http://www.perlmonks.org?node_id=116723

Recently, the latest Perl.com newsletter alerted me to this article about Microsoft's .NET and security concerns. Interestingly, it was pointed out that .NET could have even greater security problems than other Microsoft products. Virtually all of the security concerns, however, used free and open-source products to illustrate the potential danger, as if the danger stemmed from them and not from .NET's architecture. One telling quote:

The ability for the platform to understand programmes in different languages makes the threat from worms and trojans much greater, as many of these are written in other languages such as Perl and currently have no anti-virus products.

How, exactly, does one write a worm or trojan in Perl? Frankly, you can't do it now.¹ I haven't paid much attention to the .NET blather as things from Redmond tend not to get me very excited. Is there something here that I am missing?

The above quote was from Eric Chien, the chief researcher for Symantec. The article was almost entirely quotes from him. Here's another interesting tidbit:

Chien delivered his misgivings in a research paper last Friday, in which he admitted his worries that attempts to port .NET to other operating systems - such as the Mono project to make it available on Linux - will ignore Microsoft's various security settings, leaving the platform open to attack.

Is Chien bucking for a job at MS, or is Symantec so far in bed with BillG and friends that he has no choice but to say that, or is there some serious concern here? I don't use Linux much, but from what I've seen about the open-source community, they've done an admirable job of adhering to standards (much better than MS, in fact²). Something just strikes me as being wholly disingenuous in the above quote where there's a suggestion that the open-source community might have trouble following the standards that MS lays down.

Cheers,
Ovid

1. Well, okay, you can do it, but it wouldn't be very effective. I have some Perl virus code that someone wrote once, but all it does is illustrate the ridiculousness of the concept.

2. To be perfectly fair to Microsoft, I don't have much of a problem with standards violations per se. With respect to Web browsers, JavaScript (nee Livescript) wasn't a standard when it came out. Many new tags have arisen because one of the browser manufacturers wanted to add new features to differentiate between them and the competition. In this respect, Microsoft needs to violate the standards. Any browser that's one hundred percent standards compliant is already out-of-date.

Re: (OT) The Stupid Leading the Blind, or Is It Just Me?
by Masem (Monsignor) on Oct 04, 2001 at 19:45 UTC
    I won't necessarily criticize you too much on your second footnote :-), however...

    I don't have a problem with a browser maker adding new tags to try to differentiate themselves from the competition. However, three significant points must be made:

    1. We have yet to see a fully-compliant browser. When both NS and IE were getting new tags, neither supported the HTML3 or 4 spec exactly, and in the case of some test suites, they were less than 90% compliant with standards that were well-established (6 or more months) from release. If you cannot get the standard right to begin with, you really have no 'right' to start adding new features. This is most dramatically shown when you talk about CSS and IE3 or NS4, as well as the introduction of TABLE in NS. I'm still waiting for a browser to adequately implement the OBJECT tag that is part of HTML4 such that one can provide multiple levels of alternate content for multimedia elements.
    2. Most of the 'new' tags were ill-defined from an SGML stand-point, in that in browsers where the tags were not supported or impossible to render, there was no way to deliver alternative content without significant workups behind the scenes or hacks. Again, TABLEs come to mind specifically from when Mosaic and Lynx were significant, as well as IE's MARQUEE tag, or the IFRAME tag.
    3. A 100%-standards compliant browser should be able to view the majority of the web (ignoring plug-in technology) without problems as long as the addition of new tags to standards (or non-standards as the case may be) follow standard SGML rules; even today, a browser with the ability to use DTDs effectively will be able to handle new additions to the HTML/XHTML specs without problems. As it is, no browser yet can claim that, and those few rendering bug differences between the latest-and-greatest make it very hard to design good pages that look right on all browsers, notably due to slight differences in CSS2 support and other newer features.
    As someone who's been using the web since nearly day 1, I've been rather disappointed with how the browser wars initially fractured the design of web pages, but most of those wounds are healing with the latest browser releases; it's very hard to find pages that say "You must be using Browser X to view this page" save for antiquated pages. Right now, if anything, the splintering of the web is mostly due to using closed-vs-open formats for media (GIF vs JPG/PNG, Real vs Windows Media vs MPEG vs Quicktime, etc). But I still believe that all browsers should strive to get 100% of HTML4 and CSS2 before they move on to other arenas; deliver that to us, and designers would be overjoyed that they can actually write once, view anywhere once again.

    -----------------------------------------------------
    Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
    It's not what you know, but knowing how to find it if you don't know that's important

Re (tilly) 1: (OT) The Stupid Leading the Blind, or Is It Just Me?
by tilly (Archbishop) on Oct 05, 2001 at 00:08 UTC
    The only virus that I know of written in Perl was SelfGOL, written by TheDamian. And very few people out of the Perl community have ever heard of it.

    By contrast the list of viruses written in Microsoft's VB is extremely long, and includes a substantial fraction of the best known and most costly viruses in history. (Can anyone say Melissa and derivatives? I knew you could.)

    However - still - members of the general public have no clue that most of your virus concerns are eliminated in one stroke by removing Outlook/Exchange. And a good portion of the remaining commonly exploited holes are removed by switching away from IIS.

    Ah well. It just goes to show that even in the Internet age, the Big Lie still works just as well as it did in Stalinist Russia...

      The only virus that I know of written in Perl was SelfGOL, written by TheDamian

      And even that's not actually a virus: merely a program to (amongst other things) confer a -s self-replication flag on other programs.

      Damian

Re: (OT) The Stupid Leading the Blind, or Is It Just Me?
by wardk (Deacon) on Oct 04, 2001 at 23:32 UTC
    I think this is just an excellent example of the sophistication of Microsoft's FUD machine. They are true masters. I can't speak to MS innovations in the technical arena, but they have an uncanny ability to disparage and create fear (uncertainty and doubt) in the most subtle and innovative ways.

    As far as Symantec goes, this tag-teaming by partners is so ingrained over the years that I feel all Microsoft has to do is plant the seed and any number of industry pundits will intuitively pile on.

    This isn't that much different from putting friendly warnings up when encountering DR-DOS in Win 3.x, or recompiling Windows and releasing it as an anti-pirating fix in order to slyly move the entry-point IBM was using in OS/2 for Windows (which was immediately broadcast by PCWeek, Computer/InfoWorld, and others as a major "bug" in OS/2).

    I truly think it's a "badge of honor" for Perl to have MS FUD'ing it; it means Perl is a real player.

    Anyway, my $.02 on an excellent Meditation...

Re: (OT) The Stupid Leading the Blind, or Is It Just Me?
by jepri (Parson) on Oct 05, 2001 at 00:02 UTC
    There's a high chance that Symantec are pissy because they have no market share for Unix and no chance of getting one. They won't get a market because the built in Unix security is good enough. (Note that the Windows NT line would be more secure than Unix if people would just stop logging in as Administrator).

    But you can bet there will be a Symantec SafeGuard for .NET (TM) or some garbage like that. Mono won't need it because most GNU programmers are raving paranoiacs who build security in from the word go. MS likes to leave a few security holes in for future upgrade releases.

    So in a way Chien is absolutely correct. The GNU programmers won't be following standards when it comes to securing your data - they will be exceeding them.

    I could, and possibly should spend the rest of this post bashing the computer press who seem to be less sophisticated than their readers, but it's breakfast time.

    ____________________
    Jeremy
    I didn't believe in evil until I dated it.

      Moving more OT, I know, but I think people would stop logging in as Administrator in the NT world if there was a convenient way to change the current user context...
      The concept of NT may be potentially more secure than that of Unix - but with all the bugs in the code? There have been so many exploits to remotely become Admin on an NT box it isn't funny.
Re: (OT) The Stupid Leading the Blind, or Is It Just Me?
by echo (Pilgrim) on Oct 05, 2001 at 00:28 UTC
    The ability for the platform to understand programmes in different languages makes the threat from worms and trojans much greater, as many of these are written in other languages such as Perl and currently have no anti-virus products.

    It's rather amusing that this statement is in direct contradiction with one of the major features of the .NET architecture: the Common Language Runtime. Microsoft writes that code built upon CLR benefits from features such as "cross-language integration". A little further down, it is stated that "The common language runtime makes it easy to design components and applications whose objects interact across languages. Objects written in different languages can communicate with each other, and their behaviors can be tightly integrated."

    Clearly one of the key features in CLR is the ability to mix different languages. Did the author of the paper miss out on such an important feature? Or is the language we monks all love perhaps too different?

      Statement cited by Ovid: "The ability for the platform to understand programmes in different languages makes the threat from worms and trojans much greater, as many of these are written in other languages such as Perl and currently have no anti-virus products."

      echo: "It's rather amusing that this statement is in direct contradiction with one of the major features of the .NET architecture: the Common Language Runtime."

      My understanding is that there is no known design problem involving CLR with multiple languages. The problem is that M$ is unwilling to restart from scratch. M$ does indeed need to leverage its existing code. So, to use M$ terminology, managed code is allowed to call unmanaged code. As a result, a cleanly designed sandbox is opened to all virii thru this use of unmanaged code. It will take years to transmogrify existing code to "managed code".

      -- stefp