[19698] in bugtraq


Re: TCP Timestamping and Remotely gathering uptime information

daemon@ATHENA.MIT.EDU (Darren Reed)
Mon Mar 19 15:06:15 2001

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <200103170316.OAA29790@cairo.anu.edu.au>
Date:         Sat, 17 Mar 2001 14:16:49 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To:         Bill_Royds@pch.gc.ca
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <85256A11.006CE0C8.00@pch.gc.ca> from "Bill_Royds@pch.gc.ca" at
              Mar 16, 2001 02:48:09 PM

In some mail from Bill_Royds@pch.gc.ca, sie said:
>
> Actually, the logic is "This has been up for 300 days. It probably is not
> being maintained so it likely has that unpatched exploit available".

I thought about this before I posted that email but decided against any
inclusion of it.  Why ?

There are systems running around the world, today, that *need* to run
24x7 and security patches are no reason for a reboot.  That aside, that
a system has been up, since its release, longer than it takes the time
information to wrap, do you *really* know how long it has been up ?

Upgrading of software running on a host has little or nothing to do with
how long it has been running - so long as you're not running M$ - if it's
not something like a library file.   Last I checked, you didn't need to
reboot to patch up sendmail, named or apache :)

Good sysadmin practice should involve regular, scheduled, rebooting of
systems to ensure that over time the "tinkering" which happens on a day
to day basis never gets to a point where things that are meant to be in
the bootup process are left out.  Well, that's my theory anyway :)

A large uptime of a machine may mean it is quite vulnerable, but does it
really tell you it is unmaintained ?  Does a short uptime mean it is really
maintained or does it just tell you it was rebooted not long ago ?

Darren
