The good news as far as the point about downtime is that XP so far has
been able to handle all patches at once and only requires one reboot for
the 30 patches I put on it yesterday and no reboot for the patch today.
Who knows, they may even be working on a way to minimize downtime, though
if you really require true 100% uptime you most likely have a cluster of
servers no matter what OS / web server you are running.

Also in the news today Microsoft released a major set of patches for IIS:
http://story.news.yahoo.com/news?tmpl=story&cid=581&ncid=738&e=2&u=/nm/20020410/tc_nm/tech_microsoft_dc_4

Adam

-----Original Message-----
From: Alan [mailto:alan@private]
Sent: Wednesday, April 10, 2002 2:22 PM
To: Andrew Plato; Steve Beattie
Cc: crime@private
Subject: Re: CRIME Perspective on Criticisms leveled at Microsoft

On Wednesday 10 April 2002 09:17 am, Andrew Plato wrote:
> > If there is one thing to learn from the CRIME list, it's that computer
> > security people are a cynical, skeptical (probably even bitter :-))
> > bunch. It's our job to be skeptical, to find the many flaws and
> > assume the worst of whatever we're looking at.
>
> I find this to be a very incomplete view of the security industry. I
> consider myself part of the security industry but I do not see myself as a
> cynical, skeptical, or bitter person when it comes to my work. I think this
> is a problem in some regards with security people. They are so consumed
> with finding faults, they forget (or ignore) methods to patch or repair
> those faults.
>
> I see my role as a person who has to actually patch up those holes. And
> that is a very different perspective than the academics and pundits who
> want to terrify people into action. Spreading FUD may be fun and
> emotionally satisfying, but it isn't very productive. Somebody, like me, has
> to help people patch those holes.
> And scaring people with "Microsoft is
> bad, you're an idiot for using it," rhetoric may help fan the flames of
> anti-Microsoft sentiment, but it isn't really practical for IT managers who
> then have to return to their office and confront 500 Windows machines.

Actually there is another big reason as to why Microsoft machines tend to
not get patched. Downtime is a big issue for most companies. Microsoft
patches usually require a reboot after each and every patch. (Which is
real fun if you have a service pack and a bunch of scattered hotfixes.)
In one case, I had to reboot over 30 times to add the patches to an NT 4
box. This is a significant hit on the "five nines" that so many places
strive for.

Microsoft Service Packs are also known for making changes to the registry
that undo previous security fixes. So after any patch session, you have to
go back and make sure that any changes you have made stay changed and not
get reset to an insecure default value. (And don't forget to repatch
everything after installing a new device driver. Otherwise, you could have
reset things back to an old version...)

Many Microsoft admins get a machine to a stable point and then don't want
to mess with it "because it works". (Having seen a few service packs hose
systems after install, I can understand why.)

> > Oh, and as for Robert Graham's article, he seems to advocate punting
> > and doing nothing. "Gee, taking your car keys out of the ignition
> > and locking/unlocking your car door is an inconvenience? Well, leave
> > it unlocked with the keys in the ignition, then. Furthermore, why does
> > Fnord Motors get beat up by the auto security community for not putting
> > locks in cars at all?" Sure, it's an exaggerated analogy, but in essence
> > that's what he's saying. Since most of us (in urban Portland, anyway)
> > manage to deal with the inconvenience of locking our cars, the notion
> > that users shouldn't have to put up with even minor inconveniences seems
> > false.
>
> I don't think locking a car and uninstalling a complex software component
> are really very comparable. This is what happens when we start to reason
> metaphorically. The metaphors become twisted.
>
> The fact is most people simply do not understand how their PC functions.
> They don't care about services, ports, or access control lists. They want to
> go down to Best Buy, purchase a digital camera, plug it in and have it
> immediately work. Ever notice how the aisles at Frys are filled with
> obviously returned products. I would bet that a large percentage of those
> returns were simply because the person who bought the product did not
> understand how to integrate that product with their existing environment
> (and the awful documentation probably didn't help.)

Actually it is because Fry's is a verb, not a noun. It is also because
they have a tendency to return defective merchandise to the shelves instead
of RMAing it.

> Graham's point then, is that most people really are not concerned with
> security. They want usability and security is second. The challenge to
> security folks is to find ways to provide both. And that is not easy and it
> won't happen overnight. You are not going to convince people to just throw
> off their Windows boxes and adopt highly secure UNIX terminals tomorrow.

Most of the security issues are avoidable. Outlook viruses are a prime
example. People at home are concerned about security when they have to
have someone come in to fix their PC because they got hit by the latest
virus. So far I have had to scrape Outlook viruses off the machines of two
relatives and a couple of friends. Not a fun thing to have to do.
(Especially on a long distance phone call.)

> > However, and I think this is the most crucial point that Robert Graham
> > misses, the best security solutions are those that are neither a
> > nuisance or inconvenience and yet provide real security.
> > It is a failure
> > of both designers and security experts that security and convenience are
> > seen as opposites, to be traded off against each other. That's what we
> > all, including Microsoft, should be working towards.
>
> I think the fact that Graham designed an intrusion detection product
> (BlackICE now the core technology in ISS's RealSecure) is demonstrative of
> his commitment to building solutions that are neither a nuisance or an
> inconvenience. In fact, I would argue (although I have a rather obvious
> bias here) that Mr. Graham's technologies are some of the least intrusive
> security products that still deliver outstanding capabilities.

I tend to prefer ZoneAlarm. BlackIce has had too many problems in the past
for me to trust it very far.
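The post-patch check Alan describes (verifying that registry hardening settings survived a service pack and were not reset to an insecure default) can be scripted rather than done by hand. The following is an added example, not code from the thread or from any participant; it is written in PowerShell for a current Windows host rather than the NT 4 box Alan mentions. The three registry values in the baseline list are real, long-standing Windows settings chosen here purely as an illustration of the pattern; the list, the expected values and the snapshot file path are assumptions to replace with your own hardening baseline.

```powershell
# Added example (not from the original thread): snapshot security-relevant
# registry values, then compare them against a baseline after every patch
# reboot, so a service pack cannot silently reset a hardening setting.
# The baseline below is an assumed illustration, not a recommended policy.
$Baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Name = 'RestrictAnonymous';    Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Name = 'LmCompatibilityLevel'; Expected = 5 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Name = 'AutoShareServer';      Expected = 0 }
)

function Get-HardeningState {
    # Read each baseline value; a missing value is reported as $null, which
    # usually means the OS default (often the insecure one) is in effect.
    param([array]$Items)
    foreach ($i in $Items) {
        $value = $null
        try {
            $value = (Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction Stop).($i.Name)
        } catch {
            $value = $null
        }
        [pscustomobject]@{
            Path = $i.Path; Name = $i.Name; Expected = $i.Expected; Actual = $value
        }
    }
}

function Test-HardeningState {
    # Returns $true when every value matches the baseline, $false (with a
    # warning listing the drifted entries) otherwise.
    param([array]$Items)
    $drift = @(Get-HardeningState $Items | Where-Object { $_.Actual -ne $_.Expected })
    if ($drift.Count -gt 0) {
        $report = $drift | Format-Table Path, Name, Expected, Actual -AutoSize | Out-String
        Write-Warning ("Settings drifted from baseline; reapply before returning host to service:`n" + $report)
        return $false
    }
    Write-Host 'All baseline settings intact.'
    return $true
}

# Usage: run once before the patch session to confirm the baseline holds and
# to keep a dated snapshot, then run again after each reboot. The snapshot
# location is an assumption; put it wherever your change records live.
$snapshot = Join-Path $env:TEMP ('hardening-{0}.json' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
Get-HardeningState $Baseline | ConvertTo-Json | Set-Content -Path $snapshot
$ok = Test-HardeningState $Baseline
if (-not $ok) { exit 1 }
```

Treating a missing value as drift is deliberate: Alan's point is that a patch can reset a value to an insecure default, and on Windows "reset" frequently means the value is deleted rather than rewritten, so a check that only compares values that are present would miss exactly the case that matters. The same pattern extends to the device-driver case he mentions, since it is just another event after which the comparison should be rerun.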
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:40:02 PDT