
The Battlefield

[ The opinions expressed by authors on Linux Today are their
own. They speak only for themselves and not for Linux Today.
]

By Paul Ferris, Staff Writer

The recent challenge and counter-challenge by Microsoft and the
LinuxPPC group was quite entertaining. It was a vindicating feeling
watching as the Windows 2000 box went up and down while the Linux box
was a veritable rock in the cracker storm.

It was also unfortunately misleading. I’m of the opinion that
what really happened was some clever marketing action. It was
beyond a shadow of a doubt a dismal failure by Microsoft in the
area of server stability. It was, however, pretty successful at
taking everyone’s eyes off Microsoft’s real security issues.

If you can define the battlefield, you stand a better chance at
winning the war. I’m sure that Sun Tzu fits in here somehow, but
since we’re not fighting half the battle, it doesn’t really matter.
Microsoft’s biggest security problems for the moment stem from
gaping holes on the client side of the computing equation. By
staging this public fiasco, they once again get to define the
battlefield. They therefore stand some kind of pathetic chance at
winning some public sympathy. The public has very little sympathy
for system crackers and I think that Microsoft chose that aspect
carefully as well.

Some members of the Open Source community are even applauding
them for putting their software up for testing by community
break-in.

Ok, I’ll give them some applause. *clap*.

There, Microsoft, are you happy? Great job, you did do something
right, although you should have given some recognition to your
competition. They at least were that sporting of you.

I will not, however, applaud the spin that this produces. The
server security problems that they have are nothing compared to the
gaping holes in their client products. These holes exist from
years of arrogant, closed-process design and a lack of digital
diversity in the marketplace.

Folks, I think we’ve been played somewhat. They have taken
advantage of the Open Source community’s propensity toward
accepting a challenge, although it’s cost them somewhat. It’s also
helped define the direction for the spotlight. The spotlight has
been carefully directed away from their client software
problems.

It’s time that Microsoft realized that their security doesn’t
exist in a vacuum. It’s time that they gave up this idea that some
press releases and spin will solve security problems. These
problems go deep. Windows 95 was supposed to be the end of the line
for the DOS-based code that they have been hanging onto like a
childish baby who’s not giving up its favorite toy.

Just last year, Russ Cooper, Windows security expert (Wired
magazine’s description), was quoted as saying this: “Somebody
demonstrate to me that they know how [the Outlook bug] works,
because nobody has,” said Cooper. “The fact is, the information
that got out there was not sufficient for somebody to write their
own [Outlook exploit].”
(Article dated 8/6/1998.)

This sat alongside quotes from Karan Khanna, Microsoft security
manager, who at the time was downplaying the problems caused by Back
Orifice (a system hacking/cracking tool, or a brilliant remote
management tool – you decide). Back Orifice would not be half the
threat it is if it were not for the casual attitude Microsoft has
fostered toward system security.

Well, I’m glad Microsoft didn’t stage a challenge in
that arena. Think of the potential data loss. That was one
year ago. Today they are fixing a hole in the ODBC drivers that
matches the year-old description above completely. All one has to
do is open a spreadsheet and shell commands can be executed on the
local machine without any user intervention.

What a miscarriage of PR spin. They were warned about it that
far back, and for a whole year at least they have not even
recognized this to be a potential problem.

Now suddenly they say, “We take security issues very seriously…”
I’m not convinced. I think that they would very much like for all of
the problems with their mail client software, Windows 9x code and
Internet viruses to disappear overnight.

They just released Windows 98. Now we hear of Windows 2000
personal. Just a guess here, but I’d bet that Windows 2000 personal
will be their number one selling operating system for a couple of
more years to come. God forbid, possibly longer. Even if it’s not,
the number of legacy desktops running Windows 9x technology with
flawed client programs is sizable. These desktops are not going
away overnight.

As much as I despise Windows NT, it’s better than Windows on top
of DOS technology. It beats a poke in the eye with a sharp stick, I
guess I’m trying to say. The problem is that Windows 2000 personal
is still single-user centric. The concept of privilege is still
devoid of definition, and we have no hope of knowing the holes yet
to be uncovered like the ones above. Holes like manholes in the
dark.

The problems go beyond operating system design. The problems
exist at the application level as well. Put one badly designed
security problem on top of another one, and it spells really big
trouble. Put these two problems in a global context with a good
portion (90%) of the population executing them on a network and you
have a security nightmare.

Microsoft would have us switch our focus to server security and
forget client security. It makes for the best solution to their
current public relations problems. I say no. No, let’s not forget
that the real destiny for Linux is the desktop. Yes, it makes an
awesome server. Yes, it’s very stable, and extremely hard to break
into. But Linux has the potential to be the killer desktop in this
Internet age. Not just that it’s more stable. Not just at a lower
cost. Not just not Microsoft.

No.

Linux also has the potential to show the world what security
really is in the Internet realm. On the desktop – Today.
