Microsoft = Megatarget.
January 25, 2003 11:42 AM

Microsoft = Megatarget. A new worm is rapidly spreading across the Internet, functioning like a massive DDOS attack and crippling ISPs in South Korea. Its host? Microsoft SQL Server. (Get your fix on, then reboot!) What impact will it have over here, I wonder...
posted by insomnia_lj (63 comments total)
 
Essentially, Microsoft is wearing a big "kick me!" sticker on its back. As a result, there will always be a constant threat to their software so long as they insist on being the greediest, most monopolistic, most self-serving software company on the planet. Although they have made security their #1 priority, no amount of security can fully protect them -- all it can do is make their software less functional and infringe on the rights of their users, driving them elsewhere.

Of course, similar things could be said about the United States. . .
posted by insomnia_lj at 11:44 AM on January 25, 2003


the worm for crashing almost all Internet services in South Korea.
posted by thomcatspike at 11:47 AM on January 25, 2003


Holy slashdot drivel Batman, hot grits and Natalie Portman!

This is not a black and white issue that can be reduced to such a sweeping statement. Administrators are culpable. The question is whether MS makes it easy enough to keep up with patches. This vulnerability is six months old.
posted by machaus at 11:51 AM on January 25, 2003


Well, that was a troll...

Come on. Do you seriously think that the only reason Microsoft's products get targeted so much is because they're bad, bad people?
How about the simple fact that much of their software just isn't great on security, and then often doesn't get secured or updated well by the users, anyway? Working backwards from your logic, the people organizing DDoS attacks like this are motivated pretty much by politics. And we know how hackers just love politics. And why are they having the DDoS attack Microsoft itself, then?
MS software gets targeted because it's easy. This has been explained many times in the past.
posted by Su at 11:52 AM on January 25, 2003


Uh...aren't they having the DDoS attack Microsoft itself...
posted by Su at 11:53 AM on January 25, 2003


well, if MS would give out correct information regarding patches, it sounds like it would have much less effect.
posted by Vidiot at 11:55 AM on January 25, 2003


The worm's been mostly dealt with now — the backbones are blocking MS SQL's server resolution port and packet loss is back down to a little above normal — but this was a big one.

But, really, insomnia, you're too easy on Microsoft — do you think that security has become their #1 priority just because Bill Gates said so? Profitability and stock price are MS's top priorities, and if poor security becomes a marketing weakness, they'll deal with that; first, by claiming to be dealing with it, and then, by doing internal research to find what internal initiatives can increase security without decreasing profitability.

If MS wanted to increase security, wouldn't they spend at least a little of their marketing money on teaching their customers to apply vital security patches sooner than six months after they're released!?
posted by nicwolff at 12:01 PM on January 25, 2003


teaching their customers to apply vital security patches sooner than six months after they're released!?

Did your car manufacturer send you reminders to change your oil?
posted by machaus at 12:13 PM on January 25, 2003


Did your car manufacturer send you reminders to change your oil?

No, but they sent me notice when they found out that the driver's seat was defective... Which analogy might be more appropriate here?
posted by Llama-Lime at 12:19 PM on January 25, 2003


MS's approach to security flaws: ignore it as long as possible, quietly slip out a half-working patch but keep low-key so people don't keep hearing the words 'microsoft' and 'security hole' together and hope nothing bad happens. Then this comes along and they wonder why no one applied the patch when it came out.
posted by Space Coyote at 12:20 PM on January 25, 2003


>Did your car manufacturer send you reminders to change your oil?

No, but they'd tell me if my locks were about to break.
posted by shepd at 12:22 PM on January 25, 2003


It's not a DDOS, it's a worm. The fix has been available for six months and was part of more than one update. Some have said there might be a problem with the updater but this is only about end users updating MS SQL thoroughly, it's that simple.
posted by yonderboy at 12:31 PM on January 25, 2003


And, the head of Nissan didn't issue a press release Thursday claiming that their oil-change notification service would help me keep my car from being vulnerable.

Also, Nissan doesn't distribute a Nissan Baseline Oil-Change Analyser that lies to me about what maintenance my car needs.

Still want to make pissy little analogies defending Microsoft?
posted by nicwolff at 12:32 PM on January 25, 2003


It's a worm executing a DDOS, yonderboy. Microsoft SQL Server has zombified Windows servers all over the world, and someone started them waking each other up and spewing packets, and packet loss Net-wide was up around 20% by 1 AM as they ate up all available bandwidth.

It's a good thing they weren't port-hopping, or the lights might still be out.
posted by nicwolff at 12:39 PM on January 25, 2003


teaching their customers to apply vital security patches sooner than six months after they're released!?

Did your car manufacturer send you reminders to change your oil?


The better analogy there would be whether Microsoft reminded you to defragment your hard drive. Routine maintenance shouldn't need reminders, but major security risks should. Especially when you maintain a monopoly.
posted by benjh at 12:42 PM on January 25, 2003


And it's not so simple as "end users updating MS SQL". Jason and Matt are not professional sysadmins — hell, Jason spent the night in the pediatric ER before fixing this! — but Microsoft has sold them expensive buggy software on the proposition that it'll be easy to maintain and safe to use. Are you really proposing that MS is absolved of responsibility when that software gets exploited — especially after they did their best to keep it patched using the tools MS gave them?

Please.
posted by nicwolff at 12:47 PM on January 25, 2003


Argh. This worm downed my entire university's network for a period of 12 hours today. We just got connected again.....grrr. It's definitely not an obsolete problem...
posted by superfem at 12:48 PM on January 25, 2003


Sheesh Nicwolff, Matt's issue is isolated, and very hard to QA for in a lab. Windows Update likely keeps an internal database of applied patches, and if you move that database (registry) to a new drive without all the patches, it loses its value as a semaphore.

Routine maintenance shouldn't need reminders, but major security risks should.

These aren't consumer machines we are talking about, these are SQL servers. Every major OS vendor supplies a mechanism for updating a machine over the internet. Use them.
posted by machaus at 12:50 PM on January 25, 2003


well it could just as easily have been Oracle, so I don't know how much I want to blame Microsoft on this one. If your patches are up to date, and your attack surface is minimized (i.e. why in the world do people have open ports on the internet) you should be in good shape.
posted by stupidcomputernickname at 12:59 PM on January 25, 2003


People people, it's not Microsoft, it's Micro$oft.
posted by Stan Chin at 1:01 PM on January 25, 2003


Micros~1.oft
posted by machaus at 1:04 PM on January 25, 2003


Yay! Metafilter provides me with more uninformed ranting than I can stand, once again! Thanks, Metafilter! Next: fat people with ODD driving SUVs from Israel to Palestine!

Microsoft is a target because it represents millions of machines, not because they're a hated monopoly. Although Jason is now a pediatric resident well on his way to become a full-fledged MD, he is also a professional engineer, and keeps up with security issues. Notably, of the 37 advisories issued by CERT during 2002, twenty-four were for Linux and Unix. Now, some of the more effective exploits of discovered vulnerabilities have been for Microsoft systems, but very often the exploits' effect peaks long after Microsoft's patch has actually been issued. No, the folks at Redmond aren't perfect, and certainly they take a more, shall we say, aggressively capitalist tack toward their business. They do not always share the security concerns as expressed by others. But they do issue patches, and ultimately it is the unpatched systems that prove to be the locus of problems. Ultimately, security is more and more a concern of the little guy. That's not Microsoft's fault, but a natural outgrowth of the spread and democratization of personal computing.
posted by dhartung at 1:05 PM on January 25, 2003


This worm helped remind me how many ports are in use out there. The Internet is a lot more than just 80 and 25.
posted by gwint at 1:07 PM on January 25, 2003


nicwolff said: It's a worm executing a DDOS

Not true...

The main function of the Slammer worm is to continue propagation. No DDOS or backdoor functionality is incorporated into the worm.

via Internet Security Systems Microsoft SQL Slammer Worm Propagation Alert
posted by yonderboy at 1:25 PM on January 25, 2003


Uninformed, yeah. Except that I'm a network engineer running a Web/DB application-hosting provider with clients among the world's biggest companies. On Linux, Apache, Postgres, and Perl.

Jason's a smart guy. But if even smart diligent guys using all the tools Microsoft gives them can't keep a server secure from well-known exploits, then Microsoft is not just "not perfect" — they're culpable. It's their fault.

And nice try with the CERT advisory count. Gee, a third of last year's advisories were for one company's software? Good for them!
posted by nicwolff at 1:45 PM on January 25, 2003


yonderboy: technically, yes, there's no code in the worm that lets its authors coördinate its attack later, and that's the defining feature of a DDOS, so I'm wrong. But it sure is distributed, and it sure did deny a lot of service!
posted by nicwolff at 1:56 PM on January 25, 2003


Jason's a smart guy. But if even smart diligent guys using all the tools Microsoft gives them can't keep a server secure from well-known exploits, then Microsoft is not just "not perfect" — they're culpable. It's their fault.

Best practices in building servers generally require starting from scratch. What Jason and Matt did with swapping drives was an understandable trade-off against downtime and personal investment that unfortunately bit them. If you want to hold that against Microsoft, go right ahead.
posted by machaus at 2:09 PM on January 25, 2003


I don't even RUN Microsoft products on my servers, yet they are down and out.. Backbone routers DOWN. Data center routers are DOWN. This is costing me and my clients potential revenue, as well as invaluable customer confidence. So who do I get to blame for costing my business all this money?

Can I sue Microsoft?

Firestone got FUCKED when they released a faulty product. When will Microsoft be held to the same standards?
posted by afx114 at 2:20 PM on January 25, 2003


Every major OS vendor supplies a mechanism for updating a machine over the internet. Use them. — machaus

Yeah, right — except Windows Update doesn't patch SQL Server. Microsoft's Software Update Services doesn't either. And Matt says that Microsoft's Baseline Security Analyzer lied to him.

Still sure this wasn't Microsoft's fault?

Best practices in building servers generally require starting from scratch

Oh, OK, then as long as sysadmins all over the world stick to best practices then we'll be fine. Sounds like we agree, at least, that only enterprises with full-time MCSEs running their servers should deploy the Windows/IIS/SQL Server platform.
posted by nicwolff at 2:32 PM on January 25, 2003


nicwolff:

The worm did not reach critical mass by third party means like irc or email clients prior to the slowdown, that is the definition of 'distributed'. This worm propagated itself directly into its targets, two different terms with intentionally different meanings as they apply here. The general network slowdown occurred as a result of the speed with which it multiplied and propagated throughout the net, not because of flooding or some other directed, repetitive procedure performed from a remote system upon its targets. So, again, no distribution and no denials of service.
posted by yonderboy at 2:43 PM on January 25, 2003


In any case, I think this incident yet again proves the necessity of having diverse internet software. If any company had the same monopoly on servers that Microsoft has on the desktop... well, I'd rather not think of how long I'd lose my precious connectivity.

Once broadband is everywhere and everybody's beige Microsoft home PCs are continually connected to the net things could get much much worse.
posted by Llama-Lime at 2:45 PM on January 25, 2003


Just to clarify things, I did say that it functioned *like* a DDOS, but I was referring to the end effect. If it were a DDOS, I would have said as much.

I think it's naive to say that MS is targeted just because they're big, but not because they're a monopoly. Monopolies are, by definition, big. That's like asking whether light is a particle or a wave...

There is one thing I *will* say about exploits of MS' software as opposed to others -- they tend to be more malicious. I can only assume that some of that malice is due to people's feelings about Microsoft.

So, is Microsoft a company trying to do the best it can, or are they a company that releases faulty merchandise and should be held accountable?

Embrace the power of AND.
posted by insomnia_lj at 3:10 PM on January 25, 2003


Several auto analogies here ... like

Also, Nissan doesn't distribute a Nissan Baseline Oil-Change Analyser that lies to me about what maintenance my car needs. Still want to make pissy little analogies defending Microsoft?

and

Did your car manufacturer send you reminders to change your oil?
No, but they'd tell me if my locks were about to break.


and

Firestone got FUCKED when they released a faulty product. When will Microsoft be held to the same standards?

Seems, however, that a rather huge error of logic is present here in the (now just assumed) conclusion that Microsoft should shoulder all of the blame: The fact that in this instance (with SQL Server 2000) and any others you want to bring up, it is NOT a Microsoft product that just "broke" and started magically collapsing servers all over the internet.

THE DAMAGE IS CAUSED BY HACKERS.

Firestone made a flawed product that blew up under normal use. They did get "fucked". But if a group of people took it into their heads that they wanted to use rifles to shoot out Firestone tires on highways and cause major accidents - it would NOT be Firestone that would be blamed for not making absolutely bullet-proof tires ... the blame would rest, as it should, on the fuckwads doing the shooting. Saying that a company has a duty to somehow completely prevent malicious people from deliberately destroying their products, and that when damage is caused as the result of that criminal intent - it is the company, not the criminal, that is to blame is just bizarre.

Yet in looking over every post in this thread, while Microsoft is mostly blamed (with a couple folks defending), and poor administration is also mentioned ... there isn't a single mention of the CAUSE of the problem: The people that write and release attacks.

This weekend is an odd example of the paradoxical nature of the internet culture ... Mitnick's return to the internet is being damn near celebrated - as though he's some sort of freakin' rock star - at the same time as most of South Korea went down due to Mitnick wannabes ... and it is Microsoft that is being blamed.

You want to "sue Microsoft"? Probably a much better, longer-term solution would be for the world to start getting quite intense about hacking. Raise the stakes. Make certain there is mandatory prison time for people that cause severe damage - and let the victims of that damage sue the perpetrators of that damage ... let them know ... you want to release a virus that causes millions in economic damage - you'll be in jail, and when you're released, you'll spend the next 25 years paying back the people you harmed.
posted by MidasMulligan at 3:12 PM on January 25, 2003


yonderboy, that's silly. "DDOS" is a term of art which I was misusing for effect, and I 'fessed up. But "distributed" means "distributed", and SQL Server is unfortunately all over the Net. And "denial of service" means services were denied, which they were; there was a general network slowdown due to general flooding of core backbone routers, plus many denials of service due to flooding of many providers' gateways.

Llama-Lime: home PCs were probably a big part of the problem this time — a lot of people have SQL Server installed on their laptops or home PCs for dev purposes. Of course, these people are doing something very wrong, because they're supposed to have professional sysadmins applying best practices to any machine they put on the Net, so that Microsoft doesn't have to QA its software better.
posted by nicwolff at 3:14 PM on January 25, 2003


Also wanted to address the root of the problem.

Usability.

This is a usability issue. When *lots* of smart, dedicated people try to do their best and still have problems, it usually is.

Usability does not mean forcing thousands of people to do x if y happens. That's a workaround. That's a kludge.

Usability is when you install the software, forget about it, and it just works.
posted by insomnia_lj at 3:18 PM on January 25, 2003


I hold Microsoft responsible for this one. Why in hell would that port be open by default? The only people who'd need it would likely also be the ones who'd know how to enable it. Give everyone else a wizard with lots of "are you sure you want to do that?" warnings to enable. Having said that, how would we (and the slashdot crowd) react if MS products were required to "phone home" to get latest security updates in order to function? I bet most of us would hate it and accuse MS of some nefarious ulterior motive.
posted by TimeFactor at 3:35 PM on January 25, 2003


speaking of usability, I had the old sql server patched, but not the migrated one, but here's something I've always wanted to mention about it: patching ms sql server sucks.

With IIS, you just download an exe, double click it and reboot if necessary. Takes 30 seconds total if you don't have to reboot. SQL server on the other hand requires the downloading of a large package. Then you have to make backup copies of 15-20 individual files, then move the new files over the old ones. You then execute several scripts on the server, then run a few commands to make sure it is patched. The process takes about 15 minutes.

I thought that maybe SQL server installations are so complex and custom that they couldn't make a quick fix exe patch, but the installation instructions basically only offer two or three options (enterprise vs. not, clustered servers vs. not, etc). Why on earth can't they make a GUI to their sql server patches?
posted by mathowie at 3:42 PM on January 25, 2003


"How would we (and the slashdot crowd) if MS products were required to "phone home" to get latest security updates in order to function? I bet most of us would hate it and accuse MS of some nefarious ulterior motive."

Depends. I don't think most people would have a problem with it if they were just getting security upgrades.

The *real* threat is when Microsoft uses its position of power to do things like install DRM software on your computer...

What is clearly needed is for Microsoft to work with those who are seriously concerned about digital rights in order to craft a "good neighbor" policy regarding their automatic updating features, ideally with some kind of regular review to make sure that MS doesn't try to weasel around the spirit of the document.

Until then, it's patently obvious why people wouldn't trust Microsoft... which is another way to say that Microsoft's software won't be trustworthy until Microsoft itself is worthy of our trust.
posted by insomnia_lj at 3:47 PM on January 25, 2003


nicwolff, nothing silly about clarifying terms for the sake of discussion. The nature of the problem and its solution rely on agreed upon definitions, not a vague estimation of 'art'. That's like how the telco guys love to talk vaguely around clients they don't want to deal with onsite by intentionally using acronyms and terms they don't understand. All throughout the night network operators used these terms to understand and eliminate various possibilities regarding the worm's machinations.
posted by yonderboy at 3:52 PM on January 25, 2003


Midas, you are correct.. I only mentioned "can I sue Microsoft for this?" half-sarcastically to underscore the silliness in the fact that when these things happen, thousands of people get fucked, and thousands of people sweep it under the rug as "cost of doing business." It's like, "OK we just had our scheduled internet hack for the year, everyone keep on moving, nothing to see here." No one ever asks "Who is to blame?" People just accept these things as if they're supposed to happen. And that's bullshit. What's it going to take for some REAL things to be done about this? Do we wait until the next attack when the internet is completely crippled and takes the entire world economy with it? NO ONE EVER TAKES THE FALL. Someone needs to start pointing fingers. Whether the finger deserves to be pointed at Microsoft, hackers, or the sysadmins, well that's a whole entire discussion altogether.

I subscribe to the camp that when shit like this happens, it's good. We've been fortunate so far, it seems as if these attacks are just enough to wake people up, but not enough to completely destroy them. Take a hit for a few days, but as a result everyone's (hopefully) a little smarter and machines are (hopefully) a little more secure. Until the next time, that is... It's just a shame that those of us who know what we're doing have to shoulder the fallout/downtime/costs for those of us who don't.
posted by afx114 at 4:51 PM on January 25, 2003


It seems that the analogy of hackers zeroing in on the pressure points of MS software and exploiting them vs Anti-Firestone tire snipers taking shots at Firestone tires and then the aggrieved party turning around and suing Firestone because somebody else's nefariousness caused the tire failure is akin to the old comparison between apples and oranges.

If I'm not mistaken, that which is hacked and exploited by a sentient "sniper" if you will, is exactly what improves the quality of software. Hackers, I've always been led to believe, are a necessary evil. Were it not for them, there would be no impetus for perfection. Which is also, I'll unqualifiedly throw in, what makes open source gpl software that much more robust.

I've heard it said and seen it written many a time in my stint aboard the world wide web, that were Microsoft not so concerned about protection of their proprietary code (that gpl software, mind you, has apparently already demonstrated it can do just as well if not better, for free, than anything microsoft can), these security issues wouldn't need be solved only once vast damage has been done and then turned over to, though a crack team at Microsoft to be sure, but one that is limited insofar as its code can only be known by so few. Of course this argument goes back nearly two decades.
posted by crasspastor at 5:50 PM on January 25, 2003


For what it's worth, 'internet services in South Korea' were not 'taken down'. I couldn't reach about half of the sites I normally hit for about 8 hours. That was it.
posted by stavrosthewonderchicken at 6:31 PM on January 25, 2003


To sidestep the blame discussion, I'm with yonderboy on the language part. These terms do have an agreed-upon meaning that is quite specific, and using them improperly dilutes their meaning and therefore their usefulness.
posted by blissbat at 6:35 PM on January 25, 2003


Just as a footnote as to how serious this attack was, this article indicates that the worm also took down most of Bank of America's automatic teller machines in Korea.

Microsoft is warning users of Visual Studio .NET and Office XP Developer Edition to update their patches -- the MSDE component in MS-SQL that was targeted by the worm also exists in these programs, making them highly vulnerable to future attacks.

... and the beat goes on.
posted by insomnia_lj at 6:38 PM on January 25, 2003


THE DAMAGE IS CAUSED BY HACKERS.

oh, god. ignorance never ends.
posted by Mars Saxman at 7:12 PM on January 25, 2003


the worm also took down most of Bank of America's automatic teller machines in Korea.

I've lived here in Korea on and off for 7 years, and I've never once seen a Bank of America ATM.

Just saying. I hate Microsoft as much as the next guy, but I think you're overcharacterizing the disruption here, _lj.
posted by stavrosthewonderchicken at 7:16 PM on January 25, 2003


A few things...

1. Mars: THANK YOU. I was going to say the same thing. And for anyone who didn't click the link, the point is that the term 'hacker' is always mis-used by the media and society in general--a 'hacker' is simply someone who enjoys tinkering with computers, pushing their limits, being very knowledgeable about them, etc.

A cracker is a malicious hacker (or more often, hacker wannabe, i.e. someone not even motivated enough to learn the system inside and out, but who just wants to know how to break it) and it is they who are responsible for stuff like this.

Hackers good. Crackers bad.

2. Why the heck is there a Bank of America ATM *anywhere* outside of the US? Makes no sense to me...and I am being half serious :P

3. As for blame assignment, I'd just like to say that it's everybody's fault ('everybody' meaning Microsoft, the crackers who perpetrated the worm, and anyone running the affected servers). Yes, Midas, it is the crackers' fault, without their malicious intent the security hole would never have been used in this way.

But, it is also most definitely Microsoft's fault, both for allowing such a security hole to exist in their product (I still find it absolutely disgusting that a company with so much wealth churns out such low-quality products) and for not properly alerting its customers to the hole as soon as it was found. This is a classic Microsoft tactic, as mentioned before--they are so damn quiet about any security holes because they're afraid of bad publicity, but as a result things like this happen. Code Red I/II, anyone?

And, of course, it is also the sysadmins' fault for having DB servers accessible to the Internet. That's just terrible network design, I'm sorry. Internet access to a computer is not adding value, it's usually a BAD thing, and should only be enabled when absolutely necessary for work.
posted by cyrusdogstar at 8:43 PM on January 25, 2003


I don't think the problem is MS making insecure software. Open source software can be buggy and full of holes too. MS admit holes and roll out patches about as well or as badly as any other vendor.

The fault is more subtle. Something I've observed over the years is that Windows sysadmins do not have the same confidence as admins of other platforms that a patched box will reboot successfully, or that they can roll changes back cleanly if they break. This makes them more reluctant to apply patches, and gives an incentive to wait until some other sucker has shown they can be safely applied. If your performance is measured in service uptime, security patches are just one consideration that has to be weighed along with others.


It's the way that Windows services are so reliant on each other, and service packs so opaque to users, that reflects badly on MS, not their security, which is not that bad.
posted by i_am_joe's_spleen at 9:22 PM on January 25, 2003


ROFLMAO at Mida$Mulligan.
posted by quonsar at 9:30 PM on January 25, 2003


Why the heck is there a Bank of America ATM *anywhere* outside of the US? Makes no sense to me...and I am being half serious :P

Why is there a Bank of Guam in San Francisco?

But I do have to agree with i_am_joe's_spleen. Working for a very large and diverse system I can say that we frequently lag way behind on security patches because full testing can take months and as much as possible we limit infrastructure upgrades to very scheduled periods of the year. This is true of all platforms, but plays a large role in why we avoid Microsoft where possible, it just takes even longer.

So, despite highly skilled sysadmins and a very close watch of security issues, we have to create a longer window of vulnerability because the risk of a patch breaking something else is a very high concern as well.

I have no idea if this is true, but the local call-in radio computer show this morning was speculating that Asia (and particularly South Korea) were so hard hit because pirated copies of the software are much more prevalent, and pirated copies are less likely to be patched properly.
posted by obfusciatrist at 9:57 PM on January 25, 2003


A few contributions of my own:

Blame or don't blame Microsoft -- as is too often the case with this issue, people are going to take their preconceived slant and manipulate the facts to support it. But I'm more than willing to take a personal part of the blame on the server getting affected today, because I'm the network admin that fucked up and replaced a general "deny all ip traffic" rule on the firewall with a "deny all tcp traffic" rule. I can't blame Microsoft for that one.

Cyrusdogstar and others, I really can't stand that you still persist with the "Microsoft sucks for not letting people know that this bug existed" bullshit. The patch has been available since July 2002, out there in the open and where any and all SQL Server admins would expect to find it. Matt and I actually applied the patch to the old server; as machaus said, we made a tradeoff when we migrated to the new machine that bit us in the ass, and we paid for that this morning. So be it; it's a fucking community site, and the time that Matt or I or anyone else devote to it is donated time that comes from other things in our lives. You can be sure that if either of us were working and being paid to administer the site, we'd put more care into it.

Nicwolff, I love that the general rebuttal for the CERT stuff is "nice try!" without any other explanation. It's a fact that Linux and other open-source-like operating systems suffer from buffer overruns; it's a fact that there are worms and bugs that thrive in the LAMP world. (And I'd bet that that second one, the apache chunk-encoding bug, is still unpatched, alive, and well on many an apache server out there!) Both MS software and the alternatives have bugs, and all of them are bad; MS bugs are also bad because of the exposure (there are so many more machines running MS software), and as Linux and its ilk gets more popular, the same will hold true for that world. The only reason that a vulnerability like this isn't a big deal is that there are, like, five people in the world that use that web application, not that it's not dangerous. And by the way, as of right now, there are 4 CERT advisories for 2003, two that affect Linux and two that affect Windows, all of which allow the execution of arbitrary code.

Oh, and while I generally agree with Matt's sentiment about the SQL Server patch process being a pain in the ass, the latest service pack installed like you'd expect it to -- I just double-clicked, and ran and rebooted. (And they even explain in the readme how to do it so that you don't have to reboot, if you're so inclined; in my sleep-deprived state this morning, though, I didn't care whether or not there was a reboot and let it be.)
posted by delfuego at 10:12 PM on January 25, 2003


Probably a much better, longer-term solution would be for the world to start getting quite intense about hacking.

Probably a much better, longer-term solution would be for the world to start writing more secure code and knowing what they're doing.

This worm has been a very gentle wake-up call. It does not damage the host! It only hoses its network connection. I can imagine numerous very easy add-ons for this that would make it much more deadly.

You can talk all you want about punishing the perpetrators, but the fact remains that if your machine fell victim to this worm, it is utterly incapable of operating as an enterprise server, primarily because of your incompetence in setting up the server and trusting the incompetent people who wrote the software in the first place.

People who try to solve technological security problems with social methods are in for a very rude awakening: it does not work. In many cases, you will not be able to track the perpetrators no matter how hard you try, because they are smart enough to demolish all traces; all you are left with will be unusable systems and your own rage.

Keep your boxes secure. Don't run Microsoft software on servers. If for some reason you have to, never ever let the world talk to it - only your own other servers. Expect to be punished for running inadequately engineered and maintained software.
posted by azazello at 11:16 PM on January 25, 2003


People who try to solve technological security problems with social methods are in for a very rude awakening
w3rd.
posted by holloway at 1:19 AM on January 26, 2003


"And they even explain in the readme how to do it so that you don't have to reboot, if you're so inclined; in my sleep-deprived state this morning, though, I didn't care whether or not there was a reboot and let it be."

Actually, the people recommending a reboot in this case were Symantec, which is why I specifically recommended rebooting in the post -- when it comes to security, I trust them to know more than Microsoft does about Microsoft's software.

I'm not going to defend the rationality of that statement, mind you... just leave it out there as a kind of example. Microsoft has a *lot* of work to do before they are seen as the authority on the security of their products. A whole industry has developed, largely to do the work that Microsoft has failed to do themselves.
posted by insomnia_lj at 4:18 AM on January 26, 2003


And furthermore Midas et al affiliated therein. It seems as if there is this commonly held belief that "hackers" (I did understand the actual term to be "crackers" as well, but for ease of semantics. . .) act in some sort of continual activism for some particular "communistic" cause. When in fact, many could be mercenaries, if you will, paid by a cause that requires the hacker/cracker's expertise.

Shit, what would stop a corporation from attacking itself, accruing a host of frivolous lawsuits that in turn, when covered properly by the media they own, would amount to the same kind of chagrin by the commoner when he hears of some absurd lawsuit leveled on McDonalds, say. Whether we like to admit it or not, the coverage of these lawsuits makes good business sense.

Idiotic People vs. Big Junk-Food Corp.

"Sure McDonalds is a place you'd never want to eat at all the time, but what harm did they cause?"

Hackers Bad. Microsoft Good.

Against all odds, the people would rather defend a corporation, getting nothing in return, than actually taking their own destinies into their hands. That is, when the media all but covers any kind of quest for justice when it makes the seekers of such appear as fools, thereby emaciating the definition of "justice" and "justice system" itself, how does real humane justice ever get a fair shake? We're more glued to the box to see what happens to Ronald and his annoying litigants, Joe M, Bachelorette etc than we are to recognize that we live in a fucking sick ass fucking society. Look at the utter lack of coverage of the MS antitrust trial for example. I couldn't even tell you about that.

I dunno. Might be a stretch of a causal link (MS/McDs) and the going capitalist justification of rights for corps but not for citz and citz who gratis make excuses for them. But I don't think so.

Both corporations I'll point out begin with the letter M.

Put that in your pipe and smoke it.
posted by crasspastor at 4:40 AM on January 26, 2003


Yet another analogy:
Let's say we had oh, a dozen airliners crash killing all aboard in the last year. And let's say that all of those airliners were manufactured by Boeing.
Would you expect the media to run stories questioning the safety of airplanes in general, or would you demand scrutiny of Boeing and its quality control and maintenance practices?
posted by 2sheets at 10:19 AM on January 26, 2003


quonsar put that in his pipe, smoked it, got all smiley, and ♥ crasspastor.
posted by quonsar at 8:38 PM on January 26, 2003


... as Linux and its ilk gets more popular, the same will hold true for that world — delfuego

Apache is running twice as many Web servers as IIS right now. Presumably most of them are on Linux. And yet...

And by the way, as of right now, there are 4 CERT advisories for 2003, two that affect Linux and two that affect Windows, all of which allow the execution of arbitrary code.

It freaks me out that Microsoft's customers adduce the fact that half of all exploits reported by CERT this year are for one vendor's software in defense of their choice of that company's products.
posted by nicwolff at 8:11 AM on January 27, 2003


Nic, I use CERT's advisories as a justification for buying Microsoft as much as you probably do for buying non-MS alternatives -- that is to say, not at all. I just point it out as an observation, since people tend to bitch and whine about MS being so much more insecure.
posted by delfuego at 10:37 AM on January 27, 2003


Wow, you really can't hear what I'm saying: CERT says MS is as insecure as all other operating systems put together!

I don't want to sound so snarky: you do a good thing very well hosting and maintaining the MeFi server, and if the Microsoft platform makes that possible, then yay Microsoft.

But bitching and whining about their security practices is appropriate and worthwhile. And, yeah, fun.
posted by nicwolff at 11:04 AM on January 27, 2003


the point is that the term 'hacker' is always mis-used by the media and society in general

That's like the mother who looks at a photo of her son in an Army parade and says proudly, "Look, everyone but Johnny is out of step!"

Once everyone but you is using a word a certain way, the meaning of the word has changed. The primary definition of the word "hacker" is now people that attack computers. We got to reclaim the word "geek" as a positive term, so let's call it even, eh? Mainstream America will never start using the word "cracker" for computer criminals; the epithet already has a well-established meaning having nothing to do with computers.
posted by kindall at 11:12 AM on January 27, 2003


As a final note, I figured I would point out this article in the NY Times which indicates how any company running Microsoft's software can very easily become a victim of viruses/worms, no matter who they are.

Of course, the victim in this case was Microsoft.
posted by insomnia_lj at 10:05 AM on January 28, 2003


The RIPE Network Coordination Centre has put out a summary and data report on the attack.
posted by yonderboy at 4:00 PM on February 13, 2003

