RE: Large ISP response to Code Red?

From: Jonathan A. Zdziarski (jonathan.zdziarskiat_private)
Date: Tue Jul 31 2001 - 11:57:18 PDT


    To reiterate, IMHO it's both the fault of the vendor and the ISP.  MS
    *should* have had a patch out for this long before this happened.  Many
    large ISPs these days don't bother spending the money on security admins to
    put the workarounds in or even keep up to date on vulnerabilities, which is
    why I have no pity for them.
    
    *But* you cannot place sole blame on the ISP.  If you bought a Ford with
    Firestone tires, is it your fault if you die in a crash because the
    manufacturer dropped the ball?  Even if they issued a warning about the
    tires, are you going to tell the relatives of a dead family that it's their
    fault for not going out and buying new tires instead of waiting for a recall
    or more information?
    
    The standards of software manufacturers like Microsoft are lower than
    acceptable because administrators and consumers allow them to be
    irresponsible with their code.  More pressure needs to be applied, IMHO, on
    the software manufacturers who haven't got their act together enough to have
    a good test/QA department or coders smart enough to be able to write secure
    code.  But rather than apply the pressure there, we as consumers drill these
    software companies for the next version NOW.  This is, however, not an
    excuse for the vendor to be as irresponsible as they've been.  If software
    manufacturers like Microsoft weren't crack ho's thirsty for a quick buck,
    code would be much more secure, and Windows 2000 wouldn't be considered a
    different product than Windows NT.
    
    I for one am sick of buying cheap junk software with bugs like this.  Take a
    look at the recent SSH 3.0.0 exploit.  The stinking software allowed anyone
    to log in as bin, daemon, etc. on any machine that used 'NP' in their shadow
    file.  Tell me they couldn't have found that bug if they were responsible
    enough to test their own software thoroughly, especially when jumping up a
    major version number like that.  Did they even TRY to log in with a wrong
    password when testing it, or did they just go from alpha to release?  If
    anyone heard about it but didn't fix it, or if they didn't bother
    subscribing to lists like this because they didn't know any better, I
    haven't got a lot of pity for them, but I still blame the vendor for
    irresponsibly releasing code without adequately testing it.  Same case with
    Microsoft.
    
    
    -----Original Message-----
    From: Kundera [mailto:kunderaat_private]
    Sent: Tuesday, July 31, 2001 2:40 PM
    To: incidentsat_private
    Cc: jonathan.zdziarskiat_private
    Subject: RE: Large ISP response to Code Red?
    
    
    How many times do you people have to be told that this vulnerability
    is over a month old?  In addition, MS's best practices guide for IIS,
    which has been around for much longer, recommends removing file mappings
    that aren't in use.  How can you possibly blame MS for our laziness?
    If you let the tires on your car wear down until they're bald and then
    you wreck in the rain, should you blame the manufacturer?  No!  It's
    your own fault for not paying more attention and you deserve what you
    got!
    
    Kundera
    
    -----Original Message-----
    From: Jonathan A. Zdziarski [mailto:jonathan.zdziarskiat_private]
    
    My 2 cents:
    
    Security is everyone's responsibility.  Microsoft needs to get on the
    ball and provide patches and workarounds much quicker than they have
    been.  It wouldn't surprise me to see a class action suit crop up after
    this last failure to take action.  ISPs [wrongly] trust the vendor to
    provide secure software.
    
    
    
    
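The SSH 3.0.0 bug mentioned in the thread concerned accounts whose shadow password field holds a placeholder such as 'NP' rather than a real hash. The following audit script is an added example, not code from any poster or vendor on this page: it parses shadow-format lines and reports every account whose password field is not a recognisable crypt hash, so an admin can confirm that each such account actually rejects password logins. It goes beyond the thread's 'NP' case by also flagging locked ('*', '!') and empty password fields; the sample shadow lines are constructed for the example.

```python
import re

# Constructed sample /etc/shadow lines (not taken from any real host).
# The 'NP' entries mirror the placeholder the thread says SSH 3.0.0 mishandled.
SAMPLE_SHADOW = """\
root:$1$Qx3fTz9p$m7Z0k6Ky3r1Vb2Xc4Dd5e.:11534:0:99999:7:::
bin:NP:11534:0:99999:7:::
daemon:NP:11534:0:99999:7:::
nobody:*:11534:0:99999:7:::
ftp:!!:11534:0:99999:7:::
guest::11534:0:99999:7:::
jdoe:AbCdEfGhIjKlM:11534:0:99999:7:::
"""

# Traditional 13-character DES crypt hash.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format ($1$ MD5, $5$/$6$ SHA, etc.): "$id$salt$hash".
MODULAR_HASH = re.compile(r"^\$[0-9a-z]+\$")
LOCKED_PREFIXES = ("!", "*")


def classify_password_field(field):
    """Return one of: 'hash', 'locked', 'empty', 'placeholder'.

    Anything other than 'hash' is a field that no password should ever match;
    such accounts are exactly the ones an authentication bug can turn into
    open doors, so they deserve an explicit rejection test.
    """
    if field == "":
        return "empty"
    if field.startswith(LOCKED_PREFIXES):
        return "locked"
    if MODULAR_HASH.match(field) or DES_HASH.match(field):
        return "hash"
    # 'NP', 'LK' and similar vendor placeholders land here.
    return "placeholder"


def audit_shadow(text):
    """Map each account name in shadow-format text to its field classification."""
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: malformed shadow entry")
        result[fields[0]] = classify_password_field(fields[1])
    return result


def accounts_needing_review(text):
    """Sorted list of accounts whose password field is not a real hash."""
    return sorted(user for user, kind in audit_shadow(text).items() if kind != "hash")


if __name__ == "__main__":
    for user, kind in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:10} {kind}")
    print("review:", ", ".join(accounts_needing_review(SAMPLE_SHADOW)))
```

Run it against a copy of a real shadow file and, for every account it lists, attempt a password login with a deliberately wrong password through each service that consults the shadow file; all of them must fail. That is the test the thread complains the vendor apparently skipped.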
    


