The Windows Conundrum and My Take on Blaster

Despite having the benefits of using a Mac (and being, therefore, largely immune to 99% of common infestations) and spending most of my time at a bash command prompt whatever the underlying OS is, I am sane enough to realize that I have to use Windows once in a while. The reasons are blatantly obvious:

  • Open Source software, by and large, sucks in usability and UI terms. And I'm talking bigtime, like fresh mint ice tea filtered through a lawnmower. There is the occasional architectural behemoth like Mozilla that manages to rise above the rest due to (or, in Mozilla's case before Firebird and Thunderbird came along, besides) its architectural underpinnings, but most Open Source software totters about in the fabled Bazaar while passers-by add feature after useless feature without making basic stuff like cut-and-paste work properly. I could rant on about how Linux is UNIX and the fact that it will only become a layman's OS if ordinary people don't need to open a single command-line to configure anything at all, but that's beside the point.
  • Seamless compatibility is a lie. No matter that Microsoft has now bundled Virtual PC with Mac OS X Office. It runs fine, but the décalage between the XP (not to mention the upcoming 2003) version and the 2000-like underpinnings of Office for the Mac mean fonts won't match, the occasional document has layout glitches, and you still can't manipulate Visio, Access and Outlook data directly (the latest Office update, which boasts Exchange support for Entourage, requires a server-side upgrade as well and relies almost solely on extended IMAP and WebDAV functionality).
  • There are always applications or data formats that won't run or can't be manipulated on a Mac, that the (several conflicting) Linux office suites won't open, and that force you, at the very least, to fire up Virtual PC (or a Terminal Services session to your tame XP box in the closet) to deal with them.

The Ugly Truth About My Past

That said, I actually like using Windows. I strongly prefer the Mac, but I've seen Windows evolve since I got my first "real" PC and started editing the college newspaper in PageMaker under version 286 (yeah, it was actually named after the CPU those days, even though it was version 2.11), and I know my way about it blindfolded (the way you have to deal with some Windows issues, you sure can feel the blindfold, but that's another story...).

Way back then, we had System 6.0 on the Mac. It had networking (the cheesy AppleTalk serial bus), it even had networked viruses. No, we didn't have Linux yet. We had VMS and some upstart Sun boxes around, and PCs were mostly running DOS.

How is this relevant to Blaster, you ask? Well, If I had known there and then that we'd need to download around 200MB of patches a year for a "normal" box (let alone what server admins have to go through), I'd probably have stuck to the Mac and bought a Sun workstation to make to while Steve Jobs got NeXT up and running.

Or I'd end up running WikiPedia:386BSD and become a full-fledged FreeBSD bigot (a fate I narrowly escaped, truth be told...)

Windows Downdate

With all the news going around concerning the Blaster nuisance (a new take on an old bug), I decided to join the rat race for Windows Update and patch my XP boxen.

Just in time, as it happened, to watch the site melt down for a quarter of an hour with 500 Internal Server Error messages. Oh well.

To while away the time, I've made a short list of the essential patches no self-respecting developer should be without these days (only the biggies, since these are what the baseline install should be these days). You can see it below (I might add to it later or move it about someplace else, since I like to make note of such things).

Why Blaster Was Inevitable

My take on the whole Windows vulnerabilities matter can be summarized in four bullet points:

  • Sure, Microsoft should never have let some of these bugs past QA testing. But a few (like the whole Exchange storage hotfix series) are notoriously difficult to track down and reproduce, and we have mostly to thank users (and "hackers") for pointing them out to Microsoft and ensuring they got fixed. So yes, they do share (some people would say a large) part of the blame, especially on client versions of their products. Server products are just too complex to forsee all the interactions and usually have a large legacy codebase (remember SQL Server and Sybase share the same roots, and that Exchange evolved from multiple distinct product lines).
  • Microsoft cannot (yet) automagically update every single misconfigured (and often mis-managed) box on the planet. I won't get into what they'd do if they could (because that particular topic keeps a lot of paranoid Linux zealots awake at night), but right now they can't, period. So the thousands of Windows variants out there (from Windows 95 onwards, including OEM variants and several likely permutations of patches) are an unmanageable mess.
  • People should be educated to understand that a computer is not a glorified typewriter - if you add network functionality to it, it becomes a Web surfing tool, sure, but also a remotely accessible typewriter. Buying anti-virus software (generally) won't help, although it may solve a lot of problems. But if you're on any sort of network, security updates are a must, and no matter how painless and trouble-free (or not) the process might be, it's still up to the user or administrator to do something to maintain their machine.
  • There are a lot of college students out there with nothing better to do than write expoits to inflate their precious little egos (which should be a concern in itself, since coursework should be their main occupation) and the morals of heavy-metal tour groupies (actually, I've known some pretty level-headed heavy metal groupies, far better human beings than the average 5cr1p7 k1ddi3, but stereotypes have their uses). Let's just use the term punks instead (ok, ok, I know some real Punks too, one of whom has a masters' degree in Applied Maths - you get my drift).

Why Some Server Administrators Should Be Flogged In a Public Square

Now, I won't reasonably expect a "regular" user to update his or her PC regularly (despite the not-so-subtle nudges from utterly annoying Windows Update baloons), but I definetly expect server administrators to know better.

Not only are they in charge of a whole organization's critical infrastructure, they are also responsible for doing something more than play Solitaire on the server console and flush printer queues. They have to implement minimal security measures, keep track of issued patches and service packs, read the odd CERT advisory, schedule some downtime, and patch their machines.

They have to be proactive and make sure things run smoothly not only now, but also for the forseeable future. Not just for their company, but at they very least for their own jobs (and some probably get away with doing - demonstrably - nothing due to their bosses' ignorance of what proper IT work is).

That's why I think Blaster is tolerable (and I'm honestly surprised it didn't happen earlier) but Slammer is not.

Conclusion and References

Sure, bash Microsoft for having a broken RPC listener. It's also broken on most other platforms, including the Mac OS X port (and probably the Linux one as well, but they'll get it fixed sooner).

But don't forget to report your systems administrator if he (or she) hasn't installed, at the very least, the following patches:

But I hear you say "you can always switch to a different OS". Yeah, right. Try getting that past the people who sign the cheques.

See Also: