Free Republic
News/Activism

Experts Say Microsoft Security Effort Failing
Reuters | January 30, 2003 | Elinor Mills Abreu

Posted on 01/31/2003 1:22:27 AM PST by HAL9000

SAN FRANCISCO (Reuters) - Computer security experts said on Thursday the recent "SQL Slammer" worm, the worst in more than a year, is evidence that Microsoft Corp.'s year-old security push is not working.

"Trustworthy Computing is failing," Russ Cooper of TruSecure Corp. said of the Microsoft initiative. "I gave it a 'D-minus' at the beginning of the year, and now I'd give it an 'F.'"

The worm, which exploited a known vulnerability in Microsoft's SQL Server database software, spread through network connections beginning on Saturday, crashing servers and clogging the Internet.

It hit a year and one week after Microsoft Chairman Bill Gates sent a company-wide e-mail saying Microsoft would make boosting security of its software a top priority.

Microsoft placed responsibility on computer users who failed to install a patch that had been available since at least last June.

"The single largest message is: keep your system up to date with patches," Microsoft Chief Security Officer Scott Charney told Reuters.

But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said. For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm.

"Microsoft was completely hosed (from Slammer). It took them two days to get out from under it," said Bruce Schneier, chief technology officer of Counterpane Internet Security, a network monitoring service provider. "It's as hypocritical as you can get."

FIX COULD HAVE NULLIFIED PATCH

"We should have done a better job" in protecting the company's own network, Mike Nash, corporate vice president of Microsoft's security business unit, said on Wednesday. "We understood some things customers were facing and it, in some ways, helped us. It was a learning course."

There was another misstep on Microsoft's part that illustrates the problems with patches, Cooper said.

In October Microsoft released a fix for a different SQL Server problem that, if installed in the expected manner, would have made patched systems vulnerable again, he said. "If I followed their advice I'd have been vulnerable."

Microsoft spokesman Rick Miller said administrators were given the option with the fix to install it so the patch was intact. He also said he knew of no customers who installed the fix and were still hit by the worm.

But, most people installing the fix would not necessarily have known how to install it in a safe way, Cooper countered.

The week before Slammer hit, Microsoft released a service pack that would have fixed the problems. But not only are there too many patches to keep up with, people are reluctant to install them for fear they will interfere with their systems.
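The October fix described above is an instance of patch regression: a later hotfix carries an older copy of a file that an earlier security patch had already replaced, so applying it the default way quietly reopens the hole. The following is an added example, not code from the article or from Microsoft. It models that failure mode with constructed file names and version numbers (netlib.dll, query.dll and the 8.0.x versions are assumptions for illustration, not the real SQL Server patch contents) and shows the post-install audit an administrator would want: record file versions before the install, compare afterwards, and flag anything that went backwards.

```python
"""
Added example (not from the Reuters article or from Microsoft): a model of the
patch-regression failure mode, where a later hotfix, applied the "expected"
way, reinstalls an older copy of a file that an earlier security patch had
already fixed. File names and version numbers are constructed for illustration.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'8.0.534' -> (8, 0, 534). Numeric comparison avoids the string-compare
    bug where '8.0.9' sorts after '8.0.10'."""
    return tuple(int(part) for part in s.split("."))


# Constructed baseline: a server that already has the earlier security patch.
PATCHED_SERVER: Dict[str, str] = {
    "netlib.dll": "8.0.534",  # hypothetical file replaced by the security patch
    "query.dll": "8.0.384",
}

# Constructed later hotfix: it fixes query.dll but was built from a tree that
# predates the security patch, so it bundles an OLDER netlib.dll.
LATER_HOTFIX: Dict[str, str] = {
    "netlib.dll": "8.0.384",
    "query.dll": "8.0.561",
}


def apply_blind(server: Dict[str, str], hotfix: Dict[str, str]) -> Dict[str, str]:
    """The 'expected manner': copy every file the hotfix ships, regardless of
    what is already installed. This is how a regression happens."""
    out = dict(server)
    out.update(hotfix)
    return out


def apply_version_aware(server: Dict[str, str], hotfix: Dict[str, str]) -> Dict[str, str]:
    """Only replace a file when the hotfix copy is strictly newer, so an earlier
    security patch stays intact."""
    out = dict(server)
    for name, ver in hotfix.items():
        if name not in out or parse_version(ver) > parse_version(out[name]):
            out[name] = ver
    return out


def regressions(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Post-install audit: names of files whose version went backwards.
    Run this after every hotfix, whichever installer behaviour you trust."""
    return sorted(
        name
        for name in before
        if name in after and parse_version(after[name]) < parse_version(before[name])
    )


if __name__ == "__main__":
    for label, install in (("blind", apply_blind), ("version-aware", apply_version_aware)):
        after = install(PATCHED_SERVER, LATER_HOTFIX)
        print(f"{label:14s} regressions: {regressions(PATCHED_SERVER, after) or 'none'}")
```

The audit function is the part worth keeping: an installer's own claim that it "preserved" an earlier patch is only as good as the file versions left on disk, so snapshot them before the install and diff afterwards.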

EGG ON FACE

Microsoft admits making a mistake with the SQL fix and has "egg on our face" over being hit by the worm, Miller said.

"What this demonstrates and what we readily acknowledge is the patch management process is too complex," he said. "Microsoft is committed to reorganizing our patch system and delivering high-quality patches in a streamlined way."

Nash defended the Trustworthy Computing initiative, saying the company's security process and culture have changed. For instance, all Windows developers have received special security training, he said.

However, the fruits of that may not show up until future versions of products are released, said Richard M. Smith, a Cambridge, Massachusetts-based computer security consultant. "I'd rather they focus on the problems we have today."

"The problem is the whole patch regime has lots and lots of problems," he said. "It would be much better if the software shipped from Microsoft with fewer problems to begin with."

The solution: install patches, along with firewalls and other security software and services, as well as demand better products from Microsoft, the experts said.

In the meantime, Schneier said he was thinking of switching from Windows to the Macintosh platform because of all the security issues. "My wife has a Mac and she doesn't worry about viruses, trojans, leaks...," he said.

A Consumer Reports survey last year found that virus infection rates on Macs are half what they are on Windows, noted Smith. "Is that because Macs are safer? I think the answer is yeah."



TOPICS: Business/Economy; Extended News; Technical
KEYWORDS: hillbillycomputing; lowqualitycrap; microsoft; slammer; virus; worm

1 posted on 01/31/2003 1:22:27 AM PST by HAL9000

To: HAL9000
Patches here, patches there, patches everywhere.

Welcome to Hillbilly Computing 101....
2 posted on 01/31/2003 1:59:12 AM PST by JoJo Gunn

To: HAL9000
"Microsoft is committed to reorganizing our patch system and delivering high-quality patches in a streamlined way."

And it won't cost you a dime.* (Hehehe)

* (Except for the subscription to Bill's new .PATCH system.)

America's Fifth Column ... watch Steve Emerson/PBS documentary JIHAD! In America
New Link: Download 8 Mb zip file here (60 minute video)

Who is Steve Emerson?

3 posted on 01/31/2003 2:55:21 AM PST by JCG

To: HAL9000
Time for American businesses to outsource these security issues to programmers in China, India, Pakistan and Iraq. Can't trust 'em but hey...they're cheap.
4 posted on 01/31/2003 5:01:04 AM PST by guitfiddlist

To: JoJo Gunn
Microsoft could deliver almost all the benefits of Palladium if they shipped a public key encryption infrastructure for mail, IM, and files. Palladium is not about security, it is about putting Big Brother inside.
5 posted on 01/31/2003 5:22:11 AM PST by eno_

To: HAL9000
But Bush2000 assured me that .NET and MSDE was going to be as safe as... as safe as...(??) can't remember if he said the Titanic or the World Trade Center??
6 posted on 01/31/2003 5:31:21 AM PST by chilepepper

To: HAL9000
In other news...water believed to be wet.
7 posted on 01/31/2003 5:41:42 AM PST by B Knotts

To: eno_
Palladium sounds very scary to me, what I understand of it. I'm running ME, which some don't like, but I'll suffer with it long as possible, because I don't care for Big Brother XP either.

Just got this a few minutes ago, which some might find interesting:

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2909857,00.html
8 posted on 01/31/2003 6:19:49 AM PST by JoJo Gunn

To: B Knotts
Hee hee.

A Consumer Reports survey last year found that virus infection rates on Macs are half what they are on Windows, noted Smith. "Is that because Macs are safer? I think the answer is yeah."

This stuff really makes the mean and cranky Anti-Mac people mad.

Cheers, CC :)

9 posted on 01/31/2003 7:23:29 AM PST by CheneyChick

To: JoJo Gunn
Patches here, patches there, patches everywhere.

Welcome to Hillbilly Computing 101....

Now don't put down Microsoft's by sayin' their 'puter skills aren't as good as them Hillbillies. It taint nice.

10 posted on 01/31/2003 7:41:10 AM PST by jriemer

To: HAL9000
In October Microsoft released a fix for a different SQL Server problem that if installed in the expected manner would have made patched systems vulnerable again.... Microsoft spokesman Rick Miller said administrators were given the option with the fix to install it so the patch was intact.

The option?? "Do you want to keep the last security patch you applied? (Default = No)"

.. not only are there too many patches to keep up with, people are reluctant to install them for fear they will interfere with their systems.

This, unfortunately, is Microsoft's legacy... it has taught people to never be the first on their block to try anything.

"The problem is the whole patch regime has lots and lots of problems," [Richard M. Smith, a Cambridge, Massachusetts-based computer security consultant] said. "It would be much better if the software shipped from Microsoft with fewer problems to begin with."
The solution: install patches, along with firewalls and other security software and services, as well as demand better products from Microsoft, the experts said.

Hey, what a concept!

11 posted on 01/31/2003 7:47:58 AM PST by TechJunkYard (via Cherie)

To: jriemer
Ahm sorree. Ah fergut mah mannirs. Ah pollerjise.
12 posted on 01/31/2003 8:39:20 AM PST by JoJo Gunn

To: HAL9000
In other news, Mac OSX continues its march into obscurity and irrelevance...
13 posted on 01/31/2003 9:33:21 AM PST by Bush2000

To: Bush2000
"Trustworthy Computing is failing," Russ Cooper of TruSecure Corp. said of the Microsoft initiative. "I gave it a 'D-minus' at the beginning of the year, and now I'd give it an 'F."'

That's really something to be proud of, eh?

In any case, Apple's marketshare did increase last year.

Based on the messages we're seeing on the forum lately, there seems to be a lot of FReepers switching to Linux and OS X. I think that trend will continue.

14 posted on 01/31/2003 11:00:33 AM PST by HAL9000

To: HAL9000
Won't be long before BUSH2000 shows up defending good old MS....
15 posted on 01/31/2003 11:03:45 AM PST by HamiltonJay

To: HAL9000
Based on the messages we're seeing on the forum lately, there seems to be a lot of FReepers switching to Linux and OS X. I think that trend will continue.

You may yet crack 2.0000000001%
16 posted on 01/31/2003 11:10:02 AM PST by Bush2000

To: Bush2000
Saaaaaaay, you like Windows?

I've written a program that identifies every freeper's ip address, real name, age, political party affiliation, shoe size, and known whereabouts in the last 6 months. You can buy this program from me for about $250. You must submit to the license agreement (use this software at your own risk) which may or may not post all your personal data on the web, will allow me to take control of your computer if I so choose and give me the authority to send thugs to arrest you if you use the software in any manner not pleasing to me. You agree not to hold me liable for anything whatsoever.

Technical support is free for 3 days starting with the day the software is shipped. You must sign up for a technical support plan after that costing, on an annual basis, $36000 for the first year and $39k for the second. The tech support number is not toll free.

There is no warranty with this software, implied or expressed. In fact, it won't work out of the box and you'll have to call tech support for help. It will always be a hardware problem and never a software problem-- no matter what. If, for some reason you cannot get the software to run at all, there is a remedy. We will offer upgrades every 3 years that will run at least as well.

17 posted on 01/31/2003 11:21:17 AM PST by Dataman

To: Bush2000
Hi Cranky! How are you? It's been a while...

Cheers! CC :)

18 posted on 01/31/2003 1:10:01 PM PST by CheneyChick

To: CheneyChick; Bush2000; Sabertooth; HAL9000; coteblanche; RikaStrom; kattracks; Texaggie79; ...
Well, Hello CC & Friends, it's been a while for me, too. I have been remiss with just a last post in April. Hope everyone is fine under the circumstances of whatever life is throwing at you these days. I will work on a haiku sometime.... - bwteim
19 posted on 01/31/2003 6:33:56 PM PST by bwteim (It has been a while - all I had to do was find an MS thread with Bushy in it)

