Following Up "Beware the Microsoft Shell Game!"
What this means is that unless a knowledgeable sysadmin has taken explicit action to prevent it, any 15-year-old who can copy code off the Internet, can use Microsoft's IIS to bypass your firewall, bypass your password system and gain administrator-level access to the machine that hosts your web server. They can inspect, alter or delete files at will, no matter how you have them secured. They can also use root-level access to that machine as a springboard for attacks on other systems inside your firewall.
A writeup on this latest in the apparently unending stream of gaping holes in Microsoft's security is at http://www.eeye.com/html/Research/Advisories/AD20010501.html.
This is about bad as it gets, folks. It's a big, nasty problem even by Microsoft's security-bug-of-the-month standards.
At Craig Mundie's anti-open-source sermonette in New York Thursday, I hope someone will have the temerity to ask him a few simple questions:
1. Should Microsoft's record on security inspire confidence in customers considering entrusting their digital identities to Microsoft's Hailstorm system and their critical business data to .NET?
2. Even the most cursory inspection of sites that specialize in tracking security bugs (such as CERT and BugTraq) suggests that open-source operating systems such as Linux and the BSDs have a far better security record than Microsoft Windows, both in having fewer vulnerabilities and in more rapid deployment of fixes. How does Microsoft propose to close the technology gap and catch up to the quality level of these systems?
3. How can potential operating-system customers with millions (perhaps billions) of dollars riding on the security of their computer systems form a rational estimate of their exposure if they cannot inspect the source code of those systems?
4. If the answer to question 3 is "You can see the source code if you're a big enough company to pay us for the privilege", then why should customers have to pay for the privilege of doing the job Microsoft's own QA teams so frequently bungle?
5. How would you respond to the following statement: "Any engineer or executive who, disregarding best practices, entrusts security-critical functions to closed-source software is committing an actionable breach of their responsibility to their employer?"
Eric Raymond can be contacted at Eric S. Raymond.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Client-Side Performance
- Libarchive Security Flaw Discovered
- Peppermint 7 Released
- Sony Settles in Linux Battle
- Maru OS Brings Debian to Your Phone
- The Giant Zero, Part 0.x
- Profiles and RC Files
- Git 2.9 Released
- Snappy Moves to New Platforms
With all the industry talk about the benefits of Linux on Power and all the performance advantages offered by its open architecture, you may be considering a move in that direction. If you are thinking about analytics, big data and cloud computing, you would be right to evaluate Power. The idea of using commodity x86 hardware and replacing it every three years is an outdated cost model. It doesn’t consider the total cost of ownership, and it doesn’t consider the advantage of real processing power, high-availability and multithreading like a demon.
This ebook takes a look at some of the practical applications of the Linux on Power platform and ways you might bring all the performance power of this open architecture to bear for your organization. There are no smoke and mirrors here—just hard, cold, empirical evidence provided by independent sources. I also consider some innovative ways Linux on Power will be used in the future.Get the Guide