RE: [fw-wiz] concerning ~el8 / project mayhem

From: Bill Royds (broyds@rogers.com)
Date: 08/18/02 

From: "Bill Royds" <broyds@rogers.com>
To: "Paul D. Robertson" <proberts@patriot.net>, "Marcus J. Ranum" <mjr@ranum.com>
Date: Sun Aug 18 17:12:01 2002

Anecdote.

A number of years I was working in support for a agricultural research facility.
We often got requests for "please create a file with all crop yield data from Manitoba for 1964-1974 for fields that used ...", standard database retrieval stuff, but the data set, being huge, was on magnetic tapes on an IBM mainframe, not in a database. Standard procedure for the support staff was to write a Fortran program to run on the mainframe with hardcode field values to extract the data into a file.
  Being new and figuring that this was silly, I wrote a script that prompted the user for which years, conditions etc. needed to be extracted, created the JCL for a standard MVS utility to extract the file and gave the script to the users who requested the data.
   My boss, who had been padding his tasks accomplished report for years with these extracts was furious. I had just cut his "productivity" by 2/3 and he was very upset.

  I see the same attitude among a lot of management. Their view of activity is getting brownie points, not actually achieving results. That is why they like IDS on the Internet side of a firewall. More noise pads "attacks stopped" reports.

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Paul D.
Robertson
Sent: Sun August 18 2002 03:13
To: Marcus J. Ranum
Cc: R. DuFresne; firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] concerning ~el8 / project mayhem

<snip>

Well, it's not just the pseudo-security folks who have given us this
problem- a lot of blame rides on the shoulders of the old-school
consultant/accountant brigade[1]-

It's a heck of a lot more profitable to add 30 patches than it is to
upgrade, block or remove one service. Vulnerabilities equal billable
hours, and (more importantly) thicker reports.

Task-directed stuff "upgrade that ancient server" isn't as palatable, or as
obviously continued business generating as reporting 72 different
vulnerabilities and attributing 6 of them to your own employees who are "saving
the world" by generating and distributing sample exploits to the bad guys.

I *know* I should upgrade my 8 year old Web server, I didn't know that
something called candlefritz would cause it to spill out credit card
data on a multicast network. Besides which, upgrading that would break my
phf script!