On Wed, 2004-09-15 at 12:19, Chad Perrin wrote:
> Downloading patches from MS doesn't make your computer secure, and
> downloading them without knowing what you're downloading doesn't even
> make it MORE secure than it would otherwise be. In fact, in using
> Windows, I have refused about as many patches as I've accepted. Real
> security (or as close to it as you can get with Windows) involves
> installing and using third-party solutions that cover over Microsoft's
> more egregious flaws. I sympathize with the people that "don't want
> Microsoft poking around" in their PCs. Their failing is not in the fact
> that they refuse to trust Microsoft, but in the fact that they don't use
> non-Microsoft security measures.
Case Study: SQL Slammer at a Fortune 100 Company with a Household Name
The problem is:
1. "Integration" continues to be a major security issue with Win32
2. "Stay current" with patches made the Fortune 100 _vunerable_
3. Microsoft is willing to "pass the buck" onto its own professionals
Regarding #1, Microsoft released a fix in fall of 2002 against the
vunerability that SQL Slammer would exploit at the start of 2003.
Unfortunately, the then released 2 additional patches for MS SQL Server
that then _silently_uninstalled_ the fix that would have prevented SQL
Slammer because it was incompatible with the other 2. _Only_ by reading
the documentation of these additional 2 fixes would one know that this
would occur. A lengthy and extensive _manual_ workaround was required,
and there was no guarantee the 3 patches would co-exist -- much less not
render the server unusable.
Regarding #2, because this Fortune 100 was "so current," taking great
lengths to minimize the time from testing to deployment, they were very
current on all systems. It is very difficult to regression test patches
and rollouts -- especially when deploying even just one patch could mean
an entire bank of Windows servers will be rendered unusable. The team
did superb on maintaining stock patches and configurations.
Unfortunately, that was not good enough.
Regarding #3, after SQL Slammer did, I did the research and found out
about the "conflicting" patches, and that most exposed systems _were_
because they were current. Only *1* responsible IT outlet reported
this! *NO* others -- *NO* Ziff-Davis outlets did -- *NOT* even *1*!
Then I listened in with absolute disgust as Microsoft did not even
mention this fact and, worse yet, blamed it on people "not being
current."
And the final insult was when I disclosed this fact to people. No one
would believe me. But then I _finally_ found the documentation that
proved it. Because, unknowingly to me, management at the Fortune 100
company was coming down hard on the people in charge of patching for
"not doing their jobs." They did their jobs. They did _everything_.
They _were_ current. And that's why we _were_ vunerable!
Which is why, as an original NT 3.1 beta tester and maintainer of every
version since, I have been repeatedly disgusted on the lack of "support"
that Microsoft does not even give its own professionals. It is
unethical, shows a total lack of integrity and utter disregard. And
Microsoft is seemingly more than happy to see the IT media to continue
to ignorantly blame it on people who don't patch.
I tire of it. I don't have the problem with _any_ other platform. Yes,
Microsoft is burdened with the fact that Win32 is over-integrated to the
point they cannot even make their own patches compatible, and that's a
problem with its legacy. But that doesn't mean they can sit there and
expense _good_ professionals who _are_ competent in order to play the
"omission game."
No way do I prefer Microsoft products for that #1 reason. They are more
than ready to expense the livelihood of even people who swear by their
products. It's sad to see these people take the brunt, for a company
that _never_ admits fault. And ladies and gentlemen, I'm not a
conspiracy theorist, but Microsoft is so guilty of gross technical
negligence at the application, development and IT support levels. Not
because of one incident -- but continuous exposure, of which there is no
comparison to any other company I've ever seen.
-- Bryan J. Smith b.j.smith@ieee.org ------------------------------------------------------------------ "Communities don't have rights. Only individuals in the community have rights. ... That idea of community rights is firmly rooted in the 'Communist Manifesto.'" -- Michael Badnarik----------------------------------------------------------------------- This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:44:07 EDT