[TriLUG] Fwd: [support] Accountability and possible solutions

Andrew Perrin clists at perrin.socsci.unc.edu
Thu Sep 11 16:29:15 EDT 2003


Hear, hear!

ap

----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu


On Thu, 11 Sep 2003, David R.Matusiak wrote:

> hello Linux Lubbers --  i took a few moments today to address a major
> problem we are seeing on the UNC-Chapel Hill campus (and presumably at
> other institutions).  i thought my note might be of interest to those
> on TriLUG.  any feedback appreciated.
>
> best regards,
> dave m.
>
> Begin forwarded message:
>
> > From: "David R. Matusiak" <matusiak at unc.edu>
> > Date: Thu Sep 11, 2003  3:51:07  PM US/Eastern
> > To: support at listserv.unc.edu
> > Cc: "BRM" <midkiff1 at email.unc.edu>
> > Subject: Re: [support] Accountability and possible solutions
> >
> > While I would wholeheartedly echo the sentiments of Bentley Midkiff
> > about making software vendors more accountable for insecure products,
> > I fear that our selfless, heroic governmental representatives are too
> > far in the pockets of big software firms to hear the weak carping of
> > their constituents.  Witness "Shrink Wrap Licensing," UTICA, and the
> > DMCA.  All of these things are designed to protect the profit margins
> > of software corporations while whittling away at the rights and
> > freedoms afforded those that give the corporations money - US, the
> > consumers - each and every one of us.
> >
> > So I do not think that our efforts are best spent chasing down dirty
> > deals between Washington and Silicon Valley.  Instead I believe that
> > we must fight this approaching menace on the home front.  What is
> > meant by that is that each technology dollar spent (both as
> > individuals and as a university) should be subject to strict review,
> > not only in terms of unit cost economics, but more importantly in
> > terms of the impact that said technology will have on us, our
> > networks, our students and co-workers, and perhaps our careers.
> >
> > As I read through the summer log of major problems and outages that
> > came across the UNC Support list, I am not so much surprised by what
> > has taken place, but instead bothered by the fact that such limited
> > solutions (if any) have been presented.  Please do not read that as
> > "Certain campus sectors not doing their jobs," because I think that
> > individual departments (especially ATN Networking and Security) are
> > doing excellent jobs.  Considering the magnitude of some of the recent
> > attacks, we should be thankful to have any network connectivity at all
> > -- not to mention such great and available support people.
> >
> > Instead I want you to consider this one fact - the only advice ever
> > really offered is "Go to Microsoft and apply their patches."  This
> > paltry token is the most that can be offered, however, to those who
> > are running these inherently insecure operating systems.  And we have
> > had reports of responsible admins following this advice and still
> > seeing their machines get infected over and over again.  To further
> > belabor this point, please note this article from eWeek (published
> > yesterday) where the author has the opportunity to point out "Three
> > New Critical RPC Flaws Found" in current Microsoft products.
> >
> > http://www.eweek.com/article2/0,4149,1261437,00.asp
> >
> > This is a very sad state of affairs.  Almost two years ago, Bill Gates
> > promised he was pulling engineers away from the development of "new
> > features" in order to shore up the security of their products.  And
> > this summer has shown us all just how much integrity that gesture had.
> > Week after week, virus and worm activity has skyrocketed and with new
> > exploits coming out regularly, there is no reasonable hope in sight.
> > So I would like to offer some more effective solutions in hopes of
> > improving both network security and End User happiness on the campus
> > here at Carolina.
> >
> > First and foremost, Rule # 1 should always be to understand the
> > process(es) necessary to keep your machine (or those you are
> > responsible for) patched and secure, both at the OS level and at the
> > application level.  No product is perfect and any device can be
> > dangerous if these vitals are ignored.  You must keep track of these
> > things or we will see more and more problems.  I cannot stress this
> > point enough.
> >
> > Next on the list would be to rectify misperceptions about "the
> > competition."  Believe it or not, there are actually other companies
> > out there whose primary purpose is to manufacture computer operating
> > systems.  One of the world's largest is our Raleigh neighbor, Red Hat
> > Linux, Inc.  While I would not solely endorse Red Hat above other
> > Linux vendors (mainly a personal preference issue), I do see them
> > doing good things for the software community and users alike.  Perhaps
> > most important amongst the recent improvements in Linux are the "ease
> > of use" factors and auto-updating functions being developed to help
> > both users and administrators alike successfully complete a transition
> > to Linux.  Besides this, we have some of the best LUGs (Linux User
> > Groups) in the country to assist with problems and questions (much
> > like this list does).  There are now very few proprietary application
> > products that have not been either ported to Linux or created anew to
> > draw users who used to say "Well, I need so-and-so and it only runs on
> > Windows 98."  1998 was almost 7 years ago - a lot has changed since
> > then.
> >
> > Perhaps you have heard of the SCO lawsuit against IBM, in which they
> > are trying to scare users and organizations away from Linux adoption
> > with their FUD (Fear, Uncertainty, Doubt) campaign that insists their
> > Intellectual Property has been infringed by Linux developers.  If
> > rational minds are allowed into the courtroom to testify, it will
> > become clear that SCO has no case and they themselves released and/or
> > jumbled code into Linux with their own Caldera Linux product.  You
> > cannot take back what you have already released under the GPL license.
> > Sorry SCO, no doughnut.
> >
> > Still, wise IT managers must keep abreast of these issues and protect
> > their organization from such legal quagmires and threats.  If Linux is
> > not the thing for you, then I would suggest *BSD products (which are
> > all branches of the original Berkeley Software Development UNIX
> > model).  Not only are the best of these products completely FREE, they
> > are also responsible for running most of the powerhouse destinations
> > on the Internet.  FreeBSD, NetBSD and OpenBSD are amongst the most
> > respected and time-trial proven operating systems in the world.  All
> > of these products have just as active and helpful a userbase as Linux.
> > You could even go with BSDi if you are in need of corporate-level
> > support.
> >
> > And my last suggestion is the easiest of all - Macintosh products by
> > Apple Computers, Inc.  The new OS for Mac, dubbed OS X (or OS "Ten"),
> > is itself based upon a Mach kernel derivative of BSD UNIX.  What has
> > this brought to Apple?  Unbelievable stability and all the power of a
> > full-fledged UNIX server.  What has Apple sacrificed to reach this
> > level?  Nothing - all the same plug and play niceness and GUI
> > simplicity is still present, perhaps refined even more over the aging
> > OS 9 that has been phased out.  And for personal computers (as opposed
> > to server hardware), Apple has some of the most durable and functional
> > machines out there today.  Please go take a look at either the RAMs
> > Head Shop or the Apple Store out at Streets of Southpoint.
> >
> > What we need is a clear and direct cultural shift away from supporting
> > the hegemony of operating systems that is Microsoft.  As outlined
> > above, no product is perfect and all need proper attention.  What is
> > undeniable, however, is the fact that most (if not all) of this nasty
> > virus and worm activity would have nowhere to go if we made this
> > shift.  Its malevolent seed could find no fertile ground for purchase,
> > so to speak.  And then we could all spend more time doing what we are
> > here to do instead of making trouble calls, creating trouble tickets,
> > balking at the hard work of the Networking people, and wondering why
> > we lost all our data or our machine is attacking others on the
> > Internet.
> >
> > While our RAMs Head Shop claims to be a fully functional Apple
> > reseller and repair shop, I am always more than disheartened when I'm
> > in there and hear a student inquiring about the row of Macs only to
> > have the Store employee say that "they are not supported" and then
> > point them to the back row of IBM/CCI machines.  I think we are doing
> > a major disservice to both our student population and those that have
> > to manage the networks at UNC by denying that other options exist.  I
> > think that we, as a campus, need to reexamine our tight alliances with
> > companies that make inferior and/or insecure products.
> >
> > Unfortunately, I only just heard of the fact that UNC is in the
> > process of hiring a new Chief Information Officer.  This is THE person
> > involved in making decisions as to the computing future of UNC and the
> > person whom I would like to ask my most difficult and pointed
> > questions; however, the last interview/presentation was on Sept. 8th
> > and I was unable to attend.  I think it is a travesty to continue
> > along the lines of our narrowly focused options for students, faculty
> > and staff alike.  I believe that the apprehension surrounding other
> > options needs to be addressed and vocally challenged by those
> > interested in keeping UNC-Chapel Hill on the cutting edge of
> > technology research and development.
> >
> > Obviously, a lot more is at stake than cutting down on malicious
> > network activity across our campus.  Losing the right to compare and
> > choose will certainly impair the abilities of our students and it has
> > certainly caused many headaches this summer for the campus support
> > personnel.  Please take a moment and consider some of my suggestions.
> > Also, please understand that I am not in any way paid or endorsed by
> > any of the companies and products I've mentioned above.  I am only
> > trying to put this issue in perspective for those that may not have
> > heard of such alternatives.
> >
> > Thanks!
> > dave m.
> >
> > On Thursday, September 11, 2003, at 10:27  AM, BRM wrote:
> >
> >> Support Group:
> >>
> >> Weak admin passwords notwithstanding, does anybody else think
> >> Microsoft should be held accountable for the onslaught of viruses,
> >> worms and Trojans that continue to disable networks and drive up the
> >> cost of IT? Consider this article, written on 6/30/2003 by Caron
> >> Carlson at http://www.eweek.com/article2/0,4149,1141769,00.asp. Here
> >> is an excerpt...
> >>
> >> "The greatest threat to the nation's data networks today is not
> >> nascent cyber-terrorism lurking in the shadows but rather technology
> >> vendors unwilling to invest adequately in security, experts told
> >> Congress last week. Increasingly, industry insiders are seeking ways
> >> to make vendors accountable for their products."
> >>
> >> "The CERT Centers at the Software Engineering Institute at
> >> Carnegie Mellon University, in Pittsburgh, found that security
> >> features in most products have not improved over the past few years."
> >>
> >> Steve Gibson warned everybody about this potential problem more
> >> than two years ago. See http://grc.com/dos/grcdos.htm.
> >>
> >> If MS-Windows were a new car, it would be recalled immediately.
> >> Why? Because there would be millions of wrecked vehicles strewn across
> >> the landscape.
> >>
> >> Q: Where does a 50 million dollar gorilla drive?
> >> A: Anywhere it wants.
> >>
> >> Bentley R. Midkiff, B.S., A+
> >> Research Technician III
> >> Biochemistry & Biophysics
> >
> > --
> > David R. Matusiak
> > NC LIVE Systems Admin, UNC-Chapel Hill
> > v: 919.962.1288
> > f: 919.962.0484
> > e: matusiak at unc.edu
> > --
>