In regards to that SQL DDoS story

[clutch 1]

I posted the following to their messageboard after reading that "wonderful" (*cough*, *cough*) article:

 

Quote:

Umm, I wish the person quoted would have actually installed SQL 2K server, as it DOES ask for an Admin password during installation. And, while you can leave the password blank, it gives a warning that it isn't such a hot idea. This sounds a lot like the Red Hat vulnerability from a while ago, where they had a default admin password left from installation that allowed hackers to access their systems. But boy, nobody remembers that, now do they?

 

Oh, and anybody would half a brain would at least have either the ports blocked in a firewall, or use some sort of authentication protocol (like IPSec) amongst the replicating servers and server/admin console systems. Duh.

 

If you are dumb enough to install a major application like that with a KNOWN issue as the sa/blank password account, AND leave the port open to it from the outside, then you deserve to get hacked. The wonderful world of w4rez is giving high-powered applications and operating systems to people that have had no training in such, and these systems wind up hosting a ton of bots due to poor administration. Oh yeah, and there are a bunch of PAID admins that screw things like this up too.

 

[clutch 1]

Yeah, I have been watching the GUIs in Linux try more and more to be like Windows, even though they don't care for the OS. Most of the exploits that you see in Windows haven't happened in the Linux world because:

 

A. MS is a much bigger target for the monkeys of the world, and

B. The exploits focus on features Linux servers don't have.

 

IIS buffer exploits have been focused on Index Server (for those that have used it properly, they know how much a$$ it kicks) and the web printing ISAPI filter (nice extension for monitoring printers online, especially via AD). MS puts a MAJOR amount of time into these extra features, but they become easy targets since they spent most of the overall project time in adding usable features, and not securing them and making sure admins that use them understand how to properly secure the server. It's getting better though, and I volunteer to test MS apps whenever possible. Currently, I am testing service packs for MS SQL Server 2000 and I am hoping to get IIS 6.0/.NET server pretty soon (just sent in my NDA on Wednesday) so I can play with all the new features, and see what needs to be done to harden them against attack.

 

I think I just get tired of these monkeys that find it easier to berate MS because so many other people do it, and yet they haven't actually TRIED to learn all the aspects of the software they are b1tching about. Case in point, the moron "expert" that was quoted about the lack of a password being allowed during setup. That a$$ should know what he is talking about BEFORE he blabs about it to an online publication. Plus, the editors didn't even bother to verify the statement, so they are just as stupid. These people should stop whining about the problem, and be a part of the solution instead. How many people have you seen whine about MS products, yet still use Windows, Office, and other MS products? Seems kind of stupid, doesn't it? The only person that I have ever seen complain about MS products that I have respect for is a friend of mine that got me into networking to begin with. He has moved from MS/Windows systems to Linux, and he is FULLY dedicated to the OS. He has made an effort to learn everything he could about MySQL, Apache, and other products that run on that OS. The main reason why I respect him, is that he actually KNEW what he was talking about when it came to most MS products, and he chose Linux due to its much more lax licensing and would use it as some of his client sites (he's a consultant now).

 

Most people that whine about "holes" in Outlook or IIS don't even realize what they were talking about. Case in point, there was this BRILLIANT piece of coding using CDO/ActiveX from MS, it was the Outlook Web Control object. You could write webpages that would actually show your current inbox, calendar, contacts, etc from Outlook (normally shown in "dashboards" for corporate Intranets) and allow the person to create, open, and delete emails and such from Outlook but through the webpage. Unfortunately, this led to issues where people would host the object and try to get email account info from an unsuspecting web surfer with low security settings and outdated web browser (old or unpatched). MS had to take the cab file offline because it was too hard to get people to simply update their web browsers and Office versions with simple patches. They eventually released a fix for machines that already had it installed, but I don't think they ever put the cab file back online (I still host it on my Intranet site for the Team Calendar app that MS released shortly after Office 2K came out). Now, you can't use these features anymore, and many people lose out. Same thing goes for Palm units connecting to Outlook 2K; people b1tched about how easy it was to "hack" into Outlook, and MS had enough of it. They released SP2 which locked it down HARD. Now, with SP2 (and Outlook XP), every time I sync I have to authorize the application to talk to Outlook and give it an amount of time that it can continue to do so. Also, in this same patch, it damn near kills most attachments that come through to prevent morons from opening VBS files and trashing their Exchange servers. So, do you hear "Thanks!" from the users? Hell no. They NOW whine that they can't "do" anything anymore in Outlook and that all of their attachments are hidden from them.

 

So yeah, I guess I have a beef with MS bashers at large. Oh well. Oh and sorry for the long post, I was just a bit pissed about the whole thing.

 

[Brian Frank 0]

Right with ya clutch!

It's really funny how, say, some of the linux crew, say how unstable Windows is. Well, yeah, if we're talking 9x and earlier, but not 2k/XP. 40% of the market? Please. Linux has a lot of work before it's not laughable as a desktop replacement. There are about as many different distributions (major) available, plus you get into debian and redhat distros to further complicate things. And do forget, if you are the 1337 h4><0r type, you can whip out yer own distro. Loki Games is sort of going down the toilet. It's rare to see people make drivers for Linux, and even rarer to see them supported in these cases. You still have to fool around with settings to get devices to work.

The next best alternative, by a distant second, is Apple's Mac OS X and the Darwin kernel for the x86 platform.

People are pissed that Gates is rich and Torvalds isnt. Torvalds is also part of Transmeta, the company we all hear about and never see anything. We'll see a resurgance of Steven Jobs and the Mac sooner than Torvalds and his Linux will take over the desktop.

Linux is like a chicken (or penguin) with it's head cut off.

[clutch 1]

If Jobs was smart (and he has been known to be), he would embrace Linux/BSD as a server OS to compliment the Apple systems he sells. That would be a good way to go for both companies, and it would allow them to unify against MS. Then, you could have a nice platform to sell a real desktop OS, and have a scalable server to back it up. In addition, you would make all server management utilities HTML-driven so any desktop could handle management of the servers and keep a somewhat similar environment in relation to the Mac OS. I mean, that's one thing I REALLY like about MS products; they behave and look the same from desktop to server, and across all of their apps. Linux can scale well and can be quite stable, but lacks usability for the average user and doesn't have that many applications. The Mac has quite a few apps for desktop usage, but no real server OS to power the backend natively and isn't known to be highly configurable by the user it's targeted for. Why should the two of them fight over the desktop? That's a complete waste of energy.

 

Of course, there would be the issue of "compatability" if Apple was to release applications for managing fleets of their systems. Even if they are talking to each other, there's no guarantee either side would be listening most of the time. Case in point, Novell and Netscape. When Novell 5 first came out, it came with the Netscape web server application. Now, here's the funny part. Even though Novell OBVIOUSLY talked to Netscape on occasion due to the bundling of the web server application, they NEVER seemed to talk about Navigator and Client 32 interaction on the desktops. There were many times where a simple update/upgrade of Navigator would break Novell's Client 32 on Win9x workstations, or the newer Client 32 would break something in Navigator. And the best part would be that Novell would just blame Netscape, but just happen to have a fix on their site for the issue (this also applied to McAfee, and they had compatibility issues as well from time to time).

 

But, working together is a better way for both of them to go. I mean, if it's cold outside the tent, huddling together would keep them BOTH warm...

[clutch 1]

 

Must be the meds...