Hear, hear!
ap

----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
[EMAIL PROTECTED] * andrew_perrin (at) unc.edu

On Thu, 11 Sep 2003, David R. Matusiak wrote:

> Hello Linux Lubbers -- I took a few moments today to address a major problem we are seeing on the UNC-Chapel Hill campus (and presumably at other institutions). I thought my note might be of interest to those on TriLUG. Any feedback appreciated.
>
> best regards,
> dave m.
>
> Begin forwarded message:
>
> > From: "David R. Matusiak" <[EMAIL PROTECTED]>
> > Date: Thu Sep 11, 2003 3:51:07 PM US/Eastern
> > To: [EMAIL PROTECTED]
> > Cc: "BRM" <[EMAIL PROTECTED]>
> > Subject: Re: [support] Accountability and possible solutions
> >
> > While I would wholeheartedly echo the sentiments of Bentley Midkiff about making software vendors more accountable for insecure products, I fear that our selfless, heroic governmental representatives are too far in the pockets of big software firms to hear the weak carping of their constituents. Witness "Shrink Wrap Licensing," UCITA, and the DMCA. All of these things are designed to protect the profit margins of software corporations while whittling away at the rights and freedoms afforded those that give the corporations money - US, the consumers - each and every one of us.
> >
> > So I do not think that our efforts are best spent chasing down dirty deals between Washington and Silicon Valley. Instead I believe that we must fight this approaching menace on the home front. What is meant by that is that each technology dollar spent (both as individuals and as a university) should be subject to strict review, not only in terms of unit cost economics, but more importantly in terms of the impact that said technology will have on us, our networks, our students and co-workers, and perhaps our careers.
> >
> > As I read through the summer log of major problems and outages that came across the UNC Support list, I am not so much surprised by what has taken place, but instead bothered by the fact that such limited solutions (if any) have been presented. Please do not read that as "Certain campus sectors not doing their jobs," because I think that individual departments (especially ATN Networking and Security) are doing excellent jobs. Considering the magnitude of some of the recent attacks, we should be thankful to have any network connectivity at all -- not to mention such great and available support people.
> >
> > Instead I want you to consider this one fact - the only advice ever really offered is "Go to Microsoft and apply their patches." This paltry token is the most that can be offered, however, to those who are running these inherently insecure operating systems. And we have had reports of responsible admins following this advice and still seeing their machines get infected over and over again. To further belabor this point, please note this article from eWeek (published yesterday) where the author has the opportunity to point out "Three New Critical RPC Flaws Found" in current Microsoft products.
> >
> > http://www.eweek.com/article2/0,4149,1261437,00.asp
> >
> > This is a very sad state of affairs. Almost two years ago, Bill Gates promised he was pulling engineers away from the development of "new features" in order to shore up the security of their products. And this summer has shown us all just how much integrity that gesture had. Week after week, virus and worm activity has skyrocketed and with new exploits coming out regularly, there is no reasonable hope in sight. So I would like to offer some more effective solutions in hopes of improving both network security and End User happiness on the campus here at Carolina.
> >
> > First and foremost, Rule # 1 should always be to understand the process(es) necessary to keep your machine (or those you are responsible for) patched and secure, both at the OS level and at the application level. No product is perfect and any device can be dangerous if these vitals are ignored. You must keep track of these things or we will see more and more problems. I cannot stress this point enough.
> >
> > Next on the list would be to rectify misperceptions about "the competition." Believe it or not, there are actually other companies out there whose primary purpose is to manufacture computer operating systems. One of the world's largest is our Raleigh neighbor, Red Hat Linux, Inc. While I would not solely endorse Red Hat above other Linux vendors (mainly a personal preference issue), I do see them doing good things for the software community and users alike. Perhaps most important amongst the recent improvements in Linux are the "ease of use" factors and auto-updating functions being developed to help both users and administrators alike successfully complete a transition to Linux. Besides this, we have some of the best LUGs (Linux User Groups) in the country to assist with problems and questions (much like this list does). There are now very few proprietary application products that have not been either ported to Linux or created anew to draw users who used to say "Well, I need so-and-so and it only runs on Windows 98." 1998 was almost 7 years ago - a lot has changed since then.
> >
> > Perhaps you have heard of the SCO lawsuit against IBM, in which they are trying to scare users and organizations away from Linux adoption with their FUD (Fear, Uncertainty, Doubt) campaign that insists their Intellectual Property has been infringed by Linux developers. If rational minds are allowed into the courtroom to testify, it will become clear that SCO has no case and they themselves released and/or jumbled code into Linux with their own Caldera Linux product. You cannot take back what you have already released under the GPL license. Sorry SCO, no doughnut.
> >
> > Still, wise IT managers must keep abreast of these issues and protect their organization from such legal quagmires and threats. If Linux is not the thing for you, then I would suggest *BSD products (which are all branches of the original Berkeley Software Development UNIX model). Not only are the best of these products completely FREE, they are also responsible for running most of the powerhouse destinations on the Internet. FreeBSD, NetBSD and OpenBSD are amongst the most respected and time-trial proven operating systems in the world. All of these products have just as active and helpful a userbase as Linux. You could even go with BSDi if you are in need of corporate-level support.
> >
> > And my last suggestion is the easiest of all - Macintosh products by Apple Computers, Inc. The new OS for Mac, dubbed OS X (or OS "Ten"), is itself based upon a Mach kernel derivative of BSD UNIX. What has this brought to Apple? Unbelievable stability and all the power of a full-fledged UNIX server. What has Apple sacrificed to reach this level? Nothing - all the same plug and play niceness and GUI simplicity is still present, perhaps refined even more over the aging OS 9 that has been phased out. And for personal computers (as opposed to server hardware), Apple has some of the most durable and functional machines out there today. Please go take a look at either the RAMs Head Shop or the Apple Store out at Streets of Southpoint.
> >
> > What we need is a clear and direct cultural shift away from supporting the hegemony of operating systems that is Microsoft. As outlined above, no product is perfect and all need proper attention. What is undeniable, however, is the fact that most (if not all) of this nasty virus and worm activity would have nowhere to go if we made this shift. Its malevolent seed could find no fertile ground for purchase, so to speak. And then we could all spend more time doing what we are here to do instead of making trouble calls, creating trouble tickets, balking at the hard work of the Networking people, and wondering why we lost all our data or our machine is attacking others on the Internet.
> >
> > While our RAMs Head Shop claims to be a fully functional Apple reseller and repair shop, I am always more than disheartened when I'm in there and hear a student inquiring about the row of Macs only to have the Store employee say that "they are not supported" and then point them to the back row of IBM/CCI machines. I think we are doing a major disservice to both our student population and those that have to manage the networks at UNC by denying that other options exist. I think that we, as a campus, need to reexamine our tight alliances with companies that make inferior and/or insecure products.
> >
> > Unfortunately, I only just heard of the fact that UNC is in the process of hiring a new Chief Information Officer. This is THE person involved in making decisions as to the computing future of UNC and the person whom I would like to ask my most difficult and pointed questions; however, the last interview/presentation was on Sept. 8th and I was unable to attend. I think it is a travesty to continue along the lines of our narrowly focused options for students, faculty and staff alike. I believe that the apprehension surrounding other options needs to be addressed and vocally challenged by those interested in keeping UNC-Chapel Hill on the cutting edge of technology research and development.
> >
> > Obviously, a lot more is at stake than cutting down on malicious network activity across our campus. Losing the right to compare and choose will certainly impair the abilities of our students and it has certainly caused many headaches this summer for the campus support personnel. Please take a moment and consider some of my suggestions. Also, please understand that I am not in any way paid or endorsed by any of the companies and products I've mentioned above. I am only trying to put this issue in perspective for those that may not have heard of such alternatives.
> >
> > Thanks!
> > dave m.
> >
> > On Thursday, September 11, 2003, at 10:27 AM, BRM wrote:
> >
> >> Support Group:
> >>
> >> Weak admin passwords notwithstanding, does anybody else think Microsoft should be held accountable for the onslaught of viruses, worms and Trojans that continue to disable networks and drive up the cost of IT? Consider this article, written on 6/30/2003 by Caron Carlson at http://www.eweek.com/article2/0,4149,1141769,00.asp. Here is an excerpt...
> >>
> >> "The greatest threat to the nation's data networks today is not nascent cyber-terrorism lurking in the shadows but rather technology vendors unwilling to invest adequately in security, experts told Congress last week. Increasingly, industry insiders are seeking ways to make vendors accountable for their products."
> >>
> >> "The CERT Centers at the Software Engineering Institute at Carnegie Mellon University, in Pittsburgh, found that security features in most products have not improved over the past few years."
> >>
> >> Steve Gibson warned everybody about this potential problem more than two years ago. See http://grc.com/dos/grcdos.htm.
> >>
> >> If MS-Windows were a new car, it would be recalled immediately. Why? Because there would be millions of wrecked vehicles strewn across the landscape.
> >>
> >> Q: Where does a 50 million dollar gorilla drive?
> >> A: Anywhere it wants.
> >>
> >> Bentley R. Midkiff, B.S., A+
> >> Research Technician III
> >> Biochemistry & Biophysics
> >
> > --
> > David R. Matusiak
> > NC LIVE Systems Admin, UNC-Chapel Hill
> > v: 919.962.1288
> > f: 919.962.0484
> > e: [EMAIL PROTECTED]
> > --
>
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
