Darrell Norton's Blog [MVP]

Fill in description here...

Blaster worm blogging: whose fault is it?

There are a bunch of posts over on .NET Weblogs @ ASP.NET about the blaster worm and whose fault it is (see the original post, one response, another, and another). Basically one side, the developers, says sysadmins are to blame. The other side, the sysadmins, says that they are not to blame, they are so overworked, and it’s all the software developers fault.

I’m going to have to agree with Frans’ post. The blaster worm is coming through port 135, which should never be open on an Internet-facing network connection. A simple firewall (which comes bundled with Windows XP/ 2003, or a free download) stops this attack even without the patch. As one post mentioned, yes it takes a while to roll out patches in a production environment. But you should have all the time in the world, since this worm should not get past a simple firewall configuration setup.

So if you are an overworked sysadmin and your systems are crashing all around you, I’m sorry but don’t blame the software developers. Either it is your fault for not setting up proper security, or it is your predecessor’s fault. Blame him (or her) or yourself. And for those sysadmins that complain about developers infecting the network via laptops that they took home at some point in time, that needs to be part of your security policy. If you cannot handle the extra work that goes along with allowing multiple points of presence, then simply do not allow it.

Now this might sound harsh, but at my previous job at a large defense contractor, there were many things we were not allowed to do (or which were insanely difficult to do) which seemed ridiculous at the time. We complained all the time, honest. But then we never fell victim to these types of attacks either.

Published Aug 15 2003, 06:14 AM by darrell

Comments

G. Andrew Duthie said:

I would only add that I do not see this as developers versus sysadmins. The main point of my post was that those of us who are more computer savvy (both developers and sysadmins) need to work hard to educate those around us to proper security procedures.

Yes, I said that the person responsible for network security at the DMV should be canned, and I still think that, but the larger point was that there are a lot of users out there who don't know what they're doing, and the only way they'll learn is if those of us who do know better try to teach them.

# August 15, 2003 3:36 AM

Joe Grossberg said:

"Either it is your fault for not setting up proper security, or it is your predecessor’s fault."

Bullshit. (And I'm a developer and not a sysadmin.)

This is only a problem because MS made the stupid and dangerous decision to have things like RPC enabled by default.

Yes, there's no excuse for sysadmins being so lackadaisical about patching systems, but if MS had a better security philosophy, that would be a moot point.

# August 15, 2003 4:53 AM

Darrell said:

Your last sentence sums up my entire argument. Microsoft does have a better philosophy *now*, this was probably code that was written well before all this happened. All developers make mistakes... I have, and I guarantee you have too. I don't think Microsoft is going with the code now, patch later philosophy as you mention on your blog post. And they DID take some responsibility by creating a patch and putting it out as a critical update before this worm was written (read the FAQ and see that the worm was out 3-4 weeks AFTER the patch was issued).

# August 15, 2003 10:25 AM

Brian Desmond said:

>And for those sysadmins that complain about
>developers infecting the network via laptops
>that they took home at some point in time,
>that needs to be part of your security
>policy.

I'd like to see you play policeman on thousands of data jacks. Jus tbecause I say "no personal computers" doesn't mean peope follow it. I have no way of knowing whether or not severely [techincally] incompetent teachers actually follow this.

Note, in my situation, this issue is not limited to my location, but hundreds of other schools, which bring a combined quantity of about 60,000 computers.

The Chicago Public Schools System certainly does not have RPC open on the frontend.

# August 15, 2003 12:09 PM

Dave said:

Brian, you keep talking about these 60,000 computers. About how difficult it is to do YOUR job properly. Now, how about if one were to consider the person who hired you?

Let's see... mucho CYA going on. Nary a word of self-fault. And this from an "IT manager". So tell me, where does the buck stop? Obviously not with YOU. Problem is, in most places - not in a school district I know, you see I speak from experience there - but in most places, this is simple cause for dismissal.

Now, let's speak of your "[technically] incompetent" teachers. Jeez. Next thing you know someone will cut out your electric grid and you'll have to listen to CYA as good as you give it.

Good managers accept some responsibility. Good managers don't scream at a clearly wrong audience - us developers. Good managers put it behind them and move on, making sure they learn AND IMPROVE from the past.

I'm clearly glad I don't work for an idiot like you.

# August 15, 2003 1:55 PM