| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: DCOM RPC exploit (dcom.c) John.Airey@...b.org.uk replied to me: > Why do I get the distinct impression that only myself and Paul Schmel > actually understand what the realities of life are these days? There is > really very little control over "users", whether they are in a "edu" or not. Why do I get the distinct impression that you are fatalist? You _can_ do better. Maybe not where you work now because you may work with a bunch of morons, but you _can_ do better because there are place where your fatalism are unacceptable as a matter of policy. They are rare, but they are slowly growing in number. And no, I'm not one of those "I've installed FreeBSD and Linux on the three machines in my bedroom LAN" folks and yes, I do know where Paul is coming from as I started my IT career in a university computer centre (and although we were rather fortunate where I worked compared to many in the level of control we could wield, I certainly would not want to be responsible for security there now...). > Imagine a company where a user is told by the IT department that such and > such a computer can't be used. He then goes and buys it on his own credit > card and claims it back on expenses (this happens more than you realise). > Said IT department now has to support the machine that he was told he > couldn't have, probably because someone higher up in the organisation says > that it has to. This computer will probably consume a disproportionate > amount of support time. The irony is that the purchaser will probably then > tell you it was a bargain (yeah, right!). You're telling me nothing new and if you understood what I wrote you would understand that I _know_ that kind of crap not only happens way too often, but that it does shows the lack of value in which computer security is held, in general. However, that security antagonistic attitude can be eliminated from your network if it is properly designed and managed. Yes, that requires more management buy-in than most system admins get at the moment, but that is also (slowly) changing. > The bottom line is that these days, the IT departments do not have enough > power to enforce any radical suggestions. ... Which is precisely why you are in the mess you are in. That you seem to accept that "this is how it is" means you are not helping solve the problem, so please shut up and stop whining. > ... I'd be surprised if any > organisation exists (outside of the military) that insists on knowing the > MAC addresses of machines before they get connected to the network. (In our > case we monitor MAC addresses instead as we can then spot network problems). Bzzzzt -- wrong. Some small, medium and large corporates do this. Some .edus even do it. Stop believing or accepting "it's too hard" and start being part of the solution. You think knowing all machine MACs and not allowing network access would be difficult to manage? I know of corporate network setups where there are at least seven _physically isolated_ networks with some of those run on these principles (the ones that aren't run thus are entirely isolated from the other networks (including being limited to specific rooms within the buildings) and from the Internet and used for development work, testing and two separate build systems). > I remember the days of dumb-terminals and users who had to ask permission to > print. At that time we could control what happened on the network. With the > advent of PCs and desktop printers, that's all changed. ... And in a corporate environment the question is not has it changed, but _should it have_? As I said, start being part of the solution and stop accepting that just because Bob before you was a moron and couldn't design or manage his way out of a soggy paper bag does not necessarily mean that you have to keep doing things as badly as he did... (Of course, if Bob is now your manager, you may not have much choice apart from finding a job where doing your work well matters...) > ... In a way, we are the > victims of our own success. Network connectivity is seen as a right, not a > privilege. "Doing it right" usually means getting the IT department to fix a > problem caused by someone else's mistakes. Yeah, yeah. You are telling me how stupid/lazy/under-resourced people do it. We all know that. I was talking about things you should think about if you were going to do it well. Do you see the difference of orientation there? (And yes, I know that for some of you it is very unlikely you will ever be given the freedom to do it really well, but such weirdly non-commercial and otherwise not held to high standards of excellence outfits will eventually be the trifling exception that at one level we will laugh at and at another level we marvel at how well the folk running such systems manage given the loony lack of managerial oversight to implement true "best practices". You seem married to the badly flawed status quo so I guess it's an easy bet to pick the kind of place you'll end up working.) > The truth is that all sysadmins are all involved in damage limitation, which > is why we subscribe to this list. We do our utmost to prevent damage, but > recent history shows us just one user clicking on a dodgy email attachment > can bring down major networks. In other cases not knowing what a firewall > should and shouldn't do has caused other outages (even affecting Microsoft). Yeah, but as I said, some of us are working toward changing the silly underlying assumptions that _allow_ such stupidities at the many, many orders of magnitude above "sane" that we currently suffer... > After all, if what has been suggested is true and has been implemented, why > bother to subscribe to this list? Entertainment... -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists