[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Authorities eye MSBlaster suspect 

"Chris DeVoney" <cdevoney@u.washington.edu> wrote:

> On Friday, August 29, 2003 8:24 AM, Charles Ballowe wrote:
> > Interesting -- the net cost of the worm is actually a net 
> > $0.00. For every penny that a company chalks up as a cost to 
> > the worm, some other company must be chalking up the cost as 
> > a profit from the worm. 
> 
> Forgive the comment, but that statement is very untrue. As someone else
> hinted, companies are diverting manpower from other projects to tackle the
> worm. No other company is benefitting from that expenditure.

Wrong.

In at least some of those cases those "extra" resources are simply 
hastily applying the fixes and better preventative measures that should 
already have been applied or in place.  Thus the _rest of the Internet_ 
benefits from that expenditure and therefore the site being fixed not 
only directly benefits (it will no longer be vulnerable to attack 
through this and related and highly obvious, even if not previously 
used in exploits against it, mechanisms) but indirectly (through its 
efforts and those on other previously inadequately configured systems, 
the Internet as a whole is a better place, meaning it is a better place 
for this site too).

> Then there is the case of academic and medical establishments, of which I
> can speak from experience. There were some additional costs in hiring
> contractors. But the biggest cost was the diversion of (my estimate)
> hundreds of man-weeks to analyzing, patching, remediating, mitigating these
> worms from other projects. That wasn't money lost, that was time lost. And
> the faculty, staff, students, and everyone who depends on that work loss.

...which clearly was never suitably factored into the initial design, 
roll-out and ongoing management of the systems in those establishments. 
 If they paid out big now to fix this "one-off" (yeah, right...) 
incident, why did they not pay the little more up front to ensure they 
had well-designed, properly secured and easily managed systems that 
would have _prevented_ all those losses you are now bleating about?

Why not?  Simple -- they decided it was better to save a few grand and 
get four more PCs (or a couple of kick-arse systems to slake the sys-
admins thirsts for Quake, or whatever...).

False economy.  Always was, always is and always will be.

Do it once, do it right.

There was no rocket science in being prepared to be anything other than 
mildly inconvenienced by Blaster -- sure, "outside" machines or 
machines with outside network connections that are also inside your 
site can be a hassle, but quality network gear allowing you to turn 
those machines off outlet by outlet is available and has been forever 
(though again, yes it costs a few bucks more up-front).  Further, as 
such paths have always been stupefyingly obvious entrance points for 
this kind of "attack", protecting against them should always have been 
factored into the design and thus not be something to be hand-wringing 
over after the latest attack.

> I won't go into fuller details, but because of the heavy dependence of
> computing in biotechnology and medical fields, these worms and other
> security problems have a larger societial cost.  ....

Which _surely_ raises questions about the sanity of anyone who would 
consider connecting such critical stuff to a sewer of a network like 
"the Internet as we have it", and doubly so to actually make such 
connections without taking _extremely careful and well thought through 
protective measures.

It also raises serious questions about the sanity of the funding 
processes and groups that dole out the money driving these projects.

> ...  Most university medical
> research comes from fixed grants. When you are always trying make those
> limited resources stretch, diverting money and time to nonsense like this is
> very, very frustrating. These problems do delay medical research and adds to
> the cost of medical research without giving human benefits. 

Which makes it all the more imperative that the tax dollars funding you 
are deployed to best effect _up front_ rather than inefficiently and 
all topsy turvy when half the campus is running around like chooks with 
their heads cut off, no??

> I wish these misceates would consider those implications before converting a
> lab server into a warez server when they get hit with a leading-edge or rare
> illness. 

Yeah, right, don't we all

In the meantime however, the US tax payers expect you (I don't mean you 
personally, more "you, the IT staff at such institutions collectively") 
to do something more effective with the "contributions" they make...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html