
BLU Discuss list archive



Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET



On Fri, Mar 23, 2001 at 06:31:12PM -0500, Kenneth E. Lussier wrote:
> OK, I could accept that. Except that it's two months old. I can see

It doesn't matter if a vulnerability is two months old or 6 years old.
Many system administrators either simply don't know anything about
system security (a sad but true fact), or they don't know ENOUGH about
it to take it seriously.  Also, bear in mind that we now have all
these unwashed masses running versions of BIND that ship with their
Linux distros (many of which are way outdated versions that came on
CD in some book they bought at B&N).  These people mostly don't know
what system security IS, never mind how to practice it.

There are lots of reasons for people to not have these things fixed.
The largest one is ignorance.  You can't fix something you don't even
know is broken.


> If a sysadmin really is that overworked that they cannot keep recent,
> never mind current, on these issues, then management needs to wake up
> and smell the exploit. But then again, management usually doesn't pay
> attention until something happens and it's too late. I believe Bruce
> Schneier said it best when he said " Anyone who believes that
> reactionary security measures are sufficient is either ignorant, blind,
> or management".  

This is both humorous and well-said, but belies the real problem.
Management falls into the same category as the poor newbie playing
with their first free U*ix distro.  They simply don't know any better.
And to make matters worse, often some managers will take an occasional
glance at a computer magazine, and convince themselves that they know
all about computer security, and make decisions based on the most
cursory understanding of the problem.  This makes all our jobs harder.
Fortunately, some managers get it, and some know they DON'T get it.
Those are the ones you want to work for.

I went to a SANS conference today...  I consider myself fairly
well-informed about security issues, and a lot of the material
presented today wasn't really all that new to me (and some of it was).
But there were some interesting things said today by both the
instructor, Jesper Johansson (who, by the way, was excellent), and also
by an FBI agent (James Hegarty) from their computer crimes division
who happened to be taking the class, which sort of opened my eyes.
Frankly, between the two of them, they've almost got me scared enough
to seriously consider purchasing liability insurance and/or a change
of career; and ironically, the enemy often is not the hackers...  Just
ask Randall Schwartz.

Good security is not easy, and it is not a joke.  Anyone who thinks
otherwise is fooling themselves.  If System/Security Administration is
your job, make sure not only that you're keeping up-to-date on
vulnerabilities, but also that your management understands what you
are doing and why you are doing it.  Get it in writing and SIGNED, if
possible.  And if it isn't possible, it may be worth considering
finding a new employer.  The risks to YOU are potentially VERY
serious.  Just ask Randall Schwartz.

  http://www.lightlink.com/spacenka/fors/faqv4p1.html#q4

  http://www.lightlink.com/spacenka/fors/

  http://www.stonehenge.com/merlyn/ (see: The biggest news in my life
  at the moment)

If you're interested in learning more about system security (and IMNSHO
if you're on this list you ought to be), SANS/GIAC has just added
eCoast III in Portsmouth, in April.  The material presented is both
informative and interesting.  If you're relatively new to system
security, definitely check out GIAC Track I - Security Essentials.
The three-day seminar will put you out about $1500, but it may be the
best investment in your career you've ever made...

-- 
Somebody set up us the bomb.
All your base are belong to us.
Take off every zig for great justice.
---------------------------------------------------
Derek Martin          |   Unix/Linux geek
ddm at pizzashack.org    |   GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
