How to get better security people

E.B. Dreger eddy+public+spam at noc.everquick.net
Tue Mar 26 22:00:05 UTC 2002


> Date: Tue, 26 Mar 2002 12:56:39 -0500 (EST)
> From: batz <batsy at vapour.net>

(snip)


> Nimda and CodeRed were excellent indicators of how a good
> security policy can be a competitive edge during (increasingly common)
> global incidents. Hopefully we will see more security folks pressing
> this message, and more decision makers hearing it.

Sun Tzu and Lao Tze in the 3967/3561 thread...

...anyone else read Deming or other TQM proponents?  Visible
numbers only syndrome is the problem with many people's attitudes
toward security...

I could name a local (Wichita) company that for the longest time
was running IIS4 + SP5, vulnerable to the iishack buffer overrun.
They stored their websites and company files on said machine.
The goons^H^H^H^H^Hconsultants who set it up gave a big "it's
secure because it's NT -- look, it asks for passwords" spiel that
management bought.

Even after one of their employees _demonstrated_ how an arbitrary
person could break in.  Response?  "We're not that big... nobody
would be that interested in us."  Warnings about random scans
fell on deaf ears.

Service patches were never applied.  When some suspicious
happenings left said server inoperable, they just installed
Win2000 and went on, not caring what had happened or why.

No, I was not the employee.  A friend of mine worked there before
getting fed up and quitting.

"If it works, it must be right," versus, "It doesn't truly work
unless it's right."  I find it amusing how the same people who
keep things under tight physical lock and key are so lax and
apathetic about electronic security.

As Deming said, "People who buy on price alone deserve to get
rooked."


Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--

Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist at brics.com>
To: blacklist at brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.  Do NOT
send mail to <blacklist at brics.com>, or you are likely to be blocked.
