lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

-----Original Message-----
From: Ron DuFresne [mailto:dufresne@...ternet.com] 
Sent: Sunday, January 26, 2003 3:35 PM
To: Schmehl, Paul L
Cc: Matt Smith; Richard M. Smith; jasonc@...ence.org; Jay D. Dyson;
Bugtraq; Full-Disclosure
Subject: RE: [Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET
BLOCK PORT 1434!

On Sat, 25 Jan 2003, Schmehl, Paul L wrote:
>
>> Until you've walked a mile in the shoes of the admins having to deal 
>> with this, keep your smug self-righteous indignation to yourselves.

>Admins of the boxes in question and more directly the network admins 
>are fully responsible.  But, perhaps the real issue here is this is 
>a rationale for more distinct perimiter boundries.  That and the fact 
>that foreknowledge of M$-SQL issues have been known since slapper at 
>the least and thus, these ports should have long been blocked or 
>'protected' on the perimiters.

This simply shows your ignorance of the issues, Ron.  Port 1434 was not
a normal port for SQL server *until* MSDE came out.  We obviously
blocked 1433 long ago, as did almost every edu in the universe.  But
1434 was a recent "innovation" to make SQL server capable of running
multiple instances on multiple ports.

>Yet, even if you have an internal 'cloud' of systems, they have
entrance 
>and exit points to and from your .edu network.  It might seem dramatic,

>but closing the access/entrance points from those systems that have/had

>been compromised would prhaps quickly resolve the issues in that .edu 
>domain you are charged with.

Now you're being silly.  I'm certain that every edu in the world was
rushing to close port 1434 yesterday.  But the horse was already out of
the barn.

>If the .edu domains policies do not allow 
>such 'extreme' measures of dealing with admins not up to snuff, then
the 
>matter needs to be pushed up the chain of that domains 'management', 
>which of course starts with admins, in staff meetings, pushing their 
>teir one folks and managers to push for something higher in the feeding
chain.

And here, you display your ignorance of the edu environment.  The idea
that an admin could close a port simply because he thought it was
dangerous is laughable.  You have to go through committtees made up of
students and faculty and convince them it's necessary.  Then you have to
get the President's approval, and in the case of state schools, the
approval of the Regents or Chancellors.

>Whining that your hands are too full to do the job you are hired and
paid 
>to do, while waiting for vendors to fix issues that they have a long
record 
>of wanting to avoid dealing with, will get nothing accomplished.

First of all, it's *not* my job.  Secondly, I wasn't whining.  Thirdly,
you'd better hope and pray there are people like me in edu who care
enough to fight for what's right security-wise, or there's no hope for
the Internet.  (And I can assure you that there are a *lot* of people in
edu who care very much and are working hard to change things.)

As far as waiting for vendors to fix things goes, why do you think I've
abandoned MS products at work and refuse to use them for any of my
security related work?

Blaming the admins for what happened is akin to prosecuting a woman for
being raped.  Instead of going after the perpetrators who wrote and
released the worm, you want to go after the admins whose networks were
taken advantage of.  And you *assume* they were lazy, incompetent or any
of the other perjoratives that make you feel better about yourself.

Try working in a large edu sometime and see how much change you can
initiate.  It takes a tough person to stick it out and keep fighting.
(I'm not tooting my own horn, but standing up for all edu admins
everywhere.)  Some universities are *still* fighting to get the NetBIOS
ports closed, for god's sake.  Do you think for one minute that *any*
admin in his right mind would *willing* expose those ports to the
Internet?  If not, then *why* on earth do you think they're still open?
(Because the admins don't have the power to close them.)

It's *real* easy to criticize.  Especially when you work in an
atmosphere you can completely control.  It's a lot tougher to find
solutions to real problems in the real world and fight for change where
it needs to occur.

Why not blame the networks that allow these jerks to release their
worms, run their DDoS networks and do all the other crap they do?  Why
is it still possible to host a website on the Internet that freely makes
worms, viruses and exploit code available to the world?  (Yeah, I know,
it's a freedom of speech issue, right?  Yeah, right!)

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ