Re: Leaving Techwhirlers

Subject: Re: Leaving Techwhirlers
From: David Neeley <dbneeley -at- oddpost -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Wed, 24 Sep 2003 17:22:43 -0700 (PDT)


(NOTE: This is a LONG post delving into the argument Andrew Plato made concerning my own earlier post, in which I once again addressed the comparative wisdom of using the Windows "Auto Update" "feature" and why some companies may properly choose not to. His response, rather typically, was mostly to attack the messenger rather than the message--and, I believe, to use various histrionics rather than solid logic. If your response is to merely groan and say "There they go again!" while consigning this to the "bit bucket" I will surely understand.

However, I believe that many of these points have definite connection to the technology we use every day--so I have responded below. As always, I am open to comments from anyone regarding anything I may write.)

Andrew,

As usual, your logic is flawed in several particulars.

1) First, you say Microsoft isn't getting any information about the computer other than a "non-reversible hash" and THEN you say people obsess about Microsoft "obtaining marketing data." Which is it--or do you simply want it both ways?

2) As you know, contact with Microsoft or anyone else that is initiated by the PC behind the firewall is *not* screened out by the corporate firewalls if the machine has external access at all. Again, my point was always that users should *not* use automatic update and that it was not "anal" to require that users not do so. You simply have reinforced my point, for which I thank you.

3) The concerns relating to the EULA and HIPAA were raised by actual IT officers with healthcare firms, not by me and not by people who are particularly anti-Microsoft. You may play word games all day--the fact remains that the *law* actually prohibits anyone not specifically authorized to be allowed access to machines containing confidential patient information. The *law* says that its provisions are enforceable under civil and criminal laws. Whether it would be enforced in reality is not the question. Your approach, as usual, is to merely ridicule the notion. While as a practical matter, any CIO involved has to make an individual calculation as to how much risk to assume, it is not right for Microsoft to put them in jeopardy in this way for no reason beyond Microsoft's own benefit.

4) The actual *code* involved in the registration "feature" is still present in the Enterprise software. As you surely know, that was a problem causing many malfunctions in customer sites *when their machines under some fairly common conditions demanded activation codes with no provisions to receive them.* As I recall, this was a fairly widely understood problem early in the XP deployment until a patch was *finally* produced to correct it.

5) The EULA for the *service pack* is unconscionable because it changes the agreement that theoretically existed between Microsoft and the customer at the time of original purchase. In requiring unilaterally that the customer restrict previously granted rights in order to receive corrected code, Microsoft in effect has entered into a "contract of adhesion" in which the customer had no effective choice. For you to say the customer can simply "reformat his hard drive" is simply sophistry of the highest order, and you should know it. If you do not, you are much more dim than I have ever given you credit for.

6) It is not true that "only a small business uses WPA." While that may be Microsoft's intent, the *truth* is that even the largest corporations buy individual licenses quite often, especially for remote offices, telecommuters, and the like. Not all by any means, but many do. I, too, have worked within companies of all sizes--in my case, up to and including Fortune 50s. So please don't try to put down those who may not be so easily cowed!

7) Your argument that "Microsoft has better things to do than to concern themselves with what is on your PC" is also pure balderdash! Their rather ham-handed actions involving Windows Media Player, in the pursuit of new revenues from the multimedia producers through "digital rights management" are clear examples that not only *are* they interested in what you have on your computer, in various cases they are actively pursuing the issue.

8) I actually agree with you that lack of training and understanding of security issues is the largest problem at the moment. This is aided and abetted by Microsoft, which promotes an operating system design which, according to the development manager for Windows 2000, "...was not designed with security in mind." In fact, their continual push to greater interoperability between the operating system and their application programs is perhaps the largest indication that they have yet to "get it" regarding security issues. This is already making substantial comment both in public commentary and in various security organizations, as I am sure you know. If you don't, you're in the wrong business.

9) Yet another example of your hyperbole in support of your opinions--which may impress those who have less experience, perhaps, but by which I am distinctly *not* impressed...in response to my statements about the "auto update" feature (the *original* topic I addressed, remember?), when I said:

> For tech writers outside of those two areas, whether to enable automatic
> update is a function of your company's security policies. My post was intended
> to illustrate that blindly enabling this "feature" may not be a "good
> thing"--especially in cases where a fine and/or jail term may ultimately
> result.

Your reply:

"This is FUD. Nobody is going to arrest you and throw you in jail because you
tried to update your PC. I realize it's very entertaining to sit and speculate
about these massive corporate conspiracies and work yourself into a lather
about how Bill the Borg wants to assimilate you. But it's just not true. Unless
you can produce a case where somebody was actually thrown in jail for using
Windows Update, this isn't a valid point."

Andrew, you are a "piece of work" to borrow the phrase! First, it is *not* FUD (a Microsoft innovation, one of the few) to say that *not* using automatic update in compliance with a company security policy is *not* "anal" as the original comment put it. As for being subject to arrest, that is purely a matter of law.

What part of "subject to" do you not understand? It is *not* required that "someone be actually thrown in jail" to understand that a knowing (or unknowing) violation of law may *subject you* to arrest. It is up to the justice system and its officers to decide *whether* to arrest you--and that is another point.

10) I did enjoy this paragraph, in which you buttress my point:

"It's not a matter of trusting them or not trusting them - it's logic. What
benefit do they have chasing down individual users and locking them up? And if
we are going to chastise MS, what about all the other firms doing this? Are
they equally as evil for collecting marketing data? What about the people who
write worms to spam you? Aren't they "more evil" than MS?"

As I pointed out before, either they are collecting "marketing data" or they are not. Take your pick, please, and *then* we may be able to speak "logically" on the topic. Secondly, to compare spam writers to Microsoft is to compare a hand grenade with a nuclear device. Personally, I would "go after" Microsoft for taking advantage of its dominant market position by releasing such flawed software year after year, knowing full well that their system for testing product prior to release is fundamentally flawed and/or their design itself needs total overhaul.

Consider: when Microsoft claims to "understand the needs of its users"--and when we have already agreed that ignorance on the part of the user community is the principal security threat--is it not *logical* to assume that they should already have produced a product which makes security *easy*?

11) "Moreover, if all your software is legal, then there isn't really anything to fear."

Andrew--tell that to the various firms that have been harassed by the "Business Software Alliance"--which is completely dominated by Redmond! Businesses who have *purchased* their software but who may not have kept track of all the license documents are forced to engage in "software audits" and pay huge fines in many cases. *This* is being interested in the welfare of your customers? Please, Andrew, *tell* me you're not supposing your loyal readers are stupid enough to actually *buy* this nonsense?

12) "Yes, it makes me biased...." On that, Andrew, we obviously agree!

13) I said: "The simple fact is that the various flavors of UNIX and UNIX-like operating systems were designed from the beginning to operate in a networked environment."

You responded: "So was Windows NT. Windows NT is actually based on UNIX."

Here, you are mistaken. Windows NT was developed by a team led by a Mr. Cutler, who had been the principal architect while at DEC of VMS. During the NT development and before it was named, it was referred to by many old hands around the company as "portable VMS" because it was ostensibly designed to be readily ported to various architectures (and was, in fact, released to support the DEC Alpha and the SGI/MIPS platforms, although obviously support for the latter was later dropped). The fundamental NT design called for a low-level element which varied from architecture to architecture connecting to a large layer called the "mezzanine"--a totally different design philosophy from UNIX. However, NT *also* did *not* anticipate being multi-user or a network-native citizen as UNIX was.

Would you like again to claim that "NT was based on UNIX"? Perhaps, if so, you would specify where I am mistaken or, failing that, some kind of specifics to buttress your claim?

14) Speaking of Linux and others, I said "Each of them can be secured without adding additional products. In the case of the open source products, this securing is done through text files without requiring any particularly difficult skills to master."

"Hardly. You have to know where those files are. You have to know the format. And if you mistype one thing - the whole thing fails. Furthermore, most open-source "patches" come in the form of source code. Meaning a lengthy compile and test period."

I refer you, for example, to www.bastille-linux.org. There are other resources that would show that you are overstating the case.

"You have obviously never run an IT department. All I can say is that you're talking about theoretical benefits. Yeah, tinkering at home in the evenings on old 486s you often can do cool stuff. But, that's tinkering. I tinker too (when I have time). I've set up cool little Linux routers as well. It's fun. It's also too haphazard to use in a corporate environment where 10 people need to be trained to use that router."

Actually, this discussion takes place on a list of people who have computers--and often networks--at home. That is why I have put various examples in terms they could appreciate and, perhaps, apply themselves.

As you know, Linux is rapidly becoming the most popular embedded operating system anywhere. Anyone with a TiVo box is running a headless Linux computer, for instance. Many of the Linux router and firewall distributions are simplicity itself to install and configure...but that is off the topic.

"Tinkering doesn't translate into a corporate IT department. You can't just tinker with a mission critical server."

True. Taking it down several times a week to do software updates and patches is certainly defined as "tinkering" in my book. That alone would rule out Windows as a serious competitor in *any* back office setup where alternatives that are more stable and more robust are available. Again, I thank you for making my point for me!

"Yes, I make money securing systems. And you know what - UNIX and BSD machines are sometimes the most insecure points in a company."

True. Especially when they have often been brought in "through the back door" by people just learning the systems who are trying to gain additional functionality that they cannot get or that simply costs too much in the Windows environment.

"Just recently I had a customer have three Linux boxes hacked and trashed. The Win2K servers in the other room were fine. Considering I see a 50:1 ratio of Windows boxes to Linux. When 10 out of 100 Linux machines are hacked and 300 out of 100,000 Windows machines are hacked...well, you do the math."

Okay, Andrew--the math says that you have proved nothing! If this were the pattern everywhere, among people who have equivalent knowledge in system administration on both systems, *then* it would mean something. What *you* have shown is a reliance upon the same sort of BS "statistics" that seem prevalent in the Windows press releases and in their bought-and-paid-for "studies".

15) "Security isn't something that only open-source has and Windows doesn't. Windows machines can be just as secure or insecure as any other machine. What makes a difference is how they are configured. A poorly configured Linux machine is just as insecure as a poorly configured Windows machine. Configuration, management, and use have a much more profound effect on security than the underlying OS technology."

Andrew, the *differences* are significant.
* Windows, with its closed design, forces users to take Microsoft's word for it that security holes are plugged...and they have an awfully poor track record in that regard!
* Windows, designed as a huge and monolithic system, has long since passed the point where a particular patch for one problem may not impact five or six others--an architectural design flaw that is becoming increasingly obvious.
* Windows has tremendous internal security problems *by design*--in which security levels can be changed by knowledgeable intruders to *system* (the most basic permission normally only given to processes of the OS itself)...again, a dangerous architectural flaw.
* I have already mentioned the interoperability "features" that present a continued security problem--for any who do not understand, consider the various "macro virus" problems with Office files through Visual Basic for Applications exploits.
* For a "mission critical server" to need to be taken out of service through one to multiple reboots to install a patch of a non-critical function that can be exploited results from the integration of the GUI with the fundamental core of the operating system. For a *server* to *require* a GUI as a mandatory part of its operation is itself absurd.

This has been a rather enjoyable exercise, Andrew--although I doubt many have read this far to appreciate it.

David Neeley
