Microsoft Blasted For Lax Security
fducky writes "Once again Microsoft is blasted for lax security. This CNN article cites experts denouncing the recent Microsoft security efforts as rating an 'F'. The recent MS-SQL worm got this most recent round of MS bashing going. Google News has more stories on the subject."
there was a post like this, well I'd be richer than Bill Gates himself.
Hey, maybe this open source thing ain't so bad after all...
Because Microsoft is the most widely used homogeneous operating system on the planet, it happens to have its fair share of bugs. However, when Linux begins to get a larger market share, viruses and worms will start popping up on more and more Linux boxes. I doubt they will have the same effect as Microsoft viruses and worms, but it will happen; Linux just needs to hit critical mass.
While it is stupid of MS not to update their own servers, you can't blame them for the SQL worm. They issued a patch months ago; it's no one's fault but the server admins'.
doh! from the CNN article: "The single largest message is: keep your system up to date with patches," Microsoft Chief Security Officer Scott Charney said. But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said. For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm.
Oh my God, it's goatse.cx all over!
"Stop failing the Turing test!" -- Dilbert
The viruses themselves are tough to track down (South Korean Internet cafe?). So why not go after the people who have their computers open, not downloading the latest patches for security? These people are as responsible as the people who create the viruses that take advantage of such flaws. So why not go after those with open computers, causing the issue, and then, if the issue is an unpatchable one, go after whoever is at fault? I mean, someone has to take the blame. If they do find the person who created the virus, they can prosecute them as well, but I think this is a two-front war.
Send it to these guys. Might be something for their Photoshop Phriday or Comedy Goldmine sections.
Will their next initiative be called ex-lax?
I thought the MS-SQL worm worked in a very secure fashion. The servers offered a service, client worms connected and used it just as the software was designed. What's the problem? All it generated was traffic. From the network's POV, is it really any better if that traffic is /. commentary or pr0n? Or CNN stories?
Also, during the height of worm activity the XP activation servers failed in a secure manner; that is, rather than allowing people to use unlicensed copies of XP willy-nilly, they erred on the side of caution. Note that from Microsoft's POV this is a secure failure mode, and is BY DESIGN.
They're doing exactly what they set out to do, just as they always have. A CNN story won't affect that.
I hate to break it to you, but Microsoft is popular, and hence they will be all the more a target of these worms. Every tiny fault will be implemented, and all operating systems have these.
When another OS is popular, you'll see it happen to it too. I believe nobody is immune; only the popularity decides what is a vector for transmission.
Not necessarily bad coding or security. Many other operating systems could almost be said to be 'hiding' in their obscurity.
Security by obscurity is no defence.
Look at a recent article on Macintosh virus attacks. They used to be non-existent. Now with OS X they are up to half as common as Microsoft's.
And Apple still only has a minor market share. That bears thinking about.
Besides the one recent example of the SQL worm cited in the article, CNN made no mention of other security problems. This isn't to say that they aren't there, because they obviously are, but it just seemed like they based their whole thesis of security shortcomings on one recent incident. It would have been nice to see some kind of list, or maybe a timeline of sorts with other MS security flaws. The article seemed like some kind of publicity plug for "TruSecure Corp."
They can't even make their software secure. Who thought they'd be able to secure a major international airport?
You asked for it.
I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
This was patched over 6 months ago. Anyone not smart enough to keep an eye out for security deserves what they get. By the way, I'm sick of all these people claiming how MS patches and updates break things. Tell me specific examples and then we'll talk. I am also quite aware of what's involved in patching SQL. Manually copying files, running scripts, blah blah, and you Unix guys bitch about it? Please.
There was a patch for this bug available months ago. Isn't it possible that some of the problem could be attributed to the website administrators?
1. Gain monopoly 2. Make insecure products 3. ??? 4. Profit!
Pictures like that aren't a coincidence. The CNN editor who put it on that story chose it specifically to make Gates look silly. If s/he were a Microsoft apologist, the picture would have been more dignified. So yes, I suppose it is begging for something, but mostly it's there to manipulate your opinion.
You're just pissed because linux has never had a worm bring down the internet (twice).
BTW, you can run MS Office on Linux. Ever heard of Wine?
Or why not go after the software vendor that wrote and sold vulnerable software? Or go after the software vendor for dumbing down systems so much that incompetent admins are put in charge to maintain them?
Personally, I don't think the whole "blame game" is very effective...but that's just me.
Okay, I'll be the first to bash Microsoft and say that their security sucks. I'll be the first to say that their initiative to improve security is marketing smoke and mirrors. But let's give them a real chance to prove this to us. The vulnerability that caused the Slammer worm is one that they actually found and fixed a long time ago. This is admins not doing a good job of keeping up to date and fixing problems.
Furthermore, the product that was compromised is legacy from before their big embracing of security. Let's see what happens with its next major release. If that still has big gaping problems, then we can hang them from the tallest tree.
Now while I'm no fan of MS, do we really need to have stories every time someone accuses Microsoft of having poor security? Might as well dedicate an entire section of Slashdot to their exploits. At least then I could turn it off in my preferences.
And while there are plenty of problems for Microsoft to fix in their code (IE has plenty of unresolved issues), this issue was in large part due to system administrators. Let's let it slide that they were "just waiting for the next service pack to come along" so they could update and patch everything. I don't buy that as a good policy for maintaining systems; if a patch is out and can be applied, use it. And why leave SQL systems on the Internet without some sort of firewall or some sort of protection? If it has to be on the Net, why does it not have every possible security patch applied to it?
I'm sure there are some valid reasons for having your system protected from this bug, but in large part admins dropped the ball.
But that's my $.02.
A lawsuit against a company with many systems that are left unprotected and are being used as a relay or zombie for an attack may be coming soon to a court near you.
Why does Microsoft's "grade" drop when they released a patch for the worm a long time ago? All OSes have security problems. I think it is more accurate to say that Microsoft SQL Server admins get an "F", not Microsoft itself. This is not to say that I think MS has good security, but it's an unfair slam when the worm is really the fault of admins who failed to apply a vendor patch.
According to MacNN.com:
"Computer security experts said the recent "SQL Slammer" worm, the worst in more than a year, is evidence that Microsoft's year-old security push is not working, according to Reuters. The article quotes one CTO (as well as a security consultant) as saying the security issues have prompted them to consider the Mac as an alternate platform: "A Consumer Reports survey last year found that virus infection rates on Macs are half what they are on Windows, noted Smith. 'Is that because Macs are safer? I think the answer is yeah.'"
The fact is that in the past year Macs almost never crash due to viruses or any other cause. They're like telephones and toasters; they do the job unobtrusively.
It's already been done. This picture was the subject of a fark.com photoshop a while back. I'm afraid I don't have the link though. Perhaps someone with more spare time than myself could try digging through the archives; I'm pretty sure it happened within the last year.
Oh no you don't! Don't think you can fool us with that all too common last name. We know it's you, RMS!
"But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said."
Can anyone explain to me a better method, since even thy mighty god Linux is subject to the need occasionally, along with every other major OS I can think of?
The paragraph continues with, "For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm." To me, it seems that this statement doesn't support the previous one. It would be better to place blame where it belongs, straight in the lap of the admins whose responsibility it is to keep their systems secure, and upon the heads of those who write exploitive code for the purpose of causing havoc.
I mean, more power to those who bring these issues to light, but doing so without perspective just looks like picking on an easy target.
We've had this discussion before, and we're having it yet again.
Who's to blame in this situation? I clearly feel it's the administrators and their immediate managers, both at Microsoft and at any organization that was hit with the worm. The administrators should keep up with the newest patches and update systems during the maintenance window. Managers should ensure the administrators have applied the patches.
The argument about downtime and untested patches will surely be seen here as well. That argument is not OS specific. Sure, on Windows you generally need to reboot after applying a patch, but what if this happened to Oracle? You would need to take the server down, patch, and bring it back up. As for testing, this is again OS independent. At one time or another I'm sure every piece of software has released a patch that has introduced new bugs; it happens.
Either way, there will be Microsoft bashing in the thread, but regardless of which OS you're running situations like this will arise.
Even as security issues are top news usually on Slashdot, this shows where our hearts are.
Yours, Martin
If a suit is won against such a company, I'll be sure to sue the living shit out of some random business after I raid and pillage their store.
After all, it's their fault they didn't stop me!
Idiocy.
The related article is here:
Survey Reveals Geographic Illiteracy
which is impossible to judge right now. No amount of scanning code after it has been written can catch all problems. Nobody ever understands code as well as the person that wrote it. Microsoft's code base is huge beyond belief. With a full press effort, it is likely that it will be another 3 to 5 years before we truly know whether or not they've successfully changed their ways today because it will take that long to replace the code base with one mostly written by people conscious of security.
As to where I THINK they are today, it seems that they are truly security focused. The classes that every programmer has been subjected to have been more grueling than any from any other company I've ever heard of whose core business was not security software. This is despite the fact that the talent Microsoft hires is some of the best. They've taken their best talent and drilled into it that they've got to focus on security first and foremost. We will see results. They will take time.
I'd say that we will know the success of their efforts when we see the first .Net framework only OS (no legacy Win32 support) or OS installation option about four to five years from now.
Some people blame the admins for not applying the patches, but should you?
Some things to consider about patches:
Why do we keep posting these stories? Why don't we post links to stories on how to set up secure firewalls, systems, etc.? Of course, if you're a horrible administrator using a default installation of Red Hat / Microsoft / etc. on a public network, you should be beaten over the head for letting it on the public network in the first place.
In the meantime, Schneier said he was thinking of switching from Windows to the Macintosh platform because of all the security issues. "My wife has a Mac and she doesn't worry about viruses, trojans, leaks..., " he said.
My mother uses Windows and doesn't worry about stuff like the SQL worm, but that doesn't mean everyone should stay with Windows. If this guy isn't worried about the Mac, he isn't a very good person to take advice from (not an attack on Macs). I think everyone needs a healthy dose of paranoia. Even if you run the most secure OS around, there is still reason to be paranoid about something.
Also, the article makes it sound like the only options are Windows and Mac. What about any of the other commercial or free operating systems?
I'm at least as anti-Microsoft as the average Slashdotter, but this is getting a bit ridiculous. Aside from the fact that a patch was available, what the heck is a database server doing with a direct Internet connection? Five years ago, when I started designing web applications it was common practice to put web servers in a DMZ, with a firewall between the web server and any DB/app servers.
This isn't Security 101, it's Remedial Common Sense 050!
also, we could go after the people who get mugged too, as they clearly aren't doing everything they can do to protect themselves from muggings, and it encourages muggers to mug you and I then. Or for that matter, people whose cars break down during rush hour. The list goes on and on...
Sorry, I've known this (and my clients are becoming {finally!} increasingly aware) for ages.
/., so it must be News for Nerds.
Yes, Windows (and related products) blow in regards to security, it just means that we have to go an extra (or more) step to make sure they don't blow up in our faces.
Yes, I run WinNT at work, it's stable, and not been disrupted by exploits/worms/virus/holes/whathaveyou, simply because I take the time to *make sure* it doesn't.
We all know that even *nix can have problems, so this is hardly surprising.
Still, it's
Recently, Red Hat has started supporting their free download products for no longer than 1 year. This is understandable, since relatively few really pay for that service and most people who don't use it for dedicated server purposes tend to upgrade or install the latest version. Now we can add that upgrading or installing the latest (as opposed to updating old systems) might be a practice that should be encouraged.
RH has also expressed their plans of coming out with server products in between their free and Advanced Server products. I'm sure these will be cheap enough that mom & pop type shops can afford them and will be supported for far longer than a year.
I wonder if Microsoft considers this good PR. Why? Because when they start heavily pushing .NET and their Palladium plan, they will use examples such as these worms as to why everyone must go on a platform where Microsoft must authorize every piece of software and every piece of hardware to work with it.
It automatically patches servers left unpatched by irresponsible sysadmins for 6 or more months. Sure. Sounds great. Open source fix everything.
The only thing it fixes is that you can then go back after the fact and dodge responsibility saying that the sysadmins (who were too lazy or stupid to patch MS systems for 6 months or more) could have RTFM, edited the source code and presto, everything's perfect.
OSS doesn't fix arrogance, stupidity, ignorance, or laziness.
Interestingly enough, the Slammer worm also affected the .NET Framework SDK whether or not the full SQL Server was installed on the machine or not. This is because a component of SQL Server is included in the 1.0 release of the SDK. Microsoft issued a critical patch for this issue too.
Even after having spent $100M on their Trustworthy Computing Initiative by July of 2002, we have not seen a great deal of proactive security fixes from Microsoft. Instead, external exploits seem to still be easy (even old ones), and then Microsoft takes action. Microsoft software still has a lot of maturing to do. We shouldn't expect magic anytime soon.
Gates says security is job #1 and sends all his programmers to security training.
Well, that's nice - but is that really going to do it?
How do you really get secure software? Doesn't that arise over time, as software matures and the flaws are found in the code base?
Is that something Microsoft can embrace as a model for their business? Isn't Microsoft really about making money by churning its user base through upgrades every two years?
It seems to me that it is going to be very difficult for a company that makes its money by selling 'features' to end users and churning its software base every few years to achieve the level of maturity in its code base that is necessary to arrive at a reasonably secure product.
The fact is that Microsoft's business managers with bottom-line responsibility are going to do what is necessary to get new versions out, each version with an ever increasing feature set. No matter how well Microsoft trains its developers, this process is going to lead to security issues.
Because of the lax security with Microsoft, and this latest worm, it was the straw of hay that broke the camel's back; it is making me go all Linux. There will be no end to Windows' sad security.
Weird view. So if you neglect to lock your door, you're just as responsible as the burglar who carries off your stuff, and ought to be prosecuted for willful negligence?
Okay! Yet another federal law enforcement bureaucracy is born: The Patch Enforcement Agency. It can parallel the organization of the Lock Enforcement Agency and the Don't Go Walking In Central Park After Dark Enforcement Agency.
That's what we need. More ways to hold victims responsible for the acts of criminals.
Here's an idea: why not just let nature (or in this case, the free market) take its course? Sysadmins who neglect to patch their servers get fired, and those who employ such sysadmins lose business. The problem will take care of itself without introducing any new government meddling to gum up the works and make life harder for everyone.
This is sadly reminiscent of our present foreign policy. We can't catch Osama, we need the Saudis' oil, we're scared of North Korea, so we attack some tinpot dictator we're pretty sure we can beat.
One issue concerning differences in security regimes between Unix and Windows systems that rarely gets discussed is port scanning.
When a Unix exploit emerges, the IT department at my university scripts a port scanner, identifies vulnerable machines, and contacts their admins. If the machines are not patched within a certain time, they are disconnected from the network. I, for example, got an email about my Linux server being vulnerable to the OpenSSH exploit even before I read about it on Slashdot. This way the university system is less prone to hacker attacks. My Windows 2000 box has never been patched, is probably as secure as a sieve, and has never drawn attention from the IT department. I presume this is because a similar scanning procedure is significantly more difficult to launch. This way I suppose the Unix machines should de facto be much more secure than the Windows machines at the university.
while certainly no ms supporter myself, a few things struck me as I read this article.
1. M$ gets blasted for the SQL worm. Uh, didn't they post the fix many months ago? As far as I am concerned (afaiac), this was the result of lazy admins (lazy MCSEs) rather than Microsoft itself. Lazy MCSEs are another subject. I was patched and I didn't get hit. I check the patches once a week or so. Apparently many lazy admins don't do this. Also, my SQL is not publicly accessible thanks to my firewall. Why do so many places have their SQL externally available? Does it need to be? Probably not...
2. The other thing I take issue with is the fellow that said this sort of thing doesn't happen on a Mac. Why? According to him because Macs are in fact more secure. Maybe. Probably even. But I suspect the reason that 90% of the worms are written for m$ because 90% of US companies use m$. If mac had 90% of business market share, I would wager that 90% of the worms would be written for macs. I can write a program that is full of holes. Nobody would ever know if nobody used it.... I agree windows is a script kiddies' best friend and its security all around sucks, but I don't like cnn's simplistic approach to the subject. I have never heard of a BeOS worm. Is it more secure than windows? probably. But do any businesses use it?
There is an expression 'Fool me once, shame on you, fool me twice, shame on me'. MS has its share of people hacking it and attacking it. But the problem is that with this amount of attention something should have changed!
OK, blame the admins. But that is like saying if somebody cuts off their leg with a chainsaw it is the owner's fault for not being careful. Yes, the chainsaw user is at fault. But the chainsaw manufacturers were also at fault because the saws kept running when the human let go. That intensified the problem. These days all of these "dangerous" tools have safety checks, etc., so catastrophic things do not occur anymore. And it has made a huge difference. This is the same situation with MS and its security problems. At some point in time MS has to start changing its habits and thinking about how to address the issue. Because thus far it has not worked worth a DAMN!
"News for Nerds".
Hmmm... this isn't exactly news to us, is it?
Looks like we have the "Microsoft" moderators here again. Within a couple of minutes, every pro-Microsoft comment, no matter how off topic or mundane was modded up and sensible anti-Microsoft comments modded down.
The parent comment makes a valid point, it should be modded up to match the +3 score of its parent.
Think about this: If you require the populace to get the patch from you then you can monitor key propagation and identify copies.
Now imagine a further twist, prepare the code so that it has "flaws"
Now imagine an even more cynical view: Fund a security watchdog group who have some "amazing" guys that find these problems and publish them.
Hedley
I see a lot of people stepping up and complaining that it's not Microsoft's fault as much as it is the sloppy admins. Yes - Microsoft systems that were hit by this worm were poorly managed. However, the problem is that shitty admins are exactly who Microsoft designed this "server" operating system to be managed by.
Who certifies system administrators that can barely format a floppy? Microsoft. Who crafted a Fisher-Price operating system with inadequate "wizards" to help unqualified administrators bungle their way through setting up a server? Microsoft. And who pitches their operating system as having a lower TCO because you don't need skilled labor to run them? Microsoft.
So when you want to complain that it's the admins that make these systems insecure, remember these are the admins that Microsoft picked.
Now if that plant had any vulnerabilities to disease, you are hosed. All of the fields of this same plant are going to die in exactly the same manner at exactly the same time.
Meditate on this, Grasshopper.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
Microsoft has been trudging uphill in the server market since the mid-90s with Windows NT; since then they have only achieved a strong foothold in the mid-to-low-end server market, which is now being seriously challenged by Linux.
While Linux may not be fundamentally more secure than NT, it definitely has the perception of being so, because Windows is a vastly larger target with their desktop dominance; every time one hears about a Windows exploit it affects the perceived security of all of Windows, whether it was a client-side IE exploit or a server-side-only exploit.
I think Microsoft needs to put the fix on the security problem very quickly or suffer a serious erosion of people using Microsoft for critical applications. To do this I think that at a minimum they need to do the following:
Perception:
Put a hard line between the server and desktop markets, i.e. drop the Windows name for the server end; call it something like TrustIx Enterprise, anything but Windows. That way, when there are security exploits for the desktop it doesn't go against the server end.
Make security the number one feature requirement in all server products.
Hire a bunch of top security guys; make a big splash about being "unbreakable" like Oracle did.
Technology:
Implement the latest security technology, like the new stack protection ideas in OpenBSD.
Be much more aggressive with auto-updating, so that unpatched machines get automatically patched; all of the big headline worms on NT exploited holes that had been patched for over 6 months. Any server on the Internet should by default auto-update patches.
Patches must be 99.99% correct, meaning that when auto-patching happens it does not break anything. Microsoft should offer a guarantee that if a patch does break something they will fix it, i.e. send people out and fix it for the company, and pay for any lost revenue due to the patch.
Lax security costs Microsoft more than they can imagine; with a total saturation of the desktop market there is nowhere to go but down. Their only hope for continued growth is expanding in other markets. With so much already invested on the server side it is crucial that security is given number one priority; otherwise they will lose all that they have done and pull the whole company down with it.
-Jon
...the wrong reasons.
The security of SQL Server should never have become an issue. Not because of the fact that MS had a patch for it, or not. Nor even the fact that someone who installed a patch may have inadvertently uninstalled that patch by installing another patch.
Microsoft should be lambasted for not encouraging users of SQL Server to keep those boxes behind a firewall.
There is only one marginally excusable reason to have an SQL server visible on the net. That would be if the web server at a web host needed to communicate with the company's SQL server at the company. Even that should be done over a secure link.
In all other cases, an SQL server should be behind some sort of firewall, and not directly visible to the Internet.
The fact that there were enough copies of SQL Server visible on the Internet to allow SQL Slammer to use enough bandwidth to be a problem for other network users is not an indication of a security problem with SQL Server. It is an indictment of the awareness of security issues being provided to users and administrators.
I realize that with all the possible security issues that exist, some people will get glazed eyes and so on. Sorry, it happens that security will be a cost that has to be addressed.
Of course that is just my feeling, and I could be wrong.
-Rusty
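Two posts above argue the same practical point from different sides: the university admin's approach of scanning for vulnerable hosts and chasing their owners, and Rusty's point that a SQL Server reachable from the Internet is the real failure regardless of patch state. The script below is an added example, not code from the thread or from any of the vendors mentioned. It does what such a scanner would do offline: it builds the one-byte SQL Server Resolution Service probe (UDP 1434), parses the instance list a server answers with (the `ServerName;...;Version;...;tcp;...;;` records of that protocol), flags instances whose build is below the fixed one, and separately recognises Slammer-style datagrams by their well-documented shape (destination UDP 1434, 376-byte payload starting with `0x04` and a run of `0x01` filler). The fixed build number `8.00.636`, the host names and the sample datagrams are constructed assumptions for the demo; check the build against the vendor bulletin before using this for real.

```python
"""
Offline demo: inventory SQL Server instances that answer SSRP (UDP 1434),
flag unpatched builds, and spot Slammer-shaped datagrams.
Added example; sample packets below are constructed, not captured.
"""
from __future__ import annotations
import struct

SSRP_PORT = 1434
SSRP_PING = b"\x02"            # CLNT_UCAST_EX: "list your instances"
SLAMMER_PAYLOAD_LEN = 376      # whole UDP payload of the worm
# Assumed minimum non-vulnerable SQL Server 2000 build (MS02-039 hotfix);
# SP3 reports 8.00.760. Confirm against the vendor bulletin.
FIXED_BUILD = (8, 0, 636)


def parse_build(version: str) -> tuple[int, ...]:
    """'8.00.194' -> (8, 0, 194) so builds compare numerically."""
    return tuple(int(p) for p in version.split("."))


def is_vulnerable_build(version: str) -> bool:
    return parse_build(version) < FIXED_BUILD


def parse_ssrp_response(data: bytes) -> list[dict]:
    """Parse a SVR_RESP datagram: 0x05, u16 little-endian length, then
    ';'-separated key/value pairs; each instance record ends with ';;'."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP server response")
    (length,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.strip(";").split(";")
        if len(fields) < 2:
            continue
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def looks_like_slammer(dst_port: int, payload: bytes) -> bool:
    """Signature from public analyses of the worm: UDP to 1434, exactly 376
    bytes, first byte 0x04 (the SSRP request the overflow abuses) followed
    by 96 bytes of 0x01 filler."""
    return (dst_port == SSRP_PORT
            and len(payload) == SLAMMER_PAYLOAD_LEN
            and payload[0] == 0x04
            and payload[1:97] == b"\x01" * 96)


def audit(datagrams):
    """datagrams: iterable of (src, sport, dst, dport, payload).
    Returns (exposed_instances, suspected_worm_packets)."""
    exposed, worm = [], []
    for src, sport, dst, dport, payload in datagrams:
        if looks_like_slammer(dport, payload):
            worm.append((src, dst))
        elif sport == SSRP_PORT and payload[:1] == b"\x05":
            for inst in parse_ssrp_response(payload):
                version = inst.get("Version", "0.0.0")
                exposed.append({
                    "host": src,
                    "instance": inst.get("InstanceName", "?"),
                    "version": version,
                    "tcp": inst.get("tcp"),
                    "vulnerable": is_vulnerable_build(version),
                })
    return exposed, worm


def build_ssrp_response(instances) -> bytes:
    """Build a SVR_RESP the way a server would; used only to construct the
    sample traffic below."""
    body = "".join(
        f"ServerName;{h};InstanceName;{n};IsClustered;No;Version;{v};tcp;{p};;"
        for h, n, v, p in instances).encode("ascii")
    return b"\x05" + struct.pack("<H", len(body)) + body


# Constructed sample: our probe, the server's answer, and one worm datagram.
SAMPLE = [
    ("10.0.0.9", 40000, "10.0.0.5", SSRP_PORT, SSRP_PING),
    ("10.0.0.5", SSRP_PORT, "10.0.0.9", 40000, build_ssrp_response([
        ("DBSRV1", "MSSQLSERVER", "8.00.194", "1433"),   # RTM build
        ("DBSRV1", "REPORTING", "8.00.760", "1435"),     # SP3 build
    ])),
    ("198.51.100.7", 51234, "10.0.0.5", SSRP_PORT,
     b"\x04" + b"\x01" * 96 + b"\x90" * (SLAMMER_PAYLOAD_LEN - 97)),
]

if __name__ == "__main__":
    exposed, worm = audit(SAMPLE)
    for e in exposed:
        print(f"{e['host']} {e['instance']} {e['version']} tcp/{e['tcp']} "
              f"{'VULNERABLE' if e['vulnerable'] else 'ok'}")
    for src, dst in worm:
        print(f"Slammer-shaped datagram {src} -> {dst}")
```

On a real network the probe would be sent with `socket.sendto` to each host's UDP 1434 and the replies fed to `audit`; a host that answers at all from outside the firewall is the finding, whatever its build, which is Rusty's point.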
Pine is also older than Linux, so it's a bit silly to call it a "Linux email client".
Well, that is contrary to reality as everyone knows, but their marketing machine has been very effective at repeating that mantra. Security is hard, no matter who is doing it. There is no such thing as easy security, besides turning off your computer and burying it in concrete. From that perspective, Microsoft created the problem for themselves. It's not the product of poor engineering or inferior software. It's the admin and development culture MS promotes. This is also why things like .NET are having a hard time getting adopted. High performance distributed computing isn't easy and won't be for another 100 years or more. Saying ".NET will make development a breeze" in the context of enterprise software development is undesirable and detrimental.
If enterprise high performance software was easy to build, then SQL Server 2K would be able to support thousands of connections in its connection pool. Which it doesn't.
This problem was clearly the fault of sysadmins and companies not taking regular downtime for security fixes.
because they have had enough already.
Anyone with that much money in the bank can damn well afford to produce products that actually are best in class. They are number one right now, but clearly do not deserve to stay there when we know there are better and cheaper ways to do things.
Folks, remember that when MS first started hiring developers in its beginnings, those developers:
- Were not skilled in Unix security precautions because Unix vendors had changed their licenses to close code to those in CS at schools.
- Were influenced to push code out the door rather than refactor, retest, and rework to produce security-compliant code.
- MS's recent code retraining cannot erase almost 30 years of bad programming practices within MS itself.
The only way for MS to get better is to immediately fire every programmer, which will not happen, and thus the conversion to Linux and Mac OS X will gain full speed in the next few months.
Schneider (CTO of the mentioned security corp.) makes the solution crystal clear at the end of the article.
The difference is that other manufacturers, Apple in particular, don't do the incredibly stupid things that Microsoft does like turning on running scripts in your email program by default. Apple even went so far as to not have a root account on Mac OS X. So you can't simply make a root kit to compromise it. That's not to say it doesn't have any vulnerabilities, but it has far fewer than other OSes simply because Apple thought about the problem before writing their software. Microsoft has repeatedly not done this, even when 3rd parties alert them to the problems again and again. (And even after the problems cause major problems for millions of people again and again!)
there is a missing issue here: ms bent over backward over the last 7-10 years to sell their products to people based on *Ease of Use*. you don't have to be a rocket scientist (or unix guru) to do 'big things' with computers if you bought ms products. one of the key selling points was you didn't have to have these expensive engineers to maintain the systems.
so between the 'it's easy' part and 'you don't need smart responsible people to manage it', is it any wonder that we have an epidemic of poorly maintained ms systems out there?
Now said system was purchased against your recommendation, is proprietary in nature, and the company that made it was bought out by another company, so you can't even get a straight answer on simple questions anymore. The department responsible for this purchase has never hired the person promised to maintain the system, nor have you been sent out for training on its maintenance.
A week after this system is installed a third party contractor installs a replication system so your ticketing system can be connected to a big web server in another state. You don't really know what ports need to be open, how they are being used, and every time you tweak the littlest thing the entire operation comes to a grinding halt.
And you expect me to apply patches at random. Especially when they require taking the system offline, and each has the risk of incapacitating your operations. Right.
Blame me all you want. But the seeds of ruin were planted further up in the decision making process.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
What does it feel like to be the only person to fall for an obvious troll? I'm curious what you're thinking right now. Please don't hold back.
Microsoft should sue all companies which were attacked and infected with the SQL Sapphire Worm.
Seriously! The fault wasn't entirely on Microsoft's side - the patch was available in two versions, one for half a year, and the second, with the easily installable Service Pack 3, released _before_ the worm hit.
Microsoft's "good name" was impaired by those admins who haven't patched their SQLs.
Maybe there can be some kind of "improper use of software" case, and Microsoft will make licensing terms harder or cancel support for infected companies?
:wq
The nation's newest security administrations are extremely vulnerable as they are nearly all MS shops now. The irony is MS was chosen for their security strength. This information is very public and very disturbing.
According to the CNN article: In October Microsoft released a fix for a different SQL Server problem that if installed in the expected manner would have made patched systems vulnerable again, he said. "If I followed their advice I'd have been vulnerable."
As a server admin, how do you know which patches will cause more harm than good? Is a good server admin one who installs every patch that's released right away and breaks things, or one who doesn't and gets broken into? When we installed SQL Server's SP3 at work, we found that the statement "DBCC SHRINKDB('insertDatabaseNameHere')" was deprecated and disabled in favor of using "DBCC SHRINKDATABASE('insertDatabaseNameHere')". This wasn't a new release... this was a service pack! I don't think you can solely blame admins for not patching. Some blame HAS to fall on the coders who left the hole open in the first place.
Okay, anyone who has read my posts knows that I'm not a Microsoft supporter. I find it hard not to see the humor in Microsoft's own servers getting hit when the vulnerability was not new and patchable especially after they proclaimed that they were now striving to be secure.
However, after laughing myself sick, the seriousness of the situation darkened my mood. Although I believe that Linux is currently a more secure platform, it is not a platform without flaws. Linux could be the next security nightmare if we don't occasionally do a reality check.
Part of Microsoft's strength and ironically part of the reason that Microsoft products tend to be vulnerable to attack is the fact that Microsoft strives to give the customer everything including the kitchen sink.
To do this, products are made with far too much power. VBA is an example of this. Combining data with code is not a good idea. It makes it very convenient for the customer and unfortunately the black hats as well.
Right now Microsoft is pushing their .NET platform. They are hopeful that this will become the development platform of choice across multiple OSes. Parts of the Linux community are scrabbling to enable Linux to benefit from this emerging technology through the Mono project.
If successful it may become possible to run many applications that will be developed on the Windows OS that are targeted for the .NET platform. If Microsoft introduces a .NET version of their flagship Office package it is likely to incorporate some form of VBA. Running a VBA-enabled application on Linux will not help the security of the Linux platform.
The race isn't always to the swift... but that's the way to bet!
brown eyes.
Things like SQL Server need to be patched regularly. Sysadmins who are lazy/ignorant don't do that. So to solve the problem, you must FORCE sysadmins to patch the system.
How do we force sysadmins to do this? Easy: MAKE THE SOFTWARE _REQUIRE_ A PATCH EVERY TWO MONTHS, or it STOPS WORKING.
Two weeks before it stops working, make it send an e-mail to the sysadmin telling him it's about to go pop unless he gets his act together. Just insert some time-dependent code in there. That way, everyone's forced to patch their systems every two months. If there aren't any outstanding patches, then the vendor should create a patch that simply fixes the expiry timecode to be another two months in advance.
OK, so it won't solve the problem if a worm exploits something within two months of a patch coming out. But it'd be a darned sight better than the current situation. There might be issues with firewalls, as you prolly don't want your DBMS to have access to the net, but these could all be got around.
You could even get the machines to apply the patches themselves, automatically.
The only issue I can see is that some MS patches actually introduce new bugs/break existing features. Grrr.
I'm surprised discerning /.ers manage to post such crap. Not only is this article vague. For example, aside from the "many problems" with the patch system, try figuring out what these problems are. You can't, not from this article!
Check out this beauty of a quote:
A Consumer Reports survey last year found that virus infection rates on Macs are half what they are on Windows, noted Smith. "Is that because Macs are safer? I think the answer is yeah."
I wonder why there are fewer viruses for Macs... maybe they're safer... maybe...
Oh, that's right! No one uses a Mac!
Admins are the problem, and microsoft is the problem as well. In fact, the main issue is that microsoft is breeding lazy and dumb administrators.
That's not going to say all windows admins are dumb. And there definitely are lazy and dumb Unix admins, too. However, from what I've seen in several companies, the ratios are that most windows admins don't know what the hell they're talking about, and if you take away their wizards and their mouse, they're lost like newborns. Most Unix admins do know what's going on and can bring a system back from states way beyond where the only microsoft solution would've been a reinstall.
Why is that? Because windows is marketed and sold as if every dumbass could run a server. It really isn't a surprise. There's a truth to all the sayings that start with "if planes/houses/whatever were built the way microsoft makes software..."
The most important part is that nobody has ever gone around and tried to sell people on the idea that being a doctor, or flying a plane or building a house is an easy task.
Guess what, neither is running the corporate server farm.
I call that a scam, plain and simple. A scam that has - according to the various overblown estimates on virus and worm damage - done several trillions in damage.
Is it the fault of the lazy sysadmin who didn't do his job? Yes, it is. But he was very much tricked into a very wrong picture about what exactly his job is in the first place.
And so far, we've all been lucky. None of the viruses that I've seen were even close to the level of sophistication that, say, some very early (C64 and amiga age) real viruses had.
Assorted stuff I do sometimes: Lemuria.org
What are supposedly serious companies doing without firewalls blocking 1433 and 1434? I run a little home network, of which one machine has SQL Server 2000, but my firewall has been blocking all 1433 and 1434 as "suspicious UDP" data. This is a little less than $150 hardware box. What? Bank of America can't afford a firewall?
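An added example, not from the thread or from any product it names: a small Python policy evaluator that compares a default-accept firewall with no SQL rules against one that limits TCP/1433 and UDP/1434 to the LAN, and then scans constructed firewall log lines for outside hosts that were allowed through to those ports. The LAN range, the rule format and the log format are assumptions made for the example.

```python
"""Check whether a packet-filter policy actually blocks inbound SQL Server
traffic (TCP/1433 and UDP/1434 resolution service), and flag log lines
where such traffic from outside the LAN was accepted.
All rule sets, packets and log lines here are constructed for illustration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LAN = ip_network("192.168.1.0/24")                 # assumed home/office LAN
SQL_PORTS = {("tcp", 1433), ("udp", 1434)}         # SQL Server data + SSRS


@dataclass(frozen=True)
class Rule:
    action: str          # "accept" or "drop"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port, None = any port
    src: str             # CIDR the rule applies to, e.g. "0.0.0.0/0"


def first_match(rules: List[Rule], proto: str, dport: int, src_ip: str,
                default: str = "accept") -> str:
    """Evaluate rules top to bottom as a typical packet filter does: the
    first matching rule decides; with no match the policy default applies."""
    src = ip_address(src_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != dport:
            continue
        if src not in ip_network(r.src):
            continue
        return r.action
    return default


# Weak policy: default-accept and no SQL rules at all, which is the
# situation the post describes for sites that got hit.
OPEN_POLICY: List[Rule] = []

# Hardened policy: SQL ports reachable only from the LAN; everything else
# that targets them is dropped.
HARDENED_POLICY = [
    Rule("accept", "tcp", 1433, "192.168.1.0/24"),
    Rule("accept", "udp", 1434, "192.168.1.0/24"),
    Rule("drop", "tcp", 1433, "0.0.0.0/0"),
    Rule("drop", "udp", 1434, "0.0.0.0/0"),
]


def sql_exposed(rules: List[Rule], probe_src: str = "203.0.113.9") -> List[Tuple[str, int]]:
    """Return the (proto, port) pairs an outside host could reach under rules."""
    return sorted(p for p in SQL_PORTS
                  if first_match(rules, p[0], p[1], probe_src) == "accept")


# Assumed log format: "<ts> fw ACCEPT|DROP TCP|UDP src:port -> dst:port"
LOG_RE = re.compile(r"(?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
                    r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)")


def allowed_external_sql(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """List (src, proto, port) for every accepted packet from outside the LAN
    to a SQL Server port; anything here means the filter is not doing its job."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        proto, dport = m["proto"].lower(), int(m["dport"])
        if (proto, dport) not in SQL_PORTS:
            continue
        if m["action"] == "ACCEPT" and ip_address(m["src"]) not in LAN:
            hits.append((m["src"], proto, dport))
    return hits


# Constructed sample log: one outside host reaches UDP/1434 and is accepted.
SAMPLE_LOG = [
    "Jan 25 05:31:02 fw ACCEPT UDP 198.51.100.7:1041 -> 192.168.1.10:1434",
    "Jan 25 05:31:03 fw DROP UDP 198.51.100.7:1041 -> 192.168.1.11:1434",
    "Jan 25 05:31:09 fw ACCEPT TCP 192.168.1.22:3311 -> 192.168.1.10:1433",
    "Jan 25 05:31:15 fw ACCEPT TCP 203.0.113.9:44210 -> 192.168.1.10:80",
]

if __name__ == "__main__":
    print("open policy exposes:", sql_exposed(OPEN_POLICY))
    print("hardened policy exposes:", sql_exposed(HARDENED_POLICY))
    print("accepted external SQL traffic:", allowed_external_sql(SAMPLE_LOG))
```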
Sure it's fun to bash a company that said they were overhauling their security every time they have a security problem, but serious people would look a bit deeper than that.
Having the IS team not keep up with a few of their own patches is silly indeed, but I believe the security push was mostly targeted at developers.
Still that's something Microsoft can be faulted for. And that's the only thing:
In the whole SQL worm incident, what exactly can be blamed on Microsoft?
There was a patch, the problem itself came from code written before the 2002 security freak-out.
It feels like people expect that, since Microsoft has said they cared about security, suddenly all of their existing software is supposed to become security bug-free, and any failure of an old installed piece of code to fix itself is a massive failure for Microsoft.
That's unrealistic.
Judge Microsoft's security effort by the quality of what's been coming out of their oven for the past 6 months. If the new stuff is as insecure as the old one (arguably hard to measure), then bash Microsoft to hell and back. Until that can be established, give them a chance.
If you want to get a feel for the kind of things microsoft is doing for security, you should check out "Writing Secure Code", by Michael Howard and David LeBlanc, 2nd edition.
If you need a great reference book on how to approach security issues at your workplace, check it out.
--
um. This is probably a great time to mention I am NOT affiliated with MS in any shape or form.
Ah internet comics[userfriedly.org]
Sys Admins are just being dumb. They had a patch for this bug 6 months ago. Microsoft has a little known component to Windows 2000 server called SUS, or Software Update Services. It essentially lets you control which packages and updates the clients in an Active Directory domain are updated with. But you can have two W2k servers running this in tandem, so you can distribute all the packages from Microsoft to a test group, and then have the second server pass out an approved list to clients. Sys Admins who claim that they don't know which things to patch or what will break aren't doing their jobs.
.sig error: carrier signal lost.
Also, this article, written by somebody who barely knows computers and probably lives on slashdot, is just bullshit MS bashing, and pretty untrue at that.
When there were DoS attacks caused by Cisco routers being out-of-date, they blamed the admins. When there were Linux boxes being taken over and used for DoS attacks, they blamed the admins. But when MS SQL servers are used for DoS via a vulnerability fixed over 6 months ago, they blame MS. Well, the article and the so-called expert they quote do anyway. Any reputable organization blames the admins for not patching their equipment.
So instead of being lazy and not keeping up on updates, sign up for MS's security alerts, test them out as soon as they are made available, and apply them after they test out. It's called being PROACTIVE, not reactive.
Manipulate the moderator system! Mod someone as "overrated" today.
The internet is becoming more and more important to the average "joe." So now, "things internet" are becoming newsworthy.
I have discussed the recent worm attack with my non-tech associates and they actually had an opinion about Microsoft. That some agreed with me and others disagreed isn't as significant as the fact that they had an opinion.
This is a tremendous change. Think on it.
Some people strongly disagreed on Microsoft and how evil they are. Others nodded as if to say what I mentioned made a lot of sense. (I mentioned that "bugs" in software are part of Microsoft's business model -- people have to buy newer software to repair problems with their old software, especially after Microsoft stops supplying fixes for their older stuff... "Bugs == consumer incentive to upgrade.") This, of course, is now changing rapidly. "Bugs == consumer incentive to change."
I think with the high-profile nature of attacks which exploit weaknesses in Microsoft products is really starting to create public opinion that never truly existed before. (Prior to this, people looked on Microsoft the way we look at the air we breathe -- "is there anything else to breathe?")
I think this is a very good thing. It more than levels the playing field in the market for server and other products. I think leveraging Linux, Apache and various SQL servers in the server market is the only way to get Linux onto the Desktop at a later date. There is no way to get Linux onto the desktop until Linux is a household word. Once that is done, Desktop Linux will be chosen not for its performance, but for its reliability and solidity.
I think the days are short for people who prefer to have "unstable and colorful" displays... with the amazing power of today's PC, performance isn't an issue. Stability, reliability and security will be the main concern and even if Microsoft cleans up their act, their reputation will be enough to add doubt into consumers' hearts. The public is a moody beast and once bitten doesn't come back for any reason... usually. Just look at how long it took Nixon to return.
The death of Microsoft is at hand...
Since when is patching fundamentally flawed? I don't want anyone forcing a patch on my production servers. If there is a patch, it needs to be tested. Maybe forcing a patch is fine for little Billy's PC, but for a server that is used for email for over a thousand people, or an SQL server with vital information, I'll do the patching myself, thank you very much.
Then those people should get the fuck out of the IT field; the last thing any company needs is non-technical technical staff. Wow, installing the SQL service pack was so hard... click on the .exe! Installing the SQL hotfixes was also hard... click on the .exe! Unless you are an idiot and install them out of order, I don't see how you can go wrong.
I just LOVE the anti-MS FUD! The SQL Server 2000 Service Pack 2 was posted October 03, 2002. Look on http://www.microsoft.com/sql/downloads/2000/sp2.asp. I just love to see reporters who really get their facts right. Unfortunately, these ones don't. Shame on you, CNN!
I hope they're not going to use that as an excuse to promote "other things".
In another post I mention that patching is dangerous and hard to do for an average developer. Why risk your dev time by executing complex patches? I bet more than anything most companies were bit by small and unknown installation of DBs inside of their intranets.
So while some will harp on Admins for not patching, I claim that Admins can only track so much. If I need to develop something on a MS SQL Server where I need to tinker with the entire DB (ie. I need admin rights) I am going to install one on a throw away machine. I am not going to chase patches since the installation will not be used in production and it's hard to do right. I will not ask the Admins to maintain it since it's not for them.
Why is patching software on MS platforms somewhat like open heart surgery? It looks so complex I wonder how Admins work with 10+ machine clusters. If it wasn't so complex I may just patch my small test DB instead of ignoring warnings. Until the patching process becomes much less risky and painful then this will happen over and over again.
But a service pack is _WAY_ different than a hotfix/patch. Service packs do need to be tested a lot because many times there are changes in functionality. A hotfix (released in Jul for this particular problem) has never (to my knowledge at least) changed anything. So sure, you have to reboot, but that's the only excuse for not installing a patch right away... but months later?
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
A Consumer Reports survey last year found that virus infection rates on Macs are half what they are on Windows, noted Smith. "Is that because Macs are safer? I think the answer is yeah." This person obviously doesn't understand worms and viruses very well. Hackers want to see how many computers they can infect. This being the case, what kind of idiot hacker would create a worm/virus for the Mac platform? They are not very prevalent in the market and therefore would not be a target for hackers. Maybe if enough hosers who think Macs are more secure, go out and buy one, then those of us who stick with PC will have less worms/viruses to worry about.
~ I am logged on, therefore I am.
I don't normally chime in, but I thought that I would for this one. Let me start by saying that I don't like MS...I'm using a mac as we speak (with Safari)...and I'm a Senior UNIX admin at work....anyway...
Can we really blame MS for this? They released a patch in July...MS can't be held accountable for Windows Admins for not updating their software (I'm not saying it's the admins fault either...I know that admin spend 80 - 90% of their time putting out brushfires, and can't find time to do patches). Now, do I think that MS needs to find a better way to notify customers of new patches...b/c I know that I don't have time to sit around and browse and go through what I've installed and what I haven't (are you listening Sun?!?!)
So for example...If I don't stay up to date on all the Solaris/Linux patches does that mean that Solaris/Linux is a security prone OS? Heck, no!
Microsoft's security record won't get any better until people start to do something about it.
If you think MS is so insecure, don't use it. I certainly would never trust a windows server with anything important. That's a job for mainframes, or unix servers.
You'd be amazed how much less stressful your job is after you ditch windows.
The link you provided, http://www.netcraft.com/Survey/index-200106.html, doesn't seem to support your conclusion that "...IIS *IS* the most popular web server." The graph half-way down the page states that windows runs 49.2% of computers running public Internet web sites (which is not 50% and not a majority). But it doesn't say anything about what web server is being used. Apache runs on windows in addition to *nix; however, IIS only runs on windows. Therefore, the statement "...IIS *IS* the most popular web server" is plain and simple a false statement, supported neither by the facts you link to nor any conclusions that can be legitimately drawn from these facts.
Life has many choices. Eternity has two. What's yours?
The Microsoft security strategy is much like the idea of going to a crowded beach and leaving your wallet in your shoe. Just my two cents...
Service Packs are just hotfix rollups. You can get all the stuff that's in a service pack separately.
Personally, from having to manage Microsoft systems for the better part of 12 years, it was almost impossible to patch anything immediately, when a Security Fix was announced.
If you ever have managed Microsoft Products, it basically becomes a crap shoot with the following outcomes with regards to patching your systems:
1) Patch installs, breaks other services.
2) Patch installs, system becomes even more unstable.
(This is the worst because it looks like the system is working, but hits you in the middle of the day, usually during peak times.)
3) Complete failure to reboot after patch is installed, resulting in a very intensive recovery operation. (i.e. Reinstall OS, tape restore, or flash restore with floppy.) All data is usually lost since last backup.
In any case, it is completely laughable, and not applicable I believe if you completely blame Microsoft Admins on not applying these patches.
Especially with some of the messages posted here, such as "Oh, well you have to update your systems, stupid."
How simple and naive you are, and obviously anyone making such a statement has not an ounce of experience managing Microsoft server/desktop products.
I think the people who manage Microsoft Products, know more than anyone here, why it is preferable to update their systems.
I think it is a serious insult to Microsoft's customers that Microsoft would publish a statement something akin to "Well, they didn't update their systems...ITS NOT OUR FAULT".
Bullpucky, and with that in mind however, continue reading.
The sheer hell, you have to go through, to patch a monolithic, monster of bloatware that is a Microsoft OS, is purely not economically possible, if you can believe it, for some companies with large installations of Microsoft products.
Patching becomes a project something on the scale of an ERP implementation for some sites that are non trivial in size.
Furthermore, time after time, Microsoft provides NO WAY to reverse patches that they typically publish.. (also known as "HOT UPDATES/FIXES").
As most admins will tell you, HOT FIXES are risky, and can be impossible to reverse because Microsoft publishes these immediately, without thinking properly about the impact on the entire OS.
As I shall note later, this is why Microsoft's OS is not practical to expose to the internet for any reason from a security perspective.
Therefore, many admins wait for the service packs to fix the problem, most of the time the service packs are more well thought out, and are for the most part reversible.
It is incredibly expensive, to mirror systems in a test lab, to test patches. EVEN THEN, the production systems are in no way representative of the test systems. It is expensive, labor intensive to construct mirror systems and network services to make it viable to install hot fixes in a responsible way.
With that said, being a Linux convert, here is the problem and Microsoft isn't addressing it:
1) Microsoft's OS includes too many features out of the box, that Admins cannot control what they want installed.
It is REALLY stupid to put a graphical interface on the OS, especially when you are considering a highly secured server and making it a requirement to run it. There is absolutely no reason, why the OS has to carry around the code for a GUI when it is sitting in the server room, under lock N key.
Microsoft apparently doesn't understand software engineering principles regarding the total possible paths in a program and its reliability can only be increased statistically by eliminating the other execution paths in the software. That means not installing the GUI.
On Linux I can do this, easily, with ANY piece of software. Effectively reducing the function of the server to BARE BONES. Making it much faster to identify and fix problems, and of course much easier to update.
Well, you can't do this with a Microsoft product, and that is the root of the problem. In linux, I can slice and dice the OS down to its bones, if I need to.
Also, I would like to point out, linux isn't as complex to administrate as Windows when you start whacking the X server, games, DNS (directory software) and everything else when all I have running is sendmail. The system becomes a very very simple UNIT to admin in my infrastructure, with a very very easy and predictable means to upgrade and far fewer security risks as a result.
NOTICE TOO sendmail has nothing to do with the operating system.
Microsoft ties everything into the OS making it IMPOSSIBLE to build a secure system because you have to install ALL of the system or NONE AT ALL.
Microsoft uses the OPERATING SYSTEM to aggregate services, which as I pointed to above, is a fundamentally flawed software architecture.
Linux on the other hand uses the FILE SYSTEM to aggregate services and the file system doesn't require you to even execute the code on start up.
Therefore even if you do a complete install on Linux, the system complexity doesn't increase, only what you include in your RC startup increases system risk to security or bugs that can make your system unstable.
The worse thing that happens is you increase the size of your file system.
As a result the uptime factors, and ease of maintenance for Linux based systems easily outpaces Microsoft's OS in any large deployment of the OS.
As a result it is impossible, because of these facts, to follow a responsible security policy with medium to large Microsoft IT installations.
I also think Microsoft should stop slapping its customers up in the press as to the importance of updating their systems.
Most people already understand that, but they are being held hostage by the poor implementation of Microsoft software which by its very design, prevents practical and speedy updates of large installations of Microsoft OS's.
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
The truth is that with open source, you have thousands of eyes scouring code for problems. A lot of these problems are even found by accident. Much more secure. With Microsoft, businesses are expected to rely on Microsoft solely to discover and resolve vulnerabilities. Sources like CERT can only do so much to help, as even they don't have ready access to the source code. To compound the problem, Microsoft routinely releases multiple versions of multiple dll's without warning, rendering a system that was patched just the day before, in good faith by the admin, vulnerable yet again. And then the process repeats itself.
Yes, crackers live a loser existence that revolves around wasting their life looking for potential exploits in popular software. At least with open source, you can defeat them with numbers: 5 crackers try their hardest to find a flaw in mySQL, while about 2 on the white hat side do the same. But, the white hats also have the luxury of a thousand other coders around the world looking at the code for different reasons, coders that just might (and usually do) find a flaw before the 5 crackers can.
But fool yourselves all you like and keep relying on Microsoft and their new "secure motives" (or whatever the term one of their marketing people came up with). The more sensible amongst us will run our open source "alternatives" and only face a potential threat once in a blue moon, while you MS guys will have to fret over the next big threat constantly.
I was listing the causes of bluescreens. I never said hardware was HIS cause but to look into the problem. A program causing a bluescreen, not likely. You people are so thick headed sometimes, it's called troubleshooting. It used to work and now it doesn't. Oh well throw it away and buy a new one when 5 minutes of searching could fix it.
Only the State obtains its revenue by coercion. - Murray Rothbard
every two years m$ totally changes their server products. what you knew with nt4 is obsolete with win2k, is useless with .NET/whatever server. you learn to admin unix, your skills improve over time, 'cause you're doing the same things you were 5 years ago. with m$ servers, you have to learn all over again, and you are at m$'s mercy to provide patches, etc. so no, don't compare unix to m$. unix had its growing pains sure, but it is a mature product. and linux is becoming one really fast. every freakin new m$ product is a NEW product. and it experiences the same crap over and over. why does m$ do it? somebody who knows, please do tell.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Actually you are both right. Although Service Packs often roll up hot-fixes, they also can include many more bug fixes that weren't deemed important enough to require releasing as a hot-fix. Thus they are much more likely to include a deliberate incompatible change that breaks an application (i.e. DirectX N+1, or the above-mentioned DBCC behaviour).
However, although hot-fixes are usually small changes targeted to fix a particular problem, they do not undergo the full regression testing that a service pack does. Most MS hot-fixes come with a CYA warning that you shouldn't apply it unless you believe you are in a situation exhibiting the problem and requiring the hot-fix. Since code modularization at Microsoft seems to be dictated at least as much by the marketing and legal departments as by good software engineering practice, a hot-fix has a not-insignificant chance of having an unexpected side effect (witness the problem with the October hot-fix).
So whether it's a hot-fix or a Service Pack, you wind up having to regression test your 3rd-party applications before deployment, and if you think most IT departments can afford to do that with every "hot-fix of the week" you're out to lunch. Most admins would probably have deployed SP3 after performing their own regression tests in another few weeks.
That said, what kind of idiots connect 120,000 unprotected database servers out on the net? I doubt all were in the position of the poor slob a few levels above in this thread who had deployment mandated by upper management.
Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
A good admin is one who isn't a fucking idiot and has all their SQL ports (as well as every other port that has no business being public) firewalled off.
And if you want to start heaping blame on developers well then turn the glass back on the OSS people. Start screaming at the ISC BIND people, at the Apache group, and so on. They do their best, but they still seem to produce software that has holes in it, despite being open source.
There is no magical perfect software. Open, closed, doesn't matter, bugs happen. I feel so long as the programmers do their best to prevent them and issue patches when they are discovered, they are doing their job. You can't expect perfection because you are never going to get it.
What sysadmin in his right mind would give up control of their server(s) to the beast?
Small wonder that more patches aren't getting installed.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
I don't think you can solely blame admins for not patching. Some blame HAS to fall on the coders who left the hole open in the first place.
Bullshit. All software has bugs. All software. Even Open Source software. Even high profile Open Source software that has many more eyes looking over the code than normal. Even that brand new Linux kernel you just installed has security holes in it. I guarantee it.
Bugs are a part of software. When you install anything, you need to take that into account: when holes are discovered, they get patched. If you fail to patch, the fault lies directly on you. Microsoft did their part.
NO CARRIER
Microsoft did their part by releasing a patch later that broke their first patch. I can tell you have a lot of angst about this and want to cast blame everywhere you can, but clearly Microsoft dropped the ball. So sorry. Thank you for playing.
The most important thing any republican needs to know.
You all can kiss my ass. There is no virus in windoze and sql server. If you want more protection then pay me 1 million dollars and maybe I can fix it.
I think these are features not holes you morons. The world is under M$ grip we rule you all lose and there is no substitute for windoze.
MUUUHAHAHAHHAAAAAHA !!!!
..oh wait, yes I do...
when was the last time you saw a I hate Apache! Apache is Evil! Stop Apache now! website/post/rant?
The truth doesn't care what I think.
market share is about 95%, but their share of the virus market is more like 99.99%.
sounds about right to me. 95% market share = the only one that matters.
of course, your numbers are probably wrong; you appear to make up numbers instead of looking them up.
AOL gets their news division to write an article after interviewing a few guys whose job it is to scare customers into hiring them by saying that "Microsoft's security is shit, only a professional security advisor can help you."
What a great piece of information. I love it when 'news for the clue-less masses' shows up on a 'news for nerds' site.
Okay, well prolly not, but it is not good that everyone is screaming "We need better security!" right before MS is about to release Palladium... err I'm sorry... Next Generation Secured Computing or whatever they are calling it now so everyone will grab it up as quickly as possible. Kinda like the conspiracy theory that Bush ignored the September 11th warnings so that everyone would approve of his "war" after they saw the trade centers fall.
-Derick
While Linux may not be fundamentally more secure than NT
Should read:
While Linux may be fundamentally more secure than NT
I can only assume this is what you meant to type because of the well known advantage Linux has over NT in the security arena. I mean, the Department of Homeland Security even made the switch recently for this exact same reason.
la la la, lowercase lowercase one two three
astro-yawn-turf
...tshak isn't interested in your reply, she's just spreading fake-green
First, this quote:
"...hit a year and one week after Microsoft Chairman Bill Gates sent a company-wide e-mail saying Microsoft would make boosting security of its software a top priority. "
Now, this bug has existed long before. I don't remember when SQL2000 was released, but I believe it was longer than a year ago. Even if it weren't, the code was developed long before. Therefore, saying that the initiative is not working is just lame. No initiative works in retrograde.
Then the comment about Macintoshes. Hey, if I pull out my Commodore 64 from the garage and hook it up to the net, I bet it won't be affected by any viruses. Is Macintosh more secure? I don't know. Is the rate of infection indicative of the security of the system, or its prevalence?
Looking over my last security bulletin, I see plenty of Linux backdoors (libpng overflow, mysql vulnerabilities, cvs double-free...)
There is no substitute for administrator vigilance. Yes, we are afraid of updates and patches, and their impacts, as much as the next guy. However our solution is simple: we keep a mirror of our critical servers. We apply the patches on these mirrors and check for bugs. If there are no bugs, we swap out the production server with the mirror, and the production server becomes the mirror. We have not had any major problems with this approach.
It's marketing. The idea that you don't have to know what you are doing. Computer engineering is logic, system logic and a fair amount of important abstractions that are used as tools. That logic underlies all languages: script, VM based, compiled, etc.
If you make it easy to set something up, that's good, but if you extend that to mean you don't have to understand the logic you have just deployed, that's wrong. The benefit has to be just that it saves time in setting up the system, not that it frees you from understanding what you have just done.
Microsoft markets to the idea that it's easy AND that means you don't have to know what you are doing, but you do.
Also, a Microsoft patch is a risky thing... much more risky than the redhat patches I've been applying blindly.
-pyrrho
While Microsoft may certainly be working on improving security as of late, I have to wonder if this is a case of a day late and a dollar short? How many more hits like this is corporate America willing to take before they bite the bullet and abandon MS? And by hits like this, I mean where it is publicized that MS cannot even keep their products secure. When it was Melissa or Code Red, or your virus of choice, it was easy for MS to say: Bad admins, not our fault.
For a company built on PR, this could be the beginning of the end, or maybe the end of the beginning and MS will actually do something to improve its products.
I'm not defending it - its security issues are ridiculous! I'm saying that _IF_ MS is really getting their act together regarding security, it's too early to pass judgement. From what I've heard, IIS6 is a significant improvement to security. Just don't expect a "magic patch" to fix MS's security problems within a year of their "trusted computing initiative".
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
First point excellently put.
Second point, I disagree.
All of these examples reek of slack S/W engineering (monopoly retaining activities aside.)
High cohesion, loose coupling? You have to work hard to achieve that, but if you just don't give a fsck you'll quickly find your browser bound to your O/S, your LDAP bound to your DNS and your HEAD bound to your ARSE.
Oh, and virii bound to attack!
Asking admins to monitor their network more carefully is about one step semantically shy of asking them to keep up to date with patches. If you don't have time to keep up with patching, why would you have any time to watch your network more closely? If it's either/or, sure, take the high road and monitor, but if you're doing neither, nothing is solved.
Later, he says that in a perfect world patches would automatically download, install, and always work. As for the automatically download and install, Microsoft has that covered. But as for always working... well, if that was the case, patches wouldn't be needed in the first place. There's a catch-22 there that he missed or ignored.
Supervisors need to impart an attitude that a job isn't done until the software works, and is secure.
Recently, I had some time on my hands and did a cursory check on some security issues on a few linux and MS boxes. Guess what? I found a few issues that needed to be addressed.
If everyone spent just a little time doing this type of thing, there would be a lot less security problems. Maybe supervisors should offer a case of beer as bounty for the biggest security hole found. They're overused sayings, but very true: Security really is everyone's job, and an ongoing process.
Also very true: people who think about security have a fraction of the security problems everyone else has.
Your scenario is a bit bad, try this one:
What if the car has a defect or flaw... and while there is a fix, released for said defect, some people aren't notified, and thus get in to fatal car accidents.
That being said, people are definitely dumb for putting SQL databases online when not needed - however I worked for a company that this was needed at, so some of these were probably in that group.
In addition, good sysadmins should check for such patches, etc - especially with software known to have bugs or vulnerabilities at various intervals. Even 'nix software has bugs, but 'nix/bsd/etc sysadmins are often smart enough to check up on them.
Which is of course, one of the reasons I read slashdot. That and to laugh at those that don't and get downed by code-red, sapphire, whatever
Check the box next to "Microsoft" on your preferences page.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Grasshoppers, or bugs in the M$ cheat, ah, I mean, wheat field
Your statement is misleading. The .NET SDK does not install MSDE by default. A user must manually install MSDE from the SDK in order for this to be an issue. So, your first statement that this "affected the .NET Framework SDK" is false. All developers that use MSDE realize that it is a subset of SQL Server, and act accordingly.
-jerdenn
I'm not sure what that 80% refers to, or even if it's accurate. Even if it is, many Linux 'fixes' would never even be considered for patching by MS. Linux fixes range from the benign and theoretical to the very serious. Linux patches are generally released almost immediately after a bug is found that might (in theory) be exploited, or used as part of an exploit. (e.g. someone finds the possibility of a buffer or stack overflow).
Windows patches, on the other hand, often aren't released until somebody proves that a bug is exploitable/exploited. Even when a proof of concept (or even wild) exploit is made available, security experts sometimes have to argue with MS about whether the exploit is serious enough to be worth fixing. I remember one recent case where MS downgraded a pair of bugs as minor and refused to release a fix. When frustrated security experts were able to combine those bugs to enable arbitrary command execution (their sample code: format a hard drive), they were criticized for not giving MS advance warning(!).
Nonetheless, when MS finally released the fix for these same bugs, they classified them as moderate. Some people think that, having just released one critical patch, they didn't want to face the embarrassment of two severe bug fixes in one week.
Because Windows patches are rarely released until the problem is both proven and serious, MS security patches are far more critical to install. Unfortunately, MS security patches are also problem plagued. System admins have no way of knowing exactly what a patch will do. Some patches undo each other, some patches break other (sometimes seemingly unrelated) systems. Because of the nature of closed source, system admins who have problems with a patch can find themselves stuck between a rock and a hard place. They can either install the patch and break their installation, or leave the system unpatched. In either case, they must beg for a compatible fix. The OS solution of engineering their own patch is generally not feasible -- possibly even illegal.
Both the cost and public embarrassment of repeated fixes to a given problem discourage MS from releasing patches against bug fixes. Lack of the ability of a customer to provide -- much less prove -- their own version of a fix exacerbates the problem.
In this environment of fear, uncertainty and doubt, an MS system administrator must decide if, when and how to install their patch. Sometimes they get it wrong.
Linux admins face a similar problem, but with a good deal more information and control. Systems are generally more compartmented, so interactions between parts is better understood. If installation of a patch causes problems, users have the ability to examine the source code of the changes, get an exact understanding of what they're doing and determine whether their best course of action is to patch the patch or fix the problem elsewhere. If the solution turns out to be a further patch, they have the ability to release their own fix in hopes of having it folded back into the 'official' distribution. This is an option which most MS users will probably never have.
OS Software is like love: The best way to make it grow is to give it away.
OK, let me get this straight:
- MS publishes their hotfixes with a warning that they may break things and you should only install them if you're having problems;
- Sysadmins are at fault for not ignoring MS's warning and blindly installing all hot-fixes immediately;
- If you'd blindly installed all MS hotfixes, you might break earlier hotfixes;
- Service Packs are mostly just rolled-together hotfixes, but they are known to wilfully break things;
- Despite MS warnings to the contrary, Service Packs need regression testing but hot fixes don't. A hotfix (...) has never (to my knowledge at least) changed anything.
- The hot fix that would have blocked Code Red was undone by a later hot fix.
- The hotfix that would have blocked Slammer was at risk of being, itself, slammed by a later hotfix installed in the 'normal' way.
- MS's own servers were broken by the Slammer virus.
Just how much knowledge do you have, anyways?
This is about as shocking and newsworthy as McDonald's being accused of selling food that's bad for your health.
...that the basic security model in place for software today for mitigating the risk of an attacker modifying service code (0wning y0ur b0xen) is to automate the process of modifying your service code via patching.
DDL
You are correct. The list of Microsoft products that include MSDE 2000 can be found here. The .Net SDK is one of the 15 products that does not install MSDE by default (you must explicitly select it), instead of being one of the other 10 or so products that do install MSDE by default.
BSA: "The licensing and audit process is fair. Just because no one has ever passed a BSA audit doesn't mean that it's not possible to pass; it just means that we're omniscient in knowing who to audit."
You: "The patching process is secure. Just because no one, not even Microsoft, seems to be able to keep their servers patched correctly doesn't mean that it's not possible to secure; it just means that everyone in the world, including Microsoft, is bad at it."
I see that reality remains as unpopular as ever.
The security push marketed by Chairman Bill and co. seems to have little or nothing to do with security and is perhaps only a smoke screen to distract from lobbying efforts, other security privacy and false advertising problems, or losses on various fronts. Alternately, the security rhetoric could be a simple case of "pump-n-dump" as options are offloaded to chumps.
Seriously, that company has such a long and poor track record on all fronts, except marketing, that it is not a viable alternative to consider for servers or embedded systems, where *BSD, Linux, QNX, Solaris, and others are best practice. Similarly, the desktop market is looking for security, stability, ease of use, and ease of maintenance, areas where Microsoft is far behind OS X and the major Linux distros.
They had their chance, in fact many. For a dot-com, they've had a long run, but now the best thing they could do for the economy and for the Internet would be to get out of the way.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
I looked on CERT's site for any evidence to back your assertion that CERT found a significant overlap between the open-source community and script kiddies. I couldn't find any.
The only reason I could find for attacking IIS over Apache is that it's easier, and the administrators are often less skilled.
#define BITCOUNT(x) (((BX_(x)+(BX_(x)>>4)) & 0x0F0F0F0F) % 255)
#define BX_(x) ((x) - (((x)>>1)&0x77777777) \
                    - (((x)>>2)&0x33333333) \
                    - (((x)>>3)&0x11111111))
-- really weird C code to count the number of bits in a word
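As an added example (not part of the poster's signature or of any project), the BITCOUNT macro above cross-checked against a plain reference count, with comments on why the nibble subtraction and the final % 255 work; the edge-case words and the LCG sweep are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The two macros exactly as they appear in the signature above. */
#define BITCOUNT(x) (((BX_(x)+(BX_(x)>>4)) & 0x0F0F0F0F) % 255)
#define BX_(x) ((x) - (((x)>>1)&0x77777777) \
                    - (((x)>>2)&0x33333333) \
                    - (((x)>>3)&0x11111111))

/* Reference implementation: Kernighan's loop clears one set bit per round. */
unsigned popcount_ref(uint32_t x) {
    unsigned n = 0;
    while (x) { x &= x - 1; n++; }
    return n;
}

/* Apply the macro to an unsigned 32-bit operand. With a signed negative int
 * the final "% 255" would run on a negative value and return garbage. */
unsigned popcount_macro(uint32_t x) {
    return (unsigned)BITCOUNT(x);
}

/* Why it works: BX_ turns every 4-bit nibble n into n - n/2 - n/4 - n/8,
 * which is exactly the popcount of that nibble (the 0x7/0x3/0x1 masks keep
 * bits shifted in from the neighbouring nibble out of the subtraction).
 * Adding the word to itself shifted right by 4 and masking with 0x0F0F0F0F
 * leaves each byte's popcount (0..8) in that byte, and "% 255" sums the
 * four bytes because 256 is congruent to 1 modulo 255. */

/* Cross-check the macro against the reference over fixed edge cases plus a
 * deterministic pseudo-random sweep (constructed inputs from an LCG).
 * Returns the number of mismatches; 0 means the macro agreed on every word. */
unsigned count_mismatches(void) {
    static const uint32_t edge[] = {
        0u, 1u, 0x80000000u, 0xFFFFFFFFu, 0x0F0F0F0Fu, 0x88888888u, 0xDEADBEEFu
    };
    unsigned bad = 0;
    for (size_t i = 0; i < sizeof edge / sizeof edge[0]; i++)
        if (popcount_macro(edge[i]) != popcount_ref(edge[i])) bad++;
    uint32_t v = 0x9E3779B9u;
    for (int i = 0; i < 100000; i++) {
        v = v * 1664525u + 1013904223u;   /* Numerical Recipes LCG step */
        if (popcount_macro(v) != popcount_ref(v)) bad++;
    }
    return bad;
}

int main(void) {
    printf("0xDEADBEEF has %u set bits; mismatches: %u\n",
           popcount_macro(0xDEADBEEFu), count_mismatches());
    return 0;
}
```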
- this post brought to you by the Automated Last Post Generator...