[unisog] [dc-sage] Code Red mutated? (fwd)
Paul L Schmehl
pauls at utdallas.edu
Mon Aug 6 22:00:01 GMT 2001
First let me say that I did not mean to imply that Microsoft (or any other
vendor) is "off the hook". But let's look at your list.
--On Monday, August 06, 2001 1:25 PM -0700 Jeff Anderson-Lee
<jonah at dlp.CS.Berkeley.EDU> wrote:
> Paul L Schmehl <pauls at utdallas.edu> wrote:
> :The problem is two-fold:
> :1) People with no ethics who have no qualms about breaking in to other
> :people's equipment
> :2) IR folks and individuals who, for whatever reason or excuse, won't
> :update their equipment.
> Don't forget:
> 3) Marketing pressure to ship code early and without extensive
> security related code-review.
Vendor is guilty? Or are the users who keep paying for poorly audited code
rather than demanding better? (Mind you, I'd love to have altruistic
vendors, but business being what it is, they will produce what the market
will buy.) Until users vote with their pocketbooks, this won't change.
AFAICT every (major, at least) vendor is guilty of this, aren't they? All
you have to do is monitor bugtraq to see this.
> 4) Products shipped with all the bells and whistles (e.g. IIS)
Again, with the exception of OpenBSD (and now Mac OS X), I'm not aware of
an OS that ships by default with all services *off*. (It seems to be
changing though.) Few seem to want to take the time to learn about
services before enabling them. (Remember the awful, horrible version of
Sendmail that used to ship with Solaris and get relay raped constantly?)
> 5) People who don't know to patch what they don't know they
> are running.
> 6) Products shipped with unsafe features because someone
> thinks that users want them and the "Gee Whiz" factor is worth more than
> the risk.
In the case of Microsoft, I can tell you that they are highly market
driven. Just for example, the color of the "Start" button was changed in
XP because of market studies that showed that people were confused by its
color, and when it was changed to Green, they instinctively used it. (I
don't know where they get these people, mind you, but that's another story.)
> 7) Products marketed and sold to users who don't have the IT
> skills to manage them because after all "it's just point and click",
Isn't that what people are asking for? Even now, when you can buy almost
any *nix at your local computer store, how many copies are bought as
opposed to Mac and Windows machines? Dell is dropping Linux from their
desktop offering due to "lack of sales". (Fortunately, they'll still sell
it for workstations and servers.) Again, this is a people problem.
> 8) Patches shipped as "Hotfixes" instead of more publicized
> "Critical Updates".
Yet still, it's the responsibility of the purchaser to ensure that their
machine is up to date, isn't it? How many people will blame GM because
they never changed their oil and now their car won't start? (And how many
mechanics would not royally ream them out for doing it? Maybe that's what
we IT folks need to do??) I'll grant you the vendors can do a better job
of clarifying what's needed (especially Microsoft?), but it's still
"people's" responsibility to stay up to date.
> There are many sides to this issue, and Microsoft and other software
> vendors are NOT free of some share in the blame.
I never meant to imply they were. I guess what's eating me right now is
how hard we have to work just to stay ahead of the "idiots with a mouse".
As others have said, it's like that stupid popup game at the arcades. You
can hardly kill an IIS box before another one pops up somewhere else.
Yes, MS makes those "mouse boxes", but they make them because people buy
them. Unfortunately, what used to be a desktop machine is now a
minicomputer with a full load of services and an idiot with a mouse.
> All software vendors
> may need to start changing their tune very soon or else: CAVEAT
> EMPTOR! This is some "majorly bad" PR and hopefully that will hit home
> if nothing else does.
I couldn't agree more. I think Code Red and like problems are going to
make a lot of people rethink their IT strategies.
> No doubt at least some companies are going to be
> taking a long hard look at the TCO price of running Microsoft products
> (amongst others).
Uh huh.... I wouldn't be surprised to see Macs take major market share from
MS over the next few years. They run *nix now (with a pretty GUI front end
for the faint of heart), and they ship with services off. I have no doubt
that the Mac folks are taking notes and learning fast, and when their time
comes, they won't make some of the same stupid mistakes that MS has made
and is still making.
I just wish I could go one day without having to worry about where the next
IIS box will pop up. :-(
Paul L. Schmehl, pauls at utdallas.edu
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member