Um, well, heh - geez guys, can't a person take a break and do a bash-Microsoft dance to stretch his legs once in a while? :) Sure, ITs are responsible for their systems (like MCSE ITs are all that anyway), but we're talking the difference between a system that's supposed to be locked down and secure out of the box and easy to administer with effective process and port controls, and one that's so buggy that it's impossible to lock it down. A la Firestone - the tire treads are *not* supposed to fly off of new tires out of the box, regardless of the driver. So, while we can happily blame IT for not patching or maintaining systems correctly, MS, with all its bragging about its support and security, continues to consistently release outrageously buggy products. Not normal buggy, the "well, it's an oops but it's fixed promptly" kind that one would expect to see once in a while - but overwhelmingly infested with bugs, to the point that I am amazed that *anyone* even pretends to use Microsoft, especially in a mission-critical environment or on a public network. IT people are so freaking overworked trying to keep track of all the crap with Microsoft that it's no wonder a fraction of the staff can administer the same number of Unix systems.

Linux, with its occasional bugs, also has a very good internet presence. Yet, server to server, we're not hearing about Linux bugs bringing down Root Zone servers or knocking out WorldCom, etc. Always, it seems, it's Microsoft systems - be they improperly administered/updated or just plain fscked - that can be identified as the blame. And in many cases, like the root password snafu with MS SQL, Microsoft claims it's a feature and not a bug. Or it doesn't attribute importance to it and patches are slow in release.
Anyone claiming to be a vendor for systems that will go on public networks simply has to ensure that these systems are secure out of the box, and the admin's job is then to open up services as needed and perhaps apply the few normal patches rather than the flood of critical patches. Remember - these patches have to be tested on the individual networks before being released company-wide and/or on critical servers - so what would seem to be a simple patch takes a lot of time individually, unless the IT is lazy and just trusts Microsoft. Of course, that "anyone" doesn't exclude Linux - I do my share of locking down open processes, but then I've never used their server version. Even so, I find it very easy to lock down my Linux box, customize my iptables, etc., and I'm using the CheapBytes version. FreeBSD would be an even more rock-solid case - I'd spend my time opening it up rather than locking it down.

Why then, with the billions and the supposed position of "knowing what's right for you", doesn't Microsoft "get it"? I'm no super MS administrator and not even close to a super cracker - but when I can go to a client's Windows XP system (who forgot their password), and not only get in, but gain Administrator access and authority *inside* of five minutes (most of it waiting for reboot), then something ain't right - and it wasn't a matter of a poor password - with what I did to get in, the password was irrelevant. And these systems are in offices around the world!

Consistently poor software, atrocious security, bad business practices, poor certification qualifications, hobbled ITs - we're not talking about the regular occasional bugs that are common to all systems here - we're talking about a world-wide catastrophic disaster.

Cheers,
Mike

Disclaimer for Pinko Lawyers - all above IMHO. :)

der.hans wrote:
> On 28 Jan 2003, George Toft said:
>
>> When you drive that car in the sand, and it gets stuck, maybe it's not
>> Ford's fault? Why, oh why, does anyone put a database server with any
>> interface exposed to the Internet? WTF are these people thinking? The
>> spread of the worm is not Microsoft's fault (directly) - it is the fault
>>
>
> It is directly m$'s fault. m$ quietly installs m$sql for several software
> packages. It's part of their m$de that's reportedly installed for certain
> releases of packages like visio, m$ project, and m$ office. So not only does
> it default to a bad setup, but people don't even know it's installed. They
> should know, but that's discouraged in the m$ce world...