This is getting tiresome! Cracking someone's system and modifying it to
leave a backdoor is criminal. Police using leverage over a criminal to get
at other criminals is nothing new nor necessarily bad if done within the
law. As to the responsibility of all of the sundry admin's and software
vendors please refer to last month's thread about the phb who allowed his
linux box to get hacked and mediaone shut him off for running a scan on
their network - repeatedly. Let's not rehash tired old arguments over and
over. For those who weren't here suffice it to say the internet is not a
good fit for any traditional analogies; you should secure your servers;
crackers are criminals and hard to track down; ISP's are business's that
must protect their own resources and infrastructures; Owners of connected
machines must understand that they are both vulnerable to attack and
responsible for the behavior of their machines while they are connected
whether they are aware or not... Just go back and re-read the entire
flame-war if it will amuse you. It kept us all busy for about two weeks
prior to the last nashua lug meeting.
-----Original Message-----
From: Tony Lambiris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 22, 2001 2:23 PM
To: Kurth Bemis; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Max Vision to get 18 Month
> depends where you leave it. In charlestown, i leave my car unlocked all
> the time (except at night). In new York or Boston I locked it and then
> checked on it every hour, and i made sure that all valuables were taken
out
> and that it was parked in a well lit area ,etc.....
I was actually going to say how these types of analogies really dont fit.
You cant compare neighborhoods to the internet. I have no problem leaving my
windows cracked a little bit when Im home because I live right on the border
of New Boston, but everytime I go to the mall, I lock everything up, and I
put whatever valuables I have laying around in the glove box and lock it
(security through obscurity... out of sight, out of mind). There aren't any
'bad parts' on the internet.
> agreed. they should be shot.....and just because the admin didn't do his
> job the company that the admin works for is out for blood to get this guy
> that wrote the worm. dosen't anyone remember robert tappan morris? you'd
> think that in 20 years of computers moving into the mainstream that we'd
be
> a bit more prepared for this stuff.
And that's exactly what it is. They arent preparded. The whole process is a
game. Plain and simple. A new bug is discovered, someone writes an exploit
for it, and its a race whether you can patch your servers first, or they get
in first. Although, there are a ton of other things you can do to protect
your system from typical exploits (how can they run a suid shell in /tmp if
you set the filesystem perms to nosuid and noexec?), but thats a whole other
matter. The mentality of most admins is "if its working, Im doing my job",
and thats BS. Every admin should be subscribed to BUGTRAQ, they should be
visiting 'hacking' websites everyday, and a whole array of other stuff. THAT
is being an admin. The sad part (like Kurth mentioned), is that the time
frame between the bug being discovered, and an exploit being released is
AMPLE time to patch any vulnerable systems you may have. Not to mention 9
out of 10 bugs that can be exploited are discussed on the VULN-DEV bugtraq
list.
> if its a known hole in the softare then it is your fault. you didn't
> upgrade or patch....why not? its not like this was found one night and
> then the worm came out the next. there was pleanty of time to
> upgrade....people just don't. even linus said that people aren't
upgrading
> software as much as they should be nowadays. :-)
I definately agree. Admins should have all the software installed on their
servers written down somewhere, and they should be subscribed to any
mailinglists for those programs. They should also have mail filters that
filter any traffic that pertains to those specific programs. Admins simply
dont take the time and care they should, so when they do get hacked, and
fire from above comes down on them, then the admin will do everything in
their power to get the [h|cr]acker, as to pass the blame off of his
shoulders. Admins just dont want to take responsibility for their ignorence
and neglect. Very childish if you ask me.
> but who left the front door open? you did? why? I'm not saying its ok
to
> take your TV...but if it does dissapear whose fault is it? yours. I
Hear hear. Theres obviously a chance that they will kick down your door to
get your TV, but by closing and locking your door and setting your house
alarm, you just cut down your chances by 1000%. Besides, criminals dont like
working (which is why they do what they do). If they see an easier target,
youd better believe they are going to pass your house by.
> believe that people are directley responsible for thier actions. I'm not
> saying that because people are stupid it dosen't meant that criminals
> aren't criminals. they are. however the punishment is wayyy too stiff
for
> a action could of been prevented by patching and recompiling something.
I personally think he got way too much time. When companies calculate
'damages', do you honestly think they are remotely accurate? No. They want
to make an example out of whoever got into their network. Of course... if
the admin did their JOB, then all this frustration and damages wouldve never
happened in the first place. :)
> and yes..i agree MS should be held directly accountable for cracks and
> other flaws due bad programming.
This brings up a very interesting point.... if a hosting service goes down,
the company paying for hosting can sue the hosting company for loss of
profit (due to the servers being down). Yet when a machine BSOD's, or the
15th remote IIS exploit is released that week, Microsoft gets off scotch
free?
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
