Schneier on Security
A blog covering security and security technology.
« Pseudonymity |
| Movie-Plot Threat: Open Airplane Cockpit Doors During Bathroom Breaks »
August 22, 2011
How Microsoft Develops Security Patches
I thought this was an interesting read.
Posted on August 22, 2011 at 12:19 PM
• 46 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I got up to page 30 and couldn't continue reading.
It's a typical Microsoft corporate puff piece. "See, we're doing everything right - because we're Microsoft! You're so lucky to be running our software!"
Pardon me while I heave.
Then I'll continue using my openSUSE 11.4 on which security concerns barely enter my head on a daily basis because it's patched every couple of weeks and the tons of crap Microsoft has in Windows isn't done in Linux and neither are the millions of malware.
Microsoft may or may not be correct in claiming "a relatively low number of vulnerabilities in Microsoft products " but the real problem is that their dominant market share inflates the impact of even a single flaw to an incredible degree.
And the Security Update Development Time chart on pg 12 seems inaccurate because the timeline exceeds 100% unless each of the bands is at the bare minimum. For example Finding Variants cannot exceed 20% without sacrificing time from other components.
On page 7, they could have named the blue part of the bar graph Adobe/Java instead of Non-Microsoft.
My thoughts as I was going through the introduction to decide if the rest of the document would be worthwhile priority reading:
1) Example code. There's a difference between a DOS and a security vulnerability. A system should be structured to allow access under limited circumstances and deny access under all others. While that might be inconvenient, it's "fail safe" design.
2) The chart of disclosed security vulnerabilities seems counter intuitive. The mediums and highs have roughly the same numbers and the lows are roughly an order of magnitude lower. Given the premise that coders can make lots of different errors that could result in a security vulnerability, it would seem that the number of identified "low" rated errors would be the highest.
3) Proportion of Microsoft vs. non-Microsoft vulnerabilities reported - by aggregating everything together it appears that Microsoft's issues are a minor fraction of the overall industry problems, but this chart hides the disproportionate effect that a vulnerability in applications/OS used in such a huge percentage of devices can have.
4) # of Security Bulletins issued: While the point of this chart is to show how good they are about avoiding out of band security bulletins, it also shows that while the number of security vulnerabilities industry-wide is supposedly decreasing, the number of MS security bulletins is not.
Conclusion: Likely a puff piece and it goes into the pile for reading when I get around to it.
By reading goat entrails?
John N: Yup. Noticed those self-serving charts, too, which is why I labeled it a puff piece along with the self-congratulating overall tone typical of Microsoft.
If we look on before WinXP and after WinXP era it comes to my mind that Microsoft has changed a lot of its policies.
That they require programmers a security training before they are allowed to commit a single line of code tells me that they have accepted "Security as a process".
Today I would trust a Windows out of the Box more than a Debian out of the box install with no changes done by hand.
You can bash at MS all you want but they have shown remarkable improvement in the last decade!
@ John N:
"2) The chart of disclosed security vulnerabilities seems counter intuitive. The mediums and highs have roughly the same numbers and the lows are roughly an order of magnitude lower. Given the premise that coders can make lots of different errors that could result in a security vulnerability, it would seem that the number of identified "low" rated errors would be the highest."
Both white- and black-hat researchers surely tend to spend their major efforts and time on finding critical vulns. They may find minor to trivial ones in the process, but I would venture that many of the latter are never reported.
"If a user clicks a malicious link, then types qxzy35, the bunny on the page stops dancing"... naah, scrap that and continue looking for something of real consequence. So I'm not so sure that the finding is counter-intuitive.
@ Paul Dittrich:
"And the Security Update Development Time chart on pg 12 seems inaccurate because the timeline exceeds 100% unless each of the bands is at the bare minimum."
Is it not possible for multiple teams to be performing different parts of the task, in parallel?
@ Everyone, but especially Richard Steven Hack:
The chart of "app vulns vs browser vs OS" does seem designed to make us forget that MS Office is an app, and it's made by MS. Frequent target in addition to Adobe Pdf/Flash as mentioned by another poster. Other MS apps too, though Office, IIRC, has the most.
Browser? Figures show that IE consistently has more vulns and takes longer to patch them than most of its competitors. *And* IE shares many files with the Windows OS, though IIUC, the battle with the EU over the bundling and tight integration of IE/Win may be mitigating that somewhat. (I expect the dependency-sharing will continue, even if users must be offered other browsers OOB.)
I don't know this for certain about Win7, because I haven't seen a good reason to leave the most time-tested MS OS ever, XP. I do know that when an IE update is issued, I don't need about half the files included, having deleted IE from the machine a long time ago, but the other half are required by the OS itself.
Combining all of those, what is counter-intuitive is MS's claim of what a low share of vulns is in their product lineup, esp. given the breadth and depth of that line-up and the market share noted by others.
Finally, this writer's longstanding pet peeve (ok, among many):
""Microsoft realizes that out-of-band security updates that address security vulnerabilities are unexpected ... (and inconvenient for enterprises, so even if we have a critical patch ready on August 10, it won't be released until September 13, leaving crackers 31 days to find the same flaw and exploit it.)
Um, being hacked is a bit of an inconvenience, too... Instead of leaving consumers out of your risk/inconvenience model, how about, when it's ready, it's released. Perhaps with a provision for batching several that become ready within, say, three days of each other, or are three days or less from the next Patch Tuesday. The IT person may have a couple more overtime nights each month, but that's why they get the big bucks. :)
Overall, agree with RSH and others that this is a puff piece -- so the question is,
"How exactly is this news?"
The review damns Microsoft's vaunted (and ginormous) R&D budget with faint praise.
If I look at figures 8 and 9, I see that the vulnerability rate has stayed (roughly) constant over the period of the survey.
Given that multiple product releases based on a single code base occurred during the survey period, this suggests that a decade's worth of vulnerabilty research and the corresponding technology "improvements" has done little to improve the resiliency or the robustness of the code.
I agree with you that most researchers would bypass the minor ones and move on, but I have some problems with the idea that roughly similar numbers of "mediums" and "highs" would be disclosed and that the "lows" would be an order of magnitude lower.
Presumably MS would discover those themselves or through the 11 emails an hour sent to the special email address. They might not merit immediate fixing, but they still ought to be disclosed and fixed (if relevant).
Similarly, if you accept the premise that there ought to be more mediums than highs, this chart implies that a significant number of mediums never get disclosed - which is a little disturbing in its own right.
@ John N:
"Similarly, if you accept the premise that there ought to be more mediums than highs, this chart implies that a significant number of mediums never get disclosed - which is a little disturbing in its own right."
Could it possibly speak poorly to the fundamental design of the OS itself that such a a large subset of the set of "all vulns" are "Critical" in their effects? (Ask Nick P. and Clive about isolation of hw and sw, prisons, castles, trust, etc. -- when you have a lot of time to read the answers. :wink:)
ActiveX is peculiarly prone to buffer overrun/overflow vulns, IIRC. This speaks poorly to its basic design. What's worse is that as an internal component of the OS, it has 100% privilege on the local machine (most home users run as admin), so allowing web sites to instantiate AX controls - especially third-party ones - is insane.
Look over the last ten years or so of vuln bulletins, and see how many are AX related. This is a positive-feedback loop: More researchers will hammer AX, and because it is so powerful, the resultant exploits have a high tendency to be "Critical". (remote code execution.)
I remember first trying to fine-tune IE's security settings. Choices:
"Run AX controls marked safe for scripting" (yes, no, prompt)
"Run AX controls not marked safe for scripting" (ditto) ...
Why on Earth would anyone find the latter idea appealing, regardless of their lack of tech knowledge? ... Then later, found out that "marked safe" merely means someone, possibly long since gone, or a summer intern, signed their name to it as "safe". Good luck in your (lack of) liability lawsuit.
The other broken record over the years is, "Component X fails to properly validate input...'
Someone quoted me a trivial example of how an entire class of attacks could have been prevented: Use strncpy instead of strcpy, thus invalidating inputs whose length is excessive. No more overruns, etc. Don't they teach this stuff in programmer kindergarten?
Combine a weak browser with access to powerful web-based executables (AX) *and* tight integration with the OS, and it's hardly surprising that most problems are severe ones.
FWIW, Firefox has no native support for AX, and I've never missed it. Only MS Update "needs" it, but since I like to triage the updates to see whether what MS wants me to have matches what I would like to have, I might as well d/l them manually anyway, with Fx.
There is only *one* ActiveX file (*.ocx) on this 95%-trimmed machine, and that's for an older version of the media player, so I can listen to mp3s minus the psychedelic "visualizations". (I can create my own, thank you, lol.)
btw, sorry about the time-pressured math error in my previous: 34 days, not 31.
Tommy: Dump Media Player and use VLC or any of a hundred other media players. Wallah! No more Active X! :-)
I tend to agree with John N at least to the extent that the low number of low vulnerabilities is suspicious - and likely means they're ignored not just by hackers but by Microsoft as well.
However, I also suspect the high number of criticals matches with the overall bloated and poor design of Windows. Historically, Windows has had maybe twice or more the lines of code of Linux or Unix, indicating a huge amount of 1) redundancy in the code, and 2) unnecessary "features" which eighty percent of users never use.
ChristianO: No way would I trust an out of the box Windows more than an out of the box Linux. If for no other reason than any Linux install is less likely to be hit by the millions of malware that afflicts Windows.
But even regarding a direct attack by an interactive hacker using the latest exploits, I suspect Linux would last longer. Maybe not by much, but some. I can't give exact numbers, but I suspect Linux listens to fewer ports and runs fewer services that are backstopped by as buggy code as Windows.
As far the touted Windows Update, it's my experience with clients that half the time the updates for Microsoft's language products .NET and Visual C++ can't even update themselves.
I don't know how many times I've had one or two .NET updates fail to install, and the only solution from Microsoft is rip out ALL of .NET back to version 1.1 and then reinstall it all. I mean, REALLY? You NEVER see stuff like that on Linux - ever. In a couple of years using openSUSE, the number of update related problems I've had can be counted on the fingers of one hand, if that.I can't remember the last one.
Whereas this past week I installed Microsoft's latest updates on a client with Visual C++ and the two updates failed to install - because previous updates failed and I never bothered to rip out Visual C++ and reinstall it because it was a waste of time since the client only has one or two apps written in it.
Not to mention how many times Windows Update (on XP - I haven't seen this on 7 - yet) simply fails entirely, so often that there are free utilities out there, including one from Microsoft, that automatically repair it.
The same applies to IE, which bongs itself so often people have written utilities to fix it without bothering to find out why.
All in all, the XP experience for end users is FAR from the experience of Linux. 7 may be better, but that's likely only because so far I have few clients running 7. And in one case, one system running 7 hosed its own boot loader TWICE within the first month it was running.
Also, the fact that Microsoft requires programmers to undergo "security training" does not mean security is a "process". A "process" would require catching all the buffer overflows during actual development - which it is clear Microsoft cannot and does not do.
Microsoft offers an example in the article of a coding error that results in a vulnerability that is hard to detect. It does not give us one of the seemingly endless examples of buffer overflows which are clearly a straightforward mechanical code issue which is easy to detect but is not detected. Like Tommy, I cannot understand how ANY buffer overflows continue to be written by ANY programmer. It should be second nature these days to prevent them.
You can argue that ActiveX should be removed, but first you must come up with an alternative. I need a way to seamlessly deliver a binary that executes natively on the machine.
Other browsers allow binary extensions; but they generally require a separate installation. I can't think of any better technology than ActiveX.
please, have a PDF printing feature on your site, very interesting blog
That, Mr. Boyd, is *EXACTLY* the problem! No, you don't need a way to seamlessly deliver YOUR binary to run on MY machine.
At the very least, keep it inside the web browser.
The *last* thing anyone wants or needs is someone else, of completely unknown provenance, running their binaries on your own machine without that machine's owner's complete, informed, and explicit consent.
Sorry, I should stop feeding the troll now.
@ Richard Steven Hack:
Actually, I do have a copy of VLC Portable on a flash drive. It's about 23 MB. I don't know what a full install on a HD is, but judging by the fact that the *installer* is a 20MB d/l, I'd guess 60-70MB.
As discussed with Nick P., one of my approaches to trying to harden the (Micro)soft OS is to get rid of as much as possible. You quote twice the code of Linux? I cut the Windows folder by about 95%, (1/20th), from about 4 GB to 176 MB, and from about 7-10,000 files (some users have 20-40,000 files in %windir%) to ATM 692 files. That's a lot of bloat gone, and a lot of attack surface with it. We agree totally on the redundancy and the features not used, except I'd say "by 90-95% of users" - or more.
So, all that's there for WMP6.4 is a single exe of 4.5k (that is not a misprint; 4k), the single 825k Ax, plus the usual codecs and such that *any* media player is going to need. So to keep total HD usage small (~865 MB ATM), this setup works for me. EMMV.
I agree that MS undoubtedly ignores a large number of low-risk or low-damage vulns, since they can barely keep up with all the high-risk, high-damage ones. :P (at them, not you) They've even delayed some critical patches for an extra month, because this month's plate was full, and they "didn't want to inconvenience users" with too many d/l in one batch. (Did I say something before about the inconvenience of being compromised in the meantime?)
I have an easy solution for the .NET problem: Delete it, completely. Never missed it, not ever. The only app that asked for it to be installed turned out to be scamware anyway (I was doing support and investigation for a user; not something I'd have been interested.)
With regard to WinUpdate, I get them manually with Fx, because I want to triage them anyway, and the installers seem to run fine that way. One less AX control snooping around inside and phoning back home to Redmond.
Why do you still have any clients running IE? Of course it's crap -- you have a professional responsibility to advise them. If they refuse, then if it bongs itself or gets them pwned, it's on them, not you, and you get another juicy repair job.
+10 for reply to Ian Boyd. What he described also matches one definition of criminal hacking.
Regardless of whether he's a troll or not, what you said needed to be said. If we want it installed, we'll install it ourselves. Or keep it in the browser, as you said, which at least we can sandbox or virtualize much more easily than an entire VM.
Note that Firefox deliberately does not allow installations on the machine from the Web.
IE dialog box for installer:
"Run from present location/Save to disk/Cancel"
"Save to disk/Cancel". So you get a chance to look at it, scan with AV, Scroogle it, etc. first.
Well said, Sir.
Speaking of "validating inputs", it must be time once again to link to this hilarious example:
"please, have a PDF printing feature on your site".
Never tried it until you asked, but I just highlighted the entire blog and comment section (that frame only, not the left and right panes), copied, pasted to an Open Office doc, converted that to .pdf. I think it took about 30 seconds -- maybe 45. So there's your printable, mailable, or storable pdf, complete with the links. If you want a link-free version, use Firefox's "Copy as Plain Text" option (add-on). Enjoy.
@Tommy: unfortunately, strncpy isn't a very good solution either. It eliminates the buffer overflow issue, but it doesn't return any value to determine if the string was long enough to hold the source. Even worse, when src >= dest, strncpy will not null terminate the string, which could lead to undefined behavior. Sure it's better than a stack overflow, but so is amputation compared to decapitation. The programmer has to do a lot of work to test the string before and after the copy. The c library is in dire need of modernization for security, especially since other parties, such as Microsoft and the BSD library are implementing non-standard extensions that are not compatible, esp Microsoft (see the default warnings for memset and strncpy controversy).
Some argue that dynamic strings are better. You can handle allocation errors more easily, and a well written library greatly reduces overflows. The biggest problems are printf compatibility and embedded systems where dynamic memory allocation is not desirable. Of course, if you are naively doing string manipulation on such a system, you've got a lot to worry about.
@Joh, @Tommy. i am a software developer, not a troll. We have a web-site provided to a customer's external dealers. They log in to the "dealer portal", and from there they use a custom-written CAD/Design 2D/3D tool that uses native APIs.
i'm not suggesting that binaries be delievered without notification, or consent. But i am suggesting that the requirement exists.
If your security solution says, "Well, then they just can't have this feature", then that's not a solution at all. You have to come back to the real world, where people want to actually get things done.
@Ian: why? Why don't they download a client instead? I am guessing your company provides that software as a service? If so, why can't it be a downloadable program which phones home for the license when it is run? If they need the ability to download addins or plugins, well plenty of models for that exist. Why is it necessary to open a security hole for every Windows user for niche solutions that could probably be solved in a different manner? Even windows update didn't have to be in a browser. No matter how you guard activex, stuff still gets through and users don't know when to click yes or no. Downloading executable code, especially code that uses system APIs, opens a huge attack surface, vs a single special purpose application with a download capability.
@Gabriel: Because it's a web-site. Being available as a web-site provides a lot of *other* features; even if they don't need to use the "drawing tool" that particular visit.
Not to be snarky, but the web has become very popular, and people prefer to just browse a web-site and have it work.
It's not software as a service, it's not licensed. We have a customer, who has dealers. Those dealers use this web-site to do stuff. One of the features of the web-site is a custom CAD tool. We created the web-site, we created the tool.
It's not a downloadable program because nobody wants it to be a downloadable program. i don't want to download and install a program, our customer (the guy paying the bills) doesn't want it to be a downloadable program. Dealers don't want it to be a downloadable program.
But now we get to a knit-pick: ActiveX *is* a downloadable program - one who's setup and installer is integrated into the browser. It's integrated into the browser to make the experience as seamless as possible.
People are insulting one "Binary download and install" mechanism, saying it should use another "Binary download and install" mechanism, when the only difference is friendly user-experience with the former.
Which brings me back to my original point. You can recommend that ActiveX go away, but you have to suggest a replacement. Or, if you want IE to adopt the Firefox binary extension mechanism, you need to update FireFox so that the browser can advertise, download, and install, the binary for the user (with their knowledge or consent, if you wish that).
@Ian: alright you seem rather defensive when someone challenges your assertion. Really no need for that here. My comments are not personal, but directed at risky model of computing. I can understand some want the convenience, but it is at a terrible cost to security. Requiring keys to start a car is rather inconvenient when you lose them, but we accept that as better than not having door locks and a locked ignition, even though the gain is more marginal than removing activex. ActiveX as a download mechanism not only affects your customers, but also every single user of ms windows. How many people do you think fall into a niche such as yours? We have already eliminated windows update, because vista and 7 proved that a standalone client was feasible. So, activex harms everyone's security for the perceived benefit of a small minority. I can't justify that tradeoff.
It isn't too difficult to create a client that uses a web engine and can download program components. Such a custom application, only used by your customers and dealers, would have a much smaller footprint than a browser on 90% of all desktops. That web client could even use activex, if you want a common os specific dl mechanism, but it should not be in IE, which is used to visit a number of sites, most of them untrusted. This approach would leverage existing APIs to do the same thing you are doing now, without depending on a very insecure use case. If MS had never put activex into IE, and had instead required developers to do a tiny bit more work, then the web could have been more secure. Instead, they pushed a very narrow use case on EVERYBODY! Even ms now realizes the problems with taking the convenience route. I wouldn't be surprised if future iterations of windows and IE make it even harder to download and run ax code.
Hi Mr. Boyd, and thank you for your thoughtful responses, although I'm going to stick with my original claim.
If your customer requests and requires such a colossal security hole in the name of a little convenience, I would suggest you consider rewriting the project specifications.
If you want a 'real world' metaphor, imagine a car dealer requiring that everyone who purchased a car from them keep a spare key under the left front fender. Sure, it would be convenient, and would just work, for everything from helping people who are locked out to maintenance to repossession, but once one car thief realizes all cars from that dealer have that weakness...
Imagine the car dealer keeping a copy of everyone's key, but in a safe which only senior management has access to. Not quite as convenient; a little more secure.
Yes, binaries may very well be delivered through all sorts of mechanisms, but some are far more secure than others. The web browser I am using right now was a binary delivered to me over the web. But I went specifically looking for it, found it, found an MD5 checksum for it (although I admit I didn't check it, the ability was there), downloaded it, and installed it myself.
Recall I insisted upon not only requiring consent, but also complete information about what you are downloading, when, and why.
ActiveX isn't just a downloadable and installable binary. It's a downloadable and installable binary *that goes and downloads and installs other things* with or without your permission!
I would also like to reference Gabriel's remark, in that ActiveX doesn't 'just work'. It's highly limiting in what browsers and what operating systems one may use.
Two more details: It could very well be unlawful to push binaries onto a user's computer, although presumably logging onto a protected website might ameliorate your liability. You could still be in trouble if your control was maliciously altered (doesn't even need hacking. There exist disgruntled employees as well).
Second, have you checked for things like typosquatters? Imagine someone setting up a website just like yours, with the URL differing in some trivial typographical error, displaying a login page that lets anyone log in, and promptly sends them malicious ActiveX code? Would your customers be happy with that?
Web design, unfortunately, doesn't yet have professional engineering codes, and so it's hard to say what are best practices, who must follow them, and what should be done about those who don't, but I would say that there is in all skilled professions certain ethical requirements.
If a home-builder insists an architect provide him a structurally unsound house, the architect should refuse to design it. If a client insists his lawyer perform barratry, the lawyer should refuse. If a municipality insists a civil engineer provide an unsafe bridge, the engineer should refuse.
In this case, you have constructed a fundamentally unsafe web site. I know, your customer wanted it that way. But I believe you should have refused to build it that way.
Again, thank you for your thoughful responses, and I humbly withdraw the 'troll' remark.
PS - One last thing: Your final parenthetical remark seems to me to show, once again, that you don't seem to understand what we're on about. I quote, "(with their knowledge or consent, if you wish that)". No no no no no. If *they* wish that! It's not *your* choice to make! J.
"With regard to WinUpdate, I get them manually with Fx, because I want to ..."
I am interested in this. What is the Fx you mention?
@Jon: That's not what i meant by "if they wish". i didn't mean me; the person delivering the digital content.
The "they" i was referring to the self-anointed guardian of all things correct, when it comes to matters of security and the internet. i was referring to the person who's declared himself the authority of how all browsers should behave.
Personally i want the browser to wait for my explicit permission before it downloads any executable. But i certainly shouldn't require all browsers adhere to my views.
Yes ActiveX is limited to security of the host process, and limited to Windows (and in my case 32-bit). That's a non-issue, because we're talking Windows and ActiveX.
i'm still stuck trying to find what alternative you're suggesting. You suggest that rather than have the browser, with the user's permission, download a binary and run it - that i instead that have browser, with the user's permission, download a binary and run it. Is the security hole really that in one case it's "too easy" to download and run the binary, where the other case it's harder to download and run the binary?
Granting the premise that no ActiveX should have ever been installed without user permission; what's the difference?
Tommy: "Actually, I do have a copy of VLC Portable on a flash drive. It's about 23 MB. I don't know what a full install on a HD is, but judging by the fact that the *installer* is a 20MB d/l, I'd guess 60-70MB."
That's because all the codecs are embedded in it. You don't need to load any additional codecs. If VLC (or MPlayer, another good one) can't play it, it's probably been encoded by some weird Matrosky thing or isn't worth playing.
"I cut the Windows folder by about 95%, (1/20th), from about 4 GB to 176 MB, and from about 7-10,000 files (some users have 20-40,000 files in %windir%) to ATM 692 files. That's a lot of bloat gone, and a lot of attack surface with it."
Nice. But it must have been a lot of work to determine what you could cut and not cut.
"So, all that's there for WMP6.4 is a single exe of 4.5k (that is not a misprint; 4k), the single 825k Ax, plus the usual codecs and such that *any* media player is going to need."
VLC Portable by PortableApps is 21MB downloaded, 36-56MB installed. So yeah, it's going to be bigger. But it's not going to require Active X at all.
"I have an easy solution for the .NET problem: Delete it, completely. Never missed it, not ever. "
Generally I would but there ARE more and more utilities coming out that require at least .NET 2.0. So it's been my policy to go ahead and install it for all clients. Wouldn't be a problem except for the ridiculous inability to update so often.
"With regard to WinUpdate, I get them manually with Fx, because I want to triage them anyway, and the installers seem to run fine that way."
I only triage for servers. 99% of the time Windows updates are not an (obvious) problem for most users. And manually downloading and installing them just takes way too much time (especially on a clean reinstall of Windows), which is why I try to use things like AutoPatcher (now on its way out due to lack of support) and WSUS Offline Update.
"Why do you still have any clients running IE?"
I don't. They all use Firefox - except for some of the home users, of course. But Windows Update uses it, so it has to be there.
"If they refuse, then if it bongs itself or gets them pwned, it's on them, not you, and you get another juicy repair job."
Well, repairing IE is not terribly juicy. Generally only needed when malware has messed it up, preventing the end users from running Windows Update. Just run a utility or two that fixes it or the command line that re-initializes it. Takes less than a minute - although of course I have a one-hour minimum. :-)
Ian: One difference has already been pointed out to you. An external binary is not embedded in the browser or the OS where it can be used for multiple purposes like ActiveX - which is a platform, not a binary.
I tell my clients that using Firefox is at least half of what it takes to avoid malware precisely because Firefox does not run ActiveX which is how much if not most malware comes into a system.
There simply is no justification for the existence of ActiveX. And given the number of exploits being used against Java, a case could be made that it being accessible via browser is not a good idea either.
The browser platform is simply too insecure - not to mention unreliable - to be usable as a delivery platform.
I'm well aware that users make demands the consequences of which they don't understand. I have a client that insists on all their users running as Administrator on Windows XP (due to issues with dealing with customer hard drives being attached to the system as well as having to switch user to install programs - no less, the exact security holes that demand not doing so.) I fought that, but lost. Sometimes there's nothing you can do.
But you can't argue that it's a good thing which the industry needs.
Hi Mr. Boyd,
I think you have prepared a slightly false dichotomy. It's not whether it's permitted or not, it's that the user should be specifically required to request it, and given complete information about just what they have requested, and what it can and/or cannot do.
The information for ActiveX would be, basically, "People you have never heard of can do anything they want to your computer, including rendering it completely FUBAR. They can also copy anything on it without you ever knowing.". It's hard to argue for installing a gadget with that sort of power.
Information confirming they're getting what they think they are getting (eg. an MD5 hash or SSL connection, although neither are perfect) would also be nice.
And there is no Grand Panjandrum of Web Browsing, any more than there is a Great Poobah of the Plumbing Code. It's generally a consensus, arrived at through experience, to get reliable pipes for a reasonable cost.
Sharing that experience and discussing the pros and cons of various methods is why we're here.
I came to page 4 before I found a disturbing statement: ...code sample ..... that is difficult to find using code reviews.....
I'm terribly sorry, but "allow_access = TRUE;" followed by "if (access_check ()== ...DENIED) allow_access = FALSE;" is an OBVIOUS security problem waiting to happen.
I'll grant you that it will be hard to find using testing, but a (security) code-reviewer should spot this instantaneously.
Sorry, "Fx" is a common abbreviation for Firefox web browser, approved as official by its parent, Mozilla. Like "IE" for Internet Explorer.
How to get MS Updates with Firefox is described here.
The poster there was correct that you just sub the common three-letter (English-US) abbreviation for the month in question, and the last two digits of the year. So the August 2011 summary listing of security patches would be at
For September, substitute 11-sep for 11-aug in the above; for January 2012, use 12-jan, etc.
@ Gabriel, re: strcpy/srtncpy:
Yes, of course that was an oversimplification, and not a complete solution. It wasn't even my idea. Somebody who was grumbling about MS insecure programming (now why would they do that? ;) mumbled, "If they'd just use strncpy instead, it would stop most buffer overflows." They were just illustrating what Richard S. Hack said, that "having security training" does not equal "security incorporated as an ongoing process at all stages".
You hit a good one:
"The c library is in dire need of modernization for security, especially since other parties, such as Microsoft and the BSD library are *implementing non-standard extensions that are not compatible,...*
Typical MS behavior, although I'm surprised that BSD is doing that. Lots of BSD fans here. (I haven't dug into it.) But you also ID'd the root cause:
"a well written library greatly reduces overflows."
How many MS libraries are "well-written"? We could judge by, say, the number that get critical patches, and the number that get patched repeatedly, same file. (GDIPlus.dll comes to mind, and I could list a lot of others.) Even the kernel exes and driver on XP have been patched, what, half a dozen times or more in the past year or two? - with some single patches covering a double-digit number of individual flaws.
There's no evidence that security is part of the design process, which is why I get rid of as many of the dang files as I can, including one of the four kernel exes. (No details on which kernel exe, please; undocumented and at my own risk.)
Re: Your *very* thoughtful (and 100%, valid, IMHO) discussion with Ian Boyd:
Yes, that's why the combination of Firefox and NoScript is often used and recommended by the security-conscious. Since NoScript is total freeware (donations accepted, but no nag screens etc.), please permit me to use this opportunity to say a bit about it to any readers who aren't familiar with it, since our topic is security vulns. I don't get paid for plugging it or anything, lol.
There's a short learning curve, just as with learning to use a computer or to drive a car. Then it becomes second nature, and your favorite sites have their configurations saved permanently for you. For novices, there's a Beginner's Guide.
No offense to Bruce, but I don't allow scripting at this blog. If Bruce is untrustworthy, we're all hosed, but that's not the point. Aside from hosting user-uploaded content and all, the "least privilege" principle applies here: If you don't need it for the function you want, don't allow it. And it's a compliment to whoever designed the site -- Bruce or anyone else -- that it functions fully, including comment preview, without scripting. Which puts to shame the other similar sites that require it.
NoScript also blocks Flash, Java, MS Silverlight, and others, allowing you to decide which sites you trust to run them; has the best cross-site scripting (XSS) protection, all *user-side* (vs. IE and others that require the web site to do something to implement the protection), stops clickjack attacks, and much more.
Try it; you'll never again browse without it. FAQ and Support forum.
@ Mr. Boyd:
So, now you see how those who are more security-conscious browse, and still accomplish our goals, and why there was such strong reaction to your design?
@ Richard Steven Hack:
I might just try that VLC native install. Would that be the world's first fully-functional (for home use) 100% ActiveX-free install of Windows, at least for the past 10-12 years? Cool! :)
"Nice. But it must have been a lot of work to determine what you could cut and not cut."
Yes, and a lot of foobars along the way. Frequent full-disk-image backups are obviously required, in case your change makes it unbootable. (It's happened.) But there is an excellent guide to the process, written by someone who obviously put thousands of hours into it himself, cutting the time considerably. Free website, although he asks for a donation if you want his batch files to automate some of this. I didn't. One reason: Everyone's mileage varies. He obviously has a bare-bones setup of a single box connected to a cable modem, and apparently, not even a printer (!), whereas I have a wireless router, two wireless laptops, a networked printer/scanner that can be accessed wirelessly, and a stand-alone USB printer.
"C:\WINDOWS\system32\spool (See also Print Spooler in PART 2.)
I delete the spool folder and its contents because I do not have a printer."
Everyone else probably has one, too, and that applies to other individual setup differences as well. Can't just follow it blindly; *read*, and see if you do or don't have or use that component or service. And you will find the //weirdest//, non-intuitive dependencies in Windows... But I was able to find additional deletes beyond his, by a lot of trial and error.
He includes a guide to disabling unnecessary and dangerous Services, but I find Black Viper's (Charles Sparks) to be more detailed and better. Also, the latter covers Win 2000, XP32/64, Vista, and 7, (though only for Services), while the first one is for XP-x86 only. I don't think he has any plans to publish a guide to de-bloating Vista or 7, probably for the same reason I don't care to "migrate": When you've put *that* much time and effort into what amounts to a totally custom install, suiting your exact needs and no more, you're not about to start all over from scratch with a new OS. But I'm sure you could adapt some of the principles if you're wanting to debloat the newer OS -- maybe publish your own guide?
Side note: In addition to disabling a lot of Services, I take the dangerous ones, or the ones I know I'll never use, and delete them completely. Not just their exes and support files, but even their reg entries, so they don't even show in Services. It's cool to open the Services window and see no scroll bar and the page not even full!
(ALL that is deleted, including said reg entries, is of course stored on CDs if ever needed, and a complete backup of every file on the machine was made and stored before starting.)
"99% of the time Windows updates are not an (obvious) problem for most users. And manually downloading and installing them just takes way too much time (especially on a clean reinstall of Windows)..."
But I don't want IE 7, 8, etc., or .NET -- there was a scandal when a .NET update *changed a Firefox config invisibly*, and at first, grayed out the uninstall. Every new version of IE increases the bloat, and adds to the required-file list. And other "features" I don't want added in the updates. I know most users aren't that fussy, but having worked hard to trim this,... You're in a different situation when you talk about a clean reinstall, and of course I agree with you. But I have no reason to do such a thing. HD died; shop put in a new one in a few minutes; I told them not to bother with install; went home and painted the drive with Acronis backup from the previous day, and in 15 minutes, it's the exact same setup, on a new HD. I don't plan to buy a new machine for a long time, lol. Your POV as a serviceperson is naturally different, and I agree with your approach. .
"The browser platform is simply too insecure - not to mention unreliable - to be usable as a delivery platform."
That has become *my* meme! Nick P. agreed completely - won't bother to link the post -- I'm sure we all agree. (except for Mr. Boyd, I guess.)
However, I do use the Java encryption applet at Hushmail (nowhere else that I can think of, and it's delivered over a SSL/TLS connection). Despite the general advice always to use the latest version of anything, IMHO Java made a huge mistake when they expanded into desktop applications. The whole reason that Java wasn't quite so bad as AX is that unlike AX, it ran only in a somewhat-sandboxed runtime, i. e., with limited privileges. (Yeah, I know it wasn't perfect, but at least they *tried*.) The minute I saw "Move Java apps from your browser to your desktop", I puked, then said, "No, thanks.".
Whatever vulns might be in the older Java, it would probably require a corrupt Hush insider to leverage it, and the whole browser is run sandboxed anyway. Personal choice. IMHO. YMMV.
And *of course* you have a one-hour minimum! Just don't let the customer know that you fixed it in five or ten minutes. ;-D
@Tommy: re Windows kernel exe's: each exe on
Windows is a different HAL layer, foR the permutations of ACPI/ no ACPI and multi/uni processor. This is one of the many painful areas of ms complexity that makes me appreciate the Linux kernel. Because when you need a new HAL, you typically have to reinstall windows. I do have to wonder if that was really a technical limitation, or convenient for MS, since it helps their licensing strategy (new pc/mobo: new windows).
Regarding BSD and non standard extensions, it's because it's a necessary evil. Strlcpy is not standard , but BSD did it to correct the bad behavior of strncpy. Other os's picked it up, including solaris, irix, BSD derivatives, and even android (why it's great that the os kernel is not wed to the userland). Unfortunately, no glibc, whochni suspect is due to Ulrich Drepper's stubbornness more than anything. Better to have non standard (but open and widespread) defined behavior than standard undefined behavior.
If you read Drepper's criticism, you will see he believes it makes truncation errors easier to ignore. How that is so vs strncpy I have no clue. Strlcpy returns the length of the source string, so one could quite trivially check for truncation (src longer than dest). Strncpy provides no such relief, to handle truncation, one must call strlen on source.
@Jon: "It's not whether it's permitted or not, it's that the user should be specifically required to request it, and given complete information about just what they have requested, and what it can and/or cannot do."
i disagree that a user should be required to request it. That's poor usability that doesn't add any real security. (i.e. theater)
Tommy: Thanks for the link to the slimming Windows guide, I might use it if I ever need to run Windows XP in a really secure context.
Now, of course, I never run Windows XP except in a VM on top of Linux when needed to do some support-related task. Ditto for 7 and Server 2003/2008.
I've got Black Viper's recommendations. I don't usually do those modifications for clients automatically, but I probably should.
On my clients, I always do image backups. But the downside of those is they do have to be redone periodically or you spend a lot of time running Windows update after a reload. But if you redo them, you just inherit the additional "Windows rot" which eventually requires a clean install anyway.
Which is why I went to AutoPatcher and WSUS Offline Update - to speed up reinstalling the patches after an image reload and make it more or less unattended.
And on one client, they have older versions of Adobe Premiere on some of the XP machines. When you reload an image, Adobe's licensing scheme detects that as a change and you have to reinstall and re-activate Premiere - a pain for reasons involving other software which also has to be loaded (Matrox video capture cards the drivers for which instantly crash XP on installation!)
I REALLY hate Adobe and Matrox. They've made my work at that one client a living hell.
Here we go again. Hi, Mr. Boyd.
The point of requiring requesting isn't security theatre. The point is denying everything that isn't requested.
That you have permission is completely different from having specifically been requested to download and install something.
Metaphor time once more:
Imagine you have a nice house, on a nice street, with a nice front lawn, and a white picket fence. In order to permit the postman to put the mail on the porch, the postman has permission to enter your lawn.
This is fine, until someone shows up (disguised as the postman or not), opens the gate, and lets in a gang of rabid badgers.
Leaving the gate unlocked for the postman is a security hole, even if it is only the postman who, technically, 'has permission'.
The secure version locks the gate, and when the postman arrives, asks him to confirm he's the postman, grants permission to the postman this time only strictly for the purpose of delivering the mail, and locks the gate behind him when he has left.
You'll get a lot fewer badgers that way.
PS - I know, the gender-neutral term is 'letter carrier'. J.
PPS - what if it's the postman, with permission, who's bringing the badgers? The secure version requires that the postman only deliver the mail. How much do you trust your postman? J.
I think at this point we can say successful troll is successful. No offense to mr Boyd if he is for real, but it doesn't take more than a google search (or bing if you must) to find all the criticism of that model. Convenience is why win xp was a security nightmare, Bill Gates basically said to hell with security, for convenience. Yet a
few years later, after the damage was done, he reversed course, leading to a new security focus, whether for show or for real. I would say ms is the holier than thou bible thumping convert; as you see in papers such as the one linked. Of course, no matter how sincere their efforts, many facets of bad security design still haunts windows today, as you see when blatant vulnerabilities, such as the cpl mess a year ago, are discovered.
Thanks for the clarifications. So without doing any further research, I get that because I have only one single-core processor, I was able to delete the exe that dealt with multiples, correct?
If strlcpy is better than both strcpy and strncpy, do you know whether MS has started to include it in their newer systems? I'm stuck in XPland, which I rather like, but I expect that due to their commitment to legacy code, back-compatibility, and not wanting to go through thousands of files and re-writing the commands, or write new ones from scratch, would presage that they're probably not, and the overflows will continue.
@ Richard Steven Hack:
"On my clients, I always do image backups. But the downside of those is they do have to be redone periodically or you spend a lot of time running Windows update after a reload."
The goal would be to train them to do them regularly themselves. Using incremental backups (3-4 per full) saves storage space and time. Automated task scheduling could create them, say, at 2am, if that's when the machine is unused, since many just won't take the time.
Side note: The ability to fit a full-disk-image backup, plus several incrementals and a regular data backup (i. e., in Windows drag/drop format, not compressed or anything), on a single 700 MB CD was a major benefit of the trimming, and actually motivated me to keep looking for cuts far beyond security needs, speed of drive head search, etc.
"But if you redo them, you just inherit the additional "Windows rot" which eventually requires a clean install anyway."
I have my own batch script, evolved over time, to remove the rot regularly. It's currently at about 100 lines, and includes useless log files, useless junk that Windows tends to create and re-create, etc. Includes third-party apps: firewall and AV logs from two years ago? Really? ... You could write something like that very quickly for each client, and put it in the Startup menu so that it runs at each boot.
Of course, your business clients will need longer log retention, for both diagnostic and forensic purposes, than I as a single user would. A month or two, sure. But a year or two?
You may also find interesting that I was able to cut ZoneAlarm Free Home version from triple-digit MB to less than 15MB, and why. Some users have seen %windir%\Internet Logs grow into multiple GB, logging every request, in or out, over the years.
I too hate Adobe, and avoid them almost completely. Foxit for .pdf needs. Sure, Flash in Firefox (sandboxed, default-denied in NoScript, enabled per use only). Your clients may need the more diverse offerings -- I'm not a Photoshopper -- but surely there must be better alternatives. Foxit Reader = 4 MB. Adobe Reader = 350 MB or more. Two whole orders of magnitude of footprint = attack surface. No wonder they're getting to be the target of choice.
@Jon: It might be safe to assume that you don't use Internet Explorer, but i think the user interface in IE already satisfies your "specifically request" requirement.
When a page needs to load an ActiveX control a yellow bar appears at the top, saying that the page needs to load a control. The user has to click on this yellow banner and click "Install ActiveX". (You can pretend the wording on the popup menu says, "I specifically request that this ActiveX control be downloaded and installed", except that's too long to fit in a popup menu)
Then a large warning dialog appears; giving the user all the standard security warnings: danger...untrusted...publisher...blah...blah...blah; all the stuff nobody cares about. (You can pretend that this larger dialog then says, "Yes i specifically request that you download and install this binary". You can even add a checkbox: "Yes, I understand that by proceeding that I may be at risk") (You can add it right before the, "I accept the license terms" checkbox).
The effect is the same as what you want; the user specifically has to click on a stop, clicking the "Install" action. Then they have to read a large scary security warning, and click "Install" again. Except IE does it with a better user interface, because my mother isn't as technical as you.
If you insist, the page can link to download page, where you click a "link", and then an "Open, Save As, Cancel" dialog appears, and you have to be sure to explain to the user that they *want* to click "Open". (A lot of users are stymied by a "Save As" dialog, don't understand folders, and don't realize where, or that, they saved anything).
In one case the download link is rendered in HTML, in the other case the download link is rendered in a yellow bar at the top of the page. The difference is theater - the user still has to click and download.
*Real* security comes from Chrome and Internet Explorer running in "Protected Mode". i don't know if Chrome runs NPAPI plug-ins in protected mode; but i know that IE runs pages, and 3rd party binaries, with reduced privelages. Firefox doesn't yet support reduced privelages as Chrome and IE, but they're working on it.
- a yellow bar into a download link
- an install button with an Open button
isn't adding security, it's window-dressing; it's security theater designed to make you feel safer.
Update: A Chrome NPAPI plugin does not run with reduced privelages, as ActiveX's in IE do.
"Code running in an NPAPI plugin has the full permissions of the current user and is not sandboxed"
This talk has been very useful for me. It inspired me to read about the NPAPI plugin architecture for Chrome.
i can create a page that displays a yellow banner, identical to that of IE, telling the:
This website wants to install the following add-on: 'Consanto Drawing Tool'. If you trust the website and the add-on and want to install it, click here...
Clicking it will start the download an executable, to which they will have to run. After it installs they'll be forced to refresh the page - and it will work.
Chrome's NPAPI architecture is essentially identical to ActiveX; i can make it *almost* as friendly; substituting:
- "Install" for a "Run" button
- manual refresh for an automatic refresh
Chrome would also lose the ability to display the digital certificate of the addon. But it's better than nothing.
Tommy: "The goal would be to train them to do them regularly themselves."
You REALLY don't know my clients! :-)
"Automated task scheduling could create them, say, at 2am, if that's when the machine is unused, since many just won't take the time."
I do them manually periodically, although if I can find a decent freeware image backup utility that can be properly scheduled, I might automate them. Just haven't gotten around to it.
"Side note: The ability to fit a full-disk-image backup...on a single 700 MB CD was a major benefit of the trimming..."
Yes, that would be nice. With DVDs you can go up to at least 4GB. With my clients, almost all backup to an external hard drive these days - with a TB or more of backup available for $100 or so, it's trivial.
I gave up on CD/DVD media when my disk space hit half a TB and 50-100 DVDs to back it up. :-) Now with 2TB of disk in my machine, I backup at 6AM to an external 2TB USB drive. Takes about an hour to crawl the 2TB and back up new and changed files.
And I never compress data backups - too much chance of corruption of the archive format.
"I have my own batch script, evolved over time, to remove the rot"
Oh, no, I use CCleaner. Wonderful utility. There's also a utility called CCEnhancer which improves CCleaner to remove junk from an additional 270 applications.
When I REALLY want to recover space on an XP machine, after running CCleaner, I go into the Documents and Settings and other Temp file locations and manually remove stuff.
On Linux, I have BleachBit which I only rarely use since Linux is good at cleaning itself up. In fact, I just now ran it and it only recovering 18MB - hardly worth the effort on a 2TB system.
"Of course, your business clients will need longer log retention, for both diagnostic and forensic purposes, than I as a single user would."
My clients are so small, they don't need ANY log retention. I capture the event logs from each machine with the BackLog utility continuously and scan them periodically for issues, then remove them.
I did have one client that needed to retain logs showing access to certain critical folders after a former employee apparently accessed them after he was let go. The problem there was that almost all of the Event Log management tools on the market utterly suck. Either they require a dedicated powerful server because they're so slow, or they have lousy search functions, or other severe usability problems. We tried several and it was an eye opener to see how bad they were.
"Some users have seen %windir%\Internet Logs grow into multiple GB, logging every request, in or out, over the years."
That was one reason I dumped Kaspersky AV from one client. It never cleaned up its logs and they quickly occupied multiple GB of space. Ridiculous.
"Foxit Reader = 4 MB. Adobe Reader = 350 MB or more."
Yes, I haven't gotten around to replacing Adobe Reader with Foxit. I probably should. I use Adobe even on Linux, although I have Linux alternatives also installed in case Reader annoys me.
Ian: You might quote the WHOLE of Mozilla's comment on NPAPI:
NPAPI is a really big hammer that should only be used when no other approach will work.
Code running in an NPAPI plugin has the full permissions of the current user and is not sandboxed or shielded from malicious input by Google Chrome in any way. You should be especially cautious when processing input from untrusted sources, such as when working with content scripts or XMLHttpRequest.
Because of the additional security risks NPAPI poses to users, extensions that use it will require manual review before being accepted in the web store or extension gallery.
So, yes, NPAPI has the same SECURITY RISKS as ActiveX!
Another problem with activex, npapi, and even extensions in ff (although xul limits what you can do, I believe) is that these addons, once installed, increase the number of threat vectors in the browser. And to return the favor, the web browser also increases the number of attack vectors for your application, vs a standalone app. It's the same reason why flash and adobe reader are commonly exploited, particularly because the browser automatically loads these plugins when the content they handle is presented in a webpage. (noscript and other flash blockers help with this). So when you're software is running in a browser, it can get a whole lot more crap thrown at it.
@ Richard Steven Hack:
">>> Automated task scheduling could create them, say, at 2am, if that's when the machine is unused, since many just won't take the time."
"I do them manually periodically, although if I can find a decent freeware image backup utility that can be properly scheduled,...."
They're not willing to spend $30-$50 for one of the several COTS FDIB products? ... provided you tell them the horrible dangers and inconvenience of a catastrophic failure without a recent backup. The Windows Task Scheduler would do it, or for example, Acronis has its own scheduler built in. You can schedule for daily, weekly, etc, at what time of day, or simply "when computer is idle" - so it runs while the client is at lunch or whatever. No-brainer on the part of your no-brain clients. (I empathize. Lots of those around.)
Or by "clients", do you mean, not just people who hire you for specific repairs, installs, etc. but actual "clients" of your server, who store their data on your server (you're the cloud here)?
"">>>I have my own batch script, evolved over time, to remove the rot"
"Oh, no, I use CCleaner. Wonderful utility..."
Agee. I have it, too. But my script captures a lot of stuff that CC doesn't. Like, say,
"When I REALLY want to recover space on an XP machine, after running CCleaner, I go into the Documents and Settings and other Temp file locations and manually remove stuff."
Exactly what my script does, and kind of surprised you haven't automated that, too. Batch files are so easy... I wonder if any Clive post has reached 100 lines, in which case, maybe I could post the DOS code, if you and several other readers are interested. Else, I could e-mail it to you at the address on your website. No offense taken if not interested.
"It's the same reason why flash and adobe reader are commonly exploited, particularly because the browser automatically loads these plugins when the content they handle is presented in a webpage. (noscript and other flash blockers help with this)."
Exactly. NoScript's policy is default-deny. Everything is blocked unless you have previously whitelisted the source *and* chosen to "allow all" at trusted sources (I don't), or choose to temporarily allow it for this one occasion, or decide to add a particular script to your whitelist.
This includes all plugins, WebGL, @font-face, and the following tags: audio, video, IFRAME, FRAME, and many other types of protection -- all by default. Only user permission can allow them.
So at YouTube, I am not vulnerable to the millions of videos there. Only to the one that I select, and then give NoScript permission to let run. In a sandboxed browser. So NoScript is one extension that doesn't increase the number of attack vectors; it reduces them drastically.
@ Roger Wolff
Yes, the code snippet and the commentary on it on page 4 brought me to a dead stop, also. And that was without even noticing that the code enables access and then checks for conditions why it should be disabled. The mere fact that the behavior of the AccessCheck(...) function wasn't defined to catch/check all of its possible internal error conditions struck me as a blatantly sub-standard architectural decision.
@Richard Steven Hack i absolutely agree that adding more code to the browser is an attack vector. Flash, Java, Silverlight, OpenOffice file viewer, PDF viewer, Google Talk, mp3 audio: it's all code that can be attacked.
People were calling for binary extensions of IE (ActiveX) to be removed. By extension this means they also want binary extensions of Firefox and Chrome (NPAPI) removed.
The point *i* was making is that you can remove ActiveX, but you need to come up with an alternative.
You may wish that browsers no longer supported any kind of plugin architecture, but that really hurts usability. So before we remove the ability to extend functionality of the browser with binary code plugins: you have to propose an alternative.
The only alternatives i heard were, "I can understand some want the convenience, but it is at a terrible cost to security. ...activex harms everyone's security for the perceived benefit of a small minority. I can't justify that tradeoff."
i, on the other hand, would be fine with everyone being allowed to keep their shoes on - i accept the risk that there may be on bomb in one. "I can justify that tradeoff."
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.