Full Disclosure mailing list archives
Re: [inbox] Re: CyberInsecurity: The cost of Monopoly
From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 29 Sep 2003 23:51:03 -0500
--On Monday, September 29, 2003 21:49:26 -0300 Rodrigo Barbosa <rodrigob () suespammers org> wrote:
>> I'm going to pick one small nit with you. There is another possible guilty party. In some cases, at least in edu and medical centers (that's what I'm familiar with) the *vendor* is at fault. Some vendors will not certify their scientific instruments with the latest Service Packs and patches, leaving the admins no other choice but to find some other way to protect the machine. (Hell, we sometimes have trouble getting vendors of *security* devices to support their products with the latest SPs and patches.) (Which is another reason that I dislike putting security-related software on Windows boxes, but sometimes you simply have no choice.)

> As some may recall, my original statement was an answer to someone who was pointing out that Unix is more secure than Windows (I agree up to this point), and gave an example telling that there are still several Code Red vulnerable machines around. This is the point I was commenting about. And you do have to agree that if a machine, today, is still vulnerable to Code Red, it is mostly due to a fault of the administrator.
Case in point, I just today helped a professor set up a small SOHO router to protect three machines, one running NT 4.0 SP3, another running Win2k SP2 and a third running Win98. All three machines are controlling six-figure scientific instruments, and all three are as vulnerable as can be. The "admins" are professors whose job it is to discover new things in science, *not* secure computing equipment. But the reason the machines are vulnerable is because of the vendor, not because we choose to keep them that way. Now they're safely tucked away, NATed and firewalled, and there is no access to them from our network, much less from the internet.
So, while I agree with you that in *many* cases, if a box is vulnerable to Code Red, it is the admins' fault, that is not true in *every* case. (It *is* the admins' fault if they don't solve the problem somehow, however.)
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
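The arrangement Paul describes (unpatchable instrument controllers parked behind a small NAT router with no inbound access from the campus network) is a standard way to keep vendor-locked hosts off the reachable surface. The script below is an added example, not Paul's configuration or anything from the thread: it emits an iptables ruleset for a Linux box doing the router's job. The interface names, the private range and the optional management host are assumed placeholders passed as arguments; nothing is applied unless you pipe the output into a shell yourself.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables rules that put a segment of
# unpatchable instrument controllers behind a Linux box acting as a small NAT
# router, so nothing on the campus LAN or the Internet can open a connection to
# them. Interface names, private range and management host are assumed
# placeholders supplied as arguments.
#
# usage: isolation_rules UPLINK_IF INSTRUMENT_IF INSTRUMENT_NET [MGMT_HOST]

isolation_rules() {
    uplink="$1"        # NIC toward the campus LAN / Internet
    inside="$2"        # NIC toward the instrument controllers
    net="$3"           # RFC 1918 range used on the instrument side
    mgmt="${4:-}"      # optional single admin host allowed to connect inward

    # Default deny for forwarded traffic (the router's own INPUT chain is out of scope here).
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    # Replies to connections the instruments opened themselves may come back.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Instruments may initiate outbound (e.g. pushing results to a file server) ...
    echo "iptables -A FORWARD -i $inside -o $uplink -s $net -j ACCEPT"
    # ... and are hidden behind the router's address on the way out.
    echo "iptables -t nat -A POSTROUTING -o $uplink -s $net -j MASQUERADE"
    # Optional: exactly one admin host may open connections inward.
    if [ -n "$mgmt" ]; then
        echo "iptables -A FORWARD -i $uplink -o $inside -s $mgmt -d $net -m conntrack --ctstate NEW -j ACCEPT"
    fi
    # Log (rate-limited) and drop every other attempt to reach the instruments.
    echo "iptables -A FORWARD -i $uplink -o $inside -m limit --limit 5/min -j LOG --log-prefix \"INSTR-DROP: \""
    echo "iptables -A FORWARD -i $uplink -o $inside -j DROP"
}

# Review helper: count the rules that let the uplink side open a connection
# inward. With no management host given, this must be zero.
inbound_allow_count() {
    n=$(isolation_rules "$@" | grep -c -- "-i $1 -o $2 .*-j ACCEPT") || n=0
    echo "$n"
}

# Dry run for review: ./isolate.sh --show eth0 eth1 192.168.77.0/24 [10.0.0.5]
if [ "${1:-}" = "--show" ]; then
    shift
    isolation_rules "$@"
fi
```

The review helper is the check worth keeping: after any edit to the ruleset, confirm that the number of inward ACCEPT rules is exactly the number of management hosts you meant to admit, and that the last FORWARD rule for uplink-to-instrument traffic is still the DROP. Whether the instruments need outbound access at all depends on how results leave the machine; if they never push data, removing the outbound ACCEPT and MASQUERADE lines shrinks the surface further.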