Didn't have a chance to bring it up at the meeting, but I feel it's important to add that wireshark is probably the most frequently security-patched FOSS out there. I watch the security feed from Fedora and the package I see sec-updated most often is wireshark, probably followed by PHPMyAdmin. It's quite astonishing how miserably insecure wireshark is. (Hmm, too bad there doesn't seem to be a page or chart ranking FOSS by CVE count, unless someone else can find one.)
So, if you use wireshark, do your package updates frequently and/or before each invocation of wireshark.
This is a great argument for not using wireshark on Windows, as there is no yum/apt-get for it, AFAIK, meaning you'd be on your own to check for and install updates.
Your statement is a bit unfair. http://wiki.wireshark.org/Security has a good explanation of why there are so many patches. I'd argue that "number of updates with the security flag" is a terrible metric of security in any product.
<rant> Security is the act of mitigating risk, it's not an absolute. Calling something insecure is really unhelpful -- the risk you undertake by using the software depends on how and where you use it, and what compensating controls you have in place.
Example: Windows XP possibly deserves the label "miserably insecure". You put it on the Internet for a minute unpatched and it's quite likely infected. I have an unpatched XP Virtual machine I use for embedded development. I don't use the Internet on it. I regularly reset the snapshot back to a former state. Is that XP box really "insecure"? </rant>
I will prefix the rest of this by saying I spoke at the Wireshark conference for its first three years, know many of the core team personally, and have even contributed an (embarrassingly small) patch to the product. So Trevor's message, while well-intentioned, struck a bit of a nerve.
If you didn't read the first link, the main point is that they have been putting an emphasis on finding bugs lately, both through code reviews and automated static analysis. So the fact that you're seeing updates is because the team is driving out the bugs. Most OSS projects don't do this, so the only people looking for bugs are the bad guys.
The kinds of bugs found are often in the protocol dissectors. Unless you ignore the warnings, those all run unprivileged. Our adversary needs to be able to put packets on your network for you to display in Wireshark. We aren't on the same level as putting an unpatched Windows XP box on the open Internet.
So while I agree you should update frequently, unless you are in an environment where you expect people to be actively attacking you, you should not feel the least bit of worry when you run Wireshark, or the least bit of shame for something that might be called "miserably insecure".
If you still like reading, https://research.microsoft.com/en-us/people/mickens/thisworldofours.pdf is actually pretty funny. There are a few themes, but the relevant one is "your security measures depend on your adversary. If the Mossad wants your data, there's nothing you can do. A good password is enough to keep your ex-boyfriend out of your computer though"
Sean
On Fri, Jan 17, 2014 at 3:46 AM, Trevor Cordes trevor@tecnopolis.ca wrote:
_______________________________________________ Roundtable mailing list Roundtable@muug.mb.ca http://www.muug.mb.ca/mailman/listinfo/roundtable
On 14-01-17 08:36 AM, Sean Walberg wrote:
If you still like reading, https://research.microsoft.com/en-us/people/mickens/thisworldofours.pdf is actually pretty funny. There are a few themes, but the relevant one is "your security measures depend on your adversary. If the Mossad wants your data, there's nothing you can do. A good password is enough to keep your ex-boyfriend out of your computer though"
Thank you for that link, the reading of which made me snort a carbonated beverage out through my nose!
If you are reading this message in the first place, you are not the majority. You are not a significant minority. You are not a visible minority. You are not the 1%. You are not the 0.1%. You are probably not even the 0.01%, you're more likely [collectively part of the tier that is] 0.001% of the world's population.
If you have everything triple-encrypted, you're defending against 0.1% of the 0.001% - someone who simultaneously has the skills to defeat ordinary passwords and good computing hygiene *and* cares about your data *and* is willing to do illegal things to access it. In other words, you're spending a measurable portion of your day defending against, roughly, one or two other persons in the world, and you don't even know who they are.
If you don't have an alarm system, a fog system, exploding dye packets scattered randomly throughout your belongings, several guard dogs, bars on your windows, and 24x7 CCTV coverage of your entire property to prevent any and all unwanted intrusions to your home... then you're not defending against 0.1% of the other 99.999%, which is a much more common and likely threat than the Mossad wanting your data. We now know the NSA does want your data, but mostly in a very impersonal way - kind of like an obsessive collector, they simply feel the need to have everything for the sake of having it. I'm unsure if the Mossad wants everyone's data in the same way, but both organizations are perfectly capable of hiring some local criminal (that's the 0.1%) to break into your house and steal your computer.
On the other hand, the "organized crime" threat category is, IMHO, a bit more dangerous than the author posits - that's not a huge bin of people, but they do cast a very wide net, and you're now relying on 99% of the 0.001% to apply common sense when building and configuring *their* servers, and we know that simply doesn't happen consistently.
Ultimately, I configure my systems correctly, I assume the vendors I rely on aren't complete idiots (until proven otherwise), I don't (usually) do blatantly stupid things online (usually, I said), and beyond that, I *choose* to Not Worry About It, and I spend my life doing more interesting, entertaining and pleasurable things.
Or, in reference to what James Mickens wrote: "what he said". :-)
And ultimately, Wireshark is WAY too much of an essential tool to not use it, regardless of the risk.
Like driving, it may be the most risky thing I do every day (especially yesterday), but I still have to go to work.
John
On Fri, Jan 17, 2014 at 9:36 AM, Adam Thompson athompso@athompso.net wrote:
-- -Adam Thompson athompso@athompso.net Cell: +1 204 291-7950 Fax: +1 204 489-6515
On 2014-01-17 Sean Walberg wrote:
Your statement is a bit unfair. http://wiki.wireshark.org/Security has a good explanation of why there are so many patches. I'd argue that "number of updates with the security flag" is a terrible metric of security in any product.
I apologize if I came across as harsh against the valuable and excellent wireshark project. I personally often use wireshark and in no way am trying to dissuade anyone from doing the same.
I think I was pretty clear, that I only wanted to remind people to "yum update" their wireshark on a regular basis, and mentioned the probable difficulty of doing that on a non-package-managed OS like Windows.
I also made it clear that my only metric of "insecurity" in that email was the raw CVE count. I never claimed that it was a "good" or "best" metric. However, it is often the only metric we have for FOSS, and certainly the one most visible and readily available.
I will add, however, that in my viewpoint, CVEs that are remotely exploitable without authentication (most wireshark CVEs fit that bill) are the most pernicious, and dangerous, and do deserve heightened scrutiny.
The fact that a (not very) out-of-date wireshark listening on (and displaying results from) an internet connection can be pwned simply by an attacker (or bots) sending malicious packets at random, is precisely identical to the very XP vulnerability you mention. While running wireshark as non-root is recommended, I still would not want my personal non-root account getting pwned, as much damage could still be done (including escalation attempts).
Moral of the story we can all agree upon: update your wireshark regularly, and again right before you use it on internet-facing interfaces!
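Both Sean's point that the dissectors run unprivileged and Trevor's reminder to run Wireshark as non-root rest on the same setup: the capture helper, dumpcap, carries file capabilities (or is setgid to a capture group) while the Wireshark GUI, and every dissector in it, runs as an ordinary user. The script below is an added example, written for this thread rather than taken from the Wireshark project, that checks a box for that privilege separation. The two check functions take getcap's text and the user's id/group list as arguments so they can be exercised on constructed sample lines offline; the "--live" branch feeds them the real values. The path /usr/bin/dumpcap and the group name "wireshark" are assumptions (they are the common defaults, but distributions differ).

```shell
#!/bin/sh
# Added example: verify that packet capture is privilege-separated so that
# Wireshark (and its dissectors) never has to run as root.
# Assumptions: dumpcap lives at /usr/bin/dumpcap and the capture group is
# named "wireshark"; adjust both for your distribution.

# Return 0 when a getcap line grants exactly cap_net_raw and cap_net_admin,
# in both the effective and permitted sets, and nothing else.
# Accepts both libcap output styles:
#   "/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip"   (older libcap)
#   "/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip"     (newer libcap)
dumpcap_caps_ok() {
    line=$1
    spec=${line#* }            # drop the path
    spec=${spec#"= "}          # drop the " = " separator of older libcap
    case "$spec" in
        *\+*) caps=${spec%%+*}; flags=${spec#*+} ;;
        *=*)  caps=${spec%%=*}; flags=${spec#*=} ;;
        *)    return 1 ;;      # no capability set at all (or empty input)
    esac
    # An EMPTY capability list ("=ep") means ALL capabilities: reject it.
    [ -n "$caps" ] || return 1
    case "$flags" in *e*) ;; *) return 1 ;; esac   # must be effective
    case "$flags" in *p*) ;; *) return 1 ;; esac   # must be permitted
    have_raw=0; have_admin=0
    old_ifs=$IFS; IFS=,
    for c in $caps; do
        case "$c" in
            cap_net_raw)   have_raw=1 ;;
            cap_net_admin) have_admin=1 ;;
            *) IFS=$old_ifs; return 1 ;;   # any extra capability is too much
        esac
    done
    IFS=$old_ifs
    [ "$have_raw" = 1 ] && [ "$have_admin" = 1 ] && return 0
    return 1
}

# Return 0 when the user who is about to run Wireshark is not root and is a
# member of the capture group. Pass "$(id -u)" and "$(id -Gn)" on a live box.
capture_user_ok() {
    uid=$1; groups=$2
    [ "$uid" != 0 ] || return 1          # never run the GUI as root
    for g in $groups; do
        [ "$g" = wireshark ] && return 0
    done
    return 1
}

# Live check; only runs when asked for and when getcap is installed.
if [ "${1:-}" = "--live" ] && command -v getcap >/dev/null 2>&1; then
    dumpcap=/usr/bin/dumpcap                       # assumed path
    if dumpcap_caps_ok "$(getcap "$dumpcap" 2>/dev/null)" \
       && capture_user_ok "$(id -u)" "$(id -Gn)"; then
        echo "ok: capture is privilege-separated; run wireshark as this user"
    else
        echo "fix: setcap 'cap_net_raw,cap_net_admin+eip' $dumpcap;" \
             "add your user to the wireshark group; do not run wireshark as root" >&2
        exit 1
    fi
fi
```

Run it as `sh check-dumpcap.sh --live`. Note what the check does not cover: a dumpcap that is setuid root instead of capability-bearing passes getcap with no output and is correctly reported as needing a fix, but a setuid binary plus stray capabilities would need an `ls -l` check as well. Compromising a dissector still compromises your own account, as Trevor says, so this is the floor, not a substitute for keeping the package updated.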