|Main||Elsewhere||Tech Tip||The Week in CrossNodes|
Last week we noted a mystery worm that was winding its way around the Web. Over the course of 24 hours, we came across reports about it that were, by turns, clueless and mystified before consensus finally gelled about just how it was people could "get infected by just visiting a site."
It turns out it's pretty easy to pull that off if you can manage to pop open an exploit in the Web server doling up the pages and insert some malicious code in those pages that promptly lays Internet Explorer open like a fish. And that's exactly what was happening: An IIS exploit coupled with an Explorer vulnerability was allowing malicious blackhats the opportunity to install keystroke loggers that harvested credit card information and send it off to their own servers.
In the chaos of coming to grips with the exploit, no one could even agree on the exact vector of attack. A he-said/she-said has ensued since, with Microsoft happy to blame the numerous victims with claims that the exploits in question have been patched for the past nine months, while the admins of the sites affected swear they've been running the latest patches and updates and still suffering from the attack.
Up until now, we've followed an orthodoxy about Web browsers that had less to do with personal preferences (we haven't been willing to use Internet Explorer from day to day for some time now) and more about our perception of the average corporate user and the state of IE's competition. Our attitude has largely been exactly what Microsoft wants people to believe: Technology is hard, people shouldn't have to switch, IE enjoys a massive lead in its installed base and hence the number of sites engineered to work only with IE, change is too much to ask or expect, Microsoft knows there's a problem and is working on it.
Internet Explorer's main danger comes, as tragic flaws often do, from really good intentions. The Microsoft vision has always been to make things "just work." But we've spent time over the last several weeks talking about old visions for technology from more trusting times, and how it's time to overhaul them: think SMTP, which still believes mail is coming from where it says it's coming from with very little convincing. Or any of a variety of protocols we've had to shoehorn into SSL wrappers to protect them from eavesdroppers. Or a basic NFS configuration that takes a remote workstation's word that it really is the sole possessor of a given IP and user ID.
Microsoft's problem is built around similar assumptions about human nature, modulated through a crass and perhaps unintended contempt for the people using its software, which is that they'll collapse into unproductive puddles of listless clicking at mysterious glyphs and symbols if the operating system they use is anything less than puppy-like in its desire to please them and do what they want. So the company has built in levels of automation in its products that are towering edifices of both cleverness and peril.
Our complacency about this state of affairs ended this week, though, when we read that, as far as one department of the US government is concerned, Internet Explorer is a menace. US-CERT, part of a partnership between the Department of Homeland Security and the private sector, says Internet Explorer is too dangerous to continue to use citing IE's zone security model, Microsoft's DHTML implementation, and Microsoft's own ActiveX technology, which provides hooks into the operating system at large.
We were nudged along by friends and colleagues (three in one day) who found themselves wondering why they hadn't considered the alternatives to Internet Explorer before: Opera, and Mozilla, for instance. So when asked, we pointed folks to the Mozilla Project's Firefox, a capable, full-featured browser that doesn't suffer from IE's security flaws:
- It doesn't employ VBScript or ActiveX -- two of IE's worst liabilities
- It doesn't have hooks into the operating system at large -- it runs in a relative sandbox
- It blocks popups and can supress attempts to hide parts of the browser windows, often used to obfuscate Web site information during a phishing scam
It has a few more benefits all its own:
- It's relatively compact: It's a small download and it doesn't take a lot of memory either in terms of RAM when running or hard drive space to store it.
- It's fast. Users who primarily work in a browser say running Firefox is often like getting a new computer.
- It's slavishly standards-compliant. Web pages have a good chance of presenting as they're coded.
- It's easily extensible. Hundreds of add-ons (called "extensions") are available that allow anything from editing CSS in place (great for Web designers) to controlling the cookies your computer accepts with ease.
- It has a feature called "tabbed browsing," which allows you to open multiple Web pages in a single window and get at them by clicking on their tabs, which run across the top of the page. For folks with three button mouses, opening a link in a new tab is as easy as middle-clicking.
So why aren't people all over this? Why isn't Firefox the choice of 95% of Web users, instead of IE?
That's part of the inertia we've been accepting as a given over the past few years:
- Many sites are designed with the scripting capabilities of IE in mind, meaning they break if viewed with another browser -- that means a lot of corporate intranet portals, for instance, which are designed by in-house teams who have been assured of a standard browser across employee workstations, won't work correctly
- Many sites won't "look right," because IE's implementation of Cascading Style Sheets (a key part of Web design in the past few years) is different from Firefox's.
- Firefox and IE don't look quite the same: There are different buttons in different places, and configuring them involves different menus
- Firefox (and Mozilla before it) don't come standard on many Windows systems, if any at all, meaning you'd need to know about them to get them. They aren't just sitting down there in the quicklaunch bar or on the main menu, they don't open when you click a Web link in an e-mail.
In fact, as much as we're recommending IT departments get themselves a copy of Firefox and begin evaluating how to use it in their organizations right now, we have to acknowledge that for some people the transition simply won't be complete for some time: There are too many legacy web pages people depend on from day to day that wre written to work only with Internet Explorer. A deplorable situation that underlies the need to stick to real standards instead of "market realities," but the hand we've dealt ourselves all the same.
That doesn't mean it's not time to start the process. Internet Explorer won't ever disappear from Windows, so it will always be available. It's just time to reduce its role where possible. If users need it for the company portal, then it's time to figure out ways to make it easy for them to open that portal in IE but go about their day-to-day browsing elsewhere.
The point isn't to somehow "punish" Microsoft, or to cave in to obnoxious orthodoxies about the company's general undesirability. The point is to secure our users (and ourselves) from potential avenues of attack. Internet Explorer is one of those avenues, we've known it for a while, and now we have an alternative to it. We owe it to the Internet community at large to take advantage.
Another take on the matter is available at internetnews.com, where senior editor Ryan Naraine points out that the Microsoft answer of "all will be fixed with XP SP2" isn't particularly useful to 70 percent of all business, which are still running Windows 2000 on their desktops.
» It was World Wide Developer's Conference week for Apple this week. Some items of interest to net admins: OS X Server 10.4 (Tiger) will include mobile home directories, and built in iChat and blogging server software based on the open source Jabber and Blojsom projects respectively.
There's also an NT Migration tool that Apple says "automatically extracts all of your user and group account information from an existing Windows Primary Domain Controller and moves it into Open Directory."
» In unrelated news, Apple also released new Rendezvous builds for Linux and Windows this week. (Make sure to check the week in Crossnodes, below, for more about Rendezvous and whether it belongs on your network.
» A vulnerability in Cisco's Collaboration Server could allow malicious users to upload files and gain administrative privileges. Patches are available.
» A controversial ruling from the U.S. Court of Appeals for the 1st Circuit in Boston upholds the right of e-mail providers to read and copy the inbound e-mail of their clients. It comes in the wake of a conviction for a businessman who did just that on the premise that he was violating the Wiretap Act.
» A common tactic in the spam war is to block mail in character sets besides Western European (like good old ISO-8859-1). That strategy goes hand in hand with the widespread assumption that China is a massive spam haven. While that's true (the country is responsible for about 6.6 percent of all spam sent), it turns out the biggest offender by far is the United States, which sends over 55 percent of the world's spam, thanks largely to zombie spam servers on home broadband connections. ISPs: Block port 25. Please.
Networks depend more and more on Dynamic Host Configuration Protocol (DHCP) to dole out IP addresses, subnet masks, default gateways, DNS, and WINS servers, among other critical networking services. In any sort of enterprise environment, it becomes nearly impossible to distribute IP addresses by hand, and DHCP is the perfect tool for the job.
Well, almost perfect. DHCP unfortunately has a rather major design flaw, and that is the ease with which a malicious (or hapless) user can hijack an entire subnet with a "rogue" DHCP server.
I honestly believe most major network catastrophes, especially in a corporate environment, happen by accident. But that does not mitigate the damage done when an engineer sets up a Linux server distribution with "everything" on by default and starts handing out 192.168.0.0 addresses.
When a DHCP-enabled client computer powers up on the network, or an already-powered system reaches half of its lease time, it will send out a DHCP Lease broadcast. Your router, generally with "helper addresses" configured, will translate the client broadcast into a unicast packet and route it directly to your DHCP server. The server responds to the router, and the router then re-broadcasts the remote DHCP server's lease offer back into the subnet.
The rogue DHCP server set up in the subnet however, is able to respond immediately (no delay from all of that broadcast/unicast translation and packet routing) to the client with an invalid IP address for that particular subnet. When the authentic broadcast comes back, the DHCP client turns a deaf ear. There is a good way to catch these rogue servers in your network once an upset user has contacted you. You'll know it is a rogue DHCP server issue because the output from a Windows ipconfig command will give an invalid IP. By running ipconfig /all from the command line, you can get the IP and MAC addresses of the offending DHCP server. You won't be able to use the server's IP address because it will be unreachable from the router. But, by doing a MAC lookup on the layer 2 switch (show cam [mac address] on most Cisco switches, for example), you will know the exact switch port the offending server lives on. Doing a quick port disable and having your customers run ipconfig /release followed by ipconfig /renew should get them up and running again.
Then you get to make a trip to the end of a network cable to see who owes you a free lunch.
Michael Burton is a Portland, OR employee of Intel, where he has worked in network management. Michael was the technical administrator for Intel's 20,000 node network at its Hillsboro, OR campus.
Perl's been called the 'Swiss Army chainsaw' of scripting languages, but in this installment of the Scripting Clinic you'll learn how to use it like a scalpel for your most demanding (and disorganized) files.
If you thought zeroconf would solve all your network configuration problems, you might want to hold on to your subnet calculator: The standard isn't soup, and configuration-free devices might make for a few too many chefs in your network kitchen.
Network News Break is CrossNodes' weekly summary of networking news and opinion, served up fresh. Please send your comments and suggestions to the editor.