On Tue, May 22, 2001 at 02:23:14PM -0400, Tony Lambiris wrote:

> I was actually going to say how these types of analogies really don't fit.
> You can't compare neighborhoods to the internet. I have no problem leaving my
> windows cracked a little bit when I'm home because I live right on the border
> of New Boston, but every time I go to the mall, I lock everything up, and I
> put whatever valuables I have laying around in the glove box and lock it
> (security through obscurity... out of sight, out of mind). There aren't any
> 'bad parts' on the internet.

You're right; but only because the Internet is ONE BIG NEIGHBORHOOD.
There are no bad parts, just one big bad whole.  Anyone with a
computer and a desire to break your stuff is milliseconds away from
it, and they ARE the bad element.  It's not on the other side of the
RR tracks; it's on your own bloody wire.


> And that's exactly what it is. They aren't prepared. The whole process is a
> game. Plain and simple. A new bug is discovered, someone writes an exploit
> for it, and it's a race whether you can patch your servers first, or they get
> in first. Although, there are a ton of other things you can do to protect
> your system from typical exploits (how can they run a suid shell in /tmp if
> you set the filesystem perms to nosuid and noexec?)
[SNIP]
> Every admin should be subscribed to BUGTRAQ, they should be visiting
> 'hacking' websites everyday, and a whole array of other stuff. THAT
> is being an admin.

This is all well and good, and I agree in principle with a lot of the
points you and others are making, but the damning flaw in it is that
it overlooks one very important thing: reality.

Reality: Not every sysadmin has time to read security mailing lists.
Reality: Companies are almost always less interested in security than
         in productivity.
Reality: If every sysadmin were a security expert, they wouldn't have
         time to be good at anything else.
Reality: If all the servers and desktops were kept 100% current with all
         the security patches and bug fixes, no one would ever get any
         work done, because there'd be no time for anything else.
Reality: As if all this weren't enough, most companies don't have
         enough sysadmins to meet their IT needs, even if they're
         already doing ZERO to fix their security problems.

So yeah, it's really easy to blame the sysadmins for not being
up-to-date on all their patches and upgrades, but ask your average
sysadmin how much time they are allowed to spend on this stuff.  I can
almost guarantee you that for the majority of them, the answer will be
0.  0 hours, 0 minutes, 0 seconds.

Why?  Because management doesn't see it as important until all the
servers melt down.  Why?  Because it's virtually impossible to show
how it will advance the bottom line.  It's true that the admins need
to take responsibility for keeping up-to-date, but it's hard to blame
those that don't when their management basically won't let them.

I'm really sick of people blaming the admins.  If managers would let
them take care of these problems, they would, PROVIDED they were
skilled and educated enough to know about them.  If you're a junior
admin, and your senior admins don't know there even are security
issues, how are you going to find out?  

But most importantly, IF WE DID NOT ALLOW SOFTWARE VENDORS TO SELL
BUGGY SOFTWARE AND TAKE NO RESPONSIBILITY FOR THE CONSEQUENCES, WE
WOULD NOT HAVE THIS PROBLEM.

-- 
---------------------------------------------------
Derek Martin          |   Unix/Linux geek
[EMAIL PROTECTED]    |   GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
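The nosuid/noexec mount for /tmp that Tony's quoted reply mentions is one of the cheap, low-maintenance mitigations the thread is arguing about. The script below is an added example, not code from either poster or from the list: it is a POSIX sh check that reads /proc/mounts-style lines and reports which of the required options a mountpoint is missing. The mount table here is a constructed sample, not a real host; nodev is included alongside nosuid and noexec as an assumption about what a hardened scratch filesystem should carry, since the thread only names the first two.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts-style lines (not captured from a real system).
# Field layout: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda3 /tmp ext3 rw,nosuid,noexec,nodev 0 0
/dev/sda4 /var/tmp ext3 rw 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# mount_opts MOUNTPOINT -> prints the option list for that mountpoint (empty if not mounted separately).
# Replace SAMPLE_MOUNTS with the output of `cat /proc/mounts` to run this against a live host.
mount_opts() {
    printf '%s\n' "$SAMPLE_MOUNTS" | awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# has_opt OPTLIST OPT -> success if OPT appears as a whole comma-separated element of OPTLIST.
# Wrapping both sides in commas prevents "nosuidx" from matching "nosuid".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount MOUNTPOINT OPT... -> prints a one-line verdict.
# Returns 0 if every option is present, 1 if some are missing,
# 2 if the path is not a separate mount at all (options cannot apply).
check_mount() {
    mp=$1; shift
    opts=$(mount_opts "$mp")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount"
        return 2
    fi
    missing=""
    for want in "$@"; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok ($opts)"
    return 0
}

# Example run over the constructed table.
check_mount /tmp     nosuid noexec nodev
check_mount /var/tmp nosuid noexec nodev
check_mount /dev/shm nosuid noexec nodev

# A hypothetical /etc/fstab line that produces the hardened /tmp entry above:
#   /dev/sda3  /tmp  ext3  defaults,nosuid,noexec,nodev  0 2
```

The check deliberately distinguishes "option missing" from "not a separate mount": mount options only protect a directory that is its own filesystem, so a /tmp that lives on the root filesystem cannot be fixed by editing its options at all, and the script's exit code 2 makes that case visible rather than reporting it as simply "missing".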


**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************