Fixing Security Holes on Internet Time
  Jun 21st, 01:37:06

[ The opinions expressed by authors on Linux Today are their own. They speak only for themselves and not for Linux Today. ] -lt ed

By Linux Today writer Paul Ferris

A recent New York Times article raises some alarming controversy. It's an attempt to point a finger at a supposedly irresponsible Netizen, eEye, for distributing example cracker code. The code allows a user to break into most Microsoft web servers running Internet Information Server (IIS), Microsoft's premier web serving product. Over 1.4 million web servers are open to the exploit, according to the article.

What I find most damning of all, though, is the response to the problem. Carefully read what Microsoft's lead product manager Jason Garms has to say about eEye:

"I vehemently reject the notion that we were dragging our heels on this. The absolute minimum expected to fix these things is two weeks," said Garms. The eEye tool "enabled even nontechnical person [sic] to attack any Web site running this software."

That's an interesting twist of the facts. Reading about eEye and their supposed recklessness, you practically get the feeling that they are Internet terrorists.

Hardly.

What is wrong with this picture? I'll tell you: the wrong company has been fingered for the problem. Re-read that sentence, and ask yourself who really "enabled even nontechnical person[s]" to attack web sites.

Microsoft, that's who.

But that's not what I'm going to rant about today. The real issue I have with Mr. Garms, and with Microsoft as well, centers on the "absolute minimum" time presented here to close a security hole.

Two weeks for a security patch? Let's examine that problem closely.

You run a major corporate or government web site with sensitive data. You have servers that are vulnerable to attack. A security hole is found in the software you have put your trust in.

You get to make a choice:

1) Close things down, because you cannot risk an intrusion.

2) Hope that no one gets in until the fix is made available.

3) Take things down temporarily, and fix it yourself.

Oh, wait. You're dependent upon a proprietary company such as Microsoft to supply your Internet security. Better scratch number three.

That's not the whole point being made here, though. There are several points.

Microsoft is sidestepping the security problem. They are painting eEye as reckless, when they themselves are the reckless party. There is a better way to ensure security. It may not be the Microsoft way, but it has a track record of delivering security fixes in hours or days, not weeks. Microsoft makes no mention of switching to this model. No, better to point out how "reckless" others are in the wake of possible tragedy.

This security hole is so big you can drive a truck through it. Never mind that roughly one fourth of all web servers run this software, and that an Internet worm could sweep through all of them far faster than any two-week patch cycle. We're supposed to wait two weeks while a patch is created by an isolated team of programmers in one location. Just forget that a different development model might be able to seal the hole in hours instead of weeks.

What new development model? No surprise here, it's Open Source Software (OSS).

Why is it better? Let me count the ways.

OSS allows parallelization
When a security hole is discovered in an OSS product, many minds can descend upon it at once. No lead product manager has to assign the work; it happens because people need the fix. People who work with OSS take a lot of pride in their work, and with many eyes on the product, the fixes happen on Internet time, not Microsoft time.

OSS is generally believed to have higher security than proprietary software
Let's examine the teardrop exploit as an example. Teardrop affected both Linux and Windows systems. It was patched under Linux in a matter of hours, and that patch closed the hole and its obvious relatives. The Windows patch addressed the original exploit but left those systems open to variations on it. It was generally agreed that they remained open to teardrop-style exploits because the patch code received no peer review.

This follows directly from the parallelization point above. With many diverse people looking at a piece of code, obvious security holes get closed, and potential problems get spotted before things get out of hand.
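To make the teardrop point concrete, here is an added example, written for this page and not taken from the article, from the Linux kernel or from the Windows patch. Teardrop sent two IP fragments with the second lying entirely inside the first; reassembly code that trimmed the overlap and then copied "end minus new start" bytes ended up with a negative length, which became an enormous unsigned copy. The first function below models that computation in simplified form. The second is the kind of general check a second pair of eyes would insist on: reject any fragment that overlaps already-accepted data, is empty, or runs past the 65535-byte datagram limit, so that every overlap geometry is closed at once rather than only the one in the published exploit. The struct, the function names and the fragment sizes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u

/* One IP fragment after header parsing: byte offset within the
 * datagram and payload length. Values are constructed for this
 * example; a real reassembler takes them from the IP header. */
struct frag {
    uint32_t offset;
    uint32_t len;
};

/* Vulnerable pattern, modelled on the 1997 teardrop bug (simplified).
 * When a new fragment starts inside the previous one, the code moves
 * its start forward to the end of the previous fragment and then takes
 * end - start as the number of bytes to copy. If the new fragment also
 * ENDS inside the previous one, that difference is negative; handed to
 * a copy routine as an unsigned size it becomes a huge length.
 * Returned as int so the caller can see the sign. */
int teardrop_style_len(const struct frag *prev, struct frag *cur)
{
    int prev_end = (int)(prev->offset + prev->len);
    int cur_end  = (int)(cur->offset + cur->len);
    if ((int)cur->offset < prev_end)
        cur->offset = (uint32_t)prev_end;   /* skip the overlapping bytes */
    return cur_end - (int)cur->offset;      /* negative for the teardrop pair */
}

/* Hardened check: accept a fragment only if it carries data, fits in a
 * maximum-size datagram, and overlaps none of the fragments already
 * accepted. Rejecting all overlap (rather than trimming it) closes the
 * original geometry and its variants in one rule. */
int frag_accept(const struct frag *accepted, size_t n_accepted,
                const struct frag *cur)
{
    uint64_t cur_end = (uint64_t)cur->offset + cur->len;  /* no 32-bit wrap */
    if (cur->len == 0 || cur_end > IP_MAX_DATAGRAM)
        return 0;
    for (size_t i = 0; i < n_accepted; i++) {
        uint64_t a_end = (uint64_t)accepted[i].offset + accepted[i].len;
        /* half-open ranges [offset, end) overlap iff each starts before the other ends */
        if (cur->offset < a_end && accepted[i].offset < cur_end)
            return 0;
    }
    return 1;
}

/* Run the hardened check over a whole fragment set in arrival order.
 * Returns 1 if every fragment was accepted, 0 at the first rejection. */
int reassemble_ok(const struct frag *frags, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!frag_accept(frags, i, &frags[i]))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed teardrop pair: 36 bytes at offset 0, then 4 bytes at offset 24. */
    struct frag first   = { 0, 36 };
    struct frag second  = { 24, 4 };
    struct frag scratch = second;
    printf("vulnerable code computes copy length %d\n",
           teardrop_style_len(&first, &scratch));

    struct frag teardrop[] = { first, second };
    struct frag normal[]   = { { 0, 1480 }, { 1480, 1480 }, { 2960, 100 } };
    struct frag oversize[] = { { 65528, 16 } };
    printf("teardrop set accepted: %d\n", reassemble_ok(teardrop, 2));
    printf("normal set accepted:   %d\n", reassemble_ok(normal, 3));
    printf("oversize set accepted: %d\n", reassemble_ok(oversize, 1));
    return 0;
}
```

The narrow fix, forcing the length unsigned or special-casing the one overlap shape in the published exploit, is exactly the style of patch that survives when nobody else reads the code; the general rule of dropping overlapping fragments is what RFC 5722 later made mandatory for IPv6 reassembly.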

Open Source software does not depend upon centralization
There is no corporate reputation to protect in the open source movement. No one gets all bent out of shape when a security hole is found in Red Hat, Debian, FreeBSD or the other free software products. No one spends time dragging their feet out of embarrassment. No one points fingers at the people who found it. There is nothing to protect. More to the point, there is no money at stake for the creators of the product.

Not that OSS people don't take pride in their product; they do. It's more than that. I'm speculating that the difference is more likely because no one's product revenue stream is at stake.

This runs contrary to the old school of thought, which holds that you need a company pushing a product to provide the best support for it. That idea is being directly challenged by problems that involve the Internet. Security is one of those problems.

Microsoft, I hope you are paying attention, because security on the net is not a trivial thing. There are a lot of people who count on it now for more than just fun and games. Microsoft, you may want to keep your previous development model. You may even think it's the only way to do business. But it appears that you are clinging only to your own best interests here, and not those of your customer base.

Some companies depend upon the Internet for their livelihood. Security is not a trivial matter to them. You seem to be saying that it is more important to protect your revenue than to ensure the safety of the revenue of those who have depended upon you.

Possibly, you are just upset with eEye because they are giving out source code, and you can't stand the thought of that.

A lot of people mistakenly point to the cost of free software as its big selling point. These people think that free software will make it big in the long run because it costs less on the procurement side: it doesn't tax the buyer when they obtain the service that the software provides.

When it comes to Internet security, these people are missing the true savings.

This security hole, and the tangential spin of blame around it, has helped underscore the real selling point in a world where the Internet is becoming ever more important and more prevalent. It's not just Microsoft's revenue stream that is at stake here. It's the revenue of any company that is dependent upon one of Microsoft's products. That's a lot of cash at stake, cash that can be weighed against the security available in Linux and FreeBSD.

If you are a company that is dependent upon the security of your web server for any kind of revenue, you need to ask yourself some rather important questions.

Ask yourself if you can afford to wait two weeks while a proprietary software product is patched for holes. Ask yourself if you can ever inspect the product for other holes that may not yet have been discovered.

Ask yourself who has the inferior support model under these conditions. If this isn't a support issue, and an important one, I don't know what is.

Ask yourself if you can afford not to use Open Source Software under these conditions. The answers speak for themselves. In the meantime, on Internet time, maybe some cracker or competitor will walk away with some of the money before you can approve the expenditure.

The true cost of proprietary software may be higher than you were ever willing to spend.


Further reading:
NY Times: Microsoft Flaw Can Be Exploited
ZDNET: A chronology of the eEye decision
Rootshell: Search Rootshell for teardrop


All times are recorded in CDT.
Copyright ©1999 by Linux Today
(webmaster@linuxtoday.com)
Linux is a trademark of Linus Torvalds.
Powered by Linux 2.2.9 and Apache 1.3.6.
Linux Today is a corporate member of Linux International.