
De-worming the net

Worms are a problem on the net. Even users of operating systems which tend not to be afflicted by this sort of malware are affected when worm-caused traffic clogs the net or brings down sites of interest. So everybody has an interest in finding ways to reduce the number of worm infections.

Researcher Douglas Barnes has taken a look at the problem and come up with a new set of recommendations. His work is written up in this 50-page PDF document. We took a look at his work, with an emphasis on its implications for the free software community.

The paper starts by pointing out that market forces have failed to put an end to the worm problem. Indeed, the characteristics of the software market tend to encourage the creation and use of vulnerable software. The company which wins in the market is the one which is able to get its product adopted first and establish the de facto standards. So manufacturers have a great incentive to emphasize features and time to market over security. Since moving away from buggy software can be difficult, software vendors tend not to pay much of a cost for security incidents which involve their products.

The author notes that free software is a pleasant exception to this problem:

Open Source software is often developed by, or with substantial participation from particularly security-conscious users. These users have strong incentives to participate in initial development in order to prevent having to rework the product later or create a more secure "fork." Open source does not directly address the problem of user flaws, and particular projects can be as rushed and buggy as proprietary software. However, because it is open and modifiable by anyone, it is at least capable of responding to those users who are concerned.

Some commentators (notably Bruce Schneier) have proposed that software vendors should be made legally liable for flaws in their products; at that point, they would have a strong motivation to take the time to get things right. Mr. Barnes, however, thinks that the liability approach will not work. Many quirks in the U.S. justice system make it hard to win a suit based on software flaws; these include the enforceability of "click-wrap" licenses, the notion that the vendor is not the real cause of security problems (the crackers are), and the interesting precedent that loss of data is not considered to be "physical harm." The potential harm to free software projects is also mentioned as a reason to avoid the litigation approach.

So how is the worm problem to be solved? Mr. Barnes has three suggestions:

  • Bug Bounties. The success of bounties offered to those who report security-related bugs in programs like Netscape and djbdns is remarked upon. Mr. Barnes notes, however, that software companies are generally uninterested in offering bug bounties. So, he says, bounties should be imposed upon them by way of a publicly-administered program. Software publishers would contribute to a fund which would be used to pay bounties.

  • Quality standards for software. The idea here is that worms should be treated as if they were an environmental issue; some sort of regulatory agency would be empowered to impose standards upon software. No suggestions for specific standards are made.

  • Penalties for use of insecure software. Users, this paper claims, do not sufficiently value security in software. To help them see the error of their ways, a penalty would be imposed on users who insist on running software known to be insecure.

Establishing this sort of regulatory regime looks like an uphill battle, to say the least. That is likely to be a good thing; the imposition of a heavy-handed, low-clue regulatory agency upon the software industry could easily do more harm than good. But the community can - and does - benefit from these ideas already.

Free software projects with the requisite funding have used bug bounties before; the original such bounty may well have been Donald Knuth's rewards to those who found bugs in TeX. Even in the absence of cash bounties, numerous white-hat researchers can be seen digging for security bugs in free software for the reputation benefits and the sheer fun of it. Perhaps groups like OSDL could consider offering bounties on security bugs in certain bodies of code as a way of encouraging this process.

Free projects often have software quality standards as well, though they vary greatly from one project to the next. Peer review catches many obvious mistakes; in some projects, code is increasingly unlikely to be accepted if it is not seen as being up to certain standards. Many projects could benefit from stronger standards, however, and from some sort of documentation of just what their standards are.

Certainly the community has little sympathy for penalizing users for their software choices. Still, that approach can be seen in some corners. Firefox will nag at people who use a version known to have vulnerabilities. Hopelessly insecure packages become unsupported and unavailable from distributions, forcing users to find an alternative. But the community has put most of its effort into an alternative approach: making it as easy as possible to run a system without known vulnerabilities. Most modern distributions can be kept updated with little or no effort; it's almost harder not to patch them.
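The "nag about a version known to have vulnerabilities" check described above comes down to comparing an installed version against the version an advisory names as fixed. The block below is an added example, not code from LWN, from Mr. Barnes's paper or from any distribution's tooling. The package inventory and advisory table are constructed for illustration, and the ordering rule is a simplified form of the dpkg version comparison (an epoch before a colon outranks everything after it, digit runs compare numerically, and a "~" pre-release marker sorts before even the end of the string); treat that rule as an assumption about what such a tool does, not a reproduction of one.

```python
"""Flag installed packages older than the fixed version an advisory names.

Added example, not code from LWN or from any distribution. The inventory and
advisory data below are constructed; the comparison is a simplified dpkg-style
ordering and is an assumption about the real tools, not a copy of them.
"""
import re
from itertools import zip_longest
from typing import Dict, List, Tuple

# A version string is split into alternating digit and non-digit runs.
_TOKEN = re.compile(r"\d+|\D+")


def _split_epoch(version: str) -> Tuple[int, str]:
    """'1:3.8.1p1-8' -> (1, '3.8.1p1-8'); no epoch means epoch 0."""
    epoch, sep, rest = version.partition(":")
    if sep and epoch.isdigit():
        return int(epoch), rest
    return 0, version


def _cmp_text(x: str, y: str) -> int:
    """Lexical comparison of non-digit runs where '~' sorts before everything,
    including the end of the string, so '1.0~rc1' is older than '1.0'."""
    for cx, cy in zip_longest(x, y, fillvalue=""):
        if cx == cy:
            continue
        if cx == "~":
            return -1
        if cy == "~":
            return 1
        if cx == "":
            return -1
        if cy == "":
            return 1
        return -1 if cx < cy else 1
    return 0


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ea, ra = _split_epoch(a)
    eb, rb = _split_epoch(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in zip_longest(_TOKEN.findall(ra), _TOKEN.findall(rb), fillvalue=""):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return -1 if int(x) < int(y) else 1
        if xd or yd:
            # A digit run against text (or nothing): the text run is compared
            # first with the digit side standing in as an empty run; on a tie,
            # the side that has digits is the newer one ('1.' < '1.2').
            r = _cmp_text("" if xd else x, "" if yd else y)
            return r if r else (1 if xd else -1)
        return _cmp_text(x, y)
    return 0


def find_vulnerable(installed: Dict[str, str],
                    advisories: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, installed_version, fixed_version) for every installed
    package whose version is older than the fix the advisory names."""
    hits = []
    for pkg, fixed in advisories.items():
        have = installed.get(pkg)
        if have is not None and compare_versions(have, fixed) < 0:
            hits.append((pkg, have, fixed))
    return sorted(hits)


# Constructed sample inventory and advisory table (not real advisories).
INSTALLED = {
    "openssh-server": "1:3.8.1p1-8",
    "firefox": "1.0~rc1-1",
    "sendmail": "8.13.1-3",
    "apache2": "2.0.52-2",
}
ADVISORIES = {
    "openssh-server": "1:3.8.1p1-8.1",
    "firefox": "1.0-1",
    "sendmail": "8.13.1-3",
    "vim": "6.3-1",          # not installed here, so never reported
}

if __name__ == "__main__":
    for pkg, have, fixed in find_vulnerable(INSTALLED, ADVISORIES):
        print(f"{pkg}: installed {have}, fixed in {fixed}")
```

Two of the constructed entries are the cases a naive string compare gets wrong: the Firefox release candidate, which a plain lexical compare would rank newer than the 1.0 release because "~" sorts after "-", and the OpenSSH package with an epoch, which would be ranked by the leading "1" rather than the 3.8 that follows it.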

So, perhaps, the free software community already has most of the tools it needs to contribute toward a worm-free net. No regulatory action required. All that is needed is to get the rest of the software community to catch up.



De-worming the net

Posted Nov 24, 2004 4:31 UTC (Wed) by gte223j (guest, #6492) [Link]

I hate worms as much as the next guy, however this dude is off his rocker!! He feels that government should get involved and set it straight. 1) Bug Bounties - Who would set the prices?? Where would the money come from??? Either from taxpayers:-( or the business:-( 2)Quality Standards- Another government agency that would have to review software?? You wouldn't be able to sell your code without paying for the certification!!! 3)Penalties- Write laws and prosecute people for being stupid.....

Have you ever heard anyone say "The post office was quick and pleasant" or "The DMV handled my needs with promptness" or "The IRS is efficient" or etc......

The problem, to a large degree, is not the quality of software. People can install free firewalls and actually patch their systems before getting on the net!!!! People need to be educated. It is not a simple task because people take it very personally, like driving a car. "I know what I'm doing", I heard lots of times. People just don't realize that the net is a dark place not to be naked in. They buy their shiny new computer and hook it up without any sort of preparation or forethought. Oh well, I have ranted long enough.

Brian

De-worming the net

Posted Nov 24, 2004 12:19 UTC (Wed) by MathFox (guest, #6104) [Link]

The problem, to a large degree, is not the quality of software. People can install free firewalls and actually patch their systems before getting on the net!!!! People need to be educated. It is not a simple task because people take it very personally, like driving a car. "I know what I'm doing", I heard lots of times. People just don't realize that the net is a dark place not to be naked in. They buy their shiny new computer and hook it up without any sort of preparation or forethought.
What kind of information do people get...
[butterflies] Have the MSN XPerience, all of the information on the Internet conveniently at your fingertips
Professionals know the harsh truth. It would help a lot if software providers would get a legal responsibility for the quality of their software so that software users have a standing:
  • To expect that software works as advertised,
  • To get free bug fixes for their software (also for older versions),
  • To expect privacy from the spying eyes of the software provider,
  • To sue their software provider for negligence and malpractice.
I agree with Bruce Schneier that putting a liability on the software providers to fix their problems would help a lot. There should be some "Digital Consumer Protection" act that ensures that the essential rights can not be "clicked away." (Says a few words on fair use rights on DRM protected works too?)

De-worming the net

Posted Nov 24, 2004 15:43 UTC (Wed) by vmole (guest, #111) [Link]

"The post office was quick and pleasant"

While it is great fun and a long tradition to make fun of the USPS, I think the fact that I can put a few pieces of paper in an envelope, attach USD 0.35 to it (by far the smallest single transaction I make these days), put it outside my front door, and have it appear on someone else's front door a thousand miles away a few days later to be a pretty good deal. FedEx wants ~USD 10.00 to perform the same service, and frankly, the people in my local Post Office are nicer and more efficient than the people at my local FedEx dropoff (which is, admittedly, not a "real" FedEx office).

De-worming the net

Posted Nov 24, 2004 23:55 UTC (Wed) by njhurst (guest, #6022) [Link]

Indeed, I was going to pick up on that line too :) Australia Post is by far the cheapest and most reliable way to get physical stuff between point A and B. I have never felt let down by post office service.

Pick on an agency that deserves it. ;)

government

Posted Sep 15, 2005 21:27 UTC (Thu) by rfunk (subscriber, #4054) [Link]

While I don't necessarily agree with the conclusions in this article
either (my next comment is about bug bounties), I definitely disagree
with your comments on government agencies.

In fact, the U.S. post office is remarkably quick and pleasant (and
cheap) compared to its competition, and the IRS is probably the most
efficient department of the U.S. government despite the byzantine laws
they must enforce.

On the other hand, interactions with the state bureau of motor vehicles
are a somewhat different story. I note two things about that, though.
For one, it's a state agency, not a federal one like your other examples.
And two, in my state almost all interactions with that department are
mediated through an independent local contractor rather than directly
with the state.

De-worming the net

Posted Nov 24, 2004 10:53 UTC (Wed) by khim (subscriber, #9252) [Link]

Minor correction: TEX is either TEX or TeX, not TeX!

De-worming the net

Posted Nov 24, 2004 14:46 UTC (Wed) by maney (subscriber, #12630) [Link]

More significantly, Knuth has offered a bug bounty since at least 1973. In the second edition of Fundamental Algorithms, the first volume of his great work, he mentions this reward in the 2nd preface, dated October 1973. I'm not sure when work on TEX began, but I think it was rather later than that.

De-worming the net

Posted Nov 24, 2004 23:14 UTC (Wed) by nedrichards (guest, #23295) [Link]

Note parent for spelling correction. ;-)

De-worming the net

Posted Nov 24, 2004 12:53 UTC (Wed) by agreenhalgh (guest, #7780) [Link]

One possible comment worth making is that our current internet architecture doesn't do much to help protect the end user from attack. We have an architecture where every device on the network is equal and can send data to or receive data from another host. Ok whilst this is probably what you'd like to have , it does open the large number of client machines out there to be attacked, compromised and reused as spam relays or DoS bots.

This paper we recently presented at the FDNA workshop at Sigcomm goes into some of the issues. The paper is intended to open a discussion and to make people aware of what some of the solutions to this problem are; it is intended to be controversial.

http://www.sigcomm.org/sigcomm2004/workshop_papers/dos-ar...

De-worming the net

Posted Nov 24, 2004 17:11 UTC (Wed) by farnz (guest, #17727) [Link]

You make it very hard for a random user to set up any sort of services on their own box; examples of services a random user would want to set up (and that you exclude) are remote desktop services, so that I can connect to my home machine from work, and do things on the home machine, and remote administration services, so that I can delegate responsibility for my machine to a remote authority.

What might work as a variation is allowing all Internet nodes to flag which services they have open; an ISP can then e-mail a user to say that (for example) 2001:8b0:104::1 is running an SMTP server now, or a user can indicate to their ISP that they only want 2001:8b0:104::22 to provide an ssh service.

De-worming the net

Posted Nov 24, 2004 18:24 UTC (Wed) by bfields (subscriber, #19510) [Link]

> What might work as a variation is allowing all Internet nodes to flag
> which services they have open; an ISP can then e-mail a user to say
> that (for example) 2001:8b0:104::1 is running an SMTP server now, or a
> user can indicate to their ISP that they only want 2001:8b0:104::22
> to provide an ssh service.

I don't understand the focus on services. Haven't some of the most effective automated attacks in recent years been entirely client-based? Send someone an email, which they download, which exploits their mail client and uses it to send more email.

What's the benefit to drawing distinctions between clients and servers?

De-worming the net

Posted Nov 24, 2004 18:54 UTC (Wed) by andyo (guest, #30) [Link]

...numerous white-hat researchers can be seen digging for security bugs in free software for the reputation benefits and the sheer fun of it.
I've read that there is a perverse incentive to waiting till a version is released before searching for bugs. If you find a security flaw in a released version, you get in the news and make your consulting service look powerful and valuable. If you find a flaw during beta testing, it just gets fixed and you get thanked.

The law I would like

Posted Nov 24, 2004 20:43 UTC (Wed) by error27 (subscriber, #8346) [Link]

In California, if our company gets hacked and our database gets stolen, we have to let our customers know that someone has their data. But the software company that sold me the database doesn't have any legal obligation to inform me about vulnerabilities that can lead to theft. In fact, when I buy software, almost all of it says "secure" right on the box and I can't know if it has had lots of vulnerabilities in the past.

Software vendors should be told to put a list of recent vulnerabilities on the outside of the box, and a URL where I can see the list of vulnerabilities that have been found since the box was wrapped. Compare it to the nutrition information that is printed on the outside of food.

This solution is free. It is fair for all software companies regardless of how large they are. It would be effective in making people write secure software and it would affect purchasing decisions.

Bug bounties

Posted Sep 15, 2005 21:40 UTC (Thu) by rfunk (subscriber, #4054) [Link]

As I noted in a comment elsewhere in this LWN, bug bounties a la DJB are
no guarantee of security. In fact they appear to give people a false
sense of security. The people who really need to look at the code in
order to assure that it's safe (or reveal that it's not safe) will not be
persuaded to do so by a few hundred dollars. If they do it, it's because
they want to, not because of the money.

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds