Microsoft: "Do what I say,
January 28th, 2003, 09:06 AM
|
#1 (permalink)
| | Fossil
Join Date: Oct 2001 Location: inside the Beltway
Posts: 6,428
| Microsoft: "Do what I say, |
| |
January 28th, 2003, 09:07 AM
|
#2 (permalink)
| | Retired mostly.
Join Date: Oct 2001 Location: Finland
Posts: 5,144
|
That site requires registration, is it available free somewhere?
-M |
| |
January 28th, 2003, 09:16 AM
|
#3 (permalink)
| | Member
Join Date: Apr 2002 Location: (Rob) Indiana - USA
Posts: 496
|
Microsoft fails Slammer's security test
Robert Lemos, Staff Writer, CNET News.com
Microsoft's policy of relying on software patches to fix major security flaws was questioned Monday after a series of internal e-mails revealed that the software giant's own network wasn't immune from a worm that struck the Internet last weekend.
The messages seen by CNET News.com portray a company struggling with a massive infection by the SQL Slammer worm, which inundated many corporate networks Saturday with steady streams of data that downed Internet connections and clogged bandwidth.
"All apps and services are potentially affected and performance is sporadic at best," Mike Carlson, director of data center operations for Microsoft's Information Technology Group, stated in an e-mail sent at 8:04 a.m. PST Saturday to other members of Microsoft's operations groups. "The network is essentially flooded with traffic, making it difficult to gather details concerning the impact."
The messages put Microsoft in an awkward position: The company relies on customers to patch security flaws but the events of last weekend show that even it is vulnerable. In this case, Microsoft urged customers to fix a vulnerability in the SQL Server 2000 software, but it apparently hadn't taken its own advice. Moreover, despite its 1-year-old security push, the software giant still had critical servers vulnerable to Internet attacks.
"This shows that the notion of patching doesn't work," said Bruce Schneier, chief technology officer for network protection firm Counterpane Internet Security. "Publicly, they are saying it's not our fault, because you should have patched. But Microsoft's own actions show that you can't reasonably expect people to be able to keep up with patches."
For years, system administrators have complained about their inability to keep up with the steady stream of patches that have poured out of Microsoft and other software companies. In October, the software giant even raised the bar for what's considered a "critical" vulnerability, so that administrators wouldn't have to deal with so many patches that seemingly required immediate attention.
“Seems like every time I install a system patch, something else goes wrong with my system,” said Frank Beier, president of Web design firm Dynamic Webs. The designer said many system administrators won’t patch for many months, because they don’t trust Microsoft to fix the problem without breaking some other function of the software.
“In most cases, I'm better off just playing Russian roulette with the hackers until our servers are broken into,” he said.
In the case of SQL Slammer, it seemed that Microsoft had done it right. The company had informed customers six months earlier about a flaw and included patches in both a roll-up patch--a software update that includes all the latest patches--and in the company's latest service pack for Microsoft SQL Server 2000.
But even within Microsoft, something went wrong.
"At approximately, 10:00 p.m. (PST, Friday), traffic on the corporate network jumped dramatically, eventually bringing all services to a crawl," stated Carlson's memo. "The root cause appears at this time to be a virus attacking SQL."
On Saturday, Microsoft's Windows XP Activation service was down, not because the servers were vulnerable, but because the company's internal network was inundated with junk data, Rick Devenuti, the chief information officer for the software giant, said in an interview Monday.
"We are not sure how the virus got into our network," he said.
That the company has SQL servers on the desktop is not surprising, he added. Many of its developers run the database on their PCs, and other test machines have vulnerable databases installed to replicate customer networks. Devenuti didn't know how the worm got into the system to affect those servers, however.
"It just takes one machine to get going," he said. "At any given point in time, it is hard to be 100 percent patched with any machine. We are working hard to make patch management easier. But 100 percent is a high bar and in this case we are not there."
News.com's Stephen Shankland contributed to this report. |
| |
January 28th, 2003, 09:22 AM
|
#4 (permalink)
| | Fossil
Join Date: Oct 2001 Location: inside the Beltway
Posts: 6,428
| muno, the New York Times requires registration, but it's free. You should not only register, you should bookmark it. Even if you think it's too liberal (and, of course, I don't), it's by far the best newspaper in the US.
Every Wednesday, by the way, they have some really good recipes. |
| |
January 28th, 2003, 09:22 AM
|
#5 (permalink)
| | Retired mostly.
Join Date: Oct 2001 Location: Finland
Posts: 5,144
|
Thanks for that s?tanclauz.
-M
//edit: In reply to the big nose guy.
I shun registering to somewhere just to read one article, or do one download (cnet). Usually everything's available somewhere else for free.
I have no real need to read American newspapers, if it affects me, it's written on a local paper too (Finnish).
Last edited by muno : January 28th, 2003 at 09:24 AM.
|
| |
January 28th, 2003, 09:31 AM
|
#6 (permalink)
| | Fossil
Join Date: Oct 2001 Location: inside the Beltway
Posts: 6,428
| Quote: |
I have no real need to read American newspapers
| Gee, don't you think that's a little parochial? My browsers have their home pages set at http://news.bbc.co.uk because it's better than any of the US sites. And on Tuesday, the Times has a whole section devoted to science, as well as its Thursday "Circuits" section on information technology. |
| |
January 28th, 2003, 09:36 AM
|
#7 (permalink)
| | Retired mostly.
Join Date: Oct 2001 Location: Finland
Posts: 5,144
|
I tried looking at Merriam-Webster for a definition of 'parochial' but I still don't understand your sentence
-M |
| |
January 28th, 2003, 09:40 AM
|
#8 (permalink)
| | Fossil
Join Date: Oct 2001 Location: inside the Beltway
Posts: 6,428
|
One of the subsidiary meanings is "of very limited or narrow scope; provincial". "Parochial" is the opposite of "catholic" (a joke that perhaps only Americans will understand). |
| |
January 28th, 2003, 09:44 AM
|
#9 (permalink)
| | :slack: strong
Join Date: Jan 2002 Location: MI
Posts: 17,385
| Quote: |
One of the subsidiary meanings is "of very limited or narrow scope; provincial". "Parochial" is the opposite of "catholic" (a joke that perhaps only Americans will understand).
|  |
| |
January 28th, 2003, 09:44 AM
|
#10 (permalink)
| | Retired mostly.
Join Date: Oct 2001 Location: Finland
Posts: 5,144
|
Ok, if the sentence is saying whether I have a narrow scope or not, then yes.
But wouldn't the question be the same if I asked 'do you read Helsingin Sanomat?' (HS is the largest newspaper in Finland).
That is, if I (again) understood the question correctly 
-M |