pl.net bigfac 29-1-2003

Posted on 29-1-2003

Big Face Big Egg
By John Schwartz, NYT, Jan 27, 2003

The frantic message came from the corporation's information technology
workers: "HELP NEEDED: If you have servers that are nonessential, please
shut down."

The computer system was under attack by a rogue program called SQL Slammer,
which affected servers running Microsoft software that had not been updated
with a patch — issued months ago — to fix the vulnerability. The worm
hindered the operations of hundreds of thousands of computers, slowed
Internet traffic and even disrupted thousands of A.T.M. terminals. But this
wasn't happening at just any company. It was occurring at Microsoft itself.
Some internal servers were affected, and service to users of the Microsoft
Network was significantly slowed.

The disruption was particularly embarrassing for Microsoft, which has been
preaching the gospel of secure computing. On Jan. 23, the company's
chairman, Bill Gates, sent a memo to customers describing progress in
improving its products since he announced a "trustworthy computing"
initiative a year ago. "While we've accomplished a lot in the past year,
there is still more to do," he wrote. He cited the hundreds of millions
spent to shore up Microsoft's products, and its plans to deliver more
secure products in the future. He also listed "things customers can do to
help." The first item was "stay up to date on patches."

The paradox was not lost on computer security experts. "Microsoft has been
blaming the users, saying they have to keep their patches up to date," said
Bruce Schneier, founder and chief technical officer of Counterpane Internet
Security Inc., a company that manages security for customers. "On the other
hand, their own actions demonstrate how unrealistic that position is."

A spokesman for Microsoft, Rick Miller, confirmed that a number of the
company's machines had gone unpatched, and that Microsoft Network services,
like many others on the Internet, experienced a significant slowdown. "We,
like the rest of the industry, struggle to get 100 percent compliance with
our patch management," he said. "We recognize — now more than ever — that
this is something we need to work on. And, like the rest of the industry,
we're working to fix it."