Blessed are the Geeks, for they shall internet the earth

Frustration Over Microsoft's Security Problems Grows
Douglas Chick

Many I.T. people are simply fed up with the constant stream of never-ending security problems using Microsoft's Windows products, and I add myself to an ever-growing list of frustrated computer professionals. Upon returning from a ten-day vacation, and a single security patch behind, seven out of eleven servers attached to a remote DSL network were taken over by intruders. Granted, I should have had a firewall in front of these computers, but because of their functionality, I didn't justify the expense. But still, am I to blame, or should Microsoft be held accountable?

One California woman believes Microsoft should be held to blame, as she has filed a lawsuit using the new California privacy law. Marcy Levitas Hamilton alleges that because of Windows security vulnerabilities that were exploited by last summer's SoBig worm, thieves were able to steal her Social Security number and bank details. She is seeking to represent all Windows users in her suit. If she is successful, she will achieve what many have failed to do: hold Microsoft legally liable for damages linked to flaws in the programming code, even though the company's customers give up this right under the terms and conditions of Microsoft's end-user license agreements.

Joe Ritchey, a network administrator in Orlando, Florida, disagrees. He believes that Microsoft is the victim of its own popularity and that any operating system with the majority market share would suffer the same fate. When I asked him, "Doesn't it bother you that sometimes you are kept at work late fixing many of the problems created by Microsoft security flaws?" Joe's reply was:

"No, not at all. It's what keeps us in business. Repairing these problems is one aspect of the job that can't be outsourced to another country."

It seems to many people that Microsoft is taking too long to fix the overall problem and relies too much on security patches that are overlapping on a sinking ship. In early 2002 Microsoft declared that it was halting software development for a month so that its developer teams could focus on one issue: security. Two years later, security seems even worse, with no visible improvement from Microsoft.

Wilbur Pan, a pediatric oncologist at the Cancer Institute of New Jersey in New Brunswick, was quoted in PC World Magazine as saying:

"We got hit hard by the rash of viruses that came along back in August--both in the medical school system and in the university hospital system," Pan says. Ultimately, he switched his personal work system over to Linux. "The lack of accountability is one reason I switched away from using Microsoft products."

Even for people like myself who are loyal to Microsoft, the constant stream of security bulletins and buffer overflows makes me question whether I have made the right decision for my company in using Microsoft operating systems.

Let me hear from you. Should the security flaws in Windows be viewed as taking the good with the bad, or should Microsoft have some accountability for their own product?

DougChick@TheNetworkAdministrator.com 


Response from Chris Louviere
Network Engineer

Security is a layered concept. Each layer is responsible for a certain area or threshold. Now...very few of us in this business have the time to do our jobs and write/build all of the software/hardware we need in house. That means that almost to the Administrator we purchase hardware/software to help us. We do this from various Vendors who enter into an agreement to provide us a product that does what it says it will. Now there is the rub. In the case of the world versus Microsoft...they are not doing the job. They are providing a substandard product. Now before all of the "should've had a firewall...and locks on the doors" people get upset...hear me out.

Microsoft and the rest of the Vendors still write code that allows for the simplest buffer over-run exploits. They continue to write code that is half done or broken. They continue to write code that is desktop centric and written from a "user fluffy-never have to lift a finger to click a choice" concept that removes the entire interface from the user on everything from email to application install. They know it's insecure. They know it is used by every worm and every virus under the planet, yet they continue to write code that way. And they know it's their responsibility because they write patches and updates to fix it. This tells you a lot. When something is not a Vendor's responsibility...they do not fix it. No matter how much you yell and scream. They know their product does not live up to the standards of the enterprise and business community. They are thus responsible for fixing it. No less responsible than a car manufacturer that installs a faulty part.

The point is not the locks. The point is that the contractor installed the locks...and they don't work. It is a totally different thing when someone discovers a new exploit. When they are in a very limited minority that is pushing the envelope. No company can possibly prepare for every possible contingency. And no one I know of is asking them to. I would just love it if they would stop the known things...and eventually stop writing code that keeps allowing the same types of attacks to continue. I personally feel that if all things are done properly and some kid in Sweden finds an impossible combination of utilities and applications...and home grown code that takes advantage of an unknown flaw created by stacking the deck in his favor...then no...Microsoft is not liable for that. But they are for the things that they write that everyone in the world knows is akin to having no lock on the doors at all. Or worse...when they write something that opens the doors for anyone who asks in open text.


Reply from Greg Merideth
Chief Technology Officer

In an ideal world, sure, Microsoft should be held accountable. But then, we hold everyone accountable for bugs and security flaws, not just the company that's fun to hate.

We then have a major issue to address. Let's say Swedish engineer Bill finds a security flaw and posts it to NTBugTraq, giving Microsoft no warning. People exploit that flaw in the 10 days it takes Microsoft to fix it. Can that be justified as a problem that Microsoft created? Not really. If Swedish Bill posts to Microsoft a month in advance and is not happy with their response time, then posts with the same result, is that still, really, Microsoft's problem? Not really. The release of the flaw is what caused the exploit. A problem that Microsoft knows about but does not fix is a problem, but then, how do you prove it?

Microsoft released a service pack fix for the SQL Slammer worm, and 8 months later look what happened. If your alarm company told you that there was a known flaw with your alarm system and you did nothing to fix it, in what manner would you feel justified in suing them after you get broken into by someone exploiting that? Granted, the release of patches in its current system is obviously not working, but for all of the complaining about it I haven't heard one idea of how to improve it.

"Granted I should have had a firewall in front" are the famous last words of every network admin I've ever talked to after they've been broken into. The cost of 11 servers, even using crap servers at 4 grand each = 44 grand. The cost of 1 firewall to protect them all, 2 grand. That's just sad.

Other than his stupidity, I love the site. Keep up the articles.

          '''''
         ( o.o )
====oOOO==(_)==OOOo=====================
Greg Merideth
Chief Technology Officer

"When working on someone's computer, whatever happens, behave as
though you meant it to happen." - The Computerman's Code


A response from Tom Struble
Network Engineer, Colorado

Yeah, that happened to me...sort of.
I have this big new expensive house, and although I should have had locks installed, who has that type of time and money?

Sure enough, I came home after a short 27 day vacation, and 4 of the 5 bedrooms had bums living in them, plus they drank all my beer.
Well I tell you, my first call was to the contractor to bitch him out and let him know I was going to sue him blind.  He said "you know, we talked about locks, our web site tells you to install locks, even the news warns you that everyone should have locks, but you didn't want to spend the time or money to install them".

I ask you, what kind of excuse is that????
Bottom line, you're responsible for your own security.  If you don't want to secure your systems, ya spin the wheel and take your chances.  Firewalls and AntiVirus systems are the cost of doing business on the Internet, just like locks and alarms are required to keep your property safe and secure.

P.S. - there are dozens of good, virtually bulletproof, open source firewall solutions that would protect all your systems for the cost of a low-end Pentium (that's right, just a plain Jane Pentium I) and a few hours of your time. Check out IPCop, or Smoothwall, or NetBoz.
All rights reserved  TheNetworkAdministrator.com