Re: Was RE: disinfection tool -- now a minor rant.

["Jim" <mlist () budget co nz>]

> From the beginning, I thought this was the whole point
> of the Code Red worm.  Given how "noisy" the worm is,
> and given that CRv1 and 2 weren't all that destructive
> (CRII seems to be an escalation...sort of, "I already
> told what I could do...now I'm going to do it."), it
> seems that CR is someone's idea for forcing admins to
> install the patch.  After all, the vector leads to a
> system-level compromise.  Look at it like a
> vaccine...give the patient a small dose of the largely
> inert 'virus' so that the system develops an immunity.

Oo! Ooo! Now we can think up a new MS conspiracy...  the code red patch must
have code in it to move money into Microsofts account, so they created code
red in order to force everyone to install the patch AAAAAHAHAHAHAHA I knew
they were evil.


> > A lot of people, me included, can't understand why
> > professional
> > admins don't update their systems.
>
> Nor do I understand.

Professional admins do update their systems, that's part of what makes them
professional ;)


> After years of hearing this, I would love to hear a
> viable way of doing this.  I've heard a variety of
> techniques for educating business owners on risk, from
> showing how it would impact their business, to making
> it a business issue, to showing how a lack of security
> can impact the bottom line.  I'm to the point of
> believing that the business owners already know...they
> just like the idea of someone kissing their arses and
> begging for money.

One opinion that prevails often is "Why would anyone want to hack us?  Our
data isn't useful to anybody".  The idea that their hardware and bandwidth
might be of some use to a parasite doesn't occur naturally to people who
don't think about hardware and bandwidth.


> > Contact your local paper or radio station
> > and talk to the
> > news director.  Do an interview, be an expert.
>
> There have to be trade-offs with this.  After all,
> there are already 'experts' talking to the media,
> which in turn generates FUD.  Say the wrong thing
> and/or get quoted out of context, and you risk ending
> up on a site like Attrition in a less-than-favorable
> light.  The problem with the media is that if you're
> not sensational enough, you don't get interviewed.
> That's why JP of AntiOnline got more press with
> regards to "profiling" than the folks who do it
> professionally.

I don't think anyone should volunteer to speak publicly as an expert.  On
the net, it's fantastic.  Someone asks a question, three people respond
correctly, and one person believes he has a correct answer when in fact he
doesn't.  He is corrected within hours by the internet system.  But a public
speaker has no such system available.  Once something's been said, true or
not, everyone has heard it, and people who don't know any better will
believe it.  Why shouldn't they?  The guy was an expert.

If expert status came with peer recognition, then experts could be invited
to speak publicly.  Volunteering is basically saying "I consider myself an
expert on this topic", and the person who considers him(her)self an expert
is often a dangerous sort of expert.


> Perhaps this is where Mr. Ng's complaint comes
> from...the very fact that one group has to take the
> time to rescue another group from themselves, when we
> all have access to the same resources.  So someone
> invests a significant amount of intellectual property
> to make someone else's job easier...for what?

To help ensure that the problem is more contained?  To prevent infection of
larger numbers of machines?  I see your point, the unpatched people are lazy
or uninformed, and you can feel like you're doing their job by helping out
(especially if it's all the time), but at the end of the day, more code red
infections mean slower internet traffic and general degrading of service for
everyone.  That's a good enough reason to help the slackers get it together.

Plus, I liked someone else's point - there are a lot of internet connected
small businesses that don't even employ an admin.  Quite often in these
cases, you'll find that the secretary has a key to the backup tapes, and
every morning she switches a tape.  Generally not even checking to see if
the backup worked.  There's no-one at this company "not doing their job",
the admin job doesn't even exist.  The scripted-patches CD would be a
perfect candidate for companies like this.  You could possibly even make a
small profit, by selling the CDs.  Is it legal to charge for CDs with
Microsoft patches on them?  I mean, assuming you set a relatively minor
price to cover distribution and such?
There obviously is some added value in the work that's gone into the
scripting, but the CD would be next to no use if it only came with the
scripts and you had to provide links to all the patches.



-----------------------------------------------
This message is confidential. If you are not the intended recipient you must not read or do anything else with this 
message.
If you have received this message in error please notify us immediately by return email and destroy this email. Thank 
you.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com