-----BEGIN PGP SIGNED MESSAGE-----

Fair comment and you are entitled to your opinion. However much we 'Helpdesk' (as Pipes 
puts it) people who have to manage actual live systems would like to secure our 
systems, we are still driven by the management.

Yes, it would be nice to have a management structure that recognised the value of 
infosec. Yes, it would be nice if development would commit resources to updating code 
in the light of patches/upgrades/etc. Yes, it would be nice if we could control the 
network with an iron fist. Yes, it would be nice... but in the end we are driven by the 
bottom line, especially in the current economic climate. If the CEO says that the new 
product deadline is more important than fixing the code for SQL SP3 then that's what 
we have to deal with. Tough.

So saying that there is no excuse not to patch, blah blah blah, doesn't hold true. We have 
to work within logistical boundaries and do what we can. What do you do if patching 
isn't viable, the systems have to stay up and development/test resources can't be 
committed to fixes? In this instance you block port 1434 if you can and hope to God 
that nothing bad happens.

What I am trying to say is that it is easy for security researchers, software vendors, 
anonymous people on mailing lists, etc. to say "patch your systems or you've only 
yourself to blame". But when people say things like "so yes, you probably could get 
away with unplugging servers" in response, it goes to show that they don't understand 
the political and logistical factors in running a real live secure system that 
generates revenue.

Just imagine you pulled the plug on your company's webserver because they were running 
an unpatched IIS (and you're running IIS because some development manager decided it 
was The Right Thing). Your CEO comes storming down saying they are losing business 
and the reputation of the company is being damaged. What do you do? Retort with "well, 
a hacked webserver would be more damaging"? What do you think (s)he'll say? "Oh OK 
then, I see your point. Keep the servers down until it's patched, and thank you for your 
proactive stance." Or, more likely, "get the servers back on-line or you are fired".

I'm not making personal attacks here: everyone should be free to have their own 
opinion and I'm willing to admit that I might be wrong. I just get narked by this 
whole attitude that security is the primary focus of everything. In the Real World I've 
found that money is the primary focus and security is protection of investment that 
sometimes has to be compromised, however much we know/insist that this shouldn't be 
the case.


On Thu, 2003-01-30 at 13:08, Pipes Cuchifrito wrote:
> > With regards patching systems: have you ever worked in a *real* operations post? 
> > Have you ever had developers of your main product say to you "no you can't upgrade to 
> > SP6a as it'll break the main engine". No matter how much you beg and plead to get this 
> > fixed they don't have the resources. What you gonna say? "Fuck you then I'm 
> > unplugging the Live servers"?
> >
> Yet another clueless twit.
> 
> -- 
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/~pauls/
> AVIEN Founding Member
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wmAEARECACAFAj46ckoZHGZ1dHVyZXNob2tzQGh1c2htYWlsLmNvbQAKCRCz85xsvW2z
xSxHAJ9FlbbdLhnOnSHCVNTg7BrtFEh9SACeODydxbVxVLjkjNbGcqZ63J4IH+0=
=blOf
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
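The post above describes the fallback when patching isn't an option: block port 1434 and hope. The hope part can be replaced by a check. What follows is an added example, not code from the poster or from the list: a small Python probe that asks the SQL Server Resolution Service on UDP/1434 to list its instances and reports whether anything pre-SP3 still answers. It assumes the SSRP wire format documented in MS-SQLR (client sends a single CLNT_UCAST_EX byte 0x03; the server replies with 0x05, a little-endian 16-bit length, then ASCII `key;value;...;;` records), and that SQL Server 2000 SP3 reports engine build 8.00.760. The host name and the sample response datagram are constructed for the example.

```python
"""Probe UDP/1434 (SQL Server Resolution Service, SSRP) and report whether a
pre-SP3 SQL Server 2000 instance is still reachable there.

Added example, not from the original post. Assumptions: the MS-SQLR wire
format (CLNT_UCAST_EX = 0x03 request; 0x05 + u16 LE length + ASCII records
reply) and that SQL Server 2000 SP3 reports build 8.00.760. The sample
response datagram below is constructed, not captured.
"""
import socket
from typing import Dict, List, Optional, Tuple

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"   # unicast "list your instances" request
SVR_RESP = 0x05           # first byte of every server reply
SP3_BUILD = (8, 0, 760)   # SQL Server 2000 SP3 engine build (assumed, see above)


def parse_ssrp_response(data: bytes) -> List[Dict[str, str]]:
    """Parse one SVR_RESP datagram into a dict per advertised instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):          # each instance record ends in ';;'
        fields = record.strip(";").split(";")
        if len(fields) < 2:
            continue                         # trailing empty record
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def parse_build(version: str) -> Tuple[int, ...]:
    """'8.00.534' -> (8, 0, 534); anything unparsable counts as unknown/old."""
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        return (0,)


def is_at_least_sp3(instance: Dict[str, str]) -> bool:
    return parse_build(instance.get("Version", "")) >= SP3_BUILD


def probe_host(host: str, timeout: float = 2.0) -> Optional[List[Dict[str, str]]]:
    """Send one SSRP request. None means nothing answered within the timeout,
    which is what a working port-1434 block (or no listener) looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_ssrp_response(data)


def assess(instances: Optional[List[Dict[str, str]]]) -> str:
    """Turn a probe result into the verdict an operations person wants."""
    if instances is None:
        return "no SSRP answer: port 1434 is blocked or nothing is listening"
    unpatched = [i for i in instances if not is_at_least_sp3(i)]
    if not unpatched:
        return "SSRP reachable, but every instance reports an SP3-or-later build"
    names = ", ".join(i.get("InstanceName", "?") for i in unpatched)
    return f"EXPOSED: pre-SP3 instance(s) answering on UDP/1434: {names}"


def sample_response() -> bytes:
    """Constructed SVR_RESP for a single SP2-level (8.00.534) default instance."""
    body = (b"ServerName;SQLSRV1;InstanceName;MSSQLSERVER;IsClustered;No;"
            b"Version;8.00.534;tcp;1433;;")
    return bytes([SVR_RESP]) + len(body).to_bytes(2, "little") + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(assess(probe_host(sys.argv[1])))          # e.g. python ssrp_probe.py 10.0.0.5
    else:
        print(assess(parse_ssrp_response(sample_response())))
```

Run it from the network segment the block is meant to protect (the Internet-facing side, a partner VPN), not from the server's own subnet: a UDP probe with no reply proves only that this path is closed. A reply with a pre-SP3 build is the concrete evidence to put in front of the development manager.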