[unisog] [dc-sage] Code Red mutated? (fwd)
Paul L Schmehl
pauls at utdallas.edu
Mon Aug 6 23:07:40 GMT 2001
--On Monday, August 06, 2001 2:21 PM -0700 Peter Van Epp <vanepp at sfu.ca>
> To which I'd reply probably very true (since I don't know the Microsoft
> Security folks), but the security folks aren't all nor apparently an even
> very important part of Microsoft. The heaviest uphill battle they seem
> to be facing is against the Microsoft developers/marketing people not the
There's no doubt that they haven't won the battle yet, but they also aren't
going to give up. And you're absolutely right that the corporate culture
at MS has to change. I fully expect it to. Many of you have probably
heard of David LeBlanc (one of the principal programmers of ISS RealSecure
and a frequent contributor to NTBUGTRAQ and bugtraq.) He came on board at
MS Security almost a year ago. That should give you a sense of how serious
> Take apache as an example. It runs on NT, last I heard it was
> around 40% of the deployed web servers on the net. Seen a worm that
> exploited apache but not IIS (cross site scripting I believe hits both
> although I'm not a web expert)? Seen exploit after exploit against apache?
> I haven't. To me this would say a reasonably stable web server isn't
It says the same to me. But Apache is not without its problems, as the
recent thread about directory traversal (in bugtraq) shows. Nobody's
perfect. MS is just less perfect than others perhaps.
> If apparent rampant featureitis was swapped for product
> testing and security reviews before shipping by the people that are
> supposedly experts then we wouldn't have to be concerned that non experts
> don't see the need to patch a product that someone sold them as
> supposedly working and one that installs stuff such as iis by default
> whether the user knows it or not.
All stupid things in my view, and things for which MS should be (and is)
> I'd also point out that when
> Microsoft's own update web site gets hit by the worm is that a customer's
> fault or an indication that the product is so poorly implemented that
> even supposed professionals can't operate it properly?
I'd be more inclined to say that it's a clear indication of the problem
that I'm trying to get at here. That people just don't have a serious
enough concern for security.
Keep in mind that MS is a huge company with a lot of employees. As all of
us should understand fully (being in edu), you can't possibly control
everybody all the time. No amount of preaching will get all the troops in
line. Hopefully, whoever allowed the windowsupdate site to be hacked by
the worm was either severely reprimanded and/or reassigned.
> I know what my
> opinion on that subject is.
> This is without even mentioning Outlook Distress's fine record on the
> email virus front (against for instance Eudora which we mostly run). I'm
> sorry but I don't agree that the customer is at fault here (other than
> by buying Microsoft, but hey what's a non expert to do? They are the
> market leader).
I'm not saying the customer is at fault. I'm saying the customer must
admit to and share some of the blame. I'd be willing to bet that you keep
your *nix boxes patched. How long before the Poisonworm came out had you
patched all your boxes against the sadmind exploit? On the Windows side of
the house, there isn't this same diligence (or even awareness) for security.
I recently read a thread in the focus-ms group (securityfocus.com) where a
guy asked if anyone had ever seen a MS box that got hacked "like a Unix
box". Now that displays a real naivete, but I don't think it's unusual on
the Windows side, both users and admins.
Our own admins constantly complain about me being "too paranoid". (As if I
care. I still bug them to patch.)
> As much as I'd like it to be so Unix isn't the answer for
> the masses either. I will disclaim that this is my personal opinion on
> this subject (as I should have on the last one on this subject). Despite
> all of this I've been reasonably lucky. We've had only around 20 or so
> machines out of our 8 to 16 thousand machines (depending on whether you
> include our dial up users or not some of whom have been infected) but
> it's still a pain in the butt. I hate to think what would be happening if
> we were a heavily Microsoft campus.
We had 40 boxes compromised by Poisonworm. Many were "newly discovered"
boxes. We had 10 from the first round of Code Red (hey, we're improving.)
And one from the second round (some TA figured out how to install IIS on
But we've had Linux boxes with default installs hacked as well, and I'm
sure you have too. My whole point is that attitudes about security need to
change. We can't change what the vendor sends us. And we can't change
what people buy, much as we'd like to. But we'd damn sure better change
our attitudes about security and start educating our campuses about the
dangers, or the future will be very bleak. We'll spend all our time
chasing hacked boxes and cursing at the darkness.
Paul L. Schmehl, pauls at utdallas.edu
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member