November 20, 2002

Why do I bother?

Ben Laurie wrote a beautiful piece of desperation a while back in his O'Reilly blog. In it he describes his frustration and woes in dealing with the now infamous OpenSSL and Apache security holes and in doing so ends up asking himself "why do I bother?".

He is not the only one. Take for example the latest BIND vulnerability, the disclosure of which is worthy of a good rant. The moment the patch was out, sysadmins & security people alike scrambled to patch their servers to make sure that the infrastructure they protect is safe, and yet what is the truth? The truth is that frankly nobody cares; nobody in the company you work for understands email, never mind DNS.

The daily battles are against people who are scared to death of being mugged and walk carefully around town avoiding dark alleys, and yet happily open attachments from unknown people bearing titles such as "I love you" or something even more obviously fake. The not-so-daily battles involve sysadmins who install boxes only to forget about them, leaving fertile ground for script kiddies. You are attacked from all over the planet by machines stuck in dusty corners of universities, or indeed from the mail servers of large corporations. How can this happen? Why don't universities use egress filtering? Why do corporations allow their main mail servers to be totally insecure?

So what happens is that you sigh, you bang your head against the wall, you vent your frustration and you go back to that other dark alley of the soul which is coding. Up comes Emacs, up comes the code for your latest packet crafter so you can test your new IDS.

Why? I wish I had an answer.

Posted by arrigo at November 20, 2002 06:35 PM