Message-ID: <3F2726F1.23827.577FB3A@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: DCOM RPC exploit (dcom.c)
John.Airey@...b.org.uk replied to me:
> Why do I get the distinct impression that only myself and Paul Schmel
> actually understand what the realities of life are these days? There is
> really very little control over "users", whether they are in an "edu" or not.
Why do I get the distinct impression that you are fatalist?
You _can_ do better.
Maybe not where you work now because you may work with a bunch of
morons, but you _can_ do better because there are places where your
fatalism is unacceptable as a matter of policy. They are rare, but
they are slowly growing in number.
And no, I'm not one of those "I've installed FreeBSD and Linux on the
three machines in my bedroom LAN" folks and yes, I do know where Paul
is coming from as I started my IT career in a university computer
centre (and although we were rather fortunate where I worked compared
to many in the level of control we could wield, I certainly would not
want to be responsible for security there now...).
> Imagine a company where a user is told by the IT department that such and
> such a computer can't be used. He then goes and buys it on his own credit
> card and claims it back on expenses (this happens more than you realise).
> Said IT department now has to support the machine that he was told he
> couldn't have, probably because someone higher up in the organisation says
> that it has to. This computer will probably consume a disproportionate
> amount of support time. The irony is that the purchaser will probably then
> tell you it was a bargain (yeah, right!).
You're telling me nothing new and if you understood what I wrote you
would understand that I _know_ that kind of crap not only happens way
too often, but that it does show the lack of value in which computer
security is held, in general. However, that security-antagonistic
attitude can be eliminated from your network if it is properly designed
and managed. Yes, that requires more management buy-in than most
system admins get at the moment, but that is also (slowly) changing.
> The bottom line is that these days, the IT departments do not have enough
> power to enforce any radical suggestions. ...
Which is precisely why you are in the mess you are in. That you seem
to accept that "this is how it is" means you are not helping solve the
problem, so please shut up and stop whining.
> ... I'd be surprised if any
> organisation exists (outside of the military) that insists on knowing the
> MAC addresses of machines before they get connected to the network. (In our
> case we monitor MAC addresses instead as we can then spot network problems).
Bzzzzt -- wrong.
Some small, medium and large corporates do this. Some .edus even do
it. Stop believing or accepting "it's too hard" and start being part
of the solution. You think knowing all machine MACs and not allowing
network access would be difficult to manage? I know of corporate
network setups where there are at least seven _physically isolated_
networks with some of those run on these principles (the ones that
aren't run thus are entirely isolated from the other networks
(including being limited to specific rooms within the buildings) and
from the Internet and used for development work, testing and two
separate build systems).
> I remember the days of dumb-terminals and users who had to ask permission to
> print. At that time we could control what happened on the network. With the
> advent of PCs and desktop printers, that's all changed. ...
And in a corporate environment the question is not has it changed, but
_should it have_?
As I said, start being part of the solution and stop accepting that
just because Bob before you was a moron and couldn't design or manage
his way out of a soggy paper bag does not necessarily mean that you
have to keep doing things as badly as he did... (Of course, if Bob is
now your manager, you may not have much choice apart from finding a job
where doing your work well matters...)
> ... In a way, we are the
> victims of our own success. Network connectivity is seen as a right, not a
> privilege. "Doing it right" usually means getting the IT department to fix a
> problem caused by someone else's mistakes.
Yeah, yeah.
You are telling me how stupid/lazy/under-resourced people do it. We
all know that. I was talking about things you should think about if
you were going to do it well. Do you see the difference of orientation
there? (And yes, I know that for some of you it is very unlikely you
will ever be given the freedom to do it really well, but such weirdly
non-commercial and otherwise not held to high standards of excellence
outfits will eventually be the trifling exception that at one level we
will laugh at and at another level we marvel at how well the folk
running such systems manage given the loony lack of managerial
oversight to implement true "best practices". You seem married to the
badly flawed status quo so I guess it's an easy bet to pick the kind of
place you'll end up working.)
> The truth is that all sysadmins are involved in damage limitation, which
> is why we subscribe to this list. We do our utmost to prevent damage, but
> recent history shows us just one user clicking on a dodgy email attachment
> can bring down major networks. In other cases not knowing what a firewall
> should and shouldn't do has caused other outages (even affecting Microsoft).
Yeah, but as I said, some of us are working toward changing the silly
underlying assumptions that _allow_ such stupidities at the many, many
orders of magnitude above "sane" that we currently suffer...
> After all, if what has been suggested is true and has been implemented, why
> bother to subscribe to this list?
Entertainment...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854