Tim Mullen, 2002-04-15
Don't blame Microsoft. They gave you the patch; it's your responsibility to use it.
The Buck Stops Where?
2002-04-15
Nighthawk (3 replies)
The Buck Stops Where?
2002-04-16
Anonymous (1 replies)
I don't know what YOU are on! I have around 110 IIS servers running here. I patch the day something critical comes out. Something goes wrong?... This is why you SHOULD have something called BACKUPS. Not to mention that you can always call M$. At least their technical support is great.
Stop bitching and l...
[ more ] [ reply ]
The Buck Stops Where?
2002-05-06
Anonymous
This leads me to recommend what every company should have:
A mirror testing environment of your production machines, which represents as closely as possible your running environment. When you patch and test here, work out your backout strategy if/when things go pointy side up, ensure your backups...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-17
hmmm... (1 replies)
If you can't rebuild, troubleshoot and reconfigure every machine in your sphere of influence and don't have someone on staff who can, then get up to speed or find another profession....
[ more ] [ reply ]
The Buck Stops Where?
2002-04-23
dave.williams@gte.net
Wow, that is exactly what I want from an application provider, a developer, and--oh yeah--an Operating System/Systems house. One can dream, one can hope, and then one must install an inferior product because everyone else has...but I don't want to be the only one to take credit for being able to mai...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-15
MG (1 replies)
It is *so* refreshing to hear from someone who not only understands security, but understands how it relates to business. Extending my sales to the web is a cost of doing business. Securing the portal is an added expense, and one I know I must pay for. No one will do it for me. My IT people can ban...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-16
Anonymous (1 replies)
Sounds like you're running quite a large scale environment there with your "web portal".
How do you justify the risks associated with deploying these patches? What kind of testing, lab environment, staffing, etc do you use to mitigate the risks? How many SYSTEMS do you use with unique applicatio...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-18
MG (2 replies)
Ahem.
Let me give you a clue. If your business requires 10,000 web servers, then you sure as hell had better require your OWN formal method for testing. Saying that getting Code Red is better than learning how to deploy patches is the stupidest thing I have ever heard.
People like you are t...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-20
Willie (1 replies)
Respectfully, that's not what he said, MG (about Code Red).
I'm sure you and your staff are plenty competent about keeping things up to date and secure, and you should take some pride in that. But you and your staff don't do it for your health. It takes time and money to do these things. If y...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-22
Anonymous
From your comments it is obvious that you are used to working in mom-and-pop shops and have never had the responsibility for securing a Fortune 50 (not 500, _50_) company's infrastructure.
The recommended course of action by the author is irresponsible and would drive a real company out of busine...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-16
Willie (2 replies)
Mr. Mullen, can you at least begin to understand the system administrators' hesitancy to install this patch? Agreed, this one has to be done. But MS patches have, indeed, caused further problems in the past--and the patches just keep coming and coming. Further, why not blame Microsoft for writing ...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-17
Anonymous (1 replies)
Timmy attacks any company that differs from the M$ mindset, and doesn't have the balls to point out where the real problems lie....
[ more ] [ reply ]
Responsibility?
2002-04-16
Anonymous
While it might be your responsibility to apply the patches (hell, I'm still getting Code Red/Nimda scans on my home Apache server), it's Microsoft's responsibility to ensure the patches don't break the servers.
However, the network admins in the story should at least be testing the patch to see i...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-16
Anonymous (1 replies)
"All products have security issues, and all products will continue to have security issues."
This line is a sorry excuse for MS software. Show me the last security advisory for Apache that included patches for 10 security holes. Show me the last security advisory for Apache that gave you complet...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-17
Anonymous (1 replies)
Wouldn't you have to include all the PHP advisories and such to make it a really fair comparison?
...
[ more ] [ reply ]
The underlying concept VS patches
2002-04-16
Anonymous
How can you write something like that ?!?
Your God offers you nothing else than pure shit and you're still
happy with that! Don't blame others for not liking it!
"All software has security weaknesses"
"All software needs patches"
...
Just try to compromise my Apache server, not patched
from...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-16
Anon (3 replies)
I do agree with one point: it ultimately falls upon the administrator to secure his systems and his network. Unfortunately, at this point, if he is still using IIS and doesn't have some basic security built into his setup, he's already dropped the ball. IIS can be made immune to 90% of the worms ...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-17
Anonymous
IIS means looking for trouble. Yes, you can protect it (somewhat), but it still doesn't get even close to the rock solid Apache on BSD or Linux. Example. I have two web servers. NT4/IIS with all security patches and Slackware Linux. Installed at the same time (3 years ago). Guess how many times re-booted...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-18
Anonymous
Everyone's situation is different.
We have a webmaster and his incompetent staff who hardly know anything about Microsoft products, .asp and other MS stuff they push to do their development. So imagine the boat I am in trying to convince these bozos to switch platforms to Unix/Linux hardened syst...
[ more ] [ reply ]
The Buck Stops Where?
2002-05-05
Anonymous
I agree with a large part of what you say.
If the basic premise of an OS or NOS is ease of use, and little or no thought was given to SECURITY from inception on, by the time the product is on the street, it is too late. Security will always be an afterthought and not an integral part of the system...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-16
Anonymous
Too many organizations want 'fire and forget' technology, or at least 'fire and forget' security. They balk at spending for secure, robust planning, implementation, administration, and maintenance of their technology infrastructure. They want a 'silver bullet'; they want to 'get security' or 'get te...
[ more ] [ reply ]
Chase the vulnerability -- the game you can't win
2002-04-16
Scott Wimer
This approach to security is fundamentally broken.
As an industry, we've been playing the chase-the-vulnerability game for 15 years now. And you know what, the game hasn't really changed. The trigger events are the same now as they were when the Morris worm tore through the net (vulnerability a...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-17
Anonymous (1 replies)
Did you say that EVERYONE uses ASP? Excuse me? I've been using PHP for several years now, yes, even on my Windows/IIS servers, and I can think of probably no more than 2-3 security advisories released for it over that time period - let alone buffer overflows or other things that compromise the sys...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-17
Anonymous
You may be using PHP (which also has issues) but did you go back and purposefully remove the ASP ISAPI support? If not, you are still vulnerable. Even if *you* did, many people will not. The point is that most installations will have asp enabled, and a high percentage have to have it. If you have ...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-17
Mel
Where does the buck stop?
That depends on who's asking the question. For the customers of the company that Tim's friend works for, the buck does indeed stop at that company.... and perhaps that company's Network Admins. However for those Network Admins, the buck does indeed stop at...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-17
blacklight
When you buy a company's product, you don't just buy the product but a piece of the company's strengths and weaknesses. I just don't happen to think that MS is a software engineering powerhouse, and considering their habit of using scads of consultants rather than employees and their habit of firing...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-18
Anonymous
For those of you who work in operations that don't have a clue, follow along, it is real easy....
1) There is something called a test environment that replicates your production as closely as possible. How about testing those patches first on these boxes?
2) There is also something called due...
[ more ] [ reply ]
It all comes down to these things.
2002-04-19
Noseman (1 replies)
I believe every live environment should have a test environment. These systems should be exactly alike.
If the patch works on the test system it should work on the live system. If there is a problem on the test environment you restore from backup. The end.
If everybody moved to Iplanet or whateve...
[ more ] [ reply ]
It all comes down to these things.
2002-04-22
Anonymous
For the record, most people use Apache as their webserver of choice (http://www.netcraft.com/). Do you see many vulnerabilities for Apache?
While this "target the most prevalent system" thing might float with the server/desktop OS, it definitely doesn't float with IIS. IIS is not the most use...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-19
Owen Creger
Take a look at M$ own best practices for applying hotfixes:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/bpsp.asp
4th bullet point under General Best Practices, and I quote
"Service packs and hotfixes must be tested on a representative non-production envi...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-19
Sculder
All the comments here are so tiring and annoying. Always the same discussion between "must patch", "change system", "deactivate things". Here is the truth:
- Most people are irresponsible, they should apply the patch as soon as they appear otherwise they are bad, at least a lot worse than those nice ...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-19
Anonymous
Okay, Tim. Let's try to figure out where the buck stops.
First, who insisted that the company use IIS? Then, who refused to allow a switch to a more secure web server after Code RGB, Nimda, and every critical-hole-of-the-week since?
Who makes IT "damned if they do and damned if they don't" - d...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-22
ali abolfathi (1 replies)
I am very happy that some security experts like the author of this title look at the problem deeply and tell the facts of the IT industry. While the computers are working and serving us, the bugs and security issues exist, and it is not related just to Microsoft products.
Patching holes is one of the i...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-23
Anonymous
If you really consider that patching is one of the most important parts of the security job you are obviously ignorant of what the job is (or should be).
The most important part of the job is to help design reliable systems that would not fail at any time for any reason. Relying mostly on patches means you...
[ more ] [ reply ]
Blame the (Em)balmer?
2002-04-23
dave.williams@gte.net (1 replies)
You've really fallen out of a tree on this one...
This is akin to blaming the mortician for the death of the "customer". What business, process, or development cycle allows one to continuously "patch" its products? Medical equipment, automobiles, phones, or electric blankets don't have nearly the ...
[ more ] [ reply ]
Blame the (Em)balmer?
2002-04-29
Stefan
>> You've really fell out of a tree on this one...
Nice lead-in. When you start with an insult, people really take you seriously.
>> This is akin to blaming the mortician for the
>> death of the "customer".
Nice analogy if we overlook the small fact it doesn't make the slightest bit of se...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-23
blacklight
Somebody should have told the Big Bad "M" that patching is not as important as getting the systems right, BEFORE the Big Bad "M" started peddling their software to an unsuspecting world. Post-facto pearls of wisdom about what should have been and what could have been in some idealized past don't co...
[ more ] [ reply ]
The Buck Stops Where? -- No, not everyone uses ASP
2002-04-25
Anonymous
ASP is not worth the time. ColdFusion or PHP is worth a developer's time. [end personal rant]
A number of these posts have talked about how a sys admin is no good if they can not troubleshoot problems caused by MS patches. Yes, patches can be uninstalled and then single patches be installed inst...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-26
Bakdosh
Well, it seems that everyone here has a magical formula to build an intrusion-proof network and fortress servers. Or at least believe so. How cool.
By the way, it reminds me that one of the most important aspects of the sys admin job is to have a strategy and take the means to apply it. You need to ma...
[ more ] [ reply ]
The Buck Stops Where?
2002-04-29
Anonymous (1 replies)
Once again Tim proves he has no business writing anything other than maybe Hallmark cards. When service pack 6 for NT 4 came out I tested it, and did not install it. Then very quickly a new service pack 6a came out. Tim don't tell me, you click the "always trust Microsoft" check box in your brows...
[ more ] [ reply ]
The Buck Stops Where?
2002-05-04
Anonymous
Reminds me of the Sunw licensing agreement, where you could never tell anyone when something went wrong with your machine or you would be liable for a lawsuit. I'll never forget "Sunspots argument" from Sunw :-)! They really thought I would believe that sunspots were causing their systems to constan...
[ more ] [ reply ]
Tim, when is the last time you had to admin more than 50 servers...?
2002-04-30
tarr
You use Micro$uck, you pay the price in dollars, performance, uptime and security... Managers and magazine article writers implement M$ crap because they think a gui and "wizards" are replacements for knowing what the hell you're doing..... Don't reply, just switch to a *NIX and thank me later...
...
[ more ] [ reply ]
The Buck Stops Where?
2002-05-06
Anonymous
And why do the sysadmins have no time?
Perhaps they work for a boss like mine who refuses to buy any kit for testing and regards patching as lower priority than new systems, new flashing lights, bells and whistles. Just because systems are insecure it does not follow that the sysadmins are to blame...
[ more ] [ reply ]

I have had waaaaay too many hotfixes from M$ that have taken down IIS servers or botched up the TCP/IP stack than articles you've written!!!
Let's say this Admin has 2 identical boxes, he applies the hotfix, tests the hell out of it, finds that it works a beauty, then insta...
[ more ] [ reply ]