Re: Was RE: disinfection tool -- now a minor rant.

From: Jim (mlistat_private)
Date: Mon Aug 06 2001 - 15:38:17 PDT

    > From the beginning, I thought this was the whole point
    > of the Code Red worm.  Given how "noisy" the worm is,
    > and given that CRv1 and 2 weren't all that destructive
    > (CRII seems to be an escalation...sort of, "I already
    > told what I could do...now I'm going to do it."), it
    > seems that CR is someone's idea for forcing admins to
    > install the patch.  After all, the vector leads to a
    > system-level compromise.  Look at it like a
    > vaccine...give the patient a small dose of the largely
    > inert 'virus' so that the system develops an immunity.
    
    Oo! Ooo! Now we can think up a new MS conspiracy...  the code red patch must
    have code in it to move money into Microsoft's account, so they created code
    red in order to force everyone to install the patch AAAAAHAHAHAHAHA I knew
    they were evil.
    
    
    > > A lot of people, me included, can't understand why
    > > professional
    > > admins don't update their systems.
    >
    > Nor do I understand.
    
    Professional admins do update their systems, that's part of what makes them
    professional ;)
    
    
    > After years of hearing this, I would love to hear a
    > viable way of doing this.  I've heard a variety of
    > techniques for educating business owners on risk, from
    > showing how it would impact their business, to making
    > it a business issue, to showing how a lack of security
    > can impact the bottom line.  I'm to the point of
    > believing that the business owners already know...they
    > just like the idea of someone kissing their arses and
    > begging for money.
    
    One opinion that prevails often is "Why would anyone want to hack us?  Our
    data isn't useful to anybody".  The idea that their hardware and bandwidth
    might be of some use to a parasite doesn't occur naturally to people who
    don't think about hardware and bandwidth.
    
    
    > > Contact your local paper or radio station
    > > and talk to the
    > > news director.  Do an interview, be an expert.
    >
    > There have to be trade-offs with this.  After all,
    > there are already 'experts' talking to the media,
    > which in turn generates FUD.  Say the wrong thing
    > and/or get quoted out of context, and you risk ending
    > up on a site like Attrition in a less-than-favorable
    > light.  The problem with the media is that if you're
    > not sensational enough, you don't get interviewed.
    > That's why JP of AntiOnline got more press with
    > regards to "profiling" than the folks who do it
    > professionally.
    
    I don't think anyone should volunteer to speak publicly as an expert.  On
    the net, it's fantastic.  Someone asks a question, three people respond
    correctly, and one person believes he has a correct answer when in fact he
    doesn't.  He is corrected within hours by the internet system.  But a public
    speaker has no such system available.  Once something's been said, true or
    not, everyone has heard it, and people who don't know any better will
    believe it.  Why shouldn't they?  The guy was an expert.
    
    If expert status came with peer recognition, then experts could be invited
    to speak publicly.  Volunteering is basically saying "I consider myself an
    expert on this topic", and the person who considers him(her)self an expert
    is often a dangerous sort of expert.
    
    
    > Perhaps this is where Mr. Ng's complaint comes
    > from...the very fact that one group has to take the
    > time to rescue another group from themselves, when we
    > all have access to the same resources.  So someone
    > invests a significant amount of intellectual property
    > to make someone else's job easier...for what?
    
    To help ensure that the problem is more contained?  To prevent infection of
    larger numbers of machines?  I see your point, the unpatched people are lazy
    or uninformed, and you can feel like you're doing their job by helping out
    (especially if it's all the time), but at the end of the day, more code red
    infections mean slower internet traffic and general degrading of service for
    everyone.  That's a good enough reason to help the slackers get it together.
    
    Plus, I liked someone else's point - there are a lot of internet connected
    small businesses that don't even employ an admin.  Quite often in these
    cases, you'll find that the secretary has a key to the backup tapes, and
    every morning she switches a tape.  Generally not even checking to see if
    the backup worked.  There's no-one at this company "not doing their job",
    the admin job doesn't even exist.  The scripted-patches CD would be a
    perfect candidate for companies like this.  You could possibly even make a
    small profit, by selling the CDs.  Is it legal to charge for CDs with
    Microsoft patches on them?  I mean, assuming you set a relatively minor
    price to cover distribution and such?
    There obviously is some added value in the work that's gone into the
    scripting, but the CD would be next to no use if it only came with the
    scripts and you had to provide links to all the patches.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 09:28:57 PDT