lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <497BC68FEF2B4D4B93C27539FD5155E9026AFB@HBRG-EXCHANGE.anteon.com>
From: MRMyers at anteon.com (Myers, Marvin)
Subject: DCOM RPC exploit  (dcom.c)

OK, I admit it. I am a Techie Admin who is in management. I get to pick
the product, source it, install it, fix it, Admin it, everything except
actually purchase. Unfortunately, I am in a corporate environment where
corporate purchasing policy overtakes my life experience, research, and
so called expertise. They buy the stuff from whoever blows the most
sunshine up their A$$E$, and I get stuck trying to make it work. I am
not complaining at all. I like my job, (could someone tell the boss that
the pay SUX). What I am trying to say is that we all have our hurdles to
jump. But in the end, if we didn't like what we do at least a little
bit, we could find a new career.

------------------------------------------------------------------------
----

All of this is true and wonderful and oh so right.  (Not pickin' on you,
Nick.)

Now let me tell you how it works in the real world (one example.)  Our
School of Management is moving in to their new building in the next week
or so.  Obviously, when you put up a new building, one of the things
that has to be done is wire it and build the infrastructure for
networks, right?  (Well, actually, when they built the new Activity
Center a few years back, they sort of forgot that part until the
building was finished.  Then they had to retrofit the network.  Now
**that** was fun!!)  So, they consulted with IT to find out what would
best work on our network and the purchased the right equipment, right?

Well, actually, the Dean happens to have contacts at Alcatel, and
Alcatel, in their gracious wisdom, decided to donate *all* the
networking equipment that the new building would need - switches,
routers, cabling, everything.  How nice of them, right?  Weeeellllll, it
turns out that what they donated is stuff they couldn't get rid of, much
less sell for a profit.  Gives them a nice tax writeoff, and, much to
the Dean's chagrin, limits the functionality of the network.  (You see,
they *did* consult with IT *afterwards*, when things weren't working the
way they expected.  That's when they got the *bad* news.  No H.323 for
you.  No QoS.  Etc., etc.)

Now their stuck with a less than optimal configuration, limited
capability and obsolete equipment.  And IT is stuck with the headache of
trying to support that, dealing with the constant complaints that will
come from the staff and faculty of that school when things don't work
right, etc., etc., etc.

Oh, and was any thought given to security in the design phase?  Well, of
course not.  They didn't even have locks on the wiring closets until we
refused to support them unless they were installed.  (Although some of
us actually argued that we'd be better off to leave the locks off.  That
way the equipment would get stolen, and we could charge SOM for the
replacements, which would be configured the way *we* wanted them with
the capabilities that they need - and paid for by SOM.)

In an ideal world, none of this would happen.  But that is what I
referred to in an earlier post as the "pollyanna" world.  I know all the
techies would just *love* to be making the decisions about stuff like
this (so would we, don't kid yourself), but it's never been that way,
and it never will be that way.  That's reality.  And that's what IT
folks have to deal with every day.

I've actually seen posts where people have said things like, "Well, I
wouldn't work for a place like that."  Indeed.  That's why you're
unemployed.

So, when you(pl) shake your head and think, "They could do so much
better if they just had a clue", keep in mind that the real world
doesn't always give you what you want or need, and you have to learn to
deal with what exists, not with what you'd like to see exist.  And then
you have to listen to all the armchair generals telling you how
incompetent you are.  It's no wonder a lot of admins get very
frustrated.  (Again, I'm not talking about myself.  I really don't give
a rats ass what anyone thinks of me, so it doesn't matter what you say
about me.  Which is why, BTW, I'm perfectly willing to keep pounding
this point home, regardless of how much STFU mail I get.)

Now I'm certain that *someone* in this group of resident geniuses will
respond, "Well, the Dean should be fired if he's that stupid."  Well
Einstein, Deans get paid for bringing money into the school and riding
herd on the faculty.  The Alcatel deal *helps* his credibility with
senior administration.  How's that for a topsy turvy world? 

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ