Message-ID: <154400000.1064897463@localhost>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: [inbox] Re: CyberInsecurity: The cost of Monopoly
--On Monday, September 29, 2003 21:49:26 -0300 Rodrigo Barbosa
<rodrigob@...spammers.org> wrote:
>
> As some may recall, my original statement was an answer to someone that
> was pointing out that Unix is more secure than Windows (I agree up to this
> point), and gave an example telling that there are still several codered
> vulnerable machines around. This is the point I was commenting about. And
> you do have to agree that if a machine, today, is still vulnerable to
> Codered, it is mostly due to a fault of the administrator.
>
I'm going to pick one small nit with you. There is another possible guilty
party. In some cases, at least in edu and medical centers (that's what I'm
familiar with) the *vendor* is at fault. Some vendors will not certify
their scientific instruments with the latest Service Packs and patches,
leaving the admins no other choice but to find some other way to protect
the machine. (Hell, we sometimes have trouble getting vendors of
*security* devices to support their products with the latest SPs and
patches. Which is another reason that I dislike putting security-related
software on Windows boxes, but sometimes you simply have no choice.)
Case in point, I just today helped a professor set up a small SOHO router
to protect three machines, one running NT 4.0 SP3, another running Win2k
SP2 and a third running Win98. All three machines are controlling
six-figure scientific instruments, and all three are as vulnerable as can be.
The "admins" are professors whose job it is to discover new things in
science, *not* secure computing equipment. But the reason the machines are
vulnerable is because of the vendor, not because we choose to keep them
that way. Now they're safely tucked away, NATed and firewalled, and there
is no access to them from our network, much less from the internet.
So, while I agree with you that in *many* cases, if a box is vulnerable to
Code Red, it is the admins' fault, that is not true in *every* case. (It
*is* the admins' fault if they don't solve the problem somehow, however.)
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu