RE: [inbox] Re: CyberInsecurity: The cost of Monopoly

["Curt Purdy" <purdy () tecman com>]

NT4 SP2 was a nightmare.  Luckily I heard about it in the newsgroups the day
I planned on installing it on my ISP boxes (yes I run IIS, locked down, in
addition to Apache).  That taught me a lesson, and I now wait 48-72 hours
after release before installing any Microsoft service pack or hotfix, while
I observe Uncle Bill's guinea-pigs.

One of the things I love about *NIX is the stability.  FreeBSD 5.1 (I run on
my desktop) is more stable than any Microsoft .1 product ever hoped to be,
but the FreeBSD crew is still classifying 4.8 the production version (I run
on my servers).

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity zar Richard Clarke


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of Rodrigo
Barbosa
Sent: Tuesday, September 30, 2003 2:01 AM
To: full-disclosure () lists netsys com
Subject: Re: [inbox] Re: [Full-disclosure] CyberInsecurity: The cost of
Monopoly


On Mon, Sep 29, 2003 at 11:51:03PM -0500, Paul Schmehl wrote:
> > As some may recall, my original statement was an answer to someone that
> > was points that Unix is more secure then Windows (I agree up to this
> > point), and gave and example telling that there are still several codered
> > vulnerable machine around. This is the point I was commenting about. And
> > you do have to agree that is a machine, today, is still vulnerable to
> > Codered, it is mostly due to a fault of the administrator.
> I'm going to pick one small nit with you.  There is another possible
guilty
> party.  In some cases, at least in edu and medical centers (that's what
I'm
> familiar with) the *vendor* is at fault.  Some vendors will not certify
> their scientific instruments with the latest Service Packs and patches,
> leaving the admins no other choice but to find some other way to protect
> the machine.  (Hell, we sometimes have trouble getting vendors of
> *security* devices to support their products with the latest SPs and
> patches.  (Which is another reason that I dislike putting security-related
> software on Windows boxes, but sometimes you simply have no choice.)

I stand corrected.

I kind of remember something about a friend of mine (Win admin) installing
NT SP2 and it breaking MS-SQL server.

And yes, you are correct about vendors too.

So, simply put, we are doomed :)

- When the software gets a bugfix released, you can't install it because
of the vendor
- When you can install it regardless of the vendor, the net admin forgets
to install it
- When the net admin remembers to install it, the users mess up
- When the user don't mess up, the cleaning lady pulls the plug

Talk about trustworthy computing :)

[]s

--
Rodrigo Barbosa <rodrigob () suespammers org>
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html