Security Incidents mailing list archives

Re: Code Red - A Possible Origin?


From: H C <keydet89 () yahoo com>
Date: Sat, 1 Sep 2001 13:50:45 -0700 (PDT)

Michael,

> The FBI has a conflict-of-interest,

Can you elaborate on this?  How does the FBI have a
conflict of interest, w/ regards to the context of
this thread?

> even though they are in the stone age
> when it comes to computers and computer systems.

How so?  Both NIPC and the Computer Crime Squad have
some pretty bright guys and gals.  

> 'cyber-terrorism' and 'information warfare,' as well as 'Electronic
> Pearl Harbor' (I LOVE that one!) are red herrings
> contractors, government agencies and the military play the "Me Too!"
> game for more funding.

Please be clear when you make statements like this. 
First off, "Electronic Pearl Harbor" is a phrase first
attributed to Winn Schwartau.  Second, it was Congress
that held ineffectual hearings regarding security,
throwing their own 'red herring'.  Third, how has the
military adoption of "information warfare" generated
an increase in funding, particularly at a time when
all services (except the Marine Corps) are having
difficulty bringing in enough new people to sustain
their forces?

> That comes from 27 years active duty in the Navy.  Then, it was
> 'terrorism.'  Now, it's "cyberterrorism."  It's become just a money
> game.  I don't want my profession to be associated with such yellow
> journalistic tactics.

In all fairness to those who _are_ using those terms,
perhaps there is a reason for it.  Not too long ago,
the teachers in Oakland, CA, started a similar
campaign.  They claimed that their kids spoke
"ebonics".  As odd as it may sound, the reason for
doing this was that all other channels for requesting
necessary funding had been exhausted.

Also, I sense that you're mixing targets here.  You
say that you don't like what gov't agencies and the
military are calling this activity, then you say that
you don't want your "profession to be associated with
such yellow journalistic tactics".  I've been out of
the military for only a little while, but I can't
believe that they've all turned into journalists.

> The bottom line is, in most cases, if you're hacked and you're
> functioning as the sysadmin, IT'S YOUR FAULT!!!

I somewhat agree with you on this.  Any sysadmin who
hadn't disabled the ida/idq script mappings on IIS or
hadn't installed the patch had best be very, very
happy that Code Red wasn't nearly as destructive as it
could have been.

However, where I disagree is in the sense that
managers are not making sysadmins responsible for
security.  Most other jobs...sales, admin, HR,
recruiting, etc...all have quantifiable metrics by
which the employee can be judged.  Did the admin
person process payroll and pay the office rent on time
this month?  How many leads did the sales rep
generate, and how much revenue have they brought in? 
Yet, when it comes to security, very few managers seem
to assign the responsibilities and provide the
necessary resources (ie, training, etc).

> until we canonize that in people's minds, the ISVs and vendors will
> continue to duck responsibility with the EULAs and the integrators
> and consultants will continue to duck THEIR responsibilities, too.

Again, this "ducking" can be obviated or mitigated
through the use of contracts.  Yes, I've been a
consultant, and I've been relieved in some cases that
the customer wasn't bright enough to pin the sales rep
down on a couple of items.  Yet, in the long run, this
only hurts the customer.  If you know what it is
you're looking for, or can articulate your needs, then
you can put the necessary language and stipulations in
the contract.  

> It hasn't happened yet.  The thought that we, sitting in
> air-conditioned offices, with laptops or CRT screens in front of us
> are 'warriors' fighting the 'good fight' is just laughable.

So you mean when I'm playing a Quake tourney, I'm NOT
a warrior?  ;-)

Seriously, I fully agree.  A lot of folks billing
themselves as "cyber-warriors" are really slip-shod in
their work.  Many of them are very technically adept,
and can make a Linux kernel sit up, hop around on one
leg, and bark.  But what good does that do for a
client who doesn't have any Linux, and very little
*nix...maybe an HP-UX system, or some Solaris?

> After all, who is the last person you know who died because of a
> buffer overflow?

I've seen the stuff from intelligence folks that says
that real, legit terrorists aren't comfortable with
the use of computer technology to meet their
aims...yet.  Why break into a computer system to open
the gates of a dam and flood an area, when it's easier
to just blow it up?
 


