a view from a vet -- Slammered

[Dave Farber <dave () farber net>]

I am keeping this thread open since I believe it is very important to
understand the issues and how we can attack them. Prayer is not sufficient.

Dave


------ Forwarded Message
From: Bob Frankston <rmfxixB () bobf Frankston com>
Date: Sun, 26 Jan 2003 18:15:17 -0500
To: dave () farber net, "'ip'" <ip () v2 listbox com>
Subject: [IP] Slammered

{If I try to edit this I'll never get around to sending it because I
have to catch up after wasting hours on this and it probably captures
the mood in the current form. So please excuse my typos.}


I feel obliged to add to the blaming -- yesterday I noticed my SQLServer
was eating up my CPU so I killed the process and but was too busy to go
to the MS site. Today I was dealing with a network problem that turned
out to be ...

But, as I point out below, I also applaud Microsoft for at least giving
us the rope with which to play.

So I killed the server, downloaded and applied the fix and it failed
with a message saying that something went wrong -- tell me what? Why? So
I deinstalled and reinstalled the whole thing.

Why was I caught? After all I run AV software and I frequently check the
MS site for updates and I run Windows Update and do all of that.

But Microsoft puts the onus on me to keep vigilant about their myriad of
applications. Office has its own procedure and so does SQL server and
who knows what lurks in the bowels of my PC that I don't know about
MDAC?? Whatever that is?

I find Microsoft security claims to totally meaningless if they don't
first address the human factors issues. I remember Multics security was
entirely about human factors. That is, until the military wanted "real"
security and then they installed some cockamamie system whose main
purpose seemed to be to prevent work from being done since just about
any cooperation created insecurities. At least it provided entertainment
as we thought of ways to get around it. Of course, real people didn't
use that stuff.

But having such mechanisms allows people to claim security while putting
all the blame on the users for not spending all of their time and effort
keeping track of the latest postings and for actually trying to use the
software. It's like the legal notices in the newspapers in small type on
some back page. They're a joke and the antidote is to have people whose
job it is to find them and alert others. It's very fallible open loop
signaling.

Why do I run SQL Server? Well, I have been intending to migrate my
databases to it since Access isn't getting the investment necessary to
have it scale but SQL server is a product for IT departments and not for
kneading data. So I'm stuck. But I have used it for some applications
including accessing other SQL servers of the net for a site I built.

Why do I have my ports open? For the same reason that using a condom and
having creating new people are incompatible. I want to use computers and
not treat them as sacred objects to be run by a tribe of wizards.

Does Microsoft deserve blame? Yes. They still need to learn that
security is about people and not guard towers. The idea of shutting the
ports is silly -- I'm on a dynamic network and even if I have a firewall
and shut it down there are also all those internal systems vulnerable
because of firewalls. (At least I run SQLServer on only my main system
at the moment.)

But the lock it down and hide approach is endemic. Outlook locks down my
address book which make it difficult for me to have programs that access
my own data. And then there's that "simple" file sharing in XP which
subverts the ACL system rather than leveraging it and seems to be
blissfully unaware of the Internet. Where's the effort to make the ACLs
usable and making them work in noncorporate environments.

That's part of the problem -- corporations are supposed to have people
dedicated to being vigilant and making sure no users does anything
insecure or even innovative. Small business and homes? Well, they can't
really uses computers because they are too complicated so why worry
about it

That was the challenge I faced when I had the incomprehensible idea of
making networking something you would actually use within the home. I
had to get past all of the complexity that existed because, well,
because it existed. And there is still a lot of that with the NATs being
examples of what makes it so hard to actually use any of this. And
worse, the NATs/Firewalls are given as solutions when they only
contribute to the stifling complexity.

But I also very much applaud Microsoft for at least making these
products available. And I don't expect them to fix the unfixable -- I've
decommissioned my older OS's though I realize that's not a full
solution.

Oracle puts out blatantly false advertisements saying their systems
never have viruses and bugs and they get away with it because they sell
to corporations which need to pretend that is true.

At least Microsoft errs on the side of giving us powerful tools. The key
is to learn from these experiences.

I do not want to drive Microsoft into the liability avoidance mode in
which they say their software only works behind firewalls in static
configurations with a full time IT staff.

I'd rather there be canaries, even if I have to be the one, from whom we
can learn than to listen to Steve Gibson and others who simply tell us
to be afraid and hide. I just want to make sure that there is learning
and not just blame.

Bob Frankston
http://www.Frankston.com


-----Original Message-----
From: owner-ip () v2 listbox com [mailto:owner-ip () v2 listbox com] On Behalf
Of Dave Farber
Sent: Sunday, January 26, 2003 02:30
To: ip


------ Forwarded Message
From: Adam Peake <ajp () glocom ac jp>
Date: Sun, 26 Jan 2003 14:27:30 +0900
To: dave () farber net
Subject: Re: [IP] More on Slammer - Bank of America ATMs impacted

---- Forwarded Message
> From: "Paul E. Robichaux" <paul () robichaux net>
> Date: Sat, 25 Jan 2003 20:12:06 -0500
> To: dave () farber net
> Subject: RE: [IP] More on Slammer - Bank of America ATMs impacted
>
> This is unfair, Dave. Microsoft released a patch for this in July of
2002.
> Blaming the vendor for administrator failure is certainly easy, and
> bashing Microsoft is what I'd expect from Rick; however, any
> administrator who got bitten by this worm has no one to blame but
themselves.


Dave, perhaps you could check the following comment I was sent about
Microsoft's lack of blame:


> Here's a bigger joke: service packs 1 and 2 for SQL Server 2000 and the

> patch issued for the 1434 problem identified in July are unaffective
> against this. Only service pack 3, issued last week, will stop it.


If correct, then it is quite fair to slam Microsoft, and to do so before
the buck is passed elsewhere.

Adam


------ End of Forwarded Message

------ Forwarded Message
From: Joe Touch <touch () ISI EDU>
Date: Sat, 25 Jan 2003 21:47:01 -0800
To: dave () farber net
Subject: Re: [IP] More on Slammer - Bank of America ATMs impacted



Dave Farber wrote:
> ------ Forwarded Message
> From: "Paul E. Robichaux" <paul () robichaux net>
> Date: Sat, 25 Jan 2003 20:12:06 -0500
> To: dave () farber net
> Subject: RE: [IP] More on Slammer - Bank of America ATMs impacted
>
> This is unfair, Dave. Microsoft released a patch for this in July of
2002.

A patch in 2002 on a 2000 product that fixes a buffer overrun error.

Why, in this era of buffer overrun errors (didn't they go back at least
to the Morris worm of 1988?), don't manufacturers check their code
BEFORE they release it?

Joe

-------------------------------------
You are subscribed as rcv-interesting-people () frankston com
To unsubscribe or update your address, click
  http://v2.listbox.com/member/?listname=ip

Archives at:
http://www.interesting-people.org/archives/interesting-people/



------ End of Forwarded Message

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To unsubscribe or update your address, click
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/