> One opinion that prevails often is "Why would anyone want to hack us? Our
> data isn't useful to anybody". The idea that their hardware and bandwidth
> might be of some use to a parasite doesn't occur naturally to people who
> don't think about hardware and bandwidth.

This is something I see commonly among both professionals and end users. I usually tell a horror story or two, with the odd case study. Often the message starts to sink in and the seed is planted. Code Red (and its descendants) is another nice case study.

Another overlooked group is the hobbyist organisation that sets up its own web server, or has one hosted by "someone's work". If administered by the hobbyist/non-profit group themselves, the admins may not be aware of the responsibility that goes with running such a system. I've had some degree of success with educating people about risks and responsibilities they may not have considered.

> If expert status came with peer recognition, then experts could be invited
> to speak publicly. Volunteering is basically saying "I consider myself an
> expert on this topic", and the person who considers him(her)self an expert
> is often a dangerous sort of expert.

Agreed. Security is an area where one can never know everything. We're always learning and trying to keep up to date.

> To help ensure that the problem is more contained? To prevent infection of
> larger numbers of machines? I see your point, the unpatched people are lazy
> or uninformed, and you can feel like you're doing their job by helping out
> (especially if it's all the time), but at the end of the day, more code red
> infections mean slower internet traffic and general degrading of service for
> everyone. That's a good enough reason to help the slackers get it together.

Well, the rate of attempts here is at least several hundred per hour, possibly into the thousands (I gave up counting some time ago). Anyone who cleans up and patches their infected system is helping to keep that unwanted traffic down.

> Plus, I liked someone else's point - there are a lot of internet connected
> small businesses that don't even employ an admin. Quite often in these
> cases, you'll find that the secretary has a key to the backup tapes, and
> every morning she switches a tape. Generally not even checking to see if
> the backup worked. There's no-one at this company "not doing their job",

Unfortunately, this is something that some OSs (especially Windows NT/2000 SBS, with its simplified interface) encourage. An easy to configure and use server means an increased likelihood of someone with less admin experience running a publicly accessible server. Some of the people running these machines could be educated, but even then, how do you find everyone?

> the admin job doesn't even exist. The scripted-patches CD would be a
> perfect candidate for companies like this. You could possibly even make a
> small profit, by selling the CDs. Is it legal to charge for CDs with
> Microsoft patches on them? I mean, assuming you set a relatively minor
> price to cover distribution and such?

I have a feeling you probably couldn't, but you'd have to read the licence conditions that come with the patches (most MS patches and all service packs throw up an agreement dialog, so it shouldn't be too hard to find out).

> There obviously is some added value in the work that's gone into the
> scripting, but the CD would be next to no use if it only came with the
> scripts and you had to provide links to all the patches.

Agreed. It would be better if the CD came with everything, just pop it in and run setup (or let it autorun, if you haven't killed that off). Better yet would be if Microsoft offered security updates for its OSs for some time after purchase, even if it meant subscribing to a security update service for a small cost to cover media distribution (bundle that with the OS).
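The poster mentions giving up counting Code Red attempts once they passed several hundred per hour. As an added illustration (not part of the original post or the list), the script below counts such probes per hour from web server log lines, so an admin can see how much of that unwanted traffic is reaching them and which hosts are still infected and worth notifying. It relies on the well-known Code Red propagation request (a GET for /default.ida followed by a long run of N or X filler characters); the log lines, addresses and timestamps are constructed sample data, not real captures.

```python
import re
from collections import Counter
from datetime import datetime

# Code Red I/II spread by requesting /default.ida with a long run of "N"
# (Code Red I) or "X" (Code Red II) ahead of the overflow payload. Matching
# on that filler run is a known signature; it is not taken from the post.
CODE_RED_RE = re.compile(r"^GET /default\.ida\?[NX]{100,}")

# Apache/NCSA common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines: three Code Red probes from two hosts plus
# one ordinary request and one malformed line the parser must skip.
SAMPLE_LOG = [
    f'203.0.113.7 - - [19/Jul/2001:14:02:11 -0700] "GET /default.ida?{"N" * 224}%u9090 HTTP/1.0" 404 276',
    f'198.51.100.23 - - [19/Jul/2001:14:37:50 -0700] "GET /default.ida?{"N" * 224}%u9090 HTTP/1.0" 404 276',
    '192.0.2.44 - - [19/Jul/2001:14:40:01 -0700] "GET /index.html HTTP/1.0" 200 1043',
    f'203.0.113.7 - - [19/Jul/2001:15:10:22 -0700] "GET /default.ida?{"X" * 224}%u9090 HTTP/1.0" 404 276',
    "this line is not in common log format",
]


def parse_line(line):
    """Return (host, timestamp, request) for a common-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("req")


def is_code_red(request):
    """True if the request line looks like a Code Red propagation attempt."""
    return CODE_RED_RE.match(request) is not None


def summarize(lines):
    """Count Code Red probes per hour and collect the probing hosts.

    Returns ({"YYYY-MM-DD HH:00": count, ...}, sorted list of source hosts).
    The host list is the set of systems still infected and worth a
    notification to their admin, which is the clean-up the post argues for.
    """
    per_hour = Counter()
    hosts = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in the expected format
        host, ts, req = parsed
        if is_code_red(req):
            per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
            hosts.add(host)
    return dict(per_hour), sorted(hosts)


if __name__ == "__main__":
    counts, infected = summarize(SAMPLE_LOG)
    for hour, n in sorted(counts.items()):
        print(f"{hour}  {n} Code Red attempt(s)")
    print("probing hosts:", ", ".join(infected))
```

Run against a real access log by reading its lines into `summarize()`; anything above a few attempts per hour from one host is a good candidate for a note to that host's administrator.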
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 17:29:44 PDT