Information Security News mailing list archives
RE: Security Firm Blamed For Code Red Costs
From: InfoSec News <isn () c4i org>
Date: Mon, 13 Aug 2001 03:17:18 -0500 (CDT)
Forwarded from: Patrick S. Harper <patrick () internetsecurityguru com>

I do not believe that full disclosure is the problem. Full disclosure, in my opinion, keeps software manufacturers on their toes. I believe that many of the problems come from unqualified people sitting in the sysadmin or network engineer chair. Companies (especially smaller ones) do not want to pay what it costs for someone who knows what they are doing to come in and secure their systems. Too many times have I seen the "Network Administrator" of a company who has no clue. He just happened to like computers and wound up with the job so they could save 20K a year. Then, when a disaster hits, a server falls over, or they get hacked, they have no clue how to recover. The company then has to bring in a consultant for disaster recovery (which for me is 1.75X my normal rate); they lose money and productivity because no e-mail is going out, or Joe lost that project he had been working on for three months with no backup (but it was on a network share???).

I think sometimes that incidents like this are good in a way. You learn the importance of getting and keeping good people, keeping them up on training, making sure they have the appropriate equipment, and are ready to do their jobs.

Just my $.02 worth.
-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org] On Behalf Of InfoSec News
Sent: Saturday, August 11, 2001 2:05 AM
To: isn () attrition org
Subject: [ISN] Security Firm Blamed For Code Red Costs

http://www.newsbytes.com/news/01/168934.html

By Brian McWilliams, Newsbytes
ALISO VIEJO, CALIFORNIA, U.S.A., 10 Aug 2001, 5:11 PM CST

The damage toll from the Code Red worm has sparked a new debate over what security experts call "full disclosure." Richard M. Smith, chief technology officer for the Privacy Foundation, today criticized the company that found and publicized the glitch in Microsoft's Internet Information Server (IIS) which led to the creation of the malicious worm and a copy-cat.

"Was it really necessary for eEye Digital Security to release full details of the IIS buffer overflow that made the Code Red I and II worms possible? I think the answer is clearly no," wrote Smith in a message to the Bugtraq security mailing list today.
[...]

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.