While @Stake's behavior might be lame, the report that Geer and friends published is not without flaws. Among many flaws, the report almost totally ignores the myriad of 3rd party technologies that can make Windows systems more secure. Hence, their models are fundamentally flawed. They are based on the assumption that NOBODY secures their Windows systems. Thus concepts like "cascading" failures are not as likely as the report leads readers to believe. This is a good example of one of the chief problems with information security research. Many of the theories about information security are only relevant in academic settings. In practice, these theories erode and have much less relevance. In this report, the authors talk about the possibility of crafting an exploit that could wipe out or cause massive failure of Windows systems. While it is theoretically possible that such a virus could bring the world to its knees, the practical reality is not as dire. There are numerous independent mechanisms in operation that can prevent and stop the widespread distribution of this theoretical virus. Most of these independent mechanisms do not rely on Windows at all. My WatchGuard firewall runs a custom Linux kernel. The ACLs on my switches are handled by Cisco IOS. And even on my Windows machines I have anti-virus and host-IPS from third parties. For this theoretical "world stopping" virus to work, it would have to cut through 4 or 5 independent systems to crash a Windows box. Hence, this kind of research paints impractical pictures of cybersecurity. It makes out Microsoft to be a single point of failure, when in reality, Microsoft is just one player in a bigger arena. Moreover, it's my belief that the largest security hole in every organization is between the ears of the employees. I know it sounds like it, but I am not defending Microsoft. I'm the first to admit that Microsoft is a big part of the security problems out there. But security is a bigger issue than just Microsoft.
Microsoft might be a 900 lb gorilla, but that doesn't mean there aren't plenty of 800 lb and 725 lb gorillas out there that are equally as bug-riddled as Microsoft. The other problem with this report is how it fuels a lot of holy war reasoning. While it might be trendy to bash Microsoft, that trendiness does not translate into a server room full of systems. Technology holy wars are entertaining distractions for newsgroups and beer-fueled pub rants, but when it comes time to make a business work, holy wars can be destructive and counterproductive. Holy wars are about coercion and emotions, not rational analysis. Smart businesses approach technologies neutrally and analyze their benefits and weaknesses fairly and honestly. They weigh their needs, analyze the data, and make an informed decision. This is where I think some of the anti-Microsoft crusaders have taken their cause too far. They say things like "jihad" and "revolution" when talking about computer technologies. I prefer my "jihads" on the 10 o'clock news. When it comes to my servers, I don't want a jihad or any kind of religious war. I just want the thing to work. And whether you like it or not, Windows systems do work quite well when they are set up and managed properly. Thus, I think I speak for some IT directors and executives in this way. Ivory Tower theories of mass Microsoft collapse and open-source crusades against the Borg-like Bill Gates are fun little distractions, but not very useful to a business. When it comes down to making business decisions, businesses need realistic data, not conspiracy theories. Servers are not religious icons, they're tools to get a job done. If I want religion, I'll go to church. If I want a server, I go to Dell (or maybe HP).
___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

-----Original Message-----
From: musashi@private [mailto:musashi@private]
Sent: Friday, September 26, 2003 11:22 AM
To: crime@private
Subject: CRIME FW: @Stake pulls pin on Geer: Effect on research and publication (fwd)

This raises a lot of red flags to me and seems reminiscent of the days of Dan Farmer releasing SATAN and having to leave SGI. The news article also notes that when other security researchers were queried about input into this publication, many agreed with the points/theory/ideas but wouldn't join in the research due to fear of Microsoft.

-musashi
This archive was generated by hypermail 2b30 : Sat Sep 27 2003 - 13:02:14 PDT