Interesting People mailing list archives
a view from a vet -- Slammered
From: Dave Farber <dave () farber net>
Date: Sun, 26 Jan 2003 19:28:59 -0500
I am keeping this thread open since I believe it is very important to understand the issues and how we can attack them. Prayer is not sufficient.

Dave

------ Forwarded Message
From: Bob Frankston <rmfxixB () bobf Frankston com>
Date: Sun, 26 Jan 2003 18:15:17 -0500
To: dave () farber net, "'ip'" <ip () v2 listbox com>
Subject: [IP] Slammered

{If I try to edit this I'll never get around to sending it because I have to catch up after wasting hours on this, and it probably captures the mood in its current form. So please excuse my typos.}

I feel obliged to add to the blaming -- yesterday I noticed my SQL Server was eating up my CPU, so I killed the process but was too busy to go to the MS site. Today I was dealing with a network problem that turned out to be ... But, as I point out below, I also applaud Microsoft for at least giving us the rope with which to play.

So I killed the server, downloaded and applied the fix, and it failed with a message saying that something went wrong -- tell me what? Why? So I deinstalled and reinstalled the whole thing.

Why was I caught? After all, I run AV software, I frequently check the MS site for updates, I run Windows Update and do all of that. But Microsoft puts the onus on me to keep vigilant about their myriad of applications. Office has its own procedure and so does SQL Server, and who knows what lurks in the bowels of my PC that I don't know about? MDAC?? Whatever that is?

I find Microsoft security claims to be totally meaningless if they don't first address the human factors issues. I remember Multics security was entirely about human factors. That is, until the military wanted "real" security and then they installed some cockamamie system whose main purpose seemed to be to prevent work from being done, since just about any cooperation created insecurities. At least it provided entertainment as we thought of ways to get around it. Of course, real people didn't use that stuff.
But having such mechanisms allows people to claim security while putting all the blame on the users for not spending all of their time and effort keeping track of the latest postings and for actually trying to use the software. It's like the legal notices in the newspapers in small type on some back page. They're a joke, and the antidote is to have people whose job it is to find them and alert others. It's very fallible open-loop signaling.

Why do I run SQL Server? Well, I have been intending to migrate my databases to it since Access isn't getting the investment necessary to have it scale, but SQL Server is a product for IT departments and not for kneading data. So I'm stuck. But I have used it for some applications, including accessing other SQL servers on the net for a site I built.

Why do I have my ports open? For the same reason that using a condom and creating new people are incompatible. I want to use computers and not treat them as sacred objects to be run by a tribe of wizards.

Does Microsoft deserve blame? Yes. They still need to learn that security is about people and not guard towers. The idea of shutting the ports is silly -- I'm on a dynamic network, and even if I have a firewall and shut it down there are also all those internal systems vulnerable because of firewalls. (At least I run SQL Server on only my main system at the moment.)

But the lock-it-down-and-hide approach is endemic. Outlook locks down my address book, which makes it difficult for me to have programs that access my own data. And then there's that "simple" file sharing in XP which subverts the ACL system rather than leveraging it and seems to be blissfully unaware of the Internet. Where's the effort to make the ACLs usable and make them work in noncorporate environments? That's part of the problem -- corporations are supposed to have people dedicated to being vigilant and making sure no user does anything insecure or even innovative. Small business and homes?
Well, they can't really use computers because they are too complicated, so why worry about it? That was the challenge I faced when I had the incomprehensible idea of making networking something you would actually use within the home. I had to get past all of the complexity that existed because, well, because it existed. And there is still a lot of that, with the NATs being examples of what makes it so hard to actually use any of this. And worse, the NATs/firewalls are given as solutions when they only contribute to the stifling complexity.

But I also very much applaud Microsoft for at least making these products available. And I don't expect them to fix the unfixable -- I've decommissioned my older OSes, though I realize that's not a full solution. Oracle puts out blatantly false advertisements saying their systems never have viruses and bugs, and they get away with it because they sell to corporations which need to pretend that is true. At least Microsoft errs on the side of giving us powerful tools.

The key is to learn from these experiences. I do not want to drive Microsoft into the liability avoidance mode in which they say their software only works behind firewalls in static configurations with a full-time IT staff. I'd rather there be canaries, even if I have to be the one, from whom we can learn than to listen to Steve Gibson and others who simply tell us to be afraid and hide. I just want to make sure that there is learning and not just blame.

Bob Frankston
http://www.Frankston.com

-----Original Message-----
From: owner-ip () v2 listbox com [mailto:owner-ip () v2 listbox com] On Behalf Of Dave Farber
Sent: Sunday, January 26, 2003 02:30
To: ip

------ Forwarded Message
From: Adam Peake <ajp () glocom ac jp>
Date: Sun, 26 Jan 2003 14:27:30 +0900
To: dave () farber net
Subject: Re: [IP] More on Slammer - Bank of America ATMs impacted

> ---- Forwarded Message
> From: "Paul E. Robichaux" <paul () robichaux net>
> Date: Sat, 25 Jan 2003 20:12:06 -0500
> To: dave () farber net
> Subject: RE: [IP] More on Slammer - Bank of America ATMs impacted
>
> This is unfair, Dave. Microsoft released a patch for this in July of 2002.
>
> Blaming the vendor for administrator failure is certainly easy, and bashing Microsoft is what I'd expect from Rick; however, any administrator who got bitten by this worm has no one to blame but themselves.

Dave, perhaps you could check the following comment I was sent about Microsoft's lack of blame:

> Here's a bigger joke: service packs 1 and 2 for SQL Server 2000 and the patch issued for the 1434 problem identified in July are ineffective against this. Only service pack 3, issued last week, will stop it.

If correct, then it is quite fair to slam Microsoft, and to do so before the buck is passed elsewhere.

Adam

------ End of Forwarded Message

------ Forwarded Message
From: Joe Touch <touch () ISI EDU>
Date: Sat, 25 Jan 2003 21:47:01 -0800
To: dave () farber net
Subject: Re: [IP] More on Slammer - Bank of America ATMs impacted

Dave Farber wrote:

> ------ Forwarded Message
> From: "Paul E. Robichaux" <paul () robichaux net>
> Date: Sat, 25 Jan 2003 20:12:06 -0500
> To: dave () farber net
> Subject: RE: [IP] More on Slammer - Bank of America ATMs impacted
>
> This is unfair, Dave. Microsoft released a patch for this in July of 2002.

A patch in 2002 on a 2000 product that fixes a buffer overrun error. Why, in this era of buffer overrun errors (didn't they go back at least to the Morris worm of 1988?), don't manufacturers check their code BEFORE they release it?

Joe

-------------------------------------
You are subscribed as rcv-interesting-people () frankston com
To unsubscribe or update your address, click
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/

------ End of Forwarded Message
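Joe Touch's closing question is about a bug class rather than one product: a fixed-size buffer filled from network input without a length check. The following is an added illustration of that class, written for this archive page; it is not Slammer's code, not SQL Server's code, and not anything posted by the people in the thread. The datagram layout (one type byte followed by a NUL-terminated instance name), the type value 0x01 and the 16-byte buffer are all made up for the example. It shows the unchecked pattern next to a bounded parser that rejects, rather than silently truncates, a name that would not fit.

```c
/*
 * Added illustration of the "buffer overrun in a network-facing service" bug
 * class discussed in the thread. Not code from Slammer, SQL Server or any of
 * the messages above; the datagram format, type byte and sizes are invented.
 */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define NAME_MAX 16          /* hypothetical fixed buffer size */
#define REQ_TYPE 0x01        /* hypothetical request type byte */

/* Result codes returned by the checked parser. */
enum { PARSE_OK = 0, PARSE_TOO_SHORT = -1, PARSE_TOO_LONG = -2, PARSE_BAD_TYPE = -3 };

/* Vulnerable pattern: trusts that the sender's name fits the stack buffer.
 * A name longer than NAME_MAX - 1 bytes writes past 'name' on the stack.
 * Kept here for contrast only; never call it on untrusted input. */
void handle_unchecked(const unsigned char *pkt, size_t len)
{
    char name[NAME_MAX];
    (void)len;                               /* the length is ignored: that is the bug */
    strcpy(name, (const char *)pkt + 1);     /* unbounded copy from the datagram */
    printf("unchecked: instance '%s'\n", name);
}

/* Checked version: every read stays inside the datagram, every write stays
 * inside the destination, and an oversized name is an error, not a truncation
 * (silent truncation would hide the attempt from the operator). */
int handle_checked(const unsigned char *pkt, size_t len, char *out, size_t outsz)
{
    if (len < 2)                 return PARSE_TOO_SHORT;   /* type byte plus at least a NUL */
    if (pkt[0] != REQ_TYPE)      return PARSE_BAD_TYPE;

    /* memchr is bounded by len - 1, so it cannot read past the datagram. */
    const unsigned char *nul = (const unsigned char *)memchr(pkt + 1, '\0', len - 1);
    if (nul == NULL)             return PARSE_TOO_SHORT;   /* unterminated name */

    size_t namelen = (size_t)(nul - (pkt + 1));
    if (namelen + 1 > outsz)     return PARSE_TOO_LONG;    /* would not fit with its NUL */

    memcpy(out, pkt + 1, namelen);
    out[namelen] = '\0';
    return PARSE_OK;
}

/* Constructed sample datagrams (not captured traffic), each run through the
 * checked parser with a NAME_MAX-byte destination; returns the result code. */
static int run_checked(const unsigned char *pkt, size_t len)
{
    char name[NAME_MAX];
    return handle_checked(pkt, len, name, sizeof name);
}

int demo_good(void)            /* 10-byte name: fits, returns PARSE_OK (0) */
{
    const unsigned char pkt[] = { REQ_TYPE, 'S','Q','L','E','X','P','R','E','S','S', 0 };
    return run_checked(pkt, sizeof pkt);
}

int demo_oversized(void)       /* 40-byte name: rejected, returns PARSE_TOO_LONG (-2) */
{
    unsigned char pkt[1 + 40 + 1];
    pkt[0] = REQ_TYPE;
    memset(pkt + 1, 'A', 40);
    pkt[41] = '\0';
    return run_checked(pkt, sizeof pkt);
}

int demo_unterminated(void)    /* no NUL inside the datagram: PARSE_TOO_SHORT (-1) */
{
    const unsigned char pkt[] = { REQ_TYPE, 'A', 'B' };
    return run_checked(pkt, sizeof pkt);
}

int main(void)
{
    const unsigned char good[] = { REQ_TYPE, 'S','Q','L','E','X','P','R','E','S','S', 0 };
    printf("good        -> %d\n", demo_good());
    printf("oversized   -> %d\n", demo_oversized());
    printf("unterminated-> %d\n", demo_unterminated());
    handle_unchecked(good, sizeof good);   /* safe only because this name fits */
    /* handle_unchecked() on the oversized datagram would smash the stack. */
    return 0;
}
```

The difference the thread is arguing about is the two lines in the checked version that compare the name against the datagram length and the destination size; nothing about the fix depends on a firewall or on which port the service listens on.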