[Reader-list] Re: WB Govt ties up with MSFT

Raju Mathur raju at linux-delhi.org
Sun Aug 5 20:37:58 IST 2001


Hi Menso,

I agree that security is the user/administrator's responsibility and
it doesn't matter how many patches MS releases unless the admins are
clued in enough to download and install them.  OTOH, we must also
consider the following:

1.  MS seems to have perennial problems with buffer overflows.  One
would have thought that after the first 100 or so they'd have the
decency to sit down and audit their complete code base and remove all
the buffer overflows they can find, but their attitude seems to be
(and it's valid, from a twisted perspective) that if they deploy the
same engineers in creating new code they can get (buggy) products to
market faster and make more money.  I have nothing against buggy
software.  I /am/ strongly against a corporation which puts the
security and stability of its users and clients second to anything at
all.

2.  The Code Red worm was caught early, but there have been other ones
(and will continue to be more) which have slipped in before anyone in
the MS or security communities saw them.  These will continue to wreak
havoc with the world's computing infrastructure.

3.  MS' own policies deter a propagation of equally effective,
competing products.  Make a Pine/Mutt/Elm/VM/GNUS/Kmail worm and you
hit maybe 10% of the Linux community.  Make an Outlook Express bug and
you hit 99% of Windows users.  Similarly, due to the open nature of
the environment there are many competing browsers on Linux but only
one feasible one on Windows.  Thus MS' policy of stifling competition
indirectly contributes to the ease with which virii and worms
propagate on MS platforms.

For a more fascist way to handle the dumb sysadmin problem, please see
my (tongue-in-cheek) article Standardise and be Damned:

   http://www.linux.com/newsitem.phtml?sid=93&aid=8568

Regards,

-- Raju

>>>>> "Menso" == Menso Heus <menso at r4k.net> writes:

    Menso> On Sun, Aug 05, 2001 at 12:23:59PM +0530, Raju Mathur
    Menso> wrote:
    >> 1.  Security.
    >> 
    >> Microsoft products have time and again demonstrated a
    >> regrettable lack of basic security features.  Recent incidents
    >> which have affected a sizeable portion of Microsoft-based
    >> servers and client systems on the Internet have served to
    >> highlight the fact that Microsoft makes Insecure Products.
    >> 
    >> The Code Red worm (computer virus) infected millions of servers
    >> on the Internet in June 2001 and coordinated them (without
    >> their administrators' consent) to simultaneously attack the US
    >> White House web site.  The worm is still alive though dormant
    >> and no one knows exactly where and when it will strike again.
    >> Needless to say, this worm only affects computers running
    >> Microsoft's most popular web server.

    Menso> The patch for the Code Red worm was already available a
    Menso> long time before the worm started to spread. If one would
    Menso> have followed the IIS 5 Security checklist the server
    Menso> wouldn't have been vulnerable in the first case. This
    Menso> checklist got released I think at the same time as IIS 5
    Menso> got released.

    Menso> So then, is this a problem in "Microsoft software"? I think
    Menso> not. The list for patches that comes for Unix/Linux systems
    Menso> is quite as long, bugs in bind, sendmail and apache would
    Menso> not make anyone happy either.

    Menso> The situation is comparable to finding a bug in linux,
    Menso> releasing a patch and then not running this patch. The same
    Menso> would happen as happened now with the Code Red worm.  In
    Menso> fact, the first worm ever written, back in the days,
    Menso> targeted Unix machines. I do not find this a convincing
    Menso> argument.
 
    >> Only a few days after the infamous Code Red attacks (on August
    >> 5, 2001), another worm which infects Microsoft-based web
    >> servers has been discovered and is at the time of writing being
    >> analysed to discover its potential to disrupt the world's
    >> computing and networking infrastructure.

    Menso> Making use of the same hole? The problem here is not so
    Menso> much the security hole as the 'smartness' of the person who
    Menso> wrote the worm. Especially now that the world is hanging
    Menso> together on fiber and data travels fast it is a matter of
    Menso> hours before the world is infected.
 
    >> The SIRCAM virus which replicates itself using e-mail as the
    >> medium has been deemed such a major threat to computing
    >> infrastructure that Microsoft and the FBI have taken the
    >> unprecedented step of releasing a joint warning notice against
    >> it to all computer users in July 2001.  Again, the SIRCAM virus
    >> only affects e-mail users who use Microsoft's products -- all
    >> other software is immune to this threat.

    Menso> I had a discussion about email viruses once before on the
    Menso> nettime mailing list. I then argued that a virus such as
    Menso> this could just as easily have been written for linux systems
    Menso> for example yet that it is a bit more hassle there to get
    Menso> the user to actually execute the virus.

    Menso> In Outlook people just click and pray for the best, with
    Menso> linux/unix systems one would have to save the file by hand
    Menso> first and then give it execute permissions. The person
    Menso> doing this is most likely also the person that reads
    Menso> through the file first before doing so.

    Menso> The problem as I see it is not as much with the Microsoft
    Menso> software which contains as many bugs as any operating
    Menso> system out there, but with the level of knowledge on the
    Menso> operating system a user uses.

    Menso> For some reason people find that they should not read any
    Menso> books on computer subjects since "everything just
    Menso> works". With an out of the box install of Windows this is
    Menso> mostly the case and this works fine in a non-networked
    Menso> world.  However, it still remains the responsibility of the
    Menso> user in my opinion to take appropriate security measures
    Menso> once they hook up their system to a hostile environment
    Menso> such as the internet.  People who fail to do so get what
    Menso> they deserve and sysadmins who fail to do so get the same.

    Menso> When huge amounts of rogue traffic travel across the
    Menso> network, the network will have problems with this, whether
    Menso> this is a 'virtual sit-in' *cough* or a virus trying to
    Menso> spread itself. Both are bad.

    Menso> In the end it's all a matter of knowing what you're doing,
    Menso> whether you run a Linux server or a Windows 2000 or own a
    Menso> Windows 95 desktop machine.  The problem is, unfortunately,
    Menso> that not a lot of Windows users seem to know what they are
    Menso> doing. It is the job of the sysadmin to prevent misuse then
    Menso> by setting up the network in a correct way and installing
    Menso> virus scanners on the network. Unfortunately, with Code
    Menso> Red, we have also seen that there are a lot of sysadmins
    Menso> out there who do not understand their job. And that, my
    Menso> friend, is the origin of the problem.

-- 
Raju Mathur          raju at kandalaya.org           http://kandalaya.org/


