Slashdot Mirror
Microsoft Apologist Apologizes for Microsoft
hillbilly1980 writes "Internet Week has published a counter article in response to the number of anti-monoculture security papers recently published. Unfortunately the author starts out by writing off the other papers as simply anti-Microsoft, unfortunate because his paper never gets past being more then just pro-Microsoft. One of his suggestions to secure your enterprise... turn off port 80." Probably the best thing to do to prevent disinformation from entering your company is to block articles by Rob Enderle. Update: 10/11 00:54 GMT by M : Note for the record that the original version of the article referred to blocking port 80; the article has now been edited to refer to port 135.
One of his suggestions to secure your enterprise... turn off port 80
That's nothing. To be *really* secure I just don't even turn my computer on!
Slashdot is too subjective.
Ok, it is completely understandable and ok that slashdot is not a pro-microsoft-newsletter. But still I would have expected a bit more. Not just "oh, and if Rob Enderle is from Microsoft everythingh he says is bad".
Yeah lets all turn off port 80; its like having e-business without the "e"!
-On ones tombstone there will be 2 dates, Make the dash between them count!
The article advocates restricting port 135, not port 80.
~Phillip
that if I'd kept 30% of my infrastructure running Microsoft software for compatability reasons I should just go ahead and ditch it all?
Or am I just reading that wrong?
KFG
That's because he's got the wrong focus.
The monoculture risk is real when you're looking at the 64,000 view -- the entire population. They're not really all that much of a risk when you're dealing with, say, an enterprise's systems, and there's not that much benefit to them in that kind of environment (disregarding things like security devices for the moment).
We've used the agriculture analogy before to describe the issues around monocultures, so to continue to use it, we can say that his point is that monoculture isn't really an issue because when you're tilling a single field, it's a pain in the ass to put multiple crops on it. True, but that's not the point -- it's when you've got one crop on *ALL* the fields (all the enterprises) or at least a substantial portion of them that you get into a problem.
You make several accusations about the article's bias. But instead of giving us the articl and letting the readers make that judgement, or even making a logical argument for why he is wrong, you instead attack the author, and tell us how we should feel about the article. Anyone that reads slashdot can probably pick out the (alleged) MS bias by themselves. Keep your opinions to your damn self if you arent willing to back them up.
Let's look at some of these...
- Accelerated adoption of patches.
Ok, yes you do have to stay patched. But this is like blaming people with flawed cars for not going to the car dealer each week to check for recalls. Microsoft's abundance of patches indicates poor design and methodology, period.
- Locking down desktops so users cannot make changes and viruses and worms can't install themselves and run.
Ok, so rather than design the apps safely out of the box, we need to handcuff the users and do the dirty work ourselves. I guess all those Outlook viruses were our fault.
- Restricting ports, such as port 135, which effectively stopped the latest virus attack.
Wow! What a concept! I never thought of this! Now I know where all my problems are coming from! It's not from the software, it's my fault for actually allowing connectivity!
- maintaining "hot sites," or duplicates of key elements of the IT infrastructure, so if the main infrastructure is compromised, users can quickly switch to backup systems.
Sounds like a way to sell licenses. Ok, since we can't make our product stable, buy 2 copies and hope one works.
- Developing the capability to rapidly restore compromised software and data from backups.
Right. Key word is, develop. Why does an end user, paying hundreds of dollars per seat need to 'develop' something as common as this.
- Adding security staff or outsourced services.
Right. Keep sending us your licensing fees, and then spend more money to make up for the gaps in our software. Don't trust any of that 'free software' crap you read on the internet - those Linux guys are a bunch of hacks. Hire an MSCE. Preferably from another country.
Does it hurt to hear them lying? Was this the only world you had?
What exactly does "anti-Microsoft" mean?
Back in 97, I was working at a startup where we were using the usual array of Microsoft tools to create web-based applications: IIS, ASP, Visual Basic (COM controls), and SQL server. The more I learned, the more I grew not to like it. The straw to break the camel's back was finding a significant bug in MDAC (which was acknowledged by a high-level tech once the ticket was escalated), and then having to wait 6 months for a fix. We thus moved away from the MS platform to Java/Linux, a combination that we found to be superior for our needs. I haven't looked back since.
I think I thus fall into the anti-Microsoft camp. I'd prefer to think of myself as being in the "pro-well-written-software" camp though. If Microsoft started writing good, secure, and interoperable software, I'd welcome them with open arms. My problem with MS is that in my "learned-the-hard-way" opinion, they don't.
The author does not define the term "anti-Microsoft". So my question is, what connotation do people try and draw up with the term "anti-Microsoft"? In my opinion, fabricated terms that begin with "anti-" tend to be used to describe an irrational hatred of something, and that's what I'm seeing here.
What has *science* done?!? -- Dr. Weird (ATHF)
The last time one of Rob Enderle's stories hit Slashdot, I went and did some googling around. An hour later, I had absolutely no evidence that the set of analysts comprising the Enderle group was any larger than the set composing Rob Enderle himself.
He probably has a stuffed penguin as a technical advisor, and I'd also bet that his technical advisor frequently gets pins stuck in him.
You want the truthiness? You can't handle the truthiness!
It may be funny, but sadly some people do really think that firewalling port 80 (or 8080, or 21, or 20, or 22, or 443 -- et cetera, ad nonsensum) is the answer indeed. Some people may be surprised (not Slashdot readers though, mind you) but there simply is no simple answer. There is no working snake oil. The buzzword of the week alone will not save you. What are my answers then? Simple. Read Security Focus. Read Crypto-Gram. Read Phrack. Read the underground IRC discussions. Read encrypted Usenet posts. Read the articles posted on Freenet. Read the books for god's sake! Read about systems. Read about networking protocols. Read about cryptography. Read about cryptanalysis. Employ honeypots in every network. Learn C. Learn Assembly (Intel as well as AT&T syntax, for different CPU architectures). Learn executable binary formats. Learn how to see polymorphic shellcodes in network packets hex dump, just looking at tcpdump output scroling on your terminal. Learn how to speak different protocols (http, smtp, pop3, etc.) with netcat, then making your own tcp packets, then your own hand-made ip packets, then ethernet, ppp and slip. Learn. Read. Then learn some more. Read. Read. Read. And learn the one most important thing: security is not easy. When everything fails, you are on your own.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
That won't really do either. If you want a real secure computer, here is a nice howto.
http://www.tuxrocks.com/
The article advocates doing actual *STUDIES* to backup the call for diversity. It also calls for other methods that are basically best practices for a business: a disaster recovery plan, proper backups, firewalls & IDS and managed desktops.
There is nothing wrong with anything he advocated in this article. Getting supporting evidence and adding diversity to a proper BC/DR plan is 100% correct.
What he fails to acknowledge is that Microsoft has, for its entire history, made security an afterthought that always lost to convenience.
Windows 95, 98 & Me were designed as *consumer* OSes, not corporate clients. Consumer OSes had no need for all those network services and ports being open by default. These systems were designed for home users, not businesses. WinNT, 2000 and XP Pro are different animals and are designed to be used in LANs where many of those services are going to be needed.
The DUN 1.4 update should have patched those Win95/98 systems to lock down almost every incoming port short of DHCP, NTP and DNS returns.
While MS has made noise recently about an emphasis on security, their actions speak louder than words. WinXP, while more stable than Win98/Me, seems to be just as vulnerable to security problems as other versions of their OS.
Even though Win95 and Win98 are no longer officially supported, MS needs to release one last patch that locks many of those ports down.
Unfortunately, no patch in the world will stop clueless users from clicking attachments without looking.
Learning HOW to think is more important than learning WHAT to think.
Great idea. Let me make sure everything is off in my lab. Let me also ask management of my institute to file for bankruptcy while I am at it. I am sure they will thank me for making our network absolutely safe.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
You mention quite a few very important but frequently underestimated issues here. The network where I work is constantly being monitored and we know that firewalls and IDSs need to work both ways. I think that the prosecution one of our workers who was downloading pornography using our network (the poor bastard thought des encrypted icmp echo reply payload was a good "covert channel" -- not when I am in charge) will face in few weeks pretty much speaks for itself.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
I particularly like the GNU operating system approach to improving the Unix security. Of course I mean the Hurd kernel, not Linux. We all know ACLs, MAC, POSIX capabilities and even the Hurd auth servers are not the final solution, but one has to admit it's a good start which will surely lead to quite an interesting research during the following decades.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Slashdot has never claimed any kind of objective viewpoint. Its rather biased. And its become well-known, if not always popular, because of that bias.
Slashdot filled an interesting niche; a dissenting opinion when the IT press was almost entirely Windows-centric. Linux was quietly seeping in to the Enterprise. But the mainstream IT press either ignored it or was unfairly dismissive. Slashdot was a forum most noted for its pro-Linux and Open Source friendly opinions.
Times have changed.
Now, its not worthy a Slashdot news post just because a mainstream IT rag has mentioned Linux. Its not entirely unlikely to find pro-Linux / pro-Open Source articles in the mainstream. Right next to the pro-Windows articles. And the press releases being masquaraded as an article. Some things don't change, after all.
Slashdot's bias is one of those constants.
I'm kind of curious. It seems that over the years, Slashdot has gained more pro-Windows readers. Mainstream attention has either provided more people with a Windows-centric viewpoint or its attracted more astroturfers and trolls.
But for every time I see someone complain about Slashdot displaying an "unfair" bias against Microsoft, I wonder how many people like myself sit quietly in the background glad that Slashdot keeps that bias firmly in place.
Just after Blaster started clearing up, Microsoft released MS03-039 which is essentially the SAME vulnerability as was -026. They blew it. They didn't fix the problem with the -026 patch, so admin's now had to re-patch all their machines.
Well, here we go again - only this time the exploit code precedes the MS anouncement and corresponding patch. Yes kids, the hacking underworld has perfected the exploit code for MS03-039 and in doing so uncovered yet another hole in the RPC/DCOM service for which there is NO PATCH AVAILABLE!!! (As of 11 Oct, 2003 0100)
And for those of you who think that this is just FUD... here's the exploit soucre code. Simply compile under Linux, then change your shorts.
Network admins: May I suggest you take your sleeping bag and pillow and put it in your car - theres going to be a lot of late nights at the office coming up.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
In a case like that, Microsoft's EULA doesn't apply at all, because the injured party isn't running Microsoft software and hasn't agreed to any Microsoft contract terms. This makes it an ordinary negligence claim.
It's like sueing an auto manufacturer because somebody had a brake failure and hit you. Even if the other party was speeding, the manufacturer can still have some liability for the accident.
Some Linux-based ISP overwhelmed by Microsoft virus spam and mail bounces should go for this. There's a real case here, with real costs (overtime, extra mail servers, more bandwidth) associated with this stuff.
It does work. Rather well, in fact. One of the most simple, common-sense ways to start port-blocking is to block everything below 1024 except for services that you know that you want to provide. It's amazing how many networks get along just fine with nothing but http, ssh, dns, smtp, and pop-3.
By doing that and disallowing email with any executable attachments, one of the networks that I maintain has weathered all of the email/network virii/worms without a single incident - despite the fact that they have M$ machines that haven't been updated at all.
Occasionally, they'll call because someone thinks they have a virus. I'll go and scan all of the machines with the latest patterns, and guess what - no virii.
Of course, this in no way excuses Microsoft for their horrible security. It's simply a way to get at least a good start at protecting yourself.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
You can minimize your risk when staying up-to-date with patches and can block incoming traffic on dangerous ports, for example, but you'll never be totally secure this way. This is why it helps so much running *ix or *bsd , because you can chroot, jail, run apache as wwwrun and so on. Windows gives you full access once exploited, as you all know.
Imagine: Somebody attacks you with a working exploit before you've got the patch installed even if you update every day - unlikely, but possible.
Or imagine: You block all incoming traffic on 135/139 with your firewall and consider yourself immune to the blaster type of windows attacks.
Take a person connecting via a vpn (for example) to your network which has an infected machine at home and think of the consequences once he is connected. Effeciency of firewall -> zero (in most cases).
Ever hear of something called an "SUV"?
Il n'y a pas de Planet B.