Security Incidents mailing list archives

RE: Large ISP response to Code Red?


From: "Jonathan A. Zdziarski" <jonathan.zdziarski () micromuse com>
Date: Tue, 31 Jul 2001 14:57:18 -0400

To reiterate, IMHO it's both the fault of the vendor and the ISP.  MS
*should* have had a patch out for this long before this happened.  Many
large ISPs these days don't bother spending the money on security admins to
put the workarounds in or even keep up-to-date on vulnerabilities which is
why I have no pity on them.

*But* you cannot place sole blame on the ISP.  If you bought a Ford with
Firestone tires, is it your fault if you die in a crash because the
manufacturer dropped the ball?  Even if they issued a warning about the
tires, are you going to tell the relatives of a dead family that it's their
fault for not going out and buying new tires instead of waiting for a recall
or more information?

The standards of software manufacturers like Microsoft are lower than
acceptable because administrators and consumers allow them to be
irresponsible with their code.  More pressure needs to be applied, IMHO, on
the software manufacturers who haven't got their act together enough to have
a good test/qa department or coders smart enough to be able to write secure
code, but rather than apply the pressure there, we as consumers drill these
software companies for the next version NOW - this is, however, not an
excuse for the vendor to be as irresponsible as they've been.  If software
manufacturers like Microsoft weren't crack ho's thirsty for a quick buck,
code would be much more secure - and Windows 2000 wouldn't be considered a
different product than Windows NT.

I for one am sick of buying cheap junk software with bugs like this.  Take a
look at the recent SSH 3.0.0 exploit...The stinking software allowed anyone
to log in as bin, daemon, etc. on any machine that used 'NP' in their shadow
file...tell me they couldn't have found that bug if they were responsible
enough to test their own software thoroughly...especially when jumping up a
major version number like that.  Did they even TRY to log in with a wrong
password when testing it, or did they just go from alpha to release?  If
anyone heard about it but didn't fix it, or if they didn't bother
subscribing to lists like this because they didn't know any better, I
haven't got a lot of pity for them but I still blame the vendor for
irresponsibly releasing code without adequately testing it.  Same case with
Microsoft.


-----Original Message-----
From: Kundera [mailto:kundera () onebox com]
Sent: Tuesday, July 31, 2001 2:40 PM
To: incidents () securityfocus com
Cc: jonathan.zdziarski () micromuse com
Subject: RE: Large ISP response to Code Red?


How many times do you people have to be told that this vulnerability
is over a month old?  In addition, MS's best practices guide for IIS,
which has been around for much longer, recommends removing file mappings
that aren't in use.  How can you possibly blame MS for our laziness?
If you let the tires on your car wear down until they're bald and then
you wreck in the rain, should you blame the manufacturer?  No!  It's
your own fault for not paying more attention and you deserve what you
got!

Kundera

-----Original Message-----
From: Jonathan A. Zdziarski [mailto:jonathan.zdziarski () micromuse com]

My 2 cents:

Security is everyone's responsibility.  Microsoft needs to get on the
ball and provide patches and workarounds much quicker than they have
been.  It wouldn't surprise me to see a class action suit crop up after
this last failure to take action.  ISPs [wrongly] trust the vendor to
provide secure software.




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
