Screwdrivers & Degrees

Week of February 1, 2001

Of screwdrivers and degrees, GUIs and wizards, advisories and alerts.

There exist a plethora of supposedly esoteric system administration and security hardcopy magazines and ezines out there, and these publications supposedly target the system administration and security professional, but more and more we see that the kind of information they disseminate is significantly less than no-brainer and clueless, provoking one to wonder not only how qualified the writers for these publications are, not only how qualified the readers of these publications are, but what has happened to system administration in general.

Many years ago one rather well known David N. Cutler was reported as going through a roof (and several walls) when informed that his contractor, Microsoft Corporation, expected a graphical user interface, complete and replete with wizards, on his LAN server under development. It is not hard to appreciate and understand why Dave reacted. Network management is a serious business, and the thought of letting anyone unqualified get near a network server had most likely never occurred to Dave. And the thought that Microsoft Corporation was working towards this goal, of letting anyone with a screwdriver in their jeans back pocket, with or without a proper degree, get near a serious networking operation was terrifying.

It is no less terrifying today. Time and again we read about networking fiascoes which are not so much the result of faulty systemware but of improper management. The CD Universe scandal, the Hotmail scandal and countless others are not the result of improper code doing things system administrators have no power to control but of system administrators who have no clue what is going on when they should instead be fully aware of their networking system's strong points and shortcomings and know how to deal with both.

System administrators are regarded as being a dime a dozen. Almost anyone can get on an MCP bandwagon and find employment as such. MCP factories churn out the diplomas, promising you will pass sooner or later. Right here one must see that something is wrong. Not everyone is cut out to be a system administrator; awarding a diploma and giving a job to someone whose only prior job experience after quitting high school with bad grades in math at the age of 14 was working the soda fountain at a Tastee Freez drive in is pure folly - and it's cynical as well, and it jeopardises the common good.

A recent issue of a very well known ezine devoted significant real estate to answering a question from a supposedly qualified system administrator as to why some files are visible and some are not, explaining what a hidden file was and also how to view them and change their attributes. When times are so bad that system administrators cannot find hidden files and are not even aware of basic command files such as attrib.exe, it's time for all of us to sit up and take note.

And what these system administrators do not realize is that the very security advisories they are so studiously neglecting are being read and absorbed by ambitious pranksters on a regular basis. Just as the ILOVEYOU worm was able to exploit a hole which should never have remained open (and which certainly did not warrant the widespread and clumsy remedies which followed), continual updates on common network security holes which should be arriving in all these sysadmin mailboxes are either being systematically unread, or beyond the comprehension level of the sysadmins in question, or beg more time or more ambition than they can or care to deal with, or all of the above.

As Mark Joseph Edwards pointed out recently in his excellent column, tracking security alerts and security advisories can prove to be a valid benchmark into global Internet security in general:

According to its latest advisory, CERT released a previous advisory regarding BIND in November 1999 but continued to receive reports of compromises based on the reported vulnerabilities into December 2000. The advisory contains a chart showing that the height of those attacks came approximately 60 days after CERT released its first advisory. The pattern indicates that intruders became aware of and acted upon the reported vulnerabilities much quicker than network administrators acted to correct the same security problems.

MJE's forecast for the Internet in light of this situation is not rosy either:

CERT highlighted administrator lag time because BIND is so widely used across the Internet, and the security problems with the code are very serious. If administrators don't patch or upgrade the BIND servers across the Internet as soon as possible, then we can fully expect to see the Internet come to a screeching halt sometime within the next 60 days as DNS servers fall victim to intrusion - that is, if CERT's trend analysis is still applicable, and I think it is.

MJE's closing words, an admonition to stay on top of security advisories, should not be necessary. But complacency, although certainly a major factor here, is not the only one. Finding the right people for the right jobs and giving them the right working conditions and a salary commensurate with their abilities is the other.