<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://port25.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Port 25: The Open Source Community at Microsoft : Community, Security</title><link>http://port25.technet.com/archive/tags/Community/Security/default.aspx</link><description>Tags: Community, Security</description><dc:language>en</dc:language><generator>CommunityServer 2007.1 (Build: 40109.1145)</generator><item><title>Project Quant</title><link>http://port25.technet.com/archive/2009/04/15/project-quant.aspx</link><pubDate>Wed, 15 Apr 2009 22:54:00 GMT</pubDate><guid isPermaLink="false">af7480c4-26b7-468d-87b0-2acebabb473d:25303</guid><dc:creator>Peter Galli</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://port25.technet.com/rsscomments.aspx?PostID=25303</wfw:commentRss><comments>http://port25.technet.com/archive/2009/04/15/project-quant.aspx#comments</comments><description>&lt;P mce_keep="true"&gt;I noticed today that my colleague Jeff Jones in the security group is launching a metric project that appears to be leveraging some of the good bits of open techniques.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;I touched base with him briefly and he gave me a little more information about &lt;A class="" href="http://securosis.com/projectquant" target=_blank mce_href="http://securosis.com/projectquant"&gt;Project Quant&lt;/A&gt;, which is being undertaken along with &lt;A class="" href="http://securosis.com/" target=_blank mce_href="http://securosis.com/"&gt;Securosis&lt;/A&gt;, an independent security research firm.&lt;/P&gt;
&lt;P&gt;Project Quant will be working on the metrics of patch management and is as much an experiment of a new research process as it is one of security metrics, said Securosis founder Rich Mogull in a &lt;A class="" href="http://securosis.com/projectquant" target=_blank mce_href="http://securosis.com/projectquant"&gt;blog post&lt;/A&gt;.&lt;/P&gt;
&lt;P mce_keep="true"&gt;"For this project Jeff wanted to be involved, but also asked for an open, unbiased model that will be useful to community-at-large (in other words, he didn't ask for a sales tool). Rather than us developing something back at the metrics lab, Jeff asked us to lead an open community project with as much involvement from the different corners of the industry as possible," Mogull said.&lt;/P&gt;
&lt;P mce_keep="true"&gt;While he also acknowledged that it is risky for Securosis to allow direct involvement of the sponsor, the company is hoping that the process works the way it thinks it will, which also happens to match Microsoft's project goals.&lt;/P&gt;
&lt;P&gt;So, this is what's expected to happen: a project landing site has been set up at Securosis that will contain all material and research as it is developed; every piece of research will be posted for public comment and no comments will be filtered unless they are spam, totally off topic, or personal insults. &lt;/P&gt;
&lt;P mce_keep="true"&gt;All significant contributors will also be acknowledged in the final report, although there will be no financial compensation for contributors and the project itself will retain ownership rights. All material will also be released under a &lt;A class="" href="http://port25.technet.com/archive/2009/03/11/microsoft-makes-more-source-code-available.aspx" target=_blank mce_href="http://port25.technet.com/archive/2009/03/11/microsoft-makes-more-source-code-available.aspx"&gt;Creative Commons&lt;/A&gt; license, with spreadsheets released in both Excel and open formats. &lt;/P&gt;
&lt;P mce_keep="true"&gt;"In short, we are developing all research out in the open, soliciting community involvement at every stage, making all the materials public, acknowledging contributors, and eventually releasing the final results for free and public use. The end goal of the project is to deliver a metrics model for patch management response to help organizations assess their costs, optimize their process, and achieve their business goals. Let us know what you think, even if you think we're just full of it," Mogull said. &lt;/P&gt;
&lt;P mce_keep="true"&gt;For his part, Jones told me that while he has been zealous in past reports about using repeatable methodologies, pointing to his source of public data, and outlining his assumptions step-by-step, he would like to take transparency one step further by developing models and methodologies first, in an open and transparent manner, so that everyone can agree on the pros and cons before the methodologies are applied.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;"I think being completely open and transparent will help credibility since, similar to open source, everyone can scrutinize every step of the analysis ... creating open models and potentially getting community involvement just seems to be the right process," he says.&lt;/P&gt;
&lt;P&gt;I plan to interview him at greater length in the next few weeks, so look for a follow-up blog then.&lt;/P&gt;&lt;img src="http://port25.technet.com/aggbug.aspx?PostID=25303" width="1" height="1"&gt;</description><category domain="http://port25.technet.com/archive/tags/Partnerships/default.aspx">Partnerships</category><category domain="http://port25.technet.com/archive/tags/Interop/default.aspx">Interop</category><category domain="http://port25.technet.com/archive/tags/Security/default.aspx">Security</category><category domain="http://port25.technet.com/archive/tags/Management/default.aspx">Management</category><category domain="http://port25.technet.com/archive/tags/Community/default.aspx">Community</category><category domain="http://port25.technet.com/archive/tags/_7E00_FeaturedPost/default.aspx">~FeaturedPost</category></item><item><title>Web Sandbox Source Now Available Under Apache License 2.0</title><link>http://port25.technet.com/archive/2009/01/26/web-sandbox-source-now-available-under-apache-license-2-0.aspx</link><pubDate>Tue, 27 Jan 2009 02:48:00 GMT</pubDate><guid isPermaLink="false">af7480c4-26b7-468d-87b0-2acebabb473d:23512</guid><dc:creator>Peter Galli</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://port25.technet.com/rsscomments.aspx?PostID=23512</wfw:commentRss><comments>http://port25.technet.com/archive/2009/01/26/web-sandbox-source-now-available-under-apache-license-2-0.aspx#comments</comments><description>&lt;P mce_keep="true"&gt;Microsoft has released more source code under an OSI-approved license: this time it has made the source code for the &lt;A href="http://websandbox.livelabs.com/"&gt;Web Sandbox&lt;/A&gt; runtime available&amp;nbsp;under the &lt;A href="http://www.apache.org/licenses/LICENSE-2.0"&gt;Apache 2.0&lt;/A&gt; &amp;nbsp;open source license.&lt;/P&gt;
&lt;P mce_keep="true"&gt;The Web Sandbox project explores how to advance the web platform to improve security, isolation, quality of service and extensibility capabilities&amp;nbsp;for web developers and website users.&lt;/P&gt;
&lt;P&gt;More information on the licensing details, as well as comprehensive documentation for experimenting and integrating with the Web Sandbox, can be found &lt;A class="" href="http://websandbox.livelabs.com/" target=_blank mce_href="http://websandbox.livelabs.com/"&gt;here&lt;/A&gt;. &amp;nbsp;&lt;/P&gt;
&lt;P&gt;But, while developers are being encouraged to help define and refine the Web Sandbox, it is not recommended for those developers creating production sites as it is still under development.&lt;/P&gt;
&lt;P&gt;The Web Sandbox was created in response to limitations found in the current web platform, and is designed to explore &lt;A class="" href="http://websandbox.livelabs.com/documentation/overview_how.aspx" target=_blank mce_href="http://websandbox.livelabs.com/documentation/overview_how.aspx"&gt;potential solutions&lt;/A&gt;. Having a more secure and robust architecture as a foundational building block will help drive the next wave of Web innovation.&lt;/P&gt;
&lt;P&gt;The Sandbox is a framework that works on most modern browsers that support the &lt;A class="" href="http://www.ecma-international.org/publications/standards/Ecma-262.htm" target=_blank mce_href="http://www.ecma-international.org/publications/standards/Ecma-262.htm"&gt;"ECMA-262, 3&lt;SUP&gt;rd&lt;/SUP&gt; Edition"&lt;/A&gt; (JavaScript) standard, and provides the same features in all modern web browsers. No browser add-ons or changes are required to leverage this technology. Beyond security, the Web Sandbox normalizes the different browsers and provides consistent &lt;A class="" href="http://www.w3.org/DOM/" target=_blank mce_href="http://www.w3.org/DOM/"&gt;W3C DOM&lt;/A&gt; support.&lt;/P&gt;
&lt;P&gt;Since the initial release of Web Sandbox at PDC 2008, the team has received a lot of useful feedback from the web security community, and has also been collaborating with a number of customers, partners and the standards communities, all of whom want to adopt the technology when it is ready.&lt;/P&gt;
&lt;P&gt;The goal? An open and interoperable standard that will help foster interoperability with complementary technologies like script frameworks and drive widespread adoption of the Web Sandbox.&lt;/P&gt;
&lt;P&gt;This move is good news for Microsoft and the open source communities. But, it is important to note that while an Apache license is being used, the Web Sandbox project is not an Apache Software Foundation project and is not sponsored or endorsed by the ASF.&lt;/P&gt;
&lt;P&gt;Microsoft does, however, already have an active relationship with the ASF. In fact, last year the company announced it had become a &lt;A class="" href="http://port25.technet.com/archive/2008/07/25/oscon2008.aspx" target=_blank mce_href="http://port25.technet.com/archive/2008/07/25/oscon2008.aspx"&gt;sponsor of the ASF&lt;/A&gt; to help enable the Foundation to pay administrators and other support staff so that its developers can focus on writing great software.&lt;/P&gt;
&lt;P&gt;Sam Ramji, the senior Director of Platform Strategy at Microsoft, also delivered a &lt;A class="" href="http://port25.technet.com/archive/2008/11/06/apachecon-keynote.aspx" target=_blank mce_href="http://port25.technet.com/archive/2008/11/06/apachecon-keynote.aspx"&gt;keynote address at ApacheCon&lt;/A&gt; in New Orleans last November.&lt;/P&gt;
&lt;P&gt;Microsoft's Interoperability Technical Strategy Team already participates as a code contributor to the &lt;A class="" href="http://port25.technet.com/archive/2009/01/19/update-stonehenge-incubation-project.aspx" target=_blank mce_href="http://port25.technet.com/archive/2009/01/19/update-stonehenge-incubation-project.aspx"&gt;Apache Stonehenge incubator project&lt;/A&gt;; the company has also contributed&amp;nbsp;a patch to &lt;A href="http://adodb.sourceforge.net/" mce_href="http://adodb.sourceforge.net/"&gt;ADOdb&lt;/A&gt;, a popular data access layer for PHP used by many applications and which is licensed under the LGPL and BSD; while Microsoft's &lt;A class="" href="http://port25.technet.com/archive/2008/10/14/microsoft-s-powerset-team-resumes-hbase-contributions.aspx" target=_blank mce_href="http://port25.technet.com/archive/2008/10/14/microsoft-s-powerset-team-resumes-hbase-contributions.aspx"&gt;Powerset team&lt;/A&gt;&amp;nbsp;contributes&amp;nbsp;to &lt;A href="http://hadoop.apache.org/hbase/" mce_href="http://hadoop.apache.org/hbase/"&gt;HBase&lt;/A&gt;, an open-source, column-oriented, distributed database written in Java.&lt;/P&gt;&lt;img src="http://port25.technet.com/aggbug.aspx?PostID=23512" width="1" height="1"&gt;</description><category domain="http://port25.technet.com/archive/tags/Interop/default.aspx">Interop</category><category domain="http://port25.technet.com/archive/tags/Security/default.aspx">Security</category><category domain="http://port25.technet.com/archive/tags/Standards/default.aspx">Standards</category><category domain="http://port25.technet.com/archive/tags/Java/default.aspx">Java</category><category domain="http://port25.technet.com/archive/tags/Community/default.aspx">Community</category><category domain="http://port25.technet.com/archive/tags/Open+Source/default.aspx">Open Source</category><category domain="http://port25.technet.com/archive/tags/Dev+Center/default.aspx">Dev Center</category><category 
domain="http://port25.technet.com/archive/tags/Web/default.aspx">Web</category><category domain="http://port25.technet.com/archive/tags/_7E00_FeaturedPost/default.aspx">~FeaturedPost</category><category domain="http://port25.technet.com/archive/tags/Peter+Galli/default.aspx">Peter Galli</category></item><item><title>Technical Analysis: Security Considerations for rdesktop and Windows Terminal Services</title><link>http://port25.technet.com/archive/2008/06/17/technical-analysis-security-considerations-for-rdesktop-and-windows-terminal-services.aspx</link><pubDate>Tue, 17 Jun 2008 16:10:00 GMT</pubDate><guid isPermaLink="false">af7480c4-26b7-468d-87b0-2acebabb473d:19593</guid><dc:creator>jcannon</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://port25.technet.com/rsscomments.aspx?PostID=19593</wfw:commentRss><comments>http://port25.technet.com/archive/2008/06/17/technical-analysis-security-considerations-for-rdesktop-and-windows-terminal-services.aspx#comments</comments><description>&lt;P mce_keep="true"&gt;&lt;STRONG&gt;Abstract&lt;/STRONG&gt;: Microsoft Terminal Services provides an important set of functionality for remote administration and centralized application management.&amp;nbsp; This service allows administrators to log in remotely and with full access to the system. Similarly, users can log in and run specific applications, which are centrally managed by IT personnel. The standard client for Linux systems is rdesktop. Rdesktop is shipped with many Linux distributions and this paper briefly&amp;nbsp;looks at common security considerations around using this client application in Windows environments. &lt;/P&gt;
&lt;P mce_keep="true"&gt;Download &lt;A class="" href="http://port25.technet.com/attachment/19593.ashx" mce_href="http://port25.technet.com/attachment/19593.ashx"&gt;Security Considerations for rdesktop and Windows Terminal Services&lt;/A&gt;&lt;/P&gt;
&lt;P mce_keep="true"&gt;&lt;STRONG&gt;Note&lt;/STRONG&gt;: This paper represents testing and documentation in a lab environment. User Account Control (UAC) is an essential security component to Windows and Microsoft does not recommend turning off UAC in production environments.&lt;/P&gt;&lt;img src="http://port25.technet.com/aggbug.aspx?PostID=19593" width="1" height="1"&gt;</description><enclosure url="http://port25.technet.com/attachment/19593.ashx" length="83795" type="application/pdf" /><category domain="http://port25.technet.com/archive/tags/Security/default.aspx">Security</category><category domain="http://port25.technet.com/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://port25.technet.com/archive/tags/Community/default.aspx">Community</category><category domain="http://port25.technet.com/archive/tags/Server+Center/default.aspx">Server Center</category><category domain="http://port25.technet.com/archive/tags/jcannon/default.aspx">jcannon</category><category domain="http://port25.technet.com/archive/tags/_7E00_FeaturedPost/default.aspx">~FeaturedPost</category></item><item><title>Languages Have Become Too Easy...</title><link>http://port25.technet.com/archive/2006/12/18/languages-have-become-too-easy.aspx</link><pubDate>Mon, 18 Dec 2006 17:40:00 GMT</pubDate><guid isPermaLink="false">af7480c4-26b7-468d-87b0-2acebabb473d:3371</guid><dc:creator>hjanssen</dc:creator><slash:comments>7</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://port25.technet.com/rsscomments.aspx?PostID=3371</wfw:commentRss><comments>http://port25.technet.com/archive/2006/12/18/languages-have-become-too-easy.aspx#comments</comments><description>&lt;p&gt;&lt;font face="Verdana" size="2"&gt;I have finally found a way to write more blogs!!! When I am in the office I have so much work that I rarely get enough time to sit down and concentrate on a blog. 
When I get home (my wife tells me normally later than she wants me to) I do not always have the desire to write a blog. But I am flying for work this week and I am finding all kinds of time!&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;For me, the line that epitomizes the fact that I must have turned into my parents is &amp;ldquo;When I was Young&amp;rdquo;. Yet I am finding myself starting this blog with exactly that.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;First let me describe the catalyst for this blog:&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;A few months ago I attended OSCON 2006; one of the sessions I went to was called &amp;lsquo;PHP Security Hoedown&amp;rsquo;, given by Ed Finkler (&lt;a href="http://homes.cerias.purdue.edu/~coj/phpsecinafo" style="color:blue;text-decoration:underline;text-underline:single;"&gt;http://homes.cerias.purdue.edu/~coj/phpsecinafo&lt;/a&gt;)&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;Basically, what this session was about was talking about PHP security. The session was a response to security problems people have been finding with PHP. Specifically the installations and running of PHP.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;He stated that a large part of the security problems that PHP seems to be suffering from can be summed up like this (I have taken some liberty to paraphrase some of the things that were said, but check the above link to his original presentation):&lt;/font&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;PHP has a fairly shallow learning curve. Because it is a shallow learning curve, there is a lot of variety of people that are wide in range of skill sets. 
Basically almost anybody can get started in PHP and get something running pretty quickly.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;There is really only a small percentage of top level people who could be considered &amp;lsquo;experts&amp;rsquo; in the language.&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;So, now we are getting to the part that I warned about. &amp;lsquo;When I was Young&amp;rsquo;.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;Many moons ago, now more than I am willing to legally admit to, I started my career with Philips/AT&amp;amp;T, who at the time had a joint venture; they developed very complex digital telephone switches, the 5ESS line. This was a very sophisticated telephone system that was almost completely written in C. &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;When I started my programming career with AT&amp;amp;T (now over 20 years ago) you had to go through a lengthy process of learning the language C. Carrier grade software was and still is of a very complex nature. As people who have ever written in C know, it is a very powerful language that provides you with a very large gun to shoot yourself in almost every body part you can if you are not careful. So we were trained very well before we were let loose writing switching code. 
One of the other requirements, if you wanted to make the jump into C++ (mind you, this was when there was no C++ compiler yet, only CFront, which was a pre-compiler/parser), was that you were not allowed to write in C++ unless you had been programming C for at least 3 years consistently.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;There really were not as many higher level languages as there are today.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;For the last few years I have seen more and more computer languages born, and in some cases die. And they all try to fix what their authors thought was missing in the languages that came before them. Another trend has been to make languages more accessible and easier to use for people from all walks of life who want to program. Imagine that! A language that does not require a 4 year degree to work in!&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;Some of these languages, for example PHP and Ruby (it is certainly not limited to these languages, I might add!), allow people with limited computing background to make fairly decent programs in a small amount of time.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;But this is where some of the security issues are showing up. The languages are becoming easier to use. But a lot of the operating systems they run on really have not become easier. So, many of these programs are now used without the installer or programmer realizing what the effect and impact of running their programs are on the operating systems. This seems to be a problem on both Linux and Windows platforms. 
&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;Although I applaud making programming languages easier for the more casual user, I do see that we are forgetting in many cases to make the environments these programs need to run in safer and easier as well.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;So many times I have seen programs that write their files in &amp;lsquo;interesting&amp;rsquo; and unsecured places. The presence of multiple libraries that might or might not support the application (heck, I am not sure what makes the thing run, so I will just copy all kinds of libraries in an attempt to make the application work).&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;File permissions that are set incorrectly, readable by the world. Incorrect owners etc.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;And these are just some of the issues that seem to be present. And unfortunately a lot of these problems are easily fixed.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;But I think that we need to do more as developers and system architects. Some of the suggestions that come to mind are:&lt;/font&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;font face="Verdana" size="2"&gt;Provide security and architecture primers as part of the languages that are being developed. This should make it easier for the end app developer to have an appreciation of the program they wrote and what environment it will run in. (Tips and tricks documents, do&amp;rsquo;s and don&amp;rsquo;ts documents, etc.) &lt;/font&gt;&lt;/li&gt;&lt;li&gt;&lt;font face="Verdana" size="2"&gt;Keep up with the development of the operating systems to make it safer/easier to deploy these new languages. UML in Linux might be a step in the right direction, and so is the new security mode that Internet Explorer runs in on Vista. 
But more needs to be done.&lt;/font&gt;&lt;/li&gt;&lt;li&gt;&lt;font face="Verdana" size="2"&gt;Have experts in the language provide more support in the area of the interaction with the OS and application programming for the target audience.&lt;/font&gt;&lt;/li&gt;&lt;li&gt;&lt;font face="Verdana" size="2"&gt;Make installers easier to use and smarter. Taking a lot of the work of deployment out of the hands of those who want to write code without needing a master&amp;rsquo;s in the OS they are deploying on. WIX for Windows does a very nice job. And there are a few on Linux as well (rpm for example) but I would say they have some way to go so that they are easier and safer to use.&lt;/font&gt;&lt;/li&gt;&lt;li&gt;&lt;font face="Verdana" size="2"&gt;Have &amp;lsquo;self check&amp;rsquo; modes on the languages that are being developed. E.g. start the program the end user just wrote and the language will have a mode that will warn/comment/suggest things to the app developer. (Such as there was lint in Unix. But it should be part of the execution of the application program. And it has to be user friendly. Lint at times was downright sadistic in trying to decipher :) )&lt;/font&gt;&lt;/li&gt;&lt;li&gt;&lt;font face="Verdana" size="2"&gt;Force files to be created in safe areas. &lt;/font&gt;&lt;/li&gt;&lt;li&gt;&lt;font face="Verdana" size="2"&gt;A lot of OSS software comes with &amp;lsquo;configure&amp;rsquo;, which is a very old and robust way of building make files and their dependencies. Now create something called &amp;lsquo;deploy&amp;rsquo; that will do the same thing for the completed applications the end programmer just created. 
The things it should check are, for example:&lt;/font&gt; &lt;p&gt;&lt;font face="Verdana" size="2"&gt;o&amp;nbsp;&amp;nbsp;&amp;nbsp; Are the libraries it needs in the correct place&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;o&amp;nbsp;&amp;nbsp;&amp;nbsp; Set up the environment variables if needed&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;o&amp;nbsp;&amp;nbsp;&amp;nbsp; Does it follow the language author&amp;rsquo;s best practices for deployment? (Make application programs go to /usr/local/bin instead of /bin)&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;o&amp;nbsp;&amp;nbsp;&amp;nbsp; Make sure that the directories it gets deployed in are not owned by the wrong owner/groups&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;font face="Verdana" size="2"&gt;Have more interaction with the OS developers and the language developers to help each other build better languages and safer deployments on the OS.&lt;/font&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;It seems to me that languages need to be developed more with the end user in mind regarding deployment and the OS&amp;rsquo;s they will be running in. A language can have all the cool features you ever thought of, but if on deployment you create system issues or, worse, a bad security hole, then it all will have been just a hobby. &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;I can equate it to getting your driver&amp;rsquo;s license: getting your license is fairly easy (at least in the US it is). And you can get it without knowing anything at all about cars. Car manufacturers have realized this and have made their cars tell the driver what is wrong with it. 
Now if you keep on driving your car with the &amp;lsquo;check engine light&amp;rsquo; on, well, then you are on your own.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana" size="2"&gt;If we want languages to be adopted and thrive, we better find a way to build in a &amp;lsquo;check program&amp;rsquo; light.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Verdana"&gt;&lt;/font&gt;&lt;/p&gt;&lt;img src="http://port25.technet.com/aggbug.aspx?PostID=3371" width="1" height="1"&gt;</description><category domain="http://port25.technet.com/archive/tags/Hank+Janssen/default.aspx">Hank Janssen</category><category domain="http://port25.technet.com/archive/tags/Security/default.aspx">Security</category><category domain="http://port25.technet.com/archive/tags/Community/default.aspx">Community</category></item></channel></rss>