On 2010-04-20 at 12:39 -0500, Matt Lawrence wrote:
> Having a linux server with an uptime of 1188 days is pretty neat from a
> geeky perspective. Having a production server on the network of a company
> that handles billions of dollars in financial transaction that hasn't had
> security updates in 1188 days is rather frightening.
On a more light-hearted note: at $former_employer, we had managed Windows boxes in a domain, and FreeBSD workstations. The Unix boxes were for NOC staff and anyone in Support who agreed to follow some simple rules, which included subscribing to particular mailing-lists and applying the security updates that came through, since they'd no longer be getting automatic updates pushed out by the NT domain.

One of those memes spread where a bunch of folk started putting the output from uname+uptime (or some such) into their mail .sigs. I protested that there was no need to give this information out. I was jeered at.

I looked at the .sig on the jeer, looked at the uptime, and pointed out that their FreeBSD system had been up since before a critical kernel security advisory had come out; remote code execution via some network flaw, IIRC. I pointed out that this was the sort of information that attackers loved and, by way of example, I now knew that they weren't following the company security policy which they'd agreed to in order to get a non-managed host.

A request for a status update on their security fixes, CC'd to the manager, not only got that particular instance fixed, it also stopped the information disclosure in .sigs.

Of course, in part this just hid the underlying issue (lack of audit that staff were doing what they said they would) but the lesson ... I feel that the lesson was learnt.

-Phil
BOFH Pennock.

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
