[plug] Fwd: Gafar Lawal, director of architecture, demonstrates his ignorance of architecture
Leon Brooks
leon at brooks.fdns.net
Sat Jun 14 22:52:20 WST 2003
FYI
---------- Forward; originally to ML <Investor_Relations at ml.com>, ML
Media Relations <Timothy_Cobb at ml.com>, Gafar_Lawal at ml.com ----------
Subject: Gafar Lawal, director of architecture, demonstrates his
ignorance of architecture
Date: Sat, 14 Jun 2003 22:48
From: Leon Brooks <leon at cyberknights.com.au>
To: ML <Investor_Relations at ml.com>, ML Media Relations
<Timothy_Cobb at ml.com>, Gafar_Lawal at ml.com
Cc: Barbara Darrow <bdarrow at cmp.com>, Linux Weekly News Letters
<letters at lwn.net>, Fredric Paul Editor <fpaul at cmp.com>
Quoting http://www.techweb.com/wire/story/TWB20030603S0012
> "It's Microsoft's fault and it's our fault also," said Gafar Lawal,
> director of architecture at Merrill Lynch. "We were vulnerable
> [because] our process did not handle the number of patches. We
> also took very seriously that our partner [Microsoft] had such a
> flaw in their code."
>
> But Lawal and others said Microsoft is not unique in its
> vulnerabilities. "We have a Linux server that has three times
> the critical updates as our Windows server," he said.
Gafar, your MS-Windows server arrived with maybe half a dozen services
available and probably had all of them running until you shut them off.
If you add a big service, say MS-SQL-Server, you might have the
equivalent of 20 or 30 Linux packages installed on your machine.
I use Mandrake Linux 9.1, which arrives with over 800 packages, zero of
which will be accessible from the Internet after a "kitchen-sink"
install and without the installer switching anything off.
The "critical updates" you speak of cover all 800+ packages on Linux
but only the equivalent of about 20 or 30 on MS-Windows, so in a
parity situation you would expect to see roughly thirty to forty times
as many updates listed. Blow for blow, the Linux server you speak of
is ten times less buggy than your MS-Windows server already.
But the situation is not even blow-for-blow. Microsoft's idea of a
"critical update" is for something like CodeRed, Nimda or Slammer.
At http://www.mandrakesecure.net/en/advisories/updates.php?dis=9.1 (and
look for red padlocks) we see that Mandrake 9.1 has had 45 total patch
releases to date. 5 of them are duplicates because the packages went
out without an encrypted signature, another is a dupe because the
original fix included things that didn't need fixing, leaving 39. 27 of
those are listed as "critical".
Many of those are for such things as (MDKSA-2003:036) fixing maths
errors in image handling. Of the remainder, the vast majority of
vulnerabilities are _potential_ vulnerabilities; that is, they have no
known working exploit, and in many cases have no theoretical exploit
either.
Leaving that aside, many of the remaining vulnerabilities do not
involve any "privilege escalation" - or as CERT Advisory CA-96.13 puts
it, the case where "Non-privileged primitive users can cause the total
destruction of your entire invasion fleet and gain unauthorized access
to files." Most of Microsoft's do.
We're not finished yet. Consider MDKSA-2003:048, which fixes a
vulnerability in EOG. Eye Of Gnome is an image viewer. Would you ever,
let alone regularly, use it on a server? I have seven image viewers
installed (I like to experiment), not counting potential viewers like
graphics editors, scanner/camera managers, the previewers in file
managers, office suites and so on. Odds are therefore 1/7 that I would
use the impacted application even if I did run it on a server. As it
happens, I don't; I prefer Kuickshow in a GUI, or from the command line
the ImageMagick "display" command.
Counting through all of the listed vulnerabilities and picking out the
ones that would impact a default installation to do secure web-enabled
database activities plus email transport, remote administration and a
GUI interface - the equivalent of MS-Windows, IIS, MS SQL Server and
MS-Exchange rolled into one, there are eight. One of them (a kernel
update) requires a reboot after installation.
So... eight actual critical updates, one of them in the OS and one of
them in the webserver. Since the release of Mandrake 9.1 in March,
MS-Windows 2000 and IIS alone have logged patches for three "invasion
fleet" severity patch bundles beyond Service Pack 4, which in itself
rolled in a large number (difficult to assess) of patches.
Over the last year (well, 14 months), Mandrake Linux (from 8.2) has
recorded 2 OS (kernel 2.4) patches (one of which had a simple and
instant no-reboot workaround) and 3 Apache (webserver) patches and zero
PHP (ASP-equivalent) patches. Total "critical updates" potentially
impacting our hypothetical server, about 25.
MS-SQL-Server 2000 Service Pack 3a was also released, but the
description makes it difficult to decide exactly how many patches that
involves - and if you're using the "Desktop Engine (MSDE 2000)" version
there's more bad news confronting you in the form of a pageful of
directions on finding out what to patch and how before you even start.
Each vulnerability that I can find specifies arbitrary code execution
or worse. Compare this with a total of two (related) vulnerabilities in
the last year for PostgreSQL.
The MS-Exchange 2000 "March 2003 Post-SP3 rollup" contains over 70 new
or patched files and requires you to uninstall (yes!) the previous set
of patches before applying it. All the while your email server is down.
Any of the very rare updates for PostFix (a good example of a Linux
MTA; no patches at all in well over a year) typically involves under
half a second of email outage and no reboots.
I don't even understand how to account for the number and complexity of
the Microsoft patches involved here, so I agree that this is a problem,
but to pluck a figure out of the air? Call it 120 individual patches a
year, one every three days on average.
Each of these Microsoft "patches" may roll together work on multiple
vulnerabilities in multiple systems, whereas the Linux patches
typically fix a single vulnerability and by definition do it in a
single system.
How about response time? The KDE developers once took a vulnerability
from bug report to tested deliverable in 95 minutes.
Accountability? You were reportedly "impressed with Microsoft's
response to the [Slammer] problems" but what about their response to
the "Shatter Attacks?" Microsoft may find a way to fix that ongoing
vulnerability in Longhorn, five years down the track, but probably
not. It is a design insecurity right at the core of MS-Windows and
there is no simple way around it. The corresponding insecurity in
Linux doesn't exist, can't exist, because a completely different
mechanism occupies that spot on the flow diagram.
Then we consider the server population. Even for a relatively light
load, Microsoft would recommend that you have a separate server for
MS-Exchange and another for MS-SQL-Server. That's three servers to
maintain and pay for instead of one. And they'd probably also ask you
to add an expensive Cisco router to the collection to firewall it.
There are also a number of features which make individual services much
easier to lock down under Linux than under Windows. Capabilities,
chrooting, chattr and so on within a single OS image. User Mode Linux
for completely partitioned services - it's a simple matter to run any
service under its own specialised UML kernel that has a no-op (or
scream-the-house-down) response to certain OS functions for managing
ownership of files or opening network sockets other than in prescribed
ways. This means that even if an attacker gains total and complete
control of a service, all it does is call attention to his actions and
replace his victim with a fresh, clean copy a few microseconds later.
The final clincher for me is that I have never had an update break a
server. I could have left all of my Linux servers on auto-update for
about the last five years without a care in the world, were I not
naturally suspicious. On the other side of the fence, Microsoft's
updates are renowned for breaking things.
Back your statement up with specifics, Gafar, or retract it. As it
stands it is at best irresponsible, and certainly looks clumsy and
ill-informed for a "director of architecture" at a world-renowned
firm.
Cheers; Leon
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Committee Member, Perth Linux User Group
http://slpwa.asn.au/ Committee Member, Linux Professionals WA
http://linux.org.au/ Committee Member, Linux Australia
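The counting Leon does by hand above (dropping re-issued advisories, then keeping only those for packages that are installed and network-exposed in the server's role), as an added example in Python that is not part of the original email; the advisory ids, packages and severities are constructed sample data, not real MDKSA records.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Advisory:
    advisory_id: str       # constructed id, not a real MDKSA number
    package: str           # package the fix applies to
    critical: bool         # vendor severity flag
    reissue_of: str = ""   # set when this re-releases an earlier advisory (e.g. to add a signature)
    needs_reboot: bool = False


def triage(advisories: List[Advisory], installed: Set[str], exposed: Set[str]) -> Dict[str, int]:
    """Count advisories the way the email counts them by hand:
    collapse re-issues, keep only installed packages, then count the
    critical ones that touch packages exposed in this server's role."""
    seen: Set[str] = set()
    unique: List[Advisory] = []
    for adv in advisories:
        key = adv.reissue_of or adv.advisory_id
        if key in seen:            # duplicate release of a fix already counted
            continue
        seen.add(key)
        unique.append(adv)
    on_box = [a for a in unique if a.package in installed]
    critical = [a for a in on_box if a.critical]
    hits = [a for a in critical if a.package in exposed]
    return {
        "total": len(advisories),
        "unique": len(unique),
        "installed": len(on_box),
        "critical": len(critical),
        "exposed_critical": len(hits),
        "reboot": sum(1 for a in hits if a.needs_reboot),
    }


# Constructed sample data: ids, packages and severities are made up.
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "kernel", True, needs_reboot=True),
    Advisory("ADV-0002", "apache", True),
    Advisory("ADV-0002-1", "apache", True, reissue_of="ADV-0002"),  # re-signed re-release
    Advisory("ADV-0003", "eog", True),            # image viewer, not installed on the server
    Advisory("ADV-0004", "imagemagick", False),   # installed but not critical
    Advisory("ADV-0005", "postfix", True),
    Advisory("ADV-0006", "openssh", True),
]
INSTALLED = {"kernel", "apache", "postfix", "openssh", "postgresql", "php", "imagemagick"}
EXPOSED = {"kernel", "apache", "postfix", "openssh"}   # reachable in the web+db+mail role
```

Run `triage(SAMPLE_ADVISORIES, INSTALLED, EXPOSED)` to see how seven raw advisories shrink to four that actually matter for this role, one of which needs a reboot.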