Worm of the Week (or, still waiting for everyone to realize the obvious)


From: Scott Francis
Subject: Worm of the Week (or, still waiting for everyone to realize the obvious)
Date: 17:39 on 13 Aug 2003

I finally wrote down some of the thoughts floating around in my head wrt
buggy software (Microsoft being the chief distributor of such). The below is
taken from http://darkuncle.net/microsoft_rant.html - I've attached it in
text format.
-- 
Scott Francis || darkuncle (at) darkuncle (dot) net
      illum oportet crescere me autem minui

Attachment: microsoft_rant.txt

(WARNING: long rant ahead)

<rant topic="Microsoft" style="frustrated">

So it looks like the latest Microsoft security hole
<http://www.counterpane.com/alert-v20030801-001.html> (get the patch
<http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp>
if you're unfortunate enough to be responsible for a Windows box) is
going to, once <http://www.cs.berkeley.edu/~nweaver/sapphire/> again
<http://www.cert.org/advisories/CA-2001-19.html> (and
<http://www.cert.org/advisories/CA-2001-26.html> again
<http://www.aaxnet.com/editor/edit003.html>), wreak havoc on the entire
Internet due to a nice combination of entirely clueless end-users and
poorly-written, bug-ridden software in which security is a distant third
to bells and whistles and time to market. This one affects every version
of Windows since Win95 that hasn't been patched in the past two weeks.
Oh, and for bonus points, the worm
<http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html> that
exploits this hole attempts a DDoS of windowsupdate.com, effectively
preventing any of the systems that might otherwise automatically patch
themselves from doing so. It was about two weeks between the public
announcement of this hole and the appearance of the worm to exploit it
(which is about what I predicted; I also predicted, jokingly, that it
would be especially evil if the worm DDoS'ed windowsupdate so that users
couldn't patch. Maybe I should stop making predictions, or only make
pleasant ones, or else start up my own prophecy business.)

For my next bold prophecy, I predict that Microsoft will suffer no
damage whatsoever from this incident. There will be no lawsuits filed,
no measurable loss of business, no public outcry (aside from the usual
pundits on tech websites and the slashdot crowd), no demands that MS
live up to their "Trustworthy Computing"
<http://www.salon.com/tech/feature/2002/04/09/trustworthy/> marketing
slogan. This corporation, with its vast market share and nearly complete
saturation of the world's computer networks, has been so negligent for
so long that the majority of computer users, whether business or
personal, have been conditioned to think that this kind of experience is
not only normal, but to be expected. Expectations have been so lowered
by this pattern of behavior that bloated software full of security
holes, released by a company in which security takes a distant third to
time-to-market and bells and whistles (read: additional new "features"
in every release which, rather than fixing the bugs in the previous
release, only serve to introduce NEW problems), has become the norm for
computer users and administrators. People think that this is the way
that computing is supposed to be, that having your servers raped and
your network swamped with zombie traffic from the worm-of-the-week is
just the way things are. They don't know to expect any better - and
worse still, when someone tries to introduce something better (Linux,
BSD, Apache), it is quickly squashed by those with a financial interest
in maintaining the status quo, or else by so-called "system
administrators" not worthy of the title that can't function without a
mouse and a point-and-click interface and installation wizards. I
realize that there is currently no alternative to Microsoft (except
possibly Apple, which has its own problems (price being chief among
them)) that's ready for prime-time (and by this, I mean ready to replace
Windows and MS software on the desktops of millions of AOL users and
corporate drones that think THE INTARWEB consists of Outlook, Internet
Explorer, PowerPoint/Excel/Word documents, and whatever trojan-ridden
filesharing software they've managed to sneak onto their computer to
create havoc for the MIS help desk this week).

That said, I would be happy if we could just eliminate Microsoft and
their horrid software, which is a nightmare for administrators, from the
server room. If we could relegate Windows and Windows software to the
desktop, where it belongs (and occasionally, where it actually does a
decent job), a very large portion of the problem would disappear. Anyone
running any public-facing, unfiltered service on a Microsoft platform is
just plain irresponsible. Especially if that service is httpd or smtpd.
There just aren't any excuses for that anymore - MS Exchange and IIS
(not to mention their client counterparts, Outlook and MSIE) have the
worst track records of any software that performs their respective
functions. Not only that, they cost a fortune, are terrible resource
hogs, need to be rebooted at least weekly for stability, and are no
longer the only options for ease-of-administration (why you'd want
somebody administering your network who's so unskilled he/she can't
manage without a mouse is a whole other rant, but anyway). There are now
point-and-click GUIs for UNIX systems running server software like
postfix, exim and apache that have PROVEN track records with regards to
not just security, but _correctness_ and ability to easily handle large
loads with relatively few resources.

There is no longer any excuse for running Microsoft in the server arena
(with the possible exception of Outlook's calendaring functionality,
which will soon be available in a work-alike free software product for
UNIX systems). The sooner businesses realize that running Microsoft
software is _the_ main factor in rising IT costs (not to mention
liability for business and customer data), the better off we will all
be. Microsoft is hardly the only vendor out there putting profits ahead
of security, but they're certainly the most egregious offender. And
their market saturation means that a small mistake from them costs the
rest of us dearly.

</rant>


