Full Disclosure mailing list archives
Re: Avoiding being a good admin - was DCOM RPC exploit (dcom.c)
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 29 Jul 2003 20:49:49 +0200 (CEST)
On Tue, 29 Jul 2003, Jason wrote:
> Given a conservative half a day downtime for only 100,000 of the more likely 150,000 employees at a very conservative average burden of $10 per hour you have spent $4,000,000 in productivity losses alone. This completely ignores costs like lost data, lost confidence, work that has to be redone...

A-ha, so all of the 150,000 employees maintain a constant rate of "productivity", and are at a hundred percent of their output capacity, so that a downtime will cause an irreversible loss they cannot compensate for by skipping one coffee break after an incident (incidents like this occurring not particularly often)? And all perform work that will be disrupted by an outage?

As far as I can tell, there are some rare cases in a corporate infrastructure where an outage can cause a measurable loss by deferring certain processes that indeed can't be compensated for, either due to a lack of output capacity, or because the availability is in fact the product. But those cases are either limited to specific businesses (that have a process for a product), very localized (to a single or a couple of teams), or happen sporadically (whenever there's a big push for a new release or such). Most of the workers, most of the time in most businesses are able to assimilate any delays resulting from an outage because the very nature of most office jobs is that they do not mean a constant and non-manageable work load and performance requirements. Some do - but that's an exception, not a rule.

As such, an incident can cause losses to some, if they are in a specific situation or in a specific business. But saying that a worm (or anything else) caused number_of_computers * average_sysadmin_pay * hours_to_fix = ten bazillion dollars of losses to the industry is just silly and is nothing more than FUD.

For most companies, an incident like this once in a while is just an inconvenience. For that reason, they would not consider spending enormous amounts of money on a better staffed and better educated IT department and constant monitoring of the threats. Worm comes, worm goes, big deal.

--
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-07-29 20:32 --

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html