
Fixing Security Holes on Internet Time

[ The opinions expressed by authors on Linux Today are their own. They speak only for themselves and not for Linux Today. ] -lt ed

By Linux Today writer
Paul Ferris

A recent New York Times article raises some alarming controversy. It’s an
attempt to point a finger at a supposedly irresponsible Netizen,
eEye, for distributing example cracker code. The code allows a user
to break into most Microsoft web servers running Internet
Information Server (IIS). IIS is Microsoft’s premier web serving
product. Over 1.4 million web servers are open to the exploit,
according to the article.

What I find to be the most damning of all though, is the
response to the problem. Carefully read what Microsoft’s lead
product manager Jason Garms has to say about eEye:

“I vehemently reject the notion that we were dragging our heels
on this. The absolute minimum expected to fix these things is two
weeks,” said Garms. The eEye tool “enabled even nontechnical
person [sic] to attack any Web site running this software.”

That’s an interesting twist of the facts. Reading about eEye,
and their recklessness, you practically get the feeling that they
are Internet terrorists.

Hardly.

What is wrong with this picture? I’ll tell you – the wrong
company has been fingered for the problem. Re-read that sentence,
and ask yourself who “enabled even nontechnical person”(s) to
attack web sites?

Microsoft, that’s who.

But, that’s not what I’m going to rant about today. The real
issue that I have with Mr. Garms and Microsoft as well, centers
around the “absolute minimum” time presented here to close a
security hole.

Two weeks for a security patch? Let’s examine that problem
closely.

You’re a major corporation or government web site with sensitive
web data. You have servers that are vulnerable to attack. A
security hole is found in the software you have put your trust
in.

You get to make a choice:

1) Close things down, because you cannot risk an intrusion.

2) Hope that no one gets in until the fix is made available.

3) Take things down temporarily, and fix it yourself.

Oh, wait. You’re dependent upon a proprietary company such as
Microsoft to supply your Internet security. Better scratch number
three.

That’s not the total point being made here, though. There are
several points.

Microsoft is sidestepping the security problem. They are
painting eEye as reckless, when it is they themselves that are
reckless. There is a better way to ensure security. It may not be
the Microsoft way, but it’s proven to allow security fixes in hours
or days, not weeks. But no mention by Microsoft is made of
switching to this new model. No, better to point out how “reckless”
others are in the wake of possible tragedy.

This security hole is so big you can drive a truck through it.
Never mind that virtually one fourth of all web servers run this
software, and Internet-worm-like madness could take them
all down in nanoseconds. We’re supposed to wait for two weeks
while a patch is created by an isolated team of programmers in one
location. Just forget that a different development model might be
able to seal the hole in hours instead of weeks.

What new development model? No surprise here, it’s Open Source
Software (OSS).

Why is it better? Let me count the ways.

OSS allows parallelization
When a security hole is discovered in an OSS product, many minds
can descend upon it at once. No lead product person is responsible
for this, it just happens out of need for the fix. People that work
with OSS take a lot of pride in their work, and with many eyes on
the product, the fixes happen on Internet time, not Microsoft
time.

OSS is generally believed to have higher security than proprietary software
Let’s examine the teardrop exploit as an example. The
teardrop exploit affected both Linux and Windows systems. It was
patched under Linux in a matter of hours. The Linux patch pretty much
closed the holes, but the Windows patch
failed to close similar exploits. It was generally agreed that
these systems remained open to teardrop-style exploits because the
patch code received no peer review.

This is because of the above scenario. With many diverse people
looking at a piece of code, obvious security holes can be closed,
and potential problems spotted before things get out of hand.

Open Source software does not depend upon centralization

There is no corporate reputation to protect in the open source
movement. No one gets all bent out of shape when a security hole is
found in Red Hat, Debian, FreeBSD and the other free software
products. No one spends time dragging their feet out of
embarrassment. No one points fingers at the people who found it.
There is nothing to protect. More to the point, there is no money
at stake for the creators of the product.

Not that OSS people don’t take pride in their product. It’s more
than that. I’m speculating that it’s more likely because no one’s
product revenue stream is at stake.

This runs contrary to the old style of thought, which states
that you need a company pushing a product to provide the best
support for it. That idea is being directly challenged by problems
that involve the Internet. Security is one of those problems.

Microsoft, I hope you are paying attention, because security on
the net is not a trivial thing. There are a lot of people that
count upon it now for more than just fun and games. Microsoft, you
may want to keep your previous development model. You may even
think it’s the only way to do business. But it appears that you are
clinging only to your best interests here, and not those of your
customer base.

Some companies depend upon the Internet for their livelihood.
The security thing, it’s not a trivial matter. You seem to be
saying that it is more important to protect your revenue, than to
ensure the safety of the revenue of those who have depended upon
you.

Possibly, you are just upset with eEye because they are giving
out source code, and you can’t stand the thought of that.

A lot of people mistakenly point to the cost of free software as
the big selling point for it. These people think that free software
will make it big in the long run because it costs less on the
procurement side. It doesn’t tax the buyer when they obtain the
service that the software provides.

When it comes to Internet security, these people are missing the
true savings.

This security breach, and its tangential spin of blame, has
helped underscore the real selling point in a world where the
Internet is becoming increasingly more important, and more
prevalent. It’s not just Microsoft’s revenue stream that is at
stake here. It’s any company that is dependent upon one of
Microsoft’s products. That’s a lot of cash at stake. Cash that can
be weighed against security features available in Linux and
FreeBSD.

If you are a company that is dependent upon the security of your
web server for any kind of revenue, you need to ask yourself some
rather important questions.

Ask yourself if you can afford to wait for two weeks while a
proprietary software product is patched for holes. Ask yourself if
you can ever inspect the product for other holes possibly not yet
discovered.

Ask yourself who has the inferior support model under these
conditions. If this isn’t a support issue, and an important one, I
don’t know what is.

Ask yourself if you can afford not to use Open Source Software
under these conditions. The answers speak for themselves. In the
meantime, on Internet time, maybe some cracker or competitor will
walk away with some of the money before you can approve the
expenditure.

The true cost of proprietary software may be higher than you
were ever willing to spend.


Further reading:

NY Times: Microsoft Flaw Can Be Exploited

ZDNET: A chronology of the eEye decision

Rootshell: Search Rootshell for teardrop (enter “teardrop” int
