Flutterby™! : Shneier, Sun, SOAP, Reed 2002-05-17 17:08:39+00

Shneier, Sun, SOAP, Reed

2002-05-17 17:08:39+00 by Dan Lyke 8 comments

A little nerdliness this morning: Dave Winer: Shneier, Sun, SOAP, Reed. Some clarifications: Dave, you might not have seen SOAP as a deliberate firewall run-around, but Microsoft pushes SOAP as designed to get around firewalls:

Remote objects can give a program almost unlimited power over the Internet, but most firewalls block non-HTTP requests. SOAP, an XML-based protocol, gets around this limitation to provide intraprocess communication across machines.

Bruce Schneier may spend a lot of time bashing Microsoft software, but I'm not getting megabytes of virus email every day from holes in, say, Pine or Netscape Mail. Microsoft is not the anti-christ, but neither can we call it "bashing" when security conscious people call them out for their flaws 10 times more than others, because they have at least an order of magnitude more security holes than any other offender. It's not profiling if you're busting each for their proportions of committed crimes.

Firewalls is one thing; proxy servers is another. Software designed to let people work through proxy servers is beneficial, since proxy servers are mostly meant to share a connection where individual IPs can't be allocated, and this is a headache for lots of people.

Firewalls, there for the purpose of security, is another matter, and I hope a stateful firewall can pick SOAP out of a connection and block it if necessary.

Microsoft has already published an article showing how to block SOAP based on content at the firewall. It's based on their own firewall software, of course, but if they can do it so can others. Universal http connectivity is on the way out, I expect.

I've said plenty of nasty things about MS security myself, but I think "order of magnitude" is an exaggeration. I base this on daily reading of three or four security mailing lists over the past several years. Much virus e-mail does originate on MS systems of course, but that's in part because there are many of them out there. And Dan, I guess you're just lucky; we don't get anywhere near megabytes per day here.

Whether this has anything to do with the original article I don't know, because my life is better since I stopped following links to Whiner.

A 'stateful' firewall with that much intelligence is possible, probably not even expensive. Configuring it to decide where to and when to allow such a connection is beyond most network admins. They'll either block it all as policy, or leave it all open.

Soap, XML, Comma delimited text, or a variable infested URL can all be used to do this, going both ways through almost ANY firewall. Add in the 'Active-X' and Java executibles capable of running on your machine, and lots of possibilities exist to bypass a firewall, sending information both ways. But heck, most systems can't even stop e-mail viruses.

Again, smart people aware of what they are doing will try to practice safe computing and the rest of the world will find their financial spreadsheats and documents e-mailed or uploaded to people they never intended.

Last night, we tore through a colo'd Linux box for an hour, and found that what really made things break on the machine was a changed PATH statement, and not that it had been hacked. The box owner is a fairly competent geek, recent to Linux, and he was sure it had been hacked or comprimised. I'm starting to wonder if this mentality is being promoted to keep people from blaming the system. It makes people think: It must be the evil hackers, not bad software or stupid practices that is the problem.

Every time I have seen a system comprimised, it'd because I (or someone else) left the doors open. It's not the doors fault if it was a perfectly good door and I left it open. If the door is made of cardboard, and the lock does not work then it is a bad door. The question may be is SOAP and XML even a door at all? No, it's a window to pass information through. It's up to us to use it, open the window, or tint and bar it. In the internet neighborhood, you may want to make yours out of Lexan, and have it mesh reinforced. Let the light through, pass information, but make sure that's all that goes through.

I think most people should have an idea in their head about security. Nothing is secure. Your box will get hacked and abused. It will happen. Just look at Gaming Community... every new copy protection scheme that comes out get cracked in a matter of hours, days or weeks. CD copy protection, DVD encrytion, the list goes on. Why would the security of your computer systems be any different? People should concentrate on detection and resolution rather than prevention. SOAP might make it easier for a rogue program to communicate to it's master through a firewall, but even without SOAP, trojans and virus writers have used other methods for years. As network and system admins figure out these methods, the bad guys just develop new methods.

One of the coolest examples of an abusable protocol is Parasitic Computing. Just because 25,000 programmers development the ultimate firewall doesn't mean that their expertise is better than the largest distributed computer in the world: the human race. It's scarey sometimes to realize that no matter what new product is created to ensure security, that given enough time someone will figure out how to bypass it.

The real issue about security is that in large portion it's a matter of the state of mind of the user. The latest BIND or wu-ftpd exploit doesn't cause as much problem as an IIS one because the people who run the former are conscious of what's going on in the computing world in general. But...