Microsoft

Microsoft Apologist Apologizes for Microsoft 446

Posted by michael
from the calling-it-like-it-is dept.
hillbilly1980 writes "Internet Week has published a counter article in response to the number of anti-monoculture security papers recently published. Unfortunately the author starts out by writing off the other papers as simply anti-Microsoft, unfortunate because his paper never gets past being more than just pro-Microsoft. One of his suggestions to secure your enterprise... turn off port 80." Probably the best thing to do to prevent disinformation from entering your company is to block articles by Rob Enderle. Update: 10/11 00:54 GMT by M : Note for the record that the original version of the article referred to blocking port 80; the article has now been edited to refer to port 135.
  • Slashdot (Score:2, Insightful)

    by Karamchand (607798) on Friday October 10, 2003 @08:39PM (#7186947)
    Slashdot is too subjective.
    Ok, it is completely understandable and ok that slashdot is not a pro-microsoft-newsletter. But still I would have expected a bit more. Not just "oh, and if Rob Enderle is from Microsoft everything he says is bad".
  • by Anonymous Coward on Friday October 10, 2003 @08:40PM (#7186953)
    And on the front page, no less.
  • by CrankyFool (680025) on Friday October 10, 2003 @08:48PM (#7186988)
    That's because he's got the wrong focus.

    The monoculture risk is real when you're looking at the 64,000 view -- the entire population. They're not really all that much of a risk when you're dealing with, say, an enterprise's systems, and there's not that much benefit to them in that kind of environment (disregarding things like security devices for the moment).

    We've used the agriculture analogy before to describe the issues around monocultures, so to continue to use it, we can say that his point is that monoculture isn't really an issue because when you're tilling a single field, it's a pain in the ass to put multiple crops on it. True, but that's not the point -- it's when you've got one crop on *ALL* the fields (all the enterprises) or at least a substantial portion of them that you get into a problem.
  • by freeweed (309734) on Friday October 10, 2003 @08:48PM (#7186990)
    The article advocates restricting port 135, not port 80.

    Why the hell is this port even open in the first place? And unclosable at that?

    I'm about as geeky as they get, and I've never used any RPC-based apps outside of an academic environment. I'm pretty sure the 3 home users in the planet who actually use it can figure out a way around it.

    Ah, good old Microsoft. "It's not our fault people write exploits for needlessly internet-facing services."
  • by Kaboom13 (235759) <kaboom108@bellsout[ ]et ['h.n' in gap]> on Friday October 10, 2003 @08:52PM (#7187010)
    You make several accusations about the article's bias. But instead of giving us the article and letting the readers make that judgement, or even making a logical argument for why he is wrong, you instead attack the author, and tell us how we should feel about the article. Anyone that reads slashdot can probably pick out the (alleged) MS bias by themselves. Keep your opinions to your damn self if you aren't willing to back them up.
  • His suggestions.. (Score:4, Insightful)

    by taradfong (311185) * on Friday October 10, 2003 @08:54PM (#7187020) Homepage Journal
    Let's look at some of these...

    - Accelerated adoption of patches.

    Ok, yes you do have to stay patched. But this is like blaming people with flawed cars for not going to the car dealer each week to check for recalls. Microsoft's abundance of patches indicates poor design and methodology, period.

    - Locking down desktops so users cannot make changes and viruses and worms can't install themselves and run.

    Ok, so rather than design the apps safely out of the box, we need to handcuff the users and do the dirty work ourselves. I guess all those Outlook viruses were our fault.

    - Restricting ports, such as port 135, which effectively stopped the latest virus attack.

    Wow! What a concept! I never thought of this! Now I know where all my problems are coming from! It's not from the software, it's my fault for actually allowing connectivity!

    - maintaining "hot sites," or duplicates of key elements of the IT infrastructure, so if the main infrastructure is compromised, users can quickly switch to backup systems.

    Sounds like a way to sell licenses. Ok, since we can't make our product stable, buy 2 copies and hope one works.

    - Developing the capability to rapidly restore compromised software and data from backups.

    Right. Key word is, develop. Why does an end user, paying hundreds of dollars per seat need to 'develop' something as common as this.

    - Adding security staff or outsourced services.

    Right. Keep sending us your licensing fees, and then spend more money to make up for the gaps in our software. Don't trust any of that 'free software' crap you read on the internet - those Linux guys are a bunch of hacks. Hire an MSCE. Preferably from another country.
  • by Jeremiah Cornelius (137) on Friday October 10, 2003 @09:13PM (#7187099) Homepage Journal
    This guy has S*hit for brains, and demonstrates this in every one of his hit piece M$ troll "articles".

    Restrict 135 - Yeah Baby!

    Except the major worm infestations haven't used the Internet as the primary exploit vector when demolishing the infrastructure at medium and large enterprises. Blaster and Slammer were "carted in" via laptops, poorly configured VPNs, permissive network sharing with business partners and improperly segmented test/development networks. Slammer just took a major grocery-chain's national WAN down for more than a day. This, 8.5 MONTHS after protecting the edge, and main production boxes for the exploit and blocking SQL discovery.

    There are tag vulnerabilities in the wild, outside the scope of the latest MS patch, 7 days ago. These are capable of planting trojans -- bypassing AV message filters in HTML-formatted mails with Outlook clients, and can be set in invisible-frames, etc.

    Enderle thinks that because he ran through pro-forma auditing that he has the expertise to second guess Schneier and Geer? Gimme a break! I take Marc Ranum's criticism of these guys' work - not some paid-for-troll who scoffs at the bulk of the working code deployed over the past 40 years as "Open Source-ery".

  • He's right... (Score:4, Insightful)

    by chill (34294) on Friday October 10, 2003 @09:37PM (#7187200) Journal
    The article advocates doing actual *STUDIES* to back up the call for diversity. It also calls for other methods that are basically best practices for a business: a disaster recovery plan, proper backups, firewalls & IDS and managed desktops.

    There is nothing wrong with anything he advocated in this article. Getting supporting evidence and adding diversity to a proper BC/DR plan is 100% correct.

    What he fails to acknowledge is that Microsoft has, for its entire history, made security an afterthought that always lost to convenience.

    Windows 95, 98 & Me were designed as *consumer* OSes, not corporate clients. Consumer OSes had no need for all those network services and ports being open by default. These systems were designed for home users, not businesses. WinNT, 2000 and XP Pro are different animals and are designed to be used in LANs where many of those services are going to be needed.

    The DUN 1.4 update should have patched those Win95/98 systems to lock down almost every incoming port short of DHCP, NTP and DNS returns.

    While MS has made noise recently about an emphasis on security, their actions speak louder than words. WinXP, while more stable than Win98/Me, seems to be just as vulnerable to security problems as other versions of their OS.

    Even though Win95 and Win98 are no longer officially supported, MS needs to release one last patch that locks many of those ports down.

    Unfortunately, no patch in the world will stop clueless users from clicking attachments without looking.
  • by sheldon (2322) on Friday October 10, 2003 @11:09PM (#7187514)
    MDAC in 1997? That would have been version 1.0. Version 1.5 didn't come out until the NT Option Pack was released in early 1998.

    So you're claiming that Microsoft has a record of not writing good software based upon a bug you found in a 1.0 version of a product?

    Fascinating. BTW, while we're at it... How many bugs have you found in your Java environment? How many times did you have to upgrade to fix them? Where was Java in 1997 and where is it today?

    "In my opinion, fabricated terms that begin with "anti-" tend to be used to describe an irrational hatred of something, and that's what I'm seeing here."

    Don't you have an irrational hatred of something?
  • Yes (Score:3, Insightful)

    by Pan T. Hose (707794) on Saturday October 11, 2003 @12:02AM (#7187769) Homepage Journal
    I particularly like the GNU operating system approach to improving the Unix security. Of course I mean the Hurd kernel, not Linux. We all know ACLs, MAC, POSIX capabilities and even the Hurd auth servers are not the final solution, but one has to admit it's a good start which will surely lead to quite an interesting research during the following decades.
  • Re:Slashdot (Score:3, Insightful)

    by ChaosDiscord (4913) on Saturday October 11, 2003 @01:08AM (#7188035) Homepage Journal

    This guy is an amazing tool. My favorite line so far? He claims that open source puts you at more risk for litigation. But doesn't proprietary software have the same risk? No, and here's his claim why:

    The pain associated with getting hold of proprietary source code is one of the things that limits intellectual property lawsuits for commercial software. But with open source software, the code is already available, out in the open.

    So apparently it's all okay, because you're less likely to get caught.

    Humorously, he claims the moral high ground because he argues on logic, not emotion, but his arguments are heavily tainted by his emotional attachment to Microsoft. He attacks strawmen arguments for the Open Source side, real nice debating.

    He's a troll and FUDmonger. Fuck him.

  • by Animats (122034) on Saturday October 11, 2003 @03:23AM (#7188530) Homepage
    It's worth looking at the litigation option. The best case for a lawsuit would be an ISP that runs no Microsoft software on its hosts, but is incurring significant costs because of incoming traffic (spam, viruses, DDoS attacks) from compromised Microsoft machines.

    In a case like that, Microsoft's EULA doesn't apply at all, because the injured party isn't running Microsoft software and hasn't agreed to any Microsoft contract terms. This makes it an ordinary negligence claim.

    It's like suing an auto manufacturer because somebody had a brake failure and hit you. Even if the other party was speeding, the manufacturer can still have some liability for the accident.

    Some Linux-based ISP overwhelmed by Microsoft virus spam and mail bounces should go for this. There's a real case here, with real costs (overtime, extra mail servers, more bandwidth) associated with this stuff.

  • by NerveGas (168686) on Saturday October 11, 2003 @04:12AM (#7188642)

    It does work. Rather well, in fact. One of the most simple, common-sense ways to start port-blocking is to block everything below 1024 except for services that you know that you want to provide. It's amazing how many networks get along just fine with nothing but http, ssh, dns, smtp, and pop-3.

    By doing that and disallowing email with any executable attachments, one of the networks that I maintain has weathered all of the email/network virii/worms without a single incident - despite the fact that they have M$ machines that haven't been updated at all.

    Occasionally, they'll call because someone thinks they have a virus. I'll go and scan all of the machines with the latest patterns, and guess what - no virii.

    Of course, this in no way excuses Microsoft for their horrible security. It's simply a way to get at least a good start at protecting yourself.

    steve
  • by jadavis (473492) on Saturday October 11, 2003 @06:30AM (#7188926)
    IMO, it's better to block everything anyway, then open up ports as needed.

    In the short term, you block the latest worm. In the long term, you just forced everyone to use an alternative protocol tunneled through an accessible port. Why? Because the internet is successful because almost any computer can send almost any computer almost any digital message in an efficient way. If you feel like complaining about the dumb users on the network, think about the alternative: what if we all grew up where all we had was web/email on a thin client? If you give everyone a "smart" network and a dumb client, you end up with television. I'll take my smart linux box on a dumb network, thanks. (heck, even a windows box is smarter than a dumb client. Some assembly required. Or at least winperl.)

    So, if you firewall off 99% of the ports, and then some smart users need to innovate and they tunnel over the last 1%, you have a new, slower network stack that will require a new, slower firewall for the new type of protocol. Not to mention that most of that innovation just won't happen when you make it so difficult.

    I just don't see restrictive firewalling as a long-term solution. The real long-term solution is to install a desktop OS that doesn't ship with network services running by default.
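
Added example, not part of any comment in this thread: a small Python comparison of the two filtering policies described above, NerveGas's "block everything below 1024 except for services that you know that you want to provide" and jadavis's "block everything anyway, then open up ports as needed", evaluated against constructed unsolicited inbound connection attempts. The port numbers assigned to the named services, the 1434/udp SQL Server discovery port, and all function names are assumptions of this example, not details from the posts.

```python
# Added illustration; not code from any commenter in the thread.
from dataclasses import dataclass

# Services NerveGas names (http, ssh, dns, smtp, pop-3) on their
# standard ports. The mapping is an assumption of this example.
ALLOWED = {("tcp", 22), ("tcp", 25), ("tcp", 53), ("udp", 53),
           ("tcp", 80), ("tcp", 110)}

@dataclass(frozen=True)
class Conn:
    proto: str
    dport: int
    note: str

def below_1024_policy(c):
    """Drop ports below 1024 unless allowlisted; ports >= 1024 pass."""
    if c.dport < 1024:
        return "accept" if (c.proto, c.dport) in ALLOWED else "drop"
    return "accept"

def default_deny_policy(c):
    """Drop everything, then open only the allowlisted services."""
    return "accept" if (c.proto, c.dport) in ALLOWED else "drop"

# Constructed sample of unsolicited inbound connection attempts.
SAMPLE = [
    Conn("tcp", 80, "web"),
    Conn("udp", 53, "dns"),
    Conn("tcp", 110, "pop-3"),
    Conn("tcp", 135, "MS RPC, the port the article says to restrict"),
    Conn("udp", 1434, "SQL Server discovery, the port Slammer used"),
]

def disagreements(conns):
    """Connections on which the two policies reach different verdicts."""
    return [c for c in conns
            if below_1024_policy(c) != default_deny_policy(c)]

def report(conns):
    """One (proto, port, below-1024 verdict, default-deny verdict) row each."""
    return [(c.proto, c.dport, below_1024_policy(c), default_deny_policy(c))
            for c in conns]

if __name__ == "__main__":
    for proto, port, a, b in report(SAMPLE):
        print(f"{proto}/{port:<5} below-1024: {a:<6} default-deny: {b}")
```

Both policies drop 135/tcp; they differ only on 1434/udp, which the below-1024 rule passes because the port is not in the privileged range.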

  • by Zontar The Mindless (9002) <plasticfish@info.gmail@com> on Saturday October 11, 2003 @11:41AM (#7189767)
    Do you honestly think that if a particular brand of automobile actually caused more accidents, that people wouldn't avoid it on their own, if for no other reason than the fact that insurance premiums would be outlandish?
    No, I do not.

    Ever hear of something called an "SUV"?
