As a clueful systems administrator, part of my job is to
keep the 3v1l hax0rs out of my network. In fact, that's the
reason why I got this job in the first place -- everyone
knows computer security is dead sexy. The chicks fall all
over you.
At present, I'm in an end-to-end Microsoft environment at a Really Big Computer
Corporation(tm). So while part of me just laughs at each new Microsoft Security
Update (in big, self-righteous HAR HAR HARs), another part (the part that gets
paid), shudders in dread with every release. So, the reports of Soviet barbarians at
the gates caused some initial distress for me, personally.
Of course, after a cursory read, I learned that these ex-Commies were using
old, known, and easily patched exploits. I rested easy, trusting in my current
(and recently audited) MS band-aids.
But, just for kicks, I downloaded Patchwork, a "program that
would determine instantly whether a Windows NT system is vulnerable to the
attack," distributed by the auspiciously-named Center for Internet
Security(SM). My partner, "Miggidy" Mike D, ran this much-lauded and highly
anticipated utility on a test box.
Thank our lucky stars, Patchwork "confirms that this system contains the
patches, updates, and security configurations this 'Patchwork' program was
designed to verify." Though the emphasis is mine, the message is in a big,
reassuring, green font. Furthermore, if that's not misleading enough, it also
proudly states, "IIS is updated and SAFE for Internet use." (Emphasis
theirs, this time.)
I'll concede that SANS, CIS, and Gibson Research pepper their README's with
excuses and caveats about how no system is truly secure, the program is
designed to audit for a limited set of vulnerabilities, blah blah blah. Yet, in
the very title bar, it calls itself the "Windows Anti-Intrusion Patch Check &
Scan." Oh, and the author crows it "was hand crafted -- byte by byte -- in 100%
pure 32-bit Intel assembly language." A little hyperbole? In a MS "security"
application? Perish the thought!
Let's face it: Companies which run NT as their enterprise are easy to fool.
After all, they're using Windows. Programs like this -- endorsed by the FBI, by
the way -- are not helping ensure America's security against an onslaught Cold
War dropouts. Not one bit.
In fact, I envision a plague of panicky meetings with security administrators,
wasting thousands of man-hours arguing for or against this dopey application,
resulting in huge losses of productivity in an already depressed tech sector.
