I heard that the web was slow today.

Mike Vanecek plug-discuss@lists.plug.phoenix.az.us
Tue, 28 Jan 2003 09:25:06 -0600


Um, well, heh - geez guys, can't a person take a break and do a 
bash-Microsoft dance to stretch his legs once in a while? :)

Sure, ITs are responsible for their systems (like MCSE ITs are all 
that anyway), but we're talking the difference between a system that's 
supposed to be locked down and secure out of the box and easy to 
administer with effective process and port controls and one that's so 
buggy that it's impossible to lock it down. A la Firestone - the 
tire-treads are *not* supposed to fly off of new tires out of the box, 
regardless of the driver. So, while we can happily blame IT for not 
patching or maintaining systems correctly, MS, with all its bragging about 
its support and security, continues to consistently release outrageously 
buggy products. Not normal buggy that "well, it's an oops but it's fixed 
promptly," that one would expect to see once and again - but 
overwhelmingly infested with bugs to the point that I am amazed that 
*anyone* even pretends to use Microsoft, especially in a mission 
critical environment or on a public network. IT people are so freaking 
overworked trying to keep track of all the crap with Microsoft that it's 
no wonder that it takes a fraction of Unix staff to administer the same 
amount of Unix systems.

Linux, with its occasional bugs, also has a very good internet 
presence. Yet, server to server, we're not hearing about Linux bugs 
bringing down Root Zone servers or knocking out Worldcom, etc... Always, 
it seems, it's Microsoft systems - be they improperly 
administered/updated or just plain fscked - that can be identified as the 
blame. And in many cases, like the Root Password snafu with MS SQL, 
Microsoft claims it's a feature and not a bug. Or it doesn't attribute 
importance to it and patches are slow in release.

Anyone claiming to be a vendor for systems that will go on public 
networks simply has to ensure that these systems are secure out of the 
box and the admin's job is to then open up services as needed and 
perhaps apply the few normal patches rather than the flood of critical 
patches. Remember - these patches have to be tested on the individual 
networks before being released companywide and/or on critical servers - 
so what would seem to be a simple patch takes a lot of time 
individually, unless the IT is lazy and just trusts Microsoft. Of course 
- that "Anyone" doesn't exclude Linux - I do my share of locking down 
open processes, but then I've never used their server version. Even so, 
I find it very easy to lock down my Linux box, customize my iptables, 
etc., and I'm using the cheapbytes version. FreeBSD would be an even more 
rock-solid case - I'd spend my time opening it up rather than locking it 
down. Why then, with the billions and the supposed position in "knowing 
what's right for you", doesn't Microsoft "get it"?

I'm no super MS administrator and not even close to a super cracker - 
but when I can go to a client's Windows XP system (who forgot their 
password), and not only get in, but gain Administrator access and 
authority *inside* of five minutes (most waiting for reboot), then 
something ain't right - and it wasn't a matter of a poor password - with 
what I did to get in, the password was irrelevant. And these systems are in 
offices around the world! Consistently poor software, atrocious 
security, bad business practices, poor certification qualifications, 
hobbled ITs - we're not talking about regular occasional bugs that are 
common to all systems here - we're talking about a world-wide 
catastrophic disaster.

Cheers,
Mike
Disclaimer for Pinko Lawyers - all above IMHO. <mike dons foil hat and 
looks under couch cushions for hiding lawyers> :)

der.hans wrote:

>On 28 Jan 2003, George Toft said:
>
>>When you drive that car in the sand, and it gets stuck, maybe it's not
>>Ford's fault?  Why, oh why, does anyone put a database server with any
>>interface exposed to the Internet?  WTF are these people thinking?  The
>>spread of the worm is not Microsoft's fault (directly) - it is the fault
>
>It is directly m$'s fault. m$ quietly installs m$sql for several software
>packages. It's part of their m$de that's reportedly installed for certain
>releases of packages like visio, m$ project, and m$ office. So not only does
>it default to a bad setup, but people don't even know it's installed. They
>should know, but that's discouraged in the m$ce world...
>