So what happens to my well-isolated single-user systems that only I have access to? Am I going to get UNIX, Linux, and Windoze auto-updates that will slow these systems down, dramatically, even though there may be no compelling need for that in the context of well-isolated single user systems?
Posts by Ron Guilmette
4 publicly visible posts • joined 15 Oct 2010
Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign
Judge issues search warrant for anyone who Googled a victim's name
Cable box unlock block
Microsoft confirms Russian pill-pusher attack on its network

Don't look down, look out
There are so many comments here focused on the specific individual boxen involved in this event. Were they running Windoze or Linux? Was this really just an extraordinarily clever reverse psychology ploy by MS, trying to convince the world that Linux ain't safe? Was it probably next to impossible to track down the little bugger in a lab filled with a massive ugly tangle of wires? (Yes.)
But I just want to remind everyone that if you look downwards, with a microscope, looking for tiny details, all you are going to see is your shoes and a bunch of ugly worms. (No pun intended.) Everyone should instead raise their eyes, and look to the broader import of this story.
One or maybe two obscure machines got seriously futzed with. Yeah, so? Everybody wants to know: Who was the dumb ass engineer, or the dumb ass PHB, or the exceptionally clever marketing dept. person at Microsoft who plugged this box into the network without securing it? That's NOT what I want to know. I want to know: Where were the NETWORK security administrators? It really ain't that difficult to run Nmap, or even vastly more trivial tools, such as those I myself have written, and to find out in 15 minutes or less the IPs of all of the boxes on the whole of Microsoft's network that are responding to well-formed DNS packets sent to UDP port 53 and that SHOULDN'T be running any kind of DNS server. The same goes for TCP ports 22, 25, 80, 8080 and so on. This isn't rocket surgery. So where were the _network_ security dudes? Forget about the individual machines themselves. Think about the network, and _its_ overall security. Who was asleep at the switch who should have been watching THAT?
Furthermore, this whole thing is only news because it happened to be in Microsoft's IP space. That makes it at once funny, ironic, and tragic. But mostly it gives us a vivid illustration of yet another important point that can only be grasped by raising your eyes and looking at the Bigger Picture.
The fact that this was Microsoft is really troubling, _not_ because they make 90% of everything the Universe of electronics runs on these days, but rather because Microsoft, as a company, can't give anybody the excuse that ``Oh, well, our company just makes ball bearings and so we are technologically naive, and we actually didn't have the first clue about how to secure our network, even if we had spent any time thinking about doing that, which we haven't/didn't.'' No, Microsoft can't say that they are naive or ignorant, or that they don't know diddly pooh about software or networking. That is the _other_ thing that makes this story poignant, and after we all get done laughing at Microsoft over this, it is the only thing that people should keep on thinking about, tomorrow and the next day and the next day. Because if this can happen to a Microsoft, which _does_ itself make and ship both software and networking products, then the inference that should be drawn... once you stop laughing at the small details of this event... is that this little event is really only the tip of the iceberg with respect to the Internet as a whole. I mean seriously... Do we think that the ``network security'' smarty pantses at companies that actually _don't_ make & sell software and networking stuff for a living are doing any better at catching or stopping stuff like this? I mean you know, the network security smarty pantses at garden variety ball bearing or widget manufacturers at places like, you know, General Electric or General Motors or Samsung or Sanyo or The China National Railway, or Tata, or other places that don't even make ball bearings, like The University of Alberta, or the Department of Education, or Ticketron, or Starbucks or whatever. Do we have any realistic hope at all that there are competent, knowledgeable, hard-working network security dudes and/or ladies at any of THOSE places who are routinely scanning their networks for this kind of network-visible anomaly?
Don't bet your milk money on it! If Microsoft, which _does_ know something about software and networking, ain't finding and killing this kind of stuff on their own network, e.g. before some outside dude like me finds it, then you'd be dumb to believe that most, or even anything other than a tiny fraction of the other owners of big IP address blocks on the Internet are doing so either.
So virtually none of the holders of non-trivial IP address blocks on the Internet are even bothering to sweep their own networks (which can be done quite trivially) looking for this kind of ``That shouldn't be there'' stuff, either on a routine basis, or in most cases ever. And worse, even if some well-meaning white-hat like me comes along and does it for them... without spending months getting prior approval, in triplicate, signed off on by both legal and the CTO... then that act, unlike most others, *will* likely awaken the slumbering ``network security'' admins, who will thence immediately e-mail your provider _and_ the FBI and everybody else who will listen, to tell them all that you are really an evil hacker ``attacking'' them and that they will settle for nothing less than castration.
The bottom line is that with the exception of banks, the CEOs and other PHBs _everywhere else_ don't see spending money on securing the corporate network properly as a profit center, so they won't pay for it, and they won't even allow even the competent and caring local network admins to even try to do it as long as there are higher things on the priority list, like explaining to Sally down in accounting for the 87th time that no, the mouse DOES NOT plug in to the RJ11. (Important high-priority tasks like that are obviously what the PHBs want their network ``engineers'' spending all of their time on, and if they want to work on securing the network, that's fine, but they have to do that on their own time, after they punch out for the day.)
Everybody should read the article that was put up right here today at TheReg and that quotes Richard Clark as saying that the current state of Internet security is ludicrous. He points out that we could probably secure the whole damn thing for only a fraction of the development costs of the next X-Box. He's right, but only in the engineering sense. Problem is that securing the Internet is really only 10% engineering. It is 90% politics and convincing PHBs in their own fiefdoms that they should even give a damn. One can only hope that pointing to the example of the BP oil spill might make them see things clearly. It is dramatically cheaper to clean up the mess _before_ you have a big corporate PR disaster sticking to you like a mat of tar.
P.S. If anybody who has at least a /20 wants a free scan of any kind... and you can't manage to just install Nmap on your own... call me or e-mail me. I'll try to help.
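The routine self-sweep the post describes (send a well-formed DNS query to UDP/53 across your own address blocks, then flag every host that answers but is not a sanctioned resolver) as an added example, not code from the poster or from The Register. The sanctioned-resolver set and observed responder list are constructed sample data; in practice the responders would come from probe_dns() run over an organisation's own inventory.

```python
# Added example: inventory-driven audit for unexpected DNS responders on your own network.
import socket
import struct

def build_dns_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Standard DNS A query for `name`: id, flags=RD, one question, no other records."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_dns_response(packet: bytes, txn_id: int = 0x1234) -> bool:
    """True only if `packet` is a DNS reply to our query: matching id and QR bit set."""
    if len(packet) < 12:
        return False
    rid, flags = struct.unpack("!HH", packet[:4])
    return rid == txn_id and bool(flags & 0x8000)

def probe_dns(ip: str, timeout: float = 1.0, name: str = "example.com") -> bool:
    """Send one query to ip:53 on a host you administer; report whether a DNS server answered."""
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (ip, 53))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return False  # no answer (or unreachable) == not a DNS responder
    return is_dns_response(data)

def unexpected_responders(responders, sanctioned):
    """Hosts that answered DNS but are absent from the approved-resolver inventory."""
    return sorted(set(responders) - set(sanctioned))

# Constructed sample data (assumed, not from the post): the approved resolvers and
# the hosts that a sweep of the organisation's own /20 actually answered from.
SANCTIONED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}
OBSERVED_RESPONDERS = ["10.0.0.2", "10.0.5.17", "10.0.0.3", "10.0.9.200"]

if __name__ == "__main__":
    for host in unexpected_responders(OBSERVED_RESPONDERS, SANCTIONED_RESOLVERS):
        print(f"unsanctioned DNS responder: {host}")  # the "that shouldn't be there" list
```

The anomaly list is the thing to feed into a ticket: each entry is a host running a service nobody inventoried, which is exactly the class of box the post says went unnoticed.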