Re: OT: Re: WANAL (Re: What could have been done differently?)

2003-02-04 Thread Scott Francis
On Mon, Feb 03, 2003 at 11:27:46AM +0100, [EMAIL PROTECTED] said: > > > > --On Tuesday, January 28, 2003 18:06:47 -0800 Scott Francis > <[EMAIL PROTECTED]> wrote: > > > I'm sure > > they'll move to a newer version when somebody on the team gets a chance > > to give it a thorough code audit, and

Re: OT: Re: WANAL (Re: What could have been done differently?)

2003-02-03 Thread Måns Nilsson
--On Tuesday, January 28, 2003 18:06:47 -0800 Scott Francis <[EMAIL PROTECTED]> wrote: > I'm sure > they'll move to a newer version when somebody on the team gets a chance > to give it a thorough code audit, and run it through sufficient testing > prior to release. The -current tree now is at

Re: What could have been done differently?

2003-02-01 Thread Dave Howe
At least theoretically, the US *is* supposed to have a comparable system. European privacy law makes it illegal to transfer personal data of any kind to a country without a comparable system - the US has a voluntary "Safe Haven" scheme that is supposed to enable US companies to be able to receive

Re: What could have been done differently?

2003-01-30 Thread Scott Francis
On Thu, Jan 30, 2003 at 10:39:17AM -0800, [EMAIL PROTECTED] said: > IIRC, MS's patches have been digitally signed by MS, and their patching > system checks these signatures silently. So, they will claim that > compromised route info and/or DNS spoofing does not affect their > correctness. > > Though, I'm

Re: What could have been done differently?

2003-01-30 Thread David Howe
at Thursday, January 30, 2003 12:01 AM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> was seen to say: >> But this worm required external access to an internal server (SQL >> Servers are not front-end ones); even with a bad or no patch >> management system, this simply wouldn't happen on a properly >> con

Re: What could have been done differently?

2003-01-29 Thread Scott Francis
On Tue, Jan 28, 2003 at 11:13:19AM -0200, [EMAIL PROTECTED] said: [snip] > But this worm required external access to an internal server (SQL Servers > are not front-end ones); even with a bad or no patch management system, this > simply wouldn't happen on a properly configured network. Whoever got

Re: What could have been done differently?

2003-01-29 Thread Mike Hogsett
> Similarly, you _pay_ MS for a product. A product which is repeatedly > vulnerable. I think this is key. People (individuals/corporations) keep buying crappy software. As long as people keep paying the software vendors for these broken products what incentives do they have to actually fix t

Re: What could have been done differently?

2003-01-29 Thread bdragon
> Not to sound too pro-MS, but if they are going to sue, they should be able to > sue ALL software makers. And what does that do to open source? Apache, > MySQL, OpenSSH, etc have all had their problems. Should we sue the nail gun > vendor because some moron shoots himself in the head with it?

Re: What could have been done differently?

2003-01-29 Thread bdragon
> But this worm required external access to an internal server (SQL Servers > are not front-end ones); even with a bad or no patch management system, this > simply wouldn't happen on a properly configured network. Whoever got > slammered, has more problems than just this worm. Even with no firewal

Re: What could have been done differently?

2003-01-29 Thread Scott Francis
On Wed, Jan 29, 2003 at 12:21:50PM -0800, [EMAIL PROTECTED] said: [snip] > > So far, the closest thing I've seen to this concept is the ssh > > administrative host model: adminhost:~root/.ssh/id_dsa.pub is > > copied to every targethost:~root/.ssh/authorized_keys2, such that > > com

Re: What could have been done differently?

2003-01-29 Thread just me
On Wed, 29 Jan 2003, Scott Francis wrote: On Wed, Jan 29, 2003 at 10:47:30AM -0800, [EMAIL PROTECTED] said: > On Tue, 28 Jan 2003, Scott Francis wrote: > > He argued instead that OSes should be redesigned to implement the > principle of least privilege from the ground up, down to th

Re: What could have been done differently?

2003-01-29 Thread Scott Francis
On Wed, Jan 29, 2003 at 10:47:30AM -0800, [EMAIL PROTECTED] said: > On Tue, 28 Jan 2003, Scott Francis wrote: > > He argued instead that OSes should be redesigned to implement the > principle of least privilege from the ground up, down to the > architecture they run on. > > [...] > > The

Re: What could have been done differently?

2003-01-29 Thread just me
On Tue, 28 Jan 2003, Scott Francis wrote: He argued instead that OSes should be redesigned to implement the principle of least privilege from the ground up, down to the architecture they run on. [...] The problem there is the same as with windowsupdate - if one can spoof the central

Re: What could have been done differently?

2003-01-29 Thread Iljitsch van Beijnum
On Tue, 28 Jan 2003, Scott Francis wrote: > I'm still looking for a copy of the presentation, but I was able to find a > slightly older rant he wrote that contains many of the same points: > http://www.bsdatwork.com/reviews.php?op=showcontent&id=2 > Good reading, even if it's not very much pract

Re: What could have been done differently?

2003-01-29 Thread Michael . Dillon
> His main thesis was basically that every > OS in common use today, from Windows to UNIX variants, has a fundamental > flaw in the way privileges and permissions are handled - the concept of > superuser/administrator. He argued instead that OSes should be redesigned to > implement the principle

Re: What could have been done differently?

2003-01-28 Thread Valdis . Kletnieks
On Tue, 28 Jan 2003 19:10:52 EST, Eric Germann <[EMAIL PROTECTED]> said: > Sort of like the person who sued McD's when they dumped their own coffee in > their lap because it was "too hot". Somewhere in the equation, the > sysadmin/enduser, whether Unix or Windows, has to take some responsibility

Re: What could have been done differently?

2003-01-28 Thread Brian Wallingford
On Tue, 28 Jan 2003, Steven M. Bellovin wrote: :They do have a lousy track record. I'm convinced, though, that :they're sincere about wanting to improve, and they're really trying :very hard. In fact, I hope that some other vendors follow their :lead. My big worry isn't the micro-issues like b

Re: What could have been done differently?

2003-01-28 Thread Scott Francis
On Tue, Jan 28, 2003 at 09:00:48PM -0500, [EMAIL PROTECTED] said: > In message <[EMAIL PROTECTED]>, Scott Francis writes: > > >There's a difference between having the occasional bug in one's software > >(Apache, OpenSSH) and having a track record of remotely exploitable > >vulnerabilities in virtu

Re: What could have been done differently?

2003-01-28 Thread Scott Francis
On Tue, Jan 28, 2003 at 08:14:17PM +0100, [EMAIL PROTECTED] said: [snip] > restrictive measures that operate with sufficient granularity. In Unix, > traditionally this is done per-user. Regular users can do a few things, > but the super-user can do everything. If a user must do something that >

Re: What could have been done differently?

2003-01-28 Thread Mike Lewinski
On Tue, 28 Jan 2003, Andy Putnins wrote: > This is therefore a request for all of those who possess this "clue" to > write down their wisdom and share it with the rest of us I can't tell you what clue is, but I know when I don't see it. In some cases our clients have had Code Red, Nimda, and S

Re: What could have been done differently?

2003-01-28 Thread David Lesher
> Somewhere in the equation, the sysadmin/enduser, whether Unix > or Windows, has to take some responsibility. Hence I loved this: http://www.nytimes.com/2003/01/28/technology/28SOFT.html Worm Hits Microsoft, Which Ignored Own Advice By JOHN SCHWARTZ Among the com

Re: OT: Re: WANAL (Re: What could have been done differently?)

2003-01-28 Thread Scott Francis
On Tue, Jan 28, 2003 at 08:53:59PM +0200, [EMAIL PROTECTED] said: [snip] > Hi Paul, > > What do you think of OpenBSD still installing BIND4 as part of the > default base system and recommended as secure by the OpenBSD FAQ? > (See Section 6.8.3 in ) Op

Re: What could have been done differently?

2003-01-28 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Scott Francis writes: > >There's a difference between having the occasional bug in one's software >(Apache, OpenSSH) and having a track record of remotely exploitable >vulnerabilities in virtually EVERY revision of EVERY product one ships, on >the client-side, the

Re: What could have been done differently?

2003-01-28 Thread Scott Francis
On Tue, Jan 28, 2003 at 11:22:13AM -0500, [EMAIL PROTECTED] said: [snip] > That is, I think there is a big difference between a company the > size of Microsoft saying "we've known about this problem for 6 > months but didn't consider it serious so we didn't do anything > about it", and an open sour

Re: What could have been done differently?

2003-01-28 Thread Scott Francis
On Tue, Jan 28, 2003 at 07:10:52PM -0500, [EMAIL PROTECTED] said: [snip] > As has been said, no one writes perfect software. And again, sometime, the > user has to share some responsibility. Maybe if the users get burned > enough, the problem will get solved. Either they will get fired, the > so

RE: What could have been done differently?

2003-01-28 Thread Eric Germann
tes [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, January 28, 2003 10:36 AM > To: [EMAIL PROTECTED]; Leo Bicknell; [EMAIL PROTECTED] > Cc: Eric Germann > Subject: Re: What could have been done differently? > > > From: "Eric Germann" > > > > > Not to so

Re: What could have been done differently?

2003-01-28 Thread Scott Francis
On Tue, Jan 28, 2003 at 03:10:18AM -0500, [EMAIL PROTECTED] said: [snip] > Many different companies were hit hard by the Slammer worm, some with > better than average reputations for security awareness. They bought > the finest firewalls, they had two-factor biometric locks on their data > centers, th

Re: OT: Re: WANAL (Re: What could have been done differently?)

2003-01-28 Thread Mike Lewinski
On 1/28/03 11:57 AM, "Paul Vixie" <[EMAIL PROTECTED]> wrote: > >> What do you think of OpenBSD still installing BIND4 as part of the >> default base system and recommended as secure by the OpenBSD FAQ? >> (See Section 6.8.3 in ) > > i think that bin

Re: What could have been done differently?

2003-01-28 Thread Iljitsch van Beijnum
Sean Donelan wrote: Many different companies were hit hard by the Slammer worm, some with better than average reputations for security awareness. They bought the finest firewalls, they had two-factor biometric locks on their data centers, they installed anti-virus software, they paid for SAS70 audit

RE: What could have been done differently?

2003-01-28 Thread Vadim Antonov
On Tue, 28 Jan 2003, Eric Germann wrote: > > Not to sound too pro-MS, but if they are going to sue, they should be able to > sue ALL software makers. And what does that do to open source? A law can be crafted in such a way so as to create distinction between selling for profit (and assuming li

Re: What could have been done differently?

2003-01-28 Thread Alex Bligh
--On 28 January 2003 10:42 -0600 Andy Putnins <[EMAIL PROTECTED]> wrote: How does one find a "clueful" person to hire? Can you recognize one by their hat or badge of office? Is there a guild to which they all belong? If one wants to get a "clue", how does one find a master to join as an appre

Re: OT: Re: WANAL (Re: What could have been done differently?)

2003-01-28 Thread Paul Vixie
> What do you think of OpenBSD still installing BIND4 as part of the > default base system and recommended as secure by the OpenBSD FAQ? > (See Section 6.8.3 in ) i think that bind4 was relatively easy for them to do a format string audit on, and that

OT: Re: WANAL (Re: What could have been done differently?)

2003-01-28 Thread Rafi Sadowsky
## On 2003-01-28 17:49 - Paul Vixie typed: PV> PV> In any case, all of these makers (including Microsoft) seem to make a very PV> good faith effort to get patches out when vulnerabilities are uncovered. I PV> wish we could have put time bombs in older BINDs to force folks to upgrade, PV> bu

WANAL (Re: What could have been done differently?)

2003-01-28 Thread Paul Vixie
[EMAIL PROTECTED] ("Eric Germann") writes: > Not to sound too pro-MS, but if they are going to sue, they should be able > to sue ALL software makers. And what does that do to open source? > Apache, MySQL, OpenSSH, etc have all had their problems. ... Don't forget BIND, we've had our problems as

RE: What could have been done differently?

2003-01-28 Thread Ray Burkholder
TECTED]] > Sent: January 28, 2003 12:43 > To: Alex Bligh > Cc: Sean Donelan; [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: Re: What could have been done differently? > > This is therefore a request for all of those who possess this > "clue" to > write down their

Re: What could have been done differently?

2003-01-28 Thread Andy Putnins
On Tue, 28 Jan 2003 10:42:05 - Alex Bligh wrote: > > Sean, > > --On 28 January 2003 03:10 -0500 Sean Donelan <[EMAIL PROTECTED]> wrote: > > > Are there practical answers that actually work in the real world with > > real users and real business needs? > > 1. Employ clueful staff

Re: What could have been done differently?

2003-01-28 Thread Leo Bicknell
In a message written on Tue, Jan 28, 2003 at 10:23:09AM -0500, Eric Germann wrote: > Not to sound too pro-MS, but if they are going to sue, they should be able to > sue ALL software makers. And what does that do to open source? Apache, > MySQL, OpenSSH, etc have all had their problems. Should we

RE: What could have been done differently?

2003-01-28 Thread Drew Weaver
] Cc: Eric Germann Subject: Re: What could have been done differently? From: "Eric Germann" > > Not to sound too pro-MS, but if they are going to sue, they should be > able to > sue ALL software makers. And what does that do to open source? > Apache, MySQL, OpenSS

Re: What could have been done differently?

2003-01-28 Thread Ted Fischer
At 11:13 AM 1/28/03 -0200, Rubens Kuhl Jr. et al postulated: | Are there practical answers that actually work in the real world with | real users and real business needs? Yes, the simple ones that are known for decades: - Minimum-privilege networks (access is blocked by default, permitted to kn

Re: What could have been done differently?

2003-01-28 Thread Jack Bates
From: "Eric Germann" > > Not to sound too pro-MS, but if they are going to sue, they should be able to > sue ALL software makers. And what does that do to open source? Apache, > MySQL, OpenSSH, etc have all had their problems. Should we sue the nail gun > vendor because some moron shoots himsel

RE: What could have been done differently?

2003-01-28 Thread Eric Germann
Not to sound too pro-MS, but if they are going to sue, they should be able to sue ALL software makers. And what does that do to open source? Apache, MySQL, OpenSSH, etc have all had their problems. Should we sue the nail gun vendor because some moron shoots himself in the head with it? No. It

Re: What could have been done differently?

2003-01-28 Thread Leo Bicknell
In a message written on Tue, Jan 28, 2003 at 03:10:18AM -0500, Sean Donelan wrote: > They bought the finest firewalls, A firewall is a tool, not a solution. Firewall companies advertise much like Home Depot (Lowes, etc), "everything you need to build a house". While anyone with 3 brain cells realize

Re: What could have been done differently?

2003-01-28 Thread Rubens Kuhl Jr.
| Many different companies were hit hard by the Slammer worm, some with | better than average reputations for security awareness. They bought | the finest firewalls, they had two-factor biometric locks on their data | centers, they installed anti-virus software, they paid for SAS70 | audits by the pr

Re: What could have been done differently?

2003-01-28 Thread Eliot Lear
Sean, Ultimately, all mass-distributed software is vulnerable to software bugs. Much as we all like to bash Microsoft, the same problem can and has occurred through buffer overruns. One thing that companies can do to mitigate a failure is to detect it faster, and stop the source. Since you

Re: What could have been done differently?

2003-01-28 Thread E.B. Dreger
ED> Date: Tue, 28 Jan 2003 12:42:41 +0000 (GMT) ED> From: E.B. Dreger ED> Sure, worm authors are to blame for their creations. ED> Software developers are to blame for bugs. Admins are to s/Admins/Admins and their management/ Eddy -- Brotsman & Dreger, Inc. - EverQuick Internet Division Band

Re: What could have been done differently?

2003-01-28 Thread E.B. Dreger
SD> Date: Tue, 28 Jan 2003 03:10:18 -0500 (EST) SD> From: Sean Donelan [ snip firewalls, audits, et cetera ] As most people on this list hopefully know, security is a process... not a product. Tools are useless if they are not applied properly. SD> Are there practical answers that actually w

Re: What could have been done differently?

2003-01-28 Thread Alex Bligh
Sean, --On 28 January 2003 03:10 -0500 Sean Donelan <[EMAIL PROTECTED]> wrote: Are there practical answers that actually work in the real world with real users and real business needs? 1. Employ clueful staff 2. Make their operating environment (procedures etc.) best able to exploit their c