[plug] Fwd: Nathan Hanks fails to secure Microsoft server, blames Linux culture for his own errors

Kai vk6ksj at westnet.com.au
Sat Jun 14 20:53:04 WST 2003


nice one Leon !

Leon Brooks wrote:

> FYI
> 
> ----------  Forward; originally to Continental Airlines 
> <investorrelationsdept at coair.com>, Nathan Hanks <nhanks at coair.com> and 
> sundry others ----------
> 
> Subject: Nathan Hanks fails to secure Microsoft server, blames Linux 
> culture for his own errors
> Date: Sat, 14 Jun 2003 20:06
> From: Leon Brooks <leon at cyberknights.com.au>
> To: Continental Airlines <investorrelationsdept at coair.com>, Nathan Hanks 
> <nhanks at coair.com>
> Cc: Barbara Darrow <bdarrow at cmp.com>, Linux Weekly News Letters 
> <letters at lwn.net>, Fredric Paul Editor <fpaul at cmp.com>
> 
> Quoting http://www.techweb.com/wire/story/TWB20030603S0012
> 
> 
>>Nathan Hanks, managing director at Continental Airlines, said,
>>"All the guys hacking Windows are Linux guys." Continental was
>>hit hard by SQL Slammer and "our CEO said we'd failed," Hanks
>>said.
> 
> 
> That's nonsensical, and a miserable excuse for your own poor IT
> security procedures. You _had_ failed in your job, and blaming your
> failure on others (as well as being "loser's limp") means you're also
> abandoning control of the problem.
> 
> I run SQL servers - *not* including Microsoft's - and I *never* expose
> them to the internet. To pick one example, PostgreSQL has *never* had a
> denial-of-service problem on the same scale as MS SQL Server has every
> year or two, but I still do not expose it to the Internet.
> 
> If you want to connect to something large and complex like an SQL
> database, throw together a new VPN and connect safely over that. It
> takes less than a minute under Linux (or almost any Unix, for that
> matter) and can be easily batched.
> 
> Speaking as a "Linux guy", I don't have the tools or the inclination to
> go bending Microsoft code, and nor do any of the scores of other "Linux
> guys" (and gals) I know. We're too busy building software (our own
> software) to bother tearing anyone else's down - even if we had the
> inclination.
> 
> Since the vast majority (something like 30,000 variants) of viruses are
> written for MS-Windows, and only a few (dozens for Mac OS X, a handful
> for Linux) for other systems, you should be looking to people with
> MS-Windows experience and familiarity for your culprits. Don't take my
> word for it, go and examine the hacked-site archives and see for
> yourself what they write, and what sites they deface.
> 
> The reason that viruses happen to MS-Windows is not because there are
> more MS-Windows crackers around (there are) but despite - or because of
> - the ready availability of complete source, vulnerabilities in
> MS-Windows and related software are considerably easier to find than
> elsewhere, and those vulnerabilities usually have much further-reaching
> consequences.
> 
> One decision leading to this can be found in the decision to make
> arbitrary network socket creation a public feature in MS-Windows-XP
> Home; now any program which runs on that platform can spoof traffic and
> bypass firewalls to attack other machines, so when a virus lands it has
> open slather. Not that the inherently insecure design of MS-Windows
> would make it difficult to escalate to "Ring Zero" anyway (for details,
> read http://security.tombom.co.uk/shatter.html and
> http://security.tombom.co.uk/moreshatter.html). <*>
> 
> Gafar Lawal's comment in the same article about "three times as many
> critical patches" is also meaningless. A "critical patch" for RedHat
> Linux includes anything that might possibly one day be turned into a
> denial-of-service; a "critical patch" for Microsoft means something
> like CodeRed, Nimda or Slammer. They have been shown to deliberately
> downplay risks in order to *seem* more secure, and it seems to have
> worked at least once: they've clearly fooled you.
> 
> "Critical patches" for Linux don't have the same tendency to break
> things that Microsoft's do, either. I use Mandrake Linux and Debian
> Linux, two completely different ways of doing things, and with two
> completely different packaging systems, and neither of them have *ever*
> supplied me with a patch that broke a system. Microsoft, on the other
> hand, seem to do that about annually.
> 
> The bottom line is that you began with a poor decision (to believe
> Microsoft propaganda and so use Microsoft software), compounded it with
> another poor decision (to open MS SQL Server to the internet), and are
> now seeking to "duck-shovel" the blame onto someone who's less likely
> to sue you for doing so than Microsoft. That's poor sportsmanship, too.
> For shame!
> 
> CRN and TechWeb really need a rap over the knuckles for posting
> sensationalist drivel as well. To them: you have more responsibility
> than individuals to support what you say or quote. On the other hand,
> you also deserve praise for actually publishing the email addresses of
> the journalist and editor and being willing to take responses directly.
> Many online publishers refuse to do this.
> 
> My final word to Nathan is: apologise publicly if you're man enough to
> do so. Face your faults and fix them, instead of throwing the blame for
> your own failures at an undeserving, altruistic Internet community.
> 
> Cheers; Leon
> 
> I speak here as an individual and not ex-officio in any of the offices
> listed below. The views of these organisations may (are likely to)
> differ from mine.
> 
> <*> These are cached at:
> http://www.google.com.au/search?q=cache:security.tombom.co.uk/shatter.html
> http://www.google.com.au/search?q=cache:security.tombom.co.uk/moreshatter.html
> 
> --
> http://cyberknights.com.au/     Modern tools; traditional dedication
> http://plug.linux.org.au/       Committee Member, Perth Linux User Group
> http://slpwa.asn.au/            Committee Member, Linux Professionals WA
> http://linux.org.au/            Committee Member, Linux Australia
> 
> -------------------------------------------------------
> 
> Cheers; Leon
> 
> 
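Leon's point above about never exposing a database listener to the Internet, and reaching it over a VPN instead, as an added example that is not part of the original mail or this thread: a small Python audit that reads a listener table and flags database ports bound to anything other than loopback or a trusted VPN subnet. The port list, the simplified two-column input format (not real netstat or ss output), the sample rows, and the 10.8.0.0/24 VPN subnet are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Database listener ports to audit (assumed list for this example).
# UDP 1434 is the SQL Server Resolution Service that SQL Slammer hit.
DB_PORTS = {
    ("tcp", 1433): "MS SQL Server",
    ("udp", 1434): "MS SQL Server Resolution Service",
    ("tcp", 5432): "PostgreSQL",
    ("tcp", 3306): "MySQL",
}

# Constructed listener table: "proto local_address:port" per line.
# Adapt the parser if you feed it real netstat/ss output.
SAMPLE_LISTENERS = """\
tcp 0.0.0.0:1433
udp 0.0.0.0:1434
tcp 10.8.0.1:5432
tcp 127.0.0.1:3306
tcp 203.0.113.10:22
"""


@dataclass
class Finding:
    proto: str
    address: str
    port: int
    service: str
    verdict: str

    def exposed(self) -> bool:
        return self.verdict.startswith("EXPOSED")


def parse_listeners(text):
    """Parse the two-column table into (proto, host, port) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        proto, local = line.split()
        host, port = local.rsplit(":", 1)
        rows.append((proto.lower(), host, int(port)))
    return rows


def classify(proto, host, port, trusted_nets):
    """Return a Finding for database ports, None for everything else."""
    service = DB_PORTS.get((proto, port))
    if service is None:
        return None
    if host in ("0.0.0.0", "::", "*"):
        # Wildcard bind: reachable on every interface, including the public one.
        return Finding(proto, host, port, service, "EXPOSED: bound on all interfaces")
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return Finding(proto, host, port, service, "ok: loopback only")
    if any(addr in net for net in trusted_nets):
        return Finding(proto, host, port, service, "ok: bound to VPN interface")
    return Finding(proto, host, port, service, "EXPOSED: bound to non-VPN address")


def audit(text, trusted_cidrs):
    """Audit a listener table; trusted_cidrs are the VPN subnets (assumed)."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for proto, host, port in parse_listeners(text):
        finding = classify(proto, host, port, nets)
        if finding is not None:
            findings.append(finding)
    return findings


def exposed_findings(text, trusted_cidrs):
    """Only the listeners that a firewall or rebind should take off the Internet."""
    return [f for f in audit(text, trusted_cidrs) if f.exposed()]


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTENERS, ["10.8.0.0/24"]):
        print(f"{f.proto}/{f.port:<5} {f.address:<15} {f.service:<35} {f.verdict}")
```

On the constructed table the script reports the two SQL Server listeners bound to 0.0.0.0 as exposed, accepts PostgreSQL on the VPN address and MySQL on loopback, and ignores SSH because it is not a database port. Binding the database to the VPN interface (or loopback behind an SSH tunnel) is what makes the "connect safely over a VPN" advice above enforceable rather than aspirational.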


