I couldn't agree more. Don't get me wrong... I have said things to knock admins in the past, however the more I talk to administrators I find that companies themselves make it a pain for administrators to sometimes even do their jobs. Two of the biggest things I hear from NT admins about security:

1. I am damned if I do and damned if I don't. A lot of times I have to wait until late Friday night or late in the evening to install a security patch because company management doesn't want any downtime for our eCommerce store etc...

2. I can not install XYZ Microsoft patch until we have tested it with our environment to make sure it's not going to break things.

Funny enough, a lot of NT admins seem to be more afraid of patches sometimes than vulnerabilities themselves. Those are generalizations and just examples, but nevertheless I was a bit surprised as I talked with a large handful of admins about this Code Red ordeal.... I was especially (well not really) surprised about number 2.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062 F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

|-----Original Message-----
|From: Mark Challender [mailto:MarkCat_private]
|Sent: Monday, August 06, 2001 12:05 PM
|To: 'Mark Ng'; incidentsat_private
|Subject: Was RE: disinfection tool -- now a minor rant.
|
|-----BEGIN PGP SIGNED MESSAGE-----
|Hash: SHA1
|
|This email struck a nerve in me.
|
|Mr. Ng speaks of "ignorant Sysadmins" and wanting to "get the idiots
|to listen."
|
|A lot of people, me included, can't understand why professional
|admins don't update their systems.
|
|What many of us forget, though, is that NT4 is being used by millions
|of small businesses who do not have professional admins and don't
|have a clue what IIS4 is and why it needs to be patched. Yet, they
|are connected with DSL (Cisco 675 modems that are failing) or
|fractional T1s and they don't understand why the "bad guys" want to
|get into their systems.
|
|What needs to be done is for people like us to educate those business
|owners. Contact your local paper or radio station and talk to the
|news director. Do an interview, be an expert. Create a "hit squad"
|of local sysadmins and offer to take phone calls from business
|owners. Create a Code RED fix on CD (maybe include SP6 and all post
|SP6 fixes including the IIS fixes on CD with an automated QChain
|script).
|
|But, quit complaining about "stupid, ignorant sysadmins" and the
|"idiots" and do something to help the situation.
|
|Most of us were not smart sysadmins to begin with........
|
|- -----Original Message-----
|From: Mark Ng [mailto:marknat_private]
|Sent: Monday, August 06, 2001 5:20 AM
|To: incidentsat_private
|Subject: RE: disinfection tool
|
|Perhaps a very controversial viewpoint is using the backdoor
|installed by the copycat Code Red worm to patch these systems.
|The majority of sysadmins who by now haven't patched (or unmapped
|the script mappings from) their systems are mostly ignorant anyway.
|Perhaps a couple of honeypot systems built to automatically connect
|back, patch and reboot.
|
|The only issue that creates is the problem of transparent proxies.
|Not sure how you'd solve that one.
|
|This may eventually be the only way of actually getting rid of Code
|Red completely. If we live in an ideal world, we'd eventually get
|the idiots to listen. However, I find that unlikely.
|
|Mark
|
|- ----------------------------------------------------------------------------
|This list is provided by the SecurityFocus ARIS analyzer service.
|For more information on this free incident handling, management
|and tracking system please see: http://aris.securityfocus.com
|
|-----BEGIN PGP SIGNATURE-----
|Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
|
|iQA/AwUBO27p4d5aUxficepaEQLQDACgn//XAnrm1HFZbBtD/Ax7ODRB5AIAoOzn
|dXkFl5005IccBSWdQQatpnM9
|=oTd8
|-----END PGP SIGNATURE-----
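Mark Challender's "fix CD with an automated QChain script" idea, sketched out as an added example that is not part of the thread and not Microsoft's own sample. It assumes the CD is mounted as drive D:, that the hotfix packages and qchain.exe sit in D:\hotfixes, and that the package names are placeholders standing in for whatever post-SP6 and IIS hotfixes the CD actually carries. Each hotfix is run with -z (no reboot) and -m (unattended) so the machine reboots only once at the end, after qchain.exe has reconciled the pending file replacements:

```batch
@echo off
REM Added example (not from the original thread): stage several NT4 hotfixes
REM from a CD with a single reboot at the end, using qchain.exe.
REM Assumptions: CD is D:, packages live in D:\hotfixes, and the Q-numbered
REM file names below are placeholders, not real Microsoft package names.
setlocal
set FIXDIR=D:\hotfixes

if not exist "%FIXDIR%\qchain.exe" (
    echo qchain.exe not found in %FIXDIR% - nothing installed.
    goto :end
)

REM -z = do not reboot after this hotfix, -m = unattended (no prompts).
REM Each package is guarded with "if exist" so a missing file is reported
REM instead of silently leaving the box half-patched.
if exist "%FIXDIR%\Q000001_iis4_placeholder.exe" (
    echo Installing Q000001 ...
    "%FIXDIR%\Q000001_iis4_placeholder.exe" -z -m
) else (
    echo WARNING: Q000001 package missing, skipped.
)

if exist "%FIXDIR%\Q000002_iis4_placeholder.exe" (
    echo Installing Q000002 ...
    "%FIXDIR%\Q000002_iis4_placeholder.exe" -z -m
) else (
    echo WARNING: Q000002 package missing, skipped.
)

if exist "%FIXDIR%\Q000003_nt4_placeholder.exe" (
    echo Installing Q000003 ...
    "%FIXDIR%\Q000003_nt4_placeholder.exe" -z -m
) else (
    echo WARNING: Q000003 package missing, skipped.
)

REM qchain.exe sorts the pending file-replacement list so that the newest
REM version of each shared file is the one that survives the reboot.
"%FIXDIR%\qchain.exe"
echo Hotfixes staged. Reboot this system now to complete installation.

:end
endlocal
```

Run it from the CD as an administrator, reboot once when it finishes, and re-check the IIS script mappings afterwards: a patched system that still maps unneeded extensions (the "unmapped the script mappings" point earlier in the thread) has closed only part of the exposure.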
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 14:36:43 PDT