Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Microsoft

Microsoft Apologist Apologizes for Microsoft 446

Posted by michael
from the calling-it-like-it-is dept.
hillbilly1980 writes "Internet Week has published a counter article in response to the number of anti-monoculture security papers recently published. Unfortunately the author starts out by writing off the other papers as simply anti-Microsoft, unfortunate because his paper never gets past being more then just pro-Microsoft. One of his suggestions to secure your enterprise... turn off port 80." Probably the best thing to do to prevent disinformation from entering your company is to block articles by Rob Enderle. Update: 10/11 00:54 GMT by M : Note for the record that the original version of the article referred to blocking port 80; the article has now been edited to refer to port 135.
This discussion has been archived. No new comments can be posted.

Microsoft Apologist Apologizes for Microsoft

Comments Filter:
  • Bah! (Score:5, Funny)

    by Plix (204304) on Friday October 10, 2003 @08:38PM (#7186944) Homepage
    One of his suggestions to secure your enterprise... turn off port 80

    That's nothing. To be *really* secure I just don't even turn my computer on!
    • Re:Bah! (Score:3, Funny)

      by CyberVenom (697959)
      Unfortunately your computer wakes up as soon as I send a packet because you forgot to turn off the Wake-on-LAN feature of your integrated NIC.
    • You forgot: Lock it in a room by itself and epoxy the drives shut, then weld the case together. ;)
    • Funny (Score:5, Interesting)

      by Pan T. Hose (707794) on Friday October 10, 2003 @09:22PM (#7187140) Homepage Journal
      It may be funny, but sadly some people do really think that firewalling port 80 (or 8080, or 21, or 20, or 22, or 443 -- et cetera, ad nonsensum) is the answer indeed. Some people may be surprised (not Slashdot readers though, mind you) but there simply is no simple answer. There is no working snake oil. The buzzword of the week alone will not save you. What are my answers then? Simple. Read Security Focus. Read Crypto-Gram. Read Phrack. Read the underground IRC discussions. Read encrypted Usenet posts. Read the articles posted on Freenet. Read the books for god's sake! Read about systems. Read about networking protocols. Read about cryptography. Read about cryptanalysis. Employ honeypots in every network. Learn C. Learn Assembly (Intel as well as AT&T syntax, for different CPU architectures). Learn executable binary formats. Learn how to see polymorphic shellcodes in network packets hex dump, just looking at tcpdump output scroling on your terminal. Learn how to speak different protocols (http, smtp, pop3, etc.) with netcat, then making your own tcp packets, then your own hand-made ip packets, then ethernet, ppp and slip. Learn. Read. Then learn some more. Read. Read. Read. And learn the one most important thing: security is not easy. When everything fails, you are on your own.
      • Re:Funny (Score:2, Funny)

        by Brandybuck (704397)
        Or you could just make sure everything is off. I don't know how much more simple you can get. Of course, you do need a little bit of education to know how to tell that you really do have everything off, but it's still a heck of a lot simpler than learning assembler.

        Oh! We're talking about Windows. Maybe learning assembler is easier...
        • Of course (Score:2, Funny)

          by Pan T. Hose (707794)

          Or you could just make sure everything is off. I don't know how much more simple you can get. Of course, you do need a little bit of education to know how to tell that you really do have everything off, but it's still a heck of a lot simpler than learning assembler.

          Great idea. Let me make sure everything is off in my lab. Let me also ask management of my institute to file for bankruptcy while I am at it. I am sure they will thank me for making our network absolutely safe.

      • Well, it doesn't seem people are really searching for a solution, or they'd be working to implement Capability Systems to replace the crappy ACL systems we have today, that provably [nec.com] and significantly reduce many of today's security problems [upenn.edu].
        • Yes (Score:3, Insightful)

          by Pan T. Hose (707794)
          I particularly like the GNU operating system approach to improving the Unix security. Of course I mean the Hurd kernel, not Linux. We all know ACLs, MAC, POSIX capabilities and even the Hurd auth servers are not the final solution, but one has to admit it's a good start which will surely lead to quite an interesting research during the following decades.
      • You do realize that depending on the "Threat" for some people your remedy is worse(i.e. more trouble) than the actual threat, unless it actually leads to litigation... On a completely different perspective, lots of "security" has been focused against defending against "something" but until you identify that something, you ain't that much further ahead. Case in point being internal security threats(actual employees abusing actual access required by their jobs to do unauthorized things... That's also a part
      • Re:Funny (Score:3, Funny)

        by Geek of Tech (678002)
        > It may be funny, but sadly some people do really think that firewalling port 80 (or 8080, or 21, or 20, or 22, or 443 -- et cetera, ad nonsensum) is the answer indeed. Some people may be surprised (not Slashdot readers though, mind you) but there simply is no simple answer. There is no working snake oil. The buzzword of the week alone will not save you. What are my answers then? Simple. Read Security Focus. Read Crypto-Gram. Read Phrack. Read the underground IRC discussions. Read encrypted Usenet posts
  • Slashdot (Score:2, Insightful)

    by Karamchand (607798)
    Slashdot is too subjective.
    Ok, it is completely understandable and ok that slashdot is not a pro-microsoft-newsletter. But still I would have expected a bit more. Not just "oh, and if Rob Enderle is from Microsoft everythingh he says is bad".
    • oh, and if Rob Enderle is from Microsoft everythingh he says is bad

      I can show you countless slashdot-sponsored studies which support this with hard statistical data. :)
      • Why both Slashdot?

        Just use Google and select all his articles and postings. After viewing a few randomly chosen ones you understand why Enderle has earned the title "Microsoft Sock Puppet".

        He only adds to his reputation by making 'suggestions' for improving WinXX security.
    • No, what he said was bad. He shows no knowledge in area. It would have gone a long way to his credibility, if just said step by step how to. Basicly he can't without making it a non-monoculture.
    • Re:Slashdot (Score:4, Informative)

      by zurab (188064) on Friday October 10, 2003 @09:37PM (#7187197)
      But still I would have expected a bit more. Not just "oh, and if Rob Enderle is from Microsoft everythingh he says is bad".


      Here's a little bit more (at the end of the current article):

      PREVIOUSLY BY ROB ENDERLE:
      - Microsoft: Hated Because It's Misunderstood [internetweek.com]
      - Reasons To Shun Open Source-ry [internetweek.com]
      - Linux Is Not Ready For the Enterprise [internetweek.com]


      Further, in the article, after presenting a general statement (that he tries to critique) that diversity is good for security, he claims:

      These arguments were put forward by Gartner and, separately, a panel hosted by the anti-Microsoft Computer & Communications Industry Association.

      But there is no evidence that either party has actually analyzed the cost of diversity or quantified the risks of diversity.


      As opposed to who? Himself? He presents no cost or risk analysis of anything either, including diversity, or any of the arguments that he is trying to put forward. But based on his previous articles and general sentiment, it is obvious that he doesn't need to. It's clear what his conclusion is going to be anyway.
    • I understand that views of slashdot and slashdot fanboys such as myself are tilted in a particular direction as are everyone elses. It is impossible for a human to be fully objective as human minds all posess a cirtain set of values that we personally hold to be true and our morals and integrity usually prevent us from acting against those values meaning that even if a universal truth existed it would be doubtful if it could be followed by anyone.

      I come here because I have tried most of the alternatives t

    • And WHAT, exactly, about your experiences at this place would have made you expect a bit more?
    • Re:Slashdot (Score:5, Informative)

      by Read Icculus (606527) on Friday October 10, 2003 @10:21PM (#7187360)
      Have you read any of this guy's stuff? Or did you just decide to post some now-popular "quit being such a bunch of slashbots" stuff in hopes of getting modded up? Check out this preface to his article on "Linux is Not Ready For the Enterprise" -
      Linux and other open source projects require too much customization, and doubts about the legitimacy of open source code could get users tangled up in lawsuits. Besides, many Linux supporters are a bunch of potty-mouthed malcontents. Enterprises are better off staying away from Linux and open source -- or at least thinking through the possible liabilities

      I agree that any business should think through the liabilities of any piece of software that the are going to deploy, (like maybe think for a second about distributing copies of Windows throughout your buisness, an OS that includes a piece of software that was found to be illegally infringing on a legal patent, unlike the SCO case which is merely in progress, much like all the lawsuits against MS), but what the hell does "Besides, many Linux supporters are a bunch of potty-mouthed malcontents", have to do with a consultant's article on the weaknesses of Linux? Should I write an article about "Why Windows sucks on the Desktop", and then state "Besides, many Windows users are nothing more than software pirates and they download the vast majority of illegal mp3s".

      Here's a good one from the article "Reasons to Shun Open-Source-ry" -
      I now honestly believe that Linux and open source are big, bald-faced lies perpetrated on the industry by itself. ... How many credible people told each other with a straight face that profit didn't matter? This seems much too similar to "free software" to me.

      If you actually read this guy's articles you start to get a pretty good idea of the amount of FUD that he is spreading. Check out his consulting group, do some googling, and check out his bio - GigaWeb [gigaweb.com]. This guy is a marketroid consultant who seemingly only works with and promotes MS products, (according to his own information!). His arguments are also generally full of holes and he often uses ad hominem attacks while bashing anti-MSers for doing the same thing. The only platforms that seem to draw his ire are non-MS, check out all he has to say on OSX and Linux, (If you can stand it). He even asks if OSS supporters have "ever heard of capitalism?", and says that he does not want to go back to the days of cheap software. I've read about a dozen of his articles now, (know thy enemy), and I suggest that anyone who has some questions on this guy do the same.
    • Karamchand, your post could serve as the illustrative example for Webster's definition of 'irony'. In a completely unsupported and subjective manner you blame 'Slashdot' (whatever that means. the editors? an editor? the users? including you?) for being too subjective. It was either a very clever troll or you need to think this through a bit more. My recommendation would be to start with the content of Enderle's works instead of your perception of the personalities.

      BTW, Enderle isn't from Microsoft.


    • Slashdot is too subjective.

      ...meanwhile Rob Enderle is the pinicle of objectivity?

      Slashdot has never claimed any kind of objective viewpoint. Its rather biased. And its become well-known, if not always popular, because of that bias.

      Slashdot filled an interesting niche; a dissenting opinion when the IT press was almost entirely Windows-centric. Linux was quietly seeping in to the Enterprise. But the mainstream IT press either ignored it or was unfairly dismissive. Slashdot was a forum most note

  • by FatCobra (714836) on Friday October 10, 2003 @08:43PM (#7186966)
    Yeah lets all turn off port 80; its like having e-business without the "e"!
    • FYI, There is an official phrase for this

      "Hamlet without the prince"

      Used allusively to refer to a performance or event taking place without the central figure, actor, etc. E19. Excerpted from Oxford Talking Dictionary Copyright (C) 1998

      • "Hamlet without the prince"

        FYI, there is a an official Slashdot phrase for this:

        Darl McBride without the unctuousness"

        Used allusively to refer to an oozing bag of shit, without the shit or the ooze.
        (C), (TM), (IP), (AYB) 1983-2003 SCO Group
  • by diaphanous (1806) <pgarlandNO@SPAMgmail.com> on Friday October 10, 2003 @08:44PM (#7186967)
    The article advocates restricting port 135, not port 80.

    ~Phillip
    • The article advocates restricting port 135, not port 80.

      Why the hell is this port even open in the first place? And unclosable at that?

      I'm about as geeky as they get, and I've never used any RPC-based apps outside of an academic environment. I'm pretty sure the 3 home users in the planet who actually use it can figure out a way around it.

      Ah, good old Microsoft. "It's not our fault people write exploits for needlessly internet-facing services."
      • hy the hell is this port even open in the first place? And unclosable at that?

        I'm about as geeky as they get, and I've never used any RPC-based apps outside of an academic environment. I'm pretty sure the 3 home users in the planet who actually use it can figure out a way around it.

        Microsoft Exchange Server uses port 135 for various purposes, so it cannot be blocked internally at Exchange sites. Which makes the advice a bit ironic.

        sPh

        • And to add to the confusion, when messaging spammers realized that people were blocking port 135, they started spamming on port 1026, which does the same thing. Assuming it's vulnerable to the same exploit, I wonder when the Blaster and Welchia writers will realize this and start using that port too.

          IMO, it's better to block everything anyway, then open up ports as needed.
          • IMO, it's better to block everything anyway, then open up ports as needed.

            In the short term, you block the latest worm. In the long term, you just forced everyone to use an alternative protocol tunneled through an accessible port. Why? Because the internet is successful because almost any computer can send almost any computer almost any digital message in an efficient way. If you feel like complaining about the dumb users on the network, think about the alternative: what if we all grew up where all we had
      • You've never used NFS or Samba? How do you maintain a shared filesystem between multiple hosts?

        There's nothing wrong with RPC-based services - in the right environment they're absolutely vital.

        However opening them up to the internet at large is suicidal. Even the *NIX RPC implimentations have been dodgy at best and although Samba is pretty secure, I still would bever be seen dead opening it up to the internet. Luckily most *NIX distributions agree with this train of thought, but MS? Do they get a sizable
      • And unclosable at that?
        Umm. Not that I'm on Microsoft's side in this, because I'm not, but it is closable. [uksecurityonline.com]
    • I saw the same thing.

      It kind of takes some of the shock value out of the Slashdot story. It's a good idea to block outisde communication over port 135. Inside your network is another story...
    • What's the difference? It's a stupid suggestion either way. And even if it were a valid suggestion, it's hardly insightful to point out in hindsight how a problem may have been averted.
    • by Jeremiah Cornelius (137) on Friday October 10, 2003 @09:13PM (#7187099) Homepage Journal
      This guy has S*hit for brains, and demonstrates this in every one of his hit piece M$ troll "articles".

      Restrict 135 - Yeah Baby!

      Except the major worm infestations haven't used the Internet as the primary exploit vector when demolishing the infrastructure at medium and large enterprises. Blaster and Slammer were "carted in" via laptops, poorly configured VPNs, permissive network sharing with business partners and improperly segmented test/development networks. Slammer just took a major grocery-chain's national WAN down for more than a day. This, 8.5 MONTHS after protecting the edge, and main production boxes for the exploit and blocking SQL discovery.

      There are tag vulnerabilities in the wild, outside the scope of the latest MS patch, 7 days ago. These are capable of planting trojans -- bypassing AV message filters in HTML-formatted mails with Outlook clients, and can be set in invisible-frames, etc.

      Enderle thinks that because he ran through pro-forma auditing that he has the expertise to second guess Schnierer and Geer? Gimme a break! I take Marc Ranum's criticism of these guy's work - not some paid-for-troll who scoffs at the bulk of the working code deployed over the past 40 years as "Open Source-ery".

  • by mst76 (629405) on Friday October 10, 2003 @08:44PM (#7186969)
    From the article:
    This is the big problem with the diversity recommendations I've seen. If they had been implemented as recommended they would have had little impact on the MSBlast virus, which spread via common e-mail, and would likely increase the exposure for other types of threat.
    • If you are letting email-borne trojans into your network, your operating system is the least of your problems.
  • "One of the biggest problems caused by diversity is that it become very difficult for the IT staff to maintain equal competence on all platforms."

    What a great suggestion.. let get rid of all of those different flavors of windows and all those pesky multivendor PCs. A corporate wide upgrade to all new high end laptops for everyone including your servers will save *huge* amounts of money!
  • by kfg (145172) on Friday October 10, 2003 @08:45PM (#7186977)
    that if I'd kept 30% of my infrastructure running Microsoft software for compatability reasons I should just go ahead and ditch it all?

    Or am I just reading that wrong?

    KFG
  • by CrankyFool (680025) on Friday October 10, 2003 @08:48PM (#7186988)
    That's because he's got the wrong focus.

    The monoculture risk is real when you're looking at the 64,000 view -- the entire population. They're not really all that much of a risk when you're dealing with, say, an enterprise's systems, and there's not that much benefit to them in that kind of environment (disregarding things like security devices for the moment).

    We've used the agriculture analogy before to describe the issues around monocultures, so to continue to use it, we can say that his point is that monoculture isn't really an issue because when you're tilling a single field, it's a pain in the ass to put multiple crops on it. True, but that's not the point -- it's when you've got one crop on *ALL* the fields (all the enterprises) or at least a substantial portion of them that you get into a problem.
    • The monoculture risk is real when you're looking at the 64,000 view -- the entire population. They're not really all that much of a risk when you're dealing with, say, an enterprise's systems, and there's not that much benefit to them in that kind of environment (disregarding things like security devices for the moment).

      On the contrary, the monoculture risk should affect an enterprise decision whether to participate in that monoculture. When making such decisions, people shouldn't take into account the

  • by Kaboom13 (235759) <kaboom108NO@SPAMbellsouth.net> on Friday October 10, 2003 @08:52PM (#7187010)
    You make several accusations about the article's bias. But instead of giving us the articl and letting the readers make that judgement, or even making a logical argument for why he is wrong, you instead attack the author, and tell us how we should feel about the article. Anyone that reads slashdot can probably pick out the (alleged) MS bias by themselves. Keep your opinions to your damn self if you arent willing to back them up.
    • I have written hundreds of technical articles - some with positive things to say about MS, some with negative things about MS, some with positive things about Linux/open source projects and some with negative things about Linux/open source projects. For EVERY article that I have written which portrayed a negative stance on a Linux/Open Source project, I got ripped to pieces, accused of being pro-MS and anti-open source, and called a whole lot worse. Never at any other time unless teh article wasn't very g
  • and never wonder bout *why* you're paying that bill...

    What nonsense

  • His suggestions.. (Score:4, Insightful)

    by taradfong (311185) * on Friday October 10, 2003 @08:54PM (#7187020) Homepage Journal
    Let's look at some of these...

    - Accelerated adoption of patches.

    Ok, yes you do have to stay patched. But this is like blaming people with flawed cars for not going to the car dealer each week to check for recalls. Microsoft's abundance of patches indicates poor design and methodology, period.

    - Locking down desktops so users cannot make changes and viruses and worms can't install themselves and run.

    Ok, so rather than design the apps safely out of the box, we need to handcuff the users and do the dirty work ourselves. I guess all those Outlook viruses were our fault.

    - Restricting ports, such as port 135, which effectively stopped the latest virus attack.

    Wow! What a concept! I never thought of this! Now I know where all my problems are coming from! It's not from the software, it's my fault for actually allowing connectivity!

    - maintaining "hot sites," or duplicates of key elements of the IT infrastructure, so if the main infrastructure is compromised, users can quickly switch to backup systems.

    Sounds like a way to sell licenses. Ok, since we can't make our product stable, buy 2 copies and hope one works.

    - Developing the capability to rapidly restore compromised software and data from backups.

    Right. Key word is, develop. Why does an end user, paying hundreds of dollars per seat need to 'develop' something as common as this.

    - Adding security staff or outsourced services.

    Right. Keep sending us your licensing fees, and then spend more money to make up for the gaps in our software. Don't trust any of that 'free software' crap you read on the internet - those Linux guys are a bunch of hacks. Hire an MSCE. Preferably from another country.
    • Don't trust any of that 'free software' crap you read on the internet - those Linux guys are a bunch of hacks.


      Actually, that would be "bunch of potty-mouthed malcontents [internetweek.com]." Get your facts straight, please.
  • This guy also predicted one year ago that Macs would today be running on x86 hardware: http://www.gigaweb.com/Content/Media/AdHoc/Desktop Trends.pdf [gigaweb.com]

    • Nice find.

      It also includes, "while Linux plays a siren song of independence from Microsoft...companies increasingly view Linux as a better alternative platform." Sounds far less anti-Linux than after his professed conversion (brought about by some doubtlessly unprofessional letters from many who also certainly are not fit representatives of enterprise Linux).

      Some other nice quotes: "AMD is ... likely to either merge or more closely partner with Transmeta by the end of 2003 to create a more compelling a

  • The author has concluded that many security papers do not address the cost of security - and he's right.

    But anyone who is going to make a business decision regarding security can and will recognize that cost is a factor. Just because not all papers focus on cost doesn't mean that their conclusions are flawed.

    The author fails to present any facts that support his implied position that the costs of securing the Microsoft model is a lower cost.

    The author has written an article about his opinions. He provi
  • by ChangeOnInstall (589099) on Friday October 10, 2003 @09:07PM (#7187070)
    What exactly does "anti-Microsoft" mean?

    Back in 97, I was working at a startup where we were using the usual array of Microsoft tools to create web-based applications: IIS, ASP, Visual Basic (COM controls), and SQL server. The more I learned, the more I grew not to like it. The straw to break the camel's back was finding a significant bug in MDAC (which was acknowledged by a high-level tech once the ticket was escalated), and then having to wait 6 months for a fix. We thus moved away from the MS platform to Java/Linux, a combination that we found to be superior for our needs. I haven't looked back since.

    I think I thus fall into the anti-Microsoft camp. I'd prefer to think of myself as being in the "pro-well-written-software" camp though. If Microsoft started writing good, secure, and interoperable software, I'd welcome them with open arms. My problem with MS is that in my "learned-the-hard-way" opinion, they don't.

    The author does not define the term "anti-Microsoft". So my question is, what connotation do people try and draw up with the term "anti-Microsoft"? In my opinion, fabricated terms that begin with "anti-" tend to be used to describe an irrational hatred of something, and that's what I'm seeing here.
    • I'd prefer to think of myself as being in the "pro-well-written-software" camp though. If Microsoft started writing good, secure, and interoperable software, I'd welcome them with open arms. My problem with MS is that in my "learned-the-hard-way" opinion, they don't.

      Compared to whom?

      For example, compare Metrowerks Codewarrior to MS Visual Studio.

      Using Visual Studio is a pain in the ass.

      Using Metrowerks Codewarrior is like going into a gladiatorial arena, butt naked, bare fisted, and going up against a
      • I would venture that Microsoft Visual Studio and Apple's Project Builder are the only two decent IDEs that I've ever used.

        On the other hand, though, Visual Studio is the only Microsoft product I've ever been able to say was decent. Its companion, Visual SourceSafe is quite possibly the worst version control system I've ever seen. I think a source tree spread across multiple floppy disks would be more secure than having your code in a SourceSafe database.

        Just how much of a joke it is, even within Microsoft
    • Back in 97, I was working at a startup where we were using the usual array of Microsoft tools to create web-based applications: IIS, ASP, Visual Basic (COM controls), and SQL server. The more I learned, the more I grew not to like it. The straw to break the camel's back was finding a significant bug in MDAC (which was acknowledged by a high-level tech once the ticket was escalated), and then having to wait 6 months for a fix.

      I see they're up to their old tricks.

      Back in the REALLY early days (MS-DOS on Pe
      • People like to say that Microsoft is hated because they are big and successful.

        Balderdash. Microsoft has been one of the most hated software companies ever since their inception as a pissant little outfit making interpreters for hobbiest computers.

        Why? Because of the way they behave.

        Nowadays I think the situation is turned around, the only reason some people seem to like them is because they are big.

        Too big to ignore.

        I can't think of any other reason to put up with the sort of treatment they give their
    • The author does not define the term "anti-Microsoft". So my question is, what connotation do people try and draw up with the term "anti-Microsoft"? In my opinion, fabricated terms that begin with "anti-" tend to be used to describe an irrational hatred of something, and that's what I'm seeing here.

      Perceptive. Dismiss an entire movement with a swipe of the pen, regardless of how well-reasoned the objections may be.

      What really opened my eyes to the possibilities of free software was emailing a bug report t

    • by sheldon (2322) on Friday October 10, 2003 @11:09PM (#7187514)
      MDAC in 1997? That would have been version 1.0. Version 1.5 didn't come out until the NT Option Pack was released in early 1998.

      So you're claiming that Microsoft has a record of not writing good software based upon a bug you found in a 1.0 version of a product?

      Fascinating. BTW, while we're at it... How many bugs have you found in your Java environment? How many times did you have to upgrade to fix them? Where was Java in 1997 and where is it today?

      "In my opinion, fabricated terms that begin with "anti-" tend to be used to describe an irrational hatred of something, and that's what I'm seeing here."

      Don't you have an irrational hatred of something?
    • I started my career in a Sybase/Microsoft shop, where we deployed (among other things) Microsoft solutions, like SQL Server on NT.

      The straw for me was when I called Microsoft because SQL server was crashing, spending the ONE ENTIRE DAY on the phone with their support, to finally learn that it was a bug in their product.

      Solution? Upgrade your server.

      No, not "admittedly, it's a bug, we'll fix it," but "give us more money to get the latest version, with its own bugs, and oh, by the way, enjoy the migration
  • Probably the best thing to do to prevent disinformation from entering your company is to block articles by Rob Enderle.

    Given the recent FUD from "our own Roblimo", I think it might be good to block articles from anyone named Rob if you're looking fro honest information.
  • If you don't like Microsoft, for whatever reason, don't buy their software...

    If the benefits outweight the risks for you, then buy their software.

    If not, don't.

    I don't see why it's considered so interesting whenever some "expert" comments on the security of Microsoft software.
    • The problem is that the intersection of the set of people that have a clue about software quality with the set of people that are signing the checks is a null set.
    • If you don't like Microsoft, for whatever reason, don't buy their software...

      I tried that for years. But the hardware manufacturers wouldn't sell me a machine without their software on it - paid for out of the retail price of the machine. B-(
      • Just build your own computers. You can get better quality, exactly the parts you want, at a good price. My personal machine has lots of ram, a big hard drive w/8 mb cache and 3 year warranty, a good burner also w/8 mb chache and burnproof, etc. All the stuff I want, nothing I don't, and the price is right.

        I don't see the point in paying for Windows or Office if I'm just going to wipe them anyway.
      • Uh, then buy some parts on PriceWatch and build your own machine. I mean, it's simple enough and just about as cheap as you can go for a new pc (except for the occasional awesome promotion from Dell)...
  • (Also sent by e-mail.)

    Hi there,

    I just read your article at internetweek (Opinion: Reasons To Shun Open Source-ry) and I must that although I don't agree with your opinions I think you have some backbone to say them in public :o)

    Of particular amusement was this part:

    "He is contemplating building an open source-free saferoom in his solar-powered home."

    I only hope that you weren't planning on installing Windows on any of those machines as the Windows TCP stack and Microsoft SFU are (Free|Open)BSD derived
  • by doodleboy (263186) on Friday October 10, 2003 @09:15PM (#7187107)
    There will always be apologists for the rich and powerful, be they journalists, politicians, or supposedly impartial "analysts" like Enderle. Such people are responsible for the endless flood of Microsoft-sponsored "studies" purporting to show that Windows is more secure, more stable, has a lower total cost of ownership, wipes your ass for you, etc. So when Enderle says
    I'm not a big fan of diversity because so much the research I've done over the last decade or so indicates that by eliminating diversity you can dramatically reduce costs. Companies can minimize support costs by rolling out identical hardware and software to every desktop through big bang deployments. Going the other way in a knee jerk reaction to just one class of security threat seems poorly founded.
    he seems not to have considered the cheapest possibility - a monoculture of free software, which has lower cost, better security, and higher performance. Now how is that?
  • This seemed flawed in the explanation. If you have a 'master' key then breaking into the desk would make it so any door could be opened. Having a 'ring of keys' makes it more difficult after the theft as no single key will grant access to the kingdom. The breach of course was the inept lady who kept her ring of keys in a desk.
    Also the first port listed would be more accurate. IIS has always been the biggest flaw in their operating system. IIS6 will be exploited by the end of the year (my prediction.. w
  • I didn't see much which actually addressed actual problems in Enderle's "solutions". Closing port 135 will not address Sobig type mail worms, neither will putting all the users machines in a server room. His point about MSOffice on the Mac avoids the source of most viruses as well, Outlook.

    Not only this, but he contradicts himself when he talks about saving money with a single platform in one sentence but then talks about buying more AV products in another.

    Mr. Enderle, what was your point again and can I
  • "One of his suggestions to secure your enterprise... turn off port 80 [135]"

    No, no, no: turn them *all* off, and *open* them as needed. Jeez. They just... don't... get it. And then they come back later and say "windows and unix are equally secure, windows just gets attacked because it has more market share." They just do not understand basic security concepts.
  • He's right... (Score:4, Insightful)

    by chill (34294) on Friday October 10, 2003 @09:37PM (#7187200) Journal
    The article advocates doing actual *STUDIES* to backup the call for diversity. It also calls for other methods that are basically best practices for a business: a disaster recovery plan, proper backups, firewalls & IDS and managed desktops.

    There is nothing wrong with anything he advocated in this article. Getting supporting evidence and adding diversity to a proper BC/DR plan is 100% correct.

    What he fails to acknowledge is that Microsoft has, for its entire history, made security an afterthought that always lost to convenience.

    Windows 95, 98 & Me were designed as *consumer* OSes, not corporate clients. Consumer OSes had no need for all those network services and ports being open by default. These systems were designed for home users, not businesses. WinNT, 2000 and XP Pro are different animals and are designed to be used in LANs where many of those services are going to be needed.

    The DUN 1.4 update should have patched those Win95/98 systems to lock down almost every incoming port short of DHCP, NTP and DNS returns.

    While MS has made noise recently about an emphasis on security, their actions speak louder than words. WinXP, while more stable than Win98/Me, seems to be just as vulnerable to security problems as other versions of their OS.

    Even though Win95 and Win98 are no longer officially supported, MS needs to release one last patch that locks many of those ports down.

    Unfortunately, no patch in the world will stop clueless users from clicking attachments without looking.
  • http://www.enderlegroup.com/

    Provides consulting services during the review process of a poorly founded negative piece on a vendor or its products and, should it be needed, showcases the research errors, statistical mistakes, and unfounded conclusions that often define such a piece.
  • "Microsoft chief executive Steven A. Ballmer said yesterday that there is "much, much, much" left to do to protect computer users from viruses, worms and other malicious software."

    Where he said "computer users" I think he meant to say "Windows users." Linux, BSD, Mac OS X, hell, pretty much ever OS besides Windows has this pretty much sewn up. Not perfect, but on a security scale of 1 to 10, where 1 is "r00ted in 30 seconds" and 10 is "powered off", Windows is about a 2 and *nix is about a 9.8.
  • "It will ship Windows with security precautions activated that are now left off -- for instance, a firewall program that stops Internet worms such as Blaster."

    I think he meant "Windows worms," not "Internet worms," since his example, Blaster, is in the first category. My Mac OS X firewall can be on, off, or sugar coated, I *ain't* gonna get fucking Blaster on it.
  • So someone writes an article saying it's not very practical to run multiple OSs in a work environment solely for security, and probably not more effective since if anything goes down, it'll probably hinder everything. Further he says earlier reports produce no quantitative evidence to show whether or not there will be a cost reduction in pasting together different systems to improve security. Also there is no mention of port 80 in the article. The article's points are reasonable, but not surprisingly slashd
    • [...] if Linux was the prevalent OS, would you still make the arguement that people should diversify away from Linux to improve security?

      I don't know about anyone else, but I know I would. I think networks should include both OS's, Linux and Mac OSX. I'd say BSD, too, but I heard it's dying...

  • This is perhaps the most ridiculous, biased, inaccurate drivel I've read all year. The fact that it's published as an 'authorative' piece when in fact it's probably no more than sponsored FUD[1] is concerning, and is precisely why I won't be wasting my time reading Information Week in the future. It doesn't take a rocket scientist to work out that monocultures are nothing short of dangerous, and it's a shame to see a more reputable firm like Gartner being criticised for drawing our attention to an important
  • Dear Internet Week,

    Please stop publishing stories by Rob Enderle as it is hurting your reputation and "technology street cred". His stories are filled with obvious bias and fanboyism. Even though his error packed rants may generate a lot of page hits, I guarantee that they are not generating any sort of revenue. It probably would not be very hard to look into it for sure and find out I'm right. If you do your own investigation, you'll find out that the "Enderle Group" is made up of one person: Rob En
  • Ask any Microsoft employee or contractor where Code Red, Nimda, Slammer, attacks are the worst: they will tell you: on CorpNet. This is where ITG supposedly runs "the perfect network."

    Weigh that into your decision as to whether or not the Microsoft monoculture can prevent hacks.
  • And the award for the best word palindrome attempt goes to...
  • Ok, all of his suggestions are fine in principle but they cost money. All in all it seems like, you would be spending more to keep your monoculture OS than you to diversify if only slightly.

    - Accelerated adoption of patches.

    Read: hire another person just to test MS patches so that they don't screw up our system. The story would be different if bad patches were a thing of the past, but MS releases a bad patch about once every year. Try explaining to the CEO or CIO that his IT network went down because

  • Funny... (Score:5, Informative)

    by JRHelgeson (576325) on Saturday October 11, 2003 @02:23AM (#7188348) Homepage Journal
    Its funny how this comes on the heels of what is now the THIRD version of the MS03-026 vulnerability. As you know, MS03-026 is the RPC/DCOM vulnerability that brought us MSBlaster.

    Just after Blaster started clearing up, Microsoft released MS03-039 which is essentially the SAME vulnerability as was -026. They blew it. They didn't fix the problem with the -026 patch, so admin's now had to re-patch all their machines.

    Well, here we go again - only this time the exploit code precedes the MS anouncement and corresponding patch. Yes kids, the hacking underworld has perfected the exploit code for MS03-039 and in doing so uncovered yet another hole in the RPC/DCOM service for which there is NO PATCH AVAILABLE!!! (As of 11 Oct, 2003 0100)

    And for those of you who think that this is just FUD... here's the exploit soucre code [security.nnov.ru]. Simply compile under Linux, then change your shorts.

    Network admins: May I suggest you take your sleeping bag and pillow and put it in your car - theres going to be a lot of late nights at the office coming up.

  • by Animats (122034) on Saturday October 11, 2003 @03:23AM (#7188530) Homepage
    It's worth looking at the litigation option. The best case for a lawsuit would be an ISP that runs no Microsoft software on its hosts, but is incurring signficant costs because of incoming traffic (spam, viruses, DDoS attacks) from compromised Microsoft machines.

    In a case like that, Microsoft's EULA doesn't apply at all, because the injured party isn't running Microsoft software and hasn't agreed to any Microsoft contract terms. This makes it an ordinary negligence claim.

    It's like sueing an auto manufacturer because somebody had a brake failure and hit you. Even if the other party was speeding, the manufacturer can still have some liability for the accident.

    Some Linux-based ISP overwhelmed by Microsoft virus spam and mail bounces should go for this. There's a real case here, with real costs (overtime, extra mail servers, more bandwidth) associated with this stuff.

  • by NerveGas (168686) on Saturday October 11, 2003 @04:12AM (#7188642)

    It does work. Rather well, in fact. One of the most simple, common-sense ways to start port-blocking is to block everything below 1024 except for services that you know that you want to provide. It's amazing how many networks get along just fine with nothing but http, ssh, dns, smtp, and pop-3.

    By doing that and disallowing email with any executable attachments, one of the networks that I maintain has weathered all of the email/network virii/worms without a single incident - despite the fact that they have M$ machines that haven't been updated at all.

    Occasionally, they'll call because someone thinks they have a virus. I'll go and scan all of the machines with the latest patterns, and guess what - no virii.

    Of course, this in no way excuses Microsoft for their horrible security. It's simply a way to get at least a good start at protecting yourself.

    steve

"But this one goes to eleven." -- Nigel Tufnel

Working...