Message-ID: <154400000.1064897463@localhost>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: [inbox] Re: CyberInsecurity: The cost of Monopoly

--On Monday, September 29, 2003 21:49:26 -0300 Rodrigo Barbosa 
<rodrigob@...spammers.org> wrote:
>
> As some may recall, my original statement was an answer to someone who
> was pointing out that Unix is more secure than Windows (I agree up to this
> point), and gave an example telling that there are still several Code Red
> vulnerable machines around. This is the point I was commenting about. And
> you do have to agree that if a machine, today, is still vulnerable to
> Code Red, it is mostly due to a fault of the administrator.
>
I'm going to pick one small nit with you.  There is another possible guilty 
party.  In some cases, at least in edu and medical centers (that's what I'm 
familiar with) the *vendor* is at fault.  Some vendors will not certify 
their scientific instruments with the latest Service Packs and patches, 
leaving the admins no other choice but to find some other way to protect 
the machine.  (Hell, we sometimes have trouble getting vendors of 
*security* devices to support their products with the latest SPs and 
patches.)  (Which is another reason that I dislike putting security-related 
software on Windows boxes, but sometimes you simply have no choice.)

Case in point, I just today helped a professor set up a small SOHO router 
to protect three machines, one running NT 4.0 SP3, another running Win2k 
SP2 and a third running Win98.  All three machines are controlling six-
figure scientific instruments, and all three are as vulnerable as can be. 
The "admins" are professors whose job it is to discover new things in 
science, *not* secure computing equipment.  But the reason the machines are 
vulnerable is because of the vendor, not because we choose to keep them 
that way.  Now they're safely tucked away, NATed and firewalled, and there 
is no access to them from our network, much less from the internet.

So, while I agree with you that in *many* cases, if a box is vulnerable to 
Code Red, it is the admins' fault, that is not true in *every* case.  (It 
*is* the admins' fault if they don't solve the problem somehow, however.)

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
