blind lead

Blind Lead - Paul Nakada reports on what the author of the original Internet Worm is now up to; apparently peer-to-peer storage ala Farsite. Miguel de Icaza reveals to Dare “Carnage4Life” Obasanjo why he chose C# instead of Java.

Tried Snappy Dragon for the first time today. It is pretty good, just like home cooking. I can recommend everything I tried: the jiaozi, humbow, green onion pancakes, and “sizzling rice soup”.

IIS is gaining against Apache in web server share, and Gartner wants to turn the tide. Now I admit that I might be biased, but this report strikes me as surprisingly ignorant and dangerously misleading. The report makes two fundamental claims:

  1. Apache and iPlanet “have much better security records than IIS”.
  2. Apache and iPlanet “are not under active attack by the vast number of virus and worm writers”.
  • IIS has better security - The analyst claims that these other web servers have much better security records, but the evidence points to the contrary. The first point the author seems to be missing is that a security bug found and patched is a good thing. My firsthand experience tells me that hackers usually know about security holes in products for many months or even years before a “white hat” security person finds the hole and patches it. Claiming that a product is secure just because it has (slightly) fewer publicized security patches is like claiming that Mozilla isn’t buggy because the bugzilla database doesn’t have many bugs entered. Testing isn’t the sort of thing that most developers find “fun”, and volunteer testing isn’t the same as professional testing. Certainly there is a relationship between overall product quality and the number of bugs that get found. But when you don’t pay good people to find holes in your software, you shouldn’t be surprised when you (and your customers) never know about holes that exist. Furthermore, the author ignores the fact that all of the worms thus far have used known exploits, for which patches have been available for months or longer. The fact that the holes are always discovered and patched before worm authors can exploit them is evidence that someone is doing a good job.
  • Monoculture Arguments are Irrational - The author’s comment about iPlanet and Apache not being “under active attack by the vast number of virus and worm writers” could imply a few different things. Between SirCam, CodeRed, Nimda and, charitably, Code Blue and Code Red II, I count 5. And since all of these people used the same set of previously patched vulnerabilities, I am not sure that you could call these 5 people “writers”. So it seems a bit of a stretch from “5 copycat script kiddies” to “vast number of worm and virus writers”, but even accepting this assertion, we are expected to buy the tired monoculture meme. Since most people use IIS, criminals target IIS; therefore you should use something different to “throw them off”, advises the crafty analyst. I consider the whole monoculture idea to be so inane as to be not worth debunking (for every example of a system made weaker by homogeneity, you can find an example of a system made stronger by homogeneity - homogeneity is a de facto proof of nothing about a system’s resilience).
  • Obscurity? - Some of the “security analysts” like to rail against “security through obscurity”. Like the “monoculture” folks, they go to inane extremes, even recommending transparency where it is not appropriate. But this analyst seems to be endorsing obscurity where most reasonable people would agree it is a bad idea. Product security benefits, say the pundits, when you have more people (rather than fewer) picking at the product and trying to find holes. So the author’s claim that there are more users (and hackers) of IIS would imply that the product is becoming more secure at a faster pace than the alternatives.
  • Patching IIS is Easier - As far as I know, IIS is still the only product that has the capability to silently monitor machine configuration and, as soon as a new patch is available, alert the administrator and offer to apply it. And even without this feature, I cannot believe that any of the other alternatives would ever come close to IIS’s ease of use in usability testing where a number of admins are asked to apply patches. Furthermore, since the author admits that properly installing the patches would have protected a system, he offers a really strange choice. Ripping and replacing the entire platform, converting existing apps to the less productive platform, testing, debugging and ultimately staying on the treadmill of applying patches to that system — this is what he chooses instead of simply applying the patch to the existing system.
  • Rate of Patching is Irrelevant - The analyst claims that IIS has new patches too often, so it is difficult to keep up. Besides the fact that rate of patches is not a negative indicator of security, it is also a patently false claim that this has ever been an issue in spread of worms. The people who got infected, in the vast majority of cases, did not apply any patches. If there had been only one patch, they still would have been infected. And people who keep up with patches tend to keep up with patches. It’s that simple.
  • Rate of Patching is Normal - For comparable products where the vendor actually spends money discovering and patching holes, the number of security holes found and patched in IIS is normal. Is the author recommending that companies tear out all of their Cisco routers and replace them with random components from unpopular vendors or hobbyists?
  • Contradictory Advice - The author first points out that all of the worms exploited the same vulnerabilities, and that these vulnerabilities have been fixed for some time. Then he claims that those vulnerabilities will not cease to be exploited until Microsoft writes a completely new version of IIS. So let me get this straight: if people install the patches, they won’t be infected by the worm, but the worm still infects people because? A logical person would answer “because people don’t install the patches”. But this analyst replies “because Microsoft doesn’t rewrite IIS”. If people don’t install the patches, why would they install yet another version of IIS? (And, BTW, the already released “new” version of IIS is not vulnerable to these worms.)
  • Dangerously Misleading - The article leaves the reader with the impression that there exist some “other platforms” (iPlanet and Apache) that do not require patching, or at least allow an administrator to be significantly less vigilant about patching. This is a dangerous and irresponsible attitude to be encouraging, and it is utterly false. Additionally, the article continues to propagate the misconception that the software at the endpoint is the central issue in “Code Red” scale worm attacks. When the network is being saturated by floods from infected machines, installing Apache repeatedly on your machine isn’t going to help one whit. And if everyone were using Apache instead, the network would be just as inaccessible when a worm is released that exploits Apache vulnerabilities. So encouraging people to switch from IIS ignores the fact that worms are a network problem, and assumes that no further exploits will ever be found in Apache (which is again a dangerously irresponsible perception to be encouraging).

Changing subjects, I wonder if any impudent youth will dress up like Osama Bin Laden this year for Halloween? I wonder if we will read in the paper about any of them being shot by duped passers-by?
