Tuesday, 06 November 2007

People just don't think, research or plug in their brains a lot of the time before speaking typing.

Such was the case the other day over at Kim Cameron's Identity Weblog, which was defaced recently via a  vulnerability in the blog application software used to drive the site. Kim is a Microsoft employee and is their Identity Architect. So, he's in a public-facing security role at the company.

As Kim points out, people came out of the woodwork in the comments on a very brief ZDNet article to slam Microsoft, it's applications, the fact that the site was hacked, etc. What they did not realize, even after it was pointed out to them a few times by others, is that the site runs on a BAMP architecture (similar to LAMP, but in this case it's BSD Unix, Apache, mySQL and PHP).

Kim's site runs 100% on non-Microsoft products. The vitriolic commenters on the ZDNet site slammed Microsoft technologies where none exist, and exuded the virtues of using - for example - Linux, Apache, mySQL and PHP -- the very platform that they did not take the time to discover (or even ask) had just been victimized.

You know what they say about assuming things? Yeah.

Security threats are real and exist on all platforms equally, not just IIS and Windows, not just in Windows applications. Bad programmers are bad programmers, and even when well-programmed, new threats arise all the time and need to be remediated once known. There's nothing about that fact that's Microsoft-specific, and to assume such is irresponsible.

I like and respect Kim, and the work he has done is excellent. His evangelism of the need for better forms of identification, authentication and credentialing has been invaluable, and his emphasis on the broad-spectrum community, not just Microsoft, is the right way to address the issues that cross all platforms and application types.

I have seen this non-thinking, just-fire-off-at-the-mouth, *nix-fixes-everything mentality backfire on people before, to great cost. Any system administrator who thinks running anything other than Windows solves their security problems or obviates the need to test, patch, review and maintain has his or her head stuck so far in the sand we have to strain to see their backside. Thinking and reasoning is what makes people special and unique. Take the time to know the facts, understand the circumstances, and reason based in reality.

Facts: Problems exist everywhere - Windows, Linux, OSX, PHP, ASP.NET, you name it. More often than being caused by an underlying platform issue, most security vulnerabilities and exploits are the result of programming errors, a lack of defensive programming style, and poor test coverage. I've managed enough software development with a specific focus on security of the applications to know you can create a completely locked down platform on any of the options available, whether Linux or Windows or other. But if you don't have a solid application, you're screwed. It's a lot like buying a great alarm system with laser detectors in the ceiling, trip wires on the roof, foot-think ceilings of concrete to prevent break-through, glass break sensors on explosive- and projectile-proof glass ... and leaving the front door standing open.

Kudos to Kim for keeping his cool personality in the face of all this and, as always, providing a measured and reasoned response. As he says, "There’s a lot of ideology to get past in teaching people about security." So true.



Add/Read: Comments [3]
IT Security | Tech
Tuesday, 06 November 2007 10:17:40 (Pacific Standard Time, UTC-08:00)
#  Trackback

Referred by:
http://www.google.com/search [Referral]
http://www.bootcleats.com/adidas-f50-adizero-fg-c-58.html [Referral]
http://www.nikeoutletcleats.com/nike-mercurial-indoor-shoes-... [Referral]
http://www.nikeoutletcleats.com/ [Referral]
http://www.bootcleats.com/adidas-predator-soccer-shoes-c-83.... [Referral]
http://www.nikeoutletcleats.com/nike-mercurial-vapor-superfl... [Referral]
http://www.bootcleats.com/adidas-f50-indoor-shoes-c-75.html [Referral]
http://www.nikeoutletcleats.com/nike-tiempo-legend-iv-c-168.... [Referral]
http://www.bootcleats.com/ [Referral]
http://www.bootcleats.com/mercurial-superfly-iii-safari-c-19... [Referral]
http://www.bootcleats.com/nike-mercurial-indoor-shoes-c-52.h... [Referral]
http://www.361soccer.com/nike-5-elastico-pro-c-91.html [Referral]
http://www.directsoccerpro.com/adidas-predator-soccer-shoes-... [Referral]
http://www.361soccer.com/adidas-f50-adizero-fg-c-58.html [Referral]
http://www.361soccer.com/ [Referral]
http://www.directsoccerpro.com/nike-tiempo-legend-iv-c-211.h... [Referral]
http://www.361soccer.com/nike-mercurial-indoor-shoes-c-52.ht... [Referral]
http://www.361soccer.com/nike-ctr360-maestri-boots-c-62.html [Referral]
http://www.directsoccerpro.com/nike-ctr360-maestri-boots-c-6... [Referral]
http://www.directsoccerpro.com/adidas-f50-indoor-shoes-c-75.... [Referral]
http://www.361soccer.com/nike-tiempo-legend-iv-c-209.html [Referral]

More...
Tuesday, 06 November 2007 11:03:13 (Pacific Standard Time, UTC-08:00)
What are you talking about? BAMP is secure and impervious to attacks. The insecurity must be due to the fact that a Microsoft employee configured it. Just a joke... Heh. You know it's coming (if it already hasn't somewhere else).

Good post. When are you coming out of retirement you bum? :)
Tuesday, 06 November 2007 11:08:32 (Pacific Standard Time, UTC-08:00)
Coming out of retirement? What?!?!? Heh, just kidding. Not sure, but it will happen. Almost certainly not before January though. :)
Tuesday, 06 November 2007 12:10:47 (Pacific Standard Time, UTC-08:00)
Hey Now Greg,
Nice post, Kim's site is the first time I every used Cardspace for real on the net.
RunAs Fan,
Catto
Comments are closed.