[6bone] report of 6bone planning BOF

Jeff Simmons jsimmons@goblin.punk.net
Wed, 19 Mar 2003 17:45:42 -0800


Pardon a lurker who's just here to learn about IPv6 from piping up, but ...

On Wednesday 19 March 2003 01:41 pm, Jeroen Massar wrote:

> There is nothing one can do against bad admins except hitting them
> quite hard with a very big cluestick. It's the same for the fact
> that you will still see Code Red and other worms flying around.
> Some people just don't do their job correctly or well.

You know, every time there's a problem on the internet, worms, viruses, open 
mail relays, etc., someone trots out this tired old argument.  Bad admin.  
Hit with cluestick.  

Reality, down in the trenches, is a little different.  Most admins would LOVE 
to clean up their networks and servers, but can't.  They're in firefighting 
mode from the minute they come into work, and priorities are assigned not 
with the health of the internet in mind, but with a concern for which of the 
higher-ups in the organization is the most pissed off at the moment.  Or how 
much money it will make.

Fix that open relay?  And buy a new copy of the OS, which we stole in the 
first place?  How much will that save us?

Patch the DB server?  Sorry, we promised that customer 99.999% uptime.

Fix that routing table?  Why, how's it affect our day-to-day operations?

You want horror stories, contact me.  I've got a LOT of them.

I'm not here to jump in someone's face, or even to defend my chosen 
profession.  But you guys have a chance to influence the next generation of 
internet protocols, and this kind of stuff isn't ever going to get fixed 
unless there are economic incentives to do so.  The kind that will make 
management sit up and take notice.  Not admins, management.  They're the ones 
that call the shots on what gets fixed and what doesn't.

What we need is a way to hit MANAGEMENT with that cluestick.  And if it's 
built in at the protocol level, so much the better.  Because if you think 
that it's just a problem of bad or lazy admins, you're going to be trotting 
that argument out again and again and again for many years to come.

-- 
Jeff Simmons				       jsimmons@goblin.punk.net
     Simmons Consulting - Network Engineering, Administration, Security

"In conclusion the main thing we did wrong ... was to worry about criminals 
being clever;  we should rather have worried about our customers ... being 
stupid."          Ross Anderson, "Security Engineering"