
Thread: the new virus - human incompetence

  1. #1
    Junior Member
    Join Date
    Feb 2004
    Posts
    14

    the new virus - human incompetence

    It seems we are all plagued with the threat of computer viruses that have struck our business and home systems with the release of the Mydoom virus just earlier this year. I think it's becoming clear that we go about our daily lives patching and upgrading when the largest threat is the incompetent system administrator behind our network. I am not having an attack at system administrators, just the ones that seem to have spent more time playing Doom and watching porn than checking over their networks. And where can a lot of these sort of administrators be found? Sat in our schools and colleges, as it would seem, in the UK. So the economic loss may not be as big as if a major company's servers go down for a few days or lose their data, but due to our schools and colleges now using computers and plugging students to use them for all manner of work, including valuable and sometimes irreplaceable course work for major exams such as GCSEs and A-levels, the academic loss could be almost devastating, in cases affecting our futures. Within 30 minutes of just looking around I was shocked at the huge amount of security holes I found within my college's system. This also included a default password in place for an administrator account. However, a few days ago a virus was detected in a matter of seconds due to a continual patch and upgrade schedule. I look in disbelief that some script kiddie can simply go to the internet, find a default password list, then start to have complete control over the network I use, due to my administrator's lack of brain cells. However, what got me was the fact that in our college we seem to have an "obscurity is the best security" policy.
    A student visiting a JavaScript programming website has his internet access taken away as he may pose a security threat. Currently I'm writing up a damning report on the state of the security on the network, but it is clear to me we need to get our priorities straight when dealing with computer security and sort the simple things out first before we start trying to stop the next trojan horse from attacking when we have a default password still enabled.

    Sorry if it seems like a rant, I'm trying to display the threats posed by ourselves. I think you would have to tend to agree, though, it's time we feared our largest security threat: the human virus of incompetence. This is, however, not referring to people being tricked by social engineers.
    "I'm gonna buy a gun and start a war
    If you can tell me something worth fighting for" - Rush of Blood To the Head

  2. #2
    Yep. Life sucks then you die.

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    That, my dear boy, is the essence of the problem.....

    Computers have become so "easy" that anyone can put up a web page or simply connect their network to it. Without studying the ways people can "mess" with you, many have no idea what is waiting out there for them. It's hard work learning all that stuff and most people, (let's say admins), aren't in the field for hard work.... they are in it because it pays..... because if they can drop to a DOS prompt and type "DIR" they are "gods" compared to the people that employ them...... They don't give a "monkeys" about the consequences - they can make the email or internet work..... Whoopee-doo...... I can do that..... so can you I'm sure.....

    It's time admins were checked by outside sources.... An "agency" that intercepts your Internet registration and looks at your systems..... If you are wide open you are blocked.... period...

    Sorry for the rant.... long week.... and my IDS logs are huge.... Why? ... Dumb frigging admins!!!!!!
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Junior Member
    Join Date
    Feb 2004
    Posts
    3
    This is no new thing, lazy people have been around for ages, and unfortunately some have found themselves in control of networks.
    Even more dangerous is trusting people. Human engineering has been a long time hacking tool.
    My own mother once gave away the username and password to our DSL router because someone called the house and said they were from the Telco. Hrmm mum you have a good heart, but…

    The other side of the coin is that once there is a major security breach there is a new job available for someone more astute as the lazy putz goes by the wayside, oh well. More jobs to the more deserving who put in the hard yards.

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I believe that there is another side to the coin?

    A lot of businesses want their systems 24/7/365 but are not prepared to finance the required redundancy to make that feasible.

    They are not prepared to pay for proper administration and security tools because "they don't earn anything for the business"

    I like a good whinge along with the next man, but for every lazy, incompetent, or most likely ill-trained administrator, I have seen at least 5 on "mission impossible" due to lack of support from the business they work for?

    OK if you want to employ "cheap" then you must buy specialist consultancy to set up an environment that can be run by a "machine minder"

    Been there, done that, read the book, got the t-shirt Hell how can you be "Head of Development AND Site Security Officer".........................I have!!!!!..................undemocratically elected by the sysadmin staff

    It actually worked................project management types know how to fiddle budgets............hah! now I realise that it had nothing to do with security skills at all

    Just a few thoughts

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Yet another side of the coin would be the fact that human beings are also the ones who exploit these security weaknesses, incompetence is also what creates many of these exploits in the first place (i.e. poor coding practices), so let's not lay everything at the foot of the poor old systems admins.

    Redemption, maybe rather than writing a report "damning" the network security (are you an expert yourself?) you should talk to your system admin and see what their take on the subject is, try and find out what security features the network has, what does your admin do? I suspect that writing such a report won't really get you anywhere, except maybe on someone's s**t list. As nihil said there are many admins out there who are faced with an impossible task, the thing to remember is that the admins have to provide a service to their customers, whether these are students, the finance department, or whoever, and these people demand one thing, while the admin wants another, and often the admin will lose as they are not the ones who dictate what checks get written. So maybe cut them a little slack?

    Although I also agree that there is a lot of crap out there, and not just admins, security folks, programmers, etc....

    Oh, and Human incompetence is not a new virus, long before computers came along we were making all kinds of problems for ourselves.
    Quis custodiet ipsos custodes

  7. #7
    Junior Member
    Join Date
    Feb 2004
    Posts
    14
    I'm not claiming human incompetence is a 'new' virus, but as our world moves more and more into this technical era it is becoming more far spread and apparent. Our problem is our administrators and teachers have no time to listen to students who haven't got the piece of paper 'qualification'. It's a matter of older knows better, which I don't think is always the case these days. I would be happy to give my administrator slack if they did anything taxing, but they sit there playing on Doom or changing someone's lost password every few hours or so, and if it's a real hard day at the office they give a student a new mouse. There is no evidence of even once an administrator carrying out an audit of the logs on regular occasions or doing any form of penetration testing. My concerns are that with such lax security, work of mine and other students could easily be damaged or lost altogether by some malicious kid. The reason I feel a report is the only way to highlight these errors on paper, all too many a time we are put down and told that system administrator knows best. It's evident that the more we move into this point and click era we face a bigger and bigger security threat and else our Operating Systems already have the security features in place which currently they are not substantial to support the click and point users.
    "I'm gonna buy a gun and start a war
    If you can tell me something worth fighting for" - Rush of Blood To the Head

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Are your administrators motivated in any way to do this? They are probably paid a crappy wage, given no resources, and spend half their day being told by others how they should do their job, do they have any prospects? Are they just wannabe tech folks hiding out in school? etc etc...

    And you know, experience does play a part in this, experience tells you what needs to be protected, and how it needs to be protected, maybe your admins aren't bothered to keep up to date on security as they feel there is no need to? If the network consists of workstations for students and a proxy connection to the internet then maybe they feel they don't need to waste any time with this?

    I'm not saying that what they do is right, not at all, I see many admins who don't know what the hell they are doing and have no right to be doing it, but then there are lots of end users who think they know best and clearly don't, especially in security. Many people think that if you are not doing the latest and greatest security thing then you must suck, but they fall down as they don't have any idea of how this actually has to be applied, you protect an asset based on how valuable it is, what the threat to it is, and how likely you think this threat is actually going to occur, and then figure out what you can actually afford. So maybe your admins did some math and don't think it's worth it?

    Yes, as the world gets more complex then perhaps human incompetence becomes more apparent, or does it? One could argue that lots of the problems of the past were due to incompetence as well, incompetence to stop a tyrant, or to cut corners, something to keep in mind when damning current state of things. Maybe things really aren't that different at all? Maybe as with everything else no one takes notice until it bites them in the ass, so, viruses weren't a problem for the masses when they first came out, so the masses didn't bother, now however they stop folks using AIM or surfing to playboy.com so let's all complain about it, rather than trying to nip it in the bud when it first appeared, and this always happens, all the damn time, for everything. Oh and what happens when we all do suddenly take notice? We then look around for someone to blame.

    Also, a human is the one who is going to carry out a malicious activity on your network, so maybe you should think about that as well, why are students not encouraged to help out the admins? Why don't they all understand the importance of not having their work destroyed by launching a new virus? It has to be a team effort, yes security has to be maintained to some degree, but users need to take some responsibility for their actions, in this era it seems that everyone wants to blame someone else for their problems, accountability seems to be a thing of the past, so give a thought to this as well.

    ok, early morning rant over...
    Quis custodiet ipsos custodes

  9. #9
    AO Part Timer
    Join Date
    Feb 2003
    Posts
    331
    One more side here perhaps. Maybe the problem isn't lazy admins. Maybe as mentioned already they don't care or do not understand.

    I have another theory here. When I worked for a computer tech support line (not saying whose, sorry), we answered questions for new PC owners. Usually they were very general questions. Every now and then you got to walk a user through flashing the BIOS or something like that. In order to work for this place you had to take a PC knowledge test. The average person got a 35% on this test. Well below average. I scored in the top 15% of the company. I got a job off the floor, I got to help the idiots they hired to help the people who called in. My job would have been much easier if they had just called me in the first place. The folks answering the phones knew nothing more than the end users calling in. This company believed as many schools believe. You can take a set of questions and answers, with the right search options anybody can be a technician or an admin. I'd like to see these fuqs apply this to something like brain surgery.

    Point of my story is this. Computer work requires a passion. Some people picked up a keyboard when they were very young. Some left high school knowing how to get on the internet and check their email. The outcome after the two go to college for example is very obvious. While this may not hold water in some cases, it boils down to this. If you are to be successful, you must love what you do.

    be safe and stay free
    Your heart was talking, not your mind.
    -Tiger Shark
