Slashdot Mirror


Microsoft Apologist Apologizes for Microsoft

hillbilly1980 writes "Internet Week has published a counter article in response to the number of anti-monoculture security papers recently published. Unfortunately the author starts out by writing off the other papers as simply anti-Microsoft, unfortunate because his paper never gets past being more then just pro-Microsoft. One of his suggestions to secure your enterprise... turn off port 80." Probably the best thing to do to prevent disinformation from entering your company is to block articles by Rob Enderle. Update: 10/11 00:54 GMT by M : Note for the record that the original version of the article referred to blocking port 80; the article has now been edited to refer to port 135.

277 of 446 comments

  1. Bah! by Plix · · Score: 4, Funny

    One of his suggestions to secure your enterprise... turn off port 80

    That's nothing. To be *really* secure I just don't even turn my computer on!

    1. Re:Bah! by CyberVenom · · Score: 3, Funny

      Unfortunately your computer wakes up as soon as I send a packet because you forgot to turn off the Wake-on-LAN feature of your integrated NIC.

    2. Re:Bah! by Llywelyn · · Score: 1

      You forgot: Lock it in a room by itself and epoxy the drives shut, then weld the case together. ;)

      --
      Integrate Keynote and LaTeX
    3. Re:Bah! by UserGoogol · · Score: 1

      Luckily, Windows has the feature of forcing the user to turn off their computer periodically. Sadly, recent versions of Windows have removed this feature somewhat, but there are countless third party applications which will return this feature to Windows.

      --
      "Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
    4. Re:Bah! by LnxAddct · · Score: 1

      Who says microsoft products aren't secure? I've got a perfectly secure microsoft product in my basement! Ok, so its an Xbox and its running linux.

    5. Re:Bah! by killmenow · · Score: 1
      No no... You misunderestimate the risk.

      Bruce Schneier reveals the truth of the situation:
      The only secure computer system in the world is unplugged, locked in a vault at the bottom of the ocean and only one person knows the location and combination of that vault. And he is dead. -- Applied Cryptography
    6. Re:Bah! by schotty · · Score: 1

      Not a bad point really.

      --
      Sigs are nice guns ...
    7. Re:Bah! by bill0755 · · Score: 1

      "gets past being more then..." should be gets past being more than

  2. Slashdot by Karamchand · · Score: 2, Insightful

    Slashdot is too subjective.
    Ok, it is completely understandable and ok that slashdot is not a pro-microsoft-newsletter. But still I would have expected a bit more. Not just "oh, and if Rob Enderle is from Microsoft everything he says is bad".

    1. Re:Slashdot by spektr · · Score: 1

      oh, and if Rob Enderle is from Microsoft everything he says is bad

      I can show you countless slashdot-sponsored studies which support this with hard statistical data. :)

    2. Re:Slashdot by jackb_guppy · · Score: 1

      No, what he said was bad. He shows no knowledge in the area. It would have gone a long way to his credibility if he had just said step by step how to. Basically he can't without making it a non-monoculture.

    3. Re:Slashdot by Jerry · · Score: 1

      Why both Slashdot?

      Just use Google and select all his articles and postings. After viewing a few randomly chosen ones you understand why Enderle has earned the title "Microsoft Sock Puppet".

      He only adds to his reputation by making 'suggestions' for improving WinXX security.

      --

      Running with Linux for over 20 years!

    4. Re:Slashdot by Lshmael · · Score: 3, Informative

      You can even just use the other articles he has written for Internet Week:

      PREVIOUSLY BY ROB ENDERLE:
      - Microsoft: Hated Because It's Misunderstood
      - Reasons To Shun Open Source-ry
      - Linux Is Not Ready For the Enterprise

      Those are all "Opinion" columns, btw.

    5. Re:Slashdot by zurab · · Score: 3, Informative
      But still I would have expected a bit more. Not just "oh, and if Rob Enderle is from Microsoft everything he says is bad".


      Here's a little bit more (at the end of the current article):

      PREVIOUSLY BY ROB ENDERLE:
      - Microsoft: Hated Because It's Misunderstood
      - Reasons To Shun Open Source-ry
      - Linux Is Not Ready For the Enterprise


      Further, in the article, after presenting a general statement (that he tries to critique) that diversity is good for security, he claims:

      These arguments were put forward by Gartner and, separately, a panel hosted by the anti-Microsoft Computer & Communications Industry Association.

      But there is no evidence that either party has actually analyzed the cost of diversity or quantified the risks of diversity.


      As opposed to who? Himself? He presents no cost or risk analysis of anything either, including diversity, or any of the arguments that he is trying to put forward. But based on his previous articles and general sentiment, it is obvious that he doesn't need to. It's clear what his conclusion is going to be anyway.
    6. Re:Slashdot by donscarletti · · Score: 1
      I understand that views of slashdot and slashdot fanboys such as myself are tilted in a particular direction, as are everyone else's. It is impossible for a human to be fully objective, as human minds all possess a certain set of values that we personally hold to be true, and our morals and integrity usually prevent us from acting against those values, meaning that even if a universal truth existed it would be doubtful if it could be followed by anyone.

      I come here because I have tried most of the alternatives to linux (Windows 3.1, 95, 98, 2K and XP, MacOS 7, 8 and 9 and even OpenBSD) and I have decided that I not only like LINUX the most, I like it the most by a huge margin. Since I like Linux, I therefore see from a LINUX lover's perspective and therefore like to hear news written from a LINUX lover's perspective, because I see that as objective because it conforms to the values that I hold as universal truth.

      For me, anything that concedes that windows 2000 is a tolerable operating system is totally inaccurate and most probably biased, as I have had three years of personal experience to the contrary. I however understand that this view is not shared by everyone. Those who I disagree with possibly have views that are as valid as my own, but are however completely wrong from my own perspective, and I will argue, insult and bitch accordingly.

      See those four letters at the bottom of every page on slashdot? They say OSDN, Open Source Development Network, a project set up to encourage open source development and a subsidiary of VA Linux Systems. Why wouldn't you expect it to support Linux with the zeal that is fitting of something with its interests tied so closely with Linux?

      As for yourself, I have no idea where you stand on the subject of operating system preference; for all I know you could be a bigger linux fanboy than myself or you could be the guy who wrote that awful piece of trash security guide. It doesn't really matter. All I call on you to do is to acknowledge that everyone is biased, as true objectivity cannot be found anywhere. You should also possibly have a think about whether continuing to read slashdot will give you greater grief than it will bring you enlightenment.

      --
      When Argumentum ad Hominem falls short, try Argumentum ad Matrem
    7. Re:Slashdot by Brandybuck · · Score: 1

      he knows as much about this topic as Rush Limbaugh knows about american football.

      Actually, Rush knows quite a bit about football. He has forgotten more about football than you have ever learned. Next time please engage brain before attempting witticism.

      --
      Don't blame me, I didn't vote for either of them!
    8. Re:Slashdot by Read+Icculus · · Score: 4, Informative
      Have you read any of this guy's stuff? Or did you just decide to post some now-popular "quit being such a bunch of slashbots" stuff in hopes of getting modded up? Check out this preface to his article on "Linux is Not Ready For the Enterprise" -
      Linux and other open source projects require too much customization, and doubts about the legitimacy of open source code could get users tangled up in lawsuits. Besides, many Linux supporters are a bunch of potty-mouthed malcontents. Enterprises are better off staying away from Linux and open source -- or at least thinking through the possible liabilities

      I agree that any business should think through the liabilities of any piece of software that they are going to deploy (like maybe think for a second about distributing copies of Windows throughout your business, an OS that includes a piece of software that was found to be illegally infringing on a legal patent, unlike the SCO case which is merely in progress, much like all the lawsuits against MS), but what the hell does "Besides, many Linux supporters are a bunch of potty-mouthed malcontents" have to do with a consultant's article on the weaknesses of Linux? Should I write an article about "Why Windows sucks on the Desktop", and then state "Besides, many Windows users are nothing more than software pirates and they download the vast majority of illegal mp3s"?

      Here's a good one from the article "Reasons to Shun Open-Source-ry" -
      I now honestly believe that Linux and open source are big, bald-faced lies perpetrated on the industry by itself. ... How many credible people told each other with a straight face that profit didn't matter? This seems much too similar to "free software" to me.

      If you actually read this guy's articles you start to get a pretty good idea of the amount of FUD that he is spreading. Check out his consulting group, do some googling, and check out his bio - GigaWeb . This guy is a marketroid consultant who seemingly only works with and promotes MS products, (according to his own information!). His arguments are also generally full of holes and he often uses ad hominem attacks while bashing anti-MSers for doing the same thing. The only platforms that seem to draw his ire are non-MS, check out all he has to say on OSX and Linux, (If you can stand it). He even asks if OSS supporters have "ever heard of capitalism?", and says that he does not want to go back to the days of cheap software. I've read about a dozen of his articles now, (know thy enemy), and I suggest that anyone who has some questions on this guy do the same.
      --
      Anti-social? My code is just platform-specific.
    9. Re:Slashdot by Geekbot · · Score: 1

      Can you really expect someone who is even non-biased to be okay with someone saying to neuter your computer by turning off port 80 to make it more secure? It sounds like that old joke about the only way to have a secure computer is to never plug it in.

    10. Re:Slashdot by El_Ge_Ex · · Score: 1

      Ok, I'm gonna get hurt for asking this. but I got some karma to burn... :)

      I use Visual Studio .NET. There. I said it. I'm sorry.

      It's just that with the 2003 release (last version only lasted a year?) they did finally get (mostly) up to ANSI C++. I like using the debugger. It makes things easier on a single screen. Also, its little 'annoyances' can come in handy if you've got a lot of data structures to keep track of.

      Ok, having said all that. It pisses me off that I can't use it for Java, nor have anything close on a platform other than Windoze. Someone PLEASE show me something near as good that:

      1. Compatible with C++/Java/Some scripting languages
      2. Integrated editor/debugger
      3. Works well with compiler
      4. Multi-platform (or at least Linux for god's sake!)

      College student seeks help before he becomes corrupted completely!

      -B

    11. Re:Slashdot by chrismac2264 · · Score: 1

      If you have read Rob's articles, you know he has no idea what he's talking about. This guy has no business giving anyone advice about technology issues.

    12. Re:Slashdot by LnxAddct · · Score: 1

      ya know what? if you're gonna come up in here saying all that stuff in support of microsoft, you can just click your little alt+F4 and get outta here. "Slashdot is too subjective" my ass

    13. Re:Slashdot by antiMStroll · · Score: 1
      Karamchand, your post could serve as the illustrative example for Webster's definition of 'irony'. In a completely unsupported and subjective manner you blame 'Slashdot' (whatever that means. the editors? an editor? the users? including you?) for being too subjective. It was either a very clever troll or you need to think this through a bit more. My recommendation would be to start with the content of Enderle's works instead of your perception of the personalities.

      BTW, Enderle isn't from Microsoft.

    14. Re:Slashdot by Waffle+Iron · · Score: 1
      He has forgotten more about football than you have ever learned.

      That's only because drug abuse leads to memory loss.

    15. Re:Slashdot by Evil+Adrian · · Score: 1

      See those four letters at the bottom of every page on slashdot? They say OSDN, Open Source Development Network, a project set up to encorage open source development and a subsidury of VA Linux Systems. Why wouldn't you expect it to support Linux with the zeal that is fitting of something with its interests tied so closely with Linux?

      What he said has nothing to do with supporting Linux -- he is complaining about the mindless sheepery that is the Slashdot Anti-"M$" Bash-Fest.

      --
      evil adrian
    16. Re:Slashdot by tuba_dude · · Score: 1

      "Rob Enderle?"
      "Yeah, that's me."
      "You're a jerk."
      "What?"
      "You're a jerk, a complete kneebiter."
      At this point Wowbagger, turn around, get in the ship, and fly away. It should leave him thoroughly confused.

      --
      "The government of the United States is not, in any sense, founded on the Christian religion."
    17. Re:Slashdot by ergo98 · · Score: 2

      As opposed to who? Himself? He presents no cost or risk analysis of anything either, including diversity, or any of the arguments that he is trying to put forward.

      Refuting an opposing position with facts, when the opposing position is factless, is often futile and counterproductive -- you end up giving credence to that which deserves none. If he critiques their analysis because of a dearth of facts, then take it at that: He doesn't have to present his own to call bullshit to theirs.

      Obviously this guy's angle is "defend Microsoft". By the same token you can find countless pundits whose angle is the opposite position -- attack Microsoft -- and every article they author is a perpetual diatribe "exposing" the evil that is Microsoft (many such pieces are linked on Slashdot regularly).

      I'm neither for or against this guy or his article (I didn't read it -- sounds like a another factless bunch of tripe. I felt the same way about the similar anti-Microsoft article that got the sheep excited a few days ago.

    18. Re:Slashdot by ChaosDiscord · · Score: 2, Insightful

      This guy is an amazing tool. My favorite line so far? He claims that open source puts you at more risk for litigation. But doesn't proprietary software have the same risk? No, and here's his claim why:

      The pain associated with getting hold of proprietary source code is one of the things that limits intellectual property lawsuits for commercial software. But with open source software, the code is already available, out in the open.

      So apparently it's all okay, because you're less likely to get caught.

      Humorously, he claims the moral high ground because he argues on logic, not emotion, but his arguments are heavily tainted by his emotional attachment to Microsoft. He attacks strawmen arguments for the Open Source side, real nice debating.

      He's a troll and FUDmonger. Fuck him.

    19. Re:Slashdot by Malcontent · · Score: 1

      I didn't know you could use visual studio to write java apps. Is that true or is it some broken flavor of java like java.net or something?

      Also, why wouldn't eclipse fulfill your demands?

      --

      War is necrophilia.

    20. Re:Slashdot by jaylene_slide · · Score: 1

      Whoa, Ethel. I think this here's one o' them there potty-mouthed malcontents that there Bobby feller was goin' on about. Cover yer eyes, honey.



      --
      "Your proactive bipartisan synergy is indemnifying. Good work, carry on."
    21. Re:Slashdot by Newcastle22 · · Score: 2, Interesting
      Not completely true. In addition to being owned by Microsoft, Rob Enderle also makes little sense.

      "Because the key ring was so large it was easy to find and exploit. This is not to say the approach of having a single, master key was more secure, only that the fix actually didn't mitigate the problem at all, in fact it actually made the keys easier to find."

      What is he talking about? This analogy was pulled straight from the man's ass, obviously. He's comparing the virtual size of bits to the physical size of a keyring. Sure, the sizes of files are noteworthy to crackers, but any decent sysadmin memorizes his 'keys' anyway. What a stretch this one was.

      "For example, if a virus targeted Microsoft Office and an enterprise deployed Apple systems running Office, for compatibility reasons, that enterprise would probably be damaged by the attacks."

      This is simply not true. I can point to the example of internet explorer exploits that only worked on Apple versions of the software (www.w00w00.org, I believe). I'm sure folks here can come up with a hundred examples of why this is not true. Summed up, the same applications work differently across different architectures. It's half of the reason why non-monoculture works well to secure networks. (The other half is having different OSes.)

      "But he penetrated the site in under a day by attacking another company which had trusted links into the IBM-secured site."

      I'll lay a bet this other company was running Windows servers.

      "One of the biggest problems caused by diversity is that it become very difficult for the IT staff to maintain equal competence on all platforms."

      Here is the only good point this guy makes, and he makes it at many different points throughout this article, but in different wording each time (I'm assuming he was having a hard time finding something constructive to say). There is an easy solution to this: use Linux on the entire network. There's a secure AND cheap solution for small, medium, and big businesses! In addition, having servers run Linux, and Windows on the client side (assuming your clients aren't smart enough to learn Linux), isn't an entirely infeasible solution.

      Seriously though, Rob is making non-monoculture sound more difficult than it may be. As far as cost goes, since no one has done enough research to balance cost against security in multiplatform networks, he can't assume that the costs will outweigh the benefits any more than the anti-Microsoft security experts can do the opposite. The basis of his article relies on speculation at best.

      Dan

    22. Re:Slashdot by Newcastle22 · · Score: 1
      Well, he has worked for Microsoft in the past:

      Rob's icky company

      Dan

    23. Re:Slashdot by letxa2000 · · Score: 1
      I don't have to read any articles

      Even when those multiple articles prove with undisputable, acknowledged football statistics that what Rush said was right. Even other sportswriters are confessing it to be true. But don't let reality or facts get in the way of your preconceived notions and stereotypes. Hold your banner up high and shine a light on it for all to see, that way we'll all know who to snicker at. :)

    24. Re:Slashdot by zurab · · Score: 1
      Refuting an opposing position with facts, when the opposing position is factless, is often futile and counterproductive -- you end up giving credence to that which deserves none. If he critiques their analysis because of a dearth of facts, then take it at that: He doesn't have to present his own to call bullshit to theirs.


      That is a nice theory, but in this case one side is saying: Diversify - the added cost will be worth reducing security risk; the other side is saying - no, the added cost will not reduce security risk, and then presenting his case on what will reduce security risks. He is not simply refuting the other side, but also presenting his case. If you refute others' suggestions by accusing them of lack of research and analysis, then you do the same when you present your case, that's closer to flaming than a meaningful discussion.

      Obviously this guy's angle is "defend Microsoft". By the same token you can find countless pundits whose angle is the opposite position -- attack Microsoft -- and every article they author is a perpetual diatribe "exposing" the evil that is Microsoft (many such pieces are linked on Slashdot regularly).


      I'm sure if he was referring to much of /. crowd that would be the scenario; but he was referring to a report from Gartner which, whether you agree with the report or not, is not necessarily an MS competitor, or out to get Bill Gates for some religious reasons. Enderle's past articles and "opinions", however, indicate his attitude and willingness for contribution to discussion about issues at hand:

      Besides, many Linux supporters are a bunch of potty-mouthed malcontents. Enterprises are better off staying away from Linux and open source ...

      Above quote from another of his "opinion" columns. In other words, while there are ways to argue, correct, or refute Gartner report, there is no way to argue or discuss the stuff this guy is spewing - that's the difference.

      I'm neither for or against this guy or his article (I didn't read it -- sounds like a another factless bunch of tripe. I felt the same way about the similar anti-Microsoft article that got the sheep excited a few days ago.


      That previous article made quite a few points some of which I didn't agree with but others made sense, logically at least - practice, of course, is different; but that's a different topic.
    25. Re:Slashdot by sco08y · · Score: 1

      1. Compatible with C++/Java/Some scripting languages

      2. Integrated editor/debugger

      3. Works well with compiler

      4. Multi-platform (or at least Linux for god's sake!)


      CodeWarrior is what you're looking for, but standard Unix tools are what you want.

      Have a look at DrScheme, too. It has a simple IDE and a lot of tutorials for learning scheme. Don't waste your tens (hundreds?) of thousands of tuition dollars learning C++ when you can do that from a book. You're there to learn concepts and theory which you can apply to any language.

    26. Re:Slashdot by fucksl4shd0t · · Score: 1

      Eclipse

      That said, the GNU build tools work with it all; it's just a matter of using an IDE. Personally, I don't give a shit about IDEs, and think they're angels polluting my system. I prefer to use the command line for compiling (and the GNU build tools, of course) and debugging. I use small, syntax-highlighting text editors (KWrite on Linux, Programmer's Notepad in Windows) that load FAST. I use an explorer window to navigate my source tree (Konqueror on Linux, of course), and I right-click on source files and choose "Open with..." and my text editor. On most files, I have the extension already associated with the app so I only have to single-click it (double-clicking causes seizures ;) ). Class navigator? Who needs that shit? You have your header file and its corresponding cpp file, each containing only one class and named appropriately. You can use (if you *need* to) your "Find" function that exists in every text editor in the world. Need to look at the API? Open the header in another window. IDEs are overrated, and in my experience, actually reduce productivity. I spend too much time fighting with the IDE to get it to do what I need it to and not enough time actually coding.

      --
      Like what I said? You might like my music
    27. Re:Slashdot by u-235-sentinel · · Score: 1

      Your point is well taken however I usually equate Microsoft with the public school system. Sure there are things the public schools are doing that are working well. Overall public schools are not considered the best places to obtain an education.

      Same goes for Microsoft. They unfortunately just don't do everything well. Sure a few things are great but like public schools they overall fail.

      --
      Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
    28. Re:Slashdot by LnxAddct · · Score: 1

      it was sarcastic in case you didnt notice

    29. Re:Slashdot by cfuse · · Score: 1
      He even asks if OSS supporters have "ever heard of capitalism?"

      Those fucking open source commies! When will they learn freedom can't be shared, it has to be paid for by every man, woman and child. Preferably in US dollars, oil, or the blood of foreigners.

      God bless America and all who sail in her.

  3. Re:OT: What the hell is wrong with Slashdot? by Second+Vampyre · · Score: 1, Offtopic

    Slashdot is notorious for this.

    Numerous times I have suggested that they upgrade to IIS 6, but they refuse, and continue running the notoriously slow IIS 5.0.

    They have only themselves to blame.

  4. Slashdot Troll Trolls Slashdot by Anonymous Coward · · Score: 1, Insightful

    And on the front page, no less.

  5. Turning off port 80. by FatCobra · · Score: 3, Funny

    Yeah, let's all turn off port 80; it's like having e-business without the "e"!

    --
    -On ones tombstone there will be 2 dates, Make the dash between them count!
  6. port 135, not port 80 by diaphanous · · Score: 3, Informative

    The article advocates restricting port 135, not port 80.

    ~Phillip

    1. Re:port 135, not port 80 by freeweed · · Score: 3, Insightful

      The article advocates restricting port 135, not port 80.

      Why the hell is this port even open in the first place? And unclosable at that?

      I'm about as geeky as they get, and I've never used any RPC-based apps outside of an academic environment. I'm pretty sure the 3 home users on the planet who actually use it can figure out a way around it.

      Ah, good old Microsoft. "It's not our fault people write exploits for needlessly internet-facing services."

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    2. Re:port 135, not port 80 by helix400 · · Score: 1

      I saw the same thing.

      It kind of takes some of the shock value out of the Slashdot story. It's a good idea to block outside communication over port 135. Inside your network is another story...

    3. Re:port 135, not port 80 by wfrp01 · · Score: 1

      What's the difference? It's a stupid suggestion either way. And even if it were a valid suggestion, it's hardly insightful to point out in hindsight how a problem may have been averted.

      --

      --Lawrence Lessig for Congress!
    4. Re:port 135, not port 80 by diaphanous · · Score: 1

      I'm not disa

    5. Re:port 135, not port 80 by diaphanous · · Score: 1
      Why is Slashdot so fucked right now?

      ~Phillip

    6. Re:port 135, not port 80 by sphealey · · Score: 1
      Why the hell is this port even open in the first place? And unclosable at that?

      I'm about as geeky as they get, and I've never used any RPC-based apps outside of an academic environment. I'm pretty sure the 3 home users in the planet who actually use it can figure out a way around it.

      Microsoft Exchange Server uses port 135 for various purposes, so it cannot be blocked internally at Exchange sites. Which makes the advice a bit ironic.

      sPh

    7. Re:port 135, not port 80 by Jeremiah+Cornelius · · Score: 3, Insightful
      This guy has S*hit for brains, and demonstrates this in every one of his hit piece M$ troll "articles".

      Restrict 135 - Yeah Baby!

      Except the major worm infestations haven't used the Internet as the primary exploit vector when demolishing the infrastructure at medium and large enterprises. Blaster and Slammer were "carted in" via laptops, poorly configured VPNs, permissive network sharing with business partners and improperly segmented test/development networks. Slammer just took a major grocery-chain's national WAN down for more than a day. This, 8.5 MONTHS after protecting the edge, and main production boxes for the exploit and blocking SQL discovery.

      There are tag vulnerabilities in the wild, outside the scope of the latest MS patch, 7 days ago. These are capable of planting trojans -- bypassing AV message filters in HTML-formatted mails with Outlook clients, and can be set in invisible-frames, etc.

      Enderle thinks that because he ran through pro-forma auditing he has the expertise to second-guess Schneier and Geer? Gimme a break! I take Marc Ranum's criticism of these guys' work - not some paid-for troll who scoffs at the bulk of the working code deployed over the past 40 years as "Open Source-ery".

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    8. Re:port 135, not port 80 by Cipster · · Score: 2, Funny

      They listened to him and turned off port 80....

    9. Re:port 135, not port 80 by MattBurke · · Score: 1

      You've never used NFS or Samba? How do you maintain a shared filesystem between multiple hosts?

      There's nothing wrong with RPC-based services - in the right environment they're absolutely vital.

      However, opening them up to the internet at large is suicidal. Even the *NIX RPC implementations have been dodgy at best, and although Samba is pretty secure, I still would never be seen dead opening it up to the internet. Luckily most *NIX distributions agree with this train of thought, but MS? Do they get a sizable income from AV companies or something?

    10. Re:port 135, not port 80 by Micro$will · · Score: 1

      And to add to the confusion, when messaging spammers realized that people were blocking port 135, they started spamming on port 1026, which does the same thing. Assuming it's vulnerable to the same exploit, I wonder when the Blaster and Welchia writers will realize this and start using that port too.

      IMO, it's better to block everything anyway, then open up ports as needed.
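
The two approaches argued over in this subthread (block the one port the worm used, versus default-deny and open only what is needed, with RPC reachable from the LAN but not the Internet) can be compared directly. The following is an added example by the editor, not code from the original thread or from any product mentioned in it; the rule sets, the source addresses and the list of inbound attempts are all constructed sample data. It models only destination port and source network at an edge filter, not protocol or connection state, and says nothing about worms carried in on laptops or over VPNs, which is the separate point raised further down.

```python
"""Added example (not from the original thread): compare a block-list
edge policy ("block port 135") with a default-deny allow-list policy
("block everything, then open ports as needed") against a constructed
set of inbound connection attempts.  All addresses, ports and rules
here are hypothetical sample data chosen to illustrate the difference.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # CIDR the source address must fall in
    ports: frozenset   # destination ports matched; empty means any port

    def matches(self, src_ip, dport):
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return in_net and (not self.ports or dport in self.ports)


def evaluate(rules, default, src_ip, dport):
    """First matching rule wins; otherwise the policy's default verdict."""
    for rule in rules:
        if rule.matches(src_ip, dport):
            return rule.action
    return default


# Policy A: the advice as stated in the thread -- deny 135 from anywhere,
# let everything else through.
BLOCKLIST_RULES = [Rule("deny", "0.0.0.0/0", frozenset({135}))]
BLOCKLIST_DEFAULT = "allow"

# Policy B: default deny.  Expose only the services the site actually
# offers, and permit RPC/NetBIOS/SMB only from the internal LAN, where
# Exchange clients and file sharing legitimately need them.
LAN = "10.0.0.0/8"   # hypothetical internal range
ALLOWLIST_RULES = [
    Rule("allow", "0.0.0.0/0", frozenset({80, 443, 25})),   # public web and mail
    Rule("allow", LAN, frozenset({135, 139, 445})),          # RPC/NetBIOS/SMB, LAN only
]
ALLOWLIST_DEFAULT = "deny"

# Constructed inbound attempts: (source address, destination port, description).
# 198.51.100.0/24 is a documentation range standing in for "the Internet".
ATTEMPTS = [
    ("198.51.100.7", 135,  "RPC endpoint mapper from the Internet (Blaster's target)"),
    ("198.51.100.7", 1026, "the alternate port the comment above mentions"),
    ("198.51.100.7", 80,   "ordinary web traffic to the public server"),
    ("10.1.2.3",     135,  "RPC from an internal Exchange/Outlook client"),
]


def verdicts(rules, default):
    """Map (source, port) -> verdict for every constructed attempt."""
    return {(ip, port): evaluate(rules, default, ip, port) for ip, port, _ in ATTEMPTS}


if __name__ == "__main__":
    for name, rules, default in (("blocklist", BLOCKLIST_RULES, BLOCKLIST_DEFAULT),
                                 ("default-deny", ALLOWLIST_RULES, ALLOWLIST_DEFAULT)):
        print(name)
        for ip, port, what in ATTEMPTS:
            print(f"  {ip:>14} -> {port:<5} {evaluate(rules, default, ip, port):5}  {what}")
```

Run as a script it prints both verdict tables. The point of the comparison: the block-list policy only ever stops the one port someone thought to list, so the alternate port sails through, while the default-deny policy stops it without anyone having to know about it in advance, and still lets the internal client reach 135 because that rule is scoped to the LAN rather than to the whole Internet.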

    11. Re:port 135, not port 80 by killmenow · · Score: 1
      And unclosable at that?
      Umm. Not that I'm on Microsoft's side in this, because I'm not, but it is closable.
    12. Re:port 135, not port 80 by ScottKin · · Score: 1
      Because, freeweed, before there was this thing called the Internet there were LANs and Networks and Database programs and Desktop Software that was used for BUSINESS, not for looking for your favorite brand of pr0n.

      Ports 135 & 139 were used to verify that a user had certain & specific access rights to LAN resources based on User Authentication. *NIX did this a different way, and yes it worked better - but when the Internet started becoming what it is today, Microsoft didn't see the need to change its network protocols for LANs.

      Don't blame Microsoft for not changing their LAN Software because of established LAN protocols - blame the ISPs that don't block those ports at their routers. No one needs those ports open across the Internet, and if they need access to remote services & resources on their employer's LAN, then provide them by some other protocol like SSH, PPTP (which, unfortunately, has its own problems) and/or IPSec.

      And to respond to your lame dig at Microsoft - Yes, it's the exploit-writer's fault. When someone breaks into my house using a lockpick is it the building contractor's fault or the lock manufacturer's fault? NO, you moron - it's the person who illegally gave or provided the lockpicks or used them to gain illegal access - that's why it's a felony to possess lockpicks if you're not a licenced locksmith.

      Now, the other side of the coin: Windows Users - please go and download the Windows Baseline Security Analyzer and run it on every machine you have to make sure that your systems are at least reasonably secure from attack.

      Remember: Windows-haters want to try to destroy Windows and Microsoft so that they (Linux-lovers) can grab a bigger share of the market - too bad they can't play fair!

      Wake up!

      ScottKin - laughing at those who THINK they know it all.

      --
      I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
    13. Re:port 135, not port 80 by 00420 · · Score: 1

      Do they [Microsoft] get a sizable income from AV companies or something

      I've often wondered that myself. Bill Gates is an intelligent person. Why doesn't this show in his software? It wouldn't have been hard to have made Windows default settings more secure. What makes Bill want it this way?

      Or, maybe he is just stupid.

    14. Re:port 135, not port 80 by iq+in+binary · · Score: 1

      Remember: Windows-haters want to try to destroy Windows and Microsoft so that they (Linux-lovers) can grab a bigger share of the market - too bad they can't play fair!

      Play fair? Play fair! You use this in defense of Microsoft? A company known for its shady business practices and even shadier pricing structures? A company who has knowingly and publicly cheated many people out of many millions of dollars by forcing them into "upgrade" contracts and heinous licensing plans? A company who has been responsible for the demise of many companies who stood to compete? Play fair?

      What irks me the most is that you relevated virus-writers and exploit-finders to "Linux-lovers". I know not one person who glorifies open-source software that is malicious enough to write things like Blaster or Sobig. The only people I know who are that mean are (you guessed it) avid Windows users.

      No sir, the Open-Source community (which we prefer to be called, BTW) doesn't want to destroy Microsoft for a bigger market share; we want to destroy MS because it is the Right(TM) thing to do ;)

      --
      Of all the Universal Constants, here's one I know: Nice guys finish last ;)
    15. Re:port 135, not port 80 by Daniel+Phillips · · Score: 1

      I saw the same thing. It kind of takes some of the shock value out of the Slashdot story.

      And you didn't read the note re the article being changed after posting to refer to port 135 instead of port 80. It kind of takes some of the credibility value out of the Slashdot poster.

      --
      Have you got your LWN subscription yet?
    16. Re:port 135, not port 80 by jadavis · · Score: 2, Insightful

      IMO, it's better to block everything anyway, then open up ports as needed.

      In the short term, you block the latest worm. In the long term, you just forced everyone to use an alternative protocol tunneled through an accessible port. Why? Because the internet is successful because almost any computer can send almost any computer almost any digital message in an efficient way. If you feel like complaining about the dumb users on the network, think about the alternative: what if we all grew up where all we had was web/email on a thin client? If you give everyone a "smart" network and a dumb client, you end up with television. I'll take my smart linux box on a dumb network, thanks. (heck, even a windows box is smarter than a dumb client. Some assembly required. Or at least winperl.)

      So, if you firewall off 99% of the ports, and then some smart users need to innovate and they tunnel over the last 1%, you have a new, slower network stack that will require a new, slower firewall for the new type of protocol. Not to mention that most of that innovation just won't happen when you make it so difficult.

      I just don't see restrictive firewalling as a long-term solution. The real long-term solution is to install a desktop OS that doesn't ship with network services running by default.

      --
      Social scientists are inspired by theories; scientists are humbled by facts.
    17. Re:port 135, not port 80 by freeweed · · Score: 1

      And before multi user computing there was this thing called no passwords on your computer. You could just fire it up, and boom! Instant access to your files. (Yes, facetious example, and Unix pre-dates things such as DOS, but...).

      When we suddenly started letting more than one person come within physical proximity of a computer, Microsoft didn't see the need to do silly things like set up user accounts and passwords. It's the computer owner who should ensure that no one else ever gets close to their machine without watching what they do over their shoulder.

      Sounds pretty damn stupid, right? So is their Internet strategy. Oh wait, they never really had one. Anyone else remember the single character password vulnerability on Win9x file sharing that went unpatched for (as I recall) 3 YEARS? The same file sharing protocol bound by default to your Internet-connected TCP/IP stack?

      As for the 'moron' comment, you're absolutely correct, it is the person doing the breaking and entering who's at fault. However, if 90% of all houses sold come with doors made out of transparent tissue paper and cannot be replaced, the builder shares at least some culpability.

      For the record, I'm a 90% Windows user. It's because I use it so much that I wish they'd do it right the first time, instead of making me have to build a virtual Fort Knox just to be able to check my email.

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    18. Re:port 135, not port 80 by linkjunkie · · Score: 1

      For what it's worth...

      When I first read the article, it said port 80, I kinda chuckled and thought "Port 25 would help too."
      It has been changed since I read it early Friday.
      If you look quick, you'll find that he references msblaster as an email virus (which comes in over the SMTP port 135, I guess ;-)

      It wouldn't surprise me to find out that this guy has a free MSDN subscription or 12.

      I also got quite a laugh about the PC blades suggestion.
      Why does this sound like another round of hardware upgrades, kinda like what accompanied 2000 and to a lesser extent XP?
      How exactly would patch management be ANY easier with blade PCs?
      Replacing hardware, sure.
      Is he actually suggesting that Microsoft go back to the Mainframe - Terminal model?

    19. Re:port 135, not port 80 by DF5JT · · Score: 1

      "Don't blame Microsoft for not changing their LAN Software because of established LAN protocols - blame the ISPs that don't block those ports at their routers."

      You gotta be kidding me.

      Since when is it the ISP's job to take care of a customer's security? Either you have an admin who knows how to deal with an active RPC service or you don't. Either possibility is none of the ISP's business.

    20. Re:port 135, not port 80 by helix400 · · Score: 1

      And you didn't read the note re the article being changed after posting to refer to port 135 instead of port 80. It kind of takes some of the credibility value out of the Slashdot poster.

      You idiot. Check the times, my post was made before the re was put in there. To add to this, when I discovered the error, I also emailed michael about it. After 10 minutes of my email, the Re: note appeared.

      Maybe you should think things through before painting someone as an idiot.

  7. Enderle should get his facts right first by mst76 · · Score: 4, Informative
    From the article:
    This is the big problem with the diversity recommendations I've seen. If they had been implemented as recommended they would have had little impact on the MSBlast virus, which spread via common e-mail, and would likely increase the exposure for other types of threat.
    1. Re:Enderle should get his facts right first by avery · · Score: 1

      MSBlast spreads via email? I'm quite sure that it does not. This article does need fact checking.

    2. Re:Enderle should get his facts right first by owlstead · · Score: 1

      If you call yourself a security expert, which in a way he does, missing this point is fatal. You beat me in posting it early, but I stopped reading the article at that point.

      I mean, if the guy doesn't know THAT, then he should get a job in securing property instead. He could use his muscles instead of his brain :)

    3. Re:Enderle should get his facts right first by miruku · · Score: 1

      with so many ms viruses, it's hard to keep track of them all..

      --
      MilkMiruku
    4. Re:Enderle should get his facts right first by KrispyKringle · · Score: 1
      He did comment on how "[a] good chunk of [his] life was spent doing security audits," presumably computer security audits. On one of these (as I said, due to context, presumably computer security) audits, "[t]he central administrator kept a ring of keys for all of the doors, and put the keys to the confidential office safe on the same ring. It was relatively simple to penetrate her desk to get this ring of keys and access virtually everything."

      Gee. I didn't realize pen-testing referred to breaking into people's desks and stealing their keyrings. Screw TCP/IP Illustrated. If you want to be a 1337 hacker, grab a fucking crowbar.

    5. Re:Enderle should get his facts right first by IM6100 · · Score: 1

      It's euphemistically called 'human engineering' and it's really how most 'hackers' get around. You thought they were technical wizards??

      --
      A Good Intro to NetBS
    6. Re:Enderle should get his facts right first by KrispyKringle · · Score: 1

      First off, it's usually called "social engineering," in my experience. Aside from that, yes, poor physical security is a fair consideration, but that has nothing to do with my point. My point was that if he considers himself a security expert in the fields of locks and safes, he still has little qualification to comment on software diversity. Security is security, but prison guards and locksmiths know little about buffer overflows or cross-site scripting.

  8. Diversity is money! by MrLint · · Score: 1

    "One of the biggest problems caused by diversity is that it become very difficult for the IT staff to maintain equal competence on all platforms."

    What a great suggestion.. let's get rid of all of those different flavors of windows and all those pesky multivendor PCs. A corporate wide upgrade to all new high end laptops for everyone including your servers will save *huge* amounts of money!

  9. He seems to be suggesting by kfg · · Score: 2, Funny

    that if I'd kept 30% of my infrastructure running Microsoft software for compatibility reasons I should just go ahead and ditch it all?

    Or am I just reading that wrong?

    KFG

  10. Yeah, Of Course He's Right by CrankyFool · · Score: 5, Insightful

    That's because he's got the wrong focus.

    The monoculture risk is real when you're looking at the 64,000 view -- the entire population. They're not really all that much of a risk when you're dealing with, say, an enterprise's systems, and there's not that much benefit to them in that kind of environment (disregarding things like security devices for the moment).

    We've used the agriculture analogy before to describe the issues around monocultures, so to continue to use it, we can say that his point is that monoculture isn't really an issue because when you're tilling a single field, it's a pain in the ass to put multiple crops on it. True, but that's not the point -- it's when you've got one crop on *ALL* the fields (all the enterprises) or at least a substantial portion of them that you get into a problem.

    1. Re:Yeah, Of Course He's Right by Karadryel · · Score: 1
      The monoculture risk is real when you're looking at the 64,000 view -- the entire population. They're not really all that much of a risk when you're dealing with, say, an enterprise's systems, and there's not that much benefit to them in that kind of environment (disregarding things like security devices for the moment).

      Two issues: First off, the security papers to which he's responding did in fact advocate diversity within a single enterprise. They were claiming that diversity was the right way to secure an enterprise, he's responding to that assertion.

      Second, to some extent his arguments apply even when you extend it to inter-organizational security. Many businesses find it necessary to trust other systems from other businesses, and this will only become more true as web services start to make real the early promises of the internet changing the face of commerce (IBM, MS, SUN, whichever flavor of web services you like, they're all predicting something like this). When these systems become interdependent even across organizations, this guy's argument becomes relevant even there.

      So don't just dismiss it, find a way to refute it.

    2. Re:Yeah, Of Course He's Right by Frater+219 · · Score: 1
      The monoculture risk is real when you're looking at the 64,000 view -- the entire population. They're not really all that much of a risk when you're dealing with, say, an enterprise's systems, and there's not that much benefit to them in that kind of environment (disregarding things like security devices for the moment).

      On the contrary, the monoculture risk should affect an enterprise decision whether to participate in that monoculture. When making such decisions, people shouldn't take into account the network benefits (such as being able to skimp on staff training on the grounds that "everyone already knows Windows") without taking into account the network risks (such as the increased likelihood of heavy virus outbreak).

      It's true that your organization can't change the fact that the majority of the world uses Windows, and as a result the Internet as a whole is subject to DDoS and packet storms from Windows viruses. However, your organization can reduce its own risks by choosing a different system, one that may still feel the second-hand effects of the harm of monoculture but does not receive the brunt of the damage.

    3. Re:Yeah, Of Course He's Right by FooAtWFU · · Score: 1

      Like cotton in the old South and the boll weevil? Hmm. I'm starting to like this analogy.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    4. Re:Yeah, Of Course He's Right by Newcastle22 · · Score: 1
      Two weeks in software years is equivalent to one year in corn years.

      Dan

  11. RTFA? by Anonymous Coward · · Score: 1, Interesting

    The submitter apparently not, in good /. fashion... I however did read it, and for starters no mention about port 80 (only about port 135). For the rest a lot of bla bla, totally disregarding many of the arguments in the original "monoculture is dangerous" article. For example he assumes that Linux OOo would have exactly the same exploits as Windows OOo. Maybe - but only if you stay within OOo's scripting. Making a cross-platform Blaster or the like is imho next to impossible (are there any cross-platform Windows/Linux binary executables in the first place?)
    Lots and lots of nonsensical bla bla from this guy, who really needs to start learning a bit about what he is talking about. Monoculture is dangerous. And no-one promoted multi-culture within one company, only over the whole of the internet population. Multiple platforms within one company will indeed have its own problems.

    Wouter.

    1. Re:RTFA? by ischorr · · Score: 1

      It appears that the "port 80" comment was removed after the initial post of the article. I'm not sure if it was due to the initial slashdotting or not, it may have just been a good (and quick!) choice on the publisher's part.

  12. Re:OT: What the hell is wrong with Slashdot? by ceejayoz · · Score: 1

    Well maybe that explains what's been making Slashdot unusable today...

  13. Message to the Submitters/Editors by Kaboom13 · · Score: 3, Insightful

    You make several accusations about the article's bias. But instead of giving us the article and letting the readers make that judgement, or even making a logical argument for why he is wrong, you instead attack the author, and tell us how we should feel about the article. Anyone that reads slashdot can probably pick out the (alleged) MS bias by themselves. Keep your opinions to your damn self if you aren't willing to back them up.

    1. Re:Message to the Submitters/Editors by molnarcs · · Score: 1

      Hey, Enderle is an old friend. He wrote such masterpieces as "Opinion: Reasons To Shun Open Source-ry" and "Linux Is Not Ready For the Enterprise (Opinion)" - check the links below the article. Mr Enderle's past articles are good bases to formulate an opinion of him. He should be banned from the Internet.;)

      Or maybe not. His articles have some entertainment value; they are funny. I've never seen such a clueless dude as he is.

    2. Re:Message to the Submitters/Editors by Pave+Low · · Score: 1
      You forget it was michael that posted the article, one of the most despicable, dishonest, manipulative characters on this site.

      I love how slashdot has this nonsensical, convoluted moderation system that can censor and muzzle users if they "troll" or "flame", but editors like michael can troll users with reckless abandon (see the windows switching story today).

      Where is the outrage?

      --
      SIG:Slashdot: indymedia for nerds.
    3. Re:Message to the Submitters/Editors by shaitand · · Score: 1

      *sighs* bitching about those who don't read the articles and you don't even read the headlines!!!

      The article said port 80 when originally posted, it was altered after that to port 135.

      The author also claims msblaster was an email virus.

    4. Re:Message to the Submitters/Editors by nyseal · · Score: 1

      No disrespect intended, but isn't this an opinion forum?

      --
      [SIG] Remember Mattel handheld games?
    5. Re:Message to the Submitters/Editors by Sanga · · Score: 1

      The news here is not the contents of the article but that the article was itself written.

      Or so the rationale for this front page item goes

  14. Of course by slobber · · Score: 1

    and, BTW, hackers are committing suicide at Microsoft's firewalls...

    --
    "You mortals are so obtuse." -Q
    1. Re:Of course by Grave_Rose · · Score: 1

      Do you think?

      Cracker #1: I'm here to take over www.microsoft.com.

      Cracker #2: Uhhh.... I don't think that's such a good idea, Davey.

      Cracker #1: clickity-clickity-clickity-DING! 0wned!
      10 seconds go by as they look at their handiwork

      Police #1~15: Excuse me... We need to talk. [Insert beat downs here with Bill laughing maniacally behind the police]


      Gr@ve_Rose

      --
      !ekoj on si aixelsyD
  15. ok port 80 and some others by Ricin · · Score: 1

    and never wonder bout *why* you're paying that bill...

    What nonsense

  16. His suggestions.. by taradfong · · Score: 4, Insightful

    Let's look at some of these...

    - Accelerated adoption of patches.

    Ok, yes you do have to stay patched. But this is like blaming people with flawed cars for not going to the car dealer each week to check for recalls. Microsoft's abundance of patches indicates poor design and methodology, period.

    - Locking down desktops so users cannot make changes and viruses and worms can't install themselves and run.

    Ok, so rather than design the apps safely out of the box, we need to handcuff the users and do the dirty work ourselves. I guess all those Outlook viruses were our fault.

    - Restricting ports, such as port 135, which effectively stopped the latest virus attack.

    Wow! What a concept! I never thought of this! Now I know where all my problems are coming from! It's not from the software, it's my fault for actually allowing connectivity!

    - maintaining "hot sites," or duplicates of key elements of the IT infrastructure, so if the main infrastructure is compromised, users can quickly switch to backup systems.

    Sounds like a way to sell licenses. Ok, since we can't make our product stable, buy 2 copies and hope one works.

    - Developing the capability to rapidly restore compromised software and data from backups.

    Right. Key word is, develop. Why does an end user, paying hundreds of dollars per seat, need to 'develop' something as common as this?

    - Adding security staff or outsourced services.

    Right. Keep sending us your licensing fees, and then spend more money to make up for the gaps in our software. Don't trust any of that 'free software' crap you read on the internet - those Linux guys are a bunch of hacks. Hire an MSCE. Preferably from another country.

    --
    Does it hurt to hear them lying? Was this the only world you had?
    1. Re:His suggestions.. by Karadryel · · Score: 1
      Microsoft's abundance of patches indicates poor design and methodology, period.

      Red Hat 9 had 43 security vulnerabilities reported and patched in the first 150 days after it shipped.

      Ok, so rather than design the apps safely out of the box, we need to handcuff the users and do the dirty work ourselves.

      No, but admins need to do their *jobs*. The apps are designed for consumers, businesses, everybody - the admins' role is to recognize that and protect themselves accordingly.

      Wow! What a concept! I never thought of this! Now I know where all my problems are coming from! It's not from the software, it's my fault for actually allowing connectivity!

      Nice sensationalism. The underlying point is that admins have to be aware of the security issues in their deployments and respond accordingly. Do you think having an even mix of Windows, Linux and Apple OS's is going to make that easier for the admins?

      Ok, since we can't make our product stable, buy 2 copies and hope one works.

      The point was that you have to have backups of the *key* elements of the infrastructure. The "diversity" folks have this same issue, because the assumption is that parts will break, and the goal is limiting the damage. Note that having the same functionality replicated by MS, Linux, and OSX is not going to be any cheaper.

      Key word is, develop. Why does an end user, paying hundreds of dollars per seat need to 'develop' something as common as this.

      It's a build or buy decision - of course you can purchase this as well (and it may be part of the new storage bits in Win2k3). Do you think the diversified solution from Veritas and IBM and EMC is going to be cheaper?

    2. Re:His suggestions.. by Dhalka226 · · Score: 1

      Look, I hate Microsoft as much as the next guy, but your critique of the article is horrendous and so biased it is worthless.

      Ok, yes you do have to stay patched. But this is like blaming people with flawed cars for not going to the car dealer each week to check for recalls. Microsoft's abundance of patches indicates poor design and methodology, period.

      Microsoft's abundance of patches does indicate poor design. However, if you or your company choose to use--or must use--a Microsoft product, then you accept that risk and it falls upon you to manage it. You should know it is there and you should do what you can to prevent it. Staring at my inbox, I see plenty of reports on linux packages that if I don't patch them, they may end up getting me rooted. If I ignore the warnings, or do not read them, and somebody uses a hole in them to gain unauthorized access to my system, whose fault is that really? I can tell you I'm not going to be blaming the coders for my unwillingness to keep patched. The only time I would do so is as with the latest MS patch, where their patch fixes the problem in one area but leaves an identical problem open elsewhere.

      Ok, so rather than design the apps safely out of the box, we need to handcuff the users and do the dirty work ourselves. I guess all those Outlook viruses were our fault.

      It seems to me that the author was essentially suggesting not to run Windows as an administrator. Tell me, do you run your linux box as root? If you do, you're a fool, regardless of how secure or insecure a program you're running may be.

      It's not from the software, it's my fault for actually allowing connectivity!

      If you are not running a firewall and blocking potentially dangerous ports, you are, once again, a fool. Why are you criticizing common-sense suggestions because you do not agree with the conclusions the author uses them to support? Are there flaws with Microsoft software? Hell yeah, dozens, maybe hundreds. But you can minimize your risks by instating good security practices yourself, without relying on Microsoft to do it for you--which they have a history of not doing.

      Sounds like a way to sell licenses. Ok, since we can't make our product stable, buy 2 copies and hope one works.

      No, it sounded like a way to provide a level of fault-tolerance. If a company does not want to shell out the money for backup systems, then they are going to deal with the loss of productivity that can happen if their systems go down for any reason, including ones not related to security. If that cost is acceptable to the institution then they may disregard the suggestion. If it is not, they should consider backup systems regardless of whether the need for them is security-related or otherwise. Personally I wouldn't invest in this suggestion, but I know companies who lose millions of dollars when something goes wrong and for some, probably most, simply moving away from Windows is not a viable option.

      Right. Keep sending us your licensing fees, and then spend more money to make up for the gaps in our software. Don't trust any of that 'free software' crap you read on the internet - those Linux guys are a bunch of hacks. Hire an MSCE. Preferably from another country.

      Well, I agree with one part of your statement: "Outsourcing" has become a technology buzz-word that most companies don't seem to even understand. It is of questionable importance, even in the regard of saving money. Yes, a tech support person in India does cost less, but there are less quantifiable costs involved with it too.

      As to the rest? Come on. First of all, it is their "[their] software." The guy doesn't work for Microsoft even if he does support them. As for "adding security staff," it isn't a bad idea in big companies: One user who is responsible exclusively for securing the company's technology assets. It isn't for everybody or every company, but that does not make it a bad suggestion.

    3. Re:His suggestions.. by zurab · · Score: 1
      Don't trust any of that 'free software' crap you read on the internet - those Linux guys are a bunch of hacks.


      Actually, that would be "bunch of potty-mouthed malcontents." Get your facts straight, please.
    4. Re:His suggestions.. by shaitand · · Score: 1

      "Red Hat 9 had 43 security vulnerabilities reported and patched in the first 150 days after it shipped."

      Zero of which were in the operating system which is part of the red hat distribution. 43 patches in literally HUNDREDS of programs that are included with redhat linux 9. Windows has, let's see, the OS (of which they assure us the browser is part), 1 email app, 1 media player. oh yeah, and notepad (I'll give, I think notepad is a shining proof of concept that microsoft can write a secure and stable app if they just neglect to provide even the most basic of features!).

      Of those, ALL of them with the exception of notepad were released with NUMEROUS serious vulnerabilities, none of which were fixed within 1 week of being reported to microsoft.

    5. Re:His suggestions.. by PCM2 · · Score: 1
      Sure, I've got karma to burn ... what the hell.
      Microsoft's abundance of patches indicates poor design and methodology, period.
      Oh, for Pete's sake. And I suppose you've never patched anything on your Linux box, right? You just installed Mandrake 8 and hummed merrily along until Mandrake 9 came out, and your toes have been tapping ever since? Please. I mean, I agree Microsoft software kinda sucks, but this kind of argument isn't about to win any converts.
      Ok, so rather than design the apps safely out of the box, we need to handcuff the users and do the dirty work ourselves. I guess all those Outlook viruses were our fault.
      Yeah, I'm sure glad they got email right on Unix for the start. That Sendmail, whew! Microsoft can only dream of a design as robust as that.
      --
      Breakfast served all day!
    6. Re:His suggestions.. by Anonymous Coward · · Score: 1, Interesting

      From my personal experience, the things he suggested do not work against blaster and welchia. We run a relatively large school district in the troubled state of California. We have around 104 school sites to manage and we are only 30 people strong.

      Back a few years ago we implemented a solution to manage all of this. We implemented exactly some of those things he suggested. We kept around 3 standards for academic desktops and a single standard for administrative desktops. We use ghost to keep images of all the deployed hardware. This kept things simple: if a desktop breaks we swap in a replacement and fix the broken one.

      We did the same with our routers and servers. They are all standards except for the ones running custom apps of long forgotten ages. We even deployed "network management" servers based on linux to each school site. All the box does is dhcp, firewall and proxy.

      We implemented another one of his suggestions. We lock down academic desktops with deep freeze because the kids will destroy it if we don't...happened way too often in the past.

      We have esafe viruswall and norton doing all our virus protection. We use the enterprise managed virus database update too. We have a routine schedule for admin desktops to scan for viruses during lunch time.

      We already have all those unnecessary windows ports closed down on our edge routers and firewalls (yes multiple).

      With all of this inplace, you know what it got us? We still got fucked by blaster. And welchia fucked our core routers.

      How did they get in you ask? Well for one we cannot enforce patches on desktops. We had the same trouble with virus scans. The decision we made was to have the virus scan run at lunch time because the majority of the users leave their computers on during this time and usually they don't sit there doing stuff. Unfortunately we can't put windows auto update on this same time frame. We don't know how long each virus scan will take; it depends on how much crap the user has put in the machine. If we put windows update before the virus scan, we'll have the same problem of not knowing when the process finishes. Both pieces of software have their own little scheduler; I wish they were integrated so they could scan and patch at the same time. We can't schedule things at night because we try to save some money on our electricity bill. It's not worth keeping these machines up at night (even on standby, we got way too many machines) to have them autoupdate.

      We believe the virus got in via a laptop. It must have been infected at home and then infected stuff at work. The first site to get hit was the main offices where we have the most laptop users. None of the school sites got infected until 2 weeks after the blaster/welchia outbreak.

      When the high schools got hit...that's when it got really nasty. The first high school that got hit has the most computer labs and the most win2k desktops (at least one in each classroom). It was insane, we had a complete network slowdown. The welchia ping scans slowed the routers down to a crawl. We turned off icmp on the linux firewall at the school site and all went well again.

      Patching was a real pain. With all these desktops deep frozen...yeah you gotta enter the password and stuff...then patch and scan. You would think that we could just turn off all the machines and they should all come up clean afterward....but no....there was probably one machine we forgot. For this one high school, the infestation was so bad that we abandoned any idea of patching. We built patched images for each of the different hardware we have deployed and reimaged the whole school. We are very thankful for ghost multicast and the solid ethernet backbone of the school. It still took us 3 days to fix. We had to use some kids (we love those unpaid laborers =D) to get all the machines booted to ghost and stuff.

      Other high schools we are still trying to patch. One high school has a technology person doing all the patching. Poor guy, it's been 2 or 3 weeks since he started.
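      The welchia part of that account (ping sweeps crushing the routers, fixed by dropping ICMP at the site firewall) describes a detection you can automate. The script below is an added example, not from this thread or from any product named in it: it reads netfilter-style firewall log lines and flags any host that pings an unusually large number of distinct destinations inside a short window, which is the ping-sweep signature. The log format, the addresses and the timestamps are all constructed for the example; the threshold and window are assumed defaults you would tune to your own network.

```python
"""Flag ICMP echo sweeps (welchia-style ping scanning) in firewall log lines.

Added example, not code from the Slashdot thread.  The line format mimics the
Linux netfilter LOG target; all sample data below is constructed.
"""
import re
from collections import defaultdict

# Fields we need from a netfilter-style LOG line (assumed layout for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r" .*?PROTO=ICMP TYPE=(?P<type>\d+)"
)


def fmt(ts, src, dst, icmp_type):
    """Build one constructed log line in the layout LOG_RE expects."""
    return (f"{ts:.3f} kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=120 PROTO=ICMP TYPE={icmp_type} CODE=0")


def build_sample_log():
    """Constructed sample: one benign host pinging its gateway, one host sweeping a /24."""
    base = 1065830400.0  # arbitrary epoch timestamp (constructed)
    lines = []
    # Benign: 10.1.5.7 pings its gateway every 10 s and gets echo replies (type 0).
    for i in range(5):
        t = base + i * 10
        lines.append(fmt(t, "10.1.5.7", "10.1.5.1", 8))
        lines.append(fmt(t + 0.01, "10.1.5.1", "10.1.5.7", 0))
    # Infected: 10.1.5.23 walks 10.1.6.1 .. 10.1.6.30, one host per second.
    for i in range(30):
        lines.append(fmt(base + i, "10.1.5.23", f"10.1.6.{i + 1}", 8))
    return lines


def parse_echo_requests(lines):
    """Yield (timestamp, src, dst) for ICMP echo-request (type 8) lines only."""
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("type") == "8":
            yield float(m.group("ts")), m.group("src"), m.group("dst")


def find_sweepers(lines, window=60.0, threshold=20):
    """Return {src: peak distinct destinations} for every source that sent echo
    requests to at least `threshold` distinct hosts within any `window` seconds."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for ts, src, dst in parse_echo_requests(lines):
        events[src].append((ts, dst))

    sweepers = {}
    for src, evs in events.items():
        evs.sort()
        counts = defaultdict(int)  # dst -> hits inside the current window
        left = 0
        best = 0
        for ts, dst in evs:
            counts[dst] += 1
            # Slide the left edge forward until the window spans <= `window` seconds.
            while ts - evs[left][0] > window:
                old_dst = evs[left][1]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                left += 1
            best = max(best, len(counts))
        if best >= threshold:
            sweepers[src] = best
    return sweepers


if __name__ == "__main__":
    for src, n in find_sweepers(build_sample_log()).items():
        print(f"possible ping sweep from {src}: {n} distinct destinations in 60s")
```

      Dropping ICMP at the firewall, as the poster did, stops the symptom; the list this script produces tells you which machines to pull off the wire and reimage. Only echo requests are counted, so ordinary echo replies and a host pinging its gateway repeatedly never trip it.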

    7. Re:His suggestions.. by ebyrob · · Score: 1

      Okay, I was following along on your side for a bit there, but then this:

      (I'll give, I think notepad is a shining proof of concept that microsoft can write a secure and stable app if they just neglect to provide even the most basic of features!)

      Come on! Haven't you ever used notepad on a large file with line-wrapping turned on and then tried to save and continue editing? Microsoft can't avoid the bugs even when they LEAVE OUT the features.

    8. Re:His suggestions.. by ebyrob · · Score: 1

      The problem is... some of the biased points stick quite well on certain products.

      For example:

      Ok, so rather than design the apps safely out of the box, we need to handcuff the users and do the dirty work ourselves. I guess all those Outlook viruses were our fault.

      If we're talking about Microsoft Outlook (Or "LookOut" as I've come to affectionately call it) then we're talking about an "innovation" the world would truly have been better off without.

      If we're talking about Windows 2000 or SQL Server 2000 then we're talking about a couple half-way decent products, with some flaws, which are perfectly workable in the right hands.

      And, uh... Outlook *is* explicitly mentioned in this case. This is a product I've seriously considered changing jobs to avoid.

    9. Re:His suggestions.. by Daniel+Phillips · · Score: 1

      - maintaining "hot sites," or duplicates of key elements of the IT infrastructure, so if the main infrastructure is compromised, users can quickly switch to backup systems.

      Sounds like a way to sell licenses. Ok, since we can't make our product stable, buy 2 copies and hope one works.

      And since the user can quickly switch to the backup system it must be online, in other words chances are the worm will get there first.

      --
      Have you got your LWN subscription yet?
    10. Re:His suggestions.. by taradfong · · Score: 1

      I think my point here didn't come across to some of you.

      Microsoft is doing the minimum, and expecting us to believe that's the best that can be done, and we need to live with that and handle the gaps ourselves.

      I mean, we used to all think that adjusting and rebuilding carburetors was an unchangeable way of life. With billions in research dollars, I think Microsoft can figure out how to give users fuel injection.

      Yes, having exposed ports is a problem users/admins should deal with.

      Or is it? I mean, when I install Linux, I'm at least asked if I want some basic firewall protection. Nothing mentioned in Windows.

      Come on, Redmond. With your beautiful GUI apps, why not use one of your world-famous, patented 'wizards' to walk a user through something as basic as blocking network ports. Or a gui version of netstat -vat. No, of course that sort of thing doesn't belong integrated in the OS the way IE does.

      Or, while Microsoft Office can annoy me to no end as it (wrongly) guesses I'm sending a letter by my first 3 keystrokes, why can't we have the same feature to detect suspicious network traffic patterns?

      --
      Does it hurt to hear them lying? Was this the only world you had?
    11. Re:His suggestions.. by shaitand · · Score: 1

      yes it has bugs, but I don't recall any SECURITY breaches resulting specifically from the use of notepad... yet.

  17. uh... article not so bright? by wo1verin3 · · Score: 1

    >> - maintaining "hot sites," or duplicates of
    >> key elements of the IT infrastructure, so if
    >> the main infrastructure is compromised, users
    >> can quickly switch to backup systems.

    If you don't know what infected your infrastructure in the first place, why would you put up another one to get infiltrated?

    Valve may have screwed up big, but at least they are unplugged while they clean up.

  18. Hamlet without the prince by bstadil · · Score: 1
    FYI, There is an official phrase for this

    "Hamlet without the prince"

    Used allusively to refer to a performance or event taking place without the central figure, actor, etc. E19. Excerpted from Oxford Talking Dictionary Copyright (C) 1998

    --
    Help fight continental drift.
    1. Re:Hamlet without the prince by orthogonal · · Score: 1

      "Hamlet without the prince"

      FYI, there is an official Slashdot phrase for this:

      "Darl McBride without the unctuousness"

      Used allusively to refer to an oozing bag of shit, without the shit or the ooze.
      (C), (TM), (IP), (AYB) 1983-2003 SCO Group

  19. diversity doesn't mean hosing your own network by bratgrrl · · Score: 1

    This is a pretty awful article. It's a seriously sucky world, when world-class trolls and flamebaiters post for free on Slashdot, and this Enderle guy gets paid for half-assed trolling.

    I don't know where he got the idea that 'diversity is good' means every PC on your network is running a different operating system, and different applications. Wotta weenie.

    --

    ---

    SCO is weenies
    Gator is Spyware
    Microsoft is thugs

  20. Other prediction by heli0 · · Score: 1

    This guy also predicted one year ago that Macs would today be running on x86 hardware: http://www.gigaweb.com/Content/Media/AdHoc/Desktop Trends.pdf

    --
    Whenever the offence inspires less horror than the punishment, the rigour of penal law is obliged to give way...
    1. Re:Other prediction by KrispyKringle · · Score: 1
      Nice find.

      It also includes, "while Linux plays a siren song of independence from Microsoft...companies increasingly view Linux as a better alternative platform." Sounds far less anti-Linux than after his professed conversion (brought about by some doubtlessly unprofessional letters from many who also certainly are not fit representatives of enterprise Linux).

      Some other nice quotes: "AMD is ... likely to either merge or more closely partner with Transmeta by the end of 2003 to create a more compelling alternative to Intel's offerings."

      "Microsoft animosity: The license changes instituted by Microsoft in the previous period have clearly forced policy changes that should shift business away from the company long term. This will be slowed by the unavailability of reasonable alternatives -- but the bar for that 'reasonableness' has been lowered substantially and we expect certain accounts, like government, to be unusually aggressive when considering the alternatives through 2003."

      I didn't bother to gather up the stupid typos, etc. Maybe I should become a freelance editor for stupid hacks.

  21. The author is right! But... by ljavelin · · Score: 1

    The author has concluded that many security papers do not address the cost of security - and he's right.

    But anyone who is going to make a business decision regarding security can and will recognize that cost is a factor. Just because not all papers focus on cost doesn't mean that their conclusions are flawed.

    The author fails to present any facts that support his implied position that the costs of securing the Microsoft model are lower.

    The author has written an article about his opinions. He provides few facts that support his opinion. This article is not informative to me - someone who needs to make decisions.

    I don't care about his opinions. Give me facts that help me decide what to do in my organizations.

    1. Re:The author is right! But... by Tony-A · · Score: 1
      The author does put out one number:

      Few companies can continue to function if even 30% of their systems fail catastrophically.

      Assuming that number is realistic, there are two things to look at.

      First, there is the probability of causing that failure. Patches applied blindly, particularly patches to what you shouldn't be running anyway, would seem to increase that probability. Knowing exactly what the patch does and affects would strongly decrease that probability.

      Second, if there is a catastrophic failure, can you do anything about it? In a monoculture, somewhere between probably and certainly not. In a heterogeneous environment, there will probably be two or three alternatives to get you out of the catastrophe.

      If you use Linux and I use FreeBSD (or vice-versa) we get most of the benefits and few of the liabilities of a monoculture.
  22. What exactly does "anti-Microsoft" mean? by ChangeOnInstall · · Score: 4, Informative

    What exactly does "anti-Microsoft" mean?

    Back in 97, I was working at a startup where we were using the usual array of Microsoft tools to create web-based applications: IIS, ASP, Visual Basic (COM controls), and SQL server. The more I learned, the more I grew not to like it. The straw to break the camel's back was finding a significant bug in MDAC (which was acknowledged by a high-level tech once the ticket was escalated), and then having to wait 6 months for a fix. We thus moved away from the MS platform to Java/Linux, a combination that we found to be superior for our needs. I haven't looked back since.

    I think I thus fall into the anti-Microsoft camp. I'd prefer to think of myself as being in the "pro-well-written-software" camp though. If Microsoft started writing good, secure, and interoperable software, I'd welcome them with open arms. My problem with MS is that in my "learned-the-hard-way" opinion, they don't.

    The author does not define the term "anti-Microsoft". So my question is, what connotation do people try and draw up with the term "anti-Microsoft"? In my opinion, fabricated terms that begin with "anti-" tend to be used to describe an irrational hatred of something, and that's what I'm seeing here.

    --
    What has *science* done?!? -- Dr. Weird (ATHF)
    1. Re:What exactly does "anti-Microsoft" mean? by Ciderx · · Score: 1

      You are right. What it is about is objectivity. Oddly enough, this is something I was thinking about earlier this week. I was on a panel for interviews for a new guy (oops, or gal!) for our server team.

      I decided one question I would use would be a curve ball question which was about strategy and in terms of technology, would they regard themselves pro towards Microsoft, Linux, open source or other technologies. 2 of the 5 guys I asked this to were savvy enough to say they would evaluate the technologies available at the time, but 3 said they leant towards Microsoft (2 of them) and Linux technologies. For those 3, I noted their response down as a bad thing. I wouldn't want people who lack objectivity on a team in charge of servers.

      I personally think it is a future problem for the IT industry because we see far too many people who adopt what I actually call a "slashdot attitude" - unable to evaluate technologies without their own personal feelings getting in the way.

    2. Re:What exactly does "anti-Microsoft" mean? by spectecjr · · Score: 1

      I'd prefer to think of myself as being in the "pro-well-written-software" camp though. If Microsoft started writing good, secure, and interoperable software, I'd welcome them with open arms. My problem with MS is that in my "learned-the-hard-way" opinion, they don't.

      Compared to whom?

      For example, compare Metrowerks Codewarrior to MS Visual Studio.

      Using Visual Studio is a pain in the ass.

      Using Metrowerks Codewarrior is like going into a gladiatorial arena, butt naked, bare fisted, and going up against a guy in armor with a chainsaw.

      That's why they call it codewarrior. Because you have to fight with it.

      sighs... ok, so maybe I'm just having a "can't believe they're so f*&*@*(# stupid" day compiling my coldfire code today. I wish I was using ARM and Embedded CE. At least that stuff's easy. The defaults make sense. The tools are correctly documented. And they don't just throw you a "Stationery Project" and expect you to go through it line by line to find out what the hell it is.

      So go ahead... good, secure, interoperable ... compared to what exactly?

      --
      Coming soon - pyrogyra
    3. Re:What exactly does "anti-Microsoft" mean? by doodleboy · · Score: 1
      The author does not define the term "anti-Microsoft". So my question is, what connotation do people try and draw up with the term "anti-Microsoft"? In my opinion, fabricated terms that begin with "anti-" tend to be used to describe an irrational hatred of something, and that's what I'm seeing here.
      Perceptive. Dismiss an entire movement with a swipe of the pen, regardless of how well-reasoned the objections may be.

      What really opened my eyes to the possibilities of free software was emailing a bug report to the developer of a free software program, getting a reply that day and a fix the next. Proprietary vendors simply cannot touch this level of support, at least not for mere individuals like myself. It's not so much that Microsoft is bad, although it is in many ways, but that free software is so much better.
    4. Re:What exactly does "anti-Microsoft" mean? by Peaker · · Score: 1

      Well, for some people it's about morality.

      I'd say those that lean towards Free Software are moral enough and man/woman enough to stand for their morals, at the cost of risking their acceptance to the job (On the other hand, why work for an immoral company?)

      Assuming that using the best technology for any given task is the best and most "savvy" option is arrogant.

      In my opinion, one should lean towards software that promotes Freedom and should avoid as much as possible Closed software.

      To exaggerate in order to make a point: What if you were asked to rape children as part of your daily job?

    5. Re:What exactly does "anti-Microsoft" mean? by Cecil · · Score: 1

      I would venture that Microsoft Visual Studio and Apple's Project Builder are the only two decent IDEs that I've ever used.

      On the other hand, though, Visual Studio is the only Microsoft product I've ever been able to say was decent. Its companion, Visual SourceSafe, is quite possibly the worst version control system I've ever seen. I think a source tree spread across multiple floppy disks would be more secure than having your code in a SourceSafe database.

      Just how much of a joke it is, even within Microsoft, is quite apparent. There is an option in Visual Studio .NET which has a special annotation which reads (approximately): "Warning, selecting this option with certain source control systems such as Visual SourceSafe can cause data loss or database corruption."

    6. Re:What exactly does "anti-Microsoft" mean? by sheldon · · Score: 3, Insightful

      MDAC in 1997? That would have been version 1.0. Version 1.5 didn't come out until the NT Option Pack was released in early 1998.

      So you're claiming that Microsoft has a record of not writing good software based upon a bug you found in a 1.0 version of a product?

      Fascinating. BTW, while we're at it... How many bugs have you found in your Java environment? How many times did you have to upgrade to fix them? Where was Java in 1997 and where is it today?

      "In my opinion, fabricated terms that begin with "anti-" tend to be used to describe an irrational hatred of something, and that's what I'm seeing here."

      Don't you have an irrational hatred of something?

    7. Re:What exactly does "anti-Microsoft" mean? by philovivero · · Score: 1

      I started my career in a Sybase/Microsoft shop, where we deployed (among other things) Microsoft solutions, like SQL Server on NT.

      The straw for me was when I called Microsoft because SQL server was crashing, spending ONE ENTIRE DAY on the phone with their support, to finally learn that it was a bug in their product.

      Solution? Upgrade your server.

      No, not "admittedly, it's a bug, we'll fix it," but "give us more money to get the latest version, with its own bugs, and oh, by the way, enjoy the migration from one RDBMS to another, because we like to watch you squirm."

      I, like the parent, started out my life liking Microsoft, because they had such a cool OS (NT) that gave me so many opportunities for work, but then I stopped being a selfish person and realised that every time I advocated a Microsoft solution, I was advocating burning money for the client. I was asking them to waste valuable resources, lay off other workers, all in favour of sending Microsoft some undeserved cash.

      Now I'm "anti-Microsoft." Because I like people to keep their jobs, and I like software that works, and I don't like being embarrassed when the multi-million dollar project I rolled out runs like an amateur wrote it.

      It should work right and all the time.

    8. Re:What exactly does "anti-Microsoft" mean? by schotty · · Score: 1
      I think I thus fall into the anti-Microsoft camp. I'd prefer to think of myself as being in the "pro-well-written-software" camp though. If Microsoft started writing good, secure, and interoperable software, I'd welcome them with open arms. My problem with MS is that in my "learned-the-hard-way" opinion, they don't.

      Can this be any more well put? That is really what it boils down to.

      They write shit code, and they are in truly desperate need to fix that. When they do, I agree that the closed source OS posterboy won't be that bad to use and deal with.

      I think that it is not Ballmer's idiot comments, but their sheer lack of quality that pushes most of us away from their product line.

      MS : If you are really listening, fix your shit and keep up to date. This is not a job security thing, but a reality check.
      --
      Sigs are nice guns ...
    9. Re:What exactly does "anti-Microsoft" mean? by r00zky · · Score: 1

      Well, it could be possible that the one "leant towards Linux technologies" had already "evaluated the technologies available at the _current_ time".

      --
      I'm a chainsmokin' alcoholic sociopath, so-ci-o-path
    10. Re:What exactly does "anti-Microsoft" mean? by tugrul · · Score: 1

      So you're claiming that Microsoft has a record of not writing good software based upon a bug you found in a 1.0 version of a product?

      No. The version of the product is really irrelevant to his main point, which you don't address in the process of deflecting.

      The straw to break the camel's back was finding a significant bug in MDAC (which was acknowledged by a high-level tech once the ticket was escalated), and then having to wait 6 months for a fix.

      I would expect more from a product I paid for, regardless of the vendor. Even the bias you may think the grandparent is operating under doesn't excuse the point.

    11. Re:What exactly does "anti-Microsoft" mean? by groundpig · · Score: 1

      ...and then having to wait 6 months for a fix.

      This is exactly the problem with big business and security. In big business, it is much more difficult to get a patch or new version released than for an open source product. The reason for the difficulty is the amount of verification needed because of government guidelines and the bureaucracy involved with releasing a new version or patch.

      For open source products, the developers usually do not have these restrictions and can test locally. This makes it far easier to release a patch or version upgrade. I'm not saying that open source products don't get as much testing as non, but there is definitely more bureaucracy involved with non.

      the pig

    12. Re:What exactly does "anti-Microsoft" mean? by naelurec · · Score: 1

      The answer is simple .. I found a platform which tends to work more like I want to work .. easy to automate repetitive tasks, very customizable and logical.

      Sure, a year or two ago I wouldn't mind having Microsoft Office and perhaps the Flight Sim on my box, but it's not available since Microsoft doesn't feel the need to be crossplatform savvy.

      What's interesting is all the major programs I use now on a daily basis ARE crossplatform.. Linux, BSD, Windows, Mac OS X .. you name it, there is probably a port.

      So why would I want to be locked into a specific vendor for ALL of my computing software needs if the products they are offering simply don't suit my needs?

      I like using OpenOffice, Mozilla, Apache, Python, PHP, etc.. and knowing I can load it up on virtually any computer I come across .. Not only will it load up on those computers, but unlike Microsoft's attempt at cross platform (ie Office for Mac vs Windows), it is virtually identical (except for perhaps the widgets).. No need to relearn items (or in the case of MS Office, finding out entire applications are removed or replaced by a completely different app)

      So does that make me anti-Microsoft? Perhaps. I like to think about it more as "Pro-software that fits my computing style & needs". Sure I used to use Microsoft (at one time, almost exclusively MS software) but have since found software that fits my needs better. If that makes me anti-Microsoft, then so be it .. but if someone claims I am irrational because I didn't pick the most popular software package, that is insane.

      Like you, if Microsoft provided software that fit my needs and they changed their business practices to be more aligned with what I believe are ethical guidelines for businesses, then I would have no qualms about considering using them in the future.

    13. Re:What exactly does "anti-Microsoft" mean? by ebyrob · · Score: 1

      bwahhahahhahha

      "no consideration" tee hee.

      ".NET better than what it ripped off" ho ho!

      First off... Java is FREE! Linux is FREE! Why the heck would he consider paying a cow when he can get the milk for free??!

    14. Re:What exactly does "anti-Microsoft" mean? by Haeleth · · Score: 1

      > What really opened my eyes to the possibilities of free software was emailing a bug report to the developer of a free software program, getting a reply that day and a fix the next. Proprietary vendors simply cannot touch this level of support, at least not for mere individuals like myself.

      Your example is mistaken. I have personally experienced this level of support from commercial software companies, when I have contacted them in my ever-so-important capacity as... an unemployed student working on minor projects in my spare time. The companies in question were small one-or-two person outfits. In other words, the implication is that it is the size of the project, not its business model, which is significant.

      My experience of reporting bugs to free software projects, by the way, is that the standard response is "this is free software, fix it yourself." Now that's what I call support.

    15. Re:What exactly does "anti-Microsoft" mean? by Peaker · · Score: 1

      That was an exaggeration to make a point.

      The best technical option is not always the option you should choose.

      Some people value the Freedom of speech in its form of software above the few extra dollars.

      I did not even imply that I had preferred it, but that these people were brave enough to stand for their morals above their financial requirements.

    16. Re:What exactly does "anti-Microsoft" mean? by Peaker · · Score: 1

      Commercial software development not only gives me freedom of speech, it feeds my family. Such a higher cause is far more moral than your zealotry.

      You demonstrate ignorance. "Commercial" has nothing to do with open/closed software.

      Commercial Free Software is fine. Commercial closed-source software is immoral. Same with non-commercial software.

      Distributing closed-source software under restrictive licensing limits everyone's freedom of speech with regard to that piece of software and increases the dependency of people on closed solutions from which one cannot learn and get inspired to create new works.

      You can work doing commercial Free Software development, feed your family and promote Freedom.

    17. Re:What exactly does "anti-Microsoft" mean? by travisb · · Score: 1

      I must agree with your position. I have very few problems with MS technology. Although I believe some things are harder than need be due to what can only be marketing requirements finding their way into the applications.

      My issues with MS are based almost completely on policy. Continuously MS is hindering the growth of the industry as a whole. I expect though that the problem is bigger than just MS; after all, it should be the goal of any company to become more and more profitable. Here we see an example of Capitalism failing miserably. Not, mind you, that I could offer a better alternative, but I think Open Source is providing an interesting new age in public involvement and self determination.

      This is a revolution of historic proportions and we are all part of it.

  23. reset by quixotiCfluX · · Score: 1

    Ahh, forget all that, the solution is for everyone to develop and build proprietary systems inhouse, so NOTHING is the same company to company...

  24. Re:Michael is a hippie. by An+Onerous+Coward · · Score: 4, Funny

    The last time one of Rob Enderle's stories hit Slashdot, I went and did some googling around. An hour later, I had absolutely no evidence that the set of analysts comprising the Enderle group was any larger than the set composing Rob Enderle himself.

    He probably has a stuffed penguin as a technical advisor, and I'd also bet that his technical advisor frequently gets pins stuck in him.

    --

    You want the truthiness? You can't handle the truthiness!

  25. block articles by Rob? by nacturation · · Score: 1

    Probably the best thing to do to prevent disinformation from entering your company is to block articles by Rob Enderle.

    Given the recent FUD from "our own Roblimo", I think it might be good to block articles from anyone named Rob if you're looking for honest information.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  26. Vote with your dollars by rnd() · · Score: 1

    If you don't like Microsoft, for whatever reason, don't buy their software...

    If the benefits outweigh the risks for you, then buy their software.

    If not, don't.

    I don't see why it's considered so interesting whenever some "expert" comments on the security of Microsoft software.

    --

    Amazing magic tricks

    1. Re:Vote with your dollars by El · · Score: 1

      The problem is that the intersection of the set of people that have a clue about software quality with the set of people that are signing the checks is a null set.

      --

      "Freedom means freedom for everybody" -- Dick Cheney

    2. Re:Vote with your dollars by rnd() · · Score: 1

      People should take responsibility for the security of the software they use. Experts can publish statistics, but a lot of the discussion about the "phenomenon" of Microsoft and its impact on security is rather absurd.

      --

      Amazing magic tricks

    3. Re:Vote with your dollars by rnd() · · Score: 1

      I don't see how this analogy holds, or even makes sense for automobiles.

      Do you honestly think that if a particular brand of automobile actually caused more accidents, that people wouldn't avoid it on their own, if for no other reason than the fact that insurance premiums would be outlandish?

      If you own an ISP with colocation services and frequent Windows worms cause your bandwidth to get swamped now and then, raise the price on Windows hosting to cover your bandwidth costs...

      --

      Amazing magic tricks

    4. Re:Vote with your dollars by Zontar+The+Mindless · · Score: 2, Insightful
      Do you honestly think that if a particular brand of automobile actually caused more accidents, that people wouldn't avoid it on their own, if for no other reason than the fact that insurance premiums would be outlandish?
      No, I do not.

      Ever hear of something called an "SUV"?
      --
      Il n'y a pas de Planet B.
    5. Re:Vote with your dollars by rnd() · · Score: 1

      SUVs don't cause more accidents compared to other vehicles. If they did they'd be way more expensive to insure. I went from a 4 door sedan in my last lease to a smaller SUV in this one, and I pay $30 less per month in insurance fees. Same insurance company, same plan, etc.

      --

      Amazing magic tricks

  27. A reply to him... by Realistic_Dragon · · Score: 1

    (Also sent by e-mail.)

    Hi there,

    I just read your article at internetweek (Opinion: Reasons To Shun Open Source-ry) and I must say that although I don't agree with your opinions I think you have some backbone to say them in public :o)

    Of particular amusement was this part:

    "He is contemplating building an open source-free saferoom in his solar-powered home."

    I only hope that you weren't planning on installing Windows on any of those machines as the Windows TCP stack and Microsoft SFU are (Free|Open)BSD derived code. Longhorn will include elements of ksh (free) and several other new 'innovations' also derived from Open Source (although not GPL) code. You can't even dive for Apple who use Darwin (free, BSD derived) and khtml (free, developed on Linux) as well as other things - or Solaris (ships huge quantities of GNU applications). Almost every operating system on earth is now 'tainted' by code donated because when the marginal cost of something is zero, giving it away helps the whole world benefit.

    We might not do it better all the time, but every now and again our community turns out something that everyone can see is better (Apache for example) and quite often they even beat a proprietary vendor at their own game (Samba versus Windows/CIFS). Given another time, every closed source tool will be replaced with something open, and resources will be redeployable into something more worthwhile as the market dictates.

    Good luck anyway,

    --
    Beep beep.
    1. Re:A reply to him... by callforsco · · Score: 1

      **email text deleted**

      ... and I sent him the following message:

      Dear Sir,

      I just read some of your articles, including open source-ry and "in defense of the microsoft monoculture".

      You ever heard of the newspeak word 'duckspeak'? To hold a position unthinking, to quack like a duck?

      Well you sir, quack like a duck.

  28. Just another doofus, move along... by doodleboy · · Score: 2, Interesting
    There will always be apologists for the rich and powerful, be they journalists, politicians, or supposedly impartial "analysts" like Enderle. Such people are responsible for the endless flood of Microsoft-sponsored "studies" purporting to show that Windows is more secure, more stable, has a lower total cost of ownership, wipes your ass for you, etc. So when Enderle says
    I'm not a big fan of diversity because so much the research I've done over the last decade or so indicates that by eliminating diversity you can dramatically reduce costs. Companies can minimize support costs by rolling out identical hardware and software to every desktop through big bang deployments. Going the other way in a knee jerk reaction to just one class of security threat seems poorly founded.
    he seems not to have considered the cheapest possibility - a monoculture of free software, which has lower cost, better security, and higher performance. Now how is that?
    1. Re:Just another doofus, move along... by dbirchall · · Score: 1

      Darn tootin'. Even a monoculture of Macs would be more secure (since that's the buzzword in play), although price and performance would be more of a wash.

    2. Re:Just another doofus, move along... by Maverick+Hunter+Zero · · Score: 1

      Such people are responsible for the endless flood of Microsoft-sponsored "studies" purporting to show that Windows is more secure, more stable, has a lower total cost of ownership, wipes your ass for you, etc.

      Clippy: Hey! It looks like you are taking a dump! Would you like MS Office TP to wipe your ass for you?

      *Yes
      *No
      *What's MS Office TP?
      *Completely Irrelevant Option 1
      *Completely Irrelevant Option 2
      *Fuck off already!

      --
      --Z
  29. Ha ha ha by 0spf · · Score: 1

    Oh the ring of keys analogy really works for me. What planet is this guy living on? I am soon implementing a program where we are going to remove the power supplies from all computers in the company and servers achieving 100% airtight, bulletproof security and reducing support costs to nothing.
    /sarcasm

    snip/
    "One of the biggest problems caused by diversity is that it become very difficult for the IT staff to maintain equal competence on all platforms. The IT staff will have to focus more resources on keeping these systems interoperating and have fewer resources available to concentrate on things like securing the site."
    /snip

    I would love to have my IT staff focusing on something other than the virus or patch of the week. They are getting real good at disinfecting and patching Microsoft machines.

  30. Another crackhead writer by c1ay · · Score: 1

    This guy's really a goofball trying to make the argument against diversity as a tool to gain fault tolerance. NASA makes the argument for diversity in life-critical software systems and NIST studies show its value in High Assurance Systems. KLabs has found the use of diverse and redundant systems on spacecraft offers high protection against failures due to design deficiencies and that it can offer lower cost where the backup system is used as a lifeboat for the primary system.

    --

  31. Funny by Pan+T.+Hose · · Score: 5, Interesting

    It may be funny, but sadly some people do really think that firewalling port 80 (or 8080, or 21, or 20, or 22, or 443 -- et cetera, ad nonsensum) is the answer indeed. Some people may be surprised (not Slashdot readers though, mind you) but there simply is no simple answer. There is no working snake oil. The buzzword of the week alone will not save you. What are my answers then? Simple. Read Security Focus. Read Crypto-Gram. Read Phrack. Read the underground IRC discussions. Read encrypted Usenet posts. Read the articles posted on Freenet. Read the books for god's sake! Read about systems. Read about networking protocols. Read about cryptography. Read about cryptanalysis. Employ honeypots in every network. Learn C. Learn Assembly (Intel as well as AT&T syntax, for different CPU architectures). Learn executable binary formats. Learn how to see polymorphic shellcodes in network packets hex dump, just looking at tcpdump output scrolling on your terminal. Learn how to speak different protocols (http, smtp, pop3, etc.) with netcat, then making your own tcp packets, then your own hand-made ip packets, then ethernet, ppp and slip. Learn. Read. Then learn some more. Read. Read. Read. And learn the one most important thing: security is not easy. When everything fails, you are on your own.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
    1. Re:Funny by Brandybuck · · Score: 2, Funny

      Or you could just make sure everything is off. I don't know how much more simple you can get. Of course, you do need a little bit of education to know how to tell that you really do have everything off, but it's still a heck of a lot simpler than learning assembler.

      Oh! We're talking about Windows. Maybe learning assembler is easier...

      --
      Don't blame me, I didn't vote for either of them!
    2. Re:Funny by Peaker · · Score: 1

      Well, it doesn't seem people are really searching for a solution, or they'd be working to implement Capability Systems to replace the crappy ACL systems we have today, that provably and significantly reduce many of today's security problems.

    3. Re:Funny by perlchild · · Score: 1

      You do realize that depending on the "Threat" for some people your remedy is worse (i.e. more trouble) than the actual threat, unless it actually leads to litigation... On a completely different perspective, lots of "security" has been focused against defending against "something" but until you identify that something, you ain't that much further ahead. Case in point being internal security threats (actual employees abusing actual access required by their jobs to do unauthorized things)... That's also a part of security. Most people who like firewalls forget how important WHO you are defending against is also just as important... Not just what their ip is, but their skills, mindset and goals...

    4. Re:Funny by Geek+of+Tech · · Score: 2, Funny
      > It may be funny, but sadly some people do really think that firewalling port 80 (or 8080, or 21, or 20, or 22, or 443 -- et cetera, ad nonsensum) is the answer indeed. Some people may be surprised (not Slashdot readers though, mind you) but there simply is no simple answer. There is no working snake oil. The buzzword of the week alone will not save you. What are my answers then? Simple. Read Security Focus. Read Crypto-Gram. Read Phrack. Read the underground IRC discussions. Read encrypted Usenet posts. Read the articles posted on Freenet. Read the books for god's sake! Read about systems. Read about networking protocols. Read about cryptography. Read about cryptanalysis. Employ honeypots in every network. Learn C. Learn Assembly (Intel as well as AT&T syntax, for different CPU architectures). Learn executable binary formats. Learn how to see polymorphic shellcodes in network packets hex dump, just looking at tcpdump output scrolling on your terminal. Learn how to speak different protocols (http, smtp, pop3, etc.) with netcat, then making your own tcp packets, then your own hand-made ip packets, then ethernet, ppp and slip. Learn. Read. Then learn some more. Read. Read. Read. And learn the one most important thing: security is not easy. When everything fails, you are on your own.

      Great idea! After I get done with that, I think I'll teach the users the difference between real error messages and banner ads.....

      --
      Stop the Slashdot effect! Don't read the articles!
    5. Re:Funny by Peaker · · Score: 1

      Hey Kuwanger, Long time no see! Any idea where the rest of the gang can be found these days? :)

      Capabilities would definitely diminish MSBlaster like attacks, because the RPC service would only have capabilities to accept connections on port 135 and to do very specific things, not including the creation of new connections to other 135 ports. This means that once taking over an RPC service, one cannot make it redistribute itself.

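The confinement property Peaker describes, as an added illustration that is not part of the thread: a toy object-capability model in which a request handler is handed only a "listen" capability, so a hijacked handler has no reference through which to open outbound connections. `Network`, `ListenCap`, `ConnectCap`, the host list and the handler environment are all constructed for this example; the point shown is that authority is whatever the code can reach, not whatever the process identity is allowed.

```python
"""Toy object-capability model of the RPC-service confinement argument.

Under ambient authority (the ACL world) any code in the process can open
outbound connections. Under capability discipline the handler only holds
what it was explicitly given. Everything here is constructed for illustration.
"""
from dataclasses import dataclass, field


class NoAuthority(PermissionError):
    """Raised when code tries to use a capability it was never handed."""


@dataclass
class Network:
    """Constructed stand-in for the network: records attempted outbound connects."""
    outbound: list = field(default_factory=list)


@dataclass(frozen=True)
class ListenCap:
    """Capability to accept requests on one port, and nothing more."""
    port: int

    def accept(self, request: bytes) -> bytes:
        # The legitimate job of the service: answer a request on its own port.
        return b"ack:" + request


@dataclass(frozen=True)
class ConnectCap:
    """Capability to open outbound connections; self-propagation needs this."""
    net: Network

    def connect(self, host: str, port: int) -> None:
        self.net.outbound.append((host, port))


def hijacked_handler(env: dict) -> int:
    """Simulates a subverted handler that tries to reach other hosts.

    It can only use objects reachable from its environment dict. Returns the
    number of outbound connections it managed to open.
    """
    targets = ["10.0.0.2", "10.0.0.3", "10.0.0.4"]  # constructed addresses
    connect = env.get("connect")
    if connect is None:
        raise NoAuthority("no ConnectCap reachable from the handler")
    for host in targets:
        connect.connect(host, 135)
    return len(targets)


def run_ambient(net: Network) -> int:
    """ACL-style process: the handler can see the connect authority."""
    env = {"listen": ListenCap(135), "connect": ConnectCap(net)}
    return hijacked_handler(env)


def run_capability(net: Network) -> int:
    """Capability-style process: the handler is given only the ListenCap."""
    env = {"listen": ListenCap(135)}
    try:
        return hijacked_handler(env)
    except NoAuthority:
        return 0  # the service still works, but cannot be turned into a spreader


def serve_normally(request: bytes) -> bytes:
    """The legitimate code path works with just the ListenCap."""
    return ListenCap(135).accept(request)
```

Running `run_ambient` records three outbound connects; `run_capability` records none while `serve_normally` still answers requests, which is the whole argument: the service keeps exactly the authority its job needs.
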
    6. Re:Funny by leonbrooks · · Score: 1
      There is no working snake oil.

      Working from behind NAT and with no ports open comes pretty close.

      Not so good for services, BoC you can jail those, and most of them can even be put in a read-only jail. Run those services on a MIPS or Alpha box and rare indeed is the day a crack will succeed.

      --
      Got time? Spend some of it coding or testing
    7. Re:Funny by mawwuk · · Score: 1

      Right... and do everything yourself? There is one other alternative. Just don't use Windows with its reputation of having no security whatsoever.

      There are enough other systems you can run... I'd say go for Mac (but heck, I am a Mac freak)

  32. Showing a Heavy Microsoft Bias by Smurfboy · · Score: 1

    Note the article titles of previous pieces by the same author:
    PREVIOUSLY BY ROB ENDERLE:
    - Microsoft: Hated Because It's Misunderstood
    - Reasons To Shun Open Source-ry
    - Linux Is Not Ready For the Enterprise

    Sure, it's quite possible that he's a Microsoft advocate by choice, but after skimming his previous articles, I'm left seriously wondering if he's compensated to write these obviously pro-Microsoft propagandish articles.

    --
    k.h.
  33. key ring example by neoThoth · · Score: 1

    This seemed flawed in the explanation. If you have a 'master' key then breaking into the desk would make it so any door could be opened. Having a 'ring of keys' makes it more difficult after the theft as no single key will grant access to the kingdom. The breach of course was the inept lady who kept her ring of keys in a desk.
    Also the first port listed would be more accurate. IIS has always been the biggest flaw in their operating system. IIS6 will be exploited by the end of the year (my prediction.. well more of a highly informed guess :)

  34. Hey Michael by Pave+Low · · Score: 1
    Probably the best thing to do to prevent disinformation from entering your company is to block articles by Rob Enderle.

    You can say the same thing about slashdot, home of "news" that may or may not be true, doomsday scenarios that Microsoft is responsible for, and the US government coming after you stories.

    P.S. This is a direct, ontopic editorial comment responding to the article text.

    --
    SIG:Slashdot: indymedia for nerds.
  35. Did I misread something by theolein · · Score: 1

    I didn't see much which actually addressed actual problems in Enderle's "solutions". Closing port 135 will not address Sobig type mail worms, neither will putting all the users machines in a server room. His point about MSOffice on the Mac avoids the source of most viruses as well, Outlook.

    Not only this, but he contradicts himself when he talks about saving money with a single platform in one sentence but then talks about buying more AV products in another.

    Mr. Enderle, what was your point again and can I get a job like yours where I make money by praising some company willing to pay for it.

  36. typical by sootman · · Score: 1

    "One of his suggestions to secure your enterprise... turn off port 80 [135]"

    No, no, no: turn them *all* off, and *open* them as needed. Jeez. They just... don't... get it. And then they come back later and say "windows and unix are equally secure, windows just gets attacked because it has more market share." They just do not understand basic security concepts.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  37. Real Security by Newsome · · Score: 2, Funny

    That won't really do either. If you want a real secure computer, here is a nice howto.

    --
    http://www.tuxrocks.com/
    1. Re:Real Security by Ianoo · · Score: 1

      Damn, that site made me spit coffee all over my poor computer screen!

  38. He's right... by chill · · Score: 3, Insightful

    The article advocates doing actual *STUDIES* to backup the call for diversity. It also calls for other methods that are basically best practices for a business: a disaster recovery plan, proper backups, firewalls & IDS and managed desktops.

    There is nothing wrong with anything he advocated in this article. Getting supporting evidence and adding diversity to a proper BC/DR plan is 100% correct.

    What he fails to acknowledge is that Microsoft has, for its entire history, made security an afterthought that always lost to convenience.

    Windows 95, 98 & Me were designed as *consumer* OSes, not corporate clients. Consumer OSes had no need for all those network services and ports being open by default. These systems were designed for home users, not businesses. WinNT, 2000 and XP Pro are different animals and are designed to be used in LANs where many of those services are going to be needed.

    The DUN 1.4 update should have patched those Win95/98 systems to lock down almost every incoming port short of DHCP, NTP and DNS returns.

    While MS has made noise recently about an emphasis on security, their actions speak louder than words. WinXP, while more stable than Win98/Me, seems to be just as vulnerable to security problems as other versions of their OS.

    Even though Win95 and Win98 are no longer officially supported, MS needs to release one last patch that locks many of those ports down.

    Unfortunately, no patch in the world will stop clueless users from clicking attachments without looking.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:He's right... by pjrc · · Score: 1
      Unfortunately, no patch in the world will stop clueless users from clicking attachments without looking.

      But simply not executing attachment code would be a very easy patch. Then it wouldn't matter if clueless people clicked on them or not.

      The conspiracy theorist in me suspects that taking such a simple and effective measure now would seriously lessen the demand for secure or "trusted" computing in a couple years from now.... and Microsoft can't afford to miss the lock-in potential the Next Gen Secure Computing Platform (or whatever they're calling it now) will bring.

  39. Up to their old tricks. by Ungrounded+Lightning · · Score: 1

    Back in 97, I was working at a startup where we were using the usual array of Microsoft tools to create web-based applications: IIS, ASP, Visual Basic (COM controls), and SQL server. The more I learned, the more I grew not to like it. The straw to break the camel's back was finding a significant bug in MDAC (which was acknowledged by a high-level tech once the ticket was escalated), and then having to wait 6 months for a fix.

    I see they're up to their old tricks.

    Back in the REALLY early days (MS-DOS on Peanut, I think, but it MIGHT have been the Altair/Imsai days) I happened to be reading the letter column of Byte magazine and ran across a complaint from a really early Microsoft user.

    Seems Microsoft had come out with a Fortran compiler. The letter-writer had found a bug in how it handled one of the terms of formats - one he REALLY needed to work right to port some software from a mainframe to a personal computer. He had reported it. But they hadn't fixed it. After much escalation he finally got a statement from them that they KNEW it was a bug and were NEVER going to fix it. Thus his letter.

    After reading that I spent my entire career avoiding Microsoft software. It's decades later and I haven't regretted it for a minute.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Up to their old tricks. by kfg · · Score: 1

      People like to say that Microsoft is hated because they are big and successful.

      Balderdash. Microsoft has been one of the most hated software companies ever since their inception as a pissant little outfit making interpreters for hobbyist computers.

      Why? Because of the way they behave.

      Nowadays I think the situation is turned around, the only reason some people seem to like them is because they are big.

      Too big to ignore.

      I can't think of any other reason to put up with the sort of treatment they give their customers.

      KFG

  40. Keymaker? by psychogentoo · · Score: 1
    For instance, in one site, they used different door locks and therefore couldn't use a master key. The central administrator kept a ring of keys for all of the doors, and put the keys to the confidential office safe on the same ring. It was relatively simple to penetrate her desk to get this ring of keys and access virtually everything.

    Didn't Neo use this exploit to gain access to the Architect?

  41. I tried that for years. by Ungrounded+Lightning · · Score: 1

    If you don't like Microsoft, for whatever reason, don't buy their software...

    I tried that for years. But the hardware manufacturers wouldn't sell me a machine without their software on it - paid for out of the retail price of the machine. B-(

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:I tried that for years. by doodleboy · · Score: 1

      Just build your own computers. You can get better quality, exactly the parts you want, at a good price. My personal machine has lots of ram, a big hard drive w/8 mb cache and 3 year warranty, a good burner also w/8 mb cache and burnproof, etc. All the stuff I want, nothing I don't, and the price is right.

      I don't see the point in paying for Windows or Office if I'm just going to wipe them anyway.

    2. Re:I tried that for years. by rnd() · · Score: 1

      Uh, then buy some parts on PriceWatch and build your own machine. I mean, it's simple enough and just about as cheap as you can go for a new pc (except for the occasional awesome promotion from Dell)...

      --

      Amazing magic tricks

  42. Survivability - Not Security by BSDorBSOD · · Score: 1
    The ZDNet article addressed survivability, not security. The "counter" article on Internet Week completely ignored the survivability aspect and countered instead the security concerns of a monolithic computing environment. Both are correct.

    To condense and paraphrase the articles, the ZDNet article said "do not put all your eggs in one basket" while the Internet Week article said "keep it simple stupid." And according to Dogbert's Top Secret Management Handbook all truth comes from hackneyed sayings. Ergo, we know that both are correct.

  43. WTF Is This Post? by ThreeToe · · Score: 1

    You hate Microsoft? Well, you've got friends here at Slashdot.

    But why do Slashdot's editors have to broadcast pointless invective such as this? The post is of a contentless article prefaced with mean-spirited and libelous accusations.

    You hate Microsoft? Defend your hatred intelligently.

    I happen to like Microsoft today. My mom just got broadband and upgraded to WinXP. Herself! And she got on the Internet and sent me an e-mail via Outlook Express. This is the same mom who, a few years ago, was still inserting floppy disks upside down. Microsoft enabled my Mom to be a part of this great Internet thing. That's way frickin' cool!

    1. Re:WTF Is This Post? by im+a+fucking+coward · · Score: 1

      You hate Microsoft? Defend your hatred intelligently.
      The same way you cheer for M$?
      Microsoft enabled my Mom to be a part of this great Internet thing. That's way frickin' cool!
      Just kiddin'. Many of us have made a ton of $ by admin'ing MS products. I'm happy as heck they gave me an affordable entry into the amazing world of IT.
      But as you'll soon come to discover, when you're awakened @ 3:00 am. by an emergency page because the Exchange servers have just crashed for the 10th time this month, and 500 employees are coming into work in 4 hours, and CO. X will lose million$ in man hours, the MS OS can be downright hilarious!
      Good luck to you and your mom, they never fixed that memory leak in XP, so if she uses MS Office, the machine will slow to a crawl in a month. If she just surfs with IE, it might make it 'til Christmas. That'll be hilarious too!
      Welcome to our world :-)

      I'll bet nobody advertised this perk when you plunked down two grand for a computer, huh? Get ready to be dazzled!!

      Honestly, if you do any corporate work on computers, you come to discover that MS ain't the only game in town. If you're supremely lucky, some of your clients will make you try a free OS that mysteriously runs like a bat outta hell. Good luck skippy! Enjoy the frivolity!

  44. Looks like Enderle's Counterpoint 'Product' by samj · · Score: 1

    http://www.enderlegroup.com/

    Provides consulting services during the review process of a poorly founded negative piece on a vendor or its products and, should it be needed, showcases the research errors, statistical mistakes, and unfounded conclusions that often define such a piece.

  45. typo in the article by sootman · · Score: 1

    "Microsoft chief executive Steven A. Ballmer said yesterday that there is "much, much, much" left to do to protect computer users from viruses, worms and other malicious software."

    Where he said "computer users" I think he meant to say "Windows users." Linux, BSD, Mac OS X, hell, pretty much every OS besides Windows has this pretty much sewn up. Not perfect, but on a security scale of 1 to 10, where 1 is "r00ted in 30 seconds" and 10 is "powered off", Windows is about a 2 and *nix is about a 9.8.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  46. Slashdot Poster Posts to Slashdot by serendigital · · Score: 1

    From the redundancy department of redundancy. Microsoft Apologist Apologizes for Microsoft. Couldn't resist.

  47. another typo by sootman · · Score: 1

    "It will ship Windows with security precautions activated that are now left off -- for instance, a firewall program that stops Internet worms such as Blaster."

    I think he meant "Windows worms," not "Internet worms," since his example, Blaster, is in the first category. My Mac OS X firewall can be on, off, or sugar coated, I *ain't* gonna get fucking Blaster on it.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  48. Ports open on my system by Brandybuck · · Score: 1

    Running FreeBSD, checking what ports are open...

    None. I'm not running a server, so I never turned anything on. inetd is off. Every connection made is by my explicit command.

    Why this isn't the default on every single operating system out there is beyond my comprehension.

    --
    Don't blame me, I didn't vote for either of them!
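
Brandybuck's "check what ports are open" and sootman's "turn them all off, open them as needed" amount to one routine: audit the listening sockets against an explicit allow-list and treat anything else as a finding. The following is an added example, not code from either poster, that parses BSD-style `netstat -an` output (a constructed sample is embedded, labelled as such) and reports listeners outside the expected baseline; the allow-list contents and the option to ignore loopback-bound sockets are assumptions of the example.

```python
"""Audit listening sockets against an allow-list.

Parses the output format of BSD netstat -an (local address written as
addr.port) and flags every listener that is not in the expected baseline.
The sample output below is constructed for this example.
"""

SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 10.0.0.5.49152         10.0.0.9.443           ESTABLISHED
udp4       0      0 *.123                  *.*
udp4       0      0 *.514                  *.*
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_listeners(netstat_output: str) -> list:
    """Return (proto, address, port) for every listening socket in the output.

    TCP sockets count only in the LISTEN state; a UDP socket bound to a local
    port is always a listener because UDP has no connection state.
    """
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # header lines and anything that is not a socket row
        proto = fields[0][:3]
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue  # established or closing TCP connections are not listeners
        addr, _, port = fields[3].rpartition(".")  # BSD writes addr.port
        listeners.append((proto, addr, int(port)))
    return listeners


def unexpected_listeners(netstat_output: str, allowed: set,
                         ignore_loopback: bool = True) -> list:
    """Listeners not covered by the allow-list of (proto, port) pairs.

    With ignore_loopback=True, sockets bound only to loopback are skipped,
    since they are unreachable from the network; set it to False for a
    stricter audit where every listener must be justified.
    """
    findings = []
    for proto, addr, port in parse_listeners(netstat_output):
        if ignore_loopback and addr in LOOPBACK:
            continue
        if (proto, port) not in allowed:
            findings.append((proto, addr, port))
    return findings


if __name__ == "__main__":
    baseline = {("tcp", 22)}  # assumed baseline: only sshd is expected
    for finding in unexpected_listeners(SAMPLE_NETSTAT, baseline):
        print("unexpected listener:", finding)
```

On the constructed sample with sshd as the only expected service, the audit reports the NTP and syslog UDP listeners bound to all interfaces; the loopback-only SMTP listener shows up only under the strict setting. Feeding it real `netstat -an` output from a FreeBSD host is a one-line change in the caller.
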
  49. Let me see if *I* get it then... by khenson · · Score: 1

    So you're saying that our *nix systems DO turn on/off ports as needed then...?

    Because if not, the original statement placing security in the hands (and head) of the user/administrator is correct. Proper security methodologies can never, will never, have never been a function of the OS. While some OS's are more conscious of security than others in their design they are not the "base" for implementation.

    That "base" is conceptual and subject to the intelligence and wisdom of the user.

    After all - I trust NO OS for security implementations because I have effectively trusted someone else at that point and quite simply - that doesn't sit well with me.

    Gene Hackman said it best in The Replacements about who wanted to carry the ball when it really counted - "Winner's always do..." - When it comes to security I don't want Symantec, DLink, Cisco, LinkSys, Microsoft, Linux, BSD, CheckPoint, etc... carrying the ball for me...

    I will carry that ball myself... and I trust no-one...

  50. Actually, he's half right by Crag · · Score: 1

    I'm a sysadmin at a major online media company with a large-eared mascot where we have about 700 windows and 100 unix servers. We have competent people tightening everything, but for historical and political reasons our production environment is exposed to our desktop environment, and we were heavily impacted by several worms.

    If we had a mono-culture consisting entirely of Free Software, we would be completely unexposed and invulnerable to threats introduced via email. :)

    In all seriousness, security analysis in our environment would be a lot simpler if we had fewer varieties of software to contend with. It's true that any compromise would be a more complete compromise, but automating our security would be much simpler at the same time. As it is, we have virtually every desktop and server OS available for i386, PPC and sparc, and it's a security nightmare. I have a lot of respect for the folks I work with for keeping it all under control.

  51. slashdot proves once again it's not credible. by geekee · · Score: 1

    So someone writes an article saying it's not very practical to run multiple OSs in a work environment solely for security, and probably not more effective since if anything goes down, it'll probably hinder everything. Further he says earlier reports produce no quantitative evidence to show whether or not there will be a cost reduction in pasting together different systems to improve security. Also there is no mention of port 80 in the article. The article's points are reasonable, but not surprisingly slashdot is on a smear campaign that makes the LA Times look objective. Consider this, if Linux was the prevalent OS, would you still make the argument that people should diversify away from Linux to improve security? If your answer is no, you should consider your opinion biased. Anyway, the anti-MS tirade is getting old, and /. should get some objectivity if they ever want to be considered a credible news source.

    --
    Vote for Pedro
    1. Re:slashdot proves once again it's not credible. by Dr.Dubious+DDQ · · Score: 1
      [...] if Linux was the prevalent OS, would you still make the argument that people should diversify away from Linux to improve security?

      I don't know about anyone else, but I know I would. I think networks should include both OS's, Linux and Mac OSX. I'd say BSD, too, but I heard it's dying...

  52. Sponsored FUD? by samj · · Score: 1

    This is perhaps the most ridiculous, biased, inaccurate drivel I've read all year. The fact that it's published as an 'authoritative' piece when in fact it's probably no more than sponsored FUD[1] is concerning, and is precisely why I won't be wasting my time reading Information Week in the future. It doesn't take a rocket scientist to work out that monocultures are nothing short of dangerous, and it's a shame to see a more reputable firm like Gartner being criticised for drawing our attention to an important issue.

  53. THAN! Than, than, than, than, than... by outrage98 · · Score: 1

    ...his paper never gets past being more then just pro-Microsoft

  54. where the hell is this guy posting at? by t0ny · · Score: 1

    And WHAT, exactly, about your experiences at this place would have made you expect a bit more?

    --

    Manipulate the moderator system! Mod someone as "overrated" today.

  55. Re:OT: What the hell is wrong with Slashdot? by jeffasselin · · Score: 1

    Or I get timeouts, same here. It's been that way the whole day since 12.

    --
    If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
  56. microSoft - a class all its own by KRzBZ · · Score: 1
    Enderle, last statement: "Going the other way in a knee jerk reaction to just one class of security threat seems poorly founded."

    Seems to me that the "one class of security threat" he is referring to is the microsoft product line...

    Really, this guy Enderle, he's just a paid shill for m$ and $CO. What a wuss. It must suck to wake up every day as a spineless, totally whipped pussyboy, knowing that your whole life is a sham, that all you are is a mouthpiece for the company that lines your pockets. I mean, where is the satisfaction in a good days work, a sense of accomplishment with what you are doing with your life? "Oh boy, I really lied to those suckers today. Whoot! Barkeep - Another round, on me!".

    Glad I live a life unlike that one. I enjoy my freedom - life on a leash would *suck*.

  57. The point by t0ny · · Score: 1

    If you are letting email-borne trojans into your network, your operating system is the least of your problems.

    --

    Manipulate the moderator system! Mod someone as "overrated" today.

    1. Re:The point by t0ny · · Score: 1
      1. Try logging in, jackass. If you are going to lie and troll, you can at least be a man about it.

      2. Saying "oh, well, if, um, your firewall goes down, and, um, you stop blocking trojans in your email, and, um, if a hacker teleports into your server room, blah blah blah, is really dodging the issue (as well as making stupid excuses).

      The fact of the matter is that, as long as a corporation is following established best practices, they can run whatever they want and will be safe in the vast majority of cases. In the remaining tiny minority of cases, which OS they are running is the least of their concerns.

      And from your statement, it's obvious you have no clue regarding risk management or computer security. So just go back to studying for your high school classes, junior, and leave this big stuff to us adults, mkay?

      --

      Manipulate the moderator system! Mod someone as "overrated" today.

  58. feedback@internetweek.com by Sevn · · Score: 1

    Dear Internet Week,

    Please stop publishing stories by Rob Enderle as it is hurting your reputation and "technology street cred". His stories are filled with obvious bias and fanboyism. Even though his error packed rants may generate a lot of page hits, I guarantee that they are not generating any sort of revenue. It probably would not be very hard to look into it for sure and find out I'm right. If you do your own investigation, you'll find out that the "Enderle Group" is made up of one person: Rob Enderle. He has never been taken very seriously and will never be considered an expert. The amusing nickname that people in the industry that do know security have given him is "Microsoft's Sock Puppet". Please consider doing your fine publication the strong service of issuing a retraction and apology for the ridiculous article you published by this supposed "expert" and never publish anything by him again. It still may not be too late to mend the damage this has done to your reputation.

    --
    For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
  59. Authors routinely get bashed by the extremists by mrscott · · Score: 1

    I have written hundreds of technical articles - some with positive things to say about MS, some with negative things about MS, some with positive things about Linux/open source projects and some with negative things about Linux/open source projects. For EVERY article that I have written which portrayed a negative stance on a Linux/Open Source project, I got ripped to pieces, accused of being pro-MS and anti-open source, and called a whole lot worse. Never at any other time unless the article wasn't very good (fortunately that's only happened once or twice out of the 200). It kinda sucks that people who actually enjoy working with and writing about the technology get bashed when they say something negative -- even when they back it up with hard facts.

  60. Ask any Microsoft employee or contractor... by Saint+Stephen · · Score: 1

    Ask any Microsoft employee or contractor where Code Red, Nimda, Slammer, attacks are the worst: they will tell you: on CorpNet. This is where ITG supposedly runs "the perfect network."

    Weigh that into your decision as to whether or not the Microsoft monoculture can prevent hacks.

  61. Diversity Training by Slavinski · · Score: 1
    Sounds like they need a bit of "diversity training."

  62. [OT] Re:THAN! Than, than, than, than, than... by Dr.Dubious+DDQ · · Score: 1

    Oh, good, it's not just me who's a raging anal-retentive about that sort of thing.

    And don't get me started on loose/lose, either :-)

  63. Re:OT: What the hell is wrong with Slashdot? by Chatmag · · Score: 1

    Ok, it seems to be working again.

    We now return you to our regularly scheduled /.'ing, which is already in progress.

    --
    Pete Carr Owner Chatmag.com
  64. Drum roll please... by darkpurpleblob · · Score: 1

    And the award for the best word palindrome attempt goes to...

  65. Enderle advertises he's a paid shill by isn't+my+name · · Score: 1

    Check out his website. You can get his Counterpoint product which is

    Provides consulting services during the review process of a poorly founded negative piece on a vendor or its products and, should it be needed, showcases the research errors, statistical mistakes, and unfounded conclusions that often define such a piece.

    or better yet try out a Certified Reference Account:

    This acts as a shield for a qualified reference account from unwanted exposure and attention by press and other IT managers. Enderle Group can provide the documentation, press contact and quotes about a product success while maintaining the integrity of the reference.

    I wish that last quote could be published with every article he gets out there.

  66. Reduced Efficiency is the point of diversity by phsolide · · Score: 1

    The article quotes Bob Muglia: Moreover, forcing a company to diversify means reducing efficiency

    As Frank Herbert wrote in The Dosadi Experiment, "eternal sloppiness is the price of freedom", ya big lug. Holy cow, reduced efficiency for the attacker is the point of diversity. Think about it: I'm getting hits from Code Red and Nimda two years after they were released, and during the first two or three cycles of Code Red, I got 20 hits a day. In comparison, I got maybe 20 hits total for Slapper, and they went away after a week. Microsoft and the anti-virus people need to realize that (as a whole) the Internet doesn't need absolute immunity from worms or viruses: we just need to have a large fraction of the population immune from any given virus or worm. We can tolerate 10% crappy, poorly-administered Windows boxes, but we can't tolerate 97% crappy, poorly-administered Windows boxes. Sobig.f should have proved that to everyone.

    --
    Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
  67. Another critique of the "monoculture" paper by Anonymous Coward · · Score: 1, Interesting

    I wrote another critique of the monoculture paper on my blog. This monoculture business is a flawed analogy. It makes sense for crops, because if one crop gets infected it doesn't shoot firebombs into all the other crops and burn them to the ground. However, infections in a widespread OS can be just as harmful to systems based on other operating systems, as the recent DDOS attacks which took down some of the anti-spam servers showed.

  68. Security Breeches? by Anonymous+DWord · · Score: 1

    You mean like these?

    Who's editing that poor bastard's stuff? Fire 'em outta there!

    --
    "If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
  69. Where is the cost savings? by UnknowingFool · · Score: 1
    Ok, all of his suggestions are fine in principle but they cost money. All in all it seems like you would be spending more to keep your monoculture OS than you would to diversify, if only slightly.

    - Accelerated adoption of patches.

    Read: hire another person just to test MS patches so that they don't screw up our system. The story would be different if bad patches were a thing of the past, but MS releases a bad patch about once every year. Try explaining to the CEO or CIO that his IT network went down because you applied a patch system wide without testing it first.

    - Locking down desktops so users cannot make changes and viruses and worms can't install themselves and run.

    Read: Spend lots of time and resources securing PCs that should have been done at installation.

    - Restricting ports, such as port 135, which effectively stopped the latest virus attack.

    Read: Spend time and resources to block a port that should not have been open in the first place, and that nobody at MS bothered to think to lock down.

    - Implementing additional security products, such as virus software and firewalls.

    Read: yada, yada, yada. A firewall would not have protected a network if a single computer in the network became infected with Blaster. Also, AV software like Norton was totally ineffective at detecting and stopping the issue until after widespread infection.

    - Maintaining "hot sites," or duplicates of key elements of the IT infrastructure, so if the main infrastructure is compromised, users can quickly switch to backup systems.

    Read: Spend lots of money on a mirror system.

    - Developing the capability to rapidly restore compromised software and data from backups.

    For most companies this is already being done.

    - Deploying Windows on alternative hardware. For example, "PC blades" centralize the processors, memory and storage of PCs in a datacenter, while the display, keyboard and mouse are at the user's desktop. PC blades give users the benefit of having their own dedicated PC, while keeping the hardware in a centralized location where it can be more easily maintained and secured.

    WTF? Spend money on PC blades. Imagine if I went to my boss and said, "Boss, I can solve our Windows security problems."
    Boss: "Great, what is it? Better, faster patches. Better quality control? Better support."
    Me: "No, give 3x the capital budget to spend on new hardware."
    Boss: "You're fired."

    - Adding security staff or outsourced services.

    Read: spend more money on personnel to try to patch the problem instead of spending more money on personnel to fix the problem by diversifying infrastructure.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  70. Of course by Pan+T.+Hose · · Score: 2, Funny

    Or you could just make sure everything is off. I don't know how much more simple you can get. Of course, you do need a little bit of education to know how to tell that you really do have everything off, but it's still a heck of a lot simpler than learning assembler.

    Great idea. Let me make sure everything is off in my lab. Let me also ask management of my institute to file for bankruptcy while I am at it. I am sure they will thank me for making our network absolutely safe.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  71. Re:OT... My best friend's a whore! by Anonvmous+Coward · · Score: 1

    "'I got a better idea, install Linux on her machine. She'll get the hint when she's forced to type 'man mount'"

    It's off-topic. But give him some credit, at least it's funny.

  72. Good point by Pan+T.+Hose · · Score: 2, Funny

    You mention quite a few very important but frequently underestimated issues here. The network where I work is constantly being monitored and we know that firewalls and IDSs need to work both ways. I think that the prosecution that one of our workers who was downloading pornography using our network (the poor bastard thought a DES-encrypted ICMP echo reply payload was a good "covert channel" -- not when I am in charge) will face in a few weeks pretty much speaks for itself.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  73. Then vs Than. by simetra · · Score: 1

    ... being more then just pro-Microsoft.

    At risk of being called a grammar Nazi, I must point out the differences between Then and Than. Here are some examples of proper usage of each:

    THAN. I am smarter THAN you.

    THEN. Why don't you shut up THEN?

    THAN. You are dumber THAN a rock.

    THEN. I'll go cry THEN.

    Please, make an effort.
    Please, please, oh please!!!!

    Thanks

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou
    1. Re:Then vs Than. by dbCooper0 · · Score: 1

      Wholeheartedly, I agree. It literally hurts my ears^H^H^H^H eyes to see this misuse of common words.

      --
      db
      Cig:
      ôô
      /`
  74. Locking down the desktop... Right. by Chordonblue · · Score: 1

    And the easiest way to do this is....?

    Don't give me that BS about using 'Power Users' with profiles, etc. That's fine, as long as all of your apps play nice. NOT. There are several apps (newer ones too!) our school depends on that absolutely demand local root access in order for them to function.

    Without going to something like SMS or some other kind of desktop lockdown system, a small .org like us is totally screwed. Adding another program to the setup is painful. Due to junkware, I end up rebuilding the labs at a minimum every other month.

    This isn't necessarily all MS's fault, btw. But the problem is, Windows wasn't initially designed with security in mind. Instead, convenience took priority and to this day, a lot of Winapp programmers just don't get it. In my limited experience with Linux I can truthfully say that rights seem to be granted properly, i.e., anything that can permanently modify the system requires root access.

    --
    "...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
  75. Yes by Pan+T.+Hose · · Score: 3, Insightful

    I particularly like the GNU operating system approach to improving Unix security. Of course I mean the Hurd kernel, not Linux. We all know ACLs, MAC, POSIX capabilities and even the Hurd auth servers are not the final solution, but one has to admit it's a good start which will surely lead to quite interesting research during the following decades.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
    1. Re:Yes by Peaker · · Score: 1

      ACLs are probably not even a part of any secure solution, and are not very useful for secure computing. That is when comparing them to capabilities.

      POSIX has done a very bad service to the computing world by defining the term POSIX capability contradictory to the original term.

      POSIX capabilities are more like ACLs than real capabilities.

    2. Re:Yes by yanestra · · Score: 1
      Mach has the concept of acquiring privileges instead of losing them, like in Linux or other Unices. (E.g. ftpd in Linux starts as root and later switches to the user who logs in.)

      Since Hurd is a Mach-inspired kernel, there should be this feature. Is this the case?

  76. Hate to say it... by fanatic · · Score: 1

    ..because Enderle is a fool and an asshole (and MS does suck), but this time he is right on many points. For example:

    Few companies can continue to function if even 30% of their systems fail catastrophically. However, diversity will clearly increase costs sharply for sites that are highly consistent now.
    A much better approach is to look at the entire security problem first, including the risks and costs of not doing anything, so that you have a foundation on which you can build alternatives. These alternatives include:

    - Accelerated adoption of patches.

    - Locking down desktops so users cannot make changes and viruses and worms can't install themselves and run.

    - Implementing additional security products, such as virus software and firewalls.

    Some of these are obvious - like, what exactly is the excuse for not patching a month after MS makes the patches available and getting bit by blaster a/b/c/d/e?
    Once again, Enderle is a fool and an asshole, but apparently he's got someone intelligent ghost-writing for him this time. Diversity by itself is not the real answer for most organizations, because "security is a process, not a product". (Was that Schneier I just quoted?)
    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  77. install virus software? by oneishy · · Score: 1
    - Implementing additional security products, such as virus software and firewalls.

    This is news! We have now been asked to install virus software on our PCs to help with security. Last I checked we were trying to install anti-virus software to protect against security vulnerabilities. The closest case of installing a virus to help fix a security problem would be the worm that went around *trying* to patch the msblaster virus (and we all know how that went).

    Perhaps they should edit the article again...

    1. Re:install virus software? by prandal · · Score: 1

      Time taken for a new virus to wreak considerable havoc? A few hours.

      Time taken for antivirus vendors to release detection patterns? Considerably longer than a few hours.

      And while we're on this subject, why do antivirus vendors still insist on a weekly pattern update schedule? For God's sake NAI / Symantec and whoever else indulges in these archaic practices, pattern updates are required as soon as a new virus is detected. Forget the "you'll have to wait for next week's" DAT files to come out approach, it only serves to spread viruses, not eradicate them.

  78. Enderle says... by The+Monster · · Score: 1
    Besides, many Linux supporters are a bunch of potty-mouthed malcontents
    What the fuck is this guy talking about? Goddamn Micro$erf asshole!
    --

    [100% ISO 646 Compliant]
    SVM, ERGO MONSTRO.

  79. Turnabout is Fair Play. by _Sprocket_ · · Score: 2, Interesting

    Slashdot is too subjective.

    ...meanwhile Rob Enderle is the pinnacle of objectivity?

    Slashdot has never claimed any kind of objective viewpoint. It's rather biased. And it's become well-known, if not always popular, because of that bias.

    Slashdot filled an interesting niche; a dissenting opinion when the IT press was almost entirely Windows-centric. Linux was quietly seeping into the Enterprise. But the mainstream IT press either ignored it or was unfairly dismissive. Slashdot was a forum most noted for its pro-Linux and Open Source friendly opinions.

    Times have changed.

    Now, it's not worthy of a Slashdot news post just because a mainstream IT rag has mentioned Linux. It's not entirely unlikely to find pro-Linux / pro-Open Source articles in the mainstream. Right next to the pro-Windows articles. And the press releases being masqueraded as an article. Some things don't change, after all.

    Slashdot's bias is one of those constants.

    I'm kind of curious. It seems that over the years, Slashdot has gained more pro-Windows readers. Mainstream attention has either provided more people with a Windows-centric viewpoint or it's attracted more astroturfers and trolls.

    But for every time I see someone complain about Slashdot displaying an "unfair" bias against Microsoft, I wonder how many people like myself sit quietly in the background glad that Slashdot keeps that bias firmly in place.
    1. Re:Turnabout is Fair Play. by ScottKin · · Score: 1

      To answer your question:

      One too many.

      You do nothing but give lip-service to /. - the most over-rated, self-serving BLOG for penguin-fetishists, RMS-o-philes and OSDN-shills in existence.

      When will the rest of the visitors here and this community wake up from its self-induced coma and look at who supports /. - A Developer's Network (if you could call it that) for Open Source Software: OSDN. Why are we surprised at the consistent, pro-*NIX, anti-Microsoft rhetoric and propaganda produced by this onanistic collection of obviously-pubescent posters? Maybe because so many of the posters and readers are still hooked-up to the liberal-brainwashing system called THE US EDUCATIONAL SYSTEM and have yet to venture out into the Real World that they are easily swayed by all of the *NIX evangelists planted by anti-Corporate/pro-socialist organizations like OSDN - and if you think for a moment that OSDN cares about the economy or industry or corporations, think about how companies are going to make any REAL money from selling software that can be downloaded for FREE?

      Posters here who attack pro-Microsoft organizations who are in some way supported by Microsoft are nothing but uninformed hypocrites, since /. is supported and partially funded by OSDN.

      Nothing like the pot calling the kettle "black".

      ScottKin - Who has used "su" more times than he can remember.

      --
      I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
    2. Re:Turnabout is Fair Play. by _Sprocket_ · · Score: 1

      When will the rest of the visitors here and this community wake up from its self-induced coma and look at who supports /. - A Developer's Network (if you could call it that) for Open Source Software: OSDN.

      The implication seems to be that Slashdot gets its bias from its corporate sponsor. But it completely ignores the fact that Slashdot has been expressing the same bias since its inception - years before OSDN showed up.

      Why are we surprised at the consistent, pro-*NIX, anti-Microsoft rhetoric and propaganda produced by this onanistic collection of obviously-pubescent posters? Maybe because so many of the posters and readers are still hooked-up to the liberal-brainwashing system called THE US EDUCATIONAL SYSTEM and have yet to venture out into the Real World...

      Out here in the "Real World", there is plenty of "pro-*NIX, anti-Microsoft" sentiment to go around. Many of the opinions and sentiments expressed on Slashdot are shared by, if not made by, professionals in the trenches of the IT industry. I've witnessed this from senior technologists as well as some of the rank-and-file within Fortune 50 and major federal US Government organizations.

      It's not all a Linux love-fest, of course. There are plenty who don't understand the whole Open Source concept. There are those who are stringent supporters of Microsoft or otherwise solidly devoted to the Windows platform. And there are others who prefer other Unix platforms - specifically Solaris or HP/UX (but then, they're part of that "pro-*NIX" camp).

      But to represent the sentiments found on Slashdot as solely those of inexperienced, young residents of academic ivory towers is inaccurate... if not simply misleading.

      Posters here who attack pro-Microsoft organizations who are in some way supported by Microsoft are nothing but uninformed hypocrites, since /. is supported and partially funded by OSDN.

      It's interesting you compare OSDN to Microsoft. Let's take a look at the two.

      Microsoft - major IT player. Produces operating systems marketed for everything from consumer devices and desktops to large-scale corporate enterprise servers. Also produces software packages that target everything from consumer gaming to corporate enterprise architecture. Infamous for its ultra-aggressive marketing style.

      OSDN - media company with a focus on Open Source development and community as well as web development. Also owns ThinkGeek - an online shop for geek-oriented merchandise such as T-shirts, desktop toys, nerf guns, and consumer electronics. Owned by VA Software - originally a Linux hardware company, dropped out of the market when they discovered that commodity hardware is a rough market even if you include Linux. Now VA Software produces a collaborative development suite (and development methodology) based on the widely popular community development service Sourceforge. Most known for sponsoring the popular Open Source and Linux friendly news commentary site Slashdot.

      Readers should keep these facts in mind when reading from sources sponsored by either group. Look at what motivates either group. And then consider how these motivations may affect the opinions expressed.

  80. The best ports to block on a windows box by Allnighterking · · Score: 1

    Are ports RJ-45 or RJ-11

    --

    I'm sorry, I'm too tired to be witty at the moment so this message will have to do.

  81. Bulletproof IT security policy. by rice_burners_suck · · Score: 1

    Note for the record that the original version of the article referred to blocking port 80; the article has now been edited to refer to port 135.

    I don't understand why so many companies have problems with IT security. Our company's IT security policy is simple and bulletproof: We do not use computers. In fact, just to be absolutely sure that those dangerous computer viruses don't get into our building somehow, there are no phone lines, cable lines, electric lines, water lines, or sewage lines entering the building. We don't even have windows or doors. We, the employees, simply stood around on a foundation while the brick walls were built around us. Nothing gets out; nothing gets in. We are 100% safe.

  82. And while you're at it... by whiteranger99x · · Score: 1

    Choose life. Choose a job. Choose a career. Choose a family. Choose a fucking big television, Choose washing machines, cars, compact disc players, and electrical tin openers. Choose good health, low cholesterol and dental insurance. Choose fixed-interest mortgage repayments. Choose a starter home. Choose your friends. Choose leisure wear and matching luggage. Choose a three piece suite on hire purchase in a range of fucking fabrics. Choose DIY and wondering who you are on a Sunday morning. Choose sitting on that couch watching mind-numbing spirit-crushing game shows, stuffing fucking junk food into your mouth. Choose rotting away at the end of it all, pishing your last in a miserable home, nothing more than an embarrassment to the selfish, fucked-up brats you have spawned to replace yourself. Choose your future. Choose life... But why would I want to do a thing like that?

    --
    Join the TWIT army now!
  83. Diversity-free? by darkest_light · · Score: 1

    There's something to be said for *any* article including the words "I'm not a big fan of diversity". Oh Microsoft... where would we be without you?

    --
    Orationem pulchram non habens, scribo ista linea in lingua Latina.
  84. This guy looks like a total doofus by multiplexo · · Score: 1

    Who would hire him? He doesn't even have executive hair. Maybe he's really tall...

    --
    cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
  85. I think his profile explains it all... by Comatose51 · · Score: 1

    http://www.enderlegroup.com/profile.asp

    No mention of any real technical education or experience. I'm so sick of these so called "experts" who do not have any real training or education in computing. Last I checked the Aberdeen group (and other consulting groups), most of them were English and History majors. When will they realize that their background isn't applicable to this field??? Being a student at one of our nation's leading universities in the humanities, I've realized that some of these people are so full of themselves that they think their intelligence will carry them through anything. This is simply dead wrong.

    --
    EvilCON - Made Famous by /.
    1. Re:I think his profile explains it all... by im+a+fucking+coward · · Score: 1

      No mention of any real technical education or experience. I'm so sick of these so called "experts" who do not have any real training or education in computing.

      I was a little skeptical of your assertion, until I searched 'Rob Enderle college'. Here's the ugly truth:

      Rob earned a degree in marketing from Orange Coast College, a B.S. in business and an M.B.A. with an emphasis on market research, both from the California State University at Long Beach, and a C.M.A. Certificate from Pace University.

      The CMA certificate is a little hazy, that can mean a truckload of things, none of which would apply to IT. Give that man a cigar! You sir are hopelessly correct in your accusation; +5 for insight. Bob is qualified to analyze the shit out of commercials, and could probably make sense of any balance sheet. But his background doesn't indicate he even knows where the 'any key' is. Sad and typical state of affairs in silicon valley, redmond, where ever.

    2. Re:I think his profile explains it all... by E-Pimpalicious · · Score: 1

      idiocy in people, is not necessarily dependent upon their education.

      i know plenty of people that i would consider experts in the field, that have had little or no college background. and... on the other hand... plenty that actually graduated with majors in the field, and/or masters... and i have to question exactly who their professors were.

      although most dont want to think it... there is such thing as a "stupid college graduate".

      --
      Sometimes, you just have to fist life right in the ass to get sh** stirred up.
  86. My letter to the editor by theolein · · Score: 1

    In Rob Enderle's latest column countering the latest anti-monoculture reports, (http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=15202192) he makes a few factual errors, one of which is his claim, and I quote, "This is the big problem with the diversity recommendations I've seen. If they had been implemented as recommended they would have had little impact on the MSBlast virus, which spread via common e-mail, and would likely increase the exposure for other types of threat. ".

    This is clearly wrong, as the MSBlast virus was NOT propagated via e-mail, but by systems being vulnerable to an unpatched RPC service vulnerability that was open on port 135 (changed from the earlier port 80 in your article). There is ironically another error in that same, incorrect statement, and that is that of all the e-mail viruses and worms out there, they are all propagated by Microsoft's Outlook and Outlook Express, as no other e-mail software allows automatic scripting that can access the system.

    To be fair, one should be fairly secure if one remains up to date with patches from Microsoft and followed good security practices such as closing the port and switching on the integrated firewall and turning off scripting macros in Outlook, and that is the answer I would have expected from a so called security consultant. His credibility might suffer a little bit for this article, and I think you owe it to your readers to make corrections, as you did with the port 80 statement.

  87. Logical Crap by dasunt · · Score: 1

    The writer in the article mentions how diverse environments lead to security breeches. He uses the example of a workplace where the door locks are all different, preventing one master key. This is insecure because all of the keys for the doors were on the same ring as the key for the safe.

    Obviously, master keys must have a little known feature that prevents them from being put on a keyring with any other key.

    *Sigh*

  88. Funny... by JRHelgeson · · Score: 4, Informative
    It's funny how this comes on the heels of what is now the THIRD version of the MS03-026 vulnerability. As you know, MS03-026 is the RPC/DCOM vulnerability that brought us MSBlaster.

    Just after Blaster started clearing up, Microsoft released MS03-039 which is essentially the SAME vulnerability as was -026. They blew it. They didn't fix the problem with the -026 patch, so admins now had to re-patch all their machines.

    Well, here we go again - only this time the exploit code precedes the MS announcement and corresponding patch. Yes kids, the hacking underworld has perfected the exploit code for MS03-039 and in doing so uncovered yet another hole in the RPC/DCOM service for which there is NO PATCH AVAILABLE!!! (As of 11 Oct, 2003 0100)

    And for those of you who think that this is just FUD... here's the exploit source code. Simply compile under Linux, then change your shorts.

    Network admins: May I suggest you take your sleeping bag and pillow and put it in your car - there's going to be a lot of late nights at the office coming up.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
    1. Re:Funny... by E-Pimpalicious · · Score: 1

      i was wondering the same. i have to say though... i am glad crap like this happens. every time it does, it makes it that much easier to turn another friend over to linux. you get them hooked... they never go back. it's like crack-rock.

      --
      Sometimes, you just have to fist life right in the ass to get sh** stirred up.
    2. Re:Funny... by JRHelgeson · · Score: 1
      Every time I try and warn people about an impending crisis - I get libeled as a purveyor of FUD, which pisses me off.

      So, I post access to the source code. Sure, the source code may be 'broken' in some subtle way to prevent some 1337 $kr1p7 k1dd13 from compiling and launching it. This code has been circulating the hacking underworld for weeks.

      Either way I get lambasted for making the posts, primarily by people with a strong desire to remain ignorant.

      --
      Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
    3. Re:Funny... by Krach42 · · Score: 1

      God damn... you know... all this stuff makes me want to slap my work's new lab behind a firewall running Linux.

      I know Linux isn't perfect either, but it's generally easier to keep one computer up to date and patched, and have that computer provide security into the internal network.

      --

      I am unamerican, and proud of it!
    4. Re:Funny... by Krach42 · · Score: 1

      The computers won't be receiving email.

      They're part of a psychology lab looking at teamwork (basically, paying people to play computer games, and record their actions, and more specifically their verbal communication.)

      --

      I am unamerican, and proud of it!
  89. The HR folks are shocked! by daltonlp · · Score: 1

    I'm not a big fan of diversity because so much of the research I've done over the last decade or so indicates that by eliminating diversity you can dramatically reduce costs.

    You, sir, need to attend diversity training!

  90. differentiation by MegaFur · · Score: 1

    Are you trying to raise an army of informed sysadmins or an army of grubby computer crackers?

    Oh wait, I forgot. There's very little difference between those two skill sets isn't there?

    (Note to sysadmins: please don't flame me! I aspire to *be* one of you guys some day.)

    --
    Furry cows moo and decompress.
    1. Re:differentiation by irc.goatse.cx+troll · · Score: 1

      The difference is all in the mind. It's just like the difference between a Private Investigator and a Social Engineer. Or a locksmith and a thief.

      It's all in the mind... which is why it's generally best to keep us happy;)

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    2. Re:differentiation by sco08y · · Score: 1

      Are you trying to raise an army of informed sysadmins or an army of grubby computer crackers?

      Oh wait, I forgot. There's very little difference between those two skill sets isn't there?

      One knows how to bathe and dress well enough to hold down a 9 to 5.

    3. Re:differentiation by PugMajere · · Score: 1

      Odd, how sysadmins frequently barely fit into that category.

    4. Re:differentiation by fucksl4shd0t · · Score: 1

      Odd, how sysadmins frequently barely fit into that category.

      Even odder is how frequently they barely fit into anything.

      Except MCSEs. Those guys are usually running around the building so much putting out fires that it's not possible for them to keep weight on.

      Note to self: Make sure any MCSEs you hire are ADHD, so they can handle running around the building fixing half a dozen broken computers before breakfast.

      --
      Like what I said? You might like my music
    5. Re:differentiation by catman · · Score: 1

      (Note to sysadmins: please don't flame me! I aspire to *be* one of you guys some day.)

      Sad. One of the entries in the FAQ for alt.sysadmin.recovery reads:

      Q: I want to be a sysadmin. What should I do?
      A: Seek professional help.

      And that's NOT IT-professional, you understand.

      Catman - recovered(?) into Smalltalk programming.

    6. Re:differentiation by sco08y · · Score: 1

      Odd, how sysadmins frequently barely fit into that category.

      Ba-dum-bum!

  91. Suing Microsoft for security holes by Animats · · Score: 2, Insightful
    It's worth looking at the litigation option. The best case for a lawsuit would be an ISP that runs no Microsoft software on its hosts, but is incurring significant costs because of incoming traffic (spam, viruses, DDoS attacks) from compromised Microsoft machines.

    In a case like that, Microsoft's EULA doesn't apply at all, because the injured party isn't running Microsoft software and hasn't agreed to any Microsoft contract terms. This makes it an ordinary negligence claim.

    It's like suing an auto manufacturer because somebody had a brake failure and hit you. Even if the other party was speeding, the manufacturer can still have some liability for the accident.

    Some Linux-based ISP overwhelmed by Microsoft virus spam and mail bounces should go for this. There's a real case here, with real costs (overtime, extra mail servers, more bandwidth) associated with this stuff.

    1. Re:Suing Microsoft for security holes by E-Pimpalicious · · Score: 1

      True, but the thin grey line as far as liability goes... is just that. A thin grey line. Microsoft has enough power, money, and pull to get away with a slap on the wrist for even the largest issues. It would take one hell of an ISP to tackle that project.

      Even with the EULA, it might be easier to tackle this from an "end user" aspect. Band a massive group of people together (that were actually stupid enough to PURCHASE a copy of one of their OSes) and tackle it from a class action stance. When word gets out to the John and Jane Does that 1) they might get some money out of this, and 2) they might get some sort of promise or attempt at making what they had purchased secure.... then there could be a fairly large group forming to jump in line.

      But again... it all boils down to this: what is that going to solve? Microsoft has more money than God... and all a large lawsuit would do to them would be to either make the cost of their software go up even further, which would jack the price of pre-fab computers up, which would cause sales to go down, which would cause hardware manufacturers to slow R&D.... (see where I am going with this? Good. I'll stop then.) Or it would make them spend what would be chump change to Microsoft to pay it off monetarily. In the end... you are still going to be left with a pile of crap for an operating system, and just enough money to buy a Coke. The EULA could be stretched or pulled in either direction to use in either argument. The end user agrees that they won't do a, b, c or d, and that the software company is not liable for x, y, and z. However, had the user known that said software would allow a violation of their rights as a US citizen, and a compromise of their privacy and personal information... they might not have purchased this software. There are plenty of holes in the EULA... it would just take a good attorney to exploit them... wait... that sounds familiar.

      --
      Sometimes, you just have to fist life right in the ass to get sh** stirred up.
  92. Look at the references... by Pahalial · · Score: 1

    PREVIOUSLY BY ROB ENDERLE:
    - Microsoft: Hated Because It's Misunderstood
    - Reasons To Shun Open Source-ry
    - Linux Is Not Ready For the Enterprise

    If only they put these at the front of the article and spared my valuable minutes.

    Not only that, but I bothered to check the links out and they're just plain rants.
    And this is labelled news? Even /. has more news than this, despite being in large part activists for something or other (I'm one too, no worries).

    --
    Stuff.
  93. Man, do yourself a favor by ebyrob · · Score: 1

    And get a copy of gVim and the GCC...

    Once you go command line, you never come back.

    1. Re:Man, do yourself a favor by ebyrob · · Score: 1

      It's not about leet.

      It's about whether to torture yourself with a "sofa" that has big ugly spikes sticking up or to simply sit on a nice solid floor...

  94. Oxymoron: monoculture of free software by axxackall · · Score: 1
    a monoculture of free software

    There is no such thing. You will always consider:

    • GNOME vs KDE
    • Linux vs BSD
    • PostgreSQL vs MySQL
    • Emacs vs vi
    • Python vs Perl
    • interpreter vs compiler
    • source tarball vs a binary package
    • Mozilla vs Lynx
    • Postfix vs Qmail
    • Zope vs Apache
    ... Did I forget anything? TCP vs UDP? Never mind that one.

    Free software is a culture that will guarantee that there will be no monoculture. There will always be a choice. And pay attention: you as a user will make the choice (not like the choice will be made for you somewhere in Redmond).

    --

    Less is more !
  95. As for blocking ports.... by NerveGas · · Score: 2, Insightful

    It does work. Rather well, in fact. One of the simplest, most common-sense ways to start port-blocking is to block everything below 1024 except for services that you know you want to provide. It's amazing how many networks get along just fine with nothing but http, ssh, dns, smtp, and pop-3.

    By doing that and disallowing email with any executable attachments, one of the networks that I maintain has weathered all of the email/network virii/worms without a single incident - despite the fact that they have M$ machines that haven't been updated at all.

    Occasionally, they'll call because someone thinks they have a virus. I'll go and scan all of the machines with the latest patterns, and guess what - no virii.

    Of course, this in no way excuses Microsoft for their horrible security. It's simply a way to get at least a good start at protecting yourself.

    steve

    --
    Oh, you're not stuck, you're just unable to let go of the onion rings.
  96. Step forward a few hundred years.... by mormop · · Score: 1

    Scientists today found evidence of a civilisation that once existed on a planet, third out from a sun in a far off part of the galaxy.

    It's believed that the entire population was wiped out after a scientist (we think), Rob Enderle, recommended that because diversity of genetics made making drugs to cure cancer difficult, all humans (as they called themselves) should be made genetically identical to allow one cancer drug to cure everybody.

    Within a day, scientists had developed the cancer drug and cancer was cured, worldwide, overnight. Unfortunately, the entire population was then wiped out by a single mutation of the common cold in the entirely predictable kind of way that anyone with half an ounce of common sense would have seen coming.

    Commentators today stated that the kind of twisted logic that would allow this scenario to happen is generally caused by having your head stuffed too far up your own arse, or in extreme cases, up the arse of the CEO of a major corporation. The justification that it would make it easy for even the poorly trained doctors to cure cancer seems good at first but neglects to consider that it's really stupid.

    --
    Hmmmmmm..... Deep fried and look like Squirrel.
  97. Microsoft hatred, unjust by xahlee · · Score: 1
    --
    Xah
    xahlee.org
    http://xahlee.org/PageTwo_dir/more.html
    1. Re:Microsoft hatred, unjust by sydb · · Score: 1

      Thanks for your link.

      It provides powerful evidence that, as I have long suspected, Microsoft Word is a dangerous gateway Microsoft application. Dabblers think that they can use it now and again harmlessly. In a way they are right. It's easy to run off the odd letter in Microsoft Word and think nothing of it. Even the occasional report or binge essay writing session leaves users able to function normally in society.

      But your brave public exposure shows the real danger that lies behind Microsoft Word use. It provides the user with an initial reassurance. To paraphrase your courageous admission, the unsuspecting victim thinks: "Hey, Microsoft Word is OK. I am just using it to get by. I know that Microsoft are evil and that they sell other, more dangerous pieces of software (which should probably be illegal) but look - I recognise that and you won't catch me touching that other stuff."

      But after Word, you dabble in Windows NT. Sure, it blue screens, you think. But I can handle it. I'll just keep rebooting.

      That's the nature of this software. Those who use it start off like any other sane person. They can see the dangers. They think they can avoid them. And the software makes them think that way. It's a trap. There is the illusion of interoperability. Microsoft software looks like any other innocent piece of software at first glance. But that is a veneer. Once you have spent as long as you did in the Microsoft haze, your mind starts to deteriorate.

      You become locked in by the proprietary protocols and data formats. At first you think you can cope. You'll save in text only! No problem! But the truth is that each line is terminated with a carriage return and if you try to give up Microsoft the withdrawal will be a plague of ^Ms. ^M
      ^M
      As your mind deteriorates, you are no longer able to see this. As you have shown, the unfortunate victim of this social plague loses the ability to construct logical thoughts. At this point, the victim is lost. Even a brave public admission such as your own is a sham. The hopeless sufferer of Microsoft addiction believes that they are vindicating Microsoft but all around can see the truth.^M
      ^M
      The sufferer's mind has been destroyed. There is no hope.^M
      ^M
      I have been there myself, I stood on the precipice, one more step and I too would have been like you. Fate and her angels prevented my tragic loss. I was rescued by the Church of Emacs and am forever grateful to Saint IGNUcius.^M
      ^M
      I weep for lost souls such as yourself. But there remains hope! Even in your tortured outpourings you have revealed a glint of light at the end of your dark tunnel. Embrace the church! Reject the ^Ms!

      I pray for you.

      --
      Yours Sincerely, Michael.
  98. I am not the one who set the rules by Pan+T.+Hose · · Score: 1

    Great idea! After I get done with that, I think I'll teach the users the difference between real error messages and banner ads.....

    Nobody said you have to be competent yourself, but don't come crying to me when you realize that, for example, one can write an ASCII string which is a valid x86 shellcode after conversion to UTF-16, also having a plausible spectrum analysis signature. This post will probably get moderated as Score:-1, Obvious Example but sometimes even the most trivial attack may be successful if you are not careful enough, or if you don't know your architecture's binary instruction set for that matter.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  99. Re:Server with no ports open is useless by YOU+ARE+SO+SUED! · · Score: 1
    >I don't allow Windows on my network. Do you think I'm stupid?

    Well then you're offtopic, because the article is about Windows systems. How was the grandparent to know you weren't referring to them?
    YASS

  100. The difference is simple by Pan+T.+Hose · · Score: 1

    Are you trying to raise an army of informed sysadmins or an army of grubby computer crackers?

    The most fundamental knowledge they need is exactly equivalent. The only difference is that the "army of grubby computer crackers" needs to know only one successful attack to win, while any even remotely competent sysadmin needs to know all of them to be able to detect any of them every time. Of course you can always choose the easy way and hire Counterpane or a similar service, but I always advise having a security response team on site ready to counter the attack 24 hours a day, 7 days a week, with flawless cooperation between them and your armed guards being the clue in case of an insider job or physical compromise.

    (Note to sysadmins: please don't flame me! I aspire to *be* one of you guys some day.)

    This is an exciting job, but may be dangerous if you are in charge of any important network due to physical attack possibility. Never underestimate the power of rubber-hose cryptanalysis. I mean it. Don't learn it the hard way like I did.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  101. Read the article... by cnelzie · · Score: 1

    Then you too can attack the writer of said article. He said that the MSBlaster worm wouldn't have been stopped by having different systems in place, because it was "...spread by common email..."

    If you recall, the MSBlaster worm was a Microsoft RPC vulnerability and was spread by just having an unpatched Microsoft Windows 2000/XP based machine connected to the Internet. It had nothing to do with email.

    Even if he was referring to an email virus... If you are running software other than Outlook, then you are likely going to be completely safe from MOST Microsoft email virus attacks. Again, which the MSBlaster Worm was not...

    The guy doesn't seem to really have his information for writing such articles... He needs to get on the clue train and then start writing his articles...

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
  102. Thanks a lot! For Nothing! by jimcooncat · · Score: 1

    uncovered yet another hole in the RPC/DCOM service for which there is NO PATCH AVAILABLE!!! ... here's the exploit source code.

    Thanks for publicizing source code which exploits a vulnerability for which no patch is available. Since M$ doesn't share its source (with me anyway), there's nothing we can do but wait for them to get around to fixing it.

    Do you think this doesn't affect you, because you use only free software? Well, I can't really work on development in my spare time when I have to support Windows users whose boxes are blowing up, now can I?!!!

    Yeah, I know you didn't write the code, or make it publicly available. But your publicizing it with a direct link in such a widely read forum is disheartening.

  103. Re:OT... My best friend's a whore! by Anonvmous+Coward · · Score: 1

    ChickenHawk is back!

  104. Re:OT... My best friend's a whore! by NanoGator · · Score: 1

    "NG's posts really bother me, but I'm too stupid to use the foe feature!"

    As if I don't know who you are, heh.

    --
    "Derp de derp."
  105. Re:Oxymoron: monoculture of free software by doodleboy · · Score: 1

    I suppose if a company were to have a monoculture of free software, they would have standardized on a particular desktop, os, editor, interpreted language (if such were needed), etc., etc., etc. You lower enterprise computing costs by making all the computers the same. That way you only have to test one configuration before releasing patches or software upgrades, etc.

    That was why Enderle argued that monocultures are cheaper in principle than the diversified infrastructures Gartner and the CCIA are suggesting we should have. All I said was, you can do the same thing with OSes other than Windows, a point that seems to have escaped him.

  106. Everything you need to know about Rob... by zecg · · Score: 1

    ...was written by himself, in his "opinions" column titled: "Opinion: Reasons To Shun Open Source-ry"

    The very first two sentences are so mind-bogglingly imbecilic, not to mention a self-contained circus act of jumping into one's own mouth, that one need not read further:

    "Linux is not ready for the enterprise.

    When I argued that point a month ago, I didn't really believe it."

    I believe that the answer to the question WHY he argued that question if he didn't believe it himself, is a kind of Zen puzzle, with MS money acting the part of the sound in the felled forest of Forrester research's successes.

    --
    .i lu doi ringos.star. xu do puku'aroroi dunli dopecaku leni virnu li'u
  107. multicropping in a single field actually good by midgley · · Score: 1

    Actually, putting strips of different plants in a single field can be a very good idea for reducing vulnerability to particular predators. I don't know of examples[1] of it being used for reducing disease propagation by insect vectors, but it seems highly likely that this would be a worthwhile tactic. And very green. [1] IANAF (I am not a farmer)

  108. The Enderle Group by doc4 · · Score: 1
    Check out Rob's side job, The Enderle Group.

    One of their main services is Counterpoint

    Provides consulting services during the review process of a poorly founded negative piece on a vendor or its products and, should it be needed, showcases the research errors, statistical mistakes, and unfounded conclusions that often define such a piece.

    Professional FUDmeister.

  109. Security design by cdemon6 · · Score: 2, Informative

    You can minimize your risk by staying up-to-date with patches and blocking incoming traffic on dangerous ports, for example, but you'll never be totally secure this way. This is why it helps so much to run *ix or *bsd, because you can chroot, jail, run apache as wwwrun and so on. Windows gives you full access once exploited, as you all know.

    Imagine: Somebody attacks you with a working exploit before you've got the patch installed even if you update every day - unlikely, but possible.

    Or imagine: You block all incoming traffic on 135/139 with your firewall and consider yourself immune to the blaster type of windows attacks.
    Take a person connecting via a VPN (for example) to your network who has an infected machine at home, and think of the consequences once he is connected. Efficiency of firewall -> zero (in most cases).

    1. Re:Security design by robwills · · Score: 1

      I'm not sure which firewall you're using, but the VPN connections can still be firewalled. You can still block ports on connections made from VPN clients.

      Efficiency of firewall: not affected by VPN.
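The low-port policy from comment 95 (block everything below 1024 except the services you deliberately provide), applied on every inbound interface, including the VPN tunnel that comment 109.1 says can be firewalled like any other. This is an added example, not code from either poster. It assumes Linux iptables; the allow list (ssh, smtp, dns, http, pop3) is the one comment 95 lists, and the interface names eth0 and tun0 are placeholders for the LAN-facing NIC and the VPN interface. The script prints the rules for review instead of applying them, and `decide` models the verdict the resulting chain gives a new inbound packet, which is how you check that 135/139/445 really end up dropped.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes Linux iptables.
# Policy: drop every new inbound connection to a port below 1024 unless it is a
# service we deliberately provide, on every inbound interface (LAN-facing NIC
# and VPN tunnel alike, so an infected VPN client is filtered the same way).

ALLOWED_TCP="22 25 53 80 110"   # ssh smtp dns http pop3
ALLOWED_UDP="53"                # dns
INTERFACES="eth0 tun0"          # placeholders: LAN-facing NIC and VPN tunnel

# Print the iptables commands instead of running them, so the rule set can be
# reviewed first and then piped to sh as root.
emit_rules() {
    echo "iptables -N LOWPORTS"
    for p in $ALLOWED_TCP; do
        echo "iptables -A LOWPORTS -p tcp --dport $p -j ACCEPT"
    done
    for p in $ALLOWED_UDP; do
        echo "iptables -A LOWPORTS -p udp --dport $p -j ACCEPT"
    done
    # Everything else below 1024 is dropped, including 135/139/445.
    echo "iptables -A LOWPORTS -j DROP"
    # Loopback and replies to connections we opened are not new inbound services.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Send low-port traffic from every inbound interface through the same chain.
    for i in $INTERFACES; do
        echo "iptables -A INPUT -i $i -p tcp --dport 0:1023 -j LOWPORTS"
        echo "iptables -A INPUT -i $i -p udp --dport 0:1023 -j LOWPORTS"
    done
}

# Model what the rules above do with a new inbound packet.
# Prints ACCEPT or DROP for tcp/udp below 1024, and UNFILTERED for anything
# the LOWPORTS chain never sees (ports >= 1024, other protocols).
decide() {
    proto=$1
    port=$2
    [ "$port" -lt 1024 ] || { echo UNFILTERED; return 0; }
    case "$proto" in
        tcp) list=$ALLOWED_TCP ;;
        udp) list=$ALLOWED_UDP ;;
        *)   echo UNFILTERED; return 0 ;;
    esac
    for p in $list; do
        if [ "$p" -eq "$port" ]; then
            echo ACCEPT
            return 0
        fi
    done
    echo DROP
}

# Usage: review with `emit_rules`, apply with `emit_rules | sh` as root,
# and sanity-check the policy with `decide tcp 135` (prints DROP).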

  110. Some of his stuff makes no sense... by MadAnthony02 · · Score: 1

    The Page 2 of his "Microsoft is misunderstood" article contains a few things that made me say "huh"?

    The one I really noticed was "Don't copy entire software images from old PCs to new ones; leave that to the hardware OEMs, who have testing and procedures in place to make sure the imaging is done right"

    If he is saying we should use factory images, that makes no sense and would hurt security, since the from-the-factory images I've seen usually 1) do not have up-to-date patches/service packs and 2) don't have antivirus software.

    He also says never to upgrade memory, which would majorly increase costs. Where I work we have P2 and P3 boxes still running with 2K or XP on them, and they would be useless if we hadn't upgraded the RAM, since they probably shipped with 64 or 128.

  111. He speaks by fearmonging by werdna · · Score: 1

    Over the years, I've seen many IT executives lose their jobs or trash their careers because they made a decision that was obvious to them but could not be effectively defended to upper management or internal auditors.

    Nobody ever got fired for buying IBM, I suppose. This is how the instant vendors retain their clout. No doubt, a Microsoft-only sysadmin has much to defend his case: (1) nearly everybody else --that matters-- does it; (2) it costs more, so it must be better; (3) they have been making money at this for years, so it must be better.

    And then what? Presumably, in time, a high-minded management will expect answers more detailed than, "I played it safe and spent 28% of our overhead on infrastructure that everybody else has." The neat thing about commerce is that money does talk -- it is the flow of the dollars that will dictate policy.

    Guys like this don't matter, although they do intimidate weak minds. That's ok, we are not at the stage where the weak-minded matter -- they would ultimately come out the same way whether this guy scares them or not. Open source needs to address the "cost-of-ownership" issues and polish for enterprise, and in time, the nearly-best of us (presumably the best of us will still be making great stuff) will be promoted to positions to change the world.

    Then we get to fire the fearmongers and weak-minded.

  112. Re:Oxymoron: monoculture of free software by axxackall · · Score: 1

    You are right. We have even started to move servers one by one to Gentoo. Very helpful to keep a reasonable balance between a unified platform on one side, and different packages (at least in different versions) on the other side.

    --

    Less is more !
  113. Re:Michael is a hippie. by wfrp01 · · Score: 1

    Exactly. Clearly some moderators don't understand humor. Or maybe I'm just not funny.

    --

    --Lawrence Lessig for Congress!
  114. Turn it off how? by gr8_phk · · Score: 1
    turn off port 135.

    How exactly is that done on Windows? And why isn't it turned off by default? If all ports were closed by default, then software *I* install could require certain ones to be opened and do it for me as part of installation. Oh, MS doesn't allow you to disable individual ports do they?

  115. Re:Michael is a hippie. by p00ya · · Score: 1

    He probably has a stuffed penguin as a technical advisor,
    Given that this could potentially be seen as him advocating linux, I think it's much more likely that he has an advisor in the form of a talking paper clip.

    "It looks like you're writing some pro-microsoft FUD. Would you like some help with that?"

  116. Grammar? Readability? by DaveCBio · · Score: 1

    Why do so many front page posts have major grammar and readability problems? I couldn't tell from that post what the article was about besides something to do with Microsoft. There are not that many posts per day. Is it so hard to correct a few obvious errors so that we can tell what the articles are about?

  117. If you want a really *bad* example... by freeBill · · Score: 1

    ...of a Microsoft Apologist Apologizing for Microsoft on the monoculture reports, check out this 3-part series:

    Part I: Wherein the author proves he doesn't know the difference between an API and the OS which implements it. He also manages to confuse integration with breaking encapsulation and argues that integration is achieved by eliminating modular programming. He also resorts to the traditional monopolists' excuse that economies of scale trump competition, imagining that Adam Smith would actually support this excuse.

    Part II: Wherein the author proves that he has failed to notice the CCIA convinced a judge he was wrong about Microsoft's status as a monopoly. Then he goes on to lie about the accessibility of MS's APIs.

    Part III: Wherein the author argues that 15-years-out-of-date MS technology is "cutting edge" while ignoring the fact that IE is still not standards compliant with a standard which he says evolves too slowly to keep up with that "cutting edge."

    The author of these diatribes (John Carroll) managed to convince me he was so clueless about the fundamentals of programming (compare Microsoft Press's own "Code Complete" with the "facts" in these stories to see how far off base he is) that I am sure I would never hire his consulting firm, Turtleneck Software, for anything.

    The issues raised by the CCIA report deserve hard scrutiny. But that scrutiny must be based on facts. And on what the monoculture report actually said. Diversity of API is bad, and the report acknowledges this by arguing for strong international standards. Diversity of implementation is good, and the report makes a strong case for this.

    Carroll lies to his readers by claiming the report favors diversity of API. He then compounds this inaccuracy by claiming Microsoft has achieved its monocultural monopoly by promoting a single API that has become a public standard. In fact, they achieved it by constantly changing the API, hiding it from their competitors, and forcing those who wrote competing products for their platform to write to a different API, which itself changed when it was convenient for MS (i.e., inconvenient for their competitors).

    This level of dishonesty should get Carroll fired at ZDNet, but it probably won't.

    And we still don't have a good, rigorous criticism of the CCIA's report. A criticism we desperately need.

    --
    Eternal vigilance only works if you look in every direction.
  118. big bang by jvv62 · · Score: 1
    Microsoft Apologist Apologizes for Microsoft [Slashdot] "Companies can minimize support costs by rolling out identical hardware and software to every desktop through big bang deployments." Of course, this does mean you have to have enough support staff to do a big bang deployment. To my mind, diversity is closer to the reality of even an all MS shop. Back when I dealt with such things daily, we always had at least 2 and sometimes 3 versions of Windows running. We had enough different applications running that not all of them were upgradable to the next OS at the same time.

    Saying that big bang is the best way to go is as big an indictment of Microsoft and its problems with Windows as anything the naysayers and critics could say. "I not only don't play well with others, I only play nicely with my own clones."

    --
    -John Van Voorhis
  119. Yes, I much prefer the intelligent, careful... by leonbrooks · · Score: 1
    ...thoughtful, deeply cutting MS bash-fests.

    BTW, Anti-"M$" Bash-Fests are misnamed because BASH is not a Microsoft product, and I'm not even sure that you get it with SFU.

    --
    Got time? Spend some of it coding or testing
  120. Dang, no mod points! by leonbrooks · · Score: 1

    The joke was kind of foreseeable, but your actual delivery was more tongue-in-cheek than a woodpecker. Well done.

    --
    Got time? Spend some of it coding or testing
  121. I'd settle for having him follow his own advice by leonbrooks · · Score: 1

    If he closed his own Port 80, the world would be a better place. (-:

    --
    Got time? Spend some of it coding or testing
  122. I think we should focus on blaming Microsoft. by leonbrooks · · Score: 1
    After all, practically everyone else changed their protocols to suit; and SMB was based on a butchered, hopelessly design-insecure version of LanMan anyway.

    This kind of stupidity has a long tradition in Microsoft; for example, they took VMS, an easy-to-secure system, and gave us Windows NT.

    Go and read some of the SaMBa design (and so by implication reverse engineering) documents and code comments, it'll give your eyebrows an extended holiday behind your hairline.

    After you've done that, you'll probably criticise me for being too lenient on Mr Money & Co.

    --
    Got time? Spend some of it coding or testing
  123. CC'ed FYI: Dear Rob by leonbrooks · · Score: 1
    To: renderle SPLAT gigaweb SPLOT com
    Subject: Rob, are you actually paid to do this?
    Date: Sat, 11 Oct 2003 19:53:01 +0800

    Two high-profile organizations recently argued that diverse environments are inherently more secure than "monoculture" (read: Microsoft-only) environments.

    ...and from other sources: [-text in brackets is filler to make lame SlashDot lameness filter happier-]

    The report's authors said the report was a reflection of their own views [...] "I wouldn't put all of the blame on Microsoft," Schneier said, "the problem is the monoculture."

    From the horse's mouth, the security problem harped on in the report is explicitly the monoculture, not the Microsoft. So you've started on a misconception. Do you recover from this?

    These arguments were put forward by Gartner [-text in brackets is filler to make lame SlashDot lameness filter happier-]

    Er... what? Gartner are hardly known for being critical of Microsoft, in fact they've got an informal reputation for being on Microsoft's cheer squad, if anything.

    As if to underscore their reluctance to injure or offend such a lucrative and dominant source of income, Gartner speak as little as possible to Microsoft, as such, limiting themselves to Windows. I believe this to be a mistake, since the majority of reported vulnerabilities on desktop PCs have been in Microsoft applications other than the OS - such as Outlook, Internet Explorer or IIS.

    They also make it plain, regardless of motives, that their primary concern is the lack of diversity, and I quote: [-text in brackets is filler to make lame SlashDot lameness filter happier-]

    By spreading critical business functions across multiple desktop platforms or by maintaining key operating groups on separate platforms, you can enhance your ability to keep at least some of your key personnel and processes functioning and communicating during an attack.

    Perhaps Gartner have realised that there is an issue here that they need to be seen to be addressing? [-text in brackets is filler to make lame SlashDot lameness filter happier-]

    Two strikes against Rob. But you go on to say: [-text in brackets is filler to make lame SlashDot lameness filter happier-]

    separately, a panel hosted by the anti-Microsoft Computer & Communications Industry Association.

    Also wrong (third strike), at least in origins: the report now filtered through CCIA was originally released by the diverse group of security consultants through security firm @Stake - and it seems that @Stake are so pro-Microsoft that Dan Geer, then @Stake's CTO, was fired over the publication.

    This brings to mind an interesting statement from [the] President of the Verm[o]nt Library Association:

    If you have to worry about what your reading list might look like to an FBI agent, you might decide to censor yourself and not read what you really want to read. And the moment you have to think about those kinds of decisions, then you are no longer truly free. -- Trina Magi

    To be sure, Microsoft are not the FBI - but the principle is exactly the same.

    The whole set of premises that you justify your article by are completely wrong. This essentially makes it worthless. But even if the raison d'être had been sound, you also muck up the content:

    We have yet to see a cost/benefit analysis that supports the conclusion that a heterogeneous computing environment lowers the overall threat level of a corporation, or that it is the most cost effective of the choices available to you.

    A Microsoft-aimed worm took out one large local ISP's mail service for a day, and kept it lagged for about 3 days this last week. A consultant I wo

    --
    Got time? Spend some of it coding or testing
  124. Just in case by Pan+T.+Hose · · Score: 1

    Right... and do everything yourself? There is one other alternative. Just don't use Windows with its reputation of having no security whatsoever.

    Just in case you missed my other comment (foolishly moderated as Score:0, Flamebait, because I dared to say I don't use Windows) I want to clarify a few things: I don't allow Windows on my network. Period.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
    1. Re:Just in case by mawwuk · · Score: 1

      Excellent choice :)

  125. Speaking about chroot jail by Pan T. Hose · · Score: 1

    There is no working snake oil.

    Working from behind NAT and with no ports open comes pretty close.

    Why, yes, indeed...

    Not so good for services, BoC you can jail those, and most of them can even be put in a read-only jail.

    Speaking about chroot jail, make sure nothing inside runs with euid 0 and there's no suid and/or locally exploitable vulnerabilities (a so-called "local r00t 'sploit") inside the jail, otherwise breaking out is surprisingly trivial. I just wanted to point it out in case anyone reading your comment could think chroot is a panacea, while we know it doesn't work against superuser euid privileged processes.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  126. UID==0 doesn't necessarily break chroot by leonbrooks · · Score: 1

    In Linux, either Capabilities or the SE patches nail that down quite convincingly. You could also put the jail on a NOSUID,NOSGID partition if you were worried about crackers being able to set a SUID bit on an executable.

    I'd be surprised if OpenBSD didn't take similar precautions.

    --
    Got time? Spend some of it coding or testing
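    The two checks the chroot comments above describe (nothing inside the jail carrying a setuid/setgid bit, and the jail living on a nosuid filesystem), together with the privilege-drop order that keeps euid 0 out of the jail, as an added example that is not part of this thread or of any project mentioned in it. The sample jail and the /proc/self/mounts text are constructed here for the demonstration; enter_jail() assumes it is called as root, since chroot(2) needs that.

```python
"""Audit helpers for a chroot jail (added example, not from the thread).

Two conditions from the comments above are checked:
  1. no regular file inside the jail carries the setuid or setgid bit;
  2. the filesystem holding the jail is mounted with the nosuid option.
enter_jail() shows the order of operations that actually drops euid 0.
"""
import os
import stat
import tempfile
from typing import List, Optional


def find_setuid_files(jail_root: str) -> List[str]:
    """Return jail-relative paths of regular files with setuid or setgid set.

    lstat() is used so symlinks are not followed: a link pointing outside
    the jail cannot drag outside files into the result.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(jail_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(os.path.relpath(path, jail_root))
    return sorted(findings)


def mount_options_for(path: str, mounts_text: str) -> Optional[List[str]]:
    """Parse /proc/self/mounts-style text (source mountpoint fstype opts ...)
    and return the option list of the longest mount point that is a prefix
    of `path`, or None when nothing matches."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint = fields[1].replace("\\040", " ")  # kernel escapes spaces
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, fields[3].split(","))
    return best[1] if best else None


def jail_is_nosuid(path: str, mounts_text: str) -> bool:
    """True only when the mount holding `path` carries the nosuid option."""
    opts = mount_options_for(path, mounts_text)
    return opts is not None and "nosuid" in opts


def enter_jail(jail_root: str, uid: int, gid: int) -> bool:
    """Enter the jail and drop to uid/gid; must be called as root (assumption).

    The order matters: chdir("/") after chroot so the cwd does not stay
    outside the jail, supplementary groups cleared first, gid before uid
    while we still have the privilege to change them, then a check that
    uid 0 is really unreachable afterwards.
    """
    os.chroot(jail_root)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)
    except PermissionError:
        return True  # privilege drop held
    raise RuntimeError("process could regain uid 0; privilege drop failed")


def build_demo_jail() -> str:
    """Constructed sample jail: one ordinary script and one with setuid set."""
    root = tempfile.mkdtemp(prefix="jail-")
    os.makedirs(os.path.join(root, "bin"))
    plain = os.path.join(root, "bin", "sh")
    with open(plain, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(plain, 0o755)
    helper = os.path.join(root, "bin", "helper")
    with open(helper, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(helper, 0o4755)  # setuid bit: the thing the audit must flag
    return root


# Constructed /proc/self/mounts content for the demonstration.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/jails ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

if __name__ == "__main__":
    jail = build_demo_jail()
    print("setuid/setgid files in jail:", find_setuid_files(jail))
    print("/srv/jails/web nosuid:", jail_is_nosuid("/srv/jails/web", SAMPLE_MOUNTS))
    print("/home/user/jail nosuid:", jail_is_nosuid("/home/user/jail", SAMPLE_MOUNTS))
```

    On a real host, feed mount_options_for() the contents of /proc/self/mounts and run find_setuid_files() over the jail directory before starting the service; a nosuid mount makes a stray setuid bit harmless at exec time, but the scan still tells you something was dropped into the jail that should not be there.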
  127. Re:Hey Pavelow, your STILL OFFTOPIC by Pave Low · · Score: 1
    looking at most all your posts, you really don't contribute much.

    You're right on that. I come here to get a good chuckle at the knuckleheads, the great trolls, and crapfloods, and idiotic articles. I didn't know "contributing" was one of the requirements of being here.

    1)your criticism towards people moderating your posts, 2) how slashdot sucks, and 3) how the articles are crap.

    1, 2, 3 still continue to be true. When it changes, then I could write something else.

    You whine like a mule, and yet you do NOTHING about it.

    I am just like any good critic. Please spare me the tired 'love it or leave it' argument.

    I like how any criticism that offends your sensibilities will be automatically modded down by you. I feel so much better now.

    --
    SIG:Slashdot: indymedia for nerds.