Firewall Wizards mailing list archives
Re: Recent Attacks
From: Matthew_S_Cramer () armstrong com
Date: Tue, 22 Feb 2000 15:43:47 -0500
David LeBlanc <dleblanc () mindspring com> wrote:
At 02:18 PM 2/21/00 -0500, Matthew_S_Cramer () armstrong com wrote:
The people that should be held responsible for this attack, if any, are the people that allow insecure systems on the internet.
So we ought to blame the victim?
Well, your analogy is flawed. Let me clarify.....
I have a lot of problem with this approach. So what you're saying is that if I don't install a Lowjack system, and someone puts my car on a tow truck and steals it, that it was my fault for not protecting myself?
Well, like with automobiles, there is "best practice". A best practice of automobiles is to not leave them running and unattended in a high crime area. So that is a better analogy: you leave your car running and unattended for 7 days in a high crime area and then want sympathy when you find out it is stolen? You'll get none from me......

Similarly, people put systems on the internet and ignore "best practice". An unpatched Redhat 4.2 linux machine on the internet is just being asked to be 0wned. Do the people that put that box out there and who ignored security concerns share some guilt? Absolutely! Is it libelous? Dunno. Maybe it should be.

Again, return to Marcus's gun analogy. Here is my modification: a loaded machine gun left on my front porch unattended for a week. The gun is stolen and used in a murder. Sure, I am a "victim" because my gun was stolen. Do I deserve blame? You betcha. This is how I see unsecure, easily penetrated by known exploits, systems on the internet - unattended loaded machine guns.
Next, we can start blaming the people who wrote the software because they're human and make mistakes, too.
Actually, I find the "Disclaimer: we make no promise that this software will actually work and make no claim that it will not totally destroy your system" nauseating. I'd like to see some liability for crap software. Give the M$ lawyers something to do......
While we're at it, let's blame everyone except the people who sit there at their keyboard and attack others. Maybe we ought to blame society for raising a bunch of anti-social kids, too.
Strawman.........
For example, our highways are vulnerable to the pour-oil-off-the-bridge attack. You go pour 50 gallons of motor oil off of a local bridge onto the interstate, and you'll cause a denial of service. So, who should we blame here?
[snip] Again a flawed analogy. Consider again the loaded gun scenario......
I didn't mean to go off on a rant (and don't mean anything personal), but this one point really makes me irate. A lot of my job is trying to get people to apply patches, correct misconfigurations, etc.
Mine too. It is frustrating to be ignored. Maybe some possible liability will up the stakes.
The vast majority of them had no idea that there was a problem. It is obviously prudent to check your systems, and stay up to date on patches,
Yep, that's my point. It is "common sense". The fact that certain people are ignorant of common sense is never an excuse. See, the .gov and many .com's would like to see this problem solved with legislation: "throw the script kiddies in jail". Yeah, make them serve more time than convicted hitmen or mafiosos. NOT. This is a technical problem, there are technical solutions. People are ignoring the technical solutions (the info is OUT THERE ALREADY) and proposing legislation and criminal solutions. If people need motivations to use the technical solutions, I say throw some liability their way, that's all.
but assigning blame to the owners of the system is wrong in most cases.
All I say is apply the same rigours as we do in other industries. If you go against the best practices of an industry, you have to expect some liability. Throwing some script kiddies in jail, even with harsh penalties, won't fix things. Look at the example of the drug war.....

Regards,
Matt