I finally wrote down some of the thoughts floating around in my head wrt buggy software (Microsoft being the chief distributor of such). The below is taken from http://darkuncle.net/microsoft_rant.html - I've attached it in text format.

-- 
Scott Francis || darkuncle (at) darkuncle (dot) net
illum oportet crescere me autem minui

[Attachment: microsoft_rant.txt]

(WARNING: long rant ahead)

<rant topic="Microsoft" style="frustrated">

So it looks like the latest Microsoft security hole <http://www.counterpane.com/alert-v20030801-001.html> (get the patch <http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp> if you're unfortunate enough to be responsible for a Windows box) is going to, once <http://www.cs.berkeley.edu/~nweaver/sapphire/> again <http://www.cert.org/advisories/CA-2001-19.html> (and <http://www.cert.org/advisories/CA-2001-26.html> again <http://www.aaxnet.com/editor/edit003.html>), wreak havoc on the entire Internet due to a nice combination of entirely clueless end-users and poorly-written, bug-ridden software in which security is a distant third to bells and whistles and time to market. This one affects every version of Windows since Win95 that hasn't been patched in the past two weeks. Oh, and for bonus points, the worm <http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html> that exploits this hole attempts a DDoS of windowsupdate.com, effectively preventing any of the systems that might otherwise automatically patch themselves from doing so.
It was about two weeks between the public announcement of this hole and the appearance of the worm to exploit it (which is about what I predicted; I also predicted, jokingly, that it would be especially evil if the worm DDoS'ed windowsupdate so that users couldn't patch. Maybe I should stop making predictions, or only make pleasant ones, or else start up my own prophecy business.) For my next bold prophecy, I predict that Microsoft will suffer no damage whatsoever from this incident. There will be no lawsuits filed, no measurable loss of business, no public outcry (aside from the usual pundits on tech websites and the slashdot crowd), no demands that MS live up to their "Trustworthy Computing" <http://www.salon.com/tech/feature/2002/04/09/trustworthy/> marketing slogan. This corporation, with its vast market share and nearly complete saturation of the world's computer networks, has been so negligent for so long that the majority of computer users, whether business or personal, have been conditioned to think that this kind of experience is not only normal, but to be expected. Expectations have been so lowered by this pattern of behavior that bloated software full of security holes, released by a company in which security takes a distant third to time-to-market and bells and whistles (read: additional new "features" in every release which, rather than fixing the bugs in the previous release, only serve to introduce NEW problems), has become the norm for computer users and administrators. People think that this is the way that computing is supposed to be, that having your servers raped and your network swamped with zombie traffic from the worm-of-the-week is just the way things are. 
They don't know to expect any better - and worse still, when someone tries to introduce something better (Linux, BSD, Apache), it is quickly squashed by those with a financial interest in maintaining the status quo, or else by so-called "system administrators" not worthy of the title that can't function without a mouse and a point-and-click interface and installation wizards. I realize that there is currently no alternative to Microsoft (except possibly Apple, which has its own problems (price being chief among them)) that's ready for prime-time (and by this, I mean ready to replace Windows and MS software on the desktops of millions of AOL users and corporate drones that think THE INTARWEB consists of Outlook, Internet Explorer, Powerpoint/Excel/Word documents, and whatever trojan-ridden filesharing software they've managed to sneak onto their computer to create havoc for the MIS help desk this week). That said, I would be happy if we could just eliminate Microsoft and their horrid software, which is a nightmare for administrators, from the server room. If we could relegate Windows and Windows software to the desktop, where it belongs (and occasionally, where it actually does a decent job), a very large portion of the problem would disappear. Anyone running any public-facing, unfiltered service on a Microsoft platform is just plain irresponsible. Especially if that service is httpd or smtpd. There just aren't any excuses for that anymore - MS Exchange and IIS (not to mention their client counterparts, Outlook and MSIE) have the worst track records of any software that performs their respective functions. Not only that, they cost a fortune, are terrible resource hogs, need to be rebooted at least weekly for stability, and are no longer the only options for ease-of-administration (why you'd want somebody administering your network who's so unskilled he/she can't manage without a mouse is a whole other rant, but anyway). 
There are now point-and-click GUIs for UNIX systems running server software like postfix, exim and apache that have PROVEN track records with regards to not just security, but _correctness_ and ability to easily handle large loads with relatively few resources. There is no longer any excuse for running Microsoft in the server arena (with the possible exception of Outlook's calendaring functionality, which will soon be available in a work-alike free software product for UNIX systems). The sooner businesses realize that running Microsoft software is _the_ main factor in rising IT costs (not to mention liability for business and customer data), the better off we will all be. Microsoft is hardly the only vendor out there putting profits ahead of security, but they're certainly the most egregious offender. And their market saturation means that a small mistake from them costs the rest of us dearly.

</rant>