Microsoft Apologist Apologizes for Microsoft
hillbilly1980 writes "Internet Week has published a counter article in response to the number of anti-monoculture security papers recently published. Unfortunately the author starts out by writing off the other papers as simply anti-Microsoft, unfortunate because his paper never gets past being more then just pro-Microsoft. One of his suggestions to secure your enterprise... turn off port 80." Probably the best thing to do to prevent disinformation from entering your company is to block articles by Rob Enderle. Update: 10/11 00:54 GMT by M : Note for the record that the original version of the article referred to blocking port 80; the article has now been edited to refer to port 135.
...should have his lower horn removed.
One of his suggestions to secure your enterprise... turn off port 80
That's nothing. To be *really* secure I just don't even turn my computer on!
Slashdot is too subjective.
Ok, it is completely understandable and ok that slashdot is not a pro-microsoft-newsletter. But still I would have expected a bit more. Not just "oh, and if Rob Enderle is from Microsoft everything he says is bad".
turn off all of your computers running MS
Slashdot is notorious for this.
Numerous times I have suggested that they upgrade to IIS 6, but they refuse - and continue running the notoriously slow IIS 5.0.
They have only themselves to blame.
Rob Enderle might be a bit of a weirdo, but NOT all of what he says is completely untrue. Some of his claims do have a basis. Just not all of them.
And on the front page, no less.
I'm getting the same thing here, I just thought it was me.
/. or a JCvD movie. Not a very big choice.
It's either
Pete Carr Owner Chatmag.com
I'm neither really, I'm a practicalist. Give me something I don't have to spend 20 hours each week patching, testing, cleaning up, and god knows what else I'll have to do in the future and I'll say it's better than Microsoft products. Wait, I think that's everything on the market.
Now, let's see, first thing to do is block port 80. Well, I'll be, I guess I can't use your servers to host websites then can I? Then what the bleeding hell is IIS for? Oh wait, it's for spreading viruses, I'm sorry I forgot. After all gotta be in bed with the AV software manufacturers.....damn, got me again, they are an AV manufacturer now.
Yeah let's all turn off port 80; it's like having e-business without the "e"!
-On one's tombstone there will be 2 dates, Make the dash between them count!
The article advocates restricting port 135, not port 80.
~Phillip
Actually, most of us hate Microsoft because we envy Bill Gates for being smarter and better at both programming and business than we are.
"One of the biggest problems caused by diversity is that it become very difficult for the IT staff to maintain equal competence on all platforms."
What a great suggestion.. let's get rid of all of those different flavors of windows and all those pesky multivendor PCs. A corporate wide upgrade to all new high end laptops for everyone including your servers will save *huge* amounts of money!
that if I'd kept 30% of my infrastructure running Microsoft software for compatability reasons I should just go ahead and ditch it all?
Or am I just reading that wrong?
KFG
you get to release software without bothering to test!! Of course all these programmers love it (and don't have jobs)
Probably the best thing to do to prevent disinformation from entering your company is to block articles by Rob Enderle.
It's not just Rob Enderle, you damn left wing-nut communist pro-choice feminazi Michael! It's the Enderle Group!!! The whole damn bunch of them!! Are you trying to say that they're all nuts!? That's just nuts.
--Lawrence Lessig for Congress!
That's because he's got the wrong focus.
The monoculture risk is real when you're looking at the 64,000 view -- the entire population. They're not really all that much of a risk when you're dealing with, say, an enterprise's systems, and there's not that much benefit to them in that kind of environment (disregarding things like security devices for the moment).
We've used the agriculture analogy before to describe the issues around monocultures, so to continue to use it, we can say that his point is that monoculture isn't really an issue because when you're tilling a single field, it's a pain in the ass to put multiple crops on it. True, but that's not the point -- it's when you've got one crop on *ALL* the fields (all the enterprises) or at least a substantial portion of them that you get into a problem.
The submitter apparently not, in good /. fashion... I however did read it, and for starters no mention about port 80 (only about port 135). For the rest a lot of bla bla, totally disregarding many of the arguments in the original "monoculture is dangerous" article. For example he assumes that Linux OOo would have exactly the same exploits as Windows OOo. Maybe - but only if you stay within OOo's scripting. Making a cross-platform Blaster or the like is imho next to impossible (are there any cross-platform Windows/Linux binary executables in the first place?)
Lots and lots of nonsensical bla bla from this guy, who really needs to start learning a bit about what he is talking about. Monoculture is dangerous. And no-one promoted multi-culture within one company, only over the whole of the internet population. Multiple platforms within one company will indeed have its own problems.
Wouter.
How many morons are going to keep using then for than when their usage of English is otherwise so good? I can understand it in someone who misspells every multi-syllabic word, but just that one? And people wonder why all the good tech jobs are going to India. At least they can use English.
Well maybe that explains what's been making Slashdot unusable today...
You make several accusations about the article's bias. But instead of giving us the article and letting the readers make that judgement, or even making a logical argument for why he is wrong, you instead attack the author, and tell us how we should feel about the article. Anyone that reads slashdot can probably pick out the (alleged) MS bias by themselves. Keep your opinions to your damn self if you aren't willing to back them up.
and, BTW, hackers are committing suicide at Microsoft's firewalls...
"You mortals are so obtuse." -Q
Few companies can continue to function if even 30% of their systems fail catastrophically.
So, 30% was running on windows?
I am the unwilling control for my Origin.
He's right... mixed computing environments are bad. All the more reason to go 100% Linux.
and never wonder bout *why* you're paying that bill...
What nonsense
Let's look at some of these...
- Accelerated adoption of patches.
Ok, yes you do have to stay patched. But this is like blaming people with flawed cars for not going to the car dealer each week to check for recalls. Microsoft's abundance of patches indicates poor design and methodology, period.
- Locking down desktops so users cannot make changes and viruses and worms can't install themselves and run.
Ok, so rather than design the apps safely out of the box, we need to handcuff the users and do the dirty work ourselves. I guess all those Outlook viruses were our fault.
- Restricting ports, such as port 135, which effectively stopped the latest virus attack.
Wow! What a concept! I never thought of this! Now I know where all my problems are coming from! It's not from the software, it's my fault for actually allowing connectivity!
- maintaining "hot sites," or duplicates of key elements of the IT infrastructure, so if the main infrastructure is compromised, users can quickly switch to backup systems.
Sounds like a way to sell licenses. Ok, since we can't make our product stable, buy 2 copies and hope one works.
- Developing the capability to rapidly restore compromised software and data from backups.
Right. Key word is, develop. Why does an end user, paying hundreds of dollars per seat need to 'develop' something as common as this.
- Adding security staff or outsourced services.
Right. Keep sending us your licensing fees, and then spend more money to make up for the gaps in our software. Don't trust any of that 'free software' crap you read on the internet - those Linux guys are a bunch of hacks. Hire an MSCE. Preferably from another country.
Does it hurt to hear them lying? Was this the only world you had?
>> - maintaining "hot sites," or duplicates of
>> key elements of the IT infrastructure, so if
>> the main infrastructure is compromised, users
>> can quickly switch to backup systems.
If you don't know what infected your infrastructure in the first place, why would you put up another one to get infiltrated?
Valve may have screwed up big, but at least they are unplugged while they clean up.
"Hamlet without the prince"
Used allusively to refer to a performance or event taking place without the central figure, actor, etc. E19. Excerpted from Oxford Talking Dictionary Copyright (C) 1998
Help fight continental drift.
Ok this is crazy.... Did any of you guys bother to read the Greer paper? It was a piece of politically motivated rhetorical garbage. It was in no way a technical document it was just basically a long Dennis Miller style nit picking rant without all the literary references and high brow attempts at humor. It was about as professional and well thought out as those Bill Joy articles and speeches about how if we are not careful we are going to build cyborgs that will kill us.
This is a pretty awful article. It's a seriously sucky world, when world-class trolls and flamebaiters post for free on Slashdot, and this Enderle guy gets paid for half-assed trolling.
I don't know where he got the idea that 'diversity is good' means every PC on your network is running a different operating system, and different applications. Wotta weenie.
---
SCO is weenies
Gator is Spyware
Microsoft is thugs
mod parent up!
pretty much sums it up.
No, but if you read "turn off port 80 to secure your network" as a security advisory... any IDIOT can tell you that if you need to get out or serve html to the world... well, you CAN'T... sheesh... and it's not like the emails and worms annihilating windows servers use Port 80 exclusively... I recall RPC was 5100 and such... not 80. I could be mistaken... but god knows I do business, I run servers, I code... nobody foocks with my servers or code, or nothing... and I run both winblows and linux. (and a bsd box for those that give a sh1t).
Anyways, go read up on your idiocy remarks before you comment on "anti microsoft".
The guy simply said that posting such blatant idiocy in his newsletter, the man deserves to be blocked before he further misinforms the already IGNORANT windows folks out there.
-Khye
Funny, another article by Rob was blasted a week ago on another site for being blatantly pro MS.
Must be some truth to it after all...
This guy also predicted one year ago that Macs would today be running on x86 hardware: http://www.gigaweb.com/Content/Media/AdHoc/Desktop Trends.pdf
Whenever the offence inspires less horror than the punishment, the rigour of penal law is obliged to give way...
The author has concluded that many security papers do not address the cost of security - and he's right.
But anyone who is going to make a business decision regarding security can and will recognize that cost is a factor. Just because not all papers focus on cost doesn't mean that their conclusions are flawed.
The author fails to present any facts that support his implied position that the costs of securing the Microsoft model is a lower cost.
The author has written an article about his opinions. He provides few facts that support his opinion. This article is not informative to me - someone who needs to make decisions.
I don't care about his opinions. Give me facts that help me decide what to do in my organizations.
This is a slow day for Slashdot.
So the problem with diversity is that it increases costs, right? And, the cost savings of monoculture can maintain security by. . .
* maintaining "hot sites," or duplicates of key elements of the IT infrastructure
* Adding security staff or outsourced services
* Implementing additional security products
. . . spending lots of money.
What exactly does "anti-Microsoft" mean?
Back in 97, I was working at a startup where we were using the usual array of Microsoft tools to create web-based applications: IIS, ASP, Visual Basic (COM controls), and SQL server. The more I learned, the more I grew not to like it. The straw to break the camel's back was finding a significant bug in MDAC (which was acknowledged by a high-level tech once the ticket was escalated), and then having to wait 6 months for a fix. We thus moved away from the MS platform to Java/Linux, a combination that we found to be superior for our needs. I haven't looked back since.
I think I thus fall into the anti-Microsoft camp. I'd prefer to think of myself as being in the "pro-well-written-software" camp though. If Microsoft started writing good, secure, and interoperable software, I'd welcome them with open arms. My problem with MS is that in my "learned-the-hard-way" opinion, they don't.
The author does not define the term "anti-Microsoft". So my question is, what connotation do people try and draw up with the term "anti-Microsoft"? In my opinion, fabricated terms that begin with "anti-" tend to be used to describe an irrational hatred of something, and that's what I'm seeing here.
What has *science* done?!? -- Dr. Weird (ATHF)
So should we adopt crop rotation?
e.g. Change to Linux may-october, up root and install openBSD then change to a legume for example OSX to allow the nitrates to build up again (then ban spraying pig shit on fields because of some doubtful science oh oh going off on a rant there...)
of course if we adopt the practice of writing everything in Java(TM) then the user need never know, and we would solve the monoculture problem!
(HINT Irony, like brassey but made of iron)
Ahh, forget all that, the solution is for everyone to develop and build proprietary systems inhouse, so NOTHING is the same company to company...
Registrant:
;; ANSWER SECTION:
:)
Enderle Group
389 Photinia Lane
San Jose, CA 95127
US
Domain name: ENDERLEGROUP.COM
Administrative Contact:
Enderle, Robert renderle@enderleresearch.com
^^^^^^^^^^^^^^^^^^
dig mx enderleresearch.com
enderleresearch.com. 994 IN MX 10 mailhost.enderleresearch.com.
telnet mailhost.enderleresearch.com 25
Trying 216.219.253.216...
Connected to mailhost.enderleresearch.com.
Escape character is '^]'.
220 ams005.ftl.affinity.com ZMailer Server 2.99.38 #1 ESMTP ready at Fri, 10 Oct 2003 21:07:14 -040
Ooops. Good 'ol ZMailer.
Oh... wait.
telnet www.enderleresearch.com 80
Trying 207.36.51.223...
Connected to www.enderleresearch.com.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Sat, 11 Oct 2003 01:08:15 GMT
Server: Apache
Last-Modified: Mon, 08 Sep 2003 23:03:06 GMT
ETag: "b98f4-1a99-3f5d0aaa"
Accept-Ranges: bytes
Content-Length: 6809
Connection: close
Content-Type: text/htm
Apache. Hmmm. Who'da thunk it?
Probably the best thing to do to prevent disinformation from entering your company is to block articles by Rob Enderle.
Given the recent FUD from "our own Roblimo", I think it might be good to block articles from anyone named Rob if you're looking for honest information.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
If you don't like Microsoft, for whatever reason, don't buy their software...
If the benefits outweigh the risks for you, then buy their software.
If not, don't.
I don't see why it's considered so interesting whenever some "expert" comments on the security of Microsoft software.
Amazing magic tricks
After reading I checked a link to another of Enderle's articles (Reasons to Shun Open-Sourcery) and after claiming that the admirable open source users considered alternatives including Microsoft first, then spreading a bunch of FUD he was kind enough to label as such, there's an interesting bit in the "about the author" lines:
He is contemplating building an open source-free saferoom in his solar-powered home.
So open source users have to consider Microsoft, but he gets to hide in a bunker to protect himself from the evils of Linux.
Or whoever wrote the about blurb wanted him to look biased and emphasized the fact that the room was open-source free? Who knows.
(Also sent by e-mail.)
:o)
Hi there,
I just read your article at internetweek (Opinion: Reasons To Shun Open Source-ry) and I must say that although I don't agree with your opinions I think you have some backbone to say them in public.
Of particular amusement was this part:
"He is contemplating building an open source-free saferoom in his solar-powered home."
I only hope that you weren't planning on installing Windows on any of those machines as the Windows TCP stack and Microsoft SFU are (Free|Open)BSD derived code. Longhorn will include elements of ksh (free) and several other new 'innovations' also derived from Open Source (although not GPL) code. You can't even dive for Apple who use Darwin (free, BSD derived) and khtml (free, developed on Linux) as well as other things - or Solaris (ships huge quantities of GNU applications). Almost every operating system on earth is now 'tainted' by code donated because when the marginal cost of something is zero, giving it away helps the whole world benefit.
We might not do it better all the time, but every now and again our community turns out something that everyone can see is better (Apache for example) and quite often they even beat a proprietary vendor at their own game (Samba versus Windows/CIFS). Given another time, every closed source tool will be replaced with something open, and resources will be redeployable into something more worthwhile as the market dictates.
Good luck anyway,
Beep beep.
Oh the ring of keys analogy really works for me. What planet is this guy living on? I am soon implementing a program where we are going to remove the power supplies from all computers in the company and servers achieving 100% airtight, bulletproof security and reducing support costs to nothing.
/sarcasm
snip/
"One of the biggest problems caused by diversity is that it become very difficult for the IT staff to maintain equal competence on all platforms. The IT staff will have to focus more resources on keeping these systems interoperating and have fewer resources available to concentrate on things like securing the site."
/snip
I would love to have my IT staff focusing on something other than the virus or patch of the week. They are getting real good at disinfecting and patching Microsoft machines.
This guy's really a goofball trying to make the argument against diversity as a tool to gain fault tolerance. NASA makes the argument for diversity in life-critical software systems and NIST studies show its value in High Assurance Systems. KLabs has found the use of diverse and redundant systems on spacecraft offers high protection against failures due to design deficiencies and that it can offer lower cost where the backup system is used as a lifeboat for the primary system.
It may be funny, but sadly some people do really think that firewalling port 80 (or 8080, or 21, or 20, or 22, or 443 -- et cetera, ad nonsensum) is the answer indeed. Some people may be surprised (not Slashdot readers though, mind you) but there simply is no simple answer. There is no working snake oil. The buzzword of the week alone will not save you. What are my answers then? Simple. Read Security Focus. Read Crypto-Gram. Read Phrack. Read the underground IRC discussions. Read encrypted Usenet posts. Read the articles posted on Freenet. Read the books for god's sake! Read about systems. Read about networking protocols. Read about cryptography. Read about cryptanalysis. Employ honeypots in every network. Learn C. Learn Assembly (Intel as well as AT&T syntax, for different CPU architectures). Learn executable binary formats. Learn how to see polymorphic shellcodes in network packets hex dump, just looking at tcpdump output scrolling on your terminal. Learn how to speak different protocols (http, smtp, pop3, etc.) with netcat, then making your own tcp packets, then your own hand-made ip packets, then ethernet, ppp and slip. Learn. Read. Then learn some more. Read. Read. Read. And learn the one most important thing: security is not easy. When everything fails, you are on your own.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Note the article titles of previous pieces by the same author:
PREVIOUSLY BY ROB ENDERLE:
- Microsoft: Hated Because It's Misunderstood
- Reasons To Shun Open Source-ry
- Linux Is Not Ready For the Enterprise
Sure, it's quite possible that he's a Microsoft advocate by choice, but after skimming his previous articles, I'm left seriously wondering if he's compensated to write these obviously pro-Microsoft propagandish articles.
k.h.
This seemed flawed in the explanation. If you have a 'master' key then breaking into the desk would make it so any door could be opened. Having a 'ring of keys' makes it more difficult after the theft as no single key will grant access to the kingdom. The breach of course was the inept lady who kept her ring of keys in a desk. :)
Also the first port listed would be more accurate. IIS has always been the biggest flaw in their operating system. IIS6 will be exploited by the end of the year (my prediction.. well more of a highly informed guess
Unless this is a troll, I feel sorry for you. I've been in a similar situation (although not that bad) a few times and it wasn't exactly fun. Tell both of them to fuck off and get yourself a new chick.
You can say the same thing about slashdot, home of "news" that may or may not be true, doomsday scenarios that Microsoft is responsible for, and the US government coming after you stories.
P.S. This is a direct, ontopic editorial comment responding to the article text.
SIG:Slashdot: indymedia for nerds.
I didn't see much which actually addressed actual problems in Enderle's "solutions". Closing port 135 will not address Sobig type mail worms, neither will putting all the users' machines in a server room. His point about MSOffice on the Mac avoids the source of most viruses as well, Outlook.
Not only this, but he contradicts himself when he talks about saving money with a single platform in one sentence but then talks about buying more AV products in another.
Mr. Enderle, what was your point again and can I get a job like yours where I make money by praising some company willing to pay for it.
Quick, install Windows XP on her machine. That'll teach her to fuck with you.
Can I get an eye poke?
Dog House Forum
Observing some of Mr. Enderle's previous work as a technical journalist with such a brilliant portfolio of works such as:
* Microsoft: Hated because it's Misunderstood
* Reasons to Shun Open Sourcery
* Linux is not Ready for the Enterprise
Do the words Journalistic Integrity really mean anything anymore? How can someone supposedly proclaiming to know something about Enterprise Network Infrastructure ever be taken seriously after writing such drivel.
"One of his suggestions to secure your enterprise... turn off port 80 [135]"
No, no, no: turn them *all* off, and *open* them as needed. Jeez. They just... don't... get it. And then they come back later and say "windows and unix are equally secure, windows just gets attacked because it has more market share." They just do not understand basic security concepts.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
That won't really do either. If you want a real secure computer, here is a nice howto.
http://www.tuxrocks.com/
The article advocates doing actual *STUDIES* to back up the call for diversity. It also calls for other methods that are basically best practices for a business: a disaster recovery plan, proper backups, firewalls & IDS and managed desktops.
There is nothing wrong with anything he advocated in this article. Getting supporting evidence and adding diversity to a proper BC/DR plan is 100% correct.
What he fails to acknowledge is that Microsoft has, for its entire history, made security an afterthought that always lost to convenience.
Windows 95, 98 & Me were designed as *consumer* OSes, not corporate clients. Consumer OSes had no need for all those network services and ports being open by default. These systems were designed for home users, not businesses. WinNT, 2000 and XP Pro are different animals and are designed to be used in LANs where many of those services are going to be needed.
The DUN 1.4 update should have patched those Win95/98 systems to lock down almost every incoming port short of DHCP, NTP and DNS returns.
While MS has made noise recently about an emphasis on security, their actions speak louder than words. WinXP, while more stable than Win98/Me, seems to be just as vulnerable to security problems as other versions of their OS.
Even though Win95 and Win98 are no longer officially supported, MS needs to release one last patch that locks many of those ports down.
Unfortunately, no patch in the world will stop clueless users from clicking attachments without looking.
Learning HOW to think is more important than learning WHAT to think.
Back in 97, I was working at a startup where we were using the usual array of Microsoft tools to create web-based applications: IIS, ASP, Visual Basic (COM controls), and SQL server. The more I learned, the more I grew not to like it. The straw to break the camel's back was finding a significant bug in MDAC (which was acknowledged by a high-level tech once the ticket was escalated), and then having to wait 6 months for a fix.
I see they're up to their old tricks.
Back in the REALLY early days (MS-DOS on Peanut, I think, but it MIGHT have been the Altair/Imsai days) I happened to be reading the letter column of Byte magazine and ran across a complaint from a really early Microsoft user.
Seems Microsoft had come out with a Fortran compiler. The letter-writer had found a bug in how it handled one of the terms of formats - one he REALLY needed to work right to port some software from a mainframe to a personal computer. He had reported it. But they hadn't fixed it. After much escalation he finally got a statement from them that they KNEW it was a bug and were NEVER going to fix it. Thus his letter.
After reading that I spent my entire career avoiding Microsoft software. It's decades later and I haven't regretted it for a minute.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Didn't Neo use this exploit to gain access to the Architect?
If you don't like Microsoft, for whatever reason, don't buy their software...
I tried that for years. But the hardware manufacturers wouldn't sell me a machine without their software on it - paid for out of the retail price of the machine. B-(
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Dismissing Rob's article as simply "pro-Microsoft" propaganda is definitely very ironic coming from the biggest propaganda machine for free software (which, by the way, was never PROVEN to be more secure in the first place).
To condense and paraphrase the articles, the ZDNet article said "do not put all your eggs in one basket" while the Internet Week article said "keep it simple stupid." And according to Dogbert's Top Secret Management Handbook all truth comes from hackneyed sayings. Ergo, we know that both are correct.
This has nothing to do with anything remotely Slashdot related, but I need to do something before my head explodes...
There's a place for this.
Once upon a time this would have been perfect for alt.angst, but of course alt.angst went to hell and gone along with the rest of usenet somewhere around the intersection of 1996 and aol.com
The best replacement I've found is craigslist.org. It has a post board called "rants and raves" for which your post would be an excellent contribution and highly appreciated.
Since craigslist is sub-domained by (major) cities, and given that you think it's 3am, I'd suggest their London "office".
And best of luck and you have my sincere sympathies.
Putting on my amateur psychologist hat (it's a threadbare hat), it seems she wants you to know in no uncertain terms that she couldn't handle, after ten years of friendship, hooking up with you. Maybe she hopes a rather cruel and swift demonstration of this will salvage the friendship by showing you precisely how and why it wouldn't work out. Or perhaps she's trying to tell you (and herself) that the hookup was so insignificant (in her mind) that she can do the same thing the next week right in front of you and with your roommate no less.
I figure (having been your friend for 10 years) she can't be oblivious to what this is doing to you, so doing it in front of you must be her way of communicating something. Perhaps you (after they've finished rutting) simply ask her what the fuck that something is.
(Since this is off-topic, I'll post without my karma bonus, and I'll gracefully accept whatever karma hit whomever is modding tonight thinks deserved.)
Opinions on the Twiddler2 hand-held keyboard?
"Quick, install Windows XP on her machine. That'll teach her to fuck with you."
I got a better idea, install Linux on her machine. She'll get the hint when she's forced to type 'man mount'.
"Derp de derp."
While I understand the sentiment, uh, go whine somewhere else. Angst sucks.
You hate Microsoft? Well, you've got friends here at Slashdot.
But why do Slashdot's editors have to broadcast pointless invective such as this? The post is of a contentless article prefaced with mean-spirited and libelous accusations.
You hate Microsoft? Defend your hatred intelligently.
I happen to like Microsoft today. My mom just got broadband and upgraded to WinXP. Herself! And she got on the Internet and sent me an e-mail via Outlook Express. This is the same mom who, a few years ago, was still inserting floppy disks upside down. Microsoft enabled my Mom to be a part of this great Internet thing. That's way frickin' cool!
http://www.enderlegroup.com/
Provides consulting services during the review process of a poorly founded negative piece on a vendor or its products and, should it be needed, showcases the research errors, statistical mistakes, and unfounded conclusions that often define such a piece.
"Microsoft chief executive Steven A. Ballmer said yesterday that there is "much, much, much" left to do to protect computer users from viruses, worms and other malicious software."
Where he said "computer users" I think he meant to say "Windows users." Linux, BSD, Mac OS X, hell, pretty much every OS besides Windows has this pretty much sewn up. Not perfect, but on a security scale of 1 to 10, where 1 is "r00ted in 30 seconds" and 10 is "powered off", Windows is about a 2 and *nix is about a 9.8.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
From the redundancy department of redundancy. Microsoft Apologist Apologizes for Microsoft. Couldn't resist.
"It will ship Windows with security precautions activated that are now left off -- for instance, a firewall program that stops Internet worms such as Blaster."
I think he meant "Windows worms," not "Internet worms," since his example, Blaster, is in the first category. My Mac OS X firewall can be on, off, or sugar coated, I *ain't* gonna get fucking Blaster on it.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Let Rob know how you feel about his article:
Rob Enderle
renderle@enderlegroup.com
389 Photinia Lane
San Jose, CA 95127
(408) 272 8560 Office
(408) 832 6326 Cell
(408) 904 5274 Fax
Running FreeBSD, checking what ports are open...
None. I'm not running a server, so I never turned anything on. inetd is off. Every connection made is by my explicit command.
Why this isn't the default on every single operating system out there is beyond my comprehension.
Don't blame me, I didn't vote for either of them!
So you're saying that our *nix systems DO turn on/off ports as needed then...?
Because if not, the original statement placing security in the hands (and head) of the user/administrator is correct. Proper security methodologies can never, will never, have never been a function of the OS. While some OS's are more conscious of security than others in their design they are not the "base" for implementation.
That "base" is conceptual and subject to the intelligence and wisdom of the user.
After all - I trust NO OS for security implementations because I have effectively trusted someone else at that point and quite simply - that doesn't sit well with me.
Gene Hackman said it best in The Replacements about who wanted to carry the ball when it really counted - "Winners always do..." - When it comes to security I don't want Symantec, DLink, Cisco, LinkSys, Microsoft, Linux, BSD, CheckPoint, etc... carrying the ball for me...
I will carry that ball myself... and I trust no-one...
So people who follow this dope's dopey advice put themselves at risk. Does this mean this dope is committing a felony, computer sabotage? :)
I'm a sysadmin at a major online media company with a large-eared mascot where we have about 700 windows and 100 unix servers. We have competent people tightening everything, but for historical and political reasons our production environment is exposed to our desktop environment, and we were heavily impacted by several worms.
:)
If we had a mono-culture consisting entirely of Free Software, we would be completely unexposed and invulnerable to threats introduced via email.
In all seriousness, security analysis in our environment would be a lot simpler if we had fewer varieties of software to contend with. It's true that any compromise would be a more complete compromise, but automating our security would be much simpler at the same time. As it is, we have virtually every desktop and server OS available for i386, PPC and sparc, and it's a security nightmare. I have a lot of respect for the folks I work with for keeping it all under control.
He meant to say block tcp/ip.
That is a lot safer.
(Altho I will admit, that by not turning your windows computer on, I think you open up the possibility of really achieving that C2 security they laud.)
So someone writes an article saying it's not very practical to run multiple OSs in a work environment solely for security, and probably not more effective since if anything goes down, it'll probably hinder everything. Further he says earlier reports produce no quantitative evidence to show whether or not there will be a cost reduction in pasting together different systems to improve security. Also there is no mention of port 80 in the article. The article's points are reasonable, but not surprisingly slashdot is on a smear campaign that makes the LA Times look objective. Consider this, if Linux was the prevalent OS, would you still make the argument that people should diversify away from Linux to improve security? If your answer is no, you should consider your opinion biased. Anyway, the anti-MS tirade is getting old, and /. should get some objectivity if they ever want to be considered a credible news source.
Vote for Pedro
This is perhaps the most ridiculous, biased, inaccurate drivel I've read all year. The fact that it's published as an 'authoritative' piece when in fact it's probably no more than sponsored FUD[1] is concerning, and is precisely why I won't be wasting my time reading Information Week in the future. It doesn't take a rocket scientist to work out that monocultures are nothing short of dangerous, and it's a shame to see a more reputable firm like Gartner being criticised for drawing our attention to an important issue.
...his paper never gets past being more then just pro-Microsoft
And WHAT, exactly, about your experiences at this place would have made you expect a bit more?
Manipulate the moderator system! Mod someone as "overrated" today.
Or I get timeouts, same here. It's been that way the whole day since 12.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
Seems to me that the "one class of security threat" he is referring to is the microsoft product line...
Really, this guy Enderle, he's just a paid shill for m$ and $CO. What a wuss. It must suck to wake up every day as a spineless, totally whipped pussyboy, knowing that your whole life is a sham, that all you are is a mouthpiece for the company that lines your pockets. I mean, where is the satisfaction in a good day's work, a sense of accomplishment with what you are doing with your life? "Oh boy, I really lied to those suckers today. Whoot! Barkeep - Another round, on me!".
Glad I live a life unlike that one. I enjoy my freedom - life on a leash would *suck*.
If you are letting email-borne trojans into your network, your operating system is the least of your problems.
Manipulate the moderator system! Mod someone as "overrated" today.
Dear Internet Week,
Please stop publishing stories by Rob Enderle as it is hurting your reputation and "technology street cred". His stories are filled with obvious bias and fanboyism. Even though his error packed rants may generate a lot of page hits, I guarantee that they are not generating any sort of revenue. It probably would not be very hard to look into it for sure and find out I'm right. If you do your own investigation, you'll find out that the "Enderle Group" is made up of one person: Rob Enderle. He has never been taken very seriously and will never be considered an expert. The amusing nickname that people in the industry that do know security have given him is "Microsoft's Sock Puppet". Please consider doing your fine publication the strong service of issuing a retraction and apology for the ridiculous article you published by this supposed "expert" and never publish anything by him again. It still may not be too late to mend the damage this has done to your reputation.
For every annoying gentoo user, there are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
I have written hundreds of technical articles - some with positive things to say about MS, some with negative things about MS, some with positive things about Linux/open source projects and some with negative things about Linux/open source projects. For EVERY article that I have written which portrayed a negative stance on a Linux/Open Source project, I got ripped to pieces, accused of being pro-MS and anti-open source, and called a whole lot worse. Never at any other time unless the article wasn't very good (fortunately that's only happened once or twice out of the 200). It kinda sucks that people who actually enjoy working with and writing about the technology get bashed when they say something negative -- even when they back it up with hard facts.
Enderle's article refers to CCIA paper, and then claims it defended the diversity in a corporation.
However, CCIA paper defends the diversity on the Internet at large, not in single companies. Enderle then goes to say mono-culturalism is better for a company but then this is irrelevant to CCIA paper's claim. I don't understand why Enderle refers to CCIA paper.
Ask any Microsoft employee or contractor where Code Red, Nimda, Slammer, attacks are the worst: they will tell you: on CorpNet. This is where ITG supposedly runs "the perfect network."
Weigh that into your decision as to whether or not the Microsoft monoculture can prevent hacks.
Sounds like they need a bit of "diversity training."
Oh, good, it's not just me who's a raging anal-retentive about that sort of thing.
And don't get me started on loose/lose, either :-)
Hacker Public Radio is our Friend
Ok, it seems to be working again.
We now return you to our regularly scheduled /.'ing, which is already in progress.
Pete Carr Owner Chatmag.com
And the award for the best word palindrome attempt goes to...
Check out his website. You can get his Counterpoint product which is
Provides consulting services during the review process of a poorly founded negative piece on a vendor or its products and, should it be needed, showcases the research errors, statistical mistakes, and unfounded conclusions that often define such a piece.
or better yet try out a Certified Reference Account:
This acts as shield for a qualified reference account from unwanted exposure and attention by press and other IT managers. Enderle Group can provide the documentation, press contact and quotes about a product success while maintaining the integrity of the reference.
I wish that last quote could be published with every article he gets out there.
that sounds dangerous. Don't get one. And don't have doors on your house because that just makes it easier to bring a computer in.
The article quotes Bob Muglia: Moreover, forcing a company to diversify means reducing efficiency
As Frank Herbert wrote in The Dosadi Experiment, "eternal sloppiness is the price of freedom", ya big lug. Holy cow, reduced efficiency for the attacker is the point of diversity. Think about it: I'm getting hits from Code Red and Nimda Two Years after they were released, and during the first two or three cycles of Code Red, I got 20 hits a day. In comparison, I got maybe 20 hits total for Slapper, and they went away after a week. Microsoft and the anti-virus people need to realize that (as a whole) the Internet doesn't need absolute immunity from worms or viruses: we just need to have a large fraction of the population immune from any given virus or worm. We can tolerate 10% crappy, poorly-administered Windows boxes, but we can't tolerate 97% crappy, poorly-administered Windows boxes. Sobig.f should have proved that to everyone.
Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
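The threshold argument in the comment above, worked as a simple epidemic model. This is an added example, not part of the original comment; the contact and cleanup rates are constructed values, and the model goes beyond the comment by assuming uniform random scanning and a constant cleanup rate.

```python
"""Deterministic SIR-style model of a random-scanning worm.

All parameters are constructed for illustration, not measured from any
real outbreak.
"""


def reproduction_number(vulnerable_fraction, contacts_per_hour=0.5,
                        cleanup_rate=0.1):
    """Expected secondary infections caused by one infected host at the
    start of an outbreak. Above 1 the worm grows, below 1 it dies out."""
    return contacts_per_hour * vulnerable_fraction / cleanup_rate


def simulate(vulnerable_fraction, hosts=100_000, contacts_per_hour=0.5,
             cleanup_rate=0.1, seed_infected=10, hours=24 * 14):
    """Return (peak_infected, total_ever_infected) as host counts.

    vulnerable_fraction: share of hosts running the exploitable platform.
    contacts_per_hour:   probes per infected host per hour that reach a
                         live host (assumed value).
    cleanup_rate:        share of infected hosts patched or cleaned per
                         hour (assumed value).
    """
    susceptible = hosts * vulnerable_fraction - seed_infected
    infected = float(seed_infected)
    peak = infected
    total = infected
    for _ in range(hours):
        # A probe only succeeds if it lands on a still-susceptible host,
        # so the worm's efficiency scales with the vulnerable share.
        hit_probability = susceptible / hosts
        new_infections = min(susceptible,
                             infected * contacts_per_hour * hit_probability)
        cleaned = infected * cleanup_rate
        susceptible -= new_infections
        infected += new_infections - cleaned
        total += new_infections
        peak = max(peak, infected)
    return peak, total


if __name__ == "__main__":
    for share in (0.97, 0.50, 0.10):
        peak, total = simulate(share)
        print(f"vulnerable {share:4.0%}  R0 {reproduction_number(share):4.2f}  "
              f"peak {peak:9.0f}  ever infected {total:9.0f}")
```

With these rates the same worm saturates the 97% population but never grows past its seed hosts in the 10% one, because each infected machine is cleaned up before it finds, on average, one new victim.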
I wrote another critique of the monoculture paper on my blog. This monoculture business is a flawed analogy. It makes sense for crops, because if one crop gets infected it doesn't shoot firebombs into all the other crops and burn them to the ground. However, infections in a widespread OS can be just as harmful to systems based on other operating systems, as the recent DDOS attacks which took down some of the anti-spam servers showed.
You mean like these?
Who's editing that poor bastard's stuff? Fire 'em outta there!
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
- Accelerated adoption of patches.
Read: hire another person just to test MS patches so that they don't screw up our system. The story would be different if bad patches were a thing of the past, but MS releases a bad patch about once every year. Try explaining to the CEO or CIO that his IT network went down because you applied a patch system wide without testing it first.
- Locking down desktops so users cannot make changes and viruses and worms can't install themselves and run.
Read: Spend lots of time and resources securing PCs that should have been done at installation.
- Restricting ports, such as port 135, which effectively stopped the latest virus attack.
Read: Spend time and resources to block a port that should not have been open in the first place that nobody at MS bothered to think to lock down.
- Implementing additional security products, such as virus software and firewalls.
Read: yada, yada, yada. A firewall would not have protected a network if a single computer in the network became infected with Blaster. Also AV software like Norton were totally ineffective at detecting and stopping the issue until after widespread infection.
- maintaining "hot sites," or duplicates of key elements of the IT infrastructure, so if the main infrastructure is compromised, users can quickly switch to backup systems.
Read: Spend lots of money on a mirror system.
- Developing the capability to rapidly restore compromised software and data from backups.
For most companies this is already being done.
- Deploying Windows on alternative hardware. For example, "PC blades" centralize the processors, memory and storage of PCs in a datacenter, while the display, keyboard and mouse are at the user's desktop. PC blades give users the benefit of having their own dedicated PC, while keeping the hardware in a centralized location where it can be more easily maintained and secured.
WTF? Spend money on PC blades. Imagine if I went to my boss and said, "Boss, I can solve our Windows security problems."
Boss: "Great, what is it? Better, faster patches. Better quality control? Better support."
Me: "No, give 3x the capital budget to spend on new hardware."
Boss: "You're fired."
- Adding security staff or outsourced services.
Read: spend more money on personnel to try to patch the problem instead of spending more money on personnel to fix the problem by diversifying infrastructure.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Great idea. Let me make sure everything is off in my lab. Let me also ask management of my institute to file for bankruptcy while I am at it. I am sure they will thank me for making our network absolutely safe.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Perhaps it's best to turn off both 80 and 135. And 20, and 21, and 8080, and and and....
"'I got a better idea, install Linux on her machine. She'll get the hint when she's forced to type 'man mount'"
It's off-topic. But give him some credit, at least it's funny.
If you bought a computer you bought a Windows license, right? Thus all computer users MUST be Windows users. Yeah, I see many, many, many Windows open on my Mac at the moment.
What ticks me off is, for example TODAY, a loser was asking me how to take his Windows Media Player 9 imported files (couldn't seem to only get audio, but also got Video of nothing) -- and strip the video, convert and save down to a MP3. It was some old record collection he was importing and wanted to play.
I laughed and asked him what I told him to buy. A Mac. Ooohh, but XP is so pretty. Fucking useless operating system, start to finish. I told him to buy another hard drive to store his damn music.
Fuck that
You mention quite a few very important but frequently underestimated issues here. The network where I work is constantly being monitored and we know that firewalls and IDSs need to work both ways. I think that the prosecution one of our workers who was downloading pornography using our network (the poor bastard thought des encrypted icmp echo reply payload was a good "covert channel" -- not when I am in charge) will face in few weeks pretty much speaks for itself.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
well.. other than the repetition, i might agree with microsoft on this one because since they are saying diversity is better than monoculture, it stops short of addressing the benefits of monoculture -- so it's not exactly an analysis that is intended to educate on the benefits of both, it is leaning towards anti-monoculture, which might as well be judged as bias.
non-objective analysis
... being more then just pro-Microsoft.
At risk of being called a grammar Nazi, I must point out the differences between Then and Than. Here are some examples of proper usage of each:
THAN. I am smarter THAN you.
THEN. Why don't you shut up THEN?
THAN. You are dumber THAN a rock.
THEN. I'll go cry THEN.
Please, make an effort.
Please, please, oh please!!!!
Thanks
"Would it kill you to put down the toilet seat?" -- Maya Angelou
And the easiest way to do this is....?
Without going to something like SMS or some other kind of desktop lockdown system, a small .org like us is totally screwed. Adding another program to the setup is painful. Due to junkware, I end up rebuilding the labs at a minimum every other month.
Don't give me that BS about using 'Power Users' with profiles, etc. That's fine, as long as all of your apps play nice. NOT. There are several apps (newer ones too!) our school depends on that absolutely demand local root access in order for them to function.
This isn't necessarily all MS's fault, btw. But the problem is, Windows wasn't initially designed with security in mind. Instead, convenience took priority and to this day, a lot of Winapp programmers just don't get it. In my limited experience with Linux I can truthfully say that rights seem to be granted properly, i.e., anything that can permanently modify the system requires root access.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
I particularly like the GNU operating system approach to improving the Unix security. Of course I mean the Hurd kernel, not Linux. We all know ACLs, MAC, POSIX capabilities and even the Hurd auth servers are not the final solution, but one has to admit it's a good start which will surely lead to quite an interesting research during the following decades.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Just close off port 135 - or even better, disconnect it from the net completely to achieve Orange Book C2 security.
How secure is it anyway?
It'd be useless for just about everything except typing Word documents and balancing your checkbook, but at least it's secure from Internet Worms and SQL queries.
Karma: Whore (you post anonymously when you're a troll)
..because Enderle is a fool and an asshole (and MS does suck), but this time he is right on many points. For example:
Some of these are obvious - like, what exactly is the excuse for not patching a month after MS makes the patches available and getting bit by blaster a/b/c/d/e?
Once again, Enderle is a fool and an asshole, but apparently he's got someone intelligent ghost-writing for him this time. Diversity by itself is not the real answer for most organizations, because "security is a process, not a product". (Was that Schneier I just quoted?)
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
This is news! We have now been asked to install virus software on our pc's to help with security. Last I checked we were trying to install anti-virus software to protect against security vulnerabilities. The closest case of installing a virus to help fix a security problem would be the worm that went around *trying* to patch the msblaster virus (and we all know how that went).
Perhaps they should edit the article again...
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
Hello Mitch;
I would like to comment about Rob Enderle's article on Microsoft's security (http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=15202192). Mr. Enderle is wrong on many points and I would like to mention just a few.
1: MS Blaster virus ONLY affects Microsoft Windows (NT kernel) since it is a RPC DCOM buffer overflow (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A). So running Microsoft Office on a Mac will not give you the virus. A little research on Mr. Enderle's part would make this seem less of a piece of Microsoft shrill.
2: Name 2 HPUX viruses in the wild. Having all your critical business systems running on one platform is like having all the locks in the world having the same master key. While you may not care if the punk kid down the street has a master key to your home, do you want him to use that same key to open your bank?
3: No firewall or virus scanning software can defeat an infected laptop and a fast moving virus. I know several companies infected with Blaster because an infected laptop was brought into a company before all the systems were patched. Weeks later infected systems are still being found. The problem is it takes more time to patch thousands of computers than it does to infect them. By the way the HPUX oracle systems never noticed the problem and critical business functions continued while Windows systems were patched furiously.
4: While disaster recovery is absolutely critical to any organization (August power outage), there is simply not enough time or manpower to make this a business model. Think about this. A major virus takes ALL your systems at 2 AM. Hundreds of technicians rush through the night to try to restore thousands of systems so business can continue at 9 AM. Mr. Enderle's idea of a quick restore may work for a few systems but what about a company with thousands of computers? What do they do? This is not a scalable solution.
5: This is week 41 and Microsoft has released 40 critical patches so far. That means every week every windows server and workstation should have been patched. The vast majority of these patches require system reboots. This shoots your uptime to pieces. Yes I know you can use clusters so only one part of the cluster is down at a time, but what about the manpower to install all those patches and all those reboots? Even Microsoft releases broken patches (MS03-32) that break things and thus system administrators are leery of blindly applying patches. With a new critical patch every week it would require teams of system administrators to verify the necessity of each patch and then test it against each production server to verify it does not break the software running on each system.
6: Knowing multiple systems does require very talented people. For the ordinary tech support there is specialization. Unix team and a Windows team. In small companies then it is hard to avoid the jack of all trades master of none problem. Even in a pure Microsoft environment in a large organization it is impossible to expect every tech to know the ins and outs of all server applications (IIS, Exchange, SQL, Terminal server, etc). A general knowledge of each is quite possible but the 3AM everything is down and the boss is screaming "Fix it now!" is not a reasonable hope.
That is enough for now. There are many things wrong with this article but I will leave it at that. Mr. Enderle did not mention the equivalence principle (if everybody used some other operating system then they would have as many viruses as Microsoft) but I know people like him who have. This is a bogus comment made by people who do not really know anything about what they are talking about. Let me explain how an e-mail virus works in Linux. A message arrives with a Linux virus attached. The instructions in the message read "Save this on your disk. Change it to executable and run as root". That is 3 user required steps to infect a Linux system with a virus. This
Slashdot has never claimed any kind of objective viewpoint. It's rather biased. And it's become well-known, if not always popular, because of that bias.
Slashdot filled an interesting niche; a dissenting opinion when the IT press was almost entirely Windows-centric. Linux was quietly seeping in to the Enterprise. But the mainstream IT press either ignored it or was unfairly dismissive. Slashdot was a forum most noted for its pro-Linux and Open Source friendly opinions.
Times have changed.
Now, it's not worthy of a Slashdot news post just because a mainstream IT rag has mentioned Linux. It's not entirely unlikely to find pro-Linux / pro-Open Source articles in the mainstream. Right next to the pro-Windows articles. And the press releases being masqueraded as an article. Some things don't change, after all.
Slashdot's bias is one of those constants.
I'm kind of curious. It seems that over the years, Slashdot has gained more pro-Windows readers. Mainstream attention has either provided more people with a Windows-centric viewpoint or it's attracted more astroturfers and trolls.
But for every time I see someone complain about Slashdot displaying an "unfair" bias against Microsoft, I wonder how many people like myself sit quietly in the background glad that Slashdot keeps that bias firmly in place.
Nah, I just hate him for being a better thei-- businessman.
I'm too lazy to RTFM right now - what runs on port 135?
Are ports RJ-45 or RJ-11
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
Note for the record that the original version of the article referred to blocking port 80; the article has now been edited to refer to port 135.
I don't understand why so many companies have problems with IT security. Our company's IT security policy is simple and bulletproof: We do not use computers. In fact, just to be absolutely sure that those dangerous computer viruses don't get into our building somehow, there are no phone lines, cable lines, electric lines, water lines, or sewage lines entering the building. We don't even have windows or doors. We, the employees, simply stood around on a foundation while the brick walls were built around us. Nothing gets out; nothing gets in. We are 100% safe.
Enough's said!
Choose life. Choose a job. Choose a career. Choose a family. Choose a fucking big television, Choose washing machines, cars, compact disc players, and electrical tin openers. Choose good health, low cholesterol and dental insurance. Choose fixed-interest mortgage repayments. Choose a starter home. Choose your friends. Choose leisure wear and matching luggage. Choose a three piece suite on hire purchase in a range of fucking fabrics. Choose DIY and wondering who you are on a Sunday morning. Choose sitting on that couch watching mind-numbing spirit-crushing game shows, stuffing fucking junk food into your mouth. Choose rotting away at the end of it all, pishing your last in a miserable home, nothing more than an embarrassment to the selfish, fucked-up brats you have spawned to replace yourself. Choose your future. Choose life... But why would I want to do a thing like that?
Join the TWIT army now!
There's something to be said for *any* article including the words "I'm not a big fan of diversity" Oh Microsoft... where would we be without you?
Orationem pulchram non habens, scribo ista linea in lingua Latina.
Who would hire him? He doesn't even have executive hair. Maybe he's really tall...
cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
http://www.enderlegroup.com/profile.asp
No mention of any real technical education or experience. I'm so sick of these so called "experts" who do not have any real training or education in computing. Last I checked the Aberdeen group (and other consulting groups), most of them were English and History majors. When will they realize that their background isn't applicable to this field??? Being a student at one of our nation's leading universities in the humanities, I've realized that some of these people are so full of themselves that they think their intelligence will carry them through anything. This is simply dead wrong.
EvilCON - Made Famous by
In Rob Enderle's latest column countering the latest anti-monoculture reports (http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=15202192), he makes a few factual errors, one of which is his claim, and I quote, "This is the big problem with the diversity recommendations I've seen. If they had been implemented as recommended they would have had little impact on the MSBlast virus, which spread via common e-mail, and would likely increase the exposure for other types of threat."
This is clearly wrong, as the MSBlast virus was NOT propagated via e-mail, but by systems being vulnerable to an unpatched RPC service vulnerability that was open on port 135 (changed from the earlier port 80 in your article). There is ironically another error in that same, incorrect statement, and that is that of all the e-mail viruses and worms out there, they are all propagated by Microsoft's Outlook and Outlook Express, as no other e-mail software allows automatic scripting that can access the system.
To be fair, one should be fairly secure if one remains up to date with patches from Microsoft and followed good security practices such as closing the port and switching on the integrated firewall and turning off scripting macros in Outlook, and that is the answer I would have expected from a so called security consultant. His credibility might suffer a little bit for this article, and I think you owe it to your readers to make corrections, as you did with the port 80 statement.
The writer in the article mentions how diverse environments lead to security breaches. He uses the example of a workplace where the door locks are all different, preventing one master key. This is insecure because all of the keys for the doors were on the same ring as the key for the safe.
Obviously, master keys must have a little known feature that prevents them from being put on a keyring with any other key.
*Sigh*
Just after Blaster started clearing up, Microsoft released MS03-039 which is essentially the SAME vulnerability as was -026. They blew it. They didn't fix the problem with the -026 patch, so admins now had to re-patch all their machines.
Well, here we go again - only this time the exploit code precedes the MS announcement and corresponding patch. Yes kids, the hacking underworld has perfected the exploit code for MS03-039 and in doing so uncovered yet another hole in the RPC/DCOM service for which there is NO PATCH AVAILABLE!!! (As of 11 Oct, 2003 0100)
And for those of you who think that this is just FUD... here's the exploit source code. Simply compile under Linux, then change your shorts.
Network admins: May I suggest you take your sleeping bag and pillow and put it in your car - there's going to be a lot of late nights at the office coming up.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Two high-profile organizations recently argued that diverse environments are inherently more secure than "monoculture" (read: Microsoft-only) environments.
Is that really true? I don't know.
I do know that anything is more secure than Microsoft, and of that there can be no more discussion, and if Enderle had better than sh*t for brains and an MS paycheck in his pocket, he'd admit it too.
What do you expect from an analyst?
Surprise, surprise. An analyst without a clue.
Ahhh, where to start? Let's try at the top of the bit that I quoted above. There's more shit, but I won't waste too much time on this because this guy simply is an idiot. He should keep his analyst position, as most analysts share his open source knowledge. Ok, from the top,
It is clear that open source is a strong, low-cost replacement for Unix, and that most packaged applications for Linux and BSD cost the same as their Unix counterparts.
Wrong. Most applications that come in the distro, which is a large number of them, cost one copy. After that, you can 1. pay for support, where the distro company may expect you to buy "seats", or 2. you can hire an outside consultant, or one of your own employees to hack the code and provide your own support. And if that employee or consultant can hack the code for that one app, they can hack the code for just about any other app that came with the distro. So, thanks to the gpl license, a company is free to copy the distro, including the app, to more than one desktop or server. Or both. Instead of paying for licenses. Just to take the gimp as an example, for companies where the gimp is sufficient to their needs, instead of spending $1,000 per seat, in a 50 seat install base for photoshop costing $50,000, the gimp costs...a free download! Or comes with most major distributions of linux.
Applications separate from the distro? Some can be obtained, LEGALLY, by free download. You pay for support, if you need support. OR YOU USE THE OPEN SOURCE EMPLOYEE OR CONSULTANT WITHIN YOUR OWN COMPANY to hack the code and answer support questions (who will have the open source community to turn to in order to answer questions, often quicker than a closed source company).
Will Oracle on linux be cheaper than Oracle on windows? I'm sure Oracle will charge WHAT THE MARKET WILL BEAR, but I'll bet that Oracle on linux is priced, with the same capabilities, on par with windows. The savings will come from not paying the microsoft licensing, and increased performance on the same hardware, or lower costs for not requiring beefed up hardware to run windows bloat. Also, thanks to linux, microsoft is being forced to offer competitive pricing. 80% profit margins? Don't hold your breath for too long.
What a lot of foss advocates aren't aware of, is that for Oracle on Linux, you can't just use an off the shelf copy of Red Hat if you
I'm not a big fan of diversity because so much the research I've done over the last decade or so indicates that by eliminating diversity you can dramatically reduce costs.
You, sir, need to attend diversity training!
Are you trying to raise an army of informed sysadmins or an army of grubby computer crackers?
Oh wait, I forgot. There's very little difference between those two skill sets isn't there?
(Note to sysadmins: please don't flame me! I aspire to *be* one of you guys some day.)
Furry cows moo and decompress.
In a case like that, Microsoft's EULA doesn't apply at all, because the injured party isn't running Microsoft software and hasn't agreed to any Microsoft contract terms. This makes it an ordinary negligence claim.
It's like suing an auto manufacturer because somebody had a brake failure and hit you. Even if the other party was speeding, the manufacturer can still have some liability for the accident.
Some Linux-based ISP overwhelmed by Microsoft virus spam and mail bounces should go for this. There's a real case here, with real costs (overtime, extra mail servers, more bandwidth) associated with this stuff.
PREVIOUSLY BY ROB ENDERLE:
- Microsoft: Hated Because It's Misunderstood
- Reasons To Shun Open Source-ry
- Linux Is Not Ready For the Enterprise
If only they put these at the front of the article and spared my valuable minutes.
Not only that, but I bothered to check the links out and they're just plain rants.
And this is labelled news? Even /. has more news than this, despite being in large part activists for something or other (i'm one too, no worries)
Stuff.
And get a copy of gVim and the GCC...
Once you go command line, you never come back.
I love you.
There is no such thing. You will always consider:
Free software is culture that will guarantee that there will be no monoculture. There will be always a choice. And pay attention: you as a user will make a choice (not like the choice will be done for you somewhere in Redmond).
Less is more !
It does work. Rather well, in fact. One of the most simple, common-sense ways to start port-blocking is to block everything below 1024 except for services that you know that you want to provide. It's amazing how many networks get along just fine with nothing but http, ssh, dns, smtp, and pop-3.
By doing that and disallowing email with any executable attachments, one of the networks that I maintain has weathered all of the email/network virii/worms without a single incident - despite the fact that they have M$ machines that haven't been updated at all.
Occasionally, they'll call because someone thinks they have a virus. I'll go and scan all of the machines with the latest patterns, and guess what - no virii.
Of course, this in no way excuses Microsoft for their horrible security. It's simply a way to get at least a good start at protecting yourself.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Scientists today found evidence of a civilisation that once existed on a planet, third out from a sun in a far off part of the galaxy.
It's believed that the entire population was wiped out after a scientist (we think), Rob Enderle, recommended that because diversity of genetics made making drugs to cure cancer difficult, all humans (as they called themselves) should be made genetically identical to allow one cancer drug to cure everybody.
Within a day, scientists had developed the cancer drug and cancer was cured, worldwide, overnight. Unfortunately, the entire population was then wiped out by a single mutation of the common cold in the entirely predictable kind of way that anyone with half an ounce of common sense would have seen coming.
Commentators today stated that the kind of twisted logic that would allow this scenario to happen is generally caused by having your head stuffed too far up your own arse, or in extreme cases, up the arse of the CEO of a major corporation. The justification that it would make it easy for even the poorly trained doctors to cure cancer seems good at first but neglects to consider that it's really stupid.
Hmmmmmm..... Deep fried and look like Squirrel.
If I am going to turn all of the ports on our servers off, then I can just shut the whole damn network down as well. Both of those "solutions" are technically equivalent, the only difference being the obvious savings on electricity bill.
Indeed...
I don't allow Windows on my network. Do you think I'm stupid? I am not going to trust in security through obscurity done by the most ignorant people in the industry. This is an important network and I am not going to basically ask for trouble.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
please see: Microsoft Hatred, the beginning
Xah
xahlee.org
http://xahlee.org/PageTwo_dir/more.html
Nobody said you have to be competent yourself, but don't come crying to me when you realize that, for example, one can write an ASCII string which is a valid x86 shellcode after conversion to UTF-16, also having a plausible spectrum analysis signature. This post will probably get moderated as Score:-1, Obvious Example but sometimes even the most trivial attack may be successful if you are not careful enough, or if you don't know your architecture's binary instruction set for that matter.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
The most fundamental knowledge they need is exactly equivalent. The only difference is that "army of grubby computer crackers" needs to know only one successful attack to win, while any even remotely competent sysadmin needs to know all of them to be able to detect any of them every time. Of course you can always choose the easy way and hire Counterpane or similar service, but I always advise to have a security response team on site ready to counter the attack 24 hours a day, 7 days a week, with the flawless cooperation between them and your armed guards being the clue in case of insider job or physical compromise.
This is an exciting job, but may be dangerous if you are in charge of any important network due to physical attack possibility. Never underestimate the power of rubber-hose cryptanalysis. I mean it. Don't learn it the hard way like I did.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Then you too can attack the writer of said article. He said that the MSBlaster worm wouldn't have been stopped by having different systems in place, because it was "...spread by common email..."
If you recall, the MSBlaster worm was a Microsoft RPC vulnerability and was spread by just having an unpatched Microsoft Windows 2000/XP based machine connected to the Internet. It had nothing to do with email.
Even if he was referring to an email virus... If you are running software other than Outlook, then you are likely going to be completely safe from MOST Microsoft email virus attacks. Again, which the MSBlaster Worm was not...
The guy doesn't seem to really have his information for writing such articles... He needs to get on the clue train and then start writing his articles...
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
uncovered yet another hole in the RPC/DCOM service for which there is NO PATCH AVAILABLE!!! ... here's the exploit source code.
Thanks for publicizing source code which exploits a vulnerability for which no patch is available. Since M$ doesn't share its source (with me anyway), there's nothing we can do but wait for them to get around to fixing it.
Do you think this doesn't affect you, because you use only free software? Well, I can't really work on development in my spare time when I have to support Windows users whose boxes are blowing up, now can I?!!!
Yeah, I know you didn't write the code, or make it publicly available. But your publicizing it with a direct link in such a widely read forum is disheartening.
ChickenHawk is back!
"NG's posts really bother me, but I'm too stupid to use the foe feature!"
As if I don't know who you are, heh.
"Derp de derp."
felcher.
I suppose if a company were to have a monoculture of free software, they would have standardized on a particular desktop, os, editor, interpreted language (if such were needed), etc., etc., etc. You lower enterprise computing costs by making all the computers the same. That way you only have to test one configuration before releasing patches or software upgrades, etc.
That was why Enderle argued that monocultures are cheaper in principle than the diversified infrastructures Gartner and the CCIA are suggesting we should have. All I said was, you can do the same thing with OSes other than Windows, a point that seems to have escaped him.
...was written by himself, in his "opinions" column titled: "Opinion: Reasons To Shun Open Source-ry"
The very first two sentences are so mind-bogglingly imbecilic, not to mention a self-contained circus act of jumping into one's own mouth, that one needs not read further:
"Linux is not ready for the enterprise.
When I argued that point a month ago, I didn't really believe it."
I believe that the answer to the question WHY he argued that question if he didn't believe it himself, is a kind of Zen puzzle, with MS money acting the part of the sound in the felled forest of Forrester research's successes.
Actually putting strips of different plants in a single field can be a very good idea for reducing vulnerability to particular predators. I don't know examples[1] of it used for reducing disease propagation by insect vectors but it seems highly likely that this would be a worthwhile tactic. And very green. [1] IANAF (I am not a farmer)
They should introduce security into the protocol if there is some sort of problem, simply blocking it means that you cannot use the service any longer. What are they saying, that DCOM is not a good thing or that they are unable to write a security layer?
Too Much Litigation Risk: Not only is there risk from the SCO lawsuit, but I also received reports of many lawsuits brought by employers against their own employees for overzealous inclusion of the employers' proprietary code in open-source distributions.
Let him know what you think at:
Rob Enderle heads the Enderle Group, a company that will formally launch in September of 2003. He has been an external IT analyst since 1993. He is contemplating building an open source-free saferoom in his solar-powered home. He can be reached at renderle@enderlegroup.com.
renderle@enderlegroup.com
One of their main services is Counterpoint
Professional FUDmeister.
You can minimize your risk when staying up-to-date with patches and can block incoming traffic on dangerous ports, for example, but you'll never be totally secure this way. This is why it helps so much running *ix or *bsd , because you can chroot, jail, run apache as wwwrun and so on. Windows gives you full access once exploited, as you all know.
Imagine: Somebody attacks you with a working exploit before you've got the patch installed even if you update every day - unlikely, but possible.
Or imagine: You block all incoming traffic on 135/139 with your firewall and consider yourself immune to the blaster type of windows attacks.
Take a person connecting via a vpn (for example) to your network which has an infected machine at home and think of the consequences once he is connected. Efficiency of firewall -> zero (in most cases).
The Page 2 of his "Microsoft is misunderstood" article contains a few things that made me say "huh"?
The one I really noticed was "Don't copy entire software images from old PCs to new ones; leave that to the hardware OEMs, who have testing and procedures in place to make sure the imaging is done right"
If he is saying we should use factory images, that makes no sense, and would hurt security, since the from-the-factory images I've seen usually 1) do not have up to date patches/service packs and 2) don't have antivirus software.
He also says never to upgrade memory, which would majorly increase costs. Where I work we have P2 and P3 boxes still running with 2K or XP on them, and they would be useless if we hadn't upgraded the RAM, since they probably shipped with 64 or 128.
I have blog like everyone else
Over the years, I've seen many IT executives lose their jobs or trash their careers because they made a decision that was obvious to them but could not be effectively defended to upper management or internal auditors.
Nobody ever got fired for buying IBM, I suppose. This is how the instant vendors retain their clout. No doubt, a Microsoft-only sysadmin has much to defend his case: (1) nearly everybody else --that matters-- does it; (2) it costs more, so it must be better; (3) they have been making money at this for years, so it must be better.
And then what? Presumably, in time, a high-minded management will expect answers more detailed than, "I played it safe and spent 28% of our overhead on infrastructure that everybody else has." The neat thing about commerce is that money does talk -- it is the flow of the dollars that will dictate policy.
Guys like this don't matter, although they do intimidate weak minds. That's ok, we are not at the stage where the weak-minded matter -- they would ultimately come out the same way whether this guy scares them or not. Open source needs to address the "cost-of-ownership" issues and polish for enterprise, and in time, the nearly-best of us (presumably the best of us will still be making great stuff) will be promoted to positions to change the world.
Then we get to fire the fearmongers and weak-minded.
you are right. We even have started to move one by one servers to Gentoo. Very helpful to keep a reasonable balance between unified platform on one side, and different packages (at least in different versions) on the other side.
Less is more !
How exactly is that done on Windows? And why isn't it turned off by default? If all ports were closed by default, then software *I* install could require certain ones to be opened and do it for me as part of installation. Oh, MS doesn't allow you to disable individual ports do they?
"... being more then just pro-Microsoft"?
Please tell me this is a deliberate stab at those not even knowing (nor caring it seems) the difference between then and than, or is it really that even the /. editors themselves either don't know the difference or can't spell? Then I rather read VB code than frontpage stuff like that.
Ya know, "anti-Microsoft" is getting a lot of press lately, and I get the feeling that people (particularly at Microsoft) dismiss this as simple envy or jealousy at Microsoft's pre-eminent position.
This is just plain wrong! The truth is that Microsoft's present goals do not coincide with those of their customers anymore.
When Microsoft was first struggling to gain marketshare, interoperability and increased functionality were their goals.
I remember working with the horrible mess that was Banyan vines. When Microsoft added compatibility with Banyan's product, I found that Microsoft's clients worked better with Banyan than Banyan's own products did.
Customers wanted certain features and weren't getting them from competitors, Microsoft gave it to them. I used the mess that was WordPerfect Office: it crashed often, they had many features but most of them didn't work correctly, and converting to/from other formats was always iffy at best. Moving to MS Office at that time was like a breath of fresh air: things mostly worked and the single biggest reason that I installed Word the first time was to be able to convert to/from other formats. Word did that so well that I didn't even use it as a word processor at first; simply as a format converter.
Fast forward to the present: there are no competitors of note on the desktop anymore and Microsoft's attitude towards their customers has changed. Rather than wooing them, they treat them as yet another resource. Times get bad, revenues fall and Microsoft's only responses are to persecute them (through the BSA = software Gestapo) and to create artificial upgrade policies and price increases to make sure their bottom line doesn't suffer. At the same time worries about piracy forced the addition of ever more intrusive and draconian registration policies that annoy legitimate users and do little to stop piracy. And, to cap all this off, interoperability became a dirty word at Microsoft; their products began to be deliberately designed to work well only with their products, no one else's.
Microsoft made huge gains in the marketplace by giving their customers what they want. They are threatened now because they have changed to giving the customers what Microsoft wants, NOT what the customers want!
I can hear Bill or Steve at meetings now: 'I don't understand it! We have increased revenue in spite of the fact that there was a recession. We have hired thousands of H1B workers so we don't have to pay the prevailing wages in the US. We hire contract workers and lay them off at the proper times to prevent paying medical benefits. We have locked in customers to our products and then increased the price during the worst economic times this country has seen since our founding. We even invented the BSA and then sic'ed them on all those rotten bastards who dared to leave our products on the hard disks of machines without using them. We have become the most profitable company in the world and people are shunning us for that damned upstart, Linux! Why?'
'Ya know, now that I think about it, none of those things I mentioned have anything to do with writing software! Maybe, just maybe, we should go back to writing software. Maybe we forgot about answering the customer's needs and selling them a product that actually increases productivity. Do ya think?'
'Nawwww, crank up the FUD machine! Hire another 1000 lawyers! Fund another 100 TCO studies that prove Windows is best! See about moving our entire coding staff to India. Stupid fucking customers, they'll buy our product and like it!'
He says:
"Public "debates" about Linux contain behavior that could easily violate HR rules as the arguments drift into language that has become unacceptable in the enterprise and has little to do with the topic being debated"
Hey fucks him. If he could get laid, I'm sure it would mostly be from male goats who were tied down and drugged so they wouldn't struggle so much.
As to his intelligence, a flatworm just crawled by and laughed when it saw his picture.
Fucking moron.
Reading through Rob's list of security options, there's one that is conspicuously missing -- don't use Microsoft products in the Enterprise until they get their act together on security. Interesting that he missed this in his plan of action....
Why do so many front page posts have major grammar and readability problems? I couldn't tell from that post what the article was about besides something to do with Microsoft. There are not that many posts per day. Is it so hard to correct a few obvious errors so that we can tell what the articles are about?
...of a Microsoft Apologist Apologizing for Microsoft on the monoculture reports, check out this 3-part series:
Part I: Wherein the author proves he doesn't know the difference between an API and the OS which implements it. He also manages to confuse integration with breaking encapsulation and argues that integration is achieved by eliminating modular programming. He also resorts to the traditional monopolists' excuse that the economics of scale trumps competition, imagining that Adam Smith would actually support this excuse.
Part II: Wherein the author proves that he has failed to notice the CCIA convinced a judge he was wrong about Microsoft's status as a monopoly. Then he goes on to lie about the accessibility of MS's APIs.
Part III: Wherein the author argues that 15-years-out-of-date MS technology is "cutting edge" while ignoring the fact that IE is still not standards compliant with a standard which he says evolves too slowly to keep up with that "cutting edge."
The author of these diatribes (John Carroll) managed to convince me he was so clueless about the fundamentals of programming (compare Microsoft Press's own "Code Complete" with the "facts" in these stories to see how far off base he is) that I am sure I would never hire his consulting firm, Turtleneck Software, for anything.
The issues raised by the CCIA report deserve hard scrutiny. But that scrutiny must be based on facts. And on what the monoculture report actually said. Diversity of API is bad, and the report acknowledges this by arguing for strong international standards. Diversity of implementation is good, and the report makes a strong case for this.
Carroll lies to his readers by claiming the report favors diversity of API. He then compounds this inaccuracy by claiming Microsoft has achieved its monocultural monopoly by promoting a single API that has become a public standard. In fact, they achieved it by constantly changing the API, hiding it from their competitors, and forcing those who wrote competing products for their platform to write to a different API, which itself changed when it was convenient for MS (i.e., inconvenient for their competitors).
This level of dishonesty should get Carroll fired at ZDNet, but it probably won't.
And we still don't have a good, rigorous criticism of the CCIA's report. A criticism we desperately need.
Eternal vigilance only works if you look in every direction.
Your sampling of Ng's response doesn't show him being lame. It shows him being decent. If more people were to act like he did and say "sorry I overreacted", then Slashdot would be a better place.
As for his karma, it's excellent. Not bad considering most of his posts are modded as funny, and you don't get karma for that. Looking a little closer, he also has a long list of fans.
There is no real substance to your claims. I am not the least bit surprised you posted anonymously.
Saying that big bang is the best way to go is as big an indictment of Microsoft and its problems with Windows as anything the naysayers and critics could say. "I not only don't play well with others, I only play nicely with my own clones."
-John Van Voorhis
P.S. This is a direct, ontopic editorial comment responding to the article text.
whatever you say buddy. looking at most all your posts, you really don't contribute much. You constantly complain about being modded flamebait, offtopic, or troll in the wrong places at the wrong times. Surprise surprise, these get modded down. THEN you proceed to complain about your previous complaint being modded down because either slashdot is fundamentally flawed or that some person at slashdot is out to waste mod points on you.
Here's an idea, grow up. If someone mods you down, live with it! Move on and start contributing something besides: 1) your criticism towards people moderating your posts, 2) how slashdot sucks, and 3) how the articles are crap.
You whine like a mule, and yet you do NOTHING about it. So if you won't change your attitude, why not try setting up your own site using slashcode? Let's see how fair and unbiased your site ends up. Let's see how many good stories you can find on the internet. Hell, slashcode is opensource, so if you think you can come up with a fairer system, you can try coding it yourself, or toss the idea onto a slashdot forum (or even a high volume non-moderated usenet forum) and see if anyone (including OSDN, slashcode developers, etc) likes it or can offer some constructive criticism.
let me just repeat for clarity: no one cares how flawed slashdot is. if you bothered to read the faq, you would see how the /. editors have worked with problems in the past, and you would see how difficult it is to build a moderation system which can be efficient, objective, and cannot be abused. Similar to trying to create a fair government. Furthermore, if you're going to whine, do it in a journal. Ironically, your complaints just add to the amount of stuff that needs to be moderated, so you're just adding more work to the system.
And no, your comment would still be OFFTOPIC if I had mod points to give. OTOH, there seem to be a lot of people who complain about slashdot for exactly the same reasons you do, and, like you, they don't even contribute any helpful suggestions. So you'd more likely be modded REDUNDANT. I could post my complaint about your complaints about slashdot story ABC in slashdot story ABC, and even though I could mention the name of the story and maybe even the theme, it still doesn't contribute: 1)any NEW information about story ABC, 2) anything insightful towards it, or 3) anything funny that relates to the forum threads.
get over it.
BTW, Anti-"M$" Bash-Fests are misnamed because BASH is not a Microsoft product, and I'm not even sure that you get it with SFU.
Got time? Spend some of it coding or testing
The joke was kind of foreseeable, but your actual delivery was more tongue-in-cheek than a woodpecker. Well done.
Got time? Spend some of it coding or testing
If he closed his own Port 80, the world would be a better place. (-:
Got time? Spend some of it coding or testing
This kind of stupidity has a long tradition in Microsoft; for example, they took VMS, an easy-to-secure system, and gave us Windows NT.
Go and read some of the SaMBa design (and so by implication reverse engineering) documents and code comments, it'll give your eyebrows an extended holiday behind your hairline.
After you've done that, you'll probably criticise me for being too lenient on Mr Money & Co.
Got time? Spend some of it coding or testing
Subject: Rob, are you actually paid to do this?
Date: Sat, 11 Oct 2003 19:53:01 +0800
...and from other sources: [-text in brackets is filler to make lame SlashDot lameness filter happier-]
From the horse's mouth, the security problem harped on in the report is explicitly the monoculture, not the Microsoft. So you've started on a misconception. Do you recover from this?
Er... what? Gartner are hardly known for being critical of Microsoft, in fact they've got an informal reputation for being on Microsoft's cheer squad, if anything.
As if to underscore their reluctance to injure or offend such a lucrative and dominant source of income, Gartner speak as little as possible to Microsoft, as such, limiting themselves to Windows. I believe this to be a mistake, since the majority of reported vulnerabilities on desktop PCs have been in Microsoft applications other than the OS - such as Outlook, Internet Explorer or IIS.
They also make it plain, regardless of motives, that their primary concern is the lack of diversity, and I quote: [-text in brackets is filler to make lame SlashDot lameness filter happier-]
Perhaps Gartner have realised that there is an issue here that they need to be seen to be addressing? [-text in brackets is filler to make lame SlashDot lameness filter happier-]
Two strikes against Rob. But you go on to say: [-text in brackets is filler to make lame SlashDot lameness filter happier-]
Also wrong (third strike), at least in origins: the report now filtered through CCIA was originally released by the diverse group of security consultants through security firm @Stake - and it seems that @Stake are so pro-Microsoft that Dan Geer, then @Stake's CTO, was fired over the publication.
This brings to mind an interesting statement from [the] President of the Verm[o]nt Library Association:
To be sure, Microsoft are not the FBI - but the principle is exactly the same.
The whole set of premises that you justify your article by are completely wrong. This essentially makes it worthless. But even if the raison d'être had been sound, you also muck up the content:
A Microsoft-aimed worm took out one large local ISP's mail service for a day, and kept it lagged for about 3 days this last week. A consultant I wo
Got time? Spend some of it coding or testing
Just in case you missed my other comment (foolishly moderated as Score:0, Flamebait, because I dared to say I don't use Windows) I want to clarify few things: I don't allow Windows on my network. Period.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Why, yes, indeed...
Speaking about chroot jail, make sure nothing inside runs with euid 0 and there's no suid and/or local exploitable vulnerabilities (a, so called, "local r00t 'sploit") inside the jail, otherwise breaking out is surprisingly trivial. I just wanted to point it out just in case anyone reading your comment could think chroot is a panacea, while we know it doesn't work against superuser euid privileged processes.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
In Linux, either Capabilities or the SE patches nail that down quite convincingly. You could also put the jail on a NOSUID,NOSGID partition if you were worried about crackers being able to set a SUID bit on an executable.
I'd be surprised if OpenBSD didn't take similar precautions.
Got time? Spend some of it coding or testing
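The two precautions raised in the chroot comments above (no setuid/setgid files inside the jail, and a nosuid mount underneath it), as an added example that is not from any poster in this thread. The function names are illustrative, the jail path is assumed to be absolute, and the mount-table format assumed is Linux's /proc/mounts.

```shell
#!/bin/sh
# Added example: static checks on a chroot jail directory.
# Function names are illustrative, not from any existing tool.

# Print every setuid or setgid regular file under the jail, one per line.
jail_suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Print the mount options of the filesystem holding absolute path $1.
# $2 is a file in /proc/mounts format (default: /proc/mounts).
# The longest mount point that prefixes the path wins; on a tie the later
# line wins, because a later mount shadows an earlier one.
jail_mount_opts() {
    awk -v p="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            hit = (mp == "/") || (p == mp) || (index(p, mp "/") == 1)
            if (hit && length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# Succeed if the comma-separated option string $1 contains nosuid.
has_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Run both checks. Prints findings; returns 0 when clean, 1 when something
# needs fixing, 2 when the jail path is not a directory.
audit_jail() {
    jail=$1
    mounts=${2:-/proc/mounts}
    [ -d "$jail" ] || { echo "audit_jail: not a directory: $jail" >&2; return 2; }
    rc=0

    suid=$(jail_suid_files "$jail")
    if [ -n "$suid" ]; then
        echo "setuid/setgid files inside jail:"
        echo "$suid" | sed 's/^/  /'
        rc=1
    fi

    opts=$(jail_mount_opts "$jail" "$mounts")
    if ! has_nosuid "$opts"; then
        echo "jail filesystem is not mounted nosuid (options: ${opts:-unknown})"
        rc=1
    fi
    return $rc
}

# Usage: audit_jail /absolute/path/to/jail
```

These are static checks only: they do not show whether a process already running inside the jail holds euid 0, which is the other condition the comment names.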