Posted by: Dave | March 3, 2010

The “Privilege Equalization Exploit”

The longer I work in the software industry, the less I trust security websites — even the reputable ones. That’s saying a lot since I’ve been building software since 1998, doing it professionally since 2000.

My favorite gem to see on security websites nowadays is what I have heard referred to as the “Privilege Equalization Exploit.” This is a mockery of the term “Privilege Escalation Exploit” where a weakness in software can be exploited to grant you more privileges to a system than you’re supposed to have. The “Privilege Equalization Exploit” is a “dire security issue” which gives you exactly as much access to a system as you already have. These “security experts” express frustration that software vendors are doing absolutely nothing about such issues! OH MAI GAWD, YOUR SOFTWARE IS DOING EXACTLY WHAT IT IS SUPPOSED TO DO — EVERYBODY PANIC!!!!!

All these posts do is demonstrate 1) the “security expert” being completely unaware of basic system design (e.g. a Unix user being able to list the contents of /home), 2) how the contents of “security websites” lack curation by actual experts of information system security and 3) scare novices into thinking there are severe security problems when there are none. Combined, this does nothing more than slander and annoy those that work hard on software production, whether it is FLOSS, commercial software, or anywhere in between.

The bottom line, the next time someone freaks out about security issues, do what you would do for a medical situation: step away from the person saying “the sky is falling”, consult an expert, perhaps get a second opinion and make an independent but informed decision.

An example of “doing it right” with regards to security education is Steve Gibson and his show: Security Now! available for free at http://twit.tv/sn. He sorts through the noise, tests reports independently in his labs and avoids regurgitating every “Privilege Equalization Exploit” folks love spewing over the internet. He does this while conveying rational suggestions to his listeners in plain language.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: