[Linux-aus] Nathan Hanks fails to secure Microsoft server, blames Linux culture for his own errors

Leon Brooks leon at cyberknights.com.au
Sun Sep 14 22:39:02 UTC 2003


Quoting http://www.techweb.com/wire/story/TWB20030603S0012
> Nathan Hanks, managing director at Continental Airlines, said,
> "All the guys hacking Windows are Linux guys." Continental was
> hit hard by SQL Slammer and "our CEO said we'd failed," Hanks
> said.

That's nonsensical, and a miserable excuse for your own poor IT security 
procedures. You _had_ failed in your job, and blaming your failure on 
others (as well as being "loser's limp") means you're also abandoning 
control of the problem.

I run SQL servers - *not* including Microsoft's - and I *never* expose 
them to the internet. To pick one example, PostgreSQL has *never* had a 
denial-of-service problem on the same scale as MS SQL Server has every 
year or two, but I still do not expose it to the Internet.

If you want to connect to something large and complex like an SQL 
database, throw together a new VPN and connect safely over that. It 
takes less than a minute under Linux (or almost any Unix, for that 
matter) and can be easily batched.

Speaking as a "Linux guy", I don't have the tools or the inclination to 
go bending Microsoft code, and nor do any of the scores of other "Linux 
guys" (and gals) I know. We're too busy building software (our own 
software) to bother tearing anyone else's down - even if we had the 
inclination.

Since the vast majority (something like 30,000 variants) of viruses are 
written for MS-Windows, and only a few (dozens for Mac OS X, a handful 
for Linux) for other systems, you should be looking to people with 
MS-Windows experience and familiarity for your culprits. Don't take my 
word for it, go and examine the hacked-site archives and see for 
yourself what they write, and what sites they deface.

The reason that viruses happen to MS-Windows is not because there are 
more MS-Windows crackers around (there are) but despite - or because of 
- the ready availability of complete source, vulnerabilities in 
MS-Windows and related software are considerably easier to find than 
elsewhere, and those vulnerabilities usually have much further-reaching 
consequences.

One decision leading to this can be found in the decision to make 
arbitrary network socket creation a public feature in MS-Windows-XP 
Home; now any program which runs on that platform can spoof traffic and 
bypass firewalls to attack other machines, so when a virus lands it has 
open slather. Not that the inherently insecure design of MS-Windows 
would make it difficult to escalate to "Ring Zero" anyway (for details, 
read http://security.tombom.co.uk/shatter.html and 
http://security.tombom.co.uk/moreshatter.html). <*>

Gafar Lawal's comment in the same article about "three times as many 
critical patches" is also meaningless. A "critical patch" for RedHat 
Linux includes anything that might possibly one day be turned into a 
denial-of-service; a "critical patch" for Microsoft means something 
like CodeRed, Nimda or Slammer. They have been shown to deliberately 
downplay risks in order to *seem* more secure, and it seems to have 
worked at least once: they've clearly fooled you.

"Critical patches" for Linux don't have the same tendency to break 
things that Microsoft's do, either. I use Mandrake Linux and Debian 
Linux, two completely different ways of doing things, and with two 
completely different packaging systems, and neither of them have *ever* 
supplied me with a patch that broke a system. Microsoft, on the other 
hand, seem to do that about annually.

The bottom line is that you began with a poor decision (to believe 
Microsoft propaganda and so use Microsoft software), compounded it with 
another poor decision (to open MS SQL Server to the internet), and are 
now seeking to "duck-shovel" the blame onto someone who's less likely 
to sue you for doing so than Microsoft. That's poor sportsmanship, too. 
For shame!

CRN and TechWeb really need a rap over the knuckles for posting 
sensationalist drivel as well. To them: you have more responsibility 
than individuals to support what you say or quote. On the other hand, 
you also deserve praise for actually publishing the email addresses of 
the journalist and editor and being willing to take responses directly. 
Many online publishers refuse to do this.

My final word to Nathan is: apologise publicly if you're man enough to 
do so. Face your faults and fix them, instead of throwing the blame for 
your own failures at an undeserving, altruistic Internet community.

Cheers; Leon

I speak here as an individual and not ex-officio in any of the offices 
listed below. The views of these organisations may (are likely to) 
differ from mine.

<*> These are cached at:
http://www.google.com.au/search?q=cache:security.tombom.co.uk/shatter.html
http://www.google.com.au/search?q=cache:security.tombom.co.uk/moreshatter.html

-- 
http://cyberknights.com.au/     Modern tools; traditional dedication
http://plug.linux.org.au/       Committee Member, Perth Linux User Group
http://slpwa.asn.au/            Committee Member, Linux Professionals WA
http://linux.org.au/            Committee Member, Linux Australia
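The advice above (never let a database listen on the public Internet; reach it over a VPN instead) expressed as PostgreSQL configuration, added here as an illustration and not part of the original post. It uses the `listen_addresses` parameter of PostgreSQL 8.0 and later, and assumes a VPN tunnel address of 10.8.0.1 on the database host with clients in 10.8.0.0/24; both values are made-up examples.

```conf
# --- postgresql.conf (weak): the server answers on every interface,
# including the one facing the Internet
listen_addresses = '*'

# --- pg_hba.conf (weak): any host anywhere may attempt a password login
# TYPE  DATABASE  USER  ADDRESS      METHOD
host    all       all   0.0.0.0/0    md5

# --- postgresql.conf (corrected): bind only to loopback and the VPN-side
# address (10.8.0.1 is an assumed tunnel address on this host);
# a restart is needed for this parameter to take effect
listen_addresses = 'localhost, 10.8.0.1'

# --- pg_hba.conf (corrected): rules are matched top to bottom, first match
# wins, so the catch-all reject must stay last
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  md5      # admin over the Unix socket
host    all       all   127.0.0.1/32   md5      # local TCP clients
host    all       all   10.8.0.0/24    md5      # clients arriving via the VPN
host    all       all   0.0.0.0/0      reject   # everything else refused
```

After reloading, `netstat -ltn` (or `ss -ltn` on newer systems) should show port 5432 bound only to 127.0.0.1 and 10.8.0.1, never to 0.0.0.0 or the public address.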