Linux Users' Group of Davis (LUGOD)
Page last updated: 2003 Mar 18 15:50

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Re: [vox] what do they pay their staff for?!?

On Tue, Mar 18, 2003 at 12:26:41PM -0800, Peter Jay Salzman wrote:
> ok, let's forget the issue of why the army is using IIS to begin with.
> that's a whole different issue.  i'm wondering who gets paid to sit
> around and administrate army webservers, and why it didn't occur to them
> 
>    "hey, wait a minute.  WE'RE running IIS on win2k servers!"

Okay...

Two perspectives:

1) This is a problem that was being exploited by crackers and was learned
about in "white hat" circles by analyzing how the crackers were getting into
the systems.  Knowledge of the hole only started being available last week
(Wednesday, IIRC) and CERT and MS's mailing lists (err, and ISS) only sent
out info with links to the patch on Monday.

2) It's one of those "security hotfixes", meaning that it's almost totally
untested.  This means that at an institution of meaningful size the correct
procedure is to deploy the hotfix on a testbed server, test that everything
works, and only then deploy it on the live server.  (or rotate between
testbed and live; depends on your setup) -- that could take most of a day.

When the fix is out before the exploit, it's reasonably easy...  It's also
easier when dealing with a patch-providing organization that can be
trusted to do a bit of testing on their own and where individual components
of the system can be trusted to be upgradeable without affecting the rest of
the system.  (in other words, if I upgrade the web server on a Linux box, I
don't need to test the mail server; if I upgrade the web server on a win2k
box, I *must* check the mail server, as well as even less vaguely related
things.)

(In other words: give MS a hard time, not the poor overworked army sysadmin
who's supposed to maintain 500 boxes, of which the one that got hacked is
more than halfway down the priority list.)
-- 
Eric Eisenhart <*@eric.eisenhart.name>
http://eric.eisenhart.name/
IRC: Freiheit@freenode, AIM: falsch freiheit, ICQ: 48217244

Attachment: pgp00012.pgp
Description: PGP signature
