OSEC

lists_at_notatla.demon.co.uk
Date: Sun Oct 27 2002 - 03:39:16 CST


    From: Michael Dean <michaelldeansbcglobal.net>
    > Now your answer below -- I think that guy is all wet. Maybe that's the
    > attitude in the corner drugstore, but not in any big business.

    If you don't know the difference between the corner drugstore and an
    investment bank I'm not sending you to get my ibuprofen!

    Sorry to anyone who thought you were escaping the rant.

    Crispin writes:
    > I think Antonomasia is largely correct. It's not that big business does
    > not want security, it's just that functional requirements often trump
    > security desires. In some cases this is actually a good idea (managing
    > some risks is cheaper than fixing the vulnerabilities). In some other
    > cases it is just cluelessness; management doesn't understand the risks

    I think they don't realise that getting some security takes effort, requires
    central policy (not just on the books, but actually distributed and promoted)
    and involves everybody in following it. A handful of guys in an isolated
    office are not, by themselves, and for many reasons, going to get rid of
    the problems. What can be done is finding the problems and taking them to
    the people involved - in the hope of fixing them and educating them to avoid
    recurrence.

    If they don't want to know all we can do is point out that they're in
    violation of policy and may be spotted in the next audit. More common
    is the view "I need this or that to do my job" - they rarely do. I had
    a sysadmin round my desk asking about passwordless ssh as root to produce
    and transfer some files (that had to be made as root, he said). I suggested
    cron as root to produce the files then he can ssh them as some other user.
    We often help in ways like that (and sometimes program a bit for them) but
    our presence in the corner doesn't magically make everybody else act securely.

    People aren't going to take world-write off their scripts run from cron until
    someone tells them it should be done. With .profile and similar we just do it
    without asking.

    Now if department A issues faulty code that gives the caller root
    and department B has been using it for a while on multi-user machines in
    ways not expected by "A" before I find out - you're all set for a big
    finger-pointing exercise in which 13 months (so far) pass and nothing has
    been fixed.

    Then we had the guy wanting to install wu-ftpd thinking that if he logged file
    transfers and held transferred files under home directories it would protect
    his live code from unapproved modification by developers. Does he think FTP
    is the only way to transfer files?

    And the sysadmins are not much better - the times I see unrestricted NFS
    exports, + in /.rhosts, inetd.conf (or something called from it) with
    world-write and new installs about a year behind in patches. They also
    need every machine they build to be inspected - and then get sent a list of
    things to fix just like the last 100 times they did this. Learning R! us.

    As it is we can only pick stuff from the top of the urgent pile so this is
    prioritisation by resource starvation. I never expect to reach the point
    where I can look all around and see nothing worth fixing.

    But as this related to training and qualification - if I can do 90% of my
    job by grousing about filemodes will it make any difference if I can
    explain salt in password hashes to a developer who may or may not do what
    I suggest and I'll never know?

    Funnily enough managers are finding out the hard way that man-hours spent at
    the desk don't amount to useful work. And that normally means reorganisation
    rather than reform.
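An added audit script, not code from the post or the list, that checks for the specific findings the post lists: world-writable programs launched from crontab or inetd.conf, a bare "+" in /.rhosts, and NFS exports with no client restriction. It runs over a constructed sample tree (the file paths and contents are assumptions); pass real /etc paths to audit a host.

```shell
#!/bin/sh
# Added example, not code from the post or the list: a read-only audit for the
# misconfigurations named there. It runs over a constructed sample tree; pass
# real /etc paths to audit a host.

# Programs launched from a crontab or inetd.conf that are world-writable.
# $1 = config file, $2 = root under which referenced paths are resolved.
world_writable_targets() {
    grep -v '^[[:space:]]*#' "$1" | grep -o '/[^[:space:]]*' | sort -u |
    while read -r p; do
        if [ -f "$2$p" ] && [ -n "$(find "$2$p" -perm -002 -print)" ]; then
            echo "$p"
        fi
    done
}

# A bare "+" in /.rhosts trusts every host for rlogin/rsh; print such lines.
rhosts_plus() {
    grep -E '^[[:space:]]*\+([[:space:]]|$)' "$1" || true
}

# /etc/exports entries with no client list at all or a wildcard client.
open_exports() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF == 1 || $2 ~ /^\*/ { print $1 }'
}

# Constructed sample tree standing in for / on the audited host (assumption).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/local/bin" "$d/etc"
    printf '#!/bin/sh\n' > "$d/usr/local/bin/report.sh"
    printf '#!/bin/sh\n' > "$d/usr/local/bin/ftpd"
    chmod 777 "$d/usr/local/bin/report.sh"   # world-writable cron script
    chmod 755 "$d/usr/local/bin/ftpd"        # correctly protected
    printf '0 2 * * * /usr/local/bin/report.sh\n' > "$d/etc/crontab"
    printf 'ftp stream tcp nowait root /usr/local/bin/ftpd ftpd\n' > "$d/etc/inetd.conf"
    printf '+\nadmin.example.com root\n' > "$d/.rhosts"
    printf '/export/home\n/export/tools *(ro)\n/export/priv 10.0.0.0/8(rw)\n' > "$d/etc/exports"
    echo "$d"
}

# Run every check over the sample tree and print the findings.
root=$(make_sample)
echo "world-writable cron/inetd targets:"
world_writable_targets "$root/etc/crontab" "$root"
world_writable_targets "$root/etc/inetd.conf" "$root"
echo "rhosts wildcard lines:"; rhosts_plus "$root/.rhosts"
echo "unrestricted NFS exports:"; open_exports "$root/etc/exports"
```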