Re: Recent Attacks

[David LeBlanc <dleblanc () mindspring com>]

At 02:18 PM 2/21/00 -0500, Matthew_S_Cramer () armstrong com wrote:

> The people that should be held responsible for this attack, if any, are the
> people that allow insecure systems on the internet.  

So we ought to blame the victim?  I have a lot of problem with this
approach.  So what you're saying is that if I don't install a Lowjack
system, and someone puts my car on a tow truck and steals it, that it was
my fault for not protecting myself?

Next, we can start blaming the people who wrote the software because
they're human and make mistakes, too.  While we're at it, lets blame
everyone except the people who sit there at their keyboard and attack
others.  Maybe we ought to blame society for raising a bunch of anti-social
kids, too.

For example, our highways are vulnerable to the pour-oil-off-the-bridge
attack.  You go pour 50 gallons of motor oil off of a local bridge onto the
interstate, and you'll cause a denial of service.  So, who should we blame
here?

a) bridge designers for failing to anticipate the attack, and allowing
holes in the fences over the bridge
b) motor oil manufacturers for making oil that doesn't prevent its use in
this manner
c) The shop where the oil was stolen from
d) tire manufacturers for making tires that aren't resistant to this
e) people who make roads that don't resist this attack
f) the people pouring the oil off the bridge

I think 'f' is the obvious answer.  

I didn't mean to go off on a rant (and don't mean anything personal), but
this one point really makes me irate.

A lot of my job is trying to get people to apply patches, correct
misconfigurations, etc.  The vast majority of them had no idea that there
was a problem.  It is obviously prudent to check your systems, and stay up
to date on patches, but assigning blame to the owners of the system is
wrong in most cases.


David LeBlanc
dleblanc () mindspring com