Great Circle Associates Firewalls
(October 1993)
 


Subject: A short dialogue
From: pmetzger @ lehman . com (Perry E. Metzger)
Date: Sat, 23 Oct 93 13:21:52 EDT
To: firewalls @ greatcircle . com
Cc: ji @ tla . org, mab @ crypto . com, smb @ research . att . com
Reply-to: pmetzger @ lehman . com

A one-act play

Dramatis Personae:
        Perry Metzger (PM): An AVP responsible for the firewall at a
                            Fortune 100 company.
        Joe Cert (JC): A person at CERT supposed to be helping.

[The scene opens to Perry on the phone with Joe Cert. Perry is at work
and freaking out because he doesn't run Sun sendmail and doesn't know
what to do. If he turns off mail, his users will kill him. He has no
idea how many machines he has to fix or if he has a problem at all.]

PM: Well, I have the problem that I don't normally run Sun sendmail,
and I can't run it, so I need to know enough that I can figure out how
to fix my security problem.

JC: Well, we don't have a procedure to tell people anything beyond
what we put in the advisory.

PM: I run the gateway for a firm that trades hundreds of billions of
dollars a day in the financial markets. We can't afford to get shut
down. Isn't there any way you can tell me anything that can help me?

JC: Well, we really don't have a procedure in place.

PM: I see. Can I ask you some questions?

JC: Sure.

PM: So this problem, would it be fixed if I had the Prog mailer turned
off on my machines?

JC: Well, it's a problem that will allow people to run programs on your
machine.

PM: Yes, but would turning off the Prog mailer fix it?

JC: Well, the problem allows people to run programs on your machine.

PM: I see. Will this problem only hurt machines that have direct TCP
access to the internet, or are machines that can get mail indirectly
also possibly affected?

JC: The hole is exploited by sending mail to the machine.

PM: Yes, but do you need SMTP access to the machine, or will just
being able to send mail to it hurt you?

JC: Well, the hole is exploited by sending mail to the machine.

PM: Look, the machine on my firewall can't be telneted to. Does that
make me safe?

JC: Well, the hole is exploited by sending mail to the machine.

PM: Listen, I have THREE THOUSAND workstations in a dozen cities on
three continents. Are you telling me that I have to tell all my people
that they are working the weekend installing a new sendmail on every
machine in the firm? I don't even know how to test to see if I've
fixed the problem once I've done that!

JC: Well, the hole is exploited by sending mail to the machine.

PM: Can't you tell me any details?

JC: We really don't have a procedure for that.

PM: Do you know what the problem is?

JC: I can reproduce it, yes.

PM: Look, I work for a company with REAL MONEY on the line here. I can
get you a letter from a managing director telling you that I'm legit.
You can check who we are in any newspaper -- we're one of the largest
investment banks in the world. Every day the Wall Street Journal lists
the Lehman Brothers T-Bond Index on page C-1. You can check my
criminal record -- hell, the SEC makes you get fingerprinted so many
times around here that I've still got ink on my fingers from the last
time. Can't you give me some help here?

JC: We really don't have a procedure for doing that. I'm taking
notes, though, and I'll tell my management of your concerns.

[He continues in this vein, but eventually, our hero gives up,
realizing that CERT is part of the problem, not the solution. All
they've succeeded in doing is keeping him up at night. He can't fix
his problem, since he doesn't know how. He has no idea if he has a
problem. He can't check once he's done something to determine if he's
fixed it. All he knows is that CERT has no procedure for telling him
anything regardless of who he is, period.]

PM: So what you are telling me is that if I want details I have to
subscribe to 2600 Magazine?

JC: We don't have a procedure for giving you more information, no.

PM: I'm sure the crackers will be happy to hear that. They are likely
telling each other at a nice high speed.

--
Perry Metzger 

