Re: Was RE: disinfection tool -- now a minor rant.

[H C <keydet89 () yahoo com>]

> Mr. Ng speaks of "ignorant Sysadmins" and wanting to
> "get the idiots
> to listen."

> From the beginning, I thought this was the whole point
of the Code Red worm.  Given how "noisy" the worm is,
and given that CRv1 and 2 weren't all that destructive
(CRII seems to be an escalation...sort of, "I already
told what I could do...now I'm going to do it."), it
seems that CR is someone's idea for forcing admins to
install the patch.  After all, the vector leads to a
system-level compromise.  Look at it like a
vaccine...give the patient a small dose of the largely
inert 'virus' so that the system develops an immunity.
 
 
> A lot of people, me included, can't understand why
> professional
> admins don't update their systems.

Nor do I understand.

> ...and they don't understand why the
> "bad guys" want to
> get into their systems.
>
> What needs to be done is for people like us to
> educate those business
> owners.  

After years of hearing this, I would love to hear a
viable way of doing this.  I've heard a variety of
techniques for educating business owners on risk, from
showing how it would impact their business, to making
it a business issue, to showing how a lack of security
can impact the bottom line.  I'm to the point of
believing that the business owners already know...they
just like the idea of someone kissing their arses and
begging for money.

Amongst security-sensitive folks like us, if a
vulnerability can be found to easily lead to a root
compromise, it'll be fixed and patched most rikky-tik.
 In the real world, unless their is actually a working
exploit that is currently being used by the kiddies,
the business types generally don't listen.  

> Contact your local paper or radio station
> and talk to the
> news director.  Do an interview, be an expert.

There have to be trade-offs with this.  After all,
there are already 'experts' talking to the media,
which in turn generates FUD.  Say the wrong thing
and/or get quoted out of context, and you risk ending
up on a site like Attrition in a less-than-favorable
light.  The problem with the media is that if you're
not sensational enough, you don't get interviewed. 
That's why JP of AntiOnline got more press with
regards to "profiling" than the folks who do it
professionally.
 
> Create a "hit squad"
> of local sysadmins and offer to take phone calls
> from business
> owners.  Create a Code RED fix on CD (maybe include
> SP6 and all post
> SP6 fixes including the IIS fixes on CD with an
> automated QChain
> script)

Perhaps this is where Mr. Ng's complaint comes
from...the very fact that one group has to take the
time to rescue another group from themselves, when we
all have access to the same resources.  So someone
invests a significant amount of intellectual property
to make someone else's job easier...for what?
 
> But, quit complaining about "stupid, ignorant
> sysadmins" and the
> "idiots" and do something to help the situation.

Well, I think the reason Bruce Schneier recently
decided to start pushing monitoring over preparation
(and this is speculation on my part) is b/c he got
tired of trying to push the idea of planning ahead,
configuring systems, and installing patches.  No one
seems to want to do it.  Look how many systems got hit
by the sadmin/IIS worm...and the IIS side of it had
been patched for 7 or 8 months.  

__________________________________________________
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com