product liability (was 'we should all be uncomfortable with the extent to which luck..')

Joe Shaw jshaw at
Wed Jul 25 13:41:59 UTC 2001

On Wed, 25 Jul 2001, Larry Diffey wrote:

> The only way that administrators are going to be diligent about
> patches/updates is for the bean counters to show the CTO/CIO what the bottom
> line is for not installing updates when something like code red happens.

Not necessarily bean counters, as I've never seen one who could
understand that there is very little if any monetary ROI on security
products and services, but putting it in tangible terms that management
understands is always a good idea.

Sometime it plays out like a comedy of errors.  I used to work for a
company that took in revenue of several billion dollars a year, and who
relied heavily on their corporate image and "industry leader" status.  For
them, it was as easy as showing them the value of not having your web page
appear at or a story about your company being hacked on cnn.
This was our standard argument with managment.  "Buy this and allow us to
implement it, and the chance of us being a news item become a lot
smaller."  Of course, then you also have to explain that this alone will
not make you immune to any compromise attempt.  So, we got a site license
for an IDS package, becoming the specific vendor's largest licensee for
their IDS product.  And we thought all was going well.  Then we tried
requesting equipment to deploy the software package across the network,
and were told there was no justification for it.  Apparently the
multimillion dollar site license was not justification for spending a
couple hundred thousand on hardware.

> Then management will crack the whip and the administrators will have to
> constantly search for updates.

Many vendors, including Microsoft, have a security updates announcement
lists.  Then there's always the subscription to bugtraq or their new
targeted security updates mailling list.

> Of course this is all subject to the Dilbert Principle and some companies
> will get stupid about it:

And in a perfect world these companies would start to suffer from clue
atrophy because of a talent exodus.  I've certainly seen it happen.  But,
with the job market the way it is, I think many of us would live with a
certain amount of management stupidity in exchange for a steady paycheck.
At this point, after being unemployed for almost 5 months after being
laid off and working random contracts as they come up, I'd gladly deal
with some stupidity for medical benefits and a steady paycheck.

However, I think we might be straying from what could be considered
on-topic NANOG content.

Joseph W. Shaw II
Network Security Specialist/CCNA
Unemployed.  Will hack for food.  God Bless.
Apparently I'm overqualified but undereducated to be employed.

More information about the NANOG mailing list