>> Among many flaws, the report almost totally ignores the myriad of 3rd party technologies that
>> can make Windows systems more secure.

> The main thrust of the report is that monoculture is devastatingly
> dangerous. Geer has said publicly that a Linux monoculture of the
> same magnitude would be just as bad.

"Monoculture" or not. The report still ignores the fact that there are numerous diverse and independent systems that mitigate the risks of a "monoculture" environment. Therefore, the report is artificially elevating the seriousness of the "monoculture" environment.

Consider this example: Many tabloids like to report articles about how epidemics could wipe out the human race in weeks. They base this theory on the fact that Bad Virus XYZ can spread to X people in Z time. People accept this as a scientific fact. But it isn't. It's bad science. These articles do not consider the vast array of mitigating factors that have a profound impact on how quickly the virus can spread. When an epidemic hits, people don't just sit there and watch it kill them. They react. That ability to react is what contains and prevents widespread epidemics. That is exactly how Darwin explained evolution. It's not about survival of the fittest, it's about survival of those that adapt.

Clearly the security model for the new millennium isn't about having a rock-solid system that can withstand Sobig and a nuclear bomb. It's about having an adaptable matrix of independent systems that can identify, localize, isolate, and eradicate evil things before they can cause widespread damage.

>> Hence, their models are fundamentally flawed. They are
>> based on the assumption that NOBODY secures their Windows systems.

> No, they are based on the assumption that many people don't secure
> their Windows systems, which is quite different. In fact, it is
> manifestly obvious that most people don't secure their systems,
> regardless of what kind they are.

Yes, many people and organizations don't secure their systems. That's dumb. And there is a price to pay for that irresponsibility. If you don't secure your assets, then the only person you have to blame when they get stolen is yourself. As much as I wish we lived in a utopia where there were no viruses or crime, we don't. Modest precautions can prevent a huge swath of intrusions.

>> In this report, the authors talk about the possibility of crafting an
>> exploit that could wipe out or cause massive failure of Windows
>> systems.

> Like Code Red, Nimda, Sapphire, and Blaster, each of which were
> capable of wiping out most Windows systems, and did. Seems like a
> pretty credible claim.

But they didn't! You proved my point. Code Red, Nimda, Blaster, etc. all had the ability to wipe out the Internet and grind every machine to a halt. But they didn't. Code Red was probably the worst and it hit maybe 25% of the Windows machines. Why? Again - third party mechanisms (anti-virus, firewalls, intrusion prevention systems, etc.) contained that spread. Normalcy was restored within hours.

I have probably three dozen customers who saw very little trouble from Sobig, Blaster, or all the other viruses. Why? Good security measures like effective AV, host-IPS, monitoring, etc. An example of how third party mechanisms (independent of Windows or Microsoft) are doing their job to mitigate risks.

> It may not have happened yet, but that's because Windows is right
> now on a steep tangent of moving into the embedded world. Most embedded
> systems right now are not running Windows, but there is big growth in
> embedded Windows systems. So it very well might be just around the
> corner.

Embedded Windows is hardly a strong market. Sure, they have some little palm things and other simplistic devices. But even so, embedded Windows isn't going to run IIS or MS Word. Windows 2000 and embedded Windows may have some similar components, but they're not the same technologies. So, you're making an apples-to-oranges comparison.

> When the August NE American blackout happened, there was a
> significant report of some of the power grid being controlled by
> a Windows RPC DCOM system, which is precisely the Windows component
> that Blaster exploited. This may not have been the proximate cause
> of the blackout, but there's essentially no reason why it could not
> have been.

Yes, I have heard the same thing too. That situation could have been easily and painlessly mitigated with effective AV, a regular patching cycle, and a good firewall. A very modest investment in technology and time could have prevented such a problem. And a decent security auditor should have detected and reported that vulnerability. But, when companies make executive bonuses a priority and hire salespeople to do security audits, then they only have themselves to blame.

> And the 5% or so of Windows users who deploy these tools will be
> safe, at least from direct attack. I'm running a Linux system
> that is entirely safe from the Swen virus, and still I am
> laboring under a 300% increase in mail traffic for the last
> week due entirely to that single virus.

Get a firewall that blocks attachments. Easy as that. I haven't seen a single email with Swen at work. Not a single, solitary one. We have two mechanisms to handle that: outsourced spam/AV scanning and a firewall with an SMTP proxy.

> I disagree with the analogy. MS is the 900 lb gorilla,
> and the rest of the problems are spider monkeys. MS has:
> a near monopoly on desktops
> a near monopoly on document systems (Word, PowerPoint, Excel)
> the #1 position in servers
> the absolute worst security of all popular systems, by a long, long way
> I submit that security incidents & problems induced by Microsoft are greater
> than the sum of all other problems combined. An easy claim to back up,
> when you consider that most security incidents are cleaning up virus-infected desktops.

Wait, but Cisco IOS runs 90% of Internet traffic. So, isn't Cisco a 900 lb gorilla as well? Why aren't we breaking up Cisco?

Furthermore, read this article:

http://www.informationweek.com/story/showArticle.jhtml?articleID=6500344&pgno=1

It says that Linux has bugs too. And plenty of them. So the "absolute worst security" title is still up for contention.

Also, go to this web page:

http://www.cve.mitre.org/cve/

Typing in the keyword "Windows" results in 244 vulnerabilities. Type in "Linux" and it results in "347."

I got my ISS X-Force exploit list just a few days ago. I scanned through it. There were 44 exploits listed. 9 affected Windows platforms, 14 affected Linux platforms, and 9 affected both Linux and Windows. The remainder were specific applications or Apple (wow, even MacOS has exploits!).

There is no question that Windows has a lot of security issues. It is also the most popular system. It also has a lot of people who are committed to finding every hole in Windows. ISS's X-Force has a whole team of Windows experts who do nothing but beat on Windows machines night and day. eEye Digital does too. With all that scrutiny, it's not surprising that more holes would be found. It also is good in a way: since there are more resources committed to finding Windows holes, it follows that it is more likely that holes will be found.

The end result of this is that all platforms suck. And that flawed studies that exaggerate threats aren't helpful to the security or technology communities.

Andrew Plato
This archive was generated by hypermail 2b30 : Tue Sep 30 2003 - 10:52:26 PDT