RE: [ISN] Security Firm Blamed For Code Red Costs

From: InfoSec News (isnat_private)
Date: Mon Aug 13 2001 - 01:17:18 PDT


    Forwarded from: Patrick S. Harper <patrickat_private>
    
    I do not believe that full disclosure is the problem.  Full disclosure
    in my opinion keeps software manufacturers on their toes.  I believe
    that many of the problems come from unqualified people sitting in the
    sysadmin or network engineer chair.
    
    Companies (especially smaller ones) do not want to pay what it costs
    for someone who knows what they are doing to come in and secure their
    systems.  Too many times have I seen the "Network Administrator" of a
    company who has no clue.  He just happened to like computers and wound
    up with the job so they could save 20K a year.  Then when a disaster
    hits, a server falls over, or they get hacked, they have no clue how to
    recover.
    
    The company then has to bring in a consultant for disaster recovery
    (which for me is 1.75X my normal rate).  They lose money and
    productivity because no e-mail is going out, or Joe lost that project
    that he had been working on for three months with no backup (but it
    was on a network share???).  I think sometimes that incidents like this
    are good in a way.
    
    You learn the importance of getting and keeping good people, keeping
    them up on training, making sure they have the appropriate equipment,
    and are ready to do their jobs.
    
    just my $.02 worth
    
    
    
    > -----Original Message-----
    > From: owner-isnat_private [mailto:owner-isnat_private]On Behalf
    > Of InfoSec News
    > Sent: Saturday, August 11, 2001 2:05 AM
    > To: isnat_private
    > Subject: [ISN] Security Firm Blamed For Code Red Costs
    >
    >
    > http://www.newsbytes.com/news/01/168934.html
    >
    > By Brian McWilliams, Newsbytes
    > ALISO VIEJO, CALIFORNIA, U.S.A.,
    > 10 Aug 2001, 5:11 PM CST
    >
    > The damage toll from the Code Red worm has sparked a new debate over
    > what security experts call "full disclosure."
    >
    > Richard M. Smith, chief technology officer for the Privacy Foundation,
    > today criticized the company that found and publicized the glitch in
    > Microsoft's Internet Information Server (IIS) which led to the
    > creation of the malicious worm and a copy-cat.
    >
    > "Was it really necessary for eEye Digital Security to release full
    > details of the IIS buffer overflow that made the Code Red I and II
    > worms possible? I think the answer is clearly no," wrote Smith in a
    > message to the Bugtraq security mailing list today.
    
    [...]
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 03:26:33 PDT