[unisog] Security patches

Gary Flynn flynngn at jmu.edu
Tue Aug 7 16:30:30 GMT 2001

Paul L Schmehl wrote:
> Now, she is the extreme, but there are many people out there with a similar
> lack of security awareness.  They just find it really hard to believe that
> someone would actually want to break in to their computer.  After all,
> "there's nothing important on it".

I can't tell you how many times I've heard that. :(

We need to explain to these folks that computers are like cars and not
like safes. They allow a thief to travel around the Internet performing
mischief or worse with stolen tags. And if they hijack your car while
you're in it, they have your wallet, ID, access cards, fingerprints,
etc. to do with what they will.

Paul, I agree 100% with the thrust of this message but I have to pick
some nits further on.... :)

> **This** is the point I'm trying to make.  If we're really serious about
> security, we need to start talking about patching and stop complaining
> about vendors.  We need to make it as easy as possible for our users to
> patch their machines.

The vendors need to make it as easy as possible for our users to
patch their machines. It's their defects that are causing the
problems, and their lack of setting reasonable expectations in
their marketing literature for their products' need for ongoing
maintenance and technical know-how to safely reside on a world-wide

Maybe each patch should entitle the customer to one free upgrade or
thirty minutes of free support. :)

> Yes, we need to complain *to* the vendors.  Yes, we need to *demand* better
> programming.  Yes, we need to find *somebody*, *anybody* who has a clue
> what bounds checking is.  But if we keep pounding on the vendor issue,
> that's all the general public hears, and they think it exempts them from
> worrying about security.  Hey, if *we* are helpless to solve the problem
> (because it's the vendors' fault), what are they supposed to do?

Stop buying from the vendors in the public spotlight? :)

Just kidding. I suspect that any vendor pandering to consumer demand
for ease of use, functionality, and time to market over all else would 
likely be in the same predicament as Microsoft. And if they don't pander, 
they don't stay in business.

> How many more Code Reds do we have to go through
> before we finally start getting mad at the networks that, by not patching
> their servers in a timely manner, put all of us at greater risk?

It's not the "networks". It's the individual computer operators. That said,
a network owned by an organization should definitely take steps to ensure
the integrity of its own network and in the process of doing so enforce 
reasonable expectations on its computer operators. Of course this means
that those in power have to do more than throw any available warm body
at the job and give them the time and resources to do the job properly.

It's only a matter of time before this stuff gets dumped on the courts
to determine liability.

> Should ISPs be totally blameless?  Why can't they block Code Red attacks
> before they get to the naive home users?  Why can't they stop SirCam at the
> front door?  Right now, ISPs are an open playground for crackers and script
> kiddies.  Is this the vendors' fault too?

ISPs are communications providers and should remain so. They should not
set or enforce security policies for their customers unless asked to do
so. I don't expect my phone company to screen my calls and don't want
my ISP to do so either. Their involvement should be limited to things
like secure routing updates, anti-spoofing filters, and increasing their
ability to detect, stop, and/or trace malicious activity at the request
of proper authorities.

Maybe it's time for commercial and amateur computing licenses for the public
Internet, à la the commercial and amateur radio licenses for the public

Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
