Gentlemen:For those of you smartass know-it-alls that think you've got the tiger by the tail, here's a suggestion for you - volunteer your time to some of the local educational institutions. Pick a non-profit in your local area and help them with their network. Do some fund raising to get them the equipment they need. Or donate the equipment you throw out because it's "out of date". DO something about the problem instead of bitching about it in the lists and blaming the poor admins who have no power to fix it.
It's apparent that this worm has frayed a lot of nerves, and I certainly understand
that. The lazy admin accusation has been leveled many times before, as have
the arguments presented in defense of admins. The truth, I suspect, is as in many
of these situations somewhere in the vast landscape in between the extremes. Some
admins *are* lazy and/or incompetent. Many of us have fought for years to get
management to realize that systems administration is a profession unto itself,
not a sideline for Joe Bob down in the mail room in between package delivery runs.
But I know from personal experience that not only educational institutions, but many
others--in scientific fields, for example--are extraordinarily reluctant to allow security
on their networks due to the perception that it interferes with the free exchange of
data. "Scientists shouldn't be burdened with such things," they often say. In these
cases convincing the powers that be to let you install even a simple software firewall
can make root canal look like a day at the kiddie park. Often even a catastrophe
doesn't do it. They just lay the blame on the IT staff and retain the status quo. I've
even seen instances in which the security budget was *reduced* following a
catastrophic loss of data because 'it obviously wasn't doing any good to spend
money in that area.'
In short, the issue of ensuring that all boxes get patched for all vulnerabilities, while
admittedly more important with each passing day and each increasingly destabilizing
incident, is not at all a simple one, no matter how it may look on paper. I don't
honestly know the way to address it most successfully. But I would be willing
to bet that it will involve education and cooperation among all of us concerned with
the fate of the Internet. I'd also be willing to bet that name-calling won't get us there.
Peace, brothers.
m5x
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
