lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3F509C0F.30228.A76875A4@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Authorities eye MSBlaster suspect

"Chris DeVoney" <cdevoney@...ashington.edu> wrote:

> On Friday, August 29, 2003 8:24 AM, Charles Ballowe wrote:
> > Interesting -- the net cost of the worm is actually a net 
> > $0.00. For every penny that a company chalks up as a cost to 
> > the worm, some other company must be chalking up the cost as 
> > a profit from the worm. 
> 
> Forgive the comment, but that statement is very untrue. As someone else
> hinted, companies are diverting manpower from other projects to tackle the
> worm. No other company is benefitting from that expenditure.

Wrong.

In at least some of those cases those "extra" resources are simply 
hastily applying the fixes and better preventative measures that should 
already have been applied or in place.  Thus the _rest of the Internet_ 
benefits from that expenditure and therefore the site being fixed not 
only directly benefits (it will no longer be vulnerable to attack 
through this and related and highly obvious, even if not previously 
used in exploits against it, mechanisms) but indirectly (through its 
efforts and those on other previously inadequately configured systems, 
the Internet as a whole is a better place, meaning it is a better place 
for this site too).

> Then there is the case of academic and medical establishments, of which I
> can speak from experience. There were some additional costs in hiring
> contractors. But the biggest cost was the diversion of (my estimate)
> hundreds of man-weeks to analyzing, patching, remediating, mitigating these
> worms from other projects. That wasn't money lost, that was time lost. And
> the faculty, staff, students, and everyone who depends on that work loss.

...which clearly was never suitably factored into the initial design, 
roll-out and ongoing management of the systems in those establishments. 
 If they paid out big now to fix this "one-off" (yeah, right...) 
incident, why did they not pay the little more up front to ensure they 
had well-designed, properly secured and easily managed systems that 
would have _prevented_ all those losses you are now bleating about?

Why not?  Simple -- they decided it was better to save a few grand and 
get four more PCs (or a couple of kick-arse systems to slake the sys-
admins thirsts for Quake, or whatever...).

False economy.  Always was, always is and always will be.

Do it once, do it right.

There was no rocket science in being prepared to be anything other than 
mildly inconvenienced by Blaster -- sure, "outside" machines or 
machines with outside network connections that are also inside your 
site can be a hassle, but quality network gear allowing you to turn 
those machines off outlet by outlet is available and has been forever 
(though again, yes it costs a few bucks more up-front).  Further, as 
such paths have always been stupefyingly obvious entrance points for 
this kind of "attack", protecting against them should always have been 
factored into the design and thus not be something to be hand-wringing 
over after the latest attack.

> I won't go into fuller details, but because of the heavy dependence of
> computing in biotechnology and medical fields, these worms and other
> security problems have a larger societial cost.  ....

Which _surely_ raises questions about the sanity of anyone who would 
consider connecting such critical stuff to a sewer of a network like 
"the Internet as we have it", and doubly so to actually make such 
connections without taking _extremely careful and well thought through 
protective measures.

It also raises serious questions about the sanity of the funding 
processes and groups that dole out the money driving these projects.

> ...  Most university medical
> research comes from fixed grants. When you are always trying make those
> limited resources stretch, diverting money and time to nonsense like this is
> very, very frustrating. These problems do delay medical research and adds to
> the cost of medical research without giving human benefits. 

Which makes it all the more imperative that the tax dollars funding you 
are deployed to best effect _up front_ rather than inefficiently and 
all topsy turvy when half the campus is running around like chooks with 
their heads cut off, no??

> I wish these misceates would consider those implications before converting a
> lab server into a warez server when they get hit with a leading-edge or rare
> illness. 

Yeah, right, don't we all

In the meantime however, the US tax payers expect you (I don't mean you 
personally, more "you, the IT staff at such institutions collectively") 
to do something more effective with the "contributions" they make...


Regards,

Nick FitzGerald

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ