General discussion

Locked

Do administrators really care?

By robert ·
once a month I do a security audit on 100+ web
sites using only a standard web browser: Netscape
by name. The summary is on my site at
http://www.asrdesigns.ltd.uk/security.html

I have written to a number of the webmasters of
sites that I rate as 'severe vulnerability'
(about 14% of sites) offering a commercial
service at less than $300. Their attitude ranges
from accusing me of black mail to 'so what'. So
what if I can get to the home address and
telephone number of employees? So what if I can
access the client databases? So what if I can
get to user names and crack their passwords? And
as to black mail, $300 would not cover my phone
bill some months.

Perhaps WebMasters and Server Administrators arescared to accept specialist assistance as they
see it as weakness on their own part. In the
mean time the information that they are the
guardians of is open to less benevelant
observation than mine.

Regards, Robert.

This conversation is currently closed to new comments.

24 total posts (Page 1 of 3)   01 | 02 | 03   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Spam?

by garetht In reply to Do administrators really ...

Well, gee...
That was some nice, free advertising..

Collapse -

So how ...

by robert In reply to Spam?

So how would you have written the topic so not as to be 'spam'? I feel as strongly about vulnerable web sites as you seem to about spam.

There is a young man in Wales facing a jail sentence and confiscation of his equipment for trying to force people to take notice of what he was saying. It appears people only took notice after he took money out of accounts. His action was undoubtedly the wrong thing to do.

The ISSUE of what was the content was not addressed by the reply. Is it that people here too only care about what they consider as spam rather than the issue of web server security?

Collapse -

by garetht In reply to So how ...

>The ISSUE of what was the content was not addressed by the reply.
The ISSUE of the content appeared to be: Here is my web address, here is the amazing things I can do, and let me tell you my cost. Twice. A mere $300.

Sure, I see no problem using a real life example, and it's rather handy that it's your line of business, but the exact details of your service appeared to be pushed rather hard.

The topic is interesting, but I don't see why you had to advertise your site & cost. Perhaps your intentions were strictly academic, and if so, I wholeheartedly apologise for the insinuation, but it strongly smelt of spam.

Re: "Do you even know what spam is? Really, do you?" Yes, yes I do.
Thanks for asking. And in such an antogonistic way, too.

On topic, obviously, I would expect all decent Sys admins to reply, "Yes, we take security very seriously" but it seems a week doesn't go by without a high profile 'info-leak.'

The people you contact may be understandably reticent to hand over their security issues to an unknown, preferring to handle everything in-house (or not handle it, as the case may be..)


Re: "Your attitude seems to be, "don't bother me with security when I'm busy."" Who exactly are you talking about? The belief that no Sys admins care about security is laughable. The belief that a few admins don't take security as seriously as they should is perhaps more believeable.

Collapse -

Well...

by pallan In reply to

We could argue all day about whether or not this thread was started as free advertising, but it would accomplish nothing. The original poster has, however, raised an important question worth discussing. It certainly isn't spam. Spam is unsolictedmass-advertising through private email. This is a message posted to a public forum.

As for my other comment, it wasn't even directed at you. The person I was replying to stated quite clearly that he was too busy to be bothered with this sort ofthing.

Stop, take a deep breath. Spend a little less time needlessly antagonising people, and maybe check your server patches while you're at it.

Collapse -

To be more direct...

by eBob In reply to So how ...

Thanks for the offer of assistance, BUT "we" will be the judge of whether "our site" poses a "severe vulnerability" risk. We will use our standards and our tools.

Thank you very much.

Collapse -

No.

by pallan In reply to To be more direct...

The script kiddie who walks through the gaping hole in your security will be the ultimate judge of your work.

Collapse -

Seem to be tooting your own horn there

by BuffaloDan In reply to So how ...

If you REALLY REALLY cared about web site and network vulnerabilities, perhaps you might better have expressed to the administrators what you found and how to close the holes, rather than tell them they've got problems and must hire you to fix them.

Take a lesson from Steve Gibson, (www.grc.com), He hates hackers so bad, he Gives away tutorials, and firwall software.
(Good stuff too!)

In America, after the civil war, The Southern States were a mess, many people came to the south to helprebuild, but many other's also came and took advantage of their weekness. These people were known as Carpetbaggers. here in America, there is an inherant level of distrust in one who would, without being asked for, point out my weeknesses, and solicit money from me to repair them.

The key here is that you are UNSOLICITED.

While your intentions might be honorable, the appearance is of one who would willingly take advantage of another's weekness.

Collapse -

Do you even know what spam is?

by pallan In reply to Spam?

Really, do you? If you're seriously accusing this person of spamming, you clearly don't.

To address the original poster's question, *good* administrators care. They're the ones that have patched the holes, so you would almost never have cause to offer them your services. Unfortunately, good administrators are vastly outnumbered by clueless, cookie-cutter trained hacks.

Collapse -

Precisely!

by eBob In reply to Spam?

We have our own set of measurement tools, and are happy to rate our own site as to whether it suffers from 'severe vulnerability'. Thanks very much!

Which is what we invariably tell the spammers that send us these alarmist solicitations (that is,if we even bother to respond).

Collapse -

WOW !!!!

by mjervis In reply to Do administrators really ...

Is your sales aproach as harsh as your discussion? If so I can see how administrators would be pushed back. Your aproach to me would sound like black mail or extortion also if it is worded as your discussion is.

However aside from that your point is very valid. Why do I think your not getting the response you want? Many administrators work long hard hours putting together their sites with the skills they have. Yes of course some fall short of being secure. Be it maybe time constraints, budget, or skills. You may have the best thing on the market but if your trying to get people to listen to you like that you will not sell to much.

Administrators will listen. However I know many times sales people such as yourself call me when I am at the end of a project or busy with a piece of hardware that failed or anything along that line. I ask the sales person to call me back when I have time and thier answer is to keep pitching thier sale. They want to sell me thier product now because Ineed thier product. Well NO I DON'T. Not at that point. I need to focus on what I have in front of me then I can give time to that sales person after.

I am not accusing all sales people in this field of being like this, however the majority do fit into the above described category. And you know something? Since you didn't have the decency to allow me to get of the phone to work on my project and give you a call back later, I will not call you back.

If you haven't noticed thier is a big push for people in the IT field and some of us that are in this field have a lot of work on our shoulders. Work with your administrators more, if they ask you to call them back later do it. IT professionals do not sit at thier desks all day. Most are right out there doing the repairs and taking care of thier users. Respect thier time constraints and you may find the payback rewarding.

Back to Security Forum
24 total posts (Page 1 of 3)   01 | 02 | 03   Next

Related Discussions

Related Forums