Security Incidents mailing list archives

RE: Was RE: disinfection tool -- now a minor rant.


From: Tony Langdon <tlangdon () atctraining com au>
Date: Wed, 8 Aug 2001 10:01:37 +1000

One opinion that prevails often is "Why would anyone want to hack us?  Our
data isn't useful to anybody".  The idea that their hardware and bandwidth
might be of some use to a parasite doesn't occur naturally to people who
don't think about hardware and bandwidth.

This is something I see commonly among both professionals and end users.  I
usually tell a horror story or two, with the odd case study.  Often the
message starts to sink in and the seed is planted.  Code Red (and its
descendants) are another nice case study.

Another overlooked group is the hobbyist organisation who sets up their web
server, or has one hosted by "someone's work".  If administered by the
hobbyist/non profit group themselves, the admins may not be aware of the
responsibility that goes with running such a system.

I've had some degree of success with educating people about risks and
responsibilities they may not have considered.

If expert status came with peer recognition, then experts could be invited
to speak publicly.  Volunteering is basically saying "I consider myself an
expert on this topic", and the person who considers him(her)self an expert
is often a dangerous sort of expert.

Agreed.  Security is an area where one can never know everything.  We're
always learning and trying to keep up to date.

To help ensure that the problem is more contained?  To prevent infection of
larger numbers of machines?  I see your point, the unpatched people are lazy
or uninformed, and you can feel like you're doing their job by helping out
(especially if it's all the time), but at the end of the day, more code red
infections mean slower internet traffic and general degrading of service for
everyone.  That's a good enough reason to help the slackers get it together.

Well, the rate of attempts here is at least several hundred per hour,
possibly into the thousands (I gave up counting some time ago).  Anyone who
cleans up and patches their infected system is helping to keep that unwanted
traffic down.

Plus, I liked someone else's point - there are a lot of internet connected
small businesses that don't even employ an admin.  Quite often in these
cases, you'll find that the secretary has a key to the backup tapes, and
every morning she switches a tape.  Generally not even checking to see if
the backup worked.  There's no-one at this company "not doing their job",

Unfortunately, this is something that some OSs (especially Windows NT/2000
SBS, with its simplified interface) encourage.  An easy to configure and use
server means an increased likelihood of someone with less admin experience
running a publicly accessible server.  Some of the people running these
machines could be educated, but even then, how do you find everyone?

the admin job doesn't even exist.  The scripted-patches CD would be a
perfect candidate for companies like this.  You could possibly even make a
small profit, by selling the CDs.  Is it legal to charge for CDs with
Microsoft patches on them?  I mean, assuming you set a relatively minor
price to cover distribution and such?

I have a feeling you probably couldn't, but you'd have to read the licence
conditions that come with the patches (most MS patches and all service packs
throw up an agreement dialog, so shouldn't be too hard to find out).

There obviously is some added value in the work that's gone into the
scripting, but the CD would be next to no use if it only came with the
scripts and you had to provide links to all the patches.

Agreed.  It would be better if the CD came with everything, just pop it in
and run setup (or let it autorun, if you haven't killed that off).  Better
yet would be if Microsoft offered security updates for its OSs for some time
after purchase, even if it meant subscribing to a security update service
for a small cost to cover media distribution (bundle that with the OS).
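The post above mentions counting several hundred Code Red probe attempts per hour before giving up. The following is an added example, not part of the original message, showing how a defender can measure that rate from an ordinary web server access log: it parses combined-format log lines, picks out requests for /default.ida (the path Code Red's probe requested), and tallies them per hour and per source address. The log lines are constructed for the example, with the long query string shortened; the field layout assumes the common Apache/IIS combined log format.

```python
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample log lines for this example (not taken from the original
# post).  The Code Red probe query string has been shortened for readability.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Aug/2001:09:01:12 +1000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 287
192.0.2.11 - - [08/Aug/2001:09:02:45 +1000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [08/Aug/2001:09:14:02 +1000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 287
198.51.100.7 - - [08/Aug/2001:09:59:58 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 287
198.51.100.7 - - [08/Aug/2001:10:03:19 +1000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 287
192.0.2.11 - - [08/Aug/2001:10:05:00 +1000] "GET /about.html HTTP/1.1" 200 512
"""

# Combined log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Code Red probed the IIS .ida ISAPI extension via GET /default.ida?<long query>
PROBE_RE = re.compile(r'^/default\.ida\?')


def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def probe_stats(log_text):
    """Tally Code Red-style probes.

    Returns three Counters: probes per hour bucket, probes per source address,
    and the HTTP status codes the server answered the probes with.  Anything
    other than a 404 on these requests is worth a second look, since it means
    the server handled the .ida request rather than rejecting the path.
    """
    per_hour = Counter()
    per_source = Counter()
    per_status = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not PROBE_RE.match(rec["path"]):
            continue
        per_hour[rec["ts"].strftime("%Y-%m-%d %H:00")] += 1
        per_source[rec["ip"]] += 1
        per_status[rec["status"]] += 1
    return per_hour, per_source, per_status


def report(log_text):
    """Format the tallies as a short plain-text summary."""
    per_hour, per_source, per_status = probe_stats(log_text)
    lines = ["Probes per hour:"]
    for hour, n in sorted(per_hour.items()):
        lines.append(f"  {hour}  {n}")
    lines.append("Probes per source (top 10):")
    for ip, n in per_source.most_common(10):
        lines.append(f"  {ip:<16} {n}")
    lines.append("Responses given to probes: " + ", ".join(
        f"{code}={n}" for code, n in sorted(per_status.items())))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python coderedcount.py access.log   (defaults to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Run against a real access log, the per-source counts show which infected hosts are hammering you (and who might be worth a polite note), while the per-hour series shows whether clean-up efforts upstream are actually bringing the rate down.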

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
