"Chris DeVoney" <[EMAIL PROTECTED]> wrote: > On Friday, August 29, 2003 8:24 AM, Charles Ballowe wrote: > > Interesting -- the net cost of the worm is actually a net > > $0.00. For every penny that a company chalks up as a cost to > > the worm, some other company must be chalking up the cost as > > a profit from the worm. > > Forgive the comment, but that statement is very untrue. As someone else > hinted, companies are diverting manpower from other projects to tackle the > worm. No other company is benefitting from that expenditure.
Wrong. In at least some of those cases those "extra" resources are simply hastily applying the fixes and better preventative measures that should already have been applied or in place. Thus the _rest of the Internet_ benefits from that expenditure and therefore the site being fixed not only directly benefits (it will no longer be vulnerable to attack through this and related and highly obvious, even if not previously used in exploits against it, mechanisms) but indirectly (through its efforts and those on other previously inadequately configured systems, the Internet as a whole is a better place, meaning it is a better place for this site too). > Then there is the case of academic and medical establishments, of which I > can speak from experience. There were some additional costs in hiring > contractors. But the biggest cost was the diversion of (my estimate) > hundreds of man-weeks to analyzing, patching, remediating, mitigating these > worms from other projects. That wasn't money lost, that was time lost. And > the faculty, staff, students, and everyone who depends on that work loss. ...which clearly was never suitably factored into the initial design, roll-out and ongoing management of the systems in those establishments. If they paid out big now to fix this "one-off" (yeah, right...) incident, why did they not pay the little more up front to ensure they had well-designed, properly secured and easily managed systems that would have _prevented_ all those losses you are now bleating about? Why not? Simple -- they decided it was better to save a few grand and get four more PCs (or a couple of kick-arse systems to slake the sys- admins thirsts for Quake, or whatever...). False economy. Always was, always is and always will be. Do it once, do it right. There was no rocket science in being prepared to be anything other than mildly inconvenienced by Blaster -- sure, "outside" machines or machines with outside network connections that are also inside your site can be a hassle, but quality network gear allowing you to turn those machines off outlet by outlet is available and has been forever (though again, yes it costs a few bucks more up-front). Further, as such paths have always been stupefyingly obvious entrance points for this kind of "attack", protecting against them should always have been factored into the design and thus not be something to be hand-wringing over after the latest attack. > I won't go into fuller details, but because of the heavy dependence of > computing in biotechnology and medical fields, these worms and other > security problems have a larger societial cost. .... Which _surely_ raises questions about the sanity of anyone who would consider connecting such critical stuff to a sewer of a network like "the Internet as we have it", and doubly so to actually make such connections without taking _extremely careful and well thought through protective measures. It also raises serious questions about the sanity of the funding processes and groups that dole out the money driving these projects. > ... Most university medical > research comes from fixed grants. When you are always trying make those > limited resources stretch, diverting money and time to nonsense like this is > very, very frustrating. These problems do delay medical research and adds to > the cost of medical research without giving human benefits. Which makes it all the more imperative that the tax dollars funding you are deployed to best effect _up front_ rather than inefficiently and all topsy turvy when half the campus is running around like chooks with their heads cut off, no?? > I wish these misceates would consider those implications before converting a > lab server into a warez server when they get hit with a leading-edge or rare > illness. Yeah, right, don't we all In the meantime however, the US tax payers expect you (I don't mean you personally, more "you, the IT staff at such institutions collectively") to do something more effective with the "contributions" they make... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html