From: yossarian at planet.nl (yossarian)
Subject: The worm author finally revealed!

> > > How 'bout
> > > an even more esoteric question?  Why do the tier 1 providers (like
> > > UUNET) allow traffic on port 1434???
> > because there is no reason to block it.
Well, some people might want to use it. If they are to block any port ever
used by attackers, we'll have to decide on a replacement for TCP/IP - many
trojans can use ANY port, for instance.

Paul Schmehl wrote:
> Really?  Well people here are talking about suing the "admins" who are
> "too lazy" to patch.  How about if I sue the ISPs who don't block port
> 1434/UDP and consequently take down the Internet from all their single
> users who were running SQL with no clue?

> Wanna bet a lawyer will take that case some day?
>
Don't think so; single users don't have enough money to pay their fee, let
alone the damages. ISPs have their contracts and SLAs; unless you decide to
buy filtering, you don't get it - no case you can win in court.

What you are advocating is taking legal action against everyone except the
professionals in your dept. who are too busy to fix their boxes.

If I add your recent posts up: responsible are the virus makers, the people
doing full disclosure, the ISPs, the home users unknowingly or cluelessly
running SQL Server, maybe MS for making this buggy product, anyone but your
beloved admins who get leery, but have no clue: 6 months after the release
of the hotfix, someone somehow patched the server just before Slammer, and
this, not the virus, took down your helpdesk system. Yeah, right.

And to fix the system, it had to be completely rebuilt. Did you ask HEAT?
You had no back-ups? No pre-patch test - BTW it was no hotfix but in a
service pack, just released - did your people really install an SP without
testing? No test system - helpdesk systems are generally considered
critical, so a back-up system is essential and you can use this for test -
just make a disk image first. Can be an older box; if it is not 100%
identical the test will not be 100% reliable, but it will give you a general
idea of the impact of an SP. No roll-back scenario. You have no firewall,
since a proper one will be darn expensive, as you point out in very much
detail in other posts, and incorrectly if I may add, since 1 professional
costs 40k you say plus a skilled and expensive admin, but to do it minimally
good you need two systems, so it will be a quarter of a million dollars. Yeah,
two firewalls, so you need TWO expensive admins. For a proper firewall, you
say you need half a million - to have four admins each guard their own
system.
Get your maths right. I'm wondering about the rest of your budgeting. I
would get leery if I only had one server as a responsibility. No, I would
get lazy.

Helpdesk systems hardly require an outside connection anyway, so for this
baby you won't need a firewall. Apparently you have no network zoning. Since you
don't have a firewall, all your systems are at risk for any attack, and you
worry about your very conscientious yet leery admins.

Let's adjust the bet - wouldn't a company someday sue an edu for repeatedly
being used as a DDoS amp, and spreading viruses? Let me put it this way - if
my company would be hurt for a second or third time by the same r00ted
hosts, I will take the case to court if the systems are in a country where
there is effective liability legislation, even if it is a non-profit
organisation short of cash. If one of my customers gets hit this way I will
advise and help them in the legal proceedings - probably for free because it
would be so much fun. And I have no consideration for someone being very
busy and very limited in budget - this is not uncommon, even companies
sometimes economize.

The diff is that I do not tolerate sorry excuses, nor putting the blame on
any external party, not from my CISO, nor from my helpdesk. You are too
defensive.

yossarian

