To reiterate, IMHO it's both the fault of the vendor and the ISP. MS *should* have had a patch out for this long before this happened. Many large ISPs these days don't bother spending the money on security admins to put the workarounds in or even keep up-to-date on vulnerabilities, which is why I have no pity on them. *But* you cannot place sole blame on the ISP. If you bought a Ford with Firestone tires, is it your fault if you die in a crash because the manufacturer dropped the ball? Even if they issued a warning about the tires, are you going to tell the relatives of a dead family that it's their fault for not going out and buying new tires instead of waiting for a recall or more information? The standards of software manufacturers like Microsoft are lower than acceptable because administrators and consumers allow them to be irresponsible with their code. More pressure needs to be applied, IMHO, on the software manufacturers who haven't got their act together enough to have a good test/QA department or coders smart enough to be able to write secure code, but rather than apply the pressure there, we as consumers drill these software companies for the next version NOW - this is, however, not an excuse for the vendor to be as irresponsible as they've been. If software manufacturers like Microsoft weren't crack ho's thirsty for a quick buck, code would be much more secure - and Windows 2000 wouldn't be considered a different product than Windows NT. I for one am sick of buying cheap junk software with bugs like this. Take a look at the recent SSH 3.0.0 exploit... The stinking software allowed anyone to log in as bin, daemon, etc. on any machine that used 'NP' in their shadow file... tell me they couldn't have found that bug if they were responsible enough to test their own software thoroughly... especially when jumping up a major version number like that. Did they even TRY to log in with a wrong password when testing it, or did they just go from alpha to release?
If anyone heard about it but didn't fix it, or if they didn't bother subscribing to lists like this because they didn't know any better, I haven't got a lot of pity for them, but I still blame the vendor for irresponsibly releasing code without adequately testing it. Same case with Microsoft.

-----Original Message-----
From: Kundera [mailto:kunderaat_private]
Sent: Tuesday, July 31, 2001 2:40 PM
To: incidentsat_private
Cc: jonathan.zdziarskiat_private
Subject: RE: Large ISP response to Code Red?

How many times do you people have to be told that this vulnerability is over a month old? In addition, MS's best practices guide for IIS, which has been around for much longer, recommends removing file mappings that aren't in use. How can you possibly blame MS for our laziness? If you let the tires on your car wear down until they're bald and then you wreck in the rain, should you blame the manufacturer? No! It's your own fault for not paying more attention and you deserve what you got!

Kundera

-----Original Message-----
From: Jonathan A. Zdziarski [mailto:jonathan.zdziarskiat_private]

My 2 cents: Security is everyone's responsibility. Microsoft needs to get on the ball and provide patches and workarounds much quicker than they have been. It wouldn't surprise me to see a class action suit crop up after this last failure to take action. ISPs [wrongly] trust the vendor to provide secure software.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
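The SSH 3.0.0 bug mentioned above turned on accounts whose shadow password field held a placeholder such as 'NP' instead of a real hash, i.e. accounts that are only as locked as the authenticating daemon's handling of that field. The audit below, an added example that is not part of the thread and not SSH's own code, walks a shadow-format file and lists every account whose password field is not a recognizable crypt(3) hash, so an administrator can review which accounts depend on such placeholders. The sample records are constructed for the example; the hash strings are not real.

```python
import re

# Constructed sample in /etc/shadow format:
# name:password:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = """\
root:$6$saltsalt$NotARealHashJustForTheExample:11900:0:99999:7:::
bin:NP:11900:0:99999:7:::
daemon:NP:11900:0:99999:7:::
nobody:*:11900:0:99999:7:::
carol:abJnggxhB/yWI:11900:0:99999:7:::
guest::11900:0:99999:7:::
dave:!$1$xyz$AlsoNotRealHash:11900:0:99999:7:::
"""

# Traditional DES crypt(3) output: exactly 13 characters of this alphabet.
_DES_HASH = re.compile(r"[./0-9A-Za-z]{13}")


def parse_shadow(text):
    """Yield (user, password_field) for every record with at least two fields."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        yield fields[0], fields[1]


def classify(pwfield):
    """Classify a shadow password field.

    'hash'        - modular-crypt ($id$salt$hash) or traditional 13-char DES hash
    'locked'      - starts with '*' or '!', the conventional lock markers
    'empty'       - no password at all
    'placeholder' - anything else (e.g. 'NP'), not a hash the daemon can verify
    """
    if pwfield == "":
        return "empty"
    if pwfield[0] in "*!":
        return "locked"
    if pwfield.startswith("$") and pwfield.count("$") >= 3:
        return "hash"
    if _DES_HASH.fullmatch(pwfield):
        return "hash"
    return "placeholder"


def find_non_hash_accounts(text):
    """Return [(user, category), ...] for every account without a real hash.

    Every entry returned relies on the login code rejecting the field outright;
    'empty' and 'placeholder' entries deserve the closest look.
    """
    return [(user, classify(pw)) for user, pw in parse_shadow(text)
            if classify(pw) != "hash"]


if __name__ == "__main__":
    for user, category in find_non_hash_accounts(SAMPLE_SHADOW):
        print(f"{user:10s} {category}")
```

Run against a real file with `find_non_hash_accounts(open("/etc/shadow").read())` as root; accounts reported as 'placeholder' or 'empty' are the ones to lock with a conventional marker or remove, and every reported account should be tested to confirm the daemons on the host refuse it.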
This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 15:20:56 PDT