Slashdot Mirror


Due Diligence?

ekr writes "The OpenSSL remote buffer overflows discovered at the end of July got a lot of press here on /. But how many people actually fixed their machines? I decided to study this question, and the results are kind of depressing. Two weeks after the release of the bug, over two thirds of the servers I sampled were still vulnerable. Even two weeks after the Slapper worm was announced, a third of the total servers were vulnerable. The paper can be found here in PDF or Postscript."

4 of 202 comments

  1. One word: Liability by Real+World+Stuff · Score: 0, Troll

    Unless there is liability accountability, people will continue to be lazy. This frequently happens when no-talent hacks spend 8 hours a day hiding from their inflated resumes.

    --
    If we don't fight for ourselves no one will.
  2. Who should be worried? by JanusFury · Score: 0, Troll

    Who should be worried about this bug? What does it affect, in particular? I'm guessing just specific webserver configurations, but do I need to patch the Linux distro I just put on this box to dual-boot? If so, how difficult is it - I'm barely getting used to Linux and the idea of recompiling a bunch of system libraries and updating lots of software doesn't sound very good to me ;)

    --
    using namespace slashdot;
    troll::post();
  3. Gentoo! by tercero · Score: 0, Troll

    For Gentoo users it's as easy as:
    emerge update
    emerge -u world

    It took my Athlon 800 system >2 minutes to be fixed. I can understand the liability about why not to upgrade and apply security holes, but as IT pros, we have to weigh out the evils of this world and pick the best path for our users.

  4. The Barcella method saved my bacon by HamNRye · Score: 1, Troll

    Wow, I just read this after reading that article about sh*tty programming, and Michael Barcella saved my bacon. I have decided not to install any patches because:

    I can't understand what the he** this program is doing. It's all just "use stdio.h"... WTF?? You wackos can read this stuff??

    It is not written in perl, ruby, python, JavaScript or some other high level language. MB told me that C/C++ is evil. I believe him.

    While I was trying to read it, a friend came up and pointed at the screen. Rule #3, no pointers.

    Finally, I did not see the official seal of the United States in the upper left corner of my text editor. I never do, but after reading MB's column, I look for it.

    However, I can't post this message because I am leaving the inet services off until I can understand all of the source for my TCP/IP stack. After that, I'm gonna tackle the source for Telnet.

    WooT!
    ~Hammy