[unisog] [dc-sage] Code Red mutated? (fwd)

Jeff Anderson-Lee jonah at dlp.CS.Berkeley.EDU
Mon Aug 6 20:25:06 GMT 2001


Paul L Schmehl <pauls at utdallas.edu> wrote:
 :The problem is two-fold:
 :1) People with no ethics who have no qualms about breaking into other 
 :people's equipment
 :2) IR folks and individuals who, for whatever reason or excuse, won't 
 :update their equipment.

Don't forget:
3) Marketing pressure to ship code early and without extensive 
   security related code-review.
4) Products shipped with all the bells and whistles (e.g. IIS) auto-enabled.
5) People who don't know to patch what they don't know they are running.
6) Products shipped with unsafe features because someone thinks that
   users want them and the "Gee Whiz" factor is worth more than the risk.
7) Products marketed and sold to users who don't have the IT skills to
   manage them because after all "it's just point and click", right?
8) Patches shipped as "Hotfixes" instead of more publicized "Critical Updates".

There are many sides to this issue, and Microsoft and other software
vendors are NOT free of some share in the blame.  All software vendors
may need to start changing their tune very soon or else:  CAVEAT
EMPTOR!  This is some "majorly bad" PR and hopefully that will hit home
if nothing else does.  No doubt at least some companies are going to be
taking a long hard look at the TCO price of running Microsoft products
(amongst others).

Jeff Anderson-Lee
Systems Manager, Digital Library Project
ERL, University of California at Berkeley
