[TriLUG] Fwd: [support] Accountability and possible solutions
David R.Matusiak
dave at matusiak.org
Thu Sep 11 16:22:10 EDT 2003
hello Linux Lubbers -- i took a few moments today to address a major
problem we are seeing on the UNC-Chapel Hill campus (and presumably at
other institutions). i thought my note might be of interest to those
on TriLUG. any feedback appreciated.
best regards,
dave m.
Begin forwarded message:
> From: "David R. Matusiak" <matusiak at unc.edu>
> Date: Thu Sep 11, 2003 3:51:07 PM US/Eastern
> To: support at listserv.unc.edu
> Cc: "BRM" <midkiff1 at email.unc.edu>
> Subject: Re: [support] Accountability and possible solutions
>
> While I would wholeheartedly echo the sentiments of Bentley Midkiff
> about making software vendors more accountable for insecure products,
> I fear that our selfless, heroic governmental representatives are too
> far in the pockets of big software firms to hear the weak carping of
> their constituents. Witness "Shrink Wrap Licensing," UCITA, and the
> DMCA. All of these things are designed to protect the profit margins
> of software corporations while whittling away at the rights and
> freedoms afforded those that give the corporations money - US, the
> consumers - each and every one of us.
>
> So I do not think that our efforts are best spent chasing down dirty
> deals between Washington and Silicon Valley. Instead I believe that
> we must fight this approaching menace on the home front. What is
> meant by that is that each technology dollar spent (both as
> individuals and as a university) should be subject to strict review,
> not only in terms of unit cost economics, but more importantly in
> terms of the impact that said technology will have on us, our
> networks, our students and co-workers, and perhaps our careers.
>
> As I read through the summer log of major problems and outages that
> came across the UNC Support list, I am not so much surprised by what
> has taken place, but instead bothered by the fact that such limited
> solutions (if any) have been presented. Please do not read that as
> "Certain campus sectors not doing their jobs," because I think that
> individual departments (especially ATN Networking and Security) are
> doing excellent jobs. Considering the magnitude of some of the recent
> attacks, we should be thankful to have any network connectivity at all
> -- not to mention such great and available support people.
>
> Instead I want you to consider this one fact - the only advice ever
> really offered is "Go to Microsoft and apply their patches." This
> paltry token is the most that can be offered, however, to those who
> are running these inherently insecure operating systems. And we have
> had reports of responsible admins following this advice and still
> seeing their machines get infected over and over again. To further
> belabor this point, please note this article from eWeek (published
> yesterday) where the author has the opportunity to point out "Three
> New Critical RPC Flaws Found" in current Microsoft products.
>
> http://www.eweek.com/article2/0,4149,1261437,00.asp
>
> This is a very sad state of affairs. Almost two years ago, Bill Gates
> promised he was pulling engineers away from the development of "new
> features" in order to shore up the security of their products. And
> this summer has shown us all just how much integrity that gesture had.
> Week after week, virus and worm activity has skyrocketed and with new
> exploits coming out regularly, there is no reasonable hope in sight.
> So I would like to offer some more effective solutions in hopes of
> improving both network security and End User happiness on the campus
> here at Carolina.
>
> First and foremost, Rule # 1 should always be to understand the
> process(es) necessary to keep your machine (or those you are
> responsible for) patched and secure, both at the OS level and at the
> application level. No product is perfect and any device can be
> dangerous if these vitals are ignored. You must keep track of these
> things or we will see more and more problems. I cannot stress this
> point enough.
>
> Next on the list would be to rectify misperceptions about "the
> competition." Believe it or not, there are actually other companies
> out there whose primary purpose is to manufacture computer operating
> systems. One of the world's largest is our Raleigh neighbor, Red Hat
> Linux, Inc. While I would not solely endorse Red Hat above other
> Linux vendors (mainly a personal preference issue), I do see them
> doing good things for the software community and users alike. Perhaps
> most important amongst the recent improvements in Linux are the "ease
> of use" factors and auto-updating functions being developed to help
> both users and administrators alike successfully complete a transition
> to Linux. Besides this, we have some of the best LUGs (Linux User
> Groups) in the country to assist with problems and questions (much
> like this list does). There are now very few proprietary application
> products that have not been either ported to Linux or created anew to
> draw users who used to say "Well, I need so-and-so and it only runs on
> Windows 98." 1998 was almost 7 years ago - a lot has changed since
> then.
>
> Perhaps you have heard of the SCO lawsuit against IBM, in which they
> are trying to scare users and organizations away from Linux adoption
> with their FUD (Fear, Uncertainty, Doubt) campaign that insists their
> Intellectual Property has been infringed by Linux developers. If
> rational minds are allowed into the courtroom to testify, it will
> become clear that SCO has no case and they themselves released and/or
> jumbled code into Linux with their own Caldera Linux product. You
> cannot take back what you have already released under the GPL license.
> Sorry SCO, no doughnut.
>
> Still, wise IT managers must keep abreast of these issues and protect
> their organization from such legal quagmires and threats. If Linux is
> not the thing for you, then I would suggest *BSD products (which are
> all branches of the original Berkeley Software Development UNIX
> model). Not only are the best of these products completely FREE, they
> are also responsible for running most of the powerhouse destinations
> on the Internet. FreeBSD, NetBSD and OpenBSD are amongst the most
> respected and time-trial proven operating systems in the world. All
> of these products have just as active and helpful a userbase as Linux.
> You could even go with BSDi if you are in need of corporate-level
> support.
>
> And my last suggestion is the easiest of all - Macintosh products by
> Apple Computers, Inc. The new OS for Mac, dubbed OS X (or OS "Ten"),
> is itself based upon a Mach kernel derivative of BSD UNIX. What has
> this brought to Apple? Unbelievable stability and all the power of a
> full-fledged UNIX server. What has Apple sacrificed to reach this
> level? Nothing - all the same plug and play niceness and GUI
> simplicity is still present, perhaps refined even more over the aging
> OS 9 that has been phased out. And for personal computers (as opposed
> to server hardware), Apple has some of the most durable and functional
> machines out there today. Please go take a look at either the RAMs
> Head Shop or the Apple Store out at Streets of Southpoint.
>
> What we need is a clear and direct cultural shift away from supporting
> the hegemony of operating systems that is Microsoft. As outlined
> above, no product is perfect and all need proper attention. What is
> undeniable, however, is the fact that most (if not all) of this nasty
> virus and worm activity would have nowhere to go if we made this
> shift. Its malevolent seed could find no fertile ground for purchase,
> so to speak. And then we could all spend more time doing what we are
> here to do instead of making trouble calls, creating trouble tickets,
> balking at the hard work of the Networking people, and wondering why
> we lost all our data or our machine is attacking others on the
> Internet.
>
> While our RAMs Head Shop claims to be a fully functional Apple
> reseller and repair shop, I am always more than disheartened when I'm
> in there and hear a student inquiring about the row of Macs only to
> have the Store employee say that "they are not supported" and then
> point them to the back row of IBM/CCI machines. I think we are doing
> a major disservice to both our student population and those that have
> to manage the networks at UNC by denying that other options exist. I
> think that we, as a campus, need to reexamine our tight alliances with
> companies that make inferior and/or insecure products.
>
> Unfortunately, I only just heard of the fact that UNC is in the
> process of hiring a new Chief Information Officer. This is THE person
> involved in making decisions as to the computing future of UNC and the
> person whom I would like to ask my most difficult and pointed
> questions; however, the last interview/presentation was on Sept. 8th
> and I was unable to attend. I think it is a travesty to continue
> along the lines of our narrowly focused options for students, faculty
> and staff alike. I believe that the apprehension surrounding other
> options needs to be addressed and vocally challenged by those
> interested in keeping UNC-Chapel Hill on the cutting edge of
> technology research and development.
>
> Obviously, a lot more is at stake than cutting down on malicious
> network activity across our campus. Losing the right to compare and
> choose will certainly impair the abilities of our students and it has
> certainly caused many headaches this summer for the campus support
> personnel. Please take a moment and consider some of my suggestions.
> Also, please understand that I am not in any way paid or endorsed by
> any of the companies and products I've mentioned above. I am only
> trying to put this issue in perspective for those that may not have
> heard of such alternatives.
>
> Thanks!
> dave m.
>
> On Thursday, September 11, 2003, at 10:27 AM, BRM wrote:
>
>> Support Group:
>>
>> Weak admin passwords notwithstanding, does anybody else think
>> Microsoft should be held accountable for the onslaught of viruses,
>> worms and Trojans that continue to disable networks and drive up the
>> cost of IT? Consider this article, written on 6/30/2003 by Caron
>> Carlson at http://www.eweek.com/article2/0,4149,1141769,00.asp. Here
>> is an excerpt...
>>
>> "The greatest threat to the nation's data networks today is not
>> nascent cyber-terrorism lurking in the shadows but rather technology
>> vendors unwilling to invest adequately in security, experts told
>> Congress last week. Increasingly, industry insiders are seeking ways
>> to make vendors accountable for their products."
>>
>> "The CERT Centers at the Software Engineering Institute at
>> Carnegie Mellon University, in Pittsburgh, found that security
>> features in most products have not improved over the past few years."
>>
>> Steve Gibson warned everybody about this potential problem more
>> than two years ago. See http://grc.com/dos/grcdos.htm.
>>
>> If MS-Windows were a new car, it would be recalled immediately.
>> Why? Because there would be millions of wrecked vehicles strewn across
>> the landscape.
>>
>> Q: Where does a 50 million dollar gorilla drive?
>> A: Anywhere it wants.
>>
>> Bentley R. Midkiff, B.S., A+
>> Research Technician III
>> Biochemistry & Biophysics
>
> --
> David R. Matusiak
> NC LIVE Systems Admin, UNC-Chapel Hill
> v: 919.962.1288
> f: 919.962.0484
> e: matusiak at unc.edu
> --