Slashdot Mirror
Microsoft Blasted For Lax Security
fducky writes "Once again Microsoft is blasted for lax security. This CNN article cites experts denouncing the recent Microsoft security efforts as rating an 'F'. The recent MS-SQL worm got this most recent round of MS bashing going. Google News has more stories on the subject."
there was a post like this, well I'd be richer than Bill Gates himself.
Because microsoft is the most widely used homogeneous operating system on the planet, it happens to have its fair share of bugs. However, when Linux begins to get a larger market share, viruses, and worms will start popping up on more and more linux boxes, I doubt they will have the same effect as microsoft virii and worms, but it will happen, Linux just needs to hit critical mass.
While it is stupid of MS not to update their own servers, you can't blame them for the SQL worm. They issued a patch months ago...it's no one's fault but the server admins.
doh! from the CNN article: "The single largest message is: keep your system up to date with patches," Microsoft Chief Security Officer Scott Charney said. But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said. For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm.
I thought the MS-SQL worm worked in a very secure fashion. The servers offered a service, client worms connected and used it just as the software was designed. What's the problem? All it generated was traffic. From the network's POV, is it really any better if that traffic is /. commentary or pr0n? Or CNN stories?
Also, during the height of worm activity the XP activation servers failed in a secure manner - that it, rather than allowing people to use unlicenced copies of XP willy-nilly, they erred on the side of caution. Note that from Microsoft's POV this is a secure failure mode, and is BY DESIGN.
They're doing exactly what they set out to do, just as they always have. A CNN story won't affect that.
I hate to break it to you but Microsoft is popular, and hence they will be all the more targets of these worms. Every tiny fault will be implemented, and all operating systems have these.
When another OS is popular, you'll see it happen to it too. I believe nobody is immune, only the popularity decides what is a vector for transmission
Not necessarily bad coding or seciryty. Many other operating systems could be almost said to be 'hiding' in their obscurity
Security by obscurity is no defence.
Look at a recent article on Macintosh virus attacks. They used to be none-existent. Now with OSX they are up to half as common as Microsoft.
And apple still only has a minor market share. That bares thinking about
Besides the one recent example of the SQL worm cited in the article, CNN made no mention of other security problems. This isn't to say that they aren't there because they obviously are, but it just seemed like they based their whole thesis of security shortcommings on one recent incident. It would have been nice to see some kind of list, or maybe a timeline of sorts with other MS security flaws. The article seemed like some kind of publicity plug for "TruSecure Corp."
So they forgot to update. The error here, believe it or not, isn't all upon Microsoft. First off, they didn't patch. Microsoft had the patch available since June. It's not like you never have to patch open-souce either... Second, Microsoft explicitly warns users of SQL databases to not put them openly on the internet, for obvious reasons. And yet, they did it anyway. You can blame Microsoft for this if you want, but it isn't car companies' fault that people get killed because they can't drive. Open source has its merits, as does Microsoft.
webpage
This was patched over 6 months ago. Anyone not smart enough to keep an eye out for security deserves what they get. By the way I'm sick of all these people claiming how MS patches and updates break things. Tell me specific examples and then we'll talk. I am also quite aware of whats involved in patching SQL. Manually copying files running scripts blah blah and you unix guys bitch about it? Please.
Only the State obtains its revenue by coercion. - Murray Rothbard
There was a patch for this bug available months ago. Isn't it possible that some of the problem could be attributed to the website administrators?
Or why not go after the software vendor that wrote and sold vulnerable software? Or go after the software vendor for dumbing down systems so much that incompetent admins are put in charge to maintain them?
Personally, I don't think the whole "blame game" is very effective...but that's just me.
---
Open Source Shirts
Okay, I'll be the first to bash Microsoft and say that their security sucks. I'll be the first to say that their initative to improve security is marketing smoke and mirrors. But let's give them a real chance to prove this to us. The vunerability that caused the Slammer worm is one that they actually found and fixed a long time ago. This is admins not doing a good job of keeping up to date and fixing problem.
Furthermore, the product that was compromised is legacy from before their big embracing of security. Let's see what happens with its next major release. If that still had big gaping problems, then we can hang them from the tallest tree.
This sig has been temporarily disconnected or is no longer in service
Now while I'm no fan of MS, do we really need to have stories everytime someone accueses Microsoft of having poor security? Might as well dedicate an entire section of Slashdot to their exploits. At least then I could turn it off in my preferences.
And while there are plenty of problems for Microsoft to fix in their code - IE has plenty of unresolved issues - this issue was in large part due to System's Administrators. Let's let is slide that they were "just waiting for the next service pack to come along" so they could update and patch everything. I don't buy that as a good policy for maintaining system - if a patch is out and can be applied, use it. And why leave SQL systems on the internet without some sort of firewall or some sort of protection. If it has to be on the Net, why does it not have every possible security patch applied to it?
I'm sure there are some valid reasons for having your system protected from this bug but in large part Admins dropped the ball.
But thats my $.02
A lawsuit against a company with many systems that are left unprotected and are being used as a relay or zombie for an attack may be comming soon to a court near you.
Fight Spammers!
Why does Microsoft's "grade" drop when they released a patch for the worm a long time ago? All OS's have security problems. It think it is more accurate to say that Microsoft SQL Server Admins get an "F", not Microsoft itself. This is not to say that I think MS has good security, but it's an unfair slam when the worm is really the fault of admins who failed to apply a vendor patch.
Oh no you don't! Don't think you can fool us with that all too common last name. We know it's you, RMS!
I am always running behind on M$ patches for 2 reasions:
#1. MS patches have "blown up" my win boxes before.
#2. There are so many you can't keep up.
And automatic update that comes with Windows 2000 SP3 has also hosed my PC.
Karma: The shiznight, mostly because I am the Drizzle.
"But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said."
can anyone explain to me a better method, since even thy mighty god linux is subject to the need occassionally along with every other major OS i can think of?
the paragraph continues with, "For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm." to me, it seems that this statement doesn't support the previous. it would be better to place blame where it belongs, straight in the lap of the admins whose responsibility it is to keep their systems secure, and upon the heads of those who write exploitive code for the purpose of causing havoc.
i mean, more power to those who bring these issues to light, but doing so without perspective just looks like picking on an easy target.
We've had this discussion before, and we're having it yet again.
Who's to blame in this situation? I clearly feel it's the administrative and their immediate managers both at Microsoft and any organization that was hit with the worm. The administrators should keep up with the newest patches and update systems during the maintanance window. Managers should ensure the administrators have applied the patches.
The argument about downtime and untested patches will surely be seen here as well. That argument is not OS specific. Sure, on Windows you generally need to reboot after applying a patch, but what if this happened to Oracle? You would need to take the server down, patch and bring it back up. As for testing, this is again an OS independent. At one time or another I'm sure every piece of software has released a patch that has introduced new bugs, it happens.
Either way, there will be Microsoft bashing in the thread, but regardless of which OS you're running situations like this will arise.
Even as security issues are top news usually on Slashdot, this shows where our hearts are.
Yours, Martin
The related article is here:
Survey Reveals Geographic Illiteracy
Some people blame the admins for not applying the patches, but should you?
Some things to consider about patches:
Fight Spammers!
Well, I'm running windows servers and linux (suse) servers. And I certainly see a difference between the feasiblity of being up to date security wise with each system.
First, with a typical windows system, it's IMO damn hard to know what components you are running and how it all works together - i.e. what breaks if you lock something down at installation time.
Later on, it's also sometimes very hard (IMO) to know if I have to patch or not. For instance, is it really a good to not update internet explorer since this is a server anyway? Maybe somewhere down in IIS something might use one of IE's components (pulled-out-of-my-ass example btw.).
Add to that that some patches seem to need an updated IE, for to me unknown reasons...
Sometimes something might break (as reportet on ntbugtraq), and it's not really transparent for me if this can be reverted.
Compare that to (SuSE) linux. Download rpm, install, done (in many cases, when not, it's always explained in the advisories what to do).
If something breaks, uninstall the rpm and reapply the old on. Nearly no downtime, I just have then to find out what didn't work.
Just from the feeling, I'm a lot more scared when I have to install a ms security fix than when I do the same on linux. And the fact that microsoft was caught with their pants down this time seems to suggest I'm in "respectable" society.
why do we keep posting these stories? why don't we post links to stories on how to setup secure firewalls, systems, etc? of course if you're a horrible administrator using a default installation of redhat / microsoft / etc. on a public network you should be beaten over the head for letting it on the public network in the first place.
I'm at least as anti-Microsoft as the average Slashdotter, but this is getting a bit ridiculous. Aside from the fact that a patch was available, what the heck is a database server doing with a direct Internet connection? Five years ago, when I started designing web applications it was common practice to put web servers in a DMZ, with a firewall between the web server and any DB/app servers.
This isn't Security 101, it's Remedial Common Sense 050!
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
also, we could go after the people who get mugged too, as they clearly aren't doing everything they can do to protect themselves from muggings, and it encourages muggers to mug you and I then. Or for that matter, people whose cars break down during rush hour. The list goes on and on...
JWall: GUI client for IPTables
Sorry, I've known this (and my clients are becoming {finally!} increasingly aware) for ages.
/., so it must be News for Nerds.
Yes, Windows (and related products) blow in regards to security, it just means that we have to go an extra (or more) step to make sure they don't blow up in our faces.
Yes, I run WinNT at work, it's stable, and not been disrupted by exploits/worms/virus/holes/whathaveyou, simply because I take the time to *make sure* it doesn't.
We all know that even *nix can have problems, so this is hardly surprising.
Still, it's
So rise up, all ye lost ones, as one, we'll claw the clouds.
Recently, RedHat has stated supporting their free download products for no longer than 1 year. This is understandable since relatively little really pay for that service and most people who don't use it for dedicated server purposes tend to upgrade or install the latest version. Now we can add that upgrading or installing the latest (as opposed to updating old systems) might be a practice that should be encouraged.
RH has also expressed their plans of coming out with server products in between their free and Advanced Server products. I'm sure these will be cheap enough that mom & pop type shops can afford them and will be supported for far longer than a year.
I wonder if Microsoft considers this good PR. Why? because when they start heavily pushing .NET and their Palladium plan, they will use examples such as these worms as to why everyone must go on a platform where Microsoft must authorize every piece of software and every piece of hardware to work with it.
Interestingly enough, the Slammer worm also affected the .NET Framework SDK whether or not the full SQL Server was installed on the machine or not. This is because a component of SQL Server is included in the 1.0 release of the SDK. Microsoft issued a critical patch for this issue too.
Even after having spent spent 100M on their Trustworthy Computing Initiative by July of 2002, we have not seen a great deal of proactive security fixes from Microsoft. Instead, external exploits seem to still be easy (even old ones), and then Microsoft takes action. Microsoft software still has a lot of maturing to do. We shouldn't expect magic anytime soon.
Gates says security is job #1 and sends all his programmers to security training.
Well, that's nice - but is that really going to do it?
How do you really get secure software? Doesn't that arise over time, as software matures and the flaws are found in the code base?
Is that something Microsoft can embrace as a model for their business? Isn't Microsoft really about making money by churning it's user base through upgrades every two years?
It seems to me that it is going to be very difficult for a company that makes it's money by selling 'features' to end users and churning its software base every few years to achieve the level of maturity in is code base that is necessary to to arrive at a reasonable secure product.
The fact is that Microsoft's business managers with bottom line responsibility are going to do waht is necessary to get new versions out - each version with an ever increasing feature set. No matter how well Microsoft trains its developers, this process is going to leadt to security issues.
Weird view. So if you neglect to lock your door, you're just as responsible as the burglar who carries off your stuff, and ought to be prosecuted for willful negligence?
Okay! Yet another federal law enforcement bureaucracy is born: The Patch Enforcement Agency. It can parallel the organization of the Lock Enforcement Agency and the Don't Go Walking In Central Park After Dark Enforcement Agency.
That's what we need. More ways to hold victims responsible for the acts of criminals.
Here's an idea: why not just let nature (or in this case, the free market) take its course? sysadmins who neglect to patch their servers get fired, and those who employ such sysadmins lose business. The problem will take care of itself without introducing any new government meddling to gum up the works and make life harder for everyone.
This is sadly reminiscent of our present foreign policy. We can't catch Osama, we need the Saudis' oil, we're scared of North Korea, so we attack some tinpot dictator we're pretty sure we can beat.
One issue concerning differences in security regimes between UNIX and Windows system that rarely are discussed, is port scanning
When a Unix exploit emerges, the IT department at my University scripts a portscanner, identifies vulnerable machines and contacts their admins. If the machines are not patched within a certain time, they are disconnected from the network. I for example got an Email about my linux server being vulnerable for the openssh exploit even before I read about it on Slashdot. This way the University system is less prone to hacker attacks. My Windows 2000 box have never been patched and probably as secure as a sieve have never drawn attention from the IT department. I presume this is because a similar scanning procedure is significantly more difficult to launch. This way I suppose the Unix machines should de facto be much more secure than the Windows machines at the University.
There is an expression 'Fool me once, shame on you, fool me twice, shame on me'. MS has its share of people hacking it and attacking it. But the problem is that with this amount of attention something should have changed!
Ok blame the admin's. But that is like saying a if somebody cuts off their leg with a chainsaw it is the owners fault for not being careful. Yes the chainsaw user is at fault. But the chainsaw manufacturers were also at fault because the saws kept running when the human let go. That intensified the problem. These days all of these "dangerous" tools have safety checks, etc so catastrophic things do not occur anymore. And it has made a huge difference. This is the same situation with MS and its security problems. At some point in time MS has to start changing its habits and thinking about how to address the issue. Because thus far it has not worked worth a DAMM!
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
"News for Nerds".
Hmmm... this isn't exactly news to us, is it?
Follow me
One issue concerning differences in security regimes between UNIX and Windows system that rarely seems to be discussed, is port scanning
When a Unix exploit emerges, the IT department at my University scripts a portscanner, identifies vulnerable machines and contacts their admins. If the machines are not patched within a certain time, they are disconnected from the network. I for example got an Email about my linux server being vulnerable for the openssh exploit even before I read about it on Slashdot. This way the University system is less prone to hacker attacks. My Windows 2000 box have never been patched and probably as secure as a sieve have never drawn attention from the IT department. I presume this is because a similar scanning procedure is significantly more difficult to launch. This way I suppose the Unix machines should de facto be much more secure than the Windows machines at the University.
Looks like we have the "Microsoft" moderators here again. Within a couple of minutes, every pro-Microsoft comment, no matter how off topic or mundane was modded up and sensible anti-Microsoft comments modded down.
The parent comment makes a valid point, it should be modded up to match the +3 score of its parent.
The bit that gets missed here is that security is not a product, its a process (something Bruce only seems to remember when writing his books). If we really want to go pointing fingers than how about the folk who designed buffer overflow bugs into the C programming language? Before C every programming language had array bounds checking built in. So who were the turkeys who decided that we should run without elimentary safety checking? Oh yes the same folk who gave us what people would now have us believe is the so-secure UNIX O/S.
It took over ten years for the elimentary security boo-boos to get sorted in UNIX. For years the UNIX crew told us that shadow passwords were dangerous security through obscurity, only the world readable password file and the salt gave genuine security. Then along came crack. It still took four years for shadow passwords to become mainstream.
Even today sendmail is installed by default in most UNIX installations, even though it is historically a security nightmare. Some of the bugs have been fixed but as a sendmail inc. employee admitted to me last week, it is still too dammn complicated for most people to understand how to configure it.
I don't think that this point scoring does any good. UNIX and Windows both have major security problems. Windows has security problems in implementation, UNIX has them built into the architecture. There are still UNIX boxes shipping with rhosts, even though it has been demoinstrated time and again that rhosts is completely insecure. Instaling ssh does nothing to improve the security of the box unless you actually uninstall the rhost commands and the daemon.
Folk who go on about how braindamaged Microsoft is should ask themselves how UNIX programmers managed to botch a command as simple as finger!
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Think about this: If you require the populace to get the patch from you then you can monitor key propagation and identify copies.
Now imagine a further twist, prepare the code so that it has "flaws"
Now imagine an even more cynical view: Fund a security watchdog group who have some "amazing" guys that find these problems and publish them.
Hedley
I see a lot of people stepping up and complaining that it's not Microsoft's fault as much as it is the sloppy admins. Yes - Microsoft systems that were hit by this worm were poorly managed. However, the problem is that shitty admins are exactly who Microsoft designed this "server" operating system to be managed by.
Who certifies system administrators that can barely format a floppy? Microsoft. Who crafted a Fisher-Price operating system with inadequate "wizards" to help unqualified administrators bungle their way through setting up a server? Microsoft. And who pitches their operating system as having a lower cost TCO because you don't need skilled labor to run them? Microsoft.
So when you want to complain that it's the admins that make these systems insecure, remember these are the admins that Microsoft picked.
Now if that plant had any vulnerabilities to disease, you are hosed. All of the fields of this same plant are going to die in exactly the same manner at exactly the same time.
Meditate on this, Grasshopper.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
Microsoft has been drudging uphill on the server market since the mid 90's with windows NT, since then they have only achieved a strong foothold in the mid-low end server market, which is now becoming seriously challenged by Linux.
While Linux may not be fundamentally more secure then NT it defiantly has the perception of being so because windows is a vastly larger target with there desktop dominance; every time one hears about a windows exploit that effects the perceived security of all windows, whether it was a client side IE exploit, or a server side only exploit.
I think Microsoft needs to put the fix on the security problem very quickly or suffer a serious erosion of people using Microsoft for critical applications, to do this I think that at a minimal they need to do the following:
Perception:
Put a hard line between the server and desktop market. i.e. drop the Windows name for the server end, call it something like TrustIx Enterprise, anything but windows, that was when there are security exploits for the desktop it doesn't go against the server end.
Make security the number feature requirement in all server products.
Hire a bunch of top security guys, make a big splash about being "unbreakable" like oracle did.
Technology:
Implement the latest security technology, like the new stack protection ideas in OpenBSD.
Be much more aggressive with auto updating, so that unpatched machines get automatically patched, all of the big headline worms on NT exploited holes that had been patched for over 6 months. Any server on the internet should by default auto-update patches.
Patches must be 99.99 correct, meaning that when auto-patching happens it does not break anything. Microsoft should offer a guaranty that if a patch does break something they will fix it; i.e. send people out and fix it for the company. And pay for any lost revenue to the patch.
Lax security costs Microsoft more then they can imagine, with a total saturation of the desktop market there is no-where to go but down. Their only hope for continued growth is expanding in other markets, with so much already invested on the server side it is crucial that security is given a number one priority, otherwise they will lose all that they have done and pull the whole company down with it.
-Jon
this is my sig.
Correct.
Recent history, however, tells us that it's pretty hard to find arrogant, stupid, ignorant or lazy sysadmins amongst those who administer Linux/BSD/OSS systems. It appears that great majority of lazy/stupid ones take (or don't) care of Windows computers.
Pine is also older than Linux, so it's a bit silly to call it a "Linux email client".
Well, that is contrary to reality as everyone knows, but their marketing machine has been very effective at repeating that mantra. Security is hard, no matter who is doing it. There is no such thing as easy security besides, turn off your computer and burry it in concrete. From that perspective, Microsoft created the problem for themselves. It's not the product of poor engineering or inferior software. It's the admin and development culture MS promotes. This is also why things like .NET is having a hard time getting adopted. High performance distributed computing isn't easy and won't be for another 100yrs or more. Saying ".NET will make development a breeze" in the context of enterprise software development is undesirable and detrimental.
If enterprise high performance software was easy to build, than SQL Server 2K would be able to supports thousands of connection in it's connection pool. Which it doesn't.
because they have had enough already.
Anyone with that much money in the bank can damn well afford to produce products that actually are best in class. They are number one right now, but clearly do not deserve to stay there when we know there are better and cheaper ways to do things.
Blogging because I can...
Folks remember that wehn MS first started hiring devloeprs in its beginnings that those devlopers :
-Were not skilled in unix security precautions because UNix vendors had changed their lcienses to close code to those in cs at schools.
-Were influenced to push code out the door rather than refactor, retest, and rewrok to produce security compliant code.
-MS's recent code retraining cannot rease almost 30 years of bad programmign prqactices within MS itself..
The only way for MS to get better is to immediately fire every programmer, which wil not happen and thus the conversion to Linux and MacOSX will gain full speed in the next few months..
Don't Tread on OpenSource
I don't think that this point scoring does any good. UNIX and Windows both have major security problems.
I remember a security seminar I attented where the lecturer took a neutral stance toward whether Unix or Windows was more secure. His philosophy was "go with what you know". If you live and breathe Windows, you probably keep up to date with the latest Microsoft news, releases and patches just as well as a Sun/Unix geek might stay up to date with Solaris patches and updates. Knowing network security (gosh, let's protect the potentially vulnerable ports on our server from being publically reachable) is essential to both.
So many new administrators are getting Windows or Linux or other products and implementing them without the experience of security lessons learned from the past. It takes a mass event like this one to re-educate the newbies.
As a reminder for everyone designing, "one degree of separation" architecture, remember that Suki is one of your potential customers.
there is a missing issue here: ms bent over backward over the last 7-10 years to sell their products to poeple based on *Ease of Use*. you don't have to be a rocket scientist (or unix guru) to do 'big things' with computers if you bought ms products. one of the key selling points was you didn't have to have these expense engineers to maintain the systems.
so between the 'it's easy' part and 'you don't need smart responsible people to manage it', is it any wonder that we have an epidemic of poorly maintained ms systems out there?
Now said system was purchased against your recommendation, is proprietary in nature, and the company that made it was bought out by another company, so you can't even get a straight answer on simple questions anymore. The department responsible for this purchase has never hired the person promised to maintain the system, nor have you been sent out for training on its maintenace.
A week after this system is installed a third party contractor installs a replication system so your ticketing system can be connected to a big web server in another state. You don't really know what ports need to be open, how they are being used, and every time you tweak the littlest thing the entire operation comes to a grinding halt.
And you expect me to apply patches at random. Especially when they require taking the system offline, and each has the risk of incapacitating your operations. Right.
Blame me all you want. But the seeds of ruin were planted further up in the decision making process.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
The nation's newest security administrations are extremely vulnerable as they are nearly all MS shops now. The irony is MS was chosen for their security strength. This information is very public and very disturbing.
According to the CNN article: In October Microsoft released a fix for a different SQL Server problem that if installed in the expected manner would have made patched systems vulnerable again, he said. "If I followed their advice I'd have been vulnerable."
As a server admin, how do you know which patches will cause more harm than good? Is a good server admin one who installs every patch that's released right away and breaks things, or one who doesn't and gets broken into? When we installed SQL Server's SP3 at work, we found that the statement "DBCC SHRINKDB('insertDatabaseNameHere')" was depricated and disabled in favor of using "DBCC SHRINKDATABASE('insertDatabaseNameHere')". This wasn't a new release... this was a service pack! I don't think you can solely blame admins for not patching. Some blame HAS to fall on the coders who left the hole open in the first place.
Okay, anyone who has read my posts knows that I'm not a Microsoft supporter. I find it hard not to see the humor in Microsoft's own servers getting hit when the vulnerability was not new and patchable especially after they proclaimed that they were now striving to be secure.
.NET platform. They are hopeful that this will become the development platform of choice across multiple OSes. Parts of the Linux community are scrabbling to enable Linux to benefit from this emerging technology thought the Mono project.
.NET platform. If Microsoft introduces a .NET version of their flagship Office package it is likely to incorporate some form of VBA. Running a VBA enable application on Linux will not help the security of the Linux platform.
However, after laughing myself sick, the seriousness of the situation darkened my mood. Although I believe that Linux is currently a more secure platform, it is not a platform without flaws. Linux could be the next security nightmare if we don't occasionally do a reality check.
Part of Microsoft's strength and ironically part of the reason that Microsoft products tend to be vulnerable to attack is the fact that Microsoft strives to give the customer everything including the kitchen sink.
To do this, products are made with far too much power. VBA is an example of this. Combining data with code is not a good idea. It makes it very convenient for the customer and unfortunately the black hats as well.
Right now Microsoft is pushing their
If successful it may become possible to run many applications that will be developed on the Windows OS that are targeted for the
The race isn't always to the swift... but that's the way to bet!
Things like SQL Server need to be patched regularly. Sysadmins who are lazy/ignorant don't do that. So to solve the problem, you must FORCE sysadmins to patch the system.
How do we force sysadmins to do this? Easy: MAKE THE SOFTWARE _REQUIRE_ A PATCH EVERY TWO MONTHS, or it STOPS WORKING.
Two weeks before it stops working, make it send an e-mail to the sysadmin telling him it's about to go pop unless he gets his act together. Just insert some time-dependent code in there. That way, everyone's forced to patch their systems every two months. If there aren't any outstanding patches, then the vendor should create a patch that simply fixes the expiry timecode to be another two months in advance.
OK, so it won't the problem if a worm exploits something within two months of a patch coming out. But it be a darned sight better than the current situation. There might be issues with firewalls, as you prolly don't want your DBMS to have access to the net. but these could all be got around.
You could even get the machines to apply the patches themselves, automatically.
The only issue I can see is that some MS patches actually introduce new bugs/break existing features. Grrr.
#2. There are so many you can't keep up. SUS server is your friend. As well as a good admin, as you clearly are not.
Admins are the problem, and microsoft is the problem as well. In fact, the main issue is that microsoft is breeding lazy and dumb administrators.
That's not going to say all windows admins are dumb. And there definitely are lazy and dumb Unix admins, too. However, from what I've seen in several companies, the ratios are that most windows admins don't know what the hell they're talking about, and if you take away their wizards and their mouse, they're lost like newborns. Most Unix admins do know what's going on and can bring a system back from states way beyond where the only microsoft solution would've been a reinstall.
Why is that? Because windows is marketed and sold as if every dumbass could run a server. It really isn't a surprise. There's a truth to all the sayings that start with "if planes/houses/whatever were built the way microsoft makes software..."
The most important part is that nobody has ever gone around and tried to sell people on the idea that being a doctor, or flying a plane or building a house is an easy task.
Guess what, neither is running the corporate serverfarm.
I call that a scam, plain and simple. A scam that has - according to the various overblown estimates on virus and worm damage - done several trillions in damage.
Is it the fault of the lazy sysadmin who didn't do his job? Yes, it is. But he was very much tricked into a very wrong picture about what exactly his job is in the first place.
And so far, we've all been lucky. None of the viruses that I've seen were even close to the level of sophistication that, say, some very early (C64 and amiga age) real viruses had.
Assorted stuff I do sometimes: Lemuria.org
Did you get those hits from production servers six months after exploit fix/patch was posted? Just wondering...
What are supposedly serious companies doing without firewalls blocking 1433 and 1434? I run a little home network, of which one machine has SQLServer 2000, but my firewall has been blocking all 1433 and 1434 as "suspicious UDP" data. This is a little less than $150 hardware box. What? Bank of America can't afford a firewall?
Sure it's fun to bash a company that said they were overhauling their security everytime they have a security problem, but serious people would look a bit deeper than that.
Having the IS team not keep up with a few of their own patches is silly indeed, but I believe the security push was mostly targeted at developers.
Still that's something Microsoft can be faulted for. And that's the only thing:
In the whole SQL worm incident, what exactly can be blamed on Microsoft?
There was a patch, the problem itself came from code written before the 2002 security freak-out.
It feels like people expects that, since Microsoft has said they cared about security, suddenly all of their existing softare is supposed to become security bug-free, and any failure of an old installed piece of code to fix itself is a massive failure for Microsoft.
That's unrealistic.
Judge Microsoft's security effort by the quality of what's been coming out of their oven for the past 6 months. If the new stuff is as unsecure as the old one (arguably hard to measure), then bash Microsoft to hell and back. Until that can be established, give them a chance.
If you want to get a feel for the kind of things microsoft is doing for security, you should check out "Writing secure Code", by Michael Howard and David Leblanc, 2d edition.
If you need a great reference book on how to approach security issues at your workplace, check it out.
--
um. This is probably a great time to mention I am NOT affiliated with MS in any shape or form.
I don't even use MS SQL, I use MySQl and Oracle 8i so there.
Karma: The shiznight, mostly because I am the Drizzle.
Ah internet comics[userfriedly.org]
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
Also, this article, written by somebody who barely knows computers and probably lives on slashdot, is just bullshit MS bashing, and pretty untrue at that.
When there were DoS attacks caused by Cisco routers being out-of-date, they blamed the admins. When there were Linux boxes being taken over and used for DoS attacks, they blamed the admins. But when MS SQL servers are used for DoS via an vulnerability fixed over 6 months ago, they blame MS. Well, the article and the so-called expert they quote do anyway. Any reputable organization blames the admins for not patching their equipment.
So instead of being lazy and not keeping up on updates, sign up for MS's security alerts, test them out as soon as they are made available, and apply them after they test out. Its called being PROACTIVE, not reactive.
Manipulate the moderator system! Mod someone as "overrated" today.
The internet is becoming more and more important to the average "joe." So now, "things internet" are becoming newsworthy.
I have discussed the recent worm attack with my non-tech associates and they actually had an opinion about Microsoft. That some agreed with me and others disagreed isn't as significant as the fact that they had an opinion.
This is a tremendous change. Think on it.
Some people strongly disagreed on Microsoft and how evil they are. Others nodded as if to say what I mentioned made a lot of sense. (I mentioned that "bugs" in software are part of Microsoft's business model -- people have to buy newer software to repair problems with their old software, especially after Microsoft stops supplying fixes for their older stuff... "Bugs == consumer incentive to upgrade.") This, of course, is now changing rapidly. "Bugs == consumer incentive to change."
I think with the high-profile nature of attacks which exploit weaknesses in Microsoft products is really starting to create public opinion that never truly existed before. (Prior to this, people looked on Microsoft the way we look at the air we breathe -- "is there anything else to breathe?")
I think this is a very good thing. It more than levels the playing field in the market for server and other products. I think leveraging Linux, Apache and various SQL servers in the server market is the only way to get Linux onto the Desktop at a later date. There is no way to get Linux onto the desktop until Linux is a household word. Once that is done, Desktop Linux will be chosen not for its performance, but for it's reliability and solidity.
I think the days are short for people who prefer to have "unstable and colorful" displays... with the amazing power of today's PC, performance isn't an issue. Stability, reliability and security will be the main concern and even if Microsoft cleans up their act, their reputation will be enough to add doubt into consumers' hearts. The public is a moody beast and once bitten doesn't come back for any reason... usually. Just look at how long it took Nixon to return.
The death of Microsoft is at hand...
Since when is patching fundamentally flawed? I dont want anyone forcing a patch on my production servers. If there is a patch, it needs to be tested. Maybe forcing a patch is fine for little Billy's PC, but for a server that is used for email for over a thousand people, or an SQL server with vital information, I'll do the patching myself, thank you very much.
Then those people should get the fuck out of the IT field; the last thing any company needs is non-technical technical staff. Wow, installing the SQL service pack was so hard... click on the .exe! installing the SQL hotfixes were also hard... click on the .exe! Unless you are an idiot and install them out of order, I dont see how you can go wrong.
I just LOVE the anti-MS FUD! The SQL Server 2000 Service Pack 2 was posted October 03, 2002. Look on http://www.microsoft.com/sql/downloads/2000/sp2.as p. I just love to see reporters who really get their facts right. Unfortunately, these ones dont. Shame on you, CNN!
Manipulate the moderator system! Mod someone as "overrated" today.
In another post I mention that patching is dangerous and hard to do for an average developer. Why risk your dev time by executing complex patches? I bet more than anything most companies were bit by small and unknown installation of DBs inside of their intranets.
So while some will harp on Admins for not patching, I claim that Admins can only track so much. If I need to develope something on a MS SQL Server where I need to tinker with the entire DB(ie. I need admin rights) I am going to install one on a throw away machine. I am not going to case patches since the installation will not be used in production and its hard to do right. I will not ask the Admins to maintain it since its not for them.
Why is patching software on MS platforms somewhat like open heart surgery? It looks so complex I wonder how do Admins work with 10+ machine clusters. If it wasn't so complex I may just patch my small test DB instead of ignoring warnings. Until the patching process becomes much less risky and painful then this will happen over and over again.
But a service pack is _WAY_ different then a hotfix/patch. Services packs do need to be tested a lot because many times there are changes in functionality. A hotfix (released in Jul for this particular problem) has never (to my knowledge at lest) changed anything. So sure, you have to reboot, but that's the only excuse for not installing a patch right away... but months later?
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Actually in this case Microsoft released a second patch that made you vulnerable again. If I was in charge and my databases weren't infected I would fire my stupid, lazy admin.
(Actually, that's not true. Responsable admins don't put Microsoft products on the open internet so they shouldn't have been infected.)
Manipulate the moderator system! Mod someone as "overrated" today.
Compare that to (SuSE) linux. Download rpm, install, done (in many cases, when not, it's always explained in the advisories what to do). If something breaks, uninstall the rpm and reapply the old on. Nearly no downtime, I just have then to find out what didn't work.
I don't know. I have this Linux box that different people are messing around with (it's just a hobby...). Lately I wanted to install some packet with the packet manager, and it insisted on installing apache because other packets depend on it. I couldn't work out what other packet might depend on apache (none of the ones I wanted to add - unless my adding them made SuSE add other packets that in turn depended on apache). In the end I decided not to use the packet manager anymore. It doesn't sound much better than MS to me.
I don't normally chime in, but I thought that I would for this one. Let me start by saying that I don't like MS...I'm using a mac as we speak (with Safari)...and I'm a Senior UNIX admin at work....anyway...
Can we really blame MS for this? They released a patch in July...MS can't be held accountable for Windows Admins for not updating their software (I'm not saying it's the admins fault either...I know that admin spend 80 - 90% of their time putting out brushfires, and can't find time to do patches). Now, do I think that MS needs to find a better way to notify customers of new patches...b/c I know that I don't have time to sit around and browse and go through what I've installed and what I haven't (are you listening Sun?!?!)
So for example...If I don't stay up to date on all the Solaris/Linux patches does that mean that Solaris/Linux is a security prone OS? Heck, no!
Microsoft's security record won't get any better until people start to do something about it.
If you think MS is so insecure, don't use it. I certainly would never trust a windows server with anything important. That's a job for mainframes, or unix servers.
You'd be amazed how much less stressful your job is after you ditch windows.
The link you provided, http://www.netcraft.com/Survey/index-200106.html, doesn't seem to support your conclusion that "...IIS *IS* the most popular web server." The graph half-way down the page states that windows runs 49.2% of computers running public Internet web sites (which is not 50% and not a majority). But it doesn't say anything about what web server is being used. Apache runs on windows in addition to *nix; however, IIS only runs on windows. Therefore, the statement "...IIS *IS* the most popular web server" is plain and simple a false statement, supported neither by the facts you link to nor any conclusions that can be legitamitly drawn from these facts.
Life has many choices. Eternity has two. What's yours?
The Microsoft security strategy is much like the idea of going to a crowded beach and leaving your wallet in your shoe. Just my two cents...
Personally, from having to manage Microsoft systems for the better part of 12 years, it was almost impossible to patch anything immediately, when a Security Fix was announced.
If you ever have managed Microsoft Products, it basically becomes a crap shoot with the following outcomes with regards to patching your systems:
1) Patch installs, breaks other services.
2) Patch installs, system becomes even more unstable.
(This is the worse because it looks like the system is working, but hits you in the middle of the day, usually during peak times.)
3) Complete failure to reboot after patch is installed, resulting in a very intensive recovery operation. (i.e. Reinstall OS, tape restore, or flash restore with floppy.) All data is usually lost since last backup.
In any case, it is completely laughable, and not applicable I believe if you completely blame Microsoft Admins on not applying these patches.
Especially with some of the messages posted here, such as "Oh, well you have to update your systems, stupid."
How simple and naive you are, and obviously anyone making such a statement has not an ounce of experience managing Microsoft server/desktop products.
I think the people who manage Microsoft Products, know more than anyone here, why it is preferable to update thier systems.
I think it is a serious insult to Microsoft' customers that Microsoft would publish a statement something of the akin "Well, they didn't update thier systems...ITS NOT OUR FAULT".
Bullpucky, and with that in mind however, continue reading.
The shear hell, you have to go through, to patch a monolithic, monster of bloatware that is a Microsoft OS, is purely not economically possible, if you can believe it, for some companies with large installations of Microsoft products.
Patching becomes a project something on the scale of a ERP implementation for some sites that are non trivial in size.
Furthermore, time after time, Microsoft provides NO WAY to reverse patches that they typically publish.. (also known as "HOT UPDATES/FIXES").
As most admins will tell you, HOT FIXES are risky, and can be impossible to reverse because Microsoft publishes these immediately, without thinking properly about the impact on the entire OS.
As I shall note later, this is why Microsft's OS is not practical to expose to the internet for any reason from a security perspective.
Therefore, many admins wait for the service packs to fix the problem, most of the time the service paks are more well thought out, and are for the most part reversible.
It is incredibly expensive, to mirror systems in a test lab, to test patches. EVEN THEN, the production systems are in no way representitive of the test systems. It is expensive, labor intensive to construct mirror systems and network services to make it viable to install hot fixes in a responsible way.
With that said, being a Linux convert, here is the problem and Microsoft isn't addressing it:
1) Microsoft's OS includes too many features out of the box, that Admins cannot control what they want installed.
It it REALLY stupid to put a graphical interface on the OS, espepcially when you are considering a highly secured server and making it a requirement to run it. There is absolutely no reason, why the OS has to carry around the code for a GUI when it is sitting in the server room, under lock N key.
Microsoft appearently doesn't understand software engineering principles regarding the total possible paths in a program and its reliability can only be increased statistically by eliminating the other execution paths in the software. That means not installing the GUI.
On Linux I can do this, easily, with ANY piece of software. Effectively reducing the function of the server to BARE BONES. Making it much faster to identify and fix problems, and of course much easier to update.
Well, you can't do this with a Microsoft product, and that is the root of the problem. In linux, I can slice and dice the OS down to its bones, if I need to.
Also, I would like to point out, linux isn't as complex to administrate as Windows when you start whacking the X server, games, DNS (directory software) and everything else when all I have running is sendmail. The system becomes a very very simple UNIT to admin in my infrastructure, with a very very easy and predictable means to upgrade and far fewer security risks as a result.
NOTICE TOO sendmail has nothing to do with the operating system.
Microsoft ties everything into the OS making it IMPOSSIBLE to build a secure system because you have to install ALL of the system or NONE AT ALL.
Microsoft uses the OPERATING SYSTEM to aggregate services, which as I pointed to above, is a fundamentally flawed software architecture.
Linux on the other hand uses the FILE SYSTEM to agregate services and the file system doesn't require you to even execute the code on start up.
Therefore even if you do a complete install on Linux, the system complexity doesn't increase, only what you include in your RC startup increases system risk to security or bugs that can make your system unstable.
The worse thing that happens is you increase the size of your file system.
As a result the uptime factors, and ease of maintance for Linux based systems easily out paces Microsoft's OS in any large deployment of the OS.
As a result it is impossible, because of these facts, to follow a responsible security policy with medium to large Microsoft IT installations.
I also think Microsoft should stop slapping its customers up in the press as to the importance of updating thier systems.
Most people already understand that, but they are being held hostage by the poor implementation of Microsoft software which by its very design, prevents practical and speedy updates of large installations of Microsoft OS's.
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
with easy-installable Service Pack 3 released _before_ worm hit.
ONE WEEK before the worm hit.
How can Microsoft sue companies for not applying patches that they could not manage to apply themselves? The fact is that Microsoft is being totally hypocritical in blaming others for not following a process that they, as the most profitable company in the world can't manage to implement themselves, on their own products.
There is only one marginally excusable reason to have an SQL server visiable on the net.
A lot of companies (including Mircorosft) are having their internal netowrks hammered by this because the worm can spread from laptops brought in behind and across VPN's.
Recent history, however, tells us that it's pretty hard to find arrogant, stupid, ignorant or lazy sysadmins amongst those who administer Linux/BSD/OSS systems.
Can you qualify this or do you just "feel" this way because of your bias and minimal anecdotes?
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
The truth is that with open source, you have thousands of eyes scouring code for problems. Alot of these problems are even found by accident. Much more secure. With Microsoft, businesses are expected to rely on Microsoft solely to discover and resolve vulnerabilities. Sources like CERT can only do so much to help, as even they don't have ready access to the source code. To compound the problem, Microsoft routinely realeses multiple versions of multiple dll's without warning, rendering a system that was pathced just the day before, in good faith by the admin, vulnerable yet again. And then the process repeats itself.
Yes, crackers live a loser existance that revolves around wasting their life looking for potential exploits in popular software. At least with open source, you can defeat them with numbers: 5 crackers try their hardest to find a flaw in mySQL, while about 2 on the white hat side do the same. But, the white hats also have the luxury of a thousand other coders around the world looking at the code for different reasons, coders that just might (and usually do) find a flaw before the 5 crackers can.
But fool yourselves all you like and keep relying on Microsoft and their new "secure motives" (or whatever the term one of their marketing people came up with). The more sensible amongst us will run our open source "alternatives" and only face a potential threat once in a blue moon, while you MS guys will have to fret over the next big threat constantly.
I for one don't respect vendors that pass off almost the entirety of security responsibilities onto the user. That's like Redhat telling their users "You know, you really should use our OS on a workstation that has access to the internet". Today a database is a crucial piece of any network, and yet, it shouldn't be exposed to the same risks? Even Apple doesn't approach commercial use that way (however ingsigficant their corporate prescence may be).
But it is true that macs are safer because less people use them. This is why diversity is important with plants and software.
I was listing the causes of bluescreens. I never said hardware was HIS cause but to look into the problem. A program causing a bluescreen, not likely. You people are so thick headed sometimes, its called troubleshooting. It used to work and now it doesn't. Oh well throw it away and buy a new one when 5 minutes of searching could fix it.
Only the State obtains its revenue by coercion. - Murray Rothbard
every two years m$ totally changes their server products. what you knew with nt4 is obsolete with win2k, is useless with .NET/whatever server. you learn to admin unix, your skills improve over time, 'cause your doing the same things you were 5 years ago. with m$ servers, you have to learn all over again, and you are at m$'s mercy to provide patches, etc. so no, don't compare unix to m$. unix had its growing pains sure, but it is a mature product. and linux is becoming one really fast. every freakin ne m$ product is a NEW product. and it experiences the same crap over and over. why does m$ do it? somebody who knows, please do tell.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Actually you are both right. Although Service Packs often roll up hot-fixes, they also can include many more bug fixes that weren't deemed important enough to require releasing as a hot-fix. Thus they are much more likely to include a deliberate incompatible change that breaks an application (i.e. DirectX N+1, or the above-mentioned DBCC behaviour).
However, although hot-fixes are usually small changes targetted to fix a particular problem, they do not undergo the full regression testing that a service pack does. Most MS hot-fixes come with an CYA warning that you shouldn't apply it unless you believe you are in a situation exhibiting the problem and requiring the hot-fix. Since code modularization at Microsoft seems to be dictated at least as much by the marketing and legal departments as by good software engineering practice, a hot-fix has a not-insignificant chance of having an unexpected side effect (witness the problem with the October hot-fix).
So whether it's a hot-fix or a Service Pack, you wind up having to regression test your 3rd-party applications before deployment, and if you think most IT departments can afford to do that with every "hot-fix of the week" you're out to lunch. Most admins would probably have deployed SP3 after performing their own regression tests in another few weeks.
That said, what kind of idiots connect 120,000 unprotected database servers out on the net? I doubt all were in the position of the poor slob a few levels above in this thread who had deployment mandated by upper management.
Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
A good admin is one who isn't a fucking idiot and has all their SQL ports (as well as every other port that has no bussiness being public) firewalled off.
And if you want to start heaping blame on developers well teh turn the glass back on the OSS people. Start screaming at the ISC BIND people, at the Apache group, and so on. They do their best, but they still seem to produce software that has hole in it, despite being open source.
There is no magical perfect software. Open, closed, doesn't matter, bugs happen. I feel so long as the programmers do their best to prevent them and issue patches when they are discovered, they are doing their job. You can't expect perfection because you are never going to get it.
Sitting at Starbucks wireless, completely insecure connection on my Mac running OS X. Am I worried, no. Is it because there are few viruses written for OS X? no. Is it because there are plenty of viruses/exploits written for UNIX based OSes.... OS X being one of them, a valid reasoned to be worried but still I am not.
I'm not worried because I have a firwall that works out of the box to protect me from said viruses and expoits and is easy to turn on and configure.
XP also has a firwall available, but, it is hidden in an obscure location and has NO configuration I tried to turn the firewall on and every time I did this it would say that yes it was on, but then I would go back to verify this and NO it was not. Ten times I tried this... to no avail. What use is a firewall if it won't even stay on? Furthermore it has one option ON or OFF, what does that mean? What is it doing? Can I open a port or lock down soemthing it doesn't turn off... ??????
Yes there are shareware and even free firewalls available for XP but that means I have to find them and configure them and pray that they will play nice.
Macs are and always have been more secure than Windows machines.
Why do virus writers and hackers pick Windows? I'd say that it's because it is the easiest OS to exploit. The fact that it is the most prevalent is irrelevant.
A fool throws a stone into a well and a thousand sages can not remove it.
What sysadmin in his right mind would give up control of their server(s) to the beast?
Small wonder that more patches aren't getting installed.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
I don't think you can solely blame admins for not patching. Some blame HAS to fall on the coders who left the hole open in the first place.
Bullshit. All software has bugs. All software . Even Open Source software. Even high profile Open Source software that has many more eyes looking over the code than normal. Even that brand new Linux kernel you just installed has security holes in it. I guarantee it.
Bugs are a part of software. When you install anything, you need to take that into account: when holes are discovered, they get patched. If you fail to patch, the fault lies directly on you. Microsoft did their part.
NO CARRIER
Yeah it's SOOOO hard to run the MS Security Baseline Analyzer - which tells you what you do and do not have installed as far as patches are concerned. Being ignorant is not an excuse.
l t. asp?url=/TechNet/Security/tools/tools/MBSAHome.ASP
http://www.microsoft.com/technet/treeview/defau
big difference between OSS & MSS is the fact you don't need to reboot unless you are replacing the kernel. updating the SMTP server isn't likely to have seemingly unrelated side effects such as locking out users
Microsoft did their part by releasing a patch later
that broke their first patch. I can tell you have
a lot of angst about this and want to cast blame
everywhere you can, but clearly Microsoft dropped
the ball. So sorry. Thank you for playing.
The most important thing any republican needs to know.
My response took into consideration only the tone of the original post and recent history of few major events, when good chunks of the Internet were literally brought down due to unpatched, long-time known holes in IIS and MS SQL (Code Red, Nimda, Slammer). None of the three was anecdotal (I beleive cost incured is meassured in Giga$) and was covered to great extent not only by IT press but by mainstream media worldwide. All events occured even though patches were available for months. They were supposed to be applied by Windows sysadmins, of course. I cannot recall any recent events of such kind and impact caused by security holes in 'open source' products. I, thus, believe that conclusion I drew in response to (arguably) 'flamebait' AC post was logical - it was Windows sysadmins who did not do what had to be done, although there was plenty of time to do it.
To clarify things further, I must point out that I did not say that majority of Windows sysadmins are stupid, lazy, ignorant or arrogant. Whoever thinks this is full of crap. Trust me, I know much better than this. Few guys (yes, MCSE_s) I happen to work with are clearly amongst the brightest people I know.
Remark was intended only (am I repeating myself?) as a response to pretty shallow post. Shallow because system administrators can't be the culprit here. The root of this whole thing is definitelly in the way of how Microsoft design their products and their totally iresponsible attitude to everything else but $$$.
Wasn't there a post on slashdot a few months ago saying something like 80% of linux boxes weren't patched and vulnerable. Windows sysadmins have no monopoly on ignorance/laziness/stupidity.
Vote for Pedro
when was the last time you saw a I hate Apache! Apache is Evil! Stop Apache now! website/post/rant?
The truth doesn't care what I think.
The error here, believe it or not, isn't all upon Microsoft
No, but most of it is.
First off, they didn't patch. Microsoft had the patch available since June
Yes, this is true, but ignores the fact that Microsoft themselves were hit.
If the people who wrote the damn thing in the first place can't keep up with their own patches, why do you expect everybody else to be able to?
Microsoft explicitly warns users of SQL databases to not put them openly on the internet, for obvious reasons.
And again, MS is guilty of doing exactly what they tell others not to do... why?
And what exactly are those obvious reasons? Could one of them be "the software has too damn many holes"?
You can blame Microsoft for this if you want, but it isn't car companies' fault that people get killed because they can't drive.
No, but it is the car company's fault if thier car blows up in a minor collision. (Which is a much more fitting analogy, although still flawed.)
market share is about 95%, but their share of the virus market is more like 99.99%.
sounds about right to me. 95% market share = the only one that matters.
of course, your numbers are probably wrong; you appear to make up numbers instead of looking them up.
The truth doesn't care what I think.
AOL gets their news division to write an article after interviewing a few guys who's job it is to scare customers into hiring them by saying that "Microsoft's security is shit, only a professional security advisor can help you."
What a great piece of information. I love it when 'news for the clue-less masses' shows up on a 'news for nerds' site.
The truth doesn't care what I think.
Okay, well prolly not, but it is not good that everyone is screaming "We need better security!" right before MS is about to release Palladium... err I'm sorry... Next Generation Secured Computing or whatever they are calling it now so everyone will grab it up as quickly as possible. Kinda like the conspiracy theory that Bush ignored the September 11th warnings so that everyone would approve of his "war" after they saw the trade centers fall.
-Derick
While Linux may not be fundamentally more secure then NT
Should read:
While Linux may be fundamentally more secure then NT
I can only assume this is what you meant to type
because of the well known advantage Linux has over
NT in the security arena. I mean, the department of
Homeland Security even made the switch recently for
this exact same reason.
The most important thing any republican needs to know.
We are all dumber for having just read that.
First, this quote:
"...hit a year and one week after Microsoft Chairman Bill Gates sent a company-wide e-mail saying Microsoft would make boosting security of its software a top priority. "
Now, this bug has existed long before. I don't remember when SQL2000 was released, but I believe it was longer than a year ago. Even if it weren't, the code was developed long before. Therefore, saying that the initiative is not working is just lame. No initiative works in retrograde.
Then the comment about macintoshes. Hey, if I pull out my Commodore 64 from the garage and hook it up to the net, I bet it won't be affected by any viruses. Is macintosh more secure? I don't know. Is the rate of infection indicative of the security of the system, or its prevailance?
Looking over my last security bulletin, I see plenty of Linux backdoors (libpng overflow, mysql vulnerabilities, cvs double-free...)
There is no substitute for administrator vigilance. Yes, we are afraid of updates and patches, and their impacts, as much as the next guy. However our solution is simple: we keep a mirror of our critical servers. We apply the patches on these mirrors and check for bugs. If there are no bugs, we swap out the production server with the mirror, and the production server becomes the mirror. We have not had any major problems with this approach.
It's marketing. The idea that you don't have to know what you are doing. Computer engineering is logic, system logic and a fair amount of important abstractions that are used as tools. That logis underlied all languages, script, VM based, compiled, etc.
If you make it easy to set something up, that's good, but if you extend that to mean you don't have to understand the logic you have just deployed, that's wrong. The benefit has to be just that it saves time in setting up the system, not that it frees you from understanding what you have just done.
Microsoft markets to the idea that it's easy AND that means you don't have to know what you are doing, but you do.
Also, a Microsoft patch is a risky thing... much more risky than the redhat patches I've been applying blindly.
-pyrrho
I'm not defending it - it's security issues are rediculous! I'm saying that _IF_ MS is really getting their act together regarding security, it's too early to pass judgement. From what I've heard, IIS6 is a significant improvement to security. Just don't exepct a "magic patch" to fix MS's security problems within a year of their "trusted computing initiative".
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
asking admins to monitor their network more carefully is about one step semantically shy of asking them to keep up to date with patches. if you don't have time to keep up with patching, why would you have any time to watch your network more closely? if it's either/or, sure, take the high road and monitor, but if you're doing neither, nothing is solved.
later, he says that in a perfect world patches would automatically download, install, and always work. as for the automatically download and install, microsoft has that covered. but as for always working... well if that was the case, patches wouldn't be needed in the first place. there's a catch-22 there that he missed or ignored.
Supervisors need to impart an attitude that a job isn't done until the software works, and is secure.
Recently, I had some time on my hands and did a cursory check on some security issues on a few linux and MS boxes. Guess what? I found a few issues that needed to be addressed.
If everyone spent just a little time doing this type of thing, there would be a lot less security problems. Maybe supervisors should offer a case of beer as bounty for the biggest security hole found. They're overused sayings, but very true: Security really is everyone's job, and an ongoing process.
Also very true: people who think about security have a fraction of the security problems everyone else has.
Your scenario is a bit bad, try this one:
What if the car has a defect or flaw... and while there is a fix, released for said defect, some people aren't notified, and thus get in to fatal car accidents.
That being said, people are definately dumb for putting SQL databases online when not needed - however I worked for a company that this was needed at, so some of these were probably in that group.
In addition, good sysadmins should check for such patches, etc - especially with software known to have bugs or vulnerabilities at various intervals. Even 'nix software has bugs, but 'nix/bsd/etc sysadmins are often smart enough to check up on them.
Which is of course, one of the reasons I read slashdot. That and to laugh at those that don't and get downed by code-red, sapphire, whatever
Check the box next to "Microsoft" on your preferences page.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Your statement is misleading. The .NET SDK does not install MSDE by default. A user must manually install MSDE from the SDK in order for this to be an issue. .NET Framework SDK" is false. All developers that use MSDE realize that it is a subset of SQL Server, and act accordingly.
So, your first statement that this "affected the
-jerdenn
I'm not sure what that 80% refers to, or even if it's accurate. Even if it is, many Linux 'fixes' would never even be considered for patching by MS. Linux fixes range from the benign and theoretical to the very serious. Linux patches are generally released almost immediately after a bug is found that might (in theory) be exploited, or used as part of an exploit. (e.g. someone finds the possibility of a buffer or stack overflow).
Windows patches, on the other hand, often aren't released until somebody proves that a bug is exploitable/ exploited. Even when a proof of concept (or even wild) exploit is made available, security experts sometimes have to argue with MS about whether the exploit is serious enough to be worth fixing. I remember one recent case where MS downgraded a pair of bugs as minor and refused to release a fix. When frustrated security experts were able to combine those bugs to enable arbitrary command execution (their sample code: format a hard drive), they were criticized for not giving MS advanced warning(!).
Nontheless, when MS finally released the fix for these same bugs, they classified them as moderate. Some people think that, having just released one crutitical patch, they didn't want to face the embarrassment of two severe bug fixes in one week.
Because Windows patches are rarely released until the problem is both proven and serious, MS security patches are far more critical to install. Unfortunately, MS security patches are also problem plagued. System admins have no way of knowing exactly what a patch will do. Some patches undo each other, some patches break other (sometimes seemingly unrelated) systems. Because of the nature of closed source, System admins who have problems with a patch can find themselves stuck between a rock and a hard place. They can either install the patch and break their installation, or leave the system unpatched. In either case, they must beg for a compatible fix. The OS solution of engineering their own patch is generally not feasable -- possibly even illegal.
Both the cost and public embarrassment of repeated fixes to a given problem discourage MS from releasing patches against bug fixes. Lack of the ability of a customer to provide -- much less prove -- their own version of a fix exacerbates the problem.
In this environment of fear, uncertainty and doubt, an MS system administrator must decide if, when and how to install their patch. sometimes they get it wrong.
Linux admins face a similar problem, but with a good deal more information and control. Systems are generally more compartmented, so interactions between parts is better understood. If installation of a patch causes problems, users have the ability to examine the source code of the changes, get an exact understanding of what they're doing and determine whether their best course of action is to patch the patch or fix the problem elsewhere. If the solution turns out to be a further patch, they have the ability to release their own fix in hopes of having it folded back into the 'official' distribution. This is an option which most MS users will probably never have.
OS Software is like love: The best way to make it grow is to give it away.
OK: Let's me get this straight:
- MS publishes their hotfixes with a warning that they may break things and you should only install them if you're having problems;
- Sysadmins are at fault for not ignoring MSs warning and blindly installing all hot-fixes immediately
- If you'd blindly installed all MS hotfixes, you might break earlier hotfixes
-
Service Packs are mostly just rolled-together hotfixes, but they are known to wilfully break things;
- Despite MS warnings to the contrary, Service Packs need regression testing but hot fixes don't.
A hotfix (...) has never (to my knowledge at lest) changed anything.-
The hot fix that would have blocked code red was undone by a later hot fix.
-
The hotfix that would have blocked slammer was at risk of being, itself, slammed by a later hotfix installed in the 'normal' way.
- MS's own servers were broken by the slammer virus.
Just how much knowledge do you have, anyways?OS Software is like love: The best way to make it grow is to give it away.
I was talking about rpm, not yast[2].
First, the security analyzer is _relatively_ new, second, I'm not interested in just knowing what patches I have to theoretically install, this I know. Since patching (esp. MS servers) is always a risk, I want to install just the patches which are absolutely needed (i.e. just patch used components). I doubt the MSBA is a great help with that.
Btw. I was not caught by any worm/exploit/whatever, it just takes more time caring for one MS server than for 5 linux servers, and it is more risky.
Maybe MS hasn't products for ignorant people like me and SuSE has - if that's really true, MS is in deep trouble.
I think what irks most people is the fact that Microsoft themselves were hit by this, as in they didn't patch their own servers. Mind you this isn't the first time either. They were hit pretty hard with a few of those email worms (code red, melissa, etc). With all the problems with passport, and people not really knowing what they are doing with .net, they aren't really doing a good job at showing the public that they can be a secure, service oriented company of the future...
I am not really saying that UNIX is the best there is, or that the Microsoft OS's are the worst. You do have to admit that a company who was supposed to be focusing on security this past year failed the test.
...that the basic security model in place for software today for mitigating the risk of an attacker modifying service code (0wning y0ur b0xen) is to automate the process of modifying your service code via patching.
DDL
You are correct. The list of Microsoft products that include MSDE 2000 can be found here. The .Net SDK is one of the 15 products that does not install MSDE by default (you must explicitly select it), instead of of being one of the other 10 or so products that do install MSDE by default.
Redundent. As if awareness of the problem doesn't need to be pounded into the heads of users everywhere.
Also don't seem to recall any notes previous to this that covered the same teritory for this story.
-Rusty
You never know...
The security push marketed by Chairman Bill and co. seems to have little or nothing to do with security and is perhaps only a smoke screen to distract from lobbying efforts, other security privacy and false advertising problems, or losses on various fronts. Alternately, the security rhetoric could be a simple case of "pump-n-dump" as options are offloaded to chumps.
Seriously, that company has such a long and poor track record on all fronts, except marketing, that it is not a viable alternative to consider for servers or embedded systems where *BSD, Linux, QNX, Solaris, and others are best practice. Similarly, the desktop market is looking for security, stability, ease of use, ease of maintenance areas where Microsoft is far behind OS X and the major Linux distros.
They had their chance, in fact many. For a dot-com, they've had a long run, but now the best thing they could do for the economy and for the Internet would be to get out of the way.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
I looked on CERT's site for any evidence to back your assertion that CERT found a significant overlap between the open-source community and script kiddies. I couldn't find any.
The only reason I could find for attacking IIS over Apache is that it's easier, and the administrators are often less skilled.