[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
From: Paul Schmehl <pauls@xxxxxxxxxxxx>
Date: Mon, 29 Sep 2003 23:51:03 -0500

--On Monday, September 29, 2003 21:49:26 -0300 Rodrigo Barbosa <rodrigob@xxxxxxxxxxxxxxx> wrote:


As some may recall, my original statement was an answer to someone that
was points that Unix is more secure then Windows (I agree up to this
point), and gave and example telling that there are still several codered
vulnerable machine around. This is the point I was commenting about. And
you do have to agree that is a machine, today, is still vulnerable to
Codered, it is mostly due to a fault of the administrator.

I'm going to pick one small nit with you. There is another possible guilty party. In some cases, at least in edu and medical centers (that's what I'm familiar with) the *vendor* is at fault. Some vendors will not certify their scientific instruments with the latest Service Packs and patches, leaving the admins no other choice but to find some other way to protect the machine. (Hell, we sometimes have trouble getting vendors of *security* devices to support their products with the latest SPs and patches. (Which is another reason that I dislike putting security-related software on Windows boxes, but sometimes you simply have no choice.)

Case in point, I just today helped a professor set up a small SOHO router to protect three machines, one running NT 4.0 SP3, another running Win2k SP2 and a third running Win98. All three machines are controlling six figure scientific instruments, and all three are as vulnerable as can be. The "admins" are professors whose job it is to discover new things in science, *not* secure computing equipment. But the reason the machines are vulnerable is because of the vendor, not because we choose to keep them that way. Now they're safely tucked away, nated and firewalled, and there is no access to them from our network, much less from the internet.

So, while I agree with you that in *many* cases, if a box is vulnerable to Code Red, it is the admins' fault, that is not true in *every* case. (It *is* the admins' fault if they don't solve the problem somehow, however.)

Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Rodrigo Barbosa

References:
- Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Rodrigo Barbosa
- Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Frank Knobbe
- Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Rodrigo Barbosa

Prev by Date: RE: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
Next by Date: RE: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Mo nopoly
Previous by thread: Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
Next by thread: Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
Index(es):
- Date
- Thread