March 7th, 2007

Windows vs. Unix, part duh!

Posted by Paul Murphy @ 12:15 am

Categories: Enterprise Policy, General, Sun

Tags:

When do three easy pieces lead to a conclusion about risks of unusual size? When they're about mis-adventures with Windows software.

First, my friend with the shiny new Lenova laptop never did get his encrypted Word files back after first loading Vista on that machine and then going back to XP - I offered to lend him the hacksaw I used when the people who sold us our house didn't leave a key to the back gate, but he wasn't amused.

Secondly, one of my favourite frequent contributors, defconvegas, wasn't amused either - in this case by something he imagined into my comments (see Unix vs. Windows or: sometimes a fool is just a fool) about a CIO endangering his University by not doing his job - specifically by bucking his responsibilities for student email to google.

Here's one of defcon's counter claims:

Majority of Fortune 500 companies some having more than 100,000 employees run Microsoft Exchange for email and MS Outlook. I work for a Fortune 500 company and we use MS Office and never have I had any problems with email or MS Office.

The first part of this is true - there are lots of big companies out there using Microsoft Exchange with Microsoft Outlook and Microsoft Office. The second part, however, suggests that this guy could play Russian Roulette with a fully loaded revolver for hours at a time and never get hurt.

The NIST vulnerabilities database shows 102 separate vulnerabilities for Microsoft Outlook over the last three years - and 68 more unique to Microsoft Exchange. Add 191 Access vulnerabilities, 117 for Word, 68 for Excel, so on all the way down the list to 4 for Publisher and you get a picture of stunning vulnerability - in fact, NIST records a total of 1,580 Microsoft vulnerabilities for the period, slightly more than two for every working day.

And, number three, you may have heard about this substitute teacher facing forty years in jail over some pop-up porn - here's the Washington Post's version of that story:

A 40-year-old former substitute teacher from Connecticut is facing prison time following her conviction for endangering students by exposing them to pornographic material displayed on a classroom computer.

Local prosecutors charged that the teacher was caught red-handed surfing for porn in the presence of seventh graders. The defence claimed the graphic images were pop-up ads generated by spy ware already present on the computer prior to the teacher's arrival. The jury sided with the prosecution and convicted her of four counts of endangering a child, a crime that brings a punishment of up to 10 years per count. She is due to be sentenced on March 2. [Since postponed to the 27th]

…

On the morning of Oct 19, 2004, Amero said she reported for duty at a seventh grade classroom at Kelly Middle School in Norwich, Conn. After stepping out into the hall for a moment, Amero returned to find two students hovering over the computer at the teacher's desk. As supported by an analysis of her computer during the court proceedings, the site the children were looking at was a seemingly innocuous hairstyling site called "new-hair-styles.com." Amero said that shortly thereafter, she noticed a series of new Web browser windows opening up displaying pornographic images, and that no matter how quickly she closed each one out, another would pop up in its place.

"I went back to computer and found a bunch of pop-ups," Amero said. "They wouldn't go away. I mean, some of the sites stayed on there no matter how many times I clicked the red X, and others would just pop back up."

…

The case came to trial this month, and computer expert W. Herbert Horner testified for the defence that the images were the result of incessant pop-up ads served by spy ware on the classroom computer. The prosecution's expert, a local police officer, said time-stamped logs on the machine showing adult-themed images and Web pages accessed by the Web browser at the time she was in the classroom proved that someone had intentionally visited the sites by clicking on a link or typing the address into the browser address bar.

An explanation for this is that Web browser logs will keep records of sites accessed whether they were generated by internal pop-up serving software or clicked on by a user. Also, try not to dwell on the fact that the judge in the case barred Horner from presenting technical evidence to back up his claims. Horner on Monday published a summary of the facts he would have presented were he allowed to at trial.

I have no idea what the truth is there, but her defence certainly sounds credible and the judge's actions in disallowing exculpatory technical testimony means first that she'll be freed of this charge on appeal, and secondly that she's likely to win millions of dollars from the school district when she sues them for knowingly endangering her, and her students, through incompetent IT support.

On the surface what these three vignettes have in common is simply that use of Unix would have avoided the time and file losses, the self-delusion, and the porn pop-ups. Look deeper, however, and what you should see is IT people transfering the consequences of their delusions to third parties - people who pay the price, but aren't aware of the risks.

It doesn't have to be this way - that's the subtext in my story about the CIO exposing his University to significant risk by abdicating part of his job to google - he says he "can't conceive" of keeping up with technology to manage email for 65,000 students, even though he has a whole PC staff - 30 of them dedicated just to "security"- available to do it.

And yet: I've never lost a file on Unix, Sun's 40,000+ internal email accounts run with the part time attention of three or four people, and schools using Sun Rays with Solaris servers have 100% provable control over what pops, or doesn't pop, up on those screens.