Stupid Security Tool for Stupid SysAdmins
2001-03-13 16:01:46


Laughable Technology
 
The ricochet from a Mountie shooting himself in the foot can be devastating you know.
-- Lenny Tuberose

 

As a clueful systems administrator, part of my job is to keep the 3v1l hax0rs out of my network. In fact, that's the reason why I got this job in the first place -- everyone knows computer security is dead sexy. The chicks fall all over you.

At present, I'm in an end-to-end Microsoft environment at a Really Big Computer Corporation(tm). So while part of me just laughs at each new Microsoft Security Update (in big, self-righteous HAR HAR HARs), another part (the part that gets paid), shudders in dread with every release. So, the reports of Soviet barbarians at the gates caused some initial distress for me, personally.

Of course, after a cursory read, I learned that these ex-Commies were using old, known, and easily patched exploits. I rested easy, trusting in my current (and recently audited) MS band-aids.

But, just for kicks, I downloaded Patchwork, a "program that would determine instantly whether a Windows NT system is vulnerable to the attack," distributed by the auspiciously-named Center for Internet Security(SM). My partner, "Miggidy" Mike D, ran this much-lauded and highly anticipated utility on a test box.

Thank our lucky stars, Patchwork "confirms that this system contains the patches, updates, and security configurations this 'Patchwork' program was designed to verify." Though the emphasis is mine, the message is in a big, reassuring, green font. Furthermore, if that's not misleading enough, it also proudly states, "IIS is updated and SAFE for Internet use." (Emphasis theirs, this time.)

This machine, by the way, is running W2K Advanced, with only hotfixes Q277873 and Q259728 installed. No Service Pack. No other hotfixes. All the default script mappings. All the services turned on. All the default virtuals. Basically, a machine which could be compromised by a half dozen other known exploits (like this one or this one), if we were dumb enough to put this on the Internet.

I'll concede that SANS, CIS, and Gibson Research pepper their READMEs with excuses and caveats about how no system is truly secure, the program is designed to audit for a limited set of vulnerabilities, blah blah blah. Yet, in the very title bar, it calls itself the "Windows Anti-Intrusion Patch Check & Scan." Oh, and the author crows it "was hand crafted -- byte by byte -- in 100% pure 32-bit Intel assembly language." A little hyperbole? In a MS "security" application? Perish the thought!

Let's face it: Companies which run NT as their enterprise are easy to fool. After all, they're using Windows. Programs like this -- endorsed by the FBI, by the way -- are not helping ensure America's security against an onslaught of Cold War dropouts. Not one bit.

In fact, I envision a plague of panicky meetings with security administrators, wasting thousands of man-hours arguing for or against this dopey application, resulting in huge losses of productivity in an already depressed tech sector.

Talk about an ingenious Denial of Service attack.

Over.  End of Story.  Go home now.

xxxlover@pigdog.org

