Forwarded by: Richard Forno <rfornoat_private>

CODE RED IS NOT THE PROBLEM
(original with references and active links is at www.infowarrior.org/articles/2001-07.html)

Article #2001-07
5 August 2001
Richard Forno (rfornoat_private)

(c) 2001 Author. Permission granted to freely reproduce - in whole or in part for noncommercial use - with appropriate credit to author and INFOWARRIOR.ORG.

We survived Code Red and the world is once again safe for now. Consumers worldwide can continue using the Internet to buy books, download music, send e-mail, and live this wonderful binary lifestyle that so enamors the Western World. Like Y2K - only eighteen months ago - we dodged a much-hyped bullet full of sound and fury from the media-whoring Sirens of Security, but in reality it was yet another case of threat inflation by the naysayers of our day, many of whom have agendas rarely based on reality or facts.

System administrators have patched and fixed their systems to deal with Code Red, and Microsoft has been seen at the same podium (and in public agreement) with the very same Justice Department that is trying to punish the software collective as a monopoly. What a fantastic public relations boon for Microsoft to receive so much free publicity and mention in the popular press, right alongside the American flag and senior members of the government and other security organizations during this time of crisis! Appearing like the White Knight atop his horse, the Redmond clan miraculously and immediately coded a hotfix for their IIS servers to close the vulnerability associated with Code Red. Thank you, Microsoft, for being so magnanimous and once again demonstrating your power over the wired world of the enterprise and consumer masses, and for publicizing the fact that even your most hated non-commercial adversary - the Justice Department - has no choice but to endorse your products and company despite your deep differences.
As a result of the media hoopla, the hotfixes have been (and continue to be) deployed, and the world is safe until the Next Big Event. Not five days after the 2001 version of the "Y2K Scare" or, more appropriately, TEOTWAWKIA (The End Of The World As We Know It Again), Code Red is already serving as the latest fait accompli for the security industry to sell additional security products and for government entities to promote controversial knee-jerk laws and regulations based more on fear, misperception, political contributions, and ignorance than on objective and factual reality.

But even with this latest major Internet security problem, Corporate America and the government still don't get it, and probably never will. Contrary to what the fear-mongers and Sirens of Security proclaim from their pulpits, Code Red isn't the danger, nor is it some "cyber-terrorist" with a mouse and keyboard. Buying products and services will only be a short-term curative, not a path to long-term security success. It's like taking Tylenol for a headache that just won't go away: if you go to the doctor, you might learn what is causing the headaches in the first place, and actually get better by addressing the root cause of your pain rather than simply the symptoms.

The most significant danger and vulnerability facing the Wired World is continuing to accept and standardize corporate and consumer computer environments on technology that's proven time and again to be insecure, unstable, and full of undocumented bugs ("features") that routinely place the Internet community at risk. But nobody wants to talk about that - not the government, not CERT, not many security vendors, nor most of the mainstream media. Such analysis, although true, runs contrary to the status quo and the industry-favoring 'party line' groupthink that leads to increased profits for everyone.
It's an established fact that the Internet and technology are a significant asset to the economy and the modern way of life. Yet the IT community continues throwing good money after bad in a never-ending game of cyber-triage (scrambling to acquire and deploy the latest hotfixes) to respond to or prevent damages arising from the software they are standardized on. I'm not a business major, but I believe that a product or service costing more to support than to acquire is considered a "loss leader" and should have its usefulness and profitability to the corporation seriously and objectively reconsidered.

That being said, has anyone done an independent, objective study to determine the Total Cost of Ownership (TCO) associated with Microsoft products? It's got to be astronomical; consider how many man-hours (more likely man-years) are wasted annually by IT departments scrambling to triage the repeating fallout from such notable Microsoft- and/or Microsoft-Visual-Basic-based security problems as Melissa, Pretty Park, ExploreZip, Bubbleboy, I Love You, AnnaK, Code Red, SirCam, and others, including dozens of buffer-related exploits that any halfway-decent software quality assurance team should have caught. More amusingly, how many other operating systems can be compromised by exploiting a buffer overflow in a word processor's Clip Art function, or via its integrated MP3 player? How much overtime has been paid to consultants and technical staff, and how much spent on products needed to "clean up after" or fix problems caused by Windows? How much money is wasted on so-called vendor certification programs that cover what used to (or should) be included in the product documentation, if the product even comes with any?

Adam Lawson's Security News Portal article this week rightfully concluded that "Code Red proved you should always be wary about what Microsoft software does to your machine, like turning it into a server without your implicit knowledge."
Our information assets and Wired Society are at ongoing and catastrophic risk from continuing to standardize on products designed more to achieve one company's marketplace dominance than for the security and operational reliability of those products. It's funny that since the US Army moved its main headquarters webservers away from Microsoft technology in 1999, those particular servers have not been compromised once. What does the Army know that the rest of Corporate America doesn't?

While nearly every other operating system has its share of vulnerabilities and problems, none of them presents the significant level of risk to its customer base that Microsoft's does. Think about it - Microsoft products sit on some 85% of the world's computer systems, and it's Microsoft products that are responsible for most if not all of the major Internet security headlines in recent years. While technical folks have noted this fact and expressed growing frustration with these products in their circles, their managers, CEOs, and their government counterparts turn a blind eye to this grim reality, choosing instead to maintain the status quo. This places information assets at risk by throwing good money after bad to support a faulty product that's proven to be more problematic than beneficial on an all-too-frequent basis. I was at a security conference recently where it was stated that an organization needing to secure a Windows NT 4.0-based IIS webserver needed to incorporate approximately forty-seven-plus hotfixes that were either included as part of a Service Pack or available as separate downloads from Microsoft.
How is any systems administrator supposed to retain their sanity and maintain positive forward motion (i.e., productivity and a return on the company's investment in them through their salary) when they are dedicating increasing amounts of time to fixing one problem after another on a product that - although sold as a finished item - performs like it's still being beta tested? How many corporate projects are impacted or delayed because technical staff must scramble to address the latest Microsoft security problem? No wonder more and more system administrators are burning out and questioning how seriously their employers take the concept of and need for true information security and operational reliability, let alone how ignorant their senior management is regarding the true costs of using Microsoft products.

The rational and radical thing to do is to formally declare that a problem exists and take appropriate action to correct it head-on. In the physical world, there are Lemon Laws and consumer protections against shoddy products and services. If a vendor knowingly sells a product with problems, it can be held legally accountable for culpable or criminal negligence. The same can't be said for the software vendors whose products power the majority of computers in our Wired Society. If the FDA found that a diet drug caused heart problems, the drug maker would be held responsible under federal law, there would be Congressional hearings, and significant public outcry. Not so in the software world - the only recurring Congressional action or interest on computer security issues comes at the request of the entertainment industry cartels seeking to maintain their respective monopolies over consumers, or in the annual "we've got to do more" Congressional hearings on the security of federal systems.
Imagine how quickly Microsoft would clean up its software if it faced a large financial penalty for each customer victimized by its most-buggy product lines (Internet Explorer, Outlook, IIS, and the Windows family of products). Even insurance firms that underwrite IT reliability and business 'uptime' are charging higher premiums for companies using Microsoft-based servers. Again, what do these folks know that the rest of the world doesn't? Dump Microsoft, and your security posture improves, and your support costs decrease, by nearly an order of magnitude!

Of little help on this matter are the various professional and government organizations that should be the vanguards of sanity, reality, and public welfare but instead continue to perpetuate the status quo and cater to Microsoft's need to maintain a happy and content customer base. Three days after Code Red's moment in the spotlight, I received an e-mail message from SANS discussing the Code Red fiasco. Although reiterating a much-needed plea for better system administration measures, the message was clearly a marketing note for SANS' latest Roving Road Show, this time on how to appropriately secure IIS against Code Red and other known vulnerabilities. Ironically - but not entirely unexpectedly - the letter also stated that "it would be inappropriate to try and capitalize off this attack" but that they hadn't yet "determined pricing" to cover the expenses for the nine-city Code Red Tour '01. SANS doesn't need to call this post-Code Red community-service project a for-profit venture, but you can bet bits to bytes that attendees will be swamped with all sorts of SANS propaganda and "to know more, attend our other conferences" invitations. Thus, regardless of what is claimed, SANS is simply trying to 'get in early' and capitalize on the bow wave of Code Red's notoriety, Fear, Uncertainty, and Doubt. After all, panic sells - but publicized panic sells more!
Sadly, all the objective analysis and facts will not change things, since the current state of affairs is rather profitable for two of the three parties involved. Microsoft receives a significant profit for each copy of its product sold, and security vendors receive significant profits selling products and services designed to mitigate the problems associated with the underlying Microsoft products! It's a neat, tidy arrangement, and as a result, past experience shows that there's little reason to hope for a change no matter how bad things get. The more bugs, exploits, and vulnerabilities that are publicized or hyped to the consumer masses and elected officials, the more money for these two industries. Information security is a self-fulfilling prophecy, where the customers - individuals and corporations - lose time and again. The only way to break this cycle and achieve what textbooks call "security" is to drastically re-evaluate our professional approach to this discipline at its most basic and fundamental levels, and to replace what's repeatedly found to be broken or faulty. As it currently stands, not even Bob Vila could patch up the Windows in our Wired World's electronic houses!

People should be wary of the ambulance-chasers who use the latest security incident (e.g., Code Red) to pitch security services to panicked customers. While it's certainly necessary to make certain any IIS servers (or systems and networks in general) are protected from any number of security problems, simply downloading the latest fix for your platform is not the Be-All, End-All Solution. Code Red's demise doesn't mean that the world is safe once and for all, nor does it mean that Code Blue, Code Purple, or Code Red Part Drei won't manifest next week on USENET, or that I-LOVE-YA may not reappear in someone's Inbox and start another week of Ether-Hell for Exchange administrators.
What you learn at the SANS Code Red Road Show (or any similar event) or gain from new products purchased in a knee-jerk response to Code Red's myth might not help you during the next incident. After all, what worked well today may not work well tomorrow, precisely because it worked today! Users need to focus on the larger picture and the underlying causes of these security events, and not simply on curing the symptoms that crop up with annoying regularity. Continuing to download one fix after another is a short-term remedy for a long-term problem. Instead, look for long-term solutions that will save you time, labor, frustration, and certainly money!

Instead of wasting money on post-Code-Red marketing hype and media misperception, organizations should address the larger question. They need to take a large step back and seriously reconsider why they continue to place themselves at risk by standardizing on technology that's been publicly proven time and again to be notoriously exploitable, unstable, and, most importantly, a continuing drain on corporate profits and shareholder return. Until someone with the intestinal fortitude is able to successfully challenge this dangerous status quo, the Wired World remains at significant risk of not only more security exploits generating headlines, but an endless series of hotfixes, cyber-triage, frustration, fear-mongering, and knee-jerk reactions that further obfuscate the real problems facing us. My sympathies to those who have to deal with this mess on a daily basis, not knowing if (or when) relief is in sight. I've been a system administrator before - but I'd sure hate to be one today.

NOTE: This will be my last article discussing Microsoft's many shortcomings and how its products place the Wired World at risk, unless there is some seriously glaring item that just can't be ignored (Smart Tags as a way of exercising control over web content, for instance).
Enough is enough, and after a while it's like beating your head against a brick wall. As I said, it's sad, but very unlikely, that the security profession or folks in leadership positions will take note of the reality of the situation. I'm not a Microsoft-basher (I actually like some of their stuff), but rather an IT security professional who has tried to provide objective and out-of-the-box analysis on a very real and pressing vulnerability that nobody with any significant responsibility seems to care about addressing. May the Apple Macintosh, Linux's Tux, the BSD Daemon, and their siblings continue to gain ground as sources of truly reliable, secure, pro-community, pro-customer software that drives the Wired World into the next generation despite the wishes of the current establishment. You've got my support!

/rick

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 05:23:24 PDT