-- more on -- Phil Karn -- Why I Hate Microsoft - Part 1: Worms and Viruses

[Dave Farber <dave () farber net>]

> Date: Sun, 24 Aug 2003 13:04:21 -0400
> From: Tom Goltz <tgoltz () QuietSoftware com>
> Subject: Re: [IP] Phil Karn -- Why I Hate Microsoft - Part 1: Worms and 
> Viruses
> X-Sender: tgoltz () mail quietsoftware com
> To: dave () farber net
> Cc: Phil Karn <karn () ka9q net>, Dewayne Hendricks <dewayne () warpspeed com>
>
> At 03:25 AM 8/24/2003 -0400, you wrote:
> > From: Phil Karn
> > To: Dewayne Hendricks
> > Subject: Why I Hate Microsoft - Part 1: Worms and Viruses
>
> (Dave: Feel free to send to IP.)
>
> There seems to be a burst of media and trade press coverage bashing 
> Microsoft and Microsoft's software, largely on an emotional basis and 
> claiming that there are better choices out there.  The fallacy here is 
> that just because Microsoft is bad does not automatically make the 
> competition good.
>
> There are basically three major classes of attacks against networked 
> general-purpose systems: The direct network exploit (represented recently 
> by 'Blaster'), the trojan-horse / worm, (represented by 'Sobig'), and the 
> denial-of-service attack.
>
> Direct network exploits all involve obtaining privileged access to the 
> system, and tend to use one of three methods:
>
> 1. Authentication attacks, usually involving exploitation of public 
> services through weak or compromised passwords.
>
> 2. Malformed data attacks, including buffer overflow exploits and 
> specially constructed HTTP URL's.
>
> 3. Network attacks, involving data sniffing, data replay, connection 
> hijacking and spoofing.
>
> I am not aware of a single operating system in widespread use today that 
> does not suffer from a significant number of direct network exploits.  I 
> include in this all major UNIX variants (including Solaris, IBM's AIX, and 
> Linux), the "mainframe" and "minicomputer" operating systems from DEC and 
> IBM, as well as the operating systems available on desktop machines 
> (MacOS/OS-X, Microsoft Windows, OS/2, etc).  Generally speaking, ANY of 
> these systems that's been released for twelve months or more has known 
> security issues.
>
> I do not believe that Microsoft is any more or less guilty of poor quality 
> software than it's competition.  The difference is that Microsoft has 
> become wildly successful, having some version of their Windows system 
> running on the vast majority of the computers in existence today.  As a 
> result, efforts spent developing attacks against Microsoft systems are by 
> far the most profitable.  Based on just raw numbers alone, Microsoft would 
> have to ship software with barely 1% of the vulnerabilities present in 
> their competition in order to maintain parity in the number of compromised 
> or exploited systems.
>
> As a user and systems administrator of many Linux systems since 1996, I do 
> not believe that Linux is significantly more secure or higher quality than 
> Microsoft Windows.  Virtually all of the general-purpose Linux 
> distributions that are more than twelve months old have multiple known, 
> exploitable network attacks.  Many of these can be fixed by applying 
> patches, but so can Microsoft Windows.  Running both systems in a secure 
> fashion requires extensive and frequent updating and patching.  The sole 
> advantage that Linux posses is that it is easier to build custom 
> "stripped" or special-purpose configurations that have fewer network 
> services available and fewer security vulnerabilities.
>
> The one area where I have severe criticism of Microsoft is in their 
> implementation of their email client.  Including executable content in 
> email messages was not recommend by the original designers, and 
> Microsoft's decision to implement this anyway was inexcusable.  Both 
> Outlook and Outlook Express may represent the single biggest threat to the 
> Internet that exists today.
>
> Without the contribution of these packages, the trojan horse or worm 
> program would be a much smaller or non-existent threat.
>
> Denial of service attacks are the least significant of the three, 
> typically involving no permanent damage to the attacked system.  Once the 
> attack is stopped or eliminated, the affected system can be quickly 
> restored to service with minimal effort.
>
> The trend in the computer industry has been the development of very large 
> software monocultures, with identical software and even identical 
> configurations running on ever-larger numbers of computers.  When combined 
> with the increasing percentage of these computers tied together into a 
> single network, the size of the resulting security problem becomes 
> mind-boggling.
>
> Increasing dominance of software and hardware monocultures are probably 
> inevitable due to the considerable savings in administrative and training 
> costs available.  This creates a need for increasingly secure systems in 
> order to keep the number of flawed and compromised systems at a manageable 
> level.
>
> There are three major areas that must be addressed in order to achieve 
> this goal:
>
> User education.  Just as most people today understand that their house is 
> not secure when the doors are unlocked or when the key is hanging on the 
> outside next to the door, users MUST willingly use high-quality 
> authentication methods and keep those "keys" secure.  Even if we could 
> somehow create the perfect system, a weak password can still turn it into 
> a criminal haven.
>
> Another part of user education is creating the demand for secure 
> systems.  Until their customers are willing to pay for it, the software 
> industry will not invest the money in developing secure software.  In the 
> short-term, secure systems will be more expensive, and are unlikely to 
> exist until customers cease buying their technology based entirely on 
> lowest possible cost while ignoring security.
>
> Finally, our colleges and universities must address the issue by ensuring 
> that their graduates are educated in how to design and implement 
> high-quality secure systems.  It will become increasingly critical that 
> this be treated as a core part of the technology curriculum instead of a 
> token one or two semester course added on as an afterthought.
>
>
> Tom Goltz
> (603) 594-9922

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/