Let me begin by stating that DoS is not a vulnerability — it is a result; it is an effect of an underlying issue. The fact that a DoS occurs may be an indication of a vulnerability. A long input string leading to a crash may stem from a failed buffer overflow that is exploitable under the correct conditions. Malformed TCP packets that cause the network interface to lock up, may be caused by an invalid memory allocation or a NULL pointer dereference, either of which may be exploitable.

Now, back to the Word 2007 DoS 0day claims. The so-called MS security-guru David LeBlanc touts these claims as “security features”. Word crashed due to a protection mechanism that causes a crash instead of allowing for a possible exploit. Nobody is going to argue that a crash is much preferred over an exploit, but people, such as myself and ComputerWorld’s Frank Hayes, will argue that DoS should be classified as a security concern.

LeBlanc claims that crashes and DoS conditions fall into one of three categories:

1. “Your code blew up, and you’re about to get 0wn3d. Yup, it’s exploitable, and the customers are not going to be happy.
2. Your code blew up, and maybe it is exploitable, maybe not.
3. Your code blew up, and you meant it to blow up, and it’s clearly not exploitable.”

And states that 0days fall into the third category and are unexploitable.

Hayes points out that a crash could lead to further, systemic issues. For example, researchers have found exploits (e.g., CVE-2006-3648) regarding the exception handling in other MS products (see Exploiting the Otherwise Non-exploitable on Windows). So, just because a bug (or “feature” in MS lingo) isn’t exploitable, it still may have a security impact.

Also, I would like to call into account Microsoft’s own history regarding “unexploitable crashes”. For example, the Javascript window() issue in IE was publicly reported as a DoS in May 2005 and was ignored by MS, until being reported as exploitable in November 2005. It was finally patched in MS05-054 in December 2005.

Finally, in a comment to MS, exactly how are researchers suppose to know the exploitability of your code? With everything being closed source, we cannot tell if such issues are anything beyond a denial of service.

Coming from the security and vulnerability space, PHP is the worst offender of security. PHP is easy to use, but hard to use securely. Stefan Esser’s Hardened PHP project goes to show how much more improving PHP needs. Giving the PHP development some credit, they have starting taking some steps to improving security, like finally disabling the register_globals and allow_url_fopen options by default. However, this is too little too late.

You can tell a language is a threat, when the vulnerability researchers have to come up with new classes of vulnerabilities just to describe the language’s security deficiencies — PHP Remote File Inclusion and Dynamic Variable Evaluation come to mind. Let’s see, how many hundred (thousands?) of websites have been compromised due to PHP’s mainstream exposure and “ease-of-use”. All of that in addition to the increased XSS threat from global variables and multiple problems with CSRF and session handling.

Even the PHP language (and Zend Engine) has had its share of critical issues: CVE-2006-3017 and CVE-2006-5465. According to NVD’s CVE data, in 2006 and 2007, PHP has had 90 reported vulnerabilities (quite a few of which were from Esser’s recent Month of PHP Bugs (MoPB)). [Sorry, I can't find a way to link to the NVD search results.]

At least people other than O’Reilly can profit off of PHP’s mainstream recognition.

Imagine you are living in a beautiful house, but the walls are constantly needed to be patched, the floor is not level, and the house tends to flood. You keep hiring contractors to fill the holes in the dry wall, add supports, re-lay tiling, and clean up the water damage. You can maintain this process for the next several decades before the house becomes hazardous, but most people would become suspicious after the first year or two. It is only then to they step outside the problem and look at the structural foundations, only to realize that the house was built on top of sand and right next to an ocean…

So, what is the point? What does that have to do with computer security?

That house is the computer and Internet — the icons of the Information Age, and we’ve been living in a rotting house since 1970 (but did not start to notice until the mid 1990′s). Security has become a huge issue, and we are just trying to survive by throwing technology and halfbaked ideas at the problem.

When it comes to digital security, why do we always try to bandage and mitigate problems instead of solving them? Anti-virus is just about dead. Firewalls can do only so much. IDS systems are fairly error prone and don’t do well as preventing new attacks. Our authentication and permissions systems consist of archaic passwords and rwx file permissions.

The chips and memory and programming techniques have advanced, but security has done very little to keep pace. We cannot do much to stop e-mail spam, control network activity, or prevent against attacks because the network, hardware, operating systems, and applications either don’t support security or implement it as an afterthought. I mean, how are we suppose to protect ourselves if we are facing more than 15 new vulnerabilities per day!

Most users cannot and do not track and maintain their installed programs. Most don’t know how to be more secure and are not savvy enough to even understand how to work today’s complex (security) software. Remember: Your security is only as good as your weakest point; I only need to find one hole in order to slip past your security.

Security is a never ending battle for the defenders, which becomes more bleak when you realize that there is absolutely no way of winning. I think the only way we are going to have any real success is to compile all of our lessons learned from the past few decades, go back to the drawing board, and redraft the architecture of networks, computers, and software. Build security and usability into the design from the start. Take the bullet out of the gun and enable the safety to prevent people from getting attack (or shooting themself in the foot).

As far as management goes, each manager approaches their job in a different way and has certain characteristic and tendencies. I have already enumerated the various managing styles in a previous post.

So, how do managing characteristics and operating systems compare?

• Linux: You are an engineer. You like technology and tinkering. You prefer to be your own boss and to stay away from personnel issues.
• Windows: You are a micro-manager. You like to be informed and approve every action. You tend to be more old fashioned and worry about the consequences of Thinking Different (i.e., change). “You are making a management decision. Confirm or deny?”
• Mac (OS X): You just want things to work and run smoothly. You empower your employees to get the job done and only need to be alerted when something major occurs. You are willing to spend the extra money for the look, reliability, and reduced maintenance. You may be easily excited about unsubstantiated rumors and unrealistic visions.

For example, I tend to be self-motivated, enjoy being involved in many different tasks, and do best when I am able to manage my own time and priorities. I have come to the realization that either I am an anomaly in the workforce or I am incompatible with my management.

Since I work with similar, self-motivated types, I’ll immediately discount being an anomaly, which leaves me at option two. After talking to management, I have found that my feelings of frustration and incompatibility were not reflective; they saw no problems and were satisfied with my work (why doesn’t management like to give any appreciation?).

I think I’m safe to assume that management will not work to better interface with me, so the onus for improvement is on me. I have put together a guide to help understand management and provide some direction as to when to stay and when to start looking for a new position. When dealing with management, I have found that they tend to fall into one of four categories:

• Adaptible — these people are born to be managers. They understand the strengths and weaknesses of each of their employees and leverages each to their potential. In order to be effective, these managers adapt their management style to best supplement each subordinate. They will bend over backwards for you and will try to address your every need. One of the unfortunate side effects, is that these managers are so good at supporting their employees, that they have high employee turn-over because of a high promotion rate (a good thing for you), and they spend so much energy supporting their employees that their accomplishments are often overlooked.
• Inflexible — one of the most common managerial types. They can usually be identified by their tendency to micromanage, never provide any useful feedback, regulary schedule meetings that have no outcome, or other stereotypical management action. In conversations they tend to excuse things since “they’ve always been done that way” and will use phrases such as “in the past” and “typically”. Inflexible managers tend to have strong organizational, customer relations, technical, or other important skill that is perceived to be beneficial to the department or company. When coupled when a non-confrontational personality, these people will slowly creep into management.

  As far as their relation with their subordinates, they have a lot of understanding to do. Inflexible managers continue to do the same things in the same manner that got them promoted to their current position. They have one management style, which makes them ineffective at communicating with their subordinates.

  Luckily for some, an “Inflexible manager” can fall into one of two subclasses: those who realize their inflexibility and those who don’t. People who understand they are not adaptible will tend to only hire employees compatible with their management style or will depend on others to fill any deficiencies. Unfortunately, if your manager does not realize their inflexibility and it is highly unlikely your management will transform, it is your best (professional) interest to change management (or jobs).

• Hands-off — these managers seem to not understand “management”. They simply do not manage their personnel. Hands-off managers appear to intentionally avoid any conflicts or issues and believe that things will take care of themselves. If you are managed by a hands-off person, you can say goodbye to any chance of promotion, as they will ignore all the good along with the bad. These management types are the worst, since many assume that the lack of communication means everything is okay.
• The Pointy-haired Boss — as depicted in Dilbert these managers are just clueless. They think they know everything, but they cause more harm and frustration than good. The only benefit to these managers is that they are easy to identify and avoid as they tend to be enveloped by an aura of incompetency.

So, which type of manager is your boss? Is it in your best interest to stay in your current position? (Remember: it is usually in your boss’s and the company’s best interest to keep you, but usually they will next to nothing to show their appreciation.)

Since the content may be of interest to others, I will try to keep everything as generalized and anonymous as possible and actively encourage any passersby to leave feedback.

As a bit of insight into the motivation behind this effort, I am a supporter of the EFF and overtly aware of the information-dominated society that we are becoming. Stories such as George Orwell’s 1984 and the Wachowski brothers’ V for Vendetta. For any of you not familiar with 1984, the blog’s title “ownlife” is from Orwellian Newspeak and means “Individualism and eccentricity. A desire to do something for your own benefit.”