echo: nthelp
to: Rich
from: Ellen K.
date: 2003-02-01 20:52:58
subject: Re: Why are some folks incapable while others are not?

It's really interesting to see how things work in a not-very-big MIS
department.  There were three machines running SQL Server when I
arrived at my new job at the end of November.  (Now there are four plus
my test box.)  All of them were running the original version, i.e. NO
service packs or patches had been applied.  However, the company was
protected by virtue of the fact that ports 1433 and 1434 were blocked at
the firewall.  Last week, with impeccable timing, the firewall went
down.  None of the machines with SQL Server are naked on the net, but
the network guy said any box using NAT was effectively naked.  (At
least I think that's what he said, I don't understand anything about
networking, but it was something about NAT.)  Which meant that if one
of those had MSDE on it, the worm could have gotten in.  Meanwhile
Thursday the guy who went to SQL Server class but should stick to hardware
installed the personal version on the machine of one of the Clipper
programmers, with no service pack.  I told them to put it on,
even wrote down for them the exact path where I put it on the network and
printed out the instructions I had made, they didn't.  Friday I
asked the programmer if he installed it, he said "I don't need the
latest version, I just put it on my box to play with so I can learn
it."  Then I explained for the second time that this is a security
problem.  The sysadmin was sitting right there and I guess that gave me a
little more credibility because then he went and finally applied it.
Sheesh.


On Thu, 30 Jan 2003 15:59:30 -0800, "Rich"  wrote in message
:

>   If you are arguing that a process involving humans is less than perfect, I
> would have no disagreement.  I think the human factor is all the
> difference.  I had no problem because I make the effort to keep my systems
> safe.  George claimed that he doesn't get hit by exploits because he does
> the same.  Joe Barr is an example of someone that while he talks a lot
> about how Windows is horrible and Linux is great did get his Linux system
> rooted while George and I running Windows have not.  I believe that what
> this shows is that George and I are more competent than Joe Barr.
>
>   I'll go further and say that you can't force people to do things they
> should and to not do things they shouldn't.  It's not like the effort in
> this recent example was large.  Some people simply didn't do it for
> different reasons probably ranging from, I didn't know to it's not
> important to it's not my job.
>
>   What I find both sad and humorous when these things happen is that lots of
> people go off in search of someone to blame because it has to be someone
> else at fault.  The blame here goes first to the folks that released the
> worm.  They took a malicious action.  From there it really depends on
> perspective.  An admin responsible for keeping a system secure is by
> definition the one responsible when he has failed to do so.  These admins
> are innocent bystanders when it comes to being attacked but that doesn't
> absolve them of the responsibility they have.  Similarly, Microsoft was
> responsible for the bug being exploited and like the admin for his own
> systems is responsible for releasing an update which Microsoft did last
> July.
>
>   On a related note, I think the guy that originally reported the problem is
> feeling a bit guilty.  One article I read suggested that he has or will
> consider changing his reporting of problems so as not to provide potential
> attackers with ammunition.
>
>Rich
>
>  "John Cuccia"  wrote in message
>  news:2c2j3vsj46vqnv69pq07qhpnp3rus8m294{at}4ax.com...
>  On Wed, 29 Jan 2003 18:53:06 -0800, "Rich"  wrote:
>
>  >   It's all a red herring anyway.  Despite John's delusions, I had no
>  > problem with my computers even with MSDE installed.  Why, because I'm more
>  > competent than John must believe himself to be.  Lots of people are.  If
>  > John is not one of them he shouldn't go blaming anyone else.
>
>  Talk about your red herrings! I have no beliefs concerning your
>  computers at all, Rich, nor do I believe you to be incompetent.
>
>  The discussion in question is about a larger issue than your
>  computers, or mine.  It is about a flawed process, no matter how hard
>  you try to make it be about something else

--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)

SOURCE: echomail via fidonet.ozzmosis.com
