Re: [fw-wiz] Security dumming down - the king's clothes
From: Marcus J. Ranum (mjr_at_ranum.com)
To: Roger Marquis <email@example.com>, firstname.lastname@example.org
Date: Fri, 12 Dec 2003 11:03:01 -0500
>Anyone in the news media know why this critical security story was
>de-indexed so quickly?
> Internet worms and critical infrastructure, Bruce Schneier
>It's a detailed examination of the correlation between MSBlast and
>the Aug. 14 power blackout. Recommended reading, however, despite
>being published on Dec. 9 it is no longer included in Cnet's front
>page index or their security index which goes back to Nov. 25.
Bruce's look at the problem is probably too technical for a lot
of journalists. :) Seriously, though, Bruce makes some provocative
points but unfortunately, now that the event is over, it's probably not
going to be possible to tell exactly what *DID* happen. More interesting
broad questions that could have been asked are hidden in Bruce's
article, and therefore are ignored namely:
1) If these networks are so critical, why are their controlling
systems internet-connected at all!?
2) If these networks are so critical, why has there been no
overall systematic design of their security properties?
3) If these backup systems and management systems that
Bruce mentions are also critical to the grid networks, why
aren't they treated as such?
I guess, to me, it boils down to "what, don't people understand
that transitive trust implies transitive failure?" but that's a statement
of the obvious. :(
When I read something like Bruce's article, I divorce it automatically
from Microsoft-related questions - if Microsoft wasn't the issue,
some other software vendor would be. As much as we're all
jealous of microsoft's wealth and power^H^H^H^H^H^H^H^H^H^H^H^H^H^H
concerned by Microsoft's dominance in the software industry, I don't
suspect that any of the other O/S vendors out there (Sun? IBM?
Apple?) would do a fantastically superior job if they had 99.9% of
the desktops in the world, either. So focus on the kind of issues I
see above: why are trust boundaries between mission critical and
non-critical networks weakly defined and poorly understood?
>Would it be paranoid to associate this with @Stake's dismissal of
>Dan Geer after voicing his personal opinion of this same vendor's
>security and the short shrift major news outlets gave that?
Major news outlets did NOT pay "short shrift" to the Geer/Schneier/et al
paper on monocultures. In fact, they hyped it far beyond its worth.
It's an interesting position paper but I think it contains serious flaws
for my views, which I won't repeat here)
You've perhaps forgotten, but that event was news for almost a week.
In today's news environment, a *week* is what you get if you're Michael
Jackson and you're arrested for child molestation. A *week* is a lot
of media attention. Indeed, Geer et al's paper has sparked a long-term
hype-trend on the monoculture topic, as far as I can tell. Viz:
My assessment is that the paper in question got an unusually large
helping of media attention, for a computer security story.
>These correlations were further supported a couple of weeks ago at
>Stanford's Cyber Security Conference where all speakers went to
>great lengths to avoid criticizing the vendor in question.
Even you avoided naming Microsoft, my friend! :) What have they
got on you? ;)
That was the DHS one, right? Now, in that case, you were dealing
with people who still are hoping to get money and favors from
Microsoft. So of course they are going to be careful not to bite
the hand that feeds them.
>All of which make me wonder about an article by Fred Avolio in
>September's Information Security Magazine.
>It was, on the surface, an attempt to make a distinction between
>"stateful inspection" and "application intelligence", but anyone
>who knows Fred can see that the story was dumbed down to a such an
>absurd degree that it makes no sense at all, except perhaps to a
>marketing or rhetoric PhD. It should be noted that Information
>Security Magazine rarely covers anything other than products which
>run under operating systems written by the vendor in question and
>that they rarely say anything negative about anything.
I don't think Fred needs me to stick up for him so I won't. ;)
But - if I know Fred, he was probably trying to make a subtle
point about marketing bullsh*t applied to computer security. :)
After all, "application intelligence" sure sounds like a marketing
bullsh*t reinvention of proxy firewalls - which is old old stuff not
new new stuff. I don't want to put words into Fred's mouth but I
know he sees his job as to educate - to try to get people who are
not very technically sophisticated (but who may think they are)
to see the fundamentals that they haven't had time to learn.
Part of the "dumbing down" that you're seeing is the result of
security's newfound importance as a field. We've got loads of folks
who are trying to spin up quickly because they've finally
realized they need to worry about it. We've also got tons of
new security companies trying to cash in on security's
newfound importance - so every one of those companies (most
of which sell pretty much the same thing) have marketing
idiots who work for them who say "we need to define a NEW
CATEGORY OF PRODUCT" so they start messing with the
language. Now, all those poor newly-minted security guys have
to wade through all this new marketing glop filled with claims
that they have to validate the truth or falsity of, and new
terminology they have to figure out. To a greater or lesser
degree, a lot of us old-timers try to fight the flood of bullsh*t
by educating customers and end users so they can identify
it themselves. So, yes, Fred probably is dumbing down a lot of
You don't make a lot of friends if you write an article that says
"Calling something 'stateful multi-layer inspection' is a ridiculous
load of dingoes kidneys when you consider that all it's doing is
keeping a state-table entry on which direction you saw the
original SYN packet and doing some minimal TCP sequence
processing to make sure packets are within a window. Only a
marketing idiot would come up with a term like 'stateful multi-layer
inspection' for something that's basically a little bit more stateful
than router 'established' screening." Of course journalists aren't
required to make friends but - it doesn't help a lot if your editors
get hate mail each time you write a column. :)
>The common thread is the amazing degree to which cyber security is
>being dumbed-down whenever it applies to this one particular vendor.
Can't you say "Microsoft"? Cat got your tongue? ;)
I don't think that's the case. There's certainly no broad conspiracy
or even a small one. There are a few companies and individuals who
look out for their financial interests - but they HAVE to. :)
There's also a matter of professional ethics. I happen to believe
that if you're taking someone's money you should not publicly
throw rocks at them unless that's part of your arrangement. It
falls under the old rule of "the customer is always right"
@Stake's single largest customer was Microsoft. By doing
what he did without telling his boss what he was doing, Geer
broke the 3rd law of corporate survival: he surprised his boss
with something bad involving a big customer. Whether it's morally
justified or not, it's professionally stupid. Dan could have resigned
a year or 2 before he published that paper, if that's how he really felt,
and then nobody could have faulted him at all.
If you work for a man, in heaven's name, work for him. If he pays you
wages which supply your bread and butter, speak well of him, stand
by him and the institution he represents. If put to a cinch, an ounce of
loyalty is worth a pound of cleverness. If you must vilify, condemn and
eternally disparage -- resign your position, and when you are outside,
damn to your heart's content. But as long as you are a part of the
institution, do not condemn it. If you do that, you are loosening the tendrils
that are holding you to the institution, and by the first high wind that comes
along, you will be uprooted and blown away and probably will never know why.
- Elbert Hubbard
>Perhaps the most damaging example of this is our own government's
>failure to even identify the vendor as the source of its worst
>infrastructure vulnerabilities and the cause of nearly every
>documented security breach.
Yeah, this surprised me, too. Because Microsoft is NOT the source of
its worst infrastructure vulnerabilities. I'd have expected my government
workers to be eager to find someone else to blame. Microsoft is not
the problem! The problem is: why has our federal government built
mission-critical internet-facing systems using such poor security?
A lot of the problems with Windows can be mitigated (it's hard work... but
it's doable) why has such incompetence become endemic in
Put another way: Why would we believe that the same people who
built the government's existing insecure windows systems would be
able to build secure systems using UNIX or anything else for that
Perhaps that's why there's silence. With current federal IT expertise
and procurement practices (basically nobody knows how to do anything
except hire contractors) federal IT security is going to s*ck no matter
>The logical outcome of this collective failure to recognize the
>king has no clothes will, I fear, be as bad for information security
>as it was for the airlines on 9/11/01.
A lot of folks recognize that the emperor has no clothes. The
question is: why? Microsoft's stuff is certainly PART of the problem
but another big piece of the problem is that people insist on buying
it and don't manage it right. There's enough blame to go around
and just assuming a conspiracy is too simplistic. The truth is a more
complex combination of clueless customers, cruddy code, incompetent
federal IT workers, consultants out for a buck, marketing idiots, and
a dash of denial.
firewall-wizards mailing list
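The message above describes what "stateful inspection" actually does: keep a state-table entry recording which direction the original SYN was seen, and do minimal TCP sequence checking so packets fall inside a window, which is only slightly more than a router's 'established' (ACK-bit) screen. The following is an added illustration, not code from the list post or from any product it mentions. It is a toy Python model of both mechanisms run over a constructed packet trace; the inside prefix, the fixed 65535-byte tolerance window and the packet fields are assumptions made for the example, and a real firewall would use the peer's advertised window and track far more state.

```python
from dataclasses import dataclass

# Assumed tolerance around the next expected sequence number. A real
# firewall derives this from the advertised TCP window; a constant is
# enough to show the idea.
WINDOW = 65535


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S", "SA", "A", "PA", "FA", "R"
    seq: int = 0
    length: int = 0     # payload bytes carried by this segment


def established_screen(pkt, inside_prefix):
    """Classic router 'established' screening: any inbound packet with the
    ACK bit set is assumed to belong to a session opened from inside.
    It keeps no state at all, so a forged ACK passes."""
    inbound = pkt.dst.startswith(inside_prefix)
    if not inbound or "A" in pkt.flags:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Minimal stateful packet filter: one table entry per connection,
    created only by a SYN seen from the inside, plus a sequence-window
    check on every later packet in either direction."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        # key: (initiator ip, port, responder ip, port)
        # value: next expected sequence number per direction
        self.table = {}

    def _is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def _lookup(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:
            return fwd, "orig"
        if rev in self.table:
            return rev, "reply"
        return None, None

    def filter(self, pkt):
        key, direction = self._lookup(pkt)
        if key is None:
            # No state yet: only a bare SYN from inside to outside opens an entry.
            if pkt.flags == "S" and self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
                key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
                self.table[key] = {"orig": pkt.seq + 1, "reply": None}
                return "ACCEPT"
            return "DROP"
        entry = self.table[key]
        if "R" in pkt.flags:
            del self.table[key]          # reset tears the entry down
            return "ACCEPT"
        if entry[direction] is None:
            # First packet from the responder must be the SYN/ACK.
            if pkt.flags != "SA":
                return "DROP"
            entry[direction] = pkt.seq + 1
            return "ACCEPT"
        expected = entry[direction]
        if not (expected - WINDOW <= pkt.seq <= expected + WINDOW):
            return "DROP"                # outside the sequence window
        advance = pkt.length + (1 if "F" in pkt.flags else 0)
        entry[direction] = max(expected, pkt.seq + advance)
        return "ACCEPT"


# Constructed trace: an inside client talks to a web server, then two
# unsolicited packets arrive from an unrelated outside host.
TRACE = [
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, "S", seq=1000),
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, "SA", seq=5000),
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, "A", seq=1001),
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, "PA", seq=1001, length=100),
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, "A", seq=5001, length=500),
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, "A", seq=205001, length=500),  # far outside window
    Packet("203.0.113.9", 4444, "10.0.0.5", 22, "S"),                         # inbound SYN, no state
    Packet("203.0.113.9", 80, "10.0.0.5", 40001, "A", seq=77),                 # bare ACK, no state
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, "R", seq=5501),
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, "A", seq=1101),             # after reset: no state
]


def run_demo(inside_prefix="10.0.0."):
    """Return the per-packet verdicts of both mechanisms over TRACE."""
    sf = StatefulFilter(inside_prefix)
    stateful = [sf.filter(p) for p in TRACE]
    screened = [established_screen(p, inside_prefix) for p in TRACE]
    return stateful, screened


if __name__ == "__main__":
    for pkt, s, e in zip(TRACE, *run_demo()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.flags:3} stateful={s:6} established={e}")
```

The eighth packet is the interesting one: the stateless 'established' screen accepts any inbound segment with ACK set, while the state table drops it because no inside host ever sent a SYN to that peer. The sixth packet shows the sequence-window check rejecting a segment whose number is nowhere near what the entry expects, and the last packet shows that the entry really is gone after the RST.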