From sans@sans.org Thu Oct 11 00:01:13 2001
Date: Wed, 10 Oct 2001 16:00:00 -0600 (MDT)
From: The SANS Institute
Subject: SANS NewsBites Vol. 3 Num. 41

From: Alan for the SANS NewsBites service
Re: October 10 SANS NewsBites

...

At the end of this issue you'll find a thought-provoking statement by Bill Murray placing Microsoft's contribution to Internet security in stark relief.

...

AP

**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 3, Number 41
October 10, 2001
Editorial Team: Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin, Bill Murray, Stephen Northcutt, Alan Paller, Marcus Ranum, Eugene Schultz
**********************************************************************

....

Bill Murray's Short Essay on Microsoft's Role In Security

"The debate about whether people should switch away from Microsoft's IIS misses the point. Suppose that tomorrow everyone that is knowingly and intentionally running and using IIS turned it off. Would it make any difference? As I understand it, these malicious programs do not exploit only copies of IIS that somebody is using, "running," managing, choosing, or otherwise saying grace over. They exploit all instantiated copies of IIS. By shipping and installing by default hundreds of thousands of copies of flawed software that nobody asked for or wanted, Microsoft seriously weakened the network. That they make a timely patch available to the initiated is nice but irrelevant. That the cognoscenti can run IIS safely is irrelevant. That it may or may not be more difficult to run safely than other web servers is irrelevant. Most of those running it did not intentionally decide to run it, and most of them do not even know that they are running it until their neighbors start to complain. In their desire to be loved, Microsoft made a very bad decision, one that even they cannot easily remedy. They have opened Pandora's box.
I have been saying for years that it is reckless to make a decision to run your code on someone else's machine without their permission, that it is hubris to believe that you can do that safely. I admit that I had virus writers, not Microsoft, in mind when I said it, but now it is clear that the power to make such a decision cannot be trusted even to Microsoft. The more copies of that software one intends to be installed, the more important it is that the code be free of exploitable features, much less errors. It seems to me that Microsoft has seriously, not to say permanently, polluted the network. Not only have they put their own customers at risk, they have put at risk people who do not run so much as a line of Microsoft code. What am I missing? Dear God, I do so hope I have it wrong."

===============

NewsBites readers who want to change Microsoft's behavior can make a difference. More than 170 organizations (such as Shell, Intel, Hallmark, NASA, NIST, the Navy, the Infocomm Development Authority of Singapore, the Royal Canadian Mounted Police, and VISA, along with many other large and small organizations) have banded together to develop minimum security benchmarks for Internet-connected systems. When enough organizations join them, and the buying community demands that vendors deliver systems meeting minimum security standards, change will be possible. Instead of crying about the vendors' behavior, do something about it by joining others of like mind in the Center for Internet Security at www.cisecurity.org. Members of the Center are already testing tools that measure the security of Cisco routers and of Solaris systems, and they will shortly have a tool that measures the security of Windows 2000.

==end==

Please feel free to share this with interested parties via email (not on bulletin boards).
For a free subscription (and for free posters), e-mail sans@sans.org with the subject: Subscribe NewsBites

To change your subscription, address, or other information, visit http://www.sans.org/sansurl and enter your SD number (from the headers). You will receive your personal URL via email. You may also email with complete instructions and your SD number to subscribe, unsubscribe, change address, add other digests, or send any other comments.