Feedback

The following are some of the responses I've received from people about The Facts article. For those who are curious, I do get about 1 out of 10 that disagree with my conclusions, but so far none has been willing to debate the facts I've outlined. The following examples give a pretty good snapshot of how my mail runs. Enjoy!


Date: Tue, 18 May 1999 23:24:23 +0200 
From: THC CTheis@happycom.lu
X-Mailer: Mozilla 4.5 [en] (Win95; I) 
X-Accept-Language: en 
MIME-Version: 1.0 
To: vernAHTgranerDAUGHTnet 
Subject: I could not agree more 

Dear Vernon,
I read your "research document" THE FACTS, and actually found myself 
glad and convinced that there remain reasonable people on this planet 
earth.

As a CNE (that means Convinced Novell E.. to me) I have to fight every 
day against this NT-Mania (my bosses want to migrate to a 
business-critical application on NT 4.0 and on the fly they want to 
replace existing Netware SFTIII File and Print Server (a real beauty!!) 
by some NT Cluster solution).

I hope your document will shake them all over!

Thanks anyway 
Christian Theis


From: Mike Glynn mikeg@netpro.com
To: "'vernAHTgranerDAUGHTnet'" vernAHTgranerDAUGHTnet 
Subject: Thank you 
Date: Thu, 3 Jun 1999 14:46:57 -0700 

Vern,
Thank you for such an informative site. You have addressed many of the 
issues that either I deal with on a daily basis or am asked all the time. My 
company (NetPro) has products that monitor and alert on NDS, monitor and 
alert on Groupwise and also troubleshoot and optimize on NDS. Day in and day 
out I am faced with companies (and many school districts) who are trying to 
decide whether to stay with Novell or go to NT. In my opinion, the only 
reason they are even considering NT comes down to one word...Microsoft. I 
find that the people in the trenches all love Netware, but Microsoft has 
gotten to the upper level management and sold the "Microsoft hype." I think 
your site will help bring many issues to light.

Just so you don't think I am a total Big Red Fanatic, my company too will 
benefit from a raw product, Windows 2000. We have a solution that monitors, 
alerts and optimizes the directory for Windows 2000. Due to all the faults 
you pointed out, we expect to do a HUGE business playing in the NT world.
So, we push people to keep Novell simply because we believe it is in their 
best interest. Either way, my company wins. We sell product no matter which 
way they go. Since we are making money either way, we have no true alliances 
with either direction (ok, maybe slightly towards Novell since they invested 
2 mill into us). We just firmly believe that Novell is the smartest route.
Thank you again for all the information and insight this site gives.

Michael P. Glynn 

NETPRO )Sales 
Regional Account Manager 
Midwest Territory 
800.998.9010 
mikeg@netpro.com 
http://www.netpro.com/

"Tell a man that there are 400 billion stars and he'll believe 
you. Tell him a bench has wet paint and he has to touch it." 
- Steven Wright

From: "Henry P. Segalas" hsega@aidb.state.al.us
To: "'Vernon Graner'" vernAHTgranerDAUGHTnet
Subject: Webpage 
Date: Mon, 26 Apr 1999 14:42:22 -0500 
Organization: Alabama Industries for the Blind 

Vernon,
I was directed to your site by one of my vendors. I found it an 
interesting read and wish you luck in your efforts to stave off the NT 
madness which seems to have taken over the planet. I had a similar 
experience as you depict three years ago. I had a small LAN that was 
primarily anchored by a single Novell 3.12 server, and an NT 3.15 server 
that served as a window to the internet and ran our MS Mail service. Prior 
to my encountering NT, I had been a CNE for several years - my first Novell 
install was a 2.11 network. 

I was pretty comfortable with Novell and felt it would last forever, 
but I was proven wrong. I somewhat blame Novell for their predicament. 
Some years ago I then went to a networking conference hosted by BNUG 
(Boston Novell Users Group) and listened to Mr. Burton, (a former Novell 
exec), outline what he felt would be Novell's demise. He threw up a slide 
that depicted the very state of affairs we have now. This speech was given 
by him a full year before NT was released. The writing was on the wall for 
Novell, and they let it happen. Of course, the media blitz that Microsoft 
could afford, took a lot of people away. And we're still flowing down the 
river without a paddle.

In my case, I lost my fight to retain a network anchored in Novell. 
What would have required two, possibly three Novell servers quickly grew 
to a 9 NT server network. The cost of this was astronomical, but once 
committed, money kept stubbornly being spent to reach the objective. Once 
you step down that path, there is no end... Just promises of the next 
service pack or upgrade. And when it gets there, instead of the pain going 
away, you have to relearn everything all over again. I changed jobs and 
now I am totally surrounded by NT, and I whine like mad about it. I miss 
the days when a network was stable and your server could be trusted. And 
all of my vendors know how I feel.... 'Cus they feel the pain too!
Great site. Did I say that? Good luck Vernon.

Henry P. Segalas 

Manager, Information Systems 
Alabama Industries for the Blind 
PH: 800-348-4242 / (256) 761-3502 
Fax: (256) 761-3505 
hsega@aidb.state.al.us
A CNE since January 1990

And of course, an example of those that disagree....

From: "Jarrod Scott" jarrod_scott@dragonbbs.com
To: vernAHTgranerDAUGHTnet
Subject: Netware vs. NT
Date: Sat, 24 Apr 1999 05:24:45 -0400
X-Mailer: Microsoft Outlook Express 4.72.3155.0
X-Mimeole: Produced By Microsoft MimeOLE V4.72.3155.0

Vern, 
I don't think you have researched your subject thoroughly enough. Any of those
so called security loopholes that you have mentioned in NT can also be
exploited in Netware. I personally know of a utility that will provide a
regular user with supervisor rights using NDS. I know of several utilities
that will provide admin rights to just about anybody on the network and coming
in from the internet (providing no firewall software). I will be the first to
admit that the ideal world is an environment with NT and Netware running on
the same network. But I think that you have overstated the facts.

Sincerely,
Jarrod Scott, MCSE, MCP+I


And my response:

Jarrod

Thank you for taking the time to make your opinions known. I would like to respond to your mail topic by topic.

At 05:24 AM 4/24/99 -0400, you wrote:

Vern,

I don't think you have researched your subject thoroughly enough.

I used both NT Server and Novell NDS platforms in a High School environment on 2 campuses for 2 years (4 net years?). In this environment, despite our applying every service pack and hotfix to our NT server, the students regularly exploited the progression of security holes I pointed out in my article. I have spent 2 years researching, verifying, updating and refining the article you refer to. I would like to know what would meet your criteria of "thoroughly enough"?

Any of those so called security loopholes that you have mentioned in NT can also be exploited in Netware.

This statement is patently false. For starters, Novell doesn't use SMB for password traffic, so it is not subject to the L0PHTcrack utility. OGRE exploits SMB as well and subsequently does not function against Novell NDS. The other security holes I mention also exploit vulnerabilities in NT that are not available under Novell due to wholesale architectural differences in the platforms. I will admit that certain kinds of attacks will function against both Novell and NT in certain circumstances (i.e. OOB or DoS), but in both these cases, Novell would have to be intentionally misconfigured to fall prey to these, as the default settings defend against this style of attack. Also, if you were using the Novell native IPX as the *only* protocol, even these attacks fail as they rely on TCP/IP to work.

I personally know of a utility that will provide a regular user with supervisor rights using NDS.

Most of the utilities that function as you describe require access to the Novell Console. As Novell doesn't require console access for general administrative functions, there is far less chance of these exploits working. I also notice you don't give the name or source for the utility you mention, subsequently making it impossible for an interested party to verify your claim.

I know of several utilities that will provide admin rights to just about anybody on the network and coming in from the internet (providing no firewall software).

Again you do not give specifics on programs, sources or procedures. Without references to back up your statement, I cannot concede your point. Playing Devil's Advocate however, I can point out that the behavior your statement refers to can be found in a set of utilities from Simple Nomad called Pandora's box http://www.nmrc.org/pandora/ . The hack tools and procedures available there are defeated by 2 simple expedients. (1) Secure the Novell Console from physical and remote access (2) Set NCP packet signature option = 3.

By NOT setting up RCONSOLE (the utility that allows remote access to the console) and by placing the server in a locked room, you deny hackers the ability to use console based hacks. All the password crack tools fail without this access. By signing each packet, the packet signature option defeats any of the packet "spoofing" that would allow impersonation of the administrator. In practice, the only change that must be made to the Novell server is the single line that raises the signature level to 3. Type this line once in the startup.ncf script, then lock the door to the server room and you're secure. A far cry from the pack after pack of patches you must download, unpack and install to attempt to make NT secure. And in the end my experience has shown that NT is STILL not secure.

This is not an opinion simply based on reading articles from pundits or listening to peers, this is first hand experience with 2 High School campuses full of ingenious little hackers that delight in bringing the network down. When we had NT, the network went down repeatedly. With Novell it hasn't gone down once.

I will be the first to admit that the ideal world is an environment with NT and Netware running on the same network.

Actually, in the ideal system, NT would be stable and hack free in its own right. We have to compromise and use NT servers managed by NDS for NT. This allows NT with its vast array of sought after capability (Back Office, IIS etc) to be made available without subjecting either the NT box or the Network to security flaws gleefully exploited by our sub-adult hackers.

But I think that you have overstated the facts.

I take issue with this concluding statement as the sources I present are simply used to underscore my opinion that NT is poorly suited to our particular environment. It might be possible to overuse facts or to misquote them, but in the practice of providing evidence to reinforce a conclusion, I don't think it is possible to "overstate" them. I can only assume that you imply exaggeration or alteration of the original source (facts) themselves. Since I have provided comprehensive footnotes allowing the reader to examine my sources, I don't see how this would be possible. I think it is paramount that any conclusions I draw be borne out by the supporting material. The sources I present are there so the reader may review the evidence that brought *me* to *my* conclusions. As these references are linked to the original source, how would it be possible for me to alter them?

When you provide facts to support your rebuttal, I will be happy to look at them and maybe become enriched by the experience. I enjoy debating issues if the participants are earnestly endeavoring to enlighten the person holding a contrary position. A *good* debate enriches both parties. A *flame war* is an exercise in passionate emotions and is of little value apart from dubious entertainment. I will gladly welcome the former and ignore the latter.

I am not yet MCSE although I have taken a number of the courses and expect I will have the certification (to join my MCP, my Novell CNA and my Novell CNE certs) soon. If, through your MCSE experience, you have reason to take issue with the accuracy of any of the points I have made, I would enjoy discussing your point of view. But please, make sure you provide me with Facts :)

Sincerely,

Vern Graner


Jarrod did not respond.
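
The two expedients named in the reply above (NCP packet signature option raised to 3, RCONSOLE not set up), as an added example that is not part of the original correspondence: a Python check over the text of a server's NCF script. The sample files are constructed, and the NCF comment markers and the REMOTE/RSPX module names (the server-side loaders RCONSOLE connects to) are assumptions not stated on the page.

```python
import re

# Assumed NCF conventions: one console command per line, case-insensitive,
# with '#', ';' or 'REM' at the start of a line marking a comment.
COMMENT = re.compile(r"^\s*(#|;|REM\b)", re.I)
SIGNATURE = re.compile(
    r"^\s*SET\s+NCP\s+PACKET\s+SIGNATURE\s+OPTION\s*=\s*(\d+)\s*$", re.I)
# Assumption: RCONSOLE is enabled by loading REMOTE and RSPX on the server.
REMOTE_LOAD = re.compile(r"^\s*(?:LOAD\s+)?(REMOTE|RSPX)(?:\.NLM)?(?:\s|$)", re.I)


def audit_ncf(text):
    """Return a list of findings for the contents of one NCF file."""
    findings = []
    level = None
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or COMMENT.match(line):
            continue  # blank or commented-out lines have no effect
        match = SIGNATURE.match(line)
        if match:
            level = int(match.group(1))  # a later SET overrides an earlier one
            continue
        match = REMOTE_LOAD.match(line)
        if match:
            findings.append(
                f"line {number}: loads {match.group(1).upper()} (remote console enabled)")
    if level is None:
        findings.append("NCP packet signature option not set (server default applies)")
    elif level < 3:
        findings.append(f"NCP packet signature option is {level}, expected 3")
    return findings


# Constructed sample: signing left optional and remote console loaded.
WEAK = """# constructed sample
SET NCP PACKET SIGNATURE OPTION = 1
LOAD REMOTE secret
LOAD RSPX
"""

# Constructed sample: signing required, remote console load commented out.
HARDENED = """; constructed sample
REM LOAD REMOTE secret
set ncp packet signature option = 3
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_ncf(text) or "no findings")
```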