08-21-2003, 01:49 PM   #1
RoadRage
Stay off the sidewalk!
Location: Oklahoma City, OK
Forget California, it's time to recall Micro$oft

(Given the threads here and here and here and here describing various problems in dealing with M$ and its crap-er-I-mean programs, I thought this was only too appropriate not to share.)

From The Register

By Richard Forno

Posted: 21/08/2003 at 11:30 GMT

A sign on a Trenton, NJ railroad bridge says "Trenton Makes, The World Takes." In light of recent history, a sign at Sea-Tac airport should probably read "Microsoft Makes, The World Quakes."

For the second time this year, Microsoft is the source of a major internet security event. First was Slammer/Sapphire in January that seriously impacted networks and corporations around the world, including shutting down ATM machines at some large banks. And now, we've got MSBlaster taking advantage of a years-old vulnerability in Microsoft Windows operating systems. But unlike Slammer that only targeted servers, this one goes after desktop computers as well - meaning that ninety percent of the world's computers are potential targets and victims this week. Consumer desktops are significantly more plentiful than corporate ones but less-protected against viruses, worms, and other attacks. As low-hanging fruit goes, they're a perfect target of opportunity for cyber-mischief.

According to a Wired story today, Microsoft is confused why these worms continue plaguing users when the company's made great effort to improve the patch delivery process. Microsoft says it's working with federal law enforcement to find out who's behind the dastardly deed that's giving the software monopoly yet another embarrassing black eye in the media. This is a typical Microsoft response full of proactive sound of fury, but signifying nothing helpful. And the media's full of reporting about the pervasiveness of MSBlaster and what people can do to protect themselves against this "latest" cyber-threat.

Yet Microsoft says third-party software accounts for half of all Windows crashes. Funny, it also blamed the competing DR-DOS for Windows 3.1 crashes in an attempt to get people to buy MS-DOS back in the 1980s. (It was later discovered that Microsoft had engineered false error messages to trick users into buying MS-DOS.) It also said Internet Explorer couldn't be removed from Windows 95 without crippling the operating system, and was proven wrong by enterprising researchers. So Microsoft's track record for veracity isn't exactly stellar when it comes to its products and business practices.

But, few if any are mentioning the real issues here: MSBlaster's ability to affect practically all versions of Windows shows that despite Microsoft's marketing flacks, there is still significant code shared between all versions of Windows. Anyone who thinks DOS is dead, or Windows XP's code internals have little in common with Windows NT 4 should think again. MSBlaster proves it.

Also, MSBlaster takes advantage of known vulnerable network ports in Windows, ports that any competent network administrator or internet provider should have closed long, long ago. In fact, there's probably no good reason why these ports should be enabled on consumer versions of Windows or supported by ISP networks, for that matter. In other words, it baffles the mind why these well-known ports continue to be a major security vulnerability in Windows.

Of course, Microsoft pledges to continue working on its patch distribution process as part of its larger "Trustworthy Computing" initiative. That's all well and good, but does this mean the security of our networked systems has been reduced to the repeated mantra of "run the patch" and then sit back to wait for the next pair (exploit and fix - a matched set!) to be released? Hopefully not. Security is a two-part process requiring the network staff to administer their resources appropriately and the software vendors to produce code that's much more reliable than it is now.

As it did with the Slammer worm in January, Microsoft proudly says it made available a patch for Windows far in advance of the vulnerability being exploited on a massive scale. But many users didn't get the message or download the patch - either because home users didn't realize that the automatic Windows Update process was designed for just that reason (or would "do it later") or, in the case of large companies, network administrators likely were too busy installing any number of other patches required (at least 30, according to the number of security bulletins so far in 2003) to keep their Microsoft systems operating in a somewhat more secure manner from week to week. (And we wonder why help desk staffs burn out so quickly.)

If Microsoft really wanted to resolve its software problems, it would take greater care to ensure such problems were fixed before its products went on sale - and thus reverse the way it traditionally conducts business. Doing so means less resources wasted by its customers each year patching and re-patching their systems, hopefully meaning more is available for effective network planning, design, and management to support a robust defense-in-depth security strategy. Customers shouldn't be forced to spend their money cleaning up after Microsoft's mistakes, laziness, or general complacency, but on improving their information environments to take full advantage of the many benefits of the Information Age.

More importantly, why are we - users, administrators, media, and the government - praising Microsoft for their response to this critical problem? If something's wrong with a product, responsible companies are obligated to fix it as a matter of good business practice. A responsible adult knows that if you make a mess, you're expected to clean it up, regardless if anyone compliments you for your efforts. Did anyone expect widespread praise to be heaped on Ford Motors after its Explorer fiasco a few years back? Hardly - there was a serious problem with one of its products, and the company fixed it, albeit under the threat of lawsuits from victims or their families.

But that's not the case with software, from Microsoft or anyone else. When you acquire software, you don't really "buy" it, but rather purchase a license to use it "as is" for a period of time, and the vendor is under no obligation to fix anything wrong with its product. If you take the time to read the thousands of words in a typical software End User License Agreement (EULA) - and many people don't - you'll see that by installing and using the software, you indemnify the vendor against any claims, losses, or problems resulting from using its software, even if the vendor knew about the problem before it sold the product. In some cases, as this Register article notes, you agree to let Microsoft remotely modify your software and you can't hold it liable if something breaks as a result.

Code Red, Love Bug, Slammer, Nimda, Pretty Park, BubbleBoy, Melissa, Code Red II, MSBlaster, and numerous other high-profile Microsoft-sponsored incidents... many view them as "the price of doing business in the Information Age" and cheerfully spend (or lose) increasing amounts of money with each new incident arising from poorly designed software. But rather than face reality by conducting a dollars-and-sense risk assessment of their IT operation to see how much Microsoft's vulnerabilities cost their enterprise annually, these sheeple - at all levels of government, industry, and society - prefer tolerating mediocrity to efficiency and reliability in their software assets, because they're either too lazy to investigate alternatives or don't want to propose changes to the comfortable status quo.

What recourse do you have in such cases? You can't just sue the software vendor for problems with their product like you can the maker of a vehicle or appliance since you've given up those rights by using the product under the terms of its license agreement. The only option you have is continue using the software in question and scrambling to update your systems whenever a new problem presents a danger to your information assets. In other words, when Microsoft says "patch" you salute and say "how soon?"

Or, you can vote with your pocketbook and move to an alternative software product that works better, costs less to buy and maintain, and won't burn out your network support staff. Nobody's saying you must use any one particular product or operating system, and they all tend to perform the same basic functions needed in today's working society - although some are better at it than others. It may take a little bit of effort to switch and get used to the new product, but the long-term payoff will be worth it.

After all, in the real world, if you don't like Ford trucks, you can buy a Jeep instead.

Copyright © 2003, Richard Forno. All rights reserved.