Microsoft Apologist Apologizes for Microsoft

hillbilly1980 writes "Internet Week has published a counter article in response to the number of anti-monoculture security papers recently published. Unfortunately the author starts out by writing off the other papers as simply anti-Microsoft, unfortunate because his paper never gets past being more then just pro-Microsoft. One of his suggestions to secure your enterprise... turn off port 80." Probably the best thing to do to prevent disinformation from entering your company is to block articles by Rob Enderle. Update: 10/11 00:54 GMT by M : Note for the record that the original version of the article referred to blocking port 80; the article has now been edited to refer to port 135.

RTFA?

[Anonymous Coward]

The submittor apparently not, in good /. fashion... I however did read it, and for starters no mention about port 80 (only about port 135). For the rest a lot of bla bla, totally disregarding many of the arguments in the original "monoculture is dangerous" article. For example he assumes that Linux OOo would have exactly the same exploits as Windows OOo. Maybe - but only if you stay within OOo's scripting. Making a cross-platform Blaster or the like is imho next to impossible (are there any cross-platform Windows/Linux binary executables in the first place?)
Lots and lots of nonsensical bla bla from this guy, who really needs to start learning a bit about what he is talking about. Monoculture is dangerous. And no-one promoted multi-culture within one company, only over the whole of the internet population. Multiple platforms within one company will indeed have its own problems.

Wouter.

Just another doofus, move along...

[doodleboy]

There will always be apologists for the rich and powerful, be they journalists, politicians, or supposedly impartial "analysts" like Enderle. Such people are responsible for the endless flood of Microsoft-sponsored "studies" purporting to show that Windows is more secure, more stable, has a lower total cost of ownership, wipes your ass for you, etc. So when Enderle says

I'm not a big fan of diversity because so much the research I've done over the last decade or so indicates that by eliminating diversity you can dramatically reduce costs. Companies can minimize support costs by rolling out identical hardware and software to every desktop through big bang deployments. Going the other way in a knee jerk reaction to just one class of security threat seems poorly founded.

he seems not to have considered the cheapest possibility - a monoculture of free software, which has lower cost, better security, and higher performance. Now how is that?

Funny

[Pan T. Hose]

It may be funny, but sadly some people do really think that firewalling port 80 (or 8080, or 21, or 20, or 22, or 443 -- et cetera, ad nonsensum) is the answer indeed. Some people may be surprised (not Slashdot readers though, mind you) but there simply is no simple answer. There is no working snake oil. The buzzword of the week alone will not save you. What are my answers then? Simple. Read Security Focus. Read Crypto-Gram. Read Phrack. Read the underground IRC discussions. Read encrypted Usenet posts. Read the articles posted on Freenet. Read the books for god's sake! Read about systems. Read about networking protocols. Read about cryptography. Read about cryptanalysis. Employ honeypots in every network. Learn C. Learn Assembly (Intel as well as AT&T syntax, for different CPU architectures). Learn executable binary formats. Learn how to see polymorphic shellcodes in network packets hex dump, just looking at tcpdump output scroling on your terminal. Learn how to speak different protocols (http, smtp, pop3, etc.) with netcat, then making your own tcp packets, then your own hand-made ip packets, then ethernet, ppp and slip. Learn. Read. Then learn some more. Read. Read. Read. And learn the one most important thing: security is not easy. When everything fails, you are on your own.

Another critique of the "monoculture" paper

[Anonymous Coward]

I wrote another critique of the monoculture paper [invisiblog.com] on my blog. This monoculture business is a flawed analogy. It makes sense for crops, because if one crop gets infected it doesn't shoot firebombs into all the other crops and burn them to the ground. However, infections in a widespread OS can be just as harmful to systems based on other operating systems, as the recent DDOS attacks [slashdot.org] which took down some of the anti-spam servers showed.

Re:His suggestions..

[Anonymous Coward]

From my personal experience, the things he suggested does not work against blaster and welchia. We run a relatively large school district in the troubled state of california. We have around 104 school sites to manage and we are only 30 people strong.

Back a few years ago we implemented a solution to manage all of this. We implemented exactly some of those things he suggested. We kept around 3 standards for academic desktops and a single standard for administrative desktops. We use ghost to keep images of all the deployed hardware. This kept things simple, if a desktop break we swap in a replacement and fix the broken one.

We did the same with our routers and servers. They are all standards except for the ones running custom apps of long forgotten ages. We even deployed "network management" servers based on linux to each school sites. All the box does is dhcp, firewall and proxy.

We implemented another one of his suggestion. We lock down academic desktops with deep freeze because the kids will destroy it if we don't...happened way too often in the past.

We have esafe viruswall and norton doing all our virus protection. We use the enterprise managed virus database update too. We have routine schedule for admin desktops to scan for virus during lunch time.

We already have all those unnecessary windows ports closed down on our edge routers and firewalls (yes multiple).

With all of this inplace, you know what it got us? We still got fucked by blaster. And welchia fucked our core routers.

How did they get in you ask? Well for one we cannot enforce patches on desktops. We had same trouble with virus scans. The decission we made was to have virus scan run at lunch time because majority of the users leave their computers on during this time and usually they don't sit there doing stuff. Unfortunately we can't put windows auto update on this same time frame. We don't know how long each virus scan will finish, it depends on how much crap the user have put in the machine. If we put windows update before virus scan, we'll have the same problem of not knowing when the process finish. Both piece of software have their own little scheduler, I wish they are integerated so they can scan and patch at the same time. We can't schedule things at night because we try to save some money on our electricity bill. It's not worth keeping these machines up at night (even on standby, we got way too many machines) to have it autoupdate.

We believe the virus got in via a laptop. It must have been infected at home then infect stuff at work. The first site to get hit was the main offices where we have the most laptop users. None of the school sites got infected until 2 weeks after the blaster/welchia outbreak.

When the high schools get hit...that's when it gets really nasty. The first high school that got hit has the most computer labs and most win2k desktops (at least one in each classroom). It was insane, we had a complete network slow down. The welchia ping scans slowed down routers to a crawl. We turned off icmp on the linux firewall at the school site and all went well again.

Patching was a real pain. With all these desktops deep frozen...yeah you gotta enter password and stuff...then patch and scan. You would think that we could just turn off all machines and they should all come up clean afterward....but no....there was probly one machine we forgot. For this one high school, the infestation was so bad that we abandoned any idea of patching. We built patched images for each of the different hardware we have deployed and reimage the whole school. We are very thankful for ghost multicast and solid ethernet backbone of the school. It still took us 3 days to fix. We had to use some kids (we love those unpaid labors =D) to get all the machines booted to ghost and stuff.

Other high schools we are still trying to patch. One high school has a technology person doing all the patching. Poor guy, it's been 2 or 3 weeks since he started

Turnabout is Fair Play.

[_Sprocket_]

Slashdot is too subjective.

...meanwhile Rob Enderle is the pinicle of objectivity?

Slashdot has never claimed any kind of objective viewpoint. Its rather biased. And its become well-known, if not always popular, because of that bias.

Slashdot filled an interesting niche; a dissenting opinion when the IT press was almost entirely Windows-centric. Linux was quietly seeping in to the Enterprise. But the mainstream IT press either ignored it or was unfairly dismissive. Slashdot was a forum most noted for its pro-Linux and Open Source friendly opinions.

Times have changed.

Now, its not worthy a Slashdot news post just because a mainstream IT rag has mentioned Linux. Its not entirely unlikely to find pro-Linux / pro-Open Source articles in the mainstream. Right next to the pro-Windows articles. And the press releases being masquaraded as an article. Some things don't change, after all.

Slashdot's bias is one of those constants.

I'm kind of curious. It seems that over the years, Slashdot has gained more pro-Windows readers. Mainstream attention has either provided more people with a Windows-centric viewpoint or its attracted more astroturfers and trolls.

But for every time I see someone complain about Slashdot displaying an "unfair" bias against Microsoft, I wonder how many people like myself sit quietly in the background glad that Slashdot keeps that bias firmly in place.

Re:Slashdot

[Newcastle22]

Not completely true. In addition to being owned by Microsoft, Rob Enderle also makes little sense.

"Because the key ring was so large it was easy to find and exploit. This is not to say the approach of having a single, master key was more secure, only that the fix actually didn't mitigate the problem at all, in fact it actually made the keys easier to find."

What is he talking about? This analogy was pulled straight from the man's ass, obviously. He's comparing the virtual size of bits to the physical size of a keyring. Sure, size of files are noteworthy to crackers, but any descent sysadmin memorizes his 'keys' anyways. What a stretch this one was.

"For example, if a virus targeted Microsoft Office and an enterprise deployed Apple systems running Office, for compatibility reasons, that enterprise would probably be damaged by the attacks."

This is simpley not true. I can point to the example of internet explorer exploits that only worked on Apple versions of the software (www.w00w00.org, I believe). I'm sure folks here can come up with a hundred examples of why this is not true. Summed up, same applications work differently across different architectures. Its half of the reason why non-monoculture works well to secure networks. (The other half is having different OS's.)

"But he penetrated the site in under a day by attacking another company which had trusted links into the IBM-secured site."

I'll lay a bet this other company was running Windows servers.

"One of the biggest problems caused by diversity is that it become very difficult for the IT staff to maintain equal competence on all platforms."

Here is the only good point this guy makes, and he makes it at many different points throughout this article, but in different wording each time (I'm assuming he was having a hard time finding something constructive to say). There is an easy solution to this: use Linux on the entire network. There's a secure AND cheap solution for small, medium, and big businesses! In addition, having servers run Linux, and Windows on the client side (assuming your clients aren't smart enough to learn Linux) isn't an entirely infeasable solution.

Seriously though, Rob is making non-monoculture sound more difficult than it may be. As far as cost goes, since no one has done enough research to balance cost against security in multiplatform networks, he can't assume that the costs will outway the benefits any more than the anti-Microsoft security experts can do the opposite. This basis of his article relies on speculation at best.

Dan