Oh Oh, Zero Day Now Really Means Zero Day…

“Microsoft is "evolving" its Advance Notification Service in a way that will make its advance security update information available only to customers with paid Premier support contracts and organizations "involved in its security programs."”

One of the things I hated about M$ even when their software more or less worked was that every Patch Tuesday I would have to rush around making sure all the updates were applied so that the zero-day vulnerability guys had less of a target. They diff the patched binaries against the old ones, figure out what was wrong with M$’s stuff and write an exploit for it, catching everyone who has not updated yet. Of course, M$ released its updates in the middle of my day, ruining it. It’s hard to re-re-reboot every machine in the system while folks are using them…

No longer is M$ giving us and the bad guys a heads-up about what’s wrong with M$’s software. They want us to pay for that privilege. Well, the bad guys can pay for it too. They can also diff the patch on their workbench the instant M$ releases it… I will continue using Debian GNU/Linux and be free of M$’s updates forever. There are no Patch Tuesdays with Debian GNU/Linux, so the bad guys are no further ahead: we all get Debian’s patches as soon as the security team generates them, and we can usually install the updates on running systems with no adverse consequences, like a re-re-reboot. (A new kernel still needs one reboot, and a long-running service only picks up a patched library once it is restarted, but that is nothing like a Patch Tuesday.)
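The one catch with patching a running system is worth checking rather than assuming: a daemon that loaded the old copy of a patched shared library keeps executing the vulnerable code until it is restarted, and the kernel marks such mappings "(deleted)" in /proc/PID/maps. The script below is an added example, not part of the original post or of Debian’s tooling; it parses a constructed maps file so it runs offline, then scans the live /proc if one is readable.

```sh
#!/bin/sh
# Added example: find processes that still map a library file that has since
# been replaced on disk (the usual result of "apt-get upgrade" on a running box).
# A mapping whose backing file was unlinked shows up in /proc/PID/maps with
# "(deleted)" appended to the path.

# Print the unique deleted shared-object paths found in one maps file.
# $1 = path to a /proc/PID/maps-style file.
stale_libs_in_maps() {
    # Fields: start-end perms offset dev inode pathname [(deleted)]
    # Keep lines whose last field is "(deleted)" and whose path looks like a .so
    awk '$NF == "(deleted)" && $6 ~ /\.so(\.|$)/ { print $6 }' "$1" 2>/dev/null | sort -u
}

# Number of distinct stale libraries in one maps file.
stale_lib_count() {
    stale_libs_in_maps "$1" | wc -l | tr -d ' '
}

# Constructed sample (not captured from a real host): libc was replaced while
# this process ran, libz is current, the heap and a deleted shm segment are noise.
write_sample_maps() {
    cat > "$1" <<'EOF'
7f1c2a000000-7f1c2a1c5000 r-xp 00000000 08:01 131234 /usr/lib/x86_64-linux-gnu/libc.so.6 (deleted)
7f1c2a1c5000-7f1c2a3c4000 ---p 001c5000 08:01 131234 /usr/lib/x86_64-linux-gnu/libc.so.6 (deleted)
7f1c2a400000-7f1c2a420000 r-xp 00000000 08:01 131300 /usr/lib/x86_64-linux-gnu/libz.so.1.2.13
7f1c2a500000-7f1c2a510000 rw-p 00000000 00:00 0 [heap]
7f1c2a600000-7f1c2a601000 rw-p 00000000 00:05 42 /dev/shm/sem.demo (deleted)
EOF
}

# Walk every readable /proc/PID/maps and report processes that still map a
# deleted library; each of those needs a restart before the patch is effective.
report_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_libs_in_maps "$maps")
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf 'PID %s (%s) still maps:\n' "$pid" "$comm"
        printf '    %s\n' $libs
    done
}

# Demonstrate on the constructed sample, then on the live system (if any).
sample=$(mktemp)
write_sample_maps "$sample"
printf 'Sample maps file reports %s stale library:\n' "$(stale_lib_count "$sample")"
stale_libs_in_maps "$sample"
rm -f "$sample"
report_stale_processes
```

On Debian the packaged `needrestart` tool does this job more thoroughly (it also knows about the running kernel versus the installed one); the point of the hand-rolled check is to see that "no reboot" is only as good as restarting whatever still holds the old code.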

Oh, you can stick with M$ and hope the bad guys don’t get any clues from the advance notices. “You’ve got to ask yourself one question, “Do I feel lucky?” Well, do you, punk?” (Dirty Harry’s famous words… Hint. The punk always lost…)

See Microsoft's advance security notification service no longer publicly available.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

14 Responses to Oh Oh, Zero Day Now Really Means Zero Day…

  1. oiaohm says:

    http://www.nytimes.com/2015/01/12/us/politics/obama-to-call-for-laws-covering-data-hacking-and-student-privacy.html?_r=0

    I really wonder what will happen if a mandatory 30-day release of breaches happens.

    The result could be people wanting to release CVE numbers sooner to explain what happened and to show that the issue is fixed.

  2. oiaohm says:

    Not to mention trivial alternatives like, say, emailing the entire goddamn team every day until somebody actually did something about it.
    DrLoser while we are on the issue of cites. You want me to provide cites disproving this.

    You raised the topic. Now please find the cites that say that this is a functional method from Cert and so on. Come on. Please do. For one thing, I know that once you do you will find you are absolutely wrong.

  3. oiaohm says:

    DrLoser, in fact using fifi instead of my handle is also reason enough for me not to give you cites. Why? I am not fifi.

  4. oiaohm says:

    DrLoser, I told you I will never give you cites. You called me a buffoon; I no longer need to give you cites. This is exactly like Oldman, whom you thought was cool, giving a demand answer all the time. Since you thought that was fine, you should have absolutely no problem with the current state of affairs.

  5. DrLoser says:

    Google release at 90 at least Microsoft now does 100 percent know about the flaw.

    That comment is so Goddamn Stupid, I’m just going to leave it dangling.

  6. DrLoser says:

    Me: Not to mention trivial alternatives like, say, emailing the entire goddamn team every day until somebody actually did something about it.
    Fifi: That has been done and interesting enough the result was flaws setting around for years.

    I completely agree. That is indeed “interesting enough.”

    Now, tell us (with or without cites) when this miraculous procedure actually happened.

    Fantasising again, aren’t we, Fifi?

  7. oiaohm wrote, “The change to Advance Notification Service really will not change much.”

    That’s probably true, but it was a reminder of how much I hated Patch Tuesdays. I don’t even notice them any longer. Meanwhile folks using “auto update” are getting clobbered rather regularly… I assume the bad guys will get the information one way or another so they will get a few extra days of head start against targets who don’t pay for the information. In that way, it increases the cost of using that other OS, just what I predicted in the End Days. M$ will milk the cash cow until it’s truly dead and keep raising the prices to the truly locked in. It’s an abusive relationship.

  8. oiaohm says:

    DrLoser, did I at one point say the rules at NIST are sane?

    Not to mention trivial alternatives like, say, emailing the entire goddamn team every day until somebody actually did something about it.
    That has been done and interesting enough the result was flaws setting around for years. Why? Everyone put the notices about flaws to be released in the spam filter because someone else would deal with the problem.

    Before you say "assign a person": the result has been the person critically ill and someone not taking over the job. Basically there is a long list of cases of security flaw information being lost. Everything involving humans releasing security flaw reports has failed. Automated, a human can extend how long until it is auto-released. Did you miss that about the Google flaw release? If Microsoft had contacted Google and told them a very good reason to have the flaw hidden for another 90 days, it could have been.

    Shoelaces is completely the wrong example. You have a black box with a button that must be pushed once per day when the light is on. Only one of you needs to. How many days until none of you do it? Only one problem: the complete building collapses because you did not press the button, killing you all. Is it not sane to automate that, even if the result is temporarily letting a criminal in?

    Google release at 90 at least Microsoft now does 100 percent know about the flaw.

    http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf
    DrZealot, you need to start reading here. And keep on reading with all the issues that have been found that have caused security flaws to get lost and remain unfixed.

    Every fix to security fault reporting causes another issue.

    Basically you must act on security flaws; if you don’t, either an attacker will find them or they will be published.

  9. DrLoser says:

    Automatic software to release flaw information when embargo is expired is in fact the USA Nist recommendation for a correctly configured security flaw storage system.

    Passing by the obvious fact that “a correctly configured security flaw storage system” is complete and utter nonsense, Fifi, this particular observation of yours has no value at all without a relevant cite, does it?

    Humans releasing flaw information can forget to do it.

    Oh yes. Oh yes indeed. I am an expert in “tying my shoelaces”, much as Project Zero are experts in “spotting security defects.”

    You know, if I didn’t have an automated process to remind me to tie my shoelaces every day, I’m pretty darned sure I’d forget to do it.

    Not to mention trivial alternatives like, say, emailing the entire goddamn team every day until somebody actually did something about it.

    You’ve really never once worked anywhere near a proper commercial IT organisation in your life, have you, oiaohm?

    Never mind, keep Googling. Oh, and should you care to extend yourself, a little “formal debate method” would be welcome.

  10. oiaohm says:

    Automatic software to release flaw information when the embargo has expired is in fact the USA NIST recommendation for a correctly configured security flaw storage system. Humans releasing flaw information can forget to do it.

    Everything Google did obeyed USA NIST policies. So the response to Google auto-releasing a flaw after 90 days should have been status normal. The fact it’s not status normal tells you how much the system is not working correctly.

  11. oiaohm says:

    The change to Advance Notification Service really will not change much. Most Microsoft security patches come after https://nvd.nist.gov/ information release embargoes are up anyhow. So more up-to-date information on Windows flaws has been in the NVD, and this is an absolutely wrong state of affairs to be going on. Debian or Red Hat, on the other hand: if you get vetted and you get into the Debian or Red Hat security mailing lists, you will get access to information that is not on the public record somewhere.

    Really this is the classic Microsoft solution to a problem. Something does not work make it a paid service or pay to hide it from the public.

    Security through obscurity is part of the NVD and Cert security reporting process DrLoser. Technically the rules say you only need to give a vendor 90 days of obscurity before publishing. 90 days to fix and get patch out there.

    There is a balance between security by obscurity and security by audit/inspection. Security by obscurity will always fail; it’s only a stop-gap measure. A person can only audit that a fault does not exist if they know about it. Anti-virus software can include a search for code that uses exploits.

    So the question is how many days from a fault being found it should take to be handed over to anti-virus vendors and administrators; the agreed value is 90 days.

    Mostly how Microsoft and other companies have got more than 90 days is paying those who find exploits to keep it secret longer. Google is not interested in being paid, because being paid not to release a flaw does expose Google to legal liability.

    This is the funny part: Google followed the NVD/Cert rules exactly. If what Google did was wrong, it’s not Google that needs to be changed, it is the NVD/Cert rules that need to be changed.

    Really everyone should have to play by the same security reporting rules. Vendors all using different reporting rules only makes life harder; this is why a USA software company not reporting to NVD is a fineable offense. The allowed obscurity time should also become defined and legally enforceable. Yes, the current rules say at least 90 days, so if you hold back a bug for 10+ years you have done nothing wrong, maybe. Current court arguments are that if you have held longer than 90 days you are liable for aiding and abetting the crime by withholding information. It is most likely going to be the courts that decide what the max obscurity time can be.

  12. DrLoser says:

    Security through obscurity..

    I see you are following Fifi into the righteous path of “formal argument,” Dougie! Good for you! I always like to see an aspiring intellectual do his best to overcome the poverty of his educational background by exploring new vistas!

    Formally, therefore, you are suggesting that this is a case of “security through obscurity.”
    1) In what way?
    2) Assuming this “obscurity” is in place, what would you propose a Windows user without access to the information has lost?

    I think M$ is upset with Google publishing an exploit…

    And you were doing so well before that asinine observation.

    1) Hard to see how this new policy makes any difference to Google randomly spewing damaging security leaks around.
    2) Hard to see how “punishing your customers” (implicit here, although I don’t see it myself) harms Google in any way.

    … so now they are removing features that people use.

    Cite a single instance of anybody at all “using” this information. For purposes of mitigation, or otherwise.

    Now, Premier organisations might use the info. (I can’t really see how.) And “Security organisations” are obviously going to find the info useful.

    Everybody else?

    I think not, Dougie.

  13. dougman says:

    Evolving??…what a joke.

    Security through obscurity..I think M$ is upset with Google publishing an exploit so now they are removing features that people use.

  14. DrLoser says:

    So, let’s get this straight, Robert.
    Are you saying that, if Microsoft made its “advance security update information,” possibly for zero-day exploits, possibly for everything, free and for instantaneous access for every single user of a Windows machine, then you’d switch in a heart-beat from Debian to Windows?

    That would seem to be the inevitable inference from your argument.

    Otherwise, why bother mentioning this new factoid at all? I mean, it’s not as if anybody who uses Windows actually cares, is it?
