Media Gone Mad
Why last week's big Windows security hole is nothing more than technology press hot air.
By Tim Mullen, Feb 24, 2003
"Windows XP Kills Dog, Steals Toaster"
That's the next headline I'm expecting to read after wallowing through a week of technology press misreporting about the latest security issue in Windows XP -- an "issue" that's really nothing of the sort.
At the center of this shameful tempest in a teapot is the Windows Recovery Console (RC), which by design allows you to boot up a damaged system and access supported file systems like FAT and NTFS.
The perceived issue, which started its life on Brian Livingston's Web log and spun out of control from there, comes from the fact that if you boot the Win2k Recovery Console on a machine loaded with XP, it dumps you out to a command prompt without asking you for the XP administrator password.
News flash: this is expected, and desirable, behavior. The Win2k RC can't read the XP registry, so it thinks it is a corrupted Win2k installation. When it can't verify the SAM, it bails out to the console. Administrators want this behavior. If you have an installation on which some third-party driver has hosed the registry, the Recovery Console will allow you to attempt to fix it. That's what "Recovery Console" means.
Despite what the media is saying, booting to the Win2k RC does not allow one to "administer" the XP installation as the local administrator. In fact, you don't get to administer it at all. You can't list services, because it can't read the registry. You can't enable or disable services, because it can't read the registry. You can't really do anything, except copy files around -- that is, as long as they are not encrypted with EFS or something else. This is the exact behavior anyone who administers a Windows installation would expect, and the same functionality one would get by booting any other alternate operating system.
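The practical takeaway from the paragraph above is that, once someone can boot an alternate console on the box, the only files they cannot simply copy off are the ones EFS protects. The following PowerShell audit is an added example written for this page, not code from the column or from Microsoft: it walks a directory and reports which files lack the EFS Encrypted attribute. The default folder path is an assumption; point it at whatever data you consider sensitive.

```powershell
# Added example (not from the original column): inventory the EFS status of
# files under a directory. Files without the Encrypted attribute are readable
# by any offline tool (a recovery console, a boot floppy) that can mount the
# volume, so this list is what physical access alone would expose.
param(
    [string]$Root = "$env:USERPROFILE\Documents"   # assumed path; change as needed
)

function Get-EfsStatus {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # NTFS sets the Encrypted attribute only when EFS protects the file.
            $isEncrypted = ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
            [PSCustomObject]@{
                Path      = $_.FullName
                Encrypted = $isEncrypted
            }
        }
}

$status = @(Get-EfsStatus -Path $Root)
$plain  = @($status | Where-Object { -not $_.Encrypted })

"{0} files scanned under {1}; {2} have no EFS protection" -f $status.Count, $Root, $plain.Count
# Show the first few unprotected files so the report stays readable on a large tree.
$plain | Select-Object -First 20 | Format-Table -AutoSize
```

Run it as the user who owns the data; EFS status is a file attribute, so no administrator rights are needed to read it.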
This has nothing to do with Win2k or XP. It has to do with not allowing untrusted users physical access to your assets. This is a basic security postulate, like death and taxes.
Yet the media went out of its way to make this another Microsoft "exploit." Wired reported that security experts call this a "genuine threat." I'll tell you this -- if a "security expert" tells you that this is a Microsoft vulnerability, they're not a security expert. I mean, if I wanted to hork data off of a system I had full physical access to, I'd just grab the drive, stick it in my pocket, and walk out whistling "Jimmy Crack Corn and I Don't Care."
Give Bill a Break
I certainly wouldn't sit there looking stupid while the Win2k Recovery Console took its five minutes to boot to a console so I could copy files, one by one, to a floppy disk (assuming I knew the "SET" command that allowed me to do so in the first place). Or even better, I'd just whip out my Linux boot floppy, change the administrator password and go nuts.
What I find amazing is the fact that with every article that covers this non-issue, the story gets better and better.
WinInformant headlined with "Windows XP Wide Open." Hyperbole. They further reported that you could administer the XP installation without a password, and perform other actions with full administrator privilege. Poppycock. Geek.com went so far as to say that the anonymous user (whatever that means in this case) is logged in with the XP administrator account. What bovine feces! Whatever happened to journalistic integrity? Whatever happened to research? It's like these people are making it up as they go along just to reel in the hits.
This kind of thing damages overall security. It clouds the issue, and rains on the wrong parade. The media should give its readers all the information -- not slant it in an effort to make Microsoft look like the bad guy every time.
Instead of wasting space on functions that are not even vulnerabilities, they should be covering issues like Oracle's "unbreakable" applications having yet another series of remote buffer overflows that took six months to fix. They should be covering the fact that in order to get the patches for Oracle, you have to pay for them under a service contract. If Microsoft tried something like that, angry mobs of protesters would pull Bill Gates from his own home like a group of crazed Colombian soccer fans and bind him to a whipping post.
It is unfortunate that the people in a position to educate the masses to computer security do not even bother to educate themselves. When banner ad revenue for a media outlet becomes more important than accuracy, it's time to find a new profession.
Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software.