Frustration Over Microsoft's Security Problems Grows
Douglas Chick

Many I.T. people are simply fed up with the constant, never-ending stream of security problems that come with Microsoft's Windows products, and I count myself among that ever-growing list of frustrated computer professionals. When I returned from a ten-day vacation, a single security patch behind, seven out of eleven servers attached to a remote DSL network had been taken over by intruders. Granted, I should have had a firewall in front of these computers, but because of their functionality I couldn't justify the expense. But still, am I to blame, or should Microsoft be held accountable?
One California woman believes Microsoft should be held to blame, and she has filed a lawsuit using the new California privacy law. Marcy Levitas Hamilton alleges that because of Windows security vulnerabilities that were exploited by last summer's SoBig worm, thieves were able to steal her Social Security number and bank details. She is seeking to represent all Windows users in her suit. If she is successful she will achieve what many have failed to do: hold Microsoft legally liable for damages linked to flaws in its programming code, even though the company's customers give up this right under the terms and conditions of Microsoft's end-user license agreements.
Joe Ritchey, a network administrator in Orlando, Florida, disagrees. He believes that Microsoft is the victim of its own popularity and that any operating system with the majority market share would suffer the same fate. When I asked him, "Doesn't it bother you that you are sometimes kept at work late fixing many of the problems created by Microsoft security flaws?" Joe's reply was, "No, not at all. It's what keeps us in business. Repairing these problems is one aspect of the job that can't be outsourced to another country."
It seems to many people that Microsoft is taking too long to fix the overall problem and relies too much on security patches, which amount to patching over a sinking ship. In early 2002 Microsoft declared that it was halting software development for a month so that its developer teams could focus on one issue: security. Two years later, security seems even worse, with no visible improvement from Microsoft.
Wilbur Pan, a pediatric oncologist at the Cancer Institute of New Jersey in New Brunswick, was quoted in PC World magazine as saying: "We got hit hard by the rash of viruses that came along back in August, both in the medical school system and in the university hospital system." Ultimately, he switched his personal work system over to Linux. "The lack of accountability is one reason I switched away from using Microsoft products."
Even though I am loyal to Microsoft, the constant stream of security bulletins and buffer overflows makes me question whether I have made the right decision for my company in using Microsoft operating systems.
Let me hear from you. Should the security flaws in Windows be viewed as taking the good with the bad, or should Microsoft have some accountability for its own product?
DougChick@TheNetworkAdministrator.com
Response from Chris Louviere
Network Engineer
Security is a layered concept. Each layer is responsible for a certain area or threshold. Now...very few of us in this business have the time to do our jobs and write/build all of the software/hardware we need in house. That means that almost to the Administrator we purchase hardware/software to help us. We do this from various Vendors who enter into an agreement to provide us a product that does what it says it will. Now there is the rub. In the case of the world versus Microsoft...they are not doing the job. They are providing a substandard product. Now, before all of the "should've had a firewall...and locks on the doors" people get upset...hear me out.
Microsoft and the rest of the Vendors still write code that allows for the simplest buffer over-run exploits. They continue to write code that is half done or broken. They continue to write code that is desktop centric and written from a "user fluffy, never have to lift a finger to click a choice" concept that removes the entire interface from the user on everything from email to application install. They know it's insecure. They know it is used by every worm and every virus on the planet, yet they continue to write code that way. And they know it's their responsibility, because they write patches and updates to fix it. This tells you a lot. When something is not a Vendor's responsibility...they do not fix it. No matter how much you yell and scream. They know their product does not live up to the standards of the enterprise and business community. They are thus responsible for fixing it. No less responsible than a car manufacturer that installs a faulty part.
The point is not the locks. The point is that the contractor installed the locks...and they don't work. It is a totally different thing when someone discovers a new exploit. When they are in a very limited minority that is pushing the envelope. No company can possibly prepare for every possible contingency. And no one I know of is asking them to. I would just love it if they would stop the known things...and eventually stop writing code that keeps allowing the same types of attacks to continue. I personally feel that if all things are done properly and some kid in Sweden finds an impossible combination of utilities and applications...and home-grown code that takes advantage of an unknown flaw created by stacking the deck in his favor...then no...Microsoft is not liable for that. But they are for the things that they write that everyone in the world knows are akin to having no lock on the doors at all. Or worse...when they write something that opens the doors for anyone who asks in open text.
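The "simplest buffer over-run" that the reply above complains about is worth seeing in code. What follows is an added example, not code from the original page and not Microsoft's or any vendor's code: a constructed datagram handler that trusts a length byte taken from the network, placed beside the hardened form that checks every length before copying. The wire format, the NAME_MAX buffer size, and the function names are assumptions chosen for illustration; the datagrams the helpers build are constructed test input.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define NAME_MAX 64   /* assumed fixed buffer size, chosen for illustration */

/*
 * Constructed wire format (an assumption for this example, not any real
 * protocol):
 *   byte 0      opcode
 *   byte 1      declared name length N  (attacker-controlled)
 *   bytes 2..   N bytes of name
 */

/* "Before": the classic over-run. The declared length is trusted, so a
 * datagram with N >= NAME_MAX writes past `name` into whatever sits above it
 * on the stack (saved registers, return address). Kept only to show the
 * pattern; never call it on untrusted input. */
int handle_vulnerable(const uint8_t *pkt, size_t len, char *reply, size_t replysz)
{
    char name[NAME_MAX];
    size_t n = pkt[1];
    (void)len;                   /* datagram length is never consulted */
    memcpy(name, pkt + 2, n);    /* no check that n < sizeof name */
    name[n] = '\0';              /* n == NAME_MAX already writes one byte past the end */
    return snprintf(reply, replysz, "hello %s", name);
}

/* "After": every length is checked against both the datagram and the buffer,
 * and the string is NUL-terminated within bounds. Returns 0 on success and -1
 * on a malformed or oversized request, which the caller should simply drop. */
int handle_hardened(const uint8_t *pkt, size_t len, char *reply, size_t replysz)
{
    char name[NAME_MAX];
    if (len < 2)
        return -1;               /* header incomplete */
    size_t n = pkt[1];
    if (n > len - 2)
        return -1;               /* declared length runs past the datagram */
    if (n >= sizeof name)
        return -1;               /* no room for the terminating NUL */
    memcpy(name, pkt + 2, n);
    name[n] = '\0';
    int w = snprintf(reply, replysz, "hello %s", name);
    if (w < 0 || (size_t)w >= replysz)
        return -1;               /* reply would have been truncated */
    return 0;
}

/* Builds a constructed datagram with `declared` in byte 1 and a body of 'A's,
 * then returns the hardened handler's verdict when told the datagram is
 * `datagram_len` bytes long. Lets consistent and inconsistent lengths be
 * exercised through the same code path. */
int hardened_verdict(size_t declared, size_t datagram_len)
{
    uint8_t pkt[512];
    char reply[128];
    memset(pkt, 'A', sizeof pkt);
    pkt[0] = 1;
    pkt[1] = (uint8_t)declared;
    if (datagram_len > sizeof pkt)
        datagram_len = sizeof pkt;
    return handle_hardened(pkt, datagram_len, reply, sizeof reply);
}

/* For a name that fits, both handlers must produce the same reply: the
 * hardening changes nothing for well-formed traffic. Only driven for
 * name_len < NAME_MAX, because the vulnerable handler is genuinely unsafe. */
int replies_match(size_t name_len)
{
    uint8_t pkt[NAME_MAX + 2];
    char reply_v[128], reply_h[128];
    if (name_len >= NAME_MAX)
        return 0;                /* refuse to run the vulnerable path off the end */
    pkt[0] = 1;
    pkt[1] = (uint8_t)name_len;
    memset(pkt + 2, 'B', name_len);
    handle_vulnerable(pkt, name_len + 2, reply_v, sizeof reply_v);
    if (handle_hardened(pkt, name_len + 2, reply_h, sizeof reply_h) != 0)
        return 0;
    return strcmp(reply_v, reply_h) == 0;
}

int main(void)
{
    printf("well-formed 10-byte name:       %d\n", hardened_verdict(10, 12));   /* 0 */
    printf("declared 10, only 5 on wire:    %d\n", hardened_verdict(10, 5));    /* -1 */
    printf("63-byte name (largest legal):   %d\n", hardened_verdict(63, 65));   /* 0 */
    printf("64-byte name (no room for NUL): %d\n", hardened_verdict(64, 66));   /* -1 */
    printf("200-byte name (classic smash):  %d\n", hardened_verdict(200, 202)); /* -1 */
    printf("handlers agree on legal input:  %d\n", replies_match(10));          /* 1 */
    return 0;
}
```

The three checks in the hardened handler are the whole difference: the declared length is compared against what actually arrived, against the destination buffer, and the terminator is reserved before the copy. Note that the boundary case N == NAME_MAX is an off-by-one that still overwrites a byte even when the copy itself fits, which is why the comparison is `>=` rather than `>`.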
Reply from Greg Merideth
Chief Technology Officer
In an ideal world, sure, Microsoft should be held accountable. But then, we hold everyone accountable for bugs and security flaws, not just the company that's fun to hate.
We then have a major issue to address. Let's say Swedish engineer Bill finds a security flaw and posts it to NTBugTraq, giving Microsoft no warning. People exploit that flaw in the 10 days it takes Microsoft to fix it. Can that be justified as a problem that Microsoft created? Not really. If Swedish Bill posts to Microsoft a month in advance and is not happy with their response time, then posts with the same result, is that still, really, Microsoft's problem? Not really. The release of the flaw is what caused the exploit. A problem that Microsoft knows about but does not fix is a problem, but then, how do you prove it?
Microsoft released a service pack fix for the SQL Slammer worm, and 8 months later look what happened. If your alarm company told you that there was a known flaw with your alarm system and you did nothing to fix it, in what manner would you feel justified in suing them after you get broken into by someone exploiting that? Granted, the release of patches in its current system is obviously not working, but for all of the complaining about it I haven't heard one idea of how to improve it.
"Granted I should have had a firewall in front" are the famous last words of every network admin I've ever talked to after they've been broken into. The cost of 11 servers, even using crap servers at 4 grand each = 44 grand. The cost of 1 firewall to protect them all, 2 grand. That's just sad.
Other than his stupidity, I love the site.
Keep up the articles.
'''''
( o.o )
====oOOO==(_)==OOOo=====================
Greg Merideth
Chief Technology Officer
"When working on someone's computer, whatever happens, behave as though you meant it to happen." - The Computerman's Code
A response from Tom Struble
Network Engineer, Colorado
Yeah, that happened to me...sort of.
I have this big new expensive house, and although I should have had locks installed, who has that type of time and money?
Sure enough, I came home after a short 27-day vacation, and 4 of the 5 bedrooms had bums living in them, plus they drank all my beer.
Well I tell you, my first call was to the contractor to bitch him out and let him know I was going to sue him blind. He said, "You know, we talked about locks, our web site tells you to install locks, even the news warns you that everyone should have locks, but you didn't want to spend the time or money to install them."
I ask you, what kind of excuse is that????
Bottom line, you're responsible for your own security. If you don't want to secure your systems, ya spin the wheel and take your chances. Firewalls and AntiVirus systems are the cost of doing business on the Internet, just like locks and alarms are required to keep your property safe and secure.
P.S. - there are dozens of good, virtually bulletproof, open source firewall solutions that would protect all your systems for the cost of a low-end Pentium (that's right, just a plain-Jane Pentium one) and a few hours of your time. Check out IPCop, or Smoothwall, or NetBoz.