Message-ID: <3F2726F1.23827.577FB3A@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: DCOM RPC exploit  (dcom.c)

John.Airey@...b.org.uk replied to me:

> Why do I get the distinct impression that only myself and Paul Schmel
> actually understand what the realities of life are these days? There is
> really very little control over "users", whether they are in an "edu" or not.

Why do I get the distinct impression that you are a fatalist?

You _can_ do better.

Maybe not where you work now because you may work with a bunch of 
morons, but you _can_ do better because there are places where your 
fatalism is unacceptable as a matter of policy.  They are rare, but 
they are slowly growing in number.

And no, I'm not one of those "I've installed FreeBSD and Linux on the 
three machines in my bedroom LAN" folks and yes, I do know where Paul 
is coming from as I started my IT career in a university computer 
centre (and although we were rather fortunate where I worked compared 
to many in the level of control we could wield, I certainly would not 
want to be responsible for security there now...).

> Imagine a company where a user is told by the IT department that such and
> such a computer can't be used. He then goes and buys it on his own credit
> card and claims it back on expenses (this happens more than you realise).
> Said IT department now has to support the machine that he was told he
> couldn't have, probably because someone higher up in the organisation says
> that it has to. This computer will probably consume a disproportionate
> amount of support time. The irony is that the purchaser will probably then
> tell you it was a bargain (yeah, right!).

You're telling me nothing new and if you understood what I wrote you 
would understand that I _know_ that kind of crap not only happens way 
too often, but that it does show the lack of value in which computer 
security is held, in general.  However, that security-antagonistic 
attitude can be eliminated from your network if it is properly designed 
and managed.  Yes, that requires more management buy-in than most 
system admins get at the moment, but that is also (slowly) changing.

> The bottom line is that these days, the IT departments do not have enough
> power to enforce any radical suggestions. ...

Which is precisely why you are in the mess you are in.  That you seem 
to accept that "this is how it is" means you are not helping solve the 
problem, so please shut up and stop whining.

> ...  I'd be surprised if any
> organisation exists (outside of the military) that insists on knowing the
> MAC addresses of machines before they get connected to the network. (In our
> case we monitor MAC addresses instead as we can then spot network problems).

Bzzzzt -- wrong.

Some small, medium and large corporates do this.  Some .edus even do 
it.  Stop believing or accepting "it's too hard" and start being part 
of the solution.  You think knowing all machine MACs and not allowing 
network access would be difficult to manage?  I know of corporate 
network setups where there are at least seven _physically isolated_ 
networks with some of those run on these principles (the ones that 
aren't run thus are entirely isolated from the other networks 
(including being limited to specific rooms within the buildings) and 
from the Internet and used for development work, testing and two 
separate build systems).

> I remember the days of dumb-terminals and users who had to ask permission to
> print. At that time we could control what happened on the network. With the
> advent of PCs and desktop printers, that's all changed.  ...

And in a corporate environment the question is not has it changed, but 
_should it have_?

As I said, start being part of the solution and stop accepting that 
just because Bob before you was a moron and couldn't design or manage 
his way out of a soggy paper bag does not necessarily mean that you 
have to keep doing things as badly as he did...  (Of course, if Bob is 
now your manager, you may not have much choice apart from finding a job 
where doing your work well matters...)

> ...  In a way, we are the
> victims of our own success. Network connectivity is seen as a right, not a
> privilege. "Doing it right" usually means getting the IT department to fix a
> problem caused by someone else's mistakes.

Yeah, yeah.

You are telling me how stupid/lazy/under-resourced people do it.  We 
all know that.  I was talking about things you should think about if 
you were going to do it well.  Do you see the difference of orientation 
there?  (And yes, I know that for some of you it is very unlikely you 
will ever be given the freedom to do it really well, but such weirdly 
non-commercial and otherwise not held to high standards of excellence 
outfits will eventually be the trifling exception that at one level we 
will laugh at and at another level we marvel at how well the folk 
running such systems manage given the loony lack of managerial 
oversight to implement true "best practices".  You seem married to the 
badly flawed status quo so I guess it's an easy bet to pick the kind of 
place you'll end up working.)

> The truth is that all sysadmins are involved in damage limitation, which
> is why we subscribe to this list. We do our utmost to prevent damage, but
> recent history shows us just one user clicking on a dodgy email attachment
> can bring down major networks. In other cases not knowing what a firewall
> should and shouldn't do has caused other outages (even affecting Microsoft).

Yeah, but as I said, some of us are working toward changing the silly 
underlying assumptions that _allow_ such stupidities at the many, many 
orders of magnitude above "sane" that we currently suffer...

> After all, if what has been suggested is true and has been implemented, why
> bother to subscribe to this list?

Entertainment...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
