[unisog] [dc-sage] Code Red mutated? (fwd)

Paul L Schmehl pauls at utdallas.edu
Mon Aug 6 22:00:01 GMT 2001

First let me say that I did not mean to imply that Microsoft (or any other 
vendor) is "off the hook".  But let's look at your list.

--On Monday, August 06, 2001 1:25 PM -0700 Jeff Anderson-Lee 
<jonah at dlp.CS.Berkeley.EDU> wrote:

> Paul L Schmehl <pauls at utdallas.edu> wrote:
>  :The problem is two-fold:
>  :1) People with no ethics who have no qualms about breaking in to other
>  :people's equipment
>  :2) IR folks and individuals who, for whatever reason or excuse, won't
>  :update their equipment.
> Don't forget:
> 3) Marketing pressure to ship code early and without extensive
>    security related code-review.

Vendor is guilty?  Or are the users who keep paying for poorly audited code 
rather than demanding better?  (Mind you, I'd love to have altruistic 
vendors, but business being what it is, they will produce what the market 
will buy.)  Until users vote with their pocketbooks, this won't change. 
AFAICT every (major, at least) vendor is guilty of this, aren't they?  All 
you have to do is monitor bugtraq to see this.

> 4) Products shipped with all the bells and whistles (e.g. IIS)
> auto-enabled.

Again, with the exception of OpenBSD (and now Mac OS X), I'm not aware of 
an OS that ships by default with all services *off*.  (It seems to be 
changing though.)  Few seem to want to take the time to learn about 
services before enabling them.  (Remember the awful, horrible version of 
Sendmail that used to ship with Solaris and get relay raped constantly?)

> 5) People who don't know to patch what they don't know they
> are running.

My #2.

> 6) Products shipped with unsafe features because someone
> thinks that users want them and the "Gee Whiz" factor is worth more than
>    the risk.

In the case of Microsoft, I can tell you that they are highly market 
driven.  Just for example, the color of the "Start" button was changed in 
XP because of market studies that showed that people were confused by its 
color, and when it was changed to Green, they instinctively used it.  (I 
don't know where they get these people, mind you, but that's another story.)

> 7) Products marketed and sold to users who don't have the IT
> skills to manage them because after all "it's just point and click",
>    right?

Isn't that what people are asking for?  Even now, when you can buy almost 
any *nix at your local computer store, how many copies are bought as 
opposed to Mac and Windows machines?  Dell is dropping Linux from their 
desktop offering due to "lack of sales".  (Fortunately, they'll still sell 
it for workstations and servers.)  Again, this is a people problem.

> 8) Patches shipped as "Hotfixes" instead of more publicized
> "Critical Updates".

Yet still, it's the responsibility of the purchaser to ensure that their
machine is up to date, isn't it?  How many people will blame GM because 
they never changed their oil and now their car won't start?  (And how many 
mechanics would not royally ream them out for doing it?  Maybe that's what 
we IT folks need to do??)  I'll grant you the vendors can do a better job 
of clarifying what's needed (especially Microsoft?), but it's still 
"people's" responsibility to stay up to date.

> There are many sides to this issue, and Microsoft and other software
> vendors are NOT free of some share in the blame.

I never meant to imply they were.  I guess what's eating me right now is 
how hard we have to work just to stay ahead of the "idiots with a mouse". 
As others have said, it's like that stupid popup game at the arcades.  You 
can't hardly kill an IIS box before another one pops up somewhere else.

Yes, MS makes those "mouse boxes", but they make them because people buy 
them.  Unfortunately, what used to be a desktop machine is now a 
minicomputer with a full load of services and an idiot with a mouse.

>  All software vendors
> may need to start changing their tune very soon or else:  CAVEAT
> EMPTOR!  This is some "majorly bad" PR and hopefully that will hit home
> if nothing else does.

I couldn't agree more.  I think Code Red and like problems are going to 
make a lot of people rethink their IT strategies.

>  No doubt at least some companies are going to be
> taking a long hard look at the TCO price of running Microsoft products
> (amongst others).

Uh huh....I wouldn't be surprised to see Macs take major market share from 
MS over the next few years.  They run *nix now (with a pretty GUI front end 
for the faint at heart), and they ship with services off.  I have no doubt 
that the Mac folks are taking notes and learning fast, and when their time 
comes, they won't make some of the same stupid mistakes that MS has made 
and is still making.

I just wish I could go one day without having to worry about where the next 
IIS box will pop up.  :-(

Paul L. Schmehl, pauls at utdallas.edu
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member
