July 19, 2003
Site defacement challenge, so?
According to attrition.org (and some of the major security companies) the site defacement challenge was a hoax. Even if it hadn't been, should anyone really have worried?
The article makes a good point: the problem with most site defacements is not the kids doing it. Is a site defacement really a "major security problem" at all?
Nearly anyone who provided alerts or commentary to the media on this item should have their heads examined, or at the very least question their ability to be a credible security professional if they really thought this was a "major" security concern. If a system administrator isn't performing their duties on a daily basis - which includes keeping software patched and properly configured, monitoring log files, turning off unnecessary network services, and such - or if a CIO isn't enforcing strong IT management procedures, they have no business being employed in such a critical role for our large enterprises. Yet nobody's ever held accountable for poor system security and bad system administration practices - no CIO or system administrator's been fired or called to testify on why their site was compromised, or why they're being forced to use substandard, repeatedly exploitable software products that make it easy for anyone to cause mischief on the Net. Until these root problems are fixed (and "Trustworthy Computing" isn't necessarily the right answer) it's likely this situation will continue unabated.
If you don't know what the blinkenlights mean, stay away.
...quite obvious clues generally went unnoticed, since the story was a fantastic way to spice up an otherwise slow news week before the Independence Day holiday. Besides, Iraq is becoming embarrassing, and nobody wants to talk about what's going on in Afghanistan right now, so why not spin up a spooky story about a potential Digital Armageddon?
Posted by manne at July 19, 2003 03:42 PM

