Information Security News mailing list archives

RE: Security Firm Blamed For Code Red Costs


From: InfoSec News <isn () c4i org>
Date: Mon, 13 Aug 2001 03:17:18 -0500 (CDT)

Forwarded from: Patrick S. Harper <patrick () internetsecurityguru com>

I do not believe that full disclosure is the problem.  Full disclosure
in my opinion keeps software manufacturers on their toes.  I believe
that many of the problems come from unqualified people sitting in the
sysadmin or network engineer chair.

Companies (especially smaller ones) do not want to pay what it costs
for someone who knows what they are doing to come in and secure their
systems.  Too many times have I seen the "Network Administrator" of a
company who has no clue.  He just happened to like computers and wound
up with the job so they could save 20K a year.  Then when a disaster
hits, a server falls over, or they get hacked, they have no clue how to
recover.

The company then has to bring in a consultant for disaster recovery
(which for me is 1.75X my normal rate).  They lose money and
productivity because no e-mail is going out, or Joe lost that project
that he had been working on for three months with no backup (but it
was on a network share???).  I think sometimes that incidents like this
are good in a way.

You learn the importance of getting and keeping good people, keeping
them up on training, making sure they have the appropriate equipment,
and are ready to do their jobs.

just my $.02 worth



-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org] On Behalf Of InfoSec News
Sent: Saturday, August 11, 2001 2:05 AM
To: isn () attrition org
Subject: [ISN] Security Firm Blamed For Code Red Costs


http://www.newsbytes.com/news/01/168934.html

By Brian McWilliams, Newsbytes
ALISO VIEJO, CALIFORNIA, U.S.A.,
10 Aug 2001, 5:11 PM CST

The damage toll from the Code Red worm has sparked a new debate over
what security experts call "full disclosure."

Richard M. Smith, chief technology officer for the Privacy Foundation,
today criticized the company that found and publicized the glitch in
Microsoft's Internet Information Server (IIS) which led to the
creation of the malicious worm and a copy-cat.

"Was it really necessary for eEye Digital Security to release full
details of the IIS buffer overflow that made the Code Red I and II
worms possible? I think the answer is clearly no," wrote Smith in a
message to the Bugtraq security mailing list today.

[...]



-
ISN is currently hosted by Attrition.org
