[PLUG-TALK] Server Security and Cracking

Rich Shepard rshepard at appl-ecosys.com
Tue Mar 5 16:21:12 UTC 2013


On Mon, 4 Mar 2013, Ronald Chmara wrote:

> Many companies collect metrics about downtime. Installing patches
> regularly creates downtime.

   Huh! So downtime that benefits the company is considered a bad thing?
Doesn't surprise me at all.

> In addition, most large companies have a weird hodge-podge of systems,
> with bizarre legacy equipment (and operating systems) that haven't been
> replaced because of budgetary constraints, political turf wars, etc.

   I forgot about this. I'm sure there are still 1970s-vintage COBOL apps
running on mainframes that have been patched, but no one alive knows all the
code and they're afraid to break it. Of course, the potential costs of
failure are probably less than re-writing the application in something
modern (on modern hardware) and porting the legacy data, but upper management
tends not to understand such subtleties.

> Here's an eye-opener: XP came out in 2001. It's had thousands of known
> holes. It represents roughly 40% of the desktops
> *currently* in use. A company may have big iron in their server rooms, but
> almost any large organization has, oh, somebody in the HR department
> running that-one-MS-Access-program-that-they-cannot-do-without, and thus
> makes for an easy target.

   True. Even with the most recent Microsoft stuff the majority of users I
know have no idea of anything beyond the surface UI. They keep all defaults
and think of these applications as the computer equivalent of a desk lamp:
plug it in and turn it on. There's no need to think about anything else.

   I just had an interesting experience with one client. He insisted that I
format a TeX-typeset document so it looked just like a Word document. The
typeset output was too different for the decision-makers to whom he reports,
who are all located in a small town in far northeast Washington.

> It's often not the case that the big iron is attacked and used to get to
> workstations, it's that workstations are a soft target, and used to get
> access to the iron.

   I thought this likely.

> Of course, there are huge exceptions to this; in my field, I've seen so much
> amazingly bad web application code that it would make a CxO's skin crawl,
> if they understood what was going on... but they generally don't.

   And therein lies the root of the whole problem, no?

Thanks very much for the detailed input,

Rich
