ZouPrime said:
Civ, indeed, since you admitted not understanding the difference between a risk and a vulnerability, I'm going to explain it to you real quick here.
Feel free to actually quote such an "admission". Making up Yet-Another-Strawman is just silly.
The importance of a risk is a function of a vulnerability and a threat.
Nonsensical incomprehensible gibberish. I'm sure it's all part of the painful process of a "real quick explanation" attempt.
The risk is what's important here; it defines the level of control you implement in your system to make it secure. A very high vulnerability doesn't mean jack **** if the threat is not high enough, since the risk won't be big enough either. <insert long meandering irrelevant paragraph here>
Perhaps it would have been useful to actually make your "real quick explanation", "real quick" (for your attempted strawman dissertation explanation), instead of injecting it with meaningless irrelevant babble.
This risk calculation is highly important in information security, and is teached in the introductory chapter of all books on the topic.
Perhaps it was taught (yes, taught) in same chapter that teaches "How To Make Yet Another Absurd Assertion Using Absolutes" or "Silly Straw-Man: How To Disable Your Argument Through Absurd Asinine Assertions".
Focusing on the vulnerability while ignoring the threat is a clear sign of someone not knowledgeable of the subject, since it's pretty poor security.
One more straw-man for the road.....
I can't imagine why there would be focus on it. It must be something like "duhuh, if the specific vulnerability doesn't exist to begin with, you don't have to worry about a specific threat tailored for it and aimed at it", or something to that effect.
No specific vulnerability, no specific vulnerability threat.
It's a logic thing; you clearly don't get it. When you are "teached" proper logic, you'll be made aware of such things, such as the straw-man fallacy (and others, like "making an absolute statement without absolute knowledge in the face of evidence to the contrary").
Speaking of "someone not knowledgeable": That's a pretty bold statement (pun intended) - ironically coming from someone who thinks being "wormed" and/or "zombied" are somehow "the worst" consequences when it comes to security compromise.
There are thousands of vulnerabilities out there that are routinely ignored by everyone because the threat doesn't justify anything else, and it doesn't mean that security researchers are incompetent, it just means they understand what they are up to.
How would you know they are "routinely ignored by everyone"?
Oh right, you don't know about them being exploited, and, since you have perfect knowledge of all extant vulnerabilities and all extant exploits (and exploit attempts), you can confidently make such an asinine silly absurd assertion. Got it.
Perhaps this would have been better stated as "I'm really ignorant of most vulnerabilities, and of the existence of exploits for them, but, one time, at security camp..."
I didn't realize that "everyone" actually meant "security researchers". It's good you pointed that out (as part of the "real quick explanation").
I sure hope your usage of the word "incompetence" in regards to "security researchers" not knowing about vulnerabilities isn't some attempt at apologism on behalf of Firaxis. Because they clearly aren't "security researchers" - they aren't even competent third party code licensing usage and distribution folks, let alone "security researchers".
I just know this wasn't an attempt to minimize and rationalize Firaxis incompetence in this matter. That would just be... silly.
Now, let's look at our current problem.
Again? Hey, I know - you should explain to me - the "guy that pointed out the insecurity situation with Civ 4 as shipped" - what the "current problem" is.
We know the vulnerability (well, up to a point, since without exploit code we can't be sure it is really exploitable. But let's say it is).
Up to a point? Are you back to attempting to claim that the vulnerability doesn't exist? Attempting to minimize the extant nature of the flaws in the zlib code again, eh? We don't have to "pretend" it's vulnerable - it is vulnerable.
What are the threats? Let's explore the typical threat scenario possible.
I'm sure this is all a part of the "real quick explanation". I say we explore logic, and logical fallacies like "why the straw man came to town"...
a) The worst case possible is the worm, i.e. an automated and self-replicating network program with or without a payload.
I find it disturbing that you believe this is the "worst case possible".
Perhaps if you are an ISP, or large PC network manager, this might be the "worst case" in terms of network traffic load and PC/device "cleaning time".
As for the individual working on one PC, it's moot.
I'll take a generic worm using my PC to propagate itself to other PCs any day over a complete system takeover with 100% loss of data, or confidential/private data loss/theft.
Take for example the (original) Code Red worm: It propagates itself to deface web servers.
Oh yeah, big threat to desktop PCs and individual users/data. No doubt.
They are the bane of modern network security, as most of the critical security incidents happening on big networks are caused by worms replicating and the DOS they are generally creating.
They are a bane, yes, but not "the" bane. They are perhaps more significant as a bane to those sysadmins who can't find the time to properly patch their different PC devices and systems with 1/3/6/12/24/36 month old patches.
However, I'm sure you can poll different corporate network sysadmins and find a plethora of "banes", with different focus issues for each of them. For example, many will find the usage of unauthorized software with internet/network connectivity to be their "biggest security bane", especially instant messaging/chat software/connections, and many will also find "inappropriate browsing and content download" to be their "biggest security bane".
But none of that changes the fact that Civ 4 shipped with vulnerable outdated insecure third party code, which allowed for potential local and remote exploitation leading to a DoS situation, and/or arbitrary code execution.
Worms require two things; the remotely exploitable vulnerability (most of the time, a buffer overflow) and mass presence (the vulnerability must be everywhere, else the worm can't replicate efficiently).
Neither one of those two things is required for worms. The fact that you think they are, again, is very telling as to your lack of expertise (or common sense) in the matter.
Worms can and do propagate without specific code vulnerabilities, whether they are locally or remotely exploitable, and may, or may not engage in malicious conduct.
I suggest you go read up on "worm" in a computing dictionary. I'll facilitate the process:
http://www.m-w.com/dictionary/worm
http://www.smartcomputing.com/edito...searchtype=0&DicID=19654&RefType=Encyclopedia
In the current case, both requirements are not met.
Not met...where? (even though of course, your made-up supposed "requirements" are in no way definitive, as I previously explained)
Are you referring to Civ 4 now? Because if you are, it's already been established that Civ is insecure, through vulnerable zlib libraries (ZLIB1.DLL and PYTHON24.DLL), which are remotely and/or locally exploitable (depending on the app), and that Firaxis acknowledged Civ 4 was insecure by issuing the latest security fixed version of ZLIB1.DLL (1.2.3) with the 1.09 patch (though they neglected to mention it in their release notes, and they also neglected to update PYTHON24.DLL as well).
Additionally, Civ 4 was shipped, insecure, and was installed on many PCs (it was the #1 selling game there at some point, may still be).
AFAIK, the vulnerabilities identified are not remotely exploitable, and the program coverage is far from enough.
Yes, because reading is a very hard concept to master, only slightly more difficult than intellectual honesty, or perhaps logic.
Yes, none of the several different security bulletins and advisories linked to or pasted from, indicated any remote exploitation capacity. Still not reading...
Even if Civ4 is the biggest seller ever, it won't remotely touch the coverage of an application such as Windows for example.
What exactly does how many copies of MS Windows are sold relative to Civ 4 have to do with the fact that Civ 4 shipped insecure, and is still insecure, even after the first patch?
Oh, I know - nothing. (This would be covered under (but not limited to) the "fallacy of changing the topic")
If in fact the Civilization series has sold over 6 million units, and if one were to average those 6 over the 3 prior releases of the game (as a whole), that would be about 2 million installs per game.
If one were to forecast, say, 2 million installs for Civ 4, would that qualify as "mass presence", in your universe? Would 1/4th of that - 500,000 - be considered "mass presence"? Could you give me a number that would meet your silly supposed "mass presence" or "enough coverage" criteria? Let me guess, it's higher than, say, 500,000? Or 2 million? I can probably already guess the answer.
Of course, since I informed them of the issue and they updated the zlib library file, it likely won't get to the 2 million mark first in terms of vulnerable ZLIB1.DLL installs. However, of course, Civ 4 is still vulnerable via the outdated insecure version of PYTHON24.DLL.
There's a reason why worms are typically created for programs that have a constant network presence and/or are installed everywhere, and not for common games.
At least you are starting to sound slightly reasonable, what with the usage of the word "typically" there.
But then you went and ruined it with "and/or installed everywhere" (instead of something reasonable like "installed on most (or a majority of) desktop PCs" etc etc)
But yeah, all those silly email (or floppy based) worms, how dare they defy your claim!
I'm sure you'll claim that most email programs "have a constant network presence" or better yet, fit into "and/or are installed everywhere".
Still problematic, but less critical: a locally triggered exploit. Some people around here suggested a malformed mod for example, although nobody knows when the vulnerable code is really called and in which circumstances.
I'm sorry, did you just say "less critical"? So you now acknowledge that it's critical?
In this specific case, that's by far the kind of scenario we should be looking at.
You should be looking at all vulnerabilities, and all exploit vectors, and all possible consequences. That's what "security" is all about. You still don't get it.
And this from someone claiming to be a "security professional". Scary.
From the point of view of a user having his box zombified by joe hacker through civ4, it sure sucks.
Generally, "zombies" are used for DoS and DDoS attacks.
Again, strange assessment of what an implied worst possible outcome is.
Wouldn't 100% data loss be "worse"? Perhaps theft of private/personal/confidential data?
I'd much rather have an intact easily recoverable Windows install that was simply being used as part of some DoS/DDoS than to have the hard disk wiped, or data stolen, etc.
Ask people whether they preferred their PC caused more internet/network traffic, or whether their hard disk was wiped or personal/private data stolen. Common sense leads us to the latter.
But on the grand scheme of things, it's far less impressive.
Doesn't change the fact that it's a vulnerability and/or vulnerability vector.
Imagine I'm a hacker, I work hard to trigger the bug in the software, exploit a buffer overflow and make my mod install a rootkit on the user's box.
I'd prefer to imagine you in a Logic class..perhaps an English reading and comprehension class...
How many infections can I expect? A thousand?
Well, let's see..count the number of units sold...estimate the number of unpatched systems...carry the 1...divide by two....take into account the coefficient of friction for an ethernet frame....look at the ceiling....think about what's coming on TV tonight..and we have..
Only a thousand units sold? If that's the case, Take Two (or Firaxis) sure didn't get their investment's worth.. You might want to tell them they are really losing money on that whole Civ 4 game selling stuff.
Maybe. If I put it in a popular mod, I risk getting caught.
Its true - any/all human actions have the "risk" of being known/discovered. Good point, that added nothing.
If I put in a stupid, small mod, I won't have a lot of targets. The cost/result ratio is going to be pretty poor, considering that some hackers can install hundreds of thousands of these rootkits using much faster method of propagation (see a)).
Yeah, because it costs so much to program software these days, what with all the freely available programming tools, and all that reusable third party code out there (hmm) and even that cruddy more-insecure-than-closed-source open source stuff.
Especially some small little exploit utility. We are talking a major corporate development effort, requiring 10s of thousands - if not millions - of development dollars.
Maybe I'm not here to attack the largest numbers of civ4 users, maybe I want to target a specific user; e.g. I want to make *you* install my mod/rootkit because the value of the information on your computer is high.
Or maybe the "exploiter" doesn't care about knowing the value of the target system beforehand, aside from the fact that it's running Civ 4. Maybe he/she will assess that after system compromise, if at all.
This is a scenario that makes sense economically for joe hacker; but in this case, we'll have to wonder why you are running a game (or any other program not designed for security) on a high value machine.
Yeah! Who ever heard of high end gaming PCs!? No one ever buys high end high value PCs to run games! ABSURD! Wait, maybe by "high value" you mean "low end", and yeah, those people won't be running Civ 4 (at least not well).
Shouldn't all programs be "securely" designed? Especially ones that provide network connectivity of some kind, and/or require administrator privileges to run? Shouldn't security matter for everyone, everywhere?
If increased network traffic and network security are so important to you (remember those "worms" and "zombies" that concern you so much), shouldn't you be among those most strenuously arguing for Firaxis to make their network multiplayer code/functionality as secure as possible?
Does the risk exist? Of course. Should Firaxis have known better and ship the fixed code? Sure, but considering they are not in the business of making secure software and are still facing bugs in their own code, it is understandable.
They aren't in the business of shipping secure software? You mean they aren't in the business of shipping security software, right? That was a typo, right?
Oh, wait, no, you actually did say that. It is true that Civ 4 shipped insecure <chorus>
However, if Firaxis isn't in the business of "securing their software", you might want to tell them that - they include security measures in the multiplayer setup (logins, passwords, etc), and even added more security measures in Patch 1.09 - they updated ZLIB1.DLL as I told them to, they added password encryption, restricted different saved game version loading for saves protected by admin passwords, etc.
Did they do it just to make you look silly and foolish?
Is the risk high enough to justify calling it "critical"? Of course not.
Yes. Locally and/or remotely exploitable, resulting in DoS and/or arbitrary code execution.
Many people here told you so in the very beginning of this discussion.
A total of maybe one (yes, 1) person in the third 3 pages of this thread had any interpretable issue with "critical" - adamal. Many? Not even close.
But you did the wrong thing in trying to analyse the impact of what you found, because you obviously have no idea of what you are talking about.
This is a fascinating redirected self-examination. Perhaps you should claim to be a "security professional" again.
That's my problem, and I guess that's the problem of many other posters regarding your original OP.
Yes, indeed it is your problem, what with the obvious banal projection and transference prior to this.
By making it too big a deal, you're not helping, because people will tend to overeact and see the problem everywhere.
No one required you to respond, ever. If the conversation/dialogue itself bothers you and you believe it's not contributing to your supposed altruistic concern for everyone, then why did you engage in it?
Obvious inconsistency and intellectual dishonesty here...
Your persistence in answering every single line of posts separately, making comments over the quality of my English (how childish, really) instead of actually addressing arguments, and acting like a jackass, certainly did not help.
Well, at least you aren't exaggerating or distorting - that would clearly be beneath you and your standards. The quality of your English matters, as, in fact, several times, your idea conveyance was clearly obstructed by your inability to express yourself in a comprehensible manner.
In fact, it confirms the suspicion that you aren't here to help anyone, but simply want to make a fuss and defend your "discovery".
Yes, it was "very unhelpful" the way I communicated to the developer/publisher/user community the existence of security flawed code, and even went so far as to explain to the user community the means to temporarily (or permanently, depending) rectify the situation by updating the security flawed code.
On the other hand, you as a "self proclaimed security professional", doing your best to attempt to minimize the nature and existence of the flawed code, and then defending your inconsistent occasionally incomprehensible silly absurd assertions time and again, well, I'm sure that had nothing to do with apologism and inferiorityism and selfishness, and everything to do with altruism and "helping the community".
Right.
I think someone said the problem was at least partially mitigated with the new 1.09 patch. Thank god if it's so, since we'll be able to put this whole idiocy behind us and go play the damn game.
Yes, because, as a "security professional" "concerned about helping the Civ 4 community", you know that a partial fix is clearly the desired end result.
I'm sure I won't be seeing any more posts from you at all on the subject, certainly not any "real quick explanations" like this.
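The one concrete, checkable claim in the exchange above is that the fixed ZLIB1.DLL is version 1.2.3 and that anything older (including the zlib inside PYTHON24.DLL) still needs replacing. What follows is an added example, not code from the thread, from Firaxis or from the zlib project: a small auditor that compares reported zlib version strings against that 1.2.3 threshold. The DLL names are the ones the thread discusses; the sample version strings fed to it are constructed and hypothetical. It also reports the zlib the running Python interpreter was linked against. The pitfall it handles is that version strings must be compared numerically, since a plain string comparison ranks "1.2.11" below "1.2.3".

```python
"""Flag bundled zlib versions older than the fixed release named in the thread.

Added example: not code from the thread, Firaxis or the zlib project. The
threshold (1.2.3) is the version the thread names as the fixed ZLIB1.DLL
shipped with patch 1.09; every other version string below is constructed.
"""
import re
import zlib

# Version the thread names as the security-fixed ZLIB1.DLL (patch 1.09).
FIXED_ZLIB_VERSION = "1.2.3"


def parse_version(version: str) -> tuple:
    """Turn a zlib version string such as '1.2.3' into a tuple of ints.

    Accepts 'major', 'major.minor' or 'major.minor.patch' and ignores any
    trailing suffix such as '.f-dev'. Missing components count as 0.
    """
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def needs_update(found: str, fixed: str = FIXED_ZLIB_VERSION) -> bool:
    """True when the found version is numerically older than the fixed one."""
    return parse_version(found) < parse_version(fixed)


def audit_bundled_versions(found: dict) -> dict:
    """Map each component name to a verdict for the zlib version it reports."""
    return {
        name: (f"UPDATE (older than {FIXED_ZLIB_VERSION})" if needs_update(ver) else "ok")
        for name, ver in found.items()
    }


def running_interpreter_verdict() -> str:
    """Verdict for the zlib the running Python interpreter was linked against."""
    verdict = audit_bundled_versions({"zlib": zlib.ZLIB_VERSION})["zlib"]
    return f"python zlib {zlib.ZLIB_VERSION}: {verdict}"


if __name__ == "__main__":
    # Constructed sample input: the DLLs the thread discusses, paired with
    # hypothetical version strings (the thread only gives the fixed version).
    sample = {
        "ZLIB1.DLL (as shipped, hypothetical)": "1.2.2",
        "ZLIB1.DLL (patch 1.09)": FIXED_ZLIB_VERSION,
        "PYTHON24.DLL bundled zlib (hypothetical)": "1.1.4",
        "newer build (lexical-compare trap)": "1.2.11",
    }
    for name, verdict in audit_bundled_versions(sample).items():
        print(f"{name}: {verdict}")
    print(running_interpreter_verdict())
```

On a real install you would feed `audit_bundled_versions` the version strings read from the DLLs' file properties; the function deliberately takes plain strings so that the comparison logic can be checked independently of how the versions were collected.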