[ Gojko Vujovic @ 04.02.2003. 15:04 ] @
http://www.cnn.com/2003/TECH/b...02/01/microsoft.security.reut/

February 1, 2003

SAN FRANCISCO, California (Reuters) -- Computer security experts say
the recent "SQL Slammer" worm, the worst in more than a year, is
evidence that Microsoft's year-old security push is not working.

"Trustworthy Computing is failing," Russ Cooper of TruSecure Corp.
said of the Microsoft initiative. "I gave it a 'D-minus' at the
beginning of the year, and now I'd give it an 'F.'"

The worm, which exploited a known vulnerability in Microsoft's SQL
Server database software, spread through network connections beginning
January 25, crashing servers and clogging the Internet.

Public reminded of risks

It hit a year and one week after Microsoft Chairman Bill Gates sent a
company-wide e-mail saying Microsoft would make boosting security of
its software a top priority.

Microsoft placed responsibility on computer users who failed to
install a patch that had been available since at least last June.

"The single largest message is: keep your system up to date with
patches," Microsoft Chief Security Officer Scott Charney said.

But the philosophy of patching is fundamentally flawed and leaves
people vulnerable, Cooper said. For example, Microsoft didn't follow
its own advice as executives confirmed that an internal network was
hit by the worm.

"Microsoft was completely hosed (from Slammer). It took them two days
to get out from under it," said Bruce Schneier, chief technology
officer of Counterpane Internet Security, a network monitoring service
provider. "It's as hypocritical as you can get."

Fix could have nullified problems

"We should have done a better job" in protecting the company's own
network, Mike Nash, corporate vice president of Microsoft's security
business unit, said. "We understood some things customers were facing
and it, in some ways, helped us. It was a learning course."

There was another misstep on Microsoft's part that illustrates the
problems with patches, Cooper said.

In October Microsoft released a fix for a different SQL Server problem
that if installed in the expected manner would have made patched
systems vulnerable again, he said. "If I followed their advice I'd
have been vulnerable."

Microsoft spokesman Rick Miller said administrators were given the
option with the fix to install it so the patch was intact. He also
said he knew of no customers who installed the fix and were still hit
by the worm.

Implementing fix proves complex

But, most people installing the fix would not necessarily have known
how to install it in a safe way, Cooper countered.

Microsoft released a service pack that would have fixed the problems
the week before Slammer hit. But not only are there too many patches
to keep up with, people are reluctant to install them for fear they
will interfere with their systems.

Microsoft admits making a mistake with the SQL fix and has "egg on our
face" over being hit by the worm, Miller said.

"What this demonstrates and what we readily acknowledge is the patch
management process is too complex," he said. "Microsoft is committed
to reorganizing our patch system and delivering high-quality patches
in a streamlined way."

Demanding better products

Nash defended the Trustworthy Computing initiative, saying the
company's security process and culture have changed. For instance, all
Windows developers have received special security training, he said.

However, the fruits of that may not show up until future versions of
products are released, said Richard M. Smith, a Cambridge,
Massachusetts-based computer security consultant. "I'd rather they
focus on the problems we have today."

"The problem is the whole patch regime has lots and lots of problems,"
he said. "It would be much better if the software shipped from
Microsoft with fewer problems to begin with."

The solution: install patches, along with firewalls and other security
software and services, as well as demand better products from
Microsoft, the experts said.

Thinking of switching

In the meantime, Schneier said he was thinking of switching from
Windows to the Macintosh platform because of all the security issues.
"My wife has a Mac and she doesn't worry about viruses, trojans,
leaks...," he said.

A Consumer Reports survey last year found that virus infection rates
on Macs are half what they are on Windows, noted Smith. "Is that
because Macs are safer? I think the answer is yeah."
[ degojs @ 04.02.2003. 22:49 ] @
Quote:
"Trustworthy Computing is failing," Russ Cooper of TruSecure Corp.
said of the Microsoft initiative. "I gave it a 'D-minus' at the
beginning of the year, and now I'd give it an 'F.'"


We'll see how things stand when the new Windows server comes out in April. Judging products that were released 2-3 years ago in that light (while administrators can't be bothered to patch them with patches that have long been available) is a bit pointless.
That the current generation of servers is full of holes is well known. That administrators don't patch Windows until some virus hits is another story. Of course, a large part of the blame also falls on MS, because many things are 'enabled' by default, and that is why they take all this criticism. And they should take it.
As I said, we'll judge Trustworthy Computing when Win2003 Server comes out, and after that.

Quote:
"My wife has a Mac and she doesn't worry about
viruses, trojans, leaks...," he said.


I haven't heard anything dumber in a long time. When as many viruses are written for the Mac as for Windows, then we'll talk about it. End users aren't that exposed: install an antivirus, click on the definition update every now and then, and that's the end of the story. With servers it's a different story - the server has to be stopped, updated after prior testing, etc. etc.
Simply put, there are more people who don't understand much about computers using Windows than there are users of all the other OSes combined, times almost 10. Take some OS that not even 2% of people use and boast about how you don't get viruses.. well, there aren't any..

I use Windows a lot, I receive about 15 emails a day, and there's often a virus attached.. I still haven't been infected by a virus in all these years. I have an antivirus that has never failed me, but most often the message doesn't even reach Outlook - everything suspicious is deleted on the server already. In other words, you have to understand that the level of computer knowledge among people who use Win is on average lower than among users of other OSes. Find me someone who doesn't know much about computers but uses, say, Linux. There aren't any. It isn't hard to slip a virus to these 'ordinary people' who use Windows.
When another OS holds 90% of the desktop market, and the ordinary user has admin privileges by default (precisely for ease of use: go and explain to my neighbor what an admin is and why he should have a separate account for everyday use... pfff), then we'll talk about the security of that OS. I mean.... the story is longer and not so black and white.

Maybe it isn't right to say SLOWLY, but MS has always needed time.