Vulnerability Development mailing list archives

Re: codegreen, the problem.


From: Patrick Patterson <ppatterson () carillonis com>
Date: Fri, 7 Sep 2001 08:58:40 -0400

-----BEGIN PGP SIGNED MESSAGE-----

On September 6, 2001 09:07 am, John Thornton wrote:
> The thing that scares me about codegreen and others like it is the fact
> that it reboots IIS without even warning the network administrator.
> In the real world there are production servers that are running
> 24/7. Just up and rebooting an extremely important service such as
> IIS without letting anyone know is unheard of. For example, the company

Ok... I agree with you up to a point - some systems shouldn't be rebooted
during peak times....


> I work for runs a web based product that stores their clients' data
> on SQL servers that is updated by IIS. If my servers just started
> to reboot while clients were using the product, our data integrity
> just went down the toilet and when you are talking about a product
> that is COMPLETELY data driven we have a problem. Now we are talking
> about countless man hours to inspect the databases and possibly
> have to fix the databases that your program just crapped on. DBAs

WHOA! Umm... this program is rebooting the machine, not pulling the plug...

Given that this is NT, the random BSOD/HALT would cause you much more
problems... but since CodeGreen reboots your server, if your application is
at all intelligent, it will catch the NT equivalent of SIGTERM and shut down
nicely, without blowing the database... if it doesn't and you are this into
litigation, then you should immediately sic your legal team on your
application developer.



> are not cheap. My company is going to be mad at me, and pissed at
> you for the money that was lost and having to explain to our clients
> why they were kicked out of our server. Now we are talking about

Ok, now that's about the best justification that you had - the time when the
site was unavailable to customers.... However, if you are this pre-occupied
with uptime, then two questions:

1) Why are you using NT in the first place (I know, religious differences,
not meant to start a flame war, just a lot of folk simply don't use NT where
anything beyond 98.5% uptime is required.)

2) Why didn't you patch already for CodeRed? A CodeGreen-like worm should
only "infect" an already infected server that is out there causing damage to
other people's machines, thus leaving you open for a lawsuit for negligence;
or the whims of any kiddie who wanted to send:
yourserver.com/scripts/root.exe+/c+del+/inetpub/wwwroot or whatever would
wipe out your "Mission Critical" application - and leave you FAR more behind
the eight ball than just a simple reboot.

> a lawsuit. From this point of view, your program is far worse than
> code red. Welcome to corporate America. I know, it sucks.
>
> Don't get me wrong, what you are doing is great. I respect it. The
> problem is that there are so many unique ways that IIS is used that
> this whole concept of a (for lack of a better term) white hat worm
> that fixes everything is just a bad idea and in certain cases can
> do more harm than what you are trying to fix. If this goes into the
> wild I would not be shocked at all if someone tries to sue. Just
> something to think about.


True, corporate America is more into duck and cover than in actually fixing
the problems. (most of the time, gross generalization)

I don't know what the solution is - the problem that spawns a CodeRed is
beyond just a single source - Vendors are responsible for releasing insecure
software (not really fixable, since I don't think that it is possible to have
software without at least one bug - but I think that they should default to
secure mode on installation, and then warn the user if they want to make the
system insecure), Admins are responsible for not doing their jobs properly
(there are some rather trivial ways of making sure that your systems are up
to date - as someone who has admin'd large server farms of mixed systems with
a very small staff, I know this IS possible...)... and I'm not sure what to
do about the User level who helps in the propagation out of ignorance....


- --

Patrick Patterson                       Tel: (514) 485-0789
Chief Security Architect                Fax: (514) 485-4737
Carillon Information Security Inc.      E-Mail: ppatterson () carillonIS com
- -----------------------------------------------------------------------
                The New Sound of Network Security
                     http://www.carillonIS.com


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: UOGRJ11f7XppymldrmENFpStwC6MUgeF

iQCVAwUBO5jEhbqc3sMKNyclAQFe8AP9GQGgQKcL+LtnXMw3SJfxCEXglcVvNitD
5C/Fu2aVejlmqSO9wI+3MgWwwHMJYDc7dY4jLoglg48Oc7IAM8gpV0qBl1LzQqHw
DOZxnX/OQTGSSkBJCM3c0eCWeZOAZXKlv73tuIMrJN+fJma3y7wrIEvuqJdKTkwn
NxSx5zlEtSE=
=hayM
-----END PGP SIGNATURE-----
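[Editor's added example, not part of the message above.] The URL Patrick cites, /scripts/root.exe+/c+del+/inetpub/wwwroot, is the Code Red II backdoor: the worm copied cmd.exe into the IIS scripts and MSADC directories as root.exe, so anyone who finds the host can run commands over plain HTTP. An admin who wants to know whether that has already happened, rather than wait for a CodeGreen-style reboot, can read it straight out of the IIS W3C extended logs. The scanner below does that over a few constructed log lines. It generalizes slightly beyond the message: besides root.exe it also flags Code Red II's /c and /d drive virtual roots and the /default.ida overflow request used by the Code Red family (both well-documented worm artefacts, not something the message mentions). The log lines and IP addresses are made up for illustration.

```python
"""Scan IIS W3C extended log lines for Code Red II backdoor activity.

Added example for this thread; the log content below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import unquote

# Constructed IIS 5.0 log excerpt. IIS writes '-' for an empty query and
# substitutes '+' for spaces in cs-uri-query. Lines 1-4 are directives.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-06 13:07:22
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-06 13:07:22 192.0.2.10 GET /default.htm - 200
2001-09-06 13:07:31 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 200
2001-09-06 13:08:02 198.51.100.7 GET /scripts/root.exe /c+dir 200
2001-09-06 13:08:15 203.0.113.44 GET /scripts/root.exe /c+del+/inetpub/wwwroot 200
2001-09-06 13:08:40 203.0.113.44 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-09-06 13:09:01 192.0.2.10 GET /images/logo.gif - 304
"""

# Known Code Red II artefacts, matched against cs-uri-stem (case-insensitive,
# since IIS paths are).
SIGNATURES: List[Tuple[re.Pattern, str]] = [
    # cmd.exe dropped into the scripts / MSADC directories as root.exe
    (re.compile(r"^/(scripts|msadc)/root\.exe$", re.I), "root.exe backdoor"),
    # /c and /d virtual roots that Code Red II mapped to the C: and D: drives
    (re.compile(r"^/[cd]/winnt/system32/cmd\.exe$", re.I),
     "cmd.exe via drive virtual root"),
    # the .ida overflow request itself (Code Red family; CodeGreen used it too)
    (re.compile(r"^/default\.ida$", re.I), "default.ida overflow request"),
]


@dataclass
class Finding:
    line_no: int      # 1-based line in the log file
    client_ip: str    # c-ip field
    kind: str         # which signature matched
    command: str      # decoded command handed to the shell, "" if none


def parse_w3c(lines) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, record) for each data line, keyed by the #Fields names."""
    fields: Optional[List[str]] = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError(f"line {n}: data before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {n}: expected {len(fields)} fields, got {len(values)}")
        yield n, dict(zip(fields, values))


def decode_command(query: str) -> str:
    """Turn the logged cs-uri-query back into the command string the worm ran."""
    if query == "-":
        return ""
    return unquote(query.replace("+", " "))


def classify(stem: str) -> Optional[str]:
    """Return the signature name for a request path, or None if it is benign."""
    for pattern, kind in SIGNATURES:
        if pattern.match(stem):
            return kind
    return None


def scan(lines) -> List[Finding]:
    """Return one Finding per log line whose path matches a Code Red II artefact."""
    findings: List[Finding] = []
    for n, rec in parse_w3c(lines):
        kind = classify(rec["cs-uri-stem"])
        if kind is None:
            continue
        cmd = decode_command(rec.get("cs-uri-query", "-"))
        findings.append(Finding(n, rec["c-ip"], kind, cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.client_ip} {f.kind} {f.command!r}")
```

Any hit on the root.exe or cmd.exe signatures means the box was already compromised long before any "white hat" worm could reboot it; the decoded command column shows exactly what the visitor ran. A default.ida hit on its own is only an attempt and proves nothing about the host unless it was unpatched at the time.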

