[unisog] zotob variant?

Edgecombe, Jason jwedgeco at email.uncc.edu
Fri Oct 14 12:40:07 GMT 2005

> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of John Stauffacher
> Sent: Thursday, October 13, 2005 5:30 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] zotob variant?
> I've really always wondered why Anti-Floop (shameless..I know) vendors
> always want to "Enumerate Badness". Wouldn't it be a whole lot easier to
> enumerate the good? I'm sure the avg user will have a pretty small
> "whitelist" of apps that they run, rather than the overly ambiguous
> "blacklist" of stuff that maybe they don't want to run. Seems like a
> perfect candidate for default deny and then allow based upon
> whitelisting. But that's all a pipedream; for now we rely on policy
> tools to make sure our computers are up to date and shaky "sig" based
> solutions, with their hourly updates....I'd rather just write-protect
> the C drive and be done with it....

Hi John,

I agree with the enumerate goodness principle, but sometimes you just
can't get away with it in reality. Applications are a good example. The
problem is that our users have been allowed to run anything they wanted,
including such badness as kazaa. The users are used to this and expect
it. There would be hell-raising if we went to a whitelist approach for
faculty. We can't even pull it off in the well-controlled labs. We rely
on DeepFreeze to clear off any badness. God forbid if some big grant
holder can't run his program or the Playboy CD (found that once on a
faculty PC). All it takes is one cash cow to get ticked off, and the
game's over.

The core problem is that we don't have a list of applications that need
to be run. We have visitors and quasi-students who pay money to the Univ
and have to run some obscure app to teach some class. We're still having
trouble getting people to schedule lab reservations ahead of time.

Ideally, we could drop everyone from Power User to regular user and get a
handle on things, but we don't have the manpower or user goodwill to
pull that off.

Jason Edgecombe
TST Web Developer
Dean's Office, College of Arts & Sciences
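The two policies argued over in this thread, "enumerate badness" (a signature denylist) versus default deny with an application allowlist, side by side on constructed data. This is an added example, not code from the thread or from any vendor product mentioned; the binary names, contents and hashes are all made up. It hashes a handful of stand-in executables, applies each policy, and shows both halves of the argument: the denylist lets a repacked variant with no signature run, while the allowlist blocks it but also blocks the obscure, legitimate app a visitor turns up with, which is the operational cost Jason describes.

```python
"""Default-deny allowlisting versus signature denylisting (added example).

All executables below are constructed byte strings standing in for real
binaries; the hashes derived from them are therefore constructed too.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash the file contents; real tools would hash the on-disk binary."""
    return hashlib.sha256(data).hexdigest()


# Constructed "binaries" a lab or faculty PC might try to run.
BINARIES = {
    "notepad.exe": b"approved editor build 1",
    "office.exe": b"approved office suite build 7",
    "grant_app.exe": b"obscure but legitimate teaching app nobody registered",
    "kazaa.exe": b"known unwanted p2p client",
    "worm_variant_a.exe": b"known worm sample A",
    # Same worm, repacked: different hash, so no signature exists for it yet.
    "worm_variant_b.exe": b"known worm sample A, repacked",
}

# Enumerate goodness: the short list of apps the image is supposed to run.
ALLOWLIST = {
    sha256_hex(BINARIES["notepad.exe"]),
    sha256_hex(BINARIES["office.exe"]),
}

# Enumerate badness: signatures for what has already been seen and analysed.
DENYLIST = {
    sha256_hex(BINARIES["kazaa.exe"]),
    sha256_hex(BINARIES["worm_variant_a.exe"]),
}


def denylist_decision(contents: bytes) -> str:
    """Run anything that does not match a known-bad signature."""
    return "block" if sha256_hex(contents) in DENYLIST else "allow"


def allowlist_decision(contents: bytes) -> str:
    """Block anything that is not explicitly approved (default deny)."""
    return "allow" if sha256_hex(contents) in ALLOWLIST else "block"


def evaluate(policy) -> dict:
    """Apply one policy to every constructed binary; returns name -> decision."""
    return {name: policy(data) for name, data in BINARIES.items()}


def policy_gaps() -> dict:
    """Summarise where each policy fails, as the thread describes.

    'missed_by_denylist': ran under the denylist but is not an approved app.
    'blocked_by_allowlist': blocked under the allowlist yet not known-bad,
    i.e. the legitimate-but-unregistered app that generates the complaints.
    """
    deny = evaluate(denylist_decision)
    allow = evaluate(allowlist_decision)
    return {
        "missed_by_denylist": sorted(
            n for n in BINARIES if deny[n] == "allow" and allow[n] == "block"
        ),
        "blocked_by_allowlist": sorted(
            n for n in BINARIES
            if allow[n] == "block" and sha256_hex(BINARIES[n]) not in DENYLIST
        ),
    }


if __name__ == "__main__":
    for label, policy in (("denylist", denylist_decision),
                          ("allowlist", allowlist_decision)):
        print(label, evaluate(policy))
    print("gaps", policy_gaps())
```

The repacked variant is the point of the "zotob variant?" subject line: a hash-or-signature denylist only knows what has already been catalogued, so every new packing starts out as "allow". The allowlist has no such blind spot, but `grant_app.exe` shows why it needs an inventory of legitimate software before it can be rolled out, which is exactly the list Jason says his campus does not have.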
