Information Security News mailing list archives

Re: Regarding Article "Is Linux a net security risk?"


From: kw <tattooma () ADRIC GENOCIDE2600 COM>
Date: Thu, 8 Jun 2000 19:25:42 -0600

Hello David,

Before starting, I would like to note that I never sent any email to
anybody at idg.com.au.  I posted a message to a security mailing list, and
somebody on that list apparently replied to my message and CC'ed some of
the idg.com.au staff.

I will reply inline to your email, on a point by point basis, and will
then include my thoughts on the article at the end of this email, also
inline.

On Fri, 9 Jun 2000 David_Hutchins () idg com au wrote:

> Thank you for feed back on Helen's Linux article. I have noted your

Although I never sent "feed back" to you, I appreciate your amiability.

> concerns and will ensure that I raise them with Helen. It's currently not
> our policy to have authors' emails contained within the emails, merely
> because we post people's names as primary points of contact for the email
> service, we haven't published authors' emails, but will consider doing so.

> I can understand that occasionally articles which don't perhaps cover all
> the angles, may appear biased, but in reality nothing can be further from
> the truth... There is no deliberate attempt to cover any issue, vendor,
> product, or trend, with any bias. The reality is that our journalists do

This is not an issue of "bias".  The problem is that numerous statements
in the article are just plain completely wrong.  I'll address them on a
point-by-point basis at the end of this email.

> straight reporting. In this case it happened to be a report that said
> "XYZ". I am sure you can understand the challenges of getting the news and
> publishing the news, ie what has happened, has to be done within a very
> narrow window. Often there is simply not the time, nor the space, to talk
> to every person or source that may have an alternate view. Often the
> stories that are published are not going to accord with the view of every
> reader.

I hope you can come up with better excuses than those.  "Time" and "space"
constraints are no excuse for publishing B.S.  The issues that I have are
not with matters of opinion, they involve matters of fact, and the
glaring, reprehensible errors in your article.  Some of the sheeple might
actually believe things you print.  You have a responsibility to at least
try ... never mind.  I gave up on the media a long time ago, and I now
even find myself occasionally questioning the editorial motives of Rob
Malda.  There are only three decent IT journalists left in the world now:
Declan McCullagh, Bob Sullivan, and Laura Taylor.  The end must be near.

> In each case we do as much as we can as thoroughly and professionally as
> we can in the time given.

If you can't do it right, or at least almost right, then don't do it at
all.

> Perhaps you would like to forward your contact details, so in future our
> team might contact you or a colleague to present additional information so
> relevant stories are more comprehensive.

You've got my email address.

> Thank you for your feedback though, it's one of the best ways we have of
> improving what we do.

Yes, I agree.  You still have plenty of time to publish a corrected
article, or better yet, to just pull that article off the site completely.

> In future though I will not tolerate emails that contain abusive language,
> normally such emails are immediately trashed, without any further reading,

See my initial comments at the top - I never sent any email to you, and I
certainly would not send you abusive email.  I reserve my abuse for my
true friends.

> if the matter persists we look at taking it further by ensuring the sender
> receives none of our material. Your tone and the language you use can add
> or detract from your credibility.

Good point.  Thanks for the advice.

> David Hutchins
> Editor
> The Wire (Online News Service For IDG)


And now, a couple of comments on the original article ...

[Note:  Chris Brenton addressed many of the issues that I raise in an
email he sent subsequent to my first email]

http://www.idg.net/ic_186624_1794_9-10000.html

> Is Linux a net security risk?
> By Helen Han

> SYDNEY, 7 June, 2000 - A SANS Institute of America report has named
> Linux and Unix operated sites as more vulnerable to internet attacks
> than Windows and Mac powered sites.

No.  SANS neither said nor implied any such thing.

> Compiled by US industry, government, and academics, the June 1 paper,
> titled How to Eliminate the Ten Most Critical Internet Security Threats:
> The Experts' Consensus, names versions of Unix and Linux systems in nine
> out of a "top ten" list of security vulnerabilities for operating
> systems that engineers "need to eliminate".

Helen seems to be missing the point completely, looking to blame Linux and
UNIX operating systems when the real culprits are actually certain
applications, misconfigurations, poor security policies, and not
installing security patches in a timely fashion.

> Dean Stockwell, director of sales and support, Network Associates
> Asia-Pacific, dismissed SANS's report as "skewed".

He was not even one of the SANS Top 10 List signatories.  In fact, he's in
sales, so his opinion doesn't even count.  Why not ask one of the experts
who signed the document?  Their names were conveniently listed at the
bottom of the document.

> "Virus peddlers target the most popular system," said Stockwell. These
> happen to be Unix or Linux in the enterprise space, he believes.

Now, I *know* that this guy has no idea what he's saying when he states
that "virus peddlers" target UNIX and Linux in enterprise environments.
In the NAI/McAfee database of 50,000+ viruses, how many viruses are
listed for UNIX/Linux?  This statement was so absurd that I felt the need
to use "colorful language" in my original email.

> "Most hackers graduate from Unix and Linux platforms. They know them

Nope.  I bet you mean "crackers", not "hackers", and they usually learn on
Windows these days.

> intimately. They don't try to exploit them," Stockwell said.

"They" try to exploit anything that is exploitable.  Some of them even
direct their attacks at certain networks or platforms ... but I am
starting to generalize and stereotype, so let's move on.

> Fifteen per cent of Australian organisations use a Linux system
> somewhere in their network server infrastructure, according to Rolf
> Jester, regional director of market services, Gartner Asia-Pacific.

> Moreover, Stockwell suggested that local "up and coming" IT
> administrators are being trained in Unix or Linux platforms.

Maybe so, but 80-90% of the world is still Windows.

> Stockwell also observed an "anti-Microsoft camp growing in Australia.
> They're turning to more stable platforms," he said, declining to name
> alternative brands.

More irrelevant stuff.

> A spokesperson from Sydney IT consultancy startup Working Technology
> begged to differ. "Unix and Linux are the geek operating systems," the
> representative said. "Windows NT is supported by 90 to 100 per cent of
> developers worldwide."

Wrong again.

> So how does network security health rate in Australia?

> "Security is not a high enough priority for IT networks here," Stockwell
> said. "We're concerned about Y2K and GST problems. Security is priority
> two or three. It needs to be number one."

You're still worried about Y2K???  Maybe you should write an article about
why we all need to keep worrying about Y2K.  GST keeps me awake at
night too.

> Stockwell attributes the perceived negligence to corporate Australia's
> "lack of best practices" and increasingly "busy" IT departments.

True, true.

> "To apply a security patch to any software literally takes minutes," he
> said. "I've often had to do it myself."

"Internet Explorer" --> "Tools" --> "Windows Update" doesn't count as
"often having to do it yourself".  Code your own diffs while you wait for
the vendor to release more hotfixes that intentionally break third party
apps marketed by the vendor's competitors.  Don't bother even waiting for
Service Pack 7 either.

> His advice to ensure Australian businesses are safe from network attack
> via the net is to enforce a policy of mandatory systems testing,
> particularly for file servers and mail servers, and committing to
> regular upgrading.

> Industry ignorance of IT security threats is dire for the economy,
> Stockwell warned.

> He pointed to the fallout from the notorious I Love You virus as an
> expensive example of a country unprepared for a "simple" security attack
> "written by a student in a matter of days".

> The Love Bug cost Australian business an estimated $1.5 billion in
> down-time over four days.

No!  Not the random arbitrary dollar estimates for damages again!


David,

Thanks for taking the time to reply, and for reading my comments.

Regards,

kw

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
