Re: [fw-wiz] Security dumming down - the king's clothes

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 12/12/03

  • Next message: Jim Seymour: "Re: [fw-wiz] Rules for mailserver which is in internet zone ??"
    To: Roger Marquis <marquis@roble.com>, firewall-wizards@honor.icsalabs.com
    Date: Fri, 12 Dec 2003 11:03:01 -0500
    
    

    >Anyone in the news media know why this critical security story was
    >de-indexed so quickly?
    >
    > Internet worms and critical infrastructure, Bruce Schneier
    > <http://news.com.com/2010-7343-5117862.html?tag=nefd_gutspro>
    >
    >It's a detailed examination of the correlation between MSBlast and
    >the Aug. 14 power blackout. Recommended reading, however, despite
    >being published on Dec. 9 it is no longer included in Cnet's front
    >page index or their security index which goes back to Nov. 25.

    Bruce's look at the problem is probably too technical for a lot
    of journalists. :) Seriously, though, Bruce makes some provocative
    points but unfortunately, now that the event is over, it's probably not
    going to be possible to tell exactly what *DID* happen. More interesting
    broad questions that could have been asked are hidden in Bruce's
    article, and therefore are ignored namely:
            1) If these networks are so critical, why are their controlling
            systems internet-connected at all!?
            2) If these networks are so critical, why has there been no
            overall systematic design of their security properties?
            3) If these backup systems and management systems that
            Bruce mentions are also critical to the grid networks, why
            aren't they treated as such?
    I guess, to me, it boils down to "what, don't people understand
    that transitive trust implies transitive failure?" but that's a statement
    of the obvious. :(

    When I read something like Bruce's article, I divorce it automatically
    from Microsoft-related questions - if Microsoft wasn't the issue,
    some other software vendor would be. As much as we're all
    jealous of microsoft's wealth and power^H^H^H^H^H^H^H^H^H^H^H^H^H^H
    concerned by Microsoft's dominance in the software industry, I don't
    suspect that any of the other O/S vendors out there (Sun? IBM?
    Apple?) would do a fantastically superior job if they had 99.9% of
    the desktops in the world, either. So focus on the kind of issues I
    see above: why are trust boundaries between mission critical and
    non-critical networks weakly defined and poorly understood?

    >Would it be paranoid to associate this with @Stake's dismissal of
    >Dan Geer after voicing his personal opinion of this same vendor's
    >security and the short shrift major news outlets gave that?

    Major news outlets did NOT pay "short shrift" to the Geer/Schneier/et al
    paper on monocultures. In fact, they hyped it far beyond its worth.
    It's an interesting position paper but I think it contains serious flaws
    (see:
    http://www.ranum.com/security/computer_security/rants/monoculture.html
    for my views, which I won't repeat here)

    You've perhaps forgotten, but that event was news for almost a week.
    In today's news environment, a *week* is what you get if you're Michael
    Jackson and you're arrested for child molestation. A *week* is a lot
    of media attention. Indeed, Geer et al's paper has sparked a long-term
    hype-trend on the monoculture topic, as far as I can tell. Viz:
    http://news.com.com/2102-7355_3-5111905.html?tag=st_util_print

    My assessment is that the paper in question got an unusually large
    helping of media attention, for a computer security story.

    >These correlations were further supported a couple of weeks ago at
    >Stanford's Cyber Security Conference where all speakers went to
    >great lengths to avoid criticizing the vendor in question.

    Even you avoided naming Microsoft, my friend! :) What have they
    got on you? ;)

    That was the DHS one, right? Now, in that case, you were dealing
    with people who still are hoping to get money and favors from
    Microsoft. So of course they are going to be careful not to bite
    the hand that feeds them.

    >All of which make me wonder about an article by Fred Avolio in
    >September's Information Security Magazine.
    ><http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss81_art179,00.html>
    >It was, on the surface, an attempt to make a distinction between
    >"stateful inspection" and "application intelligence", but anyone
    >who knows Fred can see that the story was dumbed down to a such an
    >absurd degree that it makes no sense at all, except perhaps to a
    >marketing or rhetoric PhD. It should be noted that Information
    >Security Magazine rarely covers anything other than products which
    >run under operating systems written by the vendor in question and
    >that they rarely say anything negative about anything.

    I don't think Fred needs me to stick up for him so I won't. ;)

    But - if I know Fred, he was probably trying to make a subtle
    point about marketing bullsh*t applied to computer security. :)
    After all, "application intelligence" sure sounds like a marketing
    bullsh*t reinvention of proxy firewalls - which is old old stuff not
    new new stuff. I don't want to put words into Fred's mouth but I
    know he sees his job as to educate - to try to get people who are
    not very technically sophisticated (but who may think they are)
    to see the fundamentals that they haven' had time to learn.

    Part of the "dumbing down" that you're seeing is the result of
    security's newfound importance as a field. We've got loads of folks
    who are trying to spin up quickly because they've finally
    realized they need to worry about it. We've also got tons of
    new security companies trying to cash in on security's
    newfound importance - so every one of those companies (most
    of which sell pretty much the same thing) have marketing
    idiots who work for them who say "we need to define a NEW
    CATEGORY OF PRODUCT" so they start messing with the
    language. Now, all those poor newly-minted security guys have
    to wade through all this new marketing glop filled with claims
    that they have to validate the truth or falsity of, and new
    terminology they have to figure out. To a greater or lesser
    degree, a lot of us old-timers try to fight the flood of bullsh*t
    by educating customers and end users so they can identify
    it themselves. So, yes, Fred probably is dumbing down a lot of
    stuff.

    You don't make a lot of friends if you write an article that says
    "Calling something 'stateful multi-layer inspection' is a ridiculous
    load of dingoes kidneys when you consider that all it's doing is
    keeping a state-table entry on which direction you saw the
    original SYN packet and doing some minimal TCP sequence
    processing to make sure packets are within a window. Only a
    marketing idiot would come up with a term like 'stateful multi-layer
    inspection' for something that's basically a little bit more stateful
    than router 'established' screening." Of course journalists aren't
    required to make friends but - it doesn't help a lot if your editors
    get hate mail each time you write a column. :)

    >The common thread is the amazing degree to which cyber security is
    >being dumbed-down whenever it applies to this one particular vendor.

    Can't you say "Microsoft"? Cat got your tongue? ;)

    I don't think that's the case. There's certainly no broad conspiracy
    or even a small one. There are a few companies and individuals who
    look out for their financial interests - but they HAVE to. :)

    There's also a matter of professional ethics. I happen to believe
    that if you're taking someone's money you should not publicly
    throw rocks at them unless that's part of your arrangement. It
    falls under the old rule of "the customer is always right"
    @Stake's single largest customer was Microsoft. By doing
    what he did without telling his boss what he was doing, Geer
    broke the 3rd law of corporate survival: he surprised his boss
    with something bad involving a big customer. Whether it's morally
    justified or not, it's professionally stupid. Dan could have resigned
    a year or 2 before he published that paper, if that's how he really felt,
    and then nobody could have faulted him at all.

    If you work for a man, in heaven's name, work for him. If he pays you
    wages which supply your bread and butter, speak well of him, stand
    by him and the institution he represents. If put to a cinch, an ounce of
    loyalty is worth a pound of cleverness. If you must vilify, condemn and
    eternally disparage -- resign your position, and when you are outside,
    damn to your heart's content. But as long as you are a part of the
    institution, do not condemn it. If you do that, you are loosening the tendrils
    that are holding you to the institution, and by the first high wind that comes
    along, you will be uprooted and blown away and probably will never know why.
                    - Elbert Hubbard

    >Perhaps the most damaging example of this is our own government's
    >failure to even identify the vendor as the source of the it's worst
    >infrastructure vulnerabilities and the cause of nearly every
    >documented security breach.
    ><http://govtsecurity.securitysolutions.com/ar/security_think_tank_gives/>.

    Yeah, this surprised me, too. Because Microsoft is NOT the source of
    its worst infrastructure vulnerabilities. I'd have expected my government
    workers to be eager to find someone else to blame. Microsoft is not
    the problem! The problem is: why has our federal government built
    mission-critical internet-facing systems using such poor security?
    A lot of the problems with Windows can be mitigated (it's hard work... but
    it's doeable) why has such incompetence become endemic in
    federal IT?

    Put another way: Why would we believe that the same people who
    built the government's existing insecure windows systems would be
    able to build secure systems using UNIX or anything else for that
    matter?

    Perhaps that's why there's silence. With current federal IT expertise
    and procurement practices (basically nobody knows how to do anything
    except hire contractors) federal IT security is going to s*ck no matter
    what.

    >The logical outcome of this collective failure to to recognize the
    >king has no clothes will, I fear, be as bad for information security
    >as it was for the airlines on 9/11/01.

    A lot of folks recognize that the emperor has no clothes. The
    question is: why? Microsoft's stuff is certainly PART of the problem
    but another big piece of the problem is that people insist on buying
    it and don't manage it right. There's enough blame to go around
    and just assuming a conspiracy is too simplistic. The truth is a more
    complex combination of clueless customers, cruddy code, incompetent
    federal IT workers, consultants out for a buck, marketing idiots, and
    a dash of denial.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Jim Seymour: "Re: [fw-wiz] Rules for mailserver which is in internet zone ??"

    Relevant Pages

    • [NT] Cumulative Security Update for Internet Explorer (MS04-025)
      ... Get your security news from a reliable source. ... * Microsoft Windows NT Workstation 4.0 Service Pack 6a ... Navigation Method Cross-Domain Vulnerability ...
      (Securiteam)
    • SecurityFocus Microsoft Newsletter #75
      ... Microsoft's Internet Security & Acceleration Server with fault-tolerance ... The Microsoft UPnP Vulnerability ... Relevant URL: ...
      (Focus-Microsoft)
    • SecurityFocus Microsoft Newsletter #120
      ... Strengthening Network Security: FREE Guide Network security is a ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows File Protection Signed File Replacement... ... PlatinumFTPServer Information Disclosure Vulnerability ...
      (Focus-Microsoft)
    • SecurityFocus Microsoft Newsletter #117
      ... Strengthening Network Security: FREE Guide Network security is a ... MICROSOFT VULNERABILITY SUMMARY ... Mollensoft Software Enceladus Server Suite Directory Traversal... ... An attacker is able to traverse outside of the established web root by ...
      (Focus-Microsoft)
    • Re: A 6% fix from Microsoft Security Bulletin MS03-040 - 828750
      ... Now if the geeks over at Microsoft could get "infected" with some of this ... The Internet is already mind blowing in the way it can bring people ... that creates an unacceptable risk of security compromise and we need to shut ... down all Internet browsing with IE. ...
      (microsoft.public.security)