Re: Leaving Techwhirlers

Subject: Re: Leaving Techwhirlers
From: Andrew Plato <gilliankitty -at- yahoo -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Tue, 23 Sep 2003 08:00:06 -0700 (PDT)


"Bruce Byfield" wrote

> But the fact remains that Microsoft has a very poor record - not in having bugs,
> but in its policies about them.
>
> To start with, the company is extremely slow to admit that they exist, and
> discourages the publicizing of them.

Could you cite a *specific* example where Microsoft has been "extremely slow"
or "discouraged publicizing" vulnerabilities? Furthermore, how would MS have
ANY control over the publication of vulnerabilities since the overwhelming
majority of vulnerabilities are discovered by third parties - namely security
researchers like ISS, eEye Digital, Foundstone, etc.

Perhaps it would help to explain how vulnerabilities and exploits work:

1. Vulnerability is discovered. A vulnerability is NOT the same as an exploit.
A vulnerability is a weakness in the system, such as the ability to overflow a
buffer. Vulnerabilities merely are the possibility for an attack, not an actual
attack.

Vulnerabilities are discovered by one of two groups: Security research centers
like Foundstone or ISS or individuals.

Responsible security researchers follow a *rational* process of releasing
vulnerabilities. When they discover a vulnerability, they release it to the
manufacturer or open-source team FIRST. They then wait 30 days to give the
manufacturer or open-source team time to develop a patch. After 30 days, they
announce the vulnerability publicly. This is rational and fair to the
manufacturer and open-source team.

Independently discovered holes typically get posted to one of the numerous
online forums, like Bugtraq. All manufacturers monitor these lists. But,
suffice to say, some of the things posted to these lists are not, in fact,
legitimate holes. They must be tested and independently verified. This is where
the eEye Digitals and such perform a valuable service: testing and
independently validating that a vulnerability actually exists.

2. At some time in the future, somebody releases exploit code in the form of a
worm, virus, or hack.

Between the time that a vulnerability is discovered and exploit code is
released, there is a window of time. Sometimes, the manufacturer (or open
source team) patches in that window. Sometimes the window is so short that
there isn't time to get the patch out before exploit code is released.
Sometimes the exploit and the vulnerability are released/disclosed on the SAME
day.

Explain to me how a manufacturer (or an open source team) can fix a hole they
don't know about? Or stop an exploit that comes out at the same time (or even
before) they know there is a hole?

In the case of Blaster, eEye Digital Security released the vulnerability this
past summer and MS had a patch a week later. It was a full month later before
Blaster hit. Explain how this was "slow to react." MS had a patch out BEFORE
exploit code was released.

Unfortunately, most people and organizations have poor security practices and
didn't update their systems properly. Blaster was another example of this. Why
any organization has ports 135-139 or 445 open to the Internet is beyond me.
But, many IT admins have no security training and as such, deploy key
infrastructure components without understanding the ramifications of those
technologies.

Furthermore, home users are also at the mercy of these "set and forget"
technologies that promise to secure them. But, unless these systems are used
intelligently, they are no better than a placebo. For example, tons of people
use ZoneAlarm and have NO IDEA what programs are asking to access the network.
Hence, they just keep clicking OK when it nags them, the end result is zero
security benefit. A worm just disguises itself as some official sounding
program, Joe user clicks OK, and whatever security benefit ZoneAlarm promised
is immediately nullified.

Hence, the real problem here isn't the technologies but how they are used,
managed, and monitored. A poorly configured Microsoft box is just as much of a
security problem as a poorly configured or managed AIX, Solaris, or yes even
Linux box.

The single largest security hole in every organization is between the ears of
the IT staff.

Ignorance leads to poor practices, and poor practices lead to security
problems. I have dozens of customers who saw NOTHING of Blaster, Sobig, or any
of these other worms. The IT staff went home at 5 every night and there were no
incidents. And these are places that are almost 100% Windows shops. The reason:
good security practices. Strong firewall rules, ample use of intrusion
protection technologies, adequate AV management, etc.

No offense Bruce, but the "open-source goooooood, Microsoft baaaaaaad" argument
might fly on Slashdot. But, the rest of the world doesn't care. It's a tired,
boring argument.

We all know, Microsoft baaaaaaaad. The fact of life is that Microsoft is out
there and people need to make sure they take good care of their machines. A
poorly managed open-source program isn't one notch "better" than a poorly
managed Windows machine. They just have different problems.

Andrew Plato
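The vulnerability/patch/exploit timeline the post walks through can be made concrete. The following is an added example, not code from the original message or from any vendor named in it. It models the 30-day grace period the post describes, classifies whether a vendor's patch beat the exploit, and computes how long a given organisation was actually exposed (the post's point that a patch shipped before the worm protects nobody who never applied it). All vulnerability names and dates are constructed for illustration; they are not the real Blaster dates.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

GRACE_DAYS = 30  # the 30-day wait the post describes before public disclosure


@dataclass
class VulnTimeline:
    """One vulnerability as seen by one organisation (constructed records)."""
    name: str
    reported_to_vendor: date            # researcher notifies vendor/open-source team
    patch_released: Optional[date]      # vendor ships a fix (None = still unpatched)
    exploit_released: Optional[date]    # worm/exploit code appears (None = none yet)
    patch_applied: Optional[date]       # when THIS organisation deployed the patch


def vendor_status(v: VulnTimeline) -> str:
    """Did the vendor beat the exploit, tie it, or lose the race?"""
    if v.patch_released is None:
        return "unpatched"
    if v.exploit_released is None:
        return "patched-no-exploit-yet"
    if v.patch_released < v.exploit_released:
        return "patched-before-exploit"
    if v.patch_released == v.exploit_released:
        return "same-day"
    return "exploit-before-patch"


def vendor_days_to_patch(v: VulnTimeline) -> Optional[int]:
    """Days from private report to patch; None while no patch exists."""
    if v.patch_released is None:
        return None
    return (v.patch_released - v.reported_to_vendor).days


def vendor_met_grace_period(v: VulnTimeline, today: date) -> bool:
    """True if the fix shipped within the grace period (or the period has not expired yet)."""
    days = vendor_days_to_patch(v)
    if days is None:
        return (today - v.reported_to_vendor).days <= GRACE_DAYS
    return days <= GRACE_DAYS


def org_exposure_days(v: VulnTimeline, today: date) -> int:
    """Days on which exploit code existed AND this organisation was still unpatched."""
    if v.exploit_released is None:
        return 0
    end = v.patch_applied if v.patch_applied is not None else today
    if end <= v.exploit_released:
        return 0
    return (end - v.exploit_released).days


def exposure_report(vulns: List[VulnTimeline], today: date) -> List[dict]:
    """One summary row per record, combining the vendor view and the org view."""
    return [
        {
            "name": v.name,
            "vendor": vendor_status(v),
            "vendor_days_to_patch": vendor_days_to_patch(v),
            "vendor_met_grace": vendor_met_grace_period(v, today),
            "org_exposure_days": org_exposure_days(v, today),
        }
        for v in vulns
    ]


# Constructed sample data: names and dates are illustrative, not historical.
TODAY = date(2003, 9, 23)
SAMPLE = [
    VulnTimeline("rpc-overflow / org A (patched promptly)",
                 date(2003, 6, 20), date(2003, 7, 16), date(2003, 8, 11), date(2003, 7, 20)),
    VulnTimeline("rpc-overflow / org B (never patched)",
                 date(2003, 6, 20), date(2003, 7, 16), date(2003, 8, 11), None),
    VulnTimeline("zero-day / org A",
                 date(2003, 9, 1), date(2003, 9, 10), date(2003, 9, 1), date(2003, 9, 12)),
    VulnTimeline("same-day disclosure / org B",
                 date(2003, 8, 1), date(2003, 9, 5), date(2003, 9, 5), None),
]

if __name__ == "__main__":
    for row in exposure_report(SAMPLE, TODAY):
        print(row)
```

The two "rpc-overflow" rows share identical vendor dates (patch 26 days after the report, exploit almost a month after the patch) and differ only in whether the organisation applied the fix; the vendor "won" in both cases, but org B accumulates exposure every day the worm is out.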


