
Not so fast

Posted Jan 30, 2003 0:56 UTC (Thu) by ncm (subscriber, #165)
Parent article: A look at the MS-SQL worm

Karsten wrote:

... infected hosts were on the order of 1% of all potential hosts ... Microsoft users were attaining a 99% patch and/or secure rate ... of systems...

Sorry, this is a fundamentally misleading number. It's distinctly abnormal for an SQL port to be open to the outside world; it's a back-office function. Therefore, that 1% figure identifies a level of gross incompetence beyond all analysis. The 99% were not patched or secured, they were just out of the line of fire.

It would be hard to imagine somebody competent enough to apply the patch, but still leave the port exposed, so that 1% figure must represent substantially all of the exposed hosts, unpatched. In other words, we can't conclude anything about the number that were patched because those were also the ones behind firewalls.

It would be hard to justify not firing someone who was responsible for any of the hosts involved.
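
The distinction ncm draws above, between hosts that were patched and hosts that were simply never reachable, is one an administrator can check on each box rather than infer from worm statistics. The following audit script is an added example, not code from the original thread or from LWN: it parses `netstat -an` output and reports SQL Server listeners bound to something other than loopback. The port numbers are SQL Server's well-known defaults (1433/tcp for the database engine, 1434/udp for the SQL Server Resolution Service), which the comments above never state; the sample `netstat` output is constructed for the example.

```python
import re
from typing import Dict, List

# Well-known SQL Server default ports (assumption for this example; the thread
# names no ports). The keys are (protocol, port).
SQL_PORTS = {
    ("tcp", 1433): "SQL Server database engine",
    ("udp", 1434): "SQL Server Resolution Service",
}

# Address prefixes that mean "this host only"; anything else is reachable from
# at least one network interface (whether a firewall then blocks it is a
# separate question this host-side check cannot answer).
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")

# Accepts both Windows ("TCP  0.0.0.0:1433  0.0.0.0:0  LISTENING") and Linux
# ("tcp  0  0 0.0.0.0:1433  0.0.0.0:*  LISTEN") netstat -an line layouts.
LINE_RE = re.compile(
    r"^\s*(?P<proto>tcp6?|udp6?)\s+"
    r"(?:\d+\s+\d+\s+)?"              # Linux recv-q / send-q columns, absent on Windows
    r"(?P<local>\S+):(?P<port>\d+)\s+"
    r"(?P<foreign>\S+)"
    r"(?:\s+(?P<state>\S+))?",
    re.IGNORECASE,
)

# Constructed sample: a Windows host with the engine on all interfaces, the
# resolution service on all interfaces and on loopback, an unrelated web
# listener, and one established client connection.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1433          10.0.0.9:50217         ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  UDP    127.0.0.1:1434         *:*
"""


def parse_netstat(text: str) -> List[Dict]:
    """Return the listening sockets found in netstat -an output."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto = m.group("proto").lower().rstrip("6")
        state = (m.group("state") or "").upper()
        # A TCP socket only counts as a listener in LISTEN(ING) state;
        # established connections share the local port but are not exposure.
        # UDP sockets carry no state and are always receivers.
        if proto == "tcp" and state not in ("LISTEN", "LISTENING"):
            continue
        sockets.append({"proto": proto, "addr": m.group("local"), "port": int(m.group("port"))})
    return sockets


def is_external(addr: str) -> bool:
    """True if the bound address is reachable from some network interface."""
    return not addr.startswith(LOOPBACK_PREFIXES)


def exposed_sql_listeners(text: str) -> List[str]:
    """Describe every SQL Server listener that is not confined to loopback."""
    findings = []
    for s in parse_netstat(text):
        service = SQL_PORTS.get((s["proto"], s["port"]))
        if service and is_external(s["addr"]):
            findings.append(
                f"{s['proto']}/{s['port']} bound to {s['addr']}: {service} reachable beyond loopback"
            )
    return findings


if __name__ == "__main__":
    for finding in exposed_sql_listeners(SAMPLE_NETSTAT):
        print(finding)
```

On the constructed sample this reports the two sockets bound to 0.0.0.0 and ignores the loopback copies, the web server and the established connection. A host-side listing only says what the box would accept; whether the port is actually "in the line of fire" still has to be confirmed from outside the perimeter, which is exactly the distinction between patched and merely firewalled that the comment makes.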



Justify firings carefully

Posted Jan 30, 2003 14:47 UTC (Thu) by utoddl (subscriber, #1232)

It would be hard to justify not firing someone who was responsible for any of the hosts involved.

Right. Let's just list the benefits to the org that such firings bring:

  1. We were short-handed before, now we're spread even thinner.
  2. The person with the most valuable, recent, first-hand, hard-earned experience -- i.e., the one least likely to make such a mistake again -- just left the building with his personal possessions in a box.
  3. The remaining staff lives in fear and dread, knowing that all people make mistakes, and their next one may cost them their jobs, or...
  4. their coworker's mistake may result in their workload suddenly increasing with likely no increase in pay.

I could go on. If the person was incompetent to start with, then performance reviews should indicate it and he/she would end up being fired eventually anyway. If the reviews don't indicate incompetence, then there's a management problem that arbitrary firings won't solve. But firing someone for making a mistake and getting caught brings no benefit.

Question: Suppose the unpatched service had been discovered a week before the worm. Would you fire the admin on the spot even though no damage had resulted? Do you fire everybody who makes a mistake, or just the ones whose mistakes become too visible?

Not so fast

Posted Jan 30, 2003 15:47 UTC (Thu) by sphealey (guest, #1028)

It would be hard to justify not firing someone who was responsible for any of the hosts involved.

I see a lot of statements like this after every attack. I would suggest keeping in mind the old proverb that the winner of a game of chess is the person who makes the second-to-last mistake. Even Kasparov makes mistakes. Sooner or later you will too.

sPh

Perhaps - perhaps not

Posted Jan 30, 2003 17:17 UTC (Thu) by sphealey (guest, #1028)

I would suggest reading Russ Cooper's take on this situation over at NTBugTraq. Seems that even an ordinarily competent and watchful MSSQL admin might have been caught by this one.

sPh

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds