best regards, dave m.
Begin forwarded message:
From: "David R. Matusiak" <[EMAIL PROTECTED]>
Date: Thu Sep 11, 2003 3:51:07 PM US/Eastern
To: [EMAIL PROTECTED]
Cc: "BRM" <[EMAIL PROTECTED]>
Subject: Re: [support] Accountability and possible solutions
While I would wholeheartedly echo the sentiments of Bentley Midkiff about making software vendors more accountable for insecure products, I fear that our selfless, heroic governmental representatives are too far in the pockets of big software firms to hear the weak carping of their constituents. Witness "Shrink Wrap Licensing," UCITA, and the DMCA. All of these things are designed to protect the profit margins of software corporations while whittling away at the rights and freedoms afforded those that give the corporations money - US, the consumers - each and every one of us.
So I do not think that our efforts are best spent chasing down dirty deals between Washington and Silicon Valley. Instead I believe that we must fight this approaching menace on the home front. What is meant by that is that each technology dollar spent (both as individuals and as a university) should be subject to strict review, not only in terms of unit cost economics, but more importantly in terms of the impact that said technology will have on us, our networks, our students and co-workers, and perhaps our careers.
As I read through the summer log of major problems and outages that came across the UNC Support list, I am not so much surprised by what has taken place, but instead bothered by the fact that such limited solutions (if any) have been presented. Please do not read that as "Certain campus sectors not doing their jobs," because I think that individual departments (especially ATN Networking and Security) are doing excellent jobs. Considering the magnitude of some of the recent attacks, we should be thankful to have any network connectivity at all -- not to mention such great and available support people.
Instead I want you to consider this one fact - the only advice ever really offered is "Go to Microsoft and apply their patches." This paltry token is the most that can be offered, however, to those who are running these inherently insecure operating systems. And we have had reports of responsible admins following this advice and still seeing their machines get infected over and over again. To further belabor this point, please note this article from eWeek (published yesterday) where the author has the opportunity to point out "Three New Critical RPC Flaws Found" in current Microsoft products.
http://www.eweek.com/article2/0,4149,1261437,00.asp
This is a very sad state of affairs. Almost two years ago, Bill Gates promised he was pulling engineers away from the development of "new features" in order to shore up the security of their products. And this summer has shown us all just how much integrity that gesture had. Week after week, virus and worm activity has skyrocketed and with new exploits coming out regularly, there is no reasonable hope in sight. So I would like to offer some more effective solutions in hopes of improving both network security and End User happiness on the campus here at Carolina.
First and foremost, Rule # 1 should always be to understand the process(es) necessary to keep your machine (or those you are responsible for) patched and secure, both at the OS level and at the application level. No product is perfect and any device can be dangerous if these vitals are ignored. You must keep track of these things or we will see more and more problems. I cannot stress this point enough.
Next on the list would be to rectify misperceptions about "the competition." Believe it or not, there are actually other companies out there whose primary purpose is to manufacture computer operating systems. One of the world's largest is our Raleigh neighbor, Red Hat Linux, Inc. While I would not solely endorse Red Hat above other Linux vendors (mainly a personal preference issue), I do see them doing good things for the software community and users alike. Perhaps most important amongst the recent improvements in Linux are the "ease of use" factors and auto-updating functions being developed to help both users and administrators alike successfully complete a transition to Linux. Besides this, we have some of the best LUGs (Linux User Groups) in the country to assist with problems and questions (much like this list does). There are now very few proprietary application products that have not been either ported to Linux or created anew to draw users who used to say "Well, I need so-and-so and it only runs on Windows 98." 1998 was almost 7 years ago - a lot has changed since then.
Perhaps you have heard of the SCO lawsuit against IBM, in which they are trying to scare users and organizations away from Linux adoption with their FUD (Fear, Uncertainty, Doubt) campaign that insists their Intellectual Property has been infringed by Linux developers. If rational minds are allowed into the courtroom to testify, it will become clear that SCO has no case and that they themselves released and/or jumbled code into Linux with their own Caldera Linux product. You cannot take back what you have already released under the GPL license. Sorry SCO, no doughnut.
Still, wise IT managers must keep abreast of these issues and protect their organization from such legal quagmires and threats. If Linux is not the thing for you, then I would suggest *BSD products (which are all branches of the original Berkeley Software Development UNIX model). Not only are the best of these products completely FREE, they are also responsible for running most of the powerhouse destinations on the Internet. FreeBSD, NetBSD and OpenBSD are amongst the most respected and time-trial proven operating systems in the world. All of these products have just as active and helpful a userbase as Linux. You could even go with BSDi if you are in need of corporate-level support.
And my last suggestion is the easiest of all - Macintosh products by Apple Computers, Inc. The new OS for Mac, dubbed OS X (or OS "Ten"), is itself based upon a Mach kernel derivative of BSD UNIX. What has this brought to Apple? Unbelievable stability and all the power of a full-fledged UNIX server. What has Apple sacrificed to reach this level? Nothing - all the same plug and play niceness and GUI simplicity is still present, perhaps refined even more over the aging OS 9 that has been phased out. And for personal computers (as opposed to server hardware), Apple has some of the most durable and functional machines out there today. Please go take a look at either the RAMs Head Shop or the Apple Store out at Streets of Southpoint.
What we need is a clear and direct cultural shift away from supporting the hegemony of operating systems that is Microsoft. As outlined above, no product is perfect and all need proper attention. What is undeniable, however, is the fact that most (if not all) of this nasty virus and worm activity would have nowhere to go if we made this shift. Its malevolent seed could find no fertile ground for purchase, so to speak. And then we could all spend more time doing what we are here to do instead of making trouble calls, creating trouble tickets, balking at the hard work of the Networking people, and wondering why we lost all our data or our machine is attacking others on the Internet.
While our RAMs Head Shop claims to be a fully functional Apple reseller and repair shop, I am always more than disheartened when I'm in there and hear a student inquiring about the row of Macs only to have the Store employee say that "they are not supported" and then point them to the back row of IBM/CCI machines. I think we are doing a major disservice to both our student population and those that have to manage the networks at UNC by denying that other options exist. I think that we, as a campus, need to reexamine our tight alliances with companies that make inferior and/or insecure products.
Unfortunately, I only just heard of the fact that UNC is in the process of hiring a new Chief Information Officer. This is THE person involved in making decisions as to the computing future of UNC and the person whom I would like to ask my most difficult and pointed questions; however, the last interview/presentation was on Sept. 8th and I was unable to attend. I think it is a travesty to continue along the lines of our narrowly focused options for students, faculty and staff alike. I believe that the apprehension surrounding other options needs to be addressed and vocally challenged by those interested in keeping UNC-Chapel Hill on the cutting edge of technology research and development.
Obviously, a lot more is at stake than cutting down on malicious network activity across our campus. Losing the right to compare and choose will certainly impair the abilities of our students and it has certainly caused many headaches this summer for the campus support personnel. Please take a moment and consider some of my suggestions. Also, please understand that I am not in any way paid or endorsed by any of the companies and products I've mentioned above. I am only trying to put this issue in perspective for those that may not have heard of such alternatives.
Thanks! dave m.
On Thursday, September 11, 2003, at 10:27 AM, BRM wrote:
Support Group:
Weak admin passwords notwithstanding, does anybody else think Microsoft should be held accountable for the onslaught of viruses, worms and Trojans that continue to disable networks and drive up the cost of IT? Consider this article, written on 6/30/2003 by Caron Carlson at http://www.eweek.com/article2/0,4149,1141769,00.asp. Here is an excerpt...
"The greatest threat to the nation's data networks today is not nascent cyber-terrorism lurking in the shadows but rather technology vendors unwilling to invest adequately in security, experts told Congress last week. Increasingly, industry insiders are seeking ways to make vendors accountable for their products."
"The CERT Centers at the Software Engineering Institute at Carnegie Mellon University, in Pittsburgh, found that security features in most products have not improved over the past few years."
Steve Gibson warned everybody about this potential problem more than two years ago. See http://grc.com/dos/grcdos.htm.
If MS-Windows were a new car, it would be recalled immediately. Why? Because there would be millions of wrecked vehicles strewn across the landscape.
Q: Where does a 50 million dollar gorilla drive? A: Anywhere it wants.
Bentley R. Midkiff, B.S., A+
Research Technician III
Biochemistry & Biophysics
--
David R. Matusiak
NC LIVE Systems Admin, UNC-Chapel Hill
v: 919.962.1288 f: 919.962.0484
e: [EMAIL PROTECTED]
--
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
