Full Disclosure mailing list archives

Re: DCOM RPC exploit (dcom.c)


From: Paul Schmehl <pauls () utdallas edu>
Date: 27 Jul 2003 15:18:13 -0500

On Sun, 2003-07-27 at 14:24, Jason wrote:

> Ok:
> In short it goes like this.
>
> Click Start->Run
> Type "dcomcnfg.exe"
> Turn it off

Great!  Now go click all 5000 computers we have to take care of.  This
is exactly what I'm talking about.  You smugly criticize networks for
not fixing problems, yet you completely ignore the fact that the tools
to do this on an enterprise scale either don't exist, are far too
expensive for the average network or require scripting expertise that
most don't have.  Not to mention the fact that for this to even work,
the security context must be administrator and the concept of sudo
hasn't entered the Windows world in a secure implementation (that I'm
aware of).

> Please see references above for the counter to this statement.
>
> As to charging for the knowledge. Yeah, it is my time and my mind that
> does the work, of course I am going to charge for it. Does UT provide an
> education for free to everyone?

No, but we don't charge them an arm and a leg either.  Like most
universities, the product we provide is bargain priced and available to
almost anyone that's alive and breathing.

> Hardly hypocritical, the information is free for the taking and the
> tools are readily available. Most of them already exist in the OS that
> was paid for. It simply requires that the time be put in to do it.
>
> To the open source easy to use statement, since Windows is pay to use
> why would anyone expect to be able to manage it for free?

I don't think it's unreasonable to expect an operating system to come
with the tools to manage it on an enterprise level rather than having to
spend extra dollars for that functionality.  Do you?

> I vote to
> spend my time making the free things easier to use so I do not have to
> buy Windows.

Then don't criticize the Windows "community" for not having the tools to
do the job.  Criticize Microsoft.

> I live in the real world, it is harsh and brutal, it is in fact the same
> world we all live in. Unfortunately the universities are half the
> problem here. A fantasy world exists on every campus where the belief is
> that everything should be free and you should be able to do whatever
> you want.

You're sadly mistaken.  Unis don't expect to get everything for free. 
But they don't get enough funding to purchase a full set of commercial
tools either.  And where do you think a large chunk of the open source
stuff comes from anyway?  Who writes much of the code?  Who provides the
mirrors to the world, free of charge?  Who does most of the research?

> Only one catch, we charge to be here at university to have
> access to our fantasy world where you get this information and do what
> you want but we want you to give your information to us for free even if
> you are not in our fantasy world. That is hypocritical.

It would be, if that were reality.  The reality is that most people's
education is highly subsidized by governments and private contributors. 
If students actually had to *pay* for their education (what it actually
costs to provide it to them) there would be far fewer students, far
fewer universities and a lot less open source programs.

> Here we go again with this fantasy stuff, the information is free, the
> work to implement it is yours to do.

Funny how you think *your* labor has value, but the IT admins' does not.


> > IDSes don't protect anything.  They merely tell you where the shit just
> > hit the fan.  IPSes are still in their infancy, and very few admins are
> > going to trust them to stop bad stuff without also stopping important
> > traffic.
>
> Some select quotes from any dictionary. They seem to apply to IDS in
> this case.
>
> protect: To keep from being damaged, attacked, stolen, or injured; guard.
>
> guard: To protect from harm by or as if by watching over.
>         To supervise entry or exit through; keep watch at.


Oh, I get it.  You've never actually used an IDS.  You just understand
the dictionary definition of one.  Try sitting in front of the console
staring at a half a million alerts and see if the IDS *does* anything
besides spewing information that *you* have to research, that *you* 
have to interpret and that *you* have to take action on.

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
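
The dcomcnfg.exe steps quoted in the message toggle the "Enable Distributed COM on this computer" setting, which is stored as the EnableDCOM value under HKLM\SOFTWARE\Microsoft\Ole. As an added example (not code from either poster), the PowerShell below reads that value on a list of machines over Remote Registry and sets it to N only when -Disable is given; the host names are constructed placeholders, and it assumes administrator rights and a reachable Remote Registry service on each target.

```powershell
# Added example: audit, and optionally change, the DCOM switch on many hosts.
# Assumptions: the host names are constructed placeholders; Remote Registry is
# reachable and the caller is a local administrator on every target.
param(
    [string[]]$ComputerName = @('ws-0001.example.test', 'ws-0002.example.test'),
    [switch]$Disable   # without this switch the script only reports
)

function Get-DcomState {
    param([string]$Computer, [bool]$Disable)
    $result = [ordered]@{ Computer = $Computer; Before = $null; After = $null; Error = $null }
    $hklm = $null
    $ole  = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        # Open the key writable only when a change was requested.
        $ole = $hklm.OpenSubKey('SOFTWARE\Microsoft\Ole', $Disable)
        if ($null -eq $ole) { throw 'SOFTWARE\Microsoft\Ole not found' }

        $result.Before = $ole.GetValue('EnableDCOM')
        if ($Disable -and $result.Before -ne 'N') {
            # Same value the dcomcnfg.exe checkbox writes; applies after a restart.
            $ole.SetValue('EnableDCOM', 'N', [Microsoft.Win32.RegistryValueKind]::String)
        }
        $result.After = $ole.GetValue('EnableDCOM')
    }
    catch {
        # Unreachable host, access denied, service stopped: record it, keep going.
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($ole)  { $ole.Close() }
        if ($hklm) { $hklm.Close() }
    }
    [pscustomobject]$result
}

$report = foreach ($c in $ComputerName) {
    Get-DcomState -Computer $c -Disable $Disable.IsPresent
}
$report | Format-Table -AutoSize

# Hosts that errored or do not show 'N' go to a follow-up list instead of being skipped.
$report | Where-Object { $_.Error -or $_.After -ne 'N' } |
    Export-Csv -Path .\dcom-followup.csv -NoTypeInformation
```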

