Full Disclosure mailing list archives

RE: The worm author finally revealed!


From: futureshoks () hushmail com
Date: Fri, 31 Jan 2003 04:53:26 -0800


Fair comment and you are entitled to your opinion. However much we 'Helpdesk' (as Pipes puts it) people who have to 
manage actual live systems would like to secure our systems, we are still driven by the management.

Yes it would be nice to have a management structure that recognised the value of infosec. Yes it would be nice if 
development would commit resources to updating code in the light of patches/upgrades/etc. Yes it would be nice if we 
could control the network with an iron fist. Yes it would be nice... but in the end we are driven by the bottom line, 
especially in the current economic climate. If the CEO says that the new product deadline is more important than fixing 
the code for SQL SP3 then that's what we have to deal with. Tough.

So saying that there is no excuse not to patch blah blah blah doesn't hold true. We have to work within logistical 
boundaries and do what we can. What do you do if patching isn't viable, the systems have to stay up and 
development/test resources can't be committed to fixes? In this instance you block port 1434 if you can and hope to God 
that nothing bad happens.

What I am trying to say is that it is easy for security researchers, software vendors, anonymous people on mailing 
lists, etc. to say "patch your systems or you've only yourself to blame". But when people say things like "so yes, you 
probably could get away with unplugging servers." in response, it goes to show that they don't understand the political 
and logistical factors in running a real live secure system that generates revenue.

Just imagine you pulled the plug on your company's webserver because they were running an un-patched IIS (and you're 
running IIS because some development manager decided it was The Right Thing). Your CEO comes storming down saying they 
are losing business and the reputation of the company is being damaged. What do you do? Retort with "well a hacked 
webserver would be more damaging"? What do you think (s)he'll say? "Oh OK then, I see your point. Keep the servers down 
until it's patched and thank you for your proactive stance". Or more likely "get the servers back on-line or you are 
fired".

I'm not making personal attacks here: everyone should be free to have their own opinion and I'm willing to admit that I 
might be wrong. I just get narked by this whole attitude of security is the primary focus of everything. In the Real 
World I've found that money is the primary focus and security is protection of investment that sometimes has to be 
compromised - however much we know/insist that this shouldn't be the case.


> On Thu, 2003-01-30 at 13:08, Pipes Cuchifrito wrote:
> > With regards patching systems: have you ever worked in a *real* operations post? Have you ever had developers of 
> > your main product say to you "no you can't upgrade to SP6a as it'll break the main engine". No matter how much you 
> > beg and plead to get this fixed they don't have the resources. What you gonna say? "Fuck you then I'm unplugging the 
> > Live servers"?
> 
> Yet another clueless twit.
> 
> --
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/~pauls/
> AVIEN Founding Member

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html