[plug] Fwd: Nathan Hanks fails to secure Microsoft server, blames Linux culture for his own errors

Leon Brooks leon at brooks.fdns.net
Sat Jun 14 20:11:01 WST 2003


FYI

----------  Forward; originally to Continental Airlines 
<investorrelationsdept at coair.com>, Nathan Hanks <nhanks at coair.com> and 
sundry others ----------

Subject: Nathan Hanks fails to secure Microsoft server, blames Linux 
culture for his own errors
Date: Sat, 14 Jun 2003 20:06
From: Leon Brooks <leon at cyberknights.com.au>
To: Continental Airlines <investorrelationsdept at coair.com>, Nathan Hanks 
<nhanks at coair.com>
Cc: Barbara Darrow <bdarrow at cmp.com>, Linux Weekly News Letters 
<letters at lwn.net>, Fredric Paul Editor <fpaul at cmp.com>

Quoting http://www.techweb.com/wire/story/TWB20030603S0012

> Nathan Hanks, managing director at Continental Airlines, said,
> "All the guys hacking Windows are Linux guys." Continental was
> hit hard by SQL Slammer and "our CEO said we'd failed," Hanks
> said.

That's nonsensical, and a miserable excuse for your own poor IT
security procedures. You _had_ failed in your job, and blaming your
failure on others (as well as being "loser's limp") means you're also
abandoning control of the problem.

I run SQL servers - *not* including Microsoft's - and I *never* expose
them to the internet. To pick one example, PostgreSQL has *never* had a
denial-of-service problem on the same scale as MS SQL Server has every
year or two, but I still do not expose it to the Internet.

If you want to connect to something large and complex like an SQL
database, throw together a new VPN and connect safely over that. It
takes less than a minute under Linux (or almost any Unix, for that
matter) and can be easily batched.

Speaking as a "Linux guy", I don't have the tools or the inclination to
go bending Microsoft code, and nor do any of the scores of other "Linux
guys" (and gals) I know. We're too busy building software (our own
software) to bother tearing anyone else's down - even if we had the
inclination.

Since the vast majority (something like 30,000 variants) of viruses are
written for MS-Windows, and only a few (dozens for Mac OS X, a handful
for Linux) for other systems, you should be looking to people with
MS-Windows experience and familiarity for your culprits. Don't take my
word for it, go and examine the hacked-site archives and see for
yourself what they write, and what sites they deface.

The reason that viruses happen to MS-Windows is not that there are
more MS-Windows crackers around (there are) but that, despite - or
because of - the ready availability of complete source, vulnerabilities
in MS-Windows and related software are considerably easier to find than
elsewhere, and those vulnerabilities usually have much further-reaching
consequences.

One decision leading to this can be found in the decision to make
arbitrary network socket creation a public feature in MS-Windows-XP
Home; now any program which runs on that platform can spoof traffic and
bypass firewalls to attack other machines, so when a virus lands it has
open slather. Not that the inherently insecure design of MS-Windows
would make it difficult to escalate to "Ring Zero" anyway (for details,
read http://security.tombom.co.uk/shatter.html and
http://security.tombom.co.uk/moreshatter.html). <*>

Gafar Lawal's comment in the same article about "three times as many
critical patches" is also meaningless. A "critical patch" for RedHat
Linux includes anything that might possibly one day be turned into a
denial-of-service; a "critical patch" for Microsoft means something
like CodeRed, Nimda or Slammer. They have been shown to deliberately
downplay risks in order to *seem* more secure, and it seems to have
worked at least once: they've clearly fooled you.

"Critical patches" for Linux don't have the same tendency to break
things that Microsoft's do, either. I use Mandrake Linux and Debian
Linux, two completely different ways of doing things, and with two
completely different packaging systems, and neither of them has *ever*
supplied me with a patch that broke a system. Microsoft, on the other
hand, seems to do that about annually.

The bottom line is that you began with a poor decision (to believe
Microsoft propaganda and so use Microsoft software), compounded it with
another poor decision (to open MS SQL Server to the internet), and are
now seeking to "duck-shovel" the blame onto someone who's less likely
to sue you for doing so than Microsoft. That's poor sportsmanship, too.
For shame!

CRN and TechWeb really need a rap over the knuckles for posting
sensationalist drivel as well. To them: you have more responsibility
than individuals to support what you say or quote. On the other hand,
you also deserve praise for actually publishing the email addresses of
the journalist and editor and being willing to take responses directly.
Many online publishers refuse to do this.

My final word to Nathan is: apologise publicly if you're man enough to
do so. Face your faults and fix them, instead of throwing the blame for
your own failures at an undeserving, altruistic Internet community.

Cheers; Leon

I speak here as an individual and not ex-officio in any of the offices
listed below. The views of these organisations may (are likely to)
differ from mine.

<*> These are cached at:
http://www.google.com.au/search?q=cache:security.tombom.co.uk/shatter.html
http://www.google.com.au/search?q=cache:security.tombom.co.uk/moreshatter.html

--
http://cyberknights.com.au/     Modern tools; traditional dedication
http://plug.linux.org.au/       Committee Member, Perth Linux User Group
http://slpwa.asn.au/            Committee Member, Linux Professionals WA
http://linux.org.au/            Committee Member, Linux Australia

-------------------------------------------------------

Cheers; Leon
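[Editor's note, not part of Leon's mail.] The practical point above is that the
database listener should never have been reachable from the Internet: SQL
Slammer spread over UDP 1434 (the SQL Server Resolution Service port), and the
mail's remedy is to reach the server only over a VPN. The script below is an
added example in that spirit, not Leon's code and not anything Continental
ran. It audits a constructed `ss -lntu`-style listing for database ports bound
to a wildcard address, and emits iptables rules that admit the database ports
only on a VPN interface and drop them everywhere else. The port list (1433/tcp,
1434/udp for MS SQL; 5432 for PostgreSQL), the interface name `tun0` and the
sample listing are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original mail): find database listeners that are
# bound to every interface, and generate firewall rules that confine them to a
# VPN interface. POSIX sh; no external tools beyond printf/grep.

# Assumed database ports: 1433 (MS SQL TDS), 1434 (MS SQL Resolution Service,
# the UDP port SQL Slammer used), 5432 (PostgreSQL).
DB_PORTS="1433 1434 5432"

# Constructed sample in the shape of `ss -lntu` output: "proto localaddr:port".
# 10.8.0.1 stands in for an address on the VPN interface; 127.0.0.1 is loopback.
SAMPLE_LISTENERS='tcp 0.0.0.0:1433
udp 0.0.0.0:1434
tcp 127.0.0.1:5432
tcp 10.8.0.1:5432
tcp 0.0.0.0:22'

# exposed_db_listeners LISTING
# Prints "proto port" for every database port bound to a wildcard address
# (0.0.0.0, *, :: or [::]); those are reachable from any interface, Internet
# included. Listeners on loopback or a specific (VPN) address are not reported.
exposed_db_listeners() {
    printf '%s\n' "$1" | while read -r proto laddr; do
        [ -n "$laddr" ] || continue
        addr=${laddr%:*}      # everything before the last colon
        port=${laddr##*:}     # everything after the last colon
        case " $DB_PORTS " in
            *" $port "*) ;;   # a database port: keep checking
            *) continue ;;    # not a database port (e.g. ssh): ignore
        esac
        case "$addr" in
            0.0.0.0|'*'|'::'|'[::]') printf '%s %s\n' "$proto" "$port" ;;
        esac
    done
}

# vpn_only_rules VPN_IF
# Emits iptables commands: accept each database port on VPN_IF, then drop that
# port on every other interface. Order matters, so ACCEPT is appended before
# DROP for each port/protocol pair. Pipe the output to sh to apply it.
vpn_only_rules() {
    vpn_if=$1
    for port in $DB_PORTS; do
        for proto in tcp udp; do
            printf 'iptables -A INPUT -i %s -p %s --dport %s -j ACCEPT\n' \
                "$vpn_if" "$proto" "$port"
            printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' \
                "$proto" "$port"
        done
    done
}

# Stand-alone run: report exposed listeners in the sample, then show the rules.
exposed_db_listeners "$SAMPLE_LISTENERS"
vpn_only_rules tun0
```

On the sample listing the audit reports `tcp 1433` and `udp 1434` and stays
quiet about the PostgreSQL listeners on loopback and the VPN address, which is
the configuration the mail argues for. On a live host replace the sample with
`ss -lntu | awk 'NR>1 {print $1, $5}'` (or `netstat -lntu` on a 2003-era box).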
