Microsoft Blasted For Lax Security 402
fducky writes "Once again Microsoft is blasted for lax security. This CNN article cites experts denouncing the recent Microsoft security efforts as rating an 'F'. The recent MS-SQL worm got this most recent round of MS bashing going. Google News has more stories on the subject."
If I had a nickle for everytime (Score:2, Funny)
Re:If I had a nickle for everytime (Score:2)
Thank Illiad (Score:3, Funny)
'F' even with a patch... (Score:3, Insightful)
Re:'F' even with a patch... (Score:5, Insightful)
Comment removed (Score:5, Informative)
Re:'F' even with a patch... - But WHICH patch? (Score:2)
Re:'F' even with a patch... - But WHICH patch? (Score:3, Informative)
OK: Let's me get this straight:
- MS publishes their hotfixes with a warning that they may break things and you should only install them if you're having problems;
- Sysadmins are at fault for not ignoring MSs warning and blindly installing all hot-fixes immediately
- If you'd blindly installed all MS hotfixes, you might break earlier hotfixes
-
Service Packs are mostly just rolled-together hotfixes, but they are known to wilfully break things;
- Despite MS warnings to the contrary, Service Packs need regression testing but hot fixes don't.
A hotfix (...) has never (to my knowledge at lest) changed anything.-
The hot fix that would have blocked code red was undone by a later hot fix.
-
The hotfix that would have blocked slammer was at risk of being, itself, slammed by a later hotfix installed in the 'normal' way.
- MS's own servers were broken by the slammer virus.
Just how much knowledge do you have, anyways?Re:'F' even with a patch... - But WHICH patch? (Score:3, Informative)
Actually you are both right. Although Service Packs often roll up hot-fixes, they also can include many more bug fixes that weren't deemed important enough to require releasing as a hot-fix. Thus they are much more likely to include a deliberate incompatible change that breaks an application (i.e. DirectX N+1, or the above-mentioned DBCC behaviour).
However, although hot-fixes are usually small changes targetted to fix a particular problem, they do not undergo the full regression testing that a service pack does. Most MS hot-fixes come with an CYA warning that you shouldn't apply it unless you believe you are in a situation exhibiting the problem and requiring the hot-fix. Since code modularization at Microsoft seems to be dictated at least as much by the marketing and legal departments as by good software engineering practice, a hot-fix has a not-insignificant chance of having an unexpected side effect (witness the problem with the October hot-fix).
So whether it's a hot-fix or a Service Pack, you wind up having to regression test your 3rd-party applications before deployment, and if you think most IT departments can afford to do that with every "hot-fix of the week" you're out to lunch. Most admins would probably have deployed SP3 after performing their own regression tests in another few weeks.
That said, what kind of idiots connect 120,000 unprotected database servers out on the net? I doubt all were in the position of the poor slob a few levels above in this thread who had deployment mandated by upper management.
Re:'F' even with a patch... (Score:4, Informative)
A recent patch sent out in October actually made the servers vulnerable again. So if you patched with the old patch, and then the one in October, you were screwed.
even Microsoft's network got hit with the worm (Score:3, Informative)
Secure in failure (Score:5, Funny)
Also, during the height of worm activity the XP activation servers failed in a secure manner - that it, rather than allowing people to use unlicenced copies of XP willy-nilly, they erred on the side of caution. Note that from Microsoft's POV this is a secure failure mode, and is BY DESIGN.
They're doing exactly what they set out to do, just as they always have. A CNN story won't affect that.
It's not just microsoft (Score:5, Insightful)
When another OS is popular, you'll see it happen to it too. I believe nobody is immune, only the popularity decides what is a vector for transmission
Not necessarily bad coding or seciryty. Many other operating systems could be almost said to be 'hiding' in their obscurity
Security by obscurity is no defence.
Look at a recent article on Macintosh virus attacks. They used to be none-existent. Now with OSX they are up to half as common as Microsoft.
And apple still only has a minor market share. That bares thinking about
Re:It's not just microsoft (Score:2, Interesting)
Let's have less security through obscurity and more security through actual security and proper maintainence.
Kierthos
(Yes, it's probably a pipe dream, I know.)
Re:It's not just microsoft (Score:5, Insightful)
Look at webservers, however. Apache is twice as popular as IIS, and yet there are several times more security issues with IIS than with Apache. That can not be explained by relative obscurity.
Re:It's not just microsoft (Score:4, Insightful)
Re:It's not just microsoft (Score:5, Insightful)
Re:It's not just microsoft (Score:2, Insightful)
http://news.zdnet.co.uk/story/0,,t269-s2129682,
Re:It's not just microsoft (Score:2)
http://news.zdnet.co.uk/story/0,,t269-s2129682,
If you were posting this to say that SQL Server is more popular than one thinks because some small vendors bundle SQL Server stuff in thier product means "diddly squat". Oracle and DB2 have a much bigger market in other vendor's software. That is not research.
MOD PARENT UP (Score:2, Offtopic)
The parent comment makes a valid point, it should be modded up to match the +3 score of its parent.
Re:MOD PARENT UP (Score:2)
See told you, my comment gets previous modded down, even though pointing out an interesting post is clearly on-topic.
Microsoft and Monocropping (Score:5, Insightful)
Now if that plant had any vulnerabilities to disease, you are hosed. All of the fields of this same plant are going to die in exactly the same manner at exactly the same time.
Meditate on this, Grasshopper.
Re:It's not just microsoft (Score:2)
and 3/4 of all numbers supporting an argument are made up on the spot.
Microsoft's problem is that they have blurred the distinction between the OS and applications. They received a boost to performance and ease of use, but are paying a cost in massive internal complexity.
Re:It's not just microsoft (Score:2)
I don't do Windows but I would assume that they've got a procedure that's as easy as "apt-get update ; apt-get upgrade" in their more recent offerings. I don't know if they ship their systems with sensible defaults on their services (IE: Disabled by default or listening on the localhost interface only if the OS really needs them.) One thing they're still doing wrong is allowing people to run with full administrative privilidges. They need to force people to run under a limited user level account, force (at the very least) the administrative side to have a password and if the user side has a password, prevent the user and administrative password from being the same.
Is this really news? (Score:2, Insightful)
Re:Is this really news? (Score:3, Interesting)
It would have been nice to see some kind of list, or maybe a timeline of sorts with other MS security flaws.
That would be here [microsoft.com].
it just seemed like they based their whole thesis of security shortcommings on one recent incident.
I think it has more to do with the anniversary of the Trustworthy Computing [wired.com] effort within Microsoft. It was a year ago that the Bill announced that security was their new focus, that all the software engineers were standing down for a month of no new code, just security bug-finding and bug-fixing. And there have been recent announcements reiterating this sort of "commitment".
Mind you, this worm is a poor example of Microsoft insecurity. Not only was there a patch out, but it was SQL - any admin who didn't have it patched should at least have had it firewalled. But the timing of it points out that Microsoft has had many years of insecure feature-oriented software engineering to go back and fix up, and that their "new direction" has a lot of inertia to overcome.
Re:Is this really news? (Score:2)
Now, can we compare this with a timeline of security flaws in linux and packages frequently installed on linux like mysql, bind, apache, etc?
Yes, but it is more difficult. A good place to start would be the SecurityFocus Vulnerabilities archive [securityfocus.com]. Part of the difficulty is that vulnerabilities are often reported multiple times due to the various vendors, etc. etc.
Without going into a detailed analysis, Bind has the worst history if you go far back, but its frequency is a lot better now. At its worst, it was at roughly IIS levels of hole frequency and seriousness. Apache and Mysql have both low frequency of holes, and Apache tends to have more non-fatal holes than serious ones (i.e., access to files rather than remote root exploitation).
Another interesting comparison would be the resources and man hours put into, say, IIS versus Apache or MS-SQL versus MySQL. Without hard information, I think its safe to assume that the Microsoft products have had a lot more development done on them. While in a perfect world this would improve their security, I think the practical effect is to decrease their security due to code and feature bloat - "Trustworthy Computing" notwithstanding.
Let's give MS a chance... (Score:5, Insightful)
Furthermore, the product that was compromised is legacy from before their big embracing of security. Let's see what happens with its next major release. If that still had big gaping problems, then we can hang them from the tallest tree.
I don't really want to give them a chance (Score:4, Insightful)
Anyone with that much money in the bank can damn well afford to produce products that actually are best in class. They are number one right now, but clearly do not deserve to stay there when we know there are better and cheaper ways to do things.
Re:Let's give MS a chance... (Score:5, Insightful)
PS, that was 10 year ago.
You don't wake up one morning and decide to be security minded. That's like waking up one morning and deciding to be a ninja. Martial arts are a way of life, and the mindset required comes only after years of study and commitment.
Microsoft's problems are a result of years of neglect and malpractice. You don't get to be that bad overnight. It takes work. Knitting a web browser into an operating system took effort. Knitting an LDAP directory into your domain security model, tied into your DNS and DHCP servers took effort. Creating a sytem by which you can embed executable commands into an office document took work. Making sure that your office document could execute command in your email client took work. Intermingling your email client with the server so that they are passing executable code back and forth took work.
Meditate on this, Grasshopper.
Re:Let's give MS a chance... (Score:3, Insightful)
Embedding the web-browser was done to screw Netscape by inserting a replacement which could not be removed (even though early versions could be).
Other decisions here will have had similar backgrounds.
Under these circumstanced, 'Trustworthy Computing' is nothing but a PR exercise. Correcting design errors like that is an impossible job. I believe that the original NT security model was fundamentally sound, but the add-ons have killed it. MS show no signs of learning this, XP is more bloated than ever.
The *nix model of discrete components which can be installed separately when required, or replaced by other components which do the same job (sendmail/postfix ) is simply safer. An additional advantage is that there is no 'standard configuration' which Virus/Trojan writers can assume present, not that that would have helped with a one-component worm like this one.
Re:Let's give MS a chance... (Score:4, Insightful)
Let's see what happens with its next major release.
If the car you're driving is known to spontaneously explode when the wrong song is played on the radio - would you also continue driving it and wait for next years model?
What about the SysAdmins? (Score:5, Insightful)
And while there are plenty of problems for Microsoft to fix in their code - IE has plenty of unresolved issues - this issue was in large part due to System's Administrators. Let's let is slide that they were "just waiting for the next service pack to come along" so they could update and patch everything. I don't buy that as a good policy for maintaining system - if a patch is out and can be applied, use it. And why leave SQL systems on the internet without some sort of firewall or some sort of protection. If it has to be on the Net, why does it not have every possible security patch applied to it?
I'm sure there are some valid reasons for having your system protected from this bug but in large part Admins dropped the ball.
But thats my $.02
Re:What about the SysAdmins? (Score:2, Informative)
then you get f*** for taking down a working system and you can never prove you had done something necessary
if you can't trust the patches you have to wait 'till you have feedback from other users
that means to have to check for every patch in combination to every applications you use
at many points it is even easier to "drop the ball" and reinstall after something happened
Re:What about the SysAdmins? (Score:5, Insightful)
Patches from Microsoft are not like patches from the OSS community. You don't get to see the code changes and don't know what the Microsoft patch will do and there is no way to know without trying it in a test environment. Ask around and see how many admins have been burned by applying a service pack or hot fix on a production machine even after testing it out in a lab! Microsoft patches are notoriously flawed and impact areas of operation that seemingly have no correlation to the bug being fixed.
So, this particular bug was published six months ago. Is six months long enough to fully test an amorphous piece of software? Maybe if we had the source code, we would know what to test. However, without the source, we have to test everything. Because, you never know what other piece of code Microsoft is going to throw in.
Re:What about the SysAdmins? (Score:3, Insightful)
Sorry, but I know plenty of Linux sysadmins. All of them take the same basic method for patching I do: Try it on a test system, if it works, apply it to all the systems. None of them, even the ones that are programmers too, have the knowledge to dig through the code to figure out precisely what it does. What's more even if they did have the knowledge, it would help at all. It's not like there is going to be something glaringly obviously wrong in the patch. If it causes problem it will be because of an unforseen interaction between something they happen to be running and the patch. This isn't something you can see just by looking at the code to the patch.
IT seems that OSS people get a real warm, fuzzy feeling from being able to get the code. Fine, but you need to realise that 99.% of the time it doesn't matter because you lack the skill, time or both to evaluate it. Are you honestly telling me that you looked at ALL the code on your system? I mean all of it, every program, every module, every driver. Then can you further say that you understand it all, it all makes sense and how it works together? Of course not. I am sure by and large you just use it and don't give it a second though.
Really the only way to test a new patch is to try it on a test server. Even if you have all the code to the whole system the amount of time and skill necessary to fully analize all of it just isn't worth it compared to quick, emperical testing espically when it's possable that you can miss something (after all if the patch just came out it's obvious that everyone else missed this before now).
But what REALLY pissess me off about this whole thing is that you should NEVER have your SQL ports open ot the Internet. Ever. Period. There is no reason. YOu need to access it remotly? Fine, VPN. Ideally, database servers should run on a private, firewalled internal network. If this isn't workable, then on seperate firewalled servers. If they have to run on teh same server as the web server because of money (and I can understand that) then the server needs to have a firewall on it. I don't care what SQL server you use, this holds true. It is not something for public access.
Re:What about the SysAdmins? (Score:5, Interesting)
Don't get me wrong - the sysadmins certainly have some responsibility. At the end of the day, they're paid to keep the system running. If the system isn't running, they're not doing their job. Ergo.
However, many people smarter than me (e.g. Bruce Schneier) have pointed out that Microsoft's patch policy is completely bankrupt. From the article: Another quote from the article: So here you have a vendor who:
- Can't keep their own systems patched, even 6 months after the fact.
- Issues patches that break previous patches.
How exactly are you supposed to stay on top of this? Re-test the system for every previous vulnerability after every single patch? While in an ideal world you'd say, "Yes - roll the patch out first on a test system and make sure it fixes the current issue and breaks nothing else." you'd have to be smoking crack to think many people have the manpower or time to do this.The core issue here is that Microsoft has built its software with very little attention to security, and you can't make up for that with a month or two of "security consciousness." They've explicitly sacrificed security at the altar of market share, and now it's coming back to bite them (and all their customers) in the ass.
Re:What about the SysAdmins? (Score:4, Insightful)
Actually, yes. This is called regression testing, and it's pretty common in the software industry. Not only are security holes quite often the result of a bug, but their behavior is quite similar to a bug. Either it is fixed, or it isn't. The same script kiddie code won't affect a successfully fixed security hole, even if the fix opens up a new hole, the old one is fixed. Because the regression test also checks previous holes, you can be assured that the fix hasn't reopened any of them.
As for the manpower problem, there are regression testing suites available that cut the manpower down to nearly nothing. Your manpower argument could be applied to Linux just as easily. The kernel has too much code and too many contributers, it will never work. But at the end of the day, if Linus runs 'make' and your bug-fix fails, then your code is fucked and gets rolled back, end of story.
On the other hand, I do agree with your last paragraph. MS has dug themselves a pretty deep hole. It will take years of code auditing to really fix the problem. By then, the next version of Windows will be out, and all their efforts wil have been wasted. They are honestly better off just focusing all of their newfound security awareness into their next product lines, and continuing to make the less-then-stellar patches we're used to for their current products. Oh well, guess you can't have your cake and eat it to. *shrug*
Re:What about the SysAdmins? (Score:2)
Since when? (Score:3, Insightful)
Now said system was purchased against your recommendation, is proprietary in nature, and the company that made it was bought out by another company, so you can't even get a straight answer on simple questions anymore. The department responsible for this purchase has never hired the person promised to maintain the system, nor have you been sent out for training on its maintenace.
A week after this system is installed a third party contractor installs a replication system so your ticketing system can be connected to a big web server in another state. You don't really know what ports need to be open, how they are being used, and every time you tweak the littlest thing the entire operation comes to a grinding halt.
And you expect me to apply patches at random. Especially when they require taking the system offline, and each has the risk of incapacitating your operations. Right.
Blame me all you want. But the seeds of ruin were planted further up in the decision making process.
They released a patch! (Score:2, Insightful)
Re:They released a patch! (Score:5, Interesting)
1) It was difficult to install
2) They released a later patch which re-enabled the exploit
3) Their own admins didn't install the patch and Microsoft itself fell victim the exploit.
Which leads me to believe that while they can release patches for security - there is not enough ease an consistency to keep your systems "reliable". Many times a patch breaks functionality.
Re:They released a patch! (Score:2, Insightful)
I'm no programmer.. in fact, I'm just a hardware geek trying to break into the IT field and not succeeding very well at it, but I can think of half a dozen times in the last couple years where some major M$ security flaw has been caused by an unchecked buffer....
Now, I MAY be in error here... but they loosely covered buffers in my Intro to Comp Sci. course in college... and they repeatedly went off on making sure to close them up and the like... (I majored in Religion, so my coding vernacular is likely not up to snuff, please forgive.)
Considering the thousands of such vulnerabilities that have been reported over the years (I mean, this is a fairly common screwup..), would it not be safe to assume that a company with ANY sense that its products might need to be secure, and that actually tests its products properly and does adequate QC, would at the very least go through and check the code for such an obvious source of problems? It's not like M$ lacks the manpower, or money.
I've not yet gotten edjumacated properly and switched to Linux, BSD, or some other Open Source OS.. but what this weakness on my part has allowed is an extensive history of playing with M$... and it's my opinion that they just don't test their software properly before releasing it. They've released buggy pieces of crap for YEARS that are unstable as heck, and its often not until the second or third service pack release that the software actually becomes somewhat reliable (if at all)..
That's M$'s shell game.. Release buggy and insecure software, blame everyone else, and at the same time keep users scrambling to buy the newest releases in a vain hope that M$ might actually have a working solution for them. All the while M$ rakes in the dough. They can do it because they are a virtual monopoly with all that comes with it.
Richard M. Smith (Score:5, Funny)
Oh no you don't! Don't think you can fool us with that all too common last name. We know it's you, RMS!
philosophy of patching fundamentally flawed? (Score:4, Interesting)
can anyone explain to me a better method, since even thy mighty god linux is subject to the need occassionally along with every other major OS i can think of?
the paragraph continues with, "For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm." to me, it seems that this statement doesn't support the previous. it would be better to place blame where it belongs, straight in the lap of the admins whose responsibility it is to keep their systems secure, and upon the heads of those who write exploitive code for the purpose of causing havoc.
i mean, more power to those who bring these issues to light, but doing so without perspective just looks like picking on an easy target.
Re:philosophy of patching fundamentally flawed? (Score:2)
A software "patch" is a "recall" by another name.
Besides, can you name the last patch you installed that didn't require upgrading some other component of the operting system?
Re:philosophy of patching fundamentally flawed? (Score:3, Informative)
I can't. But Bruce Schneier can [counterpane.com]
Who's To Blame Here? (Score:3, Insightful)
Who's to blame in this situation? I clearly feel it's the administrative and their immediate managers both at Microsoft and any organization that was hit with the worm. The administrators should keep up with the newest patches and update systems during the maintanance window. Managers should ensure the administrators have applied the patches.
The argument about downtime and untested patches will surely be seen here as well. That argument is not OS specific. Sure, on Windows you generally need to reboot after applying a patch, but what if this happened to Oracle? You would need to take the server down, patch and bring it back up. As for testing, this is again an OS independent. At one time or another I'm sure every piece of software has released a patch that has introduced new bugs, it happens.
Either way, there will be Microsoft bashing in the thread, but regardless of which OS you're running situations like this will arise.
Re:Who's To Blame Here? (Score:3, Insightful)
Any organization that applies patches willy-nilly without preforming application tests is going to have problems. A company that just applies patches with testing is going to have problems that are going to be as big, if not bigger than the security issues that arise from not patching.
Is that really who is to blame? (Score:2)
Ok blame the admin's. But that is like saying a if somebody cuts off their leg with a chainsaw it is the owners fault for not being careful. Yes the chainsaw user is at fault. But the chainsaw manufacturers were also at fault because the saws kept running when the human let go. That intensified the problem. These days all of these "dangerous" tools have safety checks, etc so catastrophic things do not occur anymore. And it has made a huge difference. This is the same situation with MS and its security problems. At some point in time MS has to start changing its habits and thinking about how to address the issue. Because thus far it has not worked worth a DAMM!
Other focus today... (Score:3, Insightful)
Even as security issues are top news usually on Slashdot, this shows where our hearts are.
Yours, Martin
Not applying patches? (Score:2)
Some people blame the admins for not applying the patches, but should you?
Some things to consider about patches:
Re:Not applying patches? (Score:3, Informative)
1. Haven't bothered to keep their SQL servers up to date
and
2. Allow anyone from the internet to connect to that port anyway!
Auntie Gayle's Basic Firewalling Guide for fuckwits
1. Drop EVERYTHING!
2. Specifically open the ports you need.
3. If you do this the other way round (i.e. only drop known problem ports/protocols while leaving everything else open) please report for immediate recycling.
The one thing Microsoft are responsible is for making the sysadmin job seem so easy any moron can do it. This encourages companies to employ button pushers and we end up with things like the 'slammer' debacle.
Stick a fork in this subject... (Score:5, Interesting)
How much longer is this going to continue? My family is not that tech savvy, and they crack jokes about Microsoft's security, or lack thereof. It always seems to me that all these industry groups talk about Microsoft's horrible security record, and Microsoft responds in turn with, "We're doing our best to improve security in our products, for the betterment of the consumer, business, and mankind, forever. Amen." But Microsoft never seems to be called on it.
Are previously Microsoft customers starting to move their business elsewhere? Or does Microsoft's monopoly status simply enable them to say certain things on the surface, and then snicker behind closed doors later? I have to think that eventually, the onus would be on them to fix these things, or their business will fall to those companies that make better, more secure products.
It reminds me of the Oakland Raiders in the latest Superbowl. They simply looked like they weren't in it to win. Microsoft gives me the feeling that they really don't feel like focusing on making secure products is really that important of a goal to them.
Perhaps other companies feel differently.
Re:Stick a fork in this subject... (Score:3, Insightful)
The sad thing is... Nobody else is any better. This is a universal computing industry problem.
CNN's coverage of Microsoft (Score:2)
I'm at least as anti-Microsoft as the average Slashdotter, but this is getting a bit ridiculous. Aside from the fact that a patch was available, what the heck is a database server doing with a direct Internet connection? Five years ago, when I started designing web applications it was common practice to put web servers in a DMZ, with a firewall between the web server and any DB/app servers.
This isn't Security 101, it's Remedial Common Sense 050!
This is news? (Score:2)
Yes, Windows (and related products) blow in regards to security, it just means that we have to go an extra (or more) step to make sure they don't blow up in our faces.
Yes, I run WinNT at work, it's stable, and not been disrupted by exploits/worms/virus/holes/whathaveyou, simply because I take the time to *make sure* it doesn't.
We all know that even *nix can have problems, so this is hardly surprising.
Still, it's
good PR for Microsoft? (Score:2, Interesting)
.Net SDK security also affected (Score:3, Interesting)
Cultural Issue (Score:3, Insightful)
Well, that's nice - but is that really going to do it?
How do you really get secure software? Doesn't that arise over time, as software matures and the flaws are found in the code base?
Is that something Microsoft can embrace as a model for their business? Isn't Microsoft really about making money by churning it's user base through upgrades every two years?
It seems to me that it is going to be very difficult for a company that makes it's money by selling 'features' to end users and churning its software base every few years to achieve the level of maturity in is code base that is necessary to to arrive at a reasonable secure product.
The fact is that Microsoft's business managers with bottom line responsibility are going to do waht is necessary to get new versions out - each version with an ever increasing feature set. No matter how well Microsoft trains its developers, this process is going to leadt to security issues.
Ports ports ports... (Score:2, Interesting)
One issue concerning differences in security regimes between UNIX and Windows system that rarely are discussed, is port scanning
When a Unix exploit emerges, the IT department at my University scripts a portscanner, identifies vulnerable machines and contacts their admins. If the machines are not patched within a certain time, they are disconnected from the network. I for example got an Email about my linux server being vulnerable for the openssh exploit even before I read about it on Slashdot. This way the University system is less prone to hacker attacks. My Windows 2000 box have never been patched and probably as secure as a sieve have never drawn attention from the IT department. I presume this is because a similar scanning procedure is significantly more difficult to launch. This way I suppose the Unix machines should de facto be much more secure than the Windows machines at the University.
This is news? (Score:2, Funny)
Hmmm... this isn't exactly news to us, is it?
Lack of security promotes anti-piracy (Score:2)
Think about this: If you require the populace to get the patch from you then you can monitor key propagation and identify copies.
Now imagine a further twist, prepare the code so that it has "flaws"
Now imagine an even more cynical view: Fund a security watchdog group who have some "amazing" guys that find these problems and publish them.
Hedley
Not so fast... (Score:5, Insightful)
Who certifies system administrators that can barely format a floppy? Microsoft. Who crafted a Fisher-Price operating system with inadequate "wizards" to help unqualified administrators bungle their way through setting up a server? Microsoft. And who pitches their operating system as having a lower cost TCO because you don't need skilled labor to run them? Microsoft.
So when you want to complain that it's the admins that make these systems insecure, remember these are the admins that Microsoft picked.
What Microsoft needs to do (Score:2)
Microsoft has been drudging uphill on the server market since the mid 90's with windows NT, since then they have only achieved a strong foothold in the mid-low end server market, which is now becoming seriously challenged by Linux.
While Linux may not be fundamentally more secure then NT it defiantly has the perception of being so because windows is a vastly larger target with there desktop dominance; every time one hears about a windows exploit that effects the perceived security of all windows, whether it was a client side IE exploit, or a server side only exploit.
I think Microsoft needs to put the fix on the security problem very quickly or suffer a serious erosion of people using Microsoft for critical applications, to do this I think that at a minimal they need to do the following:
Perception:
Put a hard line between the server and desktop market. i.e. drop the Windows name for the server end, call it something like TrustIx Enterprise, anything but windows, that was when there are security exploits for the desktop it doesn't go against the server end.
Make security the number feature requirement in all server products.
Hire a bunch of top security guys, make a big splash about being "unbreakable" like oracle did.
Technology:
Implement the latest security technology, like the new stack protection ideas in OpenBSD.
Be much more aggressive with auto updating, so that unpatched machines get automatically patched, all of the big headline worms on NT exploited holes that had been patched for over 6 months. Any server on the internet should by default auto-update patches.
Patches must be 99.99 correct, meaning that when auto-patching happens it does not break anything. Microsoft should offer a guaranty that if a patch does break something they will fix it; i.e. send people out and fix it for the company. And pay for any lost revenue to the patch.
Lax security costs Microsoft more then they can imagine, with a total saturation of the desktop market there is no-where to go but down. Their only hope for continued growth is expanding in other markets, with so much already invested on the server side it is crucial that security is given a number one priority, otherwise they will lose all that they have done and pull the whole company down with it.
-Jon
The History of MS safe computing (Score:2, Insightful)
-Were not skilled in unix security precautions because UNix vendors had changed their lcienses to close code to those in cs at schools.
-Were influenced to push code out the door rather than refactor, retest, and rewrok to produce security compliant code.
-MS's recent code retraining cannot rease almost 30 years of bad programmign prqactices within MS itself..
The only way for MS to get better is to immediately fire every programmer, which wil not happen and thus the conversion to Linux and MacOSX will gain full speed in the next few months..
a missed point - the salesmen... (Score:2, Interesting)
so between the 'it's easy' part and 'you don't need smart responsible people to manage it', is it any wonder that we have an epidemic of poorly maintained ms systems out there?
Linux may be next . . . (Score:4, Insightful)
However, after laughing myself sick, the seriousness of the situation darkened my mood. Although I believe that Linux is currently a more secure platform, it is not a platform without flaws. Linux could be the next security nightmare if we don't occasionally do a reality check.
Part of Microsoft's strength and ironically part of the reason that Microsoft products tend to be vulnerable to attack is the fact that Microsoft strives to give the customer everything including the kitchen sink.
To do this, products are made with far too much power. VBA is an example of this. Combining data with code is not a good idea. It makes it very convenient for the customer and unfortunately the black hats as well.
Right now Microsoft is pushing their
If successful it may become possible to run many applications that will be developed on the Windows OS that are targeted for the
admins and systems (Score:2)
That's not going to say all windows admins are dumb. And there definitely are lazy and dumb Unix admins, too. However, from what I've seen in several companies, the ratios are that most windows admins don't know what the hell they're talking about, and if you take away their wizards and their mouse, they're lost like newborns. Most Unix admins do know what's going on and can bring a system back from states way beyond where the only microsoft solution would've been a reinstall.
Why is that? Because windows is marketed and sold as if every dumbass could run a server. It really isn't a surprise. There's a truth to all the sayings that start with "if planes/houses/whatever were built the way microsoft makes software..."
The most important part is that nobody has ever gone around and tried to sell people on the idea that being a doctor, or flying a plane or building a house is an easy task.
Guess what, neither is running the corporate serverfarm.
I call that a scam, plain and simple. A scam that has - according to the various overblown estimates on virus and worm damage - done several trillions in damage.
Is it the fault of the lazy sysadmin who didn't do his job? Yes, it is. But he was very much tricked into a very wrong picture about what exactly his job is in the first place.
And so far, we've all been lucky. None of the viruses that I've seen were even close to the level of sophistication that, say, some very early (C64 and amiga age) real viruses had.
Re:admins and systems (Score:2)
Usual MS bashing aside, I've sometimes seriously considered the idea that Windows is an inside joke that's blown out of proportions. This would go in line with their EULAs that deny all responsibility. It's hilarious but sad that so many people and organizations entrust anything valuable to MS software, because there is no basis for trust in the license.
Firewalls anybody? (Score:5, Insightful)
How the public responds (Score:5, Interesting)
I have discussed the recent worm attack with my non-tech associates and they actually had an opinion about Microsoft. That some agreed with me and others disagreed isn't as significant as the fact that they had an opinion.
This is a tremendous change. Think on it.
Some people strongly disagreed on Microsoft and how evil they are. Others nodded as if to say what I mentioned made a lot of sense. (I mentioned that "bugs" in software are part of Microsoft's business model -- people have to buy newer software to repair problems with their old software, especially after Microsoft stops supplying fixes for their older stuff... "Bugs == consumer incentive to upgrade.") This, of course, is now changing rapidly. "Bugs == consumer incentive to change."
I think with the high-profile nature of attacks which exploit weaknesses in Microsoft products is really starting to create public opinion that never truly existed before. (Prior to this, people looked on Microsoft the way we look at the air we breathe -- "is there anything else to breathe?")
I think this is a very good thing. It more than levels the playing field in the market for server and other products. I think leveraging Linux, Apache and various SQL servers in the server market is the only way to get Linux onto the Desktop at a later date. There is no way to get Linux onto the desktop until Linux is a household word. Once that is done, Desktop Linux will be chosen not for its performance, but for it's reliability and solidity.
I think the days are short for people who prefer to have "unstable and colorful" displays... with the amazing power of today's PC, performance isn't an issue. Stability, reliability and security will be the main concern and even if Microsoft cleans up their act, their reputation will be enough to add doubt into consumers' hearts. The public is a moody beast and once bitten doesn't come back for any reason... usually. Just look at how long it took Nixon to return.
The death of Microsoft is at hand...
Lax? Maybe...How About The Patch Process? (Score:2)
So while some will harp on Admins for not patching, I claim that Admins can only track so much. If I need to develope something on a MS SQL Server where I need to tinker with the entire DB(ie. I need admin rights) I am going to install one on a throw away machine. I am not going to case patches since the installation will not be used in production and its hard to do right. I will not ask the Admins to maintain it since its not for them.
Why is patching software on MS platforms somewhat like open heart surgery? It looks so complex I wonder how do Admins work with 10+ machine clusters. If it wasn't so complex I may just patch my small test DB instead of ignoring warnings. Until the patching process becomes much less risky and painful then this will happen over and over again.
Is it Microsoft's fault? (Score:3, Insightful)
Can we really blame MS for this? They released a patch in July...MS can't be held accountable for Windows Admins for not updating their software (I'm not saying it's the admins fault either...I know that admin spend 80 - 90% of their time putting out brushfires, and can't find time to do patches). Now, do I think that MS needs to find a better way to notify customers of new patches...b/c I know that I don't have time to sit around and browse and go through what I've installed and what I haven't (are you listening Sun?!?!)
So for example...If I don't stay up to date on all the Solaris/Linux patches does that mean that Solaris/Linux is a security prone OS? Heck, no!
Patching Microsoft Products (Score:3, Interesting)
If you ever have managed Microsoft Products, it basically becomes a crap shoot with the following outcomes with regards to patching your systems:
1) Patch installs, breaks other services.
2) Patch installs, system becomes even more unstable.
(This is the worse because it looks like the system is working, but hits you in the middle of the day, usually during peak times.)
3) Complete failure to reboot after patch is installed, resulting in a very intensive recovery operation. (i.e. Reinstall OS, tape restore, or flash restore with floppy.) All data is usually lost since last backup.
In any case, it is completely laughable, and not applicable I believe if you completely blame Microsoft Admins on not applying these patches.
Especially with some of the messages posted here, such as "Oh, well you have to update your systems, stupid."
How simple and naive you are, and obviously anyone making such a statement has not an ounce of experience managing Microsoft server/desktop products.
I think the people who manage Microsoft Products, know more than anyone here, why it is preferable to update thier systems.
I think it is a serious insult to Microsoft' customers that Microsoft would publish a statement something of the akin "Well, they didn't update thier systems...ITS NOT OUR FAULT".
Bullpucky, and with that in mind however, continue reading.
The shear hell, you have to go through, to patch a monolithic, monster of bloatware that is a Microsoft OS, is purely not economically possible, if you can believe it, for some companies with large installations of Microsoft products.
Patching becomes a project something on the scale of a ERP implementation for some sites that are non trivial in size.
Furthermore, time after time, Microsoft provides NO WAY to reverse patches that they typically publish.. (also known as "HOT UPDATES/FIXES").
As most admins will tell you, HOT FIXES are risky, and can be impossible to reverse because Microsoft publishes these immediately, without thinking properly about the impact on the entire OS.
As I shall note later, this is why Microsft's OS is not practical to expose to the internet for any reason from a security perspective.
Therefore, many admins wait for the service packs to fix the problem, most of the time the service paks are more well thought out, and are for the most part reversible.
It is incredibly expensive, to mirror systems in a test lab, to test patches. EVEN THEN, the production systems are in no way representitive of the test systems. It is expensive, labor intensive to construct mirror systems and network services to make it viable to install hot fixes in a responsible way.
With that said, being a Linux convert, here is the problem and Microsoft isn't addressing it:
1) Microsoft's OS includes too many features out of the box, that Admins cannot control what they want installed.
It it REALLY stupid to put a graphical interface on the OS, espepcially when you are considering a highly secured server and making it a requirement to run it. There is absolutely no reason, why the OS has to carry around the code for a GUI when it is sitting in the server room, under lock N key.
Microsoft appearently doesn't understand software engineering principles regarding the total possible paths in a program and its reliability can only be increased statistically by eliminating the other execution paths in the software. That means not installing the GUI.
On Linux I can do this, easily, with ANY piece of software. Effectively reducing the function of the server to BARE BONES. Making it much faster to identify and fix problems, and of course much easier to update.
Well, you can't do this with a Microsoft product, and that is the root of the problem. In linux, I can slice and dice the OS down to its bones, if I need to.
Also, I would like to point out, linux isn't as complex to administrate as Windows when you start whacking the X server, games, DNS (directory software) and everything else when all I have running is sendmail. The system becomes a very very simple UNIT to admin in my infrastructure, with a very very easy and predictable means to upgrade and far fewer security risks as a result.
NOTICE TOO sendmail has nothing to do with the operating system.
Microsoft ties everything into the OS making it IMPOSSIBLE to build a secure system because you have to install ALL of the system or NONE AT ALL.
Microsoft uses the OPERATING SYSTEM to aggregate services, which as I pointed to above, is a fundamentally flawed software architecture.
Linux on the other hand uses the FILE SYSTEM to agregate services and the file system doesn't require you to even execute the code on start up.
Therefore even if you do a complete install on Linux, the system complexity doesn't increase, only what you include in your RC startup increases system risk to security or bugs that can make your system unstable.
The worse thing that happens is you increase the size of your file system.
As a result the uptime factors, and ease of maintance for Linux based systems easily out paces Microsoft's OS in any large deployment of the OS.
As a result it is impossible, because of these facts, to follow a responsible security policy with medium to large Microsoft IT installations.
I also think Microsoft should stop slapping its customers up in the press as to the importance of updating thier systems.
Most people already understand that, but they are being held hostage by the poor implementation of Microsoft software which by its very design, prevents practical and speedy updates of large installations of Microsoft OS's.
-Hack
Re:People are waking up... (Score:5, Insightful)
Re:People are waking up... (Score:2, Informative)
#1. MS patches have "blown up" my win boxes before.
#2. There are so many you can't keep up.
And automatic update that comes with Windows 2000 SP3 has also hosed my PC.
Re:People are waking up... (Score:2)
Re:People are waking up... (Score:2)
Re:People are waking up... (Score:5, Insightful)
First, with a typical windows system, it's IMO damn hard to know what components you are running and how it all works together - i.e. what breaks if you lock something down at installation time.
Later on, it's also sometimes very hard (IMO) to know if I have to patch or not. For instance, is it really a good to not update internet explorer since this is a server anyway? Maybe somewhere down in IIS something might use one of IE's components (pulled-out-of-my-ass example btw.).
Add to that that some patches seem to need an updated IE, for to me unknown reasons...
Sometimes something might break (as reportet on ntbugtraq), and it's not really transparent for me if this can be reverted.
Compare that to (SuSE) linux. Download rpm, install, done (in many cases, when not, it's always explained in the advisories what to do).
If something breaks, uninstall the rpm and reapply the old on. Nearly no downtime, I just have then to find out what didn't work.
Just from the feeling, I'm a lot more scared when I have to install a ms security fix than when I do the same on linux. And the fact that microsoft was caught with their pants down this time seems to suggest I'm in "respectable" society.
Re:People are waking up... (Score:5, Informative)
The bit that gets missed here is that security is not a product, its a process (something Bruce only seems to remember when writing his books). If we really want to go pointing fingers than how about the folk who designed buffer overflow bugs into the C programming language? Before C every programming language had array bounds checking built in. So who were the turkeys who decided that we should run without elimentary safety checking? Oh yes the same folk who gave us what people would now have us believe is the so-secure UNIX O/S.
It took over ten years for the elimentary security boo-boos to get sorted in UNIX. For years the UNIX crew told us that shadow passwords were dangerous security through obscurity, only the world readable password file and the salt gave genuine security. Then along came crack. It still took four years for shadow passwords to become mainstream.
Even today sendmail is installed by default in most UNIX installations, even though it is historically a security nightmare. Some of the bugs have been fixed but as a sendmail inc. employee admitted to me last week, it is still too dammn complicated for most people to understand how to configure it.
I don't think that this point scoring does any good. UNIX and Windows both have major security problems. Windows has security problems in implementation, UNIX has them built into the architecture. There are still UNIX boxes shipping with rhosts, even though it has been demoinstrated time and again that rhosts is completely insecure. Instaling ssh does nothing to improve the security of the box unless you actually uninstall the rhost commands and the daemon.
Folk who go on about how braindamaged Microsoft is should ask themselves how UNIX programmers managed to botch a command as simple as finger!
Re:People are waking up... (Score:4, Insightful)
I remember a security seminar I attented where the lecturer took a neutral stance toward whether Unix or Windows was more secure. His philosophy was "go with what you know". If you live and breathe Windows, you probably keep up to date with the latest Microsoft news, releases and patches just as well as a Sun/Unix geek might stay up to date with Solaris patches and updates. Knowing network security (gosh, let's protect the potentially vulnerable ports on our server from being publically reachable) is essential to both.
So many new administrators are getting Windows or Linux or other products and implementing them without the experience of security lessons learned from the past. It takes a mass event like this one to re-educate the newbies.
As a reminder for everyone designing, "one degree of separation" architecture, remember that Suki [eds.com] is one of your potential customers.
there is a HUGE difference (Score:4, Insightful)
Re:Yeah (Score:2)
Did you get those hits from production servers six months after exploit fix/patch was posted? Just wondering...
MS Vs Linux Patches: A difference in quality (Score:3, Insightful)
I'm not sure what that 80% refers to, or even if it's accurate. Even if it is, many Linux 'fixes' would never even be considered for patching by MS. Linux fixes range from the benign and theoretical to the very serious. Linux patches are generally released almost immediately after a bug is found that might (in theory) be exploited, or used as part of an exploit. (e.g. someone finds the possibility of a buffer or stack overflow).
Windows patches, on the other hand, often aren't released until somebody proves that a bug is exploitable/ exploited. Even when a proof of concept (or even wild) exploit is made available, security experts sometimes have to argue with MS about whether the exploit is serious enough to be worth fixing. I remember one recent case where MS downgraded a pair of bugs as minor and refused to release a fix. When frustrated security experts were able to combine those bugs to enable arbitrary command execution (their sample code: format a hard drive), they were criticized for not giving MS advanced warning(!).
Nontheless, when MS finally released the fix for these same bugs, they classified them as moderate. Some people think that, having just released one crutitical patch, they didn't want to face the embarrassment of two severe bug fixes in one week.
Because Windows patches are rarely released until the problem is both proven and serious, MS security patches are far more critical to install. Unfortunately, MS security patches are also problem plagued. System admins have no way of knowing exactly what a patch will do. Some patches undo each other, some patches break other (sometimes seemingly unrelated) systems. Because of the nature of closed source, System admins who have problems with a patch can find themselves stuck between a rock and a hard place. They can either install the patch and break their installation, or leave the system unpatched. In either case, they must beg for a compatible fix. The OS solution of engineering their own patch is generally not feasable -- possibly even illegal.
Both the cost and public embarrassment of repeated fixes to a given problem discourage MS from releasing patches against bug fixes. Lack of the ability of a customer to provide -- much less prove -- their own version of a fix exacerbates the problem.
In this environment of fear, uncertainty and doubt, an MS system administrator must decide if, when and how to install their patch. sometimes they get it wrong.
Linux admins face a similar problem, but with a good deal more information and control. Systems are generally more compartmented, so interactions between parts is better understood. If installation of a patch causes problems, users have the ability to examine the source code of the changes, get an exact understanding of what they're doing and determine whether their best course of action is to patch the patch or fix the problem elsewhere. If the solution turns out to be a further patch, they have the ability to release their own fix in hopes of having it folded back into the 'official' distribution. This is an option which most MS users will probably never have.
Re:Perhaps going after those whom cause the issue. (Score:4, Insightful)
Or why not go after the software vendor that wrote and sold vulnerable software? Or go after the software vendor for dumbing down systems so much that incompetent admins are put in charge to maintain them?
Personally, I don't think the whole "blame game" is very effective...but that's just me.
Re:Perhaps going after those whom cause the issue. (Score:2)
A lawsuit against a company with many systems that are left unprotected and are being used as a relay or zombie for an attack may be comming soon to a court near you.
Re:Perhaps going after those whom cause the issue. (Score:2, Insightful)
Re:Perhaps going after those whom cause the issue. (Score:2, Insightful)
Weird view. So if you neglect to lock your door, you're just as responsible as the burglar who carries off your stuff, and ought to be prosecuted for willful negligence?
Okay! Yet another federal law enforcement bureaucracy is born: The Patch Enforcement Agency. It can parallel the organization of the Lock Enforcement Agency and the Don't Go Walking In Central Park After Dark Enforcement Agency.
That's what we need. More ways to hold victims responsible for the acts of criminals.
Here's an idea: why not just let nature (or in this case, the free market) take its course? sysadmins who neglect to patch their servers get fired, and those who employ such sysadmins lose business. The problem will take care of itself without introducing any new government meddling to gum up the works and make life harder for everyone.
This is sadly reminiscent of our present foreign policy. We can't catch Osama, we need the Saudis' oil, we're scared of North Korea, so we attack some tinpot dictator we're pretty sure we can beat.
Re:Non story (Score:2)
Here is one specific example - One of Microsoft's later patches can remove the patch that stops the SQL Slammer worm.
Re:Non story (Score:2)
>people are reluctant to install them for fear they will interfere with their systems.
Our DBA installed the patch on our server at work, and it's been blue screening every few days... Blue screening isn't something that should happen to a DB that drives an eCommerce site.
We're thinking of switching to MySQL on MacOS X servers, since everything else is either on MacOS X or FreeBSD. MacOS X sounds like a good choice because Apple usually comes out with patches through the Secutiy Update software that's easy to use and it actually works.
Re:Non story (Score:4, Informative)
Worst than this, lets suppose that you want to be patched at any cost, as soon at it appears. Another patch coming from microsoft for another MS SQL problem disabled this patch (this is in the CNN article linked in this story), so you must be half responsible, half not, to have one patch applied and not the later one, to be safe.
Re:will happen on linx as well (Score:5, Interesting)
With Linux you have... see... the Linux kernel, and... well that stops there. Also you have a lot of alternative apps mostly multiplataform, with a few Linux that are linux only. If MySQL have a security problem, should not be counted as "linux fault", same with ssh, apache, sendmail, bind, etc.
But, if you want to count, don't know, mplayer security problems as it is not available under windows, well, you must also count all security problems of windows programs as windows security problems.
Re:will happen on linx as well (Score:5, Insightful)
Pine is not Open Source (Score:2)
Pine is also older than Linux, so it's a bit silly to call it a "Linux email client".
Re:Pine is not Open Source (Score:2)
On further thought if linux every becomes as popular as windows on the client side there is no doubt in my mind that linux vendors would still wipe the floor compared to MS products. Think about it. With little manpower and many times shoestrings budgets look at what we do now. Now think about the distros having oodles of cash to spend on security. Things would be a LOT different than they are now.
Re:will happen on linx as well (Score:2, Insightful)
Also, note, MSDE was installed as part of Visual Studio
Re:will happen on linx as well (Score:2)
And for those who will argue that IISLockD can be configured to accomodate your sites needs - I recommend you take a close look at what has to be turned back on to make any site functional and you'll see how useless it really is in the real world.
Re:The solution for lazy admins. (Score:2)
(Actually, that's not true. Responsable admins don't put Microsoft products on the open internet so they shouldn't have been infected.)
Re:What a uselessness! (Score:3, Insightful)
I'm not worried because I have a firwall that works out of the box to protect me from said viruses and expoits and is easy to turn on and configure.
XP also has a firwall available, but, it is hidden in an obscure location and has NO configuration I tried to turn the firewall on and every time I did this it would say that yes it was on, but then I would go back to verify this and NO it was not. Ten times I tried this... to no avail. What use is a firewall if it won't even stay on? Furthermore it has one option ON or OFF, what does that mean? What is it doing? Can I open a port or lock down soemthing it doesn't turn off... ??????
Yes there are shareware and even free firewalls available for XP but that means I have to find them and configure them and pray that they will play nice.
Macs are and always have been more secure than Windows machines.
Why do virus writers and hackers pick Windows? I'd say that it's because it is the easiest OS to exploit. The fact that it is the most prevalent is irrelevant.