean we (normal people) are not using webmail since it's far to insecure, we use special protocols like IMAPS. We use ssh which even uses key pinning. Both protocols however are inconvenient for GUI tasks over high latency connections. (though there is an alternative to ssh called mosh which can do predictive echoes and stuff)
Imagine we had some trivial "GUI over IP" protocol which simply uses a GUI toolkit on one side and transmits events. It could run over a severely cut down version of Websocket, and you could even write a client for it which runs in browsers.
With a client in HTML5 you could have a migration strategy to native clients.
> I mean we (normal people) are not using webmail since it's far to insecure,
I do...
> Imagine we had some trivial "GUI over IP" protocol
ssh already does X forwarding. Has done for years.
It's very useful - but generally rather slow. Most users will not want to use it.
There are also security issues to consider - do you reallly want to send all your keystrokes in real-time to a server you don't control?
Vic.
Imagine we had some trivial "GUI over IP" protocol which simply uses a GUI toolkit on one side and transmits events.
X11. NeWS. Display Postscript. VNC. Windows RDT.
Now if only someone had created, say, some sort of private network that could be established virtually over IP. Or even added a secure-channel mechanism to a newer version of IP. Then by gosh we'd have something!
(Have you seen my latest invention, the "wheel"? Still having some trouble with the corner cases.)
Referring back to the recent thread about TBL and how good his original Web was, may I point out that it was at least potentially far more secure (or securable) than the mess we have nowadays. Dynamic HTML, scripting, etc. was touted as the way to make the Web more like TV (and hence more profitable). Unfortunately, it was a bit like modifying a helicopter to make it more like a submarine - the end product is not something a smart person would climb into under any circumstances.
Maybe trivial if you have full access and known kernel bugs but from the restricted environment of a subverted browser it is going to me much tougher. A chroot adds a simple extra layer of protection for minimal cost. To break out requires low level access and a known kernel bug but the chroot makes exploiting the bug harder.
I think last time I checked, you could simply chroot out of a chroot "jail". I don't think it ever was designed to be a security feature.
So what do you think it was designed to be for?
To "break out", you need to be root. This is already a little bit of an impediment:
It should be noted that this document was written with protecting web servers from rogue CGI scripts in mind. Therefore it is not unreasonable to assume that a user has access to a Perl interpreter. It is then a matter for the user to gain root access via security holes on the box running the web server. Whilst this is outside the topic of the document, an attacker could make use of application programs which are setuid-root and have security holes within them. In a well maintained chroot() area such programs should not exist. However, it should be noted that maintaining a chroot()ed environment is a non-trival task, for example system patches which fix such security holes will not know about the copies of the programs within the chroot()ed area. Ensuring that there are no setuid-root executables within the padded cell is going to be a must.
Well, today we have Virtual Machines.
If you ran the web browser within a chroot/FreeBSD jail it could surely do what the hell it liked and not hurt anyone.
Gah. Look at the OWASP Top Ten. How many of those would be affected by sandboxing?
Most browser-based exploits affect server-side resources and attack protocol flaws. Sandboxing has no effect on them. A sandboxed browser will be just as vulnerable to XSS, CSRF, etc.
Maybe it might make sense to have a much simpler way to display web pages, combined with a simple way to do "web applications". It would need to have to be so simple you could implement it in a day.
Telnet. If you want more functionality pushed to the client side, TN3270 (or any of the other smart-terminal Telnet variations).
OK, "implement in a day" is pushing it (oh, you gloriously-overengineered Telnet negotiation protocol, you!). But a week should suffice.
"A simpler way to display web pages" won't do much for web security, though. Take a look at the
OWASP Top Ten. Several are primarily or exclusively on the server (including some, such as A2, that are mitigated by using advanced client-side capabilities). The others mostly do not rely on advanced client capabilities, except for CSRF - and it's very hard to see how non-trivial "web applications" could be constructed without opening the door to CSRF attacks.
Maybe "hacking" and designing and writing are three different skills,
Why is so much time and money spent on appearance and tools continue to be poor, underlying design poor etc?
It's daft to claim these contests are part of testing or QA. Quality and security is DESIGNED in, and implemented, not hacked and patched after the fact.
It [patching] leads to messy code and new bugs.
Why about 30 years after C++, Modula-2 and Objects etc are we still seeing Array Bounds vulnerabilities in SW?
I'm on a lot of security mailing lists and the bugs and vulnerabilities on for example PHP based CMS are all the more of the same year in year out.
We are doing it wrong in the first place.
Everyone PLEASE upvote Mage's comment!
"Why is so much time and money spent on appearance and tools continue to be poor, underlying design poor etc?"
That hits the nail precisely on the head. The answer, in brief, is that appearance yields a lot of quick up-front profit, and poor underlying design (including security) mostly harms others and can thus be swept under the carpet as an "externality".
Things would be a lot better if everyone who writes serious software (defined as software that is relied on by a lot of people for anything that matters) had to be properly qualified. But that would entail a solid background of computer science and software engineering - as well as management willing to pay for those things to be used - instead of hiring and firing people who just read the latest book on the latest version of the latest framework for the latest language on the currently fashionable platform.
Oh God.
Yes, I know of a company with a fairly mature product that needed an updated web front end. They hired someone who had just left university and invited him to choose the web framework and security model - because his information was "more up to date" than that of the existing developers.
While people like that exist, security is going to be an afterthought - if that.
While I agree with what you are saying in general, qualifications mean nothing. That's just adding a whitewash to a turd. A turd is a turd. Someone who wants to make money of software is someone who wants to make money off software. So no certification or qualification will change that.
Greed is the problem. Enough compromises and everyone does it. I mean just imagine if... It's already happened. It's like I woke up in the dystopian future.
Ahhh...
"The largest single prize not awarded was the $150,000 for successful demonstration of the grand-prize Exploit Unicorn, a triple-play puzzle specifically designed to provide the greatest challenge for researchers. Though no entrants made that attempt, the record-setting number of entrants and the diverse and creative approaches taken to crafting attacks made this a Pwn2Own for the ages."
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-s-New-Exploit-Unicorn-Prize-Additional-Background-for/ba-p/6357753
"Gorenc said staff at Google found six zero-day vulnerabilities in Microsoft code, as well as a kernel issue in Apple's iOS."
Macs on the rise? Maybe because of the erroneous advice given by friends/family about how great mac is? That's definitely it.
At least 'dows users know to protect themselves and take security seriously. The only security OSX users have is their belief in the system being secure.
I presume that is ironic?
Corporate IT departments with a Windows fleet to administer, yes.
Joe public - no. They buy anti-virus, believe the system is secure (just like OSX users) and then proceed to navigate recklessly around gambling and porn sites clicking on pop-ups.
And then they ask you to set up online banking and their accounts system on the relevant PC.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
